Secure Key Distribution Using Fragmentation and Assimilation in Wireless Sensor and Actor Networks

Abstract

Secure key distribution is one of the most important building blocks to ensure confidentiality in wireless sensor and actor networks (WSANs). However, the key distribution becomes a challenging task when keys have to be relayed by compromised nodes in order to establish secure communication between distant nodes. To deal with this issue, we propose in this paper a key distribution scheme, named key distribution using fragmentation and assimilation (KDFA). In this scheme, the sender node splits the actual key into fragments and sends them through intermediate actor nodes towards the receiver node. The latter assimilates these key fragments using XOR operation to reconstruct the actual key. In this case, attacker cannot retrieve the actual key and only gets the key fragment. KDFA is composed of two parts: (a) key distribution protocol (KDP) to distribute the key using intra-actor and interactor communication scenarios and (b) key fragmentation algorithm (KFA) to slice the key using binary calculations. KDFA execution has been specified and formally verified using Rubin logic. Moreover, the performance and the resilience of the proposed protocol are further analyzed through extensive simulations using ns-2.35. Results show that KDFA is resilient against actor node compromise and key exposure.

1. Introduction

A wireless sensor and actor network (WSAN) is a distributed system of sensor and actor nodes that are interconnected through wireless links [1, 2]. The sensor nodes gather information about the environment such as temperature and vibration and send them a base station (or sink) using a hop-by-hop communication. On the other hand, the actor nodes perform actions in response to some specific events. Such networks are widely used in applications like buildings/house monitoring [3], water sprinkling on fire detection [4], surveillance and intruder detection, traffic monitoring, health and habitat monitoring, and so forth [5, 6]. Actor nodes play a vital role at taking actions to change the behavior of the environment by analyzing and responding to the events [7]. They also communicate with ordinary sensor nodes to collect data as shown in Figure 1.

Figure 1

Communication scenarios in WSAN.

Secure key distribution in WSAN is mandatory because most of the applications require confidentiality of data exchanged between nodes located in different regions [8, 9]. In the literature, some secure key establishment schemes have been proposed to enhance security and ensure confidentiality. In existing symmetric key management schemes [10–12], if a node is compromised then the new key distribution messages passing through that node are also compromised. Therefore, the links are compromised before their establishment, and it is not possible to establish end-to-end key between the sender and the receiver as messages can be decrypted and then reencrypted at the intermediate nodes. An intermediate malicious node can interpret these keys and help other malicious nodes at joining the network using valid keys. The problem becomes more complex when indirect keys are exchanged between distant nodes in different regions because more intermediate nodes are involved and the probability of the key to be relayed by malicious intermediate nodes increases.

In the existing key distribution schemes, all the keys that pass through compromised nodes also become compromised. The issue studied in this paper is how to exchange secret keys among distant nodes in the presence of malicious intermediate nodes. To deal with this issue, we propose a key distribution using fragmentation and assimilation (KDFA) scheme for establishing indirect keys between two distant sensor nodes. The main contribution offered by KDFA is that the sender node slices the actual key into fragments and sends them via intermediate actor nodes towards the receiver node. The distant receiver node assimilates the key fragments using XOR operation to obtain the original key. In this case, the attacker can only get the key fragment because the original key is never transmitted. The condition for successful attack is to capture all the fragment key packets related to one key, which is not a trivial task. If an attacker succeeds at identifying the intermediate nodes and subverting the key fragments then only one key is exposed. Therefore, KDFA is expected to provide better secure key distribution scheme and achieve better resilience against malicious nodes in comparison to other schemes.

KDFA is composed of two parts: (a) key fragmentation algorithm (KFA), which divides the keys of different sizes into an appropriate number of key fragments, and (b) key distribution protocol (KDP) provides a stepwise description for exchanging secure messages to distribute pairwise keys. In addition, we have formally specified and verified KDFA using Rubin logic [13]. The latter validates the protocol as per standard requirements of cryptographic operations like authentication, message integrity, message freshness, encryption, decryption, and so forth. It also helps at identifying the deficiencies in the protocol and possibilities of node compromise attacks, and it is also near to real implementation. KDFA is further simulated under ns-2.35 to assess its effectiveness in terms of resilience against compromised nodes. Results show that two uncompromised nodes can distribute a key securely even if a large number of intermediate nodes are compromised.

The rest of paper is organized as follows: system model and problem statement are provided in Section 2. Section 3 presents related work. Section 4 details KDFA operations for key distribution. Section 5 provides a detailed formal specification and analysis of KDFA using Rubin logic. Simulation scenarios and results in terms of resilience, fragmentation computation, and communication overhead are given in Section 6. Finally, Section 7 concludes the work and outlines future research directions.

2. System Model and Problem Statement

We consider a model of WSAN, in which the nodes composing the networks (i.e., sensors, actors, and the sink) are randomly deployed in the network field. We assume that each actor knows the keys of all the sensor nodes in the network and can move around within the network field to collect data from sensors. We also assume that nodes within communication range of each other have already established keys among them.

During indirect key establishment between ordinary distant nodes, the sender node transmits a pairwise key via intermediate nodes. The message that contains a new key is encrypted by the preestablished key between the sender and the intermediate node. The latter decrypts the key and then reencrypts it using the preestablished key with the next intermediate node and so on. By following the same process, the new key reaches the receiver node. The problem in this scenario is that any new secret key is available to intermediate nodes in a plain text form. If one of the intermediate nodes is compromised then that key is compromised before its establishment. Similarly, future key passed through that nodes become also compromised. The same problem holds in [10–12, 14–17] for WSN and [9, 16, 18–20] for WSAN.

This allows the attacker to perform illegal activities by either code alteration or falsifying the broadcast messages. New indirect keys can also be established with that malicious node. An adversary can also introduce new node to the network by preloading the compromised keys onto it along with a duplicate ID of a sensor node that was expired by the attacker. This new duplicated node can receive the packets destined for the actual node. In a similar way the situation can be worse if a large number of new compromised actor nodes are introduced to the network.

3. Related Work

Key management schemes have been extensively investigated in the context of indirect key establishment between nodes in WSNs and WSANs. In this scenario, a symmetric key is transmitted by the sender node to the receiver node using intermediaries. Intermediate nodes in the literature are called agent [15], gateway [10], bridge [12], or proxy [17]. These nodes play a vital role for intercluster communication in WSN. We will use the name gateway to represent such nodes. Also, the similar role is played by actors for indirect key establishment in WSAN [9, 16, 18–20].

3.1. Gateway Node Based Schemes

Zhou et al. [15] provided a pairwise intergroup key distribution scenario where an agent node pair is used to share keys between senders and receivers. This scenario is depicted in Figure 2 where the sender node n2 sends the message via an agent node pair n7 and n23 to the receiver node n30. This scheme uses an agent pair to transmit a single key whereas in our proposed scheme (i.e., KDFA) actor pairs are used instead.

Figure 2

Interagent key distribution.

Addya and Turuk [10] proposed a scheme, which required the gateway node to set up an intergroup path key between nodes of two clusters. A single node is acting as a gateway node instead of a node pair because it has shared keys of both clusters. This node should be located at a common region of two clusters similar to the locations of nodes 5, 11 as illustrated in Figure 3. Intercluster communication between cluster 1 and cluster 2 is established through node 5. There could be multiple gateway nodes in a common region. The scheme uses a gateway node to transmit a single key which is similar to the intra-actor communication scheme proposed in KDFA.

Figure 3

Intercluster communication using gateway nodes.

Zhou and Fang [21] proposed a symmetric polynomial based scheme where polynomial shared keys are preloaded in each sensor to calculate the direct key after deployment. Nodes located at the junction of two clusters receive two polynomials and can play the role of gateway. To achieve satisfactory level of security, coefficient degree must satisfy (1) where $N_{i}$ is the size of group i, t is the degree of polynomial, and K is the count of preloaded security credentials:

\begin{array}{l} 0 \leq N_{i} - 2 \leq t \\ N_{i} \sqrt[K + 1]{\frac{k (K + 1)!}{2}} \\ i = 1, 2, \dots, K . \end{array}

(1)

In this scheme, if a new node joins the network or existing node leaves the network then new polynomial is calculated to refresh the existing keys. It requires a large amount of communication overhead. It could be reduced by adopting XOR based key freshness scheme [22] where a magic word is shared among all member nodes to refresh the key in an efficient manner.

