The Novel Authentication Scheme Based on Theory of Quadratic Residues for Wireless Sensor Networks

Abstract

Being one of the main technologies for Internet of Things (IoT), wireless sensor network is absolutely critical and plays an increasingly important role in the development of Internet of Things. Wireless sensor network is mobile network composed of sensor nodes with limited resources, like computation capability, energy, memory storage, and communication capability. Its characteristic results in that the security of wireless sensor network faces a great challenge. Hence, the security of wireless sensor network is an important issue for the development of IoT and shall be focused on. In this paper, a novel authentication scheme is proposed for wireless sensor networks based on theory of quadratic residues. It is making the use of master key to achieve simple symmetric cryptographic primitives and authentication operation and reach the aims of great resistance against the attacks and low energy consumption. Then the proposed scheme is compared with other network-wide key management schemes, obtaining better results in the aspects of security, efficiency, and scalability.

1. Introduction

The future Internet, designed as “Internet of Things (IoT),” is foreseen to be a wide world network of interconnected objects which is uniquely addressable in various types of communication networks [1]. Internet of Things will lead to great influence and opportunities to change and improve people's lives and pushes the technologies in various areas developing rapidly. Playing an important role in the future developments of IoT, wireless sensor network can collect the information in the surrounding environments and process and transmit the data to the Internet. It is an important data resource for IoT and the development of IoT cannot be lack of wireless sensor network's support. Such a technology endows the WSN a new perspective and challenge. Therefore, wireless sensor network is more and more popular and important in technologies and applications of IoT. However, wireless sensor network is composed of small, lightweight, inexpensive sensor nodes. In the system, those sensor nodes have limited resources, like low computation capability, limited energy, limited memory storage, and narrow bandwidth [2, 3]. Meanwhile, it is usually deployed in untrusted and unsecure areas where communication is needed but there are no steady communication infrastructures or those infrastructures are absent. Therefore, we not only pay our attention to making wireless sensor networks useful, manageable, efficient, and feasible, but also focus on the improvement of security.

Security plays an important role in the wireless sensor networks' technologies [4–8], because sensor nodes are deployed mostly in hostile and tactical scenarios. Due to the nature of wireless sensor networks, they must face lots of great challenges about the security, such as limited resource of sensors, wireless transmission nature, and low resistance to attacks, which will result in that adversaries can easily eavesdrop the data transmission, impersonate other users, inject bogus data, and alter contents of legitimate messages. So the administrators must adopt effective measures to keep the security of WSNs, such as data confidentiality, data integrity, privacy, and authentication.

Therefore, authentication mechanisms need to be implemented to protect sensor nodes from various malicious attacks. While the WSN is running, when a user wants to join the WSN, it needs to be first authorized by the nodes in the WSN so that accessing the network illegally does not happen. Therefore, in recent years many researchers pay more attention to key management and authentication for WSN and make good achievements in the research field. A lot of novel, safe, and efficient authentication protocols are proposed in recent years, such as C. T. Li, M. S. Hwang and Y. P. Chu's scheme [9, 10], Das's schemes [11], and Dressler's scheme [12].

1.1. Threat Model

Due to the nature of wireless sensor network, it is vulnerable to resource consumption attacks and usually not resistant to those attacks, which facilitates physical manipulation and key material stealing. Few of the attacks are of the most concern for WSN [13] and are listed as follows.

(1) Physic Attack. Sensor nodes are usually deployed in hostile environment and exposed easily to physical intrusion with the adversary. Physic attack is gaining access to nodes' memory to extract the master key of legitimate sensor nodes in the network [14, 15].

(2) Node Capture Attack. In a WSN, an attacker can capture sensor nodes and extract desired information from nodes' memories or obtain access to the network. Once a set of sensor nodes is under the control of the attacker, this attacker has the capability of eavesdropping private information of the nodes and recovering cryptographic and authentication key [16–18].

(3) Denial-of-Service Attack. In a WSN, a denial-of-service attack (DoS attack) is an attempt to make a sensor node unavailable to its intended users [19–22]. The attackers will try to send external authentication requests to sensor nodes and want them to respond to those requests, such that it cannot respond to legitimate requests or responds so slowly as to be rendered effectively unavailable or use up the sensor nodes' energy and make authenticators cannot work normally. It prevents the sensor nodes from being authenticated by a legitimate authenticator and makes the authentication scheme not work.

(4) Reply Attack. An attacker can eavesdrop on the conversation between the claimant and the authenticator and retransmit the message to the legitimate authenticator as being authentic. It leads to legitimate access for the attackers into the network and no response to the claimant so that the authentication scheme cannot work normally.

(5) Impersonation Attack. Attackers can masquerade as legal nodes to be authenticated or authenticate others by intercepting and falsifying data and thereby gain illegal advantages.

1.2. Our Contributions

This paper aims to propose a novel authentication scheme based on quadratic residues for wireless sensor networks, which is utilizing the master key to calculate the authentication key chains. Our proposed scheme is to achieve simple key management and to provide an authentication operation for the user access to the network. It utilizes the master key to generate pairwise keys in initialization and key setup phase and then erases the master key from the memory and does not need master key during the normal operation of the network anymore. In addition, proposed authentication model has a good resistance to those attacks which are of the most concern for WSN. Therefore, a security analysis has been given to demonstrate that proposed scheme can withstand the previously mentioned attacks and have good scalability. Meanwhile, we make a simple summary and analysis of energy consumption and find it have better performance compared with other schemes.

