Sage Journals: Discover world-class research

Abstract

Nodes in a sensor network may be lost because of power exhaustion or malicious attacks. To extend the span of sensor network, new nodes deployment is necessary. To prevent malicious nodes from joining the sensor networks, access control is a designed requirement for controlling sensor node deployment. Based on elliptic curve cryptography (ECC), this paper presents a new access control protocol for secure wireless sensor networks. The proposed scheme not only prevents malicious nodes from joining sensor networks, but also key establishment is included in the authentication procedure. Compared to the previously proposed schemes, the authentication procedure and common key generation of the proposed method are very simple and efficient. It could offer computational efficiency, energy, and bandwidth savings. In addition, it can be easily implemented as a dynamic access control, because all the old secret keys and information in existing nodes should not be updated once a new node is added or an old node is lost.

1. Introduction

Wireless sensor networks applied to the monitoring of physical environments have recently emerged as an important infrastructure. It usually consists of one or more base stations and lots of sensor nodes, which are densely deployed either inside the phenomenon or very close to it. To save manufacturing, a sensor node is usually built as a small device, which has limited memory, a low-end processor, and is powered by a battery [1]. The position of sensor nodes need not to be engineered or predetermined. This allows random deployment in inaccessible terrain or disaster relief operations. Therefore, sensor networks are being deployed for a wide variety of applications, including military sensing and tracking, patient monitoring, and environmental monitoring, and airport and home security [1, 2]. Owing to the property of sensor devices, sensor networks may easily be compromised by adversaries who modify messages or provide misleading information to other sensor nodes. To prevent information and communication systems from illegal delivery and modification, the receiver must authenticate messages transmitted from the sensor nodes over a wireless sensor network.

Because of the sensor devices, after several days or weeks of operation, some nodes in the network may exhaust their power or lost. That is, nodes in a sensor network may exhaust their battery or be stolen by malicious attacks. In addition, some nodes may be destroyed by adversaries so that the entire network may become useless. To extend the lifetime of the sensor network, new node deployment is necessary. However, an adversary can also deploy malicious nodes into the network for eavesdropping purposes or insert false reports. Hence, a new node should prove that it is a legitimate node through the authentication.

Today, the practical option for the distribution of keys to the sensor nodes of wireless sensor networks rely on key predistribution. That is, keys are preinstalled in the sensor nodes, and the nodes having a common key are provided with a secure connection between them. One solution is all the nodes carrying a master secret key. Any pair of nodes can use this master key to achieve key agreement and obtain a new common key [3]. This procedure does not exhibit network resiliency: if the master secret key is compromised by one node, the security of the entire sensor network will be compromised. Recently, many key predistribution schemes were proposed to protect sensor networks [4–8]. They provide that any pair of sensor nodes can find a common shared key between them with simple calculations, and this common key is pairwise. Then, it could reduce the risk of the entire sensor network. However, the above-mentioned key predistribution schemes cannot be easily implemented as a dynamic access control, because all the old secret keys and information of existing nodes should be updated once a new node is added.

To prevent malicious nodes from joining the sensor networks, access control is required in the design for controlling new nodes deployment. Some approaches [9, 10] try to detect malicious nodes after they join the sensor networks, but adversaries can still attack the networks [11]. Besides, the authors in [12, 13] proposed key management protocols called LEAP and LEAP+ for sensor networks. They assumed that each sensor node can sustain a tolerance time interval before it is compromised. That is, the adversary cannot compromise a sensor node within a time interval. Their scheme can establish a pairwise key shared between any two neighboring sensor nodes by exchanging their identities. Later, Wang et al. proposed an access control for sensor networks [14]. In their scheme, they assume an offline certification authority (CA) that deploys an ECC cryptosystem and maintains a secret polynomial function f() of degree t. The basic idea of Wang et al.'s scheme is that usershave to be authenticated and endorsed by t local sensors before they can send the remote query. They develop a threshold endorsement scheme (inspired by the Shamir's secret sharing [15]) to perform the remote access control. Then, the secret polynomial function f() of degree t may not be flexibly updated for applications. To the best of our knowledge, recently, Zhou et al. [11] proposed an access control protocol based on ECC for sensor networks that are more efficient than those public key-based schemes. Their scheme can prevent malicious nodes from joining sensor networks at the very beginning, and key establishment is also included in their access control protocol. In their scheme [11], two sensor nodes may have the same bootstrapping time if deployed simultaneously. Besides, they also suppose that the adversary cannot compromise a sensor node within a time interval. It is the same assumption in [12, 13]. However, it is required to send twenty one transmissions in Zhou et al.'s authentication protocol [11]. The bandwidth consumption rates are quite demanding and likely to bottleneck in many applications.

