Security Issues in a Networked Age - Research Collection
by Jaydip Sen
Published by InTech
Janeza Trdine 9, 51000 Rijeka, Croatia
Edition 2016
© InTech and the Author(s) 2016
The moral rights of the author have been asserted.
All rights to the book as a whole are reserved by InTech. The book as a whole (compilation) cannot
be reproduced, distributed or used for commercial or non-commercial purposes without InTech’s
written permission. Enquiries concerning the use of the book should be directed to InTech’s rights and
permissions department (permissions@intechopen.com).
Individual chapters of this publication are distributed under the terms of the Creative Commons
Attribution 3.0 Unported License which permits commercial use, distribution and reproduction of the
individual chapters, provided the original author and source publication are appropriately acknowledged.
More details and guidelines concerning content reuse and adaptation can be found at http://www.
intechopen.com/copyright-policy.html.
Notice
Statements and opinions expressed in the chapters are these of the individual contributors and
not necessarily those of the editors or publisher. No responsibility is accepted for the accuracy of
information contained in the published chapters. The publisher assumes no responsibility for any
damage or injury to persons or property arising out of the use of any materials, instructions, methods or
ideas contained in the book.
ISBN 978-953-51-2321-7
Contents
Preface VII
Wireless networks are truly pervasive in the modern environment: from the workplace and
the home, to implanted medical devices. Network security, therefore, is of paramount
importance. This volume begins with an overview of the security vulnerabilities of wireless
sensor networks, but also offers some means of defence against them. It goes on to propose
ways of securing routing in wireless mesh networks. Two further chapters offer in-depth
studies of secure and privacy-preserving data protocols for wireless sensor and mesh
networks. The book concludes with an overview of the history of homomorphic encryption as
a means of securing data, also covering some emerging trends in which this form of
encryption offers exciting new possibilities.
Jaydip Sen (2010). Routing Security Issues in Wireless Sensor Networks: Attacks and Defenses, Sustainable Wireless Sensor Networks, Yen Kheng Tan (Ed.), InTech, DOI: 10.5772/12952.
Jaydip Sen (2011). Secure Routing in Wireless Mesh Networks, Wireless Mesh Networks, Nobuo Funabiki (Ed.), InTech, DOI: 10.5772/13468.
Jaydip Sen (2012). Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks, Cryptography and Security in Computing, Dr. Jaydip Sen (Ed.), InTech, DOI: 10.5772/38615.
Jaydip Sen (2012). Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks, Applied Cryptography and Network Security, Dr. Jaydip Sen (Ed.), InTech, DOI: 10.5772/39176.
Jaydip Sen (2013). Homomorphic Encryption — Theory and Application, Theory and Practice of Cryptography and Network Security Protocols and Technologies, Prof. Jaydip Sen (Ed.), InTech, DOI: 10.5772/56687.
Routing Security Issues in Wireless Sensor Networks: Attacks and Defenses
1. Introduction
Wireless Sensor Networks (WSNs) are rapidly emerging as an important new area in
wireless and mobile computing research. Applications of WSNs are numerous and growing,
and range from indoor deployment scenarios in the home and office to outdoor deployment
scenarios in adversary’s territory in a tactical battleground (Akyildiz et al., 2002). For
military environment, dispersal of WSNs into an adversary’s territory enables the detection
and tracking of enemy soldiers and vehicles. For home/office environments, indoor sensor
networks offer the ability to monitor the health of the elderly and to detect intruders via a
wireless home security system. In each of these scenarios, lives and livelihoods may depend
on the timeliness and correctness of the sensor data obtained from dispersed sensor nodes.
As a result, such WSNs must be secured to prevent an intruder from obstructing the
delivery of correct sensor data and from forging sensor data. To address the latter problem,
end-to-end data integrity checksums and post-processing of sensor data can be used to
identify forged sensor data (Estrin et al., 1999; Hu et al., 2003a; Ye et al., 2004).
The design and implementation of secure WSNs must simultaneously address several
difficult research challenges. First, wireless communication among the sensor nodes
increases the vulnerability of the network to eavesdropping, unauthorized access, spoofing,
replay, and denial-of-service (DoS) attacks. Second, the sensor nodes themselves are highly
resource-constrained in terms of limited memory, CPU, communication bandwidth, and
especially battery life. These resource constraints limit the degree of encryption, decryption,
and authentication that can be implemented on individual sensor nodes, and call into
question the suitability of traditional security mechanisms such as computation-intensive
public-key cryptography for such resource-constrained sensor nodes (Carman et al., 2000).
Third, WSNs face the added physical security risk of individual sensor nodes falling into
wrong hands. Sensor nodes that are physically deployed in the field can be captured by an
intruder, and can then be subject to attacks from the potentially well-equipped intruder in
order to compromise a single resource-poor node. Following a successful attack, a
compromised sensor node could then be used to launch such malicious activities as
advertising false routing information, and launching DoS attacks from within the sensor
network.
The combined threats introduced by increased physical security risk and severe resource
constraints motivate the following design philosophy to achieve secure WSNs: assume that
a well-equipped intruder can compromise individual sensor nodes, but secure the overall
design of the WSN so that these intrusions can be tolerated and the network as a whole
remains functioning despite such localized intrusions. More precisely, the objective is the
design of an intrusion-tolerant WSN that has the property that a single compromised node
can only disrupt a localized portion of the network, and cannot bring down the entire sensor
network. This design objective of intrusion tolerance for secure WSNs must provide
protection against two classes of attacks that could bring down an entire sensor network:
DoS-type attacks and routing disruption attacks that propagate erroneous control packets
containing false routing information throughout the network.
The focus of this chapter is on routing security in WSNs. Most of the currently existing
routing protocols for WSNs optimize for the limited capabilities of the nodes and the
application-specific nature of the network, but do not address the security aspects of the
protocols. Although these protocols have not been designed with security as a goal, it is
extremely important to analyze their security properties. When the defender has the
liabilities of insecure wireless communication, limited node capabilities, and possible insider
threats, and the adversaries can use powerful laptops with high energy and long range
communication to attack the network, designing a secure routing protocol for WSNs is
obviously a non-trivial task.
One aspect of sensor networks that complicates the design of a secure routing protocol is in-
network aggregation (Shrivastava et al., 2004; Madden et al., 2002; Przydatek et al., 2003; Zhu
et al., 2004a). In more conventional networks, a secure routing protocol is typically only
required to guarantee message availability. Message integrity, authenticity, and
confidentiality are handled at a higher layer by an end-to-end security mechanism such as
SSH or SSL. End-to-end security is possible in more conventional networks because it is
neither necessary nor desirable for intermediate routers to have access to the contents of
messages. However, in sensor networks, in-network processing makes end-to-end security
mechanism harder to deploy because intermediate nodes need direct access to the contents
of the messages. Link layer security mechanisms can help mediate some of the resulting
vulnerabilities, but it is not enough: we will now require much more from our protocols,
and they must be designed with this in mind.
The organization of this chapter is as follows. In Section 2, we discuss the various resource
constraints under which a typical WSN operates. In Section 3, various security requirements
of such networks are identified. In Section 4, a number of security vulnerabilities of WSNs
are presented. Different types of attacks at various layers such as physical, link, network and
transport layers are discussed in detail. In particular, various attacks at the network layer
are described, such as: (i) spoofed routing information (Karlof et al., 2003), (ii) selective
packet forwarding (Karlof et al., 2003), (iii) sinkhole (Wood et al., 2002), (iv) Sybil (Newsome
et al., 2004), (v) wormhole (Karlof et al., 2003), (vi) hello flood (Karlof et al., 2003), (vii)
acknowledgment spoofing etc (Karlof et al., 2003). Section 5 presents a discussion on the
defense mechanisms for DoS attacks at the network layer. In particular, schemes such as use
of message authentication code (MAC) (Perrig et al., 2002), directional antenna-based
defense (Hu et al., 2004a), packet leashes (Hu et al., 2004b), client puzzles (Aura et al., 2001)
are discussed. Section 6 discusses secure broadcasting and multicasting techniques based on
group key management protocols (Rafaeli et al., 2003) and directed diffusion-based
mechanism (Di Pietro et al., 2003). Section 7 presents some of the well-known existing
secure routing protocols for WSNs such as μTESLA (Liu et al., 2004), INSENS (Deng et al.,
2002b), SPINS (Perrig et al., 2002) and TRANS (Tanachawiwat et al., 2003); defense
mechanisms against Sybil attacks (Newsome et al., 2004; Chan, et al., 2003b; Eschenauer et al.,
2002; Du et al., 2003) and against blackhole and grayhole attacks (Sen et al., 2007b), as well as
a secure and energy-efficient routing protocol (Sen et al., 2010), are also discussed in detail.
Finally, in conclusion, some future research directions are discussed.
In summary, the chapter makes the following contributions:
- It proposes threat models and security goals for secure routing in WSNs.
- It identifies various possible attacks on the network layer of a WSN.
- It demonstrates how attacks against ad-hoc wireless networks and peer-to-peer
networks can be adapted into powerful attacks against WSNs.
- It presents a detailed security analysis of all the major routing protocols and energy
conserving topology maintenance algorithms for WSNs.
- It presents various defense mechanisms to counter the well-known attacks on the
routing protocols of WSNs.
2. Constraints in WSNs
A WSN consists of a large number of sensor nodes which are inherently resource-
constrained. These nodes have limited processing capability, very low storage capacity, and
constrained communication bandwidth. These limitations are due to limited energy and
physical size of the sensor nodes. Due to these constraints, it is difficult to directly employ
the conventional security mechanisms in WSNs. In order to optimize the conventional
security algorithms for WSNs, it is necessary to be aware of the constraints of sensor
nodes (Carman et al., 2000). The major constraints of a WSN are listed below.
(i) Energy constraints: Energy is the biggest constraint for a WSN. In general, energy
consumption in sensor nodes can be categorized in three parts: (i) energy for the sensor
transducer, (ii) energy for communication among sensor nodes, and (iii) energy for
microprocessor computation. The study in (Hill et al., 2000) found that each bit transmitted
in WSNs consumes about as much power as executing 800 to 1000 instructions. Thus,
communication is more costly than computation in WSNs. Any message expansion caused
by security mechanisms comes at a significant cost. Further, higher security levels in WSNs
usually correspond to more energy consumption for cryptographic functions. Thus, WSNs
could be divided into different security levels depending on energy cost (Slijepcevic et al.,
2002; Yuan et al., 2002).
(ii) Memory limitations: A sensor is a tiny device with only a small amount of memory and
storage space. Memory in a sensor node usually includes flash memory and RAM. Flash
memory is used for storing downloaded application code and RAM is used for storing
application programs, sensor data, and intermediate results of computations. There is
usually not enough space to run complicated algorithms after loading the OS and
application code. In the SmartDust project, for example, TinyOS consumes about 4K bytes of
instructions, leaving only 4500 bytes for security and applications (Hill et al., 2000). A
common sensor type, TelosB, has a 16-bit, 8 MHz RISC CPU with only 10K RAM, 48K
program memory, and 1024K flash storage. The current security algorithms are therefore
infeasible in these sensors (Perrig et al., 2002).
(iii) Unreliable communication: Unreliable communication is another serious threat to sensor
security. Normally the packet-based routing of sensor networks is based on connectionless
protocols and thus inherently unreliable. Packets may get damaged due to channel errors or
may get dropped at highly congested nodes. Furthermore, the unreliable wireless
communication channel may also lead to damaged or corrupted packets. Higher error rate
also mandates robust error handling schemes to be implemented leading to higher
overhead. In certain situations, even if the channel is reliable, the communication may not be
so. This is due to the broadcast nature of wireless communication, as the packets may collide
in transit and may need retransmission (Akyildiz et al., 2002).
(iv) Higher latency in communication: In a WSN, multi-hop routing, network congestion and
processing in the intermediate nodes may lead to higher latency in packet transmission. This
makes synchronization very difficult to achieve. The synchronization issues may sometimes
be very critical in security as some security mechanisms may rely on critical event reports
and cryptographic key distribution (Stankovic, 2003).
(v) Unattended operation of networks: In most cases, the nodes in a WSN are deployed in
remote regions and are left unattended. The likelihood that a sensor encounters a physical
attack in such an environment is therefore very high. Remote management of a WSN makes
it virtually impossible to detect physical tampering. This makes security in WSNs a
particularly difficult task.
keys for message communication, where a potential adversary can launch a replay attack
using the old key as the new key is being refreshed and propagated to all the nodes in the
WSN. A nonce or time-specific counter may be added to each packet to check the freshness
of the packet.
(v) Self-organization: Each node in a WSN should be self-organizing and self-healing. This
feature of a WSN also poses a great challenge to security. The dynamic nature of a WSN
makes it sometimes impossible to deploy any pre-installed shared key mechanism among
the nodes and the base station (Eschenauer et al., 2002). A number of key pre-distribution
schemes have been proposed in the context of symmetric encryption (Chan et al., 2003b;
Eschenauer et al., 2002; Hwang et al., 2004; Liu, et al., 2005a). However, for application of
public-key cryptographic techniques an efficient mechanism for key-distribution is very
much essential. It is desirable that the nodes in a WSN self-organize among themselves not
only for multi-hop routing but also to carry out key management and to develop trust
relations.
(vi) Secure localization: In many situations, it becomes necessary to accurately and
automatically locate each sensor node in a WSN. For example, a WSN designed to locate
faults would require accurate locations of sensor nodes identifying the faults. A potential
adversary can easily manipulate and provide false location information by reporting false
signal strength, replaying messages etc., if the location information is not secured properly.
The authors in (Capkun et al., 2006) have described a technique called verifiable
multilateration (VM). In multilateration, the position of a device is accurately computed from a
series of known reference points. The authors have used authenticated ranging and distance
bounding to ensure accurate location of a node. Because of the use of distance bounding, an
attacking node can only increase its claimed distance from a reference point. However, to
ensure location consistency, the attacker would also have to prove that its distance from
another reference point is shorter. As it is not possible for the attacker to prove this, it is
possible to detect the attacker. In (Lazos et al., 2005), the authors have described a scheme
called secure range-independent localization (SeRLoC). The scheme is a decentralized range-
independent localization scheme. It is assumed that the locators are trusted and cannot be
compromised by any attacker. A sensor computes its location by listening to the beacon
information sent by each locator which includes the locator’s location information. The
beacon messages are encrypted using a shared global symmetric key that is pre-distributed
in the sensor nodes. Using the information from all the beacons that a sensor node receives,
it computes its approximate location based on the coordinates of the locators. The sensor
node then computes an overlapping antenna region using a majority vote scheme. The final
location of the sensor node is determined by computing the center of gravity of the
overlapping antenna region.
(vii) Time synchronization: Most of the applications in sensor networks require time
synchronization. Any security mechanism for WSN should also be time-synchronized. A
collaborative WSN may require synchronization among a group of sensors. In (Ganeriwal et
al., 2005), the authors have proposed a set of secure synchronization protocols for multi-hop
sender-receiver and group synchronization.
(viii) Authentication: It ensures that the communicating node is the one that it claims to be.
An adversary can not only modify data packets but also can change a packet stream by
injecting fabricated packets. It is, therefore, essential for a receiver to have a mechanism to
verify that the received packets have indeed come from the actual sender node. In case of
communication between two nodes, data authentication can be achieved through a message
authentication code (MAC) computed from the shared secret key among the nodes. A number
of authentication schemes for WSNs have been proposed by researchers. Most of these
schemes are for secure routing and reliable packet delivery. Some of these schemes will be
discussed in Section 5.
(x) Resource depletion attack: in this type of attack, a malicious node tries to deplete resources
of other nodes in the network. The typical resources that are targeted are: battery power,
bandwidth, and computational power. The attacks could be in the form of unnecessary
requests for routes, very frequent generation of beacon packets, or forwarding of stale
packets to other nodes.
Acknowledgment spoofing: some routing algorithms for WSNs require transmission of
acknowledgment packets. An attacking node may overhear packet transmissions from its
neighboring nodes and spoof the acknowledgments thereby providing false information to
the nodes (Karlof et al., 2003). In this way, the attacker is able to disseminate wrong
information about the status of the nodes.
(xi) Attacks on routing protocols: most of the routing protocols for WSNs are vulnerable to
various types of attacks. Some of these attacks are listed below.
- Routing table overflow: in this type of attack, an adversary node advertises routes to
non-existent nodes to the authorized nodes present in the network. The main
objective of such an attack is to cause an overflow of the routing tables, which would
in turn prevent the creation of entries corresponding to new routes to authorized
nodes. Proactive routing protocols are more vulnerable to this attack compared to
reactive routing protocols.
- Routing table poisoning: in this case, the compromised nodes in the network send
fictitious routing updates or modify genuine route update packets sent to other
honest nodes. Routing table poisoning may result in sub-optimal routing, congestion
in some portions of the network, or even make some parts of the network
inaccessible.
- Packet replication: in this attack, an adversary node replicates stale packets. This
consumes additional bandwidth and battery power and other resources available to
the nodes and also causes unnecessary confusion in the routing process.
- Route cache poisoning: in reactive (i.e. on-demand) routing protocols such as ad hoc
on-demand distance vector (AODV) (Perkins, et al., 1999), each node maintains a
route cache which holds information regarding routes that have become known to
the node in the recent past. Similar to routing table poisoning, an adversary can also
poison the route cache to achieve similar objectives.
- Rushing attack: on-demand routing protocols that use duplicate suppression during the
route discovery process are vulnerable to this attack (Hu et al., 2003b). An adversary
node which receives a route request packet from the source node floods the packet
quickly throughout the network before other nodes which also receive the same
route request packet can react. Nodes that receive the legitimate route request packets
assume those packets to be duplicates of the packet already received through the
adversary node and hence discard those packets. Any route discovered by the source
node would contain the adversary node as one of the intermediate nodes. Hence, the
source node would not be able to find secure routes, that is, routes that do not
include the adversary node. It is extremely difficult to detect such attacks in WSNs.
(d) Transport layer attacks: The attacks that can be launched on the transport layer in a
WSN are flooding attack and de-synchronization attack.
(i) Flooding: Whenever a protocol is required to maintain state at either end of a connection,
it becomes vulnerable to memory exhaustion through flooding (Wood et al., 2002). An
attacker may repeatedly make new connection requests until the resources required by each
connection are exhausted or reach a maximum limit. In either case, further legitimate
requests will be ignored.
(ii) De-synchronization: De-synchronization refers to the disruption of an existing connection
(Wood et al., 2002). An attacker may, for example, repeatedly spoof messages to an end host
causing the host to request the retransmission of missed frames. If timed correctly, an
attacker may degrade or even prevent the ability of the end hosts to successfully exchange
data causing them instead to waste energy attempting to recover from errors which never
really exist. The possible DoS attacks and the corresponding countermeasures are listed in
Table 1.
of these vast data sources. Privacy preservation of sensitive data in a WSN is a particularly
difficult challenge (Gruteser et al., 2003). Moreover, an adversary may gather seemingly
innocuous data to derive sensitive information if he knows how to aggregate data collected
from multiple sensor nodes. This is analogous to the panda hunter problem, where the hunter
can accurately estimate the location of the panda by monitoring the traffic (Ozturk et al.,
2004).
The privacy preservation in WSNs is even more challenging since these networks make
large volumes of information easily available through remote access mechanisms. Since the
adversary need not be physically present to carry out the surveillance, the information
gathering process can be done anonymously with a very low risk. In addition, remote access
allows a single adversary to monitor multiple sites simultaneously (Chan et al., 2003a).
Following are some of the common attacks on sensor data privacy (Gruteser et al., 2003,
Chan et al., 2003a):
(iii) Eavesdropping and passive monitoring: This is the most common and the easiest form of
attack on data privacy. If the messages are not protected by cryptographic mechanisms, the
adversary could easily understand the contents. Packets containing control information in a
WSN convey more information than is accessible through the location server, so eavesdropping
on these messages proves more effective for an adversary.
(iv) Traffic analysis: In order to make an effective attack on privacy, eavesdropping should be
combined with a traffic analysis. Through an effective analysis of traffic, an adversary can
identify some sensor nodes with special roles and activities in a WSN. For example, a
sudden increase in message communication between certain nodes signifies that those
nodes have some specific activities and events to monitor. Deng et al. have demonstrated
two types of attacks that can identify the base station in a WSN without even understanding
the contents of the packets being analyzed in traffic analysis (Deng et al., 2004).
(v) Camouflage: An adversary may compromise a sensor node in a WSN and later on use that
node to masquerade as a normal node in the network. This camouflaged node then may
advertise false routing information and attract packets from other nodes for further
forwarding. After the packets start arriving at the compromised node, it starts forwarding
them to strategic nodes where privacy analysis on the packets may be carried out
systematically.
It may be noted from the above discussion that WSNs are vulnerable to a number of attacks
at all layers of the TCP/IP protocol stack. However, as pointed out by authors in (Perrig et
al., 2004), there may be other types of attacks possible which are not yet identified. Securing
a WSN against all these attacks may be quite a challenging task.
Hu et al. have proposed a novel and generic mechanism called packet leashes for detecting
and defending against wormhole attacks (Hu et al., 2004b). As mentioned in Section 4.1, in a
wormhole attack, a malicious node eavesdrops on a series of packets, then tunnels them
through a path in the network, and replays them. This is done in order to make a false
representation of the distance between the two colluding nodes. It is also used, more
generally, to disrupt the routing protocol by misleading the neighbor discovery process
(Karlof et al., 2003). Hu et al. have presented a mechanism that employs directional antennas
to combat wormhole attacks (Hu et al., 2004a). Wang and Bhargava have used a visualization
approach to detect wormholes in a WSN (Wang et al., 2004b). In the mechanism proposed
by the authors, a distance estimation is made between all the sensor nodes in a
neighborhood. Using multi-dimensional scaling, a virtual layout of the network is then
computed, and a surface smoothing strategy is used to adjust the round-off errors. Finally,
the shape of the resulting virtual network is analyzed. If any wormhole exists, the shape of
the network will bend and curve towards the wormhole, otherwise the network will appear
flat.
To defend against flooding DoS attacks at the transport layer, Aura et al. have proposed a
mechanism using client puzzles (Aura et al., 2001). The main idea is that each connecting
client should demonstrate its commitment to the connection by solving a puzzle. As an
attacker, in all likelihood, does not have infinite resources, it will be impossible for him to
create new connections fast enough to cause resource starvation on the serving node.
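As an added illustration of the client-puzzle idea (example code written for this page, not the chapter's code nor the exact construction of Aura et al.), the following Python models a hash-based puzzle: the serving node issues a fresh nonce and a difficulty k, the client must find a value whose SHA-256 hash together with the nonce starts with k zero bits, and the server checks it with a single hash. The nonce handling, the difficulty and the client identifier are assumptions of this example.

```python
import hashlib
import secrets

# Added example (not the chapter's code nor the exact construction of Aura et
# al.): a hash-based client puzzle. Assumed protocol: the serving node issues a
# fresh nonce N_s and difficulty k; the client must find a solution X such that
# SHA-256(N_s || client_id || X) has at least k leading zero bits. Solving costs
# about 2^k hashes; checking costs one, which is the asymmetry that blunts a
# connection-flooding attacker without infinite resources.


def leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def puzzle_hash(server_nonce: bytes, client_id: bytes, solution: int) -> bytes:
    data = server_nonce + client_id + solution.to_bytes(8, "big")
    return hashlib.sha256(data).digest()


class PuzzleServer:
    """Serving node: issues puzzles, keeps only a small table of outstanding
    nonces, and commits state for a connection only after a valid solution."""

    def __init__(self, difficulty: int):
        self.difficulty = difficulty
        self.outstanding = {}  # server_nonce -> client_id

    def issue(self, client_id: bytes) -> tuple:
        nonce = secrets.token_bytes(16)
        self.outstanding[nonce] = client_id
        return nonce, self.difficulty

    def verify(self, server_nonce: bytes, client_id: bytes, solution: int) -> bool:
        # A nonce the server never issued, or one already consumed, is rejected
        # outright; this blocks forged and replayed solutions.
        if self.outstanding.get(server_nonce) != client_id:
            return False
        digest = puzzle_hash(server_nonce, client_id, solution)
        if leading_zero_bits(digest) < self.difficulty:
            return False
        del self.outstanding[server_nonce]  # single use: a solved puzzle cannot be replayed
        return True


def solve(server_nonce: bytes, client_id: bytes, difficulty: int) -> int:
    """Brute-force search the connecting client must perform (~2^difficulty hashes)."""
    solution = 0
    while leading_zero_bits(puzzle_hash(server_nonce, client_id, solution)) < difficulty:
        solution += 1
    return solution


def handshake(difficulty: int = 12) -> dict:
    """One legitimate connection attempt, then a replay and a forged nonce."""
    server = PuzzleServer(difficulty)
    client = b"node-17"  # constructed client identifier
    nonce, k = server.issue(client)
    x = solve(nonce, client, k)
    return {
        "accepted": server.verify(nonce, client, x),
        "replayed": server.verify(nonce, client, x),                 # same solution again
        "forged": server.verify(secrets.token_bytes(16), client, x),  # nonce never issued
    }


if __name__ == "__main__":
    print(handshake())  # {'accepted': True, 'replayed': False, 'forged': False}
```

The difficulty k is the knob the serving node can raise while it is under load, which is what makes the scheme adaptive rather than a fixed tax on every client.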
A possible defense against de-synchronization attack on the transport layer is to enforce a
mandatory requirement of authentication of all packets communicated between nodes
(Wood et al., 2002). If the authentication mechanism is secure, an attacker will be unable to
send any spoofed messages to any destination node.
Some mechanisms for secure multicasting and broadcasting in WSNs are discussed in the
following sub-section.
have been developed for WSNs based on logical key tree technique (Di Pietro et al., 2003;
Lazos et al., 2002; Lazos et al., 2003). While centralized solutions are not always the most
efficient ones, these mechanisms may sometimes be very effective for WSNs, as relatively
heavier computations can be usually carried out in powerful base stations.
Di Pietro et al. have proposed a directed diffusion-based multicast mechanism for WSNs
that utilizes a logical key hierarchy (Di Pietro et al., 2003). In the logical hierarchy, a central
key distributor is at the root of a tree, and the nodes in the network are the leaf level. The
internal nodes of tree contain keys that are used in the re-keying process. The directed
diffusion is an energy-efficient data dissemination technique for WSNs (Intanagonwiwat et
al., 2000). In directed diffusion, a query is transformed into an interest and then diffused
throughout the network. The source node then starts collecting data from the network based
on the propagated interest. The dissemination technique also sets up certain gradients
designed to draw events toward the interest. The collected data is then sent back to the
source along the reverse path of the interest propagation. The directed diffusion-based
logical key hierarchy scheme as proposed by Di Pietro et al. allows nodes to join and leave
groups. The key hierarchy is used to effectively re-establish keys for the nodes below the
node that has left the group. When a node declares its intention to join a group, a key set is
generated for the new node based on the keys within the existing key hierarchy.
Kaya et al. discuss the problem of multicast group management in (Kaya et al., 2003). In
their proposition, the nodes in a network are grouped based on their locality and a security
tree is constructed on the groups.
Lazos and Poovendran have presented a tree-based key distribution scheme that is similar
to the directed diffusion-based logical key hierarchy proposed by Di Pietro et al. (Lazos et
al., 2003). In their proposed scheme, a routing-aware tree is constructed in which the leaf
nodes are assigned keys based on all relay nodes above them. As the scheme takes
advantage of routing information for constructing the key hierarchy, it is more energy-
efficient than routing schemes that arbitrarily arrange nodes into a routing tree. The authors
have also proposed a greedy routing-aware key distribution algorithm.
In (Lazos et al., 2003), the authors have proposed a mechanism that uses geographic location
information (e.g. GPS data) for construction of a logical key hierarchy for secure multicast
communication. The nodes, based on the geographical location information, are grouped
into different clusters. The nodes within a cluster are able to reach each other with a single
hop communication. Using the cluster information, a key hierarchy is constructed in a
manner similar to that proposed in (Lazos et al., 2002).
292 Security Issues in a Networked Age / Sustainable Wireless Sensor Networks
discussion on various types of attacks on the routing protocols in WSNs is given in (Karlof
et al., 2003).
The goal of a secure routing protocol for a WSN is to ensure the integrity, authentication,
and availability of messages. Most of the existing secure routing algorithms for WSNs are all
based on symmetric key cryptography except the work in (Du et al., 2005), which is based
on public key cryptography. In the following sub-sections, some of the existing secure
routing protocols for WSNs are discussed in detail.
Fig. 1. Time-released key chain for source authentication (Wang et al. 2006)
Fig. 1 shows an example of μTESLA. The receiver node is loosely time synchronized and
knows K0 in an authenticated way. Packets P1 and P2 sent in interval 1 contain a MAC with a
key K1. Packet P3 has a MAC using key K2. If P4, P5, and P6 are all lost, as well as the packet
that disclosed the key K1, the receiver cannot authenticate P1, P2, and P3. In interval 4, the
base station broadcasts the key K2, which the nodes authenticate by verifying K0 = F(F(K2)),
and hence know also K1 = F(K2), so they can authenticate packets P1, P2 with K1, and P3 with
K2. SPINS limits the broadcasting capability to only the base station. If a node wants to
Routing Security Issues in Wireless Sensor Networks: Attacks and Defenses 293
broadcast authenticated data, the node has to broadcast the data through the base station.
The data is first sent to the base station in an authenticated way. It is then broadcasted by
the base station.
To bootstrap a new receiver, μTESLA depends on a point-to-point authentication
mechanism in which a receiver sends a request message to the base station and the base
station replies with a message containing all the necessary parameters. It may be noted that
μTESLA requires the base station to unicast initial parameters to individual sensor nodes,
and thus incurs a long delay to boot up a large-scale sensor network. Liu and Ning have
proposed a multi-level key chain scheme for broadcast authentication to overcome this
deficiency (Liu et al., 2003; Liu et al. 2004).
The basic idea in (Liu et al., 2003; Liu et al., 2004) is to predetermine and broadcast the initial
parameters required by μTESLA instead of using unicast-based message transmission. The
simplest way is to pre-distribute the μTESLA parameters with a master key during the
initialization of the sensor nodes. As a result, all sensor nodes have the key chain
commitments and other necessary parameters once they are initialized, and are ready to use
μTESLA as long as the starting time has passed. Furthermore, the authors have introduced a
multi-level key chain scheme, in which the higher key chains are used to authenticate the
commitments of the lower-level ones. However, the multi-level key chain suffers from
possible DoS attacks during the commitment distribution stage. Further, none of the μTESLA or
multi-level key chain schemes is scalable in terms of the number of senders. In (Liu et al.,
2005b), a practical broadcast authentication protocol has been proposed to support a
potentially large number of broadcast senders using μTESLA as a building block.
μTESLA provides broadcast authentication for base stations, but is not suitable for local
broadcast authentication. This is because μTESLA does not provide immediate
authentication. For every received packet, a node has to wait for one μTESLA interval to
receive the MAC key used in computing the MAC for the packet. As a result, if μTESLA is
used for local broadcast authentication, a message traversing l hops will take at least l
μTESLA intervals to arrive at the destination. In addition, a sensor node has to buffer all
unverified packets. Both the latency and the storage requirements limit the scheme for
authenticating infrequent messages broadcast by the base station. Zhu et al. have
proposed a one-way key chain scheme for one-hop broadcast authentication (Zhu
et al., 2004b). The mechanism is known as LEAP. In this scheme, every node
generates a one-way key chain of certain length and then transmits the
commitment (i.e., first key) of the key chain to each neighbor, encrypted with their
pair-wise shared key. Whenever a node has a message to send, it attaches the next
authenticated key in the key chain to the message. The authenticated keys are
disclosed in reverse order to their generation. A receiving neighbor can verify the
message based on the commitment or an authenticated key it received from the
sending node more recently.
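The μTESLA receiver behaviour of Fig. 1 and the one-way key chain check that LEAP's one-hop authentication also relies on, as an added Python example (not code from this chapter, from SPINS or from LEAP). Assumptions: SHA-256 as the one-way function F, HMAC-SHA-256 truncated to 8 bytes as the MAC, a constructed base-station seed, and disclosure of the key for interval i in interval i + 2 as in the figure.

```python
import hmac
import hashlib


def F(key: bytes) -> bytes:
    """One-way function that generates the chain (assumption: SHA-256)."""
    return hashlib.sha256(key).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    """8-byte MAC, the length SPINS uses (assumption: HMAC-SHA-256 truncated)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def make_key_chain(seed: bytes, n: int) -> list:
    """[K0, K1, ..., Kn] with K_{i-1} = F(K_i); K0 is the commitment given to receivers."""
    chain = [seed]
    for _ in range(n):
        chain.append(F(chain[-1]))
    chain.reverse()
    return chain


def verify_chain_key(auth_key: bytes, auth_idx: int, key: bytes, idx: int) -> bool:
    """The check both μTESLA and LEAP rely on: a disclosed key K_idx is genuine iff
    F^(idx - auth_idx)(K_idx) equals the most recent authenticated key K_auth_idx
    (e.g. K0 = F(F(K2)) in Fig. 1). Keys are only ever accepted in increasing order."""
    if idx <= auth_idx:
        return False
    k = key
    for _ in range(idx - auth_idx):
        k = F(k)
    return hmac.compare_digest(k, auth_key)


class MuTeslaReceiver:
    """A loosely time-synchronised receiver that knows K0 in an authenticated way."""

    def __init__(self, commitment: bytes):
        self.auth_key, self.auth_idx = commitment, 0
        self.buffer = []          # (interval, payload, tag) waiting for key disclosure
        self.authenticated = []   # payloads whose MAC verified

    def receive_packet(self, interval: int, payload: bytes, tag: bytes) -> bool:
        """Buffer a packet; refuse it if its key may already have been disclosed,
        because anyone could then have computed the MAC (the security condition)."""
        if interval <= self.auth_idx:
            return False
        self.buffer.append((interval, payload, tag))
        return True

    def receive_key_disclosure(self, idx: int, key: bytes) -> bool:
        """Authenticate K_idx against the chain, derive any keys whose disclosure
        was lost, then verify every buffered packet those keys cover."""
        if not verify_chain_key(self.auth_key, self.auth_idx, key, idx):
            return False
        keys, k = {idx: key}, key
        for j in range(idx - 1, self.auth_idx, -1):
            k = F(k)
            keys[j] = k               # e.g. K1 = F(K2) when K1's disclosure was lost
        self.auth_key, self.auth_idx = key, idx
        still_waiting = []
        for interval, payload, tag in self.buffer:
            if interval in keys:
                if hmac.compare_digest(mac(keys[interval], payload), tag):
                    self.authenticated.append(payload)   # forged/corrupted ones are dropped
            else:
                still_waiting.append((interval, payload, tag))
        self.buffer = still_waiting
        return True


def run_fig1_scenario():
    """Replays the Fig. 1 loss scenario with a constructed chain: P1, P2 (K1) and P3 (K2)
    arrive; P4-P6 and the disclosure of K1 are lost; K2 disclosed in interval 4
    authenticates all three buffered packets."""
    K = make_key_chain(b"constructed base-station seed", 6)   # K0 .. K6
    rx = MuTeslaReceiver(commitment=K[0])
    rx.receive_packet(1, b"P1", mac(K[1], b"P1"))
    rx.receive_packet(1, b"P2", mac(K[1], b"P2"))
    rx.receive_packet(2, b"P3", mac(K[2], b"P3"))
    rx.receive_packet(2, b"forged", b"\x00" * 8)          # injected packet, wrong MAC
    disclosure_ok = rx.receive_key_disclosure(2, K[2])
    late = rx.receive_packet(2, b"late", mac(K[2], b"late"))  # K2 is public now: refused
    return disclosure_ok, rx.authenticated, late, len(rx.buffer)
```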
(i) Semantic security: the counter value is incremented after each message and thus the same
message is encrypted differently each time.
(ii) Data authentication: a receiver can be assured that the message originated from the
claimed sender if the MAC verification produces positive results.
(iii) Replay protection: the counter value in the MAC prevents replaying old messages by an
adversary.
(iv) Weak freshness: SPINS identifies two types of freshness. Weak freshness provides partial
message ordering and carries no delay information. Strong freshness provides a total order
on a request-response pair and allows delay estimation. In SNEP, the counter maintains a
message ordering in the receiver side and yields weak freshness. SNEP guarantees weak
freshness only, since there is no guarantee to node A that a message was created by node B
in response to an event in node A.
(v) Low communication overhead: the counter state is kept at each endpoint and need not be
sent in each message.
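The five SNEP properties listed above, demonstrated in an added Python example (not code from SPINS or from this chapter): counter-mode encryption, a MAC over the counter and ciphertext, and a receiver that rejects replays and tampering while keeping the counter out of the message. Assumptions: the block cipher is modelled with SHA-256 over the key, message counter and block index (SPINS uses RC5), the MAC is HMAC-SHA-256 truncated to 8 bytes, and keys and messages are constructed.

```python
import hmac
import hashlib

CTR_BYTES = 8   # width of the counter inside the MAC and the keystream (assumption)


def _keystream(k_encr: bytes, counter: int, length: int) -> bytes:
    """Counter-mode keystream for one message.  Assumption: the block cipher is
    modelled as SHA-256(K_encr || C || block index); SPINS itself uses RC5-CTR."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(k_encr + counter.to_bytes(CTR_BYTES, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def snep_mac(k_mac: bytes, counter: int, enc: bytes) -> bytes:
    """MAC(K_mac, C || E): the counter is authenticated but never transmitted."""
    return hmac.new(k_mac, counter.to_bytes(CTR_BYTES, "big") + enc,
                    hashlib.sha256).digest()[:8]


def snep_send(k_encr: bytes, k_mac: bytes, counter: int, data: bytes):
    """Sender side: returns the wire message (E, MAC). The sender increments its
    own counter after every message, which is what makes E differ each time."""
    ks = _keystream(k_encr, counter, len(data))
    enc = bytes(a ^ b for a, b in zip(data, ks))
    return enc, snep_mac(k_mac, counter, enc)


class SnepReceiver:
    """Receiver holding the shared counter; rejects forgeries and replays."""

    def __init__(self, k_encr: bytes, k_mac: bytes):
        self.k_encr, self.k_mac, self.counter = k_encr, k_mac, 0

    def receive(self, enc: bytes, tag: bytes):
        expected = snep_mac(self.k_mac, self.counter, enc)
        if not hmac.compare_digest(expected, tag):
            return None          # tampered, wrong key, or a replay under an old counter
        ks = _keystream(self.k_encr, self.counter, len(enc))
        self.counter += 1        # accepted: advance the shared counter (weak freshness)
        return bytes(a ^ b for a, b in zip(enc, ks))


def demo_snep() -> dict:
    """Constructed keys and messages exercising properties (i), (ii), (iii) and (v)."""
    k_encr, k_mac = b"\x01" * 16, b"\x02" * 16
    e0, t0 = snep_send(k_encr, k_mac, 0, b"temp=21")
    e1, t1 = snep_send(k_encr, k_mac, 1, b"temp=21")
    rx = SnepReceiver(k_encr, k_mac)
    return {
        "semantic_security": e0 != e1,                 # same plaintext, different E
        "first_accepted": rx.receive(e0, t0) == b"temp=21",
        "replay_rejected": rx.receive(e0, t0) is None, # counter has moved on
        "tamper_rejected": rx.receive(bytes([e1[0] ^ 1]) + e1[1:], t1) is None,
        "second_accepted": rx.receive(e1, t1) == b"temp=21",
    }
```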
Fig. 2. Network flooding by RREQ and propagation of RREP (Deng et al., 2002a)
In the standard AODV protocol, when the source node S (Fig. 2) wants to communicate with
the destination node D, the source node S broadcasts the route request (RREQ) packet. Each
neighboring active node updates its routing table with an entry for the source node S, and
checks if it is the destination node or whether it has the current route to the destination
node. If an intermediate node does not have the current route to the destination node, it
updates the RREQ packet by increasing the hop count and floods the network with the
RREQ to the destination node D until it reaches node D or any other intermediate node that
has the current route to D. The destination node D or any intermediate node that has the
current route to D, initiates a route reply (RREP) in the reverse direction. Node S starts
sending data packets to the neighboring node that responded first, and discards the other
responses. This works fine when the network has no malicious nodes.
In (Deng et al., 2002a), authors have proposed a solution to identify and isolate a single
blackhole node. However, the security threat arising out of the situation where multiple
blackhole nodes act in coordination has not been addressed. For example, in Fig. 2, when
more than one blackhole node is acting in coordination with the others, the first blackhole
node B1 refers to one of its partners, B2, as the next hop. In the mechanism proposed in
(Deng et al., 2002a), the source node S sends a further request (FRq) to B2 through a different
route (S → 2 → 4 → B2) that does not pass through B1. Node S asks B2 if it has a route to node B1 and a route
to destination node D. Since B2 is cooperating with B1, its further reply (FRp) will be ‘yes’ to
both the queries. Node S starts sending the data packets assuming that the route S → B1 → B2
is secure. However, in reality, the packets are intercepted and then dropped by the node B1
and the security of the network is compromised.
Sen et al. have proposed a security mechanism that can detect cooperative grayhole attacks
in a wireless ad hoc and sensor network (Sen et al., 2007b). As mentioned in Section 4.1,
detection of grayholes is more difficult than detection of blackholes since these nodes drop
packets intermittently and change their behavior frequently so as to avoid detection. In the
proposed mechanism, each node in the network collects the data forwarding information in
its neighborhood and stores it in a table known as the data routing information (DRI) table.
[Figure: nodes 1 to 9 with RREQ and RREP arrows; node 7 is marked as the initiator node (IN), node 1 as the suspected node (SN) and node 2 as the cooperative node (CN).]
Fig. 3. The topology of a wireless ad hoc and sensor network (Sen et al., 2007b)
The DRI table of node 7 in Fig. 3 is shown in Table 2. In its DRI table node 7 maintains packet
routing information of its neighbor nodes 1, 2, 6, 8, and 9. An entry ‘1’ for a node under the
column ‘From’ implies that node 7 has forwarded data packet coming from that node and an
entry ‘1’ for a node under the column ‘Through’ implies that node 7 has forwarded data
packets to that node. Thus, as per Table 2, node 7 has neither forwarded any data packet from
node 1, nor has it forwarded any data packet to node 1. However, node 7 has forwarded data
packets to node 2 and also has forwarded data packets that have come from node 2. In this
way, each node constructs its DRI table and maintains it. After a certain threshold time
interval, each node identifies its neighbors with which it has not interacted, and invokes
subsequent detection procedures to probe them further. This identification is done on the
basis of the nodes that have ‘0’ entries both in the ‘From’ and ‘Through’ columns in the DRI
table. For example, as shown in Table 2, node 7 has not communicated to node 1. Therefore,
the node 7 invokes the local anomaly detection procedure for node 1. The ‘RTS/CTS’ column
in the DRI table gives the ratio of the number of request to send (RTS) messages to the number
of clear to send (CTS) messages for the corresponding node. This gives a rough idea about the
number of requests arriving at the node for data communication and the number of packet
transmissions that the node is actually doing. The significance of the column ‘CheckBit’ in the
DRI table will be discussed later in this section.
The node that initiates the anomaly detection procedure is called the initiator node (IN). The
IN first chooses a cooperative node (CN) in its neighborhood based on its DRI records and
broadcasts a RREQ message to its 1-hop neighbors requesting a route to the CN. In reply
to this RREQ message the IN will receive a number of RREP messages from its neighboring
nodes. It will certainly receive a RREP message from the suspected node (SN) if the latter is
really a grayhole (since the grayholes always send RREP messages but drop data packets
probabilistically). After receiving the RREP from the SN, the IN sends a probe packet to the
CN through the SN. After the time to live (TTL) value of the probe packet is over, the IN
enquires the CN whether it has received the probe packet. If the reply to this query is
affirmative (i.e., the probe packet was really received by the CN), then the IN updates its DRI
table by making an entry ‘1’ under the column ‘CheckBit’ against the node ID of the SN.
However, if the probe packet is found to have not reached the CN, the IN increases its level
of suspicion about the SN and activates the cooperative anomaly detection procedure, as
discussed later in this section.
In Fig. 3, node 7 acts as the IN and initiates the local anomaly detection procedure for the SN
(node 1) and chooses node 2 as the CN. Node 2 is the most reliable node for node 7 as both
the entries under columns ‘From’ and ‘Through’ for node 2 are ‘1’. Node 7 broadcasts a
RREQ message to all its neighbor nodes 1, 2, 6, 8 and 9 requesting a route to the
CN, i.e., node 2 in the example. After receiving a RREP from the SN (node 1), node 7 sends a
probe packet to node 2 via node 1. Node 7 then enquires node 2 whether it has received the
probe packet. If node 2 has received the probe packet, node 7 makes an entry ‘1’ under the
column ‘CheckBit’ in its DRI table corresponding to the row of node 1. If node 2 has not
received the probe packet, then node 7 invokes the cooperative anomaly detection
procedure. The objective of the cooperative anomaly detection is to increase the detection
reliability by reducing the probability of false detection.
The cooperative detection procedure is activated when an IN observes that the probe packet
it had sent to the CN through the SN did not reach the CN. The IN invokes the cooperative
detection procedure and sends a cooperative detection request message to all the neighbors
of the SN. When the neighbors of the SN receive the cooperative detection request message,
each of them sends a RREQ message to the SN requesting a route to the IN. After the SN
responds with a RREP message, each of the requesting nodes sends a ‘further probe packet’ to
the IN along that route. This route will obviously include SN, as SN is a neighbor of each
requesting node and the IN as well. Each neighbor of the SN (except the IN) now notifies the
IN that a ‘further probe packet’ has already been sent to it. This notification message from each
neighbor is sent to the IN through routes which do not include the SN. This is necessary to
ensure that the SN is not aware of the on-going cross checking process. The IN will
receive numerous ‘further probe packets’ and notification messages. The IN now constructs a
ProbeCheck table. The ProbeCheck table has two fields: NodeID and ProbeStatus. Under the
NodeID field, the IN enters the identifiers of the nodes which have sent notification
messages to it. An entry of ‘1’ is made under the column ‘ProbeStatus’ corresponding to the
nodes from which the IN has received the ‘further probe packet’.
Table 3. An example ProbeCheck table for node 7
NodeID    ProbeStatus
   2           0
   6           1
   8           1
   9           1
An example ProbeCheck table for node 7 of the network in Fig. 3 is presented in Table 3. It
may be observed that node 7 has received the ‘further probe packet’ from all the neighbors of
the SN (node 1) except node 2. It is possible that the probe packet was not maliciously
dropped by the SN but was lost because of a collision or buffer overflow. A mathematical
estimate can be made for the probability of a collision or buffer
overflow at the SN (Sen et al., 2007a). However, to avoid complex mathematical
computation, we propose a simple mechanism where each node sends three ‘further probe
packets’ interspaced with a small time interval. If none of these three packets from a
neighbor are received by the IN, the SN is believed to be behaving like a grayhole for that
node during that time. This grayhole behavior may be exhibited for a single node (as for
node 2 in Table 3) or may be for a group of nodes.
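The DRI-based procedure of this section, from suspect identification through the local probe to the three-probe ProbeCheck table, as an added Python simulation (not code from Sen et al. or from this chapter). Assumptions: the DRI table of node 7 is constructed to match what the text says about nodes 1 and 2 (Table 2 is not reproduced on the page); the grayhole is modelled by a constructed drop policy; RREQ/RREP exchange and the SN-free notification routes are assumed to succeed.

```python
from dataclasses import dataclass


@dataclass
class DriEntry:
    frm: int = 0        # 'From': 1 if this node has forwarded data coming from the neighbor
    through: int = 0    # 'Through': 1 if this node has forwarded data to the neighbor
    check_bit: int = 0  # 'CheckBit': 1 once the neighbor delivered the local-detection probe


class SuspectNode:
    """Constructed model of the suspected node (SN). A grayhole always answers a RREQ
    with a RREP but drops data packets selectively; drop(src, seq) returns True for the
    packets it discards (seq numbers the successive probes from one source)."""

    def __init__(self, node_id, neighbors, drop):
        self.id, self.neighbors, self.drop = node_id, set(neighbors), drop

    def replies_rrep(self) -> bool:
        return True

    def forwards(self, src: int, seq: int) -> bool:
        return not self.drop(src, seq)


def identify_suspects(dri: dict) -> list:
    """Neighbors with '0' under both 'From' and 'Through' after the threshold interval."""
    return sorted(n for n, e in dri.items() if e.frm == 0 and e.through == 0)


def choose_cooperative_node(dri: dict, sn_id: int):
    """The most reliable neighbor: '1' under both columns (lowest id on a tie)."""
    cands = [n for n, e in dri.items() if e.frm and e.through and n != sn_id]
    return min(cands) if cands else None


def local_anomaly_detection(dri: dict, in_id: int, sn: SuspectNode) -> bool:
    """IN broadcasts a RREQ for the CN, receives a RREP from SN, sends one probe to the CN
    through SN and asks the CN whether it arrived.  Returns True if the probe got through."""
    if not sn.replies_rrep():
        return True                      # no route offered: nothing to probe through
    delivered = sn.forwards(in_id, 0)    # the CN's answer to the IN's enquiry
    if delivered:
        dri[sn.id].check_bit = 1
    return delivered


def cooperative_anomaly_detection(in_id: int, sn: SuspectNode, probes: int = 3) -> dict:
    """Every neighbor of SN except IN sends `probes` 'further probe packets' to IN via SN
    and notifies IN over an SN-free route (assumed delivered).  Returns the ProbeCheck
    table {NodeID: ProbeStatus}; a neighbor scores 1 if any of its probes reached IN."""
    table = {}
    for nb in sorted(sn.neighbors - {in_id}):
        table[nb] = 1 if any(sn.forwards(nb, seq) for seq in range(probes)) else 0
    return table


def grayhole_victims(probe_check: dict) -> list:
    """Neighbors for which SN behaved like a grayhole (all three probes lost)."""
    return sorted(n for n, status in probe_check.items() if status == 0)


def run_fig3_example():
    # Constructed DRI table of node 7: node 1 never interacted, node 2 is fully trusted.
    dri = {1: DriEntry(0, 0), 2: DriEntry(1, 1), 6: DriEntry(1, 0),
           8: DriEntry(0, 1), 9: DriEntry(1, 0)}

    # Constructed behaviour of node 1: drops node 7's probe, drops everything coming
    # from node 2, and loses only the first probe from node 6 (like a single collision).
    def policy(src, seq):
        return src in (7, 2) or (src == 6 and seq == 0)

    sn = SuspectNode(1, [2, 6, 7, 8, 9], policy)
    suspects = identify_suspects(dri)                  # [1]
    cn = choose_cooperative_node(dri, suspects[0])     # 2
    probe_ok = local_anomaly_detection(dri, 7, sn)     # False: escalate
    table = {} if probe_ok else cooperative_anomaly_detection(7, sn)
    return suspects, cn, probe_ok, table, grayhole_victims(table)
```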
the sink. While this approach ensures reliable packet delivery, it consumes an appreciable
amount of energy for delivering each packet. To avoid this problem, the protocol uses a single-
path routing mechanism. If a malicious node is encountered, the node is avoided and the
packet is routed around it in an efficient manner, still in a single-path mode to the base station.
The selection of the new path is based on some broadcast signaling in the neighborhood of the
malicious node. The salient features of the protocol are briefly described below:
(i) Neighbor list checking: during the neighbor discovery phase, each node exchanges hello
messages with its neighbor nodes to know its 1-hop and 2-hop neighbors (i.e., neighbors of
each of its neighboring nodes). The neighborhood information is subsequently verified by
exchange of neighbor list checking messages (Sen et al., 2010).
(ii) One-hop packet forwarding: when a node u sends a packet to its neighbor, it first keeps a
copy of the packet in its buffer, and then forwards it to its next-hop node v after encrypting
it with the cluster key of the node u. Since the cluster key is shared between the node and all
its neighbors, the packet encrypted and sent by node u to node v can be overheard by all the
neighbors of node u.
(iii) Monitoring nodes selection: as the packet is forwarded from node u to node v, the
neighbors of node u that are also neighbors of node v receive the packet and store it in their
buffers. These nodes are designated as the secondary monitoring nodes. For example, in Fig.
4, nodes w and y are the secondary monitoring nodes for node v. The node u is the primary
monitoring node. The nodes that are not neighbors of node v but have received the packet
because they are neighbors of node u, discard the packet. The primary node knows the
secondary monitoring nodes, since every node knows its 1-hop and 2-hop neighbors.
Fig. 4. Neighbor monitor system (secondary nodes w, y ; primary node u) (Sen et al., 2010)
(iv) Role of secondary monitoring nodes: the secondary monitoring nodes w and y monitor the
traffic from node v and compare the outbound packets from node v with the packets stored
in their buffer. The next-hop address of each packet is also verified to check whether the
packet’s intended next-hop is really a neighbor of node v, by cross-checking the neighbor
list of node v. If both these checks yield positive results, the secondary monitoring nodes
remove the packet from their buffer and their role of monitoring is complete for that packet.
If any packet is found to remain in the buffer of a secondary monitoring node for more than
a threshold period of time, it first sends a broadcast signal in its neighborhood to inform all
its neighbors that it is going to forward the packet to its designated next-hop so that other
neighbors do not forward the same packet. The secondary monitoring node now forwards
the packet to its designated next-hop after encrypting the packet with the cluster key. The
role of the secondary node now becomes that of the primary node and its neighbors become
the secondary nodes. This is in contrast to the scheme proposed in (Lee et al., 2006), where all
the secondary nodes forward the packet in a multi-path mode.
(v) Role of primary monitoring node: the role of a primary monitoring node (node u) is
identical to that of secondary monitoring nodes (nodes w and y); the only difference is that it
listens not only on the traffic from node v, but also on the traffic from the nodes w and y. If
the packet is correctly forwarded by any one of the nodes v, w, y, the node u removes the
packet from its buffer. The role of node u as the primary monitoring node is now complete.
If a timeout occurs for a packet, the primary monitoring node u forwards the packet
(encrypted with its cluster key) to its next-hop other than node v.
As the packet is routed along a path towards the sink, the above steps of NMS algorithm
except the neighbor list checking are executed at each hop so that reliable packet delivery can
happen through a single path. This is in contrast to the previous schemes proposed in (Ye et
al., 2005; Morcos et al., 2005; Yang et al., 2005). In these schemes, a node broadcasts a packet
without specifying a designated next-hop, and all neighboring nodes with smaller costs (the
cost at a node is the minimum energy required to forward a packet from the node to the
base station) or within a specific geographic region continue forwarding the packet to the
base station. If nodes v, w, and y have smaller costs than node u in Fig. 4, then each of them
will forward packets received from node u following the existing approaches. However, in
the proposed scheme, nodes w and y only observe the packet forwarding activities of node
v, instead of actively forwarding the packets. In the event of no packet drop, the routing to
the base station happens in a single-path, thereby making the process highly energy-
efficient. Even in the event of a packet drop, the proposed algorithm works in a single-path
mode. This makes it more efficient than the one proposed in (Lee et al., 2006). If the node v
in Fig. 4 does not forward the packet it has received from node u, then one of the secondary
monitoring nodes w and y would forward the packet to its next-hop nodes. The node (either
w or y) that forwards the packet to its next-hop neighbors will first send a broadcast
message in its neighborhood so that its other neighbors would not forward the same packet.
Fig. 5. Two malicious nodes identified by secondary monitoring nodes (Sen et al., 2010)
Fig. 5 shows an example of the application of the scheme, where two malicious (or faulty)
nodes are bypassed as the packet is routed to the base station in a single-path.
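Steps (ii) to (v) of the neighbor monitor system, as an added Python simulation (not code from Sen et al. or from this chapter), run over three cases: an honest next hop, a next hop that drops the packet, and a next hop that forwards to a spurious address. Assumptions: a constructed topology and next-hop choices in the spirit of Fig. 4; cluster-key encryption is modelled only as "every neighbor of the sender overhears the packet"; neighbor lists are taken as already verified by neighbor list checking; the secondary with the lowest name times out first.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    pid: int
    payload: bytes
    next_hop: str                      # designated next hop carried in the packet


@dataclass
class Node:
    name: str
    neighbors: set                     # verified 1-hop neighbors
    next_hop: Optional[str]            # cheapest verified next hop towards the sink
    alt_hop: Optional[str] = None      # fallback for the primary monitor (step v)
    behaviour: str = "honest"          # constructed: "honest", "drop" or "misroute"
    buffer: dict = field(default_factory=dict)

    def forward(self, pkt: Packet):
        """What this node transmits after receiving pkt (None = silently dropped)."""
        if self.behaviour == "drop":
            return None
        if self.behaviour == "misroute":   # routing disruption: spurious next-hop address
            return Packet(pkt.pid, pkt.payload, "no-such-node")
        return Packet(pkt.pid, pkt.payload, self.next_hop)


def nms_hop(net: dict, sender: str, pkt: Packet):
    """One monitored hop: `sender` (primary monitor u) transmits pkt to pkt.next_hop (v)
    under its cluster key, so every neighbor of u overhears it.
    Returns (node that actually forwarded the packet, the next hop it used)."""
    u, v = net[sender], net[pkt.next_hop]
    u.buffer[pkt.pid] = pkt                                      # (ii) keep a copy
    secondaries = [net[n] for n in sorted(u.neighbors)            # (iii) common neighbors
                   if n != v.name and n in v.neighbors]
    for s in secondaries:
        s.buffer[pkt.pid] = pkt                                  # other overhearers discard
    monitors = [u] + secondaries
    out = v.forward(pkt)
    # (iv) compare v's outbound packet with the buffered copy and check that the
    # claimed next hop really is in v's verified neighbor list
    if out is not None and out.payload == pkt.payload and out.next_hop in v.neighbors:
        for m in monitors:
            m.buffer.pop(pkt.pid, None)
        return v.name, out.next_hop
    # timeout: the first secondary whose timer expires broadcasts a suppression message
    # (so no other monitor forwards), then sends the packet on under its own cluster key
    for s in secondaries:
        if pkt.pid in s.buffer:
            for m in monitors:
                m.buffer.pop(pkt.pid, None)                      # (v) u overhears it too
            return s.name, s.next_hop
    # (v) no secondary monitor exists: the primary re-sends via a next hop other than v
    u.buffer.pop(pkt.pid, None)
    return u.name, u.alt_hop


def route_to_sink(net: dict, src: str, sink: str, payload: bytes = b"reading") -> list:
    """Single-path delivery; returns the list of (transmitter, receiver) transmissions."""
    trace, cur, nxt = [], src, net[src].next_hop
    while len(trace) < len(net):                                 # bound the loop
        trace.append((cur, nxt))
        if nxt == sink:
            return trace
        cur, nxt = nms_hop(net, cur, Packet(1, payload, nxt))
    return trace


def build_fig4_network(v_behaviour: str = "honest") -> dict:
    """Constructed topology: u -> v -> t -> sink, with w and y neighbors of both u and v
    (secondary monitors) and z a neighbor of u only (it discards the overheard packet)."""
    nb = {"u": {"v", "w", "y", "z"}, "v": {"u", "w", "y", "t"},
          "w": {"u", "v", "y", "t"}, "y": {"u", "v", "w", "t"}, "z": {"u"},
          "t": {"v", "w", "y", "sink"}, "sink": {"t"}}
    nh = {"u": "v", "v": "t", "w": "t", "y": "t", "z": "u", "t": "sink", "sink": None}
    net = {n: Node(n, nb[n], nh[n], alt_hop="w" if n == "u" else None) for n in nb}
    net["v"].behaviour = v_behaviour
    return net
```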
For the scheme to work, each packet should be encrypted with a cluster key of the
forwarding node so that all the neighbors of the forwarding node can decrypt and overhear
it. If a link-level encryption was applied between each pair of nodes in the routing path, the
scheme would have been more robust, since a compromised node could decrypt only the
packets which were destined to it. However, it would have made the scheme less resilient to
packet dropping attack. Since encryption with a cluster key provides a reasonable level of
robustness to a node compromise, and also supports local broadcast (i.e. resiliency against
packet-dropping) it makes the algorithm optimum in its performance (Karlof et al., 2004).
To make the scheme robust to routing disruption attack, where a node intentionally
forwards the packets to a spurious address of the next-hop so that the packet is lost in
routing, it is necessary that each node should prove that it really has the claimed neighbors.
Apparently, a node has the knowledge of its direct neighbors by neighbor discovery and
pair-wise key establishment phases discussed earlier. However, in the case of two-hop
neighbors, a malicious node v can inform its neighbor u that it also has neighbor node x (any
possible id in the network) which in fact is not a neighbor of node v (Fig. 4). Apparently,
there is no way node u can detect this false claim of v since x is not in the neighborhood of
u. To handle this problem, a scheme has been proposed by the authors using which a node
can verify the neighbors of each of its neighboring nodes (Sen et al., 2010).
In the above expressions, “||” represents the concatenation of two strings and h is a one-
way hash function such as MD5 or SHA-1. Let R be the root of the tree. Each sensor node v
needs to store the root value Φ(R) and the sibling node values λ1, …, λH along the path
from v to R. If node A wants to authenticate B’s public key, B sends its public key pk along
with the values λ1, …, λH to node A. Then, A can use the same procedure to reconstruct
the Merkle tree R` and calculate the root value Φ(R`). A will trust B to be authentic if Φ(R`) =
Φ(R). A sensor node only needs H + 1 storage units for the extra hash values. Based on this
scheme, Du et al. further extended the idea to reduce the height of the Merkle tree to
improve the communication overhead of the scheme. The proposed scheme is more efficient
than signature verification on certificates. However, the scheme requires that some hash
values be distributed in a pre-distribution stage. This results in some scalability issues when
new sensors are added to an existing WSN.
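The Merkle-tree public key authentication just described, as an added Python example (not code from Du et al. or from this chapter): each sensor stores Φ(R) and λ1, …, λH, and a verifier rebuilds Φ(R') from the claimed identity, the presented key and the sibling values. Assumptions: SHA-256 as h, leaves of the form h(id || pk), a power-of-two number of sensors whose ids are their leaf positions, and constructed "public keys" in place of real ECC keys.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """One-way hash (assumption: SHA-256; the text mentions MD5 or SHA-1)."""
    return hashlib.sha256(data).digest()


def leaf_value(index: int, pk: bytes) -> bytes:
    """Leaf for sensor `index`: h(id || pk), binding the key to the node identity."""
    return h(index.to_bytes(2, "big") + pk)


def build_merkle_tree(leaves: list) -> list:
    """levels[0] = leaves, levels[-1] = [Φ(R)]; len(leaves) must be a power of two."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([h(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def sibling_values(levels: list, index: int) -> list:
    """λ1 ... λH: the sibling of each node on the path from leaf `index` up to R."""
    sibs = []
    for lvl in levels[:-1]:
        sibs.append(lvl[index ^ 1])
        index >>= 1
    return sibs


def reconstruct_root(index: int, pk: bytes, sibs: list) -> bytes:
    """Recompute Φ(R') from B's index, its public key and λ1 ... λH.  The index bits
    decide on which side each sibling is hashed in, so no extra data is transmitted."""
    v = leaf_value(index, pk)
    for sib in sibs:
        v = h(sib + v) if index & 1 else h(v + sib)
        index >>= 1
    return v


def authenticate_public_key(stored_root: bytes, index: int, pk: bytes, sibs: list) -> bool:
    """A trusts B's pk iff Φ(R') == Φ(R)."""
    return hmac.compare_digest(reconstruct_root(index, pk, sibs), stored_root)


def demo_merkle_pk_auth():
    """Constructed deployment of 8 sensors; the 'public keys' are hash constants
    standing in for real key material (assumption)."""
    pks = [hashlib.sha256(b"constructed pk %d" % i).digest() for i in range(8)]
    levels = build_merkle_tree([leaf_value(i, pk) for i, pk in enumerate(pks)])
    root = levels[-1][0]
    H = len(levels) - 1                     # tree height: each node stores H + 1 hashes
    b_index, b_sibs = 5, sibling_values(levels, 5)
    genuine = authenticate_public_key(root, b_index, pks[5], b_sibs)
    # an attacker presents its own key under B's identity, path values unchanged
    forged_key = authenticate_public_key(root, b_index, pks[3], b_sibs)
    # an attacker replays B's genuine key and path but under a different identity
    wrong_id = authenticate_public_key(root, 6, pks[5], b_sibs)
    return H, len(b_sibs), genuine, forged_key, wrong_id
```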
Tanachaiwiwat et al. have presented a novel secure routing protocol, trust routing for location
aware sensor networks (TRANS) (Tanachawiwat et al., 2003). It is primarily meant for use in
data centric networks. It makes use of a loose-time synchronization asymmetric
cryptographic scheme to ensure message confidentiality. The authors have used μTESLA to
ensure message authentication and confidentiality. Using μTESLA, TRANS is able to ensure
that a message is sent along a path of trusted nodes utilizing location aware routing. The
base station broadcasts an encrypted message to all its neighbors. Only the trusted
neighbors will possess the shared key necessary to decrypt the message. The trusted
neighbors then add their locations (for the return trip), encrypt the new message with their
shared key, and forward the message to their neighbors closest to the destination. Once the
message reaches the destination, the recipient is able to authenticate the source (base station)
using the MAC corresponding to the base station. To acknowledge or reply to the message,
the destination node can simply forward a return message along the same trusted path from
the message was received (Tanachawiwat et al., 2003).
Papadimitratos and Haas have proposed a secure route discovery protocol that guarantees
correct topology discovery in an ad hoc sensor network (Papadimitratos et al., 2002). The
security relies on the MAC (message authentication code) and an accumulation of the node
identities along the route traversed by a message. In this way, a source node discovers the
sensor network topology as each node along the route from source to destination appends
its identity to the message. In order to ensure that the message has not been tampered with,
a MAC is verified at the source and the destination.
A family of configurable secure routing protocols called secure implicit geographic forwarding
(SIGF) has been proposed in (Wood et al., 2006). SIGF is based on a nondeterministic hybrid
routing protocol – IGF (Blum et al., 2003) that is completely stateless. This allows SIGF to
handle network dynamics effortlessly, and intrinsically limits the effects of a compromised
node to a local area. There are no routing tables to corrupt, since forwarding decisions are
made as late as possible – when a packet is ready to transmit over the air. However, the
protocol is susceptible to a CTS rushing attack (Hu et al., 2003b).
To defend against route poisoning attack in a multi-hop WSN, a trust-aware routing
framework has been proposed in (Zhan et al., 2010). The protocol integrates trustworthiness
and energy-efficiency in routing decisions. Each node maintains a neighborhood table with
trust level values and energy cost values for certain known neighbors. Once a node is able to
decide its next-hop for routing a packet to the base station, it broadcasts its energy-report
message that contains the information regarding the energy cost to deliver a packet from the
node to the base station. The trustworthiness of a node is computed from its packet
forwarding statistics. In this way, a secure and energy-efficient routing is achieved.
Table 4 presents a comparative analysis of some secure routing protocols for WSNs.
Table 4. Comparison of secure routing protocols for WSNs
8. Conclusion
Although research efforts have been made on cryptography, key management, secure
routing, secure data aggregation, and intrusion detection in WSNs, there are still some
challenges to be addressed. First, the selection of the appropriate cryptographic methods
depends on the processing capability of the sensor nodes, indicating that there is no unified
solution for all sensor networks. Instead, the security mechanisms are highly application-
specific. Second, sensors are characterized by the constraints on energy, computation
capability, memory, and communication bandwidth. The design of security services in
WSNs must satisfy these constraints. Third, most of the current protocols assume that the
sensor nodes and the base stations are stationary. However, there may be situations, such as
battlefield environments, where the base station and possibly the sensors need to be mobile.
The mobility of the sensor nodes has a great influence on sensor network topology and thus
raises many issues in secure routing protocols. Some future trends in WSN security research
are identified as follows:
Exploit the availability of private key operations on sensor nodes: recent studies on public key
cryptography have shown that public key operations are still very expensive to realize in
sensor nodes. Since public key cryptography can greatly ease the design of security in WSNs,
improving the efficiency of private key operations on sensor nodes is highly desirable.
Secure routing protocols for mobile sensor networks: mobility of sensor nodes has a great
influence on sensor network topology and thus on the routing protocols. Mobility can be at
the base station, sensor nodes, or both. Current protocols assume the sensor network is
stationary. New secure routing protocols for mobile sensor networks need to be developed.
Time synchronization issues: current broadcast authentication schemes such as µTESLA and
its extensions require the sensor network to be loosely time synchronized. This requirement
is often hard to meet and new techniques that do not have such requirement are in demand.
Scalability and efficiency in broadcast authentication protocols: new schemes with higher
scalability and efficiency need to be developed for authenticated broadcast protocols. The
recent progress on public key cryptography may facilitate the design of authenticated
broadcast protocols.
QoS and security: performance is generally degraded with the addition of security services in
WSNs. Current studies on security in WSNs focus on individual topics such as key
management, secure routing, secure data aggregation, and intrusion detection. QoS and
security need to be evaluated together in WSNs.
9. References
Akyildiz, I.F. ; Su, W. ; Sankarasubramaniam, Y. & Cayirci, E. (2002). A survey on sensor
networks. IEEE Communications Magazine, Vol. 40, No. 8, pp. 102-114.
Al-Karaki, J.N. & Kamal, A.E. (2004). Routing techniques in wireless sensor networks : a
survey. IEEE Wireless Communications, Vol. 11, No. 6, pp. 6 – 28.
Aura, T. ; Nikander, P. & Leiwo, J. (2001). DoS-resistant authentication with client puzzles.
Proceedings of the 8th International Workshop on Security Protocols, pp. 170-177,
Springer-Verlag, Germany.
Awerbuch, B. ; Holmer, D. ; Nita-Rotaru, C. & Rubens, H. (2002). An on-demand secure
routing protocol resilient to Byzantine failures. Proceedings of the ACM Workshop on
Wireless Security, pp. 21 – 30.
Blum, B. ; He, T. ; Son, S. & Stankovic, J. (2003). IGF : a state-free robust communication
protocol for wireless sensor networks. Technical Report : CS-2003-11, University of
Virginia, Charlottesville, VA, USA.
Capkun, S. & Hubaux, J.-P. (2006). Secure positioning in wireless networks. IEEE Journal on
Selected Areas in Communications, Vol. 24, No. 2, pp. 221-232.
Carman, D.W. ; Krus, P.S. & Matt, B.J. (2000). Constraints and approaches for distributed
sensor network security. Technical Report No : 00-010, NAI Labs, Network
Associates Inc., Glenwood, MD, USA.
Chan, H. & Perrig, A. (2003a). Security and privacy in sensor networks. IEEE Computer
Magazine, pp. 103 – 105.
Chan, H. ; Perrig, A. & Song, D. (2003b). Random key pre-distribution schemes for sensor
networks. Proceedings of the IEEE Symposium on Security and Privacy, p. 197, IEEE
Computer Society Press.
Deng, H. ; Li, H. & Agrawal, D. (2002a). Routing security in wireless ad hoc networks. IEEE
Communications Magazine, Vol. 40, No. 10.
Deng, J. ; Han, R. & Mishra, S. (2002b). INSENS : intrusion-tolerant routing in wireless
sensor networks. Technical Report CU-CS-939-02, Department of Computer Science,
University of Colorado at Boulder.
Deng, J. ; Han, R. & Mishra, S. (2004). Countermeasures against traffic analysis in wireless
sensor networks. Technical Report : CU-CS-987-04, University of Colorado at
Boulder.
Di Pietro, R. ; Mancini, L.V. ; Law, Y.W. ; Etalle, S. & Havinga, P. (2003). LKHW : a directed
diffusion-based secure multi-cast scheme for wireless sensor networks. Proceedings
of the 32nd International Conference on Parallel Processing Workshops (ICPPW’03), pp.
397-406, IEEE Computer Society Press.
Douceur, J. (2002). The Sybil attack. Proceedings of the 1st International Workshop on Peer-to-
Peer Systems (IPTPS’02).
Du, W. ; Deng, J. ; Han, Y.S. & Varshney, P.K. (2003). A pair-wise key pre-distribution
scheme for wireless sensor networks. Proceedings of the 10th ACM Conference on
Computer and Communications Security, pp. 42-51, New York, USA, ACM Press.
Du, W. ; Wang, R. & Ning, P. (2005). An efficient scheme for authenticating public keys in
sensor networks. Proceedings of the 6th ACM International Symposium on Mobile Ad
Hoc Networking and Computing, pp. 58 – 67, New York, USA, ACM Press.
Eschenauer, L. & Gligor, V.D. (2002). A key-management scheme for distributed sensor
networks. Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 41-47.
Estrin, D. ; Govindan, R. ; Heidemann, J.S. & Kumar. S. (1999). Next century challenges : scalable
coordination in sensor networks. Mobile Computing and Networking, pp. 263-270.
Ganeriwal, S. ; Capkun, S. ; Han, C.-C. & Srivastava, M.B. (2005). Secure time
synchronization service for sensor networks. Proceedings of the 4th ACM Workshop on
Wireless Security, pp. 97 – 106, New York, USA, ACM Press.
Gaubatz, G. ; Kaps, J.P. & Sunar, B. (2004). Public key cryptography in sensor networks-
revisited. Proceedings of the 1st European Workshop on Security in Ad- Hoc and Sensor
networks (ESAS’04).
Gruteser, M. ; Schelle, G. ; Jain, A. ; Han, R. & Grunwald, D. (2003). Privacy-aware location
sensor networks. Proceedings of the 9th USENIX Workshop on Hot Topics in Operating
Systems (HotOS IX).
Gura, N. ; Patel, A. ; Wander, A. ; Eberle, H. & Shantz, S. (2004). Comparing elliptic curve
cryptography and RSA on 8-bit CPUs. Proceedings of Workshop on Cryptographic
Hardware and Embedded Systems (CHES’04).
Han, Y-J. ; Park, M-W. & Chung, T-M. (2010). SecDEACH : secure and resilient dynamic
clustering protocol preserving data privacy in WSNs. Proceedings of the International
Conference on Computational Science and its Applications (ICCSA’10), pp. 142 – 157,
Fukuoka, Japan.
Hartung, C. ; Balasalle, J. & Han, R. (2004). Node compromise in sensor networks : the need
for secure systems. Technical Report : CU-CS-988-04, Department of Computer
Science, University of Colorado at Boulder.
Hill, J. ; Szewczyk, R. ; Woo, A. ; Hollar, S. ; Culler, D.E. & Pister, K. (2000). System
architecture directions for networked sensors. Proceedings of the 9th International
Conference on Architectural Support for Programming Languages and Operating Systems,
pp. 93-104, ACM Press.
Hu, L. & Evans, D. (2003a). Secure aggregation for wireless sensor networks. Proceedings of
the Symposium on Applications and the Internet Workshops, p. 384, IEEE Comp. Soc.
Press.
Hu, L. & Evans, D. (2004a). Using directional antennas to prevent wormhole attacks.
Proceedings of the 11th Annual Network and Distributed System Security Symposium.
Hu, Y. ; Perrig, A. & Johnson, D.B. (2003b). Rushing attacks and defense in wireless ad hoc
network routing protocols. Proceedings of the ACM Workshop on Wireless Security, pp.
30 – 40.
Hu, Y. ; Perrig, A. & Johnson, D.B. (2004b). Packet leashes : a defense against worm-hole
attacks. Proceedings of the 11th Annual Network and Distributed System Security
Symposium.
Hwang, J. & Kim, Y. (2004). Revisiting random key pre-distribution schemes for wireless
sensor networks. Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and
Sensor Networks (SASN’04), pp. 43-52, New York, USA, ACM Press.
Intanagonwiwat, C. ; Govindan, R. & Estrin, D. (2000). Directed diffusion : a scalable and
robust communication paradigm for sensor networks. Mobile Computing and
Networking, pp. 56 – 67.
Karlof, C. & Wagner, D. (2003). Secure routing in wireless sensor networks : attacks and
countermeasures. Proceedings of the 1st IEEE International Workshop on Sensor
Network Protocols and Applications, pp. 113-127.
Karlof, C. ; Sastry, N. & Wagner, D. (2004). TinySec : a link layer security architecture for
wireless sensor networks. Proceedings of ACM SensSys, pp. 162 – 175.
Karp, B. & Kung, H.T. (2000). GPSR : greedy perimeter stateless routing for wireless
networks. Proceedings of the 6th Annual International Conference on Mobile Computing
and Networking, pp. 243 – 254, ACM Press.
Kaya, T. ; Lin, G. ; Noubir, G. & Yilmaz, A. (2003). Secure multicast groups on ad hoc
networks. Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor
Systems (SASN’03), pp. 94 - 102, ACM Press.
Lazos, L. & Poovendran, R. (2002). Secure broadcast in energy-aware wireless sensor
networks. Proceedings of the IEEE International Symposium on Advances in Wireless
Communications (ISWC’02).
Lazos, L. & Poovendran, R. (2005). SERLOC : robust localization for wireless sensor
networks. ACM Transactions on Sensor Networks, Vol. 1, No. 1, pp. 73 -100.
Lazos, L. & Poovendran, R. (2003). Energy-aware secure multi-cast communication in ad-
hoc networks using geographic location information. Proceedings of the IEEE
International Conference on Acoustics Speech and Signal Processing.
Lee, S-B. & Choi, Y-H. (2006). A resilient packet-forwarding scheme against maliciously
packet-dropping nodes in sensor networks. Proceedings of the 4th ACM Workshop on
Security of Ad Hoc and Sensor Networks, pp. 59-70.
Liu, D. & Ning, P. (2003). Efficient distribution of key chain commitments for broadcast
authentication in distributed sensor networks. Proceedings of the 10th Annual
Network and Distributed System Security Symposium, pp. 263 – 273, San Diego, CA,
USA.
Liu, D. & Ning, P. (2004). Multilevel μTESLA : broadcast authentication for distributed
sensor networks. ACM Transactions on Embedded Computing Systems (ECS), Vol. 3,
No. 4, pp. 800-836.
Liu, D. ; Ning, P. & Li, R. (2005a). Establishing pair-wise keys in distributed sensor
networks. ACM Transactions on Information Systems Security, Vol. 8, No. 1, pp. 41-77.
Liu, D. ; Ning, P. ; Zhu, S. & Jajodia, S. (2005b). Practical broadcast authentication in sensor
networks. Proceedings of the 2nd Annual International Conference on Mobile and
Ubiquitous Systems : Networking and Services, pp. 118 – 129.
Madden, S. ; Franklin, M.J. ; Hellerstein, J.M. & Hong, W. (2002). TAG : a tiny aggregation
service for ad-hoc sensor networks. SIGOPS Operating Systems Review, Special Issue,
pp. 131-146.
Morcos, H. ; Matta, I. & Bestavros, A. (2005). M2RC : multiplicative-increase /additive-
decrease multipath routing control for wireless sensor networks. ACM SIGBED
Review, Vol. 2.
Newsome, J. ; Shi, E. ; Song, D. & Perrig, A. (2004). The Sybil attack in sensor networks :
analysis and defenses. Proceedings of the 3rd International Symposium on Information
Processing in Sensor Networks, pp. 259-268, ACM Press.
Ozturk, C. ; Zhang, Y. & Trappe, W. (2004). Source-location privacy in energy-constrained
sensor network routing. Proceedings of the 2nd ACM Workshop on Security of Ad Hoc
and Sensor Networks.
Papadimitratos, P. & Haas, Z.J. (2002). Secure routing for mobile ad hoc networks.
Proceedings of the SCS Communication Networks and Distributed System Modeling and
Simulation Conference (CNDS’02).
Parno, B. ; Perrig, A. & Gligor, V. (2005). Distributed detection of node replication attacks in
sensor networks. Proceedings of IEEE Symposium on Security and Privacy.
Pecho, P. ; Nagy, J. ; Hanacek, P. & Drahansky, M. (2009). Secure collection tree protocol for
tamper-resistant wireless sensors. Communications in Computer and Information
Science, Vol. 58, pp. 217 – 224, Springer-Verlag, Heidelberg, Germany.
Perkins, C.E. & Royer, E.M. (1999). Ad hoc on-demand distance vector routing. Proceedings of
IEEE Workshop on Mobile Computing Systems and Applications, pp. 90 – 100.
Perrig, A. ; Stankovic, J. & Wagner, D. (2004). Security in wireless sensor networks.
Communications of the ACM, Vol. 47, No. 6, pp. 53 – 57.
Perrig, A. ; Szewczyk, R. ; Wen, V. ; Culler, D.E. & Tygar, J.D. (2002). SPINS : security
protocols for sensor networks. Wireless Networks, Vol. 8, No. 5, pp. 521-534.
Przydatek, B. ; Song, D. & Perrig, A. (2003). SIA : secure information aggregation in sensor
networks. Proceedings of the 1st International Conference on Embedded Networked Sensor
Systems (SenSys’03), pp. 255-265, ACM Press.
Rafaeli, S. & Hutchison, D. (2003). A survey of key management for secure group
communication. ACM Computing Survey, Vol. 35, No. 3, pp. 309-329.
Sen, J ; Chandra, M.G. ; Harihara, S.G. ; Reddy, H. & Balamuralidhar, P. (2007b). A
mechanism for detection of grayhole attack in mobile ad hoc networks. Proceedings
of the 6th International Conference on Information, Communication, and Signal Processing
(ICICS’07), pp. 1 – 5, Singapore.
Sen, J. & Ukil, A. (2010). A secure routing protocol for wireless sensor networks. Proceedings
of the International Conference on Computational Science and its Applications
(ICCSA’10), pp. 277 – 290, Fukuoka, Japan.
Sen, J. ; Chandra, M.G. ; Balamuralidhar, P. ; Harihara, S.G. & Reddy, H. (2007a). A
distributed protocol for detection of packet dropping attack in mobile ad hoc
networks. Proceedings of the IEEE International Conference on Telecommunications
(ICT’07), Penang, Malaysia.
Shi, E. & Perrig, A. (2004). Designing secure sensor networks. Wireless Communication
Magazine, Vol. 11, No. 6, pp. 38 – 43.
Shrivastava, N. ; Buragohain, C. ; Agrawal, D. & Suri, S. (2004). Medians and beyond : new
aggregation techniques for sensor networks. Proceedings of the 2nd International
Conference on Embedded Networked Sensor Systems, pp. 239-249, ACM Press.
Slijepcevic, S. ; Potkonjak, M. ; Tsiatsis, V. ; Zimbeck, S. & Srivastava, M.B. (2002). On
communication security in wireless ad-hoc sensor networks. Proceedings of the 11th
IEEE International Workshop on Enabling Technologies : Infrastructure for Collaborative
Enterprises (WETICE’02), pp. 139-144.
Stankovic J.A. (2003). Real-time communication and coordination in embedded sensor
networks. Proceedings of the IEEE, Vol. 91, No. 7, pp. 1002-1022.
Tanachawiwat, S. ; Dave, P. ; Bhindwale, R. & Helmy, A. (2003). Routing on trust and
isolating compromised sensors in location-aware sensor systems. Proceedings of the
1st International Conference on Embedded Networked Sensor Systems, pp. 324-325, ACM
Press.
Wander, A.S. ; Gura, N. ; Eberle, H. ; Gupta, V. & Shantz, S.C. (2005). Energy analysis of
public-key cryptography for wireless sensor networks. Proceedings of the 3rd IEEE
International Conference on Pervasive Computing and Communication.
Wang, W. & Bhargava, B. (2004b). Visualization of wormholes in sensor networks.
Proceedings of the 2004 ACM Workshop on Wireless Security, pp. 51 – 60, New York,
USA, ACM Press.
Wang, X. ; Gu, W. ; Chellappan, S. ; Xuan, D. & Lai, T.H. (2005). Search-based physical
attacks in sensor networks : modeling and defense. Technical Report, Department of
Computer Science and Engineering, Ohio State University.
Wang, X. ; Gu, W. ; Schosek, K. ; Chellappan, S. & Xuan, D. (2004a). Sensor network
configuration under physical attacks. Technical Report : OSU-CISRC-7/04-TR45,
Department of Computer Science and Engineering, Ohio State University.
Wang, Y. ; Attebury, G. & Ramamurthy, B. (2006). A survey of security issues in wireless
sensor networks. IEEE Communications Surveys and Tutorials, Vol. 8, No. 2, pp. 2- 23.
Watro, R. ; Kong, D. ; Cuti, S. ; Gardiner, C. ; Lynn, C. & Kruus, P. (2004). TinyPK : securing
sensor networks with public key technology. Proceedings of the 2nd ACM Workshop on
Security of Ad Hoc and Sensor Networks (SASN’04), pp. 59 – 64, New York, USA,
ACM Press.
Wood, A.D. & Stankovic, J.A. (2002). Denial of service in sensor networks. IEEE Computer,
Vol. 35, No. 10, pp. 54-62.
Wood, A.D. ; Fang, L. ; Stankovic, J.A. & He, T. (2006). SIGF : a family of configurable,
secure routing protocols for wireless sensor networks. Proceedings of the 4th ACM
Workshop on Security of Ad Hoc and Sensor Networks, pp. 35 – 48, Alexandria, VA,
USA.
Yang, H. ; Ye, F. ; Yuan, Y. ; Lu, S. & Arbaugh, W. (2005). Towards resilient security in
wireless sensor networks. Proceedings of ACM MobiHoc, pp. 34 – 45.
Ye, F. ; Luo, L.H. & Lu, S. (2004). Statistical en-route detection and filtering of injected false
data in sensor networks. Proceedings of IEEE INFOCOM’04.
Ye, F. ; Zhong, G. ; Lu, S. & Zhang, L. (2005). GRAdient Broadcast : a robust data delivery
protocol for large scale sensor networks. ACM Journal of Wireless Networks (WINET).
Yuan, L. & Qu, G. (2002). Design space exploration for energy-efficient secure sensor
networks. Proceedings of IEEE International Conference on Application-Specific Systems,
Architectures, and Processors, pp. 88-100.
Zhang, K. ; Wang, C. & Wang, C. (2008). A secure routing protocol for cluster-based wireless
sensor networks using group key management. Proceedings of the 4th International
Conference on Wireless Communications, Networking and Mobile Computing
(WiCOM’08), pp. 1-5, Dalian.
Zhan, G. ; Shi, W. & Deng, J. (2010). TARF : a trust-aware routing framework for wireless
sensor networks. Proceedings of the 7th European Conference on Wireless Sensor
Networks (EWSN’10), pp. 65 – 80, Coimbra, Portugal.
Zhu, H. ; Bao, F. ; Deng, R.H. & Kim, K. (2004a). Computing of trust in wireless networks.
Proceedings of 60th IEEE Vehicular Technology Conference, California, USA.
Zhu, S. ; Setia, S. & Jajodia, S. (2004b). LEAP : efficient security mechanism for large-scale
distributed sensor networks. Proceedings of the 10th ACM Conference on Computer and
Communications Security, pp. 62 – 72, New York, USA, ACM Press.
Secure Routing in Wireless Mesh Networks
11
1. Introduction
Wireless mesh networks (WMNs) have emerged as a promising concept to meet the challenges
in next-generation networks such as providing flexible, adaptive, and reconfigurable
architecture while offering cost-effective solutions to the service providers (Akyildiz et al.,
2005). Unlike traditional Wi-Fi networks, with each access point (AP) connected to the wired
network, in WMNs only a subset of the APs are required to be connected to the wired
network. The APs that are connected to the wired network are called the Internet gateways
(IGWs), while the APs that do not have wired connections are called the mesh routers (MRs).
The MRs are connected to the IGWs using multi-hop communication. The IGWs provide
access to conventional clients and interconnect ad hoc, sensor, cellular, and other networks
to the Internet as shown in Fig. 1.
security surveillance systems, disaster management and rescue operations etc. (Franklin et
al., 2007). As there is no wired infrastructure to deploy in the case of WMNs, they are
considered a cost-effective alternative to wireless local area networks (WLANs) and backbone
networks for mobile clients. The existing wireless networking technologies such as IEEE
802.11, IEEE 802.15, IEEE 802.16, and IEEE 802.20 are used in the implementation of WMNs.
As WMNs become an increasingly popular replacement technology for last-mile
connectivity to the home networking, community and neighborhood networking, it is
imperative to design an efficient resource management system for these networks. Routing
is one of the most challenging issues in resource management for supporting real-time
applications with stringent quality of service (QoS) requirements. However, most of the
existing routing protocols for WMNs are extensions of protocols originally designed for
mobile ad hoc networks (MANETs) and thus they perform sub-optimally. Moreover, most
routing protocols for WMNs are designed without security issues in mind, where the nodes
are all assumed to be honest. In practical deployment scenarios, this assumption does not
hold. In a community-based WMN, a group of MRs managed by different operators form an
access network to provide last-mile connectivity to the Internet. As with any end-user
supported infrastructure, ubiquitous cooperative behavior in these networks cannot be
assumed a priori. Preserving scarce access bandwidth and power, as well as security
concerns may induce some selfish users to avoid forwarding data for other nodes, even as
they send their own traffic through the network. The selfish behavior of an MR degrades the
performance of a WMN, since it increases packet delivery latency and packet drops
and decreases the network throughput. In addition, some nodes may launch malicious
packet dropping attacks. Therefore, enforcing cooperation among the nodes in a WMN
becomes a critical issue, and a routing protocol should incorporate a cooperation
enforcement scheme in order to keep packet forwarding efficient and minimize
packet drops (Dong, 2009). To enforce cooperation among nodes and detect malicious and
selfish nodes in self-organizing networks such as MANETs, various collaboration schemes
have been proposed in the literature (Santhanam et al., 2008). Most of these proposals are
based on trust and reputation frameworks which attempt to identify misbehaving nodes by
an appropriate detection and decision making system, and then isolate or punish them.
Unfortunately, most of these schemes are not directly applicable for WMNs due to inherent
differences in characteristics between MANETs and WMNs. Efficient, reliable and secure
routing protocols for WMNs are clearly in demand.
Keeping this in mind, this chapter provides a comprehensive overview of security issues in
WMNs and then particularly focuses on secure routing in these networks. First, it identifies
security vulnerabilities in the medium access control (MAC) and the network layers. Various
possibilities of compromising data confidentiality, data integrity, replay attacks and offline
cryptanalysis are also discussed. Then various types of attacks in the MAC and the network
layers are discussed. In the MAC layer, attacks such as passive eavesdropping, link layer
jamming (Law et al., 2005; Brown et al., 2006), MAC spoofing, replay attacks (Mishra et al.,
2002) are discussed in detail. In the network layer, two broad categories of attacks are
identified: (i) attacks on the control plane and (ii) attacks on the data plane. Among the
attacks on the control plane, rushing attack (Hu et al., 2003a), wormhole attack (Hu et al.,
2003b), blackhole attack (Al-Shurman et al., 2004), grayhole attack (Sen et al., 2007), Sybil
attack (Newsome et al., 2004) are discussed. The data plane attacks are launched by the
selfish and malicious nodes which lead to degradation in the network performance (Zhong
et al., 2005; Salem et al., 2003). After enumerating the various types of attacks on the MAC
and the network layer, the chapter briefly discusses some of the preventive mechanisms
for those attacks. After the preliminary discussion on various attacks and their
countermeasures, the chapter focuses on its main topic: security in routing. It first identifies
the major security requirements for design of a routing protocol in WMNs. Then various
existing secure routing protocols for self-organizing networks such as ARAN (Sanzgiri et al.,
2002), SAODV (Zapata et al., 2002), SRP (Papadimitratos et al., 2002), SEAD (Hu et al.,
2002b), ARIADNE (Hu et al., 2002a), SEAODV (Li et al., 2011) etc. are discussed. All these
protocols are compared in terms of their relative performance and their areas of application.
After discussing these existing mechanisms, the chapter presents two novel secure routing
protocols that detect selfish nodes in WMNs and isolate those nodes from the network
activities so as to maximize the network throughput while providing desired QoS of the
user application (Sen, 2010a; Sen, 2010b).
The organization of the chapter is as follows. In Section 2, we discuss various security
vulnerabilities in different layers of the protocol stack of a WMN. Attacks at the physical,
MAC, network, and transport layers are discussed in detail, and the countermeasures to
defend against such attacks are briefly presented. In Section 3, several routing challenges in
WMNs are highlighted. Section 4 presents some of the well-known existing security
mechanisms for routing in WMNs. These protocols are also compared with respect to their
capabilities in defending against different attacks in the network layer of WMNs. In Section
5, two novel routing protocols for WMNs are presented. These protocols can guarantee
application QoS in addition to identifying malicious and selfish nodes in the network.
Section 6 concludes the chapter while identifying some open issues and future research
directions in designing secure routing protocols for WMNs.
In summary, the chapter makes the following contributions:
• It proposes threat models and security goals for secure routing in WMNs.
• It identifies various possible attacks on different layers of a WMN.
• It demonstrates how attacks against MANETs and peer-to-peer networks can be
adapted into powerful attacks against WMNs.
• It presents a security analysis of some of the major existing routing protocols for WMNs.
• It presents various defense mechanisms to counter the well-known attacks on the
routing protocols of WMNs.
• It presents two novel routing protocols for WMNs. These protocols enhance the routing
efficiency and the application QoS while providing security in routing.
• It identifies some open research problems in the area of secure routing in WMNs.
iii. Intentional collision of frames: a collision occurs when two nodes attempt to transmit
on the same frequency simultaneously (Wood et al., 2002). When frames collide, they
are discarded and need to be retransmitted. An adversary may strategically cause
collisions in specific packets such as acknowledgment (ACK) control messages. A
possible result of such collision is the costly exponential back-off. The adversary may
simply violate the communication protocol and continuously transmit messages in an
attempt to generate collisions. Repeated collisions can also be used by an attacker to
cause resource exhaustion. For example a naïve MAC layer implementation may
continuously attempt to retransmit the corrupted packets. Unless these retransmissions
are detected early, the energy levels of the nodes would be exhausted quickly. An
attacker may cause unfairness by intermittently using the MAC layer attacks. In this
case, the adversary causes degradation of real-time applications running on other nodes
by intermittently disrupting their frame transmissions.
iv. MAC spoofing attack: MAC addresses have long been used as the unique layer-2
network identifiers in both wired and wireless LANs. Because they are globally unique,
MAC addresses have often been used as an authentication factor or as an identifier for
granting varying levels of network privileges to a user. This is particularly common in
802.11 Wi-Fi networks. However, today’s MAC protocols (802.11) and
network interface cards do not provide any safeguards that would prevent a potential
attacker from modifying the source MAC address in its transmitted frames. On the
contrary, there is often full support in the form of drivers from manufacturers, which
makes this particularly easy. Modifying MAC addresses in transmitted frames is
referred to as MAC spoofing, and can be used by attackers in a variety of ways. MAC
spoofing enables the attacker to evade intrusion detection systems (IDSs) that are in place.
Further, today’s network administrators often use MAC addresses in access control
lists. For example, only registered MAC addresses are allowed to connect to the access
points. An attacker can easily eavesdrop on the network to determine the MAC
addresses of legitimate devices. This enables the attacker to masquerade as a legitimate
user and gain access to the network. An attacker can even inject a large number of
bogus frames into the network to deplete the resources (in particular, bandwidth and
energy), which may lead to denial of services for the legitimate nodes.
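Because the address itself can be cloned, a monitor that wants to catch spoofing has to rely on a property of the transmitter that the clone does not share. The Python script below is an added example, not code from the chapter: it checks the per-station 12-bit 802.11 sequence counter, which a NIC increments on every frame it sends, over a constructed capture in which a second radio starts transmitting under a legitimate station's address. The frame trace, the station addresses and the gap thresholds are assumptions chosen for the demonstration.

```python
"""Added example (not from the chapter): flag MAC spoofing from 802.11
sequence-number anomalies.

Every 802.11 station keeps a 12-bit sequence counter that it increments by one
per transmitted frame (wrapping from 4095 to 0) and copies into the
sequence-control field.  A second radio that clones a station's MAC address
has its own counter, so the frames seen for that address show two counters
interleaved: large backward jumps followed by large forward jumps.  A passive
monitor can flag this without any cryptographic material.
"""
from collections import defaultdict

SEQ_MOD = 4096            # 12-bit sequence-number space
MAX_FORWARD_GAP = 20      # frames the monitor may plausibly have missed (assumed threshold)
MAX_BACKWARD_GAP = 3      # reordering tolerance for retransmissions (assumed threshold)

# Constructed addresses for the demonstration.
LEGIT = "aa:bb:cc:dd:ee:01"   # station whose address the attacker clones
OTHER = "aa:bb:cc:dd:ee:02"   # unrelated honest station that wraps its counter

# Constructed capture: (frame index, source MAC, sequence number) in capture order.
# From frame 8 onward a second radio transmits with LEGIT's address and its own counter.
SAMPLE_FRAMES = [
    (1, LEGIT, 100), (2, OTHER, 4094), (3, LEGIT, 101), (4, OTHER, 4095),
    (5, LEGIT, 102), (6, LEGIT, 102),   # frame 6 is a retransmission: same number
    (7, OTHER, 0),   (8, LEGIT, 3000),  # clone appears with its own counter
    (9, OTHER, 1),   (10, LEGIT, 103),  # genuine station continues at 103
    (11, LEGIT, 3001), (12, OTHER, 2),
]


def seq_delta(prev: int, cur: int) -> int:
    """Signed distance from prev to cur on the 12-bit ring, in (-2048, 2048]."""
    d = (cur - prev) % SEQ_MOD
    return d - SEQ_MOD if d > SEQ_MOD // 2 else d


def detect_spoofing(frames, max_forward=MAX_FORWARD_GAP, max_backward=MAX_BACKWARD_GAP):
    """Return {mac: [(frame_index, prev_seq, cur_seq, reason), ...]} for every
    source MAC whose sequence stream is inconsistent with one transmitter."""
    last_seq = {}
    alerts = defaultdict(list)
    for idx, mac, seq in frames:
        if mac in last_seq:
            d = seq_delta(last_seq[mac], seq)
            if d < -max_backward:
                alerts[mac].append((idx, last_seq[mac], seq, "backward jump"))
            elif d > max_forward:
                alerts[mac].append((idx, last_seq[mac], seq, "forward jump"))
        last_seq[mac] = seq
    return dict(alerts)


if __name__ == "__main__":
    for mac, hits in detect_spoofing(SAMPLE_FRAMES).items():
        for idx, prev, cur, why in hits:
            print(f"{mac}: frame {idx} seq {prev} -> {cur} ({why})")
```

On the constructed trace the cloned address produces three alerts (frames 8, 10 and 11) while the honest station that wraps from 4095 to 0 produces none. In practice the tuples come from the source address and sequence-control field of captured frames, and the thresholds need tuning per environment: a monitor that loses frames sees forward gaps and retransmissions repeat a number, so only backward jumps beyond the reordering tolerance and very large forward jumps are flagged. The check raises the bar but is not a cryptographic control; an attacker who also tracks the victim's counter can stay inside the tolerance, which is why per-frame authentication as in IEEE 802.11i is the stronger answer.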
v. Replay attack: the replay attack, which is closely related to the man-in-the-middle attack
(Mishra et al., 2002), can be launched by external as well as internal nodes. An external
malicious node (not a member of the WMN) can eavesdrop on the broadcast communication
between two nodes (A and B) in the network as shown in Fig. 2. It can then retransmit the
captured legitimate messages at a later point in time to gain access to the network resources.
Generally, the authentication information is replayed, and the attacker deceives a node (node B
in Fig. 2) into believing that the attacker is a legitimate node (node A in Fig. 2). On a similar
note, an internal malicious node, which is an intermediate hop between two
communicating nodes, can keep a copy of all relayed data. It can then retransmit this
data at a later point in time to gain unauthorized access to the network resources.
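Both variants succeed only because node B cannot distinguish a fresh message from an old one. The script below is an added example, not part of the chapter: it binds every message from A to a per-sender counter protected by an HMAC, and B keeps an IPsec-style sliding window so that each counter is accepted at most once while moderate reordering is still tolerated. The shared key, the node identifiers and the message sequence are constructed for the demonstration; how A and B established the key is outside its scope.

```python
"""Added example (not from the chapter): rejecting replayed messages with a
per-sender counter, an HMAC over the counter, and a sliding anti-replay window.

Constructed setting: nodes A and B share a key.  Every message A sends carries
a monotonically increasing counter, and B accepts each counter at most once.
An attacker who records a genuine message can retransmit it but cannot mint a
fresh counter without the key; the window lets B tolerate reordering without
keeping an unbounded set of seen counters.
"""
import hashlib
import hmac
import struct

SHARED_KEY = hashlib.sha256(b"constructed demo key, not a real deployment").digest()
TAG_LEN = 32
HDR = struct.Struct(">6sQH")        # sender id (6 bytes), counter, payload length


def make_message(sender: bytes, counter: int, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Wire format: sender | counter | len | payload | HMAC-SHA256(key, all preceding bytes)."""
    body = HDR.pack(sender, counter, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ReplayGuard:
    """Receiver state: highest counter per sender plus a WINDOW-bit bitmap of
    which counters just below it have already been accepted."""
    WINDOW = 32

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.highest = {}
        self.bitmap = {}

    def accept(self, msg: bytes):
        """Return (accepted, reason).  The tag is verified before any state is
        touched, so forged messages cannot move the window."""
        if len(msg) < HDR.size + TAG_LEN:
            return False, "truncated"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        sender, counter, plen = HDR.unpack_from(body)
        if len(body) != HDR.size + plen:
            return False, "truncated"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"

        if sender not in self.highest:               # first message from this sender
            self.highest[sender], self.bitmap[sender] = counter, 1
            return True, "fresh"
        high = self.highest[sender]
        if counter > high:                            # newest so far: slide the window
            shift = counter - high
            mask = (1 << self.WINDOW) - 1
            self.bitmap[sender] = 1 if shift >= self.WINDOW else ((self.bitmap[sender] << shift) | 1) & mask
            self.highest[sender] = counter
            return True, "fresh"
        offset = high - counter                       # older than the newest: check the window
        if offset >= self.WINDOW:
            return False, "too old"
        bit = 1 << offset
        if self.bitmap[sender] & bit:
            return False, "replay"
        self.bitmap[sender] |= bit
        return True, "fresh (reordered)"


def run_scenario():
    """Constructed exchange between A and B observed by an eavesdropper.
    Returns B's verdict for each delivered message, in order."""
    a_id = b"\x02\x00\x00\x00\x00\x0a"
    b_side = ReplayGuard()
    m1, m2 = make_message(a_id, 1, b"hello"), make_message(a_id, 2, b"auth-token")
    m5, m4 = make_message(a_id, 5, b"data-5"), make_message(a_id, 4, b"data-4")
    m40, m3 = make_message(a_id, 40, b"data-40"), make_message(a_id, 3, b"data-3")
    tampered = bytearray(m2)
    tampered[HDR.size] ^= 0xFF                        # flip first payload byte, keep the old tag
    forged = make_message(a_id, 100, b"from attacker", key=b"wrong key")
    delivered = [m1, m2, m2, m5, m4, m4, bytes(tampered), forged, m40, m3]
    return [b_side.accept(m)[1] for m in delivered]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The scenario shows the replayed authentication message (the second copy of counter 2) rejected, a late but genuine counter 4 accepted inside the window, a tampered copy and a message forged without the key rejected on the tag, and a message that has fallen behind the window rejected as too old. The same mechanism defeats the internal relaying node, because a copied message carries a counter that B has already consumed. The counter must survive reboots, or be replaced by a nonce exchange, since a sender that restarts at zero would have all its traffic rejected as old.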
vi. Pre-computation and partial matching attack: unlike the above-mentioned attacks,
which exploit MAC protocol vulnerabilities, these attacks exploit vulnerabilities in the
security mechanisms that are employed to secure the MAC layer of the network.
Pre-computation and partial matching attacks target the cryptographic primitives that
are used at the MAC layer to secure the communication. In a pre-computation attack, or
time-memory trade-off (TMTO) attack, the attacker computes a large amount of
information (keys, plaintexts and the corresponding ciphertexts) and stores it before
launching the attack. When the actual transmission starts, the attacker uses the
pre-computed information to speed up the cryptanalysis. TMTO attacks are highly
effective against a large number of cryptographic solutions. In a partial matching attack,
on the other hand, the attacker has access to some (ciphertext, plaintext) pairs, which in
turn reduces the effective strength of the encryption key and improves the chances of
success of a brute-force search. Partial matching attacks exploit weak implementations of
encryption algorithms. For example, the IEEE 802.11i standard for MAC layer security in
wireless networks is prone to the session hijacking attack and the man-in-the-middle
attack that exploit vulnerabilities in IEEE 802.1X, and its four-way handshake procedure
is vulnerable to denial-of-service attacks.
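The trade-off is easiest to see on a small instance. The following Python script is an added example, not from the chapter: it builds a Hellman table for a toy 20-bit "cipher" (a hash truncated to 20 bits, standing in for a real primitive) under a fixed, known plaintext, then inverts a captured ciphertext using only the stored chain endpoints. Key size, chain parameters and the reduction function are assumptions chosen so that the precomputation runs in well under a second.

```python
"""Added example (not from the chapter): a Hellman time-memory trade-off
against a toy 20-bit block function under a fixed, known plaintext.

Offline, the attacker builds chains  k0 -> R(E(k0)) -> R(E(R(E(k0)))) -> ...
and stores only (endpoint -> start).  Online, a captured ciphertext E(k) is
reduced and walked forward until it hits a stored endpoint; regenerating that
chain from its start then reveals k.  The toy cipher, key size, chain
parameters and reduction function are assumptions made for the demonstration.
"""
import hashlib
import random

KEY_BITS = 20
KEY_SPACE = 1 << KEY_BITS
MASK = KEY_SPACE - 1
FIXED_PT = b"constructed plaintext the attacker knows in advance"


def toy_encrypt(key: int, pt: bytes = FIXED_PT) -> int:
    """Stand-in cipher: 20-bit 'ciphertext' of pt under key (a truncated hash)."""
    h = hashlib.sha256(key.to_bytes(4, "big") + pt).digest()
    return int.from_bytes(h[:4], "big") & MASK


def reduce_(ct: int) -> int:
    """Reduction function: map a ciphertext back into the key space."""
    return (ct + 0x5BD1E995) & MASK


def chain_keys(start: int, chain_len: int) -> list:
    """Keys k_0 .. k_{t-1} of one chain; their ciphertexts are what the chain covers."""
    keys, k = [], start
    for _ in range(chain_len):
        keys.append(k)
        k = reduce_(toy_encrypt(k))
    return keys


def build_table(num_chains: int, chain_len: int, seed: int = 7):
    """Precomputation: returns ({endpoint: [starts]}, starts).  Only endpoints
    and starts are stored, not the num_chains * chain_len intermediate keys."""
    rng = random.Random(seed)
    starts = [rng.randrange(KEY_SPACE) for _ in range(num_chains)]
    table = {}
    for s in starts:
        k = s
        for _ in range(chain_len):
            k = reduce_(toy_encrypt(k))
        table.setdefault(k, []).append(s)       # merged chains keep every start
    return table, starts


def invert(ct: int, table: dict, chain_len: int):
    """Online phase: return (a key with toy_encrypt(key) == ct, or None,
    together with the number of cipher evaluations spent)."""
    evals = 0
    y = reduce_(ct)
    for _ in range(chain_len):
        for start in table.get(y, ()):          # endpoint hit: regenerate that chain
            k = start
            for _ in range(chain_len):
                evals += 1
                c = toy_encrypt(k)
                if c == ct:
                    return k, evals
                k = reduce_(c)                  # not found: a false alarm from a merge
        evals += 1
        y = reduce_(toy_encrypt(y))
    return None, evals


def coverage(starts, chain_len: int) -> float:
    """Fraction of the key space whose ciphertext the table can invert."""
    covered = set()
    for s in starts:
        covered.update(chain_keys(s, chain_len))
    return len(covered) / KEY_SPACE


if __name__ == "__main__":
    table, starts = build_table(512, 64)
    victim_key = chain_keys(starts[3], 64)[10]      # a key the table happens to cover
    ct = toy_encrypt(victim_key)
    key, evals = invert(ct, table, 64)
    print(f"recovered key {key:#x} (victim {victim_key:#x}) after {evals} evaluations; "
          f"table covers {coverage(starts, 64):.1%} of {KEY_SPACE} keys")
```

Brute force on this instance costs up to 2^20 evaluations per ciphertext; after a one-time precomputation of 512 x 64 evaluations, the online phase needs on the order of a chain length of evaluations for any ciphertext the table covers, and coverage grows with the number and length of chains, which is exactly the memory-versus-time dial. The defensive lesson is that precomputation only pays off when the attacked value is fixed across sessions: a per-session nonce or salt mixed into the key derivation forces the attacker to precompute per nonce, which is why protocol designs avoid encrypting known constants under long-term keys.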
i. Control plane attacks: Rushing attacks (Hu et al., 2003a) targeting the on-demand routing
protocols (e.g., AODV) were among the first exposed attacks on the network layer of
multi-hop wireless networks. Rushing attacks exploit the route discovery mechanism of
on-demand routing protocols. In these protocols, the node requiring the route to the
destination floods the route_request (RREQ) message, which is identified by a sequence
number. To limit the flooding, each node only forwards the first message that it receives
and drops the remaining messages with the same sequence number. To avoid collisions among
these messages, the protocol specifies a (typically randomized) delay between a node receiving a
route request message and forwarding it. The
malicious node launching the rushing attack forwards the RREQ message to the target
node before any other intermediate node from the source to destination. This can easily be
achieved by ignoring the specified delay. Consequently, the route from the source to the
destination includes the malicious node as an intermediate hop, which can then drop the
packets of the flow thereby launching a data plane DoS attack.
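The following Python simulation is an added example (not the chapter's code) of the mechanism just described. It constructs a two-hop topology with three honest relays and one rushing attacker and compares two destination-side policies: accepting the first RREQ copy, as AODV does, and collecting copies for a short window and picking one at random, the randomized-selection idea behind RAP (Hu et al., 2003a) that this chapter discusses later. Node names, jitter and window values are assumptions.

```python
"""Added example (not from the chapter): simulate a rushing attack on
on-demand route discovery and the randomized-forwarding defense.

Constructed two-hop topology: source S and destination D are not in range
of each other; relays H1..H3 (honest) and M (attacker) are in range of both.
Honest relays wait a random jitter, plus processing time, before
re-broadcasting a RREQ; M ignores the jitter and forwards at once.
"""
import random

HONEST_RELAYS = ["H1", "H2", "H3"]
ATTACKER = "M"
MIN_DELAY_MS = 0.5        # assumed minimum processing delay of an honest relay
JITTER_MAX_MS = 10.0      # assumed maximum forwarding jitter of an honest relay
COLLECT_WINDOW_MS = 15.0  # assumed time D collects RREQ copies under the defense


def relay_arrivals(rng: random.Random) -> dict:
    """Time at which D receives the RREQ copy re-broadcast by each neighbour.
    Keyed by previous hop, so several copies from M collapse into one entry."""
    arrivals = {h: rng.uniform(MIN_DELAY_MS, JITTER_MAX_MS) for h in HONEST_RELAYS}
    arrivals[ATTACKER] = 0.0   # the rushing attacker forwards without any delay
    return arrivals


def choose_first(arrivals: dict, rng: random.Random) -> str:
    """AODV-style processing: accept the first RREQ copy, drop later duplicates.
    The chosen neighbour becomes the next hop of the reverse route."""
    return min(arrivals, key=arrivals.get)


def choose_random_in_window(arrivals: dict, rng: random.Random,
                            window: float = COLLECT_WINDOW_MS) -> str:
    """RAP-style randomized selection: buffer every distinct-neighbour copy that
    arrives within the window, then pick one uniformly at random."""
    candidates = [n for n, t in arrivals.items() if t <= window]
    return rng.choice(candidates)


def attacker_capture_rate(policy, trials: int = 2000, seed: int = 1) -> float:
    """Fraction of route discoveries in which M ends up on the route."""
    rng = random.Random(seed)
    captured = sum(policy(relay_arrivals(rng), rng) == ATTACKER for _ in range(trials))
    return captured / trials


if __name__ == "__main__":
    print(f"first-copy forwarding: attacker on route in "
          f"{attacker_capture_rate(choose_first):.0%} of discoveries")
    print(f"randomized selection:  attacker on route in "
          f"{attacker_capture_rate(choose_random_in_window):.0%} of discoveries")
```

With first-copy forwarding the attacker captures every route; with randomized selection its share drops to roughly one in four, since it is only one of the neighbours whose copies arrived in time. Keying copies by previous hop matters: without it M could flood duplicates to raise its odds, which is why RAP pairs randomized selection with secure neighbour detection and secure route delegation. The defense also delays route setup by the collection window, the price paid for removing the attacker's advantage.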
multiple nodes collude together, resulting in complete disruption of routing and packet
forwarding functionality of the network. The cooperative blackhole attack and the
prevention mechanism have been studied in (Ramaswamy et al., 2003).
maliciously crafted control packets, which may lead to the disruption of routing
functionality. The control plane attacks are dependent on such maliciously crafted control
packets. The malicious and selfish behaviors of nodes in WMNs have been studied in
(Zhong et al., 2005; Salem et al., 2003).
layer, are the Internet gateways (IGWs) which are connected to the wired Internet. They form
the backbone infrastructure for providing Internet connectivity to the elements in the second
level. The entities at the second level are called wireless mesh routers (MRs) that eliminate the
need for wired infrastructure at every MR and forward their traffic in a multi-hop fashion
towards the IGW. At the lowest level are the mesh clients (MCs) which are the wireless
devices of the users. Internet connectivity and peer-to-peer communications inside the mesh
are two important applications for a WMN. Therefore, the design of an efficient and low-
overhead routing protocol that avoids unreliable routes and accurately estimates the end-to-
end delay of a flow along the path from the source to the destination is a major challenge.
Some of the major challenges in designing routing protocol for WMNs are discussed below:
i. Measuring link reliability: it has been observed that in wireless ad hoc networks like
WMNs, broadcast hello messages, which are sent at a lower and more robust bit rate than data
packets, introduce communication gray zones (Lundgren et al., 2002). In such zones, data
messages cannot be exchanged although the hello messages reach the neighbors. This leads to
disruption in communication among the nodes. Since routing protocols such as AODV and WMR
(Xue et al., 2003) rely on control packets like RREQ, these protocols are highly unreliable for
estimating the quality of wireless links. Due to the communication gray zone problem, nodes
that are able to exchange RREQ packets bidirectionally sometimes cannot send or receive data
packets at a high rate. These fragile links trigger link repairs, resulting in high control overhead.
ii. End-to-end delay estimation: an important issue in a routing protocol is end-to-end
delay estimation. Current protocols estimate end-to-end delay by measuring the time
taken to route the route request (RREQ) and route reply (RREP) packets along the given
path. However, RREQ and RREP packets differ from normal data packets and
hence are unlikely to experience the same levels of delay and loss as data packets.
It has been observed through simulation that a RREP-based estimator overestimates,
while a hop-count-based estimator underestimates, the actual delay experienced by the
data packets (Kone et al., 2007). The reason for the significant deviation of a RREP-based
estimator from the actual end-to-end delay is signal interference. The RREQ
packets are flooded in the network, resulting in a heavy burst of traffic. This heavy
traffic causes inter-flow interference on the paths. Unicast data packets do not cause
such events. Moreover, as a stream of packets traverses a route, the
broadcast nature of wireless links makes different packets in the same flow interfere with each
other, resulting in per-packet delays. Since the control packets do not experience this per-packet
delay, estimates based on control packet delay deviate widely from the
actual delay experienced by the data packets.
iii. Reduction of control overhead: since the effective bandwidth of wireless channels varies
continuously, reduction of control overhead is important in order to maximize
throughput in the network. Reactive protocols such as AODV and DSR use flooding of
RREQ packets for route discovery. This consumes a high proportion of the network
bandwidth and reduces the effective throughput. An important challenge in designing
a routing protocol for WMNs is to optimize the communication and computation
overhead of the control messages so that the bandwidth of the wireless channels may be
used by applications as efficiently as possible. Security and privacy issues add
another dimension of complexity: the protocol designer's goal is to design
the security framework in such a way that it involves minimum computational and
communication overhead.
Secure Routing in Wireless Mesh Networks 249
is the first of its kind that encompasses both high performance and security as goals in
multicast routing and considers attacks on both path establishment and data delivery phases.
As mentioned in Section 2.3, wireless networks are also subject to attacks such as rushing
attacks and wormhole attacks. Defenses against these attacks have been studied extensively
(Hu et al., 2003b; Hu et al., 2003a; Eriksson et al., 2006; Hu et al., 2004). RAP (Hu et al.,
2003a) prevents the rushing attack by waiting for several flooded requests and then randomly
selecting one to forward, rather than always forwarding only the first one. Techniques to
defend against wormhole attacks include packet leashes (Hu et al., 2003b), which restrict the
maximum transmission distance by using time or location information. TrueLink (Eriksson et
al., 2006), which uses MAC-level acknowledgments to infer whether a link exists between
two nodes, and the work in (Hu et al., 2004), which relies on directional antennas, are two
further mechanisms for defense against the wormhole attack.
In the following sub-sections, some of the well-known security protocols for routing in
WMNs are presented. These protocols are extensions of base routing protocols like AODV,
DSR etc. and use cryptographic mechanisms for ensuring node authentication, message
integrity and message confidentiality.
$$T \rightarrow A : cert_A = [\,IP_A,\ K_A^{+},\ t,\ e\,]_{K_T^{-}} \tag{1}$$
In (1), $IP_A$, $K_A^{+}$, $t$, $e$ and $K_T^{-}$ represent the IP address of node A, the public key of node A,
the time of creation of the certificate, the time of expiry of the certificate, and the private key
of the server, respectively.
End-to-end route authentication: the main goal of the end-to-end route authentication
process is to ensure that the packets reach the current intended destination from the source
node. The source node S broadcasts a RREQ (i.e. route discovery) packet destined to the
destination node D. The RREQ packet contains the packet identifier (route discovery process,
RDP), the IP address of the destination ($IP_D$), the certificate of the source node S ($Cert_S$), the
current time ($t$) and a nonce $N_S$. The process can be denoted as in (2), where $K_S^{-}$ is the
private key of the source node S.
$$S \rightarrow broadcast : [\,RDP,\ IP_D,\ Cert_S,\ N_S,\ t\,]_{K_S^{-}} \tag{2}$$
Whenever the source sends a route discovery message, it increments the value of the nonce.
The nonce is a counter used in conjunction with the time-stamp so that nonce values can be
recycled safely. When a node receives an RDP packet from the source with a higher value
of the source's nonce than in the previously received RDP packets from the same source
node, it records the neighbor from which it received the packet, signs the
packet with its own private key, appends its own certificate, and broadcasts it further. The
process is represented in (3) below, where $K_A^{-}$ and $Cert_A$ are the private key and the
certificate of node A:
$$A \rightarrow broadcast : [[\,RDP,\ IP_D,\ Cert_S,\ N_S,\ t\,]_{K_S^{-}}]_{K_A^{-}},\ Cert_A \tag{3}$$
An intermediate node B, on receiving an RDP packet from node A, verifies both signatures,
removes node A's signature and certificate, signs the packet with its own private key,
appends its own certificate, and broadcasts the packet further. The destination node,
on receiving an RDP packet, verifies node S's certificate and the tuple ($N_S$, $t$) and then replies
with the route reply (REP). The destination unicasts the REP packet to the source node along
the reverse path as in (4):
$$D \rightarrow X : [\,REP,\ IP_S,\ Cert_D,\ N_S,\ t\,]_{K_D^{-}} \tag{4}$$
In (4), node X is the neighbor of the destination node D which had originally forwarded the
RDP packet to node D. The REP packet follows the same procedure on the reverse path as the
route-discovery packet: each hop signs it and appends its own certificate. An error message is
generated if the time-stamp or nonce does not meet the requirements or if certificate
verification fails. The error message looks like the other packets except that the packet
identifier is replaced by ERR.
In summary, ARAN is robust in the presence of attacks such as unauthorized
participation, spoofed route signaling, fabricated routing messages, alteration of routing
messages, attacks on shortest-path selection, and replay attacks. However, since ARAN uses
public-key cryptography for authentication, it is particularly vulnerable to DoS attacks based on
flooding the network with bogus control packets for which signature verifications are
required. As long as a node cannot verify signatures at the required rate, an attacker can force
that node to discard some fraction of the control packets it receives.
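The exchange in (1) to (4), worked through in Go as an added example (this is not code from the chapter or from the ARAN authors). Signatures are Ed25519; the field encoding, the addresses, the clock values and the 60-second timestamp window are constructed choices, and the certificate server T, the source S and the two forwarding nodes are all simulated in one process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is cert_A = [IP_A, K_A+, t, e]_{K_T-} of (1): the server T signs A's address and
// public key together with the creation and expiry times.
type Cert struct{ IP string; PubKey ed25519.PublicKey; Created, Expires uint64; Sig []byte }

// Field encoding is a constructed choice: a textual header followed by the raw key bytes.
func certBytes(c Cert) []byte {
	return append([]byte(fmt.Sprintf("CERT|%s|%d|%d|", c.IP, c.Created, c.Expires)), c.PubKey...)
}

func issueCert(serverPriv ed25519.PrivateKey, ip string, pub ed25519.PublicKey, t, e uint64) Cert {
	c := Cert{IP: ip, PubKey: pub, Created: t, Expires: e}
	c.Sig = ed25519.Sign(serverPriv, certBytes(c))
	return c
}

func validCert(serverPub ed25519.PublicKey, c Cert, now uint64) bool {
	return now < c.Expires && ed25519.Verify(serverPub, certBytes(c), c.Sig)
}

// RDP is [RDP, IP_D, Cert_S, N_S, t]_{K_S-} of (2), wrapped in the signature (HopSig) and
// certificate (HopCert) of the hop that last forwarded it, as in (3).
type RDP struct{ DestIP string; SrcCert Cert; Nonce, Time uint64; SrcSig, HopSig []byte; HopCert Cert }

func rdpCore(p RDP) []byte {
	return append([]byte(fmt.Sprintf("RDP|%s|%d|%d|", p.DestIP, p.Nonce, p.Time)), certBytes(p.SrcCert)...)
}

// Node holds its keys plus the highest nonce seen from each source (replay state).
type Node struct{ Cert Cert; priv ed25519.PrivateKey; serverPub ed25519.PublicKey; lastNonce map[string]uint64 }

func NewNode(serverPriv ed25519.PrivateKey, ip string, now uint64) *Node {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Node{Cert: issueCert(serverPriv, ip, pub, now, now+3600), priv: priv,
		serverPub: serverPriv.Public().(ed25519.PublicKey), lastNonce: map[string]uint64{}}
}

// rewrap replaces the previous hop's signature and certificate with this node's own, as in (3).
func (n *Node) rewrap(p RDP) RDP {
	p.HopSig = ed25519.Sign(n.priv, append(rdpCore(p), p.SrcSig...))
	p.HopCert = n.Cert
	return p
}

// Originate is (2): the source signs the RDP with K_S-; on the first hop the outer layer is its own.
func (n *Node) Originate(destIP string, nonce, now uint64) RDP {
	p := RDP{DestIP: destIP, SrcCert: n.Cert, Nonce: nonce, Time: now}
	p.SrcSig = ed25519.Sign(n.priv, rdpCore(p))
	return n.rewrap(p)
}

// Forward makes the checks a receiving node performs before re-broadcasting: both
// certificates, both signatures, a timestamp within a 60 s window and a fresh nonce N_S.
func (n *Node) Forward(p RDP, now uint64) (RDP, error) {
	if !validCert(n.serverPub, p.SrcCert, now) || !validCert(n.serverPub, p.HopCert, now) {
		return RDP{}, errors.New("certificate invalid or expired")
	}
	if !ed25519.Verify(p.SrcCert.PubKey, rdpCore(p), p.SrcSig) {
		return RDP{}, errors.New("source signature invalid")
	}
	if !ed25519.Verify(p.HopCert.PubKey, append(rdpCore(p), p.SrcSig...), p.HopSig) {
		return RDP{}, errors.New("previous-hop signature invalid")
	}
	if p.Time > now || now-p.Time > 60 {
		return RDP{}, errors.New("timestamp outside the accepted window")
	}
	if last, seen := n.lastNonce[p.SrcCert.IP]; seen && p.Nonce <= last {
		return RDP{}, errors.New("nonce not fresh (replay)")
	}
	n.lastNonce[p.SrcCert.IP] = p.Nonce
	return n.rewrap(p), nil
}

// Demo runs S -> A -> B, then replays the original RDP at A and alters IP_D in transit to B.
func Demo() (accepted bool, replayErr, tamperErr error) {
	_, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := uint64(1000) // constructed clock and addresses
	S, A, B := NewNode(serverPriv, "10.0.0.1", now), NewNode(serverPriv, "10.0.0.2", now), NewNode(serverPriv, "10.0.0.3", now)
	p := S.Originate("10.0.0.9", 1, now)
	p1, err := A.Forward(p, now+1)
	if err != nil {
		return false, nil, nil
	}
	_, err = B.Forward(p1, now+2)
	accepted = err == nil
	_, replayErr = A.Forward(p, now+3) // same N_S again
	bad := p1
	bad.DestIP = "10.0.0.7" // attacker rewrites IP_D: the source signature no longer verifies
	_, tamperErr = B.Forward(bad, now+3)
	return accepted, replayErr, tamperErr
}

func main() {
	ok, r, t := Demo()
	fmt.Println("S->A->B accepted:", ok, "| replay:", r, "| tampered:", t)
}
```

Running it shows the honest S → A → B discovery accepted, the replayed RDP rejected on the nonce check, and the packet whose IP_D was rewritten rejected on the source signature. Every hop performs two signature verifications per packet; that per-packet cost is exactly what the DoS remark above refers to.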
authenticates the sender ensuring that the routing information originates from the correct
node. The source of each routing update message is also authenticated so as to prevent
creation of a routing loop by an attacker launching an impersonation attack.
In the following, first a brief description of the base DSDV protocol is given followed by a
discussion on the enhancements proposed in the SEAD protocol.
Distance vector routing: distance vector routing protocols belong to the category of table-
driven routing protocols. Each node maintains a routing table containing the list of all
known routes to various destination nodes in the network. The metric used for routing is the
distance measured in terms of hop-count. The routing table is updated periodically by
exchanging routing information. An alternative to this approach is triggered updates, in
which each node broadcasts routing updates only if its routing table gets altered. The DSDV
protocol for ad hoc wireless networks and WMNs uses sequence number tags to prevent the
formation of loops, to counter the count-to-infinity problem, and for faster convergence.
When a new route update packet is received for a destination, the node updates the
corresponding entry in its routing table if the sequence number in the received update
is greater than the one recorded for that entry. If the received sequence number equals
the recorded one but the update carries a better (smaller) value of the routing metric
(distance in number of hops), the update is also applied. Otherwise, the received update
packet is discarded. DSDV uses triggered updates (for important routing changes) in addition
to the regular periodic updates. A slight variation of the DSDV protocol known as DSDV
sequence number (DSDV-SQ) initiates triggered updates on receiving an update with a new
sequence number.
One-way hash function: SEAD uses authentication to differentiate between updates received
from non-malicious nodes and those from malicious nodes. This minimizes the chances of
resource consumption attacks caused by malicious nodes. SEAD uses a one-way hash
function for authenticating the updates. A one-way hash function H generates a one-way
hash chain ($h_1, h_2, \ldots$). The function H maps an input bit-string of any length to a fixed-length
bit-string, that is, $H : \{0,1\}^{*} \rightarrow \{0,1\}^{\rho}$, where $\rho$ is the length in bits of the output
bit-string. To create a one-way hash chain, a node generates a random initial value
$x \in \{0,1\}^{\rho}$ and sets $h_0 = x$, the first element of the chain. The remaining values in
the chain are computed as $h_i = H(h_{i-1})$ for $1 \le i \le n$, for some $n$. How the
one-way hash chain adds security to the existing DSDV-SQ routing
protocol will now be explained. The SEAD protocol assumes an upper bound on the metric
used. For example, if the metric used is distance, then the upper bound value $m - 1$ defines
the maximum diameter (the maximum, over all node pairs, of the length of the route between them) of
the ad hoc wireless network or the WMN. Hence, the routing protocol assumes that no route
longer than $m - 1$ hops exists between any two nodes.
If the sequence of values calculated by a node using the hash function H is ($h_1, h_2, \ldots, h_n$),
where n is divisible by m, then for a routing table entry with sequence number i let
$$k = \frac{n}{m} - i .$$
If the metric j (distance) used for that routing table entry satisfies $0 \le j \le m - 1$, then the
value $h_{km+j}$ is used to authenticate the routing update entry for that sequence number i
and that metric j. Whenever a route update message is sent, the node appends the value
used for authentication to it. If the authentication value used is $h_{km+j}$, an attacker who wants
to advertise a shorter metric $j - 1$ for the same sequence number would need $h_{km+j-1}$, and
since the chain is one-way, $h_{km+j-1}$ cannot be computed from $h_{km+j}$. An intermediate node, on
receiving this authenticated update, hashes the received value the number of times implied by
the difference in sequence number and metric and compares the result with the authenticator
of the most recently verified update for that destination. If the values match, the update is
applied; otherwise the received update is simply discarded.
SEAD avoids routing loops unless the loop contains more than one attacker. The protocol
can be implemented easily with slight modifications to the DSDV protocol. The use of
one-way hash chains for verification keeps the computational cost low, and the protocol is
robust against multiple uncoordinated attacks. Its main disadvantage is that a trusted entity is
needed in the network to distribute and maintain the verification element (the anchor of the
hash chain) of every node, which introduces a single point of failure: if the trusted entity is
compromised, the entire network becomes vulnerable. In addition, the protocol is vulnerable
to an attacker that re-uses the metric and sequence number of a recent update message
to send a new (replayed) routing update.
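An added Go example (not from the chapter or the SEAD authors) of the $h_{km+j}$ construction above, with SHA-256 as H. The chain length n = 40 and metric bound m = 8 are constructed values. It shows the receiver's verification against the distributed anchor, a forwarding node lengthening the metric by one extra hash, and the two things an attacker cannot do without inverting H, as well as the replay limitation noted above.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func hash(v []byte) []byte { s := sha256.Sum256(v); return s[:] }

// Chain is a node's one-way hash chain h_0 = x, h_i = H(h_{i-1}), 1 <= i <= n, with n a multiple
// of the metric bound m (metrics run from 0 to m-1).
type Chain struct {
	n, m int
	h    [][]byte
}

func NewChain(n, m int) *Chain {
	if n%m != 0 {
		panic("n must be divisible by m")
	}
	c := &Chain{n: n, m: m, h: make([][]byte, n+1)}
	c.h[0] = make([]byte, 32)
	rand.Read(c.h[0])
	for i := 1; i <= n; i++ {
		c.h[i] = hash(c.h[i-1])
	}
	return c
}

// Anchor is h_n, the verification element a trusted entity distributes for this node.
func (c *Chain) Anchor() []byte { return c.h[c.n] }

// index maps (sequence number i, metric j) to km + j with k = n/m - i, as in the text.
func index(n, m, seq, metric int) int { return (n/m-seq)*m + metric }

// Authenticator is h_{km+j}, appended to an update advertising sequence number seq and metric.
func (c *Chain) Authenticator(seq, metric int) []byte { return c.h[index(c.n, c.m, seq, metric)] }

// Update is one received DSDV-style entry: (seq, metric, authenticator).
type Update struct {
	Seq, Metric int
	Auth        []byte
}

// Verifier is a receiving node's authenticated state for one destination: the last
// accepted (seq, metric) and its authenticator, starting from (0, 0, anchor).
type Verifier struct {
	n, m, seq, metric int
	known             []byte
}

func NewVerifier(n, m int, anchor []byte) *Verifier { return &Verifier{n: n, m: m, known: anchor} }

// Authentic hashes the received authenticator forward until it should land on the known one
// (or the known one forward if the update is no better). Claiming a newer sequence number
// or a smaller metric would require an earlier chain element, i.e. inverting H.
func (v *Verifier) Authentic(u Update) bool {
	if u.Metric < 0 || u.Metric >= v.m || u.Seq < 0 || u.Seq > v.n/v.m {
		return false
	}
	a, b := u.Auth, v.known
	d := index(v.n, v.m, v.seq, v.metric) - index(v.n, v.m, u.Seq, u.Metric)
	if d < 0 {
		a, b, d = b, a, -d
	}
	for i := 0; i < d; i++ {
		a = hash(a)
	}
	return bytes.Equal(a, b)
}

// Apply installs an authentic update that is fresher, or equally fresh and shorter (the DSDV
// rule); a replay of the current entry is authentic but changes nothing.
func (v *Verifier) Apply(u Update) bool {
	better := u.Seq > v.seq || (u.Seq == v.seq && u.Metric < v.metric)
	if !better || !v.Authentic(u) {
		return false
	}
	v.seq, v.metric, v.known = u.Seq, u.Metric, u.Auth
	return true
}

// Demo: n = 40, m = 8 gives a 7-hop diameter and sequence numbers 1..5 (constructed values).
func Demo() (honest, forwarded, fakeMetric, fakeSeq bool) {
	const n, m = 40, 8
	dst := NewChain(n, m)
	u := Update{Seq: 3, Metric: 2, Auth: dst.Authenticator(3, 2)}
	r1 := NewVerifier(n, m, dst.Anchor())
	honest = r1.Apply(u)
	// r1 re-advertises the route one hop longer: metric+1 is one more hash, no secret needed.
	r2 := NewVerifier(n, m, dst.Anchor())
	forwarded = r2.Apply(Update{Seq: 3, Metric: 3, Auth: hash(u.Auth)})
	// An attacker that captured u cannot shorten the metric or advance the sequence number.
	fakeMetric = r2.Authentic(Update{Seq: 3, Metric: 1, Auth: u.Auth})
	fakeSeq = r2.Authentic(Update{Seq: 4, Metric: 2, Auth: u.Auth})
	return
}

func main() {
	h, f, fm, fs := Demo()
	fmt.Println("honest:", h, "forwarded:", f, "fake metric:", fm, "fake seq:", fs)
}
```

The verifier never needs the node's secret x: it only hashes forward, which is why the scheme is cheap. Note that Authentic returns true for a replayed (seq, metric, h) triple; only the DSDV freshness rule in Apply keeps it from changing the table, which is the weakness the paragraph above ends on.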
Fig. 6. Route selection in SAR: the shortest route between N1 and N2 (through P1 and P2) versus the secure route (through I1, I2 and I3)
As shown in Fig. 6, two paths exist between the nodes N1 and N2 that want to communicate
with each other. The shorter one passes through private nodes (P1 and
P2) whose trust levels are low. Hence, the protocol chooses the longer but secure path, which
passes through the secure nodes I1, I2 and I3.
The SAR protocol can be explained using any of the traditional routing protocols. In this
section, SAR is explained using the AODV protocol (Perkins et al., 1999). In the
AODV protocol, the source node broadcasts a route_request (RREQ) packet to its neighbors.
An intermediate node, on receiving a RREQ packet, forwards it further if it does not have a
route to the destination. Otherwise, it sends a route_reply (RREP) packet back to the source
node along the reverse path traversed by the RREQ packet. In SAR, a certain level of
security is incorporated into the packet-forwarding mechanism. Each packet is
associated with a security level, determined by a number calculation method
(explained later in this section), and each intermediate node is likewise associated with a
security level. On receiving a packet, the intermediate node compares its own level of
security with that defined for the packet. If the node's security level is less than that of the
packet, the RREQ is simply discarded. If it is greater, the node is considered to be a secure
node and is permitted to forward the packet in addition to being able to view it. If
the security level of the intermediate node and that of the received packet are equal,
the intermediate node is not able to view the packet (which can be ensured using
a proper authentication mechanism); it just forwards the packet further.
Nodes of equal level of trust distribute a common key among themselves and with those
nodes having higher levels of trust. Hence, a hierarchical level of security could be
maintained. This ensures that an encrypted packet can be decrypted (using the common
key) only by nodes of the same or higher levels of security compared to the level of security
of the packet. Different levels of trust can be defined using a number calculated based on the
level of security required. It can be calculated using a number of methods. Since timeliness,
in-order delivery of packets, authenticity, authorization, integrity, confidentiality, and non-
repudiation are some of the desired characteristics of a routing protocol, a suitable number
can be defined for the trust level for nodes and packets based on the number of such
characteristics taken into account.
The SAR protocol can be easily incorporated into the traditional routing protocols for ad hoc
wireless networks and WMNs. It could be incorporated into both on-demand and table-
driven routing protocols. The SAR protocol allows the application to choose the level of
security it requires. But the protocol requires different keys for different levels of security.
This tends to increase the number of keys required when the number of security levels used
increases.
destination. Therefore, routing messages do not have an increasing size. It uses destination
sequence numbers to specify how fresh a route is (in comparison to the others), which is
used to grant loop freedom.
Whenever a node needs to send a packet to a destination for which it has no ‘fresh enough’
route (i.e., a valid route entry for the destination whose associated sequence number is at
least as great as the one contained in any RREQ that the node has received for that
destination), it broadcasts an RREQ message to its neighbors. Each node that receives the
broadcast message sets up a reverse route towards the originator of the RREQ, unless it has
a ‘fresher’ one (Fig. 7). When the intended destination (or an intermediate node that has a
‘fresh enough’ route to the destination) receives the RREQ, it replies by sending an RREP. It
is important that the only mutable information in an RREQ and in an RREP is the hop-count
(which is being monotonically increased at each hop). The RREP is unicast back to the
originator of the RREQ (Fig. 8).
Fig. 7. Route request in AODV. S and D are the source and destination nodes respectively
Fig. 8. Route reply in AODV. S and D are the source and destination nodes respectively
At each intermediate node, a route to the destination is set up unless the node already has a
'fresher' route than the one specified in the RREP. In the case that the RREQ is replied to by an
intermediate node (and if the RREQ had set this option), the intermediate node also sends
an RREP to the destination. In this way, it is guaranteed that the path is being set up
bi-directionally. If a node receives a new route (by an RREQ or by an RREP)
and already has a route 'as fresh' as the received one, the shorter of the two is
kept. Optionally, a route_reply acknowledgment (RREP-ACK) message may be sent by the
originator of the RREQ to acknowledge the receipt of the RREP. An RREP-ACK message has
no mutable information. In addition to these routing messages, a route_error (RERR)
message is used to notify the other nodes that certain nodes are no longer reachable due
to link breakage. When a node re-broadcasts an RERR, it only adds the unreachable
destinations to which the node might forward messages. Therefore, the mutable information
in an RERR is the list of unreachable destinations and the counter of unreachable
destinations included in the message. It follows that, at each hop, the list of unreachable
destinations either stays unchanged or becomes a subset of the original one.
Because AODV has no security mechanisms, malicious nodes can perform many attacks just
by not following the protocol. A malicious node M can carry out the following attacks
(among many others) against AODV:
• Impersonate a node S by forging an RREQ with its address as the originator address.
• When forwarding an RREQ generated by node S to discover a route to node D, reduce
the hop count field to increase the chances of being in the route path between S and D
so that it can analyze the traffic between them.
• Impersonate a node D by forging an RREP with its address as a destination address.
• Impersonate a node by forging an RREP that claims that the node is the destination.
• Selectively drop certain RREQs, RREPs and data packets. This kind of attack is
especially hard to detect, because transmission errors have a similar effect.
• Forge an RERR message pretending it is the node S and send it to its neighbor D. The
RERR message has a very high destination sequence number (dsn) for one of the
unreachable destination, say, U. This might cause D to update the destination sequence
number corresponding to U with the value dsn and, therefore, future route discoveries
performed by D to obtain a route to U will fail (because U’s destination sequence
number will be much smaller than the one stored in D’s routing table).
• According to the AODV specification (Perkins et al., 1999), the originator of an RREQ
can put a much bigger destination sequence number than the real one. In addition,
sequence numbers wrap around when they reach the maximum value allowed by the
field size. This allows a very easy attack, where an attacker is able to set the sequence
number of a node to any desired value by just sending two RREQ messages.
To plug these vulnerabilities the secure version of the AODV protocol is now presented.
Secure ad hoc on-demand distance vector (SAODV) routing protocol: this protocol has
been proposed to secure the AODV protocol (Zapata et al. 2002). The idea behind SAODV is
to use a signature to authenticate most of the fields of RREQs and RREPs and to use hash
chains to authenticate the hop-count. SAODV defines signature extensions to AODV.
Network nodes authenticate AODV routing packets with an SAODV signature extension,
which prevents certain impersonation attacks. In SAODV, an RREQ packet includes
a route request single signature extension (RREQ-SSE). The initiator chooses a maximum hop
count, based on the expected network diameter, and generates a one-way hash chain of
length equal to the maximum hop count plus one. This one-way hash chain is used as a
metric authenticator, much like the hash chain within the SEAD protocol (Hu et al., 2002b). The
initiator signs the RREQ and the anchor of this hash chain; both this signature and the
anchor are included in the RREQ-SSE. In addition, the RREQ-SSE includes an element of the
hash chain based on the actual hop count in the RREQ header. For the sake of explanation, we
call this value the hop-count authenticator (HCA). For example, if the hash chain values $h_0, h_1,
\ldots, h_N$ were generated such that $h_i = H[h_{i+1}]$ (so that $h_N$ is the secret seed and
$h_0 = H^{N}[h_N]$ is the anchor), then the hop-count authenticator $h_i$ corresponds
to a hop count of $N - i$.
With the exception of the hop-count field and the HCA, the fields of the RREQ and RREQ-SSE
headers are immutable and therefore can be authenticated by verifying the signature in the
RREQ-SSE extension. To verify the hop-count field in the RREQ header, a node can follow
the hash chain to the anchor. For example, if the hop-count field is $i$, then the HCA should be
$H^{i}[h_N] = h_{N-i}$. Because the length ($N$) and the anchor ($h_0$) of this hash chain are included in the
RREQ-SSE and authenticated by the signature, a node can follow the hash chain and ensure
that $h_0 = H^{N-i}[HCA]$.
When forwarding an RREQ in SAODV, a node first authenticates the RREQ to ensure that
each field is valid. It then performs duplicate suppression to ensure that it forwards only a
single RREQ for each route discovery. The node then increments the hop-count field in the
RREQ header, hashes the HCA, and re-broadcasts the RREQ together with its RREQ-SSE
extension. When the RREQ reaches the target, the target checks the authentication in the
RREQ-SSE. If the RREQ is valid, the target returns an RREP as in AODV. A route reply single
signature extension (RREP-SSE) provides authentication for the RREP. As in the RREQ, the
only mutable field is the hop-count; as a result, the RREP is secured in the same way as the
RREQ. In particular, an RREP-SSE has a signature covering the hash chain anchor together
with all RREP fields except the hop count. The hop-count is authenticated by an HCA,
which is also a hash chain element; an HCA $h_i$ corresponds to a hop-count of $N - i$.
A node forwarding an RREP checks the signature extension. If the signature is valid, then
the forwarding node sets its routing table entry for the RREP’s original source, specifying
that packets to that destination should be forwarded to the node from which the forwarding
node heard the RREP. For example, in Fig. 9, when node B forwards the RREP from node C,
it sets its next hop for destination node D to C.
$$C \rightarrow B : (RREP,\ D,\ S,\ seq_D,\ lifetime,\ h'_0,\ N)_{K_D^{-}},\ 1,\ h'_{N-1}$$
$$B \rightarrow A : (RREP,\ D,\ S,\ seq_D,\ lifetime,\ h'_0,\ N)_{K_D^{-}},\ 2,\ h'_{N-2}$$
$$A \rightarrow S : (RREP,\ D,\ S,\ seq_D,\ lifetime,\ h'_0,\ N)_{K_D^{-}},\ 3,\ h'_{N-3}$$
Fig. 9. Route reply in SAODV along D → C → B → A → S. The signed part is identical at every hop; only the hop count and the HCA change.
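The RREQ-SSE forwarding described above, as an added example in Go (this is not the chapter's or the SAODV authors' code). Ed25519 signatures and SHA-256 as H are this example's choices; the field set and its encoding are constructed, and duplicate suppression and the RREP-DSE are left out. The same Forward/Verify pair applies unchanged to the RREP shown in Fig. 9.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

func H(v []byte) []byte { s := sha256.Sum256(v); return s[:] }

// RREQ carries the AODV fields used here plus the RREQ-SSE: chain length N, anchor h_0 and a
// signature over everything except HopCount and HCA, the only fields that change per hop.
type RREQ struct {
	Src, Dst string
	SrcSeq   uint32
	HopCount uint32 // i
	MaxHops  uint32 // N, chosen from the expected network diameter
	Anchor   []byte // h_0 = H^N(h_N)
	HCA      []byte // H^i(h_N) = h_{N-i}
	Sig      []byte
}

// signedBytes is the immutable part; the encoding is a constructed choice.
func (r RREQ) signedBytes() []byte {
	var b bytes.Buffer
	b.WriteString("RREQ|" + r.Src + "|" + r.Dst + "|")
	binary.Write(&b, binary.BigEndian, r.SrcSeq)
	binary.Write(&b, binary.BigEndian, r.MaxHops)
	b.Write(r.Anchor)
	return b.Bytes()
}

// Originate picks a fresh chain seed h_N, derives the anchor h_0 = H^N(h_N), and signs the
// immutable fields with N and h_0; the packet starts at hop count 0 with HCA = h_N.
func Originate(priv ed25519.PrivateKey, src, dst string, seq, maxHops uint32) RREQ {
	seed := make([]byte, 32)
	rand.Read(seed)
	anchor := seed
	for i := uint32(0); i < maxHops; i++ {
		anchor = H(anchor)
	}
	r := RREQ{Src: src, Dst: dst, SrcSeq: seq, MaxHops: maxHops, Anchor: anchor, HCA: seed}
	r.Sig = ed25519.Sign(priv, r.signedBytes())
	return r
}

// Verify is the per-hop check: the signature must cover the immutable fields, and hashing the
// HCA N - i more times must reach the signed anchor, i.e. h_0 = H^{N-i}(HCA).
func Verify(pub ed25519.PublicKey, r RREQ) bool {
	if r.HopCount > r.MaxHops || !ed25519.Verify(pub, r.signedBytes(), r.Sig) {
		return false
	}
	v := r.HCA
	for i := r.HopCount; i < r.MaxHops; i++ {
		v = H(v)
	}
	return bytes.Equal(v, r.Anchor)
}

// Forward is the honest relay step: increment the hop count and hash the HCA once.
func Forward(r RREQ) RREQ {
	r.HopCount++
	r.HCA = H(r.HCA)
	return r
}

// Demo verifies a two-hop RREQ, then a copy whose hop count was decremented (the attacker
// would need h_{N-1}, which cannot be derived from h_{N-2}) and a copy with an altered target.
func Demo() (valid, shortened, tampered bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r := Forward(Forward(Originate(priv, "S", "D", 7, 5))) // S -> A -> B, N = 5 (constructed)
	valid = Verify(pub, r)
	m := r
	m.HopCount = 1
	shortened = Verify(pub, m)
	m = r
	m.Dst = "M"
	tampered = Verify(pub, m)
	return
}

func main() {
	v, s, t := Demo()
	fmt.Println("valid:", v, "| hop count lowered:", s, "| target changed:", t)
}
```

An attacker can still make a route look longer (hash the HCA more times than hops taken) or refuse to forward; the chain only prevents the hop count from being lowered, which is the attack on AODV listed above.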
SAODV allows replies from intermediate nodes through the use of a route reply double
signature extension (RREP-DSE). An intermediate node replying to an RREQ includes an
RREP-DSE. The idea here is that to establish a route to the destination, an intermediate node
must have previously forwarded an RREP from the destination. If the intermediate node has
stored the RREP and the signature, it can then return the same RREP if the sequence number
in that RREP is greater than the sequence number specified in the RREQ. However, some of
the fields of that RREP, in particular the life-time field, are no longer valid. As a result, a
second signature, computed by the intermediate node, is used to authenticate this field.
To allow replies based on routing information from an RREQ packet, the initiator includes a
signature suitable for an RREP packet through the use of an RREQ-DSE. Conceptually, the
RREQ-DSE is an RREQ and RREP rolled into one packet. To reduce overhead, SAODV uses
the observation that the RREQ and RREP fields substantially overlap. In particular, the
RREQ-DSE needs to include some flags, a prefix size, and some reserved fields, together
with a signature valid for an RREP using those values. When a node forwards an RREQ-
DSE, it caches the route and the signature in the same way as if it had forwarded an RREP.
SAODV also uses signatures to protect the route error (RERR) message used in route
maintenance. In SAODV, each node signs the RERR it transmits, whether it is originating the
RERR or forwarding it. Nodes implementing SAODV do not change their destination
sequence number information when receiving an RERR, because the destination does not
authenticate the destination sequence number carried in it. Fig. 10 shows an example of SAODV route
maintenance.
$$B \rightarrow A : (RERR,\ D,\ seq_D)_{K_B^{-}}$$
$$A \rightarrow S : (RERR,\ D,\ seq_D)_{K_A^{-}}$$
Fig. 10. Route maintenance in SAODV: each node signs the RERR it forwards with its own private key.
the path of the RREQ are neighbors. Such paths are called valid or plausible routes. The
target T replaces the MAC of a valid RREQ by a MAC computed with the same key that
authenticates the route. This is then sent back (upstream) to S using the reverse route. For
example, an RREQ that reaches an intermediate node Xj is of the following form:
In (5), id is a randomly generated route identifier, sn is a session number and $mac_S$ is a MAC
on (rreq, S, T, id, sn) computed by S using a key shared with T. If S, $X_1$, ..., $X_p$, T is a
discovered route, then the route reply (RREP) of the target T has the following form for all
intermediate nodes $X_j$, $1 \le j \le p$:
In (6), macT is a MAC computed by T with the key shared with S on the message field
preceding it. Intermediate nodes should check the RREP header (including its id and sn) and
that they are adjacent with two of their neighbors on the route before sending the RREP
upstream.
SRP doesn’t attempt to prevent unauthorized modification of fields that are ordinarily
modified in the course of forwarding these packets. For example, a node can freely remove
or corrupt the node list of an RREQ packet that it forwards. Since SRP requires a security
association between communicating nodes, it uses extremely lightweight mechanisms to
prevent other attacks. For example, to limit flooding, nodes record the rate at which each
neighbor forwards RREQ packets and give priority to RREQ packets arriving through
neighbors that forward RREQs less frequently. Such mechanisms can secure a
protocol when few attackers are present. However, they open up secondary
attacks, such as sending forged RREQ packets to reduce the effectiveness of a node's
authentic RREQs. In addition, such techniques exacerbate the problem of greedy nodes. For
example, a node that doesn’t forward RREQ packets ordinarily achieves better performance
because it is generally less congested, and it doesn’t need to use its battery power to forward
packets originated by other nodes. In SRP, a greedy node retains these advantages, and in
addition, gets a higher priority when it initiates route discovery.
Route discovery: the protocol design is explained in two stages: (i) a mechanism is
presented that lets the target node verify the authenticity of the RREQ, and (ii) an efficient
per-hop hashing technique is described that verifies whether any node has been removed from the
node list in the RREQ. In the following, we assume that the initiator node S performs a route
discovery for target node D and that they share the secret keys $K_{SD}$ and $K_{DS}$, one for
message authentication in each direction.
i. Target authenticates route request: to convince the target of the legitimacy of each field in an
RREQ, the initiator simply includes a message authentication code (MAC) computed with
the key $K_{SD}$ over unique data, for example a timestamp. The target can easily verify the
route request's authenticity and freshness using the shared key $K_{SD}$. In a route
discovery, the initiator wants to authenticate each individual node in the node list of the
RREP. A secondary requirement is that the target can authenticate each node in the node
list of the RREQ so that it will return an RREP only along paths that contain legitimate
nodes. Each hop authenticates the new information in the RREQ using its current TESLA
key. The target node buffers the RREP until intermediate nodes can release the
corresponding TESLA keys. The TESLA security condition is verified at the target node,
and the target includes a MAC in the RREP to certify that the security condition was met.
ii. Per-hop hashing: authenticating data in routing messages is not sufficient, because an
attacker could remove a node from the node list in an RREQ. One-way hash functions
are used to verify that no hop was omitted, an approach called per-hop hashing.
To change or remove a previous hop, an attacker must either hear an RREQ without
that node listed or be able to invert the one-way hash function. For efficiency, the
authenticator may be included in the hash value passed in the RREQ. Fig. 11 shows an
example of Ariadne route discovery.
Fig. 11. Route discovery in Ariadne. Initiator S attempts to discover a route to target D. The
bold font indicates changed message fields relative to the previous similar message.
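An added Go example of the initiator MAC and per-hop hashing from (i) and (ii) above, together with the target's MAC on the reply (this is not the chapter's or the Ariadne authors' code). HMAC-SHA256 and SHA-256 stand in for MAC and H, the keys $K_{SD}$ and $K_{DS}$ and the message encodings are constructed, and the per-hop TESLA MAC list is left out so that only the hash-chain check is exercised.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

// MAC and H are instantiated as HMAC-SHA256 and SHA-256 for this example.
func mac(key, msg []byte) []byte { m := hmac.New(sha256.New, key); m.Write(msg); return m.Sum(nil) }
func h(parts ...[]byte) []byte  { s := sha256.Sum256(bytes.Join(parts, nil)); return s[:] }

// RREQ is <ROUTE REQUEST, S, D, id, ti, hash chain, node list>; the TESLA MAC list is omitted.
type RREQ struct {
	Src, Dst string
	ID, Time uint32 // id and the timestamp/interval ti covered by the initiator's MAC
	Hash     []byte // h_0 = MAC_KSD(REQUEST, S, D, id, ti), then h_i = H[A_i, h_{i-1}]
	Nodes    []string
}

func (r RREQ) header() []byte {
	return []byte(fmt.Sprintf("REQUEST|%s|%s|%d|%d", r.Src, r.Dst, r.ID, r.Time))
}

// Initiate computes h_0 with K_SD, the key S shares with D.
func Initiate(kSD []byte, src, dst string, id, ti uint32) RREQ {
	r := RREQ{Src: src, Dst: dst, ID: id, Time: ti}
	r.Hash = mac(kSD, r.header())
	return r
}

// Forward is per-hop hashing: node A appends itself to the node list and sets h_i = H[A, h_{i-1}].
func Forward(r RREQ, node string) RREQ {
	r.Nodes = append(append([]string{}, r.Nodes...), node)
	r.Hash = h([]byte(node), r.Hash)
	return r
}

// TargetVerify recomputes the chain from h_0 over the node list it received. A hop that was
// removed, inserted or reordered changes the result, and h_0 itself needs K_SD.
func TargetVerify(kSD []byte, r RREQ) bool {
	v := mac(kSD, r.header())
	for _, n := range r.Nodes {
		v = h([]byte(n), v)
	}
	return hmac.Equal(v, r.Hash)
}

// Reply is D's authentication of the verified route back to S with K_DS, the key for the
// other direction; InitiatorVerify is S's check of it.
func Reply(kDS []byte, r RREQ) []byte {
	return mac(kDS, []byte(fmt.Sprintf("REPLY|%s|%s|%d|%d|%s", r.Dst, r.Src, r.ID, r.Time, strings.Join(r.Nodes, ","))))
}

func InitiatorVerify(kDS []byte, r RREQ, tag []byte) bool { return hmac.Equal(Reply(kDS, r), tag) }

// Demo: S -> A -> B -> D, then an attacker M that holds the RREQ as forwarded by B tries to
// present it with B removed from the node list.
func Demo() (honest, dropped, replyOK bool) {
	kSD, kDS := []byte("constructed key K_SD"), []byte("constructed key K_DS")
	r := Forward(Forward(Initiate(kSD, "S", "D", 1, 17), "A"), "B")
	honest = TargetVerify(kSD, r)
	m := r
	m.Nodes = []string{"A"} // M has h_2 = H[B, h_1] but not h_1, so the chain no longer matches
	dropped = TargetVerify(kSD, m)
	replyOK = InitiatorVerify(kDS, r, Reply(kDS, r))
	return
}

func main() {
	hn, dr, rp := Demo()
	fmt.Println("honest route accepted:", hn, "| node dropped accepted:", dr, "| reply verified:", rp)
}
```

The chain stops M from editing a list it only saw after B's hop; it does not stop M from replaying the earlier copy that listed only A, which is the first of the two escape routes named in (ii).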
Route maintenance: route maintenance in Ariadne is based on the DSR protocol. A node
forwarding a packet to the next hop along the source route returns an RERR to the packet's
original sender if it is unable to deliver the packet to the next hop after a limited number of
retransmission attempts. The mechanisms for securing RERRs are discussed in the
following; the case in which attackers do not send RERRs at all is not considered.
To prevent unauthorized nodes from sending RERRs, the sender must authenticate the RERR
messages. Each node on the return path to the source node forwards the RERR message. If
the authentication is delayed, for example when TESLA is used, each node that will be able
to authenticate the RERR message buffers it until it can be authenticated.
Avoiding routing misbehavior: the Ariadne protocol described above is vulnerable to an attacker
that happens to be along the discovered route. In particular, a mechanism is needed that
can determine whether the intermediate nodes actually forward the packets they are
asked to forward. To avoid the continued use of malicious routes, routes are chosen
based on their prior performance in packet forwarding. The scheme relies on feedback about
which packets were successfully delivered. The feedback can be obtained either through an
extra end-to-end network-layer message or by exploiting properties of the transport layer,
such as TCP with selective acknowledgments (Mathis et al., 1996). This feedback approach is
somewhat similar to the one used in IPv6 for neighbor unreachability detection (Narten et al.,
2007). A node with multiple routes to a single destination can assign a fraction of the packets
it originates to each route. When a substantially smaller fraction of the packets sent
along a particular route is successfully delivered, the node can begin sending a smaller
fraction of its overall packets to that destination along that route.
columns of P, and then node i computes a key $K_{ij}$ as the product of its own row of A and the j-th
column of P, and node j computes $K_{ji}$ as the product of its own row of A and the i-th column
of P. Since S is symmetric, it is easy to see that:
$$K = A \cdot P = (S \cdot P)^{T} \cdot P = P^{T} \cdot S^{T} \cdot P = P^{T} \cdot S \cdot P = (A \cdot P)^{T} = K^{T} \tag{7}$$
The node pair (i, j) uses $K_{ij} = K_{ji}$ as the shared key. The Blom scheme has a t-secure property:
in a network of N nodes, the collusion of fewer than t + 1 nodes cannot reveal any
key shared by other pairs of nodes, because at least t + 1 rows of A (with the corresponding
columns of P) are required to solve for the secret symmetric matrix S. The memory cost per node
in the Blom scheme is t + 1 elements. To guarantee perfect security in a WMN with N nodes, the
(N – 2)-secure Blom scheme should be used, which means the memory cost per node is N – 1. Hence
the Blom scheme can provide strong security only in networks of small size.
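An added Go example (not the chapter's code) of the Blom computation in (7), with each node's column of P regenerated from a public seed in the way the SEAODV enhanced hello messages described below exchange it. The prime q = 65521, the generator 3 and t = 2 are constructed choices; all arithmetic is over GF(q).

```go
package main

import (
	"fmt"
	"math/rand"
)

const q = 65521 // prime modulus of GF(q); a constructed choice for the example

// Column regenerates node j's public column of P from its seed: (1, s, s^2, ..., s^t) over GF(q).
// With distinct seeds any t+1 such columns are linearly independent (a Vandermonde matrix).
func Column(seed, t int) []int {
	col := make([]int, t+1)
	col[0] = 1
	for k := 1; k <= t; k++ {
		col[k] = col[k-1] * seed % q
	}
	return col
}

// Blom is the trusted entity's view: the secret symmetric (t+1)x(t+1) matrix S.
type Blom struct {
	t int
	S [][]int
}

func NewBlom(t int, rng *rand.Rand) *Blom {
	S := make([][]int, t+1)
	for i := range S {
		S[i] = make([]int, t+1)
	}
	for i := 0; i <= t; i++ {
		for j := i; j <= t; j++ {
			S[i][j] = rng.Intn(q)
			S[j][i] = S[i][j] // symmetric
		}
	}
	return &Blom{t: t, S: S}
}

// PrivateRow is node i's row of A = (S·P)^T, which equals S·col_i because S is symmetric.
// These t+1 elements are what a node stores (the memory cost quoted above).
func (b *Blom) PrivateRow(seed int) []int {
	col := Column(seed, b.t)
	row := make([]int, b.t+1)
	for k := 0; k <= b.t; k++ {
		for l := 0; l <= b.t; l++ {
			row[k] = (row[k] + b.S[k][l]*col[l]) % q
		}
	}
	return row
}

// PairwiseKey computes K_ij = (row i of A) · (column j of P); node i needs only its own row
// and j's public seed, which is all the enhanced hello exchange has to carry.
func PairwiseKey(row []int, peerSeed int) int {
	col := Column(peerSeed, len(row)-1)
	k := 0
	for idx := range row {
		k = (k + row[idx]*col[idx]) % q
	}
	return k
}

// Demo sets up t = 2 and five nodes with seeds 3^j mod q (3 is a constructed generator choice;
// for j <= 5 these seeds are distinct) and checks K_ij = K_ji for every pair, as (7) promises.
func Demo() bool {
	b := NewBlom(2, rand.New(rand.NewSource(42)))
	seeds, s := make([]int, 5), 1
	for j := range seeds {
		s = s * 3 % q
		seeds[j] = s
	}
	rows := make([][]int, len(seeds))
	for i, sd := range seeds {
		rows[i] = b.PrivateRow(sd)
	}
	for i := range seeds {
		for j := range seeds {
			if i != j && PairwiseKey(rows[i], seeds[j]) != PairwiseKey(rows[j], seeds[i]) {
				return false
			}
		}
	}
	return true
}

func main() {
	fmt.Println("Blom keys symmetric for all pairs:", Demo())
}
```

With t = 2 any two colluding nodes hold two rows of A, which is one short of the t + 1 needed to solve for S; a third colluder breaks every key in the network, which is the size limitation the paragraph above ends on.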
SEAODV protocol: SEAODV is built on the AODV protocol. It requires each node in the
network to maintain two key hierarchies. One is the broadcast key hierarchy, which
holds the broadcast keys of all its active one-hop neighbors. The other is the
unicast hierarchy, which stores all the secret pair-wise keys that this node shares with its
one-hop neighbors. Every node uses the broadcast keys to verify the broadcast routing
messages (e.g., RREQ messages) received from its one-hop neighbors and applies the secret
pair-wise keys in the unicast hierarchy to verify incoming unicast messages such as RREP
messages. Various features of the protocol are now described.
i. Enhanced hello messages: in AODV, a hello message is broadcast by each node in its one-hop neighborhood. In SEAODV, two enhanced hello messages are defined following the idea presented in (Jing et al., 2004). Each node embeds its column of the public matrix P into its enhanced hello RREQ message. Since each column of P can be regenerated from a seed (a primitive element of GF(q)), every node only needs to store and send its seed in order to exchange the public information of matrix P. To guarantee bi-directional links, the neighboring nodes that receive a hello RREQ reply with an enhanced hello RREP.
ii. Exchange of public Seed_P and GTK using enhanced hello messages: during the key pre-distribution phase, every legitimate node in the WMN knows and stores its public Seed_P (the seed of its column of the public matrix P) and the corresponding private row of the generated matrix A. The exchange proceeds in three steps: (a) exchange of Seed_P of the public matrix P, (b) derivation of the PTK, and (c) exchange of the GTK. In the Seed_P exchange step, each node takes its public Seed_P from its key pool and broadcasts it in the enhanced hello RREQ message. On completion of this step, each node possesses the public Seed_P of all of its one-hop neighbors. In the PTK derivation step, each node uses the Seed_P received from a neighbor and its own private row of matrix A to compute the PTK for that neighbor, as in (7). On completion of this step, every node has stored the public Seed_P of its neighbors and has derived the PTK it shares with each of its one-hop neighbors. In the GTK exchange step, upon receiving a hello RREQ from node X, node Y (a neighbor of X) encrypts its group key GTK_Y with the pair-wise key PTK it shares with X (denoted PTK_Y at Y and PTK_X at X; by (7) these are the same key) and unicasts the corresponding hello RREP message, carrying the encrypted GTK_Y, back to X. Once X receives the hello RREP from Y, X uses the PTK to decrypt GTK_Y and stores it in its key database. The same process applies to node Y. Eventually, every node possesses the GTKs of all its one-hop neighbors and the secret pair-wise PTKs that it shares with each of them.
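As an added, runnable illustration of the two mechanisms above (the Blom key agreement of (7) and the regeneration of a node's column of P from its Seed_P), the following Python is not part of the chapter. The prime q, the value of t, the seed values and the Vandermonde form of the columns (1, s, s^2, ..., s^t) are assumptions of the example; it also shows the t-security boundary the text states by letting exactly t + 1 colluders solve for S.

```python
"""Blom key pre-distribution over GF(q), with each node's public column of P
regenerated from a seed as SEAODV's Seed_P exchange does. Added illustration,
not the chapter's implementation: the prime q, the value of t, the seeds and the
Vandermonde column (1, s, s^2, ..., s^t) are assumptions."""
import random

Q = 2**61 - 1  # field modulus GF(q); a Mersenne prime chosen for the example


def column_from_seed(seed, t, q=Q):
    """Public column p = (1, s, s^2, ..., s^t) of P, regenerated from Seed_P = s.
    Seeds must be distinct and non-zero so that any t+1 columns are independent."""
    return [pow(seed, k, q) for k in range(t + 1)]


def gen_secret_matrix(t, q=Q, rng=random):
    """Secret symmetric (t+1)x(t+1) matrix S, held only by the key-distribution authority."""
    S = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            S[i][j] = S[j][i] = rng.randrange(q)
    return S


def private_row(S, p, q=Q):
    """A node's private row of A = (S P)^T, i.e. (S p)^T for its own public column p."""
    return [sum(S[k][m] * p[m] for m in range(len(p))) % q for k in range(len(S))]


def pairwise_key(a_row, p_col, q=Q):
    """K_ij = (row i of A) . (column j of P) = p_i^T S p_j; equals K_ji by (7)."""
    return sum(a * b for a, b in zip(a_row, p_col)) % q


def mat_inv_mod(M, q=Q):
    """Inverse of a square matrix over GF(q) by Gauss-Jordan elimination."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c] % q), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, q)
        aug[c] = [x * inv % q for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(x - f * y) % q for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def recover_secret(colluder_rows, colluder_cols, q=Q):
    """The t-security boundary: t+1 colluders hold t+1 rows of A and the matching
    public columns P_c; since A_c^T = S P_c, S = A_c^T P_c^{-1} and every key falls.
    Fewer than t+1 rows leave P_c non-square and S underdetermined."""
    n = len(colluder_cols)
    if n != len(colluder_cols[0]):
        raise ValueError("need exactly t+1 colluders to invert P_c")
    P_c = [[colluder_cols[j][k] for j in range(n)] for k in range(n)]
    A_cT = [[colluder_rows[j][k] for j in range(n)] for k in range(n)]
    P_inv = mat_inv_mod(P_c, q)
    return [[sum(A_cT[i][m] * P_inv[m][j] for m in range(n)) % q for j in range(n)]
            for i in range(n)]


def demo(t=2, seeds=(2, 3, 5, 7), q=Q):
    """Four nodes, t = 2: keys agree pairwise, and any t+1 colluders recover S."""
    S = gen_secret_matrix(t, q, random.Random(1))          # deterministic for the example
    cols = {s: column_from_seed(s, t, q) for s in seeds}   # what each node broadcasts (Seed_P)
    rows = {s: private_row(S, cols[s], q) for s in seeds}  # what each node stores privately
    k_ab = pairwise_key(rows[seeds[0]], cols[seeds[1]], q) # node a's PTK for b
    k_ba = pairwise_key(rows[seeds[1]], cols[seeds[0]], q) # node b's PTK for a
    coll = seeds[:t + 1]
    S_recovered = recover_secret([rows[s] for s in coll], [cols[s] for s in coll], q)
    return k_ab == k_ba, S_recovered == S
```

Running demo() shows PTK agreement between two nodes computed from only each node's private row and the other's seed; recover_secret() with exactly t + 1 colluders returns S, which is why the text reserves the (N − 2)-secure variant, and its N − 1 field elements per node, for small networks.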
going to be forwarded to the source. Node X then uses the PTK to construct the new MAC
and appends it to the new RREP message. Otherwise, the received RREP is deemed to be
unauthentic and hence dropped.
v. Securing route maintenance: a node generates an RERR message in three situations: it receives a data packet destined for another node for which it has no active route in its routing table; it detects a broken link to the next hop of an active route; or it receives an RERR message from a neighbor for one or more active routes. The structure of the modified RERR message is presented in Fig. 14. The MAC field in the modified RERR message is computed by applying the node's GTK to the entire RERR packet. On receiving a broadcast RERR message M' from node Y, node X first checks whether it holds GTK_Y. If it does, node X computes MAC'(GTK_Y, M') and compares it with the received MAC. If the two MACs match, node X searches its routing table for the affected routes (a new group of unreachable destinations) that use node Y as next hop, based on the unreachable destination list received from Y. If no route in node X's routing table is affected, X simply drops the RERR message and resumes listening to the channel. Node X also discards the RERR message if it does not hold GTK_Y or if MAC'(GTK_Y, M') does not match the MAC received from node Y.
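As an added example (not the chapter's code), the following Python carries out node X's processing of a GTK-protected RERR as described in item v: it looks up GTK_Y, recomputes the MAC over the whole packet, and only then invalidates the routes that use Y as next hop. HMAC-SHA256 as the MAC, the byte layout of the RERR body, and node X's key and routing state are assumptions of the example.

```python
"""SEAODV-style route maintenance check (item v): the RERR carries a MAC computed
with the sender's group key GTK, and the receiver verifies it with the GTK it
stored for that neighbour before touching its routing table. Added illustration,
not the chapter's code; MAC algorithm, packet layout and node state are assumed."""
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 output; the MAC algorithm is an assumption of this example


def encode_rerr(unreachable):
    """RERR body (assumed layout): count byte, then (dest, dest_seq) pairs as a
    length-prefixed address string and a 32-bit destination sequence number."""
    out = [struct.pack("!B", len(unreachable))]
    for dest, seq in unreachable:
        d = dest.encode()
        out.append(struct.pack("!B", len(d)) + d + struct.pack("!I", seq))
    return b"".join(out)


def decode_rerr(body):
    (n,) = struct.unpack_from("!B", body, 0)
    pos, items = 1, []
    for _ in range(n):
        (ln,) = struct.unpack_from("!B", body, pos)
        pos += 1
        dest = body[pos:pos + ln].decode()
        pos += ln
        (seq,) = struct.unpack_from("!I", body, pos)
        pos += 4
        items.append((dest, seq))
    return items


def build_rerr(gtk, unreachable):
    """Sender Y: MAC(GTK_Y, M) over the entire RERR body, appended to the packet."""
    body = encode_rerr(unreachable)
    return body + hmac.new(gtk, body, hashlib.sha256).digest()


def handle_rerr(node, sender, packet):
    """Receiver X. None means the RERR was discarded (no GTK for the sender, MAC
    mismatch, or a malformed body); otherwise the list of X's routes invalidated
    because they used `sender` as next hop, possibly empty (X keeps listening)."""
    gtk = node["gtk"].get(sender)
    if gtk is None or len(packet) <= MAC_LEN:
        return None
    body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(gtk, body, hashlib.sha256).digest(), mac):
        return None
    try:
        unreachable = decode_rerr(body)
    except (struct.error, UnicodeDecodeError):
        return None
    affected = []
    for dest, seq in unreachable:
        route = node["routes"].get(dest)
        if route and route["active"] and route["next_hop"] == sender:
            route["active"] = False                       # mark the route broken
            route["dest_seq"] = max(route["dest_seq"], seq)
            affected.append(dest)
    return affected


GTK_Y = b"\x11" * 16   # constructed group keys (in SEAODV they arrive encrypted under the PTK)
GTK_W = b"\x22" * 16


def node_x_state():
    """Constructed state of node X: it learned GTK_Y during the hello exchange but
    never heard from W; two active routes, of which only D1 runs via Y."""
    return {"gtk": {"Y": GTK_Y},
            "routes": {"D1": {"next_hop": "Y", "dest_seq": 7, "active": True},
                       "D2": {"next_hop": "Q", "dest_seq": 3, "active": True}}}


def demo():
    genuine = build_rerr(GTK_Y, [("D1", 8), ("D2", 4)])
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])   # one MAC bit flipped in transit
    forged = build_rerr(GTK_W, [("D1", 8)])                  # from W, whose GTK X never stored
    return (handle_rerr(node_x_state(), "Y", genuine),
            handle_rerr(node_x_state(), "Y", tampered),
            handle_rerr(node_x_state(), "W", forged))
```

Only D1 is reported as affected by the genuine RERR, since D2 does not use Y as next hop; the tampered and the unknown-sender packets are dropped before the routing table is consulted, which is the order of checks the text prescribes.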
detection accuracy is increased. In the following sub-sections the two protocols are
discussed in detail.
$$ R = \alpha\, N_t + (1 - \alpha)\, N_{t-1} \tag{8} $$
Every node maintains an estimate of the reliability of each of its links to its neighbors in a link reliability table. The reliability of an end-to-end routing path is computed as the average of the reliability values of all the links on the path. The link reliability values are computed from the RREQ packets on the reverse path and the RREP packets on the forward path. Using the routing path with the highest reliability reduces the overhead of route repair and makes the routing process more efficient.
ii. Use of network topological information in route discovery: the protocol uses knowledge of the network topology to flood control messages selectively, in only a portion of the network. Network-wide broadcasting of control messages is thus avoided, and the chances of congestion and of disruption of the flows in the network are reduced. If both the source and the destination are under the control of the same mesh router (Fig. 15), flooding of the control messages is confined to the portion of the network served by that mesh router. If the source and the destination are under different mesh routers, the control traffic is limited to the two mesh groups. To reduce the control overhead further and improve routing efficiency, nodes accept broadcast control messages only from those neighbors whose link reliability is greater than 0.5 (i.e., on average more than 50% of the control packets sent by those neighbors have been received by the node). This ensures that paths of lower reliability are not discovered, and hence are not considered for routing.
congestion. The packet loss due to congestion in the link is estimated as follows. In a wireless link, packet loss may happen for two reasons: (a) loss due to faulty wireless links and (b) loss due to network congestion. The radio link control (RLC) layer segments an IP packet into several RLC frames before transmission and reassembles them into an IP packet at the receiver side. An IP packet is lost when any RLC frame belonging to it fails to be delivered. When this happens, the receiver knows that reassembly of the RLC frames has failed and that the IP packet has been lost due to a wireless error. Meanwhile, the sender detects a retransmission timeout (RTO) for the frame and discards all the RLC frames belonging to the IP packet. This enables the sender to compute the packet drop rate of the wireless link. Moreover, using the sequence numbers of the IP packets received at the receiver, it is possible to distinguish packet loss due to link error from packet loss due to congestion (Yang et al., 2004). For example, if the receiver gets two incoming packets with sequence numbers i and i + 2 and has observed an IP packet reassembly failure in the RLC layer between them, the packet with sequence number i + 1 was lost on the wireless channel; if no reassembly failure was observed, the loss is attributed to congestion. Once the packet loss ratio due to congestion (P_congestion) is estimated, the available bandwidth in the wireless link, estrat, is computed as follows (Yang et al., 2004):
$$ estrat = \frac{PacketSize}{X + Y} \tag{9} $$

In (9), X and Y are given by:

$$ X = RTT \sqrt{\frac{2\,P_{congestion}}{3}} \tag{10} $$

$$ Y = RTO \cdot \min\!\left(1,\; 3\sqrt{\frac{3\,P_{congestion}}{8}}\right) P_{congestion}\left(1 + 32\,P_{congestion}^{2}\right) \tag{11} $$

In (10), RTT is the average round trip time for a control packet. RTO is the retransmission timeout for a packet, and is computed using (12):

$$ RTO = \overline{RTT} + k \cdot \overline{RTTVar} \tag{12} $$

In (12), $\overline{RTT}$ and $\overline{RTTVar}$ are the mean and variance respectively of the RTTs, and k is set to 4.
This bandwidth estimator is employed to dynamically compute the available bandwidth in
the wireless links on a routing path so that the guaranteed minimum bandwidth for the flow
is always maintained throughout the application life-time.
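The estimator of (9)-(12) and the RLC-based loss classification described above, as an added Python example rather than the chapter's own code. It uses the chapter's symbols (PacketSize, RTT, RTO, P_congestion, k = 4); the treatment of P_congestion = 0, the event model of the receiver (packet arrivals interleaved with RLC reassembly failures), the admission check against B_min and the numeric inputs are assumptions.

```python
"""Available-bandwidth estimator of eqs (9)-(12) and the RLC-based separation of
wireless losses from congestion losses. Added illustration, not the chapter's
code. Assumptions: times in seconds, sizes in bytes, k = 4 as in the text; the
receiver's event stream is a constructed model of what it observes."""
import math


def retransmission_timeout(rtt_mean, rtt_var, k=4):
    """Eq. (12): RTO = mean RTT + k * RTTVar, with k = 4 as in the text."""
    return rtt_mean + k * rtt_var


def estimate_bandwidth(packet_size, rtt_mean, rtt_var, p_congestion, k=4):
    """Eq. (9): estrat = PacketSize / (X + Y), X from (10) and Y from (11).
    Units follow the inputs (bytes and seconds give bytes/s)."""
    if not 0.0 <= p_congestion <= 1.0:
        raise ValueError("P_congestion must be a loss ratio in [0, 1]")
    if p_congestion == 0.0:
        return math.inf   # X = Y = 0: estimate is unbounded; a caller caps it at the link rate
    rto = retransmission_timeout(rtt_mean, rtt_var, k)
    x = rtt_mean * math.sqrt(2.0 * p_congestion / 3.0)                       # (10)
    y = (rto * min(1.0, 3.0 * math.sqrt(3.0 * p_congestion / 8.0))
         * p_congestion * (1.0 + 32.0 * p_congestion ** 2))                    # (11)
    return packet_size / (x + y)


def classify_losses(events):
    """Receiver-side attribution of losses, following the sequence-number argument
    in the text. `events` is the arrival order of ("pkt", seq) and ("rlc_fail",)
    items. A sequence gap covered by RLC reassembly failures seen since the last
    packet is a wireless loss; the rest of the gap is a congestion loss.
    Returns (P_wireless, P_congestion) as fractions of the sequence span seen."""
    first_seq = last_seq = None
    fails = wireless = congestion = 0
    for ev in events:
        if ev[0] == "rlc_fail":
            fails += 1
        elif ev[0] == "pkt":
            seq = ev[1]
            if first_seq is None:
                first_seq = last_seq = seq
            elif seq > last_seq + 1:
                gap = seq - last_seq - 1
                w = min(gap, fails)
                wireless += w
                congestion += gap - w
            fails = 0                       # failures are only charged to the next gap
            last_seq = max(last_seq, seq)   # out-of-order arrivals do not move the frontier back
    if first_seq is None:
        return 0.0, 0.0
    sent = last_seq - first_seq + 1
    return wireless / sent, congestion / sent


def admission_check(packet_size, rtt_mean, rtt_var, events, b_min):
    """Intermediate-node check of item vi: estimate the next-hop link from the observed
    losses and compare with the guaranteed minimum B_min; False means 'send RERR'."""
    _, p_cong = classify_losses(events)
    return estimate_bandwidth(packet_size, rtt_mean, rtt_var, p_cong) >= b_min
```

For 1500-byte packets, a 100 ms mean RTT, 20 ms RTT variation and P_congestion = 0.01 the estimate is about 176 kB/s; only congestion losses enter (9), so a link with heavy wireless loss but no congestion still estimates high, which is exactly why the RLC-based split matters before the check against B_min.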
v. Identifying selfish nodes: the protocol also enforces cooperation among the nodes by identifying the selfish nodes in the network and isolating them. Selfishness is an inherent problem in any capacity-constrained multi-hop wireless network such as a WMN. A mesh router can behave selfishly for various reasons, such as: (a) to obtain more wireless or Internet throughput, or (b) to avoid path congestion. A selfish mesh router increases the packet delivery latency and also increases the packet loss rate. A selfish node uses the network resources for routing its own packets but avoids forwarding packets for others in order to conserve its energy.
Identification of selfish nodes is therefore a vital issue. Several schemes have been proposed in the literature to mitigate the selfish behavior of nodes in wireless networks, such as credit-based schemes, reputation-based schemes, and game theory-based schemes (Santhanam et al., 2008). However, to keep the computation and communication overhead to a minimum, the protocol employs a simple mechanism to discourage selfish behavior and encourage cooperation among nodes. To punish selfish nodes, each node forwards packets arriving from a neighbor only if the link reliability of that neighbor is greater than a threshold value (say, 0.5). Since the link reliability of a selfish node is 0, packets arriving from such a node will not be forwarded. Therefore, to keep its link reliability above the threshold, each node has to participate and cooperate in routing. The link reliability thus serves the dual purpose of enhancing reliability and enforcing node cooperation in the network.
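The link reliability of (8) and its three uses above (path ranking in item i, the 0.5 acceptance threshold for broadcast control messages in item ii, and the forwarding threshold that isolates selfish nodes in item v), as an added Python example that is not the chapter's code. It assumes that N_t is the fraction of a neighbor's expected control packets (forwarded RREQs and RREPs) actually heard in observation window t, a smoothing weight α = 0.7, and a small constructed topology.

```python
"""Link-reliability table of eq. (8) and its uses in the QoS-aware protocol:
ranking candidate paths (item i), accepting broadcast control traffic only from
neighbours above the 0.5 threshold (item ii) and refusing to forward for
neighbours below it so that a selfish node is isolated (item v). Added
illustration, not the chapter's code. Assumptions: N_t is the fraction of the
neighbour's expected control packets heard in window t; alpha = 0.7; the
per-node observations of the small topology are constructed."""

THRESHOLD = 0.5


class LinkReliabilityTable:
    def __init__(self, alpha=0.7):
        if not 0.0 < alpha <= 1.0:
            raise ValueError("alpha must be in (0, 1]")
        self.alpha = alpha
        self.samples = {}   # neighbour -> (N_{t-1}, N_t)

    def observe_window(self, neighbour, expected, received):
        """Close one observation window: `expected` control packets were due from
        `neighbour` (RREQs/RREPs it should have forwarded), `received` were heard."""
        if expected <= 0 or received < 0 or received > expected:
            raise ValueError("bad window counts")
        n_t = received / expected
        n_prev = self.samples.get(neighbour, (n_t, n_t))[1]   # first window: N_{t-1} = N_t
        self.samples[neighbour] = (n_prev, n_t)

    def reliability(self, neighbour):
        """Eq. (8): R = alpha * N_t + (1 - alpha) * N_{t-1}; a never-heard neighbour scores 0."""
        if neighbour not in self.samples:
            return 0.0
        n_prev, n_t = self.samples[neighbour]
        return self.alpha * n_t + (1 - self.alpha) * n_prev

    def accepts_control_from(self, neighbour):
        """Item ii: broadcast control messages are taken only from reliable neighbours."""
        return self.reliability(neighbour) > THRESHOLD

    def forwards_for(self, neighbour):
        """Item v: data from a neighbour at or below the threshold is not forwarded."""
        return self.reliability(neighbour) > THRESHOLD


def path_reliability(tables, path):
    """Item i: average of the link reliabilities along `path`; hop (u, v) is read from u's table."""
    links = list(zip(path, path[1:]))
    return sum(tables[u].reliability(v) for u, v in links) / len(links)


def best_path(tables, candidates):
    return max(candidates, key=lambda p: path_reliability(tables, p))


def demo():
    """Constructed topology S-A-B-D and S-Z-D, where Z is selfish and never forwards."""
    tables = {n: LinkReliabilityTable(alpha=0.7) for n in ("S", "A", "B", "Z", "D")}
    tables["S"].observe_window("A", 10, 10); tables["S"].observe_window("A", 10, 9)
    tables["S"].observe_window("Z", 10, 0);  tables["S"].observe_window("Z", 10, 0)
    tables["A"].observe_window("B", 10, 8);  tables["A"].observe_window("B", 10, 8)
    tables["B"].observe_window("D", 10, 10); tables["B"].observe_window("D", 10, 10)
    tables["Z"].observe_window("D", 10, 10); tables["Z"].observe_window("D", 10, 10)
    candidates = [["S", "A", "B", "D"], ["S", "Z", "D"]]
    return {"R_SA": tables["S"].reliability("A"),
            "R_SZ": tables["S"].reliability("Z"),
            "path_reliability": {tuple(p): path_reliability(tables, p) for p in candidates},
            "best": best_path(tables, candidates),
            "S_accepts_control_from_Z": tables["S"].accepts_control_from("Z"),
            "S_forwards_for_Z": tables["S"].forwards_for("Z")}
```

In the demo the longer path S-A-B-D (reliability 0.91) beats the short path through the selfish node Z (0.5, dragged down by R_SZ = 0), and S neither accepts control traffic from Z nor forwards for it, which is the isolation the text describes.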
vi. QoS violation and recovery: the protocol detects a failure to guarantee QoS along a path by means of reservation timeouts on the flow-table records maintained in the nodes, and by detecting that the minimum bandwidth, as estimated on a node's outbound wireless link, is no longer available. Failure to guarantee QoS may occur in three different scenarios. In the first case, a node receives a data packet for which it finds no corresponding record in its flow table. This implies that a reservation timeout has occurred for that flow. The node therefore sends a route error (RERR) to the source, which re-initiates route discovery. In the second scenario, the destination node detects from its flow table records that the received data packets have exceeded the maximum allowable delay (Tmax). To restore the path, the destination broadcasts a new RREP back to the source, and the source starts re-routing the packets via the path on which the RREP has traveled. In the third case, an intermediate node on the routing path may find that the estimated bandwidth (using (9)) on its forwarding link is less than the guaranteed minimum (Bmin). In this case, the intermediate node sends an RERR to the source, which re-initiates the route discovery process. The real-time estimation of the bandwidth of the next-hop wireless link at each node on the routing path makes the protocol more robust and reliable than most existing routing protocols for WMNs. For example, the similar protocol presented in (Kone et al., 2007) does not employ any bandwidth estimation mechanism at intermediate nodes, and therefore cannot ensure delivery of all packets for every admitted flow in the network.
the next-hop information corresponding to each flow of data packet transmission. The source
node floods the route request (RREQ) packet in the network when a route is not available for
the desired destination. It may obtain multiple routes to different destinations from a single
RREQ. The RREQ carries the source identifier (src_id), the destination identifier (dest_id), the
source sequence number (src_seq_num), the destination sequence number (dest_seq_num), the
broadcast identifier (bcast_id), and the time to live (TTL). When an intermediate node receives
an RREQ, it either forwards the request further or prepares a route reply (RREP) if it has a valid
route to the destination. Every intermediate node, while forwarding an RREQ, enters the
previous node address and its bcast_id. A timer is used to delete this entry in case an RREP is
not received before the timer expires. This helps in storing an active path at the intermediate
node as AODV does not employ source routing of data packets. When a node receives an
RREP packet, information of the previous node from which the packet was received is also
stored, so that data packets may be routed to that node as the next hop towards the
destination. It is clear that AODV depends heavily on cooperation among the nodes for its successful operation. A selfish node can easily manipulate the protocol to minimize its chances of being included on routes for which it is neither the source nor the destination. It may drop or tamper with RREQ messages to ensure that no route will ever be selected through it.
Alternatively, it may drop, delay, or modify the RREP messages so as to prevent the replies
from reaching the source node. The security protocol proposed in this work attempts to detect
selfish nodes in a WMN so that these nodes may be isolated from the network. In the
following, a finite state machine (FSM) model of the AODV protocol is presented which is
utilized later for describing the security protocol.
AODV protocol. The finite state machine shown in Fig. 16 depicts the states through which a neighbor node passes for each LMU (Wang et al., 2008). The states corresponding to the numbers in Fig. 16 are listed in Table 2.

State            | Interpretation
1: init          | Initial phase; no RREQ is observed
2: unexp RREP    | Receipt of an RREP without an RREQ observed
3: rcvd RREQ     | Receipt of an RREQ observed
4: fwd RREQ      | Broadcast of an RREQ observed
5: timeout RREQ  | Timeout after receipt of an RREQ
6: rcvd RREP     | Receipt of an RREP observed
7: LMU complete  | Forwarding of a valid RREP observed
8: timeout RREP  | Timeout after receipt of an RREP

Table 2. The states of the finite state machine for a local message unit (LMU)
To distinguish the final states, they are shaded in the figure. Every message transmission by a node causes a state transition in the finite state machine kept for it by each of its neighbors. The finite state machine in one neighbor node gives only a local view of the activities of the node being monitored; it does not, by itself, represent the actual behavior of the monitored node. The collaborative participation of all neighbor nodes makes it possible to build an accurate global picture of the monitored node's behavior. A node whose activity is being monitored by its neighbors is referred to as a monitored node, and its neighbors are referred to as monitor nodes. Each node plays the dual role of monitor node and monitored node for each of its neighbors. Each monitor node observes a series of interleaved LMUs for a routing session. Each LMU is identified by the source-destination pair contained in an RREQ message. Let the kth LMU observed by a monitor node be denoted (sk, dk). The pair (sk, dk) does not uniquely identify an LMU, because a source can issue multiple RREQs for the same destination. However, since subsequent RREQs are separated by some delay, it is safe to assume that there is only one active LMU (sk, dk) in the network at any point in time. Initially, a monitored node starts in state 1 of its finite state machine. As the monitor node(s) observe the behavior of the monitored node by examining the LMUs, they record a sequence of transitions from the initial state 1 to one of the possible final states 5, 7 and 8. When a monitor node broadcasts an RREQ, it assumes that the monitored node has received it, and therefore records the state transition 1 → 3 in the monitored node's finite state machine. If a monitor node observes the monitored node broadcasting an RREQ, a transition 3 → 4 is recorded if the RREQ message was previously sent by the monitor node to the monitored node; otherwise a transition 1 → 4 is recorded, meaning that the RREQ was received by the monitored node from some other neighbor. A transition to a timeout state occurs when a monitor node observes no activity by the monitored node for the LMU concerned before a timer expires. When a monitor node observes the monitored node forwarding an RREP, it records a transition to the final state LMU complete (state 7). In this state, the monitored node becomes a candidate for inclusion on a routing path.

Fig. 17 depicts an example of the LMU observed by node N during the discovery of a route from the source node S to the destination node D, indicated by bold lines. Table 3 shows the events observed by node N and the corresponding state transitions for each of its three neighbor nodes X, Y and Z. When the final state is reached, the finite state machine
terminates, and the corresponding sequence of state transitions is stored by each node for each of its neighbors. When a sufficient number of events has been collected by a node, a statistical analysis is performed to detect the presence of any selfish nodes in the network.
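An added Python rendering (not the chapter's code) of the monitor-side finite state machine of Table 2, driven by the observations the text describes and accumulating the transition counts that become the matrix T^(r) in the statistical analysis. The event names are the example's own; two transitions the text does not spell out (those leaving state 2) are marked as assumptions in the code.

```python
"""Monitor-side finite state machine of Table 2 / Fig. 16, run by a monitor node
for one neighbour and one LMU, with transition counts accumulated into the
matrix T^(r) = [f_ij^(r)] used by the statistical analysis. Added illustration,
not the chapter's code; event names are the example's own and the transitions
out of state 2 are assumptions."""

INIT, UNEXP_RREP, RCVD_RREQ, FWD_RREQ, TIMEOUT_RREQ, RCVD_RREP, LMU_COMPLETE, TIMEOUT_RREP = range(1, 9)
FINAL_STATES = {TIMEOUT_RREQ, LMU_COMPLETE, TIMEOUT_RREP}

# (observed event, current state) -> next state
TRANSITIONS = {
    ("monitor_bcast_rreq", INIT): RCVD_RREQ,            # 1 -> 3: we sent the RREQ, assume it was heard
    ("monitored_bcast_rreq", RCVD_RREQ): FWD_RREQ,      # 3 -> 4: neighbour re-broadcast our RREQ
    ("monitored_bcast_rreq", INIT): FWD_RREQ,           # 1 -> 4: RREQ reached it via another neighbour
    ("rrep_to_monitored", RCVD_RREQ): RCVD_RREP,        # 3 -> 6
    ("rrep_to_monitored", FWD_RREQ): RCVD_RREP,         # 4 -> 6
    ("rrep_to_monitored", INIT): UNEXP_RREP,            # 1 -> 2: RREP with no RREQ observed
    ("monitored_fwd_rrep", RCVD_RREP): LMU_COMPLETE,    # 6 -> 7: valid RREP forwarded
    ("monitored_fwd_rrep", UNEXP_RREP): LMU_COMPLETE,   # 2 -> 7: assumption, not stated in the text
    ("timeout", RCVD_RREQ): TIMEOUT_RREQ,               # 3 -> 5
    ("timeout", FWD_RREQ): TIMEOUT_RREQ,                # 4 -> 5
    ("timeout", RCVD_RREP): TIMEOUT_RREP,               # 6 -> 8
    ("timeout", UNEXP_RREP): TIMEOUT_RREP,              # 2 -> 8: assumption
}


class NeighbourMonitor:
    """Everything one monitor node keeps about one monitored neighbour."""

    def __init__(self, m=8):
        self.m = m
        self.counts = [[0] * (m + 1) for _ in range(m + 1)]   # counts[i][j] = f_ij, 1-based states

    def run_lmu(self, events):
        """Feed the observations for one LMU (s, d); returns the recorded trace 1 -> ... -> final."""
        state, trace = INIT, [INIT]
        for ev in events:
            if state in FINAL_STATES:
                break                                   # the machine has terminated for this LMU
            nxt = TRANSITIONS.get((ev, state))
            if nxt is None:
                continue                                # the event says nothing in this state
            self.counts[state][nxt] += 1
            state = nxt
            trace.append(nxt)
        return trace

    def transition_matrix(self):
        """T^(r) as an m x m list of lists; row i holds the transitions out of state i."""
        return [row[1:] for row in self.counts[1:]]


def demo():
    """One monitor, two neighbours, three constructed LMUs: X cooperates, Z drops."""
    cooperative = ["monitor_bcast_rreq", "monitored_bcast_rreq", "rrep_to_monitored", "monitored_fwd_rrep"]
    drops_rreq = ["monitor_bcast_rreq", "timeout"]
    drops_rrep = ["monitor_bcast_rreq", "monitored_bcast_rreq", "rrep_to_monitored", "timeout"]
    x, z = NeighbourMonitor(), NeighbourMonitor()
    traces = {"X": x.run_lmu(cooperative),
              "Z_rreq": z.run_lmu(drops_rreq),
              "Z_rrep": z.run_lmu(drops_rrep)}
    return traces, x.transition_matrix(), z.transition_matrix()
```

The cooperative neighbour yields the trace 1 → 3 → 4 → 6 → 7, while a neighbour that swallows the RREQ ends in state 5 and one that swallows the RREP ends in state 8; over many LMUs these traces fill rows 3 and 6 of T^(r) very differently, which is what the χ² comparison below picks up.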
observed transition matrix for the rth neighbor, where $f_{ij}^{(r)}$ is the number of transitions from state i to state j observed in the previous detection window. If m is the number of states in the finite state machine of each node, the size of $T^{(r)}$ is m × m. Let

$$ T_i^{(r)} = \left[ f_{i1}^{(r)}, \ldots, f_{im}^{(r)} \right] $$

denote the ith row of the transition matrix $T^{(r)}$, which gives the transitions out of state i at the neighbor node r. If two neighbor nodes r and s have identical distributions of transitions out of state i, then one can write $T_i^{(r)} \equiv T_i^{(s)}$. To test the hypothesis $T_i^{(r)} \equiv T_i^{(s)}$, Pearson's χ² test is used as follows.
$$ \chi^{2}(i) = \sum_{l \in \{r, s\}} \sum_{j=1}^{m} \frac{\left[ f_{ij}^{(l)} - \hat{f}_{ij}^{(l)} \right]^{2}}{\hat{f}_{ij}^{(l)}} \tag{13} $$

$$ \hat{f}_{ij}^{(l)} = F_i^{(l)} \, \frac{f_{ij}^{(r)} + f_{ij}^{(s)}}{F_i^{(r)} + F_i^{(s)}} \tag{14} $$

where $F_i^{(r)}$ and $F_i^{(s)}$ denote the total number of transitions out of state i in $T^{(r)}$ and $T^{(s)}$ respectively.
If the value of χ²(i) exceeds the critical value $\chi^{2}_{m-1,\alpha}$, then the hypothesis $T_i^{(r)} \equiv T_i^{(s)}$ is rejected at significance level α. If we write $B_i^{rs}$ for the event that $\chi^{2}(i) > \chi^{2}_{m-1,\alpha}$, then the conditional probability $P(T_i^{(r)} \equiv T_i^{(s)} \mid B_i^{rs})$ can be taken as a reasonable estimator of the similarity between r and s with respect to state i. In the absence of any prior information, it is reasonable to assume that r and s have no similarity in state i and that the probability that the Pearson test rejects its hypothesis is 0.5 (Wang et al., 2008). To evaluate the similarity between r and s over all m states, (13) is applied to all rows of $T^{(r)}$ and $T^{(s)}$. This yields a vector $\{B_i^{rs}\}$, i = 1, …, m. From the standard Markovian principle one can write $L_{rs}$ in terms of the number of rejections,

$$ S^{(rs)} = \sum_{i=1}^{m} B_i^{(rs)} \tag{15} $$
The lower-order terms on the right-hand side of (15) are ignored since α << 1. For small α, $L_{rs}$ decreases monotonically in $S^{(rs)}$, which, as is evident from (15), is the number of rejections of Pearson's hypothesis. Therefore 1 − $L_{rs}$ may be taken as a measure of the dissimilarity between the neighbor nodes r and s. In the presence of noise in the data, however, it is found that for two nodes r and s with $L_{rs} \approx 1$, a third node t may cause an inconsistency such that $L_{rt} \not\approx L_{st}$. To avoid this inconsistency in clustering, the proposed algorithm does not compute clusters on the basis of the pair-wise dissimilarity alone. To compute the dissimilarity between r and s, the L values of all other neighbors are computed with respect to r and to s separately, and the following equation is applied:
$$ d_{rs} = 1 - \frac{n_{rs}^{2}}{n_{r/s} \, n_{s/r}} \tag{16} $$

where

$$ n_{r/s} = \sum_{t \neq r,s}^{K} L_{rt}, \qquad n_{s/r} = \sum_{t \neq r,s}^{K} L_{st} $$
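Pearson's test of (13)-(14) applied row by row to two transition matrices, yielding the rejection count S^(rs) of (15) for each pair of neighbors, as an added Python example that is not the chapter's code. The expressions for L_rs and n_rs are not reproduced on the page, so the example stops at S^(rs); α = 0.05 with tabulated critical values, the handling of empty rows and all-zero columns, and the three constructed count matrices are assumptions.

```python
"""Pearson chi-square homogeneity test on rows of the transition matrices, eqs
(13)-(14), and the rejection count S^(rs) of (15) for every pair of neighbours.
Added illustration, not the chapter's code. Assumptions: alpha = 0.05 with
critical values from the standard chi-square table; a state row is skipped when
one node never left that state (F_i = 0 makes (14) undefined); columns in which
neither node has a transition are dropped and the degrees of freedom reduced
accordingly; the three transition matrices are constructed."""

CHI2_CRIT_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488,
                5: 11.070, 6: 12.592, 7: 14.067, 8: 15.507}


def chi_square_row(f_r, f_s):
    """chi^2(i) for rows f_r = T_i^(r), f_s = T_i^(s). Returns (statistic, df),
    or (None, 0) when the row cannot be tested."""
    F_r, F_s = sum(f_r), sum(f_s)
    if F_r == 0 or F_s == 0:
        return None, 0
    stat, used_cols = 0.0, 0
    for a, b in zip(f_r, f_s):
        pooled = a + b
        if pooled == 0:
            continue                                   # expected count would be 0 for both
        used_cols += 1
        for F_l, f_l in ((F_r, a), (F_s, b)):
            expected = F_l * pooled / (F_r + F_s)      # eq. (14)
            stat += (f_l - expected) ** 2 / expected   # eq. (13)
    return stat, used_cols - 1


def compare_neighbours(T_r, T_s, crit=CHI2_CRIT_05):
    """Per-state result: list of (state, chi2, df, rejected)."""
    out = []
    for i, (f_r, f_s) in enumerate(zip(T_r, T_s), start=1):
        stat, df = chi_square_row(f_r, f_s)
        rejected = stat is not None and df >= 1 and stat > crit[df]
        out.append((i, stat, df, rejected))
    return out


def rejection_count(T_r, T_s):
    """S^(rs) of (15): number of states whose transition rows differ significantly."""
    return sum(1 for _, _, _, rej in compare_neighbours(T_r, T_s) if rej)


def matrix(counts, m=8):
    """Build T^(r) = [f_ij] (states 1..m) from a {(i, j): count} dict."""
    T = [[0] * m for _ in range(m)]
    for (i, j), c in counts.items():
        T[i - 1][j - 1] = c
    return T


# Constructed detection-window counts for three neighbours of one monitor node.
# X and Y re-broadcast RREQs (3->4) and forward RREPs (6->7); Z mostly times out.
T_X = matrix({(1, 3): 40, (1, 4): 10, (1, 2): 2, (3, 4): 36, (3, 5): 4,
              (4, 6): 40, (4, 5): 6, (6, 7): 38, (6, 8): 2})
T_Y = matrix({(1, 3): 42, (1, 4): 8, (1, 2): 1, (3, 4): 38, (3, 5): 4,
              (4, 6): 41, (4, 5): 5, (6, 7): 39, (6, 8): 2})
T_Z = matrix({(1, 3): 41, (1, 4): 9, (1, 2): 2, (3, 4): 6, (3, 5): 35,
              (4, 6): 40, (4, 5): 6, (6, 7): 3, (6, 8): 7})


def pairwise_rejections(neighbours):
    """{(r, s): S^(rs)} for all unordered pairs; this is the input from which L_rs is formed."""
    names = sorted(neighbours)
    return {(r, s): rejection_count(neighbours[r], neighbours[s])
            for a, r in enumerate(names) for s in names[a + 1:]}
```

On the constructed counts X and Y are never told apart (S = 0), while Z differs from both exactly in the rows for states 3 and 6, where its RREQ and RREP handling shows (S = 2); row 1, which only records how the RREQ reached the node, is the same for all three and contributes no rejection.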
It may be observed that the computation of $d_{rs}$ does not involve $L_{rs}$, the pair-wise similarity index between nodes r and s. In fact, it measures the degree of inconsistency in the similarity of r and s with all their other neighbors. Since every neighbor contributes to the computation, $d_{rs}$ is a robust indicator of dissimilarity between nodes and plays a crucial part in computing the clusters (Wang et al., 2008). For clustering, an agglomerative hierarchical clustering technique is used. This is a single-linkage approach in which each cluster is represented by all of the objects in the cluster, and the similarity between two clusters is measured by the similarity of the closest pair of data points belonging to the different clusters. The cluster merging process repeats until all the objects are eventually merged into one cluster (Eddy et al., 1996). After the nodes are clustered into similar sets, the sets are further classified into three groups: (i) a set (G) of cooperative nodes, (ii) a set (B) of selfish nodes, and (iii) a set of nodes whose behavior could not be ascertained. The cooperation score ($C_r$) of a node is computed as (Wang et al., 2008):

$$ C_r = \frac{\sum_{i,j \in G} n_{ij}^{(r)}}{|G|} - \frac{\sum_{i,j \in B} n_{ij}^{(r)}}{|B|} \tag{17} $$
The set B is most likely to contain the selfish nodes. To reduce false positives (i.e., wrongly identifying a cooperative node as selfish), an ANOVA test is applied. The ANOVA approach computes the probability $P_k$ that the variation among the mean cooperation scores of the k clusters is due to chance. A lower value of $P_k$ implies that the clusters actually represent distinct differences in behavior. At each iteration, k clusters are formed and $P_k$ is compared with a pre-defined level of significance β. If $P_k$ < β, the clusters are believed to reflect the behavior of the nodes reliably and their classifications are accepted. The cluster with the lowest mean cooperation score is assumed to contain the selfish nodes. If $P_k$ > $P_{k-1}$, the neighbor behavior has not been properly reflected in the cluster formation, which has led to the increase in $P_k$. In this case, all the nodes are classified as cooperative, and the next iteration of the algorithm is executed. The confidence parameter β can be tuned to trade off the speed of detection of selfish nodes against the rate of false positives (Wang et al., 2008). In spite of all the above statistical approaches, there is still a possibility of misclassification. The proposed algorithm further reduces the probability of misclassification by a cross-checking mechanism, for which a minor modification of the AODV packet headers is suggested. Two additional fields are inserted in the header of an RREQ packet: next_to_source and duplicate_flag, indicating respectively the address of the node that is the next hop from the source, and whether the packet is a duplicate that has already been broadcast by some other node in the network. In the header of an RREP packet, in addition to the above two fields, another field called next_to_destination is added to indicate the address of the node to which the packet must be forwarded on the reverse path. It has been shown in (Kim et al., 2008) that, with the above extra fields, it is possible to detect every instance of selfish behavior in a wireless network with 100% detection accuracy if the following conditions are satisfied: (i) no packet loss due to interference, (ii) links are bi-directional, (iii) the nodes are stationary, and (iv)
the queuing delays are bounded. Since all these conditions cannot be guaranteed in a real-world deployment, there will always be some detection inaccuracy.
Table 4 presents a list of vulnerabilities in different layers of the protocol stack of WMNs
and the security protocols for defending those attacks. Table 5 compares the secure routing
protocols discussed in this chapter with respect to various mechanisms these protocols use.
6. Conclusion
WMNs have become a focus of research in recent years, owing to their great promise in realizing numerous next-generation wireless services. Driven by the demand for rich and high-speed content access, recent research on WMNs has focused on developing high-performance communication protocols, while the security of the proposed protocols has received relatively little attention. However, given the wireless and multi-hop nature of the communication, WMNs are subject to a wide range of security threats. In this chapter, a large number of security issues at various layers of WMNs have been presented, with a particular focus on the network layer. In addition, some of the major routing security mechanisms for WMNs currently existing in the literature have been presented and compared with respect to their strengths and weaknesses. A few novel secure routing mechanisms that take application QoS into account while detecting malicious and selfish nodes have also been discussed. Although researchers have made substantial contributions in the area of routing security in WMNs, many challenges remain to be addressed. First, efficient (i.e., lightweight) and robust authentication protocols for the mesh routers (MRs) need to be designed, which involves scalable key management techniques. Second, for reliability in routing, energy-aware and secure multi-path routing protocols are in demand. The third issue is the strategic deployment of hop integrity protocols in WMNs. Hop integrity protocols are open to incremental deployment, and the security they provide increases with the number of pairs of hop integrity-equipped mesh routers, because an adversary has fewer avenues from which to launch attacks. However, owing to hardware/software compatibility and efficiency considerations, it may be worthwhile to consider a strategic deployment scheme. For example, a few hotspots in the network may be required to install static hop integrity, in which hop integrity is always turned on, while other spots in the network can install dynamic hop integrity, in which hop integrity is randomly turned on and off. Fourth, efficient security mechanisms should be designed for defending against the tunnelling attack, in which two malicious nodes advertise as if they had a very reliable link between them, which they achieve by tunnelling AODV messages between themselves. No security scheme exists so far that can detect this attack promptly and efficiently. Fifth, appropriate security protocols should be designed for hybrid networks. In many deployment situations, WMNs are designed to be integrated with other types of networks, such as wired networks and cellular networks. Addressing attacks in a hybrid environment also presents an interesting future direction. Such networks are vulnerable to a wider range of attacks than their individual network components. For example, a mesh network for wireless Internet access can be targeted with DDoS attacks launched from the Internet, and the scarcity of bandwidth in WMNs further exacerbates the severity of such attacks. On the other hand, hybrid networks possess additional resources and opportunities for defending against attacks. For example, for WMNs connected to wired networks, it is possible to leverage the high-bandwidth, low-latency wired links and deploy
powerful computers on the wired networks to defend against attacks.

Attack                 | Targeted layer in the protocol stack | Protocols
Information disclosure | Network layer                        | SMT (Papadimitratos, 2003a)

Table 4. Different attacks on the WMN protocol stack and protocols for defending against the attacks

Sixth, a balanced
network coding system needs to be designed for high-performance secure routing (Ahlswede et al., 2000). Existing network coding systems are vulnerable to a wide range of attacks besides the well-known packet pollution attacks (Yu et al., 2008). Many of the weaknesses of existing system designs lie in their single-minded focus on performance optimization. A more balanced approach, which can provide improved security guarantees, is crucial for the actual adoption of network coding in real-world applications. A future direction of research is to uncover the security implications of different design and optimization techniques, and to explore balanced system designs with network coding that achieve appropriate trade-offs between security and performance for different application requirements. Finally, multi-layer (i.e., cross-layer) security protocols should be developed that address network vulnerabilities in multiple layers of the protocol stack, to provide robust, high-level protection to mission-critical network deployments.
7. References
Ahlswede, R.; Cai, N.; Li, S.- Y. & Yeung, R. (2000). Network information flow. IEEE
Transactions on Information Theory, Vol 46, No 4, pp. 1204 – 1216.
Akyildiz, I.F.; Wang, X.; & Wang, W. (2005). Wireless mesh networks: a survey. Journal of
Computer Networks, Vol 47, No 4, pp. 445 – 487.
Al-Shurman, M.; Yoo, S. & Park, S. (2004). Black hole attack in mobile ad hoc networks.
Proceedings of the 42nd Annual Southeast Regional Conference, Huntsville, Alabama,
USA.
Awerbuch, B.; Holmer, D.; Nita-Rotaru, C. & Rubens, H. (2002). An on-demand secure
routing protocol resilient to Byzantine failure. Proceedings of ACM Workshop on
Wireless Security (WiSe), ACM Press.
Awerbuch, B.; Curtmola, R.; Holmer, D.; Nita-Rotaru, C. & Rubens, H. (2005). On the
survivability of routing protocols in ad hoc wireless networks. Proceedings of ICST
International Conference on Security and Privacy in Communication Networks
(SecureComm).
Bahr, M. (2006). Proposed routing for IEEE 802.11s WLAN mesh networks. Proceedings of the
2nd Annual International Wireless Internet Conference (WICON), pp. 133 – 144, Boston,
MA, USA.
Bahr, M. (2007). Update on the hybrid wireless mesh protocol of IEEE 802.11s. Proceedings of the IEEE
International Conference on Mobile Ad Hoc and Sensor Systems (MASS’07), pp. 1 – 6.
Blom, R. (1985). An optimal class of symmetric key generation systems. Proceedings of the
EUROCRYPT’84, pp. 335 – 338.
Brown, T.; James, J. & Sethi, A. (2006). Jamming and sensing of encrypted wireless ad hoc
networks. Proceedings of ACM MOBIHOC’06.
Curtmola, R. & Nita-Rotaru, C. (2007). BSMR: Byzantine-resilient secure multicast routing in
multi-hop wireless networks. Proceedings of IEEE Communications Society Conference
on Sensor, Mesh and Ad Hoc Communications and Networks (SECON).
Dong, J. (2009). Secure and robust communication in wireless mesh networks. Doctoral
Thesis, Purdue University, Indiana, USA.
Du, W.; Deng, J.; Han, Y. S. & Varshney, P. K. (2003). A pair-wise key pre-distribution
scheme for wireless sensor networks. ACM Transactions on Information and System
Security, Vol 8, No 2, pp. 228 – 258.
Eddy, W.F.; Mockus, A. & Oue, S. (1996). Approximate single linkage cluster analysis of
large datasets in high dimensional spaces. Journal of Computational Statistics and
Data Analysis, Vol 23, pp. 29 – 43.
Eriksson, J.; Krishnamurthy, S. V. & Faloutsos, M. (2006). Truelink: a practical
countermeasure to the wormhole attack in wireless networks. Proceedings of IEEE
International Conference on Network Protocols (ICNP).
Franklin, A. A. & Murthy, C. S. R. (2007). An introduction to wireless mesh networks. Book
chapter in: Security in Wireless Mesh Networks, Zhang, Y.; Zheng, J. & Hu, H. (eds.),
CRC Press, pp. 3 – 44.
Hu, L. & Evans, D. (2004). Using directional antennas to prevent wormhole attacks.
Proceedings of ISOC Symposium of Network and Distributed Systems Security
(NDSS’04).
Hu, Y.-C.; Perrig, A. & Johnson, D. (2002a). Ariadne: a secure on-demand routing protocol
for ad hoc networks. Proceedings of ACM Annual International Conference on Mobile
Computing (MOBICOM’02), pp. 21 – 38, Atlanta, GA, USA.
Hu, Y.-C.; Johnson, D. B. & Perrig, A. (2002b). SEAD: secure efficient distance vector routing
for mobile wireless ad hoc networks. Proceedings of IEEE Workshop on Mobile
Computing Systems and Applications (WMCSA’02), pp. 3 – 13.
Hu, Y.-C.; Perrig, A. & Johnson, D. B. (2003a). Rushing attacks and defense in wireless ad
hoc network routing protocols. Proceedings of the ACM Workshop on Wireless Security
(WiSe’03) in conjunction with MOBICOM’03, pp. 30 – 40.
Hu, Y.-C.; Perrig, A. & Johnson, D.B. (2003b). Packet leashes: a defense against wormhole
attacks in wireless ad hoc networks. Proceedings of IEEE INFOCOM’03.
Jing, X. & Lee, M. J. (2004). Energy-aware algorithms for AODV in ad hoc networks.
Proceedings of Mobile Computing and Ubiquitous Networking, pp. 466 – 468, Yokosuka,
Japan.
Johnson, D. B. (2007). The dynamic source routing protocol (DSR) for mobile ad hoc
networks for IPv4. IETF Request for Comments, RFC4728.
Kim, H. J. & Peha, J. M. (2008). Detecting selfish behavior in a cooperative commons.
Proceedings of IEEE DySPAN, pp. 1 – 12.
Kone, V.; Das, S.; Zhao, B. Y. & Zheng, H. (2007). Quorum: quality of service in wireless
mesh networks. Journal of Mobile Networks and Applications, Vol 12, No 5, pp.
358 – 369.
Law, Y.; Hoesel, L.; Doumen, J.; Hartel, P. & Havinga, P. (2005). Energy-efficient link-layer
jamming attacks against wireless sensor network MAC protocols. Proceedings of the
3rd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN’05).
Li, C.; Wang, Z. & Yang, C. (2011). Secure routing for wireless mesh networks. International
Journal of Network Security, Vol 13, No 2, pp. 109 – 120.
Lundgren, H.; Nordstrom, E. & Tschudin, C. (2002). The gray zone problem in IEEE 802.11b
based ad hoc networks, M2CR, Vol 6, No 2, pp. 104 – 105.
MacWilliams, F. J. & Sloane, N. J. A. (1977). The Theory of Error-Correcting Codes. North-
Holland, New York.
Marti, S.; Giuli, T.; Lai, K. & Baker, M. (2000). Mitigating routing misbehavior in mobile ad
hoc networks. Proceedings of ACM Annual International Conference on Mobile
Computing (MOBICOM).
Mathis, M.; Mahdavi, J.; Floyd, S. & Romanow, A. (1996). TCP selective acknowledgment
options. IETF RFC 2018, October 1996.
Mishra, A. & Arbaugh, W.A. (2002). An initial security analysis of the IEEE 802.1X standard.
Technical Report, University of Maryland, USA.
Narten, T.; Nordmark, E.; Simpson, W. & Soliman, H. (2007). Neighbor discovery for IP
version 6 (IPv6). IETF RFC 4861, September 2007.
Newsome, J.; Shi, E.; Song, D. & Perrig, A. (2004). The Sybil attack in sensor networks:
analysis and defenses. Proceedings of the 3rd International Symposium on Information
Processing in Sensor Networks (IPSN’04), pp. 259 – 268.
Papadimitratos, P. & Haas, Z.J. (2002). Secure routing for mobile ad hoc networks.
Proceedings of the SCS Communication Networks and Distributed Systems Modelling and
Simulation Conference (CNDS’02).
Papadimitratos, P. & Haas, Z. J. (2003a). Secure data transmission in mobile ad hoc
networks. Proceedings of ACM Workshop on Wireless Security (WiSe), pp. 41 – 50.
Papadimitratos, P. & Haas, Z. J. (2003b). Secure link state routing for mobile ad hoc
networks. Proceedings of the Symposium on Applications and the Internet Workshops
(SAINT’03 Workshops).
Papadimitratos, P. & Haas, Z. J. (2006). Secure route discovery of QoS-aware routing in ad
hoc networks. Proceedings of IEEE Sarnoff Symposium.
Perkins, C.E. & Belding-Royer, E.M. (1999). Ad hoc on-demand distance vector routing.
Proceedings of the IEEE Workshop on Mobile Computing Systems and Applications, pp.
90 – 100.
Perkins, C. E.; Belding-Royer, E. M. & Das, S. R. (2003). Ad hoc on-demand distance vector
(AODV). Internet Request for Comments, RFC 3561.
Perkins, C. E. & Bhagwat, P. (1994). Highly dynamic destination-sequenced distance-vector
routing (DSDV) for mobile computers. Proceedings of ACM SIGCOMM, pp. 234 –
244.
Perrig, A.; Canetti, R.; Tygar, J. D. & Song, D. (2000). Efficient authentication and signing of
multicast streams over lossy channels. Proceedings of the IEEE Symposium on Security
and Privacy, pp. 56 – 73.
Perrig, A.; Canetti, R.; Song, D. & Tygar, D. (2001). Efficient and secure source authentication
for multicast. Proceedings of the Network and Distributed System Security Symposium
(NDSS’01).
Ramaswamy, S.; Fu, H.; Sreekantaradhya, M.; Dixon, J. & Nygard, K. E. (2003).
Prevention of cooperative black hole attacks in wireless ad hoc networks.
Proceedings of the International Conference on Wireless Networks, pp. 570 – 575.
Roy, S.; Addada, V. G.; Setia, S. & Jajodia, S. (2005). Securing MAODV: attacks and
countermeasures. Proceedings of IEEE Communications Society Conference on Sensor,
Mesh and Ad Hoc Communications and Networks (SECON).
Royer, E. M. & Perkins, C. E. (2000). Multicast ad-hoc on-demand distance vector (MAODV)
routing. Internet Draft, July 2000.
Salem, N.B.; Buttyan, L.; Hubaux, J.-P. & Jacobson, M. (2003). A charging and rewarding
scheme for packet forwarding in multi-hop cellular networks. Proceedings of IEEE
MOBIHOC’03, pp. 13 – 24.
Santhanam, L.; Xie, B. & Agrawal, D. (2008). Selfishness in mesh networks: wired multi-hop
MANETs. IEEE Journal of Wireless Communications, Vol 15, No 4, pp. 16 – 23.
Sanzgiri, K.; Dahill, B.; Levine, B. N.; Shields, C. & Belding-Royer, E. M. (2002). A secure
routing protocol for ad hoc networks. Proceedings of IEEE International Conference on
Network Protocols (ICNP’02), pp. 78 – 87.
Sen, J. (2010a). An efficient and reliable routing protocol for wireless mesh networks.
Proceedings of the International Conference on Computational Sciences and its
Applications (ICCSA’10), Lecture Notes in Computer Science (LNCS), Springer-
Verlag, Heidelberg, Germany, Vol 6018, pp. 246 – 257, Fukuoka, Japan.
Sen, J. (2010b). A trust-based detection algorithm of selfish packet dropping nodes in a peer-
to-peer wireless mesh networks. Proceedings of the International Conference on Recent
Trends in Network Security and Applications, Communications in Computer and
Information Science (CCIS), Springer-Verlag, Heidelberg, Germany, Vol 89, Part 2,
pp. 528 – 537.
Sen, J.; Chandra, M. G.; Harihara, S. G.; Reddy, H. & Balamuralidhar, P. (2007). A
mechanism for detection of grayhole attack in mobile ad hoc networks. Proceedings
of the 6th IEEE International Conference on Information, Communications, and Signal
Processing (ICICS’07), Singapore.
Shi, E. & Perrig, A. (2004). Designing secure sensor networks. IEEE Wireless Communication
Magazine, Vol 11, No 6, pp. 38 – 43.
Wang, B.; Soltani, S.; Shapiro, J. K.; Tan, P.-N. & Mutka, M. (2008). Distributed detection of
selfish routing in wireless mesh networks. Technical Report MSU-CSE-06-19,
Department of Computer Science and Engineering, Michigan State University.
Wood, A. D. & Stankovic, J. A. (2002). Denial of service in sensor networks. IEEE Computer,
Vol 35, No. 10, pp. 54 – 62.
Xu, W.; Trappe, W.; Zhang, Y. & Wood, T. (2005). The feasibility of launching and detecting
jamming attacks in wireless networks. Proceedings of ACM MobiHoc’05.
Xue, Q. & Ganz, A. (2002). QoS routing for mesh-based wireless LANs. International Journal
of Wireless Information Networks, Vol 9, No 3, pp. 179 – 190.
Yang, F.; Zhang, Q.; Zhu, W. & Zhang, Y.-Q. (2004). End-to-end TCP-friendly streaming
protocol and bit allocation for scalable video over wireless Internet. IEEE Journal on
Selected Areas in Communications, Vol 22, No 22, pp. 777- 790.
Yi, S.; Naldurg, P. & Kravets, R. (2001). Security-aware ad hoc routing for wireless networks.
Proceedings of ACM MobiHoc’01, pp. 299 – 302.
Yu, Z.; Wei, Y.; Ramkumar, B. & Guan, Y. (2008). An efficient signature-based scheme for
securing network coding against pollution attacks. Proceedings of the IEEE Conference
of the IEEE Communications Society (INFOCOM’08), Phoenix, AZ, April 2008.
Zapata, M. G. & Asokan, N. (2002). Securing ad hoc routing protocols. Proceedings of ACM
Workshop on Wireless Security (WiSe).
Zhong, S.; Li, L. E.; Liu, Y. G. & Yang, Y. R. (2005). On designing incentive-compatible
routing and forwarding protocols in wireless ad-hoc networks: an integrated
approach using game theoretical and cryptographic techniques. Proceedings of ACM
MOBICOM’05, pp. 117 – 131.
Zhu, S.; Xu, S.; Setia, S. & Jajodia, S. (2003). LHAP: a lightweight hop-by-hop authentication
protocol for ad-hoc networks. Proceedings of ICDCS International Workshop on Mobile
and Wireless Network, pp. 749 – 755, Providence, Rhode Island.
Zhu, T. & Yu, M. (2006). A dynamic secure QoS routing protocol for wireless ad hoc
networks. Proceedings of IEEE Sarnoff Symposium, pp. 1 – 4.
Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks
1. Introduction
In recent years, wireless sensor networks (WSNs) have drawn considerable attention from
the research community on issues ranging from theoretical research to practical
applications. Special characteristics of WSNs, such as resource constraints on energy and
computational power, and their security, have been well defined and widely studied (Akyildiz et
al., 2002; Sen, 2009). What has received less attention, however, is the critical privacy
concern on information being collected, transmitted, and analyzed in a WSN. Such private
and sensitive information may include payload data collected by sensors and transmitted
through the network to a centralized data processing server. For example, a patient's blood
pressure, sugar level and other vital signs are usually of critical privacy concern when
monitored by a medical WSN which transmits the data to a remote hospital or doctor's
office. Privacy concerns may also arise beyond data content and may focus on context
information such as the location of a sensor initiating data communication. Effective
countermeasures against the disclosure of both data- and context-oriented private information
are an indispensable prerequisite for the deployment of WSNs in real-world applications (Sen,
2010a; Bandyopadhyay & Sen, 2011).
Privacy protection has been extensively studied in various fields such as wired and wireless
networking, databases and data mining. However, the following inherent features of WSNs
introduce unique challenges for privacy preservation of data and prevent the existing
techniques from being directly implemented in these networks.
134 Security and
Cryptography Issues in a Networked
Security Age
in Computing
Keeping this requirement in mind, we also present a secure and robust aggregation protocol
for WSNs in which the aggregation algorithm does not preserve the privacy of the individual
sensor data but guarantees a high level of security in the aggregation process, so that a
potential malicious insider node cannot inject false data during the aggregation process.
The rest of this chapter is organized as follows. Section 2 provides a brief background
discussion on the CPDA scheme. In Section 3, we present a cryptanalysis on CPDA and
demonstrate a security vulnerability of the scheme. In Section 4, we present some design
modifications of the CPDA scheme. Section 4.1 presents an efficient way to compute the
aggregation operation so as to make CPDA more efficient. Section 4.2 briefly discusses how
the identified security vulnerability can be addressed. Section 5 presents a comparative
analysis of the overhead of the original CPDA protocol and its proposed modified version.
Section 5.1 provides a comparison of the communication overheads in the network, and
Section 5.2 provides an analysis of the computational overheads in the sensor nodes.
Section 6 discusses the importance of security in designing aggregation
schemes for WSNs. Section 7 presents some related work in the field of secure aggregation
protocols in WSNs. In Section 8, a secure aggregation algorithm for WSNs is proposed.
Section 9 presents some simulation results to evaluate the performance of the proposed
secure aggregation protocol. Section 10 concludes the chapter while highlighting some
future directions of research in privacy and security in WSNs.
functions, the following requirements are to be satisfied: (i) privacy of the individual sensor
data is to be protected, i.e., each node's data should be known to no other nodes except the
node itself, (ii) the number of messages transmitted within the WSN for the purpose of data
aggregation should be kept at a minimum, and (iii) the aggregation result should be as
accurate as possible.
$$p_{connect} = 1 - \frac{\big((K-k)!\big)^2}{(K-2k)!\,K!} \qquad (1)$$

If the probability that any other node can overhear the encrypted message by a given key is
denoted as $p_{overhear}$, then $p_{overhear}$ is given by (2).

$$p_{overhear} = \frac{k}{K} \qquad (2)$$
It has been shown in (He et al., 2007) that the above key distribution algorithm is efficient for
communication in a large-scale sensor network and when a limited number of keys are
available for encryption of the messages to prevent eavesdropping attacks.
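The two probabilities in (1) and (2), evaluated and cross-checked as an added Python example; this is not code from the chapter or from He et al. (2007). The function names, the binomial-coefficient rewrite and the Monte Carlo check are mine, and the pool sizes used in the usage lines are constructed sample values.

```python
# Added example (not from the chapter or from He et al.): evaluates the key
# pre-distribution probabilities (1) and (2) and cross-checks the closed form
# against a binomial-coefficient count and a Monte Carlo draw of key rings.
import math
import random


def p_connect(K: int, k: int) -> float:
    """Eq. (1): probability that two nodes, each holding k keys drawn without
    replacement from a pool of K keys, share at least one key."""
    if 2 * k > K:
        return 1.0  # two k-subsets of fewer than 2k keys must overlap
    no_shared = (math.factorial(K - k) ** 2) / (math.factorial(K - 2 * k) * math.factorial(K))
    return 1.0 - no_shared


def p_connect_binomial(K: int, k: int) -> float:
    """Same quantity written with binomial coefficients: the second node's k keys
    all miss the first node's k keys with probability C(K-k, k) / C(K, k)."""
    if 2 * k > K:
        return 1.0
    return 1.0 - math.comb(K - k, k) / math.comb(K, k)


def p_overhear(K: int, k: int) -> float:
    """Eq. (2): probability that some other node holds a given key and can
    therefore read a message encrypted under it."""
    return k / K


def simulate_p_connect(K: int, k: int, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of p_connect: draw two random key rings repeatedly
    and count how often they intersect."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ring_a = set(rng.sample(range(K), k))
        ring_b = set(rng.sample(range(K), k))
        if ring_a & ring_b:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Constructed sample sizes: a pool of 1000 keys, 50 keys per node.
    K, k = 1000, 50
    print(f"p_connect({K},{k}) = {p_connect(K, k):.4f}, p_overhear = {p_overhear(K, k):.3f}")
    print(f"simulated p_connect(100,10) = {simulate_p_connect(100, 10):.3f}")
```

Raising k raises both probabilities at once, which is the trade-off the chapter describes: better connectivity of the key graph against a larger fraction of nodes that can read any given message.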
more nodes will elect themselves as cluster leaders. This will result in a larger number of
clusters in the network. On the other hand, smaller values of p will lead to fewer clusters,
since fewer nodes become cluster leaders. Hence, the value of the parameter p can be chosen
to control the number of clusters in the network. If a node becomes a cluster leader, it
forwards the HELLO message to its neighbors; otherwise, it waits for a threshold period of
time to check whether any HELLO message arrives from any of its neighbors. If a HELLO
message arrives, the node joins the cluster formed by that neighbor by broadcasting a JOIN
message, as shown in Fig. 2. This process is repeated and multiple clusters are formed, so
that the entire WSN becomes a collection of clusters.
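A toy simulation of the cluster-formation phase just described, added here as an example and not taken from the chapter or from He et al. (2007). It assumes, for simplicity, that the nodes sit on a ring so that each has exactly two neighbors, that the query server is node 0 and always acts as a leader, and that a leader's HELLO stays audible to its neighbors in later rounds; all of these are my modelling choices.

```python
# Added example (not from the chapter): toy simulation of the CPDA cluster
# formation. Assumptions made here: nodes form a ring (two neighbours each),
# node 0 is the query server Q and is a leader from the start, and an
# unassigned node hears HELLO from any neighbouring leader in each round.
import random


def ring_neighbors(n: int, i: int) -> tuple:
    """Neighbours of node i on a ring of n nodes."""
    return ((i - 1) % n, (i + 1) % n)


def simulate_clusters(n: int, p: float, seed: int = 0, max_rounds: int = 1000) -> dict:
    """Run election/join rounds until every node is assigned a cluster leader.
    Returns node -> leader (a leader maps to itself)."""
    rng = random.Random(seed)
    leader_of = {0: 0}  # query server Q starts as a leader
    rounds = 0
    while len(leader_of) < n and rounds < max_rounds:
        rounds += 1
        # Election: each unassigned node becomes a leader with probability p
        # and sends HELLO to its neighbours.
        for i in range(n):
            if i not in leader_of and rng.random() < p:
                leader_of[i] = i
        # Join: an unassigned node that hears HELLO from a neighbouring leader
        # picks one of them and broadcasts JOIN.
        for i in range(n):
            if i in leader_of:
                continue
            hello_from = [j for j in ring_neighbors(n, i) if leader_of.get(j) == j]
            if hello_from:
                leader_of[i] = rng.choice(hello_from)
    # Members never relay HELLO, so with p = 0 nodes more than one hop from Q
    # are never reached; max_rounds stops the loop in that case.
    return leader_of


def cluster_count(leader_of: dict) -> int:
    """Number of distinct clusters (leaders) in an assignment."""
    return len(set(leader_of.values()))


if __name__ == "__main__":
    for p in (0.05, 0.2, 0.5, 1.0):
        print(p, cluster_count(simulate_clusters(50, p, seed=1)))
```

Running the usage lines shows the effect the text describes: the number of clusters grows with p, reaching one cluster per node when p = 1.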
Fig. 1. The query server Q sends HELLO messages for initiating the cluster formation
procedure to its neighbors A, D, E and F. The query server is shaded in the figure.
Computation within clusters: In this phase, aggregation is done in each cluster. The
computation is illustrated with the example of a simple case where a cluster contains three
members: A, B, and C, where A is assumed to be the cluster leader and the aggregator
node, whereas B and C are the cluster member nodes. Let a, b, c represent the private data
held by the nodes A, B, and C respectively. The goal of the aggregation scheme is to
compute the sum of a, b and c without revealing the private values of the nodes.
Fig. 2. A and D elect themselves as the cluster leaders randomly and in turn send HELLO
messages to their neighbors. E and F join the cluster formed by Q. B and C join the cluster
formed with A as the cluster leader, while G and H join the cluster with D as the cluster
leader. All the cluster leaders and the query server are shaded in the figure.
As shown in Fig. 3, for the privacy-preserving additive aggregation function, the nodes A, B,
and C are assumed to share three public non-zero distinct numbers, which are denoted as x,
y, and z respectively. In addition, node A generates two random numbers r1A and r2A, which
are known only to node A. Similarly, nodes B and C generate r1B, r2B and r1C, r2C respectively,
which are private values of the nodes which have generated them.
Fig. 3. Nodes A, B and C broadcast their distinct and non-zero public seeds x, y and z
respectively
$$v_{AA} = a + r_{1A}\,x + r_{2A}\,x^2,\quad v_{BA} = a + r_{1A}\,y + r_{2A}\,y^2,\quad v_{CA} = a + r_{1A}\,z + r_{2A}\,z^2 \qquad (3)$$

$$v_{AB} = b + r_{1B}\,x + r_{2B}\,x^2,\quad v_{BB} = b + r_{1B}\,y + r_{2B}\,y^2,\quad v_{CB} = b + r_{1B}\,z + r_{2B}\,z^2 \qquad (4)$$

$$v_{AC} = c + r_{1C}\,x + r_{2C}\,x^2,\quad v_{BC} = c + r_{1C}\,y + r_{2C}\,y^2,\quad v_{CC} = c + r_{1C}\,z + r_{2C}\,z^2 \qquad (5)$$
Node A encrypts vBA and sends it to node B using the shared key between node A and
node B. Node A also encrypts vCA and sends it to node C using the shared key between
node A and node C. In the same manner, node B sends encrypted vAB to node A and vCB to
node C; node C sends encrypted vAC and vBC to node A and node B respectively. The
exchanges of these encrypted messages are depicted in Fig. 4. On receiving vAB and vAC,
node A computes the sum of vAA (already computed by node A), vAB and vAC. Now, node
A computes FA using (6).
Fig. 4. Exchanges of encrypted messages among nodes A, B and C using shared keys
In (6), $r_1 = r_{1A} + r_{1B} + r_{1C}$ and $r_2 = r_{2A} + r_{2B} + r_{2C}$. Similarly, node B and node C compute FB and
FC respectively, where FB and FC are given by (7) and (8) respectively.
Node B and node C broadcast FB and FC to the cluster leader node A, so that node A has the
knowledge of the values of FA, FB and FC. From these values the cluster leader node A can
compute the aggregated value (a + b + c) as explained below.
The equations (6), (7), and (8) can be rewritten as in (9).
$$U = G^{-1} F \qquad (9)$$
In (9),
$$G = \begin{pmatrix} 1 & x & x^2 \\ 1 & y & y^2 \\ 1 & z & z^2 \end{pmatrix}, \qquad U = \big(a+b+c,\; r_1,\; r_2\big)^T, \qquad F = \big(F_A,\; F_B,\; F_C\big)^T .$$
Since x, y, z, FA, FB, and FC are known to the cluster leader node A, it can compute the value
of (a + b + c) without having any knowledge of b and c.
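The cluster round from (3) to (9) carried through in code, as an added example that is not part of the chapter or of He et al. (2007). The seeds, private values and random ranges are constructed sample inputs, the pairwise encryption of the exchanged shares is left out, and the leader solves the Vandermonde system with exact rational arithmetic rather than a floating-point inverse; those are my choices.

```python
# Added example (not from the chapter or from He et al.): CPDA in-cluster
# aggregation for a three-node cluster, written from equations (3)-(5) and (9).
# Every node masks its private value with a degree-2 polynomial evaluated at
# the public seeds, the shares evaluated at one seed are summed into F_A, F_B,
# F_C, and the leader solves G U = F exactly over the rationals.
from fractions import Fraction
import random


def share(data: int, r1: int, r2: int, seed: int) -> int:
    """v = data + r1*seed + r2*seed^2: one node's polynomial at one public seed."""
    return data + r1 * seed + r2 * seed * seed


def node_shares(data: int, r1: int, r2: int, seeds: dict) -> dict:
    """All shares one node computes, one per public seed (eqs. 3, 4, 5)."""
    return {evaluator: share(data, r1, r2, s) for evaluator, s in seeds.items()}


def solve_vandermonde(seeds: list, F: list) -> list:
    """Solve G U = F for U = [a+b+c, r1, r2], G having rows [1, s, s^2] (eq. 9).
    Gauss-Jordan elimination over Fractions, so the result is exact."""
    n = len(seeds)
    M = [[Fraction(1), Fraction(s), Fraction(s * s), Fraction(f)] for s, f in zip(seeds, F)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if M[r][col] != 0)  # distinct seeds => exists
        M[col], M[pivot] = M[pivot], M[col]
        pv = M[col][col]
        M[col] = [v / pv for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                factor = M[r][col]
                M[r] = [rv - factor * cv for rv, cv in zip(M[r], M[col])]
    return [row[n] for row in M]


def cpda_cluster_sum(private: dict, seeds: dict, seed: int = 0) -> int:
    """One cluster round. private: node -> private value; seeds: node -> public
    seed. Each node draws (r1, r2), computes its shares, the shares are exchanged
    (pairwise encryption omitted here), every node sums the shares evaluated at
    its own seed into its F value, and the leader recovers the total from
    F_A, F_B, F_C without learning any single private value."""
    rng = random.Random(seed)
    randoms = {name: (rng.randrange(1, 10**6), rng.randrange(1, 10**6)) for name in private}
    # shares[owner][evaluator]: owner's polynomial evaluated at evaluator's seed
    shares = {name: node_shares(private[name], *randoms[name], seeds) for name in private}
    # F_X = sum over owners of their share at X's seed (eqs. 6, 7, 8)
    F = {x: sum(shares[owner][x] for owner in private) for x in private}
    names = list(private)
    total, r1, r2 = solve_vandermonde([seeds[x] for x in names], [F[x] for x in names])
    # Sanity check: the solved r1, r2 are the sums of the per-node randoms.
    assert r1 == sum(randoms[n][0] for n in private) and r2 == sum(randoms[n][1] for n in private)
    return int(total)


if __name__ == "__main__":
    # Constructed sample inputs: private readings and distinct non-zero seeds.
    print(cpda_cluster_sum({"A": 37, "B": 52, "C": 11}, {"A": 3, "B": 5, "C": 7}, seed=7))
```

The leader only ever sees F_A, F_B, F_C and the public seeds; the per-node randoms cancel into r_1 and r_2, which is why the matrix solve yields the sum but not b or c.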
In order to avoid an eavesdropping attack by neighbor nodes, it is necessary to encrypt the
values of vBA, vCA, vAB, vCB, vAC, and vBC. If node B overhears the value of vCA, then node B
gets access to the values of vCA, vBA and FA. Then node B can deduce $v_{AA} = F_A - v_{BA} - v_{CA}$.
Having the knowledge of vAA, node B can further obtain the value of a if x, vAA, vAB and vAC
are known. However, if node A encrypts vCA and sends it to node C, then node B cannot get
vCA. With the knowledge of vBA, FA, and x from node A, node B cannot deduce the value of a.
If node B and node C collude and reveal node A's information (i.e., vBA and vCA), to each
other, then node A's privacy will be compromised and its private value a will be revealed. In
order to reduce the probability of such collusion attacks, the cluster size should be as large
as possible, since in a cluster of size m, at least (m - 1) nodes should collude in order to
successfully launch the attack. Higher values of m will require larger number of colluding
nodes thereby making the attack more difficult.
Cluster data aggregation: The CPDA scheme has been implemented on top of a protocol
known as Tiny Aggregation (TAG) protocol (Madden et al., 2002). Using the TAG protocol,
each cluster leader node routes the sum of the values in the nodes in its cluster to the query
server through a TAG routing tree whose root is situated at the server.
$v_{AB} = b + r_{1B}\,x + r_{2B}\,x^2$ from node B. Since x is very large compared to b and r1B, node A can
derive the value of r2B using (10), where we consider integer division.

$$r_{2B} = \left\lfloor \frac{v_{AB}}{x^2} \right\rfloor = \left\lfloor \frac{b}{x^2} \right\rfloor + \left\lfloor \frac{r_{1B}}{x} \right\rfloor + r_{2B} = 0 + 0 + r_{2B} = r_{2B} \qquad (10)$$

Using the value of r2B as derived in (10), and using $v_{AB} = b + r_{1B}\,x + r_{2B}\,x^2$, node A can now
compute the value of r1B by solving (11).

$$r_{1B} = \left\lfloor \frac{v_{AB} - r_{2B}\,x^2}{x} \right\rfloor = \left\lfloor \frac{b}{x} \right\rfloor + r_{1B} = 0 + r_{1B} = r_{1B} \qquad (11)$$
In the same manner, node A derives the values of r1C and r2C from vAC received from node C.
Since $r_1 = r_{1A} + r_{1B} + r_{1C}$ and $r_2 = r_{2A} + r_{2B} + r_{2C}$, as shown in (6), (7) and (8), node A can
compute the values of r1 and r2 (r1B, r2B, r1C, and r2C are derived as shown above, and r1A and
r2A were generated by node A).
At this stage, node A uses the values of FB and FC received from node B and node C
respectively as shown in (7) and (8). Node A has now two linear simultaneous equations
with two unknowns: b and c, the values of y and z being public. Solving (7) and (8) for b and
c, the malicious cluster leader node A can get the access to the private information.
$$r_2 = \left\lfloor \frac{F_B}{y^2} \right\rfloor = \left\lfloor \frac{a+b+c}{y^2} \right\rfloor + \left\lfloor \frac{r_1}{y} \right\rfloor + r_2 = 0 + 0 + r_2 = r_2 \qquad (12)$$

$$r_1 = \left\lfloor \frac{F_B - r_2\,y^2}{y} \right\rfloor = \left\lfloor \frac{a+b+c}{y} \right\rfloor + r_1 = 0 + r_1 = r_1 \qquad (13)$$
As per the CPDA scheme, node B receives $v_{BC} = c + r_{1C}\,y + r_{2C}\,y^2$ from node C. Since the
magnitude of y is very large compared to c, r1C and r2C, it is easy for node B to derive the
values of r2C and r1C using (14) and (15) respectively.

$$r_{2C} = \left\lfloor \frac{v_{BC}}{y^2} \right\rfloor = \left\lfloor \frac{c}{y^2} \right\rfloor + \left\lfloor \frac{r_{1C}}{y} \right\rfloor + r_{2C} = 0 + 0 + r_{2C} = r_{2C} \qquad (14)$$

Using (12), (13), (14) and (15), node B can compute $r_{1A} = r_1 - r_{1B} - r_{1C}$ and $r_{2A} = r_2 - r_{2B} - r_{2C}$.
Now, node B can compute the value of a using $v_{BA} = a + r_{1A}\,y + r_{2A}\,y^2$ (received from node A),
in which the values of all the variables are known except that of a. In a similar fashion, node
B derives the value of c using $v_{BC} = c + r_{1C}\,y + r_{2C}\,y^2$ (received from node C).
Since the private values of the nodes A and C are now known to node B, the privacy attack
launched by participating cluster member node B is successful on the CPDA aggregation
scheme.
$$r_2\,x^2 + r_1\,x \qquad (16)$$

$$r_1\,x + (a + b + c) \qquad (17)$$

In (16) and (17), $r_1 = r_{1A} + r_{1B} + r_{1C}$ and $r_2 = r_{2A} + r_{2B} + r_{2C}$. Now, node A has computed the value
of FA as shown in (6). In order to efficiently compute the value of (a + b + c), node A divides
the value of FA by $x^2$ as shown in (18).

$$r_2 = \left\lfloor \frac{F_A}{x^2} \right\rfloor = \left\lfloor \frac{a+b+c}{x^2} \right\rfloor + \left\lfloor \frac{r_1}{x} \right\rfloor + r_2 = 0 + 0 + r_2 = r_2 \qquad (18)$$

Using (18), node A derives the value of r2. Once the value of r2 is deduced, node A attempts
to compute the value of r1 using (19) and (20).

$$F_A - r_2\,x^2 = (a + b + c) + r_1\,x \qquad (19)$$
$$r_{2A} = \left\lfloor \frac{v_{BA}}{y^2} \right\rfloor = \left\lfloor \frac{a}{y^2} \right\rfloor + \left\lfloor \frac{r_{1A}}{y} \right\rfloor + r_{2A} = 0 + 0 + r_{2A} = r_{2A} \qquad (21)$$

$$r_{1A} = \left\lfloor \frac{v_{BA} - r_{2A}\,y^2}{y} \right\rfloor = \left\lfloor \frac{a}{y} \right\rfloor + r_{1A} = 0 + r_{1A} = r_{1A} \qquad (22)$$

In a similar fashion, node B derives the values of r1C and r2C from vBC received from node C.
Now, node B computes $r_1 = r_{1A} + r_{1B} + r_{1C}$ and $r_2 = r_{2A} + r_{2B} + r_{2C}$, since it has access to the values
of all these variables. In the original CPDA scheme in (He et al., 2007), the values of FB and
FC are broadcast by nodes B and C in unencrypted form. Hence, node B has access to both
these values. Using (7) and (8), node B can compute the values of a and c, since these are the
only unknown variables in the two simultaneous linear equations.
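The floor-division arithmetic of (18) and (19), which Section 4.1 uses at the cluster leader, is the same arithmetic that the cryptanalysis in Section 3 and in (21) and (22) applies to a single share; the added Python example below shows both uses side by side and the precondition they share. It is not code from the chapter or from He et al. (2007); the function names and the numeric values are mine, and the values are constructed sample inputs.

```python
# Added example (not from the chapter or from He et al.): integer-division
# recovery of the terms of v = data + r1*x + r2*x^2. At the leader this is
# the Section 4.1 shortcut for (a+b+c) from F_A (eqs. 18-19); applied to a
# single share it is what Section 3 shows a recipient can do (eqs. 10-13,
# 21-22). Both need 0 <= data < x and 0 <= r1 < x.


def share(data: int, r1: int, r2: int, seed: int) -> int:
    """One node's polynomial evaluated at a public seed."""
    return data + r1 * seed + r2 * seed * seed


def peel(v: int, x: int) -> tuple:
    """Recover (data, r1, r2) from v = data + r1*x + r2*x^2 by integer division.
    Exact only when 0 <= data < x and 0 <= r1 < x; otherwise the carries from
    the lower terms corrupt the quotients."""
    r2 = v // (x * x)           # floor(data/x^2) + floor(r1/x) + r2 = r2
    rest = v - r2 * x * x       # = data + r1*x
    r1 = rest // x              # floor(data/x) + r1 = r1
    data = rest - r1 * x
    return data, r1, r2


def leader_sum_by_division(F_A: int, x: int) -> int:
    """Section 4.1: with a single public seed x, F_A = (a+b+c) + r1*x + r2*x^2,
    so the leader needs two divisions and two subtractions, no matrix inverse."""
    return peel(F_A, x)[0]


def peel_is_exact(data: int, r1: int, r2: int, x: int) -> bool:
    """Does integer division return this share's exact (data, r1, r2)?"""
    return peel(share(data, r1, r2, x), x) == (data, r1, r2)


if __name__ == "__main__":
    x = 10**9                                  # constructed large public seed
    F_A = share(37 + 52 + 11, 12345, 678, x)   # constructed sum and randoms
    print("leader recovers", leader_sum_by_division(F_A, x))
    # The identical operation on one share returns that node's private value.
    print("recipient sees", peel(share(52, 4711, 9, x), x))
```

Note what the last line demonstrates: the data term alone is recovered whenever data < x, because v mod x equals data regardless of r1 and r2. Making the seed large relative to the readings, which Section 4.1 relies on for efficiency, is exactly the condition under which a single share reveals its owner's value to whoever can read it.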
In order to defend against the above vulnerability, the CPDA protocol needs further
modification. In this modified version, after the values vAA, vAB, and vAC are generated and
shared by nodes A, B and C respectively, the nodes check whether the following constraints
are satisfied: vAA + vAB > vAC, vAB + vAC > vAA, and vAC + vAA > vAB. The nodes proceed with
further execution of the algorithm only if all three inequalities hold. If they do not all hold,
it is possible that the random numbers generated by one node are much larger than those
generated by the other nodes, a scenario which indicates a possible attack by a malicious
node.
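The Section 4.2 check in code, as an added example that is not part of the chapter or of He et al. (2007). It assumes the single-seed variant of Section 4.1 (all three shares evaluated at one public seed x), and the node names, seed and random values are constructed sample inputs of my choosing.

```python
# Added example (not from the chapter or from He et al.): the Section 4.2
# sanity check the leader runs on vAA, vAB, vAC before summing them. A node
# whose random values are far larger than its peers' produces a share that
# dominates the other two and fails the check. All values are constructed.


def share(data: int, r1: int, r2: int, seed: int) -> int:
    """One node's polynomial evaluated at the common public seed."""
    return data + r1 * seed + r2 * seed * seed


def shares_consistent(vAA: int, vAB: int, vAC: int) -> bool:
    """Section 4.2 constraint: each share must be less than the sum of the other
    two. False when one share dominates."""
    return (vAA + vAB > vAC) and (vAB + vAC > vAA) and (vAC + vAA > vAB)


def cluster_shares(x: int, nodes: dict) -> dict:
    """nodes maps a name to (private value, r1, r2); returns each node's share
    evaluated at the common seed x (single-seed variant of Section 4.1)."""
    return {name: share(d, r1, r2, x) for name, (d, r1, r2) in nodes.items()}


def leader_accepts(x: int, nodes: dict) -> bool:
    """What leader A does in the secure variant: collect the three shares and
    run the check before computing F_A."""
    s = cluster_shares(x, nodes)
    return shares_consistent(s["A"], s["B"], s["C"])


def dominating_node(x: int, nodes: dict):
    """Name of the node whose share is at least the sum of the other two, or
    None when the check passes."""
    s = cluster_shares(x, nodes)
    total = sum(s.values())
    for name, v in s.items():
        if v >= total - v:
            return name
    return None


if __name__ == "__main__":
    x = 10**6
    honest = {"A": (37, 11, 300), "B": (52, 29, 400), "C": (11, 17, 500)}
    skewed = {"A": (37, 11, 300), "B": (52, 29, 400), "C": (11, 17, 10**6)}
    print("honest accepted:", leader_accepts(x, honest), dominating_node(x, honest))
    print("skewed accepted:", leader_accepts(x, skewed), dominating_node(x, skewed))
```

Because the shares are dominated by the r2·x² term, the three inequalities effectively compare the nodes' r2 values. That is what makes a grossly oversized random stand out, and it also means the check rejects honest nodes whose r2 values happen to be far apart, so the range from which the randoms are drawn has to be agreed in advance.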
5. Performance analysis
In this section, we present a brief comparative analysis of the overheads of the original CPDA
protocol and the proposed modified CPDA protocols that we have discussed in Section 4.1
and Section 4.2. Our analysis is based on two categories of overheads: (i) overhead due to
message communication in the network and (ii) computational overhead at the sensor nodes.
messages from each cluster member) in a cluster of three nodes. Therefore, in a cluster of
three nodes, the modified CPDA protocol presented in Section 4.1 will involve three fewer
message transmissions. Since in a large-scale WSN the number of clusters will be quite
high, there will be an appreciable reduction in the communication overhead in the modified
CPDA protocol presented in Section 4.1.
The secure version of the modified CPDA protocol presented in Section 4.2 involves the
same communication overhead as the original CPDA protocol. However, if any node
chooses abnormally high values for its public seed or its private random numbers, the
secure version of the modified CPDA protocol will involve 2 extra messages from each of
the participating sensor nodes. Therefore, in a cluster of three nodes, the secure version of
the modified CPDA protocol will involve 6 extra messages in the worst-case scenario when
compared with the original CPDA protocol.
If $p_c$ is the probability of a sensor node electing itself as a cluster leader, the average number of
messages sent by a sensor node in the original CPDA protocol is: $4p_c + 3(1 - p_c) = 3 + p_c$. Thus,
the message overhead in the original CPDA is less than twice that in TAG. However, in the
modified CPDA protocol presented in Section 4.1, the average number of messages
communicated by a sensor node is: $3p_c + 2(1 - p_c) = 2 + p_c$. As mentioned in Section 2.3, in
order to prevent collusion attacks by sensor nodes, the cluster size in the CPDA protocol should
be as large as possible. This implies that the value of $p_c$ should be small. Since the value of $p_c$ is
small, it is clear that the message overhead in the modified CPDA protocol presented in
Section 4.1 is almost the same as that in TAG and it is much less (one message less for each
sensor node) than that of the original CPDA protocol. In the secure version of the protocol in
Section 4.2, the communication overhead, in the average case, will be the same as in the
original CPDA protocol. However, in the worst case, the number of messages sent by a sensor
node in this protocol will be: $6p_c + 5(1 - p_c) = 5 + p_c$. This is 2.5 times the average
communication overhead in the TAG protocol and 1.67 times the average communication
overhead in the original CPDA protocol. The secure protocol, therefore, will involve 67% more
overhead in the worst-case scenario (where a malicious participant sensor node chooses
abnormally high values for its public seed as well as for its private random numbers).
Since $v_{AA} = a + r_{1A}\,x + r_{2A}\,x^2$, for computation of vAA, node A needs to perform 2 addition, 2
multiplication and 1 exponentiation operations. Hence, for computing vAA, vBA and vCA,
node A needs to perform 6 addition, 6 multiplication and 3 exponentiation operations.
Therefore, in a cluster consisting of three members, for computation of all parameters,
the original CPDA protocol requires 18 addition, 18 multiplication and 9 exponentiation
operations.
ii. Computations for encrypting messages: Some of the messages in the CPDA protocol need
to be communicated in encrypted form. The encryption operation involves
computational overhead. For example, node A needs to encrypt vBA and vCA before
sending them to nodes B and C respectively. Therefore, 2 encryption operations are
required at node A. For a cluster consisting of three members, the CPDA protocol will
need 6 encryption operations.
iii. Computations of intermediate results: The nodes A, B, and C need to compute the
intermediate values FA, FB and FC respectively for computation of the final aggregated
result. Since $F_A = v_{AA} + v_{AB} + v_{AC} = (a + b + c) + r_1\,x + r_2\,x^2$, with $r_1 = r_{1A} + r_{1B} + r_{1C}$ and
$r_2 = r_{2A} + r_{2B} + r_{2C}$, for computing FA, node A will need to perform 4 addition operations.
Therefore, for a cluster of three members, 12 addition operations will be needed.
iv. Aggregate computation at the cluster leader: For computing the final aggregated result in a
privacy-preserving way, the cluster leader node A needs to perform one matrix
inversion operation and one matrix multiplication operation.
The summary of the various operations in the original CPDA protocol is presented in Table 1.

Operation Type            No. of operations
Addition                  30
Multiplication            18
Exponentiation            3
Encryption                6
Matrix multiplication     1
Matrix inversion          1
Computational overhead of the modified CPDA protocol: The overhead of the efficient
version of the CPDA protocol presented in Section 4.1 is due to: (i) computation of the
parameters at the sensor nodes, (ii) computation of the intermediate result at the cluster
leader node, and (iii) computation of the aggregated result at the cluster leader node. The
details of these computations are presented below.
i. Computation of the parameters at the sensor nodes: In the modified version of the CPDA
protocol, the nodes A, B and C need to only compute vAA, vAB, and vAC respectively. As
shown earlier, each parameter computation involves 2 addition, 2 multiplication and 1
exponentiation operations. Therefore, in total, 6 addition, 6 multiplication, and 3
exponentiation operations will be needed.
ii. Computations for encrypting messages: The nodes B and C will need to encrypt the
messages vAB and vAC respectively before sending them to the cluster leader node A.
Therefore, 2 encryption operations will be required.
iii. Computation of intermediate result: The cluster leader node A will only compute FA in the
modified CPDA. The cluster member nodes B and C need not perform any
computations here. As discussed earlier, computation of FA needs 4 addition operations.
iv. Aggregate computation at the cluster leader: For computation of the final result at the
cluster leader node, 2 integer division and 2 subtraction operations will be required.
The summary of the various operations in the modified CPDA protocol is presented in
Table 2.

Operation Type            No. of operations
Addition                  10
Subtraction               2
Multiplication            6
Division                  2
Exponentiation            3
Encryption                2

Table 2. Operations in the proposed modified CPDA protocol
It is clearly evident from Table 1 and Table 2 that the modified version of the CPDA protocol
involves much less computational overhead than the original version of the protocol.
major challenge for sensor networks (Karlof & Wagner, 2003), most of the existing proposals
for data aggregation in WSNs have not been designed with security in mind. Consequently,
these schemes are all vulnerable to various types of attacks (Sen, 2009). Even when a single
sensor node is captured, compromised or spoofed, an attacker can often manipulate the
value of an aggregate function without any bound, gaining complete control over the
computed aggregate. In fact, any protocol that computes the average, sum, minimum, or
maximum function is insecure against malicious data, no matter how these functions are
computed. To defend against these critical threats, this chapter proposes an energy-efficient
aggregation algorithm based on a distributed estimation approach. The algorithm is secure
and robust against malicious attacks in WSNs. The main threat considered while designing
the proposed scheme is the injection of malicious data into the network by an adversary who
has compromised a sensor's sensed value by subjecting it to unusual temperature, lighting,
or other spoofed environmental conditions. In designing the proposed algorithm, a WSN is
considered as a collective entity that performs a sensing task, and a distributed estimation
algorithm is proposed that can be applied to a large class of aggregation problems.
In the proposed scheme (Sen, 2011), each node in a WSN has complete information about
the parameter being sensed. This is in contrast to the snapshot aggregation, where the
sensed parameters are aggregated at the intermediate nodes till the final aggregated result
reaches the root. Each node, in the proposed algorithm, instead of unicasting its sensed
information to its parent, broadcasts its estimate to all its neighbors. This makes the protocol
more fault-tolerant and increases the information availability in the network. The scheme is
an extension of the one suggested in (Boulis et al., 2003). However, it is more secure and
reliable even in presence of compromised and faulty nodes in a WSN.
In the following section, we provide a brief discussion on some of the well-known secure
aggregation schemes for WSNs.
Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks 149
using the query language, and the sensor nodes send their replies using routes constructed
based on a routing tree. At each point in the routing tree, the data is aggregated using
some aggregation function that was defined in the initial query sent by the BS. In
(Shrivastava et al., 2004), a summary structure for supporting fairly complex aggregate
functions, such as median and range queries, has been proposed. Computation of
relatively simpler functions such as min/max, sum, and average is also supported in the
proposed framework. However, more complex aggregates, such as the most frequently
reported data values, are not supported. The computed aggregate functions are
approximate, but the estimation errors are statistically bounded. There are also
propositions based on programmable sensor networks for aggregation based on
snapshot algorithms (Jaikaeo et al., 2000). In (Zhao et al., 2002), the authors have
focused their attention on the problem of providing a residual energy map of a WSN.
They have proposed a scheme for computing the equi-potential curves of residual energy
with a certain acceptable margin of error. A simple but efficient aggregation function is
proposed in which the location approximation of the nodes is not computed. A more
advanced aggregate function could be developed for this purpose that would encompass an
accurate convex curve. For periodic update of the residual energy map, the authors have
proposed a naïve scheme of incremental updates: if a node changes its value beyond the
tolerance limit, its value is transmitted and aggregated again by some nodes before the
final change reaches the user. No mechanism exists for prediction of changes or for
estimation of the correlation between sensed values for the purpose of setting the
tolerance threshold. In (Goel & Imielinski, 2001), a scheme has been proposed for
monitoring the sensed values of each individual sensor node in a WSN. There is no
aggregation algorithm in the scheme; however, the spatial-temporal correlation between
the sensed data can be extrapolated to fit an aggregation function. The authors have also
attempted to adapt the techniques of MPEG-2 to sensor network monitoring in order to
optimize communication overhead and energy. A central node computes predictions and
transmits them to all the nodes. The nodes send their updates only if their sensed data
deviate significantly from the predictions. A distributed computing framework is
developed by establishing a hierarchical dependency among the nodes. An energy-
efficient aggregation algorithm is proposed by the authors in (Boulis et al., 2003), in
which each node in a WSN senses the parameter and there is no hierarchical dependency
among the nodes. The nodes in a neighbourhood periodically broadcast their information
based on a threshold value.
As mentioned earlier in this section, none of the above schemes consider security aspects in
the aggregation schemes. Security in aggregation schemes for WSNs has also attracted
attention from researchers, and a considerable number of propositions exist in the
literature. We discuss some of the well-known mechanisms below.
A secure aggregation (SA) protocol has been proposed that uses the TESLA protocol (Hu &
Evans, 2003). The protocol is resilient to both intruder devices and single device key
compromises. In the proposition, the sensor nodes are organized into a tree where the
internal nodes act as the aggregators. However, the protocol is vulnerable if a parent and
one of its child nodes are compromised, since, due to the delayed disclosure of symmetric
keys, the parent node will not be able to immediately verify the authenticity of the data sent
by its child nodes.
Security and Cryptography in Computing
Security Issues in a Networked Age
Przydatek et al. have presented a secure information aggregation (SIA) framework for sensor
networks (Przydatek et al., 2003; Chan et al., 2007). The framework consists of three
categories of node: a home server, base station and sensor nodes. A base station is a
resource-enhanced node which is used as an intermediary between the home server and
the sensor nodes, and it is also the candidate to perform the aggregation task. SIA
assumes that each sensor has a unique identifier and shares a separate secret
cryptographic key with both the home server and the aggregator. The keys enable
message authentication and encryption if data confidentiality is required. Moreover, it
further assumes that the home server and the base station can use a mechanism, such as
μTESLA, to broadcast authenticated messages. The proposed solution follows an
aggregate-commit-prove approach. In the first phase (aggregate), the aggregator collects
data from sensors and locally computes the aggregation result using some specific
aggregate function. Each sensor shares a key with the aggregator. This allows the
aggregator to verify whether the sensor reading is authentic. However, there is a
possibility that a sensor may have been compromised and an adversary has captured the
key. In the proposed scheme there is no mechanism to detect such an event. In the second
phase (commit), the aggregator commits to the collected data. This phase ensures that the
aggregator actually uses the data collected from the sensors, and that the statement to be
verified by the home server about the correctness of computed results is meaningful. One
efficient mechanism for committing is a Merkle hash-tree construction (Merkle, 1980). In
this method, the data collected from the sensors is placed at the leaves of a tree. The
aggregator then computes a binary hash tree starting with the leaf nodes. Each internal
node in the hash tree is computed as the hash value of the concatenation of its two
child nodes. The root of the tree is called the commitment of the collected data. As the
hash function in use is collision-resistant, once the aggregator commits to the collected
values, it cannot change any of the collected values. In the third and final phase (prove),
the aggregator and the home server engage in a protocol in which the aggregator
communicates the aggregation result. In addition, the aggregator uses an interactive proof
protocol to prove the correctness of the reported results. This is done in two logical steps.
In the first step, the home server ensures that the committed data is a good representation
of the sensor data readings collected. In the second step, the home server checks the
reliability of the aggregator output. This is done by checking whether the aggregation
result is close to the committed results. The interactive proof protocol varies depending on
the aggregation function being used. Moreover, the authors also presented efficient
protocols for secure computation of the median and the average of the measurements, for
the estimation of the network size, and for finding the minimum and maximum sensor reading.
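The commit phase and the first verification step of the prove phase, as an added example (not code from the SIA authors or from this chapter): the aggregator builds a Merkle hash tree over the collected readings, and the home server checks sampled leaves against the commitment. SHA-256, the leaf encoding, the duplicate-odd-node padding and the sample readings are assumptions of this example.

```python
import hashlib

# Constructed sample: (sensor_id, reading) pairs the aggregator collected in the aggregate phase.
READINGS = [(1, 24.8), (2, 25.1), (3, 24.9), (4, 25.3), (5, 26.0)]


def _h(data: bytes) -> bytes:
    # SHA-256 stands in for the collision-resistant hash; the chapter fixes no concrete function.
    return hashlib.sha256(data).digest()


def leaf_hash(sensor_id: int, reading: float) -> bytes:
    # Leaves and internal nodes use different prefixes so one cannot be passed off as the other.
    return _h(b"\x00" + f"{sensor_id}:{reading!r}".encode())


def _pad(level):
    # An odd node at any level is paired with a copy of itself (an assumption of this example).
    return level + [level[-1]] if len(level) % 2 else level


def build_tree(readings):
    """Return the tree as a list of levels: levels[0] are the leaves, levels[-1] is [root]."""
    level = [leaf_hash(sid, r) for sid, r in readings]
    levels = [level]
    while len(level) > 1:
        padded = _pad(level)
        level = [_h(b"\x01" + padded[i] + padded[i + 1]) for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def commitment(readings) -> bytes:
    """The root hash the aggregator sends to the home server in the commit phase."""
    return build_tree(readings)[-1][0]


def auth_path(readings, index):
    """Sibling hashes from the leaf at `index` up to the root, each tagged with its side."""
    path = []
    for level in build_tree(readings)[:-1]:
        padded = _pad(level)
        sibling = index ^ 1
        path.append((padded[sibling], sibling > index))
        index //= 2
    return path


def verify_leaf(root: bytes, sensor_id: int, reading: float, path) -> bool:
    """Home server side: recompute the root from one reading plus its path and compare."""
    node = leaf_hash(sensor_id, reading)
    for sibling, sibling_on_right in path:
        node = _h(b"\x01" + node + sibling) if sibling_on_right else _h(b"\x01" + sibling + node)
    return node == root


def spot_check(root: bytes, reported: list, indices) -> bool:
    """First step of the prove phase: the home server samples leaves and checks each against
    the commitment. `reported` is whatever data the aggregator now claims it committed to."""
    return all(
        verify_leaf(root, reported[i][0], reported[i][1], auth_path(reported, i)) for i in indices
    )


if __name__ == "__main__":
    root = commitment(READINGS)
    print("honest aggregator passes:", spot_check(root, READINGS, [0, 2, 4]))
    # After committing, the aggregator alters sensor 3's reading; no path matches the root any more.
    tampered = READINGS[:2] + [(3, 30.0)] + READINGS[3:]
    print("tampered report passes:", spot_check(root, tampered, [2]))
```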
In (Mahimkar & Rappaport, 2004), a protocol is proposed that uses elliptic curve
cryptography for encrypting the data in WSNs. The scheme is based on clustering where all
nodes within a cluster share a secret cluster key. Each sensor node in a cluster generates a
partial signature over its data. Each aggregator aggregates its cluster data and broadcasts
the aggregated data in its cluster. Each node in a cluster checks its data with the aggregated
data broadcast by the aggregator. A sensor node puts its partial signature to authenticate a
message only if the difference between its data and aggregated data is less than a threshold.
Finally, the aggregator combines all the partially signed messages to form a full signature
with the authenticated result.
Deng et al. proposed a collection of mechanisms for securing in-network processing (SINP) for
WSNs (Deng et al., 2003). Security mechanisms have been proposed to address the
downstream requirement that sensor nodes authenticate commands disseminated from
parent aggregators and the upstream requirement that aggregators authenticate data
produced by sensors before aggregating that data. In the downstream stage, two techniques
are involved: one-way functions and TESLA. The upstream stage requires that a pair-wise
key be shared between an aggregator and its sensor nodes.
Cam et al. proposed an energy-efficient secure pattern-based data aggregation (ESPDA) protocol
for wireless sensor networks (Cam et al., 2003; Cam et al., 2005; Cam et al., 2006a). ESPDA is
applicable for hierarchy-based sensor networks. In ESPDA, a cluster-head first requests
sensor nodes to send the corresponding pattern code for the sensed data. If multiple sensor
nodes send the same pattern code to the cluster-head, only one of them is permitted to send
the data to the cluster-head. ESPDA is secure because it does not require encrypted data to
be decrypted by cluster-heads to perform data aggregation.
Cam et al. have introduced another secure differential data aggregation (SDDA) scheme based
on pattern codes (Cam et al., 2006b). SDDA prevents redundant data transmission from
sensor nodes by implementing the following schemes: (1) SDDA transmits differential data
rather than raw data, (2) SDDA performs data aggregation on pattern codes representing the
main characteristics of the sensed data, and (3) SDDA employs a sleep protocol to
coordinate the activation of sensing units in such a way that only one of the sensor nodes
capable of sensing the data is activated at a given time. In the SDDA data transmission
scheme, the raw data from the sensor nodes is compared with the reference data and the
difference of them is transmitted in the network. The reference data is obtained by taking
the average of previously transmitted data.
In (Sanli et al., 2004), a secure reference-based data aggregation (SRDA) protocol is proposed for
cluster-based WSNs, in which raw data sensed by sensor nodes are compared with
reference data values and then only the difference data is transmitted to conserve sensor energy.
The reference data is taken as the average of a number of historical (i.e., past) sensor readings.
However, a serious drawback of the scheme is that it does not allow aggregation at the
intermediate nodes.
To defend against attacks by malicious aggregator nodes in WSNs which may falsely
manipulate the data during the aggregation process, a cryptographic mechanism has been
proposed in (Wu et al., 2007). In the proposed mechanism, a secure aggregation tree (SAT) is
constructed that enables monitoring of the aggregator nodes. The child nodes of the
aggregators can monitor the incoming data to the aggregators and can invoke a voting
scheme in case any suspicious activities by the aggregator nodes are observed.
A secure hop-by-hop data aggregation protocol (SDAP) has been proposed in (Yang et al., 2006),
in which a WSN is dynamically partitioned into multiple logical sub-trees of almost equal
sizes using a probabilistic approach. In this way, fewer nodes are located under a high-level
sensor node, thereby reducing potential security threats on nodes at higher levels. Since a
compromised node at a higher level in a WSN will cause more adverse effect on data
aggregation than one at a lower level, the authors argue that by reducing the number of
nodes at the higher levels in the logical tree, the aggregation process becomes more secure.
In (Ozdemir, 2007), a secure and reliable data aggregation scheme (SELDA) is proposed
that makes use of the concept of a web of trust. Trust- and reputation-based schemes have been
extensively used for designing security solutions for multi-hop wireless networks like mobile
ad hoc networks (MANETs), wireless mesh networks (WMNs) and WSNs (Sen, 2010b; Sen,
2010c; Sen, 2010d). In this scheme, sensor nodes exchange trust values in their neighborhood
to form a web of trust that helps in determining secure and reliable paths to aggregators.
Observations from sensor nodes which belong to a web of trust are given higher weights
to make the aggregation process more robust.
A data aggregation and authentication (DAA) protocol is proposed in (Cam & Ozdemir, 2007),
to integrate false data detection with data aggregation and confidentiality. In this scheme, a
monitoring algorithm has been proposed for verifying the integrity of the computed
aggregated result by each aggregator node.
In order to minimize false positives (cases where an alert is raised although there is no
attack) in a WSN, a dynamic threshold scheme is proposed in (Parkeh & Cam, 2007), which
dynamically varies the threshold in accordance with the false alarm rate. A data aggregation
algorithm is also proposed to determine the detection probability of a target by fusing data
from multiple sensor nodes.
Du et al. proposed a witness-based data aggregation (WDA) scheme for WSNs to assure the
validation of the data fusion nodes to the base station (Du et al., 2003). To prove the validity
of the fusion results, the fusion node has to provide proofs from several witnesses. A
witness is one who also conducts data fusion like a data fusion node, but does not forward
its result to the base station. Instead, each witness computes the MAC of the result and then
provides it to the data fusion node, which must forward the proofs to the base station. This
scheme can defend against attacks on data integrity in WSNs.
Wagner studied secure data aggregation in sensor networks and proposed a mathematical
framework for formally evaluating their security (Wagner, 2004). The robustness of an
aggregation operator against malicious data is quantified. Ye et al. propose a statistical
en-route filtering mechanism to detect any forged data being sent from the sensor nodes to the
base station of a WSN, using multiple MACs along the path from the aggregator to the base
station (Ye et al., 2004; Ye et al., 2005).
boundaries (e.g., maxima, minima), and hence the aggregation result is determined by the
values of few nodes. However, the proposed algorithm does not assume any knowledge
about the underlying physical process.
b. If the difference exceeds the threshold, the node performs the same function as in
step (a). Additionally, it requests its other neighbors to send their values of the
global estimate.
c. If the estimates sent by the majority of the neighbors differ from the estimate sent
by the first neighbor by more than the threshold value, then the first neighbor is assumed
to be compromised. Otherwise, it is assumed to be normal.
3. If a node is identified as compromised, the global estimate previously sent by it is
ignored in the computation of the new global estimate, and the node is isolated from the
network by a broadcast message in its neighborhood.
$P_{CC} = \left( \omega P_{AA}^{-1} + (1-\omega) P_{BB}^{-1} \right)^{-1}$ (23)
$C = P_{CC} \left( \omega P_{AA}^{-1} A + (1-\omega) P_{BB}^{-1} B \right)$ (24)
Here, PAA, PBB, and PCC represent the covariance matrices associated with the estimates A, B,
and C respectively. The main computational problem with CI is the computation of ω. The
value of ω lies between 0 and 1. The optimum value of ω is arrived at when the trace of the
determinant of PCC is minimized.
For the max aggregation function, the covariance matrices are simple scalars. It can be observed
from (23) and (24) that in such a case ω is either 1 or 0. Consequently, P_CC is equal to the
minimum of P_AA and P_BB, and C is equal to either A or B depending on which one yields P_CC.
Even when the estimates are reasonably small-sized vectors, there are efficient algorithms to
determine ω.
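Equations (23) and (24) carried through in code, as an added example that is not from this chapter or from (Sen, 2011): a node fuses its own estimate A with a neighbor's broadcast estimate B by covariance intersection, choosing ω to minimise the determinant (or trace) of P_CC. It goes slightly beyond the text: besides the scalar max-aggregation case, where ω comes out as 0 or 1 and P_CC = min(P_AA, P_BB), it handles a 2x2 case whose optimum ω is interior. The golden-section search and all sample values are assumptions of this example.

```python
# Covariance intersection (CI) following equations (23) and (24), in pure Python.
# Matrices are lists of rows, vectors are lists; every sample value below is constructed.

def mat_inv(m):
    """Gauss-Jordan inverse with partial pivoting; raises on a singular covariance."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular covariance matrix")
        a[col] = [x / p for x in a[col]]
        for r in range(n):
            if r != col:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]

def det(m):
    """Determinant by Gaussian elimination: product of pivots, sign-corrected for row swaps."""
    n, a, d = len(m), [row[:] for row in m], 1.0
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            return 0.0
        if pivot != col:
            a[col], a[pivot] = a[pivot], a[col]
            d = -d
        d *= a[col][col]
        for r in range(col + 1, n):
            f = a[r][col] / a[col][col]
            a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return d

def trace(m):
    return sum(m[i][i] for i in range(len(m)))

def mat_vec(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]

def ci_fuse(A, P_AA, B, P_BB, omega):
    """Fuse estimates A and B (covariances P_AA, P_BB) for a given omega in [0, 1].
    Returns (C, P_CC): P_CC from eq. (23), C from eq. (24)."""
    n = len(P_AA)
    inv_a, inv_b = mat_inv(P_AA), mat_inv(P_BB)
    # eq. (23): P_CC = (omega * P_AA^-1 + (1 - omega) * P_BB^-1)^-1
    info = [[omega * inv_a[i][j] + (1 - omega) * inv_b[i][j] for j in range(n)] for i in range(n)]
    P_CC = mat_inv(info)
    # eq. (24): C = P_CC * (omega * P_AA^-1 * A + (1 - omega) * P_BB^-1 * B)
    wa, wb = mat_vec(inv_a, A), mat_vec(inv_b, B)
    C = mat_vec(P_CC, [omega * wa[i] + (1 - omega) * wb[i] for i in range(n)])
    return C, P_CC

def optimal_omega(P_AA, P_BB, metric=det, tol=1e-7):
    """Choose omega minimising metric(P_CC); the determinant is the default, trace also works.
    A golden-section search on [0, 1] is used (the chapter prescribes no method). For scalar
    covariances the cost is monotone in omega, so the optimum is an endpoint (0 or 1)."""
    zero = [0.0] * len(P_AA)  # the estimate values do not influence P_CC

    def cost(w):
        return metric(ci_fuse(zero, P_AA, zero, P_BB, w)[1])

    lo, hi = 0.0, 1.0
    g = (5 ** 0.5 - 1) / 2
    x1, x2 = hi - g * (hi - lo), lo + g * (hi - lo)
    f1, f2 = cost(x1), cost(x2)
    while hi - lo > tol:
        if f1 < f2:
            hi, x2, f2 = x2, x1, f1
            x1 = hi - g * (hi - lo)
            f1 = cost(x1)
        else:
            lo, x1, f1 = x1, x2, f2
            x2 = lo + g * (hi - lo)
            f2 = cost(x2)
    # Compare the interior candidate with both endpoints so a monotone cost returns exactly 0 or 1.
    return min((0.0, 1.0, (lo + hi) / 2), key=cost)

def fuse_with_neighbor(A, P_AA, B, P_BB, metric=det):
    """A node combines its own estimate A with a neighbor's broadcast estimate B."""
    omega = optimal_omega(P_AA, P_BB, metric)
    C, P_CC = ci_fuse(A, P_AA, B, P_BB, omega)
    return omega, C, P_CC

if __name__ == "__main__":
    # Scalar case (max aggregation): the lower-variance estimate wins outright (omega = 1).
    print(fuse_with_neighbor([25.2], [[1.0]], [26.0], [[4.0]]))
    # 2x2 case: each estimate is precise in a different coordinate, so the best omega is interior.
    print(fuse_with_neighbor([0.0, 0.0], [[1.0, 0.0], [0.0, 4.0]], [2.0, 2.0], [[4.0, 0.0], [0.0, 1.0]]))
```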
In all these computations, it is assumed that the resultant distribution after combination of two
bounded Gaussian distributions is also a Gaussian distribution. This is done in order to
maintain the consistency of the estimates. The mean and the variance of the new Gaussian
distribution represent the new estimate and the confidence (or certainty) associated with
this new estimate, respectively.
greater load on the estimation algorithm thereby demanding more energy for the same level
of accuracy (Boulis et al., 2003). If the user has no information about the physical process, he
can determine the level of accuracy of the aggregation and the amount of energy spent
dynamically as the process executes.
9. Simulation results
In this section, we describe the simulations that have been performed on the proposed scheme.
As the proposed algorithm is an extension of the algorithm presented in (Boulis et al., 2003), we
present here the results that are more relevant to our contribution, i.e., the performance of the
security module. The results related to the energy consumption of nodes and aggregation
accuracy for different threshold values (discussed in Section 8.4) are presented in detail in (Boulis
et al., 2003) and therefore these are not within the scope of this work.
In the simulated environment, the implemented application performs temperature
monitoring, using the network simulator ns-2 and its sensor network extension Mannasim
(Mannasim, 2002). The nodes sense the temperature continuously and send the maximum
sensed temperature only when it differs from the last data sent by more than 2%. In order to
simulate the temperature behaviour of the environment, random numbers are generated
following a Gaussian distribution with a standard deviation of 1 °C around an average
temperature of 25 °C. The simulation parameters are presented in Table 3.
To evaluate the performance of the security module of the proposed algorithm, two
different scenarios are simulated. In the first case, the aggregation algorithm is executed in
the nodes without invoking the security module to estimate the energy consumption of the
aggregation algorithm. In the second case, the security module is invoked in the nodes and
some of the nodes in the network are intentionally compromised. This experiment allows us
to estimate the overhead associated with the security module of the algorithm and its
detection effectiveness.
[Table 3. Simulation parameters; columns: Parameter, Value; table body not recoverable]
Fig. 6. Detection effectiveness with 10% of the nodes in the network faulty
It is observed that the delivery ratio (ratio of the packets sent to the packets received by the
nodes) is not affected by invocation of the security module. This is expected: since the packets
are transmitted in the same wireless environment, the introduction of the security module
should not have any influence on the delivery ratio.
Regarding energy consumption, it is observed that the introduction of the security module
causes an average increase of 105.4% in the energy consumption of the nodes in the
network. This increase is observed when 20% of the nodes, chosen randomly, are
compromised intentionally while the aggregation algorithm is executing. The increase in
energy consumption is due to the additional transmission and reception of messages after the
security module is invoked.
To evaluate the detection effectiveness of the security scheme, further experiments are
conducted. For this purpose, different percentages of the nodes in the network are compromised
and the detection effectiveness of the security scheme is evaluated. Fig. 6 and Fig. 7 present the
results for 10% and 20% compromised nodes in the network respectively. In these diagrams,
false positives refer to the cases where the security scheme wrongly identifies a sensor node as
faulty while it is actually not so. False negatives, on the other hand, are the cases where the
detection scheme fails to identify a sensor node which is actually faulty. It is observed that even
when there are 20% compromised nodes in the network, the scheme has a very high detection
rate with very low false positive and false negative rates. The results show that the proposed
mechanism is quite effective in detecting failed and compromised nodes in the network.
Fig. 7. Detection effectiveness with 20% of the nodes in the network faulty
11. References
Acharya, M.; Girao, J. & Westhoff, D. (2005). Secure Comparison of Encrypted Data in
Wireless Sensor Networks. Proceedings of the 3rd International Symposium on
Modelling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WIOPT), pp. 47-
53, Washington, DC, USA, 2005.
Akyildiz, I. F.; Su, W.; Sankarasubramaniam, Y. & Cayirci, E. (2002). Wireless Sensor
Networks: A Survey. IEEE Computer, Vol 38, No 4, pp. 393-422, March 2002.
Armknecht, F.; Westhoff, D.; Girao, J. & Hessler, A. (2008). A Lifetime-Optimized End-to-
End Encryption Scheme for Sensor Networks Allowing In-Network Processing.
Computer Communications, Vol 31, No 4, pp. 734-749, March 2008.
Bandyopadhyay, D. & Sen, J. (2011). Internet of Things: Applications and Challenges in
Technology and Standardization. International Journal of Wireless Personal
Communications- Special Issue; Distributed and Secure Cloud Clustering (DISC), Vol 58,
No 1, pp. 49-69, May 2011.
Boulis, A.; Ganeriwal, S. & Srivastava, M. B. (2003). Aggregation in Sensor Networks: An
Energy-Accuracy Trade-Off. Ad Hoc Networks, Vol 1, No 2-3, pp. 317-331,
September 2003.
Cam, H.; Muthuavinashiappan, D. & Nair, P. (2003). ESPDA: Energy-Efficient and Secure
Pattern-Based Data Aggregation for Wireless Sensor Networks. Proceedings of IEEE
International Conference on Sensors, pp. 732-736, Toronto, Canada, October 2003.
Cam, H.; Muthuavinashiappan, D. & Nair, P. (2005). Energy-Efficient Security Protocol for
Wireless Sensor Networks. Proceedings of the IEEE Vehicular Technology Conference
(VTC’05), pp. 2981-2984, Orlando, Florida, October 2005.
Cam, H. & Ozdemir, S. (2007). False Data Detection and Secure Aggregation in Wireless
Sensor Networks. Security in Distributed Grid Mobile and Pervasive Computing, Yang
Xiao (ed.), Auerbach Publications, CRC Press, April 2007.
Cam, H.; Ozdemir, S.; Nair, P.; Muthuavinashiappan, D. & Sanli, H. O. (2006a). Energy-
Efficient Secure Pattern Based Data Aggregation for Wireless Sensor Networks.
Computer Communications, Vol 29, No 4, pp. 446-455, February 2006.
Cam, H.; Ozdemir, S.; Sanli, H. O. & Nair, P. (2006b). Secure Differential Data Aggregation
for Wireless Sensor Networks. Sensor Network Operations, Phoha et al. (eds.), pp.
422-441, Wiley-IEEE Press, May 2006.
Castelluccia, C.; Chan, A. C-F.; Mykletun, E. & Tsudik, G. (2009). Efficient and Provably
Secure Aggregation of Encrypted Data in Wireless Sensor Networks. ACM
Transactions on Sensor Networks, Vol 5, No 3, May 2009.
Castelluccia, C.; Mykletun, E. & Tsudik, G. (2005). Efficient Aggregation of Encrypted Data
in Wireless Sensor Networks. Proceedings of the 2nd Annual International Conference on
Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous’05), pp. 109-117,
San Diego, California, USA, July 2005.
Chan, H.; Perrig, A.; Przydatek, B. & Song, D. (2007). SIA: Secure Information Aggregation
in Sensor Networks. Journal of Computer Security – Special Issue on Security of Ad Hoc
and Sensor Networks, Vol 15, No 1, pp. 69-102, January 2007.
Chaum, D. (1988). The Dining Cryptographers Problem: Unconditional Sender and
Recipient Untraceability. Journal of Cryptology, Vol 1, No 1, pp. 65–75, 1988.
Deng, J.; Han, R. & Mishra, S. (2003). Security Support for In-network Processing in Wireless
Sensor Networks. Proceedings of the 1st ACM Workshop on Security of Ad Hoc and
Sensor Networks (SASN’03), pp. 83-93, Fairfax, Virginia, USA, October 2003.
Du, W.; Deng, J.; Han, Y. S. & Varshney, P. K. (2003). A Witness-Based Approach for Data
Fusion Assurance in Wireless Sensor Networks. Proceedings of IEEE Global
Telecommunications Conference (GLOBECOM’03), Vol 3, pp. 1435-1439, San Francisco,
USA, December 2003.
Eschenauer, L. & Gligor, V. D. (2002). A Key-Management Scheme for Distributed Sensor
Networks. Proceedings of the 9th ACM Conference on Computing and Communications
Security (CCS’02), pp. 41- 47, Washington, DC, USA, November 2002.
Estrin, D.; Govindan, R.; Heidemann, J. S. & Kumar, S. (1999). Next Century Challenges:
Scalable Coordination in Sensor Networks. Proceedings of the 5th ACM/IEEE
International Conference on Mobile Computing and Networking (MobiCom’99), pp. 263-
270, Seattle, Washington, USA, August 1999.
Fontaine, C. & Galand, F. (2007). A Survey of Homomorphic Encryption for Nonspecialists.
EURASIP Journal on Information Security, Vol 2007, Article ID 13801, January 2007.
Gentry, C. (2009). A Fully Homomorphic Encryption Scheme. Doctoral Dissertation,
Department of Computer Science, Stanford University, USA, September 2009.
Girao, J.; Westhoff, D. & Schneider, M. (2005) CDA: Concealed Data Aggregation for
Reverse Multicast Traffic in Wireless Sensor Networks. Proceedings of the 40th IEEE
Conference on Communications (IEEE ICC’05), Vol. 5, pp. 3044–3049, Seoul, Korea,
May 2005.
Goel, S. & Imielinski, T. (2001). Prediction-Based Monitoring in Sensor Networks: Taking
Lessons from MPEG. ACM SIGCOMM Computing and Communication Review-
Special Issue on Wireless Extensions to the Internet, Vol 31, No 5, pp. 82-98, ACM
Press, New York, October 2001.
He, W.; Liu, X.; Nguyen, H.; Nahrstedt, K. & Abdelzaher, T. (2007). PDA: Privacy-
Preserving Data Aggregation in Wireless Sensor Networks. Proceedings of the 26th
IEEE International Conference on Computer Communications (INFOCOM’07), pp. 2045-
2053, Anchorage, Alaska, USA, May 2007.
Heidemann, J.; Silva, F.; Intanagonwiwat, C.; Govindan, R.; Estrin, D. & Ganesan, D. (2001).
Building Efficient Wireless Sensor Networks with Low-Level Naming. Proceedings of
the 18th ACM Symposium on Operating Systems Principles (SOSP’01), Banff, Canada,
October 2001.
Hu, L. & Evans, D. (2003). Secure Aggregation for Wireless Networks. Proceedings of the
Symposium on Applications and the Internet Workshops (SAINT’03), pp. 384-391,
Orlando, Florida, USA, January 2003.
Jaikaeo, C.; Srisathapornphat, C. & Shen, C. (2000). Querying and Tasking of Sensor
Networks. Proceedings of SPIE’s 14th Annual International Symposium on
Aerospace/Defence Sensing, Simulation and Control (Digitization of the Battlespace V),
pp. 26-27, Orlando, Florida, USA, April 2000.
Karlof, C. & Wagner, D. (2003). Secure Routing in Sensor Networks: Attacks and
Countermeasures. Ad Hoc Networks, Vol 1, pp. 293-315, May 2003.
Madden, S. R.; Franklin, M. J.; Hellerstein, J. M. & Hong, W. (2002). TAG: A Tiny
Aggregation Service for Ad-Hoc Sensor Networks. Proceedings of the 5th Symposium
on Operating Systems Design and Implementation (OSDI’02), pp. 131-146, Boston,
Massachusetts, USA, December 2002.
Madden, S. R.; Franklin, M. J.; Hellerstein, J. M & Hong, W. (2005). TinyDB: An
Acquisitional Query Processing System for Sensor Networks. ACM Transactions on
Database Systems, Vol 30, No 1, pp. 122-173, March 2005.
on Network Security and its Applications (CNSA’10), Chennai, India, July 2010. Recent
Trends in Network Security and its Applications, Meghanathan et al. (eds.), pp. 538–
547, Communications in Computer and Information Science (CCIS), Springer-Verlag,
Heidelberg, Germany, July 2010.
Sen, J. (2010d). Reputation- and Trust-Based Systems for Wireless Self-Organizing
Networks, pp. 91-122. Security of Self-Organizing Networks: MANET, WSN, WMN,
VANET, A-S. K. Pathan (ed.), Auerbach Publications, CRC Press, USA, December
2010.
Sen, J. (2011). A Robust and Secure Aggregation Protocol for Wireless Sensor Networks.
Proceedings of the 6th International Symposium on Electronic Design, Test and
Applications (DELTA’11), pp. 222-227, Queenstown, New Zealand, January, 2011.
Sen, J. & Maitra, S. (2011). An Attack on Privacy-Preserving Data Aggregation Protocol for
Wireless Sensor Networks. Proceedings of the 16th Nordic Conference in Secure IT
Systems (NordSec’11), Tallinn, Estonia, October 2011. Lecture Notes in Computer
Science (LNCS), Laud, P. (ed.), Vol 7161, pp. 205-222, Springer, Heidelberg,
Germany.
Shrivastava, N.; Buragohain, C.; Agrawal, D. & Suri, S. (2004). Medians and Beyond: New
Aggregation Techniques for Sensor Networks. Proceedings of the 2nd
International Conference on Embedded Networked Sensor Systems, pp. 239-249, ACM
Press, New York, November 2004.
Wagner, D. (2004). Resilient Aggregation in Sensor Networks. Proceedings of the 2nd ACM
Workshop on Security of Ad Hoc and Sensor Networks (SASN’04), pp. 78-87, ACM
Press, New York, USA, October 2004.
Westhoff, D.; Girao, J. & Acharya, M. (2006). Concealed Data Aggregation for Reverse
Multicast Traffic in Sensor Networks: Encryption, Key Distribution, and Routing
Adaptation. IEEE Transactions on Mobile Computing, Vol 5, No 10, pp. 1417-1431,
October 2006.
Wu, K.; Dreef, D.; Sun, B. & Xiao, Y. (2007). Secure Data Aggregation without Persistent
Cryptographic Operations in Wireless Sensor Networks. Ad Hoc Networks, Vol 5,
No 1, pp. 100–111, January 2007.
Yang, Y.; Wang, X.; Zhu, S. & Cao, G. (2006). SDAP: A Secure Hop-by-Hop Data
Aggregation Protocol for Sensor Networks. ACM Transactions on Information and
System Security (TISSEC), Vol 11, No 4, July 2008. Proceedings of the 7th ACM
International Symposium on Mobile Ad Hoc Networking and Computing
(MOBIHOC’06), Florence, Italy, May 2006.
Ye, F.; Luo, H.; Lu, S. & Zhang, L. (2004). Statistical En-Route Filtering of Injected False
Data in Sensor Networks. Proceedings of the 23rd IEEE Annual International Computer
and Communications (INFOCOM’04), Vol 4, pp. 2446-2457, Hong Kong, March 2004.
Ye, F.; Luo, H.; Lu, S. & Zhang, L. (2005). Statistical En-route Filtering of Injected False Data
in Sensor Networks. IEEE Journal on Selected Areas in Communications, Vol 23, No 4,
pp. 839-850, April 2005.
Zhang, W.; Liu, Y.; Das, S. K. & De, P. (2008). Secure Data Aggregation in Wireless Sensor
Networks: A Watermark Based Authentication Supportive Approach. Pervasive
Mobile Computing, Vol 4, No 5, pp. 658-680, Elsevier Press, October 2008.
Zhao, Y. J.; Govindan, R. & Estrin, D. (2002). Residual Energy Scan for Monitoring Sensor
Networks. Proceedings of IEEE Wireless Communications and Networking Conference
(WCNC’02), Vol 1, pp. 356-362, March 2002.
Secure and Privacy-Preserving Authentication Protocols for Wireless
Mesh Networks
1. Introduction
Wireless mesh networks (WMNs) have emerged as a promising concept to meet the challenges in
next-generation wireless networks such as providing flexible, adaptive, and reconfigurable
architecture while offering cost-effective solutions to service providers (Akyildiz et al., 2005).
WMNs are multi-hop networks consisting of mesh routers (MRs), which form wireless mesh
backbones and mesh clients (MCs). The mesh routers provide a rich radio mesh connectivity
which significantly reduces the up-front deployment cost of the network. Mesh routers are
typically stationary and do not have power constraints. However, the clients are mobile and
energy-constrained. Some mesh routers are designated as gateway routers which are
connected to the Internet through a wired backbone. A gateway router provides access to
conventional clients and interconnects ad hoc, sensor, cellular, and other networks to the
Internet. The gateway routers are also referred to as the Internet gateways (IGWs). A mesh
network can provide multi-hop communication paths between wireless clients, thereby
serving as a community network, or can provide multi-hop paths between the client and the
gateway router, thereby providing broadband Internet access to the clients.
As WMNs become an increasingly popular replacement technology for last-mile
connectivity in home, community and neighborhood networking, it is
imperative to design efficient and secure communication protocols for these networks.
However, several vulnerabilities exist in the current protocols of WMNs. These security
loopholes can be exploited by potential attackers to launch attacks on WMNs. The absence of a
central point of administration makes securing WMNs even more challenging. Security is,
therefore, an issue which is of prime importance in WMNs (Sen, 2011). Since in a WMN,
traffic from the end users is relayed via multiple wireless mesh routers, preserving privacy
of the user data is also a critical requirement (Wu et al., 2006a). Some of the existing security
and privacy protection protocols for WMNs are based on the trust and reputation of the
network entities (Sen, 2010a; Sen, 2010b). However, many of these schemes are primarily
designed for mobile ad hoc networks (MANETs) (Sen, 2006; Sen, 2010c), and hence these
protocols do not perform well in large-scale hybrid WMN environments.
The broadcast nature of transmission and the dependency on the intermediate nodes for
multi-hop communications lead to several security vulnerabilities in WMNs. The attacks can
be external as well as internal in nature. External attacks are launched by intruders who are
4 Security Issues in a Networked Age
Applied Cryptography in Network Security
not authorized users of the network. For example, an intruding node may eavesdrop on the
packets and replay those packets at a later point of time to gain access to the network
resources. On the other hand, internal attacks are launched by nodes that are part of
the WMN. One example of such an attack is an intermediate node dropping packets that it
was supposed to forward. To prevent external attacks in vulnerable networks such as
WMNs, strong authentication and access control mechanisms should be in place for
practical deployment and use of WMNs. A secure authentication should enable two
communicating entities (either a pair of MC and MR or a pair of MCs) to validate the
authenticity of each other and generate the shared common session keys which can be used
in cryptographic algorithms for enforcing message confidentiality and integrity. As in other
wireless networks, a weak authentication scheme can easily be compromised due to several
reasons such as distributed network architecture, the broadcast nature of the wireless
medium, and dynamic network topology (Akyildiz et al., 2005). Moreover, the behavior of
an MC or MR can be easily monitored or traced in a WMN by adversaries due to the use of
wireless channel, multi-hop connection through third parties, and converged traffic pattern
traversing through the IGW nodes. In such a scenario, it is imperative to hide an active
node that connects to an IGW by making it anonymous. Since traditional anonymous routing
approaches are not implemented on the Internet side, or may be compromised by strong
attackers, such protections are extremely critical (X. Wu & Li, 2006).
This chapter presents a comprehensive discussion on the current authentication and privacy
protection schemes for WMN. In addition, it proposes a novel security protocol for node
authentication and message confidentiality and an anonymization scheme for privacy
protection of users in WMNs.
The rest of this chapter is organized as follows. Section 2 discusses the issues related to
access control and authentication in WMNs. Various security vulnerabilities in the
authentication and access control mechanisms for WMNs are first presented, and then a list
of requirements (i.e., properties) of a secure authentication scheme for an open and large-
scale, hybrid WMN is discussed. Section 3 highlights the importance of protecting user
privacy in WMNs. Section 4 presents a state-of-the-art survey of the current authentication
and privacy protection schemes for WMNs. Each of the schemes is discussed with respect to
its applicability, performance efficiency and shortcomings. Section 5 presents the details of a
hierarchical architecture of a WMN and the assumptions made for the design of a secure
and anonymous authentication protocol for WMNs. Section 6 describes the proposed key
management scheme for secure authentication. Section 7 discusses the proposed privacy
protection algorithm which ensures user anonymity. Section 8 presents some performance
results of the proposed scheme. Section 9 concludes the chapter while highlighting some
future direction of research in the field of secure authentication in WMNs.
Fig. 1. Illustration of MAC spoofing and replay attacks [Source: (Sen, 2011)]
Replay attack: the replay attack is a type of man-in-the-middle attack (Mishra & Arbaugh,
2002) that can be launched by external as well as internal nodes. An external malicious node
can eavesdrop on the broadcast communication between two nodes (A and B) in the network
as shown in Fig. 1. It can then transmit legitimate messages at a later point of time to gain
access to the network resources. Generally, the authentication information is replayed where
the attacker deceives a node (node B in Fig. 1) to believe that the attacker is a legitimate node
(node A in Fig. 1). On a similar note, an internal malicious node, which is an intermediate hop
between two communicating nodes, can keep a copy of all relayed data. It can then retransmit
this data at a later point in time to gain unauthorized access to the network resources.
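As an added illustration (not code from the chapter), the following Python sketch shows the receiver-side check that defeats the replay just described: node A binds each authentication message to a timestamp and a fresh nonce under a key shared with node B, and node B rejects messages whose MAC fails, whose timestamp is outside a freshness window, or whose nonce it has already accepted. The shared key, the 30-second window and the message layout are constructed for the demo and are not part of the chapter.

```python
import hashlib
import hmac
import os

# Constructed shared secret between node A and node B (demo value, not from the chapter).
SHARED_KEY = b"constructed-demo-key-A-B"
FRESHNESS_WINDOW = 30  # seconds a message stays acceptable (assumed policy)


def build_auth_message(sender, key, now):
    """Node A: authentication message = sender|timestamp|nonce|HMAC over the first three fields."""
    nonce = os.urandom(16).hex()
    body = f"{sender}|{int(now)}|{nonce}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class Verifier:
    """Node B: checks the MAC, the timestamp freshness and the nonce cache, in that order."""

    def __init__(self, key, window=FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp of accepted messages (replay detection)

    def verify(self, msg, now):
        try:
            sender, ts, nonce, tag = msg.decode().split("|")
        except ValueError:
            return "malformed"
        body = f"{sender}|{ts}|{nonce}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"          # forged or modified message
        if abs(now - int(ts)) > self.window:
            return "stale"            # replayed long after capture, or clock skew
        if nonce in self.seen:
            return "replay"           # same message seen within the window
        self.seen[nonce] = int(ts)
        # Drop nonces that fell out of the window; the timestamp check rejects them anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return "ok"


def demo():
    """Replays the scenario of Fig. 1: one genuine message, then the same bytes replayed by M."""
    t0 = 1_700_000_000
    node_b = Verifier(SHARED_KEY)
    captured = build_auth_message("A", SHARED_KEY, t0)
    first = node_b.verify(captured, t0 + 1)       # genuine delivery: accepted
    replayed = node_b.verify(captured, t0 + 5)    # M replays within the window: nonce already seen
    late = node_b.verify(captured, t0 + 600)      # M replays much later: timestamp stale
    return first, replayed, late


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the MAC is verified first so that an attacker cannot probe the nonce cache with unauthenticated input, and the timestamp bound keeps the cache small enough to hold in memory on an energy-constrained client.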
Spoof attack: spoofing is the act of forging a legitimate MAC or IP address. IP spoofing is
quite common in multi-hop communications in WMNs. In an IP spoofing attack, an adversary
inserts a false source address (or the address of a legitimate node) into the packets it
forwards. Using such a spoofed address, the attacker can intercept a termination request
and hijack a session. In MAC address spoofing, the attacker modifies the MAC address in
frames transmitted by a legitimate node. MAC address spoofing enables the attacker to
evade any intrusion detection systems (IDSs) that may be in place.
DoS attack: in this attack, a malicious attacker sends a flood of packets to an MR, thereby
causing a buffer overflow in the router. Another well-known security flaw can also be
exploited: a malicious attacker can send false termination messages on behalf of a
legitimate MC, thereby preventing the legitimate user from accessing network
services.
Intentional collision of frames: a collision occurs when two nodes attempt to transmit on
the same frequency simultaneously (Wood & Stankovic, 2002). When frames collide, they
are discarded and need to be retransmitted. An adversary may strategically cause collisions
in specific packets such as acknowledgment (ACK) control messages. A possible result of
such collision is the costly exponential back-off. The adversary may simply violate the
communication protocol and continuously transmit messages in an attempt to generate
collisions. Repeated collisions can also be used by an attacker to cause resource exhaustion.
For example, a naïve MAC layer implementation may continuously attempt to retransmit
the corrupted packets. Unless these retransmissions are detected early, the energy levels of
the nodes would be exhausted quickly. An attacker may cause unfairness by intermittently
using the MAC layer attacks. In this case, the adversary causes degradation of real-time
applications running on other nodes by intermittently disrupting their frame transmissions.
Pre-computation and partial matching attack: unlike the attacks mentioned above, where
the MAC protocol vulnerabilities are exploited, these attacks exploit the vulnerabilities in
the security mechanisms that are employed to secure the MAC layer of the network. Pre-
computation and partial matching attacks exploit the cryptographic primitives that are used
at the MAC layer to secure the communication. In a pre-computation attack, or time memory
trade-off (TMTO) attack, the attacker computes a large amount of information (e.g., key,
plaintext, and the corresponding ciphertext) and stores that information before launching
the attack. When the actual transmission starts, the attacker uses the pre-computed
information to speed up the cryptanalysis process. TMTO attacks are highly effective
against a large number of cryptographic solutions. On the other hand, in a partial matching
attack, the attacker has access to some (ciphertext, plaintext) pairs, which in turn decreases
the encryption key strength, and improves the chances of success of the brute force
mechanisms. Partial matching attacks exploit the weak implementations of encryption
algorithms. For example, the IEEE 802.11i standard for MAC layer security in wireless
networks is prone to the session hijacking attack and the man-in-the-middle attack that
exploit vulnerabilities in IEEE 802.1X. DoS attacks are also possible on the four-way
handshake procedure in IEEE 802.11i.
Compromised or Forged MR: an attacker may be able to compromise one or more MRs in a
network by physical tampering or logical break-in. The adversary may also introduce rogue
MRs to launch various types of attacks. The fake or compromised MRs may be used to
attack the wireless link thereby implementing attacks such as: passive eavesdropping,
jamming, replay and false message injection, traffic analysis etc. The attacker may also
advertise itself as a genuine MR by forging duplicate beacons procured by eavesdropping
on genuine MRs in the network. When an MC receives these beacon messages, it assumes
that it is within the radio coverage of a genuine MR, and initiates a registration procedure.
The false MR can now extract the secret credentials of the MC and launch spoofing attacks
on the network. This attack is possible in protocols which require an MC to be authenticated
by an MR but not vice versa (He et al., 2011).
Anonymity: this is concerned with hiding the identity of the sender or receiver of the
message, or both. In fact, hiding the identity of both the sender and the receiver
of the message can assure communication privacy. Thus, attackers monitoring the
messages being communicated cannot learn who is communicating with whom,
so no personal information is disclosed.
Providing security in the backbone network for WMNs is another important challenge.
Mesh networks typically employ resource-constrained mobile clients, which are difficult to
protect against removal, tampering, or replication. If a device can be remotely managed, a
remote break-in into the device serves the attacker just as well (Ben Salem & Hubaux, 2006).
Accordingly, several research works have been done to investigate the use of cryptographic
techniques to achieve secure communication in WMNs. In (Cheikhrouhou et al., 2006), a
security architecture has been proposed that is suitable for multi-hop WMNs employing
PANA (Protocol for carrying Authentication for Network Access) (Parthasarathy, 2006). In
the scheme, the wireless clients are authenticated on production of the cryptographic
credentials necessary to create an encrypted tunnel with the remote access router to which
they are associated. Even though such a framework protects the confidentiality of the
information exchanged, it cannot prevent adversaries from performing active attacks against the
network itself. For instance, a malicious adversary can replicate, modify and forge the
topology information exchanged among mesh devices in order to launch a denial of service
attack. Moreover, PANA necessitates the existence of IP addresses in all the mesh nodes,
which poses a serious constraint on the deployment of this protocol.
Authenticating transmitted data packets is an approach for preventing unauthorized nodes
from accessing the resources of a WMN. A light-weight hop-by-hop access protocol (LHAP) has been
proposed for authenticating mobile clients in wireless dynamic environments, preventing
resource consumption attacks (Zhu et al., 2006). LHAP implements light-weight hop-by-hop
authentication, where intermediate nodes authenticate all the packets they receive before
forwarding them. LHAP employs a packet authentication technique based on the use of
one-way hash chains. Moreover, LHAP uses TESLA (Perrig et al., 2001) protocol to reduce
the number of public key operations for bootstrapping and maintaining trust between
nodes.
In (Prasad et al., 2004), a lightweight authentication, authorization and accounting (AAA)
infrastructure is proposed for providing continuous, on-demand, end-to-end security in
heterogeneous networks including WMNs. The notion of a security manager is used
through employing an AAA broker. The broker acts as a settlement agent, providing
security and a central point of contact for many service providers.
The issue of user privacy in WMNs has also attracted the attention of the research
community. In (T. Wu et al., 2006), a light-weight privacy preserving solution is
presented to achieve a well-maintained balance between network performance and traffic
privacy preservation. At the center of the solution is an information-theoretic metric
called traffic entropy, which quantifies the amount of information required to describe the
traffic pattern and to characterize the performance of traffic privacy preservation. The
authors have also presented a penalty-based shortest path routing algorithm that
maximally preserves traffic privacy by minimizing the mutual information of traffic
entropy observed at each individual relaying node while keeping the possible
degradation of network performance within an acceptable region. An extensive simulation
study shows the soundness of the solution and its resilience to cases when two malicious
observers collude. However, one of the major problems of the solution is that the algorithm is
evaluated only in a single-radio, single-channel WMN. Performance of the algorithm in a
multi-radio, multi-channel scenario remains an open question. Moreover,
the solution has a scalability problem. In (X. Wu & Li, 2006), a mechanism is proposed
with the objective of hiding an active node that connects to a gateway router, where the
active mesh node has to be anonymous. A novel communication protocol is designed to
protect the node’s privacy using both cryptography and redundancy. This protocol uses
the concept of onion routing (Reed et al., 1998). A mobile user who requires anonymous
communication sends a request to an onion router (OR). The OR acts as a proxy to the
mobile user and constructs an onion route consisting of other ORs using the public keys
of the routers. The onion is constructed such that the innermost part is the message for
the intended destination, and the message is wrapped by being encrypted using the
public keys of the ORs in the route. The mechanism protects the routing information
from insider and outsider attacks. However, it has a high computation and
communication overhead.
In the following sub-sections, some of the well-known authentication and privacy
preservation schemes for WMNs are discussed briefly. For each of the schemes, its salient
features and potential shortcomings are highlighted.
Fig. 2. Schematic diagram of IEEE 802.11i authentication protocol [Source: (Moustafa, 2007)]
Fig. 3. Schematic diagram of the authentication process in WDAP [Source: (Moustafa, 2007)]
Fig. 3 illustrates the WDAP authentication process. In the authentication protocol, the AP
receives the authentication request from the MC. It then creates an authentication request
for itself and concatenates this request to the received request from the MC. The
concatenated request is then sent to the AS. Since neither the mobile station nor the AP
trusts the other until the AS authenticates both of them, WDAP is a dual authentication
protocol. If the authentication is successful, the AS generates a session key and sends the key to
the AP. The AP then sends this key to the MC, encrypting it with the key it shares with the MC.
This key is thus shared between the AP and the MC for their secure communication and
secure de-authentication when the session is finished. When an MC finishes a session with
an AP, secure de-authentication takes place to prevent the connection from being exploited
by an adversary. Use of WDAP in WMN environments ensures mutual authentication of
both MCs and MRs. Also, WDAP can be used to ensure authentication between the MRs
through authentication requests concatenation. In case of multi-hop communication in
WMNs, each pair of nodes can mutually authenticate through the session key generated by
the AS. However, a solution is needed in case of open mesh networks scenarios, where the
AS may not be present in reality. Another problem arises in case of roaming authentication.
WDAP is not ideally suited for use in roaming authentication since it works only for
roaming into new APs, and does not consider the case of back roaming in which an MC may
need to re-connect with another MC or an AP with which it was authenticated earlier. As a
result, the WDAP session key revocation mechanism has shortcomings that make it
unsuitable for deployment in real-world WMNs.
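To make the dual-authentication property of WDAP concrete, here is an added Python simulation of the exchange in Fig. 3 (example code, not the protocol's own implementation). The MC and the AP each prove knowledge of a long-term secret registered at the AS; the AP concatenates its own request to the MC's; the AS mints a session key only if both proofs verify, and the AP forwards it to the MC under their shared key. The HMAC-based proofs, the XOR key-wrap and all secrets are constructed stand-ins for the chapter's unspecified credentials and encryption. The rogue-AP case shows why the mutual check matters: a forged MR that cannot authenticate to the AS never obtains a session key for the MC.

```python
import hashlib
import hmac
import os

# Constructed credentials (assumed, not from the chapter): the AS knows one long-term
# secret per MC and per AP; the AP and MC additionally share a key used to wrap the session key.
AS_CREDENTIALS = {"MC-1": b"mc1-longterm-secret", "AP-7": b"ap7-longterm-secret"}
AP_MC_SHARED_KEY = b"ap7-mc1-shared-key"


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _wrap(key, secret):
    """Toy key wrap: XOR with an HMAC-derived 32-byte pad (self-inverse; demo only, not a cipher)."""
    pad = _mac(key, b"wdap-key-wrap")
    return bytes(a ^ b for a, b in zip(secret, pad))


def make_request(entity_id, secret, nonce):
    """An entity's authentication request: its id, a nonce, and a proof of its long-term secret."""
    return {"id": entity_id, "nonce": nonce, "tag": _mac(secret, entity_id.encode() + nonce)}


def as_check(req):
    """AS verifies one request against its credential store."""
    secret = AS_CREDENTIALS.get(req["id"])
    if secret is None:
        return False
    return hmac.compare_digest(req["tag"], _mac(secret, req["id"].encode() + req["nonce"]))


def as_authenticate(concatenated):
    """AS handles the concatenated (MC, AP) request: both must verify before a session key exists."""
    mc_req, ap_req = concatenated
    if not (as_check(mc_req) and as_check(ap_req)):
        return None                                  # dual authentication failed
    session_key = os.urandom(32)
    return _wrap(AS_CREDENTIALS[ap_req["id"]], session_key)  # delivered to the AP only


def wdap_run(mc_secret, ap_secret):
    """Full exchange. Returns (key held by MC, key held by AP), or None if the AS refuses."""
    mc_req = make_request("MC-1", mc_secret, os.urandom(8))   # MC -> AP
    ap_req = make_request("AP-7", ap_secret, os.urandom(8))   # AP appends its own request
    wrapped_for_ap = as_authenticate((mc_req, ap_req))        # AP -> AS -> AP
    if wrapped_for_ap is None:
        return None
    ap_key = _wrap(ap_secret, wrapped_for_ap)                 # AP unwraps with its own secret
    for_mc = _wrap(AP_MC_SHARED_KEY, ap_key)                  # AP -> MC under the AP-MC key
    mc_key = _wrap(AP_MC_SHARED_KEY, for_mc)                  # MC unwraps
    return mc_key, ap_key


if __name__ == "__main__":
    print("honest:", wdap_run(b"mc1-longterm-secret", b"ap7-longterm-secret") is not None)
    print("rogue AP:", wdap_run(b"mc1-longterm-secret", b"rogue-ap-secret"))
```

Note what the simulation does not model: the roaming and back-roaming gaps discussed above, and the absent-AS case in open mesh scenarios, where `as_authenticate` has nobody to run it.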
An approach that adapts IEEE 802.11i to the multi-hop communication has been presented
in (Moustafa et al., 2006a). An extended forwarding capability in 802.11i is proposed
without compromising on its security features to setup authenticated links in layer 2 to
achieve secure wireless access as well as confidential data transfer in ad hoc multi-hop
environments. The general objective of this approach is to support secure and seamless
access to the Internet by the MCs situated near public WLAN hotspots, even when these
nodes may move beyond the coverage area of the WLAN. To accomplish the authentication,
authorization and accounting (AAA) process for an MC within the WLAN communication
range, classical 802.11i authentication and message exchange take place.
Fig. 4. Schematic diagram of adapted 802.11i with EAP-TLS for multi-hop communication
[Source: (Moustafa, 2007)]
As shown in Fig. 4, for accomplishing the AAA process for MCs that are beyond the WLAN
communication range but belong to the ad hoc clusters, 802.11i is extended to support
forwarding capabilities. In this case, the notion of friend nodes is introduced to allow each
MC to initiate the authentication process through a selected node in its proximity. The
friend node plays the role of an auxiliary authenticator that forwards the authentication
request of the MC to the actual authenticator (i.e., the AP). If the friend node is not within
the communication range of the AP, it invokes other friend nodes in a recursive manner
until the AP is reached. The concept of proxy RADIUS (Rigney et al., 2000) is used for
ensuring forwarding compatibility and secure message exchange over multi-hops. Proxy
chaining (Aboba & Vollbrecht, 1999) takes place if the friend node is not directly connected
to an AP. To achieve a higher level of security on each authenticated link between the
communicating nodes, 802.11i encryption is used by invoking the four-way handshake
between each MC and its authenticator (AP or friend node). This approach is useful in open
mesh network scenarios, since it allows authentication by delegation among the mesh nodes.
In addition, since the authentication keys are stored in the immediate nodes, the re-
authentication process is optimized in case of roaming of the MCs. However, an adaptation
is needed that allows establishment of multiple simultaneous connections to the
authenticators (APs and friend nodes) in a dense mesh topology. Also, a solution is
needed to support fast and secure roaming across multiple wireless mesh routers (WMRs). A
possible solution is through sharing session keys of authenticated clients among the WMRs
(Moustafa, 2007).
A reliable re-authentication scheme has been proposed in (Aura & Roe, 2005), in which an
MR issues a credential for the MC it is currently serving. The credential can be used later (by
the next MR) to certify the authenticity of the MC.
A fast authentication and key exchange mechanism to support seamless handoff has been
proposed in (Soltwisch et al., 2004). The mechanism uses the context transfer protocol (CTP)
(Loughney et al., 2005) to forward the session key from the previous access router to the
new access router.
authentication between MCs and MRs requires MCs to be directly connected to the MRs.
Since PANA enables MCs to authenticate to the access network using IP protocol, it is used
in this mechanism to overcome the problem of association between MCs and MRs that can
be attached through more than one intermediate node. When a new MC joins the network, it
first gets an IP address (pre-PANA address) from a local DHCP server. Then, the PANA
protocol is initiated so that the mobile node discovers the PANA access (PAA) router to
authenticate itself. After successful authentication, the MC initiates the Internet key exchange
(IKE) protocol with the MR for establishing a security association. Finally, an IPsec tunnel
ensures data protection over the radio link and data access control by the MR. During the
authentication and authorization phases, PANA uses EAP message exchange between the
MC and the PAA, where the PAA relays EAP messages to the AS using EAP over RADIUS.
EAP-TLS is the EAP method used in this approach. The protocol is suited for heterogeneous WMNs
since it is independent of the technology of the wireless media. However, PANA requires
the use of IP addresses in the mesh nodes. This puts a restriction on its use since all elements of a
WMN may not use IP as the addressing standard.
EAP-TLS using proxy chaining: the works in (Moustafa et al., 2006a; Moustafa et al.,
2006b) propose adaptive EAP solutions for authentication and access control in the multi-
hop wireless environment. In (Moustafa et al., 2006a), an adapted EAP-TLS approach is used
to allow authentication of mobile nodes. A delegation process is used among mobile nodes
by use of auxiliary authenticators in a recursive manner until the AS is reached. To allow
extended forwarding and exchange of EAP-TLS authentication messages, proxy RADIUS is
involved using proxy chaining among the intermediate nodes between the MCs requesting
the authentication and the AS. This approach permits the storage of authentication keys of
the MCs in the auxiliary authenticators. This speeds up the re-authentication process and
enhances the performance of the adaptive EAP-TLS mechanism. This solution is applicable
for WMNs, especially in multi-hop communications. However, to support secure roaming
across different wireless mesh routers (WMRs), communication is required between the old
and the new WMRs. This can be done by using central elements or switches that link the
WMRs and allow storing of information in a central location and distribution of information
among the WMRs.
EAP-enhanced pre-authentication: an EAP-enhanced pre-authentication scheme for mobile
WMN (IEEE 802.16e) at the link layer has been proposed in (Hur et al., 2008). In this scheme,
the PKMv2 (public key management version 2) has been slightly modified based on the key
hierarchy in a way that the communication key can be established between the MC and the
target MR before hand-off in a proactive way. The modification allows the master session
key generated by the authentication server to bind the MR identification (i.e., base station
identification) and the MAC address of the MC. In the pre-authentication phase, the
authentication server generates and delivers the unique public session keys for the neighbor
MRs of the MC. The neighboring MRs are the access points that the MC potentially moves
to. These MRs can use the public session key to derive an authorization key of the
corresponding MC. In the same way, the MC can derive the public session key and the
authorization key for its neighbor MRs, with the MR identification. Once the handoff is
complete, the MC only needs to perform a three-way handshake and update the encryption
key since the MC and MR already possess the authentication key. Thus a re-authentication
with the authentication server is avoided and the associated delay is reduced.
security objectives and the performance efficiency. The system uses a blind signature
technique from payment systems (Brands, 1993; Wei et al., 2006; Figueiredo et al., 2005;
Chaum, 1982), and hence it achieves anonymity by delinking user identities from their
activities. The pseudonym technique also keeps user location information unexposed. The
pseudonym generation mechanism does not rely on a central authority, e.g., the broker in
(Zhang & Fang, 2006), the domain authority in (Ateniese et al., 1999), the transportation authority
or the manufacturer in (Raya & Hubaux, 2007), and the trusted authority in (Zhang et al., 2006),
who could derive the user's identity from his pseudonyms and illegally trace an honest user.
However, the system is not intended for achieving routing anonymity. Hierarchical identity-
based cryptography (HIBC) for inter-domain authentication is adopted to avoid domain
parameter certification in order to ensure anonymous access control.
For designing the proposed protocol and to specify the WMN deployment scenario, the
following assumptions are made.
1. Each MR which is authorized to join the wireless backbone (through the IGWs), has two
certificates to prove its identity. One certificate is used during the authentication phase
that occurs when a new node joins the network. EAP-TLS (Aboba et al., 2004) for 802.1X
authentication is used for this purpose since it is the strongest authentication method
provided by EAP (Aboba et al., 2004), whereas the second certificate is used for the
authentication with the authentication server (AS).
2. The certificates used for authentication with the RADIUS server and the AS are signed
by the same certificate authority (CA). Only recognized MRs are authorized to join the
backbone.
3. Synchronization of all MRs is achieved by use of the network time protocol (NTP)
(Mills, 1992).
The proposed security protocol serves the dual purpose of providing security in the access
network (i.e., between the MCs and the MRs) and the backbone network (i.e., between the
MRs and the IGWs). These are described in the following sub-sections.
Fig. 6. Secure information exchange among the MCs A and B through the MRs 1 and 2
Fig. 6 illustrates a scenario where users A and B are communicating in a secure way to MRs
1 and 2 respectively. If the wireless links are not protected, an intruder M will be able to
eavesdrop on and possibly manipulate the information being exchanged over the network.
This situation is prevented in the proposed security scheme which encrypts all the traffic
transmitted on the wireless link using a stream cipher in the data link layer of the protocol
stack.
Fig. 7. Steps performed by a new MR (N) using backbone encrypted traffic to join the WMN
During Phase II of the authentication process, the MRs use the transport layer security (TLS)
protocol. Only authorized MRs that have the requisite credentials can authenticate to the AS
and obtain the cryptographic credentials needed to derive the key sequence used to protect
the wireless backbone. In the proposed protocol, an end-to-end secure channel between the
AS and the MR is established at the end of a successful authentication through which the
cryptographic credentials can be exchanged in a secure way.
To eliminate any possibility of the same key being used over a long time, a server-initiated
protocol is proposed for secure key management. The protocol is presented in Section 6. As
mentioned earlier in this section, all the MRs are assumed to be synchronized with a central
server using the NTP protocol.
Fig. 8 shows a collection of four MRs connected with each other by five wireless links. The
MR A is connected with the AS by a wired link. At the time of network bootstrapping, only
node A can connect to the network as an MR, since it is the only node that can successfully
authenticate to the AS. Nodes B and C, which are neighbors of A, then detect a wireless
network to which they can connect and perform the authentication process following the IEEE
802.11i protocol. At this point of time, nodes B and C are successfully authenticated as MCs.
After their authentication as MCs, nodes B and C are allowed to authenticate to the AS and
request the information used by A to produce the currently used cryptographic key for
communication in the network. After having derived such key, both B and C will be able to
communicate with each other, as well as with node A, using the ad hoc mode of
communication in the WMN. At this stage, B and C both have full MR functionalities. They
will be able to turn on their access interface for providing node D a connection to the AS for
joining the network.
Fig. 9. Message exchanges between an MR and the AS in the key management protocol
The validity of a key list is computed from the time instance when the list is generated (i.e.,
TSKL) by the AS. An MR, based on the time instance at which it joins the backbone (tnow in
Fig. 9), can find out the key (from the current list) being used by its peers (keyidx) and the
interval of validity of the key (Ti) using (1) and (2) as follows:
$$keyidx = \left\lfloor \frac{t_{now} - T_{SKL}}{timeout} \right\rfloor + 1 \qquad (1)$$
In the proposed protocol, each WMN node requests the AS for the key list that will be used
in the next session before the expiry of the current session. This feature is essential for
nodes which are located multiple hops away from the AS, since responses from the AS take a
longer time to reach these nodes. The responses may also get delayed due to fading or
congestion in the wireless links. If the nodes send their requests for the key list to the AS just
before expiry of the current session, then, due to the limited time in hand, only the nodes which
have good quality links with the AS will receive the key list. Hence, the nodes which
fail to receive responses from the server will not be able to communicate in the next session
due to non-availability of the current key list. This will lead to an undesirable situation of
network partitioning.
The key index value that triggers the request from the nodes to the server can be set equal to
the difference between the cardinality of the list and a correction factor. The correction factor
can be estimated based on parameters like the network load, the distance of the node from
the AS and the time required for the previous response.
Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks
In the proposed protocol, the correction factor is estimated based on the time taken to receive the
response from the AS using (3), where ts is the time instant when the first key request was
sent, tr is the time instant when the key response was received from the AS, and timeout is
the validity period of the key. Therefore, if a node fails to receive a response (i.e., the key
list) from the AS within timeout, and the response takes a time tlast, it must send the next request to the
AS before setting the last key.
$$c = \begin{cases} \dfrac{t_{last} - timeout}{timeout} & \text{if } t_{last} > timeout \\[6pt] 0 & \text{if } t_{last} \le timeout \end{cases} \qquad (3)$$

$$t_{last} = t_r - t_s$$
The first request of the key list sent by the new node to the AS is forwarded by the peer to
which it is connected as an MC through the wireless access network. However, the
subsequent requests are sent directly over the wireless backbone.
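The following is an added worked example (not code from the chapter or its authors) that puts equations (1) and (3) and the request-trigger rule "cardinality of the list minus a correction factor" into a small MR-side bookkeeping module. It assumes that the division in (1) is floored to obtain an integer index and that the correction factor is rounded up before it is subtracted from the list size; the class and function names are this example's own.

```python
"""Added example: key-list bookkeeping for a mesh router (MR).

Implements, as reconstructed from the text:
  keyidx = floor((t_now - TSKL) / timeout) + 1                       (1)
  c      = (t_last - timeout) / timeout  if t_last > timeout, else 0  (3)
  t_last = t_r - t_s
and the rule that the request for the next list is triggered at index
|list| - correction factor.  The floor in (1) and the rounding of c are
assumptions of this example, not statements of the chapter.
"""
from dataclasses import dataclass
from math import ceil


@dataclass
class KeyList:
    keys: list      # constructed sample keys, one per key period
    tskl: float     # time at which the AS generated the list (TSKL)
    timeout: float  # validity period of each key, in seconds

    def key_index(self, t_now: float) -> int:
        """Equation (1): 1-based index of the key in use at t_now."""
        if t_now < self.tskl:
            raise ValueError("key list is not valid yet")
        return int((t_now - self.tskl) // self.timeout) + 1

    def current_key(self, t_now: float):
        """Key used by the peers at t_now (raises if the list ran out)."""
        idx = self.key_index(t_now)
        if idx > len(self.keys):
            raise ValueError("key list exhausted: next list was never received")
        return self.keys[idx - 1]

    def validity_interval(self, t_now: float):
        """Start and end of the validity interval of the current key (Ti in Fig. 9)."""
        idx = self.key_index(t_now)
        start = self.tskl + (idx - 1) * self.timeout
        return start, start + self.timeout


def correction_factor(t_s: float, t_r: float, timeout: float) -> float:
    """Equation (3): by how many key periods the last request/response cycle
    overran the key timeout (0 when the response arrived within one period)."""
    t_last = t_r - t_s
    if t_last > timeout:
        return (t_last - timeout) / timeout
    return 0.0


def request_trigger_index(list_size: int, c: float) -> int:
    """Index at which the node must ask the AS for the next key list:
    cardinality of the list minus the correction factor.  Rounding c up makes a
    slow link trigger earlier rather than later (an assumption of this example)."""
    return max(1, list_size - ceil(c))


def should_request_next_list(kl: KeyList, t_now: float, t_s: float, t_r: float) -> bool:
    """True when the current key index has reached the trigger index."""
    c = correction_factor(t_s, t_r, kl.timeout)
    return kl.key_index(t_now) >= request_trigger_index(len(kl.keys), c)
```

A node whose previous response took 150 s against a 60 s key timeout gets c = 1.5 and, with an eight-key list, starts requesting the next list from key 6 onwards, whereas a node with a fast link waits until the last key.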
Step 3. Ui defines a trap-door function f i ( , ) .yAimod qi . gi mod pi . Its inverse function
f i1 ( y ) is defined as f i1 ( y ) ( , ) , where and are computed as follows (K is
a random integer in Zqi .
K
y Ai .gi K .( gi mod pi )mod qi
mod pi (4)
* mod qi (5)
The authentication server (AS) chooses: (i) a large prime p such that it is hard to compute
discrete logarithms in GF(p), (ii) another large prime q such that q | p – 1, (iii) a generator g
in GF(p) with order q, (iv) a random integer $x_B$ from $Z_q$ as its private key. AS computes its
public key $y_B = g^{x_B} \bmod p$ and publishes $(y_B, p, q, g)$.
Anonymous authenticated key exchange: The key-exchange is initiated by the user Ui and
involves three rounds to compute a secret session key between Ui and AS. The operations in
these three rounds are as follows:
Round 1: When Ui wants to generate a session key on behalf of the n ring users U1, U2, …, Un,
where $1 \le i \le n$, Ui does the following:
(i) Ui chooses two random integers $x_1, x_A \in Z_q^*$ and computes the following:
Round 3: Ui verifies whether $K_s'$ is from the server AS. For this purpose, Ui
computes $K_s' = Y^{x_a} \bmod p$ and hashes K, X, Y to get h' using $h' = H(K_s', X, Y, I')$. If $h' = h$, Ui
accepts $K_s$ as the session key.
Security analysis: The key exchange scheme satisfies the following requirements.
User anonymity: For a given signature X, the server can only be convinced that the ring
signature is actually produced by at least one of the possible users. If the actual user does
not reveal the seed K, the server cannot determine the identity of the user. The strength of
the anonymity depends on the security of the pseudorandom number generator. It is not
possible to determine the identity of the actual user in a ring of size n with a probability
greater than 1/n. Since the values of k and v are fixed in a ring signature, there are $(2^b)^{n-1}$
tuples $(x_1, x_2, \dots, x_n)$ that satisfy the equation $C_{k,v}(y_1, y_2, \dots, y_n) = v$, and the probability of
generation of each $(x_1, x_2, \dots, x_n)$ is the same. Therefore, the signature cannot leak the identity
information of the user.
Mutual authentication: In the proposed scheme, not only the server verifies the users, but the
users can also verify the server. Because of the hardness of inverting the hash function f(.), it
is computationally infeasible for the attacker to determine ( i , i ) , and hence it is infeasible
for him to forge a signature. If the attacker wants to masquerade as the AS, he needs to
compute $h = H(K_s, X, Y)$. He requires $x_B$ in order to compute X. However, $x_B$ is the private
key of the AS, to which the attacker has no access.
Forward secrecy: The forward secrecy of a scheme refers to its ability to prevent the leakage of the
keys of previous sessions when an attacker is able to obtain the key of a particular
session. The forward secrecy of a scheme enables it to prevent replay attacks. In the proposed
scheme, since xa and xb are both selected randomly, the session key of each period has no
relation to those of the other periods. Therefore, if the session key generated in period j is leaked,
the attacker cannot get any information about the session keys generated before period j.
The proposed protocol is, therefore, resistant to replay attacks.
8. Performance evaluation
The proposed security and privacy protocols have been implemented in the Qualnet
network simulator, version 4.5 (Network Simulator, Qualnet). The simulated network
consists of 50 nodes randomly distributed in the simulation area, forming a dense WMN.
The WMN topology is shown in Fig. 10, in which 5 nodes are MRs and the remaining 45 are MCs.
Each MR has 9 MCs associated with it. To evaluate the performance of the security protocol,
the network is first set up as a full-mesh topology, where each MR (and also each MC) is directly
connected to two of its neighbors. In such a scenario, the throughput of a TCP connection
established over a wireless link is measured with the security protocol activated in the
nodes. The obtained results are then compared with the throughput obtained on the same
wireless link protected by a static key used to encrypt the traffic.
After having 10 simulation runs, the average throughput of a wireless link between a pair of
MRs was found to be equal to 30.6 MBPS, when the link is protected by a static key.
However, the average throughput for the same link was 28.4 MBPS when the link was
protected by the proposed security protocol. The results confirm that the protocol does not
cause any significant overhead on the performance of the wireless link, since the throughput
in a link on average decreased by only 7%.
The impact of the security protocol for key generation and revocation on the packet drop rate in
real-time applications is also studied in the simulation. For this purpose, a VoIP application is
invoked between two MRs, generating UDP traffic on the wireless link. The packet drop
rates on the wireless link are compared for the case where the link is protected with the proposed
security protocol and the case where the link is protected with a static key. The transmission rate
was set to 1 MBPS. The average packet drop rate over 10 simulation runs was found to be only 4%.
The results clearly demonstrate that the proposed security scheme has no adverse impact on the
packet drop rate even when several key switching (regeneration and revocation) operations are carried out.
The performance of the privacy protocol is also analyzed in terms of its storage and
communication overhead. Both storage and communication overhead were found to
increase linearly with the number of nodes in the network. In fact, it has been analytically
shown that the overhead due to cryptographic operations on each message is 60n + 60 bytes,
where n represents the number of public key pairs used to generate the ring signature
(Xiong et al., 2010). It is clear that the privacy protocol has a low overhead.
rich and high-speed content access, recent research has focused on developing high
performance communication protocols, while security and privacy issues have received
relatively little attention. However, given the wireless and multi-hop nature of
communication, WMNs are subject to a wide range of security and privacy threats. This
chapter has provided a comprehensive discussion of the current authentication, access
control and user privacy protection schemes for WMNs. It has also presented a novel
security and key management protocol that can be utilized for secure authentication in
WMNs. The proposed security protocol ensures security in both the access and the
backbone networks. A user privacy protection algorithm has also been presented that
enables anonymous authentication of the users. Simulation results have shown the
effectiveness of the protocol. Future research issues include the study of a distributed and
collaborative system where the authentication service is provided by a dynamically selected
set of MRs. Integration with the current centralized scheme would increase the
robustness of the proposed protocol while maintaining a low overhead, since MRs would use the
distributed service only when the central server is not available. Authentication on the
backbone network in a hybrid and open WMN is still an unsolved problem. In addition,
authentication between MRs and IGWs from different operators in a hybrid WMN
environment is another challenge. Authentication and key distribution in a mobile WMN
such as mobile WiMAX or LTE networks is another open problem. High-mobility users
make the challenge even more difficult. Owing to the very limited coverage of IEEE 802.11-based
MRs (e.g., 100 meters), high-mobility users (e.g., a user in a fast-moving car) will migrate
from the coverage area of one MR to that of another. It is not acceptable for the user to
authenticate and negotiate the key with each MR. Novel solutions, possibly using group
keys, are needed for this purpose. The requirements of user anonymity and privacy
should be integrated into most of the applications in WMNs.
10. References
Aboba, B.; Blunk, L.; Vollbrecht, J.; Carlson, J. & Levkowetz, H. (2004). Extensible
Authentication Protocol (EAP). RFC 3748, June 2004.
Aboba, B. & Simon, D. (1999). PPP EAP TLS Authentication Protocol. RFC 2716, 1999.
Aboba, B. & Vollbrecht, J. (1999). Proxy Chaining and Policy Implementation in Roaming, RFC
2607, October 1999.
Akyildiz, I. F.; Wang, X. & Wang, W. (2005). Wireless Mesh Networks: A Survey. Computer
Networks, Vol 47, No 4, pp. 445–487, March 2005.
Ateniese, G.; Herzberg, A.; Krawczyk, H. & Tsudik, G. (1999). Untraceable Mobility or How
to Travel Incognito. Computer Networks, Vol 31, No 8, pp. 871–884, April 1999.
Aura, T. & Roe, M. (2005). Reducing Reauthentication Delay in Wireless Networks.
Proceedings of the 1st IEEE International Conference on Security and Privacy for Emerging
Areas in Communications Networks (SecureComm’05), pp. 139-148, Athens, Greece,
September 2005.
Ben Salem, N. & Hubaux, J.-P. (2006). Securing Wireless Mesh Networks. IEEE Wireless
Communication, Vol 13, No 2, pp. 50-55, April 2006.
Blake-Wilson, S. & Menezes, A. (1998). Entity Authentication and Authenticated Key
Transport Protocols Employing Asymmetric Techniques. Proceedings of the 5th
International Workshop on Security Protocols, Lecture Notes in Computer Science, Vol
He, B.; Joshi, S.; Agrawal, D. P. & Sun, D. (2010). An Efficient Authenticated Key
Establishment Scheme for Wireless Mesh Networks. Proceedings of IEEE Global
Telecommunications Conference (GLOBECOM’10), pp. 1-5, Miami, Florida, USA,
December 2010.
Hur, J.; Shim, H.; Kim, P.; Yoon, H. & Song, N.-O. (2008). Security Consideration for
Handover Schemes in Mobile WiMAX Networks. Proceedings of IEEE Wireless
Communications and Networking Conference (WCNC ’08), Las Vegas, NV, March,
2008.
IEEE Standard 802.11i (2004). Medium Access Control Security Enhancements, 2004.
IEEE Standard 802.1X (2001). Local and Metropolitan Area Networks Port-Based Network Access
Control, 2001.
Kassab, M.; Belghith, A.; Bonnin, J.-M. & Sassi, S. (2005). Fast Pre-Authentication Based on
Proactive Key Distribution for 802.11 Infrastructure Networks. Proceedings of the 1st
ACM Workshop on Wireless Multimedia Networking and Performance Modeling
(WMuNeP 2005), pp. 46–53, Montreal, Canada, October 2005.
Lamport, L. (1981). Password Authentication with Insecure Communication.
Communications of the ACM, Vol. 24, No. 11, pp. 770-772, November 1981.
Lee, I.; Lee, J.; Arbaugh, W. & Kim, D. (2008). Dynamic Distributed Authentication Scheme
for Wireless LAN-Based Mesh Networks. Proceedings of the International Conference on
Information Networking, Towards Ubiquitous Networking and Services (ICOIN ’07),
Estoril, Portugal, January 2007. Lecture Notes in Computer Science, Vazao et al. (eds.),
Vol. 5200, pp. 649–658, Springer-Verlag, Heidelberg, Germany, 2008.
Lin, X.; Ling, X.; Zhu, H.; Ho, P.-H. & Shen, X. (2008). A Novel Localised Authentication
Scheme in IEEE 802.11 Based Wireless Mesh Networks. International Journal of
Security and Networks, Vol. 3, No. 2, pp. 122–132, 2008.
Loughney, L.; Nakhjiri, M.; Perkins, C. & Koodli, R. (2005). Context Transfer Protocol (CXTP).
IETF RFC 4067, July 2005.
Lukas, G. & Fackroth, C. (2009). WMNSec: Security for Wireless Mesh Networks. Proceedings
of the International Conference on Wireless Communications and Mobile Computing:
Connecting the World Wirelessly (IWCMC’09), pp. 90–95, Leipzig, Germany, June,
2009, ACM Press, New York, USA.
Martignon, F.; Paris, S. & Capone, A. (2008). MobiSEC: A Novel Security Architecture for
Wireless Mesh Networks. Proceedings of the 4th ACM Symposium on QoS and Security
for Wireless and Mobile Networks (Q2SWinet’08), pp. 35-42, Vancouver, Canada,
October 2008.
Mills, D.L. (1992). Network Time Protocol, RFC 1305, March 1992.
Mishra, A. & Arbaugh, W. A. (2002). An Initial Security Analysis of the IEEE 802.1X Standard.
Computer Science Department Technical Report CS-TR-4328, University of Maryland,
USA, February 2002.
Mishra, A.; Shin, M.H.; Petroni, N. I.; Clancy, J. T. & Arbaugh, W. A. (2004). Proactive Key
Distribution Using Neighbor Graphs. IEEE Wireless Communications, Vol. 11, No. 1,
pp. 26–36, February 2004.
Moustafa, H. (2007). Providing Authentication, Trust, and Privacy in Wireless Mesh
Networks, pp. 261-295. Security in Wireless Mesh Networks. Zhang et al. (eds.), CRC
Press, USA, 2007.
Yi, P.; Wu, Y.; Zou, F. & Liu, N. (2010). A Survey on Security in Wireless Mesh Networks.
IETE Technical Review, Vol 27, No 1, pp. 6-14.
Zhang, Y. & Fang, Y. (2006). ARSA: An Attack-Resilient Security Architecture for Multihop
Wireless Mesh Networks. IEEE Journal of Selected Areas in Communication, Vol. 24,
No. 10, pp. 1916–1928, October 2006.
Zhang, Y.; Liu, W.; Lou, W. & Fang, Y. (2006). MASK: Anonymous On-demand Routing in
Mobile Ad Hoc Networks. IEEE Transactions on Wireless Communications, Vol. 5, No.
9, pp. 2376–2385, September 2006.
Zheng, X.; Chen, C.; Huang, C.-T.; Matthews, M. & Santhapuri, N. (2005). A Dual
Authentication Protocol for IEEE 802.11 Wireless LANs. Proceedings of the 2nd IEEE
International Symposium on Wireless Communication Systems, pp. 565–569, September
2005.
Zhu, S.; Xu, S.; Setia, S. & Jajodia, S. (2003). LHAP: A Lightweight Hop-by-Hop
Authentication protocol for Ad-hoc Networks. Proceedings of the 23rd IEEE
International Conference on Distributed Computing Systems Workshops (ICDCSW’03),
pp. 749–755, May 2003.
Zhu, S.; Xu, S.; Setia, S. & Jajodia, S. (2006). LHAP: A Lightweight Network Access Control
Protocol for Ad Hoc Networks. Ad Hoc Networks, Vol 4, No 5, pp. 567-585,
September 2006.
Zhu, H.; Lin, X.; Lu, R.; Ho, P.-H. & Shen, X. (2008). SLAB: A Secure Localized
Authentication and Billing Scheme for Wireless Mesh Networks. IEEE Transactions
on Wireless Communications, Vol 7, No. 10, pp. 3858–3868, October 2008.
Homomorphic Encryption — Theory and Application
Chapter 1
Jaydip Sen
http://dx.doi.org/10.5772/56687
1. Introduction
The demand for privacy of digital data and of algorithms for handling more complex structures
has increased exponentially over the last decade. This goes in parallel with the growth in
communication networks and their devices and their increasing capabilities. At the same time,
these devices and networks are subject to a great variety of attacks involving manipulation
and destruction of data and theft of sensitive information. For storing and accessing data
securely, current technology provides several methods of guaranteeing privacy, such as data
encryption and the use of tamper-resistant hardware. However, the critical problem arises
when there is a requirement for computing (publicly) with private data, or for modifying functions
or algorithms in such a way that they are still executable while their privacy is ensured. This
is where homomorphic cryptosystems can be used, since these systems enable computations
on encrypted data.
In 1978 Rivest et al. (Rivest et al, 1978a) first investigated the design of a homomorphic
encryption scheme. Unfortunately, their privacy homomorphism was broken a couple of years
later by Brickell and Yacobi (Brickell & Yacobi, 1987). The question rose again in 1991 when
Feigenbaum and Merritt (Feigenbaum & Merritt, 1991) raised an important question: is there
an encryption function (E) such that both E(x + y) and E(x.y) are easy to compute from E(x) and
E(y)? Essentially, the question is intended to investigate whether any algebraically
homomorphic encryption scheme can be designed. Unfortunately, there was very
little progress in determining whether such encryption schemes exist that are efficient and
secure until 2009, when Craig Gentry, in his seminal paper, theoretically demonstrated the
possibility of constructing such an encryption system (Gentry, 2009). In this chapter, we will
discuss various aspects of homomorphic encryption schemes: their definitions, requirements,
applications, formal constructions, and the limitations of the current homomorphic encryption
schemes. We will also briefly discuss some of the emerging trends in research in this field of
computer science.
© 2013 Sen; licensee InTech. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Security Issues in a Networked Age / Theory and Practice of Cryptography and Network Security Protocols and Technologies
The chapter is organized as follows. In Section 2, we provide some basic and fundamental
information on cryptography and various types of encryption schemes. Section 3 presents a
formal discussion on homomorphic encryption schemes and discusses their various features.
In Section 4, we discuss some of the most well-known and classical homomorphic encryption
schemes in the literature. Section 5 provides a brief presentation on various properties and
applications of homomorphic cryptosystems. Section 6 presents a discussion on fully homo‐
morphic encryption schemes which are the most powerful encryption schemes for providing
a framework for computing over encrypted data. Finally, Section 7 concludes the chapter while
outlining a number of research directions and emerging trends in this exciting field of
computation which has a tremendous potential of finding applications in the real-world
deployments.
2. Fundamentals of cryptography
In this Section, we will recall some important concepts on encryption schemes. For more
detailed information, the reader may refer to (Menezes et al., 1997; Van Tilborg, 2011).
Encryption schemes are designed to preserve confidentiality. The security of encryption
schemes must not rely on the obfuscation of their codes, but it should only be based on the
secrecy of the key used in the encryption process. Encryption schemes are broadly of two types:
symmetric and asymmetric encryption schemes. In the following, we present a very brief
discussion on each of these schemes.
Symmetric encryption schemes: In these schemes, the sender and the receiver agree on the
key they will use before establishing any secure communication session. Therefore, it is not
possible for two persons who have never met before to use such schemes directly. This also implies
that in order to communicate with different persons, we must have a different key for each
person. The requirement for a large number of keys in these schemes makes their key generation and
management relatively complex operations. However, symmetric schemes present the
advantage of being very fast, and they are used in applications where speed of execution is a
paramount requirement. Among the existing symmetric encryption systems, AES (Daemen &
Rijmen, 2000; Daemen & Rijmen, 2002), One-Time Pad (Vernam, 1926) and Snow (Ekdahl &
Johansson, 2002) are very popular.
Asymmetric encryption schemes: In these schemes, every participant has a pair of keys:
private and public. While the private key of a person is known only to her, the public key of
each participant is known to everyone in the group. Such schemes are more secure than their
symmetric counterparts, and they don’t need any prior agreement between the communicating
parties on a common key before establishing a communication session. RSA (Rivest et al.,
1978b) and ElGamal (ElGamal, 1985) are the two most popular asymmetric encryption systems.
Security of encryption schemes: Security of encryption schemes was first formalized by
Shannon (Shannon, 1949). In his seminal paper, Shannon first introduced the notion of perfect
secrecy/unconditional secrecy, which characterizes encryption schemes for which the knowl‐
edge of a ciphertext does not give any information about the corresponding plaintext and the
encryption key. Shannon also proved that One-Time Pad (Vernam, 1926) encryption scheme
is perfectly secure under certain conditions. However, no other encryption scheme has been
proved to be unconditionally secure. For asymmetric schemes, we can rely on their mathe‐
matical structures to estimate their security strength in a formal way. These schemes are based
on some well-identified mathematical problems which are hard to solve in general, but easy
to solve for the one who knows the trapdoor – i.e., the owner of the keys. However, the
estimation of the security level of these schemes may not always be correct due to several
reasons. First, there may be other ways to break the system than solving the mathematical
problems on which these schemes are based (Ajtai & Dwork, 1997; Nguyen & Stern, 1999).
Second, most of the security proofs are performed in an idealized model called random oracle
model, in which involved primitives, for example, hash functions, are considered truly random.
This model has allowed the study of the security level of numerous asymmetric ciphers.
However, we are now able to perform proofs in a more realistic model called standard model
(Canetti et al., 1998; Paillier, 2007). This model eliminates some of the unrealistic assumptions
in the random oracle model and makes the security analysis of cryptographic schemes more
practical.
Usually, to evaluate the attack capacity of an adversary, we distinguish among several contexts
(Diffie & Hellman, 1976): ciphertext-only attacks (where the adversary has access only to some
ciphertexts), known-plaintext attacks (where the adversary has access to some pairs of plaintext
messages and their corresponding ciphertexts), chosen-plaintext attacks (the adversary has
access to a decryption oracle that behaves like a black box and takes a ciphertext as its input
and outputs the corresponding plaintext). The first context is the most frequent in the real world,
since it can happen whenever an adversary eavesdrops on a communication channel. The other
cases may seem difficult to achieve, and arise when the adversary is in a more powerful
position; he may, for example, have stolen some plaintexts or an encryption engine. The chosen
context exists in adaptive versions, where the opponent can wait for a computation result before
choosing the next input (Fontaine & Galand, 2007).
Probabilistic encryption: Almost all the well-known cryptosystems are deterministic. This
means that for a fixed encryption key, a given plaintext will always be encrypted into the same
ciphertext under these systems. However, this may lead to some security problems. The RSA
scheme is a good example for explaining this point. Let us consider the following points with
reference to the RSA cryptosystem:
• A particular plaintext may be encrypted in an overly structured way. With RSA, the messages
0 and 1 are always encrypted as 0 and 1, respectively.
• It may be easy to compute some partial information about the plaintext: with RSA, the
ciphertext c leaks one bit of information about the plaintext m, namely, the so called Jacobi
symbol (Fontaine & Galand, 2007).
• When using a deterministic encryption scheme, it is easy to detect when the same message
is sent twice while being processed with the same key.
In view of the problems stated above, we prefer encryption schemes to be probabilistic. In case
of symmetric schemes, we introduce a random vector in the encryption process (e.g., in the
pseudo-random generator for stream ciphers, or in the operating mode for block ciphers) –
generally called initial vector (IV). This vector may be public and it may be transmitted in a
clear-text form. However, the IV must be changed every time we encrypt a message. In case
of asymmetric ciphers, the security analysis is more mathematical and formal, and we want
the randomized schemes to remain analyzable in the same way as the deterministic schemes.
Researchers have proposed some models to randomize the existing deterministic schemes, as
the optimal asymmetric encryption padding (OAEP) for RSA (or any scheme that is based on a
trapdoor one-way permutation) (Bellare & Rogaway, 1995). In the literature, researchers have
also proposed some other randomized schemes (ElGamal, 1985; Goldwasser & Micali, 1982;
Blum & Goldwasser, 1985).
A simple consequence of this requirement of the encryption schemes to be preferably proba‐
bilistic appears in the phenomenon called expansion. Since, for a plaintext, we require the
existence of several possible ciphertexts, the number of ciphertexts is greater than the number
of possible plaintexts. This means that the ciphertexts cannot be as short as the plaintexts; they
have to be strictly longer. The ratio of the length of the ciphertext and the corresponding
plaintext (in bits) is called expansion. The value of this parameter is of paramount importance
in determining security and efficiency tradeoff of a probabilistic encryption scheme. In Paillier’s
scheme, an efficient probabilistic encryption mechanism has been proposed with the value of
expansion less than 2 (Paillier, 1997). We will see the significance of expansion in other
homomorphic encryption systems in the subsequent sections of this chapter.
During the last few years, homomorphic encryption schemes have been studied extensively
since they have become more and more important in many different cryptographic protocols
such as, e.g., voting protocols. In this Section, we introduce homomorphic cryptosystems in
three steps: what, how and why that reflects the main aspects of this interesting encryption
technique. We start by defining homomorphic cryptosystems and algebraically homomorphic
cryptosystems. Then we develop a method to construct algebraically homomorphic schemes
given special homomorphic schemes. Finally, we describe applications of homomorphic
schemes.
Definition: Let the message space (M, o) be a finite (semi-)group, and let σ be the security
parameter. A homomorphic public-key encryption scheme (or homomorphic cryptosystem) on M is a
quadruple (K, E, D, A) of probabilistic, expected polynomial time algorithms, satisfying the
following functionalities:
If M is an additive (semi-)group, then the scheme is called additively homomorphic and the
algorithm A is called Add. Otherwise, the scheme is called multiplicatively homomorphic and the
algorithm A is called Mult.
With respect to the aforementioned definitions, the following points are worth noticing:
• For a homomorphic encryption scheme to be efficient, it is crucial to make sure that the size
of the ciphertexts remains polynomially bounded in the security parameter σ during
repeated computations.
• The security aspects, definitions, and models of homomorphic cryptosystems are the same
as those for other cryptosystems.
If the encryption algorithm E gets as additional input a uniform random number r of a set ,
the encryption scheme is called probabilistic; otherwise, it is called deterministic. Hence, if a
cryptosystem is probabilistic, several different ciphertexts belong to one message,
depending on the random number r ∈ . But note that, as before, the decryption algorithm
remains deterministic, i.e., there is just one message belonging to a given ciphertext. Further‐
more, in a probabilistic homomorphic cryptosystem the algorithm A should be probabilistic
too, in order to hide the input ciphertexts. For instance, this can be realized by applying a blinding
algorithm to a (deterministic) computation of the encryption of the product or of the sum,
respectively.
Notations: In the following, we will omit the security parameter σ and the public key in the
description of the algorithms. We will write $E_{k_e}(m)$ or $E(m)$ for $E(1^\sigma, k_e, m)$ and $D_k(c)$ or $D(c)$
for $D(1^\sigma, k, c)$ when there is no possibility of any ambiguity. If the scheme is probabilistic,
we will also write $E_{k_e}(m)$ or $E(m)$ as well as $E_{k_e}(m, r)$ or $E(m, r)$ for $E(1^\sigma, k_e, m, r)$. Further‐
more, we will write $A(E(m), E(m')) = E(m \circ m')$ to denote that the algorithm A (either Add or
Mult) is applied on two encryptions of the messages $m, m' \in (M, \circ)$ and outputs an encryp‐
tion of $m \circ m'$, i.e., it holds that, except with negligible probability:
The RSA Scheme: The classical RSA scheme (Rivest et al., 1978b) is an example of a deter‐
ministic multiplicatively homomorphic cryptosystem on $M = (\mathbb{Z}/N\mathbb{Z}, \cdot)$, where N is the
product of two large primes. As ciphertext space we have $C = (\mathbb{Z}/N\mathbb{Z}, \cdot)$ and as key space we
have $\{(k_e, k_d) = ((N, e), d) \mid N = pq,\ ed \equiv 1 \bmod \varphi(N)\}$. The encryption of a message $m \in M$
is defined as $E_{k_e}(m) = m^e \bmod N$; for decryption of a ciphertext $E_{k_e}(m) = c \in C$ we compute
$D_{k_e, k_d}(c) = c^d \bmod N = m \bmod N$. Obviously, the encryption of the product of two messages can
be efficiently computed by multiplying the corresponding ciphertexts, i.e.,
$$E_{k_e}(m_1 m_2) = (m_1 m_2)^e \bmod N = (m_1^e \bmod N)(m_2^e \bmod N) = E_{k_e}(m_1) \cdot E_{k_e}(m_2)$$
where $m_1, m_2 \in M$. Therefore, the algorithm for Mult can be easily realized as follows:
Usually in the RSA scheme as well as in most of the cryptosystems which are based on the
difficulty of factoring the security parameter σ is the bit length of N. For instance, σ = 1024 is
a common security parameter.
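As an added worked example (not code from the chapter), the following Python realizes the Mult algorithm of the RSA scheme exactly as the equation above describes it: ciphertexts are multiplied modulo N and the result decrypts to the product of the plaintexts. The primes, the public exponent and the messages are constructed toy values chosen so that the block runs instantly; `demo` also checks that, because the scheme is deterministic, the homomorphically obtained ciphertext coincides with a direct encryption of the product.

```python
"""Textbook RSA as a deterministic, multiplicatively homomorphic scheme.

Added example (not from the chapter). The primes below are constructed
toy values so the block runs instantly; a real deployment would use a
security parameter sigma (bit length of N) of at least 2048 bits, and a
homomorphic use of RSA deliberately works without padding.
"""
from math import gcd

# Constructed toy parameters for the example: two small primes and a public exponent.
P, Q = 1000003, 1000033
E_EXP = 65537


def keygen(p=P, q=Q, e=E_EXP):
    """Return (k_e, k_d) = ((N, e), d) with e*d = 1 mod phi(N)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(N)")
    d = pow(e, -1, phi)          # modular inverse (Python >= 3.8)
    return (n, e), d


def encrypt(ke, m):
    """E_{k_e}(m) = m^e mod N; deterministic, so equal messages give equal ciphertexts."""
    n, e = ke
    return pow(m, e, n)


def decrypt(ke, kd, c):
    """D_{k_e,k_d}(c) = c^d mod N."""
    n, _ = ke
    return pow(c, kd, n)


def mult(ke, c1, c2):
    """Mult(E(m1), E(m2)) = E(m1 * m2): multiply the ciphertexts modulo N."""
    n, _ = ke
    return (c1 * c2) % n


def demo():
    """Homomorphic product of two constructed messages.

    Returns (decrypted product, expected product mod N, and whether the
    homomorphic ciphertext equals a direct encryption of the product).
    """
    ke, kd = keygen()
    n = ke[0]
    m1, m2 = 123456, 7890
    c1, c2 = encrypt(ke, m1), encrypt(ke, m2)
    c_prod = mult(ke, c1, c2)
    result = decrypt(ke, kd, c_prod)
    same_as_direct = c_prod == encrypt(ke, (m1 * m2) % n)
    return result, (m1 * m2) % n, same_as_direct
```

Because the scheme is deterministic, the last check in `demo` always succeeds: anyone can produce the encryption of a product from the encryptions of its factors, which is precisely the malleability that a non-homomorphic RSA deployment removes with padding.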
Since this scheme is probabilistic, the encryption algorithm gets as additional input a random value $r \in \mathbb{Z}$. We define $E_{k_e}(m, r) = a^m r^2 \bmod N$ and $D_{k_e, k_d}(c) = 0$ if $c$ is a square and $= 1$ otherwise.
$E_{k_e}(m_1, r_1) \cdot E_{k_e}(m_2, r_2) = E_{k_e}(m_1 + m_2, r_1 r_2)$
$\mathrm{Add}(E_{k_e}(m_1, r_1), E_{k_e}(m_2, r_2), r_3) = E_{k_e}(m_1, r_1) \cdot E_{k_e}(m_2, r_2) \cdot r_3^2 \bmod N = E_{k_e}(m_1 + m_2, r_1 r_2 r_3)$
In the above equation, $r_3^2 \bmod N$ is equivalent to $E_{k_e}(0, r_3)$. Also, $m_1, m_2 \in M$ and $r_1, r_2, r_3 \in \mathbb{Z}$. Note that this algorithm should be probabilistic, since it obtains a random number $r_3$ as an additional input.
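The scheme just described (a bit is encrypted as $a^m r^2 \bmod N$, decrypted by testing whether the ciphertext is a square, and two ciphertexts are added by multiplication with a fresh blinding factor $r_3^2$) is worked out below in Python as an added example, not the chapter's own code. The primes are constructed toy values; the public value $a$ is chosen as a non-residue modulo both prime factors, an assumption of this example that the text leaves implicit, and decryption tests squareness with Euler's criterion modulo $p$, which is where the secret key is needed.

```python
"""Goldwasser-Micali style bit encryption E(m, r) = a^m r^2 mod N with the
probabilistic Add algorithm from the text.

Added example, not the chapter's own code. P and Q are constructed toy
primes; a real instance needs primes of about sigma/2 bits each.
"""
import math
import secrets

P, Q = 1000003, 1000033   # constructed toy primes (assumption of this example)


def is_square_mod_prime(x, p):
    """Euler's criterion: True iff x is a quadratic residue modulo the prime p."""
    return pow(x % p, (p - 1) // 2, p) == 1


def keygen(p=P, q=Q):
    """Public key (N, a), secret key (p, q).

    a is chosen as a non-residue modulo both p and q (assumption of this
    example): its Jacobi symbol modulo N is then +1, so a*r^2 cannot be
    told apart from a square without the factorisation of N.
    """
    n = p * q
    a = 2
    while is_square_mod_prime(a, p) or is_square_mod_prime(a, q):
        a += 1
    return (n, a), (p, q)


def random_unit(n):
    """Uniform r in Z_N^* (coprime to N), drawn from a CSPRNG."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def encrypt(ke, m, r=None):
    """E_{k_e}(m, r) = a^m * r^2 mod N for a single bit m."""
    if m not in (0, 1):
        raise ValueError("the scheme encrypts one bit at a time")
    n, a = ke
    r = random_unit(n) if r is None else r
    return (pow(a, m, n) * pow(r, 2, n)) % n


def decrypt(kd, c):
    """0 if c is a square modulo N, 1 otherwise.

    c is a square mod N iff it is a square mod p and mod q; since a is a
    non-residue mod p, testing modulo p alone decides the bit.
    """
    p, _ = kd
    return 0 if is_square_mod_prime(c, p) else 1


def add(ke, c1, c2, r3=None):
    """Add(E(m1,r1), E(m2,r2), r3) = E(m1,r1) * E(m2,r2) * r3^2 mod N.

    This equals E(m1+m2, r1*r2*r3); the factor r3^2 = E(0, r3) re-randomises
    the output so it does not reveal which two ciphertexts were combined.
    """
    n, _ = ke
    r3 = random_unit(n) if r3 is None else r3
    return (c1 * c2 * pow(r3, 2, n)) % n


def xor_via_add(m1, m2):
    """Encrypt two bits, add them under encryption, decrypt: m1 XOR m2,
    because a^(m1+m2) with m1+m2 = 2 is the square (a*r)^2."""
    ke, kd = keygen()
    c = add(ke, encrypt(ke, m1), encrypt(ke, m2))
    return decrypt(kd, c)
```

Addition of bits is addition in $F_2$, so `xor_via_add` returns the exclusive-or of the two plaintexts; the re-randomising factor $r_3$ is what makes Add probabilistic, as the text requires.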
Homomorphic Encryption — Theory and Application 7
http://dx.doi.org/10.5772/56687
We will write $\mathrm{Mixed\_Mult}(m, E(m')) = E(m m')$ if the following equation holds, except possibly with a negligible probability of not holding.
ically homomorphic encryption on an arbitrary finite ring or field could be obtained given a
homomorphic encryption scheme on one of these non-abelian groups. These observations
could be a first step to solve the problem whether efficient and secure algebraically homo‐
morphic schemes exist. The research community in cryptography has spent substantial effort
on this problem. In 1996, Boneh and Lipton proved that under a reasonable assumption every
deterministic, algebraically homomorphic cryptosystem can be broken in sub-exponential
time (Boneh & Lipton, 1996). This may be perceived as a negative result concerning the
existence of an algebraically homomorphic encryption scheme, although most of the existing cryptosystems, e.g., the RSA scheme or the ElGamal scheme, can also be broken in sub-exponential time. Furthermore, if we seek for algebraically homomorphic public-key schemes
on small fields or rings such as M = F2, obviously such a scheme has to be probabilistic in order
to be secure.
Some researchers also tried to find candidates for algebraically homomorphic schemes. In 1993,
Fellows and Koblitz presented an algebraic public-key cryptosystem called Polly Cracker
(Fellows & Koblitz, 1993). It is algebraically homomorphic and provably secure. Unfortunately,
the scheme has a number of difficulties and is not efficient concerning the ciphertext length.
Firstly, Polly Cracker is a polynomial-based system. Therefore, computing an encryption of the product $E(m_1 \cdot m_2)$ of two messages $m_1$ and $m_2$ by multiplying the corresponding ciphertext polynomials $E(m_1)$ and $E(m_2)$ leads to an exponential blow-up in the number of monomials. Hence, during repeated computations, there is an exponential blow-up in the ciphertext length.
Secondly, all existing instantiations of Polly Cracker suffer from further drawbacks (Koblitz,
1998). They are either insecure since they succumb to certain attacks, they are too inefficient
to be practical, or they lose the algebraically homomorphic property. Hence, it is far from clear
how such kind of schemes could be turned into efficient and secure algebraically homomorphic
encryption schemes. A detailed analysis and description of these schemes can be found in (Ly,
2002).
In 2002, J. Domingo-Ferrer developed a probabilistic, algebraically homomorphic secret-key
cryptosystem (Domingo-Ferrer, 2002). However, this scheme was not efficient since there was
an exponential blowup in the ciphertext length during repeated multiplications that were
required to be performed. Moreover, it was also broken by Wagner and Bao (Bao, 2003;
Wagner, 2003).
Thus considering homomorphic encryption schemes on groups instead of rings seems more
promising to design a possible algebraically homomorphic encryption scheme. It brings us
closer to structures that have been successfully used in cryptography. The following theorem
shows that indeed the search for algebraically homomorphic schemes can be reduced to the
search for homomorphic schemes on special non-abelian groups (Rappe, 2004).
Theorem I: The following two statements are equivalent: (1) There exists an algebraically homomorphic encryption scheme on $(F_2, +, \cdot)$. (2) There exists a homomorphic encryption scheme on the symmetric group $(S_7, \cdot)$.
Proof: 1 → 2: This direction of the proof follows immediately, and it holds for an arbitrary finite group, since the operations of finite groups can always be implemented by Boolean circuits. Let $S_7$ be represented as a subset of $\{0, 1\}^l$, where e.g. $l = 21$ can be chosen, and let $C$ be a circuit with addition and multiplication gates that takes as inputs the binary representations of elements $m_1, m_2 \in S_7$ and outputs the binary representation of $m_1 m_2$. If we have an algebraically homomorphic encryption scheme $(K, E, D, \mathrm{Add}, \mathrm{Mult})$ on $(F_2, +, \cdot)$, then we can define a homomorphic encryption scheme $(\tilde{K}, \tilde{E}, \tilde{D}, \widetilde{\mathrm{Mult}})$ on $S_7$ by defining $\tilde{E}(m) = (E(s_0), \ldots, E(s_{l-1}))$, where $(s_0, \ldots, s_{l-1})$ denotes the binary representation of $m$. $\widetilde{\mathrm{Mult}}$ is constructed by substituting the addition gates in $C$ by Add and the multiplication gates by Mult. $\tilde{K}$ and $\tilde{D}$ are defined in the obvious way.
2 → 1: The proof has two steps. First, we use a construction of Ben-Or and Cleve (Ben-Or & Cleve, 1992) to show that the field $(F_2, +, \cdot)$ can be encoded in the special linear group $(SL(3,2), \cdot)$ over $F_2$. Then, we apply a theorem from projective geometry to show that $(SL(3,2), \cdot)$ is a subgroup of $S_7$. This proves the claim.
Homomorphic encryption schemes on groups have been extensively studied. For instance, we
have homomorphic schemes on groups (ℤ / M ℤ, + ), for M being a smooth number (Gold‐
wasser & Micali, 1984; Benaloh, 1994; Naccache & Stern, 1998) for M = p.q being an RSA
modulus (Paillier, 1999; Galbraith, 2002), and for groups ((ℤ / N ℤ) * , .) where N is an RSA
modulus. All known efficient and secure schemes are homomorphic on abelian groups.
However, S7 and SL(3, 2) are non-abelian. Sander, Young and Yung (Sander et al., 1999)
investigated the possibility of existence of a homomorphic encryption scheme on non-abelian
groups. Although non-abelian groups had been used to construct encryption schemes (Ko et
al., 2000; Paeng et al., 2001; Wagner & Magyarik, 1985; Grigoriev & Ponomarenko, 2006), the
resulting schemes are not homomorphic in the sense that we need for computing efficiently
on encrypted data.
Grigoriev and Ponomarenko propose a novel definition of homomorphic cryptosystems on
which they base a method to construct homomorphic cryptosystems over arbitrary finite
groups including non-abelian groups (Grigoriev & Ponomarenko, 2006). Their construction
method is based on the fact that every finite group is an epimorphic image of a free product
of finite cyclic groups. It uses existing homomorphic encryption schemes on finite cyclic groups
as building blocks to obtain homomorphic encryption schemes on arbitrary finite groups. Since
the ciphertext space obtained from the encryption scheme is a free product of groups, an
exponential blowup of the ciphertext lengths during repeated computations is produced as a
result. The reason is that the length of the product of two elements x and y of a free product
is, in general, the sum of the length of x and the length of y. Hence, the technique proposed by
Grigoriev and Ponomarenko suffers from the same drawback as the earlier schemes and does
not provide an efficient cryptosystem. We note that using this construction it is possible to
construct a homomorphic encryption scheme on the symmetric group S7 and on the special
linear group SL(3, 2). If we combine this with Theorem 1, we can construct an algebraically
homomorphic cryptosystem on the finite field (F2, +,.). Unfortunately, the exponential blowup
owing to the construction method in the homomorphic encryption scheme on S7 and on SL(3,
2) respectively, would lead to an exponential blowup in F2 and hence leaves the question open
Grigoriev and Ponomarenko propose another method to encrypt arbitrary finite groups
homomorphically (Grigoriev & Ponomarenko, 2004). This method is based on the difficulty of
the membership problem for groups of integer matrices, while in (Grigoriev & Ponomarenko,
2006) it is based on the difficulty of factoring. However, as before, this scheme is not efficient.
Moreover, in (Grigoriev & Ponomarenko, 2004), an algebraically homomorphic cryptosystem
over finite commutative rings is proposed. However, owing to its immense size, it is infeasible
to implement in real-world applications.
In this Section, we describe some classical homomorphic encryption systems which have
created substantial interest among the researchers in the domain of cryptography. We start
with the first probabilistic systems proposed by Goldwasser and Micali in 1982 (Goldwasser
& Micali, 1982; Goldwasser & Micali, 1984) and then discuss the famous Paillier’s encryption
scheme (Paillier, 1999) and its improvements. Paillier’s scheme and its variants are well-known
for their efficiency and the high level of security that they provide for homomorphic encryp‐
tion. We do not discuss their mathematical considerations in detail, but summarize their
important parameters and properties.
Goldwasser-Micali scheme: This scheme (Goldwasser & Micali, 1982; Goldwasser & Micali,
1984) is historically very important since many of subsequent proposals on homomorphic
encryption were largely motivated by its approach. Like in RSA, in this scheme, we use
computations modulo $n = p \cdot q$, a product of two large primes. The encryption process is simple and uses a product and a square, whereas decryption is heavier and involves exponentiation. The complexity of the decryption process is $O(k \cdot l(p)^2)$, where $l(p)$ denotes the number of bits in $p$. Unfortunately, this scheme has a limitation since its input consists of a single bit. First, this implies that encrypting $k$ bits leads to a cost of $O(k \cdot l(p)^2)$. This is not very efficient even if it may be considered as practical. The second concern is related to the issue of expansion: a single bit of plaintext is encrypted in an integer modulo $n$, that is, $l(n)$ bits. This leads to a huge blow-up of the ciphertext, which is a serious problem with this scheme.
Goldwasser-Micali (GM) scheme can be viewed from another perspective. When looked from
this angle, the basic principle of this scheme is to partition a well-chosen subset of integers
modulo n into two secret parts, $M_0$ and $M_1$. The encryption process selects a random element of $M_b$ to encrypt the plaintext bit $b$, and the decryption process lets the user know in which part the randomly selected element lies. The essence of the scheme lies in the mechanism to determine the subset, and to partition it into $M_0$ and $M_1$. The scheme uses group theory to achieve this goal. The subset is the group $G$ of invertible integers modulo $n$ whose Jacobi symbol with respect to $n$ equals 1. The partition is generated by another group $H \subset G$, consisting of the elements that are invertible modulo $n$ whose Jacobi symbol with respect to a fixed factor of $n$ equals 1. With these settings of parameters, it is possible to split $G$ into two parts, $H$ and $G \setminus H$. The generalization schemes of GM deal with these two groups. These schemes attempt to find two groups $G$ and $H$ such that $G$ can be split into more than $k = 2$ parts.
Benaloh’s scheme: Benaloh’s scheme (Benaloh, 1988) is a generalization of the GM scheme that enables one to manage inputs of $l(k)$ bits, $k$ being a prime satisfying some specified constraints. Encryption is similar to that in the GM scheme (encrypting a message $m \in \{0, \ldots, k-1\}$ is tantamount to picking an integer $r \in \mathbb{Z}_n^*$ and computing $c = g^m r^k \bmod n$). However, the decryption phase is more complex. If the input and output sizes are $l(k)$ and $l(n)$ bits respectively, the expansion is equal to $l(n)/l(k)$. The value of expansion obtained in this approach is less than that achieved in GM. This makes the scheme more attractive. Moreover, the encryption is not too expensive either. The overhead in the decryption process is estimated to be $O(k \cdot l(k))$ for pre-computation, which remains constant for each dynamic decryption step. This implies that the value of $k$ has to be taken very small, which in turn limits the gain obtained on the value of expansion.
Naccache-Stern scheme: This scheme (Naccache & Stern, 1998) is an improvement of Benaloh’s scheme. Using a value of the parameter $k$ that is greater than that used in Benaloh’s scheme, it achieves a smaller expansion and thereby attains a superior efficiency. The encryption step is precisely the same as in Benaloh’s scheme. However, decryption is different. The value of expansion is the same as that in Benaloh’s scheme, i.e., $l(n)/l(k)$. However, the cost of decryption is less and is given by $O(l(n)^5 \log(l(n)))$. The authors claim that it is possible to choose the values of the parameters in the system in such a way that the achieved value of expansion is 4 (Naccache & Stern, 1998).
Okamoto-Uchiyama scheme: To improve the performance of the earlier schemes on homomorphic encryption, Okamoto and Uchiyama changed the base group $G$ (Okamoto & Uchiyama, 1998). By taking $n = p^2 q$, $p$ and $q$ being two large prime numbers as usual, and the group $G = \mathbb{Z}_{p^2}^*$, the authors achieve $k = p$. The value of the expansion obtained in the scheme is 3. One of the biggest advantages of this scheme is that its security is equivalent to the factorization of $n$. However, a chosen-ciphertext attack has been proposed on this scheme that recovers the factorization of $n$. Hence, currently it has a limited applicability. However, this scheme was used to design the EPOC systems (Okamoto et al., 2000), which are accepted in the IEEE standard specifications for public-key cryptography (IEEE P1363).
Paillier scheme: One of the most well-known homomorphic encryption schemes is due to Paillier (Paillier, 1999). It is an improvement over the earlier schemes in the sense that it is able to decrease the value of expansion from 3 to 2. The scheme uses $n = p \cdot q$ with $\gcd(n, \phi(n)) = 1$. As usual, $p$ and $q$ are two large primes. However, it considers the group $G = \mathbb{Z}_{n^2}^*$, and a proper choice of $H$ leads to $k = l(n)$. While the cost of encryption is not too high,
ance. In 2002, Cramer and Shoup proposed a general approach to achieve higher security
against adaptive chosen-ciphertext attacks for certain cryptosystems with some particular
algebraic properties (Cramer & Shoup, 2002). They applied their propositions on Paillier’s
original scheme and designed a stronger variant of homomorphic encryption. Bresson et al.
proposed a slightly different version of a homomorphic encryption scheme that is more
accurate for some applications (Bresson et al., 2003).
Damgard-Jurik scheme: Damgard and Jurik propose a generalization of Paillier’s scheme to groups of the form $\mathbb{Z}_{n^{s+1}}^*$ for $s > 0$ (Damgard & Jurik, 2001). In this scheme, the choice of larger values of $s$ will achieve lower values of expansion. This scheme can be used in a number of applications. For example, we can mention the adaptation of the size of the plaintext, the use of threshold cryptography, electronic voting, and so on. To encrypt a message $m \in \mathbb{Z}_{n^s}$, one picks at random $r \in \mathbb{Z}_n^*$ and computes $g^m r^{n^s} \in \mathbb{Z}_{n^{s+1}}^*$. The authors show that if one can break the scheme for a given value $s = \sigma$, then one can break it for $s = \sigma - 1$. They also show that the semantic security of this scheme is equivalent to that of Paillier’s scheme. The value of expansion can be computed as $1 + 1/s$. It is clear that expansion can attain a value close to 1 if $s$ is sufficiently large. The ratio of the cost for encryption in this scheme over Paillier’s scheme can be estimated to be $\frac{s(s+1)(s+2)}{6}$. The same ratio for the decryption process will have value equal to $\frac{(s+1)(s+2)}{6}$. Even if this scheme has a lower value of expansion as compared to Paillier’s scheme, it is computationally more intensive. Moreover, if we want to encrypt or decrypt $k$ blocks of $l(n)$ bits, running Paillier’s scheme $k$ times is less expensive than running Damgard-Jurik’s scheme.
Galbraith scheme: This is an adaptation of the existing homomorphic encryption schemes in the context of elliptic curves (Galbraith, 2002). Its expansion is equal to 3. For $s = 1$, the ratio of the encryption cost for this scheme over that of Paillier’s scheme can be estimated to be about 7, while the same ratio for the cost of decryption is about 14 for the same value of $s$. However, the most important advantage of this scheme is that the cost of encryption and decryption can be decreased using larger values of $s$. In addition, the security of the scheme increases with the increase in the value of $s$, as is the case in Damgard-Jurik’s scheme.
Castagnos scheme: Castagnos explored the possibility of improving the performance of homomorphic encryption schemes using quadratic field quotients (Castagnos, 2006; Castagnos, 2007). This scheme achieves an expansion value of 3, and the ratio of encryption/decryption cost with $s = 1$ over Paillier’s scheme can be estimated to be about 2.
attacks, for instance, by application of hash functions, the use of redundancy or probabilistic
schemes, this potential weakness leads us to the question why homomorphic schemes should
be used instead of conventional cryptosystems under certain situations. The main reason for
the interest in homomorphic cryptosystems is its wide application scope. There are theoretical
as well as practical applications in different areas of cryptography. In the following, we list
some of the main applications and properties of homomorphic schemes and summarize the
idea behind them.
Secret sharing scheme: In secret sharing schemes, parties share a secret so that no individual party can reconstruct the secret from the information available to it. However, if some parties cooperate with each other, they may be able to reconstruct the secret. In this scenario, the homomorphic property implies that the composition of the shares of the secrets is equivalent to the shares of the composition of the secrets.
Threshold schemes: Both secret sharing schemes and the multiparty computation schemes
are examples of threshold schemes. Threshold schemes can be implemented using homomor‐
phic encryption techniques.
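As an added example of the homomorphic property quoted above for secret sharing and threshold schemes, not part of the chapter, the following Python implements a Shamir $(t, n)$ threshold sharing over a prime field: adding the shares that two dealers hand to the same party gives that party a share of the sum of the two secrets, and any $t$ such summed shares reconstruct that sum without either secret ever being reassembled. The field prime and the parameters $t = 3$, $n = 5$ are constructed choices.

```python
"""Shamir (t, n) threshold secret sharing over a prime field, with the
homomorphic property described above: shares of a plus shares of b are
shares of a + b, so the sum can be reconstructed without reconstructing
a or b.

Added example, not the chapter's own code. The field prime and the
(t, n) parameters are constructed choices.
"""
import secrets

PRIME = (1 << 61) - 1   # a Mersenne prime; any prime larger than the secrets works


def share(secret, t, n, prime=PRIME):
    """Split `secret` into n points on a random polynomial of degree t-1
    whose constant term is the secret; any t points determine it."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    coeffs = [secret % prime] + [secrets.randbelow(prime) for _ in range(t - 1)]

    def poly(x):
        return sum(c * pow(x, i, prime) for i, c in enumerate(coeffs)) % prime

    return [(x, poly(x)) for x in range(1, n + 1)]


def reconstruct(shares, prime=PRIME):
    """Lagrange interpolation at x = 0 from any t distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % prime
                den = (den * (xi - xj)) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total


def add_shares(s1, s2, prime=PRIME):
    """Composition of shares: each party adds the two values it holds.
    The x-coordinates must match, since each party keeps a fixed x."""
    out = []
    for (x1, y1), (x2, y2) in zip(s1, s2):
        if x1 != x2:
            raise ValueError("shares belong to different parties")
        out.append((x1, (y1 + y2) % prime))
    return out


def homomorphic_sum(a, b, t=3, n=5):
    """Share a and b among n parties, let each party add its two shares,
    and reconstruct the sum from exactly t of the summed shares."""
    sa, sb = share(a, t, n), share(b, t, n)
    summed = add_shares(sa, sb)
    chosen = summed[1:t + 1]          # any t parties will do; here parties 2..t+1
    return reconstruct(chosen)
```

Fewer than $t$ shares of either polynomial are consistent with every possible secret, which is the threshold guarantee; the sum is recovered from $t$ parties' summed shares only, so no party ever sees $a$ or $b$ in the clear.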
$r \in \mathbb{Z}$ it is possible to efficiently convert $E_{k_e}(m, r)$ into another encryption $E_{k_e}(m, r')$ that is perfectly indistinguishable from a fresh encryption of $m$ under the public key $k_e$. This property is also called re-encryption.
It is obvious that every probabilistic homomorphic cryptosystem is re-randomizable. Without loss of generality, we assume that the cryptosystem is additively homomorphic. Given $E_{k_e}(m, r)$ and the public key $k_e$, we can compute $E_{k_e}(0, r'')$ for a random number $r''$ and hence
$\mathrm{Add}(E_{k_e}(m, r), E_{k_e}(0, r'')) = E_{k_e}(m + 0, r') = E_{k_e}(m, r')$
where $r'$ is an appropriate random number. We note that this is exactly what a blinding algorithm does.
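The Paillier scheme introduced earlier ($n = pq$, ciphertexts in $\mathbb{Z}_{n^2}^*$, encryption $g^m r^n \bmod n^2$ as in the $s = 1$ case of Damgard-Jurik) is the natural setting for the blinding equation above. The Python below, an added example rather than the chapter's or Paillier's own code, implements key generation, encryption, decryption and Add, and then re-encrypts a ciphertext by multiplying it with a fresh encryption of 0, exactly as $\mathrm{Add}(E(m, r), E(0, r'')) = E(m, r')$ describes. The primes are constructed toy values and $g = n + 1$ is an assumed (standard) choice of generator.

```python
"""Paillier encryption with homomorphic Add and the re-encryption
Add(E(m, r), E(0, r'')) = E(m, r') described above.

Added example, not the chapter's or Paillier's own code. P and Q are
constructed toy primes; g = n + 1 is the assumed (standard) generator.
"""
import math
import secrets

P, Q = 1000003, 1000033   # constructed toy primes; real use needs ~1024 bits each


def lfunc(u, n):
    """Paillier's L(u) = (u - 1) / n, defined for u = 1 mod n."""
    return (u - 1) // n


def keygen(p=P, q=Q):
    """Public key (n, g), secret key (lambda, mu)."""
    n = p * q
    if math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("need gcd(n, phi(n)) = 1")
    lam = math.lcm(p - 1, q - 1)
    g = n + 1
    mu = pow(lfunc(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def random_unit(n):
    """Uniform r in Z_n^* from a CSPRNG."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def encrypt(ke, m, r=None):
    """E(m, r) = g^m * r^n mod n^2."""
    n, g = ke
    r = random_unit(n) if r is None else r
    n2 = n * n
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(ke, kd, c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = ke
    lam, mu = kd
    return (lfunc(pow(c, lam, n * n), n) * mu) % n


def add(ke, c1, c2):
    """Add(E(m1), E(m2)) = E(m1 + m2 mod n): multiply ciphertexts mod n^2."""
    n, _ = ke
    return (c1 * c2) % (n * n)


def reencrypt(ke, c):
    """Blinding / re-randomisation: multiply by a fresh E(0, r'').
    The plaintext is unchanged but the ciphertext is a fresh-looking one."""
    return add(ke, c, encrypt(ke, 0))


def demo(m1=42, m2=1000):
    """Returns (decrypted sum, whether the blinded ciphertext differs from
    the original, decrypted blinded ciphertext)."""
    ke, kd = keygen()
    c1, c2 = encrypt(ke, m1), encrypt(ke, m2)
    c_blind = reencrypt(ke, c1)
    return (decrypt(ke, kd, add(ke, c1, c2)),
            c_blind != c1,
            decrypt(ke, kd, c_blind))
```

Only the public key is used in `reencrypt`, so anyone holding a ciphertext can blind it; the decryptor cannot tell a blinded ciphertext from a fresh encryption of the same message, which is the re-randomizability property the text defines.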
Random self-reducibility: Along with the possibility of re-encryption comes the property of
random self-reducibility concerning the problem of computing the plaintext from the cipher‐
text. A cryptosystem is called random self-reducible if any algorithm that can break a non-trivial
fraction of ciphertexts can also break a random instance with significant probability. This
property is discussed in detail in (Damgard et al., 2010; Sander et al., 1999).
Verifiable encryptions / fair encryptions: If an encryption is verifiable, it provides a mecha‐
nism to check the correctness of encrypted data without compromising on the secrecy of the
data. For instance, this is useful in voting schemes to convince any observer that the encrypted
name of a candidate, i.e., the encrypted vote is indeed in the list of candidates. A cryptosystem
with this property that is based on homomorphic encryption can be found in (Poupard & Stern,
2000). Verifiable encryptions are also called fair encryptions.
In 2009, Gentry described the first plausible construction of a fully homomorphic cryptosystem
that supports both addition and multiplication (Gentry, 2009). Gentry’s proposed fully
adversary to distinguish this sequence of samples from random pairs of ring elements. The
authors have shown that this simple assumption can be very efficiently reduced to the worst
case hardness of short-vector problems on ideal lattices. They have also shown how to
construct a very efficient ring counterpart to Regev’s public-key encryption scheme (Regev,
2005), as well as a counterpart to the identity-based encryption scheme presented in (Gentry
et al., 2008) by using the basis sampling techniques in (Regev, 2005). The scheme presented in
(Lyubashevsky et al., 2010) is very elegant and efficient since it is not dependent on any
complex computations over ideal lattices.
Brakerski and Vaikuntanathan raised the natural question of whether the above approaches (i.e., ideal lattices and RLWE) can be effectively exploited so that the benefits of both approaches can be achieved at the same time, namely the functional power of the one (i.e., the ideal lattice approach) and the simplicity and efficiency of the other (i.e., RLWE).
They have shown that indeed this can be done (Brakerski & Vaikuntanathan, 2011). They have
constructed a somewhat homomorphic encryption scheme based on RLWE. The scheme
inherits the simplicity and efficiency, as well as the worst case relation to ideal lattices.
Moreover, the scheme enjoys key dependent message security (KDM security, also known as
circular security), since it can securely encrypt polynomial functions (over an appropriately
defined ring) of its own secret key. The significance of this feature of the scheme in context of
homomorphic encryption has been clearly explained by the authors. The authors argue that
all known constructions of fully homomorphic encryption employ a bootstrapping technique
that enforces the public key of the scheme to grow linearly with the maximal depth of evaluated
circuits. This is a major drawback with regard to the usability and the efficiency of the scheme.
However, the size of the public key can be made independent of the circuit depth if the
somewhat homomorphic scheme can securely encrypt its own secret key. With the design of
this scheme, the authors have solved an open problem - achieving circular secure somewhat
homomorphic encryption. They have also computed the circular security of their scheme with
respect to the representation of the secret key as a ring element, where bootstrapping requires
circular security with respect to the bitwise representation of the secret key (actually, the
bitwise representation of the squashed secret key). Since there is no prior work that studies a
possible co-existence between somewhat homomorphism with any form of circular security,
the work is a significant first step towards removing the assumption (Brakerski & Vaikunta‐
nathan, 2011). The authors have also shown how to transform the proposed scheme into a fully
homomorphic encryption scheme following Gentry’s blueprint of squashing and bootstrap‐
ping. Applying the techniques presented in (Brakerski & Vaikuntanathan, 2011a), the authors
argue that squashing can even be avoided at the cost of relying on sparse version of RLWE that
is not known to reduce to worst case scenarios. This greatly enhances the efficiency of the
proposed scheme in practical applications. The proposed scheme is also additively key-
homomorphic– a property that has found applications in achieving security against key-related
attacks (Applebaum et al., 2011).
Smart and Vercauteren (Smart & Vercauteren, 2010) present a fully homomorphic encryption
scheme that has smaller key and ciphertext sizes. The construction proposed by the authors
follows the fully homomorphic construction based on ideal lattices proposed by Gentry
Moreover, Stehle and Steinfeld have relaxed the definition of fully homomorphic encryption to allow for a negligible but non-zero probability of decryption error. They have shown that the randomness in the SplitKey key generation for the squashed decryption algorithm (i.e., the decryption algorithm of the bootstrappable scheme) in Gentry’s scheme can be gainfully exploited to allow a negligible decryption error probability. This decryption error, although negligible in value, allows the rounding precision used in representing the ciphertext components to be reduced to almost half of the precision required in Gentry’s scheme (Gentry, 2009), which has zero error probability.
Boneh and Freeman propose a linearly homomorphic signature scheme that authenticates
vector subspaces of a given ambient space (Boneh & Freeman, 2011). The scheme has several
novel features that were not present in any of the existing similar schemes. First, the scheme
is the first of its kind that enables authentication of vectors over binary fields; previous schemes
could not authenticate vectors with large or growing coefficients. Second, the scheme is the
only scheme that is based on the problem of finding short vectors in integer lattices, and therefore,
it enjoys the worst-case security guarantee that is common to lattice-based cryptosystems. The
scheme can be used to authenticate linear transformations of signed data, such as those arising
when computing mean and Fourier transform or in networks that use network coding (Boneh
& Freeman, 2011). The work has three major contributions in the state of the art as identified
by the authors: (i) Homomorphic signatures over F2: the authors have constructed the first
unforgeable linearly homomorphic signature scheme that authenticates vectors with coordinates in
F2. It is an example of a cryptographic primitive that can be built using lattice models, but
cannot be built using bilinear maps or other traditional algebraic methods based on factoring
or discrete log type problems. The scheme can be modified to authenticate vectors with
coefficients in other small fields, including prime fields and extension fields such as F2d.
Moreover, the scheme is private, in the sense that a derived signature on a vector v leaks no
information about the original signed vectors beyond what is revealed by v. (ii) A simple k-time
signature without random oracles: the authors have presented a stateless signature scheme and
have proved that it is secure in the standard model when used to sign at most k messages, for
small values of k. The public key of the scheme is significantly smaller than that of any other
stateless lattice-based signature scheme that can sign multiple large messages and is secure in
the standard model. The construction proposed by the authors can be viewed as removing the
random oracle from the signature scheme of Gentry, Peikert, and Vaikuntanathan (Gentry et al.,
2008), but only for signing k messages (Boneh & Freeman, 2011). (iii) New tools for lattice-based
signatures: the scheme is unforgeable based on a new hard problem on lattices, which the
authors have called the k-small integer solutions (k-SIS) problem. The authors have shown that
k-SIS reduces to the small integer solution (SIS) problem, which is known to be as hard as
standard worst-case lattice problems (Micciancio & Regev, 2007).
The study of fully homomorphic encryption has led to a number of new and exciting concepts
and questions, as well as a powerful tool-kit to address them. We conclude the chapter by
discussing a number of research directions related to the domain of fully homomorphic
encryption and more generally, on the problem of computing on encrypted data.
Applications of fully homomorphic encryption: While Gentry’s original construction was
considered as being infeasible for practical deployments, recent constructions and implemen‐
tation efforts have drastically improved the efficiency of fully homomorphic encryption
(Vaikuntanathan, 2011). The initial implementation efforts focused on Gentry’s original
scheme and its variants (Smart & Vercauteren, 2010; Smart & Vercauteren, 2012; Coron et al.,
2011; Gentry & Halevi, 2011), which seemed to pose rather inherent efficiency bottlenecks.
Later implementations leverage the recent algorithmic advances (Brakerski & Vaikuntanathan,
2011; Brakerski et al., 2011; Brakerski & Vaikuntanathan, 2011a) that result in asymptotically
better fully homomorphic encryption systems, as well as new algebraic mechanisms to
improve the overall efficiency of these schemes (Naehrig et al., 2011; Gentry et al., 2012; Smart
& Vercauteren, 2012).
Non-malleability and homomorphic encryption: Homomorphism and non-malleability are two orthogonal properties of an encryption scheme. Homomorphic encryption schemes permit anyone to transform an encryption of a message $m$ into an encryption of $f(m)$ for non-trivial functions $f$. Non-malleable encryption, on the other hand, prevents precisely this sort of thing: it requires that no adversary be able to transform an encryption of $m$ into an encryption of any related message. Essentially, what we need is a combination of both properties that selectively permits homomorphic computations (Vaikuntanathan, 2011). This implies that the evaluator should be able to homomorphically compute any function from some pre-specified class $F_{hom}$; however, she should not be able to transform an encryption of $m$ into an encryption of $f(m)$ for any $f \notin F_{hom}$. The natural question that arises is whether we can control what is being (homomorphically) computed. Answering this question turns out to be tricky. Boneh, Segev and Waters (Boneh et al., 2011) propose the notion of targeted malleability, a possible formalization of such a requirement, as well as constructions of such encryption schemes. Their encryption scheme is based on a strong knowledge-of-exponent-type assumption and allows iterative evaluation of at most $t$ functions, where $t$ is a suitably determined and pre-specified constant. Improving their construction as well as the underlying complexity assumptions is an important open problem (Vaikuntanathan, 2011).
It is also interesting to extend the definition of non-malleability to allow for chosen-ciphertext
attacks. As an example, consider an encrypted targeted-advertisement system that generates
advertisements depending on the contents of a user's e-mail. Since the e-mail is stored encrypted
under the user's public key, the e-mail server performs a homomorphic evaluation and computes
an encrypted advertisement, which it sends back to the user. The user decrypts it and acts on
what she sees: if the advertisement is relevant, she might click on it; otherwise, she simply
discards it. If the e-mail server learns this one bit of information, namely whether the user
clicked on the advertisement or not, it can use it as a restricted decryption oracle to break the
security of the user's encryption scheme and possibly even recover her secret key. Such attacks
arise whenever we compute on encrypted data, almost to the point that CCA security seems
unavoidable as a requirement. Yet it is easy to see that chosen-ciphertext (CCA2-secure)
homomorphic encryption schemes cannot exist: given the challenge ciphertext, the adversary
homomorphically evaluates any non-trivial function on it, obtains a different ciphertext of a
related message, and submits that ciphertext to the decryption oracle, which the CCA2 game
permits. An appropriate security definition, and constructions that achieve it, are therefore
still needed.
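The two points above, that a homomorphic scheme is malleable by construction and that even a one-bit decryption oracle breaks it, can be seen concretely in the following added example. It is not code from the chapter or from any of the cited papers: it implements textbook Paillier (additively homomorphic) from scratch with two constructed primes that are far too small for real use, and models the server's "did the user click?" feedback as a hypothetical one-bit oracle that reveals whether the decrypted value is at least a public threshold. The hidden score, the threshold rule and the function names (cca2_break, recover_with_one_bit_oracle) are assumptions made for this illustration.

```python
"""Added example: malleability of an additively homomorphic scheme and the
decryption-oracle attacks it enables. Textbook Paillier with a constructed toy key."""
from math import gcd
import secrets

# Constructed key material: two well-known primes, far too small for real use.
P = 1_000_000_007
Q = 998_244_353


def keygen(p=P, q=Q):
    """Paillier key generation with g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)                            # L(g^lam mod n^2) = lam when g = n + 1
    return (n, n + 1), (n, lam, mu)


def encrypt(pk, m):
    """c = g^m * r^n mod n^2 with fresh r coprime to n."""
    n, g = pk
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(sk, c):
    """m = L(c^lam mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, lam, mu = sk
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n) * mu % n


def add_plaintext(pk, c, k):
    """Enc(m) -> Enc(m + k mod n) without the secret key: the malleability that
    makes the scheme homomorphic is exactly what both attacks below use."""
    n, _ = pk
    return (c * encrypt(pk, k)) % (n * n)


def cca2_break(pk, challenge, decrypt_oracle):
    """CCA2 game: the oracle decrypts anything except the challenge itself.
    Evaluating f(m) = m + 1 yields a different ciphertext of a related message,
    which the oracle must answer; subtracting 1 recovers m."""
    n, _ = pk
    related = add_plaintext(pk, challenge, 1)
    assert related != challenge
    return (decrypt_oracle(related) - 1) % n


def recover_with_one_bit_oracle(pk, challenge, clicked, threshold):
    """Restricted oracle: clicked(c) only reveals whether Dec(c) >= threshold.
    Assumes 0 <= m < threshold <= n // 2, so m + k never wraps modulo n for
    k <= threshold. Binary search for the smallest k with m + k >= threshold;
    then m = threshold - k, after about log2(threshold) oracle queries."""
    lo, hi = 0, threshold            # clicked is False at lo and True at hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if clicked(add_plaintext(pk, challenge, mid)):
            hi = mid
        else:
            lo = mid
    return threshold - hi


def demo():
    """Run both attacks against one challenge; returns (m, m_cca2, m_onebit)."""
    pk, sk = keygen()
    n, _ = pk
    secret_score = 123_456_789       # constructed "ad relevance" value in the mailbox
    challenge = encrypt(pk, secret_score)

    def cca2_oracle(c):              # full decryption, challenge excluded
        if c == challenge:
            raise ValueError("the CCA2 oracle refuses the challenge ciphertext")
        return decrypt(sk, c)

    threshold = n // 2

    def clicked(c):                  # the user's click is one bit about Dec(c)
        return decrypt(sk, c) >= threshold

    return (secret_score,
            cca2_break(pk, challenge, cca2_oracle),
            recover_with_one_bit_oracle(pk, challenge, clicked, threshold))


if __name__ == "__main__":
    print(demo())
```

Running the script returns the same value three times: once as planted, once recovered with a single query to a full decryption oracle that never sees the challenge, and once recovered from roughly sixty yes/no answers. Nothing in the attack depends on the toy key size; a real-size Paillier modulus only lengthens the binary search by the extra bits.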
Other problems and applications: Another important open question concerns the assumptions
underlying the current fully homomorphic encryption systems. All known fully homomorphic
encryption schemes are based on the hardness of lattice problems. The natural question is
whether we can construct fully homomorphic encryption from other assumptions, say number-
theoretic ones such as the hardness of factoring or of computing discrete logarithms.
In addition to the scenarios where it is beneficial to keep all data encrypted and to perform
computations on encrypted data, fully homomorphic encryption can be used to solve a number
of practical problems in cryptography. Two such examples are verifiably outsourcing
computation (Goldwasser et al., 2008; Gennaro et al., 2010; Chung et al., 2010; Applebaum et al.,
2010) and constructing short non-interactive zero-knowledge proofs (Gentry, 2009). Some
applications of fully homomorphic encryption do not require its full power. For example, in
private information retrieval (PIR), it is sufficient to have a somewhat
Author details
Jaydip Sen*
Department of Computer Science, National Institute of Science & Technology, Odisha, India
References
[1] Adelsbach, A., Katzenbeisser, S., & Sadeghi, A. (2002). Cryptography Meets Watermarking: Detecting Watermarks with Minimal or Zero Knowledge Disclosure. In: Proceedings of the European Signal Processing Conference (EUSIPCO’02), Vol 1, pp. 446-449, Toulouse, France.
[2] Agrawal, S., Freeman, D. M., & Vaikuntanathan, V. (2011). Functional Encryption for Inner Product Predicates from Learning with Errors. In: Advances in Cryptology - Proceedings of ASIACRYPT’11, Lecture Notes in Computer Science (LNCS), Vol 7073, Springer-Verlag, pp. 21-40.
[3] Ajtai, M. & Dwork, C. (1997). A Public Key Cryptosystem with Worst-Case/Average-Case Equivalence. In: Proceedings of the 29th Annual ACM Symposium on Theory of Computing (STOC’97), pp. 284-293, ACM Press, New York, NY, USA.
[4] Applebaum, B., Ishai, Y., & Kushilevitz, E. (2011). Semantic Security under Related-Key Attacks and Applications. In: Proceedings of Innovations in Computer Science (ICS’11), pp. 45-55.
[5] Applebaum, B., Ishai, Y., & Kushilevitz, E. (2010). From Secrecy to Soundness: Efficient Verification via Secure Computation. In: Automata, Languages and Programming - Proceedings of ICALP’10, Lecture Notes in Computer Science (LNCS), Vol 6198, Springer-Verlag, pp. 152-163.
[6] Bao, F. (2003). Cryptanalysis of a Provable Secure Additive and Multiplicative Privacy Homomorphism. In: Proceedings of the International Workshop on Coding and Cryptography (WCC’03), Versailles, France, pp. 43-49.
[7] Bellare, M. & Rogaway, P. (1995). Optimal Asymmetric Encryption - How to Encrypt with RSA. In: Advances in Cryptology - Proceedings of EUROCRYPT’94, Lecture Notes in Computer Science (LNCS), Vol 950, Springer-Verlag, pp. 92-111.
[8] Benaloh, J. (1994). Dense Probabilistic Encryption. In: Proceedings of the Workshop on Selected Areas of Cryptography (SAC’94), pp. 120-128.
[10] Ben-Or, M. & Cleve, R. (1992). Computing Algebraic Formulas Using a Constant Number of Registers. SIAM Journal on Computing, Vol 21, No 1, pp. 54-58.
[13] Boneh, D. & Lipton, R. (1996). Searching for Elements in Black Box Fields and Applications. In: Advances in Cryptology - Proceedings of CRYPTO’96, Lecture Notes in Computer Science (LNCS), Vol 1109, Springer-Verlag, pp. 283-297.
[14] Boneh, D., Segev, G., & Waters, B. (2012). Targeted Malleability: Homomorphic Encryption for Restricted Computations. In: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference (ITCS’12), pp. 350-366, ACM Press, New York, NY, USA.
[15] Brakerski, Z., Gentry, C., & Vaikuntanathan, V. (2011). Fully Homomorphic Encryption without Bootstrapping. In: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference (ITCS’12), pp. 309-325, ACM Press, New York, NY, USA.
[18] Bresson, E., Catalano, D., & Pointcheval, D. (2003). A Simple Public-Key Cryptosystem with a Double Trapdoor Decryption Mechanism and its Applications. In: Advances in Cryptology - Proceedings of ASIACRYPT’03, Lecture Notes in Computer Science (LNCS), Vol 2894, Springer-Verlag, pp. 37-54.
[20] Canetti, R., Goldreich, O., & Halevi, S. (2004). The Random Oracle Methodology, Revisited. Journal of the ACM (JACM), Vol 51, Issue 4, July 2004, pp. 557-594, ACM Press, New York, NY, USA.
[23] Chung, K.-M., Kalai, Y., & Vadhan, S. (2010). Improved Delegation of Computation Using Fully Homomorphic Encryption. In: Advances in Cryptology - Proceedings of CRYPTO’10, Lecture Notes in Computer Science (LNCS), Vol 6223, Springer-Verlag, pp. 483-501.
[25] Coron, J.-S., Mandal, A., Naccache, D., & Tibouchi, M. (2011). Fully Homomorphic Encryption over the Integers with Shorter Public Keys. In: Advances in Cryptology - Proceedings of CRYPTO’11, Lecture Notes in Computer Science (LNCS), Vol 6841, Springer-Verlag, pp. 487-504.
[26] Cramer, R. & Damgård, I. (1998). Zero-Knowledge Proofs for Finite Field Arithmetic, Or: Can Zero-Knowledge be for Free? In: Advances in Cryptology - Proceedings of CRYPTO’98, Lecture Notes in Computer Science (LNCS), Vol 1462, Springer-Verlag, pp. 424-441.
[27] Cramer, R., Damgård, I., & Maurer, U. (2000). General Secure Multi-party Computation from any Linear Secret-Sharing Scheme. In: Advances in Cryptology - Proceedings of EUROCRYPT’00, Lecture Notes in Computer Science (LNCS), Vol 1807, Springer-Verlag, pp. 316-334.
[28] Cramer, R. & Shoup, V. (2002). Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption. In: Advances in Cryptology - Proceedings of EUROCRYPT’02, Lecture Notes in Computer Science (LNCS), Vol 2332, Springer-Verlag, pp. 45-64.
[29] Daemen, J. & Rijmen, V. (2002). The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography, Springer, New York, NY, USA.
[30] Daemen, J. & Rijmen, V. (2000). The Block Cipher Rijndael. In: Proceedings of the International Conference on Smart Card Research and Applications (CARDIS’98), Lecture Notes in Computer Science (LNCS), Vol 1820, Springer-Verlag, pp. 247-256.
[31] Damgård, I. & Jurik, M. (2003). A Length-Flexible Threshold Cryptosystem with Applications. In: Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP’03), Lecture Notes in Computer Science (LNCS), Vol 2727, Springer-Verlag, pp. 350-364.
[32] Damgård, I. & Jurik, M. (2001). A Generalisation, a Simplification and Some Applications of Paillier’s Probabilistic Public-Key System. In: Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography (PKC’01), Lecture Notes in Computer Science (LNCS), Vol 1992, Springer-Verlag, pp. 119-136.
[33] Damgård, I., Jurik, M., & Nielsen, J. (2010). A Generalization of Paillier’s Public-Key System with Applications to Electronic Voting. International Journal of Information Security (IJIS), Special Issue on Special Purpose Protocols, Vol 9, Issue 6, December 2010, pp. 371-385, Springer-Verlag, Berlin, Heidelberg, Germany.
[34] Diffie, W. & Hellman, M. (1976). New Directions in Cryptography. IEEE Transactions on Information Theory, Vol 22, No 6, November 1976, pp. 644-654.
[35] Domingo-Ferrer, J. (2002). A Provably Secure Additive and Multiplicative Privacy Homomorphism. In: Proceedings of the 5th International Conference on Information Security (ISC’02), Lecture Notes in Computer Science (LNCS), Vol 2433, Springer-Verlag, pp. 471-483.
[36] Ekdahl, P. & Johansson, T. (2002). A New Version of the Stream Cipher SNOW. In: Proceedings of the 9th International Workshop on Selected Areas in Cryptography (SAC’02), Lecture Notes in Computer Science (LNCS), Vol 2595, Springer-Verlag, pp. 47-61.
[37] ElGamal, T. (1985). A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, Vol 31, Issue 4, July 1985, pp. 469-472.
[38] Feigenbaum, J. & Merritt, M. (1991). Open Questions, Talk Abstracts, and Summary of Discussions. DIMACS Series in Discrete Mathematics and Theoretical Computer Science, Vol 2, pp. 1-45.
[39] Fellows, M. & Koblitz, N. (1993). Combinatorial Cryptosystems Galore! In: Finite Fields: Theory, Applications and Algorithms (Las Vegas, 1993), Contemporary Mathematics, Vol 168, 1994, pp. 51-61.
[40] Fontaine, C. & Galand, F. (2007). A Survey of Homomorphic Encryption for Nonspecialists. EURASIP Journal on Information Security, Vol 2007, Article ID 13801, Hindawi Publishing Corporation, New York, NY, USA. DOI: 10.1155/2007/13801.
[41] Fouque, P., Poupard, G., & Stern, J. (2000). Sharing Decryption in the Context of Voting or Lotteries. In: Proceedings of the 4th International Conference on Financial Cryptography (FC’00), Lecture Notes in Computer Science (LNCS), Vol 1962, Springer-Verlag, pp. 90-104.
[42] Galbraith, S. D. (2002). Elliptic Curve Paillier Schemes. Journal of Cryptology, Vol 15, No 2, pp. 129-138, August 2002.
[43] Gennaro, R., Gentry, C., & Parno, B. (2010). Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers. In: Advances in Cryptology - Proceedings of CRYPTO’10, Lecture Notes in Computer Science (LNCS), Vol 6223, Springer-Verlag, pp. 465-482.
[45] Gentry, C. (2009). Fully Homomorphic Encryption Using Ideal Lattices. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC’09), pp. 169-178, ACM Press, New York, NY, USA.
[47] Gentry, C., Halevi, S., & Smart, N. (2012). Better Bootstrapping in Fully Homomorphic Encryption. In: Proceedings of the 15th International Conference on Practice and Theory in Public Key Cryptography (PKC’12), Lecture Notes in Computer Science (LNCS), Vol 7293, Springer-Verlag, pp. 1-16.
[48] Gentry, C., Peikert, C., & Vaikuntanathan, V. (2008). Trapdoors for Hard Lattices and New Cryptographic Constructions. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC’08), pp. 197-206, ACM Press, New York, NY, USA.
[49] Goldreich, O., Goldwasser, S., & Halevi, S. (1997). Public-Key Cryptosystems from Lattice Reduction Problems. In: Advances in Cryptology - Proceedings of CRYPTO’97, Lecture Notes in Computer Science (LNCS), Vol 1294, Springer-Verlag, pp. 112-131.
[50] Goldwasser, S., Kalai, Y. T., & Rothblum, G. N. (2008). Delegating Computation: Interactive Proofs for Muggles. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC’08), pp. 113-122, ACM Press, New York, NY, USA.
[51] Goldwasser, S. & Micali, S. (1982). Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information. In: Proceedings of the 14th Annual ACM Symposium on Theory of Computing (STOC’82), pp. 365-377, ACM Press, New York, NY, USA.
[52] Goldwasser, S. & Micali, S. (1984). Probabilistic Encryption. Journal of Computer and System Sciences, Vol 28, Issue 2, pp. 270-299, April 1984.
[53] Golle, P., Jakobsson, M., Juels, A., & Syverson, P. (2004). Universal Re-Encryption for Mixnets. In: Topics in Cryptology - Proceedings of the RSA Conference Cryptographers’ Track (CT-RSA’04), Lecture Notes in Computer Science (LNCS), Vol 2964, Springer-Verlag, pp. 163-178.
[56] Groth, J. (2004). Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems. In: Proceedings of the 1st Theory of Cryptography Conference (TCC’04), Lecture Notes in Computer Science (LNCS), Vol 2951, Springer-Verlag, pp. 152-170.
[57] Hoffstein, J., Pipher, J., & Silverman, J. (1998). NTRU: A Ring-Based Public Key Cryptosystem. In: Proceedings of the 3rd International Symposium on Algorithmic Number Theory (ANTS-III), Lecture Notes in Computer Science (LNCS), Vol 1423, Springer-Verlag, pp. 267-288.
[58] Katz, J., Sahai, A., & Waters, B. (2013). Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products. Journal of Cryptology, Vol 26, Issue 2, pp. 191-224, April 2013, Springer-Verlag, Berlin, Heidelberg, Germany.
[59] Ko, K. H., Lee, S. J., Cheon, J. H., Han, J. W., Kang, J.-S., & Park, C. (2000). New Public-Key Cryptosystem Using Braid Groups. In: Advances in Cryptology - Proceedings of CRYPTO’00, Lecture Notes in Computer Science (LNCS), Vol 1880, Springer-Verlag, pp. 166-183.
[61] Lewko, A. B., Okamoto, T., Sahai, A., Takashima, K., & Waters, B. (2010). Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption. In: Advances in Cryptology - Proceedings of EUROCRYPT’10, Lecture Notes in Computer Science (LNCS), Vol 6110, Springer-Verlag, pp. 62-91.
[62] Lipmaa, H. (2003). Verifiable Homomorphic Oblivious Transfer and Private Equality Test. In: Advances in Cryptology - Proceedings of ASIACRYPT’03, Lecture Notes in Computer Science (LNCS), Vol 2894, Springer-Verlag, pp. 416-433.
[63] Ly, L. V. (2002). Polly Two - A Public-Key Cryptosystem Based on Polly Cracker. Doctoral Dissertation, Ruhr-Universität Bochum, Germany, October 2002.
[65] Lyubashevsky, V. & Micciancio, D. (2006). Generalized Compact Knapsacks are Collision Resistant. In: Proceedings of the 33rd International Colloquium on Automata, Languages and Programming (ICALP’06), Lecture Notes in Computer Science (LNCS), Vol 4052, Springer-Verlag, pp. 144-155.
[66] Lyubashevsky, V., Micciancio, D., Peikert, C., & Rosen, A. (2008). SWIFFT: A Modest Proposal for FFT Hashing. In: Proceedings of the 15th International Workshop on Fast Software Encryption (FSE’08), Lecture Notes in Computer Science (LNCS), Vol 5086, Springer-Verlag, pp. 54-72.
[67] Lyubashevsky, V., Peikert, C., & Regev, O. (2010). On Ideal Lattices and Learning with Errors over Rings. In: Advances in Cryptology - Proceedings of EUROCRYPT’10, Lecture Notes in Computer Science (LNCS), Vol 6110, Springer-Verlag, pp. 1-23.
[68] Menezes, A., van Oorschot, P., & Vanstone, S. (1997). Handbook of Applied Cryptography. CRC Press, USA. Available online at: http://www.cacr.math.uwaterloo.ca/hac/.
[69] Micciancio, D. (2007). Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions. Computational Complexity, Vol 16, No 4, pp. 365-411, December 2007.
[70] Micciancio, D. (2001). Improving Lattice Based Cryptosystems Using Hermite Normal Form. In: Cryptography and Lattices - Proceedings of the International Conference on Cryptography and Lattices (CaLC’01), Lecture Notes in Computer Science (LNCS), Vol 2146, Springer-Verlag, pp. 126-145.
[72] Naccache, D. & Stern, J. (1998). A New Public Key Cryptosystem Based on Higher Residues. In: Proceedings of the 5th ACM Conference on Computer and Communications Security (CCS’98), pp. 59-66, ACM Press, New York, NY, USA.
[73] Naehrig, M., Lauter, K., & Vaikuntanathan, V. (2011). Can Homomorphic Encryption be Practical? In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security (CCSW’11), pp. 113-124, ACM Press, New York, NY, USA.
[74] Nguyen, P. & Stern, J. (1999). Cryptanalysis of the Ajtai-Dwork Cryptosystem. In: Advances in Cryptology - Proceedings of CRYPTO’98, Lecture Notes in Computer Science (LNCS), Vol 1462, Springer-Verlag, New York, NY, USA, pp. 223-242.
[75] Ogura, N., Yamamoto, G., Kobayashi, T., & Uchiyama, S. (2010). An Improvement of Key Generation Algorithm for Gentry’s Homomorphic Encryption Scheme. In: Ad‐
[77] Okamoto, T., Uchiyama, S., & Fujisaki, E. (2000). EPOC: Efficient Probabilistic Public-Key Encryption. Technical Report, Proposal to IEEE P1363a, 2000. Available online at: http://grouper.ieee.org/groups/1363/StudyGroup/NewFam.html.
[78] Paeng, S.-H., Ha, K.-C., Kim, J. H., Chee, S., & Park, C. (2001). New Public Key Cryptosystem Using Finite Non Abelian Groups. In: Advances in Cryptology - Proceedings of CRYPTO’01, Lecture Notes in Computer Science (LNCS), Vol 2139, Springer-Verlag, pp. 470-485.
[79] Paillier, P. (2007). Impossibility Proofs for RSA Signatures in the Standard Model. In: Topics in Cryptology - Proceedings of the RSA Conference Cryptographers’ Track (CT-RSA’07), Lecture Notes in Computer Science (LNCS), Vol 4377, Springer-Verlag, pp. 31-48, San Francisco, California, USA.
[82] Peikert, C. & Rosen, A. (2007). Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors. In: Proceedings of the 39th Annual ACM Symposium on Theory of Computing (STOC’07), pp. 478-487, ACM Press, June 2007.
[83] Peikert, C. & Rosen, A. (2006). Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices. In: Theory of Cryptography - Proceedings of the 3rd Theory of Cryptography Conference (TCC’06), Lecture Notes in Computer Science (LNCS), Vol 3876, Springer-Verlag, pp. 145-166.
[84] Poupard, G. & Stern, J. (2000). Fair Encryption of RSA Keys. In: Advances in Cryptology - Proceedings of EUROCRYPT’00, Lecture Notes in Computer Science (LNCS), Vol 1807, Springer-Verlag, pp. 172-189.
[86] Regev, O. (2005). On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC’05), pp. 84-93, ACM Press, New York, NY, USA.
[87] Rivest, R., Adleman, L., & Dertouzos, M. (1978a). On Data Banks and Privacy Homomorphisms. In: Foundations of Secure Computation, pp. 169-177, Academic Press.
[88] Rivest, R., Shamir, A., & Adleman, L. (1978b). A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, Vol 21, No 2, pp. 120-126.
[89] Sahai, A. & Waters, B. (2005). Fuzzy Identity-Based Encryption. In: Advances in Cryptology - Proceedings of EUROCRYPT’05, Lecture Notes in Computer Science (LNCS), Vol 3494, Springer-Verlag, pp. 457-473.
[90] Sander, T. & Tschudin, C. F. (1998). Towards Mobile Cryptography. In: Proceedings of the IEEE Symposium on Security & Privacy, Oakland, California, USA, pp. 215-224, May 1998.
[91] Sander, T. & Tschudin, C. F. (1998a). Protecting Mobile Agents against Malicious Hosts. In: Mobile Agents and Security, Lecture Notes in Computer Science (LNCS), Vol 1419, Springer-Verlag, pp. 44-60.
[92] Sander, T., Young, A., & Yung, M. (1999). Non-Interactive CryptoComputing for NC1. In: Proceedings of the 40th Annual IEEE Symposium on Foundations of Computer Science (FOCS’99), pp. 554-566, October 1999.
[93] Shannon, C. (1949). Communication Theory of Secrecy Systems. Bell System Technical Journal, Vol 28, Issue 4, pp. 656-715, October 1949.
[94] Smart, N. P. & Vercauteren, F. (2010). Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes. In: Public Key Cryptography - Proceedings of the 13th International Conference on Practice and Theory in Public Key Cryptography (PKC’10), Lecture Notes in Computer Science (LNCS), Vol 6056, Springer-Verlag, pp. 420-443.
[95] Smart, N. P. & Vercauteren, F. (2012). Fully Homomorphic SIMD Operations. Designs, Codes and Cryptography, Springer, July 2012.
[96] Stehlé, D. & Steinfeld, R. (2010). Faster Fully Homomorphic Encryption. In: Advances in Cryptology - Proceedings of ASIACRYPT’10, Lecture Notes in Computer Science (LNCS), Vol 6477, Springer-Verlag, pp. 377-394.
[98] van Tilborg, H. C. A. & Jajodia, S. (Eds.) (2011). Encyclopedia of Cryptography and Security. Springer, New York, NY, USA.
[99] Vernam, G. S. (1926). Cipher Printing Telegraph Systems for Secret Wire and Radio Telegraphic Communications. Journal of the American Institute of Electrical Engineers, Vol 45, pp. 295-301.
[101] Wagner, N. R. & Magyarik, M. R. (1985). A Public Key Cryptosystem Based on the Word Problem. In: Advances in Cryptology - Proceedings of CRYPTO’84, Lecture Notes in Computer Science (LNCS), Vol 196, Springer-Verlag, pp. 19-36.