Anonymous and Authenticated Routing in Multi-hop Cellular Networks

Transcription

1 Anonymous and Authenticated Routing in Multi-hop Cellular Networks Mohamed Elsalih Mahmoud and Xuemin (Sherman) Shen Department of Electrical and Computer Engineering University of Waterloo, Waterloo, Ontario, Canada, N2L 3G1 Abstract Multi-hop cellular network is a promising architecture aiming to improve the performance of current cellular network. However, there are many security challenges due to the participation of the mobile nodes in the routing process. In this paper, we address two challenges: route anonymity, aiming to prevent attackers from tracking a packet flow to its source or destination; and location privacy, aiming to prevent attackers from detecting the nodes locations. Most of the existing solutions require much computational power and energy. We propose a routing protocol that provides anonymous communication by protecting the user s anonymity and location privacy. The user's anonymity is preserved for a large number of compromised nodes. Simulations results show that the proposed protocol is efficient and can be implemented with an acceptable overhead. Index Terms Anonymous Routing, Privacy, Security, Multihop Cellular Networks. I. INTRODUCTION Multi-hop cellular network (MCN) is a network architecture [1-4], which incorporates the characteristic of the ad hoc and cellular networks, as shown in Fig. (1). Unlike current single hop cellular network, packets are relayed hop by hop from an originator to a destination through the intermediate nodes and base stations (BS), where each mobile node is a potential router that forwards data packets to other peer nodes. The network has a centralized trusted party (TP) to generate the keys to the network entities. Figure (1): Multi-hop cellular network architecture There are many benefits from MCN [5-8]. The power consumption of the mobile devices can be reduced because the signal transmission distances are shorter. The interference between the nodes can be reduced. Since the coverage area of the base station increases, the capacity of the cells can be increased. However, the network suffers from security challenges due to the participation of the mobile devices in the routing process, including the user s privacy violation. Adversaries can trace the network routes and infer the source and destination causing threats against the user s privacy. Attackers can infer the user s location in number of hops, and colluders distributed in different locations can track users. In this paper, we propose a routing protocol that protects the users anonymity and considers the network characteristics such as limited resources and scalability. Our protocol uses dynamic identities to enable the mobile nodes to send their packets anonymously without identifying the sender and receiver, and to authenticate themselves without revealing their real identities. The dynamic identities can be pre-computed, which improves the end to end delay. The proposed protocol uses lightweight cryptographic tools and does not assume a long-term secret key shared between each two nodes. In addition, to establish a route, the protocol requires one broadcast packet with light computation because it is flooded to a large number of nodes. The remainder of the paper is organized as follows. We discuss some related work in section II. The adversary and trust models are shown in section III. In section IV, a new authenticated and anonymous on demand routing protocol is introduced. Performance and anonymity analyses are given in sections V and VI, followed by the conclusion in section VII. II. RELATED WORK The protocols in this section were chosen because they use different techniques, and are adopted by many anonymous routing protocols for MCN. In [9], an anonymous routing protocol called ANODR is proposed. The protocol assumes that each two nodes pre-share a long term key. In route request packet (RREQ), nodes do not know which key is going to be used to open the trapdoor because the identities of the source and destination are hidden for anonymity, so they have to try all the keys. The route establishment phase suffers from high delay due to using public key cryptography and executing much computation. The protocol also suffers from an anonymity problem, i.e., legitimate (or eavesdropping) separate nodes along the route can trace the data packets because their contents do not change from node to node. A cryptographic onion for the data packets can not be made to fix this problem, because the source and destination do not exchange session keys with the intermediate nodes. Therefore, if the attacker eavesdrops on both the sender and receiver, he can know that they are communicating. In addition, each node /09/$ IEEE

