Mutual trust method for forwarding information in wireless sensor networks using random secret pre-distribution

Abstract

In wireless sensor networks, sensing information must be transmitted from sensor nodes to the base station by multiple hopping. Every sensor node is a sender and a relay node that forwards the sensing information that is sent by other nodes. Under an attack, the sensing information may be intercepted, modified, interrupted, or fabricated during transmission. Accordingly, the development of mutual trust to enable a secure path to be established for forwarding information is an important issue. Random key pre-distribution has been proposed to establish mutual trust among sensor nodes. This article modifies the random key pre-distribution to a random secret pre-distribution and incorporates identity-based cryptography to establish an effective method of establishing mutual trust for a wireless sensor network. In the proposed method, base station assigns an identity and embeds n secrets into the private secret keys for every sensor node. Based on the identity and private secret keys, the mutual trust method is utilized to explore the types of trust among neighboring sensor nodes. The novel method can resist malicious attacks and satisfy the requirements of wireless sensor network, which are resistance to compromising attacks, masquerading attacks, forger attacks, replying attacks, authentication of forwarding messages, and security of sensing information.

Keywords

Wireless sensor network random key pre-distribution random secret pre-distribution identity-based cryptograph hash-based message authentication code

Introduction

Wireless sensor networks (WSNs) were originally developed as part of a military research project at UC Berkeley.¹ Sensor nodes therein are randomly deployed to the target area. After the random deployment, these nodes start to collect data, communicate with their neighboring nodes, and transfer and relay collected data to a base station (BS). With the increasing use of WSN in recent years, the security requirements of WSNs have become increasingly important.^2–4 One of the security concerns of WSNs is the key agreement scheme for secure communication.⁵ To resolve the heavy loading of public key infrastructure (PKI), the random key pre-distribution scheme (RKP) for WSNs was proposed.⁶ However, the hardware of sensor nodes is not tamper-resistant, and once a sensor node is captured, the key information that is stored in the sensor node will be exposed to an adversary. Attackers could randomly capture nodes to retrieve the secret keys in them, and then use these keys to establish malicious nodes to eavesdrop on communication links.⁷ To eliminate the weakness of storing plain keys, a combination of identity-based cryptography⁸ and the random secret pre-distribution (RSP) scheme was proposed.⁹ Based on the hard elliptic curve discrete logarithm problem (ECDLP), the RSP scheme can prevent exposure of the secret keys. This article presents a method of establishing mutual trust that is based on embedded random secrets, which is utilized to explore the relationship among sensor nodes. According to the relationship, a sensor node can set the pairing value to authenticate a forwarded message, as a session key, or to negotiate a session key for secure communication. The proposed method includes BS initialization, neighbor set building, the pairing process, the establishment of mutual trust, message authentication, and sensor information forwarding. The proposed method can resist malicious attacks and satisfy the security requirements of WSN. The computations that are involved in the proposed method can be implemented in a sensor node. Section “Related works and preliminary techniques” of this article will present related works and preliminary techniques. Section “Proposed method” presents in detail the processes that are involved in the implementation of the proposed method. Section “Security analysis and performance evaluation” presents a security analysis and evaluates the performance of the method. The last section draws conclusions.

Related works and preliminary techniques

This section describes works on secure WSNs and the preliminary techniques that will be used in this article.

Random key pre-distribution

Chan et al.⁶ proposed the RKP scheme to perform key agreement for WSNs. In RKP, the BS holds a very large pool of keys, and sensor nodes are embedded in a random sub-set of these keys before deployment. In the WSN’s field, the sensor nodes will implement a challenge-and-response process to explore the common key among the sensor nodes, and use this common key to negotiate a session key for secure communication. However, the hardware of sensor nodes is not tamper-resistant, so once a sensor node is captured, the key information that is stored in it will be exposed. Attacks could randomly capture nodes to retrieve their keys, and use these keys to make malicious nodes to eavesdrop on some communication links.⁷

Identity-based cryptosystem

In 1985, Shamir⁸ proposed the identity-based cryptosystem (IBC) to facilitate key management in a PKI. In IBC, the public key generator (PKG) assigns a private key to every node, as determined the identity of the node and the well-known parameter. The node’s public key can be derived from the node’s identity. Hence, every node can make secure communication with another node, and the only required information about the other node is its identity.

Pairing function

In 2004, Boneh et al.¹⁰ proposed bilinear pairing to perform key agreement. As specified in Table 1, $Z_{q}$ is a finite field of $\mod q$ , and G is an additional elliptic curve cryptography (ECC) group. $e (\cdot)$ is a pairing function that maps two elements in G to a value in $Z_{q}$ , and $e (\cdot)$ satisfies the following conditions:

Bilinear

\begin{matrix} \forall P, Q, R \in G and a, b \in Z_{q} \\ e (P + Q, R) = e (P, R) \cdot e (Q, R) \\ \begin{matrix} e (P, Q) = e (Q, P) \\ e (aP, bQ) = e (bP, aQ) = e {(P, Q)}^{ab} \end{matrix} \end{matrix}

Non-degenerate

\exists P, Q \in G, such that e (P, Q) \neq 1

Computable

$\forall P, Q \in G$ , the algorithm that implements the pairing function in polynomial time exists.

