

Page 1: [IEEE 2006 International Conference on Wireless Communications, Networking and Mobile Computing - Wuhan, China (2006.09.22-2006.09.24)] 2006 International Conference on Wireless Communications,

Identity-based and Threshold Key Management in Mobile Ad Hoc Networks

Jingfeng Li, Dawei Wei, Hongzhao Kou Institute of Electrical Technique,

Information Engineering University, Zhengzhou 450004, P.R.China

Email: [email protected]

Abstract—Robust key management services are central to ensuring security of mobile ad hoc networks (MANETs). In this paper, a novel key management scheme for MANETs is introduced, which exploits the advantages of an identity-based signcryption mechanism combined with threshold cryptography. The major innovative aspect of this scheme is the use of an on-line virtual private key generator (PKG) to provide private key updating services for client nodes and master secret key share refreshing services for all server nodes. Thus, the proposed scheme enables flexible and efficient key management while respecting the unique constraints of MANETs. In this scheme, public key certificates are not needed and every node uses its identity as its public key. It greatly decreases the computing and storage capabilities required of nodes, as well as the communication cost of network key management.

Keywords: key management; signcryption; threshold cryptography; mobile ad hoc networks

I. INTRODUCTION

With the proliferation of wireless technology, wireless mobile ad hoc networking becomes an attractive solution to the services that need flexible set-up, dynamic and low-cost wireless connectivity. Significant applications of mobile ad hoc networks (MANETs) include establishing survivable, efficient, dynamic communication for emergency operations, disaster relief efforts, and military networks that cannot rely on centralized and organized connectivity. The ever-growing demands also raise great concerns on the security of wireless ad hoc networks, especially for security sensitive applications [1].

Providing security in ad hoc networks is challenging due to the unique characteristics of these networks, such as the vulnerability of the weakly secured wireless link, user roaming, dynamic topology or the limited physical protection of each node. Efficient and robust key management services are central to ensuring security in MANET settings. Traditionally, key management service is based on a PKI/CA infrastructure that issues a public key certificate for every node. However, within the constraints of MANETs, it is dangerous to provide key management service by setting up a single CA. How to set up a trusted key management service for an ad hoc network is a big issue.

To mitigate this problem, the concept of threshold secret sharing has been introduced and there are two proposed schemes using threshold cryptography to distribute the services of the CA in ad hoc networks. Zhou and Haas first proposed a partially distributed certificate authority scheme [2], in which a group of special nodes is capable of generating partial certificates using their shares of the CA’s secret key. A valid certificate can be obtained by combining k such partial certificates. However, at the initial time of the network, a trusted third party is needed. Periodical share refreshing is also proposed to defend against powerful adversaries. Kong and others make an extension of [2] and provide a fully distributed CA scheme. Under the assumption of no special nodes in the network, they propose that each node should hold a share of the private key of the CA [3]. Hubaux et al. have proposed a self-organized public key infrastructure in [4], which has similarity with the PGP “web of trust” concept. Unlike the above publications, it does not require a trusted authority or any special nodes; instead, each node issues its own certificates to other nodes. Khalili et al. [5] provide a key distribution mechanism combining the use of ID-based and threshold cryptography. In their scheme, no trusted third party is needed at the initial time of the network. However, the problem of clients’ private key update and share refreshing of the system secret key is not addressed. Moreover, no mechanism handles a compromised node in [5].

In this paper, we use an identity-based signcryption mechanism combined with threshold cryptography to enable flexible and efficient key management while respecting the constraints of MANETs. The rest of this paper is organized as follows. The provably secure ID-based signcryption mechanism used in our scheme is briefly described in section II. Section III details our new scheme for key management. Finally, section IV concludes this work and presents future work.

II. ID-BASED SIGNCRYPTION MECHANISM

In this section, we briefly describe the basic technology our scheme is based on.

1-4244-0517-3/06/$20.00 ©2006 IEEE 1


A. Bilinear Map Groups and Related Computational Problems

Let $k$ be a security parameter and $q$ be a $k$-bit prime number. Let $G_1, G_2, G_3$ be cyclic groups of the same prime order $q$, writing the group action multiplicatively. Let $g_1$ (resp. $g_2$) be a generator of $G_1$ (resp. $G_2$). We say that $(G_1, G_2, G_3)$ are bilinear map groups if there exists a bilinear map $e: G_1 \times G_2 \to G_3$ satisfying the following properties:

Bilinearity: $\forall (x, y) \in G_1 \times G_2$, $\forall \alpha, \beta \in \mathbb{Z}$, $e(x^{\alpha}, y^{\beta}) = e(x, y)^{\alpha\beta}$.

Non-degeneracy: for $x \in G_1$, $e(x, y) = 1$ for all $y \in G_2$ iff $x = 1_{G_1}$.

Computability: $\forall (x, y) \in G_1 \times G_2$, $e(x, y)$ is efficiently computable.

There exists an efficient, publicly computable (but not necessarily invertible) isomorphism $\varphi: G_2 \to G_1$ such that $\varphi(g_2) = g_1$.

Such bilinear map groups are known to be instantiable with ordinary elliptic curves such as those suggested in [6] or [7]. In this case, the trace map can be used as an efficient isomorphism $\varphi$ as long as $G_2$ is properly chosen [8]. With supersingular curves, symmetric pairings (i.e. $G_1 = G_2$) can be obtained and $\varphi$ is the identity.

Definition 1. (Co-BDH Problem). The co-Bilinear Diffie-Hellman problem is that, given $P, P^{\alpha}, P^{\beta} \in G_1$, $Q \in G_2$, for unknown $\alpha, \beta \in \mathbb{Z}_q$, to compute $e(P, Q)^{\alpha\beta}$.

Definition 2. (Co-CDH Problem). The co-Computational Diffie-Hellman problem is that, given $P, P^{\alpha} \in G_1$, $Q \in G_2$, for unknown $\alpha \in \mathbb{Z}_q$, to compute $Q^{\alpha}$.

B. Underlying Identity-based Signcryption Scheme

It is believed that the Co-BDH problem is hard in some groups on certain supersingular elliptic curves or hyper-elliptic curves over finite fields. Based on the above hard problems, using bilinear pairings on elliptic curves, Yuen and Wei [9] give a fast and proven secure identity-based signcryption scheme. The most outstanding feature of this scheme is that it accomplishes signature and encryption using the same group structures and parameter set. It is secure, compact, fast and practical, offers detachable signatures, and supports multi-recipient encryption with signature sharing for maximum scalability. In their scheme, no public key certificate is needed. Each user can select any string for its identity, which acts as his or her public key.

A trusted private key generation authority, called PKG, generates system keys and users’ private keys. PKG picks three groups $G_1, G_2, G_3$ of prime order $q$, on which the Co-BDH problem is hard. Let $e: G_1 \times G_2 \to G_3$ be a bilinear pairing, and $g_1$ be the generator of $G_1$. The PKG picks a random $s \in \mathbb{Z}_q$ as the master secret key and computes $P_{PKG} = (g_1)^s \in G_1$ as the master public key.

After that, the PKG chooses four cryptographic hash functions $H_0: \{0,1\}^* \to G_2$, $H_1: \{0,1\}^* \times G_1 \times \{0,1\}^* \to \mathbb{Z}_q$, $H_2: G_3 \to \{0,1\}^*$, $H_3: G_3 \times \{0,1\}^* \to G_2$. The PKG keeps $s$ secret and publishes the system parameters $\langle q, G_1, G_2, G_3, e, g_1, P_{PKG}, H_0, H_1, H_2, H_3 \rangle$.

Given a user identity string $ID \in \{0,1\}^*$, his public key is $Q_{ID} = H_0(ID) \in G_2$. His private key $S_{ID} = (Q_{ID})^s \in G_2$ is calculated by PKG.

Suppose user Alice wants to signcrypt a message $m$ to user Bob. Alice’s identity is $ID_A$ with public key $Q_A$ and private key $S_A$. Bob’s identity is $ID_B$. Alice will execute the following two algorithms:

Signature Algorithm: Alice chooses a random $r \in \mathbb{Z}_q$ and computes: $X = (g_1)^r \in G_1$, $h = H_1(m, X, ID_B) \in \mathbb{Z}_q$, $W = S_A^{\,h}\, Q_A^{\,r} \in G_2$.

Encryption Algorithm: Alice computes: $Q_B = H_0(ID_B) \in G_2$, $V = e(P_{PKG}, Q_B)^{r} \in G_3$, $Y = H_3(V, ID_A) \oplus W \in G_2$, $Z = H_2(V) \oplus \langle ID_A, m \rangle \in \{0,1\}^*$.

Then, Alice outputs a ciphertext $\sigma = \langle X, Y, Z \rangle$ and sends it to Bob. Once receiving the ciphertext $\sigma' = \langle X', Y', Z' \rangle$, Bob will execute the following two algorithms:

Decryption Algorithm: Assume the private key of Bob is $S_B$. Bob computes: $V' = e(X', S_B)$, $\langle ID_A, m \rangle = H_2(V') \oplus Z'$.

Signature Verify Algorithm: Bob computes $W' = H_3(V', ID_A) \oplus Y'$ and verifies whether $e(g_1, W')$ is equal to $e(P_{PKG}^{\,h}\, X', Q_A)$, where $h = H_1(m, X', ID_B)$. If it is true, Bob can determine that $m$ was sent by Alice. Otherwise, $m$ does not belong to Alice.

For more details of the signcryption scheme, [9] is referred.
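An added consistency check, not part of the original paper, carried through with the scheme’s own symbols: it shows why Bob’s decryption recovers Alice’s $V$ and why the verification equation holds for an honestly generated $W$.

$$V' = e(X, S_B) = e(g_1^{\,r}, Q_B^{\,s}) = e(g_1, Q_B)^{rs} = e(g_1^{\,s}, Q_B)^{r} = e(P_{PKG}, Q_B)^{r} = V,$$

so $H_2(V') \oplus Z = \langle ID_A, m \rangle$ and $H_3(V', ID_A) \oplus Y = W$, as Bob expects. For the signature check,

$$e(g_1, W) = e(g_1, S_A^{\,h} Q_A^{\,r}) = e(g_1, Q_A^{\,sh + r}) = e(g_1, Q_A)^{sh + r}, \qquad e(P_{PKG}^{\,h} X, Q_A) = e(g_1^{\,sh} g_1^{\,r}, Q_A) = e(g_1, Q_A)^{sh + r},$$

so the two sides agree exactly when $W$ was formed with $S_A = Q_A^{\,s}$. The only secret entering the first chain is Bob’s $S_B$ (anyone else faces the Co-BDH instance $(g_1, g_1^{\,s}, g_1^{\,r}, Q_B)$ of Definition 1 to obtain $V$), and the only secret entering the second is Alice’s $S_A$; this is what lets the receiver bind $m$ to $ID_A$ without any certificate.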

III. A NEW SCHEME FOR KEY MANAGEMENT

In this section, using the ID-based signcryption mechanism in [9] and threshold cryptography, we give a new scheme for key management in mobile ad hoc networks. This work considers an ad hoc network, where mobile nodes communicate with each other via the bandwidth-constrained, error-prone, and insecure wireless channel. We also make the following assumptions.

(1) An off-line Trusted Authority (TA) is available.
(2) Each node has a unique and unchanged identity during its lifetime in the ad hoc networks.
(3) Nodes in the network are heterogeneous.
(4) Each node has a local detection mechanism to discover the misbehaving nodes among its one-hop neighborhood [10].

A. Key Generation

We distinguish two network phases in mobile ad hoc networks, namely the initialization phase and the running phase. In the first phase, an off-line TA (called PKG) generates the master secret key $s$ and public key $g_1^{\,s}$. Then PKG initializes all nodes with the required data, such as system parameters and cryptographic keys. Concretely, before joining the network, a node (user) must register and authenticate its identity to the PKG. The user’s identity can be any string selected according to his taste. After that, the PKG generates the private key of this identity and sends it via a secure channel to the authorized owner. We rely on the off-line trusted PKG to form a trust anchor, which improves the security level of the network.



PKG chooses $n$ nodes as on-line server nodes according to some pre-defined metrics. Generally, the nodes with stronger computation ability, more storage space and larger wireless transmission range are selected. Then the master secret key $s$ is shared by all of these server nodes in a $(k, n)$ threshold cryptography, e.g., the polynomial secret sharing scheme of Shamir [11]. Any $k$ nodes among these server nodes can jointly act as a virtual PKG deployed in the running phase, in order to provide the private key update service for nodes on-line. In order to check malicious server nodes, the PKG publishes a verification commitment for each server node (the details will be described in Section III.B).

The signature algorithm described in Section II.B can be used separately. In some scenarios, only the authentication of a node’s identity needs to be assured, which is done by a “challenge-response” mechanism. A node is required to sign a random message. Once this signature is verified successfully, the authentication is achieved. Because the network does not use public key certificates, any node can verify the signature using the node’s identity and the system parameters.

When node Alice wants to send messages secretly to node Bob, there are two methods for them to establish a secret session key.

Key Agreement Method: Let $g_1$ be the generator of $G_1$. Alice selects a secret $a \in G_1$ randomly and computes $g_1^{\,a} \in G_1$; then she signs $g_1^{\,a}$, and sends $g_1^{\,a}$ together with its signature to Bob. When Bob receives it from Alice, he verifies the correctness of the signature first. If it is correct, Bob can ensure the authentication of Alice’s identity. Then he selects a secret $b \in G_1$ randomly, computes $g_1^{\,b} \in G_1$ and signs it, then sends $g_1^{\,b}$ together with its signature to Alice. Of course, Alice also verifies the signature of Bob. If the signature is correct, Alice can ensure the authentication of Bob’s identity. Later, Alice and Bob can establish their secret shared session key by computing $(g_1^{\,b})^{a}$ and $(g_1^{\,a})^{b}$ respectively.

Key Transport Method: Alice generates a secret session key randomly and signcrypts it using her private key and the identity of Bob. Then she sends the ciphertext to Bob. Bob can decrypt the session key and verify the signature.

B. Update of a Node’s Private Key

To enhance the security level of the network, we present a secure and efficient mechanism for a node’s private key update, using the signcryption scheme described in Section II.

At first, the whole lifetime of the mobile ad hoc network is divided into time intervals of length $t$. At the $j$th time interval, a node’s public key is computed as $Q_{ID} = H_0(ID \,\|\, j)$, where $ID \,\|\, j$ is called the temporary ID and $\|$ represents concatenation of strings. Then its private key is $S_{ID_j} = (Q_{ID})^{s}$.

To obtain a new private key, the node has to contact at least $k$ server nodes selected by PKG. For simplicity, the server nodes are respectively denoted as $v_m$, $m = 1, 2, \ldots, n$. Each of them has a master secret key share $s_m$, $m = 1, 2, \ldots, n$. Any $k$ nodes of these $n$ server nodes can act as a virtual PKG jointly to generate a new private key for the node according to its temporary ID.

For example, before the $j$th time interval expires, Alice should acquire her new private key for the $(j+1)$th time interval. Alice sends a private key update request (PKU_REQ) message signed with her current private key to at least $k$ server nodes. When a server node $v_m$ receives PKU_REQ, it verifies whether the signature matches the claimed temporary identity. If the verification is true, using $s_m$, $v_m$ generates a partial private key of Alice for the $(j+1)$th time interval, which is denoted as $S^{m}_{A,j+1} = (Q_{A,j+1})^{s_m}$. Next, $v_m$ signcrypts $S^{m}_{A,j+1}$ and sends it in a private key update reply (PKU_REP) message to Alice. After decrypting and verifying PKU_REP, Alice needs to make a further check to discover a malicious server node that may return a false partial private key. At the initial phase, PKG publishes a verification commitment $(g_1)^{s_m}$ for each server node $v_m$. To check the validity of the partial key sent by $v_m$, Alice only checks whether the equation $e((g_1)^{s_m}, Q_{A,j+1}) = e(g_1, S^{m}_{A,j+1})$ holds. If it is true, Alice ensures $S^{m}_{A,j+1}$ is a valid partial value. Otherwise, Alice broadcasts an accusation against $v_m$ signed with her current private key. After collecting $k$ valid partial values of the private key for the $(j+1)$th time interval, Alice can reconstruct her new private key using Lagrange interpolation [8].

C. Share Refreshing of Server Nodes

Proactive secret sharing is required to protect against attackers who might compromise at least $k$ server nodes during a long enough time [2].

The whole lifetime is divided into time periods of length $T$. Typically, $T$ is much bigger than $t$. Each time period consists of two phases, the serving phase and the refreshing phase. During the serving phase, the server nodes can provide the private key update service for all the nodes, including themselves. During the refreshing phase, all server nodes will jointly generate new master secret key shares from the old ones. Thus, the adversary is forced to compromise at least $k$ server nodes during $T$.

Share refreshing relies on the homomorphism property of the secret key shares in some cryptographic threshold schemes. Given $n$ correct server nodes, the share-refreshing process is: each server node $v_m$ generates $(s^{m}_{1}, s^{m}_{2}, \ldots, s^{m}_{n})$ randomly, which is a $(k, n)$ sharing of 0. $s^{m}_{l}$ is called a subshare. $s^{m}_{l}$ is distributed to server node $v_l$ through a secure link implemented with the signcryption scheme described in Section II. After $v_l$ receives $(s^{1}_{l}, s^{2}_{l}, \ldots, s^{n}_{l})$, it can generate a new secret key share from these subshares together with its old share:

$$s'_l := s_l + \sum_{m=1}^{n} s^{m}_{l}.$$

The above refreshing process may encounter arbitrary misbehaviour by malicious server nodes or transmission failures of packets. However, as long as $k$ server nodes come to an agreement, the refreshing process can be accomplished successfully. Other server nodes can acquire their new master secret key share from those that already possess the new shares. Additionally, the verifiable sharing scheme in [12] can be used to detect malicious server nodes. After isolating the malicious server nodes, share refreshing can be accomplished according to the above process.
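The share-based key update of Section III.B and the refresh of Section III.C, as an added example that is not part of the paper’s own work: Shamir sharing of the master secret over $\mathbb{Z}_q$, combination of $k$ partial keys $(Q_{ID})^{s_m}$ in the exponent via Lagrange coefficients, and one proactive refresh round in which every server deals a $(k, n)$ sharing of 0. A toy prime-order subgroup of $\mathbb{Z}_p^*$ stands in for $G_2$ (the constructed parameters $p = 1019$, $q = 509$, $g = 4$ are for illustration only; a deployment uses the pairing-friendly curves the paper cites). The pairing-based commitment check $e((g_1)^{s_m}, Q) = e(g_1, S^m)$ needs a pairing and is not modelled; the hash $H_0$, the server indices and the identity string are all constructed.

```python
"""Threshold private-key update (Section III.B) and proactive share
refreshing (Section III.C), modelled with Shamir sharing over Z_q and a
prime-order subgroup of Z_p^* in place of the pairing groups.  Constructed
example; not the paper's code."""
import hashlib
import random

# Toy parameters (constructed): p = 2q + 1 is a safe prime and G1 = 2^2
# generates the subgroup of prime order q.
P = 1019
Q = 509
G1 = 4


def shamir_share(secret, k, n, rng):
    """(k, n) Shamir sharing of `secret` over Z_q: share m is f(m) for a
    random polynomial f of degree k-1 with f(0) = secret."""
    coeffs = [secret % Q] + [rng.randrange(Q) for _ in range(k - 1)]
    return {m: sum(c * pow(m, i, Q) for i, c in enumerate(coeffs)) % Q
            for m in range(1, n + 1)}


def lagrange_coeff(m, members):
    """Lagrange coefficient lambda_m (mod q) for recovering f(0) from the
    shares held by `members`."""
    num = den = 1
    for l in members:
        if l != m:
            num = num * (-l) % Q
            den = den * (m - l) % Q
    return num * pow(den, -1, Q) % Q


def reconstruct_secret(shares):
    """Plain Lagrange interpolation at x = 0 (used here only to check the refresh;
    the master secret is never reassembled by anyone in the protocol)."""
    members = list(shares)
    return sum(shares[m] * lagrange_coeff(m, members) for m in members) % Q


def temp_public_key(identity, j):
    """Q_ID = H0(ID || j): a toy H0 hashing the temporary ID into the subgroup."""
    digest = hashlib.sha256(f"{identity}||{j}".encode()).digest()
    return pow(G1, int.from_bytes(digest, "big") % Q, P)


def partial_private_key(q_id, share_m):
    """Server v_m answers PKU_REQ with S^m_{ID,j+1} = (Q_{ID,j+1})^{s_m}."""
    return pow(q_id, share_m, P)


def combine_partial_keys(partials):
    """The client combines k partial keys in the exponent:
    prod_m (S^m)^{lambda_m} = Q_ID^{sum_m lambda_m s_m} = Q_ID^s = S_ID."""
    members = list(partials)
    key = 1
    for m in members:
        key = key * pow(partials[m], lagrange_coeff(m, members), P) % P
    return key


def refresh_shares(shares, k, rng):
    """Proactive refresh: every server v_m deals a (k, n) sharing of 0 and each
    v_l sets s'_l = s_l + sum_m s^m_l.  The master secret s is unchanged."""
    n = len(shares)
    subshares = {m: shamir_share(0, k, n, rng) for m in shares}  # subshares[m][l] = s^m_l
    return {l: (shares[l] + sum(subshares[m][l] for m in shares)) % Q for l in shares}


def run_epoch(k=3, n=5, identity="alice", j=7, seed=2006):
    """One key-update round followed by one refresh.  The seeded RNG is for
    reproducibility only; a deployment draws from random.SystemRandom()."""
    rng = random.Random(seed)
    s = rng.randrange(1, Q)                      # master secret of the off-line PKG
    shares = shamir_share(s, k, n, rng)          # s_m held by server nodes v_1..v_n
    q_id = temp_public_key(identity, j + 1)      # Q_{A,j+1}
    expected_key = pow(q_id, s, P)               # what the off-line PKG itself would issue
    partials = {m: partial_private_key(q_id, shares[m]) for m in (1, 3, 5)}
    new_shares = refresh_shares(shares, k, rng)
    mixed = {1: shares[1], 2: new_shares[2], 4: new_shares[4]}
    return {
        "combined_key_ok": combine_partial_keys(partials) == expected_key,
        "new_shares_recover_s": reconstruct_secret({m: new_shares[m] for m in (2, 4, 5)}) == s,
        # Shares from different periods lie on different polynomials, which is why
        # an attacker must collect k of them within one period T.  Almost surely False.
        "mixed_old_new_recover_s": reconstruct_secret(mixed) == s,
    }


if __name__ == "__main__":
    print(run_epoch())
```

The combination step is where the scheme’s economy shows: Alice never learns any $s_m$, only $(Q_{ID})^{s_m}$, and because $Q_{ID}$ has order $q$ the Lagrange arithmetic can be done entirely in the exponent modulo $q$. The refresh keeps $f(0) = s$ while replacing every share, so old shares and new shares cannot be pooled.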



D. Discover and Punish Malicious Nodes

To discover and punish malicious nodes, a localized trust model is provided as follows. A network-wide fixed parameter $k$, which is tuned according to the network density and system robustness requirements, is chosen. A node is thought malicious if any $k$ local trusted nodes all claim so. Consequently, it will be recognized as a malicious node globally. In our assumption, each node has some detection mechanism to discover the misbehaving nodes among its one-hop neighborhood. Every node $v$ keeps a table of malicious nodes, called the malicious nodes list (MNL). An entry of the MNL consists of a node identity and a list of its accusers. If a node’s accuser list contains fewer than $k$ legitimate accusers, the node is marked as “suspect”. Otherwise, the node is determined to be malicious and marked as “convicted”. In two scenarios a node is marked “convicted”. By direct monitoring, $v$ determines one of its neighboring nodes to be misbehaving or compromised, puts the node identity into its MNL and directly marks it “convicted”. In this scenario, $v$ also floods a signed accusation against the malicious node. The other scenario happens when $v$ receives an accusation message against some node. It first checks if the accuser is a convicted node in its MNL. If it is, this accusation message is dropped. Otherwise, $v$ updates its MNL entry of the accused node by adding the accuser to the node’s accuser list. The accused node will be marked “convicted” if the number of accusers reaches $k$. When a node is convicted, $v$ deletes the node from all accuser lists. A convicted node will be marked “suspect” if its number of accusers drops below $k$.

The range of the accusation propagation is an important design parameter. A large range causes excessive communication overhead, while a small range may be not enough to cover a roaming adversary. A practical scheme for controlled flooding is by setting the TTL (time-to-live) field in the IP headers of the accusation packets [13].
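The MNL bookkeeping of Section III.D as an added example, not code from the paper: one node’s table with the two conviction scenarios, the dropping of accusations from convicted accusers, the deletion of a convicted node from every accuser list, and the demotion back to “suspect” when that deletion pushes a count below $k$. One reading is mine and not stated by the paper: a conviction from $v$’s own one-hop observation carries a `direct` flag so that it is never demoted when accuser counts change. Signature verification of accusation messages (done with the Section II scheme) is assumed to happen before `receive_accusation` is called; the node names are constructed.

```python
"""Malicious-node list (MNL) kept by one node v, following the localized trust
model of Section III.D.  Constructed example; not the paper's code."""
from dataclasses import dataclass, field


@dataclass
class MNLEntry:
    accusers: set = field(default_factory=set)
    status: str = "suspect"      # "suspect" or "convicted"
    direct: bool = False         # assumption: convicted by v's own one-hop monitoring


class MaliciousNodeList:
    def __init__(self, k):
        self.k = k               # network-wide conviction threshold
        self.entries = {}        # node identity -> MNLEntry

    def _entry(self, node):
        return self.entries.setdefault(node, MNLEntry())

    def status_of(self, node):
        entry = self.entries.get(node)
        return entry.status if entry else None

    def accusers_of(self, node):
        entry = self.entries.get(node)
        return set(entry.accusers) if entry else set()

    def direct_detection(self, node):
        """Scenario 1: v's local detection catches a one-hop neighbour.  It is
        convicted at once and v floods a signed accusation against it (the
        message returned here; signing is left to the Section II scheme)."""
        self._entry(node).direct = True
        self._convict(node)
        return {"accuser": "v", "accused": node}

    def receive_accusation(self, accuser, accused):
        """Scenario 2: a (verified) accusation arrives.  Accusations from convicted
        nodes are dropped; otherwise the accuser is recorded and the accused is
        convicted once k legitimate accusers are on record.  Returns whether the
        accusation was accepted."""
        if self.status_of(accuser) == "convicted":
            return False
        entry = self._entry(accused)
        entry.accusers.add(accuser)
        if entry.status != "convicted" and len(entry.accusers) >= self.k:
            self._convict(accused)
        return True

    def _convict(self, node):
        self.entries[node].status = "convicted"
        # A convicted node is removed from every accuser list; an accusation-based
        # conviction whose count thereby drops below k reverts to "suspect".
        for other, entry in self.entries.items():
            if other != node and node in entry.accusers:
                entry.accusers.discard(node)
                if entry.status == "convicted" and not entry.direct and len(entry.accusers) < self.k:
                    entry.status = "suspect"


def scenario(k=2):
    """Constructed trace: two accusations convict 'mallory'; mallory's own
    accusation is dropped; v then catches 'n2' itself, and since n2 was one of
    mallory's accusers, mallory falls back to 'suspect'."""
    mnl = MaliciousNodeList(k)
    trace = [
        mnl.receive_accusation("n1", "mallory"),   # accepted, still suspect (1 < k)
        mnl.receive_accusation("n2", "mallory"),   # accepted, now convicted (2 >= k)
        mnl.receive_accusation("mallory", "n1"),   # dropped: accuser is convicted
    ]
    mnl.direct_detection("n2")
    return mnl, trace


if __name__ == "__main__":
    mnl, trace = scenario()
    print(trace, mnl.status_of("mallory"), mnl.accusers_of("mallory"))
```

The demotion path is worth watching in practice: a node that reaches $k$ through accusers who are later convicted loses its conviction, which is exactly the behaviour the paper describes but also what a colluding group could try to exploit by accusing one another. Keeping the `direct` flag separate makes $v$’s own observations immune to that churn.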

E. Adaptive On-line Virtual PKG

With a fixed number of server nodes, when the network size increases, the availability of an on-line virtual PKG becomes lower. To solve this problem, the trusted off-line PKG can adaptively increase the number of server nodes, according to the current network size and the evaluation of the network state. Concretely, when new nodes join the mobile ad hoc network, the trusted off-line PKG can appoint some of them as new server nodes. Each new server node is assigned a master secret key share securely, while a public message signed with the master secret key is also issued to prove that the new node plays the role of a server node. The style of the announce message is: <{ID, PKG server node}, signature>. The new server node floods this announce message during the running phase. Any node can verify its authenticity using the master public key and system parameters and then trusts this new server node. Thus, the adaptive on-line virtual PKG not only ensures the security level of the network, but also increases the availability of the key management service.

IV. CONCLUSIONS AND FUTURE WORK

Secure and efficient key management in mobile ad hoc networks is a challenging task for researchers due to the special properties of these networks. This paper presents a new approach for key management using identity-based signcryption and threshold cryptography. We will further analyze the performance of our proposed scheme using the NS-2 and OPNet 10.0 network simulators. A very interesting aspect would be finding more efficient and secure key management protocols for mobile ad hoc networks.

ACKNOWLEDGMENT

This work is supported by the NSFC of China (60473021, 60503012) and the Henan Province Natural Science Foundation (511010900).

REFERENCES

[1] Jean-Pierre Hubaux, Levente Buttyan, and Srdjan Capkun, “The quest for security in mobile ad hoc networks,” Proceedings of ACM Symposium on MobiHOC 2001, pp.146-155, 2001.

[2] Zhou L., Haas Z.J,“Securing Ad hoc Networks,” IEEE Networks, vol.13 no.66, pp.24-30, 1999.

[3] J.Kong, P.Zerfos, H.Luo, S. Lu and L.Zhang, “Providing Robust and Ubiquitous Security Support for Mobile Ad-Hoc Networks,” in Proceedings of the IEEE 9th International Conference on Network Protocols (ICNP’01), 2001.

[4] Hubaux J. P., Buttyan L., Capkun S, “Self-organized Public-Key Management for Mobile Ad hoc Networks,” IEEE Trans. on Mobile Computing, vol.2, no.1, pp.52-64, 2003.

[5] Khalili A., Katz J., Arbaugh W. A, “Towards Secure Key Distribution in Truly Ad Hoc Networks,” in Proceedings of IEEE Workshop on Security and Assurance in Ad hoc Networks, 2003.

[6] A. Miyaji, M. Nakabayashi, and S. Takano, “New explicit conditions of elliptic curve traces for FR-reduction,” IEICE Transactions on Fundamentals, E84 –A (5), pp.1234–1243, 2001.

[7] P. S. L. M. Barreto and M. Naehrig, “Pairing-friendly elliptic curves of prime order,” Cryptology ePrint Archive, Report 2005/133, http://eprint.iacr.org/2005/133, 2005.

[8] N. P. Smart and F. Vercauteren, “On computable isomorphisms in efficient pairing based systems,” Cryptology ePrint Archive, Report 2005/116, http://eprint.iacr.org/2005/116, 2005.

[9] TszHon Yuen and Victor K. Wei, “Fast and Proven Secure Blind Identity-Based Signcryption from Pairings,” in Proceedings of CT-RSA2005, LNCS3376, Springer-Verlag, Berlin Heidelberg New York, pp.305-322, 2005.

[10] Zhang Y., Lee W., Huang Y, “Intrusion Detection Techniques for Mobile Wireless Networks,” ACM/Kluwer Wireless Networks Journal. Vol.9, no.5, pp.545-556, 2003

[11] Adi Shamir, “How to share a secret,” Communications of ACM, vol.22, no.11, pp.612-613, November 1979.

[12] Pedersen T, “Non-interactive and Information-theoretic Secure Verifiable Secret Sharing,” in Proceedings of Crypto’91, LNCS576, Springer-Verlag, Berlin Heidelberg New York , pp.129-140, 1992.

[13] Luo H., Zerfos P., Kong J., Lu S., Zhang L, “Self-securing Ad Hoc Wireless Networks,” in Proceedings of the 7th IEEE Symp. on Computers and Communications, pp.567-574, 2002.
