Secure and Lightweight Key Distribution with ZigBee Pro for Ubiquitous Sensor Networks

We propose a secure and lightweight key distribution mechanism using ZigBee Pro for ubiquitous sensor networks. ZigBee consumes low power and provides security in wireless sensor networks. ZigBee Pro provides more security than ZigBee and offers two security modes, standard security mode and high security mode. Despite high security mode, ZigBee Pro has weakness of key distribution. We use enhanced ECDH for secure key distribution in high security mode. Our simulation results show that the energy consumption of our approach decreases and the average run time is decreased by 39%. Moreover, the proposed scheme enhances security, that is, confidentiality, message authentication, and integrity. We also prove that the proposed key distribution can resist man-in-the-middle attack and replay attack.


Introduction
Various sensors in a sensor network technology are located within wired/wireless network infrastructures. Spatially distributed autonomous sensors monitor physical or environmental conditions such as temperature, humidity, sound, vibration, pressure, and motion and pass their data through the wired/wireless network to a base station. Sensor network technology has been utilized in monitoring military, home automation, and health care systems, as well as agriculture and weather conditions. Sensors have limited memory and throughput capacity for wireless sensor networks. Therefore, limitations of the sensor itself and the underlying vulnerability of wireless communication with the sensors must be considered. In addition, sensed and transmitted data in each field are usually private information or important authentication information. Thus, security is to be applied in most cases. For this, ZigBee [1] provides a low power consumption and security standard-based protocol for applications on wireless sensor networks. ZigBee was developed to address the following  [6] is a key exchange algorithm, the wellknown Diffie Hellman [11] key agreement based on ECC (Elliptic Curve Cryptography) [12]. ECDH is important in modern protocols as a key exchange and can be adopted for ECC. Figure 1 shows the key exchange process.

ECDH. ECDH
Consider two parties, and , willing to exchange a common secret key. Both have agreed to a common and publicly known curve over a finite field, as well as to a base point . User randomly chooses , 1 < < 2 and User accordingly , 1 < < 2 . User computes a public key = , User B does = . User A sends to User , User sends to User . User computes the shared secret key by = and User B also by = [13]. An eavesdropper knows only and but is unable to compute the secret key from this. However, vulnerability of ECDH has no authentication [14] and no prevention of manin-the-middle attack [15].  standard security mode. For this, we apply ECDH for secure Network key generation and transmission and sub-MAC mechanism for message authentication and integrity. We proved that our scheme could provide efficiency by achieving a similar run time and similar energy consumed in standard security mode [16].

High Security Mode.
If the Trust Center does not already share a Master or Link Key with the newly joined device, Figure 2 shows the high security mode authentication procedure of ZigBee Pro.
The Symmetric-Key Key Establishment (SKKE) protocol is a process in which an initiator device (Trust Center) establishes a Link Key with a responder device (Joiner) using a Master Key. The next step is an entity authentication process between Router and Joiner.
As in standard security mode, Update-Device Command and Secured Transport-Key Command are encrypted with Master key, but Transport-Key Command sent from the Router to the Joiner is not secure. This has a security issue.
The MAC scheme is used for key confirmation in SKKE. The first 128 bits of keying data shall be a Mac Key and the second 128 bits shall be a Link Key during Mac Key generation. After SKKE, the Network Key is securely transmitted using the Master Key.
We propose a procedure to ensure key secure distribution as shown in When the Trust Center receives an APSME-UPDATE-DEVICE.request message, the Trust Center generates an for secure Master Key and nonce , and sends , , , sub-MAC( , , ) to the Joiner. The Joiner generates sub-MAC( , , ) to compare the transmitted sub-MAC( , , ). If they match, the Joiner confirms that the transmitted message has not been modified. Otherwise, the Joiner discards the transmitted message. If the check is successful, the Joiner computes = , and computes using the Matyas-Meyer-Oseas (MMO) hash function [17]. The 160-bit becomes a 128 bit Network Key, . A sub-MAC [7] is constructed by selecting some bits of an HMAC. We reduce the overhead by transmitting only a part of the actual HMAC, rather than the entire HMAC using sub-MAC. Sub-MAC guarantees message integrity and authentication. Our research selects 8-bits of 16 bytes. We assume each node has the same PRNG (Pseudo Random Number Generator) [18].
Joiner Next, the generated Master Key encrypts +1 , and the result, ( +1 ) is sent to the Joiner to check message integrity and announce successful Master Key generation. The Joiner decrypts the ( +1 ) with the Master Key and checks the +1 to verify secure Master Key generation. If successful, the Trust Center and the Joiner perform the next step, SKKE, to establish a Link Key.

Simulation and Results
The Qualnet simulator was used to evaluate the performance of the proposed scheme. Our research uses Qualnet 4.5 [19] with sensor network libraries based on the ZigBee protocol and additional protocols.
We composed one clustering network structures. The clusters were composed of 15 nodes. Node 1 is a Joiner, node 16 is a Router, and node 8 is a Trust Center.

