Safeguarding ad hoc networks with a self-organized ... · work, which is not a strong assumption in...

Computer Networks 57 (2013) 2656–2674

Contents lists available at SciVerse ScienceDirect

Computer Networks

journal homepage: www.elsevier .com/locate /comnet

Safeguarding ad hoc networks with a self-organizedmembership control system

1389-1286/$ - see front matter � 2013 Elsevier B.V. All rights reserved.http://dx.doi.org/10.1016/j.comnet.2013.06.004

⇑ Corresponding author. Tel.: +55 21 8112 4775.E-mail addresses: [email protected], [email protected]

(N.C. Fernandes).

Natalia Castro Fernandes ⇑, Marcelo Duffles Donato Moreira, Otto Carlos Muniz Bandeira DuarteGTA/COPPE, Universidade Federal do Rio de Janeiro (UFRJ), Rio de Janeiro, RJ, Brazil

a r t i c l e i n f o

Article history:Received 25 January 2012Received in revised form 22 January 2013Accepted 6 June 2013Available online 5 July 2013

Keywords:Ad hoc networksAccess controlTrust

a b s t r a c t

One of the key challenges for ad hoc networks is providing distributed membership con-trol. This paper introduces a self-organized mechanism to control user access to ad hoc net-works without requiring any infrastructure or a central administration entity. Ourmechanism authenticates and monitors nodes with a structure that we call controllerset, which is robust to the dynamic network membership. We develop analytical modelsfor evaluating the proposal and validate them through simulations. The analysis shows thatthe proposed scheme is robust even to collusion attacks and provides availability up to 90%better than proposals based on threshold cryptography. The performance improvementarises mostly from the controller sets capability to recover after network partitions andfrom the identification and exclusion of malicious nodes.

� 2013 Elsevier B.V. All rights reserved.

1. Introduction

Ad hoc networks do not rely on a physical infrastructureor a central administration entity [1–4]. Indeed, a differentuser controls each node and therefore security becomes amajor issue to keep collaborative message forwardingworking. Indeed, a small set of malicious node is able todisrupt the entire network in the absence of securitymechanisms. The network must also be self-organized,since we cannot count on a bootstrap phase in which allnodes are configured with the right parameters by a cen-tral administrator [5].

To restrict unauthorized node access in regular net-works, two complementary approaches are used: accesscontrol and authentication. When using these approaches,the network is able to punish malicious nodes and rewardthe cooperative ones. In ad hoc networks, however, theimplementation of both access control and authenticationis challenging, because they are usually based on central-ized mechanisms. Accordingly, ad hoc networks demand

self-organized mechanisms based on distributed adminis-tration and nodes with equivalent functions, which meansthat all nodes should play the same role in the network,executing the same algorithms without counting on thepresence of specialized administrative nodes in the net-work. Also, ad hoc networks must provide high availabilityeven on network partition events, in which the network istemporarily partitioned in smaller sets with no communi-cation due to membership changes, node mobility, andfading channels.

In this paper, we propose and analyze ‘A Controller-node-based Access-Control mechanIsm for Ad hoc net-works’ (ACACIA) [6]. ACACIA is a self-organized public-keymanagement and monitoring system that does not requireany trusted central authority or fixed server. In ACACIA, allnodes play an equal role and the proposed mechanismsguarantee high availability even if network membershipand topology are highly dynamic. Our mechanism providesboth authentication and access control that are suitable forad hoc networks.

ACACIA is based on two features: delegation chains[7,8] and controller nodes. The delegation chain is usedto control network access without a centralized adminis-tration. As a result, the users themselves are responsible

http://crossmark.dyndns.org/dialog/?doi=10.1016/j.comnet.2013.06.004&domain=pdf

http://dx.doi.org/10.1016/j.comnet.2013.06.004

mailto:[email protected]

mailto:[email protected]

http://dx.doi.org/10.1016/j.comnet.2013.06.004

http://www.sciencedirect.com/science/journal/13891286

http://www.elsevier.com/locate/comnet

N.C. Fernandes et al. / Computer Networks 57 (2013) 2656–2674 2657

for allowing new users to join the network. Users that al-low a malicious user to join are punished in order to keepthe network secure. The controller nodes, introduced inthis paper, manage certificates and also monitor and pun-ish nodes. Each node in the network is controlled by a dy-namic controller set composed of randomly chosen nodes.The random selection provides a distributed membershipcontrol with a different controller set for each node. In-deed, every node belongs to controller sets of other nodes.Therefore, our scheme avoids nodes with special functionsbecause all nodes have the same duties of certificating andmonitoring nodes. The controller set actions are thresholdruled to prevent colluding attacks. An action is taken onlyif the majority of the set agrees on this action.

Once ad hoc network membership is highly dynamic,our controller nodes adapt to network context by changingACACIA parameters according to the network size. Hence,if the network size is reduced under a certain threshold be-cause of nodes leaving the network or partition events,ACACIA parameters are automatically reconfigured by allnodes to adapt the size of the controller sets to the newscenario. Besides, a controller set is regenerated whenevera membership change affects this controller set. Since thecontrollers are dynamically chosen and based on voting,they provide autonomy and availability to ACACIA. As thecontroller sets monitor and punish nodes, ACACIA is safeagainst attacks and controls node access. The performedevaluations show that the controllers keep the delegationchain safe even in the presence of malicious nodes. More-over, ACACIA availability is up to 90.7% greater than thethreshold cryptography-based proposals on networkpartitions.

This paper is structured as follows. Related researchconcerning authentication are reviewed in Section 2, whilethe system model is presented in Section 3. The proposedscheme is detailed in Section 4 and the proposal perfor-mance is analytically evaluated in Section 5. We describeour simulations in Section 6. Finally, we draw conclusionsin Section 7.

2. Related work

Certificate authorities (CAs) are employed to preventidentity forgery. Nonetheless, this scheme is inadequatefor ad hoc networks because it requires infrastructureand a central administration. More specifically:

� There is no central authority in ad hoc networks. Then,there is no administrator to configure all nodes to use atrusted certificate authority or to specify the list ofauthorized users.� Connectivity problems may avoid that nodes obtain or

validate certificates. A classical certificate authority isprovided using a single node. If a partition occurs, manynodes will not be able to access this node. If a node can-not obtain a certificate, it cannot access the network.� Ad hoc networks are created on demand by wireless

devices. Hence, there is no guarantee that one nodecan communicate with any other at any time, due toconnectivity problems caused by the absence of

infrastructure. Internet connection may be available ornot in the network. In case it is available, it is not possi-ble to guarantee that all nodes will always have access tothe Internet. Hence, we also cannot use public certificateauthorities provided through the Internet.

Therefore, the challenge for ad hoc networks is toauthenticate users and control network membership.

Zhou and Haas proposed the distribution of the certifi-cate authority through the network in a threshold fashion[9]. The idea is to distribute the CA responsibilities amonga specialized group of nodes with a (k, m) thresholdscheme. Each of these special nodes receives a share ofthe master private key of the CA. Therefore, a certificateis only issued if at least k out of the m specialized nodesagree about this task. This approach, however, can degradethe CA availability, because k out of m nodes may not beaccessible to nodes all the time, especially during networkinitialization and network partitions. To mitigate this prob-lem, Kong et al. suggested to include all nodes in CA forma-tion, so that m = N, where N is the number of nodes in thenetwork. As a result, any k neighbors of a node provide CAservices [10]. This proposal, however, reduces the systemreliability. For at least k compromised nodes in the net-work, which is not a strong assumption in ad hoc networksif k� N, the authentication system security can no longerbe guaranteed. Liu et al. extended the system of Zhou andHaas to revoke certificates based on accusations [11]. Inthis system, the network is divided in clusters to controlthe access of nodes to the network. Nodes are classifiedin three classes and only the nodes on the must trustfulclass can become cluster heads. The cluster heads are ableto accuse or to recovery a certificate that was previouslyrevoked. The idea is to provide a fast certificate revocationand also to provide resilience against malicious nodes thatlie about the behavior of other nodes. Other approachesusing threshold cryptography have been proposed[12,13], but the need for an administrator to manage mem-bership or select and configure a special group of nodespersists in all of these proposals. This characteristic is notfully compatible with ad hoc networks, which are self-organized networks [14].

To prevent against Sybil attacks [15], in which a singlenode assumes many identities, He et al. proposed a schemebased on a key pre-distribution scheme called ScalableMethod Of Cryptographic Key (SMOCK) [16]. In thisscheme, a number of cryptographic keys are stored off-lineat individual nodes before network deployment. To providescalability in terms of number of nodes and storage, theauthors utilized a combinatorial design of public–privatekey pairs. Although the protocol achieves zero communica-tion overhead for authentication, it still needs an adminis-tration entity that previously knows all the nodes and hasmanagement authority over all of these nodes.

