Recent Advances in Security and Privacy for Wireless Sensor Networks 2016
View this Special IssueResearch Article  Open Access
Jiye Kim, Jongho Moon, Jaewook Jung, Dongho Won, "Security Analysis and Improvements of Session Key Establishment for Clustered Sensor Networks", Journal of Sensors, vol. 2016, Article ID 4393721, 17 pages, 2016. https://doi.org/10.1155/2016/4393721
Security Analysis and Improvements of Session Key Establishment for Clustered Sensor Networks
Abstract
WSN (wireless sensor network) is one of the main technologies in IoT (Internet of Things) applications or services. To date, several schemes have been proposed to establish a pairwise key between two nodes in WSN, and most of them are designed to establish longterm keys used throughout the network lifetime. However, in the near future, if WSN will be used for information infrastructures in various fields such as manufacturing, distribution, or public facilities management and its life cycle can be as long as that of other common networks, it will definitely be advantageous in terms of security to encrypt messages using session keys instead of longterm keys. In this paper, we propose a session key establishment scheme for clustered sensor networks that is based on elliptic curve DiffieHellman (ECDH) key exchange and hash chain. The proposed scheme eliminates vulnerabilities of existing schemes for WSN and has improved security. The proposed scheme is efficient in terms of energy costs compared to related schemes.
1. Introduction
A wireless sensor network (WSN) is composed of dozens to thousands of sensor nodes and more than one gateway and is employed with the objective of collecting data regarding the conditions or changes in the target area [1, 2]. WSN is one of the key technologies in IoT (Internet of Things) applications or services and is expected to be employed in various applications in fields such as military, healthcare, public facilities management, manufacturing, distribution, and agriculture in the near future [1, 3–5]. However, WSN is vulnerable to attacks such as node impersonation attacks, maninthemiddle (MITM) attacks, and denialofservice (DoS) attacks by eavesdropping or altering of the messages transmitted in wireless channels, as are other common wireless networks [6–8]. Therefore, WSN should employ security techniques to meet the security requirements of data confidentiality and integrity, availability of services, and node authentication [9].
The key establishment scheme is one of the most fundamental and feasible security techniques [10]. Lai et al.’s BROSK [11], Eschenauer and Gligor’s random key poolbased scheme [12], and so forth provide the function of establishing a pairwise key between sensor nodes [13]. Such schemes are designed with the objective of establishing a longterm key to be used throughout the lifetime of WSN under the assumption that the life cycle of WSN is much shorter than the life cycle of other networks [14]. For example, if WSN is installed to monitor a hostile environment that is not easily accessible to people, such as a battlefield or a disaster area, its life cycle is shorter than the attack time needed to determine the cryptographic keys. In this case, it is more effective for the cryptographic keys not to be rekeyed after being established, except when adding new nodes or eliminating existing nodes. However, if WSN is used for information infrastructures in fields such as manufacturing, distribution, or public facilities management, its life cycle may be long. In this case, there is a need for a session key establishment scheme that continuously renews cryptographic keys according to a cycle or an event [14].
In an information and communication system, the message sender encrypts the confidential data and transmits it in the form of ciphertext to the message receiver. However, if an attacker obtains the decryption key by hacking, he/she can obtain the plaintext or additionally perform other serious attacks using the key. In order to decrease the damage caused by such key exposure, a cryptographic key known as a session key is used only for a limited period of time. In communication protocols based on session keys, even if an attacker obtains one of the session keys, the number of ciphertexts he/she can decrypt with it is limited. Also, he/she needs more pairs of plaintext and ciphertext for cryptanalysis or needs to obtain more session keys for other attacks. Therefore, encryption of messages using session keys is definitely advantageous in terms of security [15].
In this paper, we focus on WSNs applied to applications such as healthcare, public facilities management, and industrial automation systems. Applying WSNs to such systems is more advantageous in terms of network performance and management costs compared to applying wired networks [18]. However, in such systems, WSNs should be operated for a long period of time and are securitycritical. Moreover, for easy network management, such applications can employ clustered and hierarchical sensor networks, as shown in Figure 1 [19, 20]. When employing clustered sensor networks for such applications, the communication between the gateway and the cluster head requires stronger security than the communication between the cluster head and the sensor node; this is because the cluster head collects the data sensed by sensor nodes in its cluster and transmits it to the gateway [17]. Therefore, it is appropriate to apply the session key to the communication between the gateway and the cluster head in order to increase security. However, we found that existing session key establishment schemes for WSNs [16, 17] have several security flaws; they do not provide mutual authentication between two nodes and are vulnerable to node impersonation attacks and MITM attacks. In addition, neither scheme can guarantee secrecy of future session keys if the longterm keying materials stored in the cluster head are exposed to an attacker.
In this paper, we propose a scheme to establish a session key between the gateway and the cluster head in order to enable the cluster head to transmit encrypted data to the gateway. Our proposed scheme should eliminate the weaknesses of existing schemes in order to achieve improved security. Moreover, not only the security but also the energy costs should be considered when designing the scheme because the nodes in WSNs are batterypowered. To meet these design requirements, the proposed scheme establishes session keys based on elliptic curve DiffieHellman (ECDH) key exchange [21, 22], an effective asymmetric key technique. Also, it employs hash chain [23–27] in order to provide mutual authentication between the gateway and the cluster head, verification of message integrity, and session key establishment, considering energy costs.
Our major contributions are as follows: first, the proposed scheme is secure against possible attacks in key establishment schemes for WSN, such as session key attacks, replay attacks, and node capture attacks. Also, it resists both node impersonation attacks and MITM attacks through mutual authentication of two communication parties and verification of message integrity. Second, compared to longterm key establishment, there is less research on session key establishment between two nodes in WSN, and the studies are relatively more recent. Third, computation and communication costs incurred by a cluster head affect its energy consumption [28–30]. Therefore, the proposed scheme is designed to minimize the number of messages transmitted between two nodes for efficiency in terms of communication costs. Also, even though it employs asymmetric key techniques, it is more efficient in terms of computation costs compared to other schemes with similar design requirements and key establishment techniques.
The remainder of the paper is organized as follows. Section 2 reviews several key establishment schemes between nodes in WSN. Section 3 describes the assumptions, design requirements, and main ideas of our proposed scheme. Section 4 proposes the improved scheme and describes its phases in detail. Section 5 analyzes the security of the proposed scheme against possible attacks in key establishment schemes for WSN. Section 6 is devoted to analyzing its energy costs compared to other schemes with similar design requirements and key establishment techniques. Finally, Section 7 concludes this paper.
