A Framework for Providing Redundancy and Robustness in Key Management for IPsec Security Associations in a Mobile Ad-Hoc Environment

This research investigated key management in a Mobile Ad Hoc Network (MANET) environment. At the time this research began key management schemes provided limited functionality and low service availability in a highly partitioned ad hoc environment. The purpose of this research was to develop a framework that provides redundancy and robustness for Security Association (SA) establishment between pairs of nodes. The key contribution of this research is the Key Management System (KMS) framework and, more specifically, the unique way the various components are integrated to provide the various functionalities. The KMS overcomes the limitations of previous systems by (1) minimizing pre-configuration, (2) increasing service availability, (3) and increasing flexibility for new nodes joining the network. A behavior grading scheme provides the network with a system-wide view of the trustworthiness of nodes and enables the KMS to dynamically adjust its configuration according to its environment. The introduction of behavior grading allows nodes to be less dependent on strict identity verification. This KMS was simulated with Monte Carlo and NS2 simulations and was shown to interoperate with IP Security (IPsec) to enable the establishment of IPsec SAs. The simulations have proven the effectiveness of the system in providing service to the nodes in a highly partitioned environment.

[1]  Randall J. Atkinson,et al.  IP Encapsulating Security Payload (ESP) , 1995, RFC.

[2]  Alexey Melnikov,et al.  Simple Authentication and Security Layer (SASL) , 2006, RFC.

[3]  Randall J. Atkinson,et al.  Security Architecture for the Internet Protocol , 1995, RFC.

[4]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[5]  Gabriel Montenegro,et al.  Statistically Unique and Cryptographically Verifiable (SUCV) Identifiers and Addresses , 2002, NDSS.

[6]  Sandeep K. S. Gupta,et al.  On the Scalability of On-Demand Routing Protocols for Mobile ad hoc Networks: An Analytical Study , 2001, J. Interconnect. Networks.

[7]  Srdjan Capkun,et al.  Small worlds in security systems: an analysis of the PGP certificate graph , 2002, NSPW '02.

[8]  Srdjan Capkun,et al.  Mobility helps security in ad hoc networks , 2003, MobiHoc '03.

[9]  Sheila Frankel,et al.  The AES-CBC Cipher Algorithm and Its Use with IPsec , 2003, RFC.

[10]  Paolo Santi,et al.  The Node Distribution of the Random Waypoint Mobility Model for Wireless Ad Hoc Networks , 2003, IEEE Trans. Mob. Comput..

[11]  Robin Kravets,et al.  Security-aware ad hoc routing for wireless networks , 2001, MobiHoc '01.

[12]  Jean-Yves Le Boudec,et al.  Nodes bearing grudges: towards routing security, fairness, and robustness in mobile ad hoc networks , 2002, Proceedings 10th Euromicro Workshop on Parallel, Distributed and Network-based Processing.

[13]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[14]  Radia J. Perlman,et al.  Network security - private communication in a public world , 2002, Prentice Hall series in computer networking and distributed systems.

[15]  Tao Lin,et al.  Mobile Ad-hoc Network Routing Protocols: Methodologies and Applications , 2004 .

[16]  W. J. Adams,et al.  Calculating a node's reputation in a mobile ad hoc network , 2005, PCCC 2005. 24th IEEE International Performance, Computing, and Communications Conference, 2005..

[17]  R. Perlman,et al.  An overview of PKI trust models , 1999, IEEE Netw..

[18]  Cheryl Madson,et al.  The Use of HMAC-MD5-96 within ESP and AH , 1998, RFC.

[19]  John Linn,et al.  Privacy enhancement for Internet electronic mail: Part II - certificate-based key management , 1987, RFC.

[20]  Dan Harkins,et al.  The Internet Key Exchange (IKE) , 1998, RFC.

[21]  Zygmunt J. Haas,et al.  Securing ad hoc networks , 1999, IEEE Netw..

[22]  Steven M. Bellovin,et al.  Security Mechanisms for the Internet , 2003, RFC.

[23]  Tim Jenkins IPSec Monitoring MIB , 1998 .

[24]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[25]  Theodore S. Rappaport,et al.  Wireless communications - principles and practice , 1996 .

[26]  Diana K. Smetters,et al.  Talking to Strangers: Authentication in Ad-Hoc Wireless Networks , 2002, NDSS.

[27]  Christian Bettstetter,et al.  On the minimum node degree and connectivity of a wireless multihop network , 2002, MobiHoc '02.

[28]  J. J. Garcia-Luna-Aceves,et al.  Securing distance-vector routing protocols , 1997, Proceedings of SNDSS '97: Internet Society 1997 Symposium on Network and Distributed System Security.

[29]  Victor C. M. Leung,et al.  Secure Routing for Mobile Ad Hoc Networks , 2006 .

