When implementing public key security ser-easy for an adversary to collect data and attack. To solve this vices in mobile ad hoc networks (MANETs), multiple problem, the distributed CA [1] is proposed, and the funccertificate authority (CA) servers are usually adopted to tionality of a single CA is distributed to a set of nodes by increase the security of the system, with each CA node secret sharing and threshold cryptography: the private key of holding only one share of the private key. To prevent an the CA is distributed to multiple entities, with each of them adversary from collecting a large enough number of holding one share of the secret, and the CA service is obshares over a long period of time to compromise the sys-tained by accessing a number of shares. This system can tem, the shares will be periodically updated. However, it only be compromised if a large enough number of the secret is not trivial how this update procedure can be done effi-shares have been obtained by an adversary from multiple ciently in a MANET. In this paper, we devise an efficient locations. Obviously, this method reduces the risk of single distributed secret key share update scheme for MANETs point of failure. However, an adversary can still recover the based on the cluster architecture. In our scheme, the secret by accumulating enough number of shares one by one secret shares are updated first by a small group of server after a long period of time. To tackle this problem, the pronodes. With the assistance of the cluster head in each active share update scheme [1], which periodically refreshes cluster, the updated servers then refresh the shares in the shares, has been proposed. Thus, if the adversary cannot the remaining servers. We evaluate our scheme by simu-recover all the secrets within a limited period, all its efforts lation and show that our scheme can expedite the share are voided by the share update. update process.The proactive share update is critical for maintaining the security of the distributed CA approach. However, effi-I. INTRODUCTION ciently performing the proactive share update scheme in MANET is non-trivial. Traditional share update schemes Public Key Infrastructure (PKI) has been considered as require all CAs to participate in the process and collect parthe foundation of providing security services in a mobile ad tial shares from all other CAs in order to generate new hoc network (MANET). For example, many secure routing shares. The communication cost is high, especially when the protocols, such as SRP [10], and ARAN [9], assume that number of CAs is large. It is not practical in MANETs. PKI has been established. In traditional PKI, each entity hasTo solve this problem, [2] made the first attempt to proa public and private key pair. There is a trusted-by-all cenpose a scalable update scheme, called the sequential share tralized authority, called Certificate Authority (CA), responupdate scheme. Their scheme is designed for a fully distribsible for key management. The CA has a public and private uted CA thresh...