1.3. Organization of Our Paper

The rest of the paper is organized as follows. In Section 2, we reviews and describes exiting related works. In Section 3, an improved authentication scheme is proposed based on quadratic residues. Security analysis and performance evaluation are provided in Section 4. Our conclusions are presented in Section 5.

2. Related Works

This section introduces two types of previously published work: master-key-based key management protocols and authentication schemes based on quadratic residue. Those protocols make important contributions in this area and have been discussed widely.

2.1. Master-Key-Based Key Management Protocols

SPINS is a suit of security protocols optimized for wireless sensor networks [8, 23]. It is presented to achieve data confidentiality, two-party data authentication, evidence of data freshness and authenticated broadcast for severely resource-constrained environments. In SPINS, it is assumed that there is a trusted third party in the network and each node shares its master key with this trusted third party. Thus, the trusted third party has the capability of achieving the authentication and generating pairwise keys for nodes. When two nodes want to establish a pairwise key to make a communication with each other, they must ask trusted third party to guarantee the legality of each other. BROSK is an energy efficient master-key-based key management protocol [24]. In the protocol each node establishes a pairwise key with its neighbors by broadcasting key negotiation messages instead of being authenticated through the trusted third party. Once one node receives a key negotiation message, it can construct the shared pairwise key with who broadcasts this message by generating the MAC. Both protocols are proposed based on master key however, they do not take the security of master key into consideration, because it is vulnerable to physical attacks in two protocols. Once the attackers extract the master keys, they can obtain all the information of key management to compromise the whole network. Zhu et al. [25] proposed the Localized Encryption and Authentication Protocol (LEAP) which utilizes four types of keys for each sensor node. These are used for different purposes and ranges. (1) Individual key is shared between each node and base station. (2) Pairwise key is shared between a node and its neighbor node. (3) Group key is shared by all nodes in the network. (4) Cluster key is a key between a node and its all neighbor nodes. Among four types of keys, pairwise key is more important and its security guarantees the security of LEAP. However, Kim et al. [26] pointed out that in LEAP, the entire network will suffer a severe loss if the initial master key is exposed to an attacker during key setup. So they propose a quick key establishment to improve the security of LEAP. Our proposed scheme will avoid this drawback and be perfectly resistant to those attacks.

2.2. Authentication Scheme Based on Quadratic Residue

Recently Chen et al.'s scheme [27] is proposed to achieve mutual authentication based on hash function and quadratic residues assumption for RFID system. The scheme is utilizing direct indexing for each tag's authentication and avoiding servers' brute search. In condition, Chen et al.'s scheme has the capability of having good resistance to those attacks and resolution to security problems, like TID anonymity, individual location privacy, replay attack, mutual authentication and DOS attack. Soon after Chen et al.'s scheme is proposed, Yeh et al. [28] demonstrate the weaknesses of that scheme in their work and present an improved scheme to avoid those already existing problems. According to the description of Yeh et al.'s work, Chen et al.'s authentication scheme is vulnerable to impersonation attack. In condition, Chen et al.'s scheme cannot effectively resist location privacy and replay attack. So Yeh et al.'s scheme makes an additional supplement of Chen et al.'s scheme and utilizes the number generated by the tags to add in the session between the tags and the server. The solution obtains a good effect in the authentication scheme and makes it invulnerable to impersonation attack.

Two schemes described previously are proposed based on quadratic residue however, they are both specific to RFID system and not suitable for WSN system. RFID system does not take the security of master key into consideration. And the common attacks in two systems are different so that we need to improve the authentication scheme invulnerable to those common attacks in WSN system. On the other hand, the relationship between the server and the tags in RFID system is one-to-many; in other words, the tags must be authenticated by one server. However, that is different in WSN system and each legal and authenticated sensor node should have the capability of authenticating the new nodes who want to join the network. Our proposed scheme will consider those drawbacks in detail and solve those problems.

3. Proposed Authentication Scheme

In the system, it is assumed that there is not a trusted server and each sensor node directly negotiates a session key with neighboring nodes and uses the master key to authenticate itself with its neighbors. And there are three phases in this paper: key predistribution phase, network deployment phase, and authentication phase. While the authentication protocol is operating, there are authentication messages exchanged among the nodes to be used for pairwise key generation and new node authentication. That message packets format used within the network is shown in Figure 1. The meanings of those acronyms in the Figure 1 are as follows: SRC, source address; DST, destination address; LEN, message length; MT, message type; AM, authentication message. When a node broadcasts its randomly selected number or begins the authentication operation, it will send the message packet to other neighboring nodes.

Figure 1

Message packet structure of our authentication protocol.

On the clarity and conveniences of this paper, the representations are listed in the following. (i)

$k_{M}$ is the network-wide master key.

(ii)

$h (M)$ is the hash function of message M and $h_{K}$ (M) is the hash function of message M with key K.

(iii)

$h^{i} (M)$ is represented as that message M is hashed i time without key K.

