Sage Journals: Discover world-class research

Abstract

In the context of Internet of Things (IoT), multiple cooperative nodes in wireless sensor networks (WSNs) can be used to monitor an event, jointly generate a report and then send it to one or more Internet nodes for further processing. A primary security requirement in such applications is that every event data report be authenticated to intended Internet users and effectively filtered on its way to the Internet users to realize the security of data collection and transmission from the WSN. However, most present schemes developed for WSNs don't consider the Internet scenario while traditional mechanisms developed for the Internet are not suitable due to the resource constraint of sensor nodes. In this paper, we propose a scheme, which we refer to as Data Authentication and En-route Filtering (DAEF), for WSNs in the context of IoT. In DAEF, signature shares are generated and distributed based on verifiable secret sharing cryptography and an efficient ID-based signature algorithm. Our security analysis shows that DAEF can defend against node compromise attacks as well as denial of service (DoS) attacks in the form of report disruption and selective forwarding. We also analyze energy consumption to show the advantages of DAEF over some comparable schemes.

1. Introduction

To become an indispensable part of the Internet of Things (IoT), wireless sensor networks (WSNs) need to adopt IP technologies to create a seamless, global network infrastructure together with the Internet. To achieve this goal, many standardization organizations have been actively pursuing standardization work for creating a global sensor network infrastructure [1, 2]. In the context of the IoT, any IP-enabled node in the Internet shall be able to communicate directly with any remote sensor node in a WSN that is used to monitor specific events. Data transmission from any WSN node to any Internet node can be event-driven, whose scenarios include events that may be sensed sporadically by multiple cooperative sensor nodes when something happens, for example, when detecting fire or door-opening, or can be scheduled at predefined intervals, for example, reporting temperature every two hours. To monitor specific events of interest, more than one sensor node can be used to collect data and transmit it via multihop wireless paths to one or more Internet nodes to improve robustness, especially in an environment in which security threats resulting from internal and external attacks due to node compromises is a serious concern. Under such circumstances, it is still required that data report be sent to one or more of the intended Internet users as accurately as possible.

Since sensor nodes in a WSN may be deployed in an unattended environment, as shown in Figure 1, attackers can relatively easily compromise one or more sensor nodes so that they can be used to inject false event data (e.g., compromised node A can report false data for the event) or disrupt the transmission of legitimate event data (e.g., compromised node B can temper or even discard true data for the event within the multi-hop forwarding process). If undetected, such attacks can cause not only the generation of false alarms but also the depletion of limited energy in the sensor nodes. Moreover, Internet users may not be notified of a real event quickly and handle the event in time to avoid serious consequences. Therefore, it becomes imperative that security services such as data authenticity and availability be provided to resist such attacks.

Figure 1

Compromised nodes can inject false event data or disrupt the transmission of legitimate event data.

In many critical applications, the data that are collected by sensor nodes can also be sensitive. Therefore, it is important to ensure data authenticity to detect the report of false or nonexisting events. If a report for an event can be collectively endorsed by multiple sensor nodes, data authenticity can be ensured in the sense that a certain number of compromised nodes cannot collectively forge a report. That is, to forge a valid report for an event, a larger number of nodes have to be compromised.

Moreover, since denial of service (DoS) attacks can occur as the result of corrupted partial endorsements or discarded true data for the event, authentication alone may not be sufficient. It thus requires that data availability measures be employed in addition to those for authenticity to make the security measures highly resilient to DoS attacks. En-route filtering of false data is vital in saving scarce network resources and in prolonging the life of the network.

Consequently, to achieve security objectives, it is evident that authentication and efficient en-route filtering of data from WSN nodes to one or more Internet users be developed to detect false data injection and to fight against DoS attacks.

Traditional detection mechanisms developed for the Internet usually rely on infrastructure equipment (e.g., firewalls) to filter out distributed denial of service (DDoS) packets, which is deemed to be not adequate for WSNs due to the resource-constrained characteristics of sensor nodes as well as the lack of a comparable infrastructure in WSNs. Meanwhile, current detection mechanisms developed for WSNs rely primarily on the use of predistributed keys shared between sensor nodes and the sink node, which cannot be directly applied to the IoT scenario since the data of the event sensed by cooperative sensor nodes is sent only to one local sink rather than to one or more Internet users who are usually situated in different locations, even in different networks, and who may not be able to establish shared keys with every sensor node to authenticate the event data from a sensor node.

In this paper, we propose a data authentication and en-route filtering (DAEF) scheme to ensure the security of data collection and transmission from WSNs in the context of IoT. In DAEF, we make use of verifiable secret sharing cryptography to distribute the shares based on the most efficient ID-based signature scheme to multiple cooperative sensor nodes. In the case of a node compromise, with the tolerance of an adversary's compromising multiple neighboring nodes in the event area, the event report should be collectively generated, digitally signed, and forwarded to one or more of the intended Internet nodes through multipath routing. The main contributions of this paper are summarized as follows.

(1)

After identifying the security requirements on data collection and transmission from WSNs in the context of IoT, we propose a secure and efficient solution to deal with the security problems which have not been sufficiently dealt with in existing solutions.

(2)

We propose a data authentication and en-route filtering scheme, referred to as DAEF, without requiring the use of any preshared keys between the Internet users and the sensor nodes. Furthermore, not only can the scheme tolerate node compromise attacks, but it can also mitigate the impact of DoS attacks while minimizing energy consumption for the WSNs.

(3)

We analyze some exiting data en-route filtering mechanisms proposed for WSNs with respect to their characteristics and limitations and compare them with DAEF.

(4)

We illustrate how DAEF can be used as a secure and efficient mechanism to counter report disruption attacks to WSNs, a capability that we have not found so far in the literature.

(5)

We conduct performance comparison between DAEF and some comparable schemes to demonstrate DAEF's advantages over those schemes in terms of energy consumption, making DAEF suitable for WSNs.

The rest of this paper is organized as follows. In the next section, we review some related work on data authentication and en-route filtering. In Section 3, we present our proposed scheme, which includes assumptions, threat model and design goals, two preliminaries, and finally the procedure of the scheme. In Section 4, we analyze our proposed scheme in terms of security and performance and compare it to some comparable schemes. Finally, in Section 5, we conclude this paper in which we also discuss some future work.

2. Related Work

2.1. Authentication Frameworks for IoT

There are currently some authentication frameworks for data reports designed specifically for WSNs in the IoT scenario. Oliveira et al. proposed the Secure-TWS scheme to authenticate the communication from a single node to multiple users by using certificate-based signature in which the certification authority (CA) is part of the existing infrastructure in the Internet and, hence, is easy to provide since the Internet users only trust the CA and do not have to allow the CA to impersonate as themselves [3]. When the users receive a data report signed by a sensor node, they download the sensor node's public key and the corresponding certificate from the CA to authenticate the report using signature verification. Yasmin et al. proposed a framework for authenticated broadcast/multicast by the sensor node using the identity-based online/offline signature (IBOOS) scheme [4]. The offline phase performs most of the signature computations to calculate the partial signature which is stored on sensor nodes. Whenever a sensor node reports an event, it performs minor computations to obtain the final signature based on the partial signature stored on it.

The above two schemes can enable all sensor nodes in the WSNs to send messages to report critical situations and allow every node on the path from the sender node to the receiver users to verify and filter out false data as early as possible without using any shared keys. The computation overhead of the first scheme is lower than that of the second, but it requires higher communication cost due to the transmission of certificates.