Compared to RSA [16], it has been shown that 160-bit ECC provides comparable security to 1024-bit RSA, and 224-bit ECC provides comparable security to 2048-bit RSA [17–19]. Hence, under the same security level, smaller key sizes of ECC offer merits of computational efficiency, as well as memory, and bandwidth saving. Sensor nodes adopt 802.15.4 standard which allows a variable payload of up to 102 bytes [20]. Such a packet provides enough space to include digital signature for broadcast authentication [20]. Moreover, in Wang et al.'s experiment [14], they show that the public key-based protocol is more advantageous than the symmetric key in terms of the memory usage, message complexity, and security resilience. Therefore, based on ECC and the concept of Schnorr signature [21], this paper designs a simple access control protocol to prevent malicious nodes joining sensor networks, and key establishment is also included in the authentication protocol.

The new access control protocol uses the concept of timebound in which once time period has elapsed the sensor node in wireless network cannot access any data for future time period. It means that each node has its own expiration time of w, then the node can achieve authentication and communication to other nodes in the z time period if and only if the time period $z \leq w$ . Once the time period $z > w$ elapses, this node cannot achieve authentication and communication to other nodes for any useful messages. So, our access control in wireless sensor networks is constrained by the time period. Our purpose is to protect future messages. That is, the impact of the node compromises attack to be decreased or minimized. In the proposed scheme, it actually divides the total time into t time periods, starting with l. The time is not necessarily a real time. Compared with Zhou et al.'s scheme, the authentication procedure and common key generation of the proposed scheme are very simple and efficient for each sensor node. And it does not suppose that each sensor node can sustain a tolerance time interval before it is compromised. In addition, the proposed scheme can be easily implemented as a dynamic access control, because the old secret keys and information of existing nodes should not be changed once a new node is added. Comparing to Zhou et al.'s scheme, the proposed scheme could significantly reduce the overhead of communications for sensor nodes to achieve secure connectivity. It could offer more energy and bandwidth savings than Zhou et al.'s scheme.

The rest of this paper is organized as follows. In Section 2, this paper will introduce a new access control in sensor networks. The security analyses and the performance of the proposed scheme are discussed in Section 3. Some conclusions are given in Section 4.

2. The Proposed Scheme

At the very beginning of a network, a lot of sensor nodes are deployed in a designated area. New node deployment is inevitable, because nodes in a sensor network may be lost or destroyed. We assume that all sensor nodes have the same transmission range and communication with each other. And, the time during the wireless network is divided into t periods, numbered $1,2, \dots, t$ . For simplicity, we let t be an integer; that is, the system ends at time t. This maximum number of (expired) time period t should not be considered as a limitation of the system. For example, if each time period represents twenty minutes, then $t = 360$ denotes roughly five days. Using the concepts of Schnorr signature [21] and based on ECC, we will develop an access control method to prevent malicious nodes from joining sensor networks. Without loss of generality, the proposed method would accomplish two tasks. (1)

Node Authentication. a deployed node establishes its identity with its neighboring nodes and shows that it has the right to access the sensor network through authentication.

(2)

Key Establishment. through authentication, shared keys should be created between a deployed node and its neighboring nodes to provide secure communication. This guarantees that any two sensor nodes can find a common shared key between themselves. This shared key is pairwise. A shared key refers to the relationship between the node and one of its direct neighbors.

The proposed method consists of an initialization phase and an authentication and key establishment phase. The basic idea is stated as follows.

Initialization Phase

(1) Before a sensor network is deployed, the system (trusted center or base station) chooses a large prime number $q (q \approx 2^{160})$ and an elliptic curve $E_{q}$ (the elliptic curve E is over the finite field $F_{q}$ ); a cyclic group $G = 〈 P 〉$ of points over the elliptic curve $E_{q}$ , where P is the generator of the group and has an order n of at least 160 bits [17–19, 22]. It provides $P = O$ , and its point at infinity is O. Then, the system selects a secret key $x \in Z_{q}$ and computes the system's public key $Q = x P$ of the point over the elliptic curve $E_{q}$ . Next, the system (or base station) chooses a secure one-way hash function $h ()$ .

(2) Suppose that there are a number of v neighborhood nodes with identities ${N_{1}, N_{2}, \dots, N_{v}}$ in a designated area. For each node $N_{i}$ , the system (or base station) first generates a random number $r_{i}$ and the expiration time $w_{i} < t$ then computes the point $R_{i} = r_{i} P = (R x_{i}, R y_{i})$ and the value $s_{i} = r_{i} + c_{i} x mod q$ , where $c_{i} = h (N_{i} ∥ R x_{i} ∥ R y_{i} ∥ w_{i})$ . Next, the system preloads the elliptic curve $E_{q}$ , the system's public key Q, the generator P of the group $G = 〈 P 〉$ over the elliptic curve $E_{q}$ , one-way hash function $h ()$ , its expiration time $w_{i}$ , and the secret pair $(R_{i}, s_{i})$ to node $N_{i}$ , for $i = 1,2, \dots, v$ . Here, “ $∥$ ” is the concatenation of operation; $R x_{i}$ and $R y_{i}$ are the x-component and y-component of point $R_{i}$ , respectively.

