Key Distribution Schemes for Wireless Networks - Article Example

Wireless Network Security Key Distribution Schemes i. Introduction Wireless network security is critical and they must have sufficient security similar to their wired counterpart. However, wireless networks security is far more complicated than wired since radio frequencies are more vulnerable to eavesdropping and data interception. This is because wireless transmitted data can be breached while in transit without physical contact with network devices. For this reason, network services rely on secure communication and efficient key distribution. Regrettably, key management is a complicated predicament in secure communication and therefore requires a bulletproof key distribution schemes that would ensure safety of data transmission. This paper will discussed the various scheme being proposed by a number of experts in the field of network security such as Self-Healing, Random Key Pre-Distribution Schemes (RKPS) with I-HARPS, and Matrix Threshold Key Pre-Distribution (MTKP) and Polynomial Threshold Key Pre-Distribution (PTKP) that are based on Blom’s scheme and secret sharing. ii. Wireless Network Security “Almost all wireless networks are at risk of compromise” (Nicopolitidis 2003, p.22) but regrettably solving this predicament is not that straightforward and even with the fact that they are absolutely vulnerable, they are generally accepted and still achieving success. The most important motivation is ease of use and performance. Similar to wired networks, wireless networks must have adequate security to keep interlopers at bay and guarantee the veracity and confidentiality of information. As a rule, security is done through customary process like merging passwords, authorizations, authentication, and encryption schemes. However, wireless networks cause security risk that are not shared by their wired counterparts and if radio frequencies are used to transmit data over longer distances, hacker’s intent of eavesdropping or intercepting data is possible. This is because data can be breached while in transit without the need to be actually near to the communicating devices or network. Therefore, if wireless networks provide an entry into wired ones, hackers can effortlessly access the entire corporate systems (Hayes 2003, p.295). On the other hand, those wireless networks that are designed to transmit straight through line-of-sight light transmission like infrared are intrinsically secure from eavesdropping (Hayes 2003, p.296). The remaining type of wireless networks relies on traditional mechanisms, which may be built-in to keep information secure. People in the field of networking persistently check the security of wireless networks for weakness and enhancement, and persuade vendors to devise a more bulletproof wireless networks. For instance, vulnerabilities in the security protocol for 802.11 wireless LANs or WEP and a certain gateways (WAP) were exposed (Hayes 2003, p.296). Although wireless networks vary in their security approach, it is incumbent that companies fully understand the security offered, and enhance it with other commercially accessible products, operating policies, and procedures comparable to their wired networks. It is expected that companies should at all times determine the value of information travelling over the wireless networks, and take corresponding measure to warrant its security. iii. Key Distribution Schemes To deliver data without being compromised, network services rely on secure communication and efficient key distribution. However, key management is a difficult problem in secure communication, primarily because of social rather than technical factors. Cryptographically secure ways of creating and distributing keys have been developed and are strong. However, the weakest link in any secure system is that humans are accountable for keeping secret and private keys classified. For this reason, human factor will always be an issue that needs adequate checks to ensure that keys have not been compromised. For a small number of communicating unit, it is realistic to create a key and manually deliver it but in most wide-scale corporation, this procedure is uncomfortable and obsolete. Since secret key encryption is time and again used in application requiring confidentiality, it is practical to suppose the existence of a secret key per session, a session being “any single communication data transfer between two entities” (Kaeo 2003, p.165). For a large network with hundreds of communication hosts, each holding numerous sessions per