The core of the Distributed Public-Key TrustModel, examined by Lidong Zhou and Zygmund J.Haas [26] is the use of threshold cryptography in or- der to build a highly secure and available key management service. The difficulty of the establishment of a Certification Authority (CA) for key management in MANETs was mentioned in the introductory paragraph. Obviously, the CA, which is responsible for the security of the entire net- work, is a vulnerable single point of failure that must be continuously ac- cessible by every node. Threshold cryptography implicates sharing of a key by multiple entities called shareholders which are involved in authen- tication and encryption. In [26] the system, as a whole, has a public- /private-key pair and the private-key is distributed over n nodes. Conse- quently, a central Certification Authority is not necessary. All nodes in the network know the system’s public-key and trust any certificate signed us- ing the corresponding private-key. Additionally, each node has a pubic- /private-key pair and has the ability to submit requests to get the public- key of another node or requests to change its own public-key.
The ingenious idea is that (t+1) out of nshareholders have the ability to compute the private-key by combining their partial keys but not less then (t+1). In order to obtain the private-key, (t+1) nodes must be compro- mised. For the service of signing a certificate, each shareholder generates a partial signature for the certificate using its private key share and submits the partial signature to one arbitrary shareholder, called combiner. With (t+1) correct partial signatures the combiner is able to compute the signature for the certificate. In the case of one or more incorrect partial signatures generated by compromised nodes, it is not possible to unnoticeably estab- lish a legal signature for the certificate. Fortunately, the combiner has the ability to verify the correctness of the signature by using the system’s pub- lic-key. However, if the verification fails, the combiner tries other sets of (t + 1) partial signatures and continues this process until a verifiably cor- rect signature from (t+1) truthful partial parts can be established.
In order to tolerate mobile adversaries and to adapt to changes in the network the Distributed Public-Key Trust Model employs a share refresh- ing method. Mobile adversaries have the capacity to temporarily compro- mise one or more shareholders and can then move to the next victim. By this technique an adversary may compromise all shareholders and gather more than t or evenall private-key shares over an extended period of time. Finally, the adversary would be allowed to generate any valid certificate signed by the private-key. Share refreshing allows shareholders to com- pute new private-key shares from their old ones in collaboration, but without
54
Although the model offers strong security, like authentication of com- municating nodes, it has some factors that inhibit its deployment to mobile ad-hoc networks. The pre-establishment of a distributed central authority requires a huge computational complexity and asymmetric cryptographic operations are known to consume precious node battery power. Addition- ally, the (t+1) parts of the private key may not be reachable to a node re- quiring authentication and following asymmetric cryptographic services. Finally, the distribution of signed certificates within the MANET is not sufficiently discussed and questionable.
RSA-Based Threshold Cryptography in MANETs
Levent Ertaul and Nitu Chavan visualize in [8] the potentialities and diffi- culties of RSA-based threshold cryptography in MANETs. The examined RSA threshold scheme involves key generation, encryption, share genera- tion, share verification, and share combining algorithm. It employs the Shamir’s t-out-of-n scheme based on Lagrange’s interpolation. The central idea of this secret sharing scheme is the construction of a (t – 1)-degree polynomial over the field GF(q) in order to allow t out of n entities to con- struct the secret.
f(x) = a0 + a1 x + … + at-1 xt-1 (3.1)
disclosing the private-key. The new shares are independent from the old and because of this the adversary cannot combine old with new shares in order to recover the private-key.
The coefficient a0 is the secret and all other coefficients are random ele- ments in the field. The field is known by all entities and each of the n shares is a pair (xi, yi) fulfilling the following condition:
f(xi) = yi and xi≠0 (3.2)
With t known shares, the polynomial is uniquely determined and the se- cret a0 can be computed. The success of the scheme is based on the fact that using t-1 shares, the secret can be any element of the field and is not determinable.
The RSA-Based Threshold Cryptography approach makes use of this se- cret sharing scheme in the following way. After node A has constructed its public-/private-key pair (e,d), the threshold is determined. If node A has n neighbors then the private-key d is partitioned into n partial keys and the neighbors act as shareholders. The threshold t is randomly selected under certain conditions:
t ≥ (n+1)/2, t < n, where n ≥ 2 (3.3)
Applying Trust in Mobile and Wireless Networks 55
In the subsequent step Shamir’s secret sharing scheme is applied to cal- culate key shares and for combining partial messages. Depending on the type of threshold scheme, the secret, and this is always the coefficient a0 of the polynomial, is different. For threshold encryption, the coefficient a0 would be e, while for threshold decryption it would be set to d.
We consider a RSA-Based Threshold Cryptography based signature scheme between nodes A and B. At first, node A distributes the key shares together with the xi – values among its n neighbors acting as shareholders. xi – values are selected by A and are public coordinates. The threshold t is not published to the shareholders and A notifies only B about t and its public- key e. Consequently, each neighbor has the ability to calculate the partial key f(xi). Then, A sends the message M securely to all shareholders for par- tial signature generation. Shareholders apply f(xi)s to M and send the partial signature Cis along with the xi – values to node B. After obtaining at least t partial signature Cis, B sends t selected Cis to A for recovery of C. B en- crypts xi – values using A’s public-key e. In the following, A calculates xi ´- values using Lagrange interpolation and sends them back to B. Finally, B combines the xi ´- values to the partial signatures in order to get the original C. With Ce= M, node B gets the message M for verification.
Due to the exponential computations, the RSA-Based Threshold Cryp- tography scheme requires lots of computational capacity, bandwidth, power and storage. Thus, the authors stress that this approach is unsuitable in resource-constrained MANETs. Another crucial vulnerability of this system is the fact that the neighbors acting as shareholders must not au- thenticate towards node A, from which they get the message M as well as the xi – values. If the attacker compromises n-t or even more shareholders he will be able to fake partial signatures in order to disturb the communica- tion between A and B. Although RSA-Based Threshold Cryptography does not need a central party to generate shares, it does not consider the vulner- ability of wireless links and does not apply to mobility and the dynami- cally changing network topology in MANETs.
ECC-Based Threshold Cryptography in MANETs
As a result of previous achievements, Levent Ertaul and Nitu Chavan adapt their idea to ECC-based threshold cryptography in [9]. Due to the combination of threshold cryptography and Elliptic Curve Cryptography, to securely transmit messages in n shares within mobile ad-hoc networks, the performance of ECC-based threshold cryptography is more efficient in comparison to RSA-based threshold cryptography.
56
Table 3.1 [20] demonstrates, that key sizes can be selected to be much smaller for ECC than for RSA achieving the same level of security and pro- tection against known attacks.
Although threshold cryptography is a significant approach to build a key management service by distributing the key among a group of entities, the amount of communication for generating the keys, determining the thresh- old and generating the share could be beyond the scope of available re- sources in mobile ad-hoc networks, such as computational power, without even considering the problem of finding out a number of routes of disjoint nodes between the sender and receiver in order to choose a number of n shares. All in all, this method is not well suitable for application in mobile ad-hoc networks.
Table 3.1. Key sizes for equivalent security levels in bits (© 2004 IEEE) Symmetric ECC RSA
80 163 1024
128 283 3072
192 409 7680
256 571 15360