(iv)

$h_{K}^{i} (M)$ is represented as that message M is hashed i time with key K.

(v)

$k_{auth}^{j}$ is the authentication key of jth cycle authentication.

(vi)

$C_{i}^{j}$ is ith tuple of jth cycle authenticator.

Then a detailed description for those phases is shown in the following.

3.1. Key Predistribution Phase

Key predistribution phase is carried out before the nodes deployed in the network, because a network-wide symmetric master key $k_{M}$ is preloaded and stored in each node and is needed to generate a session key for the authentication. In proposed scheme, a mechanism is defined as the authenticators that authenticate the nodes and make the nodes access the network legally. In fact, the authenticator is essentially the especial counter, which records the number and progress of those authenticated nodes. Each legal node in the network has its own authenticator. It is calculated with the value of tuple and cycle in the node. Each authenticator is composed of a set of numbers, including l tuples of random numbers in current cycle and the results of hash function with authentication key over those numbers. Once a new node has been authenticated successfully by a legal node, the value of tuple in this legal node is incremented and this tuple of current cycle authenticator is closed and never used. If the authentication fails, the authenticator in this tuple of current cycle remains open. When a node runs out of n tuples of current cycle in this authenticator, it shall generate a new set of l tuples in the next cycle authenticator set.

The symbol $C_{i}^{j}$ is expressed as ith tuple of jth cycle authenticator. The authenticator is initialized in each node as 0th cycle authenticator before network deployment and denoted by $C_{i}^{0}$ . Master key is assigned to the value of authentication key in 0th cycle authenticator. Authentication key and authenticator set in 0th cycle are calculated:

\begin{matrix} k_{auth}^{0} = h^{0} (k_{M}) = k_{M} \\ C_{i}^{0} = {(r_{i}, h_{k_{auth}^{0}} (r_{i}))} = {(r_{i}, h_{k_{M}} (r_{i}))}, i = 0,1, \dots, l - 1, \end{matrix}

(1)

where

r_{i}

is one of l tuples of random numbers in current cycle and 0th cycle authenticator is composed of

r_{i}

and hash function of

r_{i}

with authentication key

k_{auth}^{0}

The authentication key is changed with the cycle increasing and the authenticator set in current cycle is removed after new authenticator set in next cycle is generated by the node.

3.2. Authenticator Update

In this section, the process to update authentication key and authenticator set for ith tuple of jth cycle is introduced in the following. (1)

Update current authentication key to a new one with hash functions, getting

\begin{matrix} k_{auth}^{j + 1} = h (k_{auth}^{j}) = h^{j + 1} (k_{auth}^{0}) = h^{j + 1} (k_{M}) . \end{matrix}

(2)

Calculate new authenticator for ith tuple of next cycle with newly updated authentication key $k_{auth}^{j + 1}$ :

\begin{matrix} C_{i}^{j + 1} = {(r_{i}, h_{k_{auth}^{j + 1}} (r_{i}))}, i = 0,1, \dots, l - 1 . \end{matrix}

(3)

Obtain the new key:

\begin{array}{l} [k_{auth}^{j + 1} = h^{j + 1} (k_{M}), C_{i}^{j + 1} = {(r_{i}, h_{k_{auth}^{j + 1}} (r_{i}))}], \\ i = 0,1, \dots, l - 1 . \end{array}

(4)

3.3. Network Deployment Phase

The nodes in the network are deployed randomly in the environment during the beginning of this phase. The network structure of WSN is shown in Figure 2. The nodes in the WSN are divided into various clusters. Then the nodes will find their neighboring nodes in their cluster and exchange session messages with neighboring nodes to initialize the network after the deployment. The details are listed in the following.

Figure 2

The network structure of WSN.

(1) Update session key: each node updates its session key from 0th cycle to 1st cycle of authenticator and generates the session key. Session key for each node is including authentication key and authenticator for current cycle. The session key shall be updated as authentication key in first cycle authenticator after the deployment. For example, session key of node A in ith tuple is $[k_{M}, C^{0} = (r_{i}, h_{k_{M}} (r_{i}))]$ in initialization phase, and then it is replaced by $[k_{auth}^{1} = h (k_{M}), C^{1} = (r_{i}, h_{k_{auth}^{1}} (r_{i}))]$ .

(2) Generate pairwise keys: after authentication key is updated, each node randomly selects a random number to generate pairwise keys with neighboring nodes based on master key. The generation is shown in Figure 3. In Figure 3, node A has 8 neighboring nodes and broadcasts the message $M_{A}$ to those neighboring nodes. Then each node broadcasts its own random number with neighboring nodes for a short period of time. Setting the reasonable period of time is to keep the attackers who listen to random number broadcasting from overhearing and intercepting in this step [29]. For example, node A randomly selects a number $r_{A}$ and broadcasts the number to the neighboring node B. Broadcasted message $M_{A}$ is ${ID}_{A} | r_{A} | {[{ID}_{A} | r_{A}]}_{K_{M}}$ , including node A's ID, the random number $r_{A}$ , and the encryption values of ${ID}_{A}$ and $r_{A}$ with master key $k_{M}$ . Node B also broadcasts its message $M_{B} = {ID}_{B} | r_{B} | {[{ID}_{B} | r_{B}]}_{K_{M}}$ to neighboring nodes. When node A receives the node B's message, node A can generate the pairwise key $K_{A B} = {[r_{A} | r_{B}]}_{K_{M}}$ with node B. So each node utilizes received random number to generate a list of pairwise keys of its neighboring nodes. After pairwise keys list is established, the master key is erased from memory and replaced by authentication key. Authentication key is changing with the time of hash function changing, which could eliminate the risk of storing master key.