2. Review of Related Works
A few key establishment schemes have been proposed to establish a pairwise key between sensor nodes and to provide the rekeying function in case of additions of new sensor nodes or revocation of existing sensor nodes [11, 12, 31–34]. In Lai et al.’s BROSK [11], all sensor nodes share only one master key, and each sensor node establishes a pairwise key with its neighboring nodes using that master key. This scheme is very efficient and simple, but the entire network can become vulnerable if even one sensor node in the network is compromised by an attacker. Eschenauer and Gligor proposed a pairwise key establishment scheme based on a random key pool [12]. In the predeployment phase of their scheme, keys are randomly chosen from one key pool and are preloaded in the sensor node. After deploying sensor nodes to the field, if a sensor node determines it has the same key as its neighboring node, it sets the same key to be the pairwise key between two nodes. In this scheme, if an attacker compromises another sensor node that has the pairwise key between two sensor nodes, he/she can decrypt the message transmitted between these two sensor nodes. Several modified schemes have been proposed in order to compensate for this weakness [32–34]. Based on Eschenauer and Gligor’s scheme, Chan et al. proposed a scheme where a pairwise key can be established only when two sensor nodes share multiple keys instead of one key [32]. On the other hand, Du et al. proposed a scheme that combines the random key poolbased method with Blom’s method [33], which establishes a pairwise key between two nodes using the symmetric matrix in , where matrix is the public information, and matrix is private information in a finite field [35]. Also, Liu et al. proposed a scheme that combines Eschenauer and Gligor’s method with the polynomialbased method [34] that establishes a pairwise key between two nodes using degree polynomial that satisfies [36]. All of Chan et al., Du et al., and Liu et al.’s schemes are proposed to securely protect the links between uncompromised nodes unless a threshold number of nodes are compromised [32–34].
All of the schemes mentioned above have been proposed to establish a longterm key used throughout the life cycle of WSN [14]. Compared to such schemes, session key establishment schemes between nodes in WSN have been proposed more recently. References [14, 37, 38] proposed EBSbased rekeying schemes. Eltoweissy et al. proposed the exclusion basis system (EBS), which updates a group key for normal nodes when it evicts malicious nodes from a communication group [39]. An EBSbased scheme has a key pool of size (, , where is the number of nodes in a group). administrative keys from the key pool are assigned to each node. When the scheme evicts some malicious nodes from the group, only messages are needed to update a group key because the messages are encrypted using unknown keys to malicious ones. Chen and Lin proposed a session key establishment scheme for gridbased sensor networks [40]. This scheme is based on oneway hash function, mutual authentication between communication parties, and symmetric key encryption as follows: first, secret parameters () and () are preloaded to the sensor node and the cluster head , respectively. Then, the scheme encrypts the messages transmitted from to using the key and the ones from to the gateway using the key . After a period of time, and are replaced with and , respectively, where both and are generated by the cluster head . Eldefrawy et al. proposed a session key agreement scheme based on asymmetric key techniques [41]. In this scheme, the gateway receives random numbers from all sensor nodes in a cluster in order to compute a session key for communication between member nodes in the cluster. The scheme encrypts the random numbers transmitted from sensor nodes to the gateway based on RSA [42] and the session keys from the gateway to sensor nodes based on elliptic curve cryptography [21]. Meanwhile, [43–45] proposed polynomial secretsharingbased session key establishment schemes to address the node compromise problem.
Chen and Li’s scheme [16] and Lee and Kim’s scheme [17] employ different key establishment techniques to establish session keys between the gateway and the cluster head in clustered sensor networks. Chen and Li’s scheme establishes the th session key by computing , where and represent the th and th session keys, respectively [16]. However, if an attacker obtains and of , the future session keys to be generated in the th and the following sessions can be computed. In other words, Chen and Li’s scheme does not guarantee the secrecy of future session keys. Lee and Kim applied a modified DiffieHellman key exchange (DHKE) technique [46] to their scheme in order to consider the efficiency in terms of computation costs of cluster heads [17]. However, because all cluster heads in this scheme share only one private key, which is a longterm key used throughout the life cycle of the WSN, it can also be compromised by an attacker. Therefore, this scheme cannot guarantee the secrecy of future session keys. Furthermore, we found that their scheme is vulnerable to node impersonation attacks or MITM attacks. In Appendices A through D, we review Chen and Li’s scheme and Lee and Kim’s scheme in detail and analyze their security.
3. Design Outline of the Proposed Scheme
We consider the applications of WSNs such as healthcare, public facilities management, and industrial automation systems. The WSNs utilized for such applications should be operated for a long period of time and are securitycritical.
3.1. Network Model
Regarding the WSN that employs the proposed scheme, we assume the following:(i)The WSN is a clustered sensor network divided into several clusters; it consists of three types of nodes: sensor nodes, cluster heads, and a gateway. In a cluster, the sensor nodes sense the conditions or change regarding the target area and transmit the data to their cluster head. The cluster heads not only control the sensor nodes in respective clusters [13] but also collect the data sensed by the sensor nodes and transmit the data to the gateway [17].(ii)Sensor nodes have limited resources such as power, computation and communication capability, memory, and transmission range [1, 47–50], whereas the gateway has an abundance of these resources.(iii)Cluster heads are fixed and not selected from ordinary sensor nodes because resources of cluster heads are richer than those of ordinary sensor nodes. Nevertheless, our scheme can still be also applied to WSNs that perform cluster head selection [51]. This will be discussed at greater length in Section 4.2.(iv)A sensor node or a cluster head communicates with a nonneighboring node in a hopbyhop fashion. We assume that the intermediate nodes between the cluster head and the gateway are not required to read the message contents exchanged between two nodes. Therefore, though the cluster head transmits its message hopbyhop to the nonneighboring gateway, the message is encrypted/decrypted only at the two nodes; that is, the message encryption/decryption is performed endtoend.(v)In WSNs, sensor nodes or cluster heads are usually batterypowered. In this study, because the WSN nodes have a long life cycle, their batteries should be replaced or charged once every few years of system operation [18].(vi)Sensor nodes or cluster heads can be randomly scattered in a target area or deployed according to a defined network topology. We assume that their spatial distribution depends on the application.(vii)All nodes in the WSN, that is, sensor nodes, cluster heads, and the gateway, are static. That is, they are not mobile.