Authentication and Key Establishment Phase

Suppose that the time period is T now. The processes of authentication and key establishment for two nodes $N_{i}$ and $N_{j}$ are described in the following steps.

Step 1.

The node $N_{i}$ generates a random number $t_{i}$ and computes the point $A_{i} = t_{i} P$ over the elliptic curve $E_{q}$ , then it sends $A_{i}$ and its identity $N_{i}$ to the node $N_{j}$ . Similarly, node $N_{j}$ generates a random number $t_{j}$ and computes the point $A_{j} = t_{j} P$ over elliptic curve $E_{q}$ then it sends $A_{j}$ and its identity $N_{j}$ to node $N_{i}$ . For security, the random numbers $t_{i}$ and $t_{j}$ cannot be reused.

Step 2.

After receiving $A_{j}$ , node $N_{i}$ computes a shared session key $K_{i j} = t_{i}^{} A_{j} = t_{i} t_{j} P = (K x_{i j}, K y_{i j})$ and $z_{i} = t_{i} + e_{i} s_{i} m o d q$ , where $e_{i} = h (N_{i} ∥ K x_{i j} ∥ K y_{i j})$ . Then, it delivers the signature $z_{i}$ , the expiration time $w_{i}$ of $N_{i}$ , and its point $R_{i} = (R x_{i}, R y_{i})$ to node $N_{j}$ . Here, $K x_{i j}$ and $K y_{i j}$ are the x-component and y-component of point $K_{i j}$ , respectively. Similarly, after receiving $A_{i}$ , node $N_{j}$ computes a shared session key $K_{i j} = t_{j}^{} A_{i} = t_{j} t_{i} P = (K x_{i j}, K y_{i j})$ and $z_{j} = t_{j} + e_{j} s_{j} mod q$ , where $e_{j} = h (N_{j} ∥ K x_{i j} ∥ K y_{i j})$ . Then, it also delivers the signature $z_{j}$ , the expiration time $w_{j}$ , and its point $R_{j} = (R x_{j}, R y_{j})$ to node $N_{i}$ .

To make sure that node $N_{i}$ is a legitimate node and confirms their shared session key $K_{i j}$ , node $N_{j}$ carries out the following steps. (1)

Node $N_{j}$ first compares $N_{i}$ 's expiration time $w_{i}$ with the broadcasted time period T from the system. If the expiration time $w_{i} < T$ then node $N_{i}$ is rejected and continued otherwise.

(2)

It computes $c_{i} = h (N_{i} ∥ R x_{i} ∥ R y_{i} ∥ w_{i})$ and $e_{i} = h (N_{i} ∥ K x_{i j} ∥ K y_{i j})$ .

(3)

It checks whether the equality $z_{i} P = A_{i} + e_{i} (R_{i} + c_{i} Q)$ holds, where Q is the public point of the system.

The signature is accepted if the answer is yes and rejected otherwise. In the same way, from the signature $z_{j}$ , the expiration time $w_{j}$ , and its point $R_{j} = (R x_{j}, R y_{j})$ of node $N_{j}$ ; if $w_{j} > T$ and $z_{j} P = A_{j} + e_{j} (R_{j} + c_{j} Q)$ hold, then node $N_{i}$ can verify the identity of node $N_{j}$ , where $c_{j} = h (N_{j} ∥ R x_{j} ∥ R y_{j} ∥ w_{j})$ and $e_{j} = h (N_{j} ∥ K x_{i j} ∥ K y_{i j})$ . Thus, two nodes, $N_{i}$ and $N_{j}$ , could achieve mutual authentication and generate a common session key $K_{i j}$ . The above authentication and key establishment are briefly illustrated in Figure 1.

Figure 1

The proposed authentication and key establishment protocol.

According to the Diffie-Hellman algorithm over elliptic curve [23], it provides that $K_{i j} = t_{j} {A_{i}}^{} = t_{i} A_{j} = t_{i} t_{j} P$ over elliptic curve $E_{q}$ . Hence, two nodes, $N_{i}$ and $N_{j}$ , can obtain their common shared key $K_{i j}$ by using their secret parameter $t_{i}$ and $t_{j}$ , respectively. This common shared key $K_{i j}$ is pairwise. Therefore, by means of the signature verification, any pair of nodes $N_{i}$ and $N_{j}$ can mutually authenticate each other and construct a shared session key for securing communications. For security and creating a different session key for nodes $N_{i}$ and $N_{j}$ , the random numbers $t_{i}$ and $t_{j}$ should be used only once. In the following, we state the correctness of the signature verification.

