Principles of key management

Security services based on cryptographic mechanisms assume keys to be distributed prior to secure communications. The secure management of these keys is one of the most critical elements when integrating cryptographic functions into a system, since any security concept will be ineffective if the key management is weak. This work approaches the problem of key management in a modular and hierarchical manner. It discusses key management security requirements, deals with generic key management concepts and design criteria, describes key management services and building blocks, as well as key management facilities, key management units, and their interrelationship     

An efficient identity-based secret key management scheme for MANETs

This paper put forward an identity-based key management scheme for mobile ad hoc networks (MANETs), it provids an efficient secret key management mechanism for security schemes, which be implemented over any cyclic group in that the strong Diffie-Hellman problem is supposed to be hard. By employing identity-based and threshold cryptography, the proposed scheme eliminates the burden of certificates management and can be high level tolerance to node compromise. The scheme is based on threshold Schnorr signature (TSch), for higher efficiency, we transform TSch to a simpler form, donated by SimpleTSch, and prove that SimpleTSch is unforgeable under passive attacks in the random oracle model. However, to cope with active attacks, we enforce the security by introducing Fiore et al's key agreement. We can say that the proposed key management scheme gives lots of help for design of security protocols in MANETs.     

一种基于ID的传感器网络密钥管理方案

对偶密钥的建立是无线传感器网络的安全基础,它使得节点之间能够进行安全通信。但是由于节点资源的限制,传统的密钥管理方法在传感器网络中并不适用。在分析了现有密钥预分配协议的前提下,该文提出一种新的基于ID的密钥预分配协议。此协议用计算和比较散列值的方式替代广播方式协商密钥,减少了传感器节点大量的通信消耗。然后,分析了所提出方案的安全性、通信量和计算量,并和已有协议进行了比较。结果表明本文的方法不仅能保证安全性,而且节约了大量通信资源。     

An efficient and attack‐resistant key agreement scheme for secure group communications in mobile ad‐hoc networks

As a result of the growing popularity of wireless networks, in particular mobile ad hoc networks (MANET), security over such networks has become very important. Trust establishment, key management, authentication, and authorization are important areas that need to be thoroughly researched before security in MANETs becomes a reality. This work studies the problem of secure group communications (SGCs) and key management over MANETs. It identifies the key features of any SGC scheme over such networks. AUTH‐CRTDH, an efficient key agreement scheme with authentication capability for SGC over MANETs, is proposed. Compared to the existing schemes, the proposed scheme has many desirable features such as contributory and efficient computation of group key, uniform work load for all members, few rounds of rekeying, efficient support for user dynamics, key agreement without member serialization and defense against the Man‐in‐the‐Middle attack, and the Least Common Multiple (LCM) attack. These properties make the proposed scheme well suited for MANETs. The implementation results show that the proposed scheme is computationally efficient and scales well to a large number of mobile users. Copyright © 2007 John Wiley & Sons, Ltd.     

Hexagonal Clustered Trust Based Distributed Group Key Agreement Scheme in Mobile Ad Hoc Networks

Secure and efficient group communication among mobile nodes is one of the significant aspects in mobile ad hoc networks (MANETs). The group key management (GKM) is a well established cryptographic technique to authorise and to maintain group key in a multicast communication, through secured channels. In a secure group communication, a one-time session key is required to be shared between the participants by using distributed group key agreement (GKA) schemes. Due to the resource constraints of ad hoc networks, the security protocols should be communication efficient with less overhead as possible. The GKM solutions from various researches lacks in considering the mobility features of ad hoc networks. In this paper, we propose a hexagonal clustered one round distributed group key agreement scheme with trust (HT-DGKA) in a public key infrastructure based MANET environment. The proposed HT-DGKA scheme guarantees an access control with key authentication and secrecy. The performance of HT-DGKA is evaluated by simulation analysis in terms of key agreement time and overhead for different number of nodes. Simulation results reveal that the proposed scheme guarantees better performance to secure mobile ad hoc network. It is demonstrated that the proposed scheme possesses a maximum of 2250 ms of key agreement time for the higher node velocity of 25 m/s and lower key agreement overhead. Also, the HT-DGKA scheme outperforms the existing schemes in terms of successful message rate, packet delivery ratio, level of security, computation complexity, number of round, number of exponentiations and number of message sent and received that contribute to the network performance.