However, these two schemes do not take into consideration of the existence of compromised nodes that may inject false event data as well as can disrupt the transmission of legitimate event data. Firstly, an event may be reported by a single sensor node which may have been compromised but not yet detected, the false report can get propagated to the users who may then mistakenly take incorrect measures. Secondly, should there be a compromised node in the routes to the Internet users, the users might be misled or might even not be able to receive any messages. Therefore, it is necessary to use multiple surrounding sensor nodes to collectively generate a legitimate data report which should also be forwarded to the Internet users via multipath routing.

2.2. Authentication Based on Symmetric Cryptography in WSNs

In WSNs, the problem of authenticating an event report collected by multiple sensors to the local sink node has attracted a great deal of attention in recent years [5–20]. Most of the schemes achieve the goals through using message authentication codes (MAC) based on symmetric keys. The basic idea is to attach MACs to the event reports and to ensure that a legitimate report must have a certain number of valid MACs. When the event report is forwarded to the sink along a routing path, intermediate nodes can detect and drop a forge report if it does not carry enough number of valid MACs. SEF [5] and IHA [6] are two such schemes for filtering injected false data in WSNs. SEF allows both the sink node and the en-route nodes to authenticate a report that has T MACs generated by a cluster attached to it with a certain probability by using the keys from different partitions in a global key pool. IHA verifies a report that has $T (T = t + 1)$ MACs and one compressed MAC attached that are computed by the cluster lead node in a deterministic and hop-by-hop fashion through using pairwise keys between two upper or lower associated nodes that are T hops away. All the following schemes are based on this T-authentication fashion, but on different technologies to be achieved. In DSF [7], dual key-sharing is used, that is, the random keys sharing and the associated keys sharing, to reduce the number of hops for the forwarded false data. In RAS [8], dynamic authentication tokens from one-way hash chain are used based on a predesigned partition-overlapping key pool scheme. In KAEF [9], a one-way key chain authentication method is used to generate and verify endorsements for transferred data. In STEF [10], the query response operation mode is adopted and the concept of ticket is proposed based on lightweight one-way functions so that messages are only forwarded if they contain a valid ticket that is originally issued by the base station. In PCREF [11], polynomials stored in each node are adopted, including an authentication polynomial and a check polynomial derived from the primitive polynomial, and used for endorsing and verifying the reports. In DEFS [12], the so-called Hill Climbing approach is used to ensure that nodes close to a source cluster hold more keys for the source cluster than those that are further away to balance the network. In GPREF [13], a multiaxis division based approach for deriving location-aware keys is used. In DREF [14], an authentication scheme capable of filtering invalid messages, called CFA [21], and a novel idea of embedding proximity information into a Bloom filter prepared for the query purpose are employed. In EAB [15], an en-route authentication bitmap is developed by using the Bloom filter techniques to build an authentication manifest. In BECAN [16], a bandwidth-efficient cooperative authentication scheme is proposed based on random graph characteristics of sensor node deployment and the cooperative bit-compressed authentication technique. Last, but not the least, in LBRS [17] and LEDS [18], location-based keys are utilized to authenticate a data report to prevent compromised nodes from breaking the entire WSN even though a certain area of the WSN may have been affected.

2.3. Authentication Based on Asymmetric Cryptography in WSNs

Some asymmetric cryptographic schemes, such as CCEF [19], PDF [20], and LTE [22], that rely on signature approaches can enable any report, not just the report that is sent to the sink node, to be authenticated and en-route filtered. Moreover, they do not require any preshared keys. CCEF employs a commutative cipher based on public key cryptography filtering mechanism in which cluster nodes can establish a secret association with the sink on a per-session basis, while the en-route nodes are equipped with a witness key to be used to verify the authenticity of reports without knowing the original session key. PDF leverages Shamir's threshold cryptography and elliptic curve cryptography (ECC) to reject false data packets while LTE makes use of identity-based cryptography (IBC) based on bilinear pairing to bind the private key of each sensor node to both its identity and geographic location.

2.4. Critical Analysis and Comparison of Existing Schemes

Although the existing schemes can effectively perform the functionality of authentication and false data report filtering, there are still some limitations in different aspects, such as key-sharing limitation, T-threshold limitation, node location limitation, static route limitation, lack of tolerance to report disruption attacks, lack of tolerance to selective forwarding attacks, to name a few. The notion of such limitations is discussed below.

(1)

Key-sharing limitation refers to the requirement that every node that generates a report must share key material with the sink.

(2)

T-threshold limitation refers to the situation in which the compromise of more than T-authentication partitions would put the whole WSN in danger. Such a limitation makes the network less resilient to the increase in the number of compromised nodes.

(3)

Node location limitation refers to the requirement that each node be equipped with GPS capability to locate itself since only rough estimation on the location can be achieved for sensor nodes that are not equipped with GPS.

(4)

Static route limitation refers to the reality in which reports get forwarded to a fixed sink along a preestablished path and each en-route node is associated with the source nodes in the event area.

(5)

Lack of tolerance to report disruption attacks refers to the situation in which intentional submission of corrupted partial MACs or signatures by compromised sensor nodes would disrupt the process of data filtering by some sensor nodes on the forwarding route, also called packet pollution attacks or false-endorsement based DoS (FEDoS) attacks [23].

(6)

Lack of tolerance to selective forwarding attacks refers to the situation in which one or more compromised forwarding sensor nodes can drop a legitimate report, also called path-based DoS (PDoS) attacks [24].

Table 1 provides an analysis on the limitations of some of the main existing schemes. We can see from the table that all symmetric key-based schemes exhibit the key-sharing limitation since it is practically infeasible for every remote user to establish a shared key with each and every one of the sensor nodes. Therefore, these symmetric keys based schemes are not suitable for WSNs in the context of IoT. A result, only PDF and LTE that are asymmetric cryptography-based signature schemes can be used for event data authentication and filtering in the IoT scenario. However, PDF suffers from the vulnerability of both report disruption attacks and selective forwarding attacks. Only DREF, LEDS, and LTE can resist report disruption attacks and selective forwarding attacks that result from node compromises in the event area and from the use of a single route from a sensor node to the sink node. The result of the analysis shows that only LTE is applicable to the IoT scenario and can provide some level of tolerance to both types of DoS attacks. Therefore, we will compare our proposed scheme in terms of performance only to LTE at the same security level.

Table 1

Analysis of limitations.

Schemes	Key-sharinglimitation	T-thresholdlimitation	Node locationlimitation	Static routelimitation	Lack of tolerance toFEDoS attacks	Lack of tolerance toPDoS attacks
SEF	Yes	Yes	No	No	Yes	Yes
IHA	Yes	Yes	No	Yes	Yes	Yes
DSF	Yes	No	No	No	Yes	Yes
RAS	Yes	No	No	No	Yes	Yes
KAEF	Yes	No	No	No	Yes	Yes
STEF	Yes	No	Yes	Yes	Yes	Yes
PCREEF	Yes	No	No	No	Yes	Yes
DEFS	Yes	Yes	No	No	Yes	Yes
GPREF	Yes	No	Yes	No	Yes	Yes
DREF	Yes	No	No	No	No	No
EAB	Yes	No	No	Yes	Yes	Yes
BECAN	Yes	No	No	No	Yes	No
LBRS	Yes	No	Yes	Yes	Yes	Yes
LEDS	Yes	No	Yes	Yes	No	No
CCEF	Yes	No	Yes	Yes	Yes	Yes
PDF	No	Yes	No	No	Yes	Yes
LTE	No	No	Yes	No	No	No

2.5. Location-Based Threshold-Endorsement (LTE) Mechanism

Due to its functional capability as well as its applicability to the IoT scenario, we would like to elaborate a little more on the LTE scheme. In LTE, the sensor network is divided into $M * N$ square cells of equal side length r. Each cell is labeled with a pair of integers $〈 m, n 〉$ , where $1 \leq m \leq M$ and $1 \leq n \leq N$ . $〈 X_{0}, Y_{0} 〉$ is the location of the sink. The cell key of cell $〈 m, n 〉$ is $K_{m, n} = k H (m ∥ n)$ where k is the network master secret key. Let $I D_{m, n}^{i}$ denote the ith node with location $l_{m, n}^{i}$ in cell $〈 m, n 〉$ . LTE utilizes the secret sharing technique to assign a share of $K_{m, n}$ to each $I D_{m, n}^{i}$ ; that is, $I D_{m, n}^{i}$ has the share $K_{m, n}^{i}$ .

