
Page 1: SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONSufdcimages.uflib.ufl.edu/UF/E0/01/56/09/00001/zhang_y.pdf · 2010-05-13 · security in heterogeneous wireless

SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONS

By

YANCHAO ZHANG

A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT

OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

UNIVERSITY OF FLORIDA

2006


Copyright 2006

by

Yanchao Zhang


To my parents and my sister.


ACKNOWLEDGMENTS

First and foremost, I would like to express my sincere gratitude to my advisor, Prof. Yuguang Fang, for his invaluable guidance, encouragement and support with my years in Wireless Networks Laboratory (WINET). Prof. Fang has guided my path in the past four years not only with his intellect and knowledge, but also with thoughtfulness about a young man’s personal growth.

I also would like to acknowledge my other committee members, Prof. Shigang Chen, Prof. Jose Fortes, Prof. Pramod Khargonekar, and Prof. Sartaj Sahni, for serving on my supervisory committee and for their help in various stages of my work and career.

I would not be a sane graduate student without a group of great friends. There are many whom I would like to thank: Xiang Chen, Wei Liu, Byung-Seo Kim, Jianfeng Wang, Shushan Wen, Hongqiang Zhai, Xiaoxia Huang, Yun Zhou, Chi Zhang, Frank Goergen, Pan Li, Rongsheng Huang, and Feng Chen. I would like to specially acknowledge my former WINET colleague and good friend, Prof. Wenjing Lou in Worcester Polytechnic Institute, for her help and encouragement in my journey.

Finally, I owe a special debt of gratitude to my beloved parents and sister. Without their love and unwavering support, I would never imagine what I have achieved.


TABLE OF CONTENTS

page

ACKNOWLEDGMENTS . . . iv

LIST OF TABLES . . . viii

LIST OF FIGURES . . . ix

ABSTRACT . . . x

CHAPTER

1 INTRODUCTION . . . 1

2 ANONYMOUS COMMUNICATIONS IN MOBILE AD HOC NETWORKS . . . 6
2.1 Introduction . . . 6
2.2 Preliminaries . . . 9
2.2.1 Basics of ID-Based Cryptography (IBC) . . . 9
2.2.2 Adversary Model . . . 10
2.3 MASK Design . . . 10
2.3.1 Network Model . . . 10
2.3.2 Anonymous MAC-Layer Communications . . . 11
2.3.3 Anonymous Network-Layer Communications . . . 15
2.3.4 Countermeasures against Attacks . . . 21
2.3.5 Replenishing Pseudonym/Secret Point Pairs . . . 23
2.4 Performance Evaluation . . . 25
2.4.1 Simulation Setup . . . 25
2.4.2 Simulation Results . . . 27
2.5 Related work . . . 28
2.6 Summary . . . 29

3 SECURING MOBILE AD HOC NETWORKS WITH CERTIFICATELESS PUBLIC KEYS . . . 31
3.1 Introduction . . . 31
3.2 Preliminaries . . . 33
3.2.1 Notation . . . 33
3.2.2 Related Work . . . 33
3.3 Design Goals and System Models . . . 36
3.3.1 Design Goals . . . 37
3.3.2 Network Model . . . 37
3.3.3 Adversary Model . . . 38
3.4 IKM Design . . . 39
3.4.1 Overview . . . 39
3.4.2 Network Initialization . . . 40
3.4.3 Key Revocation . . . 43
3.4.4 Key Update . . . 47
3.4.5 Securing D-PKGs against Pinpoint Attacks . . . 48
3.4.6 Choosing Secret-Sharing Parameters . . . 50
3.4.7 Security Analysis . . . 51
3.5 Performance Evaluation . . . 51
3.5.1 Simulation Setup . . . 52
3.5.2 Computational Costs . . . 53
3.5.3 Comparison in Key Revocation . . . 54
3.5.4 Comparison in Key Update . . . 55
3.5.5 Comparison in Secure Routing . . . 56
3.6 Summary . . . 61

4 SECURE LOCALIZATION IN WIRELESS SENSOR NETWORKS . . . 62
4.1 Introduction . . . 62
4.2 Vulnerability Analysis of Two-Way Time-of-Arrival Localization . . . 63
4.3 Mobility-Assisted Secure Localization for UWB Sensor Networks . . . 65
4.3.1 Network Model . . . 65
4.3.2 Overview of SLS . . . 66
4.3.3 K-Distance: a K-Round Distance Estimation Algorithm . . . 66
4.3.4 Location Validity Test . . . 70
4.3.5 Discussion . . . 72
4.4 Related Work . . . 73
4.5 Summary . . . 74

5 LOCATION-BASED COMPROMISE-TOLERANT SECURITY MECHANISMS FOR WIRELESS SENSOR NETWORKS . . . 75
5.1 Introduction . . . 75
5.2 Preliminaries . . . 77
5.2.1 Adversary Model . . . 77
5.2.2 Security Objectives . . . 77
5.3 A Location-Based Key Management Scheme . . . 78
5.3.1 Pre-Deployment Phase . . . 78
5.3.2 Sensor Deployment and Localization . . . 79
5.3.3 Location-Based Neighborhood Authentication . . . 80
5.3.4 Immediate Pairwise Key Establishment . . . 83
5.3.5 Multi-hop Pairwise Key Establishment . . . 84
5.4 Efficacy of LBKs in Attack Mitigation . . . 85
5.4.1 Spoofing, Altering or Replaying Routing Information . . . 85
5.4.2 The Sybil Attack . . . 86
5.4.3 The Identity Replication Attack . . . 86
5.4.4 Wormhole and Sinkhole Attacks . . . 87
5.5 Location-Based Filtering of Bogus Data . . . 88
5.5.1 The Bogus Data Injection Attack . . . 88
5.5.2 Generation and Distribution of Cell Keys . . . 89
5.5.3 Performing Threshold-Endorsements of Data Reports . . . 92
5.5.4 Probabilistic Enroute Filtering of Data Reports . . . 94
5.5.5 Efficacy and Security Analysis . . . 94
5.5.6 Performance Evaluation . . . 97
5.6 Related work . . . 101
5.7 Discussion . . . 104
5.8 Summary . . . 105

6 ATTACK-RESILIENT SECURE AUTHENTICATION AND BILLING IN WIRELESS MESH NETWORKS . . . 106
6.1 Introduction . . . 106
6.2 Preliminaries . . . 110
6.2.1 Security Requirements of WMNs . . . 110
6.2.2 Attacker Model . . . 112
6.3 System Models and Notation . . . 112
6.3.1 Network Model . . . 112
6.3.2 Trust Model . . . 113
6.3.3 Notation . . . 114
6.3.4 Trust-Domain Initialization . . . 114
6.3.5 Pass Model . . . 116
6.4 Authentication and Key Agreement (AKA) . . . 119
6.4.1 Inter-Domain Authentication and Key Agreement . . . 119
6.4.2 Intra-Domain Authentication and Key Agreement . . . 122
6.4.3 Client-Client Authentication and Key Agreement . . . 123
6.5 Security Enhancements . . . 124
6.5.1 Location Privacy Attack . . . 125
6.5.2 Bogus-Beacon Flooding Attack . . . 126
6.5.3 Denial-of-Access Attack . . . 130
6.5.4 Bandwidth-Exhaustion Attack . . . 132
6.6 Incontestable Billing of Mobile Users . . . 134
6.6.1 Billing Basics . . . 134
6.6.2 Payment Structures . . . 137
6.6.3 Making Payments . . . 139
6.6.4 Redemption of Payment Records . . . 141
6.6.5 Security Analysis . . . 142
6.7 Discussion . . . 143
6.7.1 Mobility Management . . . 143
6.7.2 Public-Key vs. Symmetric-Key Cryptography . . . 144
6.7.3 Incremental Deployment . . . 144
6.8 Summary . . . 144

7 CONCLUSION AND FUTURE WORK . . . 146

REFERENCES . . . 147

BIOGRAPHICAL SKETCH . . . 157


LIST OF TABLES

Table page

2–1 Processing timings of cryptographic operations. . . . . . . . . . . . . . . . . 25

3–1 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

3–2 Timings of primitive operations . . . . . . . . . . . . . . . . . . . . . . . . . 54

3–3 Comparison of key revocation time . . . . . . . . . . . . . . . . . . . . . . . 54

3–4 Comparison of key update (t = 5) . . . . . . . . . . . . . . . . . . . . . . . . 55

3–5 Comparison of key update (t = 10) . . . . . . . . . . . . . . . . . . . . . . . 55

4–1 The K-Distance algorithm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

4–2 Testing if a point is inside a |B|-vertex polygon. . . . . . . . . . . . . . . . . 70


LIST OF FIGURES

Figure page

2–1 Anonymous route discovery with a route reply generated by the destination A.4. . . . 16

2–2 Anonymous hop-by-hop packet forwarding from A.1 to A.4. . . . 20

2–3 The comparison between MASK and AODV. . . . 27

3–1 Average route discovery delay. . . . 58

3–2 Average data packet delay. . . . 59

3–3 Packet delivery ratio. . . . 59

3–4 Average routing load. . . . 60

4–1 An exemplary two-way ToA localization process, where anchors A, B, C are determining the location of sensor S. . . . 63

4–2 The topology of an exemplary distance enlargement attack. . . . 64

4–3 The time plot of the challenge-response process. . . . 67

4–4 Location validity test with three anchors. . . . 69

5–1 Node deployment model. . . . 89

5–2 The probability pµ of filtering one bogus report as a function of the sampling probability ps and the number µ of hops a bogus report travels. . . . 95

5–3 The comparison of Esum and E′sum as a function of the bogus traffic ratio ρ, where ξ = 50 and the optimal ps’s are used. . . . 98

5–4 The comparison of Esum and E′sum as a function of the bogus traffic ratio ρ, where ξ = 50 and non-optimal ps’s are used. . . . 100

5–5 The comparison of Esum and E′sum as a function of the average path length ξ, where ρ = 2 and ps = 0.2. . . . 101

6–1 A typical three-tiered wireless mesh network architecture. . . . 107

6–2 An exemplary 5-by-5 hierarchical one-way hash chain. . . . 127

6–3 An exemplary payment structure (m > 3, t > 2). . . . 136


Abstract of Dissertation Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONS

By

Yanchao Zhang

August 2006

Chair: Yuguang Fang
Major Department: Electrical and Computer Engineering

Wireless ad hoc networks have been widely accepted as an indispensable component of next-generation communication systems to facilitate ubiquitous network access. Although offering significant benefits, they also provide unique security challenges over their wired counterparts. Of note are the issues associated with the open network architecture, shared wireless medium, stringent resource constraints, high network dynamics, lack of trusted authorities, and so on. In this dissertation, we aim to address a number of challenging security issues in heterogeneous wireless ad hoc networks, spanning mobile ad hoc networks (MANETs), wireless sensor networks (WSNs), and wireless mesh networks (WMNs).

Our contributions are mainly fivefold. First, we propose an anonymous on-demand routing protocol (MASK) to deal with malicious eavesdropping and traffic analysis attacks against MANETs deployed in hostile environments. Second, we design a secure, scalable ID-based key management scheme for MANETs to enable flexible public-key services without reliance on conventional public-key certificates. Third, we devise a secure localization scheme to ensure secure location estimates in WSNs despite malicious attacks. Fourth, we develop a suite of location-based, compromise-tolerant security mechanisms for WSNs. Last, we present an attack-resilient secure authentication and billing architecture for WMNs.


CHAPTER 1
INTRODUCTION

Recent years have witnessed a surge of research and development for wireless ad hoc networks. Unlike conventional infrastructure-supported wireless networks, wireless ad hoc networks feature rapidly-deployable, self-organizing, self-maintaining capabilities and can be formed on the fly without relying on any existing infrastructure. In such a network, each node functions not only as an end host but also as a router forwarding packets to and from other nodes to enable otherwise impossible multi-hop communications. Wireless ad hoc networks are naturally well-suited for application scenarios where fixed infrastructures are often not available or reliable, while fast network establishment and self-maintenance are a must. As such, they have been widely accepted as an indispensable part of next-generation communication systems to facilitate ubiquitous network access.

In general, wireless ad hoc networks can be classified into two categories, mobile ad hoc networks (MANETs) and static ad hoc networks. The former comprise network nodes that are free to move about randomly and organize themselves arbitrarily. Exemplary application scenarios of MANETs include tactical military operations, homeland security, emergency disaster relief and rescue, and so on. Most recently, MANETs have been extended to general civilian contexts and are often referred to as wireless mesh networks (WMNs) [1], where mobile users can access the network either through a direct wireless link to a wireless access point (AP), or through a sequence of intermediate users to an AP that is too far away to reach. By contrast, static ad hoc networks mainly consist of stationary nodes, that is, nodes fixed where they were deployed. The most significant example of this latter type is wireless sensor networks (WSNs) [2], which have attracted extensive attention in both academia and industry for their broad potential not only in military and homeland security scenarios but also in general civilian settings.

While offering significant benefits, wireless ad hoc networks are also vulnerable to unique security challenges as compared to their wired counterparts. Roughly speaking, risks in wireless ad hoc networks are equal to the sum of the risks of operating a wired network plus the new risks introduced by weaknesses in wireless protocols. Some of the major security challenges that a wireless ad hoc network faces include the following:

• All old threats to a conventional wired network apply to a wireless ad hoc network.
• The shared wireless medium facilitates passive eavesdropping on data communications and active bogus message injection into the network by attackers.
• Early protocol designs for wireless ad hoc networks all assumed a friendly and cooperative environment. As such, many wireless protocols have inherent security flaws.
• Mobile devices are subject to physical theft or loss, leading to insider attacks launched by attackers harnessing confidential information extracted from stolen devices.
• Intrusion detection is far more difficult, mainly because it is hard to differentiate anomalies caused by characteristics of wireless channels from those caused by attacks.
• There is often a lack of an on-line centralized authority or administration.
• Mobile devices usually have stringent resource constraints and thus cannot afford resource-hungry security protocols.

How to model node misbehavior is an essential component in any security protocol design, as a decent solution designed under one misbehavior model may be less effective or even completely invalid under another one. In this dissertation, we classify misbehaving nodes into two classes: malicious and selfish. The objectives of the former are to attack the proper network operations without consideration of their own gains. Adversarial nodes often existing in military ad hoc networks are typical examples of such malicious nodes. By comparison, selfish nodes can be characterized by the intention of maximizing their own gains or collective gains with collusive nodes from the network community while minimizing their contributions to it. Selfish nodes are less likely to exist in single-authority-like ad hoc networks such as military MANETs and WSNs, but are very likely to be present in general civilian ad hoc networks where nodes may have conflicting interests. For example, in a WMN, nodes may be reluctant to forward packets to and from the AP for others in order to save their own resources such as battery life, CPU cycles, or available network bandwidth [3, 4].

This dissertation contributes to developing novel solutions to a number of challenging issues in heterogeneous wireless ad hoc networks, involving either malicious nodes or selfish nodes or both, which are either ignored or not well addressed in the literature. The rest of this dissertation is structured as follows.

Chapter 2 considers passive eavesdropping and the accompanying attacks launched against MANETs deployed in hostile environments. To deal with such attacks, we propose a novel anonymous on-demand routing protocol, termed MASK, which can accomplish both MAC-layer and network-layer communications without disclosing real IDs of participating nodes under a rather strong adversarial model. MASK offers the anonymity of senders, receivers, and sender-recipient relationships, as well as node unlocatability and untrackability and end-to-end flow untraceability. It is also resistant to a wide range of attacks. Moreover, MASK preserves the high routing efficiency as compared to previous work.

Chapter 3 studies key management, a fundamental problem in securing MANETs. We present IKM, an ID-based key management scheme as a novel combination of ID-based and threshold cryptography. IKM is a certificateless solution in that public keys of mobile nodes are directly derivable from their known IDs plus some common information. It thus eliminates the need for certificate-based authenticated public-key distribution indispensable in conventional public-key management schemes. IKM features a novel construction method of ID-based public/private keys, which not only ensures high-level tolerance to node compromise, but also enables efficient network-wide key update via a single broadcast message. We also provide general guidelines about how to choose the secret-sharing parameters used with threshold cryptography to meet desirable levels of security and robustness. The advantages of IKM over conventional certificate-based solutions are justified through extensive simulations. Since most MANET security mechanisms thus far involve the heavy use of certificates, we believe that our findings open a new avenue towards more effective and efficient security design for MANETs.

Chapter 4 explores secure localization in WSNs. The proper operations of many sensor networks rely on the knowledge of physical sensor locations. However, most existing localization algorithms developed for sensor networks are vulnerable to attacks in hostile environments. As a result, attackers can easily subvert the normal functionalities of location-dependent sensor networks by exploiting the weakness of localization algorithms. In this chapter, we first analyze the security of existing localization techniques. We then develop a mobility-assisted secure localization scheme for WSNs.

Chapter 5 introduces a suite of location-based compromise-tolerant security mechanisms for WSNs. Node compromise is a serious threat to WSNs deployed in unattended and hostile environments. To mitigate the impact of compromised nodes, we design a few location-based compromise-tolerant security mechanisms. Based on a new cryptographic concept called pairing, we propose the notion of location-based keys (LBKs) by binding private keys of individual nodes to both their IDs and geographic locations. We then develop an LBK-based neighborhood authentication scheme to localize the impact of compromised nodes to their vicinity. We also present efficient approaches to establish a shared key between any two network nodes. In contrast to previous key establishment solutions, our approaches feature nearly perfect resilience to node compromise, low communication and computation overhead, low memory requirements, and high network scalability. Moreover, we demonstrate the efficacy of LBKs in counteracting several notorious attacks against sensor networks. Finally, we propose a location-based threshold-endorsement scheme, called LTE, to thwart the infamous bogus data injection attack, in which adversaries inject lots of bogus data into the network. The utility of LTE in achieving remarkable energy savings is validated by detailed performance evaluation.

Chapter 6 presents a secure authentication and billing architecture for WMNs, which are finding ever-growing acceptance as a viable and effective solution to ubiquitous broadband Internet access. This chapter addresses the security of WMNs, which is a key impediment to wide-scale deployment of WMNs but has thus far received little attention. We first thoroughly identify the unique security requirements of WMNs for the first time in the literature. We then propose UPASS, the first known secure authentication and billing architecture for WMNs. In contrast to a conventional cellular-like solution, UPASS eliminates the need for establishing bilateral roaming agreements and having realtime interactions between potentially numerous WMN operators. With UPASS in place, each user is no longer bound to any specific network operator, as he or she must be in current cellular networks. Instead, he or she acquires a universal pass from a third-party broker whereby to realize seamless roaming across WMN domains administrated by different operators. UPASS supports efficient mutual authentication and key agreement both between a user and a serving WMN domain and between users served by the same WMN domain. In addition, UPASS is designed to be resilient to a wide range of attacks. Moreover, the incontestable billing of mobile users is fulfilled through a lightweight realtime micropayment protocol built on the combination of digital signature and one-way hash-chain techniques.

Finally, Chapter 7 concludes this dissertation and points out some future work.


CHAPTER 2
ANONYMOUS COMMUNICATIONS IN MOBILE AD HOC NETWORKS

2.1 Introduction

Mobile ad hoc networks (MANETs) are infrastructureless, autonomous, stand-alone

wireless networks that are receiving growing attention from both academia and industry.

In this chapter, we are concerned with MANETs deployed in hostile environments, such

as those facilitating large-scale theater-wide communications or relatively small-scale com-

munications in MOUT (Military Operations on Urban Terrain). It is obvious that robust

security support is indispensable for the proper functioning of such MANETs.

The shared wireless medium of MANETs introduces abundant opportunities for passive

eavesdropping on data communications. This means that, without physically compromis-

ing a node, adversaries can easily overhear all the MAC frames “flying in the air,” each

typically including <MAC addresses, network addresses, data>.1 Although end-to-end

and/or link encryption can be enforced to prevent adversarial access to data contents, for

any observed frame, adversaries can still learn not only the network and MAC addresses of

its local transmitter and receiver, but also the network addresses of its end-to-end source

and destination. Such MAC and network address information is currently left bare with-

out protection in the de facto MAC protocol IEEE 802.11 and existing MANET routing

protocols such as AODV [5] and DSR [6].

The leakage of MAC and network addresses may result in a number of severe conse-

quences. First of all, it would facilitate adversarial traffic analysis run to infer network

1 We use the terms “packets” and “frames” interchangeably in this chapter.

6

Page 17: SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONSufdcimages.uflib.ufl.edu/UF/E0/01/56/09/00001/zhang_y.pdf · 2010-05-13 · security in heterogeneous wireless

7

traffic patterns and/or traffic pattern changes.2 In a tactical military MANET, an abnor-

mal change of the network traffic pattern may indicate a forthcoming action, a chain of

commands, or a state change of network alertness [7]. Its disclosure to adversaries would

thus lead to the failure of urgent military actions. In addition, adversaries are able to

trace any packet backward to its original source or forward to its final destination. This is

also undesirable because in many cases packet sources are critical nodes such as captains

or majors, while packet destinations are nodes commanded to carry out certain military

operations. Moreover, adversaries can locate individual nodes and track their movements.

This is extremely dangerous in that adversaries can easily identify critical network nodes

and then launch directed attacks on them. Most previous proposals such as Ariadne [8] and

ARAN [9] aim to deal with active attacks, which usually involve the launch of denial-of-

service (DoS) or other more “visible,” aggressive attacks on the target network. By contrast,

the aforementioned attacks belong to the category of once-passive-then-active attacks, or

passive attacks for short, which are more subtle, “invisible,” and difficult to detect before

severe damage actually occurs. In this chapter, we seek efficient solutions to such more

dangerous passive attacks.

For ease of presentation, we use the notion “network ID” (or simply “ID”) to indicate

both the MAC and network addresses of a mobile node, which should be understandable

from the context. We also define “anonymity” as the privacy preservation of network IDs

of mobile nodes and their group membership information, e.g., belonging to nation A or B,

or affiliated with battalion 1 or 2. Although less intuitive, the privacy of node affiliations

is as important as that of node IDs in many security-sensitive environments. For example,

suppose a coalition force of multiple nations is dispatched to carry out a common military

mission. Soldiers of the same nation can form an exclusive MANET among themselves

and thus there would co-exist multiple MANETs in the battlefield. In this case, each node

2 A network traffic pattern consists of triplets <sender addr, receiver addr, average rate>, each describing one flow. A flow can be an end-to-end network flow, in which case the address fields are the network addresses of an end-to-end source and destination pair. It can also be a local link flow, in which case the address fields are the MAC addresses of a local transmitter and a receiver.


may want to avoid unnecessary exposure of both its ID and nationality because adversaries

or terrorists may perform selective directed attacks according to not only IDs but also

nationalities. As demonstrated in Section 2.3.2, conventional cryptographic techniques such

as Diffie-Hellman key exchange [10] cannot satisfy this anonymity requirement and thus fail

to withstand passive attacks.

We observe that passive attacks are feasible for two reasons: (1) each node can be

uniquely identified by its network ID, and (2) each node uses the invariant network ID

in both MAC-layer and network-layer communications. Motivated by this observation, we

propose to thwart passive attacks by designing anonymous communication protocols. The

fundamental purpose is to realize both efficient MAC-layer and network-layer communi-

cations, while anonymizing all the involved nodes, therefore effectively defeating passive

attacks.

The contribution of this chapter is the design of a novel anonymous on-demand rout-

ing protocol, called MASK, which can simultaneously achieve anonymous MAC-layer and

network-layer communications. The novelty of MASK lies in the use of dynamic pseudonyms

rather than static MAC and network addresses. MASK offers both sender and receiver

anonymity as well as sender-receiver relationship anonymity.3 Specifically, although ad-

versaries might observe a packet transmission, they cannot determine real network IDs of

its sender and receiver, nor can they decide if (or when) any two nodes in the network are

communicating. In addition, MASK ensures node unlocatability and untrackability, meaning

that, although adversaries might know some real network IDs and/or group memberships,

they are unable to decide whom and where the corresponding nodes are in the network.

Moreover, MASK guarantees end-to-end flow untraceability, which means that adversaries

cannot trace a packet forward to its final destination or backward to its original source, nor

can they recognize packets belonging to a same ongoing communication flow. Furthermore,

MASK is as efficient as classical routing protocols such as AODV [5], which is confirmed by

3 For a given packet, a sender can be its original source or local transmitter, and a receiver can be its final destination or local receiver.


detailed simulation results. It can also withstand a variety of attacks, e.g., message coding,

flow recognition, and timing analysis.

2.2 Preliminaries

2.2.1 Basics of ID-Based Cryptography (IBC)

IBC [11] is receiving extensive attention as a powerful alternative to traditional certificate-

based cryptography (CBC) and serves as one of the cryptographic foundations of this dis-

sertation. The main idea of IBC is to make an entity’s public key directly derivable from his

publicly known identity information such as his email address. IBC thus completely elimi-

nates the need for public-key distribution realized via conventional public-key certificates.

Although the idea of IBC dates back to 1984 [11], only recently has its rapid development

taken place due to the application of the pairing technique outlined below.

Let G1 denote a cyclic additive group of some large prime order q and G2 a cyclic

multiplicative group of the same order. Assume that the Discrete Logarithm Problem

(DLP) is hard4 in both G1 and G2. For us, a pairing is a map e : G1 ×G1 → G2 with the

following properties:

1. Bilinear: $\forall\, P, Q, R, S \in G_1$,

$e(P + Q, R + S) = e(P, R)\,e(P, S)\,e(Q, R)\,e(Q, S).$ (2.1)

Consequently, for all $a, b \in \mathbb{Z}_q^*$, we have

$e(aP, bQ) = e(aP, Q)^b = e(P, bQ)^a = e(P, Q)^{ab}.$

2. Non-degenerate: If $P$ is a generator of $G_1$, then $e(P, P) \in \mathbb{F}_{p^2}^*$ is a generator of $G_2$.

3. Computable: There is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

Note that e is also symmetric, i.e., e(P, Q) = e(Q,P ), for all P, Q ∈ G1, which follows

immediately from the bilinearity and the fact that G1 is a cyclic group. Modified Weil

[12, 13] and Tate [14] pairings are examples of such bilinear maps for which the Bilinear

4 It is computationally infeasible to extract the integer $x \in \mathbb{Z}_q^* = \{a \mid 1 \le a \le q-1\}$, given $P, Q \in G_1$ (respectively, $P, Q \in G_2$) such that $Q = xP$ (respectively, $Q = P^x$).


Diffie-Hellman Problem (BDHP) is believed to be hard. That is, it is believed that, given $\langle P, xP, yP, zP \rangle$ for random $x, y, z \in \mathbb{Z}_q^*$ and $P \in G_1$, there is no algorithm running in expected polynomial time which can compute $e(P, P)^{xyz} \in G_2$ with non-negligible probability.

We refer to Boneh and Franklin [12, 13] and Barreto et al. [14] for a more comprehensive

description of how these pairing parameters should be selected in practice for efficiency and

security.

2.2.2 Adversary Model

We assume that adversaries can collaborate to passively monitor every radio transmis-

sion on every communication link. In addition, they may compromise any node in the target

network to become an internal adversary. However, we postulate that passive adversaries

cannot compromise an unlimited number of nodes. Neither can they have unbounded com-

putational capabilities to easily invert and read encrypted messages and break the BDHP

assumption. Otherwise, it is believed that there is no workable cryptographic solution.

2.3 MASK Design

In this section, we elaborate the design of MASK. We start with describing the net-

work model and then discuss how to achieve single-hop MAC-layer communications. Sub-

sequently, we present an on-demand routing protocol to realize anonymous network-layer

communications. After that, some countermeasures against attacks and a security enhance-

ment based on the secret-sharing technique [15] are introduced.

2.3.1 Network Model

We consider a general case that there co-exist multiple MANETs, each comprising

nodes of the same group. For simplicity, we use a capital letter, such as A, B, or C, to

indicate each MANET and the group it corresponds to. The concrete meanings of groups

may vary across different application contexts. For example, each group or the related

MANET may be related to a troop of a different nation, or a different company or battalion

in the same brigade. Hereafter, we will utilize network A as an example to illustrate our

MASK design. We denote by A.i the $i$th node of A for $1 \le i \le N_A$, where $N_A$ is the number of nodes in A. We assume that each A.i has a unique non-zero network ID $ID_{A.i}$.


As discussed before, both IDA.i and node A.i’s membership in A should be well protected

from adversaries.

Prior to network deployment, a trusted authority (TA) who himself/herself does not en-

ter the network first determines the pairing parameters (q,G1,G2, e) along with a group-wise

master key gA ∈ Z∗q . The TA then chooses two collision-resistant cryptographic hash func-

tions: H1, mapping strings to non-zero elements in G1, and H2, mapping arbitrary inputs

to fixed-length outputs, e.g., SHA-1 [16]. Public system parameters < q,G1,G2, e, H1,H2 >

are preloaded to each A.i. By contrast, gA should be well safeguarded from unauthorized

access and never be disclosed to ordinary group members dispatched to execute dangerous

military actions.

In MASK, nodes substitute pseudonyms for real IDs in communications. If a node

uses one pseudonym all the time, it will not help to defend against passive attacks we have

in mind, because the pseudonym will be analyzed the same way as its real ID. Therefore,

each node should use dynamic pseudonyms instead. For this purpose, the TA furnishes

each A.i with a sufficiently large set $PS_{A.i} = \{PS^k_{A.i} \mid 1 \le k \le |PS_{A.i}|\}$ of collision-resistant pseudonyms.5 A pseudonym can be any type of string and collision-resistance means that all the pseudonyms are different from each other. In addition, each A.i is armed with a corresponding secret point set $SP_{A.i} = \{SP^k_{A.i} = g_A H_1(PS^k_{A.i}) \in G_1 \mid 1 \le k \le |PS_{A.i}|\}$. Due to the difficulty of solving the DLP in $G_1$ (cf. Section 2.2.1), given any $\langle PS^k_{A.i}, SP^k_{A.i} \rangle$ pair, it is impossible to deduce $g_A$ with non-negligible probability.

2.3.2 Anonymous MAC-Layer Communications

In this subsection, we discuss how to achieve anonymous single-hop MAC-layer com-

munications through an anonymous neighborhood authentication protocol.

Anonymous neighborhood authentication. As the name suggests, anonymous

authentication allows two neighboring nodes of the same group to identify each other se-

cretly, in the sense that each party reveals its group membership to the other only if the

other party is also a group member. This notion bears similarity to the concept of secret

5 If X is a set, |X| means its cardinality.


handshakes introduced by Balfanz et al. [17]. As an example, node A.i might want to

authenticate itself to a neighboring node x, but only if x is also a member of group A.

In addition, if x does not belong to A, the authentication protocol should not help x in

determining either the real ID (IDA.i) of A.i or whether A.i is a member of A or not.

As mentioned in [17], realizing anonymous authentication (or secret handshakes) requires

new cryptographic protocols since it cannot be easily accomplished through existing cryp-

tographic tools. For example, authentication techniques based on public-key certificates,

such as authenticated two-party Diffie-Hellman key exchange [10], may inevitably disclose

either real IDs of mobile nodes or their group memberships or both, which are either im-

plied or explicitly embedded in public-key certificates. For instance, for its certificate to be

verified, a node has to tell the other party the authentic public key of the CA (Certificate

Authority) that generates its certificate. Obviously, this would cause the exposure of that

node’s group membership, i.e., from which CA it obtains the certificate, no matter whether

the other party belongs to the same group or not. In the following, we illustrate a pairing-

based anonymous neighborhood authentication protocol, which is an extension of the secret

handshake scheme introduced in [17] to MANETs.

Without loss of generality, below is shown the authentication process between nodes

A.1 and A.2, where ‖ denotes message concatenation.

A.1 → A.2 : $PS^i_{A.1},\; n_1$

A.2 → A.1 : $PS^j_{A.2},\; n_2,\; V_{2,1} = H_2(n_1 \,\|\, n_2 \,\|\, 0 \,\|\, K_{2,1})$

A.1 → A.2 : $V_{1,2} = H_2(n_1 \,\|\, n_2 \,\|\, 1 \,\|\, K_{1,2})$

A.1 starts the protocol by pulling out from $PS_{A.1}$ an unused pseudonym $PS^i_{A.1}$ and locally broadcasts a MAC frame including $PS^i_{A.1}$ and a random nonce $n_1$. Upon seeing the request, A.2 also draws an unused pseudonym $PS^j_{A.2}$ from $PS_{A.2}$ and then generates a master key as $K_{2,1} = e(H_1(PS^i_{A.1}), SP^j_{A.2})$. After that, A.2 locally broadcasts a reply frame consisting of $PS^j_{A.2}$, a random nonce $n_2$, and the value $V_{2,1}$ shown above. Upon reception of the reply from A.2, node A.1 calculates a master key as $K_{1,2} = e(H_1(PS^j_{A.2}), SP^i_{A.1})$ as well and checks $V_{2,1} \stackrel{?}{=} H_2(n_1 \,\|\, n_2 \,\|\, 0 \,\|\, K_{1,2})$. According to Eq. (2.1) and the symmetric property of $e$, if


and only if both nodes are affiliated with the same group A, could they have

$K_{2,1} = e(H_1(PS^i_{A.1}), H_1(PS^j_{A.2}))^{g_A} = e(H_1(PS^j_{A.2}), H_1(PS^i_{A.1}))^{g_A} = K_{1,2}.$

As a result, if the verification succeeds, A.1 knows that A.2 must be an authentic group peer. To authenticate itself to A.2, A.1 returns the value $V_{1,2}$ shown above. If $V_{1,2} = H_2(n_1 \,\|\, n_2 \,\|\, 1 \,\|\, K_{2,1})$, node A.2 can rest assured that A.1 belongs to the same group A as itself.

Notice that the source and destination addresses of the three involved MAC frames should

both be set to be a pre-defined universal address such as all 1’s instead of their real network

IDs (MAC addresses in this case).

After a successful three-way handshake, A.1 learns that there is a trustable group

peer in its neighborhood, but has no knowledge of the real ID except one of the public

pseudonyms of A.2. So does A.2. If the authentication fails, which may occur for instance

when one of them is an adversarial impersonator, the legitimate one reveals nothing but a

pseudonym to the impersonator. In addition, an adversarial eavesdropper learns nothing

more than some seemingly random numbers from the protocol execution.

Since A.1 and A.2 have established a shared master key $K_{1,2} = K_{2,1}$, they can proceed to calculate $\Gamma$ pairs of shared session key (Skey) and link identifier (LinkID) as

$k^{\gamma}_{1,2} = H_2(n_1 \,\|\, n_2 \,\|\, 2\gamma \,\|\, K_{1,2}), \qquad L^{\gamma}_{1,2} = H_2(n_1 \,\|\, n_2 \,\|\, 2\gamma + 1 \,\|\, K_{1,2}),$ (2.2)

where $\Gamma$ is a design parameter, and $k^{\gamma}_{1,2}$ and $L^{\gamma}_{1,2}$ ($1 \le \gamma \le \Gamma$) indicate the $\gamma$th Skey and LinkID, respectively. The collision-resistance of node pseudonyms, $H_1$ and $H_2$ ensures that such <Skey, LinkID> pairs are also collision-resistant, meaning that no identical pairs would be generated by different pairs of nodes or by the same two nodes with different pairs of nonces. In addition, each <Skey, LinkID> pair is only known to the two nodes which established it, and there is no apparent relationship among the <Skey, LinkID> pairs generated by the same two nodes under the same pair of nonces. Such $\langle k^{\gamma}_{1,2}, L^{\gamma}_{1,2} \rangle$ pairs are to be used in an increasing sequence for subsequent data communications between A.1 and A.2, as will be explained shortly. Whenever the established $\Gamma$ pairs are used up, A.1 and A.2


are required to automatically increase both n1 and n2 by one and generate new Γ pairs

using the computationally efficient hash function H2. Of course, A.1 and A.2 should have

a simple agreement so as to synchronize the use of such pairs.
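As an added example (not code from the dissertation), the three-way handshake and the Eq. (2.2) key derivation above can be traced end to end in Python. The pairing is replaced by a toy stand-in: $G_1$ is modelled as $\mathbb{Z}_q$ with a point $aP$ represented by the scalar $a$, and $e(aP, bP) = g^{ab}$ in the order-$q$ subgroup of $\mathbb{Z}_p^*$ with the constructed parameters $q = 1019$, $p = 2039$, $g = 4$. This map is bilinear and symmetric, so the equality $K_{1,2} = K_{2,1}$ goes through exactly as in the text, but the discrete logarithm in that representation is trivial, so the block illustrates the message flow only. SHA-256 stands in for $H_2$; the group master keys, pseudonyms and node names are constructed, and a second group B is added to show the handshake failing between members of different groups.

```python
"""Toy walk-through of the MASK anonymous neighborhood handshake.

The pairing is a stand-in: G1 is modelled as Z_q (a point aP is just the
scalar a) and e(aP, bP) = g^(a*b) in the order-q subgroup of Z_p^*.  That map
is bilinear, symmetric and non-degenerate, so the protocol algebra goes
through, but it is NOT secure (the discrete log is trivial); it only
illustrates the message flow, never deployable crypto.
"""
import hashlib
import secrets

Q = 1019                 # constructed toy group order (prime)
P = 2 * Q + 1            # 2039, prime, so Z_P^* has a subgroup of order Q
G = 4                    # generator of that order-Q subgroup (4 = 2^2)


def h1(s: str) -> int:
    """H1: map a string to a non-zero element of G1 (here a scalar in 1..Q-1)."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big") % (Q - 1) + 1


def h2(*parts) -> bytes:
    """H2: fixed-length hash of a concatenation (SHA-256 stands in for SHA-1)."""
    data = b"\x1f".join(str(p).encode() for p in parts)   # '||' with a separator
    return hashlib.sha256(data).digest()


def pairing(a: int, b: int) -> int:
    """Toy e(aP, bP) = g^(ab) mod P: bilinear and symmetric by construction."""
    return pow(G, (a * b) % Q, P)


class Node:
    """A group member preloaded by the TA with pseudonyms and secret points."""

    def __init__(self, name: str, group_master: int, pseudonyms):
        self.name = name
        # SP^k = g_A * H1(PS^k): the TA-issued secret point for each pseudonym.
        self.ps = {ps: (group_master * h1(ps)) % Q for ps in pseudonyms}
        self.unused = list(pseudonyms)

    def fresh_pseudonym(self) -> str:
        return self.unused.pop(0)

    def master_key(self, own_ps: str, peer_ps: str) -> int:
        # K = e(H1(PS_peer), SP_own) = e(H1(PS_peer), H1(PS_own))^(g_A)
        return pairing(h1(peer_ps), self.ps[own_ps])


def handshake(a1: Node, a2: Node, gamma: int = 2):
    """Run the three-way handshake; return Gamma (Skey, LinkID) pairs, or None on failure."""
    # A.1 -> A.2 : PS_i, n1
    ps_i, n1 = a1.fresh_pseudonym(), secrets.randbits(64)
    # A.2 -> A.1 : PS_j, n2, V_{2,1} = H2(n1 || n2 || 0 || K_{2,1})
    ps_j, n2 = a2.fresh_pseudonym(), secrets.randbits(64)
    k21 = a2.master_key(ps_j, ps_i)
    v21 = h2(n1, n2, 0, k21)
    # A.1 recomputes the master key; it matches only if both hold the same g_A.
    k12 = a1.master_key(ps_i, ps_j)
    if v21 != h2(n1, n2, 0, k12):
        return None
    # A.1 -> A.2 : V_{1,2} = H2(n1 || n2 || 1 || K_{1,2}), checked by A.2.
    v12 = h2(n1, n2, 1, k12)
    if v12 != h2(n1, n2, 1, k21):
        return None
    # Eq. (2.2): the gamma-th Skey and LinkID from the shared master key.
    return [(h2(n1, n2, 2 * g, k12), h2(n1, n2, 2 * g + 1, k12))
            for g in range(1, gamma + 1)]


def demo():
    g_a, g_b = 617, 233                                  # constructed master keys
    a1 = Node("A.1", g_a, ["PS1_A.1", "PS2_A.1"])
    a2 = Node("A.2", g_a, ["PS1_A.2", "PS2_A.2"])
    b1 = Node("B.1", g_b, ["PS1_B.1"])                  # member of another group
    same_group_ok = handshake(a1, a2) is not None
    other_group_rejected = handshake(a1, b1) is None
    return same_group_ok, other_group_rejected
```

The check at A.1 is exactly the one in the text: the two master keys agree because the toy pairing satisfies $e(H_1(PS_i), g_A H_1(PS_j)) = e(H_1(PS_j), g_A H_1(PS_i))$, and a node holding a different group master fails the first verification without learning anything but a pseudonym.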

Similarly, each node can achieve anonymous mutual authentication and establish pair-

wise shared <Skey, LinkID> pairs with all its neighboring nodes. Notice that if multiple

nodes simultaneously answer the same request, possible MAC-layer collisions may occur. In

this chapter, we assume the reliable transmissions of authentication requests/replies, which

can be achieved for instance by using a random delay for which each node has to wait before

answering an authentication request.

In our design, we leave the decision when and whether a node wants to initiate the

anonymous neighborhood authentication to the node itself. Ideally, a node should keep

track of its neighbors at all time and should perform the authentication whenever it moves

to a new place or finds new neighbors. In this case, a neighbor discovery/maintenance

mechanism such as the “Hello” messages used in AODV [5] will be necessary. Notice here

that although the “Hello” messages are transmitted periodically, the authentication is done

only once for each neighbor. A node may also choose not to do the authentication while

it is in constant and fast movement. Another option is that a node only initiates

the authentication on-demand, e.g., when it receives a route discovery message from an

unauthenticated neighbor. Authentication purely on-demand could reduce the overhead

caused by running the neighborhood authentication protocol, while at the same time it

would introduce extra delay on the route discovery process.

We would like to point out that anonymous neighborhood authentication would incur

additional computational overhead in contrast to other on-demand routing protocols such

as AODV and DSR, which do not provide either security or anonymity guarantees. How-

ever, mutual authentication between neighboring nodes is indispensable in MANETs, only

by which one node can reject accepting messages from or forwarding messages for unau-

thenticated neighbors. Otherwise, adversaries can easily inject bogus messages into the

network to deplete scarce network resources as well as interrupting proper network func-

tionalities. In addition, any two neighboring nodes only need to perform authentication

once and subsequent communications can be encrypted and authenticated using efficient


symmetric-key algorithms based on established shared Skeys. It will be shown in Section

2.4 that anonymous neighborhood authentication can be implemented efficiently without

much degrading the routing efficiency.

Anonymous MAC frame exchange. Based on established shared <Skey, LinkID>

pairs, two neighboring nodes can easily realize anonymous single-hop MAC-layer commu-

nications. In our design, we replace the transmitter and receiver MAC addresses in a

conventional MAC frame with a single LinkID. In fact, we will see later that the same

LinkID also eliminates the necessity of network addresses. In other words, a conventional

MAC frame <MAC addresses, network addresses, data> changes to <LinkID, data> in

our scheme.

For example, A.1 sends a MAC frame of format $\langle L^1_{1,2}, \{data\}_{k^1_{1,2}} \rangle$, where $\{msg\}_K$ stands for a message $msg$ encrypted under key $K$ using any symmetric-key encryption algorithm such as RC6 [18]. That frame can be heard by all its neighboring nodes, among which only A.2 will accept the frame because of its unique sharing of $L^1_{1,2}$ with A.1. A.2 can decrypt the data with the corresponding Skey $k^1_{1,2}$. Similarly, A.2 can reply with a MAC frame $\langle L^2_{1,2}, \{data\}_{k^2_{1,2}} \rangle$. If the MAC protocol in use is contention-based, such as

the Distributed Coordination Function (DCF) of the IEEE 802.11, conventional RTS-CTS-

DATA-ACK frame exchange is also easy to implement based on pairwise shared LinkIDs

to alleviate notorious hidden and exposed terminal problems.
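The frame exchange above, as an added example rather than code from the page: three neighbors and a passive listener hear the same <LinkID, {data}_Skey> frame, and only the node holding that LinkID accepts and decrypts it. The <Skey, LinkID> pairs are derived with Eq. (2.2) from constructed master keys and nonces; the RC6 encryption the text names is replaced by an illustrative SHA-256 counter keystream, which is not a real cipher and is used only so the block runs with the standard library. Both ends of a link walk the same pair sequence, modelling the synchronization agreement mentioned earlier.

```python
"""Anonymous single-hop MAC frame exchange with <LinkID, {data}_Skey> frames."""
import hashlib


def derive_pairs(master_key: bytes, n1: int, n2: int, gamma: int):
    """Eq. (2.2): k^g = H2(n1||n2||2g||K), L^g = H2(n1||n2||2g+1||K), g = 1..Gamma.
    SHA-256 stands in for H2; the separator keeps the concatenation unambiguous."""
    def h2(*parts):
        return hashlib.sha256(b"\x1f".join(str(p).encode() for p in parts)).digest()
    k = master_key.hex()
    return [(h2(n1, n2, 2 * g, k), h2(n1, n2, 2 * g + 1, k)) for g in range(1, gamma + 1)]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative stand-in for the RC6 encryption named in the text: XOR with a
    SHA-256 counter keystream. Not a real cipher; symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


class Neighbor:
    """A node in radio range: it hears every frame but can only interpret a
    LinkID it shares with the transmitter."""

    def __init__(self, name: str):
        self.name = name
        self.links = {}          # LinkID -> Skey for pairs not yet consumed
        self.received = []

    def install(self, pairs):
        for skey, linkid in pairs:
            self.links[linkid] = skey

    def hear(self, frame) -> bool:
        linkid, ciphertext = frame
        skey = self.links.pop(linkid, None)   # each pair is used once, in sequence
        if skey is None:
            return False                      # foreign LinkID: random bytes to this node
        self.received.append(keystream_xor(skey, ciphertext))
        return True


def transmit(pair_sequence, data: bytes, in_range):
    """Build <LinkID, {data}_Skey> from the next shared pair and broadcast it;
    return the frame and the names of the nodes that accepted it."""
    skey, linkid = next(pair_sequence)
    frame = (linkid, keystream_xor(skey, data))
    return frame, [n.name for n in in_range if n.hear(frame)]


def demo():
    n1, n2 = 0x1234, 0xABCD             # constructed nonces from an earlier handshake
    pairs_12 = derive_pairs(b"constructed-master-key-A1-A2", n1, n2, 4)
    pairs_13 = derive_pairs(b"constructed-master-key-A1-A3", n1, n2, 4)
    a1, a2, a3, eve = (Neighbor(n) for n in ("A.1", "A.2", "A.3", "E"))
    a1.install(pairs_12 + pairs_13)
    a2.install(pairs_12)
    a3.install(pairs_13)
    seq_12 = iter(pairs_12)     # one shared cursor models the A.1/A.2 synchronization
    # A.1 -> A.2 on <L^1_{1,2}, {data}_{k^1_{1,2}}>: A.3 and E hear it but cannot use it.
    _, who1 = transmit(seq_12, b"route me to A.4", [a2, a3, eve])
    # A.2 -> A.1 replies on the next pair <L^2_{1,2}, ...>; only A.1 accepts.
    _, who2 = transmit(seq_12, b"ack", [a1, a3, eve])
    return who1, a2.received[0], who2, a1.received[0]
```

Because the LinkID replaces both MAC addresses, the listener E sees only a 32-byte value it cannot tie to any node, and A.3, although a legitimate neighbor of A.1, drops the frame just as E does.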

Since real IDs of mobile nodes are kept confidential in anonymous neighborhood authen-

tication and subsequent local MAC frame exchange, we have successfully realized anony-

mous single-hop MAC-layer communications. In other words, local transmitter and re-

ceiver anonymity and their relationship anonymity have been achieved. Also notice that

our anonymous neighborhood authentication protocol ensures both node unlocatability and

untrackability at the same time.

2.3.3 Anonymous Network-Layer Communications

Network-layer communications, most likely multi-hop, rely on routing protocols to find

end-to-end routing paths between any source-destination pair and relay packets in a hop-by-

hop manner en route from the source to the destination. To realize anonymous network-layer

communications, we present here an anonymous on-demand routing protocol, called MASK,


[Figure 2–1: Anonymous route discovery with a route reply generated by the destination A.4. The figure shows the chain A.1, A.2, A.3, A.4; the ARREQ <ARREQ, 1001, ID_A.4, 50, PS> rebroadcast hop by hop with each node's own pseudonym; the ARREPs <L^9_{3,4}, {ARREP, ID_A.4, 51}>, <L^7_{2,3}, {ARREP, ID_A.4, 51}> and <L^5_{1,2}, {ARREP, ID_A.4, 51}> returned along the reverse path; the reverse route tables (dest_id, destSeq, pre-hop-pseudonym) of A.2 and A.3 with destSeq 50; the forwarding route tables (dest_id, destSeq, pre-LinkID-list, next-LinkID-list) of A.1 (null, L^6_{1,2}), A.2 (L^6_{1,2}, L^8_{2,3}) and A.3 (L^8_{2,3}, L^{10}_{3,4}) with destSeq 51; and the target LinkID table of A.4 holding L^{10}_{3,4}.]

to establish a sequence of <Skey, LinkID> pairs between any source and destination pair.

In our MASK, each node maintains the following data structures:

• Forwarding route table: A table consisting of entries of format <dest_id, destSeq, pre-LinkID-list, next-LinkID-list>, where dest_id is the real ID of the destination and destSeq6 is the corresponding node sequence number. The pre-LinkID-list is the set of pre-hop LinkIDs from which packets destined for dest_id may come, and next-LinkID-list is the set of next-hop LinkIDs to which packets destined for dest_id are supposed to be forwarded.

• Reverse route table: A table consisting of entries of format <dest_id, destSeq, pre-hop-pseudonym>, based on which route replies are relayed back to the source.

• Target LinkID table: A table consisting of selected LinkIDs shared with neighbors. The current node is the final destination (end-to-end) for the packets bearing the LinkIDs in its target LinkID table.

An appropriate timer is associated with each entry of the above tables and an entry should

be recycled when its timer expires.

Anonymous route discovery. Without loss of generality, we illustrate the anony-

mous route discovery process in MASK using the simple chain topology shown in Fig. 2–1,

where nodes A.1, A.2, A.3, and A.4 are assumed to be using pseudonyms $PS^1_{A.1}$, $PS^2_{A.2}$, $PS^3_{A.3}$, and $PS^4_{A.4}$, respectively, in their current places. To ease the presentation, we further assume

6 The maintenance of node sequence numbers strictly follows the steps defined in AODV [5].


that each node has finished anonymous mutual authentication using the same pseudonym

with all its neighboring nodes and has established shared <Skey, LinkID> pairs with them.

Similar to other on-demand routing protocols, our anonymous route discovery starts

from broadcasting route request messages when a node has a packet to a certain destination

but it does not know a path to that destination. An anonymous route request (ARREQ)

has the format <ARREQ, ARREQ id, dest id, destSeq, PSsrc>, where dest id is the real

ID of the destination,7 ARREQ id is a globally unique value that uniquely identifies an

ARREQ, destSeq is set to be the last known sequence number for the destination or to be an

unknown flag if needed, and PSsrc is the active pseudonym of the source. To be consistent

with the aforementioned MASK packet format, a predefined LinkID such as all 1’s should

be used to identify the ARREQ, which is not shown for brevity. In the shown example, the

ARREQ takes the form of $\langle ARREQ, 1001, ID_{A.4}, 50, PS^1_{A.1} \rangle$. When an intermediate node, say node A.2, receives an ARREQ message for the first time, it inserts an entry into its reverse route table recording where this ARREQ comes from, and then rebroadcasts the ARREQ after replacing the embedded pseudonym $PS^1_{A.1}$ with its currently-used one, i.e., $PS^2_{A.2}$. ARREQs with previously seen ARREQ ids are simply discarded.8 This process continues

until all the nodes in the network have rebroadcasted the ARREQ once.

It is worth noting that in the propagation of ARREQs, the real IDs of the source and

all the intermediate nodes are concealed, while the real ID of the destination has to be

exposed. In traditional on-demand routing protocols such as AODV [5], the destination

itself and any intermediate node which has a valid routing entry to the destination do not

need to rebroadcast the route request message. However, that design allows adversaries to

identify the destination node easily by monitoring the activities at each node - every node

broadcasts the routing request once except the destination and/or some nodes having the

routes to the destination. Therefore, in our design, every node, including the destination

7 ARREQ id could be generated by applying a collision-resistant hash function like SHA-1 [16] on the concatenation of a node’s pseudonym, sequence number, and a timestamp.

8 Note that ARREQ flooding is supposed to be finished in a limited period so that each node does not need to keep too many old ARREQ ids.


and qualified intermediate nodes, needs to rebroadcast the ARREQ message once. This

will effectively hide the whereabouts of the destination - even though adversaries know that

there is such a node, they will have difficulty matching the dest_id ($ID_{A.4}$ in this case) to

any of the nodes in the network. Note that the overhead introduced by this modification is

minimal - in a route discovery protocol using flooding, every node needs to broadcast once

anyway except the destination and qualified intermediate nodes. So the extra overhead

introduced is only one or a few more transmissions by the destination and the intermediate

nodes which can reply.

An anonymous route reply (ARREP) can be generated and sent back to the source

at the destination or at any intermediate node which has a valid route to the destination.

Fig. 2–1 demonstrates the case that a route reply is generated by the destination A.4 itself.

Once receiving an ARREQ toward itself, A.4 can generate an ARREP to be unicasted back

to the source following the reverse route established before. In our design, an ARREP

packet is of format $\langle LinkID, \{ARREP, dest\_id, destSeq\}_{Skey} \rangle$, where LinkID is the next-to-be-used LinkID shared between the destination and the pre-hop node from which the ARREQ

comes, and the corresponding Skey is used to encrypt the packet content so that adversaries

cannot recognize that this is an ARREP corresponding to the previously-observed ARREQ.

In the shown example, an ARREP is in the form of $\langle L^9_{3,4}, \{ARREP, ID_{A.4}, 51\}_{k^9_{3,4}} \rangle$. As noted before, only the intended receiver A.3 will be able to interpret $L^9_{3,4}$ and decrypt the packet content accordingly. To a passive eavesdropper, $L^9_{3,4}$ only appears to be some meaningless random number, and it has no idea of what the packet is about and to whom the packet is sent. Moreover, A.4 adds $L^{10}_{3,4}$ to its target LinkID table. The reason for inserting $L^{10}_{3,4}$ instead of $L^9_{3,4}$ is to prevent adversaries from identifying the relationship between this ARREP packet and subsequent data packets. Later on, when seeing a packet identified by $L^{10}_{3,4}$, A.4 knows that it is the end-to-end destination of that packet. An

intermediate node can also generate an ARREP if it has one forward route entry for the

dest id with destSeq equal to or larger than that contained in the received ARREQ. The

node needs to prepare an ARREP packet to be sent to its pre-hop node as well. Different

from the destination, the intermediate node need not modify its target LinkID table. This

case is straightforward and not shown for lack of space.


For a node on the reverse path, say A.3, when receiving an ARREP $\langle L^9_{3,4}, \{ARREP, ID_{A.4}, 51\}_{k^9_{3,4}} \rangle$ from its next-hop, A.3 will discard it if the embedded destSeq, 51 in this case, is smaller than that in its reverse route table. Otherwise, A.3 will decrypt the ARREP, form and transmit a new ARREP $\langle L^7_{2,3}, \{ARREP, ID_{A.4}, 51\}_{k^7_{2,3}} \rangle$. Here $\langle k^7_{2,3}, L^7_{2,3} \rangle$ is the next-to-be-used <Skey, LinkID> pair shared between A.3 and the pre-hop node "$PS^2_{A.2}$" (in fact, node A.2) stored in its reverse route table. A.3 also needs to update its forwarding route table as follows. If it does not have an entry for $ID_{A.4}$, a new entry will be created. Or if the entry for $ID_{A.4}$ has a smaller destSeq than that in the ARREP, the old entry will be replaced with the new information, i.e., dest_id, destSeq, pre-LinkID-list, and next-LinkID-list will be set to $ID_{A.4}$, destSeq in the ARREP, $L^8_{2,3}$, and $L^{10}_{3,4}$, respectively. If A.3 already has an entry for $ID_{A.4}$, and the new destSeq in the ARREP is equal to the old one, it updates the route entry by appending $L^{10}_{3,4}$ and $L^8_{2,3}$ to the next-LinkID-list

and pre-LinkID-list fields of its forwarding route entry, respectively. Therefore, MASK

may simultaneously maintain several next-hop and pre-hop LinkIDs for one dest id (called

virtual multipath functionality in this chapter) in the forwarding route table. This operation

is different from that of AODV [5] in which a node suppresses routing replies with the same

destination sequence number. The reason for adopting this design will be stated in the

subsequent subsection. Also notice that LinkIDs inserted into forwarding route tables are

always next to the ones used to identify the ARREPs so that adversaries cannot correlate

the ARREPs with subsequent data packets. The above process continues until the ARREP

reaches the source A.1. An exemption in the route reply process is that, in MASK, since

each node is required to rebroadcast the ARREQ message no matter whether it replies or

not, the ARREPs coming back to an intermediate node which replied before may present

inconsistent state information that may cause routing loops. Therefore, we require that

the intermediate nodes which have already replied ignore the route replies with the same

destSeq.

Notice that in the route reply process, all the ARREP packets are encrypted and identified by LinkIDs which are only interpretable by the intended local receivers. A passive eavesdropper might see discrete transmissions everywhere, but it will not be able to tell the content of a particular transmission, nor can it tell who is transmitting and who is receiving. For an internal adversary who happens to reside on the reverse route to the source, due to the anonymous neighborhood authentication, what it can learn is the ID of the destination, but not which node and where that destination is, even when the destination is its neighbor.

[Figure 2–2: Anonymous hop-by-hop packet forwarding from A.1 to A.4. Nodes A.1 to A.6 are connected by directed forwarding links labelled with their LinkIDs ($L^{6}_{1,2}$, $L^{7}_{1,5}$, $L^{8}_{2,3}$, $L^{9}_{2,5}$, $L^{9}_{2,6}$, $L^{10}_{3,4}$, $L^{11}_{3,5}$, $L^{13}_{3,6}$, $L^{15}_{4,6}$, $L^{16}_{5,6}$); the target LinkID table of A.4 holds $L^{10}_{3,4}$ and $L^{15}_{4,6}$, and two packets (packet 1, packet 2) are shown taking different paths.]

Anonymous packet forwarding. The packet forwarding in MASK is more like a

virtual circuit switching process. By looking up in the forwarding route table, the source

picks a random LinkID from the next-LinkID-list field in the entry for the destination. A

packet is then formed and sent to the next-hop neighbor that shares the chosen LinkID.

As noted before, a packet is of format <LinkID, data>, where the data part carries other

protocol and application data. Depending on different applications, the data part can

be end-to-end encrypted and/or authenticated using cryptographic methods. Or it can

be encrypted and authenticated by the Skey corresponding to the LinkID. When seeing

such a packet, the first intermediate node sharing the embedded LinkID needs to change

it to one randomly selected from its next-LinkID-list field of the forwarding route entry

in which the embedded LinkID matches one of the values in the pre-LinkID-list. It then

re-unicasts the packet to the chosen next hop. Following this process, a packet can finally

reach the destination which will terminate the forwarding when finding the LinkID in its

target LinkID table.

An example of anonymous packet forwarding is depicted in Fig. 2–2, in which a set of forwarding links (denoted by directional solid lines) have been established, each labelled by its respective LinkID. The incoming and outgoing links of a node constitute the pre-LinkID-list and next-LinkID-list fields of its forwarding route entry for the destination A.4, respectively. As we can see, due to the random selection of next-hop LinkIDs at each intermediate node, MASK has the nice traffic mixing property that packets of the same flow may travel through different paths to the destination. This makes it more difficult for adversaries to correlate observed radio transmissions to acquire actual network traffic patterns. It also increases the difficulty for adversaries of tracing a packet en route from its original source to the final destination. The shortcoming is that MASK does not always use the best path, e.g., the shortest-hop path, for packet forwarding, so it may introduce extra delay and/or delay jitter. However, for security-sensitive MANETs demanding anonymity protection, we argue that this tradeoff of routing efficiency for anonymity is acceptable. In addition, we will see in Section 2.4.2 that such random packet forwarding can help improve the routing performance under heavy traffic load.

When all the next-hop nodes for one destination become unavailable due to mobility

or other reasons, a node needs to locally broadcast an anonymous route error (ARRER)

packet of format <ARRER, pre-LinkID-list> to inform its up-stream nodes, which is again

identified by a predefined universal LinkID including all 1’s. Any neighboring node which

has one of the LinkIDs in the received pre-LinkID-list should remove it from the next-

LinkID-list field of its corresponding forwarding route entry. If its own next-LinkID-list

becomes empty as well, it should also broadcast a similar ARRER packet. When the source

has no available next-hop LinkIDs for the destination, it should restart the anonymous

routing discovery process.
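As an added illustration (constructed for this text, not code from the dissertation), the following Python model replays the forwarding and ARRER procedures just described on a small topology loosely following Fig. 2–2: forwarding route entries hold pre- and next-LinkID-lists, each node picks a random next-hop LinkID, the destination terminates forwarding through its target LinkID table, and a node whose next-LinkID-list empties broadcasts <ARRER, pre-LinkID-list> so that upstream nodes prune their lists and the source learns it must rediscover. The link directions and LinkID names are assumptions; per-hop LinkID rotation and link encryption are not modelled.

```python
import random
from dataclasses import dataclass, field

# Constructed model of MASK hop-by-hop forwarding and ARRER handling; not the
# dissertation's implementation. LinkIDs are plain strings standing in for the
# shared secret identifiers; the all-ones universal LinkID marks ARRER broadcasts.
UNIVERSAL_LINKID = "1" * 160


@dataclass
class RouteEntry:
    """Forwarding route entry: <dest id, destSeq, pre-LinkID-list, next-LinkID-list>."""
    dest_id: str
    dest_seq: int = 0
    pre_linkids: list = field(default_factory=list)
    next_linkids: list = field(default_factory=list)


class Node:
    def __init__(self, name):
        self.name = name
        self.target_linkids = set()   # LinkIDs on which this node is the destination
        self.routes = {}              # dest id -> RouteEntry

    def entry(self, dest_id):
        return self.routes.setdefault(dest_id, RouteEntry(dest_id))


class Network:
    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.nodes = {}
        self.receiver_of = {}   # LinkID -> neighbour that shares it and receives on it
        self.sender_of = {}     # LinkID -> neighbour that transmits on it

    def node(self, name):
        return self.nodes.setdefault(name, Node(name))

    def add_link(self, linkid, src, dst, dest_id):
        """Install a forwarding link src -> dst identified by `linkid`, for dest_id."""
        self.receiver_of[linkid], self.sender_of[linkid] = dst, src
        self.node(src).entry(dest_id).next_linkids.append(linkid)
        if dst == dest_id:
            self.node(dst).target_linkids.add(linkid)      # target LinkID table
        else:
            self.node(dst).entry(dest_id).pre_linkids.append(linkid)

    def forward(self, src, dest_id):
        """Send one packet <LinkID, data>; return the LinkIDs used, or None if dropped."""
        entry, hops = self.node(src).entry(dest_id), []
        while True:
            if not entry.next_linkids:
                return None                      # no next hop left: the packet is dropped
            linkid = self.rng.choice(entry.next_linkids)   # random next-hop LinkID
            hops.append(linkid)
            cur = self.node(self.receiver_of[linkid])
            if linkid in cur.target_linkids:
                return hops                      # destination terminates forwarding
            # Intermediate node: the entry whose pre-LinkID-list contains the LinkID.
            entry = next(e for e in cur.routes.values() if linkid in e.pre_linkids)

    def broadcast_arrer(self, name, dest_id):
        """`name` lost all next hops for dest_id: send <ARRER, pre-LinkID-list> under
        UNIVERSAL_LINKID. Returns every node that broadcast an ARRER (cascade order)."""
        me = self.node(name).entry(dest_id)
        me.next_linkids.clear()
        broadcasters = [name]
        for linkid in me.pre_linkids:
            up = self.node(self.sender_of[linkid]).entry(dest_id)
            if linkid in up.next_linkids:
                up.next_linkids.remove(linkid)
                # An upstream node whose own list emptied repeats the ARRER; a source
                # (no pre-LinkID-list) instead restarts route discovery.
                if not up.next_linkids and up.pre_linkids:
                    broadcasters += self.broadcast_arrer(self.sender_of[linkid], dest_id)
        return broadcasters

    def needs_rediscovery(self, src, dest_id):
        return not self.node(src).entry(dest_id).next_linkids


def build_fig22_network(seed=7):
    """Forwarding links towards A.4 named after Fig. 2-2's labels L^k_{i,j} (directions assumed)."""
    net = Network(seed)
    for linkid, src, dst in [("L6_12", "A.1", "A.2"), ("L7_15", "A.1", "A.5"),
                             ("L8_23", "A.2", "A.3"), ("L9_25", "A.2", "A.5"),
                             ("L10_34", "A.3", "A.4"), ("L13_36", "A.3", "A.6"),
                             ("L11_35", "A.5", "A.3"), ("L16_56", "A.5", "A.6"),
                             ("L15_46", "A.6", "A.4")]:
        net.add_link(linkid, src, dst, "A.4")
    return net


if __name__ == "__main__":
    net = build_fig22_network()
    print({tuple(net.forward("A.1", "A.4")) for _ in range(50)})   # several distinct paths
    print(net.broadcast_arrer("A.3", "A.4"), net.broadcast_arrer("A.6", "A.4"))
    print("source must rediscover:", net.needs_rediscovery("A.1", "A.4"))
```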

2.3.4 Countermeasures against Attacks

Up to now, we have described the basic operations of MASK with a focus on how to

provide anonymity in neighborhood authentication, route discovery, and packet forwarding.

In what follows, we describe some security enhancements and discuss more attacks that

MASK is able to defend against.

Message coding attack. The message coding attack happens when adversaries can easily link and trace packets that do not change their contents or lengths during transmission. Two countermeasures are designed in MASK to cope with this kind of attack. First, intermediate nodes apply random padding to every forwarded packet to prevent the attack that exploits a fixed packet length; they can randomly adjust both the length and the content of the padding. Second, the per-hop link encryption method through established pairwise Skeys can be used in MASK as well. The purpose here is to make the same packet appear quite different across links.

Flow recognition and message replay attacks. The flow recognition attack occurs when adversaries can recognize packets related to the same communication flow. Notice that, in MASK, the same packet bears completely different and uncorrelated LinkIDs when transmitted across different hops. Therefore, it is not possible to trace a packet by its LinkID. However, if the packets belonging to a single flow always use the same LinkID at the same hop, adversaries may obtain some useful information. Fortunately, the aforementioned random packet forwarding can partially mitigate this attack. In fact, an intermediate node works as a multiplexer which takes inputs from multiple pre-links, mixes them together, and sends them out to multiple next-links. In addition, we require that two neighboring nodes automatically change their currently-used shared LinkID either on a per-packet basis or periodically. In doing so, MASK leaves adversaries a dynamic set of LinkIDs for the same flow at each hop. Moreover, dynamic LinkIDs at each hop effectively thwart the message replay attack, in which adversaries replay an old packet repeatedly to recognize the packet forwarding pattern.

Timing analysis attack. Suppose adversaries can divide the monitored area into

small cells. They might ascertain that one source or destination exists in one cell by

observing that no packets go into or come out of that cell while some packets come out of

or go into that cell during a certain time interval. In addition, adversaries might guess that

two consecutive radio transmissions belong to the same communication flow. These attacks

belong to the category of the timing analysis attack.

In MASK, packets transmitted in the air are only identified by seemingly random LinkIDs. When the network traffic load is high and every node is busy transmitting and receiving, all the transmissions are mixed together, which makes timing analysis very difficult. However, when the traffic load is light, several precautions need to be taken against the timing analysis attack described above. First, when a destination receives a packet destined for it, it can forge a packet with a fake LinkID and forward it further. By doing so, it tries to fool adversaries into believing that the observed radio transmission does not end at the destination. The destination can also use genuine LinkIDs to ask its trusted neighbors to help further enlarge the suspicious area viewed by adversaries. Second, a packet needs to wait a random amount of time before being forwarded, so that an earlier-arriving packet may be forwarded after a later arrival. Last, even without being involved in any communications, nodes can send dummy packets [19] with fake LinkIDs at random intervals to increase the difficulty for adversaries in determining the originating and terminating areas of observed radio transmissions. The purpose here is to introduce more randomness into the radio transmissions so as to conceal the real network traffic patterns, at the cost of increased communication overhead.

2.3.5 Replenishing Pseudonym/Secret Point Pairs

In MASK, each node is required to use dynamic pseudonym/secret point pairs. If the network has a rather long lifetime, however, a node may sooner or later use up the preloaded pseudonym/secret point pairs. If this occurs, a node can reuse old pairs, starting from the first one. This measure can prevent adversaries from continuously tracking the movement of individual nodes if there are sufficiently many preloaded pairs. Nevertheless, it may still offer useful attack clues to powerful adversaries: they may roughly ascertain the movement of certain nodes by observing that a pre-recorded pseudonym reappears at a certain network location.

To avoid the above situation and ensure strong anonymity protection, it is necessary to introduce the TA functionality into the network, whereby mobile nodes can get replenishment of pseudonym/secret point pairs. Since using a single TA is vulnerable to a single point of failure, we propose to employ Shamir's secret-sharing technique [15] to enable a more scalable, secure solution. To do this, the TA executes the following additional operations when bootstrapping network A:

1. Determine a $(t-1)$-degree ($1 \le t \le N_A$) polynomial, $h(x) = g_A + \sum_{i=1}^{t-1} a_i x^i$, with random coefficients $a_i \in \mathbb{Z}_q^*$ and $g_A$ being the group master key.

2. Select $n$ ($t \le n \le N_A$) nodes from A, either without distinction or by considering node heterogeneity and choosing physically more secure or computationally more powerful ones. We call these nodes shareholders, denoted by $SH = \{SH.k \mid 1 \le k \le n\}$.

3. Calculate $n$ shares of $g_A$ as $g_k = h(ID_{SH.k})$ and assign $g_k$ to $SH.k$.

4. Choose an arbitrary generator $W \in G_1$ and compute a set of share commitments as $SC = \{W^{pub}_k = g_k W \in G_1 \mid 1 \le k \le n\}$.

$SH$, $SC$ and $W$ are appended to the public system parameters known to every node.

An interesting fact is that, although no single $SH.k$ has full knowledge of $g_A$, any $t$ of them can collectively reconstruct $g_A$, while fewer than $t$ cannot. For example, based on Lagrange interpolation, shareholders $SH.1, SH.2, \ldots, SH.t$ can determine $g_A$:

$$g_A = \sum_{i=1}^{t} \lambda_i g_i, \quad \text{where } \lambda_i = \prod_{j=1,\, j \neq i}^{t} \frac{ID_{SH.j}}{ID_{SH.j} - ID_{SH.i}}. \qquad (2.3)$$

During network operation, when a node, say A.1, almost runs out of preloaded pseudonym/secret point pairs, it can get replenishment by sending a request including the list of desired new pseudonyms to each of $t$ randomly-picked shareholders. Without loss of generality, assume that shareholders $SH.1, SH.2, \ldots, SH.t$ are selected by A.1. For each pseudonym $PS^{x}_{A.1}$ in the request, each chosen $SH.i$ generates a partial secret point $SP^{x,i}_{A.1} = g_i H_1(PS^{x}_{A.1})$ and sends it back to A.1. To verify the authenticity of each $SP^{x,i}_{A.1}$, A.1 needs to check whether

$$e(SP^{x,i}_{A.1}, W) = e(H_1(PS^{x}_{A.1}), W^{pub}_i).$$

Notice that, due to Eq. (2.1), both sides of the equation are equal to the same value $e(H_1(PS^{x}_{A.1}), W)^{g_i}$ if $SP^{x,i}_{A.1}$ is authentic. As a result, if the verification fails, A.1 knows that there must be something wrong with $SH.i$. For example, the reply from $SH.i$ might have undergone transmission errors, or $SH.i$ itself might have been physically or logically controlled by adversaries. A.1 can then request a new partial secret point from another, not yet selected, shareholder. Once it has obtained $t$ authentic partial secret points, A.1 utilizes Eq. (2.3) to calculate the complete secret point:

$$SP^{x}_{A.1} = \sum_{i=1}^{t} \lambda_i SP^{x,i}_{A.1} = g_A H_1(PS^{x}_{A.1}). \qquad (2.4)$$

As before, node A.1 cannot deduce $g_i$ from $SP^{x,i}_{A.1}$, nor can it obtain $g_A$ from $SP^{x}_{A.1}$, due to the difficulty of solving the DLP in $G_1$. It is worth noting that all the requests and replies should be end-to-end encrypted and authenticated to prevent adversarial access and modification. How to achieve this is beyond the scope of this chapter.

In terms of the choice of the secret-sharing parameters $t, n$, we have shown in [20] that the maximum security is obtained when $t = \lceil n/2 \rceil$ and $n$ is equal to either $2\lceil (N_A - 2)/5 \rceil - 1$ or $2\lfloor (N_A + 3)/5 \rfloor - 1$. Currently, we are investigating proactive approaches to further improve the security of the proposed scheme, e.g., by dynamically adjusting the shareholder set and the values of $t, n$ to allow dynamic node join/leave without changing $g_A$ while maintaining the highest level of security.

Table 2–1: Processing timings of cryptographic operations.

Item | Processing timings
Tate pairing | 8.5 ms
SHA-1 | 18.980 MB/s
Computation of <Skey, LinkID> pairs | 2.4 ms (for 1000 pairs)
RC6 | 7.111 MB/s
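To make the threshold mechanism of this subsection concrete, the following Python example (added here; not part of the dissertation or its MIRACL-based implementation) runs the share generation of steps 1–3, the Lagrange reconstruction of Eq. (2.3), the combination of partial secret points of Eq. (2.4), and the (t, n) choice from [20]. The pairing group G1 is replaced by the additive group Z_q so that it runs without a pairing library, so the e(·,·) commitment check is not modelled; the SHA-1-based stand-in for H1 and the shareholder IDs are assumptions.

```python
import hashlib
import random

# Constructed example of MASK's threshold replenishment (not the dissertation's code).
# The pairing group G1 is replaced by the additive group Z_q, which keeps the linear
# algebra of Eqs. (2.3) and (2.4) intact; the bilinear-map verification is not modelled.
Q = (1 << 159) + (1 << 17) + 1     # 160-bit Solinas prime q used in Section 2.4.1


def share_master_key(g_A, t, shareholder_ids, rng):
    """Steps 1-3: h(x) = g_A + sum_{i=1}^{t-1} a_i x^i over Z_q; share g_k = h(ID_SH.k)."""
    coeffs = [g_A % Q] + [rng.randrange(1, Q) for _ in range(t - 1)]

    def h(x):
        return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q

    return {sid: h(sid) for sid in shareholder_ids}


def lagrange_coeff(i, ids):
    """lambda_i = prod_{j != i} ID_j / (ID_j - ID_i) mod q (Eq. 2.3), i.e. h evaluated at 0."""
    num, den = 1, 1
    for j in ids:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, Q - 2, Q) % Q      # Fermat inverse, q is prime


def reconstruct_master_key(shares):
    """g_A = sum_i lambda_i g_i over any t shares {ID_SH.i: g_i} (Eq. 2.3)."""
    ids = list(shares)
    return sum(lagrange_coeff(i, ids) * g for i, g in shares.items()) % Q


def h1(pseudonym):
    """Assumed stand-in for H1: map a pseudonym to a group element (here an element of Z_q)."""
    return int.from_bytes(hashlib.sha1(pseudonym.encode()).digest(), "big") % Q


def partial_secret_point(g_i, pseudonym):
    """Shareholder SH.i computes SP^{x,i} = g_i * H1(PS^x) for the requested pseudonym."""
    return g_i * h1(pseudonym) % Q


def combine_partial_points(partials):
    """Eq. (2.4): SP^x = sum_i lambda_i SP^{x,i} = g_A * H1(PS^x); partials = {ID_SH.i: SP^{x,i}}."""
    ids = list(partials)
    return sum(lagrange_coeff(i, ids) * sp for i, sp in partials.items()) % Q


def recommended_parameters(N_A):
    """(t, n) choices from [20]: n = 2*ceil((N_A-2)/5)-1 or 2*floor((N_A+3)/5)-1, t = ceil(n/2)."""
    n_choices = (2 * (-(-(N_A - 2) // 5)) - 1, 2 * ((N_A + 3) // 5) - 1)
    return [(-(-n // 2), n) for n in n_choices]


def run_replenishment_demo(seed=2006, t=3, ids=(101, 202, 303, 404, 505), pseudonym="PS_1_A.1"):
    """Dealer setup with assumed shareholder IDs, reconstruction from t and from t-1
    shares, and Eq. (2.4) for one requested pseudonym. Returns the three checks."""
    rng = random.Random(seed)
    g_A = rng.randrange(1, Q)                      # group master key
    shares = share_master_key(g_A, t, ids, rng)
    # A.1 picks t shareholders; each returns a partial secret point for the pseudonym.
    partials = {k: partial_secret_point(shares[k], pseudonym) for k in ids[:t]}
    return {
        "t_shares_ok": reconstruct_master_key({k: shares[k] for k in ids[-t:]}) == g_A,
        "fewer_shares_ok": reconstruct_master_key({k: shares[k] for k in ids[:t - 1]}) == g_A,
        "secret_point_ok": combine_partial_points(partials) == g_A * h1(pseudonym) % Q,
    }


if __name__ == "__main__":
    print(run_replenishment_demo())          # t shares and Eq. (2.4) succeed, t-1 shares fail
    print(recommended_parameters(50))        # [(10, 19), (10, 19)] for the 50-node simulation
```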

2.4 Performance Evaluation

In this section, we evaluate the routing performance of MASK through simulations.

2.4.1 Simulation Setup

We implement MASK in GloMoSim [21], a popular network simulator for MANETs, and the pairing implementation is based on the MIRACL library [22]. The bilinear map $e$ we use is the Tate pairing, with some of the modifications and performance improvements described in [12, 14]. We use two security parameters, a 160-bit Solinas prime $q = 2^{159} + 2^{17} + 1$ and a 512-bit prime $p = 12qr - 1$ (for some $r$ large enough to make $p$ the correct size). Such bit-length configurations of $q, p$ can deliver a level of security comparable to 1024-bit RSA cryptography. The elliptic curve $E$ we use is $y^2 = x^3 + x$ defined over the finite field $\mathbb{F}_p$ (denoted by $E(\mathbb{F}_p)$). Then $G_1$ is a $q$-order subgroup of the additive group of points of $E(\mathbb{F}_p)$, while $G_2$ is a $q$-order subgroup of the multiplicative group of the finite field $\mathbb{F}^*_{p^2}$. In addition, we use SHA-1 [16] as the hash function $H_2$ and RC6 [18] as the encryption method for ARREPs and data packets.

We evaluate the computational costs of critical cryptographic operations in MASK on a Pentium III 1 GHz processor under Windows 2000. For convenience only, we assume the lengths of node pseudonyms, random nonces, Γ, and LinkIDs (also Skeys) to be 8, 4, 2, and 20 bytes, respectively. In fact, the impact of larger lengths on the results is negligible. From Table 2–1, we can see that the most time-consuming operation is the Tate pairing required by anonymous neighborhood authentication. Since the pairing is a relatively new concept, we anticipate that its evaluation cost will be much reduced with the rapid advances in cryptography. For example, Barreto et al. [23] recently announced an approach to evaluate the Tate pairing up to 10 times faster than previous methods, the implementation of which is underway.

Also note that the Tate pairing only needs to be performed once for a pair of neighboring nodes, and then the result can be fed into the fast SHA-1 to compute shared <Skey, LinkID> pairs. Supposing a node maintains Γ = 1000 <Skey, LinkID> pairs with each neighbor, the computation of these 1000 pairs only costs around 2.4 ms. Hence, when two neighboring nodes run out of the established shared <Skey, LinkID> pairs, they can generate Γ new pairs instantly. Moreover, the hop-by-hop link encryption/decryption operations based on RC6 are not time-consuming and can be done very quickly. Therefore, although we introduce some cryptographic operations into MASK to provide the desirable anonymity property, the resulting computation overhead and end-to-end packet delay are affordable.

The physical-layer path loss model is the two-ray model. The radio propagation range for each node is 250 meters and the channel capacity is 2 Mb/s. The base MAC protocol used is the DCF of IEEE 802.11, with some modifications according to MASK operations. We simulate an ad hoc network with 50 nodes uniformly deployed in a 700×700 m² square field. To emulate node mobility, we modify the random waypoint model in the GloMoSim library according to [24] in order to guarantee the convergence of the average nodal speed within the simulation time. In particular, initial speeds of nodes are chosen from the steady-state distribution, and subsequent speeds uniformly from the designated speed range. In addition, the pause time is set to zero, meaning that nodes are always moving. CBR sessions are used to generate network data traffic and various numbers of sources are used to simulate different offered loads. All the data packets are 512 bytes and are sent at a rate of 4 packets/second. Each simulation is executed for 15 simulated minutes and each data point represents an average of ten runs with identical traffic models but different randomly generated mobility scenarios.

In our implementation of MASK, for simplicity we introduce a fixed delay of 150 µs at each node to mimic the encryption/decryption processing of ARREPs and data packets with RC6. The purpose is to withstand the aforementioned message coding attack (cf. 2.3.4). In addition, the random delay method for data packets to be forwarded is also adopted in each node to thwart the timing analysis attack (cf. 2.3.4), where the random delay is uniformly distributed in [0, 50] ms. Furthermore, we set the maximum number of next-hop LinkIDs maintained for one destination to three. We compare the routing performance of MASK with the classical AODV routing protocol [5] with regard to three commonly-used metrics: (1) Packet delivery ratio (PDR) – the ratio of data packets successfully delivered to the destination over those generated at the sources; (2) Average end-to-end delay of data packets – this includes all possible delay caused by buffering during route discovery, queuing delay at the interface, retransmission delay at the MAC, and propagation delay; (3) Normalized routing load – the total number of routing control packets “transmitted” for each delivered data packet. Each hop-wise transmission of a routing control packet is counted as one transmission.

[Figure 2–3: The comparison between MASK and AODV. Three plots against average nodal speed V (m/s), each with curves for AODV and MASK at 20 and 40 sources: (a) PDR vs. V (packet delivery ratio, 0.65 to 1); (b) Normalized routing load vs. V (0 to 2.5); (c) Average packet delay vs. V (average end-to-end delay in s, 0 to 1.6).]

2.4.2 Simulation Results

Fig. 2–3(a) compares the PDRs of MASK and AODV under different traffic loads. We can see that MASK has a PDR similar to AODV under normal traffic load (i.e., 20 sources). The slight difference partly comes from the fact that routing request packets in MASK have a higher probability of colliding with and causing the dropping of data packets than those in AODV, due to the simple network-wide flooding of ARREQs in contrast to the expanding-ring-search method of AODV [5]. Another reason is that data packets in MASK are not always routed along the shortest paths due to the random selection of next-hops at intermediate nodes, which increases the dropping probability of data packets forwarded along longer paths. However, MASK outperforms AODV under heavy traffic load (i.e., 40 sources), where packets are more subject to collisions due to the high level of network congestion. The observed advantage mainly results from the aforementioned virtual multipath effect in MASK, that is, MASK may simultaneously maintain several next-hop LinkIDs for one given destination. If one of the next-hops becomes unreachable due to mobility, collisions or other reasons, a packet can still be forwarded through another available next-hop rather than being dropped as in AODV. Moreover, the random selection of next-hops at intermediate nodes acts as a load balancing method for evenly distributing the traffic in the network. For the same reason, MASK demonstrates comparable or lower routing overhead than AODV (see Fig. 2–3(b)), because MASK conducts route discovery less frequently than AODV.

In terms of the average packet delay (Fig. 2–3(c)), MASK behaves worse than AODV under normal traffic load as a result of the per-hop random delay, the fixed encryption/decryption delay, and the delay incurred by the Tate pairing operations. Therefore, there is a tradeoff between the desired packet delay and the level of anonymity. However, under heavy traffic load, both the virtual multipath effect and the processing delay (including the above three) introduced into MASK help mitigate the possible MAC-layer collisions, which contributes to the advantage of MASK over AODV shown in Fig. 2–3(c). In summary, our MASK not only achieves the desirable anonymity without sacrificing routing efficiency, but also helps improve it under heavy traffic load.

2.5 Related Work

Anonymous communication protocols have been studied extensively in wired networks. Chaum [25] defines a layered object that routes data through a chain of pre-deployed intermediate nodes called mixes. Following this work, Reed et al. propose the Onion Routing protocol [26], in which data is wrapped in a series of encrypted layers to form an onion by a series of proxies communicating over encrypted channels. The state of the art of anonymity in wired networks can be found in [27]. However, the proposals in the Internet realm cannot be directly applied to MANETs, mainly because the prerequisite pre-deployed infrastructure, such as the well-known mixes, is often unavailable in infrastructureless MANETs.


In contrast, there is little work done to address the anonymity problem and related

issues in the context of MANETs. Jiang et al. explore the use of mixes in MANETs

[28] by designing a mix discovery protocol that allows communicating nodes to choose mix

nodes at run time. As noted before, such mix nodes are either unavailable or unreliable

in MANETs deployed in hostile environments. The same authors also propose to prevent

traffic analysis by using traffic padding, i.e., generating dummy traffic into the network [19],

but their work does not aim to enable anonymous communications. Most recently, Kong

and Hong propose an anonymous on-demand routing protocol, called ANODR [29], to

conceal network IDs of communicating nodes. Besides the computationally intensive route

discovery process, ANODR is very sensitive to node mobility, which leads to a low routing

efficiency, as the authors mentioned. By comparison, our MASK enables an AODV-like

anonymous on-demand routing protocol with high routing efficiency. In addition, MASK

addresses anonymous MAC-layer communications, which is left untouched in [29].

2.6 Summary

In this chapter, we propose MASK, a novel anonymous on-demand routing protocol, to enable both anonymous MAC-layer and network-layer communications so as to thwart adversarial passive eavesdropping and the resulting attacks. By careful design, MASK provides the anonymity of senders, receivers and sender-receiver relationships, as well as node unlocatability and untrackability and end-to-end flow untraceability. It is also resilient to a wide range of attacks. Detailed simulation studies demonstrate that MASK has routing efficiency comparable to the classical AODV routing protocol while achieving the nice anonymity property.

This chapter focuses on dealing with passive attacks, and thus there are several unaddressed issues in the current MASK design. First, anonymous neighborhood authentication in MASK relies on pairing operations, which currently have computational overhead similar to conventional public-key operations. Therefore, adversaries might launch active DoS attacks on target nodes by continuously sending a number of bogus authentication requests, which is a problem any authentication scheme has to face. Second, the routing information in the current design is only secured against external adversaries. Once they become internal adversaries by compromising certain nodes, adversaries can send bogus routing messages that are difficult for legitimate nodes to verify. Third, although pairing-based cryptography is an active research topic nowadays, its implementation on low-end devices is still an open problem.

As future research, we will first incorporate some intrusion detection capabilities into MASK to defend against not only passive attacks but also active DoS-type attacks such as those mounted on neighborhood authentication. In addition, we plan to combine MASK with other secure routing protocols such as [8, 9] to ensure both routing anonymity and strong routing security. Finally, we will seek theoretical proofs to show the resilience of MASK to rigorous adversarial cryptanalysis.

CHAPTER 3
SECURING MOBILE AD HOC NETWORKS WITH CERTIFICATELESS PUBLIC KEYS

3.1 Introduction

In this chapter, we are concerned with key management, the foundation on which to

build any other security mechanism for MANETs.

Conventional key management techniques may either require an online trusted server or

not. The infrastructureless nature of MANETs precludes the use of server-based protocols

such as Kerberos [30]. We therefore focus on discussing serverless approaches from here

on. There are two intuitive symmetric-key solutions, though neither is satisfactory. The

first one is to preload all the nodes with a global symmetric key, which is vulnerable to any

point of compromise: if any single node is compromised, the security of the entire network

is breached. Assuming a network of N nodes, the other solution is to let each pair of nodes

maintain a unique secret that is only known to those two nodes. This approach suffers from

three main drawbacks making it also unsuitable for MANETs. First, it lacks scalability

because it is difficult to establish pairwise symmetric keys between existing nodes and

newly-joined nodes. Second, securely updating the overall N(N − 1)/2 keys in the network

is a nontrivial (if not impossible) task, as the size of the network increases. Last, it requires

each node to store (N − 1) keys, which may represent a significant storage overhead in a

large network. Symmetric-key techniques are also commonly criticized for not supporting

efficient digital signatures because each key is known to at least two nodes. This renders

public-key solutions more appealing for MANETs, which are the theme of this chapter.

There has been a rich literature on public-key management in MANETs, see [31, 32, 33, 34, 35, 36] for example. These schemes all depend on certificate-based cryptography (CBC), which uses public-key certificates to authenticate public keys by binding public keys to the owners' identities. A main concern with CBC-based approaches is the need for certificate-based public-key distribution. One naive method is to preload each node with all the others' public-key certificates prior to network deployment. This approach can neither scale well with increasing network size, nor handle key update in a secure and cost-effective way. Another approach, on-demand certificate retrieval, may cause both unfavorable communication latency and often tremendous communication overhead, which will be justified via simulations in Section 3.5.5.

As a powerful alternative to CBC, ID-based cryptography (IBC) [11] has been gaining momentum in recent years. It allows public keys to be derived from entities' known identity information, thus eliminating the need for public-key distribution and certificates. This nice feature has inspired a few IBC-based certificateless public-key management schemes for MANETs such as [37, 38, 39, 20]. The basic idea is to let some [37, 38, 20] or all network nodes [39], called shareholders, share a network master-key using threshold cryptography [15, 40] and collaboratively issue ID-based private keys. There, however, remain many issues to be satisfactorily resolved. First of all, the security of the whole network is breached when a threshold number of shareholders are compromised. Second, updating ID-based public/private keys requires each node to individually contact a threshold number of shareholders, which represents a significant communication overhead in a large-scale MANET. Third, except for our preliminary result in [20], none of the existing proposals considers how to select the secret-sharing parameters used with threshold cryptography to achieve desirable levels of security and robustness. Last, there is no comprehensive quantitative argument about the advantages of IBC-based public-key management schemes over CBC-based ones.

In this chapter, we address all the above concerns by devising an ID-based key manage-

ment scheme, called IKM, for special-purpose MANETs administered by a single authority.

MANETs of this type have long been recognized and will continue to be one of the ma-

jor application categories of wireless ad hoc networking techniques. Typical examples are

those deployed in military battlefield operations and homeland security scenarios. Our

major contributions are as follows:

• A novel construction method of ID-based public/private keys. In IKM, each node’s public key as well as private key is composed of a node-specific, ID-based element and a network-wide common element. Node-specific key elements ensure that the compromise of arbitrarily many nodes does not jeopardize the secrecy of non-compromised nodes’ private keys; common key elements enable very efficient network-wide public/private key updates via a single broadcast message. We also discuss efficient key agreement, public-key encryption, and digital signatures based on such public/private keys.

• Determining secret-sharing parameters used with threshold cryptography. Similar to [37, 38, 39], we apply threshold cryptography to distribute a network master-key among some shareholders. Different from them, we identify devastating pinpoint attacks against shareholders and propose the corresponding countermeasure based on anonymous routing [41]. In addition, we discuss how to choose the secret-sharing parameters for meeting desirable levels of security and robustness.

• Simulation studies of advantages of IKM over CBC-based schemes. By detailed simulations, we show that IKM has equivalent performance to CBC-based schemes, denoted by CKM, with regard to key revocation, while behaving much better in key updates. Furthermore, we demonstrate that IKM is able to turn an elegant CKM-based secure routing protocol [42] into a much more efficient one.

Since most existing MANET security mechanisms rely on the heavy use of certificates,

we believe that our findings open a new avenue towards more effective, efficient security

designs.

The rest of the chapter is organized as follows. In Section 3.2, we define the notation

to be used and survey the related work. Next we present design goals and the network and

adversary models in Section 3.3, followed by a detailed illustration of the IKM design in

Section 3.4. Then the simulation-based comparative study of our IKM and CKM is given

in Section 3.5, and this chapter is finally concluded in Section 6.8.

3.2 Preliminaries

In this section, we first define the notation to be used in the rest of this chapter, and

then survey the related work.

3.2.1 Notation

For clarity, Table 3–1 lists some important notation whose concrete meanings will be

further explained where they appear for the first time.

3.2.2 Related Work

Here we only discuss prior art that is more germane to our work, and refer to [43] for

a more comprehensive survey.

The seminal paper by Zhou and Haas [31] suggests using CBC and $(t, n)$-threshold cryptography [15, 40] in MANETs. Let $N$ be the overall number of nodes and $t, n$ be two integers satisfying $t \le n < N$. In [31], prior to network deployment, the CA’s public key is


Table 3–1: Notation

$p, q$ : two large primes
$\mathbb{G}_1, \mathbb{G}_2$ : cyclic groups of order $q$
$e$ : pairing s.t. $e: \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$
$H_1$ : mapping strings to non-zero elements in $\mathbb{G}_1$
$\Psi$ : the network node set, $|\Psi| = N$
$\Omega$ : the D-PKG set, $|\Omega| = n$
$ID_A$ : network ID of node $A$
$t, n$ : secret-sharing parameters
$g(x)$ : $(t-1)$-degree polynomial
$\lambda_V(x)$-s : Lagrange coefficients
$\overline{ID_A}$ : key revocation against node $A$
$K_{P1}, K_{P2}$ : two distinct network master secrets
$W$ : generator of $\mathbb{G}_1$
$W_{P1}, W_{P2}$ : $W_{P1} = K_{P1}W \in \mathbb{G}_1$, $W_{P2} = K_{P2}W \in \mathbb{G}_1$
$k_{A,B}$ : symmetric key shared between $A$ and $B$
$p_i$ : $i$th key update period, for $1 \le i \le M$
$K_A / K^{-1}_A$ : node-specific public-key and private-key elements of node $A$
$K_{p_i} / K^{-1}_{p_i}$ : common public-key and private-key elements in phase $p_i$
$salt_i$ : unique binary string associated with $p_i$
$K_{A,p_i} / K^{-1}_{A,p_i}$ : public/private keys of node $A$ in phase $p_i$
$K^V_{P2}$ : the D-PKG $V$’s secret share of $K_{P2}$
$\gamma$ : revocation threshold
$\mathcal{F}$ : mapping a given node ID to $\beta$ D-PKG IDs
$h$ : hash function such as SHA-1 [16]
$\{m\}_{k_x}$ : message $m$ encrypted under key $k_x$ with a symmetric-key primitive
$[m]_{K^{-1}_{A,p_i}}$ : message $m$ with its ID-based signature generated under private key $K^{-1}_{A,p_i}$


furnished to each node, while its private key is divided into n shares, each uniquely assigned

to one of n chosen nodes called D-CAs hereafter. During network operation, any t D-CAs

can jointly perform certificate generation and revocation based on their secret shares, while

any less than t D-CAs cannot. Yi and Kravets [34] propose to select computationally

more powerful and physically more secure nodes as D-CAs. Both schemes can tolerate the

compromise of up to (t− 1) D-CAs so that adversaries cannot reconstruct the CA’s private

key, and the failure of up to (n − t) D-CAs so that there are always at least t functional

D-CAs.

Different from [31, 34], URSA [32, 36] is a (t,N)-threshold scheme in which each of the

N nodes is a D-CA. The advantage of URSA is the increased service availability in that a

certificate can now be generated or revoked by any t nearby nodes, and URSA can tolerate

the failure of up to (N − t) D-CAs. The disadvantage, however, is that the compromise of

any t out of N nodes would expose the CA’s private key and thus result in loss of overall

system security [34]. In addition, as noted in [44], URSA is vulnerable to the Sybil attack

[45] because an adversary can take as many identities as necessary to collect enough shares

and reconstruct the CA’s private key. Other security problems of URSA are analyzed in

[33, 46].

All the above schemes are based on RSA [47], either explicitly [32, 36] or implicitly

[31, 34, 35]. By comparison, the scheme [33] relies on DSA [48] and threshold cryptography,

and has much worse communication efficiency than RSA-based schemes. The reason is that,

to tolerate the compromise of up to (t− 1) D-CAs, the DSA-based scheme needs to contact

(2t − 1) D-CAs for generating a new certificate, while RSA-based approaches only involve

t D-CAs [33]. Please refer to [39] for simulation studies of the communication inefficiency

of DSA-based approaches.

The aforementioned CBC-based schemes are all targeted for single-authority MANETs

as what we have in mind. Another notable line of approaches such as [44, 49] is to let each

node act as a CA to issue certificates to other nodes. While perhaps suitable for authority-less

civilian networks, they are less fit for single-authority MANETs under consideration.

Despite its attractive features, IBC has not received deserved attention as a powerful

tool to secure MANETs until recently. Khalili et al. [37] suggest using IBC and threshold


cryptography in MANETs, but their work is conceptual. Deng et al. [38] present an ID-based key management scheme for authority-less MANETs, which is thus less applicable to the single-authority MANETs we aim at. Bohio and Miri [50] propose to use ID-based keys for secure

broadcast, but their work is not intended for efficient key management. Our preliminary

work [20] also addresses the secure application of IBC to MANETs. In addition, Zhang

et al. develop MASK [41, 51], an IBC-based anonymous on-demand routing protocol for

MANETs.

The closest work to ours is ID-GAC [39], in which Saxena et al. present an elegant

IBC-based access control scheme for ad hoc groups such as MANETs. ID-GAC is basically

a (t,N)-threshold scheme, in which, prior to deployment, each of the N nodes is furnished

with a share of a master-key. Although having high-level service availability as URSA

[36], ID-GAC suffers from the same undesirable security drawback mentioned above. In

contrast, our IKM is a (t, n)-threshold scheme, similar to [31, 34]. At first glance, IKM is

less robust than ID-GAC because it only tolerates the failure of up to (n− t) shareholders

instead of (N − t) in ID-GAC. However, this also means that IKM is more secure than ID-

GAC because the fewer shareholders make it feasible to spend more in safeguarding them,

for instance, by enclosing them in high-quality tamper-resistant devices and/or putting

them under better monitoring. In addition, our IKM incorporates an additional defense

line by making shareholders indistinguishable from common nodes via anonymous routing

[41]. Furthermore, even when t or more shareholders are compromised and the master-key

is exposed, our novel public/private key construction method guarantees that private keys

of non-compromised nodes remain safe. This is in contrast to the overall loss of security

in ID-GAC (see Section 3.4.7). Moreover, each non-compromised node in ID-GAC needs

to individually contact t shareholders for key update. In contrast, our IKM is much more

efficient in both computation and communication by updating public/private keys of all the

non-compromised nodes via a single broadcast message. In addition, ID-GAC suffers

from the Sybil attack as URSA, while our IKM does not.

3.3 Design Goals and System Models

In this section, we present our design goals as well as network and adversary models.


3.3.1 Design Goals

From our point of view, a sound key management scheme for MANETs should satisfy the following requirements. First, it must not have a single point of compromise and

failure because mobile nodes deployed in hostile environments are subject to either logical

or physical attacks. Second, it should be compromise-tolerant, meaning that the compromise of a certain number of nodes does not harm the communication security between

non-compromised nodes. Third, it should be able to efficiently and securely revoke keys

of compromised nodes once detected and update keys of non-compromised nodes. Last, it

should be efficient in terms of storage, computation, and communication, as mobile nodes

are usually very resource-constrained. It is worth stressing that communication efficiency is

far more important an issue in MANETs than in wireline networks, as wireless transmission

of a bit can require over 1000 times more energy than a single 32-bit computation (see [52]).

We thus must seek ways to reduce communications related to key management as much as

possible.

3.3.2 Network Model

We consider a special-purpose, single-authority MANET consisting of N nodes, de-

noted by a set notation Ψ (|Ψ| = N). The network size N may be dynamically changing

with node join, leave, or failure over time. Depending on different applications, N may

range from several tens to several thousands or even more. Each node A ∈ Ψ has a unique

ID, denoted by IDA and assumed to be its network-layer address as usual.

We assume that each node has limited transmission and reception capabilities. Two

nodes out of transmission range of each other can communicate via a sequence of interme-

diate nodes in a multihop fashion. Since all the nodes belong to a single authority and thus

have common interests, node selfishness [4] is not worrisome in that each node is ready to

forward packets not destined for itself. Nodes may freely move in the network, but do not

continuously move so rapidly as to make the flooding of every data packet the only feasible

routing protocol. This is a common assumption made about node mobility by nearly all

MANET schemes. We further assume that nodes are capable of performing public-key op-

erations, which is reasonable for the targeted application scenarios, though symmetric-key

operations should be used instead whenever possible.


Our IKM is independent of the underlying transport, routing, or MAC protocols. How-

ever, we do assume that, whenever needed, a valid unicast route can be established between

any two nodes. This can be achieved through many existing secure routing protocols, such

as ARAN [42]. It is worth pointing out that, similar to almost all the other existing secure

routing schemes, ARAN is built upon conventional certificates. In later Section 3.5.5, we

will show that it can be easily converted into a much more efficient scheme based on our

IKM.

3.3.3 Adversary Model

Our intention here is to devise a sound key management scheme for MANETs, so we

just consider attacks aimed at key management itself. Mitigating denial-of-service attacks,

such as physical-layer jamming, MAC-layer misbehavior, or routing disruption, though

important, is beyond the chapter scope.

Attacks can be mounted by a single adversary or collaborative ones. We differentiate

between node compromise and disruption attacks. By saying that a node is compromised,

we mean that adversaries have complete control over it, including learning or modifying

its secret information, changing its intended behavior, and so on. In contrast, disrupting

a node means that adversaries can only disrupt communication to that node, e.g., by

interfering with wireless signals to and from it, but cannot read the secret information stored

on it. Therefore, node disruption attacks are less severe than node compromise attacks.

However, we assume that adversaries cannot compromise or disrupt an unlimited number

of nodes so that legitimate nodes are always the majority. Neither can they break any of

the cryptographic primitives on which we base our design. In addition, we assume static

instead of dynamic adversaries [53].

We further assume that compromised nodes will eventually exhibit detectable mis-

behavior. There is unlikely to be a valid security solution if compromised nodes remain

“passive.” As [32, 36], we assume an efficient misbehavior detection scheme such as [3] or

[54]. One of our main objectives is to drive identified compromised nodes out of the network

by revoking their keys. Hereafter we use compromised nodes to indicate those which have

been compromised and identified, unless otherwise stated.


There are n distributed authorities called D-PKGs in our IKM, similar in role to the

distributed CAs (D-CAs) in conventional CKM [31, 32, 33, 34, 35, 36]. The D-PKGs differ

from common nodes only in that each of them knows a share of a network master-secret.

Similar to [31, 32, 33, 34, 35, 36], our IKM works properly on the assumption that adversaries

can compromise at most (t−1) D-PKGs and can disrupt no more than (n−t) D-PKGs. For

the sake of simplicity, we refer to this assumption as the t-limited assumption. Note that

this t-limited assumption only needs to hold in each predetermined time period rather than

the whole network lifetime, if proactive secret sharing [55] is used to periodically refresh

secret shares of the D-PKGs.

3.4 IKM Design

This section presents our IKM design. We first provide an overview of IKM in Sec-

tion 3.4.1, and then describe the key predistribution phase in Section 3.4.2. Next we discuss

how to achieve efficient key revocation and update in Sections 3.4.3 and 3.4.4, respectively.

Section 3.4.5 presents our method of protecting the D-PKGs from devastating pinpoint

attacks, and Section 3.4.6 gives general guidelines as to how to select the secret-sharing

parameters t, n. Finally, the security of IKM is analyzed in Section 3.4.7.

3.4.1 Overview

In IKM, each node should carry an authentic ID-based public/private key pair at any

time as a proof of its group membership. With such key pairs, nodes can realize mutual

authentication, key agreement, public-key encryption, and digital signatures, among other

security services. IKM consists of three phases: key predistribution, revocation, and update.

Key predistribution is a one-time process occurring during network initialization, where

a Private Key Generator (PKG), essentially a trusted authority, determines a set of system

parameters and preloads every node with appropriate keying materials. In addition, the

PKG distributes its functionality to n D-PKGs selected among the N nodes to enable secure

and robust key revocation and update during network operation.

To minimize the damage from node compromise, it is essential to explicitly revoke the public

keys of compromised nodes. During network operation, if suspecting that a peer, say A,

has been compromised, a node sends a signed accusation against A to some D-PKGs. The

accused A is diagnosed as compromised when the number of accusations against it reaches a


predefined revocation threshold, denoted by γ, in a certain time window. At that point, the

network enters the key revocation phase in which the D-PKGs jointly issue a key revocation

against A.

As a common practice [36], public/private keys of mobile nodes need to be updated

at intervals for many reasons, e.g., to guard against cryptanalysis. The key update phase

may occur either periodically according to a prescribed time period, or reactively when the

number of revoked nodes attains some predetermined threshold. During this phase, each

non-revoked node can update its public key autonomously and its private key via a single

broadcast message. This is enabled by our novel public/private key construction method.

Our scheme can also ensure that compromised nodes, once revoked, cannot get their keys

updated, and they are thus isolated from the network.

Due to the shared wireless medium, it is easy for adversaries to find the whereabouts of

D-PKGs based on their network IDs leaked in routing and data packets [41]. This renders

the D-PKGs particularly vulnerable to devastating pinpoint attacks. As a natural defense,

we propose to make the D-PKGs indistinguishable from common nodes via anonymous

routing [41]. This measure allows us to provide general guidelines about how to choose the

secret-sharing parameters t, n for achieving desirable levels of security and robustness.

3.4.2 Network Initialization

For a single-authority MANET under consideration, it is reasonable to assume a trusted

PKG to bootstrap the network, which itself is not part of the resulting network.

Generation of pairing parameters. To bootstrap the network, the PKG does the

following operations:

1. Generate the pairing parameters $(q, \mathbb{G}_1, \mathbb{G}_2, e, W, H_1)$ (cf. Section 2.2.1), where $W$ is an arbitrary generator of $\mathbb{G}_1$, and $H_1$ is a hash function mapping given strings to non-zero elements in $\mathbb{G}_1$.

2. Pick two distinct random numbers $K_{P1}, K_{P2} \in \mathbb{Z}_q^*$ as network master-secrets. Set $W_{P1} = K_{P1}W$ and $W_{P2} = K_{P2}W$, respectively.

The parameters $(q, e, H_1, W, W_{P1}, W_{P2})$ are public knowledge preloaded to each node, while $K_{P1}$ and $K_{P2}$ should never be disclosed to any single node.


Secret sharing. To enable key revocation and update during network operation,

it is necessary to introduce the PKG functionality into the network. In our design, only

knowledge of KP2 is introduced into the network to ensure high-level compromise tolerance

(analyzed in Section 3.4.7). To avoid single point of compromise and failure, the PKG

performs a $(t, n)$-threshold secret sharing of $K_{P2}$ by first determining a random polynomial,

$$g(x) = K_{P2} + \sum_{i=1}^{t-1} g_i x^i \pmod q.$$

It then randomly selects a subset $\Omega \subset \Psi$ of size $n$ of nodes as D-PKGs ($t \le n < |\Psi| = N$). Then the PKG assigns to each $V \in \Omega$ a secret share computed as $K^V_{P2} = g(ID_V)$. Based on Lagrange interpolation, any subset $\mathcal{A} \subset \Omega$ of size $t$ can co-determine the polynomial:

$$g(x) = \sum_{V \in \mathcal{A}} \lambda_V(x)\, K^V_{P2} \pmod q, \qquad (3.1)$$

where $\lambda_V(x) = \prod_{S \in \mathcal{A} \setminus \{V\}} \frac{ID_S - x}{ID_S - ID_V}$ is called a Lagrange coefficient. The PKG’s master secret $K_{P2}$ can then be reconstructed by computing $g(0)$. However, any subset of $\Omega$ of size $(t-1)$ or smaller does not suffice to do so. To enable verifiable secret sharing, the PKG also calculates a set of values $\{W^V_{P2} = K^V_{P2} W \mid V \in \Omega\}$ preloaded to each D-PKG. Due to the difficulty of solving the DLP in $\mathbb{G}_1$, all the other D-PKGs cannot deduce the secret share $K^V_{P2}$ of D-PKG $V$ from $W^V_{P2}$. The IDs of all the D-PKGs are known to each node to make key revocation and update feasible, and the choice of $t, n$ will be discussed in Section 3.4.6.

Generation of ID-based public/private keys. One of our essential design points

is how to construct an ID-based public/private key pair for each node A, be it a D-PKG

or common node. Our IKM is composed of a number of continuous, non-overlapping key update phases, denoted by $p_i$ for $1 \le i \le M$, where $M$ is the maximum possible phase index. Such $p_i$-s need not be of the same length in time, and nodes are therefore not required to be time-synchronized for them. Each $p_i$ is associated with a unique binary string, called a phase salt and denoted by $salt_i$. Prior to deployment, the PKG issues a random number $salt_1$ to each node which, in turn, can subsequently generate $salt_i = h(salt_{i-1})$ ($1 < i \le M$) by itself with an efficient hash function $h$ such as SHA-1 [16].

In IKM, each public/private key pair is both node-specific and phase-specific, and node A’s key pair valid only during phase $p_i$ is denoted by $\langle K_{A,p_i}, K^{-1}_{A,p_i} \rangle$. Each of $K_{A,p_i}$ and $K^{-1}_{A,p_i}$ comprises a node-specific element and a phase-specific element common to all the nodes, both in $\mathbb{G}_1$. In particular,

$$K_{A,p_i} := (K_A, K_{p_i}) = (H_1(ID_A),\, H_1(salt_i)),$$

$$K^{-1}_{A,p_i} := (K^{-1}_A, K^{-1}_{p_i}) = (K_{P1}H_1(ID_A),\, K_{P2}H_1(salt_i)).$$

Initially, the PKG issues $\langle K_{A,p_1}, K^{-1}_{A,p_1} \rangle$ to node A, which can acquire $\langle K_{A,p_i}, K^{-1}_{A,p_i} \rangle$ ($1 < i \le M$) from the D-PKGs during network operation, as will be shown later. For convenience, hereafter we refer to $\langle K_{p_i}, K^{-1}_{p_i} \rangle$ as the common public-key and private-key elements of phase $p_i$, and $\langle K_A, K^{-1}_A \rangle$ as the node-specific public-key and private-key elements of node A. The former pair varies across key-update phases, while the latter pair remains

unchanged during network lifetime and should be kept confidential to A itself.

Due to the difficulty of solving the DLP in G1, it is computationally infeasible to de-

rive the network master-secrets KP1 and KP2 from an arbitrary number of public/private

key pairs [12, 13]. This means that, no matter how many key pairs adversaries acquire from

compromised nodes, they cannot deduce the private key of any non-compromised node.

Therefore, our IKM exhibits the desirable compromise-tolerant property. The advantage

of our key construction method in facilitating key update can be seen in Section 3.4.4. In

addition, the resulting higher-level resilience to the compromise of D-PKGs than the con-

ventional key construction method [39, 20] is to be analyzed in Section 3.4.7. Furthermore,

we refer readers to [56] for the use of such public/private keys in key agreement, encryption/decryption, and signature generation/verification.

Our IKM allows dynamic node join at any time and thus ensures high network scal-

ability. Suppose a new node X joins the network at phase pi. The PKG just needs to

pre-equip X with the public system parameters and $\langle K_{X,p_i}, K^{-1}_{X,p_i} \rangle$.

Generation of key-update parameters. Let $t_c$ be the maximum number of compromised nodes the network can tolerate. To realize broadcast-based public/private key updates, the PKG picks $M$ distinct $2t_c$-degree polynomials, $\{l_i(x) = \sum_{j=0}^{2t_c} l_{i,j}x^j \pmod q\}_{i=1,\dots,M}$ with $l_{i,j} \in \mathbb{Z}_q^*$, and $M$ distinct $t_c$-degree polynomials, $\{u_i(x) = \sum_{j=0}^{t_c} u_{i,j}x^j \pmod q\}_{i=1,\dots,M}$ with $u_{i,j} \in \mathbb{Z}_q^*$. Since $K^{-1}_{p_i}$ is a point on $E/\mathbb{F}_p$, its x-coordinate (denoted as $[K^{-1}_{p_i}]_x$) can be uniquely determined from its y-coordinate (denoted as $[K^{-1}_{p_i}]_y$). The PKG then constructs $\{v_i(x) = [K^{-1}_{p_i}]_y - u_i(x)\}_{i=1,\dots,M}$, which are given to each node A along with $\{l_i(ID_A)\}_{i=1,\dots,M}$.

Summary. To summarize, each node has the following cryptographic materials before network deployment:

• Pairing parameters: $(q, e, H_1, W, W_{P1}, W_{P2})$.

• Public and private keys: $\langle K_{A,p_1}, K^{-1}_{A,p_1} \rangle$.

• Phase salt: $salt_1$.

• Key-update parameters: $\{v_i(x), l_i(ID_A)\}_{i=1,\dots,M}$.

In addition to the above materials, each D-PKG $V \in \Omega$ holds a secret share $K^V_{P2}$ and the values $\{W^V_{P2} = K^V_{P2}W \mid V \in \Omega\}$.

3.4.3 Key Revocation

Key revocation comprises three subprocesses: misbehavior notification, revocation gen-

eration, and revocation verification. The following description applies to phase pi.

Misbehavior notification. Upon detection of node A’s misbehavior, node B generates a signed accusation $[ID_A, s_B]_{K^{-1}_{B,p_i}}$ against A, where $s_B$ is a timestamp for withstanding message replay attacks. The accusation needs to be sent to the D-PKGs to report A’s mis-

behavior. The naive flooding of the accusation is insecure because it may alert the accused

A to temporarily behave normally. By doing so, it attempts to make the number of ac-

cusations against it below the predefined revocation threshold γ to avoid being revoked.

Therefore, B should unicast the accusation secretly to the D-PKGs. The next question is

to which D-PKGs the accusation is sent. The following approach is adopted in IKM.

During network initialization, the PKG furnishes each node with a function F that

maps each node ID to the IDs of $\beta$ distinct D-PKGs. More formally, for node $A \in \Psi$, $\mathcal{F}(ID_A) = \{ID_{X_j} \mid 1 \le j \le \beta,\ X_j \in \Omega,\ X_j \ne A\}$. There are many possible ways to construct

such a function. One simple approach is to divide the node set Ψ into n disjoint node

sets, each associated with β D-PKGs. However, the condition that must be satisfied is that

the node set a D-PKG belongs to should not be associated with itself. In our IKM, node B is required to send the accusation in the encrypted form $\{[ID_A, s_B]_{K^{-1}_{B,p_i}}\}_{k_{B,V}}$ to each $V \in \mathcal{F}(ID_A)$, where $k_{B,V}$ is the key shared with V that can be derived using the method given in [56].


The value of β determines the tradeoff between resilience to D-PKG compromise and

communication overhead. The smaller β is, the lower the related communication overhead and the less resilient the network is to the compromise of D-PKGs, and vice versa. Specifically,

in one extreme case that β = 1, the communication overhead is the lowest, while the

compromise of a D-PKG, say IDX1 (X1 ∈ Ω) which has not been revoked, would allow all

the accused whose IDs are mapped by F to IDX1 to escape revocation. In another extreme

case that β = n, the network shows perfect resilience to D-PKG compromise, while the

related communication overhead is the highest. Therefore, β should be carefully chosen in

practice to strike a good balance between these two metrics.

Revocation generation. Upon receipt of an accusation from B, a D-PKG will

simply drop it if the accuser itself has been revoked. Otherwise, the D-PKG saves the

accusation after decrypting it and verifying B’s signature. To prevent an unrevoked com-

promised node from falsely accusing legitimate nodes, a node is diagnosed as compromised

only when the number of accusations against it reaches the network-wide revocation thresh-

old γ in one key update phase or any other predetermined time window. The choice of γ is

application-specific and determines the tradeoff between tolerance of false accusations and

compromise detectability: a larger γ means higher-level tolerance of false accusations but

lower compromise detectability, and vice versa.

Once the revocation threshold is attained, a key revocation against node A needs to

be generated and published. In IKM, generating a revocation requires the joint efforts of t D-PKGs. For simplicity, we assume that, among $\mathcal{F}(ID_A)$, the D-PKG with the smallest ID acts as the revocation leader. We distinguish between two cases. If $\beta \ge t$, each of

the t D-PKGs in F(IDA) with smallest IDs generates a partial revocation (shown below)

sent to the revocation leader. If β < t, all the D-PKGs in F(IDA) should generate a partial

revocation and send it to the revocation leader. In addition, the revocation leader sends

the accumulated accusations against A to (t− β) extra randomly-picked D-PKGs, each of

which responds with a partial revocation after verifying the accusations.
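The accusation path just described (the mapping F, the signed accusation under the shared key, the γ-threshold count at a D-PKG, and the choice of the t participating D-PKGs for β ≥ t and β < t), as an added Python example that is not the dissertation's code. The HMAC under k_{B,V}, toy_shared_key(), the node IDs and all numeric parameters are constructed stand-ins.

```python
"""Added example, not the dissertation's code: the accusation path of
Section 3.4.3 as a D-PKG would run it.  F is built the simple way the text
suggests (Psi split into n disjoint sets, each tied to beta D-PKGs, never to a
D-PKG in that set), and a D-PKG counts distinct, fresh, authentic accusations
per accused inside a time window until gamma is reached.  The ID-based
signature plus k_{B,V} encryption is stood in for by an HMAC under k_{B,V};
toy_shared_key() replaces the key agreement of [56] (both are insecure toys)."""
import hashlib
import hmac
import random
from collections import defaultdict
from typing import Dict, List, Tuple


def build_F(psi: List[str], omega: List[str], beta: int) -> Dict[str, List[str]]:
    """Node ID -> up to beta D-PKG IDs.  D-PKG omega[k] sits in set k; common nodes
    are spread over the n sets by hash.  Set k is served by omega[k+1 .. k+beta]
    (mod n), which excludes omega[k] itself for beta < n; for beta = n the mapped
    node is dropped explicitly, matching X_j != A."""
    n = len(omega)
    if not 1 <= beta <= n:
        raise ValueError("need 1 <= beta <= n")
    index = {v: k for k, v in enumerate(omega)}
    F = {}
    for a in psi:
        k = index.get(a, int(hashlib.sha256(a.encode()).hexdigest(), 16) % n)
        F[a] = [x for x in (omega[(k + 1 + j) % n] for j in range(beta)) if x != a]
    return F


def toy_shared_key(b: str, v: str) -> bytes:
    """Constructed stand-in for the pairwise key k_{B,V} of [56] (not secure)."""
    return hashlib.sha256(f"k|{b}|{v}".encode()).digest()


def sign_accusation(k_bv: bytes, accuser: str, accused: str, ts: int) -> bytes:
    """Stand-in for {[ID_A, s_B]_{K^-1_{B,p_i}}}_{k_{B,V}}: an HMAC under k_{B,V}."""
    return hmac.new(k_bv, f"{accuser}|{accused}|{ts}".encode(), hashlib.sha256).digest()


class DPKG:
    """One D-PKG V collecting accusations until the revocation threshold gamma."""

    def __init__(self, my_id: str, psi: List[str], gamma: int, window: int):
        self.id, self.gamma, self.window = my_id, gamma, window
        self.keys = {b: toy_shared_key(b, my_id) for b in psi if b != my_id}
        self.revoked = set()
        self.log = defaultdict(dict)      # accused -> {accuser: timestamp}
        self.seen = set()                 # (accuser, accused, ts) already handled

    def mark_revoked(self, node: str) -> None:
        self.revoked.add(node)

    def receive(self, accuser: str, accused: str, ts: int, tag: bytes, now: int) -> str:
        """Apply the text's rules in order: drop revoked accusers, verify the
        signature, reject replays and stale timestamps, then count distinct
        accusers of `accused` within the window against gamma."""
        if accuser in self.revoked:
            return "dropped: accuser revoked"
        if accuser not in self.keys or not hmac.compare_digest(
                sign_accusation(self.keys[accuser], accuser, accused, ts), tag):
            return "dropped: bad signature"
        if (accuser, accused, ts) in self.seen or ts <= now - self.window or ts > now:
            return "dropped: replayed or stale"
        self.seen.add((accuser, accused, ts))
        self.log[accused][accuser] = ts
        fresh = [b for b, t in self.log[accused].items() if t > now - self.window]
        if len(fresh) >= self.gamma:
            return "threshold reached: start revocation"
        return f"recorded ({len(fresh)}/{self.gamma})"


def choose_participants(f_a: List[str], omega: List[str], t: int,
                        seed: int = 0) -> Tuple[str, List[str]]:
    """Leader = smallest ID in F(ID_A).  If beta >= t, the t smallest members of
    F(ID_A) contribute; if beta < t, all of F(ID_A) do, plus (t - beta) other
    D-PKGs the leader picks at random from Omega."""
    ranked = sorted(f_a)
    if len(ranked) >= t:
        return ranked[0], ranked[:t]
    extra = random.Random(seed).sample([v for v in omega if v not in ranked], t - len(ranked))
    return ranked[0], ranked + extra
```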

For ease of presentation, let $\mathcal{A} \subset \Omega$ denote the t D-PKGs participating in revocation generation. Each $V \in \mathcal{A}$ generates a partial revocation $K^V_{P2}H_1(ID_A)$ accumulated at the

revocation leader. The revocation leader can construct a complete revocation from these


partial revocations through Lagrange interpolation, which is an application of pairing-based

threshold signatures [57, 13]. In particular, a complete revocation is derived as

$$\overline{ID_A} = \sum_{V \in \mathcal{A}} \lambda_V(0)\, K^V_{P2} H_1(ID_A) = K_{P2} H_1(ID_A) \pmod q,$$

where the $\lambda_V(0)$-s are Lagrange coefficients defined in Eq. (3.1). It is possible that one or several

members of A are unrevoked compromised nodes which might send wrongly computed

partial revocations. To detect this, the revocation leader checks whether the following

equation holds.

$$e(\overline{ID_A}, W) = e(H_1(ID_A), W_{P2}) \qquad (3.2)$$

If so, it knows that this revocation is authentic and all other (t− 1) D-PKGs gave correct

partial revocations. The equation should hold for a valid revocation because

$$\begin{aligned}
e(\overline{ID_A}, W) &= e(K_{P2}H_1(ID_A), W) \\
&= e(H_1(ID_A), W)^{K_{P2}} && (e \text{ is bilinear}) \\
&= e(H_1(ID_A), K_{P2}W) && (e \text{ is bilinear}) \\
&= e(H_1(ID_A), W_{P2}) && (W_{P2} = K_{P2}W).
\end{aligned}$$

The revocation leader then floods $\langle ID_A, \overline{ID_A} \rangle$ throughout the network to inform others

that A has been compromised.

If Eq. (3.2) does not hold, the revocation leader knows that at least one of the partial

revocations is incorrect. Our IKM allows the pinpoint identification of the misbehaving

D-PKG(s). To do this, for each received $K^V_{P2}H_1(ID_A)$, the revocation leader harnesses the preloaded $W^V_{P2}$ to check whether the equation $e(K^V_{P2}H_1(ID_A), W) = e(H_1(ID_A), W^V_{P2})$ holds. The check should succeed for a valid partial revocation because $W^V_{P2} = K^V_{P2}W$ and

e is bilinear. Otherwise, the revocation leader considers V misbehaving and then issues a

signed accusation against it. After identifying all misbehaving D-PKGs in A, the revocation

leader solicits the corresponding number of new partial revocations from D-PKGs in Ω \A,

calculates a complete revocation, and verifies it as before. Continuing this process, the

revocation leader can form a correct revocation against A, as long as there are at least t

well-behaved D-PKGs in Ω.


Our IKM can handle the situation in which the revocation leader itself is a compromised node. If the other D-PKGs in $F(ID_A)$ do not receive a correct revocation against $A$ within a certain time, they consider the revocation leader misbehaving and publish signed accusations against it. Then the D-PKG in $F(ID_A)$ with the second lowest ID takes over as the revocation leader and restarts the revocation generation process. We can see that, as long as there is at least one non-compromised D-PKG in $F(ID_A)$ and there are at least $t$ non-compromised D-PKGs in $\Omega$, a valid accusation against node $A$ can always be generated. In addition, our pinpoint identification mechanism deters compromised yet unrevoked D-PKGs from offering invalid partial revocations, since they would be easily caught. Therefore, we expect that a valid revocation will most likely be generated in one round. Also notice that, since whether a D-PKG provides a wrong partial revocation and whether the revocation leader behaves normally are both publicly verifiable, compromised but unrevoked D-PKGs dare not falsely accuse the revocation leader or other D-PKGs, in order to avoid being identified.

Revocation verification. Upon reception of $\widetilde{ID_A}$, every node verifies it by checking whether Eq. (3.2) holds. If so, it records $ID_A$ in its memory and refuses to interact with node $A$ in the future. In our IKM, each node needs to store the IDs of all the revoked nodes. Assuming that each node ID is 16 bytes, it costs a node about 4 KB to store 250 IDs of compromised nodes, which we believe is an acceptable overhead given the increasingly low memory price. Space-efficient data storage techniques such as Bloom filters [58] may be used to reduce the storage overhead. However, we do not further investigate this issue for lack of space.

In rare cases, the revoked A and/or its conspirators may be the sole connections between

parts of the network. Since they would not further propagate the revocation, there might be

some legitimate nodes which cannot receive the revocation. Fortunately, this problem can

be greatly mitigated by node mobility. In particular, we require each node to store received

revocations for a certain amount of time. When a node meets a new neighbor, it can

exchange its stored revocations with that neighbor. If that neighbor offers some unknown

revocations, it records the revoked node IDs after verifying those revocations. Since a


node can dump stored revocations after a while, the related storage overhead should be

affordable.

3.4.4 Key Update

To withstand cryptanalysis and limit any potential damage from compromised keys, it is a common practice [31, 32, 33, 34, 35, 36] to employ relatively frequent key update. A new key update phase $p_{i+1}$ starts either when phase $p_i$ has lasted for more than a predetermined time threshold, or when the number of nodes revoked in $p_i$ has reached a prescribed threshold. In IKM, each node $B$ can update its public key autonomously by computing $K_{B,p_{i+1}} := (H_1(ID_B), H_1(salt_{i+1}))$, where $salt_{i+1} = salt_i + 1$. In other words, $B$ just performs two hash operations, one for generating the phase salt for $p_{i+1}$ and the other for computing the new common public-key element. By contrast, generating the common private-key element $K^{-1}_{p_{i+1}} = K_{P_2} H_1(salt_{i+1})$ needs the collective efforts of $t$ D-PKGs in $\Omega$. For simplicity, we assume that $Z \in \Omega$ initiates phase $p_{i+1}$, though in practice the D-PKGs should take turns in this role to balance their resource usage. $Z$ randomly selects $(t-1)$ other non-revoked D-PKGs from $\Omega$ and sends a request to each of them. Let $A$ denote these $t$ D-PKGs including $Z$ itself. Each $V \in A$ uses its secret share to generate a partial common private-key element $K^V_{P_2} H_1(salt_{i+1})$ accumulated at $Z$ which, in turn, constructs the complete $K^{-1}_{p_{i+1}}$ using Lagrange interpolation:

$$K^{-1}_{p_{i+1}} = \sum_{V \in A} \lambda_V(0)\, K^V_{P_2} H_1(salt_{i+1}) = K_{P_2} H_1(salt_{i+1}).$$

Notice that $K^{-1}_{p_{i+1}}$ is self-authenticating in that every node can check its authenticity by checking whether the following equation holds:

$$e(K^{-1}_{p_{i+1}}, W) = e(H_1(salt_{i+1}), W_{P_2}). \qquad (3.3)$$

It is also possible that some D-PKGs in $A$ are compromised yet unrevoked nodes. The method used in revocation generation can be employed as well to deal with this case. As long as there are at least $t$ non-compromised D-PKGs in $\Omega$, a valid $K^{-1}_{p_{i+1}}$ can always be generated.


To propagate $K^{-1}_{p_{i+1}}$ securely to all the non-revoked nodes, we use a variant of the self-healing group key distribution scheme by Liu et al. [59].¹ Let $\Lambda \subset \Psi$ denote the set of nodes revoked until phase $p_i$ (including $p_i$). D-PKG $Z$ broadcasts the following message:

$$B_i := \{ID_X\}_{X \in \Lambda} \cup \{U_j(x) = \xi_j(x)\,u_j(x) + l_j(x)\}_{j = 1, \dots, i},$$

where $\xi_j(x) = \prod_{X \in \Lambda}(x - ID_X)$. When a non-revoked node, say $B$, receives this message, it derives $U_i(ID_B) = \xi_i(ID_B)\,u_i(ID_B) + l_i(ID_B)$. Since $B$ knows $v_i(x)$, $l_i(ID_B)$, and $\xi_j(ID_B) \neq 0$ (cf. Section 3.4.2), it can get

$$u_i(ID_B) = \frac{U_i(ID_B) - l_i(ID_B)}{\xi_i(ID_B)}$$

and then $[K^{-1}_{p_i}]_y = v_i(ID_B) + u_i(ID_B)$. Subsequently, node $B$ computes $[K^{-1}_{p_i}]_x$ using the elliptic curve $E/\mathbb{F}_p$, thus constructing the complete $K^{-1}_{p_i}$. In the same way, all the other non-revoked nodes can derive $K^{-1}_{p_i}$ and finish key update. Any revoked node $X \in \Lambda$, however, cannot compute $u_i(ID_X)$ and thus $K^{-1}_{p_i}$ because $\xi_i(ID_X) = 0$. In addition, as long as the number of compromised nodes is no more than $t_c$, i.e., $|\Lambda| \le t_c$, the compromised nodes cannot jointly determine $K^{-1}_{p_i}$ either, as shown in [59].

The above key-update method provides the self-healing capability in the sense that any non-revoked node can recover $K^{-1}_{p_j}$ for any phase $p_j$ ($j < i$) whose key-update broadcast message it did not receive, due to reasons such as mobility, channel errors, and temporary network partitions. Consider node $B$ again as an example. It can get $K^{-1}_{p_j}$ in the same way as it obtains $K^{-1}_{p_i}$. This nice feature, however, is achieved at the cost of increased communication overhead. Therefore, if either this self-healing capability is not required or reliable broadcast can be guaranteed, the broadcast message $B_i$ can change to $\{ID_X\}_{X \in \Lambda_i} \cup \{U_i(x) = \xi_i(x)\,u_i(x) + l_i(x)\}$, where $\xi_i(x) = \prod_{X \in \Lambda}(x - ID_X)$ and $\Lambda_i \subseteq \Lambda$ represents the set of nodes newly revoked in phase $p_i$. In doing so, the broadcast communication overhead can be reduced.
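The masking trick behind the broadcast $U_i(x) = \xi_i(x)u_i(x) + l_i(x)$ described above, as an added toy model in Python (not code from the dissertation): $\xi_i$ vanishes at every revoked ID, so a revoked $X$ learns only $l_i(ID_X)$ from $U_i(ID_X)$, while a non-revoked $B$ divides out $\xi_i(ID_B)$ and adds its $v_i(ID_B)$. The prime field, integer IDs, polynomial degree and the split $v_i(x) = [K]_y - u_i(x)$ are constructed assumptions; the real personal secrets $l_i(ID_B)$ and $v_i(x)$ come from Section 3.4.2, which is not reproduced here.

```python
"""Toy model of the self-healing key-update broadcast U_i(x) = xi_i(x) u_i(x) + l_i(x).

Added illustration, not the dissertation's code. Constructed assumptions: a small
prime field Q instead of Z_q, integer node IDs, and v_i(x) = key_y - u_i(x) so that
v_i(ID_B) + u_i(ID_B) recovers [K^{-1}_{p_i}]_y for every non-revoked node B.
"""
import secrets

Q = 2**61 - 1  # constructed toy prime modulus (the page's q is a 160-bit Solinas prime)


def poly_eval(coeffs, x):
    """Evaluate [c0, c1, ...] (c0 + c1*x + ...) at x modulo Q using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def poly_add(a, b):
    """Coefficient-wise sum of two polynomials of possibly different length."""
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_mul(a, b):
    """Schoolbook product of two coefficient lists modulo Q."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return out


def revocation_poly(revoked_ids):
    """xi(x) = prod_{X in Lambda} (x - ID_X): zero exactly at the revoked IDs."""
    xi = [1]
    for rid in revoked_ids:
        xi = poly_mul(xi, [(-rid) % Q, 1])
    return xi


def random_poly(degree):
    """Uniformly random polynomial of the given degree over Z_Q."""
    return [secrets.randbelow(Q) for _ in range(degree + 1)]


def build_broadcast(key_y, revoked_ids, l_poly, degree):
    """D-PKG side. Splits key_y into a broadcast part u(x), masked by xi(x), and a
    private part v(x) = key_y - u(x) assumed to be held by every node (Section 3.4.2).
    Returns the broadcast B_i (revoked IDs plus U(x)) and v(x)."""
    u = random_poly(degree)
    v = poly_add([key_y], [(-c) % Q for c in u])
    big_u = poly_add(poly_mul(revocation_poly(revoked_ids), u), l_poly)
    return {"revoked": list(revoked_ids), "U": big_u}, v


def recover_key_y(node_id, broadcast, v_poly, l_at_id):
    """Node side. l_at_id is the node's personal value l(ID); returns [K]_y, or
    None when xi(ID) = 0, i.e. the node is revoked and U(ID) carries no information."""
    xi_at_id = poly_eval(revocation_poly(broadcast["revoked"]), node_id)
    if xi_at_id == 0:
        return None
    u_at_id = (poly_eval(broadcast["U"], node_id) - l_at_id) * pow(xi_at_id, -1, Q) % Q
    return (poly_eval(v_poly, node_id) + u_at_id) % Q


if __name__ == "__main__":
    KEY_Y = 0x1234ABCD          # constructed stand-in for [K^{-1}_{p_i}]_y
    REVOKED = [7, 42]           # constructed revoked node IDs (the set Lambda)
    L_POLY = random_poly(3)     # constructed l_i(x); node B holds only l_i(ID_B)
    bc, v = build_broadcast(KEY_Y, REVOKED, L_POLY, degree=3)
    print("non-revoked node 5 recovers key:",
          recover_key_y(5, bc, v, poly_eval(L_POLY, 5)) == KEY_Y)
    print("revoked node 42 recovers:", recover_key_y(42, bc, v, poly_eval(L_POLY, 42)))
```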

3.4.5 Securing D-PKGs against Pinpoint Attacks

Similar to [31, 34, 35], our IKM relies on the validity of the $t$-limited assumption mentioned in Section 3.3.3. However, if adversaries have the entire network lifetime to mount attacks, they may compromise or disrupt enough D-PKGs sooner or later. As a well-known countermeasure, Herzberg et al. [55] propose to periodically refresh secret shares without changing the original secret, in such a way that any information learned by adversaries about individual shares becomes obsolete after the shares are refreshed. In addition, they present techniques to periodically and securely recover shares not refreshed properly, to withstand D-PKG disruption attacks. Their techniques are either adopted or suggested by [31, 34, 35]. To deal with long-term adversaries, we also suggest incorporating such proactive secret-sharing techniques in our IKM.

¹ $K^{-1}_{p_i}$ can be viewed as a group key to be distributed to non-revoked group members.

Proactive secret-sharing techniques are valid as long as adversaries are $t$-limited in each predefined time period. Nearly all previous proposals simply make this assumption without any effort to justify it. In our opinion, without precaution, the $t$-limited assumption is difficult to uphold for MANETs deployed in hostile environments. The reason is that the IDs of the D-PKGs are public knowledge to every node, and adversaries can easily get this information, e.g., by compromising a single node. In common MANET routing protocols such as AODV [5] and DSR [6], node IDs are left bare without any protection. The shared wireless medium allows adversaries to perform passive eavesdropping and easily locate the D-PKGs based on their IDs leaked in routing and data packets. As a result, adversaries can launch pinpoint compromise or disruption attacks on the D-PKGs so located. Such severe pinpoint attacks, which result from the unique characteristics of MANETs, are reported in [29, 41]. Obviously, we have to seek efficient ways to thwart such pinpoint attacks to make the $t$-limited assumption reasonable.

Assume that adversaries have no way (e.g., traffic analysis) to distinguish between D-PKGs and non-D-PKG nodes other than by their IDs. We propose to eliminate the pinpoint attacks by MASK, the anonymous on-demand routing protocol for MANETs presented in Chapter 2. As stated before, MASK guarantees that, given a node ID, adversaries cannot ascertain who or where the corresponding node is. For our purpose, this means that, even given the list of D-PKG IDs, adversaries cannot determine which nodes are the D-PKGs based on passive eavesdropping of node IDs. Therefore, the pinpoint attacks are effectively defeated. Also note that the same method can be used to eliminate pinpoint attacks on the D-CAs in [31, 34, 35].


3.4.6 Choosing Secret-Sharing Parameters

Now we discuss how to select the secret-sharing parameters $t, n$ for a good tradeoff between security and robustness, namely the resilience to the compromise and to the disruption of D-PKGs, respectively. For a fixed $n$, the larger $t$ is, the more secure the network is, because adversaries need to compromise more D-PKGs to learn $K_{P_2}$; at the same time, the less robust the network is, in that adversaries need to disrupt fewer D-PKGs to make $K_{P_2}$ irrecoverable, and vice versa. To strike a good balance between them, it is often wise to let $t = \lceil n/2 \rceil$, as suggested in [15, 40]. The next question is, given the network size $N$, how to decide the value of $n$ to achieve the desired levels of security and robustness.

With our MASK in place, adversaries cannot distinguish between the D-PKGs and common nodes based on passive eavesdropping. All they can do is attempt to compromise or disrupt randomly picked nodes in the hope that those nodes happen to be D-PKGs. Assume that adversaries can surreptitiously compromise and disrupt up to $N_c \ge t$ and $N_d \ge n - t + 1$ nodes, respectively, in each proactive secret-sharing time period without being detected. We define $Pr_c$ and $Pr_d$ as the probabilities that at least $t$ out of the $N_c$ compromised nodes and at least $(n - t + 1)$ out of the $N_d$ disrupted nodes happen to be D-PKGs. In particular,

$$Pr_c = \sum_{i=t}^{\min(n, N_c)} \frac{\binom{n}{i}\binom{N-n}{N_c - i}}{\binom{N}{N_c}} \qquad \text{and} \qquad Pr_d = \sum_{i=n-t+1}^{\min(n, N_d)} \frac{\binom{n}{i}\binom{N-n}{N_d - i}}{\binom{N}{N_d}},$$

where $t = \lceil n/2 \rceil$. In practice, we want both probabilities to be as low as possible. Prior to deployment, the PKG can use the enumerative method to determine the values of $t, n$ that give appropriate values of $Pr_c$ and $Pr_d$, i.e., that meet the desired levels of security and robustness. For example, when $N = 50$, $N_c = 5$, and $N_d = 7$, we have $Pr_c = 1.19 \times 10^{-4}$ and $Pr_d = 8.53 \times 10^{-5}$ if $n = 10$ and thus $t = 5$; when $N = 50$, $N_c = 10$, and $N_d = 14$, we have $Pr_c = 1.8 \times 10^{-5}$ and $Pr_d = 7.88 \times 10^{-4}$ if $n = 20$ and thus $t = 10$. Obviously, the success probabilities of such random attacks are pretty low.
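The two hypergeometric tail sums and the enumerative parameter search described above, as an added Python example (not code from the dissertation). The $(N, N_c, N_d, n)$ values are the page's own worked numbers; the probability bounds passed to choose_parameters are constructed, and "smallest $n$" is one possible selection policy, not the page's.

```python
"""Pr_c and Pr_d from Section 3.4.6, plus an enumerative choice of (t, n).

Added example, not the dissertation's code. The bounds given to choose_parameters
are constructed; the (N, N_c, N_d, n) values below are the page's own.
"""
from math import comb


def pr_compromise(N, n, t, Nc):
    """Pr_c: at least t of the Nc randomly compromised nodes are D-PKGs
    (hypergeometric tail; math.comb returns 0 for impossible terms)."""
    return sum(comb(n, i) * comb(N - n, Nc - i)
               for i in range(t, min(n, Nc) + 1)) / comb(N, Nc)


def pr_disruption(N, n, t, Nd):
    """Pr_d: at least n-t+1 of the Nd randomly disrupted nodes are D-PKGs,
    which leaves fewer than t intact shares and makes K_{P_2} irrecoverable."""
    return sum(comb(n, i) * comb(N - n, Nd - i)
               for i in range(n - t + 1, min(n, Nd) + 1)) / comb(N, Nd)


def choose_parameters(N, Nc, Nd, max_prc, max_prd):
    """Enumerate n = 1..N with t = ceil(n/2) and return the first (t, n) that keeps
    both probabilities within the given bounds, or None if no n does."""
    for n in range(1, N + 1):
        t = (n + 1) // 2  # ceil(n/2) without floating point
        if pr_compromise(N, n, t, Nc) <= max_prc and pr_disruption(N, n, t, Nd) <= max_prd:
            return t, n
    return None


if __name__ == "__main__":
    for N, Nc, Nd, n in ((50, 5, 7, 10), (50, 10, 14, 20)):   # the page's worked cases
        t = (n + 1) // 2
        print(f"N={N} n={n} t={t}: Pr_c={pr_compromise(N, n, t, Nc):.2e} "
              f"Pr_d={pr_disruption(N, n, t, Nd):.2e}")
    # constructed bounds: first n whose both probabilities are at most 1e-3
    print("(t, n) for N=50, Nc=5, Nd=7, bounds 1e-3:", choose_parameters(50, 5, 7, 1e-3, 1e-3))
```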

During network operation, the network size $N$ may change with node join, leave, or failure over time. Accordingly, the parameters $t, n$ and the D-PKG set should be adjusted to maintain the desired levels of security and robustness. This can be easily realized through verifiable secret redistribution by Wong et al. [60] to redistribute the PKG's master key $K_{P_2}$ from a $(t, n)$ structure to a $(t', n')$ one.

3.4.7 Security Analysis

Here we briefly compare the security of our IKM with CKM such as [31, 34] and previous IBC-based schemes [39, 20] (referred to as o-IKM). In o-IKM, the PKG has only one master secret $K_{P_2}$, jointly shared by $n$ chosen D-PKGs in a $(t, n)$-threshold fashion. Each node $A$ has a public/private key pair $(H_1(ID_A \| exp), K_{P_2} H_1(ID_A \| exp))$, where $exp$ indicates the key expiration time. To renew its private key before it expires, $A$ needs to individually contact $t$ out of $n$ D-PKGs for partial private keys, from which it constructs a complete one via Lagrange interpolation. As usual, our discussion is from the viewpoint of key management instead of the cryptographic algorithms themselves.

Since all three approaches are $(t, n)$-threshold schemes, they have the same level of security as long as the $t$-limited assumption holds. However, they differ in the worst-case scenario where adversaries manage to compromise at least $t$ distributed CAs (D-CAs for short) in CKM, or $t$ D-PKGs in IKM or o-IKM. In that situation, adversaries are able to construct the CA's private key in CKM, or the PKG's master secret $K_{P_2}$ in IKM or o-IKM. For both CKM and our IKM, adversaries cannot deduce the private key of any non-compromised node, be it a D-CA (or D-PKG) or a common node. Therefore, the communication security between non-compromised nodes is still guaranteed. In contrast, the exposure of $K_{P_2}$ in o-IKM would result in loss of overall system security because it permits adversaries to derive the private keys of all nodes, compromised or not, ever used since the network formation. This means that adversaries would be able to freely read encrypted messages observed in the past or future, and forge any node's digital signature.

In summary, our IKM is at least as secure as conventional CKM, but outperforms

o-IKM in the worst-case scenario.

3.5 Performance Evaluation

In this section, we compare the proposed IKM with conventional CKM via simulations. As mentioned in Section 3.2.2, DSA-based CKM solutions have much worse communication efficiency than RSA-based ones at the same security level. Therefore, we focus on comparing IKM with RSA-based CKM, which is implemented mainly based on [32, 36] with the number of D-CAs set to $n$ instead of $N$. As discussed before, our IKM is more secure than o-IKM [39, 20] under the same secret-sharing parameters $(t, n)$. In addition, the communication and computation overheads of o-IKM are the same as those of IKM with regard to key revocation, but are much higher in terms of key update because o-IKM requires that each node individually contact $t$ out of $n$ D-PKGs for key update. Since the advantages of our IKM over o-IKM are quite obvious, we do not offer the simulation results of their comparison for lack of space.

3.5.1 Simulation Setup

The comparison is done within GloMoSim [21], a popular MANET simulator, on a desktop with an Intel P4 2.4 GHz processor and 1 GB of memory. Although such a powerful machine may not be available in some application scenarios, it should be appropriate for the comparative study of IKM and CKM. To avoid careless implementation errors and guarantee a fair comparison, all the cryptographic primitives are built using MIRACL [22], a standard cryptographic library.

For CKM, the underlying CBC is RSA with a 1024-bit modulus for sufficient security. An RSA public key consists of an ordered pair $(s, e)$ where $s$ is the modulus and $e$ is the public exponent. A common value for the public exponent is $e = 2^{16} + 1$, which is the value we use for all public exponents. Note that this favors CKM because RSA encryption and signature verification are much faster with $e = 2^{16} + 1$ than with a random exponent. Therefore, an RSA public key requires 128 bytes for the modulus and 3 bytes for the public exponent, a total of 131 bytes. In addition, an RSA signature consists of a single 1024-bit value. For simplicity, we assume that a node ID is 16 bytes and that the certificate expiration time can be encoded in 2 bytes. An RSA certificate $\langle ID_A, (s, e), exp, \text{CA's signature} \rangle$ is then 277 bytes in total (16 + 131 + 2 + 128).

For our IKM, the bilinear map $e$ we use is the Tate pairing [14]. $q$ is a 160-bit Solinas prime $2^{159} + 2^{17} + 1$ and $p$ is a 512-bit prime equal to $12qr - 1$ (for some $r$ large enough to make $p$ the correct size). Such choices of $q, p$ deliver a level of security comparable to 1024-bit RSA [12, 13]. The elliptic curve $E$ we use is $y^2 = x^3 + x$ defined over $\mathbb{F}_p$. The ID-based signature primitive $[M]_{K^{-1}_{A,p_i}}$ used is the one outlined in [56], in which a signature consists of one element of $G_1$ and one element of $\mathbb{Z}_q^*$. Since the former is a point on $E/\mathbb{F}_p$, only the $y$-coordinate needs to be transmitted because the $x$-coordinate can be derived using $E$. Therefore, an ID-based signature is 84 bytes (a 64-byte coordinate plus a 20-byte scalar). This point compression technique is also used in transmitting key revocations and common private-key components, both being elements of $G_1$. Moreover, the hash function SHA-1 [16] and the symmetric-key encryption primitive RC6 [18] are used wherever applicable.

We simulate a MANET with 50 nodes deployed in a 700 × 700 m² square field.² The physical-layer path loss model is the two-ray model. The node transmission range is 250 meters and the channel capacity is 2 Mb/s. The MAC protocol used is the Distributed Coordination Function (DCF) of IEEE 802.11. For simplicity, the underlying routing protocol is AODV [5] instead of our MASK [20]. Nodes are initially uniformly distributed and node mobility is emulated according to the random waypoint model [6]. We run simulations for constant node speeds of 5, 10, and 15 m/s, with the pause time fixed at 5 seconds. In addition, we use 20 CBR connections with random source and destination pairs throughout the simulations. All data packets are 512 bytes and are sent at a rate of 4 packets/s.

3.5.2 Computational Costs

We present the computational costs of the main primitive operations in CKM and IKM in Table 3–2. Compared to RSA operations, the pairing evaluation is currently a relatively expensive operation, which by far takes most of the running time of an IBC algorithm. However, since the pairing is a relatively new technique, we anticipate that its evaluation cost will be much reduced with the rapid advance of cryptography. For example, Barreto et al. [23] recently announced an approach to evaluate the Tate pairing up to 10 times faster than previous methods, the implementation of which is underway. In addition, the pairing computation can be much accelerated by using dedicated cryptographic hardware. For instance, it is reported in [61] that the Tate pairing can be calculated in about 6 ms on a modern FPGA. Despite its computational inefficiency, we will see below that our IKM still outperforms CKM in almost all aspects because of its certificateless nature.

² Note that for the simulated network size, it may be feasible to preload each node with all the others' public keys. However, it should be understood that this choice is just for illustration purposes and also to ensure a fair comparison with ARAN [42], which uses the same network size.

Table 3–2: Timings of primitive operations

Primitive                                        Time (ms)
RSA key generation                               526.5
RSA encryption/verification (e = 2^16 + 1)       0.26
RSA decryption/signing                           5.08
Modular exponentiation (m^N mod N)               16.89
Map-to-point H_1(·)                              2.6
Scalar multiplication in G_1                     3.3
Modular exponentiation in G_2                    2.4
Pairing                                          11.0
ID-based signing (with pre-computation)          5.7
ID-based signature verification                  35.5

Table 3–3: Comparison of key revocation time

Speed (m/s)   IKM, t = 5 (sec)   CKM, t = 5 (sec)   IKM, t = 10 (sec)   CKM, t = 10 (sec)
5             3.344              3.179              8.563               8.323
10            3.356              3.220              8.577               8.387
15            3.362              3.235              8.586               8.401

3.5.3 Comparison in Key Revocation

Here we compare IKM with CKM with regard to key revocation. We use 20 CBR sessions as background "noise" to simulate more realistic scenarios. Two sets of secret-sharing parameters $(t, n)$ are simulated: $(5, 10)$ and $(10, 20)$. The revocation process of CKM is implemented similarly to that of our IKM. For simplicity, we set the revocation threshold $\gamma$ equal to $t$, and each accusation is sent to $\beta = 1$ D-PKG in IKM or D-CA in CKM. In other words, when the number of accusations against one specific node reaches $\gamma = t$ at a D-PKG or D-CA, that D-PKG or D-CA sends the accumulated accusations to $(t - 1)$ other D-PKGs or D-CAs picked at random out of the remaining $(n - 1)$, which, in turn, send back partial revocations after verifying the received accusations. To avoid possible MAC-layer collisions resulting from returned partial revocations, the revocation leader uses a fixed delay of one second between contacting two different D-PKGs.

Table 3–4: Comparison of key update (t = 5)

Speed (m/s)   IKM time (sec)   IKM overhead (packets)   CKM time (sec)   CKM overhead (packets)
5             3.173            352                      271.088          18556
10            3.182            674                      271.965          20846
15            3.189            1328                     273.443          22400

Table 3–5: Comparison of key update (t = 10)

Speed (m/s)   IKM time (sec)   IKM overhead (packets)   CKM time (sec)   CKM overhead (packets)
5             8.187            662                      275.289          37078
10            8.194            1286                     276.952          45438
15            8.207            1582                     279.978          47501

Table 3–3 gives the one-time key revocation time of IKM and CKM for $t = 5$ and $10$, respectively. The counted time starts from when a D-PKG or D-CA sends the accumulated accusations to $(t - 1)$ peers, until the last node in the network receives and verifies the final complete revocation. All packet transmission and cryptographic processing time is included. As we can see, although our IKM is slightly slower than CKM, both can finish a key revocation in a very short duration. This demonstrates the feasibility of real-time public-key revocations in MANETs. We can also observe that the larger the threshold $t$, the more time it takes to finish the revocation process, which is quite intuitive. In addition, node mobility has little impact on the revocation time, since the revocation process only involves the transmission of $2(t - 1)$ unicast packets and one network-wide broadcast packet for the final revocation. Such a small amount of traffic can be transmitted before the network topology changes significantly and unicast routes break due to node mobility.

3.5.4 Comparison in Key Update

In this subsection, we demonstrate the advantage of our IKM over CKM in terms of key update. Again, 20 CBR sessions are used to emulate normal traffic scenarios. For our IKM, the key update process starts when one D-PKG sends a key update request to $(t - 1)$ other random D-PKGs,³ and finishes when all the network nodes receive and verify the broadcast common private-key component. For CKM, the key update process lasts from when the first node starts contacting $t$ random D-CAs for key update until the last node finishes its key update through $t$ random D-CAs. To avoid traffic collisions at the D-CAs, a fixed interval of 5 seconds is inserted between two consecutive key updates by two different nodes.⁴

We are interested in two metrics: one-time key update time, including packet transmission time and all cryptographic processing time, and key update overhead in number of packets, which counts all the key requests/replies and the incurred routing control packets. Tables 3–4 and 3–5 compare our IKM with CKM with regard to these two metrics for $t = 5$ and $10$, respectively. Since a key update process in IKM is similar to a key revocation process, it can be finished in a similarly short period. In contrast, key update in CKM requires considerably more time and incurs a significantly larger overhead. In addition, the key update time and overhead of both schemes increase with the threshold $t$, which is no surprise.

3.5.5 Comparison in Secure Routing

One of the most important uses of public-key techniques in MANETs is to secure routing protocols. As noted in [42], most existing secure routing schemes for MANETs rely on the use of public keys and certificates without explicitly discussing how to perform certificate distribution. By contrast, a recent work called ARAN [42] accounts for certificate distribution. ARAN is an elegant scheme because it is essentially a secured version of classic AODV [5] and thus preserves many nice features of AODV. However, using ID-based public/private keys in place of certificate-based ones can turn ARAN into a much more efficient solution, as shown below.

³ The 1-s sending interval is still used.

⁴ We have tried different interval values, and the chosen one guarantees that almost all the nodes can successfully finish their key update within the simulation time.


Due to space limitations, we refer to [42] for detailed descriptions of ARAN. For ease of presentation, we denote the original ARAN by ARAN-CKM and the modification with our IKM by ARAN-IKM. Regarding the overall routing process, ARAN-IKM is the same as ARAN-CKM. Their difference lies in the structures and cryptographic processing of routing control packets, including route discovery/reply/error packets. For example, assuming a source and destination pair of nodes $X$ and $Y$, a typical route discovery packet (RDP) in ARAN-CKM is of the format $\langle \langle \langle RDP, ID_Y, N_X \rangle_{X^{-1}} \rangle_{A^{-1}}, cert_X, cert_A \rangle$. Here, $\langle m \rangle_{X^{-1}}$ stands for message $m$ with its RSA signature generated under node $X$'s RSA private key $X^{-1}$; $N_X$ is a monotonically increasing sequence number set by $X$; $cert_X$ is the RSA certificate of source $X$ (see Section 3.5.1 for the certificate format); $cert_A$ is the RSA certificate of an intermediate node $A$, attached when $A$ forwards the RDP of $X$ to its own neighbors.⁵ Compared with the RDP format $\langle RDP, ID_Y, N_X, ID_X, ID_A \rangle$ in AODV [5], ARAN-CKM adds 778 bytes to the RDP (two 128-byte RSA signatures and two 277-byte certificates, minus the two 16-byte IDs that the certificates already carry). Suppose the network is in key update phase $p_i$. In ARAN-IKM, the RDP changes to $\langle [[RDP, ID_Y, N_X]_{K^{-1}_{X,p_i}}]_{K^{-1}_{A,p_i}}, ID_X, ID_A \rangle$. Therefore, ARAN-IKM increases the RDP in AODV by 168 bytes because of the two 84-byte ID-based signatures. The route reply and error packets in ARAN-CKM are modified similarly.

We run simulations to compare the routing performance of ARAN-CKM and ARAN-

IKM. The results generated with AODV are also provided as the baseline. Again, 20

CBR sessions are used in the simulations and each simulation is executed for 15 simulated

minutes. In our simulation results, each data item represents an average of ten runs with

identical traffic models, but with different mobility scenarios.

We use four key performance metrics to evaluate the performance. Average route discovery delay measures the average latency from the time of sending an RDP to receiving the first corresponding route reply. Average data packet delay measures the average time from the sending of a data packet by a CBR source until its reception at the corresponding CBR destination. This includes all possible delay caused by buffering during route discovery, queuing delay at the interface, retransmission delay at the MAC layer, and propagation and transmission delay at the physical layer. Packet delivery ratio (PDR) measures the ratio of the data packets delivered to the destinations to those generated by the CBR sources. Finally, normalized routing load measures the average number of routing packet bytes transmitted per delivered data packet byte. Each hop-wise transmission of a routing packet byte is counted as one transmission.

⁵ Node IDs are included in certificates. Please refer to [42] on how the RDP is processed in a hop-by-hop manner.

Figure 3–1: Average route discovery delay. [Plot of average route discovery delay (ms) versus node speed (m/s) for AODV, ARAN-IKM and ARAN-CKM.]

The advantages of ARAN-CKM over AODV in the presence of malicious nodes have

been demonstrated in [42]. For simplicity, we just compare the performance of AODV,

ARAN-CKM, and ARAN-IKM when all the nodes in the network are well-behaved or

benign. Note that, no matter whether there are malicious nodes or not, the operations

of both ARAN-CKM and ARAN-IKM remain the same. Therefore, as long as we can

show that ARAN-IKM outperforms ARAN-CKM in the simulated scenarios, it will also

demonstrate better performance than the latter and thus AODV in the face of malicious

nodes. In all our simulation results, AODV always outperforms both ARAN-CKM and

ARAN-IKM. This is of no surprise because there are no efforts at all made in AODV to

deal with routing attacks. We will focus on discussing the difference between ARAN-CKM

and ARAN-IKM.

Fig. 3–1 compares the average route discovery delay of ARAN-CKM and ARAN-IKM

under three mobility scenarios. We can observe that ARAN-IKM always exhibits shorter

route discovery delay than ARAN-CKM. The key reason is that routing discovery and reply

Page 69: SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONSufdcimages.uflib.ufl.edu/UF/E0/01/56/09/00001/zhang_y.pdf · 2010-05-13 · security in heterogeneous wireless

59

5 10 15 0

100

200

300

400

500

600

700

Ave

rage

Dat

a P

acke

t Del

ay (

ms)

Node Speed (m/s)

AODV ARAN-IKM ARAN-CKM

Figure 3–2: Average data packet delay.

5 10 15 0.0

0.2

0.4

0.6

0.8

1.0

1.2

1.4

Pac

ket D

eliv

ery

Rat

io

Node Speed (m/s)

AODV ARAN-IKM ARAN-CKM

Figure 3–3: Packet delivery ratio.

packets in ARAN-CKM are of much larger sizes than those of ARAN-IKM. As a result,

routing packets in ARAN-CKM are more subject to loss due to collisions with other data

or routing packets during their transmission. When a source does not receive a route reply

packet after sending the RDP for a while, it has to resend the RDP, which worsens the

situation. This contributes to the shown advantage of ARAN-IKM over ARAN-CKM. In

addition, the performance difference between ARAN-IKM and ARAN-CKM becomes more

and more significant with the increase of node mobility. For example, when the node speed

is 15 m/s, the route discovery delay of ARAN-IKM is about 390.08 ms, representing a

saving of about 28 percent as compared to the 540.32 ms delay of ARAN-CKM. That is

because high mobility means that routes will break more frequently, so accordingly route

discovery needs to be performed more frequently. Since more routing packets are involved,

Figure 3–4: Average routing load. [Plot: normalized routing load, 0.0 to 3.6, versus node speed (m/s) of 5, 10, and 15, for AODV, ARAN-IKM, and ARAN-CKM.]

their probabilities of colliding with other traffic become increasingly higher in ARAN-CKM

than in ARAN-IKM.

Fig. 3–2 plots the average data packet delay vs. node speed. As we can see, ARAN-IKM has a significant advantage over ARAN-CKM in all three mobility scenarios. In particular, when the node speed is 5, 10, or 15 m/s, the data packet delay of ARAN-CKM is about 4.68, 7.86, or 8.04 times longer than that of ARAN-IKM. This result is

partly due to the shorter route discovery delay ARAN-IKM has than ARAN-CKM, which

results in shorter delay caused by buffering at the network layer. Another more important

reason is that MAC-layer frames in the IEEE 802.11, including RTS/CTS/DATA/ACK, are

more subject to collisions with the MAC frames of routing packets in ARAN-CKM than

in ARAN-IKM because the former has much larger-sized routing packets. The situation

deteriorates with the increase in node mobility and thus the increase in the number of

routing packets. As a result, data packets in ARAN-CKM experience much longer queuing

and retransmission delay at the MAC layer.

Fig. 3–3 shows the PDRs of AODV, ARAN-IKM, and ARAN-CKM for three mobility

scenarios. In all cases, ARAN-IKM demonstrates performance close to AODV and higher

than ARAN-CKM. This mainly results from the fact that a smaller portion of data packets

are dropped in ARAN-IKM than in ARAN-CKM due to attainment of the retransmission

limit at the MAC layer. The ultimate reason, however, is still because of the larger-sized

routing packets in ARAN-CKM. Finally, the normalized routing load of ARAN-IKM and


ARAN-CKM are shown in Fig. 3–4. For node speeds of 5, 10, and 15 m/s, ARAN-CKM has a routing load 3.1, 3.7, and 4.1 times higher than that of ARAN-IKM, respectively, because of its larger routing packets.

To summarize, our IKM has significant advantages over conventional CKM in secure

routing protocol design, a fundamental component in MANET security.

3.6 Summary

Key management is a fundamental, challenging issue in securing MANETs. This chapter presents IKM, a secure, lightweight, scalable ID-based key management scheme for MANETs. As a novel combination of ID-based and threshold cryptography, IKM is a certificateless solution that permits public keys of mobile nodes to be directly derivable from their known network IDs and some other common information. It thus obviates the need for the public-key distribution and certificates inherent in conventional public-key solutions. Our IKM is characterized by a novel method of constructing ID-based public/private keys, which not only guarantees high-level resilience to node compromise attacks but also facilitates very efficient network-wide key update by a single broadcast message. In addition, we give general guidelines on choosing the secret-sharing parameters for achieving desirable levels of security and robustness. The significant advantages of IKM over conventional certificate-based solutions have been confirmed by extensive simulation results.

Most existing security mechanisms for MANETs thus far involve the heavy use of

public-key certificates. In this regard, we believe that the findings of this chapter would

have much influence on the research paradigm of the whole community and stimulate many

other fresh research outcomes. As our future work, we will seek efficient solutions based on

IKM to a variety of challenging security issues in MANETs such as intrusion detection and

secure routing.

CHAPTER 4

SECURE LOCALIZATION IN WIRELESS SENSOR NETWORKS

4.1 Introduction

Wireless sensor networks (WSNs) have attracted a lot of attention recently due to

their broad applications in both military and civilian operations. Many WSNs are deployed

in unattended and often hostile environments such as military and homeland security operations. Therefore, security mechanisms providing confidentiality, authentication, data

integrity, and non-repudiation, among other security objectives, are vital to ensure proper

network operations.

Many WSNs require sensor nodes to know their physical locations. Examples include

those for target detection and tracking, precision navigation, search and rescue, geographic

routing, security surveillance, and so on. Driven by this demand, many localization schemes

have been proposed in recent years, with most assuming the existence of a few anchors that

are special nodes knowing their own locations, e.g., via GPS or manual configuration. These

proposals can be divided into two categories: range-based such as [62, 63] and range-free

[64, 65]. The former are characterized by using absolute point-to-point distance (range) or

angle estimates in location derivations, while the latter depend on messages from neighboring sensors and/or anchors. Range-based solutions can provide more accurate locations, but have higher hardware requirements for performing precise range or angle measurements. By contrast, although having lower hardware requirements, range-free approaches only guarantee coarse-grained location accuracy. In this chapter, we focus on range-based approaches and leave the investigation of range-free ones as future work.

We observe that almost all existing range-based proposals were designed for benign

scenarios where nodes cooperate to determine their locations. As a result, they are ill-suited for unattended and often hostile settings such as tactical military operations and

homeland security monitoring. Under such circumstances, attackers can easily subvert

the normal functionalities of WSNs by exploiting the weakness of localization algorithms

Figure 4–1: An exemplary two-way ToA localization process, where anchors A, B, C are determining the location of sensor S. (a) No attacks. (b) d_CS is reduced. (c) d_CS is enlarged. [Each panel shows S, A, B, C and the circles of radius d_AS, d_BS, d_CS around the anchors.]

[66, 67]. In this chapter, we do not intend to provide brand-new localization techniques for

WSNs. Instead, we focus on analyzing and enhancing the security of existing approaches

when applied in adversarial settings.

The rest of this chapter is structured as follows. We start with analyzing the vulnerability of existing approaches in Section 4.2. Next, we present a novel mobility-assisted

secure localization scheme (SLS) in Section 4.3. We then review related work in Section 4.4

and summarize this chapter.

4.2 Vulnerability Analysis of Two-Way Time-of-Arrival Localization

Popular range-based localization techniques include Received-Signal-Strength-Indicator

(RSSI), Angle-of-Arrival (AoA), Time-of-Arrival (ToA), and Time-Difference-of-Arrival (TDoA).

Readers are referred to [63] for a nice review. Among these techniques, ToA is the most

commonly used one, whose requirement for fine time resolution can be satisfied by the ultra-wideband (UWB) technique [68]. Therefore, our study focuses on a two-way ToA approach,

which is illustrated with Fig. 4–1.

In the shown example, anchors A,B, and C intend to determine the 2-D location of

sensor S. To do so, A transmits at time t1 a challenge to sensor S which immediately

echoes a response received by A at time t2. Anchor A can then estimate its distance to S

as dAS ≈ (t2 − t1)c/2, where c is the speed of light. In the same way, B and C can obtain

distance estimates to S, denoted by d_{BS} and d_{CS}, respectively. Let (X_A, Y_A), (X_B, Y_B), (X_C, Y_C) be the known locations of A, B, and C, and (X_S, Y_S) be S's location to be determined.

Figure 4–2: The topology of an exemplary distance enlargement attack. [Anchor C, sensor S, attacker 1, attacker 2, and the secret channel between the two attackers; two circles mark the transmission ranges of C and of attacker 2.]

Assume that A is the leader which collects dBS and dCS and then sets up the following

equations:

$$f_A = d_{AS} - \sqrt{(X_S - X_A)^2 + (Y_S - Y_A)^2},$$

$$f_B = d_{BS} - \sqrt{(X_S - X_B)^2 + (Y_S - Y_B)^2},$$

$$f_C = d_{CS} - \sqrt{(X_S - X_C)^2 + (Y_S - Y_C)^2}. \qquad (4.1)$$

If there is no measurement error, fA, fB, and fC are all equal to zero, and (XS , YS) is

the common intersection point of the three circles defined by the above equations. Since

measurement errors inevitably exist in reality, however, (XS , YS) will be somewhere in the

intersection area formed by the three circles, as shown in Fig. 4–1(a). It can be obtained

via the Minimum Mean-Square Error (MMSE) method [62], i.e., minimizing $F(X_S, Y_S) = f_A^2 + f_B^2 + f_C^2$.

The above process is vulnerable to distance reduction and enlargement attacks, in

which attackers attempt to reduce and enlarge distance estimates, respectively, so as to

maliciously increase the location inaccuracy. For example, attackers can impersonate sensor S to answer anchor C's challenge before S does, and then jam the later genuine response from S. As a result, d_{CS} would be intentionally reduced. In addition, Fig. 4–2 shows the

topology of an exemplary distance enlargement attack, where the two circles indicate the

transmission ranges of anchor C and attacker 2, respectively. In this attack, the challenge

from C is correctly received by attacker 1, but not by sensor S whose reception activities

are interfered by attacker 2. Subsequently, attacker 1 sends the unmodified challenge via a

secret channel to attacker 2 which, in turn, forwards the challenge to sensor S after some


time. Sensor S will consider it a challenge from anchor C and respond to it. In doing so,

attackers can increase the challenge-response time difference measured at C and thus the

distance estimate dCS . Both distance reduction and enlargement attacks may make the

location estimate of sensor S far from its true location, as can be seen from Fig. 4–1(b) and

Fig. 4–1(c), respectively. To satisfy the requirement for high location accuracy by many

WSN applications, we must therefore seek ways to mitigate the impact of such attacks.

4.3 Mobility-Assisted Secure Localization for UWB Sensor Networks

In this section, we present a mobility-assisted secure localization scheme (SLS) for

WSNs. To ease our illustration, we focus on how to ensure secure 2-D location estimates,

but SLS can be easily extended to the 3-D case.

4.3.1 Network Model

We consider a WSN that consists of randomly-deployed sensor nodes, e.g., via random

aerial scattering. Sensor localization is normally done during the network initialization

phase, in which we assume that a set of anchors, denoted by A, perform coordinated group

movement across the whole sensor field. Typical examples of anchors are mobile robots or

Unmanned Aerial Vehicles (UAVs) flying at low levels. The number of anchors, denoted

by na = |A|, should be at least three for determining a 2-D location. Intuitively, the more

anchors (i.e., distance estimates) are available, the more precise location estimates are at

the cost of increased communication and computational overhead. We also denote anchor i by A_i for i ∈ {1, ..., n_a}. Each A_i is assumed to know its own location (X_{A_i}, Y_{A_i}) at any time and place through

GPS receivers or other means. In addition, there is always a leader in A that takes charge

of the localization process. In practice, each anchor should take turns to act as the leader

to balance their resource usage. For convenience, however, we assume A1 to be always the

anchor leader hereafter. We further assume that anchors and sensor nodes have the same

transmission range r0.

Before network deployment, we assume that the network planner picks a sufficiently

long secret K, and loads each sensor S with a secret key K_S = h_K(ID_S). Here, ID_S is the unique identifier of node S, h indicates a fast hash function such as SHA-1, and h_K(M) refers to the message integrity code (MIC) of message M under key K. We further postulate


that each anchor knows the network secret K and is trusted and cannot be compromised by attackers during the node localization phase, which usually does not last long. This assumption is

reasonable in that anchors are usually much fewer than sensor nodes, so we can spend more

on them by enclosing them in high-quality tamper-resistant enclosures and putting them

under perfect monitoring. How to deal with compromised anchors is part of our ongoing

work.

4.3.2 Overview of SLS

After sensor nodes are deployed, anchors are instructed to perform strategic group

movement along pre-planned routes to localize all the sensor nodes. Anchors are required

to always maintain an na-vertex polygon with the longest distance between any two vertices

no larger than r0. This means that anchors and sensors inside the polygon can directly com-

municate with each other. To localize a node, say S, anchors first measure their respective

distance to S with a modified two-way ToA approach, called K-Distance. The anchor leader

A1 then collects all the distance estimates whereby to derive a MMSE location estimate.

Subsequently, A1 runs a validity test on the location estimate to detect possible attacks.

Unlike traditional localization methods such as AHLos [62], our mobility-assisted approach does not require each sensor node to accurately measure distances to anchors and

do the MMSE estimation. Instead, each node just needs to answer the challenges from

anchors, and the tasks of time (distance) measurement and location derivation are shifted

to resource-rich anchors. This is highly desirable for lowering the requirements on sensor

hardware and thus the manufacturing costs. In the rest of this section, we will detail the

operations of SLS with a to-be-localized sensor node S as an example.

4.3.3 K-Distance: a K-Round Distance Estimation Algorithm

To obtain a distance estimate to node S, anchor A_i first calculates K_S = h_K(ID_S) based on the preloaded network secret K. It then executes the K-Distance algorithm outlined in Table 4–1. A_i begins by sending to S an l-bit random nonce N_j and starts a timer when the last bit of N_j is sent. Upon receiving N_j, node S needs to immediately echo N_j concatenated with another l-bit random nonce M_j picked by itself. Next, S sends to A_i a MIC, v = h_{K_S}(N_j ‖ M_j), where ‖ means message concatenation.


Table 4–1: The K-Distance algorithm.

 1: T = ∅
 2: for (j = 1; j ≤ K; j++) do
 3:     A_i sends a random challenge nonce N_j to S
 4:     S responds with N_j and another random nonce M_j
 5:     A_i sets t_j = time elapsed between challenge and response
 6:     S sends to A_i a number v = h_{K_S}(N_j ‖ M_j)
 7:     if h_{K_S}(N_j ‖ M_j) == v then   /* by A_i */
 8:         t_{p,j} = (t_j − t^{A_i}_{proc} − t^{S}_{proc} − t_{tran})/2
 9:         T = T ∪ {t_{p,j}}
10:     end if
11: end for
12: t_{A_iS} = median(T)
13: return d_{A_iS} = c · t_{A_iS}   /* c is the light speed */

Figure 4–3: The time plot of the challenge-response process. [Timeline between A_i and S marking the last bit of N_j, the first and last bits of N_j ‖ M_j, and the intervals t_{p,j}, t^{S}_{proc}, t_{tran} and t^{A_i}_{proc} that together make up t_j.]


When receiving the last bit of the response, A_i stops the timer and sets t_j equal to the elapsed time. It then uses K_S to compute a MIC on N_j and M_j. If the result is not equal to v, which arrives later, A_i considers the response a bogus one and simply ignores it. Otherwise, it believes that the response indeed came from S, and proceeds to calculate the one-way signal propagation time as t_{p,j} = (t_j − t^{A_i}_{proc} − t^{S}_{proc} − t_{tran})/2. Here, t^{A_i}_{proc} represents the time duration from when the last bit of the response hits the antenna of A_i until the response is completely decoded (cf. Fig. 4–3); t^{S}_{proc} is the time duration from when the last bit of the challenge reaches the antenna of S until S transmits the first bit of the response. t^{A_i}_{proc} and t^{S}_{proc} are device-dependent and usually are constant or vary on a tiny scale. Both can be pre-determined and preloaded to A_i to calibrate the time measurements to a certain precision. Assume that transmission links from S to anchors have a bandwidth of b bit/s. Then the response transmission time t_{tran} is approximately equal to 2l/b seconds, since the response N_j ‖ M_j is 2l bits long.

The above process offers strong defense against distance reduction attacks in the sense

that attackers cannot reduce tp,j and thus the distance estimate ctp,j . One reason is that

the MIC check ensures that an authentic response can only be sent by node S. Another

important reason is that nothing can travel faster than light so that attackers are unable

to make the challenge arrive at S earlier than it should.

Attackers, however, can still launch the distance enlargement attack, i.e., enlarging tp,j

and thus the distance estimate. To mitigate this attack, we require A_i to perform K distance measurements. The motivation is that attackers might not be able to actively

affect all K time measurements and thus distance estimates. It is also worth noting that

our method can help mitigate sporadic measurement errors. K is a design parameter that

determines the tradeoff between algorithm overhead and resilience to distance enlargement

attacks and measurement errors. Assume that all the K time measurements are stored in

an initially empty set T . The next question is how to securely use them. The naive use

of the average is insecure because attackers can easily make the calculated average quite

different from the true one by merely enlarging one time measurement to be sufficiently

large.


Figure 4–4: Location validity test with three anchors. (a) No measurement errors. (b) Measurement errors exist. (c) d_{A_3S} is enlarged. [Each panel shows anchors A_1, A_2, A_3, sensor S and the circles of radius d_{A_1S}, d_{A_2S}, d_{A_3S}; panels (b) and (c) also mark the error margin δ.]

As pointed out in [69], the median is a safer replacement for the average, so K-Distance uses the median of the K time measurements to calculate d_{A_iS}.¹ For brevity only, we assume K > 3 to be odd in what follows; the extension to the case that K is even is straightforward. Let t_(1), ..., t_(K) denote the trustworthy time estimates (without attacks) in T placed in increasing order. We then have t_{A_iS} = median(T) = t_(r) for r = (K+1)/2. Consider first the simple case that attackers enlarged just one time estimate from t_(j) to t'_(j). If t_(j), t'_(j) < t_(r), the median t_{A_iS} remains unchanged; otherwise, it changes to some value in [t_(r−1), t_(r+1)]. It is easy to see that K-Distance is vulnerable to a single distance enlargement attack when K is equal to one (as in all previous ToA-based proposals) or two. In general, if m time measurements were enlarged, t_{A_iS} either remains unchanged or changes to some value in [t_(r−m), t_(r+m)], depending on how attackers contaminated the time measurements. It is obvious that the median method can tolerate the enlargement of up to about half of the time measurements.
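The K-Distance exchange of Table 4–1 and the median argument above, as an added Python simulation that is not part of the dissertation: the anchor derives K_S from the network secret, discards any response whose MIC does not verify, converts each accepted t_j into t_{p,j}, and takes the median, with the plain average computed alongside for comparison. The link rate b, nonce length l, processing times, the 40 m range, the per-round jitter and the 1 µs delay inserted on one round are assumed values, and HMAC-SHA-256 stands in for the keyed hash.

```python
import hashlib
import hmac
import os
import statistics

# Assumed parameters for this example (not values from the dissertation).
C = 299_792_458.0                   # c, speed of light in m/s
L_BITS = 32                         # l, nonce length in bits
BANDWIDTH = 1_000_000               # b, link rate in bit/s
T_PROC_A = 2.0e-6                   # t^{A_i}_proc, preloaded anchor decode time (s)
T_PROC_S = 5.0e-6                   # t^{S}_proc, preloaded sensor turnaround time (s)
T_TRAN = 2 * L_BITS / BANDWIDTH     # t_tran: the 2l-bit response N_j || M_j takes 2l/b s
NETWORK_SECRET = b"constructed-network-secret-K"   # K, held by anchors only


def mic(key: bytes, msg: bytes) -> bytes:
    """h_K(M), the keyed hash used as MIC. The text names SHA-1; HMAC-SHA-256 is used here."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def sensor_key(sensor_id: bytes) -> bytes:
    """K_S = h_K(ID_S): preloaded into S by the planner, recomputed by each anchor on demand."""
    return mic(NETWORK_SECRET, sensor_id)


def sensor_respond(key_s: bytes, nonce: bytes):
    """Sensor side: echo N_j || M_j immediately, then send v = h_{K_S}(N_j || M_j)."""
    m_j = os.urandom(L_BITS // 8)
    return nonce + m_j, mic(key_s, nonce + m_j)


def simulate_round(key_s: bytes, true_distance: float, jitter: float,
                   added_delay: float = 0.0, impersonated: bool = False):
    """Constructed channel model for one round; returns (N_j, response, v, t_j).

    t_j is the anchor's timer reading: two one-way flights plus the processing and
    transmission times, plus measurement jitter and any delay an attacker inserts.
    An impersonated response is produced without K_S, so its MIC cannot verify.
    """
    nonce = os.urandom(L_BITS // 8)
    t_j = 2 * (true_distance / C) + T_PROC_S + T_PROC_A + T_TRAN + jitter + added_delay
    if impersonated:
        return nonce, nonce + os.urandom(L_BITS // 8), os.urandom(32), t_j
    response, v = sensor_respond(key_s, nonce)
    return nonce, response, v, t_j


def accepted_propagation_times(sensor_id: bytes, rounds):
    """Lines 7-10 of Table 4-1: keep t_{p,j} only for rounds whose MIC verifies under K_S."""
    key_s = sensor_key(sensor_id)
    times = []
    for nonce, response, v, t_j in rounds:
        if not response.startswith(nonce):                      # must echo N_j
            continue
        if not hmac.compare_digest(mic(key_s, response), v):    # bogus response: ignore
            continue
        times.append((t_j - T_PROC_A - T_PROC_S - T_TRAN) / 2)  # t_{p,j}
    return times


def k_distance(sensor_id: bytes, rounds):
    """Anchor side of Table 4-1: d_{A_iS} = c * median(T). Returns (distance, |T|)."""
    times = accepted_propagation_times(sensor_id, rounds)
    if not times:
        raise ValueError("no authentic response from sensor")
    return C * statistics.median(times), len(times)


def naive_distance(sensor_id: bytes, rounds):
    """Same MIC filtering but averaging instead of the median, to show why that is unsafe."""
    return C * statistics.mean(accepted_propagation_times(sensor_id, rounds))


def demo(true_distance: float = 40.0, k: int = 5):
    """K = 5 rounds against a sensor 40 m away: nanosecond jitter on every round, a
    relaying attacker delaying round 3 by 1 us, and an impersonator answering round 5
    early (a reduction attempt). Returns ((median distance, accepted), mean distance)."""
    sensor_id = b"sensor-0017"                 # constructed ID_S
    key_s = sensor_key(sensor_id)              # what the planner preloaded into S
    jitter = [1e-9, -1e-9, 0.0, 2e-9, -2e-9]
    delays = {2: 1.0e-6, 4: -2.0e-7}
    rounds = [simulate_round(key_s, true_distance, jitter[j], delays.get(j, 0.0),
                             impersonated=(j == 4)) for j in range(k)]
    return k_distance(sensor_id, rounds), naive_distance(sensor_id, rounds)
```

With these inputs the impersonated round is dropped by the MIC check, the median lands within a few decimetres of 40 m, and the average is pulled tens of metres out by the single delayed round.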

A_i then calculates d_{A_iS} = c · t_{A_iS} and sends to anchor leader A_1 a message of the format {d_{A_iS}, h_K(d_{A_iS})}_K, where {M}_K means encrypting data M with key K. Upon receipt of it, A_1 decrypts d_{A_iS} and checks its authenticity via the preloaded K. Once it has obtained all n_a distance estimates, A_1 can then derive an MMSE location estimate (X_S, Y_S).

¹ We notice that there might exist other methods such as Least Median Squares (LMS) to deal with outliers (distance estimates enlarged in our case). However, they are less computationally efficient than the median method.

Table 4–2: Testing if a point is inside a |B|-vertex polygon.

Inputs: B: an anchor set, (X_S, Y_S): a location estimate
Output: 0 if outside, else 1
1: u = 0
2: for (i = 1, j = |B|; i ≤ |B|; j = i++) do
3:     if ((((Y_i ≤ Y_S) && (Y_j > Y_S)) ‖ ((Y_i > Y_S) && (Y_j ≤ Y_S)))      /* edge (i, j) straddles the horizontal ray through (X_S, Y_S) */
4:         && (X_S > (X_i − X_j) ∗ (Y_S − Y_j)/(Y_i − Y_j) + X_j)) then       /* the edge crosses the ray to the left of X_S */
5:         u = !u
6:     end if
7: end for
8: return u

4.3.4 Location Validity Test

The median approach may be enough for withstanding less powerful attackers. How-

ever, if K assumes a small value, attackers launch persistent attacks, and m is greater than (K+1)/2, some distance estimates used for deriving (X_S, Y_S) might have still been enlarged,

leading to the invalidity of (XS , YS). Therefore, we require A1 to run a validity test on

(XS , YS).

Consider first the simple case that there are no measurement errors. If none of the n_a distance estimates was enlarged by attackers, (X_S, Y_S) should be exactly the common intersection point of the n_a circles $(x - X_{A_i})^2 + (y - Y_{A_i})^2 = d_{A_iS}^2$, $1 \le i \le n_a$. To test the validity of

(XS , YS), A1 merely needs to check whether (XS , YS) is inside the na-vertex polygon formed

by all the anchors. The underlying logic is very simple. If attackers want to make S appear

to be at any location other than its true location, they have to enlarge certain distance

measurements, while at the same time reduce some others so as to keep the resulting location

estimate inside the polygon. As mentioned before, however, our K-Distance algorithm can

prevent attackers from launching distance reduction attacks. Therefore, anchors can be

assured that the location estimate is trustable as long as it resides in the na-vertex polygon.

We refer to Fig. 4–4(a) for an example with three anchors (na = 3).

To determine the inclusion of a point inside a polygon, we select the ray-tracing method for its simplicity and computational efficiency. This method works by starting at the


point in question and drawing a straight line in any direction. If the number of times

the ray intersects the polygon edges is odd, the starting point is inside the polygon and

is outside otherwise. This is easy to understand intuitively. Each time the ray crosses

a polygon edge, its in-out parity changes because each edge always separates the inside

of a polygon from its outside. Eventually, any ray must end up beyond and outside the

bounded polygon. Therefore, if the point is inside, the sequence of crossings “→” must

be: in→out→ · · ·→in→out, and there are an odd number of them. Similarly, if the point

is outside, there are an even number of crossings in the sequence: out→ · · ·→in→out.

Table 4–2 gives the pseudo-code implementation for the ray-tracing method, which uses a

horizontal ray extending to the left of (XS , YS) and parallel to the negative x-axis.

In practical scenarios, however, time measurement errors and thus distance estimate

errors occur inevitably. The na circles centered at anchors will therefore not have a common

intersection point, but form an intersection area in which the location estimate is located,

as shown in Fig. 4–4(b). This would introduce room for distance enlargement attacks.

Consider again the three-anchor example in Fig. 4–4(c). Suppose the distance estimate

dA3S was maliciously enlarged, while dA1S and dA2S are just a little larger than the actual

distances due to measurement errors. It is obvious that, by adjusting the level of enlarging

dA3S , attackers might be able to freely enlarge the intersection area of the three circles and

thus make the MMSE location estimate (though still inside the triangle) deviate much from

the true location. Fortunately, we can alleviate this issue by imposing certain reasonable

constraints. Let δ be the two-sided maximum allowable measurement error with respect to distance estimates. Now (X_S, Y_S) should reside in the intersection area of the n_a rings $(d_{A_iS} - \delta)^2 \le (x - X_{A_i})^2 + (y - Y_{A_i})^2 \le (d_{A_iS} + \delta)^2$, $1 \le i \le n_a$ (see Fig. 4–4(b)). This means that, in addition to performing the point-inclusion test, A_1 needs to check whether the inequality $|d_{A_iS} - \sqrt{(X_S - X_{A_i})^2 + (Y_S - Y_{A_i})^2}| \le \delta$ holds for each d_{A_iS}. If so, (X_S, Y_S) is considered valid, and invalid otherwise.

With our method in place, attackers might only be able to enlarge any dAiS a little bit

to make the resulting (XS , YS) appear to be valid, leading to tolerable location imprecision.

However, if they enlarge dAiS by a relatively large amount, the resulting (XS , YS) will be

identified as invalid. One such example is shown in Fig. 4–4(c). Therefore, although our


method cannot completely eliminate distance enlargement attacks, which is believed to

be impossible for any security mechanism, it does constrain the impact of attackers to a

tolerable level.

If (X_S, Y_S) does not pass either the point-inclusion test or the δ-error check, A_1 recomputes a MMSE location estimate based on any (n_a − 1) distance estimates and checks

its validity via these two tests. If all the sets of (na−1) distance estimates are traversed and

still no valid location estimate is generated, A1 tries the sets of (na− 2) distance estimates.

A_1 continues this process until either a valid (X_S, Y_S) is found or all the 3-element subsets of the n_a distance estimates are examined (3 is the minimum number of distance estimates

required to derive a 2-D location estimate). If the latter case occurs without yielding a valid

location estimate, A1 may consider that the localization process was attacked and should

take certain actions, e.g., reporting this abnormality to the control center, as stipulated by

concrete WSN applications.
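The leader-side location derivation and validity test of Sections 4.2 to 4.3.4, as an added Python example (not code from the dissertation): the MMSE fit of Eq. (4.1) by Gauss-Newton iteration, the ray-casting test of Table 4–2, the δ-ring check, and the subset search from n_a anchors down to three. The anchor coordinates, the sensor location, the error terms, δ = 1 m and the two enlarged ranges are constructed values, and anchors are assumed to be listed in cyclic order around their polygon so that every subset is also in cyclic order.

```python
import itertools
import math


def mmse_locate(anchors, dists, iters=100):
    """MMSE estimate of (X_S, Y_S): minimise F = sum_i f_i^2, with f_i as in Eq. (4.1),
    by Gauss-Newton iteration started at the anchor centroid."""
    x = sum(a[0] for a in anchors) / len(anchors)
    y = sum(a[1] for a in anchors) / len(anchors)
    for _ in range(iters):
        a11 = a12 = a22 = b1 = b2 = 0.0          # normal equations (J^T J) s = -J^T f
        for (xi, yi), di in zip(anchors, dists):
            dx, dy = x - xi, y - yi
            r = math.hypot(dx, dy) or 1e-12
            f = di - r                           # f_i = d_i - distance(estimate, A_i)
            jx, jy = -dx / r, -dy / r            # df_i/dX_S, df_i/dY_S
            a11 += jx * jx
            a12 += jx * jy
            a22 += jy * jy
            b1 -= jx * f
            b2 -= jy * f
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break
        sx = (b1 * a22 - b2 * a12) / det
        sy = (a11 * b2 - a12 * b1) / det
        x, y = x + sx, y + sy
        if math.hypot(sx, sy) < 1e-9:
            break
    return x, y


def inside_polygon(polygon, point):
    """Table 4-2: ray casting with a horizontal ray to the left of the point.
    Vertices must be listed in boundary (cyclic) order."""
    xs, ys = point
    inside = False
    j = len(polygon) - 1
    for i in range(len(polygon)):
        (xi, yi), (xj, yj) = polygon[i], polygon[j]
        if (yi <= ys) != (yj <= ys):                          # edge straddles the ray
            x_cross = xj + (xi - xj) * (ys - yj) / (yi - yj)  # x where the edge meets it
            if xs > x_cross:                                  # crossing lies to the left
                inside = not inside
        j = i
    return inside


def is_valid(anchors, dists, est, delta):
    """Point-inclusion test plus the delta-ring check |d_i - dist(est, A_i)| <= delta."""
    if not inside_polygon(anchors, est):
        return False
    return all(abs(d - math.hypot(est[0] - x, est[1] - y)) <= delta
               for (x, y), d in zip(anchors, dists))


def secure_locate(anchors, dists, delta):
    """A_1's search: all n_a estimates first, then every subset of n_a-1, ..., 3 of them.
    Returns (estimate, indices of the anchors used), or None if nothing validates."""
    n = len(anchors)
    for size in range(n, 2, -1):
        for idx in itertools.combinations(range(n), size):
            sub_anchors = [anchors[i] for i in idx]   # a subsequence keeps cyclic order
            sub_dists = [dists[i] for i in idx]
            est = mmse_locate(sub_anchors, sub_dists)
            if is_valid(sub_anchors, sub_dists, est, delta):
                return est, idx
    return None


# Constructed scenario (not from the dissertation): five anchors in cyclic order,
# sensor S at (50, 20), a fixed measurement error per anchor, delta = 1 m.
ANCHORS = [(0.0, 0.0), (80.0, 0.0), (90.0, 60.0), (40.0, 90.0), (-10.0, 60.0)]
TRUE_S = (50.0, 20.0)
ERRORS = [0.3, -0.2, 0.4, -0.1, 0.2]
DELTA = 1.0


def measured_ranges(enlarged=None):
    """True ranges plus measurement error plus any attacker enlargement {index: metres}."""
    enlarged = enlarged or {}
    return [math.hypot(TRUE_S[0] - x, TRUE_S[1] - y) + e + enlarged.get(i, 0.0)
            for i, ((x, y), e) in enumerate(zip(ANCHORS, ERRORS))]


def demo():
    """Honest run (all five ranges validate) versus a run where d_{A_4S} and d_{A_5S}
    were enlarged by 100 m and 20 m: every subset holding an enlarged range fails the
    delta check, so A_1 falls back to the honest triple A_1, A_2, A_3."""
    honest = secure_locate(ANCHORS, measured_ranges(), DELTA)
    attacked = secure_locate(ANCHORS, measured_ranges({3: 100.0, 4: 20.0}), DELTA)
    return honest, attacked
```

In the attacked run the leader evaluates the full set, the five 4-element subsets and then the 3-element subsets in order, so it performs several MMSE fits before the first honest triple validates, which is the overhead the next section quantifies.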

If a valid (X_S, Y_S) is derived, anchor A_1 transmits it securely to node S in the message {X_S, Y_S, h_{K_S}(X_S ‖ Y_S)}_{K_S}. Upon receiving it, node S uses the preloaded secret key K_S to

decrypt (XS , YS) and compute a MIC. If the result matches with what A1 sent, S considers

(XS , YS) trustable and saves it for subsequent use.

4.3.5 Discussion

Overhead analysis. So far we have elaborated the operations of SLS, by which a

valid location estimate can be obtained despite the presence of attacks as long as there are

at least three unattacked distance estimates. The desirable security improvement does not

come for free. Specifically, the K-Distance algorithm requires each anchor to obtain K distance estimates instead of one as in previous schemes. K is tunable, however, and K-Distance not only mitigates distance enlargement attacks but also smooths sporadic measurement errors in the first place. Also note that, if some distance estimates were

maliciously enlarged, A_1 may need to perform the MMSE estimation for up to $\sum_{j=3}^{n_a} \binom{n_a}{j}$ times. In practical scenarios, n_a should be carefully chosen to be a small number that can

guarantee a certain level of resilience to attacks while not incurring too much overhead.

For instance, when na = 5 anchors are used, SLS can tolerate two (40 percent) maliciously

enlarged distance estimates that are not filtered out by K-Distance. Then A_1 needs to compute at most 16 MMSE location estimates. Since anchors have more powerful computational capacities

than sensor nodes and node localization is a one-time process, we believe such overhead to

be acceptable for security-sensitive WSNs.

Other applications. In addition to securely localizing sensor nodes, SLS can find

uses in many other applications. One example is critical asset tracking. Many organizations, particularly defense contractors, have parts and equipment of a sensitive, secure, or hazardous nature. These parts need to be monitored and audited to record their movements and who had access to them, as proof that they have not been tampered with or viewed by unauthorized personnel. We can accomplish this task by deploying a tracking infrastructure composed of a set of anchors and attaching to critical assets some sensors that are difficult to remove without being detected. Anchors and sensors communicate with each other through wireless links. SLS can then be used by anchors to keep track of the locations of critical assets (in fact, of the attached sensors).

4.4 Related Work

In this section, we briefly review some important work that is closely related to this

chapter. Brands and Chaum [70] propose a TOA-based distance bounding protocol that

can be used to verify the proximity of two devices connected by a wired link. Sastry et al.

[71] present a similar distance bounding approach based on ultrasound and RF signals to

verify the presence of a wireless device in a region of interest. In [72], Waters and Felten

propose a scheme that uses round-trip time-of-flight RF signals to prove the locations of

tamper-resistant devices. Their scheme cannot be directly applied in UWB sensor networks

because individual sensors are usually not tamper-resistant due to cost limitations. More

recently, Lazos and Poovendran [66] present an approach to secure range-free sensor localization techniques [64, 65]. By contrast, this chapter concentrates on securing range-based

localization techniques [62, 63]. The closest work to our SLS can be found in [67], in which a

scheme called Verifiable Multilateration (VM) is proposed for secure positioning of wireless

devices. However, SLS differs significantly from VM in several major aspects. First, SLS is

able to mitigate the impact of attacks and sporadic measurement errors in the first place,

which is a nice property not provided by VM. Second, VM calculates location estimates

on the basis of three anchors or triangles. By contrast, we consider a more general case

Page 84: SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONSufdcimages.uflib.ufl.edu/UF/E0/01/56/09/00001/zhang_y.pdf · 2010-05-13 · security in heterogeneous wireless

74

by using an na-vertex polygon formed by na anchors for na > 3, which allows for higher

location accuracy. Last, we propose to utilize mobile anchors instead of static anchors,

which can greatly reduce the number of required anchors.

4.5 Summary

How to ensure secure localization is one of the challenging issues in securing WSNs. In this chapter, we present SLS, a novel mobility-assisted secure localization algorithm that can furnish sensor nodes with secure, accurate locations despite the presence of attacks. As future research, we plan to extend our approach to range-free localization techniques.


CHAPTER 5

LOCATION-BASED COMPROMISE-TOLERANT SECURITY MECHANISMS FOR WIRELESS SENSOR NETWORKS

5.1 Introduction

A future WSN is expected to consist of hundreds or even thousands of sensor nodes. This renders it impractical to monitor and protect each individual node from either physical or logical attack. It is also unrealistic and uneconomical to enclose each node in tamper-resistant hardware. Thus, each node represents a potential point of compromise. Once they have compromised certain nodes and acquired their keying material, adversaries can launch various insider attacks. For example, they might spoof, alter or replay routing information to interrupt the network routing [73]. They may also launch the Sybil attack [45, 74], where a single node presents multiple identities to other nodes, or the identity replication attack, in which clones of a compromised node are put into multiple network places [74]. Moreover, adversaries may inject bogus data into the network to consume the scarce network resources [75, 76]. This situation creates the demand for compromise-tolerant security design. That is, the network should remain highly secure even when a number of nodes are compromised. Although many solutions such as [77, 78, 79, 80, 81, 82, 83, 84, 85] have been proposed for securing WSNs, most of them do not provide adequate resilience to node compromise and the resulting attacks.

Many WSNs have an intrinsic property that sensor nodes are stationary, i.e., fixed

at where they were deployed. This property has played an important role in many WSN

applications such as target tracking [86] and geographic routing [87]. By contrast, its great

potential in securing WSNs has so far drawn little attention. Based on this observation,

we propose a suite of location-based compromise-tolerant security mechanisms for WSNs

in this chapter. Our main contributions are summarized as follows.

First, we propose the novel notion of location-based keys (LBKs) based on the aforementioned pairing technique (cf. Section 2.2.1). In our scheme, each node holds a private key bound to both its ID and geographic location rather than merely its ID as in conventional schemes. To the best of our knowledge, this is the first such effort in the context of WSNs.

Second, we design a novel node-to-node neighborhood authentication protocol based on LBKs. It helps achieve the desirable goal of localizing the impact of compromised nodes (if any) to their vicinity, which is a nice property absent in most previous proposals.

Third, we present efficient approaches to establish pairwise shared keys between any two nodes that are either immediate neighbors or multiple hops away. Such keys are fundamental in providing security support for WSNs [78, 79, 80, 81, 82, 83, 84, 85]. In contrast to previous proposals, our approaches feature low communication and computation overhead, low memory requirements and good network scalability. More importantly, our approaches show perfect resistance to node compromise in that pairwise shared keys between non-compromised nodes always remain secure, no matter how many nodes are compromised.

Fourth, we demonstrate how LBKs can act as efficient countermeasures against some

notorious attacks against WSNs. These include the Sybil attack [73, 74], the identity

replication attack [74], wormhole and sinkhole attacks [73], and so on.

Last, we develop a location-based threshold-endorsement scheme (LTE) to thwart the

aforementioned bogus data injection attack [75, 76]. Detailed performance evaluation shows

that LTE can achieve remarkable energy savings by detecting and dropping bogus traffic at

their early transmission stages. Moreover, our LTE has a much higher level of compromise

tolerance than previous work [75, 76].

The rest of this chapter is structured as follows. Section 5.2 introduces the cryptographic basis, the adversary model and the security objectives of this chapter. Next we detail a location-based key management scheme, including key generation, authentication and shared-key establishment. This is followed by a detailed illustration of using LBKs in combating various attacks. Section 5.5 presents the LTE scheme and evaluates its performance. We then survey related work in Section 5.6, discuss the use of symmetric-key vs. public-key cryptography in Section 6.7, and summarize this chapter.


5.2 Preliminaries

5.2.1 Adversary Model

Adversaries in WSNs can be classified as either external or internal adversaries. The

former do not have authentic keying material whereby to participate in network operations

as legitimate nodes. They might just passively eavesdrop on radio transmissions or actively

inject bogus data or routing messages into the network to consume the network resources.

Once in full control of certain nodes, external adversaries can become internal ones to be

able to launch more subtle attacks like those mentioned in Section 5.1. Internal adversaries

are generally more difficult to defend against than external ones for their possession of

authentic keying material. We further assume that adversaries have much more powerful resources regarding energy, computation and communication capacities than ordinary

sensor nodes. They might also communicate and collaborate over a high-bandwidth and

low-latency channel invisible to legitimate sensor nodes. However, we do assume that

adversaries cannot compromise an unlimited number of sensor nodes. Neither can they

break any cryptographic primitive on which we base our design. Otherwise, there is unlikely

to be any feasible security solution.

5.2.2 Security Objectives

We aim to provide confidentiality, authentication, data integrity, and non-repudiation,

four essential security objectives. We also intend to offer both link-layer and end-to-end

security guarantees, both of which are indispensable for security-sensitive WSNs [73]. By

definition, link-layer security indicates the security of radio links between neighboring nodes.

It is a prerequisite to prevent external adversaries from accessing or modifying or faking

radio transmissions. In contrast, end-to-end security refers to the communication security

between a pair of source and destination nodes, e.g., a data aggregation point (AP) to

a higher-level AP or the sink [73]. We achieve link-layer security by immediate pairwise

keys shared between neighboring nodes and end-to-end security by multi-hop pairwise keys

shared between end-to-end sources and destinations.


5.3 A Location-Based Key Management Scheme

This section presents a location-based key management scheme for WSNs, including

the generation and distribution of LBKs, a secure LBK-based neighborhood authentication

scheme, and methods for establishing both immediate and multi-hop pairwise shared keys.

5.3.1 Pre-Deployment Phase

We examine a large-scale WSN consisting of hundreds or even thousands of sensor

nodes. We assume that all the nodes have the same transmission range R and communicate

via bi-directional wireless links. Nodes perform a collaborative monitoring of the designated

sensor field and report the sensed events to the distant sink, which is a data collection center

with sufficiently powerful processing capabilities and resources. We further assume that each

node A has a unique, integer-valued and non-zero ID, denoted by IDA. In view of the cost

constraints, nodes are assumed to be not tamper-resistant in the sense that adversaries

can extract all the keying material and data stored on a compromised node. However, we

postulate that the sink is trustworthy and unassailable, as is commonly assumed in the

literature [78, 79, 80, 81, 82, 83, 84, 85].

Prior to network deployment, we assume that a trusted authority (TA) does the following operations:

1. Generate the pairing parameters $(q, G_1, G_2, e, W, H)$ (cf. Section 2.2.1), where $W$ is an arbitrary generator of $G_1$, and $H$ is a hash function mapping given strings to non-zero elements in $G_1$.

2. Choose $h$, mapping arbitrary inputs to fixed-length outputs, e.g., SHA-1 [16].

3. Pick a random $\kappa \in \mathbb{Z}_q^*$ as the network master secret and set $W_{pub} = \kappa W$.

4. Calculate for each node $A$ an ID-based key (IBK for short), $IK_A = \kappa H(ID_A) \in G_1$.

Each node $A$ is preloaded with the public system parameters $(q, G_1, G_2, e, H, h, W, W_{pub})$ and its private $IK_A$. It is important to note that it is computationally infeasible to deduce $\kappa$ from either $(W, W_{pub})$ or any (ID, IBK) pair like $(ID_A, IK_A)$, due to the difficulty of solving the DLP in $G_1$ (cf. Section 2.2.1). Therefore, even after compromising an arbitrary number of nodes and their IBKs, adversaries are still unable to calculate the IBKs of non-compromised nodes.


5.3.2 Sensor Deployment and Localization

After being loaded with the keying material, sensor nodes can be deployed in various ways such as physical installation or random aerial scattering. There are also many methods to localize each node, i.e., to furnish each node with its geographic location. We consider the following two sensor localization techniques, which accordingly differ in their ways of generating LBKs for individual nodes. The final outcome of either approach is that each node $A$ possesses its location, denoted by $l_A$, and an LBK $LK_A = \kappa H(ID_A \| l_A)$, where $\|$ denotes message concatenation.

Range-based localization. In this approach, we assume that a group of mobile robots are dispatched to sweep across the whole sensor field along pre-planned routes. Mobile robots have GPS capabilities as well as more powerful computation and communication capacities than ordinary nodes. The leading robot is also equipped with the network master secret $\kappa$. To localize a node, say $A$, mobile robots run the secure range-based localization protocol given in Chapter 4 or [67] to first measure their respective absolute distance to node $A$ and then co-determine $l_A$, the location of $A$. Subsequently, the leading robot calculates $LK_A = \kappa H(ID_A \| l_A)$. It then generates $IK_A = \kappa H(ID_A)$ and sends $\langle \{LK_A \| l_A\}_{IK_A},\ h_{IK_A}(LK_A \| l_A) \rangle$ to $A$. Henceforth, $\{M\}_k$ means encrypting message $M$ with key $k$, and $h_k(M)$ refers to the message integrity code (MIC) of message $M$ under key $k$.

Upon receipt of the message, node A first uses its preloaded IBK IKA to decrypt LKA

and lA and then regenerates the MIC. If the result matches with what the robot sent, A

saves LKA and lA for subsequent use. Following this process, all the nodes can be furnished

with their respective location and LBK. After that, mobile robots leave the sensor field and

the leading robot should securely erase κ from its memory. During subsequent network

operations, node addition may be necessary to maintain good network connectivity. The

localization of new nodes can be done in the same manner.

The assumption underlying this approach is that adversaries do not launch active and explicit pinpoint attacks on mobile robots at this stage, which usually does not last long. However, they may still perform relatively passive attacks such as message eavesdropping or strategic channel interference to disturb the localization process [67]. This assumption is reasonable in that mobile robots are far fewer than ordinary sensor nodes and hence we can spend more on them by enclosing them in high-quality tamper-proof hardware and putting them under close monitoring. Adversaries may also want to temporarily avoid active and explicit attacks that may easily expose themselves. After the localization phase, adversaries are free to launch all kinds of attacks.

Range-free localization. By contrast, the range-free localization approach does

not rely on exact distance or range measurements. Instead, we assume that there are

some special nodes called anchors knowing their own locations. All the non-anchor nodes

autonomously derive their locations based on information from the anchors and neighboring

nodes via secure range-free localization techniques such as [66, 88, 89].

The LBKs are also generated by the nodes themselves. To enable this, each node $A$ is preloaded with the network master secret $\kappa$ whereby to generate its LBK $LK_A = \kappa H(ID_A \| l_A)$. As in LEAP [90], this approach takes advantage of the fact that sensor nodes deployed in security-sensitive environments are usually designed to withstand break-in attacks at least for a short interval when captured by adversaries. Specifically, we assume that an adversary needs a time interval of at least $T_{min}$ to successfully compromise a node, and each node takes some time less than $T_{min}$ to finish localization and generation of its LBK. In addition, each node should be programmed to securely erase $\kappa$ from its memory after $T_{min}$ of its deployment. In the case of subsequent node addition, new nodes can get their locations and LBKs in the same way.

5.3.3 Location-Based Neighborhood Authentication

By definition, neighborhood authentication means the process that any two neighboring

nodes validate each other’s network membership. This process is fundamental in supporting

many security services in WSNs. For example, a node should only accept messages from and

forward messages to authenticated neighbors. Otherwise, external adversaries can easily

inject bogus broadcast messages into the network or swindle network secret information

from legitimate nodes.

During the post-deployment phase, each node is required to discover and perform mutual authentication with neighboring nodes, which is a normal process in many existing security solutions for sensor networks. In our scheme, each node will think of another node as an authentic neighbor if and only if that node is within its transmission range $R$ and also holds the correct corresponding LBK. We take the following concrete example to explain the neighborhood authentication process.

1. $A \to *:\ ID_A, l_A, n_A$

2. $B \to A:\ ID_B, l_B, n_B, h_{K_{B,A}}(n_A \| n_B \| 1)$

3. $A \to B:\ h_{K_{A,B}}(n_A \| n_B \| 2)$

Suppose node $A$ wishes to discover and authenticate neighboring nodes once it has its location and LBK. To do so, $A$ locally broadcasts an authentication request including its ID $ID_A$, location $l_A$ and a random nonce $n_A$. Upon receipt of such a request, node $B$ first needs to ascertain that the claimed location $l_A$ is in its transmission range by verifying whether the Euclidean distance $\|l_A - l_B\| \le R$. This check is the baseline defense against the attack in which adversaries surreptitiously tunnel authentication messages between $B$ and a virtually non-neighboring node. Without the location check, $B$ and that victim would falsely believe that they are neighbors because both possess an authentic LBK whereby to successfully finish the following authentication process.

If the inequality does not hold, node $B$ simply discards the authentication request. Otherwise, $B$ calculates a shared key as $K_{B,A} = e(LK_B, H(ID_A \| l_A))$. It then unicasts a reply to node $A$ including its ID and location, a random nonce $n_B$, and a MIC computed as $h_{K_{B,A}}(n_A \| n_B \| 1)$. Upon receiving the reply, node $A$ also first checks whether the inequality $\|l_A - l_B\| \le R$ holds. If so, it proceeds to derive a shared key as $K_{A,B} = e(LK_A, H(ID_B \| l_B))$ whereby to recompute the MIC. If the result is equal to what $B$ sent, node $A$ considers $B$ an authentic neighbor. Subsequently, $A$ returns to node $B$ a new MIC computed as $h_{K_{A,B}}(n_A \| n_B \| 2)$. Upon receipt of it, $B$ uses $K_{B,A}$ to regenerate the MIC and compares the result with what it just received. If they are equal, $B$ regards node $A$ as an authentic neighbor as well.


The above process is valid because, if and only if both $A$ and $B$ have a correct LBK, $K_{A,B}$ is equal to $K_{B,A}$ due to the following equations.

$$
\begin{aligned}
K_{A,B} &= e(LK_A, H(ID_B \| l_B)) \\
&= e(\kappa H(ID_A \| l_A), H(ID_B \| l_B)) \\
&= e(H(ID_A \| l_A), \kappa H(ID_B \| l_B)) \\
&= e(\kappa H(ID_B \| l_B), H(ID_A \| l_A)) \\
&= e(LK_B, H(ID_A \| l_A)) = K_{B,A}
\end{aligned}
\qquad (5.1)
$$

The second and third lines hold by the bilinearity of $e$ and the fourth line holds by the symmetry of $e$ (cf. Section 2.2.1).

Using the above three-way handshake, all the nodes can achieve mutual authentication

with neighboring nodes. Note that if multiple nodes simultaneously respond to the same

authentication request, possible MAC-layer collision may happen. We resort to effective

MAC-layer mechanisms to resolve this issue. For example, it can be alleviated through

MAC-layer retransmission or by using a random jitter delay for which each node has to

wait before answering an authentication request.

In our scheme, new nodes can be added freely to maintain necessary network connectivity, especially when some existing nodes die out because of power shortage or other reasons. A new node is also required to execute the authentication protocol once localized properly.

Security analysis. Our location-based authentication scheme is secure against various malicious attacks. For example, in a location forgery attack, an adversary might send an authentication request with a forged location within node $B$'s range. Since the adversary does not hold the LBK corresponding to the forged location, he or she cannot successfully finish the authentication procedure and thus cannot deceive $B$ into believing that he or she is an authentic neighbor. Adversaries might also launch a message-tunnelling attack by tunnelling authentication messages received at one location of the network over an invisible, out-of-band and low-latency channel to another network location which is typically multiple hops away. By doing so, they attempt to make two victim nodes far away from each other believe that they are authentic neighbors. This attack is infeasible with our scheme in that each node will simply deny authentication requests from nodes that are not physically within its transmission range. In addition, an adversary might put into the vicinity of a legitimate node, say $B$, a replica of a node compromised at some other distant location. Most purely ID-based authentication schemes are vulnerable to this attack because, without dependence on any central authority [79, 74], the victim $B$ has great difficulty in differentiating between legitimate authentication requests and malicious ones from replicas of a compromised node. With our scheme in place, node $B$ will simply ignore the replica's authentication request because the replica should not appear in its transmission range.

It is worth pointing out that, as any other security solution, our scheme itself cannot

prevent a compromised node or its replicas from achieving mutual authentication with

its legitimate neighbors. However, it can guarantee that the compromised node or its

replicas receive nothing more than some random numbers, public IDs and locations from

legitimate nodes. This ensures that the compromised node cannot impersonate its legitimate

neighbors to other nodes. Therefore, our location-based authentication scheme can reduce

the impact of a compromised node from the otherwise network-wide scale to its vicinity,

more specifically, within a circle with radius $2R$ centered at its current location. This makes it far easier to devise efficient localized intrusion detection mechanisms.

One may worry that adversaries might mount a denial-of-service attack by continuously sending bogus authentication requests or replies to lure legitimate nodes into endless processing of such messages. In our opinion, this attack is in fact less worrisome. The reason is that the number of neighbors of any node is limited in reality. Therefore, abnormally many authentication requests or replies are highly likely an indicator of malicious attacks. Under such situations, we assume that there are efficient mechanisms available for legitimate nodes to report such an abnormality to the sink.

5.3.4 Immediate Pairwise Key Establishment

Link-layer security schemes demand an efficient method to establish pairwise shared

keys between neighboring nodes. Henceforth, we refer to such keys as immediate pairwise

keys (or IPKs for short). With IPKs, messages exchanged between neighboring nodes can

be encrypted and authenticated via efficient symmetric-key algorithms.


Note that after a successful three-way handshake, two neighboring nodes, say $A$ and $B$, have established a shared key $K_{A,B} = K_{B,A}$. Adversaries, be they external or internal, may overhear the authentication messages, but cannot deduce the shared key for lack of the LBKs of $A$ and $B$. From $K_{A,B}$, $A$ and $B$ can derive various shared session keys for different security purposes by feeding $K_{A,B}$ into the hash function $h$. For example, they can use $k_0 = h(K_{A,B} \| 0)$ for message encryption and $k_1 = h(K_{A,B} \| 1)$ for message authentication. In a similar way, each node can establish IPKs with all its legitimate neighbors after the neighbor discovery and authentication phase.

Since the IPKs are by-products of the neighborhood authentication process, there is no

extra key-establishment communication and computation overhead. In addition, our IPK

establishment method has perfect resistance to node compromise because the IPKs are built

upon the private LBKs of individual nodes. No matter how many nodes are compromised,

the LBKs of non-compromised nodes always remain secure, and so do the IPKs established

between them.

5.3.5 Multi-hop Pairwise Key Establishment

In addition to the IPKs, a node may need to establish pairwise shared keys with other nodes that are multiple hops away. We call such keys multi-hop pairwise keys (or MPKs for short); they are required for securing end-to-end traffic.

Assume that nodes $U$ and $V$ are multiple hops apart and the routing path between them has been established using the underlying routing protocol. To establish an MPK, $U$ and $V$ execute the following protocol.

1. $U \to V:\ ID_U, l_U, n_U H(ID_U \| l_U)$

2. $V \to U:\ ID_V, l_V, n_V H(ID_V \| l_V)$

Here, $n_U, n_V \in \mathbb{Z}_q^*$ are random private numbers chosen by nodes $U$ and $V$, respectively. At the conclusion of the protocol, node $V$ calculates

$$
\begin{aligned}
K_{V,U} &= e(LK_V, n_V H(ID_U \| l_U) + n_U H(ID_U \| l_U)) \\
&= e(\kappa H(ID_V \| l_V), (n_V + n_U) H(ID_U \| l_U)).
\end{aligned}
$$

Likewise, node $U$ computes

$$
\begin{aligned}
K_{U,V} &= e(LK_U, n_U H(ID_V \| l_V) + n_V H(ID_V \| l_V)) \\
&= e(\kappa H(ID_U \| l_U), (n_U + n_V) H(ID_V \| l_V)).
\end{aligned}
$$

If both nodes are legitimate and have followed the protocol correctly, by the bilinearity and symmetry of $e$,

$$
K_{U,V} = K_{V,U} = e(H(ID_U \| l_U), H(ID_V \| l_V))^{(n_U + n_V)\kappa}.
$$

Based on the MPK $K_{U,V}$, nodes $U$ and $V$ can derive various shared session keys for different security purposes as before.

Discussion. If possible, the two protocol messages can piggyback on the routing

messages used to establish the routing path between U and V . In doing so, the related

communication overhead can be much reduced. In addition, there is no need for U and V

to further exchange messages to prove to the other the knowledge of the MPK. Any future

messages encrypted and authenticated with the MPK or the derivative session keys can

implicitly achieve the same effect.

Our MPK establishment protocol is a simple adaptation of the provably secure ID-based key agreement protocol [91]. Any third party may overhear the plaintext messages exchanged between $U$ and $V$, but cannot derive the MPK $K_{U,V}$ without knowing the LBKs of $U$ or $V$. This protocol also has perfect resilience against node compromise because of the dependence of the MPKs on the nodes' private LBKs.
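The following is an added example, not code from the dissertation: the neighborhood handshake of Section 5.3.3, the IPK of Section 5.3.4 and the MPK agreement of Section 5.3.5, run over a toy symmetric bilinear map in which $G_1$ is $\mathbb{Z}_Q$ and $e(a, b) = G^{ab} \bmod P$. The group, the range $R = 10$, the node IDs, locations and master secret are all assumed values, and HMAC-SHA256 stands in for $h_k$; because the DLP in $\mathbb{Z}_Q$ is trivial, the toy has none of the scheme's compromise tolerance and only exercises the protocol logic (the range check that drops a tunnelled request, the MIC check that rejects a forged location, equality of $K_{A,B}$ and $K_{B,A}$, and the closed form of the MPK).

```python
import hashlib
import hmac
import math
import secrets

# Toy bilinear map (constructed here, NOT a real pairing group): G1 is Z_Q
# (additive), G2 the order-Q subgroup of Z_P^* for a safe prime P = 2Q + 1, and
# e(a, b) = G^(a*b) mod P. Bilinear and symmetric, so (5.1) carries over, but the
# DLP in Z_Q is trivial (one captured LBK reveals kappa): protocol logic only.
def is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))
Q = next(q for q in range(10 ** 6, 10 ** 7) if is_prime(q) and is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4          # 4 = 2^2 is a non-trivial quadratic residue: order exactly Q
R = 10.0                     # transmission range (constructed value)
def e(a: int, b: int) -> int:
    """Toy symmetric bilinear map e: G1 x G1 -> G2."""
    return pow(G, (a * b) % Q, P)

def H(node_id: int, loc: tuple) -> int:
    """The paper's H(ID || l): hash to a non-zero element of G1 = Z_Q."""
    return int.from_bytes(hashlib.sha256(f"{node_id}|{loc}".encode()).digest(), "big") % (Q - 1) + 1

def h(key: int, msg: str) -> str:
    """Keyed MIC h_k(M), instantiated as HMAC-SHA256 keyed by the G2 element."""
    return hmac.new(key.to_bytes(4, "big"), msg.encode(), hashlib.sha256).hexdigest()

def lbk(kappa: int, node_id: int, loc: tuple) -> int:
    """LK_A = kappa * H(ID_A || l_A), issued by the TA or the leading robot."""
    return (kappa * H(node_id, loc)) % Q

class Node:
    def __init__(self, node_id: int, loc: tuple, lk: int):
        self.id, self.loc, self.lk = node_id, loc, lk
        self.neighbors = {}        # authenticated neighbour ID -> IPK K
        self.pending = {}          # requester ID -> (n_A, n_B, K) awaiting step 3
        self.nonce, self.n = 0, 1  # handshake nonce; private MPK scalar n in Z_Q^*
    def request(self) -> tuple:
        """Step 1, A -> *: ID_A, l_A, n_A."""
        self.nonce = secrets.randbelow(2 ** 32)
        return (self.id, self.loc, self.nonce)

    def reply(self, req: tuple):
        """Step 2, B -> A. The range check precedes any key computation."""
        ida, la, na = req
        if math.dist(la, self.loc) > R:        # claimed location out of range: drop
            return None
        k, nb = e(self.lk, H(ida, la)), secrets.randbelow(2 ** 32)  # K_{B,A}
        self.pending[ida] = (na, nb, k)
        return (self.id, self.loc, nb, h(k, f"{na}|{nb}|1"))

    def finish(self, rep: tuple):
        """Step 3, A -> B: verify B's MIC, then answer with the tag-2 MIC."""
        idb, lb, nb, mic = rep
        if math.dist(self.loc, lb) > R:
            return None
        k = e(self.lk, H(idb, lb))             # K_{A,B} = e(LK_A, H(ID_B || l_B))
        if not hmac.compare_digest(mic, h(k, f"{self.nonce}|{nb}|1")):
            return None                        # B lacks the LBK for (ID_B, l_B)
        self.neighbors[idb] = k
        return h(k, f"{self.nonce}|{nb}|2")

    def confirm(self, ida: int, mic: str) -> bool:
        """B checks A's tag-2 MIC under the key it derived in step 2."""
        na, nb, k = self.pending.pop(ida)
        if not hmac.compare_digest(mic, h(k, f"{na}|{nb}|2")):
            return False
        self.neighbors[ida] = k
        return True

    def mpk_offer(self) -> tuple:
        """5.3.5 message: ID_U, l_U, n_U * H(ID_U || l_U) with a fresh private n_U."""
        self.n = secrets.randbelow(Q - 1) + 1
        return (self.id, self.loc, (self.n * H(self.id, self.loc)) % Q)

    def mpk(self, offer: tuple) -> int:
        """K_{V,U} = e(LK_V, n_V * H(ID_U || l_U) + n_U * H(ID_U || l_U))."""
        idu, lu, nu_hu = offer
        return e(self.lk, (self.n * H(idu, lu) + nu_hu) % Q)

def run_handshake(a: Node, b: Node) -> bool:
    """Drive the three-way handshake A <-> B; True iff both sides accept."""
    rep = b.reply(a.request())
    mic = a.finish(rep) if rep is not None else None
    return mic is not None and b.confirm(a.id, mic)

def demo(kappa: int = 321) -> dict:
    """Honest neighbours, a forged location, a tunnelled request, and MPKs."""
    a = Node(1, (0.0, 0.0), lbk(kappa, 1, (0.0, 0.0)))
    b = Node(2, (3.0, 4.0), lbk(kappa, 2, (3.0, 4.0)))         # 5 units from A
    forger = Node(3, (4.0, 3.0), lbk(kappa, 3, (50.0, 50.0)))  # LBK issued for (50, 50)
    far = Node(4, (80.0, 80.0), lbk(kappa, 4, (80.0, 80.0)))   # honest but distant
    out = {"honest": run_handshake(a, b),
           "ipk_agree": a.neighbors.get(2) == b.neighbors.get(1),
           "forged_location": run_handshake(forger, b),
           "tunnelled": run_handshake(far, b)}                 # request tunnelled to B
    oa, ofar = a.mpk_offer(), far.mpk_offer()                  # routing path assumed
    closed = pow(e(H(1, a.loc), H(4, far.loc)), ((a.n + far.n) * kappa) % Q, P)
    out["mpk_agree"] = a.mpk(ofar) == far.mpk(oa) == closed
    out["mpk_forged"] = a.mpk(forger.mpk_offer()) == forger.mpk(oa)
    return out
```

Calling `demo()` returns a dict in which only the honest handshake and the honest MPK succeed; the forger's and the distant node's attempts fail at the MIC check and the range check respectively.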

5.4 Efficacy of LBKs in Attack Mitigation

In this section, we show how the proposed LBKs can act as effective and efficient

countermeasures against several notorious attacks against WSNs.

5.4.1 Spoofing, Altering or Replaying Routing Information

Without precaution, external adversaries are able to spoof, alter or replay routing

messages. By doing so, they attempt to create routing loops, cause network partitions,

incur false error messages, and so on [73].

As mentioned before, neighboring nodes are required to perform mutual authentication based on their private LBKs. Since each node only processes routing messages from authenticated neighbors, external adversaries can be prevented from entering the network and distributing phony routing messages. The remaining problem is how to defend against internal adversaries or compromised nodes in possession of authentic keying material. It is believed that there is no cryptographic way to prevent them from manipulating routing information. However, our location-based neighborhood authentication scheme can constrain the impact of compromised nodes to a small range centered at their original locations. In other words, internal adversaries cannot utilize the keying material acquired at one place to launch routing attacks at another distant place. The only thing they can possibly do is to continue misbehaving at "the scene of the crime," i.e., in a small range around the location of the compromised node. In doing so, they run a high risk of being detected by legitimate nodes if effective localized misbehavior detection mechanisms are available.

5.4.2 The Sybil Attack

The Sybil attack happens when a malicious node behaves as if it were a large number of nodes, e.g., by impersonating other nodes or simply claiming multiple forged IDs and/or locations. As pointed out in [73, 74], this attack is extremely detrimental to many important WSN functions, such as routing, fair resource allocation, misbehavior detection, data aggregation, and distributed storage.

With our scheme in place, when a malicious node intends to impersonate a legitimate node, it does not have the authentic LBK and thus cannot successfully finish mutual authentication with other legitimate nodes. For the same reason, a malicious node cannot claim forged IDs and/or locations without being detected. Therefore, the Sybil attack is effectively defeated.

5.4.3 The Identity Replication Attack

The identity replication attack [74] takes place when adversaries put multiple replicas of a compromised node in different geographic locations. It may lead to inconsistency of the network routing information, as well as jeopardizing other important network functions. Conventional defenses often involve a central authority, e.g., the sink, that either keeps a record of each node's location [74], or centrally counts the number of connections a node has and revokes those with too many connections [79]. These solutions require node-to-node authentication and pairwise key establishment to be performed through the central authority, thereby causing significant communication overhead and a lack of scalability.

This attack is no longer feasible when our location-based neighborhood authentication scheme is applied. The replicas of a compromised node will be prevented from entering the network by legitimate nodes at locations other than the neighborhood of the compromised node. Our countermeasure is totally self-organizing and does not involve any central authority, hence it is rather lightweight and highly scalable in contrast to previous solutions.

5.4.4 Wormhole and Sinkhole Attacks

Wormhole [73, 92] and sinkhole [73] attacks are two notorious attacks against WSN routing protocols that are difficult to withstand, especially when the two are used in combination.

In the wormhole attack, instead of compromising any node, collaborative adversaries first create a wormhole link, essentially an out-of-band and low-latency channel, between two distant network locations. They then tunnel routing messages recorded at one location via the wormhole link to the other, throwing the routing operations into chaos. Hu et al. [92] presented a technique called packet leashes to withstand the wormhole attack. It requires extremely tight time synchronization and is thus infeasible for most WSNs, as noted in [73]. In contrast, each node in our scheme only accepts routing messages from authenticated neighbors and will discard those tunnelled from distant locations. Therefore, the wormhole attack is effectively and efficiently thwarted.

In the sinkhole attack, compromised nodes attempt to attract all the traffic from their surrounding nodes by announcing a high-quality route to the sink or some other destinations. For example, adversaries create an invisible and fast channel between two compromised nodes A and B residing in distant network regions. Node A claims that it is one hop or a few hops away from B or other nodes close to B. By doing so, A aims to be selected by legitimate surrounding nodes as a packet relay to B or other nodes in that region. Fortunately, our scheme can withstand such sinkhole attacks against minimum-hop routing protocols. For instance, upon seeing A's advertisement of a single-hop path to node B, a legitimate node can immediately find out that A is malicious by noting that the distance between A and B is far larger than the normal transmission range R. In addition,

geographic routing protocols such as [87] have been identified in [73] as promising solutions resistant to sinkhole and wormhole attacks. The reason is that they construct the routing topology on demand using only localized interactions and geographic information. To apply such schemes, however, the location information advertised from neighboring nodes must be authenticated. We provide such a guarantee by the LBKs and the location-based neighborhood authentication scheme.

We note that our scheme itself cannot prevent sinkhole attacks against routing protocols with routing metrics such as remaining energy or end-to-end reliability. The major reason is that the authenticity of this information is very difficult to verify by cryptographic means alone. As far as we know, an effective countermeasure remains an open and challenging issue, and is an interesting topic worthy of further study.

5.5 Location-Based Filtering of Bogus Data

In this section, we first describe the bogus data injection attack. We then present a

location-based threshold-endorsement scheme (LTE) as the countermeasure. At last, we

evaluate the performance of LTE in terms of energy savings.

5.5.1 The Bogus Data Injection Attack

As mentioned before, neighborhood mutual authentication is sufficient to prevent external adversaries from injecting bogus data into the network, but will fail in the presence of internal adversaries. With a single compromised node, internal adversaries can inject arbitrary and seemingly authentic data reports into the network. Without precaution, this kind of attack may do a lot of damage to the network, e.g., causing false alarms or network traffic congestion. Even worse, it can deplete the precious energy of relaying nodes on any forwarding path to the sink, which is often tens or even hundreds of hops away from the sources of data reports. It is, therefore, important to design effective and efficient countermeasures against this attack.

Since there is no way of hindering internal adversaries from injecting bogus data, we attempt to figure out ways to mitigate their impact. Our first goal is to filter bogus data reports as early as possible before they reach the sink. Our second goal is to deter adversaries from freely fabricating the originating locations of injected bogus data reports.

Figure 5–1: Node deployment model. (Sketch: the sensor field with its lower-left corner at (X0, Y0), divided into square cells of side length r.)

We achieve the first goal by a threshold-endorsement method. That is, a data report

should be co-signed by t nodes for it to be considered authentic. A report without a

correct endorsement will be regarded as a fake one and discarded by any legitimate node

after verifying it. Our method is motivated by the observation that every point in the

sensor field should be covered by at least t nodes, known as the t-coverage problem [93].

The t-coverage property is required by many security-sensitive WSN applications such as

intrusion detection to facilitate fine-grained surveillance. In our case, adversaries will have

much greater difficulty in injecting seemingly authentic yet bogus data reports, as they now

have to compromise at least t nodes instead of only one as before.

We fulfill the second objective by embedding the location information of a data report’s

originating area in the joint endorsement it carries. To inject a bogus data report that

originates from a certain area and can survive the filtering by legitimate intermediate nodes,

adversaries must actually compromise at least t nodes holding keying material of that area.

Even so, they cannot utilize the acquired keying material to fake data reports that seem to

originate from other areas. Another benefit is that, once determining that some arriving

reports are unfiltered bogus ones, the sink can pinpoint their originating areas and then

take specific remedy actions.

Below we detail how to actually realize the above ideas.

5.5.2 Generation and Distribution of Cell Keys

To enable location-based threshold-endorsement, we propose the notion of cell keys. For the sake of simplicity, we assume that the sensor field is an $Mr \times Nr$ rectangle whose lower-left corner is at location $(X_0, Y_0)$. The sensor field is divided into $MN$ square cells of equal side length $r$. Each cell is labelled with a pair of integers < m, n >, for $1 \le m \le M$ and $1 \le n \le N$. Prior to deployment, $(X_0, Y_0)$ and $r$ are preloaded to each node. Also note that our LTE can be easily extended for use with any other node deployment model.

We define the cell key of cell < m, n > as $K_{m,n} = \kappa H(m \| n)$, which shall be used to endorse any report originating from that cell. The next question is how to distribute $K_{m,n}$ to nodes in cell < m, n >. Let $ID^i_{m,n}$ denote the $i$th node with location $l^i_{m,n}$ in cell < m, n >. The naive method of letting each $ID^i_{m,n}$ hold one copy of $K_{m,n}$ obviously suffers from single node compromise. Instead, we propose to utilize the secret-sharing technique [15] to assign a share of $K_{m,n}$ to each $ID^i_{m,n}$. The purpose is to make $K_{m,n}$ reconstructible by any $t$ nodes in cell < m, n >, while irrecoverable by any fewer than $t$ of them. To do this, prior to network deployment, the TA additionally generates a $(t-1)$-degree polynomial, $F(x) = \sum_{j=1}^{t-1} F_j x^j \in \mathbb{G}_1$, with coefficients $F_j$ randomly selected from $\mathbb{G}_1^*$.¹ It also selects another system parameter $c \le r$ whose use is explained shortly. We consider the following two cases of cell-key share distribution, depending on whether node localization is range-based or range-free (cf. Section 5.3.2).

Range-based cell-key distribution. In this approach, the leading robot is preloaded with the polynomial $F(x)$. In addition to determining a node's location, it decides that node's present cell by simple geometric calculations. Consider node $ID^i_{m,n}$ as an example. Its location $l^i_{m,n}$, i.e., $(X^i_{m,n}, Y^i_{m,n})$, will satisfy $(m-1)r \le X^i_{m,n} - X_0 < mr$ and $(n-1)r \le Y^i_{m,n} - Y_0 < nr$. Then the leading robot derives $K_{m,n} = \kappa H(m \| n)$ and a set of authenticators $\vec{V}_{m,n} = \{v^{(j)}_{m,n} \mid 0 \le j \le t-1\}$, where $v^{(0)}_{m,n} = e(K_{m,n}, W)$ and $v^{(j)}_{m,n} = e(H(F_j \| m \| n), W)$ for $1 \le j \le t-1$. Note that it just needs to do these computations once for each cell. Next, the leading robot calculates $K^i_{m,n} = \sum_{j=1}^{t-1} H(F_j \| m \| n)\,(ID^i_{m,n} \| l^i_{m,n})^j + K_{m,n} \in \mathbb{G}_1$, referred to as node $ID^i_{m,n}$'s share of $K_{m,n}$. Finally, $K^i_{m,n}$ and $\vec{V}_{m,n}$ are securely sent to node $ID^i_{m,n}$ along with $l^i_{m,n}$ and its LBK (cf. Section 5.3.2).

¹ $\mathbb{G}_1^*$ denotes the set $\mathbb{G}_1 \setminus \{O\}$, where $O$ is the identity element of $\mathbb{G}_1$.

$K_{m,n}$ can be reconstructed from any $t$ shares of it, but is irretrievable from any $(t-1)$ or fewer shares. In particular, let $T_{m,n}$ denote the number of nodes in cell < m, n > and $\Omega$ be a $t$-order subset of $\{1, \dots, T_{m,n}\}$. We can compute

$$K_{m,n} = \sum_{i \in \Omega} \lambda_i K^i_{m,n}, \tag{5.2}$$

where $\lambda_i = \prod_{j \in \Omega \setminus \{i\}} \frac{ID^j_{m,n} \| l^j_{m,n}}{(ID^j_{m,n} \| l^j_{m,n}) - (ID^i_{m,n} \| l^i_{m,n})}$. Regarding the choice of $t$, there is a tradeoff between resilience to node compromise and node density. Basically, the larger $t$, the more resilient the network is to node compromise, the higher the required node density is, and vice versa. This issue is closely related to the well-studied $t$-coverage problem [93]. We refer interested readers to [93] about how to strike a good balance between these two competing metrics.

To ensure high-level $t$-coverage of cell boundaries with regard to security, it is also important to let some nodes possess cell-key shares of adjacent cells. In particular, we require that the nodes outside a cell but within $c$ of the cell boundary also hold cell-key shares of that cell. For example, if $mr - X^i_{m,n} \le c$, node $ID^i_{m,n}$ also has the authenticator vector $\vec{V}_{m+1,n}$ and a share of cell key $K_{m+1,n}$. Likewise, if $nr - Y^i_{m,n} \le c$, it owns $\vec{V}_{m,n+1}$ and a share of $K_{m,n+1}$ as well. In addition, for the boundaries of the sensor field, it is often necessary to purposely deploy some sensors beyond the field boundaries. The choice of $c$ represents a tradeoff between cell-boundary $t$-coverage and tolerance to node compromise. The greater $c$, the higher-level $t$-coverage of cell boundaries, but the more vulnerable a cell key is to node compromise because more nodes have a cell-key share, and vice versa. Its concrete value is also germane to that of $t$ and node density.
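The cell assignment and the share construction described above, as an added worked example that is not part of the dissertation: a prime field $\mathbb{Z}_P$ stands in for the pairing group $\mathbb{G}_1$ (so there are no pairings and no authenticator vectors), the point $(ID \| l)$ at which a node's share is evaluated is hashed into the field, and the two boundary inequalities for $c$ are applied to all four sides of a cell. The modulus, hash choices, node identities and coordinates are all constructed assumptions; the Lagrange coefficients are exactly those of Eq. (5.2).

```python
import hashlib
import secrets
from typing import Dict, List, Set, Tuple

# Assumption: a prime field Z_P stands in for the pairing group G1 of the
# dissertation. The Lagrange reconstruction of Eq. (5.2) is the same algebra.
P = 2**127 - 1  # Mersenne prime used as the field modulus (constructed choice)


def cell_of(x: float, y: float, x0: float, y0: float, r: float) -> Tuple[int, int]:
    """1-based cell label <m, n>: (m-1)r <= x-x0 < mr and (n-1)r <= y-y0 < nr."""
    return int((x - x0) // r) + 1, int((y - y0) // r) + 1


def cells_with_shares(x, y, x0, y0, r, c, M, N) -> Set[Tuple[int, int]]:
    """Cells whose key share a node at (x, y) holds: its own cell, plus each
    adjacent cell whose boundary is within c. Generalises the two stated
    inequalities (mr - X <= c, nr - Y <= c) to all four sides; cells outside
    the M x N field are skipped."""
    m, n = cell_of(x, y, x0, y0, r)
    dx = (x - x0) - (m - 1) * r  # offset from the cell's left edge
    dy = (y - y0) - (n - 1) * r  # offset from the cell's bottom edge
    cells = {(m, n)}
    if r - dx <= c and m < M:
        cells.add((m + 1, n))
    if dx <= c and m > 1:
        cells.add((m - 1, n))
    if r - dy <= c and n < N:
        cells.add((m, n + 1))
    if dy <= c and n > 1:
        cells.add((m, n - 1))
    return cells


def h_to_field(*parts: str) -> int:
    """H(...) mapped into Z_P^*: SHA-256 over the '||'-joined parts (assumption)."""
    digest = hashlib.sha256("||".join(parts).encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def cell_key(kappa: int, m: int, n: int) -> int:
    """K_{m,n} = kappa * H(m || n); the G1 scalar multiplication becomes a field product."""
    return kappa * h_to_field(str(m), str(n)) % P


def eval_point(node_id: str, loc: Tuple[float, float]) -> int:
    """The share's evaluation point (ID || l), hashed into the field here."""
    return h_to_field(node_id, repr(loc))


def make_shares(key: int, t: int, points: List[int]) -> Dict[int, int]:
    """K^i = sum_{j=1}^{t-1} F_j * x_i^j + K: a degree-(t-1) polynomial whose
    free term is the cell key, evaluated at each node's point."""
    coeffs = [secrets.randbelow(P - 1) + 1 for _ in range(t - 1)]  # F_1..F_{t-1}, nonzero
    shares = {}
    for xi in points:
        acc = key
        for j, fj in enumerate(coeffs, start=1):
            acc = (acc + fj * pow(xi, j, P)) % P
        shares[xi] = acc
    return shares


def lagrange_coeff(points: List[int], i: int) -> int:
    """lambda_i = prod_{j != i} x_j / (x_j - x_i), as in Eq. (5.2)."""
    num, den = 1, 1
    for j in points:
        if j != i:
            num = num * j % P
            den = den * (j - i) % P
    return num * pow(den, P - 2, P) % P  # division via Fermat inverse


def reconstruct(shares: Dict[int, int]) -> int:
    """K = sum_{i in Omega} lambda_i * K^i over whichever shares are supplied."""
    pts = list(shares)
    return sum(lagrange_coeff(pts, i) * shares[i] for i in pts) % P


def demo(t: int = 3, nodes: int = 5) -> Tuple[bool, bool]:
    """Returns (t shares recover K_{m,n}, t-1 shares do not)."""
    kappa = secrets.randbelow(P - 1) + 1  # network master secret (constructed)
    key = cell_key(kappa, 3, 1)
    pts = [eval_point(f"ID{i}", (20.0 + i, 1.0 + i)) for i in range(nodes)]
    shares = make_shares(key, t, pts)
    enough = {x: shares[x] for x in pts[:t]}
    too_few = {x: shares[x] for x in pts[:t - 1]}
    return reconstruct(enough) == key, reconstruct(too_few) != key
```

With $t-1$ shares the interpolation still returns a field element, just not the key, which is why the scheme pairs reconstruction with the pairing-based authenticators of the text rather than trusting the result blindly.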

Range-free cell-key distribution. In this method, each node is preloaded with the polynomial $F(x)$ in addition to the network master secret $\kappa$. Consider again node $ID^i_{m,n}$ as an example. Once determining its own location $l^i_{m,n}$, it also knows that it resides in cell < m, n >. Therefore, besides generating its LBK (cf. Section 5.3.2), node $ID^i_{m,n}$ employs $\kappa$ to first derive $K_{m,n}$ and then its share $K^i_{m,n}$. Moreover, it computes the authenticator vector $\vec{V}_{m,n}$.² If within $c$ of adjacent cells' boundaries, node $ID^i_{m,n}$ should as well compute a cell-key share and the authenticator vector for each of those cells. Upon finishing all these operations, it should securely erase $\kappa$, $F(x)$ and all the complete cell keys from its memory.

5.5.3 Performing Threshold-Endorsements of Data Reports

Now we explain how to perform threshold-endorsements on data reports. Without loss

of generality, we take cell < m, n > as an example in the following description.

In general, sensor nodes generate a report when triggered by a special event such as the appearance of adversaries, or in response to a query made by the sink. Assume that such a stimulus occurs in cell < m, n > and is detected by $s \ge t$ nodes. If the event occurs close to the cell boundary, then the $s$ nodes may include nodes in different adjacent cells. To simplify our presentation, however, we assume that all of them are in cell < m, n >. By local interactions, the detecting nodes can reach a consensus on a final report, denoted by $\Lambda$ and containing application-dependent information such as the type, occurrence time and location of the event.

The detecting nodes are required to elect among themselves an aggregation point (AP). To obtain a threshold-endorsement of $\Lambda$, the AP chooses a random $\alpha \in \mathbb{Z}_q^*$ and computes $\theta = e(W, W)^\alpha$, which it broadcasts to the other detecting nodes. Upon receipt of $\theta$, each detecting node $ID^i_{m,n}$ endorses the report $\Lambda$ by computing $U^i_{m,n} = K^i_{m,n}\, h(\Lambda \| \theta)$. It then sends $U^i_{m,n}$ to the AP, encrypted and authenticated with the pairwise key shared with the AP (cf. Section 5.3.4). Once receiving over $t$ such endorsements, the AP randomly selects $t$ of the endorsers, denoted by a set $\Omega$ which may include itself. It then calculates $U_{m,n} = \sum_{i \in \Omega} \lambda_i U^i_{m,n} = K_{m,n}\, h(\Lambda \| \theta)$ (cf. Eq. 5.2) and $\Upsilon_{m,n} = U_{m,n} + \alpha W$. The threshold-endorsement of $\Lambda$ is $(\Upsilon_{m,n}, h(\Lambda \| \theta))$ and the final report is of format $<\Lambda, \Upsilon_{m,n}, h(\Lambda \| \theta)>$.

It is possible that some of the endorsers have been compromised and thus may provide the AP with falsely computed endorsements. Fortunately, our LTE scheme can well handle this situation. In particular, once deriving $U_{m,n}$, the AP is required to verify its authenticity by checking if the equation $e(U_{m,n}, W) = (v^{(0)}_{m,n})^{h(\Lambda \| \theta)}$ holds. The check should succeed for a valid $U_{m,n}$ because $e(U_{m,n}, W) = e(K_{m,n}, W)^{h(\Lambda \| \theta)}$ by the bilinearity of $e$ and $v^{(0)}_{m,n} = e(K_{m,n}, W)$. Otherwise, the AP proceeds to verify each received $U^i_{m,n}$ by checking if

$$e(U^i_{m,n}, W) = \prod_{j=0}^{t-1} \left(v^{(j)}_{m,n}\right)^{(ID^i_{m,n} \| l^i_{m,n})^j \cdot h(\Lambda \| \theta)}.$$

² The authenticators $v^{(j)}_{m,n}$ ($1 \le j \le t-1$) may be precalculated and preloaded to each node to reduce the computational overhead.

The verification works because of the following equations.

$$\begin{aligned}
e(U^i_{m,n}, W) &= e(K^i_{m,n}, W)^{h(\Lambda \| \theta)} \\
&= e\Big(\sum_{j=1}^{t-1} H(F_j \| m \| n)\,(ID^i_{m,n} \| l^i_{m,n})^j + K_{m,n},\; W\Big)^{h(\Lambda \| \theta)} \\
&= \Big(e(K_{m,n}, W) \prod_{j=1}^{t-1} e(H(F_j \| m \| n), W)^{(ID^i_{m,n} \| l^i_{m,n})^j}\Big)^{h(\Lambda \| \theta)} \\
&= \prod_{j=0}^{t-1} \left(v^{(j)}_{m,n}\right)^{(ID^i_{m,n} \| l^i_{m,n})^j \cdot h(\Lambda \| \theta)}
\end{aligned} \tag{5.3}$$

The third-line equation holds because $e$ is bilinear. If the check succeeds, the AP considers node $ID^i_{m,n}$ legitimate and compromised otherwise. In this way, the AP is able to pinpoint all the endorsers offering false endorsements and delete them from $\Omega$. Subsequently, it replenishes $\Omega$ with the corresponding number of endorsers randomly selected from the unused ones, and recalculates $(\Upsilon_{m,n}, h(\Lambda \| \theta))$. As long as there are at least $t$ legitimate endorsers, a correct threshold-endorsement can always be generated.

It is worth noting that the pinpoint-identification capability of the AP may deter the

compromised endorsers (if any) from providing false endorsements. As a result, it is highly

possible that the AP can derive an authentic threshold-endorsement in the first round. In

the light of this, we let the AP verify the individual endorsements only when the threshold-

endorsement is incorrect rather than at the beginning, thereby reducing its computational

load.

In some cases, the AP itself may be a compromised node. It may either send no final report to the sink at all, or transmit a bogus report with an incorrect $\Lambda$, a wrong $(\Upsilon_{m,n}, h(\Lambda \| \theta))$, or both. Both attacks can be easily detected by the legitimate detecting nodes which, in turn, elect a new AP among themselves to generate a new threshold-endorsement and send the final report to the sink. Also note that dealing with the latter attack requires the legitimate detecting nodes to verify the threshold-endorsement in the final report. The verifications are similar to the filtering operations by intermediate nodes on the way to the sink, which are explained in what follows.

5.5.4 Probabilistic Enroute Filtering of Data Reports

The AP sends to the sink the final report along a multi-hop path discovered via the

underlying routing protocol. Depending on different applications, end-to-end and/or link-

layer security measures can be enforced on the report transmission (cf. Sections 5.3.4 and

5.3.5). We denote by ps the sampling probability which is a system-wide parameter.

Upon receipt of a report $<\Lambda, \Upsilon_{m,n}, h(\Lambda \| \theta)>$ to be forwarded, with probability $p_s$, each intermediate node, say A, deduces the originating cell information < m, n > from the event location embedded in $\Lambda$. It then computes

$$\theta' = e(\Upsilon_{m,n}, W)\, e(H(m \| n), -W_{pub})^{h(\Lambda \| \theta)}, \tag{5.4}$$

where $W_{pub} = \kappa W$ is the public system parameter defined in Section 5.3.1. If the report is authentic, we will have

$$\begin{aligned}
\theta' &= e(\Upsilon_{m,n}, W)\, e(H(m \| n), W_{pub})^{-h(\Lambda \| \theta)} \\
&= e(K_{m,n}\, h(\Lambda \| \theta) + \alpha W, W)\, e(H(m \| n), \kappa W)^{-h(\Lambda \| \theta)} \\
&= e(K_{m,n}\, h(\Lambda \| \theta) + \alpha W, W)\, e(\kappa H(m \| n), W)^{-h(\Lambda \| \theta)} \\
&= e(K_{m,n}, W)^{h(\Lambda \| \theta)}\, e(W, W)^{\alpha}\, e(K_{m,n}, W)^{-h(\Lambda \| \theta)} \\
&= \theta.
\end{aligned} \tag{5.5}$$

Therefore, if $h(\Lambda \| \theta') = h(\Lambda \| \theta)$, node A considers the report authentic and then forwards it to the next hop. Otherwise, it regards the report as a fabricated one and simply drops it. Our LTE scheme is a simplified adaptation of the provably secure threshold version [94] of Hess's ID-based signature scheme [95].

5.5.5 Efficacy and Security Analysis

Figure 5–2: The probability $p_\mu$ of filtering one bogus report as a function of the sampling probability $p_s$ and the number $\mu$ of hops a bogus report travels. (Plot: $p_s$ from 0.1 to 0.9, $\mu$ from 1 to 19 hops, $p_\mu$ from 0 to 1.)

We first quantify the efficacy of probabilistic enroute filtering of fabricated data reports. There might be compromised nodes lying on the forwarding path to the sink which just relay bogus reports to the next hop without verifying them. Since we are only interested in the energy consumption of legitimate intermediate nodes, we merely consider a "valid" forwarding path from which compromised nodes are extracted. Given the sampling probability $p_s$, the probability that a bogus report can be detected and dropped within $\mu$ hops is $p_\mu = 1 - (1 - p_s)^\mu$, and the average number of hops a bogus report traverses is

$$\bar{\mu} = \sum_{j=1}^{\infty} j\, p_s (1 - p_s)^{j-1} = \frac{1}{p_s}. \tag{5.6}$$

Fig. 5–2 shows how pµ changes with ps and µ. We can see that, even when ps assumes a

small value, say 0.3, over 83 percent of bogus reports can be filtered within 5 hops, and less

than 3 percent of them can travel beyond 10 hops. Therefore, for large-scale WSNs often

involving very long forwarding paths, our LTE is highly effective in filtering bogus reports

during their early transmission stages, thereby saving the precious energy of legitimate

nodes.

Due to the probabilistic verifications at intermediate nodes, a bogus report might escape the filtering and reach the sink with a small probability $(1 - p_s)^{len-1}$, where $len$ indicates the forwarding path length. As the last line of defense, the sink is required to verify the threshold-endorsement of each received report and discard those failing the test.

The choice of $p_s$ represents a tradeoff between the early filterability of bogus reports and the computational overhead involved in verifying authentic reports. On the one hand, if $p_s$ is too small, a bogus report will statistically traverse more hops before being filtered. On the other hand, if $p_s$ is too large, it may incur unnecessary computational overhead on intermediate nodes in verifying authentic reports. $p_s$ can be either fixed or dynamically adjusted as time goes on. For example, if the sink receives many alarms of bogus reports from sensor nodes or detects many unfiltered bogus reports by itself during a predetermined time period, it can increase $p_s$ by a certain amount or else decrease it. The new $p_s$ can be securely conveyed to sensor nodes using a µTESLA-like [96] broadcast authentication protocol.

Our LTE scheme has strong resilience against node compromise. It guarantees that, as long as there are fewer than $t$ compromised nodes holding cell-key shares of the same cell, adversaries are unable to forge data reports that seem to originate from that cell and can escape the filtering by enroute intermediate nodes and the sink. In the worst-case scenario, adversaries may manage to compromise at least $t$ nodes with cell-key shares of the same cell. We refer to this event as cell compromise. Fortunately, adversaries can only utilize the reconstructed cell key to fabricate reports in that cell but not in other cells, due to the location-dependent nature of the cell key. Therefore, if the sink initially accepts a report with a correct endorsement but finally finds that it is a bogus one by further field investigations or other means, the sink can immediately detect the cell-compromise event and take corresponding remedy actions that are outside the chapter scope.

Adversaries might launch denial-of-service attacks by trapping legitimate nodes into endless verifications of data reports. Consequently, if a legitimate node detects too many bogus reports in a short time window, we assume that there are efficient ways for it to report such an abnormality to the sink. Another possible attack is that a compromised intermediate node may stall the reporting of real events to the sink by either directly dropping any received report or tampering with the report content before forwarding it to the next hop. This attack is orthogonal to the bogus data injection attack we focus on, but we would like to suggest several possible ways to withstand it. One way is to utilize a SPREAD-like [97] secure multipath routing protocol to transmit copies of a report along multiple disjoint paths to the sink. Another possible approach is through local monitoring enabled by the broadcast nature of radio transmissions. In particular, if an intermediate node receives a report from the previous-hop node, multiple neighbors of it can hear that packet as well. Likewise, these neighbors can overhear the packet it transmits to the next hop and thus be able to tell whether it behaves properly or not. We leave the further investigation of this issue and its combination with the bogus data injection attack to a separate chapter.

5.5.6 Performance Evaluation

In this subsection, we evaluate the performance of our LTE in achieving energy savings.

Pairing parameters. In our evaluation, the bilinear map e used is the Tate pairing

[14]. The elliptic curve E is defined over Fp, where p is a 512-bit prime. The order q of G1

and G2 is a 160-bit prime. According to [12], our chosen parameters deliver an equivalent

level of security to that of 1024-bit RSA.

We use the following method to quantify the computation time and energy consumption of the Tate pairing. We assume that the sensor CPU is a low-power high-performance 32-bit Intel PXA255 processor at 400 MHz. The PXA255 has been widely used in many sensor products such as Sensoria WINS 3.0 and Crossbow Stargate. According to [98], the typical power consumption of the PXA255 in active and idle modes is 411 and 121 mW, respectively. It was reported in [99] that it takes 752 ms to compute the Tate pairing with parameters similar to ours on a 32-bit ST22 smartcard microprocessor at 33 MHz. Therefore, the computation of the Tate pairing on the PXA255 roughly needs $33/400 \times 752 \approx 62.04$ ms, and the energy consumption $E_p$ is approximately 25.5 mJ.

Overhead analysis. For an authentic report forwarded along a $\xi$-hop path, LTE statistically involves $\xi p_s$ filtering operations, while it takes only one filtering operation to detect and dump a bogus report. A filtering operation requires one exponentiation in $\mathbb{G}_2$, one hash function evaluation and two evaluations of the Tate pairing. Due to the stationarity of sensor nodes, each sensor is more likely to forward reports from the same set of cells. As a result, each node can evaluate a limited set of values $e(H(m \| n), W_{pub})$ beforehand, each corresponding to a potential cell from which a report may come. By doing so, one of the pairing evaluations can be eliminated. As noted in [95], the pairing evaluation by far takes the most running time of a filtering operation. Thus, for the sake of simplicity, we use $E_p$ to approximate the energy consumption of an enroute filtering operation.

Figure 5–3: The comparison of $E_{sum}$ and $E'_{sum}$ as a function of the bogus traffic ratio $\rho$, where $\xi = 50$ and the optimal $p_s$'s are used. (Plot: x-axis bogus traffic ratio $\rho$ from 0 to 10; y-axis normalized energy consumption (J) from 0 to 14; curves $E_{sum}$ and $E'_{sum}$.)

Our LTE requires each report to carry a threshold-endorsement of format $(\Upsilon_{m,n}, h(\Lambda \| \theta))$ in addition to the normal fields. Since $\Upsilon_{m,n}$ is a point of $E/\mathbb{F}_p$, only one of its X and Y coordinates needs to be transmitted because the other can be easily derived using the curve equation, resulting in an overhead of 512 bits. Also assume that the hash function $h$ is implemented using SHA-1 [16] with a 20-byte output. Then the total packet overhead introduced by LTE is $L_o = 84$ bytes to achieve a level of security comparable to that of 1024-bit RSA.

Energy savings. Our LTE aims to save the energy of intermediate nodes along

the forwarding path to the sink through its early detection and dropping of bogus data

reports. On the other hand, the introduced packet overhead and the probabilistic enroute

filtering operations incur both communication and computation energy consumption. In the

following, we employ a similar model to that of [75] to analyze the energy savings caused by

LTE. For the sake of simplicity, we ignore the energy consumption of the report generation

process, which is considered to be negligible as compared to that of transmitting it to the

distant sink.

We denote by $E_{tr}$ the hop-wise energy consumption for transmitting and receiving one byte. As reported in [100], a Chipcon CC1000 radio used in Crossbow MICA2DOT motes consumes 28.6 and 59.2 µJ to receive and transmit one byte, respectively, at an effective data rate of 12.4 kb/s. Thus, we have $E_{tr} = 87.8$ µJ, which is used as an exemplary value throughout our evaluation.

We also denote by $L_n$ the byte length of an original data report without using LTE, and by $\xi$ the average number of hops an original report travels towards the sink. To simplify our evaluation, we assume that $L_n$ is fixed to be 256 bytes. We further assume that the ratio of legitimate data traffic to bogus data traffic is $1 : \rho$ and $\rho$ is called the bogus traffic ratio hereafter. As mentioned before, our LTE spends $\xi p_s$ filtering operations in verifying an authentic report, while merely one filtering operation to sift a bogus report. Let $E_{sum}$ and $E'_{sum}$ be the normalized energy consumed to deliver all the traffic without and with LTE in place, respectively. Then we have

$$E_{sum} = L_n E_{tr}\, \xi (1 + \rho), \tag{5.7}$$

and

$$\begin{aligned}
E'_{sum} &= (L_n + L_o) E_{tr} (\xi + \rho \bar{\mu}) + (\xi p_s + \rho) E_p \\
&= (L_n + L_o) E_{tr} \Big(\xi + \frac{\rho}{p_s}\Big) + (\xi p_s + \rho) E_p \\
&\ge (L_n + L_o) E_{tr}\, \xi + \rho E_p + 2\sqrt{(L_n + L_o) E_{tr}\, \rho\, \xi E_p},
\end{aligned} \tag{5.8}$$

with equality if and only if $p_s = \sqrt{\dfrac{(L_n + L_o) E_{tr}\, \rho}{\xi E_p}}$.

Fig. 5–3 compares Esum with E′sum, where the optimal ps’s are used and ξ = 50. We

can see that Esum increases dramatically along with the increase of bogus data reports,

while E′sum always maintains a rather stable level. The reason is that most bogus reports

can be detected and dropped during their early transmission stages with LTE in place. In

addition, when there is no bogus traffic, our LTE increases the energy consumption by about

32 percent due to the introduced packet overhead. However, when the bogus traffic starts

to exceed the legitimate traffic, LTE demonstrates growingly remarkable energy savings.

For example, when ρ = 2 and 5, our LTE saves more than 37 and 63 percent of energy,

respectively.
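The filtering statistics of Eq. (5.6) and the energy model of Eqs. (5.7) and (5.8), as an added worked example that is not part of the dissertation: it evaluates $p_\mu$, the expected hop count (with a Monte Carlo check of the geometric model), $E_{sum}$, $E'_{sum}$ and the optimal $p_s$, and reproduces the 32 percent overhead at $\rho = 0$ and the 37 and 63 percent savings at $\rho = 2$ and $5$ quoted above. The parameter values are the chapter's own ($L_n = 256$, $L_o = 84$, $E_{tr} = 87.8$ µJ, $E_p = 25.5$ mJ, $\xi = 50$); the function names are constructed.

```python
import math
import random

# Parameter values from the chapter's evaluation (Section 5.5.6), used as constants here.
LN = 256        # bytes of an original report
LO = 84         # bytes of LTE overhead: one 512-bit point coordinate + 20-byte hash
ETR = 87.8e-6   # J to receive and transmit one byte over one hop (CC1000 figures)
EP = 25.5e-3    # J per filtering operation, approximated by one Tate pairing on a PXA255
XI = 50         # average forwarding path length in hops


def p_filtered_within(ps: float, mu: int) -> float:
    """p_mu = 1 - (1 - ps)^mu: probability a bogus report is dropped within mu hops."""
    return 1.0 - (1.0 - ps) ** mu


def expected_hops(ps: float) -> float:
    """Mean hops a bogus report travels, Eq. (5.6): sum_j j*ps*(1-ps)^(j-1) = 1/ps."""
    if not 0.0 < ps <= 1.0:
        raise ValueError("ps must be in (0, 1]")
    return 1.0 / ps


def simulate_hops(ps: float, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of Eq. (5.6): each legitimate relay verifies with probability ps."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        hops = 1
        while rng.random() >= ps:  # relay forwards without checking
            hops += 1
        total += hops
    return total / trials


def e_sum(rho: float, xi: float = XI) -> float:
    """Eq. (5.7): energy without LTE when legitimate:bogus traffic is 1:rho."""
    return LN * ETR * xi * (1.0 + rho)


def e_sum_lte(rho: float, ps: float, xi: float = XI) -> float:
    """Eq. (5.8): bogus reports travel 1/ps hops on average and cost one filtering
    each; an authentic report costs xi*ps filterings along its xi hops."""
    bogus_hops = rho / ps if rho > 0 else 0.0
    return (LN + LO) * ETR * (xi + bogus_hops) + (xi * ps + rho) * EP


def optimal_ps(rho: float, xi: float = XI) -> float:
    """Equality point of the AM-GM bound in Eq. (5.8)."""
    return math.sqrt((LN + LO) * ETR * rho / (xi * EP))


def savings(rho: float, ps: float = None, xi: float = XI) -> float:
    """Fractional energy saved by LTE; negative means LTE costs more (e.g. rho = 0)."""
    if ps is None:
        ps = optimal_ps(rho)
    return 1.0 - e_sum_lte(rho, ps, xi) / e_sum(rho, xi)


if __name__ == "__main__":
    for rho in (0, 2, 5):
        print(f"rho={rho}: optimal ps={optimal_ps(rho):.3f}, savings={savings(rho):.1%}")
```

The same functions reproduce Fig. 5–4 by passing a fixed `ps` to `savings` instead of letting it pick the optimum, and Fig. 5–5 by varying `xi`.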

In most WSN applications, data delivery is event-driven and legitimate traffic occurs

only when some events of interest appear in the sensor field. In contrast, to increase the

impact of their attacks, adversaries often inject into the network a large amount of bogus

traffic, which is often several orders of magnitude greater than that of legitimate traffic [75].

Figure 5–4: The comparison of $E_{sum}$ and $E'_{sum}$ as a function of the bogus traffic ratio $\rho$, where $\xi = 50$ and non-optimal $p_s$'s are used. (Plot: x-axis bogus traffic ratio $\rho$ from 0 to 10; y-axis normalized energy consumption (J) from 0 to 14; curves $E_{sum}$ and $E'_{sum}$ for $p_s = 0.1$, $0.2$ and $0.3$.)

Our LTE is particularly useful for these scenarios in saving a great deal of energy by early

filtering bogus data reports.

In reality, it is often difficult to obtain an accurate estimate of the bogus traffic ratio $\rho$. Therefore, to some extent, Fig. 5–3 reflects the upper-bound performance of our LTE. There are two possible ways to approach this upper bound. In the first approach, the sink estimates the current $\rho$ based on the received reports and possible alarms from sensor nodes. It then derives the optimal sampling probability $p_s$, which is conveyed to sensor nodes using a µTESLA-like [96] broadcast authentication protocol. The other approach is for each node itself to estimate $\rho$ as the ratio of bogus traffic to legitimate traffic in the total traffic sampled during a certain period. Then it can compute the new $p_s$ that is locally optimal for itself.

Even without using an optimal $p_s$, the energy savings resulting from our LTE are still remarkable. Fig. 5–4 depicts the case in which non-optimal values of $p_s$ are used. The advantages of using our LTE are quite obvious under all three sampling probabilities. Another observation is that, when $\rho$ becomes larger, $p_s$ should be increased as well in order to filter bogus data reports as early as possible. Likewise, the new $p_s$ can either be determined by the sink as a network-wide common value, or be decided individually by each node based on its local observations.

Figure 5–5: The comparison of $E_{sum}$ and $E'_{sum}$ as a function of the average path length $\xi$, where $\rho = 2$ and $p_s = 0.2$. (Plot: x-axis average path length $\xi$ (hop) from 0 to 100; y-axis normalized energy consumption (J) from 0 to 7; curves $E_{sum}$ and $E'_{sum}$.)

Next we investigate the impact of the average path length ξ on the energy-saving

performance of LTE. As can be seen from Fig. 5–5, the further the originating cells of

bogus data reports are away from the sink, the more energy savings our LTE can achieve.

We note that adversaries may inject bogus data reports to consume the energy resources of

the nodes that are only several hops away from the sink. For this case, our LTE might not

achieve the desirable objective because the energy savings from early filtering bogus reports

may be offset by the energy consumption incurred by our scheme. However, bogus reports

injected in the distant cells away from the sink are much more detrimental than those

injected in the sink’s vicinity because their transmissions involve many more intermediate

nodes. In addition, we believe that it is much easier for the sink to detect the bogus data

injection attack mounted in its vicinity than in the distant cells.

5.6 Related work

Recent years have witnessed growing interest in sensor network security. Due to space

limitations, here we merely discuss prior art that is more germane to this chapter.

How to set up a pairwise shared key between two sensors is the topic that has by far attracted the most attention. As a pioneering solution, Eschenauer and Gligor propose a

probabilistic key pre-distribution scheme [78]. The main idea is to preload each sensor with

a random subset of keys from a global key pool in a way that any two nodes can share at


least one common key with a certain probability. This scheme has been improved later by

several other proposals such as [79, 80, 81] in terms of network connectivity, memory usage

and resilience against node compromise, among others. Unfortunately, these probabilistic

schemes suffer from a few drawbacks that may limit their potential in large-scale WSNs

demanding a high level of security.

First of all, as noted in [101], these schemes are vulnerable to node compromise attacks in that adversaries who have compromised sufficiently many nodes can also obtain a large fraction of the pairwise keys shared between non-compromised nodes. Second, they are subject to all the attacks discussed in Section 5.4. Third, they are designed to establish pairwise shared keys among neighboring nodes. As a result, they are both inefficient and insecure in setting up a pairwise key shared between two non-neighboring nodes, or between two neighboring nodes without a priori shared knowledge. Fourth, most of them fail to provide secure neighborhood authentication, which is a prerequisite for guaranteeing link-level security. Although the random pairwise keys scheme in [79] offers mutual authentication between two neighbors holding a pre-loaded pairwise key, the cost is a much restricted supportable network size [74]. Fifth, these schemes all have an upper limit on the network size and often require each node to store tens or even hundreds of keys, leading to poor network scalability. Last, none of them offers support for non-repudiation of digital signatures, which is one of the fundamental security requirements.

Compared with the above schemes, ours enable deterministic, secure and efficient establishment of a shared key between any two network nodes, be they immediate neighbors or multiple hops apart. Our IPK and MPK establishment methods both have perfect resilience against node compromise because they rely on the private LBKs of individual nodes. In addition, our schemes not only limit the impact of compromised nodes to their vicinity, but also withstand other notorious attacks such as those mentioned in Section 5.4. Moreover, our schemes provide secure location-based neighborhood authentication and support non-repudiation of digital signatures. Furthermore, our schemes merely require each node to store its own IBK and LBK, and allow the addition of an arbitrary number of new nodes.


Some other proposals [82, 83, 84, 85] use known deployment information to facilitate more secure and efficient pairwise key establishment. These solutions still belong to the category of probabilistic schemes, and thus suffer from some or even all of the aforementioned drawbacks. In addition, none of them uses the concrete geographic locations of individual nodes. More recently, Lazos et al. [102] present a location-based solution to the wormhole attack. This solution addresses neither the establishment of multi-hop pairwise keys nor node addition (i.e., network scalability).

Aside from the probabilistic schemes, another notable work, LEAP, is proposed by Zhu et al. in [90]. In LEAP, each node is preloaded with a global shared secret, through which it can authenticate neighboring nodes and establish pairwise shared keys with them once deployed. However, the MPK establishment method of LEAP suffers from both significant communication overhead and vulnerability to the compromise of intermediate nodes. In addition, LEAP does not support non-repudiation of digital signatures.

We are aware of two existing solutions to the bogus data injection attack, namely SEF [75] and IHA [76]. Both achieve the same energy-saving objective as our LTE by detecting and dropping bogus reports as early as possible. However, adversaries who have compromised nodes carrying keys from t different key partitions can render SEF completely useless, as noted in [75]. Likewise, IHA breaks down once adversaries compromise more than t nodes, since they are then able to forge data reports that appear to originate from arbitrary network locations. In a large-scale WSN with many more than t nodes, it seems unlikely that adversaries can be prevented from compromising more than t nodes. In addition, IHA incurs considerable communication overhead in maintaining the per-route interleaved structure of nodes, as compared to both SEF and our LTE. By contrast, our LTE localizes the impact of compromised nodes to their vicinity owing to its location-dependent nature: it tolerates the compromise of up to (t − 1) nodes holding cell-key shares of the same cell, and hence of many more nodes across the whole network. Therefore, our LTE exhibits much better compromise tolerance than both SEF and IHA.

There is much other related work in sensor network security. Carman et al. [103] investigate the performance of a number of key management schemes over different hardware


platforms. Basagni et al. [77] utilize tamper-resistant hardware in periodically updating

the key shared by all the nodes. Perrig et al. [96] propose SNEP, a protocol for data

confidentiality and two-party data authentication, and µTESLA, a protocol for broadcast

data authentication. µTESLA is further improved by Liu and Ning in [104]. Przydatek et

al. [105] construct efficient random sampling mechanisms and interactive proofs to ensure

secure information aggregation in WSNs. Karlof and Wagner [73] discuss various attacks

against existing sensor network routing protocols and point out some possible solutions.

Newsome et al. [74] analyze in detail the impact of the Sybil attack on sensor networks and

propose several defenses.

5.7 Discussion

In this section, we discuss the use of symmetric-key vs. public-key cryptography (PKC)

in WSNs.

It was a common belief that PKC is too complex, slow and power hungry, and thus

ill-suited for use in resource-constrained WSNs. For this reason, PKC has often been ruled

out for securing WSNs and most previous proposals such as [78, 79, 80, 81, 82, 83, 84, 85]

are purely based on symmetric-key cryptography. However, many researchers [106, 107,

108, 109, 100] have recently challenged this belief by showing that traditional PKC such as

RSA or elliptic-curve cryptography is rather viable in WSNs.

Moreover, we have mentioned previously that pure symmetric-key solutions have a number of drawbacks due to the inherent limitations of symmetric-key cryptography. In addition, they may not be as energy efficient as they are claimed to be. For example, most of the probabilistic key pre-distribution schemes such as [78, 79, 80, 81] require a secure “puzzle-solving” method to set up a shared key between two neighboring nodes. In particular, one node broadcasts a key-discovery message containing a challenge α and m ciphertexts $\{\alpha\}_{k_i}$ for i = 1, ..., m, where each $k_i$ is a potential pairwise key that the other node may hold. If the other node can correctly decrypt any of the m ciphertexts, it can establish a pairwise key with the broadcasting node. Since there are often several tens or even hundreds of potential pairwise keys, the total energy consumed by communication and by symmetric-key encryption and decryption may already exceed that of a public-key solution. Therefore, we believe that it is both necessary and


feasible to design public-key solutions for security-sensitive WSNs to establish shared keys

for subsequent use with efficient symmetric-key algorithms.
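The following Python script is an added illustration, not code from the dissertation, of two claims made above: the node-compromise weakness of random key pre-distribution noted in Section 5.6, and the cost of the challenge-based key-discovery step described in this section. The key pool, the node rings, the 16-byte challenge and nonce lengths, and the deployment used in the simulation are all constructed for the example; the cipher is an HMAC-SHA256 keystream stand-in rather than a real block cipher, so that the script runs on the standard library alone.

```python
"""Added example (not part of the dissertation): Eschenauer-Gligor style
random key pre-distribution, showing (a) the challenge-based key-discovery
"puzzle" and what it costs in bytes and symmetric-key operations, and
(b) how capturing a few nodes exposes keys shared by uncompromised nodes.
The cipher is a stand-in (HMAC-SHA256 keystream XOR), not a block cipher."""

import hashlib
import hmac
import random
import secrets

CHALLENGE_LEN = 16  # bytes of the challenge alpha (assumption)
NONCE_LEN = 16      # bytes of the per-message nonce (assumption)


def make_key_pool(pool_size):
    """Constructed, deterministic key pool: key i = SHA-256('pool-key-i')."""
    return [hashlib.sha256(b"pool-key-%d" % i).digest() for i in range(pool_size)]


def encrypt(key, nonce, msg):
    """Stand-in symmetric cipher: XOR msg with a PRF keystream derived from key."""
    keystream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(m ^ k for m, k in zip(msg, keystream))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def key_discovery_message(ring):
    """Sender: broadcast a fresh challenge alpha plus {alpha}_k for every key k
    in its ring (ring maps pool index -> key bytes).  Key indices are not sent,
    so nothing about the ring leaks.  Returns (message, number of encryptions)."""
    alpha = secrets.token_bytes(CHALLENGE_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertexts = [encrypt(ring[idx], nonce, alpha) for idx in sorted(ring)]
    return (alpha, nonce, ciphertexts), len(ciphertexts)


def message_bytes(msg):
    """Air-time cost of one key-discovery broadcast, in bytes."""
    alpha, nonce, cts = msg
    return len(alpha) + len(nonce) + sum(len(c) for c in cts)


def find_shared_key(ring, msg):
    """Receiver: try every own key against every ciphertext.  A decryption that
    yields alpha proves the key is shared.  Returns (index or None, trials)."""
    alpha, nonce, cts = msg
    trials = 0
    for ct in cts:
        for idx in sorted(ring):
            trials += 1
            if decrypt(ring[idx], nonce, ct) == alpha:
                return idx, trials
    return None, trials


def run_key_discovery(sender_ring, receiver_ring):
    """One discovery round: (shared index or None, bytes sent,
    sender encryptions, receiver decryption trials)."""
    msg, enc_ops = key_discovery_message(sender_ring)
    idx, dec_ops = find_shared_key(receiver_ring, msg)
    return idx, message_bytes(msg), enc_ops, dec_ops


def fraction_of_links_exposed(pool_size, ring_size, compromised):
    """Expected fraction of link keys between two uncompromised nodes that an
    adversary learns after capturing x random rings of m keys from a pool of
    P: a key survives only if no captured ring holds it, so 1 - (1 - m/P)^x."""
    return 1.0 - (1.0 - ring_size / pool_size) ** compromised


def random_rings(pool_size, ring_size, n_nodes, seed=1):
    """Constructed deployment: node n -> sorted list of its pool indices."""
    rng = random.Random(seed)
    return {n: sorted(rng.sample(range(pool_size), ring_size)) for n in range(n_nodes)}


def simulate_exposed_links(rings, compromised):
    """Measured counterpart of fraction_of_links_exposed.  Each pair of
    uncompromised nodes sharing a key forms a link keyed by its lowest common
    index (fixed tie-break); the link is exposed if a captured ring holds it."""
    captured = set()
    for n in compromised:
        captured.update(rings[n])
    alive = [n for n in rings if n not in compromised]
    links = exposed = 0
    for i, a in enumerate(alive):
        for b in alive[i + 1:]:
            common = set(rings[a]) & set(rings[b])
            if not common:
                continue
            links += 1
            if min(common) in captured:
                exposed += 1
    return exposed / links if links else 0.0
```

For two nodes with five-key rings that share one key, the broadcast carries 16 + 16 + 5·16 = 112 bytes, the sender encrypts five times and the receiver performs up to 25 trial decryptions; with rings of tens or hundreds of keys these counts grow as m on the sender and as m × m′ on the receiver, which is the overhead the paragraph above weighs against a single public-key operation. The analytic function reproduces the standard (1 − m/P)^x resilience estimate for the node-compromise drawback listed in Section 5.6, and the simulation measures the same quantity on a constructed deployment.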

Our proposed schemes are public-key solutions built upon pairing-based IBC, which is more appropriate than traditional PKC for WSNs because it eliminates the need for transmitting and verifying conventional public-key certificates. As an emerging technique, IBC is under rapid development. For example, according to the recent result in [23], the Tate pairing can be evaluated up to 10 times faster than in previously reported implementations. We are also aware of efficient implementations of the Tate pairing on smartcards [99], PDAs [110] and FPGAs [111]. Implementing the pairing on real sensor node hardware is part of our ongoing work.

5.8 Summary

To counteract the impact of compromised nodes, this chapter presents a comprehensive

set of location-based compromise-tolerant security mechanisms for WSNs. We first propose

the notion of location-based keys (LBKs) by binding private keys of individual nodes to both

their IDs and concrete geographic locations. We then develop an LBK-based neighborhood

authentication protocol which is able to constrain the impact of compromised nodes to their

vicinity. We also present efficient methods to set up pairwise shared keys between any two

network nodes, be they direct neighbors or multi-hop away. In addition, we demonstrate

the capability of LBKs in withstanding some notorious attacks against WSNs. Moreover,

we design a location-based threshold-endorsement scheme (LTE) to filter bogus traffic in-

jected by adversaries during their early transmission stages. The remarkable energy savings

resulting from LTE have been confirmed by detailed performance evaluation.

As future research, we plan to evaluate the performance of the proposed schemes on real sensor platforms. We also intend to further investigate the potential applications of LBKs in WSNs, such as misbehavior detection, secure distributed storage, secure routing, and target tracking.


CHAPTER 6

ATTACK-RESILIENT SECURE AUTHENTICATION AND BILLING IN WIRELESS MESH NETWORKS

6.1 Introduction

Wireless mesh networks (WMNs) are increasingly recognized as ideal solutions to ubiquitous last-mile high-speed Internet access. A typical WMN has a layered structure, as shown in Fig. 6–1. The first layer consists of access points (APs), which are high-speed wired Internet entry points. At the second layer, stationary mesh routers form a multi-hop backbone via long-range high-speed wireless techniques such as WiMAX [112]. The wireless backbone connects to the wired APs at some mesh routers through high-speed wireless links, and provides multi-hop wireless backhaul between the wired APs and the mesh clients (i.e., end users) at the lowest layer.1 Mesh clients, whether at rest or in motion, can access the network either by a direct wireless link to a nearby mesh router or through a chain of other clients to a mesh router out of reach. WMNs represent a unique marriage of the ubiquitous coverage of wide-area cellular networks with the ease and speed of local-area Wi-Fi networks. Other notable advantages of WMNs include low deployment cost, self-configuration and self-maintenance, good scalability and high robustness [1]. Consequently, WMNs have sparked a surge of research, development and standardization activities, for which we refer to [1] for a comprehensive survey. Numerous commercial and experimental WMNs are in use or under development all over the world, ranging from metro-scale broadband city networks [113] to medium-scale and small-scale community and neighborhood networks [114, 115, 116].

Security is one of the main barriers to wide-scale deployment of WMNs, but has gained

little attention so far. The necessity for security in large-scale WMNs can be best illustrated

1 We use “client” and “user” as synonyms throughout the chapter. We will not distinguish between the user and the device either.


[Figure 6–1 diagram: Internet; access points; mesh routers; mesh clients; wired and wireless connections.]

Figure 6–1: A typical three-tiered wireless mesh network architecture.

by the following example. Suppose David wishes to retrieve some important documents from

his corporate network back in Miami via a local WMN in Philadelphia where he is on a

business stay. On the one hand, the serving WMN has to corroborate the identity of David

to avert fraudulent use of network resources; on the other hand, David might as well want

to authenticate the serving WMN to prevent an attacker from impersonating a legitimate

WMN to obtain confidential information from him. Other security concerns may include

the location privacy of David, passive eavesdropping, denial-of-service (DoS) attacks, and

so forth. We will dwell on the security requirements of WMNs in Section 6.2.1.

The security of nomadic users and the serving wireless networks has been studied

extensively in the past. Elegant solutions are available in the contexts of Global System

for Mobile Communications (GSM) [117], Personal Communication Systems (PCSs) [118],

Universal Mobile Telecommunication System (UMTS) [119, 120], and Mobile IP networks

[121], among others. Despite their differences in specifics, these schemes all depend on a

home/foreign-domain model. Specifically, each user has a home network domain where he2

is registered on a long-term basis and account information is maintained. Each time the user

roams into a foreign network domain, his home domain is contacted for his credentials to

authenticate him. Subsequently, the foreign domain reports the amount of service consumed

2 No gender implication.


by the user to his home domain which, in turn, pays the foreign domain and charges the user

an amount commensurate with his usage. We argue that such solutions are less suitable for

future large-scale WMNs due to at least the following reasons.

First, a bilateral service level agreement (SLA) has to be set up between each pair of network operators to permit user roaming between them. Establishing such SLAs may be a relatively easy task in cellular networks, where the operators are comparatively few in number. Due to the easy-deployment nature of WMNs, however, future large-scale WMNs are expected to comprise numerous WMN domains, each administered by an independent operator [1]. Unlike a cellular operator, which is often of nation-wide or larger scale, a WMN operator may be of community, section, metro or larger scale. Consequently, the number of WMN operators will be much larger than that of cellular operators, which renders it less feasible to establish pairwise bilateral SLAs among them.

Second, the above solutions all involve a potentially time-consuming and expensive execution of an authentication protocol among a user, his home domain and the foreign domain. As the user base grows, the overall authentication signalling overhead becomes significant. In addition, given the high-speed wireless link, the authentication latency may be unacceptable for some short-lived data applications. Assume, for example, that a mesh client connects to a mesh router via an 802.11a/g link with a raw rate of up to 54 Mb/s. It may take the client only a few seconds to download several MP3 music files, a session too short to tolerate a lengthy authentication exchange. This makes it highly desirable to minimize the authentication delay.

Third, under conventional solutions, mesh routers become very attractive targets and network entry points for DoS or distributed DoS (DDoS) attacks. For example, an attacker continuously sends fake authentication requests to a mesh router which, in turn, has to contact the home domains of the impersonated or even non-existent users. If many colluding attackers launch this type of attack simultaneously, the resulting authentication signalling traffic will severely interfere with normal network signalling and data traffic.

Last, conventional solutions fail to take into account the multi-hop communication paradigm of WMNs, as well as the communication security among mesh clients within the coverage of the same mesh router.


The limitations of conventional solutions necessitate the development of a new security architecture to cope with the unique requirements of WMNs. In this chapter, we address this need by proposing UPASS, a secure authentication and billing architecture that enables seamless roaming and ubiquitous network access in future large-scale multi-hop WMNs. UPASS stems from an all-too-familiar scenario in real life. A user first applies for a credit card with a bank, whereby he can buy goods at any merchant accepting credit cards. Merchants need not establish agreements with each other, but only need a trust relationship with one or a few banks that accept payments from credit-card users and pay merchants. If we regard each merchant as a distinct WMN domain, a user’s purchases at different merchants can be viewed as his roaming across various WMN domains. This natural analogy motivates us to adopt the mature credit-card-based business model in designing UPASS.

The players in UPASS are brokers, users and WMN operators, whose relationship is analogous to that among a bank, a credit-card user and a merchant. Each user acquires a universal pass from a broker, whereby he enjoys ubiquitous WMN access. Once it has authenticated a pass, a WMN operator can grant access to the pass holder without fear of not being paid later. Compared with conventional home/foreign-domain solutions, UPASS does not require WMN operators to establish pairwise bilateral SLAs. Rather, each WMN operator merely needs an agreement with one or a few brokers, whose number is expected to be much smaller than that of WMN operators worldwide. In addition, mutual authentication and key agreement (AKA) between a mesh client and the serving WMN domain involves only local interactions, without the real-time involvement of the corresponding broker. This is particularly beneficial for reducing authentication signalling overhead and latency. Furthermore, UPASS supports efficient pairwise AKA among mesh clients present in the same WMN domain. UPASS is also designed to be resilient to various attacks, including the location privacy attack, the denial-of-access attack, the bogus-beacon flooding attack and the bandwidth-exhaustion attack.

As far as we know, our UPASS is the first attempt to address the security of WMNs. It

provides a solid foundation on which to solve other security issues in WMNs such as secure

routing and medium access control (MAC). Since the research and development of WMNs


are still in their very early stage, we believe that UPASS has a high potential of becoming

an important component of future large-scale WMNs.

The rest of this chapter is organized as follows. Section 6.2 describes the unique security

requirements of WMNs and the attacker model under consideration. Next, we present the

network architecture and some system models, followed by a detailed illustration of the

AKA process. In Section 6.5, we identify a few severe attacks against WMNs and provide

the related countermeasures. Section 6.6 presents an incontestable billing scheme. We then

discuss several other important issues in Section 6.7 and summarize this chapter.

6.2 Preliminaries

6.2.1 Security Requirements of WMNs

Throughout the chapter, we refer to the combination of the multi-hop wireless backbone, the wired APs and any other WMN operator equipment as the infrastructure. We also use the term “mesh” to denote a subnet comprising a mesh router and the mesh clients it covers. From a high-level point of view, we identify the following security requirements of WMNs:

• Infrastructure security: This means the security of signalling and data traffic transmitted over the infrastructure.

• Network access security: This indicates the communication security between a mesh client and a mesh router. It may also involve the communication security among mesh clients served by the same mesh router, if the route between a client and a router spans multiple hops.

• Application security: This refers to the security of mesh clients’ concrete data applications.

Among them, infrastructure security is relatively easy to achieve since the infrastruc-

ture is under the full control of a WMN operator and the network elements of the in-

frastructure are typically stationary. Application security can also be easily achieved via

high-layer security mechanisms such as IPsec, TLS or VPNs. By contrast, network access

security is much more difficult to ensure than the other two. One major reason is that mesh

routers are designed to accept open access requests by most likely unknown mesh clients.

Other notable causes include open access to the wireless channels and the dynamic network

topology caused by the mobility of mesh clients. For lack of space, we focus on investigating


network access security in this work, and leave the exploration of the other issues as future

work.

With respect to network access security, we recognize the following specific require-

ments, which are, however, not necessarily a complete list:

1. Router-client authentication: A mesh router should authenticate a requesting client to prevent unauthorized network access. The client should also authenticate the router to reject bogus mesh routers set up by attackers.

2. Router-client key agreement : The mesh router and the client should establish a shared

key to encrypt and authenticate radio messages transmitted between them.

3. Client-client authentication: This is required when one client forwards another’s traffic to and from the mesh router. In general, a client should forward traffic only for other legitimate clients, so that it can be properly remunerated later.

4. Client-client key agreement : If needed, two mesh clients should establish a shared key

whereby to encrypt and authenticate the traffic between them.

5. Location privacy : No entity other than a mesh client himself and a responsible location

management authority (if any) should know both the real identity and the current

location of the mesh client.

6. Signalling authentication: The signalling data broadcast by a mesh router should

always be authenticated to be distinguishable from those announced by an attacker.

7. Service availability : A mesh router must be protected from DoS attacks and offer

always available services.

8. Incontestable billing : A mesh client should just pay what he ought to pay, while

a WMN operator, as well as those clients forwarding traffic for others, receives the

amount commensurate with the offered service.

9. Secure routing : The routing protocol used inside a mesh should be secured against

attacks.

10. Secure MAC : The MAC protocol employed within a mesh must be resilient to attacks.

We do not aim in this chapter to address all these requirements satisfactorily, but concentrate on solving the first eight. These efforts will offer a solid foundation for addressing the remaining issues.


6.2.2 Attacker Model

We assume that an attacker has necessary hardware, such as a laptop equipped with a

wireless networking card, to overhear the radio transmissions and inject arbitrary messages.

The attacker may be much more capable than regular mesh clients in terms of memory,

energy supply, and communication and computation capacities. We, however, assume that

he cannot break any cryptographic algorithm on which we base our design. Otherwise, he

can obviously break any security mechanism in place.

An attacker can launch various attacks to jeopardize the fulfillment of the aforemen-

tioned security requirements. The simplest form of attack he can launch is to jam the

wireless medium by continuously broadcasting a large number of garbage packets. Such

radio jamming attacks are widely believed to be not addressable through cryptographic

means alone [122]. One possible non-cryptographic solution is for a WMN operator to use

some specialized instruments to locate the radio jamming source and then resort to law enforcement agencies for assistance in catching the attacker. We also refer interested readers to [122] for other countermeasures against radio jamming. For the purposes of this chapter, however, we do not consider this attack further.

6.3 System Models and Notation

In this section, we present the network, trust and pass models adopted in our UPASS,

as well as the notation used.

6.3.1 Network Model

Future large-scale WMNs are expected to consist of a large number of WMN domains of

different scales. Each WMN domain is operated by an independent operator and composed

of a certain number of meshes, either physically adjacent or non-adjacent. For example, a

WMN operator may own meshes in multiple cities or only in one city section. WMN domains

may overlap with each other, and whether or not neighboring domains are connected solely

depends on operator policies.

In general, a mesh router has much more powerful computation and communication

capacities and abundant other resources than regular mesh clients. It is, therefore, rea-

sonable to assume that a mesh router sends packets in one hop to all mesh clients in its


coverage. By contrast, a mesh client may transmit packets in one hop or multiple hops

to a mesh router within or beyond his transmission range. As noted in [123], a single-hop

downlink can be highly beneficial. First, mesh clients can save their scarce energy, as there

is no need to relay downlink packets. Second, a single-hop downlink can greatly facilitate

the transmissions of control signalling packets from the mesh router to all mesh clients.

Last, it makes the radio resource allocation performed by the mesh router much easier to implement. Note, however, that UPASS can easily be extended for use in symmetric WMNs with both multi-hop uplinks and downlinks.

It is worth pointing out that communications to and from a mesh router will be the

major traffic pattern within a mesh. This is in line with the target use of WMNs, namely,

relaying end users’ traffic to and from the wired Internet. Such a unique traffic pattern

would significantly reduce the routing complexity from mesh clients’ point of view. The

reason is that they only need to maintain a route to the mesh router instead of one route

to each other client in the same mesh.

To make UPASS independent of the underlying network implementations, we do not

specify the MAC and routing protocols in use. Interested readers are referred to [1] for a

detailed survey of candidate schemes.

6.3.2 Trust Model

The trust model of our UPASS is composed of a number of trust domains, each managed by a broker or WMN operator. To enjoy ubiquitous WMN access, each mesh client first has to register with at least one broker, which in turn issues an electronic universal pass to the client. A client enrolled with more than one broker accordingly owns multiple passes. Each WMN operator is also required to have a trust relationship with one or a few brokers, and grants network access to mesh clients holding valid passes issued by its trusted broker(s). In fact, one may view brokers as regular banks with which both mesh clients and WMN operators have opened accounts. We assume that brokers are fully trusted by both clients and operators, whereas a client and an operator usually do not place full trust in each other.

The above trust model fits in well with ubiquitous Internet access via WMNs. Mesh

clients see the advantage of being able to get on-demand network access by any WMN


operator. The operators are relieved of the heavy burden of establishing pairwise bilateral SLAs with potentially many other operators. Instead, each of them just needs a trust relationship with certain broker(s), whose number is expected to be much smaller than that of WMN operators. Furthermore, the operators have all mesh clients as potential customers, in contrast to the home/foreign-domain model, where a user is locked to a specific operator once he signs an agreement. The brokers can profit by deducting fees from an operator’s credit or adding fees to a client’s charge. They may also impose entry or subscription fees on mesh clients and operators for participation in their trust systems.

6.3.3 Notation

We denote by Bi and Oi the ith broker and WMN operator, respectively. We use Ci,j to indicate the unique identifier of client j enrolled with Bi. Typically, Ci,j is of the standard format “userName@brokerName” [124]. In addition, Ri,j refers to the unique identifier of mesh router j of Oi, which is of the same format “routerName@operatorName”. We denote by PASSCi,j the pass of Ci,j and by KCi,j a pass-based key (pass-key for short), both issued by Bi to Ci,j. Likewise, PASSRi,j and KRi,j denote the router pass and pass-key, respectively, which Ri,j obtains from operator Oi. Furthermore, $(\mathrm{PASS}^{O_i}_{C_{i,j}}, K^{O_i}_{C_{i,j}})$ refers to a temporary client (pass, pass-key) pair that Oi issues to a served client Ci,j.

We will also use the following cryptographic primitives. hk(M) refers to the keyed message integrity code (MIC) of message M under key k, where h is a fast one-way hash function such as SHA-1 [16] (SHA-1 is now considered weak, and a current deployment would substitute SHA-256 in an HMAC construction); $\{M\}_k$ means encrypting message M under key k with a symmetric-key algorithm; Epk(M) denotes IBC encryption of message M under public key pk; Ssk(M) denotes message M together with its IBC signature under private key sk. We refer to [125] for a number of elegant IBC encryption and signature schemes.

6.3.4 Trust-Domain Initialization

A crucial issue in UPASS is the design of passes, through which a mesh client and

a serving WMN can achieve mutual authentication and key agreement. It is natural to

consider using digital certificates as passes. The most commonly-used X.509 certificate

[126] is, however, about 1 KB in length, which might translate to a significant bandwidth

overhead incurred in transmitting them. To make as short a pass as possible, we propose


to utilize the emerging IBC. For this purpose, we require the administrator of each trust

domain to perform the following domain-initialization operations:

1. Generate the pairing parameters $(q, G_1, G_2, e, P, H_1)$, where P is a generator of $G_1$, and $H_1$ is a hash function mapping given strings to non-zero elements in $G_1$.

2. Pick a random $\beta \in \mathbb{Z}_q^*$ as the domain-secret whereby to compute a domain-public-key as $P_{\mathrm{pub}} = \beta P$.

We define the public trust-domain parameters as follows:

$$\text{domain-params} := \langle \text{group-params}, \text{domain-public-key} \rangle := \langle (q, G_1, G_2, e, P, H_1), P_{\mathrm{pub}} \rangle$$

The domain administrator must keep β confidential, while making domain-params publicly

known. Like the Diffie-Hellman group parameters used in IPsec [127], group-params can be standardized by such organizations as the IETF. This would make it possible to use a well-known

short index in place of group-params. In contrast, β and Ppub should be unique to each trust

domain. Also note that it is computationally infeasible to deduce β from the (P, Ppub) pair

because of the difficulty of solving the DLP in G1 (cf. Section 2.2.1).

It is a prerequisite in an IBC cryptosystem that two communication entities use

the same domain-params. This poses the demand for an assurance on the legitimacy of

domain-params, which is satisfied in UPASS via domain-params certificates. In particu-

lar, we assume that there is a trusted third party (TTP) with well-known domain-params

$\langle q, G_1, G_2, \breve{e}, \breve{P}, H_1, \breve{P}_{\mathrm{pub}} \rangle$ and a private domain secret $\beta \in \mathbb{Z}_q^*$. The TTP, for instance, can

publish its domain-params through its website. Upon request of a certificate for domain-params,

the TTP computes βH1(domain-params) and returns it to the requesting domain adminis-

trator. We refer to such a 〈domain-params, βH1(domain-params)〉 pair as a domain-params

certificate. For ease of presentation, we indicate by domain-certOi and domain-certBi the

domain-params certificate of operator Oi and broker Bi, respectively.

To validate a domain-cert, one just needs to check whether

$$\breve{e}(\breve{P}, \beta H_1(\text{domain-params})) = \breve{e}(\breve{P}_{\mathrm{pub}}, H_1(\text{domain-params})). \qquad (6.1)$$


The equation should hold for an authentic domain-cert because

$$\breve{e}(\breve{P}, \beta H_1(\text{domain-params})) = \breve{e}(\beta \breve{P}, H_1(\text{domain-params}))$$

by the bilinearity of $\breve{e}$ (cf. Section 2.2.1) and $\breve{P}_{\mathrm{pub}} = \beta \breve{P}$.

Our method of certifying domain-params is an application of the provably secure ID-

based short-signature scheme by Boneh et al. [128]. Another way to certify domain-params

is to rely on conventional public-key certificates. Such domain-params certificates can be

stored at some public directory from which they can be retrieved as needed. An alternative

way is to use the Domain Name System (DNS), where the domain-cert of each trust domain

is stored and distributed as part of its DNS record [129]. Also note that, in reality, the

root TTP may be replaced by a hierarchy of TTPs, similar to the traditional Public-Key

Infrastructure (PKI), in which a higher-level TTP certifies domain-params of each TTP at

the adjacent lower level. In this scenario, a conventional certificate-chain method [10] can

be used for verifying domain-params certificates generated by different TTPs. For clarity

and ease of presentation, however, we will just discuss the single TTP case in the rest of

this chapter.

6.3.5 Pass Model

There are three types of passes in UPASS: router passes (R-PASSes) issued by a WMN

operator to its mesh routers, client passes (C-PASSes) provided by a broker to the registered

clients, and temporary client passes (T-PASSes) given by a WMN operator to mesh clients

present in its domain. In this subsection, we focus on the issuance of R-PASSes and C-

PASSes, and defer the discussion on T-PASSes to Section 6.4.

Issuance of R-PASSes. We take operator Oi as an example to explain the issuance

of R-PASSes. Prior to network deployment, Oi issues to each controlled router Ri,j an R-PASS $\mathrm{PASS}_{R_{i,j}} := (R_{i,j}, \text{expiry-time})$ as well as a pass-key $K_{R_{i,j}} = \beta_{O_i} H_1^{O_i}(\mathrm{PASS}_{R_{i,j}})$, which Ri,j keeps secret. Here, $\beta_{O_i}$ is operator Oi’s domain-secret, and $H_1^{O_i}$ is the hash function specified in domain-params$_{O_i}$. The freshness of PASSRi,j is controlled by the expiry-time field.

Oi should send to Ri,j a new (PASSRi,j ,KRi,j ) pair via a secure channel before its current

one expires. Depending on Oi’s security policies, (PASSRi,j ,KRi,j ) may be updated hourly,


daily, weekly, or even monthly. New pairs can be sent along with other domain-related

control signalling traffic to minimize the communication overhead.

In essence, (PASSRi,j ,KRi,j ) is a standard ID-based public and private key pair in

an IBC cryptosystem. Alternatively, PASSRi,j can be designed as a conventional public-

key certificate and KRi,j as the corresponding private key. As compared to a typical X.509

certificate of about 1 KB, our ID-based PASSRi,j has at most a few tens of bytes in size. The

main reason is that it retains the entity identifier and expiry-time parts of a certificate, while

dumping the most space-consuming fields, namely, a public key and the digital signature of

a certification authority (CA). The merits of such ID-based passes in facilitating efficient

entity authentication and key agreement will be seen more clearly in Section 6.4.

Issuance of C-PASSes. To enjoy ubiquitous WMN access, each client has to first

register with a desired broker, similar to applying for a credit card with a bank. Consider

broker Bi as an example. Upon a registration request from client j, Bi usually needs to

validate the client’s personal data such as his driver’s licence or social security number

(SSN), as well as checking his credit status. Bi may also ask for a security deposit as

required by its registration policy. Subsequently, Bi assigns to the applicant an identifier

Ci,j and a C-PASS in the form of

PASSCi,j := (Ci,j , expiry-time, otherTerms).

Here, expiry-time specifies the expiry time of PASSCi,j before which Ci,j has to renew it if

desiring to stay with Bi. Broker Bi may use the otherTerms field to name other terms and

conditions Ci,j should comply with. For instance, it may specify the per-day spending limit

of Ci,j at any WMN domain, or the list of WMN domains Ci,j is allowed to visit, which

have cooperative agreements with Bi.

In addition to PASSCi,j, the broker issues to Ci,j a pass-key $K_{C_{i,j}} = \beta_{B_i} H_1^{B_i}(\mathrm{PASS}_{C_{i,j}})$, where $\beta_{B_i}$ is Bi’s domain-secret and $H_1^{B_i}$ is the hash function specified in domain-params$_{B_i}$.

Likewise, (PASSCi,j, KCi,j) is a standard ID-based public and private key pair. Like an R-PASS, PASSCi,j is much shorter than a conventional certificate realizing the same functionalities, namely, one carrying the same otherTerms field.


Protection and revocation of C-PASSes. Since router passes can be easily pro-

tected, here we only concentrate on protecting and revoking user passes. Client Ci,j may

store (PASSCi,j ,KCi,j ) in his often-used mobile device or on a USB drive to use it on multiple

devices if any. PASSCi,j can be made publicly known, while KCi,j must be kept confidential

to himself. There are many possible ways to protect KCi,j. An all-too-familiar method is to ask Ci,j to enter a personal identification number (PIN) for each access to KCi,j.

It is possible that a careless client loses his (pass, pass-key) pair unprotected using the

PIN method. This occurs, for instance, when the client loses the mobile device or the USB

drive storing his secret pair. In that case, the client should report it immediately to the

broker and his liability should be limited accordingly, as it is for credit-card loss. However,

it should be noted that the loss of a client (pass, pass-key) pair would cause much less

severe consequences or financial loss than that of a credit card. The principal reason is that C-PASSes are not designed for purchasing regular goods of possibly high value, but specifically for buying Internet access services, whose rates keep falling.

A broker can take further measures to minimize its financial risk. For example, if a

client repeatedly reports a (pass, pass-key) loss, it may refuse to issue him new secret pairs.

The broker may also specify a carefully-designed spending-limit in a C-PASS. Moreover,

the broker may use a short C-PASS validity period, say one day, and send to a client (e.g.,

via email) a new secret pair early each morning that is valid only for that day. Furthermore, the broker can maintain a hot list of C-PASSes whose holders have reported losses, or which are otherwise problematic. WMN operators can periodically download the hot lists from the brokers during idle hours, and refuse to serve mesh clients whose presented C-PASSes are on the hot lists. Although the last measure requires certain interactions between WMN operators and brokers, it is an off-line method and still considered

much more lightweight than a conventional cellular-like method, where the foreign operator

has to perform realtime checking with a roaming user’s home operator about his account

status.


6.4 Authentication and Key Agreement (AKA)

In this section, we illustrate how to utilize R-PASSes and C-PASSes to realize both

router-client and client-client authentication and key agreement (AKA). We also distinguish

inter-domain AKA and intra-domain AKA. The former occurs when a client migrates from

one WMN domain to another, and the latter happens while a client makes his way from one

mesh to another of the same WMN domain. In addition, we make the usual assumption that inter-domain migrations happen less frequently than intra-domain ones, so inter-domain AKA is likewise performed less frequently than intra-domain AKA.

6.4.1 Inter-Domain Authentication and Key Agreement

Without loss of generality, we take client C1,1 and mesh router R1,1 as an example to

explain the inter-domain AKA protocol, which works in the following three steps.

(A.1) $R_{1,1} \to *$ : $\mathrm{PASS}_{R_{1,1}}$, domain-cert$_{O_1}$, $S_{K_{R_{1,1}}}(t_1, \text{OtherInfo})$

(A.2) $C_{1,1} \to R_{1,1}$ : $\mathrm{PASS}_{C_{1,1}}$, $S_{K_{C_{1,1}}}(t_2)$

(A.3) $R_{1,1} \to C_{1,1}$ : $\mathrm{PASS}^{O_1}_{C_{1,1}}$, $E_{\mathrm{PASS}_{C_{1,1}}}(K^{O_1}_{C_{1,1}})$

Router R1,1 periodically broadcasts a beacon (A.1) via the single-hop downlink to

announce its presence. The beacon should at least include PASSR1,1 , domain-certO1 , and

a fresh timestamp t1 signed with its pass-key KR1,1 and used to defend against message

replay attacks [10]. The beacon may also contain other network service information such

as the current network access fee of O1.

The beacon can be received by all mesh clients in router R1,1’s coverage. Assume that

client C1,1 is currently served by a WMN domain other than O1. Upon receipt of (A.1), he

may choose to switch to O1 under certain conditions. For example, he may do so if R1,1

has a much stronger signal strength than the serving router, or the access fee of O1 is lower

than that of the serving operator. Supposing that is the case, C1,1 performs the following

operations in sequence:


1. Check whether the difference between t1 and his local clock time is within an acceptance window.³

2. Make sure that PASSR1,1 has not expired by examining its expiry-time field.

3. Validate domain-certO1 according to Eq. 6.1.

4. Use domain-paramsO1 to verify SKR1,1(t1, OtherInfo) with PASSR1,1 as the public key.

We need to stress that C1,1 just needs to execute step 3 once for operator O1. In other

words, knowing the authentic domain-paramsO1 enables him to verify the signatures of any

router of O1. If any of the checks fails, C1,1 considers the beacon bogus and ignores it.

Otherwise, he regards R1,1 as a legitimate router of O1 and then forms message (A.2),

including PASSC1,1 and a timestamp t2 signed under KC1,1 .

As for the uplink transmission of (A.2) to R1,1, there are two cases deserving consid-

eration. If R1,1 is within direct reach, C1,1 simply sends (A.2) to R1,1 via the single-hop

uplink. The more challenging case is when R1,1 is out of C1,1’s transmission range. A naive

solution is for C1,1 to ask clients between himself and R1,1, which have achieved mutual authentication with R1,1 and know an uplink route to it, to help relay (A.2) to R1,1 in a

hop-by-hop fashion. This measure is, however, not quite realistic since intermediate clients

are generally reluctant to forward (A.2) because of the uncertainty of getting later remu-

neration from the as-yet unauthenticated C1,1. It may also introduce room for a special

type of DoS attack, in which an attacker continuously sends lots of faked versions of (A.2)

via innocent intermediate clients to R1,1.

Fortunately, we can deal with the second case by harnessing the transmit power control

capability of many mobile devices, i.e., the ability to vary the transmit power in steps. In

particular, the radio module of C1,1 should be able to automatically boost the transmit

power just enough to send (A.2) to R1,1 in one hop. During the post-authentication stage,

the transmit power can be reduced back to the normal level so that C1,1 may send packets

to R1,1 in multiple hops. In doing so, he can not only save his battery power, but also help

increase spatial concurrency and frequency reuse, as is shown in [130].

³ This can be a fixed-size time interval, e.g., 10 ms or 20 s, preset to account for the maximum message transit and processing time, plus clock skew.


Since brokers are relatively fewer in number, it is reasonable to assume that R1,1

can acquire and verify the domain-params certificates of all the brokers (including B1) in

advance. An alternative solution is to let C1,1 append domain-certB1 to (A.2). Once learning

the authentic domain-paramsB1, router R1,1 shall be able to verify the signatures by all the

registered clients of B1. Upon receiving (A.2), R1,1 first checks that PASSC1,1 is not on the

hot list of B1 (cf. Section 6.3.5). It then carries out actions analogous to what C1,1 did. If

all the inspections are successful, R1,1 determines that C1,1 is a legitimate registered client

of broker B1 it trusts.

After authentication of C1,1, router R1,1 contacts its domain administrator to acquire

the following data:

$$\mathrm{PASS}^{O_1}_{C_{1,1}} := (C^{O_1}_{1,1},\ \text{expiry-time}), \qquad K^{O_1}_{C_{1,1}} = \beta_{O_1} H_1^{O_1}(\mathrm{PASS}^{O_1}_{C_{1,1}}).$$

$\mathrm{PASS}^{O_1}_{C_{1,1}}$ will be the temporary pass (T-PASS) of C1,1 in domain O1, where $C^{O_1}_{1,1}$ is his temporary identifier and expiry-time indicates the expiry time of $\mathrm{PASS}^{O_1}_{C_{1,1}}$. Next, R1,1 sends $\mathrm{PASS}^{O_1}_{C_{1,1}}$ in plaintext and pass-key $K^{O_1}_{C_{1,1}}$ encrypted under public key PASSC1,1 to C1,1 in message (A.3).

Upon receipt of (A.3), C1,1 first decrypts $K^{O_1}_{C_{1,1}}$ using his pass-key $K_{C_{1,1}}$ and then checks that the equation $e_{O_1}(K^{O_1}_{C_{1,1}}, P_{O_1}) = e_{O_1}(H_1^{O_1}(\mathrm{PASS}^{O_1}_{C_{1,1}}), P^{O_1}_{\mathrm{pub}})$ holds. Here, $e_{O_1}$, $P_{O_1}$ and $P^{O_1}_{\mathrm{pub}}$ are extracted from domain-params$_{O_1}$. The check should succeed for a valid $(\mathrm{PASS}^{O_1}_{C_{1,1}}, K^{O_1}_{C_{1,1}})$ pair due to the following equations:

$$\begin{aligned}
e_{O_1}(K^{O_1}_{C_{1,1}}, P_{O_1}) &= e_{O_1}(\beta_{O_1} H_1^{O_1}(\mathrm{PASS}^{O_1}_{C_{1,1}}), P_{O_1}) \\
&= e_{O_1}(H_1^{O_1}(\mathrm{PASS}^{O_1}_{C_{1,1}}), \beta_{O_1} P_{O_1}) \\
&= e_{O_1}(H_1^{O_1}(\mathrm{PASS}^{O_1}_{C_{1,1}}), P^{O_1}_{\mathrm{pub}}).
\end{aligned}$$

The second line is due to the bilinearity of $e_{O_1}$, and the third line holds because $P^{O_1}_{\mathrm{pub}} = \beta_{O_1} P_{O_1}$. After a successful check, C1,1 saves $(\mathrm{PASS}^{O_1}_{C_{1,1}}, K^{O_1}_{C_{1,1}})$ for subsequent use as his temporary credential in domain O1. Router R1,1 and its domain administrator may record the mapping between PASSC1,1 and $\mathrm{PASS}^{O_1}_{C_{1,1}}$ if needed. We will soon show the usefulness of such temporary credentials in both intra-domain client-router authentication and client-client authentication.


After a successful three-way handshake, R1,1 and C1,1 can establish a shared key as

$$\begin{aligned}
K_{R_{1,1},C_{1,1}} &= e_{O_1}(K_{R_{1,1}}, H_1^{O_1}(\mathrm{PASS}^{O_1}_{C_{1,1}})) \\
&= e_{O_1}(H_1^{O_1}(\mathrm{PASS}_{R_{1,1}}), H_1^{O_1}(\mathrm{PASS}^{O_1}_{C_{1,1}}))^{\beta_{O_1}} \\
&= e_{O_1}(H_1^{O_1}(\mathrm{PASS}^{O_1}_{C_{1,1}}), H_1^{O_1}(\mathrm{PASS}_{R_{1,1}}))^{\beta_{O_1}} \\
&= e_{O_1}(K^{O_1}_{C_{1,1}}, H_1^{O_1}(\mathrm{PASS}_{R_{1,1}})) = K_{C_{1,1},R_{1,1}}.
\end{aligned} \qquad (6.2)$$

The above equations hold by the bilinearity and symmetry of eO1 (cf. Section 2.2.1). Here,

R1,1 (respectively, C1,1) derives the shared key using the first line (respectively, fourth line)

pairing computation. This key agreement method was first presented in [131], which shows

that the shared key will be exclusively known to the two entities establishing it. R1,1 and

C1,1 can then use the shared key to secure subsequent traffic between them via efficient

symmetric-key algorithms.

6.4.2 Intra-Domain Authentication and Key Agreement

Intra-domain authentication occurs when client C1,1 moves out of the coverage area of

R1,1 into that of another router of O1, say R1,2. The naive reuse of the inter-domain AKA

protocol is less efficient because the established trust relationship between R1,1 and C1,1 is

not exploited. Another option is to let R1,1 hand over the shared key KR1,1,C1,1 to R1,2 via

a secure channel. The purpose is to allow R1,2 and C1,1 to authenticate each other through

a classical symmetric-key challenge-response technique [10] based on KR1,1,C1,1 . Such an

approach would cause non-negligible processing burden and communication overhead on

mesh routers, especially when the user base is growing large. It is also insecure to constantly

use KR1,1,C1,1 or session keys derived from it to secure the communication between C1,1 and

multiple or even all mesh routers of O1.

Fortunately, possession of $(\mathrm{PASS}^{O_1}_{C_{1,1}}, K^{O_1}_{C_{1,1}})$ enables C1,1 to fulfill AKA with R1,2 by the following efficient protocol:

(B.1) $R_{1,2} \to *$ : $\mathrm{PASS}_{R_{1,2}}$, domain-cert$_{O_1}$, $S_{K_{R_{1,2}}}(t_1, \text{OtherInfo})$

(B.2) $C_{1,1} \to R_{1,2}$ : $\mathrm{PASS}^{O_1}_{C_{1,1}}$, $t_2$, $h_{K_{C_{1,1},R_{1,2}}}(t_1 \,\|\, t_2)$


Similar to (A.1), message (B.1) is a beacon periodically broadcast by R1,2 to its coverage

area. Upon receipt of it, client C1,1 learns from PASSR1,2 that R1,2 is possibly another router

of O1. He corroborates this by carrying out operations analogous to what he did in the

inter-domain AKA protocol. If all the inspections succeed, C1,1 regards R1,2 as a legitimate router of operator O1, and then derives a shared key $K_{C_{1,1},R_{1,2}} = e_{O_1}(K^{O_1}_{C_{1,1}}, H_1^{O_1}(\mathrm{PASS}_{R_{1,2}}))$. Then he computes a MIC $h_{K_{C_{1,1},R_{1,2}}}(t_1 \,\|\, t_2)$ and sends it together with $\mathrm{PASS}^{O_1}_{C_{1,1}}$ and $t_2$ to R1,2 in message (B.2). Here, t2 is a fresh timestamp and ‖ indicates concatenation. Transmission of (B.2) can be realized in a way similar to that of (A.2).

Upon receiving (B.2), R1,2 first checks that $\mathrm{PASS}^{O_1}_{C_{1,1}}$ has not expired and that t2 is fresh enough. If so, it then computes a shared key as $K_{R_{1,2},C_{1,1}} = e_{O_1}(K_{R_{1,2}}, H_1^{O_1}(\mathrm{PASS}^{O_1}_{C_{1,1}}))$. According to Eq. 6.2, only if both C1,1 and R1,2 are legitimate are $K_{C_{1,1},R_{1,2}}$ and $K_{R_{1,2},C_{1,1}}$ both equal to $e_{O_1}(H_1^{O_1}(\mathrm{PASS}^{O_1}_{C_{1,1}}), H_1^{O_1}(\mathrm{PASS}_{R_{1,2}}))^{\beta_{O_1}}$. Router R1,2 can make sure of this by computing a MIC $h_{K_{R_{1,2},C_{1,1}}}(t_1 \,\|\, t_2)$. If the result matches what C1,1 sent, it regards C1,1 as a legitimate client who has been authenticated by a peer router.

The intra-domain AKA protocol is more efficient than the inter-domain one in both

computation and communication. This is desirable because intra-domain AKA needs to be

done much more frequently than inter-domain AKA. Note that, if $\mathrm{PASS}^{O_1}_{C_{1,1}}$ has expired, C1,1 has to execute the inter-domain AKA protocol with R1,2.

6.4.3 Client-Client Authentication and Key Agreement

One significant advantage of WMNs over wireless LANs lies in the multi-hop commu-

nication paradigm extending the network coverage. This, however, poses the demand for

mutual authentication among mesh clients present in the same mesh. By client-client au-

thentication, we mean that two mesh clients ascertain that each other is served by the same

WMN domain. This is important, for example, because a client should forward packets to the mesh router only on behalf of legitimate clients. Otherwise, he might go unpaid for his packet-forwarding service, which consumes his precious battery power. Two clients might as

well wish to set up a shared key whereby to secure the data and signalling traffic between

them.

The introduction of temporary client credentials greatly eases client-client AKA. The

reason is that possession of an authentic temporary credential can serve as the proof that the


holder has been authenticated by the current WMN domain. Consider, for example, clients C1,1 and C2,1 which are registered with brokers B1 and B2, respectively. Suppose both have finished inter-domain AKA with the same or different routers of operator O1. As a result, C1,1 has $(\mathrm{PASS}^{O_1}_{C_{1,1}}, K^{O_1}_{C_{1,1}})$ and C2,1 owns $(\mathrm{PASS}^{O_1}_{C_{2,1}}, K^{O_1}_{C_{2,1}})$. Once actively exchanging or passively learning (e.g., from routing messages) the T-PASS of each other, they can derive the same shared key $K_{C_{1,1},C_{2,1}} = e_{O_1}(H_1^{O_1}(\mathrm{PASS}^{O_1}_{C_{1,1}}), H_1^{O_1}(\mathrm{PASS}^{O_1}_{C_{2,1}}))^{\beta_{O_1}}$, similar to what C1,1 and R1,1 did in Eq. 6.2. Subsequently, they can fulfill mutual authentication with many classical symmetric-key challenge-response authentication techniques [10]. For instance, C1,1 can send to C2,1 a challenge r1 encrypted with $K_{C_{1,1},C_{2,1}}$. If C2,1 can report a correct response, say (r1 + 1), C1,1 declares the authentication of C2,1 successful. In much the same way, C2,1 can authenticate C1,1.

Owning an authentic temporary credential permits a client to achieve mutual AKA

with all the other clients served by the same WMN domain. Also note that, unlike router-

client AKA, client-client AKA can be done on demand, e.g., when two clients become

neighbors, or one is helping the other deliver traffic to the mesh router. In addition, client-

client AKA is expected to occur even more frequently than intra-domain AKA. This is

mainly due to clients dynamically joining and leaving a mesh, as well as the frequent

uplink route changes caused by mobility of mesh clients or many other reasons. In light

of this, our ID-based T-PASSes clearly have substantial advantages over their much longer

certificate-based alternatives whose transmissions may incur a significant communication

overhead.

6.5 Security Enhancements

Up to now, we have detailed the router-client and client-client AKA procedures based

on router and client passes. The protocols presented are perfectly secure against both

client and router impersonation attacks. In this section, we describe several other severe

attacks against WMN access and present corresponding countermeasures. These defense

mechanisms also serve as answers to security requirements five to seven introduced in Section

6.2.1.


6.5.1 Location Privacy Attack

Anonymity and location privacy are of growing concern to end users [132]. In particular,

mesh clients would usually prefer to travel incognito, thereby remaining anonymous to both

visited WMN domains and potential eavesdroppers. In our UPASS, if a mesh client uses

a fixed C-PASS while roaming, it will be possible for some attackers or vicious WMN

operators to track his movements and whereabouts. We refer to such an attack as the

location privacy attack.

Constancy and uniqueness of client identifiers are the root cause of the location privacy

attack. Consider client Ci,j as an example. As mentioned in Section 6.3.3, Ci,j is a standard

network access identifier (NAI) [124] of format IDCi,j@IDBi . To defend against the location

privacy attack, we obviously have to ensure the confidentiality of client-name IDCi,j that

is unique in domain Bi. A straightforward solution would be to use dynamically-changing

aliases in place of the fixed IDCi,j. One may also think of hiding the identity of broker Bi,

i.e., broker-name IDBi , as a higher-level anonymity requirement. A serving WMN domain,

however, often needs to know the enrolling broker of a client. This conflict renders it unlikely

to have a lightweight solution to ensuring broker anonymity. As far as we know, the only

possible solution appears in [132]. In this approach, there exists a central clearinghouse or

a mix network trusted by all brokers and WMN operators. Aliases are assigned to brokers

so that a mesh client can reference his enrolling broker by an alias; it is then left up to the

central clearinghouse to resolve broker aliases. Considering the infrastructure complexity

related to this proposal, we currently do not feel it worthwhile to guarantee the anonymity

of brokers. What we need is merely an efficient way to generate unlinkable aliases for mesh

clients.

Again, we use Ci,j as an example to explain our solution. We require that broker Bi have a long-enough key $\Gamma_{B_i}$ which it keeps secret. The alias it generates for client Ci,j is of an encrypted form $\mathrm{alias}_{C_{i,j}} = \{\mathrm{ID}_{C_{i,j}},\ \mathrm{rand},\ h_{\Gamma_{B_i}}(\mathrm{ID}_{C_{i,j}} \,\|\, \mathrm{rand})\}_{\Gamma_{B_i}}$, where rand denotes a random number. Then PASSCi,j takes a new form, (aliasCi,j@IDBi, expiry-time, otherTerms).

Hereafter, we refer to such a C-PASS as an alias C-PASS and the corresponding pass-key

as an alias pass-key. Upon registration with Bi, client Ci,j is armed with multiple alias


(C-PASS, pass-key) pairs, which he uses in a random fashion while roaming across WMN

domains.

The use of random numbers in encryption results in unlinkable aliases. In particular,

aliases for the same client are always different and an alias discloses no information about the

true identity of the client. In addition, compromise of a client’s alias neither compromises

aliases of others nor reveals previous aliases of the same client. Therefore, the alias method

provides adequate protection against the location privacy attack. It is also a stateless solution in that a broker need not keep a record of the aliases it has generated. To make sure of the true

identity of a client, it merely needs to perform one simple decryption of a presented alias

as well as a MIC check.

New alias (C-PASS, pass-key) pairs must be issued periodically to client Ci,j.

For this purpose, broker Bi gives a shared key hΓBi(IDCi,j ) to Ci,j during his registration.

Subsequently, it uses the shared key to encrypt new alias (C-PASS, pass-key) pairs for Ci,j

who, in turn, can decrypt them for subsequent use. As for the alias update frequency, there is a tradeoff between the degree of location privacy protection and the alias update overhead. On the one hand, if each alias (C-PASS, pass-key) pair is used only once, we can achieve a high level of resilience to the location privacy attack. This, however, comes at the cost of very frequent alias updates, which translate to great communication and computation overhead. On the other hand, reusing each pair for longer lowers the update overhead but weakens the protection. In practice, a good balance should be struck between these two competing factors.
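As an added example (not the dissertation’s code), the following Python sketches the broker side of the alias scheme: alias generation from (ID, rand, h_Γ(ID ‖ rand)), stateless resolution with one decryption plus one MIC check, the alias C-PASS format, and the registration key h_Γ(ID). The text leaves the symmetric cipher unspecified, so {·}_Γ is realised here as an HMAC-SHA256 counter-mode keystream in the SIV style (the MIC doubles as the IV); the sub-keys derived from Γ, the 16-byte rand, the hex encoding and the client names are constructed assumptions, and the IBC alias pass-key is not modelled.

```python
"""Unlinkable alias C-PASSes for mesh clients (broker side).

Added example, not code from the dissertation. The text leaves the symmetric
cipher open, so {.}_Gamma is realised as an HMAC-SHA256 counter-mode keystream
in SIV style: the MIC h_Gamma(ID || rand) doubles as the IV, so nothing beyond
the ciphertext and the MIC is sent. The IBC alias pass-key is not modelled.
"""
import hashlib
import hmac
import os
from typing import Optional

RAND_LEN = 16          # bytes of 'rand' mixed into every alias (assumption)
TAG_LEN = 32           # HMAC-SHA256 output length


def h_keyed(key: bytes, msg: bytes) -> bytes:
    """h_key(msg): keyed message integrity code, HMAC-SHA256 here."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out = b""
    for ctr in range(-(-length // TAG_LEN)):
        out += h_keyed(key, iv + ctr.to_bytes(4, "big"))
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Broker:
    """Broker B_i holding Gamma_{B_i}; alias handling needs no per-client state."""

    def __init__(self, name: str, gamma: Optional[bytes] = None):
        self.name = name                                  # ID_{B_i}
        self.gamma = gamma if gamma is not None else os.urandom(32)
        # Separate sub-keys of Gamma for the MIC and for the keystream.
        self.k_mic = h_keyed(self.gamma, b"alias-mic")
        self.k_enc = h_keyed(self.gamma, b"alias-enc")

    def make_alias(self, client_id: str) -> str:
        """alias_{C_{i,j}} = {ID, rand, h_Gamma(ID || rand)}_Gamma, hex-encoded."""
        ident = client_id.encode()
        if len(ident) > 255:
            raise ValueError("identifier too long")
        rand = os.urandom(RAND_LEN)                       # fresh per alias
        tag = h_keyed(self.k_mic, ident + rand)           # h_Gamma(ID || rand)
        body = bytes([len(ident)]) + ident + rand
        ct = xor(body, keystream(self.k_enc, tag, len(body)))
        return (ct + tag).hex()

    def resolve_alias(self, alias_hex: str) -> Optional[str]:
        """One decryption plus one MIC check; None if not ours or tampered."""
        try:
            raw = bytes.fromhex(alias_hex)
        except ValueError:
            return None
        if len(raw) < TAG_LEN + 1 + RAND_LEN:
            return None
        ct, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        body = xor(ct, keystream(self.k_enc, tag, len(ct)))
        n = body[0]
        if len(body) != 1 + n + RAND_LEN:
            return None
        ident, rand = body[1:1 + n], body[1 + n:]
        if not hmac.compare_digest(h_keyed(self.k_mic, ident + rand), tag):
            return None
        return ident.decode(errors="replace")

    def issue_alias_cpass(self, client_id: str, expiry_time: str, other_terms: str) -> tuple:
        """Alias C-PASS (alias@ID_{B_i}, expiry-time, otherTerms)."""
        return (f"{self.make_alias(client_id)}@{self.name}", expiry_time, other_terms)

    def resolve_cpass(self, cpass: tuple) -> Optional[str]:
        """Recover the true client name from a presented alias C-PASS."""
        alias, sep, broker = cpass[0].rpartition("@")
        if sep != "@" or broker != self.name:
            return None
        return self.resolve_alias(alias)

    def registration_key(self, client_id: str) -> bytes:
        """h_Gamma(ID): key handed to the client at registration to encrypt
        the alias (C-PASS, pass-key) pairs issued later."""
        return h_keyed(self.gamma, client_id.encode())
```

Two aliases issued to the same client differ in every byte, yet either resolves to the same name with one decryption and one MIC check; a flipped bit or a foreign broker’s key yields None.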

6.5.2 Bogus-Beacon Flooding Attack

Beacons periodically broadcast by a mesh router and processed by mesh clients play a fundamental role in ensuring the proper operation of a mesh. It is, therefore, important to guarantee the authenticity of beacons. Otherwise, an attacker may launch the bogus-beacon flooding attack by flooding a mesh with a lot of bogus beacons for all kinds of vicious motives. In the previous intra-domain and inter-domain AKA protocols, a mesh router digitally signs all the beacons before sending them out to provide an assurance about their authenticity. Since beacons are usually sent at very short intervals (e.g., every 100 ms as in IEEE 802.11b), performing continuous signature verifications will be too great a burden


[Figure 6–2 image not recoverable; labels present in the figure: a1 … a5, b1,1 … b5,5, h_{a_x}(b_{x,1}), “sending order”, “super beacon interval δ”]

Figure 6–2: An exemplary 5-by-5 hierarchical one-way hash chain.

for common mesh clients with limited computational resources. This serves as motivation

for a more lightweight yet effective solution.

We deal with this attack by a hierarchical one-way hash-chain technique, which is a

modified version of the well-known Lamport’s one-time-password scheme [133]. Consider

router R1,1 as an example. Assume that it broadcasts a beacon every δ ms. We also define

a super beacon interval as a time period lasting mnδ ms, where m and n are both positive

integers. With our technique in place, each beacon (A.1) from R1,1 will take the following new form:

$$\langle \mathrm{PASS}_{R_{1,1}},\ \text{domain-cert}_{O_1},\ \text{OtherInfo},\ S_{K_{R_{1,1}}}(t_s \,\|\, \delta \,\|\, a_1),\ x,\ a_x,\ b_{x,1},\ h_{a_x}(b_{x,1}),\ y,\ b_{x,y},\ h_{b_{x,y}}(\text{all previous fields}) \rangle$$

Here, $t_s$ indicates the starting time of a super beacon interval; x and y are both integers such that $1 \le x \le m$ and $1 \le y \le n$; $a_x = h(a_{x+1})$ for each $x \in [1, m-1]$, where $a_m$ is picked by R1,1 at random; $b_{x,y} = h(b_{x,y+1})$ for each $x \in [1, m]$ and $y \in [1, n-1]$, where each $b_{x,n}$ is randomly chosen by R1,1. Due to the one-way feature of the hash function h, if $a_m$ is chosen randomly, given $a_x$ it is computationally infeasible to find $a_{x+1}$, while given $a_{x+1}$ it is computationally efficient to derive $a_x$. Therefore, we can use the chain of values $\{a_x \mid 1 \le x \le m\}$ as one-time keys. The same argument applies to each chain $\{b_{x,y} \mid 1 \le y \le n\}$, where $b_{x,y}$ is used to compute a keyed MIC of beacon $(x-1)n + y$ of


a super beacon interval. By contrast, ax is used to calculate a keyed MIC of the initial

value bx,1 to guarantee its authenticity. To help understanding, Fig. 6–2 illustrates a 5-by-5

hierarchical hash chain.

Suppose client C1,1 hears such a beacon. Let us first consider the case that C1,1 has

not fulfilled mutual authentication with router R1,1. C1,1 first needs to authenticate R1,1

by performing the operations given in Section 6.4.1. Note that the required timestamp t1,

i.e., the beacon sending time, can be easily deduced as t1 = ts + (x− 1)nδ + yδ. If all the

checks succeed, C1,1 then verifies that a1 = h(x−1)(ax), where h(s)(M) means applying the

hash function h iteratively to message M s times and h(0)(M) = M. If so, he calculates

hax(bx,1) and compares it with what is in the beacon. If they are equal, C1,1 uses bx,y to compute

a keyed MIC of proper beacon fields and, if the result matches what he received, considers

the beacon authentic. Finally, he stores the super-interval parameter triplet (ts, δ, a1), and

sets ca ← x, cb ← y, aca ← ax, and bca,cb ← bx,y for later use. Other operations remain the

same as those of the aforementioned inter-domain or intra-domain AKA protocol.

Now we consider the case that C1,1 and R1,1 have authenticated each other. This

means that C1,1 has known an authentic super-interval parameter triplet of R1,1. Upon

receiving a beacon, C1,1 first checks that the contained super-interval parameter triplet is

different from what it stores, which might be possible if he loses track of beacons. If so,

he does the operations described above to first verify the super-interval parameters and

then authenticate the beacon. Otherwise, he first checks that ca ≤ x and cb < y, and then

that the difference between t1 = ts + (x − 1)nδ + yδ and his local clock time is within an

acceptance window. These checks are necessary for withstanding beacon replay attacks.

If they are successful, C1,1 further distinguishes two cases. If aca = ax, he merely checks

that bca,cb = h(y−cb)(bx,y) and, if so, sets cb ← y and bca,cb ← bx,y. Otherwise, he needs to

verify in sequence that aca = h(x−ca)(ax), hax(bx,1) is equal to the MIC in the beacon, and

bx,1 = h(y−1)(bx,y). If all the checks succeed, he computes a keyed MIC over proper beacon

fields using bx,y. Only when the result matches what is in the beacon, does he consider the

beacon authentic and update ca ← x, cb ← y, aca ← ax, and bca,cb ← bx,y.
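As an added illustration that is not part of the dissertation, the following Python models the hierarchical hash-chain beacon and the client checks for both cases above (first beacon and subsequent beacons). It assumes SHA-256 for h, HMAC-SHA-256 for the keyed MIC h_k(·), and a stub in place of the IBC signature and the other Section 6.4.1 operations; where the text requires ca ≤ x and cb < y, the code treats any y as fresh once x has advanced, since that b chain is new.

```python
import hashlib
import hmac
import os

# Added example, not code from the dissertation. Assumed instantiations: h is
# SHA-256, the keyed MIC h_k(M) is HMAC-SHA-256, and the IBC signature over
# (ts || delta || a1) is a tagged tuple whose check (like the other Section
# 6.4.1 operations) is a stub.

def h(data):
    return hashlib.sha256(data).digest()

def h_iter(x, s):
    """h^(s)(x): apply h iteratively s times; h^(0)(x) = x."""
    for _ in range(s):
        x = h(x)
    return x

def mic(key, msg):
    """Keyed MIC h_key(msg)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def build_chain(seed, length):
    """[v_1, ..., v_length] with v_i = h(v_{i+1}); the random seed v_length is released last."""
    chain = [seed]
    for _ in range(length - 1):
        chain.append(h(chain[-1]))
    return chain[::-1]

FIELDS = ("sig", "x", "ax", "bx1", "mic_bx1", "y", "bxy")

def covered(bcn):
    """Deterministic encoding of 'all previous fields' for the outer MIC."""
    return repr([(k, bcn[k]) for k in FIELDS]).encode()

class Router:
    """R_1,1: one signature per super beacon interval of m*n beacons, hashes otherwise."""
    def __init__(self, m, n, delta, ts, rng=os.urandom):
        self.n, self.delta, self.ts = n, delta, ts
        self.a = build_chain(rng(32), m)                      # a_1..a_m
        self.b = [build_chain(rng(32), n) for _ in range(m)]  # b_{x,1..n} for each x
        self.sig = ("SIG", ts, delta, self.a[0])              # stands in for SK_R(ts || delta || a1)

    def beacon(self, x, y):
        """Beacon number (x-1)n + y of the super interval, MIC keyed with b_{x,y}."""
        ax, bx1, bxy = self.a[x - 1], self.b[x - 1][0], self.b[x - 1][y - 1]
        bcn = {"sig": self.sig, "x": x, "ax": ax, "bx1": bx1,
               "mic_bx1": mic(ax, bx1), "y": y, "bxy": bxy}
        bcn["mic"] = mic(bxy, covered(bcn))
        return bcn

class Client:
    """C_1,1: remembers (ts, delta, a1) and the counters ca, cb, a_ca, b_{ca,cb}."""
    def __init__(self, n, window):
        self.n, self.window = n, window
        self.params, self.ca, self.cb, self.a_ca, self.b_cacb = None, 0, 0, None, None

    def accept(self, bcn, now):
        x, y, ax, bxy = bcn["x"], bcn["y"], bcn["ax"], bcn["bxy"]
        params = bcn["sig"][1:]                                # (ts, delta, a1)
        if params != self.params:
            # First beacon, or the stored super-interval parameters no longer match:
            # verify the signature (stub) and anchor a_x to the signed a_1.
            if bcn["sig"][0] != "SIG" or h_iter(ax, x - 1) != params[2]:
                return False
            new_chain = True
        else:
            # Replay checks: the index must advance, and the implied sending time
            # t1 = ts + (x-1)n*delta + y*delta must lie within the acceptance window.
            # (The text requires ca <= x and cb < y; a larger x makes any y fresh.)
            if x < self.ca or (x == self.ca and y <= self.cb):
                return False
            ts, delta = params[0], params[1]
            if abs(now - (ts + (x - 1) * self.n * delta + y * delta)) > self.window:
                return False
            new_chain = ax != self.a_ca
            if new_chain and h_iter(ax, x - self.ca) != self.a_ca:
                return False
        if new_chain:
            # A new b chain: a_x authenticates its root b_{x,1}, which b_{x,y} must hash back to.
            if mic(ax, bcn["bx1"]) != bcn["mic_bx1"] or h_iter(bxy, y - 1) != bcn["bx1"]:
                return False
        elif h_iter(bxy, y - self.cb) != self.b_cacb:
            return False
        if mic(bxy, covered(bcn)) != bcn["mic"]:
            return False
        self.params, self.ca, self.cb, self.a_ca, self.b_cacb = params, x, y, ax, bxy
        return True
```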


A new super beacon interval begins either when R1,1 has used bm,n or when it has

updated its (PASSR1,1, KR1,1) pair.⁴ In either case, it selects a random am and bx,n’s for

all x ∈ [1,m], based on which to compute a new signature SKR1,1(ts ‖ δ ‖ a1) broadcast in

the next beacon.

The hash-chain technique greatly reduces the computational load of both mesh routers

and clients because moderately expensive signature operations are replaced with hash op-

erations which are usually several orders of magnitude faster. In particular, R1,1 just needs

to generate a signature at the start of each super beacon interval, rather than each time

sending a beacon; each client accordingly merely performs a signature verification per super

beacon interval instead of for each received beacon. The concrete performance gains are

closely related to the hash-chain-length parameters m,n, which, in turn, are constrained

by the maximum memory the router allocates for this purpose. Generally speaking, the

larger m and n, the more performance gains we can have, and vice versa. For instance,

assume that the beacon interval is δ = 100 ms, m = 40 and n = 1000, meaning a su-

per beacon interval of about 67 minutes. It takes the router one signature generation and

(m− 1) + m(n− 1) + m + mn = 80039 hash operations in total to generate one-time keys

and keyed MICs in beacons. This is in contrast to the 40000 IBC signature generations if

the hash-chain technique is not used. In practice, a mesh router will have enough space to

allow for much larger m,n values, hence meaning potentially more substantial performance

gains.

In addition, the generation of {bx,y | 1 ≤ y ≤ n} can be deferred until the values of

{bx−1,y | 1 ≤ y ≤ n} are almost used up. This may be desirable for lowering the storage

complexity. For {ax | 1 ≤ x ≤ m} and each {bx,y | 1 ≤ y ≤ n}, there is a computation-storage

tradeoff with respect to hash-chain traversal. One may envision two extreme approaches for

this problem, i.e., storing either only the hash-chain seed (am or bx,n) or the entire chain.

The first one has a relatively large on-line computational cost for generating each hash value,

as the same sequence of values is repetitively computed. By contrast, the second method

substantially reduces the computational complexity at the cost of high storage complexity.

Researchers have recently investigated ways to optimize this computation-storage tradeoff.

Interested readers are referred to [134, 135] for a thorough treatment of this issue.

⁴ The latter case usually occurs much less frequently than the former.

6.5.3 Denial-of-Access Attack

A denial-of-access (DoA) attack is one in which an attacker sends a large number of

bogus authentication responses like (A.2) or (B.2) to a mesh router. The purpose is to

exhaust its resources and render it less capable of serving legitimate clients. The router is,

however, assumed to at least be able to reject bogus authentication responses and send out

packets. Therefore, the DoA attack is different from and less devastating than the radio

jamming attack mentioned in Section 6.2.2.

The client-puzzle approach [136, 137, 138, 139] is a promising countermeasure against

the DoA attack. The idea is quite simple. When there is no evidence of attack, a router

processes authentication replies normally. Under a suspected DoA attack, the router re-

quires that a solution to a cryptographic puzzle be attached to each authentication re-

sponse. Only when the solution is correct will the router commit resources to process the

response, which involves moderately expensive public-key operations. Typically, solving a

client puzzle requires a brute-force search in the solution space, while solution verification is

trivial. Therefore, an attacker must have access to abundant resources to be able to quickly

compute a large enough number of puzzle solutions in line with his sending rate of bogus

authentication responses. By contrast, although puzzles slightly increase legitimate clients’

computational load when the router is under attack, they are still able to obtain network

access as if there were no DoA attack. The commonly-used puzzles include CPU-bound

puzzles [136, 137] and memory-bound puzzles [140, 141]. The former impose a number of

computational steps to generate a solution, while the latter aim to impose similar puzzle-

solving delays on clients with even different computation power. Due to space limitations,

we will just demonstrate the use of CPU-bound puzzles because they are relatively easy to

generate and understand. We leave the exploration of memory-bound puzzles as our future

work.


With the client-puzzle approach and the aforementioned hash-chain technique, the

inter-domain AKA protocol given in Section 6.4.1 is modified as follows:

(A.1’) R1,1 → ∗ : PASSR1,1 , domain-certO1 ,OtherInfo,

SKR1,1(ts ‖ δ ‖ a1), x, ax, bx,1, hax(bx,1), y, bx,y,

NR1,1, LR1,1 , hbx,y(all previous fields)

(A.2’) C1,1 → R1,1 : PASSC1,1, SKC1,1(t2), NC1,1, XC1,1

(A.3’) R1,1 → C1,1 : PASS^{O1}_{C1,1}, E_{PASSC1,1}(K^{O1}_{C1,1})

The puzzle we use is similar to that of [137], consisting of NR1,1 and LR1,1 sent in beacon

(A.1’). NR1,1 is a random nonce created and changed by R1,1 periodically. We refer to such

a period as a puzzle interval. LR1,1 is a one-byte value and called the puzzle indicator. Only

when there is evidence of the DoA attack does R1,1 set the highest bit of LR1,1 to ask for

puzzle solutions. In that case, the remaining seven bits of LR1,1, denoted by ⌊LR1,1⌋7, determine

the puzzle difficulty.

Upon receipt of the beacon, if the highest bit of LR1,1 is zero, client C1,1 just performs

the operations described before. Otherwise, he has to additionally derive a solution to the

presented puzzle. He does so by first generating a random client nonce NC1,1 and then

performing a brute-force search for a string XC1,1, such that the ⌊LR1,1⌋7 bits of the hash

result h(PASSR1,1 ‖ PASSC1,1 ‖ NR1,1 ‖ NC1,1 ‖ XC1,1) are zeros. The (NC1,1 , XC1,1) pair is a

puzzle solution and returned to router R1,1 in message (A.2’). If h is a good one-way hash

function such as SHA-1 [16], the average number of hash operations for finding a puzzle

solution is 2^⌊LR1,1⌋7. It is also worth noting that, since router and client passes are used in

solving the puzzle, it is unlikely that the same puzzle solution can be used for other routers

and clients.

After receiving (A.2’), router R1,1 first checks that client C1,1 has not previously sub-

mitted a correct puzzle solution with the same NC1,1 under the same NR1,1 . Message (A.2’)

is simply dumped if containing a replayed puzzle solution. Otherwise, R1,1 verifies the puz-

zle solution by recomputing the hash to see if the ⌊LR1,1⌋7 bits of the result are all zeros.

Only if the solution is correct, does it continue processing (A.2’) according to the previous

description.
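The puzzle exchange above, as an added example rather than the dissertation's own code: the router's one-byte indicator, the client's brute-force search, and the router's nonce-interval and replay checks before any public-key work is spent on (A.2’). It assumes SHA-256 for h, a length-prefixed encoding for ‖, opaque byte strings for the passes, and a 64-bit router nonce and 24-bit client nonce as the text suggests.

```python
import hashlib
import os

# Added example, not code from the dissertation. Assumptions: h is SHA-256,
# '||' is a length-prefixed concatenation, passes are opaque byte strings, and
# N_R is 64 bits while N_C is 24 bits.

def h(data):
    return hashlib.sha256(data).digest()

def concat(*parts):
    """Unambiguous encoding of f1 || f2 || ... (2-byte length prefix per field)."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def leading_zero_bits(digest, k):
    """True iff the first k bits of digest are zero, k in 0..64."""
    return int.from_bytes(digest[:8], "big") >> (64 - k) == 0 if k else True

def puzzle_indicator(under_attack, difficulty):
    """One-byte L_R: highest bit set only under attack, low seven bits = difficulty."""
    assert 0 <= difficulty <= 64            # the text's reasonable range is 1..64
    return (0x80 if under_attack else 0) | difficulty

def difficulty_of(L):
    """floor(L)_7: the low seven bits of the indicator."""
    return L & 0x7F

def puzzle_required(L):
    return bool(L & 0x80)

def solve(pass_r, pass_c, n_r, L, rng=os.urandom):
    """Client side: search X_C so that h(PASS_R||PASS_C||N_R||N_C||X_C) has floor(L)_7 leading zero bits."""
    if not puzzle_required(L):
        return None
    k, n_c, x = difficulty_of(L), rng(3), 0
    while True:
        x_c = x.to_bytes(8, "big")
        if leading_zero_bits(h(concat(pass_r, pass_c, n_r, n_c, x_c)), k):
            return n_c, x_c
        x += 1

class PuzzleVerifier:
    """Router side: current and previous N_R (overlap of adjacent puzzle intervals) plus seen solutions."""
    def __init__(self, pass_r, rng=os.urandom):
        self.pass_r, self.n_r, self.prev_n_r = pass_r, rng(8), None
        self.L = puzzle_indicator(False, 0)
        self.seen = set()                     # (N_R, PASS_C, N_C) of accepted solutions

    def set_indicator(self, under_attack, difficulty):
        self.L = puzzle_indicator(under_attack, difficulty)

    def rotate_nonce(self, rng=os.urandom):
        """Begin a new puzzle interval; solutions under the previous nonce stay valid during the overlap."""
        self.prev_n_r, self.n_r = self.n_r, rng(8)
        self.seen = {s for s in self.seen if s[0] == self.prev_n_r}

    def accept(self, pass_c, n_r, n_c, x_c):
        """Checks on (A.2') that precede the moderately expensive public-key operations."""
        if not puzzle_required(self.L):
            return True                        # no attack evidence: process normally
        if n_r not in (self.n_r, self.prev_n_r):
            return False                       # nonce from an expired or foreign puzzle interval
        if (n_r, pass_c, n_c) in self.seen:
            return False                       # replayed solution: the message is dumped
        ok = leading_zero_bits(h(concat(self.pass_r, pass_c, n_r, n_c, x_c)), difficulty_of(self.L))
        if ok:
            self.seen.add((n_r, pass_c, n_c))
        return ok
```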


Now we discuss the choice of puzzle parameters. To prevent an attacker from precom-

puting puzzle solutions, the router nonce NR1,1 must be random enough to be unpredictable.

We believe that a 64-bit NR1,1 is long enough for this purpose. Also, the nonce interval

should be relatively short, say one minute, to lower the risk that an attacker precomputes

solutions for the same NR1,1 and LR1,1 , but not be too short so as to leave a client enough

time to solve the puzzle. It is possible that a legitimate client submits a solution for a

puzzle interval that just ended. To allow this, there should be a short overlap between

two adjacent puzzle intervals, during which the router accepts correct puzzle solutions for

both intervals. Router R1,1 can dynamically adjust the puzzle difficulty ⌊LR1,1⌋7 whose

reasonable values lie between 1 and 64. The basic rule of thumb is to set ⌊LR1,1⌋7 larger

when there is evidence of heavy attack and smaller otherwise. Finally, the length of a client

nonce like NC1,1 can generally be shorter than that of a router nonce, but should still be long

enough, say 24 bits. This is necessary to prevent an attacker from quickly exhausting all

possible client nonces in the same puzzle interval with the purpose of making a router treat

the puzzle solutions submitted by legitimate clients as replayed ones.

Likewise, the intra-domain AKA protocol given in Section 6.4.2 is modified as follows:

(B.1’) R1,2 → ∗ : PASSR1,2 , domain-certO1 ,OtherInfo,

SKR1,2(ts ‖ δ ‖ a1), x, ax, bx,1, hax(bx,1), y, bx,y,

NR1,2, LR1,2 , hbx,y(all previous fields)

(B.2’) C1,1 → R1,2 : PASSC1,1, t2, NC1,1, XC1,1, hKC1,1,R1,2(t1 ‖ t2 ‖ NC1,1 ‖ XC1,1)

The protocol illustration is omitted here for lack of space.

6.5.4 Bandwidth-Exhaustion Attack

In a bandwidth-exhaustion attack, an attacker continuously sends data packets destined

for a mesh router at a high data rate. Without precaution, innocent intermediate clients

will waste significant resources in forwarding the attacker’s packets. The attacker’s traffic

may also consume a significant portion of available network bandwidth, as well as interfering

with legitimate clients’ traffic to and from the mesh router.


We use an s-hop uplink route, starting from attacker C1,1 through legitimate clients

C2,1, ..., Cs,1 to router R1,1, to illustrate our countermeasures. Assume that all the clients

including C1,1 have finished mutual authentication with R1,1 and owned an authentic tem-

porary credential accordingly. As a result, pairwise shared keys can be established among

all the clients and router R1,1 (cf. Eq. 6.2). For simplicity, we further assume that at-

tacker C1,1 sends out IP packets of format pkt :=< R1,1, data >, where data may contain

the ultimate destination to which R1,1 should forward this packet and other upper-layer

information.

An intuitive solution to the above attack is to require C1,1 to attach to each packet s

keyed MICs, computed with his pairwise keys shared with intermediate clients and R1,1.

More specifically, each packet sent by C1,1 takes a new form,⁵

pkt′ := < pkt, hKC1,1,C2,1(pkt), ..., hKC1,1,Cs,1(pkt), hKC1,1,R1,1(pkt) >.

Upon receipt of such a packet, each intermediate client Ci,1 for i ∈ [2, s] can verify the

MIC hKC1,1,Ci,1(pkt) before forwarding it to the next hop. Finally, router R1,1 verifies

hKC1,1,R1,1(pkt) before processing the packet. This method can withstand the bandwidth-

exhaustion attack by an attacker not authenticated by the serving WMN domain, as his

packets will not carry correct keyed MICs. In addition, if an authenticated attacker like

C1,1 follows the process correctly, router R1,1 can slow down his traffic by economic means.

Particularly, R1,1 regards C1,1 as a normal client with a high bandwidth demand and charges

him a large amount commensurate with his traffic rate. However, the economic means fails

if C1,1 always inserts into each packet incorrect keyed MICs only for the last few hops. In

doing so, his packets will always be dropped by intermediate clients before reaching R1,1,

thus R1,1 has no way of charging C1,1. However, C1,1 can still effectively achieve the vicious

goal of consuming network and legitimate clients’ resources.

⁵ There are ways to shorten the packet, which are ignored for brevity.

A complementary way to mitigate the bandwidth-exhaustion attack is through the

aforementioned client-puzzle approach. It utilizes the fact that each served client of R1,1

can hear the puzzle (NR1,1, LR1,1) and is thus able to validate puzzle solutions. In this

approach, C1,1 needs to provide R1,1 with a puzzle solution (NC1,1 , XC1,1,R1,1) satisfying the

aforementioned constraint. He also has to offer a solution (NC1,1 , XC1,1,Ci,1) for each inter-

mediate client Ci,1, which should satisfy that the ⌊LR1,1⌋7 bits of h(PASSCi,1 ‖ PASSC1,1 ‖ NR1,1 ‖ NC1,1 ‖ XC1,1,Ci,1) are all zeros. Each such solution can be individually validated

by the intended client.

If suspecting the presence of the bandwidth-exhaustion attack, router R1,1 sets the

highest bit of LR1,1 to instruct all clients within coverage to perform validations of puzzle

solutions. If this occurs, each packet source like C1,1 needs to send puzzle solutions along

with data packets at a rate in line with his traffic rate. We use the well-known token-bucket

approach to realize this objective. In particular, each intermediate client Ci,1 maintains

a token bucket for C1,1, essentially an integer counter of sufficient length, say four bytes.

He adds α tokens to the bucket each time C1,1 provides a correct puzzle solution. Each

token corresponds to a traffic unit, say 1 KB, and only when there are enough tokens in

the bucket, will Ci,1 forward C1,1’s packets to the next hop after doing a MIC check. The

rate-control parameter α can be dynamically adjusted to cope with the current network

traffic load. Specifically, it should be set smaller when the traffic load is heavy and larger

otherwise. R1,1 can either centrally decide α conveyed to mesh clients in beacons, or let

each client determine α by himself.

6.6 Incontestable Billing of Mobile Users

Once finishing mutual inter- or intra-domain authentication with a mesh router, a

user can start to access the network through it. In this section, we present a realtime

micropayment approach to realize incontestable billing of mobile users for receiving network

access services.

6.6.1 Billing Basics

We assume that each WMN operator has two network access rates, λ and γ monetary

units (m-units) per traffic unit (t-unit), say 0.05 and 0.01 cents/KB. In particular, a user

needs to pay the network operator and each intermediate user λ and γ m-units, respectively,

for each t-unit received or transmitted through them. Different WMN operators may have

diverse access rates and each operator may also dynamically adjust its access rates. For


example, λ and γ can be set higher during busy hours, while lower during idle hours. An

operator even can enforce various charging rates for mesh routers deployed in different

locations. All we require is that each mesh router should include its current λ, γ values

in periodically broadcasted Beacon messages. These two are usually important inputs to a

user’s decision-making process as to whether to join a WMN domain. Also note that our

UPASS can be easily extended to adopt a time-based rather than traffic-based charging

method, which is omitted for brevity.

In what follows, we take router R1,1 and client C1,1 as an example to illustrate our

session-based billing scheme. A session begins when a new uplink route from C1,1 to R1,1

is established and terminates when the route breaks due to reasons such as user mobility.

We also assume the existence of a secure routing protocol that finds a valid uplink route.

Many existing secure ad hoc routing protocols such as Ariadne [8] or ARAN [42] can serve

this purpose after minor modifications. We further postulate that router R1,1 can reliably

verify that each intermediate user indeed participates in forwarding each packet from C1,1.

This can be fulfilled, for example, by asking each intermediate user to attach to each

forwarded packet a MIC calculated under its pairwise shared key with R1,1 established

during mutual authentication. After verification of the received MICs, R1,1 can ascertain

that the corresponding intermediate users indeed participated in forwarding the packet for

C1,1. Due to space limitations, we will not dwell on this point hereafter.

In concurrent on-demand ad hoc routing protocols such as AODV [5] or its secure

version ARAN [42], a multihop route is finally chosen by the intended destination, which is

router R1,1 in our case. Suppose R1,1 selects an uplink route with n intermediate users and

informs C1,1 about it. Then C1,1 can decide that he needs to pay a total of rateup := λ + nγ

m-units per t-unit transmitted via the multihop uplink and λ m-units per t-unit received

via the single-hop downlink. The uplink charging rate rateup varies across sessions with

different uplink route lengths. Whenever a new session begins due to a newly discovered

uplink route, R1,1 should inform C1,1 about this. Here, we assume that the WMN operator

does not collude with intermediate users to cheat C1,1 in the sense that R1,1 always selects

the cheapest route for C1,1 allowed by the underlying routing metric. For instance, if the

hop count is the routing metric, R1,1 will always pick the shortest (i.e., cheapest) route for


[Figure 6–3 (image not reproduced): proof chain a1, a2, ..., am with ai = h(ai+1); for each i, a payment chain wi,1, wi,2, ..., wi,t with wi,j = h(wi,j+1), whose root wi,1 is authenticated by ai; payment tokens are spent in the order wi,1, ..., wi,t.]

Figure 6–3: An exemplary payment structure (m > 3, t > 2).

C1,1. This assumption is reasonable because the operator is always paid with a constant

rate of λ m-units/t-unit for both uplink and downlink traffic, independent of the route

length.

There is a possible attack launched by collusive users. In particular, collusive users

within the same mesh first exchange certain cryptographic materials such as permanent

or temporary passes, pass-based keys and the pairwise keys shared with router R1,1. The

purpose is to make each of them able to emulate all the other conspirators, i.e., to act as

several consecutive users but only incurring the communication cost of a single user. If

successfully performed, this emulation attack may cause C1,1 to pay more than what he

ought to pay. We note that this attack may be possible only when an emulator resides

on the uplink route discovered via the underlying secure routing protocol. For example,

if the emulator acts as too many conspirators, leading to a long uplink route length, the

trustworthy R1,1 will select other routes with shorter lengths. This is very likely to happen

because of the usual availability of multiple candidate routes from C1,1 to R1,1. Therefore,

the damage of the emulation attack might be rather limited. To deal with the case that

the emulator is on the uplink route, the best known countermeasure is through statistical

approaches proposed by Jakobsson et al. [123] and Salem et al. [142]. For lack of space,

we refer interested readers to [123] and [142] for details.


6.6.2 Payment Structures

We now define an important data structure called a payment structure used in our

billing process. Let DC1,1→R1,1 :=< R1,1, expiry-date, L, a1, t, m >. A payment structure is

defined as follows:

< SKC1,1(DC1,1→R1,1), 〈am〉, 〈w1,t〉, 〈w2,t〉, ..., 〈wm,t〉 > .

Expiry-date specifies the expiry date of this payment structure before which it is redeemable

at C1,1’s enrolled broker. Fig. 6–3 depicts an exemplary payment structure for m > 3 and

t > 2.

We write 〈am〉 for m hash values {ai | 1 ≤ i ≤ m} generated as follows: C1,1 first picks a

random number am and then recursively computes ai = h(ai+1) for i = m− 1,m− 2, ..., 1.

Due to the one-way feature of the hash function h, if am is chosen randomly, given ai−1 it is

computationally infeasible to find ai, while given ai it is computationally efficient to derive

ai−1. Each 〈wi,t〉 (1 ≤ i ≤ m) denotes t hash values {wi,j | 1 ≤ j ≤ t} generated by C1,1 in

the similar way, where each wi,t is chosen at random. The chain-length parameters m, t are

selected at C1,1’s convenience, the choice of which will be discussed shortly. We also refer

to am and wi,t as the roots of 〈am〉 and 〈wi,t〉, respectively.

SKC1,1(DC1,1→R1,1) is C1,1’s signed commitment to his payment structure for R1,1, and

should be sent to R1,1 before starting any session. For example, C1,1 can send it as part

of its authentication message to R1,1. Upon receipt of it, R1,1 first verifies the signature

using PASSC1,1 as C1,1’s public key and, if successful, saves it for subsequent verification of

payments from C1,1. We require R1,1 to acknowledge the receipt of SKC1,1(DC1,1→R1,1).

Each 〈wi,t〉 is called a payment chain, of which each wi,j is termed a payment token and

worth L m-units. The payment tokens are spent in order, but not necessarily consecutively.

In other words, once C1,1 spends wi,j , he cannot spend wi,k for k < j. The m payment

chains do not need to be generated simultaneously at the beginning. Instead, C1,1 can defer

the generation of 〈wi+1,t〉 until payment tokens of 〈wi,t〉 are used up. By comparison, 〈am〉 is referred to as a proof chain and used to provide efficient authentication of payment-chain

roots. Elements of 〈am〉 are called proof tokens, and are not only used in order but also


consecutively: a1 first, then a2, and so forth. Note that, once used, a payment or proof

token can be dumped by C1,1 to save storage space.

We take a concrete example to explain how a proof token ai is used to authenticate

root wi,1 of 〈wi,t〉. Recall that user C1,1 has sent the authenticated a1 to router R1,1. To

spend payment tokens of 〈w1,t〉, C1,1 first sends (w1,1, ha1(w1,1)) to R1,1. We view a1 as a

one-time password of C1,1 and thus ha1(w1,1) as a MIC. Upon receipt of the message, R1,1

recalculates the MIC and checks the result against what C1,1 sent. If the two are equal,

R1,1 knows that w1,1 indeed came from C1,1 and then saves it for subsequent verification of

payment tokens of 〈w1,t〉. Suppose C1,1 has used up payment tokens of 〈wi,t〉 and wants to

use 〈wi+1,t〉 for i > 1. To do so, he sends to router R1,1 a triplet (ai+1, wi+1,1, hai+1(wi+1,1))

as a commitment to 〈wi+1,t〉. Upon receiving it, R1,1 first checks whether ai = h(ai+1). If

so, R1,1 determines that ai+1 was sent by C1,1 because nobody else is able to forge ai+1 that

can pass the check, due to the one-way feature of 〈am〉. Subsequently, R1,1 recomputes the

MIC hai+1(wi+1,1). If the result matches with what C1,1 sent, R1,1 knows that wi+1,1 is a

valid root which can be used to verify subsequent payment tokens from 〈wi+1,t〉. It is worth

pointing out that R1,1 just needs to memorize the highest-indexed proof token from 〈am〉. In

addition, R1,1 is required to acknowledge the receipt of (ai+1, wi+1,1, hai+1(wi+1,1)).

Here may come a question: why should we use m payment chains of size t instead

of a single one of size tm? The reason is that doing so imposes a much smaller storage

requirement on C1,1. In particular, the single-chain approach requires C1,1 to store about

tm/2 payment tokens on average during the payment process. Suppose SHA-1 [16] is used

as h and each of payment and proof tokens is a SHA-1’s 20-byte output. Also assume that

L, m and t are equal to 1, 50 and 100, respectively. This means that a single payment

chain provides a total worth of 5000 m-units, while requiring an average space of about

50 KB. In contrast, using our payment structure allows C1,1 to store just m/2 proof and

t/2 payment tokens on average, representing an average storage overhead of only about 1.5

KB. In addition, employing shorter payment chains can minimize the waste coming from

unspent hash tokens. Such storage savings come at the cost of some service delay caused

by generating a new payment chain in realtime. However, since the hash operation is very

fast and a hash chain with 1000 tokens can be derived in less than one second [143] even in


low-end devices, such a delay is believed to be affordable. Also notice that a new payment-

chain commitment (triplet) can be transmitted along with regular data packets so that the

extra communication overhead can be minimized.

A payment structure is both user-specific and router-specific and thus is of no value to

another user or router. It is also session-independent in that C1,1 can use it across different

sessions with R1,1. A payment structure supports the generation of up to m payment

chains of size t. Once all m payment chains are used up, a new payment structure needs

to be generated if needed. Since generating a new payment structure involves a signature

generation on C1,1 and a signature verification on R1,1, respectively, we suggest using a

slightly larger m to reduce moderately expensive signature operations.

6.6.3 Making Payments

In what follows, we first discuss how user C1,1 pays router R1,1 and then intermediate

users along the uplink route.

Paying routers. To make payments to R1,1, C1,1 maintains a debt counter DCC1,1

recording the amount in m-units he owes to R1,1. DCC1,1 is increased by λ for each downlink

t-unit and by rateup for each uplink t-unit. Accordingly, R1,1 maintains for C1,1 a profit

counter PCC1,1 which is increased by λ and rateup for each t-unit sent to and received from

C1,1, respectively.

We require that R1,1 specify in its periodically broadcasted Beacon messages a param-

eter θR1,1 , indicating the maximum amount in m-units that each user is allowed to owe it.

Whenever DCC1,1 > θR1,1 , C1,1 should make a payment to clear its debt at R1,1 in due

time to avoid service cutoff by R1,1. Without loss of generality, suppose C1,1 is spending

payment tokens of 〈wi,t〉. For ease of presentation, we temporarily assume that 〈wi,t〉 still

has enough unspent payment tokens. If the lowest-indexed unspent token is wi,u, C1,1 sends

to R1,1 a payment of format (wi,j, j), where u ≤ j ≤ t is the minimum integer such that

(j − u + 1)L > θR1,1 . He then decreases DCC1,1 by (j − u + 1)L and thus DCC1,1 may be

a negative value sometimes. Since the worth L of each payment token is usually of a small

amount, say several cents, we refer to each payment like (wi,j , j) as a micropayment.

For each payment chain 〈wi,t〉, router R1,1 merely needs to store the payment token

with the highest index, say (wi,k, k) (1 ≤ k ≤ t). This means that R1,1 has been paid kL


m-units by C1,1 using 〈wi,t〉 and ((i−1)t+k)L m-units in all. Upon receipt of (wi,j , j), R1,1

first verifies that j > k and then wi,k = hj−k(wi,j), where hj−k means applying the hash

function h iteratively to wi,j for (j− k) times. If both checks succeed, R1,1 knows that C1,1

indeed made a payment because nobody else can generate a valid payment token passing

the checks, due to the one-way feature of 〈wi,t〉. Subsequently, R1,1 replaces (wi,k, k) with

(wi,j , j) and decreases PCC1,1 by (j − k)L.

Assume that R1,1 sets a threshold θ∗R1,1 and stops serving C1,1 if it does not receive a

payment in the first data packet from C1,1 once PCC1,1 > θ∗R1,1. This may happen either

because C1,1 does not make a payment at all, or because a payment gets lost on its way

to R1,1, for example, due to a route break. Fortunately, the hash-chain technique can

well tolerate payment losses. For instance, suppose R1,1 does not receive (wi,j , j) but a

later payment (wi,l, l) for l > j. If l > k and wi,k = hl−k(wi,l), R1,1 can change (wi,k, k)

to (wi,l, l) and decrease PCC1,1 by (l − k)L. Obviously, this is equivalent to R1,1 having

correctly received both (wi,j , j) and (wi,l, l). To leverage this loss-tolerance feature, however,

θ∗R1,1should be set larger than θR1,1 . The difference between θ∗R1,1

and θR1,1 determines the

tradeoff between payment-loss tolerance and the financial risk of the operator. The larger

the difference, the more payment losses R1,1 can tolerate, the higher financial risk the

operator runs because R1,1 may not make a payment at all, and vice versa.

If the remaining tokens of ⟨w_{i,t}⟩ are not enough to cover DC_{C_{1,1}}, C_{1,1} should generate a new payment chain ⟨w_{i+1,t}⟩. It then sends the new chain commitment (a_{i+1}, w_{i+1,1}, h_{a_{i+1}}(w_{i+1,1})) to R_{1,1} which, in turn, verifies the commitment as described in Section 6.6.2. Subsequently, C_{1,1} can delete the unspent payment tokens of ⟨w_{i,t}⟩, if any, and start to pay R_{1,1} with payment tokens of ⟨w_{i+1,t}⟩. At last, R_{1,1} is required to store a payment record for C_{1,1} of the form

⟨SK_{C_{1,1}}(D_{C_{1,1}→R_{1,1}}), a_k, (w_{i,1}, h_{a_i}(w_{i,1}), w_{i,k_i}, k_i) | 1 ≤ i ≤ k⟩.

Here, a_k (1 ≤ k ≤ m) refers to the highest-indexed proof token and w_{i,k_i} (1 ≤ k_i ≤ t) is the highest-indexed payment token from ⟨w_{i,t}⟩. In rare cases, if C_{1,1} has generated and used multiple payment structures, R_{1,1} should maintain such a record for each of them.

Paying intermediate users. We now discuss how to pay intermediate users using the hash-chain technique. A naive way is for C_{1,1} to generate a payment structure for each intermediate user and release payment tokens at pre-defined intervals, as he does for R_{1,1}. Such an approach has three significant drawbacks. First of all, it is computationally inefficient. C_{1,1} has to generate multiple payment structures and thus perform multiple signature generations. Once the uplink route breaks, he has to redo these operations for the newly-joined intermediate users on the new route. Each intermediate user has to first verify a signature and then each subsequent proof or payment token. Since a user may act as a packet forwarder for multiple users simultaneously, he has to do these operations for each of them. Secondly, it is communicationally inefficient in that C_{1,1} must release multiple hash tokens at one time according to pre-defined intervals. Lastly, it is space inefficient because C_{1,1} has to maintain multiple payment structures at the same time, and each user needs to maintain at least one payment record for every other user that uses him as a packet relay.

To minimize the burden on mobile users, we propose to let R_{1,1} pay intermediate users on behalf of C_{1,1}. This is why a payment from C_{1,1} to R_{1,1} covers all that R_{1,1} and all the intermediate users should get. Consider an intermediate user C_{2,1} as an example. After authenticating C_{2,1}, R_{1,1} generates a payment structure for C_{2,1} and sends him the signed commitment to the payment structure. Once R_{1,1}'s signature has been verified, C_{2,1} saves the commitment for later verification of the payment and proof tokens sent by R_{1,1}. The payment structure is also both user-specific and router-specific, and is used by R_{1,1} to pay C_{2,1} for all the traffic he forwards for all the other users in R_{1,1}'s coverage area. The detailed payment process is similar to that of C_{1,1} and omitted here due to space constraints.

6.6.4 Redemption of Payment Records

All payment records should be redeemed at the users' enrolled brokers before their expiry dates. At the end of each day (or other suitable period), R_{1,1} reports all the stored payment records to its domain operator which, in turn, assembles the records related to the same broker and sends them in bulk.

For each submitted payment record ⟨SK_{C_{1,1}}(D_{C_{1,1}→R_{1,1}}), a_k, (w_{i,1}, h_{a_i}(w_{i,1}), w_{i,k_i}, k_i) | 1 ≤ i ≤ k⟩, a broker does the following in sequence:

(1) Examine SK_{C_{1,1}}(D_{C_{1,1}→R_{1,1}}), including verifying the user's signature, checking the expiry date, and so on.

(2) Check that a_1 = h^{k−1}(a_k) and save the intermediary values a_{k−1}, ..., a_2. Then, for each i ∈ [1, k]:

(3) Calculate the MIC h_{a_i}(w_{i,1}). If the result matches the corresponding value in the submitted record,

(4) Check that w_{i,1} = h^{k_i−1}(w_{i,k_i}) and, if successful, credit the operator's account with k_i L m-units.
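The router-side token check with its loss tolerance and chain rollover from the previous subsection, together with the broker's redemption steps (2) to (4) above, as an added Python example that is not part of the dissertation or of UPASS. It assumes that h is SHA-256, that the MIC h_{a_i}(x) is HMAC-SHA256 keyed with a_i, that the signed structure D_{C_{1,1}→R_{1,1}} carries a_1 and t, and that the signature check of step (1) happens elsewhere; L, the chain lengths and the served traffic are constructed values.

```python
# Hash-chain micropayments of UPASS Section 6.6 (constructed example, not the dissertation's code).
# Assumed: h = SHA-256; MIC h_a(x) = HMAC-SHA256 keyed with a; D carries a_1 and t; step (1) elsewhere.
import hashlib
import hmac
import os

L = 1  # worth of one payment token in m-units (constructed value)

def h(x):  # the one-way hash function
    return hashlib.sha256(x).digest()

def h_iter(x, n):  # h^n(x): h applied n times
    for _ in range(n):
        x = h(x)
    return x

def mic(key, msg):  # keyed MIC h_a(x); HMAC is an assumption
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_chain(length):  # [x_1, ..., x_length] with x_k = h(x_{k+1}): x_1 is the anchor, x_length the seed
    chain = [os.urandom(32)]
    for _ in range(length - 1):
        chain.append(h(chain[-1]))
    return chain[::-1]

class Client:  # C_{1,1}: proof chain a_1..a_m plus m payment chains <w_{i,t}> for one router
    def __init__(self, m, t):
        self.t, self.a = t, make_chain(m)
        self.w = [make_chain(t) for _ in range(m)]
        self.spent = [0] * m  # highest token index released from each chain
    def commitment(self, i):
        """(a_i, w_{i,1}, h_{a_i}(w_{i,1})); the disclosed anchor counts as token 1."""
        a_i, w_i1 = self.a[i - 1], self.w[i - 1][0]
        self.spent[i - 1] = 1
        return (i, a_i, w_i1, mic(a_i, w_i1))
    def pay(self, i, amount):
        """Release (w_{i,j}, j), j being the smallest index with (j - u + 1)L >= amount."""
        u = self.spent[i - 1] + 1  # lowest-indexed unspent token
        j = u + -(-amount // L) - 1
        if j > self.t:
            raise ValueError("chain exhausted: commit a new chain first")
        self.spent[i - 1] = j
        return (i, self.w[i - 1][j - 1], j)

class Router:  # R_{1,1}: stores only the highest-indexed token (w_{i,k}, k) per chain
    def __init__(self, a_1, t, served=0):
        self.a_1, self.t, self.k, self.a_k = a_1, t, 0, None
        self.chains = {}  # i -> [w_{i,1}, h_{a_i}(w_{i,1}), w_{i,k_i}, k_i]
        self.pc = served  # PC_{C1,1}: m-units served but not yet paid
    def accept_commitment(self, c):
        i, a_i, w_i1, m = c  # a_i must extend the proof chain: a_1 = h^{i-1}(a_i)
        if i != self.k + 1 or h_iter(a_i, i - 1) != self.a_1:
            return False
        if not hmac.compare_digest(mic(a_i, w_i1), m):
            return False
        self.k, self.a_k, self.chains[i] = i, a_i, [w_i1, m, w_i1, 1]
        self.pc -= L
        return True
    def receive_payment(self, p):
        """Accept (w_{i,j}, j) iff j > k and w_{i,k} = h^{j-k}(w_{i,j}); lost tokens in between are covered."""
        i, w_ij, j = p
        w_i1, m, w_ik, k = self.chains.get(i, (None, None, None, self.t))  # unknown chain: k = t rejects below
        if not k < j <= self.t or h_iter(w_ij, j - k) != w_ik:
            return False  # replayed, stale or forged token
        self.chains[i] = [w_i1, m, w_ij, j]
        self.pc -= (j - k) * L
        return True

def redeem(k, a_k, chains, a_1, t):
    """Broker steps (2)-(4) on R_{1,1}'s record: m-units to credit the operator, 0 if a check fails."""
    a = {k: a_k}
    for i in range(k - 1, 0, -1):  # step (2): recover a_{k-1}, ..., a_1 from a_k
        a[i] = h(a[i + 1])
    if k < 1 or a[1] != a_1:
        return 0
    credit = 0
    for i in range(1, k + 1):
        w_i1, m, w_iki, k_i = chains[i]
        if not hmac.compare_digest(mic(a[i], w_i1), m):           # step (3)
            return 0
        if not 1 <= k_i <= t or h_iter(w_iki, k_i - 1) != w_i1:   # step (4)
            return 0
        credit += k_i * L
    return credit

def run_session():
    """Constructed session: 12 m-units served, one payment lost, one chain rollover."""
    c = Client(2, 8)
    r = Router(c.a[0], 8, served=12)
    ok = [r.accept_commitment(c.commitment(1))]
    ok.append(r.receive_payment(c.pay(1, 3)))        # (w_{1,4}, 4)
    lost = c.pay(1, 2)                               # (w_{1,6}, 6) is lost on the route
    ok.append(r.receive_payment(c.pay(1, 2)))        # (w_{1,8}, 8) also covers the lost one
    replay = r.receive_payment(lost)                 # stale index: rejected
    ok.append(r.accept_commitment(c.commitment(2)))  # chain 1 exhausted, roll over
    forged = r.receive_payment((2, os.urandom(32), 5))
    ok.append(r.receive_payment(c.pay(2, 1)))        # (w_{2,2}, 2)
    credit = redeem(r.k, r.a_k, r.chains, c.a[0], 8)
    return {"all_ok": all(ok), "pc": r.pc, "credit": credit, "replay": replay, "forged": forged}
```

The session leaves PC_{C_{1,1}} at 2 m-units (12 served, 10 paid), and the broker credits exactly the 10 m-units the record proves, with the lost token (w_{1,6}, 6) covered by the later (w_{1,8}, 8).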

If the operator has no account at the broker corresponding to a payment record, it can redeem the payment record at its own enrolled broker, which will interact with the corresponding broker on its behalf. Some money transfer between the two brokers then takes place, analogous to what happens in daily life when one deposits checks issued by banks other than one's own enrolled bank. Likewise, mobile users can redeem at the brokers the payment records they store for operators.

6.6.5 Security Analysis

Our micropayment approach ensures incontestable billing. A user must digitally sign a payment structure before using it to pay a WMN operator, so he cannot later deny the payments he makes. In addition, the user cannot obtain more services than he will actually be billed for, as he is required to release payment tokens in real time at pre-defined intervals to avoid service cutoff by the operator. An operator, for its part, cannot overcharge a user who releases valid payment tokens commensurate with the amount of received services. Since a payment structure is both user-specific and router-specific, the scheme also prevents both double-spending and double-redemption of a payment structure. In particular, the user cannot use the same payment structure to pay different routers, and the operator can redeem the same payment structure of a user only once, via that user's registered broker.

Note that our billing scheme cannot completely prevent cheating by a user or an operator, which might happen only at the end of each service duration. For example, in one case, user C_{1,1} does not pay for the last few t-units received or transmitted via router R_{1,1}, e.g., by leveraging the difference between θ_{R_{1,1}} and θ*_{R_{1,1}}. In the other case, R_{1,1} does not serve C_{1,1} for the last payment he made, if C_{1,1} is asked to prepay payment tokens. In both cases, the financial loss (or gain) of the user or the broker is less significant, say several m-units. Considering the similar situation in cellular networks, where an operator usually enforces a basic charging unit, e.g., 6 seconds, we believe that such rare cheating situations should be tolerable.

Regarding the payment process from an operator (through a router like R_{1,1}) to a user, say C_{2,1}, we argue that the operator has the right incentive to behave honestly. The reason is that, if it does not receive payments from R_{1,1} in due time, C_{2,1} will stop forwarding packets for other users within R_{1,1}'s coverage. If this happens frequently, the affected users who experience frequent service disruptions will heap all the blame on the operator. Both those users and C_{2,1} will choose to shun that operator in the future. Since the operator's reputation is worth much more than what it can earn from cheating, it would rather not do so. The rest of the security analysis is similar to that of the payment process from a user to an operator, which is omitted here for lack of space.

6.7 Discussion

In this section, we discuss other issues relevant to UPASS.

6.7.1 Mobility Management

Effective mobility management is important to support seamless user mobility. Traditionally, it is realized by cooperation between a mobile user's foreign domain and his home domain [144]. With UPASS in place, we conjecture that some trustable service providers can provide the mobility-management service by maintaining and answering queries about the current locations of mesh clients. Brokers may be good candidates in this regard. In designing sound mobility management for WMNs, one may also need to take the location-privacy requirement into consideration. It is an important open task to devise a valid scheme satisfying the proposed criteria and other unique requirements of WMNs.

6.7.2 Public-Key vs. Symmetric-Key Cryptography

In UPASS, mesh clients need to execute a few public-key operations when performing AKA with mesh routers and other clients. A few years ago, this computational requirement was significant for mobile users. With the rapid progress in public-key cryptography, however, public-key encryption and signature schemes that are both more secure and significantly faster are now available. Moreover, the computational costs of public-key operations have continued to decrease due to the rapid development of hardware implementations. For example, we are aware of efficient hardware implementations of the Tate pairing on smartcards [99], PDAs [110] and FPGAs [111]. In addition, public-key operations are executed relatively rarely. Once a shared key is established, a client and a router, or two clients, can secure subsequent traffic between them via efficient symmetric-key techniques. In summary, it has become widely accepted to use public-key techniques in securing wireless networks for their great advantages. This trend is also reflected in the recent IEEE 802.16-2004 standard, which uses public-key cryptography (though not IBC) to realize key management.

6.7.3 Incremental Deployment

One of the main barriers to the wide deployment and use of WMNs is the lack of a sound business model. Our UPASS affirmatively answers this problem and is highly advantageous for WMN operators, mesh clients and brokers. As with the development of the credit card system, we expect UPASS to be deployed incrementally along with WMNs. Initially, there might be only one broker, which might be an enterprising regular bank or an emerging electronic money transmitter like PayPal, a few WMN operators and a limited number of mesh clients. As time goes on, the demonstrated benefits of UPASS would attract more and more operators to build WMNs and users to use WMN services, and an increasing number of brokers (though still limited in number) to act as trust intermediaries.

6.8 Summary

For the first time in the literature, this chapter identifies and satisfies a number of unique security requirements of the emerging multi-hop WMNs. We present a secure authentication and billing architecture, called UPASS, for multi-hop WMNs. In contrast to a conventional cellular-like solution, UPASS is more practical and lightweight because it does not require a WMN operator to establish pairwise bilateral SLAs and interact in real time with potentially numerous other WMN operators. UPASS is also a homeless solution in which each user, instead of being bound to any specific WMN operator, can get ubiquitous network access with a universal pass issued by a third-party broker. UPASS provides efficient mutual authentication and key agreement not only between a user and a serving WMN domain but also between users served by the same WMN domain. In addition, it is designed to be resistant to various attacks against WMN access.

CHAPTER 7
CONCLUSION AND FUTURE WORK

In this dissertation, we provide efficient and effective solutions to a number of challenges in securing heterogeneous wireless ad hoc networks. In particular, we design an anonymous on-demand routing protocol to deal with malicious eavesdropping and other resulting attacks against mobile ad hoc networks deployed in hostile environments. In addition, we propose a secure, scalable ID-based key management scheme for mobile ad hoc networks to enable flexible public-key services without using conventional certificates. Moreover, we design a secure localization scheme and a suite of location-based compromise-tolerant security mechanisms for wireless sensor networks. Finally, we present the first known secure authentication and billing architecture for the emerging wireless mesh networks.

In our future work, we first plan to further evaluate the performance of our solutions on real network testbeds or platforms. In addition, we will seek efficient solutions to new security problems that are being exposed with the increasing deployment of wireless ad hoc networks. We also intend to develop efficient security solutions for integrated wired/wireless networks.

REFERENCES

[1] I. Akyildiz, X. Wang, and W. Wang, “Wireless mesh networks: A survey,” Computer Networks, vol. 47, no. 4, pp. 445–487, Mar. 2005.

[2] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Commun. Mag., vol. 40, no. 8, pp. 102–116, Aug. 2002.

[3] S. Marti, T. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc networks,” in ACM MobiCom, Boston, MA, Aug. 2000, pp. 255–265.

[4] Y. Zhang, W. Lou, and Y. Fang, “SIP: A secure incentive protocol against selfishness in mobile ad hoc networks,” in IEEE WCNC, Atlanta, GA, Mar. 2004, pp. 1679–1684.

[5] C. Perkins, E. Belding-Royer, and S. Das, “Ad hoc on-demand distance vector (AODV) routing,” RFC 3561, July 2003.

[6] D. Johnson and D. Maltz, “Dynamic source routing in ad hoc wireless networks,” in Ad Hoc Wireless Networks, edited by T. Imielinski and H. Korth, Kluwer Academic Publishers, New York, NY, 1996.

[7] Defense Advanced Research Projects Agency (DARPA), “Research challenges in high confidence networking,” White paper, Arlington, VA, July 1998.

[8] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Ariadne: A secure on-demand routing protocol for ad hoc networks,” in ACM MobiCom, Atlanta, GA, Sep. 2002, pp. 12–23.

[9] K. Sanzgiri, B. Dahill, B. Levine, C. Shields, and E. Royer, “A secure routing protocol for ad hoc networks,” in IEEE ICNP’02, Paris, France, Nov. 2002, pp. 78–89.

[10] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography. Boca Raton, FL: CRC Press, Oct. 1996.

[11] A. Shamir, “Identity based cryptosystems and signature schemes,” in CRYPTO’84, Santa Barbara, CA, Aug. 1984, pp. 47–53.

[12] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in CRYPTO’01, Santa Barbara, CA, Aug. 2001, pp. 213–229.

[13] ——, “Identity-based encryption from the Weil pairing,” SIAM J. of Computing, vol. 32, no. 3, pp. 586–615, Mar. 2003.

[14] P. Barreto, H. Kim, B. Lynn, and M. Scott, “Efficient algorithms for pairing-based cryptosystems,” in CRYPTO’02, Santa Barbara, CA, Aug. 2002, pp. 354–368.

[15] A. Shamir, “How to share a secret,” Comm. ACM, vol. 22, no. 11, pp. 612–613, 1979.

[16] National Institute of Standards and Technology (NIST), “Digital hash standard,” Federal Information Processing Standards Publication 180-1, Rockville, MD, April 1995.

[17] D. Balfanz, G. Durfee, N. Shankar, D. Smetters, J. Staddon, and H.-C. Wong, “Secret handshakes from pairing-based key agreements,” in IEEE Symp. on Security and Privacy, Oakland, CA, May 2003, pp. 180–196.

[18] R. Rivest, M. Robshaw, R. Sidney, and L. Yin, “The RC6 block cipher (v1.1),” available at ftp://ftp.rsasecurity.com/pub/rsalabs/rc6/rc6v11.pdf, Aug. 2006.

[19] S. Jiang, N. Vaidya, and W. Zhao, “Energy consumption of traffic padding schemes in wireless ad hoc networks,” in Real-Time System Security, edited by B. Tjaden and L. R. Welch, Nova Science Publishers, Commack, NY, 2003.

[20] Y. Zhang, W. Liu, W. Lou, Y. Fang, and Y. Kwon, “AC-PKI: Anonymous and certificateless public-key infrastructure for mobile ad hoc networks,” in IEEE ICC’05, Seoul, Korea, May 2005, pp. 3515–3519.

[21] X. Zeng, R. Bagrodia, and M. Gerla, “GloMoSim: A library for parallel simulation of large scale wireless networks,” in the 12th Workshop on Parallel and Distributed Simulations (PADS’98), Banff, Alberta, Canada, May 1998, pp. 154–161.

[22] Shamus Software Ltd., “MIRACL library,” Dublin, Ireland.

[23] P. Barreto, B. Lynn, and M. Scott, “On the selection of pairing-friendly groups,” in Selected Areas in Cryptography (SAC’03), Ottawa, Canada, Aug. 2004, pp. 17–25.

[24] J. Yoon, M. Liu, and B. Noble, “Sound mobility models,” in ACM MOBICOM’03, San Diego, CA, Sep. 2003, pp. 205–216.

[25] D. Chaum, “Untraceable electronic mail, return addresses, and digital pseudonyms,” Comm. ACM, vol. 24, no. 2, pp. 84–90, Feb. 1981.

[26] M. Reed, P. Syverson, and D. Goldschlag, “Anonymous connections and onion routing,” IEEE J. Select. Areas Commun., vol. 16, no. 4, pp. 482–494, May 1998.

[27] Anonymity bibliography, available at http://freehaven.net/anonbib/, Aug. 2006.

[28] S. Jiang, N. Vaidya, and W. Zhao, “Dynamic mix method in wireless ad hoc networks,” in IEEE MILCOM’01, Washington, D.C., Oct. 2001, pp. 873–877.

[29] J. Kong and X. Hong, “ANODR: Anonymous on demand routing with untraceable routes for mobile ad-hoc networks,” in ACM MobiHoc’03, Annapolis, MD, June 2003, pp. 291–302.

[30] B. Neuman and T. Ts’o, “Kerberos: An authentication service for computer networks,” IEEE Commun. Mag., vol. 32, no. 9, pp. 33–38, Sep. 1994.

[31] L. Zhou and Z. J. Haas, “Securing ad hoc networks,” IEEE Network, vol. 13, no. 6, pp. 24–30, 1999.

[32] J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang, “Providing robust and ubiquitous security support for mobile ad hoc networks,” in IEEE ICNP, Riverside, CA, Nov. 2001, pp. 251–260.

[33] M. Narasimha, G. Tsudik, and J. H. Yi, “On the utility of distributed cryptography in p2p and manets: the case of membership control,” in IEEE ICNP, Atlanta, GA, Nov. 2003, pp. 336–345.

[34] S. Yi and R. Kravets, “MOCA: Mobile certificate authority for wireless ad hoc networks,” in 2nd Annual PKI Research Workshop (PKI03), Apr. 2003, pp. 65–79.

[35] M. Bechler, H.-J. Hof, D. Kraft, F. Pahlke, and L. Wolf, “A cluster-based security architecture for ad hoc networks,” in IEEE INFOCOM, Hong Kong, China, Mar. 2004, pp. 2404–2413.

[36] H. Luo, J. Kong, P. Zerfos, S. Lu, and L. Zhang, “URSA: ubiquitous and robust access control for mobile ad hoc networks,” IEEE/ACM Trans. Networking, vol. 12, no. 6, pp. 1049–1063, Dec. 2004.

[37] A. Khalili, J. Katz, and W. Arbaugh, “Toward secure key distribution in truly ad-hoc networks,” in IEEE Workshop on Security and Assurance in Ad Hoc Networks, Orlando, FL, Jan. 2003, pp. 342–346.

[38] H. Deng, A. Mukherjee, and D. Agrawal, “Threshold and identity-based key management and authentication for wireless ad hoc networks,” in International Conference on Information Technology: Coding and Computing (ITCC’04), Las Vegas, Nevada, April 2004, pp. 107–111.

[39] N. Saxena, G. Tsudik, and J. H. Yi, “Identity-based access control for ad hoc groups,” in Int. Conf. Inform. Security Cryptology (ICISC’04), Seoul, Korea, Dec. 2004, pp. 107–111.

[40] Y. Desmedt and Y. Frankel, “Threshold cryptosystems,” in CRYPTO’89, Santa Barbara, California, Aug. 1989, pp. 307–315.

[41] Y. Zhang, W. Liu, and W. Lou, “Anonymous communications in mobile ad hoc networks,” in IEEE INFOCOM’05, Miami, FL, Mar. 2005, pp. 1940–1951.

[42] K. Sanzgiri, D. LaFlamme, B. Dahill, B. Levine, C. Shields, and E. Belding-Royer, “Authenticated routing for ad hoc networks,” IEEE J. Select. Areas Commun., vol. 23, no. 3, pp. 598–610, Mar. 2005.

[43] W. Lou and Y. Fang, “A survey of wireless security in mobile ad hoc networks: Challenges and available solutions,” Ad Hoc Wireless Networking, edited by X. Chen, X. Huang, and D.-Z. Du, Kluwer Academic Publishers, New York, NY, Mar. 2003.

[44] S. Capkun, L. Buttyan, and J.-P. Hubaux, “Self-organized public key management for mobile ad hoc networks,” IEEE Transactions on Mobile Computing, vol. 2, no. 1, pp. 52–64, Jan.-March 2003.

[45] J. R. Douceur, “The sybil attack,” in Proc. of First International Workshop on Peer-to-Peer Systems (IPTPS ’02), Cambridge, MA, March 2002, pp. 251–260.

[46] S. Jarecki, N. Saxena, and J. H. Yi, “An attack on the proactive RSA signature scheme in the URSA ad hoc network access control protocol,” in 2nd ACM workshop on Security of ad hoc and sensor networks (SASN’04), Washington, DC, Oct. 2004, pp. 1–9.

[47] R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public key cryptosystems,” Comm. ACM, vol. 21, no. 2, pp. 120–126, Feb. 1978.

[48] National Institute of Standards and Technology (NIST), “Digital signature standard,” Federal Information Processing Standards Publication 186-2, Rockville, MD, Feb. 2000.

[49] M. Gouda and E. Jung, “Certificate dispersal in ad-hoc networks,” in Proc. ICDCS’04, Tokyo, Japan, Mar. 2004, pp. 616–623.

[50] M. Bohio and A. Miri, “Efficient identity-based security schemes for ad hoc network routing protocols,” Elsevier Ad Hoc Networks Journal, vol. 2, no. 3, pp. 309–317, July 2004.

[51] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “MASK: anonymous on-demand routing in mobile ad hoc networks,” IEEE Trans. Wireless Commun., to appear.

[52] K. Barr and K. Asanovic, “Energy aware lossless data compression,” in 1st Int. Conf. Mobile Systems, Applications, and Services (MobiSys’03), San Francisco, CA, May 2003, pp. 231–244.

[53] R. Canetti, R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Adaptive security for threshold cryptosystems,” in CRYPTO’99, Santa Barbara, CA, Aug. 1999, pp. 98–115.

[54] Y. Zhang and W. Lee, “Intrusion detection in wireless ad-hoc networks,” in ACM MOBICOM’00, Boston, MA, Aug. 2000, pp. 275–283.

[55] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung, “Proactive secret sharing or: How to cope with perpetual leakage,” in CRYPTO’95, Santa Barbara, CA, Aug. 1995, pp. 339–352.

[56] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Securing mobile ad hoc networks with certificateless public keys,” Department of Electrical and Computer Engineering, University of Florida, Gainesville, Florida, Tech. Rep., April 2006.

[57] A. Boldyreva, “Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme,” in 6th Int. Workshop on Theory and Practice in Public Key Cryptography (PKC’03), Miami, FL, Jan. 2003, pp. 31–46.

[58] B. Bloom, “Space/time trade-offs in hash coding with allowable errors,” Comm. ACM, vol. 13, no. 7, pp. 422–426, July 1970.

[59] D. Liu, P. Ning, and K. Sun, “Efficient self-healing group key distribution with revocation capability,” in ACM CCS’03, Washington, DC, Oct. 2003, pp. 241–240.

[60] T. Wong, C. Wang, and J. Wing, “Verifiable secret redistribution for archive systems,” in 1st Int. IEEE Security in Storage Workshop, Greenbelt, MD, Dec. 2002, pp. 94–105.

[61] T. Kerins, W. Marnane, E. Popovici, and P. Barreto, “Hardware accelerators for pairing based cryptosystems,” IEE Proceedings on Information Security, Special Issue on Cryptographic Algorithms and Architectures for System on Chip, vol. 152, no. 1, pp. 47–56, Oct. 2005.

[62] A. Savvides, C. Han, and M. Srivastava, “Dynamic fine-grained localization in ad-hoc networks of sensors,” in ACM MOBICOM’01, Rome, Italy, July 2001, pp. 166–179.

[63] X. Cheng, A. Thaeler, G. Xue, and D. Chen, “TPS: A time-based positioning scheme for outdoor wireless sensor networks,” in IEEE INFOCOM’04, Hong Kong, China, Mar. 2004, pp. 2685–2696.

[64] T. He, C. Huang, B. M. Blum, J. A. Stankovic, and T. F. Abdelzaher, “Range-free localization scheme in large scale sensor networks,” in ACM MOBICOM’03, San Diego, CA, Sep. 2003, pp. 81–95.

[65] L. Hu and D. Evans, “Localization for mobile sensor networks,” in ACM MOBICOM’04, Philadelphia, PA, Sep/Oct 2004, pp. 45–57.

[66] L. Lazos and R. Poovendran, “SeRLoc: Secure range-independent localization for wireless sensor networks,” in ACM WiSe’04, Philadelphia, PA, Oct. 2004, pp. 21–30.

[67] S. Capkun and J.-P. Hubaux, “Secure positioning of wireless devices with application to sensor networks,” in IEEE INFOCOM’05, Miami, FL, March 2005, pp. 1917–1928.

[68] R. C. Qiu, H. Liu, and X. Shen, “Ultra-wideband for multiple access communications,” IEEE Commun. Mag., vol. 43, no. 2, pp. 80–87, Feb. 2005.

[69] D. Wagner, “Resilient aggregation in sensor networks,” in ACM SASN’04, Washington, DC, Oct. 2004, pp. 78–87.

[70] S. Brands and D. Chaum, “Distance-bounding protocols (extended abstract),” in EUROCRYPT’93, Lofthus, Norway, May 1993, pp. 344–359.

[71] N. Sastry, U. Shankar, and D. Wagner, “Secure verification of location claims,” in ACM WiSe’03, San Diego, CA, Sep. 2003, pp. 1–10.

[72] B. Waters and E. Felten, “Proving the location of tamper-resistant devices,” Department of Computer Science, Princeton University, Princeton, NJ, Tech. Rep. TR-667-03, Jan. 2003.

[73] C. Karlof and D. Wagner, “Secure routing in wireless sensor networks: Attacks and countermeasures,” Ad Hoc Networks, vol. 1, no. 2, pp. 293–315, Sep. 2003.

[74] J. Newsome, E. Shi, D. Song, and A. Perrig, “The sybil attack in sensor networks: Analysis & defenses,” in 3rd Int. Symp. on Inform. Processing in Sensor Networks (IPSN’04), Berkeley, CA, Apr. 2004, pp. 259–268.

[75] F. Ye, H. Luo, S. Lu, and L. Zhang, “Statistical en-route filtering of injected false data in sensor networks,” in IEEE INFOCOM’04, Hong Kong, China, Mar. 2004, pp. 2446–2457.

[76] S. Zhu, S. Setia, S. Jajodia, and P. Ning, “An interleaved hop-by-hop authentication scheme for filtering of injected false data in sensor networks,” in IEEE Symp. Security Privacy, Oakland, CA, May 2004, pp. 259–271.

[77] S. Basagni, K. Herrin, E. Rosti, and D. Bruschi, “Secure pebblenets,” in ACM MOBIHOC’01, Long Beach, CA, Oct. 2001, pp. 256–263.

[78] L. Eschenauer and V. Gligor, “A key-management scheme for distributed sensor networks,” in ACM CCS’02, Washington, DC, Nov. 2002, pp. 41–47.

[79] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in IEEE Symposium on Security and Privacy, Oakland, CA, May 2003, pp. 197–213.

[80] W. Du, J. Deng, Y. Han, and P. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in ACM CCS, Washington, DC, Oct. 2003, pp. 42–51.

[81] D. Liu and P. Ning, “Establishing pairwise keys in distributed sensor networks,” in ACM CCS, Washington, DC, Oct. 2003, pp. 52–61.

[82] ——, “Location-based pairwise key establishments for static sensor networks,” in ACM SASN, Fairfax, VA, Oct. 2003, pp. 72–82.

[83] W. Du, J. Deng, Y. Han, S. Chen, and P. K. Varshney, “A key management scheme for wireless sensor networks using deployment knowledge,” in IEEE INFOCOM’04, Hong Kong, China, Mar. 2004, pp. 586–597.

[84] D. Huang, M. Mehta, D. Medhi, and L. Harn, “Location-aware key management scheme for wireless sensor networks,” in ACM SASN’04, Washington, DC, Oct. 2004, pp. 29–42.

[85] Y. Zhou, Y. Zhang, and Y. Fang, “LLK: a link-layer key establishment scheme in wireless sensor networks,” in IEEE WCNC’05, New Orleans, LA, Mar. 2005, pp. 1921–1926.

[86] A. Cerpa, J. Elson, D. Estrin, L. Girod, M. Hamilton, and J. Zhao, “Habitat monitoring: Application driver for wireless communications technology,” in ACM SIGCOMM Workshop Data Comm. Latin America and the Caribbean, Costa Rica, Apr. 2001, pp. 20–41.

[87] B. Karp and H. Kung, “GPSR: Greedy perimeter stateless routing for wireless networks,” in ACM MOBICOM’00, Boston, MA, Aug. 2000, pp. 243–254.

[88] D. Liu, P. Ning, and W. Du, “Attack-resistant location estimation in sensor networks,” in IPSN’05, Los Angeles, CA, Apr. 2005, pp. 99–106.

[89] W. Du, L. Fang, and P. Ning, “LAD: Localization anomaly detection for wireless sensor networks,” in IPDPS’05, Denver, CO, Apr. 2005, pp. 99–106.

[90] S. Zhu, S. Setia, and S. Jajodia, “LEAP: Efficient security mechanisms for large-scale distributed sensor networks,” in ACM CCS, Washington, DC, Oct. 2003, pp. 62–72.

[91] L. Chen and C. Kudla, “Identity based authenticated key agreement protocols from pairings,” Cryptology ePrint Archive, Report 2002/184, available at http://eprint.iacr.org/2002/184, Aug. 2006.

[92] Y. Hu, A. Perrig, and D. Johnson, “Packet leashes: A defense against wormhole attacks in wireless ad hoc networks,” in IEEE INFOCOM, San Francisco, CA, April 2003, pp. 1976–1986.

[93] S. Kumar, T. Lai, and J. Balogh, “On k-coverage in a mostly sleeping sensor network,” in ACM MobiCom ’04, Philadelphia, PA, Sep./Oct. 2004, pp. 144–158.

[94] J. Baek and Y. Zheng, “Identity-based threshold signature from the bilinear pairings,” in Proc. Int. Conf. Inform. Tech.: Coding Comput., Las Vegas, Apr. 2004, pp. 124–128.

[95] F. Hess, “Efficient identity based signature schemes based on pairings,” in Proc. SAC’02, St. John’s, Newfoundland, Canada, Aug. 2002, pp. 310–324.

[96] A. Perrig, R. Szewczyk, J. Tygar, V. Wen, and D. Culler, “SPINS: Security protocols for sensor networks,” ACM Wireless Networks, vol. 8, no. 5, pp. 521–234, Sep. 2002.

[97] W. Lou, W. Liu, and Y. Fang, “SPREAD: Enhancing data confidentiality in mobile ad hoc networks,” in IEEE INFOCOM’04, Hong Kong, China, Mar. 2004, pp. 2404–2413.

[98] Intel, “Intel PXA255 Processor Electrical, Mechanical, and Thermal Specification,” Santa Clara, CA, Tech. Rep., Feb. 2004.

[99] G. Bertoni, L. Chen, P. Fragneto, K. Harrison, and G. Pelosi, “Computing Tate pairing on smartcards,” White Paper, STMicroelectronics, 2005.

[100] A. Wander, N. Gura, H. Eberle, V. Gupta, and S. Chang, “Energy analysis for public-key cryptography for wireless sensor networks,” in IEEE PerCom’05, Pisa, Italy, Mar. 2005, pp. 324–328.

[101] A. Perrig, J. Stankovic, and D. Wagner, “Security in wireless sensor networks,” Comm. ACM, vol. 47, no. 6, pp. 53–57, June 2004.

[102] L. Lazos, R. Poovendran, C. Meadows, P. Syverson, and L. Chang, “Preventing wormhole attacks on wireless ad hoc networks: A graph theoretic approach,” in IEEE WCNC’05, New Orleans, LA, Mar. 2005, pp. 1193–1199.

[103] D. Carman, P. Kruus, and B. Matt, “Constraints and approaches for distributed sensor network security,” NAI Labs, McLean, VA, Tech. Rep. 00-010, Sep. 2000.

[104] D. Liu and P. Ning, “Efficient distribution of key chain commitments for broadcast authentication in distributed sensor networks,” in Proc. NDSS’03, San Diego, CA, Feb. 2003, pp. 263–276.

[105] B. Przydatek, D. Song, and A. Perrig, “SIA: Secure information aggregation in sensor networks,” in ACM SenSys’03, Los Angeles, CA, Nov. 2003, pp. 255–265.

[106] D. J. Malan, M. Welsh, and M. D. Smith, “A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography,” in IEEE SECON, Santa Clara, CA, Oct. 2004, pp. 71–80.

Page 164: SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONSufdcimages.uflib.ufl.edu/UF/E0/01/56/09/00001/zhang_y.pdf · 2010-05-13 · security in heterogeneous wireless

154

[107] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, “Comparing ellipticcurve cryptography and rsa on 8-bit cpus,” in CHES’04, Boston, MA, Aug. 2004, pp.119–132.

[108] R. Watro, D. Kong, S. fen Cuti, C. Gardiner, C. Lynn, and P. Kruus, “Tinypk:Securing sensor networks with public key technology,” in ACM SASN, Washington,DC, Oct. 2004, pp. 59–64.

[109] G. Gaubatz, J. Kaps, and B. Sunar, “Public keys cryptography in sensor networks –revisited,” in ESAS’04, EURESCOM, Heidelberg, Germany, Aug. 2004, pp. 2–18.

[110] M. Scott, “Computing the tate pairing,” in Cryptographers’ Track at the RSA Con-ference (CT-RSA’05), San Francisco, CA, Feb. 2005, pp. 293–304.

[111] T. Kerins, W. Marnane, E. Popovici, and P. Barreto, “Efficient hardware for thetate pairing calculation in characteristic three,” in Proc. Workshop on CryptographicHardware and Embedded Systems (CHES’05), Edinburgh, Scotland, Aug./Sep. 2005,pp. 412–426.

[112] The WiMAX Forum. http://www.wimaxforum.org, Aug. 2006.

[113] Tropos Networks. http://www.tropos.com/technology/whitepaper.shtml, Aug. 2006.

[114] D. Aguayo, J. Bicket, S. Biswas, G. Judd, and R. Morris, “Link-level measurementsfrom an 802.11b mesh network,” in ACM SIGCOMM’04, Portland, OR, Aug. 2004,pp. 121–132.

[115] R. Chandra, L. Qiu, K. Jain, and M. Mahdian, “Optimizing the placement of internettaps in wireless neighborhood networks,” in IEEE ICNP’04, Berlin, Germany, Oct.2004, pp. 271–282.

[116] R. Draves, J. Padhye, and B. Zill, “Routing in multi-radio, multi-hop wireless meshnetworks,” in ACM MOBICOM’04, Philadelphia, PA, Sep./Oct. 2004, pp. 114–128.

[117] European Telecommunications Standards Institute (ETSI), “GSM 2.09: Security as-pects,” Sophia Antipolis, France, June 1993.

[118] H. Lin and L. Harn, “Authentication protocols for personal communication systems,”in ACM SIGCOMM’95, Cambridge, MA, Sep. 1995, pp. 256–261.

[119] 3rd Generation Partnership Project (3GPP), “3rd generation mobile system release4 specifications,” 3GPP, Sophia Antipolis, France, TS 21.102, June 2003.

[120] Y. Lin and Y. Chen, “Reducing authentication signalling traffic in third-generationmobile network,” IEEE Trans. Wireless Commun., vol. 2, no. 3, pp. 493–501, May2003.

[121] C. Perkins, “IP mobility support for IPv4,” RFC 3344, Aug. 2002.

[122] W. Xu, W. Trappe, Y. Zhang, and T. Wood, “The feasibility of launching anddetecting jamming attacks in wireless networks,” in ACM MOBIHOC’05, Urbana-Champaign, IL, May 2005, pp. 46–57.

Page 165: SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONSufdcimages.uflib.ufl.edu/UF/E0/01/56/09/00001/zhang_y.pdf · 2010-05-13 · security in heterogeneous wireless

155

[123] M. Jakobsson, J.-P. Hubaux, and L. Buttyan, “A micro-payment scheme encouragingcollaboration in multi-hop cellular networks,” in 7th Int. Conf. Financial Cryptogra-phy (FC’03), Gosier, Guadeloupe, Jan. 2003, pp. 15–33.

[124] B. Aboda and M. Beadles, “The network acces identifier,” RFC 2486, Jan. 1999.

[125] R. Dutta, R. Barua, and P. Sarkar, “Pairing-based cryptography : A survey,” Cryp-tology ePrint Archive Report 2004/064, 2004.

[126] ITU-T Recommendations X.509, “Authentication framework,” Geneva, Switzerland,1989.

[127] D. Harkins and D. Carrel, “The Internet key exchange (IKE),” RFC 2409, Nov. 2003.

[128] D. Boneh, B. Lynn, and H. Shacham, “Short signature from the weil pairing,” inASIACRYPT’01, Gold Coast, Australia, Dec. 2001, pp. 514–532.

[129] D. Smetters and G. Durfee, “Domain-based administration of identity-based cryp-tosystems for secure email and ipsec,” in 12th USENIX Security Symposium, Wash-ington, DC, Aug. 2003, pp. 215–229.

[130] P. Gupta and P. Kumar, “The capacity of wireless networks,” IEEE Trans. Inform.Theory, vol. 46, no. 2, pp. 388–404, Mar. 2000.

[131] R. Sakai, K. Ohgishi, and M. Kasahara, “Cryptosystems based on pairing,” in Sym-posium on Cryptography and Information Security (SCIS’00), Okinawa, Japan, Jan.2000, pp. 26–28.

[132] G. Ateniese, A. Herzberg, H. Krawczyk, and G. Tsudik, “Untraceable mobility orhow to travel incognito,” Computer Networks, vol. 31, no. 8, pp. 871–884, Apr. 1999.

[133] L. Lamport, “Password authentication with insecure communication,” Comm. ACM,vol. 24, no. 11, pp. 770–772, Nov. 1981.

[134] D. Coppersmith and M. Jakobsson, “Almost optimal hash sequence traversal,” inFinancial Cryptography’02, Southampton, Bermuda, Mar. 2002, pp. 102–119.

[135] Y. Sella, “On the computation-storage trade-offs of hash chain traversal,” in FinancialCryptography’03, Guadeloupe, French West Indies, Jan. 2003, pp. 270–285.

[136] A. Juels and J. Brainard, “Client puzzles: A cryptographic countermeasure againstconnection depletion attacks,” in 6th Annual Network and Distributed System SecuritySymposium (NDSS’99), San Diego, CA, Feb. 1999, pp. 151–165.

[137] T. Aura, P. Nikander, and J. Leiwo, “Dos-resistant authentication with client puz-zles,” in 8th Int. Workshop on Security Protocols, Cambridge, UK, Apr. 2000, pp.178–181.

[138] X. Wang and M. Reiter, “Defending against denial-of-service attacks with puzzleauctions,” in IEEE Symp. Security and Privacy, Oakland, CA, May 2003, pp. 78–92.

[139] ——, “Mitigating bandwidth-exhaustion attacks using congestion puzzles,” in ACMCCS’04, Washington, DC, Oct. 2004, pp. 257–267.

Page 166: SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONSufdcimages.uflib.ufl.edu/UF/E0/01/56/09/00001/zhang_y.pdf · 2010-05-13 · security in heterogeneous wireless

156

[140] M. Abadi, M. Burrows, M. Manasse, and T. Wobber, “Moderately hard, memory-bound functions,” in 10th Annual Network and Distributed System Security Sympo-sium (NDSS’03), San Diego, CA, Feb. 2003, pp. 25–39.

[141] C. Dwork, A. Goldberg, and M. Naor, “On memory-bound functions for fightingspam,” in CRYPTO’03, Santa Barbara, CA, Aug. 2003, pp. 426–444.

[142] N. Salem, L. Buttyan, J. Hubaux, and M. Jakobsson, “A charging and rewardingscheme for packet forwarding in multi-hop cellular networks,” in ACM MOBIHOC’03,Annapolis, Maryland, June 2003, pp. 13–24.

[143] J. Zhou and K. Lam, “Undeniable billing in mobile communication,” in ACM MO-BICOM’98, Dallas, TX, Oct. 1998, pp. 284–290.

[144] W. Ma and Y. Fang, “Dynamic hierarchical mobility management strategy for mobileip networks,” IEEE J. Select. Areas Commun., vol. 22, no. 4, pp. 664–676, May 2004.

Page 167: SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONSufdcimages.uflib.ufl.edu/UF/E0/01/56/09/00001/zhang_y.pdf · 2010-05-13 · security in heterogeneous wireless

BIOGRAPHICAL SKETCH

Yanchao Zhang received the B.E. degree in computer communications from Nanjing University of Posts and Telecommunications, Nanjing, China, in July 1999, and the M.E. degree in computer applications from Beijing University of Posts and Telecommunications, Beijing, China, in April 2002. Since September 2002, he has been working towards the Ph.D. degree in the Department of Electrical and Computer Engineering at the University of Florida, Gainesville, Florida, USA. His research interests are network and distributed system security, wireless networking, and mobile computing, with emphasis on mobile ad hoc networks, wireless sensor networks, wireless mesh networks, and heterogeneous wired/wireless networks.