3.2. Adversary Capabilities
We assume that an attacker can eavesdrop on or modify transmitted messages. Sensor nodes and cluster heads are vulnerable to physical attacks because they are usually deployed without tamperproof devices in unattended environments [30, 52–54]. Therefore, an attacker can perform node capture attacks, that is, the capture of a node in a WSN and the extraction of secret parameters for use in subsequent attacks. The gateway is a trusted node that is not compromised and is secure against privilegedinsider attacks or stolenverifier attacks.
3.3. Design Requirements
The goal of our proposed scheme is for the cluster head to securely transmit the data to the gateway. For this goal, the proposed scheme provides functions to establish a session key between the cluster head and the gateway and encrypt/decrypt the data using it. In addition, the security weaknesses of existing schemes described in Section 2 will be addressed in the proposed scheme. The design requirements of the proposed scheme are as follows:(i)Because the proposed scheme protects the data using a session key, the session key should not be exposed to an attacker attempting to eavesdrop on transmitted messages. Furthermore, although longterm parameters in the cluster head are exposed to an attacker, the attacker should be unable to compute future or past session keys.(ii)To achieve confidentiality and integrity of the data transmitted between the gateway and the cluster head, the proposed scheme should be designed such that it is secure against possible attacks on key establishment schemes such as node impersonation attacks, MITM attacks, and replay attacks.(iii)The security protocols alone cannot perfectly prevent node capture attacks; however, the proposed scheme should be designed to minimize the effects of such attacks [7]. That is, even if some sensor nodes are compromised by node capture attacks, it should have no effect on the communication with other normal nodes or the security of the entire network [9].(iv)Sensor nodes or cluster heads are batterypowered and their batteries should be replaced or charged once every few years of system operation [18]. This implies that the resources of cluster heads in our network model can be relatively richer than those of sensor nodes in other sensor networks; however, they are still limited. Therefore, the proposed scheme should be designed to consider the energy consumption and security. For this, the scheme will be designed to be efficient in terms of computation and communication costs.
3.4. Notations
Notations section shows the notations used in the remainder of the paper:(i)A pair of private and public keys for RSA signature [42] () is generated as follows: the scheme chooses two large primes and and computes . It chooses which fulfills the notion that , where . Then, it computes which fulfills the notion that . Here, the public key is and , and the private key is . In this paper, denotes the signing of a message with the private key , and it means . denotes the verifying of a message and its signature with the public key . It computes and then compares with . If , then the signature is valid; otherwise, it is invalid.(ii)A pair of private and public keys for ECDH [21, 22] () is generated as follows: the scheme chooses a large prime and defines the elliptic curve over which is the set of all pairs which fulfills the notion that and an imaginary point of infinity , where . When is a primitive element on the elliptic curve and “” denotes an elliptic curve multiplication, the scheme chooses an integer (, where is the number of points on ) and computes . Here, is another element on .
3.5. Main Ideas
Symmetric keybased session key establishment schemes are efficient with regard to computation costs; however, one of their persisting issues is the sharing and updating of the symmetric key, that is, the session key encryption key (KEK) by two nodes [15]. Moreover, if the KEK is a longterm key, it is futile to employ the session key because it can be exposed to an attacker. Meanwhile, another method to establish a session key is to generate the next session key using keying materials stored in the previous session, similar to Chen and Li’s scheme [16]. However, in such schemes, if an attacker obtains keying materials in a session, the past or future session keys can be computed.
To meet the requirements described in Section 3.3, our proposed scheme is designed as follows:(i)The proposed scheme establishes a session key based on asymmetric key techniques in order to resist session key attacks and provide secrecy of past or future session keys. To take into account computation costs and energy consumption of cluster heads, the proposed scheme chooses an efficient key exchange technique, ECDH [21, 22], from asymmetric key techniques with the same security level.(ii)To resist node impersonation attacks, MITM attacks, and so forth, the proposed scheme should provide mutual authentication between the gateway and the cluster head and verify message integrity. To realize this, the proposed scheme is designed based on the hash chain containing the digests of public keys generated by the gateway, as shown in Figure 2. The gateway transmits one element of the hash chain to the cluster head for each session. Using the received hash chain element, the cluster head can authenticate the message sender and verify the integrity of the message. In our scheme, the cluster head can perform these processes efficiently in terms of computation and communication costs by computing only a single hash value.
4. Description of the Proposed Scheme
Our scheme is composed of the following three phases: predeployment phase, hash chain setup phase, and key establishment phase. The predeployment phase is performed before cluster heads are deployed in the field. After that, the hash chain setup phase and the key establishment phase are performed. Each of these phases is described in detail from Section 4.1 to Section 4.3.
4.1. Predeployment Phase
Keying materials include information or algorithms required for key establishment. Not only in the proposed scheme but also in many secure protocols for WSN, keying materials are preloaded into nodes before they are deployed in the field [16, 17, 33, 55]. There are two reasons for preloading the keying materials. First, WSN is difficult to be equipped with secure channels such as mail compared to other common networks. Second, computation or communication costs can be reduced by skipping the initialization process after nodes are deployed in the target area. The predeployment phase of our scheme is as follows (steps (P1) to (P4)):(P1)The scheme generates a pair of private and public keys for RSA signature [42] (, ) as described in Section 3.4.(P2)The two keys (, ) are preloaded into . The private key is stored only in and is not shared with other nodes. The public key is preloaded into all cluster heads. In the hash chain setup phase described in Section 4.2, signs the first element of the hash chain using , and verifies the signature using .(P3)The scheme generates a pair of private and public keys for ECDH [21, 22] () as described in Section 3.4.(P4)The two keys and are preloaded into . is not shared with any cluster heads or sensor nodes other than . are stored in the database of . In the hash chain setup phase described in Section 4.2, () are used for to establish a session key based on ECDH [21, 22].
When this phase is completed, (, ) and are preloaded into . (, ) and are preloaded into . The private key of , , and the private key of , , are secret parameters that cannot be shared with other nodes.