Table 1.

Notation associated with public information and function.

Notation	Definition
$Z_{q}, m$	A finite field of mod q, where q is a prime number, and $m \in Z_{q}$
$G, (P, Q, R, Q^{x})$	An additional ECC group G with generator $P . Q, R \in G$ , where $Q^{x}$ is the x-axis of Q
M	A character stream or bit stream
$H (M)$	A hash function, mapping M to m, $H (.) : M \to Z_{q}$
$HMAC (M)_{d}$	A HMAC function, mapping M to m with key d, $HMAC (.)_{d} : M \to Z_{q}$
$e (Q, R)$	A pairing function, pairing $Q, R$ to m, $e (.) : G \times G \to Z_{q}$ $e (Q, R) = e (R, Q)$ , $e (aQ, bR) = e (bQ, aR) = e (Q, R)^{ab}$
R	Root set of secret values held by BS. $R = {r_{i} \| i = 1 ~ S}$ , where S is a very large number
$E_{k} (m)$	Symmetric encrypt m with key k
$EC C_{k} (m)$	Asymmetric encrypt m with key k, using ECC

ECC: elliptic curve cryptography; BS: base station; HMAC: hash message authentication code.

Random secret pre-distribution

In 2013, Hsieh et al.⁹ proposed RSP, which is based on the concept of IBC and the pairing function. In RSP, the BS maintains a very large pool of secret keys; it randomly chooses a sub-set of these keys, embedding each one in the sub-set in the public key of a node to generate that node’s private key. The public key is derived from the node’s identity. One node can pair the set of private keys with the public keys of another node to find the common secret that is embedded in the private keys of both nodes. Section “Proposed method” describes this scheme in detail description.

Mutual trust

For secure sending the sensed information, the sender node must explore the relationship of neighboring nodes to find a secure path for relaying sensed information. The PKI⁵ may be a possible solution. But it suffered from the heavy loading for certificating verification. In 2009, Huang¹¹ proposed a mutual trust method that is based on elliptic curve and hash chain. In the following years, Kim and Lee,¹² Zeng et al.,¹³ and Lee et al.¹⁴ pointed out the Huang’s weakness and fixed it under the attacking included replay, masquerade, and deny of service. But they all need time synchronizing and heavy storage loading. In 2014, Chen et al.¹⁵ proposed a chameleon hash function-based trust method that did not need time synchronizing and table loading, but it still suffered from malicious nodes revoking.

Proposed method

Table 1 presents the notation associated with the public information and function that are used in this article.

The proposed method may involve sensor node i, j, or k. Table 2 presents information concerning these nodes.

Table 2.

Notation associated with sensor nodes.