hour, assigning and transferring secret key is a great problem. Key distribution is regularly achieved through centralized ‘key distribution centres’ or KDCs or through public key algorithm that create secret keys in a secure, distributed fashion (Kaeo 2003, p.165). iv. Self-Healing Key Distribution Scheme Self-healing distribution schemes according to Dittman et. al. (2005) was introduced by Staddon et. al. (2002) who provided the formal definitions, lower bounds to the resource required to such schemes as well as constructions. After a year, Liu et. al. (2003) generalized this definition and gave some instructions. However, Blundo et. al. (2004) modified the proposed definitions, gave new lower bounds, and proposed some efficient constructions and showed some problems in previous constructions (p.23). Self-healing in general enables large and dynamic groups of users of an unreliable network to establish group keys for secure communication. In a self-healing distribution scheme, Dittman et. al. (2005) explains, a group of manager provides a common key to a group of users by using packets that he sends over a broadcast channel at the beginning of each session. Every user on the group computes the group key by means of this packet and some private information supplied by the group manager. The group manager can set up multiple groups for numerous sessions by joining or removing users from the initial group (p.22). The main goal of this scheme is the self-healing property (Dittman et. al. 2005, p. 22). For instance, during a certain session some broadcasted packet gets lost, the users are still capable of recovering the group key for that session. This is done by basically using the packets they have received during a previous session and the packets they will receive at the beginning of a successive one, without requesting additional transmission from the group manager. This new approach to ‘key distribution’ is very useful due to the self-healing property, “supporting secure communications in wireless networks, mobile wireless ad-hoc networks, broadcast communications over low-cost channels, and in several Internet-related settings” (Dittman et. al. 2005, p. 22-23). Dittman et. al., 2005, p.25) proposed a new approach where they formally define self-healing distribution schemes with ‘sponsorization’. The simplified version of the proposed definition is below: “Let U be the universe of users of a network, let m be the maximum number of sessions, and let R ⊂ 2U be a monotone decreasing access structure of subsets of users that can be invalidated by the group manager. Assume that I’ is the family of authorized subsets of users to carry out a ‘sponsorization’ verifying I’ ∩ R = ∅. They also consider the monotone decreasing structure S⊂ 2U of the accepted coalition of users that can be sponsored by a single sponsor.” A (R, I’, S) self-healing key distributions scheme sponsorization is a protocol satisfying the following conditions. For Dittman et. al., 2005, p.25); (1) The scheme is a ‘session’ key distribution scheme, which means that a) For each member i ∈ Gj , the key KJ is determined by Bj and Si. Formally, it holds that: H (Kj|Bj, Si) = 0. b) Keys K1,…..,Kn cannot be determined from the broadcast or personal keys alone. That is H (K1,….,Km|B1,…..,Bm) = H (K1,….,Km|SGiu…uGm) = H (K1,…..,Km). 2. The scheme has R- revocation capability. For each session j, if R =Rj∪Rj-1∪…∪R2 is such that R ∈ R then the group manager can generate a broadcast message Bj such that all revoked users R cannot recover Kj even aware of the information broadcast is sessions 1,…..,j. In other words H (K1|Bj, Bj-1,…., B1, SR) = H(Kj). 3. The scheme is (R, I’)-self-healing. This means that the following properties are satisfied. a) Every user i ∈ Gr who has not been revoked before session s can recover all keys Kℓ for ℓ = r,….,s, from broadcast Br and Bs, where 1 ≤ r < s ≤ m. Formally, it holds that : H (Kr,…..,Ks|Si, Br, Bs)=0. b) Let B⊂ Rr∪Rr-1∪….∪R2 be a coalition of users removed from the group session r and let C⊂ Js∪Js+1∪…∪Jm be a coalition of users who join the group from session s with r < s. Suppose B∪C ∈ R. Then, such a coalition does not get any information about keys Kj, for any r ≤ j < s. That is H(Kr,…..Ks-1|B1,….,Bm,SB,SC) = H (Kr,….,Ks-1). 