4.2. Hash Chain Setup Phase
In the hash chain setup phase, generates a hash chain to be used in the key establishment phase discussed in Section 4.3. If the number of elements in the hash chain is , during sessions, the hash chain setup phase is performed once only in the first session, and the key establishment phase is performed times in total, once in each session from the second to the th session. In this phase, when transmits the first element of the hash chain, , with its signature to , verifies that is generated by and is not altered during the transmission using the signature. Figure 3 depicts the hash chain setup phase. The detailed process of this phase is as follows (steps (H1) to (H11)):(H1) generates private keys used for ECDH [21, 22] of sessions. Then, computes public keys () corresponding to the private keys.(H2) generates a single hash chain containing elements, as shown in Figure 2, using the public keys (). First, computes the hashed value of ; that is, , and it then computes the following values in order, :(H3) signs the first element of the hash chain () using its private key ; that is, , where is the identity of , and is the current timestamp of system. Then, transmits the message to .(H4) determines if , where is the current timestamp of system, and is the maximum permitted transmission delay time. If , then the next step proceeds; otherwise, this phase is aborted.(H5) verifies using the preloaded public key ; that is, performs . If the verification is successful, then the next step is performed.(H6) compares the hashed value of and with . In , it is very difficult to compute or from because of the characteristics of the oneway hash function. Therefore, can verify that and are generated by and not altered during the transmission by verifying . If the verification is obtained, then stores , and the next step will be performed.(H7) generates a pair of private and public keys for ECDH [21, 22] in the next session.(H8) computes the session key for this first session. Then, replaces with .(H9) encrypts and using the session key ; that is, it performs , where represents the data that wants to transmit to in this session. Then, transmits the message to .(H10)Upon receiving the message from , finds from its database and then computes the session key .(H11) decrypts using . If the decryption is completed and the result values are correct, it means that the message sender computed the same session key as of . Therefore, can authenticate as the message sender and verify that the message is not altered during the transmission by checking the decryption result. will replace with in its database for the next session.
Our proposed scheme is more suitable for a network model wherein cluster heads are fixed and not selected from ordinary sensor nodes. In this case, the resources of cluster heads are usually richer than those of ordinary sensor nodes. Nevertheless, our scheme can still be applied to WSNs that perform random node deployment, clustering, or cluster head selection [51]. In the predeployment phase, our scheme preloads only three keys, that is, , , and , to the cluster head . Even though nodes in WSNs have limited memory, they do not require additional memory to store these three keys. Therefore, when the cluster heads are replaced, the scheme preloads three keys to all cluster head candidates in the predeployment phase. Then, only the selected cluster heads perform the hash chain setup phase in the field.
4.3. Key Establishment Phase
After the hash chain setup phase generates a hash chain with elements in the first session, the key establishment phase is performed for each session from the second session to the last, th session. transmits a key establishment request message including one element of the hash chain to . Then, verifies the message, generates the session key based on ECDH [21, 22], encrypts the data using the key, and transmits it as the response message to . If all verifications in this phase are passed successfully, and can share the same session key and encrypt/decrypt the data using the key. Figure 4 shows the process of the key establishment phase as follows (steps (K1) to (K7)):(K1) transmits the key establishment request message to .(K2) computes and verifies that , where is stored in the previous session. If the verification is passed, then replaces with , and the next step is performed.(K3) computes the session key .(K4) generates its new private and public keys and for the next th session and replaces with .(K5) encrypts and using the session key ; that is, , where is the data that wants to transmit to in this session, and is the identity of . Then, it transmits the response message to .(K6)When receives the message from , it finds from its database and computes the session key .(K7) decrypts using and determines whether or not the decryption result is correct. If the verification is passed successfully, can authenticate as the message sender and verify that the message was not altered during the transmission. replaces with in its database.
After exhausts the last element of the hash chain in the key establishment phase for the th session, the scheme performs the hash chain setup phase for a set of new sessions.
5. Security Analysis of the Proposed Scheme
The existing schemes are not able to protect past or future session keys if longterm keying materials are exposed to an attacker. The proposed scheme employs asymmetric key techniques to improve this problem, especially ECDH [21, 22], considering computation efficiency in cluster heads. Additionally, it employs the hash chain composed of digests of public keys generated by the gateway in order to resist MITM attacks or node impersonation attacks and to provide mutual authentication of two nodes and the verification of message integrity, considering computation and communication costs:(i)Data Encryption Using a Session Key. If the life cycle of WSN is much longer than the time required for an attacker to obtain cryptographic keys through cryptanalysis or hacking, it is better in terms of security to use the session key instead of a longterm key [15, 16, 56]. In the proposed scheme, or encrypts/decrypts the data using keys renewed in every session. Therefore, it is relatively more difficult for an attacker to guess cryptographic keys in our proposed scheme than in longterm keybased schemes because the information that he/she can obtain by eavesdropping messages is limited and valid in only one session. Furthermore, even when an attacker succeeds in guessing the cryptographic keys, the damage is significantly reduced because he/she can decrypt the data in only one session.(ii)Session Key Attacks. This attack is to obtain session keys by eavesdropping the messages exchanged between two nodes. In the key establishment phase of the proposed scheme, even if an attacker eavesdrops the key establishment request message transmitted from to , he/she cannot compute the session key. Even if he/she can extract the public key of , from the message, it is very difficult to compute the private key of , , because of the elliptic curved discrete logarithm problem (ECDLP) [21, 22]. Also, the private key of or , or , respectively, is not transmitted to other nodes in an insecure channel because it is a secure parameter. As a result, the attacker cannot decrypt or alter because he/she cannot compute the session key without knowing anything of the private keys of two nodes.(iii)Mutual Authentication. This means that one node should be authenticated as a legitimate node by another node with which it is in communication. After generates a hash chain in the hash chain setup phase, it transmits the first element of the hash chain, , and its signature, , to . verifies and using the public key of , . If the verification is passed, can authenticate as the sender of . An attacker cannot impersonate because he/she cannot forge the signature without knowing the private key of , . Meanwhile, generates the public key for the th session and transmits it to in the th session. Then, stores this in its database. When receives the message from in the next th session, it finds the public key of , , in its database and computes the session key . If can decrypt using , that is, if the result value of decryption is a correct plaintext, then can authenticate as the sender of the message . However, if fails to decrypt or the result value of decryption is a meaningless random value, the session key is the wrong value. In this case, cannot be sure that the message sender is .(iv)Node Impersonation Attacks. Node impersonation attacks in WSN mean that an attacker communicates with a legitimate node by impersonating a gateway, a sensor node, or a cluster head. In the proposed scheme, if or receives a message, it performs the authentication process of the message sender. Therefore, an attacker cannot impersonate or .