- About this Journal ·
- Abstracting and Indexing ·
- Advance Access ·
- Aims and Scope ·
- Annual Issues ·
- Article Processing Charges ·
- Articles in Press ·
- Author Guidelines ·
- Bibliographic Information ·
- Citations to this Journal ·
- Contact Information ·
- Editorial Board ·
- Editorial Workflow ·
- Free eTOC Alerts ·
- Publication Ethics ·
- Reviewers Acknowledgment ·
- Submit a Manuscript ·
- Subscription Information ·
- Table of Contents
International Journal of Distributed Sensor Networks
Volume 2013 (2013), Article ID 716265, 14 pages
A Hybrid Authenticated Group Key Agreement Protocol in Wireless Sensor Networks
1School of Computer Science and Technology, Donghua University, No. 2999 North Renmin Road, Songjiang, Shanghai 201620, China
2Computer Games Academic Team EB.3.13A, Docklands Campus, ADI University of East London, London E16 2RD, UK
Received 14 October 2012; Revised 28 February 2013; Accepted 1 March 2013
Academic Editor: Motoki Sakai
Copyright © 2013 Yue Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Wireless sensor networks are a modern and advanced technology whose applications are fast developing in recent years. Despite being a fascinating topic with various visions of a more intelligent world, there still exist security issues to be resolved in order to make WSNs fully adoptable. Due to the resource constraints of sensor nodes, it is infeasible to use traditional key establishment techniques that find use in fixed communication systems. In this paper, the design of a new hybrid Authenticated Group Key Agreement (AGKA) protocol is described for WSNs. The AGKA protocol reduces the high cost public-key operations at the sensor side and replaces them with efficient symmetric-key based operations. The proposed AGKA protocol is not only efficient but also meets strong security requirements. In order to demonstrate the protocol is verifiably secure and trustworthy, a formal verification of the AGKA protocol is carried out. Furthermore, several experiments are conducted on MICAz and TelosB platforms in order to evaluate the performance of the proposed protocol. The evaluation results show that the AGKA protocol is well suited for use with resource-constrained sensor nodes.
Wireless sensor networks (WSNs) are viewed as a large number of small sensing self-powered devices/nodes which gather information or detect special events and communicate in a wireless fashion, with the end goal of handing their processed data to a base station. A diverse set of applications for sensor networks encompassing different fields have already emerged including medicine, agriculture, environment, military, electrical power systems, home appliances, toys, and many others.
In these and other vital, life-critical, or security-sensitive applications, secure and fast transmission of sensitive digital information over the sensor network is essential. A solid key management framework is one of the most crucial technologies for achieving secure infrastructure in wireless sensor networks.
Considering the limited resources of both computational ability and power supply of wireless sensor devices, the design of security protocols for wireless sensor networks is a nontrivial challenge given that most public key operations require expensive computations. Therefore, there is a need to employ energy-efficient key agreement protocols in order to prolong each sensor’s battery life.
In recent years, symmetric-key-based key establishment schemes have gained popularity due to their small computational overhead. A promising solution for the establishment of symmetric keys in wireless sensor network applications is to use key predistribution protocols such as those studied in various papers [1–3]. Although symmetric mechanisms achieve low computational overhead when compared with public key operations, the key management for symmetric key based protocols is complicated and is always subject to attack by adversaries. Therefore, many public-key-based protocols have been proposed [4–11] for wireless sensor networks which give more flexibility and scalability.
In this paper, we focus on WSN applications involving clusters of wireless sensor nodes. We have designed a new hybrid authenticated group key agreement (AGKA) protocol. The motivation of which was to exploit the difference in capabilities between gateways and sensors and put the cryptographic burden on gateways where the resources are less constrained. We have also implemented the AGKA protocol on TelosB and MICAz motes and performed several experiments in order to evaluate the performance of the AGKA protocol in terms of its energy consumption and memory usage. The evaluation results show that the proposed protocol is well suited for use with resource-constrained sensor nodes with limited processing power and power resources.
The remainder of this paper is organized as follows. Section 2 describes related works. Some preliminaries and network model are reviewed in Section 3. Section 4 presents our key agreement protocol. In Section 5, the security of the proposed protocol is discussed. We present the performance evaluations in Section 6 and provide our research conclusions in Section 7.
2. Related Works
SPINS  is one of the most popular symmetric-key-based security schemes used today. In this memory-efficient scheme, the nodes need only share a key with the base station, and establish keys with other nodes through the base station. This type of scheme is suitable for sensor networks with small numbers of sensor nodes manually deployed around the base station. The big drawback of this scheme is that the base station is a single point of attack, which could result in the compromise of the entire network. Those nodes closest to the base station must forward a high volume of traffic to the base station and this reduces the lifetime of the network as these nodes expend greater energy resources.
Key predistribution is an alternative approach, which distributes the keys to all sensors prior to the deployment of the sensors. Zhu et al.  proposed Localized Encryption and Authentication Protocol (LEAP) which supports the establishment of four types of keys for each sensor node including a pair-wise key and a group key (a network-wide shared key).
Eschenauer and Gligor  proposed the use of random graph theory, which was used to develop one of the first random predistribution schemes. A random graph is fully connected with a high probability if the average degree of its nodes is above a certain threshold. Generally high-density deployments result in a fully connected network. Hence, key establishment only needs to be performed such that any two neighbors have some probability of successfully completing key establishment. Eschenauer and Gligor used this theory to develop a framework for key random predistribution protocols. This framework involves three phases: predistribution, shared-key discovery, and path-key establishment.
