Keywords

1 Introduction

1.1 Motivation

With the development of sensor devices and wireless networking, wireless sensor networks (WSNs) have been widely used in a variety of areas. For example, WSNs can be deployed for structural health monitoring, habitat monitoring, pipeline monitoring, greenhouse monitoring, temperature and humidity monitoring [1], so and so forth. Once sensor nodes are deployed in a particular environment, it is often desirable and necessary to update or install software because of software bugs or new requirements. However, it is often difficult to reprogram sensor nodes one by one by hand, so some efficient reprogramming protocols need to be used. Many reprogramming protocols have been proposed to solve this problem, such as [25], but none of them took security issues into consideration. Since WSNs are often deployed in unguarded harsh circumstances, it is vulnerable to attacks. Wireless network is an open system, so it is easier to be accessed than traditional network. Thus, the security of reprogramming in WSNs should not be ignored.

To ensure the security of reprogramming in WSNs, the proposed schemes should consider how to authenticate the sender, how to verify the integrity of updated program images and how to receive the code images efficiently. Moreover, some special application environment also requires high confidentiality in sending message. For example, in human health monitoring applications, the code image may be tapped by adversaries through wiretapping and analyzing of the program images [6]. To ensure the privacy of code images, many schemes exploit symmetric and asymmetric encryption algorithms. Due to the resource constraint of sensor nodes, it is inefficient to use asymmetric encryption algorithms to encrypt code images. To acheive relatively high confidentiality of updating program images, using noisy ciphertexts can be an appropriate choice, which makes the cryptanalysis by eavesdropper more difficult [7]. Since digital signature is an expensive operation [8], it is easy to be attacked by adversaries through repeatedly sending bogus data with fake signatures. And this authentication may exhaust sensors power rapidly. To mitigate such DoS (Denial-of-Service) attacks, a weak authentication as the first safety defense is proposed in some works [811]. However, if the malicious or faked packets only make up a very small proportion of the total packets in WSNs, the scheme using weak authentication mechanism may consume much more energy than those directly authenticating digital signature. In addition, packets received out of order in WSNs are pretty common, an effective scheme should take this into consideration. The goal of our work is to propose a novel approach to ensure high confidentiality, out-of-order tolerance, DoS-resistance as well as energy saving in code image dissemination.

1.2 Our Approach and Contributions

In this paper, we propose a novel enhanced security scheme which is tolerant to wiretapping attacks of reprogramming in WSNs. To enhance the confidentiality of updated program images, we exploit the encode-then-encrypt paradigm, using simple and effective XOR operation to encode original data. At the same time, we introduce multiple one-way hash chains to enhance the confidentiality of data dissemination in WSNs. A one-time pad is one of the most secure encryption methods; each time a sensor node can decode packets with a key. Even if attackers can acquire the former key, it is impossible to decode the packet next time. Thus, our approach can enhance the confidentiality of code image. Moreover, we propose a simple and efficient way to decode using XOR operation, which will cost less memory than other approaches such as AdapCode [5].

Motivated by [7, 1214], we propose a novel encode-then-encrypt scheme to enhance the security and provide efficient performance at the same time. The advantage of encode-then-encrypt scheme is that even if a wiretapper is in a known plaintext attacking scenario, he or she can learn only a noisy version of the data and keystream, so it becomes more complex to perform the cryptanalysis of the employed keystream generator [12].

To resist DoS-attacks against signature packets, many existing protocols mitigate these attacks using weak authentication as the first defense. And they all assume that the sensor networks have already been attacked by adversaries. However, in most of the time, there are no adversaries in sensor networks. Even if an adversary sends fake packets to the networks, it needs time to collect some useful messages or to compromise some nodes. In addition, such weak authentication will consume a lot of time and energy on the sender side [10]. Thus, in this paper, we put forward a mechanism that randomly adjusts the time to reboot the weak authentication defense to prolong the lifetime of the network. The details of this mechanism will be illustrated in Sect. 4.