Figure 3

The generation of pairwise keys between nodes.

(3) After the deployment of the network, each node stores a series of keys, including its own encryption key, a list of pairwise keys of its neighboring nodes, its authentication key, and its session key in first cycle authenticator.

Following the previously steps, each node could begin to communicate with its neighboring nodes using pairwise key. In addition, each node is capable of authenticating new node that tries to join the network and confirming whether new node is a legal and permitted user.

3.4. Authentication Protocol Phase

During the authentication operation, node A is assumed as a new node that wants to join the network and stores network-wide master key, its 0th cycle authenticator. Node B is selected as a decision maker to confirm if node A is legal user. Node A must pass the authentication of node B, while node A shall also judge node B not to be a compromised and hostile user. The whole procession is a two-way authentication and they must authenticate each other.

(1) Node A randomly selects a number $r_{A}$ and sends a message $M_{1}$ including this random number to node B:

\begin{matrix} M_{1} = r_{A} . \end{matrix}

(5)

$(2)$ Node B receives the message $M_{1}$ from node A and makes the following calculation and operation.

Step 1.

Generate a pairwise key $k_{A B}$ shared with node A.

Step 2.

Select a random number t and choose ith tuple random number $r_{i}$ , and obtain authentication key $k_{auth}^{j}$ and jth cycle authenticator:

\begin{matrix} C_{i}^{j} = {(r_{i}, h_{k_{auth}^{j}} (r_{i}))} . \end{matrix}

(6)

Step 3.

Calculate the values of $x = h (k_{auth}^{j}) \oplus r_{A} \oplus r_{i} \oplus t$ and $y = r_{i} \oplus t$ with current authentication key in jth cycle.

Step 4.

Compute the quadratic residue of x, $r_{i}$ , and t to hide those numbers to guarantee the security not to be revealed during the transmission: $X = x^{2} \mod n$ , $R = ({r_{i}}^{2} \mod n) \oplus t$ , and $T = t^{2} \mod n$ .

Step 5.

Send the message $M_{2}$ encrypted by pairwise key $k_{A B}$ to node A, including X, R, T, hash function of x, y, t with authentication key $k_{auth}^{j}$ and the current cycle of authenticator, j:

\begin{matrix} M_{2} = h_{k_{auth}^{j}} (x), h_{k_{auth}^{j}} (y), h_{k_{auth}^{j}} (t), j, X, R, T . \end{matrix}

(7)

(3) Node A receives the message $M_{2}$ from node B and performs the following operations.

Step 1.

Update current cycle authenticator with this message and compute authentication key from current cycle to jth cycle with hash function: $k_{auth}^{j} = h^{j} (k_{M})$ .

Step 2.

Calculate x and t based on the parameters X and T in message $M_{2}$ , obtaining the group $(x_{1}, x_{2}, x_{3}, x_{4})$ and $(t_{1}, t_{2}, t_{3}, t_{4})$ . Then node A compares $h_{k_{auth}^{j}} (x_{p}), h_{k_{auth}^{j}} (t_{p})$ with $h_{k_{auth}^{j}} (x)$ and $h_{k_{auth}^{j}} (t)$ in $M_{2}$ , where $p = 1, 2, 3, 4$ . Finally, node A obtains the values of x and t.

Step 3.

Determines the value of $r_{i}$ with the values of R, t, and y. Firstly, obtain all the possible values of $r_{i}$ , like the group $(r_{i 1}, r_{i 2}, r_{i 3}, r_{i 4})$ . Next, compare $h_{k_{auth}^{j}} (r_{i p} \oplus t)$ with $h_{k_{auth}^{j}} (y) = h (r_{i} \oplus t)$ , where $p = 1, 2, 3, 4$ , and confirm the value of $r_{i}$ .

Step 4.

Authenticate whether node B is a legal user. At first, calculate the authentication key of node B: $k_{auth}^{'} = x \oplus r_{A} \oplus r_{i} \oplus t$ . Then compare $k_{auth}^{'}$ with $k_{auth}^{j}$ and make the following decision for node B. (1) If $k_{auth}^{'} \neq k_{auth}^{j}$ , node A will consider node B to be a comprised node and could not authenticate node B successfully. Node A will terminate this authentication operation with node B and wait for a certain time period to start another authentication process with other nodes. (2) If $k_{auth}^{'} = k_{auth}^{j}$ , go to next step to calculate and send response message to node B.

Step 5.

