Sage Journals: Discover world-class research

Abstract

Wireless sensor networks (WSNs) are subject to various attacks because of the vulnerable environment, limited recourse, and open communication channel. To protect WSNs, in this paper, we present a Secret sharing-based key management (SSKM). SSKM utilizes the advantages of hierarchical architecture and adopts two-level key management and authentication mechanism, which can efficiently protect the allover network communication security and survivability. Different from previous works, the SSKM distributes keys based on secret sharing mechanism by the clustered architecture, which not only localizes the key things but also keeps scalability. The SSKM provides various session keys, the network key for base station (BS) and cluster heads (CHs); the cluster key between the cluster head and member nodes. The SSKM dynamically generates different keys based on different polynomials from BS in different periods which can protect the network from the compromised nodes and reduce the high probability of the common keys. The security analysis shows that the SSKM can prevent several attacks effectively and reduce the energy consumption.

1. Introduction

Due to the development of internet of things (IoT) and cyber physical system (CPS), wireless sensors have been deployed in many applications, such as in smart grid, national security, intelligent transportation, forest detection, or chemical harmful gas monitoring [1]. However, wireless sensor networks (WSNs) usually consist of tiny sensors which have low computational capability, small storage, and limited energy; that is, the WSNs are often subject to a variety of attacks, such as eavesdropping attack and flood attack and so on. Once a sensor is compromised by adversaries, the information materials of the sensor become non secretive and intercepted by enemy, and the entire network is threatened [2].

Therefore, security mechanisms in WSN are required to provide data confidentiality, integrity, freshness, availability, and authentication [2]. Moreover, in view of the excellent performance of the clustering algorithm in WSN, the hierarchical architectures are often used in WSN applications [3]. Normally, cryptographic methods of securing a network are the key management strategy, and it has been intensively studied in the literature of WSNs [4–13]. Therefore, some literatures adopt hierarchical architecture to deploy key system on them to protect the communication in WSNs [4–10].

In [5, 6], the authors employed the secret sharing mechanism to distribute keys into nodes, which can effectively generate and assign keys. However, in these schemes, the network must exchange many messages to establish key system, which consumes lots of energy. In this paper, we present a novel secret sharing-based key management (SSKM).

In SSKM, considering that the energy efficiency is a dominant consideration problem of WSNs, we firstly employ the maximum energy cluster head (MECH) protocol to form cluster. Different from other hierarchical architectures, MECH protocol limits the size of cluster to generate uniform cluster. In each cluster, there is a sensor, called cluster head (CH), collecting information from other cluster member nodes and forwarding the processed information to the base station.

Therefore, to protect the communication channel from CH to BS, we present a network key. Firstly, the BS encrypts the network key with a secret, puts the secret as constant of the polynomial, and divides the secret into shares based on Lagrange interpolation formula. To reconstruct the polynomial of $(t - 1)$ degree, any t or more parameters $(ID, f (ID))$ combination can recover and obtain the secret. Therefore, our solution tries to avoid the adversary intercept and capture sufficient parameters.

Also, similar to network key, we design a cluster key to protect the communication between the cluster head and member nodes. Unlike the BS, CHs have no sufficient energy to broadcast messages. Thus, the BS deploys key material to sensors in advance, such as polynomials and revoked list. Then, the CH just exchanges parameters to adjust polynomials to generate/cancel keys.

Compared to previous works [5, 6], the salient advantages of our work are as follows: (1)

SSKM establishes a relocatable key mechanism based on the secret sharing theory, which hides keys into secret and recovers them when needed;

(2)

SSKM adopts hierarchical architecture which is suitable for the secret sharing mechanism and localizes the security and reduces energy consumption. It makes the SSKM key management feasible;

(3)

SSKM presents an authentication mechanism based on the secret sharing theory, which supports the scalability (join or leave).

The rest of this paper is organized as follows. Section 2 describes the related work, Section 3 presents the system model and assumption, Section 4 describes the secret sharing key management in detail, and Section 5 evaluates SSHM using security analysis. Finally, we end the paper with a conclusion as well as the further work in Section 6.