Huang's scheme [14] mitigated the effects of compromised nodes by applying the Reed-Solomon encoding scheme to divide the seed of a key into n codewords and transmit each codeword via different node-disjoint path. KDFA applies the idea of partitioning on indirect keys as in [14]. However, instead of using some encoding scheme, it just uses a lightweight fragmentation mechanism to partition the key into small-sized fragments.

3.2. Actor Node Based Schemes

Du et al. [9] proposed a distributed key establishment scheme for WSAN, in which actors are preloaded with symmetric keys and public key certificates as well. After deployment, node A can request from its neighbors to sign its certificate where an actor can also be one of the signers. Neighboring nodes sign the received certificate by using their self-generated private key $K_{N_{i}}^{- 1}$ and return the signatures ${{C e r t}_{a}}_{K_{N_{i}}^{- 1}}$ back to node A. Afterwards, communicating nodes can exchange a key by sharing symmetric session key encrypted using public keys. If a node is captured then its certificates are also removed from the list of neighboring nodes. It claims to achieve guaranteed security if a small number of nodes are malicious. In this scheme, nodes are relying on ordinary intermediate nodes for signing the certificates where a malicious node can also take part in establishing keys. KDFA is a reliable scheme that ensures the resilience and the secure key distribution in case a large number of nodes are compromised.

Mármol et al. [19] proposed WSANRep to maintain node reputation to detect the malicious nodes and exclude from the network. Global reputation of a network WSAN_j can be calculated by a group $G_{i}$ at the tth transaction using (2) where α, β, and γ are weights assigned based on previous experiences:

\begin{array}{l} {GRep}_{〈 G_{i}, {WSAN}_{j} 〉}^{(t)} = (α_{〈 G_{i}, {WSAN}_{j} 〉} \cdot {GRep}_{〈 G_{i}, {WSAN}_{j} 〉}^{(t - 1)}) \\ + (β_{〈 G_{i}, {WSAN}_{j} 〉} \cdot {Rep}_{〈 G_{i}, {WSAN}_{j} 〉}) \\ + (γ_{〈 G_{i}, {WSAN}_{j} 〉} \cdot {Rep}_{〈 O, {WSAN}_{j} 〉}) . \end{array}

(2)

Kashi and Sharifi [23] illustrated a categorical comparison for weak coordination and connectivity between actors and sensor nodes. It recommends that powerful actor nodes can help sensor nodes in routing and forwarding data to the sink. KDFA provides a strong resilience to protect the key exposure at intermediate compromised nodes. Interactor connectivity is the mandatory part for this communication; therefore, connectivity restoration [24–26] should also be considered to achieve sustainable communication and coordination [27] in different regions using actor nodes.

Y. Lee and S. Lee [20] proposed a scheme to establish pairwise keys between two sensors and between sensors and actors for secure communication in WSAN. A region key is also distributed by actor nodes to its neighboring sensor nodes for a specific task and keys expire after a fixed time quanta. Public key cryptography was proposed only for upper layer communication between actors and the sink nodes. Key distribution through public key cryptography is an expensive task in terms of computation and a central KDC could be a single point of failure. KDFA does not require a KDC and it ensures secure key distribution as compared to the existing schemes.

4. Key Distribution Using Fragmentation and Assimilation (KDFA)

The proposed scheme KDFA provides a reliable solution to the key exposure problem at compromised intermediate nodes. A sender node transmits a request to nearby actors for establishing key with a distant receiver node that is located outside the communication range. Actors can play a vital role at routing keys between sender and receiver nodes. Key distribution process begins when a sender uses a light weight fragmentation mechanism to divide the key into f fragments and transmits them through f intermediate actor nodes in the paths towards the receiver. The receiver calculates the actual key by taking XOR of these key fragments. In this process, number of key fragments “f” is decided by the administrator and it depends on the safety of deployment region and the security level required by the application. In most of the cases, the recommended value for f is either 2 or 3. In KDFA, the attacker can only get the key fragment by capturing intermediate nodes and not the complete original key. It provides an efficient way to secure the pairwise key establishment scheme by improving the resilience against the node capture attacks.

Actor nodes can distribute the key fragments using one of the following communication scenarios. In the first scenario, the sender requests to establish an indirect key with a node located outside its transmission range but exist within the communication range of nearby actor nodes. The actor node has keys of all the nodes in the network and can act as an intermediate node to establish a secret key between sender $S_{i}$ and receiver $R_{k}$ . This scenario is shown in Figure 4 where $f = 2$ fragments are transmitted using actor nodes $A_{x}$ and $A_{y}$ . Afterwards, $S_{i}$ and $R_{k}$ can exchange encrypted messages via ordinary intermediate sensor nodes.

Figure 4

Intra-actor communication for key distribution.

In the second scenario, the sender node transmits two key fragments to the actor node pair to establish indirect key with a distant node $R_{k}$ that is not within transmission range of actor $A_{x}$ and $A_{y}$ . Actors request the adjacent actor to distribute the key fragments to $R_{k}$ . It requires interactor communication between two actor pairs for $f = 2$ fragments, as illustrated in Figure 5.

Figure 5

Inter-actor communication for key distribution.

In the third scenario, the sender node requests from nearby actor node pair to establish indirect key with a distant node by distributing key fragments. Actor $A_{x}$ is within the transmission range of $R_{k}$ and directly sends the key fragment to $R_{k}$ . But the receiver node $R_{k}$ is out of the transmission range of the second actor $A_{y}$ , which requires interactor communication to distribute the key fragment to $R_{k}$ . Figure 6 depicts the key establishment for the $f = 2$ key fragments using hybrid communication scenario.

Figure 6

Hybrid communication for key distribution.

During the key distribution process, if there is only one actor in the range of the sender node and the second actor node is not available within a threshold value of time then f key fragment messages are sent via a single actor node. An upper-bound on the delay between consecutive transmissions of fragments can be imposed so that the receiver node will wait for the next fragment. An extra functionality can be added to the receiver code to manage the freshness as different messages originated by the same node reach the receivers at different time instants. During the waiting phase, another actor can visit the sender node's area to transmit other fragments because the actors frequently visit areas to collect data from the sensor nodes. In all case, the property ensured by KDFA is that a single key is never sent in one message.

KDFA is applicable for static and mobile sensor nodes. In war field, two or more distant soldiers can exchange their current positions securely to move together towards the target. In industry, big machines are turned on in a sequential manner to avoid power hazards. Distant machines can be synchronized to turn on or off by exchanging secure messages. There exist a number of similar application scenarios where our scheme can effectively provide secure messaging.

A list of notations used in KDFA is provided with brief description in Table 1.

Table 1

Notations.

Sr.	Notation	Description
1	$S_{i}$	Sender node
2	$R_{k}$	Receiver node
3	F	Number of key fragments
4	$A_{x}$ , $A_{y}$	Actor nodes
5	$K_{F_{m}}$ , $K_{F_{m + 1}}$	Two key fragments
6	$n_{i}$ , $n_{i + 1}$	Nonce values form $S_{i}$
7	$t_{i}$ , $t_{i + 1}$	Timestamps from $S_{i}$
8	$C_{1}$ , $C_{2}$ , $C_{3}$	Cipher text of messages 1, 2, and 3
9	$K_{S_{i} - A_{x}}$ , $K_{S_{i} - A_{y}}$	Secret keys between sender $S_{i}$ and actors $A_{x}$ and $A_{y}$
10	$K_{A_{x} - R_{k}}$ , $K_{A_{y} - R_{k}}$	Secret keys between receiver $R_{k}$ and actors $A_{x}$ and $A_{x}$
11	$K_{S_{i} - R_{k}}$	New key established between distant nodes $S_{i}$ and $R_{k}$

4.1. Key Fragmentation Algorithm (KFA)

It is used by the sender node to divide the key into f fragments. If the key size is divisible by f then equal-sized fragments are produced like 32-bit key is divided into 2 fragments of size 16-bit each, but in case of 3 fragments the result will be two fragments of size 10 and the last fragment of size 12. The size of the last fragment is calculated as per line 7 in Pseudocode 1.

Pseudocode 1: Key fragmentation.

(1) if Remainder of (keySize, f) is 0 then

(2) fragmentSize = keySize/f

(3) $L F_{z}$ = fragmentSize

(4) else

(5) fragmentSize = $^{⌞} {k e y S i z e / f}^{⌟}$

(6) addBits = keySize − (fragmentSize * f)

(7) $L F_{z}$ = fragmentSize + addBits

(8) end if

Step 1, 2. If a selected key size in bits is completely divisible by f, for example, a 32-bit key with $f = 2$ , then the remainder Rem(32,2) is zero. It produces 2 fragments of 16-bit each.

