Sage Journals: Discover world-class research

Abstract

This thesis presents a mural broadcast authentication protocol (MBAP) for wireless sensor networks based on Fourier series according to the issues of the main broadcast authentication protocol µTESLA being limited in authentication delay, more initial parameters, limited time, large key chain, and network congestion. Firstly, achieving the forward authentication work for common sensor nodes to base station is based on the characteristic of continuous-integrability function $f (x)$ in $[- π, π]$ which could be expanded into Fourier series, including entity authentication and source attestation. Secondly, assume that $f (x)$ is the quadratic form function, and achieve the reverse authentication work for base station to common sensor nodes by detecting the security of $f (x)$ . The analysis results of safety performance in MBAP show that the captured nodes in WSN will not affect the security of broadcast authentication protocol and have low computation and communication cost, the base station can make broadcast randomly, and common sensor nodes can authenticate messages instantly, which solves the problem of network congestion well. The most important thing of MBAP is the mutual broadcast authentication method which ensures the security of the network greatly.

1. Introduction

In wireless sensor networks (WSN), in order to save the network bandwidth and the communication time, the base station and the cluster heads generally send messages to the common sensor nodes by broadcasting. And broadcast communication plays a very important role in WSN, and its security has a direct impact on the security of the entire network [1–5]. Therefore, it must be able to authenticate the source, the accuracy, and the integrity of the broadcast packets when the receiving nodes get the broadcast packets; it is also known as broadcast authentication.

The broadcast authentication includes two parts: entity authentication and source attestation. Entity authentication is the process for confirming the identity of the sending nodes based on some authentication protocol, which insures the security for network access. And source attestation is mainly to ensure the integrity of the messages and prevent unauthorized nodes sending, forging, and tampering messages. These two parts’ authentication can be achieved by the generation and verification of message authentication code (MAC). If the broadcast authentication takes the symmetric encryption mechanism, each captured node can modify or forge the messages and threaten the whole network security. So, it is necessary to use asymmetric encryption technique for broadcast authentication.

There are many efficient broadcast protocols that have been proposed, such as broadcast transmission capacity (BTC) of heterogeneous wireless ad hoc networks with secrecy outage constraints [6], a qos-based broadcast protocol (QBBP) for multihop cognitive radio ad hoc networks under blind information [7], and a reliable and total order tree-based (RTOT) broadcast in wireless sensor network [8]. But it is hard to design broadcast authentication protocols for WSN because of the limitations of WSN. There are two kinds of WSN broadcast authentication protocols: one is the signature authentication [9–11], but it is hard to be applied because of the disadvantage of using public key cryptography and large cost, and the other one is the message authentication code (MAC) [12–15], such as the μTESLA which is proposed as the broadcast authentication protocol by Perrig based on the security protocols for sensor networks in [15], which realizes the asymmetry of broadcast authentication by using the symmetric encryption mechanism, and including three key parts: key establishment, disclosing authentication key, and authenticating broadcast data. In addition, multilevel LTESLA, a broadcast authentication system for distributed sensor networks, is proposed in [16], which divides authentication into multiple levels, where the high level key chain authenticates the low level key chain, and the low layer key chain authenticates the broadcast data packets, but it is suitable for the single base station network.

This thesis presents a mutual broadcast authentication protocol (MBAP) for wireless sensor networks based on Fourier series according to the problems of the main broadcast authentication protocol μTESLA being limited in authentication delay, more initial parameters, limited time, large key chain, and network congestion. And the mutual authentication between nodes and base station is achieved according to the characteristic of continuous-integrability function $f (x)$ in $[- π, π]$ which could be expanded into Fourier series. Firstly one has pre-distributing $f (x)$ for each node upon network initializing, calculating the current Fourier series coefficients, establishing authentication key $K^{'}$ , verifying the correctness of the broadcast authentication information, achieving entity authentication and source attestation. Secondly, assuming that $f (x)$ is the quadratic form function and achieving the reverse authentication work for base station to common sensor nodes by detecting the security of $f (x)$ , it also means that the MBAP protocol can achieve mutual security authentication. The analysis results of safety performance in MBAP show that the captured nodes in WSN will not affect the security of broadcast authentication protocol and have low computation and communication cost, the base station can make broadcast randomly, and common sensor nodes can authenticate messages instantly, which solves the problem of network congestion well. The most important thing of MBAP is the mutual broadcast authentication method which ensures the security of the network greatly.

The paper is organized as follows. In Section 2, we analyze the related work, such as μTESLA protocol principle and its issues. In Section 3, we discuss the specific principle of MBAP, including network model assumptions, Fourier series’ characteristics analysis and MBAP authentication principle. Section 4 analyzes the security of MBAP compared with MBAP. And summary is made in Section 5.

2. Related Work

2.1. μTESLA Protocol

In μTESLA, the asymmetric characteristic of broadcast authentication is realized by using the symmetric encryption mechanism on condition of the loose time synchronization of sending nodes and receiving nodes. The key points of μTESLA protocol are using hash key chain and publishing key delayed, as showed in Figure 1, a one-way function key chain is established by the sending node, where the length of key chain is $n + 1$ , and the first key $K_{n}$ of the key chain is generated randomly by the sending node, but the next keys are all generated by the one-way function $h a s h$ acting on the last key repeatedly, such as $K_{j} = H (K_{j + 1})$ . The sending node divides the communication time into equal time slices, where the length of each time slice is D, and each time slice is assigned a key in order, but the order of the assigned keys is the opposite order of the key chain, and each message $P_{i}$ of time slice j is encrypted by $K_{j}$ , such as $M A C_{K_{j}} (P_{i})$ . The sending node determines the key delay time δ based on the time slice length, and the key $K_{j}$ on time slice j will be published after δ, such as $δ = 2$ in Figure 1.

