Constructing Secure Group Communication over Wireless Mobile Ad Hoc Networks Based on a Virtual Subnet
Academic year: 2021

Research Express@NCKU - Articles Digest

Research Express@NCKU Volume 7 Issue 1 - December 19, 2008 [ http://research.ncku.edu.tw/re/articles/e/20081219/3.html ]

VLAN-based Secure Group Communication

over Wireless Ad Hoc Networks

Yueh-Min Huang

Department of Engineering Science, College of Engineering, National Cheng Kung University

[email protected]

*This article is tailored from the paper: Y.M. Huang*, C.H. Yeh, T.I. Wang, and H.C. Chao, Constructing Secure Group Communication over Wireless Ad Hoc Networks based on a Virtual Subnet Model, IEEE Wireless Communications, 14(5), Oct. 2007, (Rank 3/66, SCI-indexed)

In recent years, our lives have been profoundly affected by mobile devices such as PDAs and notebooks, and this has led to a trend of using the mobile ad hoc network (MANET) rather than conventional station-based wireless systems, taking advantage of node mobility to form dynamic groups on demand. Data packets can be broadcast and received by all nodes within a group. However, more than one communication group may exist at the same time, and a malicious non-member node can sense the broadcast and eavesdrop on the transmitted data. Consequently, the efficiency and security of group communication in a MANET are vital. This study proposes a virtual subnet model for constructing secure group communication over a MANET. The model includes an initiation stage to assign the related parameters, a creation stage to construct groups, a group key agreement stage to share the secret key, and maintenance and transmission mechanisms that realise the virtual subnet behaviour and communication. With our model, group communication in a MANET can completely satisfy the needs for both security and efficiency.

In 1976, the original two-party Diffie-Hellman key exchange protocol was proposed. It uses two system parameters: a prime number q and an integer a less than q. If two participants, I and J, need to share a secret key, they create random private values XI and XJ respectively. By exchanging their public values and applying the following equation they can share a common secret key, where I's public value is

YI = and J's public value is YJ = .

GDH.3 extended the original two-party key exchange protocol to an n-party setting in which n participants share a common group key, assuming the participants already know each other. However, a dynamic MANET has an uncertain topology, which makes it difficult for a node to know the other members of its group in advance. Our model also addresses this situation by providing both group construction and group key exchange for secure communication.

With the progress of networking technology, the Virtual Local Area Network (VLAN) is an effective way to connect devices in the same network segment without a physical connection. When multiple groups communicate in the same MANET it is necessary to partition the network into multiple domains, as a VLAN does, but the question arises of how a node knows the other members of its group in advance. This motivates us to design an agent node that takes charge of announcing pre-defined groups or accepting and registering new groups, since groups are formed around a common interest or topic. In addition, we design three rules to implement the virtual subnet in a MANET.

a. Each packet includes a virtual subnet identification field (VSID) in the packet header to distinguish which virtual subnet it belongs to. If the packet is a non-virtual-subnet packet then the field is null.

b. Each node reserves a forwarding cache table that stores VSIDs and acts as a filter to decide whether a packet should be relayed or not.

c. When a node receives a cache request packet (CREQ), carried in the hello messages by which a virtual subnet advertises its existence, it inserts the VSID from the hello message into its forwarding cache table.

Initiation stage

When a node arrives in a specific area, it goes to the agent node to register with its group, or it can create a new group at the agent node and join it. Meanwhile, the agent node prepares an individual hash function h() and security parameters q and a for each group and assigns them to the node.

Creation stage

We consider source-initiated communication, in which the source node initiates a virtual subnet. The source node broadcasts an advertisement, a VS-REQUEST packet including <Nonces, IDs, h(Nonces||IDs)>. Other nodes receive it and identify whether the source node is in the same group by inspecting h(Nonces||IDs). Because the same group shares the same h(), only a node belonging to the same group can correctly verify it and reply with a VS-REPLY packet including <Noncei, IDi, h(Noncei||IDi)>. Similarly, the source node identifies whether the replying node is in the same group by inspecting h(Noncei||IDi), collects the IDs of the group members, and adopts its own ID as the VSID. Finally, the source node propagates the virtual subnet information <Nonces, IDs, VSID, virtual subnet member list, h(Nonces||IDs)> to the members of the virtual subnet.
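The creation stage above, as an added example that is not the paper's code. The paper does not say how the per-group hash h() is individualised, so it is modelled here as HMAC-SHA256 keyed with a group secret handed out by the agent node (an assumption); node names, secrets and nonce sizes are constructed.

```python
import hmac
import hashlib
import secrets

def make_group_hash(group_secret: bytes):
    # Assumption: the group's individual h() is an HMAC keyed with a secret the
    # agent node assigns in the initiation stage; outsiders cannot compute it.
    def h(nonce: bytes, node_id: str) -> bytes:
        return hmac.new(group_secret, nonce + node_id.encode(), hashlib.sha256).digest()
    return h

class Node:
    def __init__(self, node_id: str, group_secret: bytes):
        self.id = node_id
        self.h = make_group_hash(group_secret)

    def vs_request(self):
        # VS-REQUEST = <Nonce_s, ID_s, h(Nonce_s || ID_s)>
        nonce = secrets.token_bytes(16)
        return (nonce, self.id, self.h(nonce, self.id))

    def verify(self, nonce: bytes, node_id: str, tag: bytes) -> bool:
        # Only a node holding the same h() recomputes the tag; compare in constant time
        return hmac.compare_digest(self.h(nonce, node_id), tag)

    def vs_reply(self, request):
        nonce_s, id_s, tag_s = request
        if not self.verify(nonce_s, id_s, tag_s):
            return None                     # source is not in my group: no reply
        nonce = secrets.token_bytes(16)     # VS-REPLY = <Nonce_i, ID_i, h(Nonce_i || ID_i)>
        return (nonce, self.id, self.h(nonce, self.id))

def create_virtual_subnet(source: Node, neighbours):
    """Source broadcasts VS-REQUEST, keeps only verifiable VS-REPLYs and returns
    <Nonce_s, ID_s, VSID, member list, h(Nonce_s || ID_s)>."""
    request = source.vs_request()
    members = [source.id]
    for node in neighbours:
        reply = node.vs_reply(request)
        if reply is not None and source.verify(*reply):
            members.append(reply[1])
    nonce_s, id_s, tag_s = request
    vsid = source.id                        # the source adopts its own ID as the VSID
    return (nonce_s, id_s, vsid, members, tag_s)
```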

Maintenance Mechanism

The forwarding cache table works as the filter in a VLAN, since groups are distinguished from virtual subnets by their VSIDs. When a node receives a CREQ packet containing a VSID from a neighbour node, it inserts the VSID into its forwarding cache table. Conversely, a node deletes a VSID from its forwarding cache table when it has not forwarded any packet to the virtual subnet identified by that VSID for a period of time.

Transmission Mechanism

When communication starts in a virtual subnet, its packets include a VSID, and the receiving node inspects and processes each packet with the following algorithm:

Begin
  If the packet has not been received before then   /* avoid forwarding loops */
    If the receiving node is in the same virtual subnet as the source node then
      Accept and forward the packet;
      Reply an ACK packet to the source node
    Else-if the VSID exists in the forwarding cache table then
      Forward the packet
    Else   /* VSID does not exist in the forwarding cache table of the receiving node */
      Drop the packet
    End-if
  End-if
End
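The maintenance and transmission mechanisms together, as an added example that is not the paper's code: one node's forwarding cache table, CREQ insertion, time-based expiry and the packet-handling algorithm above. Packet ids, VSID values and the cache lifetime are constructed; the "pkt_id" field used for duplicate detection is an assumption, since the paper only says a packet must not have been received before.

```python
import time

class ForwardingNode:
    def __init__(self, node_id, my_vsids, cache_ttl=30.0):
        self.id = node_id
        self.my_vsids = set(my_vsids)   # virtual subnets this node is a member of
        self.cache = {}                 # forwarding cache table: VSID -> last relay time
        self.seen = set()               # packet ids already processed (loop avoidance)
        self.cache_ttl = cache_ttl      # constructed expiry period

    def on_creq(self, vsid, now=None):
        # Maintenance: a CREQ carried in a neighbour's hello message installs the VSID
        self.cache[vsid] = time.time() if now is None else now

    def expire(self, now=None):
        # Maintenance: remove VSIDs this node has not relayed for a while
        now = time.time() if now is None else now
        for vsid in [v for v, t in self.cache.items() if now - t > self.cache_ttl]:
            del self.cache[vsid]

    def handle(self, pkt, now=None):
        """Apply the transmission algorithm to a packet {"pkt_id": ..., "vsid": ...}.
        Returns 'accept+forward+ack', 'forward', 'drop' or 'duplicate'."""
        now = time.time() if now is None else now
        if pkt["pkt_id"] in self.seen:
            return "duplicate"              # already received: do not relay again
        self.seen.add(pkt["pkt_id"])
        vsid = pkt["vsid"]
        if vsid in self.my_vsids:
            return "accept+forward+ack"     # member: accept, forward, ACK the source
        if vsid in self.cache:
            self.cache[vsid] = now          # relaying keeps the cache entry alive
            return "forward"
        return "drop"                       # VSID unknown to this node
```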

Group Key Agreement Stage

In order to prevent eavesdropping on and tampering with the information exchanged during the group key agreement procedure, our model extends GDH.3 to accommodate a MANET environment. The method is shown in Figure and the following notation is used.

n: number of participants
i, j: indices of virtual subnet members
Mi: i-th virtual subnet member
Xi: i-th private value
Yi: i-th public value
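Both the two-party Diffie-Hellman and GDH.3 passage earlier and this stage's notation, as an added example that is not the paper's code: the two-party exchange and the standard GDH.3 protocol of Steiner, Tsudik and Waidner in the symbols n, Mi, Xi, Yi. The paper's MANET extension is not specified on this page, so only the base protocol is shown. Assumed: the agent node supplies q and a, a generates a prime-order subgroup so private values are invertible modulo that order, and the tiny constructed parameters are for illustration only.

```python
Q = 23          # prime modulus q (constructed; real groups are far larger)
P = 11          # order of the subgroup generated by a, since 23 = 2*11 + 1
A = 4           # generator a of the order-11 subgroup modulo 23

def two_party_dh(x_i, x_j):
    """1976 Diffie-Hellman: Y_I = a^X_I mod q, Y_J = a^X_J mod q; both derive a^(X_I X_J)."""
    y_i, y_j = pow(A, x_i, Q), pow(A, x_j, Q)
    return pow(y_j, x_i, Q), pow(y_i, x_j, Q)

def gdh3(private):
    """private[i] is X_i of member M_i, i = 0..n-1; returns the key each M_i computes."""
    n = len(private)
    # Stage 1 (upflow): M_0 .. M_{n-2} each raise the running value to their X_i,
    # so M_{n-2} ends with a^(X_0 ... X_{n-2}) and broadcasts it to everyone
    acc = A
    for i in range(n - 1):
        acc = pow(acc, private[i], Q)
    # Stage 2: each M_i (i < n-1) removes its own exponent: a^(X_0 ... X_{n-2} / X_i)
    # and sends the result to M_{n-1}; the inverse exists because gcd(X_i, P) == 1
    partials = [pow(acc, pow(private[i], -1, P), Q) for i in range(n - 1)]
    # Stage 3: M_{n-1} raises every partial to X_{n-1} and broadcasts the list
    responses = [pow(v, private[n - 1], Q) for v in partials]
    # Stage 4: each M_i (i < n-1) raises its entry to X_i; M_{n-1} raises acc to X_{n-1}
    keys = [pow(responses[i], private[i], Q) for i in range(n - 1)]
    keys.append(pow(acc, private[n - 1], Q))
    return keys     # every entry equals a^(X_0 X_1 ... X_{n-1}) mod q
```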

Our model achieves not only confidentiality but also effectiveness and efficiency via the individual hash function and security parameters. However, a node may quit or join a group at any time, so a sophisticated group regeneration method must be developed to accommodate this MANET feature.