2. Related Work

In 1979, Shamir [14] and Blakley [15] proposed the secret sharing method based on the Lagrange interpolation formula and the nature of the vector space, respectively. Proposition: given $n + 1$ points $(x_{i}, f (x_{i}))$ on a polynomial $f (x)$ of degree n, one can identify a uniquely polynomial by calculating:

\begin{matrix} f (x) = \sum_{i = 1}^{n} (f (x_{i}) \underset{1 \leq k \neq i \leq n}{∐} \frac{x - x_{k}}{x_{i} - x_{k}}) . \end{matrix}

(1)

One also defines the Lagrange coefficient $Δ_{i, s}$ for $i \in Ζ_{P}$ and a set $S \subseteq Ζ_{P}$ :

\begin{matrix} Δ_{i, s} (x) = \underset{i \in S, j \neq i}{∐} \frac{x - j}{i - j} . \end{matrix}

(2)

A $(t, n)$ threshold secret sharing scheme is as follows: given n points $(x_{i}, f (x_{i}))$ on a polynomial $f (x)$ of degree $(t - 1)$ , randomly picking out t points of $(x_{i}, f (x_{i}))$ from n points can construct the polynomial. When constructing the scheme, the credibility of the parties splits initial secret S into n shares (points) and assigns them to users safely. Any t or more users combining their share can reconstruct the secret S, but any $t - 1$ user group or less cannot reconstruct the secret. This secret sharing method provides the security scheme in many applications, such as key distribution, secure computation, and information safe storage.

In [5], the authors present a low-cost secret-sharing scheme for sensor network. This paper provides basic building blocks to establish secure communication through exchanging secret keys between neighbor nodes without any cryptography methods. In [5], authors also design a second algorithm which extends the secret key establishment. However, due to the exchange happening among sensors, it consumes lots of energy. Moreover, the authentication between neighbor nodes also needs to exchange large messages, which makes it unsuitable for wireless sensor network.

In [6], authors presented some schemes to secure data aggregation based on secret sharing and information dispersal. In these schemes, sensor nodes split messages into subshares and forward them among several disjoint paths to defend DoS attack, eavesdropping attack, and tampering attack. They design a secret multipath aggregation (SMA) mechanism which applies secret sharing to create shares to deal with security under the contingency of node compromise. However, these schemes are not feasible for heavy energy consumption. On one hand, they want data aggregation using secret sharing; on the other hand, they have to distribute key things and messages to confuse the enemy, so that the adversary cannot find the real route, which needs a large number of messages exchange.

Comparing with previous works, our solution adopts the hierarchical network and localizes the communication and security. Also, we ingeniously use the base station to carry complicated things out, which can reduce the energy consumption.

3. System Model

3.1. Network Model

The wireless sensor network is energy sensitive. Therefore, we adopt the maximum energy cluster head (MECH) protocol for our network architecture [1]. The MECH is an LEACH-like protocol (LEACH: low energy adaptive clustering hierarchy) [2] which divides the network into clusters.

As shown in Figure 1, in the MECH architecture, the sensors self-organize into some clusters and act as two types of roles: cluster heads and member nodes. In each cluster, one node as a CH manages the cluster and deals with information from member nodes forward to the base station (BS). MECH constructs clusters based on radio range and the number of cluster members. The cluster topology in the network is distributed more equally through our cluster constructing; that is, nodes in each cluster do not exceed a certain threshold.

Figure 1

The network system.

3.2. Assumptions

In the considered network, we consumed the following. (i)

All sensor nodes are static.

(ii)

Each sensor has a unique ID assigned by the base station.

(iii)

Each sensor has the same capabilities in energy, computation, radio range, and so forth.

(iv)

If a node is compromised, all of the key things in the node are revealed [7].

(v)

Each sensor is in, and only in, one cluster.

(vi)

The BS can communicate with all sensors in the network.

3.3. Notations

In Table 1, we list some notations used in this paper.

Table 1

Notations.

Notation	Explains
$K_{ini}$	The initial key shared by all nodes
$I D_{i}$	ID of sensor
BS	Base Station
$C_{i}$	The ith cluster
$C H_{i}$	The ith cluster head
$K_{^{C_{in}}}^{l}$	The session key during session l
$S_{C_{in}}^{l}$	The secret sharing among CHs during session l
$Z_{C_{in}}^{^{l}}$	The encrypted key $K_{^{C_{in}}}^{l}$ by the secret sharing $S_{C_{in}}^{l}$
$K_{C H_{i}}^{l}$	The cluster key among clusters during session l
$S_{C H_{i}}^{l}$	The secret sharing between CH and members in session l
$Z_{C H_{i}}^{^{l}}$	The encrypted key $K_{C H_{i}}^{l}$ by the secret sharing $S_{C H_{i}}^{l}$
R	Revoked set before session l
l	Session period
w	The number of nodes in WSN

4. The Secret Sharing-Based Key Management

In this section, we describe the secret sharing-based key management (SSKM) in detail. After deployment, the base station assigns each sensor an initial key $K_{init}$ similar to LEAP+ [12]. And then, the BS broadcasts the key materials to the network to build the network key and the cluster key, respectively. The key architecture is shown in Figure 2.