     

Threshold-based intrusion detection in ad hoc networks and secure AODV

Mobile ad hoc networks (MANETs) play an important role in connecting devices in pervasive environments. MANETs provide inexpensive and versatile communication, yet several challenges remain in addressing their security. So far, numerous schemes have been proposed for secure routing and intrusion detection, with only simulations to validate them; little work exists, in implementing such schemes on small handheld devices. In this paper, we present our approach of securing a MANET using a threshold-based intrusion detection system and a secure routing protocol. We present a proof-of-concept implementation of our IDS deployed on handheld devices and in a MANET testbed connected by a secure version of AODV over IPv6 – SecAODV. While the IDS helps detect attacks on data traffic, SecAODV incorporates security features of non-repudiation and authentication, without relying on the availability of a Certificate Authority (CA) or a Key Distribution Center (KDC). We present the design and implementation details of our system, the practical considerations involved, and how these mechanisms can be used to detect and thwart malicious attacks.     

SRDP: Secure route discovery for dynamic source routing in MANETs

Routing is a critical function in multi-hop mobile ad hoc networks (MANETs). A number of MANET-oriented routing protocols have been proposed, of which DSR is widely considered both the simplest and the most effective. At the same time, security in MANETs – especially, routing security – presents a number of new and interesting challenges. Many security techniques geared for MANETs have been developed, among which Ariadne is the flagship protocol for securing DSR.The focus of this work is on securing the route discovery process in DSR. Our goal is to explore a range of suitable cryptographic techniques with varying flavors of security, efficiency and robustness. The Ariadne approach (with TESLA), while very efficient, assumes loose time synchronization among MANET nodes and does not offer non-repudiation. If the former is not possible or the latter is desired, an alternative approach is necessary. To this end, we construct a secure route discovery protocol (SRDP) which allows the source to securely discover an authenticated route to the destination using either aggregated message authentication codes (MACs) or multi-signatures. Several concrete techniques are presented and their efficiency and security are compared and evaluated.     

Securing Mobile Ad Hoc Networks Using Enhanced Identity‐Based Cryptography

Recent developments in identity‐based cryptography (IBC) have provided new solutions to problems related to the security of mobile ad hoc networks (MANETs). Although many proposals to solve problems related to the security of MANETs are suggested by the research community, there is no one solution that fits all. The interdependency cycle between secure routing and security services makes the use of IBC in MANETs very challenging. In this paper, two novel methods are proposed to eliminate the need for this cycle. One of these methods utilizes a key pool to secure routes for the distribution of cryptographic materials, while the other adopts a pairing‐based key agreement method. Furthermore, our proposed methods utilize threshold cryptography for shared secret and private key generation to eliminate the “single point of failure” and distribute cryptographic services among network nodes. These characteristics guarantee high levels of availability and scalability for the proposed methods. To illustrate the effectiveness and capabilities of the proposed methods, they are simulated and compared against the performance of existing methods.     

量子保密术和保密通信

基于量子物理原理的量子密码术已被证明是保密通信中密钥安全分配的有效手段．本文介绍了量子密码的基本原理，探讨了实现量子密码的几种方案，并研究了各自的密钥分配机制．还讨论了量子密码通信的历史发展和指出现存在的问题以及未来的发展前景。     

Security Through Collaboration and Trust in MANETs

It is well understood that Mobile Ad Hoc Networks (MANETs) are extremely susceptible to a variety of attacks, and traditional security mechanisms do not work well. Many security schemes have been proposed that depend on cooperation amongst the nodes in a MANET for identifying nodes that are exhibiting malicious behaviors such as packet dropping, packet modification, and packet misrouting. We argue that in general, this problem can be viewed as an instance of detecting nodes whose behavior is an outlier when compared to others. In this paper, we propose a collaborative and trust-based outlier detection algorithm that factors in a node??s reputation for MANETs. The algorithm leads to a common outlier view amongst distributed nodes with a limited communication overhead. Simulation results demonstrate that the proposed algorithm is efficient and accurate.     

A cryptographic key management solution for HIPAA privacy/security regulations.

The Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations are two crucial provisions in the protection of healthcare privacy. Privacy regulations create a principle to assure that patients have more control over their health information and set limits on the use and disclosure of health information. The security regulations stipulate the provisions implemented to guard data integrity, confidentiality, and availability. Undoubtedly, the cryptographic mechanisms are well defined to provide suitable solutions. In this paper, to comply with the HIPAA regulations, a flexible cryptographic key management solution is proposed to facilitate interoperations among the applied cryptographic mechanisms. In addition, case of consent exceptions intended to facilitate emergency applications and other possible exceptions can also be handled easily.     

A dynamic key management solution to access hierarchy

Hierarchical access control (HAC) has been a fundamental problem in computer and network systems. Since Akl and Taylor proposed the first HAC scheme based on number theory in 1983, cryptographic key management techniques for HAC have appeared as a new and promising class of solutions to the HAC problem. Many cryptographic HAC schemes have been proposed in the past two decades. One common feature associated with these schemes is that they basically limited dynamic operations at the node level. In this paper, by introducing the innovative concept of ‘access polynomial’ and representing a key value as the sum of two polynomials in a finite field, we propose a new key management scheme for dynamic access hierarchy. The newly proposed scheme supports full dynamics at both the node level and user level in a uniform yet efficient manner. Furthermore, the new scheme allows access hierarchy to be a random structure and can be flexibly adapted to many other access models such as ‘transfer down’ and ‘depth‐limited transfer’. Copyright © 2007 John Wiley & Sons, Ltd.     

An Enhanced Hierarchical Key Management Scheme for MANETs

Security is one of the major issues in Mobile Ad-hoc Networks (MANETs). Their natural characteristics make them vulnerable to numerous severe attacks. In this paper, we present an enhanced hierarchical key management scheme for secure group communications in MANETs. The proposed approach primarily aims at improving security and complexity, especially complexity in the level of ordinary members for joining or leaving processes to achieve the most possible dynamic characteristic of MANETs without neglecting network security. The proposal scheme is designed with the potential of developing an efficient model interested in keying applied on hierarchical structure to increase the security and make no need to apply rekeying of all group members in different sub-levels as made by hierarchical key management scheme (HKMS). Also, it reduces complexity of processing load, memory usage and improves resources. In the proposed model, each communication between two nodes have a unique key to make it more secure with encrypting messages by different keys for more than one time and support node flexibility. Experiments are carried out on the proposed scheme to show the effect of complexity on each node in different grades and results are compared with traditional HKMS.     

Provably secure hybrid key agreement protocols in cluster-based wireless ad hoc networks

Wireless ad hoc networks support rapid on-demand and adaptive communication among the nodes due to their self-configurable and autonomous nature and lack of fixed infrastructure. Security is a crucial factor for such systems. Since ad hoc networks rely on the collaboration principle, the issue of key distribution and efficient group key management in such networks represents two of the most important problems. We describe hybrid solutions to the problem of key distribution and key management by reflecting ad hoc networks in a topology composed of a set of clusters. To date no security proofs exist for these types of protocols. We present two dynamically efficient schemes. We show that both our hybrid schemes are provably secure in the standard model under Decision Diffie–Hellman (DDH) assumption. The proposed protocols avoid the use of a trusted third party (TTP) or a central authority, eliminating a single point of attack. We analyse the complexity of the schemes and differentiate between the two approaches based on performance in a wireless setting. In comparison with the existing cluster-based hybrid key agreement protocols, our proposed approaches individually provide better performance in terms of both communication and computation, handle dynamic events efficiently, and are supported by sound security analysis in formal security models under standard cryptographic assumptions.     

The KryptoKnight family of light-weight protocols forauthentication and key distribution

An essential function for achieving security in computer networks is reliable authentication of communicating parties and network components. Such authentication typically relies on exchanges of cryptographic messages between the involved parties, which in turn implies that these parties be able to acquire shared secret keys or certified public keys. Provision of authentication and key distribution functions in the primitive and resource-constrained environments of low-function networking mechanisms, portable, or wireless devices presents challenges in terms of resource usage, system management, ease of use, efficiency, and flexibility that are beyond the capabilities of previous designs such as Kerberos or X.509. This paper presents a family of light-weight authentication and key distribution protocols suitable for use in the low layers of network architectures. All the protocols are built around a common two-way authentication protocol. The paper argues that key distribution may require substantially different approaches in different network environments and shows that the proposed family of protocols offers a flexible palette of compatible solutions addressing many different networking scenarios. The mechanisms are minimal in cryptographic processing and message size, yet they are strong enough to meet the needs of secure key distribution for network entity authentication. The protocols presented have been implemented as part of comprehensive security subsystem prototype called KryptoKnight     