2 uses one temporary identity for the whole session, so the attacker can violate the user s privacy during the session, if he could link the real identity to the temporary one. In [10], an anonymous routing protocol called SDAR is proposed. To know that it is the destination, each node tries to open a trapdoor with its private key, which requires much computational power. The expected delay of the route establishment is large since each node performs much computation. The sizes of RREQ and route reply packets (RREP) are large, which requires more energy and bandwidth. The protocol violates the privacy of the network nodes because the destination learns the identities of all the forwarding nodes en route. The location of the destination is also disclosed to the source. In [11], a routing protocol is presented to preserve the communication privacy. The protocol is based on frequently changing the node s pseudonyms and cryptographic keys. The protocol suffers from many limitations. First, loading each node with a set of public/private keys and certificates requires a large storage space that may not be available at limited resources nodes. Second, the keys can also be misused in Sybil attack [12]. Third, key revocation is very difficult due to using a large number of keys in the network. In addition, periodically refilling the keys is much overhead on the network. The nodes also need to re-authenticate themselves periodically and exchange symmetric keys with their neighbors. An anonymity problem is that the distances from the anonymous neighbors to the base station are known. An attacker can use this information to guess the identity of the neighbor. The used pseudonyms generation technique is not efficient or secure. To link pseudonyms with each other, the base station and nodes need to calculate the pseudonyms for all the nodes. The pseudonyms require online generation because they can not be pre-computed, which leads to increasing in the end-end delay. III. PRELIMINARY A. Design Challenges and Goals Location privacy is defined as the ability to prevent other parties from learning one s current and past locations [13], and anonymity is defined as the state of being not identifiable within a set of subjects called the anonymity set [14]. There are several challenges to design protocol that enables the users anonymous and location private communication. One challenge is to achieve identity anonymity which is the property that a packet is not linkable to the real identities of the source, destination and intermediate nodes. Identity anonymity can be achieved by using dynamic identities which are not linkable to the real ones or to each other. Identity anonymity protects the network from traffic analysis attacks. Another challenge is to achieve location anonymity. The location of a node is compromised, if an attacker can infer the distance in terms of number of hops or exact physical location. The protocol should prevent an attacker from inferring the distance to the anonymous source or destination to deprive him from guessing their identities. The source and destination know the identities of each others but not their locations. In order to route the messages, the base stations need to know the real identities and locations of the source and destination. In route anonymity, the protocol should prevent an attacker from inferring the participating nodes in one session. In other words, the transmitted packets from the nodes should not show that they belong to one session, since any unchanged part in the forwarded packets of a session can easily expose the anonymous path. For authenticated routing, before forwarding the packets, the intermediate nodes should be able to ensure that they serve legitimate users. The main challenge in designing the protocol is to consider the network characteristics, especially the nodes limited resources, scalability and distribution in large geographic area. B. Adversary and Trust Model Without loss of generality, we assume the adversary knows all the network protocols and functions but does not know the secret keys. An attacker can eavesdrop to the transmission in its rage, and it can record and re-send the intercepted packets. Attackers can be legitimate users or eavesdroppers. They also can be single nodes or several nodes colluding with each other under one central attacker, but they can not be global attackers or colluding with large number of nodes due to the scalability of the network. The attacker aims to know who is communicating and to whom, and to launch traffic analysis to monitor the traffic activity between the communicating parties. An attacker tries to reveal the