Securing tuple space: secure ad hoc group communication using PKI

Secure group communication in an ad hoc network is a largely unexplored research area. Currently available key exchange protocols were not designed to be implemented in an ad hoc network where nodes sporadically enter and leave the group. This project explores establishing secure group communication in an ad hoc network through public key infrastructure. Public key infrastructure (PKI) provides a framework for establishing and authenticating secure communication between users. A trusted certificate authority (CA) generates an identifying token, or certificate, for an authorized user. The certificate contains the user\u27s public key and other identifying information and is digitally signed by the CA to prevent forging. This public key may then be used to initiate secure communication with the user. This project uses the tuple space distributed computing paradigm for all ad hoc group communication. A tuple space is a store of tuples, or lists of objects, from which consumers may read tuples matching filter criteria and to which producers may post new tuples. An easily made physical analogy to this concept is that of an announcement board, where people may read flyers and post new ones. Professor Alan Kaminsky\u27s TupleBoard API is an implementation of tuple space designed for developing ad hoc distributed applications in Java. This project extends this library by adding a public key framework enabling dynamic group key exchange, public key encryption and digital signatures. To showcase the newly added security features an ad hoc music distribution application was developed in which all communication is encrypted and authenticated and users may only share or download songs authorized by certificates in their possession. Finally, a performance analysis was done to evaluate the impact of the new security features

Energy-Efficient ID-based Group Key Agreement Protocols for Wireless Networks

One useful application of wireless networks is for secure group communication, which can be achieved by running a Group Key Agreement (GKA) protocol. One well-known method of providing authentication in GKA protocols is through the use of digital signatures. Traditional certificate-based signature schemes require users to receive and verify digital certificates before verifying the signatures but this process is not required in ID-based signature schemes. In this paper, we present an energy-efficient ID-based authenticated GKA protocol and four energy-efficient ID-based authenticated dynamic protocols, namely Join, Leave, Merge and Partition protocol, to handle dynamic group membership events, which are frequent in wireless networks. We provide complexity and energy cost analysis of our protocols and show that our protocols are more energyefficient and suitable for wireless networks.

A Certificate-based Light-weight Authentication Algorithm For Resource-constrained Devices

In this work, we analyze and extend a recently proposed design of digital certificates called TESLA certificates. Certificates are a necessary tool in today's secure networks to certify the identity of nodes taking part in communication. Most prevalent certificate technologies make use of public-key cryptography. Messages generated by the user are signed using its private key, and the signature can be verified by any node who knows the user's public key via its certificate. Signature generation and verification using public-key cryptography is computationally expensive for devices with limited computation power and energy resources. In this situation TESLA certificates can be very useful to certify identity, since they rely on symmetric cryptography which is computationally much more efficient. In this paper we explain the concept of TESLA certificates and provide a preliminary description of proposed modifications to the original algorithm to strengthen its security. We extend the original proposal by combining hash chains with TESLA certificates and come up with an efficient source and message authentication protocol based on symmetric key certificates. We also propose a new type of TESLA certificates called Group Certificates for use in multicast group communication. Through analysis, we show that our protocol is secure against malicious adversaries. We also give an initial estimate of the performance of our algorithm and the related comparison to public-key signatures, and we highlight network scenarios where the TESLA certificates could be particularly useful

Secure Identification in Social Wireless Networks

The applications based on social networking have brought revolution towards social life and are continuously gaining popularity among the Internet users. Due to the advanced computational resources offered by the innovative hardware and nominal subscriber charges of network operators, most of the online social networks are transforming into the mobile domain by offering exciting applications and games exclusively designed for users on the go. Moreover, the mobile devices are considered more personal as compared to their desktop rivals, so there is a tendency among the mobile users to store sensitive data like contacts, passwords, bank account details, updated calendar entries with key dates and personal notes on their devices. The Project Social Wireless Network Secure Identification (SWIN) is carried out at Swedish Institute of Computer Science (SICS) to explore the practicality of providing the secure mobile social networking portal with advanced security features to tackle potential security threats by extending the existing methods with more innovative security technologies. In addition to the extensive background study and the determination of marketable use-cases with their corresponding security requirements, this thesis proposes a secure identification design to satisfy the security dimensions for both online and offline peers. We have implemented an initial prototype using PHP Socket and OpenSSL library to simulate the secure identification procedure based on the proposed design. The design is in compliance with 3GPP‟s Generic Authentication Architecture (GAA) and our implementation has demonstrated the flexibility of the solution to be applied independently for the applications requiring secure identification. Finally, the thesis provides strong foundation for the advanced implementation on mobile platform in future

