SECURITY ISSUES IN A NETWORKED AGE
RESEARCH COLLECTION

by Jaydip Sen
Security Issues in a Networked Age - Research Collection
by Jaydip Sen

Published by InTech
Janeza Trdine 9, 51000 Rijeka, Croatia

Edition 2016
© InTech and the Author(s) 2016
The moral rights of the author have been asserted.

All rights to the book as a whole are reserved by InTech. The book as a whole (compilation) cannot
be reproduced, distributed or used for commercial or non-commercial purposes without InTech’s
written permission. Enquiries concerning the use of the book should be directed to InTech’s rights and
permissions department (permissions@intechopen.com).

Violations are liable to prosecution under the governing Copyright Law.

Individual chapters of this publication are distributed under the terms of the Creative Commons
Attribution 3.0 Unported License which permits commercial use, distribution and reproduction of the
individual chapters, provided the original author and source publication are appropriately acknowledged.
More details and guidelines concerning content reuse and adaptation can be found at http://www.
intechopen.com/copyright-policy.html.

Notice
Statements and opinions expressed in the chapters are those of the individual contributors and
not necessarily those of the editors or publisher. No responsibility is accepted for the accuracy of
information contained in the published chapters. The publisher assumes no responsibility for any
damage or injury to persons or property arising out of the use of any materials, instructions, methods or
ideas contained in the book.

Additional hard copies can be obtained from orders@intechopen.com


ISBN 978-953-51-2321-7
Contents

Preface VII

Routing Security Issues in Wireless Sensor Networks: Attacks and Defenses 9
Jaydip Sen

Secure Routing in Wireless Mesh Networks 41
Jaydip Sen

Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks 85
Jaydip Sen

Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks 117
Jaydip Sen

Homomorphic Encryption — Theory and Application 149
Jaydip Sen
Preface

Wireless networks are truly pervasive in the modern environment: from the workplace and
the home, to implanted medical devices. Network security, therefore, is of paramount
importance. This volume begins with an overview of the security vulnerabilities of wireless
sensor networks, but also offers some means of defence against them. It goes on to propose
ways of securing routing in wireless mesh networks. Two further chapters offer in-depth
studies of secure and privacy-preserving data protocols for wireless sensor and mesh
networks. The book concludes with an overview of the history of homomorphic encryption as
a means of securing data, also covering some emerging trends in which this form of
encryption offers exciting new possibilities.

Chapters in this book were also published in:

Jaydip Sen (2010). Routing Security Issues in Wireless Sensor Networks: Attacks and Defenses, Sustainable Wireless
Sensor Networks, Yen Kheng Tan (Ed.), InTech, DOI: 10.5772/12952.

Jaydip Sen (2011). Secure Routing in Wireless Mesh Networks, Wireless Mesh Networks, Nobuo Funabiki (Ed.), InTech,
DOI: 10.5772/13468.

Jaydip Sen (2012). Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks,
Cryptography and Security in Computing, Dr. Jaydip Sen (Ed.), InTech, DOI: 10.5772/38615.

Jaydip Sen (2012). Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks, Applied
Cryptography and Network Security, Dr. Jaydip Sen (Ed.), InTech, DOI: 10.5772/39176.

Jaydip Sen (2013). Homomorphic Encryption — Theory and Application, Theory and Practice of Cryptography and
Network Security Protocols and Technologies, Prof. Jaydip Sen (Ed.), InTech, DOI: 10.5772/56687.
Routing Security Issues in Wireless Sensor Networks: Attacks and Defenses 279

12

Routing Security Issues in Wireless Sensor Networks: Attacks and Defenses
Jaydip Sen
Innovation Lab, Tata Consultancy Services Ltd.
India

1. Introduction
Wireless Sensor Networks (WSNs) are rapidly emerging as an important new area in
wireless and mobile computing research. Applications of WSNs are numerous and growing,
and range from indoor deployment scenarios in the home and office to outdoor deployment
scenarios in adversary’s territory in a tactical battleground (Akyildiz et al., 2002). For
military environment, dispersal of WSNs into an adversary’s territory enables the detection
and tracking of enemy soldiers and vehicles. For home/office environments, indoor sensor
networks offer the ability to monitor the health of the elderly and to detect intruders via a
wireless home security system. In each of these scenarios, lives and livelihoods may depend
on the timeliness and correctness of the sensor data obtained from dispersed sensor nodes.
As a result, such WSNs must be secured to prevent an intruder from obstructing the
delivery of correct sensor data and from forging sensor data. To address the latter problem,
end-to-end data integrity checksums and post-processing of sensor data can be used to
identify forged sensor data (Estrin et al., 1999; Hu et al., 2003a; Ye et al., 2004).
The design and implementation of secure WSNs must simultaneously address several
difficult research challenges. First, wireless communication among the sensor nodes
increases the vulnerability of the network to eavesdropping, unauthorized access, spoofing,
replay, and denial-of-service (DoS) attacks. Second, the sensor nodes themselves are highly
resource-constrained in terms of limited memory, CPU, communication bandwidth, and
especially battery life. These resource constraints limit the degree of encryption, decryption,
and authentication that can be implemented on individual sensor nodes, and call into
question the suitability of traditional security mechanisms such as computation-intensive
public-key cryptography for such resource-constrained sensor nodes (Carman et al., 2000).
Third, WSNs face the added physical security risk of individual sensor nodes falling into
wrong hands. Sensor nodes that are physically deployed in the field can be captured by an
intruder, and can then be subject to attacks from the potentially well-equipped intruder in
order to compromise a single resource-poor node. Following a successful attack, a
compromised sensor node could then be used to launch such malicious activities as
advertising false routing information, and launching DoS attacks from within the sensor
network.

The combined threats introduced by increased physical security risk and severe resource
constraints motivate the following design philosophy to achieve secure WSNs: assume that
a well-equipped intruder can compromise individual sensor nodes, but secure the overall
design of the WSN so that these intrusions can be tolerated and the network as a whole
remains functioning despite such localized intrusions. More precisely, the objective is the
design of an intrusion-tolerant WSN that has the property that a single compromised node
can only disrupt a localized portion of the network, and cannot bring down the entire sensor
network. This design objective of intrusion tolerance for secure WSNs must provide
protection against two classes of attacks that could bring down an entire sensor network:
DoS-type attacks and routing disruption attacks that propagate erroneous control packets
containing false routing information throughout the network.
The focus of this chapter is on routing security in WSNs. Most of the currently existing
routing protocols for WSNs make an optimization on the limited capabilities of the nodes
and the application-specific nature of the network, but do not address the security aspects of the
protocols. Although these protocols have not been designed with security as a goal, it is
extremely important to analyze their security properties. When the defender has the
liabilities of insecure wireless communication, limited node capabilities, and possible insider
threats, and the adversaries can use powerful laptops with high energy and long range
communication to attack the network, designing a secure routing protocol for WSNs is
obviously a non-trivial task.
One aspect of sensor networks that complicates the design of a secure routing protocol is
in-network aggregation (Shrivastava et al., 2004; Madden et al., 2002; Przydatek et al., 2003; Zhu
et al., 2004a). In more conventional networks, a secure routing protocol is typically only
required to guarantee message availability. Message integrity, authenticity, and
confidentiality are handled at a higher layer by an end-to-end security mechanism such as
SSH or SSL. End-to-end security is possible in more conventional networks because it is
neither necessary nor desirable for intermediate routers to have access to the contents of
messages. However, in sensor networks, in-network processing makes end-to-end security
mechanism harder to deploy because intermediate nodes need direct access to the contents
of the messages. Link layer security mechanisms can help mediate some of the resulting
vulnerabilities, but it is not enough: we will now require much more from our protocols,
and they must be designed with this in mind.
The organization of this chapter is as follows. In Section 2, we discuss the various resource
constraints under which a typical WSN operates. In Section 3, various security requirements
of such networks are identified. In Section 4, a number of security vulnerabilities of WSNs
are presented. Different types of attacks at various layers such as physical, link, network and
transport layers are discussed in detail. In particular, various attacks at the network layer
are described, such as: (i) spoofed routing information (Karlof et al., 2003), (ii) selective
packet forwarding (Karlof et al., 2003), (iii) sinkhole (Wood et al., 2002), (iv) Sybil (Newsome
et al., 2004), (v) wormhole (Karlof et al., 2003), (vi) hello flood (Karlof et al., 2003), (vii)
acknowledgment spoofing etc (Karlof et al., 2003). Section 5 presents a discussion on the
defense mechanisms for DoS attacks at the network layer. In particular, schemes such as use
of message authentication code (MAC) (Perrig et al., 2002), directional antenna-based
defense (Hu et al., 2004a), packet leashes (Hu et al., 2004b), client puzzles (Aura et al., 2001)
are discussed. Section 6 discusses secure broadcasting and multicasting techniques based on
group key management protocols (Rafaeli et al., 2003) and directed diffusion-based
mechanism (Di Pietro et al., 2003) etc. Section 7 presents some of the well-known existing
secure routing protocols for WSNs such as μTESLA (Liu et al., 2004), INSENS (Deng et al.,
2002b), SPINS (Perrig et al., 2002), TRANS (Tanachawiwat et al., 2003), and defense
mechanisms against Sybil attack (Newsome et al., 2004; Chan, et al., 2003b; Eschenauer et al.,
2002; Du et al., 2003), blackhole and grayhole (Sen et al., 2007b) attacks, a secure and energy-
efficient routing protocol (Sen et al., 2010) are also discussed in detail. Finally, in conclusion,
some future research directions are discussed.
In summary, the chapter makes the following contributions:
• It proposes threat models and security goals for secure routing in WSNs.
• It identifies various possible attacks on the network layer of a WSN.
• It demonstrates how attacks against ad-hoc wireless networks and peer-to-peer
networks can be adapted into powerful attacks against WSNs.
• It presents a detailed security analysis of all the major routing protocols and energy
conserving topology maintenance algorithms for WSNs.
• It presents various defense mechanisms to counter the well-known attacks on the
routing protocols of WSNs.

2. Constraints in WSNs
A WSN consists of a large number of sensor nodes which are inherently resource-
constrained. These nodes have limited processing capability, very low storage capacity, and
constrained communication bandwidth. These limitations are due to limited energy and
physical size of the sensor nodes. Due to these constraints, it is difficult to directly employ
the conventional security mechanisms in WSNs. In order to optimize the conventional
security algorithms for WSNs, it is necessary to be aware of the constraints of sensor
nodes (Carman et al., 2000). The major constraints of a WSN are listed below.
(i) Energy constraints: Energy is the biggest constraint for a WSN. In general, energy
consumption in sensor nodes can be categorized in three parts: (i) energy for the sensor
transducer, (ii) energy for communication among sensor nodes, and (iii) energy for
microprocessor computation. The study in (Hill et al., 2000) found that each bit transmitted
in WSNs consumes about as much power as executing 800 to 1000 instructions. Thus,
communication is more costly than computation in WSNs. Any message expansion caused
by security mechanisms comes at a significant cost. Further, higher security levels in WSNs
usually correspond to more energy consumption for cryptographic functions. Thus, WSNs
could be divided into different security levels depending on energy cost (Slijepcevic et al.,
2002; Yuan et al., 2002).
(ii) Memory limitations: A sensor is a tiny device with only a small amount of memory and
storage space. Memory in a sensor node usually includes flash memory and RAM. Flash
memory is used for storing downloaded application code and RAM is used for storing
application programs, sensor data, and intermediate results of computations. There is
usually not enough space to run complicated algorithms after loading the OS and
application code. In the SmartDust project, for example, TinyOS consumes about 4K bytes of
instructions, leaving only 4500 bytes for security and applications (Hill et al., 2000). A
common sensor type, TelosB, has a 16-bit, 8 MHz RISC CPU with only 10K RAM, 48K
program memory, and 1024K flash storage. The current security algorithms are therefore
infeasible in these sensors (Perrig et al., 2002).
(iii) Unreliable communication: Unreliable communication is another serious threat to sensor
security. Normally the packet-based routing of sensor networks is based on connectionless
protocols and thus inherently unreliable. Packets may get damaged due to channel errors or
may get dropped at highly congested nodes. Furthermore, the unreliable wireless
communication channel may also lead to damaged or corrupted packets. Higher error rate
also mandates robust error handling schemes to be implemented leading to higher
overhead. In certain situations, even if the channel is reliable, the communication may not be
so. This is due to the broadcast nature of wireless communication, as the packets may collide
in transit and may need retransmission (Akyildiz et al., 2002).
(iv) Higher latency in communication: In a WSN, multi-hop routing, network congestion and
processing in the intermediate nodes may lead to higher latency in packet transmission. This
makes synchronization very difficult to achieve. The synchronization issues may sometimes
be very critical in security as some security mechanisms may rely on critical event reports
and cryptographic key distribution (Stankovic, 2003).
(v) Unattended operation of networks: In most cases, the nodes in a WSN are deployed in
remote regions and are left unattended. The likelihood that a sensor encounters a physical
attack in such an environment is therefore very high. Remote management of a WSN makes
it virtually impossible to detect physical tampering. This makes security in WSNs a
particularly difficult task.

3. Security Requirements in WSNs


A WSN is a special type of network. It shares some commonalities with a typical computer
network, but also exhibits many characteristics which are unique to it. The security services
in a WSN should protect the information communicated over the network and the resources
from attacks and misbehavior of nodes. The most important security requirements in WSN
are listed below:
(i) Data confidentiality: The security mechanism should ensure that no message in the
network is understood by anyone except the intended recipient. In a WSN, the issue of
confidentiality should address the following requirements (Carman et al., 2000; Perrig et al.,
2002): (i) a sensor node should not allow its readings to be accessed by its neighbors unless
they are authorized to do so, (ii) key distribution mechanism should be extremely robust,
(iii) public information such as sensor identities, and public keys of the nodes should also be
encrypted in certain cases to protect against traffic analysis attacks.
(ii) Data integrity: The mechanism should ensure that no message can be altered by an entity
as it traverses from the sender to the recipient.
(iii) Availability: This requirement ensures that the services of a WSN should be available
always, even in the presence of internal or external attacks such as a denial of service (DoS)
attack. Different approaches have been proposed by researchers to achieve this goal. While
some mechanisms make use of additional communication among nodes, others propose use
of a central access control system to ensure successful delivery of every message to its
recipient.
(iv) Data freshness: It implies that the data is recent and ensures that no adversary can replay
old messages. This requirement is especially important when the WSN nodes use shared
keys for message communication, where a potential adversary can launch a replay attack
using the old key as the new key is being refreshed and propagated to all the nodes in the
WSN. A nonce or time-specific counter may be added to each packet to check the freshness
of the packet.
(v) Self-organization: Each node in a WSN should be self-organizing and self-healing. This
feature of a WSN also poses a great challenge to security. The dynamic nature of a WSN
makes it sometimes impossible to deploy any pre-installed shared key mechanism among
the nodes and the base station (Eschenauer et al., 2002). A number of key pre-distribution
schemes have been proposed in the context of symmetric encryption (Chan et al., 2003b;
Eschenauer et al., 2002; Hwang et al., 2004; Liu, et al., 2005a). However, for application of
public-key cryptographic techniques an efficient mechanism for key-distribution is very
much essential. It is desirable that the nodes in a WSN self-organize among themselves not
only for multi-hop routing but also to carry out key management and developing trust
relations.
(vi) Secure localization: In many situations, it becomes necessary to accurately and
automatically locate each sensor node in a WSN. For example, a WSN designed to locate
faults would require accurate locations of sensor nodes identifying the faults. A potential
adversary can easily manipulate and provide false location information by reporting false
signal strength, replaying messages etc., if the location information is not secured properly.
The authors in (Capkun et al., 2006) have described a technique called verifiable
multilateration (VM). In multilateration, the position of a device is accurately computed from a
series of known reference points. The authors have used authenticated ranging and distance
bounding to ensure accurate location of a node. Because of the use of distance bounding, an
attacking node can only increase its claimed distance from a reference point. However, to
ensure location consistency, the attacker would also have to prove that its distance from
another reference point is shorter. As it is not possible for the attacker to prove this, it is
possible to detect the attacker. In (Lazos et al., 2005), the authors have described a scheme
called secure range-independent localization (SeRLoC). The scheme is a decentralized range-
independent localization scheme. It is assumed that the locators are trusted and cannot be
compromised by any attacker. A sensor computes its location by listening to the beacon
information sent by each locator which includes the locator’s location information. The
beacon messages are encrypted using a shared global symmetric key that is pre-distributed
in the sensor nodes. Using the information from all the beacons that a sensor node receives,
it computes its approximate location based on the coordinates of the locators. The sensor
node then computes an overlapping antenna region using a majority vote scheme. The final
location of the sensor node is determined by computing the center of gravity of the
overlapping antenna region.
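To make the verifiable multilateration argument concrete, here is an added example that is not code from the chapter or from Capkun et al.: it assumes three trusted reference points forming a triangle, distance bounds that a prover can only enlarge, and a hypothetical `tolerance` margin for ranging noise. It estimates the node position from the three bounds and rejects any claim whose bounds are mutually inconsistent, which is exactly what happens when one distance has been enlarged.

```python
import math

# Constructed sample: three trusted reference points (verifiers) that form a
# triangle, and a sensor node whose true position lies inside that triangle.
REFS = [(0.0, 0.0), (100.0, 0.0), (50.0, 90.0)]
TRUE_POS = (40.0, 30.0)


def distance_bound(true_pos, ref, added_delay=0.0):
    """Model of one distance-bounding round.

    The verifier measures a round-trip time, so a prover can only make the
    measured distance larger (by delaying its reply); it cannot make it
    smaller. `added_delay` is the extra distance a dishonest prover adds.
    """
    assert added_delay >= 0.0, "distance bounding never yields a shorter distance"
    return math.dist(true_pos, ref) + added_delay


def trilaterate(refs, dists):
    """Solve for (x, y) from three reference points and three distances.

    Subtracting the first circle equation from the other two gives a linear
    2x2 system, solved here with Cramer's rule. Collinear references are
    rejected because they do not give a unique solution.
    """
    (x1, y1), (x2, y2), (x3, y3) = refs
    d1, d2, d3 = dists
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    b2 = d1 ** 2 - d3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("reference points must not be collinear")
    x = (b1 * a22 - a12 * b2) / det
    y = (a11 * b2 - a21 * b1) / det
    return x, y


def inside_triangle(p, refs):
    """True if p lies inside (or on the edge of) the triangle spanned by refs."""
    def side(a, b, c):
        return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])
    r1, r2, r3 = refs
    s = (side(r1, r2, p), side(r2, r3, p), side(r3, r1, p))
    return all(v >= 0 for v in s) or all(v <= 0 for v in s)


def verify_position(refs, bounds, tolerance):
    """Verifiable multilateration check; returns (accepted, estimate).

    The claim is accepted only if the estimate lies inside the verifier
    triangle and every measured bound agrees with the estimate within
    `tolerance` (assumed ranging-noise margin). Enlarging one bound pulls the
    estimate away from the other two verifiers, so at least one of them would
    need a *shorter* distance to stay consistent, which distance bounding
    does not allow; the inconsistency is therefore detected.
    """
    est = trilaterate(refs, bounds)
    if not inside_triangle(est, refs):
        return False, est
    for ref, d in zip(refs, bounds):
        if abs(math.dist(est, ref) - d) > tolerance:
            return False, est
    return True, est


def honest_bounds(noise=0.5):
    # Honest node: each bound is the true distance plus a small processing delay.
    return [distance_bound(TRUE_POS, r, noise) for r in REFS]


def dishonest_bounds(extra=20.0):
    # Dishonest node: inflates only its distance to the first verifier.
    return [distance_bound(TRUE_POS, r, extra if i == 0 else 0.0)
            for i, r in enumerate(REFS)]


if __name__ == "__main__":
    print("honest   :", verify_position(REFS, honest_bounds(), tolerance=3.0))
    print("dishonest:", verify_position(REFS, dishonest_bounds(), tolerance=3.0))
```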
(vii) Time synchronization: Most of the applications in sensor networks require time
synchronization. Any security mechanism for WSN should also be time-synchronized. A
collaborative WSN may require synchronization among a group of sensors. In (Ganeriwal et
al., 2005), the authors have proposed a set of secure synchronization protocols for multi-hop
sender-receiver and group synchronization.
(viii) Authentication: It ensures that the communicating node is the one that it claims to be.
An adversary can not only modify data packets but also can change a packet stream by
injecting fabricated packets. It is, therefore, essential for a receiver to have a mechanism to
verify that the received packets have indeed come from the actual sender node. In case of
communication between two nodes, data authentication can be achieved through a message
authentication code (MAC) computed from the shared secret key among the nodes. A number
of authentication schemes for WSNs have been proposed by researchers. Most of these
schemes are for secure routing and reliable packet. Some of these schemes will be discussed
in Section 5.
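The following added example (not from the chapter) shows requirements (iv) data freshness and (viii) authentication enforced together on one packet format. The 2-byte node id, the 4-byte monotonically increasing counter, the per-node shared key, the 4-byte truncated HMAC tag and the `Receiver` class are all assumptions of the example.

```python
import hmac
import hashlib
import struct

# Assumed packet layout: node id (2 bytes) || counter (4 bytes) || payload || tag.
# The tag is a truncated HMAC-SHA256 so that message expansion stays small.
HEADER = struct.Struct("!HI")
MAC_LEN = 4


def make_packet(key, node_id, counter, payload):
    """Sender side: header || payload || truncated MAC over header and payload."""
    body = HEADER.pack(node_id, counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class Receiver:
    """Receiver that checks authenticity first, then freshness."""

    def __init__(self, keys):
        self.keys = dict(keys)      # node_id -> key shared with that node
        self.last_counter = {}      # node_id -> highest counter accepted so far

    def accept(self, packet):
        """Return (True, payload) or (False, reason)."""
        if len(packet) < HEADER.size + MAC_LEN:
            return False, "too short"
        body, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
        node_id, counter = HEADER.unpack_from(body)
        key = self.keys.get(node_id)
        if key is None:
            return False, "unknown sender"
        # Authenticity: constant-time comparison of the truncated tag. This runs
        # before the freshness check so that a forged packet can never advance
        # the stored counter and thereby block the legitimate sender.
        expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "bad MAC"
        # Freshness: the counter must strictly exceed the last accepted value,
        # so a captured packet, even one with a valid MAC, cannot be replayed.
        if counter <= self.last_counter.get(node_id, -1):
            return False, "replay"
        self.last_counter[node_id] = counter
        return True, body[HEADER.size:]


def demo():
    """Constructed exchange: one honest packet, a replay, a tampered copy,
    a stale packet with a valid MAC, and the sender's next packet."""
    key = b"constructed-placeholder-key"   # shared key for node 7 (constructed)
    rx = Receiver({7: key})
    pkt = make_packet(key, 7, 1, b"\x01\x2c")            # reading 0x012c = 300
    first = rx.accept(pkt)
    replay = rx.accept(pkt)                               # same packet again
    tampered = bytearray(pkt)
    tampered[HEADER.size] ^= 0x01                         # flip one payload bit
    altered = rx.accept(bytes(tampered))
    stale = rx.accept(make_packet(key, 7, 0, b"\x00"))    # valid MAC, old counter
    nxt = rx.accept(make_packet(key, 7, 2, b"\x01\x2d"))
    return first, replay, altered, stale, nxt


if __name__ == "__main__":
    for name, result in zip(("first", "replay", "altered", "stale", "next"), demo()):
        print(f"{name:8s}: {result}")
```

Because freshness is tied to the counter rather than to the key, a packet captured under an old key is still rejected as a replay after a key refresh, provided the receiver keeps its counter state across the refresh.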

4. Security Vulnerabilities in WSNs


Wireless Sensor Networks are vulnerable to various types of attacks. These attacks are
mainly of three types (Shi et al., 2004):
(i) Attacks on network availability: attacks on the availability of a WSN are often referred to as DoS
attacks.
(ii) Attacks on secrecy and authentication: standard cryptographic techniques can protect the
secrecy and authenticity of communication channels from outsider attacks such as
eavesdropping, packet replay attacks, and modification or spoofing of packets.
(iii) Stealthy attack against service integrity: in a stealthy attack, the goal of the attacker is to
make the network accept a false data value. For example, an attacker compromises a sensor
node and injects a false data value through that sensor node.
In these attacks, keeping the sensor network available for its intended use is essential. DoS
attacks against WSNs may permit real-world damage to the health and safety of people
(Wood et al., 2002). The DoS attack usually refers to an adversary’s attempt to disrupt,
subvert, or destroy a network. However, a DoS attack can be any event that diminishes or
eliminates a network’s capacity to perform its expected functions (Wood et al., 2002).

4.1 Denial of Service Attacks


Wood and Stankovic have defined a DoS attack as an event that diminishes or attempts to
reduce a network’s capacity to perform its expected function (Wood et al., 2002). There are
several standard techniques existing in the literature to cope with some of the more common
denial of service attacks, although in a broader sense, development of a generic defense
mechanism against DoS attacks is still an open problem. Moreover, most of the defense
mechanisms require high computational overhead and hence not suitable for resource-
constrained WSNs. Since DoS attacks in WSNs can sometimes prove very costly, researchers
have spent a great deal of effort in identifying various types of such attacks, and devising
strategies to defend against them. Some of the important types of DoS attacks at different
layers of WSNs are discussed below:
(a) Physical layer attacks: The physical layer is responsible for frequency selection, carrier
frequency generation, signal detection, modulation, and data encryption (Akyildiz et al.,
2002). As with any radio-based medium, the possibility of jamming is there. The nodes in
WSNs may be deployed in hostile or insecure environments, where an attacker has
physical access. Two types of attacks at the physical layer are (i) jamming and (ii) tampering.
(i) Jamming: it is a type of attack which interferes with the radio frequencies that the nodes
use in a WSN for communication (Wood et al., 2002; Shi et al., 2004). A jamming source may
be powerful enough to disrupt the entire network. Even with less powerful jamming
sources, an adversary can potentially disrupt communication in the entire network by
strategically distributing the jamming sources. Even an intermittent jamming may prove
detrimental as the message communication in a WSN may be extremely time-sensitive
(Wood et al., 2002).

(ii) Tampering: sensor networks typically operate in outdoor environments. Due to their
unattended and distributed nature, the nodes in a WSN are highly susceptible to physical
attacks (Wang et al., 2004a). The physical attacks may cause irreversible damage to the
nodes. The adversary can extract cryptographic keys from the captured node, tamper with
its circuitry, modify the program codes, or even replace it with a malicious sensor (Wang et
al., 2005). It has been shown that sensor nodes such as MICA2 motes can be compromised in
less than one minute (Hartung et al., 2004).
(b) Link layer attacks: The link layer is responsible for multiplexing of data-streams, data
frame detection, medium access control, and error control (Akyildiz et al., 2002). Attacks at
this layer include purposefully created collisions, resource exhaustion, and unfairness in
allocation.
A collision occurs when two nodes attempt to transmit on the same frequency
simultaneously (Wood et al., 2002). When packets collide, they are discarded and need to be
retransmitted. An adversary may strategically cause collisions in specific packets such as ACK
control messages. A possible result of such collisions is the costly exponential back-off. The
adversary may simply violate the communication protocol, and continuously transmit
messages in an attempt to generate collisions. Repeated collisions can also be used by an
attacker to cause resource exhaustion (Wood et al., 2002). For example, a naïve link layer
implementation may continuously attempt to retransmit the corrupted packets. Unless these
retransmissions are detected early, the energy levels of the nodes would be exhausted
quickly. Unfairness is a weak form of DoS attack (Wood et al., 2002). An attacker may cause
unfairness by intermittently using the above link layer attacks. In this case, the adversary
causes degradation of real-time applications running on other nodes by intermittently
disrupting their frame transmissions.
(c) Network layer attacks: The network layer of WSNs is vulnerable to the different types of
attacks such as: spoofed routing information, selective packet forwarding, sinkhole, Sybil,
wormhole, blackhole, hello flood, Byzantine attack, information disclosure, resource
depletion attack, acknowledgment spoofing, routing table overflow, route poisoning,
rushing attack etc. These attacks are described briefly in the following:
(i) Spoofed routing information: the most direct attack against a routing protocol is to target the
routing information in the network. An attacker may spoof, alter, or replay routing
information to disrupt traffic in the network (Karlof et al., 2003). These disruptions include
creation of routing loops, attracting or repelling network traffic from selected nodes,
extending or shortening source routes, generating fake error messages, causing network
partitioning, and increasing end-to-end latency.
(ii) Selective forwarding: in a multi-hop network like a WSN, for message communication all
the nodes need to forward messages accurately. An attacker may compromise a node in
such a way that it selectively forwards some messages and drops others (Karlof et al., 2003).
(iii) Sinkhole: In a sinkhole attack, an attacker makes a compromised node look more
attractive to its neighbors by forging the routing information (Karlof et al., 2003; Wood et al.,
2002; Newsome et al., 2004). The result is that the neighbor nodes choose the compromised
node as the next-hop node to route their data through. This type of attack makes selective
forwarding very simple as all traffic from a large area in the network would flow through
the compromised node.
(iv) Sybil attack: it is an attack where one node presents more than one identity in a network.
It was originally described as an attack intended to defeat the objective of redundancy
mechanisms in distributed data storage systems in peer-to-peer networks (Douceur, 2002).
Newsome et al. describe this attack from the perspective of a WSN (Newsome et al., 2004).
In addition to defeating distributed data storage systems, the Sybil attack is also effective
against routing algorithms, data aggregation, voting, fair resource allocation, and foiling
misbehavior detection. Regardless of the target (voting, routing, aggregation), the Sybil
algorithm functions similarly. All of the techniques involve utilizing multiple identities. For
instance, in a sensor network voting scheme, the Sybil attack might utilize multiple
identities to generate additional “votes”. Similarly, to attack the routing protocol, the Sybil
attack would rely on a malicious node taking on the identity of multiple nodes, and thus
routing multiple paths through a single malicious node.
(v) Wormhole: a wormhole is a low-latency link between two portions of a network over which
an attacker replays network messages (Karlof et al., 2003). The attacker receives packets at
one location in the network, and tunnels them to another location in the network, where the
packets are resent into the network. The tunnel between the two colluding attackers is
known as the wormhole. This link may be established either by a single node forwarding
messages between two adjacent but otherwise non-neighboring nodes or by a pair of nodes
in different parts of the network communicating with each other. The latter case is closely
related to the sinkhole attack, as an attacking node near the base station can provide a one-hop
link to that base station via the other attacking node in a distant part of the network. Due to
the broadcast nature of the radio channel, the attacker can create a wormhole link even for
packets which are not addressed to it. If proper security mechanisms are not deployed to
defend against such attacks, routing in WSN may be impossible.
(vi) Blackhole and Grayhole: in this attack, a malicious node falsely advertises good paths (e.g.
the shortest path or the most stable path) to the destination node during the path-finding
process (in reactive routing protocols), or in the route update messages (in proactive
routing protocols). The intention of the malicious node could be to hinder the path-finding
process or to intercept all data packets being sent to the destination node concerned. A
more delicate form of this attack is known as the grayhole attack, where the malicious node
intermittently drops the data packets thereby making its detection even more difficult.
(vii) Hello flood: most of the protocols that use Hello packets make the naïve assumption that
receiving such a packet implies that the sender is within the radio range of the receiver. An
attacker may use a high-powered transmitter to fool a large number of nodes and make
them believe that they are within its neighborhood (Karlof et al., 2003). Subsequently, the
attacker node falsely broadcasts a shorter route to the base station, and all the nodes which
received the Hello packets attempt to transmit to the attacker node. However, these nodes
are out of the radio range of the attacker.
(viii) Byzantine attack: in this attack, a compromised node or a set of compromised nodes
works in collusion and carries out attacks such as creating routing loops, forwarding packets
in non-optimal routes, and selectively dropping packets (Awerbuch et al., 2002). Byzantine
attacks are very difficult to detect, since under such attacks the networks usually do not
exhibit any abnormal behavior.
(ix) Information disclosure: a compromised node may leak confidential or important
information to unauthorized nodes in the network. Such information may include
information regarding the network topology, geographic location of nodes, or optimal
routes to authorized nodes in the network.

(x) Resource depletion attack: in this type of attack, a malicious node tries to deplete resources
of other nodes in the network. The typical resources that are targeted are: battery power,
bandwidth, and computational power. The attacks could be in the form of unnecessary
requests for routes, very frequent generation of beacon packets, or forwarding of stale
packets to other nodes.
Acknowledgment spoofing: some routing algorithms for WSNs require transmission of
acknowledgment packets. An attacking node may overhear packet transmissions from its
neighboring nodes and spoof the acknowledgments thereby providing false information to
the nodes (Karlof et al., 2003). In this way, the attacker is able to disseminate wrong
information about the status of the nodes.
(xi) Attacks on routing protocols: most of the routing protocols for WSNs are vulnerable to
various types of attacks. Some of these attacks are listed below.
• Routing table overflow: in this type of attack, an adversary node advertises routes to
non-existent nodes, to the authorized node present in the network. The main
objective of such an attack is to cause an overflow of the routing tables, which would
in turn prevent the creation of entries corresponding to new routes to authorized
nodes. Proactive routing protocols are more vulnerable to this attack compared to
reactive routing protocols.
• Routing table poisoning: in this case, the compromised nodes in the network send
fictitious routing updates or modify genuine route update packets sent to other
honest nodes. Routing table poisoning may result in sub-optimal routing, congestion
in some portions of the network, or even make some parts of the network
inaccessible.
• Packet replication: in this attack, an adversary node replicates stale packets. This
consumes additional bandwidth and battery power and other resources available to
the nodes and also causes unnecessary confusion in the routing process.
• Route cache poisoning: in reactive (i.e. on-demand) routing protocols such as ad hoc
on-demand distance vector (AODV) (Perkins et al., 1999), each node maintains a
route cache which holds information regarding routes that have become known to
the node in the recent past. Similar to routing table poisoning, an adversary can also
poison the route cache to achieve similar objectives.
• Rushing attack: on-demand routing protocols that use duplicate suppression during the
route discovery process are vulnerable to this attack (Hu et al., 2003b). An adversary
node which receives a route request packet from the source node floods the packet
quickly throughout the network before other nodes which also receive the same
route request packet can react. Nodes that receive the legitimate route request packets
assume those packets to be duplicates of the packet already received through the
adversary node and hence discard those packets. Any route discovered by the source
node would contain the adversary node as one of the intermediate nodes. Hence, the
source node would not be able to find secure routes, that is, routes that do not
include the adversary node. It is extremely difficult to detect such attacks in WSNs.
(d) Transport layer attacks: The attacks that can be launched on the transport layer in a
WSN are flooding attack and de-synchronization attack.
(i) Flooding: Whenever a protocol is required to maintain state at either end of a connection,
it becomes vulnerable to memory exhaustion through flooding (Wood et al., 2002). An
attacker may repeatedly make new connection requests until the resources required by each

connection are exhausted or reach a maximum limit. In either case, further legitimate
requests will be ignored.
(ii) De-synchronization: De-synchronization refers to the disruption of an existing connection
(Wood et al., 2002). An attacker may, for example, repeatedly spoof messages to an end host
causing the host to request the retransmission of missed frames. If timed correctly, an
attacker may degrade or even prevent the ability of the end hosts to successfully exchange
data causing them instead to waste energy attempting to recover from errors which never
really exist. The possible DoS attacks and the corresponding countermeasures are listed in
Table 1.

Layer      Attacks                               Defense
Physical   Jamming                               Spread-spectrum, priority messages, lower duty cycle,
                                                 region mapping, mode change
Link       Collision                             Error-correction code
           Exhaustion                            Rate limitation
           Unfairness                            Small frames
Network    Spoofed routing information &         Egress filtering, authentication, monitoring
           selective forwarding
           Sinkhole                              Redundancy checking
           Sybil                                 Authentication, monitoring, redundancy
           Wormhole                              Authentication, probing
           Hello flood                           Authentication, packet leashes by using geographic
                                                 and temporal info
           Ack. flooding                         Authentication, bi-directional link authentication
                                                 verification
Transport  Flooding                              Client puzzles
           De-synchronization                    Authentication
Table 1. Various attacks on WSNs and their countermeasures (Wang et al., 2006)

4.2 Attacks on Secrecy and Authentication


There are different types of attacks under this category as discussed below.
(i) Node replication attack: In a node replication attack, an attacker attempts to add a node to
an existing WSN by replicating (i.e. copying) the node identifier of an already existing node
in the network (Parno et al., 2005). A node replicated and joined in the network in this
manner can potentially cause severe disruption in message communication in the WSN by
corrupting and forwarding the packets in wrong routes. This may also lead to network
partitioning, communication of false sensor readings etc. In addition, if the attacker gains
physical access to the entire network, it is possible for him to copy the cryptographic keys
and use these keys for message communication from the replicated node. The attacker can
also place the replicated node in strategic locations in the network so that he could easily
manipulate a specific segment of the network, possibly causing a network partitioning.
(ii) Attacks on privacy: Since WSNs are capable of automatic data collection through efficient
and strategic deployment of sensors, these networks are also vulnerable to potential abuse

of these vast data sources. Privacy preservation of sensitive data in a WSN is a particularly
difficult challenge (Gruteser et al., 2003). Moreover, an adversary may gather seemingly
innocuous data to derive sensitive information if he knows how to aggregate data collected
from multiple sensor nodes. This is analogous to the panda hunter problem, where the hunter
can accurately estimate the location of the panda by monitoring the traffic (Ozturk et al.,
2004).
The privacy preservation in WSNs is even more challenging since these networks make
large volumes of information easily available through remote access mechanisms. Since the
adversary need not be physically present to carry out the surveillance, the information
gathering process can be done anonymously with a very low risk. In addition, remote access
allows a single adversary to monitor multiple sites simultaneously (Chan et al., 2003a).
Following are some of the common attacks on sensor data privacy (Gruteser et al., 2003,
Chan et al., 2003a):
(iii) Eavesdropping and passive monitoring: This is the most common and the easiest form of
attack on data privacy. If the messages are not protected by cryptographic mechanisms, the
adversary could easily understand the contents. Packets containing control information in a
WSN convey more information than is accessible through the location server, so eavesdropping
on these messages proves more effective for an adversary.
(iv) Traffic analysis: In order to make an effective attack on privacy, eavesdropping should be
combined with a traffic analysis. Through an effective analysis of traffic, an adversary can
identify some sensor nodes with special roles and activities in a WSN. For example, a
sudden increase in message communication between certain nodes signifies that those
nodes have some specific activities and events to monitor. Deng et al. have demonstrated
two types of attacks that can identify the base station in a WSN without even understanding
the contents of the packets being analyzed in traffic analysis (Deng et al., 2004).
(v) Camouflage: An adversary may compromise a sensor node in a WSN and later on use that
node to masquerade as a normal node in the network. This camouflaged node then may
advertise false routing information and attract packets from other nodes for further
forwarding. After the packets start arriving at the compromised node, it starts forwarding
them to strategic nodes where privacy analysis on the packets may be carried out
systematically.
It may be noted from the above discussion that WSNs are vulnerable to a number of attacks
at all layers of the TCP/IP protocol stack. However, as pointed out by authors in (Perrig et
al., 2004), there may be other types of attacks possible which are not yet identified. Securing
a WSN against all these attacks may be quite a challenging task.

5. Network Layer Defense on DoS Attacks


A countermeasure against spoofing and alteration is to append a message authentication code
(MAC) after the message. By adding a MAC to the message, the receivers can verify whether
the messages have been spoofed or altered. To defend against replayed information,
counters or time-stamps may be introduced in the messages (Perrig et al., 2002). A possible
defense against selective forwarding attack is using multiple paths to send data (Karlof et
al., 2003). A second defense is to detect the malicious node or assume it has failed and seek
an alternative route.

Hu et al. have proposed a novel and generic mechanism called packet leashes for detecting
and defending against wormhole attacks (Hu et al., 2004b). As mentioned in Section 4.1, in a
wormhole attack, a malicious node eavesdrops on a series of packets, then tunnels them
through a path in the network, and replays them. This is done in order to make a false
representation of the distance between the two colluding nodes. It is also used, more
generally, to disrupt the routing protocol by misleading the neighbor discovery process
(Karlof et al., 2003). Hu et al. have presented a mechanism that employs directional antenna
to combat wormhole attack (Hu et al., 2004a). Wang and Bhargava have used a visualization
approach to detect wormholes in a WSN (Wang et al., 2004b). In the mechanism proposed
by the authors, a distance estimation is made between all the sensor nodes in a
neighborhood. Using multi-dimensional scaling, a virtual layout of the network is then
computed, and a surface smoothing strategy is used to adjust the round-off errors. Finally,
the shape of the resulting virtual network is analyzed. If any wormhole exists, the shape of
the network will bend and curve towards the wormhole, otherwise the network will appear
flat.
To defend against flooding DoS attack at the transport layer, Aura et al. have proposed a
mechanism using client puzzles (Aura et al., 2001). The main idea is that each connecting
client should demonstrate its commitment to the connection by solving a puzzle. As an
attacker, in all likelihood, does not have infinite resources, it will be impossible for him to
create new connections fast enough to cause resource starvation on the serving node.
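A client puzzle in the sense of Aura et al., written here as an added example (not code from the chapter or from that paper): the serving node issues a random nonce, the client must find a value whose SHA-256 image together with the nonce has a given number of leading zero bits, and the server checks the answer with a single hash. The puzzle format, the difficulty constant and the class and function names are assumptions made for this illustration.

```python
import hashlib
import os

# Added example, not code from the chapter or from Aura et al.: a hash-based
# client puzzle. The puzzle format (find x such that SHA-256(nonce || x) has k
# leading zero bits) and the parameter names are assumptions for illustration.

DIFFICULTY_BITS = 12  # assumed: a client spends about 2**12 hashes per connection


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(nonce: bytes, x: int) -> bytes:
    return hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()


def solve_puzzle(nonce: bytes, k: int) -> int:
    """Client side: brute-force the smallest x whose hash has k leading zero bits.
    The expected cost is 2**k hashes; the server's check below costs one hash."""
    x = 0
    while leading_zero_bits(puzzle_hash(nonce, x)) < k:
        x += 1
    return x


def verify_solution(nonce: bytes, k: int, x: int) -> bool:
    """Server side: a single hash decides whether the client did the work."""
    if not 0 <= x < 2 ** 64:
        return False
    return leading_zero_bits(puzzle_hash(nonce, x)) >= k


class PuzzleServer:
    """Serving node: hands out single-use nonces and allocates connection
    state only after a valid solution arrives. Each nonce is consumed on its
    first valid use, so a solved puzzle cannot be replayed to open a second
    connection."""

    def __init__(self, difficulty: int = DIFFICULTY_BITS):
        self.difficulty = difficulty
        self.outstanding = set()   # nonces issued but not yet solved
        self.connections = 0       # state allocated only for solved puzzles

    def issue(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def accept(self, nonce: bytes, x: int) -> bool:
        if nonce not in self.outstanding:
            return False
        if not verify_solution(nonce, self.difficulty, x):
            return False
        self.outstanding.discard(nonce)
        self.connections += 1
        return True
```

With a twelve-bit difficulty a legitimate client spends a few thousand hashes per connection, while an attacker opening connections at flood rate has to pay that cost for every one of them before the server commits any memory; because each nonce is consumed on first use, a solved puzzle also cannot be reused to open further connections.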
A possible defense against de-synchronization attack on the transport layer is to enforce a
mandatory requirement of authentication of all packets communicated between nodes
(Wood et al., 2002). If the authentication mechanism is secure, an attacker will be unable to
send any spoofed messages to any destination node.
Some mechanisms for secure multicasting and broadcasting in WSNs are discussed in the
following sub-section.

6. Secure Broadcasting and Multicasting Protocols for WSNs


Multicasting and broadcasting techniques are used primarily to reduce the communication
and management overhead of sending a single message to multiple receivers. In order to
ensure that only legitimate group members receive the multicast and broadcast
communication, appropriate authentication and encryption mechanisms must be in place.
To handle this problem, several key management schemes have been devised: centralized
group key management protocols, decentralized key management protocols, and
distributed key management protocols (Rafaeli et al., 2003). First, we will discuss some
generic security mechanisms for multicast and broadcast communication in wireless
networks. Then we will present some of the well-known propositions specific to WSNs.
In the case of the centralized group key management protocols, a central authority is used to
maintain the group. Decentralized management protocols, however, divide the task of
group management amongst multiple nodes. In distributed key management protocols, the
key management activity is distributed among a set of nodes rather than on a single node. In
some cases, the entire group of nodes is responsible for key management (Rafaeli et al.,
2003).
An efficient way to distribute keys in a network is to use a logical key tree. Such techniques
essentially fall under the category of centralized key management protocols. Some schemes

have been developed for WSNs based on logical key tree technique (Di Pietro et al., 2003;
Lazos et al., 2002; Lazos et al., 2003). While centralized solutions are not always the most
efficient ones, these mechanisms may sometimes be very effective for WSNs, as relatively
heavier computations can be usually carried out in powerful base stations.
Di Pietro et al. have proposed a directed diffusion-based multicast mechanism for WSNs
that utilizes a logical key hierarchy (Di Pietro et al., 2003). In the logical hierarchy, a central
key distributor is at the root of a tree, and the nodes in the network are at the leaf level. The
internal nodes of the tree contain keys that are used in the re-keying process. The directed
diffusion is an energy-efficient data dissemination technique for WSNs (Intanagonwiwat et
al., 2000). In directed diffusion, a query is transformed into an interest and then diffused
throughout the network. The source node then starts collecting data from the network based
on the propagated interest. The dissemination technique also sets up certain gradients
designed to draw events toward the interest. The collected data is then sent back to the
source along the reverse path of the interest propagation. The directed diffusion-based
logical key hierarchy scheme as proposed by Di Pietro et al. allows nodes to join and leave
groups. The key hierarchy is used to effectively re-establish keys for the nodes below the
node that has left the group. When a node declares its intention to join a group, a key set is
generated for the new node based on the keys within the existing key hierarchy.
Kaya et al. discuss the problem of multicast group management in (Kaya et al., 2003). In
their proposition, the nodes in a network are grouped based on their locality and a security
tree is constructed on the groups.
Lazos and Poovendran have presented a tree-based key distribution scheme that is similar
to the directed diffusion-based logical key hierarchy proposed by Di Pietro et al. (Lazos et
al., 2003). In their proposed scheme, a routing-aware tree is constructed in which the leaf
nodes are assigned keys based on all relay nodes above them. As the scheme takes
advantage of routing information for constructing the key hierarchy, it is more energy-
efficient than routing schemes that arbitrarily arrange nodes into a routing tree. The authors
have also proposed a greedy routing-aware key distribution algorithm.
In (Lazos et al., 2003), the authors have proposed a mechanism that uses geographic location
information (e.g. GPS data) for construction of a logical key hierarchy for secure multicast
communication. The nodes, based on the geographical location information, are grouped
into different clusters. The nodes within a cluster are able to reach each other with a single
hop communication. Using the cluster information, a key hierarchy is constructed in a
manner similar to that proposed in (Lazos et al., 2002).
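As an added example of the logical key tree technique described in this section (not the chapter's code, nor that of Di Pietro et al. or Lazos and Poovendran): a binary logical key hierarchy kept at a key distribution center, with re-keying of the path when a member leaves so that the departed node can no longer read group traffic. The heap-style node numbering, the simplified key wrapping (XOR with an HMAC-derived pad in place of a real cipher) and all names are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not code from the chapter or from Di Pietro et al.: a binary
# logical key hierarchy (LKH) with re-keying when a member leaves, the building
# block of the centralized schemes discussed above. Node numbering, the key
# wrapping construction (XOR with an HMAC-derived pad, standing in for a real
# cipher) and all names are assumptions for illustration.

KEY_LEN = 16


def wrap(kek: bytes, key: bytes) -> bytes:
    """Wrap `key` under the key-encryption key `kek` (simplified construction)."""
    pad = hmac.new(kek, b"lkh-wrap", hashlib.sha256).digest()[:KEY_LEN]
    return bytes(a ^ b for a, b in zip(key, pad))


unwrap = wrap  # XOR with the same pad undoes the wrap


class KeyTree:
    """Key distribution center (e.g. the base station) holding the full tree.
    Heap numbering: root is 1, children of n are 2n and 2n+1, and member m
    sits at leaf 2**depth + m."""

    def __init__(self, depth: int):
        self.depth = depth
        self.keys = {n: os.urandom(KEY_LEN) for n in range(1, 2 ** (depth + 1))}

    def leaf(self, member: int) -> int:
        return (1 << self.depth) + member

    def path(self, member: int) -> list:
        """Node ids from the member's leaf up to the root."""
        nodes, n = [], self.leaf(member)
        while n >= 1:
            nodes.append(n)
            n //= 2
        return nodes

    def join(self, member: int) -> dict:
        """Give a joining member its leaf key and every key on its path.
        (Re-keying the path on join, for backward secrecy, is omitted here.)"""
        self.keys.setdefault(self.leaf(member), os.urandom(KEY_LEN))
        return {n: self.keys[n] for n in self.path(member)}

    def leave(self, member: int) -> list:
        """Replace every key on the leaving member's path, bottom-up, and return
        the re-key messages (node, child, wrapped_new_key) to broadcast. Each new
        key is wrapped under both children's keys; the departed leaf's key is
        retired first, so nothing is ever wrapped under a key the leaver holds."""
        path = self.path(member)
        del self.keys[path[0]]
        messages = []
        for node in path[1:]:
            new_key = os.urandom(KEY_LEN)
            for child in (2 * node, 2 * node + 1):
                if child in self.keys:
                    messages.append((node, child, wrap(self.keys[child], new_key)))
            # stored after wrapping: the parent, handled next, wraps under this new key
            self.keys[node] = new_key
        return messages


class Member:
    """A group member knows only the keys on its own path."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)

    def process(self, messages: list) -> None:
        """A member can unwrap exactly the messages wrapped under a key it holds."""
        for node, child, wrapped in messages:
            if child in self.keys:
                self.keys[node] = unwrap(self.keys[child], wrapped)

    def group_key(self) -> bytes:
        return self.keys[1]


def demo(depth: int = 3, leaver: int = 5):
    """Form a full group, let one member leave, and return (tree, members, messages)."""
    tree = KeyTree(depth)
    members = {m: Member(tree.join(m)) for m in range(2 ** depth)}
    messages = tree.leave(leaver)
    for m in members.values():
        m.process(messages)
    return tree, members, messages
```

The re-key cost is what makes the tree attractive for WSNs: a departure from a group of 2^d members costs 2d - 1 short messages computed at the base station instead of a fresh key unicast to every remaining member, and each remaining node unwraps only one message at the level where its path meets the leaver's path plus one per level above it. The departed member still holds its old path keys, but every new key is wrapped either under a sibling key it never had or under a new key it cannot obtain.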

7. Secure Routing Protocols for WSNs


Many routing protocols have been proposed for WSNs. These protocols can be divided into
three broad categories according to the network structure: (i) flat-based routing, (ii)
hierarchical-based routing, and (iii) location-based routing (Al-Karaki et al., 2004). In flat-
based routing, all nodes are typically assigned equal roles or functionality. In hierarchical-
based routing, nodes play different roles in the network. In location-based routing, sensor
node positions are used to route data in the network. One common location-based routing
protocol is GPSR (Karp et al., 2000). It allows nodes to send packets to a region rather than
to a particular node. All these routing protocols are vulnerable to various types of attacks
such as selective forwarding, sinkhole attack, etc., as mentioned in Section 4. An elaborate

discussion on various types of attacks on the routing protocols in WSNs is given in (Karlof
et al., 2003).
The goal of a secure routing protocol for a WSN is to ensure the integrity, authentication,
and availability of messages. Most of the existing secure routing algorithms for WSNs are
based on symmetric key cryptography except the work in (Du et al., 2005), which is based
on public key cryptography. In the following sub-sections, some of the existing secure
routing protocols for WSNs are discussed in detail.

7.1 Micro TESLA Protocol


The “micro” version of the Timed, Efficient, Streaming, Loss-tolerant Authentication (μTESLA)
protocol (Perrig et al., 2002) and its extensions (Liu et al., 2003; Liu et al. 2004) have been
proposed to provide broadcast authentication for sensor networks. μTESLA is a broadcast
authentication mechanism which was proposed by Perrig et al. for the SPINS protocol
(Perrig et al., 2002). μTESLA introduces asymmetry through a delayed disclosure of
symmetric keys resulting in an efficient broadcast authentication scheme. For its operation,
it requires the base station and the sensor nodes to be loosely synchronized. In addition,
each node must know an upper bound on the maximum synchronization error.
To send an authenticated packet, the base station simply computes a MAC on the packet
with a key that is secret at that point of time. When a node gets a packet, it can verify that
the corresponding MAC key was not yet disclosed by the base station. Because a receiving
node is assured that the MAC key is known only to the base station, the receiving node is
assured that no adversary could have altered the packet in transit. The node stores the
packet in a buffer. At the time of key disclosure, the base station broadcasts the verification
key to all its receivers. When a node receives the disclosed key, it can easily verify the
correctness of the key. If the key is correct, the node can now use it to authenticate the
packet stored in its buffer.
Each MAC key is a key from the key chain, generated by a public one-way function F. To
generate the one-way key chain, the sender chooses the last key Kn from the chain, and
repeatedly applies F to compute all other keys: Ki = F(Ki+1).

Fig. 1. Time-released key chain for source authentication (Wang et al. 2006)

Fig. 1 shows an example of μTESLA. The receiver node is loosely time synchronized and
knows K0 in an authenticated way. Packets P1 and P2 sent in interval 1 contain a MAC with a
key K1. Packet P3 has a MAC using key K2. If P4, P5, and P6 are all lost, as well as the packet
that disclosed the key K1, the receiver cannot authenticate P1, P2, and P3. In interval 4, the
base station broadcasts the key K2, which the nodes authenticate by verifying K0 = F(F(K2)),
and hence know also K1 = F(K2), so they can authenticate packets P1, P2 with K1, and P3 with
K2. SPINS limits the broadcasting capability to only the base station. If a node wants to

broadcast authenticated data, the node has to broadcast the data through the base station.
The data is first sent to the base station in an authenticated way. It is then broadcasted by
the base station.
To bootstrap a new receiver, μTESLA depends on a point-to-point authentication
mechanism in which a receiver sends a request message to the base station and the base
station replies with a message containing all the necessary parameters. It may be noted that
μTESLA requires the base station to unicast initial parameters to individual sensor nodes,
and thus incurs a long delay to boot up a large-scale sensor network. Liu and Ning have
proposed a multi-level key chain scheme for broadcast authentication to overcome this
deficiency (Liu et al., 2003; Liu et al. 2004).
The basic idea in (Liu et al., 2003; Liu et al., 2004) is to predetermine and broadcast the initial
parameters required by μTESLA instead of using unicast-based message transmission. The
simplest way is to pre-distribute the μTESLA parameters with a master key during the
initialization of the sensor nodes. As a result, all sensor nodes have the key chain
commitments and other necessary parameters once they are initialized, and are ready to use
μTESLA as long as the starting time has passed. Furthermore, the authors have introduced a
multi-level key chain scheme, in which the higher key chains are used to authenticate the
commitments of the lower-level ones. However, the multi-level key chain suffers from
possible DoS attacks during commitment distribution stage. Further, none of the μTESLA or
multi-level key chain schemes is scalable in terms of the number of senders. In (Liu et al.,
2005b), a practical broadcast authentication protocol has been proposed to support a
potentially large number of broadcast senders using μTESLA as a building block.
μTESLA provides broadcast authentication for base stations, but is not suitable for local
broadcast authentication. This is because μTESLA does not provide immediate
authentication. For every received packet, a node has to wait for one μTESLA interval to
receive the MAC key used in computing the MAC for the packet. As a result, if μTESLA is
used for local broadcast authentication, a message traversing l hops will take at least l
μTESLA intervals to arrive at the destination. In addition, a sensor node has to buffer all
unverified packets. Both the latency and the storage requirements limit the scheme for
authenticating infrequent messages broadcast by the base station. Zhu et al. have
proposed a one-way key chain scheme for one-hop broadcast authentication (Zhu
et al., 2004b). The mechanism is known as LEAP. In this scheme, every node
generates a one-way key chain of certain length and then transmits the
commitment (i.e., first key) of the key chain to each neighbor, encrypted with their
pair-wise shared key. Whenever a node has a message to send, it attaches to the
message the next authenticated key in the key chain. The authenticated keys are
disclosed in reverse order to their generation. A receiving neighbor can verify the
message based on the commitment or an authenticated key it received from the
sending node more recently.
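The key chain and delayed disclosure described in this subsection, as an added example (not code from the chapter, from SPINS or from LEAP) that replays the Fig. 1 scenario: F is modeled as truncated SHA-256, the MAC as HMAC-SHA256, and a disclosure delay of two intervals is assumed, so K1 (the MAC key of interval 1) would be disclosed in interval 3 and K2 in interval 4; all class and function names are illustrative. The chain construction, with K0 handed out as the commitment, is also the one-way key chain that LEAP has every node generate for one-hop broadcast authentication.

```python
import hashlib
import hmac
import os

# Added example, not code from the chapter or from SPINS/LEAP: a μTESLA-style
# one-way key chain with delayed key disclosure, replaying the Fig. 1 scenario.
# F is modeled as truncated SHA-256, the MAC as HMAC-SHA256, and a disclosure
# delay of two intervals is assumed; all names are illustrative.


def F(key: bytes) -> bytes:
    """Public one-way function used to derive K_i from K_{i+1}."""
    return hashlib.sha256(key).digest()[:16]


def make_chain(n: int, k_n: bytes = None) -> list:
    """Return [K0, K1, ..., Kn] with K_i = F(K_{i+1}); K0 is the commitment."""
    chain = [k_n or os.urandom(16)]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]


def mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]


class BaseStation:
    def __init__(self, intervals: int, delay: int = 2):
        self.chain = make_chain(intervals)
        self.delay = delay  # key of interval i is disclosed in interval i + delay

    def commitment(self) -> bytes:
        return self.chain[0]

    def send(self, interval: int, payload: bytes) -> dict:
        """MAC the packet with the still-secret key of the current interval."""
        return {"interval": interval, "payload": payload,
                "mac": mac(self.chain[interval], payload)}

    def disclose(self, now: int) -> dict:
        """In interval `now`, disclose the key of interval now - delay."""
        j = now - self.delay
        return {"interval": j, "key": self.chain[j]} if j >= 1 else None


class SensorNode:
    def __init__(self, commitment: bytes, delay: int, sync_error: int = 0):
        self.known = {0: commitment}   # authenticated keys, by interval index
        self.delay = delay
        self.sync_error = sync_error   # upper bound on clock error, in intervals
        self.buffer = []
        self.authenticated = []

    def receive(self, pkt: dict, now: int) -> bool:
        """Security condition: buffer the packet only if its key cannot have
        been disclosed yet, even under the worst-case clock error."""
        if now + self.sync_error < pkt["interval"] + self.delay:
            self.buffer.append(pkt)
            return True
        return False

    def receive_key(self, disclosure: dict) -> bool:
        """Verify disclosed K_j by applying F back to the newest authenticated
        K_i; intermediate keys whose disclosures were lost are recovered too."""
        j, key = disclosure["interval"], disclosure["key"]
        i = max(self.known)
        if j <= i:
            return False
        derived, k = {j: key}, key
        for idx in range(j - 1, i - 1, -1):
            k = F(k)
            derived[idx] = k
        if not hmac.compare_digest(derived[i], self.known[i]):
            return False
        self.known.update(derived)
        self._authenticate_buffered()
        return True

    def _authenticate_buffered(self) -> None:
        pending = []
        for pkt in self.buffer:
            key = self.known.get(pkt["interval"])
            if key is None:
                pending.append(pkt)               # key still undisclosed
            elif hmac.compare_digest(mac(key, pkt["payload"]), pkt["mac"]):
                self.authenticated.append(pkt["payload"])
            # a MAC mismatch means the packet was forged or altered: drop it
        self.buffer = pending


def fig1_scenario():
    """P1, P2 (interval 1) and P3 (interval 2) arrive; the disclosure of K1 is
    lost; K2 arrives in interval 4 and authenticates all three packets."""
    bs = BaseStation(intervals=6, delay=2)
    node = SensorNode(bs.commitment(), delay=2)
    for pkt, now in ((bs.send(1, b"P1"), 1), (bs.send(1, b"P2"), 1), (bs.send(2, b"P3"), 2)):
        node.receive(pkt, now)
    ok = node.receive_key(bs.disclose(4))   # K2: node checks K0 == F(F(K2))
    return ok, node.authenticated, node
```

The receiver's security condition in receive() is what makes the scheme work: a packet is buffered only when, even with the worst-case clock error, the key for its interval cannot yet have been disclosed, and a packet arriving later is discarded because anyone who heard the disclosure could have computed its MAC. receive_key() also shows why losing the disclosure of K1 is harmless: K1 is recomputed as F(K2) on the way back to the commitment, which is the loss tolerance the name μTESLA refers to.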

7.2 Intrusion Tolerant Routing Protocol in WSNs


Deng et al. have proposed an intrusion tolerant routing protocol in wireless sensor networks
(INSENS) that adopts a routing-based approach to security in WSNs (Deng et al., 2002b). It
constructs routing tables in each node, bypassing malicious nodes in the network. The
protocol cannot totally rule out attacks on nodes, but it minimizes the damage caused to the

network. The computation, communication, storage, and bandwidth requirements at the
nodes are reduced, but at the cost of greater computation and communication at the base
station. To prevent DoS attacks, individual nodes are not allowed to broadcast to the entire
network. Only the base station is allowed to broadcast, and the base station is authenticated
using a one-way hash function so as to prevent a possible masquerading by a malicious
node. Control information pertaining to routing is authenticated by the base station in order
to prevent injection of false routing data. The base station computes and disseminates
routing tables, since it does not have computational and energy constraints. Even if an
intruder takes over a node and does not forward packets, INSENS uses redundant multi-
path routing, so that the destination can still be reached without passing through the malicious
node.
INSENS has two phases: route discovery and data forwarding. During the route discovery
phase, the base station sends a request message to all nodes in the network by multi-hop
forwarding. Any node receiving a request message records the identity of the sender and
sends the message to all its immediate neighbors if it has not already done so. Subsequent
request messages are used to identify the senders as neighbors, but repeated flooding is not
performed. The nodes respond with their local topology by sending feedback messages. The
integrity of the messages is protected using encryption by a shared key mechanism. A
malicious node can inflict damage only by not forwarding packets, but the messages are
sent through different neighbors, so it is likely that it reaches a node by at least one path.
Hence, the effect of malicious nodes is not totally eliminated, but it is restricted to only a few
downstream nodes in the worst case. Malicious nodes may also send spurious messages and
cause battery drain for a few downstream nodes. Finally, the base station calculates
forwarding tables for all nodes, with two independent paths for each node, and sends them
to the nodes. The second phase of data forwarding takes place based on the forwarding
tables computed by the base station.

7.3 Security Protocols for Sensor Networks


SPINS is a suite of security protocols optimized for sensor networks (Perrig et al., 2002).
SPINS includes two building blocks: (i) secure network encryption protocol (SNEP) and (ii)
μTESLA protocol. SNEP provides data confidentiality, two-party data authentication, and
data freshness for peer-to-peer communication (node to base station). μTESLA provides
authenticated broadcast as discussed already.
SPINS assumes that each node is pre-distributed with a master key K which is shared with
the base station at its time of creation. All the other keys, including a key Kencr for
encryption, a key Kmac for MAC generation, and a key Krand for random number generation
are derived from the master key using a strong one-way function. SPINS uses the RC5 block
cipher for confidentiality. If A wants to send a message to base station B, the complete message A
sends to B is:
A → B : {D}<Kencr, C>, MAC(Kmac, C | {D}<Kencr, C>)
In the above expression, D is the transmitted data and C is a shared counter between the
sender and the receiver for the block cipher in counter mode. The counter C is incremented
after each message is sent and received in both the sender and the receiver side. SNEP also
provides a counter exchange protocol to synchronize the counter value in both sides.
SNEP provides the following properties:

(i) Semantic security: the counter value is incremented after each message and thus the same
message is encrypted differently each time.
(ii) Data authentication: a receiver can be assured that the message originated from the
claimed sender if the MAC verification produces positive results.
(iii) Replay protection: the counter value in the MAC prevents replaying old messages by an
adversary.
(iv) Weak freshness: SPINS identifies two types of freshness. Weak freshness provides partial
message ordering and carries no delay information. Strong freshness provides a total order
on a request-response pair and allows delay estimation. In SNEP, the counter maintains a
message ordering in the receiver side and yields weak freshness. SNEP guarantees weak
freshness only, since there is no guarantee to node A that a message was created by node B
in response to an event in node A.
(v) Low communication overhead: the counter state is kept at each endpoint and need not be
sent in each message.

7.4 A Secure Protocol for Defending Cooperative Grayhole Attack


As mentioned in Section 4.1, blackhole and grayhole are two attacks that can severely
disrupt routing in WSNs. A blackhole attack typically has two phases. In the first phase, the
malicious node exploits the ad hoc routing protocol such as AODV (Perkins et al., 1999) to
advertise itself as having a valid route to a destination node, with the intention of
intercepting packets, even though the route is spurious. In the second phase, the attacker
node drops the intercepted packets without forwarding them.

Fig. 2. Network flooding by RREQ and propagation of RREP (Deng et al., 2002a)

In the standard AODV protocol, when the source node S (Fig. 2) wants to communicate with
the destination node D, the source node S broadcasts the route request (RREQ) packet. Each
neighboring active node updates its routing table with an entry for the source node S, and
checks if it is the destination node or whether it has the current route to the destination
node. If an intermediate node does not have the current route to the destination node, it
updates the RREQ packet by increasing the hop count and floods the network with the
RREQ to the destination node D until it reaches node D or any other intermediate node that
has the current route to D. The destination node D or any intermediate node that has the
current route to D, initiates a route reply (RREP) in the reverse direction. Node S starts
sending data packets to the neighboring node that responded first, and discards the other
responses. This works fine when the network has no malicious nodes.

In (Deng et al., 2002a), the authors have proposed a solution to identify and isolate a single
blackhole node. However, the security threat arising out of the situation where multiple
blackhole nodes act in coordination has not been addressed. For example, in Fig. 2, when
more than one blackhole nodes are acting in coordination with each other, the first black
hole node B1 refers to one of its partners B2 as the next hop. In the mechanism proposed in
(Deng et al., 2002a), the source node S sends further request (FRq) to B2 through a different
route (S24B2) other than via B1. Node S asks B2 if it has a route to node B1 and a route
to destination node D. Since B2 is cooperating with B1, its further reply (FRp) will be ‘yes’ to
both the queries. Node S starts sending the data packets assuming that the route SB1B2
is secure. However, in reality, the packets are intercepted and then dropped by the node B1
and the security of the network is compromised.
Sen et al. have proposed a security mechanism that can detect cooperative grayhole attacks
in a wireless ad hoc and sensor network (Sen et al., 2007b). As mentioned in Section 4.1,
detection of grayholes is more difficult than detection of blackholes since these nodes drop
packets intermittently and change their behavior frequently so as to avoid detection. In the
proposed mechanism, each node in the network collects the data forwarding information in
its neighborhood and stores it in a table known as the data routing information (DRI) table.

[Figure: nodes 1 to 9 with the RREQ broadcast and RREP replies drawn between them; the
initiator node (IN, node 7), the suspected node (SN, node 1) and the cooperative node (CN,
node 2) are marked]

Fig. 3. The topology of a wireless ad hoc and sensor network (Sen et al., 2007b)

The DRI table of node 7 in Fig. 3 is shown in Table 2. In its DRI table, node 7 maintains packet
routing information about its neighbor nodes 1, 2, 6, 8, and 9. An entry ‘1’ for a node under the
column ‘From’ implies that node 7 has forwarded data packets coming from that node, and an
entry ‘1’ for a node under the column ‘Through’ implies that node 7 has forwarded data
packets to that node. Thus, as per Table 2, node 7 has neither forwarded any data packet from
node 1 nor forwarded any data packet to node 1. However, node 7 has forwarded data
packets to node 2 and has also forwarded data packets that came from node 2. In this
way, each node constructs and maintains its DRI table. After a certain threshold time
interval, each node identifies the neighbors with which it has not interacted and invokes
subsequent detection procedures to probe them further. This identification is done on the
basis of the nodes that have ‘0’ entries in both the ‘From’ and ‘Through’ columns of the DRI
table. For example, as shown in Table 2, node 7 has not communicated with node 1. Therefore,
node 7 invokes the local anomaly detection procedure for node 1. The ‘RTS/CTS’ column
in the DRI table gives the ratio of the number of request to send (RTS) messages to the number
of clear to send (CTS) messages for the corresponding node. This gives a rough idea of the
number of requests arriving at the node for data communication versus the number of packet
transmissions that the node is actually performing. The significance of the column ‘CheckBit’
in the DRI table is discussed later in this section.

Node   From   Through   RTS/CTS   CheckBit
  1      0       0        15         0
  2      1       1         5         1
  6      0       1         3         0
  8      1       0         6         1
  9      0       1         4         0
Table 2. The DRI table of node 7 as depicted in Fig. 3 (Sen et al., 2007b)

The node that initiates the anomaly detection procedure is called the initiator node (IN). The
IN first chooses a cooperative node (CN) in its neighborhood based on its DRI records and
broadcasts a RREQ message to its 1-hop neighbors requesting a route to the CN. In reply
to this RREQ message the IN will receive a number of RREP messages from its neighboring
nodes. It will certainly receive a RREP message from the suspected node (SN) if the latter is
really a grayhole (since grayholes always send RREP messages but drop data packets
probabilistically). After receiving the RREP from the SN, the IN sends a probe packet to the
CN through the SN. After the time to live (TTL) value of the probe packet has expired, the IN
enquires of the CN whether it has received the probe packet. If the reply to this query is
affirmative (i.e., the probe packet was really received by the CN), the IN updates its DRI
table by making an entry ‘1’ under the column ‘CheckBit’ against the node ID of the SN.
However, if the probe packet is found not to have reached the CN, the IN increases its level
of suspicion about the SN and activates the cooperative anomaly detection procedure, as
discussed later in this section.
In Fig. 3, node 7 acts as the IN and initiates the local anomaly detection procedure for the SN
(node 1) and chooses node 2 as the CN. Node 2 is the most reliable node for node 7 as both
the entries under columns ‘From’ and ‘Through’ for node 2 are ‘1’. Node 7 broadcasts a
RREQ message to all its neighbor nodes 1, 2, 6, 8 and 9 requesting a route to the
CN, i.e., node 2 in the example. After receiving a RREP from the SN (node 1), node 7 sends a
probe packet to node 2 via node 1. Node 7 then asks node 2 whether it has received the
probe packet. If node 2 has received the probe packet, node 7 makes an entry ‘1’ under the
column ‘CheckBit’ in its DRI table in the row of node 1. If node 2 has not
received the probe packet, then node 7 invokes the cooperative anomaly detection
procedure. The objective of the cooperative anomaly detection is to increase the detection
reliability by reducing the probability of false detection.
The cooperative detection procedure is activated when an IN observes that the probe packet
it had sent to the CN through the SN did not reach the CN. The IN invokes the cooperative
detection procedure and sends a cooperative detection request message to all the neighbors
of the SN. When the neighbors of the SN receive the cooperative detection request message,
each of them sends a RREQ message to the SN requesting a route to the IN. After the SN
responds with a RREP message, each of the requesting nodes sends a ‘further probe packet’ to
the IN along that route. This route will obviously include the SN, as the SN is a neighbor of each
requesting node and of the IN as well. Each neighbor of the SN (except the IN) now notifies the
IN that a ‘further probe packet’ has already been sent to it. This notification message from each
neighbor is sent to the IN through routes that do not include the SN. This is necessary to
ensure that the SN is not aware of the on-going cross-checking process. The IN will
receive numerous ‘further probe packets’ and notification messages. The IN now constructs a
ProbeCheck table. The ProbeCheck table has two fields: NodeID and ProbeStatus. Under the
NodeID field, the IN enters the identifiers of the nodes that have sent notification
messages to it. An entry of ‘1’ is made under the column ‘ProbeStatus’ for the
nodes from which the IN has received the ‘further probe packet’.

NodeID   ProbeStatus
   2          0
   6          1
   8          1
   9          1

Table 3. The ProbeCheck table for node 7 (Sen et al., 2007b)

An example ProbeCheck table for node 7 of the network in Fig. 3 is presented in Table 3. It
may be observed that node 7 has received the ‘further probe packet’ from all the neighbors of
the SN (node 1) except node 2. It is possible that the probe packet was not maliciously
dropped by the SN but was instead lost because of a collision or buffer overflow. The
probability of a collision or buffer overflow at the SN can be estimated mathematically
(Sen et al., 2007a). However, to avoid complex mathematical computation, we propose a
simple mechanism in which each node sends three ‘further probe packets’ spaced by a small
time interval. If none of these three packets from a neighbor is received by the IN, the SN is
believed to be behaving like a grayhole for that node during that time. This grayhole
behavior may be exhibited towards a single node (as for node 2 in Table 3) or towards a
group of nodes.
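The two procedures above can be exercised end to end in a small simulation. The following is an added example, not code from Sen et al. or from this chapter: it encodes node 7's DRI table from Table 2, picks the suspect and the cooperative node by the ‘0’/‘1’ rules just described, sends the local probe through the suspect, and on failure runs the cooperative check with three further probes per neighbor to build the ProbeCheck table. The neighborhood of Fig. 3, the Honest and Grayhole behaviour classes and the grayhole's selective-drop policy (it drops data originating from nodes 2 and 7) are assumptions chosen so that the run reproduces Table 3.

```python
"""Local and cooperative grayhole detection with DRI tables (Sen et al.,
2007b), Section 7.4. Added example, not the authors' code: the
neighbourhood, the DRI values (Table 2) and the grayhole's selective-drop
policy are constructed so that the run reproduces Table 3."""
from dataclasses import dataclass

# Constructed neighbourhood of Fig. 3: only the links the procedure needs.
NEIGHBOURS = {
    7: {1, 2, 6, 8, 9},
    1: {2, 6, 7, 8, 9},   # the SN (node 1) is adjacent to every neighbour of the IN
}


@dataclass
class DRIEntry:
    frm: int            # 1: this node forwarded data that came from the neighbour
    through: int        # 1: this node forwarded data to the neighbour
    rts_cts: int        # ratio of RTS to CTS messages observed for the neighbour
    check_bit: int = 0  # 1 once a probe sent through the neighbour reached the CN


def dri_table_of_node_7():
    """Table 2 of the chapter, built fresh so that runs do not share state."""
    return {1: DRIEntry(0, 0, 15), 2: DRIEntry(1, 1, 5), 6: DRIEntry(0, 1, 3),
            8: DRIEntry(1, 0, 6), 9: DRIEntry(0, 1, 4)}


class Honest:
    def replies_rrep(self):
        return True

    def forwards(self, src):
        return True


class Grayhole(Honest):
    """Answers every RREQ with an RREP but drops data packets that originate
    from the nodes in `victims` (constructed selective-forwarding policy)."""
    def __init__(self, victims):
        self.victims = set(victims)

    def forwards(self, src):
        return src not in self.victims


def suspects(dri):
    """Neighbours with '0' under both From and Through after the threshold interval."""
    return sorted(n for n, e in dri.items() if e.frm == 0 and e.through == 0)


def choose_cn(dri):
    """The most reliable neighbour: '1' under both From and Through."""
    return min(n for n, e in dri.items() if e.frm == 1 and e.through == 1)


def local_anomaly_detection(inode, dri, sn, nodes):
    """The IN broadcasts an RREQ for the CN, gets the SN's RREP and sends a probe
    to the CN through the SN. Returns (cn, delivered): delivered is True and the
    CheckBit is set when the CN confirms receipt after the probe's TTL expires."""
    cn = choose_cn(dri)
    delivered = nodes[sn].replies_rrep() and nodes[sn].forwards(inode)
    if delivered:
        dri[sn].check_bit = 1
    return cn, delivered


def cooperative_anomaly_detection(inode, sn, nodes, probes=3):
    """Every neighbour of the SN except the IN sends `probes` further probe
    packets to the IN through the SN and notifies the IN over an SN-free route.
    The IN's ProbeCheck table marks ProbeStatus 1 for a neighbour if at least
    one of its probes arrived and 0 if all of them were lost."""
    probe_check = {}
    for nb in sorted(NEIGHBOURS[sn] - {inode}):
        arrived = any(nodes[sn].forwards(nb) for _ in range(probes))
        probe_check[nb] = 1 if arrived else 0
    return probe_check


def grayhole_victims(probe_check):
    """Nodes for which the SN behaved like a grayhole during the check."""
    return sorted(n for n, status in probe_check.items() if status == 0)


def run_detection(inode=7):
    """Runs both procedures from node 7's point of view; returns the updated
    DRI table and a ProbeCheck table for each suspect that failed the local probe."""
    dri = dri_table_of_node_7()
    # Constructed behaviour: node 1 is a grayhole dropping data from nodes 2 and 7.
    nodes = {n: Honest() for n in NEIGHBOURS[7] | {7}}
    nodes[1] = Grayhole(victims={2, 7})
    probe_checks = {}
    for sn in suspects(dri):
        _cn, delivered = local_anomaly_detection(inode, dri, sn, nodes)
        if not delivered:
            probe_checks[sn] = cooperative_anomaly_detection(inode, sn, nodes)
    return dri, probe_checks


if __name__ == "__main__":
    dri, checks = run_detection()
    for sn, table in checks.items():
        print(f"ProbeCheck table at node 7 for SN {sn}: {table}")
        print(f"SN {sn} behaves like a grayhole towards: {grayhole_victims(table)}")
```

With the constructed drop policy the local probe from node 7 is lost, the cooperative check yields ProbeStatus 0 for node 2 and 1 for nodes 6, 8 and 9, and the CheckBit for node 1 stays 0, which is exactly the state of Tables 2 and 3. Replacing the Grayhole with an Honest node makes the local probe succeed and sets the CheckBit without any cooperative round.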

7.5 A Secure and Energy-Efficient Routing Protocol for WSNs

To address the problem of security and efficiency in routing in WSNs, a scheme has been
proposed by Sen et al. that reliably identifies compromised (or faulty) nodes and utilizes a
routing path that avoids these nodes (Sen et al., 2010). The protocol utilizes a single-path
routing concept and thereby saves energy. The proposed protocol is a
modification of the routing scheme proposed in (Lee et al., 2006). However, it is more
energy-efficient and induces less delay.
The protocol is based on a robust neighborhood monitoring system (NMS). NMS works on
promiscuous monitoring of the neighborhood by a node and detection of any possible
malicious packet dropping attack by a cooperative algorithm using neighbor list checking (Sen
et al., 2010). The scheme ensures reliable hop-by-hop delivery of packets in a WSN even in the
presence of malicious nodes that may launch a packet-dropping attack on the routing path. To
defend against packet-dropping attacks, most existing algorithms exploit the concept of
multi-path routing, where a single packet is routed through multiple paths from the source to
the sink. While this approach ensures reliable packet delivery, it consumes an appreciable
amount of energy for delivering each packet. To avoid this problem, the protocol uses a single-
path routing mechanism. If a malicious node is encountered, the node is avoided and the
packet is routed around it in an efficient manner, still in single-path mode, to the base station.
The selection of the new path is based on broadcast signaling in the neighborhood of the
malicious node. The salient features of the protocol are briefly described below:
(i) Neighbor list checking: during the neighbor discovery phase, each node exchanges hello
messages with its neighbor nodes to know its 1-hop and 2-hop neighbors (i.e., neighbors of
each of its neighboring nodes). The neighborhood information is subsequently verified by
exchange of neighbor list checking messages (Sen et al., 2010).
(ii) One-hop packet forwarding: when a node u sends a packet to its neighbor, it first keeps a
copy of the packet in its buffer, and then forwards it to its next-hop node v before encrypting
it with the cluster key of the node u. Since the cluster key is shared between the node and all
its neighbors, the packet encrypted and sent by node u to node v can be overheard by all the
neighbors of node u.
(iii) Monitoring node selection: as the packet is forwarded from node u to node v, the
neighbors of node u that are also neighbors of node v receive the packet and store it in their
buffers. These nodes are designated as the secondary monitoring nodes. For example, in Fig.
4, nodes w and y are the secondary monitoring nodes for node v. The node u is the primary
monitoring node. The nodes that are not neighbors of node v but have received the packet
because they are neighbors of node u, discard the packet. The primary node knows the
secondary monitoring nodes, since every node knows its 1-hop and 2-hop neighbors.

Fig. 4. Neighbor monitor system (secondary nodes w, y ; primary node u) (Sen et al., 2010)

(iv) Role of secondary monitoring nodes: the secondary monitoring nodes w and y monitor the
traffic from node v and compare the outbound packets from node v with the packets stored
in their buffers. The next-hop address of each packet is also verified to check whether the
packet’s intended next-hop is really a neighbor of node v, by cross-checking the neighbor
list of node v. If both these checks yield positive results, the secondary monitoring nodes
remove the packet from their buffers and their monitoring role is complete for that packet.
If any packet is found to remain in the buffer of a secondary monitoring node for more than
a threshold period of time, it first sends a broadcast signal in its neighborhood to inform all
its neighbors that it is going to forward the packet to its designated next-hop, so that other
neighbors do not forward the same packet. The secondary monitoring node now forwards
the packet to its designated next-hop after encrypting the packet with the cluster key. The
role of the secondary node now becomes that of the primary node, and its neighbors become
the secondary nodes. This is in contrast to the scheme proposed in (Lee et al., 2006), where all
the secondary nodes forward the packet in multi-path mode.
(v) Role of primary monitoring node: the role of the primary monitoring node (node u) is
identical to that of the secondary monitoring nodes (nodes w and y); the only difference is that it
listens not only to the traffic from node v, but also to the traffic from nodes w and y. If
the packet is correctly forwarded by any one of the nodes v, w, y, node u removes the
packet from its buffer. The role of node u as the primary monitoring node is then complete.
If a timeout occurs for a packet, the primary monitoring node u forwards the packet
(encrypted with its cluster key) to a next-hop other than node v.
As the packet is routed along a path towards the sink, the above steps of the NMS algorithm,
except the neighbor list checking, are executed at each hop so that reliable packet delivery can
happen through a single path. This is in contrast to the previous schemes proposed in (Ye et
al., 2005; Morcos et al., 2005; Yang et al., 2005). In these schemes, a node broadcasts a packet
without specifying a designated next-hop, and all neighboring nodes with smaller costs (the
cost at a node is the minimum energy required to forward a packet from the node to the
base station) or within a specific geographic region continue forwarding the packet to the
base station. If nodes v, w, and y have smaller costs than node u in Fig. 4, then each of them
will forward packets received from node u under the existing approaches. However, in
the proposed scheme, nodes w and y only observe the packet forwarding activity of node
v, instead of actively forwarding the packets. When no packet is dropped, routing to
the base station happens along a single path, thereby making the process highly energy-
efficient. Even when a packet is dropped, the proposed algorithm works in single-path
mode. This makes it more efficient than the one proposed in (Lee et al., 2006). If node v
in Fig. 4 does not forward the packet it has received from node u, then one of the secondary
monitoring nodes w and y forwards the packet to its next-hop node. The node (either
w or y) that forwards the packet to its next-hop neighbor first sends a broadcast
message in its neighborhood so that its other neighbors do not forward the same packet.

Fig. 5. Two malicious nodes identified by secondary monitoring nodes (Sen et al., 2010)

Fig. 5 shows an example of the application of the scheme, where two malicious (or faulty)
nodes are bypassed as the packet is routed to the base station along a single path.
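The hop-by-hop behaviour of the NMS can be followed in a small discrete simulation. The following is an added example, not code from Sen et al. (2010): an `NMSNetwork` class over a constructed seven-node topology, with the hop count to the sink standing in for the energy cost, and two constructed misbehaving nodes, one that drops packets and one that forwards to a spurious next-hop address (the routing disruption case). At each hop the primary monitor picks the designated next-hop, the secondary monitors (the common neighbours of sender and next-hop) check that the packet reappears with a next-hop that really is in the forwarder's neighbour list, and on a timeout the lowest-numbered honest secondary broadcasts and takes over as primary, as in features (iv) and (v). The tie-break by node id, the shared set of nodes already seen misbehaving (assumed to be spread by the broadcast signal), and the spurious address 999 are assumptions.

```python
"""Single-path forwarding under the neighbourhood monitoring system (NMS) of
Sen et al. (2010), Section 7.5. Added example, not the authors' code: the
topology, the hop-count cost standing in for the energy cost, the id
tie-break and the two constructed misbehaving nodes are assumptions."""
from collections import deque

# Constructed topology; node 0 is the sink (base station).
LINKS = [(7, 6), (6, 4), (6, 5), (4, 5), (4, 2), (5, 2), (5, 3),
         (2, 3), (3, 1), (2, 1), (1, 0)]


class NMSNetwork:
    def __init__(self, links, sink, misbehaviour):
        self.adj = {}
        for a, b in links:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.sink = sink
        self.bad = dict(misbehaviour)  # node -> 'drop' | 'spoof' (constructed)
        self.cost = self._hop_costs()  # each node's hop distance to the sink

    def _hop_costs(self):
        cost, todo = {self.sink: 0}, deque([self.sink])
        while todo:
            n = todo.popleft()
            for m in self.adj[n]:
                if m not in cost:
                    cost[m] = cost[n] + 1
                    todo.append(m)
        return cost

    def next_hop(self, node, avoid=()):
        """Designated next-hop: the lowest-cost neighbour nearer the sink that
        has not been seen misbehaving (ties broken by id, an assumption)."""
        cands = [n for n in self.adj[node]
                 if n not in avoid and self.cost[n] < self.cost[node]]
        return min(cands, key=lambda n: (self.cost[n], n)) if cands else None

    def transmit(self, node, avoid):
        """What the monitors overhear from `node`: the next-hop address on the
        packet it re-sends, or None when it silently drops the packet."""
        kind = self.bad.get(node)
        if kind == 'drop':
            return None
        if kind == 'spoof':
            return 999  # constructed spurious id that is in no neighbour list
        return self.next_hop(node, avoid)

    def forwarded_correctly(self, v, out):
        """The monitors' two checks: the packet reappeared, and its next-hop
        really is in v's neighbour list (neighbour list checking)."""
        return out is not None and out in self.adj[v]

    def route(self, src):
        """Routes one packet from `src` to the sink; returns the nodes that
        actually carried it and a log of the monitoring decisions."""
        path, avoid, log, u = [src], set(), [], src
        while u != self.sink:
            v = self.next_hop(u, avoid)
            if v is None:
                log.append(f"{u}: no usable next-hop, packet stuck")
                break
            if v == self.sink:
                path.append(v)
                break
            # u is the primary monitor; common neighbours of u and v overhear
            # the cluster-key-encrypted packet and act as secondary monitors.
            secondaries = sorted(self.adj[u] & self.adj[v])
            out = self.transmit(v, avoid)
            if self.forwarded_correctly(v, out):
                path.append(v)  # monitors flush their buffered copies
                u = v
                continue
            log.append(f"{v} misbehaved ({self.bad.get(v, 'no next-hop')}) on the packet from {u}")
            avoid.add(v)        # the broadcast signal makes the neighbourhood route around v
            # Timeout: the first honest secondary broadcasts that it will forward,
            # forwards, and becomes the new primary (feature iv).
            taker = next((w for w in secondaries
                          if w not in self.bad and self.next_hop(w, avoid) is not None), None)
            if taker is None:
                log.append(f"{u} re-sends to a next-hop other than {v}")  # feature (v)
                continue
            log.append(f"secondary {taker} takes over from {u}")
            path.append(taker)
            u = taker
        return path, log


def demo():
    """Fig. 5-style run: two bad nodes (4 drops, 2 spoofs) are bypassed."""
    net = NMSNetwork(LINKS, sink=0, misbehaviour={4: 'drop', 2: 'spoof'})
    return net.route(7)


if __name__ == "__main__":
    path, log = demo()
    print("path:", " -> ".join(map(str, path)))
    print("\n".join(log))
```

In the demo the packet travels 7, 6, 5, 3, 1, 0: node 4 drops it and secondary 5 takes over, node 2 forwards it to a next-hop that is not in its neighbour list and secondary 3 takes over, and at every hop only one node carries the packet. If both candidates below a node misbehave and no honest secondary exists, the primary re-sends on its own and the log records that the packet is stuck, which is the failure mode the single-path scheme cannot route around.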


For the scheme to work, each packet should be encrypted with the cluster key of the
forwarding node so that all the neighbors of the forwarding node can decrypt and overhear
it. If link-level encryption were applied between each pair of nodes in the routing path, the
scheme would be more robust against node compromise, since a compromised node could
decrypt only the packets destined to it. However, it would make the scheme less resilient to
packet-dropping attacks. Since encryption with a cluster key provides a reasonable level of
robustness to node compromise and also supports local broadcast (i.e., resiliency against
packet dropping), it makes the algorithm optimal in its performance (Karlof et al., 2004).
To make the scheme robust to the routing disruption attack, where a node intentionally
forwards packets to a spurious next-hop address so that the packet is lost in
routing, it is necessary that each node prove that it really has the claimed neighbors.
A node knows its direct neighbors from the neighbor discovery and
pair-wise key establishment phases discussed earlier. However, in the case of two-hop
neighbors, a malicious node v can inform its neighbor u that it also has a neighbor node x (any
possible id in the network) which in fact is not a neighbor of node v (Fig. 4). There is
no way node u can detect this false claim of v on its own, since x is not in the neighborhood of
u. To handle this problem, the authors proposed a scheme by which a node
can verify the neighbors of each of its neighboring nodes (Sen et al., 2010).

7.6 Some More Protocols for Secure Routing in WSNs

Inspired by the work on public key cryptography (Gura et al., 2004; Gaubatz et al., 2004;
Watro et al., 2004; Wander et al., 2005), Du et al. have investigated the public key
authentication problem (Du et al., 2005). The use of public key cryptography eases many
problems in secure routing, for example, authentication and integrity. However, before a
node A uses the public key of another node B, A must verify that the public key is
actually B’s, i.e., A must authenticate B’s public key; otherwise, man-in-the-middle attacks
are possible. In general networks, public key authentication involves a signature verification
on a certificate signed by a trusted third party, the Certificate Authority (CA). However,
signature verification operations are very expensive for sensor nodes. Du et al.
have proposed an efficient alternative that uses only a one-way hash function for public
key authentication. The proposed scheme can be divided into two stages. In the pre-
distribution stage, a Merkle tree with root R is constructed with each leaf L_i corresponding to a
sensor node. Let pk_i represent node i’s public key, V be an internal tree node, and V_left and
V_right be V’s two children. The value of a tree node is denoted by Φ. The Merkle tree can
then be constructed as follows:

Φ(L_i) = h(id_i, pk_i), for i = 1, …, N

Φ(V) = h(Φ(V_left) || Φ(V_right))

In the above expressions, “||” represents the concatenation of two strings and h is a one-
way hash function such as MD5 or SHA-1. Let R be the root of the tree. Each sensor node v
needs to store the root value Φ(R) and the sibling node values λ_1, …, λ_H along the path
from v to R. If node A wants to authenticate B’s public key, B sends its public key pk along
with the values λ_1, …, λ_H to node A. Then A can use the same procedure to reconstruct
the Merkle tree R' and calculate the root value Φ(R'). A will trust B to be authentic if Φ(R') =
Φ(R). A sensor node only needs H + 1 storage units for the extra hash values. Based on this
scheme, Du et al. further extended the idea to reduce the height of the Merkle tree to
improve the communication overhead of the scheme. The proposed scheme is more efficient
than signature verification on certificates. However, the scheme requires that some hash
values be distributed in a pre-distribution stage. This results in some scalability issues when
new sensors are added to an existing WSN.
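The construction and verification steps can be written out directly. The following is an added example, not code from Du et al. (2005): it builds the Merkle tree over constructed (id_i, pk_i) pairs, extracts the sibling values λ_1, …, λ_H for a leaf, and has the verifier recompute Φ(R') and compare it with the stored Φ(R), so that a substituted public key is rejected. Assumptions: SHA-256 stands in for the MD5/SHA-1 named in the text, node ids are 2-byte big-endian, the ‘public keys’ are labelled byte strings rather than real keys, each λ carries its left/right position so the verifier concatenates in the right order, and N is a power of two.

```python
"""Merkle-tree public key authentication for sensor nodes (Du et al., 2005),
as summarised in Section 7.6. Added example, not the authors' code: SHA-256
replaces the MD5/SHA-1 named in the text, node ids are 2-byte big-endian,
the constructed 'public keys' are just labelled byte strings, and N is
assumed to be a power of two."""
import hashlib


def h(*parts: bytes) -> bytes:
    """The one-way hash function h; '||' is plain byte concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_value(node_id: int, pk: bytes) -> bytes:
    """Φ(L_i) = h(id_i, pk_i)."""
    return h(node_id.to_bytes(2, "big"), pk)


def build_tree(leaf_values):
    """Pre-distribution stage: returns the tree as a list of levels, level 0
    holding the leaves and the last level holding the single root value Φ(R).
    Φ(V) = h(Φ(V_left) || Φ(V_right)) for every internal node V."""
    levels = [list(leaf_values)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([h(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def sibling_path(levels, index):
    """λ_1, ..., λ_H: the sibling values on the path from leaf `index` up to the
    root, each tagged with the side it occupies. Together with Φ(R) these are
    the H + 1 hash values a node has to store."""
    path = []
    for lvl in levels[:-1]:
        sibling = index ^ 1
        path.append((lvl[sibling], "left" if sibling < index else "right"))
        index //= 2
    return path


def verify_public_key(root, node_id, pk, path):
    """Node A reconstructs Φ(R') from B's claimed (id, pk) and B's λ values and
    trusts pk only if Φ(R') equals the stored Φ(R)."""
    value = leaf_value(node_id, pk)
    for sibling, side in path:
        value = h(sibling, value) if side == "left" else h(value, sibling)
    return value == root


def deploy(n_nodes=8):
    """Constructed deployment: node i gets the stand-in public key pk_i, and the
    tree over all (id_i, pk_i) pairs is built before the nodes are fielded."""
    keys = {i: b"constructed-pk-%d" % i for i in range(n_nodes)}
    levels = build_tree(leaf_value(i, keys[i]) for i in range(n_nodes))
    return levels, keys


if __name__ == "__main__":
    levels, keys = deploy()
    root = levels[-1][0]  # Φ(R), stored by every node
    b = 3
    print("genuine key of node 3 accepted:",
          verify_public_key(root, b, keys[b], sibling_path(levels, b)))
    print("substituted key rejected:",
          not verify_public_key(root, b, b"attacker-key", sibling_path(levels, b)))
    print("storage per node: H + 1 =", len(sibling_path(levels, b)) + 1, "hash values")
```

For eight nodes the tree has height H = 3, so each node keeps four hash values, and the only per-authentication work is H hash computations rather than a signature verification. A key that has been swapped in transit, or a key presented under a different node id, changes the leaf value and therefore the reconstructed root, so the check fails.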
Tanachaiwiwat et al. have presented a novel secure routing protocol, trust routing for location
aware sensor networks (TRANS) (Tanachawiwat et al., 2003). It is primarily meant for use in
data-centric networks. It makes use of a loosely time-synchronized asymmetric
cryptographic scheme to ensure message confidentiality. The authors have used μTESLA to
ensure message authentication and confidentiality. Using μTESLA, TRANS is able to ensure
that a message is sent along a path of trusted nodes utilizing location-aware routing. The
base station broadcasts an encrypted message to all its neighbors. Only the trusted
neighbors possess the shared key necessary to decrypt the message. The trusted
neighbors then add their locations (for the return trip), encrypt the new message with their
shared key, and forward the message to their neighbors closest to the destination. Once the
message reaches the destination, the recipient is able to authenticate the source (base station)
using the MAC corresponding to the base station. To acknowledge or reply to the message,
the destination node can simply forward a return message along the same trusted path from
which the message was received (Tanachawiwat et al., 2003).
Papadimitratos and Haas have proposed a secure route discovery protocol that guarantees
correct topology discovery in an ad hoc sensor network (Papadimitratos et al., 2002). The
security relies on a MAC (message authentication code) and an accumulation of the node
identities along the route traversed by a message. In this way, a source node discovers the
sensor network topology as each node along the route from source to destination appends
its identity to the message. In order to ensure that the message has not been tampered with,
the MAC is verified at the source and the destination.
A family of configurable secure routing protocols called secure implicit geographic forwarding
(SIGF) has been proposed in (Wood et al., 2006). SIGF is based on a nondeterministic hybrid
routing protocol – IGF (Blum et al., 2003) that is completely stateless. This allows SIGF to
handle network dynamics effortlessly, and intrinsically limits the effects of a compromised
node to a local area. There are no routing tables to corrupt, since forwarding decisions are
made as late as possible – when a packet is ready to transmit over the air. However, the
protocol is susceptible to a CTS rushing attack (Hu et al., 2003b).
To defend against route poisoning attacks in a multi-hop WSN, a trust-aware routing
framework has been proposed in (Zhan et al., 2010). The protocol integrates trustworthiness
and energy-efficiency in routing decisions. Each node maintains a neighborhood table with
trust level values and energy cost values for certain known neighbors. Once a node is able to
decide its next-hop for routing a packet to the base station, it broadcasts an energy-report
message that contains the energy cost of delivering a packet from the
node to the base station. The trustworthiness of a node is computed from its packet
forwarding statistics. In this way, secure and energy-efficient routing is achieved.
Table 4 presents a comparative analysis of some secure routing protocols for WSNs.

Table 4. Comparison of secure routing protocols for WSNs


8. Conclusion
Although research efforts have been made on cryptography, key management, secure
routing, secure data aggregation, and intrusion detection in WSNs, there are still some
challenges to be addressed. First, the selection of the appropriate cryptographic methods
depends on the processing capability of the sensor nodes, indicating that there is no unified
solution for all sensor networks. Instead, the security mechanisms are highly application-
specific. Second, sensors are characterized by the constraints on energy, computation
capability, memory, and communication bandwidth. The design of security services in
WSNs must satisfy these constraints. Third, most of the current protocols assume that the
sensor nodes and the base stations are stationary. However, there may be situations, such as
battlefield environments, where the base station and possibly the sensors need to be mobile.
The mobility of the sensor nodes has a great influence on sensor network topology and thus
raises many issues in secure routing protocols. Some future trends in WSN security research
are identified as follows:
Exploit the availability of private key operations on sensor nodes: recent studies on public key
cryptography have shown that public key operations are still very expensive to realize on
sensor nodes. Since public key cryptography can greatly ease the design of security in WSNs,
improving the efficiency of private key operations on sensor nodes is highly desirable.
Secure routing protocols for mobile sensor networks: mobility of sensor nodes has a great
influence on sensor network topology and thus on the routing protocols. Mobility can be at
the base station, the sensor nodes, or both. Current protocols assume the sensor network is
stationary. New secure routing protocols for mobile sensor networks need to be developed.
Time synchronization issues: current broadcast authentication schemes such as µTESLA and
its extensions require the sensor network to be loosely time synchronized. This requirement
is often hard to meet, and new techniques that do not have such a requirement are in demand.
Scalability and efficiency in broadcast authentication protocols: new schemes with higher
scalability and efficiency need to be developed for authenticated broadcast protocols. The
recent progress on public key cryptography may facilitate the design of authenticated
broadcast protocols.
QoS and security: performance is generally degraded by the addition of security services in
WSNs. Current studies on security in WSNs focus on individual topics such as key
management, secure routing, secure data aggregation, and intrusion detection. QoS and
security need to be evaluated together in WSNs.

9. References
Akyildiz, I.F. ; Su, W. ; Sankarasubramaniam, Y. & Cayirci, E. (2002). A survey on sensor
networks. IEEE Communications Magazine, Vol. 40, No. 8, pp. 102-114.
Al-Karaki, J.N. & Kamal, A.E. (2004). Routing techniques in wireless sensor networks : a
survey. IEEE Wireless Communications, Vol. 11. No. 6, pp. 6 – 28.
Aura, T. ; Nikander, P. & Leiwo, J. (2001). DoS-resistant authentication with client puzzles.
Proceedings of the 8th International Workshop on Security Protocols, pp. 170-177,
Springer-Verlag, Germany.
Awerbuch, B. ; Holmer, D. ; Nita-Rotaru, C. & Rubens, H. (2002). An on-demand secure
routing protocol resilient to Byzantine failures. Proceedings of the ACM Workshop on
Wireless Security, pp. 21 – 30.


Blum, B. ; He, T. ; Son, S. & Stankovic, J. (2003). IGF : a state-free robust communication
protocol for wireless sensor networks. Technical Report : CS-2003-11, University of
Virginia, Charlottesville, VA, USA.
Capkun, S. & Hubaux, J.-P. (2006). Secure positioning in wireless networks. IEEE Journal on
Selected Areas in Communications, Vol. 24, No. 2, pp. 221-232.
Carman, D.W. ; Krus, P.S. & Matt, B.J. (2000). Constraints and approaches for distributed
sensor network security. Technical Report No : 00-010, NAI Labs, Network
Associates Inc., Glenwood, MD, USA.
Chan, H. & Perrig, A. (2003a). Security and privacy in sensor networks. IEEE Computer
Magazine, pp. 103 – 105.
Chan, H. ; Perrig, A. & Song, D. (2003b). Random key pre-distribution schemes for sensor
networks. Proceedings of the IEEE Symposium on Security and Privacy, p. 197, IEEE
Computer Society Press.
Deng, H. ; Li, H. & Agrawal, D. (2002a). Routing security in wireless ad hoc networks. IEEE
Communications Magazine, Vol. 40, No. 10.
Deng, J. ; Han, R. & Mishra, S. (2002b). INSENS : intrusion-tolerant routing in wireless
sensor networks. Technical Report CU-CS-939-02, Department of Computer Science,
University of Colorado at Boulder.
Deng, J. ; Han, R. & Mishra, S. (2004). Countermeasures against traffic analysis in wireless
sensor networks. Technical Report : CU-CS-987-04, University of Colorado at
Boulder.
Di Pietro, R. ; Mancini, L.V. ; Law, Y.W. ; Etalle, S. & Havinga, P. (2003). LKHW : a directed
diffusion-based secure multi-cast scheme for wireless sensor networks. Proceedings
of the 32nd International Conference on Parallel Processing Workshops (ICPPW’03), pp.
397-406, IEEE Computer Society Press.
Douceur, J. (2002). The Sybil attack. Proceedings of the 1st International Workshop on Peer-to-
Peer Systems (IPTPS’02).
Du, W. ; Deng, J. ; Han, Y.S. & Varshney, P.K. (2003). A pair-wise key pre-distribution
scheme for wireless sensor networks. Proceedings of the 10th ACM Conference on
Computer and Communications Security, pp. 42-51, New York, USA, ACM Press.
Du, W. ; Wang, R. & Ning, P. (2005). An efficient scheme for authenticating public keys in
sensor networks. Proceedings of the 6th ACM International Symposium on Mobile Ad
Hoc Networking and Computing, pp. 58 – 67, New York, USA, ACM Press.
Eschenauer, L. & Gligor, V.D. (2002). A key-management scheme for distributed sensor
networks. Proceedings of the 9th ACM Conference on Computer and Networking, pp. 41-47.
Estrin, D. ; Govindan, R. ; Heidemann, J.S. & Kumar, S. (1999). Next century challenges : scalable
coordination in sensor networks. Mobile Computing and Networking, pp. 263-270.
Ganeriwal, S. ; Capkun, S. ; Han, C.-C. & Srivastava, M.B. (2005). Secure time
synchronization service for sensor networks. Proceedings of the 4th ACM Workshop on
Wireless Security, pp. 97 – 106, New York, USA, ACM Press.
Gaubatz, G. ; Kaps, J.P. & Sunar, B. (2004). Public key cryptography in sensor networks-
revisited. Proceedings of the 1st European Workshop on Security in Ad- Hoc and Sensor
networks (ESAS’04).
Gruteser, M. ; Schelle, G. ; Jain, A. ; Han, R. & Grunwald, D. (2003). Privacy-aware location
sensor networks. Proceedings of the 9th USENIX Workshop on Hot Topics in Operating
Systems (HotOS IX).


Gura, N. ; Patel, A. ; Wander, A. ; Eberle, H. & Shantz, S. (2004). Comparing elliptic curve
cryptography and RSA on 8-bit CPUs. Proceedings of Workshop on Cryptographic
Hardware and Embedded Systems (CHES’04).
Han, Y-J. ; Park, M-W. & Chung, T-M. (2010). SecDEACH : secure and resilient dynamic
clustering protocol preserving data privacy in WSNs. Proceedings of the International
Conference on Computational Science and its Applications (ICCSA’10), pp. 142 – 157,
Fukuoka, Japan.
Hartung, C. ; Balasalle, J. & Han, R. (2004). Node compromise in sensor networks : the need
for secure systems. Technical Report : CU-CS-988-04, Department of Computer
Science, University of Colorado at Boulder.
Hill, J. ; Szewczyk, R. ; Woo, A. ; Hollar, S. ; Culler, D.E. & Pister, K. (2000). System
architecture directions for networked sensors. Proceedings of the 9th International
Conference on Architectural Support for Programming Languages and Operating Systems,
pp. 93-104, ACM Press.
Hu, L. & Evans, D. (2003a). Secure aggregation for wireless sensor networks. Proceedings of
the Symposium on Applications and the Internet Workshops, p. 384, IEEE Comp. Soc.
Press.
Hu, L. & Evans, D. (2004a). Using directional antennas to prevent wormhole attacks.
Proceedings of the 11th Annual Network and Distributed System Security Symposium.
Hu, Y. ; Perrig, A. & Johnson, D.B. (2003b). Rushing attacks and defense in wireless ad hoc
network routing protocols. Proceedings of the ACM Workshop on Wireless Security, pp.
30 – 40.
Hu, Y. ; Perrig, A. & Johnson, D.B. (2004b). Packet leashes : a defense against worm-hole
attacks. Proceedings of the 11th Annual Network and Distributed System Security
Symposium.
Hwang, J. & Kim, Y. (2004). Revisiting random key pre-distribution schemes for wireless
sensor networks. Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and
Sensor Networks (SASN’04), pp. 43-52, New York, USA, ACM Press.
Intanagonwiwat, C. ; Govindan, R. & Estrin, D. (2000). Directed diffusion : a scalable and
robust communication paradigm for sensor networks. Mobile Computing and
Networking, pp. 56 – 67.
Karlof, C. & Wagner, D. (2003). Secure routing in wireless sensor networks : attacks and
countermeasures. Proceedings of the 1st IEEE International Workshop on Sensor
Network Protocols and Applications, pp. 113-127.
Karlof, C. ; Sastry, N. & Wagner, D. (2004). TinySec : a link layer security architecture for
wireless sensor networks. Proceedings of ACM SensSys, pp. 162 – 175.
Karp, B. & Kung, H.T. (2000). GPSR : greedy perimeter stateless routing for wireless
networks. Proceedings of the 6th Annual International Conference on Mobile Computing
and Networking, pp. 243 – 254, ACM Press.
Kaya, T. ; Lin, G. ; Noubir, G. & Yilmaz, A. (2003). Secure multicast gropus on ad hoc
networks. Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor
Systems (SASN’03), pp. 94 - 102, ACM Press.
Lazos, L. & Poovendran, R. (2002). Secure broadcast in energy-aware wireless sensor
networks. Proceedings of the IEEE International Symposium on Advances in Wireless
Communications (ISWC’02).

Lazos, L. & Poovendran, R. (2005). SERLOC: robust localization for wireless sensor networks. ACM Transactions on Sensor Networks, Vol. 1, No. 1, pp. 73-100.
Lazos, L. & Poovendran, R. (2003). Energy-aware secure multi-cast communication in ad-hoc networks using geographic location information. Proceedings of the IEEE International Conference on Acoustics Speech and Signal Processing.
Lee, S-B. & Choi, Y-H. (2006). A resilient packet-forwarding scheme against maliciously packet-dropping nodes in sensor networks. Proceedings of the 4th ACM Workshop on Security of Ad Hoc and Sensor Networks, pp. 59-70.
Liu, D. & Ning, P. (2003). Efficient distribution of key chain commitments for broadcast authentication in distributed sensor networks. Proceedings of the 10th Annual Network and Distributed System Security Symposium, pp. 263-273, San Diego, CA, USA.
Liu, D. & Ning, P. (2004). Multilevel μTESLA: broadcast authentication for distributed sensor networks. ACM Transactions on Embedded Computing Systems (ECS), Vol. 3, No. 4, pp. 800-836.
Liu, D.; Ning, P. & Li, R. (2005a). Establishing pair-wise keys in distributed sensor networks. ACM Transactions on Information Systems Security, Vol. 8, No. 1, pp. 41-77.
Liu, D.; Ning, P.; Zhu, S. & Jajodia, S. (2005b). Practical broadcast authentication in sensor networks. Proceedings of the 2nd Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services, pp. 118-129.
Madden, S.; Franklin, M.J.; Hellerstein, J.M. & Hong, W. (2002). TAG: a tiny aggregation service for ad-hoc sensor networks. SIGOPS Operating Systems Review, Special Issue, pp. 131-146.
Morcos, H.; Matta, I. & Bestavros, A. (2005). M2RC: multiplicative-increase/additive-decrease multipath routing control for wireless sensor networks. ACM SIGBED Review, Vol. 2.
Newsome, J.; Shi, E.; Song, D. & Perrig, A. (2004). The Sybil attack in sensor networks: analysis and defenses. Proceedings of the 3rd International Symposium on Information Processing in Sensor Networks, pp. 259-268, ACM Press.
Ozturk, C.; Zhang, Y. & Trappe, W. (2004). Source-location privacy in energy-constrained sensor network routing. Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks.
Papadimitratos, P. & Haas, Z.J. (2002). Secure routing for mobile ad hoc networks. Proceedings of the SCS Communication Networks and Distributed System Modeling and Simulation Conference (CNDS’02).
Parno, B.; Perrig, A. & Gligor, V. (2005). Distributed detection of node replication attacks in sensor networks. Proceedings of IEEE Symposium on Security and Privacy.
Pecho, P.; Nagy, J.; Hanacek, P. & Drahansky, M. (2009). Secure collection tree protocol for tamper-resistant wireless sensors. Communications in Computer and Information Science, Vol. 58, pp. 217-224, Springer-Verlag, Heidelberg, Germany.
Perkins, C.E. & Royer, E.M. (1999). Ad hoc on-demand distance vector routing. Proceedings of IEEE Workshop on Mobile Computing Systems and Applications, pp. 90-100.
Perrig, A.; Stankovic, J. & Wagner, D. (2004). Security in wireless sensor networks. Communications of the ACM, Vol. 47, No. 6, pp. 53-57.
Perrig, A.; Szewczyk, R.; Wen, V.; Culler, D.E. & Tygar, J.D. (2002). SPINS: security protocols for sensor networks. Wireless Networks, Vol. 8, No. 5, pp. 521-534.

Przydatek, B.; Song, D. & Perrig, A. (2003). SIA: secure information aggregation in sensor networks. Proceedings of the 1st International Conference on Embedded Networked Systems (SenSys ’08), pp. 255-265, ACM Press.
Rafaeli, S. & Hutchison, D. (2003). A survey of key management for secure group communication. ACM Computing Surveys, Vol. 35, No. 3, pp. 309-329.
Sen, J.; Chandra, M.G.; Harihara, S.G.; Reddy, H. & Balamuralidhar, P. (2007b). A mechanism for detection of grayhole attack in mobile ad hoc networks. Proceedings of the 6th International Conference on Information, Communication, and Signal Processing (ICICS’07), pp. 1-5, Singapore.
Sen, J. & Ukil, A. (2010). A secure routing protocol for wireless sensor networks. Proceedings of the International Conference on Computational Sciences and its Applications (ICCSA’10), pp. 277-290, Fukuoka, Japan.
Sen, J.; Chandra, M.G.; Balamuralidhar, P.; Harihara, S.G. & Reddy, H. (2007a). A distributed protocol for detection of packet dropping attack in mobile ad hoc networks. Proceedings of the IEEE International Conference on Telecommunications (ICT’07), Penang, Malaysia.
Shi, E. & Perrig, A. (2004). Designing secure sensor networks. Wireless Communication Magazine, Vol. 11, No. 6, pp. 38-43.
Shrivastava, N.; Buragohain, C.; Agrawal, D. & Suri, S. (2004). Medians and beyond: new aggregation techniques for sensor networks. Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems, pp. 239-249, ACM Press.
Slijepcevic, S.; Potkonjak, M.; Tsiatsis, V.; Zimbeck, S. & Srivastava, M.B. (2002). On communication security in wireless ad-hoc sensor networks. Proceedings of the 11th IEEE International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE’02), pp. 139-144.
Stankovic, J.A. (2003). Real-time communication and coordination in embedded sensor networks. Proceedings of the IEEE, Vol. 91, No. 7, pp. 1002-1022.
Tanachawiwat, S.; Dave, P.; Bhindwale, R. & Helmy, A. (2003). Routing on trust and isolating compromised sensors in location-aware sensor systems. Proceedings of the 1st International Conference on Embedded Networked Sensor Systems, pp. 324-325, ACM Press.
Wander, A.S.; Gura, N.; Eberle, H.; Gupta, V. & Shantz, S.C. (2005). Energy analysis of public-key cryptography for wireless sensor networks. Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communication.
Wang, W. & Bhargava, B. (2004b). Visualization of wormholes in sensor networks. Proceedings of the 2004 ACM Workshop on Wireless Security, pp. 51-60, New York, USA, ACM Press.
Wang, X.; Gu, W.; Chellappan, S.; Xuan, D. & Lai, T.H. (2005). Search-based physical attacks in sensor networks: modeling and defense. Technical Report, Department of Computer Science and Engineering, Ohio State University.
Wang, X.; Gu, W.; Schosek, K.; Chellappan, S. & Xuan, D. (2004a). Sensor network configuration under physical attacks. Technical Report OSU-CISRC-7/04-TR45, Department of Computer Science and Engineering, Ohio State University.
Wang, Y.; Attebury, G. & Ramamurthy, B. (2006). A survey of security issues in wireless sensor networks. IEEE Communications Surveys and Tutorials, Vol. 8, No. 2, pp. 2-23.

Watro, R.; Kong, D.; Cuti, S.; Gardiner, C.; Lynn, C. & Kruus, P. (2004). TinyPK: securing sensor networks with public key technology. Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN’04), pp. 59-64, New York, USA, ACM Press.
Wood, A.D. & Stankovic, J.A. (2002). Denial of service in sensor networks. IEEE Computer, Vol. 35, No. 10, pp. 54-62.
Wood, A.D.; Fang, L.; Stankovic, J.A. & He, T. (2006). SIGF: a family of configurable, secure routing protocols for wireless sensor networks. Proceedings of the 4th ACM Workshop on Security of Ad Hoc and Sensor Networks, pp. 35-48, Alexandria, VA, USA.
Yang, H.; Ye, F.; Yuan, Y.; Lu, S. & Arbaugh, W. (2005). Towards resilient security in wireless sensor networks. Proceedings of ACM MobiHoc, pp. 34-45.
Ye, F.; Luo, L.H. & Lu, S. (2004). Statistical en-route detection and filtering of injected false data in sensor networks. Proceedings of IEEE INFOCOM’04.
Ye, F.; Zhong, G.; Lu, S. & Zhang, L. (2005). GRAdient Broadcast: a robust data delivery protocol for large scale sensor networks. ACM Journal of Wireless Networks (WINET).
Yuan, L. & Qu, G. (2002). Design space exploration for energy-efficient secure sensor networks. Proceedings of IEEE International Conference on Application-Specific Systems, Architectures, and Processors, pp. 88-100.
Zhang, K.; Wang, C. & Wang, C. (2008). A secure routing protocol for cluster-based wireless sensor networks using group key management. Proceedings of the 4th International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM’08), pp. 1-5, Dalian.
Zhan, G.; Shi, W. & Deng, J. (2010). TARF: a trust-aware routing framework for wireless sensor networks. Proceedings of the 7th European Conference on Wireless Sensor Networks (EWSN’10), pp. 65-80, Coimbra, Portugal.
Zhu, H.; Bao, F.; Deng, R.H. & Kim, K. (2004a). Computing of trust in wireless networks. Proceedings of 60th IEEE Vehicular Technology Conference, California, USA.
Zhu, S.; Setia, S. & Jajodia, S. (2004b). LEAP: efficient security mechanism for large-scale distributed sensor networks. Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 62-72, New York, USA, ACM Press.


11

Secure Routing in Wireless Mesh Networks


Jaydip Sen
Innovation Lab, Tata Consultancy Services Ltd.
India

1. Introduction
Wireless mesh networks (WMNs) have emerged as a promising concept to meet the challenges
in next-generation networks such as providing flexible, adaptive, and reconfigurable
architecture while offering cost-effective solutions to the service providers (Akyildiz et al.,
2005). Unlike traditional Wi-Fi networks, with each access point (AP) connected to the wired
network, in WMNs only a subset of the APs are required to be connected to the wired
network. The APs that are connected to the wired network are called the Internet gateways
(IGWs), while the APs that do not have wired connections are called the mesh routers (MRs).
The MRs are connected to the IGWs using multi-hop communication. The IGWs provide
access to conventional clients and interconnect ad hoc, sensor, cellular, and other networks
to the Internet as shown in Fig. 1.

Fig. 1. The architecture of a wireless mesh network


Due to the recent research advances in WMNs, these networks have been used in numerous
applications such as in home networking, community and neighborhood monitoring,

security surveillance systems, disaster management and rescue operations etc. (Franklin et
al., 2007). As there is no wired infrastructure to deploy in the case of WMNs, they are
considered a cost-effective alternative to wireless local area networks (WLANs) and backbone
networks for mobile clients. The existing wireless networking technologies such as IEEE
802.11, IEEE 802.15, IEEE 802.16, and IEEE 802.20 are used in the implementation of WMNs.
As WMNs become an increasingly popular replacement technology for last-mile
connectivity in home networking, community and neighborhood networking, it is
imperative to design an efficient resource management system for these networks. Routing
is one of the most challenging issues in resource management for supporting real-time
applications with stringent quality of service (QoS) requirements. However, most of the
existing routing protocols for WMNs are extensions of protocols originally designed for
mobile ad hoc networks (MANETs) and thus they perform sub-optimally. Moreover, most
routing protocols for WMNs are designed without security issues in mind, where the nodes
are all assumed to be honest. In practical deployment scenarios, this assumption does not
hold. In a community-based WMN, a group of MRs managed by different operators form an
access network to provide last-mile connectivity to the Internet. As with any end-user
supported infrastructure, ubiquitous cooperative behavior in these networks cannot be
assumed a priori. Preserving scarce access bandwidth and power, as well as security
concerns may induce some selfish users to avoid forwarding data for other nodes, even as
they send their own traffic through the network. The selfish behavior of an MR degrades the
performance of a WMN since it increases the latency in packet delivery and packet drops
and decreases the network throughput. In addition, some nodes may also launch malicious
packet dropping attacks. Therefore, enforcing cooperation among the nodes in WMNs
becomes a critical issue and a routing protocol should make use of such a cooperation
enforcement scheme in order to ensure efficiency in packet forwarding and minimizing
packet drops (Dong, 2009). To enforce cooperation among nodes and detect malicious and
selfish nodes in self-organizing networks such as MANETs, various collaboration schemes
have been proposed in the literature (Santhanam et al., 2008). Most of these proposals are
based on trust and reputation frameworks which attempt to identify misbehaving nodes by
an appropriate detection and decision making system, and then isolate or punish them.
Unfortunately, most of these schemes are not directly applicable for WMNs due to inherent
differences in characteristics between MANETs and WMNs. Efficient, reliable and secure
routing protocols for WMNs are clearly in demand.
Keeping this in mind, this chapter provides a comprehensive overview of security issues in
WMNs and then particularly focuses on secure routing in these networks. First, it identifies
security vulnerabilities in the medium access control (MAC) and the network layers. Various
possibilities of compromising data confidentiality, data integrity, replay attacks and offline
cryptanalysis are also discussed. Then various types of attacks in the MAC and the network
layers are discussed. In the MAC layer, attacks such as passive eavesdropping, link layer
jamming (Law et al., 2005; Brown et al., 2006), MAC spoofing, replay attacks (Mishra et al.,
2002) are discussed in detail. In the network layer, two broad categories of attacks are
identified: (i) attacks on the control plane and (ii) attacks on the data plane. Among the
attacks on the control plane, rushing attack (Hu et al., 2003a), wormhole attack (Hu et al.,
2003b), blackhole attack (Al-Shurman et al., 2004), grayhole attack (Sen et al., 2007), Sybil
attack (Newsome et al., 2004) are discussed. The data plane attacks are launched by the
selfish and malicious nodes which lead to degradation in the network performance (Zhong
et al., 2005; Salem et al., 2003). After enumerating the various types of attacks on the MAC

and the network layer, the chapter briefly discusses some of the preventive mechanisms
for those attacks. After the preliminary discussion on various attacks and their
countermeasures, the chapter focuses on its major issue: security in routing. It first identifies
the major security requirements for design of a routing protocol in WMNs. Then various
existing secure routing protocols for self-organizing networks such as ARAN (Sanzgiri et al.,
2002), SAODV (Zapata et al., 2002), SRP (Papadimitratos et al., 2002), SEAD (Hu et al.,
2002b), ARIADNE (Hu et al., 2002a), SEAODV (Li et al., 2011) etc. are discussed. All these
protocols are compared in terms of their relative performance and their areas of application.
After discussing these existing mechanisms, the chapter presents two novel secure routing
protocols that detect selfish nodes in WMNs and isolate those nodes from the network
activities so as to maximize the network throughput while providing desired QoS of the
user application (Sen, 2010a; Sen, 2010b).
The organization of the chapter is as follows. In Section 2, we discuss various security
vulnerabilities in different layers of the protocol stack of a WMN. Attacks at the physical,
MAC, network, and transport layers are discussed in detail, and the countermeasures to
defend against such attacks are briefly presented. In Section 3, several routing challenges in
WMNs are highlighted. Section 4 presents some of the well-known existing security
mechanisms for routing in WMNs. These protocols are also compared with respect to their
capabilities in defending against different attacks in the network layer of WMNs. In Section
5, two novel routing protocols for WMNs are presented. These protocols can guarantee
application QoS in addition to identifying malicious and selfish nodes in the network.
Section 6 concludes the chapter while identifying some open issues and future research
directions in designing secure routing protocols for WMNs.
In summary, the chapter makes the following contributions:
• It proposes threat models and security goals for secure routing in WMNs.
• It identifies various possible attacks on different layers of a WMN.
• It demonstrates how attacks against MANETs and peer-to-peer networks can be
adapted into powerful attacks against WMNs.
• It makes a security analysis of some of the major existing routing protocols for WMNs.
• It presents various defense mechanisms to counter the well-known attacks on the
routing protocols of WMNs.
• It presents two novel routing protocols for WMNs. These protocols enhance the routing
efficiency and the application QoS while providing security in routing.
• It identifies some open research problems in the area of secure routing in WMNs.

2. Security Vulnerabilities in WMNs


Several vulnerabilities exist in the protocols for WMNs. These vulnerabilities can be
exploited by the attackers to degrade the performance of the network. The nodes in a WMN
depend on the cooperation of the other nodes in the network. Consequently, the MAC layer
and the network layer protocols for these networks usually assume that the participating
nodes are honest and well-behaving with no malicious or dishonest intentions. In practice,
however, some nodes in a WMN may behave in a selfish manner or may be compromised
by malicious users. The assumed trust and the lack of accountability due to the absence of a
central administrator make the MAC and the network layer protocols vulnerable to various
types of attacks. In this section, a comprehensive discussion on various types of attacks in
different layers of the protocol stack of a WMN is provided.

45
240 Wireless
Security Issues in a Mesh Networks
Networked Age

2.1 Physical layer attacks


The physical layer is responsible for frequency selection, carrier frequency generation, signal
detection, modulation, and data encryption. As with any radio-based medium, the
possibility of jamming attacks in this layer of WMNs is always there. Jamming is a type of
attack which interferes with the radio frequencies that the nodes use in a WMN for
communication (Shi et al., 2004). A jamming source may be powerful enough to disrupt
communication in the entire network. Even with less powerful jamming sources, an
adversary can potentially disrupt communication in the entire network by strategically
distributing the jamming sources. An intermittent jamming source may also prove
detrimental as some communications in WMNs may be time-sensitive. More complex forms
of radio jamming attacks have been studied in (Xu et al., 2005), where the attacking devices
do not obey the MAC layer protocols.

2.2 MAC layer attacks


Different types of attacks are possible in the MAC layer of a WMN. Some of the major
attacks at this layer are: passive eavesdropping, jamming, MAC address spoofing, replay,
unfairness in allocation, pre-computation and partial matching etc. These attacks are briefly
described in this subsection.
i. Passive eavesdropping: the broadcast nature of transmission of the wireless networks
makes these networks prone to passive eavesdropping by the external attackers within
the transmission range of the communicating nodes. Multi-hop wireless networks like
WMNs are also prone to internal eavesdropping by the intermediate hops, whereby a
malicious intermediate node may keep a copy of all the data that it forwards without
the knowledge of any other nodes in the network. Although passive eavesdropping
does not affect the network functionality directly, it leads to the compromise in data
confidentiality and data integrity. Data encryption is generally employed using strong
encryption keys to protect the confidentiality and integrity of data.
ii. Link layer jamming attack: link layer attacks are more complex compared to blind
physical layer jamming attacks. Rather than transmitting random bits constantly, the
attacker may transmit regular MAC frame headers (no payload) on the transmission
channel which conforms to the MAC protocol being used in the victim network (Law et
al., 2005). Consequently, the legitimate nodes always find the channel busy and back off
for a random period of time before sensing the channel again. This leads to the denial-
of-service for the legitimate nodes and also enables the jamming node to conserve its
energy. In addition to the MAC layer, jamming can also be used to exploit the network
and transport layer protocols (Brown et al., 2006). Intelligent jamming is not a purely
transmit activity. Sophisticated sensors are deployed, which detect and identify victim
network activity, with a particular focus on the semantics of higher-layer protocols (e.g.,
AODV and TCP). Based on the observations of the sensors, the attackers can exploit the
predictable timing behavior exhibited by higher-layer protocols and use offline analysis
of packet sequences to maximize the potential gain for the jammer. These attacks can be
effective even if encryption techniques such as wired equivalent privacy (WEP) and Wi-Fi
protected access (WPA) have been employed. This is because the sensor that assists the
jammer can still monitor the packet size, timing, and sequence to guide the jammer.
Because these attacks are based on carefully exploiting protocol patterns and
consistencies across size, timing and sequence, preventing them will require
modifications to the protocol semantics so that these consistencies are removed
wherever possible.

iii. Intentional collision of frames: a collision occurs when two nodes attempt to transmit
on the same frequency simultaneously (Wood et al., 2002). When frames collide, they
are discarded and need to be retransmitted. An adversary may strategically cause
collisions in specific packets such as acknowledgment (ACK) control messages. A
possible result of such collision is the costly exponential back-off. The adversary may
simply violate the communication protocol and continuously transmit messages in an
attempt to generate collisions. Repeated collisions can also be used by an attacker to
cause resource exhaustion. For example, a naïve MAC layer implementation may
continuously attempt to retransmit the corrupted packets. Unless these retransmissions
are detected early, the energy levels of the nodes would be exhausted quickly. An
attacker may cause unfairness by intermittently using the MAC layer attacks. In this
case, the adversary causes degradation of real-time applications running on other nodes
by intermittently disrupting their frame transmissions.
iv. MAC spoofing attack: MAC addresses have long been used as the singularly unique
layer-2 network identifiers in both wired and wireless LANs. MAC addresses which are
globally unique have often been used as an authentication factor or as a unique
identifier for granting varying levels of network privileges to a user. This is particularly
common in 802.11 WiFi networks. However, today’s MAC protocols (802.11) and
network interface cards do not provide any safeguards that would prevent a potential
attacker from modifying the source MAC address in its transmitted frames. On the
contrary, there is often full support in the form of drivers from manufacturers, which
makes this particularly easy. Modifying MAC addresses in transmitted frames is
referred to as MAC spoofing, and can be used by attackers in a variety of ways. MAC
spoofing enables the attacker to evade intrusion detection systems (IDSs) that are in place.
Further, today’s network administrators often use MAC addresses in access control
lists. For example, only registered MAC addresses are allowed to connect to the access
points. An attacker can easily eavesdrop on the network to determine the MAC
addresses of legitimate devices. This enables the attacker to masquerade as a legitimate
user and gain access to the network. An attacker can even inject a large number of
bogus frames into the network to deplete the resources (in particular, bandwidth and
energy), which may lead to denial of services for the legitimate nodes.
v. Replay attack: the replay attack, often known as the man-in-the-middle attack (Mishra et
al., 2002), can be launched by external as well as internal nodes. An external malicious
node (not a member of the WMN) can eavesdrop on the broadcast communication between
two nodes (A and B) in the network as shown in Fig. 2. It can then retransmit the captured
legitimate messages at a later point in time to gain access to the network resources. Generally,
the authentication information is replayed, with the attacker deceiving a node (node B in
Fig. 2) into believing that the attacker is a legitimate node (node A in Fig. 2). On a similar
note, an internal malicious node, which is an intermediate hop between two
communicating nodes, can keep a copy of all relayed data. It can then retransmit this
data at a later point in time to gain unauthorized access to the network resources.
vi. Pre-computation and partial matching attack: unlike the above-mentioned attacks,
where MAC protocol vulnerabilities are exploited, these attacks exploit the
vulnerabilities in the security mechanisms that are employed to secure the MAC layer
of the network. Pre-computation and partial matching attacks exploit the cryptographic
primitives that are used at the MAC layer to secure the communication. In a pre-computation
attack or time memory trade-off attack (TMTO), the attacker computes a large
amount of information (key, plaintext, and respective ciphertext) and stores that
information before launching the attack. When the actual transmission starts, the
attacker uses the pre-computed information to speed up the cryptanalysis process.
TMTO attacks are highly effective against a large number of cryptographic solutions.
On the other hand, in a partial matching attack, the attacker has access to some (cipher
text, plaintext) pairs, which in turn decreases the encryption key strength, and improves
the chances of success of the brute force mechanisms. Partial matching attacks exploit
weak implementations of encryption algorithms.

Fig. 2. Illustration of MAC spoofing and replay attacks


DoS attacks may also be launched by exploiting the security mechanisms. For example, the
IEEE 802.11i standard for MAC layer security in wireless networks is prone to the session
hijacking attack and the man-in-the-middle attack, exploiting the vulnerabilities in IEEE
802.1X, and to DoS attacks exploiting vulnerabilities in the four-way handshake procedure in
IEEE 802.11i.

2.3 Network layer attacks


The attacks on the network layer can be divided into control plane attacks and data plane
attacks, and can be active or passive in nature. Control plane attacks generally target the
routing functionality of the network layer. The objective of the attacker is to make routes
unavailable or force the network to choose sub-optimal routes. On the other hand, the data
plane attacks affect the packet forwarding functionality of the network. The objective of the
attacker is to cause the denial of service for the legitimate user by making user data
undeliverable or injecting malicious data into the network. We first consider the network
layer control plane attacks, and then the network layer data plane attacks.

i. Control plane attacks: Rushing attacks (Hu et al., 2003a) targeting the on-demand routing
protocols (e.g., AODV) were among the first exposed attacks on the network layer of
multi-hop wireless networks. Rushing attacks exploit the route discovery mechanism of
on-demand routing protocols. In these protocols, the node requiring the route to the
destination floods the route_request (RREQ) message, which is identified by a sequence
number. To limit the flooding, each node only forwards the first message that it receives
and drops remaining messages with the same sequence number. To avoid collisions of the
messages, the protocol specifies a specific amount of delay between the receiving of a
route request message by a particular node, and its forwarding by the same node. The
malicious node launching the rushing attack forwards the RREQ message to the target
node before any other intermediate node from the source to destination. This can easily be
achieved by ignoring the specified delay. Consequently, the route from the source to the
destination includes the malicious node as an intermediate hop, which can then drop the
packets of the flow thereby launching a data plane DoS attack.

Fig. 3. Illustration of wormhole attack launched by nodes M1 and M2


A wormhole attack has a similar objective albeit it uses a different technique (Hu et al.,
2003b). During a wormhole attack, two or more malicious nodes collude together by
establishing a tunnel using an efficient communication medium (i.e., wired connection
or high-speed wireless connection etc.), as shown in Fig. 3. During the route discovery
phase of the on-demand routing protocols, the RREQ messages are forwarded between
the malicious nodes using the established tunnel. Therefore, the first RREQ message
that reaches the destination node is the one forwarded by the malicious nodes.
Consequently, the malicious nodes are added in the path from the source to the
destination. Once the malicious nodes are included in the routing path, these nodes
either drop all the packets resulting in a complete DoS attack, or drop the packets
selectively to avoid detection.
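A receiver can expose such a tunnel with a packet leash (Hu, Perrig & Johnson, "Packet leashes", listed in the references above): every hop carries the original sender's authenticated position and send time, and the receiver rejects any frame that could not have arrived over a single radio hop. The Python below is an added example, not code from this chapter; it applies both leash checks to the scenario of Fig. 3. The 250 m range, the error bounds, the positions and the 20 µs tunnel delay are constructed values, and the leash fields are assumed to be authenticated so that a tunnel replaying the frame cannot rewrite them.

```python
"""Packet-leash checks that expose a wormhole-tunnelled route request.

Added example, not code from the chapter. A receiving mesh router applies a
geographic leash and a temporal leash to every RREQ it hears. Topology,
radio range, error bounds and the tunnel delay are constructed sample values.
"""
import math
from dataclasses import dataclass

C = 299_792_458.0        # propagation speed of the radio signal, m/s
RADIO_RANGE = 250.0      # assumed maximum single-hop range, metres
MAX_LOC_ERROR = 10.0     # assumed localisation error of one node, metres
MAX_CLOCK_SKEW = 1e-6    # assumed bound on clock synchronisation error, s


@dataclass(frozen=True)
class Rreq:
    """A route request as heard on one hop. sender_pos and send_time form the
    leash; they are assumed to be authenticated by the original sender, so a
    tunnel endpoint that replays the frame cannot rewrite them."""
    src: str
    seq: int
    sender: str
    sender_pos: tuple
    send_time: float


def geographic_leash_ok(pkt: Rreq, my_pos: tuple) -> bool:
    """Sender and receiver must lie within one radio range, allowing for the
    localisation error at both ends (mesh routers are assumed static)."""
    return math.dist(pkt.sender_pos, my_pos) <= RADIO_RANGE + 2 * MAX_LOC_ERROR


def temporal_leash_ok(pkt: Rreq, recv_time: float) -> bool:
    """The frame may not have been in flight longer than one radio range at
    light speed plus the clock skew; a negative flight time is also rejected."""
    flight = recv_time - pkt.send_time
    return 0.0 <= flight <= RADIO_RANGE / C + MAX_CLOCK_SKEW


def check_rreq(pkt: Rreq, my_pos: tuple, recv_time: float) -> dict:
    """Verdict a receiver forms before it forwards or answers the RREQ."""
    geo = geographic_leash_ok(pkt, my_pos)
    tmp = temporal_leash_ok(pkt, recv_time)
    return {"geographic": geo, "temporal": tmp, "accept": geo and tmp}


def simulate() -> dict:
    """Constructed scenario after Fig. 3: S floods a RREQ; N is a genuine
    neighbour 200 m away; D is 1000 m away and only hears the RREQ because
    M1 (near S) captured it and M2 (near D) replayed it over the tunnel."""
    s_pos, n_pos, d_pos = (0.0, 0.0), (200.0, 0.0), (1000.0, 0.0)
    pkt = Rreq(src="S", seq=7, sender="S", sender_pos=s_pos, send_time=0.0)

    n_recv = math.dist(s_pos, n_pos) / C      # honest propagation only
    tunnel_delay = 20e-6                        # assumed tunnel latency
    d_recv = math.dist(s_pos, d_pos) / C + tunnel_delay

    return {"N": check_rreq(pkt, n_pos, n_recv),
            "D": check_rreq(pkt, d_pos, d_recv)}


if __name__ == "__main__":
    for node, verdict in simulate().items():
        print(node, verdict)
```

A tunnel fast enough to stay under the temporal bound would still fail the geographic check, so the two leashes cover different attacker budgets; both are only as strong as the authentication of the leash fields.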
A blackhole attack (also called a sinkhole attack) (Al-Shurman et al., 2004) is another
attack that leads to denial of service in WMNs. It also exploits the route discovery
mechanism of on-demand routing protocols. In a blackhole attack, the malicious node
always replies positively to a RREQ, even though it may have no valid route to the
destination. Because the malicious node does not consult its routing table before
replying, it is usually the first to answer the RREQ. Therefore, almost all traffic within
the neighborhood of the malicious node is directed towards it, and the node may then
drop every packet, resulting in denial of service. Fig. 4 shows the effect of a blackhole
attack in the neighborhood of the malicious node, where all traffic is directed towards
that node. A more complex form is the cooperative blackhole attack, in which multiple
nodes collude, resulting in complete disruption of the routing and packet-forwarding
functionality of the network. The cooperative blackhole attack and a prevention
mechanism are studied in (Ramaswamy et al., 2003).

Security Issues in a Networked Age, Wireless Mesh Networks, 49 / 244

Fig. 4. Illustration of blackhole attack launched by node M


A grayhole attack is a variant of the blackhole attack (Sen et al., 2007). In a blackhole
attack, the malicious node drops all the traffic it is supposed to forward, which makes
detecting the malicious node comparatively easy. In a grayhole attack, the adversary
evades detection by dropping packets selectively. A grayhole does not cause a complete
denial of service, but it may go undetected for much longer, because the malicious
packet drops can be mistaken for congestion, which also causes selective packet loss.
A Sybil attack is one in which a malicious node creates multiple identities in the
network, each appearing to be a legitimate node (Newsome et al., 2004). The Sybil attack
was first identified in distributed computing applications, where an attacker exploited
the redundancy in the system by creating multiple identities and thereby controlling a
considerable share of the system's resources. In a networking scenario, services such as
packet forwarding, routing, and collaborative security mechanisms can all be disrupted
by a Sybil attack. The following form of the attack affects the network layer of WMNs,
which are supposed to exploit the path diversity in the network to increase the
available bandwidth and reliability. If the malicious node creates multiple identities,
the legitimate nodes will take these identities to be distinct nodes and will add them
to the list of distinct paths available to a particular destination. When packets are
forwarded to these fake nodes, the single malicious node that created the identities
processes them, so all of the supposedly distinct routing paths actually pass through
the malicious node. The malicious node may then launch any of the attacks described
above. Even if no further attack is launched, the benefit of path diversity is lost,
resulting in degraded performance.
In addition to the attacks described above, the network layer of a WMN is also prone to
attacks such as the route request (RREQ) flooding attack, route reply (RREP) loop attack,
route re-direction attack, fabrication attack and network partitioning attack. RREQ
flooding is one of the simplest: a malicious node tries to flood the entire network with
RREQ messages, causing a large number of unnecessary broadcast transmissions and thereby
draining energy and wasting bandwidth. A routing loop is a path that passes through the
same nodes over and over again; an attack that creates one depletes the resources of
every node in the loop and isolates the destination node.
Fig. 5 describes two instances of a route re-direction attack launched by a malicious
node M. In case A, M initiates the attack by modifying the mutable fields in the routing
messages; these include the hop count, the sequence numbers and other metric-related
fields. M diverts the traffic through itself by advertising a route to the destination
with a larger destination sequence number (DSN) than the one it received from the
destination, since a larger DSN is treated as the fresher route. In case B, the attack
is launched by modifying the metric field in the AODV routing message, which in this
case is the hop-count field: M simply resets the hop count to zero in order to claim
the shortest path to the destination.

Fig. 5. Illustration of route re-direction attack


An adversary may also fabricate false routing messages in order to disrupt routing. For
example, a malicious node may fabricate a route error (RERR) message in the AODV
protocol, causing the upstream nodes to re-initiate route requests for the destination
falsely reported as unreachable in order to discover alternative routes, which wastes
energy and bandwidth. In a network partitioning attack, malicious nodes collude to
corrupt the routing tables in such a way that the network is divided into disconnected
partitions, resulting in denial of service for part of the network. Routing loop attacks
affect the packet-forwarding capability of the network: packets keep circulating in the
loop until they reach the maximum hop count, at which point they are simply dropped.
ii. Data plane attacks: data plane attacks are primarily launched by selfish and malicious
(compromised) nodes in the network and lead to performance degradation or denial of
service for legitimate user data traffic. The simplest data plane attack is passive
eavesdropping, which is carried out at the MAC layer. Selfish behavior of the participating
WMN nodes is a major security issue because the nodes depend on each other for data
forwarding. An intermediate-hop selfish node may not perform the packet-forwarding
function as the protocol requires: it may drop all data packets, resulting in complete
denial of service, or drop them selectively or randomly. Such selfish behavior is hard to
distinguish from link failure or network congestion. Malicious intermediate-hop nodes, on
the other hand, may inject junk packets into the network. Considerable network resources
(bandwidth and packet processing time) are consumed in forwarding the junk packets, which
may lead to denial of service for legitimate user traffic. Malicious nodes may also inject
maliciously crafted control packets, which may disrupt the routing functionality; the
control plane attacks described above depend on such crafted control packets. Malicious
and selfish behaviors of nodes in WMNs have been studied in (Zhong et al., 2005; Salem et
al., 2003).
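The route re-direction and blackhole attacks above all hinge on one rule of AODV: a route reply replaces the current route whenever it carries a larger destination sequence number, or the same sequence number with a smaller hop count. The following added example (not code from the chapter or from AODV itself) models that rule in isolation, replays Fig. 5 cases A and B against it, and counts what a blackhole or grayhole next hop then delivers. The threshold on sequence-number jumps is a hypothetical sanity check, not part of AODV:

```python
"""AODV route selection (RFC 3561, sect. 6.7) and how the route re-direction
and blackhole attacks above exploit it. Constructed example, not the chapter's."""
from dataclasses import dataclass


@dataclass
class RREP:
    sender: str      # neighbour the RREP arrived from; becomes the next hop
    dest: str
    dest_seq: int    # destination sequence number (DSN)
    hop_count: int   # hops to dest as seen by the receiving node


@dataclass
class Route:
    next_hop: str
    dest_seq: int
    hop_count: int


class AodvNode:
    """Only the rule that decides whether a RREP replaces the current route:
    accept if the DSN is larger, or equal with a smaller hop count."""

    def __init__(self, name, max_seq_jump=None):
        self.name = name
        self.routes = {}
        # Hypothetical mitigation, not part of AODV: ignore a RREP whose DSN
        # exceeds the stored DSN by more than max_seq_jump.
        self.max_seq_jump = max_seq_jump

    def process_rrep(self, r):
        cur = self.routes.get(r.dest)
        if (cur is not None and self.max_seq_jump is not None
                and r.dest_seq - cur.dest_seq > self.max_seq_jump):
            return False
        fresher = cur is None or r.dest_seq > cur.dest_seq
        shorter = (cur is not None and r.dest_seq == cur.dest_seq
                   and r.hop_count < cur.hop_count)
        if fresher or shorter:
            self.routes[r.dest] = Route(r.sender, r.dest_seq, r.hop_count)
            return True
        return False


def chosen_next_hop(attack, max_seq_jump=None):
    """Source S hears the honest RREP for D (relayed by B: DSN 10, 3 hops),
    then a RREP from malicious neighbour M. attack='dsn' inflates the DSN
    (Fig. 5 case A); attack='hops' keeps the DSN but zeroes the hop count,
    which S sees as a 1-hop route (Fig. 5 case B)."""
    s = AodvNode("S", max_seq_jump)
    s.process_rrep(RREP("B", "D", dest_seq=10, hop_count=3))
    if attack == "dsn":
        s.process_rrep(RREP("M", "D", dest_seq=500, hop_count=2))
    elif attack == "hops":
        s.process_rrep(RREP("M", "D", dest_seq=10, hop_count=1))
    return s.routes["D"].next_hop


def delivered(next_hop, drop_every, n_packets):
    """Packets that reach D. drop_every maps a forwarder to the period of its
    drops: 1 drops everything (blackhole), k > 1 drops every k-th packet
    (grayhole), absent means honest forwarding."""
    k = drop_every.get(next_hop)
    return sum(1 for i in range(1, n_packets + 1) if k is None or i % k != 0)
```

The sequence-number threshold stops the inflated-DSN variant but does nothing against the zeroed hop count, since that reply looks perfectly fresh; that is why the secured protocols later in this chapter (SEAD, SAODV) bind the hop count to a one-way hash chain instead of trusting the field.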

2.4 Transport layer attacks


The attacks that can be launched on the transport layer of a WMN are the flooding attack and
the de-synchronization attack. Whenever a protocol has to maintain state at either end of a
connection, it becomes vulnerable to memory exhaustion through flooding: an attacker
repeatedly makes new connection requests until the resources required per connection are
exhausted or reach their maximum limit, after which further legitimate requests are ignored.
De-synchronization refers to the disruption of an existing connection (Wood et al., 2002).
An attacker may, for example, repeatedly spoof messages to an end host, causing the host to
request retransmission of frames it never missed. If timed correctly, the attacker can degrade
or even prevent the end hosts' ability to exchange data, making them waste energy recovering
from errors that do not actually exist.
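Table 1 lists client puzzles as the defense against transport-layer flooding. The point of a puzzle is that the server commits no per-connection state until the client has paid for it with work the server can verify cheaply and statelessly. The following added example (not code from the chapter) implements that pattern: the challenge is an HMAC the server can recompute from the client address and an epoch, so nothing is stored per client, and a flood of unsolved requests obtains no connection state. The difficulty, capacity and addresses are made up:

```python
"""Client puzzles against connection-state flooding (Table 1, transport layer).
Constructed example, not from the chapter: the server issues a stateless
challenge and allocates per-connection state only after the client has paid
for it with a proof of work."""
import hashlib
import hmac
import os


def _leading_zero_bits_ok(digest, bits):
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


class PuzzleServer:
    def __init__(self, difficulty_bits, max_connections, secret=None):
        self.secret = secret or os.urandom(32)    # server-only, rotated with the epoch
        self.difficulty = difficulty_bits
        self.max_connections = max_connections
        self.connections = set()                  # the state an attacker wants to exhaust
        self.rejected = 0

    def challenge(self, client, epoch):
        """HMAC(secret, client || epoch): recomputable, so nothing is stored per client."""
        return hmac.new(self.secret, f"{client}|{epoch}".encode(), hashlib.sha256).digest()

    def connect(self, client, epoch, nonce):
        """Allocate state only for a fresh, correct solution to this client's puzzle."""
        digest = hashlib.sha256(self.challenge(client, epoch) + nonce.to_bytes(8, "big")).digest()
        key = (client, epoch, nonce)
        if (not _leading_zero_bits_ok(digest, self.difficulty)
                or key in self.connections                       # solution replayed
                or len(self.connections) >= self.max_connections):
            self.rejected += 1
            return False
        self.connections.add(key)
        return True


def solve(challenge, difficulty_bits):
    """Client side: brute-force a nonce; expected cost about 2^difficulty hashes."""
    nonce = 0
    while True:
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if _leading_zero_bits_ok(digest, difficulty_bits):
            return nonce
        nonce += 1


def flood_vs_legitimate(n_flood, difficulty_bits=16, capacity=8):
    """n_flood spoofed requests that skip the work, then one client that solves
    its puzzle. Returns (connections the flood obtained, legitimate client accepted)."""
    srv = PuzzleServer(difficulty_bits, capacity)
    for i in range(n_flood):
        srv.connect(f"10.0.{i // 256}.{i % 256}", epoch=1, nonce=0)   # no work done
    held_by_flood = len(srv.connections)
    legit = srv.connect("10.1.1.1", 1, solve(srv.challenge("10.1.1.1", 1), difficulty_bits))
    return held_by_flood, legit
```

Tying the challenge to an epoch lets the server rotate it so that solutions cannot be stockpiled, and recording accepted (client, epoch, nonce) triples stops a single solution from being replayed to open several connections.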
Table 1 presents various types of vulnerabilities in different layers of a WMN and their
respective defense mechanisms.

Layer        Attack                                    Defense mechanism
-----------  ----------------------------------------  ------------------------------------------------
Physical     Jamming, device tampering                 Spread-spectrum, priority messages, lower duty
                                                       cycle, region mapping, mode change
MAC          Collision                                 Error-correction code
             Exhaustion                                Rate limitation
             Unfairness                                Small frames
Network      Spoofed routing information and           Egress filtering, authentication, monitoring
             selective forwarding
             Sinkhole                                  Redundancy checking
             Sybil                                     Authentication, monitoring, redundancy
             Wormhole                                  Authentication, probing
             Hello flood                               Authentication, packet leashes using geographic
                                                       and temporal information
             Acknowledgement flooding                  Authentication, bi-directional link
                                                       authentication verification
Transport    Flooding                                  Client puzzles
             De-synchronization                        Authentication
Application  Logic errors                              Application authentication
             Buffer overflow                           Trusted computing

Table 1. Attacks on different layers of a WMN and their countermeasures

3. Routing Challenges in WMNs


In this section, some of the important challenges in designing routing protocols for WMNs
are discussed. A typical architecture of a hierarchical WMN is presented in Fig. 1. At the top
layer are the Internet gateways (IGWs), which are connected to the wired Internet. They form
the backbone infrastructure that provides Internet connectivity to the elements in the second
level. The entities at the second level are the wireless mesh routers (MRs); they eliminate the
need for wired infrastructure at every MR and forward their traffic in a multi-hop fashion
towards an IGW. At the lowest level are the mesh clients (MCs), the wireless devices of the
users. Internet connectivity and peer-to-peer communication inside the mesh are the two main
applications of a WMN. Therefore, the design of an efficient, low-overhead routing protocol
that avoids unreliable routes and accurately estimates the end-to-end delay of a flow along
the path from source to destination is a major challenge.
Some of the major challenges in designing routing protocol for WMNs are discussed below:
i. Measuring link reliability: it has been observed that in wireless ad hoc networks such as
WMNs, broadcast messages create communication gray zones (Lundgren et al., 2002): zones in
which hello messages still reach the neighbors but data messages cannot be exchanged,
which disrupts communication among the nodes. Since routing protocols such as AODV and
WMR (Xue et al., 2003) rely on control packets like RREQ, they are highly unreliable for
estimating the quality of wireless links. Because of the gray zone problem, nodes that can
exchange RREQ packets in both directions sometimes cannot send or receive data packets
at a high rate. These fragile links trigger link repairs, resulting in high control overhead.
ii. End-to-end delay estimation: an important issue in a routing protocol is end-to-end
delay estimation. Current protocols estimate end-to-end delay by measuring the time
taken to route request (RREQ) and route reply (RREP) packets along the given path.
However, RREQ and RREP packets differ from normal data packets and are therefore
unlikely to experience the same levels of delay and loss. It has been observed through
simulation that a RREP-based estimator overestimates, while a hop-count-based estimator
underestimates, the actual delay experienced by data packets (Kone et al., 2007). The
reason a RREP-based estimator deviates significantly from the actual end-to-end delay is
interference. RREQ packets are flooded through the network, producing a heavy burst of
traffic that causes inter-flow interference along the paths; unicast data packets do not
cause such bursts. Moreover, as a stream of packets traverses a route, the broadcast
nature of wireless links makes different packets of the same flow interfere with each
other, adding per-packet delay. Since the control packets do not experience this
per-packet delay, estimates based on control-packet delay deviate widely from the delay
actually experienced by data packets.
iii. Reduction of control overhead: since the effective bandwidth of wireless channels
varies continuously, reducing control overhead is important in order to maximize network
throughput. Reactive protocols such as AODV and DSR use flooding of RREQ packets for
route discovery, which consumes a high proportion of the network bandwidth and reduces
the effective throughput. An important challenge in designing a routing protocol for
WMNs is therefore to optimize the communication and computation overhead of the control
messages so that the bandwidth of the wireless channels is used for applications as
efficiently as possible. Security and privacy requirements add another dimension of
complexity: the goal of the protocol designer is a security framework that involves
minimal computational and communication overhead.

53
248 Wireless
Security Issues in a Mesh Networks
Networked Age

4. Secure Routing Protocols for WMNs


Extensive work has been done in the area of secure unicast routing in multi-hop wireless
networks (Hu et al., 2002a; Hu et al., 2002b; Sanzgiri et al., 2002; Marti et al., 2000;
Papadimitratos et al., 2003a; Awerbuch et al., 2002; Awerbuch et al., 2005). As mentioned in
Section 2.3, attacks on routing protocols can target the route establishment process, the
data delivery process, or both. Ariadne (Hu et al., 2002a) and SRP (Papadimitratos et al.,
2003a) secure on-demand source routing protocols by using hop-by-hop authentication to
prevent malicious manipulation of packets during route discovery. SEAD (Hu et al., 2002b)
and SAODV (Zapata et al., 2002) secure distance vector routing (the proactive DSDV and the
on-demand AODV, respectively) by using one-way hash chains to protect the propagation of
hop counts and sequence numbers, while ARAN (Sanzgiri et al., 2002) secures on-demand
routing with certificates and digital signatures. The authors in (Papadimitratos et al.,
2003b) propose a secure link state routing protocol that ensures the correctness of link
state updates with digital signatures and one-way hash chains. To ensure correct data
delivery, (Marti et al., 2000) proposes the watchdog and pathrater techniques, which detect
adversarial nodes by having each node monitor whether its neighbors forward packets
correctly. SMT (Papadimitratos et al., 2003a) and Ariadne (Hu et al., 2002a) use multi-path
routing to prevent malicious nodes from selectively dropping data. ODSBR (Awerbuch et al.,
2002; Awerbuch et al., 2005) provides resilience to colluding Byzantine attackers by
detecting malicious links through end-to-end acknowledgment-based feedback. In HWMP
(Bahr, 2006; Bahr, 2007), the on-demand mode allows two mesh points (MPs) to communicate
over peer-to-peer paths; this mode is used primarily when nodes experience a changing
environment and no root MP is configured, whereas the proactive tree-building mode is the
efficient choice for a fixed network topology. HWMP does not address security, however,
and is vulnerable to numerous attacks such as RREQ flooding, RREP routing loops, route
re-direction, fabrication and tunnelling (Li et al., 2011). LHAP (Zhu et al., 2003) is a
lightweight transparent authentication protocol for wireless ad hoc networks. It uses
TESLA (Perrig et al., 2000) to maintain the trust relationship among nodes, which is
unrealistic because of TESLA's delayed key disclosure period. Moreover, in LHAP simply
attaching the TRAFFIC key after the raw message is not secure, since the traffic key has
no binding to the message being transmitted.
In contrast to secure unicast routing, work studying security problems specific to multicast
routing in wireless networks is particularly scarce, with the notable exception of the work by
(Roy et al., 2005) and BSMR (Curtmola et al., 2007). The work in (Roy et al., 2005) proposes
an authentication framework that prevents outsider attacks in tree-based multicast protocol,
MAODV (Royer et al., 2000), while BSMR (Curtmola et al., 2007) complements the work in
(Roy et al., 2005) and presents a measurement-based technique that addresses insider attacks
in tree-based multicast protocols.
A key point to note is that all of the above existing work in secure unicast or multicast
routing considers routing protocols that use only basic routing metrics, such as hop count
and latency. None of them considers routing protocols that incorporate high-throughput
metrics, which have been shown to be critical for achieving high performance in wireless
networks. Worse, many of them have to remove important performance optimizations from
existing protocols in order to prevent attacks. There are also a few studies
(Papadimitratos et al., 2006; Zhu et al., 2006) on secure QoS routing in wireless networks,
but they require strong assumptions, such as symmetric links, correct trust evaluation of
nodes, and the ability to determine link metrics correctly despite attacks. In addition,
none of them considers attacks on the data delivery phase. The work presented in (Dong, 2009)
is the first of its kind that takes both high performance and security as goals in
multicast routing and considers attacks on both the path establishment and the data
delivery phases.
As mentioned in Section 2.3, wireless networks are also subject to rushing attacks and
wormhole attacks. Defenses against these attacks have been studied extensively (Hu et al.,
2003b; Hu et al., 2003a; Eriksson et al., 2006; Hu et al., 2004). RAP (Hu et al., 2003a)
prevents the rushing attack by collecting several copies of a flooded request and then
randomly selecting one to forward, rather than always forwarding the first one received.
Techniques to defend against wormhole attacks include packet leashes (Hu et al., 2003b),
which bound the maximum transmission distance of a packet using time or location
information; Truelink (Eriksson et al., 2006), which uses MAC-level acknowledgments to
infer whether a direct link really exists between two nodes; and the work in (Hu et al.,
2004), which relies on directional antennas.
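A packet leash is a receiver-side check: the sender attaches information that lets the receiver bound how far the packet can have travelled, and a frame that arrives through a wormhole tunnel (Fig. 3) fails that bound because its claimed origin is far outside radio range. The following added example (not the chapter's or the authors' code) implements both the temporal and the geographic leash and runs them against a constructed wormhole; the shared key, positions, timings and error bounds are assumptions, and the authenticating HMAC stands in for the signature or TESLA authentication the real scheme uses:

```python
"""Packet leashes (Hu et al., 2003b) as the receiver-side check against the
wormhole in Fig. 3. Constructed example, not the chapter's or the authors'
code; key, positions, timings and error bounds are assumptions."""
import hashlib
import hmac
import math
import struct

C = 299_792_458.0     # upper bound on propagation speed, m/s


def leash_tag(key, pos, t_send):
    """Sender authenticates the leash fields; otherwise a wormhole endpoint
    could rewrite them. Assumes a key shared by the legitimate nodes."""
    return hmac.new(key, struct.pack(">ddd", pos[0], pos[1], t_send), hashlib.sha256).digest()


def temporal_leash_ok(t_send, t_recv, max_range_m, clock_err_s):
    """Temporal leash: the packet cannot have travelled further than light
    could in the elapsed time plus the clock skew bound (needs sub-microsecond
    synchronisation to be useful at radio ranges)."""
    return (t_recv - t_send + clock_err_s) * C <= max_range_m


def geographic_leash_ok(pos_send, t_send, pos_recv, t_recv, max_range_m,
                        clock_err_s, max_speed_mps, pos_err_m):
    """Geographic leash: bound the sender-receiver distance, allowing both
    nodes to have moved at up to max_speed during the skew-adjusted transit
    time plus localisation error; tolerates far looser clocks."""
    d = math.dist(pos_send, pos_recv)
    return d + 2 * max_speed_mps * (t_recv - t_send + clock_err_s) + pos_err_m <= max_range_m


def accept_packet(key, leash, pos_recv, t_recv, max_range_m=250.0):
    """Receiver: verify the tag, then the geographic leash (assumed bounds:
    1 ms clock skew, 10 m/s node speed, 5 m positioning error)."""
    pos, t_send = leash["pos"], leash["t"]
    if not hmac.compare_digest(leash["tag"], leash_tag(key, pos, t_send)):
        return "forged leash"
    if not geographic_leash_ok(pos, t_send, pos_recv, t_recv, max_range_m, 1e-3, 10.0, 5.0):
        return "geographic leash violated"
    return "ok"


def wormhole_scenario():
    """A at (0,0) broadcasts at t0. B at (200,0) hears it directly about 1 ms
    later in this coarse model. M1/M2 tunnel the same frame to C at (1500,0),
    which hears it 5 ms later; a forged copy has the position rewritten."""
    key = b"constructed shared key, not a real secret......"
    t0 = 100.0
    leash = {"pos": (0.0, 0.0), "t": t0, "tag": leash_tag(key, (0.0, 0.0), t0)}
    direct = accept_packet(key, leash, (200.0, 0.0), t0 + 1e-3)
    tunnelled = accept_packet(key, leash, (1500.0, 0.0), t0 + 5e-3)
    forged = dict(leash, pos=(1450.0, 0.0))
    return direct, tunnelled, accept_packet(key, forged, (1500.0, 0.0), t0 + 5e-3)
```

The two leashes trade off differently: the temporal leash needs no positioning but requires clocks synchronised to well under a microsecond (250 m of radio range is about 830 ns of light travel), while the geographic leash works with millisecond-level skew but needs every node to know its position to within a few metres.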
In the following sub-sections, some of the well-known security protocols for routing in
WMNs are presented. These protocols are extensions of base routing protocols like AODV,
DSR etc. and use cryptographic mechanisms for ensuring node authentication, message
integrity and message confidentiality.

4.1 Authenticated Routing for Ad Hoc Networks (ARAN)


The authenticated routing for ad hoc networks (ARAN) protocol (Sanzgiri et al., 2002) is an
on-demand routing protocol that uses cryptographic certificates to provide routing security.
It provides authentication, message integrity and non-repudiation, but requires a small
amount of prior security coordination among the nodes. In (Sanzgiri et al., 2002),
vulnerabilities and attacks specific to the AODV and DSR protocols are discussed, and the
two protocols are compared with ARAN.
During the route discovery process of ARAN, the source node broadcasts route_request
(RREQ) packets. The destination node, on receiving a RREQ packet, responds by unicasting
back a reply packet, the route_reply (RREP). ARAN uses a preliminary cryptographic
certification process followed by an end-to-end route authentication process, which
together ensure secure route establishment. The protocol requires a trusted certificate
server T whose public key is known to all nodes in the network. End-to-end authentication
is achieved by having the source verify that the intended destination was indeed reached;
the source trusts the destination to choose the return path. The protocol is briefly
described below.
Issue of certificates: ARAN utilizes an authenticated trusted server whose public key is
known to all legitimate nodes in the network. The protocol assumes that keys are generated
a priori by the server and distributed to all nodes in the network. It does not specify any
specific key distribution algorithm. On joining the network, each node receives a certificate
from the trusted server. The certificate received by a node A from the trusted server T looks
like the following:

$T \rightarrow A : \mathit{cert}_A = [IP_A, K_A^{+}, t, e]_{K_T^{-}}$ (1)

In (1), $IP_A$, $K_A^{+}$, $t$, $e$ and $K_T^{-}$ denote the IP address of node A, the public key
of node A, the time of creation of the certificate, the time of expiry of the certificate,
and the private key of the server, respectively; the bracketed tuple is signed with $K_T^{-}$.
End-to-end route authentication: the main goal of the end-to-end route authentication
process is to ensure that packets reach the intended destination from the source node.
The source node S broadcasts a RREQ (route discovery) packet destined for the destination
node D. The RREQ packet contains the packet identifier (route discovery process, RDP), the
IP address of the destination ($IP_D$), the certificate of the source node S
($\mathit{cert}_S$), a nonce $N_S$ and the current time $t$, all signed with $K_S^{-}$, the
private key of the source node S, as in (2):

$S \rightarrow \text{broadcast} : [RDP, IP_D, \mathit{cert}_S, N_S, t]_{K_S^{-}}$ (2)

Whenever the source sends a route discovery message, it increments the nonce. The nonce is
a counter used together with the timestamp, so that the nonce can be recycled safely. When
a node receives an RDP packet from the source carrying a higher nonce than any previously
received RDP packet from the same source, it records the neighbor from which it received
the packet, signs the packet with its own private key, appends its own certificate, and
re-broadcasts it, as in (3):

$A \rightarrow \text{broadcast} : [[RDP, IP_D, \mathit{cert}_S, N_S, t]_{K_S^{-}}]_{K_A^{-}}, \mathit{cert}_A$ (3)

An intermediate node B, on receiving the RDP packet from node A, verifies A's signature
using $\mathit{cert}_A$, removes A's signature and certificate, signs the source-signed
packet with its own private key, appends its own certificate, and broadcasts the packet
further. The destination node, on receiving an RDP packet, verifies node S's certificate
and the tuple ($N_S$, $t$) and then replies with a route reply (REP). The destination
unicasts the REP packet to the source node along the reverse path, as in (4):

$D \rightarrow X : [REP, IP_S, \mathit{cert}_D, N_S, t]_{K_D^{-}}$ (4)

In (4), node X is the neighbor of the destination node D that originally forwarded the RDP
packet to D. The REP packet is processed hop by hop on the reverse path in the same way as
the route discovery packet. An error message is generated if the timestamp or nonce fails
the checks or if certificate verification fails; the error message has the same form as the
other packets except that the packet identifier is replaced by ERR.
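Equations (1) to (4) are easier to follow as an executable exchange. The following added example (not the chapter's or the ARAN authors' code) issues certificates from a trusted server T, runs an RDP from S through A and B to D with each hop verifying and re-signing as in (3), returns the REP along the recorded reverse path as in (4), and then shows a replayed RDP and a relay by an outsider M being dropped. To stay within the standard library the signatures are textbook RSA over Mersenne primes, which is a trivially breakable stand-in for a real signature scheme; the node addresses, timestamps and lifetimes are made up:

```python
"""ARAN route discovery, equations (1)-(4), as a runnable walkthrough.
Constructed example, not the chapter's or the ARAN authors' code. Signatures
are textbook RSA over Mersenne primes so it runs on the standard library
alone; that is a trivially breakable stand-in for real signatures."""
import hashlib
import json

def toy_keypair(kp, kq, e=65537):
    """2^kp-1 and 2^kq-1 must be Mersenne primes. Returns (public, private)."""
    p, q = (1 << kp) - 1, (1 << kq) - 1
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _h(obj, n):
    raw = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n

def sign(priv, obj):
    return pow(_h(obj, priv[0]), priv[1], priv[0])

def verify(pub, obj, sig):
    return pow(sig, pub[1], pub[0]) == _h(obj, pub[0])

def issue_cert(ca_priv, ip, pub, now, lifetime=3600):
    """(1): cert_A = [IP_A, K_A+, t, e] signed with K_T-."""
    body = {"ip": ip, "pub": pub, "t": now, "e": now + lifetime}
    return {"body": body, "sig": sign(ca_priv, body)}

class Node:
    def __init__(self, ip, kp, kq, ca_pub, ca_priv, now):
        self.ip, self.ca_pub = ip, ca_pub
        self.pub, self.priv = toy_keypair(kp, kq)
        self.cert = issue_cert(ca_priv, ip, self.pub, now)
        self.nonce = 0
        self.last_nonce = {}    # source ip -> highest nonce accepted
        self.prev_hop = {}      # (source ip, nonce) -> neighbour the RDP came from

    def originate_rdp(self, ip_d, now):
        """(2): [RDP, IP_D, cert_S, N_S, t] signed with K_S-."""
        self.nonce += 1
        inner = {"type": "RDP", "ip_d": ip_d, "cert": self.cert, "nonce": self.nonce, "t": now}
        return {"inner": inner, "inner_sig": sign(self.priv, inner)}

    def originate_rep(self, rdp_inner):
        """(4): [REP, IP_S, cert_D, N_S, t] signed with K_D-, echoing the request's N_S and t."""
        inner = {"type": "REP", "ip_s": rdp_inner["cert"]["body"]["ip"], "cert": self.cert,
                 "nonce": rdp_inner["nonce"], "t": rdp_inner["t"]}
        return {"inner": inner, "inner_sig": sign(self.priv, inner)}

    def accept(self, pkt, now, from_ip):
        """Checks every hop performs on an RDP or REP; False means drop it."""
        inner, c = pkt["inner"], pkt["inner"]["cert"]
        if not (c["body"]["t"] <= now < c["body"]["e"] and verify(self.ca_pub, c["body"], c["sig"])):
            return False                      # originator's certificate invalid or expired
        if not verify(c["body"]["pub"], inner, pkt["inner_sig"]):
            return False                      # originator's signature invalid
        if "hop_cert" in pkt:                 # (3): previous hop signed and appended its cert
            hc = pkt["hop_cert"]
            if hc["body"]["ip"] != from_ip or not verify(self.ca_pub, hc["body"], hc["sig"]):
                return False
            if not verify(hc["body"]["pub"], {"inner": inner, "inner_sig": pkt["inner_sig"]}, pkt["hop_sig"]):
                return False
        elif from_ip != c["body"]["ip"]:
            return False                      # unsigned relay by someone other than the originator
        if inner["type"] == "RDP":
            src = c["body"]["ip"]
            if inner["nonce"] <= self.last_nonce.get(src, 0):
                return False                  # replayed or stale RDP
            self.last_nonce[src] = inner["nonce"]
            self.prev_hop[(src, inner["nonce"])] = from_ip
        return True

    def relay(self, pkt):
        """Drop the previous hop's signature and cert, sign the source-signed part, append own cert."""
        signed = {"inner": pkt["inner"], "inner_sig": pkt["inner_sig"]}
        return dict(signed, hop_sig=sign(self.priv, signed), hop_cert=self.cert)

def run_discovery(now=1_000_000):
    """S -> A -> B -> D and the REP back along the recorded reverse path, plus a
    replayed RDP and a relay by M, whose certificate was not issued by T."""
    ca_pub, ca_priv = toy_keypair(127, 89)            # trusted server T
    S, A, B, D = (Node(ip, kp, kq, ca_pub, ca_priv, now) for ip, kp, kq in
                  (("10.0.0.1", 107, 61), ("10.0.0.2", 521, 31), ("10.0.0.3", 607, 19), ("10.0.0.4", 1279, 13)))
    nodes = {n.ip: n for n in (S, A, B, D)}
    rdp = S.originate_rdp(D.ip, now)
    ok = A.accept(rdp, now, S.ip); pkt = A.relay(rdp)
    ok &= B.accept(pkt, now, A.ip); pkt = B.relay(pkt)
    ok &= D.accept(pkt, now, B.ip)
    rep, hop, prev, path = D.originate_rep(pkt["inner"]), D, D.prev_hop[(S.ip, 1)], []
    while prev != S.ip:                               # each hop verifies, re-signs, forwards to its predecessor
        n = nodes[prev]; ok &= n.accept(rep, now, hop.ip); rep = n.relay(rep)
        path.append(n.ip); hop, prev = n, n.prev_hop[(S.ip, 1)]
    ok &= S.accept(rep, now, hop.ip) and rep["inner"]["nonce"] == S.nonce
    replayed = A.accept(rdp, now, S.ip)               # same nonce again
    M = Node("10.0.0.9", 2203, 17, ca_pub, toy_keypair(2281, 3217)[1], now)   # cert from a rogue CA
    rdp2 = S.originate_rdp(D.ip, now)
    outsider = B.accept(M.relay(rdp2), now, M.ip)
    control = B.accept(A.relay(rdp2), now, A.ip)
    return {"route_ok": ok, "reverse_path": path, "replay_accepted": replayed,
            "outsider_accepted": outsider, "control_accepted": control}
```

Note where the cost lands: every hop performs two signature verifications and one signing per packet, which is the property the summary below identifies as ARAN's exposure to floods of bogus control packets.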
In summary, ARAN is robust against attacks such as unauthorized participation, spoofed
route signaling, fabricated routing messages, alteration of routing messages, attacks on
the securing of shortest paths, and replay attacks. However, since ARAN uses public-key
cryptography for authentication, it is particularly vulnerable to DoS attacks that flood
the network with bogus control packets, each of which requires a signature verification.
As long as a node cannot verify signatures at the required rate, an attacker can force it
to discard a fraction of the control packets it receives.

4.2 Secure Efficient Ad Hoc Distance Vector (SEAD) routing protocol


Secure efficient ad hoc distance vector (SEAD) (Hu et al., 2002b) is a secure, proactive ad hoc
routing protocol based on the destination-sequenced distance vector (DSDV) routing protocol
(Perkins et al., 1994). It is designed mainly to withstand DoS and resource consumption
attacks, and its operation is not affected even in the presence of multiple uncoordinated
attackers corrupting routing tables. The protocol uses a one-way hash function and involves
no asymmetric cryptographic operations. The basic idea of SEAD is to authenticate the
sequence number and the metric of a routing table update using elements of a hash chain.
The receiver also authenticates the sender, ensuring that the routing information originates
from the correct node; the source of each routing update message is authenticated in order
to prevent an attacker from creating a routing loop through an impersonation attack.
In the following, first a brief description of the base DSDV protocol is given followed by a
discussion on the enhancements proposed in the SEAD protocol.
Distance vector routing: distance vector routing protocols belong to the category of table-
driven routing protocols. Each node maintains a routing table containing the list of all
known routes to various destination nodes in the network. The metric used for routing is the
distance measured in terms of hop-count. The routing table is updated periodically by
exchanging routing information. An alternative to this approach is triggered updates, in
which each node broadcasts routing updates only if its routing table gets altered. The DSDV
protocol for ad hoc wireless networks and WMNs uses sequence number tags to prevent the
formation of loops, to counter the count-to-infinity problem, and for faster convergence.
When a new route update packet is received for a destination, the node updates the
corresponding entry in its routing table only if the sequence number on the received update
is greater than that recorded with the corresponding entry in the routing table. If the
received sequence number and the previously recorded sequence number are both equal,
but if the routing update has a new value for the routing metric (distance in number of
hops), then in this case also the update is effected. Otherwise, the received update packet is
discarded. DSDV uses triggered updates (for important routing changes) in addition to the
regular periodic updates. A slight variation of DSDV protocol known as DSDV sequence
number (DSDV-SQ), initiates triggered updates on receiving a new sequence number update.
One-way hash function: SEAD uses authentication to distinguish updates received from
non-malicious nodes from those sent by malicious nodes, which minimizes the opportunity for
resource consumption attacks. SEAD authenticates updates with a one-way hash function. A
one-way hash function $H$ generates a one-way hash chain $(h_0, h_1, h_2, \ldots)$. $H$ maps
an input bit-string of any length to a fixed-length bit-string, that is,
$H : \{0,1\}^{*} \rightarrow \{0,1\}^{\rho}$, where $\rho$ is the length in bits of the output.
To create a one-way hash chain, a node picks a random initial value $x \in \{0,1\}^{\rho}$ and
sets $h_0 = x$; the remaining values are computed as $h_i = H(h_{i-1})$ for $1 \le i \le n$,
for some $n$. How the one-way hash chain secures the DSDV-SQ routing protocol is explained
next. SEAD assumes an upper bound on the metric. For example, if the metric is distance,
then the upper bound $m - 1$ is the maximum diameter (the largest hop count of any route
between a pair of nodes) of the ad hoc wireless network or WMN; hence the protocol assumes
that no route of more than $m - 1$ hops exists between any two nodes.
If the sequence of values computed by a node is $(h_0, h_1, \ldots, h_n)$, where $n$ is
divisible by $m$, then for a routing table entry with sequence number $i$ let
$k = n/m - i$. If the metric (distance) for that entry is $j$, with $0 \le j \le m - 1$, then
the value $h_{km+j}$ is used to authenticate the routing update entry for sequence number
$i$ and metric $j$. Whenever a route update message is sent, the node appends the
authentication value to it. If the authentication value is $h_{km+j}$, an attacker who
wants to advertise a better metric (smaller $j$) or a fresher sequence number (larger $i$,
hence smaller $k$) would need an earlier element of the chain such as $h_{km+j-1}$. Since
the chain is one-way, computing $h_{km+j-1}$ from $h_{km+j}$ is infeasible; an attacker can
only hash forward, that is, claim a worse metric. An intermediate node, on receiving such an
authenticated update, hashes the received value forward the number of times implied by the
difference in sequence number and metric from the most recent authentic value it holds for
that destination, and compares the result with that stored value. If they match, the update
is accepted and applied; otherwise the received update is discarded.
SEAD prevents routing loops unless the loop contains more than one attacker. The protocol
can be implemented easily with slight modifications to DSDV, and the use of a one-way hash
chain for authentication keeps the computational cost low. Moreover, the protocol is robust
against multiple uncoordinated attackers. Its main disadvantage is that a trusted entity is
needed to distribute and maintain the verification element (the anchor of the hash chain)
of every node, since each node's anchor has to be authentically distributed by a trusted
entity. This is a single point of failure: if the trusted entity is compromised, the entire
network becomes vulnerable. In addition, the protocol is vulnerable to an attacker that
replays the metric and sequence number from a recent update in a new routing update, since
such an update is still verifiable.

4.3 Security-Aware Ad Hoc Routing (SAR) protocol


The security-aware ad hoc routing (SAR) protocol (Yi et al., 2001) uses security as one of the
key metrics in path finding and provides a framework for enforcing and measuring the
attributes of the security metric. This framework also enables the use of different levels of
security for different applications that use SAR for routing. In WMNs, communication
between two end nodes through possibly multiple nodes is based on the fact that the end
nodes trust the intermediate nodes. SAR defines level of trust as a metric for routing and as
one of the attributes for security to be taken into consideration. In SAR, security metric is
embedded into the RREQ packet and the forwarding behavior of the protocol is
implemented with respect to the RREQs. The intermediate nodes receive an RREQ packet
with a particular security metric or trust level. The protocol ensures that a node can only
process the packet or forward it if the node itself can provide the required security or has
the required authorization or trust level. If the node cannot provide the required security,
the RREQ is dropped. If an end-to-end path with the required security attributes can be
found, a suitably modified RREP is sent from an intermediate node or the destination node.
The routing protocol based on the level of trust is explained using Fig. 6.

[Fig. 6 legend: shortest route; secure route]

Fig. 6. Illustration of use of trust metric of nodes in routing


As shown in Fig. 6, two paths exist between nodes N1 and N2, which want to communicate
with each other. The shorter one passes through private nodes (P1 and P2) whose trust
levels are low; hence the protocol chooses the longer but secure path through the trusted
nodes I1, I2 and I3.
The SAR protocol can be explained on top of any of the traditional routing protocols; in
this section it is explained using AODV (Perkins et al., 1999). In AODV, the source node
broadcasts a route_request (RREQ) packet to its neighbors. An intermediate node, on
receiving a RREQ packet, forwards it further if it does not have a route to the destination;
otherwise it sends a route_reply (RREP) packet back to the source along the reverse path
traversed by the RREQ. SAR adds a security level to this packet-forwarding mechanism. Each
packet is associated with a security level, determined by a numeric calculation method
(explained later in this section), and each intermediate node is likewise associated with a
security level. On receiving a packet, an intermediate node compares its own level with the
level required by the packet. If the node's level is lower than that of the packet, the RREQ
is simply discarded. If it is higher, the node is considered a secure node and is permitted
to forward the packet as well as to view its contents. If the two levels are equal, the
intermediate node forwards the packet but is not able to view its contents (which can be
enforced using a proper authentication mechanism).
Nodes of equal level of trust distribute a common key among themselves and with those
nodes having higher levels of trust. Hence, a hierarchical level of security could be
maintained. This ensures that an encrypted packet can be decrypted (using the common
key) only by nodes of the same or higher levels of security compared to the level of security
of the packet. Different levels of trust can be defined using a number calculated based on the
level of security required. It can be calculated using a number of methods. Since timeliness,
in-order delivery of packets, authenticity, authorization, integrity, confidentiality, and non-
repudiation are some of the desired characteristics of a routing protocol, a suitable number
can be defined for the trust level for nodes and packets based on the number of such
characteristics taken into account.
The SAR protocol can be easily incorporated into the traditional routing protocols for ad hoc
wireless networks and WMNs. It could be incorporated into both on-demand and table-
driven routing protocols. The SAR protocol allows the application to choose the level of
security it requires. But the protocol requires different keys for different levels of security.
This tends to increase the number of keys required when the number of security levels used
increases.

4.4 Secure Ad Hoc On-Demand Distance Vector (SAODV) routing protocol


In this section, a secure version of the AODV protocol will be described that plugs some
well-known vulnerabilities of the routing protocol. Before presenting the secure version, a
brief discussion of the base AODV protocol is presented.
Ad hoc on-demand distance vector (AODV) routing protocol: it is a reactive routing
protocol (Perkins et al., 1999; Perkins et al., 2003) for MANETs and WMNs that maintains
routes only between nodes which need to communicate. The routing messages do not
contain information about the whole routing path, but only about the source and the
destination. Therefore, routing messages do not have an increasing size. AODV uses destination
sequence numbers to specify how fresh a route is (in comparison to the others), which is
used to guarantee loop freedom.
Whenever a node needs to send a packet to a destination for which it has no ‘fresh enough’
route (i.e., a valid route entry for the destination whose associated sequence number is at
least as great as the one contained in any RREQ that the node has received for that
destination), it broadcasts an RREQ message to its neighbors. Each node that receives the
broadcast message sets up a reverse route towards the originator of the RREQ, unless it has
a ‘fresher’ one (Fig. 7). When the intended destination (or an intermediate node that has a
‘fresh enough’ route to the destination) receives the RREQ, it replies by sending an RREP. It
is important that the only mutable information in an RREQ and in an RREP is the hop-count
(which is being monotonically increased at each hop). The RREP is unicast back to the
originator of the RREQ (Fig. 8).

Fig. 7. Route request in AODV. S and D are the source and destination nodes respectively

Fig. 8. Route reply in AODV. S and D are the source and destination nodes respectively
At each intermediate node, a route to the destination is set up (unless the node already has a
‘fresher’ route than the one specified in the RREP). In the case that the RREQ is replied to by an
intermediate node (and if the RREQ had set this option), the intermediate node also sends
an RREP to the destination. In this way, it is guaranteed that the path is set up
bi-directionally. In the case that a node receives a new route (by an RREQ or by an RREP)
and the node already has a route ‘as fresh’ as the received one, the routing table is
updated with the shorter one. Optionally, a route_reply acknowledgment (RREP-ACK) message may be sent by the
originator of the RREQ to acknowledge the receipt of the RREP. An RREP-ACK message has
no mutable information. In addition to these routing messages, a route_error (RERR)
message is used to notify the other nodes that certain nodes are no longer reachable due
to link breakage. When a node re-broadcasts an RERR, it only adds the unreachable
destinations to which the node might forward messages. Therefore, the mutable information
in an RERR is the list of unreachable destinations and the counter of unreachable
destinations included in the message. Consequently, at each hop the unreachable
destination list either stays the same or becomes a subset of the original one.
Because AODV has no security mechanisms, malicious nodes can perform many attacks just
by not following the protocol. A malicious node M can carry out the following attacks
(among many others) against AODV:
• Impersonate a node S by forging an RREQ with its address as the originator address.
• When forwarding an RREQ generated by node S to discover a route to node D, reduce
the hop count field to increase the chances of being in the route path between S and D
so that it can analyze the traffic between them.
• Impersonate a node D by forging an RREP with its address as a destination address.
• Impersonate a node by forging an RREP that claims that the node is the destination.
• Selectively drop certain RREQs, RREPs and data packets. This kind of attack is
especially hard to detect because transmission errors have a similar effect.
• Forge an RERR message pretending it is the node S and send it to its neighbor D. The
RERR message has a very high destination sequence number (dsn) for one of the
unreachable destination, say, U. This might cause D to update the destination sequence
number corresponding to U with the value dsn and, therefore, future route discoveries
performed by D to obtain a route to U will fail (because U’s destination sequence
number will be much smaller than the one stored in D’s routing table).
• According to the AODV specification (Perkins et al., 1999), the originator of an RREQ
can put a much bigger destination sequence number than the real one. In addition,
sequence numbers wrap around when they reach the maximum value allowed by the
field size. This allows a very easy attack, where an attacker is able to set the sequence
number of a node to any desired value by just sending two RREQ messages.
To plug these vulnerabilities the secure version of the AODV protocol is now presented.
Secure ad hoc on-demand distance vector (SAODV) routing protocol: this protocol has
been proposed to secure the AODV protocol (Zapata et al. 2002). The idea behind SAODV is
to use a signature to authenticate most of the fields of RREQs and RREPs and to use hash
chains to authenticate the hop-count. SAODV designs signature extensions to AODV.
Network nodes authenticate AODV routing packets with an SAODV signature extension,
which prevents certain impersonation attacks. In SAODV, an RREQ packet includes
a route request single signature extension (RREQ-SSE). The initiator chooses a maximum hop
count, based on the expected network diameter, and generates a one-way hash chain of
length equal to the maximum hop count plus one. This one-way hash chain is used as a
metric authenticator, much like the hash chain within SEAD protocol (Hu et al., 2002b). The
initiator signs the RREQ and the anchor of this hash chain; both this signature and the
anchor are included in the RREQ-SSE. In addition, the RREQ-SSE includes an element of the
hash chain based on the actual hop count in the RREQ header. For the sake of explanation, we
call this value the hop-count authenticator (HCA). For example, if the hash chain values h_0, h_1,
..., h_N were generated such that h_i = H[h_{i+1}], then the hop-count authenticator h_i corresponds
to a hop count of N − i.
With the exception of the hop-count field and HCA, the fields of the RREQ and RREQ-SSE
headers are immutable and therefore can be authenticated by verifying the signature in the
RREQ-SSE extension. To verify the hop-count field in the RREQ header, a node can follow
the hash chain to the anchor. For example, if the hop-count field is i, then HCA should be
H^i[h_N]. Because the length (N) and the anchor (h_N) of this hash chain are included in the
RREQ-SSE and authenticated by the signature, a node can follow the hash chain and ensure
that h_N = H^{N−i}[HCA].
When forwarding an RREQ in SAODV, a node first authenticates the RREQ to ensure that
each field is valid. It then performs duplicate suppression to ensure that it forwards only a
single RREQ for each route discovery. The node then increments the hop-count field in the
RREQ header, hashes the HCA, and re-broadcasts the RREQ, together with its RREQ-SSE
extension. When the RREQ reaches the target, the target checks the authentication in the
RREQ-SSE. If the RREQ is valid, the target returns an RREP as in AODV. A route reply single
signature extension (RREP-SSE) provides authentication for the RREP. As in the RREQ, the
only mutable field is the hop-count; as a result, the RREP is secured in the same way as the
RREQ. In particular, an RREP-SSE has a signature covering the hash chain anchor together
with all RREP fields except the hop count. The hop-count is authenticated by an HCA,
which is also a hash chain element; an HCA hi corresponds to a hop-count of N – i.
A node forwarding an RREP checks the signature extension. If the signature is valid, then
the forwarding node sets its routing table entry for the RREP’s original source, specifying
that packets to that destination should be forwarded to the node from which the forwarding
node heard the RREP. For example, in Fig. 9, when node B forwards the RREP from node C,
it sets its next hop for destination node D to C.

$$
\begin{aligned}
S \to * &: (\mathit{RREQ}, id, S, seq_S, D, oldseq_D, h_0, N)_{K_S^-},\ 0,\ h_N \\
A \to * &: (\mathit{RREQ}, id, S, seq_S, D, oldseq_D, h_0, N)_{K_S^-},\ 1,\ h_{N-1} \\
B \to * &: (\mathit{RREQ}, id, S, seq_S, D, oldseq_D, h_0, N)_{K_S^-},\ 2,\ h_{N-2} \\
C \to * &: (\mathit{RREQ}, id, S, seq_S, D, oldseq_D, h_0, N)_{K_S^-},\ 3,\ h_{N-3} \\
D \to C &: (\mathit{RREP}, D, S, seq_D, S, lifetime, h'_0, N)_{K_D^-},\ 0,\ h'_N \\
C \to B &: (\mathit{RREP}, D, S, seq_D, S, lifetime, h'_0, N)_{K_D^-},\ 1,\ h'_{N-1} \\
B \to A &: (\mathit{RREP}, D, S, seq_D, S, lifetime, h'_0, N)_{K_D^-},\ 2,\ h'_{N-2} \\
A \to S &: (\mathit{RREP}, D, S, seq_D, S, lifetime, h'_0, N)_{K_D^-},\ 3,\ h'_{N-3}
\end{aligned}
$$

Fig. 9. Route discovery in SAODV protocol. Node S is discovering a route to node D. The parenthesised fields subscripted with K_X^- are signed with node X's private key; the two trailing unsigned fields are the hop count and the hop-count authenticator.
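The hop-count authenticator check of Section 4.4, written out as an added example; this is not code from the chapter or from the SAODV specification. It follows the convention of Fig. 9, where the signed fields carry h_0 and the packet at hop count 0 carries h_N: the example treats h_0 = H^N[h_N] as the signed anchor, h_{N−i} as the HCA at hop count i, and verifies a received hop count i by hashing the HCA N − i times and comparing with the anchor. SHA-256 stands in for the unspecified one-way function, the signature over the immutable fields (anchor and N) is assumed to have been verified before the check runs, and every field value is constructed.

```python
import hashlib
from dataclasses import dataclass


def H(data: bytes) -> bytes:
    """One-way hash function; SHA-256 is an assumption (SAODV leaves H unspecified)."""
    return hashlib.sha256(data).digest()


def make_hash_chain(seed: bytes, n: int) -> list:
    """Return [h_0, ..., h_N] with h_N = seed and h_i = H[h_{i+1}]; h_0 = H^N[seed] is the anchor."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()          # chain[i] is h_i
    return chain


@dataclass(frozen=True)
class Rreq:
    hop_count: int   # mutable field, incremented at every hop
    hca: bytes       # mutable field: hop-count authenticator h_{N - hop_count}
    anchor: bytes    # immutable: h_0, covered by the originator's signature
    max_hops: int    # immutable: N, covered by the originator's signature


def originate(seed: bytes, max_hops: int) -> Rreq:
    """Originator: hop count 0, HCA = h_N, signed anchor h_0 and chain length N."""
    chain = make_hash_chain(seed, max_hops)
    return Rreq(hop_count=0, hca=chain[max_hops], anchor=chain[0], max_hops=max_hops)


def hop_count_valid(r: Rreq) -> bool:
    """Receiver check: H^(N - hop_count)[HCA] must equal the signed anchor h_0."""
    if not 0 <= r.hop_count <= r.max_hops:
        return False
    x = r.hca
    for _ in range(r.max_hops - r.hop_count):
        x = H(x)
    return x == r.anchor


def forward(r: Rreq) -> Rreq:
    """Honest forwarder: increment the hop count and hash the HCA once."""
    return Rreq(r.hop_count + 1, H(r.hca), r.anchor, r.max_hops)


def demo() -> dict:
    """Walk S -> A -> B -> C as in Fig. 9, then apply the check to two altered packets."""
    r0 = originate(b"constructed-seed-h_N", max_hops=8)
    r1 = forward(r0)
    r2 = forward(r1)
    r3 = forward(r2)
    honest = [hop_count_valid(r) for r in (r0, r1, r2, r3)]
    # A hop count lowered from 3 to 1 would need h_{N-1} given only h_{N-3}: a preimage of H.
    decreased = Rreq(hop_count=1, hca=r3.hca, anchor=r3.anchor, max_hops=r3.max_hops)
    # Limitation worth knowing: a packet re-broadcast unchanged (no increment, no hash) is
    # byte-for-byte what the node received, so the chain check cannot flag it.
    not_incremented = Rreq(r3.hop_count, r3.hca, r3.anchor, r3.max_hops)
    return {"honest": honest,
            "decreased_hop_count": hop_count_valid(decreased),
            "not_incremented": hop_count_valid(not_incremented)}


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: a receiver must verify the RREQ-SSE signature first, because the anchor and N that the chain check relies on are only trustworthy as signed fields; the chain then binds the mutable hop count to them without any per-hop public-key operation.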

SAODV allows replies from intermediate nodes through the use of a route reply double
signature extension (RREP-DSE). An intermediate node replying to an RREQ includes an
RREP-DSE. The idea here is that to establish a route to the destination, an intermediate node
must have previously forwarded an RREP from the destination. If the intermediate node has
stored the RREP and the signature, it can then return the same RREP if the sequence number
in that RREP is greater than the sequence number specified in the RREQ. However, some of
the fields of that RREP, in particular the life-time field, are no longer valid. As a result, a
second signature, computed by the intermediate node, is used to authenticate this field.
To allow replies based on routing information from an RREQ packet, the initiator includes a
signature suitable for an RREP packet through the use of an RREQ-DSE. Conceptually, the
RREQ-DSE is an RREQ and RREP rolled into one packet. To reduce overhead, SAODV uses
the observation that the RREQ and RREP fields substantially overlap. In particular, the
RREQ-DSE needs to include some flags, a prefix size, and some reserved fields, together
with a signature valid for an RREP using those values. When a node forwards an RREQ-
DSE, it caches the route and the signature in the same way as if it had forwarded an RREP.
SAODV also uses signatures to protect the route error (RERR) message used in route
maintenance. In SAODV, each node signs the RERR it transmits, whether it is originating the
RERR or forwarding it. Nodes implementing SAODV do not change their destination
sequence number information when receiving an RERR because the destination does not
authenticate the destination sequence number. Fig. 10 shows an example of SAODV route
maintenance.

$$
\begin{aligned}
B \to A &: (\mathit{RERR}, D, seq_D)_{K_B^-} \\
A \to S &: (\mathit{RERR}, D, seq_D)_{K_A^-}
\end{aligned}
$$

Fig. 10. Route maintenance in SAODV protocol.

4.5 Secure Routing Protocol (SRP)


Papadimitratos et al. (Papadimitratos et al., 2002) have proposed a secure routing protocol
(SRP) that can be applied to several existing routing protocols (in particular to DSR (Johnson
et al., 2007)). It is an on-demand source routing protocol that captures the basic features of
reactive routing. The packets in SRP have extension headers that are attached to RREQ and
RREP messages. The protocol doesn’t attempt to secure RERR packets; instead, it delegates
route maintenance to the secure route maintenance portion of the secure message
transmission protocol. SRP uses a sequence number in the RREQs and RREPs to ensure
freshness, but this sequence number can only be checked at the target. SRP requires a
security association only between communicating nodes and uses this security association to
authenticate RREQs and RREPs through the use of message authentication codes (MACs). At
the target, SRP can detect any modifications of the RREQs, and at the source node, it can
detect modifications of the RREPs. In the following, the protocol is discussed briefly.
In SRP, route requests (RREQs) generated by a source node S are protected by message
authentication codes (MACs) computed using a key shared with the target T. Requests are
broadcast to all the neighbors of S. Each neighbor that receives a request for the first time
appends its identifier to the request and re-broadcasts it. The intermediate nodes also
perform the same actions. The MAC in the request is not checked because only S and T
know the key being used to compute it. When the request reaches the target T, its MAC is
checked by T. If it is valid, then it is assumed by the target that all adjacent pairs of nodes on
the path of the RREQ are neighbors. Such paths are called valid or plausible routes. The
target T replaces the MAC of a valid RREQ by a MAC computed with the same key that
authenticates the route. This is then sent back (upstream) to S using the reverse route. For
example, an RREQ that reaches an intermediate node Xj is of the following form:

$$
msg_{S,T,rreq} = (rreq, S, T, id, sn, X_1, X_2, \ldots, X_j, mac_S) \qquad (5)
$$

In (5), id is a randomly generated route identifier, sn is a session number and mac_S is a MAC
on (rreq, S, T, id, sn) computed by S using a key shared with T. If X_1, ..., X_p, T is a
discovered route, then the route reply (RREP) of the target T has the following form for all
intermediate nodes X_j, 1 ≤ j ≤ p:

$$
msg_{S,T,rrep} = (rrep, S, T, id, sn, X_1, X_2, \ldots, X_p, mac_T) \qquad (6)
$$

In (6), macT is a MAC computed by T with the key shared with S on the message field
preceding it. Intermediate nodes should check the RREP header (including its id and sn) and
that they are adjacent with two of their neighbors on the route before sending the RREP
upstream.
SRP doesn’t attempt to prevent unauthorized modification of fields that are ordinarily
modified in the course of forwarding these packets. For example, a node can freely remove
or corrupt the node list of an RREQ packet that it forwards. Since SRP requires a security
association between communicating nodes, it uses extremely lightweight mechanisms to
prevent other attacks. For example, to limit flooding, nodes record the rate at which each
neighbor forwards RREQ packets and give priority to REQUEST packets sent through
neighbors that forward REQUEST packets less frequently. Such mechanisms can secure a
protocol when few attackers are present. However, such techniques open the way to secondary
attacks, such as sending forged RREQ packets to reduce the effectiveness of a node’s
authentic RREQs. In addition, such techniques exacerbate the problem of greedy nodes. For
example, a node that doesn’t forward RREQ packets ordinarily achieves better performance
because it is generally less congested, and it doesn’t need to use its battery power to forward
packets originated by other nodes. In SRP, a greedy node retains these advantages, and in
addition, gets a higher priority when it initiates route discovery.

4.6 ARIADNE: A secure on-demand routing protocol for ad hoc networks


Ariadne (Hu et al., 2002a) is a secure on-demand routing protocol based on the dynamic
source routing (DSR) protocol (Johnson et al., 2007). The protocol can withstand node
compromise and relies only on highly efficient symmetric key cryptography. Ariadne can
authenticate routing messages using one of three schemes: (i) a shared secret between each
pair of nodes, (ii) shared secrets between communicating nodes combined with broadcast
authentication using TESLA (Perrig et al., 2001), and (iii) digital signatures. In this section,
we discuss Ariadne with TESLA, an efficient broadcast authentication scheme that requires
loose time synchronization. Using pair-wise shared keys, the protocol avoids the need for
time synchronization but at the cost of higher key-setup overhead. Ariadne discovers routes
in a reactive (on-demand) manner through route discovery and uses them to source route
data packets to their destinations. Each forwarding node helps by performing route
maintenance to discover problems with each selected route.

Route discovery: The protocol design is explained in two stages: (i) a mechanism is
presented that lets the target node verify the authenticity of the RREQ, and (ii) an efficient
per-hop hashing technique is described that verifies whether any node has been omitted from the
node list in the RREQ. In the following, we assume that the initiator node S performs a route
discovery for target node D and that they share the secret keys K_SD and K_DS, respectively, for
message authentication in each direction.
i. Target authenticates route request: To convince the target of the legitimacy of each field in an
RREQ, the initiator simply includes a message authentication code (MAC) computed with
the key K_SD over unique data, for example, a timestamp. The target can easily verify the
route request’s authenticity and freshness using the shared key K_SD. In a route
discovery, the initiator wants to authenticate each individual node in the node list of the
RREP. A secondary requirement is that the target can authenticate each node in the node
list of the RREQ so that it will return an RREP only along paths that contain legitimate
nodes. Each hop authenticates the new information in the RREQ using its current TESLA
key. The target node buffers the RREP until intermediate nodes can release the
corresponding TESLA keys. The TESLA security condition is verified at the target node,
and the target includes a MAC in the RREP to certify that security condition was met.
ii. Per-hop hashing: Authenticating data in routing messages isn’t sufficient because an
attacker could remove a node from the node list in an RREQ. One-way hash functions
are used to verify that no hop was omitted – an approach that is called per-hop hashing.
To change or remove a previous hop, an attacker must either hear an RREQ without
that node listed or must be able to invert the one-way hash function. For efficiency, the
authenticator may be included in the hash value passed in the RREQ. Fig. 11 shows an
example of Ariadne route discovery.

$$
\begin{aligned}
S &: h_0 = \mathit{MAC}_{K_{SD}}(\mathit{REQUEST}, S, D, id, t_i) \\
S \to * &: \mathit{REQUEST}, S, D, id, t_i, h_0, (), () \\
A &: h_1 = H[A, h_0],\quad M_A = \mathit{MAC}_{K_{A t_i}}(\mathit{REQUEST}, S, D, id, t_i, h_1, (A), ()) \\
A \to * &: \mathit{REQUEST}, S, D, id, t_i, h_1, (A), (M_A) \\
B &: h_2 = H[B, h_1],\quad M_B = \mathit{MAC}_{K_{B t_i}}(\mathit{REQUEST}, S, D, id, t_i, h_2, (A, B), (M_A)) \\
B \to * &: \mathit{REQUEST}, S, D, id, t_i, h_2, (A, B), (M_A, M_B) \\
C &: h_3 = H[C, h_2],\quad M_C = \mathit{MAC}_{K_{C t_i}}(\mathit{REQUEST}, S, D, id, t_i, h_3, (A, B, C), (M_A, M_B)) \\
C \to * &: \mathit{REQUEST}, S, D, id, t_i, h_3, (A, B, C), (M_A, M_B, M_C) \\
D &: M_D = \mathit{MAC}_{K_{DS}}(\mathit{REPLY}, D, S, t_i, (A, B, C), (M_A, M_B, M_C)) \\
D \to C &: \mathit{REPLY}, D, S, t_i, (A, B, C), (M_A, M_B, M_C), M_D, () \\
C \to B &: \mathit{REPLY}, D, S, t_i, (A, B, C), (M_A, M_B, M_C), M_D, (K_{C t_i}) \\
B \to A &: \mathit{REPLY}, D, S, t_i, (A, B, C), (M_A, M_B, M_C), M_D, (K_{C t_i}, K_{B t_i}) \\
A \to S &: \mathit{REPLY}, D, S, t_i, (A, B, C), (M_A, M_B, M_C), M_D, (K_{C t_i}, K_{B t_i}, K_{A t_i})
\end{aligned}
$$

Fig. 11. Route discovery in Ariadne. Initiator S attempts to discover a route to target D. The
bold font indicates changed message fields relative to the previous similar message.
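The exchange of Fig. 11, written out as an added example; this is not code from the chapter or from the Ariadne authors. It models the target's per-hop hash check and the initiator's per-hop MAC check with constructed keys: K_SD and K_DS shared by S and D, and one TESLA key per intermediate node for interval t_i, which the reply simply carries back (the TESLA timing condition, where the target checks that a key has not yet been disclosed, is not modelled). HMAC-SHA-256 stands in for MAC and SHA-256 for H. The end-to-end MAC that the target recomputes with K_SD is the same mechanism SRP relies on for mac_S in (5), so the target check also illustrates that protocol; per-hop hashing adds the detection of a hop omitted from the node list.

```python
import hashlib
import hmac


def H(*parts: bytes) -> bytes:
    """One-way hash over a tuple of fields; SHA-256 is an assumption (Ariadne leaves H open)."""
    return hashlib.sha256(b"|".join(parts)).digest()


def MAC(key: bytes, *parts: bytes) -> bytes:
    """Message authentication code; HMAC-SHA-256 stands in for the paper's MAC."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


# Constructed keys (assumption): K_SD / K_DS shared by S and D, one per direction, and each
# intermediate node's TESLA key for interval t_i, which is disclosed only on the reply path.
K_SD = b"constructed-key-S-to-D"
K_DS = b"constructed-key-D-to-S"
TESLA_KEY = {b"A": b"tesla-A-ti", b"B": b"tesla-B-ti", b"C": b"tesla-C-ti"}


def initiate(S: bytes, D: bytes, rid: bytes, ti: bytes) -> dict:
    """S: h_0 = MAC_{K_SD}(REQUEST, S, D, id, t_i); node list and MAC list start empty."""
    h0 = MAC(K_SD, b"REQUEST", S, D, rid, ti)
    return {"S": S, "D": D, "id": rid, "ti": ti, "h": h0, "nodes": [], "macs": []}


def forward_request(req: dict, node: bytes) -> dict:
    """Hop X: h_i = H[X, h_{i-1}] and M_X = MAC_{K_X,t_i}(REQUEST, S, D, id, t_i, h_i, nodes, macs)."""
    h = H(node, req["h"])
    nodes = req["nodes"] + [node]
    m = MAC(TESLA_KEY[node], b"REQUEST", req["S"], req["D"], req["id"], req["ti"], h,
            *nodes, *req["macs"])
    return {**req, "h": h, "nodes": nodes, "macs": req["macs"] + [m]}


def target_check(req: dict) -> bool:
    """D recomputes h_0 with K_SD and replays the per-hop chain over the listed nodes.

    This is the end-to-end MAC check an SRP target performs on mac_S; with per-hop hashing it
    also detects any hop omitted from, or inserted into, the node list."""
    h = MAC(K_SD, b"REQUEST", req["S"], req["D"], req["id"], req["ti"])
    for node in req["nodes"]:
        h = H(node, h)
    return hmac.compare_digest(h, req["h"])


def reply(req: dict) -> dict:
    """D: M_D = MAC_{K_DS}(REPLY, D, S, t_i, nodes, macs); the key list starts empty."""
    md = MAC(K_DS, b"REPLY", req["D"], req["S"], req["ti"], *req["nodes"], *req["macs"])
    return {"D": req["D"], "S": req["S"], "ti": req["ti"], "nodes": req["nodes"],
            "macs": req["macs"], "MD": md, "keys": []}


def forward_reply(rep: dict, node: bytes) -> dict:
    """Each hop on the reverse path appends its (now disclosable) TESLA key."""
    return {**rep, "keys": rep["keys"] + [TESLA_KEY[node]]}


def initiator_check(rep: dict, rid: bytes) -> bool:
    """S verifies M_D, then replays the hash chain and checks each hop's MAC with its disclosed key."""
    md = MAC(K_DS, b"REPLY", rep["D"], rep["S"], rep["ti"], *rep["nodes"], *rep["macs"])
    if not hmac.compare_digest(md, rep["MD"]):
        return False
    keys = list(reversed(rep["keys"]))  # keys arrive in C, B, A order; align them with A, B, C
    if len(keys) != len(rep["nodes"]) or len(rep["macs"]) != len(rep["nodes"]):
        return False
    h = MAC(K_SD, b"REQUEST", rep["S"], rep["D"], rid, rep["ti"])
    for i, (node, key) in enumerate(zip(rep["nodes"], keys)):
        h = H(node, h)
        expected = MAC(key, b"REQUEST", rep["S"], rep["D"], rid, rep["ti"], h,
                       *rep["nodes"][: i + 1], *rep["macs"][:i])
        if not hmac.compare_digest(expected, rep["macs"][i]):
            return False
    return True


def run_discovery() -> dict:
    """Honest discovery S -> A -> B -> C -> D and back, plus a request with hop B stripped out."""
    path = (b"A", b"B", b"C")
    req = initiate(b"S", b"D", b"id-1", b"t7")
    for node in path:
        req = forward_request(req, node)
    rep = reply(req)
    for node in reversed(path):
        rep = forward_reply(rep, node)
    # Constructed tampering: the node list and MAC list lose B while h_3 is left unchanged.
    stripped = {**req, "nodes": [b"A", b"C"], "macs": [req["macs"][0], req["macs"][2]]}
    return {"target_accepts": target_check(req),
            "initiator_accepts": initiator_check(rep, b"id-1"),
            "stripped_hop_accepted": target_check(stripped)}


if __name__ == "__main__":
    print(run_discovery())
```

The initiator keeps the id of its own pending request rather than trusting one carried in the REPLY, which is why `initiator_check` takes it as a parameter; the REPLY in Fig. 11 carries no id field.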

Route maintenance: Route maintenance in Ariadne is based on the DSR protocol. A node
forwarding a packet to the next hop along the source route returns an RERR to the packet’s
original sender if it is unable to deliver the packet to the next-hop after a limited number of
retransmission attempts. The mechanisms for securing RERRs are discussed in the
following. However, the case in which attackers do not send the RERRs is not considered.
To prevent unauthorized nodes from sending RERRs, a mechanism should be in place in
which the sender needs to authenticate the RERR messages. Each node on the return path to
the source node forwards the RERR message. If the authentication is delayed – for example,
when TESLA is used – each node that will be able to authenticate the RERR message buffers
it until it can be authenticated.
Avoiding routing misbehavior: The Ariadne protocol described above is vulnerable to an attacker
that happens to be along the discovered route. In particular, a mechanism is needed that
is able to determine whether the intermediate nodes forward the packets that they are
requested to forward. To avoid the continued use of malicious routes, the routes are chosen
based on their prior performance in packet forwarding. The scheme relies on feedback about
which packets were successfully delivered. The feedback can be received either through an
extra end-to-end network layer message or by exploiting properties of the transport layers,
such as TCP with selective acknowledgments (Mathis et al., 1996). This feedback approach is
somewhat similar to the one used in IPv6 for neighbor unreachability detection (Narten et al.,
2007). A node with multiple routes to a single destination can assign a fraction of packets that
it originates to be sent along each route. When a substantially smaller fraction of packets sent
along any particular route is successfully delivered, the node can begin sending a smaller
fraction of its overall packets to that destination along that route.

4.7 Security Enhanced AODV protocol


A security enhanced AODV (SEAODV) routing protocol has been proposed in (Li et al., 2011)
that employs Blom’s key pre-distribution scheme (Blom, 1985) to compute the pair-wise
transient key (PTK) through the flooding of enhanced hello messages and subsequently uses
the established PTK to distribute the group transient key (GTK). PTK and GTK are used for
authenticating unicast and broadcast routing messages respectively. In WMNs, a unique
PTK is shared by each pair of nodes, while GTK is shared secretly between the node and all
its one-hop neighbors. A message authentication code (MAC) is attached as the extension to the
original AODV routing message to guarantee the message’s authenticity and integrity in a
hop-by-hop fashion. Since SEAODV uses Blom’s key pre-distribution scheme, for the benefit
of the readers, a brief discussion on the key pre-distribution scheme is presented in the
following before the secure routing protocol is discussed.
Blom’s key pre-distribution scheme: Blom’s key pre-distribution scheme is used to
implement the key exchange process (Blom, 1985; Du et al., 2003). Blom’s t-secure key pre-
distribution scheme is as follows. It is based on (N, t + 1)
maximum distance separable (MDS) linear codes (MacWilliams et al., 1977). In this scheme,
before a network is deployed, a central authority first constructs a (t + 1) x N public matrix P
over a finite field GF(q), where N is the network size. Then, the central authority selects a
random (t + 1) x (t + 1) symmetric matrix S over GF(q), where S is secret and only known to
the central authority. An N x (t + 1) matrix A = (S . P)^T is computed, where (.)^T denotes the
transpose operator. The central authority pre-loads the i-th row of A and the i-th column of P to node
i, for i = 1, 2, ..., N. When nodes i and j need to establish a shared key, they first exchange their
columns of P, and then node i computes a key Kij as the product of its own row of A and j-th
column of P, and node j computes Kji as the product of its own row of A and the i-th column
of P. Since S is symmetric, it is easy to see that:

$$
K = A \cdot P = (S \cdot P)^T \cdot P = P^T \cdot S^T \cdot P = P^T \cdot S \cdot P = (A \cdot P)^T = K^T \qquad (7)
$$

The node pair (i, j) uses K_ij = K_ji as the shared key. The Blom scheme has a t-secure property: in
a network of N nodes, the collusion of fewer than t + 1 nodes cannot reveal any
key shared by other pairs of nodes. This is because at least t rows of A and t columns of P
are required to solve for the secret symmetric matrix S. The memory cost per node in the Blom
scheme is t + 1. To guarantee perfect security in a WMN with N nodes, the (N − 2)-secure
Blom scheme should be used, which means the memory cost per node is N − 1. Hence the Blom
scheme can provide strong security in networks of small size.
SEAODV protocol: SEAODV is built on the AODV protocol. It requires each node in the
network to maintain two key hierarchies. One is the broadcast key hierarchy, which
includes all the broadcast keys from its active one-hop neighbors. The other is the
unicast hierarchy, which stores all the secret pair-wise keys that this node shares with its
one-hop neighbors. Every node uses the keys in its broadcast hierarchy to verify the broadcast routing
messages (e.g., RREQ messages) received from its one-hop neighbors, and applies the secret pair-wise
keys in the unicast hierarchy to verify incoming unicast messages, such as RREP messages. Various
features of the protocol are now described.
i. Enhanced hello messages: in AODV, a hello message is broadcast by each node in its
one-hop neighborhood. In SEAODV, two enhanced hello messages are defined following
the idea presented in (Jing et al., 2004). Each node embeds its column of the public
matrix P into its enhanced hello RREQ message. Since each column of P can be
regenerated by applying the seed (a primitive element of GF(q)) from each node, every
node only needs to store the seed in order to exchange the public information of matrix
P. To guarantee bi-directional links, the neighboring nodes who receive hello RREQ
reply with an enhanced hello RREP.
ii. Exchange public Seed_P and GTK using enhanced hello message: during the key pre-
distribution phase, every legitimate node in the WMN knows and stores the public
Seed_P (seed of the column of public matrix P) and the corresponding private row of the
generated matrix A. The entire exchange process is depicted in three steps: (a) exchange
of Seed_P of public matrix P, (b) derivation of PTK, and (c) exchange of GTK. In the
exchange of Seed_P phase, each node looks for its public Seed_P from its key pool, and
broadcasts the enhanced hello RREQ message. On completion of this step, each node in
the network possesses the public Seed_P of all of its one-hop neighbors. In the derivation
of PTK phase, each node uses the Seed_P it received from its neighbors and the node’s
corresponding private row of matrix A to compute PTK. On completion of this step,
every node has stored the public Seed_P of its neighbors and has derived the PTK it
shares with each of its one-hop neighbors. In the exchange of GTK phase, upon receiving
hello RREQ from node X, node Y (node X’s neighbor) encrypts GTK_Y with its private
PTK_Y and unicasts the corresponding hello RREP message back to X. The encrypted
GTK_Y is also attached in the unicast hello RREP message. Once X receives hello RREP
from Y, X applies its private PTK_X to decrypt the GTK_Y and stores it in the database.
The same process applies to node Y as well. Eventually, every node possesses the GTK
keys from all its one-hop neighbors and the group of secret pair-wise PTK keys that it
shares with each of its one-hop neighbors.

Fig. 12. The structure of RREQ message in SEAODV protocol


iii. Securing route discovery: in order to ensure hop-by-hop authentication, each node
must verify the incoming message from its one-hop neighbors before re-broadcasting or
unicasting the messages. The trust relationship between each pair of nodes relies on the
shared GTK and PTK of the nodes. Route discovery process of SEAODV is similar to
that of AODV, except for a MAC extension appended to the AODV message. The
structure of the RREQ in SEAODV is presented in Fig. 12. The MAC is computed for
message M using the GTK of the node which needs to broadcast an RREQ to its one-hop
neighbors. When a node wants to discover a route to a designated destination, it
broadcasts the modified RREQ message to its neighbors. The receiving node computes
the corresponding MAC value of the received message if the node possesses the GTK of
the sender. The receiving node then compares the computed MAC with the one it
received. If there is a match, the received RREQ is considered to be authentic and
unaltered. The receiving node then updates the mutable field (hop-count in RREQ) and
its routing table, and subsequently sets up the reverse path back to the source by
recording the neighbor from which it received the RREQ. Finally, the node computes a
MAC of the updated RREQ with its GTK and attaches the MAC value to the end of the
RREQ before the message is re-broadcast to its neighbors.
iv. Securing route setup: the destination node or an intermediate node generates a
modified RREP and unicasts it back to the next hop from which it received the RREQ.
Since the RREP message is authenticated at each hop using PTKs, an adversary has no
opportunity to re-direct the traffic. Before unicasting the modified RREP back to the
originator of the RREQ, the node first needs to check its routing table to identify the
next hop from which it received the broadcast RREQ. The node then applies PTK that it
shares with the identified next hop to compute the MAC (PTK, M) and affixes this MAC
to the end of RREP as shown in Fig. 13.

Fig. 13. The structure of RREP message in SEAODV protocol


Upon receiving the RREP from node Y, node X checks whether PTK_YX is in its group of PTKs.
If it is, node X computes MAC’(PTK_XY, M) and compares it with the MAC(PTK_YX,
M) it received from node Y. If MAC’(PTK_XY, M) matches MAC(PTK_YX, M), the received
RREP is considered authentic. Node X then updates the hop-count field in the RREP and its
own routing table, and sets up the forwarding path towards the destination. Node X also
searches for the appropriate PTK that it shares with the next hop to which the new RREP is
going to be forwarded towards the source. Node X then uses that PTK to construct the new MAC
and appends it to the new RREP message. If node X does not hold PTK_YX, or the two MACs
do not match, the received RREP is deemed unauthentic and is dropped.
v. Securing route maintenance: a node generates an RERR message if it receives a data
packet destined for another node for which it does not have an active route in its routing
table, if it detects a broken link for the next hop of an active route, or if it
receives an RERR message from a neighbor for one or more active routes. The structure
of the modified RERR message is presented in Fig. 14. The MAC field in the modified
RERR message is computed by applying the node’s GTK to the entire RERR packet. On
receiving the broadcast RERR message from node Y, node X first checks whether it has
GTK_Y. If it has, node X computes MAC’(GTK_Y, M’) and compares it with the
received MAC. If the two MACs match, node X searches its routing table and tries to
identify the affected routes (a new group of unreachable destinations) that use node Y
as their next hop, based on the unreachable destination list received from Y. If no route in
node X’s routing table is affected, X simply drops the RERR message and starts
listening to the channel again. Node X also discards the RERR message if it fails to find
GTK_Y or if MAC’(GTK_Y, M’) does not match the one received from node Y.

Fig. 14. The structure of RERR message in SEAODV protocol


Security analysis of SEAODV: SEAODV remains vulnerable to RREQ flooding. However,
since it authenticates RREQs only from nodes in its list of active one-hop neighbors, the
attack is detected quickly. Since GTKs and PTKs secure the broadcast and unicast messages
respectively, and the integrity of the messages is protected by MACs, the protocol is robust
against RREP routing loop and route re-direction attacks. RERR fabrication has minimal
impact on SEAODV, since a receiving node accepts RERR messages only from its active
one-hop neighbors, and only after authenticating them. Because a malicious node can at
most forward replayed RERR messages that originated from the receiving node's own
one-hop neighbors, launching an RERR fabrication attack becomes particularly difficult.
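The hop-by-hop checks of steps iv and v, shown as an added example; this is not code from SEAODV's authors or from this chapter. It models the PTK-protected unicast RREP (verify with the key shared with the previous hop, update the hop count, re-MAC with the key shared with the next hop) and the GTK-protected broadcast RERR. HMAC-SHA256 stands in for the unspecified MAC, all key material is constructed in place of the 802.11s handshake, and the node, message and key names are assumptions.

```python
"""Hop-by-hop MAC protection of RREP (PTK) and RERR (GTK) in the style of
SEAODV.  Added example; HMAC-SHA256 is the chosen MAC and all keys are
constructed constants standing in for the handshake-derived PTKs and GTKs."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass(frozen=True)
class RREP:
    dest: int
    dest_seq: int
    orig: int
    hop_count: int        # mutable field, updated by every forwarder
    lifetime: int

    def serialize(self) -> bytes:
        # The MAC covers the RREP exactly as sent on this hop, so a forwarder
        # recomputes it after updating hop_count.
        return struct.pack("!IIIBI", self.dest, self.dest_seq, self.orig,
                           self.hop_count, self.lifetime)


class Node:
    def __init__(self, nid: int, gtk: bytes):
        self.nid = nid
        self.gtk = gtk               # own group key for broadcast RREQ/RERR
        self.ptks = {}               # neighbour id -> pairwise key (unicast RREP)
        self.neighbour_gtks = {}     # neighbour id -> that neighbour's GTK
        self.reverse_path = {}       # RREQ originator -> next hop back towards it

    # unicast RREP, protected with the PTK of the link it travels on
    def sign_rrep(self, to: int, rrep: RREP) -> bytes:
        return mac(self.ptks[to], rrep.serialize())

    def verify_rrep(self, frm: int, rrep: RREP, tag: bytes) -> bool:
        key = self.ptks.get(frm)
        if key is None:              # no PTK: not an active one-hop neighbour
            return False
        return hmac.compare_digest(mac(key, rrep.serialize()), tag)

    def forward_rrep(self, frm: int, rrep: RREP, tag: bytes):
        """Verify with PTK shared with `frm`; on success bump hop_count and
        re-MAC with the PTK shared with the next hop towards the originator.
        Returns None when the RREP is unauthentic and dropped."""
        if not self.verify_rrep(frm, rrep, tag):
            return None
        nxt = self.reverse_path[rrep.orig]
        updated = replace(rrep, hop_count=rrep.hop_count + 1)
        return nxt, updated, self.sign_rrep(nxt, updated)

    # broadcast RERR, protected with the sender's GTK
    def sign_rerr(self, rerr: bytes) -> bytes:
        return mac(self.gtk, rerr)

    def verify_rerr(self, frm: int, rerr: bytes, tag: bytes) -> bool:
        key = self.neighbour_gtks.get(frm)
        if key is None:              # GTK of the sender unknown: drop
            return False
        return hmac.compare_digest(mac(key, rerr), tag)


def pair(a: Node, b: Node, ptk: bytes) -> None:
    """Constructed key set-up between two neighbours: shared PTK, exchanged GTKs."""
    a.ptks[b.nid] = b.ptks[a.nid] = ptk
    a.neighbour_gtks[b.nid], b.neighbour_gtks[a.nid] = b.gtk, a.gtk


def demo() -> dict:
    # Chain S(1) - X(2) - Y(3) - D(4); M(9) is an outsider holding no valid key.
    S, X, Y, D = (Node(i, hashlib.sha256(b"gtk%d" % i).digest()) for i in (1, 2, 3, 4))
    pair(S, X, b"\x01" * 32); pair(X, Y, b"\x02" * 32); pair(Y, D, b"\x03" * 32)
    Y.reverse_path[1], X.reverse_path[1] = X.nid, S.nid   # learnt from the RREQ flood
    res = {}

    rrep = RREP(dest=4, dest_seq=7, orig=1, hop_count=0, lifetime=3000)
    _, rrep1, tag1 = Y.forward_rrep(D.nid, rrep, D.sign_rrep(Y.nid, rrep))
    _, rrep2, tag2 = X.forward_rrep(Y.nid, rrep1, tag1)
    res["legit_accepted_at_S"] = S.verify_rrep(X.nid, rrep2, tag2)
    res["hop_count_at_S"] = rrep2.hop_count

    # Re-direction attempt: dest_seq inflated in transit, MAC left unchanged.
    res["tampered_dropped"] = X.forward_rrep(Y.nid, replace(rrep1, dest_seq=99), tag1) is None
    # M spoofs Y's address but can only MAC with a key X does not share.
    M = Node(9, b"\x09" * 32)
    res["spoofed_dropped"] = X.forward_rrep(Y.nid, rrep1, mac(b"\xaa" * 32, rrep1.serialize())) is None

    rerr = struct.pack("!II", 4, 8)          # constructed: dest 4 unreachable, seq 8
    res["rerr_accepted"] = X.verify_rerr(Y.nid, rerr, Y.sign_rerr(rerr))
    res["rerr_forged_dropped"] = not X.verify_rerr(Y.nid, rerr, M.sign_rerr(rerr))
    return res


if __name__ == "__main__":
    print(demo())
```

The check that matters is in `verify_rrep`/`verify_rerr`: a message from an address with no installed PTK or GTK is dropped before any MAC comparison, which is what limits RERR fabrication to replays from genuine one-hop neighbours. `hmac.compare_digest` avoids a timing side channel on the tag comparison.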

5. Some novel secure routing protocols for WMNs


In this section, two novel routing protocols for WMNs are presented that can satisfy
application QoS requirements in addition to providing security in routing. The first protocol
is based on a reliable estimation of the available bandwidth in wireless links and a robust
estimation of the end-to-end delay on a routing path. The protocol, while satisfying the
application QoS, detects selfish nodes in the network and isolates them from the network
activities so that energy of the nodes and the precious bandwidth of the wireless links are
optimally utilized. The second protocol is based on an algorithm for detection of selfish
nodes in a WMN that uses statistical theory of inference and clustering techniques to make a
robust and reliable classification of the nodes based on their packet forwarding activities. It
also introduces some additional fields in the packet header for AODV protocol so that


detection accuracy is increased. In the following sub-sections the two protocols are
discussed in detail.

5.1 A secure and efficient routing protocol for WMNs


A secure and efficient routing protocol for WMNs has been proposed in (Sen, 2010a) that
can handle stringent quality of service (QoS) requirements of real-time applications. There
are several key contributions of the work: (i) It provides an accurate estimation of the end-
to-end delay in a routing path; the estimated value is then used to check whether the routing
can guarantee the application QoS. (ii) It computes a link quality estimator and utilizes it in
route selection. (iii) It provides a framework for reliable estimation of available bandwidth
in a routing path so that flow admission with guaranteed QoS can be made. (iv) It helps in
identifying and isolating selfish nodes.
The protocol is a reactive routing protocol, in which during the routing discovery phase,
each intermediate node uses an admission control scheme to check whether the flow can be
admitted or not. If a flow is admitted, an entry is created for the flow in a table (called the
flow table) maintained locally by the node. The important components of the protocol are
described below:
i. Estimating reliability of routing paths: every node estimates the reliability of each of
its wireless links to its one-hop neighbor nodes. For computing the reliability of a link,
the number of control packets that a node receives in a given time window is used as a
base parameter. An exponentially weighted moving average (EWMA) method is used to
update the link reliability estimate. If the percentage of control packets received by a
node over a link in the last interval of measurement of link reliability is Nt, and if Nt-1 is
the historical value of the link reliability before the last measurement interval, α = 0.5 is
the weighting parameter, the updated link reliability (R) is computed using (8):

$$R = \alpha\, N_t + (1 - \alpha)\, N_{t-1} \qquad (8)$$

Every node maintains estimates of the reliability of each of its links with its neighbors in a
link reliability table. The reliability for an end-to-end routing path is computed by taking the
average of the reliability values of all the links on the path. Computation of the link
reliability values is based on the RREQ packets on the reverse path and the RREP packets on
the forward path. The use of routing path with the highest reliability reduces the overhead
of route repair and makes the routing process more efficient.
ii. Use of network topological information in route discovery: the protocol makes use of
the knowledge of network topology by utilizing selective flooding of control messages
in a portion of the network. In this way, broadcasting of control messages is avoided
and thus the chances of network congestion and disruption of the flows in the network
are reduced. If both the source and the destination are under the control of the same
mesh router (Fig. 15), the flooding of the control messages is confined to the portion
of the network served by that mesh router only. If the source and the destination are
under different mesh routers, the control traffic is limited to the two mesh groups. To
reduce the control overhead further and enhance routing efficiency, the nodes accept
broadcast control messages only from those neighbors whose link reliability is greater
than 0.5 (i.e., on average at least 50% of the control packets sent by those neighbors have
been received). This ensures that paths of low reliability are not discovered, and hence
not considered for routing.


Fig. 15. The hierarchical architecture of a WMN


iii. Estimating end-to-end delay in a routing path: for addressing the issue of differential
delays experienced by the control and data packets, the protocol makes use of some
probe packets during the route discovery phase. When a source node receives RREP
packets from the destination in response to its RREQ, it stores in a table, the records for
all the RREP packets together with the path through which the packets have arrived at
it. However, instead of randomly selecting a path to send probe packets to the
destination, the packets are sent along the path from which RREP messages have
arrived at the source first. This ensures that the probe packets are sent along the path
which is likely to induce less end-to-end delay, resulting in a better performance of the
protocol. The probe packets are identical to the data packets so far as their size, priority,
and flow rates are concerned. The objective of sending probe packets is to simulate the
data flow and observe the delay characteristics in the routing path. The number of
probe packets is kept limited to 2H for a path consisting of H hops to make a trade-off
between the control overhead and measurement accuracy (Kone et al., 2007). The
destination node sets a timer after it receives the first probe packet from the source
node. The timer duration is based on the estimated time for receiving all the probe
packets and is computed statistically. The destination computes the average delay
experienced by all the probe packets it has received, and sends the computed value to
the source node by piggybacking it on an RREP message. If the computed value is within
the tolerance of the application QoS, the source selects the route and sends packets
through it. If the delay exceeds the acceptable limit, the source selects the next best
path (by order of RREP arrival) from its table and tries again. Since the routing path is
set up on the basis of probe packets rather than RREP packets alone, the protocol has a
higher route establishment time. However, since the selected paths have high end-to-end
reliability, the delay and the control overhead are subsequently reduced because route
breaks are minimal.
iv. Estimation of available network bandwidth: the protocol estimates the available
bandwidth in a wireless link using its end-to-end delay and the loss of packets due to


congestion. The packet loss due to congestion in the link is estimated as follows. In a
wireless link, packet loss may happen for two reasons: (a) loss due to faulty wireless
links and (b) loss due to network congestion. The radio link control (RLC) layer segments
an IP packet into several RLC frames before transmission and reassembles them into an
IP packet at the receiver side. An IP packet is lost when any RLC frame belonging to it
fails to be delivered. When this happens, the receiver knows that the reassembly of the
RLC frames has failed and that the IP packet has been lost due to a wireless error.
Meanwhile, the sender detects a retransmission time out (RTO) for the frame and discards
all the RLC frames belonging to the IP packet. This enables the sender to compute the
packet drop rate on the wireless link. Moreover, using the sequence numbers of the IP
packets received at the receiver, it is possible to differentiate packet loss due to link
error from packet loss due to congestion (Yang et al., 2004). For example, if the receiver
gets two incoming packets with sequence numbers i and i+2 and observes an IP packet
reassembly failure in the RLC layer in between, the packet with sequence number i+1 was
lost on the wireless channel; a sequence gap with no reassembly failure is attributed to
congestion. Once the packet loss ratio due to congestion (P_congestion) is estimated, the
available bandwidth in the wireless link, estrat, is computed as follows (Yang et al.,
2004):

$$\mathit{estrat} = \frac{\mathit{PacketSize}}{X + Y} \qquad (9)$$

In (9), X and Y are given by:

$$X = RTT \sqrt{\frac{2\, P_{congestion}}{3}} \qquad (10)$$

$$Y = RTO \cdot \min\!\left(1,\; 3\sqrt{\frac{3\, P_{congestion}}{8}}\right) P_{congestion} \left(1 + 32\, P_{congestion}^{2}\right) \qquad (11)$$

In (10), RTT is the average round trip time for a control packet. In (11), RTO is the
retransmission time out for a packet, computed using (12):

$$RTO = \overline{RTT} + k \cdot \overline{RTTVar} \qquad (12)$$

In (12), $\overline{RTT}$ and $\overline{RTTVar}$ are the smoothed mean and the smoothed
variation (mean deviation, as in the standard RTO estimator) of the measured RTTs, and k is set to 4.
This bandwidth estimator is employed to dynamically compute the available bandwidth in
the wireless links on a routing path so that the guaranteed minimum bandwidth for the flow
is always maintained throughout the application life-time.
v. Identifying selfish nodes: the protocol also enforces cooperation among the nodes by
identifying selfish nodes in the network and isolating them. Selfishness is an inherent
problem in any capacity-constrained multi-hop wireless network such as a WMN. A mesh
router can behave selfishly for various reasons, such as: (a) to obtain more wireless or
Internet throughput, or (b) to avoid path congestion. A selfish mesh router increases the
packet delivery latency and the packet loss rate. A selfish node utilizes the network
resources for routing its own packets while avoiding forwarding packets for others, in
order to conserve its energy.


Identification of selfish nodes is therefore a vital issue. Several schemes have been
proposed in the literature to mitigate selfish behavior of nodes in wireless networks,
such as credit-based schemes, reputation-based schemes, and game theory-based
schemes (Santhanam et al., 2008). However, to keep the computation and communication
overhead at a minimum, the protocol employs a simple mechanism to discourage selfish
behavior and encourage cooperation among nodes. To punish selfish nodes, each node
forwards packets to a neighbor node for routing only if the link reliability of that
neighbor is greater than a threshold value (say, 0.5). Since a selfish node sends no
control packets of its own, its link reliability as measured by its neighbors falls to 0,
and packets arriving from it will not be forwarded. Therefore, to keep its link
reliability above the threshold, each node has to participate and cooperate in routing.
The link reliability thus serves the dual purpose of enhancing reliability and enforcing
node cooperation in the network.
vi. QoS violation and recovery: the protocol detects a failure to guarantee QoS along a
path by means of reservation timeouts in the flow table records maintained in the nodes,
and by detecting that the minimum bandwidth estimated on a node's outbound wireless
link is no longer available. Failure to guarantee QoS may occur in three different
scenarios. In the first case, a node receives a data packet for which it finds no
corresponding record in its flow table. This implies that a reservation time-out has
occurred for that flow. The node therefore sends a route error (RERR) to the source,
which re-initiates route discovery. In the second scenario, the destination node detects
from its flow table records that the data packets received have exceeded the maximum
allowable delay (T_max). To restore the path, the destination broadcasts a new RREP back
to the source, and the source starts re-routing the packets via the path on which this
RREP has traversed. In the third case, an intermediate node on the routing path may find
that the estimated bandwidth (using (9)) on its forwarding link is less than the
guaranteed minimum (B_min). In this case, the intermediate node sends an RERR to the
source, which re-initiates the route discovery process. The real-time estimation of the
bandwidth of the next-hop wireless link at each node on the routing path makes the
protocol more robust and reliable than most existing routing protocols for WMNs. For
example, the similar protocol presented in (Kone et al., 2007) does not employ any
bandwidth estimation mechanism at intermediate nodes, and therefore cannot ensure
delivery of all packets for every admitted flow in the network.
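The link metrics that items i, ii, iv and v above rely on, shown together as an added example; this is not code from (Sen, 2010a) or from this chapter. It implements the EWMA link reliability of (8) with the 0.5 acceptance threshold that both gates broadcast control messages and isolates selfish nodes, the sequence-gap separation of congestion losses from channel losses, and the bandwidth estimate of (9) to (12). The function names, the receiver trace and the RTT samples are constructed; RTTVar is taken as the mean deviation of the RTT samples, a choice noted in the code.

```python
"""Link-quality metrics of the secure QoS routing protocol described above.
Added example: EWMA reliability (8), the 0.5 gate, loss classification by
sequence gaps, and the bandwidth estimate of (9)-(12).  Names and sample
measurements are constructed."""
import math
from statistics import mean

ALPHA = 0.5                  # EWMA weight in (8)
RELIABILITY_THRESHOLD = 0.5  # neighbours at or below this are ignored
K_RTO = 4                    # k in (12)


def update_reliability(prev, received_fraction, alpha=ALPHA):
    """(8): R = alpha*N_t + (1-alpha)*N_{t-1}; N_t is the fraction of the
    neighbour's control packets received in the last interval."""
    return alpha * received_fraction + (1 - alpha) * prev


def path_reliability(link_reliabilities):
    """End-to-end reliability: mean of the link reliabilities on the path."""
    return sum(link_reliabilities) / len(link_reliabilities)


def accept_neighbour(reliability, threshold=RELIABILITY_THRESHOLD):
    """The gate used twice by the protocol: broadcast control messages are
    accepted from, and data packets are forwarded for, only neighbours above
    the threshold.  A node that stops sending control traffic decays towards
    0 under (8) and is thereby isolated."""
    return reliability > threshold


def loss_rates(trace):
    """Split IP-layer losses from a constructed receiver trace of ('pkt', seq)
    and ('rlc_fail',) events: a sequence gap preceded by an RLC reassembly
    failure is a channel loss, a gap without one is attributed to congestion.
    Returns (P_congestion, P_channel) as fractions of packets sent."""
    first = last = None
    pending_failures = congestion = channel = 0
    for ev in trace:
        if ev[0] == "rlc_fail":
            pending_failures += 1
            continue
        seq = ev[1]
        if last is not None and seq > last + 1:
            gap = seq - last - 1
            ch = min(pending_failures, gap)
            channel += ch
            congestion += gap - ch
        pending_failures = 0
        first = seq if first is None else first
        last = seq
    sent = last - first + 1
    return congestion / sent, channel / sent


def rto(rtt_samples, k=K_RTO):
    """(12): RTO = mean(RTT) + k * RTTVar.  RTTVar is the mean absolute
    deviation here (as in the standard RTO estimator), so that both terms
    carry the same unit."""
    m = mean(rtt_samples)
    var = sum(abs(x - m) for x in rtt_samples) / len(rtt_samples)
    return m + k * var


def available_bandwidth(packet_size, p_congestion, rtt, rto_value):
    """(9)-(11): estrat = PacketSize / (X + Y), X = RTT*sqrt(2p/3),
    Y = RTO*min(1, 3*sqrt(3p/8))*p*(1+32p^2).  Bytes and seconds in, bytes
    per second out.  With no congestion loss the expression is unbounded;
    the caller then falls back to the raw link capacity."""
    p = p_congestion
    if p <= 0:
        return math.inf
    x = rtt * math.sqrt(2 * p / 3)
    y = rto_value * min(1.0, 3 * math.sqrt(3 * p / 8)) * p * (1 + 32 * p ** 2)
    return packet_size / (x + y)


def admit_flow(b_min, packet_size, p_congestion, rtt_samples):
    """Admission check at an intermediate node: admit only if the estimated
    available bandwidth on the outbound link covers the flow's B_min."""
    est = available_bandwidth(packet_size, p_congestion, mean(rtt_samples), rto(rtt_samples))
    return est >= b_min, est


if __name__ == "__main__":
    r = 0.8
    for frac in (1.0, 0.0, 0.0):          # neighbour goes silent for two intervals
        r = update_reliability(r, frac)
    print(f"reliability {r:.3f}, accepted: {accept_neighbour(r)}")
    # Constructed trace: seq 3 lost on the channel, 6 and 9 lost to congestion.
    trace = [("pkt", 1), ("pkt", 2), ("rlc_fail",), ("pkt", 4), ("pkt", 5),
             ("pkt", 7), ("pkt", 8), ("pkt", 10)]
    p_c, p_ch = loss_rates(trace)
    ok, est = admit_flow(20_000, 1500, p_c, [0.04, 0.05, 0.06])
    print(f"P_congestion={p_c:.2f} P_channel={p_ch:.2f} estrat={est:.0f} B/s admit={ok}")
```

Two practical points follow from running it: a neighbour that falls silent drops below 0.5 after two measurement intervals at α = 0.5, which is how quickly isolation sets in, and the (9) estimate reacts to P_congestion alone, so misclassifying channel losses as congestion would wrongly reject admissible flows.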

5.2 A Trust-based protocol for selfish nodes detection in WMNs


To address the issue of selfish nodes in a WMN, a scheme has been proposed that uses local
observations by the nodes to detect node misbehavior (Sen, 2010b). The scheme is
applicable to on-demand routing protocols such as the ad hoc on-demand distance vector
(AODV) protocol, and uses statistical inference and clustering techniques to make a robust
and reliable classification (cooperative or selfish) of the nodes based on the observations
of their neighbors. In addition, the scheme introduces additional fields in the AODV packet
headers so that detection accuracy is increased. Since the security protocol works on top of
AODV, a brief description of AODV is given before the protocol itself, for the benefit of
the readers.
AODV protocol and modeling of the state machine: AODV routing protocol uses an on-
demand approach for finding routes to a destination node. It employs destination sequence
numbers to identify the most recent path. The source node and the intermediate nodes store


the next-hop information corresponding to each flow of data packets. The source node
floods a route request (RREQ) packet in the network when a route is not available for the
desired destination. It may obtain routes to multiple destinations from a single RREQ. The
RREQ carries the source identifier (src_id), the destination identifier (dest_id), the source
sequence number (src_seq_num), the destination sequence number (dest_seq_num), the
broadcast identifier (bcast_id), and the time to live (TTL). When an intermediate node
receives an RREQ, it either forwards the request further or prepares a route reply (RREP) if
it has a valid route to the destination. Every intermediate node, while forwarding an RREQ,
records the address of the previous node and the bcast_id. A timer is used to delete this
entry if an RREP is not received before the timer expires. This allows an active path to be
stored at the intermediate node, as AODV does not employ source routing of data packets.
When a node receives an RREP packet, the address of the previous node from which the
packet was received is also stored, so that data packets may be routed to that node as the
next hop towards the destination. It is clear that AODV depends heavily on cooperation
among the nodes for its successful operation. A selfish node can easily manipulate the
protocol to minimize its chances of being included on routes for which it is neither the
source nor the destination. It may drop or tamper with RREQ messages to ensure that no
routes are ever selected through it. Alternatively, it may drop, delay, or modify RREP
messages so as to prevent the replies from reaching the source node. The security protocol
proposed in this work attempts to detect selfish nodes in a WMN so that these nodes may
be isolated from the network. In the following, a finite state machine (FSM) model of the
AODV protocol is presented, which is used later to describe the security protocol.

Fig. 16. The finite state machine of a monitored node


Finite state machine model: in the security mechanism, with AODV as the underlying
routing protocol, the set of all messages corresponding to one RREQ flooding and the
unicast RREP it triggers is referred to as a message unit. Clearly, no node in the network
can observe all the transmissions in a message unit. The subset of a message unit that a
node can observe is referred to as the local message unit (LMU). The LMU of a particular
node consists of the messages transmitted by that node, the messages transmitted by all its
neighbors, and the messages it overhears. The detection of selfish nodes is based on the
data each node collects from its observed LMUs. For each message transmission in an LMU,
a node records its sender and the receiver in its neighborhood. It also keeps a record of the
neighbor nodes that receive the RREQ broadcast messages sent by the node itself. The
messages are assumed to follow the sequence of the


AODV protocol. The finite state machine shown in Fig. 16 depicts various states through
which a neighbor node undergoes for each LMU (Wang et al., 2008). The corresponding
states for the numbers mentioned in Fig.16 can be found in Table 2.

State              Interpretation
1: init            Initial phase; no RREQ observed
2: unexp RREP      Receipt of an RREP without an RREQ observed
3: rcvd RREQ       Receipt of an RREQ observed
4: fwd RREQ        Broadcast of an RREQ observed
5: timeout RREQ    Timeout after receipt of an RREQ
6: rcvd RREP       Receipt of an RREP observed
7: LMU complete    Forwarding of a valid RREP observed
8: timeout RREP    Timeout after receipt of an RREP
Table 2. The states of the finite state machine for a local message unit (LMU)
To distinguish the final states, they are shaded in Fig. 16. Every message transmission by a
node causes a state transition in each of its neighbors' finite state machines. The finite state
machine in one neighbor node gives only a local view of the activities of the node being
monitored; by itself it does not represent the actual behavior of the monitored node. The
collaborative participation of all neighbor nodes makes it possible to build an accurate global
picture of the monitored node's behavior. A node whose activity is being monitored by its
neighbors is referred to as a monitored node, and each of its neighbors is referred to as a
monitor node. Each node plays the dual role of monitor node and monitored node for each of
its neighbors. Each monitor node observes a series of interleaved LMUs for a routing session.
An LMU can be identified by the source-destination pair contained in an RREQ message. Let
the k-th LMU observed by a monitor node be denoted (s_k, d_k). The pair (s_k, d_k) does not
uniquely identify an LMU, because a source can issue multiple RREQs for the same
destination. However, since subsequent RREQs are separated by some delay, it can safely be
assumed that there is only one active LMU (s_k, d_k) in the network at any point of time. At
the beginning, a monitored node starts in state 1 of its finite state machine. As the monitor
node(s) observe the behavior of the monitored node by examining the LMUs, they record a
sequence of transitions from the initial state 1 to one of the possible final states: 5, 7 and 8.
When a monitor node broadcasts an RREQ, it assumes that the monitored node has received
it, and therefore records the transition 1 → 3 in the monitored node's finite state machine. If
a monitor node observes the monitored node broadcasting an RREQ, the transition 3 → 4 is
recorded if the RREQ had previously been sent by the monitor node to the monitored node;
otherwise the transition 1 → 4 is recorded, meaning that the RREQ was received by the
monitored node from some other neighbor. A transition to a timeout state occurs when the
monitor node observes no activity by the monitored node for the LMU concerned before the
expiry of a timer. When a monitor node observes the monitored node forwarding an RREP,
it records a transition to the final state LMU complete (state 7). In this state, the monitored
node has become a candidate for inclusion on a routing path.
Fig. 17 depicts an example of an LMU observed by node N during the discovery of a route
from source node S to destination node D, indicated by bold lines. Table 3 shows the events
observed by node N and the corresponding state transitions for each of its three neighbor
nodes X, Y and Z. When the final state is reached, the finite state machine


terminates and the corresponding sequences of state transitions are stored by each node for
each of its neighbors. When sufficient number of events is collected by a node, a statistical
analysis is performed to detect the presence of any selfish nodes in the network.

Fig. 17. An example of local message unit (LMU) observed by node N

Neighbor   Event                             State change
X          X broadcasts RREQ                 1 → 4
           N broadcasts RREQ                 4 → 4
           N sends RREP to X                 4 → 6
           X sends RREP to S (overheard)     6 → 7
Y          Y broadcasts RREQ                 1 → 4
           N broadcasts RREQ                 4 → 4
           Timeout                           4 → 5
Z          N broadcasts RREQ                 1 → 3
           Z broadcasts RREQ                 3 → 4
           Z sends RREP to N                 4 → 7
Table 3. The state transitions of the neighbor nodes of node N
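The monitor-side state machine of Fig. 16, replayed on the events of Fig. 17, as an added example; this is not code from (Sen, 2010b) or (Wang et al., 2008). The transition table encodes the rules stated above (a monitor's own RREQ broadcast moves an idle neighbour to state 3, a neighbour's rebroadcast to state 4, a forwarded RREP to state 7, silence to a timeout state), the event names are assumptions, and the order of events is constructed from Table 3. Each completed LMU also increments the transition-count matrix that the detection algorithm below consumes.

```python
"""Per-neighbour finite state machine of a monitor node (Fig. 16, Table 2).
Added example; event names and the event order are constructed."""

INIT, UNEXP_RREP, RCVD_RREQ, FWD_RREQ, TIMEOUT_RREQ, RCVD_RREP, LMU_COMPLETE, TIMEOUT_RREP = range(1, 9)
FINAL = {TIMEOUT_RREQ, LMU_COMPLETE, TIMEOUT_RREP}
M = 8                                    # number of states

# (current state, event observed by the monitor) -> next state of the monitored node
TRANSITIONS = {
    (INIT, "monitor_rreq"): RCVD_RREQ,        # we broadcast: assume it was received
    (RCVD_RREQ, "monitor_rreq"): RCVD_RREQ,
    (FWD_RREQ, "monitor_rreq"): FWD_RREQ,     # it already rebroadcast: nothing new
    (INIT, "nbr_rreq"): FWD_RREQ,             # RREQ reached it from another neighbour
    (RCVD_RREQ, "nbr_rreq"): FWD_RREQ,        # it rebroadcast the RREQ we sent it
    (FWD_RREQ, "nbr_rreq"): FWD_RREQ,
    (FWD_RREQ, "rrep_to_nbr"): RCVD_RREP,     # we unicast the RREP to it
    (RCVD_RREP, "nbr_rrep"): LMU_COMPLETE,    # it forwarded the RREP (overheard)
    (FWD_RREQ, "nbr_rrep"): LMU_COMPLETE,     # it replied / forwarded an RREP to us
    (INIT, "nbr_rrep"): UNEXP_RREP,           # RREP with no RREQ observed
    (RCVD_RREQ, "timeout"): TIMEOUT_RREQ,
    (FWD_RREQ, "timeout"): TIMEOUT_RREQ,
    (RCVD_RREP, "timeout"): TIMEOUT_RREP,
    (UNEXP_RREP, "timeout"): TIMEOUT_RREP,
}


class Monitor:
    """State, transition trace and transition counts kept by one monitor node
    for each of its neighbours within the current LMU."""

    def __init__(self, neighbours):
        self.state = {n: INIT for n in neighbours}
        self.trace = {n: [] for n in neighbours}
        # T[n][i][j]: number of i -> j transitions observed for neighbour n
        # (index 0 unused so that indices equal the state numbers of Table 2).
        self.T = {n: [[0] * (M + 1) for _ in range(M + 1)] for n in neighbours}

    def observe(self, nbr, event):
        cur = self.state[nbr]
        if cur in FINAL:                      # FSM terminated for this LMU
            return cur
        nxt = TRANSITIONS.get((cur, event))
        if nxt is None:                       # event not modelled in this state
            return cur
        self.trace[nbr].append((cur, nxt))
        self.T[nbr][cur][nxt] += 1
        self.state[nbr] = nxt
        return nxt

    def monitor_broadcast_rreq(self):
        """Our own RREQ broadcast is an event for every neighbour at once."""
        for n in self.state:
            self.observe(n, "monitor_rreq")


def replay_fig17():
    """Events of Fig. 17 as seen by node N, in the order implied by Table 3."""
    mon = Monitor(["X", "Y", "Z"])
    mon.observe("X", "nbr_rreq")
    mon.observe("Y", "nbr_rreq")
    mon.monitor_broadcast_rreq()
    mon.observe("Z", "nbr_rreq")
    mon.observe("Z", "nbr_rrep")              # Z sends RREP to N
    mon.observe("X", "rrep_to_nbr")           # N sends RREP to X
    mon.observe("X", "nbr_rrep")              # X forwards RREP to S (overheard)
    mon.observe("Y", "timeout")
    return mon


if __name__ == "__main__":
    mon = replay_fig17()
    for n, tr in mon.trace.items():
        print(n, " ".join(f"{a}->{b}" for a, b in tr))
```

Replaying the table reproduces the three rows of Table 3 exactly, and shows why a single monitor's view is partial: Y's timeout (4 → 5) may be a dropped RREP or simply a route that never passed through Y, which is why the classification below pools every neighbour's counts rather than judging from one FSM.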
The security algorithm: As mentioned in the previous section, a monitoring node keeps a
record of state transitions in the finite state machine of a monitored node in each LMU.
These sequences can be represented as a transition matrix T = [Tij], where Tij is the number
of times the transition i Æ j is found. The monitor node invokes a detection algorithm every
W seconds using data from the most recent D = d * W seconds of observations, where d is a
small integer. The parameter D, called the detection window, should be such that it is possible
to punish the selfish nodes promptly while maintaining a high level of accuracy.
In the proposed algorithm, a node is assumed to monitor the activities of its R neighbors,
identified by the indices 1, 2, …, R. Let $T^{(r)} = [f_{ij}^{(r)}]$ denote the observed
transition matrix for the r-th neighbor, where $f_{ij}^{(r)}$ is the number of transitions
from state i to state j observed in the previous detection window. If m is the number of
states in the finite state machine, the size of $T^{(r)}$ is m × m. Let
$T_i^{(r)} = [f_{i1}^{(r)}, \dots, f_{im}^{(r)}]$ denote the i-th row of $T^{(r)}$, which
holds the transitions out of state i at neighbor node r. If two neighbor nodes r and s have
identical distributions of transitions out of state i, one can write $T_i^{(r)} \equiv T_i^{(s)}$.
To test the hypothesis $T_i^{(r)} \equiv T_i^{(s)}$, Pearson's χ² test is used as follows.


$$\chi^2(i) = \sum_{l \in \{r,s\}} \sum_{j=1}^{m} \frac{\left[f_{ij}^{(l)} - \hat f_{ij}^{(l)}\right]^2}{\hat f_{ij}^{(l)}} \qquad (13)$$

$$\hat f_{ij}^{(l)} = F_i^{(l)} \, \frac{f_{ij}^{(r)} + f_{ij}^{(s)}}{F_i^{(r)} + F_i^{(s)}} \qquad (14)$$

where $F_i^{(r)}$ and $F_i^{(s)}$ denote the total number of transitions out of state i in
$T^{(r)}$ and $T^{(s)}$ respectively (the row sums), and $\hat f_{ij}^{(l)}$ is the count
expected if both rows followed the pooled distribution.
If the value of χ²(i) exceeds the critical value χ²_{m-1,α}, the hypothesis
$T_i^{(r)} \equiv T_i^{(s)}$ is rejected at significance level α. If we write $B_i^{(rs)}$
for the event that χ²(i) > χ²_{m-1,α}, then the conditional probability
$P(T_i^{(r)} \equiv T_i^{(s)} \mid B_i^{(rs)})$ can be taken as a reasonable estimator of
the similarity between r and s with respect to state i. In the absence of any prior
information, it is reasonable to assume that r and s have no similarity in state i and that
the probability that the Pearson test rejects its hypothesis is 0.5 (Wang et al., 2008). In
order to evaluate the similarity between r and s for all m states, (13) is applied to every
row of $T^{(r)}$ and $T^{(s)}$. This yields a vector $\{B_i^{(rs)} : i = 1, \dots, m\}$.
Treating the per-state tests as independent (the Markov property of the state machine),
one can write:

$$L_{rs} = P\left(T^{(r)} \equiv T^{(s)} \mid B^{(rs)}\right) = \alpha^{S^{(rs)}} (1 - \alpha)^{m - S^{(rs)}} \approx \alpha^{S^{(rs)}} \qquad (15)$$

where $S^{(rs)} = \sum_{i=1}^{m} B_i^{(rs)}$ is the number of states for which Pearson's
hypothesis is rejected.

The lower-order terms on the right hand side of (15) are dropped since α ≪ 1. For small
α, L_rs decreases monotonically in S^(rs), the number of rejections. Therefore 1 − L_rs
may be taken as a measure of the dissimilarity between the neighbor nodes r and s. In the
presence of noise in the data, however, it is found that for two nodes r and s with
L_rs ≈ 1, a third node t may cause an inconsistency such that L_rt ≉ L_st. To avoid this
inconsistency, the proposed algorithm does not compute clusters on the basis of pair-wise
dissimilarity alone. To compute the dissimilarity between r and s, the L values of all other
neighbors are computed with respect to r and s separately, and the following equation is
applied:

$$d_{rs} = 1 - \frac{n_{rs}^{2}}{n_{r/s}\; n_{s/r}} \qquad (16)$$

where

$$n_{rs} = \sum_{t \ne r,s} \min(L_{rt}, L_{st}), \qquad n_{r/s} = \sum_{t \ne r,s} L_{rt}, \qquad n_{s/r} = \sum_{t \ne r,s} L_{st},$$

the sums running over all other neighbors t of the monitor node.

It may be observed that the computation of drs does not involve Lrs -- the pair-wise similarity
index between nodes r and s. In fact, it measures the degree of inconsistency in similarity
between r and s with all their neighbors. Since, in the computation, contribution of each
neighbor plays its role, drs presents a robust indicator for dissimilarity between nodes and
plays a crucial part in computing the clusters (Wang et al., 2008). For clustering, an
agglomerative hierarchical clustering technique is used. This is a single-linkage approach in
which each cluster is represented by all of the objects in the cluster, and the similarity
between two clusters is measured by the similarity of the closest pair of data points
belonging to different clusters. The cluster merging process repeats until all the objects are
eventually merged to form one cluster (Eddy et al., 1996). After the nodes are clustered into
similar sets, the sets are further classified into three groups: (i) a set (G) of cooperative
nodes, (ii) a set (B) of selfish nodes, and (iii) a set of nodes whose behavior could not be
ascertained. The cooperation score (Cr) of a node is computed as (Wang et al., 2008):

$$C_r = \frac{\sum_{i,j \in G} n_{ij}^{(r)}}{|G|} - \frac{\sum_{i,j \in B} n_{ij}^{(r)}}{|B|} \qquad (17)$$
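The comparison of two neighbours' transition matrices, (13) to (16), carried through on constructed data as an added example; this is not code from (Sen, 2010b) or (Wang et al., 2008). The chi-square critical value for m − 1 = 7 degrees of freedom at α = 0.05 is a table constant so that nothing beyond the standard library is needed, the four transition matrices (three cooperative neighbours and one that never rebroadcasts RREQs) are constructed, and the single-linkage clustering and ANOVA steps that follow in the text are not shown. Rows in which one node has no outgoing transitions give no evidence either way and are skipped rather than counted as rejections.

```python
"""Pairwise behaviour comparison of monitored neighbours, (13)-(16).
Added example on constructed transition counts; the clustering that follows
in the text is not included."""
M = 8                       # states of the FSM in Fig. 16
ALPHA = 0.05                # significance level of the Pearson test
CHI2_CRIT = {7: 14.067}     # chi-square upper critical value, df = M-1, alpha = 0.05


def matrix(counts):
    """M x M transition-count matrix from {(i, j): count}, states numbered 1..M."""
    T = [[0] * M for _ in range(M)]
    for (i, j), n in counts.items():
        T[i - 1][j - 1] = n
    return T


def chi2_row(fr, fs):
    """(13)/(14): Pearson statistic for row i of T^(r) against row i of T^(s),
    with expected counts from the pooled row distribution.  None when one
    node shows no transitions out of the state (no evidence either way)."""
    Fr, Fs = sum(fr), sum(fs)
    if Fr == 0 or Fs == 0:
        return None
    stat = 0.0
    for j in range(len(fr)):
        pooled = (fr[j] + fs[j]) / (Fr + Fs)
        for f, F in ((fr[j], Fr), (fs[j], Fs)):
            e = F * pooled                    # expected count of (14)
            if e > 0:
                stat += (f - e) ** 2 / e
    return stat


def rejections(Tr, Ts, crit=CHI2_CRIT[M - 1]):
    """S^(rs): number of states whose outgoing-transition rows differ."""
    S = 0
    for i in range(M):
        c = chi2_row(Tr[i], Ts[i])
        if c is not None and c > crit:
            S += 1
    return S


def similarity(Tr, Ts, alpha=ALPHA):
    """(15): L_rs = alpha^S (1-alpha)^(M-S); close to 1 for look-alike nodes."""
    S = rejections(Tr, Ts)
    return alpha ** S * (1 - alpha) ** (M - S)


def pairwise_similarity(neighbours):
    """L[r][s] for every pair of monitored neighbours (symmetric)."""
    ids = list(neighbours)
    L = {r: {} for r in ids}
    for a in range(len(ids)):
        for b in range(a + 1, len(ids)):
            r, s = ids[a], ids[b]
            L[r][s] = L[s][r] = similarity(neighbours[r], neighbours[s])
    return L


def dissimilarity(L, r, s):
    """(16): how inconsistently r and s resemble every third neighbour t.
    L_rs itself is deliberately not used."""
    others = [t for t in L if t not in (r, s)]
    n_rs = sum(min(L[r][t], L[s][t]) for t in others)
    n_r = sum(L[r][t] for t in others)
    n_s = sum(L[s][t] for t in others)
    return 1 - n_rs ** 2 / (n_r * n_s)


# Constructed detection-window counts for four neighbours of one monitor node.
# A, B, C rebroadcast RREQs and forward RREPs (1->3->4->7, 1->4->6->7); D receives
# RREQs but never rebroadcasts them, so each of its LMUs ends in timeout state 5.
NEIGHBOURS = {
    "A": matrix({(1, 3): 30, (1, 4): 20, (3, 4): 28, (3, 5): 2, (4, 4): 15,
                 (4, 5): 3, (4, 6): 20, (4, 7): 25, (6, 7): 19, (6, 8): 1}),
    "B": matrix({(1, 3): 28, (1, 4): 22, (3, 4): 26, (3, 5): 2, (4, 4): 14,
                 (4, 5): 4, (4, 6): 22, (4, 7): 24, (6, 7): 21, (6, 8): 1}),
    "C": matrix({(1, 3): 31, (1, 4): 19, (3, 4): 29, (3, 5): 2, (4, 4): 16,
                 (4, 5): 3, (4, 6): 19, (4, 7): 26, (6, 7): 18, (6, 8): 1}),
    "D": matrix({(1, 3): 50, (3, 5): 50}),
}


def rank_by_dissimilarity(neighbours=NEIGHBOURS):
    """Mean d_rs of each node to all others; the outlier is the selfish candidate
    that the clustering step would then separate."""
    L = pairwise_similarity(neighbours)
    k = len(neighbours) - 1
    return {r: sum(dissimilarity(L, r, s) for s in neighbours if s != r) / k
            for r in neighbours}


if __name__ == "__main__":
    for node, d in sorted(rank_by_dissimilarity().items(), key=lambda kv: kv[1]):
        print(f"{node}: mean d = {d:.3f}")
```

On this input the three cooperative nodes reject no row against each other (L = 0.95^8) while each rejects two rows against D (states 1 and 3, where D never moves on to state 4), so D's mean d_rs is close to 1 and the others' close to 0.33. Note that (16) gives d_AB = 0 exactly even though L_AB < 1, because d measures consistency of similarity to third parties rather than L_rs itself.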

The set B is the one most likely to contain the selfish nodes. To reduce false positives (i.e.,
wrongly identifying a cooperative node as selfish), an ANOVA test is applied. The ANOVA
approach computes the probability P_k that the variation among the mean cooperation
scores of the k clusters is random. A lower value of P_k implies that the clusters represent
genuinely distinct behavior. At each iteration, k clusters are formed and P_k is compared
with a pre-defined level of significance β. If P_k < β, the clusters are believed to reliably
reflect the behavior of the nodes and their classification is accepted; the cluster with the
lowest mean cooperation score is assumed to contain the selfish nodes. If P_k > P_{k-1}, the
neighbor behavior has not been properly reflected in the cluster formation, which has led
to the increase in P_k. In this case, all the nodes are classified as cooperative, and the next
iteration of the algorithm is executed. The confidence parameter β can be tuned to trade
the speed of detection of selfish nodes against the rate of false positives (Wang et al.,
2008). In spite of all the above statistical approaches, there is still a possibility of
misclassification. The proposed algorithm further reduces the probability of
misclassification by a cross-checking mechanism, which requires a minor modification of
the AODV packet headers. Two additional fields are inserted in the header of an RREQ
packet: next_to_source, the address of the node that is the next hop from the source, and
duplicate_flag, indicating whether the packet is a duplicate that has already been broadcast
by some other node in the network. In the header of an RREP packet, a field called
next_to_destination is added to indicate the address of the node to which the packet must be
forwarded on the reverse path. It has been shown in (Kim et al., 2008) that, with the above
extra fields, it is possible to detect every instance of selfish behavior in a wireless network
with 100% detection accuracy if the following conditions are satisfied: (i) no packets are
lost due to interference, (ii) links are bi-directional, (iii) the nodes are stationary, and (iv)


the queuing delays are bounded. Since all these conditions cannot be guaranteed in a real-
world deployment, there will be always some detection inaccuracy.
Table 4 presents a list of vulnerabilities in different layers of the protocol stack of WMNs
and the security protocols for defending those attacks. Table 5 compares the secure routing
protocols discussed in this chapter with respect to various mechanisms these protocols use.

6. Conclusion
WMNs have become the focus of research in recent years, owing to their great promise in
realizing numerous next-generation wireless services. Driven by the demand for rich and
high-speed content access, recent research on WMNs has focussed on developing high-
performance communication protocols, while the security of the proposed protocols has
received relatively little attention. However, given the wireless and multi-hop nature of the
communication, WMNs are subject to a wide range of security threats. In this chapter, a
large number of security issues at various layers of WMNs have been presented, with a
particular focus on the network layer. In addition, some of the major routing security
mechanisms for WMNs currently existing in the literature have been presented and
compared with respect to their strengths and weaknesses. A few novel secure routing
mechanisms that take application QoS into account while detecting malicious and selfish
nodes are also discussed. Although researchers have made substantial contributions in the
area of routing security in WMNs, many challenges remain to be addressed. First, efficient
(i.e., lightweight) and robust authentication protocols for the mesh routers (MRs) need to be
designed, which involves scalable key management techniques. Second, for reliability in
routing, energy-aware and secure multi-path routing protocols are in demand. The third
issue is the strategic deployment of hop integrity protocols in WMNs. Hop integrity
protocols are open to incremental deployment, and the security they provide increases with
the number of pairs of hop integrity-equipped mesh routers, because an adversary has fewer
venues from which to launch attacks. However, due to hardware/software compatibility and
efficiency considerations, it may be worthwhile to consider a strategic deployment scheme.
For example, a few hotspots in the network may be required to install static hop integrity, in
which hop integrity is always turned on; other spots in the network can install dynamic hop
integrity, in which hop integrity is randomly turned on and off. Fourth, efficient security
mechanisms should be designed to defend against the tunnelling attack, in which two
malicious nodes advertise in such a way as if they had a very reliable link between them.
This is achieved by tunnelling AODV messages between them. No security scheme exists so
far that can detect this attack promptly and efficiently. Fifth, appropriate security protocols
should be designed for hybrid networks. In many deployment situations, WMNs are
designed to be integrated with other types of networks, such as wired networks and cellular
networks. Addressing attacks in a hybrid environment also presents an interesting future
direction. Such networks are vulnerable to a wider range of attacks than their individual
network components. For example, a mesh network for wireless Internet access can be
targeted with DDoS attacks launched from the Internet. The scarcity of bandwidth resources
in WMNs further exacerbates the severity of such attacks. On the other hand, hybrid
networks possess additional resources and opportunities for defending against attacks. For
example, for WMNs connected to wired networks, it is possible to leverage the high-
bandwidth, low-latency wired links and deploy powerful computers on the wired networks
to defend against attacks. Sixth, a balanced

Attack                     | Targeted layer in the protocol stack | Protocols
---------------------------+--------------------------------------+-------------------------------------------------------------
Jamming                    | Physical and MAC layers              | Frequency hopping spread spectrum (FHSS), Direct sequence spread spectrum (DSSS)
Wormhole                   | Network layer                        | Packet Leashes (Hu, 2003b)
Blackhole                  | Network layer                        | SAR (Yi, 2001)
Grayhole                   | Network layer                        | GRAYSEC (Sen, 2007), SAR (Yi, 2001)
Sybil                      | Network layer                        | SYIBSEC (Newsome, 2004)
Selective packet dropping  | Network layer                        | SMT (Papadimitratos, 2003a), ARIADNE (Hu, 2002a), Sen (2010a), Sen (2010b)
Rushing                    | Network layer                        | ARAN (Sanzgiri, 2002), SAR (Yi, 2001), SEAD (Hu, 2002b), ARIADNE (Hu, 2002a), SAODV (Li, 2001), SRP (Papadimitratos, 2002), SEAODV (Li, 2011)
Byzantine                  | Network layer                        | ODSBR (Awerbuch, 2002)
Resource depletion         | Network layer                        | SEAD (Hu, 2002b)
Information disclosure     | Network layer                        | SMT (Papadimitratos, 2003a)
Location disclosure        | Network layer                        | SRP (Papadimitratos, 2002)
Routing table modification | Network layer                        | ARAN (Sanzgiri, 2002), SAR (Yi, 2001), SRP (Papadimitratos, 2002), SEAD (Hu, 2002b), ARIADNE (Hu, 2002a), SAODV (Li, 2001), SEAODV (Li, 2011)
Repudiation                | Application layer                    | ARAN (Sanzgiri, 2002)
Denial of service          | Multi-layer                          | SRP (Papadimitratos, 2002), SEAD (Hu, 2002b), ARIADNE (Hu, 2002a)
Impersonation              | Multi-layer                          | ARAN (Sanzgiri, 2002), SEAD (Hu, 2002b), SEAODV (Li, 2011)

Table 4. Different attacks on the WMN protocol stack and protocols for defending against the attacks


Table 5. Comparative analysis of various secure routing protocols for WMNs


network coding system needs to be designed for high-performance secure routing
(Ahlswede et al., 2000). Existing network coding systems are vulnerable to a wide range of
attacks besides the most well-known packet pollution attacks (Yu et al., 2008). Many of the
weaknesses of existing system designs lie in their single focus on performance optimizations.
A more balanced approach, which can provide improved security guarantees, is crucial for
the actual adoption of network coding in real-world applications. A future direction of
research is to uncover the security implications of different design and optimization
techniques, and to explore balanced system designs with network coding that achieve
appropriate tradeoffs between security and performance suitable for different application
requirements. Finally, multi-layer (i.e., cross-layer) security protocols should be developed
that address network vulnerabilities in multiple layers of the protocol stack to provide
robust and the highest level of protection to mission-critical network deployments.

7. References
Ahlswede, R.; Cai, N.; Li, S.-Y. & Yeung, R. (2000). Network information flow. IEEE
Transactions on Information Theory, Vol 46, No 4, pp. 1204 – 1216.
Akyildiz, I.F.; Wang, X. & Wang, W. (2005). Wireless mesh networks: a survey. Journal of
Computer Networks, Vol 47, No 4, pp. 445 – 487.
Al-Shurman, M.; Yoo, S. & Park, S. (2004). Black hole attack in mobile ad hoc networks.
Proceedings of the 42nd Annual Southeast Regional Conference, Huntsville, Alabama,
USA.
Awerbuch, B.; Holmer, D.; Nita-Rotaru, C. & Rubens, H. (2002). An on-demand secure
routing protocol resilient to Byzantine failure. Proceedings of ACM Workshop on
Wireless Security (WiSe), ACM Press.
Awerbuch, B.; Curtmola, R.; Holmer, D.; Nita-Rotaru, C. & Rubens, H. (2005). On the
survivability of routing protocols in ad hoc wireless networks. Proceedings of ICST
International Conference on Security and Privacy in Communication Networks
(SecureComm).
Bahr, M. (2006). Proposed routing for IEEE 802.11s WLAN mesh networks. Proceedings of the
2nd Annual International Wireless Internet Conference (WICON), pp. 133 – 144, Boston,
MA, USA.
Bahr, M. (2007). Update on the hybrid wireless mesh protocol 802.11s. Proceedings of the IEEE
International Conference on Mobile Ad Hoc and Sensor Systems, (MASS’07), pp. 1 – 6.
Blom, R. (1985). An optimal class of symmetric key generation systems. Proceedings of the
EUROCRYPT’84, pp. 335 – 338.
Brown, T.; James, J. & Sethi, A. (2006). Jamming and sensing of encrypted wireless ad hoc
networks. Proceedings of ACM MOBIHOC’06.
Curtmola, R. & Nita-Rotaru, C. (2007). BSMR: Byzantine-resilient secure multicast routing in
multi-hop wireless networks. Proceedings of IEEE Communications Society Conference
on Sensor, Mesh and Ad Hoc Communications and Networks (SECON).
Dong, J. (2009). Secure and robust communication in wireless mesh networks. Doctoral
Thesis, Purdue University, Indiana, USA.
Du, W.; Deng, J.; Han, Y. S. & Varshney, P. K. (2003). A pair-wise key pre-distribution
scheme for wireless sensor networks. ACM Transactions on Information and System
Security, Vol 8, No 2, pp. 228 – 258.
Eddy, W.F.; Mockus, A. & Oue, S. (1996). Approximate single linkage cluster analysis of
large datasets in high dimensional spaces. Journal of Computational Statistics and
Data Analysis, Vol 23, pp. 29 – 43.
Eriksson, J.; Krishnamurthy, S. V. & Faloutsos, M. (2006). Truelink: a practical
countermeasure to the wormhole attack in wireless networks. Proceedings of IEEE
International Conference on Network Protocols (ICNP).
Franklin, A. A. & Murthy, C. S. R. (2007). An introduction to wireless mesh networks. Book
chapter in: Security in Wireless Mesh Networks, Zhang, Y.; Zheng, J. & Hu, H. (eds.),
CRC Press, pp. 3 – 44.
Hu, L. & Evans, D. (2004). Using directional antennas to prevent wormhole attacks.
Proceedings of ISOC Symposium of Network and Distributed Systems Security
(NDSS’04).
Hu, Y.-C.; Perrig, A. & Johnson, D. (2002a). Ariadne: a secure on-demand routing protocol
for ad hoc networks. Proceedings of ACM Annual International Conference on Mobile
Computing (MOBICOM’02), pp. 21 – 38, Atlanta, GA, USA.
Hu, Y.-C.; Johnson, D.B. & Perrig, A. (2002b). SEAD: secure efficient distance vector routing
for mobile wireless ad hoc networks. Proceedings of IEEE Workshop on Mobile
Computing Systems and Applications (WMCSA’02), pp. 3 – 13.
Hu, Y.-C.; Perrig, A. & Johnson, D.B. (2003a). Rushing attacks and defense in wireless ad
hoc network routing protocols. Proceedings of the ACM Workshop on Wireless Security
(WiSe’03) in conjunction with MOBICOM’03, pp. 30 – 40.
Hu, Y.-C.; Perrig, A. & Johnson, D.B. (2003b). Packet leashes: a defense against wormhole
attacks in wireless ad hoc networks. Proceedings of IEEE INFOCOM’03.
Jing, X. & Lee, M. J. (2004). Energy-aware algorithms for AODV in ad hoc networks.
Proceedings of Mobile Computing and Ubiquitous Networking, pp. 466 – 468, Yokosuka,
Japan.
Johnson, D. B. (2007). The dynamic source routing protocol (DSR) for mobile ad hoc
networks for IPv4. IETF Request for Comments, RFC4728.
Kim, H. J. & Peha, J. M. (2008). Detecting selfish behavior in a cooperative commons.
Proceedings of IEEE DySPAN, pp. 1 – 12.
Kone, V.; Das, S.; Zhao, B. Y. & Zheng, H. (2007). Quorum: quality of service in wireless
mesh networks. Journal of Mobile Networks and Applications, Vol 12, No 5, pp.
358 – 369.
Law, Y.; Hoesel, L.; Doumen, J.; Hartel, P. & Havinga, P. (2005). Energy-efficient link-layer
jamming attacks against wireless sensor network MAC protocols. Proceedings of the
3rd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN’05).
Li, C.; Wang, Z. & Yang, C. (2011). Secure routing for wireless mesh networks. International
Journal of Network Security, Vol 13, No 2, pp. 109 – 120.
Lundgren, H.; Nordstrom, E. & Tschudin, C. (2002). The gray zone problem in IEEE 802.11b
based ad hoc networks, M2CR, Vol 6, No 2, pp. 104 – 105.
MacWilliams, F. J. & Sloane, N. J. A. (1977). The Theory of Error-Correcting Codes. North-Holland,
New York.
Marti, S.; Giuli, T.; Lai, K. & Baker, M. (2000). Mitigating routing misbehavior in mobile ad
hoc networks. Proceedings of ACM Annual International Conference on Mobile
Computing (MOBICOM).
Mathis, M.; Mahdavi, J.; Floyd, S. & Romanow, A. (1996). TCP selective acknowledgment
options. IETF RFC 2018, October 1996.
Mishra, A. & Arbaugh, W.A. (2002). An initial security analysis of the IEEE 802.1X standard.
Technical Report, University of Maryland, USA.
Narten, T.; Nordmark, E.; Simpson, W. & Soliman, H. (2007). Neighbor discovery for IP
version 6 (IPv6). IETF RFC 4861, September 2007.
Newsome, J.; Shi, E.; Song, D. & Perrig, A. (2004). The Sybil attack in sensor networks:
analysis and defenses. Proceedings of the 3rd International Symposium on Information
Processing in Sensor Networks (IPSN’04), pp. 259 – 268.
Papadimitratos, P. & Haas, Z.J. (2002). Secure routing for mobile ad hoc networks.
Proceedings of the SCS Communication Networks and Distributed Systems Modelling and
Simulation Conference (CNDS’02).
Papadimitratos, P. & Haas, Z. J. (2003a). Secure data transmission in mobile ad hoc
networks. Proceedings of ACM Workshop on Wireless Security (WiSe), pp. 41 – 50.
Papadimitratos, P. & Haas, Z. J. (2003b). Secure link state routing for mobile ad hoc
networks. Proceedings of the Symposium on Applications and the Internet Workshops
(SAINT’03 Workshops).
Papadimitratos, P. & Haas, Z. J. (2006). Secure route discovery of QoS-aware routing in ad
hoc networks. Proceedings of IEEE Sarnoff Symposium.
Perkins, C.E. & Belding-Royer, E.M. (1999). Ad hoc on-demand distance vector routing.
Proceedings of the IEEE Workshop on Mobile Computing Systems and Applications, pp.
90 – 100.
Perkins, C. E.; Belding-Royer, E. M. & Das, S. R. (2003). Ad hoc on-demand distance vector
(AODV). Internet Request for Comments, RFC 3561.
Perkins, C. E. & Bhagwat, P. (1994). Highly dynamic destination-sequenced distance-vector
routing (DSDV) for mobile computers. Proceedings of ACM SIGCOMM, pp. 234 –
244.
Perrig, A.; Canetti, R.; Tygar, J. D. & Song, D. (2000). Efficient authentication and signing of
multicast streams over lossy channels. Proceedings of the IEEE Symposium on Security
and Privacy, pp. 56 – 73.
Perrig, A.; Canetti, R.; Song, D. & Tygar, D. (2001). Efficient and secure source authentication
for multicast. Proceedings of the Network and Distributed System Security Symposium
(NDSS’01).
Ramaswamy, S.; Fu, H.; Sreekantaradhya, M.; Dixon, J. & Nygard, K.E. (2003).
Prevention of cooperative black hole attacks in wireless ad hoc networks.
Proceedings of the International Conference on Wireless networks, pp. 570 – 575.
Roy, S.; Addada, V. G.; Setia, S. & Jajodia, S. (2005). Securing MAODV: attacks and
countermeasures. Proceedings of IEEE Communications Society Conference on Sensor,
Mesh and Ad Hoc Communications and Networks (SECON).
Royer, E. M. & Perkins, C. E. (2000). Multicast ad-hoc on-demand distance vector (MAODV)
routing. Internet Draft, July 2000.
Salem, N.B.; Buttyan, L.; Hubaux, J.-P. & Jacobson, M. (2003). A charging and rewarding
scheme for packet forwarding in multi-hop cellular networks. Proceedings of IEEE
MOBIHOC’03, pp. 1324.
Santhanam, L.; Xie, B. & Agrawal, D. (2008). Selfishness in mesh networks: wired multi-hop
MANETs. IEEE Journal of Wireless Communications, Vol 15, No 4, pp. 16 – 23.
Sanzgiri, K.; Dahill, B.; Levine, B. N.; Shields, C. & Belding-Royer, E. M. (2002). A secure
routing protocol for ad hoc networks. Proceedings of IEEE International Conference on
Network Protocols (ICNP’02), pp. 78 – 87.
Sen, J. (2010a). An efficient and reliable routing protocol for wireless mesh networks.
Proceedings of the International Conference on Computational Sciences and its
Applications (ICCSA’10), Lecture Notes in Computer Science (LNCS), Springer-Verlag,
Heidelberg, Germany, Vol 6018, pp. 246 – 257, Fukuoka, Japan.
Sen, J. (2010b). A trust-based detection algorithm of selfish packet dropping nodes in a peer-to-peer
wireless mesh network. Proceedings of the International Conference on Recent
Trends in Network Security and Applications, Communications in Computer and
Information Science (CCIS), Springer-Verlag, Heidelberg, Germany, Vol 89, Part 2,
pp. 528 – 537.
Sen, J.; Chandra, M. G.; Harihara, S. G.; Reddy, H. & Balamuralidhar, P. (2007). A
mechanism for detection of grayhole attack in mobile ad hoc networks. Proceedings
of the 6th IEEE International Conference on Information, Communications, and Signal
Processing (ICICS’07), Singapore.
Shi, E. & Perrig, A. (2004). Designing secure sensor networks. IEEE Wireless Communication
Magazine, Vol 11, No 6, pp. 38 – 43.
Wang, B.; Soltani, S.; Shapiro, J.K.; Tan, P.-N. & Mutka, M. (2008). Distributed detection of
selfish routing in wireless mesh networks. Technical Report- MSU-CSE-06-19,
Department of Computer Science and Engineering, Michigan State University.
Wood, A. D. & Stankovic, J. A. (2002). Denial of service in sensor networks. IEEE Computer,
Vol 35, No. 10, pp. 54 – 62.
Xu, W.; Trappe, W.; Zhang, Y. & Wood, T. (2005). The feasibility of launching and detecting
jamming attacks in wireless networks. Proceedings of ACM MobiHoc’05.
Xue, Q. & Ganz, A. (2002). QoS routing for mesh-based wireless LANs. International Journal
of Wireless Information Networks, Vol 9, No 3, pp. 179 – 190.
Yang, F.; Zhang, Q.; Zhu, W. & Zhang, Y.-Q. (2004). End-to-end TCP-friendly streaming
protocol and bit allocation for scalable video over wireless Internet. IEEE Journal on
Selected Areas in Communications, Vol 22, No 22, pp. 777- 790.
Yi, S.; Naldurg, P. & Kravets, R. (2001). Security-aware ad hoc routing for wireless networks.
Proceedings of ACM MobiHoc’01, pp. 299 – 302.
Yu, Z.; Wei, Y.; Ramkumar, B. & Guan, Y. (2008). An efficient signature-based scheme for
securing network coding against pollution attacks. Proceedings of the IEEE Conference
of the IEEE Communications Society (INFOCOM’08), Phoenix, AZ, April, 2008.
Zapata, M. G. & Asokan, N. (2002). Securing ad hoc routing protocols. Proceedings of ACM
Workshop on Wireless Security (WiSe).
Zhong, S.; Li, L. E.; Liu, Y. G. & Yang, Y. R. (2005). On designing incentive-compatible
routing and forwarding protocols in wireless ad-hoc networks: an integrated
approach using game theoretical and cryptographic techniques. Proceedings of IEEE
MOBICOM’05, pp. 117 – 131.
Zhu, S.; Xu, S.; Setia, S. & Jajodia, S. (2003). LHAP: a lightweight hop-by-hop authentication
protocol for ad-hoc networks. Proceedings of ICDCS International Workshop on Mobile
and Wireless Network, pp. 749 – 755, Providence, Rhode Island.
Zhu, T. & Yu, M. (2006). A dynamic secure QoS routing protocol for wireless ad hoc
networks. Proceedings of IEEE Sarnoff Symposium, pp. 1 – 4.


Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks

Jaydip Sen
Innovation Lab, Tata Consultancy Services Ltd., India

1. Introduction
In recent years, wireless sensor networks (WSNs) have drawn considerable attention from
the research community on issues ranging from theoretical research to practical
applications. Special characteristics of WSNs, such as resource constraints on energy and
computational power and security have been well-defined and widely studied (Akyildiz et
al., 2002; Sen, 2009). What has received less attention, however, is the critical privacy
concern on information being collected, transmitted, and analyzed in a WSN. Such private
and sensitive information may include payload data collected by sensors and transmitted
through the network to a centralized data processing server. For example, a patient's blood
pressure, sugar level and other vital signs are usually of critical privacy concern when
monitored by a medical WSN which transmits the data to a remote hospital or doctor's
office. Privacy concerns may also arise beyond data content and may focus on context
information such as the location of a sensor initiating data communication. Effective
countermeasures against the disclosure of both data- and context-oriented private information
are an indispensable prerequisite for the deployment of WSNs in real-world applications (Sen,
2010a; Bandyopadhyay & Sen, 2011).
Privacy protection has been extensively studied in various fields such as wired and wireless
networking, databases and data mining. However, the following inherent features of WSNs
introduce unique challenges for privacy preservation of data and prevent the existing
techniques from being directly implemented in these networks.

- Uncontrollable environment: sensors may have to be deployed in an environment that is
uncontrollable by the defender, such as a battlefield, enabling an adversary to launch
physical attacks to capture sensor nodes or deploy counterfeit ones. As a result, an
adversary may retrieve private keys used for secure communication and decrypt any
communication eavesdropped by the adversary.
- Sensor-node resource constraints: battery-powered sensor nodes generally have severe
constraints on their ability to store, process, and transmit the sensed data. As a result,
the computational complexity and resource consumption of public-key ciphers is
usually considered unsuitable for WSNs.


- Topological constraints: the limited communication range of sensor nodes in a WSN
requires multiple hops in order to transmit data from the source to the base station.
Such a multi-hop scheme demands that different nodes take diverse traffic loads. In
particular, a node closer to the base station (i.e., the data collecting and processing server)
has to relay data from nodes further away from the base station in addition to transmitting
its own generated data, leading to a higher transmission rate. Such an unbalanced
network traffic pattern brings significant challenges to the protection of context-
oriented privacy information. Particularly, if an adversary has the ability to carry out a
global traffic analysis, observing the traffic patterns of different nodes over the whole
network, it can easily identify the sink and compromise context privacy, or even
manipulate the sink node to impede the proper functioning of the WSN.
The unique challenges for privacy preservation in WSNs call for development of effective
privacy-preserving techniques. Supporting efficient in-network data aggregation while
preserving data privacy has emerged as an important requirement in numerous wireless
sensor network applications (Acharya et al., 2005; Castelluccia et al., 2009; Girao et al., 2005;
He et al., 2007; Westhoff et al., 2006). As a key approach to fulfilling this requirement of
private data aggregation, concealed data aggregation (CDA) schemes have been proposed in
which multiple source nodes send encrypted data to a sink along a converge-cast tree with
aggregation of cipher-text being performed over the route (Acharya et al., 2005; Armknecht
et al., 2008; Castelluccia et al., 2009; Girao et al., 2005; Peter et al., 2010; Westhoff et al., 2006).
He et al. have proposed a cluster-based private data aggregation (CPDA) scheme in which the
sensor nodes are randomly distributed into clusters (He et al., 2007). The cluster leaders
carry out aggregation of the data received from the cluster member nodes. The data
communication is secured by using a shared key between each pair of communicating nodes
for the purpose of encryption. The aggregate function leverages algebraic properties of the
polynomials to compute the desired aggregate value in a cluster. While the aggregation is
carried out at the aggregator node in each cluster, it is guaranteed that no individual node
gets to know the sensitive private values of other nodes in the cluster. The intermediate
aggregate value in each cluster is further aggregated along the routing tree as the data
packets move to the sink node. The privacy goal of the scheme is two-fold. First, the privacy
of data has to be guaranteed end-to-end. While only the sink could learn about the final
aggregation result, each node will have information of its own data and does not have any
information about the data of other nodes. Second, to reduce the communication overhead,
the data from different source nodes have to be efficiently combined at the intermediate
nodes along the path. Nevertheless, these intermediate nodes should not learn any
information about the individual nodes' data. The authors of the CPDA scheme have
presented performance results of the protocol to demonstrate the efficiency and security of
the protocol. The CPDA protocol has become quite popular, and to the best of our
knowledge, there has been no identified vulnerability of the protocol published in the
literature so far. In this chapter, we first demonstrate a security loophole in the CPDA
protocol and then proceed to show how the protocol can be made more secure and efficient.
Some WSN applications may not require privacy of the individual sensor data. Instead, the
data aggregation scheme may need a high level of security so that no malicious node is
able to introduce any fake data during the execution of the aggregation process. This
requirement introduces the need for the design of secure aggregation protocols for WSNs.


Keeping this requirement in mind, we also present a secure and robust aggregation protocol
for WSNs where the aggregation algorithm does not preserve the privacy of the individual
sensor data but guarantees a high level of security in the aggregation process, so that a
potential malicious insider node cannot inject false data during the aggregation process.
The rest of this chapter is organized as follows. Section 2 provides a brief background
discussion on the CPDA scheme. In Section 3, we present a cryptanalysis on CPDA and
demonstrate a security vulnerability of the scheme. In Section 4, we present some design
modifications of the CPDA scheme. Section 4.1 presents an efficient way to compute the
aggregation operation so as to make CPDA more efficient. Section 4.2 briefly discusses how
the identified security vulnerability can be addressed. Section 5 presents a comparative
analysis of the overhead of the original CPDA protocol and its proposed modified version.
Section 5.1 provides a comparison of the communication overheads in the network, and
Section 5.2 provides an analysis of the computational overheads in the sensor
nodes. Section 6 discusses the importance of security in designing aggregation
schemes for WSNs. Section 7 presents some related work in the field of secure aggregation
protocols in WSNs. In Section 8, a secure aggregation algorithm for WSNs is proposed.
Section 9 presents some simulation results to evaluate the performance of the proposed
secure aggregation protocol. Section 10 concludes the chapter while highlighting some
future directions of research in privacy and security in WSNs.

2. The CPDA scheme for data aggregation in WSNs


The basic idea of CPDA is to introduce noise to the raw data sensed by the sensor nodes in a
WSN, such that an aggregator can obtain accurate aggregated information but not
individual sensor data (He et al., 2007). This is similar to the data perturbation approach
extensively used in privacy-preserving data mining. However, unlike in privacy-preserving
data mining, where noises are independently generated (at random) leading to imprecise
aggregated results, the noises in CPDA are carefully designed to leverage the cooperation
between different sensor nodes, such that the precise aggregated values can be obtained by
the aggregator. The CPDA protocol classifies sensor nodes into two types: cluster leaders
and cluster members. There is a one-to-many mapping between the cluster leaders and
cluster members. The cluster leaders are responsible for aggregating data received from the
cluster members. For security, the messages communicated between the cluster leaders and
the cluster members are encrypted using different symmetric keys for each pair of nodes.
The details of the CPDA scheme are provided briefly in the following sub-sections.

2.1 The network model


The sensor network is modeled as a connected graph G(V, E), where V represents the set of
sensor nodes and E represents the set of wireless links connecting the sensor nodes. The
number of sensor nodes is taken as |V| = N.
A data aggregation function is taken that aggregates the individual sensor readings. The CPDA
scheme has focused on the additive aggregation function $f(t) = \sum_{i=1}^{N} d_i(t)$, where
$d_i(t)$ is the individual sensor reading at time instant t for node i. For computation of the aggregate

functions, the following requirements are to be satisfied: (i) privacy of the individual sensor
data is to be protected, i.e., each node's data should be known to no other nodes except the
node itself, (ii) the number of messages transmitted within the WSN for the purpose of data
aggregation should be kept at a minimum, and (iii) the aggregation result should be as
accurate as possible.

2.2 Key distribution and management


CPDA uses a random key distribution mechanism proposed in (Eschenauer & Gligor, 2002)
for encrypting messages to prevent message eavesdropping attacks. The key distribution
scheme has three phases: (i) key pre-distribution, (ii) shared-key discovery, and (iii) path-
key establishment. These phases are described briefly as follows.
A large key-pool of K keys and their identities are first generated in the key pre-distribution
phase. For each sensor node, k keys out of the total K keys are chosen. These k keys form the
key ring of the sensor node.
During the key-discovery phase, each sensor node identifies which of its neighbors share a
common key with itself by invoking and exchanging discovery messages. If a pair of
neighbor nodes share a common key, then it is possible to establish a secure link between
them.
In the path-key establishment phase, an end-to-end path key is assigned to the pairs of
neighboring nodes who do not share a common key but can be connected by two or more
multi-hop secure links at the end of the shared-key discovery phase.
At the end of the key distribution phase, the probability that any pair of nodes possess at
least one common key is given by (1).

$p_{connect} = 1 - \frac{((K-k)!)^2}{(K-2k)!\,K!}$   (1)

If the probability that any other node can overhear the encrypted message by a given key is
denoted as poverhear, then poverhear is given by (2).

$p_{overhear} = \frac{k}{K}$   (2)
It has been shown in (He et al., 2007) that the above key distribution algorithm is efficient for
communication in a large-scale sensor network and when a limited number of keys are
available for encryption of the messages to prevent eavesdropping attacks.
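As an added illustration of the three key-distribution phases above and of equations (1) and (2), the following script (written for this chapter, not the implementation of CPDA or of Eschenauer & Gligor) simulates key-ring assignment, shared-key discovery between neighbours and path-key reachability, and checks the empirical share rate against (1). The pool size, ring size and neighbour list are constructed inputs.

```python
# Added simulation of random key pre-distribution as used by CPDA; illustrative code,
# not the chapter's or CPDA's own implementation. Parameters below are constructed.
import math
import random
from collections import deque


def p_connect(K, k):
    """Equation (1): probability that two k-key rings drawn from a K-key pool share a key.
    Evaluated through log-gamma so realistic pool sizes do not overflow factorials."""
    log_ratio = (2 * math.lgamma(K - k + 1)
                 - math.lgamma(K - 2 * k + 1) - math.lgamma(K + 1))
    return 1.0 - math.exp(log_ratio)


def p_overhear(K, k):
    """Equation (2): chance that some other node also holds the key protecting a link."""
    return k / K


def key_pre_distribution(K, k, n, rng):
    """Phase (i): each of n nodes receives a ring of k distinct key ids from the pool 0..K-1."""
    return [frozenset(rng.sample(range(K), k)) for _ in range(n)]


def shared_key_discovery(rings, neighbours):
    """Phase (ii): neighbouring nodes whose rings intersect can set up a secure link.
    Returns the adjacency of the resulting secure-link graph."""
    links = {u: set() for u in range(len(rings))}
    for u, v in neighbours:
        if rings[u] & rings[v]:          # at least one common key id
            links[u].add(v)
            links[v].add(u)
    return links


def path_key_possible(links, u, v):
    """Phase (iii): a path key can be delivered to u and v (who share no key) only if a
    chain of secure links connects them; plain breadth-first search over `links`."""
    seen, todo = {u}, deque([u])
    while todo:
        x = todo.popleft()
        if x == v:
            return True
        for y in links[x]:
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return False


def empirical_share_rate(K, k, n, seed=1):
    """Fraction of all node pairs that share at least one key in a random deployment;
    it should approach p_connect(K, k)."""
    rings = key_pre_distribution(K, k, n, random.Random(seed))
    pairs = [(u, v) for u in range(n) for v in range(u + 1, n)]
    shared = sum(1 for u, v in pairs if rings[u] & rings[v])
    return shared / len(pairs)


if __name__ == "__main__":
    K, k = 100, 10
    print("analytic p_connect  :", round(p_connect(K, k), 4))
    print("empirical share rate:", round(empirical_share_rate(K, k, 200), 4))
    print("p_overhear          :", p_overhear(K, k))
```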

2.3 Cluster-based private data aggregation (CPDA) protocol


The CPDA scheme works in three phases: (i) cluster formation, (ii) computation of aggregate
results in clusters, and (iii) cluster data aggregation. These phases are described below.
Cluster formation: Fig. 1 depicts the cluster formation process. A query server Q triggers a
query by sending a HELLO message. When the HELLO message reaches a sensor node, it elects
itself as a cluster leader with a pre-defined probability p. If the value of p is large, there will be

a larger number of nodes will elect themselves as cluster leaders. This will result in a higher
number of clusters in the network. On the other hand, smaller values of p will lead to fewer
clusters due to a smaller number of cluster leader nodes. Hence, the value of the
parameter p can be suitably chosen to control the number of clusters in the network. If a node
becomes a cluster leader, it forwards the HELLO message to its neighbors; otherwise, it waits for
a threshold period of time to check whether any HELLO message arrives at it from any of its
neighbors. If any HELLO message arrives at the node, it decides to join the cluster formed by its
neighbor by broadcasting a JOIN message as shown in Fig. 2. This process is repeated and
multiple clusters are formed so that the entire WSN becomes a collection of a set of clusters.

Fig. 1. The query server Q sends HELLO messages for initiating the cluster formation
procedure to its neighbors A, D, E and F. The query server is shaded in the figure.

Computation within clusters: In this phase, aggregation is done in each cluster. The
computation is illustrated with the example of a simple case where a cluster contains three
members: A, B, and C, where A is assumed to be the cluster leader and the aggregator
node, whereas B and C are the cluster member nodes. Let a, b, c represent the private data
held by the nodes A, B, and C respectively. The goal of the aggregation scheme is to
compute the sum of a, b and c without revealing the private values of the nodes.

Fig. 2. A and D elect themselves as the cluster leaders randomly and in turn send HELLO
messages to their neighbors. E and F join the cluster formed by Q. B and C join the cluster
formed with A as the cluster leader, while G and H join the cluster with D as the cluster
leader. All the cluster leaders and the query server are shaded in the figure.


As shown in Fig. 3, for the privacy-preserving additive aggregation function, the nodes A, B,
and C are assumed to share three public non-zero distinct numbers, which are denoted as x,
y, and z respectively. In addition, node A generates two random numbers r1A and r2A, which
are known only to node A. Similarly, nodes B and C generate r1B, r2B and r1C, r2C respectively,
which are private values of the nodes which have generated them.

Fig. 3. Nodes A, B and C broadcast their distinct and non-zero public seeds x, y and z
respectively

Node A computes vAA, vBA, and vCA as shown in (3).

$$v_A^A = a + r_1^A x + r_2^A x^2,\quad v_B^A = a + r_1^A y + r_2^A y^2,\quad v_C^A = a + r_1^A z + r_2^A z^2 \qquad (3)$$


Similarly, node B computes vAB, vBB, and vCB as in (4).

$$v_A^B = b + r_1^B x + r_2^B x^2,\quad v_B^B = b + r_1^B y + r_2^B y^2,\quad v_C^B = b + r_1^B z + r_2^B z^2 \qquad (4)$$

Likewise, node C computes vAC, vBC, and vCC as in (5).

$$v_A^C = c + r_1^C x + r_2^C x^2,\quad v_B^C = c + r_1^C y + r_2^C y^2,\quad v_C^C = c + r_1^C z + r_2^C z^2 \qquad (5)$$

92
Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks 139

Node A encrypts vBA and sends it to node B using the shared key between node A and
node B. Node A also encrypts vCA and sends it to node C using the shared key between
node A and node C. In the same manner, node B sends encrypted vAB to node A and vCB to
node C; node C sends encrypted vAC and vBC to node A and node B respectively. The
exchanges of these encrypted messages are depicted in Fig. 4. On receiving vAB and vAC,
node A computes the sum of vAA (already computed by node A), vAB and vAC. Now, node
A computes FA using (6).

Fig. 4. Exchanges of encrypted messages among nodes A, B and C using shared keys

FA v AA  vBA  vCA ( a  b  c )  r1x  r2 x 2 (6)

In (6), $r_1 = r_1^A + r_1^B + r_1^C$ and $r_2 = r_2^A + r_2^B + r_2^C$. Similarly, node B and node C compute FB and
FC respectively, where FB and FC are given by (7) and (8) respectively.

FB  vBA  vBB  vCB  ( a  b  c )  r1 y  r2 y 2 (7)

FC  vCA  vCB  vCC  ( a  b  c )  r1 z  r2 z2 (8)

Node B and node C broadcast FB and FC to the cluster leader node A, so that node A has the
knowledge of the values of FA, FB and FC. From these values the cluster leader node A can
compute the aggregated value (a + b + c) as explained below.
The equations (6), (7), and (8) can be rewritten as in (9).

U  G 1F (9)


In (9), $G = \begin{bmatrix} 1 & x & x^2 \\ 1 & y & y^2 \\ 1 & z & z^2 \end{bmatrix}$, $U = \begin{bmatrix} a + b + c \\ r_1 \\ r_2 \end{bmatrix}$ and $F = \begin{bmatrix} F_A & F_B & F_C \end{bmatrix}^T$.

Since x, y, z, FA, FB, and FC are known to the cluster leader node A, it can compute the value
of (a + b + c) without having any knowledge of b and c.
In order to avoid eavesdropping attack by neighbor nodes, it is necessary to encrypt the
values of vBA, vCA, vAB, vCB, vAC, and vBC. If node B overhears the value of vCA, then node B
gets access to the values of vCA, vBA and FA. Then node B can deduce $v_A^A = F_A - v_B^A - v_C^A$.
Having the knowledge of vAA, node B can further obtain the value of a if x, vAA, vAB and vAC
are known. However, if node A encrypts vCA and sends it to node C, then node B cannot get
vCA. With the knowledge of vBA, FA, and x from node A, node B cannot deduce the value of a.
If node B and node C collude and reveal node A's information (i.e., vBA and vCA), to each
other, then node A's privacy will be compromised and its private value a will be revealed. In
order to reduce the probability of such collusion attacks, the cluster size should be as large
as possible, since in a cluster of size m, at least (m - 1) nodes should collude in order to
successfully launch the attack. Higher values of m will require larger number of colluding
nodes thereby making the attack more difficult.
Cluster data aggregation: The CPDA scheme has been implemented on top of a protocol
known as Tiny Aggregation (TAG) protocol (Madden et al., 2002). Using the TAG protocol,
each cluster leader node routes the sum of the values in the nodes in its cluster to the query
server through a TAG routing tree whose root is situated at the server.

3. An Attack on the CPDA scheme


In this section, we present an efficient attack (Sen & Maitra, 2011) on the CPDA aggregation
scheme. The objective of the attack is to show the vulnerability of the CPDA scheme which
can be suitably exploited by a malicious participating sensor node. The intention of the
malicious node is to participate in the scheme in such a way that it can get access to the
private values (i.e., a, b and c) of the participating sensor nodes. For describing the attack
scenario, we use the same example cluster consisting of three sensor nodes A, B and C. Node
A is the cluster leader whereas node B and node C are the cluster members. We distinguish
two types of attacks: (i) attack by a malicious cluster leader (e.g., node A) and (ii) attack by a
malicious cluster member (e.g., either node B or node C). These two cases are described in
detail in the following sub-sections.

3.1 Privacy attack by a malicious cluster leader node


Let us assume that the cluster leader node A is malicious. Node A chooses a very large value
of x such that x >> y, z. Since y and z are public values chosen by node B and node C which
are broadcast in the network by node B and node C respectively, it is easy for node A to
choose a suitable value for x.
Nodes A, B and C compute the values of vAA, vBA, vCA, vAB, vBB, vCB, vAC, vBC, and vCC using (3),
(4) and (5) as described in Section 2.3. As per the CPDA scheme, node A receives:


$v_A^B = b + r_1^B x + r_2^B x^2$ from node B. Since x is very large compared to b and $r_1^B$, node A can
derive the value of $r_2^B$ using (10), where we consider integer division.

$$\frac{v_A^B}{x^2} = \frac{b}{x^2} + \frac{r_1^B}{x} + r_2^B \approx 0 + 0 + r_2^B = r_2^B \qquad (10)$$

Using the value of $r_2^B$ as derived in (10), and using $v_A^B = b + r_1^B x + r_2^B x^2$, node A can now
compute the value of $r_1^B$ by solving (11).

$$\frac{v_A^B - r_2^B x^2}{x} = \frac{b}{x} + r_1^B \approx 0 + r_1^B = r_1^B \qquad (11)$$
In the same manner, node A derives the values of r1C and r2C from vAC received from node C.
Since $r_1 = r_1^A + r_1^B + r_1^C$ and $r_2 = r_2^A + r_2^B + r_2^C$, as shown in (6), (7) and (8), node A can
compute the values of r1 and r2 (r1B, r2B, r1C, and r2C are derived as shown above, and r1A and
r2A were generated by node A).
At this stage, node A uses the values of FB and FC received from node B and node C
respectively as shown in (7) and (8). Node A has now two linear simultaneous equations
with two unknowns: b and c, the values of y and z being public. Solving (7) and (8) for b and
c, the malicious cluster leader node A can get the access to the private information.

3.2 Privacy attack by a malicious cluster member node


In this scenario, let us assume that the cluster member node B is malicious and it tries to
access the private values of the cluster leader node A and the cluster member node C. Node
B chooses a very large value of y so that y >> x, z. Once the value of FB is computed in (7),
node B derives the value of r2 and r1 using (12) and (13).

$$\frac{F_B}{y^2} = \frac{a + b + c}{y^2} + \frac{r_1}{y} + r_2 \approx 0 + 0 + r_2 = r_2 \qquad (12)$$

$$\frac{F_B - r_2 y^2}{y} = \frac{a + b + c}{y} + r_1 \approx 0 + r_1 = r_1 \qquad (13)$$

As per the CPDA scheme, node B receives $v_B^C = c + r_1^C y + r_2^C y^2$ from node C. Since the
magnitude of y is very large compared to c, r1C and r2C, it is easy for node B to derive the
values of r2C and r1C using (14) and (15) respectively.

$$\frac{v_B^C}{y^2} = \frac{c}{y^2} + \frac{r_1^C}{y} + r_2^C \approx 0 + 0 + r_2^C = r_2^C \qquad (14)$$

$$\frac{v_B^C - r_2^C y^2}{y} = \frac{c}{y} + r_1^C \approx 0 + r_1^C = r_1^C \qquad (15)$$

Using (12), (13), (14) and (15), node B can compute $r_1^A = r_1 - r_1^B - r_1^C$ and $r_2^A = r_2 - r_2^B - r_2^C$.
Now, node B can compute the value of a using $v_B^A = a + r_1^A y + r_2^A y^2$ (received from node A),


in which the values of all the variables are known except that of a. In a similar fashion, node
B derives the value of c using $v_B^C = c + r_1^C y + r_2^C y^2$ (received from node C).

Since the private values of the nodes A and C are now known to node B, the privacy attack
launched by participating cluster member node B is successful on the CPDA aggregation
scheme.

4. Modification of the CPDA Scheme


In this section, we present two modifications of CPDA scheme: one towards making the
protocol more efficient and the other for making it more secure.

4.1 Modification of CPDA scheme for enhanced efficiency


In this section, a modification is proposed for the CPDA protocol for achieving enhanced
efficiency in its operation. The modification is based on suitable choice for the value of x (the
public seed) done by the aggregator node A.
Let us assume that the node A chooses a large value of x such that the following conditions
in (16) and (17) are satisfied.

$$r_2 x^2 \gg r_1 x \qquad (16)$$

$$r_1 x \gg (a + b + c) \qquad (17)$$

In (16) and (17), $r_1 = r_1^A + r_1^B + r_1^C$ and $r_2 = r_2^A + r_2^B + r_2^C$. Now, node A has computed the value
of FA as shown in (6). In order to efficiently compute the value of (a + b + c), node A divides
the value of FA by x2 as shown in (18).

FA ( a  b  c ) r1x
  2  r2  0  0  r2  r2 (18)
x2 x2 x
Using (18), node A derives the value of r2. Once the value of r2 is deduced, node A attempts
to compute the value of r1 using (19) and (20).

FA  r2 x 2  ( a  b  c )  r1x (19)

(FA  r2 x 2 ) ( a  b  c ) (FA  r2 x 2 ) (FA  r2 x 2 )


r1    0 (20)
x x x x
Since, the values of FA, r2 and x are all known to node A, it can compute the value of r1 using
(20). Once the values of r1 and r2 are computed by node A, it can compute the value of (a + b + c)
using (6). Since the computation of the sum (a + b + c) by node A involves only two integer division
operations (as done in (18) and (20)), the modified CPDA scheme is light-weight and hence much more
energy- and time-efficient than the original CPDA scheme. The original CPDA scheme involved additional
computations of the values of FB and FC, and an expensive matrix inversion operation as
described in Section 2.3.


4.2 Modification of the CPDA scheme for resisting the attack


In this section, we discuss the modifications required on the existing CPDA scheme so that a
malicious participant node cannot launch the attack described in Section 3.
It may be noted that, the vulnerability of the CPDA scheme lies essentially in the
unrestricted freedom delegated on the participating nodes for generating their public seed
values. For example, nodes A, B and C have no restrictions on their choice for values of x, y
and z respectively while they generate these values. A malicious attacker can exploit this
freedom to generate an arbitrarily large public seed value, and can thereby launch an attack
as discussed in Section 3.
In order to prevent such an attack, the CPDA protocol needs to be modified. In this
modified version, the nodes in a cluster make a check on the generated public seed values so
that it is not possible for a malicious participant to generate any arbitrarily large seed value.
For a cluster with three nodes, such a constraint may be imposed by the requirement that
the sum of any two public seeds must be greater than the third seed. In other words: x + y >
z, z + x > y, and y + z > x. If these constraints are satisfied by the generated values of x, y and
z, it will be impossible for any node to launch the attack and get access to the private values
of the other participating nodes.
However, even if the above restrictions on the values of x, y and z are imposed, the nodes
should be careful in choosing the values for their secret random number pairs. If two nodes
happen to choose very large values for their random numbers compared to those chosen by
the third node, then it will be possible for the third node to get access to the private values of
the other two nodes. For example, let us assume that nodes A and C have chosen the values
of r1A, r2A and r1C, r2C such that they are all much larger than r1B and r2B - the private random
number pair chosen by node B. It will be possible for node B to derive the values of a and c:
the private values of nodes A and C respectively. This is explained in the following.

Node B receives $v_B^A = a + r_1^A y + r_2^A y^2$ from node A and computes the values of $r_1^A$ and $r_2^A$
using (21) and (22).

$$\frac{v_B^A}{y^2} = \frac{a}{y^2} + \frac{r_1^A}{y} + r_2^A \approx 0 + 0 + r_2^A = r_2^A \qquad (21)$$

$$\frac{v_B^A - r_2^A y^2}{y} = \frac{a}{y} + r_1^A \approx 0 + r_1^A = r_1^A \qquad (22)$$

In a similar fashion, node B derives the values of r1C and r2C from vBC received from node C.
Now, node B computes $r_1 = r_1^A + r_1^B + r_1^C$ and $r_2 = r_2^A + r_2^B + r_2^C$, since it has access to the values
of all these variables. In the original CPDA scheme (He et al., 2007), the values of FB and
FC are broadcast by nodes B and C in unencrypted form. Hence, node B has access to both
these values. Using (7) and (8), node B can compute the values of a and c, since these are the
only unknown variables in the two simultaneous linear equations.
In order to defend against the above vulnerability, the CPDA protocol needs further
modification. In this modified version, after the values vAA, vAB, and vAC are generated and


shared by nodes A, B and C respectively, the nodes check whether the following constraints
are satisfied: vAA + vAB > vAC, vAB + vAC > vAA, and vAC + vAA > vAB. The nodes proceed for
further execution of the algorithm only if the above three inequalities are satisfied. If the
three inequalities are not all satisfied, there is a possibility that the random numbers
generated by one node are much larger than those generated by the other nodes, a scenario
which indicates a possible attack by a malicious node.
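The three-node cluster of Sections 2.3, 4.1 and 4.2 worked through in code, as an added example that is not part of the chapter: one CPDA round with the matrix solve of (9), the division-based recovery of (18)-(20), and the seed and share checks of Section 4.2. The private values, random pairs and seeds are constructed for illustration.

```python
"""CPDA three-node cluster (leader A, members B and C) as described in the
chapter, with the efficient variant of Section 4.1 and the checks of
Section 4.2. All private values, random pairs and seeds are constructed."""
from fractions import Fraction


def shares(private, r1, r2, seeds):
    """Eqs. (3)-(5): node N forms v_X^N = private + r1*s_X + r2*s_X^2 for every
    node X, where s_X is X's public seed and (r1, r2) is N's private pair."""
    return {x: private + r1 * s + r2 * s * s for x, s in seeds.items()}


def solve_vandermonde(seeds, F):
    """Eq. (9): U = G^{-1} F with G rows (1, s, s^2). Returns (a+b+c, r1, r2).
    Exact Gauss-Jordan elimination; distinct seeds keep G invertible."""
    names = list(seeds)
    M = [[Fraction(1), Fraction(seeds[n]), Fraction(seeds[n]) ** 2, Fraction(F[n])]
         for n in names]
    for col in range(3):
        piv = next(r for r in range(col, 3) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        M[col] = [v / M[col][col] for v in M[col]]
        for r in range(3):
            if r != col and M[r][col] != 0:
                M[r] = [rv - M[r][col] * cv for rv, cv in zip(M[r], M[col])]
    return tuple(int(M[i][3]) for i in range(3))


def run_cpda(values, randoms, seeds):
    """One CPDA round: every node N forms its shares, each node X sums the
    shares addressed to it into F_X (eqs. (6)-(8)), members send F_B and F_C
    to the leader, which recovers a+b+c from (9). Returns the aggregate."""
    v = {n: shares(values[n], *randoms[n], seeds) for n in seeds}
    F = {x: sum(v[n][x] for n in seeds) for x in seeds}  # sum over senders n
    total, _r1, _r2 = solve_vandermonde(seeds, F)
    return total


def split_by_seed(value, seed):
    """Integer-division step of eqs. (10)-(11) and (18)-(20): for
    value = rem + r1*seed + r2*seed^2 returns (rem, r1, r2). The result is
    only correct when rem < seed and rem + r1*seed < seed^2, i.e. when the
    seed dominates everything else; with a balanced seed it is garbage."""
    r2 = value // (seed * seed)
    r1 = (value - r2 * seed * seed) // seed
    return value - r1 * seed - r2 * seed * seed, r1, r2


def efficient_total(F_A, x):
    """Section 4.1: the leader recovers r2 and r1 from F_A by two integer
    divisions and subtracts them out of (6), with no matrix inversion."""
    total, _r1, _r2 = split_by_seed(F_A, x)
    return total


def seeds_acceptable(x, y, z):
    """Section 4.2 seed constraint: x + y > z, z + x > y and y + z > x. A seed
    large enough for split_by_seed to work on a member's share fails this."""
    return x + y > z and z + x > y and y + z > x


def leader_shares_acceptable(vAA, vAB, vAC):
    """Section 4.2 constraint on the shares held by the leader, flagging one
    node whose random pair dwarfs the others'."""
    return vAA + vAB > vAC and vAB + vAC > vAA and vAC + vAA > vAB


if __name__ == "__main__":
    values = {"A": 10, "B": 20, "C": 30}               # constructed private data
    randoms = {"A": (4, 9), "B": (2, 6), "C": (5, 1)}  # constructed (r1, r2) pairs
    seeds = {"A": 3, "B": 5, "C": 7}                   # constructed public seeds
    print("seeds pass the 4.2 check:", seeds_acceptable(*seeds.values()))
    print("aggregate via (9):", run_cpda(values, randoms, seeds))
    # Section 4.1 needs x to dominate r1*x and a+b+c; such an x is exactly what
    # the 4.2 seed check rejects, so the two modifications are not combined here.
    big_x = 10**6
    F_A = 60 + 11 * big_x + 16 * big_x ** 2            # (6) with r1=11, r2=16
    print("aggregate via (18)-(20):", efficient_total(F_A, big_x))
    print("large x passes the 4.2 check:", seeds_acceptable(big_x, 5, 7))
```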

5. Performance analysis
In this section, we present a brief comparative analysis of the overheads of the original CPDA
protocol and the proposed modified CPDA protocols that we have discussed in Section 4.1
and Section 4.2. Our analysis is based on two categories of overheads: (i) overhead due to
message communication in the network and (ii) computational overhead at the sensor nodes.

5.1 Communication overhead


We compare communication overheads of three protocols - the tiny aggregation protocol
(TAG), the original CPDA protocol and the proposed modified CPDA protocols. In TAG,
each sensor node needs to send 2 messages for the data aggregation protocol to work. One
HELLO message communication from each sensor node is required for forming the
aggregation tree, and one message is needed for data aggregation. However, this protocol
only performs data aggregation and does not ensure any privacy for the sensor data. In the
original CPDA protocol, each cluster leader node sends 4 messages and each cluster
member node sends 3 messages for ensuring that the aggregation protocol works in a
privacy-preserving manner. In the example cluster shown in Fig. 3, the 4 messages sent by
the cluster leader node A are: one HELLO message for forming the cluster, one message for
communicating the public seed x, one message for communicating vBA and vCA to cluster
member nodes B and C respectively, and one message for sending the aggregate result from
the cluster. Similarly, the 3 messages sent by the cluster member node B are: one message
for communicating its public seed y, one message for communicating vAB and vCB to cluster
leader node A and cluster member node C respectively, and one message for
communicating the intermediate result FB to the cluster leader node A.
In contrast to the original CPDA protocol, the modified CPDA protocol in Section 4.1
involves 3 message communications from the cluster leader node and 2 message
communications from each cluster member node. The 3 messages sent by the cluster leader
node A are: one HELLO message for forming the cluster, one message for broadcasting its
public seed x, and one message for sending the final aggregate result. It may be noted that in
this protocol, the cluster leader node A need not send vBA and vCA to the cluster member
nodes B and C respectively. Each cluster member node needs to send 2 messages. For
example, the cluster member node B needs to broadcast its public seed y, and also needs to
send vAB to the cluster leader node A. Unlike in the original CPDA protocol, the cluster
member node B does not send FB to the cluster leader. Similarly, the cluster member node C
does not send FC to the cluster leader node A. In a cluster consisting of three members, the
original CPDA protocol would involve 10 messages (4 messages from the cluster leader and
3 messages from each cluster member). The modified CPDA protocol presented in Section
4.1, on the other hand, would involve 7 messages (3 messages from the cluster leader and 2


messages from each cluster member) in a cluster of three nodes. Therefore, in a cluster of
three nodes, the modified CPDA protocol presented in Section 4.1 will involve 3 less
message communications. Since in a large-scale WSN the number of clusters will be quite
high, there will be an appreciable reduction in the communication overhead in the modified
CPDA protocol presented in Section 4.1.
The secure version of the modified CPDA protocol presented in Section 4.2 involves the
same communication overhead as the original CPDA protocol. However, if any node
chooses abnormally higher values for its public seed or its private random numbers, the
secure version of the modified CPDA protocol will involve 2 extra messages from each of
the participating sensor nodes. Therefore, in a cluster of three nodes, the secure version of
the modified CPDA protocol will involve 6 extra messages in the worst case scenario when
compared with the original CPDA protocol.
If pc is the probability of a sensor node electing itself as a cluster leader, the average number of
messages sent by a sensor node in the original CPDA protocol is $4 p_c + 3(1 - p_c) = 3 + p_c$. Thus,
the message overhead in the original CPDA is less than twice that in TAG. However, in the
modified CPDA protocol presented in Section 4.1, the average number of messages
communicated by a sensor node is $3 p_c + 2(1 - p_c) = 2 + p_c$. As mentioned in Section 2.3, in
order to prevent collusion attack by sensor nodes, the cluster size in the CPDA protocol should
be as large as possible. This implies that the value of pc should be small. Since the value of pc is
small, it is clear that the message overhead in the modified CPDA protocol presented in
Section 4.1 is almost the same as that in TAG and it is much less (one message less for each
sensor node) than that of the original CPDA protocol. In the secure version of the protocol in
Section 4.2, the communication overhead, in the average case, will be the same as in the
original CPDA protocol. However, in the worst case, the number of messages sent by a sensor
node in this protocol will be $6 p_c + 5(1 - p_c) = 5 + p_c$. This is 2.5 times the average
communication overhead in the TAG protocol and 1.67 times the average communication
overhead in the original CPDA protocol. The secure protocol, therefore, will involve 67% more
overhead in the worst case scenario (where a malicious participant sensor node chooses
abnormally higher values for its public seed as well as for its private random numbers).

5.2 Computational overhead


In this section, we present a comparative analysis of the computational overheads incurred
by the sensor nodes in the original CPDA protocol and in the proposed efficient version of
the protocol.
Computational overhead of the original CPDA protocol: The computational overhead of
the CPDA protocol can be broadly classified into four categories: (i) computation of the
parameters, (ii) computation for encrypting messages, (iii) computation of the intermediate
results, and (iv) computation of the final aggregate result at the cluster leader node. The
details of these computations are presented below:
i. Computation of the parameters at the sensor nodes: Each sensor node in a three member
cluster computes three parameters. For example, the cluster leader node A computes
vAA, vBA, vCA. Similarly, the cluster member node B computes vAB, vBB and vCB. We first
compute the overhead due to these computations.


Since $v_A^A = a + r_1^A x + r_2^A x^2$, for computation of vAA, node A needs to perform 2 addition, 2
multiplication and 1 exponentiation operations. Hence, for computing vAA, vBA and vCA,
node A needs to perform 6 addition, 6 multiplication and 3 exponentiation operations.
Therefore, in a cluster consisting of three members, for computation of all parameters,
the original CPDA protocol requires 18 addition, 18 multiplication and 9 exponentiation
operations.
ii. Computations for encrypting messages: Some of the messages in the CPDA protocol need
to be communicated in encrypted form. The encryption operation involves
computational overhead. For example, node A needs to encrypt vBA and vCA before
sending them to nodes B and C respectively. Therefore, 2 encryption operations are
required at node A. For a cluster consisting of three members, the CPDA protocol will
need 6 encryption operations.
iii. Computations of intermediate results: The nodes A, B, and C need to compute the
intermediate values FA, FB and FC respectively for computation of the final aggregated
result. Since $F_A = v_A^A + v_A^B + v_A^C = (a + b + c) + r_1 x + r_2 x^2$, $r_1 = r_1^A + r_1^B + r_1^C$ and
$r_2 = r_2^A + r_2^B + r_2^C$, for computing FA, node A will need to perform 4 addition operations.
Therefore, for a cluster of three members, 12 addition operations will be needed.
iv. Aggregate computation at the cluster leader: For computing the final aggregated result in a
privacy-preserving way, the cluster leader node A needs to perform one matrix
inversion operation and one matrix multiplication operation.
The summary of the various operations in the original CPDA protocol is presented in Table 1.

Operation type           No. of operations

Addition                 30
Multiplication           18
Exponentiation           3
Encryption               6
Matrix multiplication    1
Matrix inversion         1

Table 1. Operations in the CPDA protocol

Computational overhead of the modified CPDA protocol: The overhead of the efficient
version of the CPDA protocol presented in Section 4.1 are due to: (i) computation of the
parameters at the sensor nodes, (ii) computation of the intermediate result at the cluster
leader node, and (iii) computation of the aggregated result at the cluster leader node. The
details of these computations are presented below.
i. Computation of the parameters at the sensor nodes: In the modified version of the CPDA
protocol, the nodes A, B and C need to only compute vAA, vAB, and vAC respectively. As
shown earlier, each parameter computation involves 2 addition, 2 multiplication and 1
exponentiation operations. Therefore, in total, 6 addition, 6 multiplication, and 3
exponentiation operations will be needed.


ii. Computations for encrypting messages: The nodes B and C will need to encrypt the
messages vAB and vAC respectively before sending them to the cluster leader node A.
Therefore, 2 encryption operations will be required.
iii. Computation of intermediate result: The cluster leader node A will only compute FA in the
modified CPDA. The cluster member nodes B and C need not perform any
computations here. As discussed earlier, computation of FA needs 4 addition operations.
iv. Aggregate computation at the cluster leader: For computation of the final result at the
cluster leader node, 2 integer division and 2 subtraction operations will be required.
The summary of the various operations in the modified CPDA protocol is presented in Table 2.

Operation type           No. of operations

Addition                 10
Subtraction              2
Multiplication           6
Division                 2
Exponentiation           3
Encryption               2

Table 2. Operations in the proposed modified CPDA protocol

It is clearly evident from Table 1 and Table 2 that the modified version of the CPDA protocol
involves much less computational overhead than the original version of the protocol.

6. Security requirements in data aggregation protocols for WSNs


The purpose of any WSN deployment is to provide the users with access to the information
of interest from the data gathered by spatially distributed sensor nodes. In most
applications, users require only certain aggregate functions of this distributed data.
Examples include the average temperature in a network of temperature sensors, a particular
trigger in the case of an alarm network, or the location of an event. Such aggregate functions
could be computed under the end-to-end information flow paradigm by communicating all
relevant data to a central collector node. This, however, is a highly inefficient solution for
WSNs which have severe constraints in energy, memory and bandwidth, and where tight
latency constraints are to be met. As mentioned in Section 1 of this chapter, an alternative
solution is to perform in-network computations (Madden et al., 2005). However, in this case,
the question that arises is how best to perform the distributed computations over a network
of nodes with wireless links. What is the optimal way to compute, for example, the average,
min, or max of a set of statistically correlated values stored in different nodes? How would
such computations be performed in the presence of unreliability such as noise, packet drops,
and node failures? Such questions combine the complexities of multi-terminal information
theory, distributed source coding, communication complexity, and distributed computation.
This makes development of an efficient in-network computing framework for WSNs very
challenging.
Apart from making a trade-off between the level of accuracy in aggregation and the energy
expended in computation of the aggregation function, another issue that needs serious
attention in WSN is security. Unfortunately, even though security has been identified as a


major challenge for sensor networks (Karlof & Wagner, 2003), most of the existing proposals
for data aggregation in WSNs have not been designed with security in mind. Consequently,
these schemes are all vulnerable to various types of attacks (Sen, 2009). Even when a single
sensor node is captured, compromised or spoofed, an attacker can often manipulate the
value of an aggregate function without any bound, gaining complete control over the
computed aggregate. In fact, any protocol that computes the average, sum, minimum, or
maximum function is insecure against malicious data, no matter how these functions are
computed. To defend against these critical threats, this chapter presents an energy-efficient
aggregation algorithm based on a distributed estimation approach. The algorithm is secure
and robust against malicious attacks in WSNs. The main threat that has been considered
while designing the proposed scheme is the injection of malicious data in the network by an
adversary who has compromised a sensor's sensed value by subjecting it to unusual
temperature, lighting, or other spoofed environmental conditions. In designing the
proposed algorithm, a WSN is considered as a collective entity that performs a sensing task,
and a distributed estimation algorithm is proposed that can be applied to a large class of
aggregation problems.
In the proposed scheme (Sen, 2011), each node in a WSN has complete information about
the parameter being sensed. This is in contrast to the snapshot aggregation, where the
sensed parameters are aggregated at the intermediate nodes till the final aggregated result
reaches the root. Each node, in the proposed algorithm, instead of unicasting its sensed
information to its parent, broadcasts its estimate to all its neighbors. This makes the protocol
more fault-tolerant and increases the information availability in the network. The scheme is
an extension of the one suggested in (Boulis et al., 2003). However, it is more secure and
reliable even in presence of compromised and faulty nodes in a WSN.
In the following section, we provide a brief discussion on some of the well-known secure
aggregation schemes for WSNs.

7. Overview of some aggregation protocols for WSNs


Extensive work has been done on aggregation applications in WSNs. However, security and
energy, two major aspects of the design of an efficient and robust aggregation algorithm, have
not attracted adequate attention. Before discussing some of the existing secure aggregation
mechanisms, we present a few well-known aggregation schemes for WSNs.
In (Heidemann, 2001), a framework for flexible aggregation in WSNs has been presented
following snapshot aggregation approach without addressing issues like energy
efficiency and security in the data aggregation process. A cluster-based algorithm has
been proposed in (Estrin et al., 1999) that uses directed diffusion technique to gather a
global perspective utilizing only the local nodes in each cluster. The nodes are assigned
different levels – level 0 being assigned to the nodes lying at the lowest level. The nodes
at the higher levels can communicate with the nodes in the same cluster and the cluster
head node. This effectively enables localized cluster computation. The nodes at the higher
level communicate the local information of the cluster to get a global picture of the
network aggregation. In (Madden et al., 2002), the authors have proposed a mechanism
called TAG – a generic data aggregation scheme that involves a language similar to SQL
for generating queries in a WSN. In this scheme, the base station (BS) generates a query


using the query language, and the sensor nodes send their reply using routes constructed
based on a routing tree. At each point in the routing tree, the data is aggregated using
some aggregation function that was defined in the initial query sent by the BS. In
(Shrivastava et al., 2004), a summary structure for supporting fairly complex aggregate
functions, such as median and range queries, has been proposed. Computation of
relatively simpler functions such as min/max, sum, and average is also supported in the
proposed framework. However, more complex aggregates, such as the most frequently
reported data values are not supported. The computed aggregate functions are
approximate but the estimate errors are statistically bounded. There are also
propositions based on programmable sensor networks for aggregation based on
snapshot algorithms (Jaikaeo et al., 2000). In (Zhao et al., 2002), the authors have
focused their attention on the problem of providing a residual energy map of a WSN.
They have proposed a scheme for computing the equi-potential curves of residual energy
with certain acceptable margin of error. A simple but efficient aggregation function is
proposed where the location approximation of the nodes is not computed. A more
advanced aggregate function can be developed for this purpose that will encompass an
accurate convex curve. For periodic update of the residual energy map, the authors have
proposed a naïve scheme of incremental updates. Thus if a node changes its value
beyond the tolerance limit its value is transmitted and aggregated again by some nodes
before the final change reaches the user. No mechanism exists for prediction of changes
or for estimation of correlation between sensed values for the purpose of setting the
tolerance threshold. In (Goel & Imielinski, 2001), a scheme has been proposed for the
purpose of monitoring the sensed values of each individual sensor node in a WSN. There
is no aggregation algorithm in the scheme; however, the spatial-temporal correlation
between the sensed data can be extrapolated to fit an aggregation function. The authors
have also attempted to modify the techniques of MPEG-2 for sensor network monitoring
to optimize communication overhead and energy. A central node computes predictions
and transmits them to all the nodes. The nodes send their update only if their sensed
data deviate significantly from the predictions. A distributed computing framework is
developed by establishing a hierarchical dependency among the nodes. An energy
efficient aggregation algorithm is proposed by the authors in (Boulis et al., 2003), in
which each node in a WSN senses the parameter and there is no hierarchical dependency
among the nodes. The nodes in a neighbourhood periodically broadcast their information
based on a threshold value.
As mentioned earlier in this section, none of the above schemes considers security aspects of
the aggregation process. Security in aggregation schemes for WSNs has also attracted
attention from researchers, and a considerable number of propositions exist in the
literature in this direction. We discuss some of the well-known mechanisms below.

A secure aggregation (SA) protocol has been proposed that uses the TESLA protocol (Hu &
Evans, 2003). The protocol is resilient to both intruder devices and single device key
compromises. In the proposition, the sensor nodes are organized into a tree where the
internal nodes act as the aggregators. However, the protocol is vulnerable if a parent and
one of its child nodes are compromised, since, due to the delayed disclosure of symmetric
keys, the parent node will not be able to immediately verify the authenticity of the data sent
by its child nodes.

Przydatek et al. have presented a secure information aggregation (SIA) framework for sensor
networks (Przydatek et al., 2003; Chan et al., 2007). The framework consists of three
categories of nodes: a home server, base stations and sensor nodes. A base station is a
resource-enhanced node which is used as an intermediary between the home server and
the sensor nodes, and it is also the candidate to perform the aggregation task. SIA
assumes that each sensor has a unique identifier and shares a separate secret
cryptographic key with both the home server and the aggregator. The keys enable
message authentication, and encryption if data confidentiality is required. Moreover, it
further assumes that the home server and the base station can use a mechanism, such as
μTESLA, to broadcast authenticated messages. The proposed solution follows an aggregate-
commit-prove approach. In the first phase (aggregate), the aggregator collects data from
sensors and locally computes the aggregation result using some specific aggregate
function. Each sensor shares a key with the aggregator. This allows the aggregator to
verify whether the sensor reading is authentic. However, there is a possibility that a
sensor may have been compromised and an adversary has captured the key. In the
proposed scheme there is no mechanism to detect such an event. In the second phase
(commit), the aggregator commits to the collected data. This phase ensures that the
aggregator actually uses the data collected from the sensors, and that the statement to be
verified by the home server about the correctness of the computed results is meaningful. One
efficient mechanism for committing is a Merkle hash-tree construction (Merkle, 1980). In
this method, the data collected from the sensors is placed at the leaves of a tree. The
aggregator then computes a binary hash tree starting with the leaf nodes. Each internal
node in the hash tree is computed as the hash value of the concatenation of its two
child nodes. The root of the tree is called the commitment of the collected data. As the
hash function in use is collision-resistant, once the aggregator commits to the collected values,
it cannot change any of the collected values. In the third and final phase (prove), the aggregator and
the home server engage in a protocol in which the aggregator communicates the
aggregation result. In addition, the aggregator uses an interactive proof protocol to prove
the correctness of the reported results. This is done in two logical steps. In the first step, the
home server ensures that the committed data is a good representation of the sensor data
readings collected. In the second step, the home server checks the reliability of the
aggregator output. This is done by checking whether the aggregation result is close to the
committed results. The interactive proof protocol varies depending on the aggregation
function being used. Moreover, the authors also presented efficient protocols for secure
computation of the median and the average of the measurements, for the estimation of the
network size, and for finding the minimum and maximum sensor reading.
In (Mahimkar & Rappaport, 2004), a protocol is proposed that uses elliptic curve
cryptography for encrypting the data in WSNs. The scheme is based on clustering, where all
nodes within a cluster share a secret cluster key. Each sensor node in a cluster generates a
partial signature over its data. Each aggregator aggregates its cluster data and broadcasts
the aggregated data in its cluster. Each node in a cluster checks its data against the aggregated
data broadcast by the aggregator. A sensor node puts its partial signature to authenticate a
message only if the difference between its data and the aggregated data is less than a threshold.
Finally, the aggregator combines all the partially signed messages to form a full signature
with the authenticated result.

Deng et al. proposed a collection of mechanisms for securing in-network processing (SINP) for
WSNs (Deng et al., 2003). Security mechanisms have been proposed to address the
downstream requirement that sensor nodes authenticate commands disseminated from
parent aggregators and the upstream requirement that aggregators authenticate data
produced by sensors before aggregating that data. In the downstream stage, two techniques
are involved: one-way functions and TESLA. The upstream stage requires that a pairwise
key be shared between an aggregator and its sensor nodes.
Cam et al. proposed an energy-efficient secure pattern-based data aggregation (ESPDA) protocol
for wireless sensor networks (Cam et al., 2003; Cam et al., 2005; Cam et al., 2006a). ESPDA is
applicable for hierarchy-based sensor networks. In ESPDA, a cluster-head first requests
sensor nodes to send the corresponding pattern code for the sensed data. If multiple sensor
nodes send the same pattern code to the cluster-head, only one of them is permitted to send
the data to the cluster-head. ESPDA is secure because it does not require encrypted data to
be decrypted by cluster-heads to perform data aggregation.
Cam et al. have introduced another secure differential data aggregation (SDDA) scheme based
on pattern codes (Cam et al., 2006b). SDDA prevents redundant data transmission from
sensor nodes by implementing the following schemes: (1) SDDA transmits differential data
rather than raw data, (2) SDDA performs data aggregation on pattern codes representing the
main characteristics of the sensed data, and (3) SDDA employs a sleep protocol to
coordinate the activation of sensing units in such a way that only one of the sensor nodes
capable of sensing the data is activated at a given time. In the SDDA data transmission
scheme, the raw data from the sensor nodes is compared with the reference data and the
difference between them is transmitted in the network. The reference data is obtained by taking
the average of previously transmitted data.
In (Sanli et al., 2004), a secure reference-based data aggregation (SRDA) protocol is proposed for
cluster-based WSNs, in which raw data sensed by sensor nodes are compared with
reference data values and then only the difference data is transmitted to conserve sensor energy.
Reference data is taken as the average of a number of historical (i.e. past) sensor readings.
However, a serious drawback of the scheme is that it does not allow aggregation at the
intermediate nodes.
To defend against attacks by malicious aggregator nodes in WSNs which may falsely
manipulate the data during the aggregation process, a cryptographic mechanism has been
proposed in (Wu et al., 2007). In the proposed mechanism, a secure aggregation tree (SAT) is
constructed that enables monitoring of the aggregator nodes. The child nodes of the
aggregators can monitor the incoming data to the aggregators and can invoke a voting
scheme in case any suspicious activities by the aggregator nodes are observed.
A secure hop-by-hop data aggregation protocol (SDAP) has been proposed in (Yang et al., 2006),
in which a WSN is dynamically partitioned into multiple logical sub-trees of almost equal
sizes using a probabilistic approach. In this way, fewer nodes are located under a high-level
sensor node, thereby reducing potential security threats on nodes at higher levels. Since a
compromised node at a higher level in a WSN will have a more adverse effect on data
aggregation than a lower-level node, the authors argue that by reducing the number of
nodes at the higher levels in the logical tree, the aggregation process becomes more secure.

In (Ozdemir, 2007), a secure and reliable data aggregation scheme (SELDA) is proposed
that makes use of the concept of a web of trust. Trust and reputation based schemes have been
extensively used for designing security solutions for multi-hop wireless networks like mobile
ad hoc networks (MANETs), wireless mesh networks (WMNs) and WSNs (Sen, 2010b; Sen,
2010c; Sen, 2010d). In this scheme, sensor nodes exchange trust values in their neighborhood
to form a web of trust that facilitates the determination of secure and reliable paths to aggregators.
Observations from the sensor nodes which belong to a web of trust are given higher weights
to make the aggregation process more robust.
A data aggregation and authentication (DAA) protocol is proposed in (Cam & Ozdemir, 2007)
to integrate false data detection with data aggregation and confidentiality. In this scheme, a
monitoring algorithm has been proposed for verifying the integrity of the aggregated result
computed by each aggregator node.
In order to minimize false positives (an alert is raised although there is no
attack) in a WSN, a dynamic threshold scheme is proposed in (Parkeh & Cam, 2007), which
dynamically varies the threshold in accordance with the false alarm rate. A data aggregation
algorithm is also proposed to determine the detection probability of a target by fusing data
from multiple sensor nodes.
Du et al. proposed a witness-based data aggregation (WDA) scheme for WSNs to assure the
validation of the data fusion nodes to the base station (Du et al., 2003). To prove the validity
of the fusion results, the fusion node has to provide proofs from several witnesses. A
witness is one who also conducts data fusion like a data fusion node, but does not forward
its result to the base station. Instead, each witness computes the MAC of the result and then
provides it to the data fusion node, which must forward the proofs to the base station. This
scheme can defend against attacks on data integrity in WSNs.
Wagner studied secure data aggregation in sensor networks and proposed a mathematical
framework for formally evaluating its security (Wagner, 2004). The robustness of an
aggregation operator against malicious data is quantified. Ye et al. proposed a statistical
en-route filtering mechanism to detect any forged data being sent from the sensor nodes to the
base station of a WSN using multiple MACs along the path from the aggregator to the base
station (Ye et al., 2004; Ye et al., 2005).

8. The proposed distributed secure aggregation protocol


In this section, we propose a distributed estimation algorithm that is secure and resistant to
insider attacks by compromised and faulty nodes. There are essentially two categories of
aggregation functions (Boulis et al., 2003):
• Aggregation functions that depend on the values of a few nodes (e.g., the max
result is based on one node).
• Aggregation functions whose values are determined by all the nodes (e.g., the average
function).
However, the computation of both types of functions is adversely affected by wrong
sensed results sent by even a very small number of compromised nodes. In this chapter, we
consider only the first case, i.e., aggregation functions that find or approximate some kind of
boundaries (e.g., maxima, minima), and hence the aggregation result is determined by the
values of a few nodes. However, the proposed algorithm does not assume any knowledge
about the underlying physical process.

8.1 The proposed secure aggregation algorithm


In the proposed distributed estimation algorithm, a sensor node, instead of transmitting a
partially aggregated result, maintains and, if required, transmits an estimate of the global
aggregated result. The global aggregated description in general will be a vector, since it
represents multi-dimensional parameters sensed by different nodes. A global estimate will
thus be a probability density function of the vector that is being estimated. However, in
most practical situations, due to lack of sufficient information, complex computational
requirements or unavailability of sophisticated estimation tools, an estimate is represented
as: (estimated value, confidence indication), which in computational terms can be represented
as: (average of estimated vector, covariance matrix of estimated vector). For the sake of
manipulability with tools of estimation theory, we have chosen to represent estimates in the
form of (A, PAA), with A being the mean of the aggregated vector and PAA being the
covariance matrix of vector A. For the max aggregation function, vector A becomes a scalar
denoting the mean of the estimated max, and PAA becomes simply the variance of A.
In snapshot aggregation, a node does not have any control on the rate at which it sends
information to its parents; it has to always follow the rate specified by the user application.
Moreover, every node has little information about the global parameter, as it has no idea
about what is happening beyond its parent. In the proposed approach, a node accepts
estimates from all of its neighbors, and gradually gains knowledge about the global
information. This helps a node to understand whether its own information is useful to its
neighbors. If a node realizes that its estimate could be useful to its neighbors, it transmits the
new estimate. Unlike snapshot aggregation, where the node transmits its estimate to its
parent, in the proposed scheme the node broadcasts its estimate to all its neighbors.
Moreover, there is no need to establish and maintain a hierarchical relationship among the
nodes in the network. This makes the algorithm particularly suitable for multiple users,
mobile users, faulty nodes and transient network partition situations.
The proposed algorithm has the following steps:
1. Every node has an estimate of the global aggregated value (global estimate) in the form
of (mean, covariance matrix). When a node makes a new local measurement, it makes
an aggregation of the local observation with its current estimate. This is depicted in the
block Data Aggregation 1 in Fig. 5. The node computes the new global estimate and
decides whether it should broadcast the new estimate to its neighbors. The decision is
based on a threshold value as explained in Section 8.4.
2. When a node receives a global estimate from a neighbor, it first checks whether the
newly received estimate differs from its current estimate by more than a pre-defined
threshold.
a. If the difference does not exceed the threshold, the node makes an aggregation of
the global estimates (its current value and the received value) and computes a new
global estimate. This is depicted in the block Data Aggregation 2 in Fig. 5. The node
then decides whether it should broadcast the new estimate.
b. If the difference exceeds the threshold, the node performs the same function as in
step (a). Additionally, it requests its other neighbors to send their values of the
global estimate.
c. If the estimates sent by the majority of the neighbors differ from the estimate sent
by the first neighbor by more than a threshold value, then that neighbor is assumed to be
compromised. Otherwise, it is assumed to be normal.
3. If a node is identified to be compromised, the global estimate previously sent by it is
ignored in the computation of the new global estimate and the node is isolated from the
network by a broadcast message in its neighborhood.

Fig. 5. A Schematic flow diagram of the proposed aggregation algorithm

8.2 Aggregation of two global estimates


In Fig. 5, the block Data Aggregation 1 corresponds to this activity. For combining two global
estimates to produce a single estimate, the covariance intersection (CI) algorithm is used. The CI
algorithm is particularly suitable for this purpose, since it has the capability of aggregating
two estimates without requiring any prior knowledge about their degree of correlation. This
is more pertinent to WSNs, as we cannot guarantee statistical independence of observed
data in such networks.
Given two estimates (A, PAA) and (B, PBB), the combined estimate (C, PCC) by CI is given by
(23) and (24):

$$P_{CC}^{-1} = \omega \, P_{AA}^{-1} + (1 - \omega) \, P_{BB}^{-1} \qquad (23)$$

$$C = P_{CC} \left( \omega \, P_{AA}^{-1} A + (1 - \omega) \, P_{BB}^{-1} B \right) \qquad (24)$$

Here, PAA, PBB, and PCC represent the covariance matrices associated with the estimates A, B,
and C respectively. The main computational problem with CI is the computation of ω. The
value of ω lies between 0 and 1. The optimum value of ω is the one for which the trace (or the
determinant) of PCC is minimized.

For the max aggregation function, the covariance matrices are simple scalars. It can be observed
from (23) and (24) that in such a case the optimum ω is either 1 or 0. Consequently, PCC is equal to the
minimum of PAA and PBB, and C is equal to either A or B depending on the value of PCC.
Even when the estimates are reasonably small-sized vectors, there are efficient algorithms to
determine ω.
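The CI combination of (23) and (24), as an added Python example (not code from the chapter): ω is chosen by a grid search over [0, 1] minimizing the trace of PCC, one of the standard CI criteria. The scalar case reproduces the observation above that the optimum lies at ω = 0 or 1, and a constructed 2×2 case shows an interior optimum; all matrices and values below are constructed.

```python
from typing import List, Tuple

Matrix = List[List[float]]
Vector = List[float]


def mat_inverse(m: Matrix) -> Matrix:
    """Gauss-Jordan inverse of a small square matrix (a 1x1 matrix is a scalar)."""
    n = len(m)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular covariance matrix")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0.0:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def mat_add(x: Matrix, y: Matrix) -> Matrix:
    return [[a + b for a, b in zip(rx, ry)] for rx, ry in zip(x, y)]


def mat_scale(s: float, x: Matrix) -> Matrix:
    return [[s * a for a in row] for row in x]


def mat_vec(m: Matrix, v: Vector) -> Vector:
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def trace(m: Matrix) -> float:
    return sum(m[i][i] for i in range(len(m)))


def ci_fuse(omega: float, A: Vector, PAA: Matrix, B: Vector, PBB: Matrix) -> Tuple[Vector, Matrix]:
    """Equations (23) and (24) for a fixed omega: returns the fused estimate (C, PCC)."""
    PAA_inv, PBB_inv = mat_inverse(PAA), mat_inverse(PBB)
    # (23): PCC^-1 = omega * PAA^-1 + (1 - omega) * PBB^-1
    PCC = mat_inverse(mat_add(mat_scale(omega, PAA_inv), mat_scale(1.0 - omega, PBB_inv)))
    # (24): C = PCC * (omega * PAA^-1 * A + (1 - omega) * PBB^-1 * B)
    weighted = [a + b for a, b in zip(mat_vec(mat_scale(omega, PAA_inv), A),
                                      mat_vec(mat_scale(1.0 - omega, PBB_inv), B))]
    return mat_vec(PCC, weighted), PCC


def covariance_intersection(A: Vector, PAA: Matrix, B: Vector, PBB: Matrix,
                            steps: int = 1000) -> Tuple[float, Vector, Matrix]:
    """Pick omega in [0, 1] minimizing trace(PCC) by a grid search; returns (omega, C, PCC).
    A plain grid search is adequate for the small vectors a sensor node handles."""
    best = None
    for k in range(steps + 1):
        omega = k / steps
        C, PCC = ci_fuse(omega, A, PAA, B, PBB)
        cost = trace(PCC)
        if best is None or cost < best[0]:
            best = (cost, omega, C, PCC)
    return best[1], best[2], best[3]


if __name__ == "__main__":
    # Scalar max estimates (constructed): the less uncertain one wins outright, omega = 1.
    print(covariance_intersection([30.0], [[1.0]], [28.0], [[4.0]]))
    # 2-D estimates (constructed) with complementary uncertainty: omega = 0.5, both contribute.
    print(covariance_intersection([10.0, 0.0], [[4.0, 0.0], [0.0, 1.0]],
                                  [0.0, 10.0], [[1.0, 0.0], [0.0, 4.0]]))
```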

8.3 Aggregation of a local observation with a global estimate


This module corresponds to the block Data Aggregation 2 in Fig. 5. Aggregation of a local
observation with a global estimate involves a statistical computation with two probability
distributions.
Case 1: Mean of the local observation is greater than the mean of the current global estimate:
In the case of the max aggregation function, if the mean of the local observation is greater than the
mean of the current global estimate, the local observation is taken as the new estimate. The
distribution of the new estimate is arrived at by multiplying the distribution of the current
global estimate by a positive fraction (w1) and summing it with the distribution of the local
observation. The fractional value determines the relative weight assigned to the value of the
global estimate. The weight assigned to the local observation is unity.
Case 2: Mean of the local observation is smaller than the mean of the current global
estimate: If a node observes that the mean of the local observation is smaller than its current
estimate, it combines the two distributions in the same way as in Case 1 above, but this time
a higher weight (w2) is assigned to the distribution having the higher mean (i.e. the current
estimate). However, as observed in (Boulis et al., 2003), this case should be handled more
carefully if there is a sharp fall in the value of the global maximum. We follow the same
approach as proposed in (Boulis et al., 2003). If the previous local measurement does not
differ from the global estimate beyond a threshold value, a larger weight is assigned to the
local measurement as in Case 1. In this case, it is believed that the specific local measurement
is still the global aggregated value.
For computation of the weights w1 and w2 in Case 1 and Case 2 respectively, we follow the
same approach as suggested in (Boulis et al., 2003). Since all the local measurements and
the global estimates are assumed to follow Gaussian distributions, almost all the
observations are bounded within the interval [μ ± 3σ]. When the mean of the local
measurement is larger than the mean of the global estimate, the computation of the
weight (w1) is done as follows. Let us suppose that l(x) and g(x) are the probability
distributions for the local measurement and the global estimate respectively. If l(x) and
g(x) can take non-zero values in the intervals [x1, x2] and [y1, y2] respectively, then the
weight w1(x) is assigned a value of 0 for all x < μ1 − 3σ1 and a value of 1 for all
x ≥ μ1 − 3σ1. Here, x1 is equal to μ1 − 3σ1, where μ1 and σ1 are the mean
and the standard deviation of l(x) respectively.
When the mean of the local measurement is smaller than the mean of the global estimate,
the computation of the weight w2 is carried out as follows. The value of w2(x) is assigned to
be 0 for all x < max{μ1 − 3σ1, μ2 − 3σ2}, and w2(x) is assigned a value of 1 for all
x ≥ max{μ1 − 3σ1, μ2 − 3σ2}. Here, y1 is equal to μ2 − 3σ2, where μ2 and σ2 represent the mean and the
standard deviation of g(x) respectively.

In all these computations, it is assumed that the resultant distribution after combination of two
bounded Gaussian distributions is also a Gaussian distribution. This is done in order to
maintain the consistency of the estimates. The mean and the variance of the new Gaussian
distribution represent the new estimate and the confidence (or certainty) associated with
this new estimate respectively.

8.4 Optimization of communication overhead


Optimization of communication overhead is of prime importance in resource-constrained
and bandwidth-limited WSNs. The block named Decision Making in Fig. 5 is involved in this
optimization mechanism of the proposed scheme. This module makes a trade-off between
the energy requirement and the accuracy of the aggregated results.
To reduce the communication overhead, each node in the network communicates its
computed estimate only when the estimate can bring a significant change in the estimates of its
neighbors. For this purpose, each node stores the most recent value of the estimate it has
received from each of its neighbors in a table. Every time a node computes a new estimate, it
checks the difference between its newly computed estimate and the stored estimate of each of its
neighbors. If this difference exceeds a pre-set threshold for any of its neighbors, the node
broadcasts its newly computed estimate. The determination of this threshold is crucial, as it has
a direct impact on the level of accuracy of the global estimate and the energy expenditure in
the WSN. The overhead due to message broadcasts is further reduced by maintaining two-hop
neighborhood information in each node in the network (Boulis et al., 2003). This eliminates
the communication of redundant messages, as illustrated in the following example.
Suppose that nodes A, B and C are in the neighborhood of each other in a WSN. Let us
assume that node A makes a local measurement and this changes its global estimate. After
comparing this estimate with the estimates of its neighbors as maintained in its local
table, node A decides to broadcast its new estimate. As node A broadcasts its computed
global estimate, it is received by both nodes B and C. If this broadcast estimate changes the
global estimate of node B too, then node B will further broadcast the estimate to node C, as node B
is unaware that the broadcast has changed the global estimate of node C as well. Thus the same
information is propagated among the same set of nodes in the network, leading to a high
communication overhead.
To avoid this message overhead, every node in the network maintains its two-hop
neighborhood information. When a node receives information from another node, it not
only checks the estimate values of its immediate neighbors as maintained in its table but
also does the same for its two-hop neighbors. Thus, in the above example, when node B
receives information from node A, it does not broadcast, as it understands that node C has
also received the same information from node A, since node C is also a neighbor of node A.
The two-hop neighborhood information can be collected and maintained by using
algorithms such as those proposed in (McGlynn & Borbash, 2001).
The choice of the threshold value is vital to arrive at an effective trade-off between the
energy consumed for computation and the accuracy of the result of aggregation. For a
proper estimation of the threshold value, some idea about the degree of dynamism of the
physical process being monitored is required. A more dynamic physical process puts a
greater load on the estimation algorithm, thereby demanding more energy for the same level
of accuracy (Boulis et al., 2003). If the user has no information about the physical process, the
level of accuracy of the aggregation and the amount of energy spent can be determined
dynamically as the process executes.

8.5 Security in aggregation scheme


The security module of the proposed scheme assumes that the sensing results for a set of
sensors in the same neighborhood follow a normal (Gaussian) distribution. Thus, if a node
receives estimates from one (or more) of its neighbors that deviate from its own local estimate
by more than three times its standard deviation, then the neighbor node is suspected to have
been compromised or failed. In such a scenario, the node that first detected the anomaly
sends a broadcast message to each of its neighbors requesting the values of their estimates.
If the sensing result of the suspected node deviates significantly (i.e., by more than three times
the standard deviation) from the observations of the majority of the neighbor nodes, then the
suspected node is detected as malicious. Once a node is identified as malicious, a broadcast
message is sent in the neighborhood of the node that detected it and the
suspected node is isolated from the network activities.
However, if the observation of the node does not deviate significantly from the observations
made by the majority of its neighbors, the suspected node is assumed not to be malicious. In
such a case, the estimate sent by the node is incorporated in the computation of the new
estimate and a new global estimate is computed in the neighborhood of the node.
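A single node's decision-making and security module, covering the steps of Section 8.1 together with the broadcast rule of Section 8.4 and the detection rule of Section 8.5, as one added Python example (not the chapter's code). The node ids, neighbor tables, the broadcast threshold of 0.5 and the readings are constructed; the max estimate is a scalar (mean, variance), and the three-sigma test uses the receiving node's own standard deviation, which is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Scalar estimate of the global maximum as (mean, variance), i.e. (A, PAA) for the max function.
Estimate = Tuple[float, float]


@dataclass
class SensorNode:
    node_id: str
    estimate: Estimate                   # current global estimate
    neighbors: Set[str]                  # one-hop neighbors
    two_hop: Dict[str, Set[str]]         # neighbor -> that neighbor's own neighbors
    threshold: float = 0.5               # Section 8.4 broadcast threshold (assumed value)
    table: Dict[str, float] = field(default_factory=dict)  # last estimate mean heard per neighbor
    isolated: Set[str] = field(default_factory=set)        # neighbors detected as compromised

    def sigma(self) -> float:
        return self.estimate[1] ** 0.5

    def deviates(self, value: float, reference: float) -> bool:
        """Section 8.5 rule: more than three standard deviations away is an anomaly
        (assumption: the receiving node's own sigma is used)."""
        return abs(value - reference) > 3 * self.sigma()

    def aggregate(self, other: Estimate) -> None:
        """Scalar CI (Section 8.2): with scalar covariances omega is 0 or 1, so the
        estimate with the smaller variance is kept."""
        if other[1] < self.estimate[1]:
            self.estimate = other

    def should_broadcast(self, heard_from: Optional[str] = None) -> bool:
        """Section 8.4: broadcast only if some neighbor's last known estimate differs from
        ours by more than the threshold; neighbors that already heard the same broadcast
        from `heard_from` are skipped (two-hop neighborhood rule)."""
        already_informed: Set[str] = set()
        if heard_from is not None:
            already_informed = self.two_hop.get(heard_from, set()) | {heard_from}
        for n in self.neighbors - self.isolated - already_informed:
            last = self.table.get(n)
            if last is None or abs(self.estimate[0] - last) > self.threshold:
                return True
        return False

    def receive(self, sender: str, received: Estimate, replies: Dict[str, float]) -> str:
        """Steps 2 and 3 of Section 8.1. `replies` holds the estimate means the other
        neighbors return to the step-2b request (constructed by the caller here).
        Returns a short label for the action taken."""
        if sender in self.isolated:
            return "ignored"
        mean = received[0]
        if self.deviates(mean, self.estimate[0]):                 # step 2b: ask the others
            others: List[float] = [v for n, v in replies.items()
                                   if n != sender and n not in self.isolated]
            dissent = sum(1 for v in others if self.deviates(mean, v))
            if dissent > len(others) / 2:          # step 2c: majority disagrees with sender
                self.isolated.add(sender)          # step 3: isolate, drop its earlier estimate
                self.table.pop(sender, None)
                return "isolated"
        self.table[sender] = mean                  # step 2a: record and aggregate
        self.aggregate(received)
        return "updated+broadcast" if self.should_broadcast(heard_from=sender) else "updated"


def demo_node() -> SensorNode:
    """Node B in a constructed neighborhood: A, B, C form a triangle and D hears only B.
    Readings follow the simulation setup of Section 9 (about 25 degrees, sigma 1)."""
    return SensorNode(
        node_id="B", estimate=(25.0, 1.0), neighbors={"A", "C", "D"},
        two_hop={"A": {"B", "C"}, "C": {"A", "B"}, "D": {"B"}},
        table={"A": 25.0, "C": 25.0, "D": 25.0},
    )


if __name__ == "__main__":
    node = demo_node()
    print(node.receive("A", (26.0, 0.5), {}))                      # D has not heard A: broadcast
    print(node.receive("C", (40.0, 0.5), {"A": 25.2, "D": 24.9}))  # far off, majority disagrees
    print(node.receive("C", (40.0, 0.5), {}))                      # isolated node is ignored
```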

9. Simulation results
In this section, we describe the simulations that have been performed on the proposed scheme.
As the proposed algorithm is an extension of the algorithm presented in (Boulis et al., 2003), we
present here the results that are more relevant to our contribution, i.e., the performance of the
security module. The results related to the energy consumption of nodes and aggregation
accuracy for different threshold values (discussed in Section 8.4) are presented in detail in (Boulis
et al., 2003) and therefore are not within the scope of this work.
In the simulated environment, the implemented application accomplishes temperature
monitoring, based on the network simulator ns-2 and its sensor network extension Mannasim
(Mannasim, 2002). The nodes sense the temperature continuously and send the maximum
sensed temperature only when it differs from the last data sent by more than 2%. In order to
simulate the temperature behaviour of the environment, random numbers are generated
following a Gaussian distribution with a standard deviation of 1 °C around
an average temperature of 25 °C. The simulation parameters are presented in Table 3.
To evaluate the performance of the security module of the proposed algorithm, two
different scenarios are simulated. In the first case, the aggregation algorithm is executed in
the nodes without invoking the security module to estimate the energy consumption of the
aggregation algorithm. In the second case, the security module is invoked in the nodes and
some of the nodes in the network are intentionally compromised. This experiment allows us
to estimate the overhead associated with the security module of the algorithm and its
detection effectiveness.

Parameter                          Value
No. of nodes                       160
Simulation time                    200 s
Coverage area                      120 m * 120 m
Initial energy in each node        5 Joules
MAC protocol                       IEEE 802.11
Routing protocol                   None
Node distribution                  Uniform random
Transmission power of each node    12 mW
Transmission range                 15 m
Node capacity                      5 buffers
Energy spent in transmission       0.75 W
Energy spent in reception          0.25 mW
Energy spent in sensing            10 mW
Sampling period                    0.5 s
Node mobility                      Stationary

Table 3. Simulation parameters

Fig. 6. Detection effectiveness with 10% of the nodes in the network faulty

It is observed that the delivery ratio (ratio of the packets sent to the packets received by the
nodes) is not affected by invocation of the security module. This is expected: since the packets
are transmitted in the same wireless environment, the introduction of the security module
should not have any influence on the delivery ratio.
Regarding energy consumption, it is observed that the introduction of the security module
has caused an average increase of 105.4% in the energy consumption of the nodes in the
network. This increase is observed when 20% of the nodes, chosen randomly, are
compromised intentionally while the aggregation algorithm is executing. The increase in
energy consumption is due to the additional transmission and reception of messages after the
security module is invoked.

To evaluate the detection effectiveness of the security scheme, further experiments are
conducted. For this purpose, different percentages of the nodes in the network are compromised and
the detection effectiveness of the security scheme is evaluated. Fig. 6 and Fig. 7 present the
results for 10% and 20% compromised nodes in the network respectively. In these diagrams, the
false positives refer to the cases where the security scheme wrongly identifies a sensor node as
faulty while it is actually not so. False negatives, on the other hand, are the cases where the
detection scheme fails to identify a sensor node which is actually faulty. It is observed that even
when there are 20% compromised nodes in the network, the scheme has a very high detection
rate with very low false positive and false negative rates. The results show that the proposed
mechanism is quite effective in the detection of failed and compromised nodes in the network.

Fig. 7. Detection effectiveness with 20% of the nodes in the network faulty

10. Conclusion and future research issues


In-network data aggregation in WSNs is a technique that combines partial results at the
intermediate nodes en route to the base station (i.e. the node issuing the query), thereby
reducing the communication overhead and optimizing the bandwidth utilization of the
wireless links. However, this technique raises privacy and security issues for the sensor
nodes, which need to share their data with the aggregator node. In applications such as
health care and military surveillance, where the sensitivity of the private data of the sensors
is very high, the aggregation has to be carried out in a privacy-preserving way, so that the
sensitive data are not revealed to the aggregator. A very popular scheme for this purpose
exists in the literature, known as CPDA. Although CPDA has been in the literature for quite
some time, no vulnerability of the protocol had been identified so far. In this chapter,
we have first demonstrated a security vulnerability in the CPDA protocol, wherein a
malicious sensor node can exploit the protocol in such a way that it gets access to the private
values of its neighbors while participating in the data aggregation process. A suitable
modification of the CPDA protocol is further proposed so as to plug the identified
vulnerability and also to make the protocol computationally more efficient. We have also
made an analysis of the communication and computational overhead in the original CPDA
protocol and the proposed modified version of the CPDA protocol. It has been found from
the analysis that the modified version of the protocol involves appreciably less message
communication overhead in the network and computational load on the sensor nodes.

We have also presented a comprehensive discussion on the existing secure aggregation
protocols for WSNs and proposed a secure aggregation protocol for defending against
attacks by malicious insider nodes that may introduce fake messages/data or alter data of
honest nodes in the network. The performance of the proposed scheme has been evaluated
on a network simulator and results have shown that the scheme is effective for defending
attacks launched by malicious insider nodes in a WSN.
It may be noted that over the past few years, several schemes have been proposed in the
literature for privacy-preserving data aggregation in WSNs. A very popular and elegant
approach in this direction is homomorphic encryption (Fontaine & Galand, 2007). Westhoff et al.
have proposed additive privacy homomorphic functions that allow for end-to-end encryption
between the sensors and the sink node and simultaneously enable aggregators to apply
aggregation functions directly over the ciphertexts (Westhoff et al., 2006). This has the
advantage of eliminating the need for intermediate aggregators to carry out decryption and
encryption operations on the sensitive data. Armknecht et al. have presented a symmetric
encryption scheme for sensor data aggregation that is homomorphic both for data and for the
keys (Armknecht et al., 2008). This is called bi-homomorphic encryption, which is also essentially
an additive homomorphic function. Castelluccia et al. have proposed an approach that
combines inexpensive encryption techniques with simple aggregation methods to achieve
efficient aggregation of encrypted data in WSNs (Castelluccia et al., 2009). The method relies
on end-to-end encryption of data and hop-by-hop authentication of nodes. Privacy is achieved
by using additive homomorphic functions. A very simple approach for privacy-preserving
multi-party computation has been discussed by Chaum (Chaum, 1988). The protocol is known
as the Dining Cryptographers Problem; it describes how a channel is created so that it is
difficult to trace (i.e. identify) the sender of any message through that channel.
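Chaum's Dining Cryptographers protocol mentioned above, as an added illustration (this is not code from the chapter or from Chaum's paper): every unordered pair of participants shares a random one-time key, each participant broadcasts the XOR of all keys it holds, and the single sender additionally XORs in its message. Every pair key appears in exactly two broadcasts and cancels, so the XOR of all broadcasts is the message, while no single broadcast identifies the sender. The key sizes, participant count and messages below are constructed for the example; the `collusion_view` helper is an added check of what a coalition of participants learns.

```python
"""Dining Cryptographers (DC-net) round over byte strings: constructed example."""
import secrets
from itertools import combinations


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pairwise_keys(n: int, length: int) -> dict:
    """Fresh random `length`-byte key for every pair (i, j), i < j. Keys are used once."""
    return {pair: secrets.token_bytes(length) for pair in combinations(range(n), 2)}


def announcement(i: int, n: int, keys: dict, message: bytes) -> bytes:
    """Participant i's broadcast. Non-senders pass an all-zero `message`."""
    out = message
    for j in range(n):
        if j != i:
            out = xor_bytes(out, keys[(min(i, j), max(i, j))])
    return out


def dc_round(n: int, messages: dict, length: int, keys=None):
    """One round. `messages` maps participant index -> bytes it wants to send.
    Returns (recovered bytes, announcements). With one sender the recovered value
    is its message; with none it is all zeros; with two senders it is the XOR of
    both (a collision, which real DC-nets resolve by retry or slot reservation)."""
    keys = keys if keys is not None else pairwise_keys(n, length)
    zero = bytes(length)
    anns = [announcement(i, n, keys, messages.get(i, zero)) for i in range(n)]
    recovered = zero
    for a in anns:
        recovered = xor_bytes(recovered, a)
    return recovered, anns


def collusion_view(n: int, messages: dict, length: int, colluders: set) -> bytes:
    """What a coalition learns: XOR the honest participants' announcements and strip
    the keys the colluders share with them. Keys between two honest participants
    cancel on their own, so the coalition recovers only the XOR of the honest
    messages; with two or more honest members it cannot tell which one sent."""
    keys = pairwise_keys(n, length)
    _, anns = dc_round(n, messages, length, keys)
    honest = [i for i in range(n) if i not in colluders]
    view = bytes(length)
    for h in honest:
        view = xor_bytes(view, anns[h])
    for c in colluders:
        for h in honest:
            view = xor_bytes(view, keys[(min(c, h), max(c, h))])
    return view


if __name__ == "__main__":
    recovered, _ = dc_round(4, {2: b"hi"}, 2)
    print(recovered)                                  # b'hi', sender not identifiable
    print(collusion_view(4, {0: b"ok"}, 2, {2, 3}))   # b'ok': sent by 0 or 1, unknown which
```

The anonymity set is exactly the set of honest participants: the coalition in `collusion_view` learns that a message was sent and what it says, but with two honest members left it cannot attribute it, which is the property the paragraph describes.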
The approaches based on privacy homomorphic functions are more elegant than CPDA for
the purpose of carrying out sensor data aggregation in a privacy-preserving way. However,
they involve large computational overhead due to the complexities involved in computing the
homomorphic encryption functions and the associated key management issues. Most
of the existing public key cryptography-based privacy homomorphic functions are too
heavy for resource-constrained, battery-operated sensor nodes. Some secure data
aggregation schemes use elliptic curve cryptography (Westhoff et al., 2006). However, these
schemes work only for some specific query-based aggregation functions, e.g., sum, average
etc. A more elegant scheme that works for all types of functions is clearly in demand. In
(Gentry, 2009), a fully homomorphic function has been presented. However, this scheme is
too complex and heavy-weight for deployment in WSNs. In addition, in some WSN
environments, symmetric cryptography-based privacy homomorphic encryption schemes are
more suitable (Castelluccia, 2005; Castelluccia, 2009; Ozdemir, 2008). However, most of the
current homomorphic encryption schemes are based on public key encryption. Hence,
exploration of symmetric key cryptography-based privacy homomorphism functions is an
interesting research problem. Another emerging research problem is the use of digital
watermarking schemes in place of privacy homomorphic encryption functions (Zhang et al.,
2008). However, this method allows only one-way authentication of sensor data, at the base
station only. To defend against rogue base station attacks on sensor nodes, this scheme would
not be applicable. The design of a mutual authentication scheme using watermarking techniques
for secure and privacy-preserving data aggregation protocols is another research problem
that needs the attention of the research community.
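The symmetric, additively homomorphic approach that the last two paragraphs discuss (Castelluccia et al., 2005) can be shown in a few lines. The following is an added example written for this chapter, not code from the chapter or from the cited papers: each sensor adds a one-time pad, derived from its own key and the query epoch, to its reading modulo M; an intermediate node sums the ciphertexts it receives without being able to read them; the sink subtracts the pads of exactly the nodes that reported. HMAC-SHA256 is assumed here as the keyed pseudo-random function, and the modulus, the tree, the node keys and the readings are constructed for the example.

```python
"""Additively homomorphic symmetric aggregation along a tree: constructed example."""
import hashlib
import hmac

MODULUS = 2 ** 32  # assumed: strictly larger than any possible aggregate sum


def keystream(node_key: bytes, epoch: int) -> int:
    """One-time additive pad for (node, epoch). HMAC-SHA256 stands in for the keyed
    PRF/stream cipher the scheme requires; the pad must never repeat for an epoch."""
    mac = hmac.new(node_key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % MODULUS


def encrypt(reading: int, node_key: bytes, epoch: int) -> int:
    """E_k(m) = (m + pad) mod M; the pad makes the ciphertext uniform to an aggregator."""
    if not 0 <= reading < MODULUS:
        raise ValueError("reading out of range")
    return (reading + keystream(node_key, epoch)) % MODULUS


def aggregate(ciphertexts) -> int:
    """Homomorphism: the sum of ciphertexts is the ciphertext of the sum, no key needed."""
    return sum(ciphertexts) % MODULUS


def aggregate_subtree(node, tree, readings, node_keys, epoch):
    """Behaviour of aggregator `node`: encrypt its own reading, add the ciphertexts of
    its reporting children, forward (ciphertext, contributor ids). The children's
    plaintexts are never visible at this node."""
    ct = encrypt(readings[node], node_keys[node], epoch)
    contributors = [node]
    for child in tree.get(node, []):
        if child not in readings:  # child (and its subtree) silent this epoch
            continue
        child_ct, child_ids = aggregate_subtree(child, tree, readings, node_keys, epoch)
        ct = aggregate([ct, child_ct])
        contributors.extend(child_ids)
    return ct, contributors


def decrypt_sum(agg_ct: int, contributors, node_keys, epoch: int) -> int:
    """Sink: subtract the pads of the reporting nodes; it needs their ids, not readings."""
    pads = sum(keystream(node_keys[n], epoch) for n in contributors) % MODULUS
    return (agg_ct - pads) % MODULUS


def demo_keys(names):
    """Constructed per-node keys for the example; a deployment provisions real ones."""
    return {n: hashlib.sha256(b"demo-node-key:" + n.encode()).digest() for n in names}


# Constructed topology: s1 is the root aggregator that reports to the sink.
TREE = {"s1": ["s2", "s3"], "s3": ["s4", "s5"]}
NODES = ["s1", "s2", "s3", "s4", "s5"]


def sink_total(readings: dict, epoch: int = 7) -> int:
    """Full round: aggregate along TREE, decrypt at the sink, return the plaintext sum."""
    keys = demo_keys(NODES)
    ct, ids = aggregate_subtree("s1", TREE, readings, keys, epoch)
    return decrypt_sum(ct, ids, keys, epoch)


if __name__ == "__main__":
    temps = {"s1": 21, "s2": 19, "s3": 23, "s4": 20, "s5": 22}
    print(sink_total(temps))   # 105
    del temps["s5"]            # one node fails to report; the sink still decrypts
    print(sink_total(temps))   # 83
```

Two points the code makes concrete: the contributor list must travel with the ciphertext, because the sink can only remove the pads of nodes that actually reported; and the scheme protects confidentiality only. An aggregator that adds an arbitrary offset to the ciphertext shifts the decrypted sum undetectably, which is why the integrity mechanisms discussed earlier in the chapter are a separate requirement.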

Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks 161

11. References
Acharya, M.; Girao, J. & Westhoff, D. (2005). Secure Comparison of Encrypted Data in
Wireless Sensor Networks. Proceedings of the 3rd International Symposium on
Modelling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WIOPT), pp. 47-
53, Washington, DC, USA, 2005.
Akyildiz, I. F.; Su, W.; Sankarasubramaniam, Y. & Cayirci, E. (2002). Wireless Sensor
Networks: A Survey. IEEE Computer, Vol 38, No 4, pp. 393-422, March 2002.
Armknecht, F.; Westhoff, D.; Girao, J. & Hessler, A. (2008). A Lifetime-Optimized End-to-
End Encryption Scheme for Sensor Networks Allowing In-Network Processing.
Computer Communications, Vol 31, No 4, pp. 734-749, March 2008.
Bandyopadhyay, D. & Sen, J. (2011). Internet of Things: Applications and Challenges in
Technology and Standardization. International Journal of Wireless Personal
Communications- Special Issue; Distributed and Secure Cloud Clustering (DISC), Vol 58,
No 1, pp. 49-69, May 2011.
Boulis, A.; Ganeriwal, S. & Srivastava, M. B. (2003). Aggregation in Sensor Networks: An
Energy-Accuracy Trade-Off. Ad Hoc Networks, Vol 1, No 2-3, pp. 317-331,
September 2003.
Cam, H.; Muthuavinashiappan, D. & Nair, P. (2003). ESPDA: Energy-Efficient and Secure
Pattern-Based Data Aggregation for Wireless Sensor Networks. Proceedings of IEEE
International Conference on Sensors, pp. 732-736, Toronto, Canada, October 2003.
Cam, H.; Muthuavinashiappan, D. & Nair, P. (2005). Energy-Efficient Security Protocol for
Wireless Sensor Networks. Proceedings of the IEEE Vehicular Technology Conference
(VTC’05), pp. 2981-2984, Orlando, Florida, October 2005.
Cam, H. & Ozdemir, S. (2007). False Data Detection and Secure Aggregation in Wireless
Sensor Networks. Security in Distributed Grid Mobile and Pervasive Computing, Yang
Xiao (ed.), Auerbach Publications, CRC Press, April 2007.
Cam, H.; Ozdemir, S.; Nair, P.; Muthuavinashiappan, D. & Sanli, H. O. (2006a). Energy-
Efficient Secure Pattern Based Data Aggregation for Wireless Sensor Networks.
Computer Communications, Vol 29, No 4, pp. 446-455, February 2006.
Cam, H.; Ozdemir, S.; Sanli, H. O. & Nair, P. (2006b). Secure Differential Data Aggregation
for Wireless Sensor Networks. Sensor Network Operations, Phoha et al. (eds.), pp.
422-441, Wiley-IEEE Press, May 2006.
Castelluccia, C.; Chan, A. C-F.; Mykletun, E. & Tsudik, G. (2009). Efficient and Provably
Secure Aggregation of Encrypted Data in Wireless Sensor Networks. ACM
Transactions on Sensor Networks, Vol 5, No 3, May 2009.
Castelluccia, C.; Mykletun, E. & Tsudik, G. (2005). Efficient Aggregation of Encrypted Data
in Wireless Sensor Networks. Proceedings of the 2nd Annual International Conference on
Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous’05), pp. 109-117,
San Diego, California, USA, July 2005.
Chan, H.; Perrig, A.; Przydatek, B. & Song, D. (2007). SIA: Secure Information Aggregation
in Sensor Networks. Journal of Computer Security – Special Issue on Security of Ad Hoc
and Sensor Networks, Vol 15, No 1, pp. 69-102, January 2007.
Chaum, D. (1988). The Dining Cryptographers Problem: Unconditional Sender and
Recipient Untraceability. Journal of Cryptology, Vol 1, No 1, pp. 65–75, 1988.
Deng, J.; Han, R. & Mishra, S. (2003). Security Support for In-network Processing in Wireless
Sensor Networks. Proceedings of the 1st ACM Workshop on Security of Ad Hoc and
Sensor Networks (SASN’03), pp. 83-93, Fairfax, Virginia, USA, October 2003.
Du, W.; Deng, J.; Han, Y. S. & Varshney, P. K. (2003). A Witness-Based Approach for Data
Fusion Assurance in Wireless Sensor Networks. Proceedings of IEEE Global
Telecommunications Conference (GLOBECOM’03), Vol 3, pp. 1435-1439, San Francisco,
USA, December 2003.
Eschenauer, L. & Gligor, V. D. (2002). A Key-Management Scheme for Distributed Sensor
Networks. Proceedings of the 9th ACM Conference on Computing and Communications
Security (CCS’02), pp. 41- 47, Washington, DC, USA, November 2002.
Estrin, D.; Govindan, R.; Heidemann, J. S. & Kumar, S. (1999). Next Century Challenges:
Scalable Coordination in Sensor Networks. Proceedings of the 5th ACM/IEEE
International Conference on Mobile Computing and Networking (MobiCom’99), pp. 263-
270, Seattle, Washington, USA, August 1999.
Fontaine, C. & Galand, F. (2007). A Survey of Homomorphic Encryption for Nonspecialists.
EURASIP Journal on Information Security, Vol 2007, Article ID 13801, January 2007.
Gentry, C. (2009). A Fully Homomorphic Encryption Scheme. Doctoral Dissertation,
Department of Computer Science, Stanford University, USA, September 2009.
Girao, J.; Westhoff, D. & Schneider, M. (2005). CDA: Concealed Data Aggregation for
Reverse Multicast Traffic in Wireless Sensor Networks. Proceedings of the 40th IEEE
Conference on Communications (IEEE ICC’05), Vol 5, pp. 3044-3049, Seoul, Korea,
May 2005.
Goel, S. & Imielinski, T. (2001). Prediction-Based Monitoring in Sensor Networks: Taking
Lessons from MPEG. ACM SIGCOMM Computing and Communication Review-
Special Issue on Wireless Extensions to the Internet, Vol 31, No 5, pp. 82-98, ACM
Press, New York, October 2001.
He, W.; Liu, X.; Nguyen, H.; Nahrstedt, K. & Abdelzaher, T. (2007). PDA: Privacy-
Preserving Data Aggregation in Wireless Sensor Networks. Proceedings of the 26th
IEEE International Conference on Computer Communications (INFOCOM’07), pp. 2045-
2053, Anchorage, Alaska, USA, May 2007.
Heidemann, J.; Silva, F.; Intanagonwiwat, C.; Govindan, R.; Estrin, D. & Ganesan, D. (2001).
Building Efficient Wireless Sensor Networks with Low-Level Naming. Proceedings of
the 18th ACM Symposium on Operating Systems Principles (SOSP’01), Banff, Canada,
October 2001.
Hu, L. & Evans, D. (2003). Secure Aggregation for Wireless Networks. Proceedings of the
Symposium on Applications and the Internet Workshops (SAINT’03), pp. 384-391,
Orlando, Florida, USA, January 2003.
Jaikaeo, C.; Srisathapornphat, C. & Shen, C. (2000). Querying and Tasking of Sensor
Networks. Proceedings of SPIE’s 14th Annual International Symposium on
Aerospace/Defence Sensing, Simulation and Control (Digitization of the Battlespace V),
pp. 26-27, Orlando, Florida, USA, April 2000.
Karlof, C. & Wagner, D. (2003). Secure Routing in Sensor Networks: Attacks and
Countermeasures. Ad Hoc Networks, Vol 1, pp. 293-315, May 2003.
Madden, S. R.; Franklin, M. J.; Hellerstein, J. M. & Hong, W. (2002). TAG: A Tiny
Aggregation Service for Ad-Hoc Sensor Networks. Proceedings of the 5th Symposium
on Operating Systems Design and Implementation (OSDI’02), pp. 131-146, Boston,
Massachusetts, USA, December 2002.
Madden, S. R.; Franklin, M. J.; Hellerstein, J. M & Hong, W. (2005). TinyDB: An
Acquisitional Query Processing System for Sensor Networks. ACM Transactions on
Database Systems, Vol 30, No 1, pp. 122-173, March 2005.

Mahimkar, A. & Rappaport, T. S. (2004). SecureDAV: A Secure Data Aggregation and
Verification Protocol for Wireless Sensor Networks. Proceedings of the 47th IEEE
Global Telecommunications Conference (GLOBECOM), Vol 4, pp. 2175-2179, Dallas,
Texas, USA, November-December 2004.
Mannasim. (2002). Mannasim Wireless Network Simulation Environment. URL:
http://www.mannasim.dcc.ufmg.br.
McGlynn, M. J. & Borbash, S. A. (2001). Birthday Protocols for Low-Energy Deployment and
Flexible Neighbour Discovery in Ad Hoc Wireless Networks. Proceedings of the 2nd
ACM International Symposium on Mobile Ad Hoc Networking and Computing
(MobiHoc’01), pp. 137-145, Long Beach, California, USA, October 2001.
Merkle, R. C. (1980). Protocols for Public Key Cryptosystems. Proceedings of the IEEE
Symposium on Security and Privacy, pp. 122-134, Oakland, California, USA, April
1980.
Ozdemir, S. (2007). Secure and Reliable Data Aggregation for Wireless Sensor Networks.
Proceedings of the 4th International Conference on Ubiquitous Computing Systems
(UCS’07). Lecture Notes in Computer Science (LNCS), Ichikawa et al. (eds.), Vol 4836,
pp. 102-109, Springer-Verlag, Berlin, Heidelberg, Germany, 2007.
Ozdemir, S. (2008). Secure Data Aggregation in Wireless Sensor Networks via
Homomorphic Encryption. Journal of The Faculty of Engineering and Architecture of
Gazi University, Ankara, Turkey, Vol 23, No 2, pp. 365-373, September 2008.
Parekh, B. & Cam, H. (2007). Minimizing False Alarms on Intrusion Detection for Wireless
Sensor Networks in Realistic Environments. Proceedings of the IEEE Military
Communications Conference (MILCOM’07), pp. 1-7, Orlando, Florida, USA, October
2007.
Peter, S.; Westhoff, D. & Castelluccia, C. (2010). A Survey on the Encryption of Convergecast
Traffic with In-Network Processing. IEEE Transactions on Dependable and Secure
Computing, Vol 7, No 1, pp. 20–34, February 2010.
Przydatek, B.; Song, D. & Perrig, A. (2003). SIA: Secure Information Aggregation in Sensor
Networks. Proceedings of the 1st International Conference on Embedded Networked
Systems (SenSys’03), pp. 255-265, Los Angeles, California, USA, November 2003.
Sanli, H. O.; Ozdemir, S. & Cam, H. (2004). SRDA: Secure Reference-Based Data
Aggregation Protocol for Wireless Sensor Networks. Proceedings of the 60th IEEE
Vehicular Technology Conference (VTC’04 Fall), Vol 7, pp. 4650-4654, Los Angeles,
California, USA, September 2004.
Sen, J. (2009). A Survey on Wireless Sensor Network Security. International Journal of
Communication Networks and Information Security (IJCNIS), Vol 1, No 2, pp. 59-82,
August 2009.
Sen, J. (2010a). Privacy Preservation Technologies for Internet of Things. Proceedings of the
International Conference on Emerging Trends in Mathematics, Technology and
Management, pp. 496-504, Shantiniketan, West Bengal, India, January 2010.
Sen, J. (2010b). A Distributed Trust and reputation Framework for Mobile Ad Hoc
Networks. Proceedings of the 1st International Conference on Network Security and its
Applications (CNSA’10), Chennai, India, July 2010. Recent Trends in Network Security
and its Applications, Meghanathan et al. (eds.), pp. 528–537, Communications in
Computer and Information Science (CCIS), Springer-Verlag, Heidelberg, Germany,
July 2010.
Sen, J. (2010c). A Trust-Based Detection Algorithm of Selfish Packet Dropping Nodes in a
Peer-to-Peer Wireless Mesh Networks. Proceedings of the 1st International Conference
on Network Security and its Applications (CNSA’10), Chennai, India, July 2010. Recent
Trends in Network Security and its Applications, Meghanathan et al. (eds.), pp. 538–
547, Communications in Computer and Information Science (CCIS), Springer-Verlag,
Heidelberg, Germany, July 2010.
Sen, J. (2010d). Reputation- and Trust-Based Systems for Wireless Self-Organizing
Networks, pp. 91-122. Security of Self-Organizing Networks: MANET, WSN, WMN,
VANET, A-S. K. Pathan (ed.), Auerbach Publications, CRC Press, USA, December
2010.
Sen, J. (2011). A Robust and Secure Aggregation Protocol for Wireless Sensor Networks.
Proceedings of the 6th International Symposium on Electronic Design, Test and
Applications (DELTA’11), pp. 222-227, Queenstown, New Zealand, January, 2011.
Sen, J. & Maitra, S. (2011). An Attack on Privacy-Preserving Data Aggregation Protocol for
Wireless Sensor Networks. Proceedings of the 16th Nordic Conference in Secure IT
Systems (NordSec’11), Tallinn, Estonia, October 2011. Lecture Notes in Computer
Science (LNCS), Laud, P. (ed.), Vol 7161, pp. 205-222, Springer, Heidelberg,
Germany.
Shrivastava, N.; Buragohain, C.; Agrawal, D. & Suri, S. (2004). Medians and Beyond: New
Aggregation Configuration Techniques for Sensor Networks. Proceedings of the 2nd
International Conference on Embedded Networked Sensor Systems, pp. 239-249, ACM
Press, New York, November 2004.
Wagner, D. (2004). Resilient Aggregation in Sensor Networks. Proceedings of the 2nd ACM
Workshop on Security of Ad Hoc and Sensor Networks (SASN’04), pp. 78-87, ACM
Press, New York, USA, October 2004.
Westhoff, D.; Girao, J. & Acharya, M. (2006). Concealed Data Aggregation for Reverse
Multicast Traffic in Sensor Networks: Encryption, Key Distribution, and Routing
Adaptation. IEEE Transactions on Mobile Computing, Vol 5, No 10, pp. 1417-1431,
October 2006.
Wu, K.; Dreef, D.; Sun, B. & Xiao, Y. (2007). Secure Data Aggregation without Persistent
Cryptographic Operations in Wireless Sensor Networks. Ad Hoc Networks, Vol 5,
No 1, pp. 100–111, January 2007.
Yang, Y.; Wang, X.; Zhu, S. & Cao, G. (2006). SDAP: A Secure Hop-by-Hop Data
Aggregation Protocol for Sensor Networks. ACM Transactions on Information and
System Security (TISSEC), Vol 11, No 4, July 2008. Proceedings of the 7th ACM
International Symposium on Mobile Ad Hoc Networking and Computing
(MOBIHOC’06), Florence, Italy, May 2006.
Ye, F.; Luo, H.; Lu, S. & Zhang, L. (2004). Statistical En-Route Filtering of Injected False
Data in Sensor Networks. Proceedings of the 23rd IEEE Annual International Conference on
Computer Communications (INFOCOM’04), Vol 4, pp. 2446-2457, Hong Kong, March 2004.
Ye, F.; Luo, H.; Lu, S. & Zhang, L. (2005). Statistical En-route Filtering of Injected False Data
in Sensor Networks. IEEE Journal on Selected Areas in Communications, Vol 23, No 4,
pp. 839-850, April 2005.
Zhang, W.; Liu, Y.; Das, S. K. & De, P. (2008). Secure Data Aggregation in Wireless Sensor
Networks: A Watermark Based Authentication Supportive Approach. Pervasive
Mobile Computing, Vol 4, No 5, pp. 658-680, Elsevier Press, October 2008.
Zhao, Y. J.; Govindan, R. & Estrin, D. (2002). Residual Energy Scan for Monitoring Sensor
Networks. Proceedings of IEEE Wireless Communications and Networking Conference
(WCNC’02), Vol 1, pp. 356-362, March 2002.

Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks
Jaydip Sen
Innovation Lab, Tata Consultancy Services Ltd.
India

1. Introduction
Wireless mesh networks (WMNs) have emerged as a promising concept to meet the challenges in
next-generation wireless networks such as providing flexible, adaptive, and reconfigurable
architecture while offering cost-effective solutions to service providers (Akyildiz et al., 2005).
WMNs are multi-hop networks consisting of mesh routers (MRs), which form wireless mesh
backbones and mesh clients (MCs). The mesh routers provide a rich radio mesh connectivity
which significantly reduces the up-front deployment cost of the network. Mesh routers are
typically stationary and do not have power constraints. However, the clients are mobile and
energy-constrained. Some mesh routers are designated as gateway routers which are
connected to the Internet through a wired backbone. A gateway router provides access to
conventional clients and interconnects ad hoc, sensor, cellular, and other networks to the
Internet. The gateway routers are also referred to as the Internet gateways (IGWs). A mesh
network can provide multi-hop communication paths between wireless clients, thereby
serving as a community network, or can provide multi-hop paths between the client and the
gateway router, thereby providing broadband Internet access to the clients.
As WMNs become an increasingly popular replacement technology for last-mile
connectivity in home networking, community and neighborhood networking, it is
imperative to design efficient and secure communication protocols for these networks.
However, several vulnerabilities exist in the current protocols of WMNs. These security
loopholes can be exploited by potential attackers to launch attacks on WMNs. The absence of a
central point of administration makes securing WMNs even more challenging. Security is,
therefore, an issue of prime importance in WMNs (Sen, 2011). Since in a WMN
traffic from the end users is relayed via multiple wireless mesh routers, preserving the privacy
of the user data is also a critical requirement (Wu et al., 2006a). Some of the existing security
and privacy protection protocols for WMNs are based on the trust and reputation of the
network entities (Sen, 2010a; Sen, 2010b). However, many of these schemes are primarily
designed for mobile ad hoc networks (MANETs) (Sen, 2006; Sen, 2010c), and hence these
protocols do not perform well in large-scale hybrid WMN environments.
The broadcast nature of transmission and the dependency on the intermediate nodes for
multi-hop communications lead to several security vulnerabilities in WMNs. The attacks can
be external as well as internal in nature. External attacks are launched by intruders who are
not authorized users of the network. For example, an intruding node may eavesdrop on the
packets and replay those packets at a later point of time to gain access to the network
resources. On the other hand, internal attacks are launched by nodes that are part of
the WMN. One example of such an attack is an intermediate node dropping packets which it
was supposed to forward. To prevent external attacks in vulnerable networks such as
WMNs, strong authentication and access control mechanisms should be in place for
practical deployment and use of WMNs. A secure authentication scheme should enable two
communicating entities (either an MC and an MR or a pair of MCs) to validate each other's
authenticity and to generate shared session keys which can be used
in cryptographic algorithms for enforcing message confidentiality and integrity. As in other
wireless networks, a weak authentication scheme can easily be compromised due to several
reasons such as the distributed network architecture, the broadcast nature of the wireless
medium, and the dynamic network topology (Akyildiz et al., 2005). Moreover, the behavior of
an MC or MR can be easily monitored or traced in a WMN by adversaries due to the use of the
wireless channel, multi-hop connections through third parties, and the converged traffic pattern
traversing the IGW nodes. Under such a scenario, it is imperative to hide an active
node that connects to an IGW by making it anonymous. Since on the Internet side
traditional anonymous routing approaches are not implemented, or may be compromised
by strong attackers, such protections are extremely critical (X. Wu & Li, 2006).
This chapter presents a comprehensive discussion on the current authentication and privacy
protection schemes for WMN. In addition, it proposes a novel security protocol for node
authentication and message confidentiality and an anonymization scheme for privacy
protection of users in WMNs.
The rest of this chapter is organized as follows. Section 2 discusses the issues related to
access control and authentication in WMNs. Various security vulnerabilities in the
authentication and access control mechanisms for WMNs are first presented, and then a list
of requirements (i.e. properties) of a secure authentication scheme in an open, large-
scale, hybrid WMN is discussed. Section 3 highlights the importance of the protection of user
privacy in WMNs. Section 4 presents a state-of-the-art survey on the current authentication
and privacy protection schemes for WMNs. Each of the schemes is discussed with respect to
its applicability, performance efficiency and shortcomings. Section 5 presents the details of a
hierarchical architecture of a WMN and the assumptions made for the design of a secure
and anonymous authentication protocol for WMNs. Section 6 describes the proposed key
management scheme for secure authentication. Section 7 discusses the proposed privacy
protection algorithm which ensures user anonymity. Section 8 presents some performance
results of the proposed scheme. Section 9 concludes the chapter while highlighting some
future directions of research in the field of secure authentication in WMNs.

2. Access control and authentication in WMNs


Authentication and authorization is the first step towards prevention of fraudulent accesses
by unauthorized users in a network. Authentication ensures that an MC and the
corresponding MR can mutually validate their credentials with each other before the MC is
allowed to access the network services. In this section, we first present various attacks in
WMNs that can be launched on the authentication services and then enumerate the
requirements for authentication under various scenarios.

2.1 Security vulnerabilities in authentication schemes


Several vulnerabilities exist in different protocols for WMNs. These vulnerabilities can be
suitably exploited by potential attackers to degrade the network performance (Sen, 2011).
The nodes in a WMN depend on the cooperation of other nodes in the network for their
successful operation. Consequently, the medium access control (MAC) layer and the network
layer protocols for these networks usually assume that the participating nodes are honest
and well-behaving with no malicious or dishonest intentions. In practice, however, some
nodes in a WMN may behave in a selfish manner or may be compromised by malicious
users. The assumed trust (which in reality may not exist) and the lack of accountability due
to the absence of a central point of administration make the MAC and the network layer
protocols vulnerable to various types of attacks. In this sub-section, we present a
comprehensive discussion on various types of attacks on the existing authentication
schemes of WMNs. A detailed list of various attacks on the different layers of the WMN
communication protocol stack can be found in (Sen, 2011; Yi et al., 2010).
There are several types of attacks that are related to authentication in WMNs. These attacks
are: (i) unauthorized access, (ii) replay attack, (iii) spoofing attack, (iv) denial of service
attack (DoS), (v) intentional collision of frames, (vi) pre-computation and partial matching
attack, and (vii) compromised or forged MRs. These attacks are discussed in detail below.
Unauthorized access: in this attack, an unauthorized user gets access to the network
services by masquerading as a legitimate user.

Fig. 1. Illustration of MAC spoofing and replay attacks [Source: (Sen, 2011)]

Replay attack: the replay attack is a type of man-in-the-middle attack (Mishra & Arbaugh,
2002) that can be launched by external as well as internal nodes. An external malicious node
can eavesdrop on the broadcast communication between two nodes (A and B) in the network
as shown in Fig. 1. It can then transmit the captured legitimate messages at a later point of time
to gain access to the network resources. Generally, the authentication information is replayed,
where the attacker deceives a node (node B in Fig. 1) into believing that the attacker is a
legitimate node (node A in Fig. 1). On a similar note, an internal malicious node, which is an
intermediate hop between two communicating nodes, can keep a copy of all relayed data. It can then retransmit
this data at a later point in time to gain unauthorized access to the network resources.
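The standard defence against the replay attack just described is a freshness check on every authentication message. The following is an added example written for this chapter, not code from the chapter or from any of the protocols it surveys: each message carries the sender id, a timestamp, a random nonce and an HMAC over all of these fields under a key shared between the MC and the verifying MR (how that key is established is assumed and outside the example). The verifier rejects a message whose tag does not verify, whose timestamp falls outside a freshness window, or whose nonce it has already accepted, so an eavesdropper who retransmits a captured message later cannot be accepted as node A. The window length, key and message contents are constructed.

```python
"""Replay-resistant message authentication with nonce cache and freshness window."""
import hashlib
import hmac
import json
import secrets


class ReplayGuard:
    def __init__(self, key: bytes, window_s: int = 30):
        self.key = key
        self.window = window_s  # assumed freshness window in seconds
        self.seen = {}          # (sender, nonce) -> timestamp carried by the message

    def _tag(self, sender: str, ts: int, nonce: str, payload: str) -> str:
        # Canonical, unambiguous encoding of every authenticated field.
        data = json.dumps([sender, ts, nonce, payload], separators=(",", ":")).encode()
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def build(self, sender: str, ts: int, payload: str, nonce: str = None) -> dict:
        """Sender side: attach a fresh nonce and the tag. `nonce` is injectable for tests."""
        nonce = nonce or secrets.token_hex(8)
        return {"sender": sender, "ts": ts, "nonce": nonce, "payload": payload,
                "tag": self._tag(sender, ts, nonce, payload)}

    def verify(self, msg: dict, now: int):
        """Verifier side. Returns (accepted, reason). Checks run cheapest-to-defeat last:
        an attacker cannot forge a tag, cannot make an old capture look fresh, and
        cannot reuse a nonce inside the window."""
        expected = self._tag(msg["sender"], msg["ts"], msg["nonce"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad-mac"   # forged, or modified in transit
        if abs(now - msg["ts"]) > self.window:
            return False, "stale"     # old capture (or a badly skewed clock)
        self._expire(now)
        key = (msg["sender"], msg["nonce"])
        if key in self.seen:
            return False, "replay"    # identical fresh message already accepted
        self.seen[key] = msg["ts"]
        return True, "ok"

    def _expire(self, now: int) -> None:
        # Forget a nonce only once its timestamp can no longer pass the freshness
        # check, so a replay is never accepted because the cache forgot too early.
        self.seen = {k: ts for k, ts in self.seen.items() if now - ts <= self.window}


if __name__ == "__main__":
    guard = ReplayGuard(b"constructed-shared-key")
    m = guard.build("MC-A", ts=1000, payload="auth-request")
    print(guard.verify(m, now=1001))   # (True, 'ok')
    print(guard.verify(m, now=1005))   # (False, 'replay')
    print(guard.verify(m, now=1040))   # (False, 'stale')
```

The nonce cache is keyed on the message timestamp rather than on the time of acceptance; if it were keyed on acceptance time, a message whose timestamp is slightly ahead of the verifier's clock could be replayed after the cache entry expired while the timestamp was still within the window.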
Spoofing attack: spoofing is the act of forging a legitimate MAC or IP address. IP spoofing is
quite common in multi-hop communications in WMNs. In an IP spoofing attack, an adversary
inserts a false source address (or the address of a legitimate node) in the packets
forwarded by it. Using such a spoofed address, the malicious attacker can intercept a
termination request and hijack a session. In MAC address spoofing, the attacker modifies
the MAC address in transmitted frames from a legitimate node. MAC address spoofing
enables the attacker to evade intrusion detection systems (IDSs) that may be in place.
DoS attack: in this attack, a malicious attacker sends a flood of packets to an MR, thereby
causing a buffer overflow in the router. Another well-known security flaw can also be exploited
by an attacker: a malicious attacker can send false termination messages on
behalf of a legitimate MC, thereby preventing a legitimate user from accessing network
services.
Intentional collision of frames: a collision occurs when two nodes attempt to transmit on
the same frequency simultaneously (Wood & Stankovic, 2002). When frames collide, they
are discarded and need to be retransmitted. An adversary may strategically cause collisions
in specific packets such as acknowledgment (ACK) control messages. A possible result of
such collision is the costly exponential back-off. The adversary may simply violate the
communication protocol and continuously transmit messages in an attempt to generate
collisions. Repeated collisions can also be used by an attacker to cause resource exhaustion.
For example, a naïve MAC layer implementation may continuously attempt to retransmit
the corrupted packets. Unless these retransmissions are detected early, the energy levels of
the nodes would be exhausted quickly. An attacker may cause unfairness by intermittently
using the MAC layer attacks. In this case, the adversary causes degradation of real-time
applications running on other nodes by intermittently disrupting their frame transmissions.
Pre-computation and partial matching attack: unlike the attacks mentioned above, where
the MAC protocol vulnerabilities are exploited, these attacks exploit the vulnerabilities in
the security mechanisms that are employed to secure the MAC layer of the network. Pre-
computation and partial matching attacks exploit the cryptographic primitives that are used
at the MAC layer to secure the communication. In a pre-computation attack, or time memory
trade-off (TMTO) attack, the attacker computes a large amount of information (e.g., key,
plaintext, and the corresponding ciphertext) and stores that information before launching
the attack. When the actual transmission starts, the attacker uses the pre-computed
information to speed up the cryptanalysis process. TMTO attacks are highly effective
against a large number of cryptographic solutions. On the other hand, in a partial matching
attack, the attacker has access to some (ciphertext, plaintext) pairs, which in turn decreases
the encryption key strength, and improves the chances of success of the brute force
mechanisms. Partial matching attacks exploit the weak implementations of encryption
algorithms. For example, the IEEE 802.11i standard for MAC layer security in wireless
networks is prone to the session hijacking attack and the man-in-the-middle attack that
exploit the vulnerabilities in IEEE 802.1X. DoS attacks are possible on the four-way
handshake procedure in IEEE 802.11i.
Compromised or Forged MR: an attacker may be able to compromise one or more MRs in a
network by physical tampering or logical break-in. The adversary may also introduce rogue
MRs to launch various types of attacks. The fake or compromised MRs may be used to
attack the wireless link, thereby implementing attacks such as passive eavesdropping,
jamming, replay and false message injection, traffic analysis etc. The attacker may also
advertise itself as a genuine MR by forging duplicate beacons procured by eavesdropping
on genuine MRs in the network. When an MC receives these beacon messages, it assumes
that it is within the radio coverage of a genuine MR, and initiates a registration procedure.
The false MR can now extract the secret credentials of the MC and launch spoofing attacks
on the network. This attack is possible in protocols which require an MC to be authenticated
by an MR but not vice versa (He et al., 2011).

2.2 Requirements for authentication in WMNs


On the basis of whether a central authentication server is available, there are two types of
implementations of access control enforcements in WMNs: (i) centralized access control and
(ii) distributed access control. For both these approaches, the access control policies should
be implemented at the border of the mesh network. In the distributed access control, the
access points could act as the distributed authentication servers. The authentication could
also be performed in three different places:
 A remote central authentication center
 Local entities such as IGWs or MRs that play the role of an authentication server
 Local MRs
The main benefit of a central authentication server is the ease of management and
maintenance. However, this approach suffers from the drawback of being a single point of
failure. Moreover, because of the higher round trip time (RTT) and the resulting
authentication delay, a centralized authentication scheme is not desirable in a multi-hop
WMN. Instead, authentication protocols are implemented in local nodes such as IGWs or
MRs. To ensure a higher level of availability of the network services, the authentication
function is delegated to a group of MRs, which avoids a single point of failure.
The objective of an authentication system is to guarantee that only the legitimate users have
access to the network services. Any pair of network entities in a WMN (e.g., IGW, MR, and MC)
may need to mutually authenticate if required. An MR and MC should be able to mutually
authenticate each other to prevent unauthorized network access and other attacks. The MCs
and MRs should be able to establish a shared pair-wise session key to encrypt messages. The
protocol should have robust key generation, distribution and revocation procedures.
Several requirements have been identified in (Buttyan et al., 2010) for authentication
mechanisms between MCs and MRs in a WMN. These requirements are summarized below:
 Authentication should be fast enough to support user mobility. In order to maintain the quality of
service (QoS) of user applications on mobile MCs, the authentication process should be fast.
Also, the re-authentication delays should be within the acceptable limit of handoff delay.
 MCs and MRs should be able to authenticate themselves mutually. During the authentication
process, the MR authenticates the MC, but the MR also should prove its authenticity to
the MC.
 Authentication process should be resistant to DoS attacks. Since a successful attack against
the central authentication server will lead to a complete compromise of the security
system in the network, the authentication process should be robust.

 Authentication protocols should be compatible with standards. In a multi-operator
environment, it is mandatory that the authentication protocols are standardized so that
an MC of one vendor is able to authenticate with the MR of a different network
operator.
 Authentication protocols should be scalable. Since mesh networks have a large number of
MCs, MRs and IGWs, the authentication protocol should be scalable and must not
degrade in performance as the network size increases.
The mutual authentication protocols for MCs and MRs must use several keys for encrypting
the credentials. The connection key management should satisfy the following requirements.
 The connection keys should not reveal long term keys. The connection keys that the MRs
obtain during the authentication of the MCs should not reveal any long-term
authentication keys. This requirement must hold because in the multi-operator
environment, the MCs may associate to MRs operated by foreign operators.
 The connection keys should be independent of each other. As neighboring MRs may not
fully trust each other in a multi-operator environment, the authentication and key
generation mechanisms have to prevent an MR from deriving the connection keys that
are used at another MR.
 The connection keys must be fresh in each session. It must be ensured that the connection
key derived during the authentication protocol for both participants (MC and MR) is
fresh.
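As an added illustration of the three key-management requirements above (not part of the chapter or of any cited scheme), the following Python code derives a per-session connection key from the MC's long-term authentication key with an HKDF construction (RFC 5869 over HMAC-SHA256) and then checks the properties on constructed identities and nonces. The identifiers, the info string, and the assumption that the home authentication server rather than the foreign MR performs the derivation are choices made for this example.

```python
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_connection_key(long_term_key: bytes, mc_id: bytes, mr_id: bytes,
                          mc_nonce: bytes, mr_nonce: bytes) -> bytes:
    """Connection key for one (MC, MR) session. Assumption: it is computed by the
    two parties that hold the long-term key (the MC and its home authentication
    server); the serving MR only ever receives the result.
    - HMAC is one-way, so the key reveals nothing about long_term_key;
    - mr_id is bound into the derivation, so the key at MR_A is unrelated to
      the key at MR_B even for the same MC and the same nonces;
    - both parties' nonces are bound in, so every run yields a fresh key."""
    prk = hkdf_extract(mc_nonce + mr_nonce, long_term_key)
    info = b"WMN-connection-key|" + mc_id + b"|" + mr_id
    return hkdf_expand(prk, info, 32)


def check_requirements(long_term_key: bytes) -> dict:
    """Exercise the requirements on constructed identities and random nonces."""
    mc, mr_a, mr_b = b"mc:00:11:22", b"mr:operatorA", b"mr:operatorB"
    n_mc, n_mr = os.urandom(16), os.urandom(16)
    k_a = derive_connection_key(long_term_key, mc, mr_a, n_mc, n_mr)
    k_b = derive_connection_key(long_term_key, mc, mr_b, n_mc, n_mr)
    k_a2 = derive_connection_key(long_term_key, mc, mr_a, os.urandom(16), n_mr)
    return {
        "independent_across_mrs": k_a != k_b,
        "fresh_per_session": k_a != k_a2,
        "deterministic_for_both_parties":
            k_a == derive_connection_key(long_term_key, mc, mr_a, n_mc, n_mr),
    }


if __name__ == "__main__":
    print(check_requirements(os.urandom(32)))
```

The foreign MR receives k_a over the protected operator-to-operator channel and can encrypt the session with it, but since it never sees the long-term key it cannot compute k_b or any future key for the same MC.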

3. User privacy requirement in WMNs


Privacy provision is an important issue to be considered for WMN deployment. However,
privacy is difficult to achieve even if messages are protected, as there are no security solutions
or mechanisms which can guarantee that data is not revealed by the authorized parties
themselves (Moustafa, 2007). Thus, it is important that complementary solutions are in place.
Moreover, communication privacy cannot be assured by message encryption alone, since
attackers can still observe who is communicating with whom as well as the frequency and
duration of the communication sessions. This makes personal information susceptible to
disclosure and subsequent misuse even when encryption mechanisms are in place.
Furthermore, users in WMNs can be easily monitored or traced with regard to their presence
and location, which causes the exposure of their personal life. Unauthorized parties can get
access to the location information about the MC’s positions by observing their communications
and traffic patterns. Consequently, there is a need to ensure location privacy in WMNs as well.
To control the usage of personal information and the disclosure of personal data, different
types of information hiding mechanisms, such as anonymity and data masking, should be
implemented in WMN applications. The following approaches can be useful for information
hiding, depending on what needs to be protected:

 Anonymity: this is concerned with hiding the identity of the sender or the receiver of
the message, or both. Hiding the identity of both the sender and the receiver of a
message assures communication privacy: attackers monitoring the messages being
communicated cannot tell who is communicating with whom, so no personal
information is disclosed.

 Confidentiality: it is concerned with hiding the transferred messages by using suitable
data encryption algorithms. Instead of hiding the identity of the sender and the receiver
of a message, the message itself is hidden in this approach.
 Use of pseudonyms: this is concerned with replacing the identity of the sender and the
receiver of the message by pseudonyms which function as identifiers. The pseudonyms
can be used as a reference to the communicating parties without infringing on their
privacy, which helps to ensure that the users in the WMNs cannot be traced or
identified by malicious adversaries. However, it is important to ensure that there exist
no indirect ways by which the adversaries can link the pseudonyms with their
corresponding real world entities.
Privacy has been a major concern of Internet users (Clarke, 1999). It has also been a
particularly critical issue in the context of WMN-based Internet access, where users' traffic is
forwarded via multiple MRs. In a community mesh network, this implies that the traffic of a
residence can be observed by the MRs located at its neighbors' premises. Therefore, privacy
in WMNs has two different dimensions: (i) data confidentiality (or privacy) and (ii) traffic
confidentiality. These issues are briefly described below:
 Data confidentiality: it is obvious that data content reveals user privacy on what is being
communicated. Data confidentiality aims to protect the data content and prevent
eavesdropping by intermediate MRs. Message encryption is a conventional approach
for data confidentiality.
 Traffic confidentiality: traffic information such as with whom, when and how frequently
the users are communicating, and the pattern of traffic also reveal critical privacy-
sensitive information. The broadcast nature of wireless communication makes
acquiring such information easy. In a WMN, attackers can conduct traffic analysis as
MRs by simply listening to the channels to identify the “ups and downs” of the target’s
traffic. While data confidentiality can be achieved via message encryption, it is much
harder to preserve traffic confidentiality (T. Wu et al., 2006).

4. Secure authentication and privacy protection schemes in WMNs


Since security and privacy are two extremely important issues in any communication
network, researchers have worked on these two areas extensively. However, as compared to
MANETs and wireless sensor networks (WSNs) (Sen, 2009; Sen & Subramanyam, 2007),
WMNs have received very little attention in this regard. In this section, we first present a
brief discussion on some of the existing propositions for secure authentication and user
privacy protection in WMNs. Later on, some of the mechanisms are discussed in detail in
the following sub-sections.
In (Mishra & Arbaugh, 2002), a standard mechanism has been proposed for client
authentication and access control to guarantee a high level of flexibility and transparency to
all users in a wireless network. The users can access the mesh network without requiring
any change in their devices and software. However, client mobility can pose severe
problems to the security architecture, especially when real-time traffic is transmitted. To
cope with this problem, proactive key distribution has been proposed in (Kassab et al., 2005;
Prasad & Wang, 2005).

Providing security in the backbone network of a WMN is another important challenge.
Mesh networks typically employ resource-constrained mobile clients, which are difficult to
protect against removal, tampering, or replication. If a device can be remotely managed, it
can equally well be compromised remotely (Ben Salem & Hubaux, 2006). Accordingly,
several research works have investigated the use of cryptographic techniques to achieve
secure communication in WMNs. In (Cheikhrouhou et al., 2006), a security architecture has
been proposed that is suitable for multi-hop WMNs employing PANA (Protocol for carrying
Authentication for Network Access) (Parthasarathy, 2006). In this scheme, the wireless
clients are authenticated on production of the cryptographic credentials necessary to create
an encrypted tunnel with the remote access router to which they are associated. Even
though such a framework protects the confidentiality of the information exchanged, it
cannot prevent adversaries from performing active attacks against the network itself. For
instance, a malicious adversary can replicate, modify and forge the topology information
exchanged among mesh devices in order to launch a denial of service attack. Moreover,
PANA necessitates the existence of IP addresses in all the mesh nodes, which poses a
serious constraint on the deployment of this protocol.
Authenticating the transmitted data packets is another approach for preventing unauthorized
nodes from accessing the resources of a WMN. A light-weight hop-by-hop access protocol
(LHAP) has been proposed for authenticating mobile clients in dynamic wireless
environments and preventing resource consumption attacks (Zhu et al., 2006). LHAP
implements light-weight hop-by-hop
authentication, where intermediate nodes authenticate all the packets they receive before
forwarding them. LHAP employs a packet authentication technique based on the use of
one-way hash chains. Moreover, LHAP uses TESLA (Perrig et al., 2001) protocol to reduce
the number of public key operations for bootstrapping and maintaining trust between
nodes.
In (Prasad et al., 2004), a lightweight authentication, authorization and accounting (AAA)
infrastructure is proposed for providing continuous, on-demand, end-to-end security in
heterogeneous networks including WMNs. The notion of a security manager is used
through employing an AAA broker. The broker acts as a settlement agent, providing
security and a central point of contact for many service providers.
The issue of user privacy in WMNs has also attracted the attention of the research
community. In (T. Wu et al., 2006), a light-weight privacy preserving solution is
presented to achieve a well-maintained balance between network performance and traffic
privacy preservation. At the center of the solution is an information-theoretic metric
called traffic entropy, which quantifies the amount of information required to describe the
traffic pattern and characterizes the performance of traffic privacy preservation. The
authors have also presented a penalty-based shortest path routing algorithm that
maximally preserves traffic privacy by minimizing the mutual information of the traffic
entropy observed at each individual relaying node, while keeping the possible
degradation of network performance within an acceptable region. An extensive
simulation study demonstrates the soundness of the solution and its resilience to the case
in which two malicious observers collude. However, one of the major problems of the
solution is that the algorithm is evaluated only in a single-radio, single-channel WMN.
The performance of the algorithm in a multi-radio, multi-channel scenario remains an
open question. Moreover, the solution has a scalability problem. In (X. Wu & Li, 2006), a
mechanism is proposed
with the objective of hiding an active node that connects to a gateway router, where the
active mesh node has to be anonymous. A novel communication protocol is designed to
protect the node’s privacy using both cryptography and redundancy. This protocol uses
the concept of onion routing (Reed et al., 1998). A mobile user who requires anonymous
communication sends a request to an onion router (OR). The OR acts as a proxy to the
mobile user and constructs an onion route consisting of other ORs using the public keys
of the routers. The onion is constructed such that the inner most part is the message for
the intended destination, and the message is wrapped by being encrypted using the
public keys of the ORs in the route. The mechanism protects the routing information
from insider and outsider attacks. However, it has a high computation and
communication overhead.
In the following sub-sections, some of the well-known authentication and privacy
preservation schemes for WMNs are discussed briefly. For each of the schemes, its salient
features and potential shortcomings are highlighted.

4.1 Local authentication based on public key certificates


In the localized authentication, a trusted third party (TTP) serves as the trusted certificate
authority (CA) that issues certificates. In (Buttyan & Dora, 2009), a localized authentication
scheme is proposed in which authentication is performed locally between the MCs and the
MRs in a hybrid large-scale WMN operated by a number of operators. Each operator
maintains its own CA. Each CA is responsible for issuing certificates to its customers. Each
CA maintains its own certificate revocation list (CRL). The CAs also issue cross-certificates
among each other for enabling entities (MCs or MRs) subscribing to different operators to
perform certificate-based authentications and key exchanges. To minimize authentication
delay, the provably secure Blake-Wilson-Menezes (BWM) key transport protocol
(Blake-Wilson & Menezes, 1998) is used.
For authentication in multiple domains in a metropolitan area network, a localized
authentication scheme has been proposed in (Lin et al., 2008). In this scheme, an embedded
two-factor authentication mechanism is utilized to verify the authenticity of a roaming MC.
The authenticity verification does not need any intervention of the home Internet service
provider (ISP) of the MC. The two-factor authentication mechanism includes two methods of
authentication: password and smart card. To minimize the ping-pong effect, the session key is
cached in the current network domain. Whenever the MC requests a handoff into a
neighboring MR which has a valid shared session key with the MC, a user-authenticated
key agreement protocol with secret key cryptography is performed. Thus an expensive full
authentication based on an asymmetric key encryption is avoided. The protocol execution is
fast since it involves encryption using only the symmetric key and keyed hash message
authentication codes (HMACs).
The localized authentication schemes are based on the assumption that the MRs are trusted
and fully protected by robust certificates. In practice, MRs are low-cost devices and, without
extra protection, they can easily be compromised. In the event that an MR is compromised,
the local authentication schemes fail. To defend against compromised MRs, a scheme based
on a local voting strategy (Zhu et al., 2008) has been proposed, which works on the
principle of threshold digital signatures (Cao et al., 2006).

Fig. 2. Schematic diagram of IEEE 802.11i authentication protocol [Source: (Moustafa, 2007)]

4.2 Authentication model based on 802.11i protocol


In most commercial deployments of wireless local area networks (WLANs), IEEE 802.11i
(IEEE 802.11i, 2004) is the most common approach for providing authentication at layer 2.
However, IEEE 802.11i authentication does not fully address the problem of WLAN
vulnerability (Moustafa, 2007). In IEEE 802.11i authentication, as described in Fig. 2, the MC
and the authentication server (AS) apply the 802.1X (IEEE 802.1X, 2001) authentication model,
negotiating a pair-wise master key (PMK) either through an upper-layer authentication
method or from a pre-shared secret. This key is generated by both the MC and the AS, which
assures mutual authentication between them. The access point (AP) then receives a copy of
the PMK from the AS, authenticates the MC and authorizes its communication. Afterwards,
a four-way handshake takes place between the AP and the MC to derive the encryption keys
from the PMK. These keys assure confidential transfer between the MC and the AP. If the
MC roams to a new AP, it performs another full 802.1X authentication with the AS to derive
a new PMK. For performance enhancement, the PMK is cached by the MC and the AP so that
a later re-association does not require another full authentication. The features of 802.11i
exhibit a potential vulnerability because a compromised AP, which holds a copy of the PMK,
can still authenticate itself to an MC and gain control over the connection. Furthermore,
IEEE 802.11i authentication does not provide a solution for multi-hop communication.
Consequently, new mechanisms are needed for authentication and secure layer 2 link setup
in WMNs (Moustafa, 2007).
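The four-way handshake sketched above, written out as an added Python example (not code from the chapter or from the standard's authors): both sides derive the PTK with the PRF-384 construction of IEEE 802.11i and prove possession of the PMK through the MICs on messages 2 and 3. The frame layouts are a simplified stand-in for real EAPOL-Key frames. Running it with different PMKs on the two sides shows a rogue AP (or MC) being rejected at the first MIC check, while an AP that holds a copy of the PMK, as a compromised AP would, passes.

```python
import hashlib
import hmac
import os


def prf_80211i(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """PRF-n as specified in IEEE 802.11i clause 8.5.1.1: HMAC-SHA1 over
    label || 0x00 || data || counter, concatenated until nbits are produced."""
    out, i = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA) || Max(AA,SPA) ||
    Min(ANonce,SNonce) || Max(ANonce,SNonce)), split into KCK, KEK and TK.
    aa/spa are the AP and MC MAC addresses; min/max make both sides agree."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_80211i(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC as used with CCMP: HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_ap: bytes, pmk_sta: bytes, aa: bytes, spa: bytes):
    """Run the handshake between an AP holding pmk_ap and an MC holding pmk_sta.
    Returns (True, TK) when both sides prove possession of the same PMK, else
    (False, None) at the first MIC check that fails. Frame bodies below are a
    simplified stand-in for EAPOL-Key frames, not the real encoding."""
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Message 1, AP -> MC: ANonce. Unprotected: nothing is keyed yet.
    # The MC now has everything it needs to derive the PTK.
    ptk_sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce)

    # Message 2, MC -> AP: SNonce + MIC under the MC's KCK.
    msg2 = b"\x02" + snonce
    mic2 = eapol_mic(ptk_sta["KCK"], msg2)

    # AP derives its PTK and checks the MIC: the MC proves it holds the PMK.
    ptk_ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(ptk_ap["KCK"], msg2), mic2):
        return False, None

    # Message 3, AP -> MC: ANonce again + MIC under the AP's KCK (the GTK,
    # wrapped under the KEK, would ride here too). The MC verifies the MIC:
    # the AP proves it holds the PMK, which is all a compromised AP needs.
    msg3 = b"\x03" + anonce
    mic3 = eapol_mic(ptk_ap["KCK"], msg3)
    if not hmac.compare_digest(eapol_mic(ptk_sta["KCK"], msg3), mic3):
        return False, None

    # Message 4, MC -> AP: MIC-only acknowledgement; both sides then install TK.
    msg4 = b"\x04"
    if not hmac.compare_digest(eapol_mic(ptk_ap["KCK"], msg4),
                               eapol_mic(ptk_sta["KCK"], msg4)):
        return False, None
    return True, ptk_sta["TK"]


if __name__ == "__main__":
    pmk = os.urandom(32)
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    print("same PMK:", four_way_handshake(pmk, pmk, aa, spa)[0])
    print("rogue AP:", four_way_handshake(os.urandom(32), pmk, aa, spa)[0])
```

Note that nothing in the exchange lets the MC distinguish the legitimate AP from a compromised one: both hold the PMK copy handed out by the AS, which is exactly the weakness the paragraph above points out.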
Wireless dual authentication protocol (WDAP) (Zheng et al., 2005) is proposed for 802.11
WLAN and can be extended to WMNs. WDAP provides authentication for both MCs and
APs and overcomes the shortcomings of other authentication protocols. The name “dual”
implies the fact that the AS authenticates both the MC and the AP. As in the four-way
handshake in IEEE 802.11i, this protocol also generates a session key for maintaining
confidentiality of the messages communicated between the MC and the AP after a
successful authentication. WDAP provides authentication during the initial connection state.
For roaming, it has three sub-protocols: an authentication protocol, a de-authentication
protocol, and a roaming authentication protocol.

Fig. 3. Schematic diagram of the authentication process in WDAP [Source: (Moustafa, 2007)]

Fig. 3 illustrates the WDAP authentication process. In the authentication protocol, the AP
receives the authentication request from the MC. It then creates an authentication request
for itself and concatenates this request to the one received from the MC. The
concatenated request is then sent to the AS. Since neither the MC nor the AP trusts the
other until the AS has authenticated both of them, WDAP is a dual authentication
protocol. If the authentication is successful, the AS generates a session key and sends it to
the AP. The AP then forwards this key to the MC, encrypted under the key it shares with
the MC. This key is thus shared between the AP and the MC for their secure
communication and for secure de-authentication when the session is finished. When an
MC finishes a session with an AP, secure de-authentication takes place to prevent the
connection from being exploited by an adversary. Use of WDAP in WMN environments
ensures mutual authentication of both MCs and MRs. WDAP can also be used to ensure
authentication between MRs through concatenation of authentication requests. In the case
of multi-hop communication in WMNs, each pair of nodes can mutually authenticate
through the session key generated by the AS. However, a solution is needed for open
mesh network scenarios, where an AS may not be present. Another problem arises in the
case of roaming authentication. WDAP is not ideally suited for roaming authentication
since it works only for roaming into new APs and does not consider the case of back
roaming, in which an MC may need to re-connect with another MC or an AP with which it
was authenticated earlier. As a result, the WDAP session key revocation mechanism has
shortcomings that make it unsuitable for deployment in real-world WMNs.
An approach that adapts IEEE 802.11i to multi-hop communication has been presented
in (Moustafa et al., 2006a). An extended forwarding capability in 802.11i is proposed,
without compromising its security features, to set up authenticated links at layer 2 and
thereby achieve secure wireless access as well as confidential data transfer in ad hoc
multi-hop environments. The general objective of this approach is to support secure and
seamless
access to the Internet by the MCs situated near public WLAN hotspots, even when these
nodes may move beyond the coverage area of the WLAN. To accomplish the authentication,
authorization and accounting (AAA) process for an MC within the WLAN communication
range, classical 802.11i authentication and message exchange take place.

Fig. 4. Schematic diagram of adapted 802.11i with EAP-TLS for multi-hop communication
[Source: (Moustafa, 2007)]

As shown in Fig. 4, for accomplishing the AAA process for MCs that are beyond the WLAN
communication range but belong to the ad hoc clusters, 802.11i is extended to support
forwarding capabilities. In this case, the notion of friend nodes is introduced to allow each
MC to initiate the authentication process through a selected node in its proximity. The
friend node plays the role of an auxiliary authenticator that forwards the authentication
request of the MC to the actual authenticator (i.e., the AP). If the friend node is not within
the communication range of the AP, it invokes other friend nodes in a recursive manner
until the AP is reached. The concept of proxy RADIUS (Rigney et al., 2000) is used for
ensuring forwarding compatibility and secure message exchange over multi-hops. Proxy
chaining (Aboba & Vollbrecht, 1999) takes place if the friend node is not directly connected
to an AP. To achieve a higher level of security on each authenticated link between the
communicating nodes, 802.11i encryption is used by invoking the four-way handshake
between each MC and its authenticator (AP or friend node). This approach is useful in open
mesh network scenarios, since it allows authentication by delegation among the mesh nodes.
In addition, since the authentication keys are stored in the immediate nodes, the re-
authentication process is optimized in case of roaming of the MCs. However, an adaptation
is needed that allows the establishment of multiple simultaneous connections to the
authenticators (APs and friend nodes) in a dense mesh topology. Also, a solution is
needed to support fast and secure roaming across multiple wireless mesh routers (WMRs). A
possible solution is to share the session keys of authenticated clients among the WMRs
(Moustafa, 2007).

4.3 Data packet authentication


One approach to preventing unauthorized nodes from getting access to the network services
in a WMN is to authenticate the transmitted data packets. Following this approach, a light-
weight hop-by-hop access protocol (LHAP) (Zhu et al., 2003; Zhu et al., 2006) has been
proposed for authenticating MCs and preventing resource consumption attacks in WMNs.
LHAP implements light-weight hop-by-hop authentication, where intermediate nodes
authenticate all the packets they receive before forwarding them further in the network. In
this protocol, an MC first performs some light-weight authentication operations to
bootstrap a trust relationship with its neighbors. It then invokes a light-weight protocol
for subsequent traffic authentication and data encryption. LHAP is ideally suited for ad
hoc networks, where it resides between the data link layer and the network layer and can
be seamlessly integrated with secure routing protocols to provide a high level of security in
a communication network.
LHAP employs a packet authentication technique based on one-way hash chains
(Lamport, 1981). Moreover, it uses the TESLA protocol (Perrig et al., 2001) to reduce the
number of public key operations needed for bootstrapping and maintaining trust among
the nodes. For every traffic packet received from the network layer, LHAP adds its own
header, which includes the node ID, a packet type field indicating a traffic packet, and an
authentication tag. The packet is then passed to the data link layer. Control packets are
generated by LHAP itself for establishing and maintaining trust relationships with the
neighbor nodes. For a received packet, LHAP verifies its authenticity based on the
authentication tag in the packet header. If the packet is valid, LHAP removes the LHAP
header and passes the packet to the network layer; otherwise, it discards the packet. LHAP
control packets are consumed by LHAP and are not passed up to the network layer, so that
LHAP runs without affecting the operation of the other layers.
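As an added example (not the LHAP authors' code), the Python program below implements the hash-chain tag check described in the paragraph above: the sender attaches the next unreleased element of a one-way chain to each packet, and the receiver accepts a packet only if hashing its tag a small number of times reaches the last element it verified. The header layout, tag length and loss window are assumptions; bootstrapping of the chain anchor (done with TESLA or a signature in LHAP) is assumed to have happened already.

```python
import hashlib
import os
import struct

TAG_LEN = 16                    # assumption: 128-bit chain elements
TYPE_TRAFFIC = 0x01             # assumption: packet-type value for a traffic packet
HDR = struct.Struct("!HB16s")   # node ID, packet type, authentication tag


def h(x: bytes) -> bytes:
    """One-way function for the chain (SHA-256 truncated to TAG_LEN bytes)."""
    return hashlib.sha256(x).digest()[:TAG_LEN]


def make_chain(length: int, seed: bytes = None) -> list:
    """chain[0] is a random seed and chain[i] = h(chain[i-1]); chain[-1] is the
    anchor the sender commits to during bootstrapping. Elements are released in
    reverse order, so each released tag is the preimage of the previous one."""
    chain = [seed or os.urandom(TAG_LEN)]
    for _ in range(length):
        chain.append(h(chain[-1]))
    return chain


class LhapSender:
    def __init__(self, node_id: int, chain: list):
        self.node_id, self.chain = node_id, chain
        self.next = len(chain) - 2      # chain[-1] is the already-committed anchor

    def anchor(self) -> bytes:
        return self.chain[-1]

    def send(self, payload: bytes) -> bytes:
        """Prepend the LHAP header carrying the next unreleased chain element."""
        if self.next < 0:
            raise RuntimeError("hash chain exhausted; re-bootstrap trust")
        tag = self.chain[self.next]
        self.next -= 1
        return HDR.pack(self.node_id, TYPE_TRAFFIC, tag) + payload


class LhapReceiver:
    def __init__(self, max_loss: int = 8):
        self.last_tag = {}              # node ID -> most recent verified element
        self.max_loss = max_loss        # how many lost packets we tolerate

    def bootstrap(self, node_id: int, anchor: bytes):
        """Record the anchor obtained through the (assumed) trust bootstrap."""
        self.last_tag[node_id] = anchor

    def receive(self, frame: bytes):
        """Return the payload if the tag chains to the last verified element
        within max_loss hashes; otherwise drop the frame (forgery, replay of an
        already-used element, or a node we have no trust relationship with)."""
        if len(frame) < HDR.size:
            return None
        node_id, ptype, tag = HDR.unpack_from(frame)
        last = self.last_tag.get(node_id)
        if last is None or ptype != TYPE_TRAFFIC:
            return None
        candidate = tag
        for _ in range(self.max_loss + 1):
            candidate = h(candidate)
            if candidate == last:
                self.last_tag[node_id] = tag   # advance: older elements are now stale
                return frame[HDR.size:]
        return None


if __name__ == "__main__":
    s = LhapSender(7, make_chain(20))
    r = LhapReceiver()
    r.bootstrap(7, s.anchor())
    f = s.send(b"hello")
    print(r.receive(f), r.receive(f))   # payload accepted once, replay dropped
```

Because the chain is consumed one element per packet, the receiver's window (max_loss) bounds how many consecutive losses it tolerates; a replayed element always fails because hashing it forward can never reach a later (lower-index) verified element.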
LHAP is very suitable for WMN applications. For secure roaming, LHAP can be useful in
distributing session keys among MCs by employing a special type of packet designated for
this purpose. However, the focus of this protocol is on preventing resource consumption
attacks on the network; LHAP cannot prevent insider attacks, and hence complementary
mechanisms are needed for this purpose (Moustafa, 2007).

4.4 Proactive authentication and pre-authentication schemes


In (Pack & Choi, 2004), a fast handoff scheme based on prediction of the mobility pattern has
been proposed. In this scheme, an MC entering the coverage area of an access point
performs the authentication procedure for multiple MRs (or APs) at once. When an MC
sends an authentication request, the AAA server performs the authentication for all the
relevant APs (or MRs) and sends multiple session keys to the MC. A prediction method
known as frequent handoff region (FHR) selection is utilized to reduce the handoff delay
further. The FHR selection algorithm takes into account the user mobility pattern, service
classes etc. to select the MRs most likely to be involved in a handoff. To increase the
accuracy of user mobility prediction, a proactive key distribution approach has been
proposed in (Mishra et al., 2004). A new data structure, the neighbor graph, is used to
determine the candidate set of MRs with which the MC may associate.

A reliable re-authentication scheme has been proposed in (Aura & Roe, 2005), in which an
MR issues a credential for the MC it is currently serving. The credential can be used later (by
the next MR) to certify the authenticity of the MC.
A fast authentication and key exchange mechanism to support seamless handoff has been
proposed in (Soltwisch et al., 2004). The mechanism uses the context transfer protocol (CTP)
(Loughney et al., 2005) to forward session key from the previous router to the new access
router.

4.5 Extensible authentication protocols


IEEE 802.1X has been applied to resolve some of the security problems in the 802.11
standard, where the MC and the AS authenticate each other by applying an upper layer
authentication protocol like the extensible authentication protocol encapsulating transport layer
security (EAP-TLS) protocol (Aboba & Simon, 1999). Although EAP-TLS offers mutual
authentication, it introduces high latency in WMNs because each terminal acts as an
authenticator for its neighbor to reach the AS. This can lead to long paths to the AS.
Furthermore, in the case of high mobility of terminals, the re-authentication caused by
frequent handoffs can be detrimental to real-time applications. Consequently, variants of
EAP have been proposed to adapt the 802.1X authentication model to multi-hop
communications in WMNs. Some of these mechanisms are briefly discussed below.
EAP with token-based re-authentication: a fast and secure hand-off protocol is presented in
(Fantacci et al., 2006) which allows mutual authentication and access control, thereby
preventing insider attacks during the re-authentication process. To achieve this, old
authentication keys are revoked, so a node has to ask its neighbors or the AS for the keys
when it needs them. The mechanism involves a token-based re-authentication scheme
based on a two-way handshake between the node that performs the hand-off and the AS.
The AS is involved in every hand-off so that there is a centralized entity monitoring the
network. An authentication token, in the form of keying material, is provided by the
authenticator of the network to the AS in order to obtain the PMK. The authenticator can
be an AP or a host in the WMN. Initially, the MC performs a full EAP-TLS authentication,
generating a PMK that is then shared between the MC and its authenticator. Whenever
the MC hands off to another authenticator, the new authenticator should receive the PMK
to avoid a full re-authentication. The new authenticator issues a request to the AS for the
PMK and adds a token to the request. The token is cryptographic material proving that the
authenticator is in contact with the MC which owns the requested PMK; it was generated
earlier by the MC while performing the hand-off and transmitted to the new authenticator.
The AS verifies the token and issues the PMK to the new authenticator. This protocol is
secure and involves centralized key management. However, the need to involve the AS in
each re-authentication is not suitable for scenarios where MCs have random and frequent
mobility (Moustafa, 2007). A distributed token verification would be more suitable for
open and multi-hop WMN environments.
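Added illustration of the token exchange described above (not the protocol's own code): the token construction, an HMAC under a key derived one-way from the PMK and bound to the new authenticator's identity and a hand-off counter, is an assumption, since the chapter does not specify it. The code shows why a token cannot be redeemed by a node other than the one it was issued to, nor twice, and why handing it over never exposes the PMK.

```python
import hashlib
import hmac
import os


def token_key(pmk: bytes) -> bytes:
    """Key used only for tokens, derived one-way from the PMK (assumption: the
    chapter does not fix the construction). A token therefore reveals nothing
    about the PMK to the new authenticator that carries it."""
    return hmac.new(pmk, b"handoff-token-key", hashlib.sha256).digest()


def make_token(pmk: bytes, mc_id: bytes, new_auth_id: bytes, counter: int) -> bytes:
    """Computed by the MC during hand-off and handed to the new authenticator.
    Binding new_auth_id stops the token being redeemed by any other node;
    the counter makes each hand-off token single-use."""
    msg = mc_id + b"|" + new_auth_id + b"|" + counter.to_bytes(4, "big")
    return hmac.new(token_key(pmk), msg, hashlib.sha256).digest()


class AuthServer:
    """Holds the PMK established by the MC's initial full EAP-TLS run."""

    def __init__(self):
        self.pmks = {}        # mc_id -> PMK
        self.counters = {}    # mc_id -> highest hand-off counter accepted

    def register_full_auth(self, mc_id: bytes) -> bytes:
        pmk = os.urandom(32)  # stand-in for the EAP-TLS-derived PMK
        self.pmks[mc_id] = pmk
        self.counters[mc_id] = 0
        return pmk

    def request_pmk(self, mc_id: bytes, new_auth_id: bytes, counter: int, token: bytes):
        """Release the PMK to new_auth_id only if the token proves it is in
        contact with the MC that owns the PMK and the token has not been used."""
        pmk = self.pmks.get(mc_id)
        if pmk is None or counter <= self.counters[mc_id]:
            return None
        expected = make_token(pmk, mc_id, new_auth_id, counter)
        if not hmac.compare_digest(expected, token):
            return None
        self.counters[mc_id] = counter
        return pmk


def handoff(as_: AuthServer, pmk_at_mc: bytes, mc_id: bytes, new_auth_id: bytes, counter: int):
    """The two-way exchange on hand-off: the MC gives the token to the new
    authenticator, which forwards (mc_id, its own id, counter, token) to the AS
    and receives the PMK back on success."""
    token = make_token(pmk_at_mc, mc_id, new_auth_id, counter)
    return as_.request_pmk(mc_id, new_auth_id, counter, token)


if __name__ == "__main__":
    server = AuthServer()
    pmk = server.register_full_auth(b"mc1")
    print(handoff(server, pmk, b"mc1", b"ap-B", 1) == pmk)   # True
    print(handoff(server, pmk, b"mc1", b"ap-B", 1))          # None: replay
```

The AS-side counter is what makes the scheme safe against a stale token being replayed by a node that captured it on the air; in a distributed variant the same check would have to be kept consistent across the verifying MRs, which is the difficulty the paragraph above alludes to.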
EAP-TLS over PANA: a security architecture suitable for multi-hop mesh networks is
presented in (Cheikhrouhou et al., 2006) that employs EAP-TLS over the protocol for carrying
authentication for network access (PANA) (Parthasarathy, 2006). It proposes an authentication
solution for WMNs adapting IEEE 802.1X so that MCs can be authenticated by MRs. Plain 802.1X
authentication between MCs and MRs requires MCs to be directly connected to the MRs.
Since PANA enables MCs to authenticate to the access network using IP protocol, it is used
in this mechanism to overcome the problem of association between MCs and MRs that can
be attached through more than one intermediate node. When a new MC joins the network, it
first gets an IP address (pre-PANA address) from a local DHCP server. Then, the PANA
protocol is initiated so that the mobile node discovers the PANA access (PAA) router to
authenticate itself. After successful authentication, the MC initiates the Internet key exchange
(IKE) protocol with the MR for establishing a security association. Finally, IPSec tunnel
ensures data protection over the radio link and a data access control by the MR. During the
authentication and authorization phases, PANA uses EAP message exchange between the
MC and the PAA, where PAA relays EAP messages to the AS using EAP over RADIUS.
EAP-TLS messages are used in this approach. The protocol is suited for heterogeneous WMNs
since it is independent of the technology of the wireless media. However, PANA requires
use of IP addresses in the mesh nodes. This puts a restriction in its use since all elements of a
WMN may not use IP as the addressing standard.
EAP-TLS using proxy chaining: the schemes in (Moustafa et al., 2006a; Moustafa et al.,
2006b) propose adaptive EAP solutions for authentication and access control in the multi-
hop wireless environment. In (Moustafa et al., 2006a), an adapted EAP-TLS approach is used
to allow authentication of mobile nodes. A delegation process is used among mobile nodes
by use of auxiliary authenticators in a recursive manner until the AS is reached. To allow
extended forwarding and exchange of EAP-TLS authentication messages, proxy RADIUS is
involved using proxy chaining among the intermediate nodes between the MCs requesting
the authentication and the AS. This approach permits the storage of authentication keys of
the MCs in the auxiliary authenticators. This speeds up the re-authentication process and
enhances the performance of the adaptive EAP-TLS mechanism. This solution is applicable
for WMNs, especially in multi-hop communications. However, to support secure roaming
across different wireless mesh routers (WMRs), communication is required between the old
and the new WMRs. This can be done by using central elements or switches that link the
WMRs and allow storing of information in a central location and distribution of information
among the WMRs.
EAP-enhanced pre-authentication: an EAP-enhanced pre-authentication scheme for mobile
WMN (IEEE 802.e) in the link layer has been proposed in (Hur et al., 2008). In this scheme,
the PKMv2 (public key management version 2) has been slightly modified based on the key
hierarchy in a way that the communication key can be established between the MC and the
target MR before hand-off in a proactive way. The modification allows the master session
key generated by the authentication server to bind the MR identification (i.e., base station
identification) and the MAC address of the MC. In the pre-authentication phase, the
authentication server generates and delivers the unique public session keys for the neighbor
MRs of the MC. The neighboring MRs are the access points that the MC potentially moves
to. These MRs can use the public session key to derive an authorization key of the
corresponding MC. In the same way, the MC can derive the public session key and the
authorization key for its neighbor MRs, with the MR identification. Once the handoff is
complete, the MC only needs to perform a three-way handshake and update the encryption
key since the MC and MR already possess the authentication key. Thus a re-authentication
with the authentication server is avoided and the associated delay is reduced.

Distributed authentication: a distributed authentication for minimizing the
authentication delay has been proposed in (Lee et al., 2008), in which multiple trusted
nodes are distributed over a WMN to act on the behalf of an authentication server. This
makes management of the network easy, and it also incurs less storage overhead in the MRs.
However, the performance of the scheme will degrade when multiple MCs send out their
authentication requests, since the number of trusted nodes acting as the authentication
server is limited compared to the number of access routers. In (He et al., 2010), a
distributed authenticated key establishment scheme (AKES) has been proposed based on
hierarchical multi-variable symmetric functions (HMSF). In this scheme, MCs and MRs can
mutually authenticate each other and establish pair-wise communication keys without the
need of interaction with any central authentication server. The authors have extended the
polynomial-based key generation concept (Blundo et al., 1993) to the asymmetric function
for mutual authentication among the MCs and MRs. Based on the symmetric polynomial
and an asymmetric function, an efficient and hierarchical key establishment scheme is
designed. This substantially reduces the communication overhead and authentication
delay.
Secure authentication: an improved security protocol for WMNs has been proposed in
(Lukas & Fackroth, 2009). The protocol is named “WMNSec”, which is based on the four-
way handshake mechanism in 802.11i. In WMNSec, a dedicated station, the mesh key
distributor (MKD), generates one single dynamically generated key for the whole
network. This key is called the global key (GK). The GK is distributed from the MKD to the
authenticated stations (MRs) using the four-way handshake from 802.11i. A newly joined
MR would become another authenticator after it is authenticated and become the
authenticated part of the WMN. Thus, the iterative authentication forms a spanning tree
rooted as the MKD and spanning the whole network. To provide a high level of security,
each key has a limited validity period. Periodic re-keying ensures that the keys used in all
stations are up-to-date.

4.6 Authentication using identity-based cryptography


Identity-based cryptography (IBC) is a public key cryptography in which public key of a user
is derived from some publicly available unique identity information about the user, e.g.
SSN, email address etc. Although the concept of IBC was first introduced by Shamir
(Shamir, 1984), a fully functional IBC scheme was not established till Boneh and Franklin
applied Weil pairing to construct a bilinear map (Boneh & Franklin, 2001). Using IBC, an
attack-resilient security architecture called “ARSA” for WMNs has been proposed in
(Zhang & Fang, 2006). The relationship among three entities in this scheme, e.g., brokers,
users and network operators are made analogous to that among a bank, a credit card
holder, and a merchant. The broker acts as a TTP that distributes secure pass to each
authenticated user. Each secure pass has the ID of the user enveloped in it and the WMN
operator grants access to all the users who possess secure passes. The users are not
bound to any specific operator, and can get ubiquitous network access by a universal pass
issued by a third-party broker. ARSA also provides an efficient mutual authentication and key
agreement (AKA) between a user and a serving WMN domain or between users served by
the same WMN domain.

4.7 Privacy protection schemes in WMNs


Traffic privacy preservation is an important issue in WMNs. In a community mesh network,
the traffic of mobile users can be observed by the MRs residing at its neighbors, which could
reveal sensitive personal information. A mesh network privacy-preserving architecture is
presented in (T. Wu et al., 2006). The mechanism aims to achieve traffic confidentiality based
on the concept of traffic pattern concealment by controlling the routing process using multi-
paths. The traffic from the source (i.e., IGW) to the destination (i.e., MR) is split into multiple
paths. Hence, each relaying nodes along the path from the source to the destination can
observe only a portion of the entire traffic. The traffic is split in a random manner (both
spatially and temporally) so that an intermediate node can have little knowledge to figure out
the overall traffic pattern. In this way the traffic confidentiality is achieved. The mechanism
defines an information-theoretic metric, and then proposes a penalty-based routing algorithm
to allow traffic pattern hiding by exploiting multiple available paths between a pair of nodes.
Source routing strategy is adopted so that a node can easily know the topology of its
neighborhood. The protocol can also ensure communication privacy in WMNs, where each
destination node is able to consistently limit the proportion of mutual information it shares
with the observing node. However, the traffic splitting can increase delay in communication
and hence this mechanism may not be suitable for real-time applications in WMNs.
A novel privacy and security scheme named PEACE (Privacy Enhanced yet Accountable
seCurity framEwork) for WMNs has been proposed in (Ren et al., 2010). The scheme achieves
explicit mutual authentication and key establishment between users (i.e. MCs) and MRs and
between the users themselves (i.e., between the MCs). It also enables unilateral anonymous
authentication between users and the MRs and bilateral anonymous authentication between a
pair of users. Moreover, it enables user accountability by regulating user behaviors and
protects WMNs from being abused and attacked. Network communications can be audited in
cases of disputes and frauds. The high level architecture of PEACE trust model consists of four
kinds of network entities: the network operator, user group managers, user groups and a
trusted third party (TTP). Before accessing the WMN services, each user has to enroll in at least
one user group whose manager, thus, knows the essential and non-essential attributes of the
user. The users do not directly register with the network operator; instead, each group
manager subscribes to the network operator on behalf of its group members. Upon registration
from a group manager, the network operator allocates a set of group secret keys to this user
group. The network operator divides each group secret key into two parts – one part is sent to
the requesting group manager and the other part to the TTP. To access network services, each
user requests one part of the group secret key from his group manager and the other part from
the TTP to recover a complete group secret key. The user also needs to return signed
acknowledgments to both the group manager and the TTP. PEACE uses a variation of the
short group signature scheme proposed in (Boneh & Shacham, 2004) to ensure sophisticated
user privacy. The scheme is resistant to bogus data injection attacks, data phishing attacks and
DoS attacks (Ren et al., 2010).
A security architecture named “SAT” has been proposed in (Sun et al., 2008; Sun et al., 2011).
The system consists of ticket-based protocols, which resolves the conflicting security
requirements of unconditional anonymity for honest users and traceability of misbehaving
users in a WMN. By utilizing the tickets, self-generated pseudonyms, and the hierarchical
identity-based cryptography, the architecture has been demonstrated to achieve the desired
security objectives and the performance efficiency. The system uses a blind signature
technique from payment systems (Brands, 1993; Wei et al., 2006; Figueiredo et al., 2005;
Chaum, 1982), and hence it achieves the anonymity by delinking user identities from their
activities. The pseudonym technique also renders user location information unexposed. The
pseudonym generation mechanism does not rely on a central authority, e.g. the broker in
(Zhang & Fang, 2006), the domain authority in (Ateniese et al., 1999), the transportation authority
or the manufacturer in (Raya & Hubaux, 2007), and the trusted authority in (Zhang et al., 2006),
who can derive the user’s identity from his pseudonyms and illegally trace on an honest user.
However, the system is not intended for achieving routing anonymity. Hierarchical identity-
based cryptography (HIBC) for inter-domain authentication is adopted to avoid domain
parameter certification in order to ensure anonymous access control.

5. The hierarchical architecture of a WMN


In this section, we first present a standard architecture of a typical WMN for which we
propose a security and privacy protocol. The architecture is a very generic one that
represents the majority of the real-world deployment scenarios for WMNs. The architecture of a
hierarchical WMN consists of three layers as shown in Fig. 5. At the top layer are the
Internet gateways (IGWs) that are connected to the wired Internet. They form the backbone
infrastructure for providing Internet connectivity to the elements in the second level. The
entities at the second level are called wireless mesh routers (MRs) that eliminate the need for
wired infrastructure at every MR and forward their traffic in a multi-hop fashion towards
the IGW. At the lowest level are the mesh clients (MCs) which are the wireless devices of the
users. Internet connectivity and peer-to-peer communications inside the mesh are two
important applications for a WMN. Therefore, the design of an efficient and low-overhead
communication protocol which ensures security and privacy of the users is a critical
requirement which poses significant research challenges.

Fig. 5. A three-tier architecture of a wireless mesh network (WMN)

For designing the proposed protocol and to specify the WMN deployment scenario, the
following assumptions are made.
1. Each MR which is authorized to join the wireless backbone (through the IGWs), has two
certificates to prove its identity. One certificate is used during the authentication phase
that occurs when a new node joins the network. EAP-TLS (Aboba et al., 2004) for 802.1X
authentication is used for this purpose since it is the strongest authentication method
provided by EAP (Aboba et al., 2004), whereas the second certificate is used for the
authentication with the authentication server (AS).
2. The certificates used for authentication with the RADIUS server and the AS are signed
by the same certificate authority (CA). Only recognized MRs are authorized to join the
backbone.
3. Synchronization of all MRs is achieved by use of the network time protocol (NTP)
protocol (Mills, 1992).
The proposed security protocol serves the dual purpose of providing security in the access
network (i.e., between the MCs and the MRs) and the backbone network (i.e., between the
MRs and the IGWs). These are described in the following sub-sections.

5.1 Access network security


The access mechanism to the WMN is assumed to be the same as that of a local area network
(LAN), where mobile devices authenticate themselves and connect to an access point (AP).
This allows the users to access the services of the WMN exploiting the authentication
and authorization mechanisms without installing any additional software. It is evident that
such a security solution provides protection to the wireless links between the MCs and the
MRs. A separate security infrastructure is needed for the links in the backbone networks.
This is discussed in Section 5.2.

Fig. 6. Secure information exchange among the MCs A and B through the MRs 1 and 2

Fig. 6 illustrates a scenario where users A and B are communicating in a secure way to MRs
1 and 2 respectively. If the wireless links are not protected, an intruder M will be able to
eavesdrop on and possibly manipulate the information being exchanged over the network.
This situation is prevented in the proposed security scheme which encrypts all the traffic
transmitted on the wireless link using a stream cipher in the data link layer of the protocol
stack.

5.2 Backbone network security


For providing security for the traffic in the backbone network, a two-step approach is
adopted. When a new MR joins the network, it first presents itself as an MC and completes
the association formalities. It subsequently upgrades its association by successfully
authenticating to the AS. In order to make such authentication process efficient in a high
mobility scenario, the key management and distribution processes have been designed in a
way so as to minimize the effect of the authentication overhead on the network
performance. The overview of the protocol is discussed as follows.
Fig. 7 shows the three phases of the authentication process that a MR (say N) undergoes.
When N wants to join the network, it scans all the radio channels to detect any MR that is
already connected to the wireless backbone. Once such an MR (say A) is detected, N
requests A for access to network services including authentication and key distribution.
After connecting to A, N can perform the tasks prescribed in the IEEE 802.11i protocol to
complete a mutual authentication with the network and establish a security association with
the entity to which it is physically connected. This completes the Phase I of the
authentication process. Essentially, during this phase, a new MR performs all the steps that
an MC has to perform to establish a secure channel with an MR for authentication and
secure communication over the WMN.

Fig. 7. Steps performed by a new MR (N) using backbone encrypted traffic to join the WMN

During Phase II of the authentication process, the MRs use the transport layer security (TLS)
protocol. Only authorized MRs that have the requisite credentials can authenticate to the AS
and obtain the cryptographic credentials needed to derive the key sequence used to protect
the wireless backbone. In the proposed protocol, an end-to-end secure channel between the
AS and the MR is established at the end of a successful authentication through which the
cryptographic credentials can be exchanged in a secure way.
To eliminate any possibility of the same key being used over a long time, a server-initiated
protocol is proposed for secure key management. The protocol is presented in Section 6. As
mentioned earlier in this section, all the MRs are assumed to be synchronized with a central
server using the NTP protocol.

Fig. 8 shows a collection of four MRs connected with each other by five wireless links. The
MR A is connected with the AS by a wired link. At the time of network bootstrapping, only
node A can connect to the network as an MR, since it is the only node that can successfully
authenticate to the AS. Nodes B and C which are neighbors of A then detect a wireless
network to which they can connect and perform the authentication process following the IEEE
802.11i protocol. At this point of time, nodes B and C are successfully authenticated as MCs.
After their authentication as MCs, nodes B and C are allowed to authenticate to the AS and
request the information used by A to produce the currently used cryptographic key for
communication in the network. After having derived such key, both B and C will be able to
communicate with each other, as well as with node A, using the ad hoc mode of
communication in the WMN. At this stage, B and C both have full MR functionalities. They
will be able to turn on their access interface for providing node D a connection to the AS for
joining the network.

Fig. 8. Autonomous configuration of the MRs in the proposed security scheme

6. The key distribution protocol


In this section, the details of the proposed key distribution and management protocol are
presented. The protocol is essentially a server-initiated protocol (Martignon et al., 2008) and
provides the clients (MRs and MCs) flexibility and autonomy during the key generation.
The proposed key management protocol delivers the keys to all the MRs from the AS in a
reactive manner. The keys are used subsequently by the MRs for a specific time interval in
their message communications to ensure integrity and confidentiality of the messages. After
the expiry of the time interval for validity of the keys, the existing keys are revoked and new
keys are generated by the AS. Fig. 9 depicts the message exchanges between the MRs and
the AS during the execution of the protocol.
A newly joined MR, after its successful mutual authentication with a central server, sends its
first request for key list (and its time of generation) currently being used by other existing
MRs in the wireless backbone. Let us denote the key list timestamp as TSKL. Let us define a
session as the maximum time interval for validity of the key list currently being used by each
node (MR and MC). We also define the duration of a session as the product of the cardinality
of the key list (i.e., the number of the keys in the key list) and the longest time interval of
validity of a key (the parameter timeout in Fig. 9).

Fig. 9. Message exchanges between an MR and the AS in the key management protocol

The validity of a key list is computed from the time instance when the list is generated (i.e.,
TSKL) by the AS. An MR, based on the time instance at which it joins the backbone (tnow in
Fig. 9), can find out the key (from the current list) being used by its peers (keyidx) and the
interval of validity of the key (Ti) using (1) and (2) as follows:

$$keyidx = \left\lfloor \frac{t_{now} - TS_{KL}}{timeout} \right\rfloor + 1 \quad (1)$$

$$T_i = keyidx \cdot timeout - (t_{now} - TS_{KL}) \quad (2)$$

In the proposed protocol, each WMN node requests the AS for the key list that will be used
in the next session before the expiry of the current session. This feature is essential for
nodes which are located multiple hops away from the AS, since responses from the AS take
a longer time to reach these nodes. The responses may also get delayed due to fading or
congestion in the wireless links. If the nodes send their requests for the key list to the AS just
before expiry of the current session, then due to the limited time in hand, only the nodes which
have good quality links with the AS will receive the key list. Hence, the nodes which
fail to receive responses from the server will not be able to communicate in the next session
due to non-availability of the current key list. This will lead to an undesirable situation of
network partitioning.
The key index value that triggers the request from the nodes to the server can be set equal to
the difference between the cardinality of the list and a correction factor. The correction factor
can be estimated based on parameters like the network load, the distance of the node from
the AS and the time required for the previous response.

In the proposed protocol, the correction factor is estimated based on the time to receive the
response from the AS using (3), where ts is the time instance when the first key request was
sent, tr is the time instance when the key response was received from the AS, and timeout is
the validity period of the key. Therefore, if a node fails to receive a response (i.e., the key
list) from the AS during timeout, and takes a time tlast, it must send the next request to the
AS before setting the last key.

$$c = \left\lceil \frac{t_{last} - timeout}{timeout} \right\rceil \quad \text{if } t_{last} > timeout \qquad (3)$$

$$c = 0 \quad \text{if } t_{last} \le timeout$$

$$t_{last} = t_r - t_s$$

The first request of the key list sent by the new node to the AS is forwarded by the peer to
which it is connected as an MC through the wireless access network. However, the
subsequent requests are sent directly over the wireless backbone.
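The following is an added worked example (not code from the chapter or its authors) of the key-list bookkeeping described in this section: equations (1) and (2) for locating the key currently in use and its remaining validity, equation (3) for the correction factor, and the request trigger derived from the list cardinality. The floor in (1) and the ceiling in (3) follow the reconstruction of the equations above; the time values in the scenario helper are constructed to show why a node with a slow path to the AS must request early.

```python
import math


def key_index(t_now, ts_kl, timeout):
    """Eq. (1): 1-based index of the key in the current list that peers use at t_now."""
    return math.floor((t_now - ts_kl) / timeout) + 1


def remaining_validity(t_now, ts_kl, timeout):
    """Eq. (2): T_i, time left before the key selected by eq. (1) expires."""
    return key_index(t_now, ts_kl, timeout) * timeout - (t_now - ts_kl)


def correction_factor(t_s, t_r, timeout):
    """Eq. (3): number of extra key periods of lead time, derived from the
    round-trip time (t_r - t_s) of the previous key request."""
    t_last = t_r - t_s
    if t_last <= timeout:
        return 0
    return math.ceil((t_last - timeout) / timeout)


def request_trigger_index(list_size, t_s, t_r, timeout):
    """Key index at which the node sends its request for the next session's list:
    cardinality of the list minus the correction factor (never below 1)."""
    return max(1, list_size - correction_factor(t_s, t_r, timeout))


def session_end(ts_kl, list_size, timeout):
    """A session lasts cardinality(list) * timeout, counted from TS_KL."""
    return ts_kl + list_size * timeout


def request_send_time(ts_kl, timeout, trigger_idx):
    """Moment key number trigger_idx comes into use, i.e. when the request goes out."""
    return ts_kl + (trigger_idx - 1) * timeout


def list_arrives_in_time(ts_kl, list_size, timeout, t_s, t_r, use_correction=True):
    """Constructed scenario: assuming the next round trip takes as long as the
    previous one (t_r - t_s), does the next key list reach the node before the
    current session expires?  With use_correction=False the node waits until the
    last key of the list, which is the situation that partitions the network."""
    idx = request_trigger_index(list_size, t_s, t_r, timeout) if use_correction else list_size
    send_at = request_send_time(ts_kl, timeout, idx)
    return send_at + (t_r - t_s) <= session_end(ts_kl, list_size, timeout)


if __name__ == "__main__":
    # Constructed values: list generated at t=100, 10 keys, 30 time units each,
    # previous request took 70 units to be answered (multi-hop path to the AS).
    print(key_index(175, 100, 30), remaining_validity(175, 100, 30))
    print(request_trigger_index(10, 0, 70, 30))
    print(list_arrives_in_time(100, 10, 30, 0, 70), list_arrives_in_time(100, 10, 30, 0, 70, False))
```

In the constructed scenario the node with a 70-unit round trip is told to request at key 8 rather than key 10; the reply then lands at t=380, inside the 400-unit session, whereas a request at the last key would be answered only at t=440, after the old list has been revoked.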

7. The privacy and anonymity protocol


As mentioned in Section 1, to ensure privacy of the users, the proposed security protocol
is complemented with a privacy protocol so as to ensure user anonymity and privacy.
The same authentication server (AS) used in the security protocol is used for managing the
key distribution for preserving the privacy. To enable user authentication and
anonymity, a novel protocol has been designed extending the ring signature authentication
scheme in (Cao et al., 2004). It is assumed that a symmetric encryption algorithm E exists
such that for any key k, the function Ek is a permutation over b-bit strings. We also
assume the existence of a family of keyed combining functions Ck,v(y1, y2, …., yn), and a
publicly defined collision-resistant hash function H(.) that maps arbitrary inputs to strings
of constant length which are used as keys for Ck,v(y1, y2, …., yn) (Rivest et al., 2001). Every
keyed combining function Ck,v(y1, y2, …., yn) takes as input the key k, an initialization b-
bit value v, and arbitrary values y1, y2, …., yn. A user Ui who wants to generate a session
key with the authentication server, uses a ring of n logged-on-users and performs the
following steps.
Step 1. Ui chooses the following parameters: (i) a large prime pi such that it is hard to
compute discrete logarithms in GF(pi), (ii) another large prime qi such that qi | pi – 1,
and (iii) a generator gi in GF(pi) with order qi.
Step 2. $U_i$ chooses $x_{A_i} \in Z_{q_i}$ as his private key, and computes the public key $y_{A_i} = g_i^{x_{A_i}} \bmod p_i$.

Step 3. $U_i$ defines a trap-door function $f_i(\alpha, \beta) = \alpha \cdot y_{A_i}^{\alpha \bmod q_i} \cdot g_i^{\beta} \bmod p_i$. Its inverse function $f_i^{-1}(y)$ is defined as $f_i^{-1}(y) = (\alpha, \beta)$, where $\alpha$ and $\beta$ are computed as follows ($K$ is a random integer in $Z_{q_i}$):

$$\alpha = y_{A_i} \cdot g_i^{\,K \cdot (g_i^{K} \bmod p_i) \bmod q_i} \bmod p_i \quad (4)$$

$$\alpha^{*} = \alpha \bmod q_i \quad (5)$$

$$\beta = K \cdot (g_i^{K} \bmod p_i) - x_{A_i} \cdot \alpha^{*} \bmod q_i \quad (6)$$

$U_i$ makes $p_i$, $q_i$, $g_i$ and $y_{A_i}$ public, and keeps $x_{A_i}$ secret.

The authentication server (AS) chooses: (i) a large prime p such that it is hard to compute
discrete logarithms in GF(p), (ii) another large prime q such that q | p – 1, (iii) a generator g
in GF(p) with order q, (iv) a random integer $x_B$ from $Z_q$ as its private key. AS computes its
public key $y_B = g^{x_B} \bmod p$ and publishes $(y_B, p, q, g)$.

Anonymous authenticated key exchange: The key-exchange is initiated by the user Ui and
involves three rounds to compute a secret session key between Ui and AS. The operations in
these three rounds are as follows:
Round 1: When $U_i$ wants to generate a session key on behalf of the $n$ ring users $U_1, U_2, \ldots, U_n$,
where $1 \le i \le n$, $U_i$ does the following:

(i) $U_i$ chooses two random integers $x_1, x_a \in Z_q^{*}$ and computes the following:
$R = g^{x_1} \bmod p$, $Q = (y_B^{x_1} \bmod p) \bmod q$, $X = g^{x_a} \bmod p$ and $l = H(X, Q, V, y_B, I)$.

(ii) $U_i$ chooses a pair of values $(\alpha_t, \beta_t)$ for every other ring member $U_t$ ($1 \le t \le n$, $t \ne i$) in
a pseudorandom way, and computes $y_t = f_t(\alpha_t, \beta_t) \bmod p_t$.

(iii) $U_i$ randomly chooses a $b$-bit initialization value $v$, and finds the value of $y_i$ from
the equation $C_{k,v}(y_1, y_2, \ldots, y_n) = v$.

(iv) $U_i$ computes $(\alpha_i, \beta_i) = f_i^{-1}(y_i)$ by using the trap-door information of $f_i$. First, it
chooses a random integer $K \in Z_{q_i}$, computes $\alpha_i$ using (4), and keeps $K$ secret. It then
computes $\alpha_i^{*}$ using (5) and finally computes $\beta_i$ using (6).

(v) $(U_1, U_2, \ldots, U_n, v, V, R, (\alpha_1, \beta_1), (\alpha_2, \beta_2), \ldots, (\alpha_n, \beta_n))$ is the ring signature $\sigma$ on $X$.

Finally, $U_i$ sends $\sigma$ and $I$ to the server AS.

Round 2: AS does the following to recover and verify $X$ from the signature $\sigma$.

(i) AS computes $Q = (R^{x_B} \bmod p) \bmod q$, recovers $X$ using $X = V \cdot g^{Q} \bmod p$ and hashes $X$, $Q$,
$V$ and $y_B$ to recover $l$, where $l = H(X, Q, V, y_B, I)$.

(ii) AS computes $y_t = f_t(\alpha_t, \beta_t) \bmod p_t$, for $t = 1, 2, \ldots, n$.

(iii) AS checks whether $C_{k,v}(y_1, y_2, \ldots, y_n) = v$. If it is true, AS accepts $X$ as valid; otherwise,
AS rejects $X$. If $X$ is valid, AS chooses a random integer $x_b$ from $Z_q^{*}$, and computes the
following: $Y = g^{x_b} \bmod p$, $K_s = X^{x_b} \bmod p$ and $h = H(K_s, X, Y, I')$. AS sends $\{h, Y, I'\}$ to
$U_i$.

Round 3: $U_i$ verifies whether $K_s'$ is from the server AS. For this purpose, $U_i$
computes $K_s' = Y^{x_a} \bmod p$, and hashes $K_s'$, $X$, $Y$ to get $h'$ using $h' = H(K_s', X, Y, I')$. If $h' = h$, $U_i$
accepts $K_s$ as the session key.
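The step that makes the ring signature work is (iii) of Round 1: with every other member's $y_t$ fixed, the signer has to find the one $y_i$ that closes the equation $C_{k,v}(y_1, \ldots, y_n) = v$, which is possible only because $E_k$ is an invertible permutation. The example below is added here and is not code from the chapter; it builds $E_k$ as a four-round Feistel permutation over 128-bit strings with HMAC-SHA256 as the round function (an assumption standing in for a block cipher), uses the chaining form of the keyed combining function from Rivest et al. (2001), and takes pseudorandom 128-bit values in place of the $y_t = f_t(\alpha_t, \beta_t)$ computed from the trap-door functions, which are not implemented here.

```python
import hashlib
import hmac
import secrets

B = 128                      # bit length b of the strings E_k permutes (assumed)
HALF = B // 2
HALF_BYTES = HALF // 8
MASK = (1 << HALF) - 1
ROUNDS = 4


def _f(key: bytes, r: int, rnd: int) -> int:
    """Feistel round function: HMAC-SHA256(key, round || right half), truncated to b/2 bits."""
    mac = hmac.new(key, bytes([rnd]) + r.to_bytes(HALF_BYTES, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:HALF_BYTES], "big")


def E(key: bytes, x: int) -> int:
    """E_k: a keyed permutation over b-bit integers (four Feistel rounds)."""
    l, r = x >> HALF, x & MASK
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(key, r, rnd)
    return (l << HALF) | r


def E_inv(key: bytes, y: int) -> int:
    """Inverse of E_k: undo the rounds in reverse order."""
    l, r = y >> HALF, y & MASK
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(key, l, rnd), l
    return (l << HALF) | r


def combine(key: bytes, v: int, ys: list) -> int:
    """C_{k,v}(y_1..y_n) = E_k(y_n XOR E_k(y_{n-1} XOR ... E_k(y_1 XOR v))),
    the chained form of the keyed combining function (Rivest et al., 2001)."""
    z = v
    for y in ys:
        z = E(key, y ^ z)
    return z


def solve_for_y(key: bytes, v: int, ys: list, i: int) -> int:
    """Round 1 step (iii): given y_t for all t != i, return the y_i that makes
    C_{k,v}(y_1..y_n) == v.  Walk the chain forward to position i-1 and backward
    (with E_k^{-1}) from the end; the two meet at position i."""
    z = v                               # z_{i-1}: chain value entering position i
    for y in ys[:i]:
        z = E(key, y ^ z)
    w = v                               # w_i: chain value that must leave position i
    for y in reversed(ys[i + 1:]):
        w = E_inv(key, w) ^ y
    return E_inv(key, w) ^ z


def ring_glue_demo(n: int = 5, i: int = 2, message: bytes = b"X-constructed"):
    """Constructed demo: n-1 pseudorandom y_t (in place of f_t(alpha_t, beta_t)),
    k = H(message) as in the chapter, random v.  Returns (verifier accepts, y_i)."""
    key = hashlib.sha256(message).digest()       # H(.) output used as the key k
    v = secrets.randbits(B)
    ys = [secrets.randbits(B) for _ in range(n)]
    ys[i] = solve_for_y(key, v, ys, i)
    return combine(key, v, ys) == v, ys[i]


if __name__ == "__main__":
    print(ring_glue_demo())
```

The verifier in Round 2 only recomputes `combine` and compares with `v`; nothing in that check depends on which position was solved for, which is exactly the anonymity argument given later in the chapter.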
Security analysis: The key exchange scheme satisfies the following requirements.
User anonymity: For a given signature on $X$, the server can only be convinced that the ring
signature is actually produced by at least one of the possible users. If the actual user does
not reveal the seed $K$, the server cannot determine the identity of the user. The strength of
the anonymity depends on the security of the pseudorandom number generator. It is not
possible to determine the identity of the actual user in a ring of size $n$ with a probability
greater than $1/n$. Since the values of $k$ and $v$ are fixed in a ring signature, there are $(2^b)^{n-1}$
tuples $(x_1, x_2, \ldots, x_n)$ that satisfy the equation $C_{k,v}(y_1, y_2, \ldots, y_n) = v$, and the probability of
generation of each $(x_1, x_2, \ldots, x_n)$ is the same. Therefore, the signature cannot leak the identity
information of the user.
Mutual authentication: In the proposed scheme, not only does the server verify the users, but the
users can also verify the server. Because of the hardness of inverting the hash function $f(\cdot)$, it
is computationally infeasible for the attacker to determine $(\alpha_i, \beta_i)$, and hence it is infeasible
for him to forge a signature. If the attacker wants to masquerade as the AS, he needs to
compute $h = H(K_s, X, Y)$. He requires $x_B$ in order to compute $X$. However, $x_B$ is the private
key of AS to which the attacker has no access.
Forward secrecy: The forward secrecy of a scheme refers to its ability to defend against leaking of
the keys of previous sessions when an attacker is able to catch hold of the key of a particular
session. The forward secrecy of a scheme enables it to prevent replay attacks. In the proposed
scheme, since $x_a$ and $x_b$ are both selected randomly, the session key of each period has no
relation to the other periods. Therefore, if the session key generated in the period $j$ is leaked,
the attacker cannot get any information about the session keys generated before the period $j$.
The proposed protocol is, therefore, resistant to replay attack.
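The server-authentication and forward-secrecy properties argued above rest on Rounds 2 and 3: fresh exponents $x_a$, $x_b$ per run and the confirmation hash $h = H(K_s, X, Y, I')$ that $U_i$ recomputes. The code below is an added example, not the chapter's or the authors' implementation; it runs just the Diffie-Hellman and confirmation part of the exchange (the ring signature on $X$ is produced separately and is omitted), over a toy 61-bit prime with SHA-256 as $H(\cdot)$, both of which are assumptions for the demo rather than parameters from the protocol.

```python
import hashlib
import hmac
import secrets

# Toy group parameters (assumption for the demo; a deployment uses the large
# primes p, q and generator g that the AS publishes).
P = (1 << 61) - 1          # Mersenne prime 2^61 - 1
G = 3


def H(*parts) -> bytes:
    """Collision-resistant hash H(.) over a length-prefixed encoding of its inputs (SHA-256 assumed)."""
    h = hashlib.sha256()
    for part in parts:
        raw = part if isinstance(part, bytes) else part.to_bytes(32, "big")
        h.update(len(raw).to_bytes(2, "big") + raw)
    return h.digest()


def user_round1(x_a=None):
    """U_i: ephemeral secret x_a and X = g^{x_a} mod p (the ring signature on X is
    produced separately and not repeated here)."""
    x_a = secrets.randbelow(P - 2) + 1 if x_a is None else x_a
    return x_a, pow(G, x_a, P)


def server_round2(X, i_prime, x_b=None):
    """AS: fresh x_b, Y = g^{x_b}, K_s = X^{x_b}, confirmation h = H(K_s, X, Y, I').
    Returns the server's key and the message {h, Y, I'} sent to U_i."""
    x_b = secrets.randbelow(P - 2) + 1 if x_b is None else x_b
    Y = pow(G, x_b, P)
    K_s = pow(X, x_b, P)
    return K_s, (H(K_s, X, Y, i_prime), Y, i_prime)


def user_round3(x_a, X, msg):
    """U_i: K_s' = Y^{x_a} mod p, h' = H(K_s', X, Y, I'); accept only if h' == h."""
    h, Y, i_prime = msg
    K_s_prime = pow(Y, x_a, P)
    h_prime = H(K_s_prime, X, Y, i_prime)
    return K_s_prime if hmac.compare_digest(h, h_prime) else None


def run_exchange(i_prime=b"session-1", tamper_Y=False):
    """Rounds 1-3 end to end.  With tamper_Y a man in the middle replaces Y in
    transit; the confirmation hash no longer matches and U_i rejects.
    Returns (server key, key accepted by the user or None)."""
    x_a, X = user_round1()
    K_s, msg = server_round2(X, i_prime)
    if tamper_Y:
        msg = (msg[0], pow(G, 12345, P), msg[2])      # constructed substitute Y
    return K_s, user_round3(x_a, X, msg)


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(tamper_Y=True))
```

Because both exponents are drawn fresh in every run, two executions with the same $I'$ yield unrelated keys, which is the forward-secrecy argument made in the text; the tampered run shows the Round 3 check doing its job.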

8. Performance evaluation
The proposed security and privacy protocols have been implemented in the Qualnet
network simulator, version 4.5 (Network Simulator, Qualnet). The simulated network
consists of 50 nodes randomly distributed in the simulation area forming a dense WMN.
The WMN topology is shown in Fig. 10, in which 5 are MRs and remaining 45 are MCs.
Each MR has 9 MCs associated with it. To evaluate the performance of the security protocol,
first the network is set as a full-mesh topology, where each MR (and also MC) is directly
connected to two of its neighbors. In such a scenario, the throughput of a TCP connection
established over a wireless link is measured with the security protocol activated in the
nodes. The obtained results are then compared with the throughput obtained on the same
wireless link protected by a static key to encrypt the traffic.
After 10 simulation runs, the average throughput of a wireless link between a pair of
MRs was found to be equal to 30.6 Mbps when the link is protected by a static key.
However, the average throughput for the same link was 28.4 Mbps when the link was
protected by the proposed security protocol. The results confirm that the protocol does not
cause any significant overhead on the performance of the wireless link, since the throughput
in a link on average decreased by only 7%.
The impact of the security protocol for key generation and revocation on packet drop rate in
real-time applications is also studied in the simulation. For this purpose, a VoIP application is
invoked between two MRs which generated UDP traffic in the wireless link. The packet drop
rates in wireless link when the link is protected with the proposed security protocol and when
the link is protected with a static key. The transmission rate was set to 1 MBPS. The average
packet drop rate in 10 simulation runs was found to be only 4%. The results clearly
demonstrate that the proposed security scheme has no adverse impact on packet drop rate
even if several key switching (regeneration and revocation) operations are carried out.

Fig. 10. The simulated network topology in Qualnet Simulator

The performance of the privacy protocol is also analyzed in terms of its storage and
communication overhead. Both were found to increase linearly with the number of nodes in
the network. In fact, it has been shown analytically that the overhead due to the
cryptographic operations on each message is 60n + 60 bytes, where n is the number of public
keys used to generate the ring signature (Xiong et al., 2010). The privacy protocol thus has a
low overhead.

9. Conclusion and future work


WMNs have become an important focus area of research in recent years owing to their great
promise in realizing numerous next-generation wireless services. Driven by the demand for
rich and high-speed content access, recent research has focused on developing high-
performance communication protocols, while security and privacy issues have received
relatively little attention. However, given the wireless and multi-hop nature of
communication, WMNs are subject to a wide range of security and privacy threats. This
chapter has provided a comprehensive discussion of the current authentication, access
control and user privacy protection schemes for WMNs. It has also presented a novel
security and key management protocol that can be used for secure authentication in
WMNs. The proposed security protocol ensures security in both the access and the
backbone networks. A user privacy protection algorithm has also been presented that
enables anonymous authentication of the users. Simulation results have shown the
effectiveness of the protocol. Future research issues include the study of a distributed and
collaborative system in which the authentication service is provided by a dynamically selected
set of MRs. Its integration with the current centralized scheme would increase the
robustness of the proposed protocol while maintaining a low overhead, since MRs would use the
distributed service only when the central server is not available. Authentication on the
backbone network in a hybrid and open WMN is still an unsolved problem. In addition,
authentication between MRs and IGWs of different operators in a hybrid WMN
environment is another challenge. Authentication and key distribution in a mobile WMN
such as a mobile WiMAX or LTE network is another open problem. High-mobility users
make the challenge even more difficult. Owing to the very limited coverage of IEEE 802.11-based
MRs (e.g., 100 meters), a high-mobility user (e.g., a user in a fast-moving car) will migrate
frequently from the coverage area of one MR to that of another. It is not acceptable for the user to
authenticate and negotiate a key with each MR. Novel solutions, possibly using group
keys, are needed for this purpose. Finally, the requirements of user anonymity and privacy
should be integrated into most of the applications in WMNs.

10. References
Aboba, B.; Blunk, L.; Vollbrecht, J.; Carlson, J. & Levkowetz, H. (2004). Extensible
Authentication Protocol (EAP). RFC 3748, June 2004.
Aboba, B. & Simon, D. (1999). PPP EAP TLS Authentication Protocol. RFC 2716, 1999.
Aboba, B. & Vollbrecht, J. (1999). Proxy Chaining and Policy Implementation in Roaming, RFC
2607, October 1999.
Akyildiz, I. F.; Wang, X. & Wang, W. (2005). Wireless Mesh Networks: A Survey. Computer
Networks, Vol 47, No 4, pp. 445–487, March 2005.
Ateniese, G.; Herzberg, A.; Krawczyk, H. & Tsudik, G. (1999). Untraceable Mobility or How
to Travel Incognito. Computer Networks, Vol 31, No 8, pp. 871–884, April 1999.
Aura, T. & Roe, M. (2005). Reducing Reauthentication Delay in Wireless Networks.
Proceedings of the 1st IEEE International Conference on Security and Privacy for Emerging
Areas in Communications Networks (SecureComm’05), pp. 139-148, Athens, Greece,
September 2005.
Ben Salem, N. & Hubaux, J.-P. (2006). Securing Wireless Mesh Networks. IEEE Wireless
Communication, Vol 13, No 2, pp. 50-55, April 2006.
Blake-Wilson, S. & Menezes, A. (1998). Entity Authentication and Authenticated Key
Transport Protocols Employing Asymmetric Techniques. Proceedings of the 5th
International Workshop on Security Protocols, Lecture Notes in Computer Science, Vol


1361, pp. 137–158, Christianson et al. (eds.), Springer-Verlag, Heidelberg, Germany, 1998.
Blundo, C.; De Santis, A.; Herzberg, A.; Kutten, S.; Vaccaro, U. & Yung, M. (1993). Perfectly-
Secure Key Distribution for Dynamic Conferences. Proceedings of the 12th Annual
International Cryptology Conference on Advances in Cryptology (CRYPTO'92). Lecture
Notes in Computer Science, Brickell (ed.), Vol 740, pp. 471-486, 1993.
Boneh, D. & Franklin, M. (2001). Identity-Based Encryption from the Weil Pairing.
Proceedings of the Annual International Cryptology Conference (CRYPTO’01). Lecture
Notes in Computer Science, Vol 2139, pp. 213–229, Springer-Verlag, Berlin, Germany,
August 2001.
Boneh, D. & Shacham, H. (2004). Group Signatures with Verifier-Local Revocation.
Proceedings of the 11th ACM Conference on Computer and Communication Security
(CCS), pp. 168-177, Washington DC, USA, October 2004.
Brands, S. (1993). Untraceable Off-Line Cash in Wallets with Observers. Proceedings of the
Annual International Cryptology Conference (CRYPTO’93). Lecture Notes in Computer
Science Vol 773, pp. 302–318, August 1993.
Buttyan, L. & Dora, L. (2009). An Authentication Scheme for QoS-Aware Multi-Operator
Maintained Wireless Mesh Networks. Proceedings of the 1st IEEE WoWMoM
Workshop on Hot Topics in Mesh Networking (HotMESH ’09), Kos, Greece, June 2009.
Buttyan, L.; Dora, L.; Martinelli, F. & Petrocchi, M. (2010). Fast Certificate-based
Authentication Scheme in Multi-Operator Maintained Wireless Mesh Networks.
Journal of Computer Communications, Vol 33, Issue 8, May 2010.
Cao, T.; Lin, D. & Xue, R. (2004). Improved Ring Authenticated Encryption Scheme.
Proceedings of 10th Joint International Computer Conference (JICC), International
Academic Publishers World Publishing Corporation, pp. 341-346, 2004.
Cao, Z; Zhu, H. & Lu, R. (2006). Provably Secure Robust Threshold Partial Blind Signature.
Science in China Series F: Information Sciences, Vol 49, No 5, pp. 604–615, October
2006.
Chaum, D. (1982). Blind Signatures for Untraceable Payments. Proceedings of the Annual
International Cryptology Conference (CRYPTO’82). Advances in Cryptology, pp. 199–
203, Plenum Press, New York, USA, August 1983.
Cheikhrouhou, O.; Maknavicius, M. & Chaouchi, H. (2006). Security Architecture in a Multi-
Hop Mesh Network. Proceedings of the 5th Conference on Security Architecture Research
(SAR 2006), Seignosse-Landes, France, June 2006.
Clarke, R. (1999). Internet Privacy Concerns Confirm the Case for Intervention.
Communications of the ACM, Vol 42, No 2, pp. 60–67, February 1999.
Fantacci, R.; Maccari, L.; Pecorella, T. & Frosali, F. (2006). A Secure and Performant Token-
Based Authentication for Infrastructure and Mesh 802.1X Networks. Proceedings of
the 25th IEEE International Conference on Computer Communications (INFOCOM’06),
Poster Paper, Barcelona, Spain, April 2006.
Figueiredo, D.; Shapiro, J. & Towsley, D. (2005). Incentives to Promote Availability in Peer-
to-Peer Anonymity Systems. Proceedings of the 13th IEEE International Conference on
Network Protocols (ICNP‘05), pp. 110–121, November 2005.
He, B.; Xie, B.; Zhao, D. & Reddy, R. (2011). Secure Access Control and Authentication in
Wireless Mesh Networks. Security of Self-Organizing Networks: MANET, WSN,
WMN, WANET, Al-Sakib Khan Pathan (ed.), CRC Press, USA, 2011.


He, B.; Joshi, S.; Agrawal, D. P. & Sun, D. (2010). An Efficient Authenticated Key
Establishment Scheme for Wireless Mesh Networks. Proceedings of IEEE Global
Telecommunications Conference (GLOBECOM’10), pp. 1-5, Miami, Florida, USA,
December 2010.
Hur, J.; Shim, H.; Kim, P.; Yoon, H. & Song, N.-O. (2008). Security Consideration for
Handover Schemes in Mobile WiMAX Networks. Proceedings of IEEE Wireless
Communications and Networking Conference (WCNC ’08), Las Vegas, NV, March,
2008.
IEEE Standard 802.11i (2004). Medium Access Control Security Enhancements, 2004.
IEEE Standard 802.1X (2001). Local and Metropolitan Area Networks Port-Based Network Access
Control, 2001.
Kassab, M.; Belghith, A.; Bonnin, J.-M. & Sassi, S. (2005). Fast Pre-Authentication Based on
Proactive Key Distribution for 802.11 Infrastructure Networks. Proceedings of the 1st
ACM Workshop on Wireless Multimedia Networking and Performance Modeling
(WMuNeP 2005), pp. 46–53, Montreal, Canada, October 2005.
Lamport, L. (1981). Password Authentication with Insecure Communication.
Communications of the ACM, Vol. 24, No. 11, pp. 770-772, November 1981.
Lee, I.; Lee, J.; Arbaugh, W. & Kim, D. (2008). Dynamic Distributed Authentication Scheme
for Wireless LAN-Based Mesh Networks. Proceedings of the International Conference on
Information Networking, Towards Ubiquitous Networking and Services (ICOIN '07),
Estoril, Portugal, January 2007. Lecture Notes in Computer Science, Vazao et al. (eds.),
Vol. 5200, pp. 649–658, Springer-Verlag, Heidelberg, Germany, 2008.
Lin, X.; Ling, X.; Zhu, H.; Ho, P.-H. & Shen, X. (2008). A Novel Localised Authentication
Scheme in IEEE 802.11 Based Wireless Mesh Networks. International Journal of
Security and Networks, Vol. 3, No. 2, pp. 122–132, 2008.
Loughney, J.; Nakhjiri, M.; Perkins, C. & Koodli, R. (2005). Context Transfer Protocol (CXTP).
IETF RFC 4067, July 2005.
Lukas, G. & Fackroth, C. (2009). WMNSec: Security for Wireless Mesh Networks. Proceedings
of the International Conference on Wireless Communications and Mobile Computing:
Connecting the World Wirelessly (IWCMC’09), pp. 90–95, Leipzig, Germany, June,
2009, ACM Press, New York, USA.
Martignon, F.; Paris, S. & Capone, A. (2008). MobiSEC: A Novel Security Architecture for
Wireless Mesh Networks. Proceedings of the 4th ACM Symposium on QoS and Security
for Wireless and Mobile Networks (Q2SWinet’08), pp. 35-42, Vancouver, Canada,
October 2008.
Mills, D.L. (1992). Network Time Protocol, RFC 1305, March 1992.
Mishra, A. & Arbaugh, W. A. (2002). An Initial Security Analysis of the IEEE 802.1X Standard.
Computer Science Department Technical Report CS-TR-4328, University of Maryland,
USA, February 2002.
Mishra, A.; Shin, M. H.; Petroni, N. L.; Clancy, T. C. & Arbaugh, W. A. (2004). Proactive Key
Distribution Using Neighbor Graphs. IEEE Wireless Communications, Vol. 11, No. 1,
pp. 26–36, February 2004.
Moustafa, H. (2007). Providing Authentication, Trust, and Privacy in Wireless Mesh
Networks, pp. 261-295. Security in Wireless Mesh Networks. Zhang et al. (eds.), CRC
Press, USA, 2007.


Moustafa, H.; Bourdon, G. & Gourhant, Y. (2006a). Authentication, Authorization and
Accounting (AAA) in Hybrid Ad Hoc Hotspot's Environments. Proceedings of the 4th
ACM International Workshop on Wireless Mobile Applications and Services on WLAN
Hotspots (WMASH'06), pp. 37-46, Los Angeles, California, USA, September 2006.
Moustafa, H.; Bourdon, G. & Gourhant, Y. (2006b). Providing Authentication and Access
Control in Vehicular Network Environment. Proceedings of the 21st IFIP TC-11
International Information Security Conference (IFIP-SEC'06), pp. 62-73, Karlstad,
Sweden, May 2006.
Network Simulator QUALNET. URL: http://www.scalable-networks.com.
Pack, S. & Choi, Y. (2004). Fast Handoff Scheme Based on Mobility Prediction in Public
Wireless LAN Systems. IEE Proceedings - Communications, Vol. 151, No. 5, pp. 489–495,
October 2004.
Parthasarathy, M. (2005). Protocol for Carrying Authentication and Network Access (PANA)
Threat Analysis and Security Requirements. RFC 4016, March 2005.
Perrig, A.; Canetti, R.; Song, D. & Tygar, J. (2001). Efficient and Secure Source
Authentication for Multicast. Proceedings of the Network and Distributed System
Security Symposium (NDSS 2001), pp. 35-46, San Diego, California, USA, February
2001.
Prasad, N. R.; Alam, M. & Ruggieri, M. (2004). Light-Weight AAA Infrastructure for
Mobility Support across Heterogeneous Networks. Wireless Personal
Communications, Vol 29, No 3–4, pp. 205–219, June 2004.
Prasad, A. R. & Wang, H. (2005). Roaming Key Based Fast Handover in WLANs. Proceedings
of IEEE Wireless Communications and Networking Conference (WCNC 2005), Vol 3, pp.
1570–1576, New Orleans, Louisiana, USA, March 2005.
Raya, M. & Hubaux, J.-P. (2007). Securing Vehicular Ad Hoc Networks. Journal of Computer
Security, Special Issue on Security of Ad Hoc and Sensor Networks, Vol 15, No 1, pp. 39–
68, January 2007.
Reed, M.; Syverson, P. & Goldschlag, D. D. (1998). Anonymous Connections and Onion
Routing. IEEE Journal on Selected Areas in Communications, Vol 16, No 4, pp. 482-494,
May 1998.
Ren, K.; Yu, S.; Lou, W. & Zhang, Y. (2010). PEACE: A Novel Privacy-Enhanced Yet Accountable
Security Framework for Metropolitan Wireless Mesh Networks. IEEE Transactions on
Parallel and Distributed Systems, Vol 21, No 2, pp. 203–215, February 2010.
Rigney, C.; Willens, S.; Rubens, A. & Simpson, W. (2000). Remote Authentication Dial In User
Service (RADIUS), RFC 2865, June 2000.
Rivest, R.; Shamir, A. & Tauman, Y. (2001). How to Leak a Secret. Proceedings of the 7th
International Conference on the Theory and Application of Cryptology and Information
Security: Advances in Cryptology (ASIACRYPT'01). Lecture Notes in Computer Science, Vol
2248, pp. 552-565, Boyd, C. (ed.), Springer, Heidelberg, December 2001.
Sen, J.; Chowdhury, P. R. & Sengupta, I. (2006). Proceedings of the International Symposium on
Ad Hoc and Ubiquitous Computing (ISAHUC’06), pp. 62-67, Surathkal, Mangalore,
India, December, 2006.
Sen, J. & Subramanyam, H. (2007). An Efficient Certificate Authority for Ad Hoc Networks.
Proceedings of the 4th International Conference on Distributed Computing and Internet
Technology (ICDCIT’07), Bangalore, India, December 2007. Lecture Notes in Computer
Science, Janowski & Mohanty (eds.), Vol 4882, pp. 97-109, 2007.


Sen, J. (2009). A Survey on Wireless Sensor Network Security. International Journal of
Communication Networks and Information Security (IJCNIS), Vol 1, No 2, pp. 59-82,
August 2009.
Sen, J. (2010a). A Distributed Trust and Reputation Framework for Mobile Ad Hoc
Networks. Recent Trends in Network Security and its Applications, Meghanathan et al.
(eds.), pp. 528–537, Communications in Computer and Information Science (CCIS),
Springer-Verlag, Heidelberg, Germany, July 2010.
Sen, J. (2010b). Reputation- and Trust-Based Systems for Wireless Self-Organizing
Networks, pp. 91-122. Security of Self-Organizing Networks: MANET, WSN, WMN,
VANET, A-S. K. Pathan (ed.), Auerbach Publications, CRC Press, USA, December
2010.
Sen, J. (2010c). A Robust and Efficient Node Authentication Protocol for Mobile Ad Hoc
Networks. Proceedings of the 2nd International Conference on Computational
Intelligence, Modelling and Simulation (CIMSiM’10), pp. 476-481, Bali, Indonesia,
September 2010.
Sen, J. (2011). Secure Routing in Wireless Mesh Networks, pp. 237-280. Wireless Mesh
Networks, Nobuo Funabiki (ed.), InTech, Croatia, January 2011.
Shamir, A. (1984). Identity-Based Cryptosystems and Signature Schemes. Proceedings of the
International Cryptology Conference (CRYPTO’84). Lecture Notes in Computer Science,
Vol. 196, pp. 47–53, Springer-Verlag, Berlin, Germany, August 1984.
Soltwisch, R.; Fu, X.; Hogrefe, D. & Narayanan, S. (2004). A Method for Authentication and
Key Exchange for Seamless Inter-Domain Handovers. Proceedings of the 12th IEEE
International Conference on Networks (ICON ’04), pp. 463–469, Singapore, November
2004.
Sun, J.; Zhang, C. & Fang, Y. (2008). A Security Architecture Achieving Anonymity and
Traceability in Wireless Mesh Networks. Proceedings of the 27th IEEE International
Conference on Computer Communications (IEEE INFOCOM’08), pp. 1687–1695, April
2008.
Sun, J.; Zhang, C. ; Zhang, Y. & Fang, Y. (2011). SAT: A Security Architecture Achieving
Anonymity and Traceability in Wireless Mesh Networks. IEEE Transactions on
Dependable and Secure Computing, Vol 8, No 2, pp. 295–307, March 2011.
Wei, K.; Chen, Y. R.; Smith, A. J. & Vo, B. (2006). WhoPay: A Scalable and Anonymous
Payment system for Peer-to-Peer Environments. Proceedings of the 26th IEEE
International Conference on Distributed Computing Systems (ICDCS’06), July 2006.
Wood, A. D. & Stankovic, J. A. (2002). Denial of Service in Sensor Networks. IEEE Computer,
Vol 35, No. 10, pp. 54–62, October 2002.
Wu, T.; Xue, Y. & Cui, Y. (2006). Preserving Traffic Privacy in Wireless Mesh Networks.
Proceedings of the International Symposium on a World of Wireless, Mobile and
Multimedia Networks (WoWMoM‘06), pp. 459-461, Buffalo-Niagara Falls, NY, USA,
June 2006.
Wu, X. & Li, N. (2006). Achieving Privacy in Mesh Networks. Proceedings of the 4th ACM
Workshop on Security of Ad Hoc and Sensor Networks (SASN), pp. 13-22, October 2006.
Xiong, H.; Beznosov, K.; Qin, Z. & Ripeanu, M. (2010). Efficient and Spontaneous Privacy-
Preserving Protocol for Secure Vehicular Communication. Proceedings of IEEE
International Conference on Communications (ICC’10), pp. 1-6, Cape Town, South
Africa, May 2010.


Yi, P.; Wu, Y.; Zou, F. & Liu, N. (2010). A Survey on Security in Wireless Mesh Networks.
IETE Technical Review, Vol 27, No 1, pp. 6-14.
Zhang, Y. & Fang, Y. (2006). ARSA: An Attack-Resilient Security Architecture for Multihop
Wireless Mesh Networks. IEEE Journal on Selected Areas in Communications, Vol. 24,
No. 10, pp. 1916–1928, October 2006.
Zhang, Y.; Liu, W.; Lou, W. & Fang, Y. (2006). MASK: Anonymous On-demand Routing in
Mobile Ad Hoc Networks. IEEE Transactions on Wireless Communications, Vol. 5. No.
9, pp. 2376–2385, September 2006.
Zheng, X.; Chen, C.; Huang, C.-T.; Matthews, M. & Santhapuri, N. (2005). A Dual
Authentication Protocol for IEEE 802.11 Wireless LANs. Proceedings of the 2nd IEEE
International Symposium on Wireless Communication Systems, pp. 565–569, September
2005.
Zhu, S.; Xu, S.; Setia, S. & Jajodia, S. (2003). LHAP: A Lightweight Hop-by-Hop
Authentication Protocol for Ad-hoc Networks. Proceedings of the 23rd IEEE
International Conference on Distributed Computing Systems Workshops (ICDCSW'03),
pp. 749–755, May 2003.
Zhu, S.; Xu, S.; Setia S. & Jajodia, S. (2006). LHAP: A Lightweight Network Access Control
Protocol for Ad Hoc Networks. Ad Hoc Networks, Vol 4, No 5, pp. 567-585,
September 2006.
Zhu, H.; Lin, X.; Lu, R.; Ho, P.-H. & Shen, X. (2008). SLAB: A Secure Localized
Authentication and Billing Scheme for Wireless Mesh Networks. IEEE Transactions
on Wireless Communications, Vol 7, No. 10, pp. 3858–3868, October 2008.


Chapter 1

Homomorphic Encryption — Theory and Application

Jaydip Sen

Additional information is available at the end of the chapter

http://dx.doi.org/10.5772/56687

1. Introduction

The demand for privacy of digital data, and for algorithms that handle more complex structures,
has increased exponentially over the last decade. This goes in parallel with the growth of
communication networks, of their devices and of the capabilities of those devices. At the same
time, these devices and networks are subject to a great variety of attacks involving manipulation
and destruction of data and theft of sensitive information. For storing and accessing data
securely, current technology provides several methods of guaranteeing privacy, such as data
encryption and the use of tamper-resistant hardware. However, the critical problem arises
when there is a requirement to compute (publicly) with private data, or to modify functions
or algorithms in such a way that they remain executable while their privacy is ensured. This
is where homomorphic cryptosystems can be used, since these systems enable computations
on encrypted data.
In 1978 Rivest et al. (Rivest et al., 1978a) first investigated the design of a homomorphic
encryption scheme. Unfortunately, their privacy homomorphism was later broken by Brickell
and Yacobi (Brickell & Yacobi, 1987). The question rose again in 1991 when Feigenbaum and
Merritt (Feigenbaum & Merritt, 1991) asked: is there an encryption function E such that both
E(x + y) and E(x.y) are easy to compute from E(x) and E(y)? Essentially, the question asks
whether an algebraically homomorphic encryption scheme can be designed at all. Unfortunately,
there was very little progress in determining whether such schemes exist that are both efficient
and secure until 2009, when Craig Gentry, in his seminal paper, demonstrated the theoretical
possibility of constructing such an encryption system (Gentry, 2009). In this chapter, we will
discuss various aspects of homomorphic encryption schemes: their definitions, requirements,
applications, formal constructions, and the limitations of the current homomorphic encryption
schemes. We will also briefly discuss some of the emerging trends of research in this field of
computer science.

© 2013 Sen; licensee InTech. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


The chapter is organized as follows. In Section 2, we provide some basic and fundamental
information on cryptography and various types of encryption schemes. Section 3 presents a
formal discussion on homomorphic encryption schemes and discusses their various features.
In Section 4, we discuss some of the most well-known and classical homomorphic encryption
schemes in the literature. Section 5 provides a brief presentation on various properties and
applications of homomorphic cryptosystems. Section 6 presents a discussion on fully homo‐
morphic encryption schemes which are the most powerful encryption schemes for providing
a framework for computing over encrypted data. Finally, Section 7 concludes the chapter while
outlining a number of research directions and emerging trends in this exciting field of
computation which has a tremendous potential of finding applications in the real-world
deployments.

2. Fundamentals of cryptography

In this Section, we recall some important concepts concerning encryption schemes. For more
detailed information, the reader may refer to (Menezes et al., 1997; Van Tilborg, 2011).
Encryption schemes are designed to preserve confidentiality. The security of an encryption
scheme must not rely on the obfuscation of its code; it should be based only on the secrecy
of the key used in the encryption process (Kerckhoffs' principle). Encryption schemes are
broadly of two types, symmetric and asymmetric. In the following, we present a very brief
discussion of each.
Symmetric encryption schemes: In these schemes, the sender and the receiver agree on the
key they will use before establishing any secure communication session. Therefore, it is not
possible for two persons who have never met before to use such schemes directly. It also implies
that, in order to communicate with different persons, we must have a different key for each
person. The requirement for a large number of keys makes key generation and key
management relatively complex operations in these schemes. However, symmetric schemes
have the advantage of being very fast, and they are used in applications where speed of
execution is a paramount requirement. Among the existing symmetric encryption systems, AES
(Daemen & Rijmen, 2000; Daemen & Rijmen, 2002), the One-Time Pad (Vernam, 1926) and Snow
(Ekdahl & Johansson, 2002) are very popular.
Asymmetric encryption schemes: In these schemes, every participant has a pair of keys, a
private key and a public key. While the private key of a person is known only to her, the public
key of each participant is known to everyone in the group. Such schemes do not need any prior
agreement between the communicating parties on a common key before a communication
session is established, although they are considerably slower than symmetric schemes. RSA
(Rivest et al., 1978b) and ElGamal (ElGamal, 1985) are the two most popular asymmetric
encryption systems.
Security of encryption schemes: The security of encryption schemes was first formalized by
Shannon (Shannon, 1949). In his seminal paper, Shannon introduced the notion of perfect
secrecy (unconditional secrecy), which characterizes encryption schemes for which the
knowledge of a ciphertext gives no information about the corresponding plaintext or the
encryption key. Shannon also proved that the One-Time Pad (Vernam, 1926) is perfectly secure
under certain conditions (a truly random key at least as long as the message, used only once).
However, no other practical encryption scheme has been proved to be unconditionally secure.
For asymmetric schemes, we can rely on their mathematical structure to estimate their security
strength in a formal way. These schemes are based on well-identified mathematical problems
which are hard to solve in general, but easy to solve for the one who knows the trapdoor, i.e.,
the owner of the private key. However, the estimated security level of these schemes may not
always be correct, for several reasons. First, there may be other ways to break the system than
solving the mathematical problem on which it is based (Ajtai & Dwork, 1997; Nguyen & Stern,
1999). Second, most security proofs are performed in an idealized model called the random
oracle model, in which the involved primitives, for example hash functions, are considered truly
random. This model has allowed the study of the security level of numerous asymmetric
ciphers. However, proofs can now also be performed in a more realistic model called the
standard model (Canetti et al., 1998; Paillier, 2007), which eliminates some of the unrealistic
assumptions of the random oracle model and makes the security analysis of cryptographic
schemes more practical.
Usually, to evaluate the attack capacity of an adversary, we distinguish among several contexts
(Diffie & Hellman, 1976): ciphertext-only attacks (where the adversary has access only to some
ciphertexts), known-plaintext attacks (where the adversary has access to some pairs of plaintext
messages and their corresponding ciphertexts), chosen-plaintext attacks (where the adversary
has access to an encryption oracle and can obtain the ciphertexts of plaintexts of its choice; for
a public-key scheme this is always the case, since the encryption key is public), and
chosen-ciphertext attacks (where the adversary has access to a decryption oracle that behaves
like a black box, takes a ciphertext as its input and outputs the corresponding plaintext). The
first context is the most frequent in the real world, since it arises whenever an adversary
eavesdrops on a communication channel. The other cases may seem harder to achieve, and
arise when the adversary is in a more powerful position; he may, for example, have stolen some
plaintexts or an encryption engine. The chosen-plaintext and chosen-ciphertext contexts also
exist in adaptive versions, where the opponent can wait for the result of one query before
choosing the next input (Fontaine & Galand, 2007).
Probabilistic encryption: Almost all the well-known cryptosystems are deterministic. This
means that, for a fixed encryption key, a given plaintext is always encrypted into the same
ciphertext. However, this may lead to some security problems. RSA is a good example for
explaining this point. Let us consider the following points with reference to the RSA
cryptosystem:

• A particular plaintext may be encrypted in a too structured way. With RSA, the messages
0 and 1 are always encrypted as 0 and 1, respectively.
• It may be easy to compute some partial information about the plaintext: with RSA, the
ciphertext c leaks one bit of information about the plaintext m, namely the so-called Jacobi
symbol of m with respect to the modulus, which is preserved by exponentiation to the odd
public exponent (Fontaine & Galand, 2007).
• When using a deterministic encryption scheme, it is easy to detect when the same message
is sent twice under the same key.
In view of the problems stated above, we prefer encryption schemes to be probabilistic. In the
case of symmetric schemes, we introduce a random vector into the encryption process (e.g.,
into the pseudo-random generator of a stream cipher, or into the mode of operation of a block
cipher), generally called the initialization vector (IV). This vector may be public and may be
transmitted in clear, but it must be changed every time a message is encrypted under the same
key. In the case of asymmetric ciphers, the security analysis is more mathematical and formal,
and we want the randomized schemes to remain analyzable in the same way as the deterministic
ones. Researchers have proposed models to randomize existing deterministic schemes, such as
the optimal asymmetric encryption padding (OAEP) for RSA (or for any scheme based on a
trapdoor one-way permutation) (Bellare & Rogaway, 1995). Other randomized schemes have
also been proposed in the literature (ElGamal, 1985; Goldwasser & Micali, 1982; Blum &
Goldwasser, 1985).
A simple consequence of requiring encryption schemes to be probabilistic is the phenomenon
called expansion. Since, for each plaintext, we require the existence of several possible
ciphertexts, the number of ciphertexts is greater than the number of possible plaintexts. This
means that the ciphertexts cannot be as short as the plaintexts; they have to be strictly longer.
The ratio of the length of the ciphertext to the length of the corresponding plaintext (in bits) is
called the expansion. The value of this parameter is of paramount importance in the security
and efficiency trade-off of a probabilistic encryption scheme. Paillier's scheme is an efficient
probabilistic encryption mechanism with an expansion of 2, since its plaintexts lie in Z_n and its
ciphertexts in Z_{n²} (Paillier, 1997). We will see the significance of expansion in other
homomorphic encryption systems in the subsequent sections of this chapter.
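The three problems listed above for deterministic RSA, and the chosen-plaintext context of the preceding discussion, can be observed directly on a toy instance. The following Python example is added here for illustration and is not part of the original chapter. It uses a constructed 12-bit modulus (p = 61, q = 53; an assumption for readability, of no security value), checks the fixed points 0 and 1, verifies that the Jacobi symbol of the ciphertext equals that of the plaintext for every message, plays the chosen-plaintext distinguishing game against textbook RSA with the public key as the encryption oracle, and then repeats the game against a variant randomized with a simple random-prefix padding. That padding is an illustration of randomization only; it is not OAEP and is not itself a secure padding.

```python
"""Deterministic vs. randomized RSA on toy parameters.

Added illustration (not code from the chapter).  The modulus is tiny so
every value can be checked by hand; never use such sizes in practice.
"""
import secrets

# Constructed toy key: p = 61, q = 53 (assumption: illustration only).
P, Q = 61, 53
N = P * Q                            # 3233, a 12-bit modulus
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, 2753

MSG_BITS = 4                         # the randomized variant carries a 4-bit message


def rsa_encrypt(m: int) -> int:
    """Textbook (deterministic) RSA: c = m^e mod N."""
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # pull out factors of two
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def jacobi_leak_holds() -> bool:
    """(c/N) == (m/N) for every m: the ciphertext leaks one bit about the
    plaintext, because e is odd and the Jacobi symbol is multiplicative."""
    return all(jacobi(rsa_encrypt(m), N) == jacobi(m, N) for m in range(N))


def randomized_encrypt(m: int) -> int:
    """Prefix the message with fresh random bits before exponentiating.
    Illustration of randomization only; NOT OAEP and not a secure padding."""
    assert 0 <= m < (1 << MSG_BITS)
    r = secrets.randbelow(N >> MSG_BITS)      # keeps the padded value below N
    return rsa_encrypt((r << MSG_BITS) | m)


def randomized_decrypt(c: int) -> int:
    return rsa_decrypt(c) & ((1 << MSG_BITS) - 1)


def cpa_game(encrypt, m0: int, m1: int, trials: int = 200) -> int:
    """Chosen-plaintext distinguishing game with the simplest adversary: it
    holds the public key, so it re-encrypts m1 and compares with the
    challenge.  Returns the number of correct guesses out of `trials`.
    A deterministic scheme loses every round; against the randomized
    variant this strategy is right only about half the time."""
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        challenge = encrypt(m1 if b else m0)
        guess = 1 if challenge == encrypt(m1) else 0
        wins += int(guess == b)
    return wins


if __name__ == "__main__":
    print("E(0), E(1), E(N-1):", rsa_encrypt(0), rsa_encrypt(1), rsa_encrypt(N - 1))
    print("Jacobi symbol preserved for all m:", jacobi_leak_holds())
    print("same message twice:", rsa_encrypt(7), rsa_encrypt(7))
    print("randomized, same message twice:", randomized_encrypt(7), randomized_encrypt(7))
    print("CPA wins, deterministic:", cpa_game(rsa_encrypt, 2, 3), "/ 200")
    print("CPA wins, randomized:  ", cpa_game(randomized_encrypt, 2, 3), "/ 200")
```

Note that the randomized variant still leaks the Jacobi symbol of the padded value, which is exactly why a padding has to be designed with care (as OAEP is) rather than improvised as here.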

3. Homomorphic encryption schemes

During the last few years, homomorphic encryption schemes have been studied extensively,
since they have become more and more important in many different cryptographic protocols
such as voting protocols. In this Section, we introduce homomorphic cryptosystems in three
steps, what, how and why, reflecting the main aspects of this interesting encryption
technique. We start by defining homomorphic cryptosystems and algebraically homomorphic
cryptosystems. Then we develop a method to construct algebraically homomorphic schemes
given special homomorphic schemes. Finally, we describe applications of homomorphic
schemes.
Definition: Let the message space (M, o) be a finite (semi-)group, and let σ be the security
parameter. A homomorphic public-key encryption scheme (or homomorphic cryptosystem) on M is a
quadruple (K, E, D, A) of probabilistic, expected polynomial time algorithms, satisfying the
following functionalities:

• Key Generation: On input $1^\sigma$ the algorithm K outputs an encryption/decryption key pair $(k_e, k_d) = k \in \mathcal{K}$, where $\mathcal{K}$ denotes the key space.
• Encryption: On inputs $1^\sigma$, $k_e$, and an element $m \in M$ the encryption algorithm E outputs a ciphertext $c \in C$, where C denotes the ciphertext space.
• Decryption: The decryption algorithm D is deterministic. On inputs $1^\sigma$, k, and an element $c \in C$ it outputs an element in the message space M so that for all $m \in M$ it holds: if $c = E(1^\sigma, k_e, m)$ then $\Pr[D(1^\sigma, k, c) \neq m]$ is negligible, i.e., it holds that

$\Pr[D(1^\sigma, k, c) \neq m] \le 2^{-\sigma}.$

• Homomorphic Property: A is an algorithm that on inputs $1^\sigma$, $k_e$, and elements $c_1, c_2 \in C$ outputs an element $c_3 \in C$ so that for all $m_1, m_2 \in M$ it holds: if $m_3 = m_1 \circ m_2$, $c_1 = E(1^\sigma, k_e, m_1)$, and $c_2 = E(1^\sigma, k_e, m_2)$, then $\Pr[D(A(1^\sigma, k_e, c_1, c_2)) \neq m_3]$ is negligible.

154
Homomorphic Encryption — Theory and Application 5
http://dx.doi.org/10.5772/56687

Informally speaking, a homomorphic cryptosystem is a cryptosystem with the additional property that there exists an efficient algorithm to compute an encryption of the sum or the product of two messages, given the public key and the encryptions of the messages but not the messages themselves.

If M is an additive (semi-)group, then the scheme is called additively homomorphic and the algorithm A is called Add. Otherwise, the scheme is called multiplicatively homomorphic and the algorithm A is called Mult.

With respect to the aforementioned definitions, the following points are worth noticing:
• For a homomorphic encryption scheme to be efficient, it is crucial to make sure that the size
of the ciphertexts remains polynomially bounded in the security parameter σ during
repeated computations.

• The security aspects, definitions, and models of homomorphic cryptosystems are the same
as those for other cryptosystems.

If the encryption algorithm E gets as additional input a uniform random number r drawn from a fixed set, the encryption scheme is called probabilistic; otherwise, it is called deterministic. Hence, if a cryptosystem is probabilistic, several different ciphertexts belong to one message, depending on the random number r. But note that, as before, the decryption algorithm remains deterministic, i.e., there is just one message belonging to a given ciphertext. Furthermore, in a probabilistic, homomorphic cryptosystem the algorithm A should be probabilistic too, in order to hide the input ciphertexts. For instance, this can be realized by applying a blinding algorithm to a (deterministic) computation of the encryption of the product or of the sum, respectively.

Notations: In the following, we will omit the security parameter σ and the public key in the description of the algorithms. We will write $E_{k_e}(m)$ or $E(m)$ for $E(1^\sigma, k_e, m)$ and $D_k(c)$ or $D(c)$ for $D(1^\sigma, k, c)$ when there is no possibility of ambiguity. If the scheme is probabilistic, we will also write $E_{k_e}(m)$ or $E(m)$ as well as $E_{k_e}(m, r)$ or $E(m, r)$ for $E(1^\sigma, k_e, m, r)$. Furthermore, we will write $A(E(m), E(m')) = E(m \circ m')$ to denote that the algorithm A (either Add or Mult) is applied to two encryptions of the messages $m, m' \in (M, \circ)$ and outputs an encryption of $m \circ m'$, i.e., it holds that, except with negligible probability:

$D(A(1^\sigma, k_e, E_{k_e}(m), E_{k_e}(m'))) = m \circ m'$


Example: In the following, we give an example of a deterministic multiplicatively homomorphic scheme and an example of a probabilistic, additively homomorphic scheme.

The RSA Scheme: The classical RSA scheme (Rivest et al., 1987b) is an example of a deterministic multiplicatively homomorphic cryptosystem on $M = (\mathbb{Z}/N\mathbb{Z}, \cdot)$, where N is the product of two large primes. As ciphertext space we have $C = (\mathbb{Z}/N\mathbb{Z}, \cdot)$, and as key space we have $\mathcal{K} = \{(k_e, k_d) = ((N, e), d) \mid N = pq,\ ed \equiv 1 \bmod \varphi(N)\}$. The encryption of a message $m \in M$ is defined as $E_{k_e}(m) = m^e \bmod N$; for decryption of a ciphertext $E_{k_e}(m) = c \in C$ we compute $D_{k_e, k_d}(c) = c^d \bmod N = m \bmod N$. Obviously, the encryption of the product of two messages can be efficiently computed by multiplying the corresponding ciphertexts, i.e.,

$E_{k_e}(m_1 \cdot m_2) = (m_1 \cdot m_2)^e \bmod N = (m_1^e \bmod N)(m_2^e \bmod N) = E_{k_e}(m_1) \cdot E_{k_e}(m_2)$

where $m_1, m_2 \in M$. Therefore, the algorithm Mult can be easily realized as follows:

$\mathrm{Mult}(E_{k_e}(m_1), E_{k_e}(m_2)) = E_{k_e}(m_1) \cdot E_{k_e}(m_2)$

Usually, in the RSA scheme as well as in most cryptosystems based on the difficulty of factoring, the security parameter σ is the bit length of N. For instance, σ = 1024 is a common security parameter.
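As an added illustration of the Mult algorithm above (this is example code written for this text, not part of the chapter), the following Python block runs textbook RSA on a toy key. The primes p = 61, q = 53 and the exponent e = 17 are constructed for readability and are nowhere near the 1024-bit modulus the text names as a common parameter; the point is only that Mult needs neither key and that decrypting its output gives $m_1 \cdot m_2 \bmod N$.

```python
# Added example: textbook (deterministic) RSA as a multiplicatively
# homomorphic scheme, realising the Mult algorithm described in the text.
# Toy constructed key (p, q, e chosen by hand); not a secure parameter size.
from math import gcd

P, Q, E = 61, 53, 17
N = P * Q                       # modulus N = pq
PHI = (P - 1) * (Q - 1)         # phi(N)
assert gcd(E, PHI) == 1         # e must be invertible modulo phi(N)
D = pow(E, -1, PHI)             # d with e*d = 1 mod phi(N)

def encrypt(m):
    """E_ke(m) = m^e mod N; deterministic, so equal messages give equal ciphertexts."""
    return pow(m, E, N)

def decrypt(c):
    """D_ke,kd(c) = c^d mod N."""
    return pow(c, D, N)

def mult(c1, c2):
    """Mult(E(m1), E(m2)) = E(m1) * E(m2) mod N, computed without any key."""
    return (c1 * c2) % N

def homomorphic_product(m1, m2):
    """Encrypt m1 and m2 separately, apply Mult, decrypt: equals m1 * m2 mod N."""
    return decrypt(mult(encrypt(m1), encrypt(m2)))
```

Because the scheme is deterministic, `encrypt` returns the same ciphertext for the same message every time; this is exactly the property that the probabilistic schemes discussed next are designed to remove.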

The Goldwasser-Micali Scheme: The Goldwasser-Micali scheme (Goldwasser & Micali, 1984) is an example of a probabilistic, additively homomorphic cryptosystem on $M = (\mathbb{Z}/2\mathbb{Z}, +)$ with the ciphertext space $C = Z = (\mathbb{Z}/N\mathbb{Z})^*$, where $N = pq$ is the product of two large primes. We have

$\mathcal{K} = \{(k_e, k_d) = ((N, a), (p, q)) \mid N = pq,\ a \in (\mathbb{Z}/N\mathbb{Z})^* : \left(\tfrac{a}{p}\right) = \left(\tfrac{a}{q}\right) = -1\}$

Since this scheme is probabilistic, the encryption algorithm gets as additional input a random value $r \in Z$. We define $E_{k_e}(m, r) = a^m r^2 \bmod N$, and $D_{k_e, k_d}(c) = 0$ if c is a square and $D_{k_e, k_d}(c) = 1$ otherwise.

The following relation therefore holds:

$E_{k_e}(m_1, r_1) \cdot E_{k_e}(m_2, r_2) = E_{k_e}(m_1 + m_2, r_1 r_2)$

The algorithm Add can, therefore, be efficiently implemented as follows:

$\mathrm{Add}(E_{k_e}(m_1, r_1), E_{k_e}(m_2, r_2), r_3) = E_{k_e}(m_1, r_1) \cdot E_{k_e}(m_2, r_2) \cdot r_3^2 \bmod N = E_{k_e}(m_1 + m_2, r_1 r_2 r_3)$

In the above equation, $r_3^2 \bmod N$ is equivalent to $E_{k_e}(0, r_3)$. Also, $m_1, m_2 \in M$ and $r_1, r_2, r_3 \in Z$. Note that this algorithm is probabilistic, since it obtains a random number $r_3$ as an additional input.


A public-key homomorphic encryption scheme on a (semi-)ring $(M, +, \cdot)$ can be defined in a similar manner. Such schemes consist of two algorithms, Add and Mult, for the homomorphic property instead of one algorithm A, i.e., they are additively and multiplicatively homomorphic at the same time. Such schemes are called algebraically homomorphic.
Definition: An additively homomorphic encryption scheme on a (semi-)ring $(M, +, \cdot)$ is called scalar homomorphic if there exists a probabilistic, expected polynomial time algorithm Mixed_Mult that on inputs $1^\sigma$, $k_e$, $s \in M$ and an element $c \in C$ outputs an element $c' \in C$ so that for all $m \in M$ it holds that: if $m' = s \cdot m$ and $c = E(1^\sigma, k_e, m)$ then the probability $\Pr[D(\mathrm{Mixed\_Mult}(1^\sigma, k_e, s, c)) \neq m']$ is negligible.

Thus, in a scalar homomorphic scheme it is possible to compute an encryption $E(1^\sigma, k_e, s \cdot m) = E(1^\sigma, k_e, m')$ of the product of two messages $s, m \in M$ given the public key $k_e$, an encryption $c = E(1^\sigma, k_e, m)$ of one message m, and the other message s as plaintext. It is clear that any scheme that is algebraically homomorphic is scalar homomorphic as well.

We will write $\mathrm{Mixed\_Mult}(m, E(m')) = E(m m')$ if the following equation holds, except possibly with negligible probability:

$D(\mathrm{Mixed\_Mult}(1^\sigma, k_e, m, E_{k_e}(m'))) = m \cdot m'$

Definition: A blinding algorithm is a probabilistic, polynomial-time algorithm which on inputs $1^\sigma$, $k_e$, and $c = E_{k_e}(m, r)$, where r is randomly chosen, outputs another encryption $c' = E_{k_e}(m, r')$ of m, where $r'$ is chosen uniformly at random.

For instance, in a probabilistic, homomorphic cryptosystem on $(M, \circ)$ the blinding algorithm can be realized by applying the algorithm A to the ciphertext c and an encryption of the identity element of M.
If M is isomorphic to $\mathbb{Z}/n\mathbb{Z}$ (when M is finite) or to $\mathbb{Z}$ (otherwise), then the algorithm Mixed_Mult can easily be implemented using a double-and-add algorithm, combined with a blinding algorithm if the scheme is probabilistic (Cramer et al., 2000). Hence, every additively homomorphic cryptosystem on $\mathbb{Z}/n\mathbb{Z}$ or $\mathbb{Z}$ is also scalar homomorphic, and the algorithm Mixed_Mult can be efficiently implemented (Sander & Tschudin, 1998).
Algebraically Homomorphic Cryptosystems: The existence of an efficient and secure algebraically homomorphic cryptosystem has been a long-standing open question. In this Section, we first present some related work on this problem. Thereafter, we describe the relationship between algebraically homomorphic schemes and homomorphic schemes on special non-abelian groups. More precisely, we prove that a homomorphic encryption scheme on the non-abelian group $(S_7, \cdot)$, the symmetric group on seven elements, allows one to construct an algebraically homomorphic encryption scheme on $(\mathbb{F}_2, +, \cdot)$. An algebraically homomorphic encryption scheme on $(\mathbb{F}_2, +, \cdot)$ can also be obtained from a homomorphic encryption scheme on the special linear group $(SL(3, 2), \cdot)$ over $\mathbb{F}_2$. Furthermore, using coding theory, an algebraically homomorphic encryption on an arbitrary finite ring or field could be obtained given a homomorphic encryption scheme on one of these non-abelian groups. These observations could be a first step towards solving the problem of whether efficient and secure algebraically homomorphic schemes exist. The research community in cryptography has spent substantial effort on this problem. In 1996, Boneh and Lipton proved that under a reasonable assumption every deterministic, algebraically homomorphic cryptosystem can be broken in sub-exponential time (Boneh & Lipton, 1996). This may be perceived as a negative result concerning the existence of an algebraically homomorphic encryption scheme, although most of the existing cryptosystems, e.g., the RSA scheme or the ElGamal scheme, can also be broken in sub-exponential time. Furthermore, if we seek algebraically homomorphic public-key schemes on small fields or rings such as $M = \mathbb{F}_2$, obviously such a scheme has to be probabilistic in order to be secure.
Some researchers also tried to find candidates for algebraically homomorphic schemes. In 1993,
Fellows and Koblitz presented an algebraic public-key cryptosystem called Polly Cracker
(Fellows & Koblitz, 1993). It is algebraically homomorphic and provably secure. Unfortunately,
the scheme has a number of difficulties and is not efficient concerning the ciphertext length.
Firstly, Polly Cracker is a polynomial-based system. Therefore, computing an encryption of
the product E (m1.m2) of two messages m1 and m2 by multiplying the corresponding ciphertext
polynomials E (m1) and E (m2), leads to an exponential blowup in the number of monomials.
Hence, during repeated computations, there is an exponential blow up in the ciphertext length.
Secondly, all existing instantiations of Polly Cracker suffer from further drawbacks (Koblitz,
1998). They are either insecure since they succumb to certain attacks, they are too inefficient
to be practical, or they lose the algebraically homomorphic property. Hence, it is far from clear
how such kind of schemes could be turned into efficient and secure algebraically homomorphic
encryption schemes. A detailed analysis and description of these schemes can be found in (Ly,
2002).
In 2002, J. Domingo-Ferrer developed a probabilistic, algebraically homomorphic secret-key
cryptosystem (Domingo-Ferrer, 2002). However, this scheme was not efficient since there was
an exponential blowup in the ciphertext length during repeated multiplications that were
required to be performed. Moreover, it was also broken by Wagner and Bao (Bao, 2003;
Wagner, 2003).
Thus considering homomorphic encryption schemes on groups instead of rings seems more
promising to design a possible algebraically homomorphic encryption scheme. It brings us
closer to structures that have been successfully used in cryptography. The following theorem
shows that indeed the search for algebraically homomorphic schemes can be reduced to the
search for homomorphic schemes on special non-abelian groups (Rappe, 2004).
Theorem I: The following two statements are equivalent: (1) There exists an algebraically
homomorphic encryption scheme on (F2, +,.). (2) There exists a homomorphic encryption
scheme on the symmetric group (S7,.).
Proof: 1 → 2: This direction follows immediately, and it holds for an arbitrary finite group, since operations of finite groups can always be implemented by Boolean circuits. Let $S_7$ be represented as a subset of $\{0, 1\}^l$, where e.g. $l = 21$ can be chosen, and let C be a circuit with addition and multiplication gates that takes as inputs the binary representations of elements $m_1, m_2 \in S_7$ and outputs the binary representation of $m_1 m_2$. If we have an algebraically homomorphic encryption scheme (K, E, D, Add, Mult) on $(\mathbb{F}_2, +, \cdot)$, then we can define a homomorphic encryption scheme $(\tilde{K}, \tilde{E}, \tilde{D}, \widetilde{\mathrm{Mult}})$ on $S_7$ by defining $\tilde{E}(m) = (E(s_0), \ldots, E(s_{l-1}))$, where $(s_0, \ldots, s_{l-1})$ denotes the binary representation of m. $\widetilde{\mathrm{Mult}}$ is constructed by substituting the addition gates in C by Add and the multiplication gates by Mult. $\tilde{K}$ and $\tilde{D}$ are defined in the obvious way.
2 → 1: The proof has two steps. First, we use a construction of Ben-Or and Cleve (Ben-Or & Cleve, 1992) to show that the field $(\mathbb{F}_2, +, \cdot)$ can be encoded in the special linear group $(SL(3, 2), \cdot)$ over $\mathbb{F}_2$. Then, we apply a theorem from projective geometry to show that $(SL(3, 2), \cdot)$ is a subgroup of $S_7$. This proves the claim.
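The 2 → 1 direction rests on two facts: arithmetic in $\mathbb{F}_2$ can be expressed purely as group multiplications in $SL(3, 2)$, and $SL(3, 2)$ permutes the seven nonzero vectors of $\mathbb{F}_2^3$ (the points of the Fano plane), which places it inside $S_7$. The Python block below is an added illustration of both facts; it is not code from the chapter or from the Ben-Or and Cleve paper. The concrete choices, encoding a bit x as the elementary matrix $E_{13}(x)$ and obtaining products through the commutator identity $E_{12}(a)\,E_{23}(b)\,E_{12}(a)^{-1}E_{23}(b)^{-1} = E_{13}(ab)$, are my own way of making the encoding explicit. With this encoding, any scheme that is homomorphic for the group operation of $SL(3, 2)$ yields both Add and Mult on $\mathbb{F}_2$, because every step below is a group multiplication by a fixed, public matrix.

```python
# Added illustration of the 2 -> 1 step: encoding (F2, +, .) in SL(3, 2).
# Bits are elementary 3x3 matrices over F2; addition is a group product and
# multiplication a commutator, so an encryption scheme that is homomorphic for
# the group operation of SL(3, 2) (hence of S7) gives both Add and Mult on F2.
# The concrete matrix choices below are my own (assumption), not the chapter's.

def mat_mul(x, y):
    """Product of two 3x3 matrices over F2 (entries reduced mod 2)."""
    return tuple(
        tuple(sum(x[i][k] * y[k][j] for k in range(3)) % 2 for j in range(3))
        for i in range(3)
    )

def det_mod2(x):
    """Determinant over F2; x lies in SL(3, 2) iff this equals 1."""
    (a, b, c), (d, e, f), (g, h, i) = x
    return (a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)) % 2

def elem(i, j, v):
    """Elementary matrix E_ij(v) = I + v * e_ij, with 1-based indices i != j."""
    rows = [[1 if r == c else 0 for c in range(3)] for r in range(3)]
    rows[i - 1][j - 1] = v % 2
    return tuple(tuple(r) for r in rows)

def encode(bit):
    """Encode a bit x as E_13(x)."""
    return elem(1, 3, bit)

def decode(mat):
    """Recover the bit from entry (1, 3)."""
    return mat[0][2]

def group_add(x, y):
    """E_13(a) * E_13(b) = E_13(a + b): addition costs one group multiplication."""
    return mat_mul(x, y)

# Permutation matrices for the transpositions (2 3) and (1 2); both are in SL(3, 2)
# because -1 = 1 over F2, and each is its own inverse.
SWAP23 = ((1, 0, 0), (0, 0, 1), (0, 1, 0))
SWAP12 = ((0, 1, 0), (1, 0, 0), (0, 0, 1))

def conj(p, x):
    """p * x * p^-1 for a self-inverse permutation matrix p: moves the entry of E_ij."""
    return mat_mul(mat_mul(p, x), p)

def group_mul(x, y):
    """Commutator identity E_12(a) E_23(b) E_12(a)^-1 E_23(b)^-1 = E_13(ab).
    First move a to entry (1,2) and b to entry (2,3) by conjugation; over F2
    every E_ij(v) is its own inverse, so the commutator is a plain 4-fold product."""
    a12 = conj(SWAP23, x)
    b23 = conj(SWAP12, y)
    return mat_mul(mat_mul(mat_mul(a12, b23), a12), b23)

def truth_tables_hold():
    """Check Add against XOR and Mult against AND for every pair of bits."""
    return all(
        decode(group_add(encode(a), encode(b))) == (a ^ b)
        and decode(group_mul(encode(a), encode(b))) == (a & b)
        for a in (0, 1) for b in (0, 1)
    )

def all_in_sl32():
    """Every matrix the encoding uses has determinant 1 over F2."""
    used = [encode(0), encode(1), SWAP12, SWAP23,
            conj(SWAP23, encode(1)), conj(SWAP12, encode(1))]
    return all(det_mod2(m) == 1 for m in used)

# The 7 nonzero vectors of F2^3 are the points of the Fano plane; SL(3, 2) permutes
# them, which is the embedding of SL(3, 2) into S7 that the proof appeals to.
POINTS = [(x, y, z) for x in (0, 1) for y in (0, 1) for z in (0, 1) if (x, y, z) != (0, 0, 0)]

def as_permutation(mat):
    """Image of each Fano point under mat, as a permutation of the indices 0..6."""
    def apply(v):
        return tuple(sum(mat[i][k] * v[k] for k in range(3)) % 2 for i in range(3))
    return tuple(POINTS.index(apply(v)) for v in POINTS)
```

`truth_tables_hold()` confirms that XOR and AND come out right for all four bit pairs, `all_in_sl32()` confirms that nothing outside $SL(3, 2)$ is ever used, and `as_permutation` shows each matrix as an element of $S_7$.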
Homomorphic encryption schemes on groups have been extensively studied. For instance, we have homomorphic schemes on the groups $(\mathbb{Z}/M\mathbb{Z}, +)$ for M being a smooth number (Goldwasser & Micali, 1984; Benaloh, 1994; Naccache & Stern, 1998) and for $M = p \cdot q$ being an RSA modulus (Paillier, 1999; Galbraith, 2002), and on the groups $((\mathbb{Z}/N\mathbb{Z})^*, \cdot)$ where N is an RSA modulus. All known efficient and secure schemes are homomorphic on abelian groups. However, $S_7$ and SL(3, 2) are non-abelian. Sander, Young and Yung (Sander et al., 1999) investigated the possibility of the existence of a homomorphic encryption scheme on non-abelian groups. Although non-abelian groups had been used to construct encryption schemes (Ko et al., 2000; Paeng et al., 2001; Wagner & Magyarik, 1985; Grigoriev & Ponomarenko, 2006), the resulting schemes are not homomorphic in the sense that we need for computing efficiently on encrypted data.
Grigoriev and Ponomarenko propose a novel definition of homomorphic cryptosystems on
which they base a method to construct homomorphic cryptosystems over arbitrary finite
groups including non-abelian groups (Grigoriev & Ponomarenko, 2006). Their construction
method is based on the fact that every finite group is an epimorphic image of a free product
of finite cyclic groups. It uses existing homomorphic encryption schemes on finite cyclic groups
as building blocks to obtain homomorphic encryption schemes on arbitrary finite groups. Since
the ciphertext space obtained from the encryption scheme is a free product of groups, an
exponential blowup of the ciphertext lengths during repeated computations is produced as a
result. The reason is that the length of the product of two elements x and y of a free product
is, in general, the sum of the length of x and the length of y. Hence, the technique proposed by
Grigoriev and Ponomarenko suffers from the same drawback as the earlier schemes and does
not provide an efficient cryptosystem. We note that using this construction it is possible to
construct a homomorphic encryption scheme on the symmetric group S7 and on the special
linear group SL(3, 2). If we combine this with Theorem 1, we can construct an algebraically
homomorphic cryptosystem on the finite field (F2, +,.). Unfortunately, the exponential blowup
owing to the construction method in the homomorphic encryption scheme on S7 and on SL(3,
2) respectively, would lead to an exponential blowup in F2 and hence leaves the question open


if an efficient algebraically homomorphic cryptosystem on F2 exists. We will come back to this issue in Section 6, where we discuss fully homomorphic encryption schemes.

Grigoriev and Ponomarenko propose another method to encrypt arbitrary finite groups
homomorphically (Grigoriev & Ponomarenko, 2004). This method is based on the difficulty of
the membership problem for groups of integer matrices, while in (Grigoriev & Ponomarenko,
2006) it is based on the difficulty of factoring. However, as before, this scheme is not efficient.
Moreover, in (Grigoriev & Ponomarenko, 2004), an algebraically homomorphic cryptosystem
over finite commutative rings is proposed. However, owing to its immense size, it is infeasible
to implement in real-world applications.

4. Some classical homomorphic encryption systems

In this Section, we describe some classical homomorphic encryption systems which have
created substantial interest among the researchers in the domain of cryptography. We start
with the first probabilistic systems proposed by Goldwasser and Micali in 1982 (Goldwasser
& Micali, 1982; Goldwasser & Micali, 1984) and then discuss the famous Paillier’s encryption
scheme (Paillier, 1999) and its improvements. Paillier’s scheme and its variants are well-known
for their efficiency and the high level of security that they provide for homomorphic encryp‐
tion. We do not discuss their mathematical considerations in detail, but summarize their
important parameters and properties.
Goldwasser-Micali scheme: This scheme (Goldwasser & Micali, 1982; Goldwasser & Micali, 1984) is historically very important, since many subsequent proposals on homomorphic encryption were largely motivated by its approach. As in RSA, this scheme uses computations modulo $n = p \cdot q$, a product of two large primes. The encryption process is simple, using one multiplication and one squaring, whereas decryption is heavier and involves an exponentiation. The complexity of the decryption process is $O(k \cdot l(p)^2)$, where $l(p)$ denotes the number of bits of p. Unfortunately, this scheme has a limitation, since its input consists of a single bit. First, this implies that encrypting k bits leads to a cost of $O(k \cdot l(p)^2)$. This is not very efficient, even if it may be considered practical. The second concern is related to the issue of expansion: a single bit of plaintext is encrypted as an integer modulo n, that is, $l(n)$ bits. This leads to a huge blow-up of the ciphertext, which is a serious problem with this scheme.
The Goldwasser-Micali (GM) scheme can be viewed from another perspective. From this angle, the basic principle of the scheme is to partition a well-chosen subset of the integers modulo n into two secret parts, $M_0$ and $M_1$. The encryption process selects a random element of $M_b$ to encrypt the plaintext bit b, and the decryption process lets the user find out in which part the randomly selected element lies. The essence of the scheme lies in the mechanism to determine the subset and to partition it into $M_0$ and $M_1$. The scheme uses group theory to achieve this goal. The subset is the group G of invertible integers modulo n whose Jacobi symbol with respect to n equals 1. The partition is generated by another group $H \subset G$, consisting of the elements that are invertible modulo n whose Jacobi symbol with respect to a fixed factor of n equals 1. With these settings of parameters, it is possible to split G into two parts, H and $G \setminus H$. The generalizations of GM deal with these two groups. These schemes attempt to find two groups G and H such that G can be split into more than k = 2 parts.
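The following Python block is an added example, written for this text and not part of the chapter, that serves both descriptions of the Goldwasser-Micali scheme: the formal Add algorithm with its blinding factor $r_3$ from Section 3, and the subgroup view given here. The primes $p = 499$ and $q = 547$ are constructed toy values, far below a secure size. Every ciphertext lands in G (Jacobi symbol 1 with respect to n, which anyone can verify from n alone), while telling H from $G \setminus H$, i.e. decrypting, requires the Legendre symbol modulo the secret factor p.

```python
# Added example: Goldwasser-Micali with the probabilistic Add algorithm of
# Section 3 (blinding factor r3) and the subgroup view of this section
# (ciphertexts lie in G, the units with Jacobi symbol 1; decryption decides
# membership in H by a Legendre symbol modulo the secret factor p).
# Toy constructed primes; not a secure parameter size.
import random
from math import gcd

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p via Euler's criterion: 1, -1 or 0."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; computable from n alone (no factors needed)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

P, Q = 499, 547            # constructed toy primes (assumption)
N = P * Q

def find_a(p, q):
    """Public a: a non-residue mod both p and q, so (a/p) = (a/q) = -1 yet (a/N) = +1."""
    for a in range(2, p * q):
        if legendre(a, p) == -1 and legendre(a, q) == -1:
            return a
    raise ValueError("no suitable a")

A = find_a(P, Q)

def random_unit():
    """Random r in (Z/NZ)^*."""
    while True:
        r = random.randrange(2, N)
        if gcd(r, N) == 1:
            return r

def encrypt(m, r):
    """E_ke(m, r) = a^m * r^2 mod N for one bit m."""
    return (pow(A, m, N) * pow(r, 2, N)) % N

def decrypt(c):
    """c is a square mod N iff it is a square mod p (and mod q): (c/p) = 1 means m = 0."""
    return 0 if legendre(c, P) == 1 else 1

def add(c1, c2, r3):
    """Add(E(m1,r1), E(m2,r2), r3) = E(m1,r1) * E(m2,r2) * r3^2 mod N = E(m1+m2, r1 r2 r3)."""
    return (c1 * c2 * pow(r3, 2, N)) % N

def homomorphic_xor(m1, m2):
    """Encrypt two bits separately, Add the ciphertexts, decrypt: gives m1 + m2 mod 2."""
    c = add(encrypt(m1, random_unit()), encrypt(m2, random_unit()), random_unit())
    return decrypt(c)

def in_group_G(c):
    """Anyone can check that a ciphertext lies in G (Jacobi symbol 1), but without
    p the Jacobi symbol reveals nothing about which half (H or G \\ H) it is in."""
    return gcd(c, N) == 1 and jacobi(c, N) == 1
```

Note the expansion the text complains about: one plaintext bit becomes an element of $(\mathbb{Z}/N\mathbb{Z})^*$, i.e. $l(n)$ bits, even for this toy modulus.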
Benaloh’s scheme: Benaloh’s scheme (Benaloh, 1988) is a generalization of the GM scheme that enables one to manage inputs of $l(k)$ bits, k being a prime satisfying some specified constraints. Encryption is similar to that in the GM scheme (encrypting a message $m \in \{0, \ldots, k - 1\}$ amounts to picking an integer $r \in \mathbb{Z}_n^*$ and computing $c = g^m r^k \bmod n$). However, the decryption phase is more complex. If the input and output sizes are $l(k)$ and $l(n)$ bits respectively, the expansion is equal to $l(n)/l(k)$. The expansion obtained in this approach is less than that achieved in GM, which makes the scheme more attractive. Moreover, the encryption is not too expensive either. The overhead in the decryption process is estimated to be $O(k \cdot l(k))$ for a pre-computation, which remains constant for each dynamic decryption step. This implies that the value of k has to be taken very small, which in turn limits the gain obtained on the value of expansion.
Naccache-Stern scheme: This scheme (Naccache & Stern, 1998) is an improvement of Benaloh’s scheme. Using a value of the parameter k that is greater than that used in Benaloh’s scheme, it achieves a smaller expansion and thereby superior efficiency. The encryption step is precisely the same as in Benaloh’s scheme. However, decryption is different. The expansion is the same as that in Benaloh’s scheme, i.e., $l(n)/l(k)$. However, the cost of decryption is lower and is given by $O(l(n)^5 \log l(n))$. The authors claim that it is possible to choose the parameters of the system in such a way that the achieved expansion is 4 (Naccache & Stern, 1998).
Okamoto-Uchiyama scheme: To improve the performance of the earlier homomorphic encryption schemes, Okamoto and Uchiyama changed the base group G (Okamoto & Uchiyama, 1998). By taking $n = p^2 q$, p and q being two large primes as usual, and the group $G = \mathbb{Z}^*_{p^2}$, the authors achieve k = p. The expansion obtained in the scheme is 3. One of the biggest advantages of this scheme is that its security is equivalent to the factorization of n. However, a chosen-ciphertext attack has been proposed on this scheme that can break the factorization problem. Hence, it currently has limited applicability. However, this scheme was used to design the EPOC systems (Okamoto et al., 2000), which are accepted in the IEEE standard specifications for public-key cryptography (IEEE P1363).
Paillier scheme: One of the most well-known homomorphic encryption schemes is due to Paillier (Paillier, 1999). It is an improvement over the earlier schemes in the sense that it decreases the expansion from 3 to 2. The scheme uses $n = p \cdot q$ with $\gcd(n, \phi(n)) = 1$, where as usual p and q are two large primes. It considers the group $G = \mathbb{Z}^*_{n^2}$, and a proper choice of H leads to $k = l(n)$. While the cost of encryption is not too high, decryption needs one exponentiation modulo $n^2$ to the power $\lambda(n)$ and a multiplication modulo n. This makes decryption a somewhat heavyweight process. The author has shown how to carry out decryption efficiently using the Chinese Remainder Theorem. With smaller expansion and lower cost compared with the other schemes, this scheme found great acceptance. In 2002, Cramer and Shoup proposed a general approach to achieve higher security against adaptive chosen-ciphertext attacks for certain cryptosystems with particular algebraic properties (Cramer & Shoup, 2002). They applied their proposal to Paillier’s original scheme and designed a stronger variant of homomorphic encryption. Bresson et al. proposed a slightly different version of the homomorphic encryption scheme that is more accurate for some applications (Bresson et al., 2003).
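As an added example, not code from the chapter or from Paillier's paper, the following Python block implements Paillier's scheme on toy primes and ties together three points made earlier: the Add algorithm, the blinding algorithm, and the remark in Section 3 that on $\mathbb{Z}/n\mathbb{Z}$ Mixed_Mult can be built from Add alone by double-and-add plus blinding. It also measures the expansion, which for this scheme is about 2 because plaintexts live modulo n and ciphertexts modulo $n^2$. The primes $p = 1009$, $q = 1013$ and the generator choice $g = n + 1$ are my assumptions for a readable instance; the decryption constant $\mu = L(g^{\lambda} \bmod n^2)^{-1} \bmod n$ uses the function $L(u) = (u - 1)/n$.

```python
# Added example: Paillier's scheme with Add, a blinding algorithm, Mixed_Mult
# realised as double-and-add over Add (the generic construction for additively
# homomorphic schemes on Z/nZ), and the ciphertext expansion. Toy constructed
# primes; not a secure parameter size.
import random
from math import gcd

P, Q = 1009, 1013                 # constructed toy primes (assumption)
N = P * Q
N2 = N * N
G = N + 1                         # common generator choice g = n + 1
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lambda(n) = lcm(p-1, q-1)

def L(u):
    """L(u) = (u - 1) / n, defined on u = 1 mod n."""
    return (u - 1) // N

MU = pow(L(pow(G, LAMBDA, N2)), -1, N)   # decryption constant mu = L(g^lambda)^-1 mod n

def random_unit():
    """Random r in Z_n^*."""
    while True:
        r = random.randrange(2, N)
        if gcd(r, N) == 1:
            return r

def encrypt(m, r=None):
    """E(m, r) = g^m * r^n mod n^2 with m in Z_n and r in Z_n^*."""
    r = random_unit() if r is None else r
    return (pow(G, m, N2) * pow(r, N, N2)) % N2

def decrypt(c):
    """D(c) = L(c^lambda mod n^2) * mu mod n: one exponentiation modulo n^2
    to the power lambda(n) and one multiplication modulo n."""
    return (L(pow(c, LAMBDA, N2)) * MU) % N

def add(c1, c2):
    """Add(E(m1), E(m2)) = E(m1) * E(m2) mod n^2 = E(m1 + m2 mod n)."""
    return (c1 * c2) % N2

def blind(c):
    """Blinding: apply Add with a fresh encryption of the identity, E(0, r') = r'^n mod n^2."""
    return add(c, encrypt(0))

def mixed_mult(s, c):
    """Mixed_Mult(s, E(m)) = E(s * m) built only from Add: double-and-add on s,
    then blinded. (For Paillier this equals c^s mod n^2, but the loop is the
    generic construction that works for any additive scheme on Z/nZ.)"""
    acc = encrypt(0)          # encryption of the identity element
    cur = c
    while s:
        if s & 1:
            acc = add(acc, cur)
        cur = add(cur, cur)   # doubling step
        s >>= 1
    return blind(acc)

def rerandomised(m):
    """Blinding changes the ciphertext but not the plaintext."""
    c = encrypt(m)
    b = blind(c)
    return b != c and decrypt(b) == m

def expansion():
    """Bits of ciphertext per bit of plaintext: modulus n^2 against n, about 2."""
    return (N2 - 1).bit_length() / (N - 1).bit_length()
```

With a fixed r, `encrypt(m, r)` is reproducible; with r omitted it draws fresh randomness, which is what makes two encryptions of the same vote or the same balance indistinguishable in the applications discussed in the next section.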
Damgard-Jurik scheme: Damgard and Jurik propose a generalization of Paillier’s scheme to groups of the form $\mathbb{Z}^*_{n^{s+1}}$ for s > 0 (Damgard & Jurik, 2001). In this scheme, choosing larger values of s achieves lower expansion. This scheme can be used in a number of applications; for example, we can mention adapting the size of the plaintext, the use of threshold cryptography, electronic voting, and so on. To encrypt a message $m \in \mathbb{Z}^*_{n^s}$, one picks $r \in \mathbb{Z}_n^*$ at random and computes $g^m r^{n^s} \in \mathbb{Z}_{n^{s+1}}$. The authors show that if one can break the scheme for a given value s = σ, then one can break it for s = σ - 1. They also show that the semantic security of this scheme is equivalent to that of Paillier’s scheme. The expansion can be computed as $1 + 1/s$. It is clear that the expansion can attain a value close to 1 if s is sufficiently large. The ratio of the cost of encryption in this scheme over Paillier’s scheme can be estimated as $\frac{s(s+1)(s+2)}{6}$. The same ratio for the decryption process is $\frac{(s+1)(s+2)}{6}$. Even if this scheme has a lower expansion than Paillier’s scheme, it is computationally more intensive. Moreover, if we want to encrypt or decrypt k blocks of $l(n)$ bits, running Paillier’s scheme k times is less expensive than running Damgard-Jurik’s scheme.
Galbraith scheme: This is an adaptation of the existing homomorphic encryption schemes to the context of elliptic curves (Galbraith, 2002). Its expansion is equal to 3. For s = 1, the ratio of the encryption cost of this scheme over that of Paillier’s scheme can be estimated to be about 7, while the same ratio for the decryption cost is about 14 for the same value of s. However, the most important advantage of this scheme is that the cost of encryption and decryption can be decreased using larger values of s. In addition, the security of the scheme increases with the value of s, as is the case in Damgard-Jurik’s scheme.
Castagnos scheme: Castagnos explored the possibility of improving the performance of homomorphic encryption schemes using quadratic field quotients (Castagnos, 2006; Castagnos, 2007). This scheme achieves an expansion of 3, and the ratio of encryption/decryption cost with s = 1 over Paillier’s scheme can be estimated to be about 2.

5. Applications and properties of homomorphic encryption schemes

An inherent drawback of homomorphic cryptosystems is that attacks on these systems might exploit their additional structural information. For instance, using plain RSA (Rivest et al., 1978b) for signing, the multiplication of two signatures yields a valid signature of the product of the two corresponding messages. Although there are many ways to avoid such attacks, for instance, by the application of hash functions, the use of redundancy, or probabilistic schemes, this potential weakness leads us to the question why homomorphic schemes should be used instead of conventional cryptosystems in certain situations. The main reason for the interest in homomorphic cryptosystems is their wide application scope. There are theoretical as well as practical applications in different areas of cryptography. In the following, we list some of the main applications and properties of homomorphic schemes and summarize the idea behind them.
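The structural issue just described, and the hash-function countermeasure the text names, can both be checked directly. The Python block below is an added example, not code from the chapter: with plain RSA, the product of two signatures passes verification for the product of the messages, whereas once the message is hashed before signing, the same product no longer verifies. The key (two constructed primes of about 17 bits and e = 65537) and the mapping of a SHA-256 digest into $\mathbb{Z}_N$ are my simplifications; a real deployment would use a standardized encoding such as RSA-PSS rather than a bare hash.

```python
# Added example of the structural issue the text describes for plain RSA
# signatures, next to the hash-based countermeasure it names. Toy constructed
# key (two small primes, not a secure size); the hash-to-Z_N mapping is a
# simplification of a real signature encoding such as RSA-PSS.
import hashlib

P, Q, E = 104729, 104723, 65537          # constructed toy parameters (assumption)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def sign_plain(m):
    """Textbook RSA signature s = m^d mod N on the bare message."""
    return pow(m, D, N)

def verify_plain(m, s):
    """Accept iff s^e = m mod N."""
    return pow(s, E, N) == m % N

def h(m):
    """Hash the message into Z_N (stand-in for a proper signature encoding)."""
    digest = hashlib.sha256(str(m).encode()).digest()
    return int.from_bytes(digest, "big") % N

def sign_hashed(m):
    """Hash-then-sign: s = H(m)^d mod N."""
    return pow(h(m), D, N)

def verify_hashed(m, s):
    """Accept iff s^e = H(m) mod N."""
    return pow(s, E, N) == h(m)

def plain_accepts_product(m1, m2):
    """The multiplicative property: s1 * s2 verifies as a signature of m1 * m2 mod N."""
    s = (sign_plain(m1) * sign_plain(m2)) % N
    return verify_plain((m1 * m2) % N, s)

def hashed_accepts_product(m1, m2):
    """With hashing, s1 * s2 would have to equal H(m1 * m2)^d, which the hash
    does not satisfy except with negligible probability, so this returns False."""
    s = (sign_hashed(m1) * sign_hashed(m2)) % N
    return verify_hashed((m1 * m2) % N, s)
```

The two `*_accepts_product` functions are the check a reviewer would run on a signature scheme built from a homomorphic primitive: the homomorphic property that is useful for computing on ciphertexts is exactly what the signing path must break.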

5.1. Some applications of homomorphic encryption schemes

Protection of mobile agents: One of the most interesting applications of homomorphic encryption is its use in the protection of mobile agents. As we have seen in Section 3, a homomorphic encryption scheme on a special non-abelian group would lead to an algebraically homomorphic cryptosystem on the finite field F2. Since all conventional computer architectures are based on binary strings and only require multiplication and addition, such homomorphic cryptosystems would offer the possibility to encrypt a whole program so that it is still executable. Hence, it could be used to protect mobile agents against malicious hosts by encrypting them (Sander & Tschudin, 1998a). The protection of mobile agents by homomorphic encryption can be used in two ways: (i) computing with encrypted functions and (ii) computing with encrypted data. Computation with encrypted functions is a special case of the protection of mobile agents. In such scenarios, a secret function is publicly evaluated in such a way that the function remains secret. Using homomorphic cryptosystems, the encryp­ted function can be evaluated, which guarantees its privacy. Homomorphic schemes also work on encrypted data to compute publicly while maintaining the privacy of the secret data. This can be done by encrypting the data in advance and then exploiting the homomorphic property to compute on the encrypted data.

Multiparty computation: In multiparty computation schemes, several parties are interested in computing a common, public function on their inputs while keeping their individual inputs private. This problem belongs to the area of computing with encrypted data. Usually in multiparty computation protocols, we have a set of n ≥ 2 players, whereas in computing with encrypted data scenarios n = 2. Furthermore, in multi-party computation protocols, the function that should be computed is publicly known, whereas in the area of computing with encrypted data it is a private input of one party.

Secret sharing scheme: In secret sharing schemes, parties share a secret so that no individual party can reconstruct the secret from the information available to it. However, if some parties cooperate with each other, they may be able to reconstruct the secret. In this scenario, the homomorphic property implies that the composition of the shares of the secrets is equivalent to the shares of the composition of the secrets.

Threshold schemes: Both secret sharing schemes and the multiparty computation schemes
are examples of threshold schemes. Threshold schemes can be implemented using homomor‐
phic encryption techniques.


Zero-knowledge proofs: This is a fundamental primitive of cryptographic protocols and serves as an example of a theoretical application of homomorphic cryptosystems. Zero-knowledge proofs are used to prove knowledge of some private information. For instance, consider the case where a user has to prove her identity to a host by logging in with her account and private password. Obviously, in such a protocol the user wants her private information (i.e., her password) to stay private and not to be leaked during the protocol operation. Zero-knowledge proofs guarantee that the protocol communicates exactly the knowledge that was intended, and no (zero) extra knowledge. Examples of zero-knowledge proofs using the homomorphic property can be found in (Cramer & Damgard, 1998).
Election schemes: In election schemes, the homomorphic property provides a tool to obtain
the tally given the encrypted votes without decrypting the individual votes.
Watermarking and fingerprinting schemes: Digital watermarking and fingerprinting
schemes embed additional information into digital data. The homomorphic property is used
to add a mark to previously encrypted data. In general, watermarks are used to identify the
owner/seller of digital goods to ensure the copyright. In fingerprinting schemes, the person
who buys the data should be identifiable by the merchant to ensure that data is not illegally
redistributed. Further properties of such schemes can be found in (Pfitzmann & Waidner,
1997; Adelsbach et al. 2002).
Oblivious transfer: Oblivious transfer is an interesting cryptographic primitive. Usually, in a
two-party 1-out-of-2 oblivious transfer protocol, the first party sends a bit to the second party
in such a way that the second party receives it with probability ½, without the first party
knowing whether or not the second party received the bit. An example of such a protocol that
uses the homomorphic property can be found in (Lipmaa, 2003).
Commitment schemes: Commitment schemes are fundamental cryptographic primitives. In a
commitment scheme, a player makes a commitment: she is able to choose a value from some
set and commit to her choice such that she can no longer change her mind. She does not have
to reveal her choice, although she may do so at some point later. Some commitment schemes
can be efficiently implemented using the homomorphic property.
Lottery protocols: Usually in a cryptographic lottery, a number pointing to the winning ticket
has to be jointly and randomly chosen by all participants. Using a homomorphic encryption
scheme this can be realized as follows: Each player chooses a random number which she
encrypts. Then using the homomorphic property the encryption of the sum of the random
values can be efficiently computed. The combination of this and a threshold decryption scheme
leads to the desired functionality. More details about homomorphic properties of lottery
schemes can be found in (Fouque et al., 2000).
Mix-nets: Mix-nets are protocols that provide anonymity for senders by collecting encrypted
messages from several users. For instance, one can consider mix-nets that collect ciphertexts
and output the corresponding plaintexts in a randomly permuted order. In such a scenario,
privacy is achieved by requiring that the permutation that matches inputs to outputs is kept
secret to anyone except the mix-net. In particular, determining a correct input/output pair, i.e.,
a ciphertext with corresponding plaintext, should not be more effective than guessing one at

164
Homomorphic Encryption — Theory and Application 15
http://dx.doi.org/10.5772/56687

random. A desirable property to build such mix-nets is re-encryption, which is achieved by
using homomorphic encryption. More information about applications of homomorphic
encryption in mix-nets can be found in (Golle et al., 2004; Damgard & Jurik, 2003).

5.2. Some properties of homomorphic encryption schemes

Homomorphic encryption schemes have some interesting mathematical properties. In the
following, we mention some of these properties.
Re-randomizable encryption/re-encryption: Re-randomizable cryptosystems (Groth, 2004)
are probabilistic cryptosystems with the additional property that, given the public key $k_e$ and
an encryption $E_{k_e}(m, r)$ of a message $m \in M$ under the public key $k_e$ and a random number
$r \in Z$, it is possible to efficiently convert $E_{k_e}(m, r)$ into another encryption $E_{k_e}(m, r')$ that is
perfectly indistinguishable from a fresh encryption of $m$ under the public key $k_e$. This property
is also called re-encryption.
It is obvious that every probabilistic homomorphic cryptosystem is re-randomizable. Without
loss of generality, we assume that the cryptosystem is additively homomorphic. Given
$E_{k_e}(m, r)$ and the public key $k_e$, we can compute $E_{k_e}(0, r'')$ for a random number $r''$ and hence
compute the following:

$$\mathrm{Add}\big(E_{k_e}(m, r),\, E_{k_e}(0, r'')\big) = E_{k_e}(m + 0, r') = E_{k_e}(m, r')$$

where $r'$ is an appropriate random number. We note that this is exactly what a blinding
algorithm does.
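The election tally and lottery sum of Section 5.1 and the re-randomization step $\mathrm{Add}(E_{k_e}(m, r), E_{k_e}(0, r'')) = E_{k_e}(m, r')$ described above, worked through in the Paillier cryptosystem as an added example that is not part of the chapter. The 16-bit primes, the ballots and the nonces are constructed for illustration only, and threshold decryption is not implemented.

```python
"""Toy Paillier cryptosystem: probabilistic and additively homomorphic.

Added example, not code from the chapter.  The 16-bit primes, the ballots
and the nonces are constructed for illustration only; a real deployment
uses primes of at least 1024 bits and a threshold decryption procedure.
"""
import secrets
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p, q):
    """Public key (n, g) and secret key (lambda, mu) for distinct primes p, q
    with gcd(pq, (p-1)(q-1)) = 1, which holds for the primes used below."""
    n = p * q
    n2 = n * n
    lam = lcm(p - 1, q - 1)
    g = n + 1                      # standard choice: g^m = 1 + m*n (mod n^2)
    # L(u) = (u - 1) / n;  mu = L(g^lambda mod n^2)^(-1) mod n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def fresh_nonce(n):
    """Uniform r in Z_n^*: the random number r of the chapter's E_ke(m, r)."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r


def encrypt(pk, m, r=None):
    """E_ke(m, r) = g^m * r^n mod n^2.  A fresh r is drawn unless one is given."""
    n, g = pk
    n2 = n * n
    if r is None:
        r = fresh_nonce(n)
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pk
    lam, mu = sk
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n * mu) % n


def add(pk, c1, c2):
    """Add(E(m1, r1), E(m2, r2)) = E(m1 + m2, r1*r2): multiply the ciphertexts."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def rerandomize(pk, c, r2=None):
    """Add(E(m, r), E(0, r'')) = E(m, r') with r' = r*r'' mod n: the blinding
    step of Section 5.2.  The output decrypts to the same m but, for a fresh
    r'', is a different ciphertext distributed like a fresh encryption of m."""
    return add(pk, c, encrypt(pk, 0, r2))


def tally(pk, ciphertexts):
    """Homomorphic sum of encrypted values, computed without decrypting any
    of them: the election tally of 0/1 ballots, or the lottery sum of the
    players' encrypted random picks (to be opened by threshold decryption)."""
    acc = 1                        # encrypt(pk, 0, r=1) == 1, the additive identity
    for c in ciphertexts:
        acc = add(pk, acc, c)
    return acc


if __name__ == "__main__":
    pk, sk = keygen(65537, 65521)          # constructed 16-bit primes, toy size
    votes = [1, 0, 1, 1, 0]                # constructed ballots: 1 = yes, 0 = no
    ballots = [encrypt(pk, v) for v in votes]
    print("yes votes:", decrypt(pk, sk, tally(pk, ballots)))        # 3
    c = encrypt(pk, 7)
    c2 = rerandomize(pk, c)
    print("re-encrypted ciphertext differs:", c != c2,
          "and still decrypts to", decrypt(pk, sk, c2))            # decrypts to 7
```

With explicit nonces the blinding relation is exact: rerandomizing encrypt(7, 3) with r'' = 5 yields the same integer as encrypt(7, 15), i.e. r' = r·r'' mod n.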
Random self-reducibility: Along with the possibility of re-encryption comes the property of
random self-reducibility concerning the problem of computing the plaintext from the cipher‐
text. A cryptosystem is called random self-reducible if any algorithm that can break a non-trivial
fraction of ciphertexts can also break a random instance with significant probability. This
property is discussed in detail in (Damgard et al., 2010; Sander et al., 1999).
Verifiable encryptions / fair encryptions: If an encryption is verifiable, it provides a mecha‐
nism to check the correctness of encrypted data without compromising the secrecy of the
data. For instance, this is useful in voting schemes to convince any observer that the encrypted
name of a candidate, i.e., the encrypted vote, is indeed in the list of candidates. A cryptosystem
with this property that is based on homomorphic encryption can be found in (Poupard & Stern,
2000). Verifiable encryptions are also called fair encryptions.

6. Fully homomorphic encryption schemes

In 2009, Gentry described the first plausible construction of a fully homomorphic cryptosystem
that supports both addition and multiplication (Gentry, 2009). Gentry’s proposed fully
homomorphic encryption consists of several steps: First, it constructs a somewhat homomor‐
phic scheme that supports evaluating low-degree polynomials on the encrypted data. Next, it
squashes the decryption procedure so that it can be expressed as a low-degree polynomial which
is supported by the scheme, and finally, it applies a bootstrapping transformation to obtain a fully
homomorphic scheme. The essential approach of this scheme is to derive and establish a
process that can evaluate polynomials of high-enough degree using a decryption procedure
that can be expressed as a polynomial of low-enough degree. Once the degree of polynomials
that can be evaluated by the scheme exceeds the degree of the decryption polynomial by a
factor of two, the scheme is called bootstrappable and it can then be converted into a fully
homomorphic scheme.
For designing a bootstrappable scheme, Gentry presented a somewhat homomorphic scheme
(Gentry, 2009) which is roughly a GGH (Goldreich, Goldwasser, Halevi)-type scheme
(Goldreich et al., 1997; Micciancio, 2001) over ideal lattices. Gentry later proved that with an
appropriate key-generation procedure, the security of that scheme can be reduced to the worst-
case hardness of some lattice problems in ideal lattice constructions (Gentry, 2010). Since this
somewhat homomorphic scheme is not bootstrappable, Gentry described a transformation to
squash the decryption procedure, reducing the degree of the decryption polynomial (Gentry,
2009). This is done by adding to the public key an additional hint about the secret key in the
form of a sparse subset-sum problem (SSSP). The public key is augmented with a big set of vectors
in such a way that there exists a very sparse subset of them that adds up to the secret key. A
ciphertext of the underlying scheme can be post-processed using this additional hint and the
post-processed ciphertext can be decrypted with a low-degree polynomial, thereby achieving
a bootstrappable scheme.
Gentry’s construction is quite involved – the secret key, even in the private key version of his
scheme, is a short basis of a random ideal lattice. Generating pairs of public and secret bases with
the right distributions appropriate for the worst-case to average-case reduction is technically
quite complicated. A significant research effort has been devoted to increase the efficiency of
its implementation (Gentry & Halevi, 2011; Smart & Vercauteren, 2010).
A parallel line of work that utilizes ideal lattices in cryptography dates back to the NTRU
cryptosystem (Hoffstein et al., 1998). This approach uses ideal lattices for efficient crypto‐
graphic constructions. The additional structure of ideal lattices, compared to ordinary lattices,
makes their representation more powerful and enables faster computation. Motivated by the
work of Micciancio (Micciancio, 2007), a significant number of works (Peikert & Rosen, 2006;
Lyubashevsky & Micciancio, 2006; Peikert & Rosen, 2007; Lyubashevsky et al., 2008; Lyuba‐
shevsky & Micciancio, 2008) have produced efficient constructions of various cryptographic
primitives whose security can formally be reduced to the hardness of short-vector problems
in ideal lattices (Brakerski & Vaikuntanathan, 2011).
Lyubashevsky et al. (Lyubashevsky et al., 2010) present the ring learning with errors (RLWE)
assumption which is the ring counterpart of Regev’s learning with errors assumption (Regev,
2005). In a nutshell, the assumption is that given polynomially many samples over a certain
ring of the form $(a_i, a_i s + e_i)$, where $s$ is a random secret ring element, the $a_i$ are distributed
uniformly at random in the ring, and the $e_i$ are small ring elements, it will be impossible for an
adversary to distinguish this sequence of samples from random pairs of ring elements. The
authors have shown that this simple assumption can be very efficiently reduced to the worst
case hardness of short-vector problems on ideal lattices. They have also shown how to
construct a very efficient ring counterpart to Regev’s public-key encryption scheme (Regev,
2005), as well as a counterpart to the identity-based encryption scheme presented in (Gentry
et al., 2008) by using the basis sampling techniques in (Regev, 2005). The scheme presented in
(Lyubashevsky et al., 2010) is very elegant and efficient since it is not dependent on any
complex computations over ideal lattices.

Brakerski and Vaikuntanathan raised the natural question of whether the above approaches
(i.e., ideal lattices and RLWE) can be effectively exploited so that the benefits of both
approaches can be achieved at the same time, namely the functional power of the one (i.e., the
ideal lattice approach) and the simplicity and efficiency of the other (i.e., RLWE).
They have shown that indeed this can be done (Brakerski & Vaikuntanathan, 2011). They have
constructed a somewhat homomorphic encryption scheme based on RLWE. The scheme
inherits the simplicity and efficiency, as well as the worst case relation to ideal lattices.
Moreover, the scheme enjoys key dependent message security (KDM security, also known as
circular security), since it can securely encrypt polynomial functions (over an appropriately
defined ring) of its own secret key. The significance of this feature of the scheme in context of
homomorphic encryption has been clearly explained by the authors. The authors argue that
all known constructions of fully homomorphic encryption employ a bootstrapping technique
that enforces the public key of the scheme to grow linearly with the maximal depth of evaluated
circuits. This is a major drawback with regard to the usability and the efficiency of the scheme.
However, the size of the public key can be made independent of the circuit depth if the
somewhat homomorphic scheme can securely encrypt its own secret key. With the design of
this scheme, the authors have solved an open problem - achieving circular secure somewhat
homomorphic encryption. They have also computed the circular security of their scheme with
respect to the representation of the secret key as a ring element, where bootstrapping requires
circular security with respect to the bitwise representation of the secret key (actually, the
bitwise representation of the squashed secret key). Since there is no prior work that studies a
possible co-existence between somewhat homomorphism with any form of circular security,
the work is a significant first step towards removing the assumption (Brakerski & Vaikunta‐
nathan, 2011). The authors have also shown how to transform the proposed scheme into a fully
homomorphic encryption scheme following Gentry’s blueprint of squashing and bootstrap‐
ping. Applying the techniques presented in (Brakerski & Vaikuntanathan, 2011a), the authors
argue that squashing can even be avoided at the cost of relying on a sparse version of RLWE that
is not known to reduce to worst-case scenarios. This greatly enhances the efficiency of the
proposed scheme in practical applications. The proposed scheme is also additively key-
homomorphic, a property that has found applications in achieving security against key-related
attacks (Applebaum et al., 2011).

Smart and Vercauteren (Smart & Vercauteren, 2010) present a fully homomorphic encryption
scheme that has smaller key and ciphertext sizes. The construction proposed by the authors
follows the fully homomorphic construction based on ideal lattices proposed by Gentry
(Gentry, 2009). It produces a fully homomorphic scheme from a somewhat homomorphic
scheme. For a somewhat homomorphic scheme, the public and the private keys consist of two
large integers (one of which is shared by both the public and the private key), and the ciphertext
consists of one large integer. The scheme (Smart & Vercauteren, 2010) has smaller ciphertext
blow-up and reduced key size compared with Gentry’s scheme based on ideal lattices. Moreover,
the scheme also allows an efficient homomorphic encryption over any field of characteristic two.
More specifically, it uses arithmetic of cyclotomic number fields. In particular, the authors have
focused on the field generated by the polynomial $F(X) = X^{2^n} + 1$. However, they also noted
that the scheme could be applied with arbitrary (even non-cyclotomic) number fields as well.
In spite of having many advantages, the major problem with this scheme is that the key
generation method is very slow.
Gentry and Halevi presented a novel implementation approach for a variant of the Smart and
Vercauteren proposal (Smart & Vercauteren, 2010), which had a greatly improved key
generation phase (Gentry & Halevi, 2011). In particular, the authors have noted that the key
generation (for cyclotomic fields) is essentially an application of a Discrete Fourier Transform
(DFT), followed by a small amount of computation, and then application of the inverse
transform. The authors then further demonstrate that it is not even required to perform the
DFTs if one selects the cyclotomic field to be of the form $X^{2^n} + 1$. The authors illustrate this
by using a recursive approach to deduce two constants from the secret key which subsequently
enables the key generation algorithm to construct a valid associated public key. The key
generation method of Gentry and Halevi (Gentry & Halevi, 2011) is fast. However, the scheme
appears particularly tailored to work with two-power roots of unity.
Researchers have also examined ways of improving key generation in fully homomorphic
encryption schemes. For example, in (Ogura et al., 2010), a method is proposed for construction
of keys for essentially random number fields by pulling random elements and analyzing
eigenvalues of the corresponding matrices. However, this method is unable to achieve the
improvement in efficiency, in terms of reduced ciphertext blow-up, obtained in (Smart &
Vercauteren, 2010) and (Gentry & Halevi, 2011).
Stehle and Steinfeld improved Gentry’s fully homomorphic scheme and obtained a faster fully
homomorphic scheme with $O(n^{3.5})$ bit complexity per elementary binary addition/multipli‐
cation gate (Stehle & Steinfeld, 2010). However, the hardness assumption underlying the security
of the scheme is stronger than that of Gentry’s scheme (Gentry, 2009). The improved complexity of
the proposed scheme stems from two sources. First, the authors have given a more aggressive
security analysis of the sparse subset sum problem (SSSP) against lattice attacks as compared to
the analysis presented in (Gentry, 2009). The SSSP along with the ideal lattice bounded distance
decoding (BDD) problem are the two problems underlying the security of Gentry’s fully
homomorphic scheme. In his security analysis of BDD, Gentry has used the best known
complexity bound for the approximate shortest vector problem (SVP) in lattices. However, in
analyzing SSSP, Gentry has assumed the availability of an exact SVP oracle. On the contrary,
the finer analysis of Stehle and Steinfeld for SSSP takes into account the complexity of
approximate SVP, thereby making it more consistent with the assumption underlying the
analysis of the BDD problem. This leads to smaller parameter choices in the scheme.


Moreover, Stehle and Steinfeld have relaxed the definition of fully homomorphic encryption
to allow for a negligible but non-zero probability of decryption error. They have shown that
the randomness in the SplitKey key generation for the squashed decryption algorithm (i.e., the
decryption algorithm of the bootstrappable scheme) in Gentry’s scheme can be gainfully
exploited to allow a negligible decryption error probability. This decryption error, although
negligible in value, allows a rounding precision for representing the ciphertext components
that is almost half the precision required in Gentry’s scheme (Gentry, 2009), which involves
zero error probability.

In (Chunsheng, 2012), Chunsheng proposed a modification of the fully homomorphic encryp‐
tion scheme of Smart and Vercauteren (Smart & Vercauteren, 2010). The author has applied a
self-loop bootstrappable technique so that the security of the modified scheme only depends on
the hardness of the polynomial coset problem and does not require any assumption on the sparse
subset problem as required in the original work of Smart and Vercauteren (Smart & Vercauteren,
2010). In addition, the author has constructed a non-self-loop fully homomorphic encryption
scheme that uses cycle keys. In a nutshell, the security of the improved fully homomorphic
encryption scheme in this work is based on three mathematical problems: (i) the integer
factoring problem, (ii) the problem of solving Diophantine equations, and (iii) the approximate
greatest common divisor problem.

Boneh and Freeman propose a linearly homomorphic signature scheme that authenticates
vector subspaces of a given ambient space (Boneh & Freeman, 2011). The scheme has several
novel features that were not present in any of the existing similar schemes. First, the scheme
is the first of its kind that enables authentication of vectors over binary fields; previous schemes
could not authenticate vectors with large or growing coefficients. Second, the scheme is the
only scheme that is based on the problem of finding short vectors in integer lattices, and therefore,
it enjoys the worst-case security guarantee that is common to lattice-based cryptosystems. The
scheme can be used to authenticate linear transformations of signed data, such as those arising
when computing mean and Fourier transform or in networks that use network coding (Boneh
& Freeman, 2011). The work has three major contributions in the state of the art as identified
by the authors: (i) Homomorphic signatures over $\mathbb{F}_2$: the authors have constructed the first
unforgeable linearly homomorphic signature scheme that authenticates vectors with coordinates in
$\mathbb{F}_2$. It is an example of a cryptographic primitive that can be built using lattice models, but
cannot be built using bilinear maps or other traditional algebraic methods based on factoring
or discrete log type problems. The scheme can be modified to authenticate vectors with
coefficients in other small fields, including prime fields and extension fields such as $\mathbb{F}_{2^d}$.
Moreover, the scheme is private, in the sense that a derived signature on a vector v leaks no
information about the original signed vectors beyond what is revealed by v. (ii) A simple k-time
signature without random oracles: the authors have presented a stateless signature scheme and
have proved that it is secure in the standard model when used to sign at most k messages, for
small values of k. The public key of the scheme is significantly smaller than that of any other
stateless lattice-based signature scheme that can sign multiple large messages and is secure in
the standard model. The construction proposed by the authors can be viewed as removing the
random oracle from the signature scheme of Gentry, Peikert, and Vaikuntanathan (Gentry et al.,
2008), but only for signing k messages (Boneh & Freeman, 2011). (iii) New tools for lattice-based
signatures: the scheme is unforgeable based on a new hard problem on lattices, which the
authors have called the k-small integer solutions (k-SIS) problem. The authors have shown that
k-SIS reduces to the small integer solution (SIS) problem, which is known to be as hard as
standard worst-case lattice problems (Micciancio & Regev, 2007).

7. Conclusion and future trends

The study of fully homomorphic encryption has led to a number of new and exciting concepts
and questions, as well as a powerful tool-kit to address them. We conclude the chapter by
discussing a number of research directions related to the domain of fully homomorphic
encryption and more generally, on the problem of computing on encrypted data.
Applications of fully homomorphic encryption: While Gentry’s original construction was
considered as being infeasible for practical deployments, recent constructions and implemen‐
tation efforts have drastically improved the efficiency of fully homomorphic encryption
(Vaikuntanathan, 2011). The initial implementation efforts focused on Gentry’s original
scheme and its variants (Smart & Vercauteren, 2010; Smart & Vercauteren, 2012; Coron et al.,
2011; Gentry & Halevi, 2011), which seemed to pose rather inherent efficiency bottlenecks.
Later implementations leverage the recent algorithmic advances (Brakerski & Vaikuntanathan,
2011; Brakerski et al., 2011; Brakerski & Vaikuntanathan, 2011a) that result in asymptotically
better fully homomorphic encryption systems, as well as new algebraic mechanisms to
improve the overall efficiency of these schemes (Naehrig et al., 2011; Gentry et al., 2012; Smart
& Vercauteren, 2012).
Non-malleability and homomorphic encryption: Homomorphism and non-malleability are
two orthogonal properties of an encryption scheme. Homomorphic encryption schemes
permit anyone to transform an encryption of a message m into an encryption of f(m) for non-
trivial functions f. Non-malleable encryption, on the other hand, prevents precisely this sort
of thing- it requires that no adversary be able to transform an encryption of m into an encryption
of any related message. Essentially, what we need is a combination of both the properties that
selectively permits homomorphic computations (Vaikuntanathan, 2011). This implies that the
evaluator should be able to homomorphically compute any function from some pre-specified
class $F_{hom}$; however, she should not be able to transform an encryption of m into an encryption
of f(m) for any f that does not belong to $F_{hom}$. The natural question that arises is: can we
control what is being (homomorphically) computed?
Answering this question turns out to be tricky. Boneh, Segev and Waters (Boneh et al., 2011)
propose the notion of targeted malleability – a possible formalization of such a requirement as
well as formal constructions of such encryption schemes. Their encryption scheme is based on
a strong knowledge of exponent-type assumption that allows iterative evaluation of at most t
functions, where t is a suitably determined and pre-specified constant. Improving their
construction as well as the underlying complexity assumptions is an important open problem
(Vaikuntanathan, 2011).


It is also interesting to extend the definition of non-malleability to allow for chosen cipher-text
attacks. As an example, we consider the problem that involves implementing an encrypted targeted
advertisement system that generates advertisements depending on the contents of a user’s e-mail. Since
the e-mail is stored in an encrypted form with the user’s public key, the e-mail server performs
a homomorphic evaluation and computes an encrypted advertisement to be sent back to the
user. The user decrypts it, performs an action depending on what she sees. If the advertisement
is relevant, she might choose to click on it; otherwise, she simply discards it. However, if the
e-mail server is aware of this information, namely whether the user clicked on the advertisement
or not, it can use this as a restricted decryption oracle to break the security of the user’s
encryption scheme and possibly even recover her secret key. Such attacks are ubiquitous
whenever we compute on encrypted data, almost to the point that CCA security seems
inevitable. Yet, it is easy to see that chosen ciphertext (CCA2-secure) homomorphic encryption
schemes cannot exist. Therefore, an appropriate security definition and constructions that
achieve the definition are in demand.

Fully homomorphic encryption and functional decryption: Homomorphic encryption
schemes permit anyone to evaluate functions on encrypted data, but the evaluators never see
any information about the result. Is it possible to construct an encryption scheme where a user
can compute f(m) from an encryption of a message m, but is not able to learn any other
information about m (including the intermediate results in the computation of f)?
Essentially, the issue boils down to the following question: can we control the information that
the evaluator can see? Such an encryption scheme is called a functional encryption scheme. The
concept of functional encryption scheme was first introduced by Sahai and Waters (Sahai &
Waters, 2005) and subsequently investigated in a number of intriguing works (Katz et al.,
2013; Lewko et al., 2010; Boneh et al., 2011; Agrawal et al., 2011). Although the constructions
in these propositions work for several interesting families of functions (such as monotone
formulas and inner products), construction of a fully functional encryption scheme is still not
achieved and remains as an open problem. What we need is a novel and generic encryption
system that provides us with fine-grained control over what one can see and access and what
one can compute on data to get a desired output.

Other problems and applications: Another important open question relates to the assumptions
underlying the current fully homomorphic encryption systems. All known fully homomorphic
encryption schemes are based on the hardness of lattice problems. The natural question that
arises is whether we can construct fully homomorphic encryption from other approaches, for
example from number-theoretic assumptions. Can we bring the hardness of factoring or
discrete logarithms to bear on this problem?

In addition to the scenarios where it is beneficial to keep all data encrypted and to perform
computations on encrypted data, fully homomorphic encryption can be gainfully exploited to
solve a number of practical problems in cryptography. Two such examples are the problems
of verifiably outsourcing computation (Goldwasser et al., 2008; Gennaro et al., 2010; Chung et al.,
2010; Applebaum et al., 2010) and constructing short non-interactive zero-knowledge proofs
(Gentry, 2009). Some of the applications of fully homomorphic encryption do not require its
full power. For example, in private information retrieval (PIR), it is sufficient to have a somewhat
homomorphic encryption scheme that is capable of evaluating simple database indexing
functions. For such applications, what is needed is an optimized and less functional encryption
scheme that is more efficient than a fully homomorphic encryption function. Design of such
functions for different application scenarios is also a current hot topic of research.

Author details

Jaydip Sen*

Department of Computer Science, National Institute of Science & Technology, Odisha, India

References

[1] Adelsbach, A., Katzenbeisser, S., & Sadeghi, A. (2002). Cryptography Meets Water‐
marking: Detecting Watermarks with Minimal or Zero Knowledge Disclosure. In:
Proceedings of the European Signal Processing Conference (EUSIPCO’02), Vol 1, pp.
446-449, Toulouse, France.

[2] Agrawal, S., Freeman, D. M., & Vaikuntanathan, V. (2011). Functional Encryption for
Inner Product Predicates from Learning with Errors. In: Advances in Cryptology-
Proceedings of ASIACRYPT’11, Lecture Notes in Computer Science (LNCS), Vol
7073, Springer-Verlag, pp. 21-40.

[3] Ajtai, M. & Dwork, C. (1997). A Public Key Cryptosystem with Worst-Case/ Average-
Case Equivalence. In: Proceedings of the 29th Annual ACM International Symposium
on Theory of Computing (STOC’97), pp. 284-293, ACM Press, New York, NY, USA.

[4] Applebaum, B., Ishai, Y., & Kushilevitz, E. (2010). Semantic Security under Related-
Key Attacks and Applications. Innovations in Computer Science (ICS), pp. 45-55,
2011.

[5] Applebaum, B., Ishai, Y., & Kushilevitz, E. (2010). From Secrecy to Soundness: Effi‐
cient Verification via Secure Computation. In: Automata, Language and Program‐
ming - Proceedings of ICALP, Lecture Notes in Computer Science (LNCS), Vol 6198,
Springer-Verlag, pp. 152-163.

[6] Bao, F. (2003). Cryptanalysis of a Provable Secure Additive and Multiplicative Priva‐
cy Homomorphism. In: Proceedings of International Workshop on Coding and Cryp‐
tography (WCC’03), Versailles, France, pp. 43-49.

[7] Bellare, M. & Rogaway, P. (1995). Optimal Asymmetric Encryption- How to Encrypt
with RSA. In: Advances in Cryptology - Proceedings of EUROCRYPT’94, Lecture
Notes in Computer Science (LNCS), Vol 950, Springer-Verlag, pp. 92-111.


[8] Benaloh, J. (1994). Dense Probabilistic Encryption. In: Proceedings of the Workshop
on Selected Areas of Cryptography, 1994, pp. 120-128.

[9] Benaloh, J. (1988). Verifiable Secret-Ballot Elections. Doctoral Dissertation, Depart‐
ment of Computer Science, Yale University, New Haven, Connecticut, USA.

[10] Ben-Or, M. & Cleve, R. (1992). Computing Algebraic Formulas Using a Constant
Number of Registers. SIAM Journal on Computing, Vol 21, No 1, pp. 54-58, 1992.

[11] Blum, M. & Goldwasser, S. (1985). An Efficient Probabilistic Public-Key Encryption
Scheme which Hides All Partial Information. In: Advances in Cryptology – Proceed‐
ings of EUROCRYPT’84, Lecture Notes in Computer Science (LNCS), Vol 196,
Springer-Verlag, pp. 289-299.

[12] Boneh, D. & Freeman, D. M. (2011). Linearly Homomorphic Signatures over Binary
Fields and New Tools for Lattice-Based Signatures. In: Public Key Cryptography
(PKC’11), Lecture Notes in Computer Science (LNCS), Vol 6571, Springer-Verlag, pp.
1-16.

[13] Boneh, D. & Lipton, R. (1996). Searching for Elements in Black Box Fields and Appli‐
cations. In: Advances in Cryptology- Proceedings of CRYPTO’96, Lecture Notes in
Computer Science (LNCS), Vol 1109, Springer-Verlag, pp. 283-297.

[14] Boneh, D., Segev, G., & Waters, B. (2012). Targeted Malleability: Homomorphic En‐
cryption for Restricted Computations. In: Proceedings of Innovations in Theoretical
Computer Science (ITCS), pp 350-366, ACM Press, New York, NY, USA, 2012.

[15] Brakerski, Z., Gentry, C., & Vaikuntanathan, V. (2011). Fully Homomorphic Encryp‐
tion without Bootstrapping. In: Proceedings of the 3rd Innovations in Theoretical
Computer Science Conference (ITCS’12), pp. 309-325, ACM Press, New York, NY,
USA.

[16] Brakerski, Z. & Vaikuntanathan, V. (2011). Fully Homomorphic Encryption from
Ring-LWE and Security for Key Dependent Messages. In: Advances in Cryptology-
Proceedings of CRYPTO’11, Lecture Notes in Computer Science (LNCS), Vol 6841,
Springer-Verlag, pp. 505-524.

[17] Brakerski, Z. & Vaikuntanathan, V. (2011a). Efficient Fully Homomorphic Encryption
from (Standard) LWE. In: Proceedings of the IEEE 52nd Annual Symposium on Foun‐
dations of Computer Science (FOCS’11), pp. 97-106, ACM Press, New York, NY,
USA.

[18] Bresson, E., Catalano, D., & Pointcheval, D. (2003). A Simple Public-Key Cryptosys‐
tem with a Double Trapdoor Decryption Mechanism and its Applications. In: Advan‐
ces in Cryptology- Proceedings of ASIACRYPT’03, Lecture Notes in Computer
Science (LNCS), Vol 2894, Springer-Verlag, pp. 37-54.

173
24 Theory and
Security Practice
Issues of Cryptography
in a Networked Age and Network Security Protocols and Technologies

[19] Brickell, E. F. & Yacobi, Y. (1987). On Privacy Homomorphisms. In: Advances in


Cryptology – Proceedings of EUROCRYPT 1987, Lecture Notes in Computer Science
(LNCS) Vol 304, Springer-Verlag, pp. 117-125.

[20] Canetti, R., Goldreich, O., & Halevi, S. (2004). The Random Oracle Methodology, Re‐
visited. Journal of ACM (JACM), Vol 5, Issue 4, July 2004, pp. 557-594, ACM Press,
New York, NY, USA.

[21] Castagnos, G. (2007). An Efficient Probabilistic Public-Key Cryptosystem over Quad‐


ratic Fields Quotients. Finite Fields and Their Applications, Vol 13, No 3, pp. 563-576,
July 2007.

[22] Castagnos, G. (2006). Quelques Schemas De Cryptographic Asymetrique Probabi‐


liste. Doctoral Dissertation, Universite De Limoges, 2006. Available Online at: http://
epublications.unilim.fr/theses/2006/castagnos-guilhem/castagnos-guilhem.pdf

[23] Chung, K.-M., Kalai, Y. & Vadhan, S. (2010). Improved Delegation of Computation
Using Fully Homomorphic Encryption. In: Advances in Cryptology - Proceedings of
CRYPTO’10, Lecture Notes in Computer Science (LNCS), Vol 6223, Springer-Verlag,
pp. 483-501.

[24] Chunsheng, G. (2012). More Practical Fully Homomorphic Encryption. International


Journal of Cloud Computing and Services Science, Vol 1, Issue 4, pp. 199-201.

[25] Coron, J.-S., Mandal, A., Naccache, D., & Tibouchi, M. (2011). Fully Homomorphic
Encryption over the Integers with Shorter Public Keys. In: Advances in Cryptology -
Proceedings of CRYPTO’11, Lecture Notes in Computer Science (LNCS), Vol 6841,
Springer-Verlag, pp. 487-504.

[26] Cramer, R. & Damgard, I. (1998). Zero-Knowledge Proofs for Finite Field Arithmetic,
Or: Can Zero-Knowledge be for Free? In: Advances in Cryptology - Proceedings of
CRYPTO’98, Lecture Notes in Computer Science (LNCS), Vol 1462, Springer-Verlag,
pp. 424-441.

[27] Cramer, R., Damgard, I., & Maurer, U. (2000). General Secure Multi-party Computa‐
tion from any Linear Secret-Sharing Scheme. In: Advances in Cryptology – Proceed‐
ings of EUROCRYPT’00, Lecture Notes in Computer Science (LNCS), Vol 1807,
Springer-Verlag, pp. 316-334.

[28] Cramer, R. & Shoup, V. (2002). Universal Hash Proofs and a Paradigm for Adaptive
Chosen Ciphertext Secure Public-Key Encryption. In: Advances in Cryptology – Pro‐
ceedings of EUROCRYPT’02, Lecture Notes in Computer Science (LNCS), Vol 2332,
Springer-Verlag, New York, NY, USA, pp. 45-64.

[29] Daemen, J. & Rijmen, V. (2002). The Design of Rijndael: AES- The Advanced Encryp‐
tion Standard. Information Security and Cryptography, Springer, New York, NY,
USA, 2002.

174
Homomorphic Encryption — Theory and Application 25
http://dx.doi.org/10.5772/56687

[30] Daemen, J. & Rijmen, V. (2000). The Block Cipher Rijndael. In: Proceedings of Inter‐
national Conference on Smart Cards Research and Applications (CARDS’98), Lecture
Notes in Computer Science (LNCS), Vol 1820, Springer-Verlag, pp. 247-256.
[31] Damgard, I. & Jurik, M. (2003). A Length-Flexible Threshold Cryptosystem with Ap‐
plications. In: Proceedings of the 8th Australasian Conference on Information Security
and Privacy (ACSIP’03), Lecture Notes in Computer Science (LNCS), Vol 2727,
Springer-Verlag, pp 350-364.
[32] Damgard, I. & Jurik, M. (2001). A Generalisation, a Simplification and Some Applica‐
tions of Paillier’s Probabilistic Public-Key System. In: Proceedings of the 4th Interna‐
tional Workshop on Practice and Theory in Public Key Cryptography (PKC’01),
Lecture Notes in Computer Science (LNCS), Vol 1992, Springer-Verlag, pp. 119-136.
[33] Damgard, I., Jurik, M., & Nielsen, J. (2010). A Generalization of Paillier’s Public-Key
System with Applications to Electronic Voting. International Journal on Information
Security (IJIS), Special Issues on Special Purpose Protocol, Vol 9, Issue 6, December
2010, pp. 371-385, Springer-Verlag, Heidelberg, Berlin, Germany.
[34] Diffie, W. & Hellman, M. (1976). New Directions in Cryptography. IEEE Transactions
on Information Theory, Vol 22, No 6, November 1976, pp. 644-654.
[35] Domingo-Ferrer, J. (2002). A Provably Secure Additive and Multiplicative Privacy
Homomorphism. In: Proceedings of the 5th International Conference on Information
Security (ISC’02), Lecture Notes in Computer Science (LNCS), Vol 2433, Springer-
Verlag, pp. 471-483.
[36] Ekdahl, E. & Johansson, T. (2002). A New Version of the Stream Cipher SNOW. In:
Proceedings of the 9th International Workshop on Selected Areas of Cryptography
(SAC’02), Lecture Notes in Computer Science (LNCS), Vol 2595, Springer-Verlag, pp.
47-61.
[37] ElGamal, T. (1985). A Public Key Cryptosystem and a Signature Scheme Based on
Discrete Logarithms. IEEE Transactions on Information Theory, Vol 31, Issue 4, July
1985, pp. 469-472.
[38] Feigenbaum, J. & Merritt, M. (1991). Open Questions, Talk Abstracts, and Summary
of Discussions. DIMACS Series in Discrete Mathematics and Theoretical Computer
Science, Vol 2, pp. 1-45.
[39] Fellows, M. & Koblitz, N. (1993). Combinatorial Cryptosystems Galore! Finite Fields-
Theory, Applications and Algorithms. Contemporary Mathematics, Vol. 168, Las Ve‐
gas, 1994, pp. 51-61.
[40] Fontaine, C. & Galand, F. (2007). A Survey of Homomorphic Encryption for Nonspe‐
cialists. EURASIP Journal on Information Security, Vol 2007, January 2007, Article ID
15, Hindawi Publishing Corporation, New York, NY, USA. DOI: 10.1155/2007/13801.
[41] Fouque, P., Poupard, G., & Stern, J. (2000). Sharing Decryption in the Context of Vot‐
ing or Lotteries. In: Proceedings of the 4th International Conference on Financial

175
26 Theory and
Security Practice
Issues of Cryptography
in a Networked Age and Network Security Protocols and Technologies

Cryptography (FC’00), Lecture Notes in Computer Science (LNCS), Vol 1962, Spring‐
er-Verlag, pp. 90-104.

[42] Galbraith, S. D. (2002). Elliptic Curve Paillier Schemes. Journal of Cryptology, Vol 15,
No 2, pp. 129-138, August 2002.

[43] Gennaro, R., Gentry, C., & Parno, B. (2010). Non-Interactive Verifiable Computing:
Outsourcing Computation to Untrusted Workers. In: Advances in Cryptology-Pro‐
ceedings of CRYPTO’10, Lecture Notes in Computer Science (LNCS), Vol 6223,
Springer-Verlag, pp. 465-482.

[44] Gentry, C. (2010). Toward Basing Fully Homomorphic Encryption on Worst-Case


Hardness. In: Advances in Cryptology- Proceedings of CRYPTO’10, Lecture Notes in
Computer Science (LNCS), Vol 6223, Springer-Verlag, pp. 116-137.

[45] Gentry, C. (2009). Fully Homomorphic Encryption Using Ideal Lattices. In: Proceed‐
ings of the 41st Annual ACM Symposium on Theory of Computing (STOC’09), pp.
169-178, ACM Press, New York, NY, USA.

[46] Gentry, C. & Halevi, S. (2011). Implementing Gentry’s Fully-Homomorphic Encryp‐


tion Scheme. In: Advances in Cryptology - Proceedings of EUROCRYPT’11, Lecture
Note in Computer Science (LNCS), Vol 6632, Springer-Verlag, pp. 129-148.

[47] Gentry, C, Halevi, S., & Smart, N. (2012). Better Bootstrapping in Fully Homomor‐
phic Encryption. In: Proceedings of the 15th International Conference on Practice and
Theory in Public Key Cryptography (PKC’12), Lecture Notes in Computer Science
(LNCS), Vol 7293, Springer-Verlag, pp. 1-16.

[48] Gentry, C., Peikert, C., & Vaikuntanathan, V. (2008). Trapdoors for Hard Lattices and
New Cryptographic Constructions. In: Proceedings of the 40th Annual ACM Sympo‐
sium on Theory of Computing (STOC’08), pp. 197-206, ACM Press, New York, NY,
USA.

[49] Goldreich, O., Goldwasser, S., & Halevi, S. (1997). Public-Key Cryptosystems from
Lattice Reduction Problems. In: Advances in Cryptology- Proceedings of CRYP‐
TO’97, Lecture Notes in Computer Science (LNCS), Vol 1294, Springer-Verlag, pp.
112-131.

[50] Goldwasser, S., Kalai, Y. T., & Rothblum, G. N. (2008). Delegating Computation: In‐
teractive Proofs for Muggles. In: Proceedings of the 40th Annual ACM Symposium
on Theory of Computing (STOC’08), pp. 113-122, ACM Press, New York, NY, USA.

[51] Goldwasser, S. & Micali, S. (1982). Probabilistic Encryption and How to Play Mental
Poker Keeping Secret All Partial Information. In: Proceedings of the 14th Annual
ACM Symposium on Theory of Computing (STOC’82), pp. 365-377, ACM Press,
New York, NY, USA.

[52] Goldwasser, S. & Micali, S. (1984). Probabilistic Encryption. Journal of Computer and
System Sciences, Vol 28, Issue 2, pp. 270-299, April 1984.

176
Homomorphic Encryption — Theory and Application 27
http://dx.doi.org/10.5772/56687

[53] Golle, P., Jakobsson, M., Juels, A., & Syverson, P. (2004). Universal Re-Encryption for
Mixnets. In: Topics in Cryptology - Proceedings of the RSA Conference Cryptogra‐
phers’ Track (CT-RSA’04), Lecture Notes in Computer Science (LNCS), Vol 2964,
Springer-Verlag, pp. 163-178.

[54] Grigoriev, D. & Ponomarenko. (2006). Homomorphic Public-Key Cryptosystems and


Encrypting Boolean Circuits. Applicable Algebra in Engineering, Communication
and Computing, Vol 17, Issue 3-4, pp. 239-255, August 2006.

[55] Grigoriev, D. & Ponomarenko, I. (2004). Homomorphic Public-Key Cryptosystems


over Groups and Rings. Quaderni di Mathematica, Vol 13, pp. 304-325, 2004.

[56] Groth, J. (2004). Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack
Secure Cryptosystems. In: Proceedings of the 1st Theory of Cryptography Conference
(TCC’04), Lecture Notes in Computer Science (LNCS), Vol 2951, Springer-Verlag, pp.
152-170.

[57] Hoffstein, J., Pipher, J., & Silverman, J. (1998). NTRU: A Ring-Based Public Key Cryp‐
tosystem. In: Proceedings of the 3rd International Symposium on Algorithmic Num‐
ber Theory (ANTS-III), ANTS’98, Lecture Notes in Computer Science (LNCS), Vol
1423, Springer-Verlag, pp. 267-288.

[58] Katz, J. Sahai, A., & Waters, B. (2013). Predicate Encryption Supporting Disjunctions,
Polynomial Equations, and Inner Products. Journal of Cryptology, Vol 26, Issue 2,
pp. 191-224, April 2013, Springer-Verlag, Berlin, Heidelberg, Germany.

[59] Ko, K. H., Lee, S. J. Cheon, J. H., Han, J. W., Kang, J.-S., & Park, C. (2000). New Pub‐
lic-Key Cryptosystem Using Braid Groups. In: Advances in Cryptology – Proceed‐
ings of CRYPTO’00, Lecture Notes in Computer Science (LNCS), Vol 1880, Springer-
Verlag, pp. 166-183.

[60] Koblitz, N. (1998). Algebraic Aspects of Cryptography: Algorithms and Computation


in Mathematics, Vol 3, Springer-Verlag, Berlin, Heidelberg, Germany, 1998.

[61] Lewko, A. B., Okamoto, T., Sahai, A. Takashima, K. & Waters, B. (2010). Fully Secure
Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product
Encryption. In: Advances in Cryptology- Proceedings of EUROCRYPT’10, Lecture
Notes in Computer Science (LNCS), Vol 6110, Springer-Verlag, pp. 62-91.

[62] Lipmaa, H. (2003). Verifiable Homomorphic Oblivious Transfer and Private Equality
Test. In: Advances in Cryptology- Proceedings of ASIACRYPT’03, Lecture Notes in
Computer Science (LNCS), Vol 2894, Springer-Verlag, pp. 416-433.

[63] Ly, L. V. (2002). Polly Two - A Public-Key Cryptosystem Based on Polly Cracker.
Doctoral Dissertation, Ruhr-Universitat, Bochum, Germany, October 2002.

[64] Lyubashevsky, V. & Micciancio, D. (2008). Asymptotically Efficient Lattice-Based


Digital Signatures. In: Proceedings of the 5th International Conference on Theory of

177
28 Theory and
Security Practice
Issues of Cryptography
in a Networked Age and Network Security Protocols and Technologies

Cryptography (TCC’08), Lecture Notes in Computer Science (LNCS), Vol 4948,


Springer-Verlag, pp. 37-54.

[65] Lyubashevsky, V. & Micciancio, D. (2006). Generalized Compact Knapsacks are Col‐
lision Resistant. In: Proceedings of the 33rd International Conference on Automata,
Languages and Programming (ICALP’06), Lecture Notes in Computer Science
(LNCS), Vol 4052, Springer-Verlag, pp. 144-155.

[66] Lyubashevsky, V., Micciancio, D., Peikert, C., & Rosen, A. (2008). SWIFT: A Modest
Proposal for FFT Hashing. In: Proceedings of the 15th International Workshop on Fast
Software Encryption (FSE’08), Lecture Notes in Computer Science (LNCS), Vol 5068,
Springer-Verlag, pp. 54-72.

[67] Lyubashevsky, V., Peikert, C., & Regev, O. (2010). On Ideal Lattices and Learning
with Errors over Rings. In: Advances in Cryptology- Proceedings of EURO‐
CRYPT’10, Lecture Notes in Computer Science (LNCS), Vol 6110, Springer-Verlag,
pp. 1-23.

[68] Menezes, A., Van Orschot, P. & Vanstone, S. (1997). Handbook of Applied Cryptog‐
raphy. CRC Press, USA. Available Online at: http://www.cacr.math.uwaterloo.ca/
hac/.

[69] Micciancio, D. (2007). Generalized Compact Knapsacks, Cyclic Lattices, and Efficient
One-Way Functions. Computational Complexity, Vol 16, No 4, pp. 365-411, Decem‐
ber 2007.

[70] Micciancio, D. (2001). Improving Lattice Based Cryptosystems Using Hermite Nor‐
mal Form. In: Cryptography and Lattices - Proceedings of the International Confer‐
ence on Cryptography and Lattices (CaLC’01), Lecture Notes in Computer Science
(LNCS), Vol 2146, Springer-Verlag, pp. 126-145.

[71] Micciancio, D. & Regev, O. (2007). Worst-Case to Average-Case Reductions Based on


Gaussian Measures. SIAM Journal on Computing, Vol 37, Issue 1, pp. 267-302, April
2007.

[72] Naccache, D. & Stern, J. (1998). A New Public Key Cryptosystem Based on Higher
Residues. In: Proceedings of the 5th ACM Conference on Computer and Communica‐
tions Security (CCS’98), pp. 59-66, ACM Press, New York, NY, USA.

[73] Naehrig, M., Lauter, K., & Vaikuntanathan, V. (2011). Can Homomorphic Encryption
be Practical? In: Proceedings of the 3rd ACM Workshop on Cloud Computing Securi‐
ty, pp. 113-124, ACM Press, New York, NY, USA.

[74] Nguyen, P. & Stern, J. (1999). Cryptanalysis of the Ajtai-Dwork Cryptosystem. In:
Advances in Cryptology – Proceedings of CRYPTO’98, Lecture Notes in Computer
Science (LNCS), Springer-Verlag, Vol 1462, New York, NY, USA, pp. 223-242.

[75] Ogura, N., Yamamoto, G., Kobayashi, T., & Uchiyama, S. (2010). An Improvement of
Key Generation Algorithm for Gentry’s Homomorphic Encryption Scheme. In: Ad‐

178
Homomorphic Encryption — Theory and Application 29
http://dx.doi.org/10.5772/56687

vances in Information and Computer Security- Proceedings of the 5th International


Conference on Advances in Information and Computer Security (IWSEC’10), Lecture
Notes in Computer Science (LNCS), Vol 6434, Springer-Verlag, pp. 70-83.

[76] Okamoto, T. & Uchiyama, S. (1998). A New Public-Key Cryptosystem as Secure as


Factoring. In: Advances in Cryptology- Proceedings of EUROCRYPT’98, Lecture
Notes in Computer Science (LNCS), Vol 1403, Springer-Verlag, pp. 308-318.

[77] Okamoto, T., Uchiyama, S., & Fujisaki, E. (2000). EPOC: Efficient Probabilistic Public-
Key Encryption. Technical Report, 2000, Proposal to IEEE P1363a. Available Online
at: http://grouper.iee.org/groups/1363/StudyGroup/NewFam.html.

[78] Paeng, S.-H, Ha, K.-C., Kim, J. H., Chee, S., & Park, C. (2001). New Public Key Cryp‐
tosystem Using Finite Non Abelian Groups. In: Advances in Cryptology- Proceed‐
ings of CRYPTO’01, Lecture Notes in Computer Science (LNCS), Vol 2139, Springer-
Verlag, pp. 470-485.

[79] Paillier, P. (2007). Impossibility Proofs for RSA Signatures in the Standard Model. In:
Topics in Cryptology - Proceedings of the RSA Conference Cryptographers’ Track
(CT-RSA’07), Lecture Notes in Computer Science (LNCS), Vol 4377, pp. 31-48, San
Francisco, California, USA.

[80] Paillier, P. (1999). Public-Key Cryptosystems Based on Composite Degree Residuosi‐


ty Classes. In: Advances in Cryptology – Proceedings of EUROCRYPT’99, Lecture
Notes in Computer Science (LNCS), Vol 1592, Springer-Verlag, pp. 223-238.

[81] Pfitzmann, B. & Waidner, M. (1997). Anonymous Fingerprinting. In: Advances in


Cryptology- Proceedings of the EUROCRYPT’97, Lecture Notes in Computer Science
(LNCS), Vol 1233, Springer-Verlag, pp. 88-102.

[82] Peikert, C. & Rosen, A. (2007). Lattices that Admit Logarithmic Worst-Case to Aver‐
age-Case Connection Factors. In: Proceedings of the 39th Annual ACM Symposium
on Theory of Computing (STOC’07), pp. 478-487, ACM Press, June 2007.

[83] Peikert, C. & Rosen, A. (2006). Efficient Collision-Resistant Hashing from Worst-Case
Assumptions on Cyclic Lattices. In: Theory of Cryptography - Proceedings of the 3rd
International Conference on Theory of Cryptography (TCC’06), Lecture Notes in
Computer Science (LNCS), Vol 3876, Springer-Verlag, pp. 145-166.

[84] Poupard, G. & Stern, J. (2000). Fair Encryption of RSA Keys. In: Advances in Cryptol‐
ogy- Proceedings of EUROCRYPT’00, Lecture Notes in Computer Science (LNCS),
Vol 1807, Springer-Verlag, pp. 172-189.

[85] Rappe, D. (2004). Homomorphic Cryptosystems and their Applications. Doctoral


Dissertation. University of Dortmund, Dortmund, Germany.

[86] Regev, O. (2005). On Lattices, Learning with Errors, Random Linear Codes, and
Cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of
Computing (STOC’05), pp. 84-93, ACM Press, New York, NY, USA.

179
30 Theory and
Security Practice
Issues of Cryptography
in a Networked Age and Network Security Protocols and Technologies

[87] Rivest, R., Adleman, L., & Dertouzos, M. (1978a). On Data Banks and Privacy Homo‐
morphisms. Foundations of Secure Communication, pp. 169-177, Academic Press.

[88] Rivest, R., Shamir, A., & Adleman, L. (1978b). A Method for Obtaining Digital Signa‐
tures and Public-Key Cryptosystems. Communications of the ACM, Vol 21, No 2, pp.
120-126.

[89] Sahai, A. & Waters, B. (2005). Fuzzy Identity-Based Encryption. In: Advances in
Cryptology - Proceedings of EUROCRYPT’05, Lecture Notes in Computer Science
(LNCS), Vol 3494, Springer-Verlag, pp. 457-473.

[90] Sander, T. & Tschudin, C. F. (1998). Towards Mobile Cryptography. In: Proceedings
of IEEE Symposium on Security & Privacy, Oakland, California, USA, pp. 215-224,
May 1998.

[91] Sander, T. & Tshudin, C. F. (1998a). Protecting Mobile Agents against Malicious
Hosts. In: Proceedings of International Conference on Mobile Agents and Security,
Lecture Notes in Computer Science (LNCS), Vol 1419, Springer-Verlag, pp. 44-60.

[92] Sander, T., Young, A., & Yung, M. (1999). Non-Interactive CryptoComputing for NC.
In: Proceedings of the 40th Annual IEEE Symposium on Foundations of Computer
Science, pp. 564-566, October 1999.

[93] Shannon, C. (1949). Communication Theory of Secrecy Systems. Bell System Techni‐
cal Journal, Vol 28, Issue 4, pp. 656-715, October 1949.

[94] Smart, N. P. & Vercauteren, F. (2010). Fully Homomorphic Encryption with Relative‐
ly Small Key and Ciphertext Sizes. In: Public Key Cryptography - Proceedings of the
13th International Conference on Practice and Theory in Public Key Cryptography
(PKC’10), Lecture Notes in Computer Science (LNCS), Vol 6056, Springer-Verlag, pp.
420-443.

[95] Smart, N. & Vercauteren. (2012). Fully Homomorphic SIMD Operations. Design Co‐
des and Cryptography, Springer, USA, July 2012.
[96] Stehle, D. & Steinfeld, R. (2010). Faster Fully Homomorphic Encryption. In: Advan‐
ces in Cryptology – Proceedings of ASIACRYPT’10, Lecture Notes in Computer Sci‐
ence (LNCS), Vol 6477, Springer-Verlag, pp. 377-394.

[97] Vaikuntanathan, V. (2011). Computing Blindfolded: New Developments in Fully Ho‐


momorphic Encryption. In: Proceedings of the IEEE 52nd Annual Symposium on
Foundations of Computer Science (FOCS’11), pp. 5-16, IEEE Computer Society Press,
Washington, DC, USA.

[98] Van Tilborg, H. C. A. & Jajodia, S. (Eds) (2011). Encyclopaedia of Cryptography and
Security. Springer-Verlag, New York, NY, USA, 2011.

180
Homomorphic Encryption — Theory and Application 31
http://dx.doi.org/10.5772/56687

[99] Vernam, G. S. (1926). Cipher Printing Telegraph Systems for Secret Wire and Radio
Telegraphic Communications. Journal of the American Institute of Electrical Engi‐
neers, Vol 45, pp. 295-301.

[100] Wagner, D. (2003). Cryptanalysis of an Algebraic Privacy Homomorphism. In: Pro‐


ceedings of the 6th International Conference on Information Security (ISC’03), Lecture
Notes in Computer Science (LNCS), Vol 2851, Springer-Verlag, pp.234-239.

[101] Wagner, N. R. & Magyarik, M. R. (1985). A Public Key Cryptosystem Based on the
Word Problem. In: Advances in Cryptology- Proceedings of CRYPTO’84, Lecture
Notes in Computer Science (LNCS), Vol 196, Springer-Verlag, pp. 19-36.

181
SECURITY ISSUES IN A
NETWORKED AGE
RESEARCH COLLECTION

Wireless networks are truly pervasive in the modern environment: from the workplace and the home, to implanted medical devices. Network security, therefore, is of paramount importance. This volume begins with an overview of the security vulnerabilities of wireless sensor networks, but also offers some means of defence against them. It goes on to propose ways of securing routing in wireless mesh networks. Two further chapters offer in-depth studies of secure and privacy-preserving data protocols for wireless sensor and mesh networks. The book concludes with an overview of the history of homomorphic encryption as a means of securing data, also covering some emerging trends in which this form of encryption offers exciting new possibilities.

© Can Stock Photo Inc. / kentoh

ISBN 978-953-51-2321-7

INTECHOPEN.COM