identities of the nodes and their locations in number of hops. Colluders may cooperate to infer the anonymous route and thus to detect the communicating parties. Attackers do not aim to disrupt the routing or to launch denial of service attack. They avoid any attack that reveals their actions since they attempt to be invisible. For the trust model, the nodes do not trust each other with their identities and locations or to correctly execute the network functions and protocols. However, they trust the base stations with their identifiers and locations but not with their long term keys because they may belong to foreign networks. C. Notations The used notations in this paper are given in table (1). Symbol Description Shared between Lifetime K i Shared key Node i and TP A long term ID i Unique identity Node i and TP A long term K T (BS) Shared key TP and BS A long term K i (BS) Shared key Node i and BS One authentication ID i (BS) Dynamic identity Node i and BS One message K i (j) Shared key Node i and j One session ID i (j) Dynamic identity Node i and j One message Table (1): Description for the used keys and identities IV. THE PROPOSED PROTOCOL A. Dynamic Identities A node protects its anonymity by using dynamic identities and periodically changing them in such a way that just an intended node can link them to each other or to the real identity. If two nodes (X and Y) share a secret key (K), they

3 can start a series of dynamic identities by keyed hashing to the last used identity, where the first identity is a keyed hash of a public seed value. In order to keep the synchronization between the communicating parties, the identities are used in forward direction. The identities are not linkable to the real identity or to each other without knowing the secret key. Therefore, the identities are authenticated because no one can generate them except the owner of the secret key. They have high anonymity protection level because each identity is used only for one packet. They can not be linked to the real identity or to each other. Low computational power is required because only hash function is used. The additional end to end delay and the storage space are low because they can be precomputed. Resynchronization is easy. For instance, if the expected identity is number (10) but due to nonsynchronization, the identity number (13) is received; in this case the node does not lose synchronization because it compares the received identity with a window of expected ones. After finding identity (13), the window is shifted. The size of the dynamic identity can be reduced by truncating the output of the keyed hash function. Figure (2): Route Establishment Phase B. Proposed Protocol The proposed protocol consists of three phases: in authentication phase, a mobile node authenticates itself to the trusted party to get a membership symmetric key shared with a base station. As shown in Fig. (2), in route establishment phase, a route is established to the destination node, and the base station distributes the session keys for the nodes on the route. The keys are used to start a series of dynamic identities that are used to identify the session and to enable the nodes to authenticate each other. Finally, in the data transfer phase, an onion encryption technique is used to prevent attackers from correlating the relayed messages. B.1 Authentication Phase As shown in Fig. (3), node (i) initiates the authentication process by sending an authentication request packet (AREQ) with the latest dynamic identity shared with the trusted party. With this packet, the node authenticates itself to the trusted party because none can generate it except the owner of the shared key (K i ). The trusted party checks whether the identity is for a registered user. It replies with the node s real identity, the membership key (K i (BS)) shared between the base station and node (i), and a new shared identity ID i (TP). After executing this phase, the node and the base station authenticate each other without revealing the node s secret key. They also share a secret key used in communication and in generating the node s dynamic identities where the seed value is ID i (TP). 