The computation complexity and energy consumption of those symmetric-key-based protocols are relatively small. However, the key management for pure symmetric-key-based systems can be complicated, a key distribution center (KDC) can be required, or a large number of symmetric keys can be preloaded into devices. Both of these solutions can reduce the scalability of WSNs. In contrast, public-key-based protocols give more flexibility and scalability in large sensor networks where new devices keep entering the cluster. However, public-key-based protocols require more expensive computational power.
In cluster-based wireless sensor networks, the design of secure group key establishment protocols is a foremost security issue. A group key establishment protocol allows participants to construct a group key that is used to encrypt/decrypt transmitted messages among participants over an open channel.
Recently several key agreement protocols have been proposed to offload public-key cryptographic computational requirements to servers and have the low-end devices do less work. Bresson et al.  proposed a group key agreement protocol well suited to imbalanced wireless networks consisting of devices with strict energy consumption restrictions and wireless gateways with less stringent restrictions. Their idea was to let a cluster of mobile devices and one wireless gateway dynamically agree on a session key. However, their protocol does not satisfy some important security properties such as mutual authentication and forward secrecy .
Nam et al.  further improved the mutual authentication of Bresson et al.’s protocol by adopting the Katz-Yung scalable compiler  whereby one online signature and verifications must be required; the computational cost, though reduced, is still expensive for resource constrained sensor devices.
Tseng  proposed an efficient group key agreement protocol based on the two aforementioned protocols. It employs an online/offline signature scheme  and shifts much of the computation to the wireless gateways possessing more computational power and energy. Nevertheless, it does not satisfy some important security properties such as mutual authentication .
In recent years, Elliptic-Curve-Cryptography-based-key agreement protocols [5, 9, 10, 20–22] have been designed for use in constrained mobile device environments and wireless sensor networks because of their small key sizes, such as the ECMQV protocol with ECC X.509 certificates  and implicit certificates  and the ECDSA authenticated key exchange protocol . In 2004, Huang et al. proposed a hybrid authenticated key establishment protocol based on probably secure elliptic curve encryption  and the elliptic curve implicit certificate scheme . In 2005, Liu and Ning created TinyECC , a software package that provides Elliptic Curve Cryptography (ECC) operations for TinyOS . It supports all elliptic curve operations over prime fields , including point addition, point doubling, and scalar point multiplication, as well as ECDSA operations. In 2011, Ammayappan et al. proposed an ECC-based two-party authenticated key agreement protocol for mobile ad hoc networks, which utilises both RSA and ECC to achieve mutual authentication. This method increases the computation burden on sensor side .
Using the concept of Schnorr Signature  and based on ECC, Huang et al. in  designed a key establishment in the authentication procedure of the access control scheme for WSNs. The new designed key establishment in  also used the concept of “timebound” in which once time period has elapsed, the sensor node in the wireless sensor network cannot access any data for a future time period in order to protect future messages. Huang et al. claimed that the authentication procedure and common key generation proposed in  offers computational efficiency, energy, and bandwidth savings. Nevertheless, adversaries can still apply a sensor node replication attack in the period of the expiration time. The reason is that the adversary can compromise the sensor node and apply the replication attack before expiration time.
In order to reduce communication cost, some ID-based protocols for wireless sensor networks have been proposed where a sensor node does not need to transmit its implicit certificate . Zhang et al. proposed three protocols for wireless sensor networks [6, 26, 27]. Those protocols offer low communication overhead and low memory requirements by eliminating the public key certificate. But in those protocols, sensor nodes should still perform expensive computation such as Weil/Tate pairing and Map-to-Point operations. Recently, Zhang et al.  proposed an efficient ID-based protocol for key agreement in wireless sensor networks. This protocol removes expensive operations from a sensor node side and eliminates the communication overhead of transmitting public-keys, but this protocol is vulnerable to replication attacks, where adversaries can use this weakness to masquerade as a security manager and share the pair-wise key with the sensor node.
From the discussion of the recent representative key agreement protocols designed for wireless sensor networks, we find that those protocols are computationally expensive for sensor nodes or vulnerable to impersonator’s attacks. It can be seen that the design of a secure authenticated group agreement protocol well suited to wireless sensor networks is a nontrivial challenge, which inspires us to propose a verifiably secure authenticated group key agreement protocol.
3. Network Model and Notations
Before the discussion of key establishment protocols involving public key cryptography, we will first present the model of the unbalanced cluster-based wireless sensor networks.
3.1. Network Model
The IEEE 802.15.4 low-rate wireless personal area network standard  specifies the physical layer and medium access control layer of a low data rate, ultra low power, and low cost sensor network. It defines two device types: a Full Functional Device (FFD) and a Reduced Functional Device (RFD). An RFD takes on the role of an end device, such as a low-power sensor, while an FFD takes the role of a coordinator, a gateway, or a security manager.
The wireless system environment we model is an unbalanced/asymmetric cluster-based wireless sensor network, which consists of some sensor nodes with strict computational capability restrictions and a gateway with less restriction. We consider a set of resource-limited sensor nodes (also called low-power nodes) communicating with a gateway (also called powerful node), in which each low-power node can send messages to the gateway via unicast communication, and the gateway can broadcast or unicast messages to each low-power node. The gateway covers an entire group region called a cell. It is the cluster-head of the group region. In the group region, the data transmission between gateway and its client nodes uses low-power wireless technology such as IEEE 802.15.4 standard and Zigbee. The communication between gateways and the base station could use WiFi and wired LAN technology. The monitoring software on the base station can collect and analyze the sensing data and put the useful information on the web server. All the authenticated users can login to the website to not only get the information of the target object but also maintain the sensor network by performing tasks such as updating/renewing the group key, putting a particular group of sensor nodes into sleep mode or merging the neighboring groups.
Figure 1 shows the network model of the asymmetric wireless sensor network.
