TIDS: threshold and identity-based security scheme for wireless ad hoc networks


Ad Hoc Networks 2 (2004) 291–307 www.elsevier.com/locate/adhoc

Hongmei Deng, Dharma P. Agrawal *

Center for Distributed and Mobile Computing, Department of Electrical & Computer Engineering and Computer Science, University of Cincinnati, Cincinnati, OH 45221-0030, USA

Available online 20 April 2004

Abstract

As various applications of wireless ad hoc networks have been proposed, security has received increasing attention as one of the critical research challenges. In this paper, we consider the security issues at the network layer, wherein routing and packet forwarding are the main operations. We propose a novel, efficient security scheme that provides security characteristics such as authentication, confidentiality, integrity and non-repudiation for wireless ad hoc networks. In our scheme, we deploy the recently developed concepts of identity-based signcryption and threshold secret sharing. We describe our proposed security solution in the context of the dynamic source routing (DSR) protocol. Without any assumption of a pre-fixed trust relationship between nodes, the ad hoc network works in a self-organizing way to provide key generation and key management services using a threshold secret sharing algorithm, which effectively solves the problem of the single point of failure in traditional public-key infrastructure (PKI) supported systems. The identity-based signcryption mechanism is applied here not only to provide end-to-end authenticity and confidentiality in a single step, but also to save network bandwidth and the computational power of wireless nodes. Moreover, a one-way hash chain is used to protect hop-by-hop transmission.

© 2004 Elsevier B.V. All rights reserved.

Keywords: Wireless ad hoc networks; Security; Key management; Authentication

1. Introduction

Wireless ad hoc networks, by nature, are highly dynamic networks with scarce channels. Mobile hosts are not bound to any centralized control like base stations or mobile switching centers. The network is formed on-the-fly and uses multi-hop routing to transmit information. The property of not relying on the support of any fixed infrastructure makes it useful for a wide range of applications, such as instant consultation between mobile users in battlefield, emergency, and disaster situations, where geographical or terrestrial constraints demand totally distributed networks. While a wireless ad hoc network provides great flexibility for establishing communications, it also brings a lot of research challenges. One of the important issues is security, and the problem becomes more serious in applications where safety is critical.

This work has been supported by the Ohio Board of Regents, Doctoral Investment Funds and National Science Foundation under Grant No. CCR-0113361.

* Corresponding author. E-mail addresses: [email protected] (H. Deng), dpa@ececs.uc.edu (D.P. Agrawal).

1570-8705/$ - see front matter © 2004 Elsevier B.V. All rights reserved. doi:10.1016/j.adhoc.2004.03.005


H. Deng, D.P. Agrawal / Ad Hoc Networks 2 (2004) 291–307

The truth is that wireless ad hoc networks are highly vulnerable to various security threats due to their inherent characteristics, such as open medium, absence of fixed central structure, dynamically changing topology and constrained capability [1,9,10,24–29]. As ad hoc networking is somewhat different from the traditional approaches, security aspects that are valid in traditional networks are not directly applicable to ad hoc networks. Designing an efficient security scheme to protect wireless ad hoc networks is confronted with several new requirements.

First, the key management mechanism should be implemented in a distributed fashion (footnote 1). In wireless ad hoc networks, each mobile node acts not only as a host, but also as a router to forward packets for those nodes that are not in direct transmission range of each other. The network connectivity and network services, for instance, packet forwarding and routing, are maintained by the nodes themselves within the network, and each node has an equal functionality. There are no dedicated service nodes that can work as a trusted authority to generate and distribute the network keys or provide certificates to the nodes, as the certificate authority (CA) does in the traditional public-key infrastructure (PKI) supported approaches. Even if a service node can be defined, maintaining such a centralized server and keeping it available to all the nodes in such a dynamic network is not an easy task. Moreover, the service node is prone to a single point of failure, i.e., merely by damaging the service node, the whole network would be paralyzed. Thus, a distributed key generation and management approach is needed in securing ad hoc networks.

Footnote 1: Here, we consider the ad hoc network working in a truly ad hoc mode. Depending on the network origin, an ad hoc network can be a planned network, in which some initial data structure such as pre-distributed public keys and shared keys can be assumed.

Secondly, light-weight authentication and encryption schemes are required. Nodes in ad hoc networks most often rely on batteries as their power source, and may also have constrained computational abilities. The low resource availability necessitates their efficient utilization and prevents the use of complex authentication and encryption algorithms. Public-key cryptography based authentication and encryption mechanisms are fully developed in securing traditional networks. Unfortunately, generation and verification of digital signatures are relatively expensive, which limits their wide application in wireless ad hoc networks. Symmetric cryptography is more efficient than public-key based asymmetric primitives due to its moderate resource consumption, but it requires that both the sender and receiver share a secret. In ad hoc networks, the problem is how to distribute the shared keys safely so that only the two parties (correct sender and receiver) would get them and not anyone else. It is thus challenging to develop or define some new efficient cryptography algorithms for designing an efficient light-weight authentication and encryption scheme.

Thirdly, the security scheme needs to combine several security protocols of multiple layers since the attacks may come from different layers. On the physical and link layers, an adversary could employ jamming or colliding to interfere with communication on physical channels. On the network layer, an adversary could perform various attacks against routing protocols and degrade the network performance. On the higher layers, an adversary could bring down high-level services. For instance, the key management service is one such target service, which is essential for any security framework. To secure an ad hoc network, each layer should have its own security mechanism, and an integrated security scheme is necessary.

In this paper, we attempt to fulfill the first two requirements, and focus on the security issues at the network layer, wherein routing and packet forwarding are the main operations.
We propose a security solution, a threshold and identity-based security scheme called TIDS, which shows the properties of distributed key management and light-weight authentication. We describe the scheme in the context of the dynamic source routing (DSR) [2] protocol. In this scheme, we take a self-organized approach by deploying a threshold secret sharing [3] algorithm to provide key generation and key management in a distributed way, without assuming any trust association between nodes or the existence of any centralized trusted entity in the network. The light-weight authentication and encryption is implemented by applying the concepts of identity-based signcryption [4] and one-way hash chain [5].

The rest of the paper is organized as follows. In Section 2, we give some background knowledge of our security scheme. We briefly overview the basic operations of the DSR protocol, and describe several possible attacks on it. The concepts of identity-based signcryption and threshold secret sharing are briefly introduced. Our proposed security scheme TIDS is described in detail in Section 3. In Section 4, we present a performance analysis of the proposed scheme. Some related works are presented in Section 5. The conclusions and future work are given in Section 6.

2. Background

Establishing a correct route between communicating nodes in ad hoc networks is a pre-requisite for guaranteeing that messages are delivered in a timely manner. The function of route discovery is performed by routing protocols, and hence securing routing protocols is critical in the development of any application of wireless ad hoc networks. Routing protocols in ad hoc networks can generally be categorized as proactive or reactive. Proactive routing protocols attempt to evaluate continuously the routes within the network, so that the hosts exchange the information routinely and construct the routing tables in advance. Reactive routing protocols, also called on-demand routing protocols, invoke a route discovery procedure only on demand. Each type of routing protocol has advantages and disadvantages. Here we focus on securing on-demand routing protocols for ad hoc networks.

In this section, we first describe the basic operations of the DSR routing protocol, and then present the vulnerabilities of the DSR protocol. We also give a brief introduction to the concepts of identity-based signcryption and threshold secret sharing.

2.1. Basic operations of DSR

The dynamic source routing (DSR) [2] protocol, proposed by David B. Johnson, is an on-demand ad hoc network routing protocol based on the concept of source routing. Two components are involved in the DSR routing protocol: Route Discovery and Route Maintenance.

When a node requires a route to a destination node, i.e., it has packets to send to the destination node and does not have a route to that node in its route cache, it initiates a route discovery process within the network, and the node is considered the source node of the route discovery. The source node composes a route request packet (RREQ) by specifying the destination node and a unique identifier from the source node, and then broadcasts the RREQ packet to its neighbors. Each node receiving the RREQ packet discards it if it has recently seen this request, which it recognizes by the request identifier from the source node. Otherwise, it appends its own address to the node list of the RREQ packet, and then rebroadcasts the RREQ packet. Once the RREQ reaches the destination, the destination node responds by unicasting a route reply (RREP) packet back to the neighboring node from which it received the RREQ. The RREP packet, which includes a copy of the accumulated list of nodes in the RREQ, is routed back to the source node by reversing the RREQ path. When the RREP reaches the source node of the request, the source node caches the new route in its Route Cache.

After a route has been selected and established, it is maintained by a route maintenance procedure until either the destination becomes inaccessible along every path from the source or the route is no longer desired. Route maintenance is accomplished through the use of route error (RERR) packets and acknowledgements (ACKs). When sending a packet, the source node lists the entire sequence of nodes through which the packet is to pass. Each node forwards the packet to the next node in the sequence, which is indicated in the packet’s header, and attempts to confirm that the packet is received by the next node, by means of link-layer ACKs.
The RERR packet is generated when a node encounters a fatal transmission problem, i.e., it is unable to get this confirmation after a limited number of local retransmissions. The node sends the RERR packet to the source node to inform it about the broken link. The source node then removes the broken link from its Route Cache. For later transmissions to the same destination, the source node may choose another route in its cache, if it has one; otherwise, it may initiate a new route discovery process.

2.2. Vulnerabilities of DSR routing protocol and possible attacks

All the routing protocols initially assume that all the nodes within the network behave properly according to the routing protocols and that no malicious nodes exist in the network. Obviously this assumption is too strong to be practical. Various potential attacks on ad hoc routing protocols have been widely exploited [1,6,7,9] and can be classified into passive attacks and active attacks. A passive attack listens to the routing traffic, aiming to gather valuable information, such as network connectivity, location, traffic distribution, and so on. An active attack is an attempt to improperly modify routing messages, inject erroneous routing messages, or impersonate a node in order to confuse the routing procedure and degrade the network performance. The main goal of a passive attack is to create a threat against the network privacy, rather than to disrupt the operation of the routing protocol. Here, we mainly consider the active attacks against the DSR routing protocol.

Depending on the purpose of the attackers, active attacks against the DSR routing protocol can be further categorized as routing disruption attacks and resource consumption attacks. In routing disruption attacks, the attacker attempts to route legitimate packets in a malicious way, while in resource consumption attacks, the attacker aims to consume valuable network resources, for example bandwidth, or to consume other nodes’ limited memory space and computational power. The following are several possible behaviors of these two types of attack.

An attacker can simply create an ignorance attack by destroying or discarding all the routing packets it receives. Since all the packets through that node are dropped, the attacker is not involved in the network communication and just hides itself from the other communicating nodes. Moreover, an attacker can forge a RERR message by pretending that a link is broken, to reduce the amount of routing information available to other nodes. These types of attacks have limited impact on the network performance, as long as there are multiple routes between the source and destination nodes.

An attacker can further launch a black hole attack by sending forged routing packets, so that it can route all the packets for some destinations to itself and then discard them. This attack can be easily deployed by impersonating the destination nodes. As a special case, an attacker can choose to selectively drop packets instead of all packets, thus creating a gray hole attack. One possible solution to black hole and gray hole attacks is to use an intrusion detection mechanism, in which each node’s behavior is monitored and analyzed periodically. For example, Watchdog and Pathrater in [9,10] are such mechanisms. Moreover, impersonation may also happen to the source node or any other node in the network.

An attacker can shorten or lengthen the node list in the RREQ and RREP messages by removing existing nodes or adding some fabricated nodes, so the source node would get an invalid route, i.e., the route discovery process fails under this attack.

An attacker can also create another type of routing disruption, named the wormhole attack [7], using a pair of malicious nodes, A and B, linked together via a private network connection. Every packet A receives from the ad hoc network, it forwards to B using the wormhole, and then B forwards this packet normally; similarly, B may forward all the packets it receives to A. Such an attack potentially disrupts routing by short-circuiting the normal flow of routing packets.

An attacker can mount a replay attack by sending some old messages to a node, aiming to overload the network and deplete the node’s resources.
More seriously, an attacker can create a rushing attack by sending many RREQ packets with high frequency, in an attempt to keep other nodes busy with the route discovery process, so the network service cannot be obtained by other legitimate nodes. Replay attacks and rushing attacks are considered resource consumption attacks.

An attacker can also perform an IP spoofing attack by sending a packet containing its own MAC address and a victim’s IP address, thereby usurping the IP-to-MAC address binding of the victim in the other neighbors’ ARP caches. This causes the attacker to receive the packets intended for the victim.

Finally, we note that all the attacks discussed above can be generated by an adversary as well as by a compromised node. If the attack is launched by a compromised node, it would have access to all cryptographic keys of the network, and it may also cooperate with other adversaries or compromised nodes. This type of attack has a more serious effect in degrading the network performance.

2.3. Identity-based signcryption

The idea of an identity-based cryptosystem was proposed by Shamir [4] with the original motivation of simplifying certificate management in e-mail systems, thus avoiding the high cost of public-key management and signature authentication in PKI supported cryptosystems. The basic idea is to find an approach in which each entity’s public key can be defined by an arbitrary string. In other words, users may use some well-known information, such as an e-mail address, IP address, or identity, as their public key, so there is no need to propagate this common information through the network. The idea remained a theoretical concept until the first practical identity-based encryption scheme was proposed by Boneh–Franklin [11]. Since then several other identity-based cryptography schemes [12–16] have been proposed.

Recently, a new type of cryptographic primitive, named identity-based signcryption, which combines the function of a digital signature with a symmetric key encryption algorithm, was introduced in [17,19]. A digital signature scheme is used for the authentication of messages and an encryption algorithm is used for the confidentiality of messages. Signcryption offers these two properties in a single step, and is also computationally more efficient than the traditional signature-then-encryption scheme.
For such a system to work, there is a private key generator (PKG), which generates the system parameters and the master public/private key pair, and makes the master public key known to everyone. The master private key is kept only by the PKG itself. The PKG is also responsible for generating private keys corresponding to the defined public keys for the network users, using the master private key and the user’s public key. In other words, an identity-based signcryption scheme involves four algorithms: Setup, Extract, Signcrypt and Unsigncrypt. The functions of these algorithms are described below:

• Setup: Generate the master public/private key pair and common system parameters.
• Extract: Given a public key, generate the corresponding private key.
• Signcrypt: Suppose A wishes to send a message m to B. This function takes A’s private key, B’s public key and m as input, and generates the corresponding ciphertext r.
• Unsigncrypt: Suppose B receives a ciphertext r from A. This function recovers the corresponding plaintext m, using A’s public key and B’s private key.

2.4. (k,n) threshold secret sharing algorithm

Secret sharing allows a secret to be shared among a group of users (also called shareholders) in such a way that no single user can deduce the secret from his share alone. To reconstruct the secret, one needs to combine a sufficient number of shares. $(k, n)$ threshold secret sharing means that the secret is distributed to $n$ shareholders, and any $k$ out of the $n$ shareholders can reconstruct the secret, but any collection of fewer than $k$ partial shares cannot get any information about the secret. Here, $k$ is the threshold parameter such that $1 \le k \le n$.

One classical $(k, n)$ secret sharing algorithm was proposed by Adi Shamir [3] in 1979, and is based on polynomial interpolation. To distribute a secret $S$ among $n$ users, a trust authority chooses a large prime $q$, and randomly selects a polynomial $f(z)$ over $Z_q$ of degree $k - 1$, such that $f(0) = S$. The trust authority computes each user’s share using $S_i = f(i) \bmod q$ and securely sends the share $S_i$ to user $i$.
Then any $k$ shareholders can reconstruct the secret using the Lagrange interpolation $f(z) = \sum_{i=1}^{k} S_i\, l_i(z) \pmod q$, where $l_i(z) = \prod_{j=1, j \ne i}^{k} (z - j)/(i - j) \pmod q$ is the Lagrange coefficient. Shamir’s secret sharing scheme suffers from the requirement of a trust authority and the absence of share verification. Many enhancements such as [8,20,21] have been proposed. Also, work has been done on the issues related to verifiable secret sharing [22] and verifiable secret redistribution [23].

3. Proposed security solution

In this section, we first describe our assumptions about the network, and then give an overview of our scheme, which combines the ideas of threshold and identity-based cryptography. We describe the details of the distributed key management and authentication mechanisms.

3.1. Assumptions

Unlike other PKI supported security schemes [25–29], the security solution described in this paper does not rely on any assumption of an underlying key management sub-system. That is, there is no trusted authority to generate and distribute the public/private keys and there is no pre-built trust association between nodes in the network. All the keys used are generated and maintained in a self-organizing way within the network.

Similar to most of the common assumptions on securing ad hoc networks, we also assume that all wireless links are bidirectional. In fact, many wireless medium access control protocols also require bidirectional links to exchange link-layer frames for avoiding collisions. This implies that if node A is in the transmission range of B, then B is also in the transmission range of A.

We mainly consider the attacks against the DSR routing protocol, and disregard the attacks from other layers. The adversary may perform arbitrary operations to drop, corrupt, replay and fabricate routing packets, and a set of malicious nodes may mount attacks against the routing protocol concurrently. To simplify the problem, we assume that the multiple malicious nodes do not collude and mount a routing attack together.

We assume that each node carries an IP address or an identity, which is unique and unchanged during its lifetime in the ad hoc network. The IP address or identity can be obtained through some dynamic address allocation and auto-configuration, only if the address is selected without any conflict with other nodes in the network. We also assume that each mobile node has a mechanism to discover its one-hop neighborhood and to get the identities of other nodes in the network.

3.2. Proposed security scheme

3.2.1. Overview

Securing ad hoc network routing protocols needs to meet several basic security services, such as authentication, confidentiality, integrity, availability and non-repudiation. Our proposed security scheme comprises two components: distributed key management, and identity and hash chain based authentication. The key management component provides the public/private key pair for each node of the ad hoc network in a distributed way, and the generated keys are used for authentication during the route discovery process. The identity-based authentication mechanism performs end-to-end authentication and provides confidentiality between communicating nodes, and the one-way hash chain protects hop-by-hop routing messages. During the authentication process, a symmetric session key is calculated on both sides of the communicating nodes, which is used in data encryption/decryption to keep the integrity of data packets.

3.2.2. Distributed key management

Consider an ad hoc network with $N$ nodes in the initial phase. The network has a public/private key pair, called the master key $\langle PK, SK \rangle$, which is used to provide the key generation service to all the nodes in the network. The master key pair is generated in such a manner that the master public key $PK$ is well known to all the nodes in the network, and the master private key $SK$ is shared by all of them in a $(k, n)$ threshold fashion. Each of them holds a unique secret share of the master private key $SK$, and no one is able to reconstruct the master private key based on its own information. Any $k$ nodes among them can reconstruct the master private key jointly, whereas it is infeasible for at most $k - 1$ nodes to do so, even by collusion. The threshold parameter $k$ $(1 \le k \le n)$ controls the trade-off between security and service availability. Choosing a value of 1 for $k$ gives the least security while keeping the highest service availability. On the other hand, selecting a value of $n$ for $k$ results in maximum security but weak service availability.

As mentioned, we assume that each regular node has a unique IP address or identity when it joins the network. In the following description, we use identity to refer to this. Each node within the network needs to obtain its personal private key corresponding to its identity and register with the network before utilizing any network service. In the following, we describe the basic operations of our proposed key management approach: master public/private key generation, private key generation service, and new master private key share creation.

3.2.2.1. Master key generation. Our master key generation mechanism does not need the support of a trusted third party to safely compute a master key, separate it into multiple pieces (shares) and then distribute the shares to shareholders. Instead, the master key pair is computed collaboratively by the initial network nodes without constructing the master private key at any single node. The scheme we use is an extension of Shamir’s secret sharing [3] without the support of a trust authority. In the scheme, each node $C_i$ randomly chooses a secret $x_i$ and a polynomial $f_i(z)$ over $Z_q$ of degree $k - 1$, such that $f_i(0) = x_i$. Node $C_i$ computes its sub-share for node $C_j$ as $ss_{ij} = f_i(j)$ for $j = 1, 2, \ldots, n$ and sends $ss_{ij}$ securely to $C_j$. After sending the $n - 1$ sub-shares, node $C_j$ can compute its share of the master private key as $S_j = \sum_{i=1}^{n} ss_{ij} = \sum_{i=1}^{n} f_i(j)$. That is, the master key share of node $C_j$ is combined from the sub-shares of all the nodes, and each of them contributes one piece of that information. Similarly, any coalition of $k$ shareholders can jointly recover the secret as in basic secret sharing using $\sum_{i=1}^{k} S_i\, l_i(z) \bmod q$, where $l_i(z)$ is the Lagrange coefficient. It is easy to see that the jointly generated master private key is $SK = \sum_{i=1}^{n} x_i = \sum_{i=1}^{n} f_i(0)$. We also deploy verifiable secret sharing to detect invalid shares that some shareholders generate to prevent the reconstruction of the secret key.
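The dealer-less sharing above, together with the Shamir reconstruction of Section 2.4, can be run end to end; the following is an added example, not code from the paper. It goes one step further and applies the same Lagrange coefficients to the share a joining node receives (Section 3.2.2.3). The prime `Q`, the function names and the 5-node, threshold-3 setup are assumptions chosen for the illustration, and secure transport, share verification and shuffling are left out.

```python
# Added illustration (not code from the TIDS paper): dealer-less (k, n) sharing.
import secrets

Q = 2**127 - 1  # a Mersenne prime, standing in for the paper's large prime q


def poly_eval(coeffs, z, q=Q):
    """f(z) = coeffs[0] + coeffs[1]*z + ... mod q, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % q
    return acc


def lagrange_coeff(i, members, z, q=Q):
    """l_i(z) = product over j in members, j != i, of (z - j)/(i - j) mod q."""
    num = den = 1
    for j in members:
        if j != i:
            num = num * (z - j) % q
            den = den * (i - j) % q
    return num * pow(den, -1, q) % q  # modular inverse, Python 3.8+


def joint_keygen(n, k, q=Q):
    """Each node C_i picks x_i and f_i of degree k-1 with f_i(0) = x_i and sends
    ss_ij = f_i(j) to C_j; C_j's share is S_j = sum_i ss_ij mod q.
    Returns ({j: S_j}, [x_i]); the x_i are returned only so the demo can
    check the result, no node ever holds them all."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    polys = [[secrets.randbelow(q) for _ in range(k)] for _ in range(n)]
    shares = {j: sum(poly_eval(f, j, q) for f in polys) % q
              for j in range(1, n + 1)}
    return shares, [f[0] for f in polys]


def reconstruct(subset, q=Q):
    """Interpolate at z = 0 from a coalition's shares {i: S_i}."""
    members = list(subset)
    return sum(s * lagrange_coeff(i, members, 0, q)
               for i, s in subset.items()) % q


def share_for_new_node(p, coalition, q=Q):
    """Joining node C_p: each coalition node C_i contributes S_i * l_i(p) and
    C_p adds the k partial shares. An unshuffled partial share reveals S_i,
    because l_i(p) is public; hence the shuffling the paper mentions."""
    members = list(coalition)
    partials = [s * lagrange_coeff(i, members, p, q) % q
                for i, s in coalition.items()]
    return sum(partials) % q


def demo():
    n, k = 5, 3
    shares, xs = joint_keygen(n, k)
    sk = sum(xs) % Q                                  # SK = sum of all x_i
    ok = reconstruct({i: shares[i] for i in (2, 4, 5)}) == sk
    short = reconstruct({i: shares[i] for i in (2, 4)}) == sk
    s6 = share_for_new_node(6, {i: shares[i] for i in (1, 3, 5)})
    joined = reconstruct({2: shares[2], 4: shares[4], 6: s6}) == sk
    return ok, short, joined


if __name__ == "__main__":
    print("k shares recover SK: %s; k-1 shares: %s; new node's share valid: %s"
          % demo())
```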


After the master private key is shared, each shareholder publishes Si P , where P is a common parameter used by the identity-based scheme [10]. Then the Pn master public key can be computed as PK ¼ i¼1 Si P . 3.2.2.2. Private key generation (PKG) service. The way to obtain a public/private key pair and register to the network is to contact with at least k neighbor nodes, present its identity and request PKG service. The node that holds the master key share can be the PKG service node. In our scheme, all the network nodes share the master private key, thus each of them can be the PKG service node. The k nodes works together to issue the public/ private key pair for the requesting node. Using identity-based cryptosystem, the public key can be any arbitrary string; usually it is decided by the node’s identity. In our scheme, the public key is computed as pkID ¼ fIDjjMACjjExpire timeg, which includes the requesting node’s identity, MAC address and expire time of this public key. Different with the standard identity-based cryptosystem, we bind the node’s identity with its MAC address to take care of the IP spoofing problem, based on the assumption that the identity and MAC address would keep unique and unchanged during its lifetime in the ad hoc network. We also add a time stamp to the public key, protecting from the private key loss. When the public key is expired, the node needs to obtain its new public key and corresponding private key. After determining the public key, each of the k PKG service nodes generates a secret share of a new private key sk and sends to the requesting node. To make sure the generated shares are securely transmitted, the requesting node may also present its self-generated temporary public key pktemp when sending request. Each of the PKG service nodes sends encrypted share to the requesting node using the requesting node’s temporary public key pk-temp. 
The process of generation of a share of the new secret key sk can be represented by ski ¼ fextract ðSi ; pkID Þ, where Si ði ¼ 1; . . . ; kÞ is the share of the master private key of the serving node, ID is the identity of the requesting node, pkID is its public key, and ski denotes the generated private key share for the

298

H. Deng, D.P. Agrawal / Ad Hoc Networks 2 (2004) 291–307

3.2.2.3. New master key share creation. When a new node joins a network, it presents its identity, self-generated temporary public key, and some other required physical proofs (depends on key issuing policy) to the k neighbor nodes and requests personal private key, the master public key and his share of the master private key. Each of the k nodes verifies the validity of the identity of the new node Cp . If the verification process succeeds, the private key can be generated using the method described in the previous section. To initialize the share of master key for the requesting node, each coalition node Ci generates the partial share sip ¼ Si  li ðpÞ for node Cp . Here, li ðpÞ is the Lagrange term. It encrypts the partial share using the temporary public key of requesting node and sends it to node Cp . Node Cp obtainsPits new share k by adding the partial shares as Sp ¼ j¼1 sp;j . Note that the partial shares may be shuffled before being sent to the joining node to protect the secrecy of the coalition nodes’ secret shares [32]. After obtaining the share of the master private key, the new joining node is available to provide PKG service to other joining nodes.

requesting node by the serving node i. The function fextract ðÞ is defined in [18]. By collecting the k shares of its new private key, the requesting node would compute its new private key sk. After this key exchange process, the requesting node obtains its new public/private key pair hpk; ski. Since we would like to make this public-key information well known to the whole network, we also define the public key as the requesting node’s network identifier (NID). The serving nodes broadcast the requesting node’s NID information to the network and all other nodes would register the requesting node into their registration table by entering the node’s NID. It is easy to see that an adversary cannot duplicate the existing identity in the network given the assumptions that the node’s identity is identical. One possibility is that the node who needs PKG service cannot get k neighbor nodes reachable. In this case, mobility can help solve this problem. The requesting node can move to discover more nodes in order to obtain k shares. In summary, during this distributed key generation phase, each node within the network obtains its public/private key pair, in which the public key is propagated in the network, and the private key is kept as a secret key. It may discard its temporary public/private key pair, and keeps the new key pair in its memory for the later authentication and communication. In the rest of the paper, we use the notation hpk; ski representing this new generated key pair. This public/private key generation process is showed in Fig. 1.

Fig. 1. Public/private key generation process. (Figure panels: node 1 broadcasts key generation request; reply with partial private key to the requesting node; broadcast node 1 registration information.)

3.2.3. Identity and hash chain based authentication

Authentication occurs during the route discovery phase, and the route discovery has two stages: the source node floods the network with a RREQ, and the destination node unicasts back a RREP. The authentication during route discovery process provides the following two properties: (1) strong end-to-end authentication: the source node can authenticate the destination node, and the destination node can also authenticate the source node; (2) hop-by-hop protection: no intermediate node can remove a previous node in the accumulated node list in the RREQ; (3) a symmetric session key is computed at both sides of communication during authentication process. We now describe in detail how these properties are achieved.

When a source node S needs to discover a route to a destination node D, it initiates a route request (RREQ) message, which includes the source (S) node and destination (D) node, a request sequence number, a list to accumulate the addresses of intermediate nodes forwarding this message, and an initial hash value. The initial hash value is computed as $h_0 = Hash(a)$, where a is a random number. The source node S also signcrypts the routing request message using its private key and the destination node's public key. It appends the computed initial hash value $h_0$ and the signcrypted message $\sigma_{rreq}$ to the packet and then broadcasts the RREQ packet. The neighbor node, receiving this RREQ packet, would check the validity of source node's public key Expire_time and consistency of the source node's identity and MAC address by comparing it with the registered NID information of this node. If any checking process fails, the node discards the packet; otherwise, it rebroadcasts. Any intermediate node, say X, receiving the packet checks whether it has already seen this packet by recognizing the combination of ⟨source node, request sequence number⟩. If it has, it discards the packet, as in regular DSR; otherwise it adds its address to the node list, replaces the hash value field with Hash(X, previous hash value) and rebroadcasts the packet.

When the destination node receives the RREQ, it performs a sequence of checking processes. It first unsigncrypts the received ciphertext $\sigma_{rreq}$, using the sender's public key and its own private key, and compares the result with the routing message received. If the comparison indicates a match, node D gets the initial hash value $h_0$. It would further verify that the sequence number is a new and valid one from the source node S. If the sequence number is greater than the last received sequence number from S, it checks that the hash chain field is equal to

$H[N_n, H[N_{n-1}, H[\ldots H[N_1, h_0] \ldots]]]$,

where $N_i$ is the node identity at position i of the node list in the RREQ, and n is the number of nodes in the node list. If any step of the above checking process fails, the authentication fails, and the destination node discards the RREQ packet; otherwise, the destination node prepares the RREP packet. It first copies the accumulated node list from the RREQ packet, reverses it, and puts it into the source route. Then it digitally signcrypts the destination and source addresses and the accumulated node list. It appends this signcrypted message $\sigma_{rrep}$ to the packet. The RREP is then routed back to the source node along the source route in the RREP packet. When the source node receives the RREP packet, it verifies that the packet is valid by unsigncrypting $\sigma_{rrep}$ and comparing the node list with the received route. When the verification succeeds, the source node accepts this packet as a valid route reply packet, and caches this route. If any of these checks fail, S discards the reply packet as it was either tampered with or not properly authenticated. This completes a two-way strong authentication process.

As an illustrative example, consider the topology of Fig. 2, comprising 11 nodes. Node S floods the network to discover a route to D. The packets exchanged between the nodes are shown in Fig. 3. We note that the above authentication scheme, in essence, is still an asymmetric key based approach, except that it shows some properties of lower computational cost and reduced communication overhead compared with the traditional PKI supported schemes. To further minimize the computational complexity, a session key is calculated at the two communicating nodes using the method defined in [19] during the authentication process, which is used for later data encryption/decryption.

Fig. 2. Route discovery on one example topology: source node S wishes to discover a route to destination D. (a) Source node S broadcasts RREQ; (b) destination node D unicasts back RREP.

Fig. 3. Packets exchanged between nodes during Route Discovery phase. Here, $sk_S$ and $pk_S$ represent the private/public-key pair of S, and $sk_D$ and $pk_D$ represent the private/public-key pair of D, respectively.

4. Scheme analysis

In this section, we first analyze our proposed scheme at a high level for satisfying security service requirements, and then at the protocol level by going through several attacks. We also present a comparison of computational overhead with the traditional PKI supported security schemes and some simulation results.

4.1. Security service analysis

Availability ensures the survivability of network services despite denial of service attacks. In our scheme we take care of this problem by making use of the (k, n) threshold secret sharing algorithm, as any k out of n nodes need to work together for key generation and key management. Thus, our security solution is tolerant to k − 1 compromised nodes, i.e., the adversaries have to compromise at least k − 1 nodes to break the key generation and key management services. Confidentiality ensures that certain information is never disclosed to unauthorized entities. In our scheme, confidentiality is taken care of by the identity-based signcryption mechanism during route discovery and symmetric key encryption/decryption for data transmission. Integrity guarantees that a message being transferred is never corrupted due to non-benign failure. During the route request (RREQ) and route reply (RREP) process, the two-way authentication process and one-way hash chain provide integrity, as the RREQ and RREP packets are properly signed by the source and destination nodes respectively, and the node list in the RREQ is securely hashed. Authentication enables a node to ensure the identity of the peer node it is communicating with, so that no attacker could masquerade as a node, thus gaining unauthorized access to resources and sensitive information. In our scheme, we have obtained a secure authentication mechanism by making use of identity-based signcryption. Finally, non-repudiation ensures that the origin of a message cannot deny having sent the message. Non-repudiation is useful for detection and isolation of compromised nodes. When a node A receives an erroneous message from a node B, non-repudiation allows A to accuse B using this message and to convince other nodes that B is compromised. In our scheme, during RREQ and RREP, the packets are signcrypted by the source and destination nodes respectively. If we choose an identity-based signcryption scheme with non-repudiation, for example [19], then they cannot deny having sent the requests.

4.2. Protocol analysis

In the following discussions we consider several scenarios of the possible attacks described in Section 2.2 and analyze them one by one. Here, we use the example topology shown in Fig. 2, and only a small part of the RREQ and RREP packets is used for analysis.

Scenario 1: Consider the case that node 1 attempts to conduct an ignorance attack. It discards the routing request packets arriving from its neighbors, excluding the one from node 5. By discarding routing request packets, node 1 partially narrows the network topology from S, but at the same time it practically removes itself from S's view. Thus, node 1 would not be involved in the communication path between S and D.

Scenario 2: Consider the case in which node 2 attempts to send a RREP by impersonating the destination node D, when it receives a RREQ from S. The node list it sends back would be {S, 1, D}. In our scheme, node 2 would be caught by its neighbor node, since the identity and MAC address received by the neighbor node would be different from the destination node's NID information. Moreover, the reply from node 2 cannot pass node S's authentication check, since it is impossible for node 2 to generate a valid signcrypted ciphertext without knowing the destination node's private key. In essence, it is not possible for anyone to impersonate any other node to his own advantage in our scheme.

Scenario 3: Consider three ways by which the attacker attempts to do a route modification. Firstly, malicious nodes may try to shorten a route by modifying the node list on a RREQ packet. Suppose when node 3 receives the RREQ packet from S, it works maliciously by removing one previous node 2 from the node list of the RREQ. We assume that all the other nodes on the route to node D follow the protocol correctly, so that D receives the RREQ packet, in which the node list would be {S, 1, 3, D}. The checking process in destination node D cannot succeed since the one-way hash chain checking fails.
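The hash-chain field of Section 3.2.3 and the route-shortening case just described, as an added example (not the authors' implementation). SHA-256 as Hash, the dictionary packet layout and all function names are assumptions; signcryption is not modelled, so $h_0$ is simply handed to the destination as if recovered from $\sigma_{rreq}$.

```python
import hashlib
import hmac


def H(*fields: bytes) -> bytes:
    """Hash(X, previous): SHA-256 over length-prefixed fields, so the pair
    (X, previous hash) cannot be confused with a different split of bytes."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()


def new_rreq(source, dest, seq, a):
    """Source S: h0 = Hash(a). Returns the RREQ and h0; in the scheme the
    destination learns h0 by unsigncrypting the request (not modelled)."""
    h0 = H(a)
    rreq = {"src": source, "dst": dest, "seq": seq, "node_list": [], "hash": h0}
    return rreq, h0


class Node:
    """Intermediate node X with DSR-style duplicate suppression."""

    def __init__(self, node_id):
        self.node_id = node_id
        self.seen = set()

    def forward(self, rreq):
        key = (rreq["src"], rreq["seq"])
        if key in self.seen:                # already seen <source, sequence number>
            return None
        self.seen.add(key)
        return {**rreq,
                "node_list": rreq["node_list"] + [self.node_id],
                "hash": H(self.node_id, rreq["hash"])}


def expected_chain(h0, node_list):
    """H[N_n, H[N_{n-1}, ... H[N_1, h0] ...]] recomputed from the node list."""
    acc = h0
    for node_id in node_list:
        acc = H(node_id, acc)
    return acc


def destination_accepts(rreq, h0, last_seq):
    """Destination D: sequence number must be newer, then the hash field must
    match the chain implied by the accumulated node list."""
    if rreq["seq"] <= last_seq:
        return False
    return hmac.compare_digest(rreq["hash"], expected_chain(h0, rreq["node_list"]))


def scenario3_shortened(rreq_received, own_id):
    """Constructed tampered packet for the check: the forwarding node drops the
    previous hop from the list but can only extend the hash it received."""
    return {**rreq_received,
            "node_list": rreq_received["node_list"][:-1] + [own_id],
            "hash": H(own_id, rreq_received["hash"])}
```

The shortened list fails because the forwarding node cannot invert the hash it received to recover the value that preceded the dropped hop.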
Secondly, a malicious node might be able to lengthen a route by appending false nodes {5, 7, 9} to RREQ packets, at the same time computing the false hash chain, but it would be recognized by its neighbor node through the identity and MAC address checking. Further, if the node can fortunately pass the neighbor's check, it does not gain anything other than the route being avoided, which it can achieve anyway by not forwarding the RREQ as in Scenario 1. Thirdly, an attacker such as node 1 might modify a RREP (e.g., it might add to or delete from the nodes of the node list). In this case, the RREP packet may be lost, or source node S would reject the modified RREP packet as it would not pass source node S's authentication check.

Scenario 4: In order to consume network resources, a malicious node may replay route requests or replies, which are discarded by intermediate nodes, to mount a replay attack. But the attack cannot succeed because replayed requests would be detected at the destination D and replayed replies will be discarded at source S due to the use of packet sequence numbers.

Scenario 5: Node 1 might spoof its IP address or identity and forward a route request as node 5. The RREQ message it forwards looks like {S, 5}. The neighbor node of node 1, for example node 2, would believe node 5 is in its neighbor list. This RREQ message would propagate through the network and reach destination node D. Consequently, the source node S would accept the route {S, 5, 2, 3, D}. In reality, the route goes through node 1 instead of node 5. In our scheme, we take care of this by binding the identity and MAC address in the NID, such that no IP spoofing attack is possible.

Scenario 6: The attacks launched by a compromised node within a network are more severe and tough to detect. In our scheme, we attempt to solve the problem of a single point of failure in the certification authority or trusted third party by using (k, n) threshold cryptography. Based on the assumption that the number of compromised nodes in an ad hoc network is few (less than k), we enhance the network's tolerance of compromised nodes. However, we cannot claim that our security scheme can handle all the attacks. One possible attack against the approach would be two malicious nodes working together during one route discovery phase.
We consider the case that node 1 and node 3 are malicious and they can cooperate via a private link to disrupt the routing procedure. When node 1 receives the route request from source node S, it computes the hash value, and sends the packet secretly to node 3. Node 3 also computes the hash and adds node 1 and node 3 to the RREQ. The node list in this RREQ that the destination node D receives looks like {S, 1, 3, D}. The packet can successfully pass the destination node D's checking process. During the route reply process, they route the RREP packet back to source node S in the same way. The RREP packet can also pass the source node's checking process and the false route would become a valid one. This attack can be considered as a hash chain attack. Therefore, other efficient security mechanisms are needed to deal with the attacks generated by colluding nodes.

4.3. Computational consumption and communication overhead

Compared with the traditional PKI supported security solutions, the scheme proposed in this paper has a lower communication overhead and reduced computational consumption. The conventional PKI based key management approaches assume each node's public/private key pair is self-generated, and the public key is propagated in the network. In order to identify each node, the public key has to be signed by a trusted certificate authority (CA). The certificates are also required to spread in the network, so that each node can get other nodes' certificates. Propagating these public keys and certificates consumes a lot of network bandwidth, and also causes a large network/connection setup delay. Moreover, caching of these public keys and certificates introduces problems of trust and storage. For a large ad hoc network, this adds considerable overhead on local storage. In our proposed scheme, the public/private key pair is generated by the neighbor nodes, and the public key is derived from well-known information, the node's identity. Thus there is no need for certificate generation, propagation, and storage. In addition, the public key is based on each node's identity, which can be much shorter compared to the 1024 bits public key in the RSA cryptosystem.
The properties of using a shorter public/private key pair and not spreading long-term certificates reduce the computational consumption and communication overhead. Further, the concept of identity-based signcryption used in this scheme brings us more savings. As mentioned earlier, to conduct a secure and authenticated communication, usually a two-step approach, called signature-then-encryption [18], is followed in a PKI based approach. Namely, before a message is sent out, the sender of the message would sign it using a digital signature mechanism, and then encrypt the message and the signature using a digital encryption algorithm. A digital signature is used for authentication of the message and encryption is for the confidentiality of messages. However, signature generation and encryption add more computational cost and also introduce additional bits to an original message, i.e. more communication overhead. Symmetrically, a comparable amount of computation is generally required for signature verification and decryption. In our scheme, we use a digital signcryption scheme, which offers authentication and confidentiality at the same time with an expense less than that required by signature-then-encryption. In [24], the author pointed out that the cost of signcryption is much less than the cost of signature-then-encryption. We use identity-based signcryption, which is more efficient than both the RSA-based and identity-based signature-then-encryption approaches.

4.4. Simulations

We also run simulations to further evaluate the performance of our proposed distributed key management mechanism. The simulations are run on a Linux machine, P4-2.0 GHz with 512M RAM. We implement identity-based encryption in the ns-2 [36] environment, in which IEEE 802.11 is used in the MAC layer. The radio model has a bit-rate of 2 Mb/s with a transmission range of 250 m. The transport protocol that we used for our simulations is User Datagram Protocol (UDP). The mobile nodes move from a random starting point to a random destination with a maximum speed of 5 m/s for each node.
Once the destination is reached, another random destination is targeted after a pause time of 10 s. The simulation time is 200 s. We vary the network size over {10, 20, 30, 40, 50} and measure the average time taken to jointly generate the master private key, the ratio of successful PKG service, and the time taken by the PKG service.

Table 1. Master key generation time

Network size    10      20      30      40      50
Time (s)        0.78    13.55   40.82   57.12   98.28

Table 1 shows the time for master key generation in terms of different network sizes. When we increase the network size from 10 to 50, the master key generation time also increases. This observation can be easily explained as the result of more transmission delay. To get a master key share, each mobile node needs to get a message from each of the other n − 1 nodes. As we enlarge the network size, the number of transmitted messages explodes, which results in a large transmission delay. From this observation, we can also conclude that the distributed master key generation is not suitable for ad hoc networks with a large number of mobile nodes; otherwise the network setup time would be long. One way to address this problem is to initialize a portion of the network nodes, that is, the master private key is first shared by part of the network nodes, and these initialized nodes can be used to initialize other nodes in a (k, n) threshold way.

Fig. 4 shows the ratio of successful PKG issuing as the value of the threshold varies. In PKG service, a large threshold value requires the node to collect a large number of shares for combining its private key. However, in some situations, the requesting node only has a few neighbors, i.e., it cannot get enough shares. We count this situation as an unsuccessful PKG service. From Fig. 4, the ratio of successful PKG service decreases as we increase the value of the threshold. That means, when we vary the value of the threshold from low to high, more and more mobile nodes cannot get enough neighbors for PKG service. For example, when the network size is 30, the ratio is 89% for threshold value k = 4, while the ratio decreases to only 12% if we choose threshold value k = 13. For different network sizes, we have a similar observation.

Fig. 4. Ratio of successful PKG service. (Plot: ratio of successful PKG service versus threshold value k, for network sizes N = 10, 20, 30, 40 and 50.)

In Fig. 5 we also give the average PKG service time to a new joining mobile node for different threshold values. We fix the network size to 50 and vary the threshold value from k = 4 to k = 13. As expected, the average PKG service time for a smaller threshold value is shorter, but it grows rapidly as we increase the value of the threshold. Thus, choosing an appropriate threshold value for different network sizes is important in real network applications.

Fig. 5. Average PKG service time. (Plot: average PKG service time in seconds versus threshold value k.)


5. Related work

In the recent research on security in wireless ad hoc networks, the approaches can be classified into two types, intrusion prevention and intrusion detection. Intrusion prevention implies developing secured protocols or modifying the logic of existing protocols to make them secure. Most key based security protocols [23–29] belong to this type. The idea of intrusion detection is to characterize the user's normal behavior within the network in terms of a set of relevant system features. Once the set of system features is selected, a classification model is built to recognize anomalies relative to normal behavior. Currently, the research on intrusion prevention and intrusion detection is separated, and intrusion prevention has been paid more attention. Actually, they are not independent, and should be considered together to provide security services.

Among the intrusion prevention approaches, [25,26,30] have proposed the use of asymmetric cryptography to secure ad hoc network routing protocols. Dahill et al. [25] have proposed ARAN, in which every node forwarding a route request and route reply message must sign it. Although their approach could provide strong security, performing a digital signature on every routing packet could lead to a performance bottleneck on both bandwidth and computation. In addition, it is prone to replay attacks using error messages unless the nodes have time synchronization. In [26], Zapata proposes a secure extension of the Ad Hoc On-demand Distance Vector routing protocol, named SAODV. The basic idea of SAODV is to use an RSA signature and a one-way hash chain (i.e., the result of n consecutive hash calculations on a random number) to secure the AODV routing messages. The effectiveness of this approach is sensitive to tunneling attacks, in which two malicious nodes can contact each other via a private link. An IP spoofing attack is still possible in the SAODV routing protocol.
Using public-key cryptography imposes a high processing overhead. A number of other researchers have also proposed the use of symmetric cryptography for authenticating ad hoc routing protocols, based on the assumption that a security association (a shared key $K_{SD}$) between the source node S and the destination node D exists. In [27], a secure ad hoc network routing protocol based on the design of the Destination-Sequenced Distance-Vector routing protocol, called SEAD, has been proposed. In this approach, a one-way hash function is employed to authenticate routing updates sent by a distance-vector protocol. Another approach, Ariadne [28], proposed by the same authors, uses the broadcast authentication scheme TESLA [31] for securing the DSR routing protocol. Papadimitratos and Haas [29] propose a Secure Routing Protocol (SRP), which can be applied to several existing routing protocols (in particular, DSR and IERP). In this approach, a Message Authentication Code (MAC) along with the shared key $K_{SD}$ is used to provide end-to-end security.

Most of the protocols discussed above (except [30]) make an assumption that efficient key distribution and management has been implemented by some kind of key distribution center or certificate authority, which has super power to keep connecting to the network and cannot be compromised, but how to maintain the super server safely and keep it available when needed presents another big issue and cannot be easily solved. To mitigate this problem, the concept of threshold secret sharing is introduced and there are two proposed approaches. Zhou and Haas [30] use a partially distributed certificate authority scheme, in which a group of special nodes is capable of generating partial certificates using their shares of the certificate signing key. This work is the first to introduce the threshold scheme into security protocols in ad hoc networks and provides an excellent guide to the following work. The drawback of this solution is that it still requires an administrative infrastructure available to distribute the shares to the special nodes and issue the public/private key pairs to all the nodes.
How to keep the n special nodes available when needed and how the normal nodes know how to locate the server nodes make the system maintenance difficult. In [32], Kong et al. propose another threshold cryptography scheme by distributing the RSA certificate signing key to all the nodes in the network. This scheme can be considered as a fully distributed certificate authority, in which the capabilities of the certificate authority are distributed to all nodes and any operations requiring the certificate authority's private key can only be performed by a coalition of k or more nodes. This solution is better in the sense that it is easier for a node to locate k neighbor nodes and request the certificate authority service since all nodes are part of the certificate authority service, but it requires a set of complex maintenance protocols. Recently, Khalili et al. [33] present the idea of using identity-based encryption for key distribution in high level language.

In the area of intrusion detection approaches, a few efforts have been made. Zhang and Lee [34] are the first to present a distributed intrusion detection and response architecture, which provides an excellent guide for the later works on designing intrusion detection systems in wireless ad hoc networks. Almost at the same time, Sergio Marti et al. [9] introduced the Watchdog and Pathrater techniques that improve throughput in an ad hoc network by identifying misbehaving nodes that agree to forward the packets but never do so. The Watchdog can be considered as a simple version of an intrusion detection agent to identify misbehaving nodes, and the Pathrater works as the response agent to help routing protocols avoid these nodes. However, the Watchdog can only detect the nodes that do not forward the packets, and the method only works on the source routing protocol since two-hop routing information is needed. Considering the limited bandwidth and battery power in wireless ad hoc networks, another distributed intrusion detection system using mobile agent technology is proposed in [35]. The function of the intrusion detection system is further distributed into several sub-tasks, such as network monitoring, host monitoring, decision making, and action. Each node in the wireless ad hoc network performs some sub-tasks of the intrusion detection, not the whole function, which reduces the communication cost and increases the performance of the system. We have seen that many security solutions have been proposed to secure ad hoc networks, but no one is able to claim that it solves all the security problems, or even most of them. Actually, securing ad hoc networks is still in its early stage and would be a long-term ongoing research topic.


6. Conclusions and future work

Wireless ad hoc networks are an emerging research area with many useful applications. However, the security problem in wireless ad hoc networks is not trivial to solve. In this paper, we define several security requirements for ad hoc network security. We mainly consider the security issues at the network layer, and propose a new efficient security solution, TIDS, for securing the ad hoc network in terms of the DSR routing protocol. The security analysis of the scheme shows that the proposed scheme successfully avoids some common attacks against ad hoc routing protocols. The main contribution of our proposed security solution relies on the following aspects. First, we propose a new security scheme for ad hoc networks deploying the concept of identity-based signcryption. Our proposed scheme provides end-to-end authentication and confidentiality with reduced communication overhead and computational cost compared with the traditional PKI based approaches. Secondly, we completely avoid a centralized certification authority or trusted third party to distribute the public keys and the certificates, thus enhancing the tolerance of the network to compromised nodes and also efficiently saving network bandwidth. Thirdly, the one-way hash chain mechanism protects hop-by-hop transmission. Finally, using a symmetric key encryption algorithm for data transmission further saves the wireless nodes' computational power. The most significant advantage of our scheme lies in the reduction of computational cost and communication overhead while enhancing the overall security. However, our scheme is not immune to all possible attacks. Using a one-way hash chain leaves the scheme vulnerable to colluding nodes. Since identity-based signcryption is less expensive than the traditional PKI supported cryptosystem, we would look at the possibility of using it at every node.
Our ongoing work also includes comparing this design with several recent protocols discussed in Section 5 and considering a more efficient scheme for colluding nodes.


References [1] D.P. Agrawal, Q.-A. Zeng, Introduction to Wireless and Mobile Systems, Brooks/Cole, Belmont, MA, 2002. [2] D.B. Johnson, D.A. Maltz, Dynamic source routing in ad hoc networks, in: C.E. Perkins (Ed.), Ad Hoc Networking, Addison-Wesley, Reading, MA, 2001, pp. 139–172. [3] A. Shamir, How to share a secret, Communications of the ACM 22 (11) (1979) 612–613. [4] A. Shamir, Identity based cryptosystems and signatures Schemes, in: Proceedings of the Advances in Cryptology, 1984. [5] R. Hauser, A. Przygienda, G. Tsudik, Reducing the cost of security in link state routing, in: Proceedings of the Symposium on Network and Distributed Systems Security (NDSS’97), 1997, pp. 93–99. [6] M. Jakobsson, S. Wetzel, Stealth attacks on ad-hoc wireless networks, in: Proceedings of Vehicular Technology Conference, 2003. [7] A. Perrig, Y.C. Hu, D.B. Johnson, Wormhole protection in wireless ad hoc networks, Technical Report TR01-384, Department of Computer Science, Rice University, December 2001. [8] C. Asmuth, J. Bloom, A modular approach to key safeguarding, IEEE Transactions on Information Theory IT-29 (1983) 208–211. [9] S. Marti, T. Giuli, K. Lai, M. Baker, Mitigating routing misbehavior in mobile ad hoc networks, in: Proceedings of the 6th International Conference on Mobile Computing and Networking (MOBICOM’00), August 2000, pp. 255–265. [10] H. Deng, Q.-A. Zeng, D.P. Agrawal, SVM-based intrusion detection system for wireless ad hoc networks, IEEE Vehicular Technology Conference, Orlando, October 6–9, 2003. [11] D. Bonh, M. Franklin, Identity-based encryption from Weil pairing, in: Advances in Cryptology, CRYPTO 2001, Lecture Notes in Computer Science, vol. 2139, Springer, Berlin, 2001, pp. 213–229. [12] C. Cocks, An identity based encryption scheme based on quadratic residues, in: B. Honary (Ed.), Cryptography and Coding, Lecture Notes in Computer Science, vol. 2260, Springer, Berlin, 2001. [13] F. 

Hongmei Deng is currently a Ph.D. candidate at the University of Cincinnati. Her main research interest is the security of wireless networks. She received her BS and MS degrees from Tianjin University, China, in 1994 and 1997, respectively, majoring in Electrical Engineering.


Dharma P. Agrawal is the Ohio Board of Regents Distinguished Professor of Computer Science and Computer Engineering at the University of Cincinnati. He is the founding director of the Research Center for Distributed and Mobile Computing. His research interests include energy-efficient routing and information retrieval in ad hoc and sensor networks, effective handoff and multicasting in integrated wireless networks, interference analysis in piconets and routing in scatternets, use of directional antennas for enhanced QoS, scheduling of periodic real-time applications, and automatic load balancing in heterogeneous workstation environments. He is a Fellow of the IEEE and the ACM. He received his DSc degree from the Federal Institute of Technology, Lausanne, Switzerland, in 1975.