Figure 1

μTESLA protocol.

To avoid the additional communication cost, the published key is sent to the receiving nodes by being attached with the data packet. If there is no data packet on some time slice, the key attached with the data packet will not be published, and this key can be calculated by the next keys in one-way function $h a s h$ . More importantly, the initial parameters $K_{0}$ , δ, and D and starting time $T_{0}$ should be sent to receiving nodes before authentication.

2.2. μTESLA Protocol Issues

2.2.1. Computation Cost

The μTESLA protocol has higher authentication efficiency in the case of sending data packets frequently, but it has a very low sending frequency in some applications, such as fire alarm and other event-driven applications, where the transmission interval of the adjacent data packets may be far greater than the time slice D of μTESLA and causes lots of keys not to be used for the data packets authentication, and the distance between adjacent keys on the key chain is also increased and causes a large computation cost and authentication delay.

Increasing D can alleviate this problem, but it also causes a lot of authentication delay, and the receiving nodes also need more memory space for buffering packets.

2.2.2. Delay

In μTESLA, the time interval of sending message $\{M A C_{K_{i}} (P_{i}) ∥ K_{i - 2} ∥ P_{i} ∥ i (t)\}$ will be increased gradually, and the time for buffering data packets is also increased because of the authentication delay, which also makes the protocol more vulnerable to be attacked by DoS. Therefore, the authentication mechanism of μTESLA is not suitable for the situation of large sending time interval.

2.2.3. Problem of Initialization Parameters

The most important problem of μTESLA is the distribution of initialization parameters. Each sending node has an independent authentication key chain for encrypting its own data packets, and each receiving node makes authentication for $\{M A C_{K_{i}} (P_{i}) ∥ K_{i - 2} ∥ P_{i} ∥ i (t)\}$ after receiving the initialization parameters $K_{0}$ , δ, and D and starting time $T_{0}$ . If the nodes send the initialization parameters $\{K_{0}, δ, D, T_{0}\}$ in unicast way, it will cause much resource consumption, because the sending node needs to encrypt the $\{K_{0}, δ, D, T_{0}\}$ in different keys shared with the receiving node, which will cause the delay for data packet transmission and authentication, and the delay may lead to DoS attacks.

2.2.4. Authentication Aging Problem

There are some applications that require real-time authentication for broadcasting, such as real-time audio frequency, video stream, and alarm information. Obviously, μTESLA is not suitable for high ageing applications because of the authentication delay.

2.2.5. Fixed Key Chain Length

In μTESLA, the authentication key of each time slice is predistributed upon network initialization. On the one hand, if the work time is too long, it means that the length of key chain is too large, which will cause a large computation cost and storage cost. On the other hand, if the work time is too short, it cannot meet the requirement of frequent data exchange and long-term work.

Therefore, in order to meet the characteristics of lower delay, better aging, less key storage, computing fast, and better flexibility for the general broadcast authentication in WSN, this paper introduces the mathematical theory of Fourier series, which simplifies the practical issues based on characteristic of Fourier series coefficients and makes a simple and efficient broadcast authentication.

3. MBAP

3.1. Network Model Assumptions

In WSN, either the base station or the sensor node is the broadcaster (as shown in Figure 2).

Figure 2

Broadcasting communication in centralized network.

According to the topology of the network, it can broadcast directly when the base station is the broadcaster which can send the information to the prerecipient without intermediate nodes or can send the information to the prerecipient layer by layer, such that the base station will send the information to each cluster head first of all, and the cluster head will send the information to each common sensor node after authentication.

When the sensor nodes are the broadcasters, they can only send the information to their neighbor nodes directly without intermediate nodes.

In order to facilitate the description of MBAP, the network is assumed as follows: (1)

Assume that the network is isomorphic and static and each of the sensor nodes has been uniformly deployed in the target area and has same configuration in software and hardware and will not move any more once they are deployed, where the network size is N, including 2 types of nodes, base station (BS) and sensor node (SN), as shown in Figure 2.

(2)

Assume that base station (BS) is equipped with abundant software and hardware resources and can cover the entire network deployment area by means of a high power radio signal, and it is responsible for storing the basic information of all the nodes in network and has the ability to detect compromised or captured nodes.

(3)

Common sensor node is responsible for collecting environmental data. The ability to process data of sensor node is limited by storage space, energy reserves, and communication distance. Since the communication radius of the common sensor node is limited, the communication between nodes which are not in the communication radius should be transferred by neighbor node.

The main symbols in the text are shown as follows:

$B S$ : base station,

$S N$ : sensor node,

$h (x)$ : $h a s h$ function,

K: authentication key,

$I D_{i}$ : identity symbol of node i,

$f (x)$ : continuous-integrability function,

D: time slice length,

P: plaintext,

$L (i)$ : authentication message of time slice i.

3.2. Analyzing Characteristics of Fourier Series

Definition 1.