To make sure the validity of node $N_{i}$ and their shared key $K_{i j}$ for node $N_{j}$ , the equality $z_{i} P = A_{i} + e_{i} (R_{i} + c_{i} Q)$ always holds, while the signature $z_{i}$ , the expiration time $w_{i}$ , and the point $R_{i} = (R x_{i}, R y_{i})$ of node $N_{i}$ are correct, where Q is the public point of the system. According to the authentication and key establishment phase, the node $N_{j}$ can compute a shared session key $K_{i j} = t_{j}^{} A_{i} = (K x_{i j}, K y_{i j})$ , $c_{i} = h (N_{i} ∥ R x_{i} ∥ R y_{i} ∥ w_{i})$ , and $e_{i} = h (N_{i} ∥ K x_{i j} ∥ K y_{i j})$ . Since $z_{i} = t_{i} + e_{i} s_{i}$ and $s_{i} = r_{i} + c_{i} x mod q$ , then it has $z_{i} P = (t_{i} + e_{i} s_{i}) P = t_{i} P + e_{i} (r_{i} + c_{i} x) P = A_{i} + e_{i} (R_{i} + c_{i} Q)$ , where $t_{i} P = A_{i}$ , $r_{i} P = R_{i}$ , and $x P = Q$ . Therefore, node $N_{j}$ can confirm the legality of node $N_{i}$ and generate a common session key $K_{i j}$ .

Adding a New Node

During the network operation phase, if some sensor nodes are lost or destroyed, new sensor nodes need to be deployed. When a new node with identity $N_{v + 1}$ is added, the system (or base station) first generates a random number $r_{v + 1}$ and its expiration time $w_{v + 1}$ , and then computes the point $R_{v + 1} = r_{v + 1} P = (R x_{v + 1}, R y_{v + 1})$ and the secret key $s_{v + 1} = r_{v + 1} + c_{v + 1} x mod q$ , where $c_{v + 1} = h (N_{v + 1} ∥ R x_{v + 1} ∥ R y_{v + 1} ∥ w_{v + 1})$ . Next, the system preloads the elliptic curve $E_{q}$ , the system's public key Q, the generator P of the group $G = 〈 P 〉$ over the elliptic curve $E_{q}$ , the one-way hash function $h ()$ , its expiration time of $w_{v + 1} < t$ , and the secret pair $(R_{v + 1}, s_{v + 1})$ to the new node $N_{v + 1}$ . The authentication and key establishment for any old node with the new node $N_{v + 1}$ is the same as the above authentication and key establishment phase. In addition, the other information in existing nodes is not updated. Hence, the proposed scheme can be easily implemented as a dynamic access control, because all the old secret keys and messages of existing nodes need not be changed once a new node is added or an old node is lost.

3. Discussions

The proposed scheme is based on the ECC. Thus, the security of our scheme is founded in the difficulty of solving the discrete logarithm problem in $E_{q}$ . We will review some security terms needed for security analysis [17–19, 22, 23].

Definition 1.

A secure hash function, $h () : x \to y$ , is one-way; if given x, it is easy to compute $h (x) = y$ ; however, given y, it is hard to compute $h^{- 1} (y) = x$ .

Definition 2.

The elliptic curve discrete logarithm problem (ECDLP) in $E_{q}$ is as follows: given $P \in E_{q}$ with order n (that is $n P = O$ ) and Q is a point in the cyclic group $G = 〈 P 〉$ . It is intractable to find r such that $Q = r P$ .

Definition 3.

The elliptic curve computational Diffie-Hellman problem (ECDHP) is as follows: given $t_{1} P$ and $t_{2} P$ over elliptic curve $E_{q}$ , it is hard to compute $t_{1} t_{2} P$ for any positive integers $t_{1}$ and $t_{2}$ .

Next, we will discuss the security and performance of our scheme as follows.

3.1. Security Analysis

The security of the proposed scheme can be showed as follows.