Generate a response message, showing $x_{response} = k_{auth}^{'} \oplus r_{i} \oplus t$ . Then response message $M_{3}$ is sent to node B:

\begin{matrix} M_{3} = x_{response} . \end{matrix}

(8)

(4) Node B receives message $M_{3}$ and judges whether node A is a legal node. Calculate $x^{'} = k_{auth}^{j} \oplus r_{i} \oplus t$ , compare $x_{response}$ with $x^{'}$ , and make the authentication. If $x_{response} \neq x^{'}$ , node A should not be authenticated unsuccessfully by node B. Otherwise, node A is verified by node B as a legal user. Then update the values of tuple i and cycle j. If all l tuple authenticators in jth cycle run out, the value of cycle j shall be incremented to $j + 1$ ; that is, a new cycle authenticator is starting. Therefore, there are two possible conditions listed in the following.

If all l tuples of random number in jth cycle authenticator run out, update j and authentication key $k_{auth}^{j}$ to $j + 1$ and $k_{auth}^{j + 1}$ . The jth authenticator $C_{i}^{j} = {(r_{i}, h_{k_{auth}^{j}} (r_{i}))}$ is replaced by $C_{i}^{j + 1} = {(r_{0}, h_{k_{auth}^{j + 1}} (r_{0}))}$ . If there also remain other tuples of random numbers in jth cycle authenticator, ith tuple of random number $r_{i}$ is updated to another tuple of random number $r_{e}$ , where $e \in {0,1, \dots, l - 1}$ . The authenticator $C_{i}^{j} = {(r_{i}, h_{k_{auth}^{j}} (r_{i}))}$ is replaced by $C_{e}^{j} = {(r_{e}, h_{k_{auth}^{j}} (r_{e}))}$ .

Then the whole authentication operation is shown in Figure 4.

Figure 4

The authentication protocol.

4. Security Analysis and Performance Evaluation

In this section we make the security analysis and performance evaluation of our scheme and compare it with other schemes, like SPINS [8, 23], BROSK [24, 30], LEAP [25], KMS [26], and LWAS [31]. The reason why we choose those schemes is that all the schemes are based on network-wide key. The comparisons of various security attributes among our scheme and other works are listed in Table 1, while the performance comparisons are revealed clearly in Table 2.

Table 1

Security comparisons.

Scheme	Nodeauthentication	Node revocation	Node capture attack	Secrecy	Forwardsecrecy	Replayattack	DoSattack	Physicalattack	Impersonationattack	Overallsecurity
SPINS	Yes	Very difficult: revocation of master key	No	Yes	No	Yes	Yes	No	No	Low
BROSK	Yes	Very difficult: revocation of master key	No	Yes	No	Yes	Yes	No	No	Low
LEAP	Yes	Easy: delete the key	No	Yes	No	Yes	Yes	Yes	No	Medium
KMS	Yes	Easy: delete the key	Yes	Yes	No	Yes	Yes	Yes	No	Medium
LWAS	Yes	Easy: delete the key	Yes	Yes	Yes	Yes	Yes	Yes	No	High
Ours	Yes	Easy: delete the key	Yes	Yes	Yes	Yes	Yes	Yes	Yes	High

Table 2

Security comparisons.

Scheme	Scalability	Computation cost	Communication overhead	Energy consumption
SPINS	No	PRF	$n \cdot (2 L_{ID} + 2 L_{NONCE} + 3 L_{MAC})$	High
BROSK	Yes	H + PRF	$L_{ID} + L_{NONCE} + L_{MAC}$	Low
LEAP	Yes	2H + 2PRF	$L_{ID} + L_{NONCE} + L_{MAC}$	Low
KMS	Yes	2H + PRF	$L_{ID} + L_{NONCE} + L_{MAC}$	Medium
LWAS	Yes	H +PRF	$L_{ID} + L_{NONCE}$	Low
Ours	Yes	H + PRF	$L_{ID} + L_{NONCE}$	Low

4.1. Security Analysis

As we all know for this area, there are a certain number of attacks [14, 15] and security issues to be ubiquitous and inevitable in wireless sensor networks. Then our proposed authentication scheme will be proved to be resistant to those most common attacks in Section 4.1.

Secrecy. Due to good protection for transmitted data, the resident data $(r_{i}, j, k_{auth}^{j}, C_{i}^{j})$ in the nodes could not be retrieved during the communication. Only the legal nodes could get the related data x, $r_{i}$ , t by using the theory of quadratic residues. Even if the attackers get the data x, $r_{i}$ , t, $k_{auth}^{j}$ , they could not obtain the master keys of those nodes because of one-way property of the hash function. And x, $r_{i}$ , t, $k_{auth}^{j}$ will be modified with beginning next round of the authentication operation and the data retrieved by those attackers could not make sense for next authentication. Hence, secrecy for our authentication scheme is guaranteed.

Forward Secrecy. The data transmitted between applicant and decision maker is well protected so as to be obtained difficultly by the adversary from the transmission. To prove forward secrecy of our authentication scheme, we assume that the attacker compromises the decision maker and obtains the data in this decision maker. Let the decision maker's current data be $(r_{i}, j, k_{auth}^{j}, C_{i}^{j})$ . The value of $r_{i}$ is selected randomly for each cycle by decision-maker and we could not use current value of $r_{i}$ to derive the value in previous cycle so that the attacker is not able to track the previous authentication. According to the value of $k_{auth}^{j} = h (k_{auth}^{j - 1})$ and $C_{i}^{j} = {(r_{i}, h_{k_{auth}^{j}} (r_{i}))}$ , the value of $k_{auth}^{j - 1}$ is not exposed to the attacker, because hash function is one way only and the values of the hash are unique for the hashed message. Meanwhile, the master key $k_{M}$ is erased after the deployment phase and attackers could not use the value of j to obtain authentication key of each cycle. Therefore, attackers will not be able to find the previous authentication data using the current data $(r_{i}, j, k_{auth}^{j}, C_{i}^{j})$ .

