D. Nagamalai, E. Renault, and M. Dhanushkodi (Eds.): DPPR 2011, CCIS 205, pp. 336–345, 2011. © Springer-Verlag Berlin Heidelberg 2011

Privacy in Mobile Ad Hoc Networks

B. Jhansi Vazram1, V. Valli Kumari2, and J.V.R. Murthy3

1 Dept.of CSE, Narasaraopeta Engg. College, Andhra pradesh, India-522601 2 Dept. of CS &SE., Andhra University, Andhra Pradesh, India – 530003

3 Dept. of CSE, J N T University, Kakinada, Andhra Pradesh, India – 533003 {jhansi.bolla,vallikumari,mjonnalagedda}@gmail.com

Abstract. In mobile adhoc networks, generating and maintaining anonymity for any adhoc node is challenging because of the node mobility, dynamic network topology, cooperative nature of the network and broadcast nature of the communication media. Anonymity is provided to protect the communication, by hiding the participants as well as the message contents. Existing techniques based on cryptosystem and broadcasting cannot be easily adapted to MANET because of their extensive cryptographic computation and/or large communication overhead. In this paper, we first propose an unconditionally secure privacy preserving message authentication scheme (PPMAS) which uses Modified New variant ElGamal signature Scheme (MNES). Secondly we proposed privacy preserving communication protocol for MANET based on dynamic generation of pseudonyms, which are used in place of real nodes to provide anonymity.

Keywords: Network security, anonymity, mobile adhoc networks.

1 Introduction

A mobile ad hoc network (MANET) comprises of a set of wireless devices that can move around freely and cooperate in relaying packets on behalf of one another. A MANET does not require a fixed infrastructure or centralized administration. Distant mobile nodes communicate through multi hop paths, as they have limited transmission range. Their ease of deployment makes MANETs an attractive choice for a variety of applications like battleground communications, disaster recovery efforts, communication among a group of islands or ships, conferencing without the support of a wired infrastructure, and interactive information sharing. In MANETs, mobile nodes cooperate to forward data on behalf of each other. Typical protocols used for self-organizing and routing in these networks expose the node identifiers (network and link layer addresses), neighbors, and the end-points of communication. Some modes of operation further mandate that the nodes freely divulge their physical location. In short, nodes must advertise a profile of their online presence to participate in the MANETs, which is highly undesirable.

Both military and civilian MANETs may find the mandated exposure of information unacceptable, a node should be able to keep its identity, its location and its correspondents private, i.e., remain anonymous [6], [4]. Any solution providing

Privacy in Mobile Ad Hoc Networks 337

anonymity must overcome the broadcast nature of wireless environments (which enables eavesdropping) and operate under often tight resource constraints, unlike wired networks. Simple solutions like packet encryption are also largely ineffective because of ease of traffic analysis over a broadcast media. Hence, supporting privacy in MANETs is enormously challenging.

Outline of the paper: Section 2 presents the related work done. Section 3 gives overview of the proposed privacy preserving unconditionally secure message authentication scheme. Section 4 proposes a privacy preserving communication protocol. Section 5 discusses security analysis. Section 6 gives the performance analysis and finally we conclude in section 7.

2 Related Work

Unlinkability of an entity with a message or an action performed by it means that an adversary with enough information is unable to identify the identity of the entity, given the message or an action performed by it. Unlinkability makes anonymity possible. Privacy of both the source and the destination has to be protected in MANETs. It is also desirable that the attacker should not be able to derive the fact that source and destination nodes are communicating. We define a set of objects called anonymous set (AS) to see that a particular object is unidentifiable. Our proposed work, like any other signature schemes consists of two algorithms, generation and verification. With generation algorithm, given the message m and the public keys of anonymous set (AS), a sender from AS, with her own private key, can generate an anonymous message . The verification algorithm, given the message m and anonymous message , is used to verify whether is generated by a member in the AS. The security requirements for our method are sender anonymity and Unforgeability.