Pretty Good Privacy (PGP) introduced the web-of-trustauthentication model using digital signatures, in whichusers digitally sign the pair (identity, public key) of the othertrusted users [17]. If user A trusts user C, which signed user Bpublic key, then A also trusts B. As this process develops, aweb of trust is built through certificate chains. Based on thisidea, some proposals for authentication in ad hoc networks

2658 N.C. Fernandes et al. / Computer Networks 57 (2013) 2656–2674

were done [18,19]. In these proposals, nodes maintainrepositories of certificates issued by themselves or receivedfrom other trusted nodes. When a node A needs to authen-ticate node B, it looks for a certificate chain from node A tonode B in its repository. If this chain is found, node A signsB’s certificate and exchanges repositories with B. One ofthe main problems of these proposals is the network initial-ization, when most nodes have a limited certificate reposi-tory and are not able to find certificate chains. Anotherissue is that nodes are free to generate fake identities dueto the absence of access control and then subvert theauthentication scheme [15].

Recent proposals use the schemes above with the ideaof clusters to make the authentication in ad hoc networkscalable. Lu and Zhou proposed an identity-based clusteraccess control model and introduced the concept of a dy-namic trust agent [20]. In this scheme, the dynamic trustagent of each cluster creates inter-cluster trust relation-ships. Ghalwash et al. proposed a scheme that combinesthe concept of clusters with the threshold key manage-ment techniques. In their proposal, the network is dividedinto clusters where the cluster heads are connected by vir-tual networks and share the private key of the CentralAuthority (CA) [21].

Li et al. proposed a certificateless key managementfor ad hoc networks also based on threshold cryptogra-phy [22]. This approach mixes the ideas of identity-based encryption1 and threshold cryptography to avoidthe need of certificates or of an entity that knows the pri-vate keys of all nodes. In this approach, the entity calledKey Generating Centre (KGC), which is distributedthrough threshold cryptographic, generates a partial pri-vate key for each node. A node uses a secret and thekey provided by the KGC to generate its private key. Mali-cious nodes are excluded by the use of a voting system. Ifthe KGC receives more votes than a predefined threshold,then the node is excluded.

Our proposal better fulfills the ad hoc network require-ments than the previous schemes because it does not needa central administrator for controlling network access orconfiguring special purpose nodes, like in threshold cryp-tography proposals. Both threshold cryptography andweb-of-trust proposals have problems in the initializationdue to a low number of nodes in the network. In ACACIA,the self-adaptation of the parameters to network condi-tions and the self-management of the controller nodes fa-vor both initialization and network partitions and stillguarantee security. Moreover, the punishment systemrun by the controllers discourages the creation of Sybilidentities, as well as the randomized choice of the control-lers reduces the probability of collusion attacks. Althoughthe proposal uses more messages than the systems basedon threshold cryptography due to the dynamic control ofnetwork membership and to the identification of parti-tions, it does not demand nodes with a high storage capac-ity or great processing ability.

1 In the identity-based encryption, the identity of the user, such as his e-mail, is used as public key. The main disadvantage of this scheme is that acentral entity is required to generate the private key of all users.

3. System model

3.1. Network model

We assume that a group of people with a commoninterest or relationship is motivated to create a private so-cial network. Examples are employees of an organization, amilitary company, friends in a party, or any other kind ofgroup of users. These people can use their social relation-ships to create a delegation chain to control the privatenetwork access. Any user that belongs to the delegationchain is called an authorized user and has free access tothe private network. We assume that authorized userscan join and leave the network at any time and that allmessages are signed.

We further assume an ad hoc network in which nodemobility and link outages cause frequent network parti-tions. Also, we assume the use of a dynamic addressingprotocol such as [23] to guarantee that there are no ad-dress collisions. For sending a message, we consider fourtypes of communication: broadcast, unicast, multicast,and flood. Broadcast represents a one-hop transmission,unicast is a transmission from one node to other, multicastis a transmission from one to n nodes,2 and the flood is atransmission for the whole network.

3.2. Adversary model

In the proposed scheme, adversaries are unauthorizedusers that try to access the network without an authoriza-tion. In addition, authorized users who try to disturb thepacket forwarding in the network, to subvert the authenti-cation or the access control provided by ACACIA, or todamage any other control system are also considered asadversaries. Authorized users that work in a maliciousway discard packets of other nodes instead of forwardingor send spoiled data to network, such as fake routing mes-sages, damaging the performance of control protocols anddata forwarding. Moreover, malicious nodes can inform anattack that never happened to reduce the reputation of aspecific node in the network. They can also try to imper-sonate many nodes to disturb voting systems. We assumethat adversaries can collude, but they are always minorityin the network.

ACACIA do not intend to avoid attacks, but to authenti-cate nodes and exclude adversaries from the networkwithout counting on a centralized access control entity,such as an administrator. We assume that the nodes areable to detect attacks in the network and spread thisinformation to other nodes. We consider that the attackdetection may be not perfect, and then there will be bothfalse-positives and false-negatives.

4. The proposed scheme

Our access control scheme authorizes, authenticates,and monitors users. To accomplish these functions, the

2 If multicast is not provided by the routing protocol, it should beimplemented as n unicasts in pro-active routing protocols and as floodingin reactive routing protocols to reduce the control overhead.


proposed scheme uses a delegation chain and controllernodes.

4.1. Membership delegation chains

We use delegation chains based on the users’ relation-ship to distribute the membership control. If the social net-work is hierarchical, this relationship hierarchy is triviallyused to define the root of the delegation chain. On theother hand, if there is no hierarchy, any user has two pos-sibilities: join an existing social network or create a newsocial network. To join a specific social network, the usermust be accepted by someone that already belongs to thisspecific delegation chain. Also, the user can create a newsocial network being the root of a membership delegationchain. Moreover, a user can participate at different privatenetworks at the same time if he is part of the delegationchain of each private network.

In our scheme, only users that belong to the delegationchain can authorize other users to join the private network,by sending an out-of-band Authorization. Therefore, anyuser must obtain an Authorization before joining the net-work. We introduce a parameter in the Authorization to re-strict malicious access by specifying the maximum numberof descendents that each user can have. This parameterindicates how much the parent trusts in the child he ac-cepted to join the delegation chain. If the parent has astrong relationship with the child, he specifies a high max-imum number of descendents. Otherwise, this number caneven be set to zero.

An example of a delegation chain based on a non-hierarchical social network is in Fig. 1(a) and (b), assumingthat Alice wants to create a new private social network.Hence, she becomes the root of a delegation chain and issuesAuthorizations to her friends, quantifying her trust on eachfriend in the parameter maximum number of descendents,D. In this example, Alice has a weak relationship with Danieland, as a consequence, she authorizes Daniel to join the so-cial network but forbids him to authorize other users, settinghis parameter to zero. On the other hand, Alice has a strongrelationship with Bob, and then Alice authorizes Bob withan unlimited maximum number of descendents. After, Bobauthorizes Fabian and attributes to him at most DF = 20descendents. The children receive part of the maximumnumber of descendents of their parents and the leftoverAuthorizations, LA, must be accordingly adjusted. Thus, foreach new child, the parent deducts from its leftover Authori-zations the number of descendants he has accorded to thenew child plus one. Then, after Fabian authorizes Ellen withDE = 10 possible descendants and Carol with DC = 1 possibledescendants, he has LA = DF � (DE + 1)� (DC + 1) = 20� 11� 2 = 7 leftover Authorizations.

4.1.1. User and node identitiesWe assume in our scenario the use of a dynamic IP ad-

dress assignment. Therefore, every time a user joins thenetwork, he will receive a different IP address and conse-quently, a different identification as a node. Due to this,the Authorizations are correlated to user identities insteadof node identities. A user identity is defined by the nameand the personal document numbers of the user, which

do not change with time. Hence, the delegation chain isbuilt based on user identities and we associate differentpublic keys to the user and node identities.

4.2. The key idea: the controller sets

The main distinguishing feature of ACACIA is the dy-namic and self-managed controller sets. ACACIA associatesto each node in the network two randomly chosen control-ler sets, which issue certificates, monitor nodes, and ex-clude malicious nodes from the network. The controllersets of a specific node control the network access of thisnode. Then, the controller sets must guarantee that adver-saries have no access to the network and are excluded fromthe delegation chain.

Since all nodes have an equal role in the network, eachnode has controller sets and is also part of the controller setsof other nodes. An example of controller sets is in Fig. 1(c).

4.2.1. Defining controller setsThe controllers perform actions correlated to the node

identity (the node IP) and the user identity (the username) of a user. For instance, the calculation of the repu-tation of a specific node is an action that is correlated tothe node identity. Indeed, a node that observes a neighborperforming an attack only knows the neighbor’s nodeidentity. An example of controller action correlated tothe user identity is to avoid that a user obtains twonode identities at the same time using only a singleAuthorization.