1) i BS: <AREQ, ID i (TP), E Ki (ID i (TP),ID i )> 2) BS TP: < AREQ, ID i (TP), E Ki (ID i (TP),ID i )> 3)TP BS:<AREP,ID i (TP),E KT(Bs) [ID i,k i (BS),E Ki (ID i (TP),K i (BS))] > Figure (3) Authentication phase B.2 Route Establishment Phase When a node wants to initiate a communication, a route to the destination node should be established and each two neighbors in the route need to share a secret key. 1) Uplink Route Establishment RREQ Phase As shown in Fig. (4), the communicating source node initiates the session by broadcasting a RREQ packet which contains the latest dynamic identity shared with the base station. With this identity and the encrypted part with E KS(BSs), the node authenticates itself to the base station. In order to bound the propagation area of the request, TTL (time to live) is used. Each intermediate node decrements it, and when it reaches zero the request is no longer forwarded. Moreover, a padding (PD) is added. The length of the padding (PL) and the real identity of the destination node are encrypted. As shown in the figure, each intermediate node adds its dynamic identity and broadcasts the request locally to its neighbors. It also stores in the routing table the dynamic identities for the source node and itself. If it receives a route reply packet with its next dynamic identity, it means that it is chosen a member in the session route. In order to avoid loops in the routes or degrading the network performance, the intermediate nodes discard any further packets with the same request. As the request packet moves towards the base station, it stores the identifiers of the nodes on the route, so when the base station receives the request packet, it determines what nodes were on the route, and then it composes and sends a RREP packet. In order to protect the location anonymity of the source node and to confuse attackers whether the packet is originated or forwarded from the previous node, the values of the padding and the TTL are randomly chosen. We use the techniques in [15] to select the random values of padding and TTL. S *: <RREQ,ID S (BS s ), TTL,E KS(BSs) (PL,ID d,id S (BS s )), PD> A *:<RREQ,ID S (BS s ),TTL-1,E KS(Bss) (PL,ID d,id S (BS s )),PD, ID A (BS s )> B *:<RREQ,ID S (BS s ),TTL-2,E KS(BSs) (PL,ID d,id S (BS s )),PD, ID A (BS s ),ID B (BS s )> BS s : <RREQ,ID S (BS s ), TTL-2, E KS(BSs) (PL,ID d,id S (BS s )),PD, ID A (BS s ),ID B (BS s )> Figure (4): RREQ in the uplink route establishment RREP Phase As shown in Fig. (5), the RREP packet contains one part for

4 each node participating in the session route. Each part contains the latest dynamic identity, and the session key shared with the previous node in the route. The node hashes this key to derive the shared key with the next node. For instance, node A uses K A (B) to communicate with node B, and K A (S)= H KA(BSs) (K A (B)) to communicate with B. By this way, the number of transmitted keys is nearly halved. Padding is added to the part related to the source to protect its location anonymity. After receiving the RREP packet, each intermediate node checks whether it is on the route. Then, it broadcasts the packet after taking off its part. Finally, the base station sends a call request to the destination base station. BS s B: < RREP, ID B (BS s ),E KB(BSs) [ID B (BS s ),K B (BS s )], ID A (BS s ),E KA(BSs) [ID A (BS s ),K A (B)], ID S (BS s ),E KS(BSs) [ID S (BS s ),K S (A), PD]> B A < RREP, A S: < RREP, Figure (5): RREP in the uplink route establishment 2) Downlink Route Establishment ID A (BS s ),E KA(BSs) [ID A (BS s ),K A (B)], ID S (BS s ),E KS(BSs) [ID S (BS s ),K S (A), PD]> ID S (BS s ),E KS(BSs) [ID S (BS s ),K S (A), PD]> After a base station receives a call request, it establishes a route to the destination node by broadcasting a RREQ packet. The destination node replies with RREP with the identities of session nodes. Finally, the base station distributes the keys. RREQ Phase As shown in Fig. (6), the base station broadcasts a RREQ packet containing a new dynamic identity to the destination node and the encryption to both the fresh dynamic identity of the destination node and the real identity of the calling node. After receiving the request, each node adds its identity and rebroadcasts the packet, if it is not the destination and TTL is greater than zero. Each node stores the routing information which contains the dynamic identities for both the previous node and itself. The destination node sends a RREP packet and re-broadcasts the packet after adding its identity to deprive attackers from inferring the destination of the packet. after changing the identity of the next hop. D Y: < RREP, ID Y (BS d ),E KD(BSd) [PL, ID Y (BS d ), ID X (BS d ), PD]> Y X: < RREP, ID X (BS d ), E KD(BSd) [PL, ID Y (BS d ),ID X (BS d ), PD]> X BS d : < RREP, BS d, E KD(BSd) [PL, ID Y (BS d ), ID X (BS d ), PD]> Figure (7): RREP in the downlink route establishment Session Keys Distribution After the base station receives the RREP packet, it knows the identities of the nodes participating in the route. In order to distribute the session keys, it sends the same packet as RREP packet in the uplink route establishment shown in Fig. (5) Uplink S A: < DATA, ID S (A), E KS(BSs) (M, H(M))> A B: < DATA, ID A (B), E KA(BSs) (E KS(BSs) (M, H(M)))> B BS s : <DATA,ID B (C), E KB(BSs) (E KA(BSs) (E KS(BSs) (M, H(M))))> Downlink BS d X: < DATA, ID BSd (X), E KX(BSd) (E KY(BSd) (E KD(BSd) (M,H(M))))> X Y: < DATA, ID X (Y), E KY(BSd) (E KD(BSd) (M,H(M)))> Y D: < DATA, ID Y (D), E KD(BSd) (M, H(M)) > B.3 Data Transfer Phase Figure (8): Data Transfer Phase Onion routing is used to change the content of the message after each hop. As shown in Fig.