2.1 Modified New variant ElGamal signature scheme (MNES)

Definition 1: Based on the New variant ElGamal signature scheme [2], we propose a modified new variant ElGamal signature scheme(MNES), which consists of the following 3 algorithms:

i) Key generation algorithm : Let p be a large prime, α be a generator of .

Both p and α are made public. For a random private key x , The public key y is computed from y = αx mod p.

ii) Signature algorithm: The MNES can also have many variants. For the purpose of efficiency, we will describe the variant, called optimal scheme. To sign a message m, one chooses a random k, l , then computes the exponentiation r= α k mod p, s = α l mod p and q= αh mod p and solves w from 1 (1)

where h is a one way hash function .The signature of the message m is defined as the triple ( r, s, w ). iii) Verification algorithm :

338 B. Jhansi Vazram, V. Valli Kumari, and J.V.R. Murthy

The verifier checks the signature equation α , h=h(m,rs). If the equality holds true, then the verifier accepts the signature and rejects otherwise.

The existing anonymous communication protocols are largely stemmed from either mixnet [1] or DC-net [3]. Moler presented a secure public-key encryption algorithm for mixnet [8]. This algorithm has been adopted by Mixminion [7]. However, since mixnet like protocols rely on the statistical properties of background traffic, they cannot provide provable anonymity. Recently [5][10] message sender anonymity based on ring signatures was introduced. This method provides an assurance to the sender that the generated message has source anonymous signature along with content authenticity, while hiding the message sender’s real identity.

In this paper, we first propose an unconditionally secure privacy preserving message authentication scheme (PPMAS) based on the modified new variant ElGamal signature scheme. This is because the original ElGamal signature scheme is existentially forgeable with a generic message attack [12, 11]. While the modified ElGamal signature (MES) scheme [5] is secure against no-message attack and adaptive chosen message attack in the random oracle model [9], it cannot be used for more than one message. The modified new variant ElGamal signature scheme (MNES) is almost very similar to MES, and also [2] we can transmit more than one message without changing the secret exponents.

3 Unconditionally Secure Privacy Preserving MAC (PPMAS):

In this section, we propose an efficient privacy preserving unconditionally secure message authentication scheme (PPMAS). The main idea is that for each message m to be released, the sending node generates a privacy preserving message authentication for the message m. The generation is based on the MNES scheme. Unlike ring signatures, which require computing a forgery signature for each member in the AS separately, our scheme only requires three steps to generate the entire PPMAS. This scheme links all non-senders and the message sender to the PPMAS alike. In addition, our design enables the PPMAS to be verified through a single equation without individually verifying the signatures.

3.1. The Proposed PPMAS Scheme. Suppose that the message sender (say Alice) wishes to transmit a message m anonymously from her network node to any other node. The AS includes n members, A1,A2, . . . ,An, for example, = {A1,A2, . . . ,An}, where the actual message sender Alice is At, for some value t, 1 ≤ t ≤ n.

Let p be a large prime number and α be a primitive element of Z . Then α is also a

generator of Z . That is Z = < α >. Both p and α are made public and shared by all members in . Each Ai has a publickey , where xi is a randomly selected private key from Z . In this paper, we will not distinguish between the

node Ai and its public key yi. Therefore, we also have = , ,……….., .

Privacy in Mobile Ad Hoc Networks 339

Suppose m is a message to be transmitted. The private key of the message sender Alice is x , 1 ≤ t ≤ n. To generate an efficient PPMAS for message m, Alice performs the following three steps:

(1) Select a random and pair wise different k , for each 1 ≤ i ≤ n, and

compute , , where 1 k , l , .

(2) Choose two integers , 1 , and compute ∏ , ∏ ∏ , such that 1, 1, 1, , , t. (3) Compute h ∑ ∑ ∑ 1 .

