Peace

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 21, NO. 2, FEBRUARY 2010 203

PEACE: A Novel Privacy-Enhanced Yet
Accountable Security Framework for
Metropolitan Wireless Mesh Networks
Kui Ren, Member, IEEE, Shucheng Yu, Student Member, IEEE,
Wenjing Lou, Senior Member, IEEE, and Yanchao Zhang, Member, IEEE

Abstract—Recently, multihop wireless mesh networks (WMNs) have attracted increasing attention and deployment as a low-cost
approach to provide broadband Internet access at metropolitan scale. Security and privacy issues are of most concern in pushing the
success of WMNs for their wide deployment and for supporting service-oriented applications. Despite the necessity, limited security
research has been conducted toward privacy preservation in WMNs. This motivates us to develop PEACE, a novel Privacy-Enhanced
yet Accountable seCurity framEwork, tailored for WMNs. On one hand, PEACE enforces strict user access control to cope with both
free riders and malicious users. On the other hand, PEACE offers sophisticated user privacy protection against both adversaries and
various other network entities. PEACE is presented as a suite of authentication and key agreement protocols built upon our proposed
short group signature variation. Our analysis shows that PEACE is resilient to a number of security and privacy related attacks.
Additional techniques were also discussed to further enhance scheme efficiency.

Index Terms—Wireless mesh networks, privacy, authentication, security, anonymous communication.

Ç

1 INTRODUCTION

W IRELESS mesh networks (WMNs) have recently at-
tracted increasing attention and deployment as a
promising low-cost approach to provide last-mile high-
Security and privacy issues are of most concern in
pushing the success of WMNs for their wide deployment
and for supporting service-oriented applications. Due to the
speed Internet access at metropolitan scale [2], [3]. intrinsically open and distributed nature of WMNs, it is
Typically, a WMN is a multihop layered wireless network essential to enforce network access control to cope with
as shown in Fig. 1 [4], [5]. The first layer consists of access both free riders and malicious attackers. Dynamic access to
points, which are high-speed wired Internet entry points. At WMNs should be subject to successful user authentication
the second layer, stationary mesh routers form a multihop based on the properly preestablished trust between users
backbone via long-range high-speed wireless techniques and the network operator; otherwise, network access
such as WiMAX [6]. The wireless backbone connects to should be prohibited. On the other hand, it is also critical
wired access points at some mesh routers through high- to provide adequate provisioning over user privacy as
speed wireless links. The third layer consists of a large WMN communications usually contain a vast amount of
number of mobile network users. These network users sensitive user information. The wireless medium, open
access the network either by a direct wireless link or network architecture, and lack of physical protection over
through a chain of other peer users to a nearby mesh router. mesh routers render WMNs highly vulnerable to various
WMNs represent a unique marriage of the ubiquitous coverage privacy-oriented attacks. These attacks range from passive
of wide area cellular networks with the ease and the speed of local eavesdropping to active message phishing, interception,
area Wi-Fi networks [4]. The advantages of WMNs also and alteration, which could easily lead to the leakage of
include low deployment costs, self-configuration and self- user information. Obviously, the wide deployment of
maintenance, good scalability, high robustness, etc. [2]. WMNs can succeed only after users are assured for their
ability to manage privacy risks and maintain their desired
level of anonymity.
. K. Ren is with the Department of Electrical and Computer Engineering, The necessity of security and privacy in WMNs can be
Illinois Institute of Technology, 3301 Dearborn St, Chicago, IL 60616.
E-mail: kren@ece.iit.edu. well illustrated through the following example. In a metro-
. S. Yu and W. Lou are with the Department of Electrical and Computer scale community mesh network, the citizens access WMNs
Engineering, Worcester Polytechnic Institute, 100 Institute Road, from everywhere within the community such as offices,
Worcester, MA 01609. E-mail: {yscheng, wjlou}@ece.wpi.edu.
. Y. Zhang is with the Department of Electrical and Computer
homes, restaurants, hospitals, hotels, shopping malls, and
Engineering, New Jersey Institute of Technology, University Heights, even vehicles. Through WMNs, they access the public
Newark, NJ 07102. E-mail: yczhang@njit.edu. Internet in different roles and contexts for services like e-
Manuscript received 30 Oct. 2008; revised 26 Feb. 2009; accepted 18 Mar. mails, e-banking, e-commerce, and Web surfing, and also
2009; published online 26 Mar. 2009. interact with their local peers for file sharing, teleconferen-
Recommended for acceptance by P. Mohapatra. cing, online gaming, instant chatting, etc. Integrated with
For information on obtaining reprints of this article, please send e-mail to:
tpds@computer.org, and reference IEEECS Log Number TPDS-2008-10-0399. sensors and cameras, the WMN may also be used to collect
Digital Object Identifier no. 10.1109/TPDS.2009.59. information of interest. In fact, at Boston suburb area, the
1045-9219/10/$26.00 ß 2010 IEEE Published by the IEEE Computer Society
Authorized licensed use limited to: Asha Das. Downloaded on August 05,2010 at 06:22:48 UTC from IEEE Xplore. Restrictions apply.

204 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 21, NO. 2, FEBRUARY 2010

information of the user without disclosing his full identity
information (unless necessary).
To the best of our knowledge, PEACE is the first attempt
to establish an accountable security framework with a
sophisticated privacy protection model tailored for WMNs.
PEACE also lays a solid background for designing other
upper layer security and privacy solutions, e.g., anonymous
communication.
The rest of the paper is organized as follows: Section 2 is
the introduction of the cryptographic knowledge entailed by
PEACE. Section 3 describes the problem formulation. Then,
in Section 4, the details of PEACE are described. We further
analyze in Section 5 the security and privacy properties of
PEACE, as well as its performance. Section 6 is about related
work. Finally, we conclude the paper in Section 7.

