
TS-1: Comparing Cryptographic Protocols for Securing Wireless Ad-hoc Networks


Comparing Cryptographic Protocols for Securing Wireless Ad-hoc Networks

Lawrence Awuah, Pavan Kumar Burri, Sirija Puramshetty

Abstract-- As computing devices and wireless connectivity become ubiquitous, the need for ad hoc networks, in which wireless communication links between mobile devices are established in an ad-hoc manner, becomes a critical concern. Due to the nature of wireless ad-hoc networks, their lack of permanent or consistent access to the global network, and their dynamic behavior, security issues are a great concern. This research focused on analyzing three different types of cryptographic protocols, how suitable they are for the ad hoc network environment, and whether they provide the needed security services, such as authentication, within the ad hoc network constraints.

Index Terms--Ad-hoc wireless networks, cryptographic protocols, Key Distribution Center, Key Distribution Pattern

A. Ad-Hoc Network Configurations

The IEEE 802.11 standard provides two modes for wireless clients to communicate: ad-hoc and infrastructure. The ad-hoc mode is a network of stations within communication range of each other. Ad-hoc networks are created spontaneously between the network participants.

I. INTRODUCTION

"A wireless ad-hoc network is a self configuring network of mobile nodes (or hosts) connected by wireless links to form an arbitrary topology without a fixed infrastructure. The nodes move randomly and organize themselves arbitrarily in such a way that the wireless network topology may be subject to frequent changes and unpredictably (highly dynamic). Such a network may operate in a standalone fashion, or may be connected to the larger Internet. The nature of ad hoc networks makes it suitable for emergency situations such as natural or human-induced disasters, military operations or emergency medical conditions."

Wireless ad-hoc network Topology [14]


Figure 2

B. Infrastructure Networks Configurations

In infrastructure mode, access points (APs) provide for a more permanent structure for the network. An infrastructure consists of one or more access points as well as a distribution system (i.e. wired network) behind the access points which tie the wireless network with the wired network.

From Wikipedia, the free encyclopedia

Figure 1

Manuscript received December 15, 2005. L. Awuah is a student at GMU. P.K. Burri is a student at GMU. S. Puramshetty is a student at GMU.

this environment is good authentication and security.

Emergency operations: The ad hoc networks in this case are formed between communicating nodes which are part of the following network scenarios: search-and-rescue, policing and fire fighting. Medical teams require fast, effective communications when they rush to a disaster to treat victims. The major constraint is that the protocol should be able to address the dynamic nature of the nodes.

D. Sensor Networks

1) Sensor:

Figure 3

C. Applications of ad-hoc networks in different scenarios

A sensor is a mechanical, electrical or electromechanical device for sensing a physical variable of the environment like temperature, pressure or position. Sensors are used in almost all the fields such as aerospace and defense, automation medical imaging and robotics.

Military and Emergency operations

Emergency operation Military operation

2) Distributed sensor networks:

A distributed sensor network is an ad-hoc network with a number of scattered sensor nodes, which are deployed in the battlefield. The sensor nodes communicate with each other via ad-hoc networks to collect important information, especially in a battlefield scenario. The intelligent sensors can report information about their status and local conditions. The sensor nodes are susceptible to attack by adversaries. Since the information communicated is highly confidential, the protocols used must be strong enough to overcome the attacks, thus providing confidentiality and authentication. In our paper we present different key distribution techniques for secure communication between the nodes and compare the different protocols. All the protocols are symmetric key based. In the symmetric key based scheme, the communicating parties share a common secret key, which is used for the encryption and decryption processes.

3) Key distribution technique: A key distribution technique is the process of securely delivering the secret key to both the communicating parties.

4) General layout of sensor network: A sensor network consists of a number of sensor nodes that are deployed inside the enemy's territory. These nodes with their sensor capabilities track the troops and send this information to the main command installed in the friendly territory. The nodes also communicate amongst themselves to exchange information.

5) Limited resources in ad-hoc networks: Some of the resources, which are limited for the nodes, are:

Figure 4

1) Military environment: In a military environment, ad-hoc networks are generally formed with sensors as the nodes. These sensors can be used by any of soldiers, tankers, planes etc. The major constraint in this scenario is optimum power consumption with good security.

2) Civilian environment: The ad-hoc networks can be formed for general purpose applications with laptops, cellular phones etc. as nodes. The environment can be any of meeting rooms, sports stadiums, boats, small aircraft or a taxi cab network. Ad hoc mode allows users to spontaneously form a wireless LAN. For example, a group of people with 802.11-equipped laptops may gather for a business meeting at their corporate headquarters. In order to share documents such as presentation charts and spreadsheets, they could easily switch their NICs to ad hoc mode to form a small wireless LAN within their meeting room. The major constraint in

o Limited energy
o Limited bandwidth
o Limited memory

After deploying the sensor nodes they can be charged using batteries, which will be limited. Hence energy of the sensors has to be conserved.

6) Modes of operation

The sensors have four modes of operation [15]:
o Transmit mode
o Receive mode
o Idle mode
o Sleep mode

A node is in the transmit mode when it is transmitting information and it is in the receive mode when it is receiving information. In the idle mode the node is neither transmitting nor receiving information but consumes energy, since it has to continuously listen to the wireless medium and switch over to the receive mode when a packet is detected. The sleep mode is the one wherein the nodes can neither transmit nor receive packets. The network interface can be switched to the idle mode by an explicit instruction from the node. One way of preserving energy is to keep the nodes that are not needed to perform any action in the sleep mode, as nodes in this mode consume very little energy.

7) Energy Consumption in Sensors

Security related applications also consume a large amount of energy. The energy consumption of the nodes can be categorized as:
o Computational energy
o Communication energy

The algorithms used for encryption and decryption and their software implementation are some of the aspects which come under computation energy. The exchange of keys, certificates, nonces, initialization vectors, signatures etc. comes under communication energy. Communication forms the major part of energy consumption. The security protocols must minimize the consumption of these energies to extend the lifetime of the nodes. Public key algorithms consume more energy when compared to symmetric key algorithms.

A) Group keying Protocols
1. Diffie-Hellman Protocols
2. Burmester-Desmedt Protocols
B) Arbitrated Protocols
1. Kerberos Protocols
2. Otway-Rees
C) Pre-Deployed Keying Protocols
1. Network-wide pre-deployed keying protocol
2. Node-specific pre-deployed keying protocol
3. Key Distribution Pattern (KDP) based pre-deployed keying protocol

II. GROUP KEY AGREEMENT (GROUP COMMUNICATIONS) PROTOCOLS IN AD HOC NETWORK

Group Key protocols provide a mechanism for providing security in wireless ad hoc networks. A proposal for group key establishment among the members of an ad hoc network is presented and is the base for the deployment of security services in group communications, especially in ad hoc networks.

A. Overview

1) Dimensions of Key Agreement

The two types are Initial Key Agreement (IKA) and Auxiliary Key Agreement (AKA) operations (single member operations, subgroup operations and group key refresh). IKA refers to the initial group key agreement, a sort of initial group formation agreement. AKA encompasses all subsequent key agreement operations.

2) Centralized and contributory

We also consider two types of group key agreement protocols. Several group key management approaches have been proposed in the past; they generally fall into two main categories based on computation and distribution:
o Centralized
o Contributory

Centralized group key management involves a single entity (or subgroup) that generates and distributes keys to group members. A special case is the scenario where the key is generated by some trusted third party (TTP) which is outside of the group membership. Contrary to the centralized approach is the contributory group key agreement, which requires each group member to contribute an equal share to the common group key (computed as a function of all members' contributions). This approach is fault tolerant and suppresses the risks of vicious key generation by a single entity.

3) Member inclusion and exclusion

Member Addition: A member joins the group by sending a join message, including the new member's blinded random key, to its nearest neighbor within the group. This join message will be forwarded to the nearest controller, who forces this neighbor node to become a controller and thus become the

E. Protocols

A security protocol (or cryptographic protocol) is an indisputable protocol that performs a security-related function and applies cryptographic methods. We wish to compare the following cryptographic protocols as part of our project.

parent node to the new member.

4) Member Leave/Partition: A member may leave the group by sending a leave message to its controller. If that controller has other children, it will create a new random value and re-key the subgroup. Otherwise, the node will simply be decommissioned as a controller and no other action need be taken.

5) Motivation

We need group key agreement methods satisfying the following:
o Strong security
o Dynamic operation
o Robustness
o Efficiency in communication and computation
o Implementation, integration, and measurement

Why is the need for computation overhead important? Most group key agreement methods rely on modular exponentiation.
o 512 bit modular exponentiation on Pentium 400 MHz = 2 msec
o 1024 bit modular exponentiation = 8 msec
Most methods require a lot of modular exponentiations for each membership operation.

6) Security Requirements

The security property characteristic to all AKA operations is key independence. It comprises the following two requirements:
o A group member must not have knowledge of keys used before it joined the group, or any subset of group keys cannot be used to discover previous group keys, i.e. backward secrecy.
o New keys must remain out of reach of former group members, or any subset of group keys cannot be used to discover subsequent group keys, i.e. forward secrecy.

B. Overview of protocols
1. Cliques Group Diffie-Hellman Protocols
2. Burmester-Desmedt Protocols

[Figure 5: The Protocol (2-party DH). Key exchange between A and B, who are assumed to share a secret KAB. Source: UCL Crypto Group, DEC-05.]

b) The CLIQUES protocol suite (n-party GDH):
· The protocols from this suite can provide member authentication, which solves the Diffie-Hellman authentication vulnerability mentioned earlier.
· GDH protocols are relatively efficient for member leave and group partition operations, but the merge protocol requires the number of rounds equal to the number of new (merging) members.

[Figure 6: Member computed values. For each member mi (i = 1, 2, 3, 4, ..., n) the figure lists the set of values computed by mi, from g^(s1) for m1 up to g^(s1 s2 s3 ... sn) for mn.]
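The growing sets of values in Figure 6 are taken here to be the upflow messages of GDH.2 from the CLIQUES suite; the following added example (not code from the paper) runs that upflow, the final broadcast, and a re-key after a member leaves. The group parameters are toy values, the function names are this example's own, and the leave handling (the last member refreshes its exponent and rebroadcasts without the leaver's entry) is this example's reading of CLIQUES member exclusion.

```python
"""GDH.2 group key agreement: upflow, final broadcast, and a member-leave re-key."""
import secrets

# Toy parameters for illustration only: the Mersenne prime 2**127 - 1, base 3.
P = 2**127 - 1
G = 3


def random_exponent():
    """Fresh secret contribution s_i for one member."""
    return secrets.randbelow(P - 3) + 2


def upflow_step(received, s_i):
    """Message M_i forwards to M_(i+1); M_1 starts from ([], G).

    The result holds one intermediate value per member seen so far (entry j
    omits that member's secret) and the cardinal value g^(s_1 ... s_i).
    """
    intermediates, cardinal = received
    forwarded = [pow(v, s_i, P) for v in intermediates] + [cardinal]
    return forwarded, pow(cardinal, s_i, P)


def run_gdh2(member_secrets):
    """Return (keys, flow_sizes, last_upflow) for one full GDH.2 run."""
    if len(member_secrets) < 2:
        raise ValueError("need at least two members")
    message, flow_sizes = ([], G), []
    for s_i in member_secrets[:-1]:             # upflow through M_1 .. M_(n-1)
        message = upflow_step(message, s_i)
        flow_sizes.append(len(message[0]) + 1)  # group elements sent on the air
    intermediates, cardinal = message
    s_n = member_secrets[-1]
    # M_n raises every intermediate to s_n and broadcasts the result.
    broadcast = [pow(v, s_n, P) for v in intermediates]
    # Each member raises its own entry to its own secret to reach the key.
    keys = [pow(v, s_j, P) for v, s_j in zip(broadcast, member_secrets)]
    keys.append(pow(cardinal, s_n, P))          # M_n's own copy of the key
    return keys, flow_sizes, message


def rekey_after_leave(last_upflow, member_secrets, leaver, new_s_n):
    """M_n refreshes its exponent and rebroadcasts without the leaver's entry.

    Returns {member index: new key}; the leaver gets no entry to exponentiate.
    """
    intermediates, cardinal = last_upflow
    n = len(member_secrets)
    if not 0 <= leaver < n - 1:
        raise ValueError("this sketch only handles a non-controller leaving")
    keys = {j: pow(pow(v, new_s_n, P), member_secrets[j], P)
            for j, v in enumerate(intermediates) if j != leaver}
    keys[n - 1] = pow(cardinal, new_s_n, P)
    return keys


if __name__ == "__main__":
    group = [random_exponent() for _ in range(5)]
    keys, sizes, last = run_gdh2(group)
    print("all members agree:", len(set(keys)) == 1)
    print("upflow message sizes:", sizes)
    new_keys = rekey_after_leave(last, group, leaver=1,
                                 new_s_n=random_exponent())
    print("remaining members agree:", len(set(new_keys.values())) == 1)
    print("key changed:", keys[0] not in new_keys.values())
```

The upflow message grows by one group element per member, which is the communication cost the comparison in this section weighs against the single shared key it buys.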

1. Cliques Group Diffie-Hellman Protocols

a) The Diffie-Hellman Protocol (2-party DH): This DH algorithm allows the establishment of a cryptographic secret key between two entities by means of data exchange through an insecure communication channel. The algorithm executed between two entities A and B is defined

c) Authenticated 2-party Key Agreement: The need for authentication An authenticated group key agreement protocol is a key agreement protocol which provides implicit key authentication.


Figure 8 [6]

Figure 7 [6]

d) Analysis: The A-DH protocol, shown in the figures above, provides implicit key authentication between M1 and M2. The A-DH protocol is a contributory authenticated key agreement protocol. The two parties M1 and M2 share a secret session key (S2) computed by both parties. It is assumed that it is infeasible for an attacker to obtain any information about S2.

e) Authenticated Group Key Agreement: Here, we extend the GDH protocols to provide implicit key authentication by making use of the A-DH protocol discussed earlier. The protocols of interest here are GDH.2 and A-GDH.2.

ASSUMPTIONS
We assume that Mn shares with each Mi a distinct secret or session key Kin. We also assume each group member obtains an authenticated shared key with Mn, i.e. the cardinal key for all group members. Mn must be trusted by all group members.

1. Burmester-Desmedt Protocols

BD (Burmester-Desmedt) is a protocol that requires three rounds and up to n multicasts in each round, and is fairly easy to make robust. The BD scheme utilizes a ring-based structure, where users are arranged in a ring, i.e. the user after the last user Un is again U1. Burmester and Desmedt proposed an efficient protocol which takes three modular exponentiations per member to generate a group key. This protocol allows all members to re-compute the group key for any membership change with a constant CPU cost. However, it requires broadcast messages, which can be expensive in an ad hoc network or other WANs. Burmester and Desmedt give a proof of security for their main protocol only for an even number of participants, n. Burmester and Desmedt show only that an adversary cannot compute the entire session key; in contrast, we show that the session key is indistinguishable. The protocol:

Figure 9 [12]

In the form;

For added security, the message broadcast is piggybacked with certificate and signature. Each node takes g and raises it by a unique random value ri in G and generates


Comparison of protocols

Table 1

Protocol/Parameter      BD      GDH.2     Comparison w.r.t. other protocols
Power consumption       High    High      High
Authentication          High    High      High
Key independence        High    PFS/PBS   PFS
Communication energy    High    High      High
Computation energy      High    High      High
Scalability             High    High      High

III. ARBITRATED PROTOCOLS

An arbitrated protocol is a protocol in which a trusted third party is used to establish trust between the nodes participating in the message exchange. Each node has to authenticate itself to the trusted third party to obtain a key pair with which it can communicate with the other node.

PFS = Perfect Forward Secrecy
PBS = Perfect Backward Secrecy

The first two columns give an absolute overview of how the different constraints are being addressed, while the last column gives information on how well the group keying protocol addresses these issues when compared to the other two families of protocols. From the analysis of these group key agreement protocols, the average power consumed per transmission increases with increasing communication and computational energy. Authentication is possibly high depending on the particular protocol version and whether signatures and certificates are piggybacked. Both protocols have perfect forward and backward secrecy in terms of key refresh. Communication and computation energy could be high depending on the number of key and message exchanges and the number of exponentiations respectively. Scalability of both group keys is comparatively large: they can withstand larger groups, especially by subgroup techniques.

Security Threat
A compromised group leader and a malicious insider of the group key agreement protocols are the main threat to the security of the ad hoc network.

Solution
To achieve more effective security, the SA-GDH.2 protocol is preferred since it has the requirement for a priori availability of all members' long-term credentials.

Figure 10

Examples of Arbitrated Protocols
1. Kerberos Protocol
2. Otway-Rees Protocol

1. Kerberos Protocol

The Kerberos protocol for ad-hoc networks is based on the Kerberos V5 protocol and is modified to address the limitations of the DNS. Here all the communicating nodes share a secret key with a trusted third party called the Key Distribution Center (KDC); the key is distributed prior to deployment. The nodes authenticate themselves to the KDC to obtain a session whenever a node wants to speak to another node. Symmetric key cryptography is used.

Dynamic Group Changes and Key Refresh

Group membership changes during the lifetime of the group: new members join and old members leave. In order to save computations, old key information is recycled to the extent possible rather than starting from scratch. The starting-from-scratch approach is expensive, unscalable and unsuitable for environments with frequent membership changes [6].

Figure 11[9]

a) Rounds

Round1: Node A to KDC
KDC||IDA||IDB||NA

Round2: KDC to Node A
IDA ||KDC|| TicketB||NA
TicketB is KB, KDC(Kpair|| IDA ||L)

Round3: Node A to Node B
IDB || IDA ||TicketB|| E Kpair(IDB,TA)

Round4: Node B to Node A
IDA || IDB || E Kpair (TA)

IDA, IDB, KDC are the identities of Node A, Node B and the Key Distribution Center respectively. NA is the nonce, which is a random number. Ticket to B is encrypted with Kpair which is a shared symmetric key between node A and node B. L is the lifetime of the key pair; it determines the time during which the generated key is good. The key expires after the lifetime. TA is the time stamp, which is used for providing additional security.

b) Calculations: The following explains the factors used in calculating the number of bits to be transferred in each round.

Assumptions:
o A stream cipher is used for encryption.
o The length of all the node IDs is 64 bits.
o The length of nonce, time stamp and lifetime values is 64 bits.

The total length of the message for each of the following rounds, assuming a stream cipher is used for encryption:
o Round1: 256 bits.
o Round2: 384 bits.
o Round3: 448 bits.
o Round4: 192 bits.

2. Otway-Rees Protocol

The Otway-Rees protocol is based on the Needham-Schroeder protocol. It differs from Kerberos in that it uses nonces instead of time stamps, which takes into consideration the possibility that the clock can be turned backwards.

a) Rounds

Round1: Node A to Node B
IDB||IDA||KDCj||NA

Round2: Node B to KDCj
KDCj||IDB||IDA||NB||NA Mkbj(KDCj||IDB||IDA||NB||NA)
Message: Mkbj(KDCj||IDB||IDA||NB||NA) is the message encrypted by the shared key between Node B and the KDC.

Round3: Node KDCj to Node B
IDB||IDA||EkAj( H(IDA||IDB||NA||NB||Keypair)|| KBj(H(Ida||IDB||NA||NB)||Key pair)

Round4: Node B to Node A
IDA||IDB||NB||EKAj(H(IDA||IDB||NA || NB)||Keypair)||Ekeypair(NA||NB)

Round5: Node A to Node B
IDA||IDB||Ekeypair(NB||NA)

Explanation of short forms: IDA, IDB, KDC are the identities of Node A, Node B and the Key Distribution Center respectively. NA, NB are nonces, which are random numbers. KAj is the shared key between the KDC and node A. KBj is the shared key between node B and the KDC. E denotes secret key encryption. Kpair is a shared symmetric key between node A and node B. L is the lifetime of the key pair; it determines the time during which the generated key is good. The key expires after the lifetime.

b) Calculating the number of bits to be transferred in each round

Assumptions:
o A stream cipher is used for encryption.
o Length of each node ID = 64 bits.
o Length of each nonce = 64 bits.

o Round1: 256 bits
o Round2: 640 bits
o Round3: (192 + length of two hash messages) bits
o Round4: (320 + length of one hash message) bits
o Round5: 256 bits

The number of bits required for key establishment in Otway-Rees is higher than the number of bits required in the Kerberos protocol.

Figure 12 [9]


Comparison

The major limitation of the Kerberos protocol and the Otway-Rees protocol is that only two nodes can be addressed at a given point of time. The number of key exchanges required to set up a network is high, as every node has to set up a connection with each corresponding node, so the total number of keys required if N nodes want to communicate with each other will be NC2. So the power consumption will be high if these protocols are used, but a trade-off has to be made, as they provide greater security since each node authenticates before it communicates with another node. The arbitrated protocols can be improved to address a large number of nodes, but the authentication and security decrease. Some of the security threats to this family of protocols, and the improvements, are listed below.

Security Threats
1. Arbitrated protocols make use of the KDC for key distribution, which brings in the possibility of a DoS (denial of service) attack, by which the intruder can succeed in restricting the nodes from communicating with each other.
2. The use of a centralized server to store all the secret keys between the KDC and the nodes brings the possibility of an attack in which, if the attacker can get access to the server, there is a threat to the security of the whole network.
3. When the protocol is scaled to a large number of nodes (i.e. a key is generated for communication of a large number of nodes) there is a threat to authentication, by which an attacker within the network can impersonate another node in the network.

Improvements
1. Improvements to these protocols have been made, and other protocols have been developed which use the certification process to overcome the threat.
2. The key is not stored in the server but is stored in the node itself in encrypted form with the secret key of the KDC and a key that is not shared with the node.

Problems 1 and 3 can be addressed by assigning a certificate to each node for authentication; hence the impersonation attack can be restricted. This improvement does not address problem 1 directly but restricts unauthorized users from accessing the network, and if the attacker is within the network he can be recognized.

Table 2

Protocols/properties    Kerberos Protocol   Otway-Rees protocol   Comparison w.r.t. other protocols
Power consumption       High                High                  High
Authentication          High                High                  High
Forward Secrecy         High                High                  Low
Backward Secrecy        High                High                  Low
Memory consumption      High                High                  High
Scalability             Low                 Low                   Medium

The first two columns give an absolute overview of how the different constraints are being addressed, while the last column gives information on how well the arbitrated protocol addresses these issues when compared to the other two families of protocols.

IV. PRE-DEPLOYED KEYING PROTOCOLS

In the pre-deployed keying protocol all the sensor nodes are loaded with the keys before they are deployed in the territory. This procedure provides both confidentiality and authentication of the nodes. Above all, the energy efficiency is very high. The pre-deployed protocols which we compare in our paper are:
1. Key distribution based pre-deployed protocol
2. Network wide pre-deployed protocol
3. Node specific pre-deployed protocol

1. Key Distribution Pattern (KDP) based pre-deployed keying protocol

This is one of the most reliable and secure key distribution schemes, proposed by Hartono Kurnio, Huaxiong Wang, Josef Pieprzyk and Kris Gaj [1], which is extended to pre-deployed keying protocols. In this scheme each node is loaded prior to deployment with a set of keys and a matrix, which gives information about the keys that all other nodes in the network have. Each key of the set of keys that the nodes have is 128 bits long. The secret key takes the form of a session key since it changes whenever a node leaves or joins the group. This key can be computed individually by any node deployed anywhere.

a) Main features of KDP

· Decentralized model: A decentralized model is one wherein the trust is distributed to all the nodes in the network and a number of nodes need to perform the security operations together. The main aspect of this model is the absence of a trusted authority which usually does all the security operations. This model is highly secure when compared to a single entity which does all the security operations for a few


reasons such as: In some situations the authority might be unavailable or unreachable. Compromise of the authority will expose all the secrets of the entire network.

· Self-initialization: A certain number of nodes co-operatively initialize the system and will add new nodes when necessary and load the set of keys into the new nodes.

· Self-securing: Any node of the group can determine the session key from anywhere, which is very secure rather than transmitting the key to each node.

· Assumption: It is assumed that all the nodes have secure point-to-point channels between them.

well as the session key by implementing the X-OR function, which would consume energy. Energy in the form of communication is also being used for the exchange of updated keys, which is seen in the next section.

e) Change in the nodes: When a new node wants to enter the group it gets the set of secret keys from a subset of existing nodes called sponsors. Each node in the group has to compute the session key for the new group formed and store it in its memory. To ensure the safety of the group, the key set of unattended nodes in hostile territory has to be updated. The nodes which are nearest to it and share the common keys change those keys and send the updated keys to that node via the secure point-to-point channel which each node has with every other node. Blom's key is used for the secure point-to-point communication between two nodes [2][3]. The scheme uses a symmetric polynomial F(x, y) over a finite field GF(q) in the construction.

b) Construction of KDP: Let K = {k1, ..., kv} be a v-set of keys and B = {B1, ..., Bn} be a family of subsets of K. [1][2] A system (K, B) is a t-resilient (v, n, r) key distribution pattern (KDP) if the following condition holds:

$$F(x, y) = \sum_{i=0}^{t} \sum_{j=0}^{t} h_{i,j}\, x^{i} y^{j} \bmod q$$

where $h_{i,j} \in GF(q)$ ($0 \le i \le t$, $0 \le j \le t$) and $h_{i,j} = h_{j,i}$ for all $i, j$.

The polynomial has the symmetric property F(a, b) = F(b, a). Blom's key can be computed between any two nodes; any node can compute the key value given the function, and that key will be the same for both the nodes. The updated key information is encrypted using this key and sent to the unattended node.

f) Forward and Backward secrecy: The session secrecy, forward secrecy and backward secrecy are very well satisfied because whenever there is a change in the nodes the secret key is recomputed, and hence it is called the session key.

g) Scalability: This scheme is very well scalable since the security levels are the same for a small as well as a large group. Addition and deletion of nodes will not put any of the security aspects at stake.

Advantages of KDP based pre-deployed protocol:
o Most secure key distribution protocol.
o Forward and backward secrecy are very well protected.
o Highly scalable.
o Session key can be computed by any node, which increases the security.
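The two computations this section describes, the session key obtained by X-ORing the keys common to a group and the Blom key with F(a, b) = F(b, a), worked through as an added example (not code from the paper or from the cited scheme). The five-node key assignment, the 61-bit field and all function names are constructed for illustration; the resilience check tests the condition as the text words it, namely that some key is held by all r group members and by none of t outside nodes.

```python
"""KDP session key and Blom pairwise key (illustrative sketch)."""
from functools import reduce
from itertools import combinations
import secrets

Q = 2**61 - 1  # prime modulus for GF(q); toy size chosen for this example


def complement_kdp(n):
    """Constructed sample pattern: key k_j is loaded into every node except j."""
    return [{f"k{j}" for j in range(n) if j != i} for i in range(n)]


def common_keys(blocks, group):
    """Keys held by every node in `group` (intersection of their subsets B_i)."""
    return set.intersection(*(blocks[i] for i in group))


def is_t_resilient(blocks, r, t):
    """Check that every r-node group shares a key no t outside nodes hold."""
    nodes = range(len(blocks))
    for group in combinations(nodes, r):
        common = common_keys(blocks, group)
        outsiders = [j for j in nodes if j not in group]
        for coalition in combinations(outsiders, t):
            exposed = set().union(*(blocks[j] for j in coalition))
            if common <= exposed:      # coalition holds every common key
                return False
    return True


def session_key(blocks, key_values, group):
    """X-OR the 128-bit keys common to the whole group into one session key."""
    common = sorted(common_keys(blocks, group))
    if not common:
        raise ValueError("group shares no key")
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)),
                  (key_values[name] for name in common))


def blom_setup(t):
    """Random symmetric coefficients h[i][j] = h[j][i] of F(x, y) over GF(Q)."""
    h = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            h[i][j] = h[j][i] = secrets.randbelow(Q)
    return h


def blom_share(h, node_id):
    """Coefficients of F(node_id, y): the only Blom material a node stores."""
    return [sum(row[j] * pow(node_id, i, Q) for i, row in enumerate(h)) % Q
            for j in range(len(h))]


def blom_key(share, peer_id):
    """Evaluate the stored polynomial at the peer's id, giving F(own, peer)."""
    return sum(c * pow(peer_id, j, Q) for j, c in enumerate(share)) % Q


if __name__ == "__main__":
    blocks = complement_kdp(5)
    keys = {f"k{j}": secrets.token_bytes(16) for j in range(5)}
    print("1-resilient for r=3:", is_t_resilient(blocks, 3, 1))
    print("2-resilient for r=3:", is_t_resilient(blocks, 3, 2))
    print("session key {0,1,2}:", session_key(blocks, keys, (0, 1, 2)).hex())
    # Node 2 leaves: the common-key set changes, so the session key changes.
    print("session key {0,1}:  ", session_key(blocks, keys, (0, 1)).hex())
    h = blom_setup(t=2)
    a, b = 11, 29                      # node identifiers (constructed)
    print("Blom keys match:", blom_key(blom_share(h, a), b)
          == blom_key(blom_share(h, b), a))
```

In the sample pattern the group {0, 1} re-keys to k2 X-OR k3 X-OR k4 once node 2 has left, and node 2 never held k2, which is the session-key change on membership change that the text relies on for forward secrecy.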

IB

i

i

UB

j

j

Where and are any disjoint subsets of {1, ..., n} such that || = r and || = t. `r' is the number of nodes that form the group, and the subsets of keys B = {B1, ..., Bn} should be formed such that even if `t' nodes are compromised the system is safe. This means that there exists at least one element which belongs to the r subsets but does not belong to the t subsets. This is what a t-resilient system is. Any node can compute the secret key or group key, which is called the session key in this protocol. Since each node is aware of the keys of all other nodes, the keys that are common between all the nodes in the group are X-ORed and finally a single 128 bit value is obtained, which forms the session key.

c) Memory storage: The number of bits stored in the memory of each node depends upon the pre-defined function (v, n, r) and the subset of keys `B' which would be loaded into the nodes before deployment. The key size is 128 bits.

d) Computation and Communication energy: The computation energy for a KDP scheme is a bit high when compared to the other two pre-deployed techniques. In this case the nodes have to compute the Blom's key as

Disadvantages of KDP based pre-deployed protocol:

o As the size of the group increases the complexity in terms of the computation of subset of keys increases.
o Memory power usage is more in KDP as in addition to the session keys the set of keys and the secret key computed using Blom's key is to be stored.

2. Network wide pre-deployed protocol

This is one of the most energy efficient key management protocols. All the nodes in the network are loaded with the same key before deployment. Each node communicates with the other nodes, which share the same key, by encrypting the message and appending a message authentication code (MAC) to it. This will protect the integrity of the message. If any intruder happens to modify the message, the intruder cannot produce a matching MAC, as it is calculated using the secret key known only to the nodes in the network.

a) Memory storage: As only a single cryptographic key needs to be stored, the memory space, which is limited in the sensor nodes, is also preserved. The number of bits stored in memory will be equal to the key size.

b) Computation and communication energy: Since all the nodes share a single key, the computation energy in terms of authentication keys will be negligible, and this is one of the reasons for the high energy efficiency. As there is no need for key exchanges, the communication energy costs are saved.

c) Change in the nodes: Unattended nodes in hostile territory are prone to attacks by adversaries. And since all the nodes in the network share a single common secret key, compromise of one node will put the confidentiality of the whole group of nodes at stake. All past and future communications between the nodes could be disclosed and even hostile nodes can be inserted into the network which can keep track of the communications between the nodes or inject false information. In some situations nodes might have to leave the network when they no longer need to perform any more actions or nodes have to be deleted permanently when their energy is exhausted and new nodes will replace these nodes. The session secrecy will be at stake in this case of temporarily leaving nodes.

d) Forward and backward secrecy: New nodes that are to join the group have to be loaded before deployment with the same network key that the whole group of nodes shares. In such a case the forward and backward secrecy aspects are not satisfied, as the new node that enters the group will be able to discover all the past communications and keys of the group and likewise the node which leaves will be able to discover all the future keys of the group. In order to avoid this, a large-scale audit of all sensor nodes is to be performed prior to every phase of adding new nodes, which would ensure that each node's hardware and software has not been altered maliciously. Once this is ascertained a new network-wide key can be distributed to all the nodes including the new node. But such a high-scale audit would be too expensive in practical applications.

e) Scalability: As the number of nodes increases the security characteristics might be weakened thus weakening the scalability factor.

Advantages of network-wide pre-deployed keying protocol:
o Minimum memory storage required.
o Computation and communication energy are almost zero.
o Use of MAC function assures integrity.

Disadvantages of network-wide pre-deployed keying protocol:
o Compromise of one node exposes the whole network communication.
o Scalability factor is weakened.
o Session, Backward and Forward secrecies are weak.

3. Node specific pre-deployed keying protocol

In the node specific pre-deployed keying method, different keys are computed offline for the different possible combinations of nodes and are loaded before deployment. A unique key is assigned for every combination of communicating nodes. Thus each node is loaded with a group of different keys, and it uses the appropriate key for the node with which it has to communicate. The security aspects are strengthened in this protocol when compared to the network-wide pre-deployed protocol, since compromise of a single node will not disclose the confidentiality of the whole network. Only the information shared between two parties will be known.

a) Memory storage: If there are n nodes in the network, then each node has to store n-1 keys and the total number of session keys to be generated is nC2. The number of bits stored in the memory of each node will thus be equal to (n-1)*key size. Thus the memory power consumption will be high, as each node has to store a set of different keys and the number depends on the number of nodes it will be communicating with.

b) Computation and communication energy: All the keys are computed offline and loaded before deployment. Hence the computation and communication energy costs are negligible for the sensor nodes.

c) Change in the nodes:
o The nodes which are to form a group have to be anticipated before deployment, because addition of a new node after deployment is difficult.

The set of nodes with which a particular node can communicate is fixed in this method, and if a new node is to join, it has to be loaded with one of the keys which already exists; this departs from the main idea of the node specific protocol. Otherwise, other non pre-deployed techniques may be employed to extend the group to new nodes. The session secrecy is at stake in this case, as a node which leaves the group temporarily, or which might also have been compromised, can join the group again at any point of time and start communicating with the nodes, because when the node leaves the group, the keys which all the nodes have shared with that node are not deleted from their memory.

d) Forward and backward secrecy: Since each pair of communicating nodes has a unique key, the forward and backward secrecies are improved.

e) Scalability: This keying method is not flexible. The node specific technique is best suited to small groups. If the group is large, the number of keys to be computed increases, and it also consumes a large amount of the memory power of each node. Hence the scalability factor is weakened.

Advantages of node specific pre-deployed keying protocol:
o Security aspects are strengthened in this protocol compared to network wide.
o Forward and backward secrecy are improved.

Disadvantages of node specific pre-deployed keying protocol:
o Number of keys computed is more.
o Memory power consumed is more.
o Lack of flexibility and scalability.
o At any given point of time not more than two nodes can form a group and communicate.

Conclusion:

Protocol/Parameter    Network wide   Node specific   KDP based   Comparison w.r.t. other protocols
Power consumption     Low            Low             Medium      Low
Authentication        Low            Medium          Medium      Low
Forward Secrecy       Low            Medium          High        Medium
Backward Secrecy      Low            Medium          High        Medium
Memory consumption    Low            Low             Medium      Low
Scalability           Low            Low             High        Low

Table 3

The first two columns give an absolute overview of how the different constraints are being addressed, while the last column shows how well the Pre-deployed protocol addresses these issues when compared to the other two families of protocols.

V. COMPARISON OF THE THREE MAIN PROTOCOLS

Protocols/properties   Arbitrated Protocol   Group keying Protocols   Pre-deployed keying Protocol
Power Consumption      High                  High                     Low
Authentication         High                  High                     Low
Forward Secrecy        Low                   High                     Medium
Backward Secrecy       Low                   High                     Medium
Memory Consumption     High                  High                     Low
Scalability            Medium                High                     Low

Table 4

This table analyzes how well each protocol addresses each of the security issues mentioned.

Group keying Protocol: Power consumption and memory consumption are high because of the many exponentiations and the large number of message exchanges. Authentication is high, as signatures and certificates can be sent along with the information, depending on the protocol version used (e.g. SA-GDH.2). This protocol has good forward and backward secrecy because of effective key refreshing and key updating features. It has high scalability because the protocols in this family can address a large number of nodes.

Arbitrated Protocol: The power and memory consumption of these nodes is high because of the large number of messages being transmitted and the usage of certificates.

The authentication provided by this protocol is high, as some protocols of this family use certification for authentication and in other protocols each node has to authenticate itself to the key distribution center to get the session key. Session secrecy is maintained in this protocol by the use of time stamps, i.e. the key is good for the duration provided by the time stamp. But this mechanism becomes complicated as the number of nodes increases and when the time of communication of the nodes cannot be predetermined. It has medium scalability. This is because, as the number of nodes increases, the power consumption increases rapidly to maintain features like scalability, authentication and session secrecy.

Pre-Deployed Keying Protocols: Power consumed is low, as the keys are loaded before deployment, by which computational energy is conserved, and the absence of key exchanges minimizes the communication energy. The authentication is low, since there is no assurance that the message has been sent by the sender it claims to be from. The forward and backward secrecies do not fare well, as the keys are not refreshed frequently. Memory consumption is not very high, as only the keys are stored. The scalability is low for this protocol, since the security issues are not well addressed as the number of nodes increases.

Purpose/Protocol      Arbitrated   Group key distribution   Pre-Deployed Keying Protocols
Military scenario     Poor         Fair                     Fair
Emergency Operation   Poor         Fair                     Fair
General Purpose       Good         Good                     Poor

This table analyzes how each protocol addresses each of the possible infrastructures of ad-hoc networks. Rating: Good, Fair, and Poor.

Basis for analysis: This analysis is based on the assumption that the following factors are important for each of the following scenarios.
1. The nodes in an ad-hoc network formed in the military scenario have limited power, so the issue to be taken care of is power consumption while providing better security.
2. For emergency operation, the protocol should be able to address the dynamic nature of the nodes.
3. For general purpose, security is of major importance, while power consumption may not be optimum.

These are the parameters which we have chosen for the analysis. The choice of the protocol changes depending on the requirements.

Arbitrated protocol: This generally uses a centralized trusted third party for authentication, and if a key distribution center is used for the trust, it is expected to be online for better performance. It also uses a certification process for better authentication. This infrastructure is not applicable to the military scenario, where the nodes have low power resources; it is also not applicable to emergency operations, where the nodes tend to be dynamic. So the arbitrated protocol will be a poor choice for military and emergency scenarios. But it would be a fair choice for the general purpose scenario, where the major concern would be authentication between the nodes. This is assuming the nodes are provided with good power resources.

Group key distribution: This family of protocols is fairly good for both military and emergency operations because of the high security provided by good key refreshing and key updating features. The trade-off is that power consumption is not optimum. Some of the protocols that provide good authentication are good for general purpose ad-hoc networks.

Pre-Deployed Keying Protocols: The power consumed by the nodes is low but the security issues are not well addressed. Hence this is an optimal choice in the military scenario. Because of the absence of a trusted authority the nodes can be deployed anywhere, hence its application in emergency operations is a fair choice. For general purpose, Pre-deployed is not a good choice, as authentication is a major drawback for this family of protocols.

REFERENCES

[1] Securing multicast groups in Ad-Hoc networks, Hartono Kurnio, Huaxiong Wang, Josef Pieprzyk and Kris Gaj, Macquarie University and George Mason University.
[2] Group Protocols for Secure Wireless Ad-hoc Networks, Srikanth Nannapaneni, Aparna Kasturi, Swethana Pagadala, Nagasree Chandu Kamisetty, George Mason University, 2005.
[3] Key Distribution Techniques for Sensor Networks, Haowen Chan, Adrian Perrig and Dawn Song, Carnegie Mellon University.
[4] Security system for ad-hoc wireless networks based on generic secure objects, Ciobanu Morogan, Matei.
[5] Securing Ad Hoc Networks, Lidong Zhou, Zygmunt J. Haas, Cornell University, Ithaca, NY 14853.
[6] New Multiparty Authentication Services and Key Agreement Protocols, Giuseppe Ateniese, Michael Steiner, and Gene Tsudik, Member, IEEE, Journal of Selected Areas in Communications, Vol. 18, No. 4, April
[7] Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange, E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL), D. Pointcheval (ENS), J.-J. Quisquater (UCL).
[8] Key Agreement in Dynamic Peer Groups, Michael Steiner, Gene Tsudik, Member, IEEE Computer Society, and Michael Waidner, Member, IEEE Computer Society.
[9] Constraints and approaches for Distributed sensor network security, David W. Carman, Peter S. Kruus, Brian J. Matt, September 1, 2000.
[10] Group key generation in Ad hoc wireless networks using a subgroup method, Kristin E. Burke, Spring Semester, 2003.
[11] Group Key Agreement-Theory and Practice, December 12, 2005, Yongdae Kim.
[12] Group Key Establishment in Wireless Ad Hoc Networks, Eric Ricardo Anton, Otto Carlos Muniz Bandeira Duarte.
[13] Scalable Protocols for Authenticated Group Key Exchange, September 11, 2003, Jonathan Katz, Moti Yung.
[14] http://en.wikipedia.org/wiki
[15] Cryptography and Network Security, William Stallings.
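The network-wide and node specific pre-deployed keying schemes analysed above, as an added example that is not part of the original paper: it builds both key layouts and measures per-node storage, the links exposed when one node's memory is captured, and whether a MAC ties a message to a particular sender. The 128-bit key size, HMAC-SHA256 as the MAC, the omission of the encryption step, and all function names are assumptions of this example.

```python
import hashlib, hmac, os
from itertools import combinations

KEY_BITS = 128  # assumed key size; the paper only says "key size"

def tag(key, msg):
    """MAC appended to a message (HMAC-SHA256 is this example's choice)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key, msg, mac):
    return hmac.compare_digest(tag(key, msg), mac)

def network_wide(n):
    """Every node is loaded with the same key before deployment."""
    key = os.urandom(KEY_BITS // 8)
    return {node: {"*": key} for node in range(n)}

def node_specific(n):
    """One key per pair of nodes, computed offline: nC2 keys in total."""
    stores = {node: {} for node in range(n)}
    for a, b in combinations(range(n), 2):
        stores[a][b] = stores[b][a] = os.urandom(KEY_BITS // 8)
    return stores

def link_key(stores, a, b):
    """Key node a uses to talk to node b (a != b) under either scheme."""
    return stores[a].get("*") or stores[a][b]

def storage_bits(stores, node):
    """Key material held in one node's memory."""
    return len(stores[node]) * KEY_BITS

def exposed_links(stores, captured):
    """Links whose key sits in the captured node's memory."""
    held = set(stores[captured].values())
    return [(a, b) for a, b in combinations(range(len(stores)), 2)
            if link_key(stores, a, b) in held]

def origin_distinguishable(stores, a, b, receiver):
    """Can `receiver` tell a tag made by b from one made by a?"""
    msg = b"reading=21.5"  # constructed sample message
    mac_from_b = tag(link_key(stores, b, receiver), msg)
    return not verify(link_key(stores, receiver, a), msg, mac_from_b)

if __name__ == "__main__":
    for name, build in (("network-wide", network_wide), ("node-specific", node_specific)):
        s = build(10)
        print(name, storage_bits(s, 0), "bits/node,",
              len(exposed_links(s, 3)), "of 45 links exposed,",
              "sender bound to key:", origin_distinguishable(s, 0, 1, 2))
```

With 10 nodes, the shared key costs 128 bits per node but one captured node exposes all 45 links and the MAC cannot identify the sender; pairwise keys cost 1152 bits per node and confine the exposure to the captured node's own 9 links.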