3.2. Key Notation and Terms
Let be the initial set of low-power sensor nodes that want to generate a group key with gateway . In Table 1, we summarize the key notations and terms used in the group key agreement protocol.
4. The Proposed Group Key Agreement Protocol
This section specifies the algorithms and features of the proposed AGKA protocol. The new AGKA protocol is implemented using the elliptic curve version of the Diffie-Hellman problem . In addition to the use of an ECC cryptosystem, the proposed AGKA protocol also adopts a symmetric-key cryptosystem. The protocol reduces the cost of elliptic curve random point scalar multiplications at the sensor side and replaces them with low cost and efficient symmetric-key-based operations. Furthermore, it authenticates the entities based on a combination of the Elliptic Curve Digital Signature Algorithm (ECDSA)  and the Message Authentication Code (MAC).
The AGKA protocol consists of four algorithms.(1)The key generation algorithm AGKA.Kgen() is a probabilistic algorithm which on input of a security parameter provides each client and the gateway with long-lived keys.(2)The setup algorithm AGKA.Setup() is an interactive protocol which on input of a set of clients sets the wireless client group to be and provides each client in with a secret value shared with the gateway.(3)The join algorithm AGKA.join() is an interactive protocol which on input of a set of clients updates the wireless client group to be and provides each client in with a (new) shared secret value .(4)The remove algorithm AGKA.Remove() is an interactive protocol which on input of subset of the wireless client group updates the latter to be and provides each client in with a new shared secret value .
Each cluster/group in a hierarchical cluster-based WSN is represented as the set , which consists of sensor devices (also called clients), and a gateway. A nonempty subset of is called sensor client group , which consists of clients communicating with the gateway. An elliptic curve defined over prime fields with coefficients and a base point of large order is selected and made public to all users. The protocol considers a signature scheme SIGN = (SIGN.Kgen, SIGN.Sig, SIGN.Ver). Each client holds a pair of signing private/public key , which are the output of the key generation signature scheme algorithm SIGN.Kgen.
4.1. Key Generation
The algorithm AGKA.Kgen, on input of the set of clients and a security parameter , performs the following steps.(1)Execute SIGN.Kgen() for each client in to provide each client with a pair of signing/verifying keys. The private key is given to the client in a confidential way, while each public key is sent to the gateway.(2)Choose random integer , compute , and set the gateway’s private/public keys . The private key is given to the gateway in a confidential way, while the public key is certified and sent to the clients. The pair will be the long-term Diffie-Hellman pair of the gateway.
Basically, for an ECC-based key agreement, each client will generate an ephemeral Diffie-Hellman pair , which thus leads to a session key shared between the client and the gateway . Meanwhile, ECDSA signature is used for authenticating each client node.
4.2. Group Key Setup
As depicted in Figure 2, the group key agreement setup runs as follows.
Step 1. To establish the group key in the cluster, each node randomly selects a -bit integer and a ()-bit integer as the nonce. Additionally, randomly picks a random integer as its ephemeral private key and gets the ephemeral public key . Then, computes and cipher text , where is the coordinator of . The client node then generates an ECDSA signature under the private key of . Finally, each node sends to gateway . Note that generations of the ephemeral public key and the shared secret can be precomputed before the node joins the network, which requires additional memory space but speeds up the protocol’s execution.
Step 2. For each node, the gateway first checks if the nonce is fresh and then checks the signature to authenticate each node . If the authentication holds, it computes and then decrypts and gets and . Subsequently, the gateway initializes counter and computes a group session key . The gateway then creates a cipher text and sends each client node the cipher text , counter , and nonce with . Note that secret key is selected as the MAC key between node and the gateway since is only known to the node and the gateway.
Step 3. Each sensor node first performs the authentication of the gateway through verifying MAC. If the authentication holds, the client calculates the group session key . HMAC with MD5 hash algorithm is used to calculate the MAC value. MAC is used to verify the integrity of the received message. MAC can also be used to confirm that the received message is sent by the sender who knows the MAC key .
4.3. Algorithm for New Node Joining
The algorithm AGKA.Join, on input of the set of appearing client devices , performs the following steps.(1) When a new member wants to join a group, it must first be authenticated by the base station.(2) Update the wireless client group .(3) Each appearing client chooses at random a -bit integer , a ()-bit integer as the nonce, and the ephemeral private key and pre-computes the ephemeral public key and the shared session key . Then, pre-computes the cipher text and the signature under the private key .(4) Each appearing client sends the value to the gateway .(5) The gateway verifies the incoming signatures and if correct, operates as in the Setup phase with an increased counter and computes the group session key After that, the gateway sends to each client the counter , cipher text , and . (6) Each client already holds the value , the shared secret , and the old counter value. So, it first checks that the new counter is greater than the old one and the MAC value, and if the check holds, it simply recovers the group session key .
4.4. Algorithm for Node Removing
The algorithm AGKA.Remove, on input of the set of disappearing client-sensors, performs the following steps.(1)Update the sensor group .(2)The gateway operates as in the Setup phase. It increases the counter and computes the shared group session key .(3)Then, it sends to each client the values , cipher text , and . (4)Each client already holds the value , the shared secret , and the old counter value. So, it first checks that the new counter is greater than the old one and the MAC value, and if the check holds, it simply recovers the group session key .
5. Security Evaluation
The presented AGKA protocol overcomes the security weaknesses detected in the previously discussed protocols. The security evaluation is discussed in this section.