Fig. 1. WMN network architecture [4], [5]. 2 THE CRYPTOGRAPHIC BACKGROUND
2.1 Bilinear Groups
City of Malden [7], the police department will use the WMN
We first introduce a few concepts related to bilinear maps
“to stream video footage from local areas directly to the
as they are important to the design of PEACE. Let G 1 ; G 2 be
G G
police station, making it easier for police officers to monitor
multiplicative cyclic groups generated by g1 and g2 ,
and respond to crimes at those locations” [7]. Obviously, all
respectively, whose orders are a prime p, and G T be a
G
these communications contain various kinds of sensitive
cyclic multiplicative group with the same order p. Suppose
user information like personal identities, activities, location
that there is an efficient and computable isomorphism :
information, financial information, transaction profiles,
G 2 ! G 1 such that ðg2 Þ ¼ g1 . Let e : G 1 Â G 2 ! G T be a
G G G G G
social/business connections, and so on. Once disclosed to
bilinear pairing with the following properties [8]:
the attackers, these information could compromise any
user’s privacy, and when further correlated together, can . Bilinearity: eðaP ; bQÞ ¼ eðP ; QÞab for all P 2 G 1 ; G
cause even more devastating consequences. Hence, secur- Q 2 G 2 ; a; b 2 Z p .
G Z
ing user privacy is of paramount practical importance in . Nondegeneracy: eðg1 ; g2 Þ 6¼ 1.
WMNs. Moreover, for both billing purpose and avoiding . Computability: There is an efficient algorithm to
abuse of network resources, it is also essential to prohibit compute eðP ; QÞ for all P 2 G 1 ; Q 2 G 2 .
G G
free riders and let only legitimate residents access WMNs. In this paper, we only use the fact that G 1 ; G 2 can be of size
G G
Despite the necessity and importance, limited research has approximately 2170 , elements in G 1 are 171-bit strings, and
G
been conducted to address privacy-enhanced security me- discrete log in G 1 ; G 2 is as hard as discrete log in Z Ã , where
G G Zq
chanisms in WMNs. This motivates us to propose PEACE, a q is a 1,020-bit prime number.
novel Privacy-Enhanced yet Accountable seCurity framE-
work for WMNs. Our contributions are fourfold as follows: 2.2 Group Signature
Security: It achieves explicit mutual authentication and Group signature schemes are a relatively recent crypto-
key establishment between users and mesh routers and graphic concept introduced by Chaum and van Heyst in
between users themselves. It, thus, prohibits both illegal 1991 [9]. A group signature scheme is a method for allowing
network access from free riders and malicious users and a member of a group to sign a message on behalf of the
phishing attacks due to rogue mesh routers. group. In contrast to ordinary signatures, it provides
Anonymity: It simultaneously enables unilateral anon- anonymity to the signer, i.e., a verifier can only tell that a
ymous authentication between users and mesh routers and member of some group signed. However, in exceptional
bilateral anonymous authentication between any two users. cases, such as a legal dispute, any group signature can be
It, thus, ensures user anonymity and privacy. “opened” by a designated group manager to reveal
Accountability: It enables user accountability, at regulat- unambiguously the identity of the signature’s originator.
ing user behaviors and protecting WMNs from being Some group signature schemes support revocation, where
abused and attacked. Network communications can always group membership can be disabled. One of the most recent
be audited in the cases of disputes and frauds. It further group signature schemes is the one proposed by Boneh and
allows dynamic user revocation so that malicious users can Shacham [8], which has a very short signature size that is
be evicted. comparable to that of an RSA-1024 signature [10]. This
Sophisticated user privacy: It allows users to disclose scheme is based on the following two problems that are
minimum information possible while maintaining account- believed to be hard. Let G 1 ; G 2 ; g1 ; g2 as defined above.
G G
ability. In PEACE, the user identity is a multifaceted
q-Strong Diffie-Hellman problem: The q-SDH problem
information as network users as society members always
interact with WMNs in different roles and contexts. There- in ðG 1 ; G 2 Þ is defined as follows: given a ðq þ 2Þ-tuple
G G
ð
2 Þ ð
q Þ 1=ð
þxÞ
fore, a dispute regarding a given communication session ðg1 ; g2 ; g
; g2 ; . . . ; g2 Þ as input, output a pair ðg1
2 ; xÞ,
should only be attributed according to the role/context where x 2 Z Ã . Zp


