Sage Journals: Discover world-class research

Abstract

In recent years, the adaptation of wireless sensor networks (WSNs) to application areas requiring mobility increased the security threats against confidentiality, integrity, and privacy of the information as well as against their connectivity. Since key management plays an important role in securing both information and connectivity, a proper authentication and key management scheme is required in mobility enabled applications where the authentication of a node with the network is a critical issue. In this paper, we present an authentication and key management scheme supporting node mobility in a heterogeneous WSN that consists of several mobile sensor nodes and a few fixed sensor nodes. We analyze our proposed solution by using the OMNET++ simulator to show that it requires less memory space and provides better connectivity and network resilience against node capture attacks compared to some existing schemes. We also propose two levels of secure authentication methods for the mobile sensor nodes for secure authentication and key establishment.

1. Introduction

The wireless sensor network (WSN) was initially considered to be used for military applications but the popularity of WSN, because of its small size, low cost, and being easy to deploy and manage, makes it used in a variety of applications. This opens a door to new research challenges to the research community. Since sensor nodes are usually deployed in possibly remote and unattended locations, they are definitely prone to security attacks. Hence to secure the network operation and securely gather and forward the information, security threats and their countermeasures should be considered at design time in terms of both requirements and implementation techniques. However, such tasks are not trivial due to the limited energy, computation, memory, and bandwidth resources available in sensor nodes. Fundamentally, any practical WSN security countermeasure must be, on the one hand, secure enough to satisfy the initial requirements and, on the other hand, lightweight enough not to interfere with normal WSN operations.

The design of security algorithms considering the homogeneous sensor networks where all nodes have the same capabilities (memory, radio range, computational power, battery life, etc.) was the first step to secure sensor networks. However, some research work has shown, both theoretically [1–3] and through simulation experiments and test bed measurements [4], that homogeneous sensor networks have high communication and computation overheads and high storage requirements and suffer from severe performance bottlenecks. Hence, recent research work [5–9] introduced heterogeneous sensor networks, which consists of a small number of powerful high-end sensors (H-sensors) and large number of low-end sensors (L-sensors). To achieve better performance and scalability, H-sensors have more resources in terms of energy, computation power, storage capacity, and transmission power, and so forth compared to L-sensors. However, both H-Sensors and L-sensors are still highly vulnerable in nature and are exposed to several security threats and particularly prone to physical attacks. Thus, proper security mechanisms should be applied to protect these nodes against specific attacks including Denial of Service (DoS) attacks, Sybil attacks, compromised node attacks, node replication attacks, and physical tampering. Physical attacks become even more troublesome when the nodes are mobile and the possible intruder can more easily target them. Most security features to provide secure communication and authentication essentially rely on encryption. Nevertheless, encryption is not possible in such a distributed environment without adequate key management mechanisms. For this reason, the adoption of a suitable key management scheme plays a central role in the definition of a secure WSN.

1.1. Key Ideas of the Proposed Approach

A key management scheme for heterogeneous wireless sensor network is proposed to overcome the scalability issues by providing almost 100% network connectivity, reducing memory cost while increasing the network resilience against attacks, and reducing communication overhead to save the energy and increase of network lifetime.

Hence, a novel key management scheme for heterogeneous sensor networks suitable for scenarios with partial mobility is presented. The proposed solution relies on two types of keys: authentication keys and secret communication codes used to generate secret keys whenever needed. The key material is assigned to the different nodes of the network by adopting adequate key predistribution mechanisms. The remaining of the paper is organized as follows. Section 2 presents existing work. Section 3 describes the proposed key management scheme, while in Section 4 a performance analysis and evaluation of the proposed scheme is provided based on simulations results. Section 5 describes the security analysis of the proposed scheme, and finally conclusions are provided in Section 6.

2. Related Work

To make a system secure, cryptography is considered as one of the important security blocks which helps in implementing many security features. However, the management of these cryptographic keys has always been a challenging task.

To secure wireless sensor networks, Perrig et al. [10] proposed SPINS, in which there is a secure central entity called server which is responsible for establishing a key among the sensor nodes. Before the network deployment, each node is assigned a secret key while its corresponding key is assigned to the base station. Each sensor node needs to authenticate itself to the server (base station) during the initialization phase using the assigned key. Since it is based on centralized base station approach, two sensor nodes can only establish a secret key through its centralized trusted base station. However, the failure of base station severely affects the performance of network because of the existence of single centralized entity (base station).

To overcome the abovementioned issue, a randomly key distributed approach is proposed by Eschenauer and Gligor [7]. In this scheme, there is no centralized entity like a base station for key distribution and management. Each node in the network is assigned a set of randomly selected keys from a large key set. Since the keys are distributed randomly, the two communicating nodes need to have at least one common key in their sets for secure communication. However, the nonexistence of a common key in their sets affects the network connectivity but it improves the network security against node capturing attacks. To further improve the network security, sharing of at least q-keys concept for establishing a secret key is introduced by Chan et al. [11]. This scheme improves the network security but it further degrades the network connectivity and increases the memory requirements. But the prior knowledge of node's deployment in the network helps in increasing the network connectivity and reduces the memory requirements [12] combined with Rabin's scheme [13]. The use of Rabin's scheme makes the approach computationally expensive. Hence to achieve better security and network connectivity with less memory requirements with low computational cost, NPKPS scheme is proposed by Zhang et al. [14] for wireless sensor networks.

