Published on

Dear Students
Ingenious techno Solution offers an expertise guidance on you Final Year IEEE & Non- IEEE Projects on the following domain
For further details contact us:
044-42046028 or 8428302179.

Ingenious Techno Solution
#241/85, 4th floor
Rangarajapuram main road,
Kodambakkam (Power House)

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 21, NO. 2, FEBRUARY 2010 203 PEACE: A Novel Privacy-Enhanced Yet Accountable Security Framework for Metropolitan Wireless Mesh Networks Kui Ren, Member, IEEE, Shucheng Yu, Student Member, IEEE, Wenjing Lou, Senior Member, IEEE, and Yanchao Zhang, Member, IEEE Abstract—Recently, multihop wireless mesh networks (WMNs) have attracted increasing attention and deployment as a low-cost approach to provide broadband Internet access at metropolitan scale. Security and privacy issues are of most concern in pushing the success of WMNs for their wide deployment and for supporting service-oriented applications. Despite the necessity, limited security research has been conducted toward privacy preservation in WMNs. This motivates us to develop PEACE, a novel Privacy-Enhanced yet Accountable seCurity framEwork, tailored for WMNs. On one hand, PEACE enforces strict user access control to cope with both free riders and malicious users. On the other hand, PEACE offers sophisticated user privacy protection against both adversaries and various other network entities. PEACE is presented as a suite of authentication and key agreement protocols built upon our proposed short group signature variation. Our analysis shows that PEACE is resilient to a number of security and privacy related attacks. Additional techniques were also discussed to further enhance scheme efficiency. Index Terms—Wireless mesh networks, privacy, authentication, security, anonymous communication. Ç1 INTRODUCTIONW IRELESS mesh networks (WMNs) have recently at- tracted increasing attention and deployment as apromising low-cost approach to provide last-mile high- Security and privacy issues are of most concern in pushing the success of WMNs for their wide deployment and for supporting service-oriented applications. Due to thespeed Internet access at metropolitan scale [2], [3]. intrinsically open and distributed nature of WMNs, it isTypically, a WMN is a multihop layered wireless network essential to enforce network access control to cope withas shown in Fig. 1 [4], [5]. The first layer consists of access both free riders and malicious attackers. Dynamic access topoints, which are high-speed wired Internet entry points. At WMNs should be subject to successful user authenticationthe second layer, stationary mesh routers form a multihop based on the properly preestablished trust between usersbackbone via long-range high-speed wireless techniques and the network operator; otherwise, network accesssuch as WiMAX [6]. The wireless backbone connects to should be prohibited. On the other hand, it is also criticalwired access points at some mesh routers through high- to provide adequate provisioning over user privacy asspeed wireless links. The third layer consists of a large WMN communications usually contain a vast amount ofnumber of mobile network users. These network users sensitive user information. The wireless medium, openaccess the network either by a direct wireless link or network architecture, and lack of physical protection overthrough a chain of other peer users to a nearby mesh router. mesh routers render WMNs highly vulnerable to variousWMNs represent a unique marriage of the ubiquitous coverage privacy-oriented attacks. These attacks range from passiveof wide area cellular networks with the ease and the speed of local eavesdropping to active message phishing, interception,area Wi-Fi networks [4]. The advantages of WMNs also and alteration, which could easily lead to the leakage ofinclude low deployment costs, self-configuration and self- user information. Obviously, the wide deployment ofmaintenance, good scalability, high robustness, etc. [2]. WMNs can succeed only after users are assured for their ability to manage privacy risks and maintain their desired level of anonymity.. K. Ren is with the Department of Electrical and Computer Engineering, The necessity of security and privacy in WMNs can be Illinois Institute of Technology, 3301 Dearborn St, Chicago, IL 60616. E-mail: well illustrated through the following example. In a metro-. S. Yu and W. Lou are with the Department of Electrical and Computer scale community mesh network, the citizens access WMNs Engineering, Worcester Polytechnic Institute, 100 Institute Road, from everywhere within the community such as offices, Worcester, MA 01609. E-mail: {yscheng, wjlou} Y. Zhang is with the Department of Electrical and Computer homes, restaurants, hospitals, hotels, shopping malls, and Engineering, New Jersey Institute of Technology, University Heights, even vehicles. Through WMNs, they access the public Newark, NJ 07102. E-mail: Internet in different roles and contexts for services like e-Manuscript received 30 Oct. 2008; revised 26 Feb. 2009; accepted 18 Mar. mails, e-banking, e-commerce, and Web surfing, and also2009; published online 26 Mar. 2009. interact with their local peers for file sharing, teleconferen-Recommended for acceptance by P. Mohapatra. cing, online gaming, instant chatting, etc. Integrated withFor information on obtaining reprints of this article, please send e-mail, and reference IEEECS Log Number TPDS-2008-10-0399. sensors and cameras, the WMN may also be used to collectDigital Object Identifier no. 10.1109/TPDS.2009.59. information of interest. In fact, at Boston suburb area, the 1045-9219/10/$26.00 ß 2010 IEEE Published by the IEEE Computer Society Authorized licensed use limited to: Asha Das. Downloaded on August 05,2010 at 06:22:48 UTC from IEEE Xplore. Restrictions apply.