3.1.1. Sensor Node Replication Attack

In this attack [10], an adversary can deploy malicious nodes which are clones of a compromised node into the sensor network. In the proposed scheme, for each node $N_{i}$ , the system (or base station) first gives the expiration time $w_{i}$ and generates a random number $r_{i}$ for the node $N_{i}$ then computes the point $R_{i} = r_{i} P = (R x_{i}, R y_{i})$ and the value $s_{i} = r_{i} + c_{i} x mod q$ , where $c_{i} = h (N_{i} ∥ R x_{i} ∥ R y_{i} ∥ w_{i})$ . Next, the system preloads the elliptic curve $E_{q}$ , the system's public key Q, the generator P of the group $G = 〈 P 〉$ over the elliptic curve $E_{q}$ , the one-way hash function $h ()$ , and the secret pair $(R_{i}, s_{i})$ to node $N_{i}$ . Thus, based on the timebounded $w_{i}$ , the secret key $s_{i}$ of node $N_{i}$ is computed by $s_{i} = r_{i} + c_{i} x$ , where $c_{i} = h (N_{i} ∥ R x_{i} ∥ R y_{i} ∥ w_{i})$ . Therefore, once the time period $T > w_{i}$ elapses, the clones of a compromised node $N_{i}$ cannot impersonate the real node of $N_{i}$ to achieve authentication and communication to other nodes for any future messages. Hence, the proposed method can withstand the sensor node replication attack. On the other hand, the public key $Q = x P$ and x is the private key of the system. Based on the elliptic curve discrete logarithm problem (ECDLP), with points $R_{i} = r_{i} P$ and Q, it is very difficult for anyone to obtain the secret number $r_{i}$ and x. Then, even if knowing $s_{i}$ , an attacker cannot easily derive the private key x of the system. Without the private key x, it is extremely hard for the attacker to achieve the sensor node replication attack.

3.1.2. Sybil Attack

In this attack, a malicious sensor claims multiple IDs (identities) or locations [24]. In the proposed scheme, the secret key $s_{i}$ of node $N_{i}$ is to use the timebounded and the identity $N_{i}$ for computing $s_{i} = r_{i} + c_{i} x$ and $c_{i} = h (N_{i} ∥ R x_{i} ∥ R y_{i} ∥ w_{i})$ . Therefore, a compromised node $N_{i}$ cannot claim a new identity ${N_{i}'}_{}$ in the vicinity of node $N_{j}$ . It can withstand the Sybil attack [24]. Therefore, without knowing x, it is very difficult for an adversary to update the expiration time $w_{i}$ and the identity $N_{i}$ so that the node $N_{i}$ might construct communication with other nodes through authentication. On the other hand, if node $N_{i}$ is compromised within its lifetime $w_{i}$ , then the adversary can impersonate $N_{i}$ and even mount a Sybil attack for the time $T < w_{i}$ . However, once the time period $T > w_{i}$ elapses, the adversary cannot impersonate $N_{i}$ to achieve authentication and communication to other nodes for any useful messages. Thus, without the knowledge of x, the malicious sensor node cannot successfully impersonate other nodes to inject forged data into the sensor network. To reduce the Sybil attack for this case, the lifetime for each node may be shorter. That is the impact of the node compromise attack to be decreased or minimized. It could be dependent on the applications and its area for a node.

3.1.3. Wormhole Attack

In this attack, an adversary tries to tunnel normal messages between a new node and other distant old nodes so that these nodes might construct communication through handshakes. This attack does not compromise any sensor node, but it may lead to many serious threats, for example, the chaos of the routing operations [9, 25]. However, in our authentication, the secret key $s_{i}$ of node $N_{i}$ is based on the timebounded. Once the time period has elapsed, an adversary could not use the Wormhole attack to establish a tunnel between a new node and other distant old nodes. Thus, for each node $N_{i}$ , using x and the expiration time $w_{i}$ , only the system can generate the secret key $s_{i} = r_{i} + c_{i} x$ for the node $N_{i}$ such that the signature verification $z_{i} P = A_{i} + e_{i} (R_{i} + c_{i} Q)$ holds, where $z_{i} = t_{i} + e_{i} s_{i} mod q$ , $c_{i} = h (N_{i} ∥ R x_{i} ∥ R y_{i} ∥ w_{i})$ , and $e_{i} = h (N_{i} ∥ K x_{i j} ∥ K y_{i j})$ . Without knowing the private key x of the system, an attacker cannot easily forge the system to deploy new nodes in the sensor networks.

3.1.4. Key Establishment

Based on the ECDLP, even if attackers can obtain $A_{i} = t_{i} P$ and $A_{j} = t_{j} P$ , it is very hard for them to derive the random numbers $t_{i}$ and $t_{j}$ from $A_{i}$ and $A_{j}$ . Without knowing $t_{i}$ and $t_{j}$ , an attacker obtains nothing about the shared key $K_{i j} = t_{j} A_{i} = t_{i} A_{j} = t_{i} t_{j} P$ for nodes $N_{i}$ and $N_{j}$ . It is based on the elliptic curve computational Diffie-Hellman problem (ECDHP) [23]. Hence, the proposed method can generate a shared key for secure communications. Moreover, a common key between two nodes is pairwise. If the common key $K_{i j}$ of nodes $N_{i}$ and $N_{j}$ is compromised, without knowing any other nodes' session keys $w_{i}$ , it would not be helpful for the attacker to obtain other nodes' messages.