A problem that arises from the identity duality is theselection of the controller sets. A node that observes an at-tack has access only to the malicious node IP address.Hence, this is the only information that this node can useto discover the controller set of the malicious node. There-fore, a first approach would be to use the IP address as aseed to select the controller nodes. Nevertheless, if the con-troller sets are chosen based on the IP address of a node,then a malicious user is able to use a single Authorizationto obtain two IP addresses at the same time, performing,for instance, a Sybil attack. The controllers would not beable to detect the attack because each node identity wouldgenerate a different controller set. ACACIA solves this issueby creating two different controller sets per node: the nodecontroller set (Nc), which monitors node behavior based onthe observed address, and the user controller set (Uc),which controls the delegation chain according to the nodebehavior, mapping the node address in the user identity, asshown in Fig. 2. The node controller set is selected based onthe IP address of the node and is known by any node in thenetwork, while the user controller set is selected based onfixed information of the Authorization and is known onlyby the nodes with access to the Authorization. Theseset sizes, given by jNcj = mn for the node controller setand jUcj = mu for the user controller set, are specified bythe delegation chain root in the Authorization.

The node controller set specific functions are:

� receive notifications of malicious actions of the moni-tored node sent by the other nodes in the network;� calculate the reputation of the monitored node; and

Fig. 1. Creating the delegation chain based on a social network and the controller sets after all users join the network.


� vote to exclude the monitored node if the calculatedreputation reaches a specific threshold.

The user controller set guarantees the delegation chainvalidity, and then its specific functions are:

� store the Authorization of the monitored node;� control the number of children of the monitored node,

by storing the user identification of each child;� store if the monitored node was excluded;

Both sets are responsible for the authentication and ac-cess control procedures. Hence, both sets verify the Autho-rization validity and issue Partial Certificates to themonitored node.

As any node can belong to a controller set, the decisionsare always taken based on voting. A certificate is issuedonly if at least kn node controllers and ku user controllersagree that the controlled node is authorized to accessthe network. Hereafter, we assume kn P bmn/2c + 1 andku P bmu/2c + 1, which means that both thresholds areset majorities to guarantee the system reliability againstmalicious nodes.

4.2.2. Selecting controller setsSince ad hoc network membership is highly dynamic

due to joining/leaving nodes and network partitions, a sta-tic controller set does not fit well. As a consequence, we

propose a self-managed mechanism that redefines the con-troller sets whenever there is a change in their elements.

The set selection must be executed by the controllednode every time a node join or leave the network to main-tain the controller set updated. A node/user must updateits controller set to obtain the certificate and access thenetwork. Without an updated certificate, the signature inthe messages of the node cannot be verified by the othernodes and these messages will be discarded, excludingthe node from the network. Therefore, all nodes are forcedto keep their controllers updated.

The controller set selection is also run by nodes thatwant to contact the node controllers of a malicious nodeto send an accusation about an attack. In addition, the ver-ification of a certificate also demands the node to calculateand contact the controllers of the certificate owner. Anynode that runs the proposed algorithm will discover thecurrent controller set of any other node.

The controller sets are randomly selected to avoid thatthe controlled node manipulates the controller set mem-bership. Hence, the choice of the nodes in each controllerset is made via hash functions to guarantee that the con-trollers are uniformly distributed among the nodes in thenetwork. Also, all the nodes must be able to correctly dis-cover the controllers of any other node, and all nodes mustagree in the same controller set for a specific node.

Algorithm 1 shows how to select the controller sets. Inthis algorithm, x 2 {user, node}, Ln is the ordered list of theactive nodes, add is the address of the controlled node, and

Fig. 2. Using node and user identities in ACACIA.


Cx is the controller list, which is initially empty. The list Ln

is known by all nodes due to the mechanisms described inSection 4.3 to maintain the membership control afterevents such as node joining, node leaving, network merg-ing, and network partition. In short, ACACIA announces toall nodes the events of node joining and leaving the net-work and then all nodes are able to maintain a consistentlist of the active nodes.

In Algorithm 1, the function / is a simple hash functionapplied i times over seed. In this algorithm, we considerthat the list Ln = {l1, . . . , ln} is circular. That is, after ln 2 Ln,we find l1 2 Ln. The user-controller set has size mu, whilethe node-controller set has size mn.

Algorithm 1. Controller set selection

The first step in the algorithm is to calculate the number
of nodes in the network, N, to determine the size of thecontroller sets, mu and mn. During network initialization,mu and mn are higher than the number of nodes, N. In thiscase, we choose mn = mu = N � 1. Therefore, to increase sys-tem availability, we reduce the needs for security in net-work initialization and we reestablish security thresholdsas the network membership increases. When max (mn,mu) < N � 1, the controller sets are formed by mu and mn
nodes as specified in the Authorization. These values willnot change unless the network membership is reduced sothat the number of nodes is not enough to create a control-ler set.

After establishing the sizes mu and mn, the algorithmstart to select the nodes in the controller set. The selectionof the controller sets receives the input seed. The algorithmselects a candidate for controller applying the seed in func-tion /. The result of / selects a position in the list of allo-cated addresses, Ln. Then, the algorithm checks if thiscandidate was already selected as a controller. If the nodeis not a controller, it is selected as part of the controller setCx. Otherwise, the algorithm chooses the next node in thecircular list Ln that is not a controller to be the newcontroller.

The use of the seed is described in Fig. 3. The node con-trollers, responsible for the monitoring system, must beknown by all nodes, because nodes that detect a badbehavior must warn the node controllers of the adversary.Therefore, the node address, available in all messages, isthe seed for the node controller set. For the user controllers,

Fig. 3. Simplified scheme of the selection of the node and user controller sets.

Fig. 4. Computing the node controller set of node ID 192.168.0.1, assuming N = 7 and mc = 3.


the seed is the parent public key, which is available in theAuthorization. The use of the parent public key avoids thatnodes use the same Authorization to obtain many ad-dresses simultaneously and execute a Sybil attack. Thechoice of different addresses results in different node con-troller sets. The use of the parent public key, however,guarantees the choice of same user controller set for a spe-cific Authorization independent of the chosen address.Therefore, if a node tries to use its Authorization to obtaintwo different addresses simultaneously, the user control-lers will notice the attack and will not allow the allocationof the second address. Hence, to guarantee the delegationchain security, the controllers must be separated in twodifferent sets and selected with proper seed.

Fig. 4 shows an example of the application of Algorithm 1to compute the node controllers in a network with N = 7nodes and mn = 3 node controllers. In this example, the nodeID is 192.168.0.1 and the other node IDs were randomly

chosen. For simplicity, we omitted in figure the networkprefix, which is given by the network address 192.168.0.0/24. In the first step, the node verifies that the network sizeis greater than mn. After, it applies the hash function to selecta position in Ln. In this example, the hash function computesposition 5 for the given seed, which means that node192.168.0.16 is selected as a controller. Then, in the secondstep, the node applies the hash function over the first result,obtaining a new position. Because the new position is equalto the first one, the same node would be selected. To avoidthis situation, the next node in the list is chosen, as describedby Algorithm 1. Finally, the last node controller is chosen byre-applying the hash function to select a position in Ln. Afterthat, the controller set is composed by the nodes192.168.0.16, 192.168.0.2, and 192.168.0.15.

Since we assume that network membership changes alot, this algorithm is executed many times. Nevertheless,this does not imply in a lot of computation, because the


result /(seed, i) is constant, independent of Ln. Then, nodescould store these values to reduce computations. Besides,we do not need to use a cryptographic hash function, butonly a simple hash function, because we just want the dis-tribution property of these functions. It is worth notingthat if a malicious user tries to attack ACACIA by often join-ing and leaving the network, this action will be noticed byhis user controllers and the Authorization can be revoked.

Also, another consequence of this algorithm is that thesets are as dynamic as the network membership, whichimpedes a malicious node from trying to select other col-luding nodes as node controllers by manipulating the ad-dress choice.

4.3. ACACIA detailed description

We now describe how nodes obtain their certificates inACACIA as well as how the monitoring mechanism works.

4.3.1. New node accessACACIA is expected to control network access in a dis-

tributed way without the help of a centralized administra-tor. We use delegation chains, therefore, to distribute themembership management role among the users that al-ready belong to the delegation chain. As a consequence, anew user must join the delegation chain to obtain anAuthorization before accessing the network.

The new node access mechanism, described in Fig. 5, al-lows users to obtain an address, the node public/private

Fig. 5. Message exchanges over time in

keys and the corresponding certificate needed to the usersjoin the network. First, the joining user obtains out-of-band an Authorization with a previously authorized userbased on his social relationship and on the delegationchain. After that, the joining user needs the allocated ad-dress list to choose an address and know his controllersets. Hence, after overhearing a Hello message from a node,the joining user asks for the allocated address list with aNew message. The Hello source node replies this messagewith the broadcast of a List message, which contains theallocated address list in a compact form. The broadcast isneeded because the joining user does not have an addressyet. After obtaining the allocated address list, the userchooses a pair of public/private keys and selects the firstp bits of the public key as his address suffix. This processis repeated until the user finds a pair of keys associatedto an available address, which we call node public/privatekey. We use the public key as an ID, such as in other pro-posals [24], to reduce memory requirements by only stor-ing the public key instead of the pair (address, public key)for each node. Also, we suppose that address collisionscaused by two nodes choosing the same address areavoided by an address auto configuration mechanism [23].

