Private key agreement and secure communication for heterogeneous sensor networks

https://doi.org/10.1016/j.jpdc.2010.03.009

Abstract

Key management is an important building block for all security operations in sensor networks. Most existing key management schemes try to establish shared keys for all pairs of neighbouring sensors; hence, a large number of keys need to be preloaded on each sensor, which necessitates a large key space for the nodes in the network. The recent trend in research is to mainly consider homogeneous sensor networks, and to a lesser degree heterogeneous sensor networks, for key management. In this paper, we propose a novel key agreement protocol which is based on pairing-based cryptography over an elliptic curve. Using this protocol, any two nodes that need to communicate can independently compute the same secret key by using pairing and identity-based encryption properties. The proposed protocol significantly reduces the key space of a node. Additionally, the security analysis of the proposed protocol shows that it is robust against a number of attacks, including wormhole attacks, masquerade attacks, replay attacks, and message manipulation attacks.

Introduction

Recent advancements in the domains of computation and wireless communication have made possible the formation of wireless sensor networks (WSNs). These networks can be seen as large federations of low-power wireless sensors, where each sensor has very limited CPU power, energy supply, and memory space. Such sensor networks have been envisioned to have a wide range of sensing applications in both the military and the civilian domain. So far, researchers have studied several aspects of wireless sensor networks, including routing, Medium Access Control (MAC), collaborative data gathering mechanisms, and security. Additionally, as these sensor nodes have serious energy constraints and their battery replenishment is often not practical, designing energy-efficient protocols and applications has always been a key design objective in most research related to wireless sensor networks. One approach to efficiently use the scarce energy, communication and computational resources in a WSN is to divide the network into a number of clusters, where a cluster head serves as a fusion point for the aggregation of all the data gathered in a cluster. As a result, the amount of data that is actually transmitted from the cluster to the base station is reduced, which consumes fewer resources. Clustering has also been shown to allow graceful scalability in WSNs.

Clustered sensor networks can be classified into two broad types: homogeneous and heterogeneous sensor networks. In homogeneous networks, all the sensor nodes are identical in terms of battery energy and hardware complexity. With purely static clustering (cluster heads, once elected, serve for the entire lifetime of the network) in a homogeneous network, it is evident that the cluster head nodes will be overloaded with the long-range transmissions to the remote base station, in addition to the extra processing necessary for data aggregation and protocol coordination. As a result, the cluster head node can consume all its energy resources before the other nodes in the cluster [18], [10], [34]. On the other hand, in a heterogeneous sensor network (HSN) [17], [35], [15], two or more different types of nodes with different levels of battery energy and functionality are used. The argument is that by using a few designated nodes (called cluster heads, H-nodes, or H-sensors) that have complex hardware, extra battery energy, and additional functionalities, while keeping the rest of the nodes simple (called leaf nodes, L-nodes, or L-sensors), the total cost of the hardware in the network can be minimized while providing a longer life span.

Security and privacy are the most pressing issues hindering the wide acceptance and deployment of WSNs, especially when these networks are to be deployed in hostile environments, such as a military environment. Most available data security operations require robust key management to function properly; however, due to resource constraints on the sensors, establishing a key agreement in wireless sensor networks is a non-trivial task. A number of key agreement schemes can be found in the literature [15], [11], [31], [8], [12]. The existing literature in [15], [11], [31], [8] considers homogeneous wireless sensor networks as the network model, and only in [12] is a heterogeneous sensor network considered as the network model. Our research focus in this paper is to design an efficient key agreement protocol for heterogeneous sensor networks which ensures better performance than the existing ones.

In [15], Eschenauer and Gligor presented a key management scheme based on probabilistic key pre-distribution for WSNs. To guarantee acceptable secure connectivity between the nodes in the network, the scheme requires that the probability of each sensor sharing at least one key with a neighbouring sensor (referred to as the ‘key-sharing probability’) be high. Requiring a high key-sharing probability means that each node needs to store a large number of keys, and hence has a large key space. In this scheme each sensor randomly selects its key ring from a key pool of size P. To achieve a high key-sharing probability, the key pool size should be large; as a result, each sensor needs to pre-load a large number of keys. For example, when P is 10,000, each sensor needs to pre-load more than 150 keys for a key-sharing probability of 0.9. If the key length is 256 bits, then 150 keys require a storage space of 4800 bytes. Such a storage requirement is too large for many sensor nodes. For example, a smart dust sensor [23] has only 8 kB of program memory and 512 bytes of data memory.
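The figures quoted for the E-G scheme (pool size 10,000, more than 150 keys for a 0.9 key-sharing probability, 4800 bytes at 256-bit keys) follow from a simple combinatorial calculation. The following script is an added worked example, not code from the paper or from Eschenauer and Gligor: it computes the key-sharing probability for a given pool and ring size, searches for the smallest ring that meets a target probability, and converts the ring into a storage requirement. The function names and the 256-bit key length default are this example's own choices.

```python
"""Added worked example: key-sharing probability and storage cost of the
Eschenauer-Gligor (E-G) random key pre-distribution scheme."""
from fractions import Fraction
from math import comb


def key_sharing_probability(pool_size: int, ring_size: int) -> float:
    """Probability that two sensors, each holding a random ring of `ring_size`
    keys drawn without replacement from a pool of `pool_size` keys, share at
    least one key.  Exact value is 1 - C(P-k, k) / C(P, k); it is evaluated
    here as a running product so it stays cheap for large pools."""
    if ring_size <= 0:
        return 0.0
    if 2 * ring_size > pool_size:
        return 1.0                      # pigeonhole: two rings must overlap
    no_overlap = 1.0
    for i in range(ring_size):
        no_overlap *= (pool_size - ring_size - i) / (pool_size - i)
    return 1.0 - no_overlap


def key_sharing_probability_exact(pool_size: int, ring_size: int) -> Fraction:
    """Same quantity as an exact rational, for cross-checking the float loop."""
    if ring_size <= 0:
        return Fraction(0)
    if 2 * ring_size > pool_size:
        return Fraction(1)
    disjoint = comb(pool_size - ring_size, ring_size)
    return 1 - Fraction(disjoint, comb(pool_size, ring_size))


def min_ring_size(pool_size: int, target: float) -> int:
    """Smallest ring size whose key-sharing probability reaches `target`."""
    k = 1
    while key_sharing_probability(pool_size, k) < target:
        k += 1
    return k


def ring_storage_bytes(ring_size: int, key_bits: int = 256) -> int:
    """Bytes of key storage a sensor needs for its ring (assumed key length)."""
    return ring_size * key_bits // 8


def eg_requirements(pool_size: int, target: float, key_bits: int = 256) -> dict:
    """Summarise what the E-G scheme asks of one sensor for a given pool/target."""
    k = min_ring_size(pool_size, target)
    return {
        "pool_size": pool_size,
        "ring_size": k,
        "probability": key_sharing_probability(pool_size, k),
        "storage_bytes": ring_storage_bytes(k, key_bits),
    }


if __name__ == "__main__":
    # Reproduces the paper's figures: P = 10,000 and a 0.9 target need
    # more than 150 keys; 150 keys of 256 bits occupy 4800 bytes.
    print(eg_requirements(10_000, 0.9))
    print("150 keys ->", ring_storage_bytes(150), "bytes")
```

The float loop and the exact rational agree to well below floating-point noise for these sizes; the exact form is kept so the product formula can be checked against the closed-form binomial expression.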

In [12], the authors consider HSNs as the network model for their key management scheme, where sensors form a cluster-based hierarchical network. This key management scheme for HSNs is based on elliptic curve public/private key sharing. The scheme requires that each node, during the bootstrap of the network, loads a number of public/private key pairs depending on whether the leaf nodes know their root nodes or not. Thus, prior to or at deployment time, all the L-sensors need to know the identity and the keys of their H-sensors (an L-sensor is defined as a low-end sensor or leaf node in a cluster, and an H-sensor is defined as a cluster head). The problem with the protocol is that it is not always possible for all the leaf nodes to know about the root nodes prior to the network deployment. Consider the case where there are M H-sensors and N L-sensors in an HSN, and each H-sensor is pre-loaded with the public keys of all L-sensors, plus a private/public key pair for itself, and an extra key for a newly deployed sensor. Each L-sensor is pre-loaded with its private key and the public key of its H-sensor (the L-sensor knows its corresponding H-sensor, because nodes are deployed according to a predefined topological tree structure). Thus, an H-sensor is pre-loaded with N+3 keys and an L-sensor is pre-loaded with 2 keys. Therefore, the total number of pre-loaded keys is M×(N+3)+(2×N)=(M+2)N+(3M), as the authors claimed. If the protocol in [12] does not rely on a predefined topological tree structure, then each L-sensor needs to be pre-loaded with M+1 keys, so the total number of pre-loaded keys is M×(N+3)+(M+1)×N=(2×M×N)+(3×M)+N; otherwise the scheme introduces large communication overhead and further security problems. The problem with this scheme is that all the nodes in the network need to know the topological structure of the network. Hence, all the nodes must be deployed according to the predefined topological structure of the network; otherwise there will be a mismatch between the private/public key pairs of the L-sensors and their corresponding H-sensors. This scheme also assumes static life-long connections between communicating nodes, which is not realistic for WSNs.

Until recently, public-key cryptography has been deemed computationally expensive for small sensor nodes, as traditional public-key algorithms (such as RSA) require extensive computation, which is not feasible for small sensors. However, recent progress in Elliptic Curve Cryptography (ECC) [24] provides new opportunities to utilize public-key cryptography in sensor networks. A recent implementation of 160-bit ECC on an Atmel ATmega128, which has an 8-bit 8 MHz CPU, shows that an ECC point multiplication takes less than one second [19], demonstrating that it is possible to use ECC public-key cryptography in sensor networks. Additionally, ECC can be combined with the Diffie–Hellman approach to provide a key exchange scheme for two communicating parties. ECC can also be used for digital signatures, encryption, and decryption. The Elliptic Curve Digital Signature Algorithm (ECDSA) uses ECC to generate a digital signature for authentication and for other security purposes [25], [4]. Several approaches for encryption and decryption using ECC have been proposed thus far [24], [25], [4]. Based on ECC, Du et al. proposed a key management scheme for a heterogeneous sensor network in [12]. The authors showed that their scheme performs better than other existing schemes. In this paper, we propose a more efficient protocol than [12] and the other existing schemes.

Identity-Based Cryptography (IBC) is a type of cryptography where a single piece of information that uniquely identifies a user (e.g. IP or email addresses) can be used to both exchange keys and encrypt data without requiring a Public Key Infrastructure (PKI). The concept of IBC was first introduced in Shamir’s work presented in [33], and it has only become truly practical with the advent of Pairing-Based Cryptography (PBC) [32]. Our proposed protocol is based on PBC, and it ensures better performance than the other key management schemes in the literature.

The first known implementation of PBC for sensor nodes, based on the 8-bit/7.3828-MHz ATmega128L microcontroller (e.g., MICA2 and MICAz motes), has been presented in [28]. Oliveira et al. [30], [29] argued that Identity Based Encryption (IBE) is the ideal cryptographic scheme for WSNs. The authors supported their argument with some empirical results. Specifically, the authors evaluated the time requirement for pairings, the most significant operation of IBE, over the MICAz, the new generation of MICA mote nodes [20]. The MICAz is powered by the ATmega128 microcontroller (8-bit/7.38 MHz processor, 4 kB SRAM, 128 kB flash memory), and typically runs the TinyOS operating system [27]. The authors suggested that the average execution time to compute a pairing is well within what is feasible for WSNs. The authors also reported that the storage requirement for the pairing is 1831 bytes of RAM and 18,384 bytes of ROM. Thus, the above result shows that a pairing computation for sensor networks, using current hardware, is feasible.

In this paper, we present an efficient key management scheme for HSNs based on pairing-based cryptography (PBC). Using a pairing computation over an elliptic curve, a node in the network obtains only its own secret point from the base station, and uses it later to dynamically establish secret keys with other communicating nodes. As a result, this scheme reduces key space and communication overhead compared to the existing schemes. The proposed key management is extremely efficient, as a node sets up shared secret keys only with the nodes it needs to communicate with. As a result, our proposed protocol can significantly reduce communication and computation overhead, which will reduce the energy consumption of the sensor nodes.

The rest of this paper is organized as follows. Section 2 describes the preliminaries which are useful for understanding the proposed protocol. In Section 3, the proposed protocol architecture and design is given. In Section 4, the key management and authentication procedures of the proposed protocol are presented in detail. In Section 5, we present the performance evaluation of the key space requirement for the protocol. The security analysis of the proposed protocol is shown in Section 6; and finally, the conclusion and some closing remarks drawn from the paper are presented in Section 7.

Section snippets

Preliminaries

In this section, we describe the structure of HSNs together with some preliminary and mathematical properties needed to better understand the proposed protocol.

Mathematical architecture of the proposed protocol

The base station (sink node or system administrator) is responsible for determining the following parameters at the bootstrap of the network:

  • Two groups $G_1$ and $G_2$ of the same prime order $q$, where $G_1$ is an additive group and $G_2$ is a multiplicative group, as in Section 2.2.

  • A bilinear map $f: G_1 \times G_1 \to G_2$.

  • Two collision-resistant cryptographic hash functions $H_1$ and $H_2$, where $H_1: \{0,1\}^* \to G_1$ maps arbitrary-length strings to points in $G_1$, and $H_2: \{0,1\}^* \to \{0,1\}^{\Omega}$ maps arbitrary-length
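The abstract states that any two nodes can independently compute the same secret key from pairing and identity-based properties, and the introduction states that a node obtains only its own secret point from the base station. The script below is an added illustration of that algebra and is not the paper's code: it assumes the protocol follows the usual identity-based pattern in which the base station holds a master secret $s$, issues each node the secret point $s \cdot H_1(\mathrm{ID})$, and a shared key is derived as $H_2(f(s \cdot H_1(\mathrm{ID}_A), H_1(\mathrm{ID}_B)))$, which equals $H_2(f(H_1(\mathrm{ID}_A), H_1(\mathrm{ID}_B))^s)$ on both sides by bilinearity. The pairing itself is a constructed toy: $G_1$ is modelled as the additive group $\mathbb{Z}_q$ and $f(a,b) = g^{ab}$ in an order-$q$ subgroup of $\mathbb{Z}_p^*$, which is bilinear but offers no security because discrete logarithms in $\mathbb{Z}_q$ are trivial. The parameters $q = 1019$, $p = 2039$, the 128-bit output length $\Omega$ and the class and function names are all this example's assumptions.

```python
"""Added toy demonstration of pairing-based, identity-based non-interactive
key agreement.  Not the paper's code: the pairing is a constructed stand-in
that is bilinear but insecure, so only the algebra of the scheme is shown."""
import hashlib
import secrets

# Constructed toy parameters: q and p = 2q + 1 are both prime, so the quadratic
# residues of Z_p^* form a subgroup G2 of prime order q.  G1 is modelled as the
# additive group Z_q (an "elliptic curve" whose discrete log is trivial).
Q = 1019
P = 2 * Q + 1                       # 2039, prime
G = pow(2, (P - 1) // Q, P)         # generator of G2 (= 4, of order q)
OMEGA_BYTES = 16                    # assumed H2 output length: Omega = 128 bits
G2_ELEMENT_BYTES = (P.bit_length() + 7) // 8


def H1(identity: str) -> int:
    """H1: {0,1}* -> G1.  Hash an arbitrary string to a non-zero element of Z_q."""
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def H2(data: bytes) -> bytes:
    """H2: {0,1}* -> {0,1}^Omega, realised as truncated SHA-256."""
    return hashlib.sha256(data).digest()[:OMEGA_BYTES]


def pairing(a: int, b: int) -> int:
    """Toy bilinear map f: G1 x G1 -> G2, f(a, b) = G^(a*b mod q) mod p.
    Bilinearity: f(x*a, b) = f(a, b)^x = f(a, x*b)."""
    return pow(G, (a * b) % Q, P)


class BaseStation:
    """Trusted setup: holds the master secret s and issues secret points."""

    def __init__(self) -> None:
        self.master = secrets.randbelow(Q - 1) + 1      # s in [1, q-1]

    def secret_point(self, identity: str) -> int:
        # The only secret a node stores: S_ID = s * H1(ID) in G1.
        return (self.master * H1(identity)) % Q


def derive_key(my_identity: str, my_secret_point: int, peer_identity: str) -> bytes:
    """K = H2( f(S_me, H1(peer)) || sorted identities ).
    f(s*H1(A), H1(B)) = f(H1(A), H1(B))^s = f(H1(A), s*H1(B)), so both nodes
    reach the same value from their own secret point and the peer's ID alone."""
    shared = pairing(my_secret_point, H1(peer_identity))
    first, second = sorted((my_identity, peer_identity))
    transcript = shared.to_bytes(G2_ELEMENT_BYTES, "big")
    return H2(transcript + first.encode() + b"|" + second.encode())


def bilinearity_holds(a: int, b: int, x: int) -> bool:
    """Check f(x*a, b) == f(a, b)^x == f(a, x*b) for the toy map."""
    lhs = pairing((x * a) % Q, b)
    return lhs == pow(pairing(a, b), x, P) == pairing(a, (x * b) % Q)


def demo() -> dict:
    """An L-node and an H-node derive a key; a third node gets a different one."""
    bs = BaseStation()
    l_node, h_node, other = "L-node-7", "H-node-2", "L-node-9"
    k_l = derive_key(l_node, bs.secret_point(l_node), h_node)
    k_h = derive_key(h_node, bs.secret_point(h_node), l_node)
    k_other = derive_key(other, bs.secret_point(other), h_node)
    return {"match": k_l == k_h, "distinct_peer": k_l != k_other, "key": k_l.hex()}


if __name__ == "__main__":
    print(demo())
```

Binding both identities into the H2 input ties the derived key to the specific pair of nodes; with a real pairing over an elliptic curve the same structure applies, with $G_1$ points and the Tate or Weil pairing replacing the modular-exponentiation stand-in used here.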

Key management and authentication

The base station works as a system administrator and is responsible for generating IDs and corresponding secret points for all nodes in the network. At the bootstrap of the network, each node knows its ID, its secret point and its random number. Furthermore, each H-node knows the IDs of all L-nodes in its cluster as well as their random numbers. The random number of the nodes is periodically updated by the base station and distributed to the L-nodes via their corresponding H-nodes. This random

Performance evaluation of the key space requirement

In this section, we present the performance evaluation of our proposed protocol and compare it with existing protocols. For simplicity of naming and for comparison purposes, we refer to the ECC-based key management scheme for HSNs proposed by Du et al. in [12] as the ECC-X scheme, and to the key pre-distribution scheme proposed by Eschenauer and Gligor in [15] as the E-G scheme. Since the target of our proposed protocol is HSNs, it is enough to compare our proposed protocol with

Security analysis

In this section, we present the security analysis of our proposed protocol. First, we discuss the probability analysis of a compromise attack; later, we focus on the prevention of different kinds of attacks.

Conclusion

Key management for sensor networks is one of the main building blocks for any security operation. There are many existing key management protocols for homogeneous sensor networks, and a few for heterogeneous sensor networks, yet they all have some drawbacks in terms of key space and/or security. In this paper, we have proposed a new key management protocol for heterogeneous sensor networks which is based on pairing-based cryptography over an elliptic curve. The proposed protocol does not need to


References (35)

  • E.J. Duarte-Melo et al., Data-gathering wireless sensor networks: organization and capacity, Wireless Sensor Networks, Computer Networks (COMNET) (2003)
  • D. Balfanz et al., Secure handshakes from pairing-based key agreements, IEEE Symposium on Security & Privacy (2003)
  • P.S.L.M. Barreto et al., Efficient algorithms for pairing-based cryptosystems
  • P.S.L.M. Barreto et al., Efficient algorithms for pairing-based cryptosystems
  • I. Blake et al.
  • D. Boneh et al., Identity based encryption from the Weil pairing, SIAM Journal on Computing (2003)
  • D. Boneh et al., Identity-based encryption from the Weil pairing
  • D. Boneh et al., Short signatures from the Weil pairing
  • H. Chan, A. Perrig, D. Song, Random key predistribution schemes for sensor networks, in: Proc. of the 2003 IEEE...
  • R. Cristescu, B. Beferull-Lozano, Lossy network correlated data gathering with high-resolution coding, in: Proc. of...
  • W. Du et al., A pairwise key predistribution scheme for wireless sensor networks, ACM Transactions on Information and System Security (2005)
  • X. Du et al., A routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks, IEEE Transactions on Wireless Communications (2007)
  • X. Du et al., Maintaining differentiated coverage in heterogeneous sensor networks, EURASIP Journal on Wireless Communications and Networking (2005)
  • X. Du et al., Energy efficient chessboard clustering and routing in heterogeneous sensor network, International Journal of Wireless and Mobile Computing (IJWMC) (2006)
  • L. Eschenauer, V.D. Gligor, A key management scheme for distributed sensor networks, in: Proc. of the 9th ACM...
  • S. Galbraith et al., Implementing the Tate pairing
  • L. Girod, T. Stathopoulos, N. Ramanathan, et al., A system for simulation, emulation, and deployment of heterogeneous...

Dr. Sk.Md. Mizanur Rahman is a postdoctoral fellow in the School of Information Technology and Engineering (SITE) at the University of Ottawa, Canada. Prior to his current position, he was for a year at the University of Ontario Institute of Technology (UOIT), where he conducted this research work. He also worked for another year at the University of Guelph, Canada. He completed a Ph.D. in Risk Engineering (Cyber Risk) in the Laboratory of Cryptography and Information Security, Department of Risk Engineering, University of Tsukuba, Japan, in March 2007. The Information Processing Society of Japan (IPSJ) awarded Dr. Rahman the “IPSJ Digital Courier Funai Young Researcher Encouragement Award” for his research article “Anonymous On-Demand Position-based Routing in Mobile Ad-hoc Networks”. He completed an M.Sc. and a B.Sc.(Hons) in Computer Science, securing first class first with distinction marks in both the M.Sc. and the B.Sc.(Hons). He was awarded a “Gold Medal” for his results of excellence.

Dr. Mizanur Rahman has over 30 peer-reviewed journal and international conference publications. He is a member of IEEE and ACM. His research interests include cryptography and privacy, network security, anonymous communication, sensor and mobile ad-hoc network security, algorithms, secure data exchange in P2PDBMS, WiMax security, secure computation in a distrusted environment, RFID and smart grid security.

Dr. Khalil El-Khatib was an assistant professor at the University of Western Ontario prior to joining the Faculty of Business and Information Technology, University of Ontario Institute of Technology, in July 2006. Between 1992 and 1994, he worked as a research assistant in the Computer Science Dept. at AUB. In 1996, he joined the High Capacity Division at Nortel Networks as a software designer. From Feb. 2002, he worked as a Research Officer in the Network Computing Group (later renamed the Information Security Group) at the National Research Council of Canada for two years, and continued to be affiliated with the group for another two years. His research interests include:

  • security and privacy issues in wireless sensor networks and in mobile wireless ad hoc networks (MANETs),

  • cloud computing,

  • biometrics,

  • ubiquitous computing environments (smart spaces),

  • E-health,

  • IP telephony,

  • feature interaction for VoIP,

  • QoS for multimedia applications, and finally,

  • personal and service mobility.