(v)MITM Attacks. This means that a malicious node decrypts or alters the messages transmitted between two legitimate nodes. The proposed scheme resists MITM attacks by the mutual authentication between and and the verification of the received messages integrity. In the hash chain setup phase, when receives the message from , it checks if is the first element of the hash chain generated by ; that is, it verifies the signature of , . If this verification is passed successfully, it means that the message sender is and that the value of is not altered during the transmission. Each element of the hash chain, , is the digest of and , that is, . Other nodes except are not able to compute or from because is a oneway hash function. Therefore, after completes one verification of and , the following key establishment request messages can be successively verified using . That is, whenever receives the key establishment request message , it compares with the digest of and to verify the message integrity. As a result, an attacker cannot alter the first element of the hash chain, , because he/she cannot forge the signature of , . Also, he/she cannot alter the rest of the elements from to because of the characteristics of the oneway hash function. Meanwhile, the message transmitted from to is secure, unless the session key is exposed to the attacker because it is encrypted using the session key. Also, an attacker cannot alter this message without knowing the session key.(vi)Secrecy of Past or Future Session Keys. This means that an attacker should not be able to compute past or future session keys that were already used in the previous sessions or will be generated in the following sessions even when he/she obtains longterm keying materials. In the proposed scheme, and exchange their public keys, and , and generate the session key based on ECDH [21, 22]. The parameters stored in are and , where is a longterm key, and are values renewed in each session. When they are exposed to an attacker, past or future session keys are protected as follows. Even though an attacker obtains , he/she is not able to compute the private key because of the integer factorization problem [42]. That is, because he/she cannot forge the signature of , , he/she cannot alter transmitted from to . and are ephemeral keys renewed in each session. This means that replaces and with and , respectively, in the end of the th session. Assume the worst scenario in which an attacker obtains the private key, , between the th and th sessions through some methods. Even in this case, the proposed scheme can protect the data securely transmitted before and after the th session. For example, if an attacker knows the private key of , , and eavesdrops on the message of transmitted from to in the th session, he/she can compute the session key and decrypt the message using . However, he/she cannot obtain any more information to restore the other session keys except from the decryption result of , . As a result, the proposed scheme can assure the confidentiality of the data transmitted in all other sessions except the th session.(vii)Replay Attacks. This means an attacker stores messages transmitted on security protocols and transmits them again later. The proposed scheme resists replay attacks as follows: In the proposed scheme, the message transmitted from to is the message in the hash chain setup phase or the message in the key establishment phase. The former contains the current timestamp of system, , and is verified by the message receiver . The latter consists of the values that depend on the former because both are elements of a hash chain. Therefore, an attacker is not able to perform replay attacks using these messages. The message is transmitted from to as a response to the hash chain setup request of or to the key establishment request of . Therefore, an attacker cannot use this message for replay attacks.(viii)Node Capture Attacks. This means that an attacker physically captures some nodes deployed in WSN and extracts secret parameters from them for other attacks. In the proposed scheme, each cluster head generates a unique session key. Therefore, the links between uncompromised nodes are still secure even when one cluster head is compromised by node capture attacks. For example, assume that an attacker captures and extracts , , or from it. The public key of , , is preloaded into not only but also all cluster heads. However, an attacker cannot use it for any other attacks because he/she is not able to compute the private key from . Also, and are not shared with other nodes except , so the attacker cannot obtain other session keys except a session key between and using these two values.
Table 1 shows the comparison of the security in the proposed scheme and that in other schemes that have design requirements similar to ours. Table 1 shows which scheme is secure against possible attacks in key establishment schemes or provides security functionalities. This table shows that the proposed scheme is clearly improved in terms of security. In Appendices A through D, we review and analyze the security of the schemes proposed by Chen and Li and Lee and Kim.
 
Yes: the scheme resists the attacks or provides the functionality; No: the scheme does not resist the attacks or provide the functionality. Partially: “Yes” under the condition that the secret parameters stored in have not been exposed to an attacker. 
6. Energy Cost Analysis of the Proposed Scheme
In this section, we analyze the efficiency of the proposed scheme in terms of computation and communication costs. Computation costs refer to the number of times each operation is performed on a cluster head or a gateway system in a scheme. Communication costs refer to the number of messages exchanged between two nodes in a scheme. In a WSN, these two costs affect the energy consumption of nodes [28–30]. In addition, we compare the computation and communication costs of our scheme with those of existing schemes that are similar to ours in terms of design requirements or key establishment techniques.
We focus on the repeatedly performed phases, that is, the hash chain set up phase and the key establishment phase, and exclude the predeployment phase. The predeployment phase does not directly affect the efficiency because it is performed only prior to the deployment of sensor nodes and cluster heads in the field.
6.1. Computation Costs
Table 2 shows the kinds of operations and the number of times they are performed on a cluster head or gateway system in the proposed scheme during sessions. In the proposed scheme, the hash chain setup phase is performed once, and the key establishment phase is performed times:(i)When the hash chain setup phase is performed once, the gateway performs one signing of RSA signature ((H3) in Figure 3), data decryption ((H11) in Figure 3), and ECDH key exchange ((H10) in Figure 3) each. Moreover, the oneway hash operation ((H2) in Figure 3) and ECDH key generation ((H1) in Figure 3) are performed times each.(ii)When the hash chain setup phase is performed once, the cluster head performs one verification of RSA signature ((H5) in Figure 3), oneway hash operation ((H6) in Figure 3), data encryption ((H9) in Figure 3), ECDH key generation ((H7) in Figure 3), and ECDH key exchange ((H8) in Figure 3) each.(iii)When the key establishment phase is performed times, the gateway performs data decryption ((K7) in Figure 4) and ECDH key exchange ((K6) in Figure 4), times each.(iv)When the key establishment phase is performed times, the gateway performs oneway hash operation ((K2) in Figure 4), data encryption ((K5) in Figure 4), ECDH key exchange ((K3) in Figure 4), and ECDH key generation ((K4) in Figure 4) times each.

Table 3 also shows the types of operations and the number of times they are performed on a cluster head or gateway system in Lee and Kim’s scheme [17] during sessions. In terms of design requirements and key establishment techniques, our scheme is similar to that of Lee and Kim.

To analyze the energy costs of the proposed scheme, we define several notations as follows:(i): the energy cost of performing a signing of bit RSA signature.(ii): the energy cost of performing a verification of bit RSA signature.(iii): the energy cost of performing a SHA1.(iv): the energy cost of performing a bit AES encryption.(v): the energy cost of performing a bit AES decryption.(vi): the energy cost of performing a bit DHKE key generation.(vii): the energy cost of performing a bit DHKE key exchange.(viii): the energy cost of performing a bit ECDH key generation. (ix): the energy cost of performing a bit ECDH key exchange.
Potlapally et al. described the energy consumption of wellknown cryptographic algorithms and security protocols using the experimentation results in [28] (Table 5).
