Scalable security in Wireless Sensor and Actuator Networks (WSANs): Integration re-keying with routing

Abstract

Our research aims to address the challenging security issues in Wireless Sensor and Actuator Networks (WSANs), a special type of Wireless Sensor Networks (WSNs). Since WSANs have specific network constraints and data transmission requirements compared to general ad hoc networks and other wireless/wired networks, we propose to seamlessly integrate WASN security with a ripple-zone (RZ)-based routing architecture that is scalable and energy-efficient. In this research, we will also develop a two-level re-keying/re-routing schemes that cannot only adapt to a dynamic network topology but also securely update keys for each data transmission session. Moreover, to provide the security for the in-networking processing such as data aggregation in WSANs, we define a multiple-key management scheme in conjunction with our proposed Ripple-Zone routing architecture. Extensive simulations and hardware experiments have been conducted to verify the energy-efficiency and security performance of our security scheme for WSANs.

Introduction

More recently, an important type of network, which is based on the integration of Mobile Ad hoc Network (MANET) that consists of mobile “actuators” and Wireless Sensor Networks (WSNs) with large amount of low-energy tiny “sensors”, have played more and more important roles in homeland security applications [1], [2]. Such hybrid networks are usually called Wireless Sensor and Actuator Networks (WSANs) [2], which cannot be simply regarded as MANETs due to the coexistence of mobile actuators (forming MANET) and fixed sensors (forming WSN). As shown in Fig. 1, actuators execute corresponding tasks based on the collected sensing data from sensors. Please notice that there are some important differences between the two components in a WSAN (i.e., the MANET and the WSN): (1) the number of the nodes in a WSN is significantly larger than in a MANET; (2) sensors are usually low-cost devices with severe constraints with respect to energy source, computation capabilities, and memory; while actuators generally have relatively higher energy storage, which allows longer wireless transmission distance; (3) the sensors are usually stationary or with quite limited mobility; and (4) mode of communication in WSNs typically is many-to-one (from sensors to sink), while it is typically peer-to-peer in MANETs. While WSNs are concerned only with sensor-to-sink interconnections, in WSANs four types of coordination need to be considered in the same scenario: actuator-to-actuator (A–A) (to determine which actuators should respond to which sensing area), sensor-to-sensor (S–S) (to use multi-hop communication mode to transmit sensing data), actuator-to-sensor (A–S) (downlink transmission to instruct sensors to execute a certain sensing tasks), and sensor-to-actuator (S–A) (uplink transmission to report new events or required query results). A–A coordination can be regarded as a MANET issue that has been studied extensively so far. S–S coordination is a topic of WSN that is still a largely unexplored field [3].

Security is important in many WSAN-based civilian/military applications, such as disaster recovery (earthquake and fire rescue, etc.), airport terrorist-attack prevention, industrial manufacturing control, and so on. The study of security should consider the following challenges in WSANs: (1) considering actuator/sensor coordination and actuator/sensor heterogeneity; (2) protocol simplicity (sensors have limited memory and computational capability [3]); (3) algorithm scalability (there can be hundreds, if not thousands, of sensors in a typical WSAN application [1]); and (4) low-energy consumption (to extend the lifetime of tiny sensors). The energy for one bit of wireless communication can be used to execute over 1100 local instructions in a sensor [2]. Thus the WSAN trustworthiness protocols should have low wireless communication overhead.

Many of the current sensor network security schemes are based on key pre-distribution strategy [6], [7], [8]. It works as follows: before sensor deployment, a subset of key pool are assigned to each sensor to make two sensors likely share a pairwise key. However, we argue that key pre-distribution only cannot achieve satisfactory security performance because the attackers can capture some sensors/actuators and learn those “permanent” keys. It is important to update those keys (i.e., using re-keying) from time to time for different packet transmission sessions. Re-keying is also important in terms of adaptation to network topology changes due to node failure, node addition, and interruptions in the wireless transmission medium [5]. For example, if nodes fail due to low power, messages will fail to be delivered because routes containing the dead nodes still exist. In the case of node addition, it is important to distinguish between legitimate sensor traffic, and the infiltration of the network by an enemy node. Also, intermittent connectivity must be considered because the security scheme should be able to deal with wireless errors. These considerations, along with the resource (battery, memory, etc.) constraints imposed, make the design of a WSAN security scheme an extremely difficult task.

The contributions and innovations of our proposed WSAN security scheme include the following four aspects:

(1) Seamless integration of security with scalable WSAN routing protocols: our scheme is highly practical because it was designed to integrate routing layer and security protocol without sacrificing power. It is a dynamic, distributed protocol where security is provided independent of central control. Existing work overlooks the idea that any security scheme should be seamlessly integrated with the special characteristics of sensor network architecture, especially routing protocols; otherwise, the security scheme may not be practical or energy-efficient from the network protocol point of view [3]. Our security considers special WSAN topology through a two-level keying.

