an authentication service against dishonest users in mobile ad hoc networks
DESCRIPTION
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks. Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big Sky, MT, March 6-13, 2004. Outline. Introduction Related Work Models Security Operations Simulation Results Conclusion. - PowerPoint PPT PresentationTRANSCRIPT
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks
Edith Ngai, Michael R. Lyu, and Roland T. Chin
IEEE Aerospace Conference, Big Sky, MT, March 6-13, 2004
Dept. of Computer Science & Engineering, CUHK
2
Outline
IntroductionRelated WorkModelsSecurity OperationsSimulation ResultsConclusion
Dept. of Computer Science & Engineering, CUHK
3
Mobile Ad Hoc Networks
Infrastructure-lessMulti-hopsWireless communicationsHighly mobileDynamic topologyVulnerable to security attacks
Dept. of Computer Science & Engineering, CUHK
4
Introduction
Certificate-based approachFully distributed mannerDetect false public key certificatesIsolate dishonest usersPropose a secure, scalable and distributed
authentication serviceAssure correctness of public key
certification
Dept. of Computer Science & Engineering, CUHK
5
Related Work
Traditional network authentication solutions rely on physically present, trust third-party servers, or called certificate authorities (CAs).
Partially-distributed certificate authority makes use of a (k,n) threshold scheme to distribute the services of the certificate authority to a set of specialized server nodes.
Fully-distributed certificate authority extends the idea of the partially-distributed approach by distributing the certificate services to every node.
Dept. of Computer Science & Engineering, CUHK
6
Related Work
Pretty Good Privacy (PGP) is proposed by following a web-of-trust authentication model. PGP uses digital signatures as its form of introduction. When any user signs for another user's key, he or she becomes an introducer of that key. As this process goes on, a web of trust is established.
Self-issued certificates issue certificates by users themselves without the involvement of any certificate authority.
Dept. of Computer Science & Engineering, CUHK
7
Our Work
Propose a secure public key authentication service in mobile ad hoc networks with malicious nodes
Prevent nodes from obtaining false public keys of the others
Based on a network model and a trust model Security operations include public key certification and
trust value update
Dept. of Computer Science & Engineering, CUHK
8
Architecture
•Clustering-based network model
•Trust model with an authentication metric
•Security operations to detect and isolate malicious nodes
Dept. of Computer Science & Engineering, CUHK
9
The Network Model
Obtain a hierarchical organization Minimize the amount of storage for
communication information Optimize the use of network bandwidth Direct monitoring capability is limited to
neighboring nodes Allow the monitoring work to proceed more
naturally Improve network security
Dept. of Computer Science & Engineering, CUHK
10
The Network Model
Divide the network into different regions
Each region with similar number of nodes
Unique group ID E.g. Zonal distributed
algorithm, Weight base clustering algorithm, etc
Group 1
Group 2
Group 3
Group 4
Group 5
Dept. of Computer Science & Engineering, CUHK
11
The Trust Model
Define a fully-distributed trust management algorithm that is based on the web-of-trust model, in which any user can act as a certifying authority
This model uses digital signatures as its form of introduction. Any node signs another's public key with its own private key to establish a web of trust
Our trust model does not have any trust root certificate; it just relies on direct trust and groups of introducers in certification
Dept. of Computer Science & Engineering, CUHK
12
The Trust Model
Define the authentication metric as a continuous value between 0.0 and 1.0
A direct trust is the trust relationship between two nodes in the same group
A recommendation trust is the trust relationship between nodes of different groups
s
Group 1
Group 2
Group 3
Group 4
Group 5
Direct Trust
RecommendationTrust
Dept. of Computer Science & Engineering, CUHK
13
Security Operations
Select introducers Send request messages Compare certificates
received Trust value update
Discovers maliciousintroducer?
Selects a number of trustablenodes as introducers
Sends out request messages tointroducers
Collects and compares all thepublic key certificates received
Selects the public key of tfollowing the majority votes
Calculates trust value of t
Updates trust table
Isolates maliciousintroducer
Y
N
Dept. of Computer Science & Engineering, CUHK
14
Authentication in our network relies on the public key certificates signed by some trustable nodes.
Nodes in the same group are assumed to know each other by means of their monitoring components and the short distances among them
Public Key Certification
s
i1
t
i2
in
Group 1
Group 2
Group 3
Group 4
Group 5
…...
