Authentication and Key Exchange in Mobile Ad Hoc Networks
MetadataShow full item record
Over the past decade or so, there has been rapid growth in wireless and mobile applications technologies. More recently, an increasing emphasis has been on the potential of infrastructureless wireless mobile networks that are easy, fast and inexpensive to set up, with the view that such technologies will enable numerous new applications in a wide range of areas. Such networks are commonly referred to as mobile ad hoc networks (MANETs). Exchanging sensitive information over unprotected wireless links with unidentified and untrusted endpoints demand the deployment of security in MANETs. However, lack of infrastructure, mobility and resource constraints of devices, wireless communication links and other unique features of MANETs induce new challenges that make implementing security a very difficult task and require the design of specialized solutions. This thesis is concerned with the design and analysis of security solutions for MANETs. We identify the initial exchange of authentication and key credentials, referred to as pre-authentication, as well as authentication and key exchange as primary security goals. In particular, the problem of pre-authentication has been widely neglected in existing security solutions, even though it is a necessary prerequisite for other security goals. We are the first to classify and analyze different methods of achieving pairwise pre-authentication in MANETs. Out of this investigation, we identify identity-based cryptographic (IBC) schemes as well-suited to secure MANET applications that have no sufficient security solutions at this time. We use pairing-based IBC schemes to design an authentication and key exchange framework that meets the special requirements of MANETs. Our solutions are comprised of algorithms that allow for efficient and secure system set up, pre-authentication, mutual authentication, key establishment, key renewal, key revocation and key escrow prevention. In particular, we present the first fully self-organized key revocation scheme for MANETs that does not require any trusted third party in the network. Our revocation scheme can be used to amend existing IBC solutions, be seamlessly integrated in our security framework and even be adopted to conventional public key solutions for MANETs. Our scheme is based on propagated accusations and once the number of received accusations against a node reaches a defined threshold, the keys of the accused nodes are revoked. All communications are cryptographically protected, but unlike other proposed schemes, do not require computationally demanding digital signatures. Our scheme is the first that efficiently and securely enables nodes to revoke their own keys. Additionally, newly joining nodes can obtain previous accusations without performing computationally demanding operations such as verifying digital signatures. Several security and performance parameters make our scheme adjustable to the hostility of the MANET environment and the degree of resource constraints of network and devices. In our security analysis we show how security parameters can be selected to prevent attacks by colluding nodes and roaming adversaries. In our proposed security framework, we utilize special properties of pairing-based keys to design an efficient and secure method for pairwise pre-authentication and a set of ID-based authenticated key exchange protocols. In addition, we present a format for ID-based public keys that, unlike other proposed formats, allows key renewal before the start of a new expiry interval. Finally, we are the first to discuss the inherent key escrow property of IBC schemes in the context of MANETs. Our analysis shows that some special features of MANETs significantly limit the escrow capabilities of key generation centers (KGCs). We propose a novel concept of spy nodes that can be utilized by KGCs to increase their escrow capabilities and analyze the probabilities of successful escrow attacks with and without spy nodes. In summary, we present a complete authentication and key exchange framework that is tailored for MANET applications that have previously lacked such security solutions. Our solutions can be implemented using any pairing-based IBC scheme. The component design allows for the implementation of single schemes to amend existing solutions that do not provide certain functionalities. The introduction of several security and performance parameters make our solutions adjustable to different levels of resource constraints and security needs. In addition, we present extensions that make our solutions suitable for applications with sporadic infrastructure access as envisioned in the near future.