If the function $f (x)$ period is T, it is satisfied on the following conditions:

\begin{matrix} f (x) = A_{0} + \sum_{n = 1}^{\infty} A_{n} \sin (n ω x + φ_{n}) = A_{0} + \sum_{n = 1}^{\infty} (a_{n} \cos n ω x + b_{n} \sin n ω x) . \end{matrix}

(1)

And claim that formula (1) is the Fourier series determined by $f (x)$ .

3.2.1. Orthogonal Analysis of Trigonometric Function

Assume that c is a real number and $\cos k x$ and $\sin k x$ are the periodic function in $[c, c + 2 π]$ , where the period is $2 π$ , and then

\begin{matrix} \int_{c}^{c + 2 π} \cos k x d x = \int_{0}^{2 π} \cos k x d x = 0, \\ \int_{c}^{c + 2 π} \sin k x d x = \int_{0}^{2 π} \sin k x d x = 0, \\ (k = 1,2, \dots) . \end{matrix}

(2)

And it is easy to prove with product and difference

\begin{matrix} \int_{c}^{c + 2 π} \sin k x \cos l x d x = 0, \\ \int_{c}^{c + 2 π} \sin k x \sin l x d x = 0, \\ \int_{c}^{c + 2 π} \cos k x \cos l x d x = 0 \\ (k \neq l; k, l = 1,2, \dots) \end{matrix}

(3)

\begin{matrix} \int_{c}^{c + 2 π} \cos^{2} k x d x = \int_{0}^{2 π} \cos^{2} k x d x = \int_{0}^{2 π} \frac{1 + \cos 2 k x}{2} d x = π, \\ \int_{c}^{c + 2 π} \sin^{2} k x d x = π, \\ (k = 1,2, \dots) \\ \int_{c}^{c + 2 π} 1^{2} d x = 2 π . \end{matrix}

(4)

3.2.2. Fourier Series Coefficient Analysis

Deduction 1.

Assume that function $f (x)$ has been expanded to a uniformly convergent trigonometric series:

\begin{matrix} f (x) = \frac{a_{0}}{2} + \sum_{k = 1}^{\infty} (a_{k} \cos k x + b_{k} \sin k x) . \end{matrix}

(5)

Then

\begin{matrix} a_{0} = \frac{1}{π} \int_{- π}^{π} f (x) d x, \\ a_{k} = \frac{1}{π} \int_{- π}^{π} f (x) \cos k x d x, (k = 0,1, 2, \dots), \\ b_{k} = \frac{1}{π} \int_{- π}^{π} f (x) \sin k x d x, (k = 0,1, 2, \dots) . \end{matrix}

(6)

Proof.

Assume that $f (x)$ is an integrable function in $[- π, π]$ , where the right side of (5) can be integrable term by term. So we can get (7) by (2). Consider

\begin{matrix} \int_{- π}^{π} f (x) d x = \frac{a_{0}}{2} \cdot 2 π = a_{0} π, \\ a_{0} = \frac{1}{π} \int_{- π}^{π} f (x) d x . \end{matrix}

(7)

Set that n is a positive integer and multiplying by both sides with $\cos n x$ for $f (x)$ and integration in $[- π, π]$ then we can get (8) by (2), (3), and (4):

\begin{matrix} \int_{- π}^{π} f (x) \cos n x d x = \frac{a_{0}}{2} \int_{- π}^{π} \cos n x d x + \sum_{k = 1}^{\infty} (a_{k} \int_{- π}^{π} \cos k x \cos n x d x + b_{k} \int_{- π}^{π} \sin k x \cos n x d x) = \int_{- π}^{π} a_{n} \cos^{2} n x d x = a_{n} π . \end{matrix}

(8)

Therefore

\begin{matrix} a_{n} = \frac{1}{π} \int_{- π}^{π} f (x) \cos n x d x . \end{matrix}

(9)

Similarly

\begin{matrix} b_{n} = \frac{1}{π} \int_{- π}^{π} f (x) \sin n x d x . \end{matrix}

(10)

Thus Deduction 1 is proved.

3.3. MBAP Authentication Principle

We assume that $f (x)$ is a continuous-integrability function in $[- π, π]$ which is predistributed for each node upon initializing. So, the MBAP authentication principle is as follows.

Step 1 (establishing authentication key). The base station divides the communication time into equal time slices, where the length of each time slice is D, and each time slice is assigned a key in order. Set $K (i)$ to be the authentication key distributed for the time slice i, and set

\begin{matrix} K (i) = \frac{a_{0}}{2} + \sum_{k = 1}^{i} (a_{k} \cos k x + b_{k} \sin k x) . \end{matrix}

(11)

It is obvious that the keys for each time slice are different based on Deduction 1, and

\begin{matrix} K (i + 1) = \frac{a_{0}}{2} + \sum_{k = 1}^{i + 1} (a_{k} \cos k x + b_{k} \sin k x) = K (i) + (a_{i + 1} \cos (i + 1) x + b_{i + 1} \sin (i + 1) x) . \end{matrix}

(12)

It is showed in (12) that the authentication key $K (i + 1)$ on time slice $i + 1$ can be calculated by $K (i)$ and Fourier series coefficients $a_{i + 1}$ and $b_{i + 1}$ .