The rest of this paper is organized as below. In Sect. 2, we give a brief review of related work in this area. Section 3 illustrates the background of our scheme. Our approach will be introduced in Sect. 4. Section 5 analyzes the security features of our proposed scheme. Finally, we give a conclusion of our work in Sect. 6.

2 Related Work

In this part, we briefly review the previous work in reprogramming WSNs. Researches in this field can be roughly classified into two types. One is basic reprogramming protocols and the other is security-enhanced protocols.

2.1 Basic Reprogramming Protocols

Reprogramming protocols play an important role in WSNs. After sensor nodes deployed in a given field, it is often difficult to change the software by hands. Thus, using reprogramming techniques is one of the best choices, as we can modify or install the software whenever we need. To provide such functionality, many protocols and schemes have been proposed. Among them Deluge [4] acts as the de facto standard. Deluge exploits Trickles [15] epidemic method to propagate data and maintain sensor nodes states. In Deluge, code image is divided into fixed pages and each page is further divided into fixed sized packets. Thus, Deluge sends code image packet by packet, and only if a page has been completely received, the sensor node can forward this page. This way can reduce the communication collision.

Other well known reprogramming protocols are MNP [3], MOAP [2] and AdapCode [5]. MNP is similar to Deluge. They both use negotiation mechanism to maintain effective code image dissemination. Compared with Deluge, MNP adds a sleep state which saves energy when there is no code image to be transmitted. MAOP exploits publish-subscribe mechanism to propagate code image around the neighborhood sensor nodes. In order to simplify the control about each code image, MOAP does not use pipeline mechanism. Thus, the snesor nodes using MOAP protocol cannot transmit any subsequent code image before having received the full program updates.

2.2 Secure Reprogramming Protocols

To ensure the security of reprogramming in WSNs, many schemes concentrated on the authentication and integrity of code updates. Sluice [16] adopted hash-chain and a single digital signature to ensure the authentication and integrity of code image. In Sluice, a sensor node first receives a signature and then it can leverage this signature to authenticate the first page and then use the hash value of the next page to authenticate the next page. Later, based on this work, Kim et al. proposed a symmetric cryptography mechanism called Castor [17] to reduce the computation load. Different from Sluice using digital signature to authenticate a code image, they adopted MACs to verify the source of code image. However, both of the schemes authenticate code image page by page. If one page is invalid, the whole page is discarded. This is inefficient in pipelining mechanism of code updates, because a page will be broken into fixed size packets and it is very common to lose some packets in harsh environment. Also, they take no consideration of code image privacy, which is pretty important in some harsh field such as military field, the code image should also be kept secret.

Shaheen et al. [18] suggested a one-way key chain to encrypt the code image. The main idea of the scheme is to use sequential keys to encrypt the propagation data. The propagation data is composed of the original segmented data and the next key of the encrypted key. Thus, the receiving sensor node can use the previous key to reveal the data as well as successor key. And then this new key can be used to decrypt the subsequent packet and get the next key. After iterating this procedure, the entire image can be received. However, this scheme is based on one-hop network reprogramming and only when the previous packet is correctly received can the next packet be decrypted.

Dutta et al. exploited a hash chain to bind each packet of the whole image code [19]. They first authenticate the advertisement packet which contains the hash value of the first packet and then use this hash value to authenticate the second packet, and so on. However, if packets arrive out of order, they have to wait and request the lost packet which will consume a lot of time and energy.

Seluge [11] exploited a weak authentication called specific message puzzle to resist Dos attacks based on digital signature authentication. However, it assumed that the networks have been attacked by adversaries. Thus, no matter there are adversaries or not, all received packets have to be authenticated first using such weak authentication, which will consume more energy of sensor nodes and decrease the lifetime of networks as each sensor node has limited power.

Tan et al. proposed a hash chain to encrypt the code image packets and combined CP (i.e. Cipher Puzzle) to provide a weak authentication to mitigate DoS attacks [8]. However, this approach has the same problem of [18] that need to receive packets in order.