5.1. Sensor Node Replication Attack
The fresh nonce is used in the message sent from the client node for , so that it can make sure no replayed message (cloning fraud) will be allowed in the protocol. For instance, if an adversary wants to replay the previously transmitted message from one client, it would use the same nonce value in previous round, which will be realized by the gateway who knows the last nonce generated by the client. If an adversary wants to replay the previously transmitted message from the gateway, it would not pass the check of the counter implemented in Step 3 on the client side. Meanwhile, the signature of the message sent from the client node is also utilized in Step 1 to provide the authentication of the client nodes. Therefore, the proposed protocol prevents the replication attacks.
5.2. Sybil Attack
In this attack, a malicious sensor claims multiple IDs (identities) or locations . In the proposed scheme, each client sensor is authenticated by the base station and gets a unique ID. In addition, each client owns a long-term key pair , where the private key is used to generate the digital signature of the client. The private key is only known by the private key’s owner and kept in secret. A malicious sensor cannot masquerade a forge ID and forge key pair without the base station’s authentication. During the AGKA.Setup phase, the client’s private key is used to sign the sending message, when the gateway in the group receives the signed message from a client node; it will first verify the signature in order to authenticate the identity of the client node. Elliptic Curve Digital Signature Algorithm (ECDSA) is chosen in the proposed protocol to generate and verify the signature of each client. The security of ECDSA is founded in the difficulty of solving the discrete logarithm problem in prime order subgroups of . The adversary cannot masquerade the client and generate the legal signature to pass gateway’s authentication without the private key of the client . Even in worst case, the adversary compromise one client sensor but still is not able to claim a new identity in the vicinity of node because the adversary only knows the private key of the compromised node but not the private key of node . As a result, with the use of ECDSA on the gateway to authenticate the identity of each client sensor, the proposed protocol can withstand the Sybil attack.
5.3. Mutual Authentication
The signature of the message sent from the client node is generated in Step 1, which is verified by the gateway in Step 2. This provides the authentication of the client node. Meanwhile, a Message Authentication Code (MAC) is applied in Step 2. This will provide proof of authentication and integrity for the sent message. In the proposed protocol, the MAC key is generated by client node and sent to the gateway in a confidential way, where is encrypted by . Only the gateway with the private key of can decrypt the encrypted message and recover . Thus, only the gateway and client node knows the MAC key . Therefore, the MAC code can be used to authenticate the identity of the gateway. As a result, the AGKA protocol provides the authentication between the client nodes and the gateway.
5.4. Perfect Forward Secrecy
A key agreement protocol offers forward secrecy if compromisation of a long-term key cannot result in the compromisation of previously established session keys. As mentioned in Step 1 of the AGKA protocol, is stored in the memory storage of the low-power node and each tuple is used only once. In this case, must be erased as soon as they are no longer useful. Obviously, since the low-power nodes’ long-term keys are used only for authentication and they are not used for hiding the group key, the leakage of any client node’s long-term key does not reveal anything about the group key. Furthermore, strong (partial) forward-secrecy (where any internal data is revealed, that is, the signing key but also the , , and ) is also achieved if the ’s and ’s are erased as soon as they are no longer useful (the client has left from the group). As a consequence, no information about previous session keys can be found in the memory of the low-power sensor nodes.
6. Formal Verification of the AGKA Protocol
Traditionally, cryptographic protocols have been designed and verified using informal and intuitive techniques. However, an absence of formal verification has proven [32, 33] to lead to flaws and security errors remaining undetected in a protocol. Formal verification aims at providing a rigid and thorough means of testing the correctness of a cryptographic protocol so that even subtle defects can be uncovered. A number of formal techniques have been developed for this purpose. This section first discusses the Coffey-Saidha-Newe (CSN) logical technique  and then formally analyzes and verifies the proposed group key agreement protocol using this logic.
6.1. CSN Modal Logic
The CSN logic provides a means of verifying hybrid cryptographic protocols. The logic can analyze the evolution of both knowledge and belief during a protocol execution, and is therefore useful in addressing issues of both security and trust. The inference rules provided are the standard inferences required for natural deduction and the axioms of the logic are sufficiently low-level to express the fundamental properties of hybrid cryptographic protocols, such as the ability of a principal to encrypt/decrypt based on knowledge of a cryptographic key. The logic is capable of analyzing a wide variety of hybrid cryptographic protocols because the constructs of the logic areof general purpose and therefore provide the user with increased flexibility allowing him to develop his own theorem.
The underlying assumptions of the logic can also be stated as follows. The communication environment is hostile but reliable; the cryptosystems used are ideal. That is, the encryption and decryption functions are completely noninvertible without knowledge of the appropriate cryptographic key and are invertible with knowledge of the appropriate cryptographic key. Keys used by the system are considered valid if they have not exceeded their validity period and only known by the rightful owner(s).
6.1.1. The CSN Logic Language
: general propositional variables : an arbitrary statement and : arbitrary entities and : individual entities ENT: the set of all possible entities : a cryptographic key. In particular, is the public key of entity and is the corresponding private key of entity : moments in time. For example, represents time after Step 1 of protocol has completed : encryption function, encryption of using key : decryption function, decryption of using key : shared secret key for entities and : set of good shared keys for entities and : shared secret for entities and (secret can be fresh) : set of good shared secrets for entities and : encryption of plaintext message using the shared secret key of entities and : decryption of ciphertext message using the shared secret key of entities and : propositional knowledge operator (true or false evaluation) of Hintikka  : knows statement at time : knowledge predicate (assigns an object a property). means that knows and can reproduce object at time : belief operator. means that believes at time that statement is true : “Contains” operator. means that the object contains the object . The object may be cleartext or ciphertext in : emission operator. means that sends message at time : reception operator. means that receives message at time : authentication operator. means that authenticates at time .