After choosing an available address, the joining user cal-culates his controller sets based on the received allocatedaddress list, as explained in Section 4.2.2. Next, he multi-casts a message with his Authorization and his node publickey to his controllers and his father’s user controllers. Hesigns this message with the child public key specified in

the new node access mechanism.

Fig. 6. Access control messages in ACACIA for joining and validating the delegation chain.

3 We assume that the network clocks are at least loosely synchronized.


the Authorization to prove he owns the Authorization andto associate the Authorization with the chosen address.When the joining user’s controller nodes receive this mes-sage, they store the received data and waits for a period TV

for the answer of the father’s user controllers. This isneeded to validate the delegation chain. If the father’s usercontrollers guarantee the father belongs to the delegationchain, then the child also belongs to the delegation chain.Hence, the father’s user controllers verify the Authoriza-tion signature and if the father can have one more child.If these conditions hold, the father’s user controllers multi-cast the Validation message to the joining user’s control-lers, store the user identification of the child, andincrease the number of children of the father. After receiv-ing at least ku out of the mu Validations from father’s usercontrollers, the joining user’s controllers flood the networkwith a Partial Certificate and also with their list of allocatedaddresses. Provided that the joining user receives ku out ofthe mu Partial Certificates from his user controllers and kn

out of the mn Partial Certificates from his node controllers,his admission in the network has been authorized and hegenerates a Complete Certificate. Besides, he also validateshis list of available addresses according to the lists receivedfrom his controller nodes. Finally, the joining user floods anAllocation message to notify the whole network that hehas a certificate and the address is allocated. Every nodethat receives the Allocation message and at least kn outof the mn Partial Certificates from the joining user’s nodecontrollers includes the new address on the allocated ad-dress list.

After obtaining the complete certificate, the joining usercan take part with the network and becomes member ofother nodes controller sets. Furthermore, this user willstart to send periodical Hello messages informing the hashof the root public key, which identifies the delegation chainthe user belongs to, and also the hash of the allocated ad-dress list, which is used in the identification of partitionmerging events and message losses, as we explain in Sec-tion 4.3.3.

Access control messages in ACACIA – A user joins the net-work if it has an Authorization, which is described inFig. 6(a). Every Authorization has an ID, which is chosenby the user that emitted the Authorization, with the con-straint of being unique in the set of Authorizationsemitted by this user. This identification is used by the user

controllers to verify if the user has emitted more Authoriza-tions than he is authorized to. The values mn, kn, mu, ku arecopied from father to son from the first Authorization emit-ted by the root of the delegation chain. Hence, all nodesagree on the same values for these parameters. The expira-tion field allows father to control the permanency of hischildren in the network. Hence, as soon as the expirationtime is exceeded, the Authorization is no longer valid andthe user must leave the network. Consequently, this valueis copied from the Authorization to the node certificates.Also, the expiration of the children must also be equal orsmaller than the expiration of the father to maintain thedelegation chain consistency.3 Another important field ofthe Authorization is the maximum descendents, which spec-ifies the maximum number of nodes that the user can grantaccess to the network, as explained in Section 4.1. After, thereis a list of user public keys. The public key of the root useridentify the delegation chain. Indeed, nodes in the sametransmission range can belong to different delegation chains.The child public key is the key of the user receiving theAuthorization, which will be used to authenticate the newuser. The grandfather’s public key is provided to calculatethe father’s user controller, as ACACIA uses the father publickey as the seed of Algorithm 1. The father’s public key identi-fies the father and must be the same key stored by thefather’s user controllers. Finally, the Authorization is signedby the father, proving that it was emitted by him.

The Validation, described in Fig. 6(b) is sent by thefather’s user controllers after the verification of the Autho-rization. The Authorization ID and the user public key iden-tify the authentication procedure to the controllers of thejoining user. The father’s complete certificate provides allthe information about the father, for the case of the fatheror child being purged from the network, as well as the pub-lic key of the user controller, which signs the Validationmessage.

After obtaining enough Validations, the controllers ofthe new user send a Partial Certificate, described inFig. 7(a). A Partial Certificate is used to generate a Com-plete Certificate, described in Fig. 7(b), through voting.Hence, after receiving enough Partial Certificates, the newuser can generate its Complete Certificate. The Partial

Fig. 7. Certificates in ACACIA.


Certificate brings a signature over all the fields of the Com-plete Certificate, but only the variable fields are transmit-ted by the controllers to reduce the control overhead.Hence, the controllers only send the Authorization ID andthe new node address to identify the authentication proce-dure and their own public key. In the end of the PartialCertificate, the controller attaches his signature of allnon-variable fields of the Complete Certificate. Hence, theComplete Certificate is composed of the Authorization ID,the expiration, the maximum number of descendents, theuser public key of the root, the father, and the grandfather,which are copied from the Authorization, and the nodepublic keys of the new user and his controllers. Finally,the certificate presents the partial signatures of ku or moreuser controllers and kn or more node controllers.

4.3.2. Node monitoringIn ACACIA, all nodes run a bad behavior detection sys-

tem. Each node monitors its neighbors and notifies theneighbor’s node controllers whenever a bad behavior is de-tected. Based on this notification and on a trust system, thecontroller nodes exclude monitored nodes. Therefore,every node excludes a malicious node after receiving atleast kn out of mn votes from the node controllers of themalicious node. By exclusion, we mean that no messageis forwarded or received from the node classified as mali-cious. Furthermore, after receiving kn votes from node con-trollers, the user/node controllers of the malicious noderevoke the excluded node certificate. Also, all the descen-dent nodes of the malicious node must be excluded bytheir controller nodes. This is achieved hop-by-hop in thedelegation chain with the votes of the controllers, because

the Authorization does not indicate the entire delegationchain.

Any bad behavior detection system (BBDS), trust model,and fairness mechanisms [25–28] can be used withACACIA. We analyzed a simple trust model and we sup-posed a BBDS capable of detecting the most usual attacks.After receiving an accusation from a neighbor of the mon-itored node, the node controller verifies the certificate andthe signature on the message and stores this information.In the proposed simple trust model, we do not considermore than one accusation from the same source during aperiod TA to avoid message and storage overhead.

The reputation of node i for the node controller d at mo-ment j Rijd

j� �

is updated after an accusation by

Rjijd ¼ max Rijd

j�1 � 1� �

;0� �

: ð1Þ

After a period TR without accusations, the monitored nodereputation is updated to reduce the impact of false accusa-tions made by malicious nodes or false-positives in the at-tack detection. The resulting reputation is given by

Rjijd ¼ min Rijd

j�1 þ 1� �

;Rmax

� �; ð2Þ

where Rmax is the maximum value of a node reputation.Each node controller sends a vote to exclude the moni-

tored node if the reputation of the node reaches a thresh-old Tijd, which indicates the rigor on the node evaluation.Hence, the reputation of node i computed by the controllerd, Rijd, should be always greater than the tolerance thresh-old Tijd for the node to be considered non-malicious by thecontroller. Tijd initial value is chosen by the controller d toeach monitored node i and is updated in every exclusion of


monitored node descendents in the delegation chainaccording to

Tijd ¼ Tijd þFi

h � N ; ð3Þ

where Fi ¼ minðFimax ;NÞ; Fimax is the maximum number ofdescendents of node i, N is the number of nodes, and h isthe number of hops between the monitored node and theexcluded descendent node in the delegation chain. Conse-quently, a father will try to authorize only really trustfulchildren, because if children are classified as malicious,the tolerance to father’s behavior will decrease. Besides,the punishment for nodes able to add more descendentsis heavier to increase the responsibility when allowingnew nodes.

One consequence of Eq. (3) is that Sybil attacks are dis-couraged. Assuming a node is accomplishing a Sybil attack.If this node has many Sybil children classified as malicious,his threshold Tijd will increase until Rijd < Tid . Hence, thenode is purged even if his main identity has never doneany malicious action. This punishment, however, doesnot discourage the issue of Authorizations, because allthe users need a fully populated network for obtaining agood connectivity. Hence, the users which are already partof the delegation chain need to authorize new users in or-der to guarantee the network availability.

4.3.3. Node departureIn ad hoc networks, nodes can join and leave the net-

work at any moment. ACACIA must deal with nodes leav-ing the network to maintain the allocated address listand the delegation chain consistency.

The controller sets are intended to detect the departureof the nodes, based on a frequent contact with the con-trolled node. Hence, each node sends a test packet withperiod TT to its controllers. If a controller does not receiveany packet in a period pt � TT, where pt is the lost packetthreshold, then this controller announces that the moni-tored node has left the network. When at least ku user con-trollers and kn node controllers agree that the node has left,all nodes exclude that node from the allocated address list.As a consequence, this mechanism guarantees that theallocated address list is always updated when a partitionis formed or after a node leaves the network. It is impor-tant to note that this mechanism updates the allocate ad-dress list, but not the delegation chain. Hence, this nodecan return to the network at any moment.