The above described approaches are suitable for the static networks only. Because introducing node's mobility needs to increase the size of assigned key set which increases the memory requirements. Hence to reduce the memory cost, a level-based key management scheme for multicast communication is proposed by Kim and Ramakrishna [15] while a two-layered dynamic key management for clustered based wireless sensor networks is presented by Chuang et al. [16].

The management of secret keys (MASY) protocol is presented by Maerien et al. in [17] which is based on the trust assumption among the networks managers/base stations. When a node enters into an unknown networks, it can establish a secret key with the new network's manager/base station using the trust relationship assumption among the networks managers/base stations.

To further improve the network connectivity and reduce the memory requirements of the symmetric key distribution approaches, Du et al. [9] present an asymmetric key predistribution (AP) approach. Du sensor network model consists of two different types of nodes making it heterogeneous sensor networks (HSNs). This assumption significantly increases the network connectivity and reduces memory requirements compared to the existing symmetric key management approaches. Nodes with high capabilities act as cluster head and are assigned m keys, while nodes with low capabilities act as normal nodes and are assigned l keys, where $m ≫ l$ . This assumption increases the network resilience against node capturing attacks. Lu et al. [18] propose a framework for key management schemes in distributed peer-to-peer wireless sensor networks with heterogeneous sensor nodes and show by simulation that heterogeneity results in higher connectivity and higher resilience. Du et al. [19] propose a routing-driven key management scheme for heterogeneous wireless sensor networks, based on Elliptic Curve Cryptography (ECC), which provides better security with significant reduction of memory overhead. However, the prior knowledge of nodes deployment in the network further improves the network connectivity and resilience by reducing the memory cost [20].

Network Model. The considered network model is a Heterogeneous Sensor Network (HSN) composed of H-sensors, that is, powerful nodes and L-sensors, that is, having limited capabilities. More specifically, H-sensors and L-sensors have different computational resources, available storage capacity, and battery lifetime, but we assume that all nodes use the same transmission power and have the same transmission rate. In addition, a Base Station (BS) acts as a reference sink node in HSNs and as a gateway offering connectivity towards other types of networks. With respect to mobility, H-sensors have the role of fixed nodes (FNs) thus defining, along with the BS, a sort of fixed WSN infrastructure, while L-sensors are considered as mobile nodes (MNs). The virtual network organization is shown in Figure 1. From the security point of view, sensor nodes are allowed to communicate only after being authenticated by the network and having established a communication key with the peer node.

Figure 1

Virtual network architecture.

In this proposed network architecture, the base station and the fixed nodes are more powerful than mobile nodes, hence given the responsibility to play an important role in the authentication and key management. More specifically, the fixed nodes act as cluster heads (CHs) while the mobile nodes act as cluster members. The selection of cluster head by the mobile node is based on the received signal strength of fixed nodes. Since the fixed nodes and mobile nodes are using the same transmission power, a MN may come in the coverage range of transmission of more than one fixed node. Hence a mobile node selects a fixed node with the highest signal strength as its cluster head.

To introduce the mobility in the network, we use a realistic mobility model in the OMNET++ simulator. The considered mobility model for the proposed scheme is the random way-point model [21]. This model ensures that all the targeted destinations are equiprobable. Each node in the network is given (1) its initial deployed location, (2) target location, (3) velocity, and (4) time duration for taking a random decision. Once the timer expires, the node randomly chooses next location as a target and keeps its velocity constant and starts its journey toward the new selected target location in the given area. When it arrives to the new location, it repeats the process again. However, the selection of a target location in a given scenario is based on a uniform distribution.

Here we describe a list of abbreviations used in the proposed solution:

CH: cluster head,

MN: mobile node,

FN: fixed node,

$K P_{main}$ : main large key pool,

$K P_{FN}$ : subkey pool for fixed nodes,

$K P_{MN}$ : subkey pool for mobile nodes,

K_plc: public key,

K_prt: private key,

prand(): prime number generator,

AUTH: authentication code,

PRM: generated prime number,

SP_MN: scalar product of a mobile node,

SP_FN: scalar product of a fixed node,

SCC: secret communication code.

3. Proposed Scheme

The proposed key management scheme is built on top of the above network model to provide effective authentication and dynamic key establishment. The key material is generated at the BS. More specifically, a large key pool $K P_{mail}$ is created and then divided into two subkey pools $K P_{FN}$ and $K P_{MN}$ such that $K P_{FN} \cap K P_{FN} = \emptyset$ .

The key pool $K P_{FN}$ is used by the FNs of the network while the key pool $K P_{MN}$ is used by the MNs of the network for the secret key establishment. For authentication purposes, Elliptic Curve Cryptography (ECC) is used during the initialization phase for key generation. Three different phases have been taken into account: (1)

key predistribution to the different sensor nodes, that is, FNs and MNs;

(2)

node authentication;

(3)

communication key establishment among the nodes within the network.

Further details will be provided in the following subsections. Furthermore, Figure 2 presents a graphical description of all the operations foreseen in the proposed solution.

Figure 2

Overview of the proposed key management scheme.

