A Cluster-Based Security Architecture

for Ad Hoc Networks

M. Bechler∗ , H.-J. Hof† , D. Kraft† , F. Pählke† , L. Wolf∗
∗ Institut für Betriebssysteme und Rechnerverbund, TU Braunschweig, Germany
[bechler | wolf]@ibr.cs.tu-bs.de

† Institut für Telematik, Universität Karlsruhe (TH), Germany

[hof | dkraft | paehlke]@tm.uni-karlsruhe.de

Abstract— Secure communication is very important in com- distributed over a number of nodes. While this basic idea
puter networks and authentication is one of the most eminent has been proposed earlier [1], its application on a clustered
preconditions. However, common authentication schemes are not network is a novelty of our work. Our architecture addresses
applicable in ad hoc networks because public key infrastructures
with a centralized certification authority are hard to deploy issues of authorization and access control, and a multi-level
there. We propose and evaluate a security concept based on a security model helps to adapt the complexity to the capabilities
distributed certification facility. A network is divided into clusters of mobile end systems. Moreover, an extensive evaluation is
with one special head node each. These cluster head nodes execute given.
administrative functions and hold shares of a network key used
In the following, we first give a brief overview of security
for certification. New nodes start to participate in the network
as guests; they can only become full members with a network- goals, common techniques for authentication and secret shar-
signed certificate after their authenticity has been warranted by ing, as well as related work for securing ad hoc networks.
some other members. The feasibility of this concept was verified In section III, our security concept is described in detail.
by simulation. Three different models for node mobility were An important contribution of our work is the evaluation of
used in order to include realistic scenarios as well as make the
the security architecture in section IV. We simulated ad hoc
results comparable to other work. The simulation results include
an evaluation of the log-on times, availability, and communication networks that use our architecture in order to demonstrate
overhead. its feasibility and to measure performance and overhead.
Those measurements are based upon different mobility mod-
I. I NTRODUCTION els, which are described in this section as well. We also discuss
Ad hoc networks are subject to various kinds of attacks. the results and provide information on the configuration of
Wireless communication links can be eavesdropped on without variable parameters. Finally, section V concludes the paper
noticeable effort and communication protocols on all layers and gives an outlook to further research.
are vulnerable to specific attacks. In contrast to wire-line net-
works, known attacks like masquerading, man-in-the-middle, II. S ECURITY IN A D HOC N ETWORKS
and replaying of messages can easily be carried out. Moreover,
deploying security mechanisms is difficult due to inherent In a security concept, typically striving for goals like authen-
properties of ad hoc networks, such as the high dynamics of ticity, integrity, confidentiality, non-repudiation and availabil-
their topology (due to mobility and joining/leaving devices), ity, authentication of communicating entities is of particular
limited resources of end systems, or bandwidth-restricted and importance as it forms the basis for achieving the other secu-
possibly asymmetrical communication links. rity goals: e.g., encryption is worthless if the communication
A central issue concerning the design of any service in partners have not verified their identities before. Authentica-
ad hoc networks is not to rely on any centralized entities, tion of entities and messages can be realized in different ways
because such entities would obviously be easy to attack, and using either symmetric (3DES, AES) or asymmetric (ElGamal,
their reachability could not be guaranteed at all times for all RSA) cryptographic algorithms (see e.g. [2] for details).
participants of the network. Therefore, it is not possible to While symmetric algorithms depend on the existence of
implement a centralized, trusted entity for managing public a preshared key (which does not exist in the general case),
keys of the participants as performed in local area networks authentication by asymmetric cryptography requires a secure
or the Internet. Instead, a distributed solution must be found. mapping of public keys to the owners’ identities which is often
In this paper, we propose and evaluate an architecture for realized by public key infrastructures (PKI). PKIs use digitally
securing communication in mobile ad hoc networks. Our ap- signed certificates to verify a key owner’s identity. Each user
proach divides the network into clusters and implements a de- has to prove her identity to a certification authority (CA)
centralized certification authority. Decentralization is achieved and in turn receives a digitally signed certificate proving the
using threshold cryptography and a network secret that is ownership of her public key.

