**Meet the editor**

Jaydip Sen has 18 years of experience in the field of networking, security and communication. He has worked in reputed organizations like Tata Consultancy Services, India, Oil and Natural Gas Corporation Ltd., India, Oracle India Pvt. Ltd., and Akamai Technology Pvt. Ltd, India. His research areas include security in wired and wireless networks, intrusion detection systems, secure routing protocols in wireless ad hoc and sensor networks, secure multicast and broadcast communication in next generation broadband wireless networks, trust and reputation based systems, quality of service in multimedia communication in wireless networks and cross layer optimization based resource allocation algorithms in next generation wireless networks, sensor networks, and privacy issues in ubiquitous and pervasive communication. He has more than 90 publications in reputed international books, journals and refereed conference proceedings. He is a member of ACM and IEEE.

## Contents

**Preface IX**  
Jaydip Sen

**Part 1 Security and Privacy in Computing and Communication Networks 1**

Chapter 1 **Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks 3**  
Jaydip Sen

Chapter 2 **Security from Location 35**  
Di Qiu, Dan Boneh, Sherman Lo and Per Enge

Chapter 3 **Anonymous Authentication Protocols for Vehicular Ad Hoc Networks: An Overview 53**  
Hu Xiong, Zhi Guan, Jianbin Hu and Zhong Chen

Chapter 4 **Security Approaches for Information-Centric Networking 73**  
Walter Wong and Maurício Ferreira Magalhães

Chapter 5 **Secure Platform Over Wireless Sensor Networks 99**  
Marco Pugliese, Luigi Pomante and Fortunato Santucci

Chapter 6 **Privacy-Secure Digital Watermarking for Fair Content Trading 125**  
Mitsuo Okada

Chapter 7 **NLM-MAC: Lightweight Secure Data Communication Framework Using Authenticated Encryption in Wireless Sensor Networks 153**  
Pardeep Kumar and Hoon-Jae Lee

Chapter 8 **Key Establishment Protocol for Wireless Sensor Networks 169**  
Ali Fanian and Mehdi Berenjkoub

**Part 2 Quantum Cryptography 197**

**Part 3 Evolutionary Concepts and Techniques in Security 265**

## Preface

We live in an era of unimaginably rapidly advancing and amazing technologies that enable instantaneous flow of information – anytime, anywhere. The convergence of computers and networks has been the key force behind the development of these awesome technologies. Increasing use of systems which are built using advanced information technologies is having a profound impact on our everyday lives. These technologies are becoming all pervasive and ubiquitous.

With the exponential growth of wireless telecommunication and information technologies and the increasingly dominant roles played by electronic commerce in every major industry, safeguarding of information travelling over the communication networks is increasingly becoming one of the most important and contentious challenges for the technology innovators. The key prerequisite for the continued development and successful exploitation of information technology and other related industries is the notion of information assurance that includes operations for protecting and defending information and information systems by ensuring their availability, integrity, authentication, non-repudiation and information confidentiality and privacy.

In this age of electronic connectivity, of viruses and hackers, of electronic eavesdropping and electronic fraud, network security has assumed increasing importance. Two trends are emerging very clearly in this regard. First, the explosive growth in computer systems and their interconnections via networks has increased the dependence of both organizations and individuals on the information stored and communicated using these systems. This, in turn, has led to a heightened awareness of the need to protect data and resources from disclosure, to guarantee the authenticity of data and messages, and to protect systems from network-based attacks. Second, the disciplines of cryptography and network security have matured, leading to the development of practical, readily available applications to enforce network security.

Cryptography will continue to play lead roles in developing new security solutions which will be in great demand with the advent of high-speed next-generation communication systems and networks. New cryptographic algorithms, protocols and tools must follow up in order to adapt to the new communication and computing technologies. Computing systems and communication protocols like IEEE 802.11 and IEEE 802.15 are increasingly becoming targets of attacks since the underlying radio communication medium for wireless networks provides serious security loopholes. New security mechanisms should be designed to defend against the increasingly complex and sophisticated attacks launched on networks and web-based applications. In addition to classical cryptographic algorithms, new approaches like chaos-based cryptography, DNA-based cryptography and quantum cryptography will play important roles.


The purpose of this book is to present some of the critical security challenges in today's communication networks and computing and to provide insights into possible mechanisms to defend against attacks. With this objective, the book provides a collection of research work in the field of cryptography and network security by some experts in these areas. The book contains 16 chapters which are divided into three parts. The chapters in Part 1 of the book largely deal with security and privacy issues in computing and communication networks. Part 2 includes chapters which are related to the field of quantum cryptography. The chapters dealing with the evolutionary concepts of cryptography and their applications, like chaos-based cryptography and DNA cryptography, are included in Part 3 of the book.

Part 1 of the book contains 8 chapters. In Chapter 1: *Secure and Privacy Preserving Authentication Protocols for Wireless Mesh Networks*, Sen has identified various vulnerabilities in wireless mesh networks and proposed a secure authentication and user privacy protection scheme for such networks. In Chapter 2: *Security from Location (...)*, Qiu et al. have presented a scheme for a location-based security service which limits access to the location information of a device to provide location privacy to the user of the device. In Chapter 3: *Privacy Issue in Vehicular Networks*, Xiong has identified various privacy issues in vehicular ad hoc networks and has presented a taxonomy for classification of various defense mechanisms against the privacy attacks. In Chapter 4: *Security Approaches for Information-Centric Networking*, Wong and Magalhães have presented two hash tree techniques that provide content authentication in information-centric networks based on the contents themselves instead of on the communication channel. In Chapter 5: *Secure platform over wireless sensor networks,* Pugliese et al. present a middleware service suite for the wireless sensor network platform that provides various security services in an application execution environment. In Chapter 6: *Privacy-Secure Digital Watermarking for Fair Content Trading*, Okada discusses a privacy-preserving digital watermarking scheme to defend against cyber attacks and content piracy. In Chapter 7: *NLM-MAC: Lightweight Secure Data Communication Framework using Authenticated Encryption in Wireless Sensor Networks*, Kumar and Lee propose a lightweight stream cipher for encrypting traffic in a wireless sensor network. For authentication and integrity of the messages, a message authentication code named "NLM-MAC" has been proposed that is suitable for resource-constrained sensor nodes. In Chapter 8: *Key Establishment Protocol for Wireless Sensor Networks*, Fanian and Berenjkoub propose and evaluate a key management protocol for wireless sensor networks.

Part 2 contains three chapters. In Chapter 9: *Quantum Cryptography*, Chen et al. provide a basic survey on quantum cryptography, particularly focussing on the fundamental concepts of quantum cryptography, its current state of the art, the use of quantum cryptography in network security applications and its future research trends. In Chapter 10: *Quantum Key Management*, Schartner and Rass discuss various issues related to key management in quantum cryptography, such as how quantum access nodes are maintained, how authentication can be done in a quantum network without preshared keys, how to recover from a possible node or network failure, etc. In Chapter 11: *Securing Telecom Services using Quantum Cryptographic Mechanisms,* Handoura discusses various security threats in a telecommunication network and proposes a security mechanism based on the principles of quantum cryptography to defend against those attacks.


Part 3 of the book consists of five chapters. In Chapter 12: *Notions of Chaotic Cryptography: Sketch of a Chaos based Cryptosystem*, Pellicer-Lostao and López-Ruiz present some fundamental concepts of chaos, the relation between chaos and cryptography, different kinds of chaotic cryptosystems and their main characteristics. In Chapter 13: *Chaotic Electronic Circuits in Cryptography*, Šalamon describes a model of a well-known analog chaotic circuit, Chua's circuit, which is used in a cryptosystem as a pseudo-random number sequence generator. It also discusses the use of chaotic circuits in cryptography, focussing on chaotic encryption techniques. In Chapter 14: *An En/Decryption Machine based on Statistical Physics*, Perez et al. present a short review of the algorithms used to simulate a two-dimensional Ising spin lattice model. A cipher key generator is also proposed and evaluated. In Chapter 15: *Modern Technologies used for Security of Software,* Hodorogea and Otto emphasize the need for robust security mechanisms in enterprise software development models and discuss the design and development of DNA cryptographic keys based on evolutionary models. In Chapter 16: *DNA Cryptography and an Example Algorithm*, Zhang et al. present a DNA encryption algorithm based on PCR amplification technology. The authors have used the concepts of chaotic systems, using logistic chaos mapping and Henon chaos mapping, to produce the cipher text from the plain text while eliminating any possible statistical correlations among the plain text/cipher text pairs.

The book can be very useful for researchers, engineers, graduate and doctoral students working in cryptography and security-related areas. It can also be very useful for faculty members of graduate schools and universities. However, it is not a basic tutorial on cryptography and network security. Hence, it does not have any detailed introductory information on these topics. The readers need to have at least some basic knowledge of theoretical cryptography and the fundamentals of network security. The book should also not be taken as a detailed research report. While some chapters simply present some specific problems and their solutions that might be helpful for graduate students, some talk about fundamental information that might be useful for general readers. Some of the chapters present in-depth cryptography and security-related theories and the latest updates in a particular research area that might be useful to advanced readers and researchers in identifying their research directions and formulating problems to solve.

My sincere thanks go to the authors of different chapters of the book without whose invaluable contributions, this project would never have been possible. All the authors have been extremely cooperative on different occasions during the submission, review, and editing process of the book. I would like to express my special gratitude to Ms. Martina Durovic and Ms. Mirna Cvijic of Intech Publisher for their support, encouragement, patience and cooperation during the entire period of publication of the book. Finally, I would like to thank my mother Kishna Sen, my wife Nalanda Sen and my daughter Ritabrata Sen for their continuous support and encouragement throughout the entire period of the publication project.

> **Jaydip Sen**  
> Senior Scientist, Innovation Lab, Tata Consultancy Services, Kolkata, India

## **Part 1**

**Security and Privacy in Computing and Communication Networks** 


## **Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks**

Jaydip Sen  
*Innovation Lab, Tata Consultancy Services Ltd., India*

## **1. Introduction**

*Wireless mesh networks* (WMNs) have emerged as a promising concept to meet the challenges in next-generation wireless networks such as providing flexible, adaptive, and reconfigurable architecture while offering cost-effective solutions to service providers (Akyildiz et al., 2005). WMNs are multi-hop networks consisting of *mesh routers* (MRs), which form wireless mesh backbones and *mesh clients* (MCs). The mesh routers provide a rich radio mesh connectivity which significantly reduces the up-front deployment cost of the network. Mesh routers are typically stationary and do not have power constraints. However, the clients are mobile and energy-constrained. Some mesh routers are designated as gateway routers which are connected to the Internet through a wired backbone. A gateway router provides access to conventional clients and interconnects ad hoc, sensor, cellular, and other networks to the Internet. The gateway routers are also referred to as the *Internet gateways* (IGWs). A mesh network can provide multi-hop communication paths between wireless clients, thereby serving as a community network, or can provide multi-hop paths between the client and the gateway router, thereby providing broadband Internet access to the clients.

As WMNs become an increasingly popular replacement technology for last-mile connectivity in home networking, community and neighborhood networking, it is imperative to design efficient and secure communication protocols for these networks. However, several vulnerabilities exist in the current protocols of WMNs. These security loopholes can be exploited by potential attackers to launch attacks on WMNs. The absence of a central point of administration makes securing WMNs even more challenging. Security is, therefore, an issue of prime importance in WMNs (Sen, 2011). Since in a WMN traffic from the end users is relayed via multiple wireless mesh routers, preserving the privacy of the user data is also a critical requirement (Wu et al., 2006a). Some of the existing security and privacy protection protocols for WMNs are based on the trust and reputation of the network entities (Sen, 2010a; Sen, 2010b). However, many of these schemes are primarily designed for *mobile ad hoc networks* (MANETs) (Sen, 2006; Sen, 2010c), and hence these protocols do not perform well in large-scale hybrid WMN environments.

The broadcast nature of transmission and the dependency on the intermediate nodes for multi-hop communications lead to several security vulnerabilities in WMNs. The attacks can be external as well as internal in nature. External attacks are launched by intruders who are not authorized users of the network. For example, an intruding node may eavesdrop on the packets and replay those packets at a later point of time to gain access to the network resources. On the other hand, the internal attacks are launched by the nodes that are part of the WMN. One example of such an attack is an intermediate node dropping packets which it was supposed to forward. To prevent external attacks in vulnerable networks such as WMNs, strong authentication and access control mechanisms should be in place for practical deployment and use of WMNs. A secure authentication scheme should enable two communicating entities (either a pair of MC and MR or a pair of MCs) to validate the authenticity of each other and generate shared session keys which can be used in cryptographic algorithms for enforcing message confidentiality and integrity. As in other wireless networks, a weak authentication scheme can easily be compromised due to several reasons such as the distributed network architecture, the broadcast nature of the wireless medium, and the dynamic network topology (Akyildiz et al., 2005). Moreover, the behavior of an MC or MR can be easily monitored or traced in a WMN by adversaries due to the use of the wireless channel, multi-hop connection through third parties, and the converged traffic pattern traversing through the IGW nodes. Under such a scenario, it is imperative to hide an active node that connects to an IGW by making it anonymous. Since on the Internet side traditional anonymous routing approaches are not implemented, or may be compromised by strong attackers, such protections are extremely critical (X. Wu & Li, 2006).

This chapter presents a comprehensive discussion on the current authentication and privacy protection schemes for WMNs. In addition, it proposes a novel security protocol for node authentication and message confidentiality and an anonymization scheme for privacy protection of users in WMNs.

The rest of this chapter is organized as follows. Section 2 discusses the issues related to access control and authentication in WMNs. Various security vulnerabilities in the authentication and access control mechanisms for WMNs are first presented and then a list of requirements (i.e. properties) of a secure authentication scheme in an open and large-scale, hybrid WMN is discussed. Section 3 highlights the importance of protecting user privacy in WMNs. Section 4 presents a state-of-the-art survey on the current authentication and privacy protection schemes for WMNs. Each of the schemes is discussed with respect to its applicability, performance efficiency and shortcomings. Section 5 presents the details of a hierarchical architecture of a WMN and the assumptions made for the design of a secure and anonymous authentication protocol for WMNs. Section 6 describes the proposed key management scheme for secure authentication. Section 7 discusses the proposed privacy protection algorithm which ensures user anonymity. Section 8 presents some performance results of the proposed scheme. Section 9 concludes the chapter while highlighting some future directions of research in the field of secure authentication in WMNs.

## **2. Access control and authentication in WMNs**

Authentication and authorization are the first step towards prevention of fraudulent accesses by unauthorized users in a network. Authentication ensures that an MC and the corresponding MR can mutually validate their credentials with each other before the MC is allowed to access the network services. In this section, we first present various attacks in WMNs that can be launched on the authentication services and then enumerate the requirements for authentication under various scenarios.

#### **2.1 Security vulnerabilities in authentication schemes**

Several vulnerabilities exist in different protocols for WMNs. These vulnerabilities can be suitably exploited by potential attackers to degrade the network performance (Sen, 2011). The nodes in a WMN depend on the cooperation of other nodes in the network for their successful operations. Consequently, the *medium access control* (MAC) layer and the network layer protocols for these networks usually assume that the participating nodes are honest and well-behaving with no malicious or dishonest intentions. In practice, however, some nodes in a WMN may behave in a selfish manner or may be compromised by malicious users. The assumed trust (which in reality may not exist) and the lack of accountability due to the absence of a central point of administration make the MAC and the network layer protocols vulnerable to various types of attacks. In this sub-section, we present a comprehensive discussion on various types of attacks on the existing authentication schemes of WMNs. A detailed list of various attacks on the different layers of the WMN communication protocol stack can be found in (Sen, 2011; Yi et al., 2010).

There are several types of attacks that are related to authentication in WMNs. These attacks are: (i) unauthorized access, (ii) replay attack, (iii) spoofing attack, (iv) denial of service (DoS) attack, (v) intentional collision of frames, (vi) pre-computation and partial matching attack, and (vii) compromised or forged MRs. These attacks are discussed in detail below.

**Unauthorized access**: in this attack, an unauthorized user gets access to the network services by masquerading as a legitimate user.

Fig. 1. Illustration of MAC spoofing and replay attacks [Source: (Sen, 2011)]

**Replay attack:** the replay attack is a type of *man-in-the-middle* attack (Mishra & Arbaugh, 2002) that can be launched by external as well as internal nodes. An external malicious node can eavesdrop on the broadcast communication between two nodes (*A* and *B*) in the network as shown in Fig. 1. It can then transmit the legitimate messages at a later point of time to gain access to the network resources. Generally, the authentication information is replayed, whereby the attacker deceives a node (node *B* in Fig. 1) into believing that the attacker is a legitimate node (node *A* in Fig. 1). On a similar note, an internal malicious node, which is an intermediate hop between two communicating nodes, can keep a copy of all relayed data. It can then retransmit this data at a later point in time to gain unauthorized access to the network resources.
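The following Python sketch is an added illustration, not code from the chapter and not Sen's proposed protocol. It shows the two requirements raised in this section in working form: a mutual authentication exchange between an MC and an MR that leaves both sides holding the same session key, and the freshness checks (a per-request nonce cache together with a timestamp window) by which the MR refuses a replayed authentication message of the kind shown in Fig. 1. It assumes a pre-shared long-term key between the two nodes, HMAC-SHA256 as the message tag, and the hypothetical message names REQ, RESP and CONF; node identifiers, keys and the replayed message are all constructed here.

```python
import hashlib
import hmac
import os
import time

TIME_WINDOW = 30  # seconds of clock skew or delivery delay tolerated for message 1


def mac(key, *fields):
    """HMAC-SHA256 over length-prefixed fields; the prefix removes field-boundary ambiguity."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


def session_key(key, nonce_mc, nonce_mr):
    """Both sides derive the same session key from the shared key and both nonces."""
    return mac(key, b"session", nonce_mc, nonce_mr)


class Node:
    """A mesh client (MC) or mesh router (MR): shared key, replay cache, exchanges in flight."""

    def __init__(self, node_id, key, clock=time.time):
        self.node_id, self.key, self.clock = node_id, key, clock
        self.seen = {}     # request nonce -> arrival time; replay cache pruned to the window
        self.pending = {}  # peer id -> state of the exchange we started or answered

    def _fresh_request(self, nonce, ts):
        now = self.clock()
        # Nonces older than the window can be forgotten: the timestamp check stops them anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= TIME_WINDOW}
        if abs(now - ts) > TIME_WINDOW or nonce in self.seen:
            return False   # stale or future-dated, or already seen inside the window
        self.seen[nonce] = now
        return True

    # Message 1, MC -> MR: a fresh nonce and a timestamp give the MR a freshness reference.
    def request(self, mr_id):
        nonce, ts = os.urandom(16), int(self.clock())
        self.pending[mr_id] = nonce
        tag = mac(self.key, b"REQ", self.node_id, mr_id, nonce, str(ts).encode())
        return {"id": self.node_id, "nonce": nonce, "ts": ts, "tag": tag}

    # Message 2, MR -> MC: echoing the MC's nonce under the shared key authenticates MR to MC.
    def respond(self, req):
        expected = mac(self.key, b"REQ", req["id"], self.node_id, req["nonce"], str(req["ts"]).encode())
        if not hmac.compare_digest(expected, req["tag"]):
            return None    # forged or modified request
        if not self._fresh_request(req["nonce"], req["ts"]):
            return None    # replayed request, the Fig. 1 scenario
        nonce = os.urandom(16)
        self.pending[req["id"]] = (nonce, req["nonce"])
        tag = mac(self.key, b"RESP", self.node_id, req["id"], nonce, req["nonce"])
        return {"id": self.node_id, "nonce": nonce, "echo": req["nonce"], "tag": tag}

    # Message 3, MC -> MR: echoing the MR's nonce authenticates MC to MR; MC now has the key.
    def confirm(self, resp):
        my_nonce = self.pending.get(resp["id"])
        expected = mac(self.key, b"RESP", resp["id"], self.node_id, resp["nonce"], resp["echo"])
        if my_nonce is None or resp["echo"] != my_nonce or not hmac.compare_digest(expected, resp["tag"]):
            return None, None
        del self.pending[resp["id"]]   # one response per request; a replayed response matches nothing
        tag = mac(self.key, b"CONF", self.node_id, resp["id"], resp["nonce"])
        return {"id": self.node_id, "echo": resp["nonce"], "tag": tag}, session_key(self.key, my_nonce, resp["nonce"])

    def finish(self, conf):
        state = self.pending.get(conf["id"])
        if state is None:
            return None    # nothing in flight: a replayed or unsolicited confirmation
        my_nonce, peer_nonce = state
        expected = mac(self.key, b"CONF", conf["id"], self.node_id, my_nonce)
        if conf["echo"] != my_nonce or not hmac.compare_digest(expected, conf["tag"]):
            return None
        del self.pending[conf["id"]]
        return session_key(self.key, peer_nonce, my_nonce)


def run_exchange(key, clock=time.time):
    """Full three-message exchange; returns (MC session key, MR session key)."""
    mc, mr = Node(b"MC-1", key, clock), Node(b"MR-7", key, clock)
    req = mc.request(mr.node_id)
    conf, k_mc = mc.confirm(mr.respond(req))
    return k_mc, mr.finish(conf)


def replay_is_rejected(key):
    """A second delivery of the same request (constructed replay) must be refused by the MR."""
    mc, mr = Node(b"MC-1", key), Node(b"MR-7", key)
    req = mc.request(mr.node_id)
    first, replayed = mr.respond(req), mr.respond(dict(req))
    return first is not None and replayed is None


def stale_is_rejected(key):
    """A request held back past the window is refused even by a node with an empty cache."""
    fake_clock = [1_000_000.0]

    def clock():
        return fake_clock[0]

    mc, mr = Node(b"MC-1", key, clock), Node(b"MR-7", key, clock)
    req = mc.request(mr.node_id)
    fake_clock[0] += TIME_WINDOW + 1   # delivered only after the window has closed
    return mr.respond(req) is None


if __name__ == "__main__":
    k = os.urandom(32)   # constructed long-term key shared by MC and MR
    k_mc, k_mr = run_exchange(k)
    print("session keys agree:", k_mc == k_mr)
    print("replay rejected:", replay_is_rejected(k), "stale rejected:", stale_is_rejected(k))
```

Only message 1 needs the timestamp and the nonce cache: the MR has no earlier state to tie it to, so it must judge freshness on its own. Messages 2 and 3 are fresh by construction, because each echoes a nonce the receiver generated moments before and discards once used, which is also why a captured response or confirmation replayed later finds nothing to match. The cache is bounded by the window, so a node's memory does not grow with the number of requests it has ever seen.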

4 Applied Cryptography and Network Security


There are several types of attacks that are related to authentication in WMNs. These attacks are: (i) unauthorized access, (ii) replay attack, (iii) spoofing attack, (iv) denial of service attack (DoS), (v) intentional collision of frames, (vi) pre-computation and partial matching attack, and (vii) compromised or forged MRs. These attacks are discussed in detail below.

**Unauthorized access**: in this attack, an unauthorized user gets access to the network services by masquerading as a legitimate user.

Fig. 1. Illustration of MAC spoofing and replay attacks [Source: (Sen, 2011)]

**Replay attack:** the replay attack is a type of *man-in-the-middle* attack (Mishra & Arbaugh, 2002) that can be launched by external as well as internal nodes. An external malicious node can eavesdrop on the broadcast communication between two nodes (*A* and *B*) in the network as shown in Fig. 1. It can then transmit legitimate messages at a later point of time to gain access to the network resources. Generally, the authentication information is replayed where the attacker deceives a node (node *B* in Fig. 1) to believe that the attacker is a legitimate node (node *A* in Fig. 1). On a similar note, an internal malicious node, which is an intermediate hop between two communicating nodes, can keep a copy of all relayed data. It can then retransmit this data at a later point in time to gain unauthorized access to the network resources.
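The receiver-side defence against the replay described above is a freshness check: every authentication message carries a timestamp and a random nonce, both covered by a MAC under the key shared by *A* and *B*, and the receiver rejects any message whose tag fails, whose timestamp lies outside a freshness window, or whose nonce it has already consumed. The following Python block is an added illustration, not code from this chapter or from any of the cited schemes; the shared key, the 30-second window and the message layout are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Long-term key shared by node A and node B. Constructed sample value; in a
# deployment it is the outcome of the authentication / key-management protocol.
SHARED_KEY = b"constructed-demo-key-shared-by-A-and-B"

# How far a message timestamp may deviate from the receiver clock (assumed value).
FRESHNESS_WINDOW = 30  # seconds


def _tag(key: bytes, ts: int, nonce: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 over timestamp || nonce || payload, so none can be altered."""
    return hmac.new(key, ts.to_bytes(8, "big") + nonce + payload, hashlib.sha256).digest()


def build_message(payload: bytes, key: bytes = SHARED_KEY, now=None) -> dict:
    """Sender side (node A): attach a timestamp, a fresh random nonce and the tag."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16)
    return {"ts": ts, "nonce": nonce, "payload": payload, "tag": _tag(key, ts, nonce, payload)}


class ReplayGuard:
    """Receiver side (node B): verifies the tag, then enforces freshness and nonce uniqueness."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp, so stale entries can be expired

    def accept(self, msg: dict, now=None) -> bool:
        now = time.time() if now is None else now
        expected = _tag(self.key, msg["ts"], msg["nonce"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False  # forged or modified message
        if abs(now - msg["ts"]) > self.window:
            return False  # stale: an old capture replayed outside the window
        if msg["nonce"] in self.seen:
            return False  # replay: this nonce was already consumed
        # Drop nonces older than the window; anything that old fails the time check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        self.seen[msg["nonce"]] = msg["ts"]
        return True


if __name__ == "__main__":
    guard = ReplayGuard()
    msg = build_message(b"AUTH-REQ from A")
    print("first delivery accepted:", guard.accept(msg))
    print("verbatim replay accepted:", guard.accept(msg))
```

The nonce cache only has to cover the freshness window, which keeps the receiver's state bounded; a message older than the window is rejected by the timestamp check alone, so its nonce need not be remembered.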

**Spoof attack:** spoofing is the act of forging a legitimate MAC or IP address. IP spoofing is quite common in multi-hop communications in WMNs. In an IP spoofing attack, an adversary inserts a false source address (or the address of a legitimate node) into the packets forwarded by it. Using such a spoofed address, the malicious attacker can intercept a termination request and hijack a session. In MAC address spoofing, the attacker modifies the MAC address in transmitted frames from a legitimate node. MAC address spoofing enables the attacker to evade *intrusion detection systems* (IDSs) that may be in place.

**DoS attack:** in this attack, a malicious attacker sends a flood of packets to an MR, thereby causing a buffer overflow in the router. Another well-known security flaw can be exploited by an attacker: a malicious attacker can send false termination messages on behalf of a legitimate MC, thereby preventing a legitimate user from accessing network services.

**Intentional collision of frames:** a collision occurs when two nodes attempt to transmit on the same frequency simultaneously (Wood & Stankovic, 2002). When frames collide, they are discarded and need to be retransmitted. An adversary may strategically cause collisions in specific packets such as acknowledgment (ACK) control messages. A possible result of such collision is the costly exponential back-off. The adversary may simply violate the communication protocol and continuously transmit messages in an attempt to generate collisions. Repeated collisions can also be used by an attacker to cause resource exhaustion. For example, a naïve MAC layer implementation may continuously attempt to retransmit the corrupted packets. Unless these retransmissions are detected early, the energy levels of the nodes would be exhausted quickly. An attacker may cause unfairness by intermittently using the MAC layer attacks. In this case, the adversary causes degradation of real-time applications running on other nodes by intermittently disrupting their frame transmissions.

**Pre-computation and partial matching attack:** unlike the attacks mentioned above, where the MAC protocol vulnerabilities are exploited, these attacks exploit the vulnerabilities in the security mechanisms that are employed to secure the MAC layer of the network. Pre-computation and partial matching attacks exploit the cryptographic primitives that are used at the MAC layer to secure the communication. In a pre-computation attack, or *time memory trade-off* (TMTO) attack, the attacker computes a large amount of information (e.g., key, plaintext, and the corresponding ciphertext) and stores that information before launching the attack. When the actual transmission starts, the attacker uses the pre-computed information to speed up the cryptanalysis process. TMTO attacks are highly effective against a large number of cryptographic solutions. On the other hand, in a partial matching attack, the attacker has access to some (ciphertext, plaintext) pairs, which in turn decreases the encryption key strength, and improves the chances of success of the brute force mechanisms. Partial matching attacks exploit the weak implementations of encryption algorithms. For example, the IEEE 802.11i standard for MAC layer security in wireless networks is prone to the session hijacking attack and the *man-in-the-middle* attack that exploits the vulnerabilities in IEEE 802.1X. DoS attacks are possible on the four-way handshake procedure in IEEE 802.11i.

**Compromised or Forged MR:** an attacker may be able to compromise one or more MRs in a network by physical tampering or logical break-in. The adversary may also introduce rogue MRs to launch various types of attacks. The fake or compromised MRs may be used to attack the wireless link, thereby implementing attacks such as passive eavesdropping, jamming, replay and false message injection, traffic analysis, etc. The attacker may also advertise itself as a genuine MR by forging duplicate beacons procured by eavesdropping on genuine MRs in the network. When an MC receives these beacon messages, it assumes that it is within the radio coverage of a genuine MR, and initiates a registration procedure. The false MR can now extract the secret credentials of the MC and launch a spoofing attack on the network. This attack is possible in protocols which require an MC to be authenticated by an MR but not vice versa (He et al., 2011).

## **2.2 Requirements for authentication in WMNs**

On the basis of whether a central authentication server is available, there are two types of implementations of access control enforcements in WMNs: (i) centralized access control and (ii) distributed access control. For both these approaches, the access control policies should be implemented at the border of the mesh network. In the distributed access control, the access points could act as the distributed authentication servers. The authentication could also be performed in three different places:

- A remote central authentication center
- Local entities such as IGWs or MRs that play the role of an authentication server
- Local MRs

The main benefit of a central authentication server is the ease of management and maintenance. However, this approach suffers from the drawback of having a single point of failure. Due to higher *round trip time* (RTT) and authentication delay, a centralized authentication scheme in a multi-hop WMN is not desirable. Instead, authentication protocols are implemented in local nodes such as IGWs or MRs. For ensuring a higher level of availability of the network services, the authentication power is delegated to a group of MRs in order to avoid a single point of failure.

The objective of an authentication system is to guarantee that only the legitimate users have access to the network services. Any pair of network entities in a WMN (e.g., IGW, MR, and MC) may need to mutually authenticate if required. An MR and MC should be able to mutually authenticate each other to prevent unauthorized network access and other attacks. The MCs and MRs should be able to establish a shared pair-wise session key to encrypt messages. The protocol should have robust key generation, distribution and revocation procedures.

Several requirements have been identified in (Buttyan et al., 2010) for authentication mechanisms between MCs and MRs in a WMN. These requirements are summarized below:

- *Authentication should be fast enough to support user mobility*. In order to maintain the *quality of service* (QoS) of user applications on mobile MCs, the authentication process should be fast. Also, the re-authentication delays should be within the acceptable limit of handoff delay.
- *MCs and MRs should be able to authenticate themselves mutually*. During the authentication process, the MR authenticates the MC, but the MR also should prove its authenticity to the MC.
- *Authentication process should be resistant to DoS attacks*. Since a successful attack against the central authentication server will lead to a complete compromise of the security system in the network, the authentication process should be robust.


- *Authentication protocols should be compatible with standards*. In a multi-operator environment, it is mandatory that the authentication protocols are standardized so that an MC of one vendor should be able to authenticate with the MR of a different network operator.
- *Authentication protocols should be scalable*. Since the mesh networks have a large number of MCs, MRs and IGWs, the authentication protocol should be scalable and must not degrade in performance as the network size increases.

The mutual authentication protocols for MCs and MRs must use several keys for encrypting the credentials. The connection key management should satisfy the following requirements.

- *The connection keys should not reveal long term keys*. The connection keys that the MRs obtain during the authentication of the MCs should not reveal any long-term authentication keys. This requirement must hold because in the multi-operator environment, the MCs may associate to MRs operated by foreign operators.
- *The connection keys should be independent of each other*. As the neighboring MRs may not fully trust each other in a multi-operator environment, the authentication and key generation mechanism have to prevent an MR from deriving connection keys that are used at another MR.
- *The connection keys must be fresh in each session*. It must be ensured that the connection key derived during the authentication protocol for both participants (MC and MR) is fresh.

## **3. User privacy requirement in WMNs**

Privacy provision is an important issue to be considered for WMN deployment. However, privacy is difficult to achieve even if messages are protected, as there are no security solutions or mechanisms which can guarantee that data is not revealed by the authorized parties themselves (Moustafa, 2007). Thus, it is important that complementary solutions are in place. Moreover, communication privacy cannot be assured with message encryption alone, since the attackers can still observe who is communicating with whom as well as the frequency and duration of the communication sessions. This makes personal information susceptible to disclosure and subsequent misuse even when encryption mechanisms are in place. Furthermore, users in WMNs can be easily monitored or traced with regard to their presence and location, which causes the exposure of their personal life. Unauthorized parties can get access to the location information about the MCs' positions by observing their communications and traffic patterns. Consequently, there is a need to ensure location privacy in WMNs as well.

To control the usage of personal information and the disclosure of personal data, different types of information hiding mechanisms like anonymity, data masking, etc. should be implemented in WMN applications. The following approaches can be useful in information hiding, depending on what is needed to be protected:

- *Anonymity*: this is concerned with hiding the identity of the sender or receiver of the message or both of them. In fact, hiding the identity of both the sender and the receiver of the message can assure communication privacy. Thus, attackers monitoring the messages being communicated could not know who is communicating with whom, and so no personal information is disclosed.
- *Confidentiality*: it is concerned with hiding the transferred messages by using suitable data encryption algorithms. Instead of hiding the identity of the sender and the receiver of a message, the message itself is hidden in this approach.
- *Use of pseudonyms*: this is concerned with replacing the identity of the sender and the receiver of the message by pseudonyms which function as identifiers. The pseudonyms can be used as a reference to the communicating parties without infringing on their privacy, which helps to ensure that the users in the WMNs cannot be traced or identified by malicious adversaries. However, it is important to ensure that there exist no indirect ways by which the adversaries can link the pseudonyms with their corresponding real world entities.

Privacy has been a major concern of Internet users (Clarke, 1999). It has also been a particularly critical issue in the context of WMN-based Internet access, where users' traffic is forwarded via multiple MRs. In a community mesh network, this implies that the traffic of a residence can be observed by the MRs residing at its neighbors' premises. Therefore, privacy in WMNs has two different dimensions: (i) data confidentiality (or privacy) and (ii) traffic confidentiality. These issues are briefly described below:

- *Data confidentiality*: it is obvious that data content reveals user privacy on what is being communicated. Data confidentiality aims to protect the data content and prevent eavesdropping by intermediate MRs. Message encryption is a conventional approach for data confidentiality.
- *Traffic confidentiality*: traffic information such as with whom, when and how frequently the users are communicating, and the pattern of traffic also reveal critical privacy-sensitive information. The broadcast nature of wireless communication makes acquiring such information easy. In a WMN, attackers can conduct traffic analysis as MRs by simply listening to the channels to identify the "ups and downs" of the target's traffic. While data confidentiality can be achieved via message encryption, it is much harder to preserve traffic confidentiality (T. Wu et al., 2006).
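The connection-key requirements of Section 2.2 (keys that do not reveal the long-term key, are independent across MRs and are fresh per session) and the pseudonym approach described above both come down to one-way derivation from a secret the operator holds. The Python block below is an added example serving both passages; it is not code from this chapter or from any of the cited schemes. It derives, with HKDF (RFC 5869), a per-session connection key bound to the MC, the MR and both parties' nonces, and a per-session pseudonym that outsiders cannot link to the MC's real identity but that the home operator can resolve. The identifier formats, the long-term key value and the nonces are constructed for the demonstration.

```python
import hashlib
import hmac


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK from the input key, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Long-term authentication key shared by the MC and its home operator.
# Constructed sample value; an operator would provision this per subscriber.
MC_LONG_TERM_KEY = b"constructed-long-term-key-of-mc-42"
MC_REAL_ID = b"mc-42@home-operator"  # assumed identifier format


def derive_connection_key(long_term_key: bytes, mc_id: bytes, mr_id: bytes,
                          mc_nonce: bytes, mr_nonce: bytes) -> bytes:
    """Connection key for one MC/MR session.

    Binding the MR identity into `info` keeps keys at different MRs independent;
    binding both nonces into the salt makes every session's key fresh; and HKDF is
    one-way, so an MR holding the connection key learns nothing about the long-term key.
    """
    return hkdf(long_term_key, salt=mc_nonce + mr_nonce,
                info=b"wmn-connection-key|" + mc_id + b"|" + mr_id)


def derive_pseudonym(long_term_key: bytes, mc_id: bytes, session_nonce: bytes) -> str:
    """Per-session pseudonym: looks random to outsiders, changes every session,
    and can only be recomputed by a party that knows the long-term key."""
    return hkdf(long_term_key, salt=session_nonce,
                info=b"wmn-pseudonym|" + mc_id, length=16).hex()


class Operator:
    """The home operator resolves a pseudonym by recomputing it for each subscriber."""

    def __init__(self):
        self.subscribers = {MC_REAL_ID: MC_LONG_TERM_KEY}  # constructed subscriber table

    def resolve(self, pseudonym: str, session_nonce: bytes):
        for real_id, key in self.subscribers.items():
            if hmac.compare_digest(derive_pseudonym(key, real_id, session_nonce), pseudonym):
                return real_id
        return None  # unknown or mismatched pseudonym


def session_example(mr_id: bytes, mc_nonce: bytes, mr_nonce: bytes):
    """One MC/MR session: returns (connection key, pseudonym used for that session)."""
    key = derive_connection_key(MC_LONG_TERM_KEY, MC_REAL_ID, mr_id, mc_nonce, mr_nonce)
    pseudonym = derive_pseudonym(MC_LONG_TERM_KEY, MC_REAL_ID, mc_nonce)
    return key, pseudonym


if __name__ == "__main__":
    k1, p1 = session_example(b"mr-A", b"nonce-mc-1", b"nonce-mr-1")
    k2, p2 = session_example(b"mr-B", b"nonce-mc-1", b"nonce-mr-1")
    print("keys differ across MRs:", k1 != k2)
    print("operator resolves pseudonym:", Operator().resolve(p1, b"nonce-mc-1"))
```

Because the pseudonym depends on the session nonce, two sessions of the same MC yield unlinkable pseudonyms for an observer; resolution remains possible only for the operator, which is the indirect linkage the text warns must not be available to adversaries.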


## **4. Secure authentication and privacy protection schemes in WMNs**

Since security and privacy are two extremely important issues in any communication network, researchers have worked on these two areas extensively. However, as compared to MANETs and *wireless sensor networks* (WSNs) (Sen, 2009; Sen & Subramanyam, 2007), WMNs have received very little attention in this regard. In this section, we first present a brief discussion on some of the existing propositions for secure authentication and user privacy protection in WMNs. Later on, some of the mechanisms are discussed in detail in the following sub-sections.

In (Mishra & Arbaugh, 2002), a standard mechanism has been proposed for client authentication and access control to guarantee a high level of flexibility and transparency to all users in a wireless network. The users can access the mesh network without requiring any change in their devices and software. However, client mobility can pose severe problems to the security architecture, especially when real-time traffic is transmitted. To cope with this problem, *proactive key distribution* has been proposed in (Kassab et al., 2005; Prasad & Wang, 2005).

A scheme has also been proposed with the objective of hiding an active node that connects to a gateway router, where the active mesh node has to be anonymous. A novel communication protocol is designed to protect the node's privacy using both cryptography and redundancy. This protocol uses the concept of *onion routing* (Reed et al., 1998). A mobile user who requires anonymous communication sends a request to an *onion router* (OR). The OR acts as a proxy to the mobile user and constructs an onion route consisting of other ORs using the public keys of the routers. The onion is constructed such that the innermost part is the message for the intended destination, and the message is wrapped by being encrypted using the public keys of the ORs in the route. The mechanism protects the routing information from insider and outsider attacks. However, it has a high computation and communication overhead.

In the following sub-sections, some of the well-known authentication and privacy preservation schemes for WMNs are discussed briefly. For each of the schemes, its salient features and potential shortcomings are highlighted.

## **4.1 Local authentication based on public key certificates**

In the localized authentication, a *trusted third party* (TTP) serves as the trusted *certificate authority* (CA) that issues certificates. In (Buttyan & Dora, 2009), a localized authentication scheme is proposed in which authentication is performed locally between the MCs and the MRs in a hybrid large-scale WMN operated by a number of operators. Each operator maintains its own CA. Each CA is responsible for issuing certificates to its customers. Each CA maintains its own *certificate revocation list* (CRL). The CAs also issue cross-certificates among each other for enabling entities (MCs or MRs) subscribing to different operators to perform certificate-based authentications and key exchanges. To minimize authentication delay, the *provably secure key transport protocol* (Blake-Wilson & Menezes, 1998) proposed by Blake-Wilson and Menezes (BWM) has been used.

For authentication in multiple domains in a metropolitan area network, a localized authentication scheme has been proposed in (Lin et al., 2008). In this scheme, an *embedded two-factor authentication* mechanism is utilized to verify the authenticity of a roaming MC. The authenticity verification does not need any intervention of the home *Internet service provider* (ISP) of the MC. The two-factor authentication mechanism includes two methods of authentication: password and smart card. To minimize the *ping-pong effect*, the session key is cached in the current network domain. Whenever the MC requests a handoff into a neighboring MR which has a valid shared session key with the MC, a user-authenticated key agreement protocol with secret key cryptography is performed. Thus an expensive full authentication based on asymmetric key encryption is avoided. The protocol execution is fast since it involves encryption using only the symmetric key and keyed *hash message authentication codes* (HMACs).

The localized authentication schemes are based on the assumption that the MRs are trusted and fully protected by robust certificates. In practice, MRs are low cost devices and, without extra protection, these devices can easily be compromised. In the event an MR gets compromised, the local authentication schemes will fail. To defend against compromised MRs, a scheme based on a local voting strategy (Zhu et al., 2008) is adopted which works on the principle of the *threshold digital signature* mechanism (Cao et al., 2006).

Providing security in the backbone network of WMNs is another important challenge. Mesh networks typically employ resource-constrained mobile clients, which are difficult to protect against removal, tampering, or replication. If a device can be managed remotely, it can equally be compromised remotely (Ben Salem & Hubaux, 2006). Accordingly, several research efforts have investigated the use of cryptographic techniques to achieve secure communication in WMNs. In (Cheikhrouhou et al., 2006), a security architecture is proposed for multi-hop WMNs that employs PANA (Protocol for carrying Authentication for Network Access) (Parthasarathy, 2006). In this scheme, wireless clients are authenticated on producing the cryptographic credentials necessary to create an encrypted tunnel with the remote access router with which they are associated. Although such a framework protects the confidentiality of the exchanged information, it cannot prevent adversaries from mounting active attacks against the network itself. For instance, a malicious adversary can replay, modify, and forge the topology information exchanged among mesh devices in order to launch a denial-of-service attack. Moreover, PANA requires every mesh node to have an IP address, which is a serious constraint on the deployment of this protocol.

Authenticating transmitted data packets is one approach to preventing unauthorized nodes from accessing the resources of a WMN. A *light-weight hop-by-hop access protocol* (LHAP) has been proposed for authenticating mobile clients in dynamic wireless environments and preventing resource-consumption attacks (Zhu et al., 2006). LHAP implements light-weight hop-by-hop authentication, in which intermediate nodes authenticate every packet they receive before forwarding it. LHAP's packet authentication technique is based on one-way hash chains. Moreover, LHAP uses the TESLA protocol (Perrig et al., 2001) to reduce the number of public key operations needed for bootstrapping and maintaining trust between nodes.

In (Prasad et al., 2004), a lightweight *authentication, authorization and accounting* (AAA) infrastructure is proposed for providing continuous, on-demand, end-to-end security in heterogeneous networks, including WMNs. The notion of a security manager is realized through an AAA broker, which acts as a settlement agent, providing security and a central point of contact for many service providers.

The issue of user privacy in WMNs has also attracted the attention of the research community. In (T. Wu et al., 2006), a light-weight privacy-preserving solution is presented that balances network performance against traffic privacy. At the center of the solution is an information-theoretic metric called *traffic entropy*, which quantifies the amount of information required to describe a traffic pattern and is used to characterize how well traffic privacy is preserved. The authors also present a penalty-based shortest-path routing algorithm that maximally preserves traffic privacy by minimizing the mutual information of the traffic entropy observed at each individual relaying node, while keeping the degradation of network performance within an acceptable bound. An extensive simulation study demonstrates the soundness of the solution and its resilience against two colluding malicious observers. However, a major limitation is that the algorithm is evaluated only in a single-radio, single-channel WMN; its performance in a multi-radio, multi-channel scenario remains an open question. Moreover, the solution has a scalability problem. In (X. Wu & Li, 2006), a mechanism is proposed with the objective of hiding an active mesh node that connects to a gateway router, i.e., the active mesh node must remain anonymous. A communication protocol is designed to protect the node's privacy using both cryptography and redundancy. The protocol uses the concept of *onion routing* (Reed et al., 1998). A mobile user who requires anonymous communication sends a request to an *onion router* (OR). The OR acts as a proxy for the mobile user and constructs an onion route consisting of other ORs, using the public keys of those routers. The onion is constructed so that its innermost layer is the message for the intended destination, and successive layers are produced by encrypting with the public keys of the ORs along the route. The mechanism protects the routing information from both insider and outsider attacks. However, it has high computation and communication overhead.

In the following sub-sections, some well-known authentication and privacy-preservation schemes for WMNs are discussed briefly. For each scheme, its salient features and potential shortcomings are highlighted.

#### **4.1 Local authentication based on public key certificates**

In localized authentication, a *trusted third party* (TTP) serves as the trusted *certificate authority* (CA) that issues certificates. In (Buttyan & Dora, 2009), a localized authentication scheme is proposed in which authentication is performed locally between the MCs and the MRs in a hybrid large-scale WMN operated by a number of operators. Each operator maintains its own CA, which is responsible for issuing certificates to that operator's customers and for maintaining its own *certificate revocation list* (CRL). The CAs also issue cross-certificates to each other, so that entities (MCs or MRs) subscribing to different operators can perform certificate-based authentication and key exchange. To minimize authentication delay, the *provably secure key transport protocol* of Blake-Wilson and Menezes (BWM) (Blake-Wilson & Menezes, 1998) is used.

For authentication across multiple domains of a metropolitan area network, a localized authentication scheme has been proposed in (Lin et al., 2008). In this scheme, an *embedded two-factor authentication* mechanism is used to verify the authenticity of a roaming MC without any intervention of the MC's home *Internet service provider* (ISP). The two factors are a password and a smart card. To minimize the *ping-pong effect*, the session key is cached in the current network domain. Whenever the MC requests a handoff to a neighboring MR that already holds a valid session key shared with the MC, a user-authenticated key agreement protocol based on symmetric-key cryptography is run instead, so that an expensive full authentication based on asymmetric cryptography is avoided. The protocol executes quickly since it involves only symmetric-key encryption and keyed *hash message authentication codes* (HMACs).

The localized authentication schemes rest on the assumption that the MRs are trusted and fully protected by robust certificates. In practice, MRs are low-cost devices and, without extra protection, can easily be compromised. Once an MR is compromised, the local authentication schemes fail. To defend against compromised MRs, a scheme based on a local voting strategy has been proposed (Zhu et al., 2008), which works on the principle of the *threshold digital signature* mechanism (Cao et al., 2006).

Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks 13


#### **4.2 Authentication model based on 802.11i protocol**

In most commercial deployments of wireless local area networks (WLANs), IEEE 802.11i (IEEE 802.11i, 2004) is the most common approach to authentication at layer 2. However, IEEE 802.11i authentication does not fully address the vulnerabilities of WLANs (Moustafa, 2007). In IEEE 802.11i authentication, as shown in Fig. 2, the MC and the *authentication server* (AS) apply the 802.1X (IEEE 802.1X, 2001) authentication model and negotiate a *pair-wise master key* (PMK), either through an upper-layer authentication method or from a pre-shared secret. This key is generated by both the MC and the AS, which provides mutual authentication between them. The *access point* (AP) then receives a copy of the PMK from the AS, which authenticates the MC and authorizes its communication. Afterwards, a four-way handshake between the AP and the MC derives the encryption keys from the PMK; these keys protect the confidentiality of the traffic between the MC and the AP. If the MC roams to a new AP, it performs another full 802.1X authentication with the AS to derive a new PMK. For better performance, the PMK is cached by both the MC and the AP so that a later re-association does not require another full authentication. The design of 802.11i exhibits a potential vulnerability: a compromised AP can still authenticate itself to an MC and gain control over the connection. Furthermore, IEEE 802.11i does not provide a solution for multi-hop communication. Consequently, new mechanisms are needed for authentication and secure layer-2 link setup in WMNs (Moustafa, 2007).

Fig. 2. Schematic diagram of IEEE 802.11i authentication protocol [Source: (Moustafa, 2007)]
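The key hierarchy and four-way handshake described above, worked through in code. This is an added example written for this page, not code from the chapter, from (Moustafa, 2007) or from the IEEE 802.11i specification. The PSK-to-PMK derivation (PBKDF2-HMAC-SHA1, 4096 iterations), the PRF-384 expansion of the PTK into KCK, KEK and TK for CCMP, the HMAC-SHA1-128 key MIC and the PMKID used for PMK caching follow the 802.11i definitions; the MAC addresses, SSID, passphrase and the EAPOL-Key frame bodies are constructed stand-ins. The block also shows why the MIC matters: a party that does not hold the PMK (a rogue AP, or an MC presenting a wrong credential) cannot produce a valid MIC, so key confirmation fails before any temporal key is installed.

```python
"""Illustrative IEEE 802.11i (WPA2/CCMP) key hierarchy and four-way handshake."""
import hashlib
import hmac
import os

# Hypothetical addresses and credentials used only for this example.
AA = bytes.fromhex("020000000001")    # authenticator (AP / MR) MAC address
SPA = bytes.fromhex("020000000002")   # supplicant (MC) MAC address
SSID = "example-mesh"
PASSPHRASE = "correct horse battery staple"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK case: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(nonces)||Max(nonces)).
    Returns (KCK, KEK, TK): key-confirmation key, key-encryption key, temporal key (CCMP)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for the HMAC-SHA1 AKM: first 128 bits of HMAC-SHA1(KCK, EAPOL-Key frame)."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); names a cached PMK on re-association."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_ap: bytes, pmk_sta: bytes, anonce: bytes = None, snonce: bytes = None):
    """Run the handshake with the AP holding pmk_ap and the MC holding pmk_sta.
    Returns the agreed TK, or None if key confirmation fails on either side."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Message 1 (AP -> MC): ANonce, sent in the clear and unauthenticated.
    # Message 2 (MC -> AP): SNonce plus a MIC computed with the MC's KCK.
    kck_sta, _, tk_sta = derive_ptk(pmk_sta, AA, SPA, anonce, snonce)
    msg2 = b"EAPOL-Key:2" + snonce            # constructed stand-in for the frame body
    mic2 = eapol_mic(kck_sta, msg2)
    # The AP derives its own PTK and checks the MIC: this proves the MC knows the PMK.
    kck_ap, _, tk_ap = derive_ptk(pmk_ap, AA, SPA, anonce, snonce)
    if not hmac.compare_digest(mic2, eapol_mic(kck_ap, msg2)):
        return None
    # Message 3 (AP -> MC): ANonce again plus a MIC with the AP's KCK (GTK delivery omitted);
    # the MC checks it, which proves the AP knows the PMK too.
    msg3 = b"EAPOL-Key:3" + anonce
    if not hmac.compare_digest(eapol_mic(kck_ap, msg3), eapol_mic(kck_sta, msg3)):
        return None
    # Message 4 (MC -> AP): MIC only; both sides now install the same TK.
    assert tk_sta == tk_ap
    return tk_ap


if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)
    print("TK =", four_way_handshake(pmk, pmk).hex())
    print("PMKID for the PMK cache =", pmkid(pmk, AA, SPA).hex())
    # An AP that does not hold the real PMK fails key confirmation at message 3.
    print("rogue AP result:", four_way_handshake(derive_pmk("wrong", SSID), pmk))
```

The PMK caching discussed above is keyed by `pmkid()`: on re-association the MC lists the PMKIDs it holds, and an AP that finds a match skips 802.1X and goes straight to the four-way handshake. The handshake still has to run, because only the fresh nonces bind the derived TK to this association.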

*Wireless dual authentication protocol* (WDAP) (Zheng et al., 2005) was proposed for 802.11 WLANs and can be extended to WMNs. WDAP authenticates both MCs and APs and overcomes the shortcomings of earlier authentication protocols. The name "dual" reflects the fact that the AS authenticates both the MC and the AP. As in the four-way handshake of IEEE 802.11i, this protocol also generates a session key that protects the confidentiality of messages exchanged between the MC and the AP after successful authentication. WDAP provides authentication during the initial connection. For roaming, it has three sub-protocols: an authentication protocol, a de-authentication protocol, and a roaming authentication protocol.


Fig. 3. Schematic diagram of the authentication process in WDAP [Source: (Moustafa, 2007)]

Fig. 3 illustrates the WDAP authentication process. In the authentication protocol, the AP receives the authentication request from the MC, creates an authentication request for itself, and concatenates the two. The concatenated request is sent to the AS. Since neither the MC nor the AP trusts the other until the AS has authenticated both of them, WDAP is a dual authentication protocol. If authentication succeeds, the AS generates a session key and sends it to the AP. The AP forwards this key to the MC, encrypted under the key it shares with the MC. The session key is thus shared between the AP and the MC for secure communication and for secure de-authentication when the session ends. When an MC finishes a session with an AP, secure de-authentication prevents the connection from being exploited by an adversary. Using WDAP in WMN environments ensures mutual authentication between MCs and MRs. WDAP can also authenticate MRs to each other through the same concatenation of authentication requests. For multi-hop communication in WMNs, each pair of nodes can mutually authenticate through the session key generated by the AS. However, a solution is still needed for open mesh network scenarios, where an AS may not exist at all. Another problem arises with roaming authentication: WDAP is not well suited to it, since it works only for roaming into new APs and does not consider *back roaming*, in which an MC may need to re-connect to another MC or AP with which it was authenticated earlier. As a result, the WDAP session key revocation mechanism has shortcomings that make it unsuitable for deployment in real-world WMNs.

An approach that adapts IEEE 802.11i to multi-hop communication is presented in (Moustafa et al., 2006a). It extends the forwarding capability of 802.11i, without compromising its security features, to set up authenticated layer-2 links and achieve secure wireless access as well as confidential data transfer in ad hoc multi-hop environments. The general objective is to support secure and seamless Internet access for MCs located near public WLAN hotspots, even when these nodes move beyond the coverage area of the WLAN. For an MC within WLAN communication range, the *authentication, authorization and accounting* (AAA) process uses the classical 802.11i authentication and message exchange.

Fig. 4. Schematic diagram of adapted 802.11i with EAP-TLS for multi-hop communication [Source: (Moustafa, 2007)]

As shown in Fig. 4, to accomplish the AAA process for MCs that are beyond the WLAN communication range but belong to ad hoc clusters, 802.11i is extended with forwarding capabilities. The notion of *friend nodes* is introduced to allow each MC to initiate the authentication process through a selected node in its proximity. The friend node plays the role of an auxiliary authenticator that forwards the MC's authentication request to the actual authenticator (i.e., the AP). If the friend node is not within communication range of the AP, it invokes other friend nodes recursively until the AP is reached. Proxy RADIUS (Rigney et al., 2000) is used to ensure forwarding compatibility and secure message exchange over multiple hops, and proxy chaining (Aboba & Vollbrecht, 1999) takes place when the friend node is not directly connected to an AP. To secure each authenticated link between communicating nodes, 802.11i encryption is used by running the four-way handshake between each MC and its authenticator (AP or friend node). This approach is useful in open mesh network scenarios, since it allows *authentication by delegation* among the mesh nodes. In addition, since the authentication keys are stored in the intermediate nodes, the re-authentication process is optimized when MCs roam. However, an adaptation is needed to allow multiple simultaneous connections to the authenticators (APs and friend nodes) in a dense mesh topology. A solution is also needed to support fast and secure roaming across multiple *wireless mesh routers* (WMRs); one possibility is to share the session keys of authenticated clients among the WMRs (Moustafa, 2007).
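The recursive delegation through friend nodes, with the keys of authenticated MCs cached at each auxiliary authenticator on the path, as an added example. This is illustrative code written for this page, not the mechanism of (Moustafa et al., 2006a) and not an implementation of proxy RADIUS or EAP-TLS: the topology, the credential store, the friend-selection rule (try neighbours in name order, never revisit a node) and the cache policy are constructed assumptions, and the HMAC-based credential proof stands in for the EAP-TLS exchange.

```python
"""Illustrative authentication by delegation through friend nodes."""
import hashlib
import hmac

# Constructed multi-hop topology: MC3 is two hops away from the only AP.
LINKS = {
    "AP": {"MC1"},
    "MC1": {"AP", "MC2"},
    "MC2": {"MC1", "MC3"},
    "MC3": {"MC2"},
    "MC4": set(),            # isolated node: no friend node can reach an AP
}
APS = {"AP"}


def make_proof(secret: bytes, client: str) -> bytes:
    """Credential proof the MC presents (stand-in for the EAP-TLS exchange)."""
    return hmac.new(secret, b"auth:" + client.encode(), hashlib.sha256).digest()


def make_reauth_proof(key: bytes, client: str) -> bytes:
    """Proof of possession of an already-issued key, checked locally by a friend node."""
    return hmac.new(key, b"reauth:" + client.encode(), hashlib.sha256).digest()


class AuthServer:
    """AS behind the AP: verifies the credential and issues a per-client key."""
    def __init__(self, credentials: dict, master: bytes = b"as-master-key"):
        self.credentials = credentials    # {client: long-term secret}, constructed
        self.master = master              # assumed AS-local key-derivation secret
        self.revoked = set()

    def authenticate(self, client: str, proof: bytes):
        secret = self.credentials.get(client)
        if client in self.revoked or secret is None:
            return None
        if not hmac.compare_digest(proof, make_proof(secret, client)):
            return None
        return hmac.new(self.master, b"session:" + client.encode(), hashlib.sha256).digest()


class Mesh:
    def __init__(self, links: dict, aps: set, auth_server: AuthServer):
        self.links, self.aps, self.auth_server = links, aps, auth_server
        self.cache = {node: {} for node in links}   # per node: client -> issued key

    def _forward(self, node: str, client: str, proof: bytes, visited: set):
        """An AP hands the request to the AS; any other node acts as auxiliary
        authenticator and forwards to a friend node it has not tried yet."""
        visited.add(node)
        if node in self.aps:
            return self.auth_server.authenticate(client, proof), [node]
        for friend in sorted(self.links[node]):
            if friend in visited:
                continue
            key, path = self._forward(friend, client, proof, visited)
            if key is not None:
                self.cache[node][client] = key      # stored at the auxiliary authenticator
                return key, [node] + path
        return None, []

    def authenticate(self, client: str, proof: bytes):
        """Full authentication. Returns (key, path), path being the chain of
        friend nodes from the client's first friend up to the AP."""
        for friend in sorted(self.links[client]):
            key, path = self._forward(friend, client, proof, {client})
            if key is not None:
                return key, path
        return None, []

    def reauthenticate(self, client: str, key_proof: bytes):
        """Served by the first friend node holding the cached key; the AS is not contacted."""
        for friend in sorted(self.links[client]):
            key = self.cache[friend].get(client)
            if key is not None and hmac.compare_digest(key_proof, make_reauth_proof(key, client)):
                return key, [friend]
        return None, []


if __name__ == "__main__":
    mesh = Mesh(LINKS, APS, AuthServer({"MC3": b"secret-3"}))
    key, path = mesh.authenticate("MC3", make_proof(b"secret-3", "MC3"))
    print("full authentication path:", " -> ".join(path))
    print("re-authentication path:", mesh.reauthenticate("MC3", make_reauth_proof(key, "MC3"))[1])
```

The caching is what shortens re-authentication: after the first run MC2 and MC1 both hold MC3's key, so a later re-authentication stops at MC2. The same cache is the weak point the text's caveat refers to: every auxiliary authenticator on the path sees the key, so a compromised friend node can impersonate the client it served, which is why real deployments key each link separately with the four-way handshake.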

14 Applied Cryptography and Network Security

#### **4.3 Data packet authentication**

One approach to preventing unauthorized nodes from gaining access to the network services of a WMN is to authenticate the transmitted data packets. Following this approach, a *lightweight hop-by-hop access protocol* (LHAP) (Zhu et al., 2003; Zhu et al., 2006) has been proposed for authenticating MCs and preventing resource-consumption attacks in WMNs. LHAP implements light-weight hop-by-hop authentication, in which intermediate nodes authenticate all the packets they receive before forwarding them further into the network. In this protocol, an MC first performs some light-weight authentication operations to bootstrap a trust relationship with its neighbors. It then runs a light-weight protocol for subsequent traffic authentication and data encryption. LHAP is ideally suited to ad hoc networks: it resides between the data link layer and the network layer and can be seamlessly integrated with secure routing protocols to provide a high level of security in a communication network.

LHAP's packet authentication technique is based on *one-way hash chains* (Lamport, 1981). It also uses the TESLA protocol (Perrig et al., 2001) to reduce the number of public key operations needed for bootstrapping and maintaining trust among nodes. For every traffic packet received from the network layer, LHAP adds its own header, which includes the node ID, a packet-type field indicating a traffic packet, and an authentication tag. The packet is then passed to the data link layer; control packets are generated separately for establishing and maintaining trust relationships with neighbor nodes. For a received packet, LHAP verifies its authenticity from the authentication tag in the packet header. If the packet is valid, LHAP removes its header and passes the packet to the network layer; otherwise, it discards the packet. LHAP control packets are handled within LHAP itself, so that LHAP runs without affecting the operation of the other layers.

LHAP is well suited to WMN applications. For secure roaming, LHAP can distribute session keys among MCs using a special packet type designated for this purpose. However, the focus of the protocol is on preventing resource-consumption attacks on the network; LHAP cannot prevent insider attacks, and hence complementary mechanisms are needed for this purpose (Moustafa, 2007).
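The one-way hash chain packet authentication that LHAP builds on, as described both in the overview earlier in this section and in the paragraphs above, as an added example. This is illustrative code written for this page, not LHAP's implementation or wire format: the header layout (4-byte node ID, 1-byte type, 32-byte SHA-256 tag), the chain length and the sample packets are constructed assumptions, and the TESLA-authenticated bootstrapping of the chain anchor is replaced by a direct `Receiver.bootstrap()` call. The receiver tolerates a bounded number of lost packets and rejects replayed tags, which is the property that blunts resource-consumption attacks.

```python
"""Illustrative Lamport one-way hash chain packet authentication in the style of LHAP."""
import hashlib

TAG_LEN = 32
TRAFFIC = 0        # packet-type value for traffic packets in this example


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class Sender:
    """Owns a chain h_0 = seed, h_i = H(h_{i-1}) for i = 1..n. The anchor h_n is
    bootstrapped to neighbours; each traffic packet discloses the next element in
    reverse order (h_{n-1}, h_{n-2}, ...) as its authentication tag."""

    def __init__(self, node_id: bytes, seed: bytes, length: int):
        assert len(node_id) == 4
        self.node_id = node_id
        self.chain = [seed]
        for _ in range(length):
            self.chain.append(H(self.chain[-1]))
        self.next_index = length - 1

    def anchor(self) -> bytes:
        return self.chain[-1]

    def send(self, payload: bytes) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("hash chain exhausted: a new chain must be bootstrapped")
        tag = self.chain[self.next_index]
        self.next_index -= 1
        # Header: node ID || type || tag, followed by the network-layer payload.
        return self.node_id + bytes([TRAFFIC]) + tag + payload


class Receiver:
    """Keeps, per neighbour, the last verified chain element. A packet is accepted
    if hashing its tag at most max_gap times reaches that element (tolerating up
    to max_gap - 1 lost packets); replayed, stale or unknown tags are discarded."""

    def __init__(self, max_gap: int = 5):
        self.last = {}
        self.max_gap = max_gap

    def bootstrap(self, node_id: bytes, anchor: bytes):
        self.last[node_id] = anchor

    def verify(self, packet: bytes):
        """Return the payload if the tag continues the sender's chain, else None."""
        node_id, ptype = packet[:4], packet[4]
        tag, payload = packet[5:5 + TAG_LEN], packet[5 + TAG_LEN:]
        if ptype != TRAFFIC or node_id not in self.last:
            return None                      # not bootstrapped with this neighbour
        cur = tag
        for _ in range(self.max_gap):
            cur = H(cur)
            if cur == self.last[node_id]:
                self.last[node_id] = tag     # advance: this tag can never be accepted again
                return payload
        return None
```

Note what the tag does and does not prove: it shows the packet came from whoever holds the chain, which is enough to stop an outsider from injecting traffic that consumes forwarding resources, but a plain hash-chain tag does not bind the payload, so an attacker who captures a packet in flight can reuse its tag once before the honest packet arrives. That is the gap the text's remark about insider attacks points to, and the reason complementary mechanisms (TESLA-authenticated control traffic, link-layer encryption) are needed alongside it.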

#### **4.4 Proactive authentication and pre-authentication schemes**

In (Pack & Choi, 2004), a fast handoff scheme based on prediction of the mobility pattern is proposed. In this scheme, an MC entering the coverage area of an access point performs authentication for multiple MRs (or APs) at once: when the MC sends an authentication request, the AAA server authenticates all the relevant APs (or MRs) and sends multiple session keys to the MC. A prediction method, *frequent handoff region* (FHR) selection, further reduces the handoff delay; the FHR selection algorithm takes into account the user's mobility pattern, service class, and so on, to select the MRs to which a handoff is likely. To improve the accuracy of the mobility prediction, a proactive key distribution approach is proposed in (Mishra et al., 2004), in which a new data structure, the neighbor graph, determines the candidate set of MRs with which the MC may next associate.
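The proactive idea behind both schemes above, worked through as an added example: keys for the candidate MRs are issued at association time so that a handoff to one of them needs no round trip to the AAA server. This is illustrative code written for this page, not the construction of (Pack & Choi, 2004) or (Mishra et al., 2004): the neighbor graph, the credential proof, the key derivation HMAC(master, MC || MR) and the mobility trace are constructed assumptions, and the FHR selection is simplified to the neighbor-graph candidate set.

```python
"""Illustrative proactive session-key pre-distribution driven by a neighbor graph."""
import hashlib
import hmac

# Constructed neighbor graph: an edge means an MC can hand off directly between the two MRs.
NEIGHBOR_GRAPH = {
    "MR1": {"MR2", "MR3"},
    "MR2": {"MR1", "MR4"},
    "MR3": {"MR1", "MR4"},
    "MR4": {"MR2", "MR3", "MR5"},
    "MR5": {"MR4"},
}


class AAAServer:
    """Holds the MCs' long-term credentials and derives per-(MC, MR) session keys."""

    def __init__(self, credentials: dict, master: bytes = b"aaa-master-key"):
        self.credentials = credentials      # {mc: long-term secret}, constructed
        self.master = master                # assumed AAA-local key-derivation secret
        self.full_auths = 0                 # counts the expensive path

    def issue_key(self, mc: str, mr: str) -> bytes:
        return hmac.new(self.master, f"{mc}|{mr}".encode(), hashlib.sha256).digest()

    def full_authentication(self, mc: str, mr: str, proof: bytes):
        """Verify the MC's credential before issuing any key (a real scheme would
        use a fresh challenge; the static proof is enough to show the control flow)."""
        self.full_auths += 1
        secret = self.credentials.get(mc)
        if secret is None:
            return None
        expected = hmac.new(secret, f"{mc}|{mr}".encode(), hashlib.sha256).digest()
        return self.issue_key(mc, mr) if hmac.compare_digest(proof, expected) else None


class MeshRouter:
    def __init__(self, name: str):
        self.name = name
        self.keys = {}          # mc -> session key pushed down by the AAA server


class Network:
    def __init__(self, graph: dict, aaa: AAAServer):
        self.graph, self.aaa = graph, aaa
        self.routers = {name: MeshRouter(name) for name in graph}

    def candidate_set(self, mr: str) -> set:
        """Neighbor-graph lookup: the MRs an MC served by mr may hand off to next."""
        return self.graph[mr]


class MobileClient:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret
        self.keys = {}          # mr -> session key (never aged out in this toy)

    def associate(self, net: Network, mr: str) -> str:
        router = net.routers[mr]
        if mr in self.keys and hmac.compare_digest(self.keys[mr], router.keys.get(self.name, b"")):
            kind = "fast"       # both sides already hold the pre-distributed key
        else:
            proof = hmac.new(self.secret, f"{self.name}|{mr}".encode(), hashlib.sha256).digest()
            key = net.aaa.full_authentication(self.name, mr, proof)
            if key is None:
                return "denied"
            self.keys[mr] = router.keys[self.name] = key
            kind = "full"
        # Proactive step: pre-key every candidate MR of the new serving MR.
        for cand in net.candidate_set(mr):
            if cand not in self.keys:
                key = net.aaa.issue_key(self.name, cand)
                net.routers[cand].keys[self.name] = key
                self.keys[cand] = key
        return kind


def simulate(trace: list, net: Network, mc: MobileClient) -> list:
    """Kind of handoff ('full', 'fast' or 'denied') at each MR along a mobility trace."""
    return [mc.associate(net, mr) for mr in trace]


if __name__ == "__main__":
    aaa = AAAServer({"MC1": b"mc1-secret"})
    net = Network(NEIGHBOR_GRAPH, aaa)
    print(simulate(["MR1", "MR2", "MR4", "MR5", "MR4", "MR1"], net, MobileClient("MC1", b"mc1-secret")))
    print("full authentications:", aaa.full_auths)
```

Walking the graph edge by edge, only the first association touches the AAA server; a jump to an MR outside the current candidate set (MR1 to MR5 here) falls back to the full path. The cost is that every candidate MR receives a key for a client that may never arrive, so a real deployment bounds the candidate set (which is what FHR selection does) and expires unused keys.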

A reliable re-authentication scheme has been proposed in (Aura & Roe, 2005), in which an MR issues a credential for the MC it is currently serving. The credential can be used later (by the next MR) to certify the authenticity of the MC.

A fast authentication and key exchange mechanism to support seamless handoff has been proposed in (Soltwisch et al., 2004). The mechanism uses the *context transfer protocol* (CTP) (Loughney et al., 2005) to forward the session key from the previous access router to the new access router.

#### **4.5 Extensible authentication protocols**

IEEE 802.1X has been applied to resolve some of the security problems in the 802.11 standard, where the MC and the AS authenticate each other by applying an upper layer authentication protocol like the *extensible authentication protocol encapsulating transport layer security* (EAP-TLS) protocol (Aboba & Simon, 1999). Although EAP-TLS offers mutual authentication, it introduces high latency in WMNs because each terminal acts as an authenticator for its neighbor to reach the AS. This can lead to longer paths to the AS. Furthermore, in case of high mobility of terminals, re-authentication due to frequent handoffs can be detrimental to real-time applications. Consequently, variants of EAP have been proposed by researchers to adapt the 802.1X authentication model to multi-hop communications in WMNs. Some of these mechanisms are briefly discussed below.

**EAP with token-based re-authentication:** a fast and secure hand-off protocol is presented in (Fantacci et al., 2006), which allows mutual authentication and access control, thereby preventing insider attacks during the re-authentication process. To achieve this, old authentication keys are revoked. Thus, a node should ask for the keys from its neighbors or from the AS when it needs the keys. The mechanism involves a token-based re-authentication scheme based on a two-way handshake between the node that performs the handshake and the AS. The AS is involved in every hand-off so that there is a centralized entity for monitoring the network. An authentication token, in the form of keying material, is provided by the authenticator of the network to the AS to obtain the PMK key. The authenticator can be an AP or a host in the WMN. Initially, the MC performs a full EAP-TLS authentication, generating a PMK key that is then shared between the MC and its authenticator. Whenever the MC performs a hand-off to another authenticator, the new authenticator should receive the PMK key to avoid a full re-authentication. The new authenticator issues a request to the AS for the PMK and adds a token to the request. The token is cryptographic material proving that the authenticator is in contact with the MC which owns the requested PMK. The token was earlier generated by the MC while performing the hand-off and was transmitted to the new authenticator. The AS verifies the token and issues the PMK to the new authenticator. This protocol is secure and involves centralized key management. However, the need to involve the AS in each re-authentication is not suitable for scenarios where MCs have random and frequent mobility (Moustafa, 2007). A distributed token verification would be more suitable for open and multi-hop WMN environments.

**EAP-TLS over PANA:** a security architecture suitable for multi-hop mesh networks is presented in (Cheikhrouhou et al., 2006) that employs EAP-TLS over the *protocol for carrying authentication and network access* (PANA) (Parthasarathy, 2006). It proposes an authentication solution for WMNs adapting IEEE 802.1X so that MCs can be authenticated by MRs. The authentication between MCs and MRs requires MCs to be directly connected to the MRs. Since PANA enables MCs to authenticate to the access network using the IP protocol, it is used in this mechanism to overcome the problem of association between MCs and MRs that can be attached through more than one intermediate node. When a new MC joins the network, it first gets an IP address (pre-PANA address) from a local DHCP server. Then, the PANA protocol is initiated so that the mobile node discovers the *PANA access* (PAA) router to authenticate itself. After successful authentication, the MC initiates the *Internet key exchange* (IKE) protocol with the MR for establishing a security association. Finally, an IPSec tunnel ensures data protection over the radio link and data access control by the MR. During the authentication and authorization phases, PANA uses EAP message exchange between the MC and the PAA, where the PAA relays EAP messages to the AS using EAP over RADIUS. EAP-TLS messages are used in this approach. The protocol is suited for heterogeneous WMNs since it is independent of the technology of the wireless media. However, PANA requires the use of IP addresses in the mesh nodes. This restricts its use, since all elements of a WMN may not use IP as the addressing standard.

**EAP-TLS using proxy chaining:** the proposals in (Moustafa et al., 2006a; Moustafa et al., 2006b) are adaptive EAP solutions for authentication and access control in the multi-hop wireless environment. In (Moustafa et al., 2006a), an adapted EAP-TLS approach is used to allow authentication of mobile nodes. A delegation process is used among mobile nodes by use of auxiliary authenticators in a recursive manner until the AS is reached. To allow extended forwarding and exchange of EAP-TLS authentication messages, proxy RADIUS is involved, using proxy chaining among the intermediate nodes between the MCs requesting the authentication and the AS. This approach permits the storage of authentication keys of the MCs in the auxiliary authenticators. This speeds up the re-authentication process and enhances the performance of the adaptive EAP-TLS mechanism. This solution is applicable to WMNs, especially in multi-hop communications. However, to support secure roaming across different *wireless mesh routers* (WMRs), communication is required between the old and the new WMRs. This can be done by using central elements or switches that link the WMRs and allow storing of information in a central location and distribution of information among the WMRs.

**EAP-enhanced pre-authentication:** an EAP-enhanced pre-authentication scheme for mobile WMNs (IEEE 802.16e) in the link layer has been proposed in (Hur et al., 2008). In this scheme, PKMv2 (public key management version 2) has been slightly modified based on the key hierarchy, in a way that the communication key can be established between the MC and the target MR before hand-off in a proactive way. The modification allows the master session key generated by the authentication server to bind the MR identification (i.e., base station identification) and the MAC address of the MC. In the pre-authentication phase, the authentication server generates and delivers the unique public session keys for the neighbor MRs of the MC. The neighboring MRs are the access points that the MC potentially moves to. These MRs can use the public session key to derive an authorization key of the corresponding MC. In the same way, the MC can derive the public session key and the authorization key for its neighbor MRs, using the MR identification. Once the handoff is complete, the MC only needs to perform a three-way handshake and update the encryption key, since the MC and MR already possess the authentication key. Thus a re-authentication with the authentication server is avoided and the associated delay is reduced.

**Distributed authentication:** a distributed authentication scheme for minimizing the authentication delay has been proposed in (Lee et al., 2008), in which multiple trusted nodes are distributed over a WMN to act on behalf of an authentication server. This makes management of the network easy, and it also incurs less storage overhead in the MRs. However, the performance of the scheme will degrade when multiple MCs send out their authentication requests, since the number of trusted nodes acting as the authentication server is limited compared to the number of access routers. In (He et al., 2010), a distributed *authenticated key establishment scheme* (AKES) has been proposed based on *hierarchical multi-variable symmetric functions* (HMSF). In this scheme, MCs and MRs can mutually authenticate each other and establish pair-wise communication keys without the need for interaction with any central authentication server. The authors have extended the polynomial-based key generation concept (Blundo et al., 1993) to an asymmetric function for mutual authentication among the MCs and MRs. Based on the symmetric polynomial and an asymmetric function, an efficient and hierarchical key establishment scheme is designed. This substantially reduces the communication overhead and authentication delay.
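The symmetric-polynomial building block (Blundo et al., 1993) that AKES extends, as an added example (not code from He et al. or from this chapter): a key server picks a random symmetric bivariate polynomial over GF(p), hands every node its univariate share, and any MC and MR then derive the same pairwise key from their identifiers alone, with no contact to a central server. The prime, the degree, the node identifiers and the HMAC-based key confirmation exchange are assumptions; the asymmetric-function extension of (He et al., 2010) is not reproduced.

```python
"""Pairwise key establishment from a symmetric bivariate polynomial (Blundo et al., 1993).

Added example, not code from (He et al., 2010) or this chapter. The field prime,
polynomial degree, node identifiers and the key-confirmation exchange are assumptions.
Security caveat (textbook property): any t+1 colluding shares reconstruct f(x, y),
so t must exceed the number of nodes an adversary is expected to compromise.
"""
import hashlib
import hmac
import secrets
from typing import List

P = (1 << 127) - 1   # Mersenne prime; a constructed choice for the field GF(p)


def random_symmetric_poly(t: int) -> List[List[int]]:
    """Coefficient matrix a[i][j] with a[i][j] == a[j][i], hence f(x, y) == f(y, x)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = secrets.randbelow(P)
    return a


def share_for(a: List[List[int]], node_id: int) -> List[int]:
    """Share g_i(y) = f(node_id, y): coefficients c[j] = sum_i a[i][j] * node_id^i mod P."""
    t = len(a) - 1
    powers = [pow(node_id, i, P) for i in range(t + 1)]
    return [sum(a[i][j] * powers[i] for i in range(t + 1)) % P for j in range(t + 1)]


def pairwise_key(share: List[int], peer_id: int) -> int:
    """Evaluate the own share at the peer's identifier (Horner's rule): f(me, peer)."""
    acc = 0
    for c in reversed(share):          # highest-degree coefficient first
        acc = (acc * peer_id + c) % P
    return acc


def key_bytes(k: int) -> bytes:
    """Derive a fixed-length symmetric key from the field element."""
    return hashlib.sha256(k.to_bytes(16, "big")).digest()


def confirm_tag(k: bytes, sender: int, receiver: int, nonce: bytes) -> bytes:
    """Key-confirmation MAC over (sender, receiver, peer nonce); a constructed message format."""
    msg = sender.to_bytes(4, "big") + receiver.to_bytes(4, "big") + nonce
    return hmac.new(k, msg, hashlib.sha256).digest()


def mutual_auth(share_a: List[int], id_a: int, share_b: List[int], id_b: int) -> bool:
    """Two-message confirmation: each side proves it holds f(id_a, id_b) to the other.

    Both sides compute the key locally from their own share, so no authentication
    server is contacted; a node holding a share from a different polynomial fails.
    """
    k_a = key_bytes(pairwise_key(share_a, id_b))
    k_b = key_bytes(pairwise_key(share_b, id_a))
    n_a, n_b = secrets.token_bytes(16), secrets.token_bytes(16)   # exchanged in the clear
    tag_a = confirm_tag(k_a, id_a, id_b, n_b)   # a answers b's nonce
    tag_b = confirm_tag(k_b, id_b, id_a, n_a)   # b answers a's nonce
    ok_at_b = hmac.compare_digest(tag_a, confirm_tag(k_b, id_a, id_b, n_b))
    ok_at_a = hmac.compare_digest(tag_b, confirm_tag(k_a, id_b, id_a, n_a))
    return ok_at_a and ok_at_b
```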

**Secure authentication:** an improved security protocol for WMNs has been proposed in (Lukas & Fackroth, 2009). The protocol is named "WMNSec", and it is based on the four-way handshake mechanism in 802.11i. In WMNSec, a dedicated station, the *mesh key distributor* (MKD), generates one single dynamically generated key for the whole network. This key is called the *global key* (GK). The GK is distributed from the MKD to the authenticated stations (MRs) using the four-way handshake from 802.11i. A newly joined MR becomes another authenticator after it is authenticated and becomes an authenticated part of the WMN. Thus, the iterative authentication forms a spanning tree rooted at the MKD and spanning the whole network. To provide a high level of security, each key has a limited validity period. Periodic re-keying ensures that the keys used in all stations are up-to-date.

#### **4.6 Authentication using identity-based cryptography**

*Identity-based cryptography* (IBC) is a form of public key cryptography in which the public key of a user is derived from some publicly available unique identity information about the user, e.g., SSN, email address, etc. Although the concept of IBC was first introduced by Shamir (Shamir, 1984), a fully functional IBC scheme was not established until Boneh and Franklin applied the Weil pairing to construct a bilinear map (Boneh & Franklin, 2001). Using IBC, an attack-resilient security architecture called "ARSA" for WMNs has been proposed in (Zhang & Fang, 2006). The relationship among the three entities in this scheme, i.e., brokers, users and network operators, is made analogous to that among a bank, a credit card holder, and a merchant. The broker acts as a TTP that distributes a secure pass to each authenticated user. Each secure pass has the ID of the user enveloped in it, and the WMN operator grants access to all users who possess secure passes. The users are not bound to any specific operator, and can get ubiquitous network access by a universal pass issued by a *third-party broker*. ARSA also provides an efficient mutual *authentication and key agreement* (AKA) between a user and a serving WMN domain or between users served by the same WMN domain.

#### **4.7 Privacy protection schemes in WMNs**

Traffic privacy preservation is an important issue in WMNs. In a community mesh network, the traffic of mobile users can be observed by the MRs residing at their neighbors, which could reveal sensitive personal information. A mesh network privacy-preserving architecture is presented in (T. Wu et al., 2006). The mechanism aims to achieve traffic confidentiality based on the concept of *traffic pattern* concealment by controlling the routing process using multiple paths. The traffic from the source (i.e., IGW) to the destination (i.e., MR) is split into multiple paths. Hence, each relaying node along the path from the source to the destination can observe only a portion of the entire traffic. The traffic is split in a random manner (both spatially and temporally) so that an intermediate node has too little knowledge to figure out the overall traffic pattern. In this way traffic confidentiality is achieved. The mechanism defines an information-theoretic metric, and then proposes a penalty-based routing algorithm to allow traffic pattern hiding by exploiting multiple available paths between a pair of nodes. A source routing strategy is adopted so that a node can easily know the topology of its neighborhood. The protocol can also ensure communication privacy in WMNs, where each destination node is able to consistently limit the proportion of mutual information it shares with the observing node. However, the traffic splitting can increase delay in communication and hence this mechanism may not be suitable for real-time applications in WMNs.

A novel privacy and security scheme named PEACE (Privacy Enhanced yet Accountable seCurity framEwork) for WMNs has been proposed in (Ren et al., 2010). The scheme achieves explicit mutual authentication and key establishment between users (i.e., MCs) and MRs and between the users themselves (i.e., between the MCs). It also enables unilateral anonymous authentication between users and the MRs and bilateral anonymous authentication between a pair of users. Moreover, it enables user accountability by regulating user behaviors and protects WMNs from being abused and attacked. Network communications can be audited in cases of disputes and frauds. The high-level architecture of the PEACE trust model consists of four kinds of network entities: the network operator, user group managers, user groups and a *trusted third party* (TTP). Before accessing the WMN services, each user has to enroll in at least one user group, whose manager thus knows the essential and non-essential attributes of the user. The users do not directly register with the network operator; instead, each group manager subscribes to the network operator on behalf of its group members. Upon registration from a group manager, the network operator allocates a set of group secret keys to this user group. The network operator divides each group secret key into two parts: one part is sent to the requesting group manager and the other part to the TTP. To access network services, each user requests one part of the group secret key from his group manager and the other part from the TTP to recover a complete group secret key. The user also needs to return signed acknowledgments to both the group manager and the TTP. PEACE uses a variation of the short group signature scheme proposed in (Boneh & Shacham, 2004) to ensure sophisticated user privacy. The scheme is resistant to bogus data injection attacks, data phishing attacks and DoS attacks (Ren et al., 2010).

A security architecture named "SAT" has been proposed in (Sun et al., 2008; Sun et al., 2011). The system consists of ticket-based protocols, which resolve the conflicting security requirements of unconditional anonymity for honest users and traceability of misbehaving users in a WMN. By utilizing tickets, self-generated pseudonyms, and hierarchical identity-based cryptography, the architecture has been demonstrated to achieve the desired security objectives and performance efficiency. The system uses a blind signature technique from payment systems (Brands, 1993; Wei et al., 2006; Figueiredo et al., 2005; Chaum, 1982), and hence achieves anonymity by delinking user identities from their activities. The pseudonym technique also keeps user location information unexposed. The pseudonym generation mechanism does not rely on a central authority, e.g., the *broker* in (Zhang & Fang, 2006), the *domain authority* in (Ateniese et al., 1999), the *transportation authority* or the *manufacturer* in (Raya & Hubaux, 2007), or the *trusted authority* in (Zhang et al., 2006), which could derive the user's identity from his pseudonyms and illegally trace an honest user. However, the system is not intended to achieve routing anonymity. *Hierarchical identity-based cryptography* (HIBC) for inter-domain authentication is adopted to avoid domain parameter certification in order to ensure anonymous access control.

## **5. The hierarchical architecture of a WMN**

In this section, we first present a standard architecture of a typical WMN for which we propose a security and privacy protocol. The architecture is a very generic one that represents the majority of the real-world deployment scenarios for WMNs. The architecture of a hierarchical WMN consists of three layers, as shown in Fig. 5. At the top layer are the *Internet gateways* (IGWs) that are connected to the wired Internet. They form the backbone infrastructure for providing Internet connectivity to the elements in the second level. The entities at the second level are called wireless *mesh routers* (MRs); they eliminate the need for wired infrastructure at every MR and forward their traffic in a multi-hop fashion towards the IGW. At the lowest level are the *mesh clients* (MCs), which are the wireless devices of the users. Internet connectivity and peer-to-peer communications inside the mesh are two important applications for a WMN. Therefore, the design of an efficient and low-overhead communication protocol which ensures security and privacy of the users is a critical requirement which poses significant research challenges.

For designing the proposed protocol and to specify the WMN deployment scenario, the following assumptions are made.

1. Each MR which is authorized to join the wireless backbone (through the IGWs) has two certificates to prove its identity. One certificate is used during the authentication phase that occurs when a new node joins the network. EAP-TLS (Aboba et al., 2004) for 802.1X authentication is used for this purpose since it is the strongest authentication method provided by EAP (Aboba et al., 2004), whereas the second certificate is used for the authentication with the *authentication server* (AS).

2. The certificates used for authentication with the RADIUS server and the AS are signed by the same *certificate authority* (CA). Only recognized MRs are authorized to join the backbone.

3. Synchronization of all MRs is achieved by use of the *network time protocol* (NTP) (Mills, 1992).

The proposed security protocol serves the dual purpose of providing security in the access network (i.e., between the MCs and the MRs) and the backbone network (i.e., between the MRs and the IGWs). These are described in the following sub-sections.

#### **5.1 Access network security**

The access mechanism to the WMN is assumed to be the same as that of a *local area network* (LAN), where mobile devices authenticate themselves and connect to an *access point* (AP). This allows the users to access the services of the WMN exploiting the authentication and authorization mechanisms without installing any additional software. It is evident that such a security solution provides protection to the wireless links between the MCs and the MRs. A separate security infrastructure is needed for the links in the backbone network. This is discussed in Section 5.2.

Fig. 6. Secure information exchange among the MCs *A* and *B* through the MRs 1 and 2

Fig. 6 illustrates a scenario where users *A* and *B* are communicating in a secure way to MRs 1 and 2 respectively. If the wireless links are not protected, an intruder *M* will be able to eavesdrop on and possibly manipulate the information being exchanged over the network. This situation is prevented in the proposed security scheme, which encrypts all the traffic transmitted on the wireless link using a stream cipher in the data link layer of the protocol stack.

Fig. 5. A three-tier architecture of a wireless mesh network (WMN)

For designing the proposed protocol and to specify the WMN deployment scenario, the following assumptions are made.


The proposed security protocol serves the dual purpose of providing security in the access network (i.e., between the MCs and the MRs) and the backbone network (i.e., between the MRs and the IGWs). These are described the following sub-sections.

#### **5.1 Access network security**


The access mechanism to the WMN is assumed to be the same as that of a *local area network* (LAN), where mobile devices authenticate themselves and connect to an *access point* (AP). This allows users to access the services of the WMN using the existing authentication and authorization mechanisms without installing any additional software. It is evident that such a security solution protects only the wireless links between the MCs and the MRs. A separate security infrastructure is needed for the links in the backbone network. This is discussed in Section 5.2.

Fig. 6. Secure information exchange among the MCs *A* and *B* through the MRs 1 and 2

Fig. 6 illustrates a scenario where users *A* and *B* are communicating in a secure way to MRs 1 and 2 respectively. If the wireless links are not protected, an intruder *M* will be able to eavesdrop on and possibly manipulate the information being exchanged over the network. This situation is prevented in the proposed security scheme which encrypts all the traffic transmitted on the wireless link using a stream cipher in the data link layer of the protocol stack.


#### **5.2 Backbone network security**

For providing security for the traffic in the backbone network, a two-step approach is adopted. When a new MR joins the network, it first presents itself as an MC and completes the association formalities. It subsequently upgrades its association by successfully authenticating to the AS. In order to make this authentication process efficient in a high-mobility scenario, the key management and distribution processes have been designed so as to minimize the effect of the authentication overhead on the network performance. An overview of the protocol follows.

Fig. 7 shows the three phases of the authentication process that an MR (say *N*) undergoes. When *N* wants to join the network, it scans all the radio channels to detect an MR that is already connected to the wireless backbone. Once such an MR (say *A*) is detected, *N* requests *A* for access to network services, including authentication and key distribution. After connecting to *A*, *N* performs the tasks prescribed in the IEEE 802.11i protocol to complete a mutual authentication with the network and establish a security association with the entity to which it is physically connected. This completes Phase I of the authentication process. Essentially, during this phase, a new MR performs all the steps that an MC has to perform to establish a secure channel with an MR for authentication and secure communication over the WMN.

Fig. 7. Steps performed by a new MR (*N*) using backbone encrypted traffic to join the WMN

During Phase II of the authentication process, the MRs use the *transport layer security* (TLS) protocol. Only authorized MRs that hold the requisite credentials can authenticate to the AS and obtain the cryptographic credentials needed to derive the key sequence used to protect the wireless backbone. In the proposed protocol, an end-to-end secure channel between the AS and the MR is established at the end of a successful authentication, through which the cryptographic credentials can be exchanged securely.

To eliminate any possibility of the same key being used for a long time, a server-initiated protocol is proposed for secure key management. The protocol is presented in Section 6. As mentioned earlier in this section, all the MRs are assumed to be synchronized with a central server using NTP.

Fig. 8 shows a collection of four MRs connected with each other by five wireless links. The MR *A* is connected with the AS by a wired link. At the time of network bootstrapping, only node *A* can connect to the network as an MR, since it is the only node that can successfully authenticate to the AS. Nodes *B* and *C*, which are neighbors of *A*, then detect a wireless network to which they can connect and perform the authentication process following the IEEE 802.11i protocol. At this point, nodes *B* and *C* are successfully authenticated as MCs. After their authentication as MCs, nodes *B* and *C* are allowed to authenticate to the AS and request the information used by *A* to produce the cryptographic key currently used for communication in the network. After having derived that key, both *B* and *C* are able to communicate with each other, as well as with node *A*, using the ad hoc mode of communication in the WMN. At this stage, *B* and *C* both have full MR functionality. They can turn on their access interfaces to provide node *D* with a connection to the AS for joining the network.

Fig. 8. Autonomous configuration of the MRs in the proposed security scheme
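The wave-by-wave bootstrapping of Fig. 8, as an added simulation that is not code from the chapter. The four MRs and five links are the figure's; the extra radio *E* in range of *B* with no backbone certificate, and the wave model (a node can only associate, in Phase I, to a neighbour that was already a full MR in an earlier wave), are my assumptions.

```python
"""Autonomous configuration of the backbone (Fig. 8) as a wave-by-wave simulation."""

# Constructed topology: A has the wired link to the AS; the five wireless links of Fig. 8
# connect the four MRs. E is an extra radio in range of B with no backbone certificate
# (my assumption, to show what happens to an unauthorised node).
LINKS = {("A", "B"), ("A", "C"), ("B", "C"), ("B", "D"), ("C", "D"), ("B", "E")}
WIRED_TO_AS = {"A"}
BACKBONE_CERTS = {"A", "B", "C", "D"}       # credential checked by EAP-TLS in Phase II


def neighbours(node, links):
    return {b if a == node else a for a, b in links if node in (a, b)}


def bootstrap(links=LINKS, wired=WIRED_TO_AS, certs=BACKBONE_CERTS):
    """Return (wave_of_mr, mc_only): the wave in which each node became a full MR,
    and the nodes that never got past the MC stage."""
    nodes = {x for link in links for x in link}
    mr = {n: 0 for n in wired if n in certs}   # wave 0: only the wired node can reach the AS
    wave, changed = 0, True
    while changed:
        wave, changed = wave + 1, False
        for node in sorted(nodes - set(mr)):
            # Phase I: associate as an MC to a neighbour that already runs the backbone
            # (promoted in an earlier wave, so its access interface is switched on).
            if not any(mr.get(nb, wave) < wave for nb in neighbours(node, links)):
                continue
            # Phase II: mutual TLS with the AS; fails without a backbone certificate.
            if node not in certs:
                continue
            # Phase III: the node pulls the key list, joins the backbone and becomes an MR.
            mr[node] = wave
            changed = True
    return mr, sorted(nodes - set(mr))


if __name__ == "__main__":
    print(bootstrap())     # ({'A': 0, 'B': 1, 'C': 1, 'D': 2}, ['E'])
```

The number of waves a node needs equals its hop distance from the MR with the wired link, which is why a deep mesh takes several authentication rounds to come up, and a node without the second certificate can associate as an MC but never obtains the backbone key material.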

## **6. The key distribution protocol**


In this section, the details of the proposed key distribution and management protocol are presented. The protocol is essentially a server-initiated protocol (Martignon et al., 2008) and gives the clients (MRs and MCs) flexibility and autonomy during key generation.

The proposed key management protocol delivers the keys to all the MRs from the AS in a reactive manner. The keys are used subsequently by the MRs for a specific time interval in their message communications to ensure the integrity and confidentiality of the messages. After the expiry of the validity interval of the keys, the existing keys are revoked and new keys are generated by the AS. Fig. 9 depicts the message exchanges between the MRs and the AS during the execution of the protocol.

A newly joined MR, after its successful mutual authentication with the central server, sends its first request for the key list (and its time of generation) currently being used by the other MRs in the wireless backbone. Let us denote the *key list timestamp* as $TS_{KL}$. Let us define a *session* as the maximum time interval of validity of the key list currently being used by each node (MR and MC). The duration of a session is then the product of the *cardinality of the key list* (i.e., the number of keys in the key list) and the longest interval of validity of a key (the parameter *timeout* in Fig. 9).

Fig. 9. Message exchanges between an MR and the AS in the key management protocol

The validity of a key list is computed from the time instance when the list is generated (i.e., $TS_{KL}$) by the AS. An MR, based on the time instance at which it joins the backbone ($t_{now}$ in Fig. 9), can find out the key (from the current list) being used by its peers ($key_{idx}$) and the remaining interval of validity of that key ($T_i$) using (1) and (2) as follows:

$$key_{idx} = \left\lfloor \frac{t_{now} - TS_{KL}}{timeout} \right\rfloor + 1 \tag{1}$$

$$T_i = key_{idx} \cdot timeout - \left(t_{now} - TS_{KL}\right) \tag{2}$$

In the proposed protocol, each WMN node requests the AS for the *key list* that will be used in the next session before the expiry of the current session. This feature is essential for nodes located multiple hops away from the AS, since responses from the AS take longer to reach them. The responses may also be delayed by fading or congestion on the wireless links. If the nodes sent their requests for the key list to the AS just before the expiry of the current session, then, with so little time in hand, only the nodes with good-quality links to the AS would receive the list. The nodes that fail to receive a response from the server would be unable to communicate in the next session for lack of the current key list. This would lead to the undesirable situation of network partitioning.

The *key index* value that triggers the request from a node to the server is set equal to the difference between the *cardinality of the list* and a *correction factor*. The correction factor can be estimated from parameters such as the network load, the distance of the node from the AS and the time required for the previous response.

In the proposed protocol, the correction factor is estimated from the time taken to receive the response from the AS using (3), where $t_s$ is the time instance when the first key request was sent, $t_r$ is the time instance when the key response was received from the AS, and *timeout* is the validity period of a key. Therefore, if a node did not receive the response (i.e., the key list) from the AS within *timeout* but only after a time $t_{last}$, it must send its next request to the AS before it switches to the last key of the list.

$$c = \begin{cases} \left\lceil \dfrac{t_{last} - timeout}{timeout} \right\rceil & \text{if } t_{last} \ge timeout \\[6pt] 0 & \text{if } t_{last} < timeout \end{cases} \tag{3}$$

$$t_{last} = t_r - t_s$$

The first request for the key list sent by a new node to the AS is forwarded by the peer to which it is connected as an MC through the wireless access network. Subsequent requests are sent directly over the wireless backbone.
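The key-list bookkeeping of this section, equations (1) to (3), as an added example that is not code from the chapter. The constructed sample is a ten-key list generated at $TS_{KL} = 100$ with *timeout* = 5 (any common time unit of the NTP-synchronized nodes); `next_list_in_time` is my check that a request sent when the trigger key becomes current is answered before the session ends, compared against a naive node that only asks once the last key is in use.

```python
"""Key-list schedule of Section 6: eqs. (1)-(3) and a check of the pre-fetch trigger (added example)."""
import math

# Constructed sample: a list of N keys generated by the AS at TS_KL, each valid for `timeout`.
SAMPLE_KEY_LIST = [bytes([i]) * 16 for i in range(1, 11)]   # N = 10 toy 128-bit keys
TS_KL, TIMEOUT = 100, 5


def key_index(t_now, ts_kl, timeout):
    """Eq. (1): 1-based index of the key that the peers are using at t_now."""
    return (t_now - ts_kl) // timeout + 1


def remaining_validity(t_now, ts_kl, timeout):
    """Eq. (2): T_i, the time left before the key from eq. (1) is rotated out."""
    return key_index(t_now, ts_kl, timeout) * timeout - (t_now - ts_kl)


def correction_factor(t_last, timeout):
    """Eq. (3): how many keys before the last one the next key-list request must go out."""
    return math.ceil((t_last - timeout) / timeout) if t_last >= timeout else 0


def current_key(key_list, t_now, ts_kl, timeout):
    """Key a newly joined MR must use now; None once the session has expired."""
    idx = key_index(t_now, ts_kl, timeout)
    return key_list[idx - 1] if 1 <= idx <= len(key_list) else None


def request_trigger(cardinality, t_last, timeout):
    """Index whose activation triggers the request for the next session's list."""
    return cardinality - correction_factor(t_last, timeout)


def next_list_in_time(cardinality, timeout, ts_kl, t_last, trigger=None):
    """True if a request sent when key `trigger` becomes current is answered (after t_last)
    before the session ends. trigger=None uses eq. (3); trigger=cardinality models a naive
    node that only asks once the last key is already in use."""
    if trigger is None:
        trigger = request_trigger(cardinality, t_last, timeout)
    t_send = ts_kl + (trigger - 1) * timeout        # start of validity of key `trigger`
    session_end = ts_kl + cardinality * timeout     # session = cardinality * timeout
    return t_send + t_last <= session_end


if __name__ == "__main__":
    t_now = 117
    print(key_index(t_now, TS_KL, TIMEOUT), remaining_validity(t_now, TS_KL, TIMEOUT))   # 4 3
    print(next_list_in_time(10, TIMEOUT, TS_KL, t_last=12))                 # True  (eq. 3 trigger)
    print(next_list_in_time(10, TIMEOUT, TS_KL, t_last=12, trigger=10))     # False (naive node)
```

With the trigger index from (3) the node always has at least $t_{last}$ left in the session when it sends the request, so a slow reply still arrives before the key list runs out; the naive node with the same 12-unit response time misses the session boundary and would be cut off from the backbone.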

## **7. The privacy and anonymity protocol**

As mentioned in Section 1, to ensure the privacy of the users, the proposed security protocol is complemented with a privacy protocol that provides user anonymity. The same *authentication server* (AS) used in the security protocol manages the key distribution for preserving privacy. To enable user authentication with anonymity, a novel protocol has been designed by extending the *ring signature authentication* scheme in (Cao et al., 2004). It is assumed that a symmetric encryption algorithm *E* exists such that for any key *k*, the function $E_k$ is a permutation over *b*-bit strings. We also assume the existence of a family of *keyed combining functions* $C_{k,v}(y_1, y_2, \ldots, y_n)$ and a publicly defined *collision-resistant* hash function *H*(.) that maps arbitrary inputs to strings of constant length, which are used as keys for $C_{k,v}(y_1, y_2, \ldots, y_n)$ (Rivest et al., 2001). Every keyed combining function $C_{k,v}(y_1, y_2, \ldots, y_n)$ takes as input the key *k*, an initialization *b*-bit value *v*, and arbitrary values $y_1, y_2, \ldots, y_n$. A user $U_i$ who wants to generate a session key with the authentication server uses a ring of *n* logged-on users and performs the following steps.

**Step 1.** $U_i$ chooses the following parameters: (i) a large prime $p_i$ such that it is hard to compute discrete logarithms in $GF(p_i)$, (ii) another large prime $q_i$ such that $q_i \mid p_i - 1$, and (iii) a generator $g_i$ in $GF(p_i)$ with order $q_i$.

**Step 2.** $U_i$ chooses $x_{Ai} \in Z_{q_i}$ as his private key, and computes the public key $y_{Ai} = g_i^{x_{Ai}} \bmod p_i$.

**Step 3.** $U_i$ defines a trap-door function $f_i(\alpha, \beta) = \left(y_{Ai}^{\alpha} \cdot g_i^{\beta} \bmod p_i\right) \bmod q_i$. Its inverse function $f_i^{-1}(y)$ is defined as $(\alpha, \beta)$, which are computed as follows ($K$ is a random integer in $Z_{q_i}$):


$$\alpha = y_{Ai} \cdot g_i^{\,-K \cdot (g_i^{K} \bmod p_i) \bmod q_i} \bmod p_i \tag{4}$$

$$a^{*} = \alpha \bmod q_i \tag{5}$$

$$\beta = K \cdot (g_i^{K} \bmod p_i) - x_{Ai} \cdot a^{*} \bmod q_i \tag{6}$$

$U_i$ makes $p_i$, $q_i$, $g_i$ and $y_{Ai}$ public, and keeps $x_{Ai}$ secret.

The *authentication server* (*AS*) chooses: (i) a large prime *p* such that it is hard to compute discrete logarithms in *GF*(*p*), (ii) another large prime *q* such that $q \mid p - 1$, (iii) a generator *g* in *GF*(*p*) with order *q*, and (iv) a random integer $x_B$ from $Z_q$ as its private key. *AS* computes its public key $y_B = g^{x_B} \bmod p$ and publishes $(y_B, p, q, g)$.

*Anonymous authenticated key exchange*: The key exchange is initiated by the user $U_i$ and involves three rounds to compute a secret session key between $U_i$ and *AS*. The operations in these three rounds are as follows:

*Round 1*: When $U_i$ wants to generate a session key on behalf of the *n* ring users $U_1, U_2, \ldots, U_n$, where $1 \le i \le n$, $U_i$ does the following:

(i) $U_i$ chooses two random integers $x_1, x_A \in Z_q^{*}$ and computes from them the values *R*, *X* and *V* that the *AS* uses in Round 2.

(iii) $U_i$ randomly chooses a *b*-bit initialization value *v*, and finds the value of $y_i$ from the ring equation $C_{k,v}(y_1, y_2, \ldots, y_n) = v$.

Finally, $U_i$ sends the signature and *I* to the server *AS*.

*Round 2*: *AS* does the following to recover and verify *X* from the signature.

(i) *AS* computes $Q = (R^{x_B} \bmod p) \bmod q$, recovers *X* using $X = V \cdot g^{Q} \bmod p$, and hashes *X*, *Q*, … to obtain the combining key *k*.

(iii) *AS* checks whether $C_{k,v}(y_1, y_2, \ldots, y_n) = v$. If it is true, *AS* accepts *X* as valid; otherwise, *AS* rejects *X*. If *X* is valid, *AS* chooses a random integer $x_b$ from $Z_q^{*}$ and computes the following: $Y = g^{x_b} \bmod p$, $K_s = X^{x_b} \bmod p$ and $h' = H(K_s, X, Y, I)$. *AS* sends $\{h', Y, \ldots\}$ to $U_i$.

*Round 3*: $U_i$ verifies whether $K_s'$ is from the server *AS*. For this purpose, $U_i$ computes $K_s' = Y^{x_a} \bmod p$, and hashes $K_s'$, *X*, *Y* to get $h''$ using $h'' = H(K_s', X, Y, I)$. If $h'' = h'$, $U_i$ accepts $K_s$ as the session key.

*Security analysis*: The key exchange scheme satisfies the following requirements.

*User anonymity*: For a given signature, the server can only be convinced that the ring signature was produced by one of the possible users. If the actual user does not reveal the seed *K*, the server cannot determine the identity of the user. The strength of the anonymity depends on the security of the pseudorandom number generator. It is not possible to determine the identity of the actual user in a ring of size *n* with probability greater than 1/*n*. Since the values of *k* and *v* are fixed in a ring signature, there are $(2^b)^{n-1}$ tuples $(x_1, x_2, \ldots, x_n)$ that satisfy the equation $C_{k,v}(y_1, y_2, \ldots, y_n) = v$, and the probability of generating each such tuple is the same. Therefore, the signature cannot leak the identity information of the user.

*Mutual authentication*: In the proposed scheme, not only does the server verify the users, but the users can also verify the server. Because of the hardness of inverting the one-way function *f*(.), it is computationally infeasible for an attacker to determine $(\alpha_i, \beta_i)$, and hence infeasible for him to forge a signature. If the attacker wants to masquerade as the *AS*, he needs to compute $h' = H(K_s, X, Y, I)$. He requires $x_B$ in order to recover *X*. However, $x_B$ is the private key of the *AS*, to which the attacker has no access.

*Forward secrecy*: The forward secrecy of a scheme refers to its ability to protect the keys of previous sessions when an attacker obtains the key of a particular session. Forward secrecy also enables the scheme to prevent *replay attacks*. In the proposed scheme, since $x_a$ and $x_b$ are both selected randomly, the session key of each period has no relation to those of the other periods. Therefore, if the session key generated in period *j* is leaked, the attacker cannot get any information about the session keys generated before period *j*. The proposed protocol is, therefore, resistant to replay attacks.

## **8. Performance evaluation**

26 Applied Cryptography and Network Security

\* mod *<sup>i</sup>*

\* .( mod ) . mod *<sup>K</sup> K i i Ai <sup>i</sup>*

The *authentication server* (*AS*) chooses: (i) a large prime *p* such that it is hard to compute discrete logarithms in *GF*(*p*), (ii) another large prime *q* such that *q* | *p* – 1, (iii) a generator *g* in *GF*(*p*) with order *q*, (iv) a random integer *xB* from *Zq* as its private key. *AS* computes its

*Anonymous authenticated key exchange*: The key-exchange is initiated by the user *Ui* and involves three rounds to compute a secret session key between *Ui* and *AS*. The operations in

*Round 1*: When *Ui* wants to generate a session key on the behalf of *n* ring users *U1*, *U2*, …..*Un*,

i. (i) *Ui* chooses two random integers *x1*, *xA* \* *Zq* and computes the following:

iii. (iii) *Ui* randomly chooses a *b*-bit initialization value *v*, and finds the value of *<sup>i</sup> y* from

 

i. *AS* computes mod mod *Bx Q R p q* , recovers *X* using . mod *<sup>Q</sup> X V g p* and hashes *X*, *Q*,

iii. *AS* checks whether , 1, 2, ( ......... ) . *Ck v <sup>n</sup> yy y v* If it is true, *AS* accepts *X* as valid; otherwise, *AS* rejects *X*. If *X* is valid, *AS* chooses a random integer *xb* from \* *Zq* , and computes the

following: mod *<sup>b</sup> <sup>x</sup> <sup>Y</sup> g p* mod *<sup>b</sup> <sup>x</sup> K X <sup>s</sup> <sup>p</sup>* and ' ( , ,,) *<sup>s</sup> h HK XYI* . *AS* sends {*h*, *Y*, '

, for *t* = 1,2,…..*n*.

 

.

*f y* by using the trap-door information of *<sup>i</sup> <sup>f</sup>* . First, it

*<sup>n</sup>* is the ring signature

*<sup>i</sup>* using (6).

<sup>1</sup> mod *<sup>x</sup> <sup>R</sup> g p* , 1 mod mod *<sup>x</sup> Qy p q <sup>B</sup>* , mod *<sup>a</sup> <sup>x</sup> <sup>X</sup> g p* and ( , , , ,) *<sup>B</sup> l HXQV y I* .

*t t* 

a pseudorandom way, and computes *yt ttt t f p* ( , )mod

*i* using (5) and finally computes

*Round 2*: *AS* does the following to recover and verify *X* from the signature

and *I* to the server *AS*.

*V* and *yb* to recover *l*, where ( , , , ,) *<sup>B</sup> l HXQV y I* .

   

 

*<sup>B</sup> yg p* and publishes (*yB*, *p*, *q*, *g*).

*Ui* makes *pi*, *qi*, *gi* and *Ai y* public, and keeps *Ai x* as secret.

public key *<sup>B</sup>* mod *<sup>x</sup>*

computes \*

Finally, *Ui* sends

*Ui*.

ii. *AS* computes *yt itt i f p* ( , )mod

these three rounds are as follows:

where 1 *i n* , *Ui* does the following:

ii. (ii) *Ui* Chooses a pair of values (,)

the equation , 1, 2,........ ( ) *Ck v <sup>n</sup> yy y v* . iv. (iv) *Ui* computes <sup>1</sup> (,) () *ii i i*

 

chooses a random integer *<sup>i</sup> K Z <sup>q</sup>* , computes

v. (v) 1 2 , 11 22 ( , ., , , ,( , ),( , ),.,( , ) *U U U vV R n n* 

.( mod )mod . mod *<sup>K</sup> Kg p q iii Ai i i*

*y g p* (4)

*g p x q* (6)

*q* (5)

for every other ring member *Ut* (1 , ) *t nt k* in

*<sup>i</sup>* using (6), and keeps *K* secret. It then

on *X*.

> .

> > *I* } to
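Rounds 1 to 3 of the exchange above, as an added illustration that is not the chapter's code: it carries out Ui's computation of (R, Q, X, V, l), AS's recovery of X from (R, V) with $x_B$, the session key and the h'/h'' confirmation, and shows that a reply whose Y was substituted by a party without $x_B$ is rejected and that two sessions never share a key. The ring signature over X (steps (ii)-(v) of Round 1 and steps ii-iii of Round 2), the masking form V = X·g^Q mod p, the hash encoding and the toy group size are assumptions.

```python
"""Rounds 1 to 3 of the anonymous authenticated key exchange, without the ring
signature on X.  Added illustration with toy parameters; not the chapter's code."""
import hashlib
import secrets


def _is_prime(n):
    """Trial division; adequate only for the small toy parameters used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def make_group(q=1_000_003):
    """Return (p, q, g): q prime, q | p - 1, g a generator of the order-q subgroup of GF(p)."""
    assert _is_prime(q)
    k = 2
    while not _is_prime(k * q + 1):
        k += 1
    p = k * q + 1
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)   # maps h into the subgroup of order q
        if g != 1:
            return p, q, g
    raise RuntimeError("no generator found")


def H(*parts):
    """Hash H(.) used for l, h' and h''.  Length-prefixed big-endian encoding is an
    assumption; the chapter does not fix one."""
    md = hashlib.sha256()
    for part in parts:
        if not isinstance(part, bytes):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        md.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(md.digest(), "big")


def _rand_exponent(q):
    return secrets.randbelow(q - 1) + 1   # uniform in Z_q^* = {1, ..., q-1}


def server_setup(group):
    """AS picks its private key x_B and publishes y_B = g^{x_B} mod p."""
    p, q, g = group
    x_B = _rand_exponent(q)
    return x_B, pow(g, x_B, p)


def user_round1(group, y_B, ident):
    """Round 1 (i): R, Q, X, V and l.  Returns the message (R, V, I) and Ui's private state."""
    p, q, g = group
    x1, x_a = _rand_exponent(q), _rand_exponent(q)
    R = pow(g, x1, p)
    Q = pow(y_B, x1, p) % q          # AS recomputes this from R with x_B
    X = pow(g, x_a, p)
    V = X * pow(g, Q, p) % p         # X masked with Q (masking form assumed)
    l = H(X, Q, V, y_B, ident)       # would key the ring signature C_{k,v} on X
    return (R, V, ident), {"x_a": x_a, "X": X, "l": l}


def server_round2(group, x_B, y_B, msg):
    """Round 2 step i and the key part of step iii: recover X, then Y, K_s and h'."""
    p, q, g = group
    R, V, ident = msg
    Q = pow(R, x_B, p) % q
    X = V * pow(pow(g, Q, p), -1, p) % p   # X = V * g^{-Q} mod p
    l = H(X, Q, V, y_B, ident)             # input to the (omitted) ring-signature check
    x_b = _rand_exponent(q)
    Y = pow(g, x_b, p)
    K_s = pow(X, x_b, p)
    h1 = H(K_s, X, Y, ident)               # h'
    return (h1, Y, ident), {"K_s": K_s, "X": X, "l": l}


def user_round3(group, state, reply):
    """Round 3: K_s' = Y^{x_a} mod p, h'' = H(K_s', X, Y, I); accept only if h' == h''."""
    p, _, _ = group
    h1, Y, ident = reply
    K_s = pow(Y, state["x_a"], p)
    h2 = H(K_s, state["X"], Y, ident)
    return K_s if h1 == h2 else None


def run_exchange(group, substitute_Y=False):
    """One full session.  With substitute_Y the reply carries a Y chosen without x_B or x_b,
    so h' no longer matches and Ui must reject (the mutual-authentication check)."""
    p, q, g = group
    x_B, y_B = server_setup(group)
    msg, st = user_round1(group, y_B, b"U_i")          # constructed identity string I
    reply, srv = server_round2(group, x_B, y_B, msg)
    if substitute_Y:
        h1, _, ident = reply
        reply = (h1, pow(g, _rand_exponent(q), p), ident)
    K_user = user_round3(group, st, reply)
    return K_user, srv["K_s"], srv["X"] == st["X"] and srv["l"] == st["l"]


if __name__ == "__main__":
    G = make_group()
    K_u, K_as, recovered = run_exchange(G)
    print("AS recovered X and l:", recovered, "| keys agree:", K_u == K_as)
    print("substituted Y accepted:", run_exchange(G, substitute_Y=True)[0] is not None)
```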

## **8. Performance evaluation**

The proposed security and privacy protocols have been implemented in the Qualnet network simulator, version 4.5 (Network Simulator, Qualnet). The simulated network consists of 50 nodes randomly distributed in the simulation area, forming a dense WMN. The WMN topology is shown in Fig. 10, in which 5 nodes are MRs and the remaining 45 are MCs. Each MR has 9 MCs associated with it. To evaluate the performance of the security protocol, the network is first set up as a full-mesh topology, where each MR (and also each MC) is directly connected to two of its neighbors. In such a scenario, the throughput of a TCP connection established over a wireless link is measured with the security protocol activated in the nodes. The obtained results are then compared with the throughput obtained on the same wireless link protected by a static key to encrypt the traffic.

After having 10 simulation runs, the average throughput of a wireless link between a pair of MRs was found to be equal to 30.6 MBPS, when the link is protected by a static key. However, the average throughput for the same link was 28.4 MBPS when the link was

Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks 29

rich and high-speed content access, recent research has focused on developing high performance communication protocols, while security and privacy issues have received relatively little attention. However, given the wireless and multi-hop nature of communication, WMNs are subject to a wide range of security and privacy threats. This chapter has provided a comprehensive discussion on the current authentication, access control and user privacy protection schemes for WMNs. It has also presented a novel security and key management protocol that can be utilized for secure authentication in WMNs. The proposed security protocol ensures security in both the access and the backbone networks. A user privacy protection algorithm has also been presented that enables anonymous authentication of the users. Simulation results have shown the effectiveness of the protocol. Future research issues include the study of a distributed and collaborative system where the authentication service is provided by a dynamically selected set of MRs. The integration with the current centralized scheme would increase the robustness of the proposed protocol, maintaining a low overhead since MRs would use the distributed service only when the central server is not available. Authentication on the backbone network in a hybrid and open WMN is still an unsolved problem. In addition, authentication between MRs and IGWs from different operators in a hybrid WMN environment is another challenge. Authentication and key distribution in a mobile WMN such as mobile WiMAX or LTE networks is another open problem. High mobility users make the challenge even more difficult. Owing to very limited coverage IEEE 802.11-based MRs (e.g., 100 meters), the high-mobility users (e.g. a user on a fast moving car) will migrate from the coverage area of an MR to that of another. It is not acceptable for the user to authenticate and negotiate the key with each MR. 
Novel solutions possibly using group keys are needed for this purpose. The requirements of user anonymity and privacy of users

Aboba, B.; Bluk, L.; Vollbrecht, J.; Carlson, J. & Levkowetz, H. (2004). *Extensible* 

Aboba, B. & Vollbrecht, J. (1999). *Proxy Chaining and Policy Implementation in Roaming, RFC* 

Akyildiz, I. F.; Wang, X. & Wang, W. (2005). Wireless Mesh Networks: A Survey. *Computer* 

Ateniese, G.; Herzberg, A.; Krawczyk, H. & Tsudik, G. (1999). Untraceable Mobility or How to Travel Incognito. *Computer Networks*, Vol 31, No 8, pp. 871–884, April 1999. Aura, T. & Roe, M. (2005). Reducing Reauthentication Delay in Wireless Networks.

Ben Salem, N. & Hubaux, J.-P. (2006). Securing Wireless Mesh Networks. *IEEE Wireless* 

Blake-Wilson, S. & Menezes, A. (1998). Entity Authentication and Authenticated Key

*Proceedings of the 1st IEEE International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm'05)*, pp. 139-148, Athens, Greece,

Transport Protocols Employing Asymmetric Techniques. *Proceedings of the 5th International Workshop on Security Protocols*, *Lecture Notes in Computer Science*, Vol

Aboba, B. & Simon, D. (1999). *PPP EAP TLS Authentication Protocol*. RFC 2716, 1999.

should be integrated to most of the applications in WMNs.

*Authentication Protocol (EAP).* RFC 3748, June 2004*.* 

*Networks*, Vol 47, No 4, pp. 445–487, March 2005.

*Communication*, Vol 13, No 2, pp. 50-55, April 2006.

**10. References** 

*2607,* October 1999.

September 2005.

protected by the proposed security protocol. The results confirm that the protocol does not cause any significant overhead on the performance of the wireless link, since the throughput in a link on average decreased by only 7%.

The impact of the security protocol for key generation and revocation on packet drop rate in real-time applications is also studied in the simulation. For this purpose, a VoIP application is invoked between two MRs which generated UDP traffic in the wireless link. The packet drop rates in wireless link when the link is protected with the proposed security protocol and when the link is protected with a static key. The transmission rate was set to 1 MBPS. The average packet drop rate in 10 simulation runs was found to be only 4%. The results clearly demonstrate that the proposed security scheme has no adverse impact on packet drop rate even if several key switching (regeneration and revocation) operations are carried out.

Fig. 10. The simulated network topology in Qualnet Simulator

The performance of the privacy protocol is also analyzed in terms of its storage, communication overhead. Both storage and communication overhead were found to increase linearly with the number of nodes in the network. In fact, it has been analytically shown that overhead due to cryptographic operation on each message is: 60*n* + 60 bytes, where *n* represents the number of public key pairs used to generate the ring signature (Xiong et al., 2010). It is clear that the privacy protocol has a low overhead.

### **9. Conclusion and future work**

WMNs have become an important focus area of research in recent years owing to their great promise in realizing numerous next-generation wireless services. Driven by the demand for rich and high-speed content access, recent research has focused on developing high performance communication protocols, while security and privacy issues have received relatively little attention. However, given the wireless and multi-hop nature of communication, WMNs are subject to a wide range of security and privacy threats. This chapter has provided a comprehensive discussion on the current authentication, access control and user privacy protection schemes for WMNs. It has also presented a novel security and key management protocol that can be utilized for secure authentication in WMNs. The proposed security protocol ensures security in both the access and the backbone networks. A user privacy protection algorithm has also been presented that enables anonymous authentication of the users. Simulation results have shown the effectiveness of the protocol. Future research issues include the study of a distributed and collaborative system where the authentication service is provided by a dynamically selected set of MRs. The integration with the current centralized scheme would increase the robustness of the proposed protocol, maintaining a low overhead since MRs would use the distributed service only when the central server is not available. Authentication on the backbone network in a hybrid and open WMN is still an unsolved problem. In addition, authentication between MRs and IGWs from different operators in a hybrid WMN environment is another challenge. Authentication and key distribution in a mobile WMN such as mobile WiMAX or LTE networks is another open problem. High mobility users make the challenge even more difficult. Owing to very limited coverage IEEE 802.11-based MRs (e.g., 100 meters), the high-mobility users (e.g. 
a user on a fast moving car) will migrate from the coverage area of an MR to that of another. It is not acceptable for the user to authenticate and negotiate the key with each MR. Novel solutions possibly using group keys are needed for this purpose. The requirements of user anonymity and privacy of users should be integrated to most of the applications in WMNs.

#### **10. References**

28 Applied Cryptography and Network Security

protected by the proposed security protocol. The results confirm that the protocol does not cause any significant overhead on the performance of the wireless link, since the throughput

The impact of the security protocol for key generation and revocation on packet drop rate in real-time applications is also studied in the simulation. For this purpose, a VoIP application is invoked between two MRs which generated UDP traffic in the wireless link. The packet drop rates in wireless link when the link is protected with the proposed security protocol and when the link is protected with a static key. The transmission rate was set to 1 MBPS. The average packet drop rate in 10 simulation runs was found to be only 4%. The results clearly demonstrate that the proposed security scheme has no adverse impact on packet drop rate

even if several key switching (regeneration and revocation) operations are carried out.

Fig. 10. The simulated network topology in Qualnet Simulator

**9. Conclusion and future work** 

(Xiong et al., 2010). It is clear that the privacy protocol has a low overhead.

The performance of the privacy protocol is also analyzed in terms of its storage, communication overhead. Both storage and communication overhead were found to increase linearly with the number of nodes in the network. In fact, it has been analytically shown that overhead due to cryptographic operation on each message is: 60*n* + 60 bytes, where *n* represents the number of public key pairs used to generate the ring signature

WMNs have become an important focus area of research in recent years owing to their great promise in realizing numerous next-generation wireless services. Driven by the demand for

in a link on average decreased by only 7%.


Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks 31

He, B.; Joshi, S.; Agrawal, D. P. & Sun, D. (2010). An Efficient Authenticated Key

Hur, J.; Shim, H.; Kim, P.; Yoon, H. & Song, N.-O. (2008). Security Consideration for

IEEE Standard 802.1X (2001). *Local and Metropolitan Area Networks Port-Based Network Access* 

Kassab, M.; Belghith, A.; Bonnin, J.-M. & Sassi, S. (2005). Fast Pre-Authentication Based on

Lamport, L. (1981). Password Authentication with Insecure Communication. *Communications of the ACM*, Vol. 24, No. 11, pp. 770-772, November 1981. Lee, I.; Lee, J.; Arbaugh, W. & Kim, D. (2008). Dynamic Distributed Authentication Scheme

Vol. 5200, pp. 649–658, Springer-Verlag, Heidelberg, Germany, 2008. Lin, X.; Ling, X.; Zhu, H.; Ho, P.-H. & Shen, X. (2008). A Novel Localised Authentication

Loughney, L.; Nakhjiri, M.; Perkins, C. & Koodli, R. (2005). *Context Transfer Protocol (CXTP)*.

Lukas, G. & Fackroth, C. (2009). WMNSec: Security for Wireless Mesh Networks. *Proceedings* 

Martignon, F.; Paris, S. & Capone, A. (2008). MobiSEC: A Novel Security Architecture for

Mishra, A. & Arbaugh, W. A. (2002). *An Initial Security Analysis of the IEEE 802.1X Standard.* 

Mishra, A.; Shin, M.H.; Petroni, N. I.; Clancy, J. T. & Arbauch, W. A. (2004). Proactive Key

Moustafa, H. (2007). Providing Authentication, Trust, and Privacy in Wireless Mesh

*Security and Networks*, Vol. 3, No. 2, pp. 122–132, 2008.

IETF RFC 4067, July 2005.

October 2008.

USA, February 2002.

Press, USA, 2007.

pp. 26–36, February 2004.

2009, ACM Press, New York, USA.

Mills, D.L. (1992). *Network Time Protocol,* RFC 1305, March 1992.

IEEE Standard 802.11i (2004). *Medium Access Control Security Enhancements*, 2004.

*(WMuNeP 2005)*, pp. 46–53, Montreal, Canada, October 2005.

December 2010.

*Control*, 2001.

2008.

Establishment Scheme for Wireless Mesh Networks. *Proceedings of IEEE Global Telecommunications Conference (GLOBECOM'10)*, pp. 1-5, Miami, Florida, USA,

Handover Schemes in Mobile WiMAX Networks. *Proceedings of IEEE Wireless Communications and Networking Conference (WCNC '08)*, Las Vegas, NV, March,

Proactive Key Distribution for 802.11 Infrastructure Networks. *Proceedings of the 1st ACM Workshop on Wireless Multimedia Networking and Performance Modeling* 

for Wireless LAN-Based Mesh Networks. *Proceedings of International Conference on Information, Networking, Towards Ubiquitous Networking and Services (ICOIN '07),* Estril, Portugal, January, 2007. *Lecture Notes in Computer Science*, Vazao et al. (eds.),

Scheme in IEEE 802.11 Based Wireless Mesh Networks. *International Journal of* 

*of the International Conference on Wireless Communications and Mobile Computing: Connecting the World Wirelessly (IWCMC'09)*, pp. 90–95, Leipzig, Germany, June,

Wireless Mesh Networks. *Proceedings of the 4th ACM Symposium on QoS and Security for Wireless and Mobile Networks (Q2SWinet'08)*, pp. 35-42, Vancouver, Canada,

*Computer Science Department Technical Report CS-TR-4328*, University of Maryland,

Distribution Using Neighbor Graphs. *IEEE Wireless Communications*, Vol. 11, No. 1,

Networks, pp. 261-295. *Security in Wireless Mesh Networks*. Zhang et al. (eds.), CRC

1361, pp. 137–158, Christianson et al. (eds.), Springer-Verlag, Heidelberg, Germany, 1998.


Blundo, C.; Santis, A. D.; Herzberg. A.; Kutten, S.; Vaccaor, U. & Yung, M. (1993). Perfectly-

Boneh, D. & Franklin, M. (2001). Identity-Based Encryption from the Weil Pairing.

Boneh, D. & Shacham, H. (2004). Group Signatures with Verifier-Local Revocation.

Brands, S. (1993). Untraceable Off-Line Cash in Wallets with Observers. *Proceedings of the* 

Buttyan, L. & Dora, L. (2009). An Authentication Scheme for QoS-Aware Multi-Operator

Cao, T.; Lin, D. & Xue, R. (2004). Improved Ring Authenticated Encryption Scheme.

Cao, Z; Zhu, H. & Lu, R. (2006). Provably Secure Robust Threshold Partial Blind Signature.

Chaum, D. (1982). Blind Signatures for Untraceable Payments. *Proceedings of the Annual* 

Cheikhrouhou, O.; Maknavicius, M. & Chaouchi, H. (2006). Security Architecture in a Multi-

Clarke, R. (1999). Internet Privacy Concerns Confirm the Case for Intervention.

Figueiredo, D.; Shapiro, J. & Towsley, D. (2005). Incentives to Promote Availability in Peer-

He, B.; Xie, B.; Zhao, D. & Reddy, R. (2011). Secure Access Control and Authentication in

*WMN, WANET*, Al-Sakib Khan Pathan (ed.), CRC Pres, USA, 2011.

*Communications of the ACM*, Vol 42, No 2, pp. 60–67, February 1999. Fantacci, R.; Maccari, L.; Pecorella, T. & Frosali, F. (2006). A Secure and Performant Token-

*Network Protocols (ICNP'05)*, pp. 110–121, November 2005.

*Notes in Computer Science*, Brickell (ed.), Vol 740, pp. 471-486, 1993.

*(CCS)*, pp. 168-177, Washington DC, USA, October 2004.

*Journal of Computer Communications*, Vol 33, Issue 8, May 2010.

203, Plenum Press, New York, USA, August 1983.

*(SAR 2006)*, Seignosse-Landes, France, June 2006.

Poster Paper, Barcelona, Spain, April 2006.

*Academic Publishers World Publishing Corporation*, pp. 341-346, 2004.

*Science* Vol 773, pp. 302–318, August 1993.

1998.

August 2001.

2006.

1361, pp. 137–158, Christianson et al. (eds.), Springer-Verlag, Heidelberg, Germany,

Secure Key Distribution for Dynamic Conferences. *Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO'92)*. *Lecture* 

*Proceedings of the Annual International Cryptology Conference (CRYPTO'01). Lecture Notes in Computer Science*, Vol 2139, pp. 213–229, Springer-Verlag, Berlin, Germany,

*Proceedings of the 11th ACM Conference on Computer and Communication Security* 

*Annual International Cryptology Conference (CRYPTO'93). Lecture Notes in Computer* 

Maintained Wireless Mesh Networks. *Proceedings of the 1st IEEE WoWMoM Workshop on Hot Topics in Mesh Networking (HotMESH '09)*, Kos, Greece, June 2009. Buttyan, L.; Dora, L; Martinelli, F. & Petrochhi, M. (2010). Fast Certificate-based

Authentication Scheme in Multi-Operator Maintained Wireless Mesh Networks.

*Proceedings of 10th Joint International Computer Conference (JICC)*, *International* 

*Science in China Series F: Information Sciences*, Vol 49, No 5, pp. 604–615, October

*International Cryptology Conference (CRYPTO'82). Advances in Cryptology,* pp. 199–

Hop Mesh Network. *Proceedings of the 5th Conference on Security Architecture Research* 

Based Authentication for Infrastructure and Mesh 802.1X Networks. *Proceedings of the 25th IEEE International Conference on Computer Communications (INFOCOM'06)*,

to-Peer Anonymity Systems. *Proceedings of the 13th IEEE International Conference on* 

Wireless Mesh Networks. *Security of Self-Organizing Networks: MANET, WSN,* 


Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks 33

Sen, J. (2009). A Survey on Wireless Sensor Network Security. *International Journal of* 

Sen, J. (2010a). A Distributed Trust and Reputation Framework for Mobile Ad Hoc

Sen, J. (2010b). Reputation- and Trust-Based Systems for Wireless Self-Organizing

Sen, J. (2010c). A Robust and Efficient Node Authentication Protocol for Mobile Ad Hoc

Sen, J. (2011). Secure Routing in Wireless Mesh Networks, pp. 237-280. *Wireless Mesh* 

Shamir, A. (1984). Identity-Based Cryptosystems and Signature Schemes. *Proceedings of the* 

Sun, J.; Zhang, C. & Fang, Y. (2008). A Security Architecture Achieving Anonymity and

Sun, J.; Zhang, C. ; Zhang, Y. & Fang, Y. (2011). SAT: A Security Architecture Achieving

Wu, T.; Xue, Y. & Cui, Y. (2006). Preserving Traffic Privacy in Wireless Mesh Networks.

Wu, X. & Li, N. (2006). Achieving Privacy in Mesh Networks. *Proceedings of the 4th ACM* 

Xiong, H.; Beznosov, K.; Qin, Z. & Ripeanu, M. (2010). Efficient and Spontaneous Privacy-

*Dependable and Secure Computing*, Vol 8, No 2, pp. 295–307, March 2011. Wei, K.; Chen, Y. R.; Smith, A. J. & Vo, B. (2006). WhoPay: A Scalable and Anonymous

Vol 35, No. 10, pp. 54–62, October 2002.

*Networks*, Nobuo Funabiki (ed.), InTech, Croatia, January 2011.

Vol. 196, pp. 47–53, Springer-Verlag, Berlin, Germany, August 1984. Soltwisch, R.; Fu, X.; Hogrefe, D. & Narayanan, S. (2004). A Method for Authentication and

Springer- Verlag, Heidelberg, Germany, July 2010.

August 2009.

2010.

2004.

2008.

June 2006.

Africa, May 2010.

September 2010.

*Communication Networks and Information Security (IJCNIS)*, Vol 1, No2, pp. 59-82,

Networks. *Recent Trends in Network Security and its Applications*, Meghanathan et al. (eds.), pp. 528–537, *Communications in Computer and Information Science (CCIS)*,

Networks, pp. 91-122. *Security of Self-Organizing Networks: MANET, WSN, WMN, VANET*, A-S. K. Pathan (ed.), Aurbach Publications, CRC Press, USA, December

Networks. *Proceedings of the 2nd International Conference on Computational Intelligence, Modelling and Simulation (CIMSiM'10)*, pp. 476-481, Bali, Indonesia,

*International Cryptology Conference (CRYPTO'84). Lecture Notes in Computer Science*,

Key Exchange for Seamless Inter-Domain Handovers. *Proceedings of the 12th IEEE International Conference on Networks (ICON '04)*, pp. 463–469, Singapore, November

Traceability in Wireless Mesh Networks. *Proceedings of the 27th IEEE International Conference on Computer Communications (IEEE INFOCOM'08)*, pp. 1687–1695, April

Anonymity and Traceability in Wireless Mesh Networks. *IEEE Transactions on* 

Payment system for Peer-to-Peer Environments. *Proceedings of the 26th IEEE International Conference on Distributed Computing Systems (ICDCS'06)*, July 2006. Wood, A. D. & Stankovic, J. A. (2002). Denial of Service in Sensor Networks. *IEEE Computer*,

*Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM'06), pp.* 459-461*,* Buffalo-Niagara Falls, NY, USA,

*Workshop on Security of Ad Hoc and Sensor Networks (SASN)*, pp. 13-22, October 2006.

Preserving Protocol for Secure Vehicular Communication. *Proceedings of IEEE International Conference on Communications (ICC'10)*, pp. 1-6, Cape Town, South


Moustafa, H.; Bourdon, G. & Gourhant, Y. (2006a). Authentication, Authorization and

Pack, S. & Choi, Y. (2004). Fast Handoff Scheme Based on Mobility Prediction in Public

Parthasarathy, M. (2006). *Protocol for Carrying Authentication and Network Access (PANA)* 

Perrig, A.; Canetti, R.; Song, D. & Tygar, J. (2001). Efficient and Secure Source

Prasad, N. R.; Alam, M. & Ruggieri, M. (2004). Light-Weight AAA Infrastructure for

Prasad, A. R. & Wang, H. (2005). Roaming Key Based Fast Handover in WLANs. *Proceedings* 

Raya, M. & Hubaux, J.-P. (2007). Securing Vehicular Ad Hoc Networks. *Journal of Computer* 

Reed, M.; Syverson, P. & Goldschlag, D. D. (1998). Anonymous Connections and Onion

Ren, K.; Yu, S.; Lou, W. & Zhang, Y. (2010). PEACE: A Novel Privacy-Enhanced Yet Accountable

Rivest, R.; Shamir, A. & Tauman, Y. (2001). How to Leak a Secret. *Proceedings of the 7th*

2248, pp. 552-565, Boyd, C. (ed.), Springer, Heidelberg, December 2001. Sen, J.; Chowdhury, P. R. & Sengupta, I. (2006). *Proceedings of the International Symposium on* 

Sen, J. & Subramanyam, H. (2007). An Efficient Certificate Authority for Ad Hoc Networks.

*Science*, Janowski & Mohanty (eds.), Vol 4882, pp. 97-109, 2007.

*Parallel and Distributed Systems*, Vol 21, No 2, pp. 203–215, February 2010. Rigney, C.; Willens, S.; Rubins, A. & Simpson, W. (2000). *Remote Authentication Dial in User* 

*Threat Analysis and Security Requirements.* RFC 4016, March 2005.

Network Simulator QUALNET. URL: http://www.scalable-networks.com.

*Communications*, Vol 29, No 3–4, pp. 205–219, June 2004.

1570–1576, New Orleans, Louisiana, USA, March 2005.

*Service (RADIUS), RFC 2865*, June 2000.

Sweden, May 2006.

2004.

2001.

68, January 2007.

India, December, 2006.

May 1998.

Accounting (AAA) in Hybrid Ad Hoc Hotspot's Environments. *Proceedings of the 4th ACM International Workshop on Wireless Mobile Applications and Services on WLAN Hotspots (WMASH'06)*, pp. 37-46, Los Angeles, California, USA, September 2006. Moustafa, H.; Bourdon, G. & Gourhant, Y. (2006b). Providing Authentication and Access

Control in Vehicular Network Environment. *Proceedings of the 21st IFIP TC- 11 International Information Security Conference (IFIP-SEC'06)*, pp. 62-73, Karlstad,

Wireless LAN Systems. *IEEE Communications*, Vol. 151, No. 5, pp. 489–495, October

Authentication for Multicast. *Proceedings of the Network and Distributed System Security Symposium (NDSS 2001)*, pp. 35-46, San Diego, California, USA, February

Mobility Support across Heterogeneous Networks. *Wireless Personal* 

*of IEEE Wireless Communications and Networking Conference (WCNC 2003)*, Vol 3, pp.

*Security, Special Issue on Security of Ad Hoc and Sensor Networks*, Vol 15, No 1, pp. 39–

Routing. *IEEE Journal on Selected Areas in Communications*, Vol 16, No 4, pp. 482-494,

Security Framework for Metropolitan Wireless Mesh Networks. *IEEE Transactions on* 

*International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Security (ASIACRPT'01). Lecture Notes in Computer Science*, Vol

*Ad Hoc and Ubiquitous Computing (ISAHUC'06)*, pp. 62-67, Surathkal, Mangalore,

*Proceedings of the 4th International Conference on Distributed Computing and Internet Technology (ICDCIT'07)*, Bangalore, India, December 2007. *Lecture Notes in Computer* 


**2** 

*Stanford University United States of America* 

**Security from Location** 

Di Qiu, Dan Boneh, Sherman Lo and Per Enge

The emergence of the Internet and personal computers has led to an age of unprecedented information content and access. The proliferation of Internet connectivity, personal computers, and portable, high density data storage has put volumes of data are at one's fingertips. While the spread of such technology has increased efficiency and knowledge, it

The emerging problems have made the field of information security grow significantly in recent years. Geoencryption or location-based encryption is a means to enhance security. Precise location and time information can be used to restrict access of the system or equipment at certain locations and time frames (Qiu et al., 2007). The term "geo-security" or "locationbased security" refer to the authentication algorithm that limits the access (decryption) of information content to specified locations and/or times. More generically, the restriction can be based on any set of location-dependent parameters. The algorithm does not replace any of the conventional cryptographic algorithms, but instead adds an additional layer of security. When a device wishes to determine its position, it does two things (Qiu et al., 2010). First, the hardware uses an antenna and receiver to capture and record a location measurement. Second, the location measurement is converted into a global position in the form of longitude and latitude. Most often these two steps are conflated, and both are seen as necessary to enable location-based applications. In this paper we show that for many security applications only the first step is needed: there is no need to accurately map the location measurement to an accurate global position. Therefore, these location-based security applications can be implemented using a variety of radio frequency (RF) signals, including broadcast communication signals, such as AM/FM, cellular, DTV, Wi-Fi, etc,

While GPS provides accurate position data, other location services are far less accurate. LOng RAnge Navigation (Loran), for example, uses a 3km wavelength, and standalone Loran has an absolute accuracy of several hundred meters (Loran-C, 1994). Loran-C, the most recent version of Loran in use, is a terrestrial navigation system originally designed for naval applications. Its modernized version, enhanced Loran (eLoran), together with differential corrections can achieve an accuracy of 8 to 20 meter. This paper uses standalone Loran-C, which has good repeatable accuracy but low absolute accuracy, as a case study and shows that high absolute accuracy is not a requirement for a number of location-based security applications. As with all radio-based systems, Loran-C radio signals are distorted by buildings and other objects

has also made information theft easier and more damaging.

navigation signals, and an integration of various signals.

**1. Introduction** 


## **Security from Location**

Di Qiu, Dan Boneh, Sherman Lo and Per Enge *Stanford University United States of America* 

#### **1. Introduction**

34 Applied Cryptography and Network Security


The emergence of the Internet and personal computers has led to an age of unprecedented information content and access. The proliferation of Internet connectivity, personal computers, and portable, high-density data storage has put volumes of data at one's fingertips. While the spread of such technology has increased efficiency and knowledge, it has also made information theft easier and more damaging.

The emerging problems have made the field of information security grow significantly in recent years. Geoencryption or location-based encryption is a means to enhance security. Precise location and time information can be used to restrict access to a system or equipment to certain locations and time frames (Qiu et al., 2007). The term "geo-security" or "location-based security" refers to an authentication algorithm that limits the access (decryption) of information content to specified locations and/or times. More generically, the restriction can be based on any set of location-dependent parameters. The algorithm does not replace any of the conventional cryptographic algorithms, but instead adds an additional layer of security.

When a device wishes to determine its position, it does two things (Qiu et al., 2010). First, the hardware uses an antenna and receiver to capture and record a location measurement. Second, the location measurement is converted into a global position in the form of longitude and latitude. Most often these two steps are conflated, and both are seen as necessary to enable location-based applications. In this paper we show that for many security applications only the first step is needed: there is no need to accurately map the location measurement to an accurate global position. Therefore, these location-based security applications can be implemented using a variety of radio frequency (RF) signals, including broadcast communication signals such as AM/FM, cellular, DTV, Wi-Fi, etc., navigation signals, and an integration of various signals.

While GPS provides accurate position data, other location services are far less accurate. LOng RAnge Navigation (Loran), for example, uses a 3 km wavelength, and standalone Loran has an absolute accuracy of several hundred meters (Loran-C, 1994). Loran-C, the most recent version of Loran in use, is a terrestrial navigation system originally designed for naval applications. Its modernized version, enhanced Loran (eLoran), together with differential corrections can achieve an accuracy of 8 to 20 meters. This paper uses standalone Loran-C, which has good repeatable accuracy but low absolute accuracy, as a case study and shows that high absolute accuracy is not a requirement for a number of location-based security applications. As with all radio-based systems, Loran-C radio signals are distorted by buildings and other objects, causing measurements to change greatly over short distances. Our main result shows that one can exploit these chaotic changes to obtain a precise and reproducible geotag with an accuracy of about 20 meters. Reproducibility means that measurements at the same location at different times always produce the same tag. While there is no way to map location measurements to an accurate position, there are still many applications, primarily security applications, for which a reproducible and precise tag is sufficient.

We build a reproducible and precise tag using recent results from biometric authentication for location-based security applications. In particular, we rely on fuzzy extractors and secure sketches, originally designed for fingerprint-based authentication. The idea is to store some public information that enables anyone to convert an erroneous measurement into a consistent tag. We develop specific fuzzy extractors designed to handle radio-type errors. The challenge is to correct for signal variations due to day/night, humidity, and seasonal changes.

The rest of the chapter is organized as follows. Section 2 develops a standardized process to quantify the precision, reproducibility and security of a geotag for security applications. Section 3 provides definitions and background information on fuzzy extractors. The design and implementation of fuzzy extractors for location-based security discussed in Section 4 will apply to all radio-based signals. We use Loran-C as a convenient example and evaluate the geotag performance using real data, which will be addressed in Section 5.

## **2. Geo-security**

#### **2.1 System model**

The geo-security system works in two steps, calibration and verification, as illustrated in Figure 1. The calibration phase builds the database of geotags for service areas: , where *T* is the geotag of the calibration associated with location , and *t* represents the time interval when the geotag is generated. The use of time information for geotags is optional. The calibration phase requires one to survey the service areas with a location sensor, such as a Loran receiver that integrates a geotag generation module. Geotags associated with the calibrated areas are computed from the recorded location information and stored in a database for future use. In the verification phase, a user derives a geotag using the same geotag generation device and matches it against the precomputed ones in the database. If the two tags match, the user's location is validated and the authorization for an application is granted; otherwise, the authorization is denied.

#### **2.1.1 Geotag generation**

In this section we introduce two geotag generation methods: the deterministic approach and the binary approach. The methods differ in geotag representation, efficiency in computation and implementation in practice.

Let be the location-dependent parameters, where denotes the signals received at location and time , and is the function performed in a receiver. Typical functions in a receiver include signal conditioning, digitizing, and parameter extraction. The extracted is a vector , where is the number of location-dependent parameters.

Fig. 1. Geo-security system: Calibration and verification phases

The deterministic approach simply takes the location-dependent parameter vector as a geotag, shown in Equation (1). This technique is similar to the location fingerprinting except that a geotag is computed from various location-dependent parameters rather than the received signal strength (Bahl & Padmanabhan, 2000).

$$T = x \in \mathbb{R}^{n \times 1} \tag{1}$$

The binary geotag generation algorithm consists of three steps: a receiver function to extract location-dependent parameters from the received signals , a quantizer to quantize the parameters with adequate step sizes , and a mapping function to convert the quantized parameters into a binary string . The binary mapping can be done using a hash function, which is one-way and collision resistant. A one-way hash function is a fundamental building block in many cryptographic algorithms and protocols (Schneier, 1996), and outputs a fixed-length hash value regardless of the length of the input. One-way-ness means that the function is easy to compute but hard or computationally infeasible to invert. Collision resistance means that it is hard to find two different inputs that produce the same hash value. Let be the quantized parameter vector; its calculation is illustrated in Equation (2). All of these vectors , , and have the size . The quantization steps can be determined from the standard deviations of the location-dependent parameters to allow a certain degree of variation.

$$q_i = \mathcal{E}(x_i) = k; \quad x_i \in S_i = [k\Delta, (k+1)\Delta), \; k = 1, \ldots, N, \tag{2}$$

where is the partition set and indicates the number of quantization levels corresponding to a particular . Thus the binary geotag can be calculated as

$$T = h(q) \in \mathbb{Z}^{m \times 1}. \tag{3}$$
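The three-step binary geotag pipeline of Equations (2) and (3), as an added example that is not code from the chapter: the quantizer floors each parameter to its bin index, and SHA-256 plays the role of the one-way, collision-resistant hash h. The three parameters, their standard deviations, the step sizes (taken here as 4σ, an assumption) and the measurement values are all constructed. The third measurement shows the failure mode the chapter goes on to address with fuzzy extractors: a small change that crosses a bin boundary produces an unrelated tag.

```python
import hashlib
import math
from typing import List, Sequence

# Constructed example values: three hypothetical location-dependent
# parameters (arbitrary units) with the standard deviations one would
# estimate for them during calibration. Not measured Loran-C data.
SIGMA = [0.05, 0.20, 1.50]
# Quantization step sizes Delta_i, chosen here as 4 * sigma_i (an assumption)
# so that ordinary measurement noise usually stays inside one bin.
STEP = [0.2, 0.8, 6.0]


def quantize(x: Sequence[float], step: Sequence[float]) -> List[int]:
    """Quantizer of Equation (2): q_i = k when x_i lies in [k*Delta_i, (k+1)*Delta_i)."""
    if len(x) != len(step):
        raise ValueError("parameter vector and step vector differ in size")
    return [math.floor(xi / di) for xi, di in zip(x, step)]


def binary_geotag(x: Sequence[float], step: Sequence[float] = STEP,
                  m_bytes: int = 16) -> bytes:
    """Binary geotag of Equation (3): T = h(q), with SHA-256 as the hash h
    and the digest truncated to m_bytes (m = 8 * m_bytes bits)."""
    q = quantize(x, step)
    # Fixed-width, signed serialization: equal q always hash equally and
    # different q cannot collide at the serialization layer.
    serialized = b"".join(k.to_bytes(4, "big", signed=True) for k in q)
    return hashlib.sha256(serialized).digest()[:m_bytes]


def geotags_match(x_calibration: Sequence[float], x_verification: Sequence[float],
                  step: Sequence[float] = STEP) -> bool:
    """Verification succeeds only when both measurements quantize identically."""
    return binary_geotag(x_calibration, step) == binary_geotag(x_verification, step)


# Constructed measurements taken at one location.
X_CALIBRATION = [1.23, 4.56, 12.7]   # recorded during the calibration phase
X_NOISY = [1.25, 4.50, 13.0]         # later measurement; noise stays inside each bin
X_EDGE = [1.19, 4.56, 12.7]          # first parameter drifts across a bin boundary

if __name__ == "__main__":
    print("calibration tag:", binary_geotag(X_CALIBRATION).hex())
    print("noisy measurement matches:", geotags_match(X_CALIBRATION, X_NOISY))
    print("boundary measurement matches:", geotags_match(X_CALIBRATION, X_EDGE))
```

The boundary case is the reason a plain quantize-and-hash tag is not reproducible on its own: a parameter that sits near a bin edge at calibration time will flip the tag on roughly half of later measurements, which is what the public helper data of a fuzzy extractor (Section 3) is designed to absorb.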

#### **2.1.2 Geotag matching**

We next describe different matching algorithms for the two geotag generation functions. Two matching algorithms – the nearest neighbor method (NNM) and the probabilistic approach – can be applied to the deterministic geotag.

Let denote the matching function. NNM is a common technique (Roos et al., 2002) used for indoor location estimation and pattern matching. The algorithm measures the distance between the location parameter vector from the verification phase and the previously stored vectors in the database, . The generalized distance measure is defined in Equation (4), where is a weighting factor and is the norm parameter. For instance, and represent the Euclidean distance. Based on the calculated distances between and the previously computed , the geotag that gives the minimum distance is chosen. It is necessary to set an upper bound to guarantee that the location was registered at the calibration phase. A modification of NNM that uses the standard deviation of the location parameters is called the weighted nearest neighbor method (WNNM). The new distance measure is shown in Equation (5), where is a covariance matrix, and is the mean value of the location-dependent parameters. The matching function for the deterministic geotag is illustrated in Equation (6), where is the geotag associated with the authorized location.

$$D(x, x') = \frac{1}{n} \left( \sum_{i=1}^{n} \frac{1}{w_i} |x'_i - x_i|^p \right)^{\frac{1}{p}} \tag{4}$$

$$D(x, x') = \left[ (x - x')^T C^{-1} (x - x') \right]^{\frac{1}{2}} \tag{5}$$

$$\mathcal{M}(\tilde{T}, T') = \begin{cases} 1 & \text{if } \arg\min D(T, T') = \tilde{T}, \; D(T, T') \le d_0; \\ 0 & \text{otherwise}. \end{cases} \tag{6}$$

The probabilistic approach models a geotag with a conditional probability, and uses Bayesian methods to estimate the location (Roos et al., 2002). Both the location-dependent parameters and the standard deviations are estimated at the calibration phase. Assuming that the location-dependent parameters have Gaussian distributions, we use the probability density function shown in Equation (7) to compare the calculated likelihoods. The geotag that gives the maximum probability is chosen. The corresponding matching function is shown as follows:

$$P = \frac{1}{n} \sum_{i=1}^{n} \left[ \frac{1}{\sqrt{2\pi}\,\sigma_i} \exp\left(-\frac{(x'_i - x_i)^2}{2\sigma_i^2}\right) \right] \tag{7}$$

$$\mathcal{M}(\tilde{T}, T) = \begin{cases} 1 & \text{if } \arg\max P = \tilde{T}; \\ 0 & \text{otherwise.} \end{cases} \tag{8}$$

The matching process for a binary geotag only involves the correlations between and the previously stored ones. The correlation function is shown as follows:

$$\mathcal{M}(\tilde{T}, T') = \begin{cases} 1 & \text{if } \frac{1}{m} \sum_{i=1}^{m} \tilde{T}(i) \oplus T'(i) = 1, \; \forall \tilde{T} \in \mathbb{S}; \\ 0 & \text{otherwise}. \end{cases} \tag{9}$$
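The verification phase of Figure 1 run against a small calibration database, implementing the matching functions of Equations (4) through (9). This is an added example, not code from the chapter. The database entries, standard deviations, the bound d_0 = 3 and the verification measurements are constructed; Equation (5) is implemented for a diagonal covariance matrix (an assumption that reduces it to a per-parameter scaled norm), and the correlation of Equation (9) is read as requiring every one of the m bits to agree.

```python
import math
from typing import Callable, Dict, List, Sequence

Vector = Sequence[float]

# Constructed calibration database (Figure 1, calibration phase): one label
# per surveyed location and the parameter vector x recorded there. Three
# hypothetical parameters in arbitrary units; not real Loran-C data.
CALIBRATION_DB: Dict[str, List[float]] = {
    "server_room": [1.23, 4.56, 12.7],
    "lobby":       [1.41, 4.20, 15.9],
    "parking_lot": [2.05, 3.70, 22.4],
}
# Per-parameter standard deviations estimated at calibration (constructed).
SIGMA = [0.05, 0.20, 1.50]
# Upper bound d_0 of Equation (6) on an accepted distance (assumed value).
D0 = 3.0


def nnm_distance(x: Vector, x_prime: Vector, w: Vector, p: int = 2) -> float:
    """Generalized distance of Equation (4); w_i = 1 and p = 2 give the
    Euclidean distance scaled by 1/n."""
    n = len(x)
    total = sum(abs(xp - xi) ** p / wi for xi, xp, wi in zip(x, x_prime, w))
    return total ** (1.0 / p) / n


def wnnm_distance(x: Vector, x_prime: Vector, sigma: Vector) -> float:
    """Equation (5) under the assumption C = diag(sigma_i^2)."""
    return math.sqrt(sum(((xp - xi) / s) ** 2 for xi, xp, s in zip(x, x_prime, sigma)))


def wnnm(x: Vector, x_prime: Vector) -> float:
    return wnnm_distance(x, x_prime, SIGMA)


def match_deterministic(expected: str, x_prime: Vector,
                        dist: Callable[[Vector, Vector], float],
                        db: Dict[str, List[float]] = CALIBRATION_DB,
                        d0: float = D0) -> int:
    """Equation (6): accept only if the nearest stored geotag is the expected
    one AND its distance does not exceed d_0 (so unregistered places fail)."""
    nearest = min(db, key=lambda tag: dist(db[tag], x_prime))
    return 1 if nearest == expected and dist(db[nearest], x_prime) <= d0 else 0


def gaussian_likelihood(x: Vector, x_prime: Vector, sigma: Vector) -> float:
    """Equation (7): mean per-parameter Gaussian density of x' around x."""
    total = 0.0
    for xi, xp, s in zip(x, x_prime, sigma):
        total += math.exp(-((xp - xi) ** 2) / (2.0 * s * s)) / (math.sqrt(2.0 * math.pi) * s)
    return total / len(x)


def match_probabilistic(expected: str, x_prime: Vector, sigma: Vector = SIGMA,
                        db: Dict[str, List[float]] = CALIBRATION_DB) -> int:
    """Equation (8): accept if the expected geotag maximizes the likelihood."""
    best = max(db, key=lambda tag: gaussian_likelihood(db[tag], x_prime, sigma))
    return 1 if best == expected else 0


def match_binary(expected_tag: bytes, candidate_tag: bytes) -> int:
    """Equation (9) read bitwise: XOR the m bits of the two binary geotags and
    accept only when no bit differs."""
    if len(expected_tag) != len(candidate_tag):
        return 0
    differing = sum(bin(a ^ b).count("1") for a, b in zip(expected_tag, candidate_tag))
    return 1 if differing == 0 else 0


# Constructed verification-phase measurements.
X_SERVER_ROOM_NOISY = [1.25, 4.50, 13.0]   # taken in the server room
X_UNREGISTERED = [3.00, 2.00, 40.0]        # a place that was never calibrated

if __name__ == "__main__":
    for tag in CALIBRATION_DB:
        print(f"{tag:12s} WNNM distance {wnnm(CALIBRATION_DB[tag], X_SERVER_ROOM_NOISY):.3f}")
    print("server_room accepted (WNNM):", match_deterministic("server_room", X_SERVER_ROOM_NOISY, wnnm))
    print("parking_lot accepted for unregistered spot:",
          match_deterministic("parking_lot", X_UNREGISTERED, wnnm))
```

The d_0 check matters for the access-control use of Section 2.3: without it, a measurement taken anywhere at all still has some nearest database entry, so the nearest-neighbour step alone would accept measurements from locations that were never calibrated.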

#### **2.2 Loran-C for geo-security**

The most important required feature of a signal for geo-security is its ability to generate a strong geotag. The strength of the geotag is determined by the quantity and quality of location-dependent signal parameters. By the quantity, we mean the number of different location-dependent parameters that can be generated. By the quality, we mean the amount of unique location-dependent information provided by each parameter. The information content is related to the spatial decorrelation of the parameter. Greater spatial decorrelation results in more unique information. By having many parameters each providing its unique information content, we can generate a strong geotag.

At the same time, it is desirable to have the parameters be relatively insensitive to temporal changes, which weaken the uniqueness of the information. Temporal variations essentially reduce the uniqueness of the location-dependent information. As a result, repeatability and repeatable accuracy are desirable qualities. They allow a user to record his location-dependent parameters or the derived geotag at one time and still have those parameters valid at a later time. In other words, the signal characteristics should be consistent enough so that when the user is ready to authenticate, measurements at the same location will yield the same previously generated geotag. These are several highly desirable features.

In addition, the signal should have anti-spoofing capabilities. If the signal is vulnerable to spoofing, it may be possible for an attacker to bypass the location check and authenticate correctly. Furthermore, it is desirable that the signal be available indoors. This is because many of the anticipated applications of geo-security will likely occur indoors. This includes applications such as the management and distribution of secure digital data. Often, it is good if this data is only accessible inside certain buildings.

Loran-C is a terrestrial, low frequency, pulsed navigation system that operates in much of the northern hemisphere (Loran-C, 1994). Although the absolute accuracy of standalone Loran-C is not comparable to GPS, it has several advantages over GPS for security applications. First, Loran uses static transmitters and, as a result, its signals provide many parameters that are location-dependent. Each parameter offers a certain amount of information, or potential information density. Parameters with higher information density result in stronger security. This is important, as the security strength of the geotag is derived from the information used to generate it. A combination of various parameters and the accuracy of these parameters increase the security strength. Second, Loran has good repeatable position accuracy, which benefits the design and guarantees the reproducibility of the geotag. Furthermore, Loran-C has good regional coverage in Northern Europe and much of East Asia, including China, Japan, and Korea. Although the transmission of Loran-C signals in North America was terminated in Feb. 2010, the decision on eLoran has yet to be made. eLoran will have a data channel (e-Loran, 2007). While some uses of the data have been defined, others have not. Therefore, several message types have been left unassigned to support useful applications such as location-based security in the course of the eLoran design. Loran antenna size may have been a practical issue in many applications. Recent research (Lee et al., 2009) has shown that a miniature H-field antenna of 2x2 cm can be achieved. With this size, a Loran H-field antenna can easily fit into a number of portable electronic devices.

#### **2.3 Applications**

We discuss a number of potential security applications where the desired properties of geotags – high spatial decorrelation and reproducibility – come into play. Different geotag generation and system implementation methods should be applied to achieve optimized performance for various applications.

#### **2.3.1 Digital manners policies (DMP)**

Technologies for digital manners (DMP) (Hruska, 2008) attempt to enforce manners at public locations. A DMP-enabled cell phone can be programmed by the phone provider to turn off the camera while inside a hospital, a locker room, or a classified installation. Or the phone can be programmed to switch to vibrate mode while inside a movie theater. Many other applications have been considered. Although these ideas are highly controversial (Schneier, 2008), we focus only on the technical content and feasible implementation of the ideas.

To implement DMP one assumes that the device needs to know its precise location. We argue that this is incorrect. Using our radio-based tag, one can build a list of geotags where the camera is to be turned off. The device downloads an updated list periodically. When the device encounters a geotag on this blocklist, it turns the camera off. When the device leaves the blocked location the camera is turned back on. Hence, digital manners are enforced without ever telling the device its precise location.

A DMP system must survive the following attack: the attacker owns the device and tries to make the device think it is somewhere else. Since most places are not blocked, any location confusion will do. To survive this threat any location-based DMP system must make the following two assumptions:

- First, the device, including the antenna connection, must be tamper resistant. If the antenna connection is not protected then anyone can tamper with signals from the antenna. The simplest attack is to add a delay loop to the antenna. Since location measurements are time based, the delay loop will fool the device into thinking it is

- Second, it should be difficult to spoof the Loran-C radio signals by transmitting fake signals from a nearby transmitter. The safest defense against spoofing is cryptographic authentication for Loran-C signals. In our previous study (Qiu et al., 2007) we proposed a method for embedding TESLA (Perrig, 2002) authenticators into Loran-C signals to prevent spoofing. We point out that even without cryptography, spoofing Loran-C signals is far harder than spoofing GPS: in fact, GPS spoofers are commercially available and are regularly used by GPS vendors for testing their products.

Both assumptions are necessary to build an effective DMP system regardless of the navigation system used. Our goal is not to promote DMP but rather to show that an accurate DMP system can be built from standalone Loran-C signals.

#### **2.3.2 Location-based access control**

While DMP is a blocklisting application, access control is a whitelisting example. Consider a location-aware disk drive. The drive can be programmed to work only while safely in the data center. An attacker who steals the device will not be able to interact with it.

We consider two attack models:

- **Private locations:** suppose the device is located in a guarded data center and the attacker has no access to the insides of the data center. The attacker steals the device (say, while in transit (Sullivan, 2007)) and tries to make the device think it is still in the data center.

- **Public locations:** in this case the attacker has complete access to the data center and can measure the authorized geotag. After stealing the device the attacker can try to spoof the Loran-C signal to make the device think it is still in the data center. Unlike the DMP application, where any location confusion was sufficient for the attacker, here the attacker must cause the device to think it is precisely in the right place in the data center, with 20 meter accuracy. Simply adding delay loops to the antenna will not work.

In both threat models we must assume that the device is tamper-resistant. Otherwise, the attacker can simply modify the device and bypass the location check. In the case of a public location we must also assume cryptographic authentication on Loran-C signals, as discussed in the DMP application.

Interestingly, for the private location setting, the unpredictability of the Loran-C geotag implies that we do not need any signal authentication, nor do we need to protect the antenna connection to the device. In Section 5 we show that even if the attacker takes many measurements several hundred meters away (say, in the parking lot) he still cannot tell for sure what tag to supply.

One option available to the attacker is to build a list of candidate geotags and try them one by one. In Section 5 we show that the list would need to include several dozen candidate tags. But the device can easily shut down if it ever receives a sequence of incorrect geotags. Consequently, a trial and error attack will not get very far.

We note that location-based access control using encryption was studied by Scott and Denning (Scott & Denning, 2003) under the name Geoencryption, which uses physical locations, such as latitude, longitude and altitude measurements from GPS, for security applications. Our geotag derived from raw location measurements is more unpredictable and provides more information entropy.

## **3. Background on fuzzy extractors**

#### **3.1 Fuzzy extractors: Definitions**

In the previous section we showed applications for a precise and reproducible geotag. We now show how to build such tags using the standalone Loran-C system. To ensure that our tags are reproducible we will make use of fuzzy extractors (Juels & Wattenberg, 1999; Dodis et al., 2004). Fuzzy extractors were originally designed for biometric authentication systems. Since biometric scanners introduce errors, one needs some way to extract a reproducible tag from the scanner's output. While biometric fuzzy extractors are designed with a specific error model in mind, here we need a fuzzy extractor tailored for the Loran error model.

We follow the definitions in (Dodis et al., 2004). Measurements live in a set which is equipped with a distance function denoted . Roughly speaking, is small if is "close" to .

**Fuzzy extractor.** A fuzzy extractor works in two steps. During the registration step one runs algorithm on input to generate a public value and a tag . Later, given a noisy version of , denoted , one runs algorithm on input and to reproduce the tag .

We consider two attack models:

**2.3.1 Digital manners policies (DMP)** 

without ever telling the device its precise location.

following two assumptions:

somewhere else.

ideas.

 **Public locations:** in this case the attacker has complete access to the data center and the attacker can measure the authorized geotag. After stealing the device the attacker can try to spoof the Loran-C signal to make the device think it is still in the data center. Unlike the DMP application where any location confusion was sufficient for the attacker, here the attacker must cause the device to think it is precisely in the right place in the data center, with 20 meter accuracy. Simply adding delay loops to the antenna will not work.

In both threat models we must assume that the device is tamper-resistant. Otherwise, the attacker can simply modify the device and bypass the location check. In the case of a public location we must also assume cryptographic authentication on Loran-C signals, as discussed in the DMP application.

Interestingly, for the private location settings, the unpredictability of the Loran-C geotag implies that we do not need any signal authentication nor do we need to protect the antenna connection to the device. In Section 5 we show that even if the attacker takes many measurements several hundreds of meters away (say in the parking lot) he still cannot tell for sure what tag to supply.

One option available to the attacker is to build a list of candidate geotags and try them one by one. In Section 5 we show that the list would need to include several dozen candidate tags. But the device can easily shutdown if it ever receives a sequence of incorrect geotags. Consequently, a trial and error attack will not get very far.

We note that location-based access control using encryption was studied by Scott and Denning (Scott & Denning, 2003) under the name Geoencryption, which uses physical locations, such as latitude, longitude and altitude measurements from GPS, for security applications. Our geotag derived from raw location measurements is more unpredictable and provides more information entropy.

## **3. Background on fuzzy extractors**

In the previous section we showed applications for a precise and reproducible geotag. We now show how to build such tags using the standalone Loran-C system. To ensure that our tags are reproducible we will make use of fuzzy extractors (Juels & Wattenberg, 1999; Dodis et al., 2004). Fuzzy extractors were originally designed for biometric authentication systems. Since biometric scanners introduce errors, one needs some way to extract a reproducible tag from the scanner's output. While biometric fuzzy extractors are designed with a specific error model in mind, here we need a fuzzy extractor tailored to the Loran error model.

#### **3.1 Fuzzy extractors: Definitions**

We follow the definitions in (Dodis et al., 2004). Measurements live in a set which is equipped with a distance function denoted . Roughly speaking, is small if is "close" to .

**Fuzzy extractor.** A fuzzy extractor works in two steps. During the registration step one runs algorithm on input to generate a public value and a tag . Later, given a noisy version of , denoted , one runs algorithm on input and to reproduce the tag .

The idea is that if and are fingerprint scans of the same finger, then is "close" to and both should produce the same tag . If has sufficient entropy then it can be used as a login password. Clearly we require that reveal little or no information about the tag .

**Definition 1.** A fuzzy extractor is a tuple , where is the metric space with a distance function dis, is a generate procedure and is a reproduce procedure, which has the following properties:

If outputs , then , whenever . If , then there is no guarantee will be output. In addition, if , , and .

Fig. 2. Fuzzy extractor in action (diagram: x → Generation → P; x', P → Reproduce → T)

#### **3.2 Known constructions for fuzzy extractors**

Initial constructions were proposed by Juels and Wattenberg (Juels & Wattenberg, 1999). Their scheme uses an error correcting code to handle the Hamming metric on binary data. Juels and Sudan (Juels & Sudan, 2002) provide a fuzzy extractor for the set difference metric, which is the first construction for a non-Hamming metric. Dodis et al. (Dodis et al., 2004) give precise definitions for the problem and provide constructions for Hamming distance, set distance and edit distance.

All these schemes primarily apply to binary data, which does not fit our setting where location measurements are vectors of real numbers. One exception is a construction of Chang and Li (Chang & Li, 2005) that can be adapted to give a fuzzy extractor for the scenario where one of the Loran-C transmitters is offline (e.g. for maintenance).

## **4. Generating a reproducible and precise geotag from Loran-C**

Our goal is to build a reproducible and precise geotag from standalone Loran-C measurements. We first explain what a Loran-C measurement looks like and then discuss the error model for these measurements. Finally, we present a simple fuzzy extractor for this error model.

**Loran-C measurements.** Radio-based navigation uses signals from multiple transmitters to estimate the receiver's position. Four transmitters on the west coast of the US, called the west coast Loran chain (GRI 9940), are used for navigation in the western US. These four stations are located at Fallon, NV; George, WA; Middletown, CA; and Searchlight, NV. Pulses from this chain are broadcast every 0.0994 seconds (Loran-C, 1994). Fallon is the master station and the remaining three follow in sync. From each station we obtain three values, called location parameters or **features**, per pulse:

- Time-of-arrival (TOA) or time difference (TD): measures the propagation time from the transmitter to the receiver,
- envelope-to-cycle difference (ECD): measures carrier propagation rate, and
- signal-to-noise ratio (SNR).

An example measurement from the Middletown, CA station taken at Stanford is a triple: (496.8 microseconds, -0.145 microseconds, 41dB).

The exact meaning of these numbers is not important for our discussion here. What is important is that each transmitter produces a triple of real numbers (features) per pulse. Collecting the signals from all four stations gives a 12-dimensional real vector from which we wish to derive a geotag.

Fig. 3. Stanford seasonal monitor data for 90-day period for Middletown: (a) TOA; (b) ECD; (c) SNR.

**Loran-C error patterns.** Due to measurement errors and environmental changes, taking multiple measurements at the same location, but at different times, produces different 12-dimensional vectors. Figure 3 shows temporal variations in the triple (TOA, ECD and SNR) as measured from the Middletown station over a 90-day period. These measurements were taken at Stanford, CA. The wild swings in TOA, for example, reflect seasonal variations between winter and spring. We next explain the reason for these variations and how to model them.

- The most common error source is the thermal noise in all electronic devices, modelled as white Gaussian noise. This noise cannot be eliminated and is always present in all electronic devices and transmission media.

- Many environmental factors cause signal variation, including temperature changes between night and day, changes in soil conductivity over time, humidity, local weather, etc. (Swaszek et al., 2007). In particular, temperature and humidity variations have a considerable effect on propagation speed. The extra delay in propagation time or TOA can introduce a position error of hundreds of meters (Lo et al., 2008). This particular error source in Loran is called additional secondary factor (ASF) and represents one of the largest error sources in Loran.

- Location vectors are continuous and need to be quantized. Quantization error, which is the difference between the value of a continuous feature and its quantized value, can lead to errors in the derived geotag. The quantization error is usually correlated with the two types of errors discussed above.

- The last type of error results from maintenance of any radio-based system. A transmitter can go offline, in which case we lose all measurements associated with that station. Ideally, we would like this to have no effect on the geotag produced by our system.

A fuzzy extractor for Loran signals must take seasonal variations into account and can correct errors differently depending on the time of year.

#### **4.1 Construction 1: Fuzzy extractor for Euclidean distance**

We propose a fuzzy extractor for the case when all Loran-C transmitters are present (Qiu et al., 2010). Thus the features are real numbers over and Euclidean distance is sufficient for the distance metric. Let be the location feature vector at registration and the feature vector at verification time; is the step size used to quantize the feature. The distance can be bounded by an adequate threshold. This threshold, , can be a design parameter. We need to develop a fuzzy extractor that can reproduce the geotag when the errors . The fuzzy extractor is designed to tolerate random noise, biases and quantization errors.

Let the metric space if we use the triple from four Loran-C stations. Thus , and are vectors that have dimensions. The quantization step is a design parameter chosen by the user. We consider the distance measure for Loran-C features is norm to be conservative.

$$\mathrm{dis}(x, x') = \max_{1 \le i \le n} \frac{|x_i - x'_i|}{\Delta_i} \tag{10}$$

The construction of the fuzzy extractor for Euclidean distance is as follows: during calibration or registration, the feature vector is quantized to get and store the public value , whereas during verification, given a slightly different location feature and , compute . , and are also -dimensional vectors. represents the feature in vector . The elements in vector are integers but they are not necessarily positive. For instance, a negative TD results if the distance between the secondary station and the user is shorter than the distance between the master station and the user. The basic idea of this fuzzy extractor is to adjust the offsets between the continuous features and the discrete ones due to quantization.

$$\operatorname{Gen}(x) = \begin{cases} T = \left( \left\lfloor \frac{x_i}{\Delta_i} \right\rfloor \right)_{i=1}^n \\ P = \left( x_i - \Delta_i \left\lfloor \frac{x_i}{\Delta_i} \right\rfloor \right)_{i=1}^n \end{cases} \tag{11}$$

$$\operatorname{Rep}(x', P) = \left( \left\lfloor \frac{x'_i - P_i + \frac{\Delta_i}{2}}{\Delta_i} \right\rfloor \right)_{i=1}^n = T' \tag{12}$$

**Claim 1.** If , then a geotag can be reproduced, that is, . This claim defines the reproducibility of geotags. If is measured at the same location as , we can reproduce when the distance between and is less than .

**Claim 2.** If , then a geotag . This claim defines the precision of geotags. If is measured at a different location close to the location of , is not expected to achieve the same tag as .

It is easy to see that our construction is a fuzzy extractor (as in **Definition 1**).

#### **4.2 Construction 2: Secret sharing based fuzzy extractor for Hamming distance**

The distance metric in this construction is Hamming. The input to the fuzzy extractor is the quantized feature vector instead of , where is -dimensional. The scheme is based on the property of secret sharing: a secret can be reconstructed given a subset of the shared information. The construction is as follows:

- Let be an integer and .
- Create a polynomial , such that .
- $$\operatorname{Gen}(x) = \begin{cases} T = \langle f(1), f(2), \dots, f(m) \rangle \\ P = \langle f(j), \dots, f(j+n-m-1) \rangle \end{cases}, \text{ where } j, \dots, j+n-m-1 \notin \{1, \dots, n\}.$$
- .

**Claim 3.** If , then a geotag can be reproduced. When the Hamming distance between two vectors is less than , the polynomial can be reconstructed with the assistance of , thus .

**Claim 4.** If , then a geotag . The precision of a geotag relies on the features .

This construction increases reproducibility but reduces entropy because we only use out of features to compute a geotag.

## **5. Experimental results**

In this section we use real standalone Loran-C data to evaluate the precision and reproducibility of the Loran-C geotag and to evaluate the effect of the Euclidean metric fuzzy extractor. We performed two experiments: (1) collected data at various test locations to examine the precision of geotags, and (2) collected data at one location over a 90-day period to study the reproducibility of geotags.

#### **5.1 Data at different locations evaluating tag precision**

We selected three different environments, where our proposed location-based security applications may occur, to perform the precision test: parking structure, soccer field and office building. At each location we used multiple test points, spending five minutes at each test point. An H-field antenna and Locus SatMate receiver, shown in Figure 4, were used for the data collection. The receiver averages and outputs Loran location features every minute.

Fig. 4. Loran-C H-field antenna (left) and SatMate receiver (right)

- **Scenario 1.** The first data set was collected at 21 different test points on the top floor of a parking structure at Stanford University. This place has an open sky view and no obstruction from the environment, but there are some metal structures nearby. The altitude is relatively high compared with the other two scenarios. The dimension of the parking structure is approximately 70 x 50 meters.

- **Scenario 2.** The second data set selected 16 test points in a soccer field. This environment has some obstructions from trees and buildings. The field has a dimension of 176 x 70 meters, so the distribution of the test locations is less dense compared to the other two scenarios.

- **Scenario 3.** The third data set, which includes 21 test points, was collected on the top floor both inside and outside a building. The concrete building with metal frames attenuates signal strength more but introduces more uniqueness in the location features, which can be beneficial to the computation of geotags.

We used the triple (TD, ECD, SNR) from four stations in the west coast chain (GRI 9940). Quantization steps are chosen based on the measured SNR. Low SNR signals are often attenuated more and pick up more noise. In general, features from low SNR stations are less consistent; thus larger quantization steps should be applied. We then created two-dimensional cells using Voronoi diagrams and mapped the tags into the cells accordingly. The color map is superimposed on the Google map. A color bar is used to label the hexadecimal value of the first 16 bits of the tag. This distribution plot helps us visualize how the geotag varies in a two-dimensional view. Each black dot together with the numbered label at the center of the cells represents a test location.

The left of Figure 5 is the tag plot on the top floor of the parking structure, the middle plot represents the results of the soccer field, and the right plot shows the top floor/roof of the Durand building. Loran signals are very sensitive to the environment, especially to metal structures. The re-radiation of signals from metals causes more distortion to the RF signals and thus higher precision, or spatial variation, of tags at certain locations. We observe this from the geotag maps of scenario 1 and scenario 3. Locations with very small separations still result in different geotags. It is worth mentioning that only two stations, Fallon and Middletown, are used to compute tags for scenario 3, while the other two scenarios use all four stations from GRI 9940. Due to the low signal strength indoors, the SatMate receiver was not able to acquire the other two low SNR stations, George and Searchlight. The averaged precision of the three scenarios is as follows:

- The precision of Loran-C tags in the parking structure ranges from 8 meters to 35 meters. There are four locations that resulted in the same tag, shown in dark blue on the left of Figure 5.

- The precision of tags in the soccer field is lower compared with that of the parking structure, due to the large separations between the selected test locations or the insufficient number of test points used. The averaged size of the colored cells representing a geotag is approximately 30 x 50 meters.

- Although the indoor signals are not good enough to solve a position fix, because low-SNR signals cannot be tracked, the generation of a geotag does not rely on the solved position fix, as geotags are derived from location-dependent features. As a result, it is not required to have more than four transmitters to implement location-based security, although more transmitters would provide more information entropy or a longer tag to the system. The smallest colored cell, or the highest tag precision in this indoor scenario, is approximately 5 meters, depicted in purple in the middle of the right plot in Figure 5. An upper bound on the actual tag precision at this location is the largest cell, 8 x 20 meters.

Fig. 5. Visualization of Loran geotags: (a) parking structure (left); (b) soccer field (middle); (c) Durand building (right)

#### **5.2 Data at one location evaluating reproducibility**

In this section we use the seasonal data shown in Figure 3 to compare the reproducibility of a geotag with and without a fuzzy extractor. Again same triple is used in this experiment. We use TD instead of TOA to minimize the impact of ASF errors: TOA of the master station is used as a reference to mitigate the temporal variations of secondary stations. Our experiments show that the standard deviation of TOA from Middletown is 12.19 meters and the standard deviation of TD from Middletown is reduced to 3.83 meters (Qiu et al., 2008). However, TD provides less information entropy in comparison with TOA as we lose the TOA entropy from master station.

**Performance metrics**. Before we discuss the experimental results from the seasonal data, we introduce the performance metrics that help to quantify and measure the reproducibility of a geotag. The problem of deciding whether a derived geotag is authentic or not can be seen as a hypothesis testing problem. The task is to decide which of the two hypotheses, H0 (accepting as an authorized user) or H1 (rejecting as an attacker), is true for the observed location measurements. A location-based system makes two types of errors: 1) mistaking the measurements or derived tags from the same location to be from two different locations, accepting hypothesis H1 when H0 is true, called a false reject; and 2) mistaking the measurements or derived tags from two different locations to be from the same location, accepting H0 when H1 is true, called a false accept. Both the false reject rate (FRR) and the false accept rate (FAR) depend on the accuracy of the equipment used, the step sizes chosen to quantize the location features, and environmental conditions. These two types of errors can be traded off against each other by varying the quantization steps. A more secure system aims for a low FAR at the expense of a high FRR, while a more convenient system aims for a low FRR at the expense of a high FAR. Figure 6 illustrates the two error rates of geotags under the assumption that the probability distributions are Gaussian, which is not necessarily true in practice. The grey tails represent the false reject of an authorized user, while the red area is the false accept of an attacker.

Security from Location 49

Fig. 6. Performance metrics illustration

**Choosing a reliable quantization step for a location feature.** Users' false reject rate depends significantly on the standard deviation of the features. A large standard deviation implies high temporal variations; thus the distance between the features received at verification and those recorded at registration might be large. Therefore, the quantization step should be chosen to be proportional to the standard deviation of the features.

In this analysis we show that the quantization step has to be larger than 4 to achieve a reasonably small FRR, less than 0.1. The FRR analysis is illustrated in Figure 7. The quantization step ranges from to 6. The x-axis is the feature offset between registration and verification. The y-axis is the estimated FRR. The solid lines are analytical results, for which we assumed the distribution of the location feature to be near-Gaussian after the ASF mitigation. The dots are derived from the seasonal data. We used ECD from four stations in this experiment. To estimate the FRR we take the first day of the 90-day ECD data as registration to compute a geotag, and the data from the remaining 89 days for verification. The experimental FRR is the number of days on which the tags are matched with the registered tag from day one, divided by 89. The experimental results match the analytical curves well. As expected, the FRR increases as the offset goes up and the quantization step goes down.

Fig. 7. FRR of a location feature

**Using multiple features.** The derived FRR in Figure 6 only represents the error rate of one particular location feature. In practice, multiple features are used to achieve more entropy, higher precision and greater difficulty in predicting the desired tag. However, one drawback of using multiple features is that the FRR of the system increases, or reproducibility is reduced.

The system FRR can be estimated as if we assume the location features are independent of each other, where is the error rate of one feature. In practice, location features are slightly correlated in some environments. For instance, the signal strength is inversely proportional to the propagation distance, which is determined by TOA. This holds when the antenna is placed in an open-sky area with no obstructions from the surroundings. To solve the reliability problem of using multiple features, a secret-sharing-based fuzzy extractor can be used together with the Euclidean metric fuzzy extractor: only a subset of the features is used to compute tags, so the total FRR is limited.

**Euclidean metric fuzzy extractor performance of multiple features.** Now we use the triple from four stations to evaluate experimentally the performance of the Euclidean metric fuzzy extractor. We reduce the quantization steps of the features gradually to observe the change in FRR and in the number of quantization levels, which determines the entropy of the geotag. The plot is shown in Figure 8. The blue line represents the FRR without the fuzzy extractor, while the red line is the result with the fuzzy extractor. As expected, the FRR is dramatically reduced by the fuzzy extractor, which guarantees that the measurements lie in the center of the quantization interval. The graph shows that we can achieve a total entropy of 86 bits with an FRR of less than 0.1 with adequate quantization steps.

Fig. 8. Performance of Euclidean metric fuzzy extractor
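As an added example (not code from the chapter or its authors), the following Python puts the three design rules of Section 5.2 together: quantizing each location feature with a step chosen relative to its standard deviation, the Euclidean metric fuzzy extractor that shifts the registered value to the center of its quantization interval, and the system FRR under the independence assumption. The feature values, the zero-mean Gaussian noise model and SHA-256 as the tag function are assumptions made for the example.

```python
"""Geotag generation with a Euclidean metric fuzzy extractor.

Added example, not code from the chapter. The constructed feature values,
the zero-mean Gaussian noise model and the use of SHA-256 as the tag
function are assumptions; the chapter only gives the design rules.
"""
import hashlib
import math
import random


def quantize(value: float, step: float) -> int:
    """Map a location feature (TD, ECD, SNR, ...) onto a quantization level."""
    return math.floor(value / step)


def geotag(levels) -> str:
    """Hash the quantized feature vector into a fixed-length geotag (assumed)."""
    data = ",".join(str(lv) for lv in levels).encode()
    return hashlib.sha256(data).hexdigest()


def register(features, steps):
    """Registration. Returns the geotag and public helper data: for each
    feature, the shift that moves the registered value to the centre of
    its quantization interval (the Euclidean metric sketch). The helper
    reveals the position inside an interval but not the interval itself."""
    levels, helper = [], []
    for value, step in zip(features, steps):
        level = quantize(value, step)
        centre = (level + 0.5) * step
        levels.append(level)
        helper.append(centre - value)
    return geotag(levels), helper


def reproduce(features, helper, steps) -> str:
    """Verification with the fuzzy extractor: apply the stored shift, then
    quantize. Any measurement within +/- step/2 of the registered value
    lands in the same interval, whatever that value's original position."""
    levels = [quantize(v + h, q) for v, h, q in zip(features, helper, steps)]
    return geotag(levels)


def reproduce_plain(features, steps) -> str:
    """Verification without a fuzzy extractor: quantize the raw measurement."""
    return geotag([quantize(v, q) for v, q in zip(features, steps)])


def frr_one_feature(step: float, sigma: float, offset: float = 0.0) -> float:
    """Analytical FRR of a single feature after the fuzzy extractor, assuming
    the verification error is N(offset, sigma) (the chapter's near-Gaussian
    model). The tag fails when the shifted measurement leaves the interval
    of half-width step/2 around the centre."""
    def cdf(x: float) -> float:
        return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))
    half = step / 2.0
    inside = cdf((half - offset) / sigma) - cdf((-half - offset) / sigma)
    return 1.0 - inside


def system_frr(per_feature_frr: float, n_features: int) -> float:
    """System FRR under the chapter's independence assumption: the tag is
    rejected as soon as any one feature falls into the wrong interval."""
    return 1.0 - (1.0 - per_feature_frr) ** n_features


def simulate_frr(registered, steps, sigma, trials=2000, seed=1):
    """Monte Carlo FRR (with extractor, without extractor) for a registered
    feature vector and Gaussian verification noise of the given sigma."""
    rng = random.Random(seed)
    tag, helper = register(registered, steps)
    plain_tag = reproduce_plain(registered, steps)
    rejected_fe = rejected_plain = 0
    for _ in range(trials):
        observed = [v + rng.gauss(0.0, sigma) for v in registered]
        rejected_fe += reproduce(observed, helper, steps) != tag
        rejected_plain += reproduce_plain(observed, steps) != plain_tag
    return rejected_fe / trials, rejected_plain / trials


if __name__ == "__main__":
    # Constructed example: three features registered 4 units from the
    # centre of their 10-unit intervals, sigma = 1 (step = 10 sigma).
    reg = [19.0, 39.0, 59.0]
    steps = [10.0, 10.0, 10.0]
    fe, plain = simulate_frr(reg, steps, sigma=1.0)
    print(f"FRR with extractor {fe:.3f}, without {plain:.3f}")
    # The chapter's rule of thumb: step >= 4 sigma gives per-feature FRR < 0.1.
    for k in (1, 2, 4, 6):
        p = frr_one_feature(k * 1.0, 1.0)
        print(f"step = {k} sigma: FRR {p:.3f}, four-feature system FRR "
              f"{system_frr(p, 4):.3f}")
```

With step = 4 sigma the per-feature FRR is about 0.046, and four independent features already push the system FRR to about 0.17, which is why the chapter trades quantization step against entropy to stay below 0.1.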

#### **5.3 Loran-C geotags are unpredictable**

Next we ask whether Loran-C geotags are predictable from a distance. In this chapter, unpredictability refers to the difficulty an individual has in predicting the Loran measurements at a given time and place. The temporal variations due to propagation path delay variations and skywave, as well as the unexpected distortions in the RF signals due to local features such as buildings and large metallic structures, introduce randomness and entropy into the generation of a geotag, which forces attackers to take more time and effort to break into the system.

We discussed applications for this unpredictability test in Section 2.3. To justify the claim that Loran-C geotags are unpredictable, we perform two experiments.

While we cannot prove the difficulty of prediction mathematically, as it is not possible to come up with a universal model that suits all environments, we can show the nonlinearity of the Loran-C features experimentally. The predictions would have to be based on path propagation, reflection, diffraction, diffuse wall scattering and transmission through various materials. The sum of all these components is taken to get TD, ECD and SNR. Moving objects such as people cause not only attenuation but also fluctuation. These irregularities make prediction even harder.

We perform the following two experiments to test the difficulty of predicting a geotag. The first experiment uses the data set collected in a parking structure from 11 test points. The test locations are lined up in one dimension and the separation between adjacent points is approximately three meters. We chose the first point as our target or user location. Figure 8 plots the spatial variations of the TD of George, Middletown and Searchlight. The x-axis is the measured distance of the test points from the target point. The y-axis is the relative TD in microseconds. We zeroed out the means of the TDs to put the measurements from the three stations on the same scale. The nonlinearity of the Loran-C measurements is clear from the graph. The low-SNR stations, George and Searchlight, are attenuated more by the obstructions in the environment than the strongest station, Middletown. This results in more nonlinear variations for the low-SNR stations.

Fig. 9. Spatial variation of TD measurements collected in a parking structure

The second experiment uses the same data set collected in the Durand building for the precision test discussed in Section 5.1. We chose the center point as our target point and measured Loran-C features at increasing distances from the target point. The target point is shown as a white dot in the plots of Figure 10. The color contour plot is again superimposed on the Google map. The color bar shown at the bottom represents the feature values at the various locations. Figure 10 illustrates the spatial variations of TD, ECD and signal strength measured from Middletown. If the feature variations were linearly proportional to distance, the color of the map would change gradually from blue to red with equal diameter. We observe that ECD is more nonlinear than TD and signal strength, because phase is very sensitive to building structures and environments. The nonlinearity of location features can significantly benefit the design of location-based security applications, as it makes the features highly unpredictable.

Fig. 10. Spatial variation of location data from Middletown in Durand building: (a) TD; (b) ECD; (c) Signal strength.

## **6. Conclusion**

We showed that a radio navigation system with high absolute accuracy and low repeatable accuracy, such as standalone Loran-C, can be used to generate a precise and reproducible geotag. A geotag is computed from location-dependent features and can be used for a number of security applications. A geotag is not a replacement for, but builds on, conventional security schemes. We discussed applications to DMP, inventory control and data access control.

Fuzzy extractors were developed for radio-based signals to achieve high consistency. The Euclidean metric fuzzy extractor and the Hamming metric fuzzy extractor were designed for different location measurement errors. An adequate quantization step should be chosen, as it determines the system performance. FAR and FRR can be traded off by varying the quantization steps of the location features. We used real Loran-C data to show that the Euclidean metric fuzzy extractor significantly improves the reproducibility of a generated geotag. In addition, we showed that the Loran-C location features achieve high spatial variation using measurements at three different sites: a parking structure, a soccer field and an office building. Finally, we gave evidence that a geotag is unpredictable from a distance, which is beneficial to location-based security applications.

This paper only focused on the evaluation of geo-security using Loran-C as a case study; however, there are many other available radio signals that might be feasible for implementing geo-security, such as digital television, cellular, Wi-Fi, and RFID. The proposed location-based security technique needs to be validated and compared across case studies. Future work shall be directed toward the design of experimental setups, evaluating the feasibility and performance of each signal, and comparing the different signals in terms of performance, usability and cost, and service coverage.

## **7. References**

Enhanced Loran (eLoran) Definitions Document (2007). International Loran Association. URL: *http://www.loran.org/ILAArchive*

52 Applied Cryptography and Network Security

Loran-C Signal Specifications (1994). United States Coast Guard (USCG), COMDTINST M15662.4A, May 1994.

Bahl, P. & Padmanabhan, V.N. (2000). RADAR: an in-building RF-based user location and tracking system, *Proceedings of IEEE INFOCOM 2000*, IEEE, Vol. 2 (2000), pp. 775-784.

Boyen, X. (2004). Reusable cryptographic fuzzy extractors, *Proceeding of the 11th ACM Conference on Computer and Communications Security*, ACM Press, pp. 82-91.

Chang, E. & Li, L. (2005). Small secure sketch for point-set difference, *Cryptology ePrint Archive*, Report 2005/145.

Dodis, Y.; Reyzin, L. & Smith, A. (2004). Fuzzy extractors: How to generate strong keys from biometrics and other noisy data, *Eurocrypt'04*, Springer-Verlag, Vol. 3027 of LNCS, pp. 523-540.

Hruska, J. (2008). Microsoft patent brings miss manners into the digital age, *Arstechnica Hardware news*, June 11, 2008.

Juels, A. & Sudan, M. (2002). A fuzzy vault scheme, *Proceeding of IEEE Intl. Symp. on Information Theory*, IEEE Press, pp. 408, Lausanne, Switzerland.

Juels, A. & Wattenberg, M. (1999). A fuzzy commitment scheme, *Sixth ACM Conference on Computer and Communications Security*, ACM Press, pp. 28-36, 1999.

Lee, D.; Best, S.; Hanna, D. & Rosario, E. (2009). A miniature Loran H-field antenna for low-profile conformal hybrid applications, *Proceeding of ION ITM 2009*, Institute of Navigation, Jan. 2009, Anaheim, California, United States.

Lo, S.; Wenzel, R.; Johnson, G. & Enge, P. (2008). Assessment of the methodology for bounding Loran temporal ASF for aviation, *Proceeding of ION NTM 2008*, Institute of Navigation, Jan. 28-30, 2008, San Diego, California, United States.

Perrig, A.; Canetti, R.; Tygar, J.D. & Song, D. (2002). The TESLA broadcast authentication protocol, *CryptoBytes*, 5:2, Summer/Fall 2002, pp. 2-13.

Qiu, D.; Boneh, D.; Lo, S. & Enge, P. (2010). Reliable location-based services from radio navigation systems, *Sensors* 2010, 10, 11369-11389.

Qiu, D.; Lo, S.; Enge, P.; Boneh, D. & Peterson, B. (2007). Geoencryption using Loran, *Proceeding of ION NTM 2007*, Institute of Navigation, Sep. 25-28, 2007, San Diego, California, United States.

Qiu, D.; Lo, S. & Enge, P. (2008). A measure of Loran location information, *Proceeding of IEEE/ION PLANS 2008*, Institute of Navigation, May 6-8, 2008, Monterey, California, United States.

Roos, T.; Myllymaki, P.; Tirri, H.; Misikangas, P. & Sievanen, J. (2002). A probabilistic approach to WLAN user location estimation, *International Journal of Wireless Information Networks*, 9(3): 155-164, July 2002.

Schneier, B. (1996). *Applied Cryptography*, John Wiley & Sons, ISBN 0-471-11709-9.

Schneier, B. (2008). Kill switches and remote control, *A blog covering security and security technology*, July 1, 2008.

Scott, L. & Denning, D. (2003). A location based encryption technique and some of its applications, *Proceedings of ION NTM 2003*, Institute of Navigation, Jan. 22-24, 2003, Anaheim, California, United States.

Sullivan, B. (2007). The biggest data disaster ever, *MSNBC news*, Nov. 30th, 2007.

Swaszek, P.; Johnson, G.; Hartnett, R. & Lo, S. (2007). An investigation into the temporal correlation at the ASF monitor sites, *Proceedings of ILA 36th Annual Meeting 2007*, International Loran Association, Oct. 14-17, 2007, Orlando, Florida, United States.

## **Anonymous Authentication Protocols for Vehicular Ad Hoc Networks: An Overview**

Hu Xiong, Zhi Guan, Jianbin Hu and Zhong Chen

*Key Laboratory of Network and Software Security Assurance of the Ministry of Education, Institute of Software, School of Electronics Engineering and Computer Science, Peking University, P. R. China*

#### **1. Introduction**

According to car crash statistics, over six million motor vehicle crashes occur on U.S. highways each year. More than 42,000 people are killed in these accidents, which injure three million others and cost more than \$230 billion each year. Astonishingly, five people die every hour in these crashes in the United States, which is about one death every 12 minutes IVI (2001). In order to alleviate the threats of these crashes and improve the driving experience, car manufacturers and the telecommunication industry have made great efforts to equip each vehicle with wireless devices that allow vehicles to communicate with each other as well as with the roadside infrastructure located at critical points of the road, such as intersections or construction sites. Misener (2005); VII (2011). Technologies built on the 802.11p and IEEE 1609 standards, the 5.9 GHz Dedicated Short Range Communications (DSRC) protocols <sup>1</sup> DSRC (1999), are proposed to support advanced vehicle safety applications such as secure and effective vehicle-to-vehicle (V2V) (also known as Inter-Vehicle Communication (IVC)) and vehicle-to-infrastructure (V2I) communications, which are also known as Vehicle Safety Communications (VSC) technologies. As shown in Fig. 1, the wireless communication devices installed on vehicles, also known as onboard units (OBUs), and the roadside units (RSUs) form a self-organized Vehicular Ad Hoc Network (VANET) Lin (2008); Sun (2007). Furthermore, the RSUs are connected to the backbone network via high speed network connections. In this way, VANETs inherently provide a way to collect traffic and road information from vehicles, and to deliver road services including warnings and traffic information to users in the vehicles. Thus, increasing interest has recently been raised in VANET-based applications Bishop (2000), aiming to improve driving safety and traffic management by providing drivers and passengers with Internet access.

Fig. 1. Vehicular Ad Hoc Networks (figure labels: Base station, Mesh router, Wired connection, IEEE 802.11p, 802.16, Communication protocol)

<sup>1</sup> The United States Federal Communications Commission (FCC) has allocated in the USA 75 MHz of spectrum in the 5.9 GHz band for DSRC, and the European Telecommunications Standards Institute (ETSI) has allocated in Europe 30 MHz of spectrum in the 5.9 GHz band for Intelligent Transportation Systems, in October 1999 and August 2008, respectively.

Due to the open broadcasting of wireless communications and the high-speed mobility of the vehicles, extensive research efforts have been launched by academic institutions and industrial research labs several years ago to investigate key issues in VANETs, especially security and privacy preservation for mobile vehicles Calandriello *et al.* (2007); Chen *et al.* (2011); Daza *et al.* (2009); Hubaux *et al.* (2004); Kamat *et al.* (2006); Kounga *et al.* (2009); Li *et al.* (2008); Lin *et al.* (2007; 2008a;b); Lu *et al.* (2008; 2009; 2010); Mak *et al.* (2005); Plößl & Federrath (2008); Raya & Hubaux (2005; 2007); Sun *et al.* (2007; 2010a;b); Wasef *et al.* (2010); Wang *et al.* (2008); Wu *et al.* (2010); Xu *et al.* (2007); Xi *et al.* (2007; 2008); Xiong *et al.* (2010a;b); Zhang *et al.* (2008a;b). Obviously, any malicious behavior of a user, such as injecting beacons with false information or modifying and replaying previously disseminated messages, could be fatal to other users. Thus, identifying the message issuer is mandatory to reduce the risk of such attacks. Meanwhile, in order to protect user-related private information, such as the driver's name, the license plate, speed, position, and travelling routes along with their relationship, authentication in VANETs should be privacy-preserving.

It is natural to observe that achieving privacy and liability simultaneously are conflicting goals. On the one hand, a well-meaning OBU is willing to offer as much local information as possible to RSUs and other OBUs to create a safer driving environment, so long as its locations cannot be tracked. On the other hand, a misbehaving OBU may abuse the privacy protection mechanism to avoid legal responsibility when it is involved in a dispute involving safety messages<sup>2</sup>. Therefore, *conditional privacy-preserving authentication* should be fulfilled in VANETs, where a trusted authority can reveal the real identity of a targeted OBU in case of a traffic event dispute, even though the OBU itself is not traceable by the public.

<sup>2</sup> A safety message reports on the state of the sender vehicle, e.g., its location, speed, heading, etc.

This chapter surveys the literature on privacy issues in VANETs from different perspectives, and thus provides researchers with a better understanding of this primitive. This chapter does not propose or advocate any specific anonymous authentication mechanism. Even though some sections might point out vulnerabilities in certain classes of authentication protocols, our purpose is not to criticize, but to draw attention to these problems so that they might be solved.

The remainder of this chapter is organized as follows. Section 2 presents the attack model, security requirements and related VANET network architecture. All previous privacy-preserving protocols for VANETs are classified in Section 3, together with the basic cryptographic primitives. An example of a ring-signature-based anonymous authentication protocol built on bilinear pairing is given in Section 4. Section 5 discusses how to use the taxonomies. Section 6 concludes the chapter by stating some possible future research directions.

#### **2. Motivation**

#### **2.1 Attack model**

According to Lin (2008); Lin *et al.* (2007); Raya & Hubaux (2005; 2007); Sun *et al.* (2007), several possible security attacks in VANETs have been defined and are listed as follows:

Anonymous Authentication Protocols for Vehicular Ad Hoc Networks: An Overview 55

• Message modification attack: A message is altered during or after transmission. The adversary may wish to change the source or content of the message in terms of the position and/or time information that had been sent and saved in its device, notably in the case of an accident.

• Impersonation attack: The adversary may pretend to be another vehicle or even an RSU by using false identities to fool the others.

• RSU preemption/replication attack: An RSU may be compromised such that the adversary can relocate the compromised RSU to launch any malicious attack, such as broadcasting fake traffic information. Moreover, the adversary may illegally interrupt and manipulate traffic lights controlled by the corrupted RSU to get better traffic conditions.

• Denial of service (DoS) attack: The adversary injects irrelevant jamming and aggressive dummy messages to take up the channels and consume the computational resources of the other nodes, such as RF interference or jamming or layer 2 packet flooding.

• Movement tracking: Since wireless communication is on an openly shared medium, an adversary can easily eavesdrop on any traffic. After the adversary intercepts a significant amount of messages in a certain region, the adversary may trace a vehicle in terms of its physical position and moving patterns simply through information analysis. We assume that the attacker does not make use of cameras, physical pursuit, or onboard tracking devices to reveal the identity of his target; otherwise, the tracking problem becomes simpler but also more expensive and limited to a few specific targets.

It is natural to observe that achieving privacy and liability simultaneously is conflicting goal. On one aspect, a well-meaning OBU is willing to offer as much local information as possible to RSUs and other OBUs to create a safer driving environment so long as its locations cannot be tracked. And on the other, a misbehaving OBU may abuse the privacy protection mechanism to avoid legal responsibility when it involved in a dispute involving safety messages 2attempts. Therefore, the *conditional privacy-preserving authentication* should be fulfilled in VANETs where a trusted authority can reveal the real identity of targeted OBU in case of a traffic event dispute, even though the OBU itself is not traceable by the public. This chapter surveys the literature on privacy issues in VANETs from different perspectives, and thus provides researchers with a better understanding of this primitive. This chapter does not propose or advocate any specific anonymous authentication mechanisms. Even though some sections might point out vulnerabilities in certain classes of authentication protocols, our purpose is not to criticize, but to draw attention to these problems so that they might be

The remainder of this chapter is organized as follows. Section 2 presents attack model, security requirements and related VANETs network architecture. All previous privacy-preserving protocols for VANETs are classified in Section 3, together with the basic cryptographic primitives. An example of Ring-signature based anonymous authentication protocol based on bilinear pairing are given in Section 4. Section 5 discusses how to use the taxonomies.

According to Lin (2008); Lin *et al.* (2007); Raya & Hubaux (2005; 2007); Sun *et al.* (2007), several

• Fake information attack: The adversary may diffuse bogus messages to affect the behavior of others. For instance, in order to divert traffic from a given road, one may send a fake

• Message replay attack: The adversary replays the valid messages sent by a legitimate user

<sup>2</sup> A safety message reports on the state of the sender vehicle, e.g., its location, speed, heading, etc.

Section 6 concludes the paper by stating some possible future research directions.

possible security attacks in VANETs have been defined and listed as follows:

relationship, authentication in VANETs should be privacy-preserving.

solved.

**2. Motivation**

**2.1 Attack model**

traffic jam message to the others.

some time before in order to disturb the traffic.


Anonymous Authentication Protocols for Vehicular Ad Hoc Networks: An Overview 57

#### **2.2 Security requirements**

To counter and mitigate the potential threats in the aforementioned attack model, a security system for safety messaging in a VANET should satisfy the following requirements.

1. *Efficient anonymous authentication of safety messages*: The security system should provide an *efficient* and *anonymous* message authentication mechanism. First of all, all accepted messages should be delivered unaltered, and the origin of the messages should be authenticated to guard against impersonation attacks. Meanwhile, from the point of view of vehicle owners, it may not be acceptable to leak personal information, including identity and location, to unauthorized observers while authenticating messages. Therefore, providing secure yet anonymous message authentication is critical to the applicability of VANETs. Furthermore, considering the limited storage and computation resources of OBUs, the authentication scheme should have low overheads for safety message verification and storage.

2. *Efficient tracking of the source of a disputed safety message*: An important and challenging issue in these conditions is enabling a trusted third party (such as police officers) to retrieve a vehicle's real identity from its pseudo identity. If this feature is not provided, anonymous authentication can only prevent an outside attack, but cannot deal with an inside one. Furthermore, the system should not only provide safety message traceability to prevent inside attacks, but also have reasonable overheads for revealing the identity of a message sender.

3. *Threshold authentication* Chen *et al.* (2011); Daza *et al.* (2009); Kounga *et al.* (2009); Wu *et al.* (2010): A message is viewed as trustworthy only after it has been endorsed by at least *n* vehicles, where *n* is a threshold. The threshold mechanism is an *a priori* countermeasure that improves the confidence of other vehicles in a message. In addition, the threshold in the proposed scheme should be adaptive, that is to say, the sender can dynamically change the threshold according to the traffic context and scenario.

4. *Confidentiality* Kamat *et al.* (2006); Li *et al.* (2008); Plößl & Federrath (2008); Wang *et al.* (2008): Some research teams have pointed out that the privacy of the communication content should be protected against unauthorized observers. While confidentiality of the communicated message is negligible in most cases, it is crucial e.g. for services subject to costs. Besides application data, administrative messages such as routing protocol information or messages containing cryptographic material, as well as the cryptographic information held by participants or centralized instances, should also be protected against unauthorized access.

#### **2.3 Network model**

Similar to previous work Calandriello *et al.* (2007); Chen *et al.* (2011); Daza *et al.* (2009); Hubaux *et al.* (2004); Kamat *et al.* (2006); Kounga *et al.* (2009); Li *et al.* (2008); Lin *et al.* (2007; 2008a;b); Lu *et al.* (2008; 2009; 2010); Mak *et al.* (2005); Plößl & Federrath (2008); Raya & Hubaux (2005; 2007); Sun *et al.* (2007; 2010a;b); Wasef *et al.* (2010); Wang *et al.* (2008); Wu *et al.* (2010); Xu *et al.* (2007); Xi *et al.* (2007; 2008); Xiong *et al.* (2010a;b); Zhang *et al.* (2008a;b), the security system should include at least three types of entities: the top Trusted Authority (TA), the immobile RSUs at the roadside, and the moving vehicles equipped with on-board units (OBUs).

• OBU: A vehicle cannot join the VANET unless it registers its own public system parameters and the corresponding private key with the TA. The secret information, such as the private keys to be used, generates the need for a tamper-proof device in each vehicle. According to existing works, only authorized parties can access this tamper-proof device. OBUs are mobile and moving most of the time. When the OBUs are on the road, they regularly broadcast routine safety messages, such as position, current time, direction, speed, traffic conditions and traffic events. The information system on each vehicle aggregates and diffuses these messages to enable drivers to form a better awareness of their environment (Fig. 2). The assumed communication protocol between neighbouring OBUs (IVC) or between an OBU and an RSU (V2I) is 5.9 GHz Dedicated Short Range Communication (DSRC) DSRC (1999), IEEE 802.11p.

• RSU: The RSUs, which are subordinate to the TA, form a wireless multi-hop mesh network (mesh mode in WiMAX) aiming to extend the wireless coverage and increase network robustness and throughput. Some of these RSUs are connected to the backbone networks with wired connections or to the WiMAX base stations with wireless connections. Vehicles and passengers can gain access to the Internet for a short moment when passing any of the RSUs by communicating with it. Thus, the RSUs should be able to perform fast handoff in order to support basic Internet services such as e-mail and TCP applications. We remark that the handoff process should be predictive when the moving pattern and speed of the vehicle are given. In addition, the RSUs should work as gateways which also support the 802.11p protocol and can transform the safety messages broadcast by the vehicles into IP packets. With the support of RSUs, the workload of the vehicles is reduced. Otherwise, the vehicles need to send multiple copies of safety messages in different formats: one to the other vehicles with 802.11p, and one to the base stations with 802.16e. Different from the vehicles, we assume that RSUs have neither computation and energy constraints nor buffer size constraints.

• TA: The TA is in charge of the registration of all RSUs and of the OBUs each vehicle is equipped with. The TA can reveal the real identity of a safety message sender in cooperation with its subordinate RSUs. To this end, the TA requires ample computation and storage capability; the TA cannot be compromised and is fully trusted by all parties in the system.

The network dynamics are characterized by quasi-permanent mobility, high speed, and (in most cases) short connection times between neighbouring vehicles or between a vehicle and a roadside infrastructure network access point.

Fig. 2. VANETs Architecture

#### **3. Taxonomy of privacy-preserving authentication protocols for VANETs**

#### **3.1 RSU-based approach**

Zhang *et al.* (2008a;b) presented a novel RSU-aided message authentication scheme (RSUB), in which the RSUs are responsible for validating the authenticity of messages sent from vehicles and for sending the results back to peer vehicles. Compared to solutions without support from RSUs, this kind of scheme enables lower computation and communication overheads for each vehicle. Independently, Lu *et al.* (2008) introduced another anonymous authentication protocol for VANETs based on generating on-the-fly short-lived anonymous keys for the communication between vehicles and RSUs. These keys enable fast anonymous authentication and conditional privacy. All of these schemes employ RSUs to assist vehicles in authenticating messages. To keep a centralized certificate issuer from being a bottleneck, an RSU is allowed to issue certificates for the vehicles. However, this brings a privacy risk when an RSU is compromised by the adversary. Once the service records of an RSU are leaked, it is easy for the adversary to link the pseudonymous certificates that a vehicle has obtained from the compromised RSU. In particular, as the number of compromised RSUs increases, this may give the adversary a way to reconstruct the movement trace of the target vehicles. Moreover, relying on the roadside infrastructure for safety message authentication is a precarious solution: while these messages enable critical assisted-driving features, the roadside infrastructure will likely offer only partial coverage (for example during the deployment stage, for economic considerations, or simply due to physical damage).

#### **3.2 Group-oriented signature-based approach**

#### **3.2.1 Group signature-based scheme**

In Chaum & Hevst (1991), Chaum and van Heyst proposed a new type of signature scheme for a group of entities, called group signatures. Such a scheme allows a group member to sign a message on the group's behalf such that everybody can verify the signature but no one can find out which group member produced it. However, there is a trusted third party, called the group manager, who can reveal the identity of the originator of a signature in the case of a later dispute. This act is referred to as "opening" a signature, or as revocation of the signer's anonymity. The group manager can either be a single entity or a coalition of several entities (e.g., group members). Dozens of group signature schemes Boneh *et al.* (2004); Boneh & Shacham (2004); Chaum & Hevst (1991); Nakanishi & Funabiki (2005) have been proposed since 1991 owing to these attractive features.

Lin *et al.* (2007; 2008a); Sun *et al.* (2007) proposed the group signature based (GSB) protocol, built on the efficient group signature of Boneh *et al.* (2004). With GSB, each vehicle stores only a private key and a group public key. Messages are signed using the group signature scheme without revealing any identity information to the public. Thus privacy is preserved, while the trusted authority is still able to expose the identity of a sender. However, the time for safety message verification grows linearly with the number of revoked vehicles in the revocation list of the entire network, so each vehicle has to spend additional time on safety message verification. Furthermore, when the number of revoked vehicles in the revocation list exceeds some threshold, the protocol requires every remaining vehicle to calculate a new private key and group public key based on the exhaustive list of revoked vehicles whenever a vehicle is revoked. Lin *et al.* (2007; 2008a); Sun *et al.* (2007) do not explore solutions for effectively updating the system parameters of the participating vehicles in a timely, reliable and scalable fashion. This unexplored issue represents an important obstacle to the success of this scheme.

#### **3.2.2 Ring signature-based scheme**


The ring signature scheme, introduced by Rivest, Shamir and Tauman Rivest *et al.* (2001), offers two main properties: anonymity and spontaneity. In practice, anonymity in a ring signature means 1-out-of-*n* signer verifiability: a verifier learns only that one of the *n* ring members signed, which lets the signer remain anonymous within a "ring" of diverse signers. Spontaneity is the property that distinguishes ring signatures from group signatures Boneh *et al.* (2004); Chaum & Hevst (1991). In a group signature, the anonymity of the real signer can be revoked by a group manager, who also has absolute control over the formation of the group; a ring signature has no group manager at all, so no one can revoke the signer's anonymity, and the real signer can form a ring arbitrarily without being controlled by any other party. Since Rivest *et al.*'s scheme, many ring signature schemes have been proposed Abe *et al.* (2002); Bresson *et al.* (2002); Dodis *et al.* (2004); Wong *et al.* (2003); Xiong *et al.* (2009; 2011). In 2007, Liu *et al.* (2007) introduced a new variant of the ring signature, called the revocable ring signature. This scheme allows a real signer to form a ring arbitrarily while allowing a set of authorities to revoke the anonymity of the real signer. In other words, the real signer is held responsible for what has been signed, as the anonymity is revocable by the authorities, while the real signer still has full freedom in ring formation.

To address the scalability concern in Lin *et al.* (2007), Xiong *et al.* (2010a) proposed a spontaneous protocol based on the revocable ring signature of Liu *et al.* (2007), which allows a vehicle to generate the message without requiring online assistance from the RSUs or other vehicles. In this solution, the remaining vehicles are not required to update their system parameters regardless of the number of revoked vehicles. However, this protocol suffers a larger communication overhead than the other protocols, because the length of a ring signature grows with the size of the ring. Furthermore, Xi *et al.* (2007; 2008) also introduced a random key-set-based authentication protocol to preserve the vehicle's privacy based on ring signatures. However, this solution only provides unconditional anonymity, without an effective and efficient mechanism to reveal message senders' identities when necessary.
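To make the two properties above concrete, here is an added example (written for this survey; not code from Rivest *et al.*, Liu *et al.*, Xi *et al.* or Xiong *et al.*) of a plain 1-out-of-*n* ring signature in the discrete-logarithm style of Abe *et al.* (2002). Each vehicle holds a key pair; any member signs on behalf of an arbitrarily chosen ring of public keys with no manager involved (spontaneity); verification walks through every member's key; the signature carries one scalar per member, so its size grows linearly with the ring (the overhead noted for Xiong *et al.* (2010a)); and nothing in it lets anyone, including an authority, identify the signer (the unconditional anonymity noted for Xi *et al.*). The group construction, the Mersenne-prime subgroup order and the toy key size are assumptions chosen so the demo runs instantly; a deployment would use a standard curve.

```python
"""1-out-of-n discrete-log ring signature over a prime-order subgroup of Z_p^*.
Example code added to this survey; not taken from any cited scheme."""
import hashlib
import secrets

# Subgroup order: the Mersenne prime 2^127 - 1 (toy size; assumption for the demo only).
Q = (1 << 127) - 1


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, used once to find a prime p = k*Q + 1."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_group():
    """Return (p, g): p = k*Q + 1 prime, g = h^k a generator of the order-Q subgroup."""
    k = 2
    while True:
        p = k * Q + 1
        if _is_probable_prime(p):
            for h in range(2, 64):
                g = pow(h, k, p)
                if g != 1:
                    return p, g
        k += 2  # even k keeps p odd


P, G = _find_group()
_LEN = (P.bit_length() + 7) // 8


def keygen():
    """Per-vehicle key pair: secret x, public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(ring, message, point):
    """c = H(ring || m || point) in Z_Q; hashing the ring fixes the anonymity set."""
    h = hashlib.sha256()
    for y in ring:
        h.update(y.to_bytes(_LEN, "big"))
    h.update(message)
    h.update(point.to_bytes(_LEN, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def ring_sign(message, ring, k, x_k):
    """Member k (holding x_k for ring[k]) signs on behalf of the whole ring."""
    n = len(ring)
    c, s = [0] * n, [0] * n
    r = secrets.randbelow(Q - 1) + 1
    c[(k + 1) % n] = _challenge(ring, message, pow(G, r, P))
    i = (k + 1) % n
    while i != k:                              # every non-signer gets a random s_i
        s[i] = secrets.randbelow(Q)
        z = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        c[(i + 1) % n] = _challenge(ring, message, z)
        i = (i + 1) % n
    s[k] = (r - x_k * c[k]) % Q                 # only x_k can close the ring here
    return c[0], s                              # nothing in (c_0, s) identifies k


def ring_verify(message, ring, sig):
    """Recompute the chain of challenges around the ring; it must close on c_0."""
    c0, s = sig
    if len(s) != len(ring):
        return False
    c = c0
    for y_i, s_i in zip(ring, s):
        c = _challenge(ring, message, pow(G, s_i, P) * pow(y_i, c, P) % P)
    return c == c0


def signature_bytes(sig):
    """Encoded size: one challenge plus one s_i per member, i.e. linear in the ring size."""
    return (1 + len(sig[1])) * ((Q.bit_length() + 7) // 8)


if __name__ == "__main__":
    keys = [keygen() for _ in range(5)]
    pubs = [y for _, y in keys]
    sig = ring_sign(b"hard braking at km 12", pubs, 3, keys[3][0])
    print(ring_verify(b"hard braking at km 12", pubs, sig), signature_bytes(sig))
```

The verifier sees only the ring of public keys and the scalars; a revocable variant such as Liu *et al.* (2007) would additionally embed an encryption of the signer's position that a designated authority can open, which is exactly what this plain construction lacks.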

MAC tag to it. This MAC tag is derived using the next corresponding MAC key in the hash chain based on negotiated key disclosure delay schedule between the sender and the receiver. Obviously, upon receiving the packet, the receiver can ˛a´rt verify the authenticity of the packet yet. After key disclosure delay, the sender discloses MAC key, and then the receiver is able to authenticate the message after verifying the released MAC key is indeed the corresponding element of the chain. One requirement for TESLA scheme is the loose synchronization among

Anonymous Authentication Protocols for Vehicular Ad Hoc Networks: An Overview 61

Lin *et al*. Lin *et al.* (2008b) developed the 'time-efficient and secure vehicular communication' scheme (TSVC) based on the Timed Efficient Stream Loss-tolerant Authentication (TESLA) standard (RFC 4082) Perrig *et al.* (2002a). With TSVC, a vehicle first broadcasts a commitment of hash chain to its neighbors and then uses the elements of the hash chain to generate a message authentication code (MAC) with which other neighbors can authenticate this vehicles' following messages. Because of the fast speed of MAC verification, the computation overhead of TSVC is reduced significantly. However, TSVC also requires a huge set of anonymous public/private key pairs as well as their corresponding public key certificates to be preloaded in each vehicle. Furthermore, TSVC may not be robust when the traffic becomes extremely dynamic as a vehicle should broadcast its key chain commitment much

Proxy re-signature schemes, introduced by Blaze, Bleumer, and Strauss Blaze *et al.* (1998), and formalized later by Ateniese and Hohenberger Ateniese & Hohenberger (2005), allow a semi-trusted proxy to transform a delegatee ˛a´rs signature into a delegator ˛a´rs signature on the same message by using some additional information. Proxy re-signature can be used to implement anonymizable signatures in which outgoing messages are first signed by specific users. Before releasing them to the outside world, a proxy translates signatures into ones that verify under a system's public key so as to conceal the original issuer's identity and the internal structure of the organization. Recently, Libert et al. Libert & Vergnaud (2008) have introduced the first *multi-hop unidirectional* proxy re-signature scheme wherein the proxy can only translate signatures in one direction and messages can be resigned a polynomial number

The size of the certificate revocation list (CRL) and the checking cost are two important performance metrics for the revocation mechanism in VANETs. Unfortunately, the pseudonymous authentication schemes are prone to generating a huge CRL, whereas the checking cost in the group-signature-based schemes is unacceptable for the vehicles with limited computation power. Since the CRL is usually transmitted by vehicle-to-vehicle communication, the quick increase of the CRL in the pseudonymous authentication schemes brings large communication cost. Moreover, the larger the CRL size, the longer the transmission delay to all vehicles, and during this period, the misbehaving vehicles can compromise VANETs continually. Sun et al. Sun *et al.* (2010a;b) proposed an efficient authentication protocol which supports RSU-aided distribution certificate service that allows a vehicle to update its certificate set from an RSU on the road based on the proxy re-signature Libert & Vergnaud (2008). In their scheme, the vehicle only needs to request the re-signature keys from an RSU and re-sign numbers of the certificates issued by the TA to be the same as those issued by the RSU itself, and thus significantly reduces the revocation cost and the

the nodes. The disadvantage is the delayed message authentication.

more frequently.

of times.

**3.3.3 Proxy re-signature-based scheme**

#### **3.2.3** *k***-TAA-based scheme**

In a *k*-times anonymous authentication (*k*-TAA) system Teranisi *et al.* (2004), participants are a group manager (GM), a number of application providers (AP) and a group of users. The GM registers users into the group and each AP independently announces the number of times a user can access his application. A registered user can then be anonymously authenticated by APs within their allowed numbers of times (*k* times) and without the need to contact the GM. Dishonest users can be traced by anyone while no one, even the GM or APs, can identify honest users or link two authentication executions performed by the same user. Finally no one, even the GM, is able to successfully impersonate an honest user to an AP. In *dynamic k*-TAA Nguyen & Safavi-Naini (2005), APs have more control over granting and revoking access to their services and so have the required control on their clients.

Sun *et al.* Sun & Fang (2009); Sun *et al.* (2010c) proposed a new misbehavior defense technique leveraging the idea of dynamic revocation, to provide a means of limiting the impact of misbehavior by adjusting it to an acceptable level during the vulnerable period existing in the automatic revocation technique based on *dynamic k*-TAA. However, the downside of Sun *et al.*'s scheme is obviously the lack of capability to trace misbehaving users.

#### **3.3 Pseudonyms-based approach**

#### **3.3.1 Basic scheme**

Raya *et al*.Raya & Hubaux (2005; 2007) introduced the large number of anonymous key based (LAB) protocol. Their key idea is to install on each OBU a large number of private keys and their corresponding anonymous certificates. To sign each launched message, a vehicle randomly selects one of its anonymous certificates and uses its corresponding private key. The other vehicles use the public key of the sender enclosed with the anonymous certificate to authenticate the source of the message. These anonymous certificates are generated by employing the pseudo-identity of the vehicles, instead of taking any real identity information of the drivers. Each certificate has a short life time to meet the drivers'privacy requirement. Although LAB protocol can effectively meet the conditional privacy requirement, it is inefficient and may become a scalability bottleneck. The reason is that a sufficient numbers of certificates must be issued to each vehicle to maintain anonymity over a significant period of time. (Raya *et al*.Raya & Hubaux (2005; 2007) suggest using *large pseudo* certificates for each vehicle). As a result, the certificate database to be searched by the TRC in order to match a compromised certificate to its owner's identity is huge. In addition, the protocols of Raya & Hubaux (2007) are extended for providing confidentiality in specific scenarios of VANET implementations in Wang *et al.* (2008).

#### **3.3.2 TESLA-based scheme**

TESLA is an efficient and message-loss tolerant protocol for broadcast authentication with low communication and computation overhead Perrig *et al.* (2002a). It is widely used in sensor networks Perrig *et al.* (2002b). It uses a one-way hash chain whose elements are the secret keys used to compute message authentication codes (MACs). With TESLA, a sender sends data packets on a predefined schedule, which is known in advance to the receivers, together with a commitment to the hash chain (the key commitment). Each hash chain element, used as a MAC key, corresponds to a certain time interval. For each packet, the sender attaches a MAC tag derived with the MAC key of the corresponding interval in the hash chain, according to the key disclosure delay schedule negotiated between the sender and the receiver. Upon receiving the packet, the receiver cannot verify the authenticity of the packet yet. After the key disclosure delay, the sender discloses the MAC key, and the receiver is then able to authenticate the message after verifying that the released MAC key is indeed the corresponding element of the chain. One requirement of the TESLA scheme is loose time synchronization among the nodes. The disadvantage is the delayed message authentication.

Lin *et al.* (2008b) developed the 'time-efficient and secure vehicular communication' scheme (TSVC) based on the Timed Efficient Stream Loss-tolerant Authentication (TESLA) standard (RFC 4082) Perrig *et al.* (2002a). With TSVC, a vehicle first broadcasts a commitment to its hash chain to its neighbors and then uses the elements of the hash chain to generate message authentication codes (MACs) with which the neighbors can authenticate this vehicle's subsequent messages. Because MAC verification is fast, the computation overhead of TSVC is reduced significantly. However, TSVC also requires a huge set of anonymous public/private key pairs as well as their corresponding public key certificates to be preloaded in each vehicle. Furthermore, TSVC may not be robust when the traffic becomes extremely dynamic, as a vehicle then has to broadcast its key chain commitment much more frequently.
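The delayed-disclosure mechanism described above, as an added Python example that is not part of the chapter and not TESLA's or TSVC's own code: the sender builds a one-way hash chain, MACs each interval's packet under that interval's key and discloses the previous key one interval later; the receiver enforces the timing security condition, verifies every disclosed key against the commitment, and authenticates the packets it buffered, deriving the keys of intervals whose packets were lost. Interval numbers stand in for the loosely synchronised clocks; the seed, the beacon texts and the forged packet are constructed values.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def hash_chain(seed: bytes, n: int) -> list:
    """One-way chain: K[n] = seed, K[i] = H(K[i+1]); K[0] is the commitment handed to receivers."""
    chain = [b""] * (n + 1)
    chain[n] = seed
    for i in range(n - 1, -1, -1):
        chain[i] = H(chain[i + 1])
    return chain


class TeslaSender:
    def __init__(self, seed: bytes, n_intervals: int, delay: int):
        self.chain = hash_chain(seed, n_intervals)
        self.d = delay  # key disclosure delay, in intervals

    def commitment(self) -> bytes:
        return self.chain[0]

    def send(self, i: int, payload: bytes):
        """Packet of interval i: MAC under K_i, plus K_{i-d} disclosed (K_0 is already public)."""
        disclosed = self.chain[i - self.d] if i - self.d >= 1 else None
        return (i, payload, mac(self.chain[i], payload), disclosed)


class TeslaReceiver:
    def __init__(self, commitment: bytes, delay: int):
        self.keys = {0: commitment}  # interval -> verified chain element
        self.d = delay
        self.pending = {}            # interval -> [(payload, tag)] waiting for the key
        self.verified = []           # payloads whose MAC checked out

    def receive(self, pkt, now: int) -> bool:
        """now: the receiver's (loosely synchronised) estimate of the sender's current interval."""
        i, payload, tag, disclosed = pkt
        # Security condition: K_i must still be secret, i.e. the sender cannot have disclosed it yet.
        if now >= i + self.d:
            return False
        self.pending.setdefault(i, []).append((payload, tag))
        if disclosed is not None:
            self._learn_key(i - self.d, disclosed)
        return True

    def _learn_key(self, j: int, key: bytes) -> None:
        latest = max(self.keys)
        if j <= latest:
            return
        # Walk from the claimed K_j down to the last verified element; the intermediate
        # elements recover keys whose packets were lost (message-loss tolerance).
        derived, k = {j: key}, key
        for idx in range(j - 1, latest - 1, -1):
            k = H(k)
            derived[idx] = k
        if not hmac.compare_digest(derived.pop(latest), self.keys[latest]):
            return  # not on the committed chain: forged disclosure, ignore it
        self.keys.update(derived)
        for idx in sorted(derived):
            for payload, tag in self.pending.pop(idx, []):
                if hmac.compare_digest(mac(derived[idx], payload), tag):
                    self.verified.append(payload)


def demo():
    """Constructed run: five beacons, one lost, one forged, one replayed after its key went public."""
    sender = TeslaSender(b"constructed secret seed", n_intervals=5, delay=1)
    rx = TeslaReceiver(sender.commitment(), delay=1)
    pkts = {i: sender.send(i, b"beacon %d" % i) for i in range(1, 6)}
    rx.receive(pkts[1], now=1)
    rx.receive(pkts[2], now=2)   # discloses K_1: beacon 1 is now authenticated
    # pkts[3] is lost in transit, and with it the disclosure of K_2
    forged = (4, b"forged", mac(b"attacker guess", b"forged"), None)
    rx.receive(forged, now=4)    # buffered for now; fails once K_4 is known
    rx.receive(pkts[4], now=4)   # discloses K_3; K_2 = H(K_3) is derived, so beacon 2 is authenticated
    rx.receive(pkts[5], now=5)   # discloses K_4: beacon 4 authenticated, the forgery rejected
    late = rx.receive(pkts[2], now=5)  # replay after K_2 is public: refused by the timing check
    return rx.verified, late
```

The two checks that carry the security argument are the timing condition in `receive` (a packet whose key may already be public is dropped before it is even buffered, which is why loose synchronization is a requirement) and the chain walk in `_learn_key` (a disclosed key is trusted only if hashing it forward reaches an element already anchored to the commitment). Beacon 5 stays buffered at the end of `demo` because its key is never disclosed within the run, which is the delayed-authentication cost the paragraph mentions.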

#### **3.3.3 Proxy re-signature-based scheme**


Proxy re-signature schemes, introduced by Blaze, Bleumer and Strauss (Blaze *et al.* (1998)) and formalized later by Ateniese and Hohenberger (Ateniese & Hohenberger (2005)), allow a semi-trusted proxy to transform a delegatee's signature into a delegator's signature on the same message by using some additional information. Proxy re-signatures can be used to implement anonymizable signatures, in which outgoing messages are first signed by specific users. Before releasing them to the outside world, a proxy translates the signatures into ones that verify under the system's public key, so as to conceal the original issuer's identity and the internal structure of the organization. Recently, Libert & Vergnaud (2008) introduced the first *multi-hop unidirectional* proxy re-signature scheme, wherein the proxy can only translate signatures in one direction and messages can be re-signed a polynomial number of times.

The size of the certificate revocation list (CRL) and the checking cost are two important performance metrics for the revocation mechanism in VANETs. Unfortunately, the pseudonymous authentication schemes are prone to generating a huge CRL, whereas the checking cost in the group-signature-based schemes is unacceptable for vehicles with limited computation power. Since the CRL is usually transmitted by vehicle-to-vehicle communication, the quick growth of the CRL in the pseudonymous authentication schemes brings a large communication cost. Moreover, the larger the CRL, the longer the transmission delay to all vehicles, and during this period the misbehaving vehicles can keep compromising the VANET. Sun *et al.* (2010a;b) proposed an efficient authentication protocol which supports an RSU-aided distributed certificate service that allows a vehicle to update its certificate set from an RSU on the road, based on the proxy re-signature of Libert & Vergnaud (2008). In their scheme, the vehicle only needs to request the re-signature keys from an RSU and re-sign a number of the certificates issued by the TA so that they become certificates issued by the RSU itself, which significantly reduces the revocation cost and the certificate updating overhead. However, their scheme also relies on the RSUs, which only cover part of the highway or city roads during the deployment stage.

Anonymous Authentication Protocols for Vehicular Ad Hoc Networks: An Overview 63

| Class | Protocols |
|---|---|
| GSBS | Lin *et al.* (2007; 2008a), Sun *et al.* (2007), Xiong *et al.* (2010a), Xi *et al.* (2007; 2008), Sun & Fang (2009), Sun *et al.* (2010c) |
| RSUS | Zhang *et al.* (2008a;b), Lu *et al.* (2008) |
| PBS | Raya & Hubaux (2005; 2007), Lin *et al.* (2008b), Sun *et al.* (2010a;b), Li *et al.* (2008), Plößl & Federrath (2008), Kamat *et al.* (2006), Wang *et al.* (2008) |
| *Priori*-based | Kounga *et al.* (2009), Daza *et al.* (2009), Wu *et al.* (2010) |

GSBS: Group-oriented signature based scheme; RSUS: RSU based scheme; PBS: Pseudonyms-based scheme

Table 1. Summary of related protocols (the original table also has the columns anonymous authentication, traceability and confidentiality; the per-protocol entries in those columns did not survive extraction, and the rows above are grouped by scheme class as in Sections 3.2 to 3.4)

#### **3.3.4 Confidentiality-oriented scheme**

The need for confidentiality in specific scenarios of VANET implementations has also been discussed in recent works Kamat *et al.* (2006); Li *et al.* (2008); Plößl & Federrath (2008); Wang *et al.* (2008). Specifically, in Wang *et al.* (2008) the protocols of Raya & Hubaux (2007) are extended: session keys for pairs of vehicles are established using the Diffie-Hellman key agreement protocol, while group session keys are established using the key transfer approach. These keys are used for both message authentication and confidentiality Wang *et al.* (2008). A lightweight authenticated key establishment scheme with privacy preservation and confidentiality to secure the communications in VANETs is proposed by Li *et al.* (2008). Meanwhile, two security frameworks for VANETs providing authentication, confidentiality, non-repudiation and message integrity have been proposed independently by Plößl & Federrath (2008) and Kamat *et al.* (2006). Nevertheless, all of these works Kamat *et al.* (2006); Li *et al.* (2008); Plößl & Federrath (2008); Wang *et al.* (2008) suffer from the same criticism as LAB: each OBU has to devote a large storage space to a huge number of anonymous key pairs.

#### **3.4** *Priori***-based approach**

By taking strict punitive action, a *posteriori* countermeasures can exclude some rational attackers, but they are ineffective against irrational attackers such as terrorists. Even for rational attackers, damage has already occurred when punitive action is taken. To reduce the damage to a bare minimum, the *priori* countermeasures have been proposed to prevent the generation of fake messages. In this approach, a message is not considered valid unless it has been endorsed by a number of vehicles above a certain threshold.

#### **3.4.1 Basic scheme**

Most recently, Kounga *et al.* (2009) proposed a solution that permits vehicles to verify the reliability of information received from anonymous origins. In this solution, each vehicle can generate its public/private key pairs by itself. However, the assumption of this solution is very restrictive in that additional hardware is needed on the OBU. Moreover, Chen & Ng (2010) showed that Kounga *et al.*'s scheme does not achieve the goals of authenticity of a message, privacy of drivers and vehicles, reliability of distributed information, and revocation of illegitimate vehicles.

After that, a proposal following the *priori* protection paradigm, based on threshold signatures, was presented by Daza *et al.* (2009). Nevertheless, to obtain anonymity, this protocol assumes that the OBU installed on a vehicle is removable and that multiple OBUs can alternatively be used with the same vehicle (just as several cards can be used within a cell phone at the same time). This assumption may enable a malicious adversary to mount the so-called Sybil attack: a vehicle using different anonymous key pairs from the corresponding OBUs can sign multiple messages to pretend that these messages were sent by different vehicles. Since multiple OBUs can be installed on the same vehicle, no one can find out whether all of these signatures come from the same vehicle or not.



#### **3.4.2 Group signature-based scheme**

A linkable group signature Nakanishi *et al.* (1999) is a variant of group signatures. In a linkable group signature, it is easy to tell that two group signatures were produced by the same signer, even though the signer remains anonymous. Linkable group signatures can thwart the Sybil attack but are not compatible with vehicle privacy due to the linkability of signer identities, i.e., the various message endorsements signed by a certain vehicle can be linked. Wu *et al.* (2010) proposed a novel protocol based on linkable group signatures, which is equipped with both *priori* and *posteriori* countermeasures. However, it faces the same adverse conditions as the GSB protocol, in which the verification time grows linearly with the number of revoked vehicles and every remaining vehicle needs to update its private key and group public key when the number of revoked vehicles is larger than some threshold.

#### **4. An example of ring-signature based anonymous authentication protocols**

In order to be self-contained, we give an example of a ring-signature based authentication protocol Xiong *et al.* (2010a), along with the notion of bilinear pairing, as follows.

#### **4.1 Bilinear pairing**

Note that the publication of an identity based encryption scheme Boneh & Franklin (2001) built on bilinear pairings has triggered a real upsurge in the popularity of pairings among cryptographers. Following Boneh and Franklin, many cryptosystems based on pairings have been proposed which would be hard to construct using more conventional cryptographic primitives. At this moment, pairing-based cryptography is a highly active field of research, with several hundred publications.

Let $\mathbb{G}_1$ denote an additive group of prime order $q$ and $\mathbb{G}_2$ be a multiplicative group of the same order. Let $P$ be a generator of $\mathbb{G}_1$, and $\hat{e}$ be a bilinear map $\hat{e} : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ with the following properties:

1. Bilinearity: for all $P, Q \in \mathbb{G}_1$ and $a, b \in \mathbb{Z}_q$, $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$.
2. Non-degeneracy: $\hat{e}(P, P) \neq 1_{\mathbb{G}_2}$.
3. Computability: it is efficient to compute $\hat{e}(P, Q)$ for all $P, Q \in \mathbb{G}_1$.

#### **4.2 Ring-signature based**

#### **4.2.1 System initialization**

Firstly, as described in section 2.3, we assume each vehicle is equipped with a tamper-proof device, which is secure against any compromise attempt in any circumstance. With the tamper-proof device on vehicles, an adversary cannot extract any data stored in the device, including key material, data and code. We assume that there is a trusted Transportation Regulation Center (TRC) which is in charge of checking the vehicle's identity, and of generating and pre-distributing the private keys of the vehicles. Prior to the network deployment, the TRC sets up the system parameters for each OBU as follows:

• Let $\mathbb{G}_1$, $\mathbb{G}_2$ be two cyclic groups of the same order $q$. Let $\hat{e} : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ be a bilinear map.
• The TRC first randomly chooses $x_{TRC} \in_R \mathbb{Z}_q$ as its private key, and computes $y_{TRC} = x_{TRC} P$ as its public key. The TRC also chooses a secure cryptographic hash function $H : \{0, 1\}^* \to \mathbb{Z}_q$.
• Each vehicle $V_i$ with real identity $RID_i$ generates its public/private key pair as follows:
  – The vehicle $V_i$ first chooses $x_i \in_R \mathbb{Z}_q$ as its private key, and computes $y_i = x_i P$ as its public key.
  – $V_i$ randomly selects an integer $t_i \in_R \mathbb{Z}_q$ to determine the verification information of $y_i$: $a_i = H(t_i P \parallel RID_i)$ and $b_i = (t_i + x_i \cdot a_i)$. Then $V_i$ sends $\{y_i, RID_i, a_i, b_i\}$ to the TRC.
  – After receiving $\{y_i, RID_i, a_i, b_i\}$, the TRC checks whether the following equation holds:

$$a_i \stackrel{?}{=} H((b_i P - a_i y_i) \parallel RID_i).$$

  If it holds, then $\{y_i, RID_i\}$ is identified as the valid public key and identity. Otherwise, it will be rejected. In the end, the TRC stores $(y_i, RID_i)$ in its records.
• Each vehicle is preloaded with the public parameters $\{\mathbb{G}_1, \mathbb{G}_2, q, y_{TRC}, H\}$. In addition, the tamper-proof device of each vehicle is preloaded with its private/public key pair $(x_i, y_i)$ and the corresponding anonymous certificates (these certificates are generated by taking the vehicle's pseudo-identity $ID_i$). Finally, the vehicle preloads the revocation list (RL) from the TRC.

#### **4.2.2 OBU safety message generation**

Vehicle $V_\pi$ signs the message $M$ before sending it out. Suppose $S = \{y_1, \cdots, y_n\}$ is the set of public keys collected by vehicle $V_\pi$; it defines the ring of unrevoked public keys. Note that the public key set $S$, collected and stored temporarily by $V_\pi$, is dynamic. We assume that all public keys $y_i$, $1 \le i \le n$, and their corresponding private keys $x_i$ are generated by the TRC, and that $\pi$ ($1 \le \pi \le n$) is the index of the actual message sender. In other words, as $V_\pi$ travels through the road network, the set of public keys collected by it keeps changing over time. Otherwise, a fixed set of public keys used by a vehicle may enable the adversary to infer its traveling trajectory. The signature generation algorithm $Sig(S, x_\pi, y_{TRC}, M)$ is carried out as follows.

1. Randomly select $r \in_R \mathbb{Z}_q$ and compute $R = rP$.
2. For $y_{TRC}$, compute $E_{TRC} = \hat{e}(y_\pi, y_{TRC})^{r}$.
3. Generate a non-interactive proof $SPK(1)$ as follows:

$$SPK\{\alpha : \{E_{TRC} = \hat{e}(R, y_{TRC})^{\alpha}\} \wedge \{\bigvee_{i \in [1,n]} y_i = \alpha P\}\}(M). \tag{1}$$

The signature $\sigma$ of $M$ with respect to $S$ and $y_{TRC}$ is $(R, E_{TRC})$ and the transcript of $SPK(1)$.

For clear presentation, we divide $SPK(1)$ into two components:

$$SPK\{\alpha : E_{TRC} = \hat{e}(R, y_{TRC})^{\alpha}\}(M), \tag{1a}$$

$$SPK\{\alpha : \bigvee_{i \in [1,n]} y_i = \alpha P\}(M). \tag{1b}$$

To generate a transcript of $SPK(1a)$, given $E_{TRC}$, $R$, $y_{TRC}$, the actual message sender indexed by $\pi$ proves the knowledge of $x_\pi$ such that $E_{TRC} = \hat{e}(R, y_{TRC})^{x_\pi}$ by releasing $(s, c)$ as the transcript such that

$$c = H(y_{TRC} \parallel R \parallel E_{TRC} \parallel \hat{e}(R, y_{TRC})^{s} E_{TRC}^{c} \parallel M).$$

This can be done by randomly picking $l \in_R \mathbb{Z}_q$ and computing

$$c = H(y_{TRC} \parallel R \parallel E_{TRC} \parallel \hat{e}(R, y_{TRC})^{l} \parallel M)$$

and then setting $s = l - c x_\pi \bmod q$.

To generate the transcript of $SPK(1b)$, given $S$, the actual message sender indexed by $\pi$, for some $1 \le \pi \le n$, proves the knowledge of $x_\pi$ out of the $n$ discrete logarithms $x_i$, where $y_i = x_i P$ for $1 \le i \le n$, without revealing the value of $\pi$. This can be done by releasing $(s_1, \cdots, s_n, c_1, \cdots, c_n)$ as the transcript such that $c_0 = \sum_{i=1}^{n} c_i \bmod q$ and

$$c_0 = H(S \parallel s_1 P + c_1 y_1 \parallel \cdots \parallel s_n P + c_n y_n \parallel M).$$

To generate this transcript, the actual message sender first picks randomly $l \in_R \mathbb{Z}_q$ and $s_i, c_i \in_R \mathbb{Z}_q$ for $1 \le i \le n$, $i \neq \pi$, then computes

$$c_0 = H(S \parallel s_1 P + c_1 y_1 \parallel \cdots \parallel s_{\pi-1} P + c_{\pi-1} y_{\pi-1} \parallel lP \parallel s_{\pi+1} P + c_{\pi+1} y_{\pi+1} \parallel \cdots \parallel s_n P + c_n y_n \parallel M)$$
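The registration check of 4.2.1 and the ring component $SPK(1b)$ of 4.2.2, as an added Python example that is not the chapter's or Xiong *et al.*'s code. It replaces the pairing groups with a toy Schnorr group (the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a safe prime $p = 2q + 1$ found at runtime), so $aP$ is written as modular exponentiation and the pairing clause $(1a)$ is omitted; $H$ is SHA-256 reduced modulo $q$, with length-prefixed concatenation standing in for $\parallel$. The closing step of the transcript generation, which the page does not show, is completed in the standard way: $c_\pi = c_0 - \sum_{i \neq \pi} c_i \bmod q$ and $s_\pi = l - c_\pi x_\pi \bmod q$. The identity strings, the message and the ring size are constructed values.

```python
import hashlib
import secrets

# Toy stand-in for G1 (additive in the chapter): the order-q subgroup of Z_p^* with
# p = 2q + 1. "aP" becomes pow(P, a, p) and "A + B" becomes A * B % p.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 40:
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(start: int = 1 << 70):
    """Return (p, q, P): safe prime p = 2q + 1 and P = 4 = 2^2, a generator of the order-q subgroup."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


def H(q: int, *parts) -> int:
    """H : {0,1}* -> Z_q; length-prefixing each part is the unambiguous '||'."""
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % q


def register_request(p, q, P, x, rid):
    """Vehicle side of 4.2.1: y = xP and (a, b) showing knowledge of x for RID."""
    y = pow(P, x, p)
    t = secrets.randbelow(q - 1) + 1
    a = H(q, pow(P, t, p), rid)
    b = (t + x * a) % q
    return y, a, b


def trc_check(p, q, P, y, rid, a, b) -> bool:
    """TRC side of 4.2.1: a == H((bP - a*y) || RID); bP - a*y equals tP only if b used y's secret."""
    tp = pow(P, b, p) * pow(pow(y, a, p), -1, p) % p
    return a == H(q, tp, rid)


def ring_sign(p, q, P, S, pi, x_pi, M: bytes):
    """Transcript of SPK(1b): knowledge of x_pi with y_pi = x_pi P for some y_pi in S, hiding pi."""
    n = len(S)
    l = secrets.randbelow(q - 1) + 1
    s = [secrets.randbelow(q) for _ in range(n)]
    c = [secrets.randbelow(q) for _ in range(n)]
    commitments = []
    for i in range(n):
        if i == pi:
            commitments.append(pow(P, l, p))                               # lP in the signer's slot
        else:
            commitments.append(pow(P, s[i], p) * pow(S[i], c[i], p) % p)   # s_i P + c_i y_i
    c0 = H(q, S, *commitments, M)
    # Closing step (standard completion, not printed on the page): fix c_pi so the challenges
    # sum to c0, then answer for the signer's slot with the real secret.
    c[pi] = (c0 - sum(c[i] for i in range(n) if i != pi)) % q
    s[pi] = (l - c[pi] * x_pi) % q
    return s, c


def ring_verify(p, q, P, S, M: bytes, sig) -> bool:
    """Recompute c0 from the released (s_i, c_i) and check it equals sum(c_i) mod q."""
    s, c = sig
    if len(s) != len(S) or len(c) != len(S):
        return False
    commitments = [pow(P, s[i], p) * pow(S[i], c[i], p) % p for i in range(len(S))]
    return H(q, S, *commitments, M) == sum(c) % q


def demo(n: int = 4, pi: int = 2):
    """Constructed scenario: n vehicles register with the TRC, vehicle pi signs a safety message."""
    p, q, P = make_group()
    xs = [secrets.randbelow(q - 1) + 1 for _ in range(n)]
    ring = []
    for i, x in enumerate(xs):
        y, a, b = register_request(p, q, P, x, f"RID-{i}")
        assert trc_check(p, q, P, y, f"RID-{i}", a, b)  # honest registration is accepted
        ring.append(y)
    M = b"constructed safety message: hard braking ahead"
    sig = ring_sign(p, q, P, ring, pi, xs[pi], M)
    ok = ring_verify(p, q, P, ring, M, sig)
    tampered = ring_verify(p, q, P, ring, M + b"!", sig)
    # Registration under someone else's public key: proof built with xs[0], key submitted is
    # vehicle 1's, so bP - a*y is not tP and the TRC rejects it.
    _, a_f, b_f = register_request(p, q, P, xs[0], "RID-0")
    forged = trc_check(p, q, P, ring[1], "RID-0", a_f, b_f)
    return ok, tampered, forged
```

Because the signer's slot contributes exactly $lP$ after the closing step, the released transcript has the same distribution whichever index $\pi$ was used, which is what hides the sender inside the ring; a verifier learns only that one of the $n$ secrets was known. The TRC check fails whenever the submitted $y$ does not match the secret used to form $(a, b)$, which is the property that stops a vehicle from registering another vehicle's public key under its own $RID$.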

message generator. The TRC then broadcasts $(y_\pi, RID_\pi)$ to all OBUs and each OBU adds $y_\pi$ into its local revocation list (RL).

Once a message is received, the receiving vehicle $V_j$, one of the group $G_{GNO}$, uses its group's shared secret key $\kappa_{GNO}$ to do the following with the ciphertext $(C_1, C_2)$:

1. Recover the session key $k_s \leftarrow b_1 / (b_0)^{\kappa_{GNO}}$.
2. Compute $D_{k_s}(C_2) = M \parallel \sigma \parallel GNO$ with the session key $k_s$, where $D_{k_s}(\cdot)$ denotes symmetric decryption with key $k_s$ and $\sigma = (c, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$.
3. Check whether $c \in \{0, 1\}^{k}$, $s_1 \in \pm\{0, 1\}^{\varepsilon(\gamma_2 + k) + 1}$, $s_2 \in \pm\{0, 1\}^{\varepsilon(\lambda_2 + k) + 1}$, $s_3 \in \pm\{0, 1\}^{\varepsilon(\lambda_1 + 2l_p + k + 1) + 1}$, $s_4 \in \pm\{0, 1\}^{\varepsilon(2l_p + k) + 1}$ and $T_1, T_2, T_3 \in \mathbb{Z}_n$.
4. Accept the signature if and only if $c = H(g \parallel h \parallel y \parallel a_0 \parallel a \parallel T_1 \parallel T_2 \parallel T_3 \parallel d'_1 \parallel d'_2 \parallel d'_3 \parallel d'_4 \parallel M \parallel C_1)$, where $d'_1, \ldots, d'_4$ are computed by the following equations:

$$d'_1 = a_0^{c}\, T_1^{s_1 - c 2^{\gamma_1}} \big/ \big(a^{s_2 - c 2^{\lambda_1}}\, y^{s_3}\big) \bmod n, \qquad d'_2 = T_2^{s_1 - c 2^{\gamma_1}} \big/ g^{s_3} \bmod n,$$

$$d'_3 = T_2^{c}\, g^{s_4} \bmod n, \qquad d'_4 = T_3^{c}\, g^{s_1 - c 2^{\gamma_1}}\, h^{s_4} \bmod n.$$

A membership tracing operation is performed when solving a dispute, where the real $ID_i$ of the signature generator is desired. The $MM$ first decrypts $(T_1, T_2)$ in a decrypted $C_2$ message to find the membership certificate $A_i$ as follows:

2. Prove that $\log_g y = \log_{T_2}(T_1 / A_i \bmod n)$.

Then the $MM$ looks up the record $(A_i, ID_i)$ to find the corresponding identity $ID_i$, meaning that the vehicle with identity $ID_i$ is the actual message generator. The $MM$ then broadcasts $(A_i, ID_i)$ to all OBUs and each OBU adds $ID_i$ into its local revocation list (RL).

In designing the above taxonomies, we selected those components and approaches of existing mechanisms that, in our opinion, offer critical information regarding design philosophy and security properties. How can these taxonomies be used?

• *A map of anonymous authentication protocols for VANETs*. For novice researchers, these taxonomies offer a comprehensive overview for a quick introduction to this field. Experienced researchers can use and extend these taxonomies to structure and organize
• *Exploring new strategies*. Besides the existing mechanisms, the taxonomy explored a few strategies seen rarely in the wild and some novel methods.
• *Understanding solution constraints*. The taxonomy highlights common constraints and weaknesses for each class of mechanisms. Understanding these problems will focus
• *Identifying unexplored research areas*. Examining the effectiveness of different mechanism classes achieving different security properties will highlight unexplored venues for

**4.2.5 Message verification**

2. Decrypt *Dks*

where *d*�

mod *n*, *d*�

<sup>1</sup>, *d*� <sup>2</sup>, *d*� <sup>3</sup>, *d*�

**4.2.6 OBU fast tracing**

1. Recover *Ai* = *T*1/*T<sup>x</sup>*

**5. Using the taxonomies**

their knowledge in the field.

research efforts on solving them.

research.

<sup>2</sup> <sup>=</sup> *<sup>T</sup>s*1−*c*2*γ*<sup>1</sup>


Table 2. Message Format for OBU

and finds *c<sup>π</sup>* such that *c*<sup>0</sup> = *c*<sup>1</sup> + ··· + *cn* mod *q*. Finally the actual message sender sets *s<sup>π</sup>* = *l* − *cπx<sup>π</sup>* mod *q*.

Now we combine the constructions of *SPK*(1*a*) and *SPK*(1*b*) together. First, the actual message sender randomly picks *l*1, *l*<sup>2</sup> ∈*<sup>R</sup>* **Z***<sup>q</sup>* and *si*, *ci* ∈*<sup>R</sup>* **Z***<sup>q</sup>* for 1 ≤ *i* ≤ *n*, *i* �= *π*, then computes

$$\begin{split} \mathcal{L} &= \mathcal{H}(\mathcal{S} \parallel y\_{TR\mathcal{C}} \parallel R \parallel E\_{TR\mathcal{C}} \parallel \mathcal{E}(\mathcal{R}, y\_{TR\mathcal{C}})^{l\_1} \parallel s\_1 P + c\_1 y\_1 \parallel \cdots \parallel s\_{\pi -1} P + c\_{\pi -1} y\_{\pi -1} \parallel l\_2 P \parallel \cdots \parallel s\_{\pi -1} P\\ &\quad s\_{\pi + 1} P + c\_{\pi + 1} y\_{\pi + 1} \parallel \cdots \parallel s\_{\pi} P + c\_{\pi} y\_{\pi} \parallel M \text{)}. \end{split}$$

After that, the actual message sender sets *s* = *l*<sup>1</sup> − *cx<sup>π</sup>* mod *q*, finds *c<sup>π</sup>* such that *c* = *c*<sup>1</sup> + ··· + *cn* mod *q*, and sets *s<sup>π</sup>* = *l*<sup>2</sup> − *cπx<sup>π</sup>* mod *q*. The transcript of *SPK*(1) is therefore (*s*,*s*1, ··· ,*sn*, *c*1, ··· , *cn*).

According to DoT (2006), the payload of a safety message is 100 bytes. The first two fields are signed by the vehicle, by which the "signature" field can be derived. A timestamp is used to prevent the message replay attack. The last field is the public key sets, which records the public key pairs employed by the OBU. The format of messages in our protocol is defined in Table 2.

#### **4.2.3 Message verification**

Once a message is received, the receiving vehicle first checks if the *RL S* ? = ∅. If so, the receiver performs signature verification by verifying of *SPK*(1) as follows:

$$\sum\_{i=1}^{n} c\_i \stackrel{?}{=} \mathcal{H}(\mathcal{S} \parallel \mathcal{Y}\_{TRC} \parallel \mathcal{R} \parallel E\_{TRC} \parallel \mathcal{C} (\mathcal{R}, \mathcal{Y}\_{TRC})^s) \\ \stackrel{\mathcal{S}}{=} \stackrel{\sum\_{i=1}^{n} c\_i}{\parallel} \parallel s\_1 P + c\_1 \mathcal{y}\_1 \parallel \dots \parallel s\_n P + c\_n \mathcal{y}\_n \parallel$$

After that, the receiving vehicle updates its own public key set by randomly choosing public keys from *S*.

#### **4.2.4 OBU fast tracing**

A membership tracing operation is performed when solving a dispute, where the real ID of the signature generator is desired. The TRC first checks the validity of the signature and then uses its private key *xTRC* and determines if

$$E_{TRC} \stackrel{?}{=} \hat{e}(y_i, R)^{x_{TRC}}$$

for some *i*, 1 ≤ *i* ≤ *n*.

If the equation holds at, say when *i* = *π*, then the TRC looks up the record (*yπ*, *RIDπ*) to find the corresponding identity *RID<sup>π</sup>* meaning that vehicle with identity *RID<sup>π</sup>* is the actual message generator. The TRC then broadcasts the (*yπ*, *RIDπ*) to all OBUs and each OBU adds the *y<sup>π</sup>* into his local revocation list (RL).

Anonymous Authentication Protocols for Vehicular Ad Hoc Networks: An Overview 67

#### **4.2.5 Message verification**

Once a message is received, the receiving vehicle $V_j$, one of the group $G_{GNO}$, uses its group's shared secret key $\kappa_{GNO}$ to do the following with ciphertext $(C_1, C_2)$:

1. Recover the session key $k_s \leftarrow b_1 / (b_0)^{\kappa_{GNO}}$.
2. Decrypt $D_{k_s}(C_2) = M \parallel \sigma \parallel GNO$ with the session key $k_s$, where $D_{k_s}(\cdot)$ denotes symmetric decryption with key $k_s$ and $\sigma = (c, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$.
3. Check whether $c \in \{0,1\}^k$, $s_1 \in \pm\{0,1\}^{\epsilon(\gamma_2+k)+1}$, $s_2 \in \pm\{0,1\}^{\epsilon(\lambda_2+k)+1}$, $s_3 \in \pm\{0,1\}^{\epsilon(\lambda_1+2l_p+k+1)+1}$, $s_4 \in \pm\{0,1\}^{\epsilon(2l_p+k)+1}$ and $T_1, T_2, T_3 \in \mathbb{Z}_n$. (These range checks are part of the signature's soundness; a verifier that skips them accepts transcripts the scheme's proof does not cover.)
4. Accept the signature if and only if
   $$c = H(g \parallel h \parallel y \parallel a_0 \parallel a \parallel T_1 \parallel T_2 \parallel T_3 \parallel d'_1 \parallel d'_2 \parallel d'_3 \parallel d'_4 \parallel M \parallel C_1),$$
   where $d'_1, d'_2, d'_3, d'_4$ are computed by the following equations:
   $$d'_1 = a_0^{\,c}\, T_1^{\,s_1 - c2^{\gamma_1}} \big/ \big(a^{\,s_2 - c2^{\lambda_1}}\, y^{\,s_3}\big) \bmod n, \qquad d'_2 = T_2^{\,s_1 - c2^{\gamma_1}} \big/ g^{\,s_3} \bmod n,$$
   $$d'_3 = T_2^{\,c}\, g^{\,s_4} \bmod n, \qquad d'_4 = T_3^{\,c}\, g^{\,s_1 - c2^{\gamma_1}}\, h^{\,s_4} \bmod n.$$

#### **4.2.6 OBU fast tracing**

A membership tracing operation is performed when solving a dispute, where the real $ID_i$ of the signature generator is desired. The $MM$ first decrypts $(T_1, T_2)$ from the decrypted $C_2$ message to find the membership certificate $A_i$ as follows:

1. Recover $A_i = T_1 / T_2^{\,x} \bmod n$.
2. Prove that $\log_g y = \log_{T_2}(T_1 / A_i \bmod n)$.

Then the $MM$ looks up the record $(A_i, ID_i)$ to find the corresponding identity $ID_i$, meaning that the vehicle with identity $ID_i$ is the actual message generator. The $MM$ then broadcasts $(A_i, ID_i)$ to all OBUs and each OBU adds $ID_i$ into its local revocation list (RL).
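The ring-style $SPK(1)$ of Section 4.2.3 and the opening step of Section 4.2.6 can be exercised end to end. The following Python block is an added example written for this page, not code from the chapter or its authors. It implements the 1-out-of-$n$ part $SPK(1b)$ of the construction preceding Section 4.2.3 (signing with the sum-of-challenges trick $c_0 = c_1 + \cdots + c_n \bmod q$, verification, and the receiver's $RL \cap \mathcal{S} = \emptyset$ check) and the tracing step of Section 4.2.6 (recovering $A_i = T_1/T_2^{\,x}$ and proving $\log_g y = \log_{T_2}(T_1/A_i)$ with a Chaum-Pedersen equality-of-discrete-logarithm proof). Assumptions, all the example's own: a toy prime-order subgroup of $\mathbb{Z}_p^*$ replaces both the chapter's elliptic-curve group $\langle P \rangle$ (so $sP + cy$ becomes $g^s y^c \bmod p$) and the modulus $n$ of the group-signature scheme; the pairing-based $SPK(1a)$ part ($E_{TRC}$, $\hat{e}(R, y_{TRC})$) is left out; SHA-256 reduced modulo $q$ stands in for $H$; parameters are generated at about 41 bits so the search is instant, which is not a secure size.

```python
import hashlib
import secrets

# Toy Schnorr group: the prime-order-q subgroup of Z_p^*, p = 2q + 1.
# ASSUMPTION (example only): it stands in for the chapter's elliptic-curve group <P>
# of order q (y_i = x_i P becomes y_i = g^x_i mod p) and for the modulus n of the
# tracing step. ~41-bit parameters keep the search instant; they are not secure sizes.

def is_prime(n: int) -> bool:
    """Miller-Rabin with the first 13 prime bases; deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def schnorr_group(start: int = 1 << 40):
    """Return (p, q, g): safe prime p = 2q + 1 and g = 4 = 2^2, which has order q."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

def H(q: int, *parts) -> int:
    """The chapter's hash H(. || . || ...), here SHA-256 reduced into Z_q."""
    data = b"||".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

# ---- SPK(1b): the sender, holding x_pi with y_pi = g^x_pi, signs on behalf of the set S ----

def spk1b_sign(grp, S, pi, x_pi, msg):
    p, q, g = grp
    n = len(S)
    s, c, commits = [0] * n, [0] * n, [0] * n
    l = secrets.randbelow(q)
    for i in range(n):
        if i == pi:
            commits[i] = pow(g, l, p)                                # lP
        else:                                                        # simulated members
            s[i], c[i] = secrets.randbelow(q), secrets.randbelow(q)
            commits[i] = pow(g, s[i], p) * pow(S[i], c[i], p) % p    # s_i P + c_i y_i
    c0 = H(q, *S, *commits, msg)
    c[pi] = (c0 - sum(c)) % q        # c0 = c_1 + ... + c_n mod q (c[pi] is still 0 here)
    s[pi] = (l - c[pi] * x_pi) % q   # s_pi = l - c_pi x_pi, so s_pi P + c_pi y_pi = lP
    return s, c

def spk1b_verify(grp, S, msg, sig) -> bool:
    p, q, g = grp
    s, c = sig
    commits = [pow(g, s[i], p) * pow(S[i], c[i], p) % p for i in range(len(S))]
    return sum(c) % q == H(q, *S, *commits, msg)

def receiver_accepts(grp, RL, S, msg, sig) -> bool:
    """Section 4.2.3: verify only if RL and S are disjoint; a revoked key in S means reject."""
    return not (set(RL) & set(S)) and spk1b_verify(grp, S, msg, sig)

# ---- Section 4.2.6: MM recovers A_i = T1 / T2^x and proves log_g y = log_T2 (T1 / A_i) ----

def mm_open(grp, x, T1, T2):
    p, q, g = grp
    A = T1 * pow(T2, -x, p) % p                  # step 1: A_i = T1 / T2^x
    W = T1 * pow(A, -1, p) % p                   # T1 / A_i, which equals T2^x
    r = secrets.randbelow(q)                     # step 2: Chaum-Pedersen proof, witness x
    a1, a2 = pow(g, r, p), pow(T2, r, p)
    ch = H(q, g, pow(g, x, p), T2, W, a1, a2)
    return A, (a1, a2, (r + ch * x) % q)

def verify_open(grp, y, T1, T2, A, proof) -> bool:
    p, q, g = grp
    a1, a2, z = proof
    W = T1 * pow(A, -1, p) % p
    ch = H(q, g, y, T2, W, a1, a2)
    return pow(g, z, p) == a1 * pow(y, ch, p) % p and pow(T2, z, p) == a2 * pow(W, ch, p) % p

if __name__ == "__main__":
    grp = schnorr_group()
    p, q, g = grp
    xs = [secrets.randbelow(q) for _ in range(4)]
    S = [pow(g, x, p) for x in xs]                                   # public key set S
    sig = spk1b_sign(grp, S, 2, xs[2], "brake hard ahead")
    print("receiver accepts:", receiver_accepts(grp, [], S, "brake hard ahead", sig))
    x_mm = secrets.randbelow(q)
    y_mm = pow(g, x_mm, p)
    A_i, w = pow(g, 12345, p), secrets.randbelow(q)
    T1, T2 = A_i * pow(y_mm, w, p) % p, pow(g, w, p)                # (T1, T2) from sigma
    A_rec, proof = mm_open(grp, x_mm, T1, T2)
    print("opened correctly:", A_rec == A_i, verify_open(grp, y_mm, T1, T2, A_rec, proof))
```

Every term $s_iP + c_iy_i$ looks the same to the verifier, so the signature reveals nothing about which member of $\mathcal{S}$ signed; only the holder of $x$ can open $(T_1, T_2)$, and the proof returned by `mm_open` lets any OBU check that the published $A_i$ really is the certificate inside the signature rather than a framed member's. Note also that revoking a key in `RL` suppresses verification of any message whose key set contains it, which is the check the chapter places before the signature equation.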

#### **5. Using the taxonomies**

In designing the above taxonomies, we selected those components and approaches of existing mechanisms that, in our opinion, offer critical information regarding design philosophy and security properties. How can these taxonomies be used?

• *A map of anonymous authentication protocols for VANETs*. For novice researchers, these taxonomies offer a comprehensive overview for a quick introduction to this field. Experienced researchers can use and extend these taxonomies to structure and organize their knowledge in the field.

• *Exploring new strategies*. Besides the existing mechanisms, the taxonomy explored a few strategies seen rarely in the wild and some novel methods.

• *Understanding solution constraints*. The taxonomy highlights common constraints and weaknesses for each class of mechanisms. Understanding these problems will focus research efforts on solving them.

• *Identifying unexplored research areas*. Examining the effectiveness of different mechanism classes in achieving different security properties will highlight unexplored venues for research.


#### **6. Conclusion**

The anonymous authentication protocols for VANETs can be constructed from a multitude of cryptographic primitives, which obscures a global view of this field. This chapter is an attempt to cut through the obscurity and structure the knowledge in this field. The proposed taxonomies are intended to help the community think about the constraints of existing works and the possible countermeasures.

#### **7. Acknowledgements**

This work is partially supported by National Natural Science Foundation of China under Grant No. 61003230, China Postdoctoral Science Foundation under Grant No. 20100480130, Chongqing Key Lab of Computer Network and Communication Technology under Grant No. CY-CNCL-2010-01 and National Research Foundation for the Doctoral Program of Higher Education of China under Grant No. 200806140010.

#### **8. Nomenclature**

| Notations | Descriptions |
| --- | --- |
| TA | Trusted Authority |
| OBU | On-Board Unit |
| RSU | Road-Side Unit |
| VANETs | Vehicular Ad Hoc Networks |
| IVC | Inter-Vehicle Communication |
| VSC | Vehicle Safety Communications |
| MAC | Message Authentication Code |
| CRL | Certificate Revocation List |
| V2V | Vehicle-to-Vehicle |
| DoS | Denial of Service |
| DSRC | Dedicated Short Range Communications |
| FCC | Federal Communications Commission |
| ETSI | European Telecommunications Standards Institute |
| TESLA | Timed Efficient Stream Loss-tolerant Authentication |
| TSVC | Time-efficient and Secure Vehicular Communication |

Table 3. Notations

#### **9. References**

M. Abe, M. Ohkubo, K. Suzuki. (2002). 1-out-of-n signatures from a variety of keys, In *Proc. ASIACRYPT 2002*, New Zealand, Lecture Notes in Computer Science, 2501, Springer-Verlag, pp. 415-432.

G. Ateniese, S. Hohenberger. (2005). Proxy Re-Signatures: New Definitions, Algorithms, and Applications, In: *ACM Conference on Computer and Communications Security (CCS 2005)*, pp. 310-319.

R. Bishop. (2000). A survey of intelligent vehicle applications worldwide, in *Proceedings of the IEEE Intelligent Vehicles Symposium 2000*, Dearborn, MI, USA, Oct. pp. 25-30.

M. Blaze, G. Bleumer, M. Strauss. (1998). Divertible Protocols and Atomic Proxy Cryptography, In: *Nyberg, K. (ed.) EUROCRYPT 1998*, LNCS 1403, pp. 127-144. Springer.

D. Boneh and M. K. Franklin. (2001). Identity-Based Encryption from the Weil Pairing, in: *CRYPTO 2001*, LNCS 2139, pp. 213-229. Springer. SIAM Journal of Computing, Vol. 32, No. 3, pp. 586-615, 2003.

D. Boneh, X. Boyen, H. Shacham. (2004). Short group signatures, In: Franklin, M.K. (ed.) *CRYPTO 2004*, vol 3152 of LNCS, pp. 227-242, Springer, Heidelberg.

D. Boneh and H. Shacham. (2004). Group signatures with verifier-local revocation, in *Proc. ACM CCS'04*, pp. 168-177.

E. Bresson, J. Stern, M. Szydlo. (2002). Threshold ring signatures and applications to ad-hoc groups, In *Proc. CRYPTO 2002*, USA, Lecture Notes in Computer Science, 2442, Springer-Verlag, pp. 465-480.

G. Calandriello, P. Papadimitratos, J.-P. Hubaux, A. Lioy. (2007). Efficient and robust pseudonymous authentication in VANET, *Vehicular Ad Hoc Networks*, pp. 19-28.

D. Chaum, E. van Heyst. (1991). Group Signature, In *EUROCRYPT 1991*, volume 547 of LNCS, pp. 257-265.

L. Chen and S. Ng. (2010). Comments on "Proving Reliability of Anonymous Information in VANETs" by Kounga *et al*., IEEE Transactions on Vehicular Technology, Vol. 59, No. 3, pp. 1503-1505.

L. Chen, S.-L. Ng and G. Wang. (2011). Threshold anonymous announcement in VANETs, IEEE Journal on Selected Areas in Communications, Vol. 29, No. 3, pp. 605-615.

V. Daza, J. Domingo-Ferrer, F. Sebé, and A. Viejo. (2009). Trustworthy Privacy-Preserving Car-Generated Announcements in Vehicular Ad Hoc Networks, *IEEE Transactions on Vehicular Technology*, vol. 58, no. 4, pp. 1876-1886.

Y. Dodis, A. Kiayias, A. Nicolosi, V. Shoup. (2004). Anonymous identification in ad hoc groups, In *Proc. EUROCRYPT 2004*, Switzerland, LNCS 3027, Springer-Verlag, pp. 609-626. Full version: http://www.cs.nyu.edu/nicolosi/papers/

U.S. Department of Transportation. (2006). National Highway Traffic Safety Administration, *Vehicle Safety Communications Project*, Final Report. Appendix H: WAVE/DSRC Security.

*Dedicated Short Range Communications* (5.9 GHz DSRC), Available: http://www.leearmstrong.com/DSRC/DSRCHomeset.htm

J.P. Hubaux, S. Capkun, L. Jun. (2004). The Security and Privacy of Smart Vehicles, *IEEE Security & Privacy Magazine*, Vol. 2, No. 3, pp. 49-55.

Saving Lives Through Advanced Vehicle Safety Technology: Intelligent Vehicle Initiative Final Report. [Online]. Available: http://www.itsdocs.fhwa.dot.gov/JPODOCS/REPTS PR/14153 files/ivi.pdf

P. Kamat, A. Baliga, W. Trappe. (2006). An Identity-Based Security Framework For VANETs, *VANET'06*, pp. 94-95.

G. Kounga, T. Walter, and S. Lachmund. (2009). Proving Reliability of Anonymous Information in VANETs, *IEEE Transactions on Vehicular Technology*, vol. 58, no. 6, pp. 2977-2989.

C.-T. Li, M.-S. Hwang, Y.-P. Chu. (2008). A secure and efficient communication scheme with authenticated key establishment and privacy preserving for vehicular ad hoc networks, *Computer Communications*, Vol. 31, pp. 2803-2814.

B. Libert, D. Vergnaud. (2008). Multi-Use Unidirectional Proxy Re-Signatures, *ACM Conference on Computer and Communications Security (CCS 2008)*, Alexandria, Virginia, USA.

D. Y. W. Liu, J. K. Liu, Y. Mu, W. Susilo, D.S. Wong. (2007). Revocable Ring Signature, *J. Comput. Sci. Technol.* 22(6): pp. 785-794.

X. Lin. (2008). Secure and Privacy-Preserving Vehicular Communications, PhD thesis, University of Waterloo, Waterloo, Ontario, Canada.

X. Lin, X. Sun, P.-H. Ho and X. Shen. (2007). GSIS: A Secure and Privacy-Preserving Protocol for Vehicular Communications, *IEEE Transactions on Vehicular Technology*, vol. 56(6), pp. 3442-3456, 2007.

X. Lin, R. Lu, C. Zhang, H. Zhu, P.-H. Ho and X. Shen. (2008a). Security in Vehicular Ad Hoc Networks, *IEEE Communications Magazine*, vol. 46, no. 4, pp. 88-95, 2008.

X. Lin, X. Sun, X. Wang, C. Zhang, P.-H. Ho and X. Shen. (2008b). TSVC: Timed Efficient and Secure Vehicular Communications with Privacy Preserving, *IEEE Transactions on Wireless Communications*, vol. 7, no. 12, pp. 4987-4998.

R. Lu, X. Lin, H. Zhu, P.-H. Ho and X. Shen. (2008). ECPP: Efficient Conditional Privacy Preservation Protocol for Secure Vehicular Communications, *The 27th IEEE International Conference on Computer Communications (INFOCOM 2008)*, Phoenix, Arizona, USA.

R. Lu, X. Lin, H. Zhu, and X. Shen. (2009). SPARK: A New VANET-based Smart Parking Scheme for Large Parking Lots, *The 28th IEEE International Conference on Computer Communications (INFOCOM 2009)*, Rio de Janeiro, Brazil.

R. Lu, X. Lin, and X. Shen. (2010). SPRING: A Social-based Privacy-preserving Packet Forwarding Protocol for Vehicular Delay Tolerant Networks, *The 29th IEEE International Conference on Computer Communications (INFOCOM 2010)*, San Diego, California, USA.

T. K. Mak, K. P. Laberteaux and R. Sengupta. (2005). A Multi-Channel VANET Providing Concurrent Safety and Commercial Services, in *Proceedings of 2nd ACM International Workshop on Vehicular Ad Hoc Networks*, Cologne, Germany, Sep. pp. 1-9.

J. A. Misener. (2005). Vehicle-infrastructure integration (VII) and safety, *Intellimotion*, Vol. 11, No. 2, pp. 1-3.

T. Nakanishi, T. Fujiwara, and H. Watanabe. (1999). A linkable group signature and its application to secret voting, Transactions of Information Processing Society of Japan, vol. 40, no. 7, pp. 3085-3096.

T. Nakanishi and N. Funabiki. (2005). Verifier-local revocation group signature schemes with backward unlinkability from bilinear maps, in *Proc. ASIACRYPT'05*, LNCS, vol. 3788, pp. 533-548.

L. Nguyen, R. Safavi-Naini. (2005). Dynamic *k*-times anonymous authentication, in *ACNS 2005*, LNCS 3531, pp. 318-333.

A. Perrig, R. Canetti, J. D. Tygar, D. Song. (2002). The TESLA Broadcast Authentication Protocol, RSA CryptoBytes, vol. 5, no. 2, pp. 2-13.

A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar. (2002). SPINS: security protocols for sensor networks, Wireless Networks, vol. 8, no. 11, pp. 521-534.

K. Plößl, H. Federrath. (2008). A privacy aware and efficient security infrastructure for vehicular ad hoc networks, *Computer Standards & Interfaces*, Vol. 30, pp. 390-397.

M. Raya, J. P. Hubaux. (2005). The security of vehicular ad hoc networks, *3rd ACM workshop on Security of ad hoc and sensor networks*, pp. 11-21.

M. Raya and J. P. Hubaux. (2007). Securing Vehicular Ad Hoc Networks, *Journal of Computer Security*, Special Issue on Security of Ad Hoc and Sensor Networks, Vol. 15, Nr. 1, pp. 39-68.

R. L. Rivest, A. Shamir, Y. Tauman. (2001). How to Leak a Secret, In *AsiaCrypt 2001*, volume 2248 of LNCS, pp. 552-565.

X. Sun, X. Lin, P. Ho. (2007). Secure Vehicular Communications Based on Group Signature and ID-Based Signature Scheme, *International Communications Conference (ICC 2007)*, Glasgow, Scotland, June 24-28.

X. Sun. (2007). Anonymous, secure and efficient vehicular communications, Master thesis, University of Waterloo, Waterloo, Ontario, Canada.

J. Sun, Y. Fang. (2009). Defense against misbehavior in anonymous vehicular ad hoc networks, Ad Hoc Networks (Special Issue on Privacy and Security in Wireless Sensor and Ad Hoc Networks), Vol. 7, No. 8, pp. 1515-1525.

Y. Sun, R. Lu, X. Lin, X. Shen, and J. Su. (2010). A Secure and Efficient Revocation Scheme for Anonymous Vehicular Communications, *International Communications Conference (ICC 2010)*, Cape Town, South Africa.

Y. Sun, R. Lu, X. Lin, X. Shen, and J. Su. (2010). An Efficient Pseudonymous Authentication Scheme With Strong Privacy Preservation for Vehicular Communications, *IEEE Transactions on Vehicular Technology*, Vol. 59, No. 7, pp. 3589-3603.

J. Sun, C. Zhang, Y. Zhang, Y. Fang. (2010). An Identity-Based Security System for User Privacy in Vehicular Ad Hoc Networks, IEEE Transactions on Parallel and Distributed Systems, Vol. 21, No. 9, pp. 1227-1239.

I. Teranishi, J. Furukawa, and K. Sako. (2004). *k*-Times Anonymous Authentication, in *ASIACRYPT 2004*, Springer-Verlag, LNCS 3329, pp. 308-322.

Vehicle infrastructure integration. U.S. Department of Transportation, [Online]. Available: http://www.its.dot.gov/index.htm

A. Wasef, Y. Jiang, and X. Shen. (2010). DCS: An efficient distributed certificate service scheme for vehicular networks, IEEE Transactions on Vehicular Technology, vol. 59, no. 2, pp. 533-549.

G. Wang. (2004). Security Analysis of Several Group Signature Schemes. [Online]. Available: http://eprint.iacr.org/2003/194

N. W. Wang, Y. M. Huang, and W. M. Chen. (2008). A novel secure communication scheme in vehicular ad hoc networks, *Computer Communications*, Vol. 31, pp. 2827-2837.

D. S. Wong, K. Fung, J. Liu, V. Wei. (2003). On the RS-code construction of ring signature schemes and a threshold setting of RST, In *Proc. 5th Int. Conference on Information and Communication Security (ICICS 2003)*, China, Lecture Notes in Computer Science, 2836, Springer-Verlag, pp. 34-46.

Q. Wu, J. Domingo-Ferrer, and Úrsula González-Nicolás. (2010). Balanced Trustworthiness, Safety, and Privacy in Vehicle-to-Vehicle Communications, *IEEE Transactions on Vehicular Technology*, vol. 59, no. 2, pp. 559-573.

Q. Xu, T. Mak, J. Ko and R. Sengupta. (2007). Medium Access Control Protocol Design for Vehicle-Vehicle Safety Messages, *IEEE Transactions on Vehicular Technology*, Vol. 56, No. 2, pp. 499-518.

Y. Xi, K. Sha, W. Shi, L. Schwiebert, and T. Zhang. (2007). Enforcing Privacy Using Symmetric Random Key-Set in Vehicular Networks, *Eighth International Symposium on Autonomous Decentralized Systems (ISADS'07)*, pp. 344-351.

Y. Xi, W. Shi, L. Schwiebert. (2008). Mobile anonymity of dynamic groups in vehicular networks, *Security and Communication Networks*, Vol. 1, No. 3, pp. 219-231.

H. Xiong, Z. Qin, F. Li. (2011). Identity-based Ring Signature Scheme based on quadratic residues, High Technology Letters, Vol. 15, No. 1, pp. 94-100.

H. Xiong, K. Beznosov, Z. Qin, M. Ripeanu. (2010). Efficient and Spontaneous Privacy-Preserving Protocol for Secure Vehicular Communication, *International Communications Conference (ICC 2010)*, Cape Town, South Africa.

H. Xiong, Z. Qin, F. Li. (2010). Secure Vehicle-to-roadside communication protocol using certificate-based cryptosystem, IETE Technical Review, Vol 27, No 3, pp. 214-219.

H. Xiong, Z. Qin, F. Li. (2011). A Certificateless Proxy Ring Signature Scheme with Provable Security, International Journal of Network Security, Vol. 12, No. 2, pp. 113-127.

C. Zhang, X. Lin, R. Lu and P.-H. Ho. (2008). RAISE: An Efficient RSU-aided Message Authentication Scheme in Vehicular Communication Networks, IEEE International Conference on Communications (ICC'08), Beijing, China.

C. Zhang, X. Lin, R. Lu, P.-H. Ho and X. Shen. (2008). An Efficient Message Authentication Scheme for Vehicular Communications, *IEEE Transactions on Vehicular Technology*, vol. 57, no. 6, pp. 3357-3368.


72 Applied Cryptography and Network Security

## **Security Approaches for Information-Centric Networking**

Walter Wong and Maurício Ferreira Magalhães, *University of Campinas, Brazil*

#### **1. Introduction**

The increasing demand for highly scalable infrastructure for efficient content distribution has stimulated the research on new architectures and communication paradigms, where the focus is on efficient content delivery without explicit indication of the resource location. One of these paradigms is known as information-centric networking (ICN) and its main focus is on data retrieval regardless of the source at the network level. This scenario usually happens when content providers (e.g. Warner Bros, BBC News) produce information (movies, audio, news in a Web page, etc.) and hire delivery systems such as Akamai<sup>1</sup> to deliver their content to the customers. In this model, there is a decoupling between content generation and the server storing the content itself (the actual machine serving the content to clients). Originally, servers used to generate and deliver data to the clients; nowadays, however, data may be generated in specialized locations and placed in strategic servers in the network to speed up the content delivery to content consumers.

From the security perspective, the decoupling of data production and hosting opens new challenges for content authentication. The first issue regards the trust establishment for content authentication and the second one is the time decoupling between data consumption and production. Previously, data was generated in servers and the authentication of the hosting server resulted in an *implicit* data authentication because the content producer was the same as the content server. Nowadays, a common scenario is the separation between content generation and delivery, breaking the previous trust relationship established between the serving host and the content. Servers are deployed by content delivery companies to deliver data according to a contract, thus there might not be any correlation between the serving host and the data itself. The second issue regards the time decoupling between data consumption and production, which is a direct consequence of the separation of content production and hosting. Content providers produce content (e.g. news feeds) that may not be synchronously consumed, e.g., the BBC News web-site produces news every 5 minutes, but clients access the data after some period of time. As a consequence, content providers and consumers are *decoupled in time* and *synchronization*, and there might not be any interaction between clients and servers to ensure the content authenticity<sup>2</sup>. Some threats such as fake and unauthorized content publication or corruption of content data blocks may appear, requiring a new security model focused on the content itself rather than on securing the connection.

<sup>1</sup> http://www.akamai.com

<sup>2</sup> Sometimes the original content provider is not online to provide authentication data.

Fig. 1. Naive zero-padding in the Merkle Tree.

comprehension of the proposed mechanism.

section.

**3. Security design**

**3.1 Definitions**

plus in the intermediate and top nodes. Consequently, we have:

*H* ∑ *i*=0

Therefore, a MT with *<sup>N</sup>* leaves (where *<sup>N</sup>* <sup>=</sup> <sup>2</sup>*H*) requires 2*<sup>N</sup>* <sup>−</sup> 1 hash function calls to generate the *root hash*, regardless of the number of empty leaves in the tree. In order to tackle this limitation, we propose two mechanisms based on hash trees for information-centric data authentication, called *skewed hash tree* and *composite hash tree* that will be presented in the next

Security Approaches for Information-Centric Networking 75

In this section we present two hash tree techniques, the skewed hash tree and the composite hash tree, that provide content authentication based solely on the content. These two techniques transfer the trust placed on the root hash to the data blocks through strong cryptographic hash functions, allowing for efficient and trusted content authentication. We

In order to better describe the hash tree data structure and the verification procedures associated to it, we start with some definitions used through the text to ease the

• **Block.** A block or data block is a fragment of a larger file and is considered as the *smallest*

start describing the skewed hash tree and then we describe the composite hash tree.

unity of data used as input of the skewed hash tree algorithms.

<sup>2</sup>*<sup>i</sup>* <sup>=</sup> <sup>2</sup>*H*+<sup>1</sup> <sup>−</sup> <sup>1</sup> <sup>=</sup> <sup>2</sup>*<sup>N</sup>* <sup>−</sup> <sup>1</sup> (1)

In this paper, we present two hash tree techniques to provide content authentication based on the content rather than the communication channel to provide content authentication in information-centric networks. The authentication model uses *skewed hash trees* (SHT) and *composite hash trees* (CHT) to provide amortized content authentication and integrity for a set of data blocks with one single digital signature. Moreover, the security model is independent of the underlying transport protocol, allowing it to verify the content with the original content owner, regardless of the storage or mirror where it was retrieved. The SHT mechanism allows for secure content caching in the network, enabling data verification by intermediate devices at low processing costs. The CHT mechanism allows for parallel authentication over HTTP, enabling parallel content download in the Internet. As a proof-of-concept, we implemented a prototype with the SHT and CHT libraries and evaluated in these two scenarios, outlining the main experimental results.

The organization of this paper is as follows. Section 2 presents the background information about Merkle Trees. Section 3 presents the SHT and CHT techniques for content authentication in information-centric networks. Section 4 describes the SHT and CHT implementations in the secure caching and parallel authentication scenarios. Finally, Section 5 summarizes the paper.

### **2. Background**

The Merkle Tree (MT) (Merkle, 1989) is a *balanced binary tree* structure containing summary information about a large piece of data or a message set. The data structure was originally proposed in the late 70's as a compact representation of public keys; the main idea is to apply a cryptographic hash over a set of messages and use these hash values as the leaves of a balanced tree. Each parent node contains the hash of the concatenation of the hash values stored in its children, recursively up to the top of the tree. This top value is known as the *root hash* and it represents the *fingerprint* of the set of messages. Each data block has a list of hash values called the *authentication path* (AP) that allows a user to verify its integrity by recomputing the path from the leaf towards the *root hash* and comparing the result with a securely retrieved *root hash* value.

Some applications use MTs to provide efficient content authentication in different scenarios, such as HTTP (Bayardo & Sorensen, 2005) and P2P networks (Tamassia & Triandopoulos, 2007). These applications create a MT over a set of data blocks and append an AP to each block to allow data verification on the receiver side. However, the construction of a MT requires a balanced binary tree, i.e., a number of data blocks that is a power of two; otherwise the original MT algorithms do not work due to the unbalance in the tree. There are two simple solutions to this issue: (1) force the number of blocks to be a power of two; (2) pad the tree with zero leaves. The first is restrictive because it interferes with the application's requirements, e.g., the maximum transmission unit, and the second results in additional computation overhead.

Fig. 1. Naive zero-padding in the Merkle Tree.

Fig. 1 illustrates the problem with naive zero padding. The worst case happens when the number of blocks is one more than a balanced tree can hold, which requires a tree of twice the size. As the height of a MT grows, the number of required zero leaves increases proportionally: when the number of blocks is *N*/2 + 1, a tree of height *H* (with *N* = 2<sup>*H*</sup> leaves) is needed instead of a tree of height *H* − 1, leaving 2<sup>*H*−1</sup> − 1 zero leaves. Hence, the number of hash function calls in the zero padding scheme is the same as in the full balanced tree, since each zero leaf is hashed like a regular leaf. Thus, the total number of hash function calls is the sum of the hash calls over the *N* leaves plus those in the intermediate and top nodes. Consequently, we have:

$$\sum_{i=0}^{H} 2^{i} = 2^{H+1} - 1 = 2N - 1 \tag{1}$$

Therefore, a MT with *N* leaves (where *N* = 2<sup>*H*</sup>) requires 2*N* − 1 hash function calls to generate the *root hash*, regardless of the number of empty leaves in the tree. In order to tackle this limitation, we propose two hash-tree-based mechanisms for information-centric data authentication, called *skewed hash tree* and *composite hash tree*, which are presented in the next section.

#### **3. Security design**

In this section we present two hash tree techniques, the skewed hash tree and the composite hash tree, that provide content authentication based solely on the content. These two techniques transfer the trust placed on the root hash to the data blocks through strong cryptographic hash functions, allowing for efficient and trusted content authentication. We start describing the skewed hash tree and then we describe the composite hash tree.

#### **3.1 Definitions**

In order to better describe the hash tree data structure and the verification procedures associated with it, we start with some definitions used throughout the text to ease the comprehension of the proposed mechanism.

• **Block.** A block or data block is a fragment of a larger file and is considered as the *smallest* unity of data used as input of the skewed hash tree algorithms.

• **Leaf.** A leaf is the bottom node of a binary tree. It contains the cryptographic hash value of a data block.

• **Balanced leaf.** A balanced leaf is a leaf of a balanced binary tree. Even though they are leaves, they may have some skewed leaves appended; they are called balanced leaves to identify the lowest level of the balanced tree. These leaves can be handled using regular Merkle tree algorithms.

• **Skewed leaf.** A skewed leaf is a leaf appended under a balanced leaf. It needs special handling in order to generate a coherent root hash value that can be used in the verification process.

• **Height.** The height *h* is the total height of the entire skewed hash tree: the height of the balanced tree if there is no skewed leaf, or the height of the balanced tree plus one if there are skewed leaves.

• **Hash Tree (HT).** A binary hash tree is a complete binary tree with height *h* and 2<sup>*h*</sup> leaves. Each leaf stores the cryptographic hash of a data block and each internal node stores the hash of the concatenation of its children's nodes.

• **Root Hash (RH).** The *Root Hash* is the hash value at the top of an intermediate hash tree, representing the fingerprint of a set of data blocks (it is the value that gets digitally signed). The RH algorithmically binds all data blocks together, and any change in any data block results in a different root hash.

• **Composite Root Hash (CH).** The *Composite Root Hash* is the hash value at the top of a composite hash tree, used to authenticate the incoming *Authentication Data Blocks*. The CH can be digitally signed to provide both content authentication and integrity regardless of the number of data blocks.

• **Authentication Data Block (AD).** The *Authentication Data Block* contains intermediate RH values of the hash trees used in the composition. It is used to authenticate the smaller trees and data blocks as they arrive on the receiver side.

• **Authentication Path (AP).** The *Authentication Path* is the list of hash values needed to authenticate a specific data block. The AP hash value at a given height *h* is the sibling hash in the hash tree on the way towards the root hash. The main difference between AP and AD is that the first is used to authenticate one data block and the second is used to authenticate the RH of intermediate hash trees.

#### **3.2 Skewed hash tree**

In this section, we present the *skewed hash tree* (SHT), a variant of the original Merkle Tree that supports verification of files of arbitrary size with the minimum overhead per data block. The SHT introduces simple yet powerful algorithms that decouple authentication from the file partitioning procedure, allowing applications to freely divide the data into blocks according to their requirements. The proposed mechanism is useful for applications that require: (i) low verification overhead; (ii) content-based or connection-less verification; (iii) random order verification; (iv) authentication of files of arbitrary size.

The SHT extends the original Merkle Tree algorithms to allow data authentication in cases where the number of chunks (data fragments) is not a power of two. To achieve this, we separate the hash tree into two parts: a balanced tree and a set of *skewed leaves*. A skewed leaf is a leaf appended under a balanced leaf, and it is handled specially by the algorithms. The balanced tree is created over the partitioned content and the skewed leaves are then added under balanced leaves, adding one extra level of height to the skewed hash tree. The advantage of splitting the tree into a balanced tree and skewed leaves is to keep compatibility with the original Merkle tree algorithms for the balanced part while handling the skewed leaves correctly.

Fig. 2. Skewed Hash Tree proposal.

Fig. 2 illustrates an example of a skewed hash tree, where the balanced tree comprises the leaves with hash values H01, H2, H3 and H4 and the skewed leaves contain the hash values H0 and H1. The SHT construction starts with the computation of the smallest tree height that can hold all data blocks, minus one<sup>3</sup>, which in this case is *h* = 2 and results in four balanced leaves. Next, the mechanism computes the number of balanced leaves that will receive skewed leaves in order to hold all data blocks. Finally, it computes the root hash over the data set.

In order to distinguish the skewed leaves from the balanced ones, the skewed leaves are inserted at height *h* = −1, indicating that they are appended leaves that must be handled as a special case by the regular Merkle tree algorithms.

The algorithm that computes the root hash starts at the first leaf of the balanced tree, in this case H01. Its first step is to check whether that leaf has skewed leaves appended or not. In the example, the leaf H01 has the skewed leaves H0 and H1 appended, so the algorithm must first compute these two leaves (H01 is the hash of their concatenation) and only then return to the balanced tree. The balanced tree algorithm then moves to the second leaf H2 and again checks for appended leaves. From leaf H2 onward there are no more skewed leaves, so the balanced Merkle tree algorithms work normally.

#### **3.2.1 SHT construction**

The skewed hash tree computation is divided into three phases: *root hash generation*, *AP generation* and *data block verification*. The first phase generates the root hash of a target file (the value that is later digitally signed), the second phase generates the AP for each data block and the third phase authenticates each data block. In the following algorithms we use the *stack* data structure to ease the description and understanding of the algorithms. A stack was chosen because it keeps the last two values at its top, easing the comparison of those two values. We consider that the stack has the *pop* and *push(element)* primitives, where pop removes the top element of the stack and push adds an element at the top of the stack.

<sup>3</sup> The motivation to reduce the tree height by one is to avoid empty leaves; for example, if we chose a tree of height *h* = 3 for this example, we would have 5 data blocks and three empty leaves.

The number of skewed leaves in a skewed hash tree of height *h* is the number of data blocks, *N*, minus the number of leaves of a balanced hash tree of height *h* − 1, multiplied by two<sup>4</sup>. Therefore:

$$\mathit{num\_skewed\_leaves} = 2\,(N - 2^{\mathit{balanced\_tree\_height}}) \tag{2}$$

where *balanced\_tree\_height* is the height of the balanced tree. The number of balanced leaves with appended skewed leaves is:

$$\mathit{num\_balanced\_leaves} = N - 2^{\mathit{balanced\_tree\_height}} \tag{3}$$

Fig. 3 presents a comparison between the number of hash function calls in the MT and SHT.

Fig. 3. Comparison between the number of hash function calls in Merkle trees and Skewed hash trees.

Note that MT has a constant overhead per tree height while SHT adapts to the current number of data blocks. The main reason why MT has a constant processing overhead is due to the computation of the empty leaves in order to reach to the *root hash*. On the other hand, SHT just computes the leaves with data blocks, skipping the empty ones. Thus, the worst case for SHT is to have the same computational overhead as regular MT.

#### **3.2.2 SHT algorithms**

There are three algorithms associated to SHT: *skewed\_treehash*, *skewed\_ap* and *skewed\_verify*. The skewed\_treehash computes the root hash of a skewed hash tree; the skewed\_ap computes the authentication path for each data block; and skewed\_verify checks whether a data block is consistent with a given root hash or not. We are going to describe each one in detail.

<sup>4</sup> The next height of a binary tree has two times the number of leaves of the previous height.

#### **Algorithm 1** SHT treehash algorithm

```
Input: File, max_height, num_skewed_leaves
Output: Root hash
skewed_count = 0; stack = empty
while not (EOF(file) and stack holds exactly one entry) do
  if stack holds at least 2 entries and the top 2 entries have equal height then
     hR ← pop()
     hL ← pop()
     height = hL.height
     hx ← hash(hL || hR)
     stack.push(hx, height + 1)
  else if not EOF(file) then
     data = read_data(file)
     if skewed_count < num_skewed_leaves then
        stack.push(hash(data), height = -1)   -- skewed leaf, appended below a balanced leaf
        skewed_count = skewed_count + 1
     else
        stack.push(hash(data), height = 0)    -- balanced leaf
     end if
  end if
end while
Return stack.top()   -- root hash; its height is max_height, the height of the balanced part
```
Alg. 1 describes the root hash generation procedure in a skewed hash tree, which is based on the original *treehash* Merkle tree algorithm.

The algorithm receives as input a file, the block size, the maximum height of the tree (the height of the balanced part, obtained by dividing the file size by the data block size, finding the smallest height of a balanced tree that can hold that number of leaves and subtracting one, as in Section 3.2) and the number of skewed leaves computed with Eq. 2.

The second phase corresponds to the AP generation for each data block and is divided into two steps: (1) initial stack filling and (2) AP generation. The first step uses the skewed treehash algorithm to store the hash values of the leftmost and rightmost nodes at each height (*hL* ← *pop*() and *hR* ← *pop*() in Alg. 1) in the *Sh* and *APh* stacks respectively. The *Sh* stack holds the hash value to be used in the next AP generation and the *APh* stack holds the AP value at height *h*; initially it contains the authentication path of the first block. These stacks are temporary variables that keep previously computed hash values for the next AP computation.

The second step uses the pre-filled *Sh* and *APh* stacks to output each AP in sequence with one tree traversal. Alg. 2 describes the skewed hash tree traversal algorithm. The algorithm receives as input the file, the number of balanced leaves with appended skewed leaves and the height of the balanced tree and outputs the AP for each data block in sequence.

The third phase comprises the data block verification procedure, described in Alg. 3, where the receiver gets a data block with its corresponding AP and the block index. We assume the root hash was previously transferred to the receiver in a secure way, for example using the security plane model. The algorithm starts from the hash of the data block and, following the AP, concatenates each hash value on the correct side (left or right, according to the parity of the current position) until it reaches the root hash, which is then compared with the trusted value.

**3.3 Composite hash tree**

The Composite Hash Tree (CHT) (Wong et al., 2010a;b) is a data structure created over the set of data blocks of a complete file. The main idea is to create a set of small binary hash trees of fixed height over the data blocks and recursively construct further binary hash trees over the hash trees of the previous level, until reaching one single hash tree at the top level. The motivation for this approach is the high overhead of the Merkle tree and also of the skewed hash tree, since the latter is mainly based on the original Merkle tree algorithms. In these approaches, each data block carries a list of cryptographic hash values (its authentication path) whose length equals the height of the hash tree. Therefore, each authentication path has log<sub>2</sub> *N* values and the total authentication overhead grows as *N* log<sub>2</sub> *N*, where *N* is the number of blocks. For large files this overhead can be considerable, especially in scenarios using low-processing devices such as mobile phones.

In order to attack the authentication overhead problem, we propose CHT as an alternative to both Merkle and skewed hash trees for authentication with low overhead. The proposed mechanism also provides signature amortization, allowing one piece of content to be authenticated with one digital signature regardless of the number of data blocks, requiring on average *O*(*N*) fingerprints to authenticate the *N* data blocks of the original content when the composing Merkle trees have a small height *h*. A CHT(*α*, *h*) is a composite hash tree built from smaller Merkle trees of height *h* (MT(*h*)) whose root hash values are aggregated in blocks of *α* elements. Fig. 4 illustrates an example of CHT(2, 1), i.e., internal hash trees of height *h* = 1 and intermediate RH aggregation in blocks of two (*α* = 2). In this example, a file is divided into eight data blocks (*D*<sub>0</sub> to *D*<sub>7</sub>) and an intermediate hash tree of height *h* = 1 is constructed using the cryptographic hashes of the data blocks as input (*H*<sub>0</sub> and *H*<sub>1</sub>), resulting in an intermediate *Root Hash* (*H*<sub>01</sub>). This intermediate RH is the verification information for the data blocks *D*<sub>0</sub> and *D*<sub>1</sub>, and it is later aggregated into an *Authentication Data Block*. The CHT has two configuration parameters: the aggregation index (*α*) and the internal hash tree height (*h*). The *α* parameter defines how many intermediate RH values are aggregated into one Authentication Data Block, and *h* defines the height of the internal hash trees used in the composition. These two parameters allow the tree behaviour to be tuned, for instance the initial verification ordering and the verification overhead, according to the application requirements. Higher *h* values give a shallower authentication hierarchy, meaning that data and authentication blocks have low interdependency, at the cost of a higher authentication overhead per data block. Conversely, small *h* values result in low authentication overhead but longer authentication hierarchies (thus higher dependency between data and authentication blocks). In the example of Fig. 4, the intermediate RH values of the first level (*H*<sub>01</sub> and *H*<sub>23</sub>) are aggregated in blocks of two (*α* = 2), resulting in the *Authentication Data Blocks* *H*<sub>01</sub>||*H*<sub>23</sub> and *H*<sub>45</sub>||*H*<sub>67</sub>, where || denotes concatenation. In the second level, the *Authentication Data Blocks* are treated as input data blocks: the CHT hashes the ADs, resulting in the values *H*<sub>03</sub> and *H*<sub>47</sub>, and another intermediate hash tree of height *h* = 1 is constructed over these two values, resulting in the *Composite Root Hash* that is used in the verification procedure. For larger files, this procedure is applied recursively until the *Composite Root Hash* is reached.

In order to provide data verification, each data chunk carries a list of hash values, its AP, used to verify it against the CH. The AP for each data block consists of the sibling hash values in its hash tree; for instance, in the example of Fig. 4, the AP for *D*<sub>0</sub> is *H*<sub>1</sub>, since
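As an added worked example (not code from the chapter or the authors' prototype), the following Python program builds a CHT(*α*, *h*) over a set of constructed data blocks, including the Fig. 4 configuration CHT(2, 1) over eight blocks, and verifies a single block against the Composite Root Hash. The verification chain it implements (block AP → intermediate RH, which must appear in its Authentication Data Block; hash of the AD → next level, up to the CH) is this example's reading of the construction described above. SHA-256 as the hash function, the requirement that each level's unit count be a multiple of 2<sup>*h*</sup> and of *α*, and the treatment of a single remaining AD as the top level are assumptions of this example, not statements of the chapter.

```python
import hashlib

HASH_LEN = 32  # SHA-256 output size (assumed); an AD is alpha such values concatenated


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def mt_levels(hashes):
    """Balanced Merkle tree over a power-of-two list of leaf hashes: all levels, leaves first."""
    levels = [list(hashes)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def mt_ap(levels, pos):
    """Authentication path of leaf `pos`: the sibling at every level below the root."""
    ap = []
    for level in levels[:-1]:
        ap.append(level[pos ^ 1])
        pos //= 2
    return ap


def mt_fold(digest, pos, ap):
    """Recompute a root from a leaf hash and its AP (left/right chosen by parity of pos)."""
    for sib in ap:
        digest = H(digest + sib) if pos % 2 == 0 else H(sib + digest)
        pos //= 2
    return digest


def cht_build(blocks, alpha, h):
    """Build CHT(alpha, h). Level-1 units are the data blocks; the units of level k+1 are
    the Authentication Data Blocks (concatenated intermediate RHs) of level k.
    Returns the Composite Root Hash and the per-level structures used to build proofs."""
    size = 2 ** h
    units, levels = list(blocks), []
    while True:
        hashes = [H(u) for u in units]
        if len(hashes) in (1, size):                  # top level: one single tree -> CH
            top = mt_levels(hashes)
            levels.append({"trees": [top], "ads": None})
            return top[-1][0], levels
        if len(hashes) % size or (len(hashes) // size) % alpha:
            raise ValueError("unit count must be a multiple of 2^h and the tree count of alpha")
        trees = [mt_levels(hashes[i:i + size]) for i in range(0, len(hashes), size)]
        rhs = [t[-1][0] for t in trees]                # intermediate root hashes
        ads = [b"".join(rhs[i:i + alpha]) for i in range(0, len(rhs), alpha)]
        levels.append({"trees": trees, "ads": ads})
        units = ads


def cht_proof(levels, index, alpha, h):
    """What a receiver needs for block `index`: per level (position in its tree, AP,
    the AD carrying that tree's RH, slot of the RH inside the AD); the top step has no AD."""
    size, steps, u = 2 ** h, [], index
    for lv in levels:
        if lv["ads"] is None:
            steps.append((u, mt_ap(lv["trees"][0], u), None, None))
            return steps
        t, pos = divmod(u, size)
        steps.append((pos, mt_ap(lv["trees"][t], pos), lv["ads"][t // alpha], t % alpha))
        u = t // alpha                                  # index of that AD at the next level
    return steps


def cht_verify(ch: bytes, block: bytes, steps) -> bool:
    """Receiver side: climb from the block to the CH, checking each intermediate RH
    against the AD that carries it before trusting the AD's hash at the next level."""
    digest = H(block)
    for pos, ap, ad, slot in steps:
        rh = mt_fold(digest, pos, ap)
        if ad is None:
            return rh == ch                             # top-level tree must reach the CH
        if ad[slot * HASH_LEN:(slot + 1) * HASH_LEN] != rh:
            return False                                # RH is not vouched for by the AD
        digest = H(ad)
    return False


if __name__ == "__main__":
    data = [(b"D%d" % i) * 16 for i in range(8)]      # constructed: Fig. 4's D0..D7
    ch, levels = cht_build(data, alpha=2, h=1)
    steps = cht_proof(levels, 0, alpha=2, h=1)
    print("AP hashes per block:", len(steps[0][1]), "verify D0:", cht_verify(ch, data[0], steps))
```

With CHT(2, 1) each block carries one AP hash instead of the log<sub>2</sub> 8 = 3 a plain Merkle tree would need; the price is that a block can only be accepted once the AD holding its intermediate RH has itself been authenticated up to the CH, which is the dependency between data and authentication blocks that the *h* parameter trades off.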

#### **Algorithm 2** SHT authentication path generation

```
Input: File, num_balanced_leaves, H
Output: Data blocks with Authentication Paths
leaf = 0, skewed_count = 0
while leaf < 2^H − 1 do
  if skewed_count < num_balanced_leaves then
     data0 = read_block(); data1 = read_block()
     Output data0, hash(data1), AP; Output data1, hash(data0), AP
     skewed_count = skewed_count + 1
  else
     data = read_block()
     Output data, AP
  end if
  for h = 0 to H do
     if (leaf + 1) mod 2^h == 0 then
       AP[h] = Stack[h]
       startnode = (leaf + 1 + 2^h) XOR 2^h
       Stack[h] = skewed_tree_hash(startnode, h)
     end if
  end for
  leaf = leaf + 1
end while
```
**Algorithm 3** SHT verification

```
Input: Root Hash, block index, data block, AP
Output: True or False
pos = index
digest = hash(data_block)
for each AP_i value in AP do
  if (pos % 2 == 0) then
     digest = hash(digest || AP_i)
  else
     digest = hash(AP_i || digest)
  end if
  pos = ⌊pos/2⌋
end for
if (digest == Root Hash) then
  Return True
else
  Return False
end if
```
the root hash was previously transferred to the receiver in a secure way, for example, using the security plane model. The algorithm starts reading the data block's AP and appends each hash value in the correct side to reach the root hash.
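A runnable version of the verification procedure of Algorithm 3, added here as an illustration; it is not code from the chapter or from the skewed hash tree implementation it describes. It assumes SHA-256 as the hash function and a balanced tree over a power-of-two number of blocks (the skewed-tree generation of Algorithm 2 is not reproduced), so every authentication path has exactly *H* values. Besides accepting every genuine block, it shows the two failure modes a receiver must reject: a modified block, and an authentication path applied at the wrong block index, which swaps the concatenation order and therefore reaches a different root.

```python
import hashlib


def H(data: bytes) -> bytes:
    """Hash for leaves and internal nodes; SHA-256 is an assumption, the chapter fixes no function."""
    return hashlib.sha256(data).digest()


def build_levels(blocks):
    """Balanced binary hash tree over 2^H blocks. levels[0] holds the leaf hashes,
    levels[-1] holds the single root hash."""
    level = [H(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def auth_path(levels, index):
    """Authentication Path of leaf `index`: the sibling hash at every height, leaf level first."""
    ap, pos = [], index
    for level in levels[:-1]:
        ap.append(level[pos ^ 1])      # the sibling sits at the same position with the low bit flipped
        pos //= 2
    return ap


def verify(root_hash, index, data_block, ap):
    """Algorithm 3. `pos` decides on which side the sibling goes at every height and is
    halved after every AP value, not only on the right-child branch."""
    pos, digest = index, H(data_block)
    for sibling in ap:
        if pos % 2 == 0:
            digest = H(digest + sibling)   # we are a left child: hash(digest || AP_i)
        else:
            digest = H(sibling + digest)   # we are a right child: hash(AP_i || digest)
        pos //= 2                          # climb one height
    return digest == root_hash


# Constructed sample content: eight blocks, i.e. a tree of height H = 3, so every AP has 3 values.
BLOCKS = [f"block-{i}".encode() for i in range(8)]
LEVELS = build_levels(BLOCKS)
ROOT_HASH = LEVELS[-1][0]      # in the chapter's setting this value arrives through the security plane


def demo():
    """Every genuine block verifies; a modified block and an AP applied at the wrong index do not."""
    genuine = all(verify(ROOT_HASH, i, BLOCKS[i], auth_path(LEVELS, i)) for i in range(8))
    modified = verify(ROOT_HASH, 3, b"block-3 altered", auth_path(LEVELS, 3))
    wrong_index = verify(ROOT_HASH, 2, BLOCKS[3], auth_path(LEVELS, 3))
    return genuine, modified, wrong_index


if __name__ == "__main__":
    print(demo())
```

The block index is therefore part of what the receiver must obtain together with the root hash: the same hash values folded in the other order prove nothing, which is why Algorithm 3 takes the index as input rather than relying on the AP alone.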

#### **3.3 Composite hash tree**

The Composite Hash Tree (CHT) (Wong et al., 2010a;b) is a data structure created over the set of data blocks belonging to a complete file. The main idea is to create a set of small binary hash trees of fixed height over the data blocks and then recursively construct further binary hash trees over the hash trees of the previous level, until a single hash tree remains at the top level. The motivation for this approach is the high overhead of the Merkle tree, and also of the skewed hash tree, since the latter is largely based on the original Merkle tree algorithms. In these approaches, each data block carries a list of cryptographic hash values (its authentication path) whose length equals the height of the hash tree. Therefore, each authentication path has log<sub>2</sub> *N* values and the total authentication overhead grows as *N* ∗ log<sub>2</sub> *N*, where *N* is the number of blocks. Thus, for large files, this overhead can be considerable, especially in scenarios using devices with low processing power such as mobile phones.

In order to attack the authentication overhead problem, we propose the CHT as an alternative to both Merkle and skewed hash trees for authentication with low overhead. The proposed mechanism also provides signature amortization, allowing one piece of content to be authenticated with one digital signature regardless of the number of data blocks, requiring on average *O*(*N*) fingerprints to authenticate the *N* data blocks that compose the original content when the composing Merkle trees have a small height *h*. A CHT(*α*, *h*) is a composite hash tree using smaller Merkle trees of height *h* (MT(*h*)) whose root hash values are aggregated in blocks of *α* elements. Fig. 4 illustrates an example of CHT(1, 2) using an internal hash tree height *h* = 1 and intermediate RH aggregation of two blocks (*α* = 2). In this example, a file is divided into eight data blocks (*D*0 to *D*7) and an intermediate hash tree of height *h* = 1 is constructed using the cryptographic hashes of the data blocks as input (*H*0 and *H*1), resulting in an intermediate *Root Hash* (*H*01). This intermediate RH is used as the verification information for the data blocks *D*0 and *D*1, and later on it will be aggregated into an *Authentication Data Block*.

The CHT has two configuration parameters: the aggregation index (*α*) and the internal hash tree height (*h*). The *α* parameter defines how many intermediate RH values of the binary hash trees are aggregated together, namely groups of *α* values. The internal hash tree height (*h*) defines the height of the internal hash trees used in the composition. These two parameters allow the tree behavior to be customized, for instance the initial verification ordering and the verification overhead, according to the application requirements. Higher *h* values give a smaller authentication hierarchy, meaning that data and authentication blocks have low interdependency, at the cost of higher authentication overhead per data block. On the other hand, small *h* values result in low authentication overhead but longer data block authentication hierarchies (thus, higher dependency between data and authentication blocks).

In the example of Fig. 4, the intermediate RH values of the first level (*H*01 and *H*23) are aggregated together in blocks of two (*α* = 2), resulting in the *Authentication Data Blocks* with hash values *H*01||*H*23 and *H*45||*H*67, where || denotes concatenation. In the second level, the *Authentication Data Blocks* are treated as input data blocks. Hence, the CHT applies the cryptographic hash over the ADs, resulting in the hash values *H*03 and *H*47, and another intermediate hash tree of height *h* = 1 is constructed over these two data blocks, resulting in the *Composite Root Hash* that will be used in the verification procedure. For larger files, this procedure is applied recursively until the *Composite Root Hash* is reached.

Fig. 4. (a) Composite Hash Tree with internal HT of height *h* = 1 and *α* = 2.

In order to provide data verification, each data chunk carries a list of hash values, the AP, used to verify it against the CH. The AP for each data block consists of the sibling hash values in the hash tree; for instance, in the example of Fig. 4, the AP for *D*0 is *H*1, since this value is the sibling of *H*0. For larger hash trees, the AP is composed of the sibling hash value at each height towards the RH<sup>5</sup>. Therefore, the overhead per data chunk is defined by the height of the internal hash tree. In this approach, the CHT keeps just the one hash value needed to authenticate a target data block, discarding the repeated values of the regular Merkle tree. On the other hand, this mechanism introduces an authentication hierarchy between data and authentication blocks, requiring some blocks to be authenticated prior to the data blocks.

The *α* index reduces the authentication hierarchy needed to authenticate all data blocks in an order of *α* elements. Thus, the index reduces log<sub>*α*</sub> *N* authentication levels, where *N* is the number of partitioned data blocks.

Fig. 5 illustrates an example of the authentication hierarchy using a sliding window for a CHT(*α* = 2, *h* = 1). The figure has two columns: the first indicates the data blocks received on the receiver side and the second shows the window of the next blocks to be downloaded. As authentication blocks arrive, the window of blocks to be downloaded *slides* to the next set of data blocks that can be downloaded with the arrival of the new set of *Root Hashes*. For example, after the receiver authenticates *AD*0, which contains the hash values H01||H23, the user can start downloading data blocks D0, D1, D2 and D3, in any sequence.

The same procedure applies when the *AD* with concatenated hash values H45||H67 is received at the destination, allowing the download and authentication of data blocks D4, D5, D6 and D7 in any sequence.

<sup>5</sup> Recall that the AP length equals the height of the Merkle tree; this is the motivation for using very small Merkle trees.


Fig. 5. Authentication Window for CHT.

#### **CHT overhead complexity**

The CHT overhead has two components: the *Authentication Path* overhead (*O*<sub>AP</sub>) of each data block and the *Authentication Data Block* overhead (*O*<sub>AD</sub>), the latter being the aggregated *Root Hash* values of the intermediate Merkle trees. Thus, the total overhead is:

$$O_T = O_{AP} + O_{AD} \tag{4}$$

*O*<sub>AP</sub> is the sum, over each height, of the number of data blocks at that height multiplied by the size of their AP, which is given by the height of the Merkle tree used in the CHT. From the CHT construction example above (Fig. 4), we can see that the factor 2<sup>*h*</sup>*α* repeats recursively *i* times to create the CHT over the data blocks. Note that the last MT created over the data blocks does not follow this pattern, because these are the data blocks over which the composite hash tree is being built; they add 2<sup>*h*</sup> leaves, so this term is added separately in the formula. Therefore, the *O*<sub>AP</sub> formula is the product of the *i* recursions, the 2<sup>*h*</sup> leaves over the data blocks and the AP length (which is the same as *h*):

$$O_{AP} = \sum_{i=0}^{H'} (2^h \alpha)^i \cdot 2^h \cdot (\text{AP length} = h) \tag{5}$$
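The CHT construction of Fig. 4, the authentication window of Fig. 5 and the overhead count of Eq. (5) carried through in working code, as an added example that is not part of the chapter or of the authors' implementation. It assumes SHA-256, that the number of blocks *N* equals 2<sup>*h*</sup>(2<sup>*h*</sup>*α*)<sup>*k*</sup> for some *k* (the shape Eq. (5) presupposes), and that *H'* in Eq. (5) counts the levels of Authentication Data Blocks. The receiver starts trusting only the Composite Root Hash; an AD is accepted when its AP closes on a trusted RH, and only then do the intermediate RHs it carries unlock their data blocks, which the test checks by verifying D0–D7 after each window. The function names (`build_cht`, `trust_ad`, `verify_block`, `o_ap_formula`) are this example's own.

```python
import hashlib

DIGEST = hashlib.sha256().digest_size   # 32 bytes; SHA-256 is an assumption, the chapter fixes no function


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def mt_levels(leaf_hashes):
    """Merkle tree MT(h) over 2^h leaf hashes; returns every level, leaves first, [root] last."""
    levels = [list(leaf_hashes)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def ap_for(levels, i):
    """AP of leaf i: its sibling at each height, so exactly h values for an MT(h)."""
    return [levels[d][(i >> d) ^ 1] for d in range(len(levels) - 1)]


def mt_verify(root, i, leaf_hash, ap):
    """The Algorithm 3 fold: side chosen by the parity of the position, position halved each step."""
    digest = leaf_hash
    for sibling in ap:
        digest = H(digest + sibling) if i % 2 == 0 else H(sibling + digest)
        i //= 2
    return digest == root


def build_cht(blocks, alpha, h):
    """Builds CHT(alpha, h). Assumes len(blocks) == 2^h * (2^h * alpha)^k for some k >= 0.
    Returns (composite root hash, ad_levels, auths): ad_levels[k] lists the Authentication Data
    Blocks of level k (alpha concatenated intermediate RHs each); auths[0][j] = (RH, index, AP)
    authenticates data block j and auths[k + 1][j] authenticates ad_levels[k][j]."""
    leaves, ad_levels, auths = [H(b) for b in blocks], [], []
    while True:
        group, roots, auth = 2 ** h, [], []
        for start in range(0, len(leaves), group):        # one MT(h) per group of 2^h blocks
            lv = mt_levels(leaves[start:start + group])
            roots.append(lv[-1][0])
            auth += [(lv[-1][0], i, ap_for(lv, i)) for i in range(group)]
        auths.append(auth)
        if len(roots) == 1:                                # one MT left: its RH is the composite root
            return roots[0], ad_levels, auths
        ads = [b"".join(roots[i:i + alpha]) for i in range(0, len(roots), alpha)]
        ad_levels.append(ads)                              # H01||H23, H45||H67, ... in the Fig. 4 example
        leaves = [H(ad) for ad in ads]                     # ADs are the input blocks of the next level


def trust_ad(trusted, ad, rh, i, ap):
    """Receiver: accept an AD only if it hangs from an already trusted RH (initially just the
    composite root, which arrived securely); the RHs it carries then become trusted too."""
    if rh in trusted and mt_verify(rh, i, H(ad), ap):
        trusted.update(ad[j:j + DIGEST] for j in range(0, len(ad), DIGEST))
        return True
    return False


def verify_block(trusted, block, rh, i, ap):
    """A data block is accepted once its intermediate RH is trusted and its AP closes on that RH."""
    return rh in trusted and mt_verify(rh, i, H(block), ap)


def overhead(ad_levels, auths):
    """Hash values actually carried: O_AP (every AP value) and O_AD (every RH inside an AD)."""
    o_ap = sum(len(ap) for level in auths for _, _, ap in level)
    o_ad = sum(len(ad) // DIGEST for level in ad_levels for ad in level)
    return o_ap, o_ad


def o_ap_formula(alpha, h, ad_level_count):
    """Eq. (5) with H' = number of AD levels: sum_{i=0}^{H'} (2^h alpha)^i * 2^h * h."""
    return sum((2 ** h * alpha) ** i * 2 ** h * h for i in range(ad_level_count + 1))


def demo(n=8, alpha=2, h=1):
    """The Fig. 4 / Fig. 5 walk-through: CHT(2, 1) over eight constructed blocks D0..D7."""
    blocks = [f"D{j}".encode() for j in range(n)]              # constructed sample content
    root, ad_levels, auths = build_cht(blocks, alpha, h)
    trusted = {root}                                           # only the composite root is known up front
    # Window 1: AD0 (H01||H23) is authenticated, so D0..D3 verify in any order; D4..D7 do not yet.
    trust_ad(trusted, ad_levels[0][0], *auths[1][0])
    window1 = [verify_block(trusted, blocks[j], *auths[0][j]) for j in range(n)]
    # Window 2: AD1 (H45||H67) arrives and is authenticated; the rest of the file is now checkable.
    trust_ad(trusted, ad_levels[0][1], *auths[1][1])
    window2 = [verify_block(trusted, blocks[j], *auths[0][j]) for j in range(n)]
    tampered = verify_block(trusted, b"D5 altered", *auths[0][5])
    o_ap, o_ad = overhead(ad_levels, auths)
    merkle = n * (n.bit_length() - 1)                          # N * log2 N for a plain Merkle tree
    return window1, window2, tampered, o_ap, o_ad, o_ap_formula(alpha, h, len(ad_levels)), merkle


if __name__ == "__main__":
    print(demo())
```

For CHT(2, 1) over eight blocks the counted *O*<sub>AP</sub> is 10 hash values (8 for the data blocks plus 2 for the two ADs), which matches Eq. (5) with *H'* = 1, and *O*<sub>AD</sub> adds the 4 intermediate RHs carried inside the ADs, against 24 values for a plain Merkle tree; the same code run as `demo(32, 2, 2)` gives 72 against 160, illustrating the ordering cost of the scheme as well: after the first AD only the first 8 of 32 blocks can be checked.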