  2. 2. 204 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 21, NO. 2, FEBRUARY 2010 information of the user without disclosing his full identity information (unless necessary). To the best of our knowledge, PEACE is the first attempt to establish an accountable security framework with a sophisticated privacy protection model tailored for WMNs. PEACE also lays a solid background for designing other upper layer security and privacy solutions, e.g., anonymous communication. The rest of the paper is organized as follows: Section 2 is the introduction of the cryptographic knowledge entailed by PEACE. Section 3 describes the problem formulation. Then, in Section 4, the details of PEACE are described. We further analyze in Section 5 the security and privacy properties of PEACE, as well as its performance. Section 6 is about related work. Finally, we conclude the paper in Section 7.Fig. 1. WMN network architecture [4], [5]. 2 THE CRYPTOGRAPHIC BACKGROUND 2.1 Bilinear GroupsCity of Malden [7], the police department will use the WMN We first introduce a few concepts related to bilinear maps“to stream video footage from local areas directly to the as they are important to the design of PEACE. Let G 1 ; G 2 be G Gpolice station, making it easier for police officers to monitor multiplicative cyclic groups generated by g1 and g2 ,and respond to crimes at those locations” [7]. Obviously, all respectively, whose orders are a prime p, and G T be a Gthese communications contain various kinds of sensitive cyclic multiplicative group with the same order p. Supposeuser information like personal identities, activities, location that there is an efficient and computable isomorphism :information, financial information, transaction profiles, G 2 ! G 1 such that ðg2 Þ ¼ g1 . Let e : G 1 Â G 2 ! G T be a G G G G Gsocial/business connections, and so on. Once disclosed to bilinear pairing with the following properties [8]:the attackers, these information could compromise anyuser’s privacy, and when further correlated together, can . Bilinearity: eðaP ; bQÞ ¼ eðP ; QÞab for all P 2 G 1 ; Gcause even more devastating consequences. Hence, secur- Q 2 G 2 ; a; b 2 Z p . G Zing user privacy is of paramount practical importance in . Nondegeneracy: eðg1 ; g2 Þ 6¼ 1.WMNs. Moreover, for both billing purpose and avoiding . Computability: There is an efficient algorithm toabuse of network resources, it is also essential to prohibit compute eðP ; QÞ for all P 2 G 1 ; Q 2 G 2 . G Gfree riders and let only legitimate residents access WMNs. In this paper, we only use the fact that G 1 ; G 2 can be of size G G Despite the necessity and importance, limited research has approximately 2170 , elements in G 1 are 171-bit strings, and Gbeen conducted to address privacy-enhanced security me- discrete log in G 1 ; G 2 is as hard as discrete log in Z Ã , where G G Zqchanisms in WMNs. This motivates us to propose PEACE, a q is a 1,020-bit prime number.novel Privacy-Enhanced yet Accountable seCurity framE-work for WMNs. Our contributions are fourfold as follows: 2.2 Group Signature Security: It achieves explicit mutual authentication and Group signature schemes are a relatively recent crypto-key establishment between users and mesh routers and graphic concept introduced by Chaum and van Heyst inbetween users themselves. It, thus, prohibits both illegal 1991 [9]. A group signature scheme is a method for allowingnetwork access from free riders and malicious users and a member of a group to sign a message on behalf of thephishing attacks due to rogue mesh routers. group. In contrast to ordinary signatures, it provides Anonymity: It simultaneously enables unilateral anon- anonymity to the signer, i.e., a verifier can only tell that aymous authentication between users and mesh routers and member of some group signed. However, in exceptionalbilateral anonymous authentication between any two users. cases, such as a legal dispute, any group signature can beIt, thus, ensures user anonymity and privacy. “opened” by a designated group manager to reveal Accountability: It enables user accountability, at regulat- unambiguously the identity of the signature’s user behaviors and protecting WMNs from being Some group signature schemes support revocation, whereabused and attacked. Network communications can always group membership can be disabled. One of the most recentbe audited in the cases of disputes and frauds. It further group signature schemes is the one proposed by Boneh andallows dynamic user revocation so that malicious users can Shacham [8], which has a very short signature size that isbe evicted. comparable to that of an RSA-1024 signature [10]. This Sophisticated user privacy: It allows users to disclose scheme is based on the following two problems that areminimum information possible while maintaining account- believed to be hard. Let G 1 ; G 2 ; g1 ; g2 as defined above. G Gability. In PEACE, the user identity is a multifaceted q-Strong Diffie-Hellman problem: The q-SDH probleminformation as network users as society members alwaysinteract with WMNs in different roles and contexts. There- in ðG 1 ; G 2 Þ is defined as follows: given a ðq þ 2Þ-tuple G G ð 2 Þ ð q Þ 1=ðþxÞfore, a dispute regarding a given communication session ðg1 ; g2 ; g ; g2 ; . . . ; g2 Þ as input, output a pair ðg1 2 ; xÞ,should only be attributed according to the role/context where x 2 Z Ã . Zp Authorized licensed use limited to: Asha Das. Downloaded on August 05,2010 at 06:22:48 UTC from IEEE Xplore. Restrictions apply.
  3. 3. REN ET AL.: PEACE: A NOVEL PRIVACY-ENHANCED YET ACCOUNTABLE SECURITY FRAMEWORK FOR METROPOLITAN WIRELESS MESH... 205 Decision linear on G 1 : Given arbitrary generators u; v; h G legitimate network users, and 3) denial-of-service (DoS)of G 1 and ua ; vb ; hc 2 G as input, output yes if a þ b ¼ c, G G1 attacks against service availability.and no, otherwise. In light of the above threat model, the following security requirements are essential to ensure that a WMN functions correctly and securely as purposed.3 PROBLEM FORMULATION AND THE SCHEME OVERVIEW . User-router mutual authentication and key agreement: A3.1 Network Architecture and System Assumptions mesh router and a user should mutually authenti- cate each other to prevent both unauthorized net-The three-layer architecture in Fig. 1 considers a metropo- work access and phishing attacks. The user and thelitan-scale WMN under the control of a network operator mesh router should also establish a shared pairwise(NO). The network operator deploys a number of APs and symmetric key for session authentication and mes-mesh routers and forms a well-connected WMN that covers sage encryption.the whole area of a city and provides network services to . User-user mutual authentication and key agreement:network users, i.e., the citizens. Network users, on the other Users should also authenticate each other beforehand, subscribe to the network operator for the services and cooperation in regard to message relaying andutilize their mobile clients to freely access the network from routing. Moreover, symmetric keys should be estab-anywhere within the city. The membership of network lished and effectively maintained to provide sessionusers may be 1) terminated/renewed according to user- authentication and message encryption over theoperator agreement in a periodic manner or 2) dynamically corresponding traffic.revoked by NO in case of dispute/attack. . Sophisticated user privacy protection: The privacy of Similar to [4], [11], we assume that the downlink from a users should be well protected, and we differentiatemesh router to all users within its coverage is one hop. user privacy against different entities such as theHowever, the uplink from a user to a mesh router may be adversary, NO, and the law authority, as will beone or multiple hops. That is, a network user needs to elaborated in the next section.transmit packets in multiple hops to a mesh router beyond . User accountability: In the cases of attacks andhis direct transmission range. In this case, network users disputes, the responsible users and/or user groupscooperate with each other on relaying the packets to mesh should be able to be audited and pinpointed. On therouters. We further assume that all the network traffic has other hand, no innocent users can be framed forto go through a mesh router except the communication disputes/attacks they are not involved in.between two direct neighboring users. We assume so as it is . Membership maintenance: The network should be ableexpected that communications to and from a mesh router to handle membership dynamics including member-will constitute the majority of traffic in a WMN [12]. ship revocation, renewing, and addition.Moreover, this assumption would significantly reduce the . DoS resilience: The WMN should maintain servicerouting complexity from the users’ point of view as mesh availability despite of DoS attacks.routers will take the responsibility. We assume that NO can always communicate with mesh 3.3 Privacy Modelrouters through preestablished secure channels, and so are In a metropolitan WMN, city residents as network usersmesh themselves. The WMN is assumed to be deployed access the WMN for services related to every aspect of theirwith redundancy in mind so that revocation of individual personal and professional lives. Inevitably, these networkmesh routers will not affect network connection. We communications will contain a large amount of personal,assume the existence of an offline trusted third party business, and organization information that are highly(TTP), which is trusted for not disclosing the information it sensitive and interested by different parties for differentstores. TTP is required only during the system setup. We purposes. The malicious adversaries are interested as theyfurther assume that there is a secure channel between TTP could gain economic benefits by stealing the identity andand each network user. other information. In fact, identity theft has been an infamous type of the Internet crimes. Furthermore, network3.2 Threat Model and Security Requirements communications accumulated over time and space mayDue to the open medium and spatially distributed nature, intentionally be collected and used for establishing userWMNs are vulnerable to both passive and active attacks. profiles by certain parties, including NO. These parties areThe passive attacks include eavesdropping, while active not necessarily malicious, but such actions certainly violateattacks range from message replaying, bogus message user privacy. Obviously, the success deployment of WMNsinjection, phishing, active impersonation to mesh router is subject to users’ assurance of their ability to managecompromise. Hence, for a practical threat model, we privacy risks and maintain their desired level of anonymity.consider an adversary that is able to eavesdrop all network The above observation leads to the establishment of acommunications, as well as inject arbitrary bogus messages. practical user privacy model, which provides sophisticatedIn addition, the adversary can compromise and control a user privacy management and addresses user accountabilitysmall number of users and mesh routers subject to his simultaneously. We observe that a user usually accesses thechoice; it may also set up rogue mesh routers to phish user WMN in different roles and under different contexts. Foraccesses. The purposes of the adversary include 1) illegal example, a user as an engineer may access the WMN in hisand unaccountable network access, 2) the privacy of office as an employee of a company. The same user may also Authorized licensed use limited to: Asha Das. Downloaded on August 05,2010 at 06:22:48 UTC from IEEE Xplore. Restrictions apply.
  4. 4. 206 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 21, NO. 2, FEBRUARY 2010 Our privacy model further considers the extreme cases such as severe attacks in which the law authority has to track the particular responsible attacker. For this purpose, we introduce the concept of user group and try to utilize the natural society hierarchy among network users. A user group refers to any society entity, which, through a user group manager, manages a certain number of network users, i.e., its staffs and/or employees, and subscribes network services onFig. 2. The format of user identity information. behalf of its users. A user group can be any company, organization, university, or government agency, etc. Aaccess the WMN from a university campus as a student, network user, on the other hand, usually belongs to multiplefrom a rented apartment as a tenant, and from a golf club as a different user groups according to his roles in the society. Inpaid member, and so on. In our privacy model, we, hence, our privacy model, we further require thatrefer to the user identity as a user’s collective attributeinformation according to his different roles in the society. In 4. only by joint effort from both a user group manager andthe above example, the user identity may include NO can a user’s full identity be disclosed; and neither of them can do so alone.{name, ssn, engineer of company X, tenant of apartment Y, Note that the capability of a user group manager itself isstudent of university Z, member of golf club V, . . . }. strictly restricted, that is, it has no more ability than an Informally, we can divide the user identity information ordinary network user. User group managers cannot link anyinto two different categories, that is, essential attribute communication session to a specific user by only them selves.information and nonessential attribute information as shown in In summary, our privacy model is aimed at the followingFig. 2. The essential attribute information includes all the privacy guarantees under the threat model discussed above.information that can be used uniquely to identify a specificuser such as user’s name, social security number, driver . Against the adversary, the user group managers, andlicense number, passport number, etc. On the other hand, the other entities (except NO and the law authority): Atnonessential attribute information of a user may include his no circumstances, the adversary could tell that twodifferent social roles as indicated in the above example. We different communication sessions are from the samenote that if essential attribute information of a user is disclosed, network user or link a communication session to athis user is fully exposed and all his attribute information specific user.will also be disclosed. On the other hand, disclosing . Against NO: Given any communication session, NOnonessential attribute information does not lead to the full can only tell which user group the correspondingexposure of the user’s identity. That is, a user can still user is from, but cannot recover user’s full identity.maintain a certain level of anonymity, when only his That is, NO can only recover the correspondingnonessential attribute information is disclosed. It is further nonessential user attribute information for theobserved that the nonessential attribute information of users accountability purpose.are still sufficient for accountability purpose from NO’s . For the law authority: With the help from both NOperspective. This is because NO can still enforce network and user group managers, the law authority could link any communication session to the correspondingaccess control and audit network communications as it network user that is responsible.makes no difference to NO whether or not a responsibleentity is a person, a company, or an organization, etc. 3.4 Trust and Key Management Model To protect the user privacy, the user identity information Given the security and privacy requirements discussedshould be well protected from network communications above, PEACE bases its design on the following trust andagainst the adversary and even NO. Therefore, it should be key management model. Fig. 3 is the high-level illustrationrequired that of PEACE trust model, which consists of four kinds of network entities: the network operator, user group man- no communication sessions should reveal any user 1. agers, users organized in groups, and a TTP. Each user identity information except that the user is a legitimate group is a collection of users according to certain aspects of network user; their nonessential attributes. For instance, a company is a 2. no entity including the adversary and NO could link user group consisting of all its employees, and all the two different communication sessions to the same tenants of an apartment is another user group maintained particular user. by the corresponding apartment management office. Each Furthermore, in the cases of disputes and attacks, user user group has one group manager responsible for addingprivacy should be protected against NO in such a way that and removing users. Before accessing the WMN, each user has to enroll in at least one user group whose manager, 3. A given communication session under audit by NO can thus, knows both the essential and nonessential attributes of only be linked according to the attribute information of the the user. In PEACE, users no longer directly register with user without disclosing his full identity information. That the network operator; instead, each group manager sub- is, only minimum necessary identity information is scribes to the network operator on behalf of its group disclosed for the security purpose so that user members. Upon registration from a group manager, the privacy can be best protected. network operator allocates a set of group secret keys to this Authorized licensed use limited to: Asha Das. Downloaded on August 05,2010 at 06:22:48 UTC from IEEE Xplore. Restrictions apply.