Resistance to Node Capture Attack. Sensor nodes in most applications are mostly deployed in public or hostile environment. Most nodes are low cost and not tamper resistant. Therefore, the adversary may have the capability of taking physical control of nodes undetectably and compromise the cryptographic keys. As a result, this type of attack [16–18, 30] is considered as the main threat and the resistance against node capture is regarded as an important criterion to protect the security of the network. The performance of the resistance toward node capture is evaluated in the work [30] by H. Chan, A. Perrig, and D. Song. They calculate the fraction of total network communications that are compromised by a capture of x nodes not including the communications in which the compromised nodes are directly involved. By utilizing this method, we could get the performance of our scheme's resistance against node capture. This metric shows our scheme's resistance against this attack is pretty good, because those nodes erase their master keys before the authentications begin and then the capture of nodes could not obtain any information, like mater keys and authentication keys of next cycle, about the links that are directly involved.

Resistance to Physical Attacks. In proposed scheme, nodes' master keys are erased after the deployment of the network. So there are no master keys in those nodes before the authentication phase. Sensor nodes deployed in public or hostile environment must be exposed easily to physical intrusion with the adversary. However, due to the erased master keys, those nodes are vulnerable to physical attacks [14, 15] and the information in them is unrelated to direct linked nodes.

Resistance to Replay Attack. In proposed scheme, both the decision-maker and applicant generate a random number during the authentication. The random number generated by node B is added to the session tokens $x_{response}$ responded by node A. The session token of each authentication procession is different for the randomly selected number. If the adversary is eavesdropping on the authentication conversation between node B and node A, the data transmitted is intercepted by the adversary during the procession. However, the data intercepted could not be sent to answer the session token $x_{response}$ in the next requested authentication and not be utilized to impersonate the legal user to pass the authentication and join the network.

Resistance to Denial-of-Service Attack. This type of attack, which is described in works [19–22] in detail, is ubiquitous in wireless sensor network and proposed scheme has an effective resistance against this type of attack. The adversary will try to continue to send the request messages to the authenticators and receive the authenticators' response. But their goal of those actions is to use up the authenticators' energy and make the authenticators set cannot work normally. So those adversaries do not respond to the reply or supply the authenticators' incorrect replies after they request the authentication procession. If the authenticators could not have any measures to protect themselves and make the resistance to DoS attack, they will exhaust their energy and have no ability of working normally. The attack could be resistant by utilizing a timing controller to check the responding time. If an authenticator's reply has not be responded correctly in a certain time period, it is releasing this authentication procession, becoming a free authenticator again and available to other authentication claimants. The threshold of responding time could be updated according to the state of the in-progress attack. If the authenticator releases authentication procession to one claimant for a certain number of times, the claimant will be marked as untrusted user and could not be authenticated by the authenticators set in a future period.

Resistance to Impersonation Attack. The applicant node A and the decision maker B authenticate each other with the master key and authenticators. Only the legal applicant node A has master key and calculates the right authenticator and synchronizes its authenticator with node B. Meanwhile, only node A has the value of p and q and is able to obtain the correct x, $r_{i}$ , t according to Chinese Remainder Theorem. So those guarantee node A to pass the node B's authentication. To avoid attackers impersonating node A to pass the authentication of node B, node A sends a random number $r_{A}$ to node B, while node B's response is calculated with the random number $r_{A}$ . If the attackers impersonate node A to transmit another number to node B, node B will find node A's response $x_{response}$ in $M_{3}$ is wrong, because $x_{response}$ is calculated with random number and master key and attackers do not have right master key. In addition, node A could judge whether the response in $M_{2}$ is right or wrong by using its master key so that node A could exclude those attackers to impersonate node B. Thus, proposed scheme will be of great resistance against impersonation attack.

After the analysis is discussed, the comparisons in the security of our scheme are summarized with others in Table 1. It is concluded in Table 1 that security levels of our scheme and LWAS are highest, followed by LEAP and KMS. SPINS and BROSK schemes are in lowest security in the comparisons. In addition, our scheme has great resistance against impersonation attack and is more secure than LWAS scheme.

4.2. Performance Evaluation

The performance evaluation for wireless sensor network is very important due to sensor nodes' limited resource. So the analysis of energy consumption is key point in the performance evaluation for wireless sensor network.

As we all know, energy consumption of the security in wireless sensor network is mainly divided into two types: communication overhead and computation cost. However, it is concluded from previous and recent works that communication overhead plays a more important role in energy consumption than computation cost and accounts for a significantly larger part of energy consumption. For example, most of energy cost of adding SPINS protocol to wireless sensor network arises from communication and transmission overhead of extra data for security protocol rather than from computation cost. According to the work [8, 23], transmission cost is increased for SPINS protocol by 98%, while the MAC and encryption computation cost just only account for 2%. Thus, deceasing data transmission for security protocols and minimizing the communication overhead as soon as possible are one of the design goals for security protocols.