An event occurs in cell $〈 m, n 〉$ and is detected by $s \geq t$ nodes. The lead node AP in cell $〈 m, n 〉$ chooses a random $α \in Z_{q}^{*}$ and computes $θ = e {(W, W)}^{α}$ to be broadcast to the other detecting nodes. Upon receiving θ, each detecting node $I D_{m, n}^{i}$ endorses the report $Λ$ by computing $U_{m, n}^{i} = K_{m, n}^{i} h (Λ ∥ θ)$ . The node then sends to AP $U_{m, n}^{i}$ encrypted and authenticated with the pairwise key shared with the AP. Once receiving t or more such endorsements, AP would randomly select t endorsers denoted by a set notation Ω which may include itself. AP would then calculate $U_{m, n} = \sum_{i \in Ω} λ_{i} U_{m, n}^{i} = K_{m, n} h (Λ ∥ θ)$ and $Υ_{m, n} = U_{m, n} + α W$ . The final report is $〈 Λ, Υ_{m, n}, h (Λ ∥ θ) 〉$ . Once deriving $U_{m, n}$ , AP verifies its authenticity by checking if equation $e (U_{m, n}, W) = {(v_{m, n}^{(0)})}^{h (Λ ∥ θ)}$ holds, where $v_{m, n}^{(0)} = e (K_{m, n}, W)$ . If the check does not succeed, AP should proceed to verify each received $U_{m, n}^{i}$ by checking if (1) holds. Consider the following:

\begin{matrix} e (U_{m, n}^{i}, W) = \prod_{j = 0}^{t - 1} {(v_{m, n}^{(j)})}^{{(I D_{m, n}^{i} ∥ l_{m, n}^{i})}^{j} \cdot h (Λ ∥ θ)} . \end{matrix}

(1)

If the check succeeds, AP considers node $I D_{m, n}^{i}$ legitimate. AP is therefore able to pinpoint all the endorsers offering false signatures and delete them from Ω.

AP then sends to the sink the final report along a multihop path discovered using a secure multipath routing protocol. Upon receiving a report $〈 Λ, Υ_{m, n}, h (Λ ∥ θ) 〉$ to be forwarded, each intermediate node computes

\begin{matrix} θ^{'} = e (Υ_{m, n}, W) e {(H (m ∥ n), - W_{pub})}^{h (Λ ∥ θ)}, \end{matrix}

(2)

where $W_{pub} = k W$ is a public system parameter. If the report is authentic, then $θ^{'} = θ$ . Therefore, if $h (Λ ∥ θ^{'}) = h (Λ ∥ θ)$ , then an intermediate node would consider the report authentic and hence forward it to the next hop.

However, LTE is not always feasible because it requires that every sensor node be equipped with localization capability, which incurs extra communication overhead as well as latency. Moreover, the bilinear pairing utilized in LTE is too expensive for low energy sensor nodes. In LTE, a data report must be cosigned by t out of T nodes ( $t \leq T$ ) in the event area. Thus, an adversary needs to compromise at least t nodes in order to inject false data. It is worth mentioning, however, that the relationship between t and T is not fully discussed in LTE with respect to dealing with report disruption attacks. From our analysis, we have found that the critical relationship $T - (t - 1) \geq t$ , that is, the maximum number of compromised nodes, that is, $t - 1$ , for the scheme to tolerate false data injection attacks cannot cooperatively cause the report disruption attacks. Thus, we have $T \geq 2 t - 1$ .

3. The Proposed Scheme

In this section, we describe the proposed DAEF, a data authentication and en-route filtering scheme, that can be used to ensure the security of data collection and transmission from WSNs in the context of IoT. In applications to which DAEF can be applied, we assume that a group of sensor nodes are used to monitor an event. In the proposed DAEF, a group ID-based signature is introduced for each event report so that any intermediate node and any Internet user with the identity of the group lead node can easily verify the event report, which easily removes the key-sharing and the T-threshold limitations, while realizing T-authentication to tolerate node compromise attacks without requiring static route and node localization technology. DAEF also employs the verifiable secret sharing algorithm to distribute and verify signature shares in order to defend against report disruption attacks. Last, but not the least, we employ the most efficient ID-based signature algorithm in DAEF to reduce computation overhead that results from signature generation and verification operations. Moreover, a multi-path routing protocol should be used in DAEF to resist selective forwarding attacks.

3.1. Assumptions

We assume that all the sensor nodes in WSNs are deployed uniformly and bootstrapped securely using the scheme proposed in [25] so that the one-hop neighboring sensor nodes can establish pairwise keys and trust relationships to form a network with multi-hop cluster-tree hierarchical topology. Each node establishes and stores a neighbor trust list as shown in Figure 2. We also assume that every event of interest can be detected by multiple, say $T (T > 1)$ , sensor nodes in one group, each group covering a detecting area. Then, the event needs to be reported during which a group of at least $t (T \geq 2 t - 1)$ nearby legitimate nodes should collaboratively agree on the event that will be forwarded to one or more Internet users. In this scenario, T and t are predefined system parameters and are determined by the application requirements. For each group, a lead head is elected and is responsible for collecting and summarizing all the received detection results from detecting nodes in the group, and generating a final report on behalf of the group. This group of neighboring nodes generates and broadcasts the signed report to a lead node which then aggregates the signatures before sending them to one or more Internet users through one or more forwarding nodes.

Figure 2

Neighbor trust list: neighbor ID is the ID of the node's neighbor; short address is the short address of the node's neighbor; shared key is the pairwise key shared between the node and its neighbor; relationship points that the neighbor is the node's father, child, sibling, and so on; hop count is the distance between the node and the edge route, trust value is the computed result making use of the utility value method in a multiple criteria decision making scheme.

Moreover, we assume that the Internet users are determined by the service provider (SP) based on the service provided by the sensor nodes. Take the smart home applications as an example, the detection of fire in a home should be reported to the family members, security guards of the community, and the fire department, while the temperature in the home may be reported to all family members every two hours. The corresponding software code can be preloaded in the sensor nodes prior to deployment. Furthermore, the code can be dynamically updated by using an end-to-end secure communication protocol (referring to [26]).

3.2. Threat Model and Design Goals

An adversary can eavesdrop on all traffic, inject packets, replay older packets, and take full control of the compromised nodes to launch false report injection attacks and DoS attacks. In our model, we assume that most T- $t$ neighboring nodes in an event area can be compromised. Our objective is to design a scheme to detect these attacks for the event report in the IoT scenario. DAEF should achieve the following goals.

(1)

It should not require the establishment of preshared keys between Internet users and sensor nodes (to overcome the key-sharing limitation).

(2)

It should not depend on the localization technology to prevent compromised nodes from breaking the whole WSN (to overcome the T-threshold limitation).

(3)

It should tolerate node compromises in the WSNs even if the locations of the sensor nodes may not be known (to overcome the node location limitation).

(4)

It can mitigate the impact of DoS attacks including report disruption attacks and selective forwarding attacks (to overcome the FEDoS and PDoS attacks).

(5)

It should keep the overhead of communication and computation as low as possible in the WSNs.