Table 4 shows the energy costs of our scheme and Lee and Kim’s scheme based on computation cost analysis of the two schemes and Potlapally et al.’s experimentation results. Assume that the cluster head transmits the total of byte data to the gateway during sessions. To perform the proposed scheme, the gateway uses about mJ , and the cluster head uses about mJ . Under the same conditions, to perform Lee and Kim’s scheme, the gateway uses about mJ , and the cluster head uses about mJ .
 
Energy cost comparison based on the experimental results in [28]. We assume that the cluster head transmits the total of byte data to the gateway during sessions. 
 
These values are the experimental results in [28], in which the cryptographic algorithms were developed on a Compaq iPAQ H3670 equipped with a 206 MHz Intel SA1110 StrongARM processor and 64 MB RAM. 
Given that the cluster heads are batterypowered, we have to focus more on the energy costs in the cluster head than in the gateway. Table 4 shows that the energy cost of the cluster head in our scheme is smaller than that in Lee and Kim’s scheme . Therefore, in terms of energy consumption based on computation costs, the proposed scheme is more efficient than Lee and Kim’s scheme. This can be attributed to the difference in the energy costs of the two key exchange algorithms, that is, bit ECDH and bit DHKE; bit ECDH and bit DHKE schemes have the same security level, but the energy consumption of the former is only onequarter that of the latter ( in Table 5) [28]. Meanwhile, the verification of RSA signature in the proposed scheme does not significantly affect the total energy costs of , even though the scheme is an asymmetric key technique. This is because, for sessions, the operation is performed only once in the hash chain setup phase and the verification is performed more efficiently than the signing in RSA signature ( in Table 5) [15, 28].
6.2. Communication Costs
Communication costs as well as computation costs affect the energy costs of cluster heads [29, 30]. In our scheme, the messages and are exchanged between the cluster head and the gateway in the hash chain setup phase, while the messages and are exchanged in the key establishment phase. That is, in the proposed scheme, two message exchanges are needed between the two nodes during one session, which is same as the number of messages in Lee and Kim’s scheme and less than the three messages in Chen and Li’s scheme. The proposed scheme minimizes the number of messages, considering that it provides all functions of session key establishment, node authentication, and data encryption.
7. Conclusion
In this paper, we propose a session key establishment scheme for clustered sensor networks based on ECDH [21, 22] and hash chain [23–27]. Our proposed scheme is secure against the possible attacks in key establishment schemes of WSN such as session key attacks, node impersonation attacks, MITM attacks, replay attacks, and node capture attacks. The scheme eliminates vulnerabilities of existing session key establishment schemes for WSN and provides secrecy of past or future session keys. Additionally, the proposed scheme is designed to minimize the number of messages for efficiency in terms of communication costs. Also, it is more efficient in terms of computation costs compared to other schemes based on asymmetric key techniques. Because of the efficiency of the proposed scheme, the cluster head requires less energy to operate.
Appendix
A. Review of Chen and Li’s Scheme
In Chen and Li’s scheme [16], two secret parameters and are preloaded in before deploying nodes to the field. knows every secret parameter of cluster heads and sensor nodes in the network. After the nodes are deployed to the field, performs the following (CL1) to (CL10) in order to transmit the data to (in [16], Chen and Li’s scheme is composed of two parts of data transmission from the sensor node to the cluster head and from the cluster head to the gateway. Section II reviews only the latter considering our topic). In the first session, all the steps of (CL1) to (CL10) are performed. After the second session, the steps except (CL1) and (CL3) are repeated in each session. Figure 5 shows session key establishment between the gateway and the cluster head in Chen and Li’s scheme:(CL1) computes using its secret parameters and . will use the result value as the session key to communicate with .(CL2) transmits the message to to request the keys to decrypt the data received from the sensor nodes. Here, , where is the list of sensor nodes that sent the data, is the identity of , and is a random number generated by .(CL3)When receives the request message , it finds the secret parameters and of in its database and computes the session key .(CL4) decrypts using ; that is, .(CL5) computes , where is the identity of , is the decryption key list in regard to , and is a random number generated by . Then, it returns the response message to .(CL6)When receives the response message from , it decrypts the messages using key ; that is, . Then, compares with , where is a random number generated in step (CL2), and is a part of the decrypted results . If the verification is passed, the next step is performed.(CL7) decrypts each data received from sensor nodes using the decryption keys in the . Then, derives from the decrypted results to transmit them to .(CL8) encrypts using session key ; that is, . Then, it transmits the message to .(CL9) decrypts using when it receives the message ; that is, . Then, compares with . If the verification is passed, can use .(CL10) and separately compute the next session key and replace secret parameters and with and .
B. Cryptanalysis of Chen and Li’s Scheme
In the th session of Chen and Li’s scheme, or encrypts the message using the session key and then transmits it to the other node. Before the end of the session, two nodes separately compute the new session key for the next session and replace secret parameters and with and , respectively. The following analyzes the security of their scheme against possible attacks in key establishment schemes for WSN:(i)Session key attacks and MITM attacks: session key attacks mean that an attacker obtains session keys by eavesdropping the messages exchanged between two nodes. MITM attacks refer to attacks in which an attacker eavesdrops or alters the messages transmitted between two legitimate nodes. In Chen and Li’s scheme, an attacker cannot compute the session key using only the transmitted messages without knowing the secret parameters and , stored in .(ii)Node impersonation attacks: this attack means an attacker impersonates a gateway or a cluster head to communicate with legitimate nodes. Chen and Li’s scheme does not provide any node authentication process. However, an attacker cannot impersonate or without knowing the secret parameters such as or because the secret parameters are unique values for only and , and the two nodes encrypt/decrypt messages using the session keys derived from them.(iii)Secrecy of past session keys: this means that an attacker should be unable to compute the past session keys already used in the previous sessions even when the longterm keying materials are exposed to the attacker. In Chen and Li’s scheme, even if an attacker obtains and from because of the characteristics of the oneway hash function, he/she cannot recover the past session keys used in the previous sessions, that is, from the first session to the th session [16].(iv)Secrecy of future session key: this means that an attacker should be unable to compute the future session keys to be generated subsequent to the current session even when the longterm keying materials are exposed to the attacker. If an attacker obtains and of , he/she can compute the future session keys to be generated in the th and the following sessions. That is, their scheme cannot assure the confidentiality or integrity of all messages transmitted, since the th session until the system determines that the secret parameters of are compromised.(v)Node capture attacks: this means that an attacker captures sensor nodes or cluster heads deployed in the target field and uses secret parameters extracted from them for other attacks. Because and are derived from unique values and for , the link between uncompromised nodes is still secure even when an attacker captures and extracts the secret parameters and from it.