Efficiency Analysis of Enhanced Key Mechanism.
We propose an enhanced key distribution scheme using ECDH for secure and lightweight key distribution and sub-MAC to overcome the vulnerability of ECDH. The simulation was performed ten times in each of the previous four procedures with Trust Center, Router, and Joiner.
First, we performed the key generation in standard security mode and high security mode, proposed key distribution in standard mode (Standard ECDH), and proposed key distribution in high security mode (High ECDH). Figure 4 shows the total run time measurements.
The average run time of the standard security mode is 0.5156 seconds, and for proposed key distribution in standard mode (Standard ECDH) it is 0.5778 seconds; the difference is 0.0622 seconds. When this value is compared to the average run time of standard security mode, it adds 12%. However, the difference, 0.0622, is slight in terms of the figure and compared to the enhanced security.
The  value is compared to the average run time of high security mode, it is decreased by 39%. It also provides enhanced security. Next, we measured energy consumption in Joiner (Node 1), Router (Node 16), and Trust Center (Node 18). Figure 5 shows average energy consumption in transmit mode. Figure 6 shows average energy consumption in receive mode. The average energy consumption of each node for transmit mode and receive mode is similar. Table 3 details the values. When the proposed key distribution in security mode is compared to the standard security mode, it consumes more energy. Especially, the receive mode of the Trust Center (N18-R) shows the maximum difference, 0.001447 mJoule. However, the Trust Center has sufficient capacity and energy, so this difference is negligible. The second difference is 0.001412 mJoule in the receive mode of the Joiner (N1-R). The sensor node uses two AA alkaloid batteries. An AA alkaloid battery contains a maximum of 3000 mAh, so the total energy is 6000 mAh. The formal voltage of an AA battery assumes 1.5 volts. The amount of eletric power is 9 Wh, products of 6 Ah and 1.5 V, and this is converted into 32,400 J, 3600 X 9 (J) [20]. The difference is slight compared to 32,400 J.
The energy consumption of the high security mode and proposed key distribution in high security mode (High ECDH) is similar. The energy consumption of proposed key distribution in high security mode (High ECDH) decreases, except for the transmit mode of the Joiner (N1-T) and the receive mode of the Router (N16-R). Moreover, the proposed scheme enhances security.

Security Analysis
In this section, we analyze our enhanced key distribution for ZigBee Pro that provides security properties and resists some general attacks. ZigBee Pro is vulnerable in the case of key distribution in two security modes. ECDH cannot prevent man-in-the-middle attack and does not provide authentication. However, our proposed scheme overcomes these vulnerabilities and enhances security. Our scheme could resist man-in-the-middle attack, replay attack, and  ensure confidentiality of keys, message authentication, and message integrity [16]. We assume that an attacker does not know the sub-MAC method. Therefore, even if the attacker knows the Joiner's private key b, he/she cannot make the sub-MAC message. If the attacker tries to make the sub-MAC message, the probability of failure enhances because the attacker does not know how to create a sub-MAC message using Master Key. Additionally, there is a public key infrastructure (PKI) 6 International Journal of Distributed Sensor Networks system. The Trust Center assures the private key using the received public key through a certificate authority (CA). The security of a MAC scheme can be quantified in terms of the success probability achievable as a function of total number of queries to forge the MAC [21]. The security of a -byte MAC is quantified as 2 ( ×8) because an intruder has a 1 in 2 ( ×8) chance in blindly forging the MAC. To increase the security of a MAC, its size should be increased. Increasing the size of the MAC also increases the communication overhead [22]. Our sub-MAC selects 8 bits of 128 bits. Therefore, the security of the sub-MAC is 28. Hence, the possibility that the false data are not detected by a sub-MAC is 1/2 8 (=0.0039). Moreover, the communication overhead is reduced by 1/16 (=0.0625). Consequently, the size of the sub-MAC is directly related to the strength of the security and the communication overhead. A balance needs to be achieved between the desired security level and the transmission overhead [7].

BAN Analysis.
BAN logic (the Logic of Authentication of Burrows, Abadi and Needham) [23] is widely used and studied in formal analysis due to its simplicity and efficiency. The BAN logic is a model logic based on belief and can be used in the analysis and design of a cryptographic protocol. The use of a formal language in the analysis and design process can exclude faults and improve the security of the protocol.

Basic Notations.
The symbols , , , and are principals involved in this sort of key agreement protocol: represents a good session key for communication between and [24].
| ≡ : Principal believes . believes as if is true.
⊲ : sees . principal has sent a message containing . | ∼ : Principal once said . at some time believed and sent it as part of a message. ⇒ : Principal has jurisdiction over . Principal has authority over and is trusted in this matter.

#( ):
The formula is fresh. That is, has not been sent in a message at any time before the current run of the protocol. A message that is created for the purpose of being fresh is called a nonce.

←→
: and may use a shared key to communicate. The key is good and will always be known only to and and to any other principal trusted by either of them. { } : is encrypted using key .

Inference Rules.
Message Meaning Rules for shared keys: If principal believes that key is shared only with principal and sees a message encrypted under a key , it believes only with principal . may conclude that it was originally created by who once said its contents.

Jurisdiction Rule is as Follows
If believes that believes and also believes that has jurisdiction over , then should believe too.
Nonce Verification Rule is as Follows: If believes that is fresh and that once said , then believes that has said during the current run of protocol and hence that believes at present. In order to apply this rule, should not contain any encrypted text. The nonce verification rule is the only way of "promoting" once said assertion to actual belief.

BAN Analysis of the Proposed Key Distribution Initialization Hypothesis is as Follows
(1) Trust Center |≡ TC.
According to the formalization analysis, we can get the conclusion that the proposed key distribution can resist manin-the-middle-attack and replay attack.

Conclusion
This work proposed an enhanced key distribution scheme using ECDH and sub-MAC for efficiency and security. We have applied ECDH for secure key distribution and improved vulnerability of ECDH, using sub-MAC and nonce for message freshness and integrity.
We compared ZigBee Pro to the proposed scheme. We proved that our scheme could provide efficiency by achieving a shorter run time and lower energy consuming in high security mode. Security analysis proved our scheme could resist man-in-the-middle attack, replay attack, and provide confidentiality, message authentication, and integrity. Consequenly, the proposed scheme provides lightweight and secure key distribution compared to ZigBee Pro. We are going to experiment our proposed scheme with ZigBee devices in future work.