2017 2nd International Conference on Computer, Network Security and Communication Engineering (CNSCE 2017)
ISBN: 978-1-60595-439-4

Distributed Secret Key Management Based on ECC for Ad-hoc Network

Yi-xuan WU, Hua-wei CHEN* and Lei WANG
School of Aeronautics and Astronautics, University of Electronic Science and Technology of China, China
*Corresponding author

Keywords: Distributed secret key, Elliptic curve cryptography, Combined RSA, Ad-hoc.

Abstract. An ad-hoc network has no centralized infrastructure, which makes its security problem tricky. In this paper, we propose a fully distributed secret key management scheme to handle it. The main contribution of this paper is that we combine the combined-RSA threshold scheme with elliptic curve cryptography (ECC) to construct a fully distributed secret key management scheme. Our scheme has several advantages over traditional distributed secret key management: first, we transfer the secret share generation process from the initiator to the nodes that belong to the network, so that ECC parameter generation and secret share generation can be performed in parallel; second, establishing secure communication between nodes is straightforward and efficient; third, the secret share generation process for a new node is non-interactive, and the secret share update process is also non-interactive. Finally, we analyze the security strength of the scheme to show that it can fulfill the security requirements of ad-hoc networks.

Introduction

An ad-hoc network is defined as a set of autonomous devices connected to each other through wireless links without centralized infrastructure. That is to say, some of the nodes in the network play the role of routers and forward packets to their destination [1]. Considering characteristics such as the open environment, the shared wireless medium and the lack of infrastructure [2], providing security services is harder for an ad-hoc network than for a network with infrastructure. At this stage, public key cryptography is an ideal solution to the ad-hoc security problem.
The main content of public key cryptography for ad-hoc networks is secure key management. Evaluating the quality of a key management scheme depends on whether it can provide the functions required in a particular environment, such as the distribution of keys, the reconstruction of keys, and the verification of secret shares. Prior to this, many scholars have proposed key management schemes. There are three general approaches in the literature for solving the key management problem: 1. key management based on ID; 2. key management based on inter-certificate; 3. key management based on public key cryptography. But the majority of schemes cannot fulfill the whole requirement of the ad-hoc network. Ad-hoc networks have many vulnerabilities with respect to key management schemes, such as man-in-the-middle attacks [3], eavesdropping [3] and so on. In order to solve the problem of man-in-the-middle attacks, Hölbl et al. came up with [4], in which an identity-based authenticated scheme is used to handle it; but Nose proved in [5] that Hölbl's scheme could not withstand man-in-the-middle attacks. As for the eavesdropping problem, Harn et al. present a threshold scheme in [6] which mentions that the secret share should be transmitted secretly, but does not show how to transmit it. In addition to the security problem, there is another problem in ad-hoc networks. Most key management schemes need an initiator to generate the essential system parameters. If there are many parameters to be generated, it takes a long time to initialize the system. Gharib put forward [7], whose initialization phase needs to generate parameters for each node in the network. If there are n nodes in the network, the initiator needs to generate 2n parameters in total. Besides, the initiator needs to transmit these parameters secretly. This process takes some time. Therefore, we propose a key management scheme to solve the weaknesses mentioned above. The main contribution of our paper is that we come up with a novel fully distributed secret key management scheme based on ECC.
The detailed contributions of our paper are as follows: 1) exploit the nodes to generate the secret shares rather than the initiator; 2) construct a secure communication method between nodes; 3) simplify the join/leave process of nodes using the combined RSA scheme; 4) analyze the security of our scheme. The rest of the paper is organized as follows. Preliminaries are introduced in Section 2. We present our scheme in Section 3. Section 4 shows the security analysis of our scheme. We conclude our work in Section 5.

Preliminaries

In this section, we show the basic background used in our scheme, including ECC [10], RSA and combined RSA [11].

Elliptic Curve Cryptography

The equation of an elliptic curve over a prime field $F_p$ is Eq. (1), where $4a^3 + 27b^2 \not\equiv 0 \pmod p$, $a, b \in F_p$ and $p$ is a large prime number. We have a base point $B$ with order $q$. Choose a private key $x$ and calculate the public key $y$, where $y = xB$. Given $y$ and $B$, $x$ cannot be calculated in polynomial time.

$$y^2 \equiv x^3 + ax + b \pmod p \quad (1)$$

RSA

RSA is a public key encryption algorithm proposed by Rivest et al. In their scheme, they choose two large prime numbers $p, q$, then compute $n = pq$. Let $\phi(n) = \mathrm{lcm}(p-1, q-1)$. Select an integer $e$ from $(1, \phi(n))$ as the public key. Calculate $d$ as the private key according to Eq. (2) using the extended Euclidean algorithm. Given $e$ and $n$, $d$ cannot be calculated in polynomial time.

$$ed \equiv 1 \pmod{\phi(n)} \quad (2)$$

Combined RSA Threshold Scheme

This scheme was proposed by Zhang et al. Given several RSA instances, we can use them to construct a $(t, n)$ threshold scheme [12]. Let $\lambda_i = \mathrm{lcm}(p_i - 1, q_i - 1)$. $[N]$ denotes the set $\{1, 2, \ldots, N\}$. If $\phi = \{l_1, l_2, \ldots, l_u\} \subseteq [N]$, then $\lambda_\phi = \mathrm{lcm}\{\lambda_{l_1}, \lambda_{l_2}, \ldots, \lambda_{l_u}\}$. $e$ is an integer relatively prime to $\lambda_{[N]}$. Given $\lambda_\phi$ and $e$, we can calculate $d_\phi$ according to Eq. (2) using the extended Euclidean algorithm.

Encryption Phase. Given a message $m$, use Eq. (3) to encrypt $m$, where $m \in (0, M^{2k})$ and $M$ denotes a large prime.

$$c = m^e \bmod n_{[N]} \quad (3)$$

Decryption Phase. Given a ciphertext $c$, it can be decrypted if and only if $u \geq k$, as follows, where $\phi \subseteq [N]$ and $|\phi| = k$:
1) Calculate $d_\phi$ according to Eq. (2) using the extended Euclidean algorithm.
2) Calculate $m$ using Eq. (4).

$$m = c^{d_\phi} \bmod n_\phi \quad (4)$$

Proposed Scheme

Assumptions

We assume there are n nodes in the ad-hoc network and there is no trust relationship between nodes before communication. There is also a signature collector in the network, whose responsibility is to gather secret shares from nodes and sign messages, but which does not store the master secret key in its memory. Besides, it keeps a list of the nodes that are new to the network. All nodes are in an open environment and nodes can join/leave the network freely. The number of neighbors of a node is greater than t. All nodes have the ability to generate two large prime numbers and store their product. There is a system initiator in the network whose responsibility is to generate the necessary system parameters; after generating them, it leaves the network. We also assume there are always adversary nodes in the network. An adversary node can intercept any information in the network. In a certain period, we allow t-1 compromised nodes in our network under the condition t > n/2 [13]. Table 1 presents some necessary annotations.

Table 1. Necessary annotations.
  p, q        large prime numbers
  E(F_p)      elliptic curve constructed on the domain F_p
  B           base point of the elliptic curve
  (x, y)      elliptic curve private and public key
  key(i, j)   communication key between node i and node j
  m           message
  c           ciphertext

Initialization Phase

In this part, we introduce the initialization phase, which contains four sub-phases. The details of the phases are as follows.

Initiator. The initiator generates a large prime number $p$ and constructs an elliptic curve $E(F_p)$ over $F_p$ using Eq. (1) which satisfies $4a^3 + 27b^2 \not\equiv 0 \pmod p$, where $a, b \in F_p$. It chooses a base point $B$ with order $q$, where $q$ is also a prime number and $q \mid \#E(F_p)$, then generates the private key $x$ and calculates the public key $y$, where $y = xB$. Furthermore, the initiator needs to choose a collision-free hash function $h$, such as SHA-3 [15]. At last it chooses an integer $e$ and publishes $y, e, B, q, h$.

Node Initialization. While the initiator generates the system parameters, each node also generates its secret share. Each node $i$ chooses $p_i, q_i$ from $(M, 2M)$ such that $\gcd(e, \lambda_i) = 1$, where $M$ is a large prime number and $\lambda_i = \mathrm{lcm}(p_i - 1, q_i - 1)$. It calculates $n_i$ using Eq. (5), then chooses a secret value $a_i$, where $a_i \in Z_q$. It computes its communication secret key and public key using Eq. (6) and Eq. (7), then publishes $y_i, n_i$. At the same time each node collects the $y_j$ and $n_j$ that come from the other nodes.

$$n_i = p_i q_i \quad (5)$$
$$x_i = \lambda_i + a_i \bmod q \quad (6)$$
$$y_i = x_i B \quad (7)$$

Threshold Construct.
After the nodes in the network finish generating their secret shares, the initiator encrypts the master secret key $x$ using Eq. (3). Hence, we can construct a $(t, n)$ threshold scheme. One can decrypt $c$, i.e. recover the master secret key $x$, using Eq. (4) if and only if he obtains $t$ or more different secret shares.

Node Communication. If node $i$ decides to communicate with node $j$, it sends its public number $n_i$ to node $j$. So node $j$ knows which node needs to communicate with it; node $j$ then finds the public communication key of node $i$ and calculates the communication key using Eq. (8). Eq. (9) and Eq. (10) show how to send a message securely. Figure 1 presents the details of encryption and decryption.

$$key(i, j) = h(y_j x_i) = h(x_j B x_i) = h(x_j y_i) = key(j, i) \quad (8)$$
$$c = m + h(x_i y_j) \quad (9)$$
$$m = c - h(x_j y_i) = c - h(y_j x_i) = m + h(x_i y_j) - h(y_j x_i) = m \quad (10)$$
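The combined-RSA threshold of Eqs. (3) and (4) and the threshold construct above, as an added Python example that is not from the paper: a master secret is encrypted under the product of every node's modulus, and any k shares recover it while k-1 shares do not. It assumes that n_[N] and n_φ are the products of the moduli in [N] and φ; the primes, M and the master secret are constructed toy values.

```python
from functools import reduce
from math import gcd, lcm, prod

# Constructed toy parameters (not the paper's): every node draws its primes from
# (M, 2M) so that any k moduli multiply to more than M^(2k), the plaintext bound.
M = 101
NODE_PRIMES = [(103, 107), (109, 113), (127, 131), (137, 139), (149, 151)]
E = 65537  # public exponent e; must be coprime to every lambda_i

def node_share(p, q, e=E):
    """Node secret share (lambda_i, n_i), Eq. (5); enforces the paper's constraints."""
    lam = lcm(p - 1, q - 1)
    if not (M < p < 2 * M and M < q < 2 * M) or gcd(e, lam) != 1:
        raise ValueError("primes must lie in (M, 2M) with gcd(e, lambda_i) = 1")
    return lam, p * q

def message_bound(k):
    """Plaintexts must satisfy 0 < m < M^(2k) for a k-of-N threshold."""
    return M ** (2 * k)

def encrypt(m, shares, e=E):
    """Eq. (3): c = m^e mod n_[N], n_[N] being the product of all moduli."""
    return pow(m, e, prod(n for _, n in shares))

def decrypt(c, subset, e=E):
    """Eq. (2) gives d_phi = e^-1 mod lambda_phi; Eq. (4) gives m = c^d_phi mod n_phi."""
    lam_phi = reduce(lcm, (lam for lam, _ in subset))
    n_phi = prod(n for _, n in subset)
    return pow(c, pow(e, -1, lam_phi), n_phi)

def demo(k=2, master_secret=20170137):
    """Encrypt a master secret and recover it with k shares; k-1 shares fail."""
    shares = [node_share(p, q) for p, q in NODE_PRIMES]
    assert 0 < master_secret < message_bound(k)
    c = encrypt(master_secret, shares)
    from_first = decrypt(c, shares[:k])        # any k shares work ...
    from_last = decrypt(c, shares[-k:])        # ... regardless of which ones
    too_few = decrypt(c, shares[:k - 1])       # modulus too small: wrong value
    return from_first, from_last, too_few

if __name__ == "__main__":
    print(demo())  # (20170137, 20170137, 1707)
```

With only k-1 shares the result is the secret reduced modulo the smaller product, which is why the plaintext bound M^(2k) matters.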
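Node Communication above (Eqs. (6) to (10)), as an added Python example that is not from the paper: both nodes derive the same key(i, j) from their own x and the peer's y, and the additive mask of Eq. (9)/(10) is applied and removed. It assumes a constructed toy curve over F_97 with base point (3, 6) of order q = 5, SHA3-256 as h applied to the point's coordinates, and that x_i ≡ 0 (mod q) is rejected, since y_i would then be the point at infinity.

```python
import hashlib
from math import lcm

# Constructed toy curve y^2 = x^3 + 2x + 3 over F_97 (not the paper's parameters):
# base point B = (3, 6) has prime order q = 5.  A real deployment uses a standard
# curve; the group law below is the textbook chord-and-tangent rule.
P, A = 97, 2
B, Q = (3, 6), 5
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine point addition on the toy curve, including the identity cases."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def node_keys(p_i, q_i, a_i):
    """Eq. (6) and (7): x_i = lambda_i + a_i mod q, y_i = x_i B; x_i = 0 is rejected."""
    x_i = (lcm(p_i - 1, q_i - 1) + a_i) % Q
    if x_i == 0:
        raise ValueError("x_i = 0 makes y_i the point at infinity; pick another a_i")
    return x_i, ec_mul(x_i, B)

def comm_key(x_own, y_peer):
    """Eq. (8): key(i, j) = h(x_i * y_j), h taken as SHA3-256 over the coordinates."""
    pt = ec_mul(x_own, y_peer)
    digest = hashlib.sha3_256(f"{pt[0]},{pt[1]}".encode()).digest()
    return int.from_bytes(digest, "big")

def encrypt(m, key): return m + key   # Eq. (9): additive mask
def decrypt(c, key): return c - key   # Eq. (10): remove the mask
```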
Figure 1. Node communication phase

Message Signature Phase

For some special messages, the network needs to sign them so that anyone can verify the correctness of the message. According to what we discussed above, the signature collector has to gather t or more different secret shares to sign a message. Hence, the signature process has the following steps:
1) The signature collector collects $t$ different shares $(\lambda_i, n_i)$ which are not in the newly added nodes list.
2) It first computes $d_\phi$ using the extended Euclidean algorithm, then computes the master secret key $d$ using Eq. (4).
3) It chooses an integer $k$, where $0 < k < q$, and computes $R$ using Eq. (11).
4) Let $r = x_R$, where $x_R$ denotes the x-coordinate of $R$.
5) Given a message $m$, calculate $s$ using Eq. (12). The signature is $(r, s)$.
Through the above steps we complete the signature of the message. Signature verification has the following steps:
1) Calculate the auxiliary value $w$ using Eq. (13).
2) Calculate the auxiliary value $u_1$ using Eq. (14).
3) Calculate the auxiliary value $u_2$ using Eq. (15).
4) Compute $P$ using Eq. (16).
5) Check whether $x_P \equiv r \pmod q$. If $x_P$ and $r$ are equal, the signature is valid; otherwise it is invalid [15].
After finishing the message signature phase, the signature collector drops the master secret key $d$ and recalculates $c$ using Eq. (3), where $[N]$ now includes the former nodes and the newly added nodes. Then it resets the newly added nodes list.

$$R = ky \quad (11)$$
$$s \equiv (h(m) + dr)\,k^{-1} \pmod q \quad (12)$$
$$w \equiv s^{-1} \pmod q \quad (13)$$
$$u_1 \equiv w\,h(m) \pmod q \quad (14)$$
$$u_2 \equiv w\,r \pmod q \quad (15)$$
$$P = u_1 y + u_2 B \quad (16)$$

Node Join/Leave Phase

If a new node requests to join the network, it needs to get $p, e, B, q, n$. These parameters are stored in each node of the network. Therefore, the node join phase has the following steps:
1) The new node generates its own secret share by generating three numbers $p_{new}, q_{new}, a_{new}$ satisfying $\gcd(e, \lambda_{new}) = 1$, where $p_{new}$ and $q_{new}$ are large prime numbers and $\lambda_{new} = \mathrm{lcm}(p_{new} - 1, q_{new} - 1)$. Besides, $a_{new}$ is an integer.
2) The new node calculates $n_{new} = p_{new} q_{new}$, $x_{new}$ and $y_{new}$ using Eq. (6) and Eq. (7), then publishes $n_{new}, y_{new}$.
3) At the same time, the signature collector adds $n_{new}$ to its newly added nodes list.
This is the whole process of joining a node to the network. A node that leaves the network just needs to broadcast a leaving request and $n_{leave}$; any node that receives $n_{leave}$ drops it from its node list.

Secret Share Update Phase

In our scheme, the secret share update process is easy to implement. Within a period of time, the secret share is constant. After that period, the secret share needs to be updated, so the updating node regenerates two large primes as in the node initialization phase discussed above. When the update process is finished, it republishes its $n_r, y_r$.

Security Analysis

In this section, we analyze the security of our proposed scheme. The security of a key management scheme can be evaluated by the security services that the scheme provides. Our scheme provides the majority of services, including key confidentiality, backward and forward secrecy, resistance against compromise, fully distributed keys and node authentication. Key confidentiality [16] means that in an open environment the adversary cannot learn any key information. In our scheme, the generation of a new node's secret share is non-interactive, which means no secret key information is leaked during transmission. Besides, our scheme is built on ECC, based on the discrete logarithm problem, and RSA, based on the factorization of large numbers. Both are hard problems, i.e. there is no algorithm that can find the private key in polynomial time. As for backward and forward secrecy [16], both focus on preventing the adversary from deriving new keys from old keys. In our scheme, the nodes' communication keys are independent. Besides, a new node constructs its communication key independently. Even if the adversary knows one key or a subset of keys, it cannot get the other keys. So our scheme provides backward and forward secrecy.
Resistance against compromising the nodes [16] is the capability of the scheme to defend against or tolerate attacks. Our scheme distributes the key among all nodes, which solves the single point of failure problem. Our scheme is fully secure unless the adversary compromises t or more nodes, because in a (t, n) threshold, anyone who wants to get the private key or secret has to collect t or more different shares. Therefore, our scheme is resistant against compromising nodes under the premise of $t \geq n/2 + 1$. If there is a trusted center, then the adversary is able to corrupt it, so if the trusted center is compromised, the whole network is compromised. There is no trusted center in our scheme, because our scheme is fully distributed; it thus avoids the problem discussed above. Another important service is secure communication between nodes. In our scheme, each node publishes its public communication key and public number n. When a node receives a public number n, it checks whether it is legal. If it is legal, it authenticates the sender; otherwise it ignores it. Our scheme also prevents the adversary from forging the communication key. Therefore, our scheme can deal with key authentication.

Summary

In this paper, we proposed a fully distributed secret key management scheme using ECC and the combined RSA threshold. Our scheme is designed to be used in ad-hoc networks. We introduced the basic background of our scheme, then showed our scheme in detail. At last we analyzed the security of our scheme. There are three main contributions in our scheme: 1) utilize the nodes to generate the secret shares rather than the initiator; 2) build a secure communication method between nodes; 3) simplify the join/leave process of nodes using the combined RSA scheme. Next we will focus on applying this scheme to computing equipment with limited resources.
References
[1] Jyoti N S. Comparative Study of Adhoc Routing Protocol AODV, DSR and DSDV in Mobile Adhoc NETwork[J]. International Journal of Applied Engineering Research, 2011, 7(11): 2012.
[2] Hoebeke J, Moerman I, Dhoedt B, et al. An overview of mobile ad hoc networks: Applications and challenges[J]. Journal-Communications Network, 2004, 3(3): 60-66.
[3] Goyal P, Batra S, Singh A. A literature review of security attack in mobile ad-hoc networks[J]. International Journal of Computer Applications, 2010, 9(12): 11-15.
[4] Hölbl M, Welzer T. Two improved two-party identity-based authenticated key agreement protocols[J]. Computer Standards & Interfaces, 2009, 31(6): 1056-1060.
[5] Nose P. Security weaknesses of authenticated key agreement protocols[J]. Information Processing Letters, 2011, 111(14): 687-696.
[6] Harn L, Wang F. Threshold Signature Scheme without Using Polynomial Interpolation[J]. IJ Network Security, 2016, 18(4): 710-717.
[7] Gharib M, Moradlou Z, Doostari M A, et al. Fully Distributed ECC-based Key Management for Mobile Ad Hoc Networks[J]. Computer Networks, 2017.
[8] Rivest R L, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems[J]. Communications of the ACM, 1978, 21(2): 120-126.
[9] Diffie W, Hellman M. New directions in cryptography[J]. IEEE Transactions on Information Theory, 1976, 22(6): 644-654.
[10] Koblitz N. Elliptic curve cryptosystems[J]. Mathematics of Computation, 1987, 48(177): 203-209.
[11] Zhang C, Luo Y, Xue G. A new construction of threshold cryptosystems based on RSA[J]. Information Sciences, 2016, 363: 140-153.
[12] Shamir A. How to share a secret[J]. Communications of the ACM, 1979, 22(11): 612-613.
[13] Li L C, Liu R S. Securing cluster-based ad hoc networks with distributed authorities[J]. IEEE Transactions on Wireless Communications, 2010, 9(10): 3072-3081.
[14] Ste B. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions[J]. 2014.
[15] Johnson D, Menezes A, Vanstone S. The elliptic curve digital signature algorithm (ECDSA)[J]. International Journal of Information Security, 2001, 1(1): 36-63.
[16] Merwe J V D, Dawoud D, McDonald S. A survey on peer-to-peer key management for mobile ad hoc networks[J]. ACM Computing Surveys (CSUR), 2007, 39(1): 1.