4. The scheme has (I’,S)-sponsorization, this means that the three following properties are satisfied: a) Every user ℓ ∉ Gj can generate a proof of sponsorship Pjℓi to sponsor a user i ∉ Gj for session j using his personal key. In other words H (Pjℓi|Sℓ) = 0 b) A user i ∉ Gj that receives enough sponsorizations from a subset of users A ⊂ Gj with A ∈ I’ can compute the key Kj in the same conditions that users in Gj. That is: H (Kj|PjAiBrBs) = 0 for A∈I’, A ⊂ Gj, i ∉ G and r ≤ j ≤ s. c) Suppose that a coalition of users’ i1, ….iu ∉ Gj, not revoked before session j, have received sponsorization from subsets of user C1,….,Cu ∉ I’ respectively, with C1 ∪…∪Cu = {ℓ1…,ℓv} ⊂ Gj. This action is performed in such a way that user ℓ1…,ℓv sponsor subsets of users D1,….Dv ∈ S respectively, with D1∪…∪Dv = {i1,…,iu} ⊂ U-Gj; therefore PjC1i1.. PjCviv. = Pjℓ1D1… PjℓvDu. In these conditions, such a coalition does not get any information about the value of key Kj. Formally, it holds that H (Kj|PjC1i1…PjCuiuBrBs) = H (Kj) for C1,….Cu ∉ I’,D1,…,Dv ∈ S such that PjC1i1…PjCuiu=Pjℓ1D1…PjℓuDu,C1∪...∪Cu ={ℓ1…,ℓv} ⊂ Gj, D1∪…∪Dv = {i1,…,iu}⊂ U-Gj and r ≤ j ≤ s. This definition take into account the common case of any probable monotone decreasing structure R, not only threshold one. For this reason, it will allow consideration of more universal self-healing key distribution schemes in cases where some users can be more revocable than others. Furthermore, the prospect of sponsorization is well thought-out. The circumstances to define this feature are the following conditions. a) It expresses the mechanism of sponsorization where the information used to sponsor is computed from the personal key. b) It expresses the actuality that the information acquired from sufficient sponsorizations with corresponding broadcast allows to calculate the personal key of the session. c) It gives us the security condition where a coalition of users outside Gj sponsored by not enough users cannot obtain any information about the value of the key Kj. Therefore, the key remains secure even if every user receives sponsorization of a coalitions S (Dittman et. al. 2005, p.25) v. Efficient Random Key Pre-Distribution Scheme (RKPS) RKPS performance according to Ramkumar (2005) is 2 to 3 ‘orders of magnitude’ better than other schemes of the same complexity (p.1). Such performance he added is achieved by increasing insecure storage complexity (ex. using external flash memory). RKPS is a combination of the “Kerberos-like KDS and random key pre-distribution schemes based on subset intersections” (p.1). A key distribution scheme similar to what we discussed earlier is a “mechanism of distributing secrets to each node in a system, such that any two nodes can validate each other” (Ramkumar 2005, p.1). KDS comes into two major categories which includes the frequently used Kerberos-line KDS or any KDS that is based of the Needham-Schroeder symmetric key protocol and the PKI. This category typically providing secrets to each node ‘independently’, this means, “secrets of a node do not provide any information regarding the secrets of other nodes” (Ramkumar 2005, p.1). On the other hand, in the other category Key Pre-Distribution Schemes (KPS), secrets of each are ‘dependent’ since that are all coming from a set of secrets chosen by a TA (trusted authority). Ramkumar (2005) explains with KPSs, a system could be compromised if a group of conspiring nods pool their secrets simultaneously. In other words, this group can obtain secrets of all nodes. This is the concept of n-secure KPS where n is the number of conspiring nodes that KPS can oppose. However, according to him, any KPS is “essentially a trade-off between security and complexity” (p.1) thus the degree of security depends on the value of n. Moreover, k represents the number of secrets as that can stored in each node as primary measure of complexity. Therefore, KPS efficiency can be express as a ratio of n (the number of colluding nodes) against k (the number of secrets in each node). Ramkumar (2005) claims while referring to the work of Blom et. al. (1984) that it is possible to trade-off security and complexity. For this reason, he introduces I-HARPS (Id-Hashed Random Preloaded Subsets). The objective of this scheme is to attain substantial cutback in the size of k and computational complexity by augmenting insecure storage complexity because they are considered insignificant issue in various application scenarios. For instance, Flash based SD cards have approximately 8GB of storage hence it is reasonable for any wireless devices to take up several megabytes of storage for KDS. The technique is to increase the insecure storage complexity to dramatically reduce secure storage complexity so that computational complexity will be possible. On the other hand, a considerable increase in security of the same secure storage complexity is possible. A