3.3. Preliminaries

3.3.1. ID-Based Signature

As discussed above, ECC-based signature (i.e., ECDSA) requires one point multiplication operation to generate a signature and two point multiplication operations to verify a signature. Moreover, authentication of the public key of the signer also requires two point multiplication operations. For an ECC of 160 bites, ECDSA produces a 60-byte signature, resulting in more than a 160-byte message payload (including a 60-byte ECDSA signature and a certificate with at least 100 bytes). With the current state of the art technology, the most efficient ID-based signature (i.e., vBNN [27]) needs one point multiplication operation to sign a message and three point multiplication operations to verify the signature with the length of a signature being 83 bytes. Let us briefly describe the vBNN scheme below.

Given a sensor node $I D_{i}$ , the SP picks a random number $r_{i} \in Z_{q}$ , where the multiplicative group $Z_{q} = [1, \dots, q - 1]$ computes $R_{i} = r_{i} P$ , where P is a large prime, and an elliptic curve $E (F_{p})$ is defined over a finite field $F_{p} = [1,2, \dots, P - 1]$ . Then, SP calculates $S_{i} = r_{i} + x H_{1} (I D_{i} ∥ R_{i})$ in which x is the master key of the WSN picked by SP and $H_{1} : {0,1}^{*} \times G_{1} \to Z_{q}$ , where $G_{1}$ is an additive group of the prime order q. $R_{i}$ and $S_{i}$ are stored in the sensor node $I D_{i}$ .

Given a message $M$ , the signer $I D_{i}$ performs the following steps to sign the message.

(1)

Choose a random number $y \in Z_{q}$ , and compute $Y = y P$ .

(2)

Compute $h = H_{2} (I D_{i} ∥ M ∥ R_{i} ∥ Y)$ and $z = y + S_{i} h$ , where $H_{2} : {0,1}^{*} \to Z_{q}$ .

(3)

$(R_{i}, h, z)$ is the digital signature.

The signer then sends $(M, R_{i}, h, z)$ to the receiver. To verify the message and the signature, the receiver does the following steps.

(1)

Compute $c = H_{1} (I D_{i} ∥ R_{i})$ .

(2)

Check the equation $h = H_{2} (I D_{i} ∥ R_{i} ∥ M ∥ z P - h (R_{i} + c P_{pub}))$ , where $P_{pub} = x P$ is a public parameter.

3.3.2. Verifiable Secret Sharing

Sensor node $I D_{i}$ generates a secret polynomial $f_{S_{i}} (x) = a_{0} + a_{1} x + a_{2} x^{2} + \dots + a_{t - 1} x^{t - 1}$ , where $a_{0}, \dots, a_{t - 1}$ are random numbers picked by the sensor node $I D_{i}$ and the secret key $S_{i}$ can be picked as $S_{i} = a_{0}$ . The secret share of $S_{i}$ for the neighboring node $I D_{j}$ is thus $C_{S_{i}}^{j} = f_{S_{i}} (I D_{j})$ . Then, any t sensor nodes together can reconstruct $S_{i}$ by using Lagrange interpolation $S_{i} = \sum_{j = 1}^{t} l_{j} C_{S_{i}}^{j}$ , where $l_{j} = \prod_{k = 1, k \neq j}^{t} (I D_{k} / (I D_{k} - I D_{j}))$ is the Lagrange coefficient. However, it is computationally infeasible if fewer than t sensor nodes try to reconstruct the secret key $S_{i}$ . All $C_{S_{i}}^{j}$ must be distributed through the secure communication channels. The sensor node $I D_{i}$ broadcasts $ε_{0} = g^{a_{0}}$ and $ε_{n} = g^{a_{n}} (\mod p) (n = 1,2, \dots, t - 1)$ , and every $I D_{j}$ can verify the received $C_{S_{i}}^{j}$ by using the equation $g^{C_{S_{i}}^{j}} = \prod_{k = 0}^{t - 1} {ε_{k}}^{I {D_{j}}^{k}} (\mod p)$ , while $I D_{i}$ can verify the reconstructed $S_{i}$ by using the equation $g^{S_{i}} = ε_{0}$ .

3.4. The Data Authentication and Filtering Scheme

3.4.1. Initialization

During the bootstrapping phase, the lead node in every group distributes the secret share of $S_{i}$ to all group nodes. Specifically, in ith group, the lead node $I D_{i}$ generates a secret polynomial $f_{S_{i}} (x)$ and distributes the secret share $f_{S_{i}} (I D_{j})$ to every group node $I D_{j}$ using the shared key between them. Then, $I D_{i}$ deletes $S_{i}$ and $f_{S_{i}} (x)$ but stores $f_{S_{i}} (I D_{i})$ . Therefore, $I D_{i}$ only needs to be authenticated by any other $t - 1$ group nodes and get $t - 1$ secret shares in order to reconstruct $S_{i}$ .

3.4.2. Report Generation

When an event occurs, the lead node will prepare a report, say, E. To get an agreement on the event from other group nodes, the lead node $I D_{i}$ broadcasts E to all the group nodes and authenticates itself to them. After receiving E, a group node will find the difference between the received E and what it has sensed. If the difference is within a predefined error range, it will agree on E and endorse the signature. These T group members including $I D_{i}$ itself, taking one node $I D_{j}$ as an example, will generate one random polynomial $f_{y_{i}}^{j} (x)$ as shown in (3), in which the share of the random number is $C_{y_{i}}^{j} (k) = f_{y_{i}}^{j} (I D_{k}) (k = 1,2, \dots, T)$ , distribute $C_{y_{i}}^{j} (k)$ to the other sensor nodes $I D_{k}$ , and broadcast $ε_{j_{n}} = g^{{a_{j}}_{n}} (\mod p) (n = 0,1, 2, \dots, t - 1)$ . Consider the following:

\begin{matrix} f_{y_{i}}^{j} (x) = a_{j_{0}} + a_{j_{1}} x + a_{j_{2}} x^{2} + \dots + a_{j_{t - 1}} x^{t - 1} . \end{matrix}

(3)

Note that the distribution of secret shares should be protected using the shared keys between the communicating peers. Therefore, each node will receive no less than $m - 1 (t \leq m \leq T)$ secret shares which should be verified as discussed in Section 3.3.2. For example, $I D_{k}$ should verify $C_{y_{i}}^{j} (k)$ received from $I D_{j}$ according to formula (4). Consider the following:

\begin{matrix} g^{C_{y_{i}}^{j} (k)} = \prod_{n = 0}^{t - 1} ε_{j_{n}}^{I D_{k}^{n}} (\mod p) . \end{matrix}

(4)

During the verification phase, a compromised group member may be detected. If $I D_{j}$ find a corrupted partial secret share sent by a group member, $I D_{j}$ broadcasts the $I D$ of the compromised group member. If more than t members claim that one node has been compromised, each legitimate sensor node can find all compromised group members and no less than t legitimate group members. These m legitimate sensor nodes should use the verified $m - 1$ secret shares and its own share to compute the share of $y_{i}$ , denoted as $y_{i}^{j}$ , shown in (5). Consider the following:

\begin{array}{l} y_{i}^{j} = \sum_{n = 1}^{m} f_{y_{i}}^{n} (I D_{j}) \\ = (\sum_{n = 1}^{m} a_{n 0}) + (\sum_{n = 1}^{m} a_{n 1}) I D_{j} + (\sum_{n = 1}^{m} a_{n 2}) I D_{j}^{2} \\ + \dots + (\sum_{n = 1}^{m} a_{n t - 1}) I D_{j}^{t - 1} . \end{array}

(5)