3.1. Key Predistribution

As already mentioned, in our proposed scheme, the key material is organized at the BS in a large key pool $K P_{main}$ which is then randomly divided into key pool $K P_{FN}$ and into key pool $K P_{MN}$ such that $K P_{FN} \cap K P_{MN} = \emptyset$ . Now each FN i is assigned a randomly selected key pool $K P_{F N_{i}}$ from the key pool $K P_{FN}$ where $K P_{{FN}_{i}} ≪ K P_{FN}$ and contains $| K P_{{FN}_{i}} |$ keys while each MN j is assigned a randomly selected key pool $K P_{{MN}_{j}}$ from the key pool $K P_{MN}$ where $K P_{{MN}_{j}} ≪ K P_{MN}$ and contains $| K P_{{MN}_{j}} |$ keys. Since these two key pools are disjoint, $K P_{{FN}_{i}} \cap K P_{{MN}_{j}} = \emptyset$ . These assigned key pools will be used by the FNs and by the MNs for the establishment of a secret communication key using the assigned key generation algorithm.

Concerning the authentication key material, each FN and each MN are assigned an elliptic curve $E (a, b)$ over a finite Galois field $F (G)$ and a base point G along with a unique authentication code $AUTH$ . Each FN and each MN are also assigned an ECC-based public/private key pair ( $K_{plc}, K_{prt}$ ) and a prime number generator ( $prand ()$ ).

As previously described, FNs and the BS compose the fixed infrastructure of the overall heterogeneous sensor network; they are powerful devices and are responsible for the authentication and key management services offered to the MNs. In order to maintain the availability of these services and to avoid the full network being compromised by attackers, a higher level of security is thus required for FNs and the BS. As a consequence, the authentication of FNs to the network and the communication between the FNs and between a FN and the BS will be based on a standard ECC-based private/public key mechanism. Accordingly, each FN has its own private key and the public key of the BS and of all the other FNs of the network. At the same time, the BS has the public keys of all the FNs.

All the previously introduced key material is transferred to each node of the network by means of secure side channels. Then, after this predistribution phase, the specific key material assigned to each type of node of the network is as follows: (i)

the BS owns all the key material that needs to be predistributed (plus, as already described, the public key of each FN);

(ii)

each FN i has been given $E (a, b)$ , G, and ${AUTH}_{i}$ for authentication purposes and key pool $K P_{{FN}_{i}}$ for communication key establishment;

(iii)

each MN j has been given $E (a, b)$ , G, and $AUT H_{j}$ for authentication purposes and $K P_{{MN}_{j}}$ for communication key establishment.

3.2. Node Authentication

After the deployment and key predistribution phase, each FN of the network broadcasts periodic Hello messages. This mechanism enables each FN to fill a table with all neighboring MNs. These Hello messages include the FN ID and a random nonce signed by the FN's private key. Upon the reception of those Hello messages, each MN selects a FN as its cluster head (CH), for example, the one with the highest signal strength, after the verification of Hello message by using the FN public key. Since Hello message verification is a part of the authentication phase, at this point the authentication phase among the FNs and the MNs can start. To this aim, each ${MN}_{j}$ authenticates the Hello message of the selected ${FN}_{i}$ as a CH as follows. First ${MN}_{j}$ uses the ${FN}_{i}$ ID and generates a prime number ${PRM}_{{FN}_{i}}$ using the prime number generator prand()

\begin{matrix} {PRM}_{{FN}_{j}} = prand ({ID}_{{FN}_{i}}) . \end{matrix}

(1)

After the generation of

{PRM}_{{FN}_{i}}

, the

{MN}_{j}

generates the public key of the

{FN}_{i}

using the scalar multiplication as

\begin{matrix} K_{plc} = ({PRM}_{{FN}_{i}} + {ID}_{{FN}_{i}}) \cdot G . \end{matrix}

(2)

Then the

{MN}_{j}

can verify the Hello message signature. Successful verification of the Hello message signature authenticates the CH, that is,

{FN}_{i}

to the

{MN}_{j}

. The MN then calculates the scalar product of the assigned authentication code

{AUTH}_{j}

and its private key K_prt as

\begin{matrix} {SP}_{{MN}_{j}} = ({AUTH}_{j} + {ID}_{{MN}_{j}}) \cdot K_{prt} . \end{matrix}

(3)

Then the

{MN}_{j}

sends a joining request including its ID,

{SP}_{{MN}_{j}}

, and the nonce it had received from the CH back to its selected CH, all signed by its private key. After receiving the

{MN}_{j}

's joining request message, the

{FN}_{i}

first authenticates

{MN}_{j}

before registering it as a trusted cluster member. The

{FN}_{i}

follows the same procedure as the

{MN}_{j}

did to check the authenticity of the received messages. First the

{FN}_{i}

uses the

{MN}_{j}

ID and generates a prime number

{PRM}_{{MN}_{j}}

using the prime number generator prand()

\begin{matrix} PR M_{M N_{j}} = prand (I D_{M N_{j}}) . \end{matrix}

(4)

After the generation of

PR M_{M N_{j}}

, the

F N_{i}

generates the public key of the

M N_{j}

using scalar multiplication as

\begin{matrix} K_{plc} = (PR M_{M N_{j}} + I D_{M N_{j}}) \cdot G . \end{matrix}

(5)

After the generation of the

M N_{j}

public key, the

F N_{i}

verifies the joining message signature. Successful verification and reception of the correct nonce ensure that the