Notation	Definition
$R_{i}, R_{j}, R_{k}$	Set of random secret values for nodes $i, j, and k$ , assigned by BS, $T << S$ $R_{i} = {r_{i x} \| r_{i x} \in_{R} R, x = 1 ~ T}$ $R_{j} = {r_{j y} \| r_{j y} \in_{R} R, y = 1 ~ T}$ $R_{k} = {r_{k z} \| r_{k z} \in_{R} R, z = 1 ~ T}$
$N_{i}, N_{j}, N_{k}$	Anonymous IDs of nodes $i, j, and k$ , assigned by BS
$P S_{i}, P S_{j}, P S_{k}$	Set of private secret keys of nodes $i, j, and k$ , in which secret values are embedded by BS $P S_{i} = {P S_{i x} \| P S_{i x} = r_{i x} H (N_{i}) P, r_{i x} \in R_{i}, x = 1 ~ T}$ $P S_{j} = {P S_{j y} \| P S_{j y} = r_{j y} H (N_{j}) P, r_{j y} \in R_{j}, y = 1 ~ T}$ $P S_{k} = {P S_{k z} \| P S_{k z} = r_{k z} H (N_{k}) P, r_{k z} \in R_{k}, z = 1 ~ T}$
$P R_{i}, P R_{j}, P R_{k}$	Private keys of, and chosen by, nodes $i, j, and k$ , $P R_{i} = a_{i}, P R_{j} = a_{j}, P R_{k} = a_{k}, a_{i}, a_{j}, a_{k} \in_{R} Z_{q}$
$P K_{i}, P K_{j}, P K_{k}$	The public keys of nodes $i, j, and k$ $P K_{i} = P R_{i} H (N_{i}) P = a_{i} H (N_{i}) P$ $P K_{j} = a_{j} H (N_{j}) P$ $P K_{k} = a_{k} H (N_{k}) P$
$B_{i}, B_{j}, B_{k}$	The neighboring set of nodes $i, j, and k$ $\begin{matrix} • B_{i} = {B_{ix} \| B_{ix} = (N_{x}, P K_{x}, T T_{ix}, P V_{ix}, P B_{ix}), \\ where node x is the neighbor of node i, x = 1 ~ N} \\ N is the number of neighbors \end{matrix}$ , $\begin{matrix} • B_{j} = {B_{jy} \| B_{jy} = (N_{y}, P K_{y}, T T_{jy}, P V_{jy}, P B_{jy}), \\ where node y is the neighbor of node j, y = 1 ~ N} \end{matrix}$ $\begin{matrix} • B_{k} = {B_{kz} \| B_{kz} = (N_{z}, P K_{z}, T T_{kz}, P V_{kz}, P B_{kz}), \\ where node z is the neighbor of node k, z = 1 ~ N} \end{matrix}$ $B_{ix}$ contains five tuples, which are anonymous $ID (N_{x})$ , public key $(P K_{x})$ , trust type $(T T_{ix})$ , pairing value $(P V_{ix})$ , and pass node $(P B_{ix})$ $P V_{ix}$ may be ${\begin{matrix} D, nodes i and x have common secret value; \\ they can trust mutually and have direct mutual trust \\ I, nodes i and x have no common secret, but they \\ have a common trusted neighbor, so they have indirect mutual trust \\ U, nodes i and x have no common secret \\ or common trusted neighbor, so they have no mutual trust \end{matrix}$ $• P V_{ix}$ is the pairing value between nodes i and x, obtained by the pairing process $• P B_{ix}$ is null when TT_ix is “D” or “U,” but $P B_{ix}$ is a node ID when $T T_{ix}$ is “I” and TT between $(N_{i}, P B_{ix})$ and $(N_{x}, P B_{ix})$ is “D,” so nodes i and x can have mutual trust through $P B_{ix}$
$B_{i}^{D}, B_{i}^{N}$	$B_{i}^{D} = {N_{x} \| N_{x} is in B_{i x}, and T T_{i x} = D, B_{i x} \in B_{i}, x = 1 ~ N^{'}}, N^{'} < N$ $B_{i}^{D}$ is the set of IDs of neighbors, which can establish mutual trust directly with node i $B_{i}^{N} = {N_{x} \| N_{x} is in B_{ix}, and T T_{ix} \neq D, B_{ix} \in B_{i}, x = 1 ~ N ″}, N' + N ″ = N$

In the proposed method, communication will be performed between two sensor nodes. Table 3 presents the form of communication.

Table 3.

Form of communication.

Source node→ destination node	{Source ID, destination ID, “subject,” message}
$Node i \to Node j$	${N_{i}, N_{j}, subject, M_{i}}$ 1. $N_{i} and N_{j}$ are anonymous IDs of source node i and destination node j 2.Subject is the subject of this communication 3. $M_{i}$ is the attached message in this communication The subject of the communication may be HI: say hello PP: pairing process DP: direct pairing DR: direct response IP: indirect pairing NP: no pairing HK: who knows the nodes IK: I know KN: negotiation of session key SN: sensing information

Source node→ destination node

{Source ID, destination ID, “subject,” message}

Node i \to Node j

{N_{i}, N_{j}, subject, M_{i}}

N_{i} and N_{j}

are anonymous IDs of source node i and destination node j
2.Subject is the subject of this communication
3.

M_{i}

is the attached message in this communication
The subject of the communication may be
HI: say hello
PP: pairing process
DP: direct pairing
DR: direct response
IP: indirect pairing
NP: no pairing
HK: who knows the nodes
IK: I know
KN: negotiation of session key
SN: sensing information

The following sections will introduce the initialization of the BS and the deployment of nodes, building of a set of neighbors, the pairing process, indirect pairing, and proof of pairing.

BS initialization and deployment of sensor nodes

BS sets generate a very large secret pool R, $R = {r_{i} | i = 1 ~ S}$ ;

For every node (e.g. node i), BS randomly chooses a sub-set of $R, (R_{i})$ , and an anonymous $ID (N_{i})$ , and then sets the private secret key $(P S_{i})$ as

\begin{matrix} P S_{i} = {P S_{ix} | P S_{ix} = r_{ix} H (N_{i}) P, r_{ix} \in R_{i}, x = 1 ~ T}, T << S \\ R_{i} = {r_{ix} | r_{ix} \in R, x = 1 ~ T} \end{matrix}

BS records $(N_{i}, P S_{i})$ and embeds it into node i, then deploys the node to a WSN.