One important issue about non-malicious nodes thatleave the network is how to grant access to their children.When a user joins the network, his access depends on thevalidation of his Authorization by the user controllers ofhis father. Hence, the user controllers must be availableeven if the father is offline. ACACIA provides a self-organization of the user controllers to solve this issue.After a user joins the network, his user controller set isformed and is automatically maintained even if the userleaves the network. Whenever the user controller setchanges, the user controllers exchange information, suchas the Authorization fields and the number of authorizedchildren, so that the new user controller knows all dataabout the monitored node. As a consequence, a child can

join the network even if his father is not active at that mo-ment in the network.

The information about nodes that already left the net-work is stored only while the certificates are valid. Whena certificate expires, all the data about that node and itsdescendents is discarded. Thus, the storage overhead is fi-nite and the average load on each node depends on thenumber of distributed certificates and their validity.

4.3.4. Network partitionsA network partition event is similar to many nodes

leaving the network at the same time. A partition mergingevent causes a different challenge, in which there are a lotof new nodes joining the network that will not execute thenew node access mechanism. To solve this, ACACIA identi-fies partition merging events using the hash of the allo-cated address list in the Hello messages. Indeed,partitions have different allocated address lists, and, conse-quently, different hashes of the list. If two neighbors havedifferent hashes of the list, they are probably in differentpartitions and must merge their lists. Hence, an ACACIAnode floods its allocated address list whenever there aremore than TU seconds since the last list update and thehash of the list received in its neighbor’s Hello is differentfrom its own hash of the list. When a node receives a mes-sage with a list, it checks if there is more than TU secondssince the last list update. If this condition holds, the nodemerges its list with the received one, accepting as presentall the absent nodes which are considered as present in thereceived list. It should be noticed that address collisionsamong two partitions should be resolved by an addressauto configuration protocol [23].

After a partition merging, the user controllers of a nodethat were in different partitions exchange information toassure that the number of issued Authorizations is correct.Besides, the controllers verify if the user was excluded inthe other partition due to bad behavior or to the exclusionof an ascendant in the delegation chain.

The controllers also prevent malicious node from usingthe merging of the allocated address lists to join the net-work. If an address is selected as allocated, but the nodecontrollers have not received an Authorization associatedto that address, then the controllers vote to exclude thatnode.

The partition merging mechanism also solves messagelosses, guarantying the consistence of the allocated addresslist. If Partial Certificates or an Allocation message of a spe-cific node is lost, some nodes allocate the node addresswhile other nodes do not. Hence, there will be differenceson the hash of the allocated address list, which will startthis mechanism until all the nodes have the same allocatedaddress list.

5. Analytical evaluation of ACACIA

We now evaluate the proposed scheme robustness inthe generation of certificates, the resilience to partitions,and the storage requirements.


5.1. Robustness to collusions against ACACIA authentication

ACACIA is resistant to collusions attacks even if thereare up to ku + kn � sk � 1 malicious node in the network,where sk = jKu

TKnj, Ku is a user controller subset, Kn is a

node controller subset, jKuj = ku, and jKnj = kn. Nevertheless,this robustness is even greater due to the random choice ofthe controllers and the voting system.

The collusion success probability to allow a non-authorized node to obtain a fake certificate, PM, dependson the number of nodes, N, the number of malicious nodes,M, the number of controllers per node (mu, mn), and thecorresponding threshold (ku, kn). The collusion successprobability, PM, is calculated as the probability of the mali-cious nodes being the majority in both controller sets of aspecific identity, which means that there are from ku up tomu malicious nodes in the user controller set and from kn

up to mn malicious nodes in the node controller set of thisspecific identity, so that the malicious nodes can issue afake certificate for that identity. Assuming thatN � 1 > max(mu, mn) and (N � 1 �M) P max(mu � ku, mn -� kn), which represents the general case, then

PMAC¼

PLui¼0

M

kuþ i

� ��

N�1�M

mu�ku� i

� �

N�1mu

� � �

PLni¼0

M

knþ i

� ��

N�1�M

mn�kn� i

� �

N�1mn

� � ;

if M P maxðku;knÞ;0; if M<maxðku;knÞ;

8>>>>>>><>>>>>>>:

ð4Þ

where Lu = mu � ku, if M P mu, and Lu = M � ku, if mu >M P ku, and also Ln = mn � kn, if M P mn, and Ln = M � kn,if mn > M P kn. Similarly, we can obtain the equation forthe proposal of Zhou and Haas (PMZH ), which distributesthe certificate authority (CA) over mt special nodes [9].By means of comparison, we consider mt = mu + mn to guar-antee that the CA has the same size in both proposals.Moreover, assuming mt = N nodes, we obtain the proposalof Kong et al. [10], which extends the Zhou and Haas pro-posal in a way that all nodes participate in the CA to in-crease the availability. The equation for PMZH is notpresented for the sake of brevity. Fig. 8(a) shows PM forACACIA (AC), the proposal of Zhou and Haas (ZH), andthe proposal of Kong et al. (Kong), assuming thatm = mt = 2 �mu = 2 �mn and N = 52 nodes.

We also calculated the collusion success probability tohinder a non-malicious node from obtaining a certificate(PNM). In ACACIA, if there are at least mu � ku + 1 maliciousnodes in a user controller set or at least mn � kn + 1 mali-cious nodes in a node controller set which never answerfor certificates for non-malicious nodes, then the certificateis not issued. Assuming N > M > 0, N � 1 P max(mu, mn)and (N � 1 �M) P max(mu, mn), then we infer PNMAC bythe probability of having less than mu � ku + 1 maliciousnodes in the user controller set and less than mn � kn + 1malicious nodes in the node controller set (PN). Then,PNMAC ¼ 1� PN , where

PN ¼

Pmu�kui¼L0u

M

mu�ku� i

� ��

N�1�M

kuþ i

� �

N�1mu

� � �

Pmn�kni¼L0n

M

mn�kn� i

� ��

N�1�M

knþ i

� �

N�1mn

� � ; ð5Þ

L0u ¼ 0, if M P mu � ku, and L0u ¼ mu � ku �M, if 0 < M <mu � ku and L0n ¼ 0, if M P mn � kn, and L0n ¼ mn � kn �M,if 0 < M < mn � kn. Again, the equation for the thresholdcryptography proposals (PNMZH ) can be obtained in a similarway. Fig. 8(b) depicts PNM, assuming m = mt = 2 �mu = 2 �mn

and N = 52 nodes.Fig. 8(a) and (b) shows the balance between k/m and the

security. If we increase k/m, we also increase ACACIA reli-ability against malicious nodes trying to join the network.Choosing a great k/m, however, implies in an easier way tostop non-malicious nodes from getting a certificate. Asidefrom this, if k/m = 1, ACACIA availability is reduced againstnode departures and partitions. Hence, k/m is chosen as theminimum value that attends to the maximum specified PM.Comparing ACACIA with the Zhou and Haas proposal, weobserve that ACACIA has a better result for PM and a worseresult for PNM, assuming that both certificate authorities(CA) have the same size. Both differences arise from theexistence of two different controller sets in ACACIA, whilein the Zhou and Haas proposal the CA is composed of onlyone set of size m = mt. Selecting a high m with a small k toprovide availability, such as in the proposal of Kong et al.,however, creates a security problem due to PM, becauseonly k malicious nodes in the network are enough to createfake certificates and allow other malicious node to join thenetwork. Therefore, it is important to have a small PM to se-cure the network against malicious access. It is worth not-ing that these results do not suppose the existence of amonitoring system.

5.2. Network partition and massive node leaving impact onthe network

Since nodes joining/leaving and frequent partitions arecharacteristics of ad hoc networks, we evaluated ACACIAand the proposal of Zhou and Haas (ZH), which is basedon threshold cryptography, in configurations with thesecharacteristics. We supposed a network with NF nodes,in which NP randomly chosen nodes leave the networksimultaneously. After that, a group of NL nodes join thenetwork. In this configuration, all the ZH certificateauthority nodes are among the first NF nodes. Besides,the first NF nodes of the ACACIA delegation chain corre-spond to the first NF nodes joining the network. As a con-sequence, the first NF nodes always obtain the certificatefor both mechanisms. The probability of the last NL nodesobtain the certificate shows the system availability after apartition of size NP or after NP nodes abruptly leaving thenetwork. Assuming that all nodes request for a certificatewhen joining the network and NR = NF � NP, the probabil-ity of obtaining a certificate after the partition for ACACIAis given by

POAC ¼ ð1� ðPk � Pf ÞÞ; ð6Þ

where Pk is the conditional probability that at least ku

user controllers of a specific node are not among theremaining nodes, NR, given that this specific node alsois not among the NR nodes, and Pf is the probability thatthis specific node is not among the remaining nodes.Therefore,

5 10 15 20 250

0.05

0.1

0.15

0.2

Number of Malicious Nodes (M)Prob

. of f

alsi

fyin

g a

certi

ficat

e (P

M)

Kong,m=52,k=8

ZH,m=8,k=6

ZH,m=8,k=8AC,m=8,k=8

AC,m=8,k=6

(If M>k−1, PM=1)

5 10 15 20 250

0.2

0.4

0.6

0.8

1

Number of Malicious Nodes (M)Prob

. of d

enyi

ng a

cer

tific

ate

(PN

M)

AC,m=8,k=8

ZH,m=8,k=8

AC,m=8,k=6

ZH,m=8,k=6

Kong,m=52,k=8

5 10 15 20 250

0.2

0.4

0.6

0.8

1

Partition Size (NP)

Prob

. of S

uc. C

ert.