(8), the source node composes the data packet by encrypting the message and its hash with the shared key with the base station. Then, the node transmits the packet to the next node after adding the shared dynamic identity. Each intermediate node re-encrypts the message with the shared key with the base station and changes the next hop identity. The source base station removes the encryption layers from the packet and sends the message to the destination base station, which encrypts the message with the keys shared with the session nodes and transmits it. Each intermediate node removes one encryption layer and forwards the packet. BS d *: < RREQ, TTL, ID D (BS d ), E KD(BSd) (ID D (BS d ),ID s )> X *: < RREQ, TTL-1, ID D (BS d ), E KD(BSd) (ID D (BS d ),ID s ), ID X (BS d )> Y *: < RREQ, TTL-2, ID D (BS d ), E KD(BSd) (ID D (BS d ),ID s ), ID X (BS d ), ID Y (BS d )> D *: < RREQ, TTL-3, ID D (BS d ), E KD(BSd) (ID D (BS d ),ID s ), ID X (BS d ), ID Y (BS d ), ID D (BS d )> Figure (6): RREQ in the downlink route establishment RREP Phase As shown in Fig. (7), the destination node composes the RREP packet and sends it to the first node in the route. The packet contains the identities of the nodes on the route and padding to protect the location anonymity of the destination node. The intended intermediate node re-transmits the packet V. SECURITY ANALYSIS For the proposed protocol, we have used dynamic identities to preserve the anonymity of the nodes real identities. The used dynamic identities can not be linked to each other without knowing a secret key, and they also can not be linked to the real identity. The used dynamic identities raise the anonymity protection level because they are used for one route and just one session. Each identity is used just for one packet. Therefore, even if attackers could link the identity to a node, they can not violate the node s privacy for a long time. The used dynamic identities achieve conditional anonymity because the base stations can link them to the real ones. For location anonymity, we have used padding and random valued TTL to hide the locations of the anonymous sender and receiver. Therefore, an adversary can not differentiate whether the packet is originated or forwarded from a node. To further

5 improve the location anonymity, each node does not know its anonymous neighbours except for the session time. Although long relations among a node and its neighbours may simplify the protocol, attackers can violate the node's privacy, if they could link the long term temporary identity to the real one. For route anonymity, attackers can not link the identities of the nodes participating in one session. In route establishment phase, a global attacker listening to all the nodes can not infer the chosen nodes in a session due to using fresh dynamic identities in the RREP packets. An attacker can not correlate the session data packets to one session because their contents change after each hop due to using onion encryption and decryption operations. In brief, session data packets do not expose the anonymous path because they completely change from node to node. Each node en route knows just two anonymous neighbours on the session route. If a node is compromised, the adversary can link two dynamic identities together for each route going through this node. If the compromised nodes are not consecutive, then the attacker can detect route segments. However, it is difficult to link them together. Therefore, in order to infer an anonymous route, the attacker has to compromise all the nodes in the route. Eq. (1) is the probability to compromise all the nodes in a route. In other words, it gives the probability to track a packet, assuming the probabilities to compromise a node and to participate in a session are uniform, where (n) is the number of nodes in the base station area, (nc) is the number of compromised nodes, and (x) is the number of nodes in one session. Pr ( nc! )(( n x )! ) = (1) (( nc x )! )( n! ) Figure (9): The probability of tracing packets For ANODR [9], separate malicious legitimate nodes or eavesdroppers can correlate the packets and infer the packet path. Compromising separate nodes is much more likely than compromising consecutive ones. Fig. (9) shows that the probability to trace an anonymous route in our