Since sensor nodes have limited resources such as energy and memory, it is often inefficient to use asymmetric cryptography algorithms (such as RSA [20]). And symmetric cryptography algorithms have a fatal weakness that they use the same key for both encryption and decryption. However, using encoding mechanisms can mitigate such a drawback [12]. There are two main methods in WSNs to encode data image packets. One is fountain code and the other is network coding. Both of them adopt XOR operation to encode packets. Moreover, their encoding and decoding mechanisms sometimes are too complex for sensor networks. For example, in [21] and [5] both have to wait for sufficient packets received and use Gaussian elimination to decode. However, the communication complexity of Gaussian elimination is \(O(n^2)\), where n represents the number of packets. Thus, it will consume significant power resources to decode. In contrast, this paper only introduces the encoding idea of the two approaches to construct an effective encoding scheme. Even if an adversary can get a key to decrypt the code image, he or she still does not know the original program as not knowing the encoding scheme. However, sensor nodes can easily decode to get the original data image as the mechanism is easy to compute.

Fig. 1.
figure 1

One-way hash chain

Full size image

3 Background

3.1 One-Way Hash Chain

One-way hash chain is based on a hash function h (.) with the feature that it is very easy to compute the hash value, whereas one can hardly calculate its inverse function \(h^{-1} (.)\). That is to say that for an arbitrary x, it is easy to calculate \(y = h(x)\). However when we know the value y, it is difficult to get \(x = h^{-1}(y)\). And one-way hash chain (as shown in Fig. 1) is a sequential number of hash values which is generated by using h(.) several times.

Fig. 2.
figure 2

An example of Merkle hash tree: Where \(e_1\), \(e_2\), \(e_3\) and \(e_4\) are the hash value of packet \(P_1\), \(P_2\), \(P_3\) and \(P_4\) respectively. \(h(e_{1-2})= h(e_1\Vert e_2)\), \(h(e_{3-4})= h(e_3\Vert e_4)\) and \(h(e_{1-4})= h(e_{1-2}\Vert e_{3-4}).\)

Full size image

3.2 Merkle Hash Tree

The main idea of Merkle hash tree is to build a tree structure based on a hash function h (.), the leaf nodes are the data items which can be verified through its authentication path information. Merkle hash tree is often combined with digital signature to verify code image packets sources. For example, consider a receiver sensor node wants to authenticate packets \(P_1\), \(P_2\), \(P_3\) and \(P_4\). The base station first uses hash function H(.) to build a Merkle hash tree as shown in Fig. 2. Later, the base station will use its private key to sign the root packet \(r = e_{1-4} \) to get signature packet s = \(SIG_{K_{pr}}\) \((e_{1-4})\). The base station first disseminates the root packet, and the receiver nodes verify it with the base stations public key \(K_{pb}\) to test the function \(Ver_{K_{pb}}(r,s)\). If the answer is positive, the root packet is received and used to test other authentication path in the tree. Otherwise, the packet is discarded. When a sensor node receives an authentication path \((P_1\Vert e_2\Vert e_{3-4})\) (“\(\Vert \)” denotes concatenation operation), this node can promptly verify \(P_1\) by checking whether \(h ( h( h( P_1)\Vert e_2 )\Vert e_{3-4})\) equals to \(e_{1-4}\).

4 Our Approach

Our scheme contains three phases: System initialization, Packets processing and Packets verification.

4.1 System Initialization Phase

This algorithm introduces a one-way key chain (as shown in Fig. 1) to ensure the confidentiality of code image. It is easy to calculate pseudo-function F (.), but the inverse computation is pretty difficult. The base station first chooses a one-way hash function F(.) such as SHA1 and generates a public key \(K_{pb}\) and the corresponding private key \(K_{pr}\) using a digital signature algorithm such as ECDSA. Then, the base station generates multiple one-way key chains (as shown in Fig. 3) according to the size of code image. For example, a code image contains n pages and each page has m packets. So, the base station will generate an n-way hash chain and the length of each chain is m. To create an n-way hash chain, the base station generates n nonce, and each nonce re-applies m times pseudo-function F (.) to create the multiple one-way key chains.

