
Privacy in Mobile Ad Hoc Networks

Jhansi Vazram. B1, Valli Kumari. V2, Murthy J.V.R3


1 Dept. of CSE, Narasaraopeta Engg. College, Andhra Pradesh, India-522601.
2 Dept. of CS & SE, Andhra University, Andhra Pradesh, India 530003.
3 Dept. of CSE, J N T University, Kakinada, Andhra Pradesh, India 533003.
{ jhansi.bolla, vallikumari, mjonnalagedda }@gmail.com

Abstract. In mobile ad hoc networks, generating and maintaining anonymity for any ad hoc node is challenging because of node mobility, the dynamic network topology, the cooperative nature of the network and the broadcast nature of the communication media. Anonymity is provided to protect the communication by hiding the participants as well as the message contents. Existing techniques based on cryptosystems and broadcasting cannot be easily adapted to MANETs because of their extensive cryptographic computation and/or large communication overhead. In this paper, we first propose an unconditionally secure privacy preserving message authentication scheme (PPMAS) which uses the Modified New variant ElGamal signature Scheme (MNES). Second, we propose a privacy preserving communication protocol for MANETs based on dynamic generation of pseudonyms, which are used in place of real nodes to provide anonymity.

Keywords: Network security, anonymity, mobile adhoc networks.

1 Introduction
A mobile ad hoc network (MANET) comprises a set of wireless devices that can move around freely and cooperate in relaying packets on behalf of one another. A MANET does not require a fixed infrastructure or centralized administration. Distant mobile nodes communicate through multi-hop paths, as they have limited transmission range. Their ease of deployment makes MANETs an attractive choice for a variety of applications like battleground communications, disaster recovery efforts, communication among a group of islands or ships, conferencing without the support of a wired infrastructure, and interactive information sharing.

In MANETs, mobile nodes cooperate to forward data on behalf of each other. Typical protocols used for self-organizing and routing in these networks expose the node identifiers (network and link layer addresses), neighbors, and the end-points of communication. Some modes of operation further mandate that the nodes freely divulge their physical location. In short, nodes must advertise a profile of their online presence to participate in the MANETs, which is highly undesirable. Both military and civilian MANETs may find the mandated exposure of information unacceptable: a node should be able to keep its identity, its location and its correspondents private, i.e., remain anonymous [6], [4].

Any solution providing anonymity must overcome the broadcast nature of wireless environments (which enables eavesdropping) and operate under often tight resource constraints, unlike wired networks. Simple solutions like packet encryption are also largely ineffective because of the ease of traffic analysis over a broadcast medium. Hence, supporting privacy in MANETs is enormously challenging.

Outline of the paper: Section 2 presents the related work. Section 3 gives an overview of the proposed privacy preserving unconditionally secure message authentication scheme. Section 4 proposes a privacy preserving communication protocol. Section 5 discusses the security analysis. Section 6 gives the performance analysis, and finally we conclude in Section 7.

2 Related work
Unlinkability of an entity with a message or an action performed by it means that an adversary with enough information is unable to determine the identity of the entity, given the message or the action performed by it. Unlinkability makes anonymity possible. Privacy of both the source and the destination has to be protected in MANETs. It is also desirable that the attacker should not be able to derive the fact that source and destination nodes are communicating. We define a set of objects called the anonymous set (AS) to see that a particular object is unidentifiable.

Our proposed work, like any other signature scheme, consists of two algorithms, generation and verification. With the generation algorithm, given the message m and the public keys of the anonymous set (AS), a sender from AS, with her own private key, can generate an anonymous message . The verification algorithm, given the message m and anonymous message , is used to verify whether is generated by a member in the AS. The security requirements for our method are sender anonymity and unforgeability.

2.2. Modified New variant ElGamal signature scheme (MNES)

Definition 1: Based on the New variant ElGamal signature scheme [2], we propose a modified new variant ElGamal signature scheme (MNES), which consists of the following 3 algorithms:

i) Key generation algorithm: Let p be a large prime, be a generator of . Both p and are made public. For a random private key x , The public key y is computed from y = x mod p.

ii) Signature algorithm: The MNES can also have many variants. For the purpose of efficiency, we will describe the variant called the optimal scheme. To sign a message m, one chooses a random k, l , then computes the k l exponentiation r= mod p, s = mod p and q= h mod p and solves w from 1 (1) where h is a one way hash function. The signature of the message m is defined as the triple ( r, s, w ).

iii) Verification algorithm: The verifier checks the signature equation , h=h(m,rs). If the equality holds true, then the verifier accepts the signature and rejects otherwise.

The existing anonymous communication protocols largely stem from either mixnet [1] or DC-net [3]. Moller presented a secure public-key encryption algorithm for mixnet [8]. This algorithm has been adopted by Mixminion [7]. However, since mixnet-like protocols rely on the statistical properties of background traffic, they cannot provide provable anonymity. Recently, message sender anonymity based on ring signatures was introduced [5][10]. This method provides an assurance to the sender that the generated message has a source anonymous signature along with content authenticity, while hiding the message sender's real identity.

In this paper, we first propose an unconditionally secure privacy preserving message authentication scheme (PPMAS) based on the modified new variant ElGamal signature scheme. This is because the original ElGamal signature scheme is existentially forgeable with a generic message attack [12, 11]. While the modified ElGamal signature (MES) scheme [5] is secure against no-message attack and adaptive chosen message attack in the random oracle model [9], it cannot be used for more than one message. The modified new variant ElGamal signature scheme (MNES) is very similar to MES, and, as in [2], more than one message can be transmitted without changing the secret exponents.
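The forgeability of the original ElGamal signature mentioned above can be checked directly. The following is an added example, not code from the paper: it implements the textbook ElGamal signature equation g^m = y^r r^s mod p (not MNES or PPMAS) over constructed toy parameters, and shows that a triple built from the public key alone verifies when the equation takes m directly but is rejected once the equation binds a hash of the message. All function names are illustrative.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters: far too small for real use.
P = 2**127 - 1   # a Mersenne prime
G = 3            # fixed public base; the algebra below holds for any base

def h(msg: bytes) -> int:
    """Hash a message to an exponent modulo p-1."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 1)

def random_unit() -> int:
    """Random value that is invertible modulo p-1."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:
            return k

def keygen():
    x = secrets.randbelow(P - 3) + 2      # private key
    return x, pow(G, x, P)                # (x, y = g^x mod p)

def sign_exponent(x: int, m: int):
    """Textbook ElGamal: r = g^k, s = (m - x*r) * k^-1 mod (p-1)."""
    k = random_unit()
    r = pow(G, k, P)
    s = (m - x * r) * pow(k, -1, P - 1) % (P - 1)
    return r, s

def verify_exponent(y: int, m: int, r: int, s: int) -> bool:
    """Accept iff 0 < r < p and g^m == y^r * r^s (mod p)."""
    if not 0 < r < P:
        return False
    return pow(G, m, P) == pow(y, r, P) * pow(r, s, P) % P

def sign_hashed(x: int, msg: bytes):
    return sign_exponent(x, h(msg))

def verify_hashed(y: int, msg: bytes, r: int, s: int) -> bool:
    return verify_exponent(y, h(msg), r, s)

def forge_unhashed(y: int):
    """Build (m, r, s) from the public key alone.

    With r = g^e * y^v and s = -r / v, the y terms cancel in y^r * r^s,
    leaving g^(e*s); so the triple verifies for m = e*s, a value the
    forger does not get to choose.
    """
    e = secrets.randbelow(P - 3) + 2
    v = random_unit()
    r = pow(G, e, P) * pow(y, v, P) % P
    s = -r * pow(v, -1, P - 1) % (P - 1)
    return e * s % (P - 1), r, s

def demo():
    x, y = keygen()
    m, r, s = forge_unhashed(y)
    raw = verify_exponent(y, m, r, s)                       # no hash
    hashed = verify_hashed(y, m.to_bytes(16, "big"), r, s)  # hash bound
    honest = verify_hashed(y, b"hello", *sign_hashed(x, b"hello"))
    return raw, hashed, honest

if __name__ == "__main__":
    print(demo())
```

Because the forged m is an output of the construction rather than an input, requiring m to be the hash of a real message forces the forger to invert the hash, which is why hashed variants are the baseline for the schemes discussed here.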

3. Unconditionally Secure Privacy Preserving MAC (PPMAS):


In this section, we propose an efficient privacy preserving unconditionally secure message authentication scheme (PPMAS). The main idea is that for each message m to be released, the sending node generates a privacy preserving message authentication for the message m. The generation is based on the MNES scheme. Unlike ring signatures, which require computing a forgery signature for each member in the AS separately, our scheme only requires three steps to generate the entire PPMAS. This scheme links all non-senders and the message sender to the PPMAS alike. In addition, our design enables the PPMAS to be verified through a single equation without individually verifying the signatures.

3.1. The Proposed PPMAS Scheme.

Suppose that the message sender (say Alice) wishes to transmit a message m anonymously from her network node to any other node. The AS includes n members, A1,A2, . . . ,An, for example, = {A1,A2, . . . ,An}, where the actual message sender Alice is At, for some value t, 1 t n.

Let p be a large prime number and be a primitive element of Z . Then is also a generator of Z . That is Z = < >. Both p and are made public and shared by all members in . Each Ai has a publickey , where xi is a randomly selected private key from Z . In this paper, we will not distinguish between the node Ai and its public key yi. Therefore, we also have =, ,.., .

Suppose m is a message to be transmitted. The private key of the message sender Alice is x , 1 t n. To generate an efficient PPMAS for message m, Alice performs the following three steps:

(1) Select a random and pair wise different k , for each 1 i n, and compute , , where 1 k , l , .
(2) Choose two integers , 1 , and compute , , such that 1, 1, 1, , , t.
(3) Compute h 1.

The PPMAS of the message m is defined as , , . , . , . , . , 2)


Where . . . . . . .

(3)

3.2. Verification of PPMAS.

A verifier can verify an alleged PPMAS, , .. .. . , . . , for message m by verifying whether the following equation
. . . . . . .

holds. If (3) holds true, the verifier accepts the PPMAS as valid for message m. Otherwise the verifier rejects the PPMAS. In fact, if the PPMAS has been correctly generated, then we have 1 1 1 1 1 1
=

Therefore, the verifier should always accept the PPMAS if it is correctly generated without being modified. As a trade-off between computation and transmission, the PPMAS can also be defined as (m) = (m, ,r1, . . . , rn, s1..sn, q1.qn, h1, . . . , hn, w). In case is also clear, it can be eliminated from the PPMAS.

3.3. Security Analysis.

In this subsection, we prove that the proposed PPMAS scheme is unconditionally anonymous and provably unforgeable against adaptive chosen-message attack.

3.3.1. Anonymity.

In order to prove that the proposed PPMAS is unconditionally anonymous, we have to prove that (i) for anybody other than the members of S, the probability of successfully identifying the real sender is 1/n, and (ii) anybody from can generate PPMAS.

3.3.2. Unforgeability.

The design of the proposed PPMAS relies on the ElGamal signature scheme. Different levels of security can be achieved by signature schemes. The maximum level of security is resistance to existential forgery under adaptive chosen message attack.

4. The Privacy Preserving Communication Protocol


4.1 Network Assumption

As any physical transmission in the world can be monitored and traced to its origin, it is probably impossible to keep confidential who is communicating with whom by which messages. Our paper addresses the above problem. Assume that our network model, similar to that discussed in [5], consists of networks with multiple MANETs, i.e., the participating nodes are divided into a set of small groups. The network nodes are categorized into ordinary nodes and special nodes. An ordinary node is one that is unable to communicate directly with the nodes in other MANETs. A special node can be an ordinary node that can also provide message forwarding services to other MANET nodes. In some peculiar situations, e.g. energy optimization, an ordinary node can be automatically converted to a special node.

Prior to the network deployment, there should be an administrator. The administrator does not take part in routing; rather, it has the following tasks during the bootstrap of the network.

i) Determines two groups G1, G2 of the same prime order q. We view G1 as an additive group and G2 as a multiplicative group.

ii) Determines bilinear map , collision resistant cryptographic hash functions H1 and H2 where H 0,1 G mapping from arbitrary length strings to points in G1 and H 0,1 0,1 mapping from arbitrary length strings to bit fixed length output.

iii) Generates the system's secret , where | . No one in the network except the system administrator knows . Thus the parameters 1, 2, , 1, 2 are known to the special nodes. The system administrator also provides the following parameters to special nodes, regarding their IDs and secret points. Provides each node a different pseudo ID, PSID , and their corresponding secret point , which is defined as 1 ; if then PSID as well as .

4.2. Anonymous intra MANET communication

In anonymous communications, the message content should not contain any explicit information such as the message sender and recipient addresses. Everything is embedded into the anonymizing message payload. The administrator selects a set of security parameters for the entire system, before the network deployment, including a large prime p and a generator of Z . The network nodes Ai, 1 , the corresponding public keys yi, 1 of the n participating nodes, xis are randomly selected private keys of Ais, where , 1 , then yi is computed from [ 5]. In this paper we adopted the same anonymous local communication for our network and also the dynamic local MANET formation, including the node joining and leaving process, from [5].

4.3. Anonymous Communications between Two Arbitrary Special nodes

When anonymous authentication is present, two nodes in the same group can authenticate each other secretly in such a way that each party reveals its group membership to the other party if and only if the other party is also a group member. The scheme consists of a set of special nodes and an administrator who creates groups and enrolls special nodes in groups. For this purpose, the administrator will assign each special node A a pseudonym and their corresponding secret point , which is defined as 1 ; if then PSID as well as . For a given set of , , no one can determine the system secret . Two special nodes A and B can know each other's group membership only if they belong to the same group. When the special node A wants to authenticate anonymously to the special node B, the secret handshake shown in Figure 1 can be conducted. Pseudo IDs of the nodes are generated considering pairing-based cryptography based on bilinear mapping [12].

PSID : Pseudo ID initially assigned by the system administrator to a special node A.
PSSP : Secret point initially assigned by the system administrator to a special node A corresponding to PSID .
PSID : Dynamically generated pseudonym by special node A.
GPSSP : Dynamically generated secret point by special node A corresponding to PSID
N : Nonce, randomly generated by special node A to generate a new dynamic pseudonym.
N : Nonce, randomly generated by special node A, for authentication purpose.

A computes: PSID N H PSID GPSSP N H N H PSID GPSID
B computes: PSID N H PSID GPSSP N H N H PSID GPSID
A generates a random N , for authentication as a new node, and sends PSID , N to special node B
B computes K g GPSSP , PSID gPSID , PSID . B also generates a random N and computes ver and sends PSID , , ver to special node A.
A computes K g GPSSP , PSID gPSID , PSID , computes ver H K ver ? ver . Also A ver PSID PSID and sends computes PSID , ver to special node B.
B then computes ver H K PSID PSID ver ? ver.

Since KBA= KAB, A can verify B by checking whether ver ver . If the verification succeeds, then A knows that B is an authentic group peer. Similarly, B can verify A by checking whether ver ver . If the verification succeeds, then B knows that A is also an authentic group peer. However, in this authentication process, neither special node A nor special node B can get the real identity of the other node. In other words, the real identities of special node A and special node B remain anonymous after the authentication process.

Figure 1: Anonymous authentication process between two arbitrary special nodes A and B

4.5. Anonymous Communication between Two Arbitrary Ordinary nodes.

The sender first randomly selects a local special node and transmits the message as discussed above. On receiving the message, the local special node first determines the destination MANET ID by checking the message recipient flag Fr. If it is 0, then the recipient and the special node are in the same MANET. Otherwise they are in a different MANET. The communication is done using the procedure discussed above. While providing message recipient anonymity, the message can be encrypted to achieve confidentiality. The presented anonymous communication is quite general and can be used in a variety of situations for communication anonymity in MANETs, including anonymous file sharing.

5. Security Analysis
We study several attacks designed in [5] to analyze the security of the privacy preserving communication protocol.

5.1. Anonymity

(I) It is computationally infeasible for an adversary to identify the message sender and recipient on the local MANET. Hence the privacy preserving communication protocol provides sender and recipient anonymity in the local MANET.

(II) The presented communication protocol offers both message sender and recipient anonymity among any two special nodes. As stated earlier, each special node is assigned a large set of pseudonyms. A dynamically selected pseudonym will be used for any two ordinary nodes in different MANETs to communicate anonymously. The pseudonyms do not carry user information implicitly. The communication can be broken into three segments: the communication between the sender and the local special node in the message sender's local MANET; the communication between the special nodes in the corresponding MANETs; and the communication between the recipient special node and the receiver. (I) has assured the communication anonymity between a special node and an ordinary node in the local MANETs. Therefore we only need to ensure anonymity between two special nodes in different MANETs in order to achieve full anonymity between the sender and receiver.

5.2. Impersonation Attacks

As stated above, the forgery attack an adversary would need to perform to carry out an impersonation attack is infeasible. For an adversary to pose as a special node, he needs to authenticate himself with a special node A. For this the adversary needs to compute gPSID , PSID , where PSID is the identity of the adversary and PSID is the newly generated pseudonym of the special node . However, since the adversary does not know the secret point , he is unable to compute gPSID , PSID and impersonate a special node.

5.3. Message Replay Attacks

Each message packet in communication has a unique one-time session ID (nonce) to protect it from being modified or replayed. In addition, these fields are encrypted using the intermediate receiver node's public key so that only the designated receiver nodes can decrypt the message. In this fashion, each packet transmitted across different MANETs bears different and uncorrelated IDs and content for adversaries. Even if the same message is transmitted multiple times, the adversary still cannot link the transmissions together without knowing all the private keys of the intermediate nodes.

6. Performance Analysis

In this section we provide comparison results, based on the energy consumed by the network nodes, between our proposed communication protocol and the method discussed in [7]. Using the method discussed in [7], the energy consumed by normal nodes and super nodes is as follows:

At normal node,
At super node, (intra group communication)
(inter group communication)

Where,
: Energy consumed by normal node
: Energy consumed by super node
: Energy required for a node to generate SAMAS message
: Energy required for transmitting a message
: Energy required for decrypting the message
: Energy required for encrypting the message
: Energy required by a node to perform authentication process
: Energy required by a super node to maintain set of pseudonyms assigned by the administrator

Using our proposed method, the energy consumed by ordinary nodes and special nodes is as given below:

At ordinary node,
At special node, (intra group communication)
(inter group communication)

Where,
: Energy consumed by ordinary node
: Energy consumed by special node
: Energy required by a node to generate PPMAS message
: Energy required for a node to generate pseudonyms dynamically

Our proposed method has the advantage that, during intra group communication, the energy consumed by a special node is the same as that of an ordinary node. During inter group communication, too, very little energy is required to generate a new pseudonym dynamically. The energy required for maintaining a set of pseudonyms (which is a must in [5]) is completely eliminated.

7. Conclusion
In this paper, we first proposed an efficient unconditionally secure privacy preserving message authentication scheme (PPMAS) that can be applied to any number of messages without changing the secret exponents. PPMAS ensures message sender privacy along with message content authenticity. To ensure communication privacy without affecting transmission delay and without collusion problems, we then proposed a new and efficient privacy-preserving communication protocol for MANETs that can provide both message sender and recipient privacy protection. Security analysis shows that the proposed protocol is secure against various attacks.

References
1. Chaum D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, vol. 24, pp. 84-88 (1981).
2. Omkar Khadir: New Variant of ElGamal Signature Scheme. J. Contemp. Math. Sciences, vol. 5, no. 34, pp. 1653-1662 (2010).
3. Chaum D.: The dining cryptographers problem: unconditional sender and recipient untraceability. J. Cryptology, vol. 1, no. 1, pp. 65-75 (1988).
4. Reiter M.K., Rubin A.D.: Crowds: Anonymity for Web Transactions. ACM Transactions on Information and System Security, 1(1):66-92 (1998).
5. Jian Ren, Yun Li, and Tongtong Li: SPM: Source Privacy for Mobile Ad Hoc Networks. EURASIP J. on Wireless Communications and Networking, vol. 2010, article ID 534712, 10 pages (2010).
6. Reed M.G., Syverson P.F., Goldschlag D.M.: Anonymous Connections and Onion Routing. J. Selected Areas in Communication, Special Issue on Copyright and Privacy Protection (1998).
7. Danezis G., Dingledine R., Mathewson N.: Mixminion: design of a type III anonymous remailer protocol. In Proc. of the IEEE Computer Society Symposium on Research in Security and Privacy, pp. 2-15, Oakland, Calif, USA, May (2003).
8. Moller B.: Provably secure public-key encryption for length preserving chaumian mixes. In Proc. of the Cryptographers' Track at the RSA Conference (CT-RSA 03), vol. 2612 of Lecture Notes in Computer Science, pp. 244-262, San Francisco, Calif, USA, Apr. (2003).
9. Pointcheval D., Stern J.: Security proofs for signature schemes. In Proc. of the International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT 96), vol. 1070 of Lecture Notes in Computer Science, pp. 387-398, Saragossa, Spain, May (1996).
10. Rivest R., Shamir A., and Tauman Y.: How to leak a secret. In Proc. of the 7th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT 01), vol. 2248 of Lecture Notes in Computer Science, Springer, Gold Coast, Australia, Dec. (2001).
11. Goldwasser S., Micali S., and Rivest R.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing, vol. 17, pp. 281-308 (1988).
12. ElGamal T.A.: A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, vol. 31, no. 4, pp. 469-472 (1985).