C. Review of Lee and Kim’s Scheme
Lee and Kim proposed a session key establishment scheme based on DiffieHellman key exchange (DHKE) technique [46] for secure communication between the gateway and the cluster head [17]. Before nodes are deployed in the field, a large prime for modulus operations, , and a primitive element, (), are stored in each cluster head and the gateway. After cluster heads are deployed in the field, procedure 1 is performed for the first session and procedure 2 is performed for the second and subsequent sessions. Figure 6 illustrates both procedures. In procedure 1, the following steps ((LK1) to (LK5)) are performed for key setup:(LK1)The cluster head computes the hashed value of , . Then, it generates a random number and encrypts and its identity using the key ; that is, . Then, transmits the key setup request message to .(LK2)Upon receiving the message from , computes the key and then decrypts using the key ; that is, . generates a random number and computes the session key .(LK3) computes and encrypts the result and its identity using the key ; that is, . Then, it returns the message to .(LK4)Upon receiving the message from , decrypts using the key . Then, computes .(LK5) encrypts using the session key and transmits the result to . Then, decrypts the message to obtain .
Procedure 2 comprises the following steps ((LK6) to (LK10)) and is performed for to transmit data to for the second and subsequent sessions.(LK6) generates a new random number and computes , where is the previous session key shared with .(LK7) computes a new session key , where is the random number received from in procedure 1.(LK8) computes and encrypts the result and using the key ; that is, . Then, it sends the message to .(LK9)Upon receiving the data request message from , decrypts using the key . Then, computes a new session key .(LK10) encrypts using the session key and then transmits the result to . Then, decrypts using the key to obtain .
D. Cryptanalysis of Lee and Kim’s Scheme
In procedure 1 of Lee and Kim’s scheme, and exchange their random numbers and in order to share the first session key ). In procedure 2, they compute the session key for the second and subsequent sessions, where is a new random number of , and . However, and are likely to be exposed to attackers because they are shared by not only and but also all cluster heads in the network, and they are longterm parameters used throughout the lifetime of the network. If and are exposed to an attacker, this scheme can be vulnerable to node impersonation attacks and MITM attacks and cannot assure the secrecy of future session keys. The following analyzes the security of Lee and Kim’s scheme against possible attacks in key establishment schemes for WSN:(i)Session key attacks: in this scheme, all the messages exchanged between and are encrypted with the key . Therefore, an attacker cannot restore session keys using only these messages without knowing secret parameters and .(ii)Node impersonation attacks and MITM attacks: upon receiving a message, or only determines whether the message is encrypted using the key without the message sender authentication process. Even if an attacker obtains the value of from other cluster heads excluding , he/she can compute the key and transmit data request messages to just like or can alter the messages.(iii)Secrecy of future session keys: stored in is a random number but is a longterm parameter that is not updated. If an attacker obtains after the th session ended, he/she can compute future session keys between and in the following sessions. In this case, confidentiality and integrity of the data encrypted using these session keys cannot be guaranteed.(iv)Replay attacks: this means that an attacker resends the messages transmitted on security protocols. In their scheme, neither checks random numbers or timestamps nor authenticates in order to resist replay attacks using the data request messages from . Therefore, an attacker can repeatedly broadcast one of the data request messages to cluster heads to cause DoS attacks in WSN.(v)Node capture attacks: in their scheme, if an attacker extracts the values of , , and from a cluster head in the target area, he/she can compromise even links with other cluster heads. This vulnerability causes more serious problems when new cluster heads are added for expansion or changes in the network. When a new cluster head starts procedure 1 for key setup, and the new cluster head exchange their random numbers after encrypting them using the key . If an attacker already knows the key through node capture attacks against existing cluster heads, he/she can perform node impersonation attacks, MITM attacks, and so forth by eavesdropping the exchanged messages or altering the random numbers.
Notations
:  Gateway node 
:  th cluster head 
:  Identity of 
:  Identity of 
:  Private and public keys of for RSA signature scheme [42] 
:  Private and public keys of for elliptic curve DiffieHellman key exchange (ECDH) [21, 22] 
:  Signing of a message with a key in RSA signature scheme [42] 
:  Verification of a message and its signature with a key in RSA signature scheme [42] 
:  Encryption of a plaintext using a symmetric key 
:  Decryption of a ciphertext using a symmetric key 
:  Oneway hash function 
or :  Random number generated by or 
:  Data that transmits to in the th session 
:  Session key for the th session 
Concatenation operation  
or :  Verification operation 
or :  Current timestamp of or 
:  The maximum of transmission delay time permitted. 
Competing Interests
The authors declare that they have no competing interests.
Acknowledgments
This work was supported by Institute for Information & Communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (no. R0126151111, The Development of Riskbased Authentication Access Control Platform and Compliance Technique for Cloud Security).