The language includes the classical logical connectives of conjunction , disjunction , complementation , and material implication (). The symbols and denote universal and existential quantification, respectively. The symbol indicates membership of a set and denotes set exclusion. The symbol denotes a logical theorem. The logic does not contain specific temporal operators, but the knowledge, belief, and message transfer operators are time-indexed.
6.1.2. Inference Rule
The logic incorporates the following rules of inference.(R1) From and infer .(R2)(a) From infer ; (b) from infer .
(R1) is the Modus Ponens and states that if can be deduced and can be deduced, then can also be deduced. (R2) consists of the generalisation rules which state that if is a theorem, then knowledge and belief in are also theorems.
The logic also includes the following standard propositional rules of natural deduction.(R3) From infer .(R4) From and infer .
Two types of axioms are used in this logic, logical and nonlogical. Logical axioms are general statements made in relation to any system, while non-logical are system specific.
Logical Axioms. The logic includes the following standard modal axioms for knowledge and belief: (A1);(A2).
The axiom (A1) is application of the Modus Ponens to the knowledge operator. The axiom (A2) is called the knowledge axiom and is said to logically characterise knowledge. If something is known, then it is true. This property distinguishes between knowledge and belief. Consider(A3)(a); (b).
Axioms (A3)(a) and (A3)(b) assert that knowledge, once gained, cannot be lost. Consider(A4).
If a piece of data is constructed from other pieces of data, then each piece of data involved in the construction must be known to some entity.
Nonlogical Axioms. The non-logical axioms reflect the underlying assumptions of the logic. These assumptions relate to the emission and reception of messages and to the use of encryption and decryption in these messages. Consider(A5).
The emission axiom (A5) states that if sends a message at time , then knows at time and some entity other than that will receive at time subsequent to . Consider(A6).
The reception axiom (A6) states that: if receives a message at time , then knows at time and some entity other than that has sent at time prior to . Consider(A7)(a);(b).
Axioms (A7)(a) and (A7)(b) refer to the ability of an entity to encrypt or decrypt a message when it has knowledge of a public or private cryptographic key. Consider(A8)(a) ;(b) .
Axioms (A8)(a) and (A8)(b) refer to the impossibility of encrypting or decrypting a message without knowledge of the correct key. Axiom (A8)(a) states that if an entity does not know at and does not know, prior to , the encryption and also does not receive at in a message, then the entity cannot know at time . Axiom (A8)(b) makes a similar statement for the decryption of a message without knowledge of the decryption key. Consider(A9).
The key secrecy axiom (A9) states that the private keys used by the system are known only to their rightful owners. Consider(A10).
Axiom (A10) states that if an entity knows and can reproduce and at time ; then it knows and can reproduce , and this implies that this entity knows at time that knows and can reproduce prior to . Consider(A11)(a);(b).
Axiom (A11) refers to the ability an entity has to encrypt or decrypt a message using a symmetric system when it has knowledge of a secret key. Consider(A12)(a) ;(b) .
Axiom (A12) refers to the inability of an entity to encrypt or decrypt data without knowledge of the appropriate shared secret key. Consider(A13).
Axiom (A13) states that only the rightful owners of a shared secret key know that key; this implies that this key is a good key. Consider(A14).
Axiom (A14) states that only the rightful owners of a shared secret know that secret; this implies that this is a good secret. Finally(A15)(a) ;(b), .
(A15)(a) states that if knows a secret that it shares with (the secret can be fresh), and this secret is a good secret, and receives a message containing at that it did not send, then knows that sent this message prior to .
(A15)(b) states that if knows the public key of and message , and if receives a message containing , then knows that sent message prior to .
6.2. Formal Verification of the Proposed Protocol
To provide assurance that the new AGKA protocol is verifiably secure and trustworthy, a formal verification on its specifications is performed in this section. CSN logic was adopted to perform formal verifications of security protocols in Chapter 6, and is therefore adopted here to perform the formal verification of the new proposed group key agreement protocol.
6.2.1. Goals of the Proposed AGKA Protocol
The goals of the key-agreement protocol are defined as follows: Goal 1: , for ; Goal 2: , for .
Goal 1 states that the gateway knows that it will obtain a signed message from containing the ephemeral public key and the concatenation value prior to the end of Step 1.
6.2.2. Initial Assumptions
Consider the following:(1);(2);(3);(4);(5);(6).
Assumption states that the public keys and , where , are known to all entities.
Assumption states that the private keys of and are known only to its owner and not known to any other entity.
Assumption refers to the timely revelation of the random nonce by the client .
Assumption refers to the timely revelation of the shared key by the client .
Assumption states that only the entities and will know the shared key after Step 1, and this implies that is a good secret.
Assumption states that generates the shared MAC key and that knows that no other entity knows this key prior to , and that the key is a good key.
6.2.3. Formal Analysis
Step 1. where .
This states that knows at time , it will receive a message containing the ephemeral public key and encrypted message . And this message will be signed by the private key of the client.
By application of Axiom (A2), Applying Axiom (A6) and Inference Rule (R2), Applying Inference Rule (R3), Using Assumption which states that only has knowledge of before and Assumption which states that only has knowledge of before , Using Axioms (A7)/(A8)/(A15)(b) which reflect the ability of an entity to authenticate another entity when it has knowledge of its public key and a message with a signature of the message, Assumption which states that the public key of is known to all entities, and Assumption which states the private key of is only known to its owner , we get, This shows that the client is authenticated at Step 1 of the protocol since only it could have encrypted Mes with its secret key and Mes contains the ephemeral public key , and the cipher text .
Using Axioms (A11) and (A12), which reflect the ability of an entity to decrypt a message when it has knowledge of the secret key, and Assumption which states that is a good secret key only known to , and we get,
Step 2. where .