3.1.5. Mutual Authentication

In the proposed authentication and key establishment phase, after receiving information $A_{i} = t_{i} P$ and $A_{j} = t_{j} P$ , only the legal nodes $N_{i}$ and $N_{j}$ can derive their signatures $z_{i} = t_{i} + e_{i} s_{i}$ and $z_{j} = t_{j} + e_{j} s_{j} mod q$ with their secret key $s_{i}$ and $s_{j}$ , respectively. Here, $e_{i} = h (N_{i} ∥ K x_{i j} ∥ K y_{i j})$ , $e_{j} = h (N_{j} ∥ K x_{i j} ∥ K y_{i j})$ , and $K_{i j} = t_{j} {A_{i}}^{} = t_{i} A_{j} = t_{i} t_{j} P = (K x_{i j}, K y_{i j})$ . Through signature verification, if two equations $z_{i} P = A_{i} + e_{i} (R_{i} + c_{i} Q)$ and $z_{j} P = A_{j} + e_{j} (R_{j} + c_{j} Q)$ hold, then two nodes $N_{i}$ and $N_{j}$ could achieve mutual authentication and generate a common session key $K_{i j}$ . Moreover, based on the ECC public key infrastructure, each sensor node does not know the secret keys of other nodes, and each shared common key is only known to neighboring nodes that created it. Hence, based on the security of Schnorr signature [21], without knowing the private key x or the secret key $s_{i}$ of node $N_{i}$ , no one can easily masquerade as the system or the node $N_{i}$ to compute the actuality signature of $z_{i}$ for cheating other nodes. Therefore, it can withstand a forgery attack. On the other hand, the random numbers $t_{i}$ and $t_{j}$ are used only once. It can resist the reply attack.

3.1.6. No Entire Secret Exposure

If the secret key $s_{i}$ of node $N_{i}$ is compromised, an attacker can only forge node $N_{i}$ to construct the new pairwise key $K_{i j}^{'}$ between nodes $N_{i}$ and $N_{j}$ in the z time period if and only if the time period $z \leq w_{i}$ . Once the time period $z > w_{i}$ elapses, this node cannot achieve authentication to other nodes for future time. These nodes are constrained by the time period. It could decrease the risk of the entire sensor network. The proposed method could protect all future secret information and the security of the entire sensor network will not be revealed. Thus, it could provide more secure connectivity for sensor networks.

3.1.7. Perfect Forward Secrecy

According to the Diffie-Hellman algorithm over elliptic curve, it provides that $K_{i j} = t_{j} {A_{i}}^{} = t_{i} A_{j} = t_{i} t_{j} P$ over elliptic curve $E_{q}$ . Hence, only two nodes $N_{i}$ and $N_{j}$ can obtain their common shared key $K_{i j}$ by using their secret parameter $t_{i}$ and $t_{j}$ , respectively. This common shared key $K_{i j}$ is pairwise. Therefore, by means of the signature verification, any pair of nodes $N_{i}$ and $N_{j}$ can mutually authenticate each other and construct a shared session key for securing communications. Thus, the proposed scheme can prevent external adversaries from eavesdropping normal messages or injecting bogus data into the sensor network. For security and creating a different session key for nodes $N_{i}$ and $N_{j}$ , the random numbers $t_{i}$ and $t_{j}$ should be used only once. Then, even if an intruder obtains the current session key $K_{i j}$ , it is difficult for him to obtain private messages from the past. The new scheme can provide perfect forward security even if the current secret key $K_{i j}$ has been compromised.

3.2. Performance

To the best of our knowledge, most previous key predistribution schemes cannot be easily implemented as a dynamic access control, because all the old secret messages of existing nodes have to be changed once a new sensor node is added [4–8, 15]. Therefore, with regard to efficiency and communications, we compare the proposed protocol with Zhou et al.'s [11] which is an access control scheme based on ECC. For convenience, we define related notations to analyze the computational complexity. The notation $T e_{m}$ means the time for one multiplication computation over an elliptic curve, $T_{i}$ denotes the time for one modular inverse computation, and $T_{h}$ denotes the time for executing the adopted one-way hash function in one's scheme. Note that the times for computing modular addition is ignored, since they are much smaller than $T e_{m}$ , $T_{i}$ , and $T_{h}$ .

In the proposed method and Zhou et al.'s protocol, the most expensive operation is the point multiplication of the form $k P$ for $k \in Z_{n}^{*}$ and P is a cyclic group of points over an elliptic curve [17–19]. Zhou et al. [11] and Gura et al. [26] evaluated the assembly language implementations of ECC and RSA on the Atmel ATmega128 processor [26, 27], which is popular for sensor platform such as crossbow MICA motes. In their implementation, a 160-bit point multiplication of ECC requires only 0.81 s (second), while 1024-bit RSA public key operation and private key operation require about 0.43 s (second) and 10.99 s (second), respectively. Besides, an inverse computation in $z_{q}^{*}$ takes about the same time as that of a modular exponentiation computation in $z_{q}^{}$ [28, 29]. And a hashing computation is more efficient than $T e_{m}$ and $T_{i}$ [28, 29]. Therefore, under the same security level, smaller key sizes of ECC could offer faster computation, as well as memory, energy, and bandwidth savings.