0-7803-8356-7/04/$20.00 (C) 2004 IEEE IEEE INFOCOM 2004

 In contrast to fixed networks, a centralized PKI or even nodes instead of a subset only. Upon this, Luo et al. build an
a centralized certification authority is not feasible in ad hoc access control system based on signed tickets issued (using
networks, as has been pointed out in the previous section. threshold cryptography) by neighbors of the node seeking
Distributing the signing key and the functionality of a CA over access. Misbehaving nodes are excluded from service after
a number of different nodes by the means of secret sharing and they have been detected.
threshold cryptography is a possible solution to this problem, Another different solution was proposed by Hubaux et
as we will study here. al. [12]. In order to avoid any distributed certification mech-
anism, the authors instead rely on every participant to issue
A. Secret Sharing certificates for other nodes in a web-of-trust manner. Each
Secret sharing schemes realize confidentiality of a cryp- participant has to store a number of certificates, and two nodes
tographic secret by spreading it across different entities. As can only communicate securely when the union of their local
secret sharing schemes need no central authorities, they are stores contains a certificate path between them.
predestined for ad hoc networks. One secret sharing scheme
is threshold cryptography: A trusted dealer divides a secret III. A C LUSTER - BASED C ONCEPT FOR
D into n parts so that the knowledge of k parts (k ≤ n) S ECURING A D HOC N ETWORKS
allows the reconstruction of the secret, which is not possible The security concept described in this section was de-
with the knowledge of k − 1 or fewer parts. This is called a signed with the main aim of providing a basis for secure
(k, n) threshold scheme [3]. In general, a trusted dealer is a communication and access control in ad hoc networks. Pro-
central authority and thus another central target for attacks. To viding for secure authentication without relying on single
avoid this, the participants have to construct the secret without centralized entities is the most important issue; methods for
any central authority. The construction algorithm has to ensure ensuring integrity, confidentiality or non-repudiation for end-
that participants can only transmit correct values and that each to-end communication were not considered in detail, as these
participant can verify both secret and shares, which is called can easily be realized using well-known techniques if secure
verifiable secret sharing [4]. authentication is possible.
In order to protect the secret from attackers that move Other requirements for the design of the concept were
around and compromise multiple share holders over a long that it should support open networks, allowing new nodes to
period of time, a proactive secret sharing (PSS) scheme should join without any mutual a-priori knowledge, it should allow
be used in ad hoc networks. In PSS schemes, secret shares are fine-grained access control for services and resources in the
changed periodically without changing the secret itself, so an network, and it should be scalable to support hardly predictable
attacker cannot use a secret’s whole lifetime to compromise network sizes and react quickly to dynamic changes.
k participants. All information an attacker collected about
the secret becomes worthless after refreshing the shares [5]. A. Clustering
Threshold shared secret schemes can be transformed into In order to make our concept scalable, to avoid expensive
PSS schemes using discrete logarithms [5]. Proactive digital long-range traffic, and to enhance availability by providing
signatures, which are used in our work, are an implementation service locally, we partition an ad hoc network into a number
of PSS schemes [6], [7]. of clusters. In each cluster, exactly one distinguished node
Due to the movement of mobile nodes, the topology of ad – the cluster head (CH) – is responsible for establishing
hoc networks changes frequently, and moreover, nodes can and organizing the cluster. Gateways (GWs, which need not
join or leave the network at any time. Hence, an algorithm necessarily be CHs) manage communication with adjacent
for distributing the same key to a different set of participants clusters. The CHs are responsible for sending CH beacons
is required. Such a refresh algorithm [8] can be triggered in their clusters, containing administrative information for the
periodically, event-based, or both. cluster members, e.g., lists of nodes and GWs in the cluster.
Also, GWs periodically transmit GW beacons to inform their
B. Related Work on Securing Ad hoc Networks respective clusters about adjacent clusters.
The idea to use a distributed certification authority based Clustering is also used in some routing protocols for ad hoc
on a shared certification key and threshold cryptography for networks. Routing is then typically divided into two parts:
securing ad hoc networks was first presented by Zhou and routing within a cluster (intra-cluster) and routing between
Haas [1]. It was further developed in the COCA system [9], different clusters (inter-cluster). One solution for such a sce-
a general distributed authentication service. nario is the zone routing protocol, a combination of proactive
Our approach is based on the same general idea, but intra-cluster and reactive inter-cluster routing; communication
introduces several new concepts like a cluster-based network between two clusters is always routed via GWs [13].
structure, a process for admitting new participants and a If a cluster-based routing protocol is used, the clusters
framework for access control within the network. established by the routing protocol can also be used for our
Luo et al. [10], [11] chose a different way to distribute security concept, and some additional advantages are to be
the certification process. They use a specially crafted key expected. However, as we do not want to limit the applicability
sharing algorithm distributing the key amongst all network of the security concept to ad hoc networks with particular

0-7803-8356-7/04/$20.00 (C) 2004 IEEE IEEE INFOCOM 2004

 routing protocols, we do not require that clustering is provided to those of the encryption in IEEE 802.11 or Bluetooth; it can
by a routing scheme. In case no clusters are given from outside replace such mechanisms where they are too weak, or it can
the security part, they are formed as needed: Nodes finding no be integrated with them to provide key management functions.
existing clusters create some themselves, and existing clusters 3) Node Status and Authorization: A new node that joins a
are merged and split on demand. The techniques used for this cluster has an initial status of a guest with practically no access
are described in section III-C. rights. Only when its public key is signed by the CH network
(after authentication has completed successfully), it becomes
B. Conceptual Building Blocks
a full member and can acquire additional access rights by
In our concept, a network-wide distributed certification having authorization certificates issued to it. In contrast to
infrastructure forms a basis for securing end-to-end commu- identity-based key certificates, authorization certificates can be
nication by public key cryptography. Additional security of issued by any network node managing a particular service or
communication links within single clusters is provided by resource, like a printer or Internet access. Such services or
symmetric encryption. For controlling access to resources and resources can then be used by the subject of the certificate,
services, authorization certificates are used. These building who can also transitively grant access to other nodes if the
blocks will be described in more detail now. certificate allows it.
1) Network-Wide Certification Infrastructure: The basis for For the initial authentication of new nodes and for judg-
our security concept is the use of public key cryptography ing their trustworthiness when granting them access rights,
for ensuring authentication, integrity and confidentiality. Every additional trust relationships are needed that do not yet exist
node participating in the network holds a self-generated key for nodes unknown to the network. Therefore, new nodes are
pair, which is used for providing end-to-end security between obliged to first acquire a certain number of warranty certifi-
arbitrary nodes. cates from other network nodes. Warranting nodes can be, e.g.,
Public keys are distributed in the ad hoc network using immediate neighbors to the new node, where personal contact
certificates issued by a trustworthy CA. In contrast to PKIs between human users is possible and allows for authentication
common in fixed networks, the CA is distributed: It is formed on other than technical levels. In this respect, warranting nodes
by a subset of all network nodes. For issuing certificates, a are similar to registration authorities in conventional PKIs. The
certain share (e.g. a majority) of these nodes must actively more warranty certificates a node collects the more certain is
take part. This concept has two advantages: Firstly, availability its authentication. Considering this, the CH network can give
is enhanced, because certificates can be issued even if some more or higher level access rights to new nodes holding more
certification nodes are not reachable. Secondly, the security than the minimum number of warranty certificates.
infrastructure becomes more resistant against intruders, as it
can tolerate the compromise of single nodes without the CA C. Details and Protocols
as a whole becoming compromised.
In this work, we assign the role of the distributed CA to In the following, some procedures and mechanisms are
the cluster heads of the network. Regarding the protocols elaborated in more detail, and some of the used protocols are
used for generation, management and usage of the common described in an informal manner.
certification key and for organizing the whole ad hoc network, 1) Key Distribution and Key Refreshment: The network key,
the CHs therefore form a logical network, the so-called CH which is shared amongst the CHs of an ad hoc network, is
network. The private key of the CA is distributed over the created using proactive secret sharing according to the Digital
CHs, i.e., every CH holds a fragment of the whole key. Signature Scheme [14] (cf. section II-A). As the composition
The extent of an ad hoc network in respect to our architec- of the CH network changes dynamically when CHs join or
ture is determined by the extent of a CH network sharing a leave the network, the secret shares also have to be renewed
single private key, i.e. forming a single distributed CA; the regularly, because the number of shares needs to be adapted
shared key is also called the network key. More than one to the number of CHs. Apart from that, it has to be made
network, each having a different network key, can be neighbors sure that the key shares are renewed after a certain period
in the same area (or even overlap, if clustering is independent of time in order to make it hard for a moving attacker to
of routing). They may or may not be merged into a single compromise a number of k CHs over time. In our approach,
network (cf. section III-C.6) at a later point in time. we always combine joining or leaving of CHs with a key
2) Intra-Cluster Security: Independent of end-to-end secu- share renewal and only schedule additional renewals if the
rity measures that can be built upon the asymmetric key of CH network remains unchanged for some time.
every node, we use a cluster-wide symmetric key that is known The public key of the CH network must be known to all
to the cluster’s nodes. This key can be used, e.g., to protect all nodes in the ad hoc network. It is propagated via the CH
traffic on the links between the nodes. This may be useful for beacons, which are broadcasted periodically in every cluster.
cluster internal traffic that is not protected by other means, and Besides of the public network key, a CH beacon also contains
also to hide information like source and destination addresses the CHs own public key, a list of nodes of the current cluster
of transmitted packets from eavesdroppers not belonging to the including their status, and a list of gateways connecting to
cluster. The benefits of such a link-wise encryption are similar adjacent clusters.