The secret random number $y_{i}$ is generated from the polynomial $f_{y_{i}} (x) = \sum_{n = 1}^{m} f_{y_{i}}^{n} (x)$ , shown in formula (6), which is endorsed by these m legitimate sensor nodes and $y_{i} = f_{y_{i}} (0)$ . Therefore, no sensor node knows $y_{i}$ , and any t sensor nodes can reconstruct $y_{i}$ using Lagrange interpolation: $y_{i} = \sum_{j = 1}^{t} l_{j} y_{i}^{j}$ , in which $l_{j} = \prod_{n = 1, n \neq j}^{m} (I D_{n} / (I D_{n} - I D_{j}))$ . Consider

\begin{array}{l} f_{y_{i}} (x) = \sum_{n = 1}^{m} f_{y_{i}}^{n} (x) \\ = (\sum_{n = 1}^{m} a_{n 0}) + (\sum_{n = 1}^{m} a_{n 1}) x + (\sum_{n = 1}^{m} a_{n 2}) x^{2} \\ + \dots + (\sum_{n = 1}^{m} a_{n t - 1}) x^{t - 1} . \end{array}

(6)

Each legitimate neighboring node $I D_{j}$ except the lead node $I D_{i}$ sends $l_{j} y_{i}^{j} P$ to $I D_{i}$ which then sums up the received m shares to get $Y_{i} = \sum_{j = 1}^{m} l_{j} y_{i}^{j} P$ and broadcasts $Y_{i}$ along with $R_{i}$ . Each legitimate neighboring node $I D_{j}$ including the lead node $I D_{i}$ computes $z_{j} = l_{j} y_{i}^{j} + l_{j} C_{S_{i}}^{j} h$ , where $h = H_{2} (I D_{i} ∥ E ∥ R_{i} ∥ Y_{i})$ and sends $z_{j}$ to $I D_{i}$ which then sums up $z$ (7). It is possible that some of the neighboring nodes have been compromised during this phase and, thus, may provide the lead node $I D_{i}$ with incorrect signatures. Therefore, $I D_{i}$ should verify their authenticity by checking the equation $Y_{i} = z P - h (R_{i} + c P_{pub})$ where $c = H_{1} (I D_{i} ∥ R_{i})$ . Consider the following:

\begin{matrix} z = \sum_{j = 1}^{m} (l_{j} y_{i}^{j} + l_{j} C_{S_{i}}^{j} h) = \sum_{j = 1}^{m} l_{j} y_{i}^{j} + \sum_{j = 1}^{m} l_{j} C_{S_{i}}^{j} h = y_{i} + S_{i} h . \end{matrix}

(7)

Finally, $I D_{i}$ broadcasts the final data report $(E, R_{i}, h, z)$ and assigns multiple upstream nodes in its neighbor trust list to make the report forwarded to the Internet users through multipath routing. In the cases in which the compromised lead node may either not send the final report or transmit a bogus report with a wrong $(E, R_{i}, h, z)$ , it will be detected by all legitimate group nodes. The verification is the same as the en-route filtering operations to be described in Section 3.4.3. In this case, the legitimate neighboring nodes will randomly elect a new lead node among themselves to generate a new threshold-endorsement and send the final report to the Internet users. The whole report generation procedure is illustrated in Algorithm 1.

Algorithm 1: Report generation procedure.

for (each sensor $I D_{j}$ , $j = 1,2, \dots, T)$

$I D_{j}$ : $C_{y_{i}}^{j} (k) = f_{y_{i}}^{j} (I D_{k}) (k = 1,2, \dots, T)$

$I D_{j} \to I D_{k}$ : $C_{y_{i}}^{j} (k)$

$I D_{j} \to^{*}$ : $ε_{j_{n}} = g^{a_{j_{n}}} (\mod p) (n = 0,1, 2, \dots, t - 1)$

for (each sensor $I D_{j}$ , $j = 1,2, \dots, T$ )

$I D_{j}$ : $g^{C_{y_{i}}^{j} (k)} = \prod_{n = 0}^{t - 1} {ε_{j_{n}}}^{I {D_{k}}^{n}} (\mod p)$

$I D_{j}$ : $y_{i}^{j} = \sum_{n = 1}^{m} f_{y_{i}}^{n} (I D_{j})$

$I D_{j} \to I D_{i}$ : $l_{j} y_{i}^{j} P$

$I D_{i} \to^{*}$ : $Y_{i} = \sum_{j = 1}^{m} l_{j} y_{i}^{j} P, R_{i}$

for (each sensor $I D_{j}$ , $j = 1,2, \dots, m$ )

$I D_{j} \to I D_{i}$ : $z_{j} = l_{j} y_{i}^{j} + l_{j} C_{_{S_{i}}}^{j} h$

$I D_{i}$ : $z = \sum_{j = 1}^{m} (l_{j} y_{i}^{j} + l_{j} C_{_{S_{i}}}^{j} h)$

$I D_{i} \to^{*}$ : $(E, R_{i}, h, z)$

3.4.3. En-Route Filtering of Data Report

We denote $P_{f}$ as the en-route verification probability. The forwarding sensor node verifies the signature of a report with the probability $P_{f}$ which is a predefined system parameter. As discussed in Section 3.3.1, the verifying intermediate node or the final Internet user first computes $c = H_{1} (I D_{i} ∥ R_{i})$ , then checks (8). The data report will be regarded as authentic and forwarded to multiple upstream nodes in their neighbor trust lists if the verification is successful, otherwise, it will be immediately discarded. Consider

\begin{matrix} h = H_{2} (I D_{i} ∥ R_{i} ∥ E ∥ z P - h (R_{i} + c P_{pub})) . \end{matrix}

(8)

4. Analysis

4.1. Security Analysis

4.1.1. Resilience to Node Compromise Attacks

DAEF uses the threshold signature generation to sign any event report. The attacker must know the private key $S_{i}$ and the secret random number $y_{i}$ to forge the signature of $I D_{i}$ by compromising at least t nodes in the event area. In some cases, the lead node itself may have been compromised, resulting in a higher level of risk. However, DAEF does not reveal any $C_{S_{i}}^{j}$ and $y_{i}^{j}$ at any step. Firstly, the initialization phase is secure in which the lead node distributes the shares of $S_{i}$ within a short time after bootstrapping. Secondly, each neighboring node submits $l_{j} y_{i}^{j} P$ rather than $y_{i}^{j}$ , making it impossible for the lead node to derive $y_{i}^{j}$ from $y_{i}^{j} P$ due to the difficulty of solving the elliptic curve discrete logarithm problem (ECDLP). Thirdly, $z_{j} = l_{j} y_{i}^{j} + l_{j} C_{S_{i}}^{j} h$ that is submitted by each neighboring node has two unknown numbers $y_{i}^{j}$ and $C_{S_{i}}^{j}$ , so the lead node cannot derive $y_{i}^{j}$ and $C_{S_{i}}^{j}$ from $z_{j}$ . Finally, should the lead node change the report with a wrong $(E, R_{i}, h, z)$ in the final step, it would be detected by the forwarding nodes as well as by all the legitimate neighboring nodes. These nodes can then elect a new lead node to generate a new threshold-endorsement and send the final report to the Internet nodes. In the worst case, even if the attacker can derive the private key $S_{i}$ by compromising t nodes in the event area, it will not affect any other groups.