Thorough research of the field has found that most of the existing sensor network security strategies focus only on key management/security algorithms. For example, all existing key-predistribution schemes try to establish pairwise keys between each pair of nodes. However, most sensors do not need to establish a direct point-to-point secure channel with sensors multiple hops away since sensor network use hop-to-hop communication techniques to achieve long-distance transmission. One of the most famous schemes, SPINS [9], simply assumes a flooding-based, spanning-tree architecture with the BS as the tree-root. However, the establishment and maintenance of a global spanning tree in a large-scale WSN with a large footprint may not only bring unacceptable communication overhead (and thus increased energy consumption¹), but also cause a large transmission delay and make the assumption of time synchronization in μTESLA (a broadcast authentication protocol [9]) impractical. Another important feature of our work is that it has a robust hop-to-hop transmission scheme and can recover from multiple-key losses.

(2) Dynamic security: dynamic network topology is native to WSANs because nodes can fail or be added. In the case where nodes fall out, these nodes must be recognized “dysfunctional” from the viewpoint of the rest of the network. In the case of node addition, a protocol must be able to distinguish between legitimate node addition and attempted enemy infiltration. Given these reasons, “adaptive security” should be present for WSAN applications in order to ensure overall network security.

(3) Robust re-keying: from time to time, network enemies might compromise sensors and all security information in those sensors may be obtained. Therefore, after key-predistribution and sensor deployment, a re-keying scheme should be used to update some types of keys such as group keys (for broadcast security) and session keys (for securing the current data packets). This is done to ensure that enemies cannot acquire the keys easily. In this work, a re-keying protocol that can adapt to dynamic network conditions such as sensor compromise and topology change is planned.

(4) Low-complex implementation. Our work uses a symmetric-key-based scheme because memory use is a major concern in sensors [3]. This prohibits the use of memory-intensive asymmetric keying schemes. Asymmetric keying schemes need more complex cryptography calculations and protocols, which can bring too much communication overhead compared to symmetric-key-based schemes. Our security protocol also has low transmission energy due to its cluster-based key management. Because a WSAN typically consists of hundreds, if not thousands, of nodes, network topology/densities can change; therefore, a centralized or flooding-based security scheme cannot scale well. Thus distributed algorithms and localized coordination to achieve global convergence and scalability is preferred [3].

The rest of this paper is organized as follows: in Section 2, we will point out the shortcomings of the related works and the importance of this work; Section 3 first provides our scalable routing architecture and then discusses about the security issues in high-level nodes of WSAN (i.e., among actuators); in Section 4, security among low-level nodes (among sensors in each actuator’s domain) will be described in detail; extensive simulation results will be given in Section 5. Section 6 is the security analysis; hardware experiments are stated in Section 7. Finally, Section 8 concludes this paper.

As pointed out in [2], currently, very little research work has been conducted on WSANs that have the coexistence of mobile actuators and low-energy sensors. A contention-free MAC protocol for WSAN is presented in [24]. In [25], WSANs are only examined from the control engineering perspective. While the A–A coordination is investigated in [26], existing and emerging technologies in WSANs are briefly described without consideration of the interaction between the sensors and actuators in [27], [28].

The closest related work to WSANs occurs in the general Wireless Sensor Networks (WSNs), which is a hot research field today. A survey of the early work on WSNs is provided in [3]. In terms of security issues in general sensor networks (not WSANs), the pioneering work on securing WSN end-to-end transmission is SPINS [9], which requires time synchronization among sensors. It also proposes μTESLA, an important innovation for achieving broadcast authentication of any messages sent from the base station (BS). An improved multi-level μTESLA key chain mechanism was proposed in [29], [30]. A key-pool scheme was suggested in [10] to guarantee that any two sensors share at least one pairwise key with a certain probability. Multiple pairwise keys may be found between nodes by the schemes proposed in [11]. Key-predistribution schemes utilizing location information were described in [12]. Other WSN security research works include authentication [13], Denial-of-Service (DoS) attacks [14], routing security [15], group security [16], [17], multiple-key management [18], [19], and simple system-level security analysis [20], [21], [22], [23].

Why those WSN “security” schemes do NOT work well in WSAN environments? One of the common drawbacks of those sensor network security schemes is that they do not integrate security with a hierarchical sensor network routing architecture and specific characteristics of WSANs (such as the coexistence of actuators and sensors). Because the sensors may only want to report data to the nearby actuators, it will cause much security overhead if we build secure links between any two nodes. It is necessary to reduce key management overhead through cluster-based communication architecture around each actuator [2], [3]. In this research, we integrate WSAN security issues with our proposed ripple-zone-based WSAN routing architecture (Sections 3 High-level security, 4 low-level security). We will show that clustering-based re-keying scheme can save lots of energy compared to those works based on general flat routing topology. (Note that energy consumption is the top concern in tiny, battery-driven sensors [3].)