KPSs may be ‘deterministic’ or ‘random’ and in n-secure Blom’s scheme, the TA chooses (n+1/2) secrets in ℤp = {0, 1,…., P-1} where P is big enough prime and generates a polynomial similar the one below. where aij=aji are (n+1/2) independent secrets chose by the TA. Every node is assigned a distinctive public ID form ℤp. A node A, a node with public ID A ∈ ℤp, receives gA(x) = f(x, A) securely (gA(x) has n+1 coefficient, equivalent to k = n+1 secrets of the node A) from the TA. Two nodes A and B can calculate KAB = KBA = f (A, B) = f (B, A) = gA(B) = gA(A) autonomously. A n-secure deterministic KPS is categorically secure as long as n or less nodes have been compromised. If more than n nodes are compromised however, the whole KPS is compromised or failure of the KPS occurs disastrously. The most competent of deterministic KPSs thus requires only k=n+1 keys in each node to be n-secure. However, according to (Ramkumar 2005) this scheme is computationally expensive (p.2) thus to prevail over these restrictions of KPSs based finite field arithmetic, a ‘random allocation subsets’ instead of complex deterministic strategies will be use. The ‘random key pre-distribution scheme’ or LM-KPS, is not based on subset intersections but rather based on distributing keys with assorted ‘hash depths’ to every node. As a result, HARPS became the simplification RPS (Random Preloaded Subsets) and LM-KPS (random key pre-distribution scheme) (Ramkumar 2005, p.3). In sum, compared to other KPSs in terms of the probability with which an attacker who has compromised n nodes, all KPSs have the same k =1000. For HARPS it is P=15000, L=1024. In I-HARPS (similar to HARPS) which also determined by three parameters P (the number of secrets the TA chooses), k as the number of secrets in each node, and L, L determines the additional insecure storage complexity thus P=15000, L-1024. For RPS P= 20000 and for LM-KPS P=k=1000, L=11024, and k=1000 for Blom’s scheme. The problem with other KPSs and even with deterministic KPSs is that there is always a probability that the attacker can “guess” the shared secret between two nodes. For instance, like (Ramkumar 2005, p.6) also noticed, if the final shared secret is a 128-bit secret, the probability that the attacker can determine the secret is pe =1/2128 ≈ 3x10-39. For Blom’s scheme the probability of compromise is unchanging at approximately 10-39 for n ≤ 999 and n ≥ 1000 the probability of compromise log10pe=0 or unity. Ramkumar (2005) also noted that an I-HARPS scheme is efficient even if 8000 nodes have been compromised. Moreover, above this mark, the probability of compromise is estimated to be at around 1 in a billion or (pe ≈ 10-9) for 9000 nodes, 1 in a million for 12,000 nodes, 1 in a thousand for 17,500 nodes, and pe=0.5 for 27, 500 nodes. As we discussed earlier, the trade-off is the need for additional megabytes of ‘insecure storage’. I-HARPS have other advantageous features that are too great to cover. However, compared to other KPSs in general, I-HARPS is better since it takes advantage of inexpensive and virtually unrestricted insecure storage without increasing secure storage complexity and computational complexity. vi. Key Pre-Distribution Schemes for MANET MANET is Mobile ad hoc Networks that are different from mobile wireless IP networks that there are no base stations, wireless switches, and infrastructure services like naming, routing, certificate authorities and so on. In addition, because mobile nodes join and leave the network dynamically, sometimes even overlooked, and move dynamically, network topology and administrative domain membership can transform hastily. Therefore, it is important to provide security services such as accessibility, privacy, verification, access control, veracity, and non-repudiation. Similar to other networks, “cryptography is the foundation for all network security services and key management is the major factor to guarantee a secure ad hoc network” Boutaba (2005, p.1084). However, key management in ad hoc network has to be distributed services since there is no permanent infrastructure to provide centralized service. In addition, comparable to other security approach, the most important challenge is to deliver reliable data transmission when some nodes may be compromised. Boutaba (2005) introduces the Matrix Threshold Key Pre-Distribution (MTKP) and Polynomial Threshold Key Pre-Distribution (PTKP) that employs threshold secret sharing using a polynomial. These schemes are the result of combining two famous techniques (Blom’s key pre-distribution scheme and Threshold