This states that knows at time that it will receive a message containing cipher text , nonce , and a message authentication code of this message.
By application of Axiom (A2), Applying Axiom (A6) and Inference Rule (R2), Applying Inference Rule (R3) Applying Axioms (A11)/(A12) and (A13) and Assumption , and using Assumption which states that is a good secret key only known to entities and : Using Assumption which states the timely revelation of (after time ) by , we get The client is authenticated at this point of the protocol since only and could have encrypted Mes2 and generate the Message Authentication Code with its secret key (Axioms (A11)/(A12)/(A15)(a) and Assumption ), and Mes2 contains the cipher text , the nonce , and the counter ; therefore Using Axioms (A11) and (A12), which reflect the ability of an entity to decrypt a message when it has knowledge of the secret key, and Assumption which states that is a good secret key only known to and , we get From the analysis it can be seen that all goals of the proposed group key agreement protocol are achieved and no security flaw is detected. This indicates that the proposed protocol is verifiably secure and trustworthy.
7. Implementation and Performance Evaluation
In order to evaluate the suitability of our protocol in sensor networks, we carried out a set of experiments based on the TelosB  and MICAz  mote platforms. Table 2 lists the configuration and the architecture of TelosB and MICAz motes.
A low-end PC (1.0 GHz Intel Pentium III processor, 512 MB RAM, and 30 GB hard drive) with a mote attached is used to simulate the gateway. The TelosB mote or the MICAz mote attached to the PC is responsible for transmitting and receiving messages. Using the PC as the security manager enables the security manager to implement all operations by the Java program and store all members’ public keys in the local memory device without worrying about memory constraints. This method reduces the execution time of the protocol and releases the memory and power constraints existing in sensor nodes. Most cryptographic algorithms, such as ECDSA, RC5, and Skipjack, are supported by Java, and these algorithms can be found in the Java security packages or the third-party security packages. Another reason for using the PC to simulate the gateway is that the handshaking messages and execution process can be displayed on PC, which eases the researchers in tracing the messages received from the group members and the authentication process during the AGKA protocol.
The implementation is divided into two modules, the client (group member) module and the security manager module.(i) The client module implements all the operations required by the proposed protocol on the client side, which involves ECC point multiplication, ECDSA signature generation, and MAC generation.(ii) The security manager module has two parts. The first part powernode.nc is written in nesC code and implemented on the MICAz and TelosB that are attached to the security manager (computer), and the other part is securitymanger.java which is written in Java and implemented on the security manager (computer). These two parts are linked by a Java class MoteIF which enables Java applications to send and receive the message through Universal Asynchronous Receiver/Transmitter (UART).
TinySec is the first fully implemented link layer security architecture for wireless sensor networks. It is also a research platform that is easily extendable and has been incorporated into higher level protocols. Some well-studied cryptographic primitives are applied in TinySec, such as Message Authentication Codes (MACs), Initialization Vectors (IVs), and Cipher Block Chaining (CBC). It is noteworthy that TinySec was distributed with official releases of TinyOS version 1.x. It has proven that efficient secure communication in wireless sensor networks is a feasible reality. Table 3 summarizes the security characteristics of TinySec.
The TinyECC package supports all elliptic curve operations over prime fields , including point addition, point doubling, and scalar point multiplication, as well as ECDSA operations. It also includes elliptic curve parameters recommended by Stands for Efficient Cryptography Group (SECG), such as secp160k1, secp160r1, and secp160r2. The natural number operations in TinyECC are based on RSAREF2.0 [23, 38].
Bouncy Castle  is a collection of APIs used in cryptography. It includes APIs for both the Java and the C# programming languages. It provides a Java library to implement all elliptic curve operations over , including point addition, point doubling, and scalar point multiplication, as well as ECDSA operations. In order to implement ECDSA operations in Java, a number of Bouncy Castle classes are imported into our implementation.
7.2. Experimental Setup
The performance evaluation is performed on both TelosB and MICAz motes. We set two experimental networks, both consist of groups of seven client motes and a single gateway. The performance of the protocol in each network is evaluated. As mentioned in Section 4, some values such as and can be pre-computed before the sensor node AKGA.SETUP phase. This is to facilitate a speeding up of the protocol’s operation. The impact of the use of precomputation methods will be evaluated.
To enable TelosB and MICAz motes to execute the ECC computations required by the AGKA protocol, the 128-bit and 160-bit ECC parameters recommended by SECG  are chosen for use in the tests presented in the experiment, while the 192-bit ECC parameters are not included in the evaluation. This is because the 192-bit ECC requires 48 bytes to represent the point (public key pair) on the curve, which results in 120 bytes payload in the communication message; such large payload size exceeds the maximum TinyOS payload size of 114 bytes.
The following evaluating measurements are used in our performance evaluation experiments: (i) ROM consumption;(ii) RAM consumption;(iii) execution time;(iv) energy consumption.
7.3. Evaluation Results
A comparison between the results on the TelosB and the results on the MICAz, as well as between the results with pre-computation disabled and with pre-computation enabled, will now be presented.
7.3.1. Execution Time
The execution time can be one of the most meaningful attributes when evaluating security protocols, especially with regard to resource-constrained sensor nodes. The execution time is measured using an oscilloscope.
In comparing two different mote architectures with the same protocol running, it can be seen that the resulting execution time depends on the clock frequency of the microcontroller on the sensor platform.
Figure 3 plots the average execution times for the AGKA protocol implemented on both the TelosB and the MICAz motes with different elliptic curves.