Step 3. Last fragment size is equal to the fragment size because the key size is completely divisible.

Step 4, 5. If the key size is not completely divisible by f, for example, a 32-bit key with $f = 3$ . In this case, the remainder Rem(32,3) is not zero. It will create three fragments of 10-bit each with a total of 30 bits and an extra fourth fragment of size 2-bit is also created. The last fragment is smaller than the selected fragment size, which is 10 in this case.

Step 6. This problem is mitigated by calculating additional bits and then padded them to the last fragment. Initially a fragment size is calculated by dividing the key size by f and the floor is taken to get the lower value for the fragment size. If a key size is 32 with $f = 3$ then the fragment size is 10. It will create ( $f - 1$ ) fragments of $(f r a g m e n t S i z e \times (f - 1))$ bits. It will produce two fragments of 20 bits when key size = 32, $f = 3$ and fragment Size = 10. Additional number of bits required for padding for the last fragment is calculated by multiplying the fragment size by f to get the total size in bits of all fragments. Then, we ignore extra bits left due to floor operation. It will result into 32 − 30 = 2 bits.

Step 7. The last fragment size LF_z is calculated by adding the number of padded additional bits to the fragment size. In the case of above scenario, fragment size is 10 and additional bits are 2; therefore, the last fragment size equals 12 bits.

Bitwise representation of this technique is elaborated in the following example where a 16-bit key 1110011101010101 is divided into $f = 2$ fragments that are 1110011100000000 and 0000000001010101. In this case the remainder Rem(16,2) = 0 that satisfies the if condition where fragment size is equal to 8 bit. The original key will be obtained by taking the XOR as follows:

\begin{matrix} \begin{matrix} 0000000001010101 \\ \underline{1110011100000000} \\ 1110011101010101 \end{matrix} . \end{matrix}

(3)

In another scenario, 16-bit key 1110011101010101 is divided into $f = 3$ fragments including 1110000000000000 , $0000011101000000$ , and $0000000000010101$ . It is obvious that the first two fragments contain 5 key bits and 11 padded zeros whereas the last fragment contains one extra bit from the original key, that is, 6 bits of key and 10 zeros. In this case the remainder Rem(16,3) = 1 which is not equal to zero. Therefore the else part of algorithm (i.e., line $(4)$ ) is executed where the fragment size equals 5 and the last fragment size equals 6. By applying the XOR operation on these fragments, the original key is obtained as follows:

\begin{matrix} \begin{matrix} 1110000000000000 \\ 0000011101000000 \\ \underline{0000000000010101} \\ 1110011101010101 \end{matrix} . \end{matrix}

(4)

4.2. Key Distribution Protocol (KDP)

The sender and receiver nodes establish the secret keys using KDP protocol. In this section, all the protocol steps are elaborated along with description of message contents for intra-actor distribution scenario. It includes sender $S_{i}$ , actors $A_{x}$ , $A_{y}$ , and receiver node $R_{k}$ . KDP starts when the sender node $S_{i}$ randomly selects an actor node for sending one key fragment $K_{F_{m}}$ and sends it to actor $A_{x}$ encrypted with the association key it shares with $A_{x}$ . Key fragment $K_{F_{m}}$ represents the mth key fragment where $1 \leq m \leq f$ . $A_{x}$ is the actor node where x represents the randomly selected actor ID. The value of x could be any number from 1 to Q, which represents the total number of actors in the network. Node $S_{i}$ will encrypt the message ( $K_{F_{m}}$ , $R_{k}$ , $n_{i}$ , $t_{i}$ , MAC( $K_{F_{m}} ∥ n_{i} ∥ t_{i}$ )) using a shared preestablished key with the actor node $A_{x}$ as described in (5). In the message, $n_{i}$ is nonce value, $t_{i}$ is timestamp, MAC( $K_{F_{m}} ∥ n_{i} ∥ t_{i}$ ) is hash of concatenated strings of $K_{F_{m}}$ , and $n_{i}$ and $t_{i}$ are used to ensure integrity protection of key fragment and also guard against replay attacks:

\begin{matrix} C_{1} = E_{K_{S_{i} - A_{x}}} (K_{F_{m}}, R_{k}, n_{i}, t_{i}, M A C (K_{F_{m}} ∥ n_{i} ∥ t_{i})) . \end{matrix}

(5)

Sender node

S_{i}

sends the message (

{I D}_{S_{i}}

C_{1}

) to actor node

A_{x}

After receiving the message, actor $A_{x}$ decrypts the message, as per

\begin{array}{l} (K_{F_{m}}, R_{k}, n_{i}, t_{i}, MAC (K_{F_{m}} ‖ n_{i} ‖ t_{i})) \\ = D_{K_{S_{j - A_{x}}}} ({ID}_{S_{i}, C_{1}}) . \end{array}

(6)

Actor

A_{x}

reencrypts the retrieved message using the association key

K_{A_{x} - R_{k}}

shared with the receiver node

R_{k}

, as shown in

\begin{matrix} C_{2} = E_{K_{A_{x} - S_{i}}} (K_{F_{m}}, n_{i}, t_{i}, M A C (K_{F_{m}} ∥ n_{i} ∥ t_{i})) . \end{matrix}

(7)

Actor

A_{x}

sends the message

({I D}_{A_{x}}, C_{2})

to the receiver node

R_{k}

Upon receiving the message, the receiver node $R_{k}$ decrypts the message using its preestablished key with $A_{x}$ , as illustrated in

\begin{matrix} (K_{F_{m}}, n_{i}, t_{i}, M A C (K_{F_{m}} ∥ n_{i} ∥ t_{i})) = D_{K_{A_{x} - R_{k}}} ({I D}_{A_{x}}, C_{2}) . \end{matrix}

(8)

Actor

A_{y}

also reencrypts the message according to (9) by using the preestablished key between actor

A_{y}

and the receiver node

R_{k}

\begin{matrix} C_{3} = E_{K_{A_{y} - S_{i}}} (K_{F_{m + 1}}, n_{i + 1}, t_{i + 1}, M A C (K_{F_{m + 1}} ∥ n_{i + 1} ∥ t_{i + 1})) . \end{matrix}

(9)

Actor

A_{y}

sends the message

({I D}_{A_{y}}, C_{3})

to the receiver Node

R_{k}

$R_{k}$ then recovers $K_{F_{m + 1}}$ as identified in (10) by using its preloaded association key $K_{A_{y} - R_{k}}$ established with $A_{y}$ :

\begin{array}{l} (K_{F_{m + 1}}, n_{i + 1}, t_{i + 1}, MAC (K_{F_{m + 1}} ‖ n_{i + 1} ‖ t_{i + 1})) \\ = D_{K_{A_{y - R_{k}}}} ({ID}_{A_{y}}, C_{3}) . \end{array}

(10)

Finally

R_{k}

receives f key fragments and assimilates the pairwise key using (11) where × represents XOR operation:

\begin{matrix} K_{S_{i} - R_{k}} = K_{F_{m}} \times K_{F_{m + 1}} . \end{matrix}

(11)

For Interactor distribution scenario, $A_{x}$ transmits the message to $B_{x}$ and then $B_{x}$ sends it to the receiver node $R_{k}$ . Similarly $A_{y}$ transmits via $B_{y}$ to the receiver node $R_{k}$ . Following additional messages are sent for interactor scenario:

$A_{x} \to B_{x}$ : $E_{K_{A_{x} - B_{x}}} (K_{F_{m}}, n_{i}, t_{i}, M A C (K_{F_{m}} ∥ n_{i} ∥ t_{i}))$

$A_{y} \to B_{y}$ : $E_{K_{A_{y} - B_{y}}} (K_{F_{m + 1}}, n_{i + 1}, t_{i + 1}, M A C (K_{F_{m + 1}} ∥ n_{i + 1} ∥ t_{i + 1}))$

$B_{x} \to R_{k}$ : $E_{K_{B_{x} - R_{k}}} (K_{F_{m}}, n_{i}, t_{i}, M A C (K_{F_{m}} ∥ n_{i} ∥ t_{i}))$

$B_{y} \to R_{k}$ : $E_{K_{B_{y} - R_{k}}} (K_{F_{m + 1}}, n_{i + 1}, t_{i + 1}, M A C (K_{F_{m + 1}} ∥ n_{i + 1} ∥ t_{i + 1}))$ .

