01549386
Security of MANETs is questioned due to their unique characteristics such as wireless communication, infrastructure-less network, dynamic membership, and heterogeneous devices. External vulnerabilities like eavesdropping and dynamic network, and internal constraints like limited computational and storage capabilities, pose challenges in implementing a secure ad hoc network. Hence, basic security requirements of MANET are availability, authentication, integrity, confidentiality, authorization, and trust management.
This paper covers in brief current security solutions in MANET. In addition, this paper sheds light on TC and its application in computer and ad hoc networks. Our RSA-TC implementation is discussed. Through this implementation, we put forth the practical issues faced while implementing this scheme in a MANET. Also, considering its limitations, we suggest under what circumstances RSA-TC could be implemented in MANET. Further, we demonstrate why RSA-TC is unsuitable for MANET. Lastly, we discuss why ECC based TC could be considered as an alternative to realize benefits of TC in MANET.
1. Introduction
Mobile Ad hoc Network (MANET) is emerging as an important area for new developments in the field of wireless communication. The premise of forming a MANET is to provide wireless communication between heterogeneous devices, anytime and anywhere, with least or no infrastructure [1], [2], [3], [4]. These devices, for instance cell phones, laptops, palmtops, remote systems, etc., carry out communication with other nodes that come in their radio range of connectivity. Each participating node provides services such as message forwarding, providing routing information, authentication, etc. to form a network with other nodes spread over an area.
3. Threshold cryptography
Threshold cryptography (TC) involves sharing of a key by multiple individuals called shareholders engaged in encryption or decryption. The objective is to have distributed architecture in a hostile environment. Other than sharing keys or working in distributed manner, TC can be implemented to redundantly split the message into n pieces such that with t or more pieces the original message can be recovered. This ensures secure message transmission between two nodes over n multiple paths. Threshold schemes generally involve key generation, encryption, share generation, share verification, and share combining algorithms. Share generation, for data confidentiality and integrity, is the basic requirement of any TC scheme. Threshold models can be broadly divided into single secret sharing threshold, e.g. Shamir's t-out-of-n scheme based on Lagrange's interpolation, and threshold sharing functions, e.g. geometric based threshold [6]. These schemes are being used to implement threshold variants of RSA, El Gamal, and Diffie-Hellman cryptographic algorithms that have the characteristic E(x + y) = E(x) * E(y), called homomorphism [7]. TC finds its application in document authorization/signing or verification in organizations [7], a voting system for allowing access to system resources [8], e-commerce transactions, distributed online certification authority [9], and key distribution [1], [2] in computer networks. TC can be implemented in various applications in a MANET. Applications such as coordinating efforts of military attacks using wireless devices in the battlefield or in disaster-struck area, wireless connectivity of various home appliances, and establishing communication among laptops, PDAs and other wireless devices at conferences, are ideal grounds for adopting TC. When compared with computer networks, it is easy to deduce that implementing TC in MANETs is a challenging task due to their dynamic and distributed nature and constrained resources at each network node. In the next section, we present our efforts to apply a threshold scheme based on RSA in ad hoc networks and explore possible difficulties that would have to be addressed.
Thus,
C
I
=Al i=o j=o tl i=i= (xj (xi-xJ))*f(xi) mod N M'=M =C e modN =Ce modN
f(x), xi
shareholders and the receiver. The receiver uses it for checking integrity of the recovered message.

4.2.2. Determination of threshold: The sender's available neighbors will act as its shareholders. Based on n available neighbors, the threshold t is randomly generated such that $t \geq (n+1)/2$ and $t \leq n$, where $n \geq 2$. In this implementation, (n, t) values are fixed to one of the following: (10, {6, 8, 10}), (15, {8, 11, 15}), or (20, {11, 15, 20}).

4.2.3. Share generation: For calculating key shares and for combining partial messages, Shamir's secret sharing scheme using Lagrange interpolation is implemented. For its polynomial, the coefficients are randomly generated over the modulus $\phi(N)$. The coefficient zero depends on the type of threshold scheme. For threshold encryption, it would be e, while for threshold decryption it would be set to d. The $x_i$-values used for calculating the shares are 1 to n, rather than randomly picked values. The generated shares and $x_i$-values are distributed among the shareholders during the key sharing process.
(p-1)*(q-1).
One hop between 2 nodes + Multi-hop over more than 2 nodes on single disjoint route
As shown in Fig. 2, applying Fermat's theorem [11] in our model, Lagrange interpolation and polynomial generation were carried out over mod $\phi(N)$ to generate the partial keys $f(x_i)$ as explained in Fig. 3. The shareholders only apply the $f(x_i)$s to the message and forward these partial signatures $C_i$ along with the $x_i$-values to the receiver. After receiving t or more $C_i$s, the receiver selects t $C_i$s for recovery of C. The receiver encrypts the $x_i$-values using the sender's public key e, and sends them to the sender via more than one route. The sender calculates the respective $x_i'$-values using Lagrange interpolation over mod $\phi(N)$ and sends them back to the receiver. The receiver then applies these $x_i'$-values to the respective partial signatures and combines the results to recover the final C. It then computes $C^e \bmod N$ to recover the final message M for verification. $\phi(N)$ is not shared with shareholders and no partial messages are stored at the shareholders. The sender carries out computation of the $x_i'$-values. Thus, the shareholders need not know t or other $x_i$-values that are obtained by the receiver. Instead of sending the values to all the shareholders, the receiver sends them to the sender via multiple reverse routes, less than t, thus reducing the message-exchanges carried over the wireless network. In this case, it does not affect the message-exchange even if a few
consecutive $x_i$-values and multiplicative inverse always exists in mod $\phi(N)$ for all $x_i' = \prod_{j=1,\, j \neq i}^{t} \left( x_j / (x_i - x_j) \right) \bmod \phi(N)$.
Further, one would expect DTime >= (t * ETime), but the decryption key e is 65537, which is comparatively much smaller than d or any partial encryption key $f(x_i)$. Also, not all the $x_i'$-values have bit size equal to $f(x_i)$. Taking into consideration the above facts, the timings DTime obtained here are justified, i.e. DTime <= (t * ETime). Fig. 4 and Fig. 5 demonstrate that on increasing key size by 2, ETime as well as DTime increases exponentially. This is expected behavior, as in the regular RSA scheme these timings increase exponentially on doubling key size.
Figure 4. Average Partial Signature Generation Time (ETime) at each Shareholder in RSA-TC
In Fig. 4, for a given key size, the average signature generation time (ETime) is approximately the same at each shareholder irrespective of n and t because all the distributed shared keys have bit lengths equivalent to d. (Note that all the results, Fig. 4 and Fig. 5, have been collected for 500 runs.) Fig. 5 proves that, for fixed n, the combination and verification time (DTime) increases with increase in t, which is equivalent to the number of partial cipher texts $C_i$ to be retrieved. But when t = n the DTime drops. In the latter case, calculation of $x_i'$-values is easier due to all
Processor: SUN Sparc Ultra 5_10, Success rate for 500 runs
increasing key size increases success rate, but note that selection of RSA keys and hence $\phi(N)$ play a major role in this variation. Thus, for same key sizes and $t \neq n$, success rate will vary based solely on $\phi(N)$. The observed advantage of RSA-TC is that success rate is 100% for t = n. Thus, if $\phi(N)$ is available with the sender, then using steps 5 and 6 in Fig. 3, an n-out-of-n scheme can be implemented in MANET. However, from the above results, RSA-TC exhibits a few drawbacks that make it difficult to implement in MANET. First, as $\phi(N) = (p-1)(q-1)$ is even, not every number has an inverse in mod $\phi(N)$ [%, [12]. Since Lagrange interpolation is carried out over mod $\phi(N)$, the question of determining n values of x, where all subsets of t x-values can re-compute $x_i'$-values, was raised. For maximum success rate at any n, t can be varied, and the t that gives maximum success rate could be selected. It is observed in Fig. 6 that as t was gradually increased from n/2 to n, the number of combinations of $x_i$-values, i.e. n!/((n-t)! * t!), decreased but the success rate of retrieving $x_i'$-values increased. Further, when t = n, success rate was 100%. Hence, for different t-values and given $\phi(N)$ at the sender, pre-determination of the set of $x_i$-values is required for a reasonable success rate. Second, considering multiple computations and delays due to message exchanges with multiple nodes, the receiver has to store partial messages until M is recovered. This may render the receiver incapable of storing more messages. In addition to this, given a key size of z bits, each node in the network stores at least 3z bits, i.e. ($f(x_i) \bmod \phi(N)$, $x_i$, N), and a unique identity (Id) for each sender for which it acts as a shareholder. Note that the bit length of the associated Id will be much less than z. For processing message signature generation and verification, additional memory is required to temporarily store intermediate results. Further, exponential calculations for $C_i = M^{f(x_i) \bmod \phi(N)} \bmod N$ are very costly as the bit length of $f(x_i)$ is equivalent to that of $\phi(N)$. Thus, RSA-TC imposes a significant load of storing and processing keys and messages at each node.

We would like to suggest an alternative RSA-TC scheme. If $\phi(N)$ is secret but RSA-TC is still to be implemented, then, instead of keys, the message could be split before or after encryption. Lagrange's interpolation, in mod N field, could be used to divide the message at the sender. In this scheme, shareholders are not required on disjoint routes. Since (e, N) is known, the receiver can calculate the $x_i'$-values, thus eliminating steps 5 and 6 in Fig. 3. In this case, the success rate would be 100% for any t-out-of-n case since N is the product of two prime numbers. Also, $x_i'$-values would always be available in mod N field. But note that if the message is split into n pieces before encryption this would increase RSA computations by n times. Hence, splitting the message after encryption and then forwarding partial pieces on disjoint paths would work and require encryption timings equivalent to an RSA scheme.
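The share generation of section 4.2.3 and the first drawback above (missing inverses in mod φ(N)) can be reproduced with the following added Python example, which is not the paper's implementation. The toy key (p = 61, q = 53, e = 17), the function names, the use of the standard Lagrange coefficient at x = 0, and the success criterion (a t-subset succeeds when every reduced coefficient has a denominator coprime to φ(N)) are assumptions made for illustration.

```python
# Added example, not the paper's code. Toy key and success criterion are assumptions.
from fractions import Fraction
from itertools import combinations
from math import gcd
import secrets

P, Q, E = 61, 53, 17                 # constructed toy primes and public exponent
N, PHI = P * Q, (P - 1) * (Q - 1)    # N = 3233, phi(N) = 3120 (even)
D = pow(E, -1, PHI)                  # private exponent d = 2753

def make_shares(secret, t, n):
    """f(x) of degree t-1 with f(0) = secret, coefficients mod phi(N);
    returns {x_i: f(x_i) mod phi(N)} for x_i = 1..n."""
    coeffs = [secret] + [secrets.randbelow(PHI) for _ in range(t - 1)]
    return {x: sum(c * x**k for k, c in enumerate(coeffs)) % PHI
            for x in range(1, n + 1)}

def lagrange_at_zero(xs, i):
    """Standard coefficient x_i' = prod_{j != i} x_j / (x_j - x_i), reduced to
    lowest terms, then mapped into mod phi(N). Returns None when the reduced
    denominator shares a factor with phi(N), so no inverse exists."""
    c = Fraction(1)
    for j in xs:
        if j != i:
            c *= Fraction(j, j - i)
    if gcd(c.denominator, PHI) != 1:
        return None
    return c.numerator * pow(c.denominator, -1, PHI) % PHI

def combine(message, shares, xs):
    """C = prod C_i^{x_i'} mod N with C_i = M^{f(x_i)} mod N; None on failure."""
    c = 1
    for i in xs:
        lam = lagrange_at_zero(xs, i)
        if lam is None:
            return None
        partial = pow(message, shares[i], N)   # shareholder i's partial signature
        c = c * pow(partial, lam, N) % N
    return c

def success_rate(n, t):
    """Fraction of t-subsets of {1..n} for which every x_i' exists."""
    subsets = list(combinations(range(1, n + 1), t))
    ok = sum(all(lagrange_at_zero(s, i) is not None for i in s) for s in subsets)
    return Fraction(ok, len(subsets))

if __name__ == "__main__":
    for t in (6, 8, 10):
        print(f"n=10, t={t}: success rate {float(success_rate(10, t)):.3f}")
    shares = make_shares(D, 10, 10)
    c = combine(65, shares, tuple(range(1, 11)))   # n-out-of-n always combines
    print("C^e mod N =", pow(c, E, N))             # recovers M = 65
```

With t = n and consecutive x-values every coefficient reduces to a signed binomial coefficient, so no inverse is needed; a subset such as {1, 3} yields the coefficient 3/2, which has no image in mod φ(N) because φ(N) is even.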
| ECC | 163 | 283 | 409 | 571 |
| DH/DSA/RSA | 1024 | 3072 | 7680 | 15360 |
256
Table 2. Sample ECC exponentiation over GF(p) and RSA encrypt/decrypt timings in mSecs

| Processor | MHz | 163 ECC | 192 ECC | 1024 RSAe | 1024 RSAd | 2048 RSAe | 2048 RSAd |
|---|---|---|---|---|---|---|---|
| SPARCII | | 6.1 | 8.7 | 1.7 | 32.1 | 6.1 | 205.5 |
| 200MHz | 200 | 22.9 | 37.7 | 10.8 | 188.7 | 39.1 | 1273.8 |

ECC: rG operation, RSAe: RSA Public key operation, RSAd: RSA Private key operation
Table 3. ECC algorithms (EG, MO, DH, MV, KMOV, Ertaul, Demytko); columns: share split before encryption and share split after encryption, each for 163-bit and 192-bit keys on Sun and ARM.
Due to exponential computations, the RSA scheme requires a lot of computational capacity, bandwidth, power, and storage. ECC-TC could be a better option in MANET. From Table 1 and 2 [4], ECC provides equivalent security as RSA, but with reduced key sizes and at faster speed. With smaller keys, ECC requires less memory and bandwidth and gives better efficiency than RSA [13]. Research has been done to prove that the ECC scheme is suitable for applications on mobile devices [14]. Apart from the above reasons, ECC works in prime field p, so we assume that compared to RSA-TC, ECC-TC would be easy to implement using Shamir's t-out-of-n scheme. Further, success rate could be 100%. Many variants of ECC based algorithms exist such as ECC El Gamal [15], EC Diffie-Hellman [16] (EC-DH), Massey-Omura (MO), Menezes-Vanstone (MV), Koyama-Maurer-Okamoto-Vanstone (KMOV), Ertaul, and Demytko [17]. These variants can be modified to implement ECC-TC in MANET. From Table 3 [17], DH, MV and Ertaul have been identified as the best possible ECC-TC algorithms suitable for MANETs. These algorithms are efficient in both share split before and after encryption. Moving forward, our goal is to implement ECC based DH, MV, Ertaul, and El Gamal for share as well as message splitting before and after encryption in a simulated MANET environment and to compare its performance with RSA-TC.
5. Conclusions
In the RSA-TC implementation, we have proved that knowledge of $\phi(N)$ is a must for sharing keys. It is clearly demonstrated here that, irrespective of key size and for known $\phi(N)$ at the sender, the success rate increases as t is increased from n/2 to n. Further, 100% success rate can be achieved with the n-out-of-n RSA-TC scheme. As in regular RSA, the RSA-TC implementation confirmed that the signature generation and signature verification time increases exponentially when key sizes are doubled. In this paper, it is established that the combining and verifying time is less than t times the partial signature generation time. Rather than sharing keys, we have suggested an alternative of splitting the message at the sender to achieve 100% success rate without knowledge of $\phi(N)$. Thus, our work proves that RSA-TC using key sharing is unsuitable in resource-constrained MANETs due to high storage, computation, and bandwidth requirements. Finally, considering the growth of ad hoc networks in coming years, it is crucial to seriously consider the security of these networks. At this point, though RSA-TC is unsuitable for MANETs, ECC-TC (DH, MV, Ertaul, and El Gamal) appears to be an option to apply threshold cryptography in these networks. Further exploration of ECC-TC algorithms is required to prove that TC could be implemented to take a step closer to achieving enhanced ad hoc network security.
6. References
[1] A. Mishra and K. M. Nadkarni, "Security in wireless ad hoc networks - A Survey", in The Handbook of Ad Hoc Wireless Networks, M. Ilyas, Ed. Boca Raton: CRC Press, 2002, pp. 30.1-30.51.
[2] P. Papadimitratos and Z. Haas, "Securing Mobile Ad Hoc Networks", in The Handbook of Ad Hoc Wireless Networks, M. Ilyas, Ed. Boca Raton: CRC Press, 2002, pp. 31.1-31.17.
[3] H. Yang, H. Luo, F. Ye, S. Lu, and L. Zhang, "Security in Mobile Ad Hoc Networks: Challenges and Solutions", IEEE Wireless Communications, vol. 11, no. 1, Feb. 2004, pp. 38-47.
[4] K. Lauter, "The advantages of Elliptic Curve Cryptography For Wireless Security", IEEE Wireless Communications, vol. 11, no. 1, Feb. 2004, pp. 62-67.
[5] W. A. Arbaugh, "Wireless Security is Different", IEEE Computer, vol. 36, no. 8, Aug. 2003, pp. 99-101.
[6] Y. Desmedt and Y. Frankel, "Threshold cryptosystems", in Advances in Cryptology - Crypto '89, Proceedings, Lecture Notes in Computer Science 435, G. Brassard, Ed., Santa Barbara: Springer-Verlag, 1990, pp. 307-315.
[7] Y. Desmedt, "Some Recent Research Aspects of Threshold Cryptography", in Information Security, Proceedings (Lecture Notes in Computer Science 1396), E. Okamoto, G. Davida, and M. Mambo, Eds., Tatsunokuchi: Springer-Verlag, 1997, pp. 158-173.
[8] Y. Desmedt and S. Jajodia, (1997, July). "Redistributing secret shares to new access structures and its applications". Available: www.isse.gmu.edu/techrep/1997/97_0 ljajodia.pdf
[9] L. Zhou, "Towards Fault-tolerant and Secure On-line Services". Ph.D. dissertation, Dept. of Computer Science, Cornell Univ., Ithaca, NY, 2001. Available: http://citeseer.ist.psu.edu/zhou01towards.html
[10] A. Lysyanskaya, (1999), "Efficient Threshold and Proactive Cryptography Secure against the Adaptive Adversary". Available: http://citeseer.ist.psu.edu/lysyanskaya99efficient.html
[11] W. Stallings, Cryptography and Network Security: Principles and Practice. Delhi: Pearson Education (Singapore), 2002, ch. 7.
[12] M. Narasimha, G. Tsudik, and J. Yi, "On the Utility of Distributed Cryptography in P2P and MANETs: the Case of Membership Control." [Online]. Available: http://citeseer.ist.psu.eduKE8081 .html
[13] G. V. S. Raju, "Wireless Network Security." Available: http://cias.utsa.edu/Presentations/TIPS04-Raju.ppt
[14] W. Chou, "Elliptic Curve Cryptography and Its Applications to Mobile Devices." Available: http://www.cs.umd.edu/Honors/reports/ECCpaper.pdf
[15] T. Elgamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, vol. 31(4), July 1985, pp. 469-472.
[16] N. Koblitz, "Elliptic Curve Cryptosystems," Mathematics of Computation, vol. 48(177), pp. 203-209, 1987.
[17] L. Ertaul and W. Lu, "ECC Based Threshold Cryptography for Secure Data Forwarding and Secure Key Exchange in MANET (I)," Networking 2005, LNCS 3462, University of Waterloo, Canada, May 2005, pp. 102-113.