  5. 5. REN ET AL.: PEACE: A NOVEL PRIVACY-ENHANCED YET ACCOUNTABLE SECURITY FRAMEWORK FOR METROPOLITAN WIRELESS MESH... 207 schemes can only provide irrevocable anonymity, while PEACE demands user accountability, and hence, revocable anonymity. Existing group signature schemes do provide revocable anonymity, but cannot support sophisticated user privacy. This motivates us to tailor a group signature scheme to meet all the requirements. We, hence, develop a variation of the short group signature scheme proposed in [8] by modifying its key generation algorithm for our purpose. PEACE is then built on this new group signature variation by further integrating it into the authentication and key agreement protocol design. 4.1 Scheme Setup: Key Management The following setup operations are performed in an offline manner by all the entities in PEACE, namely NO, a TTP, mesh routers, network users, and user group managers. PEACEFig. 3. PEACE trust model. works under bilinear groups ðG 1 ; G 2 Þ with isomorphism G G and respective generators g1 and g2 , as in Section 2.1. PEACEuser group. Then, the network operator divides each group also employs hash functions H0 and H, with respectivesecret key into two parts, one part sent to the requesting ranges G 2 and Z p . The notation below mainly follows [8]. G2 Zgroup manager and the other part to the TTP. To access the NO is responsible for key generation operation. Specifi-WMN, each user requests one part of the group secret key cally, NO proceeds as follows:from his group manager and the other part from the TTP torecover a complete group secret key. The user also needs to 1. Select a generator g2 in G 2 uniformly at random and G Rreturn signed acknowledgments to both the group manager set g1 À ðg2 Þ. Select À Z à and set w ¼ g . Zp 2and the TTP. 2. Select The above key management scheme is based on the Rprinciple of “separation of powers” and possesses a number grpi À Zà Zpof salient features. First, from network access control pointof view, every legitimate user with a valid group secret key for a registered user group i.can generate a valid access credential, i.e., the signature of 3. Using , generate an SDH tuple ðAi;j ; grpi ; xj Þ by Rthe authentication challenge—typically a nonce, upon selecting xj À Z à such that þ grpi þ xj 6¼ 0, and Zp 1=ðþgrpi þxj Þrequest. The validity of this access credential can be verified setting Ai;j Àg1 .by the network operator. Therefore, access security is 4. Repeat Step 3 for a predetermined number of timesguaranteed. Second, PEACE divides user identity informa- that are mutually agreed by NO and the user grouption and their corresponding secret key information among manager GM i .three autonomous entities: the network operator, the group 5. Send GM i f½i; jŠ; grpi ; xj j 8jg via a secure channel.manager, and the TTP. In particular, the network operator 6. Repeat Steps 2, 3, and 4 for every user group.knows the complete user secret key information, but not the 7. Send TTP: f½i; jŠ; Ai;j È xj j 8i; jg via a secure channel,mapping of the keys to the essential attributes of the users; where È denotes bitwise exclusive OR operation.1the group manager or the TTP knows the essential The above operation generates the group public key gpkattributes of the users, but not the complete secret key and a number of private keys gsk:information. The system is designed in such a way that given an access credential submitted by a user, none of the gpk ¼ ðg1 ; g2 ; wÞ;network operator, the group manager, and the TTP can fgsk½i; jŠ ¼ ðAi;j ; grpi ; xj Þ j8 i; jg:determine the user’s essential attribute or compromise his Furthermore, NO obtains a set of revocation tokens, grt,privacy unless any two of them collude. User privacy is with grt½i; jŠ ¼ Ai;j and also keeps the mapping betweenenhanced in this way. Finally, in case of service disputes or group id i and grpi for all user groups. Note that is thefrauds, an authorized entity, such as a law enforcement system secret only known to NO. For the purpose ofauthority, can collect information from the network nonrepudiation, NO signs on Steps 5 and 7 under aoperator, the user group manager, and the TTP to precisely standard digital signature scheme, such as ECDSA [13]. Inidentify the responsible user and hold him accountable. PEACE, we assume that ECDSA-160 is used. For the sameTherefore, user accountability can be attained as well. purpose, GM i and T T P also sign on these messages upon receipt and send the resulted signature back to NO.4 PEACE: THE SCHEME Additionally, NO prepares each mesh router MRk aWhen designing PEACE, we find that none of the existing public/private key pair, denoted by (RPKk ; RSKk ). Eachprivacy-aware crytographic primitives, such as blind mesh router also obtains an accompanied public keysignature, ring signature, and group signature schemes, 1. xj might have a larger bit length as compared to Ai;j , which is a pointsuits our purpose given the security and privacy require- on the chosen elliptic curve. In this case, we simply ignore the unnecessaryments discussed above. Blind signature and ring signature bits of xj . Authorized licensed use limited to: Asha Das. Downloaded on August 05,2010 at 06:22:48 UTC from IEEE Xplore. Restrictions apply.