5. KDFA Formal Specification

We have performed formal modeling using nonmonotonic cryptographic protocol (NCP) also called Rubin logic [13] to analyze and verify the KDFA protocol as per formal specifications. It validates the protocol as per standard requirements of cryptographic operations like authentication, message integrity, message freshness, encryption, decryption, and so forth. It also helps to identify the deficiencies in the proposed protocol and possibilities of compromise attacks. It is close to the actual implementation and flow of programming functions. In Rubin logic, the entities are assigned roles and a global set is also maintained where information about the protocol is maintained in these sets and it also maintains updated states of the users after each updateable operation. Global sets are accessible to all the member nodes and can be categorized into secret, observer, rule, and principal sets. A detailed discussion on formal specification for WSAN protocols is provided in [25, 28] along with appropriate case studies.

We have reutilized the notations of KDFA predefined earlier in Table 1 and a brief description is provided in Table 2 for all notations used in the following local set for formal specifications.

Table 2

Notations of local set for KDFA.

Sr.	Notation	Description
1	$K_{F_{m}}$ , $K_{F_{m + 1}}$	First and second key fragment for $f = 2$
2	$P_{S_{i} F_{m}}$ , $P_{S_{i} F_{m + 1}}$	Concatenated string at $S_{i}$ for the first and the second key fragment
3	$M_{1} – M_{2}$	Messages 1 to 2
4	$C_{1} – C_{5}$	Cipher texts of $M_{1}$ to $M_{5}$
5	$H_{S_{i} F_{m}}$ , $H_{S_{i} F_{m + 1}}$	Hash calculated at $S_{i}$ for $K_{F_{m}}$ and $K_{F_{m + 1}}$
6	$H^{*}$ , $H^{\land}$	Hash of message ( $K_{F_{m}}$ , $n_{i}$ , $t_{i}$ ) received at $A_{x}$ and $R_{k}$ for the first key fragment
7	$H^{+}$	Hash of message ( $K_{F_{m + 1}}$ , $n_{i + 1}$ , $t_{i + 1}$ ) received at $A_{y}$
8	$H^{~}$	Hash of concatenated reply message ( $n_{i}$ , $t_{k}$ , $H_{R_{k}}$ ) from $R_{k}$
9	$H_{R_{k}}$	Hash calculated at $R_{k}$ for reply to $S_{i}$
10	$P_{R_{k}}$	Concatenated string at $R_{k}$ for reply
11	$m_{c}$	Message count at $R_{k}$

A local set is maintained at each entity or node and can be categorized into possession POSS(), belief BEL(), and seen and behavior sets BL(). Detailed specification of this sets can be explored from [13, 16]. By applying Rubin logic on KDKF-AN, the local set is elaborated as follows and then its verification and analysis part provides a detailed overview of all sets maintained under the category of local set.

Local Set for KDFA (1)

Sender ( $S_{i}$ )

POSS( $S_{i}$ ) = ${{I D}_{S_{i}}$ , $K_{S_{i} - A_{x}}$ , $K_{S_{i} - A_{y}}}$

BEL( $S_{i}$ ) = {#( ${I D}_{S_{i}}$ ), #( $K_{S_{i} - A_{x}}$ ), #( $K_{S_{i} - A_{y}}$ )}

BL ( $S_{i}$ ) =

Hash( $h (\cdot)$ ; $K_{F_{m}}, n_{i}, t_{i}$ ) → $H_{S_{i} F_{m}}$

Concat( $K_{F_{m}}, n_{i}, R_{k}, t_{i}, H_{S_{i} F_{m}}$ ) → $P_{S_{i} F_{m}}$

Encrypt( ${P_{S_{i} F_{m}}}_{K_{S_{i} - A_{x}}}$ ) → $C_{1}$

Send( $A_{x}$ , ${{I D}_{S_{i}}$ , $C_{1}}$ ) → $M_{1}$

Update $(n_{i}, t_{i}, K_{F_{m}})$

Hash $(h (\cdot)$ ; $K_{F_{m + 1}}, n_{i + 1}, t_{i + 1})$ → $H_{S_{i} F_{m + 1}}$

Concat( $K_{F_{m + 1}}, R_{k}, n_{i + 1}, t_{i + 1}, H_{S_{i} F_{m + 1}}$ ) → $P_{S_{i} F_{m + 1}}$

Encrypt( ${P_{S_{i} F_{m + 1}}}_{K_{S_{i} - A_{y}}}$ ) → $C_{2}$

Send( $A_{y}$ , ${{I D}_{S_{i}}$ , $C_{2}}$ ) → $M_{2}$

Update( $n_{i + 1}$ , $t_{i + 1}$ , $K_{F_{m + 1}}$ )

Receive( $R_{k}$ , ${{I D}_{R_{k}}$ , $C_{5}}$ )

Split( ${{I D}_{R_{k}}$ , $C_{5}}$ )

Decrypt $({C_{5}}_{K_{R_{k} - S_{i}}})$ to get

[ ${n_{i}}^{*}$ , $t_{k}$ , $H_{R_{k}}$ ]

Check-freshness( $t_{A_{x}} - t_{k}$ ) ≥ $Δ t$

if yes, then abort

Check( $n_{i}$ , ${n_{i}}^{*}$ )

MAC({Concat $(n_{i}$ , $t_{k}$ , $H_{R_{k}})}$ ) → $H^{~}$

Check( $H_{R_{k}}$ , $H^{~}$ )

(2a)

Actor ( $A_{x}$ )

POSS( $A_{x}$ ) = ${{I D}_{A_{x}}$ , $K_{A_{x} - S_{i}}$ , $K_{A_{x} - R_{k}}}$

BEL( $A_{x}$ ) = {#( ${I D}_{A_{x}}$ ), #( $K_{A_{x} - S_{i}}$ ), #( $K_{A_{x} - R_{k}})}$

BL( $A_{x}$ ) =

Receive $(S_{i}$ , ${{I D}_{S_{i}}, C_{1}})$

Split( ${{I D}_{S_{i}}$ , $C_{1}}$ )

Decrypt( ${C_{1}}_{K_{A_{x} - S_{i}}}$ ) to get

[ $K_{F_{m}}, R_{k}, n_{i}, t_{i}, H_{S_{i} F_{m}}$ ]

Check-freshness( $t_{A_{x}} - t_{i}$ ) ≥ $Δ t$

if yes, then abort

MAC({Concat ( $K_{F_{m}}$ , $n_{i}$ , $t_{i}$ )}) → $H^{*}$

Check( $H_{S_{i} F_{m}}$ , $H^{*}$ )

Concat( $K_{F_{m}}$ , $n_{i}$ , $t_{i}$ , $H_{S_{i}} F_{m}$ ) → $P_{A_{x}}$

Encrypt( ${P_{A_{x}}}_{K_{A_{x} - R_{k}}}$ ) → $C_{3}$

Send( $R_{k}$ , ${{I D}_{A_{x}}, C_{3}}$ ) → $M_{3}$

Update( $M_{I D}$ )

(2b)

Actor ( $A_{y}$ )

POSS( $A_{y}$ ) = ${{I D}_{A_{y}}, K_{A_{y} - S_{i}}, K_{A_{y} - A_{x}}, K_{A_{y} - R_{k}}}$

BEL( $A_{y}$ ) = {#( ${I D}_{A_{y}}$ ), #( $K_{A_{y} - S_{i}}$ ), #( $K_{A_{y} - A_{x}}$ ), # $(K_{A_{y} - R_{k}})}$

BL( $A_{y}$ ) =

Receive( $S_{i}$ , ${{I D}_{S_{i}}, C_{2}}$ )

Split( ${{I D}_{S_{i}}, C_{2}}$ )

Decrypt( ${C_{2}}_{K_{A_{y} - S_{i}}}$ ) to get

[ $K_{F_{m + 1}}$ , $R_{k}$ , $n_{i + 1}$ , $t_{i + 1}$ , $H_{S_{i} F_{m + 1}}$ ]

Check-freshness( $t_{A_{y}} - t_{i + 1}$ ) ≥ $Δ t$

if yes, then abort

MAC({Concat( $K_{F_{m} + 1}$ , $n_{i + 1}$ , $t_{i + 1}$ )}) → $H^{+}$

Check( $H_{S_{i} F_{m + 1}}$ , $H^{+}$ )