In this paper, the number of transmitted messages is utilized to make the evaluation of energy consumption, which is approximately equal to real energy consumption. We set the network in a certain area of 500 m × 500 m and deployed n sensors. Let us randomly select one node for analyzing the size of exchanged messages and estimating the communication overhead. At first, the lengths of different types of messages shall be defined: $L_{ID}$ , $L_{NONCE}$ , $L_{KEY}$ , and $L_{MAC}$ are the length of node ID, nonce, symmetric keys, and MAC, respectively. In addition, it is assumed that each node has n neighboring nodes in the network. Because the nodes exchange the messages with a trusted third party during the pairwise key establishment, the length of exchanged messages for those security protocols is significantly larger than others, which is expressed as $n \cdot (2 L_{ID} + 2 L_{NONCE} + 3 L_{MAC})$ . For BROSK, LEAP, and KMS protocols, node ID, nonce, and MAC need to be broadcasted to establish pairwise keys with neighboring nodes so that the size of transmitted messages is $L_{ID} + L_{NONCE} + L_{MAC}$ . Compared with the protocols previously, the establishment of pairwise keys just needs to broadcast node ID and nonce, so that the size of transmitted messages in LWAS and our proposal is $L_{ID} + L_{NONCE}$ . From the analysis of the size of transmitted messages, we can conclude that transmission cost of LWAS and our proposal is lowest in those protocols.

Besides analyzing communication overhead of those protocols, computation cost is also a part of estimating energy consumption, which is listed in Table 2. From the result in Table 2, it is concluded that computation cost of SPINS protocol is lowest, followed by BROSK, LWAS, our proposal, and others because the nodes in SPINS protocol are just only needed to generate a nonce and other computations are done by a trusted third party. Summarizing the previously analysis, our proposal's energy consumption that is proportional to communication overhead is lower than others except LWAS protocol. In addition to lower energy consumption, guarantying the network scalable is also an important design goal. In SIPINS, pairwise keys are established by exchanging the messages with a trusted third party. Hence, the scale of the network in SPINS is not too large, or a lot of collisions will be generated in this network and the performance is degrading with the network running. Nodes in other protocols are only exchanging messages with neighboring nodes and are independent of network size. So proposed scheme scales very well with the size of the network and achieves good scalability for the network.

5. Conclusion

Being an important part of IoT, the security of wireless sensor networks should be focused on greatly. As wireless sensor networks are generally deployed in unsecured and untrusted areas, the transmitted data is vulnerable to all kinds of intrusions, like eavesdropping, interception, and modification. Those intrusions threaten the security and privacy of the users in the whole network and propose a great challenge for the development of wireless sensor network and IoT.

In this paper, our scheme is proposed to utilize the master key to achieve key management and the authentication operation based on quadratic residue for wireless sensor network, which is to provide the protection of the master key and offer the new users legal access to the network. It has a perfect resistance against those attacks which are of the most concern for WSN and achieves higher level of the security. Meanwhile, its energy consumption is in a lower position in comparison with other schemes. Therefore, it is concluded that our scheme achieves key management and node authentication, protects the node from a series of attacks which has reached a higher point in the security, and has very little increase in energy consumption.

Footnotes

Acknowledgments

This research is partly supported by National Natural Science Foundation of China under Grants 61071076, National High-Tech Research and Development Plans (863 Program) under Grants 2011AA010104-2, and the Academic Discipline and Postgraduate Education Project of Beijing Municipal Commission of Education.

References

Internet of Things in 2020: Roadmap for the Future

2008, http://www.smart-systems-integration.org/public/internet-of-things

Akyildiz

I. F.

Sankarasubramaniam

Cayirci

A survey on sensor networks

IEEE Communications Magazine 2002 40 8 102 105

2-s2.0-0036688074

10.1109/MCOM.2002.1024422

Yick

Mukherjee

Ghosal

Wireless sensor network survey

Computer Networks 2008 52 12 2292 2330

2-s2.0-46449122114

10.1016/j.comnet.2008.04.002

Giruka

V. C.

Singhal

Royalty

Varanasi

Security in wireless sensor networks

Wireless Communications and Mobile Computing 2008 8 1 1 24

2-s2.0-38149062124

10.1002/wcm.422

Perrig

Stankovic

Wagner

Security in wireless sensor networks

Communications of the ACM 2004 47 6 53 57

2-s2.0-4243082091

10.1145/990680.990707

Chen

H. H.

Security in wireless sensor networks

IEEE Wireless Communications 2008 15 4 60 66

2-s2.0-49749084392

10.1109/MWC.2008.4599222

Wang

Attebury

Ramamurthy

. Securing wireless sensor networks: a survey

IEEE Communications Surveys Tutorials 2006 10 3 2 23

Perrig

Szewczyk

Tygar

J. D.

Wen

Culler

D. E.

SPINS: security protocols for sensor networks

Wireless Networks 2002 8 5 521 534

2-s2.0-0036738266

10.1023/A:1016598314198

C. T.

Hwang

M. S.

Chu

Y. P.

An efficient sensor-to-sensor authenticated path-key establishment scheme for secure communications in wireless sensor networks

International Journal of Innovative Computing, Information and Control 2009 5 8 2107 2124

2-s2.0-69949155644

10.