We summarize the comparisons of the proposed scheme with Zhou et al.'s scheme in Table 1. As shown in Table 1, in Zhou et al.'s scheme [11], each node needs to perform two hash function computations ( $2 T_{h}$ ), two inverse modular computations ( $2 T_{i}$ ), and four-point multiplications ( $4 T e_{m}$ ) over an elliptic curve for authentication. In the proposed method, each node requires two hash function computations ( $2 T_{h}$ ) and five-point multiplications ( $5 T e_{m}$ ) over an elliptic curve for authentication. In the implementation of [9, 27] for sensor platform, a 160-bit point multiplication of ECC requires only 0.81 s. Under their implementation [9, 27], the time to perform the proposed scheme is 4.05 s ( $5 \times 0.81$ ) for the five-point multiplications ( $5 T e_{m}$ ) over an elliptic curve. The time for Zhou et al.'s scheme is 3.24 s ( $4 \times 0.81$ ) for the four-point multiplications ( $4 T e_{m}$ ). Moreover, in Zhou et al.'s scheme, each node needs to use two inverse modular computations ( $2 T_{i}$ ). However, the proposed method need not to use inverse modular computations. As reported in [28, 29], an inverse computation in $z_{q}^{*}$ takes about the same time as that of a modular exponentiation computation in $z_{q}^{}$ . Therefore, the computational time of the Zhou et al.'s scheme is not significantly less than that of the proposed scheme.

Table 1

Comparisons of computation and transmission for two schemes.

Schemes	Zhou et al.'s scheme	The proposed scheme
Computations for each node to achieve authentication and compute a common key	$4 T e_{m} + 2 T_{i} + 2 T_{h}$	$5 T e_{m} + 2 T_{h}$
Total number of transmissions for the protocol	21	10

With regard to the communications, in the proposed authentication and key establishment phase, for the node $N_{i}$ , it requires to send five messages, $A_{i}, N_{i}, z_{i}, R_{i}$ , and $w_{i}$ , to the node $N_{j}$ ; similarly, the node $N_{j}$ needs to deliver five messages, $A_{j}, N_{j}, z_{j}, R_{j}$ , and $w_{j}$ , to the node $N_{i}$ . The total number of transmissions for the proposed protocol only needs ten transmissions. However, it is required to send twenty-one transmissions in Zhou et al.'s protocol [11]. Compared to Zhou et al.'s scheme, the proposed method could significantly reduce the overhead of communications for sensor nodes to achieve secure connectivity. Therefore, under the same security level, the proposed method could offer more energy and bandwidth savings than Zhou et al.'s scheme.

4. Conclusions

Based on ECC, this paper presents a simple dynamic access control protocol to prevent malicious nodes from joining sensor networks. Compared to the previously proposed schemes, the authentication procedure and common key generation of the proposed method are very simple and efficient. The proposed method could significantly reduce the overhead by avoiding modular exponentiation and inverse computations for any pair of nodes to establish a common key in the authentication procedure. It could offer computational efficiency, energy, and bandwidth savings.

Footnotes

Acknowledgment

The authors wish to thank many anonymous referees for their suggestions to improve this paper.

References

Akyildiz

I. F.

Sankarasubramaniam

Cayirci

A survey on sensor networks

IEEE Communications Magazine 2002 40 8 102 114

2-s2.0-0036688074

10.1109/MCOM.2002.1024422

Rodriguez-Mozaz

Alda

M. J. L. D.

Marco

M. P.

Barceló

Biosensors for environmental monitoring: a global perspective

Talanta 2005 65 2 291 297

2-s2.0-8544280003

10.1016/j.talanta.2004.07.006

Liu

Ning

Establishing pairwise keys in distributed sensor networks

Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03)

October 2003

52 61

2-s2.0-3042822764

Chan

Perrig

Song

Random key predistribution schemes for sensor networks

Proceedings of IEEE Symposium on Security and Privacy

May 2003

197 213

2-s2.0-0038487088

Choi

S. J.

Youn

H. Y.

An efficient key pre-distribution scheme for secure distributed sensor networks

Proceedings of the IFIP International Conference on Embedded and Ubiquitous Computing (EUC '05)

December 2005

1088 1097

10.1007/11596042_111

Eschenauer

Gligor

V. D.

A key-management scheme for distributed sensor networks

Proceedings of the 9th ACM Conference on Computer and Communications Security

November 2002

41 47

2-s2.0-0038341106

Huang

H. F.

A new design of efficient key pre-distribution scheme for secure wireless sensor networks

Proceedings of the 3rd International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIHMSP '07)

Novemebr 2007

Kaohsiung, Taiwan

253 256

Park

C. W.

Choi

S. J.

Youn

H. Y.

A novel key pre-distribution scheme with LU matrix for secure wireless sensor networks

Proceedings of the International Conference on Computational Intelligence and Security (CIS '05)

December 2005

Springer

494 499

Y. C.

Perrig

Johnson

D. B.

Packet leashes: a defense against wormhole attacks in wireless networks

Proceeding of the 22nd Annual Joint Conference on the IEEE Computer and Communications Societies

April 2003

1976 1986

2-s2.0-0041973497

10.

