
Decentralized Disruption-Tolerant Military Networks for Secure Data Retrieval

ABSTRACT

In many military network scenarios, connections of wireless devices carried by soldiers
may be temporarily disconnected by jamming, environmental factors, and mobility, especially
when they operate in hostile environments. Sensor networks are increasingly being used in the
development and application of military surveillance systems. Energy efficiency, coverage, and
connectivity are the three major quality-of-service requirements of such mission-critical
applications. Energy-efficient communication is required to prolong the network lifetime. Better
coverage is required to detect physical intrusion attempts of all kinds. Similarly, connectivity
is necessary to deliver mission-critical messages to the base station in a timely manner. Finding a
node schedule that satisfies the energy-efficiency, coverage, and connectivity requirements
simultaneously is an NP-complete problem. In this paper, we propose an attribute-based secure data
retrieval scheme using CP-ABE for decentralized DTNs. The proposed scheme features the following
achievements. First, immediate attribute revocation enhances backward/forward secrecy of
confidential data by reducing the windows of vulnerability. Second, encryptors can define a
fine-grained access policy using any monotone access structure under attributes issued from any
chosen set of authorities. Third, the key escrow problem is resolved by an escrow-free key issuing
protocol that exploits the characteristics of the decentralized DTN architecture. This paper also
proposes an energy-efficient node scheduling algorithm called EC2 that addresses the problems of
energy efficiency, coverage, and connectivity in military surveillance applications using fuzzy
graphs.
CHAPTER 1

INTRODUCTION

1.1 INTRODUCTION TO DELAY-TOLERANT NETWORKING

Overview

Delay and Disruption Tolerant Networks (DTNs) are networks that aim to bring
low-cost best-effort connectivity to challenged environments with no or limited
infrastructures. Nodes in DTNs are often highly mobile and experience intermittent
connectivity. DTNs can be deployed in developing countries and are poised to play a key
part in future space networks.

Fig.1. Example DTN Scenario: Rural Area Connectivity over Transportation Infrastructures

The key differences between DTNs and other networks, e.g., sensor networks, are:

1. No End To End Path:


Node mobility creates partitions in the network. We cannot assume that there is a
complete end to end path between a source and destination. If a path does exist it
is assumed to be unstable. Instead, an end to end path exists over time, as nodes
move and forward messages to each other.

2. High Message Delays:

The opportunistic nature of DTNs means that messages which are delivered often
experience high delays. Delays are typically on the order of minutes or hours,
but could potentially be days depending on the exact scenario.

DTN Network Model Evolution

In setting out to implement the DTN architecture, we first had to resolve some
fundamental questions in the architecture itself, and in the process, further its design and
specification. One of the more unusual aspects of the operating environments envisioned
for the DTN architecture is that the ability to communicate may come and go and that
sometimes the periods of connectivity may be known (or predicted) in advance. In
addition, communication may involve routing messages over one or more media,
possibly simultaneously. Although this degree of flexibility is important to an overall
network model that is expected to operate in difficult environments subject to disruption,
it presents significant implementation challenges. The challenges stem largely from the
fact that the DTN network model is not simply a graph, as in most present networking
systems, but instead is a time varying multigraph. There is at present little shared
experience in implementing networking systems involving graphs of this kind.

Message Confidentiality

High node mobility and infrequent connectivity inherent to DTNs make it


challenging to implement simple and traditional security services, e.g., message integrity
and confidentiality. In particular, it is hard to retrieve credentials of peer users/nodes.
Also, multi-round security protocols (typically found in handshakes at network and
session layers) are greatly handicapped due to long and uneven delays.

This project focuses on the problem of initial secure context establishment in


DTNs. We observe that users can take advantage of social information to send secure and
confidential messages.

The basic idea is for the source and destination users to use common affiliations,
whose public key they know or with which they share an existing secret, as intermediaries
to securely route messages.

We investigate schemes that enable secure routing for both intra and inter-region
routing. We give an informal security analysis and show, by simulation, the probability of
message interception by colluding nodes in the honest-but-curious adversarial model.

Delay-tolerant networking (DTN) is an approach to computer network architecture


that seeks to address the technical issues in heterogeneous networks that may lack
continuous network connectivity. Examples of such networks are those operating in
mobile or extreme terrestrial environments, or planned networks in space. Recently, the
term disruption-tolerant networking has gained currency in the United States due to
support from DARPA, which has funded many DTN projects. Disruption may occur
because of the limits of wireless radio range, sparsity of mobile nodes, energy resources,
attack, and noise.

In the 1970s, spurred by the decreasing size of computers, researchers began


developing technology for routing between non-fixed locations of computers. While the
field of ad hoc routing was inactive throughout the 1980s, the widespread use of wireless
protocols reinvigorated the field in the 1990s as mobile ad hoc networking (MANET) and
vehicular ad hoc networking became areas of increasing interest.
Concurrently with (but separate from) the MANET activities, DARPA had funded
NASA, MITRE and others to develop a proposal for the Interplanetary Internet (IPN).
Internet pioneer Vint Cerf and others developed the initial IPN architecture, relating to
the necessity of networking technologies that can cope with the significant delays and
packet corruption of deep-space communications. In 2002, Kevin Fall started to adapt
some of the ideas in the IPN design to terrestrial networks and coined the term delay-
tolerant networking and the DTN acronym. A paper published at the 2003 SIGCOMM
conference gives the motivation for DTNs. The mid-2000s brought about increased
interest in DTNs, including a growing number of academic conferences on delay and
disruption-tolerant networking, and growing interest in combining work from sensor
networks and MANETs with the work on DTN. This field saw many optimizations on
classic ad hoc and delay-tolerant networking algorithms and began to examine factors
such as security, reliability, verifiability, and other areas of research that are well
understood in traditional computer networking.

Routing

The ability to transport, or route, data from a source to a destination is a


fundamental ability all communication networks must have. Delay and disruption-
tolerant networks (DTNs), are characterized by their lack of connectivity, resulting in a
lack of instantaneous end-to-end paths. In these challenging environments, popular ad
hoc routing protocols such as AODV and DSR fail to establish routes. This is due to these
protocols trying to first establish a complete route and then, after the route has been
established, forward the actual data. However, when instantaneous end-to-end paths are
difficult or impossible to establish, routing protocols must take a "store and forward"
approach, where data is incrementally moved and stored throughout the network in hopes
that it will eventually reach its destination. A common technique used to maximize the
probability of a message being successfully transferred is to replicate many copies of the
message in the hope that one will succeed in reaching its destination.[7] This is feasible
only on networks with large amounts of local storage and internode bandwidth relative to
the expected traffic. In many common problem spaces, this inefficiency is outweighed by
the increased efficiency and shortened delivery times made possible by taking maximum
advantage of available unscheduled forwarding opportunities. In others, where available
storage and internode throughput opportunities are more tightly constrained, a more
discriminate algorithm is required.

Bundle protocols

In efforts to provide a shared framework for algorithm and application


development in DTNs, RFC 4838 and RFC 5050 were published in 2007 to define a
common abstraction to software running on disrupted networks. Commonly known as the
Bundle Protocol, this protocol defines a series of contiguous data blocks as a bundle—
where each bundle contains enough semantic information to allow the application to
make progress where an individual block may not. Bundles are routed in a store and
forward manner between participating nodes over varied network transport technologies
(including both IP and non-IP based transports). The transport layers carrying the bundles
across their local networks are called bundle convergence layers. The bundle architecture
therefore operates as an overlay network, providing a new naming architecture based on
Endpoint Identifiers (EIDs) and coarse-grained class of service offerings.

Protocols using bundling must leverage application-level preferences for sending


bundles across a network. Due to the store and forward nature of delay-tolerant protocols,
routing solutions for delay-tolerant networks can benefit from exposure to application-
layer information. For example, network scheduling can be influenced if application data
must be received in its entirety, quickly, or without variation in packet delay. Bundle
protocols collect application data into bundles that can be sent across heterogeneous
network configurations with high-level service guarantees. The service guarantees are
generally set by the application level, and the RFC 5050 Bundle Protocol specification
includes "bulk", "normal", and "expedited" markings.

Security
Addressing security issues has been a major focus of the bundle protocol.

Security concerns for delay-tolerant networks vary depending on the environment


and application, though authentication and privacy are often critical. These security
guarantees are difficult to establish in a network without persistent connectivity because
the network hinders complicated cryptographic protocols, hinders key exchange, and
each device must identify other intermittently visible devices.[8][9] Solutions have
typically been modified from mobile ad hoc network and distributed security research,
such as the use of distributed certificate authorities[10] and PKI schemes. Original
solutions from the delay-tolerant research community include: 1) the use of identity-
based encryption, which allows nodes to receive information encrypted with their public
identifier; and 2) the use of tamper-evident tables with a gossiping protocol.

A delay-tolerant network is a network designed to operate effectively over extreme


distances such as those encountered in space communications or on an interplanetary
scale. In such an environment, long latency, sometimes measured in hours or days, is
inevitable. However, similar problems can also occur over more modest distances when
interference is extreme or network resources are severely overburdened.

Delay-tolerant networking involves some of the same technologies as are used in a


disruption-tolerant network but there are important distinctions. A delay-tolerant network
requires hardware that can store large amounts of data. Such media must be able to
survive extended power loss and system restarts. It must also be immediately accessible
at any time. Ideal technologies for this purpose include hard drives and high-volume flash
memory. The data stored on these media must be organized and prioritized by software
that ensures accurate and reliable store-and-forward functionality.

In a delay-tolerant network, traffic can be classified in three ways, called


expedited, normal and bulk in order of decreasing priority. Expedited packets are always
transmitted, reassembled and verified before data of any other class from a given source
to a given destination. Normal traffic is sent after all expedited packets have been
successfully assembled at their intended destination. Bulk traffic is not dealt with until all
packets of other classes from the same source and bound for the same destination have
been successfully transmitted and reassembled.
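The class-of-service rule described above, as an added example that is not part of the original report or of any DTN implementation: a minimal store-and-forward bundle queue that drains in RFC 5050 class order (expedited, normal, bulk), FIFO within a class, drops bundles whose lifetime has elapsed, and keeps everything else stored until the next contact. The field names, the byte-budget contact model and the sample bundles are assumptions made for this illustration.

```python
import heapq

# Added example, not from the page: a per-node outbound bundle store that forwards
# in RFC 5050 class-of-service order. Field names, the byte-budget contact model
# and the sample bundles at the bottom are constructed for this illustration.

PRIORITY = {"expedited": 0, "normal": 1, "bulk": 2}


class Bundle:
    def __init__(self, src, dst, cos, payload, created, lifetime):
        if cos not in PRIORITY:
            raise ValueError(f"unknown class of service: {cos}")
        self.src, self.dst, self.cos = src, dst, cos
        self.payload, self.created, self.lifetime = payload, created, lifetime

    def expired(self, now):
        return now >= self.created + self.lifetime


class BundleStore:
    """Outbound store of one DTN node: nothing leaves until a contact appears."""

    def __init__(self):
        self._heap = []
        self._seq = 0   # FIFO tie-break within a class

    def store(self, bundle):
        heapq.heappush(self._heap, (PRIORITY[bundle.cos], self._seq, bundle))
        self._seq += 1

    def pending(self):
        return len(self._heap)

    def forward(self, now, budget_bytes):
        """A contact with the next hop lasts long enough to move budget_bytes.
        Returns (sent, dropped): sent is in strict class order, expired bundles
        are dropped. A bundle that does not fit stays stored and nothing behind it
        is sent ahead of it, so a large expedited bundle is never starved by small
        bulk ones."""
        sent, dropped = [], []
        while self._heap:
            _prio, _seq, b = self._heap[0]
            if b.expired(now):
                heapq.heappop(self._heap)
                dropped.append(b)
                continue
            if len(b.payload) > budget_bytes:
                break
            heapq.heappop(self._heap)
            budget_bytes -= len(b.payload)
            sent.append(b)
        return sent, dropped


if __name__ == "__main__":
    store = BundleStore()
    store.store(Bundle("s1", "base", "bulk", b"B" * 40, created=0, lifetime=100))
    store.store(Bundle("s1", "base", "normal", b"N" * 20, created=1, lifetime=100))
    store.store(Bundle("s1", "base", "expedited", b"E" * 10, created=2, lifetime=5))
    store.store(Bundle("s1", "base", "expedited", b"E" * 10, created=3, lifetime=100))
    sent, dropped = store.forward(now=10, budget_bytes=30)
    print([b.cos for b in sent], [b.cos for b in dropped], store.pending())
    # ['expedited', 'normal'] ['expedited'] 1
```

The strict-order rule is deliberate: serving a small bulk bundle "because it fits" would let low-priority traffic consume contact time that the expedited class is entitled to.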

Cryptographic hash function

A cryptographic hash function is a hash function which is considered practically


impossible to invert, that is, to recreate the input data from its hash value alone. These
one-way hash functions have been called "the workhorses of modern cryptography". The
input data is often called the message, and the hash value is often called the message
digest or simply the digest.

The ideal cryptographic hash function has four main properties:

• it is easy to compute the hash value for any given message
• it is infeasible to generate a message that has a given hash (pre-image resistance)
• it is infeasible to modify a message without changing the hash (second pre-image resistance)
• it is infeasible to find two different messages with the same hash (collision resistance).

Cryptographic hash functions have many information security applications,


notably in digital signatures, message authentication codes (MACs), and other forms of
authentication. They can also be used as ordinary hash functions, to index data in hash
tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as
checksums to detect accidental data corruption. Indeed, in information security contexts,
cryptographic hash values are sometimes called (digital) fingerprints, checksums, or just
hash values, even though all these terms stand for more general functions with rather
different properties and purposes.

Properties
Most cryptographic hash functions are designed to take a string of any length as
input and produce a fixed-length hash value.

A cryptographic hash function must be able to withstand all known types of
cryptanalytic attack. At a minimum, it must have the pre-image, second pre-image and
collision resistance properties listed above.

These properties imply that a malicious adversary cannot replace or modify the
input data without changing its digest. Thus, if two strings have the same digest, one can
be very confident that they are identical.

Ideally, one may wish for even stronger conditions. It should be impossible for an
adversary to find two messages with substantially similar digests; or to infer any useful
information about the data, given only its digest. Therefore, a cryptographic hash
function should behave as much as possible like a random function while still being
deterministic and efficiently computable.

Checksum algorithms, such as CRC32 and other cyclic redundancy checks, are
designed to meet much weaker requirements, and are generally unsuitable as
cryptographic hash functions. For example, a CRC was used for message integrity in the
WEP encryption standard, but an attack was readily discovered which exploited the
linearity of the checksum.

Degree of difficulty

In cryptographic practice, “difficult” generally means “almost certainly beyond the


reach of any adversary who must be prevented from breaking the system for as long as
the security of the system is deemed important”. The meaning of the term is therefore
somewhat dependent on the application, since the effort that a malicious agent may put
into the task is usually proportional to his expected gain. However, since the needed
effort usually grows very quickly with the digest length, even a thousand-fold advantage
in processing power can be neutralized by adding a few dozen bits to the latter.
In some theoretical analyses “difficult” has a specific mathematical meaning, such
as "not solvable in asymptotic polynomial time". Such interpretations of difficulty are
important in the study of provably secure cryptographic hash functions but do not usually
have a strong connection to practical security. For example, an exponential time
algorithm can sometimes still be fast enough to make a feasible attack. Conversely, a
polynomial time algorithm (e.g., one that requires n^20 steps for n-digit keys) may be too
slow for any practical use.

Illustration

An illustration of the potential use of a cryptographic hash is as follows: Alice


poses a tough math problem to Bob and claims she has solved it. Bob would like to try it
himself, but would yet like to be sure that Alice is not bluffing. Therefore, Alice writes
down her solution, computes its hash and tells Bob the hash value (whilst keeping the
solution secret). Then, when Bob comes up with the solution himself a few days later,
Alice can prove that she had the solution earlier by revealing it and having Bob hash it
and check that it matches the hash value given to him before. (This is an example of a
simple commitment scheme; in actual practice, Alice and Bob will often be computer
programs, and the secret would be something less easily spoofed than a claimed puzzle
solution).
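The Alice and Bob story above, as an added example that is not part of the original text: a hash commitment with a fresh random opening value, and beside it the weak variant without one, to show what "something less easily spoofed than a claimed puzzle solution" protects against. The sample solution and the candidate space are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Added example, not from the page: a hash commitment as in the Alice/Bob story.
# Alice publishes c = H(r || solution) with a fresh random r and later opens it by
# revealing (r, solution). Without r, a bare H(solution) is guessable whenever the
# solution space is small. Sample values below are constructed.

NONCE_LEN = 32  # fixed length, so r || solution parses unambiguously


def commit(solution):
    """Alice's side: returns (commitment, opening). The opening stays secret until reveal."""
    r = secrets.token_bytes(NONCE_LEN)
    return hashlib.sha256(r + solution).digest(), r


def verify_opening(commitment, r, solution):
    """Bob's side: recompute and compare in constant time. Binding: a second
    (r', solution') with the same digest would be a SHA-256 collision."""
    if len(r) != NONCE_LEN:
        return False
    return hmac.compare_digest(commitment, hashlib.sha256(r + solution).digest())


def bare_commit(solution):
    """The weak variant: c = H(solution) with no nonce."""
    return hashlib.sha256(solution).digest()


def guess_bare_commitment(commitment, candidates):
    """Anyone holding a bare commitment recovers the 'secret' by hashing each
    candidate: hiding fails without a high-entropy nonce."""
    for cand in candidates:
        if hashlib.sha256(cand).digest() == commitment:
            return cand
    return None


if __name__ == "__main__":
    answer = b"x = 42"                                   # constructed sample solution
    c, r = commit(answer)
    print(verify_opening(c, r, answer))                  # True
    print(verify_opening(c, r, b"x = 41"))               # False
    weak = bare_commit(answer)
    space = [f"x = {i}".encode() for i in range(1000)]
    print(guess_bare_commitment(weak, space))            # b'x = 42'
```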

Applications

Verifying the integrity of files or messages

An important application of secure hashes is verification of message integrity.


Determining whether any changes have been made to a message (or a file), for example,
can be accomplished by comparing message digests calculated before, and after,
transmission (or any other event).
For this reason, most digital signature algorithms only confirm the authenticity of
a hashed digest of the message to be "signed". Verifying the authenticity of a hashed
digest of the message is considered proof that the message itself is authentic.

MD5, SHA-1, or SHA-2 hashes are sometimes posted along with files on websites
or forums to allow verification of integrity.[3] This practice establishes a chain of trust only
so long as the hashes are obtained from a site authenticated by HTTPS (a hash served next to the
file from the same compromised host proves nothing) and only if the hash function is collision
resistant, which rules out MD5 and, since 2017, SHA-1.

Password verification

A related application is password verification (first invented by Roger Needham).


Storing all user passwords as cleartext can result in a massive security breach if the
password file is compromised. One way to reduce this danger is to only store the hash
digest of each password. To authenticate a user, the password presented by the user is
hashed and compared with the stored hash. (Note that this approach prevents the original
passwords from being retrieved if forgotten or lost, and they have to be replaced with
new ones.) The password is often concatenated with a random, non-secret salt value
before the hash function is applied. The salt is stored with the password hash. Because
users have different salts, it is not feasible to store tables of precomputed hash values for
common passwords. Key stretching functions, such as PBKDF2, Bcrypt or Scrypt,
typically use repeated invocations of a cryptographic hash to increase the time required to
perform brute force attacks on stored password digests.
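The salted, stretched scheme described above, as an added example that is not part of the original text: PBKDF2-HMAC-SHA256 through hashlib.pbkdf2_hmac with a per-user random salt, a self-describing record format, constant-time verification, and a check for records stored with an outdated work factor. The record layout, the function names and the iteration count are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the page: salted, stretched password storage with
# PBKDF2-HMAC-SHA256 and constant-time verification. ITERATIONS is an assumed
# work factor to be tuned per deployment; the record format is constructed here.

ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32


def _b64(b):
    return base64.b64encode(b).decode()


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Returns 'pbkdf2_sha256$<iterations>$<salt>$<hash>'. A fresh random salt per
    user means two users with the same password get different records, so no
    precomputed table over common passwords applies to the whole file."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=KEY_LEN)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password, record):
    """Recompute with the salt and iteration count stored in the record and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 int(iterations), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(dk, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record was stored with a lower work factor than current policy;
    rehash on the next successful login, the only moment the plaintext is available."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Correct horse battery staple", rec))   # False
    print(needs_rehash(rec))                                      # False
```

Storing the iteration count inside the record is what makes the work factor upgradable: old records keep verifying, and needs_rehash flags them for replacement.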

File or data identifier

A message digest can also serve as a means of reliably identifying a file; several
source code management systems, including Git, Mercurial and Monotone, use the
sha1sum of various types of content (file content, directory trees, ancestry information,
etc.) to uniquely identify them. Hashes are used to identify files on peer-to-peer
filesharing networks. For example, in an ed2k link, an MD4-variant hash is combined
with the file size, providing sufficient information for locating file sources, downloading
the file and verifying its contents. Magnet links are another example. Such file hashes are
often the top hash of a hash list or a hash tree which allows for additional benefits.

One of the main applications of a hash function is to allow fast look-up of data in a
hash table. Being hash functions of a particular kind, cryptographic hash functions lend
themselves to this application too.

However, compared with standard hash functions, cryptographic hash functions


tend to be much more expensive computationally. For this reason, they tend to be used in
contexts where it is necessary for users to protect themselves against the possibility of
forgery (the creation of data with the same digest as the expected data) by potentially
malicious participants.

Pseudorandom generation and key derivation

Hash functions can also be used in the generation of pseudorandom bits, or to


derive new keys or passwords from a single, secure key or password.

Hash functions based on block ciphers

There are several methods to use a block cipher to build a cryptographic hash
function, specifically a one-way compression function.

The methods resemble the block cipher modes of operation usually used for
encryption. All well-known hash functions, including MD4, MD5, SHA-1 and SHA-2 are
built from block-cipher-like components designed for the purpose, with feedback to
ensure that the resulting function is not invertible. SHA-3 finalists included functions
with block-cipher-like components (e.g., Skein, BLAKE) though the function finally
selected, Keccak, was built on a cryptographic sponge instead.

A standard block cipher such as AES can be used in place of these custom block
ciphers; that might be useful when an embedded system needs to implement both
encryption and hashing with minimal code size or hardware area. However, that approach
can have costs in efficiency and security. The ciphers in hash functions are built for
hashing: they use large keys and blocks, can efficiently change keys every block, and
have been designed and vetted for resistance to related-key attacks. General-purpose
ciphers tend to have different design goals. In particular, AES has key and block sizes
that make it nontrivial to use to generate long hash values; AES encryption becomes less
efficient when the key changes each block; and related-key attacks make it potentially
less secure for use in a hash function than for encryption.

Merkle–Damgård construction

A hash function must be able to process an arbitrary-length message into a fixed-


length output. This can be achieved by breaking the input up into a series of equal-sized
blocks, and operating on them in sequence using a one-way compression function. The
compression function can either be specially designed for hashing or be built from a
block cipher. A hash function built with the Merkle–Damgård construction is as resistant
to collisions as is its compression function; any collision for the full hash function can be
traced back to a collision in the compression function.

The last block processed should also be unambiguously length padded; this is
crucial to the security of this construction. This construction is called the Merkle–
Damgård construction. Most widely used hash functions, including SHA-1 and MD5,
take this form.

The construction has certain inherent flaws, including length-extension and
generate-and-paste attacks, and cannot be parallelized. Length extension means that anyone
who knows H(m) and the length of m can compute H(m || padding || m') without knowing m, which
is why H(key || message) is not a secure message authentication code. As a result, many
entrants in the NIST SHA-3 hash function competition (concluded in 2012 with the selection of
Keccak) were built on different, sometimes novel, constructions.

Use in building other cryptographic primitives


Hash functions can be used to build other cryptographic primitives. For these other
primitives to be cryptographically secure, care must be taken to build them correctly.
Message authentication codes (MACs) (also called keyed hash functions) are often built
from hash functions. HMAC is such a MAC. Just as block ciphers can be used to build
hash functions, hash functions can be used to build block ciphers. Luby-Rackoff
constructions using hash functions can be provably secure if the underlying hash function
is secure. Also, many hash functions (including SHA-1 and SHA-2) are built by using a
special-purpose block cipher in a Davies-Meyer or other construction. That cipher can
also be used in a conventional mode of operation, without the same security guarantees.
See SHACAL, BEAR and LION.

Pseudorandom number generators (PRNGs) can be built using hash functions.


This is done by combining a (secret) random seed with a counter and hashing it. Some
hash functions, such as Skein, Keccak, and RadioGatún output an arbitrarily long stream
and can be used as a stream cipher, and stream ciphers can also be built from fixed-length
digest hash functions. Often this is done by first building a cryptographically secure
pseudorandom number generator and then using its stream of random bytes as keystream.
SEAL is a stream cipher that uses SHA-1 to generate internal tables, which are then used
in a keystream generator more or less unrelated to the hash algorithm. SEAL is not
guaranteed to be as strong (or weak) as SHA-1. Similarly, the key expansion of the HC-
128 and HC-256 stream ciphers makes heavy use of the SHA256 hash function.
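The two constructions described above (key derivation from a single secret, and a counter-mode hash PRNG used as a stream cipher), as one added example that is not part of the original text: a keystream generator that hashes seed, nonce and a counter, a stream cipher built on it, subkey derivation through the same generator, and the failure mode a practitioner must design against, namely keystream reuse when the same (seed, nonce) encrypts two messages. HMAC-SHA256 is used as the pseudorandom function rather than a bare hash of seed || counter; function names and sample keys are assumptions for this illustration.

```python
import hashlib
import hmac
import struct

# Added example, not from the page: a counter-mode keystream from a keyed hash used
# as a stream cipher, plus subkey derivation from one master key. hash_keystream,
# derive_subkey and the sample keys are constructed for this illustration; HMAC-SHA256
# plays the role of the PRF.


def hash_keystream(seed, nonce, length):
    """block_i = HMAC(seed, nonce || i) for i = 0, 1, ...; concatenate and truncate.
    seed must be secret and random; (seed, nonce) must be unique per message."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(seed, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(seed, nonce, data):
    """Encryption and decryption are the same operation: XOR with the keystream."""
    ks = hash_keystream(seed, nonce, len(data))
    return bytes(x ^ k for x, k in zip(data, ks))


def derive_subkey(master, label, length=32):
    """Derive an independent subkey from one master key as HMAC(master, label || counter);
    distinct labels keep, for example, the encryption key and the MAC key unrelated."""
    return hash_keystream(master, label, length)


def nonce_reuse_leak(c1, c2):
    """With the same (seed, nonce), c1 XOR c2 == p1 XOR p2: the keystream cancels
    and the relationship between the plaintexts is exposed. Returns that XOR."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    master = b"M" * 32                                    # constructed sample master key
    k_enc = derive_subkey(master, b"enc")
    nonce = b"\x00" * 8
    p1, p2 = b"attack at dawn", b"attack at dusk"
    c1 = stream_xor(k_enc, nonce, p1)
    print(stream_xor(k_enc, nonce, c1) == p1)             # True: decrypts
    c2 = stream_xor(k_enc, nonce, p2)                     # same nonce reused: a mistake
    leak = nonce_reuse_leak(c1, c2)
    print(bytes(a ^ b for a, b in zip(leak, p1)) == p2)   # True: knowing p1 reveals p2
```

This is the generic "hash a secret seed with a counter" generator the paragraph describes; real stream ciphers such as SEAL and HC-128 are considerably faster per byte, which is why they exist, but the nonce-uniqueness requirement is the same for all of them.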

Concatenation of cryptographic hash functions

Concatenating outputs from multiple hash functions provides collision resistance


as good as the strongest of the algorithms included in the concatenated result. For
example, older versions of TLS/SSL use concatenated MD5 and SHA-1 sums—this
ensures that a method to find collisions in one of the functions doesn't allow forging
traffic protected with both functions.
For Merkle-Damgård hash functions, the concatenated function is as collision-
resistant as its strongest component,[5] but not more collision-resistant.[6] Joux[7] noted
that 2-collisions lead to n-collisions: if it is feasible to find two messages with the same
MD5 hash, it is effectively no more difficult to find as many messages as the attacker
desires with identical MD5 hashes. Among the n messages with the same MD5 hash,
there is likely to be a collision in SHA-1. The additional work needed to find the SHA-1
collision (beyond the exponential birthday search) is polynomial. This argument is
summarized by Finney. A more current paper and full proof of the security of such a
combined construction gives a clearer and more complete explanation of the above.[8]
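Joux's argument above, as an added example that is not part of the original text: a constructed 16-bit Merkle–Damgård hash stands in for MD5 and an independent 16-bit hash for SHA-1, so that the whole computation runs in well under a second. k successive block collisions (each a 2^8 birthday search) give 2^k messages with identical first digest, and an ordinary birthday search among them finds a second-digest collision, so the concatenation costs roughly k·2^8 + 2^k hash calls instead of the 2^16 its 32-bit output would suggest. Block size, digest size and the SHA-256-based toy compression function are assumptions for the illustration.

```python
import hashlib
from itertools import product

# Added example, not from the page: a constructed 16-bit Merkle-Damgard hash (toy_md)
# and an independent 16-bit hash (toy_h2) stand in for MD5 and SHA-1 to show Joux's
# multicollision and why toy_md || toy_h2 is no stronger than its stronger component.

BLOCK = 4   # bytes per message block (toy parameter)
OUT = 2     # 16-bit chaining value / digest (toy parameter)


def toy_compress(state, block):
    """Toy compression f(state, block) -> 16 bits (truncated SHA-256; its only job
    is to behave like a random function at this size)."""
    return hashlib.sha256(b"f1" + state + block).digest()[:OUT]


def toy_md(msg):
    """Toy Merkle-Damgard hash: iterate f over BLOCK-byte blocks, then a length block."""
    assert len(msg) % BLOCK == 0, "toy hash takes whole blocks only"
    state = bytes(OUT)
    for i in range(0, len(msg), BLOCK):
        state = toy_compress(state, msg[i:i + BLOCK])
    return toy_compress(state, len(msg).to_bytes(BLOCK, "big"))


def toy_h2(msg):
    """A second, unrelated 16-bit hash (different domain separator)."""
    return hashlib.sha256(b"f2" + msg).digest()[:OUT]


def block_collision(state):
    """Birthday search for b != b' with f(state, b) == f(state, b'),
    about 2^(8*OUT/2) = 2^8 compressions on average."""
    seen = {}
    for i in range(1 << (8 * BLOCK)):
        b = i.to_bytes(BLOCK, "big")
        out = toy_compress(state, b)
        if out in seen:
            return seen[out], b, out
        seen[out] = b
    raise RuntimeError("no collision found")


def joux_multicollision(k):
    """k chained block collisions: any choice of one block per pair hashes to the same value."""
    state = bytes(OUT)
    pairs = []
    for _ in range(k):
        b0, b1, state = block_collision(state)
        pairs.append((b0, b1))
    return pairs


def expand(pairs):
    """All 2^k messages built from the collision pairs (same length, so same padding)."""
    return [b"".join(choice) for choice in product(*pairs)]


def break_concatenation(k=12):
    """Collide toy_md || toy_h2 with about k*2^8 + 2^k hash calls instead of ~2^16.
    With k=12 the 4096 toy_md-colliding messages contain a toy_h2 collision with
    overwhelming probability (expected colliding pairs ~ 4096^2 / 2^17 = 128)."""
    seen = {}
    for m in expand(joux_multicollision(k)):
        d2 = toy_h2(m)
        if d2 in seen:
            return seen[d2], m
        seen[d2] = m
    return None


if __name__ == "__main__":
    m1, m2 = break_concatenation()
    print(m1 != m2, toy_md(m1) == toy_md(m2), toy_h2(m1) == toy_h2(m2))   # True True True
```

Scaled to real sizes the same procedure needs about 80 block collisions of MD5 to reach 2^80 candidates for the SHA-1 birthday search, which is why MD5 || SHA-1 offers roughly 80 bits of collision resistance rather than 144.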

Cryptographic hash algorithms

There is a long list of cryptographic hash functions, although many have been
found to be vulnerable and should not be used. Even if a hash function has never been
broken, a successful attack against a weakened variant thereof may undermine the
experts' confidence and lead to its abandonment. For instance, in August 2004
weaknesses were found in a number of hash functions that were popular at the time,
including SHA-0, RIPEMD, and MD5. This has called into question the long-term
security of later algorithms which are derived from these hash functions — in particular,
SHA-1 (a strengthened version of SHA-0), RIPEMD-128, and RIPEMD-160 (both
strengthened versions of RIPEMD). Neither SHA-0 nor RIPEMD are widely used since
they were replaced by their strengthened versions. As of 2009, the two most commonly
used cryptographic hash functions are MD5 and SHA-1. However, MD5 has been
broken; an attack against it was used to break SSL in 2008.

The SHA-0 and SHA-1 hash functions were developed by the NSA. On 12 August
2004, a collision for the full SHA-0 algorithm was announced by Joux, Carribault,
Lemuet, and Jalby. This was done by using a generalization of the Chabaud and Joux
attack. Finding the collision had complexity 2^51 and took about 80,000 CPU hours on a
supercomputer with 256 Itanium 2 processors (equivalent to 13 days of full-time use of
the computer).

In February 2005, an attack on SHA-1 was reported that would find a collision in
about 2^69 hashing operations, rather than the 2^80 expected for a 160-bit hash function. In
August 2005, another attack on SHA-1 was reported that would find collisions in 2^63
operations. When this text was written no SHA-1 collision (or near-collision) had been
found, though it was widely expected to become practical within years; a practical collision
(two distinct PDF files with the same SHA-1 digest) was published in February 2017. New
applications should avoid these problems by using later members of the SHA family, such as
SHA-2, or techniques such as randomized hashing[12][13] that do not require collision
resistance.

1.2 NEED

Delay Tolerant Networking (DTN) is an end-to-end network architecture designed to


provide communication in and/or through highly stressed networking environments. Stressed
networking environments include those with intermittent connectivity, large and/or variable
delays, and high bit error rates. The DTN research group (DTNRG) leads the field in DTN
research.

1.3 OBJECTIVE

Asynchronously interconnecting different networks

• Network of regional networks

Each network can have

• Arbitrary underlying technologies
• Different administrative controls
• No accessible infrastructure

CHAPTER 2
LITERATURE SURVEY

L. Ibraimi, M. Petkovic, S. Nikova, P. Hartel, and W. Jonker, Mediated ciphertext-policy
attribute-based encryption and its application

Modern distributed information systems require flexible access control models which go beyond
discretionary, mandatory and role-based access control. Recently proposed models, such as
attribute-based access control, define access control policies based on different attributes of the
requester, environment, or the data object. On the other hand, the current trend of service-based
information systems and storage outsourcing require increased protection of data including
access control methods that are cryptographically enforced. The concept of Attribute-Based
Encryption(ABE) fulfills the aforementioned requirements. It provides an elegant way of
encrypting data such that the encryptor defines the attribute set that the decryptor needs to possess
in order to decrypt the ciphertext. Since Sahai and Waters proposed the basic ABE scheme,
several more advanced schemes have been developed, most notably Ciphertext-Policy
ABE schemes (CP-ABE). In these schemes, a ciphertext is associated with an access policy and
the user secret key is associated with a set of attributes. A secret key holder can decrypt the
ciphertext if the attributes associated with his secret key satisfy the access policy associated with
the ciphertext. For example, consider a situation in which two organizations, a Hospital and a
University, conduct research in the field of neurological disorders. The Hospital wants to allow
access to its research results to all staff from the University who have the role Professor and
belong to the Department of Neurology (DN). To enforce the policy, the Hospital encrypts the
data according to the access policy Results = (University Professor ∧ Member of DN). Only users
who have a secret key associated with a set of attributes ω = (University Professor, Member of
DN) can satisfy the access policy Results and be able to decrypt the ciphertext. The state-of-the-
art CP-ABE schemes provide limited support for revocation of attributes, a feature which is
becoming increasingly important in modern access control systems. In general, attribute
revocation may happen for the following reasons: 1) an attribute is no longer valid because it has
expired, for instance, the attribute "project manager-January 2009" is valid until January 2009;
or 2) a user is misusing her secret key associated with a set of attributes, for instance, Alice
might give a copy of her secret key to Bob, who is not a legitimate user. In particular, attribute
revocation is an important requirement in the domain of access control to personal health data,
which is our application field for attribute-based encryption. In this paper, we propose a new
scheme for attribute revocation in CP-ABE called mediated Ciphertext-Policy Attribute-Based
Encryption (mCP-ABE). Previous CP-ABE systems proposed to use a system where attributes
are valid within a specific time frame. However, the drawback of this approach is that there is
no way to revoke an attribute before the expiration date. In our scheme the secret key is divided
into two shares, one share for the mediator and the other for the user. To decrypt the data, the
user must contact the mediator to receive a decryption token. The mediator keeps an attribute
revocation list (ARL) and refuses to issue the decryption token for revoked attributes. Without
the token, the user cannot decrypt the ciphertext; therefore the attribute is implicitly revoked.
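
The mediator flow just described, as an added example; this is not code from the report or from the mCP-ABE paper, and it replaces the pairing-based construction with a toy discrete-log group over Z_p so that it runs offline. For every attribute a the authority holds t_a and publishes T_a = g^t_a; a user's copy of t_a is split into u_a (kept by the user) and m_a (kept by the mediator). The encryptor derives the data key from the T_a of its policy, the mediator's token is bound to the ciphertext, and a revoked (user, attribute) pair on the ARL means no token and therefore no decryption, without rekeying the user. Policies are restricted to AND over attributes, and Authority, Mediator, UserKey, encrypt and demo are names chosen for this example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

P = 2**127 - 1   # Mersenne prime; toy group Z_p^* for illustration only (constructed)
Q = P - 1        # exponents are reduced modulo the group order
G = 3            # fixed base element

def _rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1

def _xor_stream(key_elem: int, data: bytes) -> bytes:
    # Toy symmetric layer: SHAKE-256 keystream derived from the shared group element.
    pad = hashlib.shake_256(key_elem.to_bytes(16, "big")).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, pad))

@dataclass(frozen=True)
class Ciphertext:
    policy: FrozenSet[str]   # AND over these attributes (toy restriction)
    c: int                   # g^s, public; decryption tokens are bound to it
    body: bytes

class Mediator:
    """Holds the mediator half m_a of every user's attribute secrets plus the ARL."""
    def __init__(self) -> None:
        self._half: Dict[str, Dict[str, int]] = {}
        self.arl: Set[Tuple[str, str]] = set()   # revoked (user_id, attribute) pairs

    def register(self, user_id: str, attr: str, m: int) -> None:
        self._half.setdefault(user_id, {})[attr] = m

    def revoke(self, user_id: str, attr: str) -> None:
        self.arl.add((user_id, attr))

    def issue_token(self, user_id: str, ct: Ciphertext) -> Optional[int]:
        halves = self._half.get(user_id, {})
        for a in ct.policy:
            if a not in halves or (user_id, a) in self.arl:
                return None      # missing or revoked attribute: no token
        e = sum(halves[a] for a in ct.policy) % Q
        return pow(ct.c, e, P)   # g^{s * sum m_a}; only useful for this ciphertext

@dataclass
class UserKey:
    user_id: str
    half: Dict[str, int]         # user half u_a for each held attribute

    def decrypt(self, ct: Ciphertext, mediator: Mediator) -> Optional[bytes]:
        if not ct.policy.issubset(self.half):
            return None
        token = mediator.issue_token(self.user_id, ct)
        if token is None:
            return None          # no token: the attribute is implicitly revoked
        e = sum(self.half[a] for a in ct.policy) % Q
        k = pow(ct.c, e, P) * token % P   # g^{s * sum(u_a + m_a)} = g^{s * sum t_a}
        return _xor_stream(k, ct.body)

class Authority:
    """Trusted key authority: secret t_a per attribute, public T_a = g^t_a."""
    def __init__(self, universe) -> None:
        self._t = {a: _rand_exp() for a in universe}
        self.public = {a: pow(G, t, P) for a, t in self._t.items()}

    def issue(self, user_id: str, attrs, mediator: Mediator) -> UserKey:
        half: Dict[str, int] = {}
        for a in attrs:
            m = _rand_exp()
            half[a] = (self._t[a] - m) % Q   # u_a + m_a = t_a (mod Q)
            mediator.register(user_id, a, m)
        return UserKey(user_id, half)

def encrypt(public: Dict[str, int], policy, plaintext: bytes) -> Ciphertext:
    """The encryptor needs only the public T_a of the attributes in its policy."""
    s = _rand_exp()
    k = 1
    for a in policy:
        k = k * pow(public[a], s, P) % P     # prod T_a^s = g^{s * sum t_a}
    return Ciphertext(frozenset(policy), pow(G, s, P), _xor_stream(k, plaintext))

def demo() -> Tuple[bool, bool, bool]:
    """Hospital scenario: (full key decrypts, partial key fails, revoked key fails)."""
    auth, med = Authority(["University Professor", "Member of DN"]), Mediator()
    alice = auth.issue("alice", ["University Professor", "Member of DN"], med)
    bob = auth.issue("bob", ["University Professor"], med)
    msg = b"constructed neurology results"
    ct = encrypt(auth.public, {"University Professor", "Member of DN"}, msg)
    ok = alice.decrypt(ct, med) == msg
    partial_fails = bob.decrypt(ct, med) is None
    med.revoke("alice", "Member of DN")          # ARL entry only; Alice is not rekeyed
    revoked_fails = alice.decrypt(ct, med) is None
    return ok, partial_fails, revoked_fails
```

The token g^{s·Σm_a} is computed from the ciphertext's own g^s, so a token obtained for one ciphertext does not open another. What the toy does not provide is collusion resistance or a security proof; that is where the real scheme's pairing structure is needed.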

ADVANTAGES

Provide a scheme which would have a security proof under standard complexity assumptions

DISADVANTAGES

A secret key holder can decrypt the ciphertext if the attributes associated with the ciphertext
satisfy the access policy associated with the secret key.

N. Chen, M. Gerla, D. Huang, and X. Hong, Secure, selective group broadcast in vehicular
networks using dynamic attribute based encryption

Cautious landlords replace the house locks after tenants leave because they worry those tenants
might keep copies of the keys. The same concept applies to protecting confidential information.
Whenever a user leaves a communication group that has been exchanging and sharing
confidential information, the remaining group members will replace the key used to encrypt the
messages with a new one. However, given the high cost of key redistribution, this can impact
performance especially when the group is made of thousands of users and the group members are
likely to move in and out frequently. Sahai et al.'s recent Attribute Based Encryption (ABE)
scheme makes it possible to dynamically reassign group keys when requirements and conditions
change. To introduce the concept of ABE, consider the following example: there are often
several restrictions to redeem a coupon, say, California resident, UC or CSU student, plus AAA
or UHaul membership, etc. One must show a resident ID, student ID and AAA or UHaul ID, etc.,
to get the coupon. In the ABE context, the coupon is the object or information that we must
protect, and the IDs are so-called attributes. The secret message (the coupon) is encrypted with
an access control policy tree that contains the logical combination of the different attributes. The
policy tree for the above coupon example would be “CA resident AND (UC student OR CSU
student) AND (AAA membership OR UHaul member)”. Each qualified user can apply and
obtain a private key from the certifying authority (Key Master). The key is associated with the
various qualifications (i.e., attributes) of the applicant. The users can decrypt only if the
attributes satisfy the policy tree. Attributes can be expanded to represent all kinds of properties
related to applicants, e.g., skin color, car brand, size, occupation and the time window when these
properties are valid, etc. A policy tree defines a target multicast group to which a secret must be
delivered - for example, a group key to be used for future communications. ABE saves the
trouble to issue a group key in advance to each foreseen multicast group (thus avoiding
combinatorial explosion). Or, conversely, it avoids the problem (and latency) of finding and
certifying all the qualified members on the spot whenever the need arises. ABE requires the
customers to pre-qualify (off line) for the attributes that may correspond to multicast groups they
will be asked to join. Thus, the work is done ahead of time; and, it does not require
combinatorial complexity. To prevent users from holding certain attributes forever, ABE adds
expiration timers to revoke private keys. The problem with this revocation scheme is that the
entire private key expires after a period of time. It works well in some scenarios but significantly
reduces the performance in applications such as Situation Aware Trust (SAT), proposed by Xiaoyan
Hong et al., where attributes tend to change frequently. In SAT, locations are also encoded into
attributes. Considering that the location attribute can be as specific as a street or a neighborhood,
a mobile user’s attribute is expected to change in a matter of less than one minute. Each time the
location attribute changes, the entire private key, which may be associated with hundreds of
attributes, must be changed. This is not efficient since the cost of generating a new private key is
proportional to the number of attributes associated with that private key. If there are 100
attributes associated with a private key and even only one changes, the authority must generate a
new private key with 100 attributes at considerable expense of CPU resources. In fact, the bigger
the key, the longer the transmission time, not a welcome proposition in applications like vehicular
networks with short road-side unit and vehicle contacts. To save CPU resources, bandwidth and
time, we avoid updating those attributes that stay unchanged. To achieve this, we introduce in
this paper the concept of an attribute fading function, making attributes “independent” and
“dynamic”. With the fading function, an attribute associated with a private key has its own
expiration time. When an underlying property changes, the user requests a new attribute from the
authority to represent his new property, and the out-of-date attribute expires after a certain period
of time. By this means, a user can update some attributes, rather than all of them, in one update.
Our simulation results show that this approach significantly reduces the overhead compared
with traditional ABE, especially when there are a number of “dynamic” attributes associated with
users’ private keys.
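
The partial-update idea above, as an added example (not code from the cited paper): a private key is modelled as a map from attribute to (expiry time, key component), and the two update strategies are compared on the 100-attribute, one-change case the text describes. The component is a constructed random token standing in for the real per-attribute key element; issue_key, valid_attributes, whole_key_update, fading_update and location_change_example are names chosen for this example, and the grace period after which an out-of-date attribute fades is an assumed parameter.

```python
import secrets
from typing import Dict, FrozenSet, Iterable, Tuple

# attribute -> (expires_at, key component); the component is a constructed random
# token standing in for the real per-attribute element of an ABE private key
Key = Dict[str, Tuple[int, bytes]]


def issue_key(attrs: Iterable[str], now: int, ttl: int) -> Key:
    return {a: (now + ttl, secrets.token_bytes(16)) for a in attrs}


def valid_attributes(key: Key, now: int) -> FrozenSet[str]:
    """Attributes whose own timer has not run out; the others have faded."""
    return frozenset(a for a, (expires_at, _) in key.items() if expires_at > now)


def whole_key_update(key: Key, changed: Dict[str, str], now: int, ttl: int) -> Tuple[Key, int]:
    """Traditional ABE: one changed property re-issues every component.
    Returns the new key and the number of components regenerated."""
    attrs = [changed.get(a, a) for a in key]        # old attribute name -> new one
    return issue_key(attrs, now, ttl), len(attrs)


def fading_update(key: Key, changed: Dict[str, str], now: int, ttl: int,
                  grace: int) -> Tuple[Key, int]:
    """Fading function: only the new attribute is issued; the out-of-date attribute
    keeps its component but its expiry is pulled in to now + grace (assumed), after
    which it fades. Unchanged attributes are not touched at all."""
    updated: Key = dict(key)
    regenerated = 0
    for old, new in changed.items():
        expires_at, component = updated[old]
        updated[old] = (min(expires_at, now + grace), component)
        updated[new] = (now + ttl, secrets.token_bytes(16))
        regenerated += 1
    return updated, regenerated


def location_change_example() -> Tuple[int, int]:
    """100 attributes, one location attribute changes: components regenerated
    under whole-key update versus fading update."""
    attrs = [f"attr{i}" for i in range(99)] + ["loc:street-A"]
    key = issue_key(attrs, now=0, ttl=3600)
    _, whole_cost = whole_key_update(key, {"loc:street-A": "loc:street-B"}, 10, 3600)
    _, fading_cost = fading_update(key, {"loc:street-A": "loc:street-B"}, 10, 3600, grace=60)
    return whole_cost, fading_cost
```

During the grace window both the old and the new location attribute are valid, which is the price of not contacting the authority to revoke the old one explicitly; after it, valid_attributes drops the faded attribute on its own.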

ADVANTAGES

• It transforms trust from Internet social communities to VANET trust in order to enhance
and promote VANET applications.
• Making key management in the presence of dynamic attributes much more efficient and
scalable

DISADVANTAGES

• Does not help much since updating is still in terms of (private) keys, instead of attributes
• Does not need to check with the Key Master anymore as long as the fading function is not
replaced, if he wants to reuse the same attribute later

D. Huang and M. Verma, ASPE: Attribute-based secure policy enforcement in vehicular ad
hoc networks

Vehicular ad hoc networks (VANETs) are usually operated among vehicles moving at high
speeds, and thus their communication relations can be changed frequently. In such a highly
dynamic environment, establishing trust among vehicles is difficult. To solve this problem, we
propose a flexible, secure and decentralized attribute based secure key management framework
for VANETs. Our solution is based on attribute based encryption (ABE) to construct an attribute
based security policy enforcement (ASPE) framework. ASPE considers various road situations
as attributes. These attributes are used as encryption keys to secure the transmitted data. ASPE is
flexible in that it can dynamically change encryption keys depending on the VANET situations.
At the same time, ASPE naturally incorporates data access control policies on the transmitted
data. ASPE provides an integrated solution to involve data access control, key management,
security policy enforcement, and secure group formation in highly dynamic vehicular
communication environments. Our performance evaluations show that ASPE is efficient and it
can handle large amounts of data encryption/decryption flows in VANETs. Attribute-based
encryption (ABE) is an expansion of public key encryption that allows users to encrypt and
decrypt messages based on user attributes. In a key-policy ABE (KP-ABE) system, an encrypted
message can be tagged with a set of attributes, such as tagging an email with the metadata. The
master authority for the system can issue private decryption keys to users including an access
policy, such as giving to Bob a decryption key that enables him to decrypt any ciphertexts. This
access control functionality can be very powerful, but also costly. In this work, we focus on the
cost of decryption. In many key-policy ABE systems, such as that of Goyal, Pandey, Sahai and
Waters (GPSW), the decryption algorithm requires one pairing for each attribute used during
decryption. (Encryption does not require any pairings, and is thus already fast by comparison.) It
seems conceivable that one might reduce the cost of decryption by making tradeoffs elsewhere.
One tradeoff we allow ourselves in this work is to increase the private key size, although we
ideally want to limit any increase as much as possible. We do not, however, consider tradeoffs
that increase the ciphertext size or that place any limitations on how the ABE system can be
used. That is, we focus on fast decryption for the most general setting possible: an expressive,
large-universe system, where there are no bounds on, say, the number of attributes that can
appear in a ciphertext or private key. While good progress has been made on efficient ABE in
“bounded settings”, as we discuss shortly, our focus is to develop techniques for improving
efficiency in the most general setting and for applications where it is infeasible to trade system-
wide usability for performance.

ADVANTAGES

• A nice feature of this approach is that each user can tune their own performance based on
how they think they are likely to use their private key.
• Achieving fast decryption

DISADVANTAGES

• But this should be done with care or the decryption time will increase without reducing
the private key size
• The average overhead incurred on future ciphertexts would be dependent on the overhead
from past ciphertexts, so one could try a random setting and then observe performance

A. Lewko and B. Waters, Decentralizing attribute-based encryption

X. Liang, Z. Cao, H. Lin, and D. Xing, Provably secure and efficient bounded ciphertext policy
attribute based encryption

Ciphertext Policy Attribute based Encryption (CP-ABE), similar to a role-based access control
system, can be widely applied to realize access control in many applications including medical
systems and education systems. For example, sensitive medical records, tightly related to
patients’ privacy, must be accessed only if the users are authorized with patients’ consent;
solutions of exams in an online education system should also be read only by professors or
specified teaching assistants. The CP-ABE scheme deals with those situations by encrypting
the target information with expressive access policies, such as “Medicine” and
“Physician”, or “Professor” or (“Computer Science” and “Teaching Assistant”). In fact, CP-ABE can
provide a perfect solution to an access control system by considering efficient distribution,
expressive access control and data confidentiality. In the traditional CP-ABE scheme, once users
obtain the credentials from a system manager at the beginning of the setup phase, the access ability
is always valid, even for those who may break the confidentiality rules by abusing this private
information. Upon detecting those malicious adversaries, without any revocation mechanism
embedded, the system manager has to rebuild the whole system. Therefore, a revocation
mechanism should be designed into the system from the beginning rather than being added after
the other issues are addressed, as it requires careful planning on where functionality should be
placed and how to reduce the computational and communication costs. In this paper, we aim at
developing a CP-ABE scheme with efficient revocation. Designing a revocation mechanism
for CP-ABE is not a simple task when considering the following aspects: first, the system manager
only associates user secret keys with different sets of attributes instead of individual
characteristics. The fuzzy identities therefore encumber the system’s revocation of one specified
user; second, users’ individuality is replaced by several common attributes, and thus
revocation of attributes or attribute sets cannot accurately exclude the users with misbehaviors;
third, the system must be secure against collusion attacks from revoked users even though they
share some common attributes with non-revoked users. To consider the revocation problem in a
traditional CP-ABE scheme, limited choices are available. One is the revocation of a single
attribute, which is not connected with users’ behaviors but is more likely to be a periodical update
of the universal attribute set of the whole system. Another possible solution is to revoke one attribute
set corresponding to one specific set of users. In this way, all the users’ access abilities will be
revoked if they share the same attribute set with the malicious user, which is inappropriate in
real applications.

ADVANTAGES

• Delegating capability can be easily provided in the proposed scheme
• Feasible revocation operations

DISADVANTAGES

• However, the encryption and decryption algorithms are completed without the
involvement of these unique identifiers.
• However, the periodical change of system public parameters introduces extra
computational and communication costs

M. Chase and S. S. M. Chow, Improving privacy and security in multiauthority attribute-based
encryption

We often identify people by their attributes. In 2005, Sahai and Waters proposed a system
(described in more recent terminology as a key-policy attribute-based encryption (ABE) system
for threshold policies) in which a sender can encrypt a message specifying an attribute set and a
number d, such that only a recipient with at least d of the given attributes can decrypt the
message. However, the deployment implications of their scheme may not be entirely realistic, in
that it assumes the existence of a single trusted party who monitors all attributes and issues all
decryption keys. Instead, we often have different entities responsible for monitoring different
attributes of a person, e.g. the Department of Motor Vehicles tests whether you can drive, a
university can certify that you are a student, etc. Thus, Chase gave a multi-authority ABE
scheme which supports many different authorities operating simultaneously, each handing out
secret keys for a different set of attributes. However, this solution was still not ideal. There are
two main problems: one concerns the security of the encryption, the other the privacy of the users.
Since each authority is responsible for different attributes, we want to allow them to issue
decryption keys independently, without having to communicate with one another. As argued, in
order to prevent collusion in such a setting, we need some consistent notion of identity.
(Otherwise, a user could easily obtain keys from one authority and then give them all to a
friend.) The solution in that work is to require that each user have a unique global identifier
(GID), which they must present to each authority (and to require that the user prove in some way
that he is the owner of the GID he presents). Unfortunately, the mere existence of GID makes it
very hard for the users to guarantee any kind of privacy. Because a user must present the same
GID to each authority, it is very easy for colluding authorities to pool their data and build a
“complete profile” of all of the attributes corresponding to each GID. However, this might be
undesirable, particularly if the user uses the ABE system in many different settings, and wishes
to keep information about some of those settings private. Regardless, as the attribute-authorities
(AAs) are responsible for managing each user’s attributes, it seems inevitable that they will learn
which subsets of its attributes are held by different users. However, we could imagine
applications where some of the authorities are different online service providers giving attributes
related to online activities like blog/wiki contributions, access to online news sites, participation
in social networking sites, or purchases at an online store. In this case, it would make sense for
the user to be able to maintain different, unlinkable attribute sets with each authority. At the
same time, it also makes sense for each AA to gather statistics on their system usage (e.g. the
number of users subscribed to a particular service, as indicated by the number of users who
requested a decryption key for a certain attribute) without compromising individuals’ privacy.

ADVANTAGES

• The scheme allows the encryptor to encrypt a message according to an access policy over
a set of attributes
• The mCP-ABE scheme can also support the offline use of data

DISADVANTAGES

• The data is encrypted according to an access policy, and the policy moves with the
encrypted data.
• Thus, even if the server which stores health records gets compromised, the confidentiality
of the data is preserved since the data is encrypted, and the attacker cannot decrypt the
encrypted data without having a secret key

CHAPTER 3

SYSTEM DESCRIPTION

EXISTING SYSTEM

Attribute based encryption (ABE) determines decryption ability based on a user’s
attributes. In a multi-authority ABE scheme, multiple attribute-authorities monitor different sets
of attributes and issue corresponding decryption keys to users and encryptions can require that a
user obtain keys for appropriate attributes from each authority before decrypting a message.
Chase gave a multi-authority ABE scheme using the concepts of a trusted central authority (CA)
and global identifiers (GID). However, the CA in that construction has the power to decrypt
every cipher text, which seems somehow contradictory to the original goal of distributing control
over many potentially untrusted authorities. Moreover, in that construction, the use of a
consistent GID allowed the authorities to combine their information to build a full profile with
all of a user’s attributes, which unnecessarily compromises the privacy of the user. In this paper,
we propose a solution which removes the trusted central authority, and protects the users’
privacy by preventing the authorities from pooling their information on particular users, thus
making ABE more usable in practice.

DISADVANTAGES

• The keys are a bit more complex
• However, this decryption power seems somehow contradictory to the original
motivation of distributing control of the attributes over many potentially untrusted
authorities.

PROPOSED SYSTEM

Mobile nodes in military environments such as a battlefield or a hostile region are likely to suffer
from intermittent network connectivity and frequent partitions. Disruption-tolerant network
(DTN) technologies are becoming successful solutions that allow wireless devices carried by
soldiers to communicate with each other and access the confidential information or command
reliably by exploiting external storage nodes. Some of the most challenging issues in this
scenario are the enforcement of authorization policies and the policies update for secure data
retrieval. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic
solution to the access control issues. However, the problem of applying CP-ABE in decentralized
DTNs introduces several security and privacy challenges with regard to the attribute revocation,
key escrow, and coordination of attributes issued from different authorities. In this paper, we
propose a secure data retrieval scheme using CP-ABE for decentralized DTNs where multiple
key authorities manage their attributes independently. We demonstrate how to apply the
proposed mechanism to securely and efficiently manage the confidential data distributed in the
disruption-tolerant military network.

ADVANTAGES

• Different users are allowed to decrypt different pieces of data per the security policy
• The proposed mechanism securely and efficiently manages the confidential data
distributed in the disruption-tolerant military network

SYSTEM SPECIFICATION

Hardware specification

This section describes the hardware components with which the tool was developed and the
minimum hardware configuration with which the system operates best.

o Processor : Intel Core 2 Duo

o RAM : 2GB

o Mother Board : Intel Board

o Hard Disk : 80 GB Hard Disk

Software specification

This section describes the software in which the application was developed and using the same
software would make it more compatible.

o Operating System : Windows 7

o Language : Java

Software Details

JAVA:

Java is a set of several computer software products and specifications from Oracle Corporation
that provides a system for developing application software and deploying it in a cross platform
computing environment. Java is used in a wide variety of computing platforms from embedded
devices and mobile phones on the low end, to enterprise servers and supercomputers on the high
end. While less common, Java applets are sometimes used to provide improved and secure
functions while browsing the World Wide Web on desktop computers.

Writing in the Java programming language is the primary way to produce code that will be
deployed as Java byte code. There are, however, byte code compilers available for other
languages such as Ada, JavaScript, Python, and Ruby. Several new languages have been
designed to run natively on the Java Virtual Machine (JVM), such as Scala, Clojure and Groovy.
Java syntax borrows heavily from C and C++, but object oriented features are modeled after
Smalltalk and Objective C. Java eliminates certain low level constructs such as pointers and has
a very simple memory model where every object is allocated on the heap and all variables of
object types are references. Memory management is handled through integrated automatic
garbage collection performed by the JVM.

The Java platform has become a mainstay of enterprise IT development since the introduction of
the Enterprise Edition in 1998, in two different ways:
Through the coupling of Java to the web server, the Java platform has become a leading platform
for integrating the Web with enterprise backend systems. This has allowed companies to move
part or all of their business to the Internet environment by way of highly interactive online
environments (such as highly dynamic websites) that allow the customer direct access to the
business processes (e.g. online banking websites, airline booking systems and so on). This trend
has continued from its initial Web based start:

The Java platform has matured into an Enterprise Integration role in which legacy systems are
unlocked to the outside world through bridges built on the Java platform. This trend has been
supported by Java platform support for EAI standards like messaging and Web services and has
fueled the inclusion of the Java platform as a development basis in such standards as SCA, XAM
and others.

Java has become the standard development platform for many companies' IT departments, which
do most or all of their corporate development in Java. This type of development is usually related
to company specific tooling (e.g. a booking tool for an airline) and the choice for the Java
platform is often driven by a desire to leverage the existing Java infrastructure to build highly
intelligent and interconnected tools.

The Java platform has become the main development platform for many software tools and
platforms that are produced by third party software groups (commercial, open source and hybrid)
and are used as configurable (rather than programmable) tools by companies. Examples in this
category include Web servers, application servers, databases, enterprise service buses, business
process management (BPM) tools and content management systems.

Enterprise use of Java has also long been the main driver of open source interest in the platform.
This interest has inspired open source communities to produce a large amount of software,
including simple function libraries, development frameworks (e.g. the Spring Framework,
Apache Wicket, Dojo Toolkit, Hibernate), and open source implementations of standards and
tools (e.g. Apache Tomcat, the GlassFish application server, the Mule and Apache ServiceMix
Enterprise service buses).

METHODOLOGY

Attribute Based Encryption

The concept of ABE was introduced along with another cryptographic primitive called fuzzy identity
based encryption (FIBE) by Sahai and Waters. Both schemes are based on bilinear maps
(pairings). In an ABE system, users’ private keys and ciphertexts are labelled with sets of descriptive
attributes and access policies respectively, and a particular key can decrypt a particular
ciphertext only if the associated attributes and policy match.

A. Key Policy Attribute Based Encryption

The key policy attribute based encryption (KP-ABE) was first introduced in 2006 by
Goyal et al. In this cryptographic system, ciphertexts are labelled with sets of attributes.
Private keys, on the other hand, are associated with access structures A. A private key can
only decrypt a ciphertext whose attribute set is an authorized set of the private key’s access
structure. KP-ABE is a cryptographic system built upon bilinear maps and Linear Secret
Sharing Schemes.

B. Multi-Authority Attribute Based Encryption

In a multi-authority ABE system, we have many attribute authorities and many users. There is
also a set of system-wide public parameters available to everyone (created by a
distributed protocol between the authorities). A user can choose to go to an attribute
authority, prove that it is entitled to some of the attributes handled by that authority, and
request the corresponding decryption keys. The authority will run the attribute key generation
algorithm and return the result to the user. Any party can also choose to encrypt a message, in
which case he uses the public parameters together with an attribute set of his choice to form
the ciphertext. Any user who has decryption keys corresponding to an appropriate attribute
set can use them for decryption.

CP-ABE

In this section, we provide a multiauthority CP-ABE scheme for secure data retrieval in
decentralized DTNs. Each local authority issues partial personalized and attribute key
components to a user by performing a secure 2PC protocol with the central authority. Each
attribute key of a user can be updated individually and immediately. Thus, the scalability and
security can be enhanced in the proposed scheme. Since the first CP-ABE scheme proposed by
Bethencourt et al., dozens of CP-ABE schemes have been proposed. The subsequent CP-ABE
schemes are mostly motivated by more rigorous security proofs in the standard model. However,
most of the schemes failed to achieve the expressiveness of Bethencourt et al.’s scheme, which
described an efficient system that was expressive in that it allowed an encryptor to express an
access predicate in terms of any monotonic formula over attributes. Therefore, in this section,
we develop a variation of the CP-ABE algorithm partially based on (but not limited to)
Bethencourt et al.’s construction in order to enhance the expressiveness of the access control
policy instead of building a new CP-ABE scheme from scratch.

A. Access Tree

1) Description: Let T be a tree representing an access structure. Each nonleaf node
of the tree represents a threshold gate. If num_x is the number of children of a node
x and k_x is its threshold value, then 0 ≤ k_x ≤ num_x. Each leaf node of the tree is
described by an attribute and a threshold value k_x = 1. λ_x denotes the attribute
associated with the leaf node x in the tree. p(x) represents the parent of the node x in
the tree. The children of every node are numbered from 1 to num_x. The function
index(x) returns such a number associated with the node x. The index values are
uniquely assigned to nodes in the access structure for a given key in an arbitrary
manner.

2) Satisfying an Access Tree: Let T_x be the subtree of T rooted at the node x. If a set
of attributes γ satisfies the access tree T_x, we denote it as T_x(γ) = 1. We compute
T_x(γ) recursively as follows. If x is a nonleaf node, evaluate T_x'(γ) for all children
x' of node x; T_x(γ) returns 1 iff at least k_x children return 1. If x is a leaf node, then
T_x(γ) returns 1 iff λ_x ∈ γ.
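
The recursive check above, implemented as an added example rather than code from the report or from the cited CP-ABE papers. Besides the threshold-gate evaluation T_x(γ), it encodes the two policies quoted in the literature survey, the Hospital's Results = (University Professor ∧ Member of DN) and the coupon policy “CA resident AND (UC student OR CSU student) AND (AAA membership OR UHaul member)”, and a 2-of-3 gate that a single threshold node expresses directly. Leaf, Gate, AND, OR, threshold, satisfies and satisfying_children are names chosen for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    attribute: str                 # lambda_x: the attribute attached to this leaf (k_x = 1)


@dataclass(frozen=True)
class Gate:
    k: int                         # threshold k_x of this nonleaf node
    children: Tuple["Node", ...]   # ordered; index(child) is its 1-based position

    def __post_init__(self) -> None:
        if not 0 <= self.k <= len(self.children):
            raise ValueError(f"k_x={self.k} must satisfy 0 <= k_x <= num_x={len(self.children)}")


Node = Union[Leaf, Gate]


def AND(*children: Node) -> Gate:
    """An AND gate is a threshold gate with k_x = num_x."""
    return Gate(len(children), tuple(children))


def OR(*children: Node) -> Gate:
    """An OR gate is a threshold gate with k_x = 1."""
    return Gate(1, tuple(children))


def threshold(k: int, *children: Node) -> Gate:
    return Gate(k, tuple(children))


def satisfies(x: Node, gamma: FrozenSet[str]) -> bool:
    """T_x(gamma): a leaf is satisfied iff lambda_x in gamma; a gate iff at least
    k_x of its children are satisfied."""
    if isinstance(x, Leaf):
        return x.attribute in gamma
    return sum(1 for child in x.children if satisfies(child, gamma)) >= x.k


def satisfying_children(x: Gate, gamma: FrozenSet[str]) -> List[int]:
    """index(x') of every child x' with T_x'(gamma) = 1, in the gate's child order."""
    return [i for i, child in enumerate(x.children, start=1) if satisfies(child, gamma)]


# Policies quoted in the literature survey (attribute strings as written there).
HOSPITAL_POLICY = AND(Leaf("University Professor"), Leaf("Member of DN"))

COUPON_POLICY = AND(
    Leaf("CA resident"),
    OR(Leaf("UC student"), Leaf("CSU student")),
    OR(Leaf("AAA membership"), Leaf("UHaul member")),
)

# A 2-of-3 gate: one threshold node, where AND/OR alone would need a larger formula.
TWO_OF_THREE = threshold(2, Leaf("A"), Leaf("B"), Leaf("C"))


if __name__ == "__main__":
    print(satisfies(HOSPITAL_POLICY, frozenset({"University Professor", "Member of DN"})))
    print(satisfies(COUPON_POLICY, frozenset({"CA resident", "CSU student", "UHaul member"})))
    print(satisfying_children(TWO_OF_THREE, frozenset({"A", "C"})))
```

satisfying_children returns the index(x) values of the children that evaluate to 1; a decryptor needs k_x of them, which is why the scheme assigns every child a unique index within its parent.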

1) System Setup: At the initial system setup phase, the trusted initializer chooses a
bilinear group G_0 of prime order p with generator g according to the security parameter. It
also chooses a hash function H from a family of universal one-way hash functions.
The public parameter param is given by (G_0, g, H). For brevity, the public parameter
param is omitted below. Central Key Authority: it chooses a random exponent β ∈_R Z_p and
sets h = g^β. Its master public/private key pair is given by (PK_CA = h, MK_CA = β).
Local Key Authorities: each chooses a random exponent α_i ∈_R Z_p, from which its own
master public/private key pair is derived.

2) Key Generation: In CP-ABE, user secret key components consist of a single
personalized key and multiple attribute keys. The personalized key is uniquely
determined for each user to prevent collusion attacks among users with different
attributes. The proposed key generation protocol is composed of the personal key
generation followed by the attribute key generation protocols. It exploits an arithmetic
secure 2PC protocol to eliminate the key escrow problem, such that none of the
authorities can determine the whole key components of users individually.
Personal Key Generation: The central authority and each local authority are
involved in the following protocol. For brevity, the proofs of knowledge are omitted
below. 1) When a user is authenticated, random exponents are selected for every local
authority.

Revocation

We observed that it is impossible to revoke specific attribute keys of a user without
rekeying the whole set of key components of the user in the ABE key structure, since
the whole key set of a user is bound with the same random value in order to
prevent any collusion attack. Therefore, revoking a single attribute in the system
requires all users who share the attribute to update all their key components, even if
their other attributes are still valid. This seems very inefficient and may
cause severe overhead in terms of computation and communication cost,
especially in large-scale DTNs. For example, suppose that a user is qualified with
several different attributes. Then, all attribute keys of the user are generated with the same
random number in the ABE key architecture. When an attribute of the user is
required to be revoked (while the other attribute keys of the user are still valid), the other
valid keys must be updated with a new random number, different from the old one, and
delivered to the user. Unless the other keys are updated, the attribute key that is to be
revoked could be used as a valid key until they are updated, since it is still bound with
the same random number. Therefore, in order to revoke a single attribute key of a user,
all keys of the user need to be updated. If several users share the attribute, then all keys
of all those users need to be updated in order to revoke just a single attribute in the
system. One promising way to immediately revoke an attribute of specific users is to
reencrypt the ciphertext with each attribute group key and selectively distribute the attribute
group key to authorized (non-revoked) users who are qualified with the attribute.
Before distributing the ciphertext, the storage node receives a set of membership
information for each attribute group that appears in the access tree of the ciphertext from
the corresponding authorities and reencrypts it.

Key Update

When a user comes to hold or drop an attribute, the corresponding key should be
updated to prevent the user from accessing the previous or subsequent encrypted
data, for backward or forward secrecy respectively. The key update procedure is
launched by sending a join or leave request for some attribute group from a user
who wants to hold or drop the attribute to the corresponding authority. On receipt
of the membership change request for some attribute group, the authority notifies the storage
node of the event. Without loss of generality, suppose there is a membership
change in some attribute group (e.g., a user comes to hold or drop the attribute at some time
instance).
CHAPTER 4

SYSTEM IMPLEMENTATION

LIST OF MODULES

1 Network Architecture
2 Scheme Construction
3 Revocation
4 Key Update
5 Performance Comparison

MODULE DESCRIPTION

Network Architecture

Since the key authorities are semi-trusted, they should be deterred from accessing plaintext of the
data in the storage node; meanwhile, they should be still able to issue secret keys to users. In
order to realize this somewhat contradictory requirement, the central authority and the local
authorities engage in the arithmetic 2PC protocol with master secret keys of their own and issue
independent key components to users during the key issuing phase. The 2PC protocol prevents
them from knowing each other’s master secrets, so that none of them can generate the whole set
of secret keys of users individually. Thus, we assume that the central authority does
not collude with the local authorities (otherwise, they could recover the secret keys of every user
by sharing their master secrets).

Scheme Construction

Novel Clustering and Cluster Head Selection Strategy

In proposes a novel handshaking-mechanism-based clustering scheme. A novel concept called
‘bypass nodes’ is introduced to identify the appropriate cluster head in the clusters. The
clustering scheme helps to execute the EC2 approach in a distributed fashion so as to make the
approach more scalable in performance.
In CP-ABE, user secret key components consist of a single personalized key and multiple
attribute keys. The personalized key is uniquely determined for each user to prevent collusion
attack among users with different attributes. The proposed key generation protocol is composed
of the personal key generation followed by the attribute key generation protocols. It exploits
arithmetic secure 2PC protocol to eliminate the key escrow problem such that none of the
authorities can determine the whole key components of users individually. Personal Key
Generation: The central authority and each local authority are involved in the following
protocol. When a sender wants to deliver its confidential data, he defines the tree access structure
over the universe of attributes, encrypts the data under to enforce attribute-based access control
on the data, and stores it into the storage node. When a user receives the ciphertext from the
storage node, it decrypts the ciphertext with its secret key. The decryption algorithm is
recursive. We first define a recursive algorithm that takes as inputs a ciphertext, a private
key, which is associated with a set of attributes, and a node from the tree.

Revocation

We observed that it is impossible to revoke specific attribute keys of a user without rekeying the
whole set of key components of the user in ABE key structure since the whole key set of a user is
bound with the same random value in order to prevent any collusion attack. Therefore, revoking
a single attribute in the system requires all users who share the attribute to update all their key
components even if their other attributes are still valid. This seems very inefficient and
may cause severe overhead in terms of computation and communication cost, especially in
large-scale DTNs.

Key Update

The EC2 approach is divided into two sub-phases: the initialization phase and the activation
phase. The main objective of the initialization sub-phase is to identify efficient α-barrier disjoint
paths in the network. The objective of the activation sub-phase is to schedule an energy-efficient
α-barrier in each distinct time slot. On receipt of the membership change request for some
attribute groups, the authority notifies the storage node of the event. Without loss of generality,
suppose there is any membership change in (e.g., a user comes to hold or drop an attribute at some
time instance). The key update procedure is launched by sending a join or leave request for some
attribute group from a user who wants to hold or drop the attribute to the corresponding
authority.
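The attribute-group-key mechanism described in the Revocation and Key Update sections, as an added illustrative model that is not the project's own code: the storage node wraps the (here opaque) CP-ABE ciphertext once per attribute group in the access tree, the authority rotates a group key on every join or leave and delivers it only to current members, and a user peels the layers with the group keys it holds. The attribute names, user names, placeholder ciphertext and the toy HMAC-based layer cipher are constructed assumptions, not values from the report.

```python
import hmac, hashlib, itertools, os

def _xor(key, nonce, data):   # HMAC-SHA256 in counter mode as a toy keystream
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, msg):   # toy encrypt-then-MAC layer, a stand-in for a real AEAD
    body = (nonce := os.urandom(16)) + _xor(key, nonce, msg)   # fresh nonce per layer
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_(key, blob):   # None when the key does not fit this layer (wrong or stale key)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return _xor(key, body[:16], body[16:])

class Authority:   # owns attribute-group membership; rotates a group's key on every join/leave
    def __init__(self, attrs, wallets):
        self.members, self.keys = {a: set() for a in attrs}, {a: os.urandom(32) for a in attrs}
        self.wallets = wallets            # per-user key stores the authority delivers into
    def change(self, attr, user, join):
        (self.members[attr].add if join else self.members[attr].discard)(user)
        self.keys[attr] = os.urandom(32)  # fresh group key for the new membership
        for member in self.members[attr]: # only current (non-revoked) members receive it
            self.wallets[member][attr] = self.keys[attr]

def reencrypt(auth, cp_abe_ct, access_attrs):   # storage node: one layer per attribute group
    for a in access_attrs:
        cp_abe_ct = seal(auth.keys[a], cp_abe_ct)
    return cp_abe_ct

def retrieve(wallet, blob, access_attrs):   # user peels the layers; stale or missing key -> None
    for a in reversed(access_attrs):
        blob = blob and open_(wallet.get(a, b""), blob)
    return blob

def simulate():
    attrs = ["battalion1", "region1"]   # constructed access tree: battalion1 AND region1
    wallets = {"alice": {}, "bob": {}, "carol": {}}
    auth = Authority(attrs, wallets)
    for a, u in itertools.product(attrs, ("alice", "bob")):
        auth.change(a, u, True)
    ct = b"<CP-ABE ciphertext, opaque in this model>"   # constructed placeholder
    auth.change("region1", "bob", False)   # Bob loses region1: key rotates, Alice gets it
    blob = reencrypt(auth, ct, attrs)      # storage node re-encrypts under the new key
    alice_ok, bob_ok = (retrieve(wallets[u], blob, attrs) == ct for u in ("alice", "bob"))
    for a in attrs:                        # Carol joins later: blob predates her group keys
        auth.change(a, "carol", True)
    return alice_ok, bob_ok, retrieve(wallets["carol"], blob, attrs) == ct
```

`simulate()` returns (Alice can read, revoked Bob can read, later-joining Carol can read the earlier blob), i.e. (True, False, False): forward secrecy for Bob and backward secrecy for Carol.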

Performance Comparison

We first analyze and compare the efficiency of the proposed scheme to the previous multiauthority
CP-ABE schemes in theoretical aspects. Then, the efficiency of the proposed scheme is
demonstrated in the network simulation in terms of the communication cost. We also discuss its
efficiency when implemented with specific parameters and compare these results to those
obtained by the other schemes.

CHAPTER 5

EXPERIMENTAL RESULTS AND DISCUSSION

Both simulated and real data experiments are carried out to test the performance of the proposed
defocus blur estimation framework. In the local probability estimation step, we use square
windows with side length N = 41. Our default noise setting is σ_n^2 = 10^-4. The coherent blur maps
choose the blur radius r from the set {0, 0.1, 0.2, ..., 7.9, 8}. Our default parameter settings for the
coherent blur labeling are λ_0 = 20 and σ_λ = 0.1 (for intensities in the range [0, 1]). The settings for
the binary foreground/background segmentation problem are τ = 2, λ_0 = 1000 and σ_λ = 0.04.
Unless otherwise noted, the default parameter values are used. As can be seen in the results, the
default settings work well for nearly all the test images shown in this section. In fact, the only
parameter we varied in these experiments is the noise variance σ_n^2. In a few of the examples
presented here, we found it useful to set σ_n^2 = 10^-6 (very low noise).

SCREEN SHOTS

CHAPTER 6

CONCLUSION AND FUTURE WORK

CONCLUSION
DTN technologies are becoming successful solutions in military applications that allow wireless
devices to communicate with each other and access the confidential information reliably by
exploiting external storage nodes. CP-ABE is a scalable cryptographic solution to the access
control and secure data retrieval issues. In this paper, we proposed an efficient and secure data
retrieval method using CP-ABE for decentralized DTNs where multiple key authorities manage
their attributes independently. The inherent key escrow problem is resolved such that the
confidentiality of the stored data is guaranteed even under the hostile environment where key
authorities might be compromised or not fully trusted. In addition, the fine-grained key
revocation can be done for each attribute group. We demonstrate how to apply the proposed
mechanism to securely and efficiently manage the confidential data distributed in the disruption-
tolerant military network.

FUTURE WORK

Future research will also focus on TBSSM, which uses a unique stack-based process model that
gives security add-ons to the existing methods. It provides end-user security through attribute-
based encryption (ABE), by which we can pass the file and user attributes as a key during
encryption. It will also calculate the trust value of each user before providing any access to any
type of data.

REFERENCES

[1] J. Burgess, B. Gallagher, D. Jensen, and B. N. Levine, “MaxProp: Routing for vehicle-based disruption tolerant networks,” in Proc. IEEE INFOCOM, 2006, pp. 1–11.
[2] M. Chuah and P. Yang, “Node density-based adaptive routing scheme for disruption tolerant networks,” in Proc. IEEE MILCOM, 2006, pp. 1–6.
[3] M. M. B. Tariq, M. Ammar, and E. Zegura, “Message ferry route design for sparse ad hoc networks with mobile nodes,” in Proc. ACM MobiHoc, 2006, pp. 37–48.
[4] S. Roy and M. Chuah, “Secure data retrieval based on ciphertext policy attribute-based encryption (CP-ABE) system for the DTNs,” Lehigh CSE Tech. Rep., 2009.
[5] M. Chuah and P. Yang, “Performance evaluation of content-based information retrieval schemes for DTNs,” in Proc. IEEE MILCOM, 2007, pp. 1–7.
[6] M. Kallahalla, E. Riedel, R. Swaminathan, Q. Wang, and K. Fu, “Plutus: Scalable secure file sharing on untrusted storage,” in Proc. Conf. File Storage Technol., 2003, pp. 29–42.
[7] L. Ibraimi, M. Petkovic, S. Nikova, P. Hartel, and W. Jonker, “Mediated ciphertext-policy attribute-based encryption and its application,” in Proc. WISA, 2009, LNCS 5932, pp. 309–323.
[8] N. Chen, M. Gerla, D. Huang, and X. Hong, “Secure, selective group broadcast in vehicular networks using dynamic attribute based encryption,” in Proc. Ad Hoc Netw. Workshop, 2010, pp. 1–8.
[9] D. Huang and M. Verma, “ASPE: Attribute-based secure policy enforcement in vehicular ad hoc networks,” Ad Hoc Netw., vol. 7, no. 8, pp. 1526–1535, 2009.
[10] A. Lewko and B. Waters, “Decentralizing attribute-based encryption,” Cryptology ePrint Archive: Rep. 2010/351, 2010.
[11] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Proc. Eurocrypt, 2005, pp. 457–473.
[12] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proc. ACM Conf. Comput. Commun. Security, 2006, pp. 89–98.
[13] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proc. IEEE Symp. Security Privacy, 2007, pp. 321–334.
[14] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based encryption with non-monotonic access structures,” in Proc. ACM Conf. Comput. Commun. Security, 2007, pp. 195–203.
[15] S. Yu, C. Wang, K. Ren, and W. Lou, “Attribute based data sharing with attribute revocation,” in Proc. ASIACCS, 2010, pp. 261–270.
[16] A. Boldyreva, V. Goyal, and V. Kumar, “Identity-based encryption with efficient revocation,” in Proc. ACM Conf. Comput. Commun. Security, 2008, pp. 417–426.
[17] M. Pirretti, P. Traynor, P. McDaniel, and B. Waters, “Secure attribute based systems,” in Proc. ACM Conf. Comput. Commun. Security, 2006, pp. 99–112.
[18] S. Rafaeli and D. Hutchison, “A survey of key management for secure group communication,” Comput. Surv., vol. 35, no. 3, pp. 309–329, 2003.
[19] S. Mittra, “Iolus: A framework for scalable secure multicasting,” in Proc. ACM SIGCOMM, 1997, pp. 277–288.
[20] P. Golle, J. Staddon, M. Gagne, and P. Rasmussen, “A content-driven access control system,” in Proc. Symp. Identity Trust Internet, 2008, pp. 26–35.
[21] L. Cheung and C. Newport, “Provably secure ciphertext policy ABE,” in Proc. ACM Conf. Comput. Commun. Security, 2007, pp. 456–465.
[22] V. Goyal, A. Jain, O. Pandey, and A. Sahai, “Bounded ciphertext policy attribute-based encryption,” in Proc. ICALP, 2008, pp. 579–591.
[23] X. Liang, Z. Cao, H. Lin, and D. Xing, “Provably secure and efficient bounded ciphertext policy attribute based encryption,” in Proc. ASIACCS, 2009, pp. 343–352.
[24] M. Chase and S. S. M. Chow, “Improving privacy and security in multiauthority attribute-based encryption,” in Proc. ACM Conf. Comput. Commun. Security, 2009, pp. 121–130.
[25] M. Chase, “Multi-authority attribute based encryption,” in Proc. TCC, 2007, LNCS 4329, pp. 515–534.