REN ET AL.: PEACE: A NOVEL PRIVACY-ENHANCED YET ACCOUNTABLE SECURITY FRAMEWORK FOR METROPOLITAN WIRELESS MESH... 205

Decision linear on G 1 : Given arbitrary generators u; v; h
G legitimate network users, and 3) denial-of-service (DoS)
of G 1 and ua ; vb ; hc 2 G as input, output yes if a þ b ¼ c,
G G1 attacks against service availability.
and no, otherwise. In light of the above threat model, the following security
requirements are essential to ensure that a WMN functions
correctly and securely as purposed.
3 PROBLEM FORMULATION AND THE SCHEME
OVERVIEW . User-router mutual authentication and key agreement: A
3.1 Network Architecture and System Assumptions mesh router and a user should mutually authenti-
cate each other to prevent both unauthorized net-
The three-layer architecture in Fig. 1 considers a metropo-
work access and phishing attacks. The user and the
litan-scale WMN under the control of a network operator
mesh router should also establish a shared pairwise
(NO). The network operator deploys a number of APs and
symmetric key for session authentication and mes-
mesh routers and forms a well-connected WMN that covers
sage encryption.
the whole area of a city and provides network services to
. User-user mutual authentication and key agreement:
network users, i.e., the citizens. Network users, on the other
Users should also authenticate each other before
hand, subscribe to the network operator for the services and
cooperation in regard to message relaying and
utilize their mobile clients to freely access the network from
routing. Moreover, symmetric keys should be estab-
anywhere within the city. The membership of network lished and effectively maintained to provide session
users may be 1) terminated/renewed according to user- authentication and message encryption over the
operator agreement in a periodic manner or 2) dynamically corresponding traffic.
revoked by NO in case of dispute/attack. . Sophisticated user privacy protection: The privacy of
Similar to [4], [11], we assume that the downlink from a users should be well protected, and we differentiate
mesh router to all users within its coverage is one hop. user privacy against different entities such as the
However, the uplink from a user to a mesh router may be adversary, NO, and the law authority, as will be
one or multiple hops. That is, a network user needs to elaborated in the next section.
transmit packets in multiple hops to a mesh router beyond . User accountability: In the cases of attacks and
his direct transmission range. In this case, network users disputes, the responsible users and/or user groups
cooperate with each other on relaying the packets to mesh should be able to be audited and pinpointed. On the
routers. We further assume that all the network traffic has other hand, no innocent users can be framed for
to go through a mesh router except the communication disputes/attacks they are not involved in.
between two direct neighboring users. We assume so as it is . Membership maintenance: The network should be able
expected that communications to and from a mesh router to handle membership dynamics including member-
will constitute the majority of traffic in a WMN [12]. ship revocation, renewing, and addition.
Moreover, this assumption would significantly reduce the . DoS resilience: The WMN should maintain service
routing complexity from the users’ point of view as mesh availability despite of DoS attacks.
routers will take the responsibility.
We assume that NO can always communicate with mesh 3.3 Privacy Model
routers through preestablished secure channels, and so are In a metropolitan WMN, city residents as network users
mesh themselves. The WMN is assumed to be deployed access the WMN for services related to every aspect of their
with redundancy in mind so that revocation of individual personal and professional lives. Inevitably, these network
mesh routers will not affect network connection. We communications will contain a large amount of personal,
assume the existence of an offline trusted third party business, and organization information that are highly
(TTP), which is trusted for not disclosing the information it sensitive and interested by different parties for different
stores. TTP is required only during the system setup. We purposes. The malicious adversaries are interested as they
further assume that there is a secure channel between TTP could gain economic benefits by stealing the identity and
and each network user. other information. In fact, identity theft has been an
infamous type of the Internet crimes. Furthermore, network
3.2 Threat Model and Security Requirements communications accumulated over time and space may
Due to the open medium and spatially distributed nature, intentionally be collected and used for establishing user
WMNs are vulnerable to both passive and active attacks. profiles by certain parties, including NO. These parties are
The passive attacks include eavesdropping, while active not necessarily malicious, but such actions certainly violate
attacks range from message replaying, bogus message user privacy. Obviously, the success deployment of WMNs
injection, phishing, active impersonation to mesh router is subject to users’ assurance of their ability to manage
compromise. Hence, for a practical threat model, we privacy risks and maintain their desired level of anonymity.
consider an adversary that is able to eavesdrop all network The above observation leads to the establishment of a
communications, as well as inject arbitrary bogus messages. practical user privacy model, which provides sophisticated
In addition, the adversary can compromise and control a user privacy management and addresses user accountability
small number of users and mesh routers subject to his simultaneously. We observe that a user usually accesses the
choice; it may also set up rogue mesh routers to phish user WMN in different roles and under different contexts. For
accesses. The purposes of the adversary include 1) illegal example, a user as an engineer may access the WMN in his
and unaccountable network access, 2) the privacy of office as an employee of a company. The same user may also



Our privacy model further considers the extreme cases
such as severe attacks in which the law authority has to track
the particular responsible attacker. For this purpose, we
introduce the concept of user group and try to utilize the
natural society hierarchy among network users. A user group
refers to any society entity, which, through a user group
manager, manages a certain number of network users, i.e., its
staffs and/or employees, and subscribes network services on
Fig. 2. The format of user identity information.
behalf of its users. A user group can be any company,
organization, university, or government agency, etc. A
access the WMN from a university campus as a student, network user, on the other hand, usually belongs to multiple
from a rented apartment as a tenant, and from a golf club as a different user groups according to his roles in the society. In
paid member, and so on. In our privacy model, we, hence, our privacy model, we further require that
refer to the user identity as a user’s collective attribute
information according to his different roles in the society. In 4. only by joint effort from both a user group manager and
the above example, the user identity may include NO can a user’s full identity be disclosed; and neither of
them can do so alone.
{name, ssn, engineer of company X, tenant of apartment Y, Note that the capability of a user group manager itself is
student of university Z, member of golf club V, . . . }. strictly restricted, that is, it has no more ability than an
Informally, we can divide the user identity information ordinary network user. User group managers cannot link any
into two different categories, that is, essential attribute communication session to a specific user by only them selves.
information and nonessential attribute information as shown in In summary, our privacy model is aimed at the following
Fig. 2. The essential attribute information includes all the privacy guarantees under the threat model discussed above.
information that can be used uniquely to identify a specific
user such as user’s name, social security number, driver . Against the adversary, the user group managers, and
license number, passport number, etc. On the other hand, the other entities (except NO and the law authority): At
nonessential attribute information of a user may include his no circumstances, the adversary could tell that two
different social roles as indicated in the above example. We different communication sessions are from the same
note that if essential attribute information of a user is disclosed, network user or link a communication session to a
this user is fully exposed and all his attribute information specific user.
will also be disclosed. On the other hand, disclosing . Against NO: Given any communication session, NO
nonessential attribute information does not lead to the full can only tell which user group the corresponding
exposure of the user’s identity. That is, a user can still user is from, but cannot recover user’s full identity.
maintain a certain level of anonymity, when only his That is, NO can only recover the corresponding
nonessential attribute information is disclosed. It is further nonessential user attribute information for the
observed that the nonessential attribute information of users accountability purpose.
are still sufficient for accountability purpose from NO’s . For the law authority: With the help from both NO
perspective. This is because NO can still enforce network and user group managers, the law authority could link
any communication session to the corresponding
access control and audit network communications as it
network user that is responsible.
makes no difference to NO whether or not a responsible
entity is a person, a company, or an organization, etc. 3.4 Trust and Key Management Model
To protect the user privacy, the user identity information Given the security and privacy requirements discussed
should be well protected from network communications above, PEACE bases its design on the following trust and
against the adversary and even NO. Therefore, it should be key management model. Fig. 3 is the high-level illustration
required that of PEACE trust model, which consists of four kinds of
network entities: the network operator, user group man-
no communication sessions should reveal any user
1. agers, users organized in groups, and a TTP. Each user
identity information except that the user is a legitimate group is a collection of users according to certain aspects of
network user; their nonessential attributes. For instance, a company is a
2. no entity including the adversary and NO could link user group consisting of all its employees, and all the
two different communication sessions to the same tenants of an apartment is another user group maintained
particular user. by the corresponding apartment management office. Each
Furthermore, in the cases of disputes and attacks, user user group has one group manager responsible for adding
privacy should be protected against NO in such a way that and removing users. Before accessing the WMN, each user
has to enroll in at least one user group whose manager,
3. A given communication session under audit by NO can thus, knows both the essential and nonessential attributes of
only be linked according to the attribute information of the the user. In PEACE, users no longer directly register with
user without disclosing his full identity information. That the network operator; instead, each group manager sub-
is, only minimum necessary identity information is scribes to the network operator on behalf of its group
disclosed for the security purpose so that user members. Upon registration from a group manager, the
privacy can be best protected. network operator allocates a set of group secret keys to this



schemes can only provide irrevocable anonymity, while
PEACE demands user accountability, and hence, revocable
anonymity. Existing group signature schemes do provide
revocable anonymity, but cannot support sophisticated user
privacy. This motivates us to tailor a group signature
scheme to meet all the requirements. We, hence, develop a
variation of the short group signature scheme proposed in
[8] by modifying its key generation algorithm for our
purpose. PEACE is then built on this new group signature
variation by further integrating it into the authentication
and key agreement protocol design.