The PPMAS of the message m is defined as , , … . , … . , … . , … . , 2)

Where … . … . … . … . … . … . … . (3)

3.2 Verification of PPMAS

A verifier can verify an alleged PPMAS , , . . . . . , … . . , for message m by verifying whether the following equation

… . … . … . … . … . … . … . holds. If (3) holds true, the verifier accepts the PPMAS as valid for message m.

Otherwise the verifier rejects the PPMAS. In fact, if the PPMAS has been correctly generated, then we have ∏ 1 ∏ 1 ∏ 1 ∏ 1 ∏ 1 ∏ 1

= ∏ ∏ ∏ ∏ ∏ ∏ ∑ ∑ ∑ ∏ ∏ ∏ ∏ ∏ ∏ ∑ ∑ ∑

∑ ∑ ∑ ∑ ∑ ∑

340 B. Jhansi Vazram, V. Valli Kumari, and J.V.R. Murthy

Therefore, the verifier should always accept the PPMAS if it is correctly generated without being modified.

As a trade-off between computation and transmission, the PPMAS can also be defined as (m) = (m, ,r1, . . . , rn, s1…..sn, q1….qn, h1, . . . , hn, w). In case is also clear, it can be eliminated from the PPMAS.

3.3 Security Analysis

In this subsection, we prove that the proposed PPMAS scheme is unconditionally anonymous and provably unforgeable against adaptive chosen-message attack.

3.3.1 Anonymity In order to prove that the proposed PPMAS is unconditionally anonymous, we have to prove that(i) for anybody other than the members of S, the probability to successfully identify the real sender is 1/n, and(ii) anybody from can generate PPMAS.

3.3.2 Unforgeability The design of the proposed PPMAS relies on the ElGamal signature scheme. Different levels of security can be achieved by signature schemes. The maximum level of security is a counter to existential forgery under adaptive chosen message attack.

4 The Privacy Preserving Communication Protocol

4.1 Network Assumption

As any physical transmission in a world can be monitored and traced to its origin, it is probably impossible to keep confidential who is communicating to whom by which messages. Our paper addresses the above problem. Assume that our network model similar to that discussed in[5], consists of networks with multiple MANETs, i.e., the participating nodes are divided into set of small groups. The network nodes are categorized into Ordinary node and Special nodes

An ordinary node is one that is unable to communicate directly with the nodes in other MANETS. A special node can be an ordinary node that can also provide message forward services to other MANET nodes. In some peculiar situations e.g.: energy optimization, an ordinary node can be automatically converted to a special node.

Prior to the network deployment, there should be an administrator. The administrator does not take part in routing rather it has the following tasks during the bootstrap of the network.

i) Determines two groups G1, G2 of the same prime order q. We view G1 as an additive group and G2 as a multiplicative group.

ii) Determines bilinear map , collision resistant cryptographic hash functions H1 and H2 where H 0,1 G mapping from arbitrary length strings to points in G1 and H

Privacy in Mobile Ad Hoc Networks 341 0,1 0,1 μ mapping from arbitrary length strings to bit fixed length output.

iii) Generates system’s secret , where | . Any one in the network does not know except system

administrator. Thus the parameters 1, 2, , 1, 2 are known to the special nodes. System administrator also provides the following parameters to special nodes, regarding their IDs and secret points.

• Provides each node a different pseudo ID, PSID , and their corresponding secret point , which is defined as 1 ; if then PSID as

well as .

4.2 Anonymous Intra MANET Communication

In anonymous communications, the message content should not consist of any explicit information such as the message sender and recipient addresses. Everything is embedded into the anonymizing message payload. The administrator selects a set of security parameters for the entire system, before the network deployment, including a large prime p and a generator α of Z . The network nodes Ai, 1 , the corresponding public keys yi, 1 of the n participating nodes, xi’s are randomly selected private keys of Ai’s, where , 1 , then yi is computed from [5]. In this paper we adopted the same anonymous local communication for our network and also the dynamic local MANET formation including the node joining and leaving process from [5].