Concat( $K_{F_{m + 1}}, n_{i + 1}, t_{i + 1}, H_{S_{i} F_{m + 1}}$ ) → $P_{A_{y}}$

Encrypt( ${P_{A_{y}}}_{K_{A_{y} - R_{k}}}$ ) → $C_{4}$

Send( $R_{k}$ , ${{I D}_{A_{y}}, C_{3}}$ ) → $M_{4}$

Update( $M_{I D}$ )

(3)

Receiver ( $R_{k}$ )

POSS( $R_{k}$ ) = ${{I D}_{R_{k}}$ , $K_{A_{y} - S_{i}}$ , $K_{A_{y} - S_{i}}$ , $m_{c}}$

BEL( $R_{k}$ ) = {#( ${I D}_{R_{k}}$ ), #( $K_{A_{y} - S_{i}}$ ), # $(K_{A_{y} - S_{i}})$ , $m_{c}}$

BL( $R_{k}$ ) =

Receive( $A_{x}$ , ${{I D}_{A_{x}}, C_{3}}$ )

Split( ${{I D}_{A_{x}}, C_{3}}$ )

Decrypt( ${C_{3}}_{K_{A_{x} - R_{k}}}$ ) to get

[ $K_{F_{m}}, n_{i}, t_{i}, H_{S_{i} F_{m}}$ ]

Check-freshness( $t_{k} - t_{i}$ ) ≥ $Δ t$

if yes, then abort

MAC({Concat $(K_{F_{m}}, n_{i}, t_{i})}$ ) → $H^{\land}$

Check( $H_{S_{i} F_{m}}, H^{\land}$ )

INCR( $m_{c}, 1$ )

Compare ( $m_{c}$ equals f) if NO continue

XOR( $K_{F_{m}}$ , $K_{F_{m + 1}}$ ) → $K_{R_{k} - S_{i}}$

Hash( $h (\cdot)$ ; $n_{i}$ , $t_{k}$ ) → $H_{R_{k}}$

Concat( $n_{i}$ , $t_{k}$ , $H_{R_{k}}$ ) → $P_{R_{k}}$

Encrypt( ${P_{R_{k}}}_{K_{R_{k} - S_{i}}}$ ) → $C_{5}$

Send( $S_{i}$ , ${{I D}_{R_{k}}$ , $C_{5}}$ ) → $M_{5}$

Update( $M_{I D}$ ).

Local sets for all the entities including sender, receiver, and actor nodes are separately maintained. A possession set POSS(entity) contains all the parameters involved in encryption, decryption, and other operations performed at local memory of each entity as described in section below. A Behavior List BL() contains the list of operations and input arguments that are performed in near to implementation steps by entities $S_{i}$ , $A_{x}$ , $A_{y}$ , and $R_{k}$ .

5.1. KDFA Analysis and Verification

In this section, KDFA is analyzed for intra-actor distribution scenario as discussed in Section 4. In this scenario, the key distribution is initiated by the sender node ( $S_{i}$ ) by transmitting message $M_{1}$ and $M_{2}$ to actor node $A_{x}$ and $A_{y}$ , respectively, and by considering $f = 2$ fragments. $R_{k}$ receives the fragments and calculates the secret key. After sending operation, an update operation is performed to refresh the observer list as shown below. (i)

Concat( $K_{F_{m}}$ , $n_{i}$ , $R_{k}$ , $t_{i}$ , $H_{S_{i} F_{m}}$ ) → $P_{S_{i} F_{m}}$

(ii)

Encrypt( ${P_{S_{i} F_{m}}}_{K_{S_{i} - A_{x}}}$ ) → $C_{1}$

(iii)

Send( $A_{x}$ , ${{I D}_{S_{i}}, C_{1}}$ ) → $M_{1}$

(iv)

Update ( $n_{i}$ , $t_{i}$ , $K_{F_{m}}$ ).

Sender node further unicasts another message to actor node

A_{y}

for transmitting the second key fragment using message

M_{2}

towards receiver node

R_{k}

. The steps are similar whereas new parameters are included as shown below.

(i)

Hash( $h (\cdot)$ ; $K_{F_{m + 1}}$ , $n_{i + 1}$ , $t_{i + 1}$ ) → $H_{S_{i} F_{m + 1}}$

(ii)

Concat( $K_{F_{m + 1}}$ , $R_{k}$ , $n_{i + 1}$ , $t_{i + 1}$ , $H_{S_{i} F_{m + 1}}$ ) → $P_{S_{i} F_{m + 1}}$

(iii)

Encrypt( ${P_{S_{i} F_{m + 1}}}_{K_{S_{i} - A_{y}}}$ ) → $C_{2}$

(iv)

Send( $A_{y}$ , ${{I D}_{S_{i}}, C_{2}}$ ) → $M_{2}$

(v)

Update( $n_{i + 1}$ , $t_{i + 1}$ , $K_{F_{m + 1}}$ ).

Related parameters including messages, ciphers, nonce values, actual key, key fragments, and hashes are saved in possession set at

S_{i}

during the key establishment phase as shown below.

POSS( $S_{i}$ ) = ${{I D}_{S_{i}}$ , $K_{S_{i} - A_{x}}$ , $K_{S_{i} - A_{y}}$ , $P_{S_{i} F_{m}}$ , $n_{i}$ , $t_{i}, K_{F_{m}}, H_{S_{i} F_{m}} C_{1}$ , $M_{1}$ , $K_{F_{m + 1}}$ , $R_{k}, n_{i + 1}$ , $t_{i + 1}, P_{S_{i} F_{m + 1}}, H_{S_{i} F_{m + 1}}$ , $C_{2}, M_{2}$ , $K_{S_{i} - R_{k}}}$

BEL( $S_{i}$ ) = ${# ({I D}_{S_{i}}), # (K_{S_{i} - A_{x}}), # (K_{S_{i} - A_{y}})}$ .

After sending two messages, control is passed to receive operation in appropriate actor node where messages are decrypted to retrieve concatenated message that are further split to get actual parameters. Freshness of message is checked by subtracting timestamp received

t_{i}

t_{i + 1}

from the actor's timestamp

t_{A_{x}}

t_{A_{y}}

and if the answer is greater than the threshold

Δ t

then further calculations are proceeded. Otherwise, message is discarded. MAC is also calculated as MAC({Concat(

K_{F_{m}}

n_{i}

t_{i}

)}) for concatenated parameters including

K_{F_{m}}

n_{i}

t_{i}

and compared to the hash values to ensure integrity protection. These operations, as shown in the following steps, are executed at actor node

A_{x}

and similar steps are followed by

A_{y}

with different parameters.

(i)

Receive( $S_{i}$ , ${{I D}_{S_{i}}, C_{1}}$ )

(ii)

Split( ${{I D}_{S_{i}}, C_{1}}$ )

(iii)

Decrypt( ${C_{1}}_{K_{A_{x} - S_{i}}}$ ) to get [ $K_{F_{m}}, R_{k}, n_{i}, t_{i}, H_{S_{i} F_{m}}$ ]

(iv)

Check-freshness( $t_{A_{x}} - t_{i}$ ) ≥ $Δ t$ if yes, then abort

(v)

MAC({Concat( $K_{F_{m}}$ , $n_{i}$ , $t_{i}$ )}) → $H^{*}$

(vi)

Check( $H_{S_{i} F_{m}}$ , $H^{*}$ ).

Actor nodes

A_{x}

and

A_{y}

further send these key fragments towards the receiver node by encrypting with the preestablished key with receiver node

R_{k}

(i)

Concat( $K_{F_{m}}$ , $n_{i}$ , $t_{i}$ , $H_{S_{i} F_{m}}$ ) → $P_{A_{x}}$

(ii)

Encrypt( ${P_{A_{x}}}_{K_{A_{x} - R_{k}}}$ ) → $C_{3}$

(iii)

Send( $R_{k}$ , ${{I D}_{A_{x}}, C_{3}}$ ) → $M_{3}$

(iv)

Update( $M_{I D}$ )

(v)

Forget( $P_{A_{x}}$ , $n_{i}$ , $t_{i}$ , $K_{F_{m}}$ , $R_{k}$ , $C_{3}$ , $M_{3}$ , $H^{*}$ ).

Possession set at actor nodes

A_{x}

and

A_{y}

contains the following parameters during execution of the above-mentioned operations as shown below.