Req

uest

(PO

)

AC,m=8,k=8AC,m=8,k=6

ZH,m=8,k=6

ZH,m=8,k=8

Kong,m=52,k=8

Fig. 8. Analytical performance evaluation of ACACIA and threshold cryptography-based proposals for collusion robustness and network partitions.


Pf ¼

NF � 1NR

� �

NF

NR

� � ; if ðNF � 1 P NRÞ;

0; if NF � 1 < NR;

8>>>>><>>>>>:

ð7Þ

Pk ¼

PLsi¼Li

mu

i

� ��

NF �mu � 1NR � i

� �

NF

NR

� � ; ð8Þ

where Li = max(0, NR + mu + 1 � NF) and Ls = min(ku � 1, NF).The idea is that if the node or the majority of its user con-troller set remains on the network after the partition, thenthe user controller set can be recovered and the children ofthat node will be accepted in the network. Otherwise, thechildren of this user will not receive a certificate.

Again, the equation for the threshold cryptography pro-posals, POZH , was omitted for brevity. Indeed, POZH dependson the probability of having more than k � 1 certificateauthority nodes among the remaining NR nodes, whilePOAC

depends on the probabilities of the father or his usercontrollers be among the remaining NR nodes. Accordingto Eqs. (6)–(8), ACACIA always presents a greater availabil-ity than the proposal of Zhou and Haas, as we observe inFig. 8(c).

6. Simulations

We performed simulations to evaluate the controller setselection in ACACIA, as well as to evaluate the impact ofACACIA parameters in overhead and security.

6.1. Controller set selection

We evaluate the impact of the proposed algorithm toselect controllers in ACACIA. In ACACIA, the controller setsare recalculated whenever a node joins or leaves the net-work. This procedure guarantees that the controller setsare dynamic, making it hard for malicious node to colludefor creating a controller set with majority of maliciousnodes. Nevertheless, changing the controller sets implieson message overhead. Hence, there is a tradeoff betweensecurity and overhead.

Our analysis aims to determine the average number ofchanges in the controller set when the network member-ship is modified. Hence, we implemented the proposedalgorithm, named ‘Strategy 1’ in the graphs, in Matlaband simulated the impact over the controller set when anode leaves the network. We also implemented a secondselection strategy, named ‘Strategy 2’, which is less aggres-sive than the proposed approach, reducing the overhead.This strategy is described in Algorithm 2, where R is the


size of the range of available addresses. In this strategy, in-stead of selecting the controllers among the current set ofallocated addresses, the node selects as controllers thenodes with addresses closest to the result of (/(seed,i)mod R) + 1.

Algorithm 2. A less-aggressive strategy for controller setselection

4 We performed validation tests of ACACIA in networks of small andmedium sizes, observing if the messages diagrams were respected, as wellas the counters, such as the number of leftover authorizations and thereputation of each node. We also manually checked the selection ofcontrollers in networks with different number of nodes.

Fig. 9 shows the impact of the number of available ad-dresses and the number of nodes in the controller set.We measured the number of changes in the controller setwhen a node leaves the network. We assumed a networkwith 100 nodes without partitions. In Fig. 9(a), we assumedthat each controller set has 4 nodes, while in Fig. 9(b), weassumed 256 available addresses.

According to Fig. 9(a), Strategy 1 generates an averageof�3 controller changes in each controller set when a nodeleaves the network. Hence, it is a highly dynamic mecha-nism in comparison with Strategy 2, in which a node leaveimplies in a low probability of changing each controller set.It is noteworthy that both mechanisms are less impactingthan the network initialization, in which all the four con-trollers must be contacted by each node.

Fig. 9(b) shows that the size of the controller set doesnot impact the probability of changing controllers after anode leaves the network in Strategy 2. Hence, the morethe number of controllers per set, the lower the dynamicityof Strategy 2. Strategy 1, instead, increases the number ofchanges when we enlarge the controller set size. Hence,this strategy guarantees the dynamicity of the controllerset, which is important for network security.

We assume in the rest of the paper the use Strategy 1,described in Algorithm 1, because we focuses on providingsecurity for ad hoc networks. The remaining analyzed sce-narios consider the presence of malicious node and, hence,a highly dynamic controller selection is advisable. It isnoteworthy that the use of the second strategy (Algorithm2) is more suitable for non-malicious scenarios, becausethis strategy greatly reduces the control overhead and stillmaintains the dynamism in the controller sets. Also, Strat-egy 2 is suitable for scenarios with a high rate of nodesjoining and leaving the network, because this high rate will

guarantee the dynamicity of the controller sets withoutincurring in a high overhead or in network instability.

6.2. ACACIA performance

We implemented ACACIA in the Network Simulator-2(NS-2).4 The simulations model radio propagation usingthe Shadowing model and the Medium Access Control usingthe IEEE 802.11 model. As routing protocol, we used the Adhoc On-demand Distance Vector routing protocol (AODV).These choices account for creating a model that closelymatches a community network, using indoor parametersof commercial equipments. Therefore, the parameters usedfor our simulation are an average transmission range of18.5 m, a maximum carrier sense range of 108 m, and a den-sity of about 0.0121 nodes/m2 [29]. We evaluated the con-trol traffic, the certificate distribution, and the monitoringsystem of ACACIA.

We compare ACACIA with the protocol proposed byZhou and Haas, which we call ZH. ZH is considered themain proposal for authentication in ad hoc networks, be-cause it distributes the certificate authority among a groupof nodes. ZH proposes the use of a threshold-based certifi-cate authority in ad hoc networks. This proposal assumesthat there is an administrator that is able to configurethe nodes in the network, specially the nodes that composethe certificate authority. This administrator controls theaccess to the network by creating an access list containingthe authorized users and their public keys. The certificateauthority nodes only issue partial certificates to the userspreviously authorized by the administrator. The goal ofour simulations that follow is to determine the merits ofthe controllers in ACACIA. By comparing ZH with ACACIA,we show that ACACIA not only avoids the use of an admin-istrator, but also it increases the authentication robustnessto the frequent network partitions of ad hoc networks. Weconsider a confidence level of 95% in the results.

Both ACACIA and ZH are based on threshold values toreach to a decision. The certificate authority (CA) iscomposed of mt nodes in ZH and the threshold is given bykt = bmt/2c + 1. For the purpose of a fair comparison, wechoose the parameters of ACACIA as m = 2 �mn = 2 �mu = mt.Consequently, both CAs have size m. We suppose that thethreshold for user-controller set, whose size is mu, is givenby ku = bmu/2c + 1 and the threshold for node-controller set,whose size is mn, is given by kn = bmn/2c + 1. Instead westate differently, the other simulation parameters are inTable 1. The field configuration was chosen as a square areain which nodes are randomly distributed.

The first experiment analyzes the control load. It is ex-pected that ACACIA control load is greater than ZH, be-cause our protocol updates the certificate authorityaccording to the network parameters and monitors nodes.Fig. 10(a) shows the control overhead after 50 s of

Table 1Simulation parameters.

Description Value

Number of nodes (N) 52e Density 0.03 nodes/m2

mt = 2 �mu = 2 �mn 8kt 5ku = kn 3Maximum reputation (Rmax) 10Initial threshold (Tijd) 5Increasing reputation period (TR) 3 sAccusing period (TA) 3 sTest packets interval (TT) 2 sLost packet threshold (pt) 3Validation waiting time (TV) 1 sList update interval (TU) 1 s

100 200 300 4000

1

2

3

4

Number of available addresses

Num

ber o

f con

trolle

r cha

nges

Strategy 1

Strategy 2

2 4 6 8 100

2

4

6

8

10

Number of controllers

Strategy 1

Strategy 2

Fig. 9. Evaluation of different controller set selection strategies when a node leaves a network with 100 nodes.

5 The detection of attacks is not in the scope of the proposal. Our analysisis based on an ideal bad behavior detection system. Hence, attacks to ad hocnetworks, such as Byzantine attack, wormhole, and greedy, are simulatedas randomly generated events. Hence, the malicious node generatesmalicious events and the neighbors can detect that a malicious eventhappened.


simulation. The number of nodes impacts in both resultsdue to the floods in the routing protocol and in ACACIA.