M N_{j}

is an authentic mobile node belonging to the network. The CH registers this

M N_{j}

into its authentic MN member list and calculates the scalar product of

AUT H_{i}

and its private key as

\begin{matrix} S P_{F N_{i}} = (AUT H_{i} + I D_{F N_{i}}) \cdot K_{prt} . \end{matrix}

(6)

Finally the CH generates an authentication certificate for this MN using

S P_{M N_{j}}

and

S P_{F N_{i}}

\begin{matrix} Authentication Certificate = S P_{M N_{j}} \cdot S P_{F N_{i}} \mod G . \end{matrix}

(7)

The CH sends

S P_{F N_{i}}

to the

M N_{j}

which is used in the secret key generation and for the authentication certificate generation.

3.3. Communication Key Establishment

Once the MN and CH/FN authenticate each other successfully, the key establishment phase starts. During this phase, the MN sends one of its secret communication codes $SC C_{1}$ , randomly selected from $K P_{MN}$ and encrypted by the CH public key to its CH as described above. The CH also selects randomly another secret communication code $SC C_{2}$ from its pool $K P_{FN}$ and sends it to the corresponding MN. After the reception of this secret code by the MN, the MN and the FN both have the same $SC C_{1}$ and $SC C_{2}$ . Now the MN and the FN use $SC C_{1}$ , $SC C_{2}$ , $S P_{M N_{j}}$ and $S P_{F N_{i}}$ to generate secret key using standard approach defined in [22] as

\begin{matrix} Secret Key = SC C_{1} \cdot SC C_{2} \mod (S P_{M N_{j}} \cdot S P_{F N_{i}}) . \end{matrix}

(8)

Once a secret key is established between the CH and each MN, the CH has assigned a Shared Secret Code (SSC) to its all member MNs. This shared secret code is updated both periodically and when a MN compromission is detected. Since the MNs move in the network to perform their duties, they may need to establish a secure communication link also with neighboring MNs, possibly very frequently due to their movement within the network. In order to keep track of their neighboring MNs, each MN broadcasts a short range Hello message to know about its neighboring MNs. To establish a secret key with a neighboring MN, both MNs will share their secret communication code IDs assigned to them as

K P_{MN}

. Now both the MNs will find the maximum number of shared codes with one another and will generate a secret key using all of them as

\begin{matrix} Secret Key = \prod_{l = 1}^{f} ‍ SC C_{1 l} \mod SSC, \end{matrix}

(9)

where “f” represents the total number of common secret communication codes. Since the distributions of the

SC C_{1}

codes to the MNs is random and probabilistic, two neighboring MNs might not have any secret communication code in common. In this case, to avoid any discontinuity, the MNs will use the assigned Shared Secret Code (SSC) from their common CH and their IDs to establish a secret key with its neighboring MNs. For example, if

M N_{m}

wants to establish a secret key with

M N_{n}

but these two nodes do not have any common secret communication code (SCC), then they establish a secret key by first calculating and sharing L and K with each other as

\begin{matrix} L = prand (I D_{M N_{n}}) \cdot S P_{M N_{m}} \cdot AUT H_{m} \cdot SSC \mod G, \end{matrix}

(10)

\begin{matrix} K = prand (I D_{M N_{m}}) \cdot {SP}_{{MN}_{n}} \cdot {AUTH}_{n} \cdot SSC \mod G, \end{matrix}

(11)

\begin{matrix} Secret key = L \cdot K \mod SSC . \end{matrix}

(12)

3.4. Handover

The MNs are moving and they may leave their current CH and join a new CH. In order to know when they need to perform the handover to remain connected to the network, each MN monitors (e.g., by sending periodically a signal strength inquiry message) the SNR of its CH. Once the MN detects that its CH SNR is below a predefined threshold value, it broadcasts a request to find its neighboring FNs. Upon the reception of the response, the MN selects the FN with the highest SNR as its new CH. When the MN performs the transition from its old CH to the new CH, it sends its old CH identity, $S P_{M N_{j}}$ , and authentication certificate to the new CH and a cluster leaving message to the old CH. The new CH communicates directly with the old CH of the MN, using its public key, to confirm the MNs transition and for the verification of the authentication certificate. Once the new CH receives the MNs transition confirmation and the authentication certificate verification, it adds this incoming MN to its trusted member MN list. Also the new CH generates its own $S P_{F N_{i}}$ and sends it to the MN to update the certificate.

3.5. Protection of Key Material

Since the sensor network may be deployed in unattended or even hostile areas, for example, when used for military applications, node capture and physical damage cannot be avoided. In order to protect the key material, we assume that each node is provided with tamper resistant hardware [23] and with a mechanism operating in such a way that when a node is captured and physically damaged, its keys become invalid. More specifically, once a manumission attempt is detected, both the original authentication and communication keys and the relevant IDs are replaced by fake ones: this would ensure that the original keys material is never revealed to an adversary.

Once the FN receives a joining request and key request from a compromised MN, it will inform the BS and all its neighboring FNs about the compromised MN's ID so that each FN can delete the key map of this compromised MN. In case the FN itself is compromised, however, it would not be able to generate the secret key and when it tries to authenticate the MN, the MN will understand that the FN is compromised. The MN would then contact other neighboring FNs for authentication and communication key establishment and eventually notify them about the compromised FN. This information will be also propagated to the BS for verification. The BS will then ask the compromised FN about its communication key IDs. If the BS receives the wrong key IDs, then the BS would declare this FN as compromised and inform all the other FNs of the network about it.

