10. ANALYSIS OF RESULTS
10.1 DOCUMENTARY ANALYSIS
[Figure 2: (a) regular PKC, in which an entity's own public/private key pair is bound to its identity by a certificate from a CA trust root; (b) identity-based PKC (IBC), in which the entity's identity is its public key and the PKG extracts the private key.]
Figure 2. Two forms of public-key cryptography systems.
model may not be applied to wireless ad hoc networks, where neither a PKI nor a CA hierarchy is easy to build or maintain in practice.
Unlike regular PKC, in which an entity generates its public-key and private-key (or obtains them from a PKI) and has the public-key certified by a CA, in IBC the entity proposes a unique identity (e.g., [email protected]), which is also its public-key. A private-key generator (PKG) extracts the corresponding private-key from the public system parameters and the master-key that is known only to the PKG. The procedure is shown in Fig. 2(b). For example, when a peer $i$ wants to send a message $m$ to another peer $k$ (see Fig. 1), $m$ is encrypted with $k$'s identity $id_k$ and the system parameters; only $k$ can decrypt the encrypted message, using its private-key $pk_k$ and the system parameters. When $k$ signs the receipt of $m$, the receipt is manipulated with $pk_k$ and is verifiable by everyone knowing $id_k$. $i$ has to know $id_k$ when communicating with $k$, and no one else can compromise these procedures without knowing $pk_k$. Also, IBC can bootstrap symmetric cryptographic procedures by establishing a shared-key $sk_{i,k}$ for $i$ and $k$.
The concept of IBC was first introduced by Shamir in 1984 [19], and several efficient IBC-based signature schemes were found subsequently. However, non-mediated IBC-based encryption (IBE) has proved to be much more challenging, and it is only relatively recently that practical IBE schemes were found [8]. The first efficient and secure IBE scheme was given by Boneh and Franklin in 2001; it employs the Weil pairing on elliptic curves and is considered more efficient than regular RSA-based counterparts [20]. Its security is based on the bilinear Diffie-Hellman problem (BDHP), which is considered secure in the random oracle model (ROM) [21]. The Boneh-Franklin (BF-IBE) scheme is semantically secure against chosen ciphertext attacks, even when an adversary has the private-key of any entity other than the one being attacked. Lynn extended the BF-IBE scheme to provide message authenticity without extra computation cost; i.e., receivers can verify the identity of senders and whether the received messages have been tampered with, even without resorting to digital signatures [22].
Based on the latest advances in IBC and related techniques, in the next section we will design key management schemes to bootstrap secure communications among identifiable peers in wireless ad hoc networks, without PKIs, CAs, key directories, always-online authorities, or manually arranged pairwise preshared secrets among all involved peers.
90 JIANPING PAN, et al.
3. KEY MANAGEMENT
3.1. System Setup
Before an IBC-powered wireless ad hoc network becomes fully functional (i.e., allowing peers to join the system and request keying), an offline PKG first picks a random master-key $x \in \mathbb{Z}_q$ ($q$ is a prime and $\mathbb{Z}_q$ is an algebraic field) and a bilinear mapping $f : G \times G \to \mathbb{Z}_q$. $f$ is defined on the points of an elliptic curve (as a group $G$), and has the following property: for any $P, Q \in G$ and for any integers $a$ and $b$,

$$f(aP, bQ) = f(P, bQ)^a = f(aP, Q)^b = f(P, Q)^{ab}. \quad (3)$$

The PKG then picks a random generator $P$, and publishes $P$, $xP$, $f$ and four chosen cryptographic hash functions as the public system parameters. These hash functions, which will be explained shortly, are used to hash an arbitrary identity (e.g., any ASCII string) to a point on the elliptic curve ($H_1$), to achieve security against chosen ciphertext attacks ($H_2$ and $H_3$), and to encrypt plaintext ($H_4$), respectively. The PKG should keep $x$ secret, and no one else can derive $x$ even when they have both $P$ and $xP$.
Many offline entities (e.g., the ticketing booth of a recreation park) can assume the role of PKG, as long as they can keep the master-key secret and extract private-keys from the master-key for peers joining the system and requesting to be keyed. Once the private-key is extracted, a peer has no need to communicate with the PKG (nor to keep the PKG online), unless the peer wants to propose a new identity. Also, the offline PKG can key peers in batches (e.g., only during normal business hours), since peers can receive regular, encrypted information even before they request keying. Compared with an online PKI, the offline PKG has many advantages in wireless ad hoc networks. With a PKI, whenever a peer $k$ joins a system, the PKI should verify the binding between the public-key of $k$ and its identity, and either broadcast the authenticated public-key to all existing peers or keep the public-key in a central directory for queries from other peers. Whenever another peer $i$ wants to communicate with $k$, $i$ has to obtain both the identity and the public-key of $k$, and $i$ should have a way of verifying the public-key. The complexity of obtaining, verifying and managing public-keys creates considerable overhead in energy-constrained systems that rely on radio technologies to exchange identities, keys and data.
3.2. Peer Keying
When a peer $k$ joins an IBC-powered wireless ad hoc network, $k$ proposes a system-wide unique identity $id_k$ (or the PKG appends a timestamp or sequence number to the peer identity). The PKG obtains a corresponding point $Q = H_1(id_k)$ on the elliptic curve by hashing $id_k$, and extracts $k$'s private-key $pk_k = xQ$ from the master-key $x$.
$id_k$ can be the email address of $k$, concatenated with temporal or spatial properties (e.g., [email protected]@date@site). Identity ownership should be easily verifiable, e.g., by short-range encounters [23] when peers pass by the PKG, or by sending a request-to-confirm email to [email protected]. $pk_k$ is conveyed back to $k$ in a secure, out-of-band side
WIRELESS NETWORK SECURITY 91
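As an added example (not code from the paper), the PKG setup of Section 3.1, the private-key extraction $pk_k = xQ$ of Section 3.2, and the identity-based encryption and decryption described with Fig. 2(b) are carried through in Python, together with the non-interactive shared-key $sk_{i,k}$ that Eq. (3) also yields. The curve group and pairing are an assumed toy stand-in (the additive group $\mathbb{Z}_q$ with $f(A,B) = g^{AB} \bmod p$), which reproduces the bilinearity of Eq. (3) but none of the one-wayness, so it shows why decryption works, not a secure implementation.

```python
import hashlib
import secrets

# Constructed toy parameters: prime p with q = (p-1)/2 also prime, so g has order q.
P_MOD = 1019
Q_ORD = 509
G = pow(2, (P_MOD - 1) // Q_ORD, P_MOD)  # = 4, an element of order q

def hash_to_point(identity):
    """H1 stand-in: map an arbitrary identity string to a nonzero group element."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return 1 + h % (Q_ORD - 1)

def pairing(a, b):
    """Toy f(A, B) = g^(A*B mod q) mod p. Bilinear as in Eq. (3), but not one-way:
    the 'curve group' here is just Z_q, so x is trivially recoverable from xP."""
    return pow(G, (a * b) % Q_ORD, P_MOD)

def setup():
    """Offline PKG: pick master-key x and generator P; publish (P, xP), keep x."""
    x = secrets.randbelow(Q_ORD - 1) + 1
    P = secrets.randbelow(Q_ORD - 1) + 1
    return x, (P, (x * P) % Q_ORD)

def extract(x, identity):
    """PKG derives the private-key pk = x*Q with Q = H1(id) (Section 3.2)."""
    return (x * hash_to_point(identity)) % Q_ORD

def keystream(pairing_value, n):
    """H2/H4 stand-in: stretch a pairing value into an n-byte mask."""
    return hashlib.shake_256(str(pairing_value).encode()).digest(n)

def encrypt(params, identity, msg):
    """Sender i needs only id_k and the public params, never k's private-key."""
    P, xP = params
    r = secrets.randbelow(Q_ORD - 1) + 1
    g_id = pairing(hash_to_point(identity), xP)      # f(Q_k, xP) = f(Q_k, P)^x
    mask = keystream(pow(g_id, r, P_MOD), len(msg))  # f(Q_k, P)^(xr)
    return (r * P) % Q_ORD, bytes(m ^ k for m, k in zip(msg, mask))

def decrypt(pk, ct):
    """Receiver k recovers the same mask from its private-key and U = rP."""
    U, body = ct
    mask = keystream(pairing(pk, U), len(body))      # f(xQ_k, rP) = f(Q_k, P)^(xr)
    return bytes(c ^ k for c, k in zip(body, mask))

def shared_key(own_pk, peer_identity):
    """Non-interactive sk_{i,k}: f(pk_i, Q_k) = f(Q_i, Q_k)^x = f(Q_i, pk_k)."""
    return pairing(own_pk, hash_to_point(peer_identity))
```

Any party who knows only the public parameters and an identity can encrypt; only the holder of the extracted private-key, or the PKG holding $x$, can decrypt, which is exactly why the master-key must stay offline and secret.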