Step 2 (building broadcast authentication information). We assume that $L (i)$ is the broadcast authentication information of the time $i (t)$ on time slice i, where t is a certain time on time slice i, and set

\begin{matrix} L (i) = \{P_{i (t)} ∥ h (a_{i}) ∥ h (b_{i}) ∥ M A C = h (K (i), P_{i (t)}, i (t)) ∥ i (t)\}, \end{matrix}

(13)

where

a_{i} = (1 / π) \int_{- π}^{π} f (x) \cos i x d x

and

b_{i} = (1 / π) \int_{- π}^{π} f (x) \sin i x d x

are last two Fourier series coefficients of

K (i)

P_{i (t)}

is the plaintext message of time

i (t)

, and

M A C = h (K (i), P_{i (t)}, i (t))

makes sure that

K (i)

is undisclosed which ensures the security of the key in the process of message communication.

Then there are base station broadcasts $L (i)$ .

Step 3 (application verification). The common sensor node gets the authentication information $L (i)$ and time $i (t)$ .

If the common sensor node has received the authentication information $L (i)$ on time $i (t + 1)$ , it is showed that the authentication information $L (i)$ is outdated, and it is likely to be caused by network congestion or may be an enemy in disguise after being captured. For this unusual situation, the first step is to abandon $L (i)$ on time $i (t)$ , and the second step is to verify the legitimacy of $L (i)$ on time $i (t)$ by BS.

Conversely, if $i (t)$ is the latest time, it is showed that $L (i)$ is the authentication information which needs to be authenticated currently, and go to Step 4.

Step 4 (entity authentication). Because $f (x)$ is predistributed for each sensor node, according to the Definition 1 and Deduction 1, set

\begin{matrix} a_{i}^{'} = \frac{1}{π} \int_{- π}^{π} f (x) \cos i x d x \\ b_{i}^{'} = \frac{1}{π} \int_{- π}^{π} f (x) \sin i x d x . \end{matrix}

(14)

If $h (a_{i}^{'}) = h (a_{i})$ and $h (b_{i}^{'}) = h (b_{i})$ , it is showed that $L (i)$ is the authentication information sent by BS on the time slice i, and entity authentication is completed by now.

Conversely, if $h (a_{i}^{'}) \neq h (a_{i})$ or $h (b_{i}^{'}) \neq h (b_{i})$ , abandon $L (i)$ and check the legitimacy of $L (i)$ by BS.

Step 5 (source attestation). After the completion of entity authentication, it is necessary to determine whether the plaintext message $P_{i (t)}$ has been tampered by enemy, and set

\begin{matrix} K^{'} (i) = \frac{a_{0}^{'}}{2} + \sum_{k = 1}^{i} (a_{k}^{'} \cos k x + b_{k}^{'} \sin k x) \end{matrix}

(15)

\begin{matrix} Or K^{'} (i) = K (i - 1) + (a_{i}^{'} \cos i x + b_{i}^{'} \sin i x), \end{matrix}

(16)

where

K (i - 1)

is the authentication key on time slice

i - 1

which has been authenticated on last time slice and

h (a_{i}^{'}) = h (a_{i})

and

h (b_{i}^{'}) = h (b_{i})

have been authenticated in Step 4, so

K^{'} (i) = K (i)

based on (12), where

K (i)

encrypted by hash function cannot be got by enemy.

It is showed in (16) that the calculation of $K^{'} (i)$ avoids amounts of the calculation of Fourier series coefficients each time and reduces the computation cost greatly.

And if

\begin{matrix} h (K^{'} (i), P_{i (t)}, i (t)) = h (K (i), P_{i (t)}, i (t)) = M A C, \end{matrix}

(17)

it is showed that the plaintext message

P_{i (t)}

is integrity and not tampered by enemy, and source attestation is completed by now.

Conversely, if $h (K^{'} (i), P_{i (t)}, i (t)) \neq h (K (i), P_{i (t)}, i (t))$ , it is showed that the plaintext message $P_{i (t)}$ is captured by enemy and checking the legitimacy of $L (i)$ by BS.

The forward authentication work for common sensor nodes to base station is completed from now on, and the forward flow chart of MBAP protocol is showed in Figure 3.

Figure 3

Forward flow chart of MBAP protocol.

Step 6 (reverse authentication)

Deduction 2.

In order to detect the security of $f (x)$ , assume that $f (x)$ is a quadratic polynomial and a continuous-integrability function for some variable in $[- π, π]$ . And the reverse authentication work for the base station to the common sensor nodes can be completed by detecting the security of $f (x)$ , and it also means that the MBAP protocol can achieve mutual security authentication.

Proof.

Assume that $f (x_{1}, x_{2}, \dots, x_{n})$ is a multiple asymmetric quadratic form polynomial in field P:

\begin{matrix} f (x_{1}, x_{2}, \dots, x_{n}) = a_{11} x_{1}^{2} + a_{12} x_{1} x_{2} + \dots + a_{1 n} x_{1} x_{n} + a_{21} x_{2} x_{1} + a_{22} x_{2}^{2} + \dots + a_{2 n} x_{2} x_{n} + \dots + a_{n 1} x_{n} x_{1} + a_{n 2} x_{n} x_{2} + \dots + a_{n n} x_{n}^{2} = (x_{1}, x_{2}, \dots, x_{n}) [\begin{bmatrix} a_{11} & a_{12} & \dots & a_{1 n} \\ a_{21} & a_{22} & \dots & a_{2 n} \\ ⋮ & ⋮ & ⋮ & ⋮ \\ a_{n 1} & a_{n 2} & \dots & a_{n n} \end{bmatrix}] [\begin{bmatrix} x_{1} \\ x_{2} \\ ⋮ \\ x_{n} \end{bmatrix}] = X^{T} A X, \end{matrix}