  6. 6. 208 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 21, NO. 2, FEBRUARY 2010certificate signed by NO to prove key authenticity. The private keys, which is a subset of grt. Both CRLsigning key pair of NO is denoted by (NPK, NSK). The and URL are signed by NO.certificate contains the following fields at the minimum: 2. Upon receipt of (M.1), a network user uidj proceeds as follows: Certk ¼ fMRk ; RPKk ; ExpT ; SigNSK g; a. Check the time stamp ts1 to prevent replaywhere ExpT is the expiration time and Sig denotes an attack. Examine Certk to verify public keyECDSA-160 signature signed on a given message using a authenticity and the certificate expiration time;private key . examine CRL and see if Certk has been revoked Before accessing the WMN, a network user has to by applying NPK. Further verify the authenti-authenticate himself to his belonging user groups.2 From city of SigRSKk by applying RPKk .each such user group i, a network user uidj is assigned a b. Upon positive check results, uidj believes thatrandom group private key as follows: MRk is legitimate and does the following: R GM i sends uidj ð½i; jŠ; grpi ; xj Þ as well as the related 1. i. Pick two random nonce r; rj Z p , compute Z system parameters. grj , and prepare the current time stamp ts2 . 2. GM i requests T T P to send uidj ð½i; jŠ; Ai;j È xj Þ by Further obtain two generators ð^; vÞ in G 2 u ^ G providing the index ½i; jŠ. from H0 as 3. uidj assembles his group private key as gsk½i; jŠ ¼ ðAi;j ; grpi ; xj Þ. ð^; vÞ u ^ H0 ðgpk; grj ; grR ; ts2 ; rÞ 2 G 2 ; G2 ð1ÞNote that in our setting, and compute their images in G 1 : u G ð^Þ u . GM i only keeps the mapping of ðuidj ; ðgrpi ; xj ÞÞ but and v ð^Þ. v has no knowledge of the corresponding Ai;j . ii. Compute T1 u and T2 Ai;j v by se- R . NO only knows the mapping of ðGM i ; gsk½i; jŠÞ but lecting an exponent Z p . Set Z ðgrpi þ has no knowledge regarding to whom gsk½i; jŠ is xj Þ 2 Z p . Pick blinding values r ; rx , and Z R assigned. r Z p. Z . T T P has the mapping of ðuidj ; ðAi;j È xj ; grpi ÞÞ as it iii. Compute helper values R1 ; R2 , and R3 : sends uidj this information through a secure channel R1 ur ; R2 eðT2 ; g2 Þrx Á eðv; wÞÀr Á eðv; Àr r between the two upon the request from GM i . But T T P g2 Þ , and R3 T1 x Á uÀr . Compute a chal- has no knowledge of the corresponding xj or Ai;j . lenge value c 2 Z p using H: Z Here, we use uidj the user’s essential attribute information. c Hðgpk; grj ; grR ; ts2 ; r; T1 ; T2 ; R1 ; R2 ; R3 ÞFor the purpose of nonrepudiation, uidj signs on the messagesit receives from GM i and T T P under ECDSA-160, and sends 2 Z p: Zback GM i the corresponding signature. iv. Compute s ¼ r þ c; sx ¼ rx þ cðgrpi þ4.2 User-Router Mutual Authentication and Key xj Þ and s ¼ r þ c 2 Z p . Obtain the group Z Agreement signature on fgrj ; grR ; ts2 g asTo access the WMN, a network user follows the user-routermutual authentication and key agreement protocol as d SIGgsk½i;jŠ ðr; T1 ; T2 ; c; s ; sx ; s Þ:specified below, when a mesh router is within his directcommunication range.3 v. Compute the shared symmetric key with R MRk : 1. The mesh router MRk first picks a random nonce rR Z à and a random generator g in G 1 and then computes Zp G Kk;j ¼ ðgrR Þrj : grR . MRk further signs on g; grR , and current time stamp ts1 , using ECDSA-160. MRk then broadcasts c. Unicast back to MRk g; grR ; ts1 ; SigRSKk ; Certk ; CRL; URL ðM:1Þ d grj ; grR ; ts2 ; SIGgsk½i;jŠ : ðM:2Þ as part of beacon messages that are periodically broadcasted to declare service existence. Here, CRL and URL denote the mesh router certificate 3. Upon receipt of (M.2), MRk carries out the following revocation list and the user revocation list, respec- to authenticate uidj : tively. Specifically, URL contains a set of revocation a. Check grR and ts2 to make sure the freshness tokens that corresponds to the revoked group of (M.2). b. d Check that SIGgsk½i;jŠ is a valid signature by 2. Such an authentication is based on the preestablished trust relation-ship between the user and the user group and may be done through in- applying the group public key gpk as follows:person contact. 3. If direct communication is not possible due to lack of mobility, a user i. Compute u and v using ð1Þ, and their images ^ ^can increase transmit power to reach the mesh router during this phase.After this phase, the user should reduce transmit power back to the normal u and v in G 1 : u G ð^Þ and v u ð^Þ. vlevel to help increase spatial concurrency and frequency reuse [4]. ii. Retrieve R1 ; R2 , and R3 as: Authorized licensed use limited to: Asha Das. Downloaded on August 05,2010 at 06:22:48 UTC from IEEE Xplore. Restrictions apply.
  7. 7. REN ET AL.: PEACE: A NOVEL PRIVACY-ENHANCED YET ACCOUNTABLE SECURITY FRAMEWORK FOR METROPOLITAN WIRELESS MESH... 209 ~ R1 us =T1 ; c 2.Equation (3) holds when there is an element A of ~ R2 eðT2 ; g2 Þsx Á eðv; wÞÀs Á eðv; g2 ÞÀs URL encoded in ðT1 ; T2 Þ because of the following. Á ðeðT2 ; wÞ=eðg1 ; g2 ÞÞc ; We know that : G 2 ! G 1 is an isomorphism such G G that ðg2 Þ ¼ g1 . According to the definition of isomorph- ~ and R3 s T1 x Á uÀs . ism, we have ðP QÞ ¼ ðP Þ ðQÞ for any P ; Q 2 G 2 . G iii. Check that the challenge c is correct: Using this property and mathematical induction, it is ? easy to know the following fact: For any natural number ~ ~ ~ c ¼ Hðgpk; grj ; grR ; ts2 ; r; T1 ; T2 ; R1 ; R2 ; R3 Þ: m 2 N; ðgm Þ ¼ gm . 2 1 ð2Þ Hence, if a group private key ðAi;j ; grpi ; xj Þ with Ai;j 2 URL signed the group signature . For simplicity, let u ¼ ^ ga and v ¼ gb for some integers a and b.4 On one hand, 2 ^ 2 c. For each revocation token A 2 URL, check whether A is encoded in ðT1 ; T2 Þ by checking if eðT2 =Ai;j ; uÞ ¼ eðAi;j v =Ai;j ; uÞ ¼ eðv ; uÞ ¼ eðð ð^ÞÞ ; uÞ ^ ^ ^ v ^ ? ¼ eðð ðgb ÞÞ ; uÞ ¼ eððgb Þ ; ga Þ ¼ eðg1 ; g2 Þab : 2 ^ 1 2 eðT2 =A; uÞ ¼ eðT1 ; vÞ: ^ ^ ð3Þ On the other hand, If no revocation token of URL is encoded in d ðT1 ; T2 Þ, then the signer of SIGgsk½i;jŠ has not eðT1 ; vÞ ¼eðu ; vÞÞ ¼ eðð ð^ÞÞ ; vÞ ¼ eðð ðga ÞÞ ; vÞ ^ ^ u ^ 2 ^ been revoked. If all the above checks succeed, MRk is now ¼ eððga Þ ; gb Þ ¼ eðg1 ; g2 Þab : 1 2 assured that the current user is a legitimate Therefore, eðT2 =Ai;j ; uÞ ¼ eðT1 ; vÞ. ^ ^ network user, although MRk does not know which particular user this is. Note that uidj is 4.3 User-User Mutual Authentication and Key never disclosed or transmitted during protocol Agreement execution. In PEACE, neighboring legitimate network users may help d. MRk further computes the shared symmetric to relay each other’s traffic. To this end, two network users key as Kk;j ¼ ðgrj ÞrR and sends back uidj : within each other’s direct communication range first authenticate each other and establish shared secret pairwise grj ; grR ; EKk;j ðMRk ; grj ; grR Þ; ðM:3Þ key as follows: where E ðÞ denotes symmetric encryption of the R 1. uidj picks a random nonce rj Z à and computes grj , Zp given message within the brackets using key . where g is obtained from the beacon messages broad- The above protocol enables explicit mutual authentication casted by the current service mesh router. uidj furtherbetween a mesh router and a legitimate network user; it alsoenables unilateral anonymous authentication for the net- signs on g; grj , and current time stamp ts1 , using hiswork user. Upon successful completion of the protocol, the group private key gsk½i; jŠ following Steps 2b(i) tomesh router and the user also establish a shared symmetric 2b(iv), as in Section 4.2. uidj then locally broadcastskey used for the subsequent communication session. And d g; grj ; ts1 ; SIGgsk½i;jŠ: e ðM:1Þthis session is uniquely identified through ðgrR ; grj Þ.Remarks. 