Xuemin (Sherman) Shen
WIRELESS NETWORK SECURITY 97
the hash of the error report message, or to apply a keyed hash on the message to only authenticate with the source peer by using their shared-key.
With identity-based key management schemes, securing information exchange and message routing in wireless ad hoc networks becomes feasible with either asymmetric or symmetric procedures. Moreover, the irreplaceable role of peer identity in these systems justifies both the need for, and the applicability of, identity-based key management.
5. FURTHER DISCUSSION

5.1. Practical extensions
Identity-based key management schemes offer many attractive features that are highly desirable in wireless ad hoc networks, in which peer identity usually is the only means to identify autonomous and mobile peers. String-based identity can have very rich semantics (e.g., carrying date and location information). A location-aware identity (e.g., a grid-based one) can assist location-aware routing in wireless ad hoc networks: when a peer sends a message to another peer, the routing path for the message is implicitly suggested by their identities. Also, a peer can propose an identity indicating the services (e.g., [email protected]) or content (a movie trailer title) it provides, to assist resource discovery in wireless ad hoc networks. When a peer wants to obtain a specific service or content, it securely solicits the peer identified by the service description or the content hash.
IBC-based schemes with pairing are also very attractive for energy-constrained wireless ad hoc networks. For example, the BF-IBE and follow-on schemes employ bilinear pairings on elliptic curves in ECC, an approach considered much more efficient (in terms of key size and computation complexity) than regular RSA-based PKC procedures. Most operations in these schemes mainly involve hashing and bitwise XOR, and more efficient pairing implementations in software and hardware are appearing as well. In our secure communication schemes, we provide both asymmetric procedures (e.g., BLS-IBS signature) and their symmetric counterparts (HMAC), so that peers can trade off computing and communication overhead properly. Also, IBC-based schemes allow peers to authentically establish a shared-key and bootstrap even more efficient symmetric operations without any physical communication beforehand. In addition, Boyen gave a multipurpose IBC-based signcryption (IBSE) scheme (a.k.a. the Swiss army knife, since it can be flexibly used for encryption, signing and sign-and-encrypt procedures) with even stronger security properties (i.e., confidentiality, authenticity, integrity, non-repudiation, anonymity and unlinkability) and better runtime efficiency (less ciphertext expansion and fewer high-cost operations) [32]. The Boyen scheme is also based on bilinear pairings, and can be introduced into our identity-based key management schemes. Further, secure IBE schemes without the random oracle model (ROM) have been proposed recently [33], which gives more assurance for adopting them in wireless ad hoc networks.
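The symmetric counterpart mentioned above (HMAC), and the keyed-hash option for error report messages described at the top of this page, can be illustrated with the following Python. This is an added example, not code from the chapter: it assumes a pairwise shared-key already established by the identity-based procedure, and the label string and per-purpose key derivation are this example's own choices, shown so that the raw shared-key is not reused directly as a MAC key.

```python
import hashlib
import hmac

# Label for deriving a purpose-specific key from the pairwise shared-key.
# Assumption: the chapter fixes no such derivation; domain separation is
# added here so the same shared-key is not used raw for several purposes.
ERROR_REPORT_LABEL = b"wanet-error-report-auth"


def derive_tag_key(shared_key: bytes) -> bytes:
    """Derive the error-report authentication key from the pairwise shared-key."""
    return hmac.new(shared_key, ERROR_REPORT_LABEL, hashlib.sha256).digest()


def tag_error_report(shared_key: bytes, report: bytes) -> bytes:
    """Source peer: keyed hash over the error report, bound to the shared-key."""
    return hmac.new(derive_tag_key(shared_key), report, hashlib.sha256).digest()


def verify_error_report(shared_key: bytes, report: bytes, tag: bytes) -> bool:
    """Destination peer: recompute the tag and compare in constant time."""
    expected = tag_error_report(shared_key, report)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Constructed sample run: one pairwise key (A-B), one unrelated key (A-C)."""
    key_ab = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed
    key_ac = bytes.fromhex("ff" * 32)                                # constructed
    report = b"ROUTE_ERROR next_hop=peer-17 reason=link_down seq=42"   # constructed
    tag = tag_error_report(key_ab, report)
    return {
        # Only the peer holding the A-B shared-key can check the tag ...
        "dest_accepts": verify_error_report(key_ab, report, tag),
        # ... a relay or third peer without that key cannot (and cannot forge one).
        "other_peer_rejects": verify_error_report(key_ac, report, tag),
        # Any change to the report invalidates the tag.
        "tampered_rejects": verify_error_report(key_ab, report.replace(b"42", b"43"), tag),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off the paragraph describes is visible here: the tag costs two hash computations and 32 bytes, but it gives no non-repudiation and can be verified only by the peer that shares the key, whereas a BLS-IBS signature is verifiable by any peer that knows the signer's identity.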
98 JIANPING PAN, et al.

5.2. Known limitations
In our identity-based key management schemes, peers obtain their private-key from the PKG that oversees the entire system. Therefore, the PKG has total control over the secrecy and wealth of individual peers. This is not a concern when peers can trust the PKG (e.g., the PKG is the administrator of a managed-open wireless ad hoc network). However, some peers, especially foreign peers, may be concerned about a compromised PKG or an unknown PKG that decrypts messages with the private-key it extracted for them, impersonates their identity, and collects their wealth during their tenure in the system. Nevertheless, these concerns also apply to any regular PKC-based system, in which compromised CAs can always issue false certificates to malicious peers, or bogus PKIs can later reveal the public-key and private-key pairs assigned to genuine peers.

There are some identity-based approaches that can alleviate these concerns to some extent. First, the master-key can be distributed to several PKGs that are not under any single administration (e.g., t-of-n PKGs). Therefore, unless the number of compromised or bogus PKGs exceeds a certain threshold, peer secrecy and wealth are still well-preserved. With this approach, peers have to derive their private-key from multiple PKGs, which unavoidably increases their computing cost. Alternatively, peers can resort to hierarchical PKGs when they roam across different systems frequently. Second, the PKG can be required to refresh its master-key and system parameters periodically. Therefore, the window of exposure of a given master-key and the potential damage from a compromised master-key are limited. With this approach, peers have to query the PKG periodically as well, to extract their private-key from the latest master-key and system parameters, which increases their communication cost.
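The t-of-n PKG approach above can be made concrete with Shamir secret sharing of the master-key. The following Python is an added example, not the chapter's code: the master-key is split so that any t of n PKGs can reconstruct it, and, more usefully, so that a peer can combine t partial private-keys without any single PKG (or any set of fewer than t) ever holding the master-key. The partial private-key is modelled here as share times hash(ID) modulo a prime P, a toy stand-in for the scalar multiplication on the elliptic curve that a real pairing-based PKG would perform; the combining step with Lagrange coefficients is the same in either setting, because it only uses linearity.

```python
import hashlib
import secrets

# Prime field for the toy PKG. 2**127 - 1 is a Mersenne prime; it stands in
# for the elliptic-curve group order of a real BF-IBE style scheme (assumption).
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) at x, mod P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_master_key(master_key, t, n, rng=secrets.randbelow):
    """Shamir t-of-n split: returns [(i, share_i)] for PKG_1 .. PKG_n."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    # Degree t-1 polynomial whose constant term is the master-key.
    coeffs = [master_key % P] + [rng(P) for _ in range(t - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def lagrange_coeff(i, indices):
    """Lagrange coefficient lambda_i for interpolating at x = 0, mod P."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, P - 2, P) % P  # Fermat inverse, P is prime


def reconstruct_master_key(shares):
    """Recover the master-key from any t shares (wrong value if fewer)."""
    indices = [i for i, _ in shares]
    return sum(s * lagrange_coeff(i, indices) for i, s in shares) % P


def hash_identity(identity: str) -> int:
    """Map a string identity into the field (toy stand-in for hash-to-curve)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % P


def partial_private_key(share, identity):
    """PKG_i's contribution: its master-key share applied to H(ID)."""
    i, s_i = share
    return (i, s_i * hash_identity(identity) % P)


def combine_private_key(partials):
    """Peer side: combine t partial keys; the master-key itself never appears."""
    indices = [i for i, _ in partials]
    return sum(d * lagrange_coeff(i, indices) for i, d in partials) % P


def private_key_single_pkg(master_key, identity):
    """Reference: what a single, fully trusted PKG would hand out."""
    return master_key * hash_identity(identity) % P


if __name__ == "__main__":
    mk = secrets.randbelow(P)                      # constructed master-key
    shares = split_master_key(mk, t=3, n=5)
    parts = [partial_private_key(s, "alice@pkg-demo") for s in shares[1:4]]
    print(combine_private_key(parts) == private_key_single_pkg(mk, "alice@pkg-demo"))
```

The computing cost the chapter mentions shows up as t partial-key requests plus t Lagrange multiplications per extraction; the benefit is that compromising fewer than t PKGs yields shares that are statistically independent of the master-key, so the reconstruction from t-1 shares returns an unrelated field element.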
We argue that the PKG of a wireless ad hoc network usually is the entity, often offline, that enables the system by providing other resources (e.g., the PKG is the ticketing booth of a recreation park), and that peers should place a certain degree of trust in the PKG while they willingly participate in these systems. A visiting peer can propose a PKG-dependent identity to an unknown system, while still maintaining credentials with trusted PKGs in other systems, until the peer has developed trust in the new PKG.
6. RELATED WORK

Wireless ad hoc networks have attracted intensive research attention in recent years [1, 2, 3, 4, 5, 7]. Their intrinsic vulnerabilities due to the lack of infrastructure, unsecured media, untrusted peers, reliance on relaying, and high system dynamics (e.g., peer membership, working mode and network topology) have geared a considerable amount of research effort toward securing peer communications in these systems [5, 7]. In this section, we briefly review two research topics closely related to our work, and compare reported work with our approach.
Information exchange — Schemes proposed to secure information exchange in wireless ad hoc networks are based on either SKC or PKC. With SKC, pairwise shared-keys, derived from a preshared secret or bootstrapped by other means, should be established for all peer pairs beforehand, which is very impractical to achieve for mobile