4.1 Scheme Setup: Key Management
The following setup operations are performed in an offline
manner by all the entities in PEACE, namely NO, a TTP, mesh
routers, network users, and user group managers. PEACE
Fig. 3. PEACE trust model. works under bilinear groups ðG 1 ; G 2 Þ with isomorphism
G G
and respective generators g1 and g2 , as in Section 2.1. PEACE
user group. Then, the network operator divides each group also employs hash functions H0 and H, with respective
secret key into two parts, one part sent to the requesting ranges G 2 and Z p . The notation below mainly follows [8].
G2 Z
group manager and the other part to the TTP. To access the NO is responsible for key generation operation. Specifi-
WMN, each user requests one part of the group secret key cally, NO proceeds as follows:
from his group manager and the other part from the TTP to
recover a complete group secret key. The user also needs to 1. Select a generator g2 in G 2 uniformly at random and
G
R
return signed acknowledgments to both the group manager set g1 À ðg2 Þ. Select
À Z Ã and set w ¼ g
.
Zp 2
and the TTP. 2. Select
The above key management scheme is based on the
R
principle of “separation of powers” and possesses a number grpi À ZÃ
Zp
of salient features. First, from network access control point
of view, every legitimate user with a valid group secret key for a registered user group i.
can generate a valid access credential, i.e., the signature of 3. Using
, generate an SDH tuple ðAi;j ; grpi ; xj Þ by
R
the authentication challenge—typically a nonce, upon selecting xj À Z Ã such that
þ grpi þ xj 6¼ 0, and
Zp
1=ð
þgrpi þxj Þ
request. The validity of this access credential can be verified setting Ai;j Àg1 .
by the network operator. Therefore, access security is 4. Repeat Step 3 for a predetermined number of times
guaranteed. Second, PEACE divides user identity informa- that are mutually agreed by NO and the user group
tion and their corresponding secret key information among manager GM i .
three autonomous entities: the network operator, the group 5. Send GM i f½i; jŠ; grpi ; xj j 8jg via a secure channel.
manager, and the TTP. In particular, the network operator 6. Repeat Steps 2, 3, and 4 for every user group.
knows the complete user secret key information, but not the 7. Send TTP: f½i; jŠ; Ai;j È xj j 8i; jg via a secure channel,
mapping of the keys to the essential attributes of the users; where È denotes bitwise exclusive OR operation.1
the group manager or the TTP knows the essential The above operation generates the group public key gpk
attributes of the users, but not the complete secret key and a number of private keys gsk:
information. The system is designed in such a way that
given an access credential submitted by a user, none of the gpk ¼ ðg1 ; g2 ; wÞ;
network operator, the group manager, and the TTP can fgsk½i; jŠ ¼ ðAi;j ; grpi ; xj Þ j8 i; jg:
determine the user’s essential attribute or compromise his
Furthermore, NO obtains a set of revocation tokens, grt,
privacy unless any two of them collude. User privacy is
with grt½i; jŠ ¼ Ai;j and also keeps the mapping between
enhanced in this way. Finally, in case of service disputes or
group id i and grpi for all user groups. Note that
is the
frauds, an authorized entity, such as a law enforcement
system secret only known to NO. For the purpose of
authority, can collect information from the network
nonrepudiation, NO signs on Steps 5 and 7 under a
operator, the user group manager, and the TTP to precisely
standard digital signature scheme, such as ECDSA [13]. In
identify the responsible user and hold him accountable.
PEACE, we assume that ECDSA-160 is used. For the same
Therefore, user accountability can be attained as well.
purpose, GM i and T T P also sign on these messages upon
receipt and send the resulted signature back to NO.
4 PEACE: THE SCHEME Additionally, NO prepares each mesh router MRk a
When designing PEACE, we find that none of the existing public/private key pair, denoted by (RPKk ; RSKk ). Each
privacy-aware crytographic primitives, such as blind mesh router also obtains an accompanied public key
signature, ring signature, and group signature schemes,
1. xj might have a larger bit length as compared to Ai;j , which is a point
suits our purpose given the security and privacy require- on the chosen elliptic curve. In this case, we simply ignore the unnecessary
ments discussed above. Blind signature and ring signature bits of xj .



