1 Introduction

Research on wireless networks, in particular Mobile Ad-Hoc Networks (MANET), has received wide attention in industry and academia for the past several years. Providing security is a major concern for secure routing, data forwarding and other node-to-node communications in infrastructure-less ad hoc networks such as MANET. Most solutions to these issues depend on cryptography, where a mechanism is assumed to exist for managing keys. However, due to the dynamic nature and lack of centralized infrastructure, it is difficult to provide an efficient scheme to establish a group key between the members (nodes) so that they can communicate secretly. Such limitations create several constraints on the security architectures of ad hoc networks. Therefore, a mobility-aware model with low complexity, low overhead and high security is desirable for MANET.

In a traditional Public Key Infrastructure (PKI) with public–private key pairs, a node's public key is certified and issued by a trusted entity called the certificate authority (CA), which distributes public keys in certificates. Certification is mandatory for securing network communications. It is implemented as a data structure that binds the public key to an attribute under a digital signature, and it can be used to authenticate the identity of the node to which the public key belongs, thereby preventing tampering and forgery in MANET. Any node that uses a public key first verifies its validity using the corresponding certificate. A certificate is valid if it has neither expired nor been revoked by the CA. The revocation status of a certificate can be checked by obtaining the Certificate Revocation List (CRL) corresponding to that certificate. Certificate management (CM) is therefore a crucial task for public key distribution, since it provides the trust in a PKI. Private keys are used to sign the certificates that bind the public keys the CA distributes for each node. MANETs cannot always guarantee access to a centralized CA because of the often unreliable and random nature of the wireless channel. Moreover, if the private key of the CA is compromised, the entire network is compromised because of this single point of dependency. Thus, a standard PKI is generally hard to maintain in an ad hoc environment. Although there is prominent research on key management in PKI-based MANETs, the existing work does not address the security issues of an ad hoc framework in which the CA may be inaccessible. To solve this single point of failure, we propose distributing the CA functionality and the signing key over a number of nodes divided into groups called clusters.

In a PKI-based MANET system, secure group communication requires that all members be authenticated by sharing a session key on which two or more nodes agree and with which they share information. Protocols of this type, well known as group key agreement (GKA) protocols, are advantageous in the distributed and shared MANET environment. Consequently, the development of an efficient and secure GKA has attracted more attention as an appreciable area of research. In a distributed group key agreement scheme, each member of a cluster provides its contributory share for key generation and distribution, which eliminates dependence on a single point of failure. Generally, most of the existing GKA protocols adopt a top-down approach in which the secret keys are re-generated whenever the cluster structure changes. To overcome this drawback, an efficient GKA scheme should manage the group key while a node is added to or evicted from a cluster.

In this paper, we propose an efficient and secure group key management scheme that combines the beneficial features of two prominent cryptographic schemes, Elliptic Curve Cryptography (ECC) and the Chinese Remainder Theorem (CRT), to address all of the above inherent problems of cluster-based dynamic MANETs. We also present an invulnerable system for public key distribution with efficient certificate management, which conveys trust in protecting legitimate nodes against attacks in a PKI MANET system. The proposed ECC-CRT scheme provides a solution for intra- and inter-cluster public key management. In contrast to previous work, we show that the ECC-CRT scheme provides better performance by reducing the communication and computation complexities.

Our contributions are as follows:

  • Efficient certificate distribution strategy. A certificate distribution strategy is presented to reduce the complexity of managing the PKI-based security framework. A cluster-based certificate assignment is established by partitioning the entire MANET environment into several clusters. To avoid dynamic communication drops, the nodes in the boundary region of a cluster are assigned multiple certificates corresponding to the current region as well as several other regions in its vicinity, which in turn reduces the size of the CRLs.

  • A completely distributed key agreement method. ECC-CRT requires that the members of each cluster participate in the construction of the key, to establish a secure and authenticated sharing of the group key. This distributed approach gives efficiency and flexibility in updating the share keys of the cluster members as well as of the cluster head (CH). The ECC-based system model also secures the network against compromise attacks and other internal and external attacks, with constant storage for the public–private parameters.

  • Secret key updating scheme. To cope with cryptanalysis, updating the secret keys at regular predefined intervals is advantageous. The proposed ECC-CRT based key updating scheme is effective because it needs no additional exchange or authentication process.

  • Dynamic re-keying improvement. ECC-CRT does not require re-generating the keys of all clusters when a member is added to or evicted from the clustered architecture. This reduces the communication and computation rounds of the network.

This paper is structured as follows. Sect. 2 reviews the work related to certificate and key management in MANET. Sect. 3 describes the proposed cluster-based certificate assignment method, followed by Sect. 4, which presents the operation of a MANET with the proposed ECC-CRT based key agreement method with dynamic rekeying. The performance analysis and simulation of the proposed scheme are presented in Sect. 5, together with a security analysis against various attacks. Concluding remarks appear in Sect. 6.

2 Related Works

In recent years, researchers have focused on MANET security issues [1]. It is difficult to provide a complete security solution for mobile networks because of their wireless connectivity, dynamic topology and infrastructure-less nature. Most previous research on MANETs has assumed that nodes are cooperative. To address the issue of node cooperation, trust has been recommended as an effective mechanism in recent research. The work in [2] quantified trust relationships together with risk in a PKI system. A fully trust-based PKI approach for ad hoc networks was presented in [3,4,5,6]. This approach proved to eliminate security vulnerabilities to a large extent with maximized performance characteristics.

Among the different security issues in ad hoc networks, certificate management serves as a powerful means to convey trust for securing various network services in the PKI MANET system [7, 8]. A complete certificate management solution must encompass three main factors: detection, prevention and revocation. Numerous studies have addressed these factors, especially the distribution of certificates, attack identification and certificate revocation [9,10,11,12,13,14,15,16]. Certification is essential to verify the origin of a public key, preventing tampering and forgery, in order to secure communications in MANET.

The other desirable property of a PKI-based security scheme is certificate revocation, that is, the certificates of a detected attacker or of malfunctioning nodes can be revoked. The most common way to revoke certificates is the distribution of CRLs that contain the most recently revoked certificates. Many studies have been put forward for mitigating malicious attacks by this distribution method [15,16,17]. Driven by the demand for securing legitimate nodes against attackers, many certificate management schemes have been proposed for PKI networks. CCRVC [18] proposed a certificate revocation method to handle attacker nodes; it revokes malicious nodes and solves the false accusation problem. URSA [19] implemented a novel ticket certification process that uses tickets to recognize and grant access to well-behaved nodes. This scheme maximized service availability with a distributed and localized mechanism.

A good number of studies have been proposed to secure MANET communication based on hierarchical key management and threshold cryptography. However, these works provided incomplete solutions. Since 1990, several studies have addressed another major challenge of key management, namely group key agreement. Among these works, ID-based GKA is prominent. A handful of ID-based GKA protocols based on bilinear pairing and elliptic curves were proposed in [20, 21]. Even so, these schemes are vulnerable to various attacks because the communicating nodes are not authenticated. Also, the communication rounds and bandwidth increase compared with non-ID-based GKA. Certain contributory key agreement schemes have been proposed for the purpose of key establishment, as in [22]. In later years, cryptographic concepts such as Diffie–Hellman and elliptic curves were combined with group key protocols over the ad hoc structure [23,24,25,26].

The concept of a cryptography-based key assignment scheme was first introduced in [27] for a partially ordered set hierarchy, to solve the access control problem. Since then, many schemes have been proposed based on the cryptographic hierarchy concept for multi-level access control, each with its pros and cons. Most of these existing schemes adopted a top-down approach for generating secret parameters, which linearly increased the size of the public parameters. Whenever a node was added to or evicted from the clustered architecture, all the secret keys were re-generated. This increased the communication and computation complexities, which made those schemes unsuitable for dynamic MANETs. In [28] the authors pointed out security flaws in previously presented schemes, but the scheme still has the limitation that A.K. Das's scheme is not suited to a larger MANET hierarchy. The authors of [29] recently introduced a key assignment protocol based on integer factorization for dynamic access control. This scheme failed to preserve forward security when a node is evicted from the group.

This paper, however, focuses on the security flaws regarding certificate and key management as well as dynamic rekeying, which the previous works cannot address. We propose two schemes: one for efficient certificate assignment, and a key agreement scheme based on CRT and the elliptic curve cryptosystem that addresses the security issues. The proposed scheme efficiently supports member join and eviction operations with forward–backward secrecy, key authentication, key secrecy and key share security.

3 Certificate Management in PKI-MANET System

In asymmetric cryptography, a PKI system publishes its public parameters through a certification process in which the public keys are bound. A certificate can thereby be defined as a collection of data digitally signed by the issuing authority, called the Certificate Authority (CA). Certificates preserve the integrity of each public key, which is necessary because the verification and encryption keys are public. Nevertheless, there are several drawbacks in deploying a PKI-based communication system to mobile ad hoc communications. Some of them are:

  • In a traditional flat PKI system, a network-wide CA maintains certificate authorization and a complete CRL for the entire network. A single CA issues all of the certificates within the system. This list is passed on to the cluster heads (CH) and then to the cluster members (CM), to dispatch the certificates to the nodes. Such a structure can be delay prone, and maintaining the infrastructure it needs, that is, a high-speed wired connection from the CA to the CHs and from the CHs to the CMs, may add to the infrastructure cost to a large extent.

  • Issuing network-wide certificates to the nodes may lead to resource under-utilization. We may need to restrict a node's usage of communication resources to certain clusters only, for example the cluster where it has been registered.

  • A large CRL consumes significant computational resources to check the revocation status of a particular node; a large CRL also takes significant bandwidth to download.

Therefore, it is clear that the complexity of the PKI system and also the size of the CRL have to be minimized in order to make the PKI based security viable for node to node security deployment. On this pursuit we make our contributions in this paper.

  1. In this paper, we propose a novel certificate assignment strategy for use in ad hoc networks, in order to reduce the complexity of managing the underlying PKI-based security framework. The strategy involves segmenting the network into a number of cluster regions and assigning region-specific certificates to a node. Assigning cluster-specific certificates to nodes is an attempt to exploit the spatial locality of MANET communications to reduce the complexity of managing the PKI-based security framework.

  2. Further, to avoid dynamic communication drops, we assign multiple certificates to the nodes lying around the border regions. To be consistent with the cellular structure, and for geometric simplicity, we assume the cluster regions are hexagonal in shape [30].

The end result of our proposed certificate management strategy is a significant reduction in the communication cost in certificate assignment and also reduction in the size of the CRLs. In addition we also ensure the infrastructural complexity is not growing further. The associated reduction in the complexity of managing the PKI significantly improves the performance of the PKI-based security framework. In particular, it reduces the load on the wireless communication medium for disseminating the certificates. It also reduces the memory requirements at each node for storing the CRLs, and leads to an efficient operation of the entire system.

3.1 Proposed Certificate Assignment Scheme

This section gives a detailed description of our proposed cluster-based certificate assignment (CCA) strategy, which leads to a significant reduction in the complexity of managing the PKI. Generally, most security protocols for a PKI MANET system require public key certificates for signing messages. The validity of a certificate is verified by ensuring that it has neither expired nor been revoked by the CA. The revocation status of a certificate can be checked by obtaining the CRL corresponding to that certificate. When transmitting information, the sender appends to the message the sender's certificate and a signature of (the hash of) the message made with the sender's private key. When receiving a message, the receiver verifies the validity of the sender's certificate as well as the signature on the message (using the sender's public key, which is part of the sender's certificate) before accepting it.

In the proposed cluster-based certificate assignment technique, the first step is to divide the entire network into several clusters. We assign each node region-specific certificates depending on the location of the node. The constraint is that nodes should use only the certificate corresponding to their current cluster, and should discard (i.e., without attempting to verify the sender's certificate) signed messages that are not appended with a certificate assigned to that particular cluster. Apart from this, the other main feature of our approach is that a node can be assigned multiple certificates corresponding to several regions in its vicinity, as advance preparation for possible roaming between adjacent clusters. For example, a node can be assigned one certificate corresponding to the current cluster region and one for each of the neighbouring cluster regions.

The multiple certificates corresponding to adjacent cluster regions can in fact be derived from the same key pair. When the multiple certificates are derived from the same key pair, the digital signature of a message does not change with the cluster region. On the other hand, if the multiple certificates assigned to a node derive from different public–private key pairs, then both the certificate and the digital signature of a message depend on the geographic region. The first method is simpler, because certificate assignment is simplified when the node moves across regions. However, the lack of privacy for the node is a concern with this method, since all the certificates are derived from the same key pair. The CA combines all the certificates corresponding to a particular cluster into one master CRL. With this, all nodes in a cluster region (say \(A\)) append signed messages with certificates that share the same master CRL (i.e., \(CML\left( A \right)\)). Therefore, in order to verify a received message, a node \(n_{x}\) in cluster \(A\) needs to acquire only the CRL corresponding to its current cluster (\(CML\left( A \right)\)). This reduces the size of the CRL, and hence the communication cost, to a large extent. However, nodes positioned at the border with adjacent clusters also need the CRLs corresponding to those adjacent regions. In that case, the size of the CRL can be further reduced by tying the expiry time of the CRL of a particular cluster to the distance of the node from that region. For example, the CA can tailor the expiry time of the certificates assigned to a node for a given cluster \(A\) to be inversely proportional to the distance between cluster \(A\) and the registered home cluster region of the node. Let the distance between positions \(p\) and \(q\) be \(D\left( {p,q} \right)\) and the boundary of \(A\) be \(Bo\left( A \right)\). Then

$$D\left( {n_{x} ,A} \right) = \min_{p \in Bo\left( A \right)} D\left( {GPS\left( {n_{x} } \right),p} \right)$$
(1)

If the node moves closer to the border, then \(D\left( {n_{x} ,A} \right) < Max_{R}\), where \(Max_{R}\) is the maximum range of a cluster. Conversely, if a node is said to be at the centre of a cluster, then \(D\left( {n_{x} ,A} \right) > Max_{R}\). A cluster \(B\) is said to be a neighbour of \(A\) if there exist positions \(p\) and \(q\) with \(D\left( {p,q} \right) < Max_{R}\). Here we assume that a node is close to the border region of cluster \(A\) if \(D\left( {n_{x} ,A} \right) < Max_{T}\), where \(Max_{T}\) is the maximum transmission range of a node. Similarly, a node is assumed to be located centrally within a cluster \(A\) if it is within cluster \(A\) and \(D\left( {n_{x} ,Bo\left( A \right)} \right) > Max_{T}\). Finally, a cluster \(B\) is assumed to be a neighbour of \(A\) if \(D\left( {A,B} \right) < Max_{T}\) for any two points in \(A\) and \(B\).

3.2 Functionalities of Certificate Assignment Scheme

There are different cluster shapes, such as circle, square and polygon, as mentioned in [30, 31]. To gain faster searching speed and to have successive search patterns overlap, we consider the clusters to be partitioned into disjoint hexagons, as shown in Fig. 1.

Fig. 1 Hexagon shaped clustering of MANET nodes

We make use of the Location Based Multicast (LBM) protocol [32] to update the location information of each node in the cluster whenever required. Moreover, a node's move from its current cluster to a neighbouring cluster in its vicinity can be determined even before it happens. Fig. 2 describes the assignment of multiple certificates to a node by the CA at the initial stage.

Fig. 2 Certificate assignment

We consider this certificate assignment process in three stages.

  • Initialization stage. During this stage, the node sends a Request for Certificate Assignment (\(CA_{Req}\)), along with its current location and public key (\(pub_{k}\)), to the CA. Each node signs the \(CA_{Req}\) message using its private key (\(pri_{k}\)) before sending it to the CA.

  • Verification stage. At the CA side, the message is verified first using the public key, which is part of \(CA_{Req}\). The CA then determines, from \(CA_{Req}\), the cluster in which the node is currently located as well as its neighbouring clusters.

  • Assignment stage. The CA replies with multiple certificates (\(CA_{Reply}\)) corresponding to the node's current and neighbouring locations.

Each cluster node in the PKI MANET performs four main actions, as given below.

  1. Send data. To perform secure communication, each node signs the message (data) and appends to the signed information the certificate related to its current cluster.

  2. Receive data. When receiving a message, a node verifies three main factors: certificate, validity and signature.

    • Certificate. The sender's certificate is verified first to check whether it belongs to the current cluster (\(A\)) or its adjacent cluster (\(B\)). If the sender's certificate belongs to neither cluster \(A\) nor \(B\), the message is discarded.

    • Validity verification. The validity of the certificate, i.e., whether it has neither expired nor been revoked, is analyzed at this stage. Messages carrying expired or revoked certificates are discarded after verification.

    • Signature. The signature of the message is verified, and the message is accepted if the certificate and validity verifications pass.

  3. Mobility awareness. When a node in cluster \(A\) moves closer to the boundary of the neighbouring cluster \(B\), it also accepts signed messages that are appended with certificates related to cluster \(B\), in addition to those of the current cluster.

  4. Re-organize. When the certificate related to the cluster into which the node is likely to move in the near future expires, the node sends a re-organizing request to the CA for a fresh set of certificates.
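The send and receive actions above, with the cluster check run before any signature work and the per-cluster master CRL \(CML(A)\) consulted for revocation, as an added example that is not the paper's code. It assumes a certificate is a small record signed by the CA, that \(CML(A)\) is a set of revoked serials per cluster, and, because the Python standard library has no asymmetric primitives, stands in for both the CA's and the node's signatures with HMAC-SHA256 keyed by a shared secret (so `priv_key` and `pub_key` are the same bytes in the demo; a real deployment would use the ECC key pair).

```python
"""Receive-side checks of Sect. 3.2 (certificate, validity, signature) with
cluster-specific certificates and per-cluster master CRLs CML(A).
Added example, not the paper's code. The signature primitive is an
HMAC-SHA256 stand-in keyed by a shared secret (assumption)."""
import hashlib
import hmac
from dataclasses import dataclass


def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in signature (HMAC-SHA256); the paper's scheme uses an ECC key pair."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_sig(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


@dataclass(frozen=True)
class Certificate:
    serial: str
    node_id: str
    cluster: str      # the cluster region this certificate is valid in
    pub_key: bytes    # stand-in for the node's public key
    not_after: int    # expiry; the CA shortens it for clusters far from the home region
    ca_sig: bytes

    def tbs(self) -> bytes:
        """To-be-signed bytes, the data the CA's signature covers."""
        return f"{self.serial}|{self.node_id}|{self.cluster}|{self.pub_key.hex()}|{self.not_after}".encode()


def issue(ca_key: bytes, serial, node_id, cluster, pub_key, not_after) -> Certificate:
    """Assignment stage: the CA issues one certificate per (node, cluster) pair."""
    unsigned = Certificate(serial, node_id, cluster, pub_key, not_after, b"")
    return Certificate(serial, node_id, cluster, pub_key, not_after, sign(ca_key, unsigned.tbs()))


class Node:
    def __init__(self, ca_key: bytes, cluster: str, cml: dict):
        self.ca_key = ca_key
        self.cluster = cluster          # current cluster A
        self.border_neighbour = None    # cluster B whose boundary the node is near, if any
        self.cml = cml                  # cluster name -> CML(cluster), a set of revoked serials

    def move_near_border(self, neighbour: str):
        """Mobility awareness: start accepting certificates of the adjacent cluster B."""
        self.border_neighbour = neighbour

    def receive(self, cert: Certificate, msg: bytes, sig: bytes, now: int) -> str:
        """Return 'accept' or the reason for discarding, checked in the paper's order."""
        # 1. Certificate: must belong to the current cluster A or, near the border, to B.
        #    Anything else is discarded before any signature work is spent on it.
        accepted = {self.cluster} | ({self.border_neighbour} - {None})
        if cert.cluster not in accepted:
            return "discard: certificate not for cluster %s" % "/".join(sorted(accepted))
        if not verify_sig(self.ca_key, cert.tbs(), cert.ca_sig):
            return "discard: certificate not signed by CA"
        # 2. Validity: neither expired nor listed in CML(cluster).
        if now > cert.not_after:
            return "discard: certificate expired"
        if cert.serial in self.cml.get(cert.cluster, set()):
            return "discard: certificate revoked"
        # 3. Signature on the hash of the message, using the public key in the certificate.
        if not verify_sig(cert.pub_key, hashlib.sha256(msg).digest(), sig):
            return "discard: bad message signature"
        return "accept"


def send(cert: Certificate, priv_key: bytes, msg: bytes):
    """Send data: sign the hash of the message and append the current-cluster certificate."""
    return cert, msg, sign(priv_key, hashlib.sha256(msg).digest())
```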

4 Proposed ECC CRT Key Agreement Model

In this section, we discuss in detail our proposed Elliptic Curve and Chinese Remainder Theorem (ECC-CRT) based key agreement scheme for secure dynamic group communication. The ECC-CRT scheme allows two parties, each with an elliptic curve key pair, to agree on a shared secret. This shared secret can either be used directly as a key or used to derive a master key that then encrypts future communications. The protocol is explained in three steps, namely initialization, key agreement and join-evict operation. Established schemes such as RSA and Diffie–Hellman [33] based key exchange are computationally expensive. Therefore, using ECC for DH makes the key agreement scheme more efficient, owing to its lower memory requirement and computation time and greater security per bit of key length. Here, we use the CRT to deliver each member's key share to the remaining members in the cluster [33]. This scheme has the advantage of needing two rounds of communication for initial key establishment and member join operations and only one round for member eviction.

Initialization. In this phase, all the system parameters required for the key processes are determined by the CA. As the first step, the CA randomly chooses two large primes \(p\) and \(q\) and two integer parameters \(x,y \in Z_{p}^{*}\) that satisfy the elliptic curve condition \(4x^{3} + 27y^{2} \bmod p \ne 0\). Let \(E_{p} \left( {x,y} \right)\) be an elliptic curve over the field \(GF_{p}\) with points \(\left( {a,b} \right)\), where \(a,b \in Z_{p}^{*}\). Let \(G\) be the generator of \(G^{\prime}\), an additive cyclic group of order \(q\). The CA then chooses one-way hash functions \(H_{1} , H_{2}\), determines its secret key \(sk_{CA}\) and distributes its public parameter \(k_{pub}^{CA}\), where \(k_{pub}^{CA} = sk_{CA} *G\).

Let \(C = \left\{ {C_{1} ,C_{2} , \ldots ,C_{n} } \right\}\) be the set of hexagonal clusters, each \(C_{i}\) having a different number of cluster members. Each secured cluster chooses a secret key \(sk_{i} \in Z_{q}^{*}\) and determines the corresponding public key \(pk_{i} = sk_{i} G\) and encryption key \(ek_{i}\), for \(i = 1, 2, \ldots , n\).

4.1 ECC-CRT Key Agreement

To establish the group key, each cluster chooses its secret key and computes its public key from it. Then, from the secret key and the public parameters, each node computes the encryption key \(\left( {ek} \right)\), which is sent to the CA. The CA then extracts the \(ek\) of each cluster and constructs a polynomial function by interpolation. The detailed execution of the proposed ECC-CRT based key agreement scheme is given below.

Step 1:

Each cluster \(C_{i}\) generates its secret information \(s_{i}\) by the following steps.

  a. \(C_{i}\) chooses a random number \(a_{i} \in Z_{q}^{*}\) to compute the public parameter \(A_{i} = a_{i} G\).

  b. \(C_{i}\) computes the key for encryption, i.e.,

    $$ek_{i} = H_{1} \left( {sk_{i} ,A_{i} } \right)$$
    (2)

  c. \(C_{i}\) computes the secret value \(s_{i}\) as

    $$s_{i} = ek_{i} \left( {H_{2} \left( {a_{i} pk_{CA} } \right)} \right) \bmod q$$
    (3)

    and sends it to the CA through a secured channel.

Step 2:

On receiving the \(s_{i}\) values from each cluster \(C_{i}\), \(i = 1,2, \ldots ,n\), the CA extracts the encryption key \(ek_{i}\) using its secret key \(sk_{CA}\) as:

$$ek_{i} = s_{i} \left( {H_{2} \left( {sk_{CA} A_{i} } \right)^{ - 1} } \right) \bmod q$$
(4)
Step 3:

The CA computes a decryption key \(dk_{i}\) for each cluster in order to derive the encryption key of its members \(C_{m}\), where \(C_{m} \subset C_{i}\). The \(dk\) value is calculated as:

$$dk_{i \mapsto m} = H_{1} \left( {ek_{i} pk_{m} } \right)$$
(5)
Step 4:

The CA constructs a polynomial function \(f_{x}^{m}\) by interpolating points for each cluster, to determine the public information. The polynomial is constructed from the points:

$$f_{x}^{m} \Rightarrow \left( {dk_{i \mapsto m} ,\; Encrypt_{{H_{1} \left( {ek_{i} A_{m} } \right)}} \left( {ek_{m} } \right)} \right)$$
(6)
Step 5:

Each \(C_{i}\) computes its share key as

$$k_{{s_{i} }} = \mathop \sum \limits_{i = 1}^{n} f_{x}^{m} \left( {I_{i} } \right)G$$
(7)

where \(f_{x}^{m} \left( {I_{i} } \right)\) is the encrypted subshare with \(I_{i} = H_{1} \left( {id_{i} } \right)\). To send each \(C_{i}\)'s key information to all the remaining members within each cluster, we use CRT computations.

Step 6:

\(C_{i}\) computes the LCM (Least Common Multiple) \(L_{i}\) of all the ECC share keys \(k_{{s_{i} }}\) received from the member nodes.

Step 7:

\(C_{i}\) randomly selects \(r_{i}\) as its share for group key establishment, such that \(r_{i} < k_{{s_{i,j} }} L_{i}\), where \(j = \{ 1, \ldots ,i - 1,i + 1, \ldots ,n\}\).

Step 8:

To solve the CRT, \(C_{i}\) generates random numbers \(N\) and \(N^{\prime}\) such that \(\gcd \left( {N^{\prime},L_{i} } \right) = 1\) and \(N \ne r_{i}\).

Step 9:

On solving the CRT system

$$\begin{aligned} X_{i} &\equiv r_{i} \pmod{L_{i}} \\ X_{i} &\equiv N \pmod{N^{\prime}} \end{aligned}$$
(8)

\(C_{i}\) broadcasts \(X_{i}\) to the cluster, so that each member node receives the CRT values of all the other members within the cluster.

Step 10:

On receiving all the \(X_{i}\) values of the members in the cluster, each member calculates

$$r_{j} = X_{j} \bmod k_{{s_{i,j} }}$$
(9)
Step 11:

The group key is computed by performing XOR operation as

$$K_{g} = r_{1} \oplus r_{2} \oplus \cdots \oplus r_{n}$$
(10)

4.2 Dynamic Rekeying with ECC

This section describes the solution for rekeying problem when a member is added to or evicted from a cluster.

4.2.1 Member Joining Operation

Consider a member \(C_{j}\) being added to an existing cluster \(C_{i}\). The newly added member computes \(ek_{j}\) to generate the secret value \(s_{j}\). The \(s_{j}\) value is then sent to the CA, where the public information gets updated. The operation is as follows:

Step 1:

\(C_{j}\) computes

$$s_{j} = ek_{j} \left( {H_{2} \left( {a_{j} pk_{CA} } \right)} \right) \bmod q$$
(11)
$$ek_{j} = s_{j} \left( {H_{2} \left( {sk_{CA} A_{j} } \right)^{ - 1} } \right) \bmod q$$
(12)

with randomly chosen number \(a_{j}\) and public data \(A_{j} = a_{j} G\)

Step 2:

The CA executes Steps 2, 3 and 4 of Sect. 4.1 and generates the public polynomial function \(f_{x}^{j}\).

Step 3:

\(C_{j}\) computes its CRT value \(X_{j}\) with randomly selected \(r_{j}\) and broadcasts \(X_{j}\) along with the public information

Step 4:

To compute the new group key, the hash of the existing key is XORed with \(r_{j}\)

$$K_{g} \left( {new} \right) = h\left( {K_{g} } \right) \oplus r_{j}$$
(13)

To attain backward security, we assume that the secret key update for all the members of cluster \(C_{i}\) is performed before implementing the above steps.

4.2.2 Member Eviction Operation

Let \(C_{j}\) be a member evicted from an existing cluster \(C_{i}\). The CA deletes all the information related to \(C_{j}\) and updates the revocation information to the cluster. The eviction operation can be explained with the steps given below.

Step 1:

CA discards the public and the secret parameters of \(C_{j}\) and reconstructs a new \(f_{x}^{j}\).

Step 2:

\(C_{i}\) computes the LCM and CRT calculations as in the previous section.

Step 3:

\(C_{i}\) distributes the new \(X_{i}\) value to the members and generates the new group key by XORing the new \(r_{i}\) value as

$$K_{g} \left( {new} \right) = K_{g} \oplus r_{i}$$
(14)

We assume the secret key update for all the cluster members of \(C_{i}\) to be performed before implementing the above eviction steps, in order to achieve perfect forward security.
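Steps 6 to 11 of Sect. 4.1 (LCM, CRT broadcast, share recovery and the XOR group key of eq. (10)) together with the join and evict rekeying of eqs. (13) and (14), as an added worked example that is not the paper's code. It assumes the pairwise ECC share keys \(k_{s_{i,j}}\) produced by Steps 1 to 5 are stood in for by constructed random integers, that \(h\) is SHA-256 truncated to 64 bits, and that each \(r_i\) is drawn below every \(k_{s_{i,j}}\) its holder has, which is the condition under which \(X_i \bmod k_{s_{i,j}}\) returns \(r_i\) exactly at Step 10.

```python
"""Steps 6-11 of the ECC-CRT key agreement (Sect. 4.1) plus the join (eq. 13)
and evict (eq. 14) rekeying of Sect. 4.2. Added worked example, not the
paper's code. Assumptions: pairwise share keys k_{s_{i,j}} are constructed
random integers, h() is SHA-256 truncated to KEY_BITS, and r_i is drawn below
every k_{s_{i,j}} of its holder so that X_i mod k_{s_{i,j}} recovers r_i."""
import hashlib
import math
import secrets
from functools import reduce

KEY_BITS = 64  # assumed width of the XOR group key and of N'


def lcm_all(values):
    """Step 6: L_i, the least common multiple of all share keys a member holds."""
    return reduce(lambda a, b: a * b // math.gcd(a, b), values)


def crt_two(r, L, N, Np):
    """Steps 8-9: smallest X with X = r (mod L) and X = N (mod N'); needs gcd(L, N') = 1."""
    if math.gcd(L, Np) != 1:
        raise ValueError("N' must be coprime with L_i")
    t = ((N - r) * pow(L, -1, Np)) % Np  # choose t so that r + L*t = N (mod N')
    return r + L * t


def h(key):
    """h(K_g) of eq. (13): SHA-256 of the key, truncated to KEY_BITS (assumed)."""
    digest = hashlib.sha256(key.to_bytes(KEY_BITS // 8, "big")).digest()
    return int.from_bytes(digest[: KEY_BITS // 8], "big")


class Member:
    """Cluster member C_i holding one share key k_{s_{i,j}} per other member j."""

    def __init__(self, name, pairwise):
        self.name = name
        self.pairwise = dict(pairwise)  # j -> k_{s_{i,j}}
        self.r = None                   # own contribution r_i (Step 7)

    def crt_value(self):
        """Steps 6-9: choose r_i, N, N' and return the value X_i to broadcast."""
        L = lcm_all(self.pairwise.values())
        # Step 7: r_i below every k_{s_{i,j}}, so that X_i mod k_{s_{i,j}} == r_i for all j
        self.r = secrets.randbelow(min(self.pairwise.values()))
        while True:  # Step 8: odd N' of full width, coprime with L_i
            Np = secrets.randbits(KEY_BITS) | (1 << (KEY_BITS - 1)) | 1
            if math.gcd(Np, L) == 1:
                break
        N = (self.r + 1 + secrets.randbelow(Np - 1)) % Np  # any residue except r_i
        return crt_two(self.r, L, N, Np)

    def recover(self, sender, X):
        """Step 10: r_j = X_j mod k_{s_{i,j}}; only holders of that share key can do this."""
        return X % self.pairwise[sender]


def establish_group_key(members):
    """Steps 6-11 for a whole cluster; returns every member's view of K_g (eq. 10)."""
    broadcast = {m.name: m.crt_value() for m in members}
    views = {}
    for m in members:
        shares = [m.r] + [m.recover(s, X) for s, X in broadcast.items() if s != m.name]
        views[m.name] = reduce(lambda a, b: a ^ b, shares)
    return views


def join_rekey(old_key, r_new):
    """Eq. (13): K_g(new) = h(K_g) xor r_j; the joiner is given h(K_g), never K_g itself."""
    return h(old_key) ^ r_new


def evict_rekey(old_key, r_new):
    """Eq. (14): K_g(new) = K_g xor r_i, where r_i is a fresh share broadcast under an L_i
    that no longer includes the evicted member's share key, so it cannot recover r_i."""
    return old_key ^ r_new


def constructed_cluster(names, bits=40):
    """Constructed demo input: one symmetric random share key per pair of members."""
    keys = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            keys[(a, b)] = keys[(b, a)] = secrets.randbits(bits) | (1 << (bits - 1))
    return [Member(n, {o: keys[(n, o)] for o in names if o != n}) for n in names]


if __name__ == "__main__":
    cluster = constructed_cluster(["C1", "C2", "C3", "C4"])
    views = establish_group_key(cluster)
    print("all members derive the same K_g:", len(set(views.values())) == 1)
```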

4.3 Secret Key Update

Periodic key updating is required in a PKI MANET system to resist cryptanalysis. In the ECC-CRT scheme, all the private keys of the cluster heads remain unchanged throughout the lifetime of the network, whereas the share keys \(k_{{s_{i} }}\) are refreshed at predefined regular intervals (\(t\)) using the secret key updating scheme. Alternatively, they may be updated at key revocation time, when the number of CHs deleted has reached a specific updating threshold (\(\delta\)). The updating scheme works by replacing the generator \(G\) with the generator \(G_{y}\) of \(k_{{s_{i} }}\), as

$$k_{{s_{i} }}^{\prime} = \mathop \sum \limits_{i = 1}^{n} f_{x}^{m} (I_{i} ) G_{y}$$
(15)

with (\(1 \le y \le p)\) and \(p\) is the maximum value of update index.

5 Performance Analysis and Simulation Results

In this section, we evaluate the performance of the proposed schemes in terms of reliability of certificate assignment scheme, effectiveness of ECC-CRT GKA and security analysis.

5.1 Reliability of Certificate Assignment Scheme

5.1.1 Simulation Environment

The PKI MANET simulation model is set up in the QualNet 4.5 environment. The nodes are programmed to follow the Random Way Point (RWP) mobility model, by which the direction and speed of each node in a cluster can be varied independently and randomly. When the simulation starts, each node chooses a random location within the simulation field and moves with a velocity in the range (\(0,V_{max}\)). We consider a pause time (\(T_{p}\)) to recognize the state of a node; for example, \(T_{p} = 0\) shows continuous mobility of nodes, whereas \(T_{p} = 1\) represents a node that has reached its steady position within the destination cluster. We analyze the performance of the proposed certificate assignment by varying the two parameters \(V_{max}\) and \(T_{p}\) to alter the topology: if \(V_{max}\) is low and \(T_{p}\) is high, a stable topology is obtained, while a highly dynamic topology is obtained if \(V_{max}\) is high and \(T_{p}\) is low.

The reliability of the proposed CCA scheme is evaluated by three factors, namely revocation time, revocation rate and communication cost, as shown in Figs. 3, 4 and 5. Revocation time is an important factor for measuring the performance of a certificate management strategy. It is defined as the time an attacker has to launch an attack before its certificate is revoked. Figure 3 shows the advantage of the cluster based mechanism in terms of revocation time compared to the voting scheme [19] and the CCRVC scheme [18]: the revocation time is reduced by a large amount when certificate assignment is performed cluster by cluster. To analyse the impact of attacker nodes on revocation, we deploy 100 nodes in the network, with the proportion of attacker nodes ranging up to 50%. Figure 3 shows the change in revocation time with an increasing number of attacker nodes for the proposed CCA scheme and the existing schemes. It is clear that the voting scheme requires a longer time for revocation than the other two schemes. On the other hand, the proposed scheme maintains a beneficial and steady revocation time even with a higher percentage of attackers. Figure 4 shows the rate of revocation for different numbers of attackers. Revocation rate is defined as the rate at which attackers are revoked before launching their attacks. It is noted that the rate of revocation improves with an increasing number of attackers for the proposed CCA scheme. Even though the rate drops a little for some attacker percentages, it gradually increases for larger numbers of attackers.

Fig. 3 Revocation time

Fig. 4 Rate of revocation

Fig. 5 Communication cost

The main factors that add to the cost of communication during message exchange between the CA and the nodes within a cluster region are the certificate request (\(Req_{c}\)), certificate assignment (\(Assign_{c}\)) and certificate revocation (\(Revoke_{c}\)) costs, where the certificate assignment cost includes the verification cost (\(Verify_{c}\)), the certificate issuing cost (\(Issue_{c}\)) and the response duration (\(Res_{l}\)).

The communication cost can be calculated as

$$\begin{aligned} \text{Comm\,cost} &= Req_{c} + Assign_{c} + Revoke_{c} \\ Assign_{c} &= Verify_{c} \cdot Issue_{c} \cdot Res_{l} \end{aligned}$$
(16)

Figures 5 and 6 show the efficiency of our scheme in terms of communication cost, which is kept under control with our scheme. The proposed CCA scheme runs in an environment with 50 nodes moving in a random walk mobility pattern whose mobility changes with time. We assume an optimal value for the size of the hexagonal cluster, at which communication cost and infrastructural cost are kept minimal. In Fig. 6, the revocation cost of the different schemes is analysed by varying the average number of certificates revoked from 10 to 50. It can be noted that, when the cluster based scheme is used, \(Revoke_{c}\) is reduced and increases only linearly, whereas the flat PKI system has a larger slope.

Fig. 6 Cost of revocation

5.2 Effectiveness of ECC-CRT GKA

This section compares the effectiveness of the proposed scheme with three other popular GKA schemes, ID-AGKA [35], CRTDH [25] and CRTDH [34], in terms of communication rounds, mobility awareness, time complexity, communication complexity, bandwidth and scalar multiplications, as in Table 1.

Table 1 Comparison of GKA schemes

  • Round: The total number of communication rounds.
  • Mobility awareness: The capability to adapt well to dynamic changes in node position within a cluster as well as between clusters.
  • Time complexity: The amount of time taken by the scheme to run to completion, commonly expressed in Big O notation. The time complexity of ECC-CRT GKA mainly consists of two operations: computing ECC and solving the CRT.
  • Communication complexity: Quantifies the communication bits required for all computational steps, or the memory size used to perform certain tasks.
  • Bandwidth: Total number of messages exchanged by cluster heads.
  • Scalar multiplication: Total number of scalar multiplications in \(G\).

We assume a system prime \(q\) and \(n\) clusters. The proposed scheme has the advantage of completing in two rounds with a highly mobility-adaptive capability. Additionally, the time complexity is improved to \(O\left( n \log q \right)\), which shows faster and more efficient computation compared to the existing schemes. The communication complexity of the proposed scheme, as well as that of CRTDH, is \(\left( n - 1 \right)\left( \log q \right)\) bits, so both have the same communication cost.

Another performance advantage of our scheme is its computation cost. The fundamental operation of our scheme is ECC, which operates on points over an elliptic curve rather than modular exponentiations and needs a key length of only 160 (224) bits to ensure security. This significantly shorter key length makes the ECC-CRT scheme well suited to a resource constrained network such as a MANET.

Table 2 shows the key update completion time for various cluster sizes and mobility rates. The update time includes the packet exchange time and the cryptographic procedure time. Table 3 compares the average traffic sent by the nodes in a cluster. From the table, it can be noted that the overhead at different mobility rates is almost the same, which makes both schemes adaptive to mobility. However, the CRTDH scheme needs a larger overhead than our scheme.

Table 2 Average completion time of key update (Sec)
Table 3 Comparison of overhead (number of bytes) for different mobility rate

5.3 Security Analysis

In this section, we analyze certain security properties of the proposed certificate and key assignment schemes, as follows:

  1. Security against forging attack: In order to forge information, an attacker would have to gather the details of successive interactions and the location information of nodes. Also, the messages signed by the CA cannot easily be forged, which makes the proposed CCA scheme resistant to forging attacks.

  2. Security against certificate collusion attack: In our scheme, a node requests a new set of certificates in advance, whenever its current certificate is about to expire. This ensures that a revoked node cannot fetch the entire revocation certificate to revoke other nodes. Therefore the proposed CCA scheme is robust against collusion attacks.

  3. Security against revocation denial attack: The proposed scheme conducts the verification phase each time, by which the CA detects and discards erroneous processes. In addition, the CA excludes duplicate copies of revocation information from the multiple copies identified. Hence the CCA scheme is robust against revocation denial attacks.

  4. Forward and backward security: Forward security prevents an evicted node (a user who has left a secure cluster) from accessing the present and future secure keys, whereas backward security prevents a newly added node from accessing the previous secure keys. Our ECC-CRT scheme supports these main properties through the member joining and eviction operations explained in Sect. 4.2.

  5. Resilience against key compromise impersonation: If the private key of a node is compromised, an attacker can impersonate that node alone; the other members cannot be impersonated by the attacker.

  6. Key control: Since all nodes participate in determining the group key, no single party controls it. Therefore, no single party can steer the group key to some predefined value.

  7. Security on key share: ECC-CRT GKA prevents an attacker from obtaining and sharing a node's keys without its knowledge, unless the secret key itself is disclosed.

  8. Security against key collusion: The proposed scheme performs a secret key update after evicting a cluster node, to achieve forward secrecy. Hence the evicted nodes cannot collude to acquire any information about the cluster. This gives the proposed scheme collusion resistance.

  9. Security against compromising attack: When an adversarial cluster member attempts to derive the encryption key of the CH, it would have to reverse the hash function, which is a one-way function. Therefore, the members cannot derive an encryption key of higher order.

  10. Cluster confidentiality: In the ECC-CRT scheme, all information for a cluster is encrypted by its secret key, using a one-way hash function. Except for the cluster members and the CH, it is hard for others to reverse the hash function, and thus cluster confidentiality is achieved.

6 Conclusion

In this paper, we have proposed two schemes for use in ad hoc networks: a cluster based certificate assignment strategy and a contributory key agreement scheme, ECC-CRT, with the aim of reducing the complexity of managing the PKI system. For most of the existing schemes within this framework of cluster based certificates, key agreement and dynamic rekeying, it was shown that there are significant increases in computational and communication complexity as well as in the number of rounds. Hence, to achieve a trade-off between these factors, optimal schemes were presented in this paper. The proposed design is scalable and can be applied to various cluster shapes. Finally, a simulation analysis highlighting the benefits of the proposed strategies was presented. Moreover, our scheme achieves certain security requirements for certificate and key management and is secure against the potential attacks in the PKI MANET environment. In the future, we plan to develop analytic models as proofs of the security and mobility adaptive properties while implementing the proposed schemes.