POSS( $A_{x}$ ) = ${{I D}_{A_{x}}$ , $K_{A_{x} - S_{i}}$ , $K_{A_{x} - R_{k}}$ , $P_{A_{x}}$ , $R_{k}$ , $n_{i}$ , $t_{i}$ , $K_{F_{m}}$ , $C_{3}$ , $M_{3}$ , $H^{*}}$

BEL( $A_{x}$ ) = {#( ${I D}_{A_{x}}$ ), #( $K_{A_{x} - S_{i}}$ ), #( $K_{A_{x} - R_{k}}$ )}

POSS( $A_{y}$ ) = ${{I D}_{A_{y}}$ , $K_{A_{y} - S_{i}}$ , $K_{A_{y} - R_{k}}$ , $P_{A_{y}}$ , $R_{k}$ , $n_{i + 1}$ , $t_{i + 1}$ , $K_{F_{m} + 1}$ , $C_{4}$ , $M_{4}$ , $H^{+}}$

BEL( $A_{y}$ ) = {#( ${I D}_{A_{y}}$ ), #( $K_{A_{y} - S_{i}}$ ), # $(K_{A_{y} - R_{k}})}$ .

Forget operation will result in removing these temporary values (

P_{A_{x}}

n_{i}

t_{i}

K_{F_{m}}

R_{k}

C_{3}

M_{3}

H^{*}

) from the possession set at

A_{x}

. Actor node

A_{y}

also performs the same operation with different parameters.

The receiver node $R_{k}$ checks the freshness of message after decryption. Node $R_{k}$ maintains a count in $m_{c}$ for key fragment messages, if $m_{c}$ is less than number of fragments f then $R_{k}$ will continue to receive messages as shown in following steps. (i)

Receive( $A_{x}$ , ${{I D}_{A_{x}}$ , $C_{3}}$ )

(ii)

Split( ${{I D}_{A_{x}}$ , $C_{3}}$ )

(iii)

Decrypt( ${C_{3}}_{K_{A_{x} - R_{k}}}$ ) to get [ $K_{F_{m}}$ , $n_{i}$ , $t_{i}$ , $H_{S_{i} F_{m}}$ ]

(iv)

Check-freshness ( $t_{k} - t_{i}$ ) ≥ $Δ t$ if yes, then abort

(v)

MAC({Concat( $K_{F_{m}}$ , $n_{i}$ , $t_{i}$ )}) → $H^{\land}$

(vi)

Check( $H_{S_{i} F_{m}}$ , $H^{\land}$ )

(vii)

INCR( $m_{c}, 1$ )

(viii)

Compare( $m_{c}$ equals f) if no then continue.

m_{c}

is equal to f then

R_{k}

will apply the XOR operation on all the key fragments to calculate the actual key and then sends the acknowledgement message to the sender node

S_{i}

as shown below.

(i)

XOR( $K_{F_{m}}$ , $K_{F_{m + 1}}$ ) → $K_{R_{k} - S_{i}}$

(ii)

Hash( $h (\cdot)$ ; $n_{i}$ , $t_{k}$ ) → $H_{R_{k}}$

(iii)

Concat( $n_{i}$ , $t_{k}$ , $H_{R_{k}}$ ) → $P_{R_{k}}$

(iv)

Encrypt( ${\{P_{R_{k}}\}}_{K_{R_{k} - S_{i}}}$ ) → $C_{5}$

(v)

Send( $S_{i}$ , ${{I D}_{R_{k}}, C_{5}}$ ) → $M_{5}$

(vi)

Forget( $P_{S_{i} F_{m}}$ , $n_{i}$ , $t_{i}$ , $K_{F_{m}}$ , $H_{S_{i} F_{m}}$ , $H^{\land}$ , $C_{1}$ , $K_{F_{m + 1}}$ , $n_{i + 1}$ , $t_{i + 1}$ , $P_{S_{i} F_{m + 1}}$ , $H_{S_{i} F_{m + 1}}$ , $C_{3}$ , $H_{R_{k}}$ , $P_{R_{k}}$ , $C_{5}$ , $M_{5}$ ).

Possession set values including nonce values

n_{i}

n_{i + 1}

, time stamps

t_{i}

t_{i + 1}

, key fragments

K_{F_{m}}

K_{F_{m + 1}}

, cipher texts,

C_{1}

C_{3}

, and

C_{5}

, hash values

H_{S_{i} F_{m}}

H^{\land}

, and

H_{R_{k}}

, concatenated strings

P_{S_{i} F_{m}}

P_{S_{i} F_{m + 1}}

, and

P_{R_{k}}

, and secure keys are maintained at the receiver node

R_{k}

during the execution of the above-mentioned operations.

POSS( $R_{k}$ ) = ${{I D}_{R_{k}}, K_{R_{k} - A_{x}}$ , $K_{R_{k} - A_{y}}$ , $P_{S_{i} F_{m}}$ , $n_{i}$ , $t_{i}$ , $K_{F_{m}}$ , $H_{S_{i} F_{m}}$ , $H^{\land}$ , $C_{1}$ , $K_{F_{m + 1}}$ , $n_{i + 1}$ , $t_{i + 1}$ , $P_{S_{i} F_{m + 1}}$ , $H_{S_{i} F_{m + 1}}$ , $C_{3}$ , $H_{R_{k}}$ , $P_{R_{k}}$ , $C_{5}$ , $M_{5}$ , $K_{R_{k} - S_{i}}}$

BEL( $S_{i}$ ) = {#( ${I D}_{S_{i}}$ ), #( $K_{S_{i} - A_{x}}$ ), #( $K_{S_{i} - A_{y}}$ ), # $(K_{R_{k} - S_{i}})}$ .

After execution of all steps, secure key

K_{R_{k} - S_{i}}

is saved in belief set. Unnecessary values are removed by using Forget(

P_{S_{i} F_{m}}

n_{i}

t_{i}

K_{F_{m}}

H_{S_{i} F_{m}}

H^{\land}

C_{1}

K_{F_{m + 1}}

n_{i + 1}

t_{i + 1}

P_{S_{i} F_{m + 1}}

H_{S_{i} F_{m + 1}}

C_{3}

H_{R_{k}}

P_{R_{k}}

C_{5}

M_{5}

) operation after successful transmission of message from receiver

R_{k}

back to sender

S_{i}

The sender node $S_{i}$ receives the acknowledgement message $M_{5}$ encrypted with currently established key $K_{S_{i} - R_{k}}$ . Node $S_{i}$ decrypts the cipher text C5 to get [ ${n_{i}}^{*}$ , $t_{k}$ , $H_{R_{k}}$ ] and verify the nonce value as shown in the following steps. (i)

Receive( $R_{k}$ , ${{I D}_{R_{k}}, C_{5}}$ )

(ii)

Split( ${{I D}_{R_{k}}, C_{5}}$ )

(iii)

Decrypt( ${C_{5}}_{K_{R_{k} - S_{i}}}$ ) to get [ ${n_{i}}^{*}$ , $t_{k}$ , $H_{R_{k}}$ ]

(iv)

Check-freshness( $t_{A_{x}} - t_{k}$ ) ≥ $Δ T$ if yes, then abort

(v)

Check( $n_{i}$ , ${n_{i}}^{*}$ )

(vi)

MAC({Concat( $n_{i}$ , $t_{k}$ , $H_{R_{k}}$ )}) → $H^{~}$

(vii)

Check( $H_{R_{k}}$ , $H^{~}$ )

(viii)

Forget( $P_{S_{i} F_{m}}$ , $n_{i}$ , $t_{i}$ , $K_{F_{m}}$ , $H_{S_{i} F_{m}}$ , $C_{1}$ , $M_{1}$ , $K_{F_{m + 1}}$ , $n_{i + 1}$ , $t_{i + 1}$ , $P_{S_{i} F_{m + 1}}$ , $H_{S_{i} F_{m + 1}}$ , $C_{2}$ , $M_{2}$ ).

Possession set at

S_{i}

is refreshed after the completion of key distribution process and receiving the acknowledging message from the receiver node

R_{k}

. Secret key

K_{S_{i} - R_{k}}

is also saved in the belief set.