4. Performance Evaluation

In this section, we discuss the results obtained by using OMNET++ simulators. In order to introduce the mobility in OMNET++ simulation, we use MixiM 2.0.1 framework. Simulations are based on a network with 400 mobile nodes (MNs) and 16 fixed nodes (FNs). The area where the MNs are deployed and move is 400 m × 400 m. As mentioned earlier, we are using the same transmission power for both the fixed nodes and the mobile nodes, using the CSMA 802.15.4 standard and the radio specifications based on the CC2420 radio chip. The velocity of the mobile nodes is kept constant at 1 m/s while the next target's location selection interval is set to 0.1 s. The transmission power is set to 10 mW and the receiver sensitivity is set to −95 dBm.

4.1. Connectivity

Network connectivity is considered an essential part in evaluating the performance of the network. From the security point of view, two neighboring nodes in a network are said to be connected if they have a secret key for secure communication. In this section, we are evaluating the performance of the proposed scheme against some existing schemes in terms of probability that two nodes can authenticate each other and establish a secret key (i.e., connectivity). In the scheme discussed above, we use both (1) online key generation for authentication and (2) secret communication key establishment and key predistribution to ensure one-hop network connectivity among the MNs.

Here the network connectivity is evaluated by using the OMNET++ simulation results. In case of the key predistribution techniques, the probability of single key sharing defines the network connectivity and is given by

\begin{matrix} \Pr [Match] = \frac{(|K P_{main}| - |K P_{MN}|)! (|K P_{main}| - |K P_{FN}|)!}{|K P_{main}|! (|K P_{main}| - |K P_{MN}| - |K P_{FN}|)!}, \end{matrix}

(13)

where

K P_{main}

is a large key set containing

| K P_{main} |

keys from which a key set

K P_{MN}

containing

| K P_{MN} |

keys is assigned to each mobile node and a key set

K P_{FN}

containing

| K P_{FN} |

keys is assigned to each fixed node, where

| K P_{FN} | ≫ | K P_{MN} |

. In balanced key distribution schemes where each node of a homogeneous sensor networks is assigned the same number of keys, that is,

K P_{MN} = K P_{FN} = K P_{node}

, and the single key sharing probability is given by

\begin{matrix} \Pr [Match] = \frac{(|K P_{main}| - |K P_{node}|)!^{2}}{|K P_{main}|! (|K P_{main}| - 2 |K P_{node}|)!} . \end{matrix}

(14)

Figure 3 represents the OMNET++ simulation results comparing the connectivity of a MN to the CH with some of the existing schemes [7, 9, 14, 24]. It is clear that the online authentication key generation technique substantially improves the network connectivity because the network connectivity provided by the proposed scheme is almost 100%.

Figure 3

Single authentication key sharing probability between fixed node and mobile node.

In order to further analyze the effect of key pool size on network connectivity in the key predistribution schemes, we carried out OMNET++ simulation to find the key sharing probability between the FNs and MNs by limiting the MN key pool sizes ( $| K P_{MN} |$ ) to 10, 20, and 30 and the FN key pool sizes ( $| K P_{FN} |$ ) to 450, 550, and 650 from a large key pool of size $| K P_{main} | = 10,000$ . A simulation of 10,000 seconds for each combination of FN and MN key pool size is performed. For each we evaluate how many key requests were received from MNs by FNs and for how many key requests the FN has a shared key. If the total number of key requests received by all the FNs is X and the total number of key requests for which FNs have a share key is Y, the key sharing probability is given by

\begin{matrix} \Pr {[Match]}_{Simulation} = \frac{X}{Y} . \end{matrix}

(15)

Figure 4 represents the comparison of the effects of assigning different key pools to the MNs and FNs in terms of network connectivity obtained from OMNET++. The results show that the connectivity increases by assigning large key pools to the FNs and to the MNs in the existing key predistribution schemes while the proposed scheme is independent of the assigned key pool sizes and provides almost 100% network connectivity as shown in Figure 3.

Figure 4

Single key sharing probability with different key pool size.

The deployment of the fixed nodes is such that it covers the whole area of the network. Under this assumption, a mobile node may come into the coverage area of more than one fixed node; hence the probability of authentication of each MN by any in-range authentic FN is given by

\begin{matrix} \Pr [Authentication] = 1 - {(1 - \Pr [Match])}^{d}, \end{matrix}

(16)

where d represents the total number of neighboring fixed nodes, Pr[Authentication] is the probability of authentication, and Pr[Match] is single key sharing probability defined by (11). Figure 5 shows that the coverage of each MN by more than one FN dramatically increases the authentication probability of the MN, which in turn improves the connectivity of the MN to the network. However, it is still less than what is achieved by the proposed algorithm. This is because the selection of the FN depends on the link quality, availability, and bandwidth but the common key matching also plays an important role in case of key predistribution schemes, while it is not necessary in the proposed scheme. Figure 5 shows the OMNET++ result when the MN is within the range of one FN. So far, we assumed that each MN is at least under the radio coverage of one FN, but in a real network deployment, this may not be always possible. In that case, a MN may communicate with the FN through another intermediate MN. For that, a MN must share at least one common key with the other MNs in case of the key predistribution schemes, which further affects the performance of the network in terms of connectivity. The probability of sharing at least one common key between the MNs can be obtained analytically using (12). Figure 6 shows the results obtained by using OMNET++ simulator.