4.3 Anonymous Communications between Two Arbitrary Special Nodes

When Anonymous authentication is present, two nodes in the same group can authenticate each other secretly in such a way that each party reveals its group membership to the other party if and only if the other party is also a group member.

The scheme consists of a set of special nodes and an administrator who creates groups and enrolls special nodes in groups. For this purpose, the administrator will assign each special node A, a pseudonym and their corresponding secret

point , which is defined as 1 ; if then PSID as well as . For a given set of , , no

one can determine the system secret . When the special node A wants to authenticate anonymously to the special node B, the following secret hand shake can be conducted. This means that two special nodes A and B can know each other’s group membership only if they belong to the same group. When the special node A wants to authenticate to the special node B, the following secret handshake can be conducted which is shown in Figure 1. Pseudo IDs of the nodes are generated considering Pairing-based Cryptography based on bilinear mapping [12].

342 B. Jhansi Vazram, V. Valli Kumari, and J.V.R. Murthy

Fig. 1. Anonymous authentication process between two arbitrary special nodes A and B

4.4 Anonymous Communication between Two Arbitrary Ordinary nodes

The sender first randomly selects a local special node and transmits the message as discussed above. On receiving the message, the local special node first determines the destination MANET ID by checking the message recipient flag Fr. If it is 0, then the recipient and the special node are in the same MANET. Otherwise they are in a different MANET. The communication is done using the procedure discussed above.

: Pseudo ID initially assigned by the system administrator to a special node A. : Secret point initially assigned by System a dministrator to a special node A

corresponding to . : Dynamically generated pseudonym by special node A.

: Dynamically generated secret point by special node A corresponding to

: Nonce, randomly generated by special node A to generate a new dynamic pseudonym.

: Nonce, randomly generated by special node A, for authentication purpose. A computes:

B computes:

A generates a random , for authentication as a new node, and sends to special node B

B computes . B

also generates a random and computes and sends , to special node A.

: A computes , computes . Also A computes and sends

, to special node B.

B then computes .

since KBA= KAB, A can verify B by checking whether If the verification succeeds, then A knows that B is an authentic group peer. Similarly, B can verify A by checking whether If the verification succeeds, then B knows that A is also an authentic group peer. However, in this authentication process, neither special node A, nor special node B can get the real identity of the other node. In other words, the real identities of special node A and special node B remain anonymous after the authentication process.

Privacy in Mobile Ad Hoc Networks 343

While providing message recipient anonymity, the message can be encrypted to achieve confidentiality. The presented anonymous communication is quite general and can be used in a variety of situations for communication anonymity in MANET including anonymous file sharing.

5 Security Analysis

We study several attacks designed [5] to analyze the security of the privacy preserving communication protocol.

5.1 Anonymity

(I) It is computationally infeasible for an adversary to identify the message sender and recipient on the local MANET. Hence the privacy preserving communication protocol provides to the sender and recipient anonymity in the local MANET.

(II) The presented communication protocol offers both message sender and recipient anonymity among any two special nodes.

As told earlier, each special node is being assigned a large set of pseudonyms. A dynamically selected pseudonym will be used for any two ordinary nodes in different MANETs to communicate anonymously. The pseudonyms do not carry user information implicitly. The communication can be broken into three segments:

the communication between the sender and local special node in the message sender‘s local MANET

the communication between the special nodes in the corresponding MANETs

the communication between the recipient special node and the receiver.

(I) has assured the communication anonymity between a special node and an ordinary node in the local MANETs. Therefore we only need to ensure anonymity between two special nodes in different MANETs in order to achieve full anonymity between the sender and receiver.

5.2 Impersonation Attacks

As told above, the forgery attack performed by an adversary, to carry out an impersonation attack is infeasible. For an adversary to forge as a special node, he needs to authenticate himself with a special node A. For this the adversary needs to compute g PSID , PSIDB , where PSID is the identity of the adversary and PSIDB is the newly generated pseudonym of the special node .