Establishing a set of neighbors

In WSN, node i holds $(N_{i}, P S_{i})$ , chooses a random number $a_{i}$ as its private key $(P R_{i})$ , and sets its public key $(P K_{i})$ as $P K_{i} = P R_{i} H (N_{i}) P$ . Node i informs its neighbors that it presents and collects information $(B_{i})$ about its neighbors as follows:

All hello:

Every node (e.g. node i) periodically says hello to its neighbors.

$Node i \to all$ : ${N_{i}, All, HI, M_{i}}$ , where $M_{i} = {N_{i}, P K_{i}}$

Collect all:

Every node (such as node i) collects all hello messages to build its neighbor set.

$B_{i} = {B_{ix} | B_{ix} = {N_{x}, P K_{x}, U, IPV, null}, x = 1 ~ N}$ , where N is the number of neighbors of node i.

$B_{ix}$ is the information of node x, with anonymous $ID (N_{x})$ , public key $(P K_{x})$ , and the default $(TT, PV, PB)$ , as $(U, IPV, null)$ . Here, the default PV is IPV

\begin{array}{l} I P V = {(P R_{i} H (N_{i}) P K_{x})}^{x} = {(P R_{i} H (N_{i}) P R_{x} H (N_{x}) P)}^{x} \\ = {(a_{i} H (N_{i}) a_{x} H (N_{x}) P)}^{x} \end{array}

The default trust type is U, and the default PB is null.

Pairing process

After every node (such as node i) has built its neighbor set, it performs pairing with its neighbors

$Node i (N_{i}, P K_{i}, P S_{i}, P R_{i}) with B_{i} = {B_{ij} | B_{ij} = {N_{j}, P K_{j}, ″ U, ″ IPV, null}, j = 1 ~ N}$

1. For all $N_{j}$ in $B_{i}$

Node i pairs all of its private secret keys $(P S_{i})$ with its private key $(P R_{i})$ and the public key of $N_{j}, (P K_{j})$ , to yield a possible direct pairing value, $d_{ijx}$

d_{i j x} = e (P R_{i} P S_{i x}, P K_{j}), x = 1 ~ T

Then, node i sends a pairing message to node j

Node i \to Node j : {N_{i}, N_{j}, PP, M_{i}}

where $M_{i} = {M_{i x} | M_{i x} = H M A C (N_{i} | | N_{j}) d_{i j x}, x = 1 ~ T}$ .

2. Node j receives $M_{i}$ , and pairs all of its private secret keys $(P S_{jy})$ with its private key $(P R_{j})$ and the public key of $N_{i}, (P K_{i})$ , to obtain a possible direct pairing value $d_{jiy}$

d_{jiy} = e (P R_{j} P S_{jy}, P K_{i}), y = 1 ~ T

makes $M_{j}, M_{j} = {M_{jy} | M_{jy} = HMAC (N_{i} | | N_{j}) d_{jiy}, y = 1 ~ T}$ ; checks whether any $x', y'$ in $M_{i}$ and $M_{j}$ , such that $M_{ix'} = M_{jy'}$ , and if so, goes to step 4 (direct pairing).

Else, it returns NP to node i

Node j \to Node i : {N_{j}, N_{i}, NP, null}

3. Node i receives NP and does nothing;

next j goes to step 1.

Direct pairing

4. Node j sets $d_{ji} = d_{jiy'}$ ; returns $x'$ and authenticates it with $d_{ji}$

Node j \to Node i : {N_{j}, N_{i}, DP, M_{j}}

where $M_{j} = {x', HMAC (x') d_{ji}}$ .

4.1. Node i receives $M_{j}$ , sets $d_{ij} = d_{ijx'}$ , and checks whether $HMAC (x') d_{ij} = HMAC in M_{j}$ ;

if so, the node goes to step 4.2; else next j goes to step 1.

4.2. Node i sets $B_{ij} = {N_{j}, P K_{j}, D, d_{ij}, null}$ and sets a direct response to node j;

$Node j \to Node i : {N_{i}, N_{j}, DR, M_{i}}$ , where $M_{i} = HMAC (x' + 1) d_{ij}$ ;

next j goes to step 1.

4.3. Node j receives DR and checks whether $HMAC (x' + 1) d_{ji} = M_{i}$ ;

If so, it sets $B_{ji} = {N_{i}, P K_{i}, D, d_{ji}, null}$ ;

else, the process ends.

Indirect pairing

Now, every node (such as node i) has established its set of neighbors with possible direct pairing. They will be a set of direct neighbors and a set of non-direct neighbors to ask its direct neighbors for possible indirect pairing.