(18)

where A is the quadratic matrix of

f (x_{1}, x_{2}, \dots, x_{n}), a_{i j} = a_{j i}

i, j = 1, \dots, n, A = A^{T}

A key management scheme based on quadratic for WSN is proposed in [17] by the author Xiaogang Wang, where, assuming $f_{w_{i}} (x_{1}, x_{2}, \dots, x_{n})$ is the quadratic polynomial of node i, $λ_{i 1}, λ_{i 2}, \dots, λ_{i n}$ are the eigenvalues of $f_{w_{i}} (x_{1}, x_{2}, \dots, x_{n})$ , $\{ξ_{i 1}, ξ_{i 2}, \dots, ξ_{i n}\}$ are the eigenvectors of $f_{w_{i}} (x_{1}, x_{2}, \dots, x_{n})$ , and assume that

\begin{matrix} C_{i} = [\begin{bmatrix} λ_{i 1} & 0 & \dots & 0 \\ 0 & λ_{i 2} & \dots & 0 \\ ⋮ & ⋮ & ⋮ & ⋮ \\ 0 & 0 & \dots & λ_{i n} \end{bmatrix}], \\ D_{i} = [ξ_{i 1}, ξ_{i 2}, \dots, ξ_{i n}] . \end{matrix}

(19)

We can assume that node $n_{i}$ has achieved forward authentication work for base station and responded to the base station with a message $M = \{f (x) ∥ h (C_{i}) ∥ h (D_{i}) ∥ I D_{i}\}$ and the base station will make reverse authentication upon receiving the message $M = \{f (x) ∥ h (C_{i}) ∥ h (D_{i}) ∥ I D_{i}\}$ .

Based on [17], we can get that the eigenvalues $λ_{i 1}, λ_{i 2}, \dots, λ_{i n}$ of quadratic polynomial $f_{w_{i}} (x_{1}, x_{2}, \dots, x_{n})$ in different sequence or incorrectness will affect the accuracy of eigenvectors $\{ξ_{i 1}, ξ_{i 2}, \dots, ξ_{i n}\}$ or $D_{i}$ , and the eigenvectors in different sequence that belonged to the same eigenvalue also can affect the accuracy of $D_{i}$ . For this reason, we can assume that the sequence of eigenvalues and eigenvectors of each sensor node are predistributed by base station, which can avoid the same response information by different nodes and ensure the independence of the reverse authentication work. For example, $M = \{f (x) ∥ h (C_{i}) ∥ h (D_{i}) ∥ I D_{i}\}$ is the response information of node $n_{i}$ , and the base station can get $C_{i}^{'}$ and $D_{i}^{'}$ based on the sequence of eigenvalues and eigenvectors of node $n_{i}$ . If $h (C_{i}) \neq h (C_{i}^{'})$ or $h (D_{i}) \neq h (D_{i}^{'})$ , it is showed that node $n_{i}$ is captured by enemy and removed by base station. If $h (C_{i}) = h (C_{i}^{'})$ and $h (D_{i}) = h (D_{i}^{'})$ , it is showed that identity of node $n_{i}$ is authenticated base station.

Therefore, a mutual broadcasting authentication work is achieved by now and Deduction 2 is proved.

Step 7 (update $f (x)$ ). For the network security, $f (x)$ should be updated periodically, so we modify the broadcast authentication information $L (i)$ by the base station and set

\begin{matrix} L {(i)}^{'} = \{P_{i (t)} ∥ h (a_{i}) ∥ h (b_{i}) ∥ M A C = h (K (i), P_{i (t)}, i (t)) ∥ K_{i} (f {(x)}_{n e w}) ∥ h (f {(x)}_{n e w}) ∥ i (t)\}, \end{matrix}

(20)

where the first part

\{P_{i (t)} ∥ h (a_{i}) ∥ h (b_{i}) ∥ M A C = h (K (i), P_{i (t)}, i (t))\}

L (i)^{'}

is still the broadcast authentication information

L (i)

, so the common sensor nodes can still make forward authentication work. After forward authentication, each sensor node can get

f {(x)}_{n e w}

K_{i}

and verify

f {(x)}_{n e w}

h (f {(x)}_{n e w})

, removing the old

f (x)

at last.

And the updating for $f (x)$ is completed by now.

4. Security Analysis

Because of the limited resource in WSN, it should meet 3 basic requirements for designing efficient broadcast authentication protocol: Firstly, insure the lower computation and communication cost. Secondly, the base station can make authentication randomly. Thirdly, the sensor nodes can make a real-time authentication. In this paper, the TWBAP protocol has some own security features besides the above the 3 conditions.

4.1. Anticapture

In MBAP, we know that $f (x)$ is the key point of authentication, and the network will not be safe once $f (x)$ leaked, so the selection of $f (x)$ is very important. On the basis of [17], we assume that $f (x)$ is n-variate quadratic polynomial in field P, which has a high anticapture. For example, a key management scheme for distributed sensor networks is proposed by Eschenauer and Gligor in [18], and the main idea of this scheme is based on the binary tth symmetric polynomials, if the enemy captures some nodes which all include the same binary tth symmetric polynomial, and the nodes’ number is more than t, such that the communication key will be decrypted by enemy, it is also called t-collusion attack. In MBAP, if the enemy wants to get the communication keys, it should decrypt the binary tth symmetric polynomial $f (x)$ or the matrix A in formula (18), but A is a symmetric matrix, it means that there are $n (n + 1) / 2$ different elements in matrix A needed to be decrypted, and the difficulty of decrypting A will be multiplied when the dimension n of matrix A is slightly changed (as shown in Figure 4). So it shows that it is very difficult to capture the binary tth symmetric polynomial $f (x)$ .