Parno

Perrig

Gligor

Distributed detection of node replication attacks in sensor networks

Proveedings of IEEE Symposium on Security and Privacy

May 2005

49 63

2-s2.0-27544460282

11.

Zhou

Zhang

Fang

Access control in wireless sensor networks

Ad Hoc Networks 2007 5 1 3 13

10.1016/j.adhoc.2006.05.014

12.

Zhu

Setia

Jajodia

LEAP: efficient security mechanisms for large-scale distributed sensor networks

Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03)

October 2003

62 72

2-s2.0-10044284351

13.

Zhu

Setia

Jajodia

LEAP+: efficient security mechanisms for large-scale distributed sensor networks

ACM Transactions on Sensor Networks 2006 2 4 500 528

2-s2.0-33847120377

10.1145/1218556.1218559

14.

Wang

Sheng

Tan

C. C.

Comparing symmetric-key and public-key based security schemes in sensor networks: a case study of user access control

Proceedings of the 28th International Conference on Distributed Computing Systems (ICDCS '08)

July 2008

Beijing, China

1 8

10.1109/ICDCS.2008.77

15.

Shamir

How to share a secret

Communications of the ACM 1979 22 11 612 613

2-s2.0-0018545449

10.1145/359168.359176

16.

Rivest

R. L.

Shamir

Adleman

A method for obtaining digital signatures and public key cryptosystems

Communications of the ACM 1978 21 2 120 126

2-s2.0-0017930809

10.1145/359340.359342

17.

Koblitz

Elliptic curve cryptosystems

Mathematics of Computation 1987 48 203 209

18.

Miller

Uses of elliptic curves in cryptography

218

Advances in Cryptology (CPYPTO '85)

1986

Springer

417 426 Lecture Notes in Computer Science

19.

Vanstone

Responses to NIST's proposal

Communications of the ACM 1992 35 50 52

20.

2.4 GHZ IEEE 802.15.4/ZigBee-ready RF Transceiver

2007, http://focus.ti.com/lit/ds/symlink/cc2420.pdf

21.

Schnorr

C. P.

Efficient identification and signatures for smart cards

435

Advances in Cryptology (Crypto '89)

1990

Springer

339 351 Lecture Notes in Computer Science

22.

Kumanduri

Number Theory with Computer Applications 1998

Upper Saddle River, NJ, USA

Prentice Hall

23.

Diffie

Hellman

M. E.

New directions in cryptology

IEEE Transactions on Information Theory 1976 22 6 644 654

2-s2.0-0017018484

24.

Douceur

J. R.

The Sybil attack

Proceedings of the 1st International Workshop on Peer-to-peer Systems (IPTPS '02)

March 2002

25.

Wang

Bhargava

Visualization of wormholes in sensor networks

Proceedings of the ACM Workshop on Wireless Security (WiSe '04)

October 2004

Philadelphia, Pa, USA

51 60

2-s2.0-11244309139

26.

Gura

Patel

Wander

Eberle

Shantz

S. C.

Comparing elliptic curve cryptography and RSA on 8-Bit CPUs

Proceedings of the 6th International Workshop Cryptographic Hardware and Embedded Systems (CHES '04)

2004

119 132

2-s2.0-35048818581

27.

Atmel Corporation http://www.atmel.com/

28.

Dimitrov

Cooklev

Two algorithms for modular exponentiation using nonstandard arithmetics

IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 1995 E78-A 1 82 87

2-s2.0-0029223753

29.

Fan

C. I.

Lei

C. L.

Low-computation partially blind signatures for electronic cash

IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 1998 E81-A 5 818 824

2-s2.0-0032066059

A New Design of Access Control in Wireless Sensor Networks

Abstract

1. Introduction

2. The Proposed Scheme

Initialization Phase

Authentication and Key Establishment Phase

Step 1.

Step 2.

Adding a New Node

3. Discussions

Definition 1.

Definition 2.

Definition 3.

3.1. Security Analysis

3.1.1. Sensor Node Replication Attack

3.1.2. Sybil Attack

3.1.3. Wormhole Attack

3.1.4. Key Establishment

3.1.5. Mutual Authentication

3.1.6. No Entire Secret Exposure

3.1.7. Perfect Forward Secrecy

3.2. Performance

4. Conclusions

Footnotes

Acknowledgment

References