Node i has $B_{i} = {B_{ix} | B_{ix} = {N_{x}, P K_{x}, T T_{ix}, P V_{ix}, null}, x = 1 ~ N}$ ;

$T T_{ix}$ may be D or U for direct and non-direct

Node i sets the direct and non-direct sets as

B_{i}^{D} = {N_{x} | N_{x} in B_{i x} and T_{i x} = D, B_{i x} \in B_{i}, x = 1 ~ N^{'}}, N^{'} < N

\begin{array}{l} B_{i}^{N} = {N_{x} | N_{x} is in B_{i x} and T_{i x} = U, B_{i x} \in B_{i}, x = 1 ~ N^{″}}, \\ N^{'} + N^{″} = N . \end{array}

Node k is in $B_{i}^{D}$ with $B_{k}^{D}$ and $B_{k}^{N}$

1. For all nodes k in $B_{i}^{D}$ ,

Node i processes indirect pairing to node k

\begin{matrix} Node i \to Node k : {N_{i}, N_{k}, HK, M_{i}} \\ M_{i} = {B_{i}^{N}, HMAC (B_{i}^{N}) d_{ik}} \end{matrix}

2. Node k receives message $M_{i}$ , authenticates $M_{i}$ with key $d_{ki}$ , and sets $B_{k}^{w}$ such that

$B_{k}^{w} = B_{k}^{D} \cap_{i}^{N}$ , where $B_{k}^{w}$ is the set of nodes that are in $B_{k}^{D}$ and $B_{i}^{N}$

Node k returns $B_{k}^{w}$ to node i

\begin{matrix} Node k \to Node i : {N_{k}, N_{i}, IK, M_{k}} \\ M_{k} = {B_{k}^{w}, HMAC (B_{k}^{w}) d_{ki}} \end{matrix}

3. Node i receives $M_{k}$ , which authenticates $M_{k}$ with key $d_{ik}$ .

For node x in $B_{k}^{w}$ , node i sets TT and PB in $B_{ix}$ as I and $N_{k}$ to indicate that $N_{i}$ and $N_{x}$ can establish indirect mutual trust via node k.

Mutual trust among the sensor nodes

Node i establishes its neighbor set $B_{i}$ according to the steps above

B_{i} = {B_{ix} | B_{ix} = {N_{x}, P K_{x}, TT, PV, PB}, x = 1 ~ N}

When $T T_{ix}$ is D, $P V_{ix}$ will be $d_{ix}$ . It means that node i and node x have a common random secret $(r)$ ; it can establish mutual trust directly and use $d_{ix}$ as the encrypt key for confidential communication, with $d_{ix} = e (H (N_{i}) P, H (N_{i}) P)^{a_{i} a_{x} r}$ .

When $T T_{ix}$ is I, node i and node x have no common random secret, but they do have a common trusted neighbor $N_{k}$ . $T T_{ik}$ and $T T_{xk}$ are D so node i and node x can establish mutual trust indirectly and can get a secure path pass through $N_{k}$ with IPV

IPV = (a_{i} a_{x} H (N_{i}) H (N_{x}) P)^{x}

When $T T_{ix}$ is N, node i and node x cannot establish mutual trust, but they still can communicate confidentially with IPV.

Communicating confidentially and sensing information forwarding

Every node has $(N_{i}, P S_{i}, P R_{i}, P K_{i})$ ; it establishes a neighbor set $B_{i}$ and claims its $(N_{i}, P K_{i})$ . Node i can communicate with its directly trusted neighbor nodes using the pairing value as a session key, or it can use the pairing value to negotiate a session key for confidential communication. When node i wants to negotiate a session key with its indirect neighbor node (node j), node i takes the pass-by node (node k) in $B_{ij}$ . Now, with the pairing value of $d_{ik}$ and $d_{kj}$ , and the initial pairing value $IP V_{ij}$ . Node i sets a session key SK, which it negotiates using the following steps.

Negotiation of session key between indirectly trustingneighbors

1. Node i sets SK as a session key; encrypts SK with $IP V_{ij}$ , authenticates it with $d_{ik}$ , and sends it to node k

\begin{matrix} N_{i} \to N_{k} : {N_{i}, N_{k}, KN, M_{i}} \\ M_{i} = {M_{i 1}, M_{i 2}} \\ M_{i 1} = E_{IP V_{ij}} (SK), M_{i 2} = {N_{j}, HMAC {(N_{j} ∥ M_{i 1})}_{d_{ik}}} \end{matrix}

2. When node k receives the message, it verifies $M_{i 1}$ with $d_{ki}$ .

If the verification fails, reject it.

Else, $M_{i 1}$ is forwarded to node j

\begin{matrix} N_{k} \to N_{j} : {N_{k}, N_{j}, KN, M_{k}} \\ M_{k} = {M_{k 1}, M_{k 2}} \\ M_{k 1} = M_{i 1}, M_{k 2} = {N_{i}, HMAC {(N_{i} ∥ M_{k 1})}_{d_{kj}}} \end{matrix}

3. When node j receives the message,

it verifies $M_{k 1}$ with $d_{jk}$

If the verification fails, reject it;

else, gets $IP V_{ji}$ to decrypt $M_{k 1}$ and to retrieve SK.