protocol is much less than ANODR. For example, when the session nodes are four, even if an attacker could compromise 50% of the network nodes (which is very difficult in such scalable network), it can track less than 6% of the packets in our protocol and 25% in ANODR. Even if an attacker could compromise the anonymous route, the base station works as a mixer. It is difficult to link the input and output messages to each other. Therefore, severe attack may infer the anonymous route to the base station but not to the destination node. The proposed routing is authenticated in order to enable the network nodes to verify that the received packets come from registered nodes. It also ensures that the network infrastructure can track the actions of the nodes and their misbehaviors. Our protocol is secure against modification, replay, Sybil and traffic analysis attacks. Eavesdropper can not correlate the transmitted packets to a session. It can only know that a packet is transmitted from a certain group of nodes, but it can not know whether it is originated or relayed from the group. In addition, if a node is participating in more than one sessions, eavesdropper can not link the transmitted packets to their sessions. Every time the same source and destination nodes initiate a communication, they send completely different uplink and downlink route request packets. Therefore, even if an attacker eavesdrops on the source and destination, it can not know that they are communicating. The protocol uses ondemand routing which is more secure than source routing because it does not advertise the routes in advance. It just establishes the routes when needed. In authentication phase, a node does not reveal its long term secret key to the base station, that is extremely important when the base station belongs to a foreign network. In addition, although the protocol assumes that the base station knows the real identities of the nodes, it can be modified easily to hide them. However, more overhead is encountered in contacting the trusted party to convert the dynamic identity into real one. VI. PERFORMANCE ANALYSIS The protocol uses lightweight cryptographic tools which are more suitable for resource-limited devices. An efficient technique to generate the dynamic identities is used. It requires a small storage space and computational power. Reducing the computational overhead of the trapdoor and the broadcast packets has a significant positive impact on the protocol performance because they are received by a large number of nodes. Our solution requires one broadcast packet in route request phase and the computational load is just adding the pre-computed identities. In packet transfer phase, we have alleviated the load on the nodes by using onion routing in opposite order, where most of the loads are with the base stations. The number of session keys transmitted from the base station is nearly halved by allowing the nodes to derive the other half locally. In packet transfer phase, the overhead is one dynamic identity instead of the whole route identities. The same protocol without any modifications can be used in bidirectional communication. In order to evaluate the performance of the proposed protocol, we implement it using a laptop computer and a network simulator. The resources of the real mobile node may be less than a laptop but the results can be scaled to give estimation to the expected overhead. According to the recommended key sizes by NIST [16], we consider AES (128 bit key) as a secure symmetric key cryptosystem. We use a

6 well known hash function HMAC/MD5 (128 bits). Without knowing the secret key, the probability to generate a correct hash value is 2 (-128/2) =5.42e-20 by birthday paradox [17], which is negligible. First, we run an experiment to measure the computational overhead of the specified cryptographic tools. Our mobile node is a laptop: 1.6 GHZ Intel CPU, 1 GB Ram and Windows XP operating system. Crypto++5 libraries [18] are used for the cryptographic tools. The resultant computational times are 0.256μs/16bytes for encryption and decryption and 0.272μs/16 bytes for HMAC/MD5, respectively. To measure the expected number of intermediate nodes in one session, we used Matlab to simulate a network size as 500m by 500m and two network densities with 100 and 50 nodes. The coverage area of the base stations and nodes are 150 and 75m, respectively. The results show that the average numbers of intermediate nodes are and at the low and high densities, respectively. Network density High Low Route establishment computational time(μs) Average end-end computational time (μs) Data packets overhead (Bytes) 16 Route establishment Overhead Av. RREQ at the BS (Bytes) Max. broadcast