Figure 4

Anticapture performance of MBAP.

In addition to this, we assume that the size of the network in WSN is N, and if $N < n (n + 1) / 2$ , it shows that the enemy is unable to decrypt matrix A and also unable to decrypt $f (x)$ . Therefore, for the small or middle size network, the network is absolutely safe as long as $N < n (n + 1) / 2$ . And, for the large network, it also can guarantee the network security as long as there is reasonable network structure, such as increasing the number of clusters space and limiting the number of cluster members. It shows that MBAP in this paper has good anticapture performance.

4.2. Low Cost

In this paper, the computation cost and communication cost of MBAP protocol are relatively low, which can meet the requirements of low cost. Firstly, the broadcast authentication information $L (i) = \{P_{i (t)} ∥ h (a_{i}) ∥ h (b_{i}) ∥ M A C = h (K (i), P_{i (t)}, i (t)) ∥ i (t)\}$ is verified by single hash operation, while the μTESLA is operated by key chain. Secondly, we can get $K^{'} (i) = K (i - 1) + (a_{i}^{'} \cos i x + b_{i}^{'} \sin i x)$ in (16), where $K (i - 1)$ is the authentication key on time slice $i - 1$ which has been authenticated on last time slice, so we can get $K^{'} (i) = K (i)$ by verifying $h (a_{i}^{'}) = h (a_{i})$ and $h (b_{i}^{'}) = h (b_{i})$ in Step 4 of Section 3.3, which shows that the calculation of $K (i)$ avoids amounts of the calculation for Fourier series coefficients each time and reduces the computation cost greatly.

4.3. Instant Authentication

In MBAP, we can make authentication immediately based on the characteristics of Fourier series coefficients when the authentication information $L (i)$ is broadcasted by the base station. But the μTESLA protocol needs to make the authentication after the delay time δ, which may cause a communication blocking.

4.4. Delay

In μTESLA, we know that the time interval of sending message $\{M A C_{K_{i}} (P_{i}) ∥ K_{i - 2} ∥ P_{i} ∥ i (t)\}$ will be increased gradually, and the time for buffering data packets is also increased because of the authentication delay, which also makes the protocol more vulnerable to be attacked by DoS.

In MBAP, the authentication information $L (i) = \{P_{i (t)} ∥ h (a_{i}) ∥ h (b_{i}) ∥ M A C = h (K (i), P_{i (t)}, i (t)) ∥ i (t)\}$ and we get that the plaintext message $P_{i (t)}$ and authentication key $K (i)$ are sent together in $L (i)$ , and there is no such problem that the time interval of sending message is increased gradually.

We know that authentication delay includes the transmission cost and the computation cost, where the transmission cost is the necessary cost which cannot be avoided. For μTESLA, the authentication delay should also include delay time δ.

In order to analyze the delay problems between MBAP and μTESLA by simulation, we assume that T is the authentication delay and D is the length of time slice, which can be set to 1 in here, and assume delay time $δ = 2$ , $K_{0}$ is the initial key, and t is the computation time of a hash calculation.

In μTESLA, $\{M A C_{K_{i}} (P_{i}) ∥ K_{i - 2} ∥ P_{i} ∥ i (t)\}$ is the message authentication code on time slice i, we can judge the correctness of $K_{i - 2}$ by $K_{0} = H^{i - 2} (K_{i - 2})$ , it shows that the entity authentication is completed by $i - 2$ times hash calculation, and we can verify the integrity of $P_{i - 2}$ by $M A C_{K_{i - 2}} (P_{i - 2})$ , and it shows that the source attestation is completed by a hash calculation. So, we assume that $T_{1}$ is the authentication cost on time slice i in μTESLA, and

\begin{matrix} T_{1} = (i - 2) t + t + δ = (i - 1) t + δ = (i - 1) t + 2 . \end{matrix}

(21)

In MBAP, $L (i) = \{P_{i (t)} ∥ h (a_{i}) ∥ h (b_{i}) ∥ M A C = h (K (i), P_{i (t)}, i (t)) ∥ i (t)\}$ is the message authentication code on time slice i, for the entity authentication, we should calculate $a_{i}^{'} = (1 / π) \int_{- π}^{π} f (x) \cos i x d x$ and $b_{i}^{'} = (1 / π) \int_{- π}^{π} f (x) \sin i x d x$ by two conventional operation and calculate $h (a_{i}^{'}) = h (a_{i})$ and $h (b_{i}^{'}) = h (b_{i})$ by two times hash calculation, for the source attestation, and we should calculate $K_{i}^{'} = a_{0}^{'} / 2 + \sum_{k = 1}^{i} (a_{k}^{'} \cos k x + b_{k}^{'} \sin k x)$ by a conventional operation and calculate $h (K^{'} (i), P_{i (t)}, i (t)) = h (K (i), P_{i (t)}, i (t))$ by a hash calculation. For ease of calculation, we assume that a conventional operation cost also is t and $T_{2}$ is the authentication cost on time slice i in MBAP, and

\begin{matrix} T_{2} = 4 t . \end{matrix}

(22)

And the authentication cost of $T_{1}$ and $T_{2}$ is showed in Figure 5, where $t = 0.01 s$ . It is obvious that $T_{1}$ is increased gradually with the time change, which also shows that the μTESLA needs more authentication cost with the time change, while the authentication cost of MBAP is not changed all the time.

