Source: ufdcimages.uflib.ufl.edu/UF/E0/01/56/09/00001/zhang_y.pdf · 2010-05-13
SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONS
By
YANCHAO ZHANG
A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT
OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY
UNIVERSITY OF FLORIDA
2006
Copyright 2006
by
Yanchao Zhang
To my parents and my sister.
ACKNOWLEDGMENTS
First and foremost, I would like to express my sincere gratitude to my advisor, Prof.
Yuguang Fang, for his invaluable guidance, encouragement and support during my years in the
Wireless Networks Laboratory (WINET). Prof. Fang has guided my path in the past four
years not only with his intellect and knowledge, but also with thoughtfulness about a young
man’s personal growth.
I also would like to acknowledge my other committee members, Prof. Shigang Chen,
Prof. Jose Fortes, Prof. Pramod Khargonekar, and Prof. Sartaj Sahni, for serving on my
supervisory committee and for their help in various stages of my work and career.
I would not be a sane graduate student without a group of great friends. There are
many whom I would like to thank: Xiang Chen, Wei Liu, Byung-Seo Kim, Jianfeng Wang,
Shushan Wen, Hongqiang Zhai, Xiaoxia Huang, Yun Zhou, Chi Zhang, Frank Goergen, Pan
Li, Rongsheng Huang, and Feng Chen. I would like to specially acknowledge my former
WINET colleague and good friend, Prof. Wenjing Lou in Worcester Polytechnic Institute,
for her help and encouragement in my journey.
Finally, I owe a special debt of gratitude to my beloved parents and sister. Without
their love and unwavering support, I could never have imagined what I have achieved.
TABLE OF CONTENTS
                                                                          page
ACKNOWLEDGMENTS . . . iv
LIST OF TABLES . . . viii
LIST OF FIGURES . . . ix
ABSTRACT . . . x
CHAPTER
1 INTRODUCTION . . . 1
2 ANONYMOUS COMMUNICATIONS IN MOBILE AD HOC NETWORKS . . . 6
  2.1 Introduction . . . 6
  2.2 Preliminaries . . . 9
    2.2.1 Basics of ID-Based Cryptography (IBC) . . . 9
    2.2.2 Adversary Model . . . 10
  2.3 MASK Design . . . 10
    2.3.1 Network Model . . . 10
    2.3.2 Anonymous MAC-Layer Communications . . . 11
    2.3.3 Anonymous Network-Layer Communications . . . 15
    2.3.4 Countermeasures against Attacks . . . 21
    2.3.5 Replenishing Pseudonym/Secret Point Pairs . . . 23
  2.4 Performance Evaluation . . . 25
    2.4.1 Simulation Setup . . . 25
    2.4.2 Simulation Results . . . 27
  2.5 Related work . . . 28
  2.6 Summary . . . 29
3 SECURING MOBILE AD HOC NETWORKS WITH CERTIFICATELESS PUBLIC KEYS . . . 31
  3.1 Introduction . . . 31
  3.2 Preliminaries . . . 33
    3.2.1 Notation . . . 33
    3.2.2 Related Work . . . 33
  3.3 Design Goals and System Models . . . 36
    3.3.1 Design Goals . . . 37
    3.3.2 Network Model . . . 37
    3.3.3 Adversary Model . . . 38
  3.4 IKM Design . . . 39
    3.4.1 Overview . . . 39
    3.4.2 Network Initialization . . . 40
    3.4.3 Key Revocation . . . 43
    3.4.4 Key Update . . . 47
    3.4.5 Securing D-PKGs against Pinpoint Attacks . . . 48
    3.4.6 Choosing Secret-Sharing Parameters . . . 50
    3.4.7 Security Analysis . . . 51
  3.5 Performance Evaluation . . . 51
    3.5.1 Simulation Setup . . . 52
    3.5.2 Computational Costs . . . 53
    3.5.3 Comparison in Key Revocation . . . 54
    3.5.4 Comparison in Key Update . . . 55
    3.5.5 Comparison in Secure Routing . . . 56
  3.6 Summary . . . 61
4 SECURE LOCALIZATION IN WIRELESS SENSOR NETWORKS . . . 62
  4.1 Introduction . . . 62
  4.2 Vulnerability Analysis of Two-Way Time-of-Arrival Localization . . . 63
  4.3 Mobility-Assisted Secure Localization for UWB Sensor Networks . . . 65
    4.3.1 Network Model . . . 65
    4.3.2 Overview of SLS . . . 66
    4.3.3 K-Distance: a K-Round Distance Estimation Algorithm . . . 66
    4.3.4 Location Validity Test . . . 70
    4.3.5 Discussion . . . 72
  4.4 Related Work . . . 73
  4.5 Summary . . . 74
5 LOCATION-BASED COMPROMISE-TOLERANT SECURITY MECHANISMS FOR WIRELESS SENSOR NETWORKS . . . 75
  5.1 Introduction . . . 75
  5.2 Preliminaries . . . 77
    5.2.1 Adversary Model . . . 77
    5.2.2 Security Objectives . . . 77
  5.3 A Location-Based Key Management Scheme . . . 78
    5.3.1 Pre-Deployment Phase . . . 78
    5.3.2 Sensor Deployment and Localization . . . 79
    5.3.3 Location-Based Neighborhood Authentication . . . 80
    5.3.4 Immediate Pairwise Key Establishment . . . 83
    5.3.5 Multi-hop Pairwise Key Establishment . . . 84
  5.4 Efficacy of LBKs in Attack Mitigation . . . 85
    5.4.1 Spoofing, Altering or Replaying Routing Information . . . 85
    5.4.2 The Sybil Attack . . . 86
    5.4.3 The Identity Replication Attack . . . 86
    5.4.4 Wormhole and Sinkhole Attacks . . . 87
  5.5 Location-Based Filtering of Bogus Data . . . 88
    5.5.1 The Bogus Data Injection Attack . . . 88
    5.5.2 Generation and Distribution of Cell Keys . . . 89
    5.5.3 Performing Threshold-Endorsements of Data Reports . . . 92
    5.5.4 Probabilistic Enroute Filtering of Data Reports . . . 94
    5.5.5 Efficacy and Security Analysis . . . 94
    5.5.6 Performance Evaluation . . . 97
  5.6 Related work . . . 101
  5.7 Discussion . . . 104
  5.8 Summary . . . 105
6 ATTACK-RESILIENT SECURE AUTHENTICATION AND BILLING IN WIRELESS MESH NETWORKS . . . 106
  6.1 Introduction . . . 106
  6.2 Preliminaries . . . 110
    6.2.1 Security Requirements of WMNs . . . 110
    6.2.2 Attacker Model . . . 112
  6.3 System Models and Notation . . . 112
    6.3.1 Network Model . . . 112
    6.3.2 Trust Model . . . 113
    6.3.3 Notation . . . 114
    6.3.4 Trust-Domain Initialization . . . 114
    6.3.5 Pass Model . . . 116
  6.4 Authentication and Key Agreement (AKA) . . . 119
    6.4.1 Inter-Domain Authentication and Key Agreement . . . 119
    6.4.2 Intra-Domain Authentication and Key Agreement . . . 122
    6.4.3 Client-Client Authentication and Key Agreement . . . 123
  6.5 Security Enhancements . . . 124
    6.5.1 Location Privacy Attack . . . 125
    6.5.2 Bogus-Beacon Flooding Attack . . . 126
    6.5.3 Denial-of-Access Attack . . . 130
    6.5.4 Bandwidth-Exhaustion Attack . . . 132
  6.6 Incontestable Billing of Mobile Users . . . 134
    6.6.1 Billing Basics . . . 134
    6.6.2 Payment Structures . . . 137
    6.6.3 Making Payments . . . 139
    6.6.4 Redemption of Payment Records . . . 141
    6.6.5 Security Analysis . . . 142
  6.7 Discussion . . . 143
    6.7.1 Mobility Management . . . 143
    6.7.2 Public-Key vs. Symmetric-Key Cryptography . . . 144
    6.7.3 Incremental Deployment . . . 144
  6.8 Summary . . . 144
7 CONCLUSION AND FUTURE WORK . . . 146
REFERENCES . . . 147
BIOGRAPHICAL SKETCH . . . 157
LIST OF TABLES
Table                                                                     page
2–1 Processing timings of cryptographic operations. . . . 25
3–1 Notation . . . 34
3–2 Timings of primitive operations . . . 54
3–3 Comparison of key revocation time . . . 54
3–4 Comparison of key update (t = 5) . . . 55
3–5 Comparison of key update (t = 10) . . . 55
4–1 The K-Distance algorithm. . . . 67
4–2 Testing if a point is inside a |B|-vertex polygon. . . . 70

LIST OF FIGURES
Figure                                                                    page
2–1 Anonymous route discovery with a route reply generated by the destination A.4. . . . 16
2–2 Anonymous hop-by-hop packet forwarding from A.1 to A.4. . . . 20
2–3 The comparison between MASK and AODV. . . . 27
3–1 Average route discovery delay. . . . 58
3–2 Average data packet delay. . . . 59
3–3 Packet delivery ratio. . . . 59
3–4 Average routing load. . . . 60
4–1 An exemplary two-way ToA localization process, where anchors A, B, C are determining the location of sensor S. . . . 63
4–2 The topology of an exemplary distance enlargement attack. . . . 64
4–3 The time plot of the challenge-response process. . . . 67
4–4 Location validity test with three anchors. . . . 69
5–1 Node deployment model. . . . 89
5–2 The probability pµ of filtering one bogus report as a function of the sampling probability ps and the number µ of hops a bogus report travels. . . . 95
5–3 The comparison of Esum and E′sum as a function of the bogus traffic ratio ρ, where ξ = 50 and the optimal ps’s are used. . . . 98
5–4 The comparison of Esum and E′sum as a function of the bogus traffic ratio ρ, where ξ = 50 and non-optimal ps’s are used. . . . 100
5–5 The comparison of Esum and E′sum as a function of the average path length ξ, where ρ = 2 and ps = 0.2. . . . 101
6–1 A typical three-tiered wireless mesh network architecture. . . . 107
6–2 An exemplary 5-by-5 hierarchical one-way hash chain. . . . 127
6–3 An exemplary payment structure (m > 3, t > 2). . . . 136
Abstract of Dissertation Presented to the Graduate School
of the University of Florida in Partial Fulfillment of the
Requirements for the Degree of Doctor of Philosophy
SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONS
By
Yanchao Zhang
August 2006
Chair: Yuguang Fang
Major Department: Electrical and Computer Engineering
Wireless ad hoc networks have been widely accepted as an indispensable component of
next-generation communication systems to facilitate ubiquitous network access. Although
offering significant benefits, they also pose unique security challenges compared with their wired
counterparts. Of note are the issues associated with the open network architecture, shared
wireless medium, stringent resource constraints, high network dynamics, lack of trusted
authorities, and so on. In this dissertation, we aim to address a number of challenging
security issues in heterogeneous wireless ad hoc networks, spanning mobile ad hoc networks
(MANETs), wireless sensor networks (WSNs), and wireless mesh networks (WMNs).
Our contributions are mainly fivefold. First, we propose an anonymous on-demand
routing protocol (MASK) to deal with malicious eavesdropping and traffic analysis attacks
against MANETs deployed in hostile environments. Second, we design a secure, scalable
ID-based key management scheme for MANETs to enable flexible public-key services with-
out reliance on conventional public-key certificates. Third, we devise a secure localization
scheme to ensure secure location estimates in WSNs despite malicious attacks. Fourth, we
develop a suite of location-based, compromise-tolerant security mechanisms for WSNs. Last,
we present an attack-resilient secure authentication and billing architecture for WMNs.
CHAPTER 1
INTRODUCTION
Recent years have witnessed a surge of research and development for wireless ad hoc
networks. Unlike conventional infrastructure-supported wireless networks, wireless ad hoc
networks feature rapidly-deployable, self-organizing, self-maintaining capabilities and can
be formed on the fly without relying on any existing infrastructure. In such a network, each
node functions not only as an end host but also as a router forwarding packets to and from
other nodes to enable otherwise impossible multi-hop communications. Wireless ad hoc
networks are naturally well-suited for application scenarios where fixed infrastructures are
often not available or reliable, while fast network establishment and self-maintenance are a
must. As such, they have been widely accepted as an indispensable part of next-generation
communication systems to facilitate ubiquitous network access.
In general, wireless ad hoc networks can be classified into two categories, mobile ad hoc
networks (MANETs) and static ad hoc networks. The former comprise network nodes that
are free to move about randomly and organize themselves arbitrarily. Exemplary application
scenarios of MANETs include tactical military operations, homeland security, emergency
disaster relief and rescue, and so on. Most recently, MANETs have been extended to general
civilian contexts and are often referred to as wireless mesh networks (WMNs) [1], where
mobile users can access the network either through a direct wireless link to a wireless access
point (AP), or through a sequence of intermediate users to an AP that is too far away to
reach. By contrast, static ad hoc networks mainly consist of stationary nodes, that is, nodes fixed
where they were deployed. The most significant example of this latter type is wireless
sensor networks (WSNs) [2], which have attracted extensive attention in both academia
and industry for their broad potential not only in military and homeland security scenarios
but also in general civilian settings.
While offering significant benefits, wireless ad hoc networks also face
unique security challenges compared with their wired counterparts. Roughly speaking,
the risks of a wireless ad hoc network are those of operating a wired network plus the
new risks introduced by weaknesses in wireless protocols. Some of the major security
challenges that a wireless ad hoc network faces include the following:
• All old threats to a conventional wired network apply to a wireless ad hoc network.
• The shared wireless medium facilitates passive eavesdropping on data communications and active bogus message injection into the network by attackers.
• Early protocol designs for wireless ad hoc networks all assumed a friendly and cooperative environment. As such, many wireless protocols have inherent security flaws.
• Mobile devices are subject to physical theft or loss, leading to insider attacks launched by attackers harnessing confidential information extracted from stolen devices.
• Intrusion detection is far more difficult, mainly because it is hard to differentiate anomalies caused by characteristics of wireless channels from those caused by attacks.
• There is often no on-line centralized authority or administration.
• Mobile devices usually have stringent resource constraints and thus cannot afford resource-hungry security protocols.
Modeling node misbehavior is an essential part of any security protocol
design, because a solution that is sound under one misbehavior model may be less effective,
or even completely invalid, under another. In this dissertation, we classify misbehaving
nodes into two classes: malicious and selfish. The objectives of the former are to attack
the proper network operations without consideration of their own gains. Adversarial nodes
often existing in military ad hoc networks are typical examples of such malicious nodes. By
comparison, selfish nodes can be characterized by the intention of maximizing their own
gains or collective gains with collusive nodes from the network community while minimizing
their contributions to it. Selfish nodes are less likely to exist in single-authority-like ad hoc
networks such as military MANETs and WSNs, but are very likely to be present in general
civilian ad hoc networks where nodes may have conflicting interests. For example, in a
WMN, nodes may be reluctant to forward packets to and from the AP for others in order
to save their own resources such as battery life, CPU cycles, or available network bandwidth
[3, 4].
This dissertation contributes to developing novel solutions to a number of challenging
issues in heterogeneous wireless ad hoc networks, involving either malicious nodes or selfish
nodes or both, which are either ignored or not well addressed in the literature. The rest of
this dissertation is structured as follows.
Chapter 2 considers passive eavesdropping and the accompanying attacks launched
against MANETs deployed in hostile environments. To deal with such attacks, we propose
a novel anonymous on-demand routing protocol, termed MASK, which can accomplish both
MAC-layer and network-layer communications without disclosing real IDs of participating
nodes under a rather strong adversarial model. MASK offers the anonymity of senders, re-
ceivers, and sender-recipient relationships, as well as node unlocatability and untrackability
and end-to-end flow untraceability. It is also resistant to a wide range of attacks. Moreover,
MASK retains high routing efficiency compared with previous work.
Chapter 3 studies key management, a fundamental problem in securing MANETs. We
present IKM, an ID-based key management scheme as a novel combination of ID-based
and threshold cryptography. IKM is a certificateless solution in that public keys of mobile
nodes are directly derivable from their known IDs plus some common information. It thus
eliminates the need for certificate-based authenticated public-key distribution indispens-
able in conventional public-key management schemes. IKM features a novel construction
method of ID-based public/private keys, which not only ensures high-level tolerance to
node compromise, but also enables efficient network-wide key update via a single broadcast
message. We also provide general guidelines about how to choose the secret-sharing param-
eters used with threshold cryptography to meet desirable levels of security and robustness.
The advantages of IKM over conventional certificate-based solutions are justified through
extensive simulations. Since most MANET security mechanisms thus far involve the heavy
use of certificates, we believe that our findings open a new avenue towards more effective
and efficient security design for MANETs.
Chapter 4 explores secure localization in WSNs. The proper operations of many sen-
sor networks rely on the knowledge of physical sensor locations. However, most existing
localization algorithms developed for sensor networks are vulnerable to attacks in hos-
tile environments. As a result, attackers can easily subvert the normal functionalities of
location-dependent sensor networks by exploiting the weakness of localization algorithms.
In this chapter, we first analyze the security of existing localization techniques. We then
develop a mobility-assisted secure localization scheme for WSNs.
Chapter 5 introduces a suite of location-based compromise-tolerant security mechanisms
for WSNs. Node compromise is a serious threat to WSNs deployed in unattended and hostile
environments. To mitigate the impact of compromised nodes, we design a few location-
based compromise-tolerant security mechanisms. Based on a new cryptographic concept
called pairing, we propose the notion of location-based keys (LBKs) by binding private
keys of individual nodes to both their IDs and geographic locations. We then develop
an LBK-based neighborhood authentication scheme to localize the impact of compromised
nodes to their vicinity. We also present efficient approaches to establish a shared key
between any two network nodes. In contrast to previous key establishment solutions, our
approaches feature nearly perfect resilience to node compromise, low communication and
computation overhead, low memory requirements, and high network scalability. Moreover,
we demonstrate the efficacy of LBKs in counteracting several notorious attacks against
sensor networks. Finally, we propose a location-based threshold-endorsement scheme, called
LTE, to thwart the infamous bogus data injection attack, in which adversaries inject lots of
bogus data into the network. The utility of LTE in achieving remarkable energy savings is
validated by detailed performance evaluation.
Chapter 6 presents a secure authentication and billing architecture for WMNs, which are
finding ever-growing acceptance as a viable and effective solution to ubiquitous broadband
Internet access. Security is a key impediment to wide-scale deployment of WMNs, yet it has
thus far received little attention. We first give a thorough identification of the unique
security requirements of WMNs, which to our knowledge had not been done in the literature. We
then propose UPASS, the first known secure authentication and billing architecture for
WMNs. In contrast to a conventional cellular-like solution, UPASS eliminates the need
for establishing bilateral roaming agreements and having realtime interactions between potentially
numerous WMN operators. With UPASS in place, each user is no longer bound
to any specific network operator, as he or she must be in current cellular networks.
Instead, he or she acquires a universal pass from a third-party broker whereby to realize
seamless roaming across WMN domains administrated by different operators. UPASS sup-
ports efficient mutual authentication and key agreement both between a user and a serving
WMN domain and between users served by the same WMN domain. In addition, UPASS
is designed to be resilient to a wide range of attacks. Moreover, the incontestable billing of
mobile users is fulfilled through a lightweight realtime micropayment protocol built on the
combination of digital signature and one-way hash-chain techniques.
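The page states only that the billing protocol combines a digital signature with one-way hash chains; the message formats of UPASS itself are not given here. The following Python script is an added example, not the dissertation's code, of the standard PayWord-style construction that such a description implies: the user signs one commitment to a chain anchor, then pays each unit by releasing the next chain element, the payee verifies a payment with a few hash evaluations, and the broker settles with a single signature check. Assumptions: a Lamport one-time signature stands in for whatever signature scheme UPASS uses (one key pair per chain), the payee already holds the user's public key, and the commitment encoding, chain length and node names are invented for the illustration.

```python
"""Added example: PayWord-style hash-chain micropayment (not the UPASS protocol)."""
import hashlib
import secrets
from dataclasses import dataclass


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


# Lamport one-time signature over SHA-256 (assumed stand-in; one key pair per commitment).
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]


def lamport_sign(sk, msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [sk[i][(d >> i) & 1] for i in range(256)]   # reveal one preimage per digest bit


def lamport_verify(pk, msg: bytes, sig) -> bool:
    d = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(H(sig[i]) == pk[i][(d >> i) & 1] for i in range(256))


def make_chain(seed: bytes, n: int):
    """w_n = seed, w_{i-1} = H(w_i). Returns [w_0, ..., w_n], so H(chain[i]) == chain[i-1].
    w_0 is the public anchor; w_1, w_2, ... are released in order, one per unit paid."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


def commit_message(anchor, length, unit, payee, serial) -> bytes:
    # Invented encoding: anchor || n || unit || len(payee) || payee || serial
    p = payee.encode()
    return (anchor + length.to_bytes(4, "big") + unit.to_bytes(4, "big")
            + len(p).to_bytes(2, "big") + p + serial.to_bytes(8, "big"))


@dataclass(frozen=True)
class Commitment:
    anchor: bytes   # w_0
    length: int     # n: at most n units can be drawn from this chain
    unit: int       # value of one chain element
    payee: str      # serving domain this chain is dedicated to (cannot be spent elsewhere)
    serial: int     # distinguishes chains issued to the same payee
    pk: list
    sig: list

    def message(self) -> bytes:
        return commit_message(self.anchor, self.length, self.unit, self.payee, self.serial)


def commit(sk, pk, chain, unit: int, payee: str, serial: int) -> Commitment:
    """User side: one signature per chain; every later payment is a bare hash preimage."""
    n = len(chain) - 1
    return Commitment(chain[0], n, unit, payee, serial, pk,
                      lamport_sign(sk, commit_message(chain[0], n, unit, payee, serial)))


class Payee:
    """Serving side: verify the signature once, then check payment i with i - last_i hashes.
    Replayed, out-of-order and over-length payments are rejected."""

    def __init__(self, c: Commitment):
        if not lamport_verify(c.pk, c.message(), c.sig):
            raise ValueError("bad commitment signature")
        self.c, self.last_i, self.last_w = c, 0, c.anchor

    def accept(self, i: int, w_i: bytes) -> bool:
        if not (self.last_i < i <= self.c.length):
            return False
        x = w_i
        for _ in range(i - self.last_i):
            x = H(x)
        if x != self.last_w:                 # w_i is not a preimage of the last accepted element
            return False
        self.last_i, self.last_w = i, w_i
        return True

    def redemption_record(self):
        """What the payee later hands to the broker: the commitment and the highest element."""
        return self.c, self.last_i, self.last_w


def broker_settle(c: Commitment, i: int, w_i: bytes):
    """Broker side: the signature plus H^i(w_i) == w_0 prove the user released i elements,
    so i * unit is owed; the user cannot contest it without disowning its own signature."""
    if not lamport_verify(c.pk, c.message(), c.sig) or not (0 < i <= c.length):
        return None
    x = w_i
    for _ in range(i):
        x = H(x)
    return i * c.unit if x == c.anchor else None


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    chain = make_chain(secrets.token_bytes(32), 100)
    c = commit(sk, pk, chain, 1, "domain-7", 1)
    ap = Payee(c)
    print([ap.accept(i, chain[i]) for i in (1, 2, 2, 5, 4)])   # [True, True, False, True, False]
    print("owed:", broker_settle(*ap.redemption_record()))    # owed: 5
```

The asymmetry is the point: the user performs one signature per chain and the payee one verification, after which each payment costs a hash or two on both sides, which is what makes per-packet or per-second charging affordable on a mobile device. Binding the payee and a serial into the signed commitment prevents the same chain from being spent in two domains, and the broker needs only the commitment and the highest released element, not every payment.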
Finally, Chapter 7 concludes this dissertation and points out some future work.
CHAPTER 2
ANONYMOUS COMMUNICATIONS IN MOBILE AD HOC NETWORKS
2.1 Introduction
Mobile ad hoc networks (MANETs) are infrastructureless, autonomous, stand-alone
wireless networks that are receiving growing attention from both academia and industry.
In this chapter, we are concerned with MANETs deployed in hostile environments, such
as those facilitating large-scale theater-wide communications or relatively small-scale com-
munications in MOUT (Military Operations on Urban Terrain). It is obvious that robust
security support is indispensable for the proper functioning of such MANETs.
The shared wireless medium of MANETs introduces abundant opportunities for passive
eavesdropping on data communications. This means that, without physically compromis-
ing a node, adversaries can easily overhear all the MAC frames “flying in the air,” each
typically including <MAC addresses, network addresses, data>.[1] Although end-to-end
and/or link encryption can be enforced to prevent adversarial access to data contents, for
any observed frame, adversaries can still learn not only the network and MAC addresses of
its local transmitter and receiver, but also the network addresses of its end-to-end source
and destination. Such MAC and network address information is currently left bare with-
out protection in the de facto MAC protocol IEEE 802.11 and existing MANET routing
protocols such as AODV [5] and DSR [6].
The leakage of MAC and network addresses may result in a number of severe consequences. First of all, it would facilitate adversarial traffic analysis aimed at inferring network traffic patterns and/or traffic pattern changes.² In a tactical military MANET, an abnormal change of the network traffic pattern may indicate a forthcoming action, a chain of commands, or a state change of network alertness [7]. Its disclosure to adversaries would thus lead to the failure of urgent military actions. In addition, adversaries are able to trace any packet backward to its original source or forward to its final destination. This is also undesirable because in many cases packet sources are critical nodes such as captains or majors, while packet destinations are nodes commanded to carry out certain military operations. Moreover, adversaries can locate individual nodes and track their movements. This is extremely dangerous in that adversaries can easily identify critical network nodes and then launch directed attacks on them. Most previous proposals such as Ariadne [8] and ARAN [9] aim to deal with active attacks, which usually involve the launch of denial-of-service (DoS) or other more “visible,” aggressive attacks on the target network. By contrast, the aforementioned attacks belong to the category of once-passive-then-active attacks, or passive attacks for short, which are more subtle, “invisible,” and difficult to detect before severe damage actually occurs. In this chapter, we seek efficient solutions to these more dangerous passive attacks.
¹ We use the terms “packets” and “frames” interchangeably in this chapter.
For ease of presentation, we use the notion “network ID” (or simply “ID”) to indicate both the MAC and network addresses of a mobile node; which one is meant should be understandable from the context. We also define “anonymity” as the privacy preservation of the network IDs of mobile nodes and their group membership information, e.g., belonging to nation A or B, or affiliated with battalion 1 or 2. Although less intuitive, the privacy of node affiliations is as important as that of node IDs in many security-sensitive environments. For example, suppose a coalition force of multiple nations is dispatched to carry out a common military mission. Soldiers of the same nation can form an exclusive MANET among themselves, and thus multiple MANETs would co-exist in the battlefield. In this case, each node may want to avoid unnecessary exposure of both its ID and nationality because adversaries or terrorists may perform selective directed attacks according to not only IDs but also nationalities. As demonstrated in Section 2.3.2, conventional cryptographic techniques such as Diffie-Hellman key exchange [10] cannot satisfy this anonymity requirement and thus fail to withstand passive attacks.
² A network traffic pattern consists of triplets <sender addr, receiver addr, average rate>, each describing one flow. A flow can be an end-to-end network flow, in which case the address fields are the network addresses of an end-to-end source and destination pair. It can also be a local link flow, in which case the address fields are the MAC addresses of a local transmitter and receiver.
We observe that passive attacks are feasible for two reasons: (1) each node can be uniquely identified by its network ID, and (2) each node uses the invariant network ID in both MAC-layer and network-layer communications. Motivated by this observation, we propose to thwart passive attacks by designing anonymous communication protocols. The fundamental purpose is to realize both efficient MAC-layer and network-layer communications, while anonymizing all the involved nodes, therefore effectively defeating passive attacks.
The contribution of this chapter is the design of a novel anonymous on-demand routing protocol, called MASK, which can simultaneously achieve anonymous MAC-layer and network-layer communications. The novelty of MASK lies in the use of dynamic pseudonyms rather than static MAC and network addresses. MASK offers both sender and receiver anonymity as well as sender-receiver relationship anonymity.³ Specifically, although adversaries might observe a packet transmission, they cannot determine the real network IDs of its sender and receiver, nor can they decide if (or when) any two nodes in the network are communicating. In addition, MASK ensures node unlocatability and untrackability, meaning that, although adversaries might know some real network IDs and/or group memberships, they are unable to decide who and where the corresponding nodes are in the network. Moreover, MASK guarantees end-to-end flow untraceability, which means that adversaries cannot trace a packet forward to its final destination or backward to its original source, nor can they recognize packets belonging to the same ongoing communication flow. Furthermore, MASK is as efficient as classical routing protocols such as AODV [5], which is confirmed by detailed simulation results. It can also withstand a variety of attacks, e.g., message coding, flow recognition, and timing analysis.
³ For a given packet, a sender can be its original source or local transmitter, and a receiver can be its final destination or local receiver.
2.2 Preliminaries
2.2.1 Basics of ID-Based Cryptography (IBC)
IBC [11] is receiving extensive attention as a powerful alternative to traditional certificate-based cryptography (CBC) and serves as one of the cryptographic foundations of this dissertation. The main idea of IBC is to make an entity’s public key directly derivable from its publicly known identity information, such as its email address. IBC thus completely eliminates the need for public-key distribution realized via conventional public-key certificates. Although the idea of IBC dates back to 1984 [11], only recently has its rapid development taken place, due to the application of the pairing technique outlined below.
Let $G_1$ denote a cyclic additive group of some large prime order $q$ and $G_2$ a cyclic multiplicative group of the same order. Assume that the Discrete Logarithm Problem (DLP) is hard⁴ in both $G_1$ and $G_2$. For us, a pairing is a map $e: G_1 \times G_1 \rightarrow G_2$ with the following properties:
1. Bilinear: $\forall P, Q, R, S \in G_1$,
$$e(P+Q, R+S) = e(P,R)\,e(P,S)\,e(Q,R)\,e(Q,S). \quad (2.1)$$
Consequently, for $\forall a, b \in \mathbb{Z}_q^*$, we have
$$e(aP, bQ) = e(aP, Q)^b = e(P, bQ)^a = e(P, Q)^{ab}.$$
2. Non-degenerate: If $P$ is a generator of $G_1$, then $e(P,P) \in \mathbb{F}_{p^2}^*$ is a generator of $G_2$.
3. Computable: There is an efficient algorithm to compute $e(P,Q)$ for all $P, Q \in G_1$.
Note that $e$ is also symmetric, i.e., $e(P,Q) = e(Q,P)$ for all $P, Q \in G_1$, which follows immediately from the bilinearity and the fact that $G_1$ is a cyclic group. Modified Weil [12, 13] and Tate [14] pairings are examples of such bilinear maps for which the Bilinear Diffie-Hellman Problem (BDHP) is believed to be hard. That is, it is believed that, given $\langle P, xP, yP, zP \rangle$ for random $x, y, z \in \mathbb{Z}_q^*$ and $P \in G_1$, there is no algorithm running in expected polynomial time which can compute $e(P,P)^{xyz} \in G_2$ with non-negligible probability. We refer to Boneh and Franklin [12, 13] and Barreto et al. [14] for a more comprehensive description of how these pairing parameters should be selected in practice for efficiency and security.
⁴ It is computationally infeasible to extract the integer $x \in \mathbb{Z}_q^* = \{a \mid 1 \le a \le q-1\}$, given $P, Q \in G_1$ (respectively, $P, Q \in G_2$) such that $Q = xP$ (respectively, $Q = P^x$).
2.2.2 Adversary Model
We assume that adversaries can collaborate to passively monitor every radio transmission on every communication link. In addition, they may compromise any node in the target network to become an internal adversary. However, we postulate that passive adversaries cannot compromise an unlimited number of nodes. Neither can they have unbounded computational capabilities to easily invert and read encrypted messages and break the BDHP assumption. Otherwise, it is believed that there is no workable cryptographic solution.
2.3 MASK Design
In this section, we elaborate on the design of MASK. We start by describing the network model and then discuss how to achieve single-hop MAC-layer communications. Subsequently, we present an on-demand routing protocol to realize anonymous network-layer communications. After that, some countermeasures against attacks and a security enhancement based on the secret-sharing technique [15] are introduced.
2.3.1 Network Model
We consider a general case in which multiple MANETs co-exist, each comprising nodes of the same group. For simplicity, we use a capital letter, such as A, B, or C, to indicate each MANET and the group it corresponds to. The concrete meanings of groups may vary across different application contexts. For example, each group or the related MANET may correspond to a troop of a different nation, or to a different company or battalion in the same brigade. Hereafter, we will utilize network A as an example to illustrate our MASK design. We denote by $A.i$ the $i$th node of $A$ for $1 \le i \le N_A$, where $N_A$ is the number of nodes in $A$. We assume that each $A.i$ has a unique non-zero network ID $ID_{A.i}$. As discussed before, both $ID_{A.i}$ and node $A.i$’s membership in $A$ should be well protected from adversaries.
Prior to network deployment, a trusted authority (TA) who himself/herself does not enter the network first determines the pairing parameters $(q, G_1, G_2, e)$ along with a group-wise master key $g_A \in \mathbb{Z}_q^*$. The TA then chooses two collision-resistant cryptographic hash functions: $H_1$, mapping strings to non-zero elements in $G_1$, and $H_2$, mapping arbitrary inputs to fixed-length outputs, e.g., SHA-1 [16]. The public system parameters $\langle q, G_1, G_2, e, H_1, H_2 \rangle$ are preloaded to each $A.i$. By contrast, $g_A$ should be well safeguarded from unauthorized access and never be disclosed to ordinary group members dispatched to execute dangerous military actions.
In MASK, nodes substitute pseudonyms for real IDs in communications. If a node uses one pseudonym all the time, it will not help to defend against the passive attacks we have in mind, because the pseudonym will be analyzed the same way as its real ID. Therefore, each node should use dynamic pseudonyms instead. For this purpose, the TA furnishes each $A.i$ with a sufficiently large set $PS_{A.i} = \{PS^k_{A.i} \mid 1 \le k \le |PS_{A.i}|\}$ of collision-resistant pseudonyms.⁵ A pseudonym can be any type of string, and collision-resistance means that all the pseudonyms are different from each other. In addition, each $A.i$ is armed with a corresponding secret point set $SP_{A.i} = \{SP^k_{A.i} = g_A H_1(PS^k_{A.i}) \in G_1 \mid 1 \le k \le |PS_{A.i}|\}$. Due to the difficulty of solving the DLP in $G_1$ (cf. Section 2.2.1), given any $\langle PS^k_{A.i}, SP^k_{A.i} \rangle$ pair, it is impossible to deduce $g_A$ with non-negligible probability.
2.3.2 Anonymous MAC-Layer Communications
In this subsection, we discuss how to achieve anonymous single-hop MAC-layer communications through an anonymous neighborhood authentication protocol.
Anonymous neighborhood authentication. As the name suggests, anonymous authentication allows two neighboring nodes of the same group to identify each other secretly, in the sense that each party reveals its group membership to the other only if the other party is also a group member. This notion bears similarity to the concept of secret handshakes introduced by Balfanz et al. [17]. As an example, node $A.i$ might want to authenticate itself to a neighboring node $x$, but only if $x$ is also a member of group $A$. In addition, if $x$ does not belong to $A$, the authentication protocol should not help $x$ in determining either the real ID ($ID_{A.i}$) of $A.i$ or whether $A.i$ is a member of $A$ or not. As mentioned in [17], realizing anonymous authentication (or secret handshakes) requires new cryptographic protocols, since it cannot be easily accomplished through existing cryptographic tools. For example, authentication techniques based on public-key certificates, such as authenticated two-party Diffie-Hellman key exchange [10], may inevitably disclose either the real IDs of mobile nodes or their group memberships or both, which are either implied or explicitly embedded in public-key certificates. For instance, for its certificate to be verified, a node has to tell the other party the authentic public key of the CA (Certificate Authority) that generated its certificate. Obviously, this would cause the exposure of that node’s group membership, i.e., from which CA it obtained the certificate, no matter whether the other party belongs to the same group or not. In the following, we illustrate a pairing-based anonymous neighborhood authentication protocol, which is an extension of the secret handshake scheme introduced in [17] to MANETs.
⁵ If $X$ is a set, $|X|$ means its cardinality.
Without loss of generality, the authentication process between nodes $A.1$ and $A.2$ is shown below, where $\|$ denotes message concatenation.
$$A.1 \rightarrow A.2:\ PS^i_{A.1},\ n_1$$
$$A.2 \rightarrow A.1:\ PS^j_{A.2},\ n_2,\ V_{2,1} = H_2(n_1 \,\|\, n_2 \,\|\, 0 \,\|\, K_{2,1})$$
$$A.1 \rightarrow A.2:\ V_{1,2} = H_2(n_1 \,\|\, n_2 \,\|\, 1 \,\|\, K_{1,2})$$
$A.1$ starts the protocol by pulling out from $PS_{A.1}$ an unused pseudonym $PS^i_{A.1}$ and locally broadcasts a MAC frame including $PS^i_{A.1}$ and a random nonce $n_1$. Upon seeing the request, $A.2$ also draws an unused pseudonym $PS^j_{A.2}$ from $PS_{A.2}$ and then generates a master key as $K_{2,1} = e(H_1(PS^i_{A.1}), SP^j_{A.2})$. After that, $A.2$ locally broadcasts a reply frame consisting of $PS^j_{A.2}$, a random nonce $n_2$, and the value $V_{2,1}$ shown above. Upon reception of the reply from $A.2$, node $A.1$ calculates a master key as $K_{1,2} = e(H_1(PS^j_{A.2}), SP^i_{A.1})$ as well and checks $V_{2,1} \stackrel{?}{=} H_2(n_1 \,\|\, n_2 \,\|\, 0 \,\|\, K_{1,2})$. According to Eq. (2.1) and the symmetric property of $e$, if and only if both nodes are affiliated with the same group $A$ could they have
$$K_{2,1} = e(H_1(PS^i_{A.1}), H_1(PS^j_{A.2}))^{g_A} = e(H_1(PS^j_{A.2}), H_1(PS^i_{A.1}))^{g_A} = K_{1,2}.$$
As a result, if the verification succeeds, $A.1$ knows that $A.2$ must be an authentic group peer. To authenticate itself to $A.2$, $A.1$ returns the value $V_{1,2}$ shown above. If $V_{1,2} = H_2(n_1 \,\|\, n_2 \,\|\, 1 \,\|\, K_{2,1})$, node $A.2$ can rest assured that $A.1$ belongs to the same group $A$ as itself. Notice that the source and destination addresses of the three involved MAC frames should both be set to a pre-defined universal address such as all 1’s instead of their real network IDs (MAC addresses in this case).
After a successful three-way handshake, A.1 learns that there is a trustable group
peer in its neighborhood, but has no knowledge of the real ID except one of the public
pseudonyms of A.2. So does A.2. If the authentication fails, which may occur for instance
when one of them is an adversarial impersonator, the legitimate one reveals nothing but a
pseudonym to the impersonator. In addition, an adversarial eavesdropper learns nothing
more than some seemingly random numbers from the protocol execution.
Since $A.1$ and $A.2$ have established a shared master key $K_{1,2} = K_{2,1}$, they can proceed to calculate $\Gamma$ pairs of shared session key (Skey) and link identifier (LinkID) as
$$k^{\gamma}_{1,2} = H_2(n_1 \,\|\, n_2 \,\|\, 2\gamma \,\|\, K_{1,2}), \qquad L^{\gamma}_{1,2} = H_2(n_1 \,\|\, n_2 \,\|\, 2\gamma + 1 \,\|\, K_{1,2}), \quad (2.2)$$
where $\Gamma$ is a design parameter, and $k^{\gamma}_{1,2}$ and $L^{\gamma}_{1,2}$ ($1 \le \gamma \le \Gamma$) indicate the $\gamma$th Skey and LinkID, respectively. The collision-resistance of node pseudonyms, $H_1$ and $H_2$ ensures that such <Skey, LinkID> pairs are also collision-resistant, meaning that no identical pairs would be generated by different pairs of nodes or by the same two nodes with different pairs of nonces. In addition, each <Skey, LinkID> pair is only known to the two nodes which established it, and there is no apparent relationship even among the <Skey, LinkID> pairs generated by the same two nodes under the same pair of nonces. Such $\langle k^{\gamma}_{1,2}, L^{\gamma}_{1,2} \rangle$ pairs are to be used in an increasing sequence for subsequent data communications between $A.1$ and $A.2$, as will be explained shortly. Whenever the established $\Gamma$ pairs are used up, $A.1$ and $A.2$ are required to automatically increase both $n_1$ and $n_2$ by one and generate $\Gamma$ new pairs using the computationally efficient hash function $H_2$. Of course, $A.1$ and $A.2$ should have a simple agreement so as to synchronize the use of such pairs.
Similarly, each node can achieve anonymous mutual authentication and establish pairwise shared <Skey, LinkID> pairs with all its neighboring nodes. Notice that if multiple nodes simultaneously answer the same request, MAC-layer collisions may occur. In this chapter, we assume reliable transmission of authentication requests/replies, which can be achieved for instance by using a random delay for which each node has to wait before answering an authentication request.
In our design, we leave the decision of when and whether a node wants to initiate the anonymous neighborhood authentication to the node itself. Ideally, a node should keep track of its neighbors at all times and should perform the authentication whenever it moves to a new place or finds new neighbors. In this case, a neighbor discovery/maintenance mechanism such as the “Hello” messages used in AODV [5] will be necessary. Notice here that although the “Hello” messages are transmitted periodically, the authentication is done only once for each neighbor. A node may also choose not to do the authentication while it is moving constantly and fast. Another option is that a node only initiates the authentication on demand, e.g., when it receives a route discovery message from an unauthenticated neighbor. Purely on-demand authentication could reduce the overhead caused by running the neighborhood authentication protocol, while at the same time it would introduce extra delay into the route discovery process.
We would like to point out that anonymous neighborhood authentication would incur additional computational overhead in contrast to other on-demand routing protocols such as AODV and DSR, which provide neither security nor anonymity guarantees. However, mutual authentication between neighboring nodes is indispensable in MANETs: only with it can a node refuse to accept messages from, or forward messages for, unauthenticated neighbors. Otherwise, adversaries can easily inject bogus messages into the network to deplete scarce network resources as well as to interrupt proper network functionalities. In addition, any two neighboring nodes only need to perform authentication once, and subsequent communications can be encrypted and authenticated using efficient symmetric-key algorithms based on the established shared Skeys. It will be shown in Section 2.4 that anonymous neighborhood authentication can be implemented efficiently without much degrading the routing efficiency.
Anonymous MAC frame exchange. Based on established shared <Skey, LinkID> pairs, two neighboring nodes can easily realize anonymous single-hop MAC-layer communications. In our design, we replace the transmitter and receiver MAC addresses in a conventional MAC frame with a single LinkID. In fact, we will see later that the same LinkID also eliminates the necessity of network addresses. In other words, a conventional MAC frame <MAC addresses, network addresses, data> changes to <LinkID, data> in our scheme.
For example, $A.1$ sends a MAC frame of format $\langle L^1_{1,2}, \{data\}_{k^1_{1,2}} \rangle$, where $\{msg\}_K$ stands for a message $msg$ encrypted under key $K$ using any symmetric-key encryption algorithm such as RC6 [18]. That frame can be heard by all its neighboring nodes, among which only $A.2$ will accept the frame because of its unique sharing of $L^1_{1,2}$ with $A.1$. $A.2$ can decrypt the data with the corresponding Skey $k^1_{1,2}$. Similarly, $A.2$ can reply with a MAC frame $\langle L^2_{1,2}, \{data\}_{k^2_{1,2}} \rangle$. If the MAC protocol in use is contention-based, such as the Distributed Coordination Function (DCF) of IEEE 802.11, the conventional RTS-CTS-DATA-ACK frame exchange is also easy to implement based on pairwise shared LinkIDs to alleviate the notorious hidden and exposed terminal problems.
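The three-way handshake, the Skey/LinkID derivation of Eq. (2.2) and the anonymous frame exchange above, as an added Python example that is not part of the dissertation. It replaces the pairing of Section 2.2.1 with a deliberately insecure toy map over $\mathbb{Z}_q$ (bilinear and symmetric, which is all the key agreement needs, but with a trivial DLP), stands in for RC6 with a SHA-256 keystream, and uses constructed node IDs, master keys and nonces; the group-B node shows what an outsider gets from the protocol.

```python
import hashlib
import hmac
import os

# Toy pairing parameters (constructed for this example; INSECURE).  p = 2q + 1 is a
# safe prime, so g = 4 generates the order-q subgroup of Z_p^* that stands in for
# G2, while G1 is Z_q under addition.  e(a, b) = g^(a*b mod q) is bilinear and
# symmetric, which is all the protocol logic needs; the DLP in it is trivial.
Q, P, G = 1019, 2039, 4
GAMMA = 4  # Γ: number of <Skey, LinkID> pairs derived per handshake


def pairing(a, b):
    """Toy stand-in for the map e: G1 x G1 -> G2."""
    return pow(G, (a * b) % Q, P)


def h1(pseudonym):
    """H1: map a string to a non-zero element of G1 = Z_q."""
    digest = int.from_bytes(hashlib.sha256(pseudonym.encode()).digest(), "big")
    return 1 + digest % (Q - 1)


def h2(*parts):  # H2: fixed-length hash of the '||'-concatenation of its arguments
    return hashlib.sha256(b"||".join(str(part).encode() for part in parts)).digest()


def xor_stream(skey, data):  # toy cipher standing in for RC6: SHA-256 keystream XOR
    stream = b"".join(hashlib.sha256(skey + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))


def ta_issue(master_key, real_id, count):
    """Offline TA step: hand a node its pseudonyms and secret points SP^k = gA*H1(PS^k)."""
    pseudonyms = [f"ps-{os.urandom(8).hex()}" for _ in range(count)]
    return Node(real_id, [(ps, (master_key * h1(ps)) % Q) for ps in pseudonyms])


class Node:
    def __init__(self, real_id, ps_sp_pairs):
        self.real_id, self.unused, self.state = real_id, ps_sp_pairs, None
        self.links = {}  # peer pseudonym -> unused (Skey, LinkID) pairs, in order

    # Message 1:  A.1 -> A.2 : PS^i_{A.1}, n1   (MAC src/dst both set to all-1s)
    def hello(self):
        ps, sp = self.unused.pop(0)
        self.state = (ps, sp, os.urandom(8).hex())
        return ps, self.state[2]

    # Message 2:  A.2 -> A.1 : PS^j_{A.2}, n2, V2,1 = H2(n1 || n2 || 0 || K2,1)
    def answer(self, peer_ps, n1):
        ps, sp = self.unused.pop(0)
        n2, k = os.urandom(8).hex(), pairing(h1(peer_ps), sp)  # K2,1 = e(H1(PS^i), SP^j)
        self.state = (peer_ps, n1, n2, k)
        return ps, n2, h2(n1, n2, 0, k)

    # Message 3:  A.1 -> A.2 : V1,2 = H2(n1 || n2 || 1 || K1,2), after checking V2,1
    def verify_answer(self, peer_ps, n2, v21):
        ps, sp, n1 = self.state
        k = pairing(h1(peer_ps), sp)  # K1,2 = e(H1(PS^j_{A.2}), SP^i_{A.1})
        if not hmac.compare_digest(v21, h2(n1, n2, 0, k)):
            return None  # not a group peer: it learned nothing but a pseudonym
        self.install(peer_ps, n1, n2, k)
        return h2(n1, n2, 1, k)

    def verify_final(self, v12):
        peer_ps, n1, n2, k = self.state
        if v12 is None or not hmac.compare_digest(v12, h2(n1, n2, 1, k)):
            return False
        self.install(peer_ps, n1, n2, k)
        return True

    def install(self, peer_ps, n1, n2, k):
        # Eq. (2.2): k^γ = H2(n1||n2||2γ||K), L^γ = H2(n1||n2||2γ+1||K), 1 <= γ <= Γ
        self.links[peer_ps] = [(h2(n1, n2, 2 * g, k), h2(n1, n2, 2 * g + 1, k))
                               for g in range(1, GAMMA + 1)]

    # Anonymous MAC frame <LinkID, {data}_Skey>: it carries no MAC or network address.
    def send_frame(self, peer_ps, data):
        skey, link_id = self.links[peer_ps].pop(0)  # pairs are consumed in sequence
        return link_id, xor_stream(skey, data)

    def receive_frame(self, frame):
        link_id, ciphertext = frame
        for pairs in self.links.values():
            if pairs and pairs[0][1] == link_id:  # only the LinkID's co-owner accepts
                return xor_stream(pairs.pop(0)[0], ciphertext)
        return None  # to every other listener the frame is a random-looking blob


def demo():
    """Two group-A peers authenticate and exchange a frame; a group-B node fails."""
    a1, a2 = ta_issue(777, "ID_A.1", 4), ta_issue(777, "ID_A.2", 4)  # gA = 777
    b1 = ta_issue(123, "ID_B.1", 4)                                   # gB = 123
    ps1, n1 = a1.hello()
    ps2, n2, v21 = a2.answer(ps1, n1)
    v12 = a1.verify_answer(ps2, n2, v21)  # A.1 now trusts A.2 as a group peer ...
    peer_ok = a2.verify_final(v12)        # ... and A.2 trusts A.1
    frame = a1.send_frame(ps2, b"hold position")
    plaintext, dropped = a2.receive_frame(frame), b1.receive_frame(frame)
    psb, nb, vb = b1.answer(*a1.hello())  # B.1 answers a fresh hello from A.1
    outsider = a1.verify_answer(psb, nb, vb)  # master keys differ, so V2,1 fails
    return peer_ok, plaintext, dropped, outsider
```

The real IDs stored in each node never appear on the air: only pseudonyms, nonces and hash values are exchanged, and the B.1 node ends up holding nothing but one pseudonym of A.1.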
Since the real IDs of mobile nodes are kept confidential in anonymous neighborhood authentication and the subsequent local MAC frame exchange, we have successfully realized anonymous single-hop MAC-layer communications. In other words, local transmitter and receiver anonymity and their relationship anonymity have been achieved. Also notice that our anonymous neighborhood authentication protocol ensures both node unlocatability and untrackability at the same time.
2.3.3 Anonymous Network-Layer Communications
Network-layer communications, most likely multi-hop, rely on routing protocols to find end-to-end routing paths between any source-destination pair and relay packets in a hop-by-hop manner en route from the source to the destination. To realize anonymous network-layer communications, we present here an anonymous on-demand routing protocol, called MASK, to establish a sequence of <Skey, LinkID> pairs between any source and destination pair.
[Figure 2–1: Anonymous route discovery with a route reply generated by the destination A.4. The figure shows the chain A.1, A.2, A.3, A.4: the ARREQ <ARREQ, 1001, $ID_{A.4}$, 50, PS> rebroadcast hop by hop with each node’s own pseudonym substituted; the ARREPs <$L^9_{3,4}$, ARREP, $ID_{A.4}$, 51>, <$L^7_{2,3}$, ...> and <$L^5_{1,2}$, ...> returned along the reverse path; the reverse route tables of A.2 and A.3 (dest_id, destSeq, pre-hop-pseudonym); the forwarding route tables of A.1, A.2 and A.3 (dest_id, destSeq, pre-LinkID-list, next-LinkID-list) holding $L^6_{1,2}$, $L^8_{2,3}$ and $L^{10}_{3,4}$; and the target LinkID table of A.4 holding $L^{10}_{3,4}$.]
In our MASK, each node maintains the following data structures:
• Forwarding route table: A table consisting of entries of format <dest_id, destSeq, pre-LinkID-list, next-LinkID-list>, where dest_id is the real ID of the destination and destSeq⁶ is the corresponding node sequence number. The pre-LinkID-list is the set of pre-hop LinkIDs from which packets destined for dest_id may come, and next-LinkID-list is the set of next-hop LinkIDs to which packets destined for dest_id are supposed to be forwarded.
• Reverse route table: A table consisting of entries of format <dest_id, destSeq, pre-hop-pseudonym>, based on which route replies are relayed back to the source.
• Target LinkID table: A table consisting of selected LinkIDs shared with neighbors. The current node is the final destination (end-to-end) for the packets bearing the LinkIDs in its target LinkID table.
An appropriate timer is associated with each entry of the above tables, and an entry should be recycled when its timer expires.
Anonymous route discovery. Without loss of generality, we illustrate the anonymous route discovery process in MASK using the simple chain topology shown in Fig. 2–1, where nodes $A.1$, $A.2$, $A.3$, and $A.4$ are assumed to be using pseudonyms $PS^1_{A.1}$, $PS^2_{A.2}$, $PS^3_{A.3}$, and $PS^4_{A.4}$, respectively, in their current places. To ease the presentation, we further assume that each node has finished anonymous mutual authentication using the same pseudonym with all its neighboring nodes and has established shared <Skey, LinkID> pairs with them.
⁶ The maintenance of node sequence numbers strictly follows the steps defined in AODV [5].
Similar to other on-demand routing protocols, our anonymous route discovery starts with broadcasting route request messages when a node has a packet for a certain destination but does not know a path to that destination. An anonymous route request (ARREQ) has the format <ARREQ, ARREQ_id, dest_id, destSeq, $PS_{src}$>, where dest_id is the real ID of the destination,⁷ ARREQ_id is a globally unique value that uniquely identifies an ARREQ, destSeq is set to the last known sequence number for the destination or to an unknown flag if needed, and $PS_{src}$ is the active pseudonym of the source. To be consistent with the aforementioned MASK packet format, a predefined LinkID such as all 1’s should be used to identify the ARREQ, which is not shown for brevity. In the shown example, the ARREQ takes the form <ARREQ, 1001, $ID_{A.4}$, 50, $PS^1_{A.1}$>. When an intermediate node, say node $A.2$, receives an ARREQ message for the first time, it inserts into its reverse route table an entry recording where this ARREQ comes from, and then rebroadcasts the ARREQ after replacing the embedded pseudonym $PS^1_{A.1}$ with its currently used one, i.e., $PS^2_{A.2}$. ARREQs with previously seen ARREQ_ids are simply discarded.⁸ This process continues until all the nodes in the network have rebroadcast the ARREQ once.
⁷ ARREQ_id could be generated by applying a collision-resistant hash function like SHA-1 [16] to the concatenation of a node’s pseudonym, sequence number, and a timestamp.
⁸ Note that ARREQ flooding is supposed to finish within a limited period, so that each node does not need to keep too many old ARREQ_ids.
It is worth noting that in the propagation of ARREQs, the real IDs of the source and all the intermediate nodes are concealed, while the real ID of the destination has to be exposed. In traditional on-demand routing protocols such as AODV [5], the destination itself and any intermediate node which has a valid routing entry to the destination do not need to rebroadcast the route request message. However, that design allows adversaries to identify the destination node easily by monitoring the activities at each node: every node broadcasts the route request once except the destination and/or some nodes having routes to the destination. Therefore, in our design, every node, including the destination and qualified intermediate nodes, needs to rebroadcast the ARREQ message once. This will effectively hide the whereabouts of the destination: even though adversaries know that there is such a node, they will have difficulty matching the dest_id ($ID_{A.4}$ in this case) to any of the nodes in the network. Note that the overhead introduced by this modification is minimal: in a route discovery protocol using flooding, every node needs to broadcast once anyway except the destination and qualified intermediate nodes. So the extra overhead introduced is only one or a few more transmissions by the destination and the intermediate nodes which can reply.
An anonymous route reply (ARREP) can be generated and sent back to the source at the destination or at any intermediate node which has a valid route to the destination. Fig. 2–1 demonstrates the case in which a route reply is generated by the destination $A.4$ itself. Once it receives an ARREQ toward itself, $A.4$ can generate an ARREP to be unicast back to the source following the reverse route established before. In our design, an ARREP packet is of the format $\langle LinkID, \{ARREP, dest\_id, destSeq\}_{Skey} \rangle$, where LinkID is the next-to-be-used LinkID shared between the destination and the pre-hop node from which the ARREQ came, and the corresponding Skey is used to encrypt the packet content so that adversaries cannot recognize that this is an ARREP corresponding to the previously observed ARREQ. In the shown example, the ARREP is of the form $\langle L^9_{3,4}, \{ARREP, ID_{A.4}, 51\}_{k^9_{3,4}} \rangle$. As noted before, only the intended receiver $A.3$ will be able to interpret $L^9_{3,4}$ and decrypt the packet content accordingly. To a passive eavesdropper, $L^9_{3,4}$ only appears to be some meaningless random number, and it has no idea what the packet is about or to whom the packet is sent. Moreover, $A.4$ adds $L^{10}_{3,4}$ to its target LinkID table. The reason for inserting $L^{10}_{3,4}$ instead of $L^9_{3,4}$ is to prevent adversaries from identifying the relationship between this ARREP packet and subsequent data packets. Later on, when seeing a packet identified by $L^{10}_{3,4}$, $A.4$ knows that it is the end-to-end destination of that packet. An intermediate node can also generate an ARREP if it has a forward route entry for the dest_id with destSeq equal to or larger than that contained in the received ARREQ. The node needs to prepare an ARREP packet to be sent to its pre-hop node as well. Unlike the destination, the intermediate node need not modify its target LinkID table. This case is straightforward and not shown for lack of space.
For a node on the reverse path, say A.3, when receiving an ARREP $\langle L^{9}_{3,4}, ARREP,
ID_{A.4}, 51 \rangle_{k^{9}_{3,4}}$ from its next-hop, A.3 will discard it if the embedded destSeq, 51 in this
case, is smaller than that in its reverse route table. Otherwise, A.3 will decrypt the ARREP,
then form and transmit a new ARREP $\langle L^{7}_{2,3}, ARREP, ID_{A.4}, 51 \rangle_{k^{7}_{2,3}}$. Here
$\langle k^{7}_{2,3}, L^{7}_{2,3} \rangle$ is the next-to-be-used $\langle Skey, LinkID \rangle$ pair shared between A.3 and the
pre-hop node “$PS^{2}_{A.2}$” (in fact, node A.2) stored in its reverse route table. A.3 also needs to
update its forwarding route table as follows. If it does not have an entry for $ID_{A.4}$, a new
entry will be created. Or if the entry for $ID_{A.4}$ has a smaller destSeq than that in the ARREP,
the old entry will be replaced with the new information, i.e., dest_id, destSeq, pre-LinkID-list,
and next-LinkID-list will be set to $ID_{A.4}$, the destSeq in the ARREP, $L^{8}_{2,3}$, and $L^{10}_{3,4}$,
respectively. If A.3 already has an entry for $ID_{A.4}$, and the new destSeq in the ARREP is
equal to the old one, it updates the route entry by appending $L^{10}_{3,4}$ and $L^{8}_{2,3}$ to the
next-LinkID-list and pre-LinkID-list fields of its forwarding route entry, respectively. Therefore,
MASK may simultaneously maintain several next-hop and pre-hop LinkIDs for one dest_id (called
virtual multipath functionality in this chapter) in the forwarding route table. This operation
differs from that of AODV [5], in which a node suppresses route replies with the same
destination sequence number. The reason for adopting this design will be stated in the
subsequent subsection. Also notice that the LinkIDs inserted into forwarding route tables are
always the ones following those used to identify the ARREPs, so that adversaries cannot
correlate the ARREPs with subsequent data packets. The above process continues until the
ARREP reaches the source A.1. An exception in the route reply process is that, in MASK, since
each node is required to rebroadcast the ARREQ message no matter whether it replies or
not, the ARREPs coming back to an intermediate node which replied before may present
inconsistent state information that may cause routing loops. Therefore, we require that
intermediate nodes which have already replied ignore route replies with the same
destSeq.
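The ARREP processing rule just described (stale-reply check, forwarding-table create/replace/append, and the "next" LinkID going into the table), worked as an added example that is not the dissertation's code. The LinkID labels, the pair indices, the assumption that both the reply pair and the following pair are consumed per packet, and the omission of Skey encryption are all constructed simplifications.

```python
"""Intermediate-node processing of an anonymous route reply (ARREP), constructed example."""
from dataclasses import dataclass, field


def linkid(i: int, a: str, b: str) -> str:
    """Label of the i-th LinkID shared by nodes A.a and A.b, written like the text's L^{i}_{a,b}."""
    a, b = sorted((a, b), key=int)
    return f"L^{{{i}}}_{{{a},{b}}}"


@dataclass
class FwdEntry:                 # forwarding route entry for one dest_id
    dest_seq: int
    pre_links: list = field(default_factory=list)    # pre-LinkID-list
    next_links: list = field(default_factory=list)   # next-LinkID-list


@dataclass
class RevEntry:                 # reverse route entry left behind by the forwarded ARREQ
    dest_seq: int
    pre_hop: str                # neighbour the ARREQ came from (known to us only by pseudonym)


class Node:
    def __init__(self, name: str, pair_idx: dict):
        self.idx = name.split(".")[1]
        self.pairs = dict(pair_idx)   # neighbour -> index of the next-to-be-used <Skey, LinkID> pair
        self.reverse: dict = {}       # dest_id -> RevEntry
        self.forward: dict = {}       # dest_id -> FwdEntry
        self.replied: set = set()     # dest_ids for which this node already sent its own ARREP

    def current_link(self, nb: str) -> str:
        return linkid(self.pairs[nb], self.idx, nb.split(".")[1])

    def process_arrep(self, arrep: tuple):
        """Return the ARREP to unicast to the pre-hop, or None if this one is ignored.
        Skey encryption of the fields after the LinkID is omitted in this model."""
        link, _, dest_id, dest_seq = arrep
        nb = next((n for n in self.pairs if self.current_link(n) == link), None)
        rev = self.reverse.get(dest_id)
        if nb is None or rev is None:          # LinkID not ours or no reverse route: noise to us
            return None
        if dest_seq < rev.dest_seq:            # stale reply: discard
            return None
        if dest_id in self.replied and dest_seq == rev.dest_seq:   # loop-avoidance rule
            return None
        rev.dest_seq = dest_seq
        nb_i = self.pairs[nb]                  # pair nb_i identified the received ARREP ...
        next_link = linkid(nb_i + 1, self.idx, nb.split(".")[1])   # ... pair nb_i+1 goes in the table
        pre_hop = rev.pre_hop
        pre_i = self.pairs[pre_hop]
        out_link = self.current_link(pre_hop)                       # identifies our own ARREP
        pre_link = linkid(pre_i + 1, self.idx, pre_hop.split(".")[1])
        self.pairs[nb] = nb_i + 2              # assumption: both pairs consumed (per-packet change)
        self.pairs[pre_hop] = pre_i + 2
        entry = self.forward.get(dest_id)
        if entry is None or entry.dest_seq < dest_seq:
            self.forward[dest_id] = FwdEntry(dest_seq, [pre_link], [next_link])
        else:   # equal destSeq: keep the extra route (virtual multipath), unlike AODV's suppression
            entry.pre_links.append(pre_link)
            entry.next_links.append(next_link)
        return (out_link, "ARREP", dest_id, dest_seq)
```

Fed the text's own example (A.3 receiving $\langle L^{9}_{3,4}, ARREP, ID_{A.4}, 51\rangle$), the node emits $\langle L^{7}_{2,3}, \dots\rangle$ and stores $L^{8}_{2,3}$ / $L^{10}_{3,4}$; a second reply with the same destSeq from another neighbour is appended rather than suppressed.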
Notice that in the route reply process, all the ARREP packets are encrypted and
identified by the LinkIDs which are only interpretable by the intended local receivers. A
passive eavesdropper might see discrete transmissions everywhere but it will not be able to
tell the content of a particular transmission, nor can it tell who is transmitting and who
is receiving.

[Figure 2–2: Anonymous hop-by-hop packet forwarding from A.1 to A.4. Nodes A.1 through A.6 are joined by directed links labelled with their LinkIDs (e.g. $L^{6}_{1,2}$, $L^{8}_{2,3}$, $L^{10}_{3,4}$, $L^{15}_{4,6}$); A.4's target LinkID table holds $L^{10}_{3,4}$, and two packets are traced along different paths.]

For an internal adversary who happens to reside in the reverse route to the
source, due to the anonymous neighborhood authentication, what it can learn is the ID of
the destination, but not which and where that destination is even when the destination is
its neighbor.
Anonymous packet forwarding. The packet forwarding in MASK is more like a
virtual circuit switching process. By looking up in the forwarding route table, the source
picks a random LinkID from the next-LinkID-list field in the entry for the destination. A
packet is then formed and sent to the next-hop neighbor that shares the chosen LinkID.
As noted before, a packet is of format <LinkID, data>, where the data part carries other
protocol and application data. Depending on different applications, the data part can
be end-to-end encrypted and/or authenticated using cryptographic methods. Or it can
be encrypted and authenticated by the Skey corresponding to the LinkID. When seeing
such a packet, the first intermediate node sharing the embedded LinkID needs to change
it to one randomly selected from its next-LinkID-list field of the forwarding route entry
in which the embedded LinkID matches one of the values in the pre-LinkID-list. It then
re-unicasts the packet to the chosen next hop. Following this process, a packet can finally
reach the destination which will terminate the forwarding when finding the LinkID in its
target LinkID table.
An example of anonymous packet forwarding is depicted in Fig. 2–2, in which a set
of forwarding links (denoted by directional solid lines) have been established, each labelled
by its respective LinkID. The incoming and outgoing links of a node constitute the
pre-LinkID-list and next-LinkID-list fields of its forwarding route entry for the destination
A.4, respectively. As we can see, due to the random selection of next-hop LinkIDs at each
intermediate node, MASK has the nice traffic-mixing property that packets of the same
flow may travel through different paths to the destination. This makes it more difficult
for adversaries to correlate observed radio transmissions to acquire actual network traffic
patterns. It also increases the difficulty of adversaries in tracing a packet en route from its
original source to the final destination. The shortcoming is that MASK does not always use
the best path, e.g., the shortest-hop path, for packet forwarding, so it may introduce extra
delay and/or delay jitter. However, for security-sensitive MANETs demanding anonymity
protection, we argue that this tradeoff of routing efficiency for anonymity is acceptable. In
addition, we will see in Section 2.4.2 that such random packet forwarding can help improve
the routing performance under heavy traffic load.
When all the next-hop nodes for one destination become unavailable due to mobility
or other reasons, a node needs to locally broadcast an anonymous route error (ARRER)
packet of format <ARRER, pre-LinkID-list> to inform its up-stream nodes; the packet is again
identified by a predefined universal LinkID consisting of all 1's. Any neighboring node which
has one of the LinkIDs in the received pre-LinkID-list should remove it from the next-
LinkID-list field of its corresponding forwarding route entry. If its own next-LinkID-list
becomes empty as well, it should also broadcast a similar ARRER packet. When the source
has no available next-hop LinkIDs for the destination, it should restart the anonymous
routing discovery process.
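The forwarding and ARRER rules of the two passages above, as an added example that is not the dissertation's code: the node set, LinkID labels and dest_id are constructed and only loosely follow Fig. 2–2, and a packet is modelled as the LinkID alone since only the LinkID matters for forwarding.

```python
"""MASK-style anonymous hop-by-hop forwarding and ARRER handling (constructed example)."""
import random
from dataclasses import dataclass, field


@dataclass
class Node:
    """Per-destination forwarding route entry fields plus the target LinkID table."""
    name: str
    pre: dict = field(default_factory=dict)    # dest_id -> set of pre-LinkIDs (incoming links)
    nxt: dict = field(default_factory=dict)    # dest_id -> list of next-LinkIDs (outgoing links)
    target: set = field(default_factory=set)   # LinkIDs for which this node is the destination


def add_link(src: Node, dst: Node, dest_id: str, link_id: str, terminal: bool = False) -> None:
    """Install one forwarding link src -> dst for dest_id, labelled by the LinkID the two share."""
    src.nxt.setdefault(dest_id, []).append(link_id)
    if terminal:
        dst.target.add(link_id)                 # destination: LinkID goes to its target table
    else:
        dst.pre.setdefault(dest_id, set()).add(link_id)


def build_network() -> dict:
    """Constructed topology loosely modelled on Fig. 2-2 (not the figure's exact link set)."""
    net = {n: Node(n) for n in ("A.1", "A.2", "A.3", "A.4", "A.5", "A.6")}
    d = "ID_A.4"
    add_link(net["A.1"], net["A.2"], d, "L6_12")
    add_link(net["A.1"], net["A.5"], d, "L7_15")
    add_link(net["A.2"], net["A.3"], d, "L8_23")
    add_link(net["A.5"], net["A.3"], d, "L11_53")
    add_link(net["A.3"], net["A.4"], d, "L10_34", terminal=True)
    add_link(net["A.3"], net["A.6"], d, "L13_36")
    add_link(net["A.6"], net["A.4"], d, "L15_64", terminal=True)
    return net


def receiver_of(net: dict, link_id: str) -> Node:
    """Only the neighbour sharing link_id recognises it; to everyone else it is a random value."""
    for node in net.values():
        if link_id in node.target or any(link_id in s for s in node.pre.values()):
            return node
    raise LookupError(f"no node shares {link_id}")


def forward(net: dict, src: str, dest_id: str, rng: random.Random):
    """Send one <LinkID, data> packet from src; return (nodes traversed, LinkIDs seen on the air)."""
    node, path, on_air = net[src], [src], []
    while True:
        choices = node.nxt.get(dest_id, [])
        if not choices:
            raise RuntimeError(f"{node.name} has no next-hop LinkID for {dest_id}")
        link_id = rng.choice(choices)           # random next-hop choice = traffic mixing
        on_air.append(link_id)
        node = receiver_of(net, link_id)
        path.append(node.name)
        if link_id in node.target:              # destination: forwarding terminates here
            return path, on_air
        # otherwise the LinkID matched a pre-LinkID-list entry: swap it and re-unicast (next loop)


def route_error(net: dict, failed: Node, dest_id: str) -> list:
    """ARRER propagation after `failed` loses every next hop for dest_id.
    Returns the nodes that broadcast an ARRER, in order; if the source is among
    them it has no next-hop LinkID left and must restart route discovery."""
    failed.nxt[dest_id] = []
    broadcasters, queue = [], [failed]
    while queue:
        node = queue.pop(0)
        broadcasters.append(node.name)
        pre_list = node.pre.get(dest_id, set())   # carried in <ARRER, pre-LinkID-list>
        for up in net.values():                    # neighbours holding one of those LinkIDs
            nl = up.nxt.get(dest_id)
            if not nl:
                continue
            up.nxt[dest_id] = [l for l in nl if l not in pre_list]
            if not up.nxt[dest_id]:                # its own list emptied: it must broadcast too
                queue.append(up)
    return broadcasters
```

Over repeated sends the same A.1 to A.4 flow is spread over all four available paths, and every hop shows a different LinkID on the air; when A.3 loses both of its next hops the ARRER cascades back through A.2 and A.5 to the source.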
2.3.4 Countermeasures against Attacks
Up to now, we have described the basic operations of MASK with a focus on how to
provide anonymity in neighborhood authentication, route discovery, and packet forwarding.
In what follows, we describe some security enhancements and discuss more attacks that
MASK is able to defend against.
Message coding attack. The message coding attack happens when adversaries can
easily link and trace packets that do not change their contents or lengths during
transmission. Two countermeasures are designed in MASK to cope with this kind of attack.
First, intermediate nodes apply random padding to every forwarded packet to prevent the
attack that exploits a fixed packet length; they can randomly adjust both the length and the
content of the padding. Second, the per-hop link encryption
method through established pairwise Skeys can be used in MASK as well. The purpose
here is to make the same packet appear quite different across links.
Flow recognition and message replay attacks. The flow recognition attack occurs
when adversaries can recognize packets belonging to the same communication flow. Notice
that, in MASK, the same packet bears completely different and uncorrelated LinkIDs when
transmitted across different hops. Therefore, it is not possible to trace a packet by its
LinkID. However, if the packets belonging to a single flow always use the same LinkID at the
same hop, adversaries may obtain some useful information. Fortunately, the aforementioned
random packet forwarding can partially mitigate this attack. In fact, an intermediate node
works as a multiplexer which takes inputs from multiple pre-links, mixes them together,
and sends them out to multiple next-links. In addition, we require that two neighboring
nodes automatically change their currently-used shared LinkID either on a per-packet basis
or periodically. In doing so, MASK leaves adversaries a dynamic set of LinkIDs for the
same flow at each hop. Moreover, dynamic LinkIDs at each hop effectively thwart the
message replay attack, in which adversaries replay an old packet repeatedly to learn
the packet forwarding pattern.
Timing analysis attack. Suppose adversaries can divide the monitored area into
small cells. They might ascertain that one source or destination exists in one cell by
observing that no packets go into or come out of that cell while some packets come out of
or go into that cell during a certain time interval. In addition, adversaries might guess that
two consecutive radio transmissions belong to the same communication flow. These attacks
belong to the category of the timing analysis attack.
In MASK, packets transmitted in the air are only identified by seemingly random
LinkIDs. When network traffic load is high and every node is busy in transmitting and
receiving, all the transmissions will be mixed together, which leads to very difficult timing
analysis. However, when the traffic load is light, several precautions need to be taken
against the timing analysis attack just described. First, when a destination receives a packet
destined for it, it can forge a packet with a fake LinkID and forward it further. By doing
so, it tries to fool adversaries into believing that the observed radio transmission does not
end at the destination. The destination can also use genuine LinkIDs to ask its trusted
neighbors to help further enlarge the suspicious area viewed by adversaries. Second, a
packet needs to wait a random amount of time before being forwarded, so that an earlier-arriving
packet may be forwarded after a later arrival. Last, even without being involved in any
communications, nodes can send dummy packets [19] with fake LinkIDs at random intervals
to increase the difficulty of adversaries in determining the originating and terminating areas
of observed radio transmissions. The purpose here is to introduce more randomness into the
radio transmissions so as to conceal the real network traffic patterns, at the cost of increased
communication overhead.
2.3.5 Replenishing Pseudonym/Secret Point Pairs
In our MASK, each node is required to use dynamic pseudonym/secret point pairs.
If the network has a rather long lifetime, however, a node may sooner or later use up the
preloaded pseudonym/secret point pairs. If this occurs, a node can reuse old pairs, starting
from the first one. This measure can prevent adversaries from continuously tracking the
movement of individual nodes if there are sufficiently many preloaded pairs. Nevertheless,
it may still offer useful attack clues to powerful adversaries: adversaries may roughly ascertain
the movement of certain nodes by observing that a pre-recorded pseudonym reappears
at a certain network location.
To avoid the above situation and ensure strong anonymity protection, it is necessary
to introduce the TA functionality into the network, whereby mobile nodes can get replenishment
of pseudonym/secret point pairs. Since using a single TA suffers from a single point
of failure, we propose to employ Shamir's secret-sharing technique [15] to enable a more
scalable, secure solution. To do this, the TA executes the following additional operations
when bootstrapping network A:
1. Determine a $(t-1)$-degree ($1 \le t \le N_A$) polynomial $h(x) = g_A + \sum_{i=1}^{t-1} a_i x^i$, with
random coefficients $a_i \in Z_q^*$ and $g_A$ being the group master key.
2. Select n ($t \le n \le N_A$) nodes from A, either without distinction or by considering node
heterogeneity and choosing physically more secure or computationally more powerful
ones. We call these nodes shareholders, denoted by $SH = \{SH.k \mid 1 \le k \le n\}$.
3. Calculate n shares of $g_A$ as $g_k = h(ID_{SH.k})$ and assign $g_k$ to SH.k.
4. Choose an arbitrary generator $W \in G_1$ and compute a set of share commitments
$SC = \{W^{pub}_k = g_k W \in G_1 \mid 1 \le k \le n\}$.
SH, SC and W are appended to the public system parameters known to every node.
An interesting fact is that, although no single SH.k has full knowledge of $g_A$, any
t of them can collectively reconstruct $g_A$, while any fewer than t cannot. For example, based
on Lagrange interpolation, shareholders SH.1, SH.2, ..., SH.t can determine $g_A$:
$$g_A = \sum_{i=1}^{t} \lambda_i g_i, \quad \text{where } \lambda_i = \prod_{j=1, j \ne i}^{t} \frac{ID_{SH.j}}{ID_{SH.j} - ID_{SH.i}}. \qquad (2.3)$$
During network operation, when a node, say A.1, almost runs out of preloaded pseudonym/secret
point pairs, it can get replenishment by sending a request including the list of desired new
pseudonyms to each of t randomly-picked shareholders. Without loss of generality, assume
that shareholders SH.1, SH.2, ..., SH.t are selected by A.1. For each pseudonym $PS^{x}_{A.1}$ in
the request, each chosen SH.i generates a partial secret point $SP^{x,i}_{A.1} = g_i H_1(PS^{x}_{A.1})$ and sends
it back to A.1. To verify the authenticity of each $SP^{x,i}_{A.1}$, A.1 needs to check whether
$e(SP^{x,i}_{A.1}, W) = e(H_1(PS^{x}_{A.1}), W^{pub}_i)$. Notice that, due to Eq. (2.1), the two sides of the
equation are equal to the same value $e(H_1(PS^{x}_{A.1}), W)^{g_i}$ if $SP^{x,i}_{A.1}$ is authentic. As a
result, if the verification fails, A.1 knows that there must be something wrong with SH.i. For
example, the reply from SH.i might have undergone transmission errors, or SH.i itself might
have been physically or logically controlled by adversaries. A.1 can then request a new partial
secret point from another, unselected shareholder. Once it has obtained t authentic partial
secret points, A.1 utilizes Eq. (2.3) to calculate the complete secret point:
$$SP^{x}_{A.1} = \sum_{i=1}^{t} \lambda_i SP^{x,i}_{A.1} = g_A H_1(PS^{x}_{A.1}) \qquad (2.4)$$
As before, node A.1 cannot deduce $g_i$ from $SP^{x,i}_{A.1}$, nor can it obtain $g_A$ from $SP^{x}_{A.1}$,
due to the difficulty of solving the DLP in $G_1$. It is worth noting that all the requests and
replies should be end-to-end encrypted and authenticated to prevent adversarial access
and modification. How to achieve this is beyond the scope of this chapter.
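The threshold steps above, worked in code as an added example that is not the dissertation's implementation: Shamir sharing of $g_A$ over $Z_q$ with the Lagrange coefficients of Eq. (2.3), and the combination of partial secret points of Eq. (2.4). The pairing groups are replaced by a toy order-q subgroup modulo $p = 2q+1$, so the scalar multiplication $g_i H_1(PS)$ becomes exponentiation and the pairing-based check $e(SP^{x,i}_{A.1}, W) = e(H_1(PS^{x}_{A.1}), W^{pub}_i)$ is not modelled; q, p, the hash stand-in H1 and all share values are constructed.

```python
"""Threshold replenishment of secret points (Sec. 2.3.5), constructed toy-group example."""
import hashlib

# Constructed parameters: the dissertation uses a 160-bit q and pairing groups G1, G2.
q = 1019            # prime order; polynomial coefficients and shares live in Z_q
p = 2 * q + 1       # 2039 is prime, so the quadratic residues mod p form a group of order q


def h_poly(x: int, gA: int, coeffs: list) -> int:
    """Step 1: h(x) = g_A + a_1 x + ... + a_{t-1} x^{t-1} mod q (coeffs = [a_1, ..., a_{t-1}])."""
    return (gA + sum(a * pow(x, i, q) for i, a in enumerate(coeffs, start=1))) % q


def make_shares(gA: int, coeffs: list, ids: list) -> dict:
    """Step 3: share g_k = h(ID_SH.k) for each shareholder identity in ids."""
    return {sid: h_poly(sid, gA, coeffs) for sid in ids}


def lagrange_coeffs(ids: list) -> dict:
    """lambda_i = prod_{j != i} ID_j / (ID_j - ID_i) mod q, as in Eq. (2.3)."""
    lam = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num = num * j % q
                den = den * (j - i) % q
        lam[i] = num * pow(den, -1, q) % q
    return lam


def reconstruct(shares: dict) -> int:
    """Eq. (2.3): any t shares give g_A = sum_i lambda_i g_i; fewer give an unrelated value."""
    lam = lagrange_coeffs(list(shares))
    return sum(lam[i] * g for i, g in shares.items()) % q


def H1(pseudonym: str) -> int:
    """Stand-in for the map-to-G1 hash H1: a quadratic residue mod p derived from SHA-256."""
    x = int.from_bytes(hashlib.sha256(pseudonym.encode()).digest(), "big") % (p - 2) + 2
    return pow(x, 2, p)


def partial_point(share: int, pseudonym: str) -> int:
    """SP^{x,i} = g_i H1(PS^x): scalar multiplication in G1, modelled here as exponentiation mod p."""
    return pow(H1(pseudonym), share, p)


def combine_points(partials: dict) -> int:
    """Eq. (2.4): sum_i lambda_i SP^{x,i} = g_A H1(PS^x); the requester never sees g_A or any g_i."""
    lam = lagrange_coeffs(list(partials))
    result = 1
    for i, sp in partials.items():
        result = result * pow(sp, lam[i], p) % p
    return result


def demo() -> bool:
    """Three of five shareholders replenish one secret point; two shares do not recover g_A."""
    gA, coeffs, ids = 123, [45, 678], [1, 2, 3, 4, 5]        # t = 3, n = 5 (constructed values)
    shares = make_shares(gA, coeffs, ids)
    chosen = {i: partial_point(shares[i], "PS^x_A.1") for i in (2, 4, 5)}
    full = combine_points(chosen)
    return full == pow(H1("PS^x_A.1"), gA, p) and reconstruct({1: shares[1], 2: shares[2]}) != gA
```

With the constructed polynomial $h(x) = 123 + 45x + 678x^2 \bmod 1019$ the five shares are 846, 887, 246, 961 and 994; any three of them interpolate back to 123, while two of them give 805.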
In terms of the choice of the secret-sharing parameters t, n, we have shown in [20] that
the maximum security is obtained when $t = \lceil n/2 \rceil$ and n is equal to either
$2\lceil (N_A - 2)/5 \rceil - 1$ or $2\lfloor (N_A + 3)/5 \rfloor - 1$. Currently, we are investigating
proactive approaches to further improve the security of the proposed scheme, e.g., by
dynamically adjusting the shareholder set and the values of t, n to allow dynamic node
join/leave without changing $g_A$ while maintaining the highest level of security.

Table 2–1: Processing timings of cryptographic operations.
  Item                                   Processing timings
  Tate pairing                           8.5 ms
  SHA-1                                  18.980 MB/s
  Computation of <Skey, LinkID> pairs    2.4 ms (for 1000 pairs)
  RC6                                    7.111 MB/s
2.4 Performance Evaluation
In this section, we evaluate the routing performance of MASK through simulations.
2.4.1 Simulation Setup
We implement MASK in GloMoSim [21], a popular network simulator for MANETs,
and the pairing implementation is based on MIRACL library [22]. The bilinear map e we use
is the Tate pairing, with some of the modifications and performance improvements described
in [12, 14]. We use two security parameters, a 160-bit Solinas prime $q = 2^{159} + 2^{17} + 1$ and
a 512-bit prime $p = 12qr - 1$ (for some r large enough to make p the correct size). Such
bit-length configurations of q, p deliver a level of security comparable to 1024-bit RSA
cryptography. The elliptic curve E we use is $y^2 = x^3 + x$ defined over the finite field $F_p$
(denoted by $E(F_p)$). Then $G_1$ is a q-order subgroup of the additive group of points of
$E(F_p)$, while $G_2$ is a q-order subgroup of the multiplicative group of the finite field $F^*_{p^2}$.
In addition, we use SHA-1 [16] as the hash function H2 and RC6 [18] as the encryption
method used for ARREPs and data packets.
We evaluate the computational costs of critical cryptographic operations in MASK on
a Pentium III 1 GHz processor under Windows 2000. For convenience only, we assume the
lengths of node pseudonyms, random nonces, Γ, and LinkIDs (also Skeys) to be 8, 4, 2,
and 20 bytes, respectively. In fact, the impact of larger lengths on the results is negligible.
From Table 2–1, we can see that the most time-consuming operation is the Tate pairing
required by anonymous neighborhood authentication. Since the pairing is a relatively new
concept, we anticipate that its evaluation cost will be much reduced with the rapid advance
in cryptography. For example, Barreto et al. [23] recently announced an approach that evaluates
the Tate pairing up to 10 times faster than previous methods; our implementation of it
is underway.
Also note that the Tate pairing only needs to be performed once for a pair of neighboring
nodes, and then the result can be fed into the fast SHA-1 to compute shared <Skey, LinkID>
pairs. Supposing a node maintains Γ = 1000 <Skey, LinkID> pairs with each neighbor,
the computation of such 1000 pairs only costs around 2.4 ms. Hence, when two neighboring
nodes run out of the established shared <Skey, LinkID> pairs, they can generate new Γ
pairs instantly. Moreover, the hop-by-hop link encryption/decryption operations based on RC6
are not time-consuming and can be done very fast. Therefore, although we
introduce some cryptographic operations into MASK to provide the desirable anonymity
property, the resulting computation overhead and end-to-end packet delay are affordable.
The physical-layer path loss model is the two-ray model. The radio propagation range
for each node is 250 meters and the channel capacity is 2 Mb/s. The base MAC protocol
used is the DCF of IEEE 802.11, with some modifications according to MASK operations.
We simulate an ad hoc network with 50 nodes uniformly deployed in a 700×700 m² square
field. To emulate node mobility, we modify the random waypoint model in GloMoSim
library according to [24] in order to guarantee the convergence of average nodal speed
within the simulation time. In particular, initial speeds of nodes are chosen from the steady-
state distribution, and subsequent speeds uniformly from the designated speed range. In
addition, the pause time is set to be zero, meaning that nodes are always moving. CBR
sessions are used to generate network data traffic, and various numbers of sources are used to
simulate different offered loads. All the data packets are 512 bytes and are sent at a rate
of 4 packets/second. Each simulation is executed for 15 simulated minutes and each data
point represents an average of ten runs with identical traffic models, but different randomly
generated mobility scenarios.
In our implementation of MASK, we use a fixed delay of 150 µs at each node to mimic
the encryption/decryption processing of ARREPs and data packets with RC6, for simplicity.
The purpose is to withstand the aforementioned message coding attack (cf. 2.3.4). In
addition, the random delay method for data packets to be forwarded is also adopted at each
node to thwart the timing analysis attack (cf. 2.3.4), where the random delay is uniformly
distributed between [0, 50] ms. Furthermore, we set the maximum number of next-hop
LinkIDs maintained for one destination to be three. We compare the routing performance
of MASK with the classical AODV routing protocol [5] with regard to three commonly-used
metrics: (1) Packet delivery ratio (PDR) – the ratio of data packets successfully delivered
to the destination over those generated at the sources; (2) Average end-to-end delay of
data packets – this includes all possible delay caused by buffering during route discovery,
queuing delay at the interface, retransmission delay at the MAC, and propagation delay;
(3) Normalized routing load – the total number of routing control packets “transmitted”
for each delivered data packet. Each hop-wise transmission of a routing control packet is
counted as one transmission.

[Figure 2–3: The comparison between MASK and AODV. (a) PDR vs. V; (b) Normalized routing load vs. V; (c) Average packet delay vs. V. Each panel plots AODV and MASK with 20 and 40 sources against the average nodal speed (m/s); the y-axes are packet delivery ratio (0.65–1), normalized routing load (0–2.5) and average end-to-end delay in seconds (0–1.6).]
2.4.2 Simulation Results
Fig. 2–3(a) compares the PDRs of MASK and AODV under different traffic load.
We can see that MASK has a PDR similar to that of AODV under normal traffic load (i.e., 20
sources). The slight difference partly comes from the fact that routing request packets in
MASK have a higher probability of colliding with and causing the dropping of data packets
than those in AODV due to the simple network-wide flooding of ARREQs in contrast to the
expanding-ring-search method of AODV [5]. Another reason is that data packets in MASK
are not always routed along the shortest paths due to the random selection of next-hops
at intermediate nodes, which increases the dropping probability of data packets forwarded
along longer paths. However, MASK outperforms AODV under heavy traffic load (i.e., 40
sources), where packets are more subject to collisions due to the high level of network con-
gestion. The observed advantage mainly results from the aforementioned virtual multipath
effect in MASK, that is, MASK may simultaneously maintain several next-hop LinkIDs for
one given destination. If one of the next-hops becomes unreachable due to mobility or colli-
sions or other reasons, a packet could still be forwarded through another available next-hop
rather than being dropped as AODV does. Moreover, the random selection of next-hops at
intermediate nodes acts as a load balancing method for evenly distributing the traffic in the
network. For the same reason, MASK demonstrates comparable or lower routing overhead
than AODV (see Fig. 2–3(b)) because MASK conducts the route discovery less frequently
than AODV.
In terms of the average packet delay (Fig. 2–3(c)), MASK behaves worse than AODV
under normal traffic load as a result of the per-hop random delay, the fixed encryp-
tion/decryption delay, and the delay incurred by the Tate pairing operations. Therefore,
there is a tradeoff between the desired packet delay and the level of anonymity. However,
under heavy traffic load, both the virtual multipath effect and the processing delay (in-
cluding the above three) introduced into MASK can help mitigate the possible MAC-layer
collisions, which contributes to the shown advantage of MASK over AODV in Fig. 2–3(c).
In summary, our MASK not only achieves the desirable anonymity without sacrificing
the routing efficiency, but also helps improve it under heavy traffic load.
2.5 Related work
Anonymous communication protocols have been studied extensively in wired networks.
Chaum [25] defines a layered object that routes data through a chain of pre-deployed
intermediate nodes called mixes. Following this work, Reed et al. propose the
onion routing protocol [26], in which data is wrapped in a series of encrypted layers to
form an onion by a series of proxies communicating over encrypted channels. The state
of the art of anonymity in wired networks can be found in [27]. However, the proposals in
the Internet realm cannot be directly applied to MANETs mainly because the prerequisite
pre-deployed infrastructure such as the well-known mixes is often unavailable in infrastruc-
tureless MANETs.
In contrast, there is little work done to address the anonymity problem and related
issues in the context of MANETs. Jiang et al. explore the use of mixes in MANETs
[28] by designing a mix discovery protocol that allows communicating nodes to choose mix
nodes at run time. As noted before, such mix nodes are either unavailable or unreliable
in MANETs deployed in hostile environments. The same authors also propose to prevent
traffic analysis by using traffic padding, i.e., generating dummy traffic into the network [19],
but their work does not aim to enable anonymous communications. Most recently, Kong
and Hong propose an anonymous on-demand routing protocol, called ANODR [29], to
conceal network IDs of communicating nodes. Besides the computationally intensive route
discovery process, ANODR is very sensitive to node mobility, which leads to a low routing
efficiency, as the authors mentioned. By comparison, our MASK enables an AODV-like
anonymous on-demand routing protocol with high routing efficiency. In addition, MASK
addresses anonymous MAC-layer communications, which is left untouched in [29].
2.6 Summary
In this chapter, we propose MASK, a novel anonymous on-demand routing protocol,
to enable both anonymous MAC-layer and network-layer communications so as to thwart
adversarial, passive eavesdropping and the resulting attacks. By a careful design, MASK
provides the anonymity of senders, receivers and sender-receiver relationships, as well as
node unlocatability and untrackability and end-to-end flow untraceability. It is also resilient
to a wide range of attacks. Detailed simulation studies demonstrate that MASK has routing
efficiency comparable to that of the classical AODV routing protocol while achieving the nice
anonymity property.
This chapter focuses on dealing with passive attacks and thus there are several unad-
dressed issues in the current MASK design. First, anonymous neighborhood authentication
in MASK relies on pairing operations, which currently have similar computational overhead
to conventional public-key operations. Therefore, adversaries might launch active DoS at-
tacks on target nodes by continuously sending a number of bogus authentication requests,
which is a problem any authentication scheme has to face. Second, the routing information
in the current design is only secured against external adversaries. Once becoming internal
adversaries by compromising certain nodes, adversaries can send bogus routing messages
that are difficult to verify by legitimate nodes. Third, although pairing-based cryptography
is an active research topic nowadays, the implementation on low-end devices is still an open
problem.
As future research, we will first incorporate some intrusion detection capabilities
into MASK to defend against not only passive attacks but also active DoS-type attacks such
as those mounted on neighborhood authentication. In addition, we plan to combine
MASK with other secure routing protocols such as [8, 9] to ensure both routing anonymity
and strong routing security. Finally, we will seek theoretical proofs to show the resilience
of MASK to rigorous adversarial cryptanalysis.
CHAPTER 3
SECURING MOBILE AD HOC NETWORKS WITH CERTIFICATELESS PUBLIC KEYS
3.1 Introduction
In this chapter, we are concerned with key management, the foundation on which to
build any other security mechanism for MANETs.
Conventional key management techniques may either require an online trusted server or
not. The infrastructureless nature of MANETs precludes the use of server-based protocols
such as Kerberos [30]. We therefore focus on discussing serverless approaches from here
on. There are two intuitive symmetric-key solutions, though neither is satisfactory. The
first one is to preload all the nodes with a global symmetric key, which is vulnerable to any
point of compromise: if any single node is compromised, the security of the entire network
is breached. Assuming a network of N nodes, the other solution is to let each pair of nodes
maintain a unique secret that is only known to those two nodes. This approach suffers from
three main drawbacks making it also unsuitable for MANETs. First, it lacks scalability
because it is difficult to establish pairwise symmetric keys between existing nodes and
newly-joined nodes. Second, securely updating the overall N(N − 1)/2 keys in the network
is a nontrivial (if not impossible) task, as the size of the network increases. Last, it requires
each node to store (N − 1) keys, which may represent a significant storage overhead in a
large network. Symmetric-key techniques are also commonly criticized for not supporting
efficient digital signatures because each key is known to at least two nodes. This renders
public-key solutions more appealing for MANETs, which are the theme of this chapter.
There has been a rich literature on public-key management in MANETs, see [31, 32,
33, 34, 35, 36] for example. These schemes all depend on certificate-based cryptography
(CBC), which uses public-key certificates to authenticate public keys by binding public
keys to the owners’ identities. A main concern with CBC-based approaches is the need
for certificate-based public-key distribution. One naive method is to preload each node
with all the others’ public-key certificates prior to network deployment. This approach can
neither scale well with the increasing network size, nor handle key update in a secure and
cost-effective way. Another approach of on-demand certificate retrieval may cause both
unfavorable communication latency and often tremendous communication overhead, which
will be justified via simulations in Section 3.5.5.
As a powerful alternative to CBC, ID-based cryptography (IBC) [11] has been gaining
momentum in recent years. It allows public keys to be derived from entities’ known iden-
tity information, thus eliminating the need for public-key distribution and certificates. This
nice feature has inspired a few IBC-based certificateless public-key management schemes
for MANETs such as [37, 38, 39, 20]. The basic idea is to let some [37, 38, 20] or all network
nodes [39], called shareholders, share a network master-key using threshold cryptography
[15, 40] and collaboratively issue ID-based private keys. There, however, remain many is-
sues to be satisfactorily resolved. First of all, the security of the whole network is breached
when a threshold number of shareholders are compromised. Second, updating ID-based
public/private keys requires each node to individually contact a threshold number of share-
holders, which represents a significant communication overhead in a large-scale MANET.
Third, except our preliminary result in [20], none of existing proposals consider how to
select the secret-sharing parameters used with threshold cryptography to achieve desirable
levels of security and robustness. Last, there is no comprehensive quantitative argument
about the advantages of IBC-based public-key management schemes over CBC-based ones.
In this chapter, we address all the above concerns by devising an ID-based key manage-
ment scheme, called IKM, for special-purpose MANETs administered by a single authority.
MANETs of this type have long been recognized and will continue to be one of the ma-
jor application categories of wireless ad hoc networking techniques. Typical examples are
those deployed in military battlefield operations and homeland security scenarios. Our
major contributions are as follows:
• A novel construction method of ID-based public/private keys. In IKM, each node's public key as well as private key is composed of a node-specific, ID-based element and a network-wide common element. Node-specific key elements ensure that the compromise of arbitrarily many nodes does not jeopardize the secrecy of non-compromised nodes' private keys; common key elements enable very efficient network-wide public/private key updates via a single broadcast message. We also discuss efficient key agreement, public-key encryption, and digital signatures based on such public/private keys.
• Determining secret-sharing parameters used with threshold cryptography. Similar to [37, 38, 39], we apply threshold cryptography to distribute a network master-key among some shareholders. Different from them, we identify devastating pinpoint attacks against shareholders and propose the corresponding countermeasure based on anonymous routing [41]. In addition, we discuss how to choose the secret-sharing parameters for meeting desirable levels of security and robustness.
• Simulation studies of advantages of IKM over CBC-based schemes. By detailed simulations, we show that IKM has equivalent performance to CBC-based schemes, denoted by CKM, with regard to key revocation, while behaving much better in key updates. Furthermore, we demonstrate that IKM is able to turn an elegant CKM-based secure routing protocol [42] into a much more efficient one.
Since most existing MANET security mechanisms rely on the heavy use of certificates,
we believe that our findings open a new avenue towards more effective, efficient security
designs.
The rest of the chapter is organized as follows. In Section 3.2, we define the notation
to be used and survey the related work. Next we present design goals and the network and
adversary models in Section 3.3, followed by a detailed illustration of the IKM design in
Section 3.4. Then the simulation-based comparative study of our IKM and CKM is given
in Section 3.5, and this chapter is finally concluded in Section 6.8.
3.2 Preliminaries
In this section, we first define the notation to be used in the rest of this chapter, and
then survey the related work.
3.2.1 Notation
For clarity, Table 3–1 lists some important notation whose concrete meanings will be
further explained where they appear for the first time.
3.2.2 Related Work
Here we only discuss prior art that is more germane to our work, and refer to [43] for
a more comprehensive survey.
The seminal paper by Zhou and Haas [31] suggests using CBC and (t, n)-threshold
cryptography [15, 40] in MANETs. Let N be the overall number of nodes and t, n be two
integers satisfying t ≤ n < N. In [31], prior to network deployment, the CA's public key is
Table 3–1: Notation
p, q                        two large primes
G1, G2                      cyclic groups of order q
e                           pairing s.t. e : G1 × G1 → G2
H_1                         mapping strings to non-zero elements in G1
Ψ                           the network node set, |Ψ| = N
Ω                           the D-PKG set, |Ω| = n
ID_A                        network ID of node A
t, n                        secret-sharing parameters
g(x)                        (t − 1)-degree polynomial
λ_V(x)-s                    Lagrange coefficients
\overline{ID_A}             key revocation against node A
K_{P1}, K_{P2}              two distinct network master secrets
W                           generator of G1
W_{P1}, W_{P2}              W_{P1} = K_{P1} W ∈ G1, W_{P2} = K_{P2} W ∈ G1
k_{A,B}                     symmetric key shared between A and B
p_i                         ith key update period, for 1 ≤ i ≤ M
K_A / K^{-1}_A              node-specific public-key and private-key elements of node A
K_{p_i} / K^{-1}_{p_i}      common public-key and private-key elements in phase p_i
salt_i                      unique binary string associated with p_i
K_{A,p_i} / K^{-1}_{A,p_i}  public/private keys of node A in phase p_i
K^V_{P2}                    the D-PKG V's secret share of K_{P2}
γ                           revocation threshold
F                           mapping a given node ID to β D-PKG IDs
h                           hash function such as SHA-1 [16]
{m}_{k_x}                   message m encrypted under key k_x with a symmetric-key primitive
[m]_{K^{-1}_{A,p_i}}        message m with its ID-based signature generated under private key K^{-1}_{A,p_i}
furnished to each node, while its private key is divided into n shares, each uniquely assigned
to one of n chosen nodes called D-CAs hereafter. During network operation, any t D-CAs
can jointly perform certificate generation and revocation based on their secret shares, while
any less than t D-CAs cannot. Yi and Kravets [34] propose to select computationally
more powerful and physically more secure nodes as D-CAs. Both schemes can tolerate the
compromise of up to (t − 1) D-CAs so that adversaries cannot reconstruct the CA's private
key, and the failure of up to (n − t) D-CAs so that there are always at least t functional
D-CAs.
Different from [31, 34], URSA [32, 36] is a (t,N)-threshold scheme in which each of the
N nodes is a D-CA. The advantage of URSA is the increased service availability in that a
certificate can now be generated or revoked by any t nearby nodes, and URSA can tolerate
the failure of up to (N − t) D-CAs. The disadvantage, however, is that the compromise of
any t out of N nodes would expose the CA’s private key and thus result in loss of overall
system security [34]. In addition, as noted in [44], URSA is vulnerable to the Sybil attack
[45] because an adversary can take as many identities as necessary to collect enough shares
and reconstruct the CA’s private key. Other security problems of URSA are analyzed in
[33, 46].
All the above schemes are based on RSA [47], either explicitly [32, 36] or implicitly
[31, 34, 35]. By comparison, the scheme [33] relies on DSA [48] and threshold cryptography,
and has much worse communication efficiency than RSA-based schemes. The reason is that,
to tolerate the compromise of up to (t− 1) D-CAs, the DSA-based scheme needs to contact
(2t − 1) D-CAs for generating a new certificate, while RSA-based approaches only involve
t D-CAs [33]. Please refer to [39] for simulation studies of the communication inefficiency
of DSA-based approaches.
The aforementioned CBC-based schemes are all targeted for single-authority MANETs
as what we have in mind. Another notable line of approaches such as [44, 49] is to let each
node act as a CA to issue certificates to other nodes. While they may be suitable for
authority-less civilian networks, they are less fit for the single-authority MANETs under consideration.
Despite its attractive features, IBC has not received deserved attention as a powerful
tool to secure MANETs until recently. Khalili et al. [37] suggest using IBC and threshold
cryptography in MANETs, but their work is conceptual. Deng et al. [38] present an ID-
based key management scheme for authority-less MANETs, and it is thus less applicable to the single-
authority MANETs we aim at. Bohio and Miri [50] propose to use ID-based keys for secure
broadcast, but their work is not intended for efficient key management. Our preliminary
work [20] also addresses the secure application of IBC to MANETs. In addition, Zhang
et al. develop MASK [41, 51], an IBC-based anonymous on-demand routing protocol for
MANETs.
The closest work to ours is ID-GAC [39], in which Saxena et al. present an elegant
IBC-based access control scheme for ad hoc groups such as MANETs. ID-GAC is basically
a (t,N)-threshold scheme, in which, prior to deployment, each of the N nodes is furnished
with a share of a master-key. Although having high-level service availability as URSA
[36], ID-GAC suffers from the same undesirable security drawback mentioned above. In
contrast, our IKM is a (t, n)-threshold scheme, similar to [31, 34]. At a first glance, IKM is
less robust than ID-GAC because it only tolerates the failure of up to (n − t) shareholders
instead of (N − t) in ID-GAC. However, this also means that IKM is more secure than ID-
GAC because the fewer shareholders make it feasible to spend more in safeguarding them,
for instance, by enclosing them in high-quality tamper-resistant devices and/or putting
them under better monitoring. In addition, our IKM incorporates an additional defense
line by making shareholders indistinguishable from common nodes via anonymous routing
[41]. Furthermore, even when t or more shareholders are compromised and the master-key
is exposed, our novel public/private key construction method guarantees that private keys
of non-compromised nodes remain safe. This is in contrast to the overall loss of security
in ID-GAC (see Section 3.4.7). Moreover, each non-compromised node in ID-GAC needs
to individually contact t shareholders for key update. In contrast, our IKM is much more
efficient in both computation and communication by updating public/private keys of all the
non-compromised nodes via a single broadcast message. As an addition, ID-GAC suffers
from the Sybil attack as URSA, while our IKM does not.
3.3 Design Goals and System Models
In this section, we present our design goals as well as network and adversary models.
3.3.1 Design Goals
From our point of view, a sound key management scheme for MANETs should sat-
isfy the following requirements. First, it must not have a single point of compromise or
failure, because mobile nodes deployed in hostile environments are subject to either logical
or physical attacks. Second, it should be compromise-tolerant, meaning that the com-
promise of a certain number of nodes does not harm the communication security between
non-compromised nodes. Third, it should be able to efficiently and securely revoke keys
of compromised nodes once detected and update keys of non-compromised nodes. Last, it
should be efficient in terms of storage, computation, and communication, as mobile nodes
are usually very resource-constrained. It is worth stressing that communication efficiency is
far more important an issue in MANETs than in wireline networks, as wireless transmission
of a bit can require over 1000 times more energy than a single 32-bit computation (see [52]).
We thus must seek ways to reduce communications related to key management as much as
possible.
3.3.2 Network Model
We consider a special-purpose, single-authority MANET consisting of N nodes, de-
noted by a set notation Ψ (|Ψ| = N). The network size N may be dynamically changing
with node join, leave, or failure over time. Depending on different applications, N may
range from several tens to several thousands or even more. Each node A ∈ Ψ has a unique
ID, denoted by IDA and assumed to be its network-layer address as usual.
We assume that each node has limited transmission and reception capabilities. Two
nodes out of transmission range of each other can communicate via a sequence of interme-
diate nodes in a multihop fashion. Since all the nodes belong to a single authority and thus
have common interests, node selfishness [4] is not worrisome in that each node is ready to
forward packets not destined for itself. Nodes may freely move in the network, but do not
continuously move so rapidly as to make the flooding of every data packet the only feasible
routing protocol. This is a common assumption made about node mobility by nearly all
MANET schemes. We further assume that nodes are capable of performing public-key op-
erations, which is reasonable for the targeted application scenarios, though symmetric-key
operations should be used instead whenever possible.
Our IKM is independent of the underlying transport, routing, or MAC protocols. How-
ever, we do assume that, whenever needed, a valid unicast route can be established between
any two nodes. This can be achieved through many existing secure routing protocols, such
as ARAN [42]. It is worth pointing out that, similar to almost all the other existing secure
routing schemes, ARAN is built upon conventional certificates. In later Section 3.5.5, we
will show that it can be easily converted into a much more efficient scheme based on our
IKM.
3.3.3 Adversary Model
Our intention here is to devise a sound key management scheme for MANETs, so we
just consider attacks aimed at key management itself. Mitigating denial-of-service attacks,
such as physical-layer jamming, MAC-layer misbehavior, or routing disruption, though
important, is beyond the chapter scope.
Attacks can be mounted by a single adversary or collaborative ones. We differentiate
between node compromise and disruption attacks. By saying that a node is compromised,
we mean that adversaries have complete control over it, including learning or modifying
its secret information, changing its intended behavior, and so on. In contrast, disrupting
a node means that adversaries can only disrupt communication to that node, e.g., by
interfering with wireless signals to and from it, but cannot read the secret information stored
on it. Therefore, node disruption attacks are less severe than node compromise attacks.
However, we assume that adversaries cannot compromise or disrupt an unlimited number
of nodes so that legitimate nodes are always the majority. Neither can they break any of
the cryptographic primitives on which we base our design. In addition, we assume static
instead of dynamic adversaries [53].
We further assume that compromised nodes will eventually exhibit detectable mis-
behavior. There is unlikely to be a valid security solution if compromised nodes remain
“passive.” As [32, 36], we assume an efficient misbehavior detection scheme such as [3] or
[54]. One of our main objectives is to drive identified compromised nodes out of the network
by revoking their keys. Hereafter we use compromised nodes to indicate those which have
been compromised and identified, unless otherwise stated.
There are n distributed authorities called D-PKGs in our IKM, similar in role to the
distributed CAs (D-CAs) in conventional CKM [31, 32, 33, 34, 35, 36]. The D-PKGs differ
from common nodes only in that each of them knows a share of a network master-secret.
Similar to [31, 32, 33, 34, 35, 36], our IKM works properly on the assumption that adversaries
can compromise at most (t − 1) D-PKGs and can disrupt no more than (n − t) D-PKGs. For
the sake of simplicity, we refer to this assumption as the t-limited assumption. Note that
this t-limited assumption only needs to hold in each predetermined time period rather than
the whole network lifetime, if proactive secret sharing [55] is used to periodically refresh
secret shares of the D-PKGs.
3.4 IKM Design
This section presents our IKM design. We first provide an overview of IKM in Sec-
tion 3.4.1, and then describe the key predistribution phase in Section 3.4.2. Next we discuss
how to achieve efficient key revocation and update in Sections 3.4.3 and 3.4.4, respectively.
Section 3.4.5 presents our method of protecting the D-PKGs from devastating pinpoint
attacks, and Section 3.4.6 gives general guidelines as to how to select the secret-sharing
parameters t, n. Finally, the security of IKM is analyzed in Section 3.4.7.
3.4.1 Overview
In IKM, each node should carry an authentic ID-based public/private key pair at any
time as a proof of its group membership. With such key pairs, nodes can realize mutual
authentication, key agreement, public-key encryption, and digital signatures, among other
security services. IKM consists of three phases: key predistribution, revocation, and update.
Key predistribution is a one-time process occurring during network initialization, where
a Private Key Generator (PKG), essentially a trusted authority, determines a set of system
parameters and preloads every node with appropriate keying materials. In addition, the
PKG distributes its functionality to n D-PKGs selected among the N nodes to enable secure
and robust key revocation and update during network operation.
To minimize the damage from node compromise, it is a must to explicitly revoke public
keys of compromised nodes. During network operation, if suspecting that a peer, say A,
has been compromised, a node sends a signed accusation against A to some D-PKGs. The
accused A is diagnosed as compromised when the number of accusations against it reaches a
predefined revocation threshold, denoted by γ, in a certain time window. At that point, the
network enters the key revocation phase in which the D-PKGs jointly issue a key revocation
against A.
As a common practice [36], public/private keys of mobile nodes need to be updated
at intervals for many reasons, e.g., preventing from cryptanalysis. The key update phase
may occur either periodically according to a prescribed time period, or reactively when the
number of revoked nodes attains some predetermined threshold. During this phase, each
non-revoked node can update its public key autonomously and its private key via a single
broadcast message. This is enabled by our novel public/private key construction method.
Our scheme can also ensure that compromised nodes, once revoked, cannot get their keys
updated, thus isolated from the network.
Due to the shared wireless medium, it is easy for adversaries to find the whereabouts of
the D-PKGs based on their network IDs leaked in routing and data packets [41]. This renders
the D-PKGs particularly vulnerable to devastating pinpoint attacks. As a natural defense,
we propose to make the D-PKGs indistinguishable from common nodes via anonymous
routing [41]. This measure allows us to provide general guidelines about how to choose the
secret-sharing parameters t, n for achieving desirable levels of security and robustness.
3.4.2 Network Initialization
For a single-authority MANET under consideration, it is reasonable to assume a trusted
PKG to bootstrap the network, which itself is not part of the resulting network.
Generation of pairing parameters. To bootstrap the network, the PKG does the
following operations:
1. Generate the pairing parameters (q, G1, G2, e, W, H_1) (cf. Section 2.2.1), where W is
an arbitrary generator of G1, and H_1 is a hash function mapping given strings to
non-zero elements in G1.
2. Pick two distinct random numbers K_{P1}, K_{P2} ∈ Z_q^* as network master-secrets. Set
W_{P1} = K_{P1} W and W_{P2} = K_{P2} W, respectively.
The parameters (q, e, H_1, W, W_{P1}, W_{P2}) are public knowledge preloaded to each node, while
K_{P1} and K_{P2} should never be disclosed to any single node.
Secret sharing. To enable key revocation and update during network operation,
it is necessary to introduce the PKG functionality into the network. In our design, only
knowledge of KP2 is introduced into the network to ensure high-level compromise tolerance
(analyzed in Section 3.4.7). To avoid single point of compromise and failure, the PKG
performs a (t, n)-threshold secret sharing of K_{P2} by first determining a random polynomial,
g(x) = K_{P2} + \sum_{i=1}^{t-1} g_i x^i (mod q). It then randomly selects a subset Ω ⊂ Ψ of size n of
nodes as D-PKGs (t ≤ n < |Ψ| = N). Then the PKG assigns to each V ∈ Ω a secret share
computed as K^V_{P2} = g(ID_V). Based on Lagrange interpolation, any subset \mathcal{A} ⊂ Ω of size t
can co-determine the polynomial:

    g(x) = \sum_{V \in \mathcal{A}} \lambda_V(x) K^V_{P2} (mod q),    (3.1)

where \lambda_V(x) = \prod_{S \in \mathcal{A} \setminus V} \frac{ID_S - x}{ID_S - ID_V} is called a Lagrange coefficient. The PKG's master
secret K_{P2} can then be reconstructed by computing g(0). However, any subset of Ω of size
(t − 1) or smaller does not suffice to do so. To enable verifiable secret sharing, the PKG
also calculates a set of values {W^V_{P2} = K^V_{P2} W | V ∈ Ω} preloaded to each D-PKG. Due to the
difficulty in solving the DLP in G1, all the other D-PKGs cannot deduce the secret share
K^V_{P2} of D-PKG V from W^V_{P2}. The IDs of all the D-PKGs are known to each node to make
key revocation and update feasible, and the choice of t, n will be discussed in Section 3.4.6.
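As an added example (not code from the dissertation), the (t, n) sharing of K_P2 among D-PKGs and the Lagrange reconstruction of Eq. (3.1) in Python, using node IDs as evaluation points exactly as the text does. The pairing group G1 is replaced by a constructed toy subgroup of Z_p^* so that the check values W^V_P2 = K^V_P2 W can be shown; all parameters (q, p, W, the IDs) are assumptions far too small for real use.

```python
import secrets

# Toy stand-in for (G1, W) (assumption): the order-q subgroup of Z_p^* with p = 2q + 1,
# so the scalar multiple "K W" of the text becomes pow(W, K, p). Constructed, tiny values.
Q = 1019   # prime group order q
P = 2039   # p = 2q + 1, also prime
W = 4      # a quadratic residue mod p, hence of order q: plays the generator W


def shares_from_coeffs(coeffs, dpkg_ids, q=Q):
    """Evaluate g(x) = coeffs[0] + coeffs[1] x + ... + coeffs[t-1] x^(t-1) (mod q) at
    each D-PKG's ID; coeffs[0] is K_P2. IDs must be distinct and non-zero mod q."""
    pts = [v % q for v in dpkg_ids]
    if 0 in pts or len(set(pts)) != len(pts):
        raise ValueError("D-PKG IDs must be distinct and non-zero modulo q")

    def g(x):
        return sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q

    return {v: g(v % q) for v in dpkg_ids}   # {ID_V: K^V_P2}


def make_shares(K_P2, t, dpkg_ids, q=Q):
    """PKG side: (t, n)-threshold sharing of K_P2 with a random (t-1)-degree polynomial."""
    coeffs = [K_P2 % q] + [secrets.randbelow(q - 1) + 1 for _ in range(t - 1)]
    return shares_from_coeffs(coeffs, dpkg_ids, q)


def lagrange_coeff(V, subset, x, q=Q):
    """lambda_V(x) = prod_{S in subset, S != V} (ID_S - x) / (ID_S - ID_V)  (mod q)."""
    num = den = 1
    for S in subset:
        if S != V:
            num = num * (S - x) % q
            den = den * (S - V) % q
    return num * pow(den, -1, q) % q        # modular inverse (Python 3.8+)


def interpolate(shares, x, q=Q):
    """Eq. (3.1): g(x) = sum_V lambda_V(x) K^V_P2 (mod q) over the D-PKGs in `shares`.
    With t or more shares interpolate(shares, 0) == K_P2; with fewer, the result is a
    value unrelated to K_P2 (every candidate secret is equally consistent)."""
    subset = list(shares)
    return sum(lagrange_coeff(V, subset, x, q) * shares[V] for V in subset) % q


def commitment(share, p=P, w=W):
    """W^V_P2 = K^V_P2 W: the public check value the PKG preloads for D-PKG V."""
    return pow(w, share, p)


def share_matches_commitment(share, commit, p=P, w=W):
    """A holder of W^V_P2 can check a value V claims as its share (verifiable sharing)
    while, by the DLP in the group, not learning the share from W^V_P2 alone."""
    return pow(w, share, p) == commit


if __name__ == "__main__":
    dpkgs = [11, 22, 33, 44, 55]                  # constructed D-PKG IDs, n = 5
    shares = make_shares(K_P2=123, t=3, dpkg_ids=dpkgs)
    three = {v: shares[v] for v in dpkgs[:3]}
    two = {v: shares[v] for v in dpkgs[:2]}
    print("t shares   -> g(0) =", interpolate(three, 0))   # 123
    print("t-1 shares -> g(0) =", interpolate(two, 0))     # not 123 (except by chance)
    print("share check:", share_matches_commitment(shares[11], commitment(shares[11])))
```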
Generation of ID-based public/private keys. One of our essential design points
is how to construct an ID-based public/private key pair for each node A, be it a D-PKG
or common node. Our IKM is composed of a number of continuous, non-overlapping key
update phases, denoted by p_i for 1 ≤ i < M, where M is the maximum possible phase
index. Such p_i's need not be of the same length in time, and thus do not require nodes to be
time-synchronized either. Each p_i is associated with a unique binary string, called
a phase salt and denoted by salt_i. Prior to deployment, the PKG issues a random number
salt_1 to each node which, in turn, can subsequently generate salt_i = salt_{i−1} + 1 (1 < i ≤ M)
by itself with an efficient hash function h such as SHA-1 [16].
In IKM, each public/private key pair is both node-specific and phase-specific, and node
A's key pair valid only during phase p_i is denoted by <K_{A,p_i}, K^{-1}_{A,p_i}>. Each of K_{A,p_i} and
K^{-1}_{A,p_i} comprises a node-specific element and a phase-specific element common to all the
nodes, both in G1. In particular,

    K_{A,p_i} := (K_A, K_{p_i}) = (H_1(ID_A), H_1(salt_i)),
    K^{-1}_{A,p_i} := (K^{-1}_A, K^{-1}_{p_i}) = (K_{P1} H_1(ID_A), K_{P2} H_1(salt_i)).

Initially, the PKG issues <K_{A,p_1}, K^{-1}_{A,p_1}> to node A, which can acquire <K_{A,p_i}, K^{-1}_{A,p_i}>
(1 < i ≤ M) from the D-PKGs during network operation, as will be shown later. For
convenience, hereafter we refer to <K_{p_i}, K^{-1}_{p_i}> as the common public-key and private-key
elements of phase p_i, and <K_A, K^{-1}_A> as the node-specific public-key and private-key elements
of node A. The former pair varies across key-update phases, while the latter pair remains
unchanged during the network lifetime and should be kept confidential to A itself.
Due to the difficulty of solving the DLP in G1, it is computationally infeasible to de-
rive the network master-secrets KP1 and KP2 from an arbitrary number of public/private
key pairs [12, 13]. It means that, no matter how many key pairs adversaries acquire from
compromised nodes, they cannot deduce the private key of any non-compromised node.
Therefore, our IKM exhibits the desirable compromise-tolerant property. The advantage
of our key construction method in facilitating key update can be seen in Section 3.4.4. In
addition, the resulting higher-level resilience to the compromise of D-PKGs than the con-
ventional key construction method [39, 20] is to be analyzed in Section 3.4.7. Furthermore,
we refer the reader to [56] for the use of such public/private keys in key agreement,
encryption/decryption, and signature generation/verification.
Our IKM allows dynamic node join at any time and thus ensures high network scal-
ability. Suppose a new node X joins the network at phase p_i. The PKG just needs to
pre-equip X with the public system parameters and <K_{X,p_i}, K^{-1}_{X,p_i}>.
Generation of key-update parameters. Let t_c be the maximum number of com-
promised nodes the network can tolerate. To realize broadcast-based public/private key up-
dates, the PKG picks M distinct 2t_c-degree polynomials, l_i(x) = \sum_{j=0}^{2t_c} l_{i,j} x^j (mod q), i = 1, ..., M,
with l_{i,j} ∈ Z_q^*, and M distinct t_c-degree polynomials, u_i(x) = \sum_{j=0}^{t_c} u_{i,j} x^j (mod q), i = 1, ..., M,
with u_{i,j} ∈ Z_q^*. Since K^{-1}_{p_i} is a point on E/F_p, its x-coordinate (denoted as [K^{-1}_{p_i}]_x)
can be uniquely determined from its y-coordinate (denoted as [K^{-1}_{p_i}]_y). The PKG then
constructs v_i(x) = [K^{-1}_{p_i}]_y − u_i(x), i = 1, ..., M, which are given to each node A along with
{l_i(ID_A)}_{i=1,...,M}.
Summary. To summarize, each node has the following cryptographic materials be-
fore network deployment:
• Pairing parameters: (q, e, H_1, W, W_{P1}, W_{P2}).
• Public and private keys: <K_{A,p_1}, K^{-1}_{A,p_1}>.
• Phase salt: salt_1.
• Key-update parameters: {v_i(x), l_i(ID_A)}_{i=1,...,M}.
In addition to the above materials, each D-PKG V ∈ Ω holds a secret share K^V_{P2} and the values
{W^V_{P2} = K^V_{P2} W | V ∈ Ω}.
3.4.3 Key Revocation
Key revocation comprises three subprocesses: misbehavior notification, revocation gen-
eration, and revocation verification. The following description applies to phase pi.
Misbehavior notification. Upon detection of node A's misbehavior, node B gener-
ates a signed accusation [ID_A, s_B]_{K^{-1}_{B,p_i}} against A, where s_B is a timestamp for withstanding
message replay attacks. The accusation needs to be sent to the D-PKGs to report A's mis-
behavior. The naive flooding of the accusation is insecure because it may alert the accused
A to temporarily behave normally. By doing so, it attempts to make the number of ac-
cusations against it below the predefined revocation threshold γ to avoid being revoked.
Therefore, B should unicast the accusation secretly to the D-PKGs. The next question is
to which D-PKGs the accusation is sent. The following approach is adopted in IKM.
During network initialization, the PKG furnishes each node with a function F that
maps each node ID to the IDs of β distinct D-PKGs. More formally, for node A ∈ Ψ,
F(ID_A) = {ID_{X_j} | 1 ≤ j ≤ β, X_j ∈ Ω, X_j ≠ A}. There are many possible ways to construct
such a function. One simple approach is to divide the node set Ψ into n disjoint node
sets, each associated with β D-PKGs. However, the condition that must be satisfied is that
the node set a D-PKG belongs to should not be associated with itself. In our IKM, node
B is required to send the accusation in an encrypted form {[ID_A, s_B]_{K^{-1}_{B,p_i}}}_{k_{B,V}} to each
V ∈ F(ID_A), where k_{B,V} is the shared key with V that can be derived using the method
given in [56].
The value of $\beta$ determines the tradeoff between resilience to D-PKG compromise and communication overhead. The smaller $\beta$, the lower the related communication overhead and the less resilient the network is to the compromise of D-PKGs, and vice versa. Specifically, in the extreme case $\beta = 1$, the communication overhead is the lowest, while the compromise of a single unrevoked D-PKG, say $ID_{X_1}$ ($X_1 \in \Omega$), would allow all the accused nodes whose IDs are mapped by F to $ID_{X_1}$ to escape revocation. In the other extreme case $\beta = n$, the network shows perfect resilience to D-PKG compromise, while the related communication overhead is the highest. Therefore, $\beta$ should be carefully chosen in practice to strike a good balance between these two metrics.
Revocation generation. Upon receipt of an accusation from B, a D-PKG will
simply drop it if the accuser itself has been revoked. Otherwise, the D-PKG saves the
accusation after decrypting it and verifying B’s signature. To prevent an unrevoked com-
promised node from falsely accusing legitimate nodes, a node is diagnosed as compromised
only when the number of accusations against it reaches the network-wide revocation thresh-
old γ in one key update phase or any other predetermined time window. The choice of γ is
application-specific and determines the tradeoff between tolerance of false accusations and
compromise detectability: a larger γ means higher-level tolerance of false accusations but
lower compromise detectability, and vice versa.
Once the revocation threshold is attained, a key revocation against node A needs to be generated and published. In IKM, generating a revocation requires the joint effort of t D-PKGs. For simplicity, we assume that, among $F(ID_A)$, the D-PKG with the smallest ID acts as the revocation leader. We distinguish between two cases. If $\beta \ge t$, each of the t D-PKGs in $F(ID_A)$ with the smallest IDs generates a partial revocation (shown below) and sends it to the revocation leader. If $\beta < t$, all the D-PKGs in $F(ID_A)$ generate a partial revocation and send it to the revocation leader. In addition, the revocation leader sends the accumulated accusations against A to $(t - \beta)$ extra randomly-picked D-PKGs, each of which responds with a partial revocation after verifying the accusations.
For ease of presentation, let $\mathcal{A} \subset \Omega$ denote the t D-PKGs participating in revocation generation. Each $V \in \mathcal{A}$ generates a partial revocation $K^V_{P2} H_1(ID_A)$, which is accumulated at the revocation leader. The revocation leader can construct a complete revocation from these
partial revocations through Lagrange interpolation, which is an application of pairing-based threshold signatures [57, 13]. In particular, a complete revocation $\overline{ID_A}$ is derived as
$$\overline{ID_A} = \sum_{V \in \mathcal{A}} \lambda_V(0)\, K^V_{P2} H_1(ID_A) = K_{P2} H_1(ID_A) \pmod q,$$
where the $\lambda_V(0)$ are the Lagrange coefficients defined in Eq. (3.1). It is possible that one or several members of $\mathcal{A}$ are unrevoked compromised nodes which might send wrongly computed partial revocations. To detect this, the revocation leader checks whether the following equation holds:
$$e(\overline{ID_A}, W) = e(H_1(ID_A), W_{P2}). \qquad (3.2)$$
If so, it knows that this revocation is authentic and that all other $(t - 1)$ D-PKGs gave correct partial revocations. The equation holds for a valid revocation because
$$e(\overline{ID_A}, W) = e(K_{P2} H_1(ID_A), W) = e(H_1(ID_A), W)^{K_{P2}} = e(H_1(ID_A), K_{P2} W) = e(H_1(ID_A), W_{P2}),$$
using the bilinearity of e twice and $W_{P2} = K_{P2} W$. The revocation leader then floods $\langle ID_A, \overline{ID_A} \rangle$ throughout the network to inform others that A has been compromised.
If Eq. (3.2) does not hold, the revocation leader knows that at least one of the partial revocations is incorrect. Our IKM allows the pinpoint identification of the misbehaving D-PKG(s). To do this, for each received $K^V_{P2} H_1(ID_A)$, the revocation leader uses the preloaded $W^V_{P2}$ to check whether the equation
$$e(K^V_{P2} H_1(ID_A), W) = e(H_1(ID_A), W^V_{P2})$$
holds. The check succeeds for a valid partial revocation because $W^V_{P2} = K^V_{P2} W$ and e is bilinear. Otherwise, the revocation leader considers V misbehaving and issues a signed accusation against it. After identifying all misbehaving D-PKGs in $\mathcal{A}$, the revocation leader solicits the corresponding number of new partial revocations from D-PKGs in $\Omega \setminus \mathcal{A}$, calculates a complete revocation, and verifies it as before. Continuing this process, the revocation leader can form a correct revocation against A as long as there are at least t well-behaved D-PKGs in $\Omega$.
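As an added example (not code from the dissertation), the following Python models the threshold revocation generation just described, with the group $G_1$ replaced by the additive group $\mathbb{Z}_q$ and the pairing check of Eq. (3.2) by its scalar analogue; the Shamir sharing of $K_{P2}$, the Lagrange interpolation, the per-share pinpoint check and the leader's replacement loop follow the text, while the hash h1, the D-PKG IDs and the (t, n) = (3, 6) scenario are constructed assumptions.

```python
import hashlib
import random

# 160-bit Solinas prime q from Section 3.5.1, used here only as the modulus of the toy group Z_q.
# Caveat: in Z_q the public pair (W, W_P2 = K_P2 W) leaks K_P2; in the real scheme the pairing's
# bilinearity gives the same checks without that leak. Interpolation and pinpoint logic are unchanged.
Q = 2**159 + 2**17 + 1


def h1(node_id):
    """Toy stand-in for the map-to-point hash H1: node ID string -> nonzero scalar mod q."""
    return int.from_bytes(hashlib.sha1(node_id.encode()).digest(), "big") % (Q - 1) + 1


def make_shares(k_p2, t, pkg_ids):
    """Shamir (t, n) sharing of K_P2 over Omega: D-PKG V gets K_P2^V = f(H1(ID_V)), f(0) = K_P2."""
    coeffs = [k_p2] + [random.randrange(Q) for _ in range(t - 1)]
    return {v: sum(c * pow(h1(v), k, Q) for k, c in enumerate(coeffs)) % Q for v in pkg_ids}


def lagrange_coeff(members, v):
    """lambda_V(0) of Eq. (3.1) for the set A: product over U != V of x_U / (x_U - x_V) mod q."""
    x_v, num, den = h1(v), 1, 1
    for u in members:
        if u != v:
            x_u = h1(u)
            num, den = num * x_u % Q, den * (x_u - x_v) % Q
    return num * pow(den, -1, Q) % Q


def partial_revocation(share, target):
    """K_P2^V * H1(ID_A): what D-PKG V sends to the revocation leader."""
    return share * h1(target) % Q


def combine(partials):
    """Leader side: sum over V in A of lambda_V(0) K_P2^V H1(ID_A) = K_P2 H1(ID_A)."""
    members = list(partials)
    return sum(lagrange_coeff(members, v) * p for v, p in partials.items()) % Q


def verify_revocation(rev, target, w, w_p2):
    """Scalar form of Eq. (3.2), e(rev, W) = e(H1(ID_A), W_P2): rev*W == H1(ID_A)*W_P2 in Z_q."""
    return rev * w % Q == h1(target) * w_p2 % Q


def pinpoint(partials, target, w, w_p2_of):
    """Per-contribution check against the preloaded W_P2^V = K_P2^V W; returns the failing D-PKGs."""
    return [v for v, p in partials.items() if p * w % Q != h1(target) * w_p2_of[v] % Q]


def generate_revocation(shares, members, target, w, w_p2, w_p2_of, corrupt=()):
    """Leader's loop: collect t partials, verify the combination, pinpoint bad contributors,
    replace them from Omega \\ A and retry. D-PKGs in `corrupt` return garbage partials.
    Returns (revocation, IDs caught misbehaving, rounds needed)."""
    members = list(members)
    pool = [v for v in shares if v not in members]      # Omega \ A, in ID order
    caught, rounds = [], 0
    while True:
        rounds += 1
        partials = {v: (random.randrange(Q) if v in corrupt else partial_revocation(shares[v], target))
                    for v in members}
        rev = combine(partials)
        if verify_revocation(rev, target, w, w_p2):
            return rev, caught, rounds
        bad = pinpoint(partials, target, w, w_p2_of)
        if not bad or len(pool) < len(bad):
            raise RuntimeError("fewer than t well-behaved D-PKGs remain in Omega")
        caught.extend(bad)
        members = [v for v in members if v not in bad] + pool[:len(bad)]
        pool = pool[len(bad):]


def demo(seed=7, corrupt=("pkg2",)):
    """Constructed scenario: (t, n) = (3, 6), revoke node A, one corrupt D-PKG in the initial A.
    Returns (revocation equals K_P2*H1(ID_A), caught IDs, rounds)."""
    random.seed(seed)
    t, pkg_ids = 3, ["pkg%d" % i for i in range(1, 7)]
    k_p2 = random.randrange(1, Q)
    w = random.randrange(1, Q)                          # public element W
    w_p2 = k_p2 * w % Q                                 # public W_P2 = K_P2 W
    shares = make_shares(k_p2, t, pkg_ids)
    w_p2_of = {v: s * w % Q for v, s in shares.items()}  # preloaded W_P2^V used for pinpointing
    rev, caught, rounds = generate_revocation(shares, pkg_ids[:t], "nodeA", w, w_p2, w_p2_of, corrupt)
    return rev == k_p2 * h1("nodeA") % Q, caught, rounds


if __name__ == "__main__":
    print(demo())   # (True, ['pkg2'], 2): the corrupt share is caught and replaced in a second round
```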
Our IKM also handles the case in which the revocation leader itself is a compromised node. If the other D-PKGs in $F(ID_A)$ do not receive a correct revocation against A within a certain time, they consider the revocation leader misbehaving and publish signed accusations against it. Then the D-PKG in $F(ID_A)$ with the second lowest ID succeeds as the revocation leader and restarts the revocation generation process. We can see that, as long as there is at least one non-compromised D-PKG in $F(ID_A)$ and there are at least t non-compromised D-PKGs in $\Omega$, a valid revocation against node A can always be generated. In addition, our pinpoint identification mechanism deters compromised yet unrevoked D-PKGs from offering invalid partial revocations, since they would be easily caught. Therefore, we expect that a valid revocation will most likely be generated in one round. Also notice that, since both whether a D-PKG provides a wrong partial revocation and whether the revocation leader behaves normally are publicly verifiable, compromised but unrevoked D-PKGs dare not falsely accuse the revocation leader or other D-PKGs, as they would be identified.
Revocation verification. Upon reception of $\overline{ID_A}$, every node verifies it by checking whether Eq. (3.2) holds. If so, it records $ID_A$ in its memory and refuses to interact with node A in the future. In our IKM, each node needs to store the IDs of all the revoked nodes. Assuming that each node ID is 16 bytes, it costs a node about 4 KB to store 250 IDs of compromised nodes, which we believe is an acceptable overhead given the increasingly low price of memory. Space-efficient data storage techniques such as Bloom filters [58] may be used to reduce the storage overhead. However, we do not further investigate this issue for lack of space.
In rare cases, the revoked A and/or its conspirators may be the sole connections between
parts of the network. Since they would not further propagate the revocation, there might be
some legitimate nodes which cannot receive the revocation. Fortunately, this problem can
be greatly mitigated by node mobility. In particular, we require each node to store received
revocations for a certain amount of time. When a node meets a new neighbor, it can
exchange its stored revocations with that neighbor. If that neighbor offers some unknown
revocations, it records the revoked node IDs after verifying those revocations. Since a
node can dump stored revocations after a while, the related storage overhead should be
affordable.
3.4.4 Key Update
To withstand cryptanalysis and limit any potential damage from compromised keys, it is common practice [31, 32, 33, 34, 35, 36] to employ relatively frequent key updates. A new key update phase $p_{i+1}$ starts either when phase $p_i$ has lasted for more than a predetermined time threshold, or when the number of nodes revoked in $p_i$ has attained a prescribed threshold.
In IKM, each node B can update its public key autonomously by computing $K_{B,p_{i+1}} := (H_1(ID_B), H_1(salt_{i+1}))$, where $salt_{i+1} = salt_i + 1$. In other words, B just performs two hash operations, one for generating the phase salt for $p_{i+1}$ and the other for computing the new common public-key element. By contrast, generating the common private-key element $K^{-1}_{p_{i+1}} = K_{P2} H_1(salt_{i+1})$ requires the collective effort of t D-PKGs in $\Omega$. For simplicity, we assume that $Z \in \Omega$ initiates phase $p_{i+1}$, though in practice the D-PKGs should take turns in this role to balance their resource usage. Z randomly selects $(t - 1)$ other non-revoked D-PKGs from $\Omega$ and sends a request to each of them. Let $\mathcal{A}$ denote these t D-PKGs including Z itself. Each $V \in \mathcal{A}$ uses its secret share to generate a partial common private-key element $K^V_{P2} H_1(salt_{i+1})$, which is accumulated at Z. Z, in turn, constructs the complete $K^{-1}_{p_{i+1}}$ using Lagrange interpolation:
$$K^{-1}_{p_{i+1}} = \sum_{V \in \mathcal{A}} \lambda_V(0)\, K^V_{P2} H_1(salt_{i+1}) = K_{P2} H_1(salt_{i+1}).$$
Notice that $K^{-1}_{p_{i+1}}$ is self-authenticating in that every node can check its authenticity by checking whether the following equation holds:
$$e(K^{-1}_{p_{i+1}}, W) = e(H_1(salt_{i+1}), W_{P2}). \qquad (3.3)$$
It is also possible that some D-PKGs in $\mathcal{A}$ are compromised yet unrevoked nodes. The method used in revocation generation can be employed to deal with this case as well. As long as there are at least t non-compromised D-PKGs in $\Omega$, a valid $K^{-1}_{p_{i+1}}$ can always be generated.
To propagate $K^{-1}_{p_{i+1}}$ securely to all the non-revoked nodes, we use a variant of the self-healing group key distribution scheme by Liu et al. [59].¹ Let $\Lambda \subset \Psi$ denote the set of nodes revoked up to and including phase $p_i$. D-PKG Z broadcasts the following message:
$$B_i := \{ID_X\}_{X \in \Lambda} \cup \{U_j(x) = \xi_j(x)\, u_j(x) + l_j(x)\}_{j = 1, \dots, i},$$
where $\xi_j(x) = \prod_{X \in \Lambda} (x - ID_X)$. When a non-revoked node, say B, receives this message, it derives $U_i(ID_B) = \xi_i(ID_B)\, u_i(ID_B) + l_i(ID_B)$. Since B knows $v_i(x)$, $l_i(ID_B)$, and $\xi_j(ID_B) \ne 0$ (cf. Section 3.4.2), it can get
$$u_i(ID_B) = \frac{U_i(ID_B) - l_i(ID_B)}{\xi_i(ID_B)}$$
and then $[K^{-1}_{p_i}]_y = v_i(ID_B) + u_i(ID_B)$. Subsequently, node B computes $[K^{-1}_{p_i}]_x$ using the elliptic curve $E/\mathbb{F}_p$, thus constructing the complete $K^{-1}_{p_i}$. In the same way, all the other non-revoked nodes can derive $K^{-1}_{p_i}$ and finish the key update. Any revoked node $X \in \Lambda$, however, cannot compute $u_i(ID_X)$ and thus $K^{-1}_{p_i}$, because $\xi_i(ID_X) = 0$. In addition, as long as the number of compromised nodes is no more than $t_c$, i.e., $|\Lambda| \le t_c$, the compromised nodes cannot jointly determine $K^{-1}_{p_i}$ either, as shown in [59].
The above key-update method provides the self-healing capability in the sense that any non-revoked node can recover $K^{-1}_{p_j}$ for any earlier phase $p_j$ ($j < i$) whose key-update broadcast message it did not receive, due to reasons such as mobility, channel errors, and temporary network partitions. Consider node B again as an example. It can get $K^{-1}_{p_j}$ in the same way as it obtains $K^{-1}_{p_i}$. This nice feature, however, is achieved at the cost of increased communication overhead. Therefore, if either this self-healing capability is not required or reliable broadcast can be guaranteed, the broadcast message $B_i$ can change to
$$B_i := \{ID_X\}_{X \in \Lambda_i} \cup \{U_i(x) = \xi_i(x)\, u_i(x) + l_i(x)\},$$
where $\xi_i(x) = \prod_{X \in \Lambda} (x - ID_X)$ and $\Lambda_i \subseteq \Lambda$ represents the set of new nodes to be revoked in phase $p_i$. In doing so, the broadcast communication overhead can be reduced.
¹ $K^{-1}_{p_i}$ can be viewed as a group key to be distributed to non-revoked group members.

3.4.5 Securing D-PKGs against Pinpoint Attacks
Similar to [31, 34, 35], our IKM relies on the validity of the t-limited assumption mentioned in Section 3.3.3. However, if adversaries have the entire network lifetime to mount attacks, they may compromise or disrupt enough D-PKGs sooner or later. As a well-known countermeasure, Herzberg et al. [55] propose to periodically refresh secret shares without changing the original secret, in such a way that any information learned by adversaries about individual shares becomes obsolete after the shares are refreshed. In addition, they present techniques to periodically and securely recover shares not refreshed properly, to withstand D-PKG disruption attacks. Their techniques are either adopted or suggested by [31, 34, 35]. To deal with long-term adversaries, we also suggest incorporating such proactive secret-sharing techniques in our IKM.
Proactive secret-sharing techniques are valid as long as adversaries are t-limited in each predefined time period. Nearly all previous proposals simply make this assumption without any effort to justify it. In our opinion, without precautions, the t-limited assumption is difficult to uphold for MANETs deployed in hostile environments. The reason is that the IDs of the D-PKGs are public knowledge to every node, and adversaries can easily obtain this information, e.g., by compromising a single node. In common MANET routing protocols such as AODV [5] and DSR [6], node IDs are left bare without any protection. The shared wireless medium allows adversaries to perform passive eavesdropping and easily locate the D-PKGs based on their IDs leaked in routing and data packets. As a result, adversaries can launch pinpoint compromise or disruption attacks on the D-PKGs thus located. This type of severe pinpoint attack, resulting from the unique characteristics of MANETs, is reported in [29, 41]. Obviously, we have to seek efficient ways to thwart such pinpoint attacks to make the t-limited assumption reasonable.
Assume that adversaries have no way (e.g., traffic analysis) to distinguish between the D-PKGs and non-D-PKG nodes other than by their IDs. We propose to eliminate the pinpoint attacks by means of MASK, the anonymous on-demand routing protocol for MANETs presented in Chapter 2. As stated before, MASK guarantees that, given a node ID, adversaries cannot ascertain which node it corresponds to or where that node is. For our purpose, this means that, even given the list of D-PKG IDs, adversaries cannot determine which nodes are the D-PKGs based on passive eavesdropping of node IDs. Therefore, the pinpoint attacks are effectively defeated. Also note that the same method can be used to eliminate pinpoint attacks on the D-CAs in [31, 34, 35].
3.4.6 Choosing Secret-Sharing Parameters
Now we discuss how to select the secret-sharing parameters t, n for a good tradeoff between security and robustness, namely, the resilience to the compromise and to the disruption of D-PKGs, respectively. For a fixed n, the larger t, the more secure the network is, because adversaries need to compromise more D-PKGs to learn $K_{P2}$, but the less robust the network is, in that adversaries need to disrupt fewer D-PKGs to make $K_{P2}$ irrecoverable, and vice versa. To strike a good balance between them, it is often wise to let $t = \lceil n/2 \rceil$, as suggested in [15, 40]. The next question is, given the network size N, how we decide the value of n to achieve the desired levels of security and robustness.
With our MASK in place, adversaries cannot distinguish between the D-PKGs and common nodes based on passive eavesdropping. All they can do is attempt to compromise or disrupt randomly-picked nodes in the hope that those nodes happen to be D-PKGs. Assume that adversaries can surreptitiously compromise and disrupt up to $N_c \ge t$ and $N_d \ge n - t + 1$ nodes, respectively, in each proactive secret-sharing time period without being detected. We define $Pr_c$ and $Pr_d$ as the probabilities that at least t out of the $N_c$ compromised nodes and at least $(n - t + 1)$ out of the $N_d$ disrupted nodes happen to be D-PKGs. In particular,
$$Pr_c = \sum_{i=t}^{\min(n, N_c)} \frac{\binom{n}{i}\binom{N-n}{N_c - i}}{\binom{N}{N_c}} \quad \text{and} \quad Pr_d = \sum_{i=n-t+1}^{\min(n, N_d)} \frac{\binom{n}{i}\binom{N-n}{N_d - i}}{\binom{N}{N_d}},$$
where $t = \lceil n/2 \rceil$. In practice, we want both probabilities to be as low as possible. Prior to deployment, the PKG can use the enumerative method to determine the values of t, n that yield appropriate values of $Pr_c$ and $Pr_d$, i.e., that meet the desired levels of security and robustness. For example, when $N = 50$, $N_c = 5$, and $N_d = 7$, we have $Pr_c = 1.19 \times 10^{-4}$ and $Pr_d = 8.53 \times 10^{-5}$ if $n = 10$ and thus $t = 5$; when $N = 50$, $N_c = 10$, and $N_d = 14$, we have $Pr_c = 1.8 \times 10^{-5}$ and $Pr_d = 7.88 \times 10^{-4}$ if $n = 20$ and thus $t = 10$. Obviously, the success probabilities of such random attacks are pretty low.
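The two hypergeometric tail probabilities $Pr_c$ and $Pr_d$ above, together with the pre-deployment enumerative search over n that the text mentions, as an added Python example that is not part of the dissertation; the probability bounds passed to feasible_parameters are constructed inputs, and the two settings in the main block are the ones worked in the text.

```python
from math import comb


def pr_compromise(N, n, t, Nc):
    """Pr_c: probability that at least t of the Nc nodes compromised at random (out of N)
    happen to be among the n D-PKGs, i.e. the upper tail of a hypergeometric distribution."""
    # comb(N - n, Nc - i) is 0 when Nc - i exceeds N - n, so infeasible terms vanish on their own.
    return sum(comb(n, i) * comb(N - n, Nc - i) for i in range(t, min(n, Nc) + 1)) / comb(N, Nc)


def pr_disruption(N, n, t, Nd):
    """Pr_d: probability that at least n - t + 1 of Nd randomly disrupted nodes are D-PKGs,
    which leaves fewer than t shares and makes K_P2 irrecoverable under a (t, n) sharing."""
    return sum(comb(n, i) * comb(N - n, Nd - i) for i in range(n - t + 1, min(n, Nd) + 1)) / comb(N, Nd)


def attack_probabilities(N, n, Nc, Nd):
    """Both metrics for a given n with the text's choice t = ceil(n/2). Returns (t, Pr_c, Pr_d)."""
    t = (n + 1) // 2                       # ceil(n / 2) without floating point
    return t, pr_compromise(N, n, t, Nc), pr_disruption(N, n, t, Nd)


def feasible_parameters(N, Nc, Nd, max_prc, max_prd, n_range=None):
    """The enumerative method the PKG can run before deployment: every n (with t = ceil(n/2))
    whose Pr_c and Pr_d both stay within the desired bounds. Returns a list of (n, t, Pr_c, Pr_d)."""
    out = []
    for n in (n_range if n_range is not None else range(1, N + 1)):
        t, prc, prd = attack_probabilities(N, n, Nc, Nd)
        if prc <= max_prc and prd <= max_prd:
            out.append((n, t, prc, prd))
    return out


if __name__ == "__main__":
    print(attack_probabilities(50, 10, 5, 7))     # (5, ~1.19e-4, ~8.53e-5), as in the text
    print(attack_probabilities(50, 20, 10, 14))   # (10, ~1.8e-5, ~7.88e-4), as in the text
    # Constructed bounds: which n keep both probabilities below 2e-4 and 1e-4 for N = 50?
    for n, t, prc, prd in feasible_parameters(50, 5, 7, 2e-4, 1e-4):
        print("n=%d t=%d Pr_c=%.3g Pr_d=%.3g" % (n, t, prc, prd))
```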
During network operation, the network size N may be changing with node join, leave,
or failure over time. Accordingly, the parameters t, n and the D-PKG set should be adjusted
to maintain desirable levels of security and robustness. This can be easily realized through
verifiable secret redistribution by Wong et al. [60] to redistribute the PKG’s master key
KP2 from a (t, n) structure to a (t′, n′) one.
3.4.7 Security Analysis
Here we briefly compare the security of our IKM with CKM such as [31, 34] and previous IBC-based schemes [39, 20] (referred to as o-IKM). In o-IKM, the PKG has only one master secret $K_{P2}$, jointly shared by n chosen D-PKGs in a (t, n)-threshold fashion. Each node A has a public/private key pair $(H_1(ID_A \,\|\, exp),\ K_{P2} H_1(ID_A \,\|\, exp))$, where exp indicates the key expiration time. To renew its private key before it expires, A needs to individually contact t out of the n D-PKGs for partial private keys, from which it constructs a complete one via Lagrange interpolation. As usual, our discussion is from the viewpoint of key management instead of the cryptographic algorithms themselves.
Since all three approaches are (t, n)-threshold schemes, they have the same level of
security as long as the t-limited assumption holds. However, they differ in the worst-
case scenario where adversaries manage to compromise at least t distributed CAs (D-CAs
for short) in CKM, or t D-PKGs in IKM or o-IKM. In that situation, adversaries are
able to construct the CA’s private key in CKM, or the PKG’s master secret KP2 in IKM
or o-IKM. For both CKM and our IKM, adversaries cannot deduce the private key of
any non-compromised node, be it a D-CA (or D-PKG) or common node. Therefore, the
communication security between non-compromised nodes is still guaranteed. In contrast,
the exposure of KP2 in o-IKM would result in loss of overall system security because it
permits adversaries to derive all the private keys of all the compromised or non-compromised
nodes ever used since the network formation. This means that adversaries would be able to
freely read encrypted messages observed in the past or future, and forge any node’s digital
signature.
In summary, our IKM is at least as secure as conventional CKM, but outperforms
o-IKM in the worst-case scenario.
3.5 Performance Evaluation
In this section, we compare the proposed IKM with conventional CKM via simulations.
As mentioned in Section 3.2.2, DSA-based CKM solutions have much worse communication
efficiency than RSA-based ones under the same security level. Therefore, we focus on
comparing IKM with RSA-based CKM, which is implemented mainly based on [32, 36]
with the number of D-CAs set to n instead of N . As discussed before, our IKM is more
secure than o-IKM [39, 20] under the same secret-sharing parameters (t, n). In addition,
the communication and computation overheads of o-IKM are the same as those of IKM
with regard to key revocation, but are much higher in terms of key update because o-IKM
requires that each node individually contact t out of n D-PKGs for key update. Since the
advantages of our IKM over o-IKM are quite obvious, we do not offer the simulation results
of their comparison for lack of space.
3.5.1 Simulation Setup
The comparison is done within GloMoSim [21], a popular MANET simulator, on a desktop with an Intel P4 2.4 GHz processor and 1 GB of memory. Although such a powerful machine may not be available in some application scenarios, it should be appropriate for the comparative study of IKM and CKM. To avoid casual implementation errors and guarantee a fair comparison, all the cryptographic primitives are built using MIRACL [22], a standard cryptographic library.
For CKM, the underlying CBC is RSA with a 1024-bit modulus for sufficient security. An RSA public key consists of an ordered pair (s, e), where s is the modulus and e is the public exponent. A common value for the public exponent is $e = 2^{16} + 1$, which is the value we use for all public exponents. Note that this favors CKM, because RSA encryption and signature verification can be made much faster with $e = 2^{16} + 1$ than with a random exponent. An RSA public key therefore requires 128 bytes for the modulus and 3 bytes for the public exponent, a total of 131 bytes. In addition, an RSA signature consists of a single 1024-bit value. For simplicity, we assume that a node ID is 16 bytes and that the certificate expiration time can be encoded in 2 bytes. An RSA certificate $\langle ID_A, (s, e), exp, \text{CA's signature} \rangle$ is then 277 bytes in total.
For our IKM, the bilinear map e we use is the Tate pairing [14]. q is the 160-bit Solinas prime $2^{159} + 2^{17} + 1$ and p is a 512-bit prime equal to $12qr - 1$ (for some r large enough to make p the correct size). Such choices of q, p deliver a level of security comparable to 1024-bit RSA [12, 13]. The elliptic curve E we use is $y^2 = x^3 + x$ defined over $\mathbb{F}_p$. The ID-based
signature primitive $[M]_{K^{-1}_{A,p_i}}$ used is the one outlined in [56], in which a signature consists of one element of $G_1$ and one element of $\mathbb{Z}_q^*$. Since the former is a point on $E/\mathbb{F}_p$, only the y-coordinate needs to be transmitted, because the x-coordinate can be easily derived using E. Therefore, an ID-based signature is 84 bytes. This point compression technique is also used in transmitting key revocations and common private-key components, both being elements of $G_1$. Moreover, the hash function SHA-1 [16] and the symmetric-key encryption primitive RC6 [18] are used wherever applicable.
We simulate a MANET with 50 nodes deployed in a 700 × 700 m² square field.² The physical-layer path loss model is the two-ray model. The node transmission range is 250 meters and the channel capacity is 2 Mb/s. The MAC protocol used is the Distributed Coordination Function (DCF) of IEEE 802.11. For simplicity, the underlying routing protocol is AODV [5] instead of our MASK [20]. Nodes are initially uniformly distributed, and node mobility is emulated according to the random waypoint model [6]. We run simulations for constant node speeds of 5, 10, and 15 m/s, with the pause time fixed at 5 seconds. In addition, we use 20 CBR connections with random source and destination pairs throughout the simulations. All the data packets are 512 bytes and are sent at a rate of 4 packets/s.
3.5.2 Computational Costs
We present the computational costs of the major primitive operations in CKM and IKM in Table 3–2. Compared to RSA operations, the pairing evaluation is currently a relatively expensive operation, which takes by far the most running time of an IBC algorithm. However, since the pairing is a relatively new technique, we anticipate that its evaluation cost will be much reduced with the rapid advances in cryptography. For example, Barreto et al. [23] recently announced an approach to evaluate the Tate pairing up to 10 times faster than previous methods, the implementation of which is underway. In addition, the pairing computation can be much accelerated by using dedicated cryptographic hardware. For instance, it is reported in [61] that the Tate pairing can be calculated in about 6 ms on a modern FPGA. Despite its computational inefficiency, we will see below that our IKM still outperforms CKM in almost all aspects because of its certificateless nature.

² Note that for the simulated network size, it may be feasible to preload each node with all the others' public keys. However, it should be understood that this choice is just for illustration purposes and also to ensure a fair comparison with ARAN [42], which uses the same network size.

Table 3–2: Timings of primitive operations
Primitive                                      Time (ms)
RSA key generation                             526.5
RSA encryption/verification (e = 2^16 + 1)     0.26
RSA decryption/signing                         5.08
Modular exponentiation (m^N mod N)             16.89
Map-to-point H1(·)                             2.6
Scalar multiplication in G1                    3.3
Modular exponentiation in G2                   2.4
Pairing                                        11.0
ID-based signing (with pre-computation)        5.7
ID-based signature verification                35.5

Table 3–3: Comparison of key revocation time
Speed (m/s)   IKM t=5 (sec)   CKM t=5 (sec)   IKM t=10 (sec)   CKM t=10 (sec)
5             3.344           3.179           8.563            8.323
10            3.356           3.220           8.577            8.387
15            3.362           3.235           8.586            8.401
3.5.3 Comparison in Key Revocation
Here we compare IKM with CKM with regard to key revocation. We use 20 CBR
sessions as background “noise” to simulate more realistic scenarios. Two sets of secret-
sharing parameters (t, n) are simulated: (5, 10) and (10, 20). The revocation process of
CKM is implemented similarly to that of our IKM. For simplicity, we set the revocation
threshold γ equal to t and each accusation is sent to β = 1 D-PKG in IKM or D-CA in
CKM. In other words, when the number of accusations against one specific node reaches
γ = t at a D-PKG or D-CA, that D-PKG or D-CA sends the accumulated accusations to
other random (t − 1) out of (n − 1) D-PKGs or D-CAs which, in turn, send back partial
revocations after verifying the received accusations. To avoid possible MAC-layer collisions
resulting from returned partial revocations, the revocation leader uses a fixed delay of one second between contacting two different D-PKGs.

Table 3–4: Comparison of key update (t = 5)
Speed (m/s)   IKM time (sec)   IKM overhead (packets)   CKM time (sec)   CKM overhead (packets)
5             3.173            352                      271.088          18556
10            3.182            674                      271.965          20846
15            3.189            1328                     273.443          22400

Table 3–5: Comparison of key update (t = 10)
Speed (m/s)   IKM time (sec)   IKM overhead (packets)   CKM time (sec)   CKM overhead (packets)
5             8.187            662                      275.289          37078
10            8.194            1286                     276.952          45438
15            8.207            1582                     279.978          47501
Table 3–3 gives the one-time key revocation time of IKM and CKM for t = 5 and 10,
respectively. The counted time starts from when a D-PKG or D-CA sends the accumulated
accusations to (t−1) peers, until the last node in the network receives and verifies the final
complete revocation. All packet transmission and cryptographic processing time has been
included. As we can see, although our IKM is slightly inferior to CKM, both can finish a key
revocation in a very short duration. This demonstrates the feasibility of real-time public-
key revocations in MANETs. We can also observe that the larger the threshold t, the more
time it takes to finish the revocation process, which is quite intuitive. In addition, node
mobility has little impact on the revocation time in that the revocation process only involves
the transmission of 2(t− 1) unicast packets and one network-wide broadcast packet for the
final revocation. Such a small amount of traffic can be transmitted before the network
topology changes significantly and thus some unicast routes break due to node mobility.
3.5.4 Comparison in Key Update
In this subsection, we demonstrate the advantage of our IKM over CKM in terms of
key update. Again, 20 CBR sessions are used to emulate normal traffic scenarios. For our
IKM, the key update process starts when one D-PKG sends a key update request to other
random (t − 1) D-PKGs,³ and finishes when all the network nodes receive and verify the broadcasted common private-key component. For CKM, the key update process lasts from when the first node starts contacting t random D-CAs for key update until the last node finishes its key update through t random D-CAs. To avoid traffic collisions at the D-CAs, a fixed interval of 5 seconds is inserted between two consecutive key updates by two different nodes.⁴
We are interested in two metrics: one-time key update time, including packet trans-
mission time and all cryptographic processing time, and key update overhead in number of
packets, which counts all the key requests/replies and the incurred routing control packets.
Tables 3–4 and 3–5 compare our IKM with CKM with regard to these two metrics for t = 5
and 10, respectively. Since a key update process in IKM is similar to a key revocation
process, it can be finished in a similarly short period. In contrast, key update in CKM
requires considerably more time and incurs a significantly larger overhead. In
addition, the key update time and overhead of both schemes increase with the threshold t,
which is of no surprise.
3.5.5 Comparison in Secure Routing
One of the most important uses of public-key techniques in MANETs is to secure routing protocols. As noted in [42], most existing secure routing schemes for MANETs rely on the use of public keys and certificates without explicitly discussing how to perform certificate distribution. By contrast, a recent work called ARAN [42] accounts for certificate distribution. ARAN is an elegant scheme because it is essentially a secured version of classic AODV [5] and thus preserves many nice features of AODV. However, using ID-based public/private keys in place of certificate-based ones turns ARAN into a much more efficient solution, as shown below.
³ The 1-s sending interval is still used.
⁴ We have tried different interval values, and the chosen one guarantees that almost all the nodes can successively finish their key update within the simulation time.
Due to space limitations, we refer to [42] for detailed descriptions of ARAN. For ease
of presentation, we denote the original ARAN by ARAN-CKM and the modification with
our IKM by ARAN-IKM. Regarding the overall routing process, ARAN-IKM is the same as
ARAN-CKM. Their difference lies in the structures and cryptographic processing of rout-
ing control packets, including route discovery/reply/error packets. For example, assuming
a source and destination pair of nodes $X$ and $Y$, a typical route discovery packet (RDP)
in ARAN-CKM is of format $\langle \langle\langle RDP, ID_Y, N_X\rangle_{X^{-1}}\rangle_{A^{-1}}, cert_X, cert_A \rangle$. Here, $\langle m\rangle_{X^{-1}}$
stands for message $m$ with its RSA signature generated under node $X$'s RSA private key
$X^{-1}$; $N_X$ is a monotonically increasing sequence number set by $X$; $cert_X$ is the RSA certifi-
cate of source $X$ (see Section 3.5.1 for the certificate format); $cert_A$ is the RSA certificate
of an intermediate node $A$ attached when $A$ forwards the RDP of $X$ to its own neighbors.⁵
Considering the RDP format $\langle RDP, ID_Y, N_X, ID_X, ID_A \rangle$ in AODV [5], ARAN-CKM
adds 778 bytes to the RDP. Suppose the network is in key update phase $p_i$. In ARAN-IKM,
the RDP changes to $\langle [[RDP, ID_Y, N_X]_{K^{-1}_{X,p_i}}]_{K^{-1}_{A,p_i}}, ID_X, ID_A \rangle$. Therefore, ARAN-IKM
increases the RDP in AODV by 168 bytes because of the two ID-based signatures. The
routing reply and error packets in ARAN-CKM are modified similarly.
We run simulations to compare the routing performance of ARAN-CKM and ARAN-
IKM. The results generated with AODV are also provided as the baseline. Again, 20
CBR sessions are used in the simulations and each simulation is executed for 15 simulated
minutes. In our simulation results, each data item represents an average of ten runs with
identical traffic models, but with different mobility scenarios.
We use four key performance metrics to evaluate the performance. Average route
discovery delay measures the average latency from the time of sending a RDP to receiving
the first corresponding route reply. Average data packet delay measures the average time
from the sending of a data packet by a CBR source until its reception at the corresponding
CBR destination. This includes all possible delay caused by buffering during route discovery,
5 Node IDs are included in certificates. Please refer to [42] on how the RDP is processed in a hop-by-hop manner.
[Figure 3–1 (plot): Average Route Discovery Delay (ms) vs. Node Speed (m/s) at 5, 10 and 15 m/s for AODV, ARAN-IKM and ARAN-CKM.]
Figure 3–1: Average route discovery delay.
queuing delay at the interface, retransmission delay at the MAC layer, and propagation and
transmission delay at the physical layer. Packet delivery ratio (PDR) measures the ratio of
the data packets delivered to the destination to those generated by the CBR sources. Finally,
normalized routing load measures the average amount of routing packet byte transmitted
per delivered data packet byte. Each hop-wise transmission of a routing packet byte is
counted as one transmission.
The advantages of ARAN-CKM over AODV in the presence of malicious nodes have
been demonstrated in [42]. For simplicity, we just compare the performance of AODV,
ARAN-CKM, and ARAN-IKM when all the nodes in the network are well-behaved or
benign. Note that, no matter whether there are malicious nodes or not, the operations
of both ARAN-CKM and ARAN-IKM remain the same. Therefore, as long as we can
show that ARAN-IKM outperforms ARAN-CKM in the simulated scenarios, it will also
demonstrate better performance than the latter and thus AODV in the face of malicious
nodes. In all our simulation results, AODV always outperforms both ARAN-CKM and
ARAN-IKM. This is of no surprise because there are no efforts at all made in AODV to
deal with routing attacks. We will focus on discussing the difference between ARAN-CKM
and ARAN-IKM.
Fig. 3–1 compares the average route discovery delay of ARAN-CKM and ARAN-IKM
under three mobility scenarios. We can observe that ARAN-IKM always exhibits shorter
route discovery delay than ARAN-CKM. The key reason is that routing discovery and reply
[Figure 3–2 (plot): Average Data Packet Delay (ms) vs. Node Speed (m/s) at 5, 10 and 15 m/s for AODV, ARAN-IKM and ARAN-CKM.]
Figure 3–2: Average data packet delay.
[Figure 3–3 (plot): Packet Delivery Ratio vs. Node Speed (m/s) at 5, 10 and 15 m/s for AODV, ARAN-IKM and ARAN-CKM.]
Figure 3–3: Packet delivery ratio.
packets in ARAN-CKM are of much larger sizes than those of ARAN-IKM. As a result,
routing packets in ARAN-CKM are more subject to loss due to collisions with other data
or routing packets during their transmission. When a source does not receive a route reply
packet after sending the RDP for a while, it has to resend the RDP, which worsens the
situation. This contributes to the shown advantage of ARAN-IKM over ARAN-CKM. In
addition, the performance difference between ARAN-IKM and ARAN-CKM becomes more
and more significant with the increase of node mobility. For example, when the node speed
is 15 m/s, the route discovery delay of ARAN-IKM is about 390.08 ms, representing a
saving of about 28 percent as compared to the 540.32 ms delay of ARAN-CKM. That is
because high mobility means that routes will break more frequently, so accordingly route
discovery needs to be performed more frequently. Since more routing packets are involved,
[Figure 3–4 (plot): Normalized Routing Load vs. Node Speed (m/s) at 5, 10 and 15 m/s for AODV, ARAN-IKM and ARAN-CKM.]
Figure 3–4: Average routing load.
their probabilities of colliding with other traffic become increasingly higher in ARAN-CKM
than in ARAN-IKM.
Fig. 3–2 plots the average data packet delay vs. node speed. As we can see, ARAN-
IKM has a significant advantage over ARAN-CKM in all three mobility scenarios. In
particular, when the node speed is 5 or 10 or 15 m/s, the data packet delay of ARAN-
CKM is about 4.68 or 7.86 or 8.04 times longer than that of ARAN-IKM. This result is
partly due to the shorter route discovery delay ARAN-IKM has than ARAN-CKM, which
results in shorter delay caused by buffering at the network layer. Another more important
reason is that MAC-layer frames in the IEEE 802.11, including RTS/CTS/DATA/ACK, are
more subject to collisions with the MAC frames of routing packets in ARAN-CKM than
in ARAN-IKM because the former has much larger-sized routing packets. The situation
deteriorates with the increase in node mobility and thus the increase in the number of
routing packets. As a result, data packets in ARAN-CKM experience much longer queuing
and retransmission delay at the MAC layer.
Fig. 3–3 shows the PDRs of AODV, ARAN-IKM, and ARAN-CKM for three mobility
scenarios. In all cases, ARAN-IKM demonstrates performance close to AODV and higher
than ARAN-CKM. This mainly results from the fact that a smaller portion of data packets
are dropped in ARAN-IKM than in ARAN-CKM due to attainment of the retransmission
limit at the MAC layer. The ultimate reason, however, is still because of the larger-sized
routing packets in ARAN-CKM. Finally, the normalized routing load of ARAN-IKM and
ARAN-CKM are shown in Fig. 3–4. For node speeds of 5 or 10 or 15 m/s, ARAN-CKM
has a routing load 3.1 or 3.7 or 4.1 times higher than that of ARAN-IKM for the larger
sizes of routing packets.
To summarize, our IKM has significant advantages over conventional CKM in secure
routing protocol design, a fundamental component in MANET security.
3.6 Summary
Key management is a fundamental, challenging issue in securing MANETs. This chap-
ter presents IKM, a secure, lightweight, scalable ID-based key management scheme for
MANETs. As a novel combination of ID-based and threshold cryptography, IKM is a cer-
tificateless solution that permits public keys of mobile nodes to be directly derivable from
their known network IDs and some other common information. It thus obviates the need for
public-key distribution and thus certificates inherent in conventional public-key solutions.
Our IKM is characterized by a novel method of constructing ID-based public/private keys,
which not only guarantees high-level resilience to node compromise attacks but also facil-
itates very efficient network-wide key update by a single broadcast message. In addition,
we give general guidelines on choosing the secret-sharing parameters for achieving desir-
able levels of security and robustness. The significant advantages of IKM over conventional
certificate-based solutions have been confirmed by extensive simulation results.
Most existing security mechanisms for MANETs thus far involve the heavy use of
public-key certificates. In this regard, we believe that the findings of this chapter would
have much influence on the research paradigm of the whole community and stimulate many
other fresh research outcomes. As our future work, we will seek efficient solutions based on
IKM to a variety of challenging security issues in MANETs such as intrusion detection and
secure routing.
CHAPTER 4
SECURE LOCALIZATION IN WIRELESS SENSOR NETWORKS
4.1 Introduction
Wireless sensor networks (WSNs) have attracted a lot of attention recently due to
their broad applications in both military and civilian operations. Many WSNs are deployed
in unattended and often hostile environments such as military and homeland security op-
erations. Therefore, security mechanisms providing confidentiality, authentication, data
integrity, and non-repudiation, among other security objectives, are vital to ensure proper
network operations.
Many WSNs require sensor nodes to know their physical locations. Examples include
those for target detection and tracking, precision navigation, search and rescue, geographic
routing, security surveillance, and so on. Driven by this demand, many localization schemes
have been proposed in recent years, with most assuming the existence of a few anchors that
are special nodes knowing their own locations, e.g., via GPS or manual configuration. These
proposals can be divided into two categories: range-based such as [62, 63] and range-free
[64, 65]. The former are characterized by using absolute point-to-point distance (range) or
angle estimates in location derivations, while the latter depend on messages from neighbor-
ing sensors and/or anchors. Range-based solutions can provide more accurate locations, but
have higher hardware requirements for performing precise range or angle measurements. By
contrast, although having lower hardware requirements, range-free approaches only guaran-
tee coarse-grained location accuracy. In this chapter, we focus on range-based approaches
and leave the investigation on range-free ones as the future work.
We observe that almost all existing range-based proposals were designed for benign
scenarios where nodes cooperate to determine their locations. As a result, they are ill-
suited for unattended and often hostile settings such as tactical military operations and
homeland security monitoring. Under such circumstances, attackers can easily subvert
the normal functionalities of WSNs by exploiting the weakness of localization algorithms
[Figure 4–1 (diagram): anchors A, B, C with distance estimates $d_{AS}$, $d_{BS}$, $d_{CS}$ to sensor S; panels (a) No attacks, (b) $d_{CS}$ is reduced, (c) $d_{CS}$ is enlarged.]
Figure 4–1: An exemplary two-way ToA localization process, where anchors A, B, C are determining the location of sensor S.
[66, 67]. In this chapter, we do not intend to provide brand-new localization techniques for
WSNs. Instead, we focus on analyzing and enhancing the security of existing approaches
when applied in adversarial settings.
The rest of this chapter is structured as follows. We start with analyzing the vulner-
ability of existing approaches in Section 4.2. Next, we present a novel mobility-assisted
secure localization scheme (SLS) in Section 4.3. We then review related work in Section 4.4
and summarize this chapter.
4.2 Vulnerability Analysis of Two-Way Time-of-Arrival Localization
Popular range-based localization techniques include Received-Signal-Strength-Indicator
(RSSI), Angle-of-Arrival (AoA), Time-of-Arrival (ToA), and Time-Difference-of-Arrival (TDoA).
Readers are referred to [63] for a nice review. Among these techniques, ToA is the most
commonly used one whose requirement for fine time resolution can be satisfied by the ultra-
wideband (UWB) technique [68]. Therefore, our study focuses on a two-way ToA approach,
which is illustrated with Fig. 4–1.
In the shown example, anchors A,B, and C intend to determine the 2-D location of
sensor S. To do so, A transmits at time t1 a challenge to sensor S which immediately
echoes a response received by A at time t2. Anchor A can then estimate its distance to S
as dAS ≈ (t2 − t1)c/2, where c is the speed of light. In the same way, B and C can obtain
distance estimates to $S$, denoted by $d_{BS}$ and $d_{CS}$, respectively. Let $(X_A, Y_A)$, $(X_B, Y_B)$,
$(X_C, Y_C)$ be the known locations of $A$, $B$, and $C$, and $(X_S, Y_S)$ be $S$'s location to be decided.
[Figure 4–2 (diagram): anchor C, sensor S, attacker 1 and attacker 2 connected by a secret channel; circles mark the transmission ranges of C and attacker 2.]
Figure 4–2: The topology of an exemplary distance enlargement attack.
Assume that A is the leader which collects dBS and dCS and then sets up the following
equations:
$$f_A = d_{AS} - \sqrt{(X_S - X_A)^2 + (Y_S - Y_A)^2}$$
$$f_B = d_{BS} - \sqrt{(X_S - X_B)^2 + (Y_S - Y_B)^2}$$
$$f_C = d_{CS} - \sqrt{(X_S - X_C)^2 + (Y_S - Y_C)^2}. \qquad (4.1)$$
If there is no measurement error, fA, fB, and fC are all equal to zero, and (XS , YS) is
the common intersection point of the three circles defined by the above equations. Since
measurement errors inevitably exist in reality, however, (XS , YS) will be somewhere in the
intersection area formed by the three circles, as shown in Fig. 4–1(a). It can be obtained
via the Minimum Mean-Square Error (MMSE) method [62], i.e., minimizing $F(X_S, Y_S) = f_A^2 + f_B^2 + f_C^2$.
The above process is vulnerable to distance reduction and enlargement attacks, in
which attackers attempt to reduce and enlarge distance estimates, respectively, so as to
maliciously increase the location inaccuracy. For example, attackers can impersonate sensor
S to answer anchor C's challenge before S does, and then jam the later genuine response
from S. As a result, $d_{CS}$ would be intentionally reduced. In addition, Fig. 4–2 shows the
topology of an exemplary distance enlargement attack, where the two circles indicate the
transmission ranges of anchor C and attacker 2, respectively. In this attack, the challenge
from C is correctly received by attacker 1, but not by sensor S, whose reception is
interfered with by attacker 2. Subsequently, attacker 1 sends the unmodified challenge via a
secret channel to attacker 2 which, in turn, forwards the challenge to sensor S after some
time. Sensor S will consider it a challenge from anchor C and respond to it. In doing so,
attackers can increase the challenge-response time difference measured at C and thus the
distance estimate dCS . Both distance reduction and enlargement attacks may make the
location estimate of sensor S far from its true location, as can be seen from Fig. 4–1(b) and
Fig. 4–1(c), respectively. To satisfy the requirement for high location accuracy by many
WSN applications, we must therefore seek ways to mitigate the impact of such attacks.
4.3 Mobility-Assisted Secure Localization for UWB Sensor Networks
In this section, we present a mobility-assisted secure localization scheme (SLS) for
WSNs. To ease our illustration, we focus on how to ensure secure 2-D location estimates,
but SLS can be easily extended to the 3-D case.
4.3.1 Network Model
We consider a WSN that consists of randomly-deployed sensor nodes, e.g., via random
aerial scattering. Sensor localization is normally done during the network initialization
phase, in which we assume that a set of anchors, denoted by A, perform coordinated group
movement across the whole sensor field. Typical examples of anchors are mobile robots or
Unmanned Aerial Vehicles (UAVs) flying at low levels. The number of anchors, denoted
by na = |A|, should be at least three for determining a 2-D location. Intuitively, the more
anchors (i.e., distance estimates) are available, the more precise location estimates are at
the cost of increased communication and computational overhead. We also indicate anchor
$i$ by $A_i$ for $i \in \{1, \ldots, n_a\}$.
Each $A_i$ is assumed to know its own location $(X_{A_i}, Y_{A_i})$ at any time and place through
GPS receivers or other means. In addition, there is always a leader in A that takes charge
of the localization process. In practice, each anchor should take turns to act as the leader
to balance their resource usage. For convenience, however, we assume A1 to be always the
anchor leader hereafter. We further assume that anchors and sensor nodes have the same
transmission range r0.
Before network deployment, we assume that the network planner picks a sufficiently
long secret $K$, and loads each sensor $S$ with a secret key $K_S = h_K(ID_S)$. Here, $ID_S$ is the
unique identifier of node $S$, $h$ indicates a fast hash function such as SHA-1, and $h_K(M)$
refers to the message integrity code (MIC) of message $M$ under key $K$. We further postulate
that each anchor knows the network secret K and is trusted and unassailable to attackers
during the node localization phase which usually does not last too long. This assumption is
reasonable in that anchors are usually much fewer than sensor nodes, so we can spend more
on them by enclosing them in high-quality tamper-resistant enclosures and putting them
under perfect monitoring. How to deal with compromised anchors is part of our ongoing
work.
4.3.2 Overview of SLS
After sensor nodes are deployed, anchors are instructed to perform strategic group
movement along pre-planned routes to localize all the sensor nodes. Anchors are required
to always maintain an na-vertex polygon with the longest distance between any two vertices
no larger than r0. This means that anchors and sensors inside the polygon can directly com-
municate with each other. To localize a node, say S, anchors first measure their respective
distance to S with a modified two-way ToA approach, called K-Distance. The anchor leader
A1 then collects all the distance estimates whereby to derive a MMSE location estimate.
Subsequently, A1 runs a validity test on the location estimate to detect possible attacks.
Unlike traditional localization methods such as AHLos [62], our mobility-assisted ap-
proach does not require each sensor node to accurately measure distances to anchors and
do the MMSE estimation. Instead, each node just needs to answer the challenges from
anchors, and the tasks of time (distance) measurement and location derivation are shifted
to resource-rich anchors. This is highly desirable for lowering the requirements on sensor
hardware and thus the manufacturing costs. In the rest of this section, we will detail the
operations of SLS with a to-be-localized sensor node S as an example.
4.3.3 K-Distance: a K-Round Distance Estimation Algorithm
To obtain a distance estimate to node S, anchor Ai first calculates KS = hK(IDS) based
on the preloaded network secret K. It then executes the K-Distance algorithm outlined in
Table 4–1. Ai begins with sending to S an l-bit random nonce Nj and starts a timer
when the last bit of Nj is sent. Upon receiving Nj , node S needs to immediately echo Nj
concatenated by another l-bit random nonce Mj picked by itself. Next, S sends to Ai a
MIC, v = hKS(Nj ‖ Mj), where ‖ means message concatenation.
Table 4–1: The K-Distance algorithm.
1: T = ∅
2: for (j = 1; j ≤ K; j++) do
3:   A_i sends a random challenge nonce N_j to S
4:   S responds with N_j and another random nonce M_j
5:   A_i sets t_j = time elapsed between challenge and response
6:   S sends to A_i a number v = h_{K_S}(N_j ‖ M_j)
7:   if h_{K_S}(N_j ‖ M_j) == v then /* by A_i */
8:     t_{p,j} = (t_j − t^{A_i}_{proc} − t^{S}_{proc} − t_{tran})/2
9:     T = T ∪ {t_{p,j}}
10:  end if
11: end for
12: t_{A_iS} = median(T)
13: return d_{A_iS} = c · t_{A_iS} /* c is the light speed */
[Figure 4–3 (timing diagram): timelines of $A_i$ and $S$ marking the last bit of $N_j$, the first and last bit of $N_j \parallel M_j$, and the intervals $t_j$, $t^{A_i}_{proc}$, $t^{S}_{proc}$, $t_{tran}$ and $t_{p,j}$.]
Figure 4–3: The time plot of the challenge-response process.
When receiving the last bit of the response, Ai stops the timer and sets tj equal to
the elapsing time. It then uses KS to compute a MIC on Nj and Mj . If the result is not
equal to v which arrives later, Ai considers the response a bogus one and simply ignores it.
Otherwise, it believes that the response indeed came from S, and proceeds to calculate the
one-way signal propagation time as $t_{p,j} = (t_j - t^{A_i}_{proc} - t^{S}_{proc} - t_{tran})/2$. Here, $t^{A_i}_{proc}$ represents
the time duration from when the last bit of the response hits the antenna of $A_i$ until the
response is completely decoded (cf. Fig. 4–3); $t^{S}_{proc}$ is the time duration from when the last
bit of the challenge reaches the antenna of $S$ until $S$ transmits the first bit of the response.
$t^{A_i}_{proc}$ and $t^{S}_{proc}$ are device-dependent and usually are constant or vary only within a tiny range. Both
can be pre-determined and preloaded to $A_i$ to calibrate the time measurements to a certain
precision. Assume that transmission links from $S$ to anchors have a bandwidth of $b$ b/s.
Then the response transmission time $t_{tran}$ is approximately equal to $2l/b$ seconds.
The above process offers strong defense against distance reduction attacks in the sense
that attackers cannot reduce tp,j and thus the distance estimate ctp,j . One reason is that
the MIC check ensures that an authentic response can only be sent by node S. Another
important reason is that nothing can travel faster than light so that attackers are unable
to make the challenge arrive at S earlier than it should.
Attackers, however, can still launch the distance enlargement attack, i.e., enlarging tp,j
and thus the distance estimate. To mitigate this attack, we require Ai to perform K times
of distance measurements. The motivation is that attackers might not be able to actively
affect all K time measurements and thus distance estimates. It is also worth noting that
our method can help mitigate sporadic measurement errors. K is a design parameter that
determines the tradeoff between algorithm overhead and resilience to distance enlargement
attacks and measurement errors. Assume that all the K time measurements are stored in
an initially empty set T . The next question is how to securely use them. The naive use
of the average is insecure because attackers can easily make the calculated average quite
different from the true one by merely enlarging one time measurement to be sufficiently
large.
[Figure 4–4 (diagram): anchors $A_1$, $A_2$, $A_3$ with distance estimates $d_{A_1S}$, $d_{A_2S}$, $d_{A_3S}$ to sensor S and error bound $\delta$; panels (a) No measurement errors, (b) Measurement errors exist, (c) $d_{A_3S}$ is enlarged.]
Figure 4–4: Location validity test with three anchors.
As pointed out in [69], the median is a safer replacement for the average, so K-Distance
uses the median of $K$ time measurements to calculate $d_{A_iS}$.¹ For brevity only, we assume
$K > 3$ to be odd in what follows; the extension to the case that $K$ is even is straight-
forward. Let $t_{(1)}, \ldots, t_{(K)}$ denote trustful time estimates (without attacks) in $T$ placed in
increasing order. We then have $t_{A_iS} = \mathrm{median}(T) = t_{(r)}$ for $r = (K+1)/2$. Consider
first the simple case that attackers enlarged just one time estimate from $t_{(j)}$ to $t'_{(j)}$. If
$t_{(j)}, t'_{(j)} < t_{(r)}$, the median $t_{A_iS}$ remains unchanged; otherwise, it changes to some value
in $[t_{(r-1)}, t_{(r+1)}]$. It is easy to see that K-Distance is vulnerable to a single distance en-
largement attack when $K$ is equal to one (as in all previous ToA-based proposals) or two. In
general, if $m$ time measurements were enlarged, $t_{A_iS}$ either remains unchanged or changes
to some value in $[t_{(r-m)}, t_{(r+m)}]$, depending on how attackers contaminated the time
measurements. It is obvious that the median method can tolerate the enlargement of up to
about half of the time measurements.
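The K rounds of Table 4–1 together with the median analysis above, written out as an added example that is not the dissertation's own code: HMAC-SHA1 stands in for h_K and h_{K_S}, the timer readings t_j (honest round trip plus an attacker-added delay per round) and the calibration constants t_proc and b are constructed for the simulation, and the sensor returns N_j‖M_j and v in one call for simplicity.

```python
import hashlib
import hmac
import os
import statistics

C = 299_792_458.0  # speed of light in m/s


def derive_node_key(network_secret: bytes, node_id: bytes) -> bytes:
    """K_S = h_K(ID_S): the sensor key is a MIC of the node ID under the network secret K."""
    return hmac.new(network_secret, node_id, hashlib.sha1).digest()


def make_responder(node_key: bytes, l_bits: int = 64):
    """Sensor side: echo N_j || M_j, then send v = h_{K_S}(N_j || M_j)."""
    def respond(nonce: bytes):
        m = os.urandom(l_bits // 8)          # the sensor's own l-bit nonce M_j
        response = nonce + m
        return response, hmac.new(node_key, response, hashlib.sha1).digest()
    return respond


def k_distance(node_key, respond, timer_readings, t_proc_anchor, t_proc_sensor,
               t_tran, l_bits=64):
    """Anchor side of Table 4-1. timer_readings[j] plays the role of the anchor's timer
    value t_j (constructed here instead of read from a radio). Returns the median-based
    distance c * median(T) and, for comparison only, the mean-based distance."""
    T = []
    for t_j in timer_readings:
        nonce = os.urandom(l_bits // 8)      # challenge nonce N_j
        response, v = respond(nonce)
        expected = hmac.new(node_key, response, hashlib.sha1).digest()
        # A bogus response (wrong echo or MIC mismatch under K_S) is simply ignored.
        if response[:len(nonce)] != nonce or not hmac.compare_digest(expected, v):
            continue
        t_p = (t_j - t_proc_anchor - t_proc_sensor - t_tran) / 2.0
        T.append(t_p)
    if not T:
        return None, None
    return C * statistics.median(T), C * statistics.mean(T)


def simulate(true_distance_m, added_delays_s, forged=False, l_bits=64, bandwidth_bps=1e6):
    """Constructed scenario: one honest sensor at true_distance_m, K = len(added_delays_s)
    rounds, with added_delays_s[j] seconds inserted into round j by an attacker
    (0 = untouched). forged=True makes every response come from a party without K_S."""
    network_secret = b"constructed-network-secret-K"
    node_id = b"sensor-S"
    node_key = derive_node_key(network_secret, node_id)
    t_proc_anchor, t_proc_sensor = 2e-6, 3e-6   # assumed calibrated constants
    t_tran = 2 * l_bits / bandwidth_bps          # 2l response bits at b bit/s
    honest_rtt = 2 * true_distance_m / C + t_proc_anchor + t_proc_sensor + t_tran
    readings = [honest_rtt + d for d in added_delays_s]
    responder_key = derive_node_key(b"attacker-guess", node_id) if forged else node_key
    respond = make_responder(responder_key, l_bits)
    return k_distance(node_key, respond, readings, t_proc_anchor, t_proc_sensor,
                      t_tran, l_bits)


if __name__ == "__main__":
    # K = 5, two rounds enlarged: the median still yields the true 100 m, the mean does not.
    print(simulate(100.0, [0, 0, 0, 1e-6, 5e-6]))
    # K = 5, three rounds enlarged (m >= (K+1)/2): the median is now contaminated too.
    print(simulate(100.0, [0, 0, 1e-6, 1e-6, 1e-6]))
    # Responses without K_S fail the MIC check and leave T empty.
    print(simulate(100.0, [0] * 5, forged=True))
```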
$A_i$ then calculates $d_{A_iS} = c\, t_{A_iS}$ and sends to anchor leader $A_1$ a message of format
$\{d_{A_iS}, h_K(d_{A_iS})\}_K$, where $\{M\}_K$ means encrypting data $M$ with key $K$. Upon receipt of
1 We notice that there might exist other methods such as Least Median Squares (LMS) to deal with outliers (distance estimates enlarged in our case). However, they are less computationally efficient than the median method.
Table 4–2: Testing if a point is inside a |B|-vertex polygon.
Inputs: B: an anchor set, (X_S, Y_S): a location estimate
Output: 0 if outside, else 1
1: u = 0
2: for (i = 1, j = |B|; i ≤ |B|; j = i++) do
3:   if (((Y_i ≤ Y_S) && (Y_j > Y_S)) || ((Y_i > Y_S) && (Y_j ≤ Y_S)))
4:      && (X_S > (X_i − X_j) ∗ (Y_S − Y_j)/(Y_i − Y_j) + X_j) then
5:     u = !u
6:   end if
7: end for
8: return u
it, A1 decrypts dAiS and checks its authenticity via the preloaded K. Once obtaining all na
distance estimates, A1 can then derive a MMSE location estimate (XS , YS).
4.3.4 Location Validity Test
The median approach may be enough for withstanding less powerful attackers. How-
ever, if $K$ assumes a small value, attackers launch persistent attacks, and $m$ is greater than
$(K+1)/2$, some distance estimates used for deriving $(X_S, Y_S)$ might have still been enlarged,
leading to the invalidity of (XS , YS). Therefore, we require A1 to run a validity test on
(XS , YS).
Consider first the simple case that there are no measurement errors. If all the na
distance estimates were not enlarged by attackers, $(X_S, Y_S)$ should be exactly the intersection
point of the $n_a$ circles $\{(x - X_{A_i})^2 + (y - Y_{A_i})^2 = d_{A_iS}^2 \mid 1 \le i \le n_a\}$. To test the validity of
(XS , YS), A1 merely needs to check whether (XS , YS) is inside the na-vertex polygon formed
by all the anchors. The underlying logic is very simple. If attackers want to make S appear
to be at any location other than its true location, they have to enlarge certain distance
measurements, while at the same time reduce some others so as to keep the resulting location
estimate inside the polygon. As mentioned before, however, our K-Distance algorithm can
prevent attackers from launching distance reduction attacks. Therefore, anchors can be
assured that the location estimate is trustable as long as it resides in the na-vertex polygon.
We refer to Fig. 4–4(a) for an example with three anchors (na = 3).
To determine the inclusion of a point inside a polygon, we select the ray-tracing method
for its simplicity and computational efficiency. This method works by starting at the
point in question and drawing a straight line in any direction. If the number of times
the ray intersects the polygon edges is odd, the starting point is inside the polygon and
is outside otherwise. This is easy to understand intuitively. Each time the ray crosses
a polygon edge, its in-out parity changes because each edge always separates the inside
of a polygon from its outside. Eventually, any ray must end up beyond and outside the
bounded polygon. Therefore, if the point is inside, the sequence of crossings “→” must
be: in→out→ · · ·→in→out, and there are an odd number of them. Similarly, if the point
is outside, there are an even number of crossings in the sequence: out→ · · ·→in→out.
Table 4–2 gives the pseudo-code implementation for the ray-tracing method, which uses a
horizontal ray extending to the left of (XS , YS) and parallel to the negative x-axis.
In practical scenarios, however, time measurement errors and thus distance estimate
errors occur inevitably. The na circles centered at anchors will therefore not have a common
intersection point, but form an intersection area in which the location estimate is located,
as shown in Fig. 4–4(b). This would introduce room for distance enlargement attacks.
Consider again the three-anchor example in Fig. 4–4(c). Suppose the distance estimate
dA3S was maliciously enlarged, while dA1S and dA2S are just a little larger than the actual
distances due to measurement errors. It is obvious that, by adjusting the level of enlarging
dA3S , attackers might be able to freely enlarge the intersection area of the three circles and
thus make the MMSE distance estimate (though still inside the triangle) deviate much from
the true location. Fortunately, we can alleviate this issue by imposing certain reasonable
constraints. Let δ be the two-sided maximum allowable measurement error with respect
to distance estimates. Now $(X_S, Y_S)$ should reside in the intersection area of the $n_a$ rings
$$(d_{A_iS} - \delta)^2 \le (x - X_{A_i})^2 + (y - Y_{A_i})^2 \le (d_{A_iS} + \delta)^2, \qquad 1 \le i \le n_a$$
(see Fig. 4–4(b)). This means that, in addition to performing the point-inclusion test, A1
needs to check whether the inequality
$$\bigl|\, d_{A_iS} - \sqrt{(X_S - X_{A_i})^2 + (Y_S - Y_{A_i})^2} \,\bigr| \le \delta$$
holds for each $d_{A_iS}$. If so, $(X_S, Y_S)$ is considered valid and invalid otherwise.
With our method in place, attackers might only be able to enlarge any dAiS a little bit
to make the resulting (XS , YS) appear to be valid, leading to tolerable location imprecision.
However, if they enlarge dAiS by a relatively large amount, the resulting (XS , YS) will be
identified as invalid. One such example is shown in Fig. 4–4(c). Therefore, although our
method cannot completely eliminate distance enlargement attacks, which is believed to
be impossible for any security mechanism, it does constrain the impact of attackers to a
tolerable level.
If (XS , YS) does not pass either the point-inclusion test or the δ-error check, A1 re-
computes a MMSE location estimate based on any (na − 1) distance estimates and checks
its validity via these two tests. If all the sets of (na−1) distance estimates are traversed and
still no valid location estimate is generated, A1 tries the sets of (na− 2) distance estimates.
A1 continues this process until either a valid (XS , YS) is found or all the 3-degree subsets
of na distance estimates are examined (3 is the minimum number of distance estimates
required to derive a 2-D location estimate). If the latter case occurs without yielding a valid
location estimate, A1 may consider that the localization process was attacked and should
take certain actions, e.g., reporting this abnormality to the control center, as stipulated by
concrete WSN applications.
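The validation procedure described above (leftward-ray point-inclusion test, δ-error ring check, and the subset search from all n_a distance estimates down to 3-element subsets), as an added example in Python that is not part of the dissertation. The MMSE step is realised here as a linearised least-squares multilateration of my own choosing; the anchor layout, the true sensor location, δ and the enlarged distance are constructed inputs, and anchors are assumed to be listed in convex counter-clockwise order so that every subset of them still forms a simple polygon.

```python
"""Secure location validation after the pattern of SLS: leftward-ray
point-in-polygon test, least-squares multilateration, the delta-error ring
check and the subset search from n_a anchors down to 3.  Added example, not
code from the dissertation; the anchor layout, delta and the enlarged
distance are constructed inputs."""
from itertools import combinations
import math


def point_in_polygon(x, y, poly):
    """Crossing-number (ray-tracing) test with a horizontal ray extending to the
    left of (x, y), parallel to the negative x-axis.  Odd crossings => inside."""
    inside = False
    n = len(poly)
    for i in range(n):
        x1, y1 = poly[i]
        x2, y2 = poly[(i + 1) % n]
        # Only edges straddling the ray's y-level can be crossed; the half-open
        # comparison stops a vertex lying exactly on the ray from counting twice.
        if (y1 > y) != (y2 > y):
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x_cross < x:            # crossing lies on the leftward ray
                inside = not inside
    return inside


def mmse_estimate(anchors, dists):
    """Least-squares position from >= 3 anchor distances.  Subtracting the last
    circle equation from every other one linearises the system to A p = b,
    solved through the 2x2 normal equations.  None when anchors are collinear."""
    (xn, yn), dn = anchors[-1], dists[-1]
    saa = sab = sbb = sar = sbr = 0.0
    for (xi, yi), di in zip(anchors[:-1], dists[:-1]):
        a, b = 2 * (xn - xi), 2 * (yn - yi)
        r = di**2 - dn**2 - xi**2 + xn**2 - yi**2 + yn**2
        saa += a * a
        sab += a * b
        sbb += b * b
        sar += a * r
        sbr += b * r
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        return None
    return ((sbb * sar - sab * sbr) / det, (saa * sbr - sab * sar) / det)


def is_valid(est, anchors, dists, delta):
    """Both checks: inside the anchor polygon, and |d_i - dist(est, A_i)| <= delta."""
    x, y = est
    if not point_in_polygon(x, y, anchors):
        return False
    return all(abs(d - math.hypot(x - ax, y - ay)) <= delta
               for (ax, ay), d in zip(anchors, dists))


def secure_localize(anchors, dists, delta):
    """Try all n_a distances, then every (n_a-1)-, (n_a-2)-, ..., 3-subset until
    one yields a valid estimate.  Returns (estimate, indices used) or (None, ())
    when nothing passes, i.e. the localization is deemed attacked.  Anchors are
    assumed to be given in convex counter-clockwise order."""
    n = len(anchors)
    for k in range(n, 2, -1):
        for idx in combinations(range(n), k):
            sub_a = [anchors[i] for i in idx]
            sub_d = [dists[i] for i in idx]
            est = mmse_estimate(sub_a, sub_d)
            if est is not None and is_valid(est, sub_a, sub_d, delta):
                return est, idx
    return None, ()


# Constructed scenario: five anchors in convex order, sensor S truly at (4, 5).
ANCHORS = [(0.0, 0.0), (10.0, 0.0), (10.0, 10.0), (5.0, 12.0), (0.0, 10.0)]
TRUE_S = (4.0, 5.0)
DELTA = 0.5


def demo(enlarge_idx=2, enlarge_by=3.0):
    """Honest run versus a run in which one distance estimate is enlarged."""
    honest = [math.hypot(TRUE_S[0] - ax, TRUE_S[1] - ay) for ax, ay in ANCHORS]
    attacked = list(honest)
    attacked[enlarge_idx] += enlarge_by        # constructed enlargement attack
    return (secure_localize(ANCHORS, honest, DELTA),
            secure_localize(ANCHORS, attacked, DELTA))


if __name__ == "__main__":
    print(demo())
```

With honest distances the full five-anchor set passes both tests at once; with one distance enlarged by 3 (six times δ) no subset containing that anchor can satisfy the ring check, and the first valid result is the four-anchor subset that leaves it out, recovering the true location.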
If a valid $(X_S, Y_S)$ is derived, anchor A1 transmits it securely to node S in a message
$\{X_S,\ Y_S,\ h_{K_S}(X_S \| Y_S)\}_{K_S}$. Upon receiving it, node S uses the preloaded secret key $K_S$ to
decrypt $(X_S, Y_S)$ and compute a MIC. If the result matches with what A1 sent, S considers
$(X_S, Y_S)$ trustworthy and saves it for subsequent use.
4.3.5 Discussion
Overhead analysis. So far we have elaborated the operations of SLS, by which a
valid location estimate can be obtained despite the presence of attacks as long as there are
at least three unattacked distance estimates. The desirable security improvement does not
come for free. Specifically, the K-Distance algorithm requires each anchor to obtain K dis-
tance estimates instead of one as in previous schemes. Besides the tunability of K, however,
K-Distance can not only mitigate distance enlargement attacks, but also smooth sporadic
measurement errors in the first place. Also note that, if some distance estimates were
maliciously enlarged, A1 may need to perform the MMSE estimation for up to
$$\sum_{j=3}^{n_a} \binom{n_a}{j}$$
times. In practical scenarios, na should be carefully chosen to be a small number that can
guarantee a certain level of resilience to attacks while not incurring too much overhead.
For instance, when na = 5 anchors are used, SLS can tolerate two (40 percent) maliciously
enlarged distance estimates that are not filtered by K-Distance. Then A1 needs to perform
the MMSE estimation at most 16 times. Since anchors have more powerful computational capacities
than sensor nodes and node localization is a one-time process, we believe such overhead to
be acceptable for security-sensitive WSNs.
Other applications. In addition to securely localizing sensor nodes, SLS can find
uses in many other applications. One example is critical asset tracking. Many organiza-
tions, particularly defense contractors, have parts and equipment of a sensitive, secure, or
hazardous nature. These parts need to be monitored and audited to record their move-
ments and who had access to them, as proof that they have not been tampered with or
viewed by unauthorized personnel. We can accomplish this task by deploying a tracking
infrastructure composed of a set of anchors and attaching to critical assets some sensors
that are difficult to remove without being detected. Anchors and sensors communicate with
each other through wireless links. SLS can then be used by anchors to keep tracking the
locations of critical assets (in fact, attached sensors).
4.4 Related Work
In this section, we briefly review some important work that is closely related to this
chapter. Brands and Chaum [70] propose a TOA-based distance bounding protocol that
can be used to verify the proximity of two devices connected by a wired link. Sastry et al.
[71] present a similar distance bounding approach based on ultrasound and RF signals to
verify the presence of a wireless device in a region of interest. In [72], Waters and Felten
propose a scheme that uses round-trip time-of-flight RF signals to prove the locations of
tamper-resistant devices. Their scheme cannot be directly applied in UWB sensor networks
because individual sensors are usually not tamper-resistant due to cost limitations. More
recently, Lazos and Poovendran [66] present an approach to secure range-free sensor local-
ization techniques [64, 65]. By contrast, this chapter concentrates on securing range-based
localization techniques [62, 63]. The closest work to our SLS can be found in [67], in which a
scheme called Verifiable Multilateration (VM) is proposed for secure positioning of wireless
devices. However, SLS differs significantly from VM in several major aspects. First, SLS is
able to mitigate the impact of attacks and sporadic measurement errors in the first place,
which is a nice property not provided by VM. Second, VM calculates location estimates
on the basis of three anchors or triangles. By contrast, we consider a more general case
by using an na-vertex polygon formed by na anchors for na > 3, which allows for higher
location accuracy. Last, we propose to utilize mobile anchors instead of static anchors,
which can greatly reduce the number of required anchors.
4.5 Summary
How to ensure secure localization is one of the challenging issues in securing WSNs.
In this chapter, we present SLS, a novel mobility-assisted secure localization algorithm that
can furnish sensor nodes with secure, accurate locations despite the presence of attacks. As
the future research, we plan to extend our approach to range-free localization techniques.
CHAPTER 5
LOCATION-BASED COMPROMISE-TOLERANT SECURITY MECHANISMS FOR
WIRELESS SENSOR NETWORKS
5.1 Introduction
A future WSN is expected to consist of hundreds or even thousands of sensor nodes.
This renders it impractical to monitor and protect each individual node from either physical
or logical attack. It is also unrealistic and uneconomical to enclose each node in tamper-
resistant hardware. Thus, each node represents a potential point of compromise. Once
compromising certain nodes and acquiring their keying material, adversaries can launch
various insider attacks. For example, they might spoof, alter or replay routing information
to interrupt the network routing [73]. They may also launch the Sybil attack [45, 74], where
a single node presents multiple identities to other nodes, or the identity replication attack,
in which clones of a compromised node are put into multiple network places [74]. Moreover,
adversaries may inject bogus data into the network to consume the scarce network resources
[75, 76]. This situation poses the demand for compromise-tolerant security design. That is,
the network should remain highly secure even when a number of nodes are compromised.
Although a lot of solutions such as [77, 78, 79, 80, 81, 82, 83, 84, 85] have been proposed
for securing WSNs, most of them do not provide adequate resilience to node compromise
and the resulting attacks.
Many WSNs have an intrinsic property that sensor nodes are stationary, i.e., fixed
at where they were deployed. This property has played an important role in many WSN
applications such as target tracking [86] and geographic routing [87]. By contrast, its great
potential in securing WSNs has so far drawn little attention. Based on this observation,
we propose a suite of location-based compromise-tolerant security mechanisms for WSNs
in this chapter. Our main contributions are summarized as follows.
First, we propose the novel notion of location-based keys (LBKs) based on the afore-
mentioned pairing technique (cf. Section 2.2.1). In our scheme, each node holds a private
key bound to both its ID and geographic location rather than merely its ID as in conven-
tional schemes. To the best of our knowledge, this is the first such effort in the context of
WSNs.
Second, we design a novel node-to-node neighborhood authentication protocol based
on LBKs. It helps achieve the desirable goal of localizing the impact of compromised nodes
(if any) to their vicinity, which is a nice property absent in most previous proposals.
Third, we present efficient approaches to establish pairwise shared keys between any two
nodes that are either immediate neighbors or multi-hop away. Such keys are fundamental
in providing security support for WSNs [78, 79, 80, 81, 82, 83, 84, 85]. In contrast to
previous proposals, our approaches feature low communication and computation overhead,
low memory requirements and good network scalability. More importantly, our approaches
show perfect resistance to node compromise in that pairwise shared keys between non-
compromised nodes always remain secure, no matter how many nodes are compromised.
Fourth, we demonstrate how LBKs can act as efficient countermeasures against some
notorious attacks against WSNs. These include the Sybil attack [73, 74], the identity
replication attack [74], wormhole and sinkhole attacks [73], and so on.
Last, we develop a location-based threshold-endorsement scheme (LTE) to thwart the
aforementioned bogus data injection attack [75, 76]. Detailed performance evaluation shows
that LTE can achieve remarkable energy savings by detecting and dropping bogus traffic at
their early transmission stages. Moreover, our LTE has a much higher level of compromise
tolerance than previous work [75, 76].
The rest of this chapter is structured as follows. Section 5.2 introduces the crypto-
graphic basis, the adversary model and the security objectives of this chapter. Next we
detail a location-based key management scheme, including key generation, authentication
and shared-key establishment. This is followed by a detailed illustration of using LBKs in
combating various attacks. Section 5.5 presents the LTE scheme and evaluates its perfor-
mance. We then survey related work in Section 5.6, discuss the use of symmetric-key vs.
public-key cryptography in Section 6.7, and summarize this chapter.
5.2 Preliminaries
5.2.1 Adversary Model
Adversaries in WSNs can be classified as either external or internal adversaries. The
former do not have authentic keying material whereby to participate in network operations
as legitimate nodes. They might just passively eavesdrop on radio transmissions or actively
inject bogus data or routing messages into the network to consume the network resources.
Once in full control of certain nodes, external adversaries can become internal ones to be
able to launch more subtle attacks like those mentioned in Section 5.1. Internal adversaries
are generally more difficult to defend against than external ones for their possession of
authentic keying material. We further assume that adversaries have much more powerful
resources regarding energy, computation and communication capacities than ordinary
sensor nodes. They might also communicate and collaborate over a high-bandwidth and
low-latency channel invisible to legitimate sensor nodes. However, we do assume that
adversaries cannot compromise an unlimited number of sensor nodes. Neither can they
break any cryptographic primitive on which we base our design. Otherwise, there is unlikely
to be any feasible security solution.
5.2.2 Security Objectives
We aim to provide confidentiality, authentication, data integrity, and non-repudiation,
four essential security objectives. We also intend to offer both link-layer and end-to-end
security guarantees, both of which are indispensable for security-sensitive WSNs [73]. By
definition, link-layer security indicates the security of radio links between neighboring nodes.
It is a prerequisite to prevent external adversaries from accessing or modifying or faking
radio transmissions. In contrast, end-to-end security refers to the communication security
between a pair of source and destination nodes, e.g., a data aggregation point (AP) to
a higher-level AP or the sink [73]. We achieve link-layer security by immediate pairwise
keys shared between neighboring nodes and end-to-end security by multi-hop pairwise keys
shared between end-to-end sources and destinations.
5.3 A Location-Based Key Management Scheme
This section presents a location-based key management scheme for WSNs, including
the generation and distribution of LBKs, a secure LBK-based neighborhood authentication
scheme, and methods for establishing both immediate and multi-hop pairwise shared keys.
5.3.1 Pre-Deployment Phase
We examine a large-scale WSN consisting of hundreds or even thousands of sensor
nodes. We assume that all the nodes have the same transmission range R and communicate
via bi-directional wireless links. Nodes perform a collaborative monitoring of the designated
sensor field and report the sensed events to the distant sink, which is a data collection center
with sufficiently powerful processing capabilities and resources. We further assume that each
node A has a unique, integer-valued and non-zero ID, denoted by IDA. In view of the cost
constraints, nodes are assumed to be not tamper-resistant in the sense that adversaries
can extract all the keying material and data stored on a compromised node. However, we
postulate that the sink is trustworthy and unassailable, as is commonly assumed in the
literature [78, 79, 80, 81, 82, 83, 84, 85].
Prior to network deployment, we assume that a trusted authority (TA) does the fol-
lowing operations:
1. Generate the pairing parameters (q,G1,G2, e,W,H) (cf. Section 2.2.1), where W is
an arbitrary generator of G1, and H is a hash function mapping given strings to
non-zero elements in G1.
2. Choose h, mapping arbitrary inputs to fixed-length outputs, e.g., SHA-1 [16].
3. Pick a random κ ∈ Z∗q as the network master secret and set Wpub = κW .
4. Calculate for each node A an ID-based key (IBK for short), IKA = κH(IDA) ∈ G1.
Each node A is preloaded with the public system parameters (q,G1,G2, e, H, h,W,Wpub)
and its private IKA. It is important to note that it is computationally infeasible to deduce
κ from either (W,Wpub) or any (ID, IBK) pair like (IDA, IKA), due to the difficulty of
solving the DLP in G1 (cf. Section 2.2.1). Therefore, even after compromising an arbitrary
number of nodes and their IBKs, adversaries are still unable to calculate the IBKs of non-
compromised nodes.
5.3.2 Sensor Deployment and Localization
After being loaded with the keying material, sensor nodes can be deployed in various ways
such as physical installation or random aerial scattering. There are also many methods
to localize each node, i.e., furnishing each node with its geographic location. We consider
the following two sensor localization techniques, which accordingly differ in their ways of
generating LBKs for individual nodes. The final outcome of either approach is that each
node A possesses its location denoted by $l_A$ and an LBK $LK_A = \kappa H(ID_A \| l_A)$, where $\|$ denotes message concatenation.
Range-based localization. In this approach, we assume that a group of mobile
robots are dispatched to sweep across the whole sensor field along pre-planned routes.
Mobile robots have GPS capabilities as well as more powerful computation and communi-
cation capacities than ordinary nodes. The leading robot is also equipped with the network
master secret κ. To localize a node, say A, mobile robots run the secure range-based lo-
calization protocol given in Chapter 4 or [67] to first measure their respective absolute
distance to node A and then co-determine lA, the location of A. Subsequently, the leading
robot calculates LKA = κH(IDA ‖ lA). It then generates IKA = κH(IDA) and sends
$\langle\, \{LK_A \| l_A\}_{IK_A},\ h_{IK_A}(LK_A \| l_A) \,\rangle$ to A. Henceforth, $\{M\}_k$ means encrypting message
M with key k, and $h_k(M)$ refers to the message integrity code (MIC) of message M under
key k.
Upon receipt of the message, node A first uses its preloaded IBK IKA to decrypt LKA
and lA and then regenerates the MIC. If the result matches with what the robot sent, A
saves LKA and lA for subsequent use. Following this process, all the nodes can be furnished
with their respective location and LBK. After that, mobile robots leave the sensor field and
the leading robot should securely erase κ from its memory. During subsequent network
operations, node addition may be necessary to maintain good network connectivity. The
localization of new nodes can be done in the same manner.
The assumption underlying this approach is that adversaries do not launch active and
explicit pinpoint attacks on mobile robots at this stage which usually does not last too long.
However, they may still perform relatively passive attacks such as message eavesdropping
or strategic channel inference to disturb the localization process [67]. This assumption is
reasonable in that mobile robots are much fewer than ordinary sensor nodes and hence
we can spend more on them by enclosing them in high-quality tamper-proof hardware and
putting them under super monitoring. Adversaries may also want to temporarily avoid
active and explicit attacks that may easily expose themselves. After the localization phase,
adversaries are free to launch all kinds of attacks.
Range-free localization. By contrast, the range-free localization approach does
not rely on exact distance or range measurements. Instead, we assume that there are
some special nodes called anchors knowing their own locations. All the non-anchor nodes
autonomously derive their locations based on information from the anchors and neighboring
nodes via secure range-free localization techniques such as [66, 88, 89].
The LBKs are also generated by the nodes themselves. To enable this, each node A is
preloaded with the network master secret κ whereby to generate its LBK $LK_A = \kappa H(ID_A \| l_A)$. As in LEAP [90], this approach takes advantage of the fact that sensor nodes deployed in
security-sensitive environments are usually designed to withstand break-in attacks at least
for a short interval when captured by adversaries. Specifically, we assume that an adversary
needs a time interval at least Tmin to successfully compromise a node, and each node takes
some time less than Tmin to finish localization and generation of its LBK. In addition,
each node should be programmed to securely erase κ from its memory after Tmin of its
deployment. In the case of subsequent node addition, new nodes can get their locations
and LBKs in the same way.
5.3.3 Location-Based Neighborhood Authentication
By definition, neighborhood authentication means the process that any two neighboring
nodes validate each other’s network membership. This process is fundamental in supporting
many security services in WSNs. For example, a node should only accept messages from and
forward messages to authenticated neighbors. Otherwise, external adversaries can easily
inject bogus broadcast messages into the network or swindle network secret information
from legitimate nodes.
During the post-deployment phase, each node is required to discover and perform mutual
authentication with neighboring nodes, which is a normal process in many existing security
solutions for sensor networks. In our scheme, each node will think of another node as an
authentic neighbor if and only if that node is within its transmission range R and also holds
the correct corresponding LBK. We take the following concrete example to explain the
neighborhood authentication process.
1. $A \to *$ : $ID_A,\ l_A,\ n_A$
2. $B \to A$ : $ID_B,\ l_B,\ n_B,\ h_{K_{B,A}}(n_A \| n_B \| 1)$
3. $A \to B$ : $h_{K_{A,B}}(n_A \| n_B \| 2)$
Suppose node A wishes to discover and authenticate neighboring nodes once having its
location and LBK. To do so, A locally broadcasts an authentication request including its
ID IDA, location lA and a random nonce nA. Upon receipt of such a request, node B first
needs to ascertain that the claimed location lA is in its transmission range by verifying if
the Euclidean distance $\|l_A - l_B\| \le R$. This check is the baseline defense against the attack
that adversaries surreptitiously tunnel authentication messages between B and a virtually
non-neighboring node. Without the location check, B and that victim will falsely believe
that they are neighbors because both possess an authentic LBK whereby to successfully
finish the following authentication process.
If the inequality does not hold, node B simply discards the authentication request.
Otherwise, B calculates a shared key as KB,A = e(LKB,H(IDA ‖ lA)). It then unicasts a
reply to node A including its ID and location, a random nonce nB, and a MIC computed
as $h_{K_{B,A}}(n_A \| n_B \| 1)$. Upon receiving the reply, node A also first checks if the inequality
$\|l_A - l_B\| \le R$ holds. If so, it proceeds to derive a shared key as $K_{A,B} = e(LK_A, H(ID_B \| l_B))$ whereby to recompute the MIC. If the result is equal to what B sent, node A considers
B an authentic neighbor. Subsequently, A returns to node B a new MIC computed as
hKA,B(nA ‖ nB ‖ 2). Upon receipt of it, B uses KB,A to regenerate the MIC and compares
the result with what it just received. If they are equal, B regards node A as an authentic
neighbor as well.
The above process is valid because, if and only if both A and B have a correct LBK,
KA,B is equal to KB,A due to the following equations.
$$\begin{aligned}
K_{A,B} &= e(LK_A,\ H(ID_B \| l_B)) \\
&= e(\kappa H(ID_A \| l_A),\ H(ID_B \| l_B)) \\
&= e(H(ID_A \| l_A),\ \kappa H(ID_B \| l_B)) \\
&= e(\kappa H(ID_B \| l_B),\ H(ID_A \| l_A)) \\
&= e(LK_B,\ H(ID_A \| l_A)) = K_{B,A}
\end{aligned} \tag{5.1}$$
The second and third lines hold for the bilinearity of e and the fourth line holds by the
symmetry of e (cf. Section 2.2.1).
Using the above three-way handshake, all the nodes can achieve mutual authentication
with neighboring nodes. Note that if multiple nodes simultaneously respond to the same
authentication request, possible MAC-layer collision may happen. We resort to effective
MAC-layer mechanisms to resolve this issue. For example, it can be alleviated through
MAC-layer retransmission or by using a random jitter delay for which each node has to
wait before answering an authentication request.
In our scheme, new nodes can be added freely to maintain necessary network con-
nectivity, especially when some existing nodes die out because of power shortage or other
reasons. A new node is also required to execute the authentication protocol once localized
properly.
Security analysis. Our location-based authentication scheme is secure against var-
ious malicious attacks. For example, in a location forgery attack, an adversary might send
an authentication request with a forged location within node B’s range. Since the adversary
does not hold the LBK corresponding to the forged location, he or she cannot successfully
finish the authentication procedure and thus deceive B into believing that he or she is an
authentic neighbor. Adversaries might also launch a message-tunnelling attack by tunnelling
authentication messages received at one location of the network
over an invisible, out-of-band and low-latency channel to another network location which
is typically multi-hop away. By doing so, they attempt to make two victim nodes far away
from each other believe that they are authentic neighbors. This attack is infeasible with
our scheme in that each node will simply deny authentication requests from nodes that are
not physically within its transmission range. In addition, an adversary might put into the
vicinity of a legitimate node, say B, a replica of one compromised node at other distant loca-
tions. Most purely ID-based authentication schemes are vulnerable to this attack because,
without dependence on any central authority [79, 74], the victim B has great difficulty in
differentiating between legitimate authentication requests and malicious ones from replicas
of a compromised node. With our scheme in place, node B will simply ignore the replica’s
authentication request because the replica should not appear in its transmission range.
It is worth pointing out that, as any other security solution, our scheme itself cannot
prevent a compromised node or its replicas from achieving mutual authentication with
its legitimate neighbors. However, it can guarantee that the compromised node or its
replicas receive nothing more than some random numbers, public IDs and locations from
legitimate nodes. This ensures that the compromised node cannot impersonate its legitimate
neighbors to other nodes. Therefore, our location-based authentication scheme can reduce
the impact of a compromised node from the otherwise network-wide scale to its vicinity,
more specifically, within a circle with radius 2R centered at its current location. This makes
it far easier to devise efficient localized intrusion detection mechanisms.
One may worry that adversaries might mount the denial-of-service attack by continu-
ously sending bogus authentication requests or replies to lure legitimate nodes into endless
processing of such messages. In our opinion, this attack is in fact less worrisome. The rea-
son is that the number of neighbors of any node is limited in reality. Therefore, abnormally
many authentication requests or replies are highly likely an indicator of malicious attacks.
Under such situations, we assume that there are efficient mechanisms available for legitimate
nodes to report such an abnormality to the sink.
5.3.4 Immediate Pairwise Key Establishment
Link-layer security schemes demand an efficient method to establish pairwise shared
keys between neighboring nodes. Henceforth, we refer to such keys as immediate pairwise
keys (or IPKs for short). With IPKs, messages exchanged between neighboring nodes can
be encrypted and authenticated via efficient symmetric-key algorithms.
Note that after a successful three-way handshake, two neighboring nodes, say A and B,
have established a shared key KA,B = KB,A. Adversaries, be they external or internal, may
overhear the authentication messages, but cannot deduce the shared key for the lack of the
LBKs of A and B. From KA,B, A and B can derive various shared session keys for different
security purposes by feeding KA,B into the hash function h. For example, they can use
k0 = h(KA,B ‖ 0) for message encryption and k1 = h(KA,B ‖ 1) for message authentication.
In a similar way, each node can establish IPKs with all its legitimate neighbors after the
neighbor discovery and authentication phase.
Since the IPKs are by-products of the neighborhood authentication process, there is no
extra key-establishment communication and computation overhead. In addition, our IPK
establishment method has perfect resistance to node compromise because the IPKs are built
upon the private LBKs of individual nodes. No matter how many nodes are compromised,
the LBKs of non-compromised nodes always remain secure, and so do the IPKs established
between them.
5.3.5 Multi-hop Pairwise Key Establishment
In addition to the IPKs, a node may need to establish pairwise shared keys with other
nodes that are multi-hop away. We call such keys multi-hop pairwise keys (or MPKs for
short); they are required for securing end-to-end traffic.
Assume that nodes U and V are multi-hop apart and the routing path between them
has been established using the underlying routing protocol. To establish an MPK, U and
V execute the following protocol.
1. $U \rightarrow V$: $ID_U,\ l_U,\ n_U H(ID_U \| l_U)$
2. $V \rightarrow U$: $ID_V,\ l_V,\ n_V H(ID_V \| l_V)$

Here, $n_U, n_V \in \mathbb{Z}_q^*$ are random private numbers chosen by nodes $U$ and $V$, respectively. At
the conclusion of the protocol, node $V$ calculates
$$K_{V,U} = e\big(LK_V,\ n_V H(ID_U \| l_U) + n_U H(ID_U \| l_U)\big) = e\big(\kappa H(ID_V \| l_V),\ (n_V + n_U) H(ID_U \| l_U)\big).$$
Likewise, node $U$ computes
$$K_{U,V} = e\big(LK_U,\ n_U H(ID_V \| l_V) + n_V H(ID_V \| l_V)\big) = e\big(\kappa H(ID_U \| l_U),\ (n_U + n_V) H(ID_V \| l_V)\big).$$
If both nodes are legitimate and have followed the protocol correctly, by the bilinearity and
symmetry of $e$,
$$K_{U,V} = K_{V,U} = e\big(H(ID_U \| l_U),\ H(ID_V \| l_V)\big)^{(n_U + n_V)\kappa}.$$
Based on the MPK KU,V , nodes U and V can derive various shared session keys for different
security purposes as before.
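The two-message exchange above, run end to end, as an added example; this code is not part of the dissertation. The pairing is an insecure stand-in that only reproduces the bilinear algebra: elements of $\mathbb{G}_1$ are plain integers modulo $p-1$ for the prime $p = 2^{127}-1$, and $e(a,b) = g^{ab} \bmod p$, so the identity $K_{U,V} = K_{V,U}$ holds but nothing is hidden (scalars are taken modulo $p-1$ rather than a prime $q$). The master secret `kappa`, the node IDs and locations, and the use of SHA-256 for both $H$ and $h$ are assumptions. The block also derives $k_0 = h(K \| 0)$ and $k_1 = h(K \| 1)$ as in Section 5.3.4, and shows that a node claiming $U$'s identity and location while holding an LBK issued for another location does not arrive at $V$'s key.

```python
import hashlib
import secrets

# Toy symmetric bilinear map used only to exercise the protocol algebra (INSECURE: the
# "points" of G1 are plain integers, so their discrete logs are visible to anyone).
#   G1 = Z_{p-1} written additively, G2 = <g> in Z_p^*, e(a, b) = g^(a*b) mod p.
# p = 2^127 - 1 is prime; exponents reduce mod p-1, which is what makes e bilinear.
p = (1 << 127) - 1
g = 3


def e(a, b):
    return pow(g, a * b % (p - 1), p)


def H(*parts):
    """Hash an (ID, location) pair onto a nonzero scalar (stands in for H: {0,1}* -> G1*)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (p - 2) + 1


def h(*parts):
    """Session-key derivation hash (SHA-256 here; the text only requires some hash h)."""
    return hashlib.sha256(b"|".join(str(x).encode() for x in parts)).hexdigest()


class Node:
    def __init__(self, node_id, loc, kappa):
        self.id, self.loc = node_id, loc
        self.LK = kappa * H(node_id, loc) % (p - 1)   # LBK issued by the TA: LK = kappa*H(ID||l)
        self.n = None

    def message(self):
        """Protocol message (ID, l, n*H(ID||l)) with a fresh private n."""
        self.n = secrets.randbelow(p - 2) + 1
        return self.id, self.loc, self.n * H(self.id, self.loc) % (p - 1)

    def mpk(self, peer_msg):
        """K = e(LK_self, n_self*H(ID_peer||l_peer) + n_peer*H(ID_peer||l_peer))."""
        peer_id, peer_loc, peer_point = peer_msg
        return e(self.LK, (self.n * H(peer_id, peer_loc) + peer_point) % (p - 1))


def session_keys(mpk):
    """k0 = h(K||0) for encryption, k1 = h(K||1) for authentication (Section 5.3.4)."""
    return {"enc": h(mpk, 0), "mac": h(mpk, 1)}


def run_protocol(U, V):
    """Two-message exchange; returns U's key, V's key and the two plaintext messages."""
    msg1 = U.message()          # 1. U -> V : ID_U, l_U, n_U H(ID_U||l_U)
    msg2 = V.message()          # 2. V -> U : ID_V, l_V, n_V H(ID_V||l_V)
    return U.mpk(msg2), V.mpk(msg1), (msg1, msg2)


def impersonation(victim_id, victim_loc, attacker, V):
    """Attacker holding an LBK for some other location claims the victim's ID and location.
    Without LK_victim the two sides end up with different keys, so V's traffic stays unreadable."""
    attacker.n = secrets.randbelow(p - 2) + 1
    forged = (victim_id, victim_loc, attacker.n * H(victim_id, victim_loc) % (p - 1))
    msg2 = V.message()
    return attacker.mpk(msg2), V.mpk(forged)


if __name__ == "__main__":
    kappa = 0xC0FFEE                                  # assumed TA master secret
    U, V = Node("U", "(10,20)", kappa), Node("V", "(300,40)", kappa)
    kU, kV, _ = run_protocol(U, V)
    print("keys agree:", kU == kV, session_keys(kU))
    X = Node("U", "(11,20)", kappa)                   # wrong-location LBK
    print("impostor agrees with V:", impersonation("U", "(10,20)", X, V)[0] == impersonation("U", "(10,20)", X, V)[1])
```

The only values an eavesdropper sees are the two messages; in the toy map they leak $n_U H(\cdot)$ directly, which is exactly why it must not be mistaken for a real pairing group.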
Discussion. If possible, the two protocol messages can piggyback on the routing
messages used to establish the routing path between U and V . In doing so, the related
communication overhead can be much reduced. In addition, there is no need for U and V
to further exchange messages to prove to the other the knowledge of the MPK. Any future
messages encrypted and authenticated with the MPK or the derivative session keys can
implicitly achieve the same effect.
Our MPK establishment protocol is a simple adaptation of the provably secure ID-
based key agreement protocol [91]. Any third party may overhear the plaintext messages
exchanged between U and V , but cannot derive the MPK KU,V without knowing the LBKs
of U or V . This protocol also has perfect resilience against node compromise because of
the dependence of the MPKs on the nodes’ private LBKs.
5.4 Efficacy of LBKs in Attack Mitigation
In this section, we show how the proposed LBKs can act as effective and efficient
countermeasures against several notorious attacks against WSNs.
5.4.1 Spoofing, Altering or Replaying Routing Information
Without precaution, external adversaries are able to spoof, alter or replay routing
messages. By doing so, they attempt to create routing loops, cause network partitions,
incur false error messages, and so on [73].
As mentioned before, neighboring nodes are required to perform mutual authentica-
tion based on their private LBKs. Since each node only processes routing messages from
authenticated neighbors, external adversaries can be prevented from entering the network
and distributing phony routing messages. The remaining problem is how to defend against
internal adversaries or compromised nodes in possession of authentic keying material. It
is believed that there is no cryptographic way that can prevent them from manipulating
routing information. However, our location-based neighborhood authentication scheme can
constrain the impact of compromised nodes to a small range centered at their original locations.
In other words, internal adversaries cannot utilize keying material acquired at one place
to launch routing attacks at another, distant place. All they can do is continue misbehaving
at “the scene of the crime,” i.e., within a small range around the location of the compromised
node. In doing so, they run a high risk of being detected by legitimate nodes, provided that
effective localized misbehavior detection mechanisms are available.
5.4.2 The Sybil Attack
The Sybil attack happens when a malicious node behaves as if it were a large number
of nodes, e.g., by impersonating other nodes or simply claiming multiple forged IDs and/or
locations. As pointed out in [73, 74], this attack is extremely detrimental to many impor-
tant WSN functions, such as routing, fair resource allocation, misbehavior detection, data
aggregation, and distributed storage.
With our scheme in place, when a malicious node intends to impersonate a legitimate
node, it does not have the authentic LBK and thus cannot successfully finish mutual au-
thentication with other legitimate nodes. For the same reason, a malicious node cannot
claim forged IDs and/or locations without being detected. Therefore, the Sybil attack is
effectively defeated.
5.4.3 The Identity Replication Attack
The identity replication attack [74] takes place when adversaries put multiple replicas
of a compromised node in different geographic locations. It may lead to inconsistent network
routing information, and jeopardize other important network functions.
Conventional defenses often involve a central authority, e.g., the sink, that either keeps a
record of each node’s location [74], or centrally counts the number of connections a node
has and revokes those with too many connections [79]. These solutions require node-to-
node authentication and pairwise key establishment to be performed through the central
authority, thereby causing significant communication overhead and the lack of scalability.
This attack is no longer feasible when our location-based neighborhood authentication
scheme is applied. The replicas of a compromised node will be prevented from entering
the network by legitimate nodes at locations other than the neighborhood of the compro-
mised node. Our countermeasure is totally self-organizing and does not involve any central
authority, hence it is rather lightweight and highly scalable in contrast to previous solutions.
5.4.4 Wormhole and Sinkhole Attacks
Wormhole [73, 92] and sinkhole [73] attacks are two notorious attacks against WSN
routing protocols that are difficult to withstand, especially when the two are used in com-
bination.
In the wormhole attack, instead of compromising any node, collaborative adversaries
first create a wormhole link, essentially an out-of-band and low-latency channel, between
two distant network locations. They then tunnel routing messages recorded at one location
via the wormhole link to the other, thereby disrupting routing operations. Hu
et al. [92] presented a technique called packet leashes to withstand the wormhole attack.
It requires extremely tight time synchronization and is thus infeasible for most WSNs, as
noted in [73]. In contrast, each node in our scheme only accepts routing messages from
authenticated neighbors and will discard those tunnelled from distant locations. Therefore,
the wormhole attack is effectively and efficiently thwarted.
In the sinkhole attack, compromised nodes attempt to attract all the traffic from their
surrounding nodes by announcing a high-quality route to the sink or some other destina-
tions. For example, adversaries create an invisible and fast channel between two compro-
mised nodes A and B residing in distant network regions. Node A claims that it is one
hop or a few hops away from B or other nodes close to B. By doing so, A aims to be se-
lected by legitimate surrounding nodes as a packet relay to B or other nodes in that region.
Fortunately, our scheme can withstand such sinkhole attacks against minimum-hop routing
protocols. For instance, upon seeing A’s advertisement of a single-hop path to node B, a
legitimate node can immediately find out that A is malicious by noting that the distance
between A and B is far larger than the normal transmission range R. In addition,
geographic routing protocols such as [87] have been identified in [73] as promising solutions
resistant to sinkhole and wormhole attacks. The reason is that they construct the rout-
ing topology on demand using only localized interactions and geographic information. To
apply such schemes, however, the location information advertised from neighboring nodes
must be authenticated. We provide such a guarantee by the LBKs and the location-based
neighborhood authentication scheme.
We note that our scheme itself cannot prevent the sinkhole attacks against routing
protocols with routing metrics such as remaining energy or end-to-end reliability. The
major reason is that the authenticity of such information is very difficult to verify by
cryptographic means alone. As far as we know, a countermeasure remains an open challenge
and an interesting topic for further study.
5.5 Location-Based Filtering of Bogus Data
In this section, we first describe the bogus data injection attack. We then present a
location-based threshold-endorsement scheme (LTE) as the countermeasure. Finally, we
evaluate the performance of LTE in terms of energy savings.
5.5.1 The Bogus Data Injection Attack
As mentioned before, neighborhood mutual authentication is sufficient to prevent ex-
ternal adversaries from injecting bogus data into the network, but will fail in the presence
of internal adversaries. With a single compromised node, internal adversaries can inject ar-
bitrary and seemingly authentic data reports into the network. Without precaution, this
kind of attack may do a lot of damage to the network, e.g., causing false alarms or net-
work traffic congestion. Even worse, it can deplete the precious energy of relaying nodes
on any forwarding path to the sink, which is often tens or even hundreds of hops away
from the sources of data reports. It is, therefore, important to design effective and efficient
countermeasures against this attack.
Since there is no way of hindering internal adversaries from injecting bogus data, we
attempt to figure out ways to mitigate their impact. Our first goal is to filter bogus
data reports as early as possible before they reach the sink. Our second goal is to prevent
adversaries from freely fabricating the originating locations of injected bogus data reports.
Figure 5–1: Node deployment model (labels: $(X_0, Y_0)$ and $r$).
We achieve the first goal by a threshold-endorsement method. That is, a data report
should be co-signed by t nodes for it to be considered authentic. A report without a
correct endorsement will be regarded as a fake one and discarded by any legitimate node
after verifying it. Our method is motivated by the observation that every point in the
sensor field should be covered by at least t nodes, known as the t-coverage problem [93].
The t-coverage property is required by many security-sensitive WSN applications such as
intrusion detection to facilitate fine-grained surveillance. In our case, adversaries will have
much greater difficulty in injecting seemingly authentic yet bogus data reports, as they now
have to compromise at least t nodes instead of only one as before.
We fulfill the second objective by embedding the location information of a data report’s
originating area in the joint endorsement it carries. To inject a bogus data report that
originates from a certain area and can survive the filtering by legitimate intermediate nodes,
adversaries must actually compromise at least t nodes holding keying material of that area.
Even so, they cannot utilize the acquired keying material to fake data reports that seem to
originate from other areas. Another benefit is that, once determining that some arriving
reports are unfiltered bogus ones, the sink can pinpoint their originating areas and then
take specific remedy actions.
Below we detail how to actually realize the above ideas.
5.5.2 Generation and Distribution of Cell Keys
To enable location-based threshold-endorsement, we propose the notion of cell keys.
For the sake of simplicity, we assume that the sensor field is an $Mr \times Nr$ rectangle whose
lower-left corner is at location $(X_0, Y_0)$. The sensor field is divided into $MN$ square cells of
equal side length $r$. Each cell is labelled with a pair of integers $\langle m, n\rangle$, for $1 \le m \le M$
and $1 \le n \le N$. Prior to deployment, $(X_0, Y_0)$ and $r$ are preloaded to each node. Also note
that our LTE can be easily extended for use with any other node deployment model.
We define the cell key of cell $\langle m, n\rangle$ as $K_{m,n} = \kappa H(m \| n)$, which shall be used
to endorse any report originating from that cell. The next question is how to distribute
$K_{m,n}$ to nodes in cell $\langle m, n\rangle$. Let $ID^i_{m,n}$ denote the $i$th node, with location $l^i_{m,n}$, in cell
$\langle m, n\rangle$. The naive method of letting each $ID^i_{m,n}$ hold one copy of $K_{m,n}$ obviously suffers
from single node compromise. Instead, we propose to utilize the secret-sharing technique
[15] to assign a share of $K_{m,n}$ to each $ID^i_{m,n}$. The purpose is to make $K_{m,n}$ reconstructible
by any $t$ nodes in cell $\langle m, n\rangle$, while irrecoverable by any fewer than $t$ of them. To do this,
prior to network deployment, the TA additionally generates a $(t-1)$-degree polynomial,
$$F(x) = \sum_{j=1}^{t-1} F_j x^j \in \mathbb{G}_1,$$
with coefficients $F_j$ randomly selected from $\mathbb{G}_1^*$.$^1$ It also selects
another system parameter $c \le r$ whose use is explained shortly. We consider the following
two cases of cell-key share distribution, depending on whether node localization is range-
based or range-free (cf. Section 5.3.2).
Range-based cell-key distribution. In this approach, the leading robot is preloaded
with the polynomial $F(x)$. In addition to determining a node's location, it decides that
node's present cell by simple geometric calculations. Consider node $ID^i_{m,n}$ as an ex-
ample. Its location $l^i_{m,n}$, i.e., $(X^i_{m,n}, Y^i_{m,n})$, will satisfy $(m-1)r \le X^i_{m,n} - X_0 < mr$
and $(n-1)r \le Y^i_{m,n} - Y_0 < nr$. Then the leading robot derives $K_{m,n} = \kappa H(m \| n)$
and a set of authenticators $\vec{V}_{m,n} = \{v^{(j)}_{m,n} \mid 0 \le j \le t-1\}$, where $v^{(0)}_{m,n} = e(K_{m,n}, W)$
and $v^{(j)}_{m,n} = e(H(F_j \| m \| n), W)$ for $1 \le j \le t-1$. Note that it just needs to
do these computations once for each cell. Next, the leading robot calculates
$$K^i_{m,n} = \sum_{j=1}^{t-1} H(F_j \| m \| n)\,(ID^i_{m,n} \| l^i_{m,n})^j + K_{m,n} \in \mathbb{G}_1,$$
referred to as node $ID^i_{m,n}$'s share of $K_{m,n}$. Finally, $K^i_{m,n}$ and $\vec{V}_{m,n}$ are securely sent to
node $ID^i_{m,n}$ along with $l^i_{m,n}$ and its LBK (cf. Section 5.3.2).

$^1$ $\mathbb{G}_1^*$ denotes the set $\mathbb{G}_1 \setminus \{O\}$, where $O$ is the identity element of $\mathbb{G}_1$.
$K_{m,n}$ can be reconstructed from any $t$ shares of it, but is irretrievable from any $(t-1)$
or fewer shares. In particular, let $T_{m,n}$ denote the number of nodes in cell $\langle m, n\rangle$ and $\Omega$
be a $t$-element subset of $\{1, \ldots, T_{m,n}\}$. We can compute
$$K_{m,n} = \sum_{i \in \Omega} \lambda_i K^i_{m,n}, \qquad (5.2)$$
where
$$\lambda_i = \prod_{j \in \Omega \setminus \{i\}} \frac{ID^j_{m,n} \| l^j_{m,n}}{(ID^j_{m,n} \| l^j_{m,n}) - (ID^i_{m,n} \| l^i_{m,n})}.$$
Regarding the choice of $t$, there is a tradeoff
between resilience to node compromise and node density. Basically, the larger t, the more
resilient the network is to node compromise, the higher the required node density is, and
vice versa. This issue is closely related to the well-studied t-coverage problem [93]. We refer
interested readers to [93] about how to strike a good balance between these two competing
metrics.
To ensure high-level $t$-coverage of cell boundaries with regard to security, it is also
important to let some nodes possess cell-key shares of adjacent cells. In particular, we
require that the nodes outside a cell but within $c$ of the cell boundary also hold cell-key
shares of that cell. For example, if $mr - X^i_{m,n} \le c$, node $ID^i_{m,n}$ also has the authenticator
vector $\vec{V}_{m+1,n}$ and a share of cell key $K_{m+1,n}$. Likewise, if $nr - Y^i_{m,n} \le c$, it owns $\vec{V}_{m,n+1}$
and a share of $K_{m,n+1}$ as well. In addition, for the boundaries of the sensor field, it is often
necessary to purposely deploy some sensors beyond the field boundaries. The choice of $c$
represents a tradeoff between cell-boundary $t$-coverage and tolerance to node compromise.
The greater $c$, the higher the level of $t$-coverage of cell boundaries, but the more vulnerable a cell
key is to node compromise, because more nodes hold a cell-key share, and vice versa. Its
concrete value is also tied to those of $t$ and the node density.
Range-free cell-key distribution. In this method, each node is preloaded with
the polynomial $F(x)$ in addition to the network master secret $\kappa$. Consider again node $ID^i_{m,n}$
as an example. Once it has determined its own location $l^i_{m,n}$, it also knows that it resides in cell
$\langle m, n\rangle$. Therefore, besides generating its LBK (cf. Section 5.3.2), node $ID^i_{m,n}$ employs
$\kappa$ to first derive $K_{m,n}$ and then its share $K^i_{m,n}$. Moreover, it computes the authenticator
vector $\vec{V}_{m,n}$.$^2$ If within $c$ of adjacent cells' boundaries, node $ID^i_{m,n}$ should as well compute
a cell-key share and the authenticator vector for each of those cells. Upon finishing all these
operations, it must securely erase $\kappa$, $F(x)$ and all the complete cell keys from its memory.
5.5.3 Performing Threshold-Endorsements of Data Reports
Now we explain how to perform threshold-endorsements on data reports. Without loss
of generality, we take cell < m, n > as an example in the following description.
In general, sensor nodes generate a report when triggered by a special event such as
the appearance of adversaries, or in response to a query made by the sink. Assume that
such a stimulus occurs in cell $\langle m, n\rangle$ and is detected by $s \ge t$ nodes. If the event occurs
close to the cell boundary, the $s$ nodes may include nodes in different adjacent cells.
To simplify our presentation, however, we assume that all of them are in cell $\langle m, n\rangle$. By
local interactions, the detecting nodes can reach a consensus on a final report, denoted by
$\Lambda$ and containing application-dependent information such as the type, occurrence time and
location of the event.
The detecting nodes are required to elect among themselves an aggregation point (AP).
To obtain a threshold-endorsement of $\Lambda$, the AP chooses a random $\alpha \in \mathbb{Z}_q^*$ and computes
$\theta = e(W, W)^\alpha$, which it broadcasts to the other detecting nodes. Upon receipt of $\theta$, each detecting
node $ID^i_{m,n}$ endorses the report $\Lambda$ by computing $U^i_{m,n} = K^i_{m,n}\, h(\Lambda \| \theta)$. It then sends
$U^i_{m,n}$ to the AP, encrypted and authenticated with the pairwise key shared with the AP
(cf. Section 5.3.4). Once it has received at least $t$ such endorsements, the AP randomly selects $t$
of the endorsers, denoted by a set $\Omega$ which may include itself. It then calculates
$$U_{m,n} = \sum_{i \in \Omega} \lambda_i U^i_{m,n} = K_{m,n}\, h(\Lambda \| \theta) \quad \text{(cf. Eq. 5.2)} \qquad \text{and} \qquad \Upsilon_{m,n} = U_{m,n} + \alpha W.$$
The threshold-endorsement of $\Lambda$ is $(\Upsilon_{m,n}, h(\Lambda \| \theta))$ and the final report is of the form $\langle \Lambda, \Upsilon_{m,n}, h(\Lambda \| \theta)\rangle$.
It is possible that some of the endorsers have been compromised and thus may provide
the AP with falsely computed endorsements. Fortunately, our LTE scheme can well handle
this situation. In particular, once it has derived $U_{m,n}$, the AP is required to verify its authenticity
by checking whether the equation $e(U_{m,n}, W) = (v^{(0)}_{m,n})^{h(\Lambda \| \theta)}$ holds. The check should succeed for
a valid $U_{m,n}$ because $e(U_{m,n}, W) = e(K_{m,n}, W)^{h(\Lambda \| \theta)}$ by the bilinearity of $e$, and $v^{(0)}_{m,n} =
e(K_{m,n}, W)$. Otherwise, the AP proceeds to verify each received $U^i_{m,n}$ by checking whether
$$e(U^i_{m,n}, W) = \prod_{j=0}^{t-1} \big(v^{(j)}_{m,n}\big)^{(ID^i_{m,n} \| l^i_{m,n})^j \cdot h(\Lambda \| \theta)}.$$
The verification works because of the following equations.
$$\begin{aligned}
e(U^i_{m,n}, W) &= e(K^i_{m,n}, W)^{h(\Lambda \| \theta)} \\
&= e\Big(\sum_{j=1}^{t-1} H(F_j \| m \| n)\,(ID^i_{m,n} \| l^i_{m,n})^j + K_{m,n},\ W\Big)^{h(\Lambda \| \theta)} \\
&= \Big(e(K_{m,n}, W) \prod_{j=1}^{t-1} e\big(H(F_j \| m \| n), W\big)^{(ID^i_{m,n} \| l^i_{m,n})^j}\Big)^{h(\Lambda \| \theta)} \\
&= \prod_{j=0}^{t-1} \big(v^{(j)}_{m,n}\big)^{(ID^i_{m,n} \| l^i_{m,n})^j \cdot h(\Lambda \| \theta)}
\end{aligned} \qquad (5.3)$$
The third line holds because $e$ is bilinear. If the check succeeds, the AP considers
node $ID^i_{m,n}$ legitimate, and compromised otherwise.

$^2$ The authenticators $v^{(j)}_{m,n}$ ($1 \le j \le t-1$) may be precalculated and preloaded to each
node to reduce the computational overhead.
all the endorsers offering false endorsements and delete them from Ω. Subsequently, it re-
plenishes Ω with the corresponding number of endorsers randomly selected from the unused
ones, and recalculates (Υm,n, h(Λ ‖ θ)). As long as there are at least t legitimate endorsers,
a correct threshold-endorsement can always be generated.
It is worth noting that the pinpoint-identification capability of the AP may deter the
compromised endorsers (if any) from providing false endorsements. As a result, it is highly
possible that the AP can derive an authentic threshold-endorsement in the first round. In
the light of this, we let the AP verify the individual endorsements only when the threshold-
endorsement is incorrect rather than at the beginning, thereby reducing its computational
load.
In some cases, the AP itself may be a compromised node. It may either not at all
send a final report to the sink or transmit a bogus report with an incorrect Λ or a wrong
(Υm,n, h(Λ ‖ θ)) or both. Both attacks can be easily detected by the legitimate detecting
nodes which, in turn, elect a new AP among themselves to generate a new threshold-
endorsement and send the final report to the sink. Also note that dealing with the latter
attack requires the legitimate detecting nodes to verify the threshold-endorsement in the
final report. The verifications are similar to the filtering operations by intermediate nodes
on the way to the sink, which are explained in what follows.
5.5.4 Probabilistic Enroute Filtering of Data Reports
The AP sends to the sink the final report along a multi-hop path discovered via the
underlying routing protocol. Depending on different applications, end-to-end and/or link-
layer security measures can be enforced on the report transmission (cf. Sections 5.3.4 and
5.3.5). We denote by $p_s$ the sampling probability, which is a system-wide parameter.
Upon receipt of a report $\langle \Lambda, \Upsilon_{m,n}, h(\Lambda \| \theta)\rangle$ to be forwarded, each intermediate node,
say $A$, with probability $p_s$ deduces the originating cell $\langle m, n\rangle$ from the
event location embedded in $\Lambda$. It then computes
$$\theta' = e(\Upsilon_{m,n}, W)\, e\big(H(m \| n), -W_{pub}\big)^{h(\Lambda \| \theta)}, \qquad (5.4)$$
where $W_{pub} = \kappa W$ is the public system parameter defined in Section 5.3.1. If the report is
authentic, we will have
$$\begin{aligned}
\theta' &= e(\Upsilon_{m,n}, W)\, e\big(H(m \| n), W_{pub}\big)^{-h(\Lambda \| \theta)} \\
&= e\big(K_{m,n} h(\Lambda \| \theta) + \alpha W,\ W\big)\, e\big(H(m \| n), \kappa W\big)^{-h(\Lambda \| \theta)} \\
&= e\big(K_{m,n} h(\Lambda \| \theta) + \alpha W,\ W\big)\, e\big(\kappa H(m \| n), W\big)^{-h(\Lambda \| \theta)} \\
&= e(K_{m,n}, W)^{h(\Lambda \| \theta)}\, e(W, W)^{\alpha}\, e(K_{m,n}, W)^{-h(\Lambda \| \theta)} \\
&= \theta.
\end{aligned} \qquad (5.5)$$
Therefore, if $h(\Lambda \| \theta') = h(\Lambda \| \theta)$, node $A$ considers the report authentic and forwards
it to the next hop. Otherwise, it regards the report as fabricated and simply drops
it. Our LTE scheme is a simplified adaptation of the provably secure threshold version [94]
of Hess's ID-based signature scheme [95].
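The cell-key sharing of Section 5.5.2, the threshold endorsement of Section 5.5.3 (including the per-endorser check of Eq. 5.3) and the en-route filter of Eq. 5.4, carried through in one place as an added example; this is not the dissertation's code. The pairing is again an insecure stand-in that only reproduces the bilinear algebra: $\mathbb{G}_1 = \mathbb{Z}_q$ written additively, $\mathbb{G}_2$ the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a safe prime $p = 2q+1$ found at start-up, and $e(a,b) = 4^{ab} \bmod p$. The threshold $t = 3$, the master secret, the coefficients $F_j$, the point $W$, the node IDs and locations, and the use of SHA-256 for both $H$ and $h$ are assumptions; the scalar $ID^i_{m,n} \| l^i_{m,n}$ is taken as the hash of the two strings. The `check_endorser` and `enroute_filter` functions return booleans so the failure cases (a corrupted endorsement, a tampered $\Lambda$, an endorsement built from another cell's shares) can be exercised.

```python
import hashlib
import secrets

# ---- toy symmetric pairing (INSECURE: G1 elements are plain scalars, so nothing is hidden;
# it only reproduces the bilinear algebra the scheme relies on) ----
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic Miller-Rabin below 3.3e24


def is_prime(n):
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(start):
    """Smallest q >= start such that q and 2q+1 are both prime."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return q


q = safe_prime(1 << 62)       # |G1| = |G2| = q
p = 2 * q + 1                 # G2 = <4> in Z_p^*; 4 is a square, so it has order exactly q


def e(a, b):                  # G1 = Z_q (additive);  e(a, b) = 4^(a*b) mod p
    return pow(4, a * b % q, p)


def g2_pow(x, s):             # exponentiation in G2, exponent reduced mod the group order
    return pow(x, s % q, p)


def H(*parts):                # one SHA-256 hash serves as both H (into G1*) and h (into Z_q*)
    data = b"|".join(x if isinstance(x, bytes) else str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1


# ---- TA setup (values assumed for the example) ----
t = 3                                                     # endorsement threshold
kappa = secrets.randbelow(q - 1) + 1                      # network master secret
W = H(b"generator W")                                     # public point W of G1
W_pub = kappa * W % q                                     # W_pub = kappa * W
F = [secrets.randbelow(q - 1) + 1 for _ in range(t - 1)]  # F_1 .. F_{t-1} of F(x)


def cell_key(m, n):
    return kappa * H(m, n) % q                            # K_{m,n} = kappa * H(m || n)


def coeff(j, m, n):
    return H(F[j - 1], m, n)                              # H(F_j || m || n)


def make_share(m, n, node_id, loc):
    """Returns (x_i, K^i_{m,n}): x_i is ID_i || l_i read as a scalar, the share is
    K_{m,n} + sum_j H(F_j||m||n) x_i^j, i.e. the sharing polynomial evaluated at x_i."""
    x = H(node_id, loc)
    return x, (cell_key(m, n) + sum(coeff(j, m, n) * pow(x, j, q) for j in range(1, t))) % q


def authenticators(m, n):
    """V_{m,n} = (v^(0), ..., v^(t-1)) handed to every node of the cell."""
    return [e(cell_key(m, n), W)] + [e(coeff(j, m, n), W) for j in range(1, t)]


def combine(points):
    """Eq. 5.2: sum_i lambda_i y_i with Lagrange coefficients over Z_q."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * xj % q, den * (xj - xi) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total


def endorse(report, endorser_shares):
    """AP side: theta = e(W,W)^alpha; each node returns U^i = K^i h(Lambda||theta);
    the AP combines t of them into U = K h(Lambda||theta) and Upsilon = U + alpha W."""
    alpha = secrets.randbelow(q - 1) + 1
    theta = g2_pow(e(W, W), alpha)
    hv = H(report, theta)                                     # h(Lambda || theta)
    U = combine([(x, s * hv % q) for x, s in endorser_shares[:t]])
    return report, (U + alpha * W) % q, hv                    # <Lambda, Upsilon, h(Lambda||theta)>


def check_endorser(x, U_i, hv, V):
    """Eq. 5.3: e(U^i, W) == prod_j (v^(j))^(x^j h) pinpoints a false endorsement."""
    rhs = 1
    for j, v in enumerate(V):
        rhs = rhs * g2_pow(v, pow(x, j, q) * hv) % p
    return e(U_i, W) == rhs


def enroute_filter(msg, m, n):
    """Eq. 5.4/5.5: theta' = e(Upsilon, W) e(H(m||n), W_pub)^(-h); keep iff h(Lambda||theta') == h."""
    report, upsilon, hv = msg
    theta2 = e(upsilon, W) * g2_pow(e(H(m, n), W_pub), -hv) % p
    return H(report, theta2) == hv
```

Because `enroute_filter` needs only $W$, $W_{pub}$ and the cell label, an intermediate node can verify without any cell-specific secret; because `endorse` only ever sees shares of one cell, an endorsement built from cell $\langle m, n+1\rangle$'s shares is rejected when the report claims cell $\langle m, n\rangle$.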
5.5.5 Efficacy and Security Analysis
We first quantify the efficacy of probabilistic enroute filtering of fabricated data reports.
There might be compromised nodes lying on the forwarding path to the sink which
just relay bogus reports to the next hop without verifying them. Since we are only inter-
ested in the energy consumption of legitimate intermediate nodes, we merely consider a
“valid” forwarding path from which compromised nodes are removed. Given the sampling
probability $p_s$, the probability that a bogus report can be detected and dropped within $\mu$
hops is $p_\mu = 1 - (1 - p_s)^\mu$, and the average number of hops a bogus report traverses is
$$\bar{\mu} = \sum_{j=1}^{\infty} j\, p_s (1 - p_s)^{j-1} = \frac{1}{p_s}. \qquad (5.6)$$

Figure 5–2: The probability $p_\mu$ of filtering one bogus report as a function of the sampling probability $p_s$ and the number $\mu$ of hops a bogus report travels.

Fig. 5–2 shows how $p_\mu$ changes with $p_s$ and $\mu$. We can see that, even when $p_s$ assumes a
small value, say 0.3, over 83 percent of bogus reports can be filtered within 5 hops, and less
than 3 percent of them can travel beyond 10 hops. Therefore, for large-scale WSNs often
involving very long forwarding paths, our LTE is highly effective in filtering bogus reports
during their early transmission stages, thereby saving the precious energy of legitimate
nodes.
Due to the probabilistic verifications at intermediate nodes, a bogus report might
escape the filtering and reach the sink with a small probability $(1 - p_s)^{len-1}$, where $len$
indicates the forwarding path length. As the last line of defense, the sink is required to
verify the threshold-endorsement of each received report and discard those failing the test.
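The closed forms above next to a Monte Carlo run of the same model, as an added check that is not part of the dissertation. The model assumes a "valid" path of `path_len` hops whose $len - 1$ intermediate nodes each sample with probability $p_s$ independently and whose sink always verifies; the trial count and seed are arbitrary. The simulation reproduces the 83 percent within 5 hops and under 3 percent beyond 10 hops figures quoted for $p_s = 0.3$.

```python
import random


def p_filtered_within(ps, mu):
    """p_mu = 1 - (1 - p_s)^mu: a bogus report is sampled (and dropped) within mu honest hops."""
    return 1 - (1 - ps) ** mu


def mean_hops(ps):
    """Eq. 5.6: the hop index of the first sampling node is geometric, so its mean is 1/p_s."""
    return 1 / ps


def p_reaches_sink(ps, path_len):
    """(1 - p_s)^(len - 1): none of the len-1 intermediate nodes sampled the report."""
    return (1 - ps) ** (path_len - 1)


def simulate(ps, path_len, trials, seed=2006):
    """Monte Carlo over a 'valid' path (compromised relays removed). Each of the len-1
    intermediate nodes checks with probability p_s; the sink always checks.
    Returns (mean hops travelled, fraction dropped within 5 hops,
             fraction travelling past 10 hops, fraction reaching the sink)."""
    rng = random.Random(seed)
    travelled = []
    for _ in range(trials):
        hop = path_len                      # default: survives every relay, filtered at the sink
        for k in range(1, path_len):
            if rng.random() < ps:
                hop = k
                break
        travelled.append(hop)
    return (sum(travelled) / trials,
            sum(h <= 5 for h in travelled) / trials,
            sum(h > 10 for h in travelled) / trials,
            sum(h == path_len for h in travelled) / trials)


if __name__ == "__main__":
    print("closed form p_5 =", p_filtered_within(0.3, 5), " beyond 10 =", 1 - p_filtered_within(0.3, 10))
    print("simulation (mean, <=5, >10, sink) =", simulate(0.3, 200, 100_000))
```

The simulation truncates the geometric distribution at the sink, so `mean_hops` matches it only when `path_len` is large relative to $1/p_s$; for a short path the mean is smaller and the sink term is what Eq. 5.6 ignores.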
The choice of $p_s$ represents a tradeoff between the early filterability of bogus reports
and the computational overhead involved in verifying authentic reports. On the one hand,
if $p_s$ is too small, a bogus report will statistically traverse more hops before being filtered.
On the other hand, if $p_s$ is too large, it may incur unnecessary computational overhead on
intermediate nodes in verifying authentic reports. $p_s$ can be either fixed or dynamically
adjusted as time goes on. For example, if the sink receives many alarms of bogus reports
from sensor nodes or detects many unfiltered bogus reports by itself during a predetermined
time period, it can increase $p_s$ by a certain amount, or else decrease it. The new $p_s$ can
be securely conveyed to sensor nodes using a µTESLA-like [96] broadcast authentication
protocol.
Our LTE scheme has strong resilience against node compromise. It guarantees that,
as long as there are fewer than $t$ compromised nodes holding cell-key shares of the same cell,
adversaries are unable to forge data reports that seem to originate from that cell and
escape the filtering by enroute intermediate nodes and the sink. In the worst-case scenario,
adversaries may manage to compromise at least t nodes with cell-key shares of a same
cell. We refer to this event as cell compromise. Fortunately, adversaries can only utilize
the reconstructed cell key to fabricate reports in that cell but not in other cells, due to
the location-dependent nature of the cell key. Therefore, if the sink initially accepts a
report with a correct endorsement but finally finds that it is a bogus one by further field
investigations or other means, the sink can immediately detect the cell-compromise event
and take corresponding remedy actions that are outside the chapter scope.
Adversaries might launch denial-of-service attacks by trapping legitimate nodes into
endless verifications of data reports. Consequently, if a legitimate node detects too many
bogus reports in a short time window, we assume that there are efficient ways for it to
report such an abnormality to the sink. Another possible attack is that a compromised
intermediate node may stall the reporting of real events to the sink by either directly
dropping any received report or tampering with the report content before forwarding it to
the next hop. This attack is orthogonal to the bogus data injection attack we focus on,
but we would like to suggest several possible ways to withstand it. One way is to utilize
a SPREAD-like [97] secure multipath routing protocol to transmit copies of a report along
multiple disjoint paths to the sink. Another possible approach is through local monitoring
enabled by the broadcast nature of radio transmissions. In particular, if an intermediate
node receives a report from the previous-hop node, multiple neighbors of it can hear that packet
as well. Likewise, these neighbors can overhear the packet it transmits to the next hop and
can thus tell whether it behaves correctly or not. We leave further investigation of
this issue and its combination with the bogus data injection attack to a separate chapter.
5.5.6 Performance Evaluation
In this subsection, we evaluate the performance of our LTE in achieving energy savings.
Pairing parameters. In our evaluation, the bilinear map $e$ used is the Tate pairing
[14]. The elliptic curve $E$ is defined over $\mathbb{F}_p$, where $p$ is a 512-bit prime. The order $q$ of $\mathbb{G}_1$
and $\mathbb{G}_2$ is a 160-bit prime. According to [12], our chosen parameters deliver an equivalent
level of security to that of 1024-bit RSA.
We use the following method to quantify the computation time and energy consumption
of the Tate pairing. We assume that the sensor CPU is a low-power high-performance 32-bit
Intel PXA255 processor at 400 MHz. The PXA255 has been widely used in many sensor
products such as Sensoria WINS 3.0 and Crossbow Stargate. According to [98], the typical
power consumption of PXA255 in active and idle modes are 411 and 121 mW, respectively.
It was reported in [99] that it takes 752 ms to compute the Tate pairing with parameters
similar to ours on a 32-bit ST22 smartcard microprocessor at 33 MHz. Scaling linearly with
clock frequency, the computation of the Tate pairing on the PXA255 roughly needs $33/400 \times 752 \approx 62.04$ ms, and
at the 411 mW active-mode power the energy consumption $E_p$ is approximately $0.411 \times 0.06204 \approx 25.5$ mJ.
Overhead analysis. For an authentic report forwarded along a ξ-hop path, LTE
statistically involves ξps filtering operations, while it takes only one filtering operation to
detect and dump a bogus report. A filtering operation requires one exponentiation in G2,
one hash function evaluation and two evaluations of the Tate pairing. Due to the stationarity
of sensor nodes, each sensor is more likely to forward reports from the same set of cells. As
a result, each node can evaluate a limited set of values e(H(m ‖ n), Wpub) beforehand,
each corresponding to a potential cell from which a report may come. By doing so,
one of the pairing evaluations can be eliminated. As noted in [95], the pairing evaluation
by far takes the most running time of a filtering operation. Thus, for the sake of simplicity,
we use Ep to approximate the energy consumption of an enroute filtering operation.
[Figure 5–3 plot omitted: normalized energy consumption (J) versus bogus traffic ratio ρ, curves Esum and E′sum]
Figure 5–3: The comparison of Esum and E′sum as a function of the bogus traffic ratio ρ,
where ξ = 50 and the optimal ps’s are used.
Our LTE requires each report to carry a threshold-endorsement of the form (Υm,n, h(Λ ‖ θ))
in addition to the normal fields. Since Υm,n is a point of E/Fp, only one of its X and
Y coordinates needs to be transmitted because the other can be easily derived using the
curve equation, resulting in an overhead of 512 bits. Also assume that the hash function
h is implemented using SHA-1 [16] with a 20-byte output. Then the total packet overhead
introduced by LTE is Lo = 84 bytes to achieve a level of security equivalent to that of
1024-bit RSA.
Energy savings. Our LTE aims to save the energy of intermediate nodes along
the forwarding path to the sink through its early detection and dropping of bogus data
reports. On the other hand, the introduced packet overhead and the probabilistic enroute
filtering operations incur both communication and computation energy consumption. In the
following, we employ a similar model to that of [75] to analyze the energy savings caused by
LTE. For the sake of simplicity, we ignore the energy consumption of the report generation
process, which is considered to be negligible as compared to that of transmitting it to the
distant sink.
We denote by Etr the hop-wise energy consumption for transmitting and receiving one
byte. As reported in [100], a Chipcon CC1000 radio used in Crossbow MICA2DOT motes
consumes 28.6 and 59.2 µJ to receive and transmit one byte, respectively, at an effective
data rate of 12.4 kb/s. Thus, we have Etr = 87.8 µJ, which is used as an exemplary value
throughout our evaluation.
We also denote by Ln the byte length of an original data report without using LTE,
and by ξ the average number of hops an original report travels towards the sink. To simplify
our evaluation, we assume that Ln is fixed to be 256 bytes. We further assume that the
ratio of legitimate data traffic to bogus data traffic is 1 : ρ and ρ is called the bogus traffic
ratio hereafter. As mentioned before, our LTE spends ξps filtering operations in verifying
an authentic report, while merely one filtering operation to sift a bogus report. Let Esum
and E′sum be the normalized energy consumed to deliver all the traffic without and with
LTE in place, respectively. Then we have
$$E_{sum} = L_n E_{tr}\,\xi\,(1+\rho), \qquad (5.7)$$

and

$$
\begin{aligned}
E'_{sum} &= (L_n + L_o)E_{tr}(\xi + \rho\mu) + (\xi p_s + \rho)E_p \\
&= (L_n + L_o)E_{tr}\left(\xi + \frac{\rho}{p_s}\right) + (\xi p_s + \rho)E_p \\
&\ge (L_n + L_o)E_{tr}\,\xi + \rho E_p + 2\sqrt{(L_n + L_o)E_{tr}\,\rho\,\xi\,E_p}, \qquad (5.8)
\end{aligned}
$$

with equality if and only if $p_s = \sqrt{\dfrac{(L_n + L_o)E_{tr}\,\rho}{\xi E_p}}$.
Fig. 5–3 compares Esum with E′sum, where the optimal ps’s are used and ξ = 50. We
can see that Esum increases dramatically along with the increase of bogus data reports,
while E′sum always maintains a rather stable level. The reason is that most bogus reports
can be detected and dropped during their early transmission stages with LTE in place. In
addition, when there is no bogus traffic, our LTE increases the energy consumption by about
32 percent due to the introduced packet overhead. However, once the bogus traffic starts
to exceed the legitimate traffic, LTE delivers increasingly significant energy savings.
For example, when ρ = 2 and 5, our LTE saves more than 37 and 63 percent of energy,
respectively.
In most WSN applications, data delivery is event-driven and legitimate traffic occurs
only when some events of interest appear in the sensor field. In contrast, to increase the
impact of their attacks, adversaries often inject into the network a large amount of bogus
traffic, which is often several orders of magnitude greater than that of legitimate traffic [75].
[Figure 5–4 plot omitted: normalized energy consumption (J) versus bogus traffic ratio ρ, curves Esum and E′sum for ps = 0.1, 0.2 and 0.3]
Figure 5–4: The comparison of Esum and E′sum as a function of the bogus traffic ratio ρ,
where ξ = 50 and non-optimal ps’s are used.
Our LTE is particularly useful for these scenarios in saving a great deal of energy by early
filtering bogus data reports.
In reality, it is often difficult to obtain an accurate estimate of the bogus traffic ratio
ρ. Therefore, to some extent, Fig. 5–3 reflects the upper-bound performance of our LTE.
There are two possible ways to approach this upper bound. In the first approach, the sink
estimates the current ρ based on the received reports and possible alarms from sensor nodes.
It then derives the optimal sampling probability ps, which is conveyed to sensor nodes using
a µTESLA-like [96] broadcast authentication protocol. The other approach is for each node
itself to estimate the ρ as the ratio of bogus traffic to legitimate traffic in the total traffic
sampled during a certain period. Then it can compute the new ps locally optimal to itself.
Even without using an optimal ps, the energy savings resulting from our LTE are
still remarkable. Fig. 5–4 depicts the case in which non-optimal values of ps are used. The
advantages of using our LTE are quite obvious under all three sampling probabilities.
Another observation is that, when ρ becomes larger, ps should be increased as well in
order to filter bogus data reports as early as possible. Likewise, the new ps can either be
determined by the sink as a network-wide common value, or be decided individually by
each node based on its local observations.
[Figure 5–5 plot omitted: normalized energy consumption (J) versus average path length ξ (hops), curves Esum and E′sum]
Figure 5–5: The comparison of Esum and E′sum as a function of the average path length ξ,
where ρ = 2 and ps = 0.2.
Next we investigate the impact of the average path length ξ on the energy-saving
performance of LTE. As can be seen from Fig. 5–5, the further the originating cells of
bogus data reports are from the sink, the more energy savings our LTE can achieve.
We note that adversaries may inject bogus data reports to consume the energy resources of
the nodes that are only several hops away from the sink. For this case, our LTE might not
achieve the desirable objective because the energy savings from early filtering bogus reports
may be offset by the energy consumption incurred by our scheme. However, bogus reports
injected in the distant cells away from the sink are much more detrimental than those
injected in the sink’s vicinity because their transmissions involve many more intermediate
nodes. In addition, we believe that it is much easier for the sink to detect the bogus data
injection attack mounted in its vicinity than in the distant cells.
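The energy model of Eqs. 5.7 and 5.8, together with the optimal ps, the fixed-ps case of Fig. 5–4 and the path-length case of Fig. 5–5, carried through in Python as an added example (not code from the dissertation). It uses the exemplary values given in the text (Ln = 256 bytes, Lo = 84 bytes, Etr = 87.8 µJ, Ep = 25.5 mJ, ξ = 50) and assumes, as the substitution ρμ → ρ/ps in Eq. 5.8 implies, that a bogus report travels 1/ps hops on average before it is filtered.

```python
"""Energy model of LTE en-route filtering (Eqs. 5.7 and 5.8).

Constructed example; parameter values are the exemplary ones from the text.
"""
import math

L_N = 256          # bytes per original data report
L_O = 84           # LTE overhead: 512-bit curve coordinate + 20-byte SHA-1 digest
E_TR = 87.8e-6     # J per byte per hop: 28.6 uJ receive + 59.2 uJ transmit (CC1000)
E_P = 25.5e-3      # J per Tate pairing on a PXA255 (411 mW x 62.04 ms)
XI = 50            # default average path length in hops


def e_sum(rho, xi=XI, l_n=L_N, e_tr=E_TR):
    """Eq. 5.7: energy to deliver all traffic without LTE.

    Without filtering, legitimate and bogus reports alike travel all xi hops.
    """
    return l_n * e_tr * xi * (1 + rho)


def e_prime_sum(rho, p_s, xi=XI, l_n=L_N, l_o=L_O, e_tr=E_TR, e_p=E_P):
    """Eq. 5.8 with a given sampling probability p_s.

    Assumption (implied by the substitution rho*mu -> rho/p_s in Eq. 5.8):
    every hop checks a report with probability p_s, so a bogus report is
    forwarded 1/p_s hops on average before one filtering operation drops it.
    An authentic report costs xi*p_s filtering operations over its xi hops.
    """
    if rho == 0:
        bogus_hops = 0.0      # no bogus traffic, so p_s = 0 is allowed
    else:
        if not 0 < p_s <= 1:
            raise ValueError("p_s must lie in (0, 1] when bogus traffic exists")
        bogus_hops = rho / p_s
    communication = (l_n + l_o) * e_tr * (xi + bogus_hops)
    computation = (xi * p_s + rho) * e_p
    return communication + computation


def optimal_p_s(rho, xi=XI, l_n=L_N, l_o=L_O, e_tr=E_TR, e_p=E_P):
    """Equality case of the AM-GM bound in Eq. 5.8 (may exceed 1 for large rho)."""
    return math.sqrt((l_n + l_o) * e_tr * rho / (xi * e_p))


def e_prime_lower_bound(rho, xi=XI, l_n=L_N, l_o=L_O, e_tr=E_TR, e_p=E_P):
    """Right-hand side of the inequality in Eq. 5.8."""
    a = (l_n + l_o) * e_tr
    return a * xi + rho * e_p + 2 * math.sqrt(a * rho * xi * e_p)


def energy_saving(rho, p_s=None, xi=XI):
    """Fraction of energy LTE saves relative to no filtering (negative = net cost).

    With p_s=None the optimal sampling probability is used, capped at 1.
    """
    if p_s is None:
        p_s = min(1.0, optimal_p_s(rho, xi))
    return 1 - e_prime_sum(rho, p_s, xi) / e_sum(rho, xi)


if __name__ == "__main__":
    # Fig. 5-3: optimal p_s, xi = 50
    for rho in (0, 1, 2, 5, 10):
        print(f"rho={rho:2d}  optimal p_s={optimal_p_s(rho):.3f}  "
              f"saving={energy_saving(rho):+.1%}")
    # Fig. 5-4: fixed, non-optimal p_s
    for p_s in (0.1, 0.2, 0.3):
        print(f"p_s={p_s}  rho=5  saving={energy_saving(5, p_s):+.1%}")
    # Fig. 5-5: varying path length, rho = 2, p_s = 0.2
    for xi in (5, 10, 20, 50, 100):
        print(f"xi={xi:3d}  rho=2  p_s=0.2  saving={energy_saving(2, 0.2, xi):+.1%}")
```

Short paths near the sink give a negative saving, which is the case the text flags where the packet overhead outweighs the benefit of early filtering.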
5.6 Related work
Recent years have witnessed growing interest in sensor network security. Due to space
limitations, here we merely discuss prior art that is more germane to this chapter.
How to set up a pairwise shared key between two sensors is a topic which by far has
attracted extensive attention. As a pioneering solution, Eschenauer and Gligor propose a
probabilistic key pre-distribution scheme [78]. The main idea is to preload each sensor with
a random subset of keys from a global key pool in a way that any two nodes can share at
least one common key with a certain probability. This scheme has been improved later by
several other proposals such as [79, 80, 81] in terms of network connectivity, memory usage
and resilience against node compromise, among others. Unfortunately, these probabilistic
schemes suffer from a few drawbacks that may limit their potential in large-scale WSNs
demanding a high level of security.
First of all, as noted in [101], these schemes are vulnerable to node compromise attacks
in that adversaries who compromised sufficiently many nodes could also obtain a
large fraction of pairwise keys shared between non-compromised nodes. Second, they are
subject to all the attacks discussed in Section 5.4. Third, they are designed to establish
pairwise shared keys among neighboring nodes. As a result, they are both inefficient and
insecure in setting up a pairwise key shared between two non-neighboring nodes or two
neighboring nodes without a priori shared knowledge. Fourth, most of them fail to provide
secure neighborhood authentication, which is a prerequisite for guaranteeing link-level
security. Although the random pairwise keys scheme in [79] offers mutual authentication
between two neighbors having a pre-loaded pairwise key, the resulting cost is a much
restricted supportable network size [74]. Fifth, these schemes all have an upper limit on the
network size and often require each node to store tens or even hundreds of keys, leading to
poor network scalability. Last, none of them supports non-repudiation of
digital signatures, which is one of the fundamental security requirements.
As compared to the above schemes, our schemes enable deterministic, secure and efficient
establishment of a shared key between any two network nodes, be they immediate
neighbors or multiple hops apart. Our IPK and MPK establishment methods both have
perfect resilience against node compromise because of their reliance on the private LBKs of
individual nodes. In addition, our schemes can not only limit the impact of compromised
nodes to their vicinity, but also withstand other notorious attacks like those mentioned in
Section 5.4. Moreover, our schemes provide secure location-based neighborhood authentication
and support non-repudiation of digital signatures. Furthermore, our schemes merely
require each node to memorize its own IBK and LBK, and allow the addition of an arbitrary
number of new nodes.
Some other proposals [82, 83, 84, 85] propose to use the known deployment information
to facilitate more secure and efficient pairwise key establishment. These solutions still
belong to the category of the probabilistic schemes, thereby suffering from either some or
even all of the aforementioned drawbacks. In addition, concrete geographic locations of
individual nodes are not used in any of them. More recently, Lazos et al. [102] present a
location-based solution to deal with the wormhole attack. This solution addresses neither
the establishment of multi-hop pairwise keys, nor the issue of node addition (or the network
scalability issue).
Aside from the probabilistic schemes, another notable work called LEAP is proposed
by Zhu et al. in [90]. In LEAP, each node is preloaded with a global shared secret, through
which it can authenticate neighboring nodes and establish pairwise shared keys with them
once deployed. However, the MPK establishment method of LEAP suffers from both the
significant communication overhead and the vulnerability to the compromise of intermediate
nodes. In addition, LEAP does not support non-repudiation of digital signatures.
We are aware of two existing solutions to the bogus data injection attack, namely, SEF
[75] and IHA [76]. Both schemes can achieve the same objective of energy savings as our
LTE by detecting and dropping bogus reports as early as possible. However, adversaries who
compromised nodes carrying keys from t different key partitions can render SEF completely
useless, as noted in [75]. Likewise, IHA breaks down once adversaries compromise over t
nodes and thus are able to forge data reports seeming to originate from arbitrary network
locations. In a large-scale WSN with many more than t nodes, however, it seems unlikely
to prevent adversaries from compromising over t nodes. In addition, IHA suffers from the
considerable communication overhead in maintaining the per-route interleaved structure of
nodes as compared to both SEF and our LTE. By comparison, our LTE is able to localize
the impact of compromised nodes to their vicinity due to its location-dependent nature.
It can tolerate the compromise of up to (t − 1) nodes holding cell-key shares of the same
cell and thus many more nodes regarding the whole network. Therefore, our LTE exhibits
much better compromise-tolerant performance than both SEF and IHA.
There is much other related work in sensor network security. Carman et al. [103]
investigate the performance of a number of key management schemes over different hardware
platforms. Basagni et al. [77] utilize tamper-resistant hardware in periodically updating
the key shared by all the nodes. Perrig et al. [96] propose SNEP, a protocol for data
confidentiality and two-party data authentication, and µTESLA, a protocol for broadcast
data authentication. µTESLA is further improved by Liu and Ning in [104]. Przydatek et
al. [105] construct efficient random sampling mechanisms and interactive proofs to ensure
secure information aggregation in WSNs. Karlof and Wagner [73] discuss various attacks
against existing sensor network routing protocols and point out some possible solutions.
Newsome et al. [74] analyze in detail the impact of the Sybil attack on sensor networks and
propose several defenses.
5.7 Discussion
In this section, we discuss the use of symmetric-key vs. public-key cryptography (PKC)
in WSNs.
It was a common belief that PKC is too complex, slow and power hungry, and thus
ill-suited for use in resource-constrained WSNs. For this reason, PKC has often been ruled
out for securing WSNs and most previous proposals such as [78, 79, 80, 81, 82, 83, 84, 85]
are purely based on symmetric-key cryptography. However, many researchers [106, 107,
108, 109, 100] have recently challenged this belief by showing that traditional PKC such as
RSA or elliptic-curve cryptography is rather viable in WSNs.
Moreover, we have mentioned previously that the pure symmetric-key solutions have
a number of drawbacks due to the inherent limitations of symmetric-key cryptography. In
addition, they may not be so energy efficient as they are claimed to be. For example,
most of the probabilistic key pre-distribution schemes such as [78, 79, 80, 81] require a
secure “puzzle-solving” method to set up a shared key between two neighboring nodes. In
particular, one node broadcasts a key-discovery message containing a challenge α and m
ciphertexts {α}_{k_i} for i = 1, ..., m, where k_i is a potential pairwise key the other node may
have. If the other node can correctly decrypt any of the m ciphertexts, it can establish
a pairwise key with the broadcasting node. Since there are often several tens or even
hundreds of potential pairwise keys, the total energy consumption caused by communication
and symmetric-key encryption and decryption operations may already be higher
than that of a public-key solution. Therefore, we believe that it is both necessary and
feasible to design public-key solutions for security-sensitive WSNs to establish shared keys
for subsequent use with efficient symmetric-key algorithms.
Our proposed schemes are public-key solutions built upon the pairing-based IBC, which
is more appropriate than traditional PKC for WSNs. Therefore, our schemes eliminate the
need for transmitting and verifying conventional public-key certificates. As an emerging
technique, IBC is under rapid development. For example, according to the recent result
in [23], the Tate pairing can be evaluated up to 10 times faster than previously reported
implementations. We have also been aware of the efficient hardware implementations of the
Tate pairing on smartcards [99], PDAs [110] and FPGAs [111]. The real implementation of
the pairing on sensor node hardware is part of our ongoing work.
5.8 Summary
To counteract the impact of compromised nodes, this chapter presents a comprehensive
set of location-based compromise-tolerant security mechanisms for WSNs. We first propose
the notion of location-based keys (LBKs) by binding private keys of individual nodes to both
their IDs and concrete geographic locations. We then develop an LBK-based neighborhood
authentication protocol which is able to constrain the impact of compromised nodes to their
vicinity. We also present efficient methods to set up pairwise shared keys between any two
network nodes, be they direct neighbors or multi-hop away. In addition, we demonstrate
the capability of LBKs in withstanding some notorious attacks against WSNs. Moreover,
we design a location-based threshold-endorsement scheme (LTE) to filter bogus traffic
injected by adversaries during its early transmission stages. The remarkable energy savings
resulting from LTE have been confirmed by detailed performance evaluation.
As future research, we plan to evaluate the performance of the proposed schemes
on real sensor platforms. We also intend to further investigate the potential applications of
LBKs in WSNs, such as misbehavior detection, secure distributed storage, secure routing,
and target tracking.
CHAPTER 6
ATTACK-RESILIENT SECURE AUTHENTICATION AND BILLING IN WIRELESS MESH NETWORKS
6.1 Introduction
Wireless mesh networks (WMNs) are increasingly recognized as ideal solutions to ubiquitous
last-mile high-speed Internet access. A typical WMN has a layered structure, as
shown in Fig. 6–1. The first layer consists of access points (APs) which are high-speed
wired Internet entry points. At the second layer, stationary mesh routers form a multi-hop
backbone via long-range high-speed wireless techniques such as WiMAX [112]. The wireless
backbone connects to wired APs at some mesh routers through high-speed wireless links. It
provides multi-hop wireless backhaul between wired APs and mesh clients (i.e., end users)
at the lowest layer.1 Mesh clients, while at rest or in motion, can access the network
either by a direct wireless link to a nearby mesh router or by a chain of other clients to a
mesh router out of reach. WMNs represent a unique marriage of the ubiquitous coverage
of wide-area cellular networks with the ease and the speed of local-area Wi-Fi networks.
Other notable advantages of WMNs include low deployment costs, self-configuration and
self-maintenance, good scalability, high robustness, and so on [1]. Consequently, WMNs
have sparked a surge of research, development and standardization activities, for which we
refer to [1] for a comprehensive survey. Numerous commercial and experimental WMNs
have been in use or are under development all over the world, ranging from metro-scale
broadband city networks [113] to medium-scale and small-scale community and neighborhood
networks [114, 115, 116].
Security is one of the main barriers to wide-scale deployment of WMNs, but has gained
little attention so far. The necessity for security in large-scale WMNs can be best illustrated
1 We use “client” and “user” as synonyms throughout the chapter. We will not distinguish the user and the device either.
[Figure 6–1 diagram omitted: Internet; access points; mesh routers; mesh clients; wired and wireless connections]
Figure 6–1: A typical three-tiered wireless mesh network architecture.
by the following example. Suppose David wishes to retrieve some important documents from
his corporate network back in Miami via a local WMN in Philadelphia where he is on a
business stay. On the one hand, the serving WMN has to corroborate the identity of David
to avert fraudulent use of network resources; on the other hand, David might as well want
to authenticate the serving WMN to prevent an attacker from impersonating a legitimate
WMN to obtain confidential information from him. Other security concerns may include
the location privacy of David, passive eavesdropping, denial-of-service (DoS) attacks, and
so forth. We will dwell on the security requirements of WMNs in Section 6.2.1.
The security of nomadic users and the serving wireless networks has been studied
extensively in the past. Elegant solutions are available in the contexts of Global System
for Mobile Communications (GSM) [117], Personal Communication Systems (PCSs) [118],
Universal Mobile Telecommunication System (UMTS) [119, 120], and Mobile IP networks
[121], among others. Despite their differences in specifics, these schemes all depend on a
home/foreign-domain model. Specifically, each user has a home network domain where he2
is registered on a long-term basis and account information is maintained. Each time the user
roams into a foreign network domain, his home domain is contacted for his credentials to
authenticate him. Subsequently, the foreign domain reports the amount of service assessed
2 No gender implication.
by the user to his home domain which, in turn, pays the foreign domain and charges the user
an amount commensurate with his usage. We argue that such solutions are less suitable for
future large-scale WMNs due to at least the following reasons.
First, a bilateral service level agreement (SLA) has to be set up between each pair of
network operators to permit user roaming between them. Establishing such SLAs may be
a relatively easy task in cellular networks where the operators are comparatively limited
in number. Due to the easy-deployment nature of WMNs, however, the future large-scale
WMNs are expected to comprise numerous WMN domains, each administered by an
independent operator [1]. Unlike a cellular operator often of a nation-wide or larger scale,
a WMN operator may be on a community, section, metro or larger scale. Consequently,
the number of WMN operators will be much larger than that of cellular operators. This
renders it less feasible to establish pairwise bilateral SLAs among them.
Second, the above solutions all involve a potentially time-consuming and expensive
execution of an authentication protocol among a user, his home domain and the foreign
domain. As the user base grows large, the overall network authentication signalling overhead
would be significant. In addition, in view of the high-speed wireless link, the authentication
latency may be unacceptable for some short-lived data applications. Assume, for example,
that a mesh client connects to a mesh router via an 802.11a/g link with a raw rate up to
54 Mb/s. It may take the client just a couple of seconds to download several tens of MP3
music files. This makes it highly desirable to minimize the authentication delay.
Third, under conventional solutions, mesh routers will become very attractive targets
and network entry points for DoS or distributed DoS (DDoS) attacks. For example, an
attacker continuously sends fake authentication requests to a mesh router which, in turn,
has to contact the home domains of the impersonated or even non-existent users. If lots of
collusive attackers launch this type of attack simultaneously, the resulting authentication
signalling traffic will severely interfere with normal network signalling and data traffic.
Last, conventional solutions fail to take into consideration the multi-hop communication
paradigm featured by WMNs, as well as the communication security among mesh
clients within the coverage of the same mesh router.
The limitations of conventional solutions necessitate the development of a brand-new
security architecture to cope with the unique requirements of WMNs. In this chapter, we
answer this important open question affirmatively by proposing UPASS, a secure authentication
and billing architecture to enable seamless roaming and ubiquitous network access
in future large-scale multi-hop WMNs. UPASS stems from an all-too-familiar scenario in
real life. A user first applies for a credit card with a bank whereby to buy goods at any
merchant accepting credit cards. Merchants need not establish agreements with each other,
but just need to have a trust relationship with one or a few banks that accept payments
from credit-card users and pay merchants. If we regard each merchant as a distinct WMN
domain, the consumption of a user at different merchants can be viewed as his roaming
across various WMN domains. This natural analogy motivates us to adopt the sophisticated
credit-card-based business model whilst designing UPASS.
The players in UPASS are brokers, users and WMN operators whose relationship is
analogous to that among a bank, a credit-card user and a merchant. Each user acquires a
universal pass from a broker whereby to enjoy ubiquitous WMN access. Once it has authenticated
a pass, a WMN operator can grant access to the pass holder without fear of not being
paid later. As compared to conventional home/foreign-domain solutions, UPASS does not
require WMN operators to establish pairwise bilateral SLAs. Rather, each WMN operator
merely needs to have an agreement with one or a few brokers whose quantity is considered
much smaller than that of global WMN operators. In addition, mutual authentication and
key agreement (AKA) between a mesh client and the serving WMN domain just involve
local interactions without the realtime involvement of the corresponding broker. This is
particularly beneficial for reducing authentication signalling overhead and latency.
Furthermore, UPASS supports efficient pairwise AKA among mesh clients present in the same
WMN domain. UPASS is also designed to be resilient to various attacks, including the
location privacy attack, the denial-of-access attack, the bogus-beacon flooding attack, and
the bandwidth-exhaustion attack.
As far as we know, our UPASS is the first attempt to address the security of WMNs. It
provides a solid foundation on which to solve other security issues in WMNs such as secure
routing and medium access control (MAC). Since the research and development of WMNs
are still in their very early stage, we believe that UPASS has a high potential of becoming
an important component of future large-scale WMNs.
The rest of this chapter is organized as follows. Section 6.2 describes the unique security
requirements of WMNs and the attacker model under consideration. Next, we present the
network architecture and some system models, followed by a detailed illustration of the
AKA process. In Section 6.5, we identify a few severe attacks against WMNs and provide
the related countermeasures. Section 6.6 presents an incontestable billing scheme. We then
discuss several other important issues in Section 6.7 and summarize this chapter.
6.2 Preliminaries
6.2.1 Security Requirements of WMNs
Throughout the chapter, we refer to the combination of the multi-hop wireless backbone,
the wired APs and any other WMN operator equipments, as the infrastructure. We
also use the term “mesh” to indicate a subnet comprising a mesh router and its covered mesh
clients. From a high-level point of view, we identify the following security requirements of
WMNs:
• Infrastructure security: This means the security of signalling and data traffic transmitted over the infrastructure.
• Network access security: This indicates the communication security between a mesh client and a mesh router. It may also involve the communication security among mesh clients served by the same mesh router, if the route between a client and a router is in multiple hops.
• Application security: This refers to the security of mesh clients’ concrete data applications.
Among them, infrastructure security is relatively easy to achieve since the infrastructure
is under the full control of a WMN operator and the network elements of the
infrastructure are typically stationary. Application security can also be easily achieved via
high-layer security mechanisms such as IPsec, TLS or VPNs. By contrast, network access
security is much more difficult to ensure than the other two. One major reason is that mesh
routers are designed to accept open access requests by most likely unknown mesh clients.
Other notable causes include open access to the wireless channels and the dynamic network
topology caused by the mobility of mesh clients. For lack of space, we focus on investigating
network access security in this work, and leave the exploration of the other issues as future
work.
With respect to network access security, we recognize the following specific require-
ments, which are, however, not necessarily a complete list:
1. Router-client authentication: A mesh router should authenticate a requesting client to
prevent unauthorized network access. The client should also authenticate the router
to shun bogus mesh routers of attackers.
2. Router-client key agreement : The mesh router and the client should establish a shared
key to encrypt and authenticate radio messages transmitted between them.
3. Client-client authentication: This is required when one client forwards another’s traffic
to and from the mesh router. In general, each client should only help other legitimate
ones to get proper remuneration later.
4. Client-client key agreement : If needed, two mesh clients should establish a shared key
whereby to encrypt and authenticate the traffic between them.
5. Location privacy : No entity other than a mesh client himself and a responsible location
management authority (if any) should know both the real identity and the current
location of the mesh client.
6. Signalling authentication: The signalling data broadcast by a mesh router should
always be authenticated to be distinguishable from those announced by an attacker.
7. Service availability : A mesh router must be protected from DoS attacks and offer
always available services.
8. Incontestable billing : A mesh client should just pay what he ought to pay, while
a WMN operator, as well as those clients forwarding traffic for others, receives the
amount commensurate with the offered service.
9. Secure routing : The routing protocol used inside a mesh should be secured against
attacks.
10. Secure MAC : The MAC protocol employed within a mesh must be resilient to attacks.
We do not have the ambition in this chapter to satisfactorily address all these require-
ments, but concentrate on solving the first eight issues. These efforts will offer a solid
foundation for addressing the remaining issues.
6.2.2 Attacker Model
We assume that an attacker has necessary hardware, such as a laptop equipped with a
wireless networking card, to overhear the radio transmissions and inject arbitrary messages.
The attacker may be much more capable than regular mesh clients in terms of memory,
energy supply, and communication and computation capacities. We, however, assume that
he cannot break any cryptographic algorithm on which we base our design. Otherwise, he
can obviously break any security mechanism in place.
An attacker can launch various attacks to jeopardize the fulfillment of the aforemen-
tioned security requirements. The simplest form of attack he can launch is to jam the
wireless medium by continuously broadcasting a large number of garbage packets. Such
radio jamming attacks are widely believed to be not addressable through cryptographic
means alone [122]. One possible non-cryptographic solution is for a WMN operator to use
some specialized instruments to locate the radio jamming source and then resort to law en-
forcement agencies for assistance in catching the attacker. We also refer interested readers
to [122] for other countermeasures against the radio jamming attack. For the purpose of
this chapter, however, we will not touch on this attack any more.
6.3 System Models and Notation
In this section, we present the network, trust and pass models adopted in our UPASS,
as well as the notation used.
6.3.1 Network Model
Future large-scale WMNs are expected to consist of a large number of WMN domains of
different scales. Each WMN domain is operated by an independent operator and composed
of a certain number of meshes, either physically adjacent or non-adjacent. For example, a
WMN operator may own meshes in multiple cities or only in one city section. WMN domains
may overlap with each other, and whether or not neighboring domains are connected solely
depends on operator policies.
In general, a mesh router has much more powerful computation and communication
capacities and abundant other resources than regular mesh clients. It is, therefore, rea-
sonable to assume that a mesh router sends packets in one hop to all mesh clients in its
coverage. By contrast, a mesh client may transmit packets in one hop or multiple hops
to a mesh router within or beyond his transmission range. As noted in [123], a single-hop
downlink can be highly beneficial. First, mesh clients can save their scarce energy, as there
is no need to relay downlink packets. Second, a single-hop downlink can greatly facilitate
the transmissions of control signalling packets from the mesh router to all mesh clients.
Last, it renders the radio resource allocation performed by the mesh router much easier to
implement. Note, however, that our UPASS can be easily extended for use in symmetric
WMNs with both multi-hop uplinks and downlinks.
It is worth pointing out that communications to and from a mesh router will be the
major traffic pattern within a mesh. This is in line with the target use of WMNs, namely,
relaying end users’ traffic to and from the wired Internet. Such a unique traffic pattern
would significantly reduce the routing complexity from mesh clients’ point of view. The
reason is that they only need to maintain a route to the mesh router instead of one route
to each other client in the same mesh.
To make UPASS independent of the underlying network implementations, we do not
specify the MAC and routing protocols in use. Interested readers are referred to [1] for a
detailed survey of candidate schemes.
6.3.2 Trust Model
The trust model of our UPASS is composed of a number of trust domains, each managed
by a broker or WMN operator. To enjoy ubiquitous WMN access, each mesh client has
to first register with at least one broker which, in turn, issues an electronic universal pass
to the client. If enrolling in more than one broker, a client may accordingly own multiple
passes. Each WMN operator is also required to have a trust relationship with one or a
few brokers. It will grant network access to mesh clients holding valid passes issued by
its trustable broker(s). In fact, one may view brokers as regular banks with which both
mesh clients and WMN operators have opened accounts. We assume that brokers are fully
trustable by both clients and operators, but a client and an operator usually do not place
full trust in each other.
The above trust model fits in well with ubiquitous Internet access via WMNs. Mesh
clients see the advantage of being able to get on-demand network access by any WMN
operator. The operators are relieved from the heavy burden of establishing pairwise bilateral
SLAs with potentially many other operators. Instead, each of them just needs to have a
trust relationship with certain broker(s) whose quantity is considered much smaller than
that of WMN operators. Furthermore, the operators have all mesh clients as potential
customers, which is in contrast to the home/foreign-domain model where a user is locked to
a specific operator once signing an agreement. The brokers can make profits by deducting
fees from an operator’s credit or adding fees to a client’s charge. They may also impose
entry or subscription fees to mesh clients and operators for participation in their trust
systems.
6.3.3 Notation
We denote by $B_i$ and $O_i$ the $i$th broker and WMN operator, respectively. We use $C_{i,j}$
to indicate the unique identifier of client $j$ enrolled in $B_i$. Typically, $C_{i,j}$ is of a standard
format “userName@brokerName” [124]. In addition, $R_{i,j}$ refers to the unique identifier of
mesh router $j$ of $O_i$, which is of the same format “routerName@operatorName”. We indicate
by $PASS_{C_{i,j}}$ the pass of $C_{i,j}$ and by $K_{C_{i,j}}$ a pass-based key (pass-key for short), both issued
by $B_i$ to $C_{i,j}$. Likewise, $PASS_{R_{i,j}}$ and $K_{R_{i,j}}$ are used to denote the router pass and the
pass-key, respectively, which $R_{i,j}$ obtains from operator $O_i$. Furthermore, $(PASS^{O_i}_{C_{i,j}}, K^{O_i}_{C_{i,j}})$
refers to a temporary client (pass, pass-key) pair that $O_i$ issues to a served client $C_{i,j}$.
We will also use the following cryptographic primitives. $h_k(M)$ refers to the keyed
message integrity code (MIC) of message $M$ under key $k$, where $h$ indicates a fast one-way
hash function such as SHA-1 [16]; $\{M\}_k$ means encrypting message $M$ under key $k$ via a
symmetric-key algorithm; $E_{pk}(M)$ denotes an IBC encryption operation of message $M$ with
public key $pk$; $S_{sk}(M)$ indicates message $M$ with its IBC signature under private key $sk$.
We refer to [125] for a number of elegant IBC encryption and signature schemes.
6.3.4 Trust-Domain Initialization
A crucial issue in UPASS is the design of passes, through which a mesh client and
a serving WMN can achieve mutual authentication and key agreement. It is natural to
consider using digital certificates as passes. The most commonly-used X.509 certificate
[126] is, however, about 1 KB in length, which might translate to a significant bandwidth
overhead incurred in transmitting them. To make as short a pass as possible, we propose
to utilize the emerging IBC. For this purpose, we require the administrator of each trust
domain to perform the following domain-initialization operations:
1. Generate the pairing parameters $(q, G_1, G_2, e, P, H_1)$, where $P$ is a generator of $G_1$,
and $H_1$ is a hash function mapping given strings to non-zero elements in $G_1$.
2. Pick a random $\beta \in Z_q^*$ as the domain-secret whereby to compute a domain-public-key
as $P_{pub} = \beta P$.
We define the public trust-domain parameters as follows:
$$\text{domain-params} := \langle \text{group-params}, \text{domain-public-key} \rangle := \langle (q, G_1, G_2, e, P, H_1), P_{pub} \rangle$$
The domain administrator must keep β confidential, while making domain-params publicly
known. Like the Diffie-Hellman group parameters used in IPsec [127], group-params can be stan-
dardized by such organizations as IETF. This would make it possible to use a well-known
short index in place of group-params. In contrast, β and Ppub should be unique to each trust
domain. Also note that it is computationally infeasible to deduce β from the (P, Ppub) pair
because of the difficulty of solving the DLP in G1 (cf. Section 2.2.1).
It is a prerequisite in an IBC cryptosystem that two communication entities use
the same domain-params. This poses the demand for an assurance on the legitimacy of
domain-params, which is satisfied in UPASS via domain-params certificates. In particu-
lar, we assume that there is a trusted third party (TTP) with well-known domain-params
$\langle \breve{q}, \breve{G}_1, \breve{G}_2, \breve{e}, \breve{P}, \breve{H}_1, \breve{P}_{pub} \rangle$ and a private domain secret $\breve{\beta} \in Z^*_{\breve{q}}$. The TTP, for instance, can
publish its domain-params through its website. Upon request of a certificate for domain-params,
the TTP computes $\breve{\beta}\breve{H}_1(\text{domain-params})$ and returns it to the requesting domain administrator.
We refer to such a $\langle \text{domain-params}, \breve{\beta}\breve{H}_1(\text{domain-params}) \rangle$ pair as a domain-params
certificate. For ease of presentation, we indicate by domain-cert$_{O_i}$ and domain-cert$_{B_i}$ the
domain-params certificate of operator $O_i$ and broker $B_i$, respectively.
To validate a domain-cert, one just needs to check whether
$$\breve{e}(\breve{P}, \breve{\beta}\breve{H}_1(\text{domain-params})) = \breve{e}(\breve{P}_{pub}, \breve{H}_1(\text{domain-params})). \qquad (6.1)$$
The equation should hold for an authentic domain-cert because
$$\breve{e}(\breve{P}, \breve{\beta}\breve{H}_1(\text{domain-params})) = \breve{e}(\breve{\beta}\breve{P}, \breve{H}_1(\text{domain-params}))$$
by the bilinearity of $\breve{e}$ (cf. Section 2.2.1) and $\breve{P}_{pub} = \breve{\beta}\breve{P}$.
Our method of certifying domain-params is an application of the provably secure ID-
based short-signature scheme by Boneh et al. [128]. Another way to certify domain-params
is to rely on conventional public-key certificates. Such domain-params certificates can be
stored at some public directory from which they can be retrieved as needed. An alternative
way is to use the Domain Name System (DNS), where the domain-cert of each trust domain
is stored and distributed as part of its DNS record [129]. Also note that, in reality, the
root TTP may be replaced by a hierarchy of TTPs, similar to the traditional Public-Key
Infrastructure (PKI), in which a higher-level TTP certifies domain-params of each TTP at
the adjacent lower level. In this scenario, a conventional certificate-chain method [10] can
be used for verifying domain-params certificates generated by different TTPs. For clarity
and ease of presentation, however, we will just discuss the single TTP case in the rest of
this chapter.
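The domain-params certificate and the check of Eq. 6.1, as an added Python example that is not part of the dissertation. The pairing is replaced by the toy map e(a, b) = a·b mod q, which is bilinear and symmetric like a real pairing but reveals the domain secret by one division, so it illustrates the algebra only; the TTP seed and the domain-params strings are constructed placeholders.

```python
import hashlib

# Constructed toy stand-in for the TTP's pairing setting (illustration only, NOT secure):
# G1 is the additive group Z_q with generator P = 1, "scalar multiplication" is
# multiplication mod q, and the pairing is e(a, b) = a*b mod q.  The map is bilinear
# and symmetric exactly as a real pairing is, so Eq. 6.1 reads the same, but beta can
# be recovered from P_pub by a single division; a deployment needs an elliptic-curve pairing.
q = 2**255 - 19          # a prime; order of the toy group
P = 1                    # generator of the toy G1


def H1(s: str) -> int:
    """The TTP's hash H1: map a string to a non-zero element of G1."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big") % (q - 1) + 1


def e(a: int, b: int) -> int:
    """Toy bilinear map G1 x G1 -> Z_q."""
    return (a * b) % q


def ttp_setup(seed: str) -> dict:
    """TTP picks its domain secret beta and publishes P_pub = beta*P (seed stands in for randomness)."""
    beta = H1("ttp-secret:" + seed)
    return {"beta": beta, "P_pub": (beta * P) % q}


def certify(ttp: dict, domain_params: str) -> tuple:
    """TTP returns the domain-cert <domain-params, beta*H1(domain-params)>."""
    return domain_params, (ttp["beta"] * H1(domain_params)) % q


def verify_domain_cert(ttp_public: int, cert: tuple) -> bool:
    """Eq. 6.1: e(P, beta*H1(params)) == e(P_pub, H1(params)); needs only the TTP's public P_pub."""
    domain_params, sig = cert
    return e(P, sig) == e(ttp_public, H1(domain_params))


def demo() -> dict:
    """Certify one operator's domain-params and run the genuine and two failing checks."""
    ttp = ttp_setup("example-ttp")
    # Operator O1's domain-params: a standardised group index plus its own P_pub (constructed values).
    params_o1 = "group-params=toy-1;P_pub=" + str(H1("O1 public key"))
    cert_o1 = certify(ttp, params_o1)
    genuine = verify_domain_cert(ttp["P_pub"], cert_o1)
    # Same signature value, but the domain-params field was altered: H1 changes, Eq. 6.1 fails.
    altered = ("group-params=toy-1;P_pub=" + str(H1("other key")), cert_o1[1])
    altered_ok = verify_domain_cert(ttp["P_pub"], altered)
    # Genuine cert checked against a different TTP's P_pub: fails, as it should.
    other_ttp_ok = verify_domain_cert(ttp_setup("another-ttp")["P_pub"], cert_o1)
    return {"genuine": genuine, "altered": altered_ok, "other_ttp": other_ttp_ok}


if __name__ == "__main__":
    print(demo())
```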
6.3.5 Pass Model
There are three types of passes in UPASS: router passes (R-PASSes) issued by a WMN
operator to its mesh routers, client passes (C-PASSes) provided by a broker to the registered
clients, and temporary client passes (T-PASSes) given by a WMN operator to mesh clients
present in its domain. In this subsection, we focus on the issuance of R-PASSes and C-
PASSes, and defer the discussion on T-PASSes to Section 6.4.
Issuance of R-PASSes. We take operator Oi as an example to explain the issuance
of R-PASSes. Prior to network deployment, $O_i$ issues to each controlled router $R_{i,j}$ an R-
PASS $PASS_{R_{i,j}} := (R_{i,j}, \text{expiry-time})$ as well as a pass-key $K_{R_{i,j}} = \beta_{O_i} H^{O_i}_1(PASS_{R_{i,j}})$ which
$R_{i,j}$ keeps secret. Here, $\beta_{O_i}$ is operator $O_i$’s domain-secret, and $H^{O_i}_1$ is the hash function
specified in domain-params$_{O_i}$. The freshness of $PASS_{R_{i,j}}$ is controlled by the expiry-time field.
Oi should send to Ri,j a new (PASSRi,j ,KRi,j ) pair via a secure channel before its current
one expires. Depending on Oi’s security policies, (PASSRi,j ,KRi,j ) may be updated hourly,
daily, weekly, or even monthly. New pairs can be sent along with other domain-related
control signalling traffic to minimize the communication overhead.
In essence, (PASSRi,j ,KRi,j ) is a standard ID-based public and private key pair in
an IBC cryptosystem. Alternatively, PASSRi,j can be designed as a conventional public-
key certificate and KRi,j as the corresponding private key. As compared to a typical X.509
certificate of about 1 KB, our ID-based PASSRi,j has at most a few tens of bytes in size. The
main reason is that it retains the entity identifier and expiry-time parts of a certificate, while
dumping the most space-consuming fields, namely, a public key and the digital signature of
a certification authority (CA). The merits of such ID-based passes in facilitating efficient
entity authentication and key agreement will be seen more clearly in Section 6.4.
Issuance of C-PASSes. To enjoy ubiquitous WMN access, each client has to first
register with a desired broker, similar to applying for a credit card with a bank. Consider
broker Bi as an example. Upon a registration request from client j, Bi usually needs to
validate the client’s personal data such as his driver’s licence or social security number
(SSN), as well as checking his credit status. Bi may also ask for a security deposit as
required by its registration policy. Subsequently, Bi assigns to the applicant an identifier
Ci,j and a C-PASS in the form of
PASSCi,j := (Ci,j , expiry-time, otherTerms).
Here, expiry-time specifies the expiry time of PASSCi,j before which Ci,j has to renew it if
desiring to stay with Bi. Broker Bi may use the otherTerms field to name other terms and
conditions Ci,j should comply with. For instance, it may specify the per-day spending limit
of Ci,j at any WMN domain, or the list of WMN domains Ci,j is allowed to visit, which
have cooperative agreements with Bi.
In addition to $PASS_{C_{i,j}}$, the broker issues to $C_{i,j}$ a pass-key $K_{C_{i,j}} = \beta_{B_i} H^{B_i}_1(PASS_{C_{i,j}})$,
where $\beta_{B_i}$ is $B_i$’s domain-secret and $H^{B_i}_1$ is the hash function specified in domain-params$_{B_i}$.
Likewise, $(PASS_{C_{i,j}}, K_{C_{i,j}})$ is a standard ID-based public and private key pair. As with an R-
PASS, $PASS_{C_{i,j}}$ is much shorter than a conventional certificate realizing the same function-
alities, namely, having the same otherTerms field.
Protection and revocation of C-PASSes. Since router passes can be easily pro-
tected, here we only concentrate on protecting and revoking user passes. Client Ci,j may
store (PASSCi,j ,KCi,j ) in his often-used mobile device or on a USB drive to use it on multiple
devices if any. PASSCi,j can be made publicly known, while KCi,j must be kept confidential
to himself. There are many possible ways to protect KCi,j . An all-too-familiar method is
to ask Ci,j to enter a personal identification number (PIN) for each access to KCi,j .
It is possible that a careless client loses his (pass, pass-key) pair unprotected using the
PIN method. This occurs, for instance, when the client loses the mobile device or the USB
drive storing his secret pair. In that case, the client should report it immediately to the
broker and his liability should be limited accordingly, as it is for credit-card loss. However,
it should be noted that the loss of a client (pass, pass-key) pair would cause much less
severe consequences or financial loss than that of a credit card. The principal reason is
that C-PASSes are not designed for purchasing regular goods of possibly high values, but
specifically for buying Internet access services whose rates keep falling.
A broker can take further measures to minimize its financial risk. For example, if a
client repeatedly reports a (pass, pass-key) loss, it may refuse to issue him new secret pairs.
The broker may also specify a carefully-designed spending-limit in a C-PASS. Moreover,
the broker may use a short C-PASS validity period, say one day, and send to a client (e.g.,
via email) a new secret pair at the early morning of each day that is only valid for that day.
Furthermore, the broker can maintain a hot list of C-PASSes whose holders have reported
losses, or which are otherwise problematic. WMN operators can periodically download
the hot lists from the brokers during idle hours, and refuse to serve mesh clients whose
presented C-PASSes are on the hot lists. Although the last measure requires certain inter-
actions between WMN operators and brokers, it is an off-line method and still considered
much more lightweight than a conventional cellular-like method, where the foreign operator
has to perform realtime checking with a roaming user’s home operator about his account
status.
6.4 Authentication and Key Agreement (AKA)
In this section, we illustrate how to utilize R-PASSes and C-PASSes to realize both
router-client and client-client authentication and key agreement (AKA). We also distinguish
inter-domain AKA and intra-domain AKA. The former occurs when a client migrates from
one WMN domain to another, and the latter happens while a client makes his way from one
mesh to another of the same WMN domain. In addition, we make the usual assumption
that inter-domain migrations happen less frequently than intra-domain ones, and hence
inter-domain AKA occurs less frequently than intra-domain AKA.
6.4.1 Inter-Domain Authentication and Key Agreement
Without loss of generality, we take client C1,1 and mesh router R1,1 as an example to
explain the inter-domain AKA protocol, which works in the following three steps.
(A.1) $R_{1,1} \rightarrow *$ : $PASS_{R_{1,1}}$, domain-cert$_{O_1}$, $S_{K_{R_{1,1}}}(t_1, \text{OtherInfo})$
(A.2) $C_{1,1} \rightarrow R_{1,1}$ : $PASS_{C_{1,1}}$, $S_{K_{C_{1,1}}}(t_2)$
(A.3) $R_{1,1} \rightarrow C_{1,1}$ : $PASS^{O_1}_{C_{1,1}}$, $E_{PASS_{C_{1,1}}}(K^{O_1}_{C_{1,1}})$
Router R1,1 periodically broadcasts a beacon (A.1) via the single-hop downlink to
announce its presence. The beacon should at least include PASSR1,1 , domain-certO1 , and
a fresh timestamp t1 signed with its pass-key KR1,1 and used to defend against message
replay attacks [10]. The beacon may also contain other network service information such
as the current network access fee of O1.
The beacon can be received by all mesh clients in router R1,1’s coverage. Assume that
client C1,1 is currently served by a WMN domain other than O1. Upon receipt of (A.1), he
may choose to switch to O1 under certain conditions. For example, he may do so if R1,1
has a much stronger signal strength than the serving router, or the access fee of O1 is lower
than that of the serving operator. Supposing that is the case, C1,1 performs the following
operations in sequence:
1. Check whether the difference between t1 and his local clock time is within an acceptance window.³
2. Make sure that PASSR1,1 has not expired by examining its expiry-time field.
3. Validate domain-certO1 according to Eq. 6.1.
4. Use domain-paramsO1 to verify $S_{K_{R_{1,1}}}(t_1, \text{OtherInfo})$ with PASSR1,1 as the public key.
We need to stress that C1,1 just needs to execute step 3 once for operator O1. In other
words, knowing the authentic domain-paramsO1 enables him to verify the signatures of any
router of O1. If any of the checks fails, C1,1 considers the beacon bogus and ignores it.
Otherwise, he regards R1,1 as a legitimate router of O1 and then forms message (A.2),
including PASSC1,1 and a timestamp t2 signed under KC1,1 .
As for the uplink transmission of (A.2) to R1,1, there are two cases deserving consid-
eration. If R1,1 is within direct reach, C1,1 simply sends (A.2) to R1,1 via the single-hop
uplink. The more challenging case is when R1,1 is out of C1,1’s transmission range. A naive
solution is for C1,1 to ask clients between himself and R1,1, which have achieved mutual
authentication with and know an uplink route to R1,1, to help relay (A.2) to R1,1 in a
hop-by-hop fashion. This measure is, however, not quite realistic since intermediate clients
are generally reluctant to forward (A.2) because of the uncertainty of getting later remu-
neration from the as-yet unauthenticated C1,1. It may also introduce room for a special
type of DoS attack, in which an attacker continuously sends lots of faked versions of (A.2)
via innocent intermediate clients to R1,1.
Fortunately, we can deal with the second case by harnessing the transmit power control
capability of many mobile devices, i.e., the ability to vary the transmit power in steps. In
particular, the radio module of C1,1 should be able to automatically boost the transmit
power just enough to send (A.2) to R1,1 in one hop. During the post-authentication stage,
the transmit power can be reduced back to the normal level so that C1,1 may send packets
to R1,1 in multiple hops. In doing so, he can not only save his battery power, but also help
increase spatial concurrency and frequency reuse, as is shown in [130].
³ This can be a fixed-size time interval, e.g., 10 ms or 20 s, preset to account for the maximum message transit and processing time, plus clock skew.
Since brokers are relatively fewer in number, it is reasonable to assume that R1,1
can acquire and verify the domain-params certificates of all the brokers (including B1) in
advance. An alternative solution is to let C1,1 append domain-certB1 to (A.2). Once learning
the authentic domain-paramsB1, router R1,1 shall be able to verify the signatures by all the
registered clients of B1. Upon receiving (A.2), R1,1 first checks that PASSC1,1 is not on the
hot list of B1 (cf. Section 6.3.5). It then carries out actions analogous to what C1,1 did. If
all the inspections are successful, R1,1 determines that C1,1 is a legitimate registered client
of broker B1 it trusts.
After authentication of C1,1, router R1,1 contacts its domain administrator to acquire
the following data:
$$PASS^{O_1}_{C_{1,1}} := (C^{O_1}_{1,1}, \text{expiry-time}), \qquad K^{O_1}_{C_{1,1}} = \beta_{O_1} H^{O_1}_1(PASS^{O_1}_{C_{1,1}}).$$
$PASS^{O_1}_{C_{1,1}}$ will be the temporary pass (T-PASS) of C1,1 in domain O1, where $C^{O_1}_{1,1}$ is his
temporary identifier and expiry-time indicates the expiry time of $PASS^{O_1}_{C_{1,1}}$. Next, R1,1 sends
$PASS^{O_1}_{C_{1,1}}$ in plaintext and pass-key $K^{O_1}_{C_{1,1}}$ encrypted under public key PASSC1,1 to C1,1 in
message (A.3).
Upon receipt of (A.3), C1,1 first decrypts $K^{O_1}_{C_{1,1}}$ using his pass-key KC1,1 and then
checks that the equation
$$e_{O_1}(K^{O_1}_{C_{1,1}}, P_{O_1}) = e_{O_1}(H^{O_1}_1(PASS^{O_1}_{C_{1,1}}), P^{O_1}_{pub})$$
holds. Here, $e_{O_1}$, $P_{O_1}$ and $P^{O_1}_{pub}$ are extracted from domain-params$_{O_1}$. The check should succeed for a valid
$(PASS^{O_1}_{C_{1,1}}, K^{O_1}_{C_{1,1}})$ pair due to the following equations:
$$\begin{aligned}
e_{O_1}(K^{O_1}_{C_{1,1}}, P_{O_1}) &= e_{O_1}(\beta_{O_1} H^{O_1}_1(PASS^{O_1}_{C_{1,1}}), P_{O_1}) \\
&= e_{O_1}(H^{O_1}_1(PASS^{O_1}_{C_{1,1}}), \beta_{O_1} P_{O_1}) \\
&= e_{O_1}(H^{O_1}_1(PASS^{O_1}_{C_{1,1}}), P^{O_1}_{pub}).
\end{aligned}$$
The second line is due to the bilinearity of $e_{O_1}$, and the third line holds because $P^{O_1}_{pub} =
\beta_{O_1} P_{O_1}$. After a successful check, C1,1 saves $(PASS^{O_1}_{C_{1,1}}, K^{O_1}_{C_{1,1}})$ for subsequent use as his
temporary credential in domain O1. Router R1,1 and its domain administrator may record
the mapping between PASSC1,1 and $PASS^{O_1}_{C_{1,1}}$ if needed. We will soon show the usefulness
of such temporary credentials in both intra-domain client-router authentication and client-
client authentication.
After a successful three-way handshake, R1,1 and C1,1 can establish a shared key as
$$\begin{aligned}
K_{R_{1,1},C_{1,1}} &= e_{O_1}(K_{R_{1,1}}, H^{O_1}_1(PASS^{O_1}_{C_{1,1}})) \\
&= e_{O_1}(H^{O_1}_1(PASS_{R_{1,1}}), H^{O_1}_1(PASS^{O_1}_{C_{1,1}}))^{\beta_{O_1}} \\
&= e_{O_1}(H^{O_1}_1(PASS^{O_1}_{C_{1,1}}), H^{O_1}_1(PASS_{R_{1,1}}))^{\beta_{O_1}} \\
&= e_{O_1}(K^{O_1}_{C_{1,1}}, H^{O_1}_1(PASS_{R_{1,1}})) = K_{C_{1,1},R_{1,1}}.
\end{aligned} \qquad (6.2)$$
The above equations hold by the bilinearity and symmetry of eO1 (cf. Section 2.2.1). Here,
R1,1 (respectively, C1,1) derives the shared key using the first line (respectively, fourth line)
pairing computation. This key agreement method is first presented in [131], which shows
that the shared key will be exclusively known to the two entities establishing it. R1,1 and
C1,1 can then use the shared key to secure subsequent traffic between them via efficient
symmetric-key algorithms.
6.4.2 Intra-Domain Authentication and Key Agreement
Intra-domain authentication occurs when client C1,1 moves out of the coverage area of
R1,1 into that of another router of O1, say R1,2. The naive reuse of the inter-domain AKA
protocol is less efficient because the established trust relationship between R1,1 and C1,1 is
not exploited. Another option is to let R1,1 hand over the shared key KR1,1,C1,1 to R1,2 via
a secure channel. The purpose is to allow R1,2 and C1,1 to authenticate each other through
a classical symmetric-key challenge-response technique [10] based on KR1,1,C1,1 . Such an
approach would cause non-negligible processing burden and communication overhead on
mesh routers, especially when the user base is growing large. It is also insecure to constantly
use KR1,1,C1,1 or session keys derived from it to secure the communication between C1,1 and
multiple or even all mesh routers of O1.
Fortunately, possession of $(PASS^{O_1}_{C_{1,1}}, K^{O_1}_{C_{1,1}})$ enables C1,1 to fulfill AKA with R1,2 by
the following efficient protocol:
(B.1) $R_{1,2} \rightarrow *$ : $PASS_{R_{1,2}}$, domain-cert$_{O_1}$, $S_{K_{R_{1,2}}}(t_1, \text{OtherInfo})$
(B.2) $C_{1,1} \rightarrow R_{1,2}$ : $PASS^{O_1}_{C_{1,1}}$, $t_2$, $h_{K_{C_{1,1},R_{1,2}}}(t_1 \| t_2)$
Similar to (A.1), message (B.1) is a beacon periodically broadcast by R1,2 to its coverage
area. Upon receipt of it, client C1,1 learns from PASSR1,2 that R1,2 is possibly another router
of O1. He corroborates this by carrying out operations analogous to what he did in the
inter-domain AKA protocol. If all the inspections succeed, C1,1 regards R1,2 as a legitimate
router of operator O1, and then derives a shared key $K_{C_{1,1},R_{1,2}} = e_{O_1}(K^{O_1}_{C_{1,1}}, H^{O_1}_1(PASS_{R_{1,2}}))$.
Then he computes a MIC $h_{K_{C_{1,1},R_{1,2}}}(t_1 \| t_2)$ and sends it together with $PASS^{O_1}_{C_{1,1}}$ and $t_2$
to R1,2 in message (B.2). Here, $t_2$ is a fresh timestamp and $\|$ indicates concatenation.
Transmission of (B.2) can be realized in a way similar to that of (A.2).
Upon receiving (B.2), R1,2 first checks that $PASS^{O_1}_{C_{1,1}}$ has not expired and $t_2$ is fresh
enough. If so, it then computes a shared key as $K_{R_{1,2},C_{1,1}} = e_{O_1}(K_{R_{1,2}}, H^{O_1}_1(PASS^{O_1}_{C_{1,1}}))$.
According to Eq. 6.2, only if both C1,1 and R1,2 are legitimate are $K_{C_{1,1},R_{1,2}}$ and $K_{R_{1,2},C_{1,1}}$
equal to $e_{O_1}(H^{O_1}_1(PASS^{O_1}_{C_{1,1}}), H^{O_1}_1(PASS_{R_{1,2}}))^{\beta_{O_1}}$. Router R1,2 can make sure of this by
computing a MIC $h_{K_{R_{1,2},C_{1,1}}}(t_1 \| t_2)$. If the result matches what C1,1 sent, it regards
C1,1 as a legitimate client who has been authenticated by a peer router.
The intra-domain AKA protocol is more efficient than the inter-domain one in both
computation and communication. This is desirable because intra-domain AKA needs to be
done much more frequently than inter-domain AKA. Note that, if $PASS^{O_1}_{C_{1,1}}$ has expired,
C1,1 has to execute the inter-domain AKA protocol with R1,2.
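The T-PASS issuance and validity check, the Eq. 6.2 key derivation on both sides, and the router-side verification of message (B.2), as an added Python example that is not part of the dissertation. Here the pairing is the toy map e(a, b) = a·b mod q (bilinear and symmetric like a real pairing, but insecure, since it gives away the domain secret), the MIC h_k is taken to be HMAC-SHA256 under a SHA-256 digest of the pairing value, and the identifiers, clock values and 30-second acceptance window are assumptions.

```python
import hashlib
import hmac

# Constructed toy model of the pairing setting (illustration only, NOT secure):
# G1 is the additive group Z_q with generator P = 1, "scalar multiplication" is
# multiplication mod q, and the pairing is e(a, b) = a*b mod q.  It is bilinear and
# symmetric exactly as a real pairing is, so Eqs. 6.1 and 6.2 carry over verbatim,
# but beta is recoverable by one division; a deployment needs an elliptic-curve pairing.
q = 2**255 - 19          # a prime; order of the toy group
P = 1                    # generator of the toy G1
WINDOW = 30              # assumed acceptance window for timestamps, in seconds


def H1(s: str) -> int:
    """Map a string to a non-zero element of G1."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big") % (q - 1) + 1


def e(a: int, b: int) -> int:
    """Toy bilinear map."""
    return (a * b) % q


def domain_init(seed: str) -> dict:
    """Operator picks beta and publishes P_pub = beta*P (seed stands in for randomness)."""
    beta = H1("domain-secret:" + seed)
    return {"beta": beta, "P_pub": (beta * P) % q}


def issue_pass(beta: int, ident: str, expiry: int) -> tuple:
    """Issue (PASS, pass-key): PASS = (identifier, expiry-time), pass-key = beta*H1(PASS)."""
    pass_str = f"{ident}|{expiry}"
    return pass_str, (beta * H1(pass_str)) % q


def validate_pass(dom: dict, pass_str: str, key: int) -> bool:
    """Client-side check on a received (T-PASS, pass-key): e(K, P) == e(H1(PASS), P_pub)."""
    return e(key, P) == e(H1(pass_str), dom["P_pub"])


def shared_key(own_key: int, peer_pass: str) -> bytes:
    """Eq. 6.2: K = e(own pass-key, H1(peer pass)); both sides obtain beta*H1(a)*H1(b)."""
    return hashlib.sha256(e(own_key, H1(peer_pass)).to_bytes(32, "big")).digest()


def mic(key: bytes, t1: int, t2: int) -> bytes:
    """h_K(t1 || t2), realised as HMAC-SHA256 (an assumption of this example)."""
    return hmac.new(key, f"{t1}|{t2}".encode(), hashlib.sha256).digest()


def client_b2(tpass: str, tkey: int, router_pass: str, t1: int, t2: int) -> tuple:
    """Client side of (B.2): derive K_{C,R} from the beacon's R-PASS and attach the MIC."""
    return tpass, t2, mic(shared_key(tkey, router_pass), t1, t2)


def router_verify_b2(router_key: int, t1: int, msg: tuple, now: int) -> bool:
    """Router side of (B.2): expiry, freshness, then the MIC under K_{R,C}."""
    tpass, t2, tag = msg
    expiry = int(tpass.split("|")[1])
    if now > expiry:                      # expired T-PASS: client must redo inter-domain AKA
        return False
    if abs(now - t2) > WINDOW:            # t2 outside the acceptance window: treat as replay
        return False
    expected = mic(shared_key(router_key, tpass), t1, t2)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Issue passes in domain O1, run one intra-domain AKA, and show two rejected messages."""
    now = 1_700_000_000                   # constructed clock value
    O1 = domain_init("O1")
    r11, k_r11 = issue_pass(O1["beta"], "R11@O1", now + 86_400)
    r12, k_r12 = issue_pass(O1["beta"], "R12@O1", now + 86_400)
    # After inter-domain AKA with R1,1, the administrator issues C1,1's temporary credential.
    t_c11, k_t_c11 = issue_pass(O1["beta"], "tempC11@O1", now + 3_600)
    tpass_ok = validate_pass(O1, t_c11, k_t_c11)
    # Eq. 6.2: R1,1 uses its own pass-key and the T-PASS; C1,1 uses the T-PASS key and the R-PASS.
    keys_match = shared_key(k_r11, t_c11) == shared_key(k_t_c11, r11)
    # Intra-domain AKA with R1,2: t1 from the beacon (B.1), t2 chosen by the client.
    t1, t2 = now, now + 1
    intra_ok = router_verify_b2(k_r12, t1, client_b2(t_c11, k_t_c11, r12, t1, t2), now + 2)
    # A T-PASS string invented without the domain secret: keys differ, MIC check fails.
    forged_msg = client_b2("tempX@O1|" + str(now + 3_600), 12345, r12, t1, t2)
    forged_ok = router_verify_b2(k_r12, t1, forged_msg, now + 2)
    # The legitimate message received after the acceptance window has passed.
    stale_ok = router_verify_b2(k_r12, t1, client_b2(t_c11, k_t_c11, r12, t1, t2), now + 2 * WINDOW)
    return {"tpass_ok": tpass_ok, "keys_match": keys_match, "intra_ok": intra_ok,
            "forged": forged_ok, "stale": stale_ok}


if __name__ == "__main__":
    print(demo())
```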
6.4.3 Client-Client Authentication and Key Agreement
One significant advantage of WMNs over wireless LANs lies in the multi-hop communication paradigm, which extends the network coverage. This, however, creates the need for mutual authentication among mesh clients present in the same mesh. By client-client authentication, we mean that two mesh clients ascertain that each of them is served by the same WMN domain. This is important, for example, because each client should only forward packets to the mesh router on behalf of legitimate clients. Otherwise, he might not be paid for his packet-forwarding service, which consumes his precious battery power. Two clients might as well wish to set up a shared key with which to secure the data and signalling traffic between them.
The introduction of temporary client credentials greatly eases client-client AKA. The reason is that possession of an authentic temporary credential can serve as proof that the holder has been authenticated by the current WMN domain. Consider, for example, clients $C_{1,1}$ and $C_{2,1}$, which are registered with brokers $B_1$ and $B_2$, respectively. Suppose both have finished inter-domain AKA with the same or different routers of operator $O_1$. As a result, $C_{1,1}$ has $(PASS^{O_1}_{C_{1,1}}, K^{O_1}_{C_{1,1}})$ and $C_{2,1}$ owns $(PASS^{O_1}_{C_{2,1}}, K^{O_1}_{C_{2,1}})$. Once they have actively exchanged or passively learned (e.g., from routing messages) each other's T-PASS, they can derive the same shared key $K_{C_{1,1},C_{2,1}} = e_{O_1}(H^{O_1}_1(PASS^{O_1}_{C_{1,1}}), H^{O_1}_1(PASS^{O_1}_{C_{2,1}}))^{\beta_{O_1}}$, similar to what $C_{1,1}$ and $R_{1,1}$ did in Eq. 6.2. Subsequently, they can fulfill mutual authentication with many classical symmetric-key challenge-response authentication techniques [10]. For instance, $C_{1,1}$ can send to $C_{2,1}$ a challenge $r_1$ encrypted with $K_{C_{1,1},C_{2,1}}$. If $C_{2,1}$ can report a correct response, say $(r_1 + 1)$, $C_{1,1}$ declares the authentication of $C_{2,1}$ successful. In much the same way, $C_{2,1}$ can authenticate $C_{1,1}$.
Owning an authentic temporary credential permits a client to achieve mutual AKA with all the other clients served by the same WMN domain. Also note that, unlike router-client AKA, client-client AKA can be done on demand, e.g., when two clients become neighbors, or when one is helping the other deliver traffic to the mesh router. In addition, client-client AKA is expected to occur even more frequently than intra-domain AKA. This is mainly due to clients dynamically joining and leaving a mesh, as well as the frequent uplink route changes caused by mobility of mesh clients or many other reasons. In light of this, our ID-based T-PASSes clearly have substantial advantages over their much longer certificate-based alternatives, whose transmission may incur a significant communication overhead.
6.5 Security Enhancements
Up to now, we have detailed the router-client and client-client AKA procedures based
on router and client passes. The protocols presented are perfectly secure against both
client and router impersonation attacks. In this section, we describe several other severe
attacks against WMN access and present corresponding countermeasures. These defense
mechanisms also serve as answers to security requirements five to seven introduced in Section
6.2.1.
6.5.1 Location Privacy Attack
Anonymity and location privacy are of growing concern to end users [132]. In particular, mesh clients would usually prefer to travel incognito, thereby remaining anonymous to both visited WMN domains and potential eavesdroppers. In our UPASS, if a mesh client uses a fixed C-PASS while roaming, it will be possible for some attackers or vicious WMN operators to track his movements and whereabouts. We refer to such an attack as the location privacy attack.
Constancy and uniqueness of client identifiers are the root cause of the location privacy attack. Consider client $C_{i,j}$ as an example. As mentioned in Section 6.3.3, $C_{i,j}$ is a standard network access identifier (NAI) [124] of the form $ID_{C_{i,j}}@ID_{B_i}$. To defend against the location privacy attack, we obviously have to ensure the confidentiality of the client-name $ID_{C_{i,j}}$ that is unique in domain $B_i$. A straightforward solution would be to use dynamically changing aliases in place of the fixed $ID_{C_{i,j}}$. One may think of also hiding the identity of broker $B_i$, i.e., the broker-name $ID_{B_i}$, as a higher-level anonymity requirement. A serving WMN domain, however, often needs to know the enrolling broker of a client. This conflict makes a lightweight solution for ensuring broker anonymity unlikely. As far as we know, the only possible solution appears in [132]. In this approach, there exists a central clearinghouse or a mix network trusted by all brokers and WMN operators. Aliases are assigned to brokers so that a mesh client can reference his enrolling broker by an alias; it is then left up to the central clearinghouse to resolve broker aliases. Considering the infrastructure complexity related to this proposal, we currently do not feel it worthwhile to guarantee the anonymity of brokers. What we need is merely an efficient way to generate unlinkable aliases for mesh clients.
Again, we use $C_{i,j}$ as an example to explain our solution. We require that broker $B_i$ have a long-enough key $\Gamma_{B_i}$ which it keeps secret. The alias it generates for client $C_{i,j}$ is of an encrypted form $alias_{C_{i,j}} = \{ID_{C_{i,j}}, rand, h_{\Gamma_{B_i}}(ID_{C_{i,j}} \| rand)\}_{\Gamma_{B_i}}$, where $rand$ denotes a random number and $\{\cdot\}_{\Gamma_{B_i}}$ denotes encryption under $\Gamma_{B_i}$. Then $PASS_{C_{i,j}}$ takes a new form, $(alias_{C_{i,j}}@ID_{B_i}, expiry\text{-}time, otherTerms)$. Hereafter, we refer to such a C-PASS as an alias C-PASS and the corresponding pass-key as an alias pass-key. Upon registration with $B_i$, client $C_{i,j}$ is armed with multiple alias (C-PASS, pass-key) pairs, which he uses in a random fashion while roaming across WMN domains.
The use of random numbers in encryption results in unlinkable aliases. In particular, aliases for the same client are always different, and an alias discloses no information about the true identity of the client. In addition, compromise of a client's alias neither compromises the aliases of others nor reveals previous aliases of the same client. Therefore, the alias method provides adequate protection against the location privacy attack. It is also a stateless solution in that a broker need not keep a record of the aliases it has generated. To make sure of the true identity of a client, it merely needs to perform one simple decryption of a presented alias as well as a MIC check.
New alias (C-PASS, pass-key) pairs must be issued periodically to client $C_{i,j}$. For this purpose, broker $B_i$ gives a shared key $h_{\Gamma_{B_i}}(ID_{C_{i,j}})$ to $C_{i,j}$ during his registration. Subsequently, it uses the shared key to encrypt new alias (C-PASS, pass-key) pairs for $C_{i,j}$, who, in turn, can decrypt them for subsequent use. As for the alias update frequency, there is a tradeoff between the degree of location privacy protection and the alias update overhead. On the one hand, if each alias (C-PASS, pass-key) pair is used only once, we can achieve a high level of resilience to the location privacy attack. This, however, is achieved at the cost of very frequent alias updates, which translate into great communication and computation overhead. On the other hand, reusing each pair for longer lowers this overhead but weakens the protection. In practice, a good balance should be made between these two competing factors.
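The alias construction and its stateless resolution by the broker, as an added Python example that is not the dissertation's code: the broker secret, the HMAC-based counter-mode keystream standing in for the unnamed cipher, the 8-byte $rand$, the truncated inner MIC and all function names are our assumptions.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Added example, not code from the dissertation: broker B_i issuing and resolving
# the alias identifiers of Section 6.5.1.  Gamma_{B_i} is a 32-byte secret.  The
# page names no cipher; as an assumption, encryption here is a counter-mode
# keystream derived with HMAC-SHA256 (the stdlib has no block cipher), so the
# structure {ID, rand, h_Gamma(ID || rand)}_Gamma, not the cipher, is the point.

IV_LEN, RAND_LEN, MIC_LEN = 12, 8, 16

def _keystream(gamma: bytes, iv: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(gamma, iv + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _inner_mic(gamma: bytes, client_id: bytes, rand: bytes) -> bytes:
    # h_Gamma(ID || rand), truncated; it lets B_i recognise its own aliases.
    return hmac.new(gamma, client_id + rand, hashlib.sha256).digest()[:MIC_LEN]

def make_alias(gamma: bytes, client_id: bytes) -> bytes:
    """alias = { ID, rand, h_Gamma(ID || rand) }_Gamma with a fresh rand and IV,
    so two aliases of the same client share no visible bits."""
    rand = os.urandom(RAND_LEN)
    plaintext = (struct.pack(">B", len(client_id)) + client_id + rand
                 + _inner_mic(gamma, client_id, rand))
    iv = os.urandom(IV_LEN)
    return iv + _xor(plaintext, _keystream(gamma, iv, len(plaintext)))

def resolve_alias(gamma: bytes, alias: bytes) -> Optional[bytes]:
    """Stateless check by B_i: decrypt, recompute the MIC, return the true ID or None."""
    if len(alias) < IV_LEN + 1 + RAND_LEN + MIC_LEN:
        return None
    iv, body = alias[:IV_LEN], alias[IV_LEN:]
    pt = _xor(body, _keystream(gamma, iv, len(body)))
    id_len = pt[0]
    if len(pt) != 1 + id_len + RAND_LEN + MIC_LEN:
        return None
    client_id = pt[1:1 + id_len]
    rand = pt[1 + id_len:1 + id_len + RAND_LEN]
    presented = pt[1 + id_len + RAND_LEN:]
    if not hmac.compare_digest(presented, _inner_mic(gamma, client_id, rand)):
        return None                                   # forged or tampered alias
    return client_id

def client_update_key(gamma: bytes, client_id: bytes) -> bytes:
    """h_Gamma(ID): the key B_i shares with C_{i,j} to deliver new alias pairs."""
    return hmac.new(gamma, client_id, hashlib.sha256).digest()

def alias_pass(gamma: bytes, client_id: bytes, broker_id: bytes, expiry: int) -> bytes:
    """The NAI part of an alias C-PASS, alias@ID_B, plus its expiry time; the
    alias is hex-encoded and otherTerms are omitted."""
    return (make_alias(gamma, client_id).hex().encode() + b"@" + broker_id
            + b"|" + str(expiry).encode())

def resolve_alias_pass(gamma: bytes, presented: bytes) -> Optional[bytes]:
    """Broker side: take the alias out of a presented alias C-PASS and resolve it."""
    alias_hex = presented.split(b"@", 1)[0]
    try:
        return resolve_alias(gamma, bytes.fromhex(alias_hex.decode()))
    except ValueError:
        return None
```

Because $rand$ and the IV are fresh for every alias, two aliases of one client are unlinkable to anyone without $\Gamma_{B_i}$, while the broker resolves either with one decryption and one MIC comparison and stores nothing per alias.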
6.5.2 Bogus-Beacon Flooding Attack
Beacons periodically broadcast by a mesh router and processed by mesh clients play a fundamental role in ensuring the proper operation of a mesh. It is, therefore, important to guarantee the authenticity of beacons. Otherwise, an attacker may launch the bogus-beacon flooding attack by flooding a mesh with a lot of bogus beacons for all kinds of vicious motives. In the previous intra-domain and inter-domain AKA protocols, a mesh router digitally signs all the beacons before sending them out to provide an assurance of their authenticity. Since beacons are usually sent at very short intervals (e.g., every 100 ms as in IEEE 802.11b), performing continuous signature verifications would be too great a burden for common mesh clients with limited computational resources. This serves as motivation for a more lightweight yet effective solution.
[Figure 6–2 (image not extracted): An exemplary 5-by-5 hierarchical one-way hash chain, showing the chains $a_1, \ldots, a_5$ and $b_{x,1}, \ldots, b_{x,5}$ in sending order within one super beacon interval.]
We deal with this attack by a hierarchical one-way hash-chain technique, which is a modified version of the well-known Lamport one-time-password scheme [133]. Consider router $R_{1,1}$ as an example. Assume that it broadcasts a beacon every $\delta$ ms. We also define a super beacon interval as a time period lasting $mn\delta$ ms, where $m$ and $n$ are both positive integers. With our technique in place, each beacon (A.1) from $R_{1,1}$ will take the following new form:
$$\langle PASS_{R_{1,1}},\ domain\text{-}cert_{O_1},\ OtherInfo,\ S_{K_{R_{1,1}}}(t_s \| \delta \| a_1),\ x,\ a_x,\ b_{x,1},\ h_{a_x}(b_{x,1}),\ y,\ b_{x,y},\ h_{b_{x,y}}(\text{all previous fields}) \rangle$$
Here, $t_s$ indicates the starting time of a super beacon interval; $x$ and $y$ are both integers such that $1 \le x \le m$ and $1 \le y \le n$; $a_x = h(a_{x+1})$ for each $x \in [1, m-1]$, where $a_m$ is picked by $R_{1,1}$ at random; $b_{x,y} = h(b_{x,y+1})$ for each $x \in [1, m]$ and $y \in [1, n-1]$, where each $b_{x,n}$ is randomly chosen by $R_{1,1}$. Due to the one-way feature of the hash function $h$, if $a_m$ is chosen randomly, given $a_x$ it is computationally infeasible to find $a_{x+1}$, while given $a_{x+1}$ it is computationally efficient to derive $a_x$. Therefore, we can use the chain of values $\{a_x \mid 1 \le x \le m\}$ as one-time keys. The same argument applies to each chain $\{b_{x,y} \mid 1 \le y \le n\}$, where $b_{x,y}$ is used to compute a keyed MIC of beacon $(x-1)n + y$ of a super beacon interval. By contrast, $a_x$ is used to calculate a keyed MIC of the initial value $b_{x,1}$ to guarantee its authenticity. To help understanding, Fig. 6–2 illustrates a 5-by-5 hierarchical hash chain.
Suppose client $C_{1,1}$ hears such a beacon. Let us first consider the case that $C_{1,1}$ has not fulfilled mutual authentication with router $R_{1,1}$. $C_{1,1}$ first needs to authenticate $R_{1,1}$ by performing the operations given in Section 6.4.1. Note that the required timestamp $t_1$, i.e., the beacon sending time, can be easily deduced as $t_1 = t_s + (x-1)n\delta + y\delta$. If all the checks succeed, $C_{1,1}$ then verifies that $a_1 = h^{(x-1)}(a_x)$, where $h^{(s)}(M)$ means applying the hash function $h$ iteratively to message $M$ for $s$ times and $h^{(0)}(M) = M$. If so, he calculates $h_{a_x}(b_{x,1})$ and compares it with what is in the beacon. If they are equal, $C_{1,1}$ uses $b_{x,y}$ to compute a keyed MIC of the proper beacon fields and, if the result matches what he received, considers the beacon authentic. Finally, he stores the super-interval parameter triplet $(t_s, \delta, a_1)$ and sets $c_a \leftarrow x$, $c_b \leftarrow y$, $a_{c_a} \leftarrow a_x$, and $b_{c_a,c_b} \leftarrow b_{x,y}$ for later use. Other operations remain the same as those of the aforementioned inter-domain or intra-domain AKA protocol.
Now we consider the case that $C_{1,1}$ and $R_{1,1}$ have authenticated each other. This means that $C_{1,1}$ knows an authentic super-interval parameter triplet of $R_{1,1}$. Upon receiving a beacon, $C_{1,1}$ first checks whether the contained super-interval parameter triplet differs from what he stores, which is possible if he has lost track of beacons. If so, he does the operations described above to first verify the super-interval parameters and then authenticate the beacon. Otherwise, he first checks that $c_a \le x$ and $c_b < y$, and then that the difference between $t_1 = t_s + (x-1)n\delta + y\delta$ and his local clock time is within an acceptance window. These checks are necessary for withstanding beacon replay attacks. If they are successful, $C_{1,1}$ further distinguishes two cases. If $a_{c_a} = a_x$, he merely checks that $b_{c_a,c_b} = h^{(y-c_b)}(b_{x,y})$ and, if so, sets $c_b \leftarrow y$ and $b_{c_a,c_b} \leftarrow b_{x,y}$. Otherwise, he needs to verify in sequence that $a_{c_a} = h^{(x-c_a)}(a_x)$, that $h_{a_x}(b_{x,1})$ equals the MIC in the beacon, and that $b_{x,1} = h^{(y-1)}(b_{x,y})$. If all the checks succeed, he computes a keyed MIC over the proper beacon fields using $b_{x,y}$. Only when the result matches what is in the beacon does he consider the beacon authentic and update $c_a \leftarrow x$, $c_b \leftarrow y$, $a_{c_a} \leftarrow a_x$, and $b_{c_a,c_b} \leftarrow b_{x,y}$.
A new super beacon interval begins either when $R_{1,1}$ has used $b_{m,n}$ or when it has updated its $(PASS_{R_{1,1}}, K_{R_{1,1}})$ pair.⁴ In either case, it selects a random $a_m$ and $b_{x,n}$'s for all $x \in [1, m]$, based on which it computes a new signature $S_{K_{R_{1,1}}}(t_s \| \delta \| a_1)$ broadcast in the next beacon.
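The router and client sides of this hash-chain scheme, as an added Python example that is not part of the dissertation: the fixed field encoding, treating the signature as an already-verified $(t_s, \delta, a_1)$ triplet, the client knowing $n$, and all names are our assumptions. The client's replay check orders beacons by $(x, y)$ in sending order, and on a restart from $a_1$ it also verifies $b_{x,1} = h^{(y-1)}(b_{x,y})$, as the second case above does.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

# Added example, not code from the dissertation: the m-by-n hierarchical hash
# chain of Section 6.5.2, with R_{1,1} emitting beacons and C_{1,1} verifying them
# while keeping (ts, delta, a1), c_a, c_b, a_{c_a} and b_{c_a,c_b}.  Assumptions:
# the signature S_K(ts || delta || a1) is abstracted (the client trusts a `params`
# triplet verified once per super beacon interval as in Section 6.4.1), n is
# known to the client (e.g. from OtherInfo), and all names are ours.

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def h_iter(data: bytes, s: int) -> bytes:
    """h^(s)(data): h applied s times; h^(0) is the identity."""
    for _ in range(s):
        data = h(data)
    return data

def mic(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def beacon_body(bc: Dict) -> bytes:
    """'All previous fields' in a fixed encoding; h_{b_{x,y}} covers this."""
    ts, delta, a1 = bc["params"]
    return b"".join([bc["info"], struct.pack(">QQII", ts, delta, bc["x"], bc["y"]),
                     a1, bc["ax"], bc["bx1"], bc["mic_bx1"], bc["bxy"]])

def send_time(bc: Dict, n: int) -> int:
    ts, delta, _ = bc["params"]
    return ts + (bc["x"] - 1) * n * delta + bc["y"] * delta   # t1 of beacon (x, y)

class Router:
    """R_{1,1}: one beacon every delta ms, m*n beacons per super beacon interval."""
    def __init__(self, m: int, n: int, delta: int, ts: int):
        self.m, self.n, self.delta, self.info = m, n, delta, b"OtherInfo"
        self.start_super_interval(ts)

    def start_super_interval(self, ts: int) -> None:
        # a_m and each b_{x,n} are random; a_x = h(a_{x+1}), b_{x,y} = h(b_{x,y+1}).
        self.a = [b""] * (self.m + 1)
        self.a[self.m] = os.urandom(32)
        for x in range(self.m - 1, 0, -1):
            self.a[x] = h(self.a[x + 1])
        self.b = {x: [b""] * (self.n + 1) for x in range(1, self.m + 1)}
        for chain in self.b.values():
            chain[self.n] = os.urandom(32)
            for y in range(self.n - 1, 0, -1):
                chain[y] = h(chain[y + 1])
        self.params = (ts, self.delta, self.a[1])   # what S_K(ts || delta || a1) signs
        self.x, self.y = 1, 0                        # index of the last beacon sent

    def next_beacon(self) -> Dict:
        self.y += 1
        if self.y > self.n:
            self.x, self.y = self.x + 1, 1
        if self.x > self.m:                          # b_{m,n} used up: new super interval
            self.start_super_interval(self.params[0] + self.m * self.n * self.delta)
            self.x, self.y = 1, 1
        x, y = self.x, self.y
        bc = {"params": self.params, "info": self.info, "x": x, "y": y, "ax": self.a[x],
              "bx1": self.b[x][1], "mic_bx1": mic(self.a[x], self.b[x][1]),
              "bxy": self.b[x][y]}
        bc["mic"] = mic(bc["bxy"], beacon_body(bc))
        return bc

class Client:
    """C_{1,1}: accepts a beacon only if it chains to values already verified."""
    def __init__(self, n: int, window: int):
        self.n, self.window = n, window              # window: clock tolerance in ms
        self.params: Optional[Tuple[int, int, bytes]] = None
        self.ca, self.cb, self.a_ca, self.b_cur = 0, 0, b"", b""

    def _link_a_chain(self, bc: Dict, anchor: bytes, dist: int) -> bool:
        # a_x must hash down to the anchor (a1 or a_{c_a}); a_x then vouches for b_{x,1}.
        return (h_iter(bc["ax"], dist) == anchor
                and hmac.compare_digest(mic(bc["ax"], bc["bx1"]), bc["mic_bx1"])
                and h_iter(bc["bxy"], bc["y"] - 1) == bc["bx1"])

    def accept(self, bc: Dict, now: int) -> bool:
        x, y = bc["x"], bc["y"]
        if abs(send_time(bc, self.n) - now) > self.window:
            return False                             # outside the acceptance window
        if bc["params"] != self.params:
            # First beacon, or the client lost track: restart from the signed a1.
            ok = self._link_a_chain(bc, bc["params"][2], x - 1)
        elif (x, y) <= (self.ca, self.cb):
            return False                             # not later in sending order: repl​ay
        elif bc["ax"] == self.a_ca:                  # same a-chain: walk the b-chain only
            ok = h_iter(bc["bxy"], y - self.cb) == self.b_cur
        else:                                        # new a-chain: link it to a_{c_a}
            ok = self._link_a_chain(bc, self.a_ca, x - self.ca)
        if not ok or not hmac.compare_digest(mic(bc["bxy"], beacon_body(bc)), bc["mic"]):
            return False
        self.params, self.ca, self.cb = bc["params"], x, y
        self.a_ca, self.b_cur = bc["ax"], bc["bxy"]
        return True
```

Per beacon the client does at most a few hash iterations and two MICs; the only signature verification is the one that established the `params` triplet at the start of the super beacon interval.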
The hash-chain technique greatly reduces the computational load of both mesh routers and clients because moderately expensive signature operations are replaced with hash operations, which are usually several orders of magnitude faster. In particular, $R_{1,1}$ just needs to generate a signature at the start of each super beacon interval, rather than each time it sends a beacon; each client accordingly performs merely one signature verification per super beacon interval instead of one for each received beacon. The concrete performance gains are closely related to the hash-chain-length parameters $m, n$, which, in turn, are constrained by the maximum memory the router allocates for this purpose. Generally speaking, the larger $m$ and $n$, the more performance gains we can have, and vice versa. For instance, assume that the beacon interval is $\delta = 100$ ms, $m = 40$ and $n = 1000$, meaning a super beacon interval of about 67 minutes. It takes the router one signature generation and $(m-1) + m(n-1) + m + mn = 80039$ hash operations in total to generate one-time keys and keyed MICs in beacons. This is in contrast to the 40000 IBC signature generations if the hash-chain technique is not used. In practice, a mesh router will have enough space to allow for much larger $m, n$ values, hence meaning potentially more substantial performance gains.
In addition, the generation of $\{b_{x,y} \mid 1 \le y \le n\}$ can be deferred until the values of $\{b_{x-1,y} \mid 1 \le y \le n\}$ are almost used up. This may be desirable for lowering the storage complexity. For $\{a_x \mid 1 \le x \le m\}$ and each $\{b_{x,y} \mid 1 \le y \le n\}$, there is a computation-storage tradeoff with respect to hash-chain traversal. One may envision two extreme approaches to this problem, i.e., storing either only the hash-chain seed ($a_m$ or $b_{x,n}$) or the entire chain. The first one has a relatively large on-line computational cost for generating each hash value, as the same sequence of values is repetitively computed. By contrast, the second method substantially reduces the computational complexity at the cost of high storage complexity. Researchers have recently investigated ways to optimize this computation-storage tradeoff. Interested readers are referred to [134, 135] for a thorough treatment of this issue.
⁴ The latter case usually occurs much less frequently than the former.
6.5.3 Denial-of-Access Attack
A denial-of-access (DoA) attack is one in which an attacker sends a large number of
bogus authentication responses like (A.2) or (B.2) to a mesh router. The purpose is to
exhaust its resources and render it less capable of serving legitimate clients. The router is,
however, assumed to at least be able to reject bogus authentication responses and send out
packets. Therefore, the DoA attack is different from and less devastating than the radio
jamming attack mentioned in Section 6.2.2.
The client-puzzle approach [136, 137, 138, 139] is a promising countermeasure against
the DoA attack. The idea is quite simple. When there is no evidence of attack, a router
processes authentication replies normally. Under a suspected DoA attack, the router re-
quires that a solution to a cryptographic puzzle be attached to each authentication re-
sponse. Only when the solution is correct will the router commit resources to process the
response, which involves moderately expensive public-key operations. Typically, solving a
client puzzle requires a brute-force search in the solution space, while solution verification is
trivial. Therefore, an attacker must have access to abundant resources to be able to quickly
compute a large enough number of puzzle solutions in line with his sending rate of bogus
authentication responses. By contrast, although puzzles slightly increase legitimate clients’
computational load when the router is under attack, they are still able to obtain network
access as if there were no DoA attack. The commonly used puzzles include CPU-bound puzzles [136, 137] and memory-bound puzzles [140, 141]. The former impose a number of computational steps to generate a solution, while the latter aim to impose similar puzzle-solving delays even on clients with different computational power. Due to space limitations, we will just demonstrate the use of CPU-bound puzzles because they are relatively easy to generate and understand. We leave the exploration of memory-bound puzzles as our future work.
With the client-puzzle approach and the aforementioned hash-chain technique, the inter-domain AKA protocol given in Section 6.4.1 is modified as follows:
$$\text{(A.1')}\ R_{1,1} \to *:\ PASS_{R_{1,1}},\ domain\text{-}cert_{O_1},\ OtherInfo,\ S_{K_{R_{1,1}}}(t_s \| \delta \| a_1),\ x,\ a_x,\ b_{x,1},\ h_{a_x}(b_{x,1}),\ y,\ b_{x,y},\ N_{R_{1,1}},\ L_{R_{1,1}},\ h_{b_{x,y}}(\text{all previous fields})$$
$$\text{(A.2')}\ C_{1,1} \to R_{1,1}:\ PASS_{C_{1,1}},\ S_{K_{C_{1,1}}}(t_2),\ N_{C_{1,1}},\ X_{C_{1,1}}$$
$$\text{(A.3')}\ R_{1,1} \to C_{1,1}:\ PASS^{O_1}_{C_{1,1}},\ E_{PASS_{C_{1,1}}}(K^{O_1}_{C_{1,1}})$$
The puzzle we use is similar to that of [137], consisting of $N_{R_{1,1}}$ and $L_{R_{1,1}}$ sent in beacon (A.1'). $N_{R_{1,1}}$ is a random nonce created and changed by $R_{1,1}$ periodically. We refer to such a period as a puzzle interval. $L_{R_{1,1}}$ is a one-byte value called the puzzle indicator. Only when there is evidence of the DoA attack does $R_{1,1}$ set the highest bit of $L_{R_{1,1}}$ to ask for puzzle solutions. In that case, the remaining seven bits of $L_{R_{1,1}}$, denoted by $\lfloor L_{R_{1,1}} \rfloor_7$, determine the puzzle difficulty.
Upon receipt of the beacon, if the highest bit of $L_{R_{1,1}}$ is zero, client $C_{1,1}$ just performs the operations described before. Otherwise, he has to additionally derive a solution to the presented puzzle. He does so by first generating a random client nonce $N_{C_{1,1}}$ and then performing a brute-force search for a string $X_{C_{1,1}}$ such that the $\lfloor L_{R_{1,1}} \rfloor_7$ bits of the hash result $h(PASS_{R_{1,1}} \| PASS_{C_{1,1}} \| N_{R_{1,1}} \| N_{C_{1,1}} \| X_{C_{1,1}})$ are zeros. The $(N_{C_{1,1}}, X_{C_{1,1}})$ pair is a puzzle solution and is returned to router $R_{1,1}$ in message (A.2'). If $h$ is a good one-way hash function such as SHA-1 [16], the average number of hash operations for finding a puzzle solution is $2^{\lfloor L_{R_{1,1}} \rfloor_7}$. It is also worth noting that, since router and client passes are used in solving the puzzle, it is unlikely that the same puzzle solution can be used for other routers and clients.
After receiving (A.2'), router $R_{1,1}$ first checks that client $C_{1,1}$ has not previously submitted a correct puzzle solution with the same $N_{C_{1,1}}$ under the same $N_{R_{1,1}}$. Message (A.2') is simply discarded if it contains a replayed puzzle solution. Otherwise, $R_{1,1}$ verifies the puzzle solution by recomputing the hash to see if the $\lfloor L_{R_{1,1}} \rfloor_7$ bits of the result are all zeros. Only if the solution is correct does it continue processing (A.2') according to the previous description.
Now we discuss the choice of puzzle parameters. To prevent an attacker from precomputing puzzle solutions, the router nonce $N_{R_{1,1}}$ must be random enough to be unpredictable. We believe that a 64-bit $N_{R_{1,1}}$ is long enough for this purpose. Also, the puzzle interval should be relatively short, say one minute, to lower the risk that an attacker precomputes solutions for the same $N_{R_{1,1}}$ and $L_{R_{1,1}}$, but not so short as to leave a client too little time to solve the puzzle. It is possible that a legitimate client submits a solution for a puzzle interval that has just ended. To allow this, there should be a short overlap between two adjacent puzzle intervals, during which the router accepts correct puzzle solutions for both intervals. Router $R_{1,1}$ can dynamically adjust the puzzle difficulty $\lfloor L_{R_{1,1}} \rfloor_7$, whose reasonable values lie between 1 and 64. The basic rule of thumb is to set $\lfloor L_{R_{1,1}} \rfloor_7$ larger when there is evidence of heavy attack and smaller otherwise. Finally, the length of a client nonce such as $N_{C_{1,1}}$ can generally be shorter than that of a router nonce, but should still be long enough, say 24 bits. This is necessary to prevent an attacker from quickly exhausting all possible client nonces in the same puzzle interval with the purpose of making a router treat the puzzle solutions submitted by legitimate clients as replayed ones.
Likewise, the intra-domain AKA protocol given in Section 6.4.2 is modified as follows:
$$\text{(B.1')}\ R_{1,2} \to *:\ PASS_{R_{1,2}},\ domain\text{-}cert_{O_1},\ OtherInfo,\ S_{K_{R_{1,2}}}(t_s \| \delta \| a_1),\ x,\ a_x,\ b_{x,1},\ h_{a_x}(b_{x,1}),\ y,\ b_{x,y},\ N_{R_{1,2}},\ L_{R_{1,2}},\ h_{b_{x,y}}(\text{all previous fields})$$
$$\text{(B.2')}\ C_{1,1} \to R_{1,2}:\ PASS_{C_{1,1}},\ t_2,\ N_{C_{1,1}},\ X_{C_{1,1}},\ h_{K_{C_{1,1},R_{1,2}}}(t_1 \| t_2 \| N_{C_{1,1}} \| X_{C_{1,1}})$$
The protocol illustration is omitted here for lack of space.
6.5.4 Bandwidth-Exhaustion Attack
In a bandwidth-exhaustion attack, an attacker continuously sends data packets destined
for a mesh router at a high data rate. Without precaution, innocent intermediate clients
will waste significant resources in forwarding the attacker’s packets. The attacker’s traffic
may also consume a significant portion of available network bandwidth, as well as interfering
with legitimate clients’ traffic to and from the mesh router.
We use an $s$-hop uplink route, starting from attacker $C_{1,1}$ through legitimate clients $C_{2,1}, \ldots, C_{s,1}$ to router $R_{1,1}$, to illustrate our countermeasures. Assume that all the clients including $C_{1,1}$ have finished mutual authentication with $R_{1,1}$ and accordingly own an authentic temporary credential. As a result, pairwise shared keys can be established among all the clients and router $R_{1,1}$ (cf. Eq. 6.2). For simplicity, we further assume that attacker $C_{1,1}$ sends out IP packets of the format $pkt := \langle R_{1,1}, data \rangle$, where $data$ may contain the ultimate destination to which $R_{1,1}$ should forward this packet and other upper-layer information.
An intuitive solution to the above attack is to require $C_{1,1}$ to attach to each packet $s$ keyed MICs, computed with his pairwise keys shared with the intermediate clients and $R_{1,1}$. More specifically, each packet sent by $C_{1,1}$ takes a new form,⁵
$$pkt' := \langle pkt,\ h_{K_{C_{1,1},C_{2,1}}}(pkt),\ \ldots,\ h_{K_{C_{1,1},C_{s,1}}}(pkt),\ h_{K_{C_{1,1},R_{1,1}}}(pkt) \rangle.$$
Upon receipt of such a packet, each intermediate client $C_{i,1}$ for $i \in [2, s]$ can verify the MIC $h_{K_{C_{1,1},C_{i,1}}}(pkt)$ before forwarding it to the next hop. Finally, router $R_{1,1}$ verifies $h_{K_{C_{1,1},R_{1,1}}}(pkt)$ before processing the packet. This method can withstand the bandwidth-exhaustion attack by an attacker not authenticated by the serving WMN domain, as his packets will not carry correct keyed MICs. In addition, if an authenticated attacker like $C_{1,1}$ follows the process correctly, router $R_{1,1}$ can slow down his traffic by economic means. In particular, $R_{1,1}$ regards $C_{1,1}$ as a normal client with a high bandwidth demand and charges him a large amount commensurate with his traffic rate. However, the economic means fails if $C_{1,1}$ always inserts into each packet incorrect keyed MICs only for the last few hops. In doing so, his packets will always be dropped by intermediate clients before reaching $R_{1,1}$, so $R_{1,1}$ has no way of charging $C_{1,1}$. However, $C_{1,1}$ can still effectively achieve the vicious goal of consuming network and legitimate clients' resources.
A complementary way to mitigate the bandwidth-exhaustion attack is through the aforementioned client-puzzle approach. It utilizes the fact that each served client of $R_{1,1}$ can hear the puzzle $(N_{R_{1,1}}, L_{R_{1,1}})$ and is thus able to validate puzzle solutions. In this approach, $C_{1,1}$ needs to provide $R_{1,1}$ with a puzzle solution $(N_{C_{1,1}}, X_{C_{1,1},R_{1,1}})$ satisfying the aforementioned constraint. He also has to offer a solution $(N_{C_{1,1}}, X_{C_{1,1},C_{i,1}})$ for each intermediate client $C_{i,1}$, which should satisfy that the $\lfloor L_{R_{1,1}} \rfloor_7$ bits of $h(PASS_{C_{i,1}} \| PASS_{C_{1,1}} \| N_{R_{1,1}} \| N_{C_{1,1}} \| X_{C_{1,1},C_{i,1}})$ are all zeros. Each such solution can be individually validated by the intended client.
⁵ There are ways to shorten the packet, which are ignored for brevity.
If suspecting the presence of the bandwidth-exhaustion attack, router $R_{1,1}$ sets the highest bit of $L_{R_{1,1}}$ to instruct all clients within coverage to perform validations of puzzle solutions. If this occurs, each packet source like $C_{1,1}$ needs to send puzzle solutions along with data packets at a rate in line with his traffic rate. We use the well-known token-bucket approach to realize this objective. In particular, each intermediate client $C_{i,1}$ maintains a token bucket for $C_{1,1}$, essentially an integer counter of sufficient length, say four bytes. He adds $\alpha$ tokens to the bucket each time $C_{1,1}$ provides a correct puzzle solution. Each token corresponds to a traffic unit, say 1 KB, and only when there are enough tokens in the bucket will $C_{i,1}$ forward $C_{1,1}$'s packets to the next hop after doing a MIC check. The rate-control parameter $\alpha$ can be dynamically adjusted to cope with the current network traffic load. Specifically, it should be set smaller when the traffic load is heavy and larger otherwise. $R_{1,1}$ can either centrally decide $\alpha$ and convey it to mesh clients in beacons, or let each client determine $\alpha$ by himself.
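The client puzzle of Section 6.5.3 and the token bucket just described, as one added Python example that is not the dissertation's code: opaque byte-string passes, a fixed-width counter as $X$, keeping the previous router nonce valid until the next rotation as a coarse form of the overlap between adjacent puzzle intervals, and all names are our assumptions.

```python
import hashlib
import os
import struct
from typing import Dict, List, Set, Tuple

# Added example, not code from the dissertation: the CPU-bound client puzzle of
# Section 6.5.3 and the token bucket of Section 6.5.4, in which an intermediate
# client turns correct puzzle solutions into forwarding credit for a source.
# Passes are opaque byte strings and X is a fixed-width counter; names are ours.

def leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def puzzle_hash(pass_verifier: bytes, pass_client: bytes, n_router: bytes,
                n_client: bytes, x: bytes) -> bytes:
    # h(PASS_verifier || PASS_C || N_R || N_C || X): the verifier's own pass is
    # PASS_R for the router and PASS_{C_{i,1}} for an intermediate client, so a
    # solution computed for one verifier is useless for another.
    return hashlib.sha256(b"".join([pass_verifier, pass_client, n_router, n_client, x])).digest()

def puzzle_required(indicator: int) -> bool:
    return bool(indicator & 0x80)          # highest bit of L_R

def difficulty(indicator: int) -> int:
    return indicator & 0x7F                # floor(L_R)_7: the low seven bits

def solve_puzzle(pass_verifier: bytes, pass_client: bytes, n_router: bytes,
                 indicator: int) -> Tuple[bytes, bytes]:
    """Client side: pick N_C, then search X until the hash starts with k zero bits."""
    k = difficulty(indicator)
    n_client = os.urandom(3)               # 24-bit client nonce, as the page suggests
    counter = 0
    while True:
        x = struct.pack(">Q", counter)
        if leading_zero_bits(puzzle_hash(pass_verifier, pass_client, n_router, n_client, x)) >= k:
            return n_client, x
        counter += 1

class PuzzleVerifier:
    """Verifier side (router or intermediate client).  The previous router nonce
    stays valid until the next rotation, a coarse form of the page's overlap
    between adjacent puzzle intervals; (N_R, PASS_C, N_C) triples already
    accepted are remembered so replayed solutions are rejected."""
    def __init__(self, my_pass: bytes, n_router: bytes, indicator: int):
        self.my_pass, self.indicator = my_pass, indicator
        self.nonces: List[bytes] = [n_router]
        self.seen: Set[Tuple[bytes, bytes, bytes]] = set()

    def rotate(self, n_router: bytes, indicator: int) -> None:
        self.indicator = indicator
        self.nonces = [n_router] + self.nonces[:1]
        self.seen = {s for s in self.seen if s[0] in self.nonces}

    def verify(self, pass_client: bytes, n_client: bytes, x: bytes) -> bool:
        k = difficulty(self.indicator)
        for n_router in self.nonces:
            if (n_router, pass_client, n_client) in self.seen:
                return False               # replayed solution
            digest = puzzle_hash(self.my_pass, pass_client, n_router, n_client, x)
            if leading_zero_bits(digest) >= k:
                self.seen.add((n_router, pass_client, n_client))
                return True
        return False

class Forwarder:
    """Intermediate client C_{i,1}: one token bucket per source, alpha tokens per
    correct puzzle solution, one token per traffic unit (1 KB by default)."""
    def __init__(self, verifier: PuzzleVerifier, alpha: int, unit: int = 1024):
        self.verifier, self.alpha, self.unit = verifier, alpha, unit
        self.buckets: Dict[bytes, int] = {}

    def credit(self, src_pass: bytes, n_client: bytes, x: bytes) -> bool:
        if not self.verifier.verify(src_pass, n_client, x):
            return False
        # A four-byte counter, as the page suggests, bounds the bucket.
        self.buckets[src_pass] = min(self.buckets.get(src_pass, 0) + self.alpha, 0xFFFFFFFF)
        return True

    def forward(self, src_pass: bytes, pkt_len: int, mic_ok: bool) -> bool:
        """Forward a packet only if its per-hop MIC checked out (previous
        paragraph) and, while puzzles are required, the source has paid enough
        tokens for it."""
        if not mic_ok:
            return False
        if not puzzle_required(self.verifier.indicator):
            return True                    # no attack suspected: no rate control
        needed = -(-pkt_len // self.unit)  # ceiling division: tokens for this packet
        if self.buckets.get(src_pass, 0) < needed:
            return False
        self.buckets[src_pass] -= needed
        return True
```

With $\lfloor L_{R_{1,1}} \rfloor_7 = 16$ a solution costs a client about $2^{16}$ hashes, while each intermediate client checks it with a single hash and a set lookup.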
6.6 Incontestable Billing of Mobile Users
Once finishing mutual inter- or intra-domain authentication with a mesh router, a
user can start to access the network through it. In this section, we present a realtime
micropayment approach to realize incontestable billing of mobile users for receiving network
access services.
6.6.1 Billing Basics
We assume that each WMN operator has two network access rates, λ and γ monetary
units (m-units) per traffic unit (t-unit), say 0.05 and 0.01 cents/KB. In particular, a user
needs to pay the network operator and each intermediate user λ and γ m-units, respectively,
for each t-unit received or transmitted through them. Different WMN operators may have
diverse access rates and each operator may also dynamically adjust its access rates. For
example, $\lambda$ and $\gamma$ can be set higher during busy hours and lower during idle hours. An operator can even enforce different charging rates for mesh routers deployed in different locations. All we require is that each mesh router include its current $\lambda, \gamma$ values in its periodically broadcast Beacon messages. These two values are usually important inputs to a user's decision-making process as to whether to join a WMN domain. Also note that our UPASS can be easily extended to adopt a time-based rather than traffic-based charging method, which is omitted for brevity.
In what follows, we take router R1,1 and client C1,1 as an example to illustrate our
session-based billing scheme. A session begins when a new uplink route from C1,1 to R1,1
is established and terminates when the route breaks due to reasons such as user mobility.
We also assume the existence of a secure routing protocol that finds a valid uplink route.
Many existing secure ad hoc routing protocols such as Ariadne [8] or ARAN [42] can serve
this purpose after minor modifications. We further postulate that router R1,1 can reliably
verify that each intermediate user indeed participates in forwarding each packet from C1,1.
This can be fulfilled, for example, by asking each intermediate user to attach to each
forwarded packet a MIC calculated under its pairwise shared key with R1,1 established
during mutual authentication. After verification of the received MICs, R1,1 can ascertain
that the corresponding intermediate users indeed participated in forwarding the packet for
C1,1. Due to space limitations, we will not dwell on this point hereafter.
In current on-demand ad hoc routing protocols such as AODV [5] or its secure version ARAN [42], a multihop route is finally chosen by the intended destination, which is router $R_{1,1}$ in our case. Suppose $R_{1,1}$ selects an uplink route with $n$ intermediate users and informs $C_{1,1}$ about it. Then $C_{1,1}$ can determine that in total he needs to pay $rate_{up} := \lambda + n\gamma$ m-units per t-unit transmitted via the multihop uplink and $\lambda$ m-units per t-unit received via the single-hop downlink. The uplink charging rate $rate_{up}$ varies across sessions with different uplink route lengths. Whenever a new session begins due to a newly discovered uplink route, $R_{1,1}$ should inform $C_{1,1}$ about this. Here, we assume that the WMN operator does not collude with intermediate users to cheat $C_{1,1}$, in the sense that $R_{1,1}$ always selects the cheapest route for $C_{1,1}$ allowed by the underlying routing metric. For instance, if the hop count is the routing metric, $R_{1,1}$ will always pick the shortest (i.e., cheapest) route for $C_{1,1}$. This assumption is reasonable because the operator is always paid at a constant rate of $\lambda$ m-units/t-unit for both uplink and downlink traffic, independent of the route length.
[Figure 6–3 (image not extracted): An exemplary payment structure ($m > 3$, $t > 2$), showing the hash-chain values $a_1, \ldots, a_m$, each authenticating a chain $w_{x,1}, \ldots, w_{x,t}$, laid out in spending order.]
There is a possible attack launched by collusive users. In particular, collusive users
within the same mesh first exchange certain cryptographic materials such as permanent
or temporary passes, pass-based keys and the pairwise keys shared with router R1,1. The
purpose is to make each of them able to emulate all the other conspirators, i.e., to act as
several consecutive users but only incurring the communication cost of a single user. If
successfully performed, this emulation attack may cause C1,1 to pay more than what he
ought to pay. We note that this attack may be possible only when an emulator resides
on the uplink route discovered via the underlying secure routing protocol. For example,
if the emulator acts as too many conspirators, leading to a long uplink route length, the
trustworthy R1,1 will select other routes with shorter lengths. This is very likely to happen
because of the usual availability of multiple candidate routes from C1,1 to R1,1. Therefore,
the damage of the emulation attack might be rather limited. To deal with the case that
the emulator is on the uplink route, the best known countermeasure is through statistical
approaches proposed by Jakobsson et al. [123] and Salem et al. [142]. For lack of space,
we refer interested readers to [123] and [142] for details.
6.6.2 Payment Structures
We now define an important data structure called a payment structure used in our
billing process. Let DC1,1→R1,1 :=< R1,1, expiry-date, L, a1, t, m >. A payment structure is
defined as follows:
< SKC1,1(DC1,1→R1,1), 〈am〉, 〈w1,t〉, 〈w2,t〉, ..., 〈wm,t〉 > .
Expiry-date specifies the expiry date of this payment structure before which it is redeemable
at C1,1’s enrolled broker. Fig. 6–3 depicts an exemplary payment structure for m > 3 and
t > 2.
We write 〈am〉 for the m hash values ai (1 ≤ i ≤ m) generated as follows: C1,1 first picks a
random number am and then recursively computes ai = h(ai+1) for i = m−1, m−2, ..., 1.
Due to the one-way feature of the hash function h, if am is chosen randomly, given ai−1 it is
computationally infeasible to find ai, while given ai it is computationally efficient to derive
ai−1. Each 〈wi,t〉 (1 ≤ i ≤ m) denotes t hash values wi,j (1 ≤ j ≤ t) generated by C1,1 in
the same way, where each wi,t is chosen at random. The chain-length parameters m and t are
selected at C1,1's convenience; their choice will be discussed shortly. We also refer
to am and wi,t as the roots of 〈am〉 and 〈wi,t〉, respectively.
SKC1,1(DC1,1→R1,1) is C1,1’s signed commitment to his payment structure for R1,1, and
should be sent to R1,1 before starting any session. For example, C1,1 can send it as part
of its authentication message to R1,1. Upon receipt of it, R1,1 first verifies the signature
using PASSC1,1 as C1,1's public key and, if successful, saves it for subsequent verification of
payments from C1,1. We require R1,1 to acknowledge the receipt of SKC1,1(DC1,1→R1,1).
Each 〈wi,t〉 is called a payment chain, of which each wi,j is termed a payment token and
worth L m-units. The payment tokens are spent in order, but not necessarily consecutively.
In other words, once C1,1 spends wi,j , he cannot spend wi,k for k < j. The m payment
chains do not need to be generated simultaneously at the beginning. Instead, C1,1 can defer
the generation of 〈wi+1,t〉 until payment tokens of 〈wi,t〉 are used up. By comparison, 〈am〉 is referred to as a proof chain and used to provide efficient authentication of payment-chain
roots. Elements of 〈am〉 are called proof tokens, and are not only used in order but also
consecutively: a1 first, then a2, and so forth. Note that, once used, a payment or proof
token can be dumped by C1,1 to save storage space.
We take a concrete example to explain how a proof token ai is used to authenticate the
root wi,1 of 〈wi,t〉. Recall that user C1,1 has sent the authenticated a1 to router R1,1. To
spend payment tokens of 〈w1,t〉, C1,1 first sends (w1,1, ha1(w1,1)) to R1,1. We view a1 as a
one-time password of C1,1 and thus ha1(w1,1) as a MIC. Upon receipt of the message, R1,1
recalculates the MIC and checks the result against what C1,1 sent. If the two are equal,
R1,1 knows that w1,1 indeed came from C1,1 and then saves it for subsequent verification of
payment tokens of 〈w1,t〉. Suppose C1,1 has used up the payment tokens of 〈wi,t〉 and wants to
use 〈wi+1,t〉 for i ≥ 1. To do so, he sends to router R1,1 a triplet (ai+1, wi+1,1, hai+1(wi+1,1))
as a commitment to 〈wi+1,t〉. Upon receiving it, R1,1 first checks whether ai = h(ai+1). If
so, R1,1 determines that ai+1 was sent by C1,1 because nobody else is able to forge an ai+1 that
can pass the check, due to the one-way feature of 〈am〉. Subsequently, R1,1 recomputes the
MIC hai+1(wi+1,1). If the result matches what C1,1 sent, R1,1 knows that wi+1,1 is a
valid root which can be used to verify subsequent payment tokens from 〈wi+1,t〉. It is worth
pointing out that R1,1 just needs to memorize the highest-indexed proof token from 〈am〉. In
addition, R1,1 is required to acknowledge the receipt of (ai+1, wi+1,1, hai+1(wi+1,1)).
A natural question is why we use m payment chains of size t instead
of a single one of size tm. The reason is that doing so imposes a much smaller storage
requirement on C1,1. In particular, the single-chain approach requires C1,1 to store about
tm/2 payment tokens on average during the payment process. Suppose SHA-1 [16] is used
as h and each payment or proof token is SHA-1's 20-byte output. Also assume that
L, m and t are equal to 1, 50 and 100, respectively. This means that a single payment
chain provides a total worth of 5000 m-units, while requiring an average space of about
50 KB. In contrast, using our payment structure allows C1,1 to store just m/2 proof and
t/2 payment tokens on average, representing an average storage overhead of only about 1.5
KB. In addition, employing shorter payment chains can minimize the waste coming from
unspent hash tokens. Such storage savings come at the cost of some service delay caused
by generating a new payment chain in real time. However, since the hash operation is very
fast and a hash chain with 1000 tokens can be derived in less than one second [143] even in
low-end devices, such a delay is believed to be affordable. Also notice that a new payment-
chain commitment (triplet) can be transmitted along with regular data packets so that the
extra communication overhead can be minimized.
A payment structure is both user-specific and router-specific and thus is of no value to
another user or router. It is also session-independent in that C1,1 can use it across different
sessions with R1,1. A payment structure supports the generation of up to m payment
chains of size t. Once all m payment chains are used up, a new payment structure needs
to be generated if needed. Since generating a new payment structure involves a signature
generation on C1,1 and a signature verification on R1,1, respectively, we suggest using a
slightly larger m to reduce moderately expensive signature operations.
6.6.3 Making Payments
In what follows, we first discuss how user C1,1 pays router R1,1 and then intermediate
users along the uplink route.
Paying routers. To make payments to R1,1, C1,1 maintains a debt counter DCC1,1
recording the amount in m-units he owes to R1,1. DCC1,1 is increased by λ for each downlink
t-unit and by rateup for each uplink t-unit. Accordingly, R1,1 maintains for C1,1 a profit
counter PCC1,1 which is increased by λ and rateup for each t-unit sent to and received from
C1,1, respectively.
We require that R1,1 specify in its periodically broadcasted Beacon messages a param-
eter θR1,1 , indicating the maximum amount in m-units that each user is allowed to owe it.
Whenever DCC1,1 > θR1,1 , C1,1 should make a payment to clear its debt at R1,1 in due
time to avoid service cutoff by R1,1. Without loss of generality, suppose C1,1 is spending
payment tokens of 〈wi,t〉. For ease of presentation, we temporarily assume that 〈wi,t〉 still
has enough unspent payment tokens. If the lowest-indexed unspent token is wi,u, C1,1 sends
to R1,1 a payment of format (wi,j, j), where u ≤ j ≤ t is the minimum integer such that
(j − u + 1)L > θR1,1. He then decreases DCC1,1 by (j − u + 1)L, and thus DCC1,1 may be
a negative value sometimes. Since the worth L of each payment token is usually of a small
amount, say several cents, we refer to each payment like (wi,j , j) as a micropayment.
For each payment chain 〈wi,t〉, router R1,1 merely needs to store the payment token
with the highest index, say (wi,k, k) (1 ≤ k ≤ t). This means that R1,1 has been paid kL
m-units by C1,1 using 〈wi,t〉 and ((i−1)t+k)L m-units in all. Upon receipt of (wi,j , j), R1,1
first verifies that j > k and then wi,k = hj−k(wi,j), where hj−k means applying the hash
function h iteratively to wi,j for (j− k) times. If both checks succeed, R1,1 knows that C1,1
indeed made a payment because nobody else can generate a valid payment token passing
the checks, due to the one-way feature of 〈wi,t〉. Subsequently, R1,1 replaces (wi,k, k) with
(wi,j , j) and decreases PCC1,1 by (j − k)L.
Assume that R1,1 sets a threshold θ∗R1,1 and stops serving C1,1 if it does not receive a
payment in the first data packet from C1,1 once PCC1,1 > θ∗R1,1. This may happen either
because C1,1 does not make a payment at all, or because a payment gets lost on its way
to R1,1, for example, due to a route break. Fortunately, the hash-chain technique can
tolerate payment losses well. For instance, suppose R1,1 does not receive (wi,j, j) but a
later payment (wi,l, l) for l > j. If l > k and wi,k = hl−k(wi,l), R1,1 can change (wi,k, k)
to (wi,l, l) and decrease PCC1,1 by (l − k)L. Obviously, this is equivalent to R1,1 having
correctly received both (wi,j, j) and (wi,l, l). To leverage this loss-tolerance feature, however,
θ∗R1,1 should be set larger than θR1,1. The difference between θ∗R1,1 and θR1,1 determines the
tradeoff between payment-loss tolerance and the financial risk of the operator. The larger
the difference, the more payment losses R1,1 can tolerate, but the higher the financial risk the
operator runs because C1,1 may not make a payment at all; and vice versa.
If the remaining tokens of 〈wi,t〉 are not enough to cover DCC1,1, C1,1 should generate a
new payment chain 〈wi+1,t〉. It then sends the new chain commitment (ai+1, wi+1,1, hai+1(wi+1,1))
to R1,1 which, in turn, verifies the commitment as described in Section 6.6.2. Subsequently,
C1,1 can delete any unspent payment tokens of 〈wi,t〉 and start to pay R1,1 with payment
tokens of 〈wi+1,t〉. Finally, R1,1 is required to store a payment record for C1,1 of format
< SKC1,1(DC1,1→R1,1), ak, (wi,1, hai(wi,1), wi,ki, ki)|1 ≤ i ≤ k > .
Here, ak (1 ≤ k ≤ m) refers to the highest-indexed proof token and wi,ki (1 ≤ ki ≤ t) is the
highest-indexed payment token from 〈wi,t〉. In rare cases, if C1,1 has generated and used
multiple payment structures, R1,1 should maintain such a record for each of them.
Paying intermediate users. We now discuss how to pay intermediate users using
the hash-chain technique. A naive way is for C1,1 to generate a payment structure for each
intermediate user and release payment tokens at pre-defined intervals, as he does for R1,1.
Such an approach has three significant drawbacks. First of all, it is computationally ineffi-
cient. For C1,1, he has to generate multiple payment structures and thus perform multiple
signature generations. Once the uplink route breaks, he has to redo these operations for
newly-joined intermediate users on the new route. Each intermediate user has to first ver-
ify a signature and then each subsequent proof or payment token. Since a user may act as
packet forwarders for multiple users simultaneously, he has to do these operations for each
of them. Secondly, it is communicationally inefficient in that C1,1 must release multiple
hash tokens at one time according to pre-defined intervals. Lastly, it is space inefficient
because C1,1 has to maintain multiple payment structures at the same time, and each user
needs to maintain at least one payment record for all the other users with him as a packet
relay.
To minimize the burden on mobile users, we propose to let R1,1 pay intermediate users
on behalf of C1,1. This is why a payment from C1,1 to R1,1 covers everything that
R1,1 and all the intermediate users should receive. Consider an intermediate user C2,1 as an
example. After authenticating C2,1, R1,1 generates a payment structure for C2,1 and sends
to him the signed commitment to the payment structure. Once verifying R1,1’s signature,
C2,1 saves the commitment for later verification of payment and proof tokens sent by R1,1.
The payment structure is also both user-specific and router-specific, and is used by R1,1
to pay C2,1 for all the traffic he forwards for all the other users in R1,1’s coverage area.
The detailed payment process is similar to that of C1,1 and omitted here due to space
constraints.
6.6.4 Redemption of Payment Records
All payment records should be redeemed at the users’ enrolled brokers before their
expiry dates. At the end of each day (or other suitable period), R1,1 reports all the stored
payment records to its domain operator who, in turn, assembles the records related to a
same broker and sends them in bulk.
For each submitted payment record < SKC1,1(DC1,1→R1,1), ak, (wi,1, hai(wi,1), wi,ki, ki)|1 ≤
i ≤ k >, a broker does the following in sequence:
(1) Examine SKC1,1(DC1,1→R1,1), including verifying the user's signature, checking the
expiry-date, and so on.
(2) Check that a1 = hk−1(ak) and save the intermediate values ak−1, ..., a2. Then, for each
i ∈ [1, k]:
(3) Calculate the MIC hai(wi,1) and check that the result matches the corresponding value in the
submitted record; if it does,
(4) Check that wi,1 = hki−1(wi,ki) and, if successful, credit the operator's account with
kiL m-units.
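The payment structure of Section 6.6.2, the router-side token checks of Section 6.6.3 and the broker's redemption checks above, as an added Python example that is not part of the dissertation: it models the proof chain, lazily generated payment chains, loss-tolerant verification of micropayments (wi,j, j) and the redemption of the router's payment record. Class and function names are hypothetical; h is SHA-1 as the text assumes, the MIC ha(w) is taken as SHA-1(a||w) because the text fixes no construction, the signed commitment is an unsigned dict, and wi,1 is counted as a paid token because the record credits kiL.

```python
import hashlib
import os

# Added example, not the dissertation's code: the Section 6.6 payment structure.
# Assumed: h = SHA-1 (as in the text's storage estimate); MIC h_a(w) = SHA-1(a||w),
# a construction the text does not fix; SK_C(D) is a plain dict, not signed.

def h(x: bytes) -> bytes:
    return hashlib.sha1(x).digest()

def h_iter(x: bytes, n: int) -> bytes:
    """h^n(x): h applied n times (h^0 is the identity)."""
    return x if n <= 0 else h_iter(h(x), n - 1)

def mic(a: bytes, w: bytes) -> bytes:
    """MIC h_a(w) keyed by the one-time proof token a (construction assumed)."""
    return hashlib.sha1(a + w).digest()

def hash_chain(seed: bytes, n: int) -> list:
    """x_1..x_n with x_n = seed and x_i = h(x_{i+1}); list index 0 holds x_1."""
    chain = [seed]
    for _ in range(n - 1):
        chain.append(h(chain[-1]))
    return chain[::-1]

class User:
    """C1,1: owns <a_m>, generates each <w_{i,t}> lazily, keeps debt counter DC."""
    def __init__(self, m: int, t: int, L: int):
        self.m, self.t, self.L = m, t, L
        self.a = hash_chain(os.urandom(20), m)  # a[i-1] is a_i; a_1 goes into D
        self.i, self.w, self.u, self.debt = 0, [], 1, 0

    def commitment(self) -> dict:
        """D = <R1,1, expiry-date, L, a_1, t, m> (expiry omitted, signature not modelled)."""
        return {"router": "R1,1", "L": self.L, "a1": self.a[0], "t": self.t, "m": self.m}

    def next_chain(self) -> tuple:
        """Open chain i+1: returns (i+1, a_{i+1}, w_{i+1,1}, h_{a_{i+1}}(w_{i+1,1}))."""
        if self.i >= self.m:
            raise RuntimeError("payment structure exhausted; sign a new one")
        self.i += 1
        self.w = hash_chain(os.urandom(20), self.t)
        # The record credits k_i*L for highest index k_i, so w_{i,1} itself pays L.
        self.u, self.debt = 2, self.debt - self.L
        a_i = self.a[self.i - 1]
        return (self.i, a_i, self.w[0], mic(a_i, self.w[0]))

    def pay(self, theta: int):
        """Micropayment (i, w_{i,j}, j): minimal j >= u with (j-u+1)L >= theta."""
        j = self.u + (theta + self.L - 1) // self.L - 1
        if j > self.t:
            return None  # chain too short: caller must open the next chain
        self.debt -= (j - self.u + 1) * self.L
        self.u = j + 1
        return (self.i, self.w[j - 1], j)

class Router:
    """R1,1: keeps a_k and, per chain, [w_{i,1}, MIC, w_{i,k_i}, k_i] plus PC."""
    def __init__(self, commitment: dict):
        self.D, self.L, self.profit = commitment, commitment["L"], 0
        self.k, self.a_k, self.chains = 0, None, {}

    def accept_chain(self, i, a_i, w_1, m) -> bool:
        # Consecutive use: a_1 must match D; later a_{k+1} must give a_k = h(a_{k+1}).
        if i != self.k + 1 or i > self.D["m"]:
            return False
        ok = a_i == self.D["a1"] if i == 1 else h(a_i) == self.a_k
        if not ok or mic(a_i, w_1) != m:
            return False
        self.k, self.a_k, self.chains[i] = i, a_i, [w_1, m, w_1, 1]
        self.profit -= self.L
        return True

    def accept_payment(self, i, w_j, j) -> bool:
        """Accept (w_{i,j}, j) iff j > k_i and w_{i,k_i} = h^{j-k_i}(w_{i,j})."""
        rec = self.chains.get(i)
        if rec is None or j <= rec[3] or j > self.D["t"]:
            return False
        if h_iter(w_j, j - rec[3]) != rec[2]:
            return False
        self.profit -= (j - rec[3]) * self.L  # lost tokens k_i+1..j-1 are covered
        rec[2], rec[3] = w_j, j
        return True

    def record(self) -> dict:
        return {"D": self.D, "a_k": self.a_k, "k": self.k, "chains": dict(self.chains)}

def redeem(record: dict) -> int:
    """Broker check of Section 6.6.4; returns m-units to credit, 0 on any failure."""
    D, k = record["D"], record["k"]
    a = hash_chain(record["a_k"], k) if k >= 1 else []  # recovers a_1..a_k
    if not a or a[0] != D["a1"]:  # a_1 = h^{k-1}(a_k)
        return 0
    credit = 0
    for i in range(1, k + 1):
        w_1, m, w_ki, k_i = record["chains"][i]
        if mic(a[i - 1], w_1) != m or h_iter(w_ki, k_i - 1) != w_1:
            return 0
        credit += k_i * D["L"]
    return credit
```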
If the operator has no account at the broker corresponding to a payment record, it
can redeem the payment record at its own enrolled broker that will interact with the cor-
responding broker on behalf of it. Then there would be some money transfer between the
two brokers, analogous to what happens in daily life when one deposits some checks issued
by banks other than his enrolled bank. Likewise, mobile users can redeem their payment
records stored for operators at the brokers.
6.6.5 Security Analysis
Our micropayment approach ensures incontestable billing. A user must digitally
sign a payment structure before using it to pay a WMN operator, so he cannot later deny the
payments he makes. In addition, the user cannot obtain more services than he will
actually be billed for, as he is required to release payment tokens in real time at pre-defined
intervals to avoid service cutoff by the operator. An operator, in turn, cannot overcharge
a user who releases valid payment tokens commensurate with the amount of received
services. Since a payment structure is both user-specific and router-specific, it also prevents
both double-spending and double-redemption of a payment structure. In particular,
the user cannot use the same payment structure to pay different routers; the operator can
redeem the same payment structure of a user only once via that user's registered broker.
Note that our billing scheme cannot completely prevent cheating by a user or an
operator, which might happen only at the end of each service duration. For example, in
one case, user C1,1 does not pay for the last few t-units received or transmitted via router
R1,1, e.g., by leveraging the difference between θR1,1 and θ∗R1,1. In the other case, R1,1 does
not serve C1,1 for the last payment he made, if C1,1 is asked to prepay payment tokens.
In both cases, the financial loss (or gain) of the user or the broker is less significant, say
several m-units. Considering the similar situation in cellular networks where an operator
usually enforces a basic charging unit, e.g., 6 seconds, we believe that such rare cheating
situations should be tolerable.
Regarding the payment process from an operator (through a router like R1,1) to a user,
say C2,1, we argue that the operator would have the right incentive to behave honestly. The
reason is that, if not receiving payments from R1,1 in due time, C2,1 will stop forwarding
packets for other users within R1,1’s coverage. If this happens frequently, the affected users
who experience frequent service disruptions will heap all blames on the operator. Both
those users and C2,1 will choose to shun that operator in the future. Since the operator's
reputation is worth much more than what it can earn from cheating, it would rather not
do so. Other security analysis is similar to that of the payment process from a user to an
operator, which is omitted here for lack of space.
6.7 Discussion
In this section, we discuss other issues relevant to UPASS.
6.7.1 Mobility Management
Effective mobility management is important to support seamless user mobility. Tradi-
tionally, it is realized by cooperation between a mobile user’s foreign domain and his home
domain [144]. With UPASS in place, we conjecture that some trustable service providers
can provide the mobility-management service by maintaining and answering queries to cur-
rent locations of mesh clients. Brokers may be good candidates in this regard. In designing
a sound mobility management for WMNs, one may also need to take into consideration
the location-privacy requirement. It is an important open task to devise a valid scheme
satisfying the proposed criteria and other unique requirements of WMNs.
6.7.2 Public-Key vs. Symmetric-Key Cryptography
In UPASS, mesh clients need to execute a few public-key operations when performing
AKA with mesh routers and other clients. A few years ago, this computational require-
ment was significant to mobile users. With the rapid progress in public-key cryptography,
however, public-key encryption and signature schemes that are both more secure and sig-
nificantly faster are currently available. Moreover, the computational costs of public-key
operations have continued to decrease due to the rapid development of hardware implementations.
For example, we are aware of efficient hardware implementations of
the Tate pairing on smartcards [99], PDAs [110] and FPGAs [111]. In addition, public-key
operations are executed relatively rarely. Once a shared key is established, a client and a
router or two clients can secure subsequent traffic between them via efficient symmetric-key
techniques. In summary, it has become widely accepted to use public-key techniques in
securing wireless networks for their great advantages. This trend has also been reflected
in the recent IEEE 802.16-2004 standard, which uses public-key cryptography (though not
IBC) to realize key management.
6.7.3 Incremental Deployment
One of the main barriers to wide deployment and use of WMNs is the lack of a sound
business model. Our UPASS affirmatively answers this problem and is highly advantageous
for WMN operators, mesh clients and brokers. As with the development of the credit card system,
we expect UPASS to be deployed incrementally along with WMNs. Initially, there might be
only one broker, which might be an enterprising regular bank or an emerging electronic money
transmitter like PayPal, a few WMN operators and a limited number of mesh clients. As
time goes on, the shown benefits of UPASS would attract more and more operators to
build WMNs and users to use WMN services, and an increasing number of brokers (though still limited
in number) to act as trust intermediaries.
6.8 Summary
For the first time in the literature, this chapter identifies and satisfies a number of
unique security requirements of the emerging multi-hop WMNs. We present a secure au-
thentication and billing architecture, called UPASS, for multi-hop WMNs. In contrast to
a conventional cellular-like solution, UPASS is more practical and lightweight because it
does not require a WMN operator to establish pairwise bilateral SLAs and interact in real
time with potentially numerous other WMN operators. UPASS is also a homeless solution
in which each user, instead of being bound to any specific WMN operator, can get ubiq-
uitous network access by a universal pass issued by a third-party broker. UPASS provides
efficient mutual authentication and key agreement not only between a user and a serving
WMN domain but also between users served by the same WMN domain. In addition, it is
designed to be resistant to various attacks against WMN access.
CHAPTER 7
CONCLUSION AND FUTURE WORK
In this dissertation, we provide efficient and effective solutions to a number of chal-
lenges in securing heterogeneous wireless ad hoc networks. In particular, we design an
anonymous on-demand routing protocol to deal with malicious eavesdropping and other
resulting attacks against mobile ad hoc networks deployed in hostile environments. In addition, we
propose a secure, scalable ID-based key management scheme for mobile ad hoc networks
to enable flexible public-key services without using conventional certificates. Moreover, we
design a secure localization scheme and a suite of location-based compromise-tolerant se-
curity mechanisms for wireless sensor networks. Finally, we present the first known secure
authentication and billing architecture for the emerging wireless mesh networks.
In our future work, we first plan to further evaluate the performance of our solutions
on real network testbeds or platforms. In addition, we will seek efficient solutions to new
security problems that are being exposed with increasing deployments of wireless ad hoc
networks. We also intend to develop efficient security solutions for integrated wired/wireless
networks.
REFERENCES
[1] I. Akyildiz, X. Wang, and W. Wang, “Wireless mesh networks: A survey,” Computer Networks, vol. 47, no. 4, pp. 445–487, Mar. 2005.
[2] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Commun. Mag., vol. 40, no. 8, pp. 102–116, Aug. 2002.
[3] S. Marti, T. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc networks,” in ACM MobiCom, Boston, MA, Aug. 2000, pp. 255–265.
[4] Y. Zhang, W. Lou, and Y. Fang, “SIP: A secure incentive protocol against selfishness in mobile ad hoc networks,” in IEEE WCNC, Atlanta, GA, Mar. 2004, pp. 1679–1684.
[5] C. Perkins, E. Belding-Royer, and S. Das, “Ad hoc on-demand distance vector (AODV) routing,” RFC 3561, July 2003.
[6] D. Johnson and D. Maltz, “Dynamic source routing in ad hoc wireless networks,” in Ad Hoc Wireless Networks, edited by T. Imielinski and H. Korth, Kluwer Academic Publishers, New York, NY, 1996.
[7] Defense Advanced Research Projects Agency (DARPA), “Research challenges in high confidence networking,” White paper, Arlington, VA, July 1998.
[8] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Ariadne: A secure on-demand routing protocol for ad hoc networks,” in ACM MobiCom, Atlanta, GA, Sep. 2002, pp. 12–23.
[9] K. Sanzgiri, B. Dahill, B. Levine, C. Shields, and E. Royer, “A secure routing protocol for ad hoc networks,” in IEEE ICNP’02, Paris, France, Nov. 2002, pp. 78–89.
[10] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography. Boca Raton, FL: CRC Press, Oct. 1996.
[11] A. Shamir, “Identity based cryptosystems and signature schemes,” in CRYPTO’84, Santa Barbara, CA, Aug. 1984, pp. 47–53.
[12] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in CRYPTO’01, Santa Barbara, CA, Aug. 2001, pp. 213–229.
[13] ——, “Identity-based encryption from the Weil pairing,” SIAM J. of Computing, vol. 32, no. 3, pp. 586–615, Mar. 2003.
[14] P. Barreto, H. Kim, B. Lynn, and M. Scott, “Efficient algorithms for pairing-based cryptosystems,” in CRYPTO’02, Santa Barbara, CA, Aug. 2002, pp. 354–368.
[15] A. Shamir, “How to share a secret,” Comm. ACM, vol. 22, no. 11, pp. 612–613, 1979.
[16] National Institute of Standards and Technology (NIST), “Secure hash standard,” Federal Information Processing Standards Publication 180-1, Rockville, MD, April 1995.
[17] D. Balfanz, G. Durfee, N. Shankar, D. Smetters, J. Staddon, and H.-C. Wong, “Secret handshakes from pairing-based key agreements,” in IEEE Symp. on Security and Privacy, Oakland, CA, May 2003, pp. 180–196.
[18] R. Rivest, M. Robshaw, R. Sidney, and L. Yin, “The RC6 block cipher (v1.1),” available at ftp://ftp.rsasecurity.com/pub/rsalabs/rc6/rc6v11.pdf, Aug. 2006.
[19] S. Jiang, N. Vaidya, and W. Zhao, “Energy consumption of traffic padding schemes in wireless ad hoc networks,” in Real-Time System Security, edited by B. Tjaden and L. R. Welch, Nova Science Publishers, Commack, NY, 2003.
[20] Y. Zhang, W. Liu, W. Lou, Y. Fang, and Y. Kwon, “AC-PKI: Anonymous and certificateless public-key infrastructure for mobile ad hoc networks,” in IEEE ICC’05, Seoul, Korea, May 2005, pp. 3515–3519.
[21] X. Zeng, R. Bagrodia, and M. Gerla, “GloMoSim: A library for parallel simulation of large scale wireless networks,” in the 12th Workshop on Parallel and Distributed Simulations (PADS’98), Banff, Alberta, Canada, May 1998, pp. 154–161.
[22] Shamus Software Ltd., “MIRACL library,” Dublin, Ireland.
[23] P. Barreto, B. Lynn, and M. Scott, “On the selection of pairing-friendly groups,” in Selected Areas in Cryptography (SAC’03), Ottawa, Canada, Aug. 2004, pp. 17–25.
[24] J. Yoon, M. Liu, and B. Noble, “Sound mobility models,” in ACM MOBICOM’03, San Diego, CA, Sep. 2003, pp. 205–216.
[25] D. Chaum, “Untraceable electronic mail, return addresses, and digital pseudonyms,” Comm. ACM, vol. 24, no. 2, pp. 84–90, Feb. 1981.
[26] M. Reed, P. Syverson, and D. Goldschlag, “Anonymous connections and onion routing,” IEEE J. Select. Areas Commun., vol. 16, no. 4, pp. 482–494, May 1998.
[27] Anonymity bibliography, available at http://freehaven.net/anonbib/, Aug. 2006.
[28] S. Jiang, N. Vaidya, and W. Zhao, “Dynamic mix method in wireless ad hoc networks,” in IEEE Milcom’01, Washington, D.C., Oct. 2001, pp. 873–877.
[29] J. Kong and X. Hong, “ANODR: Anonymous on demand routing with untraceable routes for mobile ad-hoc networks,” in ACM MobiHoc’03, Annapolis, MD, June 2003, pp. 291–302.
[30] B. Neuman and T. Ts’o, “Kerberos: An authentication service for computer networks,” IEEE Commun. Mag., vol. 32, no. 9, pp. 33–38, Sep. 1994.
[31] L. Zhou and Z. J. Haas, “Securing ad hoc networks,” IEEE Network, vol. 13, no. 6, pp. 24–30, 1999.
[32] J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang, “Providing robust and ubiquitous security support for mobile ad hoc networks,” in IEEE ICNP, Riverside, CA, Nov. 2001, pp. 251–260.
[33] M. Narasimha, G. Tsudik, and J. H. Yi, “On the utility of distributed cryptography in p2p and manets: the case of membership control,” in IEEE ICNP, Atlanta, GA, Nov. 2003, pp. 336–345.
[34] S. Yi and R. Kravets, “MOCA: Mobile certificate authority for wireless ad hoc networks,” in 2nd Annual PKI Research Workshop (PKI03), Apr. 2003, pp. 65–79.
[35] M. Bechler, H.-J. Hof, D. Kraft, F. Pahlke, and L. Wolf, “A cluster-based security architecture for ad hoc networks,” in IEEE INFOCOM, Hong Kong, China, Mar. 2004, pp. 2404–2413.
[36] H. Luo, J. Kong, P. Zerfos, S. Lu, and L. Zhang, “URSA: ubiquitous and robust access control for mobile ad hoc networks,” IEEE/ACM Trans. Networking, vol. 12, no. 6, pp. 1049–1063, Dec. 2004.
[37] A. Khalili, J. Katz, and W. Arbaugh, “Toward secure key distribution in truly ad-hoc networks,” in IEEE Workshop on Security and Assurance in Ad Hoc Networks, Orlando, FL, Jan. 2003, pp. 342–346.
[38] H. Deng, A. Mukherjee, and D. Agrawal, “Threshold and identity-based key management and authentication for wireless ad hoc networks,” in International Conference on Information Technology: Coding and Computing (ITCC’04), Las Vegas, Nevada, April 2004, pp. 107–111.
[39] N. Saxena, G. Tsudik, and J. H. Yi, “Identity-based access control for ad hoc groups,” in Int. Conf. Inform. Security Cryptology (ICISC’04), Seoul, Korea, Dec. 2004, pp. 107–111.
[40] Y. Desmedt and Y. Frankel, “Threshold cryptosystems,” in CRYPTO’89, Santa Barbara, California, Aug. 1989, pp. 307–315.
[41] Y. Zhang, W. Liu, and W. Lou, “Anonymous communications in mobile ad hoc networks,” in IEEE INFOCOM’05, Miami, FL, Mar. 2005, pp. 1940–1951.
[42] K. Sanzgiri, D. LaFlamme, B. Dahill, B. Levine, C. Shields, and E. Belding-Royer, “Authenticated routing for ad hoc networks,” IEEE J. Select. Areas Commun., vol. 23, no. 3, pp. 598–610, Mar. 2005.
[43] W. Lou and Y. Fang, “A survey of wireless security in mobile ad hoc networks: Challenges and available solutions,” Ad Hoc Wireless Networking, edited by X. Chen, X. Huang, and D.-Z. Du, Kluwer Academic Publishers, New York, NY, Mar. 2003.
[44] S. Capkun, L. Buttyan, and J.-P. Hubaux, “Self-organized public key management for mobile ad hoc networks,” IEEE Transactions on Mobile Computing, vol. 2, no. 1, pp. 52–64, Jan.-March 2003.
[45] J. R. Douceur, “The Sybil attack,” in Proc. of First International Workshop on Peer-to-Peer Systems (IPTPS ’02), Cambridge, MA, March 2002, pp. 251–260.
[46] S. Jarecki, N. Saxena, and J. H. Yi, “An attack on the proactive RSA signaturescheme in the URSA ad hoc network access control protocol,” in 2nd ACM workshop
![Page 160: SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS: CHALLENGES AND SOLUTIONSufdcimages.uflib.ufl.edu/UF/E0/01/56/09/00001/zhang_y.pdf · 2010-05-13 · security in heterogeneous wireless](https://reader033.vdocument.in/reader033/viewer/2022041913/5e6865388edcb1421a3a12c3/html5/thumbnails/160.jpg)
150
on Security of ad hoc and sensor networks (SASN’04), Washington, DC, Oct. 2004,pp. 1–9.
[47] R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public key cryptosystems,” Comm. ACM, vol. 21, no. 2, pp. 120–126, Feb. 1978.
[48] National Institute of Standards and Technology (NIST), “Digital signature standard (DSS),” Federal Information Processing Standards Publication 186-2, Gaithersburg, MD, Jan. 2000.
[49] M. Gouda and E. Jung, “Certificate dispersal in ad-hoc networks,” in IEEE ICDCS’04, Tokyo, Japan, Mar. 2004, pp. 616–623.
[50] M. Bohio and A. Miri, “Efficient identity-based security schemes for ad hoc network routing protocols,” Ad Hoc Networks, vol. 2, no. 3, pp. 309–317, July 2004.
[51] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “MASK: Anonymous on-demand routing in mobile ad hoc networks,” IEEE Trans. Wireless Commun., to appear.
[52] K. Barr and K. Asanović, “Energy aware lossless data compression,” in 1st Int. Conf. Mobile Systems, Applications, and Services (MobiSys’03), San Francisco, CA, May 2003, pp. 231–244.
[53] R. Canetti, R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Adaptive security for threshold cryptosystems,” in CRYPTO’99, Santa Barbara, CA, Aug. 1999, pp. 98–115.
[54] Y. Zhang and W. Lee, “Intrusion detection in wireless ad-hoc networks,” in ACM MOBICOM’00, Boston, MA, Aug. 2000, pp. 275–283.
[55] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung, “Proactive secret sharing or: How to cope with perpetual leakage,” in CRYPTO’95, Santa Barbara, CA, Aug. 1995, pp. 339–352.
[56] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Securing mobile ad hoc networks with certificateless public keys,” Department of Electrical and Computer Engineering, University of Florida, Gainesville, FL, Tech. Rep., Apr. 2006.
[57] A. Boldyreva, “Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme,” in 6th Int. Workshop on Theory and Practice in Public Key Cryptography (PKC’03), Miami, FL, Jan. 2003, pp. 31–46.
[58] B. Bloom, “Space/time trade-offs in hash coding with allowable errors,” Comm. ACM, vol. 13, no. 7, pp. 422–426, July 1970.
[59] D. Liu, P. Ning, and K. Sun, “Efficient self-healing group key distribution with revocation capability,” in ACM CCS’03, Washington, DC, Oct. 2003, pp. 231–240.
[60] T. Wong, C. Wang, and J. Wing, “Verifiable secret redistribution for archive systems,” in 1st Int. IEEE Security in Storage Workshop, Greenbelt, MD, Dec. 2002, pp. 94–105.
[61] T. Kerins, W. Marnane, E. Popovici, and P. Barreto, “Hardware accelerators for pairing based cryptosystems,” IEE Proc. Information Security, Special Issue on Cryptographic Algorithms and Architectures for System on Chip, vol. 152, no. 1, pp. 47–56, Oct. 2005.
[62] A. Savvides, C.-C. Han, and M. Srivastava, “Dynamic fine-grained localization in ad-hoc networks of sensors,” in ACM MOBICOM’01, Rome, Italy, July 2001, pp. 166–179.
[63] X. Cheng, A. Thaeler, G. Xue, and D. Chen, “TPS: A time-based positioning scheme for outdoor wireless sensor networks,” in IEEE INFOCOM’04, Hong Kong, China, Mar. 2004, pp. 2685–2696.
[64] T. He, C. Huang, B. M. Blum, J. A. Stankovic, and T. F. Abdelzaher, “Range-free localization schemes for large scale sensor networks,” in ACM MOBICOM’03, San Diego, CA, Sep. 2003, pp. 81–95.
[65] L. Hu and D. Evans, “Localization for mobile sensor networks,” in ACM MOBICOM’04, Philadelphia, PA, Sep./Oct. 2004, pp. 45–57.
[66] L. Lazos and R. Poovendran, “SeRLoc: Secure range-independent localization for wireless sensor networks,” in ACM WiSe’04, Philadelphia, PA, Oct. 2004, pp. 21–30.
[67] S. Capkun and J.-P. Hubaux, “Secure positioning of wireless devices with application to sensor networks,” in IEEE INFOCOM’05, Miami, FL, Mar. 2005, pp. 1917–1928.
[68] R. C. Qiu, H. Liu, and X. Shen, “Ultra-wideband for multiple access communications,” IEEE Commun. Mag., vol. 43, no. 2, pp. 80–87, Feb. 2005.
[69] D. Wagner, “Resilient aggregation in sensor networks,” in ACM SASN’04, Washington, DC, Oct. 2004, pp. 78–87.
[70] S. Brands and D. Chaum, “Distance-bounding protocols (extended abstract),” in EUROCRYPT’93, Lofthus, Norway, May 1993, pp. 344–359.
[71] N. Sastry, U. Shankar, and D. Wagner, “Secure verification of location claims,” in ACM WiSe’03, San Diego, CA, Sep. 2003, pp. 1–10.
[72] B. Waters and E. Felten, “Proving the location of tamper-resistant devices,” Department of Computer Science, Princeton University, Princeton, NJ, Tech. Rep. TR-667-03, Jan. 2003.
[73] C. Karlof and D. Wagner, “Secure routing in wireless sensor networks: Attacks and countermeasures,” Ad Hoc Networks, vol. 1, no. 2–3, pp. 293–315, Sep. 2003.
[74] J. Newsome, E. Shi, D. Song, and A. Perrig, “The Sybil attack in sensor networks: Analysis & defenses,” in 3rd Int. Symp. Information Processing in Sensor Networks (IPSN’04), Berkeley, CA, Apr. 2004, pp. 259–268.
[75] F. Ye, H. Luo, S. Lu, and L. Zhang, “Statistical en-route filtering of injected false data in sensor networks,” in IEEE INFOCOM’04, Hong Kong, China, Mar. 2004, pp. 2446–2457.
[76] S. Zhu, S. Setia, S. Jajodia, and P. Ning, “An interleaved hop-by-hop authentication scheme for filtering of injected false data in sensor networks,” in IEEE Symp. Security and Privacy, Oakland, CA, May 2004, pp. 259–271.
[77] S. Basagni, K. Herrin, E. Rosti, and D. Bruschi, “Secure pebblenets,” in ACM MOBIHOC’01, Long Beach, CA, Oct. 2001, pp. 256–263.
[78] L. Eschenauer and V. Gligor, “A key-management scheme for distributed sensor networks,” in ACM CCS’02, Washington, DC, Nov. 2002, pp. 41–47.
[79] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in IEEE Symp. Security and Privacy, Oakland, CA, May 2003, pp. 197–213.
[80] W. Du, J. Deng, Y. Han, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in ACM CCS’03, Washington, DC, Oct. 2003, pp. 42–51.
[81] D. Liu and P. Ning, “Establishing pairwise keys in distributed sensor networks,” in ACM CCS’03, Washington, DC, Oct. 2003, pp. 52–61.
[82] ——, “Location-based pairwise key establishments for static sensor networks,” in ACM SASN’03, Fairfax, VA, Oct. 2003, pp. 72–82.
[83] W. Du, J. Deng, Y. Han, S. Chen, and P. K. Varshney, “A key management scheme for wireless sensor networks using deployment knowledge,” in IEEE INFOCOM’04, Hong Kong, China, Mar. 2004, pp. 586–597.
[84] D. Huang, M. Mehta, D. Medhi, and L. Harn, “Location-aware key management scheme for wireless sensor networks,” in ACM SASN’04, Washington, DC, Oct. 2004, pp. 29–42.
[85] Y. Zhou, Y. Zhang, and Y. Fang, “LLK: A link-layer key establishment scheme in wireless sensor networks,” in IEEE WCNC’05, New Orleans, LA, Mar. 2005, pp. 1921–1926.
[86] A. Cerpa, J. Elson, D. Estrin, L. Girod, M. Hamilton, and J. Zhao, “Habitat monitoring: Application driver for wireless communications technology,” in ACM SIGCOMM Workshop on Data Communications in Latin America and the Caribbean, Costa Rica, Apr. 2001, pp. 20–41.
[87] B. Karp and H. T. Kung, “GPSR: Greedy perimeter stateless routing for wireless networks,” in ACM MOBICOM’00, Boston, MA, Aug. 2000, pp. 243–254.
[88] D. Liu, P. Ning, and W. Du, “Attack-resistant location estimation in sensor networks,” in IPSN’05, Los Angeles, CA, Apr. 2005, pp. 99–106.
[89] W. Du, L. Fang, and P. Ning, “LAD: Localization anomaly detection for wireless sensor networks,” in IPDPS’05, Denver, CO, Apr. 2005, pp. 99–106.
[90] S. Zhu, S. Setia, and S. Jajodia, “LEAP: Efficient security mechanisms for large-scale distributed sensor networks,” in ACM CCS’03, Washington, DC, Oct. 2003, pp. 62–72.
[91] L. Chen and C. Kudla, “Identity based authenticated key agreement protocols from pairings,” Cryptology ePrint Archive, Report 2002/184, available at http://eprint.iacr.org/2002/184, Aug. 2006.
[92] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Packet leashes: A defense against wormhole attacks in wireless ad hoc networks,” in IEEE INFOCOM’03, San Francisco, CA, Apr. 2003, pp. 1976–1986.
[93] S. Kumar, T. H. Lai, and J. Balogh, “On k-coverage in a mostly sleeping sensor network,” in ACM MOBICOM’04, Philadelphia, PA, Sep./Oct. 2004, pp. 144–158.
[94] J. Baek and Y. Zheng, “Identity-based threshold signature scheme from the bilinear pairings,” in Int. Conf. Information Technology: Coding and Computing (ITCC’04), Las Vegas, NV, Apr. 2004, pp. 124–128.
[95] F. Hess, “Efficient identity based signature schemes based on pairings,” in Selected Areas in Cryptography (SAC’02), St. John’s, Newfoundland, Canada, Aug. 2002, pp. 310–324.
[96] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, “SPINS: Security protocols for sensor networks,” Wireless Networks, vol. 8, no. 5, pp. 521–534, Sep. 2002.
[97] W. Lou, W. Liu, and Y. Fang, “SPREAD: Enhancing data confidentiality in mobile ad hoc networks,” in IEEE INFOCOM’04, Hong Kong, China, Mar. 2004, pp. 2404–2413.
[98] Intel, “Intel PXA255 Processor Electrical, Mechanical, and Thermal Specification,” Santa Clara, CA, Tech. Rep., Feb. 2004.
[99] G. Bertoni, L. Chen, P. Fragneto, K. Harrison, and G. Pelosi, “Computing Tate pairing on smartcards,” White Paper, STMicroelectronics, 2005.
[100] A. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, “Energy analysis of public-key cryptography for wireless sensor networks,” in IEEE PerCom’05, Kauai, HI, Mar. 2005, pp. 324–328.
[101] A. Perrig, J. Stankovic, and D. Wagner, “Security in wireless sensor networks,” Comm. ACM, vol. 47, no. 6, pp. 53–57, June 2004.
[102] L. Lazos, R. Poovendran, C. Meadows, P. Syverson, and L. W. Chang, “Preventing wormhole attacks on wireless ad hoc networks: A graph theoretic approach,” in IEEE WCNC’05, New Orleans, LA, Mar. 2005, pp. 1193–1199.
[103] D. Carman, P. Kruus, and B. Matt, “Constraints and approaches for distributed sensor network security,” NAI Labs, McLean, VA, Tech. Rep. 00-010, Sep. 2000.
[104] D. Liu and P. Ning, “Efficient distribution of key chain commitments for broadcast authentication in distributed sensor networks,” in NDSS’03, San Diego, CA, Feb. 2003, pp. 263–276.
[105] B. Przydatek, D. Song, and A. Perrig, “SIA: Secure information aggregation in sensor networks,” in ACM SenSys’03, Los Angeles, CA, Nov. 2003, pp. 255–265.
[106] D. J. Malan, M. Welsh, and M. D. Smith, “A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography,” in IEEE SECON’04, Santa Clara, CA, Oct. 2004, pp. 71–80.
[107] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, “Comparing elliptic curve cryptography and RSA on 8-bit CPUs,” in CHES’04, Boston, MA, Aug. 2004, pp. 119–132.
[108] R. Watro, D. Kong, S.-F. Cuti, C. Gardiner, C. Lynn, and P. Kruus, “TinyPK: Securing sensor networks with public key technology,” in ACM SASN’04, Washington, DC, Oct. 2004, pp. 59–64.
[109] G. Gaubatz, J.-P. Kaps, and B. Sunar, “Public key cryptography in sensor networks – revisited,” in 1st European Workshop on Security in Ad-Hoc and Sensor Networks (ESAS’04), Heidelberg, Germany, Aug. 2004, pp. 2–18.
[110] M. Scott, “Computing the Tate pairing,” in Cryptographers’ Track at the RSA Conference (CT-RSA’05), San Francisco, CA, Feb. 2005, pp. 293–304.
[111] T. Kerins, W. Marnane, E. Popovici, and P. Barreto, “Efficient hardware for the Tate pairing calculation in characteristic three,” in Workshop on Cryptographic Hardware and Embedded Systems (CHES’05), Edinburgh, Scotland, Aug./Sep. 2005, pp. 412–426.
[112] The WiMAX Forum, http://www.wimaxforum.org, Aug. 2006.
[113] Tropos Networks, http://www.tropos.com/technology/whitepaper.shtml, Aug. 2006.
[114] D. Aguayo, J. Bicket, S. Biswas, G. Judd, and R. Morris, “Link-level measurements from an 802.11b mesh network,” in ACM SIGCOMM’04, Portland, OR, Aug. 2004, pp. 121–132.
[115] R. Chandra, L. Qiu, K. Jain, and M. Mahdian, “Optimizing the placement of Internet TAPs in wireless neighborhood networks,” in IEEE ICNP’04, Berlin, Germany, Oct. 2004, pp. 271–282.
[116] R. Draves, J. Padhye, and B. Zill, “Routing in multi-radio, multi-hop wireless mesh networks,” in ACM MOBICOM’04, Philadelphia, PA, Sep./Oct. 2004, pp. 114–128.
[117] European Telecommunications Standards Institute (ETSI), “GSM 02.09: Security aspects,” Sophia Antipolis, France, June 1993.
[118] H.-Y. Lin and L. Harn, “Authentication protocols for personal communication systems,” in ACM SIGCOMM’95, Cambridge, MA, Sep. 1995, pp. 256–261.
[119] 3rd Generation Partnership Project (3GPP), “3rd generation mobile system Release 4 specifications,” 3GPP, Sophia Antipolis, France, TS 21.102, June 2003.
[120] Y.-B. Lin and Y.-K. Chen, “Reducing authentication signaling traffic in third-generation mobile network,” IEEE Trans. Wireless Commun., vol. 2, no. 3, pp. 493–501, May 2003.
[121] C. Perkins, Ed., “IP mobility support for IPv4,” RFC 3344, Aug. 2002.
[122] W. Xu, W. Trappe, Y. Zhang, and T. Wood, “The feasibility of launching and detecting jamming attacks in wireless networks,” in ACM MOBIHOC’05, Urbana-Champaign, IL, May 2005, pp. 46–57.
[123] M. Jakobsson, J.-P. Hubaux, and L. Buttyan, “A micro-payment scheme encouraging collaboration in multi-hop cellular networks,” in 7th Int. Conf. Financial Cryptography (FC’03), Gosier, Guadeloupe, Jan. 2003, pp. 15–33.
[124] B. Aboba and M. Beadles, “The network access identifier,” RFC 2486, Jan. 1999.
[125] R. Dutta, R. Barua, and P. Sarkar, “Pairing-based cryptography: A survey,” Cryptology ePrint Archive, Report 2004/064, 2004.
[126] ITU-T Recommendation X.509, “Authentication framework,” Geneva, Switzerland, 1989.
[127] D. Harkins and D. Carrel, “The Internet Key Exchange (IKE),” RFC 2409, Nov. 1998.
[128] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the Weil pairing,” in ASIACRYPT’01, Gold Coast, Australia, Dec. 2001, pp. 514–532.
[129] D. K. Smetters and G. Durfee, “Domain-based administration of identity-based cryptosystems for secure email and IPsec,” in 12th USENIX Security Symposium, Washington, DC, Aug. 2003, pp. 215–229.
[130] P. Gupta and P. R. Kumar, “The capacity of wireless networks,” IEEE Trans. Inform. Theory, vol. 46, no. 2, pp. 388–404, Mar. 2000.
[131] R. Sakai, K. Ohgishi, and M. Kasahara, “Cryptosystems based on pairing,” in Symposium on Cryptography and Information Security (SCIS’00), Okinawa, Japan, Jan. 2000, pp. 26–28.
[132] G. Ateniese, A. Herzberg, H. Krawczyk, and G. Tsudik, “Untraceable mobility or how to travel incognito,” Computer Networks, vol. 31, no. 8, pp. 871–884, Apr. 1999.
[133] L. Lamport, “Password authentication with insecure communication,” Comm. ACM, vol. 24, no. 11, pp. 770–772, Nov. 1981.
[134] D. Coppersmith and M. Jakobsson, “Almost optimal hash sequence traversal,” in Financial Cryptography (FC’02), Southampton, Bermuda, Mar. 2002, pp. 102–119.
[135] Y. Sella, “On the computation-storage trade-offs of hash chain traversal,” in Financial Cryptography (FC’03), Gosier, Guadeloupe, Jan. 2003, pp. 270–285.
[136] A. Juels and J. Brainard, “Client puzzles: A cryptographic countermeasure against connection depletion attacks,” in 6th Annual Network and Distributed System Security Symposium (NDSS’99), San Diego, CA, Feb. 1999, pp. 151–165.
[137] T. Aura, P. Nikander, and J. Leiwo, “DOS-resistant authentication with client puzzles,” in 8th Int. Workshop on Security Protocols, Cambridge, UK, Apr. 2000, pp. 178–181.
[138] X. Wang and M. K. Reiter, “Defending against denial-of-service attacks with puzzle auctions,” in IEEE Symp. Security and Privacy, Oakland, CA, May 2003, pp. 78–92.
[139] ——, “Mitigating bandwidth-exhaustion attacks using congestion puzzles,” in ACM CCS’04, Washington, DC, Oct. 2004, pp. 257–267.
[140] M. Abadi, M. Burrows, M. Manasse, and T. Wobber, “Moderately hard, memory-bound functions,” in 10th Annual Network and Distributed System Security Symposium (NDSS’03), San Diego, CA, Feb. 2003, pp. 25–39.
[141] C. Dwork, A. Goldberg, and M. Naor, “On memory-bound functions for fighting spam,” in CRYPTO’03, Santa Barbara, CA, Aug. 2003, pp. 426–444.
[142] N. Salem, L. Buttyan, J.-P. Hubaux, and M. Jakobsson, “A charging and rewarding scheme for packet forwarding in multi-hop cellular networks,” in ACM MOBIHOC’03, Annapolis, MD, June 2003, pp. 13–24.
[143] J. Zhou and K.-Y. Lam, “Undeniable billing in mobile communication,” in ACM MOBICOM’98, Dallas, TX, Oct. 1998, pp. 284–290.
[144] W. Ma and Y. Fang, “Dynamic hierarchical mobility management strategy for mobile IP networks,” IEEE J. Select. Areas Commun., vol. 22, no. 4, pp. 664–676, May 2004.
BIOGRAPHICAL SKETCH
Yanchao Zhang received the B.E. degree in computer communications from Nanjing University of Posts and Telecommunications, Nanjing, China, in July 1999, and the M.E. degree in computer applications from Beijing University of Posts and Telecommunications, Beijing, China, in April 2002. Since September 2002, he has been working towards the Ph.D. degree in the Department of Electrical and Computer Engineering at the University of Florida, Gainesville, Florida, USA. His research interests are network and distributed system security, wireless networking, and mobile computing, with emphasis on mobile ad hoc networks, wireless sensor networks, wireless mesh networks, and heterogeneous wired/wireless networks.