Figure 2

The key architecture.

4.1. Preliminaries

After deployment, the BS randomly chooses an integer, relatively primes with $p - 1$ and $q - 1$ (p and q are big primes); the base station assigns each sensor an initial key $K_{init}$ similar to LEAP. Since the BS is credible and has sufficient capacity and energy, it keeps all IDs and keys. Meanwhile, BS chooses polynomials and the corresponding number of polynomial values for each cluster. Assume that there are $m - 1$ clusters $C_{i} (i = 1, \dots, m - 1)$ , and each cluster has a cluster head ${CH}_{i}$ and $k (k \geq t)$ member nodes.

Shamir's $(t, n)$ threshold scheme based on Lagrange interpolating polynomial states that there are n shareholders $U = {U 1, \dots, U_{n}}$ and mutually trusted dealer D. The scheme consists of two steps [16]:

(1) share generation phase: dealer D randomly selects a polynomial $f (x)$ of $(t - 1)$ degree:

\begin{matrix} f (x) = S + a_{1} x + \dots + a_{t - 1} x^{t - 1} (\mod P), \end{matrix}

(3)

in which the secret

S = f (0)

, all coefficients

S, a_{1}, a_{2}, \dots, a_{t - 1}

are in finite field

F_{p} = GF (P)

with p elements, and dealer computes all shares

S_{i} = f {(x_{i})}_{}

for

{i = 1, \dots, n}

; then it distributes each share

S_{i}

to corresponding shareholder

U_{i}

privately;

(2) secret reconstruct phase: any t shares $(S_{1}, S_{2}, \dots, S_{t})$ of n shares as input, and we can reconstruct the secret S as

\begin{matrix} f (x) = \sum_{i = 1}^{t} S_{i} (\prod_{i \neq j} \frac{x - x_{j}}{x_{i} - x_{j}}) (\mod P), \\ f (0) = \sum_{i = 1}^{t} S_{i} (\prod_{i \neq j} \frac{x_{j}}{x_{j} - x_{i}}) (\mod P) . \end{matrix}

(4)

We find that the above scheme satisfies the basic security requirement of secret sharing scheme: any t shares or more than t shares can reconstruct the secret S; fewer than $(t - 1)$ shares cannot reconstruct the secret S. Shamir's scheme is information theoretically secured [17]. However, there are some requirements [18] in this situation: (1)

there must be a secure channel for delivering shares between dealer and users;

(2)

$x_{i}$ and $f (x_{i})$ are made publicly known. However, in key transfer protocol, for security reason, we need to keep $x_{i}$ and $f (x_{i})$ as each user's secret. So we adopt the discrete logarithm in finite field and DDH difficulty assumption to ensure the security in the unsecure communication channel.

4.2. Initial Phase

Once wireless sensor network has been deployed and sensors self-organized into clusters, BS starts to form the key system as follows. (1)

Firstly, BS chooses two big primes $p_{1}$ and $q_{1}$ ; let $p = 2 p_{1} + 1$ and $q = 2 q_{1} + 1$ , $N = p q$ ; it is computationally intractable to solve the factor n without p, q. Meanwhile, BS selects a generator g ( $g \in [N^{1 / 2}, N]$ ) and another prime $Q (Q > N)$ . And then, BS broadcasts the three triple $(N, g, Q)$ to sensors in the network.

(2)

Assume that during each session period $l (l = 1, \dots, M)$ , BS randomly and uniformly chooses m polynomials $f (x)$ of $(t - 1)$ -degree, where $m - 1 \geq t$ . And one of polynomials is as follows:

\begin{matrix} f_{C_{in}}^{l} (x) = S_{C_{in}}^{l} + a_{{1, C_{in}}_{}}^{l} x + \dots + a_{t - 1, C_{in}}^{l} x^{t - 1} \mod Q . \end{matrix}

(5)

Equation (5) is used to key distribute between BS and cluster head. And other $m - 1$ polynomials are utilized to key distribute among the cluster and member nodes as follows:

\begin{matrix} f_{{C H_{i}}_{}}^{l} (x) = S_{{CH}_{i}}^{l} + a_{1, {CH}_{i}}^{l} x + \dots + a_{{t - 1, {CH}_{i}}_{}}^{l} x^{t - 1} \mod Q . \end{matrix}

(6)

(3)