2. e Upon receipt of (M:1), uidl checks the time stamp 1. Equation (2) holds because d and verifies the authenticity of SIGgsk½i;jŠ by applying a. R1 ¼ us =T1 ¼ ur þc =ðu Þc ¼ u ¼ R1 . ~ c the group key gpk following Step 3b, as in Section 4.2. b. uidl further checks if the signature is generated from a revoked group private key following Step 3c, as in eðT2 ; wÞ c Section 4.2. Note that URL can always be obtained R2 ¼ eðT2 ; g2 Þsx Á eðv; wÞÀs Á eðv; g2ÞÀs Á ~ from the beacon messages. eðg1 ; g2 Þ ¼ ðeðT2 ; g2 Þrx Á eðv; wÞÀr Á eðv; g2 ÞÀr Þ If all checks succeed, uidl is assured that the current user it communicates with is legitimate. uidl proceeds Á ðeðT2 ; g2 Þgrpi þxj Á eðv; wÞÀ to pick a random nonce rl R Z à and computes grl . uidl Zp eðT2 ; wÞ c rj rl further signs on g ; g , and current time stamp ts2 , Á eðv; g2 ÞÀðgrpi þxj Þ Á Þ eðg1 ; g2 Þ using an appropriate group private key gsk½t; lŠ of his. !c grp þx eðT2 vÀ ; wg2 i j Þ uidl also computes the shared pairwise session key as ¼ R2 Á Krj ;rl ¼ ðgrj Þrl . uidl then replies uidj eðg1 ; g2 Þ !c d e grp þx eðAi;j ; wg2 i j Þ eðg1 ; g2 Þ c grj ; grl ; ts2 ; SIGgsk½t;lŠ: ðM:2Þ ¼ R2 Á ¼ R2 Á ¼ R2 : eðg1 ; g2 Þ eðg1 ; g2 Þ 3. e Upon receipt of (M:2), uidj first checks whether ts2 À ~ s ts1 is within the acceptable delay window. uidj also c. R3 ¼ T1 x uÀs ¼ ðu Þrx þcðgrpi þxj Þ Á uÀr Àcðgrpi þxj Þ 4. Note that we do not know the exact value of a and b, but they indeed ¼ ðu Þrx Á uÀr ¼ T1 x Á uÀr ¼ R3 . r exist due to the fact that g2 is a generator of G 2 . G Authorized licensed use limited to: Asha Das. Downloaded on August 05,2010 at 06:22:48 UTC from IEEE Xplore. Restrictions apply.
  8. 8. 210 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 21, NO. 2, FEBRUARY 2010 TABLE 1 Link SummarizationFig. 4. A sample date session initiated by a network user. d examines SIGgsk½i;jŠ and URL as uidl did above. If all checks succeed, uidj is also assured that its commu- nicating counterpart is legitimate. uidj computes the using Kr1 ;r1 . If the verification succeeds, uid2 proceeds shared pairwise session key as Krj ;rl ¼ ðgrl Þrj . uidj 1 2 to update MAC2 using Kr2 ;r1 shared with uid3 , that is, 2 3 finally replies uidl 1 1 1 2 MAC2 ¼ MACKr2 ;r1 ðgr1 ; gr2 ; grk ; gr1 ; MRk ; C; MAC1 Þ: rj rl rj rl g ; g ; EKrj ;rl ðg ; g ; ts1 ; ts2 Þ: e ðM:3Þ 2 3 e uid2 next sends uid3 : Upon receipt of (M:3) and successful decryption of rj rl EKrj ;rl ðg ; g ; ts1 ; ts2 Þ; uidl is assured that uidj has 2 1 1 2 gr2 ; gr3 ; grk ; gr1 ; MRk ; C; MAC1 ; MAC2 : ðM:2Þ successfully completed the authentication protocol and established the shared key for their subsequent If the verification fails, the message is bogus and will communication session, which is uniquely identified be immediately dropped. through ðgrj ; grl Þ. 3. Upon receipt of ðM:2Þ; uid3 processes it the same way as uid2 does, and so are all the intermediate users.4.4 Data Traffic Authentication 4. When the message arrives at MRk from uidj ; MRkFig. 4 denotes a typical scenario, where the message sent by further verifies it in three steps:a network user has to travel multihops before reaching the a. verify MAC2 usingnearest service mesh router. The following protocoldescribes how such a message sent by uid1 is forwarded Krj ;r3 ; k jand efficiently authenticated in a hop-by-hop manner. Notethat only symmetric cryptographic operations are required b. verify MAC1 using K1 calculated from Kr1 ;r2 ; andfor data traffic authentication. k 1 c. check whether C can be properly decrypted Assume that all the involving network users and mesh using K1 .routers have mutually authenticated each other andestablished respective corresponding symmetric keys as If all checks succeed, MRk now forwards M to itssummarized in Table 1, following the protocols described in destination dest probably through more intermedi- ate mesh routers.the previous section. We also note that secure channelsalready exist among mesh routers themselves as the In PEACE, dest may be either a remote destination outside the WMN belonging to the public Internet, whichconsequence of preconfiguration. can be indicated by its IP address, or another network user 1. uid1 first prepares the message M to be sent to a of the WMN. That is, two peer WMN users may also destination dest and calculates K1 ¼ hðKr1 ;r2 ; 0Þ and communicate with each other. Obviously, for the purpose of k 1 privacy protection, dest cannot use IP address of the K2 ¼ hðKr1 ;r2 ; 1Þ shared with and MRk . uid1 further k 1 1 2 destination user or put user’s ID in plain text in this latter encrypts M; dest; grk ; gr1 using K1 and obtains case. This is because both approaches violate user privacy. 1 2 C ¼ EK1 ðM; dest; grk ; gr1 Þ. uid1 also computes two The solution to this is to encrypt the destination user’s ID in message authentication codes (MAC) using K2 and dest so that no other network users or mesh routers, except Kr1 ;r1 , respectively: the purposed receiver, are able to recover its content. The 1 2 straightforward adoption of this solution in the above MAC1 ¼ MACK2 ðCÞ; protocol will require all mesh routers to broadcast the 1 0 MAC2 ¼ MACKr1 ;r1 ðgr1 ; gr2 ; grk ; gr1 ; MRk ; C; MAC1 Þ: message so that the real destination user is guaranteed to 1 2 receive it. That is, the straightforward solution demands Finally, uid1 sends uid2 : network-wide flooding for message delivery, which is highly inefficient. To deal with this problem, anonymous 1 1 1 2 gr1 ; gr2 ; grk ; gr1 ; MRk ; C; MAC1 ; MAC2 : ðM:1Þ routing techniques [14], [15], [16], [17] are required, which usually make use of network-wide flooding only at the 1 1 routing discovery phase but utilize unicast approach for the 2. Upon receipt of ðM:1Þ; uid2 checks ðgr1 ; gr2 Þ, fetches subsequent data transmission. Many anonymous routing Kr1 ;r1 from the memory, and further verifies MAC2 1 2 approaches [14], [15], [16], [17] can be almost directly Authorized licensed use limited to: Asha Das. Downloaded on August 05,2010 at 06:22:48 UTC from IEEE Xplore. Restrictions apply.