0-7803-8356-7/04/$20.00 (C) 2004 IEEE IEEE INFOCOM 2004

 (need more warrants)/
CH1 warrant request
“S may warrant”
...
CH beacon/ log-on reply/
S
CHk no log-on request warrant request
guest
Warrant status

(enough warranty certificates)/

A A authenticates to S m × certification request
(need more CHs)/
Guest S full CH request
Node Warrant member
cluster key/ (certificate complete)/
“S warrants for A” cluster key request
“S may warrant”
certification reply/
A PubKey(A)
“S may warrant”“S warrants for A” CH1 Fig. 2. States of a new node during log-on
Guest Node
...
A CHk
Full Cluster Certificate Fragments 1,..., k trusted external root CA the public key of which the warrant
Member happens to know.
When CHs are being asked for certificate shares by a new
Fig. 1. Authentication process
node, they first have to make sure that the issuers of the given
WarrantCerts are really authorized to vouch for a guest. This
is verified using warranty authorization certificates (Warrant-
2) Log-On Procedure: The log-on procedure described in
AutCert). Each warrant S sends a copy of its certificate to A:
the following is the means for a new node to join a network
by becoming a guest node first and a full member later. WarrantAutCert(S) := Node(S), PubKey(S),
In order to log on, a new node first has to find a cluster. If it Fct("S may warrant"), Sign(CH-Network)
receives CH beacons, it sends its log-on request to the cluster’s Both certificates together can be used to request a signature
CH. The new node and the CH negotiate some parameters for A’s public key from the CH network. The CHs check
(like the number of warranty certificates required and how the the WarrantAutCert and the WarrantCert presented by A and
symmetric cluster key is to be used later on), and the new send their shares of an identity certificate if all the certificates
node becomes a guest. If, instead, a nodes does not receive are valid. After A collected enough certificate shares, it can
any CH beacons, it establishes its own cluster and acts as a complete its identity certificate:
CH of this cluster. For this, it generates a secret symmetric IdCert(A) := Node(A), PubKey(A), Validity(t),
cluster key and starts to transmit CH beacons. Sign(CH-Network)
For authenticating themselves to the network, new nodes Now having its key signed, A is a full member. The CH sends
need warranty certificates (WarrantCert). Such certificates can the symmetric cluster key to A (encrypted with A’s public
be acquired from warrants, i.e. from full members that have key).
been granted the privilege of warranting by the network Fig. 1 illustrates the message exchange during a successful
because they are believed to be trustworthy. A new node A log-on: The top fraction shows a WarrantAutCert being issued
may request a signature of the CH network if it possesses to a warrant (at some earlier time), in the middle a new node
a (previously negotiated) number of WarrantCerts. Each of asks a warrant for a WarrantCert and receives it together with
these certificates is signed by a warrant S to guarantee its the warrant’s WarrantAutCert, and at the bottom the new node
authenticity, and also includes a period of validity: sends WarrantCerts and WarrantAutCerts to a number of CHs
WarrantCert(A) := Node(A), PubKey(A), Validity(t), and receives IdCert fragments. Fig. 2 summarizes the states a
Fct("S warrants for A"), Sign(S) new node goes through during this process.
A warrant may only vouch for a node if it has verified the In order to ask for identity certificate shares, A has to know
node’s identity. One method of securing the message exchange about at least k CHs in a (k, n) threshold scheme. If A does
necessary for this is to use a location-limited side channel [15], not already know enough CHs, it can send a query for further
[16], i.e. a channel where the users can control which devices CHs to its own CH. As the CH is in regular contact to other
are communicating. How this is done in detail depends of the CHs in the CH network, it is able to provide a list of the
deployment scenario: In the simplest case – e.g. on confer- network’s CHs to the requesting node. Alternatively, A can
ences where network nodes are personal devices – this could extract information on further clusters and their CHs from
be visual contact and voice communication between users received GW beacons.
and physical contact (wired, or infrared) between devices. In The procedure of warranting and key certification utilizes
less “intimate” scenarios – like vehicle communication on the restricted resources sparingly, as only few messages are
motorways – other methods like directed short-range radio necessary to get a key certificate. If a side channel is used for
or number plate recognition are needed. Another possibility, authentication, a (k, n) threshold cryptography system needs
which may be useful in some cases and has the advantage 2k messages for requesting and receiving certificate shares. If
of being remotely applicable, is using some certificate of a the requests to and replies from w warrants are transmitted