certificate signed by NO to prove key authenticity. The private keys, which is a subset of grt. Both CRL
signing key pair of NO is denoted by (NPK, NSK). The and URL are signed by NO.
certificate contains the following fields at the minimum: 2. Upon receipt of (M.1), a network user uidj proceeds
as follows:
Certk ¼ fMRk ; RPKk ; ExpT ; SigNSK g;
a. Check the time stamp ts1 to prevent replay
where ExpT is the expiration time and Sig denotes an
attack. Examine Certk to verify public key
ECDSA-160 signature signed on a given message using a authenticity and the certificate expiration time;
private key . examine CRL and see if Certk has been revoked
Before accessing the WMN, a network user has to by applying NPK. Further verify the authenti-
authenticate himself to his belonging user groups.2 From city of SigRSKk by applying RPKk .
each such user group i, a network user uidj is assigned a b. Upon positive check results, uidj believes that
random group private key as follows: MRk is legitimate and does the following:
R
GM i sends uidj ð½i; jŠ; grpi ; xj Þ as well as the related
1. i. Pick two random nonce r; rj Z p , compute
Z
system parameters. grj , and prepare the current time stamp ts2 .
2. GM i requests T T P to send uidj ð½i; jŠ; Ai;j È xj Þ by Further obtain two generators ð^; vÞ in G 2
u ^ G
providing the index ½i; jŠ. from H0 as
3. uidj assembles his group private key as gsk½i; jŠ ¼
ðAi;j ; grpi ; xj Þ. ð^; vÞ
u ^ H0 ðgpk; grj ; grR ; ts2 ; rÞ 2 G 2 ;
G2 ð1Þ
Note that in our setting, and compute their images in G 1 : u G ð^Þ
u
. GM i only keeps the mapping of ðuidj ; ðgrpi ; xj ÞÞ but and v ð^Þ.
v
has no knowledge of the corresponding Ai;j . ii. Compute T1 u and T2 Ai;j v by se-
R
. NO only knows the mapping of ðGM i ; gsk½i; jŠÞ but lecting an exponent Z p . Set
Z ðgrpi þ
has no knowledge regarding to whom gsk½i; jŠ is xj Þ 2 Z p . Pick blinding values r ; rx , and
Z
R
assigned. r Z p.
Z
. T T P has the mapping of ðuidj ; ðAi;j È xj ; grpi ÞÞ as it iii. Compute helper values R1 ; R2 , and R3 :
sends uidj this information through a secure channel R1 ur ; R2 eðT2 ; g2 Þrx Á eðv; wÞÀr Á eðv;
Àr r
between the two upon the request from GM i . But T T P g2 Þ , and R3 T1 x Á uÀr . Compute a chal-
has no knowledge of the corresponding xj or Ai;j . lenge value c 2 Z p using H:
Z
Here, we use uidj the user’s essential attribute information.
c Hðgpk; grj ; grR ; ts2 ; r; T1 ; T2 ; R1 ; R2 ; R3 Þ
For the purpose of nonrepudiation, uidj signs on the messages
it receives from GM i and T T P under ECDSA-160, and sends 2 Z p:
Z
back GM i the corresponding signature.
iv. Compute s ¼ r þ c; sx ¼ rx þ cðgrpi þ
4.2 User-Router Mutual Authentication and Key
xj Þ and s ¼ r þ c 2 Z p . Obtain the group
Z
Agreement
signature on fgrj ; grR ; ts2 g as
To access the WMN, a network user follows the user-router
mutual authentication and key agreement protocol as d
SIGgsk½i;jŠ ðr; T1 ; T2 ; c; s ; sx ; s Þ:
specified below, when a mesh router is within his direct
communication range.3
v. Compute the shared symmetric key with
R MRk :
1. The mesh router MRk first picks a random nonce rR
Z Ã and a random generator g in G 1 and then computes
Zp G
Kk;j ¼ ðgrR Þrj :
grR . MRk further signs on g; grR , and current time
stamp ts1 , using ECDSA-160. MRk then broadcasts
c. Unicast back to MRk
g; grR ; ts1 ; SigRSKk ; Certk ; CRL; URL ðM:1Þ
d
grj ; grR ; ts2 ; SIGgsk½i;jŠ : ðM:2Þ
as part of beacon messages that are periodically
broadcasted to declare service existence. Here,
CRL and URL denote the mesh router certificate 3. Upon receipt of (M.2), MRk carries out the following
revocation list and the user revocation list, respec- to authenticate uidj :
tively. Specifically, URL contains a set of revocation
a. Check grR and ts2 to make sure the freshness
tokens that corresponds to the revoked group
of (M.2).
b. d
Check that SIGgsk½i;jŠ is a valid signature by
2. Such an authentication is based on the preestablished trust relation-
ship between the user and the user group and may be done through in- applying the group public key gpk as follows:
person contact.
3. If direct communication is not possible due to lack of mobility, a user i. Compute u and v using ð1Þ, and their images
^ ^
can increase transmit power to reach the mesh router during this phase.
After this phase, the user should reduce transmit power back to the normal u and v in G 1 : u
G ð^Þ and v
u ð^Þ.
v
level to help increase spatial concurrency and frequency reuse [4]. ii. Retrieve R1 ; R2 , and R3 as:



~
R1 us =T1 ;
c
2.Equation (3) holds when there is an element A of
~
R2 eðT2 ; g2 Þsx Á eðv; wÞÀs Á eðv; g2 ÞÀs URL encoded in ðT1 ; T2 Þ because of the following.
Á ðeðT2 ; wÞ=eðg1 ; g2 ÞÞc ; We know that : G 2 ! G 1 is an isomorphism such
G G
that ðg2 Þ ¼ g1 . According to the definition of isomorph-
~
and R3 s
T1 x Á uÀs . ism, we have ðP QÞ ¼ ðP Þ ðQÞ for any P ; Q 2 G 2 . G
iii. Check that the challenge c is correct: Using this property and mathematical induction, it is
?
easy to know the following fact: For any natural number
~ ~ ~
c ¼ Hðgpk; grj ; grR ; ts2 ; r; T1 ; T2 ; R1 ; R2 ; R3 Þ: m 2 N; ðgm Þ ¼ gm .
2 1
ð2Þ Hence, if a group private key ðAi;j ; grpi ; xj Þ with Ai;j 2
URL signed the group signature . For simplicity, let u ¼ ^
ga and v ¼ gb for some integers a and b.4 On one hand,
2 ^ 2
c. For each revocation token A 2 URL, check
whether A is encoded in ðT1 ; T2 Þ by checking if eðT2 =Ai;j ; uÞ ¼ eðAi;j v =Ai;j ; uÞ ¼ eðv ; uÞ ¼ eðð ð^ÞÞ ; uÞ
^ ^ ^ v ^
? ¼ eðð ðgb ÞÞ ; uÞ ¼ eððgb Þ ; ga Þ ¼ eðg1 ; g2 Þab :
2 ^ 1 2
eðT2 =A; uÞ ¼ eðT1 ; vÞ:
^ ^ ð3Þ
On the other hand,
If no revocation token of URL is encoded in
d
ðT1 ; T2 Þ, then the signer of SIGgsk½i;jŠ has not eðT1 ; vÞ ¼eðu ; vÞÞ ¼ eðð ð^ÞÞ ; vÞ ¼ eðð ðga ÞÞ ; vÞ
^ ^ u ^ 2 ^
been revoked.
If all the above checks succeed, MRk is now ¼ eððga Þ ; gb Þ ¼ eðg1 ; g2 Þab :
1 2
assured that the current user is a legitimate Therefore, eðT2 =Ai;j ; uÞ ¼ eðT1 ; vÞ.
^ ^
network user, although MRk does not know
which particular user this is. Note that uidj is 4.3 User-User Mutual Authentication and Key
never disclosed or transmitted during protocol Agreement
execution. In PEACE, neighboring legitimate network users may help
d. MRk further computes the shared symmetric to relay each other’s traffic. To this end, two network users
key as Kk;j ¼ ðgrj ÞrR and sends back uidj : within each other’s direct communication range first
authenticate each other and establish shared secret pairwise
grj ; grR ; EKk;j ðMRk ; grj ; grR Þ; ðM:3Þ
key as follows:
where E ðÞ denotes symmetric encryption of the R
1. uidj picks a random nonce rj Z Ã and computes grj ,
Zp
given message within the brackets using key .
where g is obtained from the beacon messages broad-
The above protocol enables explicit mutual authentication
casted by the current service mesh router. uidj further
between a mesh router and a legitimate network user; it also
enables unilateral anonymous authentication for the net- signs on g; grj , and current time stamp ts1 , using his
work user. Upon successful completion of the protocol, the group private key gsk½i; jŠ following Steps 2b(i) to
mesh router and the user also establish a shared symmetric 2b(iv), as in Section 4.2. uidj then locally broadcasts
key used for the subsequent communication session. And
d
g; grj ; ts1 ; SIGgsk½i;jŠ: e
ðM:1Þ
this session is uniquely identified through ðgrR ; grj Þ.
Remarks.
2. e
Upon receipt of (M:1), uidl checks the time stamp
1. Equation (2) holds because d
and verifies the authenticity of SIGgsk½i;jŠ by applying
a. R1 ¼ us =T1 ¼ ur þc =ðu Þc ¼ u ¼ R1 .
~ c the group key gpk following Step 3b, as in Section 4.2.
b. uidl further checks if the signature is generated from
a revoked group private key following Step 3c, as in