  9. 9. REN ET AL.: PEACE: A NOVEL PRIVACY-ENHANCED YET ACCOUNTABLE SECURITY FRAMEWORK FOR METROPOLITAN WIRELESS MESH... 211applied here, the detail of which, however, is beyond the 1. Given the link and the session identifier, find thescope of this paper and is a part of our ongoing work. corresponding authentication session message d ðM:2Þ ¼ grj ; grR ; ts2 ; SIGgsk½i;jŠ from the network log4.5 Privacy-Enhanced User Accountability file.This design of PEACE protects user privacy in a sophisti- 2. For each revocation token Ai;j 2 grt, check whether ?cated manner, while still maintaining user accountability. eðT2 =Ai;j ; uÞ ¼ eðT1 ; vÞ. Output the first element ^ ^ Ai;j 2 grt such that eðT2 =Ai;j ; uÞ ¼ eðT1 ; vÞ. ^ ^4.5.1 User Anonymity against the Adversary, 3. For the found revocation token Ai;j , output the the User Groups, and T T P corresponding mapping between Ai;j and grpi .In PEACE, a user only authenticates himself as a legitimate Since grpi maps to a particular user group i, nowservice subscriber without disclosing any of his identity a responsible entity is found from the perspectiveinformation by utilizing the group signature technique. of NO.Neither the adversary nor the user group managers can tell From the user’s perspective, only part of his nonessentialwhich particular user generates a given signature. The attribute information is disclosed from the audit. But suchadversary, even by compromising mesh routers and other nonessential attribute information will not reveal hisnetwork users, that is, knowing a number of group private essential attribute information. For example, the abovekeys in addition to the group public key, still cannot deduce audit may find that the responsible user is a member ofany information regarding the particular group private key Company XYZ but cannot reveal any other informationused for signature generation. This is due to the hardness of regarding the user. Yet NO still has sufficient evidence tothe underlying q-SDH problem, where q is a 1,020-bit prime prove to Company XYZ that one of his members violatesnumber. Due to the same reason, neither a user group certain network access rule so that Company XYZ shouldmanager can distinguish whether or not one of his group take the corresponding responsibility specified in theirmembers has signed a particular signature as he has no service subscription agreement.knowledge of the corresponding Ai;j s nor can he computethem. The same conclusion also holds for T T P as T T P can 4.5.3 Revocable User Anonymity against Law Authoritycompute neither xj nor Ai;j given Ai;j È xj . Furthermore, When law authority decides to track the particular attackerevery data session in PEACE is identified only through that is responsible for a certain communication session, thepairs of fresh random numbers, which again discloses following procedure is taken: NO reports to the lawnothing regarding user identity information. In addition, authority ðAi;j ; grpi Þ by executing the above protocol againstPEACE requires a network user to refresh session identi- the session in audit. ðAi;j ; grpi Þ is then further forwarded tofiers and the shared symmetric keys for each different GM i . GM i checks its local record, finds out the mappingsession. This further eliminates the linkability between any between ðgrpi and xi Þ, and hence, the corresponding usertwo sessions initiated by the same network user. We note identity information uidj , to whom gsk½i; jŠ is assignedthat even with the help of compromised mesh routers and during the system setup. GM i then replies uidj to the lawother network users, the adversary still cannot judge authority. At this point, law authority and only lawwhether two communication sessions are from the same authority gets to know about which particular user isuser. This is because, fundamentally, none of them can tell responsible for the communication session in audit. Wewhether two signatures are from the same user, given q- point out that this tracing procedure has the nonrepudiationSDH problem and decision linear on G 1 problem are hard. G property because 1) GM i signed on all gsks that are assigned from NO as the proof of receipt; 2) uidj also4.5.2 User Privacy against NO and User Accountability signed on the messages when obtaining gsk½i; jŠ from GM iSince NO knows grt, it can always tell which gsk½i; jŠ and T T P as the proof of receipt. PEACE also hasproduces a given signature. However, NO has no knowledge nonframeability property because no one else knowsregarding to whom gsk½i; jŠ is assigned as PEACE allows a gsk½i; jŠ except NO and uidj or is able to forge a signaturelate binding between group private keys and network users. on behalf of uidj .Furthermore, it is user group managers’ sole responsibilityto assign group private keys to each network user without 4.6 System Maintenanceany involvement of NO. Therefore, NO could only map PEACE supports both member addition and revocation in agsk½i; jŠ to the user group i based on grpi . Because no other dynamic manner. In PEACE, a group private key can beentities except NO and the key holder himself has the revoked, and no network users holding the same key areknowledge of the corresponding Ai;j , and can therefore, able to access the WMN afterward. Specifically, to revoke agenerate the given signature, the key holder must be a group private key gsk½i; jŠ, NO simply adds the correspond-member of the user group i. This audit result serves our both ing Ai;j to URL and sends the updated URL to mesh routers via secure channels. We note that the size of URL is linear torequirements. On one hand, the result only reveals partial the accumulated number of group private keys beingnonessential attribute information of the user and still revoked, which can potentially grow fairly large as timeprotects user privacy to an extent. On the other hand, the elapses. To deal with this problem, we observe thatresult is sufficient for user accountability purposes for NO. revocations of group privacy keys are mainly due to two When NO (on behalf of mesh routers) finds certain reasons: 1) expiration of service subscription and 2) violationcommunication session disputable or suspicious, it con- of network access policy. According to the nature of theducts the following protocol to audit the responsible entity: network access service, key revocations due to the former Authorized licensed use limited to: Asha Das. Downloaded on August 05,2010 at 06:22:48 UTC from IEEE Xplore. Restrictions apply.