BS independently selects M session keys ${K_{C_{in}}^{l^{}}}_{l = 1, \dots, M}$ and ${K_{{CH}_{i}}^{l^{}}}_{l = 1, \dots, M}$ from $GF (Q)$ in the finite field Q and hides the session keys with secret $S_{C_{in}}^{l}$ and $S_{{CH}_{i}}^{l}$ , namely, $Z_{C_{in}}^{l} = {K_{C_{in}}^{l} + S_{C_{in}}^{l}}$ in network key management and $Z_{{CH}_{i}}^{l} = {K_{{CH}_{i}}^{l} + S_{{CH}_{i}}^{l}}$ in cluster key management. The algorithm of initial phase is shown in Figure 3.

Figure 3

The initial phase.

4.3. Network Key Management

The network key is the session key between the BS and cluster heads to protect their communication.

The key shares distribution process is as follow. (1)

During the session period ${l}_{l = 1, \dots, M}$ , the BS counts out each cluster head's (CH's) share $f_{C_{in}}^{l} ({ID}_{{CH}_{i}}^{l})$ by their ID and gets the two tuples ${{ID}_{{CH}_{i}}^{l}, f_{C_{in}}^{l} ({ID}_{i}^{l})}$ , for the security between BS and CHs. Firstly, the BS randomly chooses $x_{0}^{l} (x_{0}^{l} \in [2, n])$ which relatively primes with $p - 1$ and $q - 1$ , and let $y_{0}^{l} = g^{x_{0}^{l}} \mod N$ ; meanwhile, CHs also chooses $x_{i}^{l} (x_{i}^{l} \in [2, N])$ and lets $y_{i}^{l} = g^{x_{i}^{l}} \mod N$ . And then, the CH sends $({ID}_{{CH}_{i}}^{l}, y_{i}^{l}) (i = 1, \dots, m - 1)$ to the BS, and BS unicasts $(y_{0}^{l}, ({ID}_{{CH}_{i}}^{l}, f_{C_{in}}^{l} (D_{{CH}_{i}}^{l}) (y_{{CH}_{i}}^{l})^{x_{0}} \mod N$ to each ${ID}_{{CH}_{i}}^{l}$ . Note that the BS must ensure if ${ID}_{i} \neq {ID}_{j}$ then $y_{i}^{l} = y_{j}^{l}$ ; otherwise, it should regenerate until success.

(2)

Given that R indicates the set of revoked CHs during the session period l and before, let $R = R_{2} \cup \dots \cup R_{l - 1} \cup R_{l}$ , where $| R | \leq t$ . In session l, the BS selects a group of users $V_{l} = {{ID}_{{CH}_{1}}^{l}, \dots, {ID}_{{CH}_{t}}^{l}}$ which meet ${ID}_{R} \subseteq V_{l}$ and ${ID}_{{CH}_{i}} \cap V_{l} = \emptyset$ .

(3)

BS broadcasts the information ${Z_{C_{in}}^{1}, Z_{C_{in}}^{2}, \dots Z_{C_{in}}^{l}}$ to each cluster node.

The network key process is shown in Figure 4.

Figure 4

The network in session l.

The session key recovery process is as follows. (1)

Having received the key materials, cluster heads calculate their individual share $f_{C_{in}}^{l} ({ID}_{{CH}_{i}}^{l}) \cdot (y_{i}^{l})^{x_{0}} / (y_{0}^{l})^{x_{i}} = f_{C_{in}}^{l} ({ID}_{{CH}_{i}}^{L})$ with the private key $x_{i}^{l}$ and public key $y_{0}^{l}$ . According to the information ${{ID}_{i}^{l}, f_{C_{in}} ({ID}_{i}^{l})}$ , any t sensors or more than t sensor can recover the secret $S_{C_{in}}^{l}$ with (7) as follows:

\begin{matrix} f_{C_{in}} (x) = \sum_{j = 1}^{t} (\underset{l \neq j}{∐} \frac{x - {ID}_{{CH}_{j}}^{L}}{{ID}_{{CH}_{l}}^{L} - {ID}_{{CH}_{j}}^{L}}) f ({ID}_{{CH}_{j}}^{L}) \mod Q, \\ S_{C_{in}}^{l} = \sum_{j = 1}^{t} (\underset{l \neq j}{∐} \frac{{ID}_{{CH}_{j}}^{L}}{{ID}_{{CH}_{j}}^{L} - {ID}_{{CH}_{l}}^{L}}) f ({ID}_{{CH}_{j}}^{L}) \mod Q . \end{matrix}

(7)

(2)

Using $Z_{C_{in}}^{l}$ and $S_{C_{in}}^{l}$ , users can get the secret $K^{l} = Z_{C_{in}}^{l} - S_{C_{in}}^{l}$ .