RREQ (TTL=10) 240 Bytes Av. RREP at the BS (Bytes) Av. RREQ at the Destination (Bytes) Max. broadcast RREQ (TTL=10) 224 Bytes Av. RREP at the BS (Bytes) Key distribution As RREP in uplink Table (2): Performance evaluation Uplink Downlink Table (2) summarizes the performance results of the proposed model, which indicates that the expected end to end computational time is acceptable due to using lightweight cryptographic tools and pre-computing dynamic identities. For the uplink RREQ, the measurement is for the maximum packet size at the base station. Each node reduces the packet by 16 bytes. RREP packet is unicast, it is reduced by 48 bytes at each node. The overhead of data packets is just one dynamic identity with 16 bytes. The overhead of the data packets is more effective than that of route establishment because they are sent more frequently. The table shows that the effect of the network density is negligible, and the overall cost of using the protocol is acceptable. VII. CONCLUSION In this paper, we have proposed an anonymous and authenticated on-demand routing protocol for MCNs. The proposed protocol is based on frequently changing lightweight, pre-computed and authenticated dynamic identities to the nodes. The protocol has high anonymity protection level, and it is secure against many attacks. The performance evaluation shows that the overhead is acceptable. In our future work, we will propose a routing protocol for pure ad hoc mode. In addition, we will do more simulations to measure the network performance metrics such as the end to end delay and the throughout. REFERENCES [1] Y.-D. Lin and Y.-C. Hsu, Multihop Cellular: A New Architecture for Wireless Communications. In Proceedings of the 19th Annual Joint Conference of the IEEE Computer and Communications Societies,2000. [2] X. J. Li, B.-C. Seet, P. H. J. Chong, "Multihop cellular networks: Technology and economics", Computer Networks 52 (2008) , [3] N. V. Marathe, U. B. Desai, S. N. Merchant, "Base Station Selection Strategy in Multihop Cellular Networks: A New Approach" IEEE- International Conference on Signal processing, Communications and Networking, pp , Jan 4-6, [4] S. Bah, R. Glitho, R. Dssouli, "SIP Servlets for Service Provisioning in Multihop Cellular Networks: High-Level Architectural Alternatives", IEEE Communications Society, in proceedings of the IEEE CCNC, Pages , [5] M. Kubisch, S. Mengesha, D. Hollos, H. Karl, and A. Wolisz, Applying ad-hoc relaying to improve capacity, energy efficiency, and immission in infrastructure-based WLANs. In Proceedings of Kommunikation in Verteilten Systemen, Leipzig, Germany, [6] R. Schoenen, R. Halfmann, and B. H. Walke, "MAC Performance of a 3GPP-LTE Multihop Cellular Network". In proceeding of IEEE Communications Society, pages , ICC [7] F. Hossain, H. Chowdhury "Impact of Mobile Relays on Throughput and Delays in Multihop Cellular Network". In proceeding of the Fourth International Conference on Wireless and Mobile Communications, IEE computer society, pages , ICWMC [8] R. Schoenen, R. Halfmann and B. Walke, An FDD Multihop Cellular Network for 3GPP-LTE, in Proceedings of the VTC Spring Conference, Singapore, May [9] J. Kong and X. Hong, ANODR: Anonymous on Demand Routing with Untraceable Routes for Mobile Ad-Hoc Networks. In Proceedings of the 4th ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc'03), pp , 2003 [10] A. Boukerche, K. El-Khatib, L. Xu, and L. Korba, SDAR: A Secure Distributed Anonymous Routing Protocol for Wireless and Mobile Ad Hoc Networks. In Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks, pages , [11] S. Capkun, J. Hubaux, and M. Jakobsson, Secure and Privacy Preserving Communication in Hybrid Ad Hoc Networks. Technical Report IC/2004/104, EPFL-DI-ICA, Jan [12] J. Douceur, The Sybil Attack. In Proceedings of First IPTPS, [13] A. R. Beresford and F. Stajano, Location Privacy in Pervasive Computing, IEEE Pervasive Computing, vol. 2(1): pp , [14] A. Pfitzmann and M. Kohntopp, Anonymity, unobservability and pseudonymity - a proposal for terminology. In Designing Privacy Enhancing Technologies: Proceedings of the International Workshop on the Design Issues in Anonymity and Observability, LNCS [15] S. Seys, B. Preneel, ARM: anonymous routing protocol for mobile ad hoc networks, Proceedings of the 20th IEEE International Conference on Advanced Information Networking and Applications Workshops (AINA 2006 Workshops). [16] National Institute of Standards and Technology (NIST), Special Publication , Recommendation for Key Management - Part 1: General (Revised), 142 pages, March [17] A. J. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography. CRC Press, [18] W. Dai, Crypto Benchmarks, cryptopp.com/ benchmarks.html, 2008.