Figure 5

T changes.

It shows the cost changes of once authentication calculation on different time slices in Figure 5, but there will be amounts of authentication calculation happening on each time slice actually, which can cause some time delay for each authentication calculation. So, the authentication delay is increased with the time changes. For this reason, we assume that there will be n times authentication calculation happening on each time slice, and we assume that $T_{3}$ is the authentication cost on time slice i by n times authentication calculation in μTESLA, and

\begin{matrix} T_{3} = n ((i - 2) t + t) + δ = n (i - 1) t + δ = n (i - 1) t + 2 . \end{matrix}

(23)

Similarly, we assume that $T_{4}$ is the authentication cost on time slice i by n times authentication calculation in MBAP, and

\begin{matrix} T_{4} = n (4 t) = 4 n t . \end{matrix}

(24)

For ease of calculating, we assume $n = 10$ , and the authentication cost of these two protocols is showed in Figures 6, 7, and 8.

Figure 6

T changes of μTESLA protocol.

Figure 7

T changes of MBAP protocol.

Figure 8

T changes between two protocols.

It is indicated in Figures 6 and 7 that the authentication delays of these two protocols are all increased with the time changes, but the authentication delays of μTESLA are increased much faster with the authentication calculation increasing, while the authentication delay of MBAP is changed stably.

It is indicated in Figure 8 that there will be some messages abandoned on some slices with the authentication delay increasing in μTESLA; it is one of the issues in μTESLA analyzed in Section 2.

4.5. Initialization Parameter

In MBAP, the only predistributed initialization parameter is $f (x)$ , and if $f (x)$ is a quadratic polynomial, this can make a mutual authentication.

While in μTESLA the initialization parameters are $\{K_{0}, δ, D, T_{0}\}$ and if the nodes send the initialization parameters $\{K_{0}, δ, D, T_{0}\}$ in unicast way upon network initialization, that will cause much resource consumption, because the sending node needs to encrypt $\{K_{0}, δ, D, T_{0}\}$ in different keys shared with the receiving node, which will cause the delay for data packet transmission and authentication, and the delay may lead to DoS attacks.

4.6. Length of the Key Chain

In μTESLA, when the sensor nodes receive the published key $K_{j}$ , we can verify the correctness of $K_{j}$ by $K_{0} = H^{j} (K_{j})$ or $K_{i} = H^{(j - i)} (K_{j})$ , where $K_{i}$ is the verified key before $K_{j}$ and $K_{0}$ is the initial key. So in order to complete the authentication task in μTESLA, it needs to save a long secret key chain and needs to reconstruct the key chain sometimes, which makes a large network load.

In MBAP, the authentication key $K (i)$ is Fourier series, and we can get $K^{'} (i) = K (i - 1) + (a_{i}^{'} \cos i x + b_{i}^{'} \sin i x)$ in (16), where $K (i - 1)$ is the authentication key on time slice $i - 1$ which has been authenticated on last time slice, so we can get $K^{'} (i) = K (i)$ by verifying $h (a_{i}^{'}) = h (a_{i})$ and $h (b_{i}^{'}) = h (b_{i})$ in Step 4 of Section 3.3, which shows that the calculation of $K (i)$ avoids amounts of the calculation of Fourier series coefficients each time and reduces the computation cost greatly.

5. Summary

This thesis presents a mutual broadcast authentication protocol (MBAP) for wireless sensor networks based on Fourier series according to the problems of the main broadcasting authentication protocol μTESLA being limited in authentication delay, more initial parameters, limited time, large key chain, and network congestion. And the mutual authentication between nodes and base station is achieved according to the characteristic of continuous-integrability function $f (x)$ in $[- π, π]$ which could be expanded into Fourier series. Firstly, one has predistributing $f (x)$ for each node upon network initializing, calculating the current Fourier series coefficients, establishing authentication key $K^{'}$ , verifying the correctness of the broadcast authentication information, achieving entity authentication, and source attestation. Secondly, assuming that $f (x)$ is the quadratic form function and achieving the reverse authentication work for base station to common sensor nodes by detecting the security of $f (x)$ , it also means that the MBAP protocol can achieve mutual security authentication. The analysis results of safety performance in MBAP show that the captured nodes in WSN will not affect the security of broadcast authentication protocol and have a low computation and communication cost, the base station can make broadcast randomly, and common sensor nodes can authenticate messages instantly, which solves the problem of network congestion well. The most important thing of MBAP is the mutual broadcast authentication method which ensures the security of the network greatly.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is funded by the National Nature Science Foundation of China (no. 61473050), National Science and Technology Planning of China (2011BAJ03B13-2), and National Basic Research Program of China (2013CB328903).