Figure 5

MN authentication probability by more than one FN $K P_{MN} = 30$ .

Figure 6

Single key sharing probability among the mobile nodes.

4.2. Memory Cost

The secret communication code key pool $K P_{main}$ is divided into two subkey pools $K P_{FN}$ for the FNs and $K P_{MN}$ for the MNs such that $K P_{FN} \cap K P_{MN} = 0$ . Each individual key $SC C_{1}$ of $K P_{FN}$ can be used to create a secret key with all the keys of $K P_{MN}$ and vice versa. Thus the total possible number of secret keys is

\begin{matrix} Total secret keys = |K P_{FN}| * |K P_{MN}| . \end{matrix}

(17)

Let us assume that $| K P_{FN} | = | K P_{MN} | = 30$ keys. The total possible number of secret keys generated by these two key pools is 900. If we compare our proposed scheme with the existing schemes proposed by Eschenauer and Gligor in [7], instead of storing 900 keys in a sensor node, only 30 keys are required in each FN and in each MN to get 900 possible secret key combinations. This reduces the memory cost of the node while maintaining the same level of security by assigning only 30 keys instead of assigning 900 keys.

4.3. Node Energy Consumption

In this section, the energy consumption in the authentication and in key establishment phases has been observed using OMNET++ by optimizing the proposed algorithm in terms of the total number of exchanged message. Figure 2 shows that we need only two messages in the proposed scheme for the authentication purpose compared to [25–27] which require 4, 3, and 3 messages, respectively. Hence it is clear that less messages exchange consumes less energy in the proposed scheme. Again the total number of messages required in key establishment phase has been reduced to only two messages in the proposed scheme which is less than the existing approaches [25–27]. Hence the overall message exchanges by each node in the authentication phase and in the key establishment phase, including the acknowledgement, of the proposed algorithm are 5 while in the other schemes [25–27] they are 6, 7, and 6, respectively.

Figure 7 shows the comparison of the overall energy consumption of a node in the proposed algorithm with [25–27]. It is clear from the results that the proposed scheme consumes less energy than other algorithms. Hence it increases the network life time.

Figure 7

Overall energy consumption of a node.

5. Security Evaluation

5.1. Denial of Service Attack

In this section we describe some kind of Denial of Service attacks (DoS attacks) that can be brought against our proposed scheme, as well as possible countermeasures. The main objective of DoS attacks is to make the resources unavailable to an intended user of the network.

( 1) FN Hello Messages. The first possible DoS attack against the proposed scheme is to broadcast Hello messages pretending to be a FN of the network to exhaust the resources of the MNs. Since each Hello message is signed by the private key of the FN, MNs will verify it using the public key of that FN. Since the adversary FN is not an authentic node, the MN would not be able to verify that Hello message and once a MN detects this attack, it will inform its other neighboring authentic FNs. The authentic FNs would then inform the BS and neighboring MNs about this fake FN ID so that they can avoid the messages from that node.

( 2) MN Hello Messages. When a MN finds its current CH signal strength value below a threshold value, it starts broadcasting the MN Hello messages to know about its new neighboring FNs. The attacker can launch such MN Hello message broadcast attack by introducing a fake MN. Since the MN Hello broadcast message is also signed by the MN private key, the new FNs first verify it by using the MN public key. This would not be possible for a fake MN. Thus the FNs inform the BS and other neighboring FNs about this malicious MN.

5.2. Sybil Attack

Sybil attacks are those in which a malicious node illegitimately takes on multiple identities. We call the nodes performing these attacks as Sybil nodes. Sybil attacks can be of different forms, for example, using direct or indirect communication and fabricated or stolen identities. In the direct communication Sybil attacks, a Sybil node communicates directly with a legitimate node. But since, in the proposed scheme, the Sybil node is first authenticated by sending a message signed with its private key, the FN would not be able to authenticate it. In the indirect communication Sybil attacks, malicious node (who deploys Sybil nodes in the network) becomes a router for forwarding the communication to the Sybil node from the FN which is not possible in the proposed scheme because each MN is the end user of the network. In the fabricated Sybil attacks, the attacker assigns an unuse identity to the Sybil node. In this case, this Sybil node needs to authenticate itself to the FNs which would again not be possible in the proposed scheme as described above. Stolen identity based Sybil attacks are very dangerous in such resource constrained networks. But this type of Sybil attack does not affect the proposed scheme because each communication is encrypted with the key agreed already with the original node having this ID, and the Sybil node does not have these keys.

However, we compare the proposed scheme with the balanced key predistribution scheme [7] and an unbalanced key predistribution scheme [9] to show the effectiveness of proposed scheme. Although the proposed scheme is partially based on key predistribution approach by assigning $| K P_{FN} |$ to the FNs and $| K P_{MN} |$ to the MNs but in the proposed scheme $| K P_{FN} | \cap | K P_{FN} | = \emptyset$ while in [7, 9], it should be $| K P_{FN} | \cap | K P_{FN} | \neq \emptyset$ .