eðT2 ; wÞ c Section 4.2. Note that URL can always be obtained
R2 ¼ eðT2 ; g2 Þsx Á eðv; wÞÀs Á eðv; g2ÞÀs Á
~
from the beacon messages.
eðg1 ; g2 Þ
¼ ðeðT2 ; g2 Þrx Á eðv; wÞÀr Á eðv; g2 ÞÀr Þ If all checks succeed, uidl is assured that the current
user it communicates with is legitimate. uidl proceeds
Á ðeðT2 ; g2 Þgrpi þxj Á eðv; wÞÀ to pick a random nonce rl
R
Z Ã and computes grl . uidl
Zp
eðT2 ; wÞ c rj rl
further signs on g ; g , and current time stamp ts2 ,
Á eðv; g2 ÞÀðgrpi þxj Þ Á Þ
eðg1 ; g2 Þ using an appropriate group private key gsk½t; lŠ of his.
!c
grp þx
eðT2 vÀ ; wg2 i j Þ uidl also computes the shared pairwise session key as
¼ R2 Á Krj ;rl ¼ ðgrj Þrl . uidl then replies uidj
eðg1 ; g2 Þ
!c d e
grp þx
eðAi;j ; wg2 i j Þ eðg1 ; g2 Þ c grj ; grl ; ts2 ; SIGgsk½t;lŠ: ðM:2Þ
¼ R2 Á ¼ R2 Á ¼ R2 :
eðg1 ; g2 Þ eðg1 ; g2 Þ
3. e
Upon receipt of (M:2), uidj first checks whether ts2 À
~ s ts1 is within the acceptable delay window. uidj also
c. R3 ¼ T1 x uÀs
¼ ðu Þrx þcðgrpi þxj Þ Á uÀr Àcðgrpi þxj Þ 4. Note that we do not know the exact value of a and b, but they indeed
¼ ðu Þrx Á uÀr ¼ T1 x Á uÀr ¼ R3 .
r
exist due to the fact that g2 is a generator of G 2 .
G



TABLE 1
Link Summarization

Fig. 4. A sample date session initiated by a network user.

d
examines SIGgsk½i;jŠ and URL as uidl did above. If all
checks succeed, uidj is also assured that its commu-
nicating counterpart is legitimate. uidj computes the using Kr1 ;r1 . If the verification succeeds, uid2 proceeds
shared pairwise session key as Krj ;rl ¼ ðgrl Þrj . uidj 1 2
to update MAC2 using Kr2 ;r1 shared with uid3 , that is,
2 3
finally replies uidl
1 1 1 2
MAC2 ¼ MACKr2 ;r1 ðgr1 ; gr2 ; grk ; gr1 ; MRk ; C; MAC1 Þ:
rj rl rj rl
g ; g ; EKrj ;rl ðg ; g ; ts1 ; ts2 Þ: e
ðM:3Þ 2 3