S_{i}

executes the above-mentioned Forget (

P_{S_{i} F_{m}}

n_{i}

t_{i}

K_{F_{m}}

H_{S_{i} F_{m}}

C_{1}

M_{1}

K_{F_{m + 1}}

n_{i + 1}

t_{i + 1}

P_{S_{i} F_{m + 1}}

H_{S_{i} F_{m + 1}}

C_{2}

M_{2}

) operation to clear the unnecessary values from possession set that is shown below.

POSS( $S_{i}$ ) = ${{I D}_{S_{i}}, K_{S_{i} - A_{x}}, K_{S_{i} - A_{y}}, K_{S_{i} - R_{k}}}$

BEL( $S_{i}$ ) = ${# ({I D}_{S_{i}}), # (K_{S_{i} - A_{x}}), # (K_{S_{i} - A_{y}}), # (K_{S_{i} - R_{k}})}$ .

6. Simulation and Results

For simulation, we have used ns-2.35 on Fedora Core 12. During simulation scenarios, C language is used for providing send and receive functionalities along with packet formats for sensor nodes, actors, and sink. Encryption, decryption, fragmentation, and hash functions are also provided in C. Tcl is used to create nodes, deployment of network field, and linking the nodes. Messages scenarios are also exchanged as per KDP specifications. In WSAN, nodes and actors are randomly deployed in a region of 1200 × 1200 meters where nodes were static and actors can move within the network field. We have focused on providing key distribution services and data collection scenario is left for future work. Transmission range of nodes is set to 40 meters with different network sizes from 100 to 1000 nodes. It also includes 5 to 20 powerful actor nodes. Queue type is set to Queue/DropTail/PriQue as shown in Table 3.

Table 3

Simulation parameters.

Simulation Setup
Parameters	Values
Network field	1200 × 1200 meters
Actor Tx radius	300 m
Initial energy at node	1000 J
Tx power at node	0.819 J
Receiving power	0.049 J
Physical type	Wireless physical
Queue type	Queue/DropTail/PriQue
Antenna type	Omni antenna
Max packet in queue	50
Routing protocol	DSDV
Agent trace	ON
Router trace	ON

6.1. Resilience

During interactor communication (IAC) two ordinary nodes from different regions communicate using two actor nodes. The probability that an actor node being compromised in the path can be calculated using (12), where N is the network size and cp is the number of nodes captured by an attacker in the network:

\begin{matrix} P_{N A C} = \frac{(\begin{smallmatrix} N - 3 \\ c p \end{smallmatrix})}{(\begin{smallmatrix} N - 2 \\ c p \end{smallmatrix})} . \end{matrix}

(12)

The total number of uncompromised nodes $N - 2$ means that 2 ordinary nodes are excluded from compromised nodes in network whereas $N - 3$ represents the further exclusion of one actor node. The probability that a certain actor node is captured at either sender or receiver side can be calculated using

\begin{matrix} P_{A C} = 1 - P_{N A C} = \frac{c p}{N - 2} . \end{matrix}

(13)

Considering the scenario of dividing a key into two fragments, we can calculate the probability of capturing exactly $f = 2$ actor nodes that are randomly selected for IAC as $P_{A C F = 2} = P_{A C} \times P_{A C}$ . We simulated KDFA scheme for a network of 1000 ordinary nodes with a transmission range of 40 meters and 50 actor nodes with transmission range of 250 meters.

Results in Figure 7(a) show that if 150 nodes are captured then there are 15% of chances to capture one actor node in the path. In case of fragmentation, there are only 2% for $f = 2$ and 0.3% for $f = 3$ , which are exactly those actor nodes that are randomly selected to transmit the key fragments. Figure 7(b) further evaluates the scenario when more than 60% of the nodes are compromised. If 600 nodes are compromised then there are only 13% of chances for $f = 4$ , 21.7% for $f = 3$ , and 36% for $f = 2$ scenario that f Actor nodes are captured. Hence resilience is very much improved due to fragmentation.

Figure 7

Probability of an actor node being compromised when less than 40% nodes in the entire network are captured in (a) and more than 60% in (b).

6.2. Fragmentation Computation Cost

A key fragment size is calculated using KFA as discussed in Section 4.1 where the size of the last fragment varies in case of odd number of fragments. Additional bits are added to last fragment as illustrated in step 7 and that is used to generate (14), where $L_{f}$ is the size of the last fragment, $K_{z}$ is the key size, and f is the number of fragments. The last key fragment size dependents on the remainder of $⌊K_{z} / f⌋$ operation:

\begin{matrix} L_{f} = K_{z} + ⌊\frac{K_{z}}{f}⌋ (1 - f) . \end{matrix}

(14)

Figure 8(a) shows the size of the last fragment by selecting $f = 2,3$ and 4 key fragmentation scenarios for distributing the keys of sizes 16 bits, 32 bits, 64 bits, and 128 bits. In case of $f = 3$ fragments, last fragment size is 24 bits whereas initial two fragments are 20 bits for distributing a 64-bit key. These 4 extra bits are produced because $K_{z}$ is indivisible by f. Figure 8(b) illustrates the size of the initial key fragments. By considering a 32-bit bit scenario for $f = 3$ fragments, the size of the initial two fragments is 10 bits. In case of even value for f, the last fragment size is the same as the initial key fragments.

Figure 8

Size in bits of the last fragment in (a) and size of initial fragments in (b) where the number of total fragments is $f = 2, 3, 4$ .

6.3. Communication Overhead Analysis

In KDFA, the number of messages ( $M_{C}$ ) transmitted during intra- or interactor communication scenarios can be calculated using (15) where f represents the number of fragments. In this equation, $M_{N}$ and $M_{A}$ represent the number of messages transmitted by ordinary node and actor, respectively, during intra- or interactor communication scenario without fragmentation:

\begin{matrix} M_{C} = (M_{N} + M_{A}) \times f . \end{matrix}

(15)

In case of intra-actor communication, $M_{N} = M_{A} = 1$ because the actual key was sent in single message like NEKM [20]. By applying fragmentation, the value of $M_{C} = 4$ for $f = 2$ fragments using (15). Similarly, in interactor communication scenario, $M_{N} = 1$ and $M_{A} = 2$ and $M_{C} = 6$ for $f = 2$ fragments using (15). Our main concern is to calculate the communication cost incurred by ordinary nodes. Therefore, we have ignored the value of $M_{A}$ . A sender transmits ${(M}_{N} \times f)$ messages to actor nodes, and hence $(f - 1)$ extra messages are sent by ordinary node due to fragmentation. If 2 key fragments are exchanged then only 2 messages are sent by the ordinary nodes to actors where 1 message is extra as compared to fragmentation less scenarios.

An ordinary node can establish indirect keys with distant sensor nodes in outer circle of its transmission range as illustrated in Figure 9(a). The total communication cost for indirect keying ( ${T M}_{C}$ ) can be calculated using (16) where $N_{O C}$ represents the total number of nodes in outer circle:

\begin{matrix} {T M}_{C} = N_{O C} \times (M_{N} + M_{A}) \times f . \end{matrix}

(16)

Figure 9(a) illustrates that if an ordinary node establishes keys with 6 nodes in its outer circle then 12 messages are exchanged by that node for

f = 2

key fragments. The same number of messages was sent in STSK [10] where an ordinary node was used as intermediary to exchange a single actual key per message without fragmentation. In NEKM [20], only 6 messages were sent to 6 nodes for key distribution using single actor without fragmentation. Message size for exchanging key fragment is 14 bytes that contains 16-bit sender ID, 32-bit key fragment, 16-bit nonce value, 16-bit timestamp, and 32-bit hash value according to (5). Our scheme requires extra 14 bytes to transmit one extra message in case of

f = 2

but such a little amount of overhead ensures the secure key distribution in severe environments even when a large number of nodes or actors are compromised. Fragmentation is only required for indirect key establishment that is less frequent as compared to direct keying. Once the key is distributed then that key is reused for future communication between these two nodes.

Figure 9

(a) Effects of key fragmentation on communication overhead. (b) Probability of links between nodes and actors.

M intra and M inter represent the values of communication cost ( $M_{C}$ ) for both scenarios. In this case, ordinary node transmits 12 messages for $N_{O C} = 6$ and $f = 2$ in both intra- and interactor communication scenarios. The sender transmits the same number of messages to actors whether intra-, interactor, or hybrid communication scenarios is adopted by actors.