In the key predistribution approach, if every MN is assigned $| K P_{MN} |$ keys and every FN is assigned $| K P_{FN} |$ keys from a key pool of size $| K P_{main} |$ and an attacker compromises “c” nodes to create a compromised key pool of size “n”, then the probability of a Sybil node to be successfully created is

\begin{matrix} P r_{sybil node} = \sum_{t = 1}^{K P_{MN}} ‍ \frac{(\begin{smallmatrix} n \\ t \end{smallmatrix}) (\begin{smallmatrix} K P_{main} - n \\ K P_{MN} - t \end{smallmatrix}) \begin{smallmatrix}  \end{smallmatrix}}{(\begin{smallmatrix} K P_{main} \\ K P_{MN} \end{smallmatrix}) \begin{smallmatrix}  \end{smallmatrix}} \frac{(\begin{smallmatrix} K P_{main} - K P_{MN} + t \\ K P_{MN} \end{smallmatrix}) \begin{smallmatrix}  \end{smallmatrix}}{(\begin{smallmatrix} K P_{main} \\ K P_{MN} \end{smallmatrix}) \begin{smallmatrix}  \end{smallmatrix}} . \end{matrix}

(18)

Figure 8 shows the probability of successfully generated Sybil nodes in the proposed scheme compared with scheme [7, 9].

Figure 8

Probability of generation Sybil nodes.

5.3. Node Compromission

As described in Section 3.5, we assume that a node is secured by hardware means against access to its keys. However, no such scheme is ever perfect; hence here we analyze the effects of such attacks on our key management scheme.

In existing key predistribution schemes for both homogeneous and heterogeneous sensor networks, each node is assigned a key pool, and for secure communication the two nodes must have a shared common key. In that case, once the node is compromised by an adversary, it can compromise all the secure links with neighbors with whom this node has a shared key. Thus the fraction of communications compromised by compromising c MNs is given by

\begin{matrix} P [Compromised] = 1 - {(1 - \frac{|K P_{M N_{j}}|}{|K P_{MN}|})}^{c}, \end{matrix}

(19)

where

| K P_{M N_{j}} |

is the number of keys stored in the MN and

| K P_{MN} |

is the size of the authentication key pool from which

K P_{M N_{j}}

is randomly selected for each MN. Figure 9 shows the OMNET++ simulation results of the effect of this kind of attack on our proposed scheme compared with the key predistribution scheme in [7, 9, 14, 24]. The graph shows that our scheme provides almost 100% resilience against this kind of attack.

Figure 9

Network resilience against compromised mobile nodes.

6. Conclusion

In this paper, we proposed a new authentication and key management scheme for heterogeneous sensor networks including mobile nodes. The relevant network and mobility models have been presented as well. The proposed key management scheme is based on two different types of the key pools, that is, an authentication key pool and a communication key pool. Based on these pools, a key predistribution mechanism has been defined. Moreover, we compared our solution with some of the existing key management protocols for both homogeneous and heterogeneous sensor networks. The results showed that the two considered key pools not only provide better network connectivity in terms of authentication key sharing in the mobile scenario but also offer better security, while consuming less memory space compared with balanced key predistribution protocols. Furthermore, the proposed solution provides better network resilience against the node capture attacks compared to the other reference protocols considered.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding to the publication of this paper.

Acknowledgment

This paper has been partially supported by the European FP7 project BUTLER, under Contract no. 287901.

References

Xiao

Rayi

V. K.

Sun

Galloway

A survey of key management schemes in wireless sensor networks

Computer Communications 2007 30 11-12 2314 2341

10.1016/j.comcom.2007.04.009

2-s2.0-34548038583

Gupta

Kumar

P. R.

The capacity of wireless networks

IEEE Transactions on Information Theory 2000 46 2 388 404

10.1109/18.825799

ZBL0991.90511

2-s2.0-33747142749

Duarte-Melo

E. J.

Liu

Data-gathering wireless sensor networks: organization and capacity

Computer Networks 2003 43 4 519 537

2-s2.0-0141509887

10.1016/S1389-1286(03)00357-8

Hong

Gerla

An ad hoc network with mobile backbones

Proceedings of the IEEE International Conference on Communications (ICC ′02)

May 2002

3138 3143

2-s2.0-0036286440

Girod

Stathopoulos

Ramanathan

A system for simulation, emulation, and deployment of heterogeneous sensor networks

Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys ′04)

2004

201 213

10.1145/1031495.1031519

Yarvis

Kushalnagar

Singh

Rangarajan

Liu

Singh

Exploiting heterogeneity in sensor networks

Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ′05)

March 2005

878 890

10.1109/INFCOM.2005.1498318

Eschenauer

Gligor

V. D.

A key-management scheme for distributed sensor networks

Proceedings of the 9th ACM Conference on Computer and Communication Security

November 2002

41 47

10.1145/586110.586117

Rahman

Nasser

Saleh

Identity and pairing-based secure key management scheme for heterogeneous sensor networks

Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob ′08)

October 2008

423 428

10.1109/WiMob.2008.79

2-s2.0-56749105661

Xiao

Guizani

Chen

H.-H.

An effective key management scheme for heterogeneous sensor networks

Ad Hoc Networks 2007 5 1 24 34

2-s2.0-33750023217

10.1016/j.adhoc.2006.05.012

10.