Before WSNs are deployed in the environment, each sensor node will be preloaded hash function F (.) to authenticate the elements of each hash key chain. In addition, the generated public parameters should be installed in each sensor node.

\(K_i = F (K_{i+1})\), where \(0<i<m\) and \(m\le b\).

Fig. 3.
figure 3

Multiple one-way key chains: Each key chain is constructed by a random number and a one-way hash function. The value of m and n are determined by the number of pages of each code image and the number of packets of each page

Full size image
Fig. 4.
figure 4

Code image packets processing in the base station

Full size image

4.2 Packets Processing

Before code image dissemination, the base station will process code image data packet by packet. In this paper, we consider Deluge as the base protocol and exploit Deluge’s pipeline mechanism. The whole code image will be divided into n fixed pages and each page contains m fixed packets (i.e. \(S_{img} = n\cdot S_{page} = n\cdot m\cdot S_{pkt}\)). To store and process each packet and page more conveniently, n and m need to be integer power of 2 (i.e. \(n= 2^i, m = 2^j\), where i and j are integer). To get a relatively high cryptographic strength, we propose an encode-then-encrypt scheme with a light-weighted XOR operation to packets before encryption. Since each page contains m packets, we first use XOR operation to generate m encoded packets.

The rule is as follows:

In page j, it contains m packets (i.e. \(Pt_{j,1}, Pt_{j,2}, Pt_{j, 3},...,Pt_{j,m-1}, Pt_{j, m}\)). The first encoded packet is produced by these m packets doing XOR operation one by one. That is \(P_{c1} = Pt_{j, 1}\bigoplus Pt_{j, 2}\bigoplus Pt_{j, 3}\bigoplus ... \bigoplus Pt_{j,m-1} \bigoplus Pt_{j, m} \). And other encoded packets are generated by \(m-1\) arbitrary packets doing XOR operation. Since choosing \(m-1\) elements from m elements has \(C (m, m-1) = m\) different situations, to reduce the calculation complexity, we use a parameter “salt” (value from 1 to m) to determine how to choose these \(m-1\) packets. For example, if salt equals to 1, that means the other \(m-1\) encoded packets in page j all contain \(Pt_{j, 1}\).

When getting m encoded packets, the base station will exploit n way key chains to encrypt these packets. Here, the encryption algorithm is AES. The first one-way key chain encrypts the first packet of each page and the second one-way key chain encrypts the second packet of each page. So, the \(i^{th}\) one-way key chain encrypts the \(i^{th}\) packet of each page. For example, \(K_{1,0}\) encrypts \(Pt_{1,1}\) and \(K_{1,1}\) encrypts \(Pt_{2,1}\) and so on (as shown in Fig. 4).

Fig. 5.
figure 5

The construction of page 0: When each page contains 48 packets and the leaves of the tree is 4, the hash packets of page 1 can be used to created 4 leaves of the Merkle hash tree. Thus, \(V1 = h(E(Pt_{1,1}||K_{1,1}))||h(E(Pt_{1,2}||K_{2,1}))|| \cdot \cdot \cdot ||h(E(Pt_{1,12}||K_{12,1}))\). V2, V3 and V4 also contain the concatenation of other 12 hash packets of the page 1. And \(e_i=h(V_i), 1 \leqslant i \leqslant 4\).

Full size image

Then, the base station will use the encode-then-encrypt packets of the first page to construct a Merkle hash tree (as shown in Fig. 5). This hash tree will help sensor nodes to authenticate packets based on digital signature which can ensure the identity of the sender. We have illustrated how to construct and authenticate this tree in Sect. 3.

4.3 Packets Verification

Each sensor node in Deluge contains three phases (Maintenance-Request-Transmit), so three types of packets should be authenticated: Advertisement packets, Request packets and Code image Packets.

When receiving a data packet:

(1) Test timestamp

Check whether the timestamp has expired, if so just discards this packet.