e uid2 next sends uid3 :
Upon receipt of (M:3) and successful decryption of
rj rl
EKrj ;rl ðg ; g ; ts1 ; ts2 Þ; uidl is assured that uidj has 2 1 1 2
gr2 ; gr3 ; grk ; gr1 ; MRk ; C; MAC1 ; MAC2 : ðM:2Þ
successfully completed the authentication protocol
and established the shared key for their subsequent If the verification fails, the message is bogus and will
communication session, which is uniquely identified be immediately dropped.
through ðgrj ; grl Þ. 3. Upon receipt of ðM:2Þ; uid3 processes it the same way
as uid2 does, and so are all the intermediate users.
4.4 Data Traffic Authentication 4. When the message arrives at MRk from uidj ; MRk
Fig. 4 denotes a typical scenario, where the message sent by further verifies it in three steps:
a network user has to travel multihops before reaching the
a. verify MAC2 using
nearest service mesh router. The following protocol
describes how such a message sent by uid1 is forwarded Krj ;r3 ;
k j
and efficiently authenticated in a hop-by-hop manner. Note
that only symmetric cryptographic operations are required
b. verify MAC1 using K1 calculated from Kr1 ;r2 ; and
for data traffic authentication. k 1
c. check whether C can be properly decrypted
Assume that all the involving network users and mesh
using K1 .
routers have mutually authenticated each other and
established respective corresponding symmetric keys as If all checks succeed, MRk now forwards M to its
summarized in Table 1, following the protocols described in destination dest probably through more intermedi-
ate mesh routers.
the previous section. We also note that secure channels
already exist among mesh routers themselves as the In PEACE, dest may be either a remote destination
outside the WMN belonging to the public Internet, which
consequence of preconfiguration.
can be indicated by its IP address, or another network user
1. uid1 first prepares the message M to be sent to a of the WMN. That is, two peer WMN users may also
destination dest and calculates K1 ¼ hðKr1 ;r2 ; 0Þ and communicate with each other. Obviously, for the purpose of
k 1
privacy protection, dest cannot use IP address of the
K2 ¼ hðKr1 ;r2 ; 1Þ shared with and MRk . uid1 further
k 1
1 2 destination user or put user’s ID in plain text in this latter
encrypts M; dest; grk ; gr1 using K1 and obtains case. This is because both approaches violate user privacy.
1 2
C ¼ EK1 ðM; dest; grk ; gr1 Þ. uid1 also computes two The solution to this is to encrypt the destination user’s ID in
message authentication codes (MAC) using K2 and dest so that no other network users or mesh routers, except
Kr1 ;r1 , respectively: the purposed receiver, are able to recover its content. The
1 2
straightforward adoption of this solution in the above
MAC1 ¼ MACK2 ðCÞ; protocol will require all mesh routers to broadcast the
1 0
MAC2 ¼ MACKr1 ;r1 ðgr1 ; gr2 ; grk ; gr1 ; MRk ; C; MAC1 Þ: message so that the real destination user is guaranteed to
1 2 receive it. That is, the straightforward solution demands
Finally, uid1 sends uid2 : network-wide flooding for message delivery, which is
highly inefficient. To deal with this problem, anonymous
1 1 1 2
gr1 ; gr2 ; grk ; gr1 ; MRk ; C; MAC1 ; MAC2 : ðM:1Þ routing techniques [14], [15], [16], [17] are required, which
usually make use of network-wide flooding only at the
1 1
routing discovery phase but utilize unicast approach for the
2. Upon receipt of ðM:1Þ; uid2 checks ðgr1 ; gr2 Þ, fetches subsequent data transmission. Many anonymous routing
Kr1 ;r1 from the memory, and further verifies MAC2
1 2
approaches [14], [15], [16], [17] can be almost directly



applied here, the detail of which, however, is beyond the 1. Given the link and the session identifier, find the
scope of this paper and is a part of our ongoing work. corresponding authentication session message
d
ðM:2Þ ¼ grj ; grR ; ts2 ; SIGgsk½i;jŠ from the network log
4.5 Privacy-Enhanced User Accountability file.
This design of PEACE protects user privacy in a sophisti- 2. For each revocation token Ai;j 2 grt, check whether
?
cated manner, while still maintaining user accountability. eðT2 =Ai;j ; uÞ ¼ eðT1 ; vÞ. Output the first element
^ ^
Ai;j 2 grt such that eðT2 =Ai;j ; uÞ ¼ eðT1 ; vÞ.
^ ^
4.5.1 User Anonymity against the Adversary, 3. For the found revocation token Ai;j , output the
the User Groups, and T T P corresponding mapping between Ai;j and grpi .
In PEACE, a user only authenticates himself as a legitimate Since grpi maps to a particular user group i, now
service subscriber without disclosing any of his identity a responsible entity is found from the perspective
information by utilizing the group signature technique. of NO.
Neither the adversary nor the user group managers can tell From the user’s perspective, only part of his nonessential
which particular user generates a given signature. The attribute information is disclosed from the audit. But such
adversary, even by compromising mesh routers and other nonessential attribute information will not reveal his
network users, that is, knowing a number of group private essential attribute information. For example, the above
keys in addition to the group public key, still cannot deduce audit may find that the responsible user is a member of
any information regarding the particular group private key Company XYZ but cannot reveal any other information
used for signature generation. This is due to the hardness of regarding the user. Yet NO still has sufficient evidence to
the underlying q-SDH problem, where q is a 1,020-bit prime prove to Company XYZ that one of his members violates
number. Due to the same reason, neither a user group certain network access rule so that Company XYZ should
manager can distinguish whether or not one of his group take the corresponding responsibility specified in their
members has signed a particular signature as he has no service subscription agreement.
knowledge of the corresponding Ai;j s nor can he compute
them. The same conclusion also holds for T T P as T T P can 4.5.3 Revocable User Anonymity against Law Authority
compute neither xj nor Ai;j given Ai;j È xj . Furthermore, When law authority decides to track the particular attacker
every data session in PEACE is identified only through that is responsible for a certain communication session, the
pairs of fresh random numbers, which again discloses following procedure is taken: NO reports to the law
nothing regarding user identity information. In addition, authority ðAi;j ; grpi Þ by executing the above protocol against
PEACE requires a network user to refresh session identi- the session in audit. ðAi;j ; grpi Þ is then further forwarded to
fiers and the shared symmetric keys for each different GM i . GM i checks its local record, finds out the mapping
session. This further eliminates the linkability between any between ðgrpi and xi Þ, and hence, the corresponding user
two sessions initiated by the same network user. We note identity information uidj , to whom gsk½i; jŠ is assigned
that even with the help of compromised mesh routers and during the system setup. GM i then replies uidj to the law
other network users, the adversary still cannot judge authority. At this point, law authority and only law
whether two communication sessions are from the same authority gets to know about which particular user is
user. This is because, fundamentally, none of them can tell responsible for the communication session in audit. We
whether two signatures are from the same user, given q- point out that this tracing procedure has the nonrepudiation
SDH problem and decision linear on G 1 problem are hard.
G property because 1) GM i signed on all gsks that are
assigned from NO as the proof of receipt; 2) uidj also
4.5.2 User Privacy against NO and User Accountability signed on the messages when obtaining gsk½i; jŠ from GM i
Since NO knows grt, it can always tell which gsk½i; jŠ and T T P as the proof of receipt. PEACE also has
produces a given signature. However, NO has no knowledge nonframeability property because no one else knows
regarding to whom gsk½i; jŠ is assigned as PEACE allows a gsk½i; jŠ except NO and uidj or is able to forge a signature
late binding between group private keys and network users. on behalf of uidj .
Furthermore, it is user group managers’ sole responsibility
to assign group private keys to each network user without 4.6 System Maintenance
any involvement of NO. Therefore, NO could only map PEACE supports both member addition and revocation in a
gsk½i; jŠ to the user group i based on grpi . Because no other dynamic manner. In PEACE, a group private key can be
entities except NO and the key holder himself has the revoked, and no network users holding the same key are
knowledge of the corresponding Ai;j , and can therefore, able to access the WMN afterward. Specifically, to revoke a
generate the given signature, the key holder must be a group private key gsk½i; jŠ, NO simply adds the correspond-
member of the user group i. This audit result serves our both ing Ai;j to URL and sends the updated URL to mesh routers
via secure channels. We note that the size of URL is linear to
requirements. On one hand, the result only reveals partial
the accumulated number of group private keys being
nonessential attribute information of the user and still
revoked, which can potentially grow fairly large as time
protects user privacy to an extent. On the other hand, the
elapses. To deal with this problem, we observe that
result is sufficient for user accountability purposes for NO.
revocations of group privacy keys are mainly due to two
When NO (on behalf of mesh routers) finds certain
reasons: 1) expiration of service subscription and 2) violation
communication session disputable or suspicious, it con- of network access policy. According to the nature of the
ducts the following protocol to audit the responsible entity: network access service, key revocations due to the former