0-7803-8356-7/04/$20.00 (C) 2004 IEEE IEEE INFOCOM 2004

 over the ad hoc network, another 2w messages are needed. 5) Delegation of Cluster Heads: If a node is no longer able
Of course, how easy or difficult it is for a new node to to act as a CH, it delegates this role to another trusted node
find some warrants depends of the distribution of the warrants within the cluster. This avoids an expensive re-configuration
and the degree of mobility. However, there is no fixed time of the cluster and possibly of the whole network. If a CH is
limit for the process of finding warrants, and the new node looking for a successor, it queries for a node that will continue
can already use the network as a guest while searching for the CH functionality further on. Once a trustworthy successor
warrants. Besides, it is assumed that most full members are is determined, the old CH securely migrates its state to the
granted the warranting privilege after some time, so there successor and sends a signed broadcast message containing
should be no lack of potential warrants. the new CH’s identity, so all nodes in the cluster are able to
3) Interaction with Routing: In section III-A, we mentioned adapt themselves to the new CH and to its CH beacons they
the possibility of reusing cluster structures of the underlying will receive. Nodes that do not receive this broadcast message
routing protocol of the ad hoc network for the security concept will consider the CH beacons they receive after the change as
as well. This also allows to offer “secure routing” in the foreign. However, they are still full members as their network
sense of restricting the set of nodes that are considered for certificates are still valid.
forwarding packets. Apart from the nodes in the cluster, the CH also has to notify
In general, routing in cluster-based ad hoc networks is the members of the CH network about the CH delegation; this
different for intra-cluster and inter-cluster communication. If is realized by separate encrypted messages to each other CH.
proactive routing is used for intra-cluster routing, a sender As the old CH transfers his share of the private network key to
may specify (by setting a flag in the routing header) if either the new CH, the sharing of the network key will be unaffected.
only full members or all nodes in the cluster are allowed During the next refresh of the key shares, the new CH will be
to forward a packet. As a result, each node possibly has to updated instead of the old one.
manage two routing tables, one for routing via full members Without explicit delegation of the CH function, a failing CH
only, and one considering all nodes in the cluster. In case of results in the break-up of the cluster. Former cluster members
a reactive intra-cluster routing strategy, the sender has to find have to join neighboring clusters or form a new cluster after
a route before transmitting a packet. As the CH beacons also a new CH has been found. Because of the changes in the
propagate the status of the involved nodes along the route, CH network and in the cluster membership of the abandoned
a sender is able to specify its security requirements in the nodes, this is a rather costly process and should therefore be
route request packet, which limits the route replies to, e.g., full avoided.
members. Note that each CH individually defines the cluster’s 6) Merging Networks: The merging of two complete net-
security guidelines for intra-cluster routing. Those guidelines works into a single network is one of the most difficult
specify, e.g., encryption of link state updates for proactive and expensive operations to occur. As the two network keys
routing. cannot be mixed, one of them must be dropped and the other
Inter-cluster routing must be adapted as well: For both distributed over the whole network. All the certificates that
reactive and proactive routing, a sender has to notify the GWs had been signed with the dropped key have to be reissued in
about whether each node or only full members may forward the long run, although it is possible to keep the dropped key
packets. This is necessary because only GWs know the status for some period of time to facilitate this process. Possibly, it
of nodes in adjacent clusters. might become necessary to adapt the (k, n) threshold for the
4) Gateways: Each node N that gets in contact with a changed number of nodes and CHs in the new network.
foreign cluster can potentially act as a gateway. Optionally, Before merging starts, a decision must be made on which
the permission to act as a gateway can be controlled using of the networks is to remain. In the simplest case, one of the
gateway authorization certificates (GwAutCert) signed by the networks consists of just one cluster. Its single CH can then be
CH network: integrated into the other network quite simply, or, if the single
cluster has only few members, it can be dissolved, leaving its
GwAutCert := Node(N ), PubKey(N ), Fct("Gateway"), members to join the other network on their own. In contrast,
Sign(CH-Network) merging two bigger networks is rather difficult. The decision
A potential gateway notifies both its CH and the CH in the about the remaining network depends on parameters like the
discovered cluster about the contact. The address of the new number of CHs and the number of nodes that would have to
CH can be requested from the foreign node the gateway first apply for new certificates.
got in contact to. In turn, both CHs send the information about A requirement for the incorporation of a new CH into an
the new gateway in their CH beacons, and the new gateway existing network is that a particular number of nodes from the
itself starts to transmit GW beacons containing its public key existing network have expressed their trust into the new CH
and its status in the corresponding clusters (guest node or full by issuing warranty certificates to it. If the CH has collected
member, possession of a GwAutCert). If the discovered cluster enough certificates, it receives its share of the private network
was not associated with the network previously, the gateway key with a following key share refreshment. Otherwise, it has
will initially be a guest node there although it is a full member to delegate the CH role to another node in its cluster that has
in its original network. collected enough warranty certificates. The integration will not

0-7803-8356-7/04/$20.00 (C) 2004 IEEE IEEE INFOCOM 2004

 TABLE I 1000
L EVELS OF C ONTROL OVER A DMITTED U SERS
800

User or provider group Credential 600

all nodes none
all full members secret cluster key or 400
certified public node key
200
specific nodes authorization certificate
directly trusted nodes any of the above,
0 200 400 600 800 1000
or a preshared key
Fig. 3. Mobility pattern for random waypoint