(2) Test signature packet

If this packet is a signature packet, comparing the version number with current version. If the version number is larger than the current one, receive this packet; otherwise discard it.

Here, we set a parameter called F_Count to count the failures of authentication of digital signature packets. And we set the failure threshold times of signature authentication as F_MAX. When receiving a digital signature packet, we first just verify it directly. If it fails, F_Count increase by 1. If the value of F_Count is larger than F_MAX, the sensor node regards it as an attack action and reboots the weak authentication to resist such DoS attacks. Moreover, our scheme will adjust the value of F_Count according to the successful authentication of digital signature. If the verification is successful and F_Count is larger than 1, the F_Count will decrease by 1. And when the value of F_Count equals to ZERO, the mechanism restores to its original state. Thus, our scheme can automatically adjust the defense methods, which will reduce the consumption of the energy and prolong the lifetime of the networks.

But how can we choose this threshold? We assume that malicious packets arrive as Poisson process, so we can adjust this threshold according to the probability and the collected data. In order to select an appropriate threshold for F_MAX, one should investigate the failure times of digital authentication in a specific time (such as one month). Thus, we can calculate the expectation of the failure times in normal situation. And this expectation can be set as F_MAX.

(3) Test Request packets

In our scheme, we use cluster keys for local request packets authentication which is similar to Seluge’s local broadcast authentication. However, we add an additional array for this authentication which is a public parameter in each sensor node. The array in each sensor node records the number of requests of requesters. When one requester sends the same request packets more than a particular times, the sensor node will just ignore the request from this requester in a specific time period. As a result, even some sensor nodes have been compromised to pretend to be neighbors, they will be discovered. Hence, the request-based DoS attacks cannot destroy the entire networks.

(4) Test code image packets

If the node listens to the image summary is what recently received, it will adjust the Trickle listening interval. This can save node power.

If the version number of the received data is less than the current version number, it will propagate packets it has already stored.

Otherwise: We note the root packet as t and the signature packet as s. The first step is to receive t and then verify whether \(Ver_{K_{pb}}(r,s)\) is true. If the answer is yes, that is to say t is a valid packet. And then verify the authentication path packets of Merkle hash tree according to the structure of this tree. The details can be seen in Sect. 3.2. As page 0 is constructed by the hash packets of page 1 packets, the authentication of page 0 can be used to authenticate page 1. And then following the procedures, the whole source pages are received using the Algorithms 1 and 2. Since our scheme exploits encode-then-encrypt method to process source packets, we use decrypt-then-decode method to recover source packets.

figure a

Algorithm 2: Decoding algorithm

figure b

5 Performance and Analysis

5.1 Performance of Encode-then-encrypt

To test whether our scheme is efficient, we use a testbed composed Telosb, a TinyOS [22] supported hardware. Each sensor node contains a 8-MHz, 16-bit MSP430 microcontroller, 10-KB RAM, 48-KB ROM and 1-MB flash Memory. Here, each sensor node uses an AES algorithm as the underlying encryption algorithm and we test the impact of packet size on propagation delay. From Fig. 6, it can be seen that our scheme has a slight influence on the execution time. Thus, the proposed scheme is light-weighted. Moreover, from the experiment result, we can see that different size of data block has different influence on propagation delay. For example, when the size of data block is smaller than 36 bytes, it can be found that this effect to be small. So we can choose an appropriate pipeline scheme which is secure and light-weighted.

