National Chiao Tung University
Institute of Information Management
Doctoral Dissertation
A Study on the Security Protocols for Wireless Ad-Hoc Networks: A Case on Digital Rights Management
Student: Chun-Chieh Huang
Advisor: Professor Chi-Chun Lo
A Dissertation Submitted to the Institute of Information Management, College of Management, National Chiao Tung University, in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Information Management
January 2011
Hsinchu, Taiwan, Republic of China
Abstract (translated from the Chinese abstract)
Student: Chun-Chieh Huang
Advisor: Chi-Chun Lo
Ph.D. Program, Institute of Information Management, National Chiao Tung University
A wireless ad-hoc network (WAN) is a collection of devices with wireless transmission capability. Because of its dynamic topology, its wireless broadcast medium, and its inherent network characteristics, a WAN is more exposed to attack than other network architectures, and it is harder to design a group communication architecture for it that meets security requirements. Yet the environments in which WANs are deployed, military applications for example, need a more secure and stable communication environment.

This research is devoted to the design of security mechanisms that achieve secure communication in WAN environments. Taking digital rights management as the core, the dissertation considers several security issues: digital license signing for digital content management, key management in multicast environments, supervision in peer-to-peer (P2P) communication environments, and access control for resources offered by web services. For these issues, four security mechanisms are designed to satisfy the security requirements of WANs, particularly cluster-based WANs.

The research proposes a Group-Oriented Nominative Proxy Signature Scheme (GO-NPSS), which brings the group concept into the nominative proxy signature scheme to meet the requirements of the WAN environment. In this scheme a digital content provider can hand its signing capability to a group of proxies and can designate which parties have the capability to verify the signature. The aim is that, in a mobile commerce environment, the content provider can give consumers a workable way to verify the legitimacy of a license; the scheme guarantees that the license a consumer obtains was indeed produced by the content provider. The security of GO-NPSS is also analyzed to show that it satisfies the security requirements of a signature scheme.

The research proposes an EBS (Exclusion Basis System)-based batch rekeying mechanism for group communication environments. It resolves EBS's inability to handle group members joining and leaving at the same time. The mechanism has three operations: member join, member leave that resists partial collusion attacks, and member leave that resists collusion attacks. Its performance is compared with EBS from three angles, storage cost, computation cost, and communication overhead; the comparison shows that the proposed mechanism is more efficient and more flexible than EBS.

The research proposes a security mechanism with supervising capability and applies it to data delivery over a peer-to-peer communication architecture. It is based on the single-level supervising mechanism proposed by Wu et al., modified to provide multi-level supervision. There is a global clusterhead that manages and supervises all peer-to-peer communication, and within each cluster a clusterhead that manages and supervises the peer-to-peer communication inside the cluster. Security analysis shows that the proposed mechanism achieves its supervisory goal: any two communicating nodes in a cluster can generate a shared communication key for confidential communication, and no other node inside or outside the cluster can listen in except the cluster's clusterhead and the global clusterhead.

Finally, the research designs a flexible access control mechanism for web services. It adapts the RBAC (Role-Based Access Control) model to the environment of this research. Under it, the web service server bases its flexible role-based control on the requester's current location, the requester's reputation at that location, an overall reputation computed from all locations the user has visited, the security degree of each domain, and the trust degree of the data transmission path, together with a policy database. All reputation values are computed by the domain agent. Implementation results show that the requirement of flexible access control is satisfied: a requester can only obtain data content that matches the conditions at the time of the request.

Keywords: wireless ad-hoc network, batch rekeying scheme, key management, digital signature, supervising mechanism, flexible access control mechanism
A Study on the Security Protocols for Wireless Ad-Hoc
Networks: A Case on Digital Rights Management
Student: Chun-Chieh Huang
Advisor: Chi-Chun Lo
Institute of Information Management
National Chiao Tung University
ABSTRACT
A wireless ad-hoc network (WAN) is a collection of wireless mobile nodes, each of which can be considered an individual portable device. In such networks packets are relayed over multiple hops to reach their destination. Because of the infrastructure-less, dynamic, and broadcast nature of radio transmission, communications in WANs are susceptible to security attacks, and the inherent limitations of WANs make it difficult to establish a suitable secure group communication framework. Yet many applications, particularly in military and critical civilian domains, require WANs to be secure and stable.
For these reasons, this dissertation focuses on developing security schemes and mechanisms that provide secure communications over WANs. It considers a digital rights management (DRM) scenario in cluster-based WANs, identifies several security issues under that scenario, and proposes the corresponding solutions: a digital signature for the digital license in DRM, key management for group communications, a supervising mechanism for peer-node communications in peer-to-peer (P2P) applications, and access control for the access privileges to resources provided by a web service. The dissertation is concerned with the design and development of these protocols in cluster-based WANs.
In this dissertation, a group-oriented nominative proxy signature scheme (GO-NPSS) is proposed. The scheme adds the group-oriented concept to the nominative proxy signature scheme for cluster-based WANs. It lets a content provider delegate his/her signing ability to a subset of a group of clearinghouses and designate a subset of a group of consumers to verify their digital licenses. The scheme guarantees that digital products come from authorized providers. A formal security analysis demonstrates that the scheme is secure enough for use in DRM systems.
An EBS-based batch rekeying scheme is also proposed. It extends EBS with batch rekeying operations and supports three operations: join, leave with collusion-resistant (L/CR), and leave with collusion-free (L/CF). The performance of the proposed scheme is compared with that of EBS in terms of three metrics, storage cost, computation cost, and communication overhead; the comparison indicates that the proposed scheme outperforms EBS in all three, and simulation results indicate that it is more efficient and scalable than EBS.
A framework supporting a supervising mechanism in cluster-based P2P networks is introduced. It supports a multiple-chain partial-order supervising mechanism instead of the single-chain partial-order mechanism proposed by Wu et al. A global clusterhead supervises the whole network, and the clusterhead of each cluster supervises its own cluster's communications. Security analysis shows that the mechanism is secure enough for P2P in WANs. Any two nodes within the same cluster generate a common session key; within that cluster, no node other than the clusterhead obtains the session key.
Finally, a flexible access control mechanism is designed. It extends the role-based access control (RBAC) model with profiles, combining the requester's role, location, and reputation with the trust degree of the routing path, so that a service provider can easily compute a requester's access privilege for a specific resource. The mechanism is implemented with XACML, and the implementation results show that it is feasible.
Keywords: Wireless ad-hoc network, Batch rekeying scheme, Key management, Digital signature, Supervising mechanism, Flexible access control mechanism
Dedications
To my parents for their unconditional love,
To my father-in-law and mother-in-law for their endless support,
To my wife and children for their everlasting love,
Acknowledgements
It is a pleasure to thank those who made this dissertation possible, such as my wife, who gave me the moral support I required, and my advisor, who helped me with the research material. My deepest gratitude is to my advisor, Professor Chi-Chun Lo. I appreciate very much the fact that he took me seriously when I communicated with him asking about the possibility of taking me as a Ph.D. student in his laboratory, "Communication and Network", in the Institute of Information Management, National Chiao Tung University. I have been amazingly fortunate to have an advisor who gave me the freedom to explore on my own. Professor Lo taught me how to express ideas and gave me excellent comments. His patience and continual support throughout my time in the Ph.D. program helped me overcome many problems and finish this dissertation. Without his guidance and support, this dissertation would not have been possible. I hope that one day I will become as good an advisor to my students as Professor Lo has been to me.
Special thanks go to Professor Henry Ker-Chang Chang, who was my advisor in my master's program. Professor Chang became a friend and a mentor during my Ph.D. program. He taught me how to work hard, had confidence in me when I doubted myself, and brought out the good ideas in me. Without his encouragement and constant guidance, I could not have finished this dissertation.
I would like to thank all committee members for their comments and advice during my dissertation defense. Special thanks go to Professor Heng-Li Yang, Associate Professor Shi-Jen Lin, Professor Henry Ker-Chang Chang, and Professor Chyang Yang, for reviewing my dissertation, giving me many valuable comments on it, and kindly consenting to serve on my defense committee. Their intellectual comments about my research presentation encouraged me to prepare fruitful presentation slides, and thus I got through all of my previous presentation sessions. Moreover, this dissertation would not have been possible without the financial support I received from the National Science Council, recommended by Professor Chi-Chun Lo.
I also would like to make special mention of my younger schoolmates in my lab. Without their cooperation I could not have done my dissertation and the projects. Ding-Yuan Cheng (a Ph.D. student who will graduate at the same time) helped me prepare my dissertation defense and gave me many valuable suggestions about my scenarios. Fang-Yi Lee, Kuang-Yu Chen, Ping-Hsien Ho, and Meng-Ju Lee (second-year master's students) gave me mental support in different situations, discussed many papers and exchanged many good ideas with me, and helped me prepare my dissertation defense.
Last but not least, I thank my family: my parents, Wen-Chih Huang and Chiu-Mien Huang, for giving me life in the first place and for encouraging me throughout my educational life. Thanks to my younger sister, Wan-Shu Huang, for encouraging me to be brave and to pursue without fear all the challenging tasks that came my way. Special thanks go to my father-in-law, Cheng-Te Chang, and my mother-in-law, Yueh-Chiao Kuo; I would like to thank them for their faith in my abilities, which gave me the strength to overcome all obstacles. Moreover, many thanks to my son, Sheng-Ju Huang, and my daughter, Li-Ya Huang. Without their love, support, and encouragement, more than anything else, I would never have reached this stage in my life.
Finally, and most importantly, I would like to thank my wife, Chao-Chun Chiang, for her continuous hard work in maintaining our daily life and taking care of our children. She has given me tremendous love, support, and encouragement. She had infinite faith in me and gave unlimited support to everything I have set out to pursue, every dream I have ever had, possible or impossible. Without her encouragement, I wouldn't have been able to achieve my goals.
Table of Contents
Abstract (Chinese)
Abstract
Dedications
Acknowledgements
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Research Background and Motivation
1.2 Contributions of the Dissertation
1.3 Organization of the Dissertation
Chapter 2 Literature Review
2.1 Wireless Ad-Hoc Networks
2.2 Security Issues in WANs
Chapter 3 A Group-Oriented Nominative Proxy Signature Scheme for Digital Rights Management
3.1 Digital Rights Management Introduction
3.2 Related Works
3.2.1 Proxy Signature Scheme
3.2.2 Nominative Proxy Signature Scheme
3.3 The Proposed Group-Oriented Nominative Proxy Signature Scheme
3.3.1 Notations
3.3.2 The Proposed Scheme
3.4 Security Analysis
3.5 Performance Analysis
3.6 Conclusion
Chapter 4 An EBS-Based Batch Rekeying Scheme for Secure Group Communications
4.1 Key Management Introduction
4.2 Related Works
4.2.2 K-map Simplification
4.2.3 Chinese Remainder Theorem
4.3 The Batch Rekeying Scheme
4.3.1 Notations
4.3.2 The Proposed Scheme
4.4 Security and Performance Analyses
4.4.1 Security Analysis
4.4.2 Performance Analysis
4.5 Simulation Results
4.6 Conclusion
Chapter 5 A Two-Key Agreement Based Supervising Mechanism for Cluster-Based Peer-to-Peer Applications
5.1 Supervising Introduction
5.2 Related Works
5.3 The Proposed Supervising Mechanism
5.3.1 Notations
5.3.2 Initialization Phase
5.3.3 Communication Phase
5.3.4 Supervising Phase
5.4 Security Analysis
5.4.1 The Security of Nodes' Private Keys
5.4.2 The Confidentiality of Communication Data
5.4.3 Against Replay Attack
5.4.4 Against Session Key Attack
5.5 Conclusion
Chapter 6 A Flexible Access Control Mechanism for Web Services
6.1 Introduction
6.2 System Architecture
6.2.1 System Components
6.2.2 The System Workflow
6.3 The Proposed Flexible Access Control Mechanism
6.3.1 Reputation Management
6.3.2 Flexible Access Control
6.4 Implementation Results
6.5 Conclusion
7.1 Conclusions
7.2 Future Research Directions
References
Biography
List of Tables
Table 1. The classification of routing protocols in WANs
Table 2. The EBS system with n = 5, k = 2, and m = 2
Table 3. Boolean function expression
Table 4. The simplification procedure
List of Figures
Figure 1. The framework of the proposed dissertation
Figure 2. The structure of infrastructure-based WLANs
Figure 3. The structure of WANs
Figure 4. The architecture of Near Term Digital Radio (NTDR)
Figure 5. The concept of operation mode in a DRM system
Figure 6. The components in a DRM system [21]
Figure 7. The overall DRM framework provided by Microsoft Corporation [28]
Figure 8. The GO-NPSS scheme
Figure 9. The flow chart of the group private key generation and key sharing in CHG
Figure 10. The flow chart of the group private key generation and key sharing in CVG
Figure 11. Number of session keys updated
Figure 12. Number of administration keys updated
Figure 13. Number of rekeying messages sent
Figure 14. Number of administration keys updated
Figure 15. The framework of the two-key agreement based supervising mechanism
Figure 16. The framework of the proposed flexible access control mechanism
Figure 17. The implementation environment
Figure 18. A table with 7 columns
Figure 19. The columns that the requester can get after applying the RBAC model
Figure 20. The columns that the requester can get after applying the flexible access control model
Chapter 1 Introduction
This chapter introduces the research background and motivation, the contributions of the dissertation, and the organization of the dissertation.
1.1 Research Background and Motivation
Over the past decades wireless communication networks have become more popular than wired ones: they are easier to deploy than conventional wired networks and provide seamless connectivity within their coverage area. By the way nodes attach to the network, wireless networks fall into two types, infrastructure-based and infrastructure-less. In infrastructure-based networks, mobile nodes rely on access points to reach the Internet; typical examples are WLAN, GSM, and UMTS. In infrastructure-less networks, the mobile nodes organize themselves by discovering their neighbors and communicating over the wireless medium; a node reaches its destination with the help of its neighbors, which store and forward its packets. In recent years, infrastructure-less ad hoc networking technologies such as wireless ad-hoc networks (WANs) and Bluetooth have received considerable attention in both academia and industry. A WAN is a collection of wireless mobile nodes, each of which can be considered an individual portable device. Its topology changes frequently because nodes move arbitrarily, and there is no centralized administration or fixed infrastructure. Each node communicates directly with the nodes within its radio range; to deliver information to nodes beyond that range, nodes must collaborate. Nodes in WANs are more vulnerable to attacks because of the lack of a fixed infrastructure and the open wireless medium: any node within radio range of another can listen to whatever it broadcasts, violating the privacy of the broadcasting node. Security is therefore an important issue in WANs.
Confidentiality, authentication, integrity, non-repudiation, and access control are considered the main services of a security system. Providing security support for WANs is challenging because (1) wireless networks are susceptible to attacks ranging from passive eavesdropping to active interference; (2) mobile users demand anywhere, anytime service; and (3) a scalable solution is a must for a large-scale mobile network. Our goal is to provide a secure communication environment for mobile users and applications over WANs.
This dissertation considers the design of security schemes and mechanisms for a digital rights management (DRM) system, using electronic books as the example, in cluster-based WANs. The scenario provides a purely mobile commerce environment for its participants. Traditionally, a publishing system has four roles: authors, publishers, distributors, and consumers. An author or editor writes the articles and essays. A publisher revises the authors' manuscripts, adds plates, and arranges with distributors how to set up a channel to sell the published books. A distributor sells the books supplied by publishers, and a consumer buys the books he/she wants from a brick-and-mortar store. With the advent of digital information systems and the Internet, however, the scope of publishing has expanded to include electronic resources such as electronic versions of books, which can be sold online. In this dissertation the online selling service has three roles: authors, distributors, and consumers; the publisher's role is taken over by the authors and distributors. Assume a virtual team of authors, each concentrating on his/her own expertise; they integrate their work and deliver the final product to a distributor, who distributes the digital content to customers over cluster-based WANs. Authors can thus cooperate and focus on their domain knowledge to finish their work. For example, producing an electronic voice book requires an editor, an illustrator, a recording engineer, and so on; because they cooperate, the work can be completed without a publisher.
A distributor's duties include distributing the digital content to his/her customers, acting as a clusterhead and constructing the cluster-based WAN, providing a repository for published and protected e-books, and maintaining a web service system. The web service keeps related works that are unfinished and unpublished; these works may be cited by other valid authors.
In this framework, shown in Figure 1, users or clients request their favorite content from a content provider (an author), and the content provider delivers the protected content to them. The content a client receives is encrypted and cannot be used without a valid license. When the user pays and starts a license acquisition protocol with the clearinghouse (the distributor's role) through the DRM agent on the client, the client obtains the corresponding license for the content from the clearinghouse, and the content can then be rendered according to the usage rules in the license. A consumer must be able to confirm that a license is valid; this confirmation is done with a signature scheme. In addition, the users in the communication network are legitimate group members. Members, or authors, in the same cluster can communicate and form a communication group using a multicast protocol, and thus co-work to create an attractive work. Multicast is an efficient way to deliver data to a large group of users in applications such as Internet stock quotes, audio and music delivery, and file and video distribution. Data confidentiality is one of the most challenging problems in secure multicast. To achieve it, a secure multicast scheme must address key management: efficient organization and distribution of keys with low communication overhead, low key storage cost, and low scheme complexity. The proposed DRM system also supports peer-to-peer communication: members, or authors, in the same cluster share files, video, and audio with each other. To meet the supervision requirement, the clusterhead (the distributor) supervises their communications so that members do not violate the regulations. Furthermore, the proposed DRM system provides a web service for the group members. A legitimate member, an author, who wants resources from or access to the web service registers with it and is assigned a role associated with his/her identity; he/she can then issue a request from any cluster to access the web service's resources over the communication network.
Figure 1. The framework of the proposed dissertation
For these reasons, this dissertation focuses on the signature, key management, supervision, and access control problems in WANs, and develops security protocols that address them. The related issues in each area are sketched here; detailed discussions follow in later chapters.
(1) Signature:
Signatures are an important mechanism in real applications, and digital signatures are used especially in electronic transactions. A digital signature is analogous to a handwritten signature: a digital signature scheme lets the recipient of data establish its source and integrity and protects against forgery. A group-oriented digital signature scheme is a kind of digital signature scheme in which a group of authenticated users cooperatively signs a message instead of a single user; likewise, verification can be carried out cooperatively by a designated group of verifiers. Such collaborative, group-oriented applications and protocols are useful in WANs.
In this work, the signature issues of DRM systems deployed in WANs are discussed. In a DRM system, the digital license controls which content a consumer may access, and one of the major issues raised by DRM systems is the integrity of this license. Digital signatures provide data integrity, non-repudiation, and authentication, so a digital signature is an essential security mechanism for license-based DRM. Because of the properties of WANs, nodes leave the network with higher probability than in wired or infrastructure-based networks; a digital content provider may then be unable to sign a digital license in time, and the consumer cannot verify the protected content and play it on his/her platform. This work therefore proposes a group-oriented nominative proxy signature scheme. The content provider delegates his/her signing ability to a subset of a proxy group of n members and designates a subset of a verifier group of l members to verify the digital licenses signed by the proxy signers: any t of the n proxy signers can sign a license on behalf of the original signer, and any w of the l verifiers can verify the validity of that proxy signature.
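To make the "t of n proxy signers" access structure concrete, here is an added example that is not the dissertation's GO-NPSS (whose construction is given in Chapter 3): the provider's signing key d is shared among n proxies with Shamir secret sharing over an assumed prime field, so any t shares recover d and t-1 shares do not. A real threshold signature scheme combines partial signatures instead of reconstructing d at one place; the block only shows the threshold property itself, and the field size and sample values are assumptions for the illustration.

```python
"""(t, n) threshold sharing of a signing key with Shamir secret sharing.

Added illustration of the threshold idea behind "t of n proxy signers";
it is NOT the GO-NPSS construction of Chapter 3.  The original signer's
private key d is split among n proxy signers so that any t of them can
recover it, while t-1 or fewer learn nothing about d.
"""
import secrets

# Assumed field for the demonstration: the Mersenne prime 2^127 - 1.
P = 2**127 - 1


def _eval_poly(coeffs, x, p):
    """Horner evaluation of sum(coeffs[i] * x**i) modulo p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def make_shares(secret, t, n, p=P, coeffs=None):
    """Split `secret` into n shares (i, f(i)) of a degree t-1 polynomial.

    `coeffs` fixes a_1..a_{t-1} for a reproducible example; when omitted
    they are drawn at random, which is what a real dealer must do.
    """
    if not 1 <= t <= n < p:
        raise ValueError("need 1 <= t <= n < p")
    if coeffs is None:
        coeffs = [secrets.randbelow(p) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("need exactly t - 1 coefficients")
    poly = [secret % p] + [c % p for c in coeffs]
    return [(i, _eval_poly(poly, i, p)) for i in range(1, n + 1)]


def reconstruct(shares, p=P):
    """Lagrange interpolation at x = 0; correct only with >= t shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def threshold_demo(t=3, n=5):
    """Share a random key; return (value from t shares, value from t-1 shares, d)."""
    d = secrets.randbelow(P)  # constructed: the provider's signing key
    shares = make_shares(d, t, n)
    return reconstruct(shares[:t]), reconstruct(shares[: t - 1]), d


if __name__ == "__main__":
    ok, bad, d = threshold_demo()
    print("t shares recover d:  ", ok == d)
    print("t-1 shares recover d:", bad == d)
```

With fixed coefficients the arithmetic can be checked by hand: for f(x) = d + 7x + 11x^2 the shares at x = 1 and x = 2 are d + 18 and d + 58, and interpolating only those two points through x = 0 yields d - 22, not d.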
(2) Key management:
Securing group communications in resource-constrained, infrastructure-less environments such as WANs has become one of the most challenging research directions in wireless network security. This dissertation focuses on enabling and protecting communication among nodes, so that data reaches its intended recipients and only those recipients can read it. A central issue in secure group communication in WANs is group key management. A group key shared by all group members suits multicast communication: it encrypts the communication data, so only group members can decrypt it, and it must therefore be protected from non-members. Two factors dominate the design of an efficient key management protocol: the number of keys each node must store and the number of rekeying operations that must be performed. Because of the dynamic topology of WANs, nodes join and leave the group frequently, which makes key management an important security issue. In general, a key management protocol supports three kinds of rekeying operations: join, leave, and periodic rekeying.
This work proposes a group key management protocol for WANs based on the centralized key management framework. It supports batch rekeying operations in cluster-based WANs, so the group key that encrypts multicast data remains protected.
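The rekeying scheme of Chapter 4 builds on the Exclusion Basis System (EBS). As an added example, not the dissertation's batch scheme, the block below implements plain EBS(n, k, m) key assignment with the parameters of Table 2 (n = 5, k = 2, m = 2), performs the rekey for a single member leave, and checks the collusion case that a batch leave has to handle: two leavers whose key sets together cover every administrative key can read every rekey message. The key-wrapping primitive, key values and member numbering are assumptions for the example.

```python
"""Exclusion Basis System (EBS) rekeying on a member leave.

Added illustration of the plain EBS(n, k, m) key assignment that the
batch rekeying scheme of Chapter 4 builds on; it is not the
dissertation's own scheme.  Each of n members holds a distinct k-subset
of k + m administrative keys, so C(k+m, k) >= n is required.  To evict
member u, the key server encrypts the new session key under each of the
m administrative keys that u does NOT hold: every other member holds at
least one of them, u holds none.
"""
from itertools import combinations
import hashlib


def ebs_assign(n, k, m):
    """Return {member: frozenset(admin key ids)} for EBS(n, k, m).

    Members get the first n k-subsets of range(k + m) in lexicographic
    order (an assumed layout; Table 2 uses n = 5, k = 2, m = 2).
    """
    subsets = list(combinations(range(k + m), k))
    if len(subsets) < n:
        raise ValueError("C(k+m, k) must be at least n")
    return {u: frozenset(subsets[u]) for u in range(n)}


def _wrap(admin_key, payload):
    """Toy key wrapping for the example: XOR with SHA-256(admin_key).
    Assumption for illustration only; a real deployment uses an AEAD
    such as AES-GCM.  XOR is its own inverse, so unwrap == wrap."""
    stream = hashlib.sha256(admin_key).digest()
    if len(payload) > len(stream):
        raise ValueError("payload longer than keystream")
    return bytes(a ^ b for a, b in zip(payload, stream))


def leave_rekey(assignment, admin_keys, leaving, new_session_key):
    """Key-server side of a single leave.

    Returns {admin key id: wrapped new session key} for every admin key
    the leaving member does not hold (m messages).  The admin keys the
    leaver did hold must then be replaced as well, wrapped under the new
    session key; that step is omitted here for brevity.
    """
    complement = set(range(len(admin_keys))) - assignment[leaving]
    return {kid: _wrap(admin_keys[kid], new_session_key) for kid in complement}


def member_recover(assignment, admin_keys, member, messages):
    """Member side: unwrap under the first held key, or None if none fits."""
    for kid, ct in messages.items():
        if kid in assignment[member]:
            return _wrap(admin_keys[kid], ct)
    return None


def colluders_cover_all(assignment, num_keys, members):
    """True if the members' keys together span every admin key.

    Such members leaving in the same batch can decrypt every rekey
    message addressed to the remaining group, which is the collusion
    problem a batch leave has to handle."""
    held = set().union(*(assignment[u] for u in members))
    return len(held) == num_keys


def leave_demo():
    """EBS(5, 2, 2): evict member 0 and report who can read the new key."""
    n, k, m = 5, 2, 2
    assignment = ebs_assign(n, k, m)
    # Constructed keys for the example; real keys come from a CSPRNG.
    admin_keys = [bytes([0xA0 + i]) * 32 for i in range(k + m)]
    new_sk = bytes(range(16))
    msgs = leave_rekey(assignment, admin_keys, 0, new_sk)
    got = {u: member_recover(assignment, admin_keys, u, msgs) for u in range(n)}
    return {u: got[u] == new_sk for u in range(n)}


if __name__ == "__main__":
    print(leave_demo())  # {0: False, 1: True, 2: True, 3: True, 4: True}
    a = ebs_assign(5, 2, 2)
    print(colluders_cover_all(a, 4, [1, 4]))  # True: {0,2} and {1,3} cover all four keys
```

Note the asymmetry the example exposes: a single leave costs only m messages, but members 1 and 4 together hold all four keys, so if both leave in one batch the server cannot address the survivors with the old administrative keys at all.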
(3) Supervision:
Supervision is one of the security considerations. The term implies a somewhat indirect degree of control over security operations: in a supervising mechanism, a supervisor monitors the communications among nodes whose security level is lower than his/her own. The concept is especially important for government networks.
This work considers the supervision problem of peer-to-peer applications in cluster-based WANs and proposes a two-key agreement based supervising mechanism. The mechanism lets any two nodes within the same cluster communicate with each other while no other node can overhear them except the clusterhead of their domain and the global clusterhead. It is designed for cluster-based P2P applications.
(4) Access control:
Access control is the ability to limit and control access to systems and applications via communication networks; it comprises a variety of mechanisms that enforce access rights to resources. Role-based access control (RBAC) [43] is one such model. In RBAC, roles are defined by job functions, permissions are associated with roles, and users are made members of the appropriate roles, thereby acquiring those roles' permissions. This indirect association between users and permissions greatly simplifies the management of users' permissions. Many access control models build on RBAC, such as the spatially aware RBAC model [4][26][23].
In this work, access control for web services in WANs is discussed, and the idea of reputation management is introduced into the access control model: each user's access ability is determined by both the initially assigned role and the user's reputation information. This mechanism is called flexible access control. It enforces access control when a requester asks the web server for a service, combining the requester's role, location, and reputation with the trust degree of the routing path. The mechanism is especially applicable to web services in WANs: because users roam randomly, they may suffer attacks, and the physical place where they stay may be insecure, so the user's access rights must change to prevent the possible attacks.
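The following is an added example of the idea just described, not the Chapter 6 mechanism or its XACML policies: RBAC yields the columns a role may read, and a profile score computed from the requester's current-location reputation, overall reputation, the domain's security degree and the routing path's trust then narrows that set. The weights, the level thresholds, the 7-column record and its column sensitivities are assumptions made for the example; the same author, in the same role, gets fewer columns when requesting from an insecure place over a poorly trusted route.

```python
"""Flexible access control: an RBAC permission set narrowed by a requester profile.

Added illustration of the idea in Section 1.1 (4), not the
dissertation's Chapter 6 mechanism or its XACML policies.  The scoring
weights, the level thresholds, the 7-column table and its column
sensitivities are assumptions made for the example.
"""
from dataclasses import dataclass
from math import prod

# Assumed RBAC table: which columns of a 7-column record each role may read.
ROLE_COLUMNS = {
    "author": {"title", "abstract", "draft", "reviewer_notes",
               "author_contact", "contract", "royalty"},
    "consumer": {"title", "abstract"},
}
# Assumed sensitivity per column: 0 public ... 3 restricted.
COLUMN_SENSITIVITY = {
    "title": 0, "abstract": 0, "draft": 1, "reviewer_notes": 2,
    "author_contact": 2, "contract": 3, "royalty": 3,
}
# Assumed weights for the four profile factors (they sum to 1).
WEIGHTS = {"here": 0.25, "overall": 0.25, "domain": 0.25, "path": 0.25}


@dataclass
class Request:
    role: str
    location: str
    reputation: dict       # location -> reputation in [0, 1], kept by that domain agent
    path_trust: list       # trust in [0, 1] of each hop on the route to the server
    domain_security: dict  # location -> security degree in [0, 1]


def overall_reputation(history):
    """Mean of the reputations earned at every location visited so far."""
    return sum(history.values()) / len(history) if history else 0.0


def path_trust_degree(hops):
    """Product of per-hop trust: one untrusted hop drags the whole route down."""
    return prod(hops) if hops else 0.0


def profile_score(req):
    """Weighted combination of the four factors; unknown location or domain counts 0."""
    here = req.reputation.get(req.location, 0.0)
    return (WEIGHTS["here"] * here
            + WEIGHTS["overall"] * overall_reputation(req.reputation)
            + WEIGHTS["domain"] * req.domain_security.get(req.location, 0.0)
            + WEIGHTS["path"] * path_trust_degree(req.path_trust))


def clearance_level(score):
    """Map the score to the highest column sensitivity the requester may read."""
    for level, threshold in ((3, 0.8), (2, 0.6), (1, 0.4)):
        if score >= threshold:
            return level
    return 0


def permitted_columns(req):
    """RBAC first (role -> columns), then the profile narrows the set."""
    base = ROLE_COLUMNS.get(req.role, set())
    level = clearance_level(profile_score(req))
    return {c for c in base if COLUMN_SENSITIVITY[c] <= level}


def demo():
    """Same author, same role, two situations; returns both column sets."""
    history = {"home": 0.9, "campus": 0.8}          # constructed reputation history
    security = {"home": 0.9, "campus": 0.8, "airport": 0.3}
    at_home = Request("author", "home", history, [0.95, 0.9], security)
    # Later, from an insecure place over a poorly trusted multi-hop route.
    history2 = dict(history, airport=0.5)
    at_airport = Request("author", "airport", history2, [0.6, 0.5, 0.7], security)
    return permitted_columns(at_home), permitted_columns(at_airport)


if __name__ == "__main__":
    home, airport = demo()
    print(sorted(home))     # all seven columns
    print(sorted(airport))  # ['abstract', 'draft', 'title']
```

Scores for the two requests are 0.87625 (level 3, every column the role allows) and about 0.436 (level 1, only the public and low-sensitivity columns); the role never grants more than its RBAC set, so a consumer at home still sees only title and abstract.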
Finally, this dissertation describes the roles of each member in the communication network. They appear throughout the construction of the security schemes and mechanisms for a DRM system that supports digital content provision, group communication, peer-to-peer file sharing, and web service in cluster-based WANs. The roles of the clusterhead, the global clusterhead, and the group members are characterized in this section.
(1) The roles of a clusterhead:
It is a domain broker and a key server. As a domain broker, it manages the network of its cluster; as a key server, it manages all kinds of keys for the users of its domain.
It is a clearinghouse and one of the proxy signers. As a clearinghouse, it signs messages for any content provider.
A group of clusterheads cooperatively signs a digital license on behalf of the content provider.
(2) The roles of the global clusterhead:
There is a unique global clusterhead in a cluster-based WAN.
In addition to being one of the clusterheads, it manages the whole network.
(3) The roles of a group member in a cluster:
It can be a content provider or a consumer, and it may join or leave a cluster freely.
Peer members in the same cluster cooperatively generate their common session key for file sharing.
A group of members who purchase goods from a content provider cooperatively verify the signed digital license.
1.2 Contributions of the Dissertation
This dissertation contributes to the design and development of security schemes and mechanisms that provide secure communications over WANs. Four security issues are discussed under a DRM scenario in WANs: digital signature, key management, supervision, and access control. The schemes and mechanisms are either new or extensions of existing methods that improve security and performance. The following paragraphs describe the contributions of the four schemes and mechanisms.
The group-oriented nominative proxy signature scheme lets a content provider delegate his/her signing ability to a subset of a group of clearinghouses and designate a subset of a group of consumers as verifiers. Even when the content provider is absent from the network, his/her signing is carried out by the group of clearinghouses. A formal security analysis demonstrates that the scheme is secure enough for DRM systems in WANs.
The key management problem is addressed for secure group communications in cluster-based WANs with three batch rekeying operations that let a single user or a group of users join or leave the group easily. Both security and performance are analyzed and compared in the dissertation; the results show that the proposed scheme is secure and efficient.
A two-key agreement based supervising mechanism is proposed. It lets any two nodes within the same cluster communicate while no other node can overhear them except the clusterhead of their domain and the global clusterhead. Communications between mobile users can thus be managed, which makes P2P applications acceptable to the supervisor in WANs. Security analysis shows that the mechanism meets the security requirements and guarantees that only the supervisors can oversee the communications.
A framework for implementing a flexible access control mechanism for web services is outlined. It combines the RBAC model with a user-profile-based access control model that treats the location, the trust value of the routing path, and the requester's reputation as a profile of that requester; the requester's access privilege is a combination of his/her role and the profile evaluation result. Implementation results demonstrate that the mechanism adjusts a requester's access privilege dynamically and promptly.
1.3 Organization of the Dissertation
The remainder of the dissertation is organized as follows. Chapter 2 presents background information and reviews related information security work. The characteristics and topologies of WANs are reviewed first, followed by a review of information security. Moreover, some security problems which may arise in WANs are discussed.
From Chapter 3 to Chapter 6, security issues in WANs are discussed. Chapter 3 describes the security issue of a specific application, digital rights management (DRM), in WANs. This chapter focuses on the signature of the digital license. Because of the properties of WANs, a group-oriented nominative proxy signature scheme is proposed. The scheme allows a content provider to delegate his/her signing ability to a subset of the members of a group of clearinghouses having n members and to designate a subset of the members of a group of consumers to verify their digital licenses. Proofs are given to demonstrate the validity of the signature, and the security analysis shows that the proposed scheme satisfies the security requirements for proxy signatures. Chapter 4 describes the key management issue. In WANs, group key management is an important issue in providing secure group communications. In this dissertation, an EBS-based batch rekeying scheme is proposed. The scheme supports three operations, join, leave with collusion-resistant (L/CR), and leave with collusion-free (L/CF), for cluster-based communications in WANs. Security and performance analyses of the proposed scheme are given in this chapter. Chapter 5 describes the security issue of another specific application, peer-to-peer (P2P) communication in cluster-based WANs. This chapter focuses on the supervising issue, one of the security issues in P2P applications. A two-key agreement based supervising mechanism is proposed in this chapter. The mechanism supervises the communications between peer nodes. There are three phases in this mechanism to fulfill the supervising requirements. Likewise, security analysis shows that the proposed scheme satisfies the security requirements. Chapter 6 describes the access control mechanism for web services in cluster-based WANs. In this chapter, a flexible access control mechanism is proposed. The mechanism combines the requester's role, location, reputation, and the trust degree of the routing path. With this mechanism, the service provider easily calculates the requester's access privilege with respect to a specific resource. Therefore, a requester's access right depends not only on the initially assigned role but also on the user's profile. The implementation results show that the proposed mechanism is feasible. Finally, the last chapter draws conclusions and describes possible future work in this area.
Chapter 2 Literature Review
In this chapter, the characteristics and topologies of WANs are reviewed first. Then, information security is reviewed. Moreover, some security problems which may arise in WANs are discussed. The surveyed works are introduced in turn as follows.
2.1 Wireless Ad-Hoc Networks
Wireless communication networks are easier to deploy than conventional wired networks. As industry standards mature and the availability of wireless networking hardware grows, wireless local area networks (WLANs) are being rapidly deployed in industrial, commercial, and home networks. As a result, the use of wireless communications is becoming pervasive in our daily lives. Wireless networks cover local, metropolitan, wide, and global areas. This dissertation focuses its attention on WLANs, which use radio waves as their carrier. According to the network attachment method, there are two types of wireless networks: infrastructure-based and infrastructure-less wireless networks. Figure 2 illustrates the structure of infrastructure-based WLANs. In infrastructure-based WLANs, an access point (AP) is needed to bridge wireless LAN traffic into the wired LAN. An AP can also act as a repeater for wireless nodes. The basic service set (BSS) is the set of all stations that can communicate with each other, and an extended service set (ESS) is a set of connected BSSs. The APs in an ESS are connected by a distribution system (DS). The concept of a DS can be used to increase network coverage through roaming between cells.
Figure 2. The structure of infrastructure-based WLANs
As wireless technology becomes more robust and sophisticated, multihop wireless networks are rapidly gaining attention. Multihop wireless networks, i.e., infrastructure-less WLANs, consist of wireless devices that communicate with each other either directly or using one or more other devices as intermediate forwarders. These networks can be deployed either as stand-alone networks or as edge networks extending the reach of the Internet. WANs support this kind of infrastructure-less topology: they are a collection of mobile nodes that dynamically form a temporary network without using any existing network infrastructure. In addition, some cooperative networks are deployed as WANs for a specific purpose; they are widely used in fields such as the military and collaborative business environments. Unlike a fixed wireless network, the framework of WANs is characterized by the lack of infrastructure. Mobile nodes in WANs are free to move and organize themselves in an arbitrary fashion. Figure 3 illustrates the structure of WANs. Each user is free to roam about while communicating with others. The path between each pair of users may consist of multiple links, and the radios between them can be heterogeneous. This allows an association of various links to be part of the same network. The challenges of WANs include:
Limited wireless transmission range
Packet losses due to transmission errors
Mobility-induced route changes
Battery constraints
Security issues
Figure 3. The structure of WANs
There are three types of routing protocols in WANs [36][41]: table-driven routing protocols, on-demand routing protocols, and hybrid routing protocols. Examples of routing protocols in WANs are shown in Table 1.
Table 1. The classification of routing protocols in WANs
Table-driven: hop-by-hop routing: DSDV, CGSR
On-demand: source routing: DSR; hop-by-hop routing: TORA, AODV, CBRP
Hybrid: ZRP
A table-driven routing protocol is a kind of proactive protocol. It propagates topology information periodically and continuously finds routes between any two nodes in the network. Some of the well-known table-driven routing protocols, such as the Destination-Sequenced Distance Vector (DSDV) protocol [37] and the Clusterhead Gateway Switch Routing Protocol (CGSR) [2], require each mobile node to update and maintain the route entries within its own routing table whenever the network topology changes, so that the most recent and shortest path can be chosen. This also requires a relatively large number of route control messages to keep each node informed of the latest network topology. Thus, this approach generally consumes a significant amount of network resources.
An on-demand routing protocol is a kind of reactive protocol. It finds routes only when it needs them to send data packets. Well-known on-demand routing protocols include Dynamic Source Routing (DSR) [13], Ad-Hoc On-Demand Distance Vector (AODV) [38], the Cluster-based Routing Protocol (CBRP) [12], and the Temporally-Ordered Routing Algorithm (TORA) [35]. They do not use up resources to maintain a routing table with a view of the entire topology; instead, routes are only established or maintained when a source demands a route to transmit packets or when the routes are currently in use. Taking the AODV routing protocol as an example, it was designed specifically for operation in WANs. Mobile nodes that are not involved in any active route maintain neither routing information nor periodic routing table exchanges. Since AODV is an on-demand routing protocol, a node need not discover and maintain a route to any other node in the network until a source node demands communication with a destination node. AODV also makes use of the destination sequence numbers from the DSDV protocol to ensure that the most recent routing information is chosen between nodes. Every node in AODV maintains a sequence number which increases monotonically when it sends a new message. The greater the sequence number a route has, the fresher the route is. Thus, if there are two or more routes to a destination, the node always selects the one with the greatest sequence number. In addition, CBRP is a cluster-based routing algorithm like CGSR, except that it is an on-demand routing mechanism whereas CGSR is table-driven. The concept of the cluster is discussed in detail later in this section. In short, in table-driven protocols each node maintains up-to-date routing information to all the nodes in the network, whereas in on-demand protocols a node finds the route to a destination when it wants to send packets to that destination.
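The sequence-number freshness rule described above, as an added example that is neither code from the dissertation nor from the AODV specification: a minimal route table that replaces its stored route only with a fresher one. The tie-break on hop count for equal sequence numbers is AODV's own rule (RFC 3561) and goes beyond what the text states.

```go
package main

import "fmt"

// RouteEntry is one row of an AODV-style routing table: the route currently
// held for a destination, tagged with the destination sequence number.
type RouteEntry struct {
	Dest    string
	NextHop string
	Hops    int
	DestSeq uint32 // destination sequence number; higher means fresher
}

// RoutingTable maps each destination to the route currently in use.
type RoutingTable map[string]RouteEntry

// Offer applies the freshness rule: a candidate replaces the stored route only
// if it carries a greater destination sequence number. When the numbers are
// equal, the shorter route wins; that tie-break is AODV's own rule (RFC 3561)
// rather than something the text states. It reports whether the table changed,
// so stale or duplicate information is visibly ignored.
func (rt RoutingTable) Offer(c RouteEntry) bool {
	cur, known := rt[c.Dest]
	switch {
	case !known:
		// first route learned for this destination
	case c.DestSeq > cur.DestSeq:
		// fresher knowledge about the destination
	case c.DestSeq == cur.DestSeq && c.Hops < cur.Hops:
		// equally fresh but shorter
	default:
		return false // older, or no better than what is already held
	}
	rt[c.Dest] = c
	return true
}

func main() {
	rt := RoutingTable{}
	// Constructed sample: four route replies for destination D seen by one node.
	rt.Offer(RouteEntry{Dest: "D", NextHop: "B", Hops: 3, DestSeq: 10})
	rt.Offer(RouteEntry{Dest: "D", NextHop: "C", Hops: 2, DestSeq: 10}) // same freshness, shorter
	rt.Offer(RouteEntry{Dest: "D", NextHop: "E", Hops: 5, DestSeq: 12}) // fresher, wins despite length
	rt.Offer(RouteEntry{Dest: "D", NextHop: "F", Hops: 1, DestSeq: 8})  // stale, ignored
	fmt.Printf("%+v\n", rt["D"])
}
```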
Compared to table-driven and on-demand routing protocols, a hybrid routing protocol combines features of both, e.g. the Zone Routing Protocol (ZRP) [8]. In ZRP, each node dynamically maintains a zone centered at itself. A zone is a collection of neighbors and links within a predefined number of hops called the zone radius. The construction of a zone requires a node to discover its neighbors. ZRP uses a separate Neighbor Discovery Protocol (NDP) for this purpose. In NDP, nodes typically broadcast periodic hello messages.
Because the cluster-based structure in WANs is used in this dissertation, it is discussed in detail here. A cluster-based structure is a kind of control structure or routing mechanism in WANs. For example, CGSR organizes a network into clusters and elects a clusterhead in each cluster by running an efficient clustering algorithm. The other nodes in each cluster are one hop away from the clusterhead. Nodes that belong to more than one cluster are gateways. With cluster-based control, the physical network is transformed into a virtual network of interconnected node clusters. Each cluster has one or more controllers acting on its behalf to make control decisions for cluster members and to represent the cluster in communication with other clusters. There are three types of controlling architectures: link-clustered, near-term digital radio (NTDR), and hierarchical [36].
In the link-clustered architecture, each cluster contains a clusterhead, one or more gateways, and zero or more ordinary nodes that are neither clusterheads nor gateways. With the link-clustered architecture, all cluster members are within one hop of the clusterhead and hence within two hops of each other. This arrangement provides low-delay paths between cluster members that may communicate frequently, and it places clusterheads in the ideal locations to coordinate transmissions among their cluster members.
The NTDR control architecture [40][41][53][54] is an army data communication network component, with applications currently targeted at IP backbone responsibilities in the Tactical Internet. It produces a set of clusters, each containing a clusterhead, which when linked together form a routing backbone. NTDR uses a contention-based channel access protocol that relies on a sender-receiver handshake. NTDR uses clustering and link state routing, and self-organizes into a two-tier hierarchical ad-hoc network: intra-cluster and inter-cluster. The two-tier hierarchy is used to increase capacity and to reduce multiple access interference and relay delays. In NTDR, the clusterheads are themselves fully mobile. Cluster members automatically re-affiliate when moving out of range of one cluster and into another. The NTDR architecture restricts direct inter-cluster communication to clusterheads only; hence, the clusterheads function as gateways. Inter-cluster communication is restricted in this way to provide secure communication among the clusterheads. Furthermore, a cluster cannot be treated as an arbitrary multihop network: neighboring nodes within one hop of each other can communicate directly, but all other intra-cluster communication must traverse the clusterhead. An NTDR node elects itself as a clusterhead if it does not detect any other clusterhead in its vicinity or if it detects that it can heal a network partition. In addition, intra-cluster communication is used to provide secure communication within one cluster. Any pair of nodes must complete their communication via clusterheads. Figure 4 illustrates the architecture of NTDR. There are three clusters, A, B, and C, in the network. Suppose host a in cluster A wants to communicate with host b in cluster B. Then the messages sent from host a are delivered to host b along the routing path A.a → A.CH → B.CH → B.b.
Figure 4. The architecture of Near Term Digital Radio (NTDR)
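The NTDR forwarding rules just described (direct delivery within one hop, clusterhead relay inside a cluster, clusterhead-to-clusterhead relay between clusters), as an added example that is not code from the dissertation or from NTDR: a constructed three-cluster topology in the shape of Figure 4 and a routing function that reproduces the path A.a → A.CH → B.CH → B.b. Lowest-ID clusterhead election and the node names are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Net is a constructed cluster-based network in the NTDR style: each node is
// in exactly one cluster and within one radio hop of that cluster's head.
type Net struct {
	Cluster map[string]string          // node -> cluster name
	Links   map[string]map[string]bool // symmetric one-hop radio links
	Head    map[string]string          // cluster -> elected clusterhead
}

// AddNode registers a node as a member of the named cluster.
func (n *Net) AddNode(node, cluster string) {
	n.Cluster[node] = cluster
	if n.Links[node] == nil {
		n.Links[node] = map[string]bool{}
	}
}

// Link records that a and b hear each other directly.
func (n *Net) Link(a, b string) {
	n.Links[a][b] = true
	n.Links[b][a] = true
}

// ElectHeads makes the lowest-ID member of each cluster its clusterhead, a common
// clustering criterion (assumed here, not an NTDR detail); "A.CH" sorts before "A.a".
func (n *Net) ElectHeads() {
	members := map[string][]string{}
	for node, c := range n.Cluster {
		members[c] = append(members[c], node)
	}
	for c, ms := range members {
		sort.Strings(ms)
		n.Head[c] = ms[0]
		for _, m := range ms[1:] { // every member is one hop from its head
			n.Link(ms[0], m)
		}
	}
}

// Route returns the forwarding path under the NTDR rules in the text: nodes within
// one hop talk directly; other intra-cluster traffic traverses the clusterhead;
// inter-cluster traffic goes src -> own head -> destination's head -> dst, since
// only clusterheads talk across clusters (heads must hear each other directly here).
func (n *Net) Route(src, dst string) ([]string, error) {
	cs, okS := n.Cluster[src]
	cd, okD := n.Cluster[dst]
	if !okS || !okD {
		return nil, errors.New("unknown node")
	}
	if n.Links[src][dst] {
		return []string{src, dst}, nil // direct one-hop delivery
	}
	hs, hd := n.Head[cs], n.Head[cd]
	if cs == cd {
		return compact([]string{src, hs, dst}), nil
	}
	if !n.Links[hs][hd] {
		return nil, fmt.Errorf("clusterheads %s and %s are not linked", hs, hd)
	}
	return compact([]string{src, hs, hd, dst}), nil
}

// compact drops consecutive duplicates, e.g. when src is itself the head.
func compact(p []string) []string {
	out := []string{p[0]}
	for _, x := range p[1:] {
		if x != out[len(out)-1] {
			out = append(out, x)
		}
	}
	return out
}

// SampleNet builds the three-cluster topology of Figure 4 with constructed node
// names; only the clusterhead pairs A.CH-B.CH and B.CH-C.CH are linked.
func SampleNet() *Net {
	n := &Net{Cluster: map[string]string{}, Links: map[string]map[string]bool{}, Head: map[string]string{}}
	for _, nc := range [][2]string{{"A.CH", "A"}, {"A.a", "A"}, {"A.c", "A"},
		{"B.CH", "B"}, {"B.b", "B"}, {"C.CH", "C"}, {"C.d", "C"}} {
		n.AddNode(nc[0], nc[1])
	}
	n.ElectHeads()
	n.Link("A.CH", "B.CH") // inter-cluster backbone between clusterheads
	n.Link("B.CH", "C.CH")
	return n
}

func main() { fmt.Println(SampleNet().Route("A.a", "B.b")) } // [A.a A.CH B.CH B.b] <nil>
```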
In a hierarchical cluster-based control architecture, a network consisting of N nodes is organized into an m-level hierarchy of nested clusters of nodes such that all level-i clusters are disjoint for 0 ≤ i ≤ m. In addition, clusterhead selection can be done by some criterion, e.g. the lowest ID in the cluster.
2.2 Security Issues in WANs
The primary objective of this dissertation is to propose protocols which provide secure communications for users over WANs. Hence, this section describes some security issues. Due to their dynamic nature and the lack of centralized monitoring points, nodes in WANs are vulnerable to various kinds of attacks. There are several reasons that make security issues in WANs different from, and more challenging than, those in wired networks. First, owing to the broadcast nature of WANs, the nodes use the wireless medium to communicate with each other. Any node within the radio range of another node can always listen to what is being broadcast; thus it is easy for an adversary to eavesdrop, modify, or inject false packets, as the medium is open and the attacker does not have to physically tap into network wires to gain access. Moreover, in WANs there is no clear line of defense to prevent illegitimate access to the network. In addition, nodes in WANs also act as routers and are required to forward packets sent from their neighbors in a multi-hop manner. Thus a selfish or malicious node can choose to drop packets rather than forward them in order to save its energy or to disrupt network operation. It is also easy for any malicious node to broadcast false information and disturb the operation of the network. Another property of WANs that poses challenging threats to its security is its constantly changing topology. The nodes in WANs are expected to join on the fly as they move in and out of the network. Therefore, key management is an important issue when users issue a join or leave request.
In addition, authentication, availability, confidentiality, integrity, authorization, and non-repudiation are also security needs in WANs. ITU-T Recommendation X.800 [46], Security Architecture for OSI, defines security services to ensure adequate security of the systems or of data transfers, and an availability service to ensure a system's availability. X.800 divides these services into five categories: authentication, access control, data confidentiality, data integrity, and non-repudiation. X.800 also defines security mechanisms associated with these security services: encipherment, digital signature, access control, data integrity, authentication exchange, traffic padding, routing control, and notarization. The definitions of these security services [27] are described as follows:
(1) Authentication: Authentication is a service related to identification. In other words, authentication is any process by which one verifies that someone is who they claim to be. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is subdivided into two classes: entity authentication and data origin authentication. Entity authentication is required to make sure that the network is not deceived by malicious nodes which provide false information or intercept data from genuine users.
(2) Availability: Availability is a service which refers to the availability of information resources. An information system or network system that is not available when you need it. In WANs, data packets from a source node are relayed over a sequence of intermediate nodes to the destination node. All nodes in WANs are required to relay packets on behalf of other nodes. However, a node may misbehave by agreeing to forward packets and then failing to do so, because it is overloaded, selfish, or malicious. A selfish node is unwilling to spend battery life or available network bandwidth to forward packets. A malicious node redirects packets onto another routing path or launches denial-of-service (DoS) attacks. These misbehaving nodes severely degrade network performance and prevent the network from providing service to users. Consequently, misbehaving nodes are a significant security problem in WANs.
(3) Data confidentiality: Confidentiality is a service used to keep the content of information from all but those authorized to have it. This service is important to make sure that information about the network is not exposed to malicious nodes.
(4) Data integrity: Integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. In WANs, integrity assures that data packets will not be modified or altered by an adversary.
(5) Authorization: Authorization is a service which specifies access rights to resources; it is related to information security and computer security in general and to access control in particular. Hence, authorization is the act of checking whether a user has the proper permission to access a particular file or perform a particular action. In WANs, rules and regulations define the restriction of responsibilities of the network and of individual nodes. In addition,
(6) Non-repudiation: Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. In WANs, non-repudiation prevents a node from denying that it has sent a message after it has done so.
Chapter 3 A Group-Oriented Nominative Proxy Signature Scheme for Digital Rights Management
The increasing availability of information technology and computer networks has made trading digital content over the Internet very convenient. However, digital content is easy to copy and redistribute in ways that violate the intended use of the product. Digital Rights Management (DRM) is a system used to protect digital assets and to control their distribution and usage. DRM systems separate the protected content from the digital license. A digital license controls how the content may be accessed by consumers; a consumer can download the digital license after paying for it. DRM systems provide confidentiality, integrity and authenticity protection for digital content.
Nowadays, mobile commerce is becoming more important as mobile networks and services expand widely. While mobility presents some special requirements and limitations, it also creates new possibilities for DRM. A DRM system must be adapted into a new form, Mobile DRM (M-DRM). One of the major issues raised by M-DRM systems concerns the integrity of the license. In this dissertation, a group-oriented nominative proxy signature scheme (GO-NPSS) is proposed. The scheme allows a content provider to delegate his/her signing ability to a subset of the members of a group of clearinghouses having n members, and to designate a subset of the members of a group of consumers purchasing the same products, having l members, to verify their digital licenses. In the proposed scheme, (t, n) proxy signers sign the specific digital license on behalf of the content provider, and (w, l) verifiers verify the proxy signature. The proposed scheme guarantees that the digital products come from the authorized providers. A formal security analysis demonstrates that our scheme is secure enough to be used in DRM systems.
3.1 Digital Rights Management Introduction
Digital Rights Management (DRM) systems are technologies for distributing digital content in a secure manner that protects and manages the rights of all participants. DRM provides a solution to the problem of illegal content distribution on the Internet. A DRM system should offer persistent content protection against unauthorized access to the digital content, limiting access to only those with the proper authorization. The core concept in DRM is the use of digital licenses. Through digital licensing, content providers gain much more control over what the consumer can do with the content. Figure 5 illustrates the concept of the operation mode in a DRM system. The basic DRM process involves four parties [21], as shown in Figure 6: the content provider, the distributor, the clearinghouse, and the consumer. These terms are described in detail as follows:
Content Provider: A content provider may be an organization, a company, or a person in a C2C business model who offers digital content to consumers, protected with their own DRM tools. Protected content is bound to a set of rights, a notion that is described in a license.
Distributor: A distributor provides distribution channels. The distributor receives the digital content from the content provider and creates a web catalogue presenting the contents and rights metadata.
Clearinghouse: A clearinghouse handles the financial transaction for issuing the digital license to the consumer and pays royalty fees to the content provider and distribution fees to the distributor accordingly. The clearinghouse is also responsible for logging license consumptions for every consumer.
Consumer: A consumer uses the system to consume the digital content by retrieving downloadable or streaming content through the distribution channel and then paying for the digital license.
Figure 5. The concept of operation mode in DRM system
Figure 6. The components in DRM system [21]
A DRM system requires persistent content protection, meaning that the protection has to stay with the content. Essential security requirements in DRM systems include data protection, which protects against unauthorized interception and modification; identification of recipients, which prevents unauthorized access and enables access control for the digital content; and a tamper-resistant mechanism, which manages protected data and enforces content usage rights.
Most DRM systems adopt a license-based mechanism which separates the keys from the encrypted content [10]. The encrypted content is delivered to a consumer from the distributor, while the license including the keys is transported to the DRM client from a license server [10]. For example, the DRM system provided by Microsoft, as shown in Figure 7, is a license-based system [28]. There are three components in the system: the content provider, the license server, and the consumer. The protected content is encrypted with an encryption key. This key is generated from the seed and the key ID and is part of the signed license. A consumer downloads the protected content from the service provider. Then, the DRM management platform at the end-user site checks the status of the digital license associated with this content. The consumer has to obtain a valid digital license from the license server before using the digital content. In addition, the Open Mobile Alliance (OMA) has released two DRM versions [32]: OMA DRM 1.0, approved in 2004, and OMA DRM 2.0, approved in 2006. OMA DRM 1.0 specifies three main methods: Forward Lock, Combined Delivery, and Separate Delivery. In Forward Lock mode, the content is packaged and sent to the mobile terminal as a DRM message. The mobile terminal can use the content, but cannot forward it to other devices or modify it. However, Forward Lock content is not encrypted when it is received or when it is stored in phone memory. In Combined Delivery mode, the digital rights are packaged with a content object in the DRM message. The user can use the content as defined in the rights object, but cannot forward or modify it. The rights object is written in DRMREL (DRM Rights Expression Language) and defines the number of times and the length of time that the content can be used, thus enabling a preview feature. In the Forward Lock mode and the Combined Delivery mode, the content is not encrypted. In the Separate Delivery mode, the content and the rights are packaged and delivered separately. The content is encrypted into the DRM Content Format (DCF) using a symmetric cryptographic method. In the Separate Delivery mode, the symmetric encryption key is not encrypted.
The OMA DRM 2.0 standard is an extension of version 1.0. The OMA DRM 2.0 is composed of four parts: Public Key Infrastructure (PKI), Rights Object Acquisition Protocol (ROAP), DRM Content Format (DCF), and Rights Expression Language (REL). DRM 2.0 looks like the Separate Delivery in DRM 1.0 but the Rights Object (RO) is signed and passed with the PKI mechanism to assure security, authenticity and integrity. The DRM Agent is the entity in the device that manages permissions for media objects on the device. With the mobile DRM Agent, devices not connected to a network could use the DRM content.
especially in mobile networks. Digital signatures provide data integrity, non-repudiation, and authentication. Therefore, digital signature is an important security mechanism for license-based DRM systems.
Figure 7. The overall DRM framework provided by Microsoft Corporation [28]
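A license-based flow of the kind described above, as an added example that is neither Microsoft's nor OMA's code: the content is encrypted under a key derived from a seed and a key ID, the key travels only inside a signed license delivered separately, and the client decrypts only after the license signature and key ID check out. The HMAC-SHA256 key derivation, AES-GCM, P-256 ECDSA and the rights string are this example's assumptions, not details the text gives.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// License is the object delivered separately from the encrypted content. It
// carries the content key, so its integrity is what the signature protects.
type License struct {
	KeyID  string `json:"key_id"`
	Key    []byte `json:"key"`
	Rights string `json:"rights"` // constructed rights string, e.g. "play:3"
}

// contentKey derives a 256-bit content key from the provider's secret seed and
// the key ID; HMAC-SHA256 is this example's stand-in for the derivation the
// text only names ("generated by the seed and key ID").
func contentKey(seed []byte, keyID string) []byte {
	m := hmac.New(sha256.New, seed)
	m.Write([]byte(keyID))
	return m.Sum(nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// protect encrypts the content with AES-256-GCM; the random nonce is prepended.
func protect(key, content []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, content, nil), nil
}

// issueLicense serialises the license and signs its hash with the license
// server's ECDSA key; body and signature travel together to the consumer.
func issueLicense(priv *ecdsa.PrivateKey, lic License) (body, sig []byte, err error) {
	if body, err = json.Marshal(lic); err != nil { return nil, nil, err }
	h := sha256.Sum256(body)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return body, sig, err
}

// consume is the DRM client: it refuses to decrypt unless the license verifies
// under the license server's public key and names this content's key ID.
func consume(pub *ecdsa.PublicKey, body, sig []byte, keyID string, protected []byte) ([]byte, error) {
	h := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(pub, h[:], sig) { return nil, errors.New("license signature invalid") }
	var lic License
	if err := json.Unmarshal(body, &lic); err != nil { return nil, err }
	if lic.KeyID != keyID { return nil, errors.New("license does not cover this content") }
	gcm, err := gcmFor(lic.Key)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(protected) < ns { return nil, errors.New("protected content too short") }
	return gcm.Open(nil, protected[:ns], protected[ns:], nil)
}

// Demo runs the whole flow on constructed values and also checks that a
// license whose rights were edited after signing is rejected.
func Demo() (plain []byte, tamperedRejected bool) {
	seed := []byte("provider-secret-seed (constructed)")
	const keyID = "song-0042"
	key := contentKey(seed, keyID)
	protected, err := protect(key, []byte("protected media bytes (constructed)"))
	must(err)
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	body, sig, err := issueLicense(priv, License{KeyID: keyID, Key: key, Rights: "play:3"})
	must(err)
	plain, err = consume(&priv.PublicKey, body, sig, keyID, protected)
	must(err)
	// Raise the play count without re-signing: the signature no longer matches.
	forged := bytes.Replace(body, []byte("play:3"), []byte("play:99"), 1)
	_, ferr := consume(&priv.PublicKey, forged, sig, keyID, protected)
	return plain, ferr != nil
}

func must(err error) {
	if err != nil { panic(err) }
}

func main() {
	plain, rejected := Demo()
	fmt.Printf("%s | tampered license rejected: %v\n", plain, rejected)
}
```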
In mobile networks where the nodes constantly move, and in some specific networks like WANs or sensor networks, the network topology changes continuously; thus, a normal signature scheme is not suitable for DRM systems. Instead, an original-nominative proxy signature scheme is suitable for this situation. An original-nominative proxy signature is a scheme in which the original signer can delegate his/her signing power to a proxy signer, who generates a proxy signature on behalf of the original signer, and can designate the verifier who verifies the proxy signature. In this scheme, only the nominee, i.e. the verifier, can verify the signature and, if necessary, only the nominee can prove its validity to a third party [52].
In this dissertation, a group-oriented nominative proxy signature scheme (GO-NPSS) is proposed. The scheme allows a content provider, named the original signer hereafter, to delegate his/her signing ability to a subset of the distributors, named the proxy group hereafter, having n members, and to designate a subset of the consumers, named the verifier group hereafter, having l members, to verify the validity of his/her digital licenses for the mobile users. Therefore, (t, n) proxy signers sign the specific license on behalf of the original signer and (w, l) verifiers verify the proxy signature. Most important of all, our scheme prevents the original signer from repudiating the validity of a digital license which was delivered previously to the clients. In addition, the proposed scheme complies with all security requirements of digital signature, proxy signature and original-nominative proxy signature schemes.
The remainder of this chapter is organized as follows: In Section 3.2, related works are discussed. The proposed scheme is detailed in Section 3.3. In Section 3.4, the security analysis is given. In Section 3.5, the performance analysis is discussed. In the last section, conclusions are presented.
3.2 Related Works
In this section, the concepts of the proxy signature scheme and the nominative proxy signature scheme are introduced.
3.2.1 Proxy Signature Scheme
Proxy signatures originated from the concept of the digital signature and have found numerous practical applications, particularly in distributed computing [7][14][18], such as the strong proxy signature scheme [18] and the one-time proxy signature scheme [14]. A digital signature is used to establish both signer authenticity and data integrity. Therefore, a digital signature has several good properties: integrity, authenticity, verifiability, unforgeability, non-repudiability, etc. A proxy signature not only inherits these properties but also adds some useful ones. It is useful when the original signer is not available to sign a specific document. In 1996, Mambo et al. [25] first introduced the concept of a proxy signature scheme, which permits an entity to delegate its signing rights to one or more entities, called proxy signer(s), to sign messages on its behalf in case of temporary absence, lack of time or computational power, etc. A delegated proxy signer can generate a verifiable proxy signature that can be verified by anyone. A verifier can verify the proxy signature and the original signer's delegation by using a proxy verification algorithm and the public key information of both the original signer and the proxy signer. Furthermore, many extensions of the basic proxy signature primitive have been considered. These include threshold proxy signatures [48][49][57], nominative proxy signatures [34], and multi-proxy signature schemes [9].
There are three kinds of proxy signatures: full delegation, partial delegation, and delegation by warrant. These terms are described in detail as follows:
Full delegation: Full delegation is a kind of proxy-unprotected proxy signature. In full delegation, the proxy signer is given the same private key as the original signer has, and computes the same signatures as the original signer does. Therefore, the original signer should take all the responsibility for messages signed by the proxy signer.
Partial delegation: partial delegation is further classified into two parts: proxy-unprotected and proxy-protected according to protection of proxy signer. In the proxy-unprotected partial delegation, the original signer uses his/her private key and a random key to create a proxy signature key and sends it to the proxy signer. The proxy signer uses the proxy signature key to compute proxy signatures on behalf of the original signer. In the proxy-protected partial delegation, the proxy signer generates the proxy signature using the delegation key generated by the original signer and its private key.
Delegation by warrant: Delegation by warrant is a kind of proxy-protected proxy signature. In delegation by warrant, the original signer restricts the proxy signer's signing ability by a warrant which records the identities of the original signer and the proxy, the type of message delegated and the delegation