secret sharing). Both schemes (MTKP and PTKP), allows a node to join a MANET by receiving a secret token from t different nodes, where t is a security parameter. The schemes are auto configurable in the sense that there is no centralized support required, and a node becomes a member only if it is approved by at least t member nodes. However, when a node becomes a member, it can calculate a secret key with any other member without communication. The proposed schemes are secure against collusion of up to a certain number (t-1) of compromised nodes (p.1084). Boutaba (2005) explains that threshold cryptography allows n parties to share the facility to perform a cryptographic operation in a way that any t parties can perform this operation together, whereas no coalition of up to t-1 parties can do so. A secret sharing scheme which is based on polynomial interpolation, distribute shares among n users through a trusted dealer TD which will choose a large prime q, and selects a polynomial; f (x) = S + a1x +….+ at-1xt-1 over ℤq of degree t-1 such that f (0) = S, where S is the group secret. The TD computes each user’s share ssi such that ssi = f (idi) (mod q), and securely transfers ssi to user Mi. Then, any group t members who have their shares can recover the secret using the Lagrange interpolation formula f (0) = ∑ti =1 ssi li (0) (mod q), where li (0) = ∏tj = 1, j ≠ 1 idj/ idj-idi (mod q). To facilitate the authentication of secret shares, TD publishes a commitment to the polynomial as in Verifiable Secret Sharing (VSS). VSS set up involves a large prime p such that q divides p – 1 and a generator g which is an element of ℤ*p of order q. TD computes wi (i=0,…, t -1), called the witness, such that wi = gai (mod p) and publishes these wi-s in some public domain such as directory server etc. On receiving the secret share ssi from Mi, Mj verifies the correctness of ssi by checking gssi = ∏t-1k =0 (wk) idik (mod p) (Boutaba 2005, p.1085). The above and Blom’s scheme that we already discussed earlier is the basis for MTKP and PTKP schemes. In a real MANET setting, MTKP fares better than PTKP as far as the pair wise key establishment costs are concerned. However, in terms of node admission cost, the latter out performs the former. Based on the analysis of Boutaba (2005, p.1094), MTKP scheme is well matched for MANET applications where node admission is not a recurrent operation, while the PTKP scheme is more appropriate for highly dynamic MANETs consisting of mobile devices with practically high computation power. vii. Conclusion Solving wireless communication security problems is far from over as the there are so many things to consider in terms of key management concerns. Key distribution schemes particularly in a large network is generally a sizeable problem thus experts in the field proposed various key distribution schemes. However, although they are all generally aiming to protect the secret key, their approach varies with one another. Some claims their scheme is better because it has a self-healing property that is capable of recovering group key from the previous session in case the broadcasted packets got lost. Others rely on Kerberos-like KDS and Random Key Pre-Distribution Scheme where increasing insecure storage complexity helps to reduce secure storage complexity so that computational complexity will be possible. Although some combines various key distribution schemes and secret sharing techniques in a more complicated wireless network category like the ad hoc network or MANET, the objective of delivering reliable data transmission is utterly similar and commendable. In sum, key management is a very complicated task that requires further study and experimentation. We definitely cannot rely on one proposal thus we need to a have a standardized efficient key distribution scheme in the near future. viii. Bibliography Boutaba Raouf, 2005, Networking 2005: Networking Technologies, Services, and Protocols, Published 2005 Springer, ISBN 3540258094 Dittmann Jana, Katzenbeisser Stefan, and Uhl Andreas, 2005, Communications And Multimedia Security, Published 2005 Springer, ISBN 3540287914 Kaeo Merike, 2003, Designing Network Security, Published 2003 Cisco Press, ISBN 1587051176 Hayes Ian, 2003, Just Enough Wireless Computing, Published 2003 Prentice Hall PTR, ISBN 0130994618 Nicopolitidis P., 2003, Wireless Networks, Published 2003 John Wiley and Sons, ISBN 0470845295 Ramkumar Mahalingam, 2005, I-HARPS: An Efficient Key Pre-distribution Scheme, Department of Computer Science and Engineering, Mississippi State University Read More