  10. 10. 212 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 21, NO. 2, FEBRUARY 2010reason usually happen periodically and are prescheduled; However, such bogus data traffic will be all immediatelyand this is the major reason causing the size growth of URL. filtered in PEACE. First, with respect to outsiders, they doAt the same time, key revocations due to the latter is often not know any group private keys. Thus, they cannot producerandom and sporadic. Based on this observation, PEACE correct message signatures, when attempting to initialize aadopts a hybrid membership maintenance approach to keep communication session with NO and/or other networkthe size of URL to the minimum. users. They also cannot bypass the authentication procedure Assume that the minimum subscription period of the and directly send out bogus data to others as they do notnetwork service is time unit, which can be set, for possess any shared symmetric session keys with them, andexample, as one month. For the duration of each minimum thus, cannot produce correct MACs. Then, regardingsubscription period, NO prepares a new group public key revoked users, there are two situations: 1) they do not haveand a sufficient number of corresponding private keys. NO any group private key currently in use due to group publicalso arranges the usage of these group public keys in a key update or 2) the corresponding group private keyssequential manner. That is, NO will attach the current gpk in owned by them are already revoked and are published inuse in every ðM:1Þ, which is part of the beacon messages URL in beacon messages. Obviously, the revoked usersbeing periodically broadcasted by each mesh router. Then, a cannot gain network access in neither cases. Finally, fornetwork user that subscribes the network service for x revoked mesh routers, they are no longer valid members oftime units through user group i will obtain x group private the WMN. By checking CRL, no legitimate mesh routers willkeys from GM i and T T P . Each of these group private keys accept/relay data traffic from revoked mesh routers. Also,will only be valid for time unit and expires automatically since the downlink from a mesh router to its service range isafterward. Next, within each minimum subscription period, only one hop, network users never need to and will not relayif a group private key has to be revoked on the fly, NO data traffic for mesh routers in PEACE.simply follows the procedure described above to update Data phishing attacks: In such attacks, the adversary mayURL. Now the size of URL will not grow very large as URL set up bogus mesh routers and try to phish user connectionsis always periodically emptied. to such routers. In this way, the adversary could control PEACE also supports the dynamic addition and revoca- network connection and analyze users’ data traffic for theirtion of mesh routers. To add a new mesh router, NO only benefits. The phishing mesh routers can be either comple-needs to assign the router a new certificate and establish tely new mesh routers or revoked mesh routers both at thesecure channels between the new router and the existing adversary’s control. In the former case, the mesh router willones. To revoke a mesh router, NO simply revokes its not be able to authenticate itself to the network user.certificate and updates CRL. In PEACE, CRL is constantly Therefore, no network user will establish any session withupdated by NO in a prescheduled frequency known as a such a mesh router. Even if the mesh router could interceptsystem parameter to every network user. That is, CRL is the network traffic between a network user and a legitimateupdated periodically such as once per hour, even if there is mesh router, it will not be able to decrypt the message andno mesh router being revoked. Moreover, an additional obtain any useful information. In the latter case, a newlyCRL update is always immediately issued once a mesh revoked mesh router, however, will possibly be able torouter is revoked. Every user in PEACE also keeps a most authenticate itself to a network user, if such a user does notup-to-date version of CRL when interacting with different possess the latest version of CRL. The network user may bemesh routers and checks CRL against its current service cheated in this case but only for up to (inverse of themesh router whenever receiving a newer version. With this update frequency—(current time—last period-certification revocation approach, network users can easily ical update time)) time period. This is because thejudge whether or not a currently received CRL is up-to-date revoked mesh router will not be able to provide a legal CRLwith a guaranteed delay upper bound: min{inverse of update at the next periodical CRL update time point.the update frequency, (current time—the update DoS attacks: In such attacks, the adversary may flood atime of the locally stored CRL)}. We note that the large number of illegal access request messages to meshsize of CRL is usually much smaller than that of URL as we routers. The purpose is to exhaust their resources and renderconsider that the compromise of mesh routers is not very them less capable of serving legitimate users. In PEACE, foroften. At the same time, the size of CRL can be easily every access request message ðM:2Þ, the corresponding meshcontrolled by setting a shorter valid period. router has to verify a group signature and check the validity of the signer. Both operations involve expensive pairing operations, which, hence, can easily be exploited by the5 SCHEME ANALYSIS adversary. To deal with this issue, we adopt the same client-5.1 System Security Analysis puzzle approach as adopted in [18]. The idea of this approachAs its fundamental security functionality, PEACE enforces is as follows: When there is no evidence of attack, a meshnetwork access control. Hence, we are most concerned with router processes ðM:2Þ normally. But, when under athe following three different types of attacks, i.e., bogus data suspected DoS attack, the mesh router will attach a crypto-injection attacks, data phishing attacks, and DoS attacks. graphic puzzle to every ðM:1Þ and require the solution to the Bogus data injection attacks: In such attacks, the adversary puzzle be attached to each ðM:2Þ. The mesh router commitswants to inject bogus data to the WMN aimed at utilizing the resources to process ðM:2Þ only when the solution is service for free. The sources of the bogus data could Typically, solving a client puzzle requires a brute-force searchbe outsiders, revoked users, or revoked mesh routers. in the solution space, while solution verification is trivial [18]. Authorized licensed use limited to: Asha Das. Downloaded on August 05,2010 at 06:22:48 UTC from IEEE Xplore. Restrictions apply.