References

Zhao

R. Q.

Shen

X. H.

Zhang

X. M.

Hou

J. P.

Maximum life-time broadcast protocol for wireless sensor networks

Proceedings of the International Conference on Computer Application and System Modeling (ICCASM ′10)

October 2010

Taiyuan, China

440 444

10.1109/ICCASM.2010.5623171

Zhang

Yin

Trivedi

K. S.

Design and analysis of a robust broadcast scheme for VANET safety-related services

IEEE Transactions on Vehicular Technology 2012 61 1 46 61

10.1109/tvt.2011.2177675

2-s2.0-84862932754

Ramalingam

K. C.

Subramanian

Uluagac

A. S.

Beyah

SIMAGE: secure and link-quality cognizant image distribution for wireless sensor networks

Proceedings of the IEEE Global Communications Conference (GLOBECOM ′12)

December 2012

Piscataway, NJ, USA

616 621

10.1109/glocom.2012.6503181

2-s2.0-84877655157

Liu

X.-F.

Zhang

Y.-Q.

Wang

Zhang

G.-H.

An efficient anonymity message authentication with backward secure revocation for vehicular ad hoc networks

Journal of Electronics and Information Technology 2014 36 1 94 100

10.3724/sp.j.1146.2013.00342

2-s2.0-84893830818

Xie

C.-X.

Chen

W.-J.

W.-P.

An RFID authentication protocol anonymous against readers

Journal of Electrical Systems & Information Technology 2015 37 5 1241 1247

10.11999/JEIT140902

W. C.

Chen

K. C.

Broadcast transmission capacity of heterogeneous wireless ad hoc networks with secrecy outage constraints

Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ′11)

December 2011

Houston, Tex, USA

IEEE Press

1 5

10.1109/GLOCOM.2011.6133745

Song

Xie

A QoS-based broadcast protocol for multi-hop cognitive radio ad hoc networks under blind information

Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ′11)

December 2011

Houston, Tex, USA

1 5

10.1109/GLOCOM.2011.6134457

Chakraborty

Nandi

Karmakar

A reliable and total order tree based broadcast in wireless sensor network

Proceedings of the 2nd IEEE International Conference on Computer & Communication Technology (ICCCT ′11)

September 2011

Allahabad, India

IEEE

618 623

10.1109/iccct.2011.6075099

2-s2.0-82955202732

Kong

F. Y.

Cheng

X. G.

Hao

One forward-secure signature scheme using bilinear maps and its applications

Information Sciences 2014 279 60 76

10.1016/j.ins.2014.03.082

2-s2.0-84901836903

10.

Hao

Kong

F. Y.

Cheng

X. G.

Fan

Chen

Forward-secure identity-based signature: security notions and construction

Information Sciences 2011 181 3 648 660

10.1016/j.ins.2010.09.034

2-s2.0-78449305489

11.

Kong

Cheng

Hao

Fan

Intrusion-resilient identity-based signature: security definition and construction

Journal of Systems and Software 2012 85 2 382 391

10.1016/j.jss.2011.08.034

2-s2.0-84355162191

12.

Kwon

Hong

Secure and efficient broadcast authentication in wireless sensor networks

IEEE Transactions on Computers 2010 59 8 1120 1133

10.1109/TC.2009.171

2-s2.0-77954163084

13.

Zhang

Liu

CRTBA: Chinese remainder theorem-based broadcast authentication in wireless sensor networks

Proceedings of the International Symposium on Computer Network and Multimedia Technology (CNMT ′09)

January 2009

Wuhan, China

1 5

10.1109/CNMT.2009.5374495

14.

Ren

Lou

Zeng

Moran

P. J.

On broadcast authentication in wireless sensor networks

IEEE Transactions on Wireless Communications 2007 6 11 4136 4144

10.1109/twc.2007.060255

2-s2.0-36248988077

15.

Perrig

Szewczyk

Tygar

J. D.

Wen

Culler

D. E.

SPINS: security protocols for sensor networks

Wireless Networks 2002 8 5 521 534

10.1023/a:1016598314198

2-s2.0-0036738266

16.

Dong-Gang

Ning

Multi-level μTESLA: a broadcast authentication system for distributed sensor networks

ACM Transactions on Embedded Computing Systems 2004 3 4 800 836

10.1145/1027794.1027800

17.

Wang

X.-G.

Shi

W.-R.

Zhou

Gao

Jiang

Y.-S.

A key management scheme based on quadratic form for wireless sensor network

Acta Electronica Sinica 2013 41 2 214 219

10.3969/j.issn.0372-2112.2013.02.002

2-s2.0-84875634215

18.

Eschenauer

Gligor

V. D.

A key-management scheme for distributed sensor networks

Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ′02)

November 2002

Washington, DC, USA

ACM

41 47

10.1145/586110.586117

2-s2.0-0038341106

A Mutual Broadcast Authentication Protocol for Wireless Sensor Networks Based on Fourier Series

Abstract

1. Introduction

2. Related Work

2.1. μTESLA Protocol

2.2. μTESLA Protocol Issues

2.2.1. Computation Cost

2.2.2. Delay

2.2.3. Problem of Initialization Parameters

2.2.4. Authentication Aging Problem

2.2.5. Fixed Key Chain Length

3. MBAP

3.1. Network Model Assumptions

3.2. Analyzing Characteristics of Fourier Series

Definition 1.

3.2.1. Orthogonal Analysis of Trigonometric Function

3.2.2. Fourier Series Coefficient Analysis

Deduction 1.

Proof.

3.3. MBAP Authentication Principle

Deduction 2.

Proof.

4. Security Analysis

4.1. Anticapture

4.2. Low Cost

4.3. Instant Authentication

4.4. Delay

4.5. Initialization Parameter

4.6. Length of the Key Chain

5. Summary

Footnotes

Conflict of Interests

Acknowledgments

References