A message is returned to node i

\begin{matrix} N_{j} \to N_{i} : {N_{j}, N_{i}, KN, M_{j}} \\ M_{j} = HMAC (N_{j} ∥ N_{i} ∥ SK)_{SK} \end{matrix}

4. When node i authenticates the return message, the SK becomes the session key for confidential communication between nodes i and j.

Forwarding sensed information

When node i wants to send sensing information (M) to the BS.

It randomly chooses one of $P S_{i}$ ( $P S_{ix}$ ) as the encrypting key to encrypt M using ECC, and then forwards the encrypted message to its direct or indirect neighbors using any routing protocol. The supported routing path is $N_{i} \to N_{j} \to N_{k} \to N_{e} \to BS$ .

The forwarding process is as follows:

$\begin{matrix} V_{i} \to V_{j} : {N_{i}, N_{j}, SN, M_{i}} \\ M_{i} = {M_{i 1}, M_{i 2}} \\ \begin{matrix} M_{i 1} = EC C_{P S_{ix}} (M ∥ N_{i} ∥ t) \\ M_{i 2} = HMAC {(N_{i} ∥ N_{j} ∥ M_{i 1})}_{d_{ij}} \end{matrix} \end{matrix}$

$\begin{matrix} V_{j} \to V_{k} : {N_{j}, N_{k}, SN, M_{j}} \\ M_{j} = {M_{j 1}, M_{j 2}} \\ M_{j 1} = M_{i 1}, M_{j 2} = HMAC {(N_{j} ∥ N_{k} ∥ M_{j 1})}_{d_{jk}} \end{matrix}$

$\begin{matrix} V_{e} \to B_{s} : {N_{e}, B_{s}, SN, M_{e}} \\ M_{e} = {M_{e 1}, M_{e 2}} \\ M_{e 1} = M_{i 1}, M_{e 2} = HMAC {(N_{e} ∥ BS ∥ M_{e 1})}_{d_{e_{BS}}} \end{matrix}$

When BS receives the message, it verifies the message with $d_{B S_{e}}$ , and decrypts $M_{e 1}$ with the secret value of $P S_{ix}$ to retrieve the information that was sensed by node i. Since BS has the pool of root secrets, it can have the pairing value of any node.

Proof of pairing with common random secret

\begin{matrix} \begin{matrix} For node i, d_{ijx} = e (P R_{i} P S_{ix}, P K_{j}) \\ = e (a_{i} P S_{ix}, P K_{j}) \\ = e (a_{i} r_{ix} H (N_{i}) P, P R_{j} H (N_{j}) P) \\ = e (a_{i} H (N_{i}) r_{ix} P, a_{j} H (N_{j}) P) \\ = e (H (N_{i}) P, H (N_{j}) P)^{a_{i} a_{j} r_{ix}} \end{matrix} \\ \begin{matrix} For node j, d_{jiy} = e (P R_{j} P S_{jy}, P K_{i}) \\ = e (a_{j} r_{jy} H (N_{j}) P, P R_{i} H (N_{i}) P) \\ = e (a_{j} H (N_{j}) r_{jy} P, a_{i} H (N_{i}) P) \\ = e (H (N_{i}) P, H (N_{j}) P)^{a_{j} a_{i} r_{jy}} \end{matrix} \end{matrix}

If any $r_{ix'} = r_{jy'}$ , then $d_{ij} = d_{ijx'} = d_{jiy'} = d_{ji}$ .

Security analysis and performance evaluation

This section analyzes the security and evaluates the performance of the proposed scheme.

Security analysis

A WSN may be subject to many attacks, including compromising attacks, masquerading attacks, forgery attacks, and replaying attacks. To provide the required security of a WSN, the forwarded message must be authenticated and the sensor nodes must communicate confidentially with their neighbor nodes.

Compromising attack

An attacker who compromises a node can obtain information about its identity and its private secret key, but cannot retrieve any secrets from private secret key because the ECDLP is a hard problem. Therefore, such an attacker cannot issue the valid secret key to any malicious node.

Masquerading attack

In the proposed scheme, the mutual trust of two nodes may be based on common secrets, but these secrets are hidden using private secret keys. Therefore, no node can masquerade as having another identity without information from the secret pool. In establishment of the neighbor set, the exposed information includes only identity and public key, so an attacker cannot retrieve any private information. Therefore, masquerading attacks are impossible.

Forgery attack

In the forwarding of sensing information, this information is encrypted by the sensor’s private secret key, and the encrypted message is decrypted using the secret value that is only found in the private secret key. The hash message authentication code (HMAC) of the forwarded message is keyed with pairing value of the sender and the receiver. Without the secret value and the pairing value, an attacker cannot forge the sensing information and forwarding message.

Replay attack

The “hello” message is used to announce that the node is present, and neighbor nodes use the hello message to build the neighbor set. If the hello message is replayed, it affects one more neighbor, but this neighbor cannot establish mutual trust to perform any attack. The time stamp in the sensing information can resist the replay attack.