4.4. Cluster Key Management

In this phase, the protocol establishes the cluster key between CH and members. Similar to the network key, the cluster key can be generated as follows.

(1) Firstly, cluster head chooses $x_{{ch}_{i}}^{l} (x_{{ch}_{i}}^{l} \in [2, N])$ randomly which relatively primes with $p - 1$ and $q - 1$ , and CH sends it to BS. Then, BS counts out $y_{{ch}_{i}}^{l} = g^{x_{{ch}_{i}}^{l}}$ and sends $({ID}_{{CH}_{i}}^{l}, y_{{CH}_{i}}^{l})$ to sensor node in cluster ${CH}_{i}$ ; meanwhile, sensor node picks $x_{i, r}^{l}$ randomly which relatively primes with $p - 1$ and $q - 1$ , computes $y_{i, r}^{l} = g^{x_{i, r}^{l}} \mod N$ , and then sends $({ID}_{i, r}^{l}, y_{i, r}^{l}) (i = 1, \dots, m - 1, r = 1, \dots, k)$ to the BS. The BS ensures that if ${ID}_{i, r}^{l} \neq {ID}_{i, z}^{l}$ , there should be no $y_{i, r}^{l} = y_{i, z}^{l}$ ; otherwise it reselects until success.

Furthermore, the BS utilizes CH's ${ID}_{{CH}_{i}}^{l}$ and members' ${ID}_{i, r}^{l} (r = 1, \dots, k)$ to count out the share $f_{{CH}_{i}}^{l} ({ID}_{{CH}_{i}}^{l})$ and $f_{{CH}_{i}}^{l} ({ID}_{i, r}^{l})$ , respectively.

(2) Given that R indicates the set of revoked sensors during the session period l and before, let $R = R_{2} \cup \dots \cup R_{l - 1} \cup R_{l}$ , where $| R | \leq t$ . During session l, the CH selects a group of users $V_{l} = {{ID}_{i, 1}^{l}, \dots, {ID}_{i, k}^{l}}$ , where ${ID}_{R} \subseteq V_{l}$ and ${ID}_{R} \cap V_{l} = \emptyset$ , while BS unicasts $({ID}_{{CH}_{i}}^{l}, f_{{CH}_{i}}^{l} ({ID}_{{CH}_{i}}^{l}) \cdot (y_{{i, r}_{}}^{l})^{x_{{ch}_{i}}^{l}} \mod N)$ to sensor node in ${CH}_{i}$ and sends $({ID}_{i, r}^{l}, f_{{CH}_{i}}^{l} ({ID}_{i, r}^{l}) \cdot (y_{{CH}_{i}}^{l})^{x_{i, r}^{l}} \mod N)$ to ${CH}_{i}$ .

(3) Then, BS independently selects M session keys ${K^{l}}_{l = 1, \dots, M}$ from $GF (Q)$ , in finite field Q, hiding the $K^{l}$ : $Z_{{CH}_{i}}^{l} = {K^{l} + S_{{CH}_{i}}^{l}}_{l = 1, \dots, M; i = 1, \dots, m}$ with the secret $S_{{CH}_{i}}^{l}$ . The purpose is not to leak the $K^{l}$ . The cluster key process is shown in Figure 5.

Figure 5

The cluster key process.

4.5. Secret Recovery

Depending on the received information from base station, public generator, node's private key $x_{i, r}^{l}$ , and cluster node's own key $x_{{ch}_{i}}^{l}$ , cluster head and members can obtain their share through the following formulas:

\begin{matrix} \frac{f_{{CH}_{i}}^{l} ({ID}_{{CH}_{i}}^{l}) \cdot {(y_{{i, r}_{}}^{l})}^{x_{{ch}_{i}}^{l}}}{{(y_{{ch}_{i}}^{l})}^{x_{{i, r}_{}}^{l}}} = f_{{CH}_{i}}^{l} ({ID}_{{CH}_{i}}^{l}), \\ \frac{f_{{CH}_{i}}^{l} ({ID}_{i, r}^{l}) \cdot {(y_{{ch}_{i}}^{l})}^{x_{i, r}^{l}}}{{(y_{i, r}^{l})}^{x_{{ch}_{i}}^{l}}} = f_{{CH}_{i}}^{l} ({ID}_{i, r}^{l}) . \end{matrix}

