IEEE/OSA/IAPR International Conference on Informatics, Electronics & Vision

An Efficient Key Agreement Scheme for Infrastructure Less Wireless Network (ILWN)

Md. Ataur Rahman Khan

Golam Moktader Nayeem

Dept of Electronic & Communication Engineering Southern University Bangladesh Chittagong, Bangladesh gm [email protected]

Dept of Electronic & Communication Engineering Southern University Bangladesh Chittagong, Bangladesh [email protected]

M. A. Mottalib

Dept. of Computer Science & Information Technology Islamic University of Technology Gazipur, Bangladesh [email protected]

978-1-4673-1154-0/12/$31.00 ©2012 IEEE

ICIEV 2012

Abstract- For the last decade or so, wireless and mobile communication and its applications have been enjoying tremendous attention because of their unique features. More recently, an increasing emphasis has been on the potential of infrastructure less wireless mobile networks that are easy, fast and inexpensive to set up, with the view that such technologies will enable numerous new applications in a wide range of areas. However, security in ILWN is still in its primary stage, as very little attention has been devoted so far to this topic by the research community. We identify the initial exchange of authentication and key credentials, referred to as pre-authentication, as well as authentication and key exchange as primary security goals. In particular, the problem of authentication has been widely neglected in existing security solutions, even though it is a necessary pre-requisite for other security goals. The Elliptic curve crypto system (ECC) provides more security in less key length, which makes it energy efficient. Through a thorough study and implementation we show the scheme provides better security to infrastructure less wireless networks.

Keywords: EC; key; wireless; RSA; elliptic;

I. INTRODUCTION

Infrastructure Less Wireless Network (ILWN) is believed to be a highly promising technology and will play an increasingly important role in future generations of wireless networks. Infrastructure Less Wireless Network (ILWN) is a radical network form of the ever-evolving wireless networks that marks the divergence from the traditional centralized wireless systems such as cellular networks and wireless local area networks (LANs). The primary advantages of an ILWN lie in its inherent fault tolerance against network failures, simplicity of setting up a network and the broadband capability. Such types of network are: Mobile Ad-hoc Network (MANET), Wireless Mesh Networks (WMN), Pervasive Distributed Networks (PDN) etc.

Key management protocol plays a vital role in establishing secure communication between nodes in a wireless network. Usually wireless networks are highly vulnerable to eavesdropping and Denial of Service (DoS) attacks. It is also easy to mount replay and man-in-the-middle attacks on these types of networks [1][2]. So it is a very crucial factor to establish a secure channel between participating nodes before communication takes place. As the nodes are mobile, stand-alone devices, they have limited computational power and limited energy. So the establishment of the secure channel must be efficient both in terms of computational overhead and energy usage. Normally in centralized networks these issues are handled by the central system, but in the case of ILWN, the nodes have to provide sufficient security and privacy before communication takes place. In this paper we try to address those issues after a thorough study and propose an elliptic curve based key management scheme to partially solve these problems.

II. RELATED WORK

Providing security in ILWN is a challenging task. A lot of work has been done in this area. In [3], a lightweight key management protocol has been proposed based on Wired Equivalent Privacy (WEP) by using a small key at the time of trust establishment. In [4], a pairwise key pre-distribution scheme has been proposed based on Blom's key pre-distribution, but it has substantial computational overhead. Eschenauer and Gligor [5] have proposed key-management schemes based on random key pre-distribution. A subset of keys is randomly selected from a large key pool and distributed to each sensor before deployment. Each sensor node receives a random subset of keys from a large key pool; to agree on a key for communication, two nodes find one common key within their subsets and use that key as their shared secret key [5]. Based on this scheme, Chan, Perrig, and Song proposed a q-composite random key pre-distribution scheme, which increases the security of key setup such that an attacker has to compromise many more nodes to achieve a high probability of compromising communication [6]. The difference between the q-composite scheme and the scheme in [5] is that q common keys (q ≥ 1), instead of just a single one, are needed to establish secure communication between a pair of nodes. It is shown that by increasing the value of q, network resilience against node capture is improved [5].

Du et al. have proposed a method to improve the Eschenauer-Gligor scheme using a priori deployment knowledge [7]. This method can also be used to further improve other random key pre-distribution schemes, such as the Chan-Perrig-Song scheme. Blundo et al. proposed several schemes which allow any group of t parties to compute a common key while being secure against collusion between some of them [8]. These schemes focus on saving communication costs while memory constraints are not placed on group members. D. P. Agarwal [9] has proposed an active cache based defense against flooding type DoS attacks and IP spoofing, but at the initial stage the algorithm misclassifies a bursty flow as an attack, which eventually degrades the overall system performance. Raniwala and Chiueh [10] have proposed a multi-channel architecture built on 802.11 wireless LAN. They proposed a fault tolerant channel assignment algorithm, but the algorithm doesn't adopt any security protocol. Ravi K. Balachandran et al. proposed a Chinese remainder theorem based DH contributory key agreement protocol [11]. The scheme suffers from the Man-in-the-Middle attack and the LCM attacks but is secure against the group key cracking attack. Avishai Wool [3] has proposed a lightweight solution to the host-revocation problem on IEEE 802.11 LANs. He used a long term secret key and periodic key refresh to increase the WEP performance. Feiyi Huang et al. proposed a flow based network monitoring scheme to detect misbehaving routers in Wireless Mesh Networks [12]. They use a third party in the scheme to analyze the network flow, but the failure of the third party node will degrade the network performance. Kui Ren et al. proposed a random key pre-distribution scheme combined with a hash chain mechanism, in which the key chain is generated using a keyed hash function [13].



III. OBJECTIVE

The problems identified in Infrastructure Less Wireless Network (ILWN) are summed up as follows:

• ILWN does not rely on any fixed infrastructure; instead, all networking functions are performed by the nodes themselves in a self-organizing manner.

• Nodes are battery operated devices, so the algorithm should not drain the battery.

• Limited storage capacity.

• Limited computational power, and thus a complex algorithm may increase the processing delay.

• The algorithm should provide enough security to minimize attacks like DoS, man-in-the-middle and replay attacks.

• The key should be small due to limited channel bandwidth.

A symmetric cryptography based key management scheme is preferable for wireless networks due to its low complexity and efficiency, but managing the shared secret key is quite difficult. It also provides less security than a public key cryptosystem. On the other hand, a public key cryptography based key management scheme provides better security, but at the price of high computational power. So we have to use a key management scheme that provides high security with less computational power, an efficient algorithm, less storage capacity and a small key.

IV. ELLIPTIC CURVE CRYPTOSYSTEM

In 1985, Neal Koblitz and Victor Miller independently introduced the elliptic curve cryptosystem as another alternative public key cryptosystem [14]. Let $F$ be an algebraically closed field. We write the affine plane $\mathbb{A}^2(F)$ as $F^2$ for short.

Definition 4.1 Let $C \in F[X, Y]$ be an irreducible polynomial. Then the set of zeros of $C$ in the affine plane $F^2$ is an affine plane curve over $F$, that is, $\{(x, y) \in F^2 \mid C(x, y) = 0\}$.

a) Group Law of an Elliptic Curve

Definition 4.2 Let $E$ be an elliptic curve defined over the field of real numbers $\mathbb{R}$ with its equation given by equation (1),

$$E: y^2 = x^3 + ax + b, \quad a, b \in \mathbb{R} \qquad (1)$$

Let $P$ and $Q$ be two points on $E$. We state the following rules that determine the negative of $P$ and the sum $P + Q$:

1. If $P$ is the point at infinity $O$, then define $-P$ to be $O$. For any point $Q$, define $O + Q$ to be $Q$. Thus, $O$ serves as the additive identity of the group $E(\mathbb{R})$. From now on, we suppose that neither $P$ nor $Q$ is the point $O$.

2. The negative $-P$ is the point with the same x-coordinate as $P$ but with negative y-coordinate; that is, $-(x, y) = (x, -y)$. From equation (13), it is clear that if $(x, y)$ is on the curve, then so is $(x, -y)$. If $Q = -P$, then define $P + Q$ to be $O$.

3. If $P$ and $Q$ have different x-coordinates, then the line $l = \overline{PQ}$ intersects the curve at exactly one more point $R$ (if $l$ is tangent to the curve at $P$ or $Q$, then take $R = P$ or $Q$ respectively). Define $P + Q$ to be $-R$, that is, the mirror image of the third point of intersection with respect to the x-axis.

4. For the last case where $P = Q$, let $l$ be the tangent line to the curve at $P$ and let $R$ be the only other point of intersection of $l$ with the curve. Define $2P = -R$. (If $l$ has a "double tangency" at $P$, that is, if $P$ is a point of inflection, then let $R = P$.)

Figure 1: (a) Addition of two points in EC ($P \neq Q$) (b) Doubling of point in EC

b) Computational Overhead

We have discussed the operations addition and doubling in elliptic curves. The computational costs of both operations under affine coordinates and projective coordinates are summed up in Table 1.

Operation                 Affine coordinate            Projective coordinate
                          Inverse    Multiplication    Multiplication
Addition                  1          3                 16
Doubling (arbitrary a)    1          4                 10
Doubling (a = -3)         1          4                 8

Table 1: Computational overhead of addition and doubling over Fp

c) Elliptic Curve Cryptosystem

Elliptic curves were proposed for use as the basis for discrete logarithm-based cryptosystems almost 20 years ago, by Victor Miller of IBM and Neal Koblitz of the University of Washington. Since then, several variations of the elliptic curve cryptosystem have been proposed [14]. At this juncture, we shall only introduce the Elliptic Curve Encryption Scheme (ECES).

Let $E$ be an elliptic curve of the form expressed in equation (1) defined over the integers $\mathbb{Z}$, that is

$$E: y^2 = x^3 + ax + b, \quad a, b \in \mathbb{Z} \qquad (2)$$

Let $p$ be a large prime number such that the discriminant $\Delta$ of $E$ is not divisible by $p$. The discriminant $\Delta$ of $E$ is given by $-16(4a^3 + 27b^2)$. Thus, it requires that

$$-16(4a^3 + 27b^2) \not\equiv 0 \pmod{p}$$

Let $\#E$ denote the number of points $(x, y)$ lying on $E$, x, y, satisfying equation (2). $\#E$ may be given by

$$\#E = 1 + \sum_{x=0}^{p-1} \left( 1 + \left( \frac{x^3 + ax + b}{p} \right) \right) \qquad (3)$$

where $\left( \frac{\cdot}{p} \right)$ denotes the Legendre symbol for quadratic residues.

d) Elliptic Curve Discrete Logarithm Problem (ECDLP)

The ECDLP is the way in which an adversary can compute A's private key $d$ from A's domain parameters $(q, FR, a, b, G, n, h)$ and public key $Q$ [2]. The adversary can subsequently forge A's signature on any message of its choice. The elliptic curve discrete logarithm problem (ECDLP) is: given an elliptic curve $E$ defined over a finite field $F_q$, a point $P \in E(F_q)$ of order $n$, and a point $Q = lP$ where $0 \le l \le n - 1$, determine $l$.

V. PROPOSED KEY AGREEMENT SCHEME

In our scheme, we use an elliptic curve over a finite prime field to calculate the points on the curve, because a large value of the prime field increases the security of the algorithm. Before communication takes place, both communicating parties agree beforehand to use the same curve parameters and base point $P$. The public parameters are:

1. The curve $E$
2. The prime field $F_q$
3. A chosen point $P$, where $P \in E(F_q)$
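The two conditions of Section IV c), the discriminant test and the point count of equation (3), can be checked before nodes agree on the public parameters. This is an added example, not code from the paper; the function names and the toy curve $y^2 = x^3 + 2x + 2$ over $F_{17}$ with $P = (5, 1)$ of order 19 are assumptions, chosen so that the sum in (3) can be cross-checked by brute force.

```python
def legendre(n, p):
    """Legendre symbol (n/p) for an odd prime p, via Euler's criterion."""
    n %= p
    if n == 0:
        return 0
    return 1 if pow(n, (p - 1) // 2, p) == 1 else -1

def discriminant_mod_p(a, b, p):
    """-16(4a^3 + 27b^2) reduced mod p; zero means E is singular over F_p."""
    return (-16 * (4 * a**3 + 27 * b**2)) % p

def count_points(a, b, p):
    """#E from equation (3): 1 + sum over x of (1 + Legendre(x^3 + ax + b, p))."""
    return 1 + sum(1 + legendre(x**3 + a * x + b, p) for x in range(p))

def count_points_bruteforce(a, b, p):
    """Cross-check: enumerate every (x, y) pair, then add the point at infinity."""
    affine = sum(1 for x in range(p) for y in range(p)
                 if (y * y - (x**3 + a * x + b)) % p == 0)
    return affine + 1

def check_parameters(a, b, p, P, n):
    """Return (#E, cofactor h) or raise ValueError when a check fails."""
    if discriminant_mod_p(a, b, p) == 0:
        raise ValueError("discriminant is divisible by p: curve is singular")
    x, y = P
    if (y * y - (x**3 + a * x + b)) % p != 0:
        raise ValueError("base point P is not on E(F_p)")
    order = count_points(a, b, p)
    if order % n != 0:
        raise ValueError("claimed order n of P does not divide #E")
    return order, order // n

# Constructed toy parameters (assumption, not from the paper):
# y^2 = x^3 + 2x + 2 over F_17, base point P = (5, 1), claimed order n = 19.
TOY = dict(a=2, b=2, p=17, P=(5, 1), n=19)

if __name__ == "__main__":
    print("(#E, h) =", check_parameters(**TOY))
    print("brute force #E =", count_points_bruteforce(2, 2, 17))
```

The sum in equation (3) has p terms, so this check is practical only for small p; curves of the sizes listed in Table 2 need a point-counting algorithm such as Schoof's.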

Figure 2: Key Exchange Protocol. A and B both know the parameters $E$, $F_q$, $P \in E(F_q)$. A picks a random $k_A$ ($1 \le k_A \le q$) and calculates $Q_A = k_A P$; B picks a random $k_B$ ($1 \le k_B \le q$) and calculates $Q_B = k_B P$.

a) Key Establishment Phase

The key establishment steps are:

1. For communication, A first initiates a connection to B by relaying Hello with its pre-computed public key $Q_A = k_A P$, where $k_A$ is a chosen random number.

2. After receiving the message, B also sends his public key $Q_B = k_B P$, where $k_B$ is a chosen random number.

3. Then they both calculate their session key:
   Alice computes: $K = k_A Q_B = k_A k_B P$
   Bob computes: $K = k_B Q_A = k_A k_B P$

4. Both end up with the same result.

5. Once the keys are established, both parties can transmit application data encrypted with AES.

6. To close the connection securely, we use a close connection control message which deletes the previously generated keys.

VI. PERFORMANCE ANALYSIS

The simulation is operated on an Intel Core i3 Processor CPU 2.13 GHz and 2 GB RAM. The operating system is Windows 7. The simulation system was developed on NetBeans IDE 6.0, JDK 1.5. NetBeans IDE 6.0 was used as it integrates well with the emulators. The implementation of the cryptography algorithms (EC and RSA) was done with help from the third party cryptography API provider Bouncy Castle. The comparative simulation results are shown in Tables 2 and 3. From the results we can say that the EC based key agreement scheme performs better than the RSA algorithm. The RSA algorithm is one of the most widely used public key cryptosystems, so we compared our algorithm with RSA.

Table 2: Simulation Data (ECC/RSA), Key size vs Time and Text size

Column labels: Text; EC/RSA Key Size (bit): 192/1024, 256/3072, 384/768, 521/15360
Cell values in extraction order (row and column alignment not recoverable): I, 1000, 1000, 1000, 1200, 10, 9000, 10000, 10500, 12000, 1 10000, 120000, 100, 100000, 100000, 1000, 1000000, 1000000, 10000, 100, 7000, 75000, 1000000, 100000, 800, 9000, 100000, 1500000, 1000000, 8000, 60000, 125000, 2500000, 10000000, 60000, 600000

Input Byte    RSA Cipher Size    EC Cipher Size
2             128 byte           16 byte
4             128 byte           16 byte
8             128 byte           32 byte

Table 3: Plain text vs ciphertext between RSA and EC

Figure 3: Comparison between ECC and RSA
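Steps 1 to 4 of the key establishment phase, built on the group law rules of Section IV a), as an added example that is not the authors' Bouncy Castle implementation. The toy curve, the function names, the validation of the received public key and the SHA-256 derivation of the AES key are assumptions that the paper does not specify.

```python
import hashlib
import secrets
from collections import namedtuple

Curve = namedtuple("Curve", "p a b G n")   # n is the order of the base point G
O = None                                    # point at infinity

def on_curve(c, P):
    if P is O:
        return True
    x, y = P
    return 0 <= x < c.p and 0 <= y < c.p and (y * y - (x**3 + c.a * x + c.b)) % c.p == 0

def add(c, P, Q):
    """Group law of Section IV a), rules 1 to 4, carried out over F_p."""
    if P is O:
        return Q                                   # rule 1: O is the identity
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return O                                   # rule 2: Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1 % c.p, -1, c.p)   # rule 4: tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % c.p, -1, c.p)          # rule 3: chord slope
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)      # mirror image of the third point

def mul(c, k, P):
    """Double-and-add scalar multiplication kP."""
    R = O
    while k:
        if k & 1:
            R = add(c, R, P)
        P = add(c, P, P)
        k >>= 1
    return R

def keypair(c):
    k = secrets.randbelow(c.n - 1) + 1             # private k in [1, n-1]
    return k, mul(c, k, c.G)                       # public Q = kP

def session_key(c, k, Q_peer):
    """K = k * Q_peer, computed only after the received point passes validation."""
    if Q_peer is O or not on_curve(c, Q_peer) or mul(c, c.n, Q_peer) is not O:
        raise ValueError("peer public key rejected")
    K = mul(c, k, Q_peer)
    # Assumption: AES key = SHA-256 of K's x-coordinate (the paper names no KDF).
    return hashlib.sha256(K[0].to_bytes((c.p.bit_length() + 7) // 8, "big")).digest()

# Constructed toy curve (assumption): y^2 = x^3 + 2x + 2 over F_17, P = (5, 1), order 19.
TOY = Curve(p=17, a=2, b=2, G=(5, 1), n=19)

if __name__ == "__main__":
    kA, QA = keypair(TOY)          # step 1: A sends Hello with Q_A
    kB, QB = keypair(TOY)          # step 2: B answers with Q_B
    print(session_key(TOY, kA, QB) == session_key(TOY, kB, QA))   # steps 3 and 4
```

The exchange carries no proof of who sent $Q_A$ or $Q_B$; the validation in `session_key` only rejects points that are off the curve or outside the subgroup generated by $P$.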

VII. CONCLUSION

This paper is a small initiative to initiate the establishment of security association in Infrastructure Less Wireless Networks (ILWN). However, Authentication, Authorization and Key Management in Wireless Networks still need a lot of investigation, since they should be achieved on several interacting security layers, each of which has its own considerations, requirements and specifications. A thorough analysis of the available security solutions led us to a possible adaptation of a key management scheme for infrastructure less wireless networks. On the other hand, the features of the proposed key management scheme proved the capability of such a scheme to distribute the trust among wireless nodes. In this paper we presented a practical implementation of our proposed scheme and showed its characteristics.

VIII. SCOPE FOR FURTHER WORK

We have implemented the scheme using application software. But there are many known vulnerabilities of software oriented secured systems. They can be summed up as follows:

• The entire system can be copied without detection.

• The system can be compromised due to site failure, network failure and so on.

• In a soft system the required credentials can also be copied exactly.

So our future work is to implement the scheme at the hardware level. Additionally, a suitable combination of soft system and hard system can be designed for better functionality.

IX. REFERENCE

[1] N. B. Salem and J.-P. Hubaux, "Securing wireless mesh networks," IEEE Wireless Communications, 13(2), pp. 15-55, April 2006.

[2] Parag S. Mogre, Kálmán Graffi, Matthias Hollick, and Ralf Steinmetz, "AntSec, WatchAnt, and AntRep: Innovative Security Mechanisms for Wireless Mesh Networks", 32nd IEEE Conference on Local Computer Networks, 2007.

[3] Avishai Wool, "Lightweight Key Management for IEEE 802.11 Wireless LANs with Key Refresh and Host Revocation", Springer Science + Business Media, Inc., 2005.

[4] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks", In Proceedings of the ACM Conference on Computer and Communications Security (CCS), Washington DC, USA, 2003.

[5] Laurent Eschenauer and Virgil Gligor, "A key-management scheme for distributed sensor networks", In Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 41-47, November 2002.

[6] Haowen Chan, Adrian Perrig, and Dawn Song, "Random key predistribution schemes for sensor networks", In Proceedings of the 2003 IEEE Symposium on Security and Privacy, pages 197-213, May 2003.

[7] W. Du, J. Deng, Y. S. Han, S. Chen, and P. K. Varshney, "A key management scheme for wireless sensor networks using deployment knowledge", Technical Report, Syracuse University, July 2003. Available from http://www.cis.syr.edu/~wedu/Research/paper/ddhcv03.pdf.

[8] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, "Perfectly-secure key distribution for dynamic conferences", Lecture Notes in Computer Science, 740:471-486, 1993.

[9] Lakshmi Santhanam, Deepti Nandiraju, Nagesh Nandiraju and Dharma P. Agarwal, "Active Cache Based Defense against DoS Attacks in Wireless Mesh Network", IEEE Journal, pp 419-424, 2007.

[10] A. Raniwala and T. Chiueh, "Architecture and Algorithms for an IEEE 802.11-based Multi-channel Wireless Mesh Network," in Proc. of IEEE Infocom '05.

[11] Ravi K. Balachandran, Xukai Zou, Byrav Ramamurthy and Amandeep Thukral, "An efficient and attack-resistant key agreement scheme for secure group communications in mobile ad-hoc networks", Wireless Communications and Mobile Computing 2007, Published online in Wiley InterScience, DOI: 10.1002/wcm.575.

[12] Feiyi Huang, Yang Yang and Liwen He, "A Flow-Based Network Monitoring Framework For Wireless Mesh Networks", IEEE Wireless Communications, October 2007.

[13] Kui Ren, Kai Zeng and Wenjing Lou, "A new approach for random key pre-distribution in large-scale wireless sensor networks", Wirel. Commun. Mob. Comput. 2006; 6:307-318, Published online in Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/wcm.397.

[14] V. S. Miller, "Use of Elliptic Curves in Cryptography," H. C. Williams, Ed., Advances in Cryptology - CRYPTO, LNCS, vol. 218, 1985, Springer-Verlag, 1986, pp. 417-426.