However, since the adversary does not know the secret point , he is unable to compute g PSID , PSIDB and impersonate as a special node.

5.3 Message Replay Attacks

Each message packet in communication has a unique one-time session ID (nonce) to protect it from being modified or replayed. In addition, these fields are encrypted

344 B. Jhansi Vazram, V. Valli Kumari, and J.V.R. Murthy

using the intermediate receiver node’s public key so that only the designated receiver nodes can decrypt the message. In this fashion, each packet transmitted across different MANETs bears different and uncorrelated IDs and content for adversaries.

Even if the same message is transmitted multiple times, the adversary still cannot link them together without knowing all the private keys of the intermediate nodes.

6 Performance Analysis

In this section we will provide comparison results based on energy consumed by the network nodes of our proposed communication protocol and the method discussed in [7]. Using the method discussed in [7], energy consumed by normal nodes and super nodes are as follows: At normal node, At super node, ( intra group communication) ( inter group communication) Where, : Energy consumed by normal node : Energy consumed by super node : Energy required for a node to generate SAMAS message : Energy required transmitting a message : Energy required for decrypting the message

: Energy required for encrypting the message : Energy required by a node to perform authentication process

: Energy required by a super node to maintain set of pseudonyms assigned by the administrator

Using our proposed method , energy consumed by ordinary nodes and special nodes are as given below: At ordinary node, At special node, (Intra group communication) (Inter group communication) Where,

: Energy consumed by ordinary node : Energy consumed by special node : Energy required by a node to generate PPMAS message

: Energy required for a node to generate pseudonyms dynamically

Privacy in Mobile Ad Hoc Networks 345

Our proposed method has an advantage that during the intra group communication, energy consumed by special node is same as that of ordinary node. During inter group communication also very little energy is required to generate a new pseudonym dynamically. Energy required for maintaining a set of pseudonyms (which is must in [5]) is completely eliminated.

7 Conclusion

In this paper, we first propose an efficient unconditionally secure privacy preserving message authentication scheme (PPMAS) that can be applied to any number of messages without changing the secret exponents. PPMAS ensures message sender privacy along with message content authenticity. To ensure communication privacy without effecting transmission delay and collusion problems, we then proposed a new and efficient privacy-preserving communication protocol for MANET that can provide both message sender and recipient privacy protection. Security analysis shows that the proposed protocol is secure against various attacks.

References

1. Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24, 84–88 (1981)

2. Khadir, O.: New Variant of ElGamal Signature Scheme. J. Contemp. Math. Sciences 5(34), 1653–1662 (2010)

3. Chaum, D.: The dining Cryptographer’s problemml: unconditional sender and recipient untraceability. J. Cryptology 1(1), 65–75 (1988)

4. Reiter, M.K., Rubin, A.D.: Crowds: Anonymity for Web Transactions. ACM Transactions on Information and System Security 1(1), 66–92 (1998); Symposium on Security & Privacy, Oakland, Calif, USA (May 2003)

5. Ren, J., Li, Y., Li, T.: SPM: Source Privacy for Mobile Ad Hock Networks. EURASIP J. on Wireless Communications and Networking 2010, article ID534712, 10 Pages (2010)

6. Reed, M.G., Syverson, P.F., Goldschlag, D.M.: Anonymous Connections and Onion Routing. J. Selected Areas in Communication Special Issue on Copyright and Privacy Protection (1998)

7. Danezis, G., Dingledine, R., Mathewson: Mixminion: design of a type III anonymous remailer protocol. In: Proc. of the IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, Calif, USA, pp. 2–15 (May 2003)

8. Möller, B.: Provably secure public-key encryptionfor length-preserving chaumian mixes. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 244–262. Springer, Heidelberg (2003)

9. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996)

10. Rivest, R., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001)

11. Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing 17, 281–308 (1988)

12. ElGamal, T.A.: A public-key cryptosystem and a signature scheme based on discrete Logarithms. IEEE Transactions on Information Theory 31(4), 469–472 (1985)