Next, the impact of network partition events on the net-work control was analyzed as described in Section 5.2.Accordingly, NP out of NF nodes leave the network due toa partition and, subsequently, NL nodes join the network.Fig. 10(b) shows the probability of obtaining a certificateafter the partition for the last NL nodes, assumingNF = NL = 26 and NP = NF/2 = 13 nodes. We further plot thedeveloped analytical results, to show the accuracy of bothanalyses. The number of obtained certificates in ZH is al-most the same for all m = mt values, because while mt in-creases, kt = bmt/2c + 1 also increases. For ACACIA, ifm = 4, then mu = 2, and ku = 2, which means that the proto-col has no redundancies on the controller sets. Therefore,the ability to recover user controllers after a partition is de-graded, depending on the presence of the node to reestab-lish its controllers. For m = 6, 8, and 10, ACACIA availabilityincreases because mu > ku and the user-controller set canbe automatically recovered after a partition. Fig. 10(b)shows that ACACIA outperforms ZH availability by up to65%.

Using the same configuration, we evaluated the impactof the partition event on ACACIA and on ZH according tothe partition size. Fig. 11(a) depicts the probability ofobtaining a certificate after a partition. In all the cases,ACACIA has a greater availability than ZH. ZH availability

quickly decreases as more nodes leave the network, whileACACIA is more robust to the size of the partition. If 16 outof the 26 first nodes leave the network in ZH, there is aprobability of 6.6% that the system works for the last NL

nodes. In the same situation, the success probability inACACIA is 97.3%.

We also evaluate the delays for obtaining a certificate inboth protocols. Fig. 11(b) plots the delay for one node to becertified, assuming that the certificate chain is completefor ACACIA and that all the certificate authority nodes arein the network for ZH. Although ACACIA seems to be morecomplex, the delays with m > 4 for ACACIA are statisticallythe same of the ones obtained for ZH. For m = 4, ACACIAhas a greater delay because mu = 2, mn = 2, and, conse-quently, ku = 2 and kn = 2. As a result, if there are any mes-sage errors, the node needs to wait before asking for thecertificate again. In ZH, if m = 4, then k = 3, which meansthat if one of the partial certificates is lost, the completecertificate can still be obtained.

The next experiment evaluates the monitoring systemin three configurations. In the first, there is no collusionamong nodes and the malicious actions are against appli-cations, which we call ‘common attacks’. In the second,called ‘attacks to ACACIA’, nodes do not collude, but theydo not send Validation or Partial Certificate messages toany node in the network. On the third configuration, called‘collusion attacks’, malicious nodes cooperate and denyValidation and Partial Certificate messages for all non-malicious nodes. We supposed a bad behavior detectionsystem which can detect all these malicious actions.5 Inaddition, we consider the node initial reputation as well asthe reputation threshold as 5, while the node reputationinterval is 0–10.

Fig. 11(c) depicts the node classification with ACACIAaccording to the number of malicious nodes. ACACIA has ahigh accuracy in the detection of malicious nodes even ifthere are colluding nodes, assuming an ideal bad behavior

101

103

105

107

9 16 25 36 49 64Rec

eive

d m

essa

ge s

ize

(Byt

es)

Number of nodes

ACACIAZH

0

0.2

0.4

0.6

0.8

1

4 6 8 10Prob

. of s

ucc.

cer

tific

ate

requ

ests

Certificate authority size (m)

ACACIASim ACACIAMath

ZHSimZHMath

Fig. 10. Simulation results for ACACIA and the proposal of Zhou and Haas (ZH).

0

0.2

0.4

0.6

0.8

1

0 5 10 15 20 25Prob

. of s

ucc.

cer

tific

ate

requ

ests

Number of nodes leaving the network (P)

ACACIA

ZH

0

0.5

1

1.5

2

2.5

3

4 6 8 10Del

ay to

obt

ain

a ce

rtific

ate

(s)

Certificate authority size (m)

ACACIA

ZH

0.6

0.7

0.8

0.9

1

0.1 0.3 0.5Prob

. of c

orre

ct c

lass

ifica

tion

Fraction of malicious nodes

Common attacks

Attacks to ACACIA

Collusion attacks 0

0.2

0.4

0.6

0.8

1

0.1 0.3 0.5

Prob

. of s

ucc.

cer

tific

ate

requ

ests

Fraction of malicious nodes

(Non−malicious)sim

(Non−mal., no monit.)math

Fig. 11. Simulation results for ACACIA and the proposal of Zhou and Haas (ZH).


detection system. Besides, there are no false positives orfalse negatives in ACACIA classification in which all nodesagree, independent of the configuration or the number ofattackers. Nevertheless, as the number of malicious nodein the network increases, it is harder for ACACIA nodes toreach unanimity in node classification. This occurs becausemalicious nodes are excluded from the network and cannotforward control messages, compromising the network

connectivity and creating partitions. With a low connectiv-ity, some messages for excluding a malicious node are re-stricted to the partition with the malicious node. Hence,some nodes in other partitions notice the malicious nodeis absent and take out its address from the allocated addresslist, but they never classify the node as malicious.

Fig. 11(d) shows the monitoring system effectiveness.We plotted the probability of a non-malicious node

Table 2Comparison of the main authentication and access control proposals.

Proposal Authentication Access control Absence of admin. Availability Resilience

Single CA + +� � � +Duplicated CA + +� � + +Zhou and Haas [9] + +� � +� +Kong et al. [10] + +� � + �Liu et al. [11] + + � +� +SMOCK [16] + +� � + +�Capkun et al. [18] + � + +� �Li et al. [22] + + � +� +ACACIA + + + + +


obtaining a certificate in ACACIA in the absence of a mon-itoring system and in the presence of collusion attacksagainst the proposal, given by PN (Eq. (5)), called(Non-mal., no monit.)math in the graph. Also, we plottedthe percentage of obtained certificates at the end of thesimulation in the presence of the described collusion at-tack, using ACACIA’s monitoring system, called (Non-malicious)sim. We suppose that certificate requests wererepeated until a successful reply. In the simulations, allnon-malicious nodes obtain the certificates, because themajority of the malicious nodes were correctly classified.Then, after the classifications, the controller set majoritiesare composed of non-malicious nodes, which answer forthe certificate requests. Even with the collusion attacks,more than 70% of the nodes were correctly classified evenif 50% of the nodes are malicious. Although a high numberof malicious node could avoid some nodes from obtainingtheir certificates, as shown in Section 5.1, if we identify andexclude these nodes, all the non-malicious nodes can ob-tain their certificates. ZH and other authentication mecha-nisms do not provide any monitoring system, which isprimordial in ad hoc networks due to the collaborationamong nodes. ACACIA not only provides authenticationwith a greater availability, but also provides an accuratemonitoring system, assuming the existence of an idealbad behavior detection system. ACACIA presents a highresilience to attacks because each node runs our algorithmindependent of the other nodes in the network. Hence, allthe non-malicious nodes will always follow the proposedalgorithm. The random and dynamic choice of controllersguarantees that collusions are not as effective as if the con-troller sets were static, increasing the resilience of theproposal.

6.3. Discussion

ACACIA provides a scheme for authentication and ac-cess control that does not depend on an administratorand also provides high availability. In Table 2, we compareACACIA to the previously mentioned approaches.6 We eval-uate the following characteristics:

� authentication provision;� access control provision;� administrator avoidance;

6 More details about each proposal are in Section 2.

� high availability, even in the presence of networkpartitions;� resilience to the presence of a small set of malicious

nodes in the network.

The symbol ‘+’ indicates that the proposal accomplishesthe characteristic, ‘+�’ indicates the characteristic is notguaranteed, and ‘�’ indicates that the characteristic is notprovided.

All the analyzed proposals are able to authenticatenodes in ad hoc network. Nevertheless, access control isan issue for many proposals. ACACIA and the proposal ofCapkun et al. are the only that avoids an administrator.ACACIA performs this task by using a modified delegationchain and Capkun et al. proposed to use a web of trust.

The availability is related to the ability of the proposal toresist to partitions. A single certificate authority node doesnot resist to network partitions. Duplicate the certificateauthority node increases the availability, obtaining a betterresult than the use of threshold cryptography. If at least onecopy of the certificate authority is present in each partition,then nodes can authenticate themselves. As we showed inthe simulation results, threshold-cryptography-basedproposals are less resilient to partitions than ACACIA.

The last characteristic is the resilience to maliciousnodes. We evaluated whether the approach providesmechanisms to avoid that a small number of maliciousnodes corrupt the authentication scheme.

According to the previous analysis, only ACACIA is ableto provide all the characteristics required by ad hocnetworks.

7. Conclusion

We proposed an access control mechanism, calledACACIA, which introduces a new strategy to distributeadministrator duties among all the authorized users. Ourscheme restricts the capacity of untrustworthy users ofissuing Authorizations for new users and also punishesthe users that issue Authorizations to malicious users,reducing the success probability of Sybil and collusion at-tacks. Moreover, we proposed a scheme to validate the del-egation chain with controller nodes that avoids theverification of the whole chain to issue/validate certificates.By virtue of controller sets, ACACIA also monitors nodebehavior and purges from the network non-cooperativenodes, which safeguards the ad hoc network performance.