Packet Recycling and Delayed ACK for Improving the Performance of TCP over MANETs

Most of the schemes that were proposed to improve the performance of transmission control protocol (TCP) over mobile ad hoc networks (MANETs) are based on a feedback from the network, which can be expensive (require extra bandwidth) and unreliable. Moreover, most of these schemes consider only one cause of packet loss. They also resume operation based on the same stand-by parameters that might vary in the new route. Therefore, we propose two techniques for improving the performance of TCP over MANETs. The first one, called TCP with packet recycling (TCP-PR), allows the nodes to recycle the packets instead of dropping them after reaching the retransmission limit at the MAC layer. In the second technique, which is called TCP with adaptive delay window (TCP-ADW), the receiver delays sending TCP ACK for a certain time that is dynamically changed according to the congestion window and the trip time of the received packet. TCP-PR and TCP-ADW are simple, easy to implement, do not require network feedback, compatible with the standard TCP, and do not require distinguishing between the causes of packet loss. Our thorough simulations show that the integration of our two techniques improves the performance of TCP over MANETs.     

Fault Analysis and Evaluation of a True Random Number Generator Embedded in a Processor

True Random Number Generators have many uses, in particular they play a key role in security applications and cryptographic algorithms. Our interest lies in the quality of their generated random numbers. More specifically, for such utilizations, a slight deviation of the numbers from a “perfect” behavior can have disastrous consequences. It is then necessary to devise schemes for the testing of these generators in order to detect non-random properties of their numbers. Moreover, one should consider them from an attacker point of view and use any means to try to perturbate their good functionnality. In this article we describe such experiments and several standard statistical tools for the generators testing. We also present experimental results obtained through the study of a generator embedded in a processor in order to illustrate our methodology. We show that its pertubation leads to the apparition of dangerous deviations in its numbers distribution.     

Performance Evaluation of Cost-Effective Multicast–Unicast Key Management Method

Group key management is one of the key security issues in multicast networks. The main challenge is to provide a secure group key management method which avoids high key update cost in terms of the number of transmitted keys. In order to achieve low key update cost for group key management, most of the existing methods increase their encryption/decryption cycles which requires a strong cryptographic function. In this paper, a cost-effective key management method is proposed to address the problem of high key update cost without increasing the encryption/decryption cycles. We evaluated our proposed method with existing tree-based methods by using Markov chain and Poisson Arrival Process. Results indicate the efficiency of our proposed method in reducing the key update cost significantly compared to the existing tree-based key management methods.     

Load Based Key Generation for MANETs: A Comparative Study with DSR and AODV

Wireless Personal Communications - Automatic key establishment schemes are the root of secure communication in Mobile adhoc networks(MANETs). These schemes are not universal, their performance...     

Stimulating Node Cooperation in Mobile Ad hoc Networks

Mobile Ad hoc Networks (MANETs) rely on the cooperation of nodes for packet routing and forwarding. Much of the existing work in MANETs assume that mobile nodes (possibly owned by selfish users) will follow prescribed protocols without deviation. However, a user may misbehave due to several advantages resulting from noncooperation, the most obvious being power saving. As such, the network availability is severely endangered. Hence, enforcing the cooperation among nodes becomes a very important issue. Several different approaches have been developed to detect non-cooperative nodes or deal with the non-cooperative behavior of mobile nodes in MANETs. These protocols are first surveyed in details in this paper. It is found that the proposed approaches have several concerns that prevent them from really enforcing the node cooperation in MANETs. Thus, a new scheme that can stimulate and also enforce nodes to cooperate in a selfish ad hoc environment is presented. We also present a mechanism to detect and exclude potential threats of selfish mobile nodes. The simulation results indicate that by using the proposed scheme, MANETs can be robust against nodes’ misbehaving and the performance of the network is enhanced many folds when compared to other existing schemes.