[30]  Joseph D. Touch,et al.  Use of IPsec Transport Mode for Dynamic Routing , 2004, RFC.

[31]  Luiz A. DaSilva,et al.  Network mobility and protocol interoperability in ad hoc networks , 2004, IEEE Communications Magazine.

[32]  Eric Vyncke,et al.  IPsec Configuration Policy Information Model , 2003, RFC.

[33]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2002, RFC.

[34]  William Stallings,et al.  PGP Message Exchange Formats , 1996, RFC.

[35]  Manel Guerrero Zapata Secure Ad hoc On-Demand Distance Vector (SAODV) Routing , 2006 .

[36]  Luiz A. DaSilva,et al.  Protocol support for policy-based management of mobile ad hoc networks , 2004, 2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507).

[37]  Scott F. Midkiff,et al.  IPSec overhead in wireline and wireless networks for Web and email applications , 2003, Conference Proceedings of the 2003 IEEE International Performance, Computing, and Communications Conference, 2003..

[38]  Scott F. Midkiff,et al.  A framework for wireless ad hoc routing protocols , 2003, 2003 IEEE Wireless Communications and Networking, 2003. WCNC 2003..

[39]  Tatu Ylonen,et al.  SSH Transport Layer Protocol , 1996 .

[40]  Charles E. Perkins,et al.  Multicast operation of the ad-hoc on-demand distance vector routing protocol , 1999, MobiCom.

[41]  Joseph D. Touch Dynamic Internet overlay deployment and management using the X-Bone , 2001, Comput. Networks.

[42]  Joseph D. Touch,et al.  Application deployment in virtual networks using the X-Bone , 2002, Proceedings DARPA Active Networks Conference and Exposition.

[43]  Xiaoyan Hong,et al.  LANMAR: landmark routing for large scale wireless ad hoc networks with group mobility , 2000, 2000 First Annual Workshop on Mobile and Ad Hoc Networking and Computing. MobiHOC (Cat. No.00EX444).

[44]  S. Cheung,et al.  An efficient message authentication scheme for link state routing , 1997, Proceedings 13th Annual Computer Security Applications Conference.

[45]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[46]  Luiz A. DaSilva,et al.  Addressing the requirements of QoS management for wireless ad hoc networks , 2003, Comput. Commun..

[47]  W. Douglas Maughan,et al.  Internet Security Association and Key Management Protocol (ISAKMP) , 1998, RFC.

[48]  Cliff Wang,et al.  IPSec Policy Information Base , 2004 .

[49]  Bruce Schneier,et al.  A Cryptographic Evaluation of IPsec , 1999 .

[50]  Scott F. Midkiff,et al.  Minimal connected dominating set algorithms and application for a MANET routing protocol , 2003, Conference Proceedings of the 2003 IEEE International Performance, Computing, and Communications Conference, 2003..

[51]  Srdjan Capkun,et al.  Self-Organized Public-Key Management for Mobile Ad Hoc Networks , 2003, IEEE Trans. Mob. Comput..

[52]  Ray Jain,et al.  The art of computer systems performance analysis - techniques for experimental design, measurement, simulation, and modeling , 1991, Wiley professional computing.

[53]  Hilarie K. Orman,et al.  The OAKLEY Key Determination Protocol , 1997, RFC.

[54]  Tracy Camp,et al.  A survey of mobility models for ad hoc network research , 2002, Wirel. Commun. Mob. Comput..

[55]  Cheryl Madson,et al.  The ESP DES-CBC Cipher Algorithm With Explicit IV , 1998, RFC.

[56]  John R. Douceur,et al.  The Sybil Attack , 2002, IPTPS.

[57]  Anis Laouiti,et al.  Multipoint Relaying: An Efficient Technique for Flooding in Mobile Wireless Networks , 2000 .

[58]  Alan O. Freier,et al.  The SSL Protocol Version 3.0 , 1996 .

[59]  John Linn,et al.  Privacy enhancement for Internet electronic mail: Part I: Message encipherment and authentication procedures , 1989, RFC.

[60]  Scott F. Midkiff,et al.  A dynamic topology switch for the emulation of wireless mobile ad hoc networks , 2002, 27th Annual IEEE Conference on Local Computer Networks, 2002. Proceedings. LCN 2002..

[61]  Rajendra V. Boppana,et al.  An adaptive distance vector routing algorithm for mobile, ad hoc networks , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[62]  Steven M. Bellovin,et al.  Problem Areas for the IP Security Protocols , 1996, USENIX Security Symposium.

[63]  Stephen T. Kent,et al.  IP Authentication Header , 1995, RFC.

[64]  Levente Buttyán,et al.  Stimulating Cooperation in Self-Organizing Mobile Ad Hoc Networks , 2003, Mob. Networks Appl..