ACACIA is robust and self-adaptive to network conditions,even during network initialization and network partitions.The cost for flexibility and for the absence of infrastructureor a central administration is a higher message overheadwhen compared to systems based on threshold cryptogra-phy, due to the dynamic update of the controller sets.

The analysis results bring out characteristics of ACACIA,such as a high availability even in the presence of parti-tions when compared to other mechanisms. The systemis resistant to malicious node attacks due to the randommodel used to choose the controllers. Therefore, ACACIAis well-suited to ad hoc characteristics and is a feasiblealternative for ad hoc networks applications that requiresecurity.

Acknowledgments

The authors thank CNPq, CAPES, FINEP, FUNTTEL,FAPERJ, and FUJB.

References

[1] L. Abusalah, A. Khokhar, M. Guizani, A survey of secure mobile ad hocrouting protocols, IEEE Communications Surveys Tutorials 10 (4)(2008) 78–93.

[2] C. Ververidis, G. Polyzos, Service discovery for mobile AdHocnetworks: a survey of issues and techniques, IEEE CommunicationsSurveys Tutorials 10 (3) (2008) 30–45.

[3] C. Perkins, E. Royer, Ad-hoc on-demand distance vector routing, in:Second IEEE Workshop on Mobile Computing Systems andApplications (WMCSA ’99), 1999, pp. 90–100.

[4] A. Sendonaris, E. Erkip, B. Aazhang, User cooperation diversity – PartI: system description, IEEE Transactions on Communications 51 (11)(2003) 1927–1938.

[5] N.C. Fernandes, O.C.M.B. Duarte, A lightweight group-keymanagement protocol for secure ad-hoc-network routing,Computer Networks 55 (3) (2011) 759–778.

[6] N.C. Fernandes, M.D. Moreira, O.C.M.B. Duarte, A self-organizedmechanism for thwarting malicious access in ad hoc networks, in:The 29th Conference on Computer Communications (IEEE INFOCOMminiconference 2010), San Diego, California, USA, 2010, pp. 1–5.

[7] D. Yao, R. Tamassia, Compact and anonymous role-basedauthorization chain, ACM Transactions on Information and SystemSecurity (TISSEC) 12 (3) (2009) 1–27.

[8] J.-E. Elien, Certificate Discovery Using SPKI/SDSI 2.0 Certificates,Master’s Thesis, Massachusetts Institute of Technology, 1998.

[9] L. Zhou, Z.J. Haas, Securing ad hoc networks, IEEE Network 13 (6)(1999) 24–30.

[10] J. Kong, P. Zerfos, H. Luo, S. Lu, L. Zhang, Providing robust andubiquitous security support for mobile ad-hoc networks, in: NinthInternational Conference on Network Protocols (ICNP’01), Riverside,California, USA, 2001, pp. 251–260.

[11] W. Liu, H. Nishiyama, N. Ansari, N. Kato, A study on certificaterevocation in mobile ad hoc networks, in: 2011 IEEE InternationalConference on Communications (ICC), 2011, pp. 1–5.

[12] J. Luo, J.-P. Hubaux, P.T. Eugster, DICTATE: Distributed CerTificationAuthority with probabilistic frEshness for Ad Hoc Networks, IEEETransactions on Dependable and Secure Computing 2 (4) (2005)311–323.

[13] H. Luo, J. Kong, P. Zerfos, S. Lu, L. Zhang, URSA: ubiquitous and robustaccess control for mobile ad hoc networks, IEEE/ACM Transactionson Networking 12 (6) (2004) 1049–1063.

[14] J.V.D. Merwe, D. Dawoud, S. McDonald, A survey on peer-to-peer keymanagement for mobile ad hoc networks, ACM Computing Surveys39 (1) (2007).

[15] S. Hashmi, J. Brooke, Authentication mechanisms for mobile ad-hocnetworks and resistance to sybil attack, in: Second InternationalConference on Emerging Security Information, Systems and

Technologies (SECURWARE ’08), Cap Esterel, France, 2008, pp.120–126.

[16] W. He, Y. Huang, K. Nahrstedt, W.C. Lee, SMOCK: A self-containedpublic key management scheme for mission-critical wireless ad hocnetworks, in: Fifth Annual IEEE International Conference onPervasive Computing and Communications (PerCom’07), 2007, pp.201–210.

[17] P.R. Zimmemann, The Official PGP User’s Guide, London, 1995.[18] S. Capkun, L. Buttyán, J.-P. Hubaux, Self-organized public-key

management for mobile ad hoc networks, IEEE Transactions onMobile Computing 2 (1) (2003) 25–64.

[19] J.-P. Hubaux, L. Buttyán, S. Capkun, The quest for security in mobilead hoc networks, in: 2nd ACM International Symposium on MobileAd Hoc Networking & Computing (MobiHoc ’01), ACM, Long Beach,CA, USA, 2001, pp. 146–155.

[20] F. Lu, T. Zhou, Research on identity-based cluster access controlmodel with dynamic trust agent for mobile ad hoc networks, in:International Conference on Wireless Communications, Networkingand Mobile Computing (WiCOM 2006), 2006, pp. 1–5.

[21] A.Z. Ghalwash, A.A.A. Youssif, S.M. Hashad, R. Doss, Self adjustedsecurity architecture for mobile ad hoc networks (MANETs), in: 6thIEEE/ACIS International Conference on Computer and InformationScience (ICIS 2007), 2007, pp. 682–687.

[22] L. Li, Z. Wang, W. Liu, Y. Wang, A certificateless key managementscheme in mobile ad hoc networks, in: 2011 7th InternationalConference on Wireless Communications, Networking and MobileComputing (WiCOM), 2011, pp. 1 –4.

[23] N.C. Fernandes, M.D. Moreira, O.C.M.B. Duarte, An efficient filter-based addressing protocol for autoconfiguration of mobile ad hocnetworks, in: The 28th Conference on Computer Communications(IEEE INFOCOM 2009), Rio de Janeiro, RJ, Brazil, 2009, pp. 2464–2472.

[24] D.G. Andersen, H. Balakrishnan, N. Feamster, T. Koponen, D. Moon, S.Shenker, Accountable internet protocol (AIP), in: Proceedings of theACM SIGCOMM 2008 Conference on Data Communication(SIGCOMM ’08), ACM, New York, NY, USA, 2008, pp. 339–350.

[25] M. Xu, H. Zhang, R. Du, J. Zhan, A trust chain build scheme forenhancing wireless network security, in: International Conferenceon Wireless Communications, Networking and Mobile Computing(WiCom 2007), Shanghai, China, 2007, pp. 2314–2317.

[26] P.B. Velloso, R.P. Laufer, O.C.M.B. Duarte, G. Pujolle, HIT: A human-inspired trust model, in: 8th IFIP IEEE International Conference onMobile and Wireless Communications Networks (MWCN’2006),2006, pp. 35–46.

[27] V. Srinivasan, P. Nuggehalli, C.-F. Chiasserini, R.R. Rao, An analyticalapproach to the study of cooperation in wireless ad hoc networks,IEEE/ACM Transactions on Wireless Communications 4 (2) (2005)722–733.

[28] L. Dai, W. Chen, L.J. Cimini, K.B. Letaief, Fairness improvesthroughput in energy-constrained cooperative ad-hoc networks,IEEE/ACM Transactions on Wireless Communications 8 (7) (2009)3679–3691.

[29] M.E.M. Campista, I.M. Moraes, P. Esposito, A. Amodei Jr., L.H.M.K.Costa, O.C.M.B. Duarte, The ad hoc return channel: a low-costsolution for brazilian interactive digital TV, IEEE CommunicationsMagazine 45 (1) (2007) 136–143.

Natalia Castro Fernandes received the Elec-tronics and Computer Engineering degree in2006, the M.Sc. degree in 2008, and the D.Sc.degree in 2011 from Federal University of Riode Janeiro (UFRJ), Brazil. Also, she completed apost-doctorate in 2011 at UFRJ. Her majorresearch interests are in ad hoc networks,security, identification, and Future Internet.

http://refhub.elsevier.com/S1389-1286(13)00188-6/h0005
















































Marcelo Duffles Donato Moreira receivedthe Electronics and Computer Engineeringdegree and the M.Sc. degree in ElectricalEngineering from Federal University of Rio deJaneiro (UFRJ) in 2009. His major researchinterests are in network security, wirelessnetworks and future Internet architectures.

Otto Carlos M.B. Duarte received the Elec-tronic Engineer degree and the M.Sc. degree inelectrical engineering from Federal Universityof Rio de Janeiro (UFRJ), Brazil, in 1976 and1981, respectively, and the Dr. Ing. degreefrom ENST/Paris, France, in 1985. His majorresearch interests are in multicast, QoS guar-antees, security, and mobile communications.

Safeguarding ad hoc networks with a self-organized ... · work, which is not a strong assumption in...

Documents

Transcript of Safeguarding ad hoc networks with a self-organized ... · work, which is not a strong assumption in...