A Totally Distributed Cluster Based Key Management Model for Ad hoc Networks

Mohamed Elhoucine Elhdhili, Lamia Ben Azzouz, Farouk Kamoun
CRISTAL Laboratory, ENSI, University of Manouba, Tunisia

Abstract— In this paper, we address key management in ad hoc networks. Ad hoc networks are a new wireless networking paradigm in which mobile hosts rely on each other to keep the network connected without the help of any preexisting infrastructure or central administrator. Thus, additional vulnerabilities and features specific to this new networking paradigm have appeared, which may make traditional solutions unsuitable. In particular, the absence of a central authorization facility in an open and distributed communication environment is a major challenge, especially due to the need for cooperative network operations. For this reason, key management is particularly difficult to implement in such networks. In this paper, we study the different proposals published so far, then we propose a new solution. Our solution uses the clustering technique and derives from the distributed PKI solutions presented in the literature. It combines the strength of a centralized PKI within each cluster and a distributed PKI among the clusterheads, leading to more suitable, economic, adaptable, scalable and autonomous key management.

I. INTRODUCTION

The recent evolution of wireless communication technology and the appearance of mobile computers push researchers today to make more efforts to reinforce access to information anywhere and at any time. Wireless networks can be classified into two categories: networks with infrastructure, which basically use the cellular communication model, and networks without infrastructure (ad hoc networks). In ad hoc networks, mobility covers all components of the environment and mobile hosts collaborate to build up a temporary network infrastructure. Hence, new features related to ad hoc networks appeared: a dynamic topology leading to frequent disconnections, a reduced bit rate, a large number of heterogeneous nodes, and modest, energy-limited resources. As a consequence, the classical client/server model doesn't match this type of network, and management tasks are distributed over a group of nodes that collaborate to ensure the proper working of the network.

Today, network security, whether the network is wireless or not, is an important component of network management. It needs more work in the case of ad hoc networks due to link vulnerabilities, nodes lacking physical protection and a dynamically changing topology. In ad hoc networks, it is difficult to implement authentication techniques known from wired networks, such as digital signatures and certificates, since the client/server model is not adapted. In the literature, different works have proposed key management mechanisms for ad hoc networks. These solutions have advantages but they present some limits, such as the administrator's availability and congestion. Our work is inspired by existing solutions and proposes a distributed key management architecture based on clustering techniques.

The paper is structured as follows: in section 2, we review schemes related to the problem. In section 3, we present our security architecture. We summarize our general assumptions, then we describe our solution in detail. Section 4 discusses the robustness and efficiency of our solution in comparison with existing ones. Section 5 briefly presents our implementation on UNIX platforms. Finally, in section 6, we conclude the paper and outline our immediate future work.

II. STATE OF THE ART

Several researchers have recently studied the key management problem in ad hoc networks [1], [2], [3], [4], [5], [6], [7], [8], [9]. [1] and [2] describe a totally distributed PKI solution in which all nodes share the certificate authority signing key according to the (K, N) threshold scheme [10], [11], [12], [13]. This scheme is based on Lagrange interpolation: a polynomial function of degree K-1 can be reconstructed knowing just K of its points. To share the certificate signing key S between N users, we consider a polynomial function of degree K − 1 < N as follows:

$$f(x) = (S + a_1 x + a_2 x^2 + \dots + a_{k-1} x^{k-1}) \bmod p$$

where p is a huge prime number and $a_1, a_2, \dots, a_{k-1}$ are arbitrarily chosen from Z/pZ. Then we provide each user of identity $id_i$ with its partial key $S_i = f(id_i)$. The polynomial function can be reconstructed by any K out of N collaborating users as follows:

$$f(x) = \sum_{i=1}^{k} S_i \, L_{id_i}(x) \bmod p$$

$$L_{id_i}(x) = \prod_{j=1,\, j \neq i}^{k} \frac{x - id_j}{id_i - id_j}$$

and the secret S is then calculated as S = f(0). Thus, a set of K collaborating users can reconstruct the certificate signing key S. In this solution, the services provided by the CA (Central Authority), such as certificate renewal or revocation, are delegated to all nodes in the network, except the certification service (certificate delivery), which is performed by the CA itself. An operation requiring the CA's private key cannot be done without the participation of K or more collaborating nodes. So, this solution assumes that every node has a minimum of K neighbors and that each node obtains an initial certificate from the CA before joining the network. Consequently, this solution has the drawback that, when the CA leaves, no new node is able to join the network. The system then provides distributed services to maintain and update initial certificates.

[3] describes a partially distributed PKI solution. It differs from the solution described above in that the services provided by the CA, except the certification service, are distributed to specialized nodes in the network called servers. This solution assumes that a subset of nodes is able to take on the specialized server role and that every node has a minimum of K neighbor servers.

[4] describes a self-issued certificates solution similar to PGP, where certificates are delivered independently by the users themselves. Each user can sign the public keys of other users. Moreover, a user certificate can be signed by one or more other users, and each signer indicates how much trust to place in a specific certificate when it signs it. Each user stores a small number of certificates that have been issued. Authentication can be done by finding a certificate chain between the two users wanting to authenticate each other [14], [15].

This solution requires neither centralized administration nor pre-existing infrastructure, but it presents a bootstrapping problem. In the beginning, all repositories are empty, so authentication can't function until these repositories reach a certain number of certificates. Moreover, a node certifies a user without taking the other nodes' point of view into account, so that node is assumed to be trustworthy. But how can we define trust in ad hoc networks?

[5] describes a distributed key system based on symmetric encryption called secure pebblenets. The solution provides only group authentication, message integrity and confidentiality. It doesn't provide peer to peer authentication. All network nodes store the same secret key, called $K_{GI}$ (Group Identity Key), which lasts for the network lifetime. This key is used to provide group authentication and to derive additional keys used to provide confidentiality and integrity. The derived keys are updated at regular intervals in a distributed manner. During the updating phase, the network is divided into clusters (groups), each with a clusterhead. The clusterheads elect one of them to generate new additional keys. These keys are then given to the clusterheads, who distribute them to their cluster members. This solution requires an administrative infrastructure that securely initializes nodes with $K_{GI}$. It remains a limited solution because $K_{GI}$ must be transmitted via a secured channel. Besides, nodes must also maintain a back-up memory resistant to attacks, which requires special nodes. Moreover, the solution uses several parameters and executes complex key update algorithms just to ensure group authentication, integrity and confidentiality, but not peer to peer services.

[6] describes a solution called demonstrative identification. This solution provides a mechanism to establish trust relationships in spatially limited ad hoc networks, as in conferences, where the extent of the network is limited in space. To establish initial trust, two nodes first exchange pre-authentication data (public keys, for example) over a location-limited channel such as infrared or audio. Then, any traditional key agreement protocol such as Diffie-Hellman can be used over the main communication channel to establish a common key used to protect the communication. This solution doesn't require an administrative authority but is only applicable in local ad hoc networks, not large ones. Moreover, it requires that nodes can exchange information over location-limited channels.

Many other works presented other solutions, but just for group key establishment. These solutions don't ensure peer to peer authentication but construct a secret to be used by all network nodes. Examples of protocols are GDH.2 (Generalized Diffie-Hellman) [7], hypercube [8], octopus and the tree based algorithm [9]. These protocols need an arbitrary topology to be set up, which is not the case in ad hoc networks, known for their dynamically changing topology.

III. THE PROPOSED SOLUTION

Approaches presented in the literature tried to solve the key management problem in ad hoc networks, but these solutions still carry many limits (administrator availability and congestion, dependence of nodes on the administrator and so on). In this section, we describe the approach that we propose for key management in ad hoc networks. Our solution is based on the clustering technique and is inspired by the partially distributed PKI solution.

A. Clustering in ad hoc networks

Clustering consists in grouping the nodes into clusters (groups) where one node in each cluster functions as clusterhead, responsible for some tasks. Clusters are used for different purposes; we distinguish [16]:

1) Clustering for transmission management: Clustering provides a mutual organization of network nodes that simplifies coordination of transmission among neighboring nodes. This technique reduces interference in a multiple access broadcast environment by forming distinct clusters of nodes in which transmissions can be scheduled in a contention free manner by using, for example, different spreading codes in adjoining clusters. Each cluster contains a clusterhead, one or more gateways and zero or more ordinary nodes. The clusterhead schedules transmission and allocates resources within the cluster, while gateways connect adjacent clusters. Generally, all cluster members are within one hop of the clusterhead and hence within two hops of each other. This arrangement provides low delay paths between cluster members that may communicate frequently, and it places clusterheads in the ideal location to coordinate transmissions among their cluster members.

2) Clustering for backbone formation: In any network, the delay incurred by a packet at each hop is a function of the processing and queuing delays at the transmitting node and the transmission and propagation delays over the link. Thus, in a multihop network, reducing the number of hops in a route may significantly reduce the end to end delays experienced by packets traversing the route. Routing backbones consisting of small numbers of long range links are frequently employed to provide low delay, high speed connectivity between distant nodes in large networks. Thus, in ad hoc networks, reduced-hop backbone topologies can be formed by clusterheads, which enables direct communication with a more distant node, but it may also increase interference because the node's transmissions will be received at higher power and by a large number of nodes. Thus, it is better to isolate local transmissions within a cluster from distant ones along the backbone.

3) Clustering for routing efficiency: Ad hoc networks are known for their dynamically changing topology, leading to frequent route discovery and maintenance. Clustering significantly reduces the overhead costs imposed by routing without sacrificing the quality of the routes produced. In addition, a node moving within the same cluster without entering an overlapping zone causes no problem, since it doesn't affect the cluster structure. That means that the entries of both routing tables and neighbor tables won't be modified. Moreover, each node is localized in a single cluster by the corresponding clusterhead. This considerably reduces the number of entries in the routing tables. Finally, routing can be accomplished via backbones, leading to more efficient routing algorithms.

Thus, the clustering technique facilitates network management and ensures the best assets for this management (adaptability, scalability, autonomy, heterogeneity, survivability and economy).

B. The proposed solution

The solution we propose for key management in ad hoc networks assumes the existence of a clustering protocol which can split the network into groups that are stable enough. It uses a (K,N) threshold scheme to distribute an RSA certificate signing key to the set of clusterheads. It also uses proactive and verifiable secret sharing to protect the secret respectively from denial of service attacks and node compromise.
1) System architecture: The system architecture, as shown in Fig. 1, contains three types of nodes: an administrator (central authority), which is present only at the initialization step and can then leave the network; a set of clusterheads that provide the administrator's services when it leaves; and simple nodes grouped into clusters. Each node has a private and a public key. In this architecture, we consider that each clusterhead is a central certification authority for its cluster members and that it is initialized either by the administrator (see paragraph "system bootstrapping") or by a coalition of K other clusterheads. Operations inside the same cluster are accomplished exactly as in a standard PKI (registration, certification, publishing and certificate validation), where the clusterhead plays the role of a certification authority. The administrator's responsibilities are distributed over the existing clusterheads. So, every operation requiring the administrator private key $SK_{CA}$ (Central Authority Secret Key) can be accomplished by any K collaborating clusterheads.

Fig. 1. System architecture.

2) Cluster generation step: We are not going to propose a new clustering protocol but to select an existing one (WCA [17], ABCP [18], DDCA...) which would be suitable for our case study concerning key management. The clustering parameters that we must take into consideration are:

• Clusters stability: we prefer having clusters where the corresponding clusterheads have a minimum mobility degree.
• Clusterheads energy: it is better to elect the clusterheads having the highest power, because they will be responsible for some tasks.

3) System bootstrapping: For system bootstrapping, we suppose that we have an administrator which plays the role of a certification authority (PKI) for the existing clusterheads and can then leave. Its main role is to certify existing clusterheads, distribute his secret key over them according to the secret sharing scheme and finally give them his certificate. Thus, every clusterhead $C_i$ will be supplied with a partial key $S_i$ of the certification authority secret key, a valid certificate $cert_i$ and the administrator certificate. Clusterheads will then be considered as a distributed certification authority for the new ones. Details concerning initialization are as follows (see Fig. 2): We suppose that the administrator has a directory in which he saves the certificates of the clusterheads he certifies. We suppose also that every clusterhead has a directory where he saves the certificates of the other clusterheads as well as the administrator's certificate.

Fig. 2. Initialization of the clusterhead C by the administrator.

• The new clusterhead tries to connect to the administrator. If the latter is available and is listening to client requests, the clusterhead sends him an initialization request REQ-INIT. It includes in this request a set of information such as its identity and its public key. This information will be useful for the creation of its certificate.
• When the administrator receives a request from a clusterhead C, he validates the related information, then executes the following operations:
  - Computes a partial key $S_C$ for C from $SK_{CA}$ (Central Authority Secret Key) using the clusterhead identity.
  - Creates a certificate $cert_C$ for C.
  - Sends the set $(cert_C, S_C, cert_{ADMIN})$ to C.
  - Sends the certificates of the already initialized clusterheads to C.
  - Saves C's certificate in his directory.
  - Sends C's certificate to all already initialized clusterheads.
• The clusterhead C receives the set $(cert_C, S_C, cert_{ADMIN})$ and the certificates of the others and saves them. Then, he begins listening in order to receive the certificates of the other clusterheads which will obtain initialization information after him. Thus, when the administrator leaves, every clusterhead has already saved the certificates of the others.

C. Inter clusters services

Services provided by the certification authority, which is distributed over the set of clusterheads, can be divided into three categories: certification services, maintenance services and security services. The first includes certification and certificate renewal or revocation. The second includes incorporating new clusterheads in the network by supplying them with their partial keys $S_i$ derived from the administrator secret key $SK_{CA}$. This includes a proactive partial key update to protect the secret $SK_{CA}$ from compromise. The third includes essentially authentication.

1) Certification services: In this part, we describe the certification services ensured by the distributed certification authority. These services require the collaboration of at least K already initialized clusterheads.

• Obtaining a certificate by a new clusterhead: Every new clusterhead must obtain a valid certificate. He requests it either from the administrator, if he is still present, or from at least K other clusterheads. We focus on the latter case. Every requested clusterhead sends him a partial certificate. These partial certificates are then combined to obtain a certificate as if it was computed by the administrator. Details are as follows (we suppose that a new clusterhead $C_n$ wants to obtain a certificate):
  - $C_n$ broadcasts a certification request to all clusterheads. He includes in this request his identity and a digest of the information which composes his certificate (his identity, dates, his public key, etc.). This amounts to the new clusterhead composing his certificate and then attempting to have it signed with the administrator secret key, which is shared over the clusterheads. We will call this digest cert.
  - Every clusterhead $C_i$ with partial key $S_i$ who receives the request verifies $C_n$'s information, then decides whether or not to send him a partial certificate signature. If he accepts to serve him, he sends him $cert^{S_i}$ and a set of other information useful for the verification of the generated partial signature [1], [2].
  - $C_n$ verifies the validity of the responses [1], [2], then he combines K valid partial signatures to form a valid signature for his certificate according to the formula:

$$sig = \prod_{i \in B} \left(cert^{S_i}\right)^{L_{id_i}(0)}$$

$$sig = cert^{\sum_{i \in B} S_i L_{id_i}(0)}$$

$$sig = cert^{t \cdot N + SK_{CA}}$$

The certificate signature must be $cert^{SK_{CA}}$. Thus, $C_n$ applies an algorithm called "k bound offsetting algorithm" [3] to find the valid signature. The algorithm is as follows:

    Y0 = cert^(t.N + SK_CA)
    Z = cert^(-N) mod N
    j = 0, w = 1
    while (j ≤ k) do
        Y = Y0 × w mod N
        w = w × Z mod N
        if (cert = Y^(PK_CA) mod N) then certificate found = Y
        j = j + 1
    endwhile

• Certificate renewal for a clusterhead: Certificate renewal is accomplished exactly as obtaining a new certificate. But nodes have to check that the certificate hasn't been revoked or expired.

• Certificate revocation mechanism: The clusterhead certificate revocation mechanism is based on the fact that each clusterhead is verified and monitored collaboratively by its local neighbors. Thus we suppose that every clusterhead is able to measure its neighbors' behavior, such as detecting routing update or packet forwarding misbehaviors [19]. If a clusterhead detects that a node is misbehaving, he puts the corresponding certificate in his local CRL (Certificate Revocation List) and broadcasts an accusation against the node. Any clusterhead receiving such an accusation first checks its CRL to verify that the accusation didn't originate from a node whose certificate has been revoked. If the accuser's certificate has been revoked, the accusation is ignored. However, if the accusation originated from a valid node, the accused node is marked as suspect. When a threshold of legitimate accusations, i.e. K accusations, against the same node is received, the accused node's certificate is revoked.

2) Maintenance services: Maintenance is required to handle the joining of new nodes and to protect the security services against attackers who try to compromise the administrator secret key. This is done by proactively updating secret shares.

• Obtaining a partial secret key by a new joining clusterhead: Any new clusterheads joining the network are incorporated into the distributed CA by being provided with their own share of the CA certificate signing key $SK_{CA}$. Since the administrator is no longer part of the network, this share distribution mechanism needs to be handled by the nodes that have already been initialized, as illustrated in Fig. 3. An already initialized clusterhead i can generate a partial share for the joining clusterhead p as follows:

Fig. 3. The new joining clusterhead P is obtaining a partial secret key.

$$S_{p,i} = S_i \times L_{id_i}(id_p)$$

$$L_{id_i}(x) = \prod_{j=1,\, j \neq i}^{k} \frac{x - id_j}{id_i - id_j}$$

By combining K such partial shares, the complete share $S_p$ for the joining node can be generated as follows:

$$S_p = \sum_{i=1}^{k} S_{p,i} = \sum_{i=1}^{k} S_i L_{id_i}(id_p) = f(id_p)$$

However, the joining node is only allowed to know the sum of the K shares, not the values of the shares themselves. The reason is that $L_{id_i}(id_p)$ is a publicly known value and therefore the $S_i$ can be derived, thereby revealing the secret shares of the nodes in the coalition. To protect the secrecy of the coalition nodes' secret shares, they shuffle their partial shares before sending them to the joining node [1], [2].

• Obtaining the other clusterheads certificates: Now that he has obtained his partial key $S_C$ and his certificate $cert_C$, the clusterhead C must obtain the administrator certificate as well as the certificates of the other already initialized clusterheads. He must also send them his certificate. To do so, a newly initialized clusterhead broadcasts his certificate to all already initialized clusterheads. One among them sends him the certificate list. Thus, at any time, all initialized clusterheads have the same certificate list. Now, the new clusterhead becomes a member of the distributed CA. He can participate in its services; this includes his participation in initializing new joining clusterheads.

• Updating partial keys: This task could be done as presented in the secure pebblenets solution [5]. The network is already clustered. The corresponding clusterheads will elect one of them. He generates a new polynomial function for the update; he encrypts it using his private key and then sends it to the set of clusterheads. They decrypt it and then use it to update their partial keys. During this step, the network shouldn't certify new joining clusterheads.

3) Security services: In this part, we focus on the methods used by our approach to provide security services (authentication, integrity, non repudiation, confidentiality and availability).

• Inter cluster authentication: Before describing the inter cluster authentication process, we recall that every clusterhead maintains a certificate list of all the clusterheads as well as the administrator certificate. Authentication is done as follows (see Fig. 4): suppose that a node N1, member of a cluster CL1 with clusterhead C1, wants to authenticate a node N2, member of a cluster CL2 with clusterhead C2. N1 knows that N2 belongs to CL2, but he doesn't have the public key of CL2 in order to verify N2's certificate. Thus he sends a C2 authentication request to his clusterhead C1 (including N2's certificate). C1 knows that N2's certificate has been signed by C2; he verifies N2's certificate using C2's public key (retrieved from C2's certificate stored in the database maintained by C1). Then he responds to N1.

Fig. 4. Inter cluster authentication.

• Inter cluster integrity, confidentiality and non repudiation: Once inter cluster authentication is ensured, two communicating nodes can use normal security procedures such as digital signatures or symmetric/asymmetric/hybrid cryptography to ensure these services.
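The threshold operations of Sections II and III.C, as an added Python example that is not the authors' implementation: the administrator key $SK_{CA}$ is shared among clusterheads, K of them sign a certificate digest through partial signatures and the k bound offsetting loop, and a coalition issues a share to a joining clusterhead. The toy RSA key, the identities, sharing modulo the RSA modulus N (rather than a separate prime p) and the pairwise masking used for the share "shuffle" are assumptions made for this example.

```python
import hashlib
import secrets

# Constructed toy RSA key for the administrator (two Mersenne primes; far too
# small for real use). N is the RSA modulus, as in the offsetting algorithm.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
PK_CA = 65537
SK_CA = pow(PK_CA, -1, (P - 1) * (Q - 1))


def lagrange(ids, i, x):
    """L_{id_i}(x) mod N over the coalition `ids` (product over j != i)."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (x - j) % N
            den = den * (i - j) % N
    return num * pow(den, -1, N) % N


def make_shares(secret, k, ids):
    """Administrator: S_i = f(id_i), random degree k-1 polynomial, f(0) = secret.
    Assumption: arithmetic is modulo N rather than a separate prime p."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(k - 1)]
    return {i: sum(c * pow(i, e, N) for e, c in enumerate(coeffs)) % N for i in ids}


def partial_signature(cert, share, ids, i):
    """Clusterhead i: cert^(S_i * L_{id_i}(0)) mod N, exponent reduced mod N."""
    return pow(cert, share * lagrange(ids, i, 0) % N, N)


def combine(cert, partials):
    """Requester: multiply K partial signatures, then k bound offsetting."""
    y0 = 1
    for ps in partials:
        y0 = y0 * ps % N              # y0 = cert^(t*N + SK_CA), 0 <= t < K
    z = pow(cert, -N, N)              # cert^(-N) mod N
    w = 1
    for _ in range(len(partials) + 1):
        y = y0 * w % N
        if pow(y, PK_CA, N) == cert:  # verifies under the CA public key
            return y
        w = w * z % N
    return None


def threshold_sign(cert, shares, coalition):
    partials = [partial_signature(cert, shares[i], coalition, i) for i in coalition]
    return combine(cert, partials)


def issue_share(shares, coalition, new_id, mask=True):
    """Coalition: S_{p,i} = S_i * L_{id_i}(id_p); the sum over i is f(id_p).
    mask=True adds pairwise random values that cancel in the sum (assumed
    form of the shuffle), so no single message equals S_i * L_{id_i}(id_p)."""
    parts = {i: shares[i] * lagrange(coalition, i, new_id) % N for i in coalition}
    if mask:
        for a in coalition:
            for b in coalition:
                if a < b:
                    r = secrets.randbelow(N)
                    parts[a] = (parts[a] + r) % N
                    parts[b] = (parts[b] - r) % N
    return parts


def unmask_attempt(part, coalition, i, new_id):
    """Divide a received S_{p,i} by the public L_{id_i}(id_p): yields S_i only
    when the partial share was sent unmasked."""
    return part * pow(lagrange(coalition, i, new_id), -1, N) % N


def demo():
    k, ids = 3, [1, 2, 3, 4, 5]                  # constructed identities
    shares = make_shares(SK_CA, k, ids)
    digest = hashlib.sha256(b"id=6;pk=<constructed>;valid=<constructed>").digest()
    cert = int.from_bytes(digest, "big") % N
    sig = threshold_sign(cert, shares, [2, 4, 5])

    raw = issue_share(shares, [1, 3, 4], 6, mask=False)
    masked = issue_share(shares, [1, 3, 4], 6, mask=True)
    shares[6] = sum(masked.values()) % N         # joining clusterhead's share
    sig_with_new = threshold_sign(cert, shares, [2, 5, 6])
    return {
        "sig_valid": sig is not None and pow(sig, PK_CA, N) == cert,
        "same_as_admin": sig == pow(cert, SK_CA, N),
        "new_share_works": sig_with_new == sig,
        "raw_leaks_share": unmask_attempt(raw[3], [1, 3, 4], 3, 6) == shares[3],
        "masked_leaks_share": unmask_attempt(masked[3], [1, 3, 4], 3, 6) == shares[3],
    }


if __name__ == "__main__":
    print(demo())
```

The offsetting loop needs at most K+1 trials because each partial exponent is reduced modulo N, so the K exponents sum to $SK_{CA} + t \cdot N$ with $0 \le t < K$.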

D. Intra cluster services

Intra cluster services are services offered by each clusterhead to the members of his cluster. Since each clusterhead represents a central authority for his members, these services will be the same as the ones offered by a PKI. However, we can add other services such as group key establishment.

1) Intra cluster authentication: Here, we focus on the case where a node wants to authenticate another node in the same cluster. Since the clusterhead is a certification authority for his members, he is supposed to provide each one with a valid certificate signed with his secret key. He is also supposed to publish his public key. Thus any node can authenticate any other node in the same cluster using the corresponding clusterhead's public key.

2) Intra cluster integrity, confidentiality and non repudiation: This set of services is guaranteed within the same cluster thanks to the intra cluster services (central authority) offered by the corresponding clusterhead.

E. Reaction of our solution to topology changing

Here, we describe how our approach reacts to topology changes.

1) When a node joins the network for the first time: In most clustering algorithms (WCA [17], ABCP [18], DDCA), when a node joins the network for the first time, he attempts to join a cluster. Two main cases can take place: the new node is accepted in a cluster; otherwise he forms a new one. In the first case, the node must obtain a certificate signed by the corresponding clusterhead. The latter adds the generated certificate to his list and the node acts as a member of the network. If the node becomes a clusterhead, he must obtain a valid certificate and a partial key by requesting a coalition of K other already initialized clusterheads.

2) When a node leaves his cluster: When a node moves far from his cluster and joins another cluster, he must obtain a new certificate from the new corresponding clusterhead. The latter adds the generated certificate to his list and the old clusterhead deletes the old certificate from his list. A clusterhead certifies only his members, which are not numerous. Thus he won't be congested.

3) When a clusterhead moves: If a clusterhead quits his cluster, as mentioned in most clustering algorithms (WCA [17], ABCP [18], DDCA), he must inform his members so that they elect another clusterhead or join existing clusters. If a new clusterhead is formed, he must obtain a certificate and a partial key by requesting a coalition of K initialized clusterheads. Then, he certifies the members of his cluster using his private key.

IV. ANALYSIS

This part describes how our approach resists different attacks. We also highlight its contributions.

A. Resistance to attacks

In this paragraph, we attempt to evaluate our solution with regard to attacks. We focus on:

• Listening to packets: this passive attack can be easily countered by using an encryption technique. In our approach, since every node holds a certified public/private key pair, we can use asymmetric or hybrid encryption. The latter is more suitable since it is less resource consuming than the former.
• Traffic analysis: the goal of this attack is not to break confidentiality but to analyze packets. This analysis can reveal interesting information which could be used in much more severe attacks. To fight against this attack, we can introduce encryption in routing protocols.
• Impersonation: the attacker uses the identity of an authorized node in order to have access to network resources. We can establish an access control mechanism by accepting just nodes with valid certificates. Thus we can authenticate them.
• Modification: this attack is easily countered thanks to the use of digital signatures to provide data integrity.
• Insertion: in this attack, the attacker inserts data claiming that they come from a legitimate node. This attack can be easily countered since our approach ensures authentication. Thus, only authenticated nodes can inject useful data in the network, and even if attackers succeed in injecting data in the network, that data will be rejected.
• Denial of service: here, the attacker limits or blocks several network services. The attack can't be executed by exterior nodes because they can't have access to the network since they are not authenticated. However, it can be executed by authenticated nodes.
• Intrusion detection: this attack is solved since we accept only trusted nodes in the network. But the problem still exists: how can we define trusted nodes in ad hoc networks?

B. Contributions

In comparison to the other solutions, we can say that our solution discards centralized administration except in bootstrapping and ensures service availability despite mobility. It is more adaptable, even for temporary networks with high mobility, thanks to the clustering algorithm which makes it possible to elect the clusterheads with the minimum mobility. In addition, almost all configuration changes are local. This is very important regarding updates, synchronization and resource consumption. In the other solutions, mobility can lead to a heavy reconfiguration load: this is the case of fully and partially distributed solutions where, after a change in the topology, a node can no longer reach K different nodes to obtain a service like authentication.

Our solution is also more scalable. It can be adapted to either small or large networks. It is also more economical concerning resource consumption, since the services are ensured only by the clusterheads and not by all the nodes as in the fully distributed solution, where any node could be asked for a service. It ensures network connectivity and survivability despite splits or merges. During these two phases, we don't alter the nodes' configuration concerning certificate management. In addition, security services still work even if clusterheads aren't reachable.

Our solution requires that every clusterhead stores the other clusterheads' certificates. This is not a heavy task since we don't need synchronization when propagating new certificates to all clusterheads. In addition, the number of certificates stored is less than in the other distributed PKI solutions, which store in every node the certificates of all the other nodes. In our approach, only clusterheads store certificates. They store the certificates of the other clusterheads, but not the certificates of the other clusterheads' members, and every clusterhead stores the certificates of his own members. Thus, in comparison to the distributed PKI solution described in the literature, the number of certificates stored in each clusterhead is almost divided by the average number of nodes in a cluster. This is significant regarding resource consumption. As a consequence, a clusterhead will be requested just by the other clusterheads and his members. This is not the case of the other distributed PKI solution, where a server can be requested by any other node. Finally, in comparison to the fully distributed PKI solution, we see that the number of nodes that a clusterhead manages is divided by the average number of clusterhead members.

In a nutshell, our solution solves many problems experienced in the other ones presented in the literature. But, like any other architecture, it also has some limits. If the network is split into two or more parts and the number of clusterheads in one or more parts is lower than the parameter K, we can no longer provide either new clusterhead initialization or services that require the participation of K nodes, such as clusterhead certificate renewal or revocation.

V. IMPLEMENTATION AND TESTS

We have implemented our design on UNIX platforms using C++. We focused only on the application layer services. Tests were carried out on personal computers (PCs) equipped with wireless adapters. We used sockets for inter-process communication and threads for parallelism. We used neither routing protocol implementations nor clustering ones. Thus, we limited ourselves to a one-hop environment and considered each PC as a clusterhead.

In the implementation, we focused on three basic entities: the administrator (adm), the clusterheads (C) and the other nodes. Each entity runs a special program and interacts (using sockets and threads) with the others as described in Fig. 5:
• Interactions 1, between any clusterhead and the administrator. They exist only during system bootstrapping, where the administrator has to initialize a minimum number of clusterheads (by giving each one a partial signature key, a valid certificate of its own and the other clusterheads' certificates) before leaving the network.
• Interactions 2, between clusterheads. They exist during the whole network lifetime and are used to initialize newly arriving clusterheads or after changes in network topology.
• Interactions 3, between a node and the corresponding clusterhead. This is because the clusterhead is a central authority for its members.

The administrator and each clusterhead store the others' certificates in a local repository. All exchanged messages are text. We carried out several tests to prove the correctness of our implementation. These tests mainly include the initialization of a clusterhead, either by the administrator or by a coalition of other clusterheads. They also include distributed security services such as certificate renewal or revocation and partial key update.
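The K-clusterhead requirement behind coalition-based initialization, renewal and revocation, and the partition limit stated at the end of the contributions, can be made concrete with a small threshold-sharing example. This is an added example, not the authors' implementation: it assumes Shamir (K, n) secret sharing over a prime field as a stand-in for the partial signature keys, and the names `deal` and `combine`, the choice K = 3, n = 5 and all numeric values are constructed.

```cpp
// Added example, not the paper's code: Shamir (K, n) sharing, constructed values.
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

constexpr uint64_t P = 2147483647ULL;         // prime field modulus, 2^31 - 1
using Share = std::pair<uint64_t, uint64_t>;  // (clusterhead index x, f(x))

uint64_t mulmod(uint64_t a, uint64_t b) { return (a % P) * (b % P) % P; }
uint64_t powmod(uint64_t b, uint64_t e) {
    uint64_t r = 1;
    for (b %= P; e; e >>= 1, b = mulmod(b, b)) if (e & 1) r = mulmod(r, b);
    return r;
}

// Dealer (the administrator at bootstrap): coeffs[0] is the secret and the
// polynomial has degree K-1. A real dealer draws coeffs[1..] at random.
std::vector<Share> deal(const std::vector<uint64_t>& coeffs, uint64_t n) {
    std::vector<Share> shares;
    for (uint64_t x = 1; x <= n; ++x) {
        uint64_t y = 0;
        for (size_t i = coeffs.size(); i-- > 0;) y = (mulmod(y, x) + coeffs[i]) % P;
        shares.push_back({x, y});
    }
    return shares;
}

// Lagrange interpolation at x = 0 over the shares reachable in one partition.
uint64_t combine(const std::vector<Share>& s) {
    uint64_t acc = 0;
    for (size_t i = 0; i < s.size(); ++i) {
        uint64_t num = 1, den = 1;
        for (size_t j = 0; j < s.size(); ++j) {
            if (j == i) continue;
            num = mulmod(num, P - s[j].first);                     // (0 - x_j)
            den = mulmod(den, (s[i].first + P - s[j].first) % P);  // (x_i - x_j)
        }
        acc = (acc + mulmod(s[i].second, mulmod(num, powmod(den, P - 2)))) % P;
    }
    return acc;
}

int main() {
    const std::vector<uint64_t> coeffs = {123456789, 166, 94};  // K = 3
    std::vector<Share> all = deal(coeffs, 5);                   // 5 clusterheads
    std::vector<Share> major_part(all.begin(), all.begin() + 3), minor_part(all.begin() + 3, all.end());
    std::printf("partition with 3 heads: %llu\n", (unsigned long long)combine(major_part));
    std::printf("partition with 2 heads: %llu\n", (unsigned long long)combine(minor_part));
}
```

A production threshold signature combines partial signatures and never reconstructs the key in one place; the reconstruction here only makes the K-share requirement visible. The partition holding two clusterheads interpolates a wrong value, which corresponds to the case where initialization, renewal and revocation become unavailable.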

Fig. 5. Network entities interactions

This implementation can be improved once clustering and routing implementations are available to us.

VI. CONCLUSIONS AND FUTURE WORK

The present work is carried out in the general context of the study of security in ad hoc networks. We focused on key management problems in such networks. The project consists in analyzing existing key management solutions and mitigating their limitations by specifying an architecture, based on both the clustering technique and the distributed PKI, which better ensures security services in such an environment. Thus, in a first stage, we focused on the existing key management solutions for ad hoc networks proposed in the literature. Adequate solutions are based on PKI architectures, which can be centralized, partially distributed or fully distributed. Distributed architectures are more suitable for ad hoc networks, which are peer-to-peer networks where the client/server model is only marginally adaptable.

Hence, we have proposed a security architecture based on the clustering technique and taking advantage of the distributed PKI. This architecture attempts not only to mitigate the limitations of the proposed solutions but also to fulfill security and mobility needs in ad hoc networks. In comparison with other solutions, our architecture has many advantages, such as security service availability despite mobility and a reduced number of managed nodes and amount of stored information. Our solution makes it possible to set up a key management solution that is adapted to the constraints of ad hoc networks, especially the lack of infrastructure, energy limitations and mobility. It attempts to resolve key distribution problems using a locally centralized solution for the nodes of each cluster and a globally distributed solution for clusterheads. This has a great advantage concerning security service availability.

We implemented our architecture on a UNIX platform. We limited ourselves to application layer services in a one-hop environment. We executed several tests to verify the correctness of our implementation. What we have done could be improved when we are able to use clustering and routing implementations. We also plan to test our solution using simulation, especially regarding mobility and service availability.