be possible if no node in the new cluster possesses enough

certificates. In that case, each node has to join the remaining the performance of the security protocols independently of the
ad hoc network separately. For the merging of whole networks, communication characteristics. Hence, we assumed an abstract
mutual consent can be found by an explicit decision of a link layer with a maximum transmission range of 180 m and
majority of the CHs of both networks. This is necessary a delay of 100 ms per hop, which is similar to the values
because the networks in effect have to trust each other. Various published by Compaq, Cisco, and Siemens for their IEEE
possible decision mechanisms are issues for further study. 802.11b products (see respective web pages of the companies).
7) Access Control: Access to services and resources can Furthermore, we assumed no bandwidth restrictions, no trans-
be controlled using authorization certificates. Entities that are mission collisions, no packet drops, and no bit errors in our
responsible for controlling access to a particular service or simulation in order to measure the undisturbed performance
resource, or the service provider or owner of the resource itself, of the security mechanisms.
can give authorization certificates to the users they wish to
admit. These certificates include the public key of the subject A. Evaluation Scenarios
and some authorization information. Nodes may pass those The mobility patterns of mobile nodes in an ad hoc network
rights transitively to other nodes if they also hold a permission are a very fundamental factor for its evaluation. Hence, we ex-
for doing so. amined our security architecture with three different scenarios:
Apart from using authorization certificates, simpler methods random waypoint, a motorway scenario, and a conferencing
of access control can be applied as well. Altogether, for the scenario. Due to space constraints, we only present the results
providing as well as for the using side, four different levels of of the random waypoint and the motorway scenario in this
control over the group of admitted users, respectively trusted paper.
providers, can be distinguished; Table I shows them together 1) Random Waypoint: The random waypoint mobility pat-
with the credentials used for access control. tern [18] divides a participant’s movement into two phases.
8) Adaptable complexity: Different types of keys (symmet- First, a participant waits for a random idle time period. In the
ric cluster key, asymmetric public key) and certificates can be second phase, the participant chooses a random destination
used for communication. Nodes decide in each case which within the simulation area and moves towards this destination
security level is needed and use the appropriate encryption. In at a randomly chosen speed. If the participant reaches this
order of increasing complexity these levels are: destination, the process continues with the first phase. Waiting
1) No encryption time, destination within the simulation area, and speed are cho-
2) Secret cluster key (intra-cluster only) sen with a uniform distribution. Fig. 3 illustrates an exemplary
3) Public node keys, directly exchanged trace of a mobile node moving according to random waypoint
4) Public node keys, certified by the CH network in a square of 1000 m × 1000 m.
Allowing an adaptable complexity is an advantage for nodes Although random waypoint is a rather unrealistic mobility
with low resources, which can choose a suitable security level. model, it is widely used for the performance evaluation of
However, if nodes cannot agree to a common level of security, various ad hoc networking aspects. Hence, we consider this
communication may be impossible. mobility model in our evaluation as well in order to allow a
comparison of our work with the research of others.
IV. E VALUATION 2) Motorway Scenario: Future vehicular communication
In order to evaluate our concept, we developed a simulation scenarios will be a very important application field of ad
prototype using the OMNeT++ simulation framework [17]. hoc networks. In such scenarios, vehicles traveling along
OMNeT++ is an object-oriented, discrete event simulation a motorway organize themselves in ad hoc networks for
system developed at Budapest University. The goals of our exchanging local data. Due to the high mobility of vehicles,
simulation were twofold: One goal was the proof of concept, the network topology is very dynamic and, thus, challenging
i.e. to demonstrate that our security architecture can be de- for ad hoc networking protocols. Several research projects
ployed in ad hoc networks. The second goal was to determine deal with vehicular ad hoc networking, e.g., FleetNet [19] or
the performance of our approach. Our intention was to evaluate CarNet [20].

0-7803-8356-7/04/$20.00 (C) 2004 IEEE IEEE INFOCOM 2004

 interaction would result in higher log-on times, and the num-
ber of unsuccessful log-ons due to timeouts would possibly
increase as well. In order to route the IP packets through the
ad hoc network, we used an OMNeT++ implementation of the
Fish-eye State Routing protocol [23]. Although routing has an
obvious impact on the timing values measured, this influence
has shown to be very small: The differences to some later
Fig. 4. Movement in the motorway scenario experiments with “direct” routing on the shortest path without
any routing protocol overhead were rather marginal.
In order to determine the impact of the scenario chosen,
In order to model the motorway scenario, we used a modi- we compared the random waypoint measurements with the
fied city selection mobility pattern [21], [22]. The simulation motorway scenario. For the motorway scenario, we used a
area consists of a road network with specific characteristics simulation area of 2 km × 2 km with the model described in
of each road (e.g., a speed limit). Each vehicle starts at a section IV-A.2. In this area, 60 vehicles traveled along the
predefined point and seeks for an arbitrary destination. The predefined road. For some measurements, we also tried to
mobility algorithm calculates the shortest path to this point examine the impact of different parameters (e.g., the number
and the vehicle travels along this path to the destination. of nodes) on the performance. We evaluated the following
Once a vehicle arrives at the destination, it waits a predefined performance criteria:
period of time and repeats the algorithm from the beginning.
• Log-On time: the period of time between the receipt of
Note that vehicles have to follow predefined paths on their
a CH beacon and the full membership of a mobile node
way to the destination. Compared to other mobility patterns,
(for which a guest node had to find three warrants).
the movement of a vehicle is possible along the roadway
• Availability: the percentage of all nodes within the ad hoc
only. Within these regions, we use speed vectors depicting
network that are able to communicate securely.
the direction of the vehicles’ movements. Their absolute value
• Overhead: the additional network traffic caused by our
simulates road conditions, speed limits etc. According to their
security architecture for the different types of mobile
speed v, we modeled three types of vehicles:
nodes (cluster heads, gateways, and full members).
• trucks with 40 km/h ≤ v ≤ 80 km/h,
1) Log-On Time: In order to determine a mobile node’s log-
• slow cars with 60 km/h ≤ v ≤ 120 km/h, and
on time, we measured the time period between the first receipt
• fast cars with 100 km/h ≤ v ≤ 220 km/h.
of a CH beacon and the achievement of a full membership.
We simulated two motorway sections of 2 km length each, Within this log-on time, the mobile node has to find three
connected by a motorway interchange as illustrated in Fig. 4. warrants and collect three shares of the identity-based key
The speed and direction of each vehicle depends on the road certificate. Finally, it combines the shares and requests the
speed vector at the current position and the current vehicle’s symmetrical cluster key from the cluster head. Ideally, the log-
speed. At the motorway interchange, a vehicle leaves the on procedure should be short to guarantee the mobile nodes a
motorway with a probability of 0.1. quick admission to participate at the ad hoc network.
A simulation run for the log-on time period was performed
B. Simulation Results as follows: In the first step, we assigned each of the 15 nodes
For our evaluations, we implemented a simulation of our a randomly chosen type (cluster head, gateway, or guest node).
security architecture using OMNeT++. We first measured the Cluster heads transmitted their CH beacons every 20 s via
performance with the random waypoint mobility model. The 2 hops. In the second step, all nodes began to move randomly
simulation area spanned a square of 600 m × 600 m in which and the guest nodes tried to obtain a full membership.
15 nodes moved around (if not stated otherwise; there were Fig. 5 shows the measured distribution of log-on times.
also runs with 30 and 60 nodes). As described previously, a We aggregated the results in 5 s steps; we also aggregated
node’s transmission range was 180 m with a delay of 100 ms the probabilities for log-on times larger than 100 s. In this
per hop. Cluster heads broadcasted their beacons over 2 hops configuration, the log-on of a guest node requires 24.9 s on
every 20 s. In order to achieve full membership, a guest node average and approximately 25 % of the guest nodes achieve
required three warrants to receive its identity certificate. The full membership within the first 10 s. The distribution has
lifetime of this certificate was chosen randomly between 200 s peaks at all multiples of the CH beacon interval (20 s), i.e.
and 300 s. For the evaluation, we varied some of the pa- at 25 s and 45 s respectively. Note that the simulation also
rameters to determine their overall performance impact. Each contains unsuccessful log-ons, which are restarted after a
measurement comprised 50 simulation runs with a simulated predefined period of 30 s. The log-on procedure of a guest
duration of 240 s each. The time for seeking warrants was node can fail for one of the following reasons:
ignored because it includes social factors that are impossible to • The guest is not able to collect enough warranty certifi-
simulate; warrants answered to warrant requests immediately cates within the predefined period of time.
and with a positive ratio of 85 %. The consideration of social • After having received a CH beacon, the guest cannot