4.1.2. Mitigation of Report Disruption Attacks

DAEF leverages verifiable Shamir's secret sharing cryptography described in Section 3.3.2 which has been shown to be secure [28]. In the report generation phase, at least t legitimate sensor nodes cooperatively generate the secret random number $y_{i}$ by exchanging the shares $C_{y_{i}}^{j} (k) = f_{y_{i}}^{j} (I D_{k})$ , which may be disrupted by compromised nodes. For example, an attacker may provide an incorrect share $C_{y_{i}}^{j} (k)$ to a neighboring node so that it will not get the right share $y_{i}^{j} = \sum_{k = 1}^{m} f_{y_{i}}^{k} (I D_{j})$ . However, in DAEF, each node will verify the received shares, detect compromised neighboring nodes, and broadcast the detection result so that only legitimate shares will be used in the $y_{i}^{j}$ and only the shares $z_{j}$ computed by legitimate neighboring nodes can be used by the lead node. Note, however, that if the attacker only distributes the wrong shares to only some of the legitimate neighboring nodes that are able to detect the wrong shares, based on the detected results broadcast by such neighboring nodes, it is not possible for the legitimate neighboring nodes to identify the compromised nodes.

4.1.3. Mitigation of Selective Forwarding Attacks

In DAEF, in order to mitigate selective forwarding attacks, the lead node and the intermediate nodes would forward the final report $(E, R_{i}, h, z)$ to multiple upstream nodes that are in their neighbor trust lists to ensure that the report is forwarded to the Internet users through multipath routing. Unless all the forwarding nodes are compromised, the legitimate report will ultimately be delivered to the destinations. However, this solution will incur high communication overhead. In the worst case in which all the upstream nodes of a forwarding node are compromised, another route path should be used by using a secure multi-path routing protocol in the WSN, such as SPREAD [29], which is out of the scope of this paper.

4.2. Performance Analysis

In this section, we evaluate the performance of DAEF in terms of filtering efficiency, the number of hops that false data can travel, and the ratio of compromised area, which are the main metrics for the evaluation of en-routing filtering schemes [30]. We also analyze and compare DAEF to LTE in terms of computation, communication, and energy consumption. We conducted all experiments in the analysis, evaluation, and comparison by using MATLAB [31] plus some programming in VC⁺⁺ whenever necessary.

4.2.1. General Analysis

First, let us analyze filtering efficiency $P_{h}$ which is defined as the probability of successful filtering of false data within a specified number of hops. Similar to LTE, the probability of false data that can be filtered out within h hops is

\begin{matrix} P_{h} = 1 - {(1 - P_{f})}^{h} . \end{matrix}

(9)

Clearly, the greater the value of $P_{f}$ , the greater the $P_{h}$ can achieve, that is, the better the filtering efficiency. However, a smaller $P_{f}$ can lower the computation overhead of intermediate nodes. Figure 3 shows the filtering efficiency with different $P_{f}$ from which we can see that when $P_{f}$ is 0.5, more than 90% of false reports can be filtering out within 4 hops. Ever for a small $P_{f}$ , say 0.2, less than 11% of false reports can travel over 10 hops. Therefore, for a large WSN which has long forwarding paths, DAEF can efficiently filter out false reports as early as possible to save the energy of legitimate nodes.

Figure 3

The filtering efficiency with different $P_{f}$ .

The number of hops that false data can travel $E (h)$ is defined as the average hops that false data are forwarded before being filtered and dropped, which reflects the filtering effectiveness. Similar to LTE, the average number of hops that a false report is forwarded before being filtered out is

\begin{matrix} E (h) = \sum_{i = 1}^{\infty} i P_{f} {(1 - P_{f})}^{i - 1} = \frac{1}{P_{f}} . \end{matrix}

(10)

The ratio of compromised area $P s$ is defined as the percentage of compromised sensor nodes in the terrain, which reflects the effectiveness of filtering resilience to the increase on the number of compromised nodes. Given that the network size is N and that the average number of nodes in each group is $T$ , when the attacker successfully compromises $N c$ sensor nodes, the probability that no node in an event group is compromised is

\begin{matrix} P_{(0)} = \frac{C_{N - T}^{N c}}{C_{N}^{N c}} . \end{matrix}

(11)

Let $P_{(i)}$ represent the probability that i nodes are compromised in a group. Then,

\begin{matrix} P_{(i)} = \frac{C_{T}^{i} C_{N - T}^{N c - i}}{C_{N}^{N c}} . \end{matrix}

(12)

Therefore, the percentage of compromised nodes is

\begin{matrix} P s = 1 - \sum_{i = 0}^{t - 1} P_{(i)} = 1 - P_{(0)} - \sum_{i = 1}^{t - 1} \frac{C_{T}^{i} C_{N - T}^{N c - i}}{C_{N}^{N c}} . \end{matrix}

(13)

Figure 4 shows the resilience as the number of compromised nodes increases. We can observe that the percentage of compromised groups increases very slowly with an increasing number of compromised nodes when less than 20% of all the nodes are compromised. Even if the number of compromised nodes reaches 200, only 10% of groups are compromised in all the cases except ( $t, T$ ) = ( $3,11$ ) and ( $t, T$ ) = ( $4,11$ ).

Figure 4

The percentage of compromised groups with the increased number of compromised nodes when $N = 1000$ .

4.2.2. Comparison Analysis

We analyze DAEF and LTE in terms of computation cost and communication overhead and then compare them in terms of energy consumption to show the advantages that DAEF has over LTE.

First, we perform the analysis on computation cost. In all the schemes, expensive operations are normally pairing ( $P a$ ), point multiplication ( $P m$ ), and exponentiation ( $Exp$ ). In DAEF, each endorsing sensor node needs to do one point multiplication operation to generate $l_{j} y_{i}^{j} P$ and $T \times t$ exponentiation operations which include t exponentiation operations to generate $ε_{n} (n = 0,1, 2, \dots, t - 1)$ and $(T - 1) \times t$ exponentiation operations to verify $T - 1$ received shares. Thus, the total number of computational operations in an event group is $T * P m + T^{2} t * Exp$ . Meanwhile, each verifying forwarding sensor node needs three point multiplication operations to authenticate an event report. In contrast, in LTE, the number of computational operations in an event group is $2 * P a + (T + 1) * P m + 2 * Exp$ in cases in which no compromised nodes are selected by the lead node but is $(T + 1) * P a + (T + 1) * P m + (T t - t + 2) * Exp$ in the worst case. In addition, each forwarding sensor node needs two pairing operations and one exponentiation operation to authenticate an event report.

For communication overhead, which is defined as the total number of messages generated in an event group, in DAEF, the T sensor nodes have to jointly generate a random number $y_{i}$ for each report, which contributes most to the communication overhead because the private key $S_{i}$ can be distributed during the bootstrapping phase. For a share $y_{i}$ , each sensor node needs to send $T - 1$ secret shares to the $T - 1$ neighboring nodes and broadcast one promise $ε_{n} (n = 0, 1,2, \dots, t - 1)$ and one detection result. In the signature generation phase, each legitimate group sensor node sends $l_{j} y_{i}^{j} P$ and $z_{j}$ to the lead node and the lead node broadcasts $Y_{i}$ along with $R_{i}$ . Thus, the total number of messages required to generate a signature for an event report is $(T + t + 1) T$ . In contrast, in LTE, each endorsing node only needs to send one share $U_{m, n}^{i}$ to the lead node which should broadcast θ. Thus, the total number of messages required to generate a signature for an event report is $T$ .

Note that in the above analysis, we assume that there is no compromised node in any of the event groups. Let us now analyze and compare DAEF to LTE in terms of energy consumption for the whole WSN under the assumption that there is at least one compromised node in an event group at the time of reporting an event, for these two schemes offer a similar level of security and both can deal with report disruption attacks and selective forwarding attacks.