C. T.

Hwang

M. S.

Chu

Y. P.

A secure and efficient communication scheme with authenticated key establishment and privacy preserving for vehicular ad hoc networks

Computer Communications 2008 31 12 2803 2814

2-s2.0-46749099079

10.1016/j.comcom.2007.12.005

11.

Das

A. K.

Improving identity-based random key establishment scheme for large-scale hierarchical wireless sensor networks

International Journal of Network Security 2012 14 1 1 21

12.

Dressler

Authenticated reliable and semi-reliable communication in wireless sensor networks

International Journal of Network Security 2008 7 1 61 68

13.

Kavitha

Sridharan

Security vulnerabilities in wireless sensor networks: a survey

Journal of Information Assurance and Security 2010 5 1 31 44

14.

Benenson

Cholewinski

P. M.

Freiling

F. C.

Vulnerabilities and attacks in wireless sensor networks

Wireless Sensors Networks Security 2008

Lansdale, Pa, USA

IOS Press

22 43 Cryptology & Information Security Series (CIS)

15.

Kwon

Park

S. H.

Experimental study on wireless sensor network security

Intelligence and Security Informatics 2006 3975 741 743 Lecture Notes in Computer Science

10.1007/11760146_114

16.

Tague

Poovendran

Modeling node capture attacks in wireless sensor networks

Proceedings of the 46th Annual Allerton Conference on Communication, Control, and Computing

September 2008

IEEE Press

1221 1224

2-s2.0-64549111325

10.1109/ALLERTON.2008.4797699

17.

Tague

Poovendran

Modeling adaptive node capture attacks in multi-hop wireless networks

Ad Hoc Networks 2007 5 6 801 814

2-s2.0-34248339107

10.1016/j.adhoc.2007.01.002

18.

Eschenauer

Gligor

V. D.

A key-management scheme for distributed sensor networks

Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ′02)

November 2002

ACM Press

41 47

2-s2.0-0038341106

19.

Wood

A. D.

Stankovic

J. A.

Denial of service in sensor networks

Computer 2002 35 10 54 62

2-s2.0-0036793924

10.1109/MC.2002.1039518

20.

Raymond

D. R.

Midkiff

S. F.

Denial-of-service in wireless sensor networks: attacks and defenses

IEEE Pervasive Computing 2008 7 1 74 81

2-s2.0-38349154579

10.1109/MPRV.2008.6

21.

Bellardo

Savage

802.11 denial-of-service attacks: real vulnerabilities and practical solutions

Proceedings of USENIX Security Symposium

2003

Washington, DC, USA

15 28

22.

Liu

Chu

C. H.

Analysis of area-congestion-based DDoS attacks in ad hoc networks

Ad Hoc Networks 2007 5 5 613 625

2-s2.0-33947309586

10.1016/j.adhoc.2006.04.002

23.

Perrig

Szewczyk

Wen

Culler

Tygar

J. D.

SPINS: security protocols for sensor networks

Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MobiCom ′01)

July 2001

ACM Press

189 199

2-s2.0-0034771605

24.

Lai

B. C. C.

Hwang

D. D.

Kim

S. P.

Verbauwhede

Reducing radio energy consumption of key management protocols for wireless sensor networks

Proceedings of the International Symposium on Lower Power Electronics and Design (ISLPED ′04)

August 2004

ACM Press

351 356

2-s2.0-16244391794

25.

Zhu

Setia

Jajodia

LEAP: efficient security mechanisms for large-scale distributed sensor networks

Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ′03)

October 2003

62 72

2-s2.0-10044284351

26.

Kim

Y. H.

Lee

D. H.

Lim

A key management scheme for large scale distributed sensor networks

4217

Proceedings of the IFIP TC6 11th International Conference (PWC ′06)

2006

Springer

437 446 Lecture Notes in Computer Science

27.

Chen

Chou

J. S.

Sun

H. M.

A novel mutual authentication scheme based on quadratic residues for RFID systems

Computer Networks 2008 52 12 2373 2380

2-s2.0-46749130059

10.1016/j.comnet.2008.04.016

28.

Yeh

T. C.

C. H.

Tseng

Y. M.

Improvement of the RFID authentication scheme based on quadratic residues

Computer Communications 2011 34 3 337 341

2-s2.0-78751649779

10.1016/j.comcom.2010.05.011

29.

Anderson

Chan

Perrig

Key infection: smart trust for smart dust

Proceedings of the 12th IEEE International Conference on Network Protocols (ICNP ′04)

October 2004

IEEE Press

206 215

2-s2.0-17744386714

30.

Chan

Perrig

Song

Random key predistribution schemes for sensor networks

Proceedings of IEEE Symposium on Security and Privacy

May 2003

IEEE Press

197 213

2-s2.0-0038487088

31.

Delgado-Mohatar

Fúster-Sabater

Sierra

J. M.

A light-weight authentication scheme for wireless sensor networks

Ad Hoc Networks 2011 9 5 727 735

2-s2.0-79952574261

10.1016/j.adhoc.2010.08.020