0-7803-8356-7/04/$20.00 (C) 2004 IEEE IEEE INFOCOM 2004

 35
20
30 Hops = 1
Hops = 2
25 Hops = 3

Frequency [%]
15
20
Frequency [%]

15
10
10

5
5
0
5 15 25 35 45 55 65 75 85 95
Log-On Time [s]
0
5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 100
Log-On Time [s]
Fig. 7. Log-on times for different cluster sizes

Fig. 5. Log-on (15 nodes, random waypoint) 20

18
22
16
20

14
18

12

Frequency [%]
16

14 10
Frequency [%]

12 8

10 6

8
4
6
2
4
0
2 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 100
Log-On Time [s]
0
5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 100
Log-On Time [s] Fig. 8. Log-on (60 nodes, motorway)

Fig. 6. Log-on (30 nodes, random waypoint)

size: The probability of CH network merges increases with

increasing cluster size. In order to determine the effects of
communicate with the CH because the network topology
the cluster size, we repeated the measurements from Fig. 5
has changed in the meantime.
with different cluster sizes, determined by the number of hops
• A merge of CH networks occurs during the log-on
a CH beacon is forwarded. Fig. 7 shows the results with
procedure.
cluster sizes of 1, 2, and 3 hops respectively. As expected,
Separate examinations showed that the typical log-on time small cluster sizes resulted in very quick log-on times; in this
for successful log-ons only was approximately 2 s, and about measurement, the average log-on time was 21.1 s for one hop,
50 % of the guests nodes are able to become full members 24.5 s for 2 hops, and 27.1 s for 3 hops. Further measurements
within the first second. (not shown here) approved that the log-on times of successful
In order to determine the effect of the nodes’ density on log-ons changed only marginally.
the log-on time, we repeated the random waypoint simulation A different situation occurs in the motorway scenario, as
with 30 mobile nodes. The remaining parameters were not illustrated in Fig. 8, for which we used 60 mobile nodes.
modified. As illustrated in Fig. 6, the log-on times increased The performance was by far lower compared to the previous
with the number of nodes; the average log-on time increased scenarios. The average log-on time was 41.5 s, whereas only
to 28.7 s. Notice again the peaks at 25 s and 45 s, which are 11 % of the guest nodes were able to log-on within the first
correlated to the CH beacon frequency. The increase of the log- 10 s.
on times is caused by the increased probability for the merging 2) Availability: The availability is another important pa-
of CH networks in the setup phase since due to the higher rameter of a security architecture for ad hoc networks. The
density of nodes, each node has contact to more neighbors. following fraction defines the availability:
As described previously, this effect is costly (cf. section III-
C.6) and influences the log-on of the nodes. number of full members
Another important configuration parameter is the cluster availability =
total number of nodes

0-7803-8356-7/04/$20.00 (C) 2004 IEEE IEEE INFOCOM 2004

 1 1

0,9 0,9
0,8 0,8

0,7 0,7

0,6 0,6
Availability

Availability
0,5 0,5
0,4 0,4
0,3 0,3
CH Interval = 10s
0,2 CH Interval = 10s 0,2 CH Interval = 30s
CH Interval = 30s
0,1 0,1
0 0
0 20 40 60 80 100 120 140 160 180 200 220 240 0 20 40 60 80 100 120 140 160 180 200 220 240
Time [s] Time [s]

Fig. 9. Availability (15 nodes, random waypoint) Fig. 10. Availability (60 nodes, motorway)

After a successful log-on with the cluster head, secure com- 0,9

munication is possible until a mobile node’s certificate expires. 0,8

The validity of the certificate was chosen randomly between

Availability
200 s and 300 s. The merge of two CH networks plays an 0,7

important role for the availability. In this case, the availability

0,6
will decrease as a new secret network key must be generated. Hops = 1
Hops = 2
Hence, all mobile nodes have to obtain a new certificate, which 0,5 Hops = 3

must be signed with the new network key.

0,4
First, we studied the impact of the CH beacon frequency 0 20 40 60 80 100 120 140 160 180 200 220 240
Time [s]
on the availability. For our measurements with the random
waypoint mobility model, we used the same parameters as Fig. 11. Availability depending on the cluster size (random waypoint)
specified in the previous section, apart from the varied CH
beacon interval. Fig. 9 illustrates the results with CH beacon
intervals of 10 s and 30 s. We can clearly identify two phases: result, it is easier for a guest node to find a sufficient number
In the first phase (from the beginning to approximately 55 s), of warrants in order to achieve full membership.
the structure of the security architecture establishes slowly. 3) Communication Overhead: Obviously, security proto-
During this phase, approximately 58 % of the nodes are able cols always cause additional overhead, which burdens both
to communicate securely. The low average availability results network and end systems. In this section, we consider the
from several CH networks being merged in the beginning. In “costs” incurred for the establishment and maintenance of
the second phase (starting at 55 s), the cluster topology and the our security architecture. We therefore measured the number
security infrastructure are well established. About 90 % of the of packets/s that were transmitted in the simulation using
mobile nodes are able to communicate securely. In general, the same parameters as in the previous measurements. Note
our measurements showed that the CH beacon interval does that this measurement is independent of the radio technology;
not affect the availability significantly. we also do not consider the overhead caused by the routing
In order to investigate the impact of the mobility scenario on protocol. Fig. 12 shows the overhead (in packets/s) for a
the availability, we repeated the simulation using the motorway CH beacon interval of 10 s and 30 s using random waypoint.
model. We used the same parameters as described in the Especially in the setup phase, the overhead is very high. The
previous section, and varied the frequency of CH beacons. significant increase of overhead after 20 s coincides with the
Fig. 10 shows the results: An interesting observation is that increase of availability illustrated in Fig. 9. When the security
the availability increased much slower compared to the random infrastructure is established (after about 55 s), the overhead
waypoint model; it takes about 125 s until the availability decreases slowly to less than 50 packets/s. As observed
reaches an average of more than 90 %. These characteristics previously, the CH beacon interval seems to have very little
result from the relatively high number of cluster merges that effect on the overhead in the random waypoint scenario. Note
occurred throughout the simulation time. Like in the random that the overhead refers to the overall ad hoc network, i.e. the
waypoint simulation, the impact of the frequency of CH aggregated traffic of all communication links.
beacons was very small. A comparison with the motorway scenario illustrates the
Finally, we examined the impact of the cluster size on the influence of different mobility patterns. Fig. 13 illustrates the
availability. For this, we used the random waypoint model with results of the measurements using the motorway scenario with
the cluster sizes of 1, 2, and 3 hops respectively. Fig. 11 shows the previous configuration. In contrast to random waypoint, the
the results of the three measurements. The larger the clusters CH beacon interval has a significant impact on the overhead.
are, the longer a mobile node is associated to its cluster. As a Comparing a CH interval of 10 s with a CH interval of 30 s, we