(8)

f_{{CH}_{i}}^{l} ({ID}_{{CH}_{i}}^{l}) \cdot (y_{_{i, r}}^{l})^{x_{{ch}_{i}}^{l}}, f_{{CH}_{i}}^{l} ({ID}_{i, r}^{l}) \cdot (y_{{ch}_{i}}^{l})^{x_{i, r}^{l}}

is broadcast information;

y_{i, r}^{l}

and

y_{{ch}_{i}}^{l}

are public information. So cluster head and common nodes can obtain their own shares, respectively, and then members send

({ID}_{i, r}^{l}, f_{{CH}_{i}}^{l} ({ID}_{i, r}^{l}))

to CH. CH uses

({ID}_{{CH}_{i}}^{l}, f_{{CH}_{i}}^{l} (D_{{CH}_{i}}^{l}))

and

t - 1

sensors'

({ID}_{i, r}^{l}, f_{{CH}_{i}}^{l} ({ID}_{i, r}^{l}))

to recover the secret S. According to (7), we can carry

S_{{CH}_{i}}^{l}

out. Furthermore, CH can get

Z_{{CH}_{i}}^{l} = K^{l} + S_{{CH}_{i}}^{l}

, and then we can calculate

K^{l}

to unicast

K^{l}

t - 1

sensors

({ID}_{i, r}^{l}, K^{l})

4.6. Scalability

In our solution, we also consider the scalability of network.

4.6.1. New Member Join

When a new member $P_{u} (u \neq 1, \dots, n)$ wants to join during session period l, $P_{u}$ should randomly choose an integer $x_{u} (x_{u} \in [2, N])$ and count out $y_{u} = g^{x_{u}} \mod N$ . And then, $P_{u}$ keeps $x_{u}$ secretly and chooses randomly an ${ID}_{u} ({ID}_{u} > n)$ ; n is the largest node identity in network, and then sends $({ID}_{u}, y_{u})$ to the BS. The BS will authenticate $P_{u}$ . If ${ID}_{u} > N$ and $P_{i} (i = 1, \dots, N)$ and $y_{i} \neq y_{u}$ , then $P_{u}$ is acceptable and can join the network.

4.6.2. Node Isolation

Once CH or neighbor nodes find a compromised node $P_{h}$ , the CH sends its information ${ID}_{h}$ to BS. Meanwhile, BS and CH add their IDs into $R : {R} \cup {{ID}_{h}}$ .

5. Security Analyses

Due to the unreliable wireless environment, dynamic clustering cluster key distribution scheme is subject to a variety of attacks, such as eavesdropping, tampering, and replay attacks. Compared to previous works, the salient advantage of our solution is that we addressed challenging runtime security issues using localizing key things and group key management based on secret sharing mechanism.

5.1. Robustness

In the recovery phase, for any user $P_{i} \in P$ , if anyone wants to recover $K^{l}$ , they must obtain both $Z_{{CH}_{i}}^{l}$ and $S_{{CH}_{i}}^{l}$ , which makes it very difficult to recover keys.

Furthermore, assume that any set $F \subseteq P$ and $| F | \leq t - 1$ , if an unrevoked user $P_{i} \in F$ , any other user collusions in F cannot get information about the $P_{i}$ 's personal secret $S_{i}$ . Because in each session l, user $P_{i}$ 's secret $S_{i}^{l} = f_{{CH}_{i}}^{l} (0)$ or $S_{i}^{l} = f_{C_{in}}^{l} (0)$ is $t - 1$ degree polynomial $f_{{CH}_{i}}^{l} (x)$ or $f_{C_{in}}^{l} (x)$ , the users in F only know $t - 1$ values about $f_{{CH}_{i}}^{l} (x)$ or $f_{C_{in}}^{l} (x)$ . And the difficulty to reconstruct a polynomial $f_{{CH}_{i}}^{l} (x)$ or $f_{C_{in}}^{l} (x)$ by $t - 1$ values is equivalent to breaking a Shamir's $(t, n)$ secret sharing problem, which is not feasible in computation. Therefore, user collusions in F have no ability to obtain user $P_{i}$ 's secret $S_{i}^{l}$ .

Moreover, because the cluster session key $K^{l}$ is selected from a uniform distribution, and independent of the user's personal secret, no one can obtain information about the session key $K^{l}$ separated from personal secret collection. Also, in each session $l = 1, \dots, M$ , because of $Z_{{CH}_{i}}^{l} = K^{l} + S_{{CH}_{i}}^{l}$ , $Z_{{CH}_{i}}^{l}$ hides session key $K^{l}$ with personal secret $S_{{CH}_{i}}^{l}$ , and adversary has no ability to obtain any useful information just from the collection of broadcast messages.