Authentication of forwarded message and security of sensing information

In the construction of a neighboring set, the pairing value, trust type, and pass-by node between two nodes are negotiated. The pairing value will be used for message authentication, session key negotiation, or confidential communication. If two nodes do not have a common secret, but do have a commonly trusted neighbor node, then they can negotiate the session key through the commonly trusted node. In the forwarding of sensing information, this information is encrypted using the sensor’s private secret key, and the encrypted message is decrypted using only the secret value in the private secret key. The HMAC of the forwarded message is keyed with pairing value of the sender and the receiver. Therefore, the sensing information can be retrieved only by the BS, and the forwarded message can be authenticated node by node.

Performance evaluation

This section discusses the probability that a node establishes direct or indirect trust with a neighbor to forward sensing information. The performance of the computations in initializing BS, construction a neighbor set, negotiating session keys, and forwarding sensing information are evaluated.

Probability that a node has no directly or indirectly trusted neighbor

As described in section “Proposed method,”S denotes the size of root secret pool in BS; T is the number of secrets in the node assigned by BS. Let the number of neighbor nodes be N. $P_{NP}$ is the probability that two nodes have no common secret. $P_{P}$ is the probability that two nodes have a common secret so it can generate a pairing value for message authentication or confidential communication. $P_{U}$ is the probability that two vehicles do not have a common secret or a common trust neighbor, so sensing information cannot be forwarded through a secure path

\begin{matrix} P_{NP} = \frac{C (S - T, T)}{C (S, T)} \\ P_{P} = 1 - P_{NP} \\ P_{U} = P_{NP} P_{NP}^{N P_{P}} = {P_{NP}}^{(1 + P_{P} N)} \end{matrix}

The $P_{NP}^{N P_{P}}$ in $P_{U}$ is the probability that all directly trusted neighbors of a node have no secret in common with another node. When $P_{NP}$ is less than 50% and the number of neighbors exceeds 10, the probability that sensing information cannot be forwarding is very small.

Performance evaluation

The proposed methods involve many computations, including bilinear pairing $(T_{p})$ , ECC multiplication $(T_{m})$ , symmetric encryption $(T_{e})$ , the hash function $(T_{h})$ , and $HMAC (T_{H})$ . The computational loads in the proposed process are as follows:

BS initialization: $T \cdot T_{m} - T_{h} + (T + 1) T_{m}$ per node for embedding private secret keys

Establishment of neighbor set

2.1. All hello: $T_{h} + T_{m}$ per node for setting public key

2.2Collect all: $T_{m}$ per neighbor for calculating IPV

2.3. Pairing process: $T (T_{P} + T_{H}) + T_{H}$ for each pairing node

Negotiation of session key

For directly trusted neighbors: $T_{e}$ for each node

For indirectly trusted neighbors: $T_{e} + T_{H}$ for each indirectly trust node; $2 T_{H}$ for each pass-by node

4. Forwarding information

For sender (sensing node) and receiver (BS): $2 T_{m} + T_{H}$

For forwarding nodes (relay nodes): $2 T_{H}$

The computations in the proposed method are bilinear pairing, ECC multiplication, symmetric encryption, the hash function, and the HMAC function, which all can be implemented in the sensor node.

Comparison with the related works

The proposed method will be compared to Huang,¹¹ Kim and Lee,¹² Lee et al.,¹⁴ and Chen et al.¹⁵ with respect to functions and performance in mutual trusting. Table 4 compares schemes in terms of functionality and shows that the proposed scheme fits all functional requirement without time synchronizing and verify table.

Table 4.

Comparison of functionality.

Functions	Scheme
Functions	Huang¹¹	Kim and Lee¹²	Lee et al.¹⁴	Chen et al.¹⁵	Proposed scheme
Resist various attacks	Partial	Partial	Partial	Yes	Yes
Deploy new nodes	Yes	Yes	Yes	Yes	Yes
Verify table	Yes	Yes	Yes	No	No
Time synchronization	Yes	Yes	Yes	No	No
Secure path for sending	Yes	Yes	Yes	Yes	Yes

The BS initialization and establishing of neighbor set are performed offline, so the associated loading can be ignored. For secure forwarding the sensed information, the session key will be set to do message authentication so that we compare the computation cost of message forwarding and session key negotiation. The computation times for T_m, T_e, T_n, and T_H, measured on a 3 GHz Pentium 4 PC¹⁶ are 0.6, 0.54, 0.002, and 0.002 ms, respectively. Table 5 shows the computation cost of message forwarding, computation cost of session key negotiation and the respective required times. In the proposed scheme, T_e is the cost of session key negotiation, and the T_m + T_H is the cost of encrypting and HMAC message forwarding.

Table 5.

Comparison of computation cost of message forwarding and session key negotiation.