0-7803-8356-7/04/$20.00 (C) 2004 IEEE IEEE INFOCOM 2004

 300 500

CH Interval = 10s 450

250 Hops = 1
CH Interval = 30s 400 Hops = 2
Overhead [Packets/s]
Hops = 3

Overhead [Packets/s]
200 350

300
150
250
100 200

150
50
100
0 50
0 20 40 60 80 100 120 140 160 180 200 220
0
Time [s]
0 20 40 60 80 100 120 140 160 180 200 220
Time [s]
Fig. 12. Overhead (random waypoint)

120
Fig. 14. Overhead depending on the cluster size (random waypoint)

100

• full members caused 18.3 % of the traffic, and

Overhead [Packets/s]

80
• gateways caused 34.2 % of the traffic.
60

C. Discussion
40

CH Interval = 10s
From the evaluation, several interesting performance aspects
20
CH Interval = 30s of our security architecture can be observed. One important
0 result is that the mobility patterns of mobile nodes have a
0 20 40 60 80 100 120 140 160 180 200 220 highly significant impact on performance. All measurements
Time [s]
revealed remarkable differences between the random waypoint
Fig. 13. Overhead (motorway) and the motorway scenario.
Our measurements also show the impact of different pa-
rameters. Whereas the frequency of CH beacons seems to
found that starting at about 120 s, the average overhead further have little impact (motorway scenario) or almost no impact
increases for a CH interval of 30 s, whereas it decreases for at all (random waypoint) on the availability, the overhead
a CH interval of 10 s. Moreover, the peaks in the motorway differs noticeably for different CH beacon intervals in the
scenario are by far less significant compared to the random motorway scenario. The cluster size plays an important role
waypoint model (100 packets/s compared to 250 packets/s). for the overhead caused by our security architecture. One
Notice again the correspondence to Fig. 10: with an increasing drawback is the considerable additional load for cluster heads
availability, the overhead also increases. and gateways: Together, they generate about 80 % of the
We also studied the influence of the cluster size on the additional network load.
overhead. In Fig. 14, we examined the overhead for the random Besides the examined aspects, further parameters are also
waypoint mobility model with cluster sizes of 1, 2, and 3 hops. relevant for the performance of the described security architec-
This simulation shows that the overhead remains small if ture. One parameter is the time period a mobile node waits for
the CH beacons are only broadcasted across one hop. The incoming CH beacons. If this timer expires (without receiving
overhead increases with increasing cluster size. The reason a CH beacon), the mobile node nominates itself as a cluster
for this effect is that the probability of merging two CH head. This timeout parameter is of interest in the bootstrapping
networks increases with an increasing cluster size, because phase. For our simulations, we set the timer to the CH beacon
separated clusters will discover each other earlier. In this case, interval plus a randomly chosen time (up to 10 s). In other
the merging of two cluster head networks requires a new log- measurements, this configuration turned out to be suitable for
on of some nodes, which causes additional overhead. the scenarios deployed.
Finally, we examined the distribution of node types and Another tuning parameter is the minimum number of re-
the overhead caused by each type. We assumed a cluster quired warrants. This value should be chosen carefully, as a
radius of 2 hops and considered the overhead caused by the high value results in low availability, whereas a low value
Fish-eye State Routing. In our measurements of the random might violate the trustworthiness of our security architecture.
waypoint model with 15 nodes, we had an average of 20.4 % We suggest a value of about 40 % of the number of full
cluster heads, whereas 61.8 % of the nodes (on average) were members. This value proved to be a good choice. In this
full members, and 17.8 % of the nodes acted as gateways. context, the validity of the received certificate needs to be
A comparison of the overhead traffic caused by the different configured according to the requirements of the given scenario.
types of nodes showed the following results: As stated previously, we used a validity between 200 s and
• cluster heads caused 47.5 % of the traffic, 300 s for a mobile node’s identity certificate.