5.2. Tolerance

The normal user $P_{i} \notin R$ (unrevoked user or normal node) can utilize the broadcast messages and private secret to recover the session key $K^{l}$ ; however, the revoked user can only obtain $t - 1$ values from the broadcasted polynomial $f^{l} (x)$ ; thus, they have no ability to reconstruct $t - 1$ degree polynomial $f^{l} (x)$ as mentioned above. Therefore, the user in R cannot get $f^{l} (0)$ . Moreover, because of $K^{l} = Z_{{CH}_{i}}^{l} - f^{l} (0)$ , it is not feasible to recover personal secret $K^{l}$ by $Z_{{CH}_{i}}^{l}$ and ${S_{r {p_{r} \in R}}}_{}$ .

5.3. Security

Our solution also has both $t - 1$ forward secrecy and $t - 1$ backward secrecy.

5.3.1. $t - 1$ Forward Secrecy

Let $R \subseteq P$ , $| R | \leq t - 1$ , and each $P_{i} \in R$ is a revoked user before session l. Even if user collusions know all cluster keys before the session l, they cannot obtain any information of current session key $K^{l}$ , because they cannot recover $f^{l} (0)$ with just $t - 1$ values of $f^{l} (x)$ . Therefore, the solution is $t - 1$ forward secrecy.

5.3.2. $t - 1$ Backward Secrecy

Let $J \subset P$ , $| J | \leq t - 1$ . Each user $P_{i} \in J$ joined the group before session l. Even if user collusions in J know all cluster keys $K^{l}$ before the session l, they cannot obtain any information of current session key $K^{l_{1}} (l_{1} < l)$ . Because if a user wants to get $K^{l_{1}}$ , the user $P_{i} \in J$ at least recovers t points of $f^{l_{1}} (x)$ for $f^{l_{1}} (0)$ . However, each user $P_{i}$ after session J at least obtains $t - 1$ value from $t - 1$ degree $f^{l_{1}} (x)$ and has no ability to reconstruct $f^{l_{1}} (x)$ ; that is, the solution is $t - 1$ backward secrecy.

5.4. Complexity Analysis

In this section, we discuss the complexity of our scheme from computation complexity, communication complexity, and storage cost needed by common node and cluster. (1)

Computation complexity: we assume that base station has a large computation capacity, the pickout of polynomial and share distribution as well as the choice of generator. Common node only needs to compute division, and cluster head needs to reconstruct the polynomial beside division.

(2)

Communication costs include the broadcast cost: $j (lo g^{q})$ and download the publishing information from publish board: $t * j * (lo g^{q})$ , where t indicates a session period; j is the number of nodes in one cluster, and q is an enough secure prime.

(3)

Storage cost: in our scheme, we only need to save a private respective key, which is $lo g^{q}$ .

6. Conclusion and Future Work

In this paper, we propose a secret sharing-based key management scheme (SSKM) to enhance network security and survivability. Different from previous works, although we employ the hierarchical architecture, we limited the size of clusters to balance the overall energy consumption of the network. In contrast to other clustered architectural security solutions, the salient advantage of this work is that we addressed challenging security issues by localizing key things based on secret sharing theory. We present the network key and cluster key and generate new keys from various polynomials by Lagrange interpolation formula. Also, we present a rekey mechanism in the cluster head selection with low energy consumption. Meanwhile, SSKM has an authentication mechanism to ensure the scalability, which cannot only authenticate the new sensor but also can isolate the compromised node. The security analysis shows that our solution cannot only reduce the energy consumption effectively but also enhance the security level. In the future, we will focus on how to enhance security in mobile and scalable WSNs.

Footnotes

Acknowledgments

This work was supported by China Postdoctoral Science Foundation Funded Project (2012M510367); the National Basic Research Program of China (973 Program) (2011CB302900).