From Figure 3, it can be seen that the value for the execution time on the MICAz mote is about half that of the TelosB mote results, and this can be attributed to the clock frequency of the MICAz being 8 MHz which is double the clock frequency of the TelosB mote. Different elliptic curves affect the execution time of the protocol, and this can be seen in the fact that there is at least a 1.00 second difference with 128-bit elliptic curves implemented compared with 160-bit elliptic curves. It is noticeable that the execution time is significantly reduced when pre-computation is enabled; the reason for this is that two public-key generations are pre-computed and the corresponding results are installed in the memory before the nodes join the network. This saves at least 9 seconds in execution time for the TelosB mote and saves at least 4.50 seconds in execution time for the MICAz mote. The fastest execution time observed from the experimental results is 2.64 seconds, when the AGKA protocol with the secp128k1 elliptic curve was implemented on the MICAz motes. Although pre-computation speeds up the protocol, considerable increases in ROM usage are traded.
7.3.2. Memory Usage
Due to the limited storage available on the sensor nodes, memory usage is an important attribute when evaluating the new key agreement protocol. As already mentioned, the pre-computation method improves the execution speed of the protocol; however, extra memory required is the tradeoff. The check_size script provided by the TinyOS is used to obtain the ROM and RAM sizes required by the AGKA protocol in each experiment.
The experiment evaluates the increases in ROM requirements of the proposed AGKA protocol with pre-computation enabled. Table 4 illustrates the ROM consumption for the AGKA protocol on the TelosB and MICAz motes when the pre-computation method is enabled.
It can be seen that the ROM consumption increases with a rise in the number of AGKA.Setup algorithms run. The reason for that is discussed in the following. In Step 1, each low-power node uses the offline pre-computing technique to compute , , and a signature . Certainly, some tuples should be stored in the memory storage of the low-power node in advance. When the proposed protocol plans to run four AGKA.Setup algorithms, it will store 4 tuples in the memory at beginning and give each tuple a sequence number; for example, the tuple 1 is named as and tuple 2 is named as . This is the reason why the ROM consumption increases with a rise in the number of AGKA.Setup algorithms run. After each run, the proposed protocol will remove the corresponding used tuple ; for example, the protocol will remove the tuple 1 at the end of the first execution of the AGKA.Setup algorithm.
7.3.3. Energy Consumption
Another important evaluation measurement besides the memory usage and the execution time is the energy consumption. The energy consumption by the AGKA protocol is measured by the using of the Agilent mobile communication DC Source (DCS). Figure 4 illustrates the energy consumption for the AGKA protocol implemented on the TelosB and the MICAz motes with specific elliptic curves.
It is shown that the protocol with 128-bit elliptic curves consumes less energy than with 168-bit elliptic curves. This is attributed to a reduction in computational complexity and shorter message size when the protocol uses the 128-bit elliptic curves. With the same elliptic curve, the energy consumed by the protocol on the MICAz is less than that on the TelosB. The reason for this is that the execution times on the MICAz are about half that on the TelosB. Furthermore, with the same elliptic curve, at least 35 μWH of energy is saved with pre-computation enabled on the MICAz mote, while at least 32 μWH of energy is saved with pre-computation enabled on the TelosB mote.
7.4. Limitation and Further Improvement
The comparison results identify that execution time and energy consumption are reduced with short elliptic curves, and those measurements are also improved with pre-computation enabled, while the significant increases in memory usage is the critical tradeoff. Therefore, further improvements and optimizations on memory usage need to be implemented in future work.
The experiment only evaluates the protocol with a group size of seven. With increasing the group size, the execution time will increase. The major reason is that the clients’ handshaking packets will queue in the transceiver of the security manager and may cause the jam in the communication channel. Further experiments and simulations on protocol performance versus group size should be carried out.
8. Conclusion and Future Work
In this paper, a secure authenticated group key agreement protocol well suited for wireless sensor networks has been proposed. We showed that the proposed protocol provides forward secrecy and mutual authentication between low-power nodes and the powerful node (gateway). We also demonstrated that the proposed protocol is verifiably secure against node replication attacks and Sybil attacks. Meanwhile, the implementation of the protocol on the TelosB and the MICAz motes was also described in detail. In addition to the implementation of the protocol, a number of evaluation experiments were developed and performed on the motes and described. The experimental results were analyzed based on the following evaluation metrics: execution time, memory usage, and energy consumption. The evaluation results indicate that the protocol is suitable for use with energy-constrained sensor networks. We plan to further investigate the reduction method that can be used to reduce the bit-length of the pre-computed key pairs and signatures, which will in turn reduce the memory usage of the proposed protocol. In addition, we plan to carry out a further evaluation of the proposed protocol with a larger number of group members than used in this study.
This research work was supported by the National Natural Science Foundation of China (61103238 and 61003278). This research is also supported by the Fundamental Research Funds for the Central Universities.
- L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 41–47, November 2002.
- H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Symposium on Security And Privacy, pp. 197–213, May 2003.
- D. Liu and P. Ning, “Establishing pairwise keys in distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 52–61, October 2003.
- E. Bresson, O. Chevassut, A. Essiari, and D. Pointcheval, “Mutual authentication and group key agreement for low-power mobile devices,” Computer Communications, vol. 27, no. 17, pp. 1730–1737, 2004.
- Q. Huang, J. Cukier, H. Kobayashi, B. Liu, and J. Zhang, “Fast authenticated key establishment protocols for self-organizing sensor networks,” in Proceedings of the 2nd ACM International Workshop on Wireless Sensor Networks and Applications (WSNA '03), pp. 141–150, September 2003.
- Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.
- Y. H. Kim, H. Lee, J. H. Park, L. T. Yang, and D. H. Lee, “Key establishment scheme for sensor networks with low communication cost,” in Proceedings of the 4th International Conference on Autonomic and Trusted Computing: Bringing Safe, Self-x and Organic Computing Systems into Reality (ATC '07), vol. 4610, pp. 441–448, Hong Kong, Hong Kong, 2007.
