ON SECURE GROUP KEY AGREEMENT PROTOCOLS FOR MOBILE AD HOC NETWORKS

Abstract

Nowadays, the popularity of wireless network is increasing very fast. Wireless technology is gaining more and more attention from both academia and industry. Most wireless networks used today, for example, the cell phone networks and the 802.11 Wireless Local Area Networks (WLANs), are based on the wireless network model with pre-existing wired network infrastructures. Packets from source wireless nodes are received by nearby base stations, then injected into the underlying network infrastructure and finally transferred to destination nodes. Another wireless network model, which is actively researched, is the mobile ad hoc network (MANET). This network is formed by only mobile nodes and requires no pre existing network infrastructure. Nodes with wireless capability form a MANET instantly and packets can be delivered to any node in the network. Since there is no base station and no underlying network infrastructure in MANETs, some mobile nodes work as routers to relay packets from source to destination. It is very easy and economic to form an MANET in real time. MANET is ideal in situations like battlefield or emergency rescue area where fixed network infrastructure is very hard to deploy. In recent years the popularity of multicast and group-oriented applications is also rapidly increasing in both scenarios such as wireless as well as wireline networks. Group communication provides point-to-multi-point or multi-point-to-multi-point communication by organizing processes in groups. A set of such processes is called group, where every process is a member of a group. Multicast and group communications are peer to peer and occur in many different settings, such as software updates, multimedia content distribution, interactive gaming and stock data distribution, voice and video conferencing, shared white boards, distributed simulations, as well as online games, replicated servers and databases of all types. The multicast and group communication systems are, therefore, used as vehicle to provide efficient data delivery to a large audience. One of major concerns for such systems is security. Security services include data confidentiality, integrity, authenticity, access control, etc. Many of these services can be facilitated if all group members share a common group

key. This makes secure and efficient group key creation, distribution and management a fundamental service and design challenge for Group Communication. The existing group key establishment protocols can be categorized into three categories: centralized, decentralized and contributory. In centralized protocols only one central server is responsible for creation and distribution of keys. In decentralized protocols based on common group key approach, one central server creates and other additional servers help in distributing keys, this way other servers share the load of the central server. In another category of decentralized protocols, the group is divided into subgroups and each subgroup has its own subgroup key. Although this eliminates one-affect-all phenomena, yet it involves a lot of encryption/decryption cost. Since nodes in MANET are not computationally powerful, no one node can work as central server for creating and distributing the keys. Therefore, these protocols are not suitable for secure and efficient group communication in mobile ad hoc networks. In contributory protocols each node contributes equally in group key formation, therefore, these protocols seem to be promising for mobile ad hoc networks. The contributory protocols are also known as group key agreement protocols. This thesis concentrates on group key agreement protocols that are based on the two party Diffie- Hellman protocol. In the thesis we first analyze various existing group key agreement protocols based on the two party key agreement protocol of W. Diffie and M. Hellman, for example, INGM, BD, Hypercube, Octopus, Clique (IKA. 1 and IKA.2), TGDH, NAGKA, and STR. The parameters such as number of rounds, number of messages communicated, number of exponential operations performed and round synchronization are taken into consideration for complexity analysis. All protocols other than Clique protocols need round synchronization, which involves a synchronising device like clock that creates parallel broadcasts, which are problematic in mobile ad hoc networks. From this analysis it is concluded that the Clique protocol suite (IKA. 1 and IKA.2) show the best performance among all the protocols considered. Among clique protocols, IKA.2 protocol needs less number of exponential operations as compared to IKA.l protocol. Although IKA.l protocol is inferior to IKA.2 in terms of exponential operations, yet it is more efficient regarding the number of messages. Group communication involves various dynamic events such as join, merge, leave, and partition, therefore, a group key agreement protocol must make efficient provision for forward and backward secrecy, which means that a joining member(s) should not be able to in decrypt the past communications and leaving member(s) should not be able to decrypt the future communications. So we next analyze group key agreement protocols based on two party Diffie-Hellman protocol for above dynamic membership events. We observe that Clique protocols do not need round synchronization among various group key agreement protocols. And IKA.2 protocol shows the better performance for merge, leave and partition events as far as exponential operations are concerned. It is again concluded that Clique protocols suite shows the best results, especially IKA.2, among various group key agreement protocols. Thus it is observed that a group key agreement protocol must be secure and efficient in various complexity measures. The total number of exponential operations should be small because nodes in MANETs are computationally weak. Further if the number of rounds is independent of group size, the protocol will be highly scalable. Next we propose a protocol suite, which is natural extension of two party Diffie- Hellman protocol. The proposed protocol not only provides efficient algorithms for setup, join (merge) and leave (partition), but also member authentication service. The proposed protocol also has provisions for all valid members to detect errors in communicated messages and stop execution of the protocol immediately as they encounter invalid message from the members who have awry intentions. This helps in eliminating the man-in-the-middle attack in addition to message corruption due to system faults using message verification. In the proposed protocol suite the members are arranged in a logical ring. The setup algorithm takes initial group as an input and outputs a group key after second round. At the end of each round members are authenticated, and after second round messages are also verified for corruption. If message validity checks fail the protocol terminates immediately, otherwise a group key can be generated and saved by each member in addition to three other parameters, which are used during the dynamic events, i.e., join, leave, multiple join and multiple leave. After computing the group key and three parameters other ephemeral data is erased by each member. The proposed protocol suite also consists of an algorithm, which can be used for dynamic events join and merge. The algorithm takes the initial group and joining member(s) as an input and outputs the group key and three other parameters for each member. The algorithm also takes two rounds. After each rounds members are authenticated, and after second round messages are also verified for corruption. If message validity checks fail the

