
A Novel Cryptography for Ad Hoc Network Security

PI Jian-yong, LIU Xin-song, WU Ai, LIU Dan


8010 Research Lab, School of Computer Science & Engineering, University of Electronic Science and Technology of China, Chengdu 610054, SiChuan, P. R. China.

pijy2004@163.com

Abstract-In this paper, we propose a novel cryptography for ad hoc network security. In this cryptography, we present a new digital signature algorithm for identity authentication and a key agreement scheme. The identity authentication is validated by zero-knowledge proof, and the identity authentication process includes the key agreement process, so the cryptography has high efficiency. Because of the fully distributed characteristics of ad hoc networks, our security scheme has no central administration in the on-line process. The security analysis of our scheme indicates that the scheme can withstand the man-in-middle attack and the message replay attack. The security of the scheme is guaranteed by the intractability of computing discrete logarithms.

I. INTRODUCTION

The security of Ad Hoc networks is an important issue in the current research field of network security. There is no fixed infrastructure or central administration in an Ad Hoc network[1], therefore the scheme we present should be a fully distributed architecture. The trust model of a security system is very important, especially for the security system of an Ad Hoc network. We think there are two concepts of trust relations in a fully distributed network: the first is constructing the trust relations, just as in a fixed peer-to-peer (P2P) network; the second is maintaining the trust relations. In most scenarios, the mobile Ad Hoc network is a wireless communication network for a temporary task[2], so an Ad Hoc network can hardly exist indefinitely. This means that constructing trust relations in an Ad Hoc network is unfeasible. Therefore our scheme adopts an offline Trusted Third Party (TTP), and each node in the Ad Hoc network only maintains the trust relations instead of constructing them. In addition, the Trusted Third Party (TTP) only signs the identity of each node in the Ad Hoc network, because we think the identity of each node is steady compared with the session key. So the key is obtained via the key agreement protocol in each session. The identity of every participator in the Ad Hoc network is not only its unique symbol but is also in charge of key generation in each session; therefore a participator must not be able to get the identity signed by the offline Trusted Third Party (TTP) via a session, otherwise a compromised participator can impersonate other participators. The zero-knowledge proof algorithm we propose can solve this problem successfully.

II. RELATED WORK

The Key Distribution Center (KDC) architecture is mainstream in wired networks, because KDC has many merits: efficient key management, including key generation, storage, distribution and updating[3] [4] [5]. Every participator has a certificate signed by the KDC for identity authentication. The communicating parties on both sides not only exchange their public keys but also authenticate each other's identities in each session. The Key Distribution Center (KDC) architecture has several perfect models for application[6]. Although the KDC architecture has presented some distributed models, the essential idea is the same as the original one. Threshold cryptography is an eclectic scheme between central administration and fully distributed architecture, which was first introduced by Zhou and Haas [7]. The trust anchor of threshold cryptography is a conversion from a single trusted server to the whole set of participators. In the Shamir (k,n) secret sharing scheme, every participator can own a private key share from the KDC according to a random polynomial. When a new participator takes part in the communication network, it will ask for identity authentication, so k participators will provide their private key shares for combining the private key of the offline KDC. The simulation studies of the secret sharing scheme demonstrated higher maintenance overhead in the scheme[8].
III. DIGITAL SIGNATURE ALGORITHM AND KEY AGREEMENT SCHEME

Our scheme contains two procedures. The first is the offline Trusted Third Party (TTP), which signs the ID of each node in the Ad Hoc network via the novel digital signature algorithm we propose. Every node which wants to enter the Ad Hoc network should get the Authentication Code (AC) signed by the offline TTP. The second procedure is key agreement: our key agreement is similar to the Diffie-Hellman key agreement protocol, but our scheme can also authenticate identity between communication participators.

*Research supported by Basic Application Research Project of SiChuan China (Grant No 04JY029-017-2)

0-7803-9584-0/06/$20.00 ©2006 IEEE.


A. System initialization

In order to validate the identity authentication for each node which enters the Ad Hoc network, we postulate that the nodes in the Ad Hoc network have different identities. Let $n$ be the number of nodes in the Ad Hoc network and $m$ the identity of a node:

$$m_i \in \{m_1, m_2, \ldots, m_n\},\quad m_j \in \{m_1, m_2, \ldots, m_n\}$$

$$\forall\, i \neq j,\ i, j \in n,\ \exists\, m_i \neq m_j$$

The offline Trusted Third Party (TTP) will generate the authentication code (AC) for every node that will enter the Ad Hoc network. Firstly, the TTP generates a large prime $p$, and $g$ is a generator element in $Z_p^*$, so $Z_p$ is a finite field. In our scheme, $Z_p^*$ should meet the identity of each node in the Ad Hoc network: $m_i \in GF(p)$, i.e. $0 < m_i < (p-1)$, $0 < i < n$. The offline TTP chooses an element randomly, $V_{Auth} \in GF(p)$, and calculates:

$$Y_{Auth} \equiv g^{V_{Auth}} \bmod p$$

The offline TTP keeps $V_{Auth}$ as her private key, publicizes $(Y_{Auth}, p, g)$ as her public key, and distributes her public key to every node which will enter the Ad Hoc network.

B. Digital signature for identity of node in Ad Hoc network

Every node in the Ad Hoc network has an identity which is the unique token of that node. Therefore the identity of a node should participate in the identity authentication without exposing the raw identity. We propose a new digital signature algorithm which can verify the authentic identity of each node without getting the raw identity. The offline TTP chooses $s_i \in GF(p)$ and $s_i' \in GF(p)$ randomly, $s_i < p-1$, $s_i' < p-1$, which should meet:

$$\gcd(s_i, p-1) = 1,\quad \gcd(s_i', p-1) = 1$$

Calculate:

$$W_i \equiv g^{s_i} \bmod p,\quad Q_i \equiv g^{s_i'} \bmod p$$

According to

$$m_i \equiv V_{Auth} W_i + Q_i U_i \bmod (p-1),$$

$U_i$ can be computed by using the extended Euclid algorithm. Each node which wants to enter the Ad Hoc network keeps $(W_i, Q_i, U_i)$ as her secret private Authentication Code (AC). The digital signature algorithm is:

$$S_i(m_i, V_{Auth}) = (W_i, Q_i, U_i)$$

C. Signature verification

In order to verify the Authentication Code (AC), we should compute:

$$g^{m_i} \equiv g^{V_{Auth} W_i + Q_i U_i} \bmod p$$

i.e.

$$g^{m_i} \equiv Y_{Auth}^{W_i}\, g^{Q_i U_i} \bmod p \qquad (1)$$

therefore:

$$\mathrm{Verify}_{(g,\, Y_{Auth},\, p)}\big(m_i, (W_i, Q_i, U_i)\big) = \mathrm{True}$$

D. Key agreement in communication

In our scheme, $(W_i, Q_i, U_i)$, as the Authentication Code (AC) of each node, takes part in identity authentication and key agreement in the Ad Hoc network. Let Alice be the sponsor of the communication and Bob the receiver. The protocol of a session is as follows:

1. Alice generates a big integer $x$ randomly, and computes:

$$X \equiv g^{x} \bmod p,\quad X' \equiv g^{x + Q_A U_A} \bmod p \qquad (2)$$

Alice sends $(m_A, W_A, X, X')$ to Bob.

2. Bob generates a big integer $y$ randomly, and computes:

$$Y \equiv g^{y} \bmod p,\quad Y' \equiv g^{y + Q_B U_B} \bmod p \qquad (3)$$

Bob sends $(m_B, W_B, Y, Y')$ to Alice.

3. Alice receives $(m_B, W_B, Y, Y')$ from Bob, then computes:

$$k_1 \equiv (Y')^{x + Q_A U_A} \bmod p$$

4. Bob receives $(m_A, X, X')$ from Alice, then computes:

$$k_2 \equiv (X')^{y + Q_B U_B} \bmod p$$

5. In order to authenticate the identity of Bob, Alice computes Congruence (3) × Congruence (1), i.e.

$$Y g^{m_B} \equiv Y_{Auth}^{W_B}\, g^{Q_B U_B}\, g^{y} \bmod p$$

$$Y g^{m_B} \equiv Y_{Auth}^{W_B}\, Y' \bmod p$$

If the congruence holds, then the identity of Bob is authentic, where $k_2$ is the authentic key of the session.

6. In order to authenticate the identity of Alice, Bob computes Congruence (2) × Congruence (1), i.e.

$$X g^{m_A} \equiv Y_{Auth}^{W_A}\, g^{Q_A U_A}\, g^{x} \bmod p$$

$$X g^{m_A} \equiv Y_{Auth}^{W_A}\, X' \bmod p$$

If the congruence holds, then the identity of Alice is authentic, where $k_1$ is the authentic key of the session. In addition:

$$k_1 = k_2 \equiv g^{(x + Q_A U_A)(y + Q_B U_B)} \bmod p$$

7. Alice and Bob can communicate securely with key $k_1 = k_2$ via an arbitrary algorithm of symmetric key cryptography. When the session is over, Alice and Bob should discard the key.
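The signing, verification and key agreement steps of Section III, written out as an added Python example (not the authors' code). The parameters p = 467, g = 2 are constructed toy values, the function names are hypothetical, and the example assumes Q_i is redrawn until it is invertible modulo p - 1 so that U_i can be solved for.

```python
import secrets
from math import gcd

# Constructed toy parameters: 2 is a primitive root of the prime 467.
# The scheme itself calls for a large prime p.
P, G = 467, 2

def rand_exp():
    """Random exponent in [1, p-2]."""
    return secrets.randbelow(P - 2) + 1

def ttp_keygen():
    """TTP key pair: private V_Auth, public Y_Auth = g^V_Auth mod p."""
    v_auth = rand_exp()
    return v_auth, pow(G, v_auth, P)

def unit_power():
    """g^s mod p for a random s with gcd(s, p-1) = 1."""
    while True:
        s = rand_exp()
        if gcd(s, P - 1) == 1:
            return pow(G, s, P)

def issue_ac(m, v_auth):
    """S_i(m_i, V_Auth) = (W_i, Q_i, U_i), m_i = V_Auth*W_i + Q_i*U_i mod (p-1)."""
    if not 0 < m < P - 1:
        raise ValueError("identity must satisfy 0 < m < p-1")
    w, q = unit_power(), unit_power()
    # Assumption of this example: pow(q, -1, p-1) needs Q_i coprime to p-1,
    # so Q_i is redrawn until it is (the page only constrains s_i').
    while gcd(q, P - 1) != 1:
        q = unit_power()
    u = (m - v_auth * w) * pow(q, -1, P - 1) % (P - 1)
    return w, q, u

def verify_ac(m, ac, y_auth):
    """Congruence (1): g^m == Y_Auth^W * g^(Q*U) mod p."""
    w, q, u = ac
    return pow(G, m, P) == pow(y_auth, w, P) * pow(G, q * u, P) % P

def hello(m, ac):
    """Steps 1-2: pick x, return (x, (m, W, X, X')); Q and U stay on the node."""
    w, q, u = ac
    x = rand_exp()
    return x, (m, w, pow(G, x, P), pow(G, x + q * u, P))

def peer_is_authentic(msg, y_auth):
    """Steps 5-6: X * g^m == Y_Auth^W * X' mod p."""
    m, w, big_x, x_prime = msg
    return big_x * pow(G, m, P) % P == pow(y_auth, w, P) * x_prime % P

def session_key(x, ac, peer_msg):
    """Steps 3-4: k = (peer's X')^(x + Q*U) mod p."""
    _, q, u = ac
    return pow(peer_msg[3], x + q * u, P)
```

Both sides call `hello`, exchange the returned tuples, check `peer_is_authentic` on what they received, and only then derive the key with `session_key`.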
IV. SECURITY ANALYSIS

In the fully distributed computing environment, each node that wants to enter the Ad Hoc network should obtain an authentication code (AC) from the offline Trusted Third Party (TTP). The authentication code (AC) is the unique identity of a node in the Ad Hoc network; the authentication code (AC), which takes part in identity authentication and key agreement in each session, is also the identity digital signature of each node in the Ad Hoc network.

A. Security notion for digital signature

In order to generate the authentication code (AC) for each node in the Ad Hoc network, the offline Trusted Third Party (TTP) chooses an $(s_i, s_i')$ pair randomly. Every $(s_i, s_i')$ pair, selected evenly and randomly from the $GF(p)$ space, matches one node in the Ad Hoc network. Therefore every $(W_i, Q_i, U_i)$, i.e. the authentication code (AC) of every node in the Ad Hoc network, has strong randomness. Nodes with Byzantine behavior cannot recover the private key of the Trusted Third Party (TTP) via conspiracy. The traditional ElGamal digital signature needs to format the message to prevent existential forgery[9][10]. The most commonly used message formatting mechanism is to have $m$ be a hashed value of the message to be signed. An example of such a hashed message can be:

$$M = H(m, r)$$

where $H$ is a cryptographic hash function and $m$ is a bit string representing a message. Therefore message $M$ is recognizable. But in our scheme, the identity of each node is a recognizable string. As the outcome of the digital signature, the authentication code (AC) can protect the identity of each node from existential forgery attacks.

B. Zero knowledge proof for identity authentication

As the authentication code (AC), $(W_i, Q_i, U_i)$ is the unique token of each node in the Ad Hoc network. Therefore $(W_i, Q_i, U_i)$ cannot be leaked completely to the other side of the communication in any session. In order to meet the identity authentication requirement, only $W_i$ should be sent to the other side of the communication. The receiver gets $W_i$, however he cannot recover the $(Q_i, U_i)$ pair, for

$$g^{Q_i U_i} \equiv g^{m_i}\, Y_{Auth}^{-W_i} \bmod p$$

To recover the $(Q_i, U_i)$ pair is equal to the intractability of computing discrete logarithm. In the same way, in the session scenario of Alice and Bob described above:

$$X \equiv g^{x} \bmod p,\quad X' \equiv g^{x + Q_i U_i} \bmod p$$

Finally:

$$g^{Q_i U_i} \equiv X'\, g^{-x} \bmod p$$

Therefore, if Bob is to obtain the $(Q_i, U_i)$ pair, he has to cope with the intractability of computing discrete logarithm. So we prove that the receiver cannot obtain the complete $(W_i, Q_i, U_i)$ of the sender in either situation.

C. Message replay attack

In an Ad Hoc network, the messages of every session can be eavesdropped and recorded. The eavesdropper can replay the messages in a later communication[11]. To keep the messages fresh, the communicating parties generate an integer $x$ randomly before key agreement, i.e.

$$X' \equiv g^{x + Q_i U_i} \bmod p$$

The random integer $x$ is applied in the key agreement between the communicating parties. Therefore the key of every session is different. The communicating parties should save the key. If the key appears again, the node in the Ad Hoc network rejects the communication.

D. Man in middle attack

Because of the absence of message authentication, the traditional key agreement protocol is easily attacked by the man-in-middle attack[12]. Therefore in our scheme, we propose that the key agreement protocol include message authentication. The scheme authenticates first:

$$X g^{m_i} \equiv Y_{Auth}^{W_i}\, g^{Q_i U_i}\, g^{x} \bmod p$$

where $X \equiv g^{x} \bmod p$ and $x$ is a random integer. If the congruence above is false, the receiver cannot believe the sender. In addition, the receiver cannot believe:

$$k \equiv (Y')^{x + Q_i U_i} \bmod p$$

where $Y' \equiv g^{y + QU} \bmod p$, $y$ is the random integer of the other side, and $k$ is the key of the session. Therefore the message authentication in the key agreement protocol guarantees consistency between the identity $m_i$ of the node and the authentication code (AC) $(W_i, Q_i, U_i)$. The man-in-middle can get $m_i$, but cannot get $(W_i, Q_i, U_i)$. Therefore they cannot guarantee the success of verification by the receiver.

V. PERFORMANCE ANALYSIS

In this section, we first analyze our proposed approach in terms of communication overhead and then present some simulation results.

A. Communication overhead

In our scheme, the authentication code (AC) for a node that wants to join the mobile Ad Hoc network is generated by the offline Trusted Third Party (TTP). Compared with the traditional PKI/CA solutions, our proposed approach omits the management overhead of public keys, i.e. certification management, such as certification generation, propagation, and storage. So the communication overhead in our approach mainly depends on symmetric key generation and identity authentication. Thus our scheme has a lower communication overhead than PKI/CA solutions. In the actual simulations, we adopted the 1024 bits public key in the RSA cryptosystem, and the length of $m_i$ of nodes in the Ad Hoc network is not more than 512 bits. The performance metric we are concerned with is the end-to-end average delay per second.

B. Simulations

To evaluate the performance of a mobile Ad Hoc network with our scheme, we ran simulations on a Linux host (P4 1.7 GHz with 512M RAM). We implemented our identity authentication and key agreement mechanism in the NS-2[13] simulation environment, in which IEEE 802.11 is used in the MAC layer and the route protocol is DSR[14]. Table 1 shows the scenario, consisting of the simulation parameters. We ran the simulation program and generated thirty source CBR transaction files. After that we ran the TCL simulation scripts continually and generated trace files. We analyzed the trace files and generated Figure 1. Figure 1 shows the comparison of the end-to-end average delay per second between the PKI/CA solution and our scheme.
TABLE I. THE SCENARIO CONSIST OF SIMULATION PARAMETERS

| Parameter | Value |
|---|---|
| The number of nodes | 50 |
| Maxx X Maxy | 1500m X 300m |
| Max move speed | 20 m/s |
| The duration of simulation | 900 s |
| Transaction type | CBR |
| Pause time | 0s, 25s, 50s, 100s, 300s, 600s, 900s |

[Figure 1: plot with horizontal axis "pause time/s" and two series, "PKI/CA Solution" and "Our Scheme".]

Figure 1. end-to-end average delay/s comp

VI. CONCLUSION

In this paper, the scheme we proposed discards the traditional identity authentication mechanism that binds the identity and the public key. The identity of each node in the Ad Hoc network is fixed compared with the key of a session. Therefore we separate the identity from the session key to meet the practical secure communication requirement. The session key is different in every session, but the authentication code (AC) is unchanged in all sessions. The security analysis demonstrates that our scheme can prevent existential forgery attacks and Byzantine node conspiracy attacks. Our scheme implements zero knowledge proof in the identity authentication algorithm, so the receiver cannot get the raw identity of the sender in authentication. In order to resist the message replay attack, our scheme keeps the messages fresh by adding a random integer into the key agreement. Finally we prove that our scheme can prevent the man-in-middle attack. Because there is no central security service administration in our scheme, there is no bottleneck to communication in the Ad Hoc network. Our scheme has high fault tolerance ability. Therefore the communication in an Ad Hoc network will be more secure with our scheme.

ACKNOWLEDGMENT

Our work was supported by Basic Application Research Project of SiChuan China (Grant No. 04JY029-017-2).

REFERENCES

[1] Bing Wu; Jie Wu; Fernandez, E.B.; Magliveras, S.; "Secure and Efficient Key Management in Mobile Ad Hoc Networks". Parallel and Distributed Processing Symposium, 2005. Proceedings. 19th IEEE International, 04-08 April 2005, Page(s): 288a - 288a.
[2] Xiong yan, "Secure Distributed Authentication Based on Multi-Hop Signing with Encrypted Signature Functions in Mobile Ad Hoc Networks" [J], ACTA ELECTRONICA SINICA, Vol. 31, No. 2, Feb 2003, Pages: 161 - 165.
[3] Yi, S.; Kravets, R.; "Composite key management for ad hoc networks". Mobile and Ubiquitous Systems: Networking and Services, 2004. MOBIQUITOUS 2004. The First Annual International Conference on, 22-26 Aug. 2004, Page(s): 52 - 61.
[4] Perlman, R.; "An overview of PKI trust models". Network, IEEE, Volume: 13, Issue: 6, Nov.-Dec. 1999, Pages: 38 - 43.
[5] Gutmann, P.; "PKI: it's not dead, just resting". Computer, IEEE, Volume: 35, Issue: 8, Aug. 2002, Pages: 41 - 49.
[6] Pirzada, A.A.; McDonald, C.; "Secure pervasive computing without a trusted third party". Pervasive Services, 2004. ICPS 2004. Proceedings. The IEEE/ACS International Conference on, 19-23 July 2004, Page(s): 240.
[7] Lidong Zhou, Zygmunt J Haas. "Securing Ad Hoc networks" [J]. IEEE Network, 1999: 24 - 29.
[8] Ibrahim, M.H.; "Verifiable Threshold Sharing of a Large Secret Safe-Prime". Information Technology: Coding and Computing, 2005. ITCC 2005. International Conference on, Volume 1, 04-06 April 2005, Page(s): 608 - 613.
[9] Harn, L.; Xu, Y.; "Design of generalised ElGamal type digital signature schemes based on discrete logarithm". Electronics Letters, Volume: 30, Issue: 24, 24 Nov. 1994, Pages: 2025 - 2026.
[10] Eun-Jun Yoon; Eun-Kyung Ryu; Kee-Young Yoo; "Efficient remote user authentication scheme based on generalized ElGamal signature scheme". Consumer Electronics, IEEE Transactions on, Volume: 50, Issue: 2, May 2004, Pages: 568 - 570.
[11] Aura, T. "Strategies against replay attacks". Computer Security Foundations Workshop, 1997. Proceedings., 10th, 10-12 June 1997, Pages: 59 - 68.
[12] Serpanos, D.N.; Lipton, R.J.; "Defense against man-in-the-middle attack in client-server systems". Computers and Communications, 2001. Proceedings. Sixth IEEE Symposium on, 3-5 July 2001, Pages: 9 - 14.
[13] K. Fall and E. Varadhan, "The NS Manual (Formerly ns Notes and Documentation)", 2000.
[14] Kargl, F.; Geis, A.; Schlott, S.; Weber, M.; "Secure Dynamic Source Routing". System Sciences, 2005. HICSS '05. Proceedings of the 38th Annual Hawaii International Conference on, 03-06 Jan. 2005, Page(s): 320c - 320c. Digital Object Identifier 10.1109/HICSS.2005.531