Reply
Request
Dept. of Computer Science & Engineering, CUHK
15
Operation of Node
Select introducers Send request messages
to introducers Collect and decrypt the
messages Compare the certificates,
isolate dishonest nodes Calculate trust value of
the new node
Dept. of Computer Science & Engineering, CUHK
16
Trust Value Update
s denotes the requesting node
t denotes the target node Nodes i1, i2, …, in are the
introducers Each Vs, i* and Vi*, t form a
pair to make up a single trust path from s to t
s
i2
i1
t
in
…...
RecommendationTrust
Direct Trust
Vs,i1
Vs,i2
Vs,in
Vi1,t
Vi2,t
Vin,t
Dept. of Computer Science & Engineering, CUHK
17
Trust Value Update
Compute the new trust relationship from s to t of a single path
Combine trust values of different paths to give the ultimate trust value of t
Insert trust value Vt to the trust table of s
1221 )1(1 VVVV
,
1 1
1 (1 )i
i
m n
ncom i j
i j
V V
Dept. of Computer Science & Engineering, CUHK
18
Simulation Set-Up
Network simulator Glomosim
Evaluate the effectiveness in providing secure public key authentication in the presence of malicious nodes
Simulation Parameters
Dept. of Computer Science & Engineering, CUHK
19
Metrics
Successful rate % of public key requests that lead to a correct
conclusion
Failure rate % of public key requests that lead to an incorrect
conclusion
Unreachable rate % of public key requests that cannot be made due to not
enough number of introducers
Dept. of Computer Science & Engineering, CUHK
20
Ratings to Periods of Time
Ratings to Time with m=70% and p=40%
0
10
20
30
40
50
60
70
80
90
100
0-1000 1000-2000 2000-3000 3000-4000
Number of Requests
Rat
ings
(%) Successful rate
Failure rateUnreachable rate
Dept. of Computer Science & Engineering, CUHK
21
Ratings to Malicious Nodes
Ratings to % of Malicious Nodes with p=30%
0
10
20
30
4050
60
70
80
90
100
0 10 20 30 40 50 60 70 80 90 100
% of Malicious Nodes
Rat
ings
(%)
Successful rate
Failure rate
Unreachable rate
Ratings to % of Malicious Nodes with p=60%
0
10
20
30
40
50
60
70
80
90
100
0 10 20 30 40 50 60 70 80 90 100
% of Malicious NodesR
atin
gs (%
)
Successful rate
Failure rate
Unreachable rate
Dept. of Computer Science & Engineering, CUHK
22
Ratings to Trustable Nodes at Initialization
Ratings to % of Trustable Nodes at Initialization with m=30%
0
10
20
30
40
50
60
7080
90
100
0 10 20 30 40 50 60 70 80 90 100
% of Trustable Nodes at Initialization (p)
Rat
ings
(%)
Successful rate
Failure rate
Unreachable rate
Ratings to % of Trustable Nodes at Initialization with m=70%
0
10
20
30
40
50
60
70
80
90
100
0 10 20 30 40 50 60 70 80 90 100
% of Trustable Nodes at Initialization (p)R
atin
gs (%
)
Successful rate
Failure rate
Unreachable rate
Dept. of Computer Science & Engineering, CUHK
23
Comparison with PGP- Successful Rate
Successful Rate to % of Malicious Nodes
0
10
20
30
40
50
60
70
80
90
100
0 10 20 30 40 50 60 70 80 90 100
% of Malicious Nodes
Succ
essf
ul R
ate
(%)
Authentication serviceproposed
Pretty good privacy
Dept. of Computer Science & Engineering, CUHK
24
Comparison with PGP - Failure Rate
Failure Rate to % of Malicious Nodes
0
10
20
30
40
50
60
70
80
90
100
0 10 20 30 40 50 60 70 80 90 100
% of Malicious Nodes
Failu
re R
ate
(%)
Authentication serviceproposedPretty good privacy
Dept. of Computer Science & Engineering, CUHK
25
Comparison with PGP - Unreachable Rate
Unreachable Rate to % of Malicious Nodes
0
10
20
30
40
50
60
70
80
90
100
0 10 20 30 40 50 60 70 80 90 100
% of Malicious Nodes
Unr
each
able
Rat
e (%
) Authentication serviceproposedPretty good privacy
Dept. of Computer Science & Engineering, CUHK
26
Conclusions
We developed a trust- and clustering-based public key authentication mechanism
We defined a trust model that allows nodes to monitor and rate each other with quantitative trust values
We defined the network model as clustering-based The authentication protocol proposed involves new security
operations on public key certification, update of trust table, discovery and isolation on malicious nodes
We conducted security evaluation We compared with the PGP approach to demonstrate the
effectiveness of our scheme