Secure Mobile Social Networks using USIM in a Closed Environment

Online social networking and corresponding mobile based applications are gaining popularity and now considered a well-integrated service within mobile devices. Basic security mechanisms normally based on passwords for the authentication of social-network users are widely deployed and poses a threat for the user security. In particular, for dedicated social groups with high confidentiality and privacy demands, stronger and user friendly principles for the authentication and identification of group members are needed. On the other hand, most of the mobile units already provide strong authentication procedures through the USIM/ISIM module. This paper explores how to build an architectural framework for secure enrollment and identification of group members in dedicated closed social groups using the USIM/SIM authentication and in particular, the 3GPP Generic Authentication Architecture (GAA), which is built upon the USIM/SIM capabilities. One part of the research is to identify the marketable use-cases with corresponding security challenges to fulfill the requirements that extend beyond the online connectivity. This paper proposes a secure identification design to satisfy the security dimensions for both online and offline peers. We have also implemented an initial proof of the concept prototype to simulate the secure identification procedure based on the proposed design. Our implementation has demonstrated the flexibility of the solution to be applied independently for applications requiring secure identification

Security and Privacy Issues in Wireless Mesh Networks: A Survey

This book chapter identifies various security threats in wireless mesh network (WMN). Keeping in mind the critical requirement of security and user privacy in WMNs, this chapter provides a comprehensive overview of various possible attacks on different layers of the communication protocol stack for WMNs and their corresponding defense mechanisms. First, it identifies the security vulnerabilities in the physical, link, network, transport, application layers. Furthermore, various possible attacks on the key management protocols, user authentication and access control protocols, and user privacy preservation protocols are presented. After enumerating various possible attacks, the chapter provides a detailed discussion on various existing security mechanisms and protocols to defend against and wherever possible prevent the possible attacks. Comparative analyses are also presented on the security schemes with regards to the cryptographic schemes used, key management strategies deployed, use of any trusted third party, computation and communication overhead involved etc. The chapter then presents a brief discussion on various trust management approaches for WMNs since trust and reputation-based schemes are increasingly becoming popular for enforcing security in wireless networks. A number of open problems in security and privacy issues for WMNs are subsequently discussed before the chapter is finally concluded.Comment: 62 pages, 12 figures, 6 tables. This chapter is an extension of the author's previous submission in arXiv submission: arXiv:1102.1226. There are some text overlaps with the previous submissio

A Multi-User, Single-Authentication Protocol for Smart Grid Architectures

open access articleIn a smart grid system, the utility server collects data from various smart grid devices. These data play an important role in the energy distribution and balancing between the energy providers and energy consumers. However, these data are prone to tampering attacks by an attacker, while traversing from the smart grid devices to the utility servers, which may result in energy disruption or imbalance. Thus, an authentication is mandatory to efficiently authenticate the devices and the utility servers and avoid tampering attacks. To this end, a group authentication algorithm is proposed for preserving demand–response security in a smart grid. The proposed mechanism also provides a fine-grained access control feature where the utility server can only access a limited number of smart grid devices. The initial authentication between the utility server and smart grid device in a group involves a single public key operation, while the subsequent authentications with the same device or other devices in the same group do not need a public key operation. This reduces the overall computation and communication overheads and takes less time to successfully establish a secret session key, which is used to exchange sensitive information over an unsecured wireless channel. The resilience of the proposed algorithm is tested against various attacks using formal and informal security analysis