Research Article
Enhanced Key Management Protocols for Wireless Sensor Networks
1 School of Computer, Beijing University of Posts and Telecommunications, Beijing 100876, China
2 State Grid Metering Center, Beijing 100192, China
3 Department of Electronic Systems Engineering, Hanyang University, Ansan 426791, Republic of Korea
Correspondence should be addressed to Baojiang Cui; cuibjbupteducn
Received 29 August 2014; Accepted 1 September 2014
Academic Editor: David Taniar
Copyright © 2015 Baojiang Cui et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
With rapid development and extensive use of wireless sensor networks (WSNs), it is urgent to enhance the security for WSNs, in which key management is an effective way to protect WSNs from various attacks. However, different types of messages exchanged in WSNs typically have different security requirements, which cannot be satisfied by a single keying mechanism. In this study, a basic key management protocol is described for WSNs based on four kinds of keys, which can be derived from an initial master key, and an enhanced protocol is proposed based on Diffie-Hellman algorithm. The proposed scheme restricts the adverse security impact of a captured node to the rest of WSNs and meets the requirement of energy efficiency by supporting in-network processing. The master key protection, key revocation mechanism, and the authentication mechanism based on one-way hash function are, respectively, discussed. Finally, the performance of the proposed scheme is analyzed from the aspects of computational efficiency, storage requirement, and communication cost, and its antiattack capability in protecting WSNs is discussed under various attack models. In this paper, promising research directions are also discussed.
1. Introduction
Wireless sensor networks (WSNs) have been extensively used in various applications such as homeland security, battlefield surveillance, environmental monitoring, and health care. Through collection and processing of the sensing data from the coverage area, WSNs enable users to access detailed and reliable information at any time and any place, which is a ubiquitous sensing technology.
WSNs have two salient characteristics: (i) they use wireless communication, and anyone within the range of the network can attack it; (ii) they may be deployed in unattended environments or even hostile regions such as a battlefield, where they can be physically attacked or captured [1]. Thus, how to ensure the security of WSNs becomes a significant issue.
Security research on WSNs mainly focuses on key distribution, secure routing protocols, secure transmission, and security defense. Within this scope, using key management mechanisms to settle security issues in the wireless sensor network environment is the most crucial and challenging problem [2].
Although key management mechanisms in the cable network have been deeply studied, the research is still immature in WSNs [3] because of the limited communication bandwidth, computing, and storage capacity of sensor nodes and the unfixed infrastructure. There is also a contradiction between the maximum security performance and minimum resource consumption.
It is worth noting that, due to the resource limitations, asymmetric encryption algorithms are seldom applied to the sensor network, and most of the related works are based on symmetric key systems.
Although a number of classic protocols and schemes have been proposed for WSNs, many protocols, such as TEEN [4] and LEACH [5], concentrated on communication and processing technologies without paying enough attention to security issues.
In recent years, scholars have proposed more sophisticated protocols, which are mainly divided into two categories: predistribution schemes based on symmetric keys and key management schemes based on public keys.
Hindawi Publishing Corporation, Mobile Information Systems, Volume 2015, Article ID 627548, 10 pages, http://dx.doi.org/10.1155/2015/627548
Figure 1: Examples of in-network processing (panels (a) and (b), each with a base station).
Among the predistribution schemes, SPINS [6] is recognized as a classical secure protocol for WSNs. It consists of two modules: SNEP for data confidentiality, two-party data authentication, and data freshness, and μTESLA for authenticated broadcast. It provides security for the entire network based on a single key and is easy to implement, but the expansibility is limited.
To balance the security performance and resource consumption, random key predistribution schemes, polynomial key predistribution schemes, and key predistribution schemes based on deployment knowledge were subsequently proposed.
The E&G [7] scheme is one of the earliest random key predistribution schemes. It achieves the establishment of pairwise keys in WSNs for the first time based on the idea of preallocated key generation, solves the problem of unpredictable network topology, and provides probability-based security. After that, the proposed Q-composite scheme [8] improves the E&G scheme, based on multiple common keys to generate pairwise keys.
Though quite a lot of superior security protocols have been proposed recently, most of them have their own deficiencies. Park proposed a lightweight security protocol (LISP); it can tolerate packet loss, but the protocol cannot handle the node revocation problem. After that, SRDA [9] proposed a secure data aggregation protocol which takes integrity into consideration but ignores the confidentiality of the information. LDP [10] proposes a local key management protocol based on dynamic clusters. It effectively supports WSN secure data fusion but does not give an effective solution for revoking captured nodes and updating keys.
To avoid the above deficiencies, LEAP [11] establishes four kinds of keys and provides strong applicability and scalability but requires a huge amount of communication for key establishment and update. Furthermore, its security is heavily dependent on the initial secure time. ChengY's predistribution scheme [12] is based on clusters, with the advantages of good connectivity, network survivability, and low communication costs. However, the cost for rekeying is significant.
Based on previous studies, this paper proposes improved strategies to overcome some defects. In addition, how to apply the established keys to form security mechanisms to confront various kinds of attacks is described in detail.
2. Requirements of Sensor Networks
Many security requirements of WSNs are similar to those of traditional networks, such as data confidentiality, authentication, and integrity. What is more, a WSN should guarantee low energy consumption and high efficiency [13].
It has been shown in recent research that in-network data processing (shown in Figure 1), which mainly includes passive participation and data aggregation, is quite energy-efficient and should be widely employed.
The typical application of in-network processing is to divide the network into multiple clusters, where the cluster head node collects and aggregates information from its neighbors and delivers the summary directly to the base station to avoid redundant transmissions and save communication bandwidth.
Generally, the pairwise key performs better at achieving data confidentiality, authentication, and integrity in WSNs, whereas the cluster key or network-wide key is needed to achieve in-network data processing (shown in Figure 1) [14].
The particularity of WSNs requires the ability to resist physical attacks and capture. For example, once a node is compromised, the loss of its secret information should not threaten the remaining secure links. Moreover, a well-designed security mechanism should have capabilities of key revocation and update.
Therefore, it is fundamental to design a security mechanism which satisfies the above requirements in order to achieve the security of WSNs.
3. Prerequisite Knowledge
3.1. Notations. The notations used in this paper are given in the Notations section.
Note that, in order to simplify the representation in the following discussion, notations $A$ and $B$ are used to represent their node identifiers instead of $ID_A$ and $ID_B$.
In addition, since keys for various security uses can be derived from the same key $K$, such as $K_0 = f(K, 0)$ for authentication and $K_1 = f(K, 1)$ for encryption, we just say a message $M$ is authenticated or encrypted with $K$ instead of saying in detail.
(i) Given $x$, it is easy to compute $y$ using function $y = H(x)$.
(ii) Given $y$, it is difficult to compute $x$ from function $y = H(x)$.
(iii) Given $x$, it is difficult to find a $y$ meeting the condition that $y \neq x$ and $H(y) = H(x)$.
One-way hash chain is a sequence of the following hash values $x_m, x_{m-1}, \ldots, x_j, \ldots, x_1$ fulfilling the restriction $\{x_j \mid 0 < j \le m,\ x_{j-1} = H(x_j)\}$, where $x_m$ is a random selection of key seed. Due to the unidirectional feature, the one-way hash key chain is widely used in secure authentication. For example, when $x_1$ is given, it can be verified whether $x_i$ is an element of the one-way hash key chain sequence using the equation $x_1 = H^{i-1}(x_i)$.
Key Generation Function. Pseudorandom function $f$ is employed as the key generation function here for its high computational efficiency. When it is used in the key establishment process, the computational cost is negligible. Note that this function is stored in all the network nodes as well as the base station.
Diffie-Hellman Algorithm. Diffie-Hellman provides a method to ensure the safety of a shared key over insecure networks, and it is an integral part of the OAKLEY algorithm.
The ingenious point is that the two sides of a communication can use this method to determine a symmetric key, which can then be used for encryption and decryption. Note that the key exchange protocol can only be used for key exchange, without being able to encrypt and decrypt the messages [16].
Since the key exchange algorithm itself is usually limited to being used as key exchange technology in many commercial products, it is usually called Diffie-Hellman key exchange (abbreviated as the DH algorithm; key exchange based on the DH algorithm is also commonly referred to as DH exchange).
The purpose of this key exchange technique is to enable two users to achieve secure key exchange in order to ensure the encryption of subsequent packets. The effectiveness of the Diffie-Hellman key exchange algorithm relies on the difficulty of computing discrete logarithms [17]. In short, the discrete logarithm can be defined as follows.
First, define a primitive root of prime number $p$ as an integer whose powers generate all the integers from 1 to $p - 1$; that is, if $a$ is a primitive root of prime number $p$, the values of $a \bmod p, a^2 \bmod p, \ldots, a^{p-1} \bmod p$ are all different integers from 1 to $p - 1$ in a certain arrangement.
For an integer $b$ and a primitive root $a$ of prime number $p$, we can find the unique index $i$ making $b = a^i \bmod p$, where $0 \le i \le (p - 1)$; index $i$ is called the discrete logarithm, or exponent, of integer $b$ to the base $a$ modulo $p$.
Based on the definition and nature of the primitive root, the Diffie-Hellman key exchange algorithm is described as follows [18].
(1) There are two global parameters: prime number $p$ and integer $a$, where $a$ is a primitive root of $p$.
(2) Suppose users $A$ and $B$ wish to exchange a key. User $A$ selects a random number $X_A$ ($X_A < p$) as private key and calculates the public key $Y_A = a^{X_A} \bmod p$. User $A$ stores $X_A$ confidentially and makes $Y_A$ publicly available to user $B$. Similarly, user $B$ also selects a random number $X_B$ ($X_B < p$) as private key and calculates the public key $Y_B = a^{X_B} \bmod p$. User $B$ stores $X_B$ confidentially and makes $Y_B$ publicly available to user $A$.
(3) User $A$ calculates the shared secret key by $K = (Y_B)^{X_A} \bmod p$, and user $B$ similarly calculates the shared secret key $K$ by $K = (Y_A)^{X_B} \bmod p$.
Since
$$\begin{aligned} K &= (Y_B)^{X_A} \bmod p = (a^{X_B} \bmod p)^{X_A} \bmod p \\ &= a^{X_B X_A} \bmod p = (a^{X_A})^{X_B} \bmod p \\ &= (a^{X_A} \bmod p)^{X_B} \bmod p = (Y_A)^{X_B} \bmod p, \end{aligned} \tag{1}$$
the two sides have exchanged the same secret key $K$. Because $X_A$ and $X_B$ are confidential, an adversary can only use parameters $p$, $a$, $Y_A$, and $Y_B$. Thus, the adversary is forced to compute a discrete logarithm to determine the shared key $K$. The security of the Diffie-Hellman key exchange algorithm relies on the fact that, although computing exponentials modulo a prime number is relatively easy, computing discrete logarithms is very difficult. For large prime numbers, calculating the discrete logarithm is almost impossible.
3.3. Assumptions. Basic assumptions are as follows.
(i) Topology is unknown before the deployment of the nodes.
(ii) The sensor network is static (sensor nodes are not mobile) after deployment.
(iii) Sensor nodes have similar computational and communication capabilities.
(iv) Transmission power of nodes can be adjusted to control the propagation distance.
(v) The base station has enough energy supply and computing power.
(vi) The attacker has the ability to eavesdrop on all the channels as well as to replay former messages and inject malicious packets.
(vii) Once a node is captured, all the stored information will be obtained by the adversary.
(viii) Every node has enough space to store hundreds of bytes for key establishment materials.
(ix) Each node has some degree of ability to resist attack, and it will not be captured within a limited period of time.
4. Protocol Description
This section introduces the basic protocol in detail, including four kinds of secure key establishment mechanisms to satisfy various secure communication requirements and mechanisms for key erasure and update.
4.1. Overview. As discussed above, a single key mechanism cannot provide appropriate protection to all the required communication in WSNs. Moreover, the security performance and resource consumption have to be balanced when making use of different kinds of keys.
The degree of key sharing in the security mechanism has to be taken into consideration. For example, if unique pairwise keys are used for every two nodes in the WSN to guarantee secure communication, a node captured by an attacker will not reveal any security information of other normal nodes, which is ideal for preventing threats to the entire network. However, it requires significant communication bandwidth and energy resources, which is quite inefficient.
On the contrary, if only a network-wide key is used for authentication and encryption, no communication between nodes is required for establishment of additional keys, and the storage costs and energy consumption can also be minimized. However, the security will be extremely poor. Once any node in the system is captured by an attacker, the whole network is exposed to an enormous risk.
4.2. Key Establishment. In this section, the establishment of four kinds of keys is discussed in detail, as well as their characteristics and abilities to resist attacks.
4.2.1. Individual Key Establishment. The individual key is a unique key that each sensor node shares with the controller (the base station), which is used for individual authentication and secure communication assurance [19].
For example, the individual key can be used to encrypt sensitive information, such as special instructions and rekeying commands, exchanged between a sensor node and the base station. It can also be used for message authentication to get verification of the base station or other nodes.
Since every node in the network shares a unique individual key with the base station, it is neither practical nor efficient for the base station to store all these keys, especially when the network scale is very large. Thus, it is important to adopt a strategy to reduce the storage overhead, which can be achieved by the key generation function $f$.
First of all, it is assumed that each node holds the key establishment function $f$ and an initial key $K_I$, which is derived from the master key $K$ that is only possessed by the controller; all of them are preloaded in the nodes before the key establishment phase. The generation of the individual key for node $A$ (here $A$ indicates the unique ID of node $A$) is as follows:
$$K_A = f(K_I, A). \tag{2}$$
In the above, the function $f$ for key establishment is a pseudorandom function, and it is efficient enough to be used on sensor nodes.
Once the individual key is generated, the related node stores it within its life cycle. Since the base station has full knowledge of the initial key $K_I$ and the efficient establishment function $f$, the storage overhead for individual keys of each sensor node can be reduced.
4.2.2. Pairwise Key Establishment. Pairwise keys of a node indicate the keys shared with each of its direct neighbors, so the storage overhead of such keys for each node depends on the number of its neighbors [20, 21].
In this protocol, pairwise keys have a lot of uses. For example, a pairwise key can be used by a cluster head to encrypt the cluster key, which has to be transmitted to all of its neighbors, to secure its distribution. It is also a component to improve system security.
However, it will impede passive participation, which is important in saving communication energy, if such a key mechanism is employed individually. The initial pairwise key establishing process is shown in Figure 2.
The generation of pairwise keys for nodes $A$ and $B$ (here $A$ is assumed to be the node that calls for key establishment) is as follows.
Here, node $A$ broadcasts a nonce to all of its direct neighbors to request establishing a pairwise key without authenticating its identity, because if it cannot prove its own identity (namely, it does not own the individual key), it will fail to generate the pairwise key in the following steps:
$$K_{AB} = f(K_B, A). \tag{4}$$
Since node $A$ possesses both the key establishment function $f$ and the initial key $K_I$, it can compute $K_B$ independently and then obtain the pairwise key $K_{AB}$ as well.
Figure 2: Pairwise key establishing phase (nodes A and B, messages 1 and 2).
Note that each node has a timer which directs it to perform key erasure once it is sure that the pairwise key establishment is finished. This process is significant because all the nodes keep the network-wide initial key $K_I$ to help complete the establishments in the initial period, and once the relatively safe period has passed, there is a great risk that some nodes may be compromised.
So it is suggested that, after a reasonable length of time, the initial key $K_I$ and the neighbors' individual master keys stored in the node all be erased (but its own individual master key will always be held).
In this way, when almost all the pairwise keys are established successfully, no node will possess the necessary key-generating materials until there is a new group of nodes to be joined. The key erasure mechanism is so necessary that how to control the key erasing time is worth exploring, but it is not an emphasis of this paper.
In addition, it can also be seen from the above equation that, after the establishing time, namely, once the related key materials are erased, if node $A$ is compromised by an attacker and an $A'$ broadcasts a nonce for establishing pairwise keys, it cannot succeed due to such an establishment mechanism.
But once the attacker uses $A'$ to take a passive joining strategy, the responding node $A'$ will generate the pairwise key with $B$ (here $B$ is one of a new batch of joining nodes that is asking to establish pairwise keys with its neighbors, including $A'$) as follows: $K_{BA'} = f(K_{A'}, B)$, and then the attacker will be able to inject erroneous packets into the network at will.
For the new added nodes an alternative is proposed to
Here, $A$ is a new node who calls for establishing a pairwise key with its neighbor $B$. Here, $B$ is an older node that has generated all its own pairwise keys and erased the initial key $K_I$, which makes it unable to generate new pairwise keys.
If $B$ wants to verify the identity of node $A$, the most credible way is asking for the help of the base station.
However, reducing the use of the base station is an important goal here, and the improvement is worth further exploring.
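The individual and pairwise key derivations of equations (2) and (4), together with the erasure of $K_I$, are traced in the following added example (not code from the paper). It assumes HMAC-SHA256 as the pseudorandom function $f$ and a constructed master key; the class and function names are hypothetical.

```python
import hashlib
import hmac

def f(key: bytes, data: bytes) -> bytes:
    """Key generation function f. Assumption: HMAC-SHA256 stands in for the paper's PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()

class BaseStation:
    def __init__(self, master_key: bytes):
        # K_I is derived from the master key K; the derivation label is an assumption.
        self.k_i = f(master_key, b"initial-key")

    def individual_key(self, node_id: bytes) -> bytes:
        # Recomputed on demand from K_I, so no per-node key table is stored.
        return f(self.k_i, node_id)                      # eq. (2)

class Node:
    def __init__(self, node_id: bytes, k_i: bytes):
        self.node_id = node_id
        self.k_i = k_i                                   # preloaded, erased by the timer
        self.k_self = f(k_i, node_id)                    # individual key, kept for life
        self.pairwise = {}

    def initiate(self, neighbor_id: bytes) -> None:
        """Initiator A: K_B = f(K_I, B), then K_AB = f(K_B, A) (eq. 4)."""
        if self.k_i is None:
            raise PermissionError("K_I erased: cannot initiate")
        k_b = f(self.k_i, neighbor_id)                   # neighbor's key, not retained
        self.pairwise[neighbor_id] = f(k_b, self.node_id)

    def respond(self, initiator_id: bytes) -> None:
        """Responder B: K_AB = f(K_B, A) from its own key; K_I is not needed."""
        self.pairwise[initiator_id] = f(self.k_self, initiator_id)

    def erase_initial_key(self) -> None:
        # Dropping the reference only models erasure; firmware must overwrite the storage.
        self.k_i = None

def exposed_by_capture(node: Node, base_station: BaseStation, ids) -> set:
    """IDs whose individual key can be recomputed from a captured node's stored state."""
    exposed = {node.node_id}                             # its own key is always stored
    if node.k_i is not None:
        exposed |= {i for i in ids
                    if f(node.k_i, i) == base_station.individual_key(i)}
    return exposed

def demo() -> dict:
    bs = BaseStation(hashlib.sha256(b"constructed master key K").digest())
    ids = [b"A", b"B", b"C"]
    a, b = Node(b"A", bs.k_i), Node(b"B", bs.k_i)
    a.initiate(b"B")
    b.respond(b"A")
    before = exposed_by_capture(a, bs, ids)              # capture inside the initial period
    a.erase_initial_key()
    b.erase_initial_key()
    after = exposed_by_capture(a, bs, ids)               # capture after erasure
    # A node of a later batch still holds K_I; old node A can answer it but not initiate.
    c = Node(b"C", bs.k_i)
    c.initiate(b"A")
    a.respond(b"C")
    try:
        a.initiate(b"C")
        old_can_initiate = True
    except PermissionError:
        old_can_initiate = False
    return {
        "pairwise_match": a.pairwise[b"B"] == b.pairwise[b"A"],
        "exposed_before_erasure": before,
        "exposed_after_erasure": after,
        "late_join_match": c.pairwise[b"A"] == a.pairwise[b"C"],
        "old_can_initiate": old_can_initiate,
    }

if __name__ == "__main__":
    print(demo())
```

The result shows why the erasure timer matters: a node captured while it still stores $K_I$ exposes every individual key, while a node captured afterwards exposes only its own and can join new pairings only as a responder.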
4.2.3. Cluster Key Establishment. The cluster key is a key generated by an elected cluster head and shared with its neighbors, and it is mainly used for encrypting local broadcast packets. Its most significant advantage is that it enables in-network processing such as passive participation and data aggregation, which cannot be supported by the pairwise key but can save energy consumption efficiently.
This key establishing process is as follows.
Here, node $A$ is the elected cluster head and $B_i$ represents one of its immediate neighbors $B_1, B_2, \ldots, B_n$ ($1 \le i \le n$). Cluster head $A$ first generates a key $K_A^{C}$ randomly, encrypts it with its pairwise keys, and then sends it to each neighbor $B_i$. Node $B_i$ then decrypts the cluster key and stores $K_A^{C}$ in a table.
When any neighbor of $A$ is revoked, which means there will be a risk in continuing to use the old cluster key, cluster head $A$ regenerates and transmits the new key $K_A^{C\prime}$ in the same way.
Cluster division and cluster head selection approaches are also worthy of discussion, but they are not an emphasis of this paper. A simple mesh division method, based on the virtual cluster idea, is shown in Figure 3.
4.2.4. Group Key Establishment. The group key $K_g$ is used for encrypting messages that need to be broadcast to the whole group. Note that, different from the above situations, the key point here is no longer about key establishment or encrypting schemes, because there is only one group key shared among the entire network; meanwhile, it does not make sense to encrypt a broadcast message using the master key of each sensor node separately.
It is also because there is only one group key shared among sensor nodes that, once a compromised node is revoked, the rekeying and updating mechanism becomes important.
Figure 3: Mesh division method (legend: cluster head, active node, base station).
μTESLA [22] is a widely employed protocol due to its high efficiency and perfect tolerance for packet loss. A one-way hash function $H$ is used here to help achieve the process. Firstly, the controller generates a random seed $k_m$ and uses the function $H$ to get a sequence of the following hash values $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ that meets the restriction $\{k_j \mid 0 < j \le m,\ k_{j-1} = H(k_j)\}$.
Then preload this key chain $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ in the base station and use delayed key disclosure to achieve message authentication. Let $A$ be the revoked node and $K'_g$ the new group key; the process is as follows:
$$\text{Base station} \rightarrow *:\ A,\ f(K'_g, 0),\ \mathrm{MAC}_{k_j}(A \mid f(K'_g, 0)). \tag{8}$$
When the verification is done, all the nodes will remove the related information of node $A$ and store the new group key $K'_g$ in the table.
Note that the initial group key $K_g$ is preloaded in all the sensor nodes before their deployment, like the initial key $K_I$, but we cannot take $K_I$ also as the group key because it will be erased in a very short time after the pairwise key establishment. The key used for deriving related keys must be protected separately from normal ones.
Figure 4 simply illustrates the authentication mechanism:
$$k_{j-1} = H(k_j). \tag{9}$$
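The one-way hash chain of Section 3 and its use for authenticating the revocation broadcast (8) are worked through in the following added example (not code from the paper). It assumes SHA-256 for $H$, HMAC-SHA256 for both $f$ and the MAC, nodes preloaded with the commitment $k_0 = H(k_1)$, and constructed seed and key values. The rule of dropping a packet whose MAC key has already been disclosed comes from μTESLA itself, and delivery of $K'_g$ is outside the example.

```python
import hashlib
import hmac

def H(x: bytes) -> bytes:
    """One-way hash function H. Assumption: SHA-256."""
    return hashlib.sha256(x).digest()

def prf(key: bytes, msg: bytes) -> bytes:
    """Used for both f(., 0) and MAC_k(.). Assumption: HMAC-SHA256."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_chain(seed: bytes, m: int) -> list:
    """Return [k_0, ..., k_m] with k_m = seed and k_{j-1} = H(k_j)."""
    chain = [seed]
    for _ in range(m):
        chain.append(H(chain[-1]))
    return chain[::-1]

def revocation(chain: list, j: int, revoked_id: bytes, new_group_key: bytes):
    """Base station side of message (8): A, f(K'_g, 0), MAC_{k_j}(A | f(K'_g, 0))."""
    verifier = prf(new_group_key, b"\x00")
    return j, revoked_id, verifier, prf(chain[j], revoked_id + b"|" + verifier)

class SensorNode:
    def __init__(self, commitment: bytes, neighbors):
        self.last_key, self.last_index = commitment, 0   # preloaded k_0 (assumption)
        self.neighbors = set(neighbors)
        self.verifier = None                             # f(K'_g, 0) once authenticated
        self.pending = []                                # packets awaiting key disclosure

    def on_revocation(self, msg) -> bool:
        # A MAC under an already disclosed key proves nothing, so the packet is dropped.
        if msg[0] <= self.last_index:
            return False
        self.pending.append(msg)
        return True

    def on_key_disclosure(self, j: int, k_j: bytes) -> list:
        """Check H^(j-last)(k_j) == last authentic key, then verify buffered MACs."""
        if j <= self.last_index:
            return []
        x = k_j
        for _ in range(j - self.last_index):
            x = H(x)
        if not hmac.compare_digest(x, self.last_key):
            return []                                    # not on the chain: ignore
        accepted, keep = [], []
        for pj, rid, verifier, tag in self.pending:
            if pj > j:
                keep.append((pj, rid, verifier, tag))
                continue
            k = k_j
            for _ in range(j - pj):                      # derive k_pj if its disclosure was lost
                k = H(k)
            if hmac.compare_digest(tag, prf(k, rid + b"|" + verifier)):
                self.neighbors.discard(rid)
                self.verifier = verifier
                accepted.append(rid)
        self.pending, self.last_key, self.last_index = keep, k_j, j
        return accepted

    def accept_group_key(self, candidate: bytes) -> bool:
        """Accept K'_g only if it matches the authenticated verifier f(K'_g, 0)."""
        return (self.verifier is not None and
                hmac.compare_digest(prf(candidate, b"\x00"), self.verifier))

def run_demo() -> dict:
    chain = make_chain(hashlib.sha256(b"constructed seed k_m").digest(), 5)
    new_kg = hashlib.sha256(b"constructed new group key").digest()
    node = SensorNode(chain[0], {b"A", b"B"})
    buffered = node.on_revocation(revocation(chain, 2, b"A", new_kg))
    off_chain = node.on_key_disclosure(3, b"\x00" * 32)  # value that is not on the chain
    accepted = node.on_key_disclosure(3, chain[3])       # disclosures of k_1, k_2 were lost
    # Once k_2 is derivable from public k_3, a packet MACed under it is refused.
    late = node.on_revocation(revocation(chain, 2, b"B", new_kg))
    return {"buffered": buffered, "off_chain": off_chain, "accepted": accepted,
            "late": late, "neighbors": node.neighbors,
            "new_key_ok": node.accept_group_key(new_kg),
            "wrong_key_ok": node.accept_group_key(b"\x01" * 32)}

if __name__ == "__main__":
    print(run_demo())
```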
5. Enhanced Protocol
5.1. Requirements Analysis. The design of the basic scheme presented in the previous section is motivated by the observation that a single keying mechanism is not suitable for meeting all the security requirements of different types of exchanged messages.
Figure 4: Using the one-way hash function for source authentication (keys K1 to K5 and packets p1 to p6 along a time axis).
The advantage of this scheme is that a captured node does not threaten the safety of the other nodes, provided the master key $K$ is absolutely safe in the time interval $T_{\min}$.
During the time interval $T_{\min}$, all the nodes of the WSN hold the general master key $K$, and we note that this scheme cannot provide confidentiality when a node is compromised in $T_{\min}$. By using the stolen information, such as the master key $K$, an attacker can easily derive the master keys of all the remaining normal nodes that are deployed in the same time interval, as well as negotiate new pairwise keys with normal nodes in any region, which means that once a node is compromised in time interval $T_{\min}$, the security of the entire network is in extreme danger.
5.2. Enhanced Scheme. The improved scheme is based on the Diffie-Hellman algorithm presented above: prior to deployment of the network, each node prestores the large prime number $p$ and its primitive root $a$ instead of the initial key $K_I$, which is derived from the master key $K$.
Note that the generation of the individual key for node $A$ is still the same:
$$K_A = f(K_I, A). \tag{10}$$
Different from the basic scheme, this process is completed once the node is deployed; after that, the information of the initial key $K_I$ is deleted. Thus, the attacker cannot get any information about the initial key $K_I$ or the master key $K$ even if the node is compromised during the working period.
Since the node no longer keeps the initial key $K_I$, which is required to participate in the relevant calculations (function) in the pairwise key generating process, the basic scheme cannot be achieved. For this situation, the following improvements are made.
Give a key evolution function $h$ to each node. Taking nodes $A$ and $B$ as examples,
$$X_A = h(A \mid K_A) \bmod p, \qquad X_B = h(B \mid K_B) \bmod p. \tag{11}$$
Then calculate the public message:
$$Y_A = a^{X_A} \bmod p, \qquad Y_B = a^{X_B} \bmod p. \tag{12}$$
The pairwise key generation process is as follows:
$$A \rightarrow *:\ \mathrm{Nonce}_A,\ Y_A; \qquad B \rightarrow A:\ \mathrm{MAC}_{K_{AB}}(B \mid Y_B),\ B,\ Y_B. \tag{13}$$
Here, node $A$ broadcasts a nonce to all its direct neighbors to ask to establish pairwise keys and broadcasts the public message $Y_A$ at the same time. When its neighbor (take node $B$ for example) receives the message, it first verifies the legitimacy of $Y_A$ and then calculates the pairwise key using the following function:
$$K_{AB} = (Y_A)^{X_B} \bmod p. \tag{14}$$
After that, node $B$ sends messages $B$ and $Y_B$ back to the asking node $A$ and sends a message $\mathrm{MAC}_{K_{AB}}(B \mid Y_B)$ to authenticate its identity. If node $B$ cannot respond to node $A$ in this way, it means node $B$ cannot get $K_{AB}$ by only making use of $Y_A$; node $B$ is then considered untrusted. In addition, node $A$ does not need to send an authenticating message back to node $B$, because if it cannot prove its own identity (namely, it cannot get $K_{AB}$ by only making use of $Y_B$), it will fail to generate the pairwise key $K_{AB}$.
Compared with the basic protocol, the most obvious improvement of the enhanced protocol is that it makes use of the Diffie-Hellman algorithm to generate pairwise keys instead of storing the initial key $K_I$ for a certain period of time. Thus, even if a node is compromised in $T_{\min}$, the attacker can merely get the key information related to the compromised node, which means only limited security threats can be caused, avoiding the disruption of the entire network caused by losing the initial key $K_I$. Despite the slight increment in computational overhead, the security of the WSN is greatly improved.
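The exchange of equations (11) to (14), with both sides' messages, is shown in the following added example (not code from the paper). It assumes SHA-256 for $h$, HMAC-SHA256 for the MAC, constructed individual keys, a range check as the "legitimacy" test on a received public value, and a demo-sized group $(p, a)$ generated at run time in place of the large prestored parameters; `sender_id` stands for the link-layer source address.

```python
import hashlib
import hmac

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Miller-Rabin; these 12 bases are deterministic far beyond the 65-bit demo size."""
    if n < 2:
        return False
    for q in _BASES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for base in _BASES:
        x = pow(base, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_group(bits: int = 64):
    """Demo-sized stand-in for the prestored (p, a): safe prime p = 2q + 1, primitive root a."""
    q = (1 << (bits - 1)) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p, a = 2 * q + 1, 2
    # p - 1 = 2q, so a is a primitive root iff a^2 != 1 and a^q != 1 (mod p).
    while pow(a, 2, p) == 1 or pow(a, q, p) == 1:
        a += 1
    return p, a

def h(data: bytes) -> int:
    """Key evolution function h. Assumption: SHA-256 read as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def enc(n: int, p: int) -> bytes:
    return n.to_bytes((p.bit_length() + 7) // 8, "big")

class Node:
    def __init__(self, node_id: bytes, individual_key: bytes, p: int, a: int):
        self.id, self.p = node_id, p
        self.x = h(node_id + b"|" + individual_key) % p  # eq. (11), never transmitted
        self.y = pow(a, self.x, p)                       # eq. (12), broadcast
        self.pairwise = {}

    def shared(self, peer_y: int) -> bytes:
        return enc(pow(peer_y, self.x, self.p), self.p)  # eq. (14)

    def request(self, nonce: bytes):
        return nonce, self.y                             # A -> *: Nonce_A, Y_A

    def respond(self, sender_id: bytes, request):
        _nonce, y_a = request       # per eq. (13) the nonce is carried but not MACed
        if not 1 < y_a < self.p - 1:
            raise ValueError("degenerate public value")
        k = self.shared(y_a)
        self.pairwise[sender_id] = k
        return mac(k, self.id + b"|" + enc(self.y, self.p)), self.id, self.y

    def finish(self, response) -> bool:
        tag, b_id, y_b = response   # B -> A: MAC_{K_AB}(B | Y_B), B, Y_B
        if not 1 < y_b < self.p - 1:
            return False
        k = self.shared(y_b)
        if not hmac.compare_digest(tag, mac(k, b_id + b"|" + enc(y_b, self.p))):
            return False
        self.pairwise[b_id] = k
        return True

GROUP = demo_group()

def run_exchange() -> dict:
    p, a = GROUP
    # Constructed individual keys standing in for K_A = f(K_I, A) and so on.
    keys = {i: hashlib.sha256(b"constructed individual key " + i).digest()
            for i in (b"A", b"B", b"C")}
    node_a, node_b, node_c = (Node(i, keys[i], p, a) for i in (b"A", b"B", b"C"))
    resp = node_b.respond(b"A", node_a.request(b"nonce-1"))
    tag, b_id, y_b = resp
    tampered_rejected = not node_a.finish((tag, b_id, (y_b * 2) % p))  # Y_B altered
    accepted = node_a.finish(resp)
    k_ab = node_a.pairwise[b"B"]
    # A captured node C holds only X_C; combining it with observed Y_A or Y_B misses K_AB.
    outsider = k_ab in (node_c.shared(node_a.y), node_c.shared(node_b.y))
    return {"tampered_rejected": tampered_rejected, "accepted": accepted,
            "keys_match": k_ab == node_b.pairwise[b"A"], "outsider_has_k_ab": outsider}

if __name__ == "__main__":
    print(run_exchange())
```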
6. Performance Evaluation
The ability of the protocol to fight against various kinds of attacks is discussed in detail in the above sections. This section analyzes the storage requirement and energy efficiency.
6.1. Storage Requirement. In the basic protocol, a node needs to store four types of keys. Considering a node with $m$ neighbors in the WSN, it needs to store one individual key, $m$ cluster keys, $m$ pairwise keys, and one group key. In the enhanced protocol, each node stores the same number of keys as the basic protocol.
When the key establishment is complete in a network with a scale of $N$, there is an upper limit on the number of keys to be stored in the nodes, including $N$ individual keys, $C(N, 2)$ pairwise keys, $N/2$ cluster keys, and $N$ group keys (though there is only one group key in a certain period), which add up to $(5/2)N + (N/2)(N - 2) = (N^2 + 3N)/2$, and the average for each node is $5/2 + (N - 1)/2(N - 2) = N/2 + 2$.
Note that the communication distance of a sensor node is limited, so the network will not reach the high complexity in which every two nodes are connected.
In addition, using an efficient clustering method can reduce the number of required cluster keys, and the real storage complexity is much smaller.
Although memory is quite a scarce resource for the current generation of nodes in WSNs, for a reasonable degree, storage is not an issue in our protocol. For example, 100 keys take 800 bytes in total when the key size is 8 bytes.
6.2. Communication Cost. In this paper, the average communication cost increases with the connection degree of a sensor network and decreases with the network size $N$. Efficient preloaded functions are widely used, which greatly reduces the message exchanges in the key establishing phase so as to save communication cost. What is more, the use of the located cluster key enables in-network data processing, which also helps achieve communication and energy efficiency.
It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.
6.3. Computational Cost. Functions used in the proposed protocols are all of high computational efficiency. For example, pseudorandom function $f$ is employed as the key generation function, and the computational cost is negligible when it is used in the key establishment process. In the enhanced protocol, although the computational cost is slightly increased by using the Diffie-Hellman algorithm, we believe that the computational overhead is applicable for a network of reasonable density in our protocols. For example, for a WSN of size $N = 1000$ and connection degree of 20, the average computational cost is 27 symmetric key operations per node per revocation, and a larger $N$ will reduce the cost further.
Overall, we conclude that the protocols proposed in this study are scalable and efficient enough in storage, communication, and computation.
7. Security Analysis
This section analyzes the security of the key management protocols. The survivability of the network is discussed for the case where undetected compromised nodes occur, and the robustness of the proposed schemes in defending against various attacks is studied.
7.1. Survivability. Once a sensor node $A$ is compromised, the adversary can launch attacks by utilizing the keying materials of node $A$. If the threat is detected somehow, the protocols can revoke node $A$ efficiently and update the information of nodes quickly throughout the whole network. Basically, each neighbor of the compromised node $A$ could delete its pairwise key shared with node $A$ as well as update the cluster key. The group key could also be updated efficiently by making use of the μTESLA mechanism. When the revocation is completed, the adversary cannot launch further attacks.
However, security detection in WSNs is more difficult than in other systems, since sensor systems are often deployed in unattended environments. Thus, the survivability of the network is one of the most important security requirements when compromised nodes are not detected.
Firstly, because the individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.
Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which can be used by the attacker to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study, the attacker usually has to achieve such attacks by making use of the identity of the captured node.
Note that a salient feature of the proposed protocols is the ability to localize possible threats, because after the deployment of the network and the pairwise key establishing phase every node keeps a list of trusted neighbor nodes. As a compromised node and its copy nodes cannot establish trust relationships with other nodes except its neighbors, the attacker can only damage secure links within a limited range.
Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. The broadcast messages, by their nature, are intended to be received by all the nodes in the network. Thus, compromising any single node is enough to possess this message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the μTESLA mechanism.
7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.
An inside attacker may attempt to alter and replay routing information to make routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.
In this paper, the schemes cannot protect the WSNs from such attacks; however, the schemes can hinder or minimize the consequences caused by such attacks.
First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.
Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching such attacks. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible, since the related sending node may overhear the forwarded messages altered by the captured node.
Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.
The proposed protocol can protect WSNs from the following attacks.
Sybil Attacks. In Sybil attacks, the attacker may replicate the captured node and deploy multiple replicas into the original network. With the help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen for the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.
HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network by increasing the transmission power to be high enough to make all the nodes convinced that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and some other packets in vain. However, it cannot succeed in the proposed protocols, because the attacker does not have a network-wide key for authentication.
It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages to the entire network from the base station.
7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.
In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in WSNs.
In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, so as to create a sinkhole. Moreover, nodes which are multiple hops away may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch a wormhole attack, such an attack is very powerful in practice [24].
In the proposed protocols, an outside attacker cannot succeed in launching a wormhole attack except in the neighbor discovery process, since a node will know all its neighbor nodes after the pairwise key is established, which means the attacker cannot convince two distant nodes to believe that they are neighbors of each other.
Because the time of the neighbor discovery process is very short (usually for seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors when the neighbor discovery phase is finished. The authenticated neighborhood information is critical to deal with the wormhole attacks.
In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station turns smaller, node $B$ will be especially attractive to surrounding nodes. In practice, the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and then sensor nodes will know the approximate number of hops from the base station. Thus, it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.
7.4. Conclusion. This paper proposes a basic key management protocol based on initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.
To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.
The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to the original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.
This paper presents a proposal for key establishment and achieves security mainly based on the combined application of four kinds of keys. This is a critical step, and how to use such keys to build a protection mechanism is a focus of our future research.
Notations
$N$: The number of nodes in the network
$A$, $B$: Two communicating nodes in the network (also represents the node identifier)
$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$
$H(K)$: One-way hash function to generate a chain of keys using the seed $K$
$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$
$K$: The master key only possessed by base station
$K_A$: Individual key of node $A$
$E_K(m)$: Encryption of message $m$ with a symmetric key $K$
$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$
$A \to B: M$: Node $A$ sends a message $M$ to node $B$
$A \to *: M$: Node $A$ sends a local broadcast message $M$ to all its neighbors
$h(m)$: Calculate hash value of message $m$
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).
References
[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "Wireless sensor networks: a survey," Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.
[2] X. He, M. Niedermeier, and H. de Meer, "Dynamic key management in wireless sensor networks: a survey," Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.
[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, "A unified security framework with three key management schemes for wireless sensor networks," Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.
[4] C. Intanaonwiwat, R. Govindan, and D. Estrin, "Directed diffusion: a scalable and robust communication paradigm for sensor networks," in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.
[5] A. Manjeshwar and D. P. Agrawal, "TEEN: a routing protocol for enhanced efficiency in wireless sensor networks," in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS '01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.
[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom '01), pp. 189–199, Rome, Italy, July 2001.
[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.
[8] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.
[9] H. O. Sanli, S. Ozdemir, and H. Cam, "SRDA: secure reference-based data aggregation protocol for wireless sensor networks," in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC '04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.
[10] T. Dimitriou and I. Krontiris, "A localized distributed protocol for secure information exchange in sensor networks," in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), pp. 37–45, IEEE, April 2005.
[11] S. Zhu, S. Setia, and S. Jajodia, "LEAP: efficient security mechanisms for large-scale distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 62–72, ACM, New York, NY, USA, October 2003.
[12] J. Shen and L. Xu, "Cluster-based key pre-distribution scheme for wireless sensor networks," Journal of Wuhan University, Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).
[13] X. Huang, M. Yang, and S.-S. Lv, "Secure and efficient key management protocol for wireless sensor network and simulation," Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.
[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security - ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS '12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.
[15] L.-C. Li, J.-H. Li, and J. Pan, "Self-healing group key management scheme with revocation capability for wireless sensor networks," Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.
[16] Z. Ming, W. Suo-ping, and X. He, "Dynamic key management scheme for wireless sensor networks based on cluster," Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.
[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, "Transitory initial key-based key management protocol in wireless sensor networks," Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.
[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, "A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE802.16e wireless networks," Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.
[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, "Fine-grained access control system based on outsourced attribute-based encryption," in Computer Security - ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013, Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.
[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, "Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach," in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP '03), pp. 326–335, Atlanta, Ga, USA, November 2003.
[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, Washington, DC, USA, October 2003.
[22] D. Liu and P. Ning, "Multi-level μTESLA: broadcast authentication for distributed sensor networks," ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.
[23] J. Li, Q. Wang, C. Wang, and K. Ren, "Enhancing attribute-based encryption with attribute hierarchy," Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.
[24] Y. S. Lee, J. W. Park, and L. Barolli, "A localization algorithm based on AOA for ad-hoc sensor networks," Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.
Among the predistribution schemes, SPINS [6] is recognized as a classical secure protocol for WSNs. It consists of two modules: SNEP, for data confidentiality, two-party data authentication, and data freshness, and μTESLA, for authenticated broadcast. It provides security for the entire network based on a single key and is easy to implement, but the expansibility is limited.
To balance the security performance and resource consumption, random key predistribution schemes, polynomial key predistribution schemes, and key predistribution schemes based on deployment knowledge were subsequently proposed.
The E&G [7] scheme is one of the earliest random key predistribution schemes. It achieves the establishment of pairwise keys in WSNs for the first time based on the idea of preallocated key generation, solves the problem of unpredictable network topology, and provides a probability-based security. After that, the proposed Q-composite scheme [8] improves the E&G scheme based on multicommon keys to generate pairwise keys.
Though quite a lot of superior security protocols have been proposed recently, most of them have their own deficiencies. Park proposed a lightweight security protocol (LISP); it can tolerate packet loss, but the protocol cannot handle the node revocation problem. After that, SRDA [9] proposed a secure data aggregation protocol which takes the integrity into consideration but ignores the confidentiality of the information. LDP [10] proposes a local key management protocol based on dynamic clusters. It effectively supports the WSN security data fusion but does not give an effective solution for revoking captured nodes and updating keys.
To avoid the above deficiencies, LEAP [11] establishes four kinds of keys and provides strong application and scalability but requires a huge amount of communication for key establishment and update. Furthermore, its security is heavily dependent on the initial secure time. ChengY's predistribution scheme [12] is based on clusters, with the advantages of good connectivity, network survivability, and low communication costs. However, the cost for rekeying is significant.
Based on previous studies, this paper proposes improved strategies to overcome some defects. In addition, how to apply the established keys to form security mechanisms to confront kinds of attacks is described in detail.
2. Requirements of Sensor Networks
Many security requirements of WSNs are similar to those of traditional networks, such as data confidentiality, authentication, and integrity. What is more, a WSN should guarantee low energy consumption and high efficiency [13].
It is proved in recent research that in-network data processing (shown in Figure 1), which mainly includes passive participation and data aggregation, is quite energy-efficient and should be widely employed.
The typical application of in-network processing is to divide the network into multiple clusters, where the cluster head node collects and aggregates information from its neighbors and delivers the summary directly to the base station to avoid redundant transmissions and save communication bandwidth.
Generally, the pairwise key performs better in achieving data confidentiality, authentication, and integrity of WSNs, whereas the cluster key or network-wide key is needed to achieve in-network data processing (shown in Figure 1) [14].
The particularity of the WSNs requires the ability to resist physical attacks and trapping. For example, once a node is compromised, the loss of secret information does not threaten the remaining security links. Moreover, a well-designed security mechanism should have capabilities of key revocation and update.
Therefore, it is fundamental to design a security mechanism which satisfies the above requirements in order to achieve the security of WSNs.
3. Prerequisite Knowledge
3.1. Notations. The notations used in this paper are given in the Notations section.
Note that, in order to simplify the representation in the following discussion, notations $A$ and $B$ are used to represent their node identifiers instead of $\mathrm{ID}_A$ and $\mathrm{ID}_B$.
In addition, since keys for various security uses can be derived from the same key $K$, such as $K_0 = f(K, 0)$ for authentication and $K_1 = f(K, 1)$ for encryption, we just say a message $M$ is authenticated or encrypted with $K$ instead of saying it in detail.
(i) Given $x$, it is easy to compute $y$ using function $y = H(x)$.
(ii) Given $y$, it is difficult to compute $x$ from function $y = H(x)$.
(iii) Given $x$, it is difficult to find a $y$ meeting the condition that $y \neq x$ and $H(y) = H(x)$.
One-way hash chain is a sequence of the following hash values $x_m, x_{m-1}, \ldots, x_j, \ldots, x_1$ fulfilling the restriction $x_j \mid 0 < j \le m$, $x_{j-1} = H(x_j)$, where $x_m$ is a random selection of key seed. Due to the unidirectional feature, the one-way hash key chain is widely used in secure authentication. For example, when $x_1$ is given, it can be verified whether $x_i$ is an element of the one-way hash key chain sequence using the equation $x_1 = H^{i-1}(x_i)$.
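The chain construction and the check $x_1 = H^{i-1}(x_i)$ can be exercised with the following added example, which is not code from the paper. SHA-256 standing in for $H$, the `ChainVerifier` class, and its `max_skip` bound are assumptions of the example; the class shows how a receiver that missed some elements still authenticates a later one by hashing back only to the newest element it has already accepted.

```python
import hashlib
import hmac


def H(x):
    """One-way hash function H (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(x).digest()


def make_chain(seed, m):
    """Return [x_1, ..., x_m] where x_m = seed and x_{j-1} = H(x_j)."""
    if m < 1:
        raise ValueError("chain length m must be at least 1")
    chain = [seed]
    for _ in range(m - 1):
        chain.append(H(chain[-1]))
    chain.reverse()              # chain[j - 1] now holds x_j
    return chain


def is_chain_element(x1, x_i, i):
    """The check from the text: x_1 == H^{i-1}(x_i)."""
    if i < 1:
        return False
    value = x_i
    for _ in range(i - 1):
        value = H(value)
    return hmac.compare_digest(value, x1)


class ChainVerifier:
    """Receiver state: the newest authenticated element and its index."""

    def __init__(self, x1, max_skip=64):
        self.key = x1            # commitment x_1, assumed delivered authentically
        self.index = 1
        self.max_skip = max_skip  # bounds the hashing work one message can cause

    def accept(self, candidate, i):
        """Accept x_i only if it hashes back to the last accepted element."""
        steps = i - self.index
        if steps <= 0 or steps > self.max_skip:
            return False         # old or replayed index, or too far ahead
        value = candidate
        for _ in range(steps):
            value = H(value)
        if not hmac.compare_digest(value, self.key):
            return False         # not on the chain: forged element
        self.key, self.index = candidate, i
        return True


if __name__ == "__main__":
    chain = make_chain(b"constructed-seed-x_m", 10)   # constructed sample seed
    rx = ChainVerifier(chain[0])
    print(rx.accept(chain[2], 3))    # x_3 verifies against x_1
    print(rx.accept(chain[6], 7))    # x_4..x_6 were lost, x_7 still verifies
    print(rx.accept(chain[4], 5))    # an older element is rejected
```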
Key Generation Function. Pseudorandom function $f$ is employed as the key generation function here for its high computational efficiency. When it is used in the key establishment process, the computational cost is negligible. Note that this function is stored in all the network nodes as well as the base station.
Diffie-Hellman Algorithm. Diffie-Hellman provides a method to ensure the safety of a shared key over insecure networks, and it is an integral part of the OAKLEY algorithm.
The ingenious point is that the two sides of a communication can use this method to determine a symmetric key, which can be used for encryption and decryption. Note that the key exchange protocol can only be used for key exchange and is not able to encrypt and decrypt the messages [16].
Since the key exchange algorithm itself is usually limited to being used as key exchange technology for many commercial products, it is usually called Diffie-Hellman key exchange (abbreviated as the DH algorithm; key exchange based on the DH algorithm is also commonly referred to as DH exchange).
The purpose of this key exchange technique is to enable two users to achieve secure key exchange in order to ensure the encryption of subsequent packets. The effectiveness of the Diffie-Hellman key exchange algorithm relies on the difficulty of computing discrete logarithms [17]. In short, the discrete logarithm can be defined as follows.
First, define a primitive root of a prime number $p$ as an integer whose powers generate each of the integers from 1 to $p - 1$; that is, if $a$ is a primitive root of prime number $p$, the values $a \bmod p, a^2 \bmod p, \ldots, a^{p-1} \bmod p$ are all different integers from 1 to $p - 1$ in a certain arrangement.
For an integer $b$ and a primitive root $a$ of prime number $p$, we can find the unique index $i$ making $b = a^i \bmod p$, where $0 \le i \le (p - 1)$; index $i$ is called the discrete logarithm, or exponent, of integer $b$ to the base $a$ modulo $p$.
Based on the definition and nature of the primitive root, the Diffie-Hellman key exchange algorithm is described as follows [18].
(1) There are two global parameters: prime number $p$ and integer $a$, where $a$ is a primitive root of $p$.
(2) Suppose users $A$ and $B$ wish to exchange a key. User $A$ selects a random number $X_A$ ($X_A < p$) as private key and calculates the public key $Y_A = a^{X_A} \bmod p$. User $A$ stores $X_A$ confidentially and makes $Y_A$ publicly available to user $B$. Similarly, user $B$ also selects a random number $X_B$ ($X_B < p$) as private key and calculates the public key $Y_B = a^{X_B} \bmod p$. User $B$ stores $X_B$ confidentially and makes $Y_B$ publicly available to user $A$.
(3) User $A$ calculates the shared secret key by $K = (Y_B)^{X_A} \bmod p$, and user $B$ similarly calculates the shared secret key $K$ by $K = (Y_A)^{X_B} \bmod p$.
Since
$$\begin{aligned} K &= (Y_B)^{X_A} \bmod p = (a^{X_B} \bmod p)^{X_A} \bmod p \\ &= a^{X_B X_A} \bmod p = (a^{X_A})^{X_B} \bmod p \\ &= (a^{X_A} \bmod p)^{X_B} \bmod p = (Y_A)^{X_B} \bmod p, \end{aligned} \tag{1}$$
it follows that the two sides have exchanged the same secret key $K$. Because $X_A$ and $X_B$ are confidential, an adversary can only use the parameters $p$, $a$, $Y_A$, and $Y_B$. Thus, the adversary is forced to compute a discrete logarithm to determine the shared key $K$. The security of the Diffie-Hellman key exchange algorithm relies on the fact that, although computing exponentials modulo a prime number is relatively easy, computing discrete logarithms is very difficult. For large prime numbers, calculating the discrete logarithm is almost impossible.
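Steps (1) to (3) can be traced with the following added example, which is not code from the paper. The toy prime $p = 23$, the base values 5 and 2, the function names, and the rejection of the public values 1 and $p - 1$ are assumptions of the example; it checks the primitive-root condition on $a$ before the exchange and shows how a base that is not a primitive root reaches only part of the range 1 to $p - 1$.

```python
import secrets


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(a, p):
    """a is a primitive root of prime p iff a^((p-1)/q) != 1 for each prime q | p-1."""
    if not 1 < a < p:
        return False
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def distinct_powers(a, p):
    """Number of different values among a^1 .. a^(p-1) mod p (the definition)."""
    return len({pow(a, k, p) for k in range(1, p)})


def valid_public(y, p):
    """Reject the degenerate public values 1 and p-1 and anything out of range."""
    return 1 < y < p - 1


def keypair(a, p, x=None):
    """Return (X, Y) with Y = a^X mod p; X is random unless supplied."""
    if x is not None:
        return x, pow(a, x, p)
    while True:
        x = 2 + secrets.randbelow(p - 3)      # X in 2 .. p-2
        y = pow(a, x, p)
        if valid_public(y, p):
            return x, y


def shared_key(peer_public, own_private, p):
    """K = (Y_peer)^(X_own) mod p, after validating the peer's public value."""
    if not valid_public(peer_public, p):
        raise ValueError("peer public value outside 2 .. p-2")
    return pow(peer_public, own_private, p)


if __name__ == "__main__":
    p, a = 23, 5                               # constructed toy parameters
    print(is_primitive_root(a, p), distinct_powers(a, p))   # True 22
    print(is_primitive_root(2, p), distinct_powers(2, p))   # False 11
    xa, ya = keypair(a, p)
    xb, yb = keypair(a, p)
    print(shared_key(yb, xa, p) == shared_key(ya, xb, p))   # True
```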
3.3. Assumptions. Basic assumptions are as follows.
(i) Topology is unknown before the deployment of the nodes.
(ii) The sensor network is static (sensor nodes are not mobile) after deployment.
(iii) Sensor nodes have similar computational and communication capabilities.
(iv) Transmission power of nodes can be adjusted to control the propagation distance.
(v) The base station has enough energy supply and computing power.
(vi) The attacker has the ability to eavesdrop on all the channels as well as to replay former messages and inject malicious packets.
(vii) Once a node is captured, all the stored information will be obtained by the adversary.
(viii) Every node has enough space to store hundreds of bytes for key establishment materials.
(ix) Each node has some degree of ability to resist attack, and it will not be captured within a limited period of time.
4. Protocol Description
This section introduces the basic protocol in detail, including four kinds of secure key establishment mechanisms to satisfy various secure communication requirements and mechanisms for key erasure and update.
4.1. Overview. As discussed above, the single key mechanism cannot provide appropriate protection to all the required communication in the WSNs. Moreover, the security performance and resource consumption have to be balanced when making use of different kinds of keys.
The degree of sharing keys in the security mechanism has to be taken into consideration. For example, if unique pairwise keys are used for each two nodes in the WSNs to guarantee secure communication, a node captured by an attacker will not reveal any security information of other normal nodes, which is ideal to prevent threats to the entire network. However, it requires significant communication bandwidth and energy resources, which is quite inefficient.
On the contrary, if only a network-wide key is used for authentication and encryption, no communication between nodes is required for the establishment of additional keys, and the storage costs and energy consumption can also be minimized. However, the security will be extremely poor. Once any node in the system is captured by an attacker, the whole network suffers an enormous risk.
4.2. Key Establishment. In this section, the establishment of four kinds of keys is discussed in detail, as well as their characteristics and abilities to resist attacks.
4.2.1. Individual Key Establishment. The individual key is a unique key that each sensor node shares with the controller (the base station), which is used for individual authentication and secure communication assurance [19].
For example, the individual key can be used to encrypt sensitive information, such as special instructions and rekeying commands exchanged between a sensor node and the base station. It can also be used for message authentication to get verification of the base station or other nodes.
Since every node in the network shares a unique individual key with the base station, it is neither practical nor efficient for the base station to store all these keys, especially when the network scale is very large. Thus, it is important to adopt a strategy to reduce the storage overhead, which can be achieved by the key generation function $f$.
First of all, it is argued that each node holds the key establishment function $f$ and an initial key $K_I$, which is derived from the master key $K$ that is only possessed by the controller; all of them are preloaded in the nodes before the key establishment phase. The generation of the individual key for node $A$ (here $A$ indicates the unique ID of node $A$) is as follows:
$$K_A = f(K_I, A). \tag{2}$$
In the above, the function $f$ for key establishment is a pseudorandom function, and it is efficient enough to be used on sensor nodes.
Once the individual key is generated, the related node stores it within its life cycle. Since the base station has full knowledge of the initial key $K_I$ and the efficient establishment function $f$, the storage overhead for the individual keys of each sensor node can be reduced.
4.2.2. Pairwise Key Establishment. Pairwise keys of a node are the keys shared with each of its direct neighbors, so the storage overhead of such keys for each node depends on the number of its neighbors [20, 21].
In this protocol, pairwise keys have a lot of uses. For example, a cluster head can use them to encrypt the cluster key, which has to be transmitted to all of its neighbors, to achieve distribution security. They are also a component to improve system security.
However, it will impede passive participation, which is important in saving communication energy, if such a key mechanism is employed individually. The initial pairwise key establishing process is shown in Figure 2.
The generation of pairwise keys for nodes $A$ and $B$ (here $A$ is assumed to be the node that calls for key establishment) is as follows.
Here node $A$ broadcasts a nonce to all of its direct neighbors to request establishing pairwise keys without authenticating its identity, because if it cannot provide its own identity (namely, it does not own the individual key), it will fail to generate the pairwise key in the following steps:
$$K_{AB} = f(K_B, A). \tag{4}$$
Since node $A$ possesses both the key establishment function $f$ and the initial key $K_I$, it can compute $K_B$ independently and then obtain the pairwise key $K_{AB}$ as well.
Figure 2: Pairwise key establishing phase (nodes $A$ and $B$, steps 1 and 2).
Note that each node has a timer which directs it to carry out key erasure when it is sure that the pairwise key establishment is finished. This process is significant because all the nodes keep the network-wide initial key $K_I$ to help complete the establishment in the initial period, and once the relatively safe period passes, there is a great risk that some nodes may be compromised.
So it is suggested that, after a reasonable length of time, the initial key $K_I$ and the neighbors' individual master keys stored in the node all be erased (but its own individual master key will always be held).
In this way, when almost all the pairwise keys are established successfully, no nodes will possess the necessary generating key materials until there is a new group of nodes to be joined. The key erasure mechanism is so necessary that how to control the key erasing time is worth exploring, but it is not an emphasis in this paper.
In addition, it can also be seen from the above equation that, after the establishing time, namely, once the related key materials are erased, if node $A$ is compromised by an attacker and a node $A'$ broadcasts a nonce for establishing pairwise keys, it cannot succeed due to such establishment mechanism.
But once the attacker uses $A'$ to take a passive joining strategy, the responding node $A'$ will generate the pairwise key with $B$ (here $B$ is one of a new batch of joining nodes that is asking to establish pairwise keys with its neighbors, including $A'$) as follows: $K_{BA'} = f(K_{A'}, B)$, and then the attacker will be able to inject erroneous packets into the network at will.
For the newly added nodes, an alternative is proposed to
Here $A$ is a new node which calls for establishing a pairwise key with its neighbor $B$. Here $B$ is an older node that has generated all its own pairwise keys and erased the initial key $K_I$, which makes it unable to generate a new pairwise key.
If $B$ wants to verify the identity of node $A$, the most credible way is asking for the help of the base station.
However, reducing the use of the base station is an important goal here, and the improvement is worth further exploring.
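The individual-key and pairwise-key derivations of Sections 4.2.1 and 4.2.2, together with the effect of erasing $K_I$, are traced in the following added example, which is not code from the paper. HMAC-SHA256 standing in for the pseudorandom function $f$, the `SensorNode` class and its method names, and the sample value of $K_I$ are assumptions of the example.

```python
import hashlib
import hmac


def f(key, node_id):
    """Pseudorandom function f(K, ID); HMAC-SHA256 is an assumption here."""
    return hmac.new(key, node_id.encode(), hashlib.sha256).digest()


class SensorNode:
    def __init__(self, node_id, initial_key):
        self.node_id = node_id
        self._k_init = initial_key                      # K_I, preloaded
        self.individual_key = f(initial_key, node_id)   # K_A = f(K_I, A), eq. (2)
        self.pairwise = {}                              # trusted neighbor list

    def can_initiate(self):
        return self._k_init is not None

    def initiate(self, neighbor_id):
        """Initiator A: derive K_B = f(K_I, B), then K_AB = f(K_B, A), eq. (4)."""
        if self._k_init is None:
            raise PermissionError("initial key erased: cannot derive K_B")
        k_neighbor = f(self._k_init, neighbor_id)       # local only, never stored
        self.pairwise[neighbor_id] = f(k_neighbor, self.node_id)
        return self.pairwise[neighbor_id]

    def respond(self, initiator_id):
        """Responder B: K_AB = f(K_B, A) needs only B's own individual key."""
        self.pairwise[initiator_id] = f(self.individual_key, initiator_id)
        return self.pairwise[initiator_id]

    def erase_initial_key(self):
        """Timer expiry: drop K_I; the node's own individual key is kept."""
        self._k_init = None


def base_station_individual_key(initial_key, node_id):
    """The base station recomputes K_A on demand instead of storing it."""
    return f(initial_key, node_id)


if __name__ == "__main__":
    K_I = b"constructed-initial-key"                    # constructed sample value
    a, b = SensorNode("A", K_I), SensorNode("B", K_I)
    print(a.initiate("B") == b.respond("A"))            # both sides hold K_AB
    a.erase_initial_key()
    b.erase_initial_key()
    print(a.can_initiate())                             # False after erasure
    c = SensorNode("C", K_I)                            # node joining later
    print(c.initiate("B") == b.respond("C"))            # older node still responds
```

The last line reproduces the caveat discussed above: after erasure an older node can no longer initiate, but it can still answer a newly deployed node using only its own individual key.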
423 Cluster Key Establishment Cluster key is a key gener-ated by an elected cluster head and shared with its neighborsand it is mainly used for encrypting local broadcast packetsItsmost significant advantage is that it enables the in-networkprocessing such as passive participation and data aggregationwhich cannot be supported by the pairwise key but could saveenergy consumption efficiently
This key establishing process is obvious as follows
Here node $A$ is the elected cluster head and $B_i$ represents one of its immediate neighbors $B_1, B_2, \ldots, B_n$ ($1 \le i \le n$). Cluster head $A$ first generates a key $K^C_A$ randomly and encrypts it with its pairwise keys and then sends it to each neighbor $B_i$. Moreover, node $B_i$ decrypts the cluster key and then stores $K^C_A$ in a table.
When any neighbor of $A$ is revoked, which means there will be a risk in continuing to use the old cluster key, cluster head $A$ regenerates and transmits the $K^{C'}_A$ in the same way.
Cluster division and cluster head selection approaches are also worthy of discussion, but they are not an emphasis in this paper. A simple mesh division method based on the virtual cluster idea is shown in Figure 3.
4.2.4. Group Key Establishment. The group key $K_g$ is used for encrypting messages that need to be broadcast to the whole group. Note that, different from the above situations, the key point here is no longer about key establishment or encrypting schemes, because there is only one group key shared among the entire network; meanwhile it does not make sense to encrypt a broadcast message using the master key of each sensor node separately.
It is also because there is only one group key shared among sensor nodes that, once a compromised node is revoked, the rekeying and updating mechanism becomes important.
Figure 3: Mesh division method (legend: cluster head, active node, base station).
μTESLA [22] is a widely employed protocol due to the high efficiency and perfect tolerance for packet loss. A one-way hash function $H$ is used here to help achieve the process. Firstly, the controller generates a random seed $k_m$ and uses the function $H$ to get a sequence of the following hash values $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ that meets the restriction $k_j \mid 0 < j \le m$, $k_{j-1} = H(k_j)$.
Then preload this key chain $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ in the base station and use delayed key disclosure to achieve message authentication. Let $A$ be the revoked node and $K'_g$ the new group key; the process is as follows:
$$\text{Base station} \rightarrow * : A,\ f(K'_g, 0),\ \mathrm{MAC}_{k_j}(A \mid f(K'_g, 0)) \tag{8}$$
When the verification is done, all the nodes will remove related information of node $A$ and restore the group key $K'_g$ in the table.
Note that the initial group key $K_g$ is preloaded in all the sensor nodes before their deployment, like the initial key $K_I$, but we cannot take $K_I$ also as the group key because it will be erased in a very short time after the pairwise key establishment. The key used for deriving related keys must be protected separately from normal ones.
Figure 4 simply illustrates the authentication mechanism:
$$k_{j-1} = H(k_j) \tag{9}$$
5. Enhanced Protocol
5.1. Requirements Analysis. The design of the basic scheme presented in the previous section is motivated by the observation that a single keying mechanism is not suitable for meeting all the security requirements of different types of exchanged messages.
Figure 4: Using the one-way hash function for source authentication (keys K1 to K5 and packets p1 to p6 along a time axis).
The advantage of this scheme is that the captured node does not threaten the safety of the other nodes, provided the master key $K$ is absolutely safe in time interval $T_{\min}$.
During the time interval $T_{\min}$ all the nodes of the WSN will hold the general master key $K$, and we note that this scheme cannot provide confidentiality when a node is compromised in $T_{\min}$. By using the stolen information, like the master key $K$, an attacker can easily derive the master keys of all the remaining normal nodes that are deployed in the same time interval, as well as negotiate new pairwise keys with normal nodes in any region, which means that once a node is compromised in time interval $T_{\min}$ the security of the entire network is in extreme danger.
5.2. Enhanced Scheme. The improved scheme is based on the Diffie-Hellman algorithm above. Prior to deployment of the network, each node prestores the large prime number $p$ and its primitive root $a$ instead of the initial key $K_I$, which is derived from the master key $K$.
Note that the generation of the individual key for node $A$ is still the same:
$$K_A = f(K_I, A) \tag{10}$$
Different from the basic scheme, this process is completed once the node is deployed; after that, the information of the initial key $K_I$ is deleted. Thus the attacker cannot get any information about the initial key $K_I$ or the master key $K$ even if the node is compromised during the working period.
Since the node no longer keeps the initial key $K_I$, which is required to participate in relevant calculations (function) in the pairwise key generating process, the basic scheme cannot be achieved. For this situation, make the following improvements.
Give a key evolution function to each node. Take nodes $A$ and $B$ for example:
$$X_A = h(A \mid K_A) \bmod p, \qquad X_B = h(B \mid K_B) \bmod p \tag{11}$$
Then calculate the public message:
$$Y_A = a^{X_A} \bmod p, \qquad Y_B = a^{X_B} \bmod p \tag{12}$$
The pairwise key generation process is as follows:
$$A \rightarrow * : \mathrm{Nonce}_A,\ Y_A$$
$$B \rightarrow A : \mathrm{MAC}_{K_{AB}}(B \mid Y_B),\ B,\ Y_B \tag{13}$$
Here node $A$ broadcasts a nonce to all its direct neighbors and asks to establish a pairwise key, and broadcasts the public message $Y_A$ at the same time. When its neighbor (take node $B$ for example) receives the message, it first verifies the legitimacy of $Y_A$ and then calculates the pairwise key using the following function:
$$K_{AB} = (Y_A)^{X_B} \bmod p \tag{14}$$
After that, node $B$ sends messages $B$ and $Y_B$ back to the asking node $A$ and sends a message $\mathrm{MAC}_{K_{AB}}(B \mid Y_B)$ to authenticate its identity. If node $B$ cannot respond to node $A$ in this way, it means node $B$ cannot get $K_{AB}$ only making use of $Y_A$; then consider node $B$ as untrusted. In addition, node $A$ does not need to send an authenticating message back to node $B$ anymore, because if it cannot prove its own identity (namely, it cannot get $K_{AB}$ only making use of $Y_B$), it will fail to generate the pairwise key $K_{AB}$.
Compared with the basic protocol, the most obvious improvement of the enhanced protocol is that it makes use of the Diffie-Hellman algorithm to generate pairwise keys instead of storing the initial key $K_I$ for a certain period of time. Thus, even if a node is compromised in $T_{\min}$, the attacker can merely get the key information related to the compromised node, which means only limited security threats can be caused, avoiding the disruption of the entire network caused by losing the initial key $K_I$. Despite the slight increment in the computational overhead, the security of the WSN is greatly improved.
6. Performance Evaluation
The ability of the protocol to fight against kinds of attacks is discussed in detail in the above sections. This section analyzes the storage requirement and energy efficiency.
6.1. Storage Requirement. In the basic protocol a node needs to store four types of keys. Considering a node with $m$ neighbors in the WSN, it needs to store one individual key, $m$ cluster keys, $m$ pairwise keys, and one group key. In the enhanced protocol each node stores the same number of keys as the basic protocol.
When the key establishment is complete in a network having a scale of $N$, there is an upper limit on the number of keys to be stored in the nodes, including $N$ individual keys, $C(N, 2)$ pairwise keys, $N/2$ cluster keys, and $N$ group keys (though there is only one group key in a certain period), which add up to $(5/2)N + (N/2)(N - 2) = (N^2 + 3N)/2$, and the average for each node is $5/2 + (N - 1)/2(N - 2) = N/2 + 2$.
Note that the communication distance of a sensor node is limited, so the network will not reach such a high complexity that every two nodes are connected.
In addition, using an efficient clustering method can reduce the number of required cluster keys, and the real storage complexity is much smaller.
Although memory is a quite scarce resource for the current generation of nodes in WSNs, for a reasonable degree storage is not an issue in our protocol. For example, 100 keys take 800 bytes in total when the key size is 8 bytes.
6.2. Communication Cost. In this paper the average communication cost increases with the connection degree of a sensor network and decreases with the network size $N$. Efficient preloaded functions are widely used, which greatly reduces the message exchanges in the key establishing phase and so saves communication cost. What's more, the use of the located cluster key enables in-network data processing, which also helps achieve communication and energy efficiency.
It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.
6.3. Computational Cost. Functions used in the proposed protocols are all of high computational efficiency. For example, pseudorandom function $f$ is employed as the key generation function, and the computational cost is negligible when it is used in the key establishment process. In the enhanced protocol, although the computational cost is slightly increased by using the Diffie-Hellman algorithm, we believe that the computational overhead is applicable for a network of reasonable density in our protocols. For example, for a WSN of size $N = 1000$ and connection degree of 20, the average computational cost is 27 symmetric key operations per node per revocation, and a larger $N$ will reduce the cost further.
Overall, we conclude that the protocols proposed in this study are scalable and efficient enough in storage, communication, and computation.
7. Security Analysis
This section analyzes the security of the key management protocols. The survivability of the network is discussed when undetected compromised nodes occur, and the robustness of the proposed schemes is studied in defending against various attacks.
7.1. Survivability. Once a sensor node $A$ is compromised, the adversary can launch attacks by utilizing keying materials of node $A$. If the threat is detected somehow, the protocols can revoke node $A$ efficiently and update the information of nodes quickly throughout the whole network. Basically, each neighbor of compromised node $A$ could delete its pairwise key shared with node $A$ as well as update the cluster key. The group key could also be updated efficiently by making use of the μTESLA mechanism. When the revocation is completed, the adversary cannot launch further attacks anymore.
However, security detection in WSNs is more difficult than in other systems, since sensor systems are often deployed in unattended environments. Thus the survivability of the network is one of the most important security requirements when compromised nodes are not detected.
Firstly, because the individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.
Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which can be used by the attacker to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study the attacker usually has to achieve such attacks by making use of the identity of the captured node.
Note that a salient feature of the proposed protocols is the ability to localize possible threats, because after the deployment of the network and the pairwise key establishing phase every node will keep a list of trusted neighbor nodes. As a compromised node and its copy nodes cannot establish trust relationships with other nodes except its neighbors, the attacker can only damage secure links within a limited range.
Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. The broadcast messages by their nature are intended to be received by all the nodes in the network. Thus compromising any single node is enough to possess this message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the μTESLA mechanism.
7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.
An inside attacker may attempt to alter and replay routing information to make routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.
In this paper the schemes cannot protect the WSNs from such attacks; however, the schemes can hinder or minimize the consequences caused by such attacks.
First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.
Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching such attacks. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible since the related sending node may overhear the forwarded messages altered by the captured node.
Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.
The proposed protocol can protect WSNs from the following attacks.
Sybil Attacks. In Sybil attacks the attacker may replicate the captured node and deploy multiple replicas into the original network. With help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen for the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.
HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network by increasing the transmission power to be high enough to make all the nodes convinced that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and some other packets in vain. However, it cannot succeed in the proposed protocols, because the attacker does not have a network-wide key for authentication.
It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages to the entire network from the base station.
7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.
In the sinkhole attack a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in the WSNs.
In the wormhole attack two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, to create a sinkhole. Moreover, nodes which are multiple hops away may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch the wormhole attack, such an attack is very powerful in practice [24].
In the proposed protocols an outside attacker cannot succeed in launching the wormhole attack except in the neighbor discovery process, since a node will know all its neighbor nodes after the pairwise key is established, which means the attacker cannot convince two distant nodes to believe that they are neighbors of each other.
Because the time of the neighbor discovery process is very short (usually seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors when the neighbor discovery phase is finished. The authenticated neighborhood information is critical to deal with the wormhole attacks.
In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station turns smaller, node $B$ will be especially attractive to surrounding nodes. In practice the location of the base station is usually static. When the network is constructed, topology will be known to the entire network, and then sensor nodes will know the approximate number of hops from the base station. Thus it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.
7.4. Conclusion. This paper proposes a basic key management protocol based on initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.
To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.
The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to the original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.
This paper presents a proposal for key establishment and achieves security mainly based on the combined application of four kinds of keys. This is a critical step, and how to use such keys to found a protection mechanism is a focus of our future research.
Notations
$N$: The number of nodes in the network
$A, B$: Two communicating nodes in the network (also represents the node identifier)
$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$
$H(K)$: One-way hash function to generate a chain of keys using the seed $K$
$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$
$K$: The master key only possessed by base station
$K_A$: Individual key of node $A$
$E_K(m)$: Encryption of message $m$ with a symmetric key $K$
$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$
$A \rightarrow B : M$: Node $A$ sends a message $M$ to node $B$
$A \rightarrow * : M$: Node $A$ sends a local broadcast message $M$ to all its neighbors
$h(m)$: Calculate hash value of message $m$
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).
References
[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "Wireless sensor networks: a survey," Computer Networks, vol. 38, no. 4, pp. 393-422, 2002.
[2] X. He, M. Niedermeier, and H. de Meer, "Dynamic key management in wireless sensor networks: a survey," Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611-622, 2013.
[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, "A unified security framework with three key management schemes for wireless sensor networks," Computer Communications, vol. 31, no. 18, pp. 4269-4280, 2008.
[4] C. Intanagonwiwat, R. Govindan, and D. Estrin, "Directed diffusion: a scalable and robust communication paradigm for sensor networks," in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), pp. 56-67, ACM/IEEE, Boston, Mass, USA, August 2000.
[5] A. Manjeshwar and D. P. Agrawal, "TEEN: a routing protocol for enhanced efficiency in wireless sensor networks," in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS '01), pp. 2009-2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.
[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom '01), pp. 189-199, Rome, Italy, July 2001.
[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42-51, ACM Press, Washington, DC, USA, October 2003.
[8] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197-213, Oakland, Calif, USA, May 2003.
[9] H. O. Sanli, S. Ozdemir, and H. Cam, "SRDA: secure reference-based data aggregation protocol for wireless sensor networks," in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC '04), pp. 406-410, IEEE, Los Angeles, Calif, USA, 2004.
[10] T. Dimitriou and I. Krontiris, "A localized distributed protocol for secure information exchange in sensor networks," in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), pp. 37-45, IEEE, April 2005.
[11] S. Zhu, S. Setia, and S. Jajodia, "LEAP: efficient security mechanisms for large-scale distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 62-72, ACM, New York, NY, USA, October 2003.
[12] J. Shen and L. Xu, "Cluster-based key pre-distribution scheme for wireless sensor networks," Journal of Wuhan University: Natural Science Edition, vol. 55, no. 1, pp. 117-120, 2009 (Chinese).
[13] X. Huang, M. Yang, and S.-S. Lv, "Secure and efficient key management protocol for wireless sensor network and simulation," Journal of System Simulation, vol. 20, no. 7, pp. 1898-1903, 2008.
[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security - ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS '12), Pisa, Italy, September 10-12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541-556, Springer, Berlin, Germany, 2012.
[15] L.-C. Li, J.-H. Li, and J. Pan, "Self-healing group key management scheme with revocation capability for wireless sensor networks," Journal on Communications, vol. 30, no. 12, pp. 12-17, 2009.
[16] Z. Ming, W. Suo-ping, and X. He, "Dynamic key management scheme for wireless sensor networks based on cluster," Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.
[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, "Transitory initial key-based key management protocol in wireless sensor networks," Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581-1586, 2007.
[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, "A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE802.16e wireless networks," Mobile Information Systems, vol. 7, no. 3, pp. 241-269, 2011.
[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, "Fine-grained access control system based on outsourced attribute-based encryption," in Computer Security - ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9-13, 2013, Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592-609, Springer, Berlin, Germany, 2013.
[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, "Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach," in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP '03), pp. 326-335, Atlanta, Ga, USA, November 2003.
[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42-51, Washington, DC, USA, October 2003.
[22] D. Liu and P. Ning, "Multi-level μTESLA: broadcast authentication for distributed sensor networks," ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800-836, 2004.
[23] J. Li, Q. Wang, C. Wang, and K. Ren, "Enhancing attribute-based encryption with attribute hierarchy," Mobile Networks and Applications, vol. 16, no. 5, pp. 553-561, 2011.
[24] Y. S. Lee, J. W. Park, and L. Barolli, "A localization algorithm based on AOA for ad-hoc sensor networks," Mobile Information Systems, vol. 8, no. 1, pp. 61-72, 2012.
Therefore it is fundamental to design a security mechanism which satisfies the above requirements in order to achieve the security of WSNs.
3. Prerequisite Knowledge
3.1. Notations. The notations used in this paper are given in the Notations section.
Note that, in order to simplify the representation in the following discussion, notations $A$ and $B$ are used to represent their node identifiers instead of $\mathrm{ID}_A$ and $\mathrm{ID}_B$.
In addition, since keys for various security uses can be derived from the same key $K$, such as $K_0 = f(K, 0)$ for authentication and $K_1 = f(K, 1)$ for encryption, we just say a message $M$ is authenticated or encrypted with $K$ instead of saying it in detail.
(i) Given $x$, it is easy to compute $y$ using function $y = H(x)$.
(ii) Given $y$, it is difficult to compute $x$ from function $y = H(x)$.
(iii) Given $x$, it is difficult to find a $y$ meeting the condition that $y \ne x$ and $H(y) = H(x)$.
One-way hash chain is a sequence of the following hash values $x_m, x_{m-1}, \ldots, x_j, \ldots, x_1$ fulfilling the restriction $x_j \mid 0 < j \le m$, $x_{j-1} = H(x_j)$, where $x_m$ is a randomly selected key seed. Due to the unidirectional feature, one-way hash key chain is widely used in secure authentication. For example, when $x_1$ is given, it can be verified whether $x_i$ is an element of the one-way hash key chain sequence using the equation $x_1 = H^{i-1}(x_i)$.
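The hash chain defined here is what the base station uses to authenticate the revocation broadcast in (8) and (9). The following Python is an added example, not code from the paper: SHA-256 for $H$, HMAC-SHA256 for $f$ and the MAC, the `Node` class, the `|` separator and the interval tag `j` carried in each packet are assumptions, and the check $x_1 = H^{i-1}(x_i)$ is generalized to verifying against the newest authenticated key.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    """One-way hash H (SHA-256 is this example's choice, not the paper's)."""
    return hashlib.sha256(x).digest()


def f(key: bytes, msg: bytes) -> bytes:
    """Keyed function used for f(K, .) and MAC_K(.); HMAC-SHA256 is assumed."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def H_iter(x: bytes, n: int) -> bytes:
    """Apply H to x n times, i.e. H^n(x)."""
    for _ in range(n):
        x = H(x)
    return x


def make_chain(seed: bytes, m: int) -> dict:
    """Build {j: k_j} for 1 <= j <= m with k_m = seed and k_{j-1} = H(k_j)."""
    chain = {m: seed}
    for j in range(m, 1, -1):
        chain[j - 1] = H(chain[j])
    return chain


def revocation_packet(chain: dict, j: int, revoked_id: bytes, new_group_key: bytes):
    """Message (8): A, f(K'_g, 0), MAC_{k_j}(A | f(K'_g, 0)), tagged with j."""
    token = f(new_group_key, b"\x00")
    return (j, revoked_id, token, f(chain[j], revoked_id + b"|" + token))


class Node:
    def __init__(self, commitment: bytes, neighbors):
        self.i, self.k_i = 1, commitment   # newest authenticated chain key
        self.neighbors = set(neighbors)
        self.group_key_token = None        # f(K'_g, 0) from the last revocation
        self.buffer = []                   # packets waiting for their key

    def on_packet(self, packet) -> bool:
        """Buffer a packet only while its interval key is still undisclosed."""
        if packet[0] <= self.i:
            return False                   # key already public: MAC proves nothing
        self.buffer.append(packet)
        return True

    def on_disclosure(self, j: int, k_j: bytes) -> list:
        """Authenticate k_j against the chain, then verify buffered packets."""
        if j <= self.i:
            return []
        if not hmac.compare_digest(H_iter(k_j, j - self.i), self.k_i):
            return []                      # not an element of the chain
        self.i, self.k_i = j, k_j
        revoked, waiting = [], []
        for pkt in self.buffer:
            jj, node_id, token, mac = pkt
            if jj > j:
                waiting.append(pkt)        # its key is not disclosed yet
                continue
            k_jj = H_iter(k_j, j - jj)     # recovers keys whose disclosure was lost
            if hmac.compare_digest(mac, f(k_jj, node_id + b"|" + token)):
                self.neighbors.discard(node_id)
                self.group_key_token = token
                revoked.append(node_id)
        self.buffer = waiting
        return revoked

    def accept_group_key(self, candidate: bytes) -> bool:
        """Check a delivered K'_g against the authenticated token f(K'_g, 0)."""
        return (self.group_key_token is not None and
                hmac.compare_digest(f(candidate, b"\x00"), self.group_key_token))
```

How $K'_g$ itself reaches the nodes is not part of message (8), so the example only checks a candidate key against the authenticated token.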
Key Generation Function. Pseudorandom function $f$ is employed as the key generation function here for its high computational efficiency. When it is used in the key establishment process, the computational cost is negligible. Note that this function is stored in all the network nodes as well as the base station.
Diffie-Hellman Algorithm. Diffie-Hellman provides a method to ensure safety of a shared key through insecure networks, and it is an integral part of the OAKLEY algorithm.
The ingenious point is that the two sides of a communication can use this method to determine the symmetric key, which can be used for encryption and decryption. Note that the key exchange protocol can only be used for key exchange, without being able to encrypt and decrypt the messages [16].
Since the key exchange algorithm itself is usually limited to be used as key exchange technology for many commercial products, it is usually called Diffie-Hellman key exchange (abbreviated as DH algorithm; key exchange based on the DH algorithm is also commonly referred to as DH exchange).
The purpose of this key exchange technique is to enable two users to achieve secure key exchange in order to ensure the encryption of subsequent packets. The effectiveness of the Diffie-Hellman key exchange algorithm relies on the difficulty of computing discrete logarithms [17]. In short, the discrete logarithm can be defined as follows.
First define a primitive root of prime number $p$, which is an integer whose powers generate each of the integers from 1 to $p - 1$; that is, if $a$ is a primitive root of prime number $p$, the values of $a \bmod p, a^2 \bmod p, \ldots, a^{p-1} \bmod p$ are all different integers from 1 to $p - 1$ in a certain arrangement.
For an integer $b$ and a primitive root $a$ of prime number $p$, we can find the unique index $i$ making $b = a^i \bmod p$, where $0 \le i \le (p - 1)$; index $i$ is called the discrete logarithm or exponent of integer $b$ to the base $a$, modulo $p$.
Based on the definition and nature of the primitive root, the Diffie-Hellman key exchange algorithm is described as follows [18].
(1) There are two global parameters: prime number $p$ and integer $a$, where $a$ is a primitive root of $p$.
(2) Suppose users $A$ and $B$ wish to exchange a key. User $A$ selects a random number $X_A$ ($X_A < p$) as private key and calculates the public key $Y_A = a^{X_A} \bmod p$. User $A$ stores $X_A$ confidentially and makes $Y_A$ publicly available to user $B$. Similarly, user $B$ also selects a random number $X_B$ ($X_B < p$) as private key and calculates the public key $Y_B = a^{X_B} \bmod p$. User $B$ stores $X_B$ confidentially and makes $Y_B$ publicly available to user $A$.
(3) User $A$ calculates the shared secret key by $K = (Y_B)^{X_A} \bmod p$, and user $B$ similarly calculates the shared secret key $K$ by $K = (Y_A)^{X_B} \bmod p$.
Since
$$K = (Y_B)^{X_A} \bmod p = (a^{X_B} \bmod p)^{X_A} \bmod p = a^{X_B X_A} \bmod p = (a^{X_A})^{X_B} \bmod p = (a^{X_A} \bmod p)^{X_B} \bmod p = (Y_A)^{X_B} \bmod p \tag{1}$$
the two sides have thus exchanged the same secret key $K$. Because $X_A$ and $X_B$ are confidential, an adversary can only use parameters $p$, $a$, $Y_A$, and $Y_B$. Thus the adversary is forced to use a discrete logarithm to determine the shared key $K$. The security of the Diffie-Hellman key exchange algorithm relies on the fact that, although computing an exponent modulo a prime number is relatively easy, computing a discrete logarithm is very difficult. For large prime numbers, calculating the discrete logarithm is almost impossible.
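Steps (1) to (3) above, applied to the enhanced scheme's messages (10) to (14), as an added example that is not the authors' code. HMAC-SHA256 for $f$ and the MAC, SHA-256 for $h$, the toy group ($p = 2^{31} - 1$, $a = 7$), the byte encodings, the `SensorNode` class and the range check used for "legitimacy of $Y_A$" are assumptions of this example.

```python
import hashlib
import hmac

# Toy parameters constructed for this example: p = 2^31 - 1 is prime and
# a = 7 is a primitive root of it. A deployed network needs a far larger prime.
P = 2**31 - 1
A_ROOT = 7
P_MINUS_1_FACTORS = (2, 3, 7, 11, 31, 151, 331)  # prime factors of p - 1


def is_primitive_root(a, p=P, factors=P_MINUS_1_FACTORS):
    """a generates 1..p-1 iff a^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    return a % p != 0 and all(pow(a, (p - 1) // q, p) != 1 for q in factors)


def f(key, data):
    """Pseudorandom function f and MAC; HMAC-SHA256 is assumed for both."""
    return hmac.new(key, data, hashlib.sha256).digest()


def private_exponent(node_id, k_node, p=P):
    """(11): X = h(ID | K_ID) mod p, with SHA-256 assumed for h."""
    digest = hashlib.sha256(node_id + b"|" + k_node).digest()
    return int.from_bytes(digest, "big") % p


def valid_public_value(y, p=P):
    """Assumed stand-in for 'verifies the legitimacy of Y': reject 0, 1, p-1
    and out-of-range values, which would force a predictable key."""
    return isinstance(y, int) and 1 < y < p - 1


def pairwise_key(y_peer, x_own, p=P):
    """(14): K_AB = (Y_peer)^(X_own) mod p, returned as bytes for MAC use."""
    if not valid_public_value(y_peer, p):
        raise ValueError("public value outside the allowed range")
    return pow(y_peer, x_own, p).to_bytes((p.bit_length() + 7) // 8, "big")


def mac_input(node_id, y):
    """Byte encoding of B | Y_B (the encoding is this example's choice)."""
    return node_id + b"|" + str(y).encode()


class SensorNode:
    def __init__(self, node_id, initial_key):
        self.node_id = node_id
        self.k_node = f(initial_key, node_id)             # (10): K_A = f(K_I, A)
        self.x = private_exponent(node_id, self.k_node)   # (11)
        self.y = pow(A_ROOT, self.x, P)                   # (12): Y_A = a^X_A mod p
        self.pairwise = {}
        # initial_key is not stored: after deployment the node holds no K_I.

    def request(self, nonce):
        """First message of (13): A -> *: Nonce_A, Y_A."""
        return nonce, self.y

    def respond(self, request):
        """Second message of (13): B -> A: MAC_{K_AB}(B | Y_B), B, Y_B."""
        _nonce, y_a = request
        k_ab = pairwise_key(y_a, self.x)
        # As in (13), the MAC covers B | Y_B only; Nonce_A is not an input.
        tag = f(k_ab, mac_input(self.node_id, self.y))
        return (tag, self.node_id, self.y), k_ab

    def finish(self, response):
        """A recomputes K_AB from Y_B and accepts B only if the MAC verifies."""
        tag, peer_id, y_b = response
        try:
            k_ab = pairwise_key(y_b, self.x)
        except ValueError:
            return None
        if not hmac.compare_digest(tag, f(k_ab, mac_input(peer_id, y_b))):
            return None
        self.pairwise[peer_id] = k_ab
        return k_ab
```

The paper does not say how the legitimacy of $Y_A$ is verified; the range check here only rejects degenerate values and does not tie a public value to a node identity.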
3.3. Assumptions. Basic assumptions are as follows.
(i) Topology is unknown before the deployment of the nodes.
(ii) The sensor network is static (sensor nodes are not mobile) after deployment.
(iii) Sensor nodes have similar computational and communication capabilities.
(iv) Transmission power of nodes can be adjusted to control the propagation distance.
(v) The base station has enough energy supply and computing power.
(vi) The attacker has the ability to eavesdrop on all the channels as well as to replay former messages and inject malicious packets.
(vii) Once a node is captured, all the stored information will be obtained by the adversary.
(viii) Every node has enough space to store hundreds of bytes for key establishment materials.
(ix) Each node has some degree of ability to resist attack, and it will not be captured within a limited period of time.
4. Protocol Description
This section introduces the basic protocol in detail, including four kinds of secure key establishment mechanisms to satisfy various secure communication requirements and mechanisms for key erasure and update.
4.1. Overview. As discussed above, the single key mechanism cannot provide appropriate protection to all the required communication in the WSNs. Moreover, the security performance and resource consumption have to be balanced when making use of different kinds of keys.
The degree of key sharing in the security mechanism has to be taken into consideration. For example, if unique pairwise keys are used for each two nodes in the WSNs to guarantee secure communication, a node captured by an attacker will not reveal any security information of other normal nodes, which is ideal to prevent threat to the entire network. However, it requires significant communication bandwidth and energy resources, which is quite inefficient.
On the contrary, if only a network-wide key is used for authentication and encryption, no communication between nodes is required for establishment of additional keys, and the storage costs and energy consumption can also be minimized. However, the security will be extremely poor. Once any node in the system is captured by an attacker, the whole network suffers an enormous risk.
4.2. Key Establishment. In this section, the establishment of four kinds of keys is discussed in detail, as well as their characteristics and abilities to resist attacks.
4.2.1. Individual Key Establishment. The individual key is a unique key that each sensor node shares with the controller (the base station); it is used for individual authentication and secure communication assurance [19].
For example, the individual key can be used to encrypt sensitive information, such as special instructions and rekeying commands exchanged between a sensor node and the base station. It can also be used for message authentication to get verification of the base station or other nodes.
Since every node in the network shares a unique individual key with the base station, it is neither practical nor efficient for the base station to store all these keys, especially when the network is very large. Thus it is important to adopt a strategy to reduce the storage overhead, which can be achieved by the key generation function $f$.
First of all, it is assumed that each node holds the key establishment function $f$ and an initial key $K_I$, which is derived from the master key $K$ that is only possessed by the controller; all of them are preloaded in the nodes before the key establishment phase. The generation of the individual key for node $A$ (here $A$ indicates the unique ID of node $A$) is as follows:
$$K_A = f(K_I, A). \tag{2}$$
In the above, the function $f$ for key establishment is a pseudorandom function, and it is efficient enough to be used on sensor nodes.
Once the individual key is generated, the related node stores it within its life cycle. Since the base station has full knowledge of the initial key $K_I$ and the efficient establishment function $f$, the storage overhead for individual keys of each sensor node can be reduced.
4.2.2. Pairwise Key Establishment. The pairwise keys of a node are the keys shared with each of its direct neighbors, so the storage overhead of such keys for each node depends on the number of its neighbors [20, 21].
In this protocol, pairwise keys have many uses. For example, a cluster head can use them to encrypt the cluster key, which has to be transmitted to all of its neighbors, to achieve distribution security. They are also a component to improve system security.
However, if such a key mechanism is employed on its own, it will impede passive participation, which is important in saving communication energy. The initial pairwise key establishing process is shown in Figure 2.
The generation of pairwise keys for nodes $A$ and $B$ (here $A$ is assumed to be the node that calls for key establishment) is as follows.
Here node $A$ broadcasts a nonce to all of its direct neighbors to request establishing pairwise keys without authenticating its identity, because if it cannot provide its own identity (namely, it does not own the individual key), it will fail to generate the pairwise key in the following steps:
$$K_{AB} = f(K_B, A). \tag{4}$$
Since node $A$ possesses both the key establishment function $f$ and the initial key $K_I$, it can compute $K_B$ independently and then obtain the pairwise key $K_{AB}$ as well.
Figure 2: Pairwise key establishing phase (messages 1 and 2 exchanged between nodes A and B).
Note that each node has a timer which directs it to perform key erasure when it makes sure that the pairwise key establishment is finished. This process is significant because all the nodes keep the network-wide initial key $K_I$ to help complete the establishment in the initial period, and once the relatively safe period passes, the network faces a great risk that some nodes may be compromised.
So it is suggested that, after a reasonable length of time, the initial key $K_I$ and the neighbors' individual master keys stored in the node all be erased (but its own individual master key will always be held).
In this way, when almost all the pairwise keys are established successfully, no nodes will possess the necessary generating key materials until there is a new group of nodes to be joined. The key erasure mechanism is so necessary that how to control the key erasing time is worth exploring, but it is not an emphasis in this paper.
In addition, it can also be seen from the above equation that after the establishing time (namely, after the related key materials are erased), once node $A$ is compromised by an attacker and a node $A'$ broadcasts a nonce for establishing pairwise keys, it cannot succeed because of this establishment mechanism.
But once the attacker uses $A'$ to take a passive joining strategy, the responding node $A'$ will generate the pairwise key with $B$ (here $B$ is one of a new batch of joining nodes that is asking to establish pairwise keys with its neighbors, including $A'$) as follows: $K_{BA'} = f(K_{A'}, B)$, and then the attacker will be able to inject erroneous packets into the network at will.
For the new added nodes an alternative is proposed to
Here $A$ is a new node that calls for establishing a pairwise key with its neighbor $B$. Here $B$ is an older node that has generated all its own pairwise keys and erased the initial key $K_I$, which makes it unable to generate a new pairwise key.
If $B$ wants to verify the identity of node $A$, the most credible way is asking for the help of the base station.
However, reducing the use of the base station is an important goal here, and the improvement is worth further exploring.
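The derivations of Eqs. (2) and (4) and the effect of erasing $K_I$, as an added example that is not code from the paper. It assumes HMAC-SHA256 as the pseudorandom function $f$; the class, method and function names and all key values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac


def f(key: bytes, data: bytes) -> bytes:
    """Key generation function f; HMAC-SHA256 is an assumed instantiation."""
    return hmac.new(key, data, hashlib.sha256).digest()


class BasicNode:
    """Sensor node of the basic protocol (hypothetical model)."""

    def __init__(self, node_id: bytes, initial_key: bytes):
        self.node_id = node_id
        self.initial_key = initial_key                 # K_I, kept until the timer fires
        self.individual_key = f(initial_key, node_id)  # Eq. (2): K_A = f(K_I, A)
        self.neighbor_keys = {}                        # neighbors' individual keys K_B
        self.pairwise = {}                             # neighbor ID -> K_AB

    def request_pairwise(self, neighbor_id: bytes) -> bool:
        """Requesting side of Eq. (4): derive K_B, then K_AB = f(K_B, A)."""
        if self.initial_key is None:
            return False  # K_I erased: this node can no longer initiate
        k_b = f(self.initial_key, neighbor_id)
        self.neighbor_keys[neighbor_id] = k_b
        self.pairwise[neighbor_id] = f(k_b, self.node_id)
        return True

    def answer_pairwise(self, requester_id: bytes) -> None:
        """Responding side: K_AB = f(K_B, A) needs only the node's own key."""
        self.pairwise[requester_id] = f(self.individual_key, requester_id)

    def timer_expired(self) -> None:
        """Key erasure: drop K_I and the neighbors' individual keys."""
        self.initial_key = None
        self.neighbor_keys.clear()


def base_station_lookup(initial_key: bytes, node_id: bytes) -> bytes:
    """The base station recomputes K_A on demand instead of storing every key."""
    return f(initial_key, node_id)


def demo() -> dict:
    k_i = b"constructed-initial-key-K_I"  # constructed sample value
    a, b = BasicNode(b"A", k_i), BasicNode(b"B", k_i)

    # First batch: A requests, B answers, both hold the same K_AB.
    a.request_pairwise(b"B")
    b.answer_pairwise(b"A")
    first_batch_agree = a.pairwise[b"B"] == b.pairwise[b"A"]

    # The erasure timer fires on the deployed nodes.
    a.timer_expired()
    b.timer_expired()
    old_node_can_initiate = a.request_pairwise(b"C")

    # A node C added later still carries K_I and asks the old node A.
    c = BasicNode(b"C", k_i)
    c.request_pairwise(b"A")
    a.answer_pairwise(b"C")
    late_join_agree = c.pairwise[b"A"] == a.pairwise[b"C"]

    return {
        "first_batch_agree": first_batch_agree,
        "old_node_can_initiate": old_node_can_initiate,
        "late_join_agree": late_join_agree,
        "base_station_matches": base_station_lookup(k_i, b"A") == a.individual_key,
    }
```

After erasure an old node can still answer a request because the responding side uses only its own individual key, which is the passive-join case discussed above.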
4.2.3. Cluster Key Establishment. The cluster key is a key generated by an elected cluster head and shared with its neighbors, and it is mainly used for encrypting local broadcast packets. Its most significant advantage is that it enables in-network processing such as passive participation and data aggregation, which cannot be supported by the pairwise key but could save energy consumption efficiently.
This key establishing process is straightforward, as follows.
Here node $A$ is the elected cluster head and $B_i$ represents one of its immediate neighbors $B_1, B_2, \ldots, B_n$ ($1 \le i \le n$). Cluster head $A$ first generates a key $K_A^C$ randomly, encrypts it with its pairwise keys, and then sends it to each neighbor $B_i$. Node $B_i$ then decrypts the cluster key and stores $K_A^C$ in a table.
When any neighbor of $A$ is revoked, which means that continuing to use the old cluster key is a risk, cluster head $A$ regenerates and transmits the new key $K_A^{C\prime}$ in the same way.
Cluster division and cluster head selection approaches are also worthy of discussion, but they are not an emphasis in this paper. A simple mesh division method based on the virtual cluster idea is shown in Figure 3.
4.2.4. Group Key Establishment. The group key $K_g$ is used for encrypting messages that need to be broadcast to the whole group. Note that, different from the above situations, the key point here is no longer about key establishment or encryption schemes, because there is only one group key shared among the entire network; meanwhile, it does not make sense to encrypt a broadcast message using the master key of each sensor node separately.
It is also because there is only one group key shared among sensor nodes that, once a compromised node is revoked, the rekeying and updating mechanism becomes important.
Figure 3: Mesh division method (legend: cluster head, active node, base station).
$\mu$TESLA [22] is a widely employed protocol due to the high efficiency and perfect tolerance for packet loss. A one-way hash function $H$ is used here to help achieve the process. Firstly, the controller generates a random seed $k_m$ and uses the function $H$ to get a sequence of the following hash values $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ that meets the restriction $\{k_j \mid 0 < j \le m,\ k_{j-1} = H(k_j)\}$.
Then preload this key chain $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ in the base station and use delayed key disclosure to achieve message authentication. Let $A$ be the revoked node and $K'_g$ the new group key; the process is as follows:
$$\text{Base station} \to * : A,\ f(K'_g, 0),\ \mathrm{MAC}_{k_j}(A \mid f(K'_g, 0)). \tag{8}$$
When the verification is done, all the nodes will remove related information of node $A$ and restore the group key $K'_g$ in the table.
Note that the initial group key $K_g$ is preloaded in all the sensor nodes before their deployment, like the initial key $K_I$, but we cannot take $K_I$ also as the group key because it will be erased in a very short time after the pairwise key establishment. The key used for deriving related keys must be protected separately from normal ones.
Figure 4 simply illustrates the authentication mechanism:
$$k_{j-1} = H(k_j). \tag{9}$$
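The key chain of Eq. (9) and the authenticated revocation broadcast of Eq. (8) with delayed key disclosure, as an added example that is not code from the paper. It assumes SHA-256 for $H$ and HMAC-SHA256 for both $f$ and the MAC, a commitment $k_0 = H(k_1)$ preloaded in each node, and interval indices in place of synchronized clocks; checking a later received $K'_g$ against the authenticated $f(K'_g, 0)$ is likewise an assumption, and all names and key values are hypothetical.

```python
import hashlib
import hmac


def H(key: bytes) -> bytes:
    """One-way hash function H of Eq. (9); SHA-256 is an assumed choice."""
    return hashlib.sha256(key).digest()


def f(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, assumed here for both f and the MAC of Eq. (8)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def make_chain(seed: bytes, m: int) -> list:
    """Return [k_0, ..., k_m] with k_m = seed and k_{j-1} = H(k_j)."""
    chain = [seed]
    for _ in range(m):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


class BaseStation:
    def __init__(self, seed: bytes, m: int):
        self.chain = make_chain(seed, m)

    def commitment(self) -> bytes:
        return self.chain[0]  # k_0, preloaded into nodes (assumption)

    def revoke(self, j: int, revoked_id: bytes, new_group_key: bytes):
        """Eq. (8): A, f(K'_g, 0), MAC_{k_j}(A | f(K'_g, 0))."""
        vk = f(new_group_key, b"\x00")
        return (j, revoked_id, vk, f(self.chain[j], revoked_id + b"|" + vk))

    def disclose(self, j: int):
        return (j, self.chain[j])


class SensorNode:
    def __init__(self, commitment: bytes, group_key: bytes, neighbors):
        self.auth_index, self.auth_key = 0, commitment
        self.group_key = group_key
        self.neighbors = set(neighbors)
        self.pending = {}        # interval j -> buffered revocation message
        self.expected_vk = None  # f(K'_g, 0) from an authenticated message

    def receive(self, msg) -> bool:
        """Buffer a message only while its key k_j is still undisclosed."""
        if msg[0] <= self.auth_index:
            return False
        self.pending[msg[0]] = msg
        return True

    def on_disclosure(self, j: int, key: bytes):
        """Authenticate k_j against the last trusted key, then the buffer.

        Returns the list of revoked IDs, or None if the key is rejected.
        """
        if j <= self.auth_index:
            return None
        keys = {j: key}
        for i in range(j - 1, self.auth_index, -1):  # recover skipped keys
            keys[i] = H(keys[i + 1])
        if not hmac.compare_digest(H(keys[self.auth_index + 1]), self.auth_key):
            return None
        revoked = []
        for i in sorted(keys):
            msg = self.pending.pop(i, None)
            if msg is None:
                continue
            _, node_id, vk, tag = msg
            if hmac.compare_digest(tag, f(keys[i], node_id + b"|" + vk)):
                self.neighbors.discard(node_id)
                self.expected_vk = vk
                revoked.append(node_id)
        self.auth_index, self.auth_key = j, key
        return revoked

    def install_group_key(self, candidate: bytes) -> bool:
        """Accept K'_g only if it matches the authenticated f(K'_g, 0)."""
        if self.expected_vk is None:
            return False
        if not hmac.compare_digest(f(candidate, b"\x00"), self.expected_vk):
            return False
        self.group_key, self.expected_vk = candidate, None
        return True
```

A node that missed the disclosure of an earlier interval still authenticates a later key by hashing it back to the last key it trusts, which is the packet-loss tolerance the text attributes to $\mu$TESLA.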
5. Enhanced Protocol
5.1. Requirements Analysis. The design of the basic scheme presented in the previous section is motivated by the observation that a single keying mechanism is not suitable for meeting all the security requirements of different types of exchanged messages.
Figure 4: Using the one-way hash function for source authentication (keys K1 to K5 and packets p1 to p6 along a time axis).
The advantage of this scheme is that a captured node does not threaten the safety of the other nodes as long as the master key $K$ is absolutely safe in the time interval $T_{\min}$.
During the time interval $T_{\min}$, all the nodes of the WSN hold the general master key $K$, and we note that this scheme cannot provide confidentiality when a node is compromised in $T_{\min}$. By using the stolen information, such as the master key $K$, an attacker can easily derive the master keys of all the remaining normal nodes that are deployed in the same time interval, as well as negotiate new pairwise keys with normal nodes in any region, which means that once a node is compromised in the time interval $T_{\min}$, the security of the entire network is in extreme danger.
5.2. Enhanced Scheme. Based on the Diffie-Hellman algorithm above, we present the improved scheme: prior to deployment of the network, each node prestores the large prime number $p$ and its primitive root $a$ instead of the initial key $K_I$, which is derived from the master key $K$.
Note that the generation of the individual key for node $A$ is still the same:
$$K_A = f(K_I, A). \tag{10}$$
Different from the basic scheme, this process is completed once the node is deployed; after that, the information of the initial key $K_I$ is deleted. Thus the attacker cannot get any information about the initial key $K_I$ or the master key $K$ even if the node is compromised during the working period.
Since the node no longer keeps the initial key $K_I$, which is required to participate in the relevant calculations (function) in the pairwise key generating process, the basic scheme cannot be achieved. For this situation, the following improvements are made.
Give a key evolution function to each node. Take nodes $A$ and $B$ as examples:
$$X_A = h(A \mid K_A) \bmod p, \qquad X_B = h(B \mid K_B) \bmod p. \tag{11}$$
Then calculate the public message:
$$Y_A = a^{X_A} \bmod p, \qquad Y_B = a^{X_B} \bmod p. \tag{12}$$
The pairwise key generation process is as follows:
$$A \to * : \mathrm{Nonce}_A,\ Y_A$$
$$B \to A : \mathrm{MAC}_{K_{AB}}(B \mid Y_B),\ B,\ Y_B. \tag{13}$$
Here node $A$ broadcasts a nonce to all its direct neighbors to ask for pairwise key establishment and broadcasts the public message $Y_A$ at the same time. When its neighbor (take node $B$ for example) receives the message, it first verifies the legitimacy of $Y_A$ and then calculates the pairwise key using the following function:
$$K_{AB} = (Y_A)^{X_B} \bmod p. \tag{14}$$
After that, node $B$ sends the messages $B$ and $Y_B$ back to the asking node $A$ and sends a message $\mathrm{MAC}_{K_{AB}}(B \mid Y_B)$ to authenticate its identity. If node $B$ cannot respond to node $A$ in this way, it means that node $B$ cannot get $K_{AB}$ by only making use of $Y_A$; node $B$ is then considered untrusted. In addition, node $A$ does not need to send an authenticating message back to node $B$ anymore, because if it cannot prove its own identity (namely, it cannot get $K_{AB}$ by only making use of $Y_B$), it will fail to generate the pairwise key $K_{AB}$.
Compared with the basic protocol, the most obvious improvement of the enhanced protocol is that it makes use of the Diffie-Hellman algorithm to generate pairwise keys instead of storing the initial key $K_I$ for a certain period of time. Thus, even if a node is compromised in $T_{\min}$, the attacker can merely get the key information related to the compromised node, which means that only limited security threats can be caused, avoiding the disruption of the entire network caused by losing the initial key $K_I$. Despite the slight increment in the computational overhead, the security of the WSN is greatly improved.
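Both sides of the exchange in Eqs. (10) to (14), as an added example that is not code from the paper. It assumes HMAC-SHA256 for $f$ and the MAC, SHA-256 for $h$, a range check as the unspecified legitimacy test on a received public value, and that the responder learns the requester's ID from the frame's source address; the 31-bit prime is a toy parameter chosen for readability (a deployment needs a vetted large group), and all names and key values are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy public parameters (assumption): p = 2**31 - 1 is prime and 7 is a
# primitive root modulo p. Far too small for deployment; used for readability.
P = 2**31 - 1
A_ROOT = 7
P_LEN = (P.bit_length() + 7) // 8


def f(key: bytes, data: bytes) -> bytes:
    """PRF f and the MAC; HMAC-SHA256 is an assumed instantiation."""
    return hmac.new(key, data, hashlib.sha256).digest()


def h(data: bytes) -> int:
    """Hash h of Eq. (11); SHA-256 is an assumed instantiation."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def enc(n: int) -> bytes:
    """Fixed-length big-endian encoding of a value modulo p."""
    return n.to_bytes(P_LEN, "big")


def valid_public(y: int) -> bool:
    """Assumed legitimacy check on a received Y: reject 0, 1, p-1 and
    anything outside the range of residues modulo p."""
    return 1 < y < P - 1


class EnhancedNode:
    def __init__(self, node_id: bytes, initial_key: bytes):
        self.node_id = node_id
        self.individual_key = f(initial_key, node_id)          # Eq. (10)
        self.x = h(node_id + b"|" + self.individual_key) % P   # Eq. (11)
        self.y = pow(A_ROOT, self.x, P)                        # Eq. (12)
        self.pairwise = {}
        # initial_key is not stored: K_I is deleted once deployment is done.

    def _shared(self, y_peer: int) -> bytes:
        return enc(pow(y_peer, self.x, P))                     # Eq. (14)

    def request(self):
        """A -> *: Nonce_A, Y_A (first message of Eq. (13))."""
        return secrets.token_bytes(8), self.y

    def respond(self, sender_id: bytes, nonce: bytes, y_peer: int):
        """B -> A: MAC_{K_AB}(B | Y_B), B, Y_B, or None if Y_A is rejected.

        sender_id is taken from the frame's source address (assumption).
        """
        if not valid_public(y_peer):
            return None
        k_ab = self._shared(y_peer)
        self.pairwise[sender_id] = k_ab
        return f(k_ab, self.node_id + b"|" + enc(self.y)), self.node_id, self.y

    def accept(self, tag: bytes, peer_id: bytes, y_peer: int) -> bool:
        """A verifies B's MAC; on failure B is treated as untrusted."""
        if not valid_public(y_peer):
            return False
        k_ab = self._shared(y_peer)
        if not hmac.compare_digest(tag, f(k_ab, peer_id + b"|" + enc(y_peer))):
            return False
        self.pairwise[peer_id] = k_ab
        return True


def handshake(a: EnhancedNode, b: EnhancedNode) -> bool:
    """Run Eq. (13) between requester a and responder b."""
    nonce, y_a = a.request()
    reply = b.respond(a.node_id, nonce, y_a)
    return reply is not None and a.accept(*reply)
```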
6. Performance Evaluation
The ability of the protocol to fight against various kinds of attacks is discussed in detail in the above sections. This section analyzes the storage requirement and energy efficiency.
6.1. Storage Requirement. In the basic protocol, a node needs to store four types of keys. Considering a node with $m$ neighbors in the WSN, it needs to store one individual key, $m$ cluster keys, $m$ pairwise keys, and one group key. In the enhanced protocol, each node stores the same number of keys as in the basic protocol.
When the key establishment is complete in a network having a scale of $N$, there is an upper limit on the number of keys to be stored in the nodes, including $N$ individual keys, $C(N, 2)$ pairwise keys, $N/2$ cluster keys, and $N$ group keys (though there is only one group key in a certain period), which add up to $(5/2)N + (N/2)(N-2) = (N^2 + 3N)/2$, and the average for each node is $5/2 + (N-1)/2(N-2) = N/2 + 2$.
Note that the communication distance of a sensor node is limited, so the network will not reach such a high complexity that each two nodes are connected.
In addition, using an efficient clustering method can reduce the number of required cluster keys, and the real storage complexity is much smaller.
Although memory is a quite scarce resource for the current generation of nodes in WSNs, for a reasonable degree storage is not an issue in our protocol. For example, 100 keys take 800 bytes in total when the key size is 8 bytes.
6.2. Communication Cost. In this paper, the average communication cost increases with the connection degree of a sensor network and decreases with the network size $N$. Efficient preloaded functions are widely used, which greatly reduces the message exchanges in the key establishing phase so as to save communication cost. What's more, the use of the local cluster key enables in-network data processing, which also helps achieve communication and energy efficiency.
It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.
6.3. Computational Cost. Functions used in the proposed protocols are all of high computational efficiency. For example, the pseudorandom function $f$ is employed as the key generation function, and the computational cost will be negligible when it is used in the key establishment process. In the enhanced protocol, although the computational cost is slightly increased by using the Diffie-Hellman algorithm, we believe that the computational overhead is acceptable for a network of reasonable density in our protocols. For example, for a WSN of size $N = 1000$ and connection degree of 20, the average computational cost is 27 symmetric key operations per node per revocation, and a larger $N$ will reduce the cost further.
Overall, we conclude that the protocols proposed in this study are scalable and efficient enough in storage, communication, and computation.
7. Security Analysis
This section analyzes the security of the key management protocols. The survivability of the network is discussed when undetected compromised nodes occur, and the robustness of the proposed schemes is studied in defending against various attacks.
7.1. Survivability. Once a sensor node $A$ is compromised, the adversary can launch attacks by utilizing the keying materials of node $A$. If the threat is detected somehow, the protocols can revoke node $A$ efficiently and update the information of nodes quickly throughout the whole network. Basically, each neighbor of the compromised node $A$ could delete its pairwise key shared with node $A$ as well as update the cluster key. The group key could also be updated efficiently by making use of the $\mu$TESLA mechanism. When the revocation is completed, the adversary cannot launch further attacks anymore.
However, security detection in WSNs is more difficult than in other systems, since sensor systems are often deployed in unattended environments. Thus the survivability of the network is one of the most important security requirements when compromised nodes are not detected.
Firstly, because the individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.
Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which can be used by the attacker to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study, the attacker usually has to achieve such attacks by making use of the identity of the captured node.
Note that a salient feature of the proposed protocols is the ability to localize possible threats. This is because, after the deployment of the network and the pairwise key establishing phase, every node will keep a list of trusted neighbor nodes. As a compromised node and its copy nodes cannot establish a trust relationship with other nodes except its neighbors, the attacker can only damage secure links within a limited range.
Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. The broadcast messages, by their nature, are intended to be received by all the nodes in the network. Thus compromising any single node is enough to possess such a message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the $\mu$TESLA mechanism.
7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.
An inside attacker may attempt to alter and replay routing information to create routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.
In this paper, the schemes cannot protect the WSNs from such attacks; however, the schemes can hinder or minimize the consequences caused by such attacks.
First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.
Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching such attacks. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible, since the related sending node may overhear the forwarded messages altered by the captured node.
Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.
The proposed protocol can protect WSNs from the following attacks.
Sybil Attacks. In Sybil attacks, the attacker may replicate the captured node and deploy multiple replicas into the original network. With the help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen in the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.
HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network by increasing the transmission power to be high enough to make all the nodes convinced that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and some other packets in vain. However, it cannot succeed in the proposed protocols because the attacker does not have a network-wide key for authentication.
It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages to the entire network from the base station.
7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.
In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in the WSNs.
In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, to create a sinkhole. Moreover, nodes which are multiple hops away may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch the wormhole attack, such an attack is very powerful in practice [24].
In the proposed protocols, an outside attacker cannot succeed in launching the wormhole attack except in the neighbor discovery process, since a node will know all its neighbor nodes after the pairwise key is established, which means that the attacker cannot convince two distant nodes to believe that they are neighbors of each other.
Because the time of the neighbor discovery process is very short (usually seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors once the neighbor discovery phase is finished. The authenticated neighborhood information is critical in dealing with the wormhole attacks.
In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station turns smaller, node $B$ will be especially attractive to surrounding nodes. In practice, the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and then sensor nodes will know the approximate number of hops from the base station. Thus it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.
7.4. Conclusion. This paper proposes a basic key management protocol based on an initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.
To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.
The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to the original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.
This paper presents a proposal for key establishment and achieves security mainly based on the combined application of four kinds of keys. This is a critical step, and how to use such keys to build a protection mechanism is a focus of our future research.
Notations
$N$: The number of nodes in the network
$A$, $B$: Two communicating nodes in the network (also represents the node identifier)
$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$
$H(K)$: One-way hash function to generate a chain of keys using the seed $K$
$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$
$K$: The master key only possessed by base station
$K_A$: Individual key of node $A$
$E_K(m)$: Encryption of message $m$ with a symmetric key $K$
$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$
$A \to B : M$: Node $A$ sends a message $M$ to node $B$
$A \to * : M$: Node $A$ sends a local broadcast message $M$ to all its neighbors
$h(m)$: Calculate hash value of message $m$
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).
References
[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "Wireless sensor networks: a survey," Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.
[2] X. He, M. Niedermeier, and H. de Meer, "Dynamic key management in wireless sensor networks: a survey," Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.
[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, "A unified security framework with three key management schemes for wireless sensor networks," Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.
[4] C. Intanaonwiwat, R. Govindan, and D. Estrin, "Directed diffusion: a scalable and robust communication paradigm for sensor networks," in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.
[5] A. Manjeshwar and D. P. Agrawal, "TEEN: a routing protocol for enhanced efficiency in wireless sensor networks," in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS '01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.
[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom '01), pp. 189–199, Rome, Italy, July 2001.
[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.
[8] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.
[9] H. O. Sanli, S. Ozdemir, and H. Cam, "SRDA: secure reference-based data aggregation protocol for wireless sensor networks," in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC '04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.
[10] T. Dimitriou and I. Krontiris, "A localized, distributed protocol for secure information exchange in sensor networks," in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), pp. 37–45, IEEE, April 2005.
[11] S. Zhu, S. Setia, and S. Jajodia, "LEAP: efficient security mechanisms for large-scale distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 62–72, ACM, New York, NY, USA, October 2003.
[12] J. Shen and L. Xu, "Cluster-based key pre-distribution scheme for wireless sensor networks," Journal of Wuhan University, Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).
[13] X. Huang, M. Yang, and S.-S. Lv, "Secure and efficient key management protocol for wireless sensor network and simulation," Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.
[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS '12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.
[15] L.-C. Li, J.-H. Li, and J. Pan, "Self-healing group key management scheme with revocation capability for wireless sensor networks," Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.
[16] Z. Ming, W. Suo-ping, and X. He, "Dynamic key management scheme for wireless sensor networks based on cluster," Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.
[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, "Transitory initial key-based key management protocol in wireless sensor networks," Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.
[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, "A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE802.16e wireless networks," Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.
[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, "Fine-grained access control system based on outsourced attribute-based encryption," in Computer Security – ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013, Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.
[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, "Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach," in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP '03), pp. 326–335, Atlanta, Ga, USA, November 2003.
[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, Washington, DC, USA, October 2003.
[22] D. Liu and P. Ning, "Multi-level μTESLA: broadcast authentication for distributed sensor networks," ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.
[23] J. Li, Q. Wang, C. Wang, and K. Ren, "Enhancing attribute-based encryption with attribute hierarchy," Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.
[24] Y. S. Lee, J. W. Park, and L. Barolli, "A localization algorithm based on AOA for ad-hoc sensor networks," Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.
(ii) The sensor network is static (sensor nodes are not mobile) after deployment.
(iii) Sensor nodes have similar computational and communication capabilities.
(iv) Transmission power of nodes can be adjusted to control the propagation distance.
(v) The base station has enough energy supply and computing power.
(vi) The attacker has the ability to eavesdrop on all the channels as well as to replay former messages and inject malicious packets.
(vii) Once a node is captured, all the stored information will be obtained by the adversary.
(viii) Every node has enough space to store hundreds of bytes for key establishment materials.
(ix) Each node has some degree of ability to resist attack, and it will not be captured within a limited period of time.
4. Protocol Description
This section introduces the basic protocol in detail, including four kinds of secure key establishment mechanisms that satisfy various secure communication requirements, and mechanisms for key erasure and update.
4.1. Overview. As discussed above, a single key mechanism cannot provide appropriate protection for all the required communication in WSNs. Moreover, security performance and resource consumption have to be balanced when making use of different kinds of keys.
The degree of key sharing in the security mechanism has to be taken into consideration. For example, if unique pairwise keys are used for every two nodes in the WSN to guarantee secure communication, a node captured by an attacker will not reveal any security information of other normal nodes, which is ideal for preventing threats to the entire network. However, it requires significant communication bandwidth and energy resources, which is quite inefficient.
On the contrary, if only a network-wide key is used for authentication and encryption, no communication between nodes is required for the establishment of additional keys, and the storage costs and energy consumption can also be minimized. However, the security will be extremely poor. Once any node in the system is captured by an attacker, the whole network is at enormous risk.
4.2. Key Establishment. In this section, the establishment of four kinds of keys is discussed in detail, as well as their characteristics and abilities to resist attacks.
4.2.1. Individual Key Establishment. The individual key is a unique key of each sensor node that is shared with the controller (the base station); it is used for individual authentication and secure communication assurance [19].
For example, the individual key can be used to encrypt sensitive information, such as special instructions and rekeying commands exchanged between a sensor node and the base station. It can also be used for message authentication to get verification of the base station or other nodes.
Since every node in the network shares a unique individual key with the base station, it is neither practical nor efficient for the base station to store all these keys, especially when the network is very large. Thus it is important to adopt a strategy to reduce the storage overhead, which can be achieved by the key generation function $f$.
First of all, it is assumed that each node holds the key establishment function $f$ and an initial key $K_I$, which is derived from the master key $K$ that is only possessed by the controller; all of them are preloaded in the nodes before the key establishment phase. The generation of the individual key for node $A$ (here $A$ indicates the unique ID of node $A$) is as follows:
$$K_A = f(K_I, A) \tag{2}$$
In the above, the function $f$ for key establishment is a pseudorandom function, and it is efficient enough to be used on sensor nodes.
Once the individual key is generated, the node stores it throughout its life cycle. Since the base station has full knowledge of the initial key $K_I$ and the efficient establishment function $f$, the storage overhead for the individual keys of each sensor node can be reduced.
4.2.2. Pairwise Key Establishment. The pairwise keys of a node are the keys shared with each of its direct neighbors, so the storage overhead of such keys for each node depends on the number of its neighbors [20, 21].
In this protocol, pairwise keys have many uses. For example, a cluster head can use them to encrypt the cluster key, which has to be transmitted to all of its neighbors, to achieve distribution security. They are also a component for improving system security.
However, if this key mechanism is employed on its own, it will impede passive participation, which is important in saving communication energy. The initial pairwise key establishing process is shown in Figure 2.
The generation of pairwise keys for nodes $A$ and $B$ (here $A$ is assumed to be the node that calls for key establishment) is as follows
Here node $A$ broadcasts a nonce to all of its direct neighbors to request establishing pairwise keys, without authenticating its identity, because if it cannot provide its own identity (namely, it does not own the individual key), it will fail to generate the pairwise key in the following steps:
$$K_{AB} = f(K_B, A) \tag{4}$$
Since node $A$ possesses both the key establishment function $f$ and the initial key $K_I$, it can compute $K_B$ independently and then obtain the pairwise key $K_{AB}$ as well.
Figure 2: Pairwise key establishing phase.
Note that each node has a timer which triggers key erasure once the node is sure that pairwise key establishment is finished. This process is significant because all the nodes keep the network-wide initial key $K_I$ to help complete the establishments in the initial period; once the relatively safe period has passed, there is a great risk that some nodes may be compromised.
So it is suggested that, after a reasonable length of time, the initial key $K_I$ and the neighbors' individual master keys stored in the node all be erased (but the node's own individual master key will always be held).
In this way, when almost all the pairwise keys are established successfully, no node will possess the necessary key generation materials until a new group of nodes joins. The key erasure mechanism is so necessary that how to control the key erasing time is worth exploring, but it is not an emphasis in this paper.
In addition, it can be seen from the above equation that after the establishing time, namely, once the related key materials are erased, if node $A$ is compromised by an attacker and a node $A'$ broadcasts a nonce for establishing pairwise keys, it cannot succeed due to this establishment mechanism.
But once the attacker uses $A'$ to take a passive joining strategy, the responding node $A'$ will generate the pairwise key with $B$ (here $B$ is one of a new batch of joining nodes that is asking to establish pairwise keys with its neighbors, including $A'$) as follows: $K_{BA'} = f(K_{A'}, B)$, and then the attacker will be able to inject erroneous packets into the network at will.
For the new added nodes an alternative is proposed to
Here $A$ is a new node that calls for establishing a pairwise key with its neighbor $B$. Here $B$ is an older node that has generated all its own pairwise keys and erased the initial key $K_I$, which makes it unable to generate a new pairwise key.
If $B$ wants to verify the identity of node $A$, the most credible way is asking for the help of the base station.
However, reducing the use of the base station is an important goal here, and the improvement is worth further exploring.
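The derivations of Sections 4.2.1 and 4.2.2, including the erasure timer and a node that joins later, as an added example (not the authors' code). It assumes truncated HMAC-SHA256 for $f$ and follows Eq. (4), where the responder needs only its own individual key; the class and method names are hypothetical.

```python
import hashlib
import hmac

KEY_LEN = 8  # bytes; matches the 8-byte key size used in the paper's storage estimate


def f(key: bytes, data: bytes) -> bytes:
    """Assumed stand-in for the pseudorandom function f(K, x): truncated HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()[:KEY_LEN]


class BaseStation:
    """Stores K_I only and recomputes a node's individual key when needed."""

    def __init__(self, initial_key: bytes):
        self._k_i = initial_key

    def individual_key(self, node_id: bytes) -> bytes:
        return f(self._k_i, node_id)  # K_A = f(K_I, A), Eq. (2)


class Node:
    def __init__(self, node_id: bytes, initial_key: bytes):
        self.node_id = node_id
        self._k_i = initial_key                # preloaded; dropped when the timer fires
        self.k_self = f(initial_key, node_id)  # own individual key, kept for life
        self.pairwise = {}                     # neighbor ID -> pairwise key

    def initiate(self, neighbor_id: bytes) -> bytes:
        """Requesting side (node A): rebuilds K_B from K_I, then K_AB = f(K_B, A)."""
        if self._k_i is None:
            raise PermissionError("K_I erased: this node can no longer initiate")
        k_neighbor = f(self._k_i, neighbor_id)
        self.pairwise[neighbor_id] = f(k_neighbor, self.node_id)
        return self.pairwise[neighbor_id]

    def respond(self, requester_id: bytes) -> bytes:
        """Responding side (node B): needs only its own key, K_AB = f(K_B, A)."""
        self.pairwise[requester_id] = f(self.k_self, requester_id)
        return self.pairwise[requester_id]

    def erase_initial_key(self) -> None:
        """Timer expiry. A real mote must overwrite the key in RAM and flash;
        dropping the reference here only models the state change."""
        self._k_i = None

    def stored_secrets(self) -> dict:
        """What an adversary reads out of a captured node (assumption vii)."""
        return {"K_I": self._k_i, "K_self": self.k_self, "pairwise": dict(self.pairwise)}


def demo() -> dict:
    k_i = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key
    station = BaseStation(k_i)
    a, b = Node(b"A", k_i), Node(b"B", k_i)

    k_ab_at_a = a.initiate(b"B")
    k_ab_at_b = b.respond(b"A")
    a.erase_initial_key()
    b.erase_initial_key()

    # A node added later still carries K_I and asks the old node A for a key.
    c = Node(b"C", k_i)
    k_ca_at_c = c.initiate(b"A")
    k_ca_at_a = a.respond(b"C")

    try:
        a.initiate(b"C")
        old_node_can_initiate = True
    except PermissionError:
        old_node_can_initiate = False

    return {
        "pairwise_match": k_ab_at_a == k_ab_at_b,
        "late_join_match": k_ca_at_c == k_ca_at_a,
        "old_node_can_initiate": old_node_can_initiate,
        "station_recomputes_k_a": station.individual_key(b"A") == a.k_self,
        "captured_a_holds_k_i": a.stored_secrets()["K_I"] is not None,
    }
```

After the timer fires, a captured node yields its own individual key and its pairwise keys but not $K_I$, which is the containment property the erasure step is meant to provide.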
4.2.3. Cluster Key Establishment. The cluster key is a key generated by an elected cluster head and shared with its neighbors, and it is mainly used for encrypting local broadcast packets. Its most significant advantage is that it enables in-network processing, such as passive participation and data aggregation, which cannot be supported by the pairwise key but can save energy efficiently.
This key establishing process is as follows
Here node $A$ is the elected cluster head and $B_i$ represents one of its immediate neighbors $B_1, B_2, \ldots, B_n$ ($1 \le i \le n$). Cluster head $A$ first generates a key $K_A^C$ randomly, encrypts it with its pairwise keys, and then sends it to each neighbor $B_i$. Node $B_i$ then decrypts the cluster key and stores $K_A^C$ in a table.
When any neighbor of $A$ is revoked, which means there is a risk in continuing to use the old cluster key, cluster head $A$ regenerates a cluster key $K_A^{C\prime}$ and transmits it in the same way.
Cluster division and cluster head selection approaches are also worthy of discussion, but they are not an emphasis in this paper. A simple mesh division method based on the virtual cluster idea is shown in Figure 3.
4.2.4. Group Key Establishment. The group key $K_g$ is used for encrypting messages that need to be broadcast to the whole group. Note that, different from the above situations, the key point here is no longer key establishment or encryption schemes, because there is only one group key shared among the entire network; meanwhile, it does not make sense to encrypt a broadcast message using the master key of each sensor node separately.
Also, because there is only one group key shared among the sensor nodes, once a compromised node is revoked, the rekeying and updating mechanism becomes important.
Figure 3: Mesh division method (legend: cluster head, active node, base station).
μTESLA [22] is a widely employed protocol due to its high efficiency and perfect tolerance for packet loss. A one-way hash function $H$ is used here to help achieve the process. Firstly, the controller generates a random seed $k_m$ and uses the function $H$ to get a sequence of hash values $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ that meets the restriction $\{k_j \mid 0 < j \le m,\ k_{j-1} = H(k_j)\}$.
Then this key chain $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ is preloaded in the base station, and delayed key disclosure is used to achieve message authentication. Let $A$ be the revoked node and $K'_g$ the new group key; the process is as follows:
$$\text{Base station} \longrightarrow \ast : A,\ f(K'_g, 0),\ \mathrm{MAC}_{k_j}\big(A \mid f(K'_g, 0)\big) \tag{8}$$
When the verification is done, all the nodes will remove the related information of node $A$ and store the group key $K'_g$ in the table.
Note that the initial group key $K_g$ is preloaded in all the sensor nodes before their deployment, like the initial key $K_I$, but we cannot take $K_I$ also as the group key, because it will be erased a very short time after the pairwise key establishment. The key used for deriving related keys must be protected separately from normal ones.
Figure 4 simply illustrates the authentication mechanism:
$$k_{j-1} = H(k_j) \tag{9}$$
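The revocation broadcast of Eq. (8) and the chain rule of Eq. (9) seen from the receiving node, as an added example (not the authors' code). It assumes SHA-256 for $H$, HMAC-SHA256 for both $f$ and the MAC, and a commitment $k_0 = H(k_1)$ preloaded in every node; all names are hypothetical.

```python
import hashlib
import hmac

def H(k: bytes) -> bytes:
    """One-way function for the key chain (assumed: SHA-256)."""
    return hashlib.sha256(k).digest()

def prf(key: bytes, data: bytes) -> bytes:
    """Assumed stand-in for both f(K, x) and MAC_K(m): HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def encode(node_id: bytes, verifier: bytes) -> bytes:
    """Unambiguous encoding of A | f(K'_g, 0)."""
    return len(node_id).to_bytes(2, "big") + node_id + verifier

def make_chain(seed: bytes, m: int) -> list:
    """Return [k_0, ..., k_m] with k_m = seed and k_{j-1} = H(k_j)."""
    chain = [seed]
    for _ in range(m):
        chain.append(H(chain[-1]))
    return chain[::-1]

class BaseStation:
    def __init__(self, seed: bytes, m: int):
        self.chain = make_chain(seed, m)

    def commitment(self) -> bytes:
        return self.chain[0]  # k_0, preloaded into every node (assumption)

    def revoke(self, j: int, node_id: bytes, new_group_key: bytes) -> tuple:
        verifier = prf(new_group_key, b"\x00")               # f(K'_g, 0)
        tag = prf(self.chain[j], encode(node_id, verifier))  # MAC_{k_j}(A | f(K'_g, 0))
        return (j, node_id, verifier, tag)

    def disclose(self, j: int) -> tuple:
        return (j, self.chain[j])  # sent only after the interval keyed by k_j is over

class SensorNode:
    def __init__(self, commitment: bytes):
        self.index, self.key = 0, commitment  # newest authenticated chain key
        self.pending, self.revoked = [], set()
        self.group_key_verifier = None        # f(K'_g, 0) from the last accepted message

    def receive(self, msg: tuple) -> bool:
        """Buffer a revocation message until its key is disclosed."""
        if msg[0] <= self.index:
            return False  # k_j is already public, so the tag proves nothing
        self.pending.append(msg)
        return True

    def on_disclosure(self, j: int, key: bytes) -> list:
        """Authenticate k_j against the stored key, then check buffered tags."""
        if j <= self.index:
            return []
        probe = key
        for _ in range(j - self.index):  # covers disclosures lost in between
            probe = H(probe)
        if not hmac.compare_digest(probe, self.key):
            return []
        self.index, self.key = j, key
        accepted, waiting = [], []
        for msg in self.pending:
            mj, node_id, verifier, tag = msg
            if mj > j:
                waiting.append(msg)
                continue
            k = key
            for _ in range(j - mj):
                k = H(k)  # recover an older interval key from the newer one
            if hmac.compare_digest(tag, prf(k, encode(node_id, verifier))):
                self.revoked.add(node_id)
                self.group_key_verifier = verifier
                accepted.append(node_id)
        self.pending = waiting
        return accepted

def demo() -> dict:
    seed = bytes.fromhex("a1" * 16)    # constructed k_m
    new_gk = bytes.fromhex("5c" * 16)  # constructed K'_g
    station = BaseStation(seed, m=5)
    node = SensorNode(station.commitment())
    genuine = station.revoke(2, b"A", new_gk)
    forged = (2, b"B", genuine[2], bytes(32))             # tag not made with k_2
    buffered = node.receive(genuine) and node.receive(forged)
    bad_key = node.on_disclosure(2, bytes(32))            # key that is not on the chain
    accepted = node.on_disclosure(*station.disclose(2))   # the disclosure of k_1 was lost
    late = node.receive(station.revoke(2, b"C", new_gk))  # arrives after k_2 is public
    return {"buffered": buffered, "bad_key": bad_key, "accepted": accepted,
            "late": late, "revoked": node.revoked}
```

The node acts on a revocation only after the disclosed key hashes back to a key it already trusts, and it refuses any message for an interval whose key has already been disclosed.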
5. Enhanced Protocol
5.1. Requirements Analysis. The design of the basic scheme presented in the previous section is motivated by the observation that a single keying mechanism is not suitable for meeting all the security requirements of the different types of exchanged messages.
Figure 4: Using the one-way hash function for source authentication (keys $K_1$ to $K_5$ and packets $p_1$ to $p_6$ along a time axis).
The advantage of this scheme is that a captured node does not threaten the safety of the other nodes, provided that the master key $K$ is absolutely safe in the time interval $T_{\min}$.
During the time interval $T_{\min}$, all the nodes of the WSN hold the general master key $K$, and we note that this scheme cannot provide confidentiality when a node is compromised in $T_{\min}$. By using stolen information such as the master key $K$, an attacker can easily derive the master keys of all the other normal nodes that are deployed in the same time interval, as well as negotiate new pairwise keys with normal nodes in any region, which means that once a node is compromised in the time interval $T_{\min}$, the security of the entire network is in extreme danger.
5.2. Enhanced Scheme. The improved scheme is based on the Diffie-Hellman algorithm presented above: prior to deployment of the network, each node prestores the large prime number $p$ and its primitive root $a$ instead of the initial key $K_I$, which is derived from the master key $K$.
Note that the generation of the individual key for node $A$ is still the same:
$$K_A = f(K_I, A) \tag{10}$$
Different from the basic scheme, this process is completed once the node is deployed; after that, the information of the initial key $K_I$ is deleted. Thus the attacker cannot get any information about the initial key $K_I$ or the master key $K$ even if the node is compromised during the working period.
Since the node no longer keeps the initial key $K_I$, which is required to participate in the relevant calculations (function) in the pairwise key generating process, the basic scheme cannot be carried out. For this situation, the following improvements are made.
A key evolution function is given to each node. Take nodes $A$ and $B$ for example:
$$\begin{aligned} X_A &= h(A \mid K_A) \bmod p, \\ X_B &= h(B \mid K_B) \bmod p. \end{aligned} \tag{11}$$
Then calculate the public message:
$$\begin{aligned} Y_A &= a^{X_A} \bmod p, \\ Y_B &= a^{X_B} \bmod p. \end{aligned} \tag{12}$$
The pairwise key generation process is as follows:
$$\begin{aligned} A &\longrightarrow \ast : \mathrm{Nonce}_A,\ Y_A, \\ B &\longrightarrow A : \mathrm{MAC}_{K_{AB}}(B \mid Y_B),\ B,\ Y_B. \end{aligned} \tag{13}$$
Here node $A$ broadcasts a nonce to all its direct neighbors to ask to establish pairwise keys and broadcasts the public message $Y_A$ at the same time. When a neighbor (take node $B$ for example) receives the message, it first verifies the legitimacy of $Y_A$ and then calculates the pairwise key using the following function:
$$K_{AB} = (Y_A)^{X_B} \bmod p \tag{14}$$
After that, node $B$ sends the messages $B$ and $Y_B$ back to the asking node $A$ and sends a message $\mathrm{MAC}_{K_{AB}}(B \mid Y_B)$ to authenticate its identity. If node $B$ cannot respond to node $A$ in this way, it means node $B$ cannot get $K_{AB}$ by using only $Y_A$, and node $B$ is then considered untrusted. In addition, node $A$ does not need to send an authenticating message back to node $B$, because if it cannot prove its own identity (namely, it cannot get $K_{AB}$ by using only $Y_B$), it will fail to generate the pairwise key $K_{AB}$.
Compared with the basic protocol, the most obvious improvement of the enhanced protocol is that it uses the Diffie-Hellman algorithm to generate pairwise keys instead of storing the initial key $K_I$ for a certain period of time. Thus, even if a node is compromised in $T_{\min}$, the attacker can merely get the key information related to the compromised node, which means only limited security threats can be caused, avoiding the disruption of the entire network caused by losing the initial key $K_I$. Despite the slight increase in computational overhead, the security of the WSN is greatly improved.
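The enhanced exchange of Eqs. (10) to (14) with both sides' messages, as an added example (not the authors' code). Assumptions: SHA-256 for $h$, HMAC-SHA256 for $f$ and the MAC, a range check standing in for the unspecified legitimacy test on $Y_A$, and a 62-bit demonstration group generated on the fly in place of the preloaded large prime; all names are hypothetical.

```python
import hashlib
import hmac

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Miller-Rabin; these bases make it deterministic for n < 2**64."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in _BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_group(bits: int = 62) -> tuple:
    """First safe prime p = 2q + 1 at or above 2**(bits-1) and a primitive root a.
    Demonstration size only; a deployment would preload a much larger group."""
    q = (1 << (bits - 2)) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    a = next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)
    return p, a

def f(key: bytes, data: bytes) -> bytes:
    """Assumed stand-in for f(K, x) and MAC_K(m): HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def h_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class Node:
    def __init__(self, node_id: bytes, k_initial: bytes, p: int, a: int):
        self.node_id, self.p, self.a = node_id, p, a
        self.k_self = f(k_initial, node_id)                # K_A = f(K_I, A), Eq. (10)
        self.x = h_int(node_id + b"|" + self.k_self) % p   # X_A = h(A | K_A) mod p, Eq. (11)
        self.y = pow(a, self.x, p)                         # Y_A = a^X_A mod p, Eq. (12)
        # k_initial is not kept: K_I never resides on a deployed node.

    def _key_from(self, y_peer: int) -> bytes:
        # Assumed legitimacy check: only values in 2..p-2 are accepted.
        if not 1 < y_peer < self.p - 1:
            raise ValueError("public value out of range")
        shared = pow(y_peer, self.x, self.p)               # Eq. (14)
        return shared.to_bytes((self.p.bit_length() + 7) // 8, "big")

    def _mac(self, key: bytes, node_id: bytes, y: int) -> bytes:
        y_bytes = y.to_bytes((self.p.bit_length() + 7) // 8, "big")
        return f(key, node_id + b"|" + y_bytes)            # MAC_{K_AB}(B | Y_B)

    def request(self, nonce: bytes) -> tuple:
        return (nonce, self.y)                             # A -> *: Nonce_A, Y_A

    def respond(self, request: tuple) -> tuple:
        _nonce, y_a = request  # Eq. (13) carries the nonce but does not MAC it
        k_ab = self._key_from(y_a)
        return (self._mac(k_ab, self.node_id, self.y), self.node_id, self.y), k_ab

    def finish(self, response: tuple):
        """Initiator side: return K_AB, or None if the responder is untrusted."""
        tag, peer_id, y_b = response
        try:
            k_ab = self._key_from(y_b)
        except ValueError:
            return None
        if not hmac.compare_digest(tag, self._mac(k_ab, peer_id, y_b)):
            return None
        return k_ab

def demo() -> dict:
    p, a = demo_group()
    k_i = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; deployment only
    node_a, node_b = Node(b"A", k_i, p, a), Node(b"B", k_i, p, a)
    response, k_at_b = node_b.respond(node_a.request(b"constructed-nonce"))
    k_at_a = node_a.finish(response)
    tag, peer, y_b = response
    return {
        "keys_match": k_at_a is not None and k_at_a == k_at_b,
        "altered_y_rejected": node_a.finish((tag, peer, (y_b * a) % p)) is None,
        "degenerate_y_rejected": node_a.finish((tag, peer, 1)) is None,
        "k_i_stored": any(v == k_i for v in vars(node_a).values()),
    }
```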
6. Performance Evaluation
The ability of the protocol to resist various kinds of attacks is discussed in detail in the above sections. This section analyzes the storage requirement and energy efficiency.
6.1. Storage Requirement. In the basic protocol, a node needs to store four types of keys. Considering a node with $m$ neighbors in the WSN, it needs to store one individual key, $m$ cluster keys, $m$ pairwise keys, and one group key. In the enhanced protocol, each node stores the same number of keys as in the basic protocol.
When the key establishment is complete in a network of scale $N$, there is an upper limit on the number of keys to be stored in the nodes, including $N$ individual keys, $C(N, 2)$ pairwise keys, $N/2$ cluster keys, and $N$ group keys (though there is only one group key in a certain period), which add up to $\frac{5}{2}N + \frac{N!}{2(N-2)!} = \frac{N^2 + 3N}{2}$, and the average for each node is $\frac{5}{2} + \frac{(N-1)!}{2(N-2)!} = \frac{N}{2} + 2$.
Note that the communication distance of a sensor node is limited, so the network will not reach the high complexity in which every two nodes are connected.
In addition, using an efficient clustering method can reduce the number of required cluster keys, and the real storage complexity is much smaller.
Although memory is quite a scarce resource for the current generation of nodes in WSNs, for a reasonable degree, storage is not an issue in our protocol. For example, 100 keys take 800 bytes in total when the key size is 8 bytes.
6.2. Communication Cost. In this paper, the average communication cost increases with the connection degree of a sensor network and decreases with the network size $N$. Efficient preloaded functions are widely used, which greatly reduces the message exchanges in the key establishing phase and so saves communication cost. What's more, the use of the local cluster key enables in-network data processing, which also helps achieve communication and energy efficiency.
It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.
6.3. Computational Cost. The functions used in the proposed protocols are all of high computational efficiency. For example, the pseudorandom function $f$ is employed as the key generation function, and its computational cost is negligible when it is used in the key establishment process. In the enhanced protocol, although the computational cost is slightly increased by using the Diffie-Hellman algorithm, we believe that the computational overhead is acceptable for a network of reasonable density. For example, for a WSN of size $N = 1000$ and a connection degree of 20, the average computational cost is 27 symmetric key operations per node per revocation, and a larger $N$ will reduce the cost further.
Overall, we conclude that the protocols proposed in this study are scalable and efficient in storage, communication, and computation.
7. Security Analysis
This section analyzes the security of the key management protocols. The survivability of the network when undetected compromised nodes occur is discussed, and the robustness of the proposed schemes in defending against various attacks is studied.
7.1. Survivability. Once a sensor node $A$ is compromised, the adversary can launch attacks by utilizing the keying materials of node $A$. If the threat is detected somehow, the protocols can revoke node $A$ efficiently and update the information of nodes quickly throughout the whole network. Basically, each neighbor of the compromised node $A$ can delete its pairwise key shared with node $A$ as well as update the cluster key. The group key can also be updated efficiently by using the μTESLA mechanism. When the revocation is completed, the adversary cannot launch further attacks.
However, security detection in WSNs is more difficult than in other systems, since sensor systems are often deployed in unattended environments. Thus the survivability of the network when compromised nodes are not detected is one of the most important security requirements.
Firstly, because the individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.
Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which the attacker can use to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study, the attacker usually has to carry out such attacks using the identity of the captured node.
Note that a salient feature of the proposed protocols is the ability to localize possible threats, because after the deployment of the network and the pairwise key establishing phase, every node keeps a list of trusted neighbor nodes. As a compromised node and its copies cannot establish trust relationships with nodes other than its neighbors, the attacker can only damage secure links within a limited range.
Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. Broadcast messages, by their nature, are intended to be received by all the nodes in the network. Thus compromising any single node is enough to obtain such a message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the μTESLA mechanism.
7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.
An inside attacker may attempt to alter and replay routing information to create routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.
In this paper, the schemes cannot protect WSNs from such attacks; however, the schemes can hinder such attacks or minimize their consequences.
First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.
Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching them. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible, since the sending node may overhear the forwarded messages altered by the captured node.
Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.
The proposed protocol can protect WSNs from the following attacks.
Sybil Attacks. In Sybil attacks, the attacker may replicate the captured node and deploy multiple replicas into the original network. With the help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen in the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.
HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network by increasing the transmission power enough to convince all the nodes that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and other packets in vain. However, it cannot succeed in the proposed protocols, because the attacker does not have a network-wide key for authentication.
It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages to the entire network from the base station.
7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.
In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in WSNs.
In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, creating a sinkhole. Moreover, nodes which are multiple hops apart may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch the wormhole attack, such an attack is very powerful in practice [24].
In the proposed protocols, an outside attacker cannot succeed in launching the wormhole attack except in the neighbor discovery process, since a node knows all its neighbor nodes after the pairwise keys are established, which means the attacker cannot convince two distant nodes that they are neighbors of each other.
Because the neighbor discovery process is very short (usually seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors once the neighbor discovery phase is finished. The authenticated neighborhood information is critical in dealing with wormhole attacks.
In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station becomes smaller, node $B$ will be especially attractive to surrounding nodes. In practice, the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and then sensor nodes will know the approximate number of hops from the base station. Thus it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.
7.4. Conclusion. This paper proposes a basic key management protocol based on an initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important for supporting network security.
To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.
The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances network security through strict authentication and encryption mechanisms. Compared to the original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.
This paper presents a proposal for key establishment and achieves security mainly through the combined application of four kinds of keys. This is a critical step, and how to use such keys to build a protection mechanism is a focus of our future research.
Notations
$N$: The number of nodes in the network
$A$, $B$: Two communicating nodes in the network (also represents the node identifier)
$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$
$H(K)$: One-way hash function to generate a chain of keys using the seed $K$
$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$
$K$: The master key only possessed by base station
$K_A$: Individual key of node $A$
$E_K(m)$: Encryption of message $m$ with a symmetric key $K$
$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$
$A \rightarrow B : M$: Node $A$ sends a message $M$ to node $B$
$A \rightarrow \ast : M$: Node $A$ sends a local broadcast message $M$ to all its neighbors
$h(m)$: Calculate hash value of message $m$
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was supported by the National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and the National Basic Research Program of China (973 Program) (no. 2012CB724400).
References
[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “Wireless sensor networks: a survey,” Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.
[2] X. He, M. Niedermeier, and H. de Meer, “Dynamic key management in wireless sensor networks: a survey,” Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.
[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, “A unified security framework with three key management schemes for wireless sensor networks,” Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.
[4] C. Intanagonwiwat, R. Govindan, and D. Estrin, “Directed diffusion: a scalable and robust communication paradigm for sensor networks,” in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom ’00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.
[5] A. Manjeshwar and D. P. Agrawal, “TEEN: a routing protocol for enhanced efficiency in wireless sensor networks,” in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS ’01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.
[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, “SPINS: security protocols for sensor networks,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom ’01), pp. 189–199, Rome, Italy, July 2001.
[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.
[8] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.
[9] H. O. Sanli, S. Ozdemir, and H. Cam, “SRDA: secure reference-based data aggregation protocol for wireless sensor networks,” in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC ’04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.
[10] T. Dimitriou and I. Krontiris, “A localized, distributed protocol for secure information exchange in sensor networks,” in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS ’05), pp. 37–45, IEEE, April 2005.
[11] S. Zhu, S. Setia, and S. Jajodia, “LEAP: efficient security mechanisms for large-scale distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 62–72, ACM, New York, NY, USA, October 2003.
[12] J. Shen and L. Xu, “Cluster-based key pre-distribution scheme for wireless sensor networks,” Journal of Wuhan University Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).
[13] X. Huang, M. Yang, and S.-S. Lv, “Secure and efficient key management protocol for wireless sensor network and simulation,” Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.
[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, “New algorithms for secure outsourcing of modular exponentiations,” in Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS ’12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.
[15] L.-C. Li, J.-H. Li, and J. Pan, “Self-healing group key management scheme with revocation capability for wireless sensor networks,” Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.
[16] Z. Ming, W. Suo-ping, and X. He, “Dynamic key management scheme for wireless sensor networks based on cluster,” Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.
[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, “Transitory initial key-based key management protocol in wireless sensor networks,” Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.
[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, “A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE802.16e wireless networks,” Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.
[19] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grained access control system based on outsourced attribute-based encryptionrdquo in Computer SecuritymdashESORICS 2013 18thEuropean Symposium on Research in Computer Security EghamUK September 9ndash13 2013 Proceedings vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013
[20] A Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols (ICNP rsquo03) pp 326ndash335 Atlanta GaUSA November 2003
[21] W Du Y S Han J Deng and P K Varshney ldquoA pairwisekey pre-distribution scheme for wireless sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 42ndash51 WashingtonDC USA October 2003
[22] D Liu and P Ning ldquoMulti-level 120583TESLA broadcast authenti-cation for distributed sensor networksrdquo ACM Transactions onEmbedded Computing Systems vol 3 no 4 pp 800ndash836 2004
[23] J Li Q Wang C Wang and K Ren ldquoEnhancing attribute-based encryptionwith attribute hierarchyrdquoMobileNetworks andApplications vol 16 no 5 pp 553ndash561 2011
[24] Y S Lee J W Park and L Barolli ldquoA localization algorithmbased on AOA for ad-hoc sensor networksrdquoMobile InformationSystems vol 8 no 1 pp 61ndash72 2012
Note that each node has a timer that triggers key erasure once the node has made sure that pairwise key establishment is finished. This process is significant because all the nodes keep the network-wide initial key $K_I$ to help complete key establishment in the initial period, and once the relatively safe period has passed there is a great risk that some nodes may be compromised.
So it is suggested that after a reasonable length of time the initial key $K_I$ and the neighbors' individual master keys stored in the node all be erased (the node's own individual master key is always kept).
In this way, when almost all the pairwise keys have been established successfully, no node possesses the key material needed to generate keys until a new group of nodes is to be joined. The key erasure mechanism is necessary, and how to control the key erasing time is worth exploring, but it is not an emphasis of this paper.
In addition, it can be seen from the above equation that after the establishment time, that is, once the related key materials have been erased, if node $A$ is compromised by an attacker and a node $A'$ broadcasts a nonce to establish pairwise keys, it cannot succeed because of this establishment mechanism.
But once the attacker uses $A'$ with a passive joining strategy, the responding node $A'$ will generate the pairwise key with $B$ (here $B$ is one of a new batch of joining nodes that is asking to establish pairwise keys with its neighbors, including $A'$) as $K_{BA'} = f(K_{(A')}, B)$, and then the attacker will be able to inject erroneous packets into the network at will. For the newly added nodes an alternative is proposed to
Here $A$ is a new node that asks to establish a pairwise key with its neighbor $B$, and $B$ is an older node that has generated all its own pairwise keys and erased the initial key $K_I$, which makes it unable to generate a new pairwise key.
If $B$ wants to verify the identity of node $A$, the most credible way is to ask the base station for help.
However, reducing the use of the base station is an important goal here, and the improvement is worth further exploring.
4.2.3. Cluster Key Establishment. A cluster key is a key generated by an elected cluster head and shared with its neighbors; it is mainly used for encrypting local broadcast packets. Its most significant advantage is that it enables in-network processing such as passive participation and data aggregation, which cannot be supported by the pairwise key but can save energy efficiently.
The key establishment process is as follows.
Here node $A$ is the elected cluster head and $B_i$ represents one of its immediate neighbors $B_1, B_2, \ldots, B_n$ ($1 \le i \le n$). Cluster head $A$ first generates a key $K_A^{C}$ randomly, encrypts it with its pairwise keys, and then sends it to each neighbor $B_i$. Node $B_i$ then decrypts the cluster key and stores $K_A^{C}$ in a table.
When any neighbor of $A$ is revoked, which means that continuing to use the old cluster key would be a risk, cluster head $A$ regenerates the key and transmits $K_A^{C'}$ in the same way.
Cluster division and cluster head selection approaches are also worthy of discussion, but they are not an emphasis of this paper. A simple mesh division method based on the virtual cluster idea is shown in Figure 3.
4.2.4. Group Key Establishment. The group key $K_g$ is used for encrypting messages that need to be broadcast to the whole group. Note that, unlike the situations above, the key point here is no longer key establishment or the encryption scheme, because only one group key is shared across the entire network; it also makes no sense to encrypt a broadcast message separately with the master key of each sensor node.
Because only one group key is shared among sensor nodes, the rekeying and updating mechanism becomes important once a compromised node is revoked.
Figure 3: Mesh division method (legend: cluster head, active node, base station).
μTESLA [22] is a widely employed protocol due to its high efficiency and perfect tolerance for packet loss. A one-way hash function $H$ is used here to help achieve the process. First, the controller generates a random seed $k_m$ and uses the function $H$ to get the sequence of hash values $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ that meets the restriction $k_{j-1} = H(k_j)$ for $0 < j \le m$.
Then this key chain $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ is preloaded in the base station, and delayed key disclosure is used to achieve message authentication. Let $A$ be the revoked node and $K'_g$ the new group key; the process is as follows:
$$\text{Base station} \longrightarrow * : A,\ f(K'_g, 0),\ \mathrm{MAC}_{k_j}(A \mid f(K'_g, 0)) \tag{8}$$
When the verification is done, all the nodes will remove the related information of node $A$ and restore the group key $K'_g$ in the table.
Note that the initial group key $K_g$ is preloaded in all the sensor nodes before their deployment, like the initial key $K_I$, but $K_I$ cannot also be taken as the group key because it will be erased a very short time after pairwise key establishment. The key used for deriving related keys must be protected separately from normal ones.
Figure 4 simply illustrates the authentication mechanism:
$$k_{j-1} = H(k_j) \tag{9}$$
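The revocation broadcast in (8) and the key chain in (9), as an added example that is not from the original paper: the base station authenticates a revocation under $k_j$ and discloses $k_j$ later, and a node verifies it even though one disclosure is lost. SHA-256 and HMAC-SHA256 for $H$, $f$ and MAC, the commitment $k_0$ preloaded in nodes, the skip limit, and all class and function names are assumptions.

```python
import hashlib
import hmac
import os

MAX_SKIP = 64  # assumed bound on missed disclosures, so a bogus j cannot force unbounded hashing

def H(key: bytes) -> bytes:
    """One-way function of the chain, k_{j-1} = H(k_j). SHA-256 is an assumption."""
    return hashlib.sha256(b"chain|" + key).digest()

def f(key: bytes, data: bytes) -> bytes:
    """Pseudorandom function f(K, x). HMAC-SHA256 is an assumption."""
    return hmac.new(key, b"prf|" + data, hashlib.sha256).digest()

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, b"mac|" + data, hashlib.sha256).digest()

def make_chain(seed: bytes, m: int) -> list:
    """Return [k_0, ..., k_m] where k_m is the seed and k_{j-1} = H(k_j)."""
    chain = [seed]
    for _ in range(m):
        chain.append(H(chain[-1]))
    return chain[::-1]

class BaseStation:
    def __init__(self, m: int):
        self.chain = make_chain(os.urandom(32), m)
        self.commitment = self.chain[0]  # k_0, preloaded into every node (assumption)

    def revoke(self, j: int, node_id: bytes, new_group_key: bytes) -> dict:
        """Message (8): A, f(K'_g, 0), MAC_{k_j}(A | f(K'_g, 0))."""
        verifier = f(new_group_key, b"\x00")
        return {"j": j, "revoked": node_id, "verifier": verifier,
                "mac": mac(self.chain[j], node_id + b"|" + verifier)}

    def disclose(self, j: int) -> tuple:
        """Delayed disclosure: k_j is published only after interval j is over."""
        return j, self.chain[j]

class Node:
    def __init__(self, commitment: bytes):
        self.trusted_j, self.trusted_key = 0, commitment
        self.pending, self.revoked, self.verifiers = [], set(), []

    def receive(self, msg: dict) -> bool:
        """Buffer a message; its MAC cannot be checked until k_j is disclosed."""
        if msg["j"] <= self.trusted_j:
            return False  # k_j is already public, so anyone could have forged this
        self.pending.append(msg)
        return True

    def on_disclosure(self, j: int, key: bytes) -> int:
        """Authenticate a disclosed key, then verify buffered messages with it."""
        if not 0 < j - self.trusted_j <= MAX_SKIP:
            return 0
        # Walk the chain back to the last trusted key, recovering skipped keys.
        keys, k = {}, key
        for i in range(j, self.trusted_j, -1):
            keys[i] = k
            k = H(k)
        if not hmac.compare_digest(k, self.trusted_key):
            return 0  # not on the base station's chain
        self.trusted_j, self.trusted_key = j, key
        accepted, still_waiting = 0, []
        for msg in self.pending:
            if msg["j"] > j:
                still_waiting.append(msg)
                continue
            expected = mac(keys[msg["j"]], msg["revoked"] + b"|" + msg["verifier"])
            if hmac.compare_digest(expected, msg["mac"]):
                self.revoked.add(msg["revoked"])
                self.verifiers.append(msg["verifier"])
                accepted += 1
        self.pending = still_waiting
        return accepted

    def accepts_group_key(self, candidate: bytes) -> bool:
        """Check a delivered K'_g against an authenticated f(K'_g, 0). Assumption:
        the paper does not say how K'_g itself reaches the nodes."""
        return any(hmac.compare_digest(f(candidate, b"\x00"), v) for v in self.verifiers)

def demo() -> dict:
    """Constructed scenario: a genuine revocation, a forgery, and a lost disclosure."""
    bs = BaseStation(m=5)
    node = Node(bs.commitment)
    new_kg = os.urandom(16)
    genuine = bs.revoke(2, b"A", new_kg)
    forged = dict(genuine, revoked=b"B")              # node id swapped in transit
    buffered = [node.receive(genuine), node.receive(forged)]
    bad_key = node.on_disclosure(3, os.urandom(32))   # key that is not on the chain
    # The disclosure of k_2 is lost; k_3 arrives and k_2 is recovered as H(k_3).
    accepted = node.on_disclosure(*bs.disclose(3))
    late = node.receive(bs.revoke(3, b"C", new_kg))   # arrives after k_3 is public
    return {"buffered": buffered, "bad_key": bad_key, "accepted": accepted,
            "revoked": node.revoked, "late": late,
            "group_key_ok": node.accepts_group_key(new_kg),
            "wrong_group_key_ok": node.accepts_group_key(os.urandom(16))}
```

The `receive` check is the part that depends on loose time synchronization in a real deployment: a message is only worth buffering if it arrived before its key became public.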
Figure 4: Using the one-way hash function for source authentication (keys K1 to K5 and packets p1 to p6 along a time axis).
5. Enhanced Protocol
5.1. Requirements Analysis. The design of the basic scheme presented in the previous section is motivated by the observation that a single keying mechanism is not suitable for meeting all the security requirements of different types of exchanged messages.
The advantage of this scheme is that a captured node does not threaten the safety of the other nodes, provided the master key $K$ is absolutely safe in the time interval $T_{\min}$.
During the time interval $T_{\min}$ all the nodes of the WSN hold the general master key $K$, and we note that this scheme cannot provide confidentiality when a node is compromised in $T_{\min}$. By using stolen information such as the master key $K$, an attacker can easily derive the master keys of all the other normal nodes that are deployed in the same time interval, as well as negotiate new pairwise keys with normal nodes in any region. This means that once a node is compromised in the time interval $T_{\min}$, the security of the entire network is in extreme danger.
5.2. Enhanced Scheme. The improved scheme is based on the Diffie-Hellman algorithm presented above. Prior to deployment of the network, each node prestores the large prime number $p$ and its primitive root $a$ instead of the initial key $K_I$, which is derived from the master key $K$.
Note that the generation of the individual key for node $A$ is still the same:
$$K_A = f(K_I, A) \tag{10}$$
Different from the basic scheme, this process is completed once the node is deployed; after that, the information of the initial key $K_I$ is deleted. Thus the attacker cannot get any information about the initial key $K_I$ or the master key $K$ even if the node is compromised during the working period.
Since the node no longer keeps the initial key $K_I$, which is required to participate in relevant calculations (function) in the pairwise key generating process, the basic scheme cannot be achieved. For this situation the following improvements are made.
A key evolution function is given to each node. Taking nodes $A$ and $B$ as examples:
$$X_A = h(A \mid K_A) \bmod p, \qquad X_B = h(B \mid K_B) \bmod p \tag{11}$$
Then calculate the public message:
$$Y_A = a^{X_A} \bmod p, \qquad Y_B = a^{X_B} \bmod p \tag{12}$$
The pairwise key generation process is as follows:
$$A \longrightarrow * : \mathrm{Nonce}_A,\ Y_A$$
$$B \longrightarrow A : \mathrm{MAC}_{K_{AB}}(B \mid Y_B),\ B,\ Y_B \tag{13}$$
Here node $A$ broadcasts a nonce to all its direct neighbors, asking to establish pairwise keys, and broadcasts the public message $Y_A$ at the same time. When a neighbor (take node $B$ for example) receives the message, it first verifies the legitimacy of $Y_A$ and then calculates the pairwise key using the following function:
$$K_{AB} = (Y_A)^{X_B} \bmod p \tag{14}$$
After that, node $B$ sends $B$ and $Y_B$ back to the asking node $A$, together with $\mathrm{MAC}_{K_{AB}}(B \mid Y_B)$ to authenticate its identity. If node $B$ cannot respond to node $A$ in this way, it means that node $B$ cannot obtain $K_{AB}$ using only $Y_A$, and node $B$ is then considered untrusted. In addition, node $A$ does not need to send an authenticating message back to node $B$: if it cannot prove its own identity (namely, it cannot obtain $K_{AB}$ using only $Y_B$), it will fail to generate the pairwise key $K_{AB}$.
Compared with the basic protocol, the most obvious improvement of the enhanced protocol is that it uses the Diffie-Hellman algorithm to generate pairwise keys instead of storing the initial key $K_I$ for a certain period of time. Thus even if a node is compromised in $T_{\min}$, the attacker can merely get the key information related to the compromised node, which means that only limited security threats can be caused, avoiding the disruption of the entire network caused by losing the initial key $K_I$. Despite the slight increase in computational overhead, the security of the WSN is greatly improved.
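The exchange in (10) to (14) with both sides' messages, as an added example that is not the authors' code. It assumes SHA-256 for $h$, HMAC-SHA256 for $f$ and MAC, a range check as the unspecified "legitimacy" test on a received public value, and a 64-bit demo group generated in the code; all names are hypothetical.

```python
import hashlib
import hmac
import os

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    if n < 2:
        return False
    for q in _BASES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in _BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_group(bits: int = 64) -> tuple:
    """Return (p, a): the largest safe prime p = 2q + 1 below 2**bits and its
    smallest primitive root. Demo size only, far too small for deployment."""
    p = (1 << bits) - 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p -= 4  # q odd implies p % 4 == 3, so only those candidates are tried
    q = (p - 1) // 2
    # For a safe prime, a is a primitive root iff a^2 != 1 and a^q != 1 (mod p).
    a = next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)
    return p, a

P, A_ROOT = demo_group()            # the prestored p and a of Section 5.2
P_LEN = (P.bit_length() + 7) // 8

def f(key: bytes, node_id: bytes) -> bytes:
    """Pseudorandom function f(K, A); HMAC-SHA256 is an assumption."""
    return hmac.new(key, node_id, hashlib.sha256).digest()

def mac(key: bytes, node_id: bytes, y: int) -> bytes:
    """MAC_K(B | Y_B) as in (13); it covers the id and public value only."""
    data = node_id + b"|" + y.to_bytes(P_LEN, "big")
    return hmac.new(key, data, hashlib.sha256).digest()

class Node:
    def __init__(self, node_id: bytes, initial_key: bytes):
        self.id = node_id
        k_ind = f(initial_key, node_id)                   # (10); K_I is not stored
        digest = hashlib.sha256(node_id + b"|" + k_ind).digest()
        self.x = int.from_bytes(digest, "big") % P        # (11) X = h(id | K_id) mod p
        self.y = pow(A_ROOT, self.x, P)                   # (12) Y = a^X mod p
        self.pairwise = {}

    def _shared(self, peer_y: int) -> bytes:
        # Assumed legitimacy check: reject 0, 1, p-1 and anything out of range.
        if not isinstance(peer_y, int) or not 1 < peer_y < P - 1:
            raise ValueError("public value out of range")
        return pow(peer_y, self.x, P).to_bytes(P_LEN, "big")  # (14)

    def request(self) -> dict:
        # First message of (13); the sender id is carried so the peer can index the key.
        return {"id": self.id, "nonce": os.urandom(8), "y": self.y}

    def respond(self, req: dict) -> dict:
        key = self._shared(req["y"])
        self.pairwise[req["id"]] = key
        return {"id": self.id, "y": self.y, "mac": mac(key, self.id, self.y)}

    def confirm(self, resp: dict) -> bool:
        key = self._shared(resp["y"])
        if not hmac.compare_digest(mac(key, resp["id"], resp["y"]), resp["mac"]):
            return False  # responder could not derive K_AB: treat as untrusted
        self.pairwise[resp["id"]] = key
        return True

def demo() -> dict:
    """Constructed run: honest exchange, a copied Y_B without X_B, a degenerate Y."""
    k_i = b"constructed-initial-key"  # constructed sample value for K_I
    a, b = Node(b"A", k_i), Node(b"B", k_i)
    confirmed = a.confirm(b.respond(a.request()))
    same_key = a.pairwise.get(b"B") == b.pairwise.get(b"A")
    # A sender that copies B's id and Y_B but lacks X_B cannot produce the MAC.
    forged = {"id": b"B", "y": b.y, "mac": mac(b"\x00" * P_LEN, b"B", b.y)}
    forged_confirmed = Node(b"A", k_i).confirm(forged)
    try:
        b.respond({"id": b"E", "nonce": b"", "y": P - 1})
        degenerate = "accepted"
    except ValueError:
        degenerate = "rejected"
    return {"confirmed": confirmed, "same_key": same_key,
            "forged_confirmed": forged_confirmed, "degenerate": degenerate}
```

Because $X_A$ is derived deterministically from the node identifier and its individual key, the same pair of nodes derives the same $K_{AB}$ on every run of this exchange.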
6. Performance Evaluation
The ability of the protocol to resist various kinds of attacks is discussed in detail in the above sections. This section analyzes the storage requirement and energy efficiency.
6.1. Storage Requirement. In the basic protocol a node needs to store four types of keys. A node with $m$ neighbors in the WSN needs to store one individual key, $m$ cluster keys, $m$ pairwise keys, and one group key. In the enhanced protocol each node stores the same number of keys as in the basic protocol.
When key establishment is complete in a network of scale $N$, there is an upper limit on the number of keys to be stored in the nodes, including $N$ individual keys, $C(N, 2)$ pairwise keys, $N/2$ cluster keys, and $N$ group keys (though there is only one group key in a certain period), which add up to $(5/2)N + (N/2)(N-2) = (N^2 + 3N)/2$, and the average for each node is $5/2 + (N-1)/2(N-2) = N/2 + 2$.
Note that the communication distance of a sensor node is limited, so the network will not reach the high complexity in which every two nodes are connected.
In addition, using an efficient clustering method can reduce the number of required cluster keys, and the real storage complexity is much smaller.
Although memory is quite a scarce resource for the current generation of nodes in WSNs, for a reasonable degree storage is not an issue in our protocol. For example, 100 keys take 800 bytes in total when the key size is 8 bytes.
6.2. Communication Cost. In this paper the average communication cost increases with the connection degree of a sensor network and decreases with the network size $N$. Efficient preloaded functions are widely used, which greatly reduces the message exchanges in the key establishing phase and so saves communication cost. What is more, the use of local cluster keys enables in-network data processing, which also helps achieve communication and energy efficiency.
It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.
6.3. Computational Cost. The functions used in the proposed protocols are all of high computational efficiency. For example, the pseudorandom function $f$ is employed as the key generation function, and its computational cost is negligible when it is used in the key establishment process. In the enhanced protocol, although the computational cost is slightly increased by using the Diffie-Hellman algorithm, we believe that the computational overhead is acceptable for a network of reasonable density. For example, for a WSN of size $N = 1000$ and connection degree of 20, the average computational cost is 27 symmetric key operations per node per revocation, and a larger $N$ will reduce the cost further.
Overall, we conclude that the protocols proposed in this study are scalable and efficient enough in storage, communication, and computation.
7. Security Analysis
This section analyzes the security of the key management protocols. The survivability of the network is discussed for the case where compromised nodes go undetected, and the robustness of the proposed schemes is studied in defending against various attacks.
7.1. Survivability. Once a sensor node $A$ is compromised, the adversary can launch attacks by using the keying materials of node $A$. If the threat is detected somehow, the protocols can revoke node $A$ efficiently and update the information of nodes quickly throughout the whole network. Basically, each neighbor of the compromised node $A$ can delete its pairwise key shared with node $A$ and update the cluster key. The group key can also be updated efficiently by using the μTESLA mechanism. When the revocation is completed, the adversary cannot launch further attacks.
However, security detection in WSNs is more difficult than in other systems, since sensor systems are often deployed in unattended environments. Thus the survivability of the network when compromised nodes are not detected is one of the most important security requirements.
First, because the individual key is shared only between the base station and each sensor node, it usually does not help the attacker launch attacks.
Second, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which the attacker can use to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study the attacker usually has to carry out such attacks using the identity of the captured node.
Note that a salient feature of the proposed protocols is the ability to localize possible threats: after the deployment of the network and the pairwise key establishing phase, every node keeps a list of trusted neighbor nodes. As a compromised node and its copies cannot establish a trust relationship with nodes other than its neighbors, the attacker can only damage secure links within a limited range.
Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. Broadcast messages are by their nature intended to be received by all the nodes in the network, so compromising any single node is enough to obtain such a message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the μTESLA mechanism.
7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. This section shows how the proposed schemes can defend against such attacks.
An inside attacker may attempt to alter and replay routing information to create routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.
The schemes in this paper cannot protect WSNs from such attacks; however, they can hinder such attacks or minimize their consequences.
First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.
Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching them. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and detection of the altering attack is also possible, since the related sending node may overhear the forwarded messages altered by the captured node.
Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.
The proposed protocol can protect WSNs from the following attacks.
Sybil Attacks. In Sybil attacks the attacker may replicate the captured node and deploy multiple replicas into the original network. With the help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen in the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.
HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network, increasing the transmission power enough to convince all the nodes that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and other packets in vain. However, it cannot succeed in the proposed protocols because the attacker does not have a network-wide key for authentication.
It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages from the base station to the entire network.
7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.
In the sinkhole attack a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising high reliability or high remaining energy, which is very hard to detect in WSNs.
In the wormhole attack two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, creating a sinkhole. Moreover, nodes that are multiple hops apart may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch the wormhole attack, such an attack is very powerful in practice [24].
In the proposed protocols an outside attacker cannot succeed in launching the wormhole attack except during the neighbor discovery process, since a node knows all its neighbor nodes after the pairwise keys are established, which means the attacker cannot convince two distant nodes that they are neighbors of each other.
Because the neighbor discovery process is very short (usually seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors once the neighbor discovery phase is finished. The authenticated neighborhood information is critical for dealing with wormhole attacks.
In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station becomes smaller, node $B$ will be especially attractive to surrounding nodes. In practice the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and sensor nodes will then know the approximate number of hops from the base station. Thus it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.
7.4. Conclusion. This paper proposes a basic key management protocol based on an initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.
To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.
The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances network security through strict authentication and encryption mechanisms. Compared to the original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.
This paper presents a proposal for key establishment and achieves security mainly through the combined application of four kinds of keys. This is a critical step, and how to use such keys to build a protection mechanism is a focus of our future research.
Notations
$N$: The number of nodes in the network
$A$, $B$: Two communicating nodes in the network (also represents the node identifier)
$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$
$H(K)$: One-way hash function to generate a chain of keys using the seed $K$
$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$
$K$: The master key only possessed by base station
$K_A$: Individual key of node $A$
$E_K(m)$: Encryption of message $m$ with a symmetric key $K$
$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$
$A \rightarrow B : M$: Node $A$ sends a message $M$ to node $B$
$A \rightarrow * : M$: Node $A$ sends a local broadcast message $M$ to all its neighbors
$h(m)$: Calculate hash value of message $m$
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).
References
[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "Wireless sensor networks: a survey," Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.
[2] X. He, M. Niedermeier, and H. de Meer, "Dynamic key management in wireless sensor networks: a survey," Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.
[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, "A unified security framework with three key management schemes for wireless sensor networks," Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.
[4] C. Intanaonwiwat, R. Govindan, and D. Estrin, "Directed diffusion: a scalable and robust communication paradigm for sensor networks," in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.
[5] A. Manjeshwar and D. P. Agrawal, "TEEN: a routing protocol for enhanced efficiency in wireless sensor networks," in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS '01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.
[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom '01), pp. 189–199, Rome, Italy, July 2001.
[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.
[8] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.
[9] H. O. Sanli, S. Ozdemir, and H. Cam, "SRDA: secure reference-based data aggregation protocol for wireless sensor networks," in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC '04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.
[10] T. Dimitriou and I. Krontiris, "A localized distributed protocol for secure information exchange in sensor networks," in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), pp. 37–45, IEEE, April 2005.
[11] S. Zhu, S. Setia, and S. Jajodia, "LEAP: efficient security mechanisms for large-scale distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 62–72, ACM, New York, NY, USA, October 2003.
[12] J. Shen and L. Xu, "Cluster-based key pre-distribution scheme for wireless sensor networks," Journal of Wuhan University: Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).
[13] X. Huang, M. Yang, and S.-S. Lv, "Secure and efficient key management protocol for wireless sensor network and simulation," Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.
[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS '12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.
[15] L.-C. Li, J.-H. Li, and J. Pan, "Self-healing group key management scheme with revocation capability for wireless sensor networks," Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.
[16] Z. Ming, W. Suo-ping, and X. He, "Dynamic key management scheme for wireless sensor networks based on cluster," Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.
[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, "Transitory initial key-based key management protocol in wireless sensor networks," Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.
[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, "A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE802.16e wireless networks," Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.
[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, "Fine-grained access control system based on outsourced attribute-based encryption," in Computer Security – ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013, Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.
[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, "Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach," in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP '03), pp. 326–335, Atlanta, Ga, USA, November 2003.
[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, Washington, DC, USA, October 2003.
[22] D. Liu and P. Ning, "Multi-level μTESLA: broadcast authentication for distributed sensor networks," ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.
[23] J. Li, Q. Wang, C. Wang, and K. Ren, "Enhancing attribute-based encryption with attribute hierarchy," Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.
[24] Y. S. Lee, J. W. Park, and L. Barolli, "A localization algorithm based on AOA for ad-hoc sensor networks," Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.
the rekeying and updating mechanism comes to be important.
μTESLA [22] is a widely employed protocol due to the high efficiency and perfect tolerance for packet loss. A one-way hash function $H$ is used here to help achieve the process. Firstly, the controller generates a random seed $k_m$ and uses the function $H$ to get a sequence of the following hash values $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ that meets the restriction $\{k_j \mid 0 < j \le m,\ k_{j-1} = H(k_j)\}$.
Then preload this key chain $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ in the base station and use delayed key disclosure to achieve message authentication. Let $A$ be the revoked node and $K'_g$ the new group key; the process is as follows:
$$\text{Base station} \rightarrow *:\ A,\ f(K'_g, 0),\ \mathrm{MAC}_{k_j}(A \mid f(K'_g, 0)) \tag{8}$$
When the verification is done, all the nodes will remove related information of node $A$ and restore the group key $K'_g$ in the table.
Note that the initial group key $K_g$ is preloaded in all the sensor nodes before their deployment, like the initial key $K_I$, but we cannot take $K_I$ also as the group key because it will be erased in a very short time after the pairwise key establishment. The key used for deriving related keys must be protected separately from normal ones.
Figure 4 simply illustrates the authentication mechanism:
$$k_{j-1} = H(k_j) \tag{9}$$
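The key chain and delayed key disclosure described above, as an added example that is not code from the paper: SHA-256 for $H$, HMAC-SHA256 for both $f$ and the MAC, a commitment $k_0 = H(k_1)$ held by every node, and all class and field names are assumptions. It goes slightly beyond message (8) by showing a node that recovers from lost disclosures and drops a packet whose key is already public.

```python
import hashlib
import hmac


def H(key: bytes) -> bytes:
    """One-way function H of the key chain (assumption: SHA-256)."""
    return hashlib.sha256(key).digest()


def f(key: bytes, data: bytes) -> bytes:
    """Stand-in for both the PRF f and the MAC (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def make_chain(seed: bytes, m: int) -> list:
    """Return [k_0, ..., k_m] with k_m = seed and k_{j-1} = H(k_j)."""
    chain = [seed]
    for _ in range(m):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


class BaseStation:
    def __init__(self, seed: bytes, m: int):
        self.chain = make_chain(seed, m)
        # k_0 = H(k_1) is handed to nodes before deployment (assumption).
        self.commitment = self.chain[0]

    def revoke(self, node_id: bytes, new_group_key: bytes, j: int) -> dict:
        """Message (8): A, f(K'_g, 0), MAC_{k_j}(A | f(K'_g, 0))."""
        verifier = f(new_group_key, b"\x00")
        return {"interval": j, "revoked": node_id, "verifier": verifier,
                "mac": f(self.chain[j], node_id + verifier)}

    def disclose(self, j: int) -> tuple:
        """Delayed disclosure of k_j, sent after interval j has ended."""
        return j, self.chain[j]


class SensorNode:
    def __init__(self, commitment: bytes, neighbors):
        self.last_index, self.last_key = 0, commitment
        self.neighbors = set(neighbors)
        self.group_key_verifier = None
        self.pending = []

    def receive(self, packet: dict) -> bool:
        """Buffer a revocation packet until its key is disclosed."""
        # Once k_j is public anyone can compute MACs with it, so a packet
        # for an already-disclosed interval proves nothing and is dropped.
        if packet["interval"] <= self.last_index:
            return False
        self.pending.append(packet)
        return True

    def on_disclosure(self, j: int, key: bytes) -> list:
        """Authenticate k_j, then check buffered packets; return revoked IDs."""
        if j <= self.last_index:
            return []
        probe = key
        for _ in range(j - self.last_index):    # tolerates lost disclosures
            probe = H(probe)
        if not hmac.compare_digest(probe, self.last_key):
            return []                           # not on the chain: forged key
        self.last_index, self.last_key = j, key
        revoked, still_pending = [], []
        for p in self.pending:
            if p["interval"] > j:
                still_pending.append(p)
                continue
            k_i = key
            for _ in range(j - p["interval"]):  # recover an earlier k_i
                k_i = H(k_i)
            expected = f(k_i, p["revoked"] + p["verifier"])
            if hmac.compare_digest(expected, p["mac"]):
                self.neighbors.discard(p["revoked"])
                self.group_key_verifier = p["verifier"]
                revoked.append(p["revoked"])
        self.pending = still_pending
        return revoked
```
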
5. Enhanced Protocol
5.1. Requirements Analysis. The design of the basic scheme presented in the previous section is motivated by the observation that single keying mechanism is not suitable for meeting all the security requirements of different types of exchanged messages.
Figure 4: Using the one-way hash function for source authentication (keys K1 to K5 and packets p1 to p6 along a time axis).
The advantage of this scheme is that the captured node does not threaten the safety of the other nodes in case the master key $K$ is absolutely safe in time interval $T_{\min}$.
During the time interval $T_{\min}$, all the nodes of the WSN will hold the general master key $K$, and we note that this scheme cannot provide confidentiality when a node is compromised in $T_{\min}$. By using the stolen information, like the master key $K$, an attacker can easily derive the master keys of all the rest of the normal nodes that are deployed in the same time interval, as well as negotiating new pairwise keys with normal nodes in any region, which means that once a node is compromised in time interval $T_{\min}$, the security of the entire network is in extreme danger.
5.2. Enhanced Scheme. The improved scheme is based on the Diffie-Hellman algorithm above: prior to deployment of the network, each node prestores the large prime number $p$ and its primitive root $a$ instead of the initial key $K_I$, which is derived from the master key $K$.
Note that the generation of the individual key for node $A$ is still the same:
$$K_A = f(K_I, A) \tag{10}$$
Different from the basic scheme, this process is completed once the node is deployed; after that, the information of the initial key $K_I$ is deleted. Thus the attacker cannot get any information about the initial key $K_I$ or the master key $K$ even if it is compromised during the working period.
Since the node no longer keeps the initial key $K_I$, which is required to participate in relevant calculations (function) in the pairwise key generating process, the basic scheme cannot be achieved. For this situation, make the following improvements.
Give a key evolution function to each node. Take nodes $A$ and $B$ for example:
$$X_A = h(A \mid K_A) \bmod p$$
$$X_B = h(B \mid K_B) \bmod p \tag{11}$$
Then calculate the public message:
$$Y_A = a^{X_A} \bmod p$$
$$Y_B = a^{X_B} \bmod p \tag{12}$$
Mobile Information Systems 7
The pairwise key generation process is as follows:
$$A \rightarrow *:\ \mathrm{Nonce}_A,\ Y_A$$
$$B \rightarrow A:\ \mathrm{MAC}_{K_{AB}}(B \mid Y_B),\ B,\ Y_B \tag{13}$$
Here node $A$ broadcasts a nonce to all its direct neighbors and asks to establish a pairwise key, and broadcasts the public message $Y_A$ at the same time. When its neighbor (take node $B$ for example) receives the message, it first verifies the legitimacy of $Y_A$ and then calculates the pairwise key using the following function:
$$K_{AB} = (Y_A)^{X_B} \bmod p \tag{14}$$
After that, node $B$ sends messages $B$ and $Y_B$ back to the asking node $A$ and sends a message $\mathrm{MAC}_{K_{AB}}(B \mid Y_B)$ to authenticate its identity. If node $B$ cannot respond to node $A$ in this way, it means node $B$ cannot get $K_{AB}$ using only $Y_A$; then consider node $B$ as untrusted. In addition, node $A$ does not need to send an authenticating message back to node $B$ anymore, because if it cannot prove its own identity (namely, it cannot get $K_{AB}$ using only $Y_B$), it will fail to generate the pairwise key $K_{AB}$.
Compared with the basic protocol, the most obvious improvement of the enhanced protocol is that it makes use of the Diffie-Hellman algorithm to generate pairwise keys instead of storing the initial key $K_I$ for a certain period of time. Thus, even if a node is compromised in $T_{\min}$, the attacker can merely get the key information related to the compromised node, which means only limited security threats can be caused, avoiding the disruption of the entire network caused by losing the initial key $K_I$. Despite the slight increment in the computational overhead, the security of the WSN is greatly improved.
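The exchange in (10) to (14), as an added example that is not code from the paper. Assumptions: HMAC-SHA256 stands in for $f$ and the MAC, SHA-256 for $h$, the prime $2^{255}-19$ with base 2 stands in for the prestored $p$ and $a$, the range check stands in for the unspecified legitimacy check on $Y$, and the sender identifier is taken from the frame.

```python
import hashlib
import hmac
import secrets

# Stand-in public parameters (assumptions, not values from the paper):
# 2**255 - 19 is a well-known prime; base 2 is used without checking that it
# is a primitive root, which a real deployment has to verify for its own p.
P = 2**255 - 19
A_BASE = 2


def f(key: bytes, data: bytes) -> bytes:
    """PRF f and MAC (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def h(data: bytes) -> int:
    """Hash h, read as an integer (assumption: SHA-256)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def encode(n: int) -> bytes:
    """Fixed-width encoding so MAC inputs are unambiguous."""
    return n.to_bytes(32, "big")


def valid_public(y) -> bool:
    """Assumed legitimacy check: reject 0, 1, p-1 and out-of-range values."""
    return isinstance(y, int) and 1 < y < P - 1


class Node:
    def __init__(self, node_id: bytes, initial_key: bytes):
        self.node_id = node_id
        self.individual_key = f(initial_key, node_id)      # (10) K_A = f(K_I, A)
        self.x = h(node_id + self.individual_key) % P      # (11) X_A
        self.y = pow(A_BASE, self.x, P)                    # (12) Y_A
        self.pairwise = {}
        # K_I is deliberately not kept: capture of this node reveals only
        # K_A and X_A, not the material of any other node.

    def hello(self) -> tuple:
        """A -> *: Nonce_A, Y_A (first line of (13))."""
        return self.node_id, secrets.token_bytes(8), self.y

    def respond(self, sender_id: bytes, nonce: bytes, y_peer):
        """B's side: check Y_A, derive K_AB (14), answer with B, Y_B, MAC."""
        # As written in (13), the nonce travels with the request but is not
        # covered by the MAC, so it is accepted here and not used further.
        if not valid_public(y_peer):
            return None
        k = encode(pow(y_peer, self.x, P))
        self.pairwise[sender_id] = k
        return self.node_id, self.y, f(k, self.node_id + encode(self.y))

    def finish(self, reply) -> bool:
        """A's side: derive K_AB from Y_B and verify MAC_{K_AB}(B | Y_B)."""
        peer_id, y_peer, tag = reply
        if not valid_public(y_peer):
            return False
        k = encode(pow(y_peer, self.x, P))
        if not hmac.compare_digest(tag, f(k, peer_id + encode(y_peer))):
            return False                       # B is treated as untrusted
        self.pairwise[peer_id] = k
        return True
```
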
6. Performance Evaluation
The ability of the protocol to fight against kinds of attacks is discussed in detail in the above sections. This section analyzes the storage requirement and energy efficiency.
6.1. Storage Requirement. In the basic protocol, a node needs to store four types of keys. Considering a node with $m$ neighbors in the WSN, it needs to store one individual key, $m$ cluster keys, $m$ pairwise keys, and one group key. In the enhanced protocol, each node stores the same number of keys as the basic protocol.
When the key establishment is complete in a network having a scale of $N$, there is an upper limit on the number of keys to be stored in the nodes, including $N$ individual keys, $C(N, 2)$ pairwise keys, $N/2$ cluster keys, and $N$ group keys (though there is only one group key in a certain period), which add up to $(5/2)N + (N/2)(N-2) = (N^2 + 3N)/2$, and the average for each node is $5/2 + (N-1)/2(N-2) = N/2 + 2$.
Note that the communication distance of a sensor node is limited, so it will not reach the high complexity in which every two nodes are connected.
In addition, using an efficient clustering method can reduce the number of required cluster keys, and the real storage complexity is much smaller.
Although memory is a quite scarce resource for the current generation of nodes in WSNs, for a reasonable degree, storage is not an issue in our protocol. For example, 100 keys totally take 800 bytes when the key size is 8 bytes.
6.2. Communication Cost. In this paper, the average communication cost increases with the connection degree of a sensor network and decreases with the network size $N$. Efficient preloaded functions are widely used, which greatly reduces the message exchanges in the key establishing phase so as to save communication cost. What's more, the use of the located cluster key enables in-network data processing, which also helps achieve communication and energy efficiency.
It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.
6.3. Computational Cost. Functions used in the proposed protocols are all of high computational efficiency. For example, the pseudorandom function $f$ is employed as the key generation function, and the computational cost will be negligible when it is used in the key establishment process. In the enhanced protocol, although the computational cost is slightly increased by using the Diffie-Hellman algorithm, we believe that the computational overhead is acceptable for a network of reasonable density in our protocols. For example, for a WSN of size $N = 1000$ and connection degree of 20, the average computational cost is 27 symmetric key operations per node per revocation, and a larger $N$ will reduce the cost further.
Overall, we conclude that the protocols proposed in this study are scalable and efficient enough in storage, communication, and computation.
7. Security Analysis
This section analyzes the security of the key management protocols. The survivability of the network is discussed when undetected compromised nodes occur, and the robustness of the proposed schemes is studied in defending against various attacks.
7.1. Survivability. Once a sensor node $A$ is compromised, the adversary can launch attacks by utilizing the keying materials of node $A$. If the threat is detected somehow, the protocols can revoke node $A$ efficiently and update the information of nodes quickly throughout the whole network. Basically, each neighbor of the compromised node $A$ could delete its pairwise key shared with node $A$ as well as updating the cluster key. The group key could also be updated efficiently by making use of the μTESLA mechanism. When the revocation is completed, the adversary cannot launch further attacks anymore.
However, security detection in WSNs is more difficult than in other systems, since sensor systems are often deployed in unattended environments. Thus the survivability of the network is one of the most important security requirements when compromised nodes are not detected.
Firstly, because the individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.
Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which can be used by the attacker to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study, the attacker usually has to achieve such attacks by making use of the identity of the captured node.
Note that a salient feature of the proposed protocols is the ability to localize possible threats, because after the deployment of the network and the pairwise key establishing phase, every node will keep a list of trusted neighbor nodes. As a compromised node and its copy nodes cannot establish a trust relationship with other nodes except its neighbors, the attacker can only damage secure links within a limited range.
Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. The broadcast messages, by their nature, are intended to be received by all the nodes in the network. Thus compromising any single node is enough to possess this message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the μTESLA mechanism.
7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.
An inside attacker may attempt to alter and replay routing information to make routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.
In this paper, the schemes cannot protect the WSNs from such attacks; however, the schemes can hinder or minimize the consequences caused by such attacks.
First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.
Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching such attacks. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible, since the related sending node may overhear the forwarded messages altered by the captured node.
Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.
The proposed protocol can protect WSNs from the following attacks.
Sybil Attacks. In Sybil attacks, the attacker may replicate the captured node and deploy multiple replicas into the original network. With the help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen in the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.
HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network by increasing the transmission power to be high enough to make all the nodes convinced that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and some other packets in vain. However, it cannot succeed in the proposed protocols, because the attacker does not have a network-wide key for authentication.
It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages to the entire network from the base station.
7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.
In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in WSNs.
In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, to create a sinkhole. Moreover, nodes which are multiple hops away may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch the wormhole attack, such an attack is very powerful in practice [24].
In the proposed protocols, an outside attacker cannot succeed in launching the wormhole attack except in the neighbor discovery process, since a node will know all its neighbor nodes after the pairwise key is established, which means the attacker cannot convince two distant nodes to believe that they are neighbors of each other.
Because the time of the neighbor discovery process is very short (usually seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors when the neighbor discovery phase is finished. The authenticated neighborhood information is critical for dealing with wormhole attacks.
In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station turns smaller, node $B$ will be especially attractive to surrounding nodes. In practice, the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and then sensor nodes will know the approximate number of hops from the base station. Thus it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.
7.4. Conclusion. This paper proposes a basic key management protocol based on an initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.
To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.
The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to the original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.
This paper presents a proposal for key establishment and achieves security mainly based on the combined application of four kinds of keys. This is a critical step, and how to use such keys to found a protection mechanism is a focus of our future research.
Notations
$N$: The number of nodes in the network
$A$, $B$: Two communicating nodes in the network (also represents the node identifier)
$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$
$H(K)$: One-way hash function to generate a chain of keys using the seed $K$
$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$
$K$: The master key only possessed by base station
$K_A$: Individual key of node $A$
$E_K(m)$: Encryption of message $m$ with a symmetric key $K$
$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$
$A \rightarrow B: M$: Node $A$ sends a message $M$ to node $B$
$A \rightarrow *: M$: Node $A$ sends a local broadcast message $M$ to all its neighbors
$h(m)$: Calculate hash value of message $m$
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).
References
[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "Wireless sensor networks: a survey," Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.
[2] X. He, M. Niedermeier, and H. de Meer, "Dynamic key management in wireless sensor networks: a survey," Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.
[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, "A unified security framework with three key management schemes for wireless sensor networks," Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.
[4] C. Intanaonwiwat, R. Govindan, and D. Estrin, "Directed diffusion: a scalable and robust communication paradigm for sensor networks," in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.
[5] A. Manjeshwar and D. P. Agrawal, "TEEN: a routing protocol for enhanced efficiency in wireless sensor networks," in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS '01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.
[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MobiCom '01), pp. 189–199, Rome, Italy, July 2001.
[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.
[8] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.
[9] H. O. Sanli, S. Ozdemir, and H. Cam, "SRDA: secure reference-based data aggregation protocol for wireless sensor networks," in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC '04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.
[10] T. Dimitriou and I. Krontiris, "A localized distributed protocol for secure information exchange in sensor networks," in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), pp. 37–45, IEEE, April 2005.
[11] S. Zhu, S. Setia, and S. Jajodia, "LEAP: efficient security mechanisms for large-scale distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 62–72, ACM, New York, NY, USA, October 2003.
[12] J. Shen and L. Xu, "Cluster-based key pre-distribution scheme for wireless sensor networks," Journal of Wuhan University Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).
[13] X. Huang, M. Yang, and S.-S. Lv, "Secure and efficient key management protocol for wireless sensor network and simulation," Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.
[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security—ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS '12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.
[15] L.-C. Li, J.-H. Li, and J. Pan, "Self-healing group key management scheme with revocation capability for wireless sensor networks," Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.
[16] Z. Ming, W. Suo-ping, and X. He, "Dynamic key management scheme for wireless sensor networks based on cluster," Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.
[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, "Transitory initial key-based key management protocol in wireless sensor networks," Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.
[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, "A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE 802.16e wireless networks," Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.
[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, "Fine-grained access control system based on outsourced attribute-based encryption," in Computer Security—ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013, Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.
[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, "Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach," in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP '03), pp. 326–335, Atlanta, Ga, USA, November 2003.
[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, Washington, DC, USA, October 2003.
[22] D. Liu and P. Ning, "Multi-level μTESLA broadcast authentication for distributed sensor networks," ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.
[23] J. Li, Q. Wang, C. Wang, and K. Ren, "Enhancing attribute-based encryption with attribute hierarchy," Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.
[24] Y. S. Lee, J. W. Park, and L. Barolli, "A localization algorithm based on AOA for ad-hoc sensor networks," Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.
Here node119860 broadcasts a nonce to all its direct neighborsand asks to establish pairwise key and broadcasts the publicmessage 119884
119860at the same time When its neighbor (take node
119861 for example) receives the message it first verifies thelegitimacy of 119884
119860and then calculates the pairwise key using
the following function
119870119860119861
= (119884119860)119883119861 mod 119901 (14)
After that node 119861 sends messages 119861 and 119884119861back to the
asking node 119860 and sends a message MAC119870119860119861
(119861 | 119884119861) to
authenticate its identity If node 119861 cannot respond to node119860 in this way it means node 119861 cannot get 119870
119860119861only taking
use of 119884119860 then consider node 119861 as untrusted In addition
node 119860 does not need to send authenticating message backto node 119861 anymore because if it cannot prove its own identity(namely it cannot get 119870
119860119861only taking use of 119884
119861 and it will
fail to generate the pairwise key 119870119860119861)
Compared with the basic protocol the most obviousimprovement of enhanced protocol is that it takes use ofDiffie-Hellman algorithm to generate pairwise keys insteadof storing the initial key 119870
119868in a certain period of time Thus
even if a node is compromised in119879min the attacker canmerelyget the information of key related to the compromised nodewhich means only limited security threats can be causedavoiding the disruption of the entire network caused bylosing initial key 119870
119868 Despite the slight increment in the
computational overhead the security of the WSN is greatlyimproved
6 Performance Evaluation
The ability of the protocol to fight against kinds of attacks isdiscussed in detail in above sectionsThis section analyzes thestorage requirement and energy efficiency
61 Storage Requirement In the basic protocol a node needsto store four types of keys Considering a node with 119898
neighbors in the WSN it needs to store one individual key119898 cluster keys 119898 pairwise keys and one group key In theenhanced protocol each node stores the same number of keysas the basic protocol
When the key establishment is complete in a networkhaving a scale of 119873 there is an upper limit of the numberof keys to be stored in the nodes including119873 individual keys119862(119873 2) pairwise keys 1198732 cluster keys and 119873 group keys(though there is only one group key in a certain period)which add up to ((52)119873+(1198732(119873minus2)) = (1198732+3119873)2) andaverage to each node is (52 + (119873minus 1)2(119873minus 2) = 1198732 + 2)
Note that communication distance of sensor node islimited so that it will not reach a high complexity that eachtwo nodes are connected
In addition using an efficient clustering method canreduce the number of required cluster keys and the realstorage complexity is much smaller
Although memory is a quite scarce resource for thecurrent generation of nodes inWSNs for a reasonable degreestorage is not an issue in our protocol For example 100 keystotally take 800 bytes when the key size is 8 bytes
62 Communication Cost In this paper the average commu-nication cost increases with the connection degree of a sensornetwork and decreases with the network size 119873 Efficientpreloaded functions are widely used which greatly reducesthe message exchanges in key establishing phase so that tosave communication cost Whats more the use of locatedcluster key enables in-network data processing which alsohelps achieve communication and energy efficiency
It is worth noting that the communication cost of theenhanced protocol remains at the same level as that of thebasic protocol
63 Computational Cost Functions used in the proposedprotocols are all of high computational efficiency For exam-ple pseudorandom function 119891 is employed to be the keygeneration function and the computational cost will benegligible when it is used in key establishment process In theenhanced protocol although computational cost is slightlyincreased by using Diffie-Hellman algorithm for a networkof reasonable density we believe that the computationaloverhead is applicable for a network of reasonable density inour protocols For example for a WSN of size119873 = 1000 andconnection degree of 20 the average computational cost is27 symmetric key operations per node per revocation and alarger119873 will reduce the cost further
Overall we conclude that the protocols proposed in thisstudy are scalable and efficient enough in storage communi-cation and computation
7 Security Analysis
This section analyzes the security of the key managementprotocols The survivability of the network is discussed whenundetected compromised nodes occur and the robustness ofproposed schemes is studied in defending against variousattacks
71 Survivability Once a sensor node 119860 is compromised theadversary can launch attacks by utilizing keying materialsof node 119860 If the threat is detected somehow the protocolscan revoke node 119860 efficiently and update the information ofnodes quickly throughout the whole network Basically eachneighbor of compromised node 119860 could delete its pairwisekey shared with node 119860 as well as updating the cluster keyThe group key could also be updated efficiently by taking useof 120583TESLA mechanism When the revocation is completedthe adversary cannot launch further attacks anymore
However security detection in WSNs is more difficultthan in other systems since sensor systems are often deployedin unattended environments Thus the survivability of
8 Mobile Information Systems
the network is one of most important security requirementswhen compromised nodes is not detected
Firstly because individual key is only shared between thebase station and each sensor node it usually does not help theattacker launch attacks
Secondly obtaining the cluster keys and pairwise keys ofa compromised node enables the attacker to establish trustwith the neighbor nodes which can be used by the attackerto inject malicious sensor readings and routing controlinformation into the network However in the proposedprotocols in this study the attacker usually has to achieve suchattacks by taking use of the identity of the captured node
Note that a salient feature of the proposed protocols isthe ability in localizing possible threats Because after thedeployment of the network and the pairwise key establishingphase every node will keep a list of trusted neighbor nodesAs compromised node and its copy nodes cannot establishtrust relationship with other nodes except its neighbors theattacker can only damage secure links within limited range
Finally obtaining the group key enables the attacker todecryptmessages broadcast by the base stationThebroadcastmessages by their nature are intended to be received by allthe nodes in the network Thus compromising any singlenode is enough to possess this message whatever securitymechanism is used However obtaining the group key doesnot allow the attacker to damage the entire network withmalicious packets by impersonating the base station becauseall messages sent from the base station are authenticated by120583TESLA mechanism
7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.
An inside attacker may attempt to alter and replay routing information to make routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.
In this paper, the schemes cannot protect the WSNs from such attacks; however, the schemes can hinder or minimize the consequences caused by such attacks.
First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.
Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching such attacks. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible, since the related sending node may overhear the forwarded messages altered by the captured node.
Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.
The proposed protocol can protect WSNs from the following attacks.
Sybil Attacks. In Sybil attacks, the attacker may replicate the captured node and deploy multiple replicas into the original network. With the help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen for the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.
HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network by increasing the transmission power to be high enough to make all the nodes convinced that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and some other packets in vain. However, it cannot succeed in the proposed protocols, because the attacker does not have a network-wide key for authentication.
It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages to the entire network from the base station.
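The neighbor-list argument used above for threat localization, Sybil replicas and HELLO floods can be modelled as follows. This is an added example, not the paper's code: each node freezes its approved-neighbor list when discovery ends and accepts a message only if the sender is on that list and the MAC verifies under the pairwise key. The topology, random pairwise keys, message layout and all names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os


def tag(key: bytes, sender: str, payload: bytes) -> bytes:
    """MAC over sender identity and payload under a pairwise key."""
    return hmac.new(key, sender.encode() + b"|" + payload, hashlib.sha256).digest()


class Node:
    def __init__(self, node_id: str):
        self.node_id = node_id
        self.neighbors = {}          # approved neighbor id -> pairwise key
        self.discovery_open = True   # only true during the short discovery phase

    def add_neighbor(self, other_id: str, pairwise_key: bytes) -> bool:
        if not self.discovery_open:
            return False             # list is frozen after discovery
        self.neighbors[other_id] = pairwise_key
        return True

    def close_discovery(self) -> None:
        self.discovery_open = False

    def send(self, to_id: str, payload: bytes) -> dict:
        key = self.neighbors[to_id]
        return {"sender": self.node_id, "payload": payload,
                "mac": tag(key, self.node_id, payload)}

    def accept(self, msg: dict) -> str:
        key = self.neighbors.get(msg["sender"])
        if key is None:
            return "reject: sender not an approved neighbor"
        expected = tag(key, msg["sender"], msg["payload"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "reject: bad MAC"
        return "accept"

    def revoke(self, node_id: str) -> bool:
        """Delete the pairwise key shared with a node reported as compromised."""
        return self.neighbors.pop(node_id, None) is not None


def link(x: Node, y: Node) -> bool:
    """Pairwise key establishment between two nodes (key value is constructed)."""
    key = os.urandom(16)
    return x.add_neighbor(y.node_id, key) and y.add_neighbor(x.node_id, key)


def demo() -> dict:
    a, b, c, d, e = (Node(n) for n in "ABCDE")
    link(a, b), link(b, c), link(d, e)           # D and E are far from A
    for n in (a, b, c, d, e):
        n.close_discovery()
    r = {"genuine": b.accept(a.send("B", b"reading=21.5"))}

    # HELLO flood: an outsider M reaches every node but shares no pairwise key.
    hello = {"sender": "M", "payload": b"HELLO", "mac": os.urandom(32)}
    r["hello_flood"] = [n.accept(hello) for n in (b, c, d, e)]
    # Claiming an approved identity does not help without that pairwise key.
    r["spoofed_id"] = d.accept({"sender": "E", "payload": b"HELLO",
                                "mac": os.urandom(32)})

    # Replica of captured node A, carrying A's keying material.
    replica = Node("A")
    replica.neighbors = dict(a.neighbors)
    r["replica_far"] = d.accept(replica.send("B", b"route-update"))
    r["replica_late_join"] = link(replica, d)    # D's discovery phase is over
    r["replica_near"] = b.accept(replica.send("B", b"route-update"))

    # Once A is detected, its neighbor B deletes the shared pairwise key.
    r["revoked"] = b.revoke("A")
    r["after_revocation"] = b.accept(replica.send("B", b"route-update"))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The only place the replica is accepted is at B, a genuine neighbor of the captured node, and only until B revokes the pairwise key.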
7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.
In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in WSNs.
In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, so as to create a sinkhole. Moreover, nodes which are multiple hops away may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch a wormhole attack, such an attack is very powerful in practice [24].
In the proposed protocols, an outside attacker cannot succeed in launching a wormhole attack except in the neighbor discovery process, since a node will know all its neighbor nodes after the pairwise key is established, which means the attacker cannot convince two distant nodes to believe that they are neighbors of each other.
Because the time of the neighbor discovery process is very short (usually seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors once the neighbor discovery phase is finished. The authenticated neighborhood information is critical to deal with the wormhole attacks.
In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station turns smaller, node $B$ will be especially attractive to surrounding nodes. In practice, the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and then sensor nodes will know the approximate number of hops from the base station. Thus, it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.
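One way a node could use its knowledge of approximate hop counts to flag an unusually attractive route advertisement is sketched below. This is an added example, not a mechanism specified in the paper: the two plausibility rules, the tolerance of one hop, the topology and the node names are all assumptions constructed for illustration.

```python
from collections import deque


def hop_counts(adjacency: dict, base: str) -> dict:
    """Breadth-first search from the base station: hops recorded at construction."""
    dist = {base: 0}
    queue = deque([base])
    while queue:
        u = queue.popleft()
        for v in adjacency[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


class HopMonitor:
    """Per-node check of hop counts advertised by authenticated neighbors."""

    def __init__(self, node_id: str, adjacency: dict, baseline: dict, tolerance: int = 1):
        self.own = baseline[node_id]
        self.neighbor_baseline = {n: baseline[n] for n in adjacency[node_id]}
        self.tolerance = tolerance   # assumed slack for legitimate route changes

    def check(self, sender: str, advertised_hops: int) -> str:
        if sender not in self.neighbor_baseline:
            return "reject: not an authenticated neighbor"
        # A direct neighbor cannot be more than one hop closer to the base
        # station than this node is.
        if advertised_hops < self.own - 1:
            return "alert: neighbor claims to be implausibly close to base station"
        if abs(advertised_hops - self.neighbor_baseline[sender]) > self.tolerance:
            return "alert: hop count deviates from recorded topology"
        return "ok"


def demo() -> list:
    # Constructed line topology: BS - n1 - n2 - n3 - n4 - n5 - n6
    adjacency = {
        "BS": ["n1"], "n1": ["BS", "n2"], "n2": ["n1", "n3"],
        "n3": ["n2", "n4"], "n4": ["n3", "n5"], "n5": ["n4", "n6"], "n6": ["n5"],
    }
    baseline = hop_counts(adjacency, "BS")
    monitor = HopMonitor("n5", adjacency, baseline)
    advertisements = [
        ("n4", 4),   # matches the recorded topology
        ("n4", 5),   # small change, within tolerance
        ("n4", 1),   # compromised neighbor advertising a very short route
        ("n6", 4),   # downstream neighbor suddenly two hops closer
        ("X", 1),    # sender that never completed neighbor discovery
    ]
    return [(s, h, monitor.check(s, h)) for s, h in advertisements]


if __name__ == "__main__":
    for row in demo():
        print(row)
```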
7.4. Conclusion. This paper proposes a basic key management protocol based on initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.
To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.
The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to the original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.
This paper presents a proposal for key establishment and achieves security mainly based on the combined application of four kinds of keys. This is a critical step, and how to use such keys to build a protection mechanism is a focus of our future research.
Notations
$N$: The number of nodes in the network
$A$, $B$: Two communicating nodes in the network (also represents the node identifier)
$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$
$H(K)$: One-way hash function to generate a chain of keys using the seed $K$
$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$
$K$: The master key only possessed by base station
$K_A$: Individual key of node $A$
$E_K(m)$: Encryption of message $m$ with a symmetric key $K$
$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$
$A \rightarrow B: M$: Node $A$ sends a message $M$ to node $B$
$A \rightarrow *: M$: Node $A$ sends a local broadcast message $M$ to all its neighbors
$h(m)$: Calculate hash value of message $m$
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).
References
[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "Wireless sensor networks: a survey," Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.
[2] X. He, M. Niedermeier, and H. de Meer, "Dynamic key management in wireless sensor networks: a survey," Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.
[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, "A unified security framework with three key management schemes for wireless sensor networks," Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.
[4] C. Intanaonwiwat, R. Govindan, and D. Estrin, "Directed diffusion: a scalable and robust communication paradigm for sensor networks," in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.
[5] A. Manjeshwar and D. P. Agrawal, "TEEN: a routing protocol for enhanced efficiency in wireless sensor networks," in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS '01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.
[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom '01), pp. 189–199, Rome, Italy, July 2001.
[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.
[8] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.
[9] H. O. Sanli, S. Ozdemir, and H. Cam, "SRDA: secure reference-based data aggregation protocol for wireless sensor networks," in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC '04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.
[10] T. Dimitriou and I. Krontiris, "A localized, distributed protocol for secure information exchange in sensor networks," in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), pp. 37–45, IEEE, April 2005.
[11] S. Zhu, S. Setia, and S. Jajodia, "LEAP: efficient security mechanisms for large-scale distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 62–72, ACM, New York, NY, USA, October 2003.
[12] J. Shen and L. Xu, "Cluster-based key pre-distribution scheme for wireless sensor networks," Journal of Wuhan University, Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).
[13] X. Huang, M. Yang, and S.-S. Lv, "Secure and efficient key management protocol for wireless sensor network and simulation," Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.
[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS '12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.
[15] L.-C. Li, J.-H. Li, and J. Pan, "Self-healing group key management scheme with revocation capability for wireless sensor networks," Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.
[16] Z. Ming, W. Suo-ping, and X. He, "Dynamic key management scheme for wireless sensor networks based on cluster," Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.
[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, "Transitory initial key-based key management protocol in wireless sensor networks," Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.
[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, "A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE 802.16e wireless networks," Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.
[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, "Fine-grained access control system based on outsourced attribute-based encryption," in Computer Security – ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013. Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.
[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, "Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach," in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP '03), pp. 326–335, Atlanta, Ga, USA, November 2003.
[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, Washington, DC, USA, October 2003.
[22] D. Liu and P. Ning, "Multi-level μTESLA: broadcast authentication for distributed sensor networks," ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.
[23] J. Li, Q. Wang, C. Wang, and K. Ren, "Enhancing attribute-based encryption with attribute hierarchy," Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.
[24] Y. S. Lee, J. W. Park, and L. Barolli, "A localization algorithm based on AOA for ad-hoc sensor networks," Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.
[15] L-C Li J-H Li and J Pan ldquoSelf-healing group key man-agement scheme with revocation capability for wireless sensornetworksrdquo Journal on Communications vol 30 no 12 pp 12ndash172009
[16] Z Ming W Suo-ping and X He ldquoDynamic key managementscheme for wireless sensor networks based on clusterrdquo Journalof Nanjing University of Posts and Telecommunications (NaturalScience) vol 32 no 1 2012
[17] G-J Wang T-T Lv and M-Y Guo ldquoTransitory initial key-based key management protocol in wireless sensor networksrdquoChinese Journal of Sensors and Actuators vol 20 no 7 pp 1581ndash1586 2007
[18] Y-F Ciou F-Y Leu Y-L Huang and K Yim ldquoA han-dover security mechanism employing the Diffie-Hellman keyexchange approach for the IEEE80216e wireless networksrdquoMobile Information Systems vol 7 no 3 pp 241ndash269 2011
[19] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grained access control system based on outsourced attribute-based encryptionrdquo in Computer SecuritymdashESORICS 2013 18thEuropean Symposium on Research in Computer Security EghamUK September 9ndash13 2013 Proceedings vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013
[20] A Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols (ICNP rsquo03) pp 326ndash335 Atlanta GaUSA November 2003
[21] W Du Y S Han J Deng and P K Varshney ldquoA pairwisekey pre-distribution scheme for wireless sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 42ndash51 WashingtonDC USA October 2003
[22] D Liu and P Ning ldquoMulti-level 120583TESLA broadcast authenti-cation for distributed sensor networksrdquo ACM Transactions onEmbedded Computing Systems vol 3 no 4 pp 800ndash836 2004
[23] J Li Q Wang C Wang and K Ren ldquoEnhancing attribute-based encryptionwith attribute hierarchyrdquoMobileNetworks andApplications vol 16 no 5 pp 553ndash561 2011
[24] Y S Lee J W Park and L Barolli ldquoA localization algorithmbased on AOA for ad-hoc sensor networksrdquoMobile InformationSystems vol 8 no 1 pp 61ndash72 2012
[11] S Zhu S Setia and S Jajodia ldquoLEAP efficient security mech-anisms for large-scale distributed sensor networksrdquo in Proceed-ings of the 10th ACM Conference on Computer and Communica-tions Security (CCS rsquo03) pp 62ndash72 ACM New York NY USAOctober 2003
[12] J Shen and L Xu ldquoCluster-based key pre-distribution sehemefor wireless sensor networksrdquo Journal ofWuhanUniversity Nat-ural Science Edition vol 55 no 1 pp 117ndash120 2009 (Chinese)
[13] X Huang M Yang and S-S Lv ldquoSecure and efficient key man-agement protocol for wireless sensor network and simulationrdquoJournal of System Simulation vol 20 no 7 pp 1898ndash1903 2008
[14] X Chen J Li J Ma Q Tang and W Lou ldquoNew algo-rithms for secure outsourcing of modular exponentiationsrdquo inComputer SecuritymdashESORICS 2012 17th European Symposiumon Research in Computer Security (ESORICS rsquo12) Pisa ItalySeptember 10ndash12 2012 vol 7459 of Lecture Notes in ComputerScience pp 541ndash556 Springer Berlin Germany 2012
[15] L-C Li J-H Li and J Pan ldquoSelf-healing group key man-agement scheme with revocation capability for wireless sensornetworksrdquo Journal on Communications vol 30 no 12 pp 12ndash172009
[16] Z Ming W Suo-ping and X He ldquoDynamic key managementscheme for wireless sensor networks based on clusterrdquo Journalof Nanjing University of Posts and Telecommunications (NaturalScience) vol 32 no 1 2012
[17] G-J Wang T-T Lv and M-Y Guo ldquoTransitory initial key-based key management protocol in wireless sensor networksrdquoChinese Journal of Sensors and Actuators vol 20 no 7 pp 1581ndash1586 2007
[18] Y-F Ciou F-Y Leu Y-L Huang and K Yim ldquoA han-dover security mechanism employing the Diffie-Hellman keyexchange approach for the IEEE80216e wireless networksrdquoMobile Information Systems vol 7 no 3 pp 241ndash269 2011
[19] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grained access control system based on outsourced attribute-based encryptionrdquo in Computer SecuritymdashESORICS 2013 18thEuropean Symposium on Research in Computer Security EghamUK September 9ndash13 2013 Proceedings vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013
[20] A Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols (ICNP rsquo03) pp 326ndash335 Atlanta GaUSA November 2003
[21] W Du Y S Han J Deng and P K Varshney ldquoA pairwisekey pre-distribution scheme for wireless sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 42ndash51 WashingtonDC USA October 2003
[22] D Liu and P Ning ldquoMulti-level 120583TESLA broadcast authenti-cation for distributed sensor networksrdquo ACM Transactions onEmbedded Computing Systems vol 3 no 4 pp 800ndash836 2004
[23] J Li Q Wang C Wang and K Ren ldquoEnhancing attribute-based encryptionwith attribute hierarchyrdquoMobileNetworks andApplications vol 16 no 5 pp 553ndash561 2011
[24] Y S Lee J W Park and L Barolli ldquoA localization algorithmbased on AOA for ad-hoc sensor networksrdquoMobile InformationSystems vol 8 no 1 pp 61ndash72 2012