Fig. 6.
figure 6

Code image packets encryption propagation delay

Full size image

5.2 Enhanced Confidentiality with Light-Weighted Mechanism

We use an encode-then-encrypt mechanism to enhance the security of code image dissemination. Our security scheme can enhance the resistance against traffic analysis and brute force cryptographic. If the eavesdropper does not get the decryption key, he or she can only analyze the data traffic or use brute force to decrypt the encrypted message. Thus, the strength of this encode-then-encrypt process is measured by the amount of computations that a wiretapper needs to retrieve the plaintext from the ciphertext. If a wiretapper needs at least \(2^{64}\) computing operations to decrypt the source code image, we note that the strength is 64-bit. Because of the encoding process, our scheme can enhance the security strength of this process. For example, if one code image page consists of 2 packets and each packet contains 32-bit data, the parameter salt is 32. When a wiretapper gets the first bit of the ciphertext, he or she not only needs to decrypt the ciphertext but also needs to decode the coding text. Since we use XOR operation to encode the packets, when the first bit is 0 it cannot tell whether this bit is 0 or 1 originally as \(0 \bigoplus 0 = 0\) and \(1 \bigoplus 1 = 0\). In this encoding situation, the security strength is 32-bit. However, in a pipeline reprogramming scheme a page may contain \(n (n\geqslant 2)\) packets. Thus, our scheme can largely enhance the confidentiality with this light-weighted mechanism.

5.3 Efficiency and Resistance to DoS Attacks

In WSNs, packets arriving to sensors are a probabilistic event. Here, we assume that it follows Poisson distribution. So, not all of the packets arriving to sensors are coming from malicious nodes. However, almost all the security scheme with weak authentication to resist signature based DoS attacks assume that all the packets received are fake packets. Although some earlier works pointed out that such weak authentication (such as message specific puzzle in [11] and Cipher puzzle in [8]) is efficient to the receiver, it will consume a lot of energy and resources in senders. Thus, such weak authentication will lead to reduced lifetime of the networks.

Our approach modifies the scheme to reboot weak authentication according to the attack action in networks. Attackers in sensor networks are very different, some attackers only wiretap the code image message. Thus, we propose a method to save energy when there is no DoS attack against sensor networks. However, if an attacker launches DoS attacks against signature packets, we can react to this action promptly and reboot weak authentication to prevent this attacks. So, our scheme is more efficient than any other schemes which ignore this situation.

5.4 Out of Order Tolerance

Due to the collision of multiple senders in WSNs, out of order of packets dissemination often occurs. It will take a lot of resources and energy to deal with these packets especially in lossy channels. Thus, it is very helpful to tolerate packets received out of order. Our scheme exploits multiple one-way key chains to encrypt code image packets. Moreover, the first one-way key chain encrypts the first packet of each page and the i-th one-way key chain encrypts the i-th packet of each page. Thus, to decrypt the packets of the same page does not rely on each other, but only rely on packets of the previous page. Moreover, in Deluge a receiver node receives the next page only after all the packets of the previous page are received. So, our scheme is very appropriate to Deluge-based scheme.

5.5 Integrity and Data Freshness

The code image packets integrity can be ensured by digital signature and multiple one-way key chains. Before authenticating page 0, the base station first sends digital signature to each sensor node, which can be verified by the public key installed in sensor nodes. Since the digital signature packet can hardly be faked, the receiver can correctly authenticate page 0. The Merkle hash tree contains the hash message of page 1, so page 1 can be verified after authenticating the hash value. The later page can be authenticated with the multiple key chains. Thus, our scheme can ensure the integrity of code image program. In our scheme, when correctly receiving a packet, the key in the last page can be dynamically updated. Thus, adversaries cannot transmit the old version packets and launch replay attacks. Therefore, our scheme can ensure the freshness of each code image packet.

6 Conclusion

In this paper, we have proposed a novel and light-weighted scheme to ensure code image privacy and, at same time, resist DoS attacks against sensor nodes. To ensure the confidentiality of code image packets, we construct an encode-then-encrypt scheme. Our work is different from others in two main aspects. On one hand we exploit encode-then-encrypt mechanism to ensure confidentiality of code image dissemination. Unlike other encoding methods which need high computation to decode packets, such as Fountain codes [23] and network coding [24], we use a relatively simple rule to decode packets which is determined by the number of pages of code image and the random parameter salt. On the other hand, we manipulate multiple one-way key chains to encrypt code image packet by packet. This ensures that out-of-order packet delivery is tolerable, which is desirable in lossy channels.