[65]  Fred B. Schneider,et al.  COCA: a secure distributed online certification authority , 2002 .

[66]  Michael Roe,et al.  Child-proof authentication for MIPv6 (CAM) , 2001, CCRV.

[67]  Luiz A. DaSilva,et al.  Design and demonstration of policy-based management in a multi-hop ad hoc network , 2005, Ad Hoc Networks.

[68]  Steve Kent,et al.  Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management , 1989, RFC.

[69]  T. Dierks,et al.  The TLS protocol , 1999 .

[70]  Hans-Joachim Hof,et al.  A cluster-based security architecture for ad hoc networks , 2004, IEEE INFOCOM 2004.

[71]  Derrell Piper,et al.  The Internet IP Security Domain of Interpretation for ISAKMP , 1998, RFC.

[72]  Refik Molva,et al.  Core: a collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks , 2002, Communications and Multimedia Security.

[73]  Scott Rose,et al.  DNS Security Introduction and Requirements , 2005, RFC.

[74]  Gregory A. Hansen,et al.  The Optimized Link State Routing Protocol , 2003 .

[75]  Hugo Krawczyk,et al.  SKEME: a versatile secure key exchange mechanism for Internet , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[76]  Charles E. Perkins,et al.  Ad hoc On-Demand Distance Vector (AODV) Routing , 2001, RFC.

[77]  Sachin Agarwal,et al.  On the scalability of data synchronization protocols for PDAs and mobile devices , 2002, IEEE Netw..

[78]  Chai-Keong Toh,et al.  An evaluation of centralized and distributed service location protocols for pervasive wireless networks , 2001, 12th IEEE International Symposium on Personal, Indoor and Mobile Radio Communications. PIMRC 2001. Proceedings (Cat. No.01TH8598).

[79]  Elizabeth M. Belding-Royer,et al.  A secure routing protocol for ad hoc networks , 2002, 10th IEEE International Conference on Network Protocols, 2002. Proceedings..

[80]  Ronald L. Rivest,et al.  The MD5 Message-Digest Algorithm , 1992, RFC.

[81]  Angelos D. Keromytis,et al.  IP Security Policy (IPSP) Requirements , 2003, RFC.

[82]  Tatu Ylonen,et al.  The SSH (Secure Shell) Remote Login Protocol , 1995 .

[83]  J.-Y. Le Boudec,et al.  Toward self-organized mobile ad hoc networks: the terminodes project , 2001, IEEE Commun. Mag..

[84]  Ashar Aziz,et al.  SKIP-securing the Internet , 1996, Proceedings of WET ICE '96. IEEE 5th Workshop on Enabling Technologies; Infrastucture for Collaborative Enterprises.

[85]  J. J. Garcia-Luna-Aceves,et al.  Source-tree routing in wireless networks , 1999, Proceedings. Seventh International Conference on Network Protocols.

[86]  Jean-Pierre Hubaux,et al.  The quest for security in mobile ad hoc networks , 2001, MobiHoc '01.

[87]  Christian Bettstetter,et al.  Mobility modeling in wireless networks: categorization, smooth movement, and border effects , 2001, MOCO.

[88]  Mingyan Liu,et al.  Random waypoint considered harmful , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[89]  Warwick Ford,et al.  Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework , 1999, RFC.

[90]  Sandra L. Murphy,et al.  Digital signature protection of the OSPF routing protocol , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[91]  Panagiotis Papadimitratos,et al.  Secure Routing for Mobile Ad Hoc Networks , 2002 .

[92]  Jiejun Kong,et al.  Providing robust and ubiquitous security support for mobile ad-hoc networks , 2001, Proceedings Ninth International Conference on Network Protocols. ICNP 2001.

[93]  Krzysztof Pawlikowski,et al.  On credibility of simulation studies of telecommunication networks , 2002, IEEE Commun. Mag..

[94]  Bartosz Mielczarek,et al.  Scenario-based performance analysis of routing protocols for mobile ad-hoc networks , 1999, MobiCom.

[95]  Radia J. Perlman,et al.  Key Exchange in IPSec: Analysis of IKE , 2000, IEEE Internet Comput..

[96]  Binoy Ravindran,et al.  IP Quality of Service Support for Soft Real-Time Applications , 2005 .

[97]  Robin Kravets,et al.  MOCA : MObile Certificate Authority for Wireless Ad Hoc Networks , 2004 .

[98]  George C. Hadjichristofi,et al.  A framework for key management in mobile ad hoc networks , 2005, International Conference on Information Technology: Coding and Computing (ITCC'05) - Volume II.

[99]  Bill Sommerfeld Requirements for an IPsec API , 2003 .