References

Akyildiz

I. F.

Sankarasubramaniam

Cayirci

A survey on sensor networks

IEEE Communications Magazine 2002 40 8 102 114

2-s2.0-0036688074

10.1109/MCOM.2002.1024422

Zhou

Fang

Zhang

Securing wireless sensor networks: a survey

IEEE Communications Surveys and Tutorials 2008 10 3 6 28

Vivek

Narottam

Surender

A survey on clustering algorithms for heterogeneous wireless sensor networks

International Journal of Advanced Networking and Applications 2011 2 4 745 754

Xiao

Guizani

Chen

H. H.

An effective key management scheme for heterogeneous sensor networks

Ad Hoc Networks 2007 5 1 24 34

2-s2.0-33750023217

10.1016/j.adhoc.2006.05.012

Bertier

Mostefaoui

Trédan

Low-cost secret-sharing in sensor networks

Proceedings of the IEEE 12th International Symposium on High Assurance Systems Engineering (HASE '10)

November 2010

1 9

2-s2.0-79951930887

10.1109/HASE.2010.16

Claveirole

Dias De Amorim

Abdalla

Viniotis

Securing wireless sensor networks against aggregator compromises

IEEE Communications Magazine 2008 46 4 134 141

2-s2.0-42649115167

10.1109/MCOM.2008.4481352

Seyed

H. N.

Amir

H. J.

Vanesa

A distributed group rekeying scheme for wireless sensor networks

Proceedings of the 6th International Conference on Systems and Networks Communications (ICSNC '11)

2011

127 135

Zhang

Y. Y.

X. Z.

Liu

J. M.

Yang

J. C.

Cui

B. J.

A secure hierarchical key management scheme in wireless sensor network

The International Journal of Distributed Sensor Networks 2012 2012 8

547471

10.1155/2012/547471

Zhang

Y. Y.

X. Z.

Yang

J. C.

Liu

Y. A.

Xiong

N. X.

Vasilakos

A. V.

A real-time dynamic key management for hierarchical wireless multimedia sensor network

Multimedia Tools and Applications 2012

2-s2.0-84857964060

10.1007/s11042-012-1054-8

10.

Zhang

Y. Y.

Yang

W. C.

Kim

K. B.

Park

M. S.

An AVL tree-based dynamic key management in hierarchical wireless sensor network

Proceedings of the 4th International Conference on Intelligent Information Hiding and Multiedia Signal Processing (IIH-MSP '08)

August 2008

298 303

2-s2.0-54049088996

10.1109/IIH-MSP.2008.138

11.

Luk

Mezzour

Perrig

Gligor

MiniSec: a secure sensor network communication architecture

Proceedings of the 6th International Symposium on Information Processing in Sensor Networks (IPSN '07)

April 2007

479 488

2-s2.0-35348897342

10.1145/1236360.1236421

12.

Zhu

Setia

Jajodia

LEAP+: efficient security mechanisms for large-scale distributed sensor networks

ACM Transactions on Sensor Networks 2006 2 4 500 528

2-s2.0-33847120377

10.1145/1218556.1218559

13.

Eltoweissy

Moharrum

Mukkamala

Dynamic key management in sensor networks

IEEE Communications Magazine 2006 44 4 122 130

2-s2.0-33646918277

10.1109/MCOM.2006.1632659

14.

Shamir

How to share a secret

Communications of the ACM 1979 22 11 612 613

2-s2.0-0018545449

10.1145/359168.359176

15.

Blakley

Safeguarding cryptgraphic keys

Proceedings of the National Computer Conference (AFIPS '79)

1979

New York, NY, USA

AFIPS Press

313 317

16.

Agrawal

Verifiable secret sharing in a total of three rounds

Information Processing Letters 2012 112 856 859

17.

Hua

Liao

Cheng

Verifiable multi-secret sharing based on LFSR sequences

Theoretical Computer Science 2012 445 52 62

18.

Liu

Y.-X.

Harn

Yang

C.-N.

Zhang

Y.-Q.

Efficient (n, t, n) secret sharing schemes

Journal of Systems and Software 2012 85 6 1325 1332

2-s2.0-84859553604

10.1016/j.jss.2012.01.027

A Secret Sharing-Based Key Management in Hierarchical Wireless Sensor Network

Abstract

1. Introduction

2. Related Work

3. System Model

3.1. Network Model

3.2. Assumptions

3.3. Notations

4. The Secret Sharing-Based Key Management

4.1. Preliminaries

4.2. Initial Phase

4.3. Network Key Management

4.4. Cluster Key Management

4.5. Secret Recovery

4.6. Scalability

4.6.1. New Member Join

4.6.2. Node Isolation

5. Security Analyses

5.1. Robustness

5.2. Tolerance

5.3. Security

5.3.1. t - 1 Forward Secrecy

5.3.2. t - 1 Backward Secrecy

5.4. Complexity Analysis

6. Conclusion and Future Work

Footnotes

Acknowledgments

References

5.3.1. $t - 1$ Forward Secrecy

5.3.2. $t - 1$ Backward Secrecy