If there are Q actor nodes in the network then $P_{A c t o r} = (\begin{smallmatrix} N - 1 \\ Q - 1 \end{smallmatrix}) / (\begin{smallmatrix} N \\ Q \end{smallmatrix})$ is the probability that a certain node is an actor. A node being an ordinary node could be identified with a probability $(1 - P_{A c t o r})$ . The probability of establishing links with gateway nodes at one end is $P_{A c t o r} \times (1 - P_{A c t o r})$ . Figure 9(b) elucidates that in case of 50 actors in a network of 1000 nodes, only 9.5% links are established between actors and nodes, 90% between nodes, and only 0.2% between actors. By referring to these probabilities, we can claim that the chances of intra-actor communication are higher than the interactor communication scenarios.

7. Conclusion

Key distribution schemes require agent nodes as intermediaries to establish keys between distant nodes. A compromised actor node can reveal all the keys passing through that node. Therefore, we have proposed a lightweight key fragmentation and assimilation scheme to mitigate the key exposure problem. Rubin logic is applied to model the proposed scheme KDFA and analysis is also performed to evaluate its accuracy of cryptographic operations and transmissions. Simulation results show the effectiveness of the proposed scheme over contemporary schemes in literature. According to results, 75% of communication is compromised in existing schemes whereas the proposed KDFA has the probability of exposing only 13% of communication when 60% of nodes are compromised. In the proposed scheme, sender transmits extra 14 bytes during key distribution process but using powerful actor nodes reduces the overhead for those messages exchanged through actors. In future, the proposed scheme will be analyzed to measure the effects of poor interactor connectivity on data extraction and aggregation.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for funding this research through Research Group Project (RG no. 1435-051).

References

Dinh

N.-T.

Kim

Potential of information-centric wireless sensor and actor networking

Proceedings of the International Conference on Computing, Management and Telecommunications (ComManTel ‘13)

January 2013

IEEE

163 168

10.1109/commantel.2013.6482384

2-s2.0-84875935763

Abbas

Jaleel

Egerstedt

Energy-efficient data collection in heterogeneous wireless sensor and actor networks

Proceedings of the 52nd Annual Conference on Decision and Control (CDC ‘13)

December 2013

Firenze, Italy

4164 4169

10.1109/CDC.2013.6760528

Binodkumar Malathi

Dbalaji

Ramkumar

Wireless sensor and actor network—security analysis

Journal of Wireless Networking and Communications 2014 4 1 1 6

10.5923/j.jwnc.20140401.01

Xia

Tian

Y.-C.

Sun

Wireless sensor/actuator network design for mobile control applications

Sensors 2007 7 10 2157 2173

10.3390/s7102157

2-s2.0-36049027106

Akyildiz

I. F.

Kasimoglu

I. H.

Wireless sensor and actor networks: research challenges

Ad Hoc Networks 2004 2 4 351 367

10.1016/j.adhoc.2004.04.003

2-s2.0-5444275208

Chen

Díaz

Llopis

Rubio

Troya

J. M.

A survey on quality of service support in wireless sensor and actor networks: requirements and challenges in the context of critical infrastructure protection

Journal of Network and Computer Applications 2011 34 4 1225 1239

2-s2.0-79956147659

10.1016/j.jnca.2011.01.008

Cuevas

Á.

Urueña

de Veciana

Cuevas

Crespi

Dynamic data-centric storage for long-term storage in wireless sensor and actor networks

Wireless Networks 2014 20 1 141 153

10.1007/s11276-013-0598-5

Kalyanasundaram

Priyadharshini

Gnanasekaran

The unceasing detection of adjoining nodes, its connectivity, weakness impact on wireless sensor networks and actor networks

2014 3 1 1346 1362

Kranakis

Nayak

Distributed key establishment in disruption tolerant location based social wireless sensor and actor network

Proceedings of the 9th Annual Communication Networks and Services Research Conference (CNSR ‘11)

May 2011

Ottawa, Canada

IEEE

109 116

2-s2.0-79959202864

10.1109/cnsr.2011.24

10.

Addya

S. K.

Turuk

A. K.

A technique for communication of distance node on key pre-distribution in wireless sensor networks

International Journal on Recent Trends in Engineering & Technology 2010 4 1 87 92

11.

Reddy

Key management in mobile sensor networks

Journal of Wireless Sensor Networks 2011 3 6

12.

Liu

Ning

Group-based key predistribution for wireless sensor networks

ACM Transactions on Sensor Networks 2008 4 2, article 11

10.1145/1340771.1340777

2-s2.0-42149172778

13.

Rubin

A. D.

Honeyman

Nonmonotonic cryptographic protocols

Proceedings of the Computer Security Foundations Workshop VII (CSFW ‘94)

June 1994

100 116

10.1109/csfw.1994.315943

14.

Huang

Medhi

Secure pairwise key establishment in large-scale sensor networks: an area partitioning and multi-group key predistribution approach

ACM Transactions on Sensor Networks 2007 3 3, article 16

10.1145/1267060.1267064

2-s2.0-34548396246

15.

Zhou

Ravishankar

C. V.

Efficient key establishment for group-based wireless sensor deployments

Proceedings of the ACM Workshop on Wireless Security (WiSe ‘05)

September 2005

1 10

2-s2.0-33646400365

16.

Kumar

Choudhury

A. J.

Sain

Lee

S.-G.

Lee

H.-J.

RUASN: a robust user authentication framework for wireless sensor networks

Sensors 2011 11 5 5020 5046

10.3390/s110505020

2-s2.0-79957718973

17.

Mehallegue

Bouridane

Garcia

Efficient path key establishment for wireless sensor networks

EURSIP Journal on Wireless Communications and Networking 2008 2008

456703

10.1155/2008/456703

2-s2.0-43949107866

18.

Alfadhly

Baroudi

Younis

Optimal node repositioning for tolerating node failure in wireless sensor actor network

Proceedings of the 25th Queen's Biennial Symposium on Communications (QBSC ‘10)

May 2010

67 71

10.1109/bsc.2010.5473000

2-s2.0-77954356165

19.

Mármol

F. G.

Sorge

Ugus

Pérez

G. M.

WSANRep, WSAN reputation-based selection in open environments

Wireless Personal Communications 2013 68 3 921 937

10.1007/s11277-011-0490-5

2-s2.0-84879787631

20.

Lee

A new efficient key management protocol for wireless sensor and actor networks

International Journal of Computer Science and Information Security 2009 6 2 15 22

21.

Zhou

Fang

A two-layer key establishment scheme for wireless sensor networks

IEEE Transactions on Mobile Computing 2007 6 9 1009 1020

10.1109/tmc.2007.1008

2-s2.0-34547411877

22.

Ghafoor

Sher

Imran

Saleem

A lightweight key freshness scheme for wireless sensor networks

Proceedings of the 12th International Conference on Information Technology: Next Generation (ITNG ‘15)

April 2015

Las Vegas, Nev, USA

23.

Kashi

S. S.

Sharifi

Connectivity weakness impacts on coordination in wireless sensor and actor networks

IEEE Communications Surveys & Tutorials 2012 15 1 145 166

10.1109/SURV.2011.122811.00096

24.

Acharya

Tripathy

C. R.

Inter-actor connectivity restoration in wireless sensor actor networks: an overview

ICT and Critical Infrastructure: Proceedings of the 48th Annual Convention of Computer Society of India—Vol I 2014 248

Springer

351 360 Advances in Intelligent Systems and Computing

10.1007/978-3-319-03107-1_38

25.

Imran

Zafar

N. A.

Formal specification and validation of a hybrid connectivity restoration algorithm for wireless sensor and actor networks

Sensors 2012 12 9 11754 11781

10.3390/s120911754

2-s2.0-84866980747

26.

Wang

S.-G.

Mao

X.-F.

Tang

S.-J.

X.-Y.

Zhao

J.-Z.

Dai

G.-J.

On movement-assisted connectivity restoration in wireless sensor and actor networks

IEEE Transactions on Parallel and Distributed Systems 2011 22 4 687 694

10.1109/tpds.2010.102

2-s2.0-79952072255

27.

Salarian

Chin

K.-W.

Naghdy

Coordination in wireless sensor-actuator networks: a survey

Journal of Parallel and Distributed Computing 2012 72 7 856 867

10.1016/j.jpdc.2012.02.013

2-s2.0-84861186182

28.

Kazemeyni

Owe

Johnsen

E. B.

Balasingham

Learning-based routing in mobile wireless sensor networks: applying formal modeling and analysis

Proceedings of the 2013 14th International Conference on Information Reuse and Integration

August 2013

San Francisco, Calif, USA

504 511