We employ the similar model to LTE when performing analysis and comparison on energy consumption which is determined by communication overhead as well as computation cost. We assume that the sensor nodes have the same capabilities as those of a standard Crossbow's MICA2 mote [32] which has 8-bit ATmegal 128L clocked at about 7.37 MHz microcontroller and complies with the IEEE 802.15.4 standards with data transmission rate of 12.4 kbps. According to [4], completing a 160-bit point multiplication operation of ECC, a pairing operation, and an exponentiation operation consumes 24.3 mJ, 62.73 mJ and 2.81 mJ, respectively. In addition, MICA2 consumes 52.2 μJ, and 19.4 μJ to transmit and to receive one byte, respectively. We assume that the length of the node's ID is 2 bytes, making the lengths of $C_{y_{i}}^{j} (k)$ , $ε_{n}$ , $l_{j} y_{i}^{j} P$ , $z_{j}$ , $Y_{i}$ and $R_{i}$ to be 2t bytes, 20t bytes, 40 bytes, 20 bytes, 40 bytes, and 40 bytes, respectively. The original report is assumed to be 15 bytes, thus allowing us to transmit a report in one data packet. We denote ε as the average number of hops a report travels in the WSNs. For the sake of simplicity, we only consider the single routing path; thus, both schemes involve $ε P_{f}$ en-route filtering operations.

In the analysis, we specify ( $t, T$ ) to be (2,3), (3,5), (4,7), (5,9), and (6,11), respectively, because of the relationship between t and T discussed in Section 2.4. Figure 5 shows the energy consumption for various ε when $P_{f} = 0.2$ under the condition that the number of compromised nodes in the event group is the maximum value $t - 1$ . We can see from the figure that energy consumption in DAEF is lower than that in LTE for (2,3), (3,5), (4,7), and (5,9). However, the difference narrows as the value of T increases until when ( $t, T$ ) is larger than (6,11) where DAEF will consume more energy than LTE. In addition, when ε increases by one hop, the increase in energy consumption in DAEF is about 15 mJ whereas that in LTE is more than 25 mJ. That is because the energy consumption of computation in DAEF that incurs $O (t)$ cost of point multiplication and $O (t^{2} T)$ cost of exponentiation for report generation and three point multiplication operations for report en-route verification is lower than that in LTE that incurs $O (T)$ cost of pairing and $O (t)$ cost of point multiplication as well as $O (t T)$ cost of exponentiation for report generation and two pairing operations and one exponentiation operation for report en-route verification. However, the energy consumption of communication in DAEF for generating $O (t^{2}, T)$ communication cost is higher than that in LTE which only generates $O (t, T)$ communication cost.

Figure 5

Energy consumption for various ε when $P_{f} = 0.2$ .

Figure 6 shows the energy consumption for various $P_{f}$ when $ε = 10$ under the condition that the number of compromised nodes in the event group is the maximum value $t - 1$ . With the same ( $t, T$ ), the difference in energy consumption gets higher as $P_{f}$ increases. This is because one filtering operation requires two pairings and one exponentiation in LTE which incurs more cost of computation, about 128 mJ, than three point multiplications, about 72 mJ, of one filtering operation in DAEF.

Figure 6

Energy consumption for various $P_{f}$ when $ε = 10$ .

Figure 7 shows the energy consumption as the number of compromised nodes increases in an event group when $P_{f} = 0.2$ and $ε = 10$ . We can see from the figure that both DAEF and LTE perform better as the number of compromised nodes increases with the same ( $t, T$ ). This is because the number of legitimate nodes will decrease as the number of compromised nodes increases, hence reducing the computation cost and communication overhead in both schemes. Meanwhile, in DAEF, the larger the value of T is, the larger the difference is for the same ( $t, T$ ). In LTE, however, the reduction in energy consumption becomes less significant as the value of T increases. That is because the change in the communication overhead in DAEF is more than that in LTE in terms of the number of compromised nodes, which can be seen when ( $t, T$ ) = ( $5,9$ ).

Figure 7

Energy consumption with an increasing number of compromised nodes for various ( $t, T$ ) when $P_{f} = 0.2$ and $ε = 10$ .

Figure 8 shows the energy consumption for various parameter t when $P_{f} = 0.2$ and $ε = 10$ under the condition that the number of compromised nodes in the event group is maximum value $t - 1$ . The energy consumption in DAEF is lower than that in LTE except for the values $T \geq 11$ and $t > 4$ . However, the former increases slowly while the latter decreases as t increases. In LTE, regardless of the value of t, the computation cost has little difference, which results from the number of valid shares $U_{m, n}^{i}$ randomly selected by the lead node. Moreover, the larger value of t, the more effective computation and communication get, which reduces the waste of energy. In DAEF, the slowly increasing energy consumption results from the computation and broadcasting of promise $ε_{n} (n = 0,1, 2, \dots, t - 1)$ .

Figure 8

Energy consumption for various t when $P_{f} = 0.2$ and $ε = 10$ .

In conclusion, DAEF outperforms LTE for data authentication and en-route filtering when an event group has a smaller number of nodes and larger number of compromised nodes.

5. Conclusion

In this paper, we proposed DAEF, a new data authentication and filtering scheme, to ensure the security of data collection and transmission from WSNs in the context of IoT. In the scheme, the verifiable secret sharing cryptography is used for the distribution of the shares to multiple neighboring collective sensor nodes based on the most efficient ID-based signature scheme. As long as an adversary does not compromise more than $T$ - $t$ neighboring nodes in an event area, any event report can be collectively generated with a digital signature attached and forwarded via multipath routing to multiple Internet nodes. Analysis on the proposed scheme showed that DAEF can effectively defend against node compromised attacks and DoS attacks in the forms of report disruption attacks and selective forwarding attacks. Quantitative analysis to compare DAEF to the LTE scheme has also been performed in terms of energy consumption in which we showed that DAEF outperforms LTE in terms of energy consumption when fewer numbers of nodes and more numbers of compromised nodes of a group exist in the event group. In the future, we will conduct more experiment in real network settings to verify the results and to further improve the performance in terms of latency in DAEF.

Footnotes

Acknowledgments

The work in this paper has been supported by funding from National Natural Science Foundation of China (61272500) and from Beijing Education Commission Science and Technology Fund (KM201010005027).

References

Kushalnagar

Montenegro

Schumacher

IPv6 over low-power wireless personal area networks (6LoWPANs): overview, assumptions, problem statement, and goals

IETF RFC 2007 4919

Internet Engineering Task Force

Montenegro

Kushalnagar

Hui

Transmission of IPv6 packets over IEEE 802.15.4 networks

IETF RFC 2007 4944

Internet Engineering Task Force

Oliveira

L. B.

Kansal

Gouvêa

C. P. L.

Aranha

D. F.

López

Priyantha

Goraczko

Zhao

Secure-TWS: authenticating node to multi-user communication in shared sensor networks

The Computer Journal 2012 55 4 384 396

2-s2.0-84859306176

10.1093/comjnl/bxr089

Yasmin

Ritter

Wang

An authentication framework for wireless sensor networks using identity-based signatures

Proceedings of the 10th IEEE International Conference on Computer and Information Technology (CIT ′10)

July 2010

Bradford, West Yorkshire, UK

882 889

2-s2.0-78249241819

10.1109/CIT.2010.165

Luo

Zhang

Statistical en-route filtering of injected false data in sensor networks

Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ′04)

March 2004

Hong Kong, China

2446 2457

2-s2.0-3543100577

10.1109/INFCOM.2004.1354666

Zhu

Setia

Jajodia

Ning

An interleaved hop-by-hop authentication scheme for filtering of injected false data in sensor networks

Proceedings of the IEEE Symposium on Security and Privacy

May 2004

Oakland, Calif, USA

259 271

2-s2.0-3543056512

Sun

A double key-sharing based false data filtering scheme in wireless sensor networks

Proceedings of the 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom ′11), 8th IEEE International Conference on Embedded Software and Systems (ICESS ′11), 6th International Conference on Frontier of Computer Science and Technology (FCST ′11)

November 2011

Changsha, China

509 516

2-s2.0-84856205961

10.1109/TrustCom.2011.66

Lin

Liu

Zeng

RAS: a robust authentication scheme for filtering false data in wireless sensor networks

Proceedings of the 15th IEEE International Conference on Networks (ICON ′07)

November 2007

Adelaide, Australia

200 205

2-s2.0-48149096744

10.1109/ICON.2007.4444086

Yuan

Zhang

Zhong

KAEF: an en-route scheme of filtering false data in wireless sensor networks

Proceedings of the IEEE International Performance Computing and Communications Conference (IPCCC ′08)

December 2008

193 200

2-s2.0-62849119348

10.1109/PCCC.2008.4745144

10.