0-7803-8356-7/04/$20.00 (C) 2004 IEEE IEEE INFOCOM 2004

 Concerning the security aspects of our protocols, the param- scenario. Furthermore, the configuration of further parameters
eter k of the (k, n) threshold scheme needs to be determined. (e.g., timeouts for the log-on procedure) still needs to be
If k is configured too low, an attacker might be able to evaluated. We are also going to evaluate our approach with
compromise the security architecture before the network key additional ad hoc routing protocols and application scenarios.
is refreshed. In case of a high value for k, a guest node has to
contact more cluster heads. Hence, its log-on time increases,
or it even fails if the guest node cannot find enough cluster R EFERENCES
heads. Of course, it must be ensured that k will be always
[1] L. Zhou and Z. J. Haas, “Securing ad hoc networks,” IEEE Network,
lower than n, even if the number of cluster heads varies. In vol. 13, no. 6, pp. 24–30, 1999.
our simulations, a value of about 50 % of the total number of [2] B. Schneier, Applied Cryptography. John Wiley, 1996.
cluster heads seemed to be a good choice. [3] A. Shamir, “How to share a secret,” ACM Comm., vol. 22, no. 11, 1979.
[4] T. Pedersen, “A threshold cryptosystem without a trusted party,” in
Of course, additional fine tuning of those and other protocol Advances in Cryptology, Proc. Eurocrypt’91, ser. LNCS, vol. 547.
parameters may still result in further optimizations. However, Springer-Verlag, 1991.
[5] A. Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk, and M. Yung,
depending on the actual deployment scenario, optimizations “Proactive public key and signature systems,” in ACM Conf. on Com-
will always require a tradeoff between required security and puter and Comm. Security, Zürich, 1997.
availability, acceptable overhead, and expected performance. [6] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung, “Proactive secret
sharing, or: How to cope with perpetual leakage,” in Advances in
Cryptology, Proc. CRYPTO’95, ser. LNCS, vol. 936. Santa Barbara,
California: Springer-Verlag, Aug. 1995, pp. 339–352.
V. C ONCLUSION [7] K. Takaragi, K. Miyazaki, and M. Takahashi, “A threshold digital
signature issuing scheme without secret communication,” IEEE P1363
In this article, we introduced a cluster-based architecture for Study, Nov. 2000.
[8] Y. Desmedt and S. Jajodia, “Redistributing secret shares to new access
a distributed public key infrastructure that is highly adapted structures and its applications,” George Mason Univ., Tech. Rep., 1997.
to the characteristics of ad hoc networks. In order to adapt to [9] L. Zhou, F. B. Schneider, and R. van Renesse, “COCA: A secure dis-
the highly dynamic topology and varying link qualities in ad tributed on-line certification authority,” ACM Trans. Computer Systems,
vol. 20, no. 4, pp. 329–368, Nov. 2002.
hoc networks, we consequently avoided any central instances [10] H. Luo, P. Zerfos, J. Kong, S. Lu, and L. Zhang, “Self-securing
that would form single points of attack and failure. Instead, ad hoc wireless networks,” in Proc. 7th IEEE Symp. on Comp. and
the ad hoc network was divided into clusters, and the cluster Communications (ISCC), Taormina, 2002.
[11] J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang, “Providing robust
heads jointly perform the tasks of a certification authority. and ubiquitous security support for mobile ad-hoc networks,” in Proc.
Our concept uses a proactive secret sharing scheme, which 9th International Conference on Network Protocols (ICNP). Riverside,
distributes the private network key to the cluster heads in the ad California: IEEE, Nov. 2001, pp. 251–260.
[12] J. Hubaux, L. Buttyan, and S. Čapkun, “The quest for security in mobile
hoc network. Instead of a registration authority, arbitrary nodes ad hoc networks,” in Proc. ACM Symp. on Mobile Ad Hoc Networking
with respective warranty certificates may warrant for a new and Computing (MobiHOC), Long Beach, Oct. 2001.
node’s identity. Based upon this authentication infrastructure, [13] C. Perkins, Ad Hoc Networking. Addison-Wesley, 2001.
[14] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Robust threshold
we provide a multi level security model ensuring authenti- DSS signatures,” in Advances in Cryptology, Proc. Eurocrypt’96, ser.
cation, integrity, and confidentiality. Authentication itself is LNCS, vol. 1070. Saragossa: Springer-Verlag, 1996, pp. 354–371.
realized in two stages. First, a node gets the status of a guest [15] D. Balfanz, D. K. Smetters, P. Stewart, and H. C. Wong, “Talking to
strangers: Authentication in ad-hoc wireless networks,” in Proc. Symp.
node. After sufficient authentication, the node will become a on Network and Distributed System Security (NDSS), San Diego, Feb.
full member. An additional important feature is the possibility 2002.
to delegate the cluster head functionality to another node. We [16] F. Stajano and R. Anderson, “The resurrecting duckling: Security issues
for ad-hoc wireless networks,” in Proc. 7th International Workshop on
also pointed out how the security concept can be integrated Security Protocols, ser. LNCS, vol. 1796. Springer-Verlag, 1999, pp.
with routing protocols in order to achieve routing on secure 172–194.
paths. [17] A. Varga, “The OMNeT++ discrete event simulation system,” in Proc.
European Simulation Multiconference (ESM), Prague, Czech Republic,
In order to evaluate our approach, we used two different June 6–9, 2001.
scenarios in our simulations: random waypoint and motorway. [18] D. B. Johnsson and D. A. Maltz, “Dynamic source routing in ad hoc
wireless networks,” in Mobile Computing. Dordrecht, The Netherlands:
Based upon these mobility models, the evaluation of the Kluwer Academic Publishers, 1996, vol. 353.
mobile nodes’ log-on times, the availability of the security [19] W. Franz, R. Eberhardt, and T. Luckenbach, “Fleetnet – Internet on the
infrastructure, and the overhead shows that it is possible to road,” in Proc. 8th World Congress on Intelligent Transport Systems,
Sydney, Oct. 2001.
deploy a security architecture with an acceptable performance [20] R. Morris, J. Jannotti, F. Kaashoek, J. Li, and D. Decouto, “Carnet: A
and overhead. We also showed how different parameter vari- scalable ad hoc wireless network System,” in Proc. 9th ACM SIGOPS
ations affect the performance. A very interesting observation European Workshop, Kolding, Sept. 2000.
[21] J. Markoulidakis, G. Lyberopoulos, D. Tsirkas, and E. Sykas, “Mobility
was that the mobility model highly impacts the behavior of modeling in third-generation mobile telecommunications systems,” IEEE
such an security architecture. Personal Commun. Mag., vol. 4, no. 4, 1997.
Future work should address the impact and limitations of [22] V. Davies, “Evaluating mobility models within an ad hoc network,”
Master’s thesis, Colorado School of Mines, 2000.
the communication technology deployed. These investigations [23] M. Gerla, X. Hong, and G. Pei, “Fisheye state routing for ad hoc
allow an evaluation of our security architecture in a real-world networks,” Internet Draft, IETF, June 2002, draft-ietf-manet-fsr-03.txt.

0-7803-8356-7/04/$20.00 (C) 2004 IEEE IEEE INFOCOM 2004