- L. P. Zhang and Y. Wang, “An ID-based authenticated key agreement protocol for wireless sensor networks,” Journal of Communications, vol. 5, no. 8, pp. 620–626, 2010.
- H. L. Yeh, T. H. Chen, P. C. Liu, T. H. Kim, and H. W. Wei, “A secured authentication protocol for wireless sensor networks using Elliptic Curves Cryptography,” Sensors, vol. 11, no. 5, pp. 4767–4779, 2011.
- K. Ammayappan, A. Negi, V. N. Sastry, and A. K. Das, “An ECC-based two-party authenticated key agreement protocol for mobile Ad Hoc networks,” Journal of Computers, vol. 11, pp. 2408–2416, 2011.
- H. F. Huang, “A new design of access control in wireless sensor networks,” International Journal of Distributed Sensor Networks, vol. 2011, Article ID 412146, 7 pages, 2011.
- A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, “SPINS: security protocols for sensor networks,” Wireless Networks, vol. 8, no. 5, pp. 521–534, 2002.
- S. Zhu, S. Setia, and S. Jajodia, “LEAP: efficient security mechanisms for large-scale distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 62–72, Washington, DC, USA, October 2003.
- J. Nam, S. Kim, and D. Won, “A weakness in the Bresson-Chevassut-Essiari-Pointcheval's group key agreement scheme for low-power mobile devices,” IEEE Communications Letters, vol. 9, no. 5, pp. 429–431, 2005.
- J. Nam, J. Lee, S. Kim, and D. Won, “DDH-based group key agreement in a mobile environment,” Journal of Systems and Software, vol. 78, no. 1, pp. 73–83, 2005.
- J. Katz and M. Yung, “Scalable protocols for authenticated group key exchange,” Journal of Cryptology, vol. 20, no. 1, pp. 85–113, 2007.
- Y. M. Tseng, “A secure authenticated group key agreement protocol for resource-limited mobile devices,” Computer Journal, vol. 50, no. 1, pp. 41–52, 2007.
- A. Shamir and Y. Tauman, “Improved on-line/off-line signature schemes,” in Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, pp. 355–367, Springer, Berlin, Germany, 2001.
- Y. Li and T. Newe, “On the logical verification of a group key agreement protocol for resource constrained mobile devices,” in Proceedings of the Australasian Telecommunication Networks and Applications Conference (ATNAC '07), pp. 277–281, Christchurch, New Zealand, December 2007.
- R. Struik and G. Rasor, Mandatory ECC Security Algorithm Suite, IEEE P802.15 Wireless Personal Area Networks, 2002.
- SECG, SEC1: Elliptic Curve Cryptography, Standards For Efficient Cryptography Group, Certicom Research, 2000.
- M. Aydos, T. Yan, and C. K. Koc, “A High-speed ECC-based wireless authentication protocol on an ARM microprocessor,” in Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC '00), New Orleans, La, USA, 2000.
- A. Liu and P. Ning, “TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks,” in Proceedings of the International Conference on Information Processing in Sensor Networks (IPSN '08), pp. 245–256, April 2008.
- U. Berkeley, TinyOS Community Forum: An Open Source OS for the Networked Sensor Regime, 2007.
- C. P. Schnorr, “Efficient signature generation by smart cards,” in Proceedings of the 9th Annual International Cryptology Conference (CRYPTO '89), vol. 434 of Lecture Notes in Computer Science, pp. 688–689, Santa Barbara, Calif, USA, January 1991.
- Y. Zhang, W. Liu, Y. Fang, and D. Wu, “Secure localization and authentication in ultra-wideband sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 4, pp. 829–835, 2006.
- Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Securing sensor networks with location-based keys,” in Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC '05), pp. 1909–1914, March 2005.
- IEEE Standard for Information Technology-Telecommunications and Information Exchange Between Systems-Local and Metropolitan Area Networks- Specific Requirements-Part 15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low Rate Wireless Personal Area Networks (WPANs), 2003.
- W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.
- D. Johnson, A. Menezes, and S. Vanstone, “The elliptic curve digital signature algorithm (ECDSA),” International Journal of Information Security, vol. 1, pp. 36–63, 2001.
- J. Douceur, “The sybil attack,” in Procceeding of the 1st International Workshop on Peer-to-Peer Systems (IPTPS '02), 2002.
- T. Coffey and P. Saidha, “Logic for verifying public-key cryptographic protocols,” IEE Computers and Digital Techniques, vol. 144, pp. 28–32, 1997.
- M. Burrows, M. Abadi, and R. Needham, “Logic of authentication,” ACM Transactions on Computer Systems, vol. 8, no. 1, pp. 18–36, 1990.
- J. Hintikka, Knowledge and Belief: An Introduction to the Logic of Two Notions, Cornell University Press, Ithaca, NY, USA, 1962.
- Crossbow. TelosB producthttp://www.xbow.com/Products/productsdetails.aspx?sid=147>.
- Crossbow-Technology. MICAz Datasheet, 2008, http://www.xbow.com/Products/Product_pdf_files/Wireless_pdf/MICAz_Datasheet.pdf.
- C. Karlof, N. Sastry, and D. Wagner, “TinySec: a link layer security architecture for wireless sensor networks,” in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys '04), pp. 162–175, Baltimore, Md, USA, November 2004.
- RSA Laboratories, RSAREF: A cryptographic toolkit (version 2.0), 1994.
- Bouncy Castle, http://www.bouncycastle.org/.
- CC2431. Texas Instruments Incorporated, 2008, http://focus.ti.com/docs/prod/folders/print/cc2431.html.