Download presentation

Presentation is loading. Please wait.

Published byAmber Meachum Modified about 1 year ago

1
Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou,Member, IEEE, and Yuguang Fang, Senior Member, IEEE Source: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2006 Presenter: Hsin-Ruey, Tsai

2
Introduction Related work Design goals and system models IKM design Performance evaluation

3
Introduction MANET: Mobile ad hoc network Infrastructureless, autonomous, stand-alone wireless networks. Key management: Serverless Two intuitive symmetric-key solutions: 1. Preload all the nodes with a global symmetric key. 2. Let each pair of nodes maintain a unique secret that is only known to those two nodes.

4
Use public-key certificates to authenticate public keys by binding public keys to the owners’ identities. Preload each node with all the others’ public-key certificates prior to network deployment. Certificate-based cryptography(CBC) Drawbacks: network size, key update is not in a secure, cost-effective way.

5
ID-based cryptography(IBC) Eliminate the need for public key distribution and certificates. Master-key All/some are shareholders ID-based private keys collaboratively issues Drawbacks: 1. Compromised nodes more than threshold number, 2. Key update is a significant overheads, 3.How to select the secret sharing parameters, 4.No comprehensive argument about the advantages of IBC-based schemes over CBC-based ones.

6
ID-based key management (IKM) A novel construction method of ID-based public/ private keys. Determining secret-sharing parameters used with threshold cryptography. Simulation studies of advantages of IKM over CBC-based schemes. Node-specific not jeopardize noncompromised nodes’ private keys Common element efficient key updates via a single broadcast message Each node’s public key and private key is composed of a node-specific, ID-based element and a network-wide common element. IKM has performance equivalent to CBC-based schemes, denoted by CKM while it behaves much better in key updates. Identify pinpoint attacks against shareholders.

7
Introduction Related work Design goals and system models IKM design Performance evaluation

8
Related work CBC and (t, n) threshold cryptography N is number of nodes. t N N nodes CA’s public key Divided into n shares CA’s private key D-CA Certificate generation and revocation t D-CAs Tolerate the compromise of up to (t-1) D-CAs The failure of up to (n-t) D-CAs

9
Pairing Technique p, q be two large primes G 1 a q-order subgroup of the additive group of point of E/F p G 2 a q-order subgroup of the multiplicative group of the finite field F* p^2 e : G 1 *G 1 → G 2 Bilinear: For all P, Q, R, S belong to G 1, Consequently, for all a, b belong to Z* q e(aP, bQ)=e(aP, Q)^b= e(P, bQ)^a=e(P, Q)^ab e(P+Q, R+S)= e(P, R) e(P, S) e(Q, R)e(Q, S)

10
Introduction Related work Design goals and system models IKM design Performance evaluation

11
Design goals MANETs should satisfy the following requirements: 1. Each node is without attack originally. 2. Compromise-tolerant. 3. Efficiently revoke and update keys of nodes. 4. Be efficient because of resource-constrained.

12
Network & Adversary Model Network Model: special-purpose, single-authority MANET consisting of N nodes. Adversary Model: 1. Only minor members are compromised/disrupted. 2. Can’t break any of the cryptographic primitives. 3. Static adversaries. 4. Exhibit detectable misbehavior. Assumption that adversaries can compromise at most (t-1) D-PKGs and can disrupt no more than (n-t) D-PKGs (n is number of D-PKG, t is the threshold number)

13
Introduction Related work Design goals and system models IKM design Performance evaluation

14
Network Initialization PKG generates the paring parameters (p, q, e) and selects an generator W of G 1. H 1 : hash function maps binary strings to nonzero elements in G 1. K p 1,K p 2 : belong to Z* q and are master-secretes. W p 1 =K p 1 W, W p 2 =K p 2 W PKG preloads parameters (p, q, e, H 1, W, W p 1, W p 2 ) to each node while K p 1,K p 2 should never be disclosed to any single node.

15
Secret Sharing Enable key revocation and update. PKG performs a (t, n)-threshold secret sharing of K p 2. (t nodes number of threshold) (n D-PKGs ) (N nodes) PKG n D-PKGs distributes functionality to n D-PKGs reach threshold t PKG preloads to D-PKG: (verifiable) t elements Lagrange interpolation Lagrange coefficient K P 2 can then be reconstructed by computing g(0) with at least t elements.

16
Generation of ID-Based Public/Private Keys node-specificphase-specific Our IKM is composed of a number of continuous, nonoverlapping key update phases, denoted by p i for 1 i < M, where M is the maximum possible phase index. p i is associated with a unique binary string, called a phase salt, salt i Vary across key- update phases Remain unchanged and be kept confidential to A itself Due to the difficulty of solving the DLP in G 1, it is computationally infeasible to derive the network mastersecrets KP1 and KP2 from an arbitrary number of public/private key pairs Cannot deduce the private key of any noncompromised node.

17
Key Revocation Misbehavior Notification B accuses A timestamp shared key with V communication overheadresilient

18
Key Revocation Revocation Generation If over thresholddiagnose joint efforts of t D-PKGs t D-PKGs in with smallest IDs (leader) generates partial revocation revocation leader accumulated all the D-PKGs in generates partial revocation sends revocation leader D-PKGs sends the accumulated accusations response after verify accusation Complete revocation

19
Key Revocation Partial revocations Complete revocation Revocation leader denote the t D-PKGs participating in revocation generation It is possible that one or several members of A are unrevoked compromised nodes which might send wrongly computed partial revocations. Revocation leader check If not equivalent Check each node Floods to each node

20
Key Revocation If D-PKGs in do not receive a correct revocation against A in a certain time revocation leader itself is a compromised node second lowest ID succeeds as the revocation leader As long as there is at least one noncompromised D-PKG in and there are at least t noncompromised D-PKGs in, a valid accusation against node A can always be generated.

21
Key Update Public key: Private key: (B just performs two hash operations) needs the collective efforts of t D-PKGs in randomly selects (t-1) other nonrevoked D-PKGs send request these t D-PKGs including Z itself A generate a partial common private-key element check

22
Key Update To propagate securely to all the nonrevoked nodes, we use a variant of the self-healing group key distribution scheme : set of nodes revoked until phase p i Z broadcasts maximum number of compromised nodes PKG picks M distinct degree polynomials, denoted by and M distinct degree polynomials is a point on E=F p, its x-coordinate can be uniquely determined from its y-coordinate. Key-Update Parameters Revoked node

23
IKM design Choosing Secret-Sharing Parameter t, n They can only do is to attempt to compromise or disrupt randomly picked nodes with the expectation that those nodes happen to be the D-PKGs. Compromise and disrupt up to N c >=t and N d >=n-t+1 nodes P r c and P r d as the probabilities that at least t out of N c compromised nodes and (n-t+1) out of N d disrupted nodes happen to be D-PKGs

24
Introduction Related work Design goals and system models IKM design Performance evaluation

25
CKM vs IKM GloMoSim, a popular MANET simulator, on a desktop with an Intel P4 2.4GHz processor and 1 GB memory

26
Performance evaluation

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google