reason usually happen periodically and are prescheduled; However, such bogus data traffic will be all immediately
and this is the major reason causing the size growth of URL. filtered in PEACE. First, with respect to outsiders, they do
At the same time, key revocations due to the latter is often not know any group private keys. Thus, they cannot produce
random and sporadic. Based on this observation, PEACE correct message signatures, when attempting to initialize a
adopts a hybrid membership maintenance approach to keep communication session with NO and/or other network
the size of URL to the minimum. users. They also cannot bypass the authentication procedure
Assume that the minimum subscription period of the and directly send out bogus data to others as they do not
network service is time unit, which can be set, for possess any shared symmetric session keys with them, and
example, as one month. For the duration of each minimum thus, cannot produce correct MACs. Then, regarding
subscription period, NO prepares a new group public key revoked users, there are two situations: 1) they do not have
and a sufficient number of corresponding private keys. NO any group private key currently in use due to group public
also arranges the usage of these group public keys in a key update or 2) the corresponding group private keys
sequential manner. That is, NO will attach the current gpk in owned by them are already revoked and are published in
use in every ðM:1Þ, which is part of the beacon messages URL in beacon messages. Obviously, the revoked users
being periodically broadcasted by each mesh router. Then, a cannot gain network access in neither cases. Finally, for
network user that subscribes the network service for x revoked mesh routers, they are no longer valid members of
time units through user group i will obtain x group private the WMN. By checking CRL, no legitimate mesh routers will
keys from GM i and T T P . Each of these group private keys accept/relay data traffic from revoked mesh routers. Also,
will only be valid for time unit and expires automatically since the downlink from a mesh router to its service range is
afterward. Next, within each minimum subscription period, only one hop, network users never need to and will not relay
if a group private key has to be revoked on the fly, NO data traffic for mesh routers in PEACE.
simply follows the procedure described above to update Data phishing attacks: In such attacks, the adversary may
URL. Now the size of URL will not grow very large as URL set up bogus mesh routers and try to phish user connections
is always periodically emptied. to such routers. In this way, the adversary could control
PEACE also supports the dynamic addition and revoca- network connection and analyze users’ data traffic for their
tion of mesh routers. To add a new mesh router, NO only benefits. The phishing mesh routers can be either comple-
needs to assign the router a new certificate and establish tely new mesh routers or revoked mesh routers both at the
secure channels between the new router and the existing adversary’s control. In the former case, the mesh router will
ones. To revoke a mesh router, NO simply revokes its not be able to authenticate itself to the network user.
certificate and updates CRL. In PEACE, CRL is constantly Therefore, no network user will establish any session with
updated by NO in a prescheduled frequency known as a such a mesh router. Even if the mesh router could intercept
system parameter to every network user. That is, CRL is the network traffic between a network user and a legitimate
updated periodically such as once per hour, even if there is mesh router, it will not be able to decrypt the message and
no mesh router being revoked. Moreover, an additional obtain any useful information. In the latter case, a newly
CRL update is always immediately issued once a mesh revoked mesh router, however, will possibly be able to
router is revoked. Every user in PEACE also keeps a most authenticate itself to a network user, if such a user does not
up-to-date version of CRL when interacting with different possess the latest version of CRL. The network user may be
mesh routers and checks CRL against its current service cheated in this case but only for up to (inverse of the
mesh router whenever receiving a newer version. With this update frequency—(current time—last period-
certification revocation approach, network users can easily ical update time)) time period. This is because the
judge whether or not a currently received CRL is up-to-date revoked mesh router will not be able to provide a legal CRL
with a guaranteed delay upper bound: min{inverse of update at the next periodical CRL update time point.
the update frequency, (current time—the update DoS attacks: In such attacks, the adversary may flood a
time of the locally stored CRL)}. We note that the large number of illegal access request messages to mesh
size of CRL is usually much smaller than that of URL as we routers. The purpose is to exhaust their resources and render
consider that the compromise of mesh routers is not very them less capable of serving legitimate users. In PEACE, for
often. At the same time, the size of CRL can be easily every access request message ðM:2Þ, the corresponding mesh
controlled by setting a shorter valid period. router has to verify a group signature and check the validity of
the signer. Both operations involve expensive pairing
operations, which, hence, can easily be exploited by the
5 SCHEME ANALYSIS adversary. To deal with this issue, we adopt the same client-
5.1 System Security Analysis puzzle approach as adopted in [18]. The idea of this approach
As its fundamental security functionality, PEACE enforces is as follows: When there is no evidence of attack, a mesh
network access control. Hence, we are most concerned with router processes ðM:2Þ normally. But, when under a
the following three different types of attacks, i.e., bogus data suspected DoS attack, the mesh router will attach a crypto-
injection attacks, data phishing attacks, and DoS attacks. graphic puzzle to every ðM:1Þ and require the solution to the
Bogus data injection attacks: In such attacks, the adversary puzzle be attached to each ðM:2Þ. The mesh router commits
wants to inject bogus data to the WMN aimed at utilizing the resources to process ðM:2Þ only when the solution is correct.
network service for free. The sources of the bogus data could Typically, solving a client puzzle requires a brute-force search
be outsiders, revoked users, or revoked mesh routers. in the solution space, while solution verification is trivial [18].


Peace

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (6)

Ähnlich wie Peace

Ähnlich wie Peace (20)

Mehr von ingenioustech

Mehr von ingenioustech (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Peace