Distributed Hierarchical Key Management Scheme in Mobile Ad Hoc Networks

Fei Wang†, F. Richard Yu† and Anand Srinivasan‡
† Department of Systems and Computer Engineering, Carleton University, Ottawa, ON, Canada
‡ EION Inc., Ottawa, ON, Canada
Email: wangfei@sce.carleton.ca; richard yu@carleton.ca; [email protected]

Abstract - In mobile ad hoc networks (MANETs), the hierarchical key management structure has some distinct features and has become popular in many applications. In a MANET where the security requirement is high, node states should be considered when constructing a private key generator (PKG). In this paper, we propose a distributed hierarchical key management scheme in which nodes can get their keys updated from optimally selected nodes. The key management problem is formulated as a stochastic system, and the proposed scheme can select the best nodes from all available ones based on their security conditions. Simulation results show that the network compromising probability in the proposed scheme can be decreased significantly.

I. INTRODUCTION

ID-based cryptography or encryption (IBE) and the associated ID-based public key infrastructure (ID-PKI) have a number of properties that make them attractive in building security services for mobile ad hoc networks (MANETs) [1], which are gaining importance with the increasing number of potential applications, such as military battlefield communications. In ID-PKI, a global trusted authority (TA) owns a master secret key and is responsible for generating private keys for other nodes, based on the master key and the IDs of those nodes. A user identity is usually composed of a unique ID, such as an email address or a telephone number, and a preset expiration time indicating the life-span of the key. A user should contact the TA to get its private key updated before the current one expires. Consequently, the security of the TA becomes the major part of the whole network security.

To maintain the safety of the TA, threshold cryptography [2, 3] is proposed to allow the secret to be shared by multiple parties. In a MANET with N nodes, any k nodes in the group are capable of generating private keys using their shares of the master key, which is called (k, n) threshold cryptography.
The security of the network is breached only when more than a threshold number of node secrets are compromised.

In MANETs, a hierarchical key management structure can provide highly secure services because the security risk is distributed across different hierarchies. In that tree-like structure, the root TA need only distribute keys to its child organizations, each of which can work as the private key generator (PKG) and distribute keys to lower-level units, until finally all the end nodes get their secret keys. Some hierarchical key management schemes have been proposed in [4–6]. The authors of [6] give a summary of existing schemes and propose an ID-based threshold system which is fully resilient against compromise of any number of leaves in the hierarchy and a threshold of nodes in each of the upper levels of the hierarchy.

Although the above schemes have been proposed for hierarchical key management in MANETs, they concentrate only on the network structures and key allocation. Consequently, the dynamic behaviors of nodes in MANETs have been largely ignored. Specifically, how to select the best nodes to work as the PKG in a dynamic MANET has not been well studied in previous work.

In this paper, we propose a distributed hierarchical key management scheme, combined with an intrusion detection system (IDS), to select the best nodes to work as the PKG while taking into account the nodes' security conditions. The objective of the scheme is to improve network security. The node selection problem is formulated as a stochastic system, and the proposed scheme can select the best nodes from all available ones based on their security conditions. Simulation results are presented to show the effectiveness of the proposed scheme.

The rest of this paper is organized as follows. Section II presents the ID-based hierarchical key management in MANETs. System models are presented in Section III. The stochastic formulation and the solution are described in Section IV. We then present the key management process of our proposed scheme in Section V. Simulation results and some discussions are given in Section VI. Finally, we conclude this study in Section VII.

II. IDENTITY BASED HIERARCHICAL KEY MANAGEMENT IN MANETS

In this section, we present the ID-based hierarchical key management in MANETs.

978-1-4244-4148-8/09/$25.00 ©2009 This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE "GLOBECOM" 2009 proceedings.

Here we introduce a typical implementation [6] that is based on multivariate polynomials and is combined with ID-based and threshold cryptography. In this scheme, each node has a secret polynomial, and the shared key between two leaf nodes is computed by evaluating the polynomial held by one node at a point that corresponds to the identity of the other node.

Let $L$ be the depth of the hierarchy, i.e., the nodes are arranged in a tree with $L$ levels. Each node identity corresponds to the path from the root to the node (thus a node at level $i$ has as identity a vector with $i$ components $(I_1, \ldots, I_i)$, where each component is an integer). For desired threshold parameters $t_i$, the root authority chooses a random polynomial $F(x_1, y_1, \ldots, x_L, y_L)$, where the degree of $x_i, y_i$ is $t_i$. $F$ is chosen such that

$$F(x_1, y_1, \ldots, x_L, y_L) \equiv F(y_1, x_1, \ldots, y_L, x_L),$$

i.e., $F$ is symmetric between the $x$'s and $y$'s. A simple way to choose such a polynomial is to choose a random polynomial $f$ on the same variables and then set

$$F(x_1, y_1, \ldots, x_L, y_L) = f(x_1, y_1, \ldots, x_L, y_L) + f(y_1, x_1, \ldots, y_L, x_L).$$

The master secret key of the system is the polynomial $F$ itself. The secret key of the node with identity $I$ in the first level of the hierarchy is the polynomial $F_I = F(I, y_1, x_2, y_2, \ldots)$. Similarly, the secret key of a node at level $i$ with identity $I = \langle I_1, \ldots, I_i \rangle$ is the polynomial

$$F_I = F(I_1, y_1, \ldots, I_i, y_i, x_{i+1}, y_{i+1}, \ldots),$$

and the secret key of the leaf with identity $\langle I_1, \ldots, I_L \rangle$ is the polynomial in $L$ variables $F(I_1, y_1, \ldots, I_L, y_L)$. The shared key between the two leaf nodes $\langle I_1, \ldots, I_L \rangle$ and $\langle J_1, \ldots, J_L \rangle$ is the value of the polynomial

$$F(I_1, J_1, \ldots, I_L, J_L) = F(J_1, I_1, \ldots, J_L, I_L),$$

which each node can compute by evaluating its secret polynomial on the points that correspond to its peer's identity.
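The key derivation described above can be exercised end to end. The following added example (not code from this paper or from [6]) builds the symmetric polynomial for L = 2 over a prime field, derives node keys level by level, and shows two leaves computing the same pairwise key. The modulus, the dictionary representation, the function names and the sample identities are assumptions.

```python
import secrets
from itertools import product

P = 2**127 - 1  # prime modulus; the page does not fix a field, so this is an assumption


def random_symmetric_poly(thresholds):
    """Master secret F = f + f_swapped over GF(P).

    A polynomial is a dict {exponents: coeff}; exponents are ordered
    (x1, y1, ..., xL, yL) and x_i, y_i have degree at most thresholds[i-1].
    """
    ranges = [range(t + 1) for t in thresholds for _ in "xy"]
    f = {e: secrets.randbelow(P) for e in product(*ranges)}
    F = {}
    for e, c in f.items():
        swapped = tuple(e[i ^ 1] for i in range(len(e)))  # exchange x_i <-> y_i
        F[e] = (F.get(e, 0) + c) % P
        F[swapped] = (F.get(swapped, 0) + c) % P
    return F


def substitute(poly, pos, value):
    """Fix the variable at index pos to value (its exponent collapses to 0)."""
    out = {}
    for e, c in poly.items():
        key = e[:pos] + (0,) + e[pos + 1:]
        out[key] = (out.get(key, 0) + c * pow(value, e[pos], P)) % P
    return out


def derive_child_key(parent_poly, level, identity):
    """Key of a level-`level` node (1-based): parent's polynomial with x_level = identity."""
    return substitute(parent_poly, 2 * (level - 1), identity)


def shared_key(leaf_poly, peer_path):
    """A leaf evaluates its polynomial at y_i = J_i for the peer <J_1, ..., J_L>."""
    poly = leaf_poly
    for i, j in enumerate(peer_path):
        poly = substitute(poly, 2 * i + 1, j)
    return poly[(0,) * (2 * len(peer_path))]


def demo():
    master = random_symmetric_poly(thresholds=(2, 1))  # held by the root TA only
    unit_7 = derive_child_key(master, 1, 7)            # level-1 node <7>
    unit_9 = derive_child_key(master, 1, 9)            # level-1 node <9>
    leaf_a = derive_child_key(unit_7, 2, 3)            # leaf <7, 3>, keyed by its parent
    leaf_b = derive_child_key(unit_9, 2, 5)            # leaf <9, 5>
    leaf_c = derive_child_key(unit_7, 2, 4)            # leaf <7, 4>
    return {
        "a->b": shared_key(leaf_a, (9, 5)),
        "b->a": shared_key(leaf_b, (7, 3)),
        "a->c": shared_key(leaf_a, (7, 4)),
        "c->a": shared_key(leaf_c, (7, 3)),
    }


if __name__ == "__main__":
    keys = demo()
    print(keys["a->b"] == keys["b->a"], keys["a->c"] == keys["c->a"])
```

Each level-1 unit acts as PKG for its own subtree using only its partially evaluated polynomial; the master polynomial never leaves the root.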
An alternative approach to building a hierarchical scheme is to use subset-based key pre-distribution schemes as in [7], and extend it to a hierarchical scheme as in [5]. Note that our proposed scheme can be easily combined with any existing schemes without affecting their structures and key allocation.

We focus on the system dynamics of the MANETs. In a hierarchical key management scheme, key update can be processed at different hierarchies since multiple PKGs exist at different levels. It is possible for a node to get private keys from either its parent or a threshold of sibling nodes. Compromise of a subtree will not affect the security of another subtree, only if they do not have the same ancestors.

The aim of our work is to dynamically decide which node/nodes (can be a parent node or k nodes among the n sibling nodes with secret key shares) to work as PKG based on node states.

III. SYSTEM MODEL

The system time is divided into equal slots that correspond to the time intervals [8]. The length of a time slot depends on the security requirements and system environment. If the system is used in some extremely unsafe environments, the time interval can be shorter than that used in safe environments. We use the information observed from the IDS for decision making. The IDS is widely used in networks to detect unwanted access attempts; it may continuously or periodically monitor the network activities and detect intrusions. In our system, the IDS is also used to select the best nodes based on their conditions.

A. System Security Model

Each node $n$ ($n \in \{1, \ldots, N\}$) has a finite number $I_n$ of states representing the security conditions. For example, the security state space $S$ can be defined as {safe, attacked, compromised}. The security state of the potential node $n$ at the time instant $t$ ($t \in \{1, \ldots, T\}$) is defined as $s_n^t$, which evolves according to an $I_n$-state Markov chain with one-step transition probability matrix

$$P_n^a = (\phi_{ij})_{i,j \in I_n} = \Pr(s_n^{t+1} = j \mid s_n^t = i), \qquad (1)$$

where $a$ stands for an action. In our system there are two actions {0, 1}; action 1 means the node is selected or active, and 0 means the node is not selected or passive. The security condition $s_n^t$ is observed by the IDS, and we assume the state observation by the IDS is accurate; the system security state evolves as a Markov chain.

B. Cost Definition

The costs associated with node selection are defined as information leakage $c_n^t = c(s_n^t, a_n^t)$. There are $M$ active nodes at time $t$, so the cost of all the nodes for key update at time $t$ is $q(t) = \sum_{n=1}^{M} c_n^t$, where $n \in [1, \ldots, M]$ means all active nodes at time $t$. The total expected discounted cost over an infinite time horizon is given by

$$Z(u) = E\left[\sum_{t=0}^{\infty} \beta^t q(t)\right], \qquad (2)$$

where $u$ denotes the policy, which is the history of all actions; $E$ denotes mathematical expectation; and $\beta \in (0, 1)$ is the discount factor that ensures the expectation is bounded. The optimization objective is to find the optimal policy $u$ that minimizes the cost in (2).

IV. STOCHASTIC FORMULATION AND SOLUTION

In this section, we formulate the key management problem as a stochastic system. We first introduce the system formulation, then discuss the solutions to the stochastic system.


A. System Formulation

1) Node States: The state of node $n \in \{1, 2, \ldots, N\}$ in time slot $t \in \{0, 1, \ldots, T-1\}$ is modeled as $s_n^t$, which is defined in the system model. The state set of $s_n^t$ is represented as $S_n$, with $s_n^t \in S_n$. The state $s_n^t$ evolves with one-step transition probability matrix $P_n^a$. We consider system security states here; note that it is straightforward to generalize the model to consider more states such as energy, channel conditions, etc.

2) Costs: The total expected discounted cost over the time horizon is defined in (2), and the optimization objective is

$$Z^* = \min_{u \in U} Z(u). \qquad (3)$$

3) Policies: The policy is the history of all the actions taken, i.e., the node selection history for constructing the PKG. We denote by $U$ the class of all admissible policies. An admissible policy $u \in U$ is a $T \times N$ matrix whose element in the $t$th row and the $n$th column is $a_n^t$, representing the action taken by node $n$ in time slot $t$. The optimal policy $u^*$ is the policy that achieves the minimal cost:

$$u^* = \arg\min_{u \in U} Z(u). \qquad (4)$$

4) Priority Index: The priority index for potential node $n$ with state $s_n^t$ at time $t$ is represented as $\delta_{k_n}$. The optimal policy has an index rule: the $M$ nodes with the smallest indices in a given time slot $t$ act as the active nodes. That is, assuming $\{\delta_{k_1}, \delta_{k_2}, \ldots, \delta_{k_M}\}$ to be the set of indices arranged from the smallest value to the largest value in time slot $t$, node $n$'s action should be

$$a_n^t = \begin{cases} 1, & \text{if } n \in \{k_1, k_2, \ldots, k_M\}, \\ 0, & \text{otherwise.} \end{cases} \qquad (5)$$

Thus, to solve the node selection problem, computing the priority indices is the key step, which is described later.

B. LP Formulation of the Stochastic System

The key management problem can be solved by a hierarchy of increasingly stronger LP relaxations [9] based on the result of LP formulations of Markov decision chains (MDCs), the last of which is exact but has the highest computational complexity. For simplicity, we use the first-order relaxation, which is formulated as the linear program

$$Z^1 = \min \sum_{n \in N} \sum_{i_n \in S_n} \sum_{a_n \in \{0,1\}} c_{i_n}^{a_n} x_{i_n}^{a_n},$$

subject to

$$x_n \in Q_n^1, \quad n \in N,$$

$$\sum_{n \in N} \sum_{i_n \in S_n} x_{i_n}^{1} = \frac{M}{1 - \beta}, \qquad (6)$$

where $X = \{x = (x_{i_n}^{a_n}(u))_{i_n \in S_n,\, a_n \in \{0,1\},\, n \in N} \mid u \in U\}$, $S_n$ denotes the state of node $n$ in state space $S$, and $c_{i_n}^{a_n}$ is the cost for node $n$ in state $i$ taking action $a$; $Q_n^1$ is the performance region of the first-order MDC corresponding to project $n$ and $|S_{\max}| = \max_{n \in N} |S_n|$, with the size polynomial in the problem dimensions [9].

V. DISTRIBUTED HIERARCHICAL KEY MANAGEMENT SCHEME

The node selection process can be divided into an off-line part and an on-line part. During the off-line process, the priority indices are computed and saved as an index table. In the on-line part of our scheme, the priority index table is used to select the best nodes based on the nodes' instantaneous states. The key update process is as follows:

1) When a guest node g1 in network B wants to join network A, it sends a message to a node in network A to request its new private key; for example, the message is received by node a1 in network A.
2) Node a1 in network A relays the message to its IDS.
3) The IDS performs a priority index table lookup to find the best node/nodes based on the current states of all available nodes. For example, we assume nodes a2 and a5 are selected. The IDS then sends messages to the selected nodes to request construction of the PKG.
4) The selected nodes a2 and a5 construct a temporary PKG and generate a private key for node g1.
5) The private key is transmitted to node g1, and node g1 joins the network successfully.

We assume that most node properties can be made known to the IDS, which should be realistic particularly for MANETs where initial planning and device management is an a priori requirement. In a dynamic environment, we should be able to use the IDS to learn and predict the node properties from the history of actions and observations, which is left for future research.

VI. SIMULATION RESULTS AND DISCUSSIONS

In this section, we illustrate the effectiveness of the proposed scheme using simulation examples.
We create a network with one parent node and five heterogeneous child nodes, each with different transition probabilities and cost matrices. For the off-line part, it takes about 2 seconds to compute the priority index table using a regular PC with an Intel Core 2 Duo processor and 2GB RAM. We compare the performance of the proposed scheme with an existing scheme [10], in which nodes are selected randomly without considering the security situation of the MANET. In this simulation, we use three security states: safe, attacked and compromised. The threshold $N_{th}$ is set to 2. The security state transition probability matrices are set


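as follows:

$$P_1^1 = \begin{pmatrix} 0.95 & 0.05 & 0 \\ 0.03 & 0.95 & 0.02 \\ 0.04 & 0.02 & 0.94 \end{pmatrix}, \quad
P_2^1 = \begin{pmatrix} 0.93 & 0.07 & 0 \\ 0.02 & 0.95 & 0.03 \\ 0.05 & 0.02 & 0.93 \end{pmatrix},$$

$$P_3^1 = \begin{pmatrix} 0.97 & 0.03 & 0 \\ 0.03 & 0.96 & 0.01 \\ 0.02 & 0.03 & 0.95 \end{pmatrix}, \quad
P_4^1 = \begin{pmatrix} 0.93 & 0.07 & 0 \\ 0.04 & 0.95 & 0.01 \\ 0.03 & 0.03 & 0.94 \end{pmatrix},$$

$$P_5^1 = \begin{pmatrix} 0.96 & 0.04 & 0 \\ 0.02 & 0.970 & 0.01 \\ 0.04 & 0.010 & 0.95 \end{pmatrix}, \quad
P_6^1 = \begin{pmatrix} 0.99 & 0.01 & 0 \\ 0.005 & 0.99 & 0.005 \\ 0.005 & 0.005 & 0.99 \end{pmatrix}.$$

The passive transition probability matrices are defined as

$$P_i^0 = \begin{pmatrix} 0.99 & 0.01 & 0 \\ 0.02 & 0.97 & 0.01 \\ 0.01 & 0.01 & 0.98 \end{pmatrix}$$

for $i = (1, \ldots, 5)$ and

$$P_6^0 = \begin{pmatrix} 0.999 & 0.001 & 0 \\ 0.001 & 0.998 & 0.001 \\ 0.001 & 0.001 & 0.998 \end{pmatrix}.$$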

Node 6 is a parent node and has high transition probability, which means it is more stable than the child nodes. The cost of selecting a safe node is lower than that of selecting an attacked/compromised node. The cost matrices for the simulations are defined as follows: c(1) = (2, 6, 20), c(2) = (3, 7, 25), c(3) = (2.5, 9, 28), c(4) = (4, 8, 19), c(5) = (3.5, 7, 25), c(6) = (8, 15, 50).

Fig. 1 shows the cost comparison between the proposed scheme and the existing scheme. We can see that the proposed scheme has a distinct cost reduction over the existing scheme, which means the information leakage of the proposed scheme is lower than that of the existing scheme; thus the network is safer under the proposed scheme.

To verify the dynamic stability of the proposed scheme, we consider different transition probabilities for the nodes in the network. Fig. 2 shows the cost comparison with the existing scheme when the first component in the state transition probability matrix changes from 0.85 to 0.98.
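The index rule (5) and the Markov security model can be tried directly on the simulation parameters given above. This added example (not the authors' simulator) runs the five child nodes with two active nodes per slot and compares state-blind random selection with an index rule. Assumptions: M is taken equal to the threshold of 2, the parent node is left out, and, because the LP-derived index table is not given on the page, the immediate cost of a node's current state stands in for its priority index; function names, seed and horizon are also assumptions.

```python
import random

SAFE, ATTACKED, COMPROMISED = 0, 1, 2
# Active (a = 1) transition matrices of child nodes 1..5, read from the simulation section.
P_ACTIVE = {
    1: [[0.95, 0.05, 0.0], [0.03, 0.95, 0.02], [0.04, 0.02, 0.94]],
    2: [[0.93, 0.07, 0.0], [0.02, 0.95, 0.03], [0.05, 0.02, 0.93]],
    3: [[0.97, 0.03, 0.0], [0.03, 0.96, 0.01], [0.02, 0.03, 0.95]],
    4: [[0.93, 0.07, 0.0], [0.04, 0.95, 0.01], [0.03, 0.03, 0.94]],
    5: [[0.96, 0.04, 0.0], [0.02, 0.97, 0.01], [0.04, 0.01, 0.95]],
}
# Passive (a = 0) matrix shared by child nodes 1..5.
P_PASSIVE = [[0.99, 0.01, 0.0], [0.02, 0.97, 0.01], [0.01, 0.01, 0.98]]
# Cost vectors c(n) = (safe, attacked, compromised) from the same section.
COST = {1: (2, 6, 20), 2: (3, 7, 25), 3: (2.5, 9, 28), 4: (4, 8, 19), 5: (3.5, 7, 25)}
# ASSUMPTION: the paper's LP-derived index table is not on the page; the immediate
# cost of using a node in its current state stands in for the priority index.
INDEX_TABLE = COST


def index_select(states, index_table, m):
    """Index rule (5): the m nodes with the smallest indices become active."""
    return sorted(states, key=lambda n: (index_table[n][states[n]], n))[:m]


def index_policy(states, m, rng):
    """On-line step: table lookup on the states currently reported by the IDS."""
    return index_select(states, INDEX_TABLE, m)


def random_policy(states, m, rng):
    """Baseline: pick m nodes at random, ignoring their security state."""
    return rng.sample(sorted(states), m)


def step(states, active, rng):
    """Advance every node one slot with its active or passive Markov matrix."""
    nxt = {}
    for n, s in states.items():
        row = (P_ACTIVE[n] if n in active else P_PASSIVE)[s]
        nxt[n] = rng.choices((SAFE, ATTACKED, COMPROMISED), weights=row)[0]
    return nxt


def average_cost(policy, steps=20000, m=2, seed=1):
    """Mean per-slot cost q(t): sum of c(s, a) over the m active nodes."""
    rng = random.Random(seed)
    states = {n: SAFE for n in COST}
    total = 0.0
    for _ in range(steps):
        active = policy(states, m, rng)
        total += sum(COST[n][states[n]] for n in active)
        states = step(states, active, rng)
    return total / steps


if __name__ == "__main__":
    print("index rule:", round(average_cost(index_policy), 2))
    print("random    :", round(average_cost(random_policy), 2))
```

Swapping `INDEX_TABLE` for indices computed off-line from the LP relaxation leaves the on-line lookup in `index_select` unchanged.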

With the increase of the transition probabilities, the system becomes more secure and the cost decreases, while the proposed scheme always has lower cost than the existing scheme.

In this simulation, we investigate the network compromising probability of the proposed scheme. The network is compromised when the root node is compromised or a threshold $N_{th}$ of children are compromised. We first compare the network compromising probability when security transition probabilities are set from 0.75 to 1.0, and $N_{th} = 2$. The result is shown in Fig. 3. When the node transition probability becomes higher, which means the nodes are more secure, the network compromising probability becomes lower. The proposed scheme always has lower network compromising probability than the existing scheme.

In Fig. 4 we compare the network compromising probability when there are more nodes in the network. With the increase of the total number of nodes in the network, all the schemes show a downward trend in compromising probabilities. This is because more nodes means more choices for selecting the best nodes, which thus decreases the network compromising probability.

In Fig. 5, we compare the compromising probabilities when different thresholds are used. It is shown that with the increase of the threshold, the compromising probabilities decrease in both schemes, while the proposed scheme always has lower compromising probability than the existing scheme.

VII. CONCLUSIONS AND FUTURE WORK

In this paper, we have presented a distributed hierarchical key management scheme for MANETs. The proposed scheme can dynamically select the best nodes to work as the PKG while taking into account node security conditions. The node selection is formulated as a stochastic system. Simulation results show that the proposed scheme can improve network security and decrease the network compromising probability compared to an existing key management scheme.
In this work, we did not consider node energy in the key management problem, which is an important issue for the network lifetime in MANETs. The node energy level can be formulated as a node state component in the stochastic system. Future work in this direction is in progress. Moreover, we are working on a MANET testbed to implement our proposed scheme.

REFERENCES

[1] S. Balfe, K. D. Boklan, Z. Klagsbrun, and K. G. Paterson, “Key refreshing in identity-based cryptography and its applications in MANETs,” in Proc. IEEE MILCOM 2007, (Orlando, FL, USA), Oct. 2007.
[2] R. L. Rivest, A. Shamir, and Y. Tauman, “How to share a secret,” Comm. ACM, vol. 22, pp. 612–612, Nov. 1979.
[3] Y. Desmedt and Y. Frankel, “Threshold cryptosystems,” in Proc. CRYPTO’89, (Santa Barbara, CA, USA), Aug. 1989.


[4] G. Hanaoka, T. Nishioka, Y. Zheng, and H. Imai, “A hierarchical non-interactive key-sharing scheme with low memory size and high resistance against collusion attacks,” Comput. J., vol. 45, no. 3, pp. 293–303, 2002.
[5] M. Ramkumar, N. Memon, and R. Simha, “A hierarchical key predistribution scheme,” in Proc. EIT’05, (Lincoln, NE, USA), May 2005.
[6] R. Gennaro, S. Halevi, H. Krawczyk, T. Rabin, S. Reidt, and S. D. Wolthusen, “Strongly-resilient and non-interactive hierarchical key-agreement in MANETs,” in Proc. ESORICS’08, (Berlin, Heidelberg), Springer-Verlag, 2008.
[7] E. Laurent and D. G. Virgil, “A key-management scheme for distributed sensor networks,” in Proc. of the 9th ACM Conf. on Computer and Communications Security, (Washington, DC, USA), ACM, 2002.
[8] H. Luo, J. Kong, P. Zerfos, S. Lu, and L. Zhang, “URSA: Ubiquitous and robust access control for mobile ad hoc networks,” IEEE/ACM Trans. Netw., vol. 12, pp. 1049–1063, Dec. 2004.
[9] D. Bertsimas and J. Nino-Mora, “Restless bandits, linear programming relaxations, and a primal dual index heuristic,” Operations Research, vol. 48, no. 1, pp. 80–90, 2000.
[10] H. Deng, A. Mukherjee, and D. Agrawal, “Threshold and identity-based key management and authentication for wireless ad hoc networks,” in Proc. ITCC’04, (Washington, DC, USA), Apr. 2004.

Fig. 1. Cost comparison on different steps. (Plot: average cost versus step, for the existing scheme and the proposed scheme.)

Fig. 2. Cost under different security transition probabilities. (Plot: average cost versus transition probability, for the existing scheme and the proposed scheme.)

Fig. 3. Network compromising probabilities in different transition probabilities. (Plot: compromising probability versus transition probability, for the existing scheme and the proposed scheme.)

Fig. 4. Network compromising probabilities under different nodes. (Plot: compromising probability versus total number of nodes, for the existing scheme and the proposed scheme.)

Fig. 5. Network compromising probabilities under different thresholds. (Plot: compromising probability versus threshold, for the existing scheme and the proposed scheme.)