Krauß

Schneider

Bayarou

Eckert

STEF: a secure ticket-based en-route filtering scheme for wireless sensor networks

Proceedings of the 2nd International Conference on Availability, Reliability and Security (ARES ′07)

April 2007

Vienna, Austria

310 317

2-s2.0-34548186480

10.1109/ARES.2007.144

11.

Yang

Lin

Moulema

Zhao

A novel en-route filtering scheme against false data injection attacks in cyber-physical networked systems

Proceedings of the 32nd IEEE International Conference on Distributed Computing Systems

2012

Macau, China

92 101

12.

Guan

A dynamic en-route filtering scheme for data reporting in wireless sensor networks

IEEE/ACM Transactions on Networking 2010 18 1 150 163

2-s2.0-77249083598

10.1109/TNET.2009.2026901

13.

Grouping-based resilient statistical en-route filtering for sensor networks

Proceedings of the 28th Conference on Computer Communications (INFOCOM ′09)

April 2009

Rio de Janeiro, Brazil

1782 1790

2-s2.0-70349653217

10.1109/INFCOM.2009.5062098

14.

C.-M.

C.-S.

Kuo

S.-Y.

Poster abstract: a dos-resilient en-route filtering scheme for sensor networks

Proceedings of the 10th ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc ′09)

May 2009

New Orleans, La, USA

343 344

2-s2.0-70450169460

10.1145/1530748.1530805

15.

Chen

Y.-S.

Lei

C.-L.

Filtering false messages en-route in wireless multi-hop networks

Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC ′10)

April 2010

Sydney, Australia

1 6

2-s2.0-77955028672

10.1109/WCNC.2010.5506127

16.

Lin

Zhu

Liang

Shen

BECAN: a bandwidth-efficient cooperative authentication scheme for filtering injected false data in wireless sensor networks

IEEE Transactions on Parallel and Distributed Systems 2012 23 1 32 43

2-s2.0-82555196697

10.1109/TPDS.2011.95

17.

Yang

Yuan

Arbaugh

Toward resilient security in wireless sensor networks

Proceedings of the 6th ACM International Symposium on Mobile Ad Hoc Networking and Computing (MOBIHOC ′05)

May 2005

Chicago, Ill, USA

34 45

2-s2.0-29844441128

18.

Ren

Lou

Zhang

LEDS: providing location-aware end-to-end data security in wireless sensor networks

Proceedings of the 25th IEEE International Conference on Computer Communications (INFOCOM ′06)

April 2006

Barcelona, Spain

1 12

2-s2.0-36248933437

10.1109/INFOCOM.2006.303

19.

Yang

Commutative cipher based en-route filtering in wireless sensor networks

Proceedings of the IEEE 60th Vehicular Technology Conference: Wireless Technologies for Global Security

September 2004

Los Angeles, Calif, USA

1223 1227

2-s2.0-17144414947

20.

Wang

Achieving robust message authentication in sensor networks: a public-key based approach

Wireless Networks 2010 16 4 999 1009

2-s2.0-77954085269

10.1007/s11276-009-0184-z

21.

C.-M.

C.-S.

Kuo

S.-Y.

A constrained function based message authentication scheme for sensor networks

Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC ′09)

April 2009

Budapest, Hungary

1 6

2-s2.0-70349182882

10.1109/WCNC.2009.4917492

22.

Zhang

Liu

Lou

Fang

Location-based compromise-tolerant security mechanisms for wireless sensor networks

IEEE Journal on Selected Areas in Communications 2006 24 2 247 260

2-s2.0-33144476837

10.1109/JSAC.2005.861382

23.

Krauß

Schneider

Eckert

Defending against false-endorsement-based DoS attacks in wireless sensor networks

Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec ′08)

April 2008

New York, NY, USA

13 23

2-s2.0-56749170948

10.1145/1352533.1352537

24.

Deng

Han

Mishra

Defending against path-based dos attacks in wireless sensor networks

Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN ′05)

November 2005

Alexandria, Va, USA

89 96

2-s2.0-33745969132

10.1145/1102219.1102235

25.

Trust-based mutual authentication for bootstrapping in 6LoWPAN

Journal of Communications 2012 7 8 634 642

26.

Zhang

Xiao

Zhang

Enabling end-to-end secure communication between wireless sensor networks and the internet

World Wide Web 2013 16 4 515 540

27.

Cao

Kou

Zeng

Dang

Identity-based anonymous remote authentication for value-added services in mobile networks

IEEE Transactions on Vehicular Technology 2009 58 7 3508 3517

2-s2.0-69549116775

10.1109/TVT.2009.2012389

28.

Feldman

A practical scheme for non-interactive verifiable secret sharing

Proceedings of the 28th Annual Symposium on Foundations of Computer Science

1987

427 438

29.

Lou

Liu

Fang

SPREAD: enhancing data confidentiality in mobile ad hoc networks

Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ′04)

March 2004

Hong Kong, China

2404 2413

2-s2.0-4444237581

10.1109/INFCOM.2004.1354662

30.

Lin

Yang

Towards effective en-route filtering against injected false data in wireless sensor networks

Proceedings of the 2011 IEEE Global Telecommunications Conference

December 2011

Houston, Tex, USA

1 5

2-s2.0-84857224628

10.1109/GLOCOM.2011.6134278

31.

Chapra

Applied Numerical Methods W/MATLAB: For Engineers & Scientists 2011 3rd

New York, NY, USA

McGraw-Hill Science

32.

Crossbow

MICA2

http://www.xbow.com/Products/Product_pdf_files/Wireless_pdf/MICA2_Datasheet.pdf

On the Security of Data Collection and Transmission from Wireless Sensor Networks in the Context of Internet of Things

Abstract

1. Introduction

2. Related Work

2.1. Authentication Frameworks for IoT

2.2. Authentication Based on Symmetric Cryptography in WSNs

2.3. Authentication Based on Asymmetric Cryptography in WSNs

2.4. Critical Analysis and Comparison of Existing Schemes

2.5. Location-Based Threshold-Endorsement (LTE) Mechanism

3. The Proposed Scheme

3.1. Assumptions

3.2. Threat Model and Design Goals

3.3. Preliminaries

3.3.1. ID-Based Signature

3.3.2. Verifiable Secret Sharing

3.4. The Data Authentication and Filtering Scheme

3.4.1. Initialization

3.4.2. Report Generation

Algorithm 1: Report generation procedure.

3.4.3. En-Route Filtering of Data Report

4. Analysis

4.1. Security Analysis

4.1.1. Resilience to Node Compromise Attacks

4.1.2. Mitigation of Report Disruption Attacks

4.1.3. Mitigation of Selective Forwarding Attacks

4.2. Performance Analysis

4.2.1. General Analysis

4.2.2. Comparison Analysis

5. Conclusion

Footnotes

Acknowledgments

References