Phase	Method
Phase	Huang¹¹	Kim and Lee¹²	Lee et al.¹⁴	Chen et al.¹⁵	Proposed scheme
Total computations	2T_m + 5T_n	2T_m + 8T_n	2T_m + 5T_n	5T_m + T_e	T_e + T_m + T_H
Required time	1.21 ms	1.216 ms	1.21 ms	3.54 ms	1.142 ms

Conclusion

In this article, the concept of RSP is utilized in a method for establishing mutual trust information forwarding path in a WSN.

In the proposed method, T private secret keys with an identity must be embedded in all nodes before they are deployed. At any time, the nodes set their private key to a random number and compute the respective public key, before announcing the identity and the key. Based on the identity and the public key, the neighboring nodes can implement the establishment of a neighbor set such that information about the announcing node includes the type of trust, the pairing value, and the pass-by node. Based on the information of the neighbor set, nodes can communicate confidentially, authenticate messages, and forward sensing information to the BS.

The sensing information will be encrypted by the private secret key of sensing node, and the encrypted sensing information can be decrypted only by the BS, because the secret value is in the private secret key. The encrypted sensing information will be forwarded to a directly trusted or indirectly trusted neighbor, and the pairing value of the sending node and receiving nodes is used as the HMAC key of the forwarded message. The forwarded message can be verified by HMAC. According to a probability analysis, the probability that the sensing information can be forwarded node-by-node to the BS is very high.

The proposed method resists malicious attacks and satisfies the security requirements of a WSN: it resists compromising attacks, masquerading attacks, forger attacks and replying attacks, enables authentication of forwarded messages, and secures sensing information. The computations in the proposed method are bilinear pairing, ECC multiplication, and HMAC, which can be implemented in a sensor node. The comparison shows that the proposed scheme is superior to the related works in terms of functionality and computation cost.

Footnotes

Academic Editor: Stephen D Prior

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This paper is based on some of the results of projects NSC101-2221-E-366-003, MOST103-2632-E366-001, and MOST104-2632-E366-001, which were supported by the Ministry of Science and Technology, ROC.

References

Smart Dust, 2008, pp.1229–1237, http://robotics.berkerley.edu/~pister/SmartDust/

Chintalapudi

Paek

. Monitoring civil structures with a wireless sensor network. J Internet Comput 2006; 10: 26–34.

Pathan

ASK

Hyung-Woo

Choong Seon

. Security in wireless sensor networks: issues and challenges. In: Proceedings of the 8th international conference on advanced communication technology (ICACT 2006), Gangwon-Do, Korea, 20–22 February 2006, pp.1043–1048. New York: IEEE.

Kundur

Luh

Okorafor

. Security and privacy for distributed multimedia sensor networks. P IEEE 2008; 96: 112–130.

Yong

Attebury

Ramamurthy

A survey of security issues in wireless sensor networks. IEEE Commun Surv Tutor 2006; 8: 2–23.

Chan

Perring

Song

. Random key pre-distribution scheme for sensor network. In: Proceedings of the 2003 IEEE symposium on research in security and privacy, Oakland, CA, 11–14 May 2003, pp.197–213. New York: IEEE.

Yein

AD-G

Chen

Hsu

. Attack wireless sensor network using compromised key redistribution. Appl Mech Mater 2012; 263–266: 920–925.

Shamir

Identity-based cryptosystems and signature schemes. In: Proceedings of the CRYPTO’84 on advanced in cryptology, LNCS 196, 1985, pp.47–53. Berlin, Heidelberg: Springer Verlag.

Hsieh

Yan

Liao

SY.

The random secret pre-distribution for wireless sensor network. In: Proceedings of the conference on information technology and applications in outlying Islands, Kinmen, Taiwan, 24 May 2013, pp.844–846.

10.

Boneh

Lynn

Shacham

Short signature from the Weil pairing. J Cryptol 2004; 17: 297–319.

11.

Huang

HF.

A novel access control protocol for secure sensor networks. Comp Stand Inter 2009; 31: 272–276.

12.

Kim

Lee

SW.

Enhanced novel access control protocol over wireless sensor networks. IEEE T Consum Electr 2009; 55: 492–498.

13.

Zeng

Choo

KKR

Sun

DZ.

On the security of an enhanced novel access control protocol for wireless sensor networks. IEEE T Consum Electr 2010; 56: 566–569.

14.

Lee

Shin

Lee

DH.

PACPS: practical access control protocols for wireless sensor networks. IEEE T Consum Electr 2012; 58: 491–499.

15.

Chen

Yein

ADG

Hsu

. Secure access control method for wireless sensor networks. Int J Distrib Sens N 2015; 2015: 261966.

16.

Long

CHJ

Irwin

JD.

Reducing communication overhead for wireless roaming authentication: methods and performance evaluation. Int J Netw Secur 2008; 6: 331–341.