protocol terminate immediately, otherwise a group key can be generated and saved by each member in addition to other three parameters, which are used during the future dynamic events. After computing the group key and three parameters other ephemeral data is erased by each member. The proposed protocol suite also consists of an algorithm for leave and partition events. The leave-partition algorithm also takes two rounds. After each round members are authenticated, and after second round messages are also verified for its corruption. If message validity checks fail the protocol terminate immediately, otherwise a group key can be generated. After computing the group key and other parameters, ephemeral data is erased by each member. Security analysis of the proposed protocol has been done in random oracle model. For which a number of oracle queries are used, which can be replaced by actual function for practical purpose, for example, secure signature scheme (S ) and hash function (H) may be replaced by ElGamal digital signature algorithm and secure hash algorithm (SHA-1) respectively. The selected pseudorandom number in ElGamal digital signature algorithm plays an important role in eliminating the impersonation attack when a secret key is somehow compromised. Further, the work shows the comparison between the proposed protocol and Clique protocol suite. The proposed protocol suite does not involve round synchronization as in case of Clique protocols. Thereby, no synchronous mechanism is needed. The number of rounds in setup protocol of IKA. 1 and IKA.2 measures as n and n +1 (where n is the number of group members) whereas our protocol needs only two rounds irrespective of the group size, joinv merge (forjoin or merge) and leave-partition (for leave or partition) protocols also needs two rounds each for their completion, which indicates that the proposed protocol suite is scalable too. The setup protocol in proposed protocol suite needs 3/7 exponential operations whereas n IKA.l and IKA.2 need (—(« + 3)-l) and (5«-6) exponential operations respectively. However, the number of messages n in IKA. 1 protocol is less as compared to IKA.2 and the proposed protocol, which need 2n -1 and 2n messages respectively. It is also seen that the join-merge of our protocol is more efficient in number of exponential operations measure as compared to join (merge) protocol of IKA.l and IKA.2 protocols for large group size. And, the proposed leave-partition protocol is also efficient as compared to IKA. 1 and IKA.2 when the n (the number of current group members) is high and / (the leaving members) is low. Our leave-partition protocol takes 6/ exponential operations as compared to 2(//-/)and (»-/) exponential operations of IKA.l and IKA.2 protocol, where / is number of leaving members. However, in case of number of messages, our leave-partition protocol is inferior to IKA.l and IKA.2 protocols. In the proposed setup protocol, the total cost of computations has been reduced considerably. For authentication, each group member generates two signatures and performs In signature verifications, which creates additional cost for authentication. Other existing protocols, for example, INGM, BD, Hypercube, Octopus, Clique (IKA.l and IKA.2), TGDH, NAGKA, and STR, do not provide authentication, our protocol suite provides member authentication at a nominal cost. In proposed setup protocol, each group member performs at most 3 exponential operations, 4 one-way hash function operations, and n XOR operations. Since the operation dependent on the number of group members is the XOR operation, this way the total cost of computation has been reduced considerably. In view of the above security and complexity analysis of proposed protocol suite and various existing group key agreement protocols, it is logically concluded that the proposed protocol suite outperforms INGM, BD, Hypercube, Octopus, TGDH, NAGKA, STR as well as Clique protocols (IKA. 1 and IKA.2) in terms of number of rounds, number of messages, number of exponential operations and round synchronization.