Perrig

Szewczyk

Tygar

J. D.

Wen

Culler

D. E.

SPINS: security protocols for sensor networks

Wireless Networks 2002 8 5 521 534

11.

Chan

Perrig

Song

Random key predistribution schemes for sensor networks

Proceedings of the IEEE Symposium on Security and Privacy

May 2003

197 213

2-s2.0-0038487088

12.

Liu

Rivera

Cheng

Location-aware key establishment in wireless sensor networks

Proceedings of the International Wireless Communications and Mobile Computing Conference (IWCMC ′06)

July 2006

21 26

10.1145/1143549.1143556

2-s2.0-34247401809

13.

Rabin

M. O.

Digitalized signatures and public-key functions as intractable as factorization

1979 MIT/LCS/TR-212

Laboratory for Computer Science, MIT

14.

Zhang

Sun

Liu

NPKPS: a novel pairwise key pre-distribution scheme for wireless sensor networks

Proceedings of the IET Conference on Wireless, Mobile and Sensor Networks (CCWMSN ′07)

December 2007

Shanghai, China

446 449

15.

Kim

K. T.

Ramakrishna

R. S.

A level-based key management for both in-network processing and mobility in WSNs

Proceedings of the IEEE Internatonal Conference on Mobile Adhoc and Sensor Systems (MASS ′07)

October 2007

Pisa, Italy

1 8

2-s2.0-50249160106

10.1109/MOBHOC.2007.4428761

16.

Chuang

I.-H.

W.-T.

C.-Y.

Hsu

J.-P.

Kuo

Y.-H.

Two-layered dynamic key management in mobile and long-lived cluster-based wireless sensor networks

Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC ′07)

March 2007

Kowloon, Hong Kong

IEEE

4145 4150

10.1109/WCNC.2007.757

2-s2.0-36348971223

17.

Maerien

Michiels

Huygens

Joosen

MASY: MAnagement of Secret keYs for federated mobile wireless sensor networks

Proceedings of the IEEE 6th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob '10)

October 2010

Niagara Falls, Canada

121 128

10.1109/WIMOB.2010.5644977

18.

Qian

A framework for distributed key management schemes in heterogeneous wireless sensor networks

Proceedings of the 25th IEEE International Performance, Computing, and Communications Conference (IPCCC '06)

April 2006

Phoenix, Ariz, USA

520

10.1109/.2006.1629447

19.

Xiao

Guizani

Chen

H.-H.

A routing-driven key management scheme for heterogeneous sensor networks

Proceedings of the IEEE International Conference on Communications, (ICC ′07)

June 2007

3407 3412

2-s2.0-38549120367

10.1109/ICC.2007.564

20.

Yang

An efficient key management scheme for heterogeneous sensor networks

Proceedings of the International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM ′08)

October 2008

Dalian, China

1 4

10.1109/WiCom.2008.896

2-s2.0-58049129347

21.

Camp

Boleng

Davies

A survey of mobility models for ad hoc network research

Wireless Communications and Mobile Computing 2002 2 5 483 502

10.1002/wcm.72

2-s2.0-0038675868

22.

Diffie

Hellman

M. E.

New directions in cryptography

IEEE Transactions on Information Theory 1976 22 6 644 654

2-s2.0-0017018484

23.

FIPS 140-2 Standard

Security Requirements for Cryptographic modules

2001

24.

Sarmad

U. K.

Lavagno

Pastrone

A key management scheme supporting node mobility in heterogeneous sensor networks

Proceedings of the 6th International Conference on Emerging Technologies (ICET ′10)

October 2010

Islamabad, Pakistan

364 369

10.1109/ICET.2010.5638458

2-s2.0-78650311627

25.

Tseng

H.-R.

Jan

R.-H.

Yang

An improved dynamic user authentication scheme for wireless sensor networks

Proceedings of the 50th Annual IEEE Global Telecommunications Conference (GLOBECOM ′07)

November 2007

986 990

10.1109/GLOCOM.2007.190

2-s2.0-39349093196

26.

Cheikhrouhou

Koubaa

Boujelben

Abid

A lightweight user authentication scheme for wireless sensor networks

Proceedings of the IEEE/ACS International Conference on Computer Systems and Applications (AICCSA ′10)

May 2010

Hammamet, Tunisie

1 7

10.1109/AICCSA.2010.5586995

27.

Khan

S. U.

Lavagno

Pastrone

Spirito

An effective key management scheme for mobile heterogeneous sensor networks

Proceedings of the International Conference on Information Society (i-Society ′11)

June 2011

98 103

Online Authentication and Key Establishment Scheme for Heterogeneous Sensor Networks

Abstract

1. Introduction

1.1. Key Ideas of the Proposed Approach

2. Related Work

3. Proposed Scheme

3.1. Key Predistribution

3.2. Node Authentication

3.3. Communication Key Establishment

3.4. Handover

3.5. Protection of Key Material

4. Performance Evaluation

4.1. Connectivity

4.2. Memory Cost

4.3. Node Energy Consumption

5. Security Evaluation

5.1. Denial of Service Attack

5.2. Sybil Attack

5.3. Node Compromission

6. Conclusion

Footnotes

Conflict of Interests

Acknowledgment

References