References
 J. Yick, B. Mukherjee, and D. Ghosal, “Wireless sensor network survey,” Computer Networks, vol. 52, no. 12, pp. 2292–2330, 2008. View at: Publisher Site  Google Scholar
 I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communications Magazine, vol. 40, no. 8, pp. 102–114, 2002. View at: Publisher Site  Google Scholar
 P. Porambage, C. Schmitt, P. Kumar, A. Gurtov, and M. Ylianttila, “Pauthkey: a pervasive authentication protocol and key establishment scheme for wireless sensor networks in distributed IoT applications,” International Journal of Distributed Sensor Networks, vol. 2014, Article ID 357430, 14 pages, 2014. View at: Publisher Site  Google Scholar
 M. K. Khan and K. Alghathbar, “Cryptanalysis and security improvements of ‘twofactor user authentication in wireless sensor networks’,” Sensors, vol. 10, no. 3, pp. 2450–2459, 2010. View at: Publisher Site  Google Scholar
 D. Nyang and M.K. Lee, “Improvement of das's twofactor authentication protocol in wireless sensor networks,” IACR Cryptology ePrint Archive, vol. 2009, p. 631, 2009. View at: Google Scholar
 J. Nam, M. Kim, J. Paik, Y. Lee, and D. Won, “A provablysecure ECCbased authentication scheme for wireless sensor networks,” Sensors, vol. 14, no. 11, pp. 21023–21044, 2014. View at: Publisher Site  Google Scholar
 J. Kim, D. Lee, W. Jeon, Y. Lee, and D. Won, “Security analysis and improvements of twofactor mutual authentication with key agreement in wireless sensor networks,” Sensors, vol. 14, no. 4, pp. 6443–6462, 2014. View at: Publisher Site  Google Scholar
 W. Jeon, J. Kim, J. Nam, Y. Lee, and D. Won, “An enhanced secure authentication scheme with anonymity for wireless environments,” IEICE Transactions on Communications, vol. 95, no. 7, pp. 2505–2508, 2012. View at: Publisher Site  Google Scholar
 S. A. Camtepe and B. Yener, “Key distribution mechanisms for wireless sensor networks: a survey,” Tech. Rep., Rensselaer Polytechnic Institute, Troy, NY, USA, 2005. View at: Google Scholar
 Y. Lee, S. Kim, and D. Won, “Enhancement of twofactor authenticated key exchange protocols in public wireless LANs,” Computers & Electrical Engineering, vol. 36, no. 1, pp. 213–223, 2010. View at: Publisher Site  Google Scholar
 B. Lai, S. Kim, and I. Verbauwhede, “Scalable session key construction protocol for wireless sensor networks,” in Proceedings of the IEEE Workshop on Large Scale RealTime and Embedded Systems (LARTES '02), p. 7, December 2002. View at: Google Scholar
 L. Eschenauer and V. D. Gligor, “A keymanagement scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 41–47, Washington, DC, USA, November 2002. View at: Google Scholar
 Y. Wang, G. Attebury, and B. Ramamurthy, “A survey of security issues in wireless sensor networks,” IEEE Communications Surveys and Tutorials, vol. 8, no. 2, pp. 2–23, 2007. View at: Publisher Site  Google Scholar
 M. Eltoweissy, M. Moharrum, and R. Mukkamala, “Dynamic key management in sensor networks,” IEEE Communications Magazine, vol. 44, no. 4, pp. 122–130, 2006. View at: Publisher Site  Google Scholar
 C. Paar and J. Pelzl, Understanding Cryptography: A Textbook for Students and Practitioners, Springer Science & Business Media, 2009.
 C.L. Chen and C.T. Li, “Dynamic sessionkey generation for wireless sensor networks,” EURASIP Journal on Wireless Communications and Networking, vol. 2008, no. 1, Article ID 691571, 2008. View at: Publisher Site  Google Scholar
 S. Lee and K. Kim, “Key renewal scheme with sensor authentication under clustered wireless sensor networks,” Electronics Letters, vol. 51, no. 4, pp. 368–369, 2015. View at: Publisher Site  Google Scholar
 G. Zhao, “Wireless sensor networks for industrial process monitoring and control: a survey,” Network Protocols and Algorithms, vol. 3, no. 1, pp. 46–63, 2011. View at: Publisher Site  Google Scholar
 O. K. Sahingoz, “Large scale wireless sensor networks with multilevel dynamic key management scheme,” Journal of Systems Architecture, vol. 59, no. 9, pp. 801–807, 2013. View at: Publisher Site  Google Scholar
 B. Premamayudu, K. V. Rao, and P. S. Varma, “A novel pairwise key establishment and management in hierarchical wireless sensor networks (HWSN) using matrix,” in ICT and Critical Infrastructure: Proceedings of the 48th Annual Convention of Computer Society of India—Vol I, pp. 425–432, Springer, 2014. View at: Publisher Site  Google Scholar
 N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203–209, 1987. View at: Publisher Site  Google Scholar  Zentralblatt MATH  MathSciNet
 V. S. Miller, “Use of elliptic curves in cryptography,” in Advances in Cryptology—CRYPTO '85 Proceedings, vol. 218 of Lecture Notes in Computer Science, pp. 417–426, Springer, 1986. View at: Publisher Site  Google Scholar  MathSciNet
 J. Deng, R. Han, and S. Mishra, “Secure code distribution in dynamically programmable wireless sensor networks,” in Proceedings of the 5th International Conference on Information Processing in Sensor Networks (IPSN '06), pp. 292–300, ACM, Nashville, Tenn, USA, April 2006. View at: Publisher Site  Google Scholar
 P. K. Dutta, J. W. Hui, D. C. Chu, and D. E. Culler, “Securing the deluge network programming system,” in Proceedings of the 5th International Conference on Information Processing in Sensor Networks (IPSN '06), pp. 326–333, Nashvill, Tenn, USA, April 2006. View at: Publisher Site  Google Scholar
 S. Lee, H. Kim, and K. Chung, “Hashbased secure sensor network programming method without public key cryptography,” in Proceedings of the Workshop on WorldSensorWeb (WSW '06), Boulder, Colo, USA, 2006. View at: Google Scholar
 P. E. Lanigan, R. Gandhi, and P. Narasimhan, “Sluice: secure dissemination of code updates in sensor networks,” in Proceedings of the 26th IEEE Internationa26th IEEE International Conference on Distributed Computing Systems (ICDCS '06), p. 53, IEEE, July 2006. View at: Publisher Site  Google Scholar
 M. L. Das and A. Joshi, “Dynamic program update in wireless sensor networks using orthogonality principle,” IEEE Communications Letters, vol. 12, no. 6, pp. 471–473, 2008. View at: Publisher Site  Google Scholar
 N. R. Potlapally, S. Ravi, A. Raghunathan, and N. K. Jha, “A study of the energy consumption characteristics of cryptographic algorithms and security protocols,” IEEE Transactions on Mobile Computing, vol. 5, no. 2, pp. 128–143, 2006. View at: Publisher Site  Google Scholar
 W. Wang, S. Zhang, G. Duan, and H. Song, “Security in wireless sensor networks,” in Wireless Network Security, pp. 129–177, Springer, Berlin, Germany, 2013. View at: Google Scholar
 J. P. Walters, Z. Liang, W. Shi, and V. Chaudhary, “Wireless sensor network security: a survey,” in Security in Distributed, Grid, Mobile, and Pervasive Computing, Y. Xiao, Ed., vol. 1, p. 367, 2007. View at: Google Scholar
 G. Wang, S. Kim, D. Kang, D. Choi, and G. Cho, “Lightweight key renewals for clustered sensor networks,” Journal of Networks, vol. 5, no. 3, pp. 300–312, 2010. View at: Publisher Site  Google Scholar
 H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of IEEE Symposium on Security and Privacy, pp. 197–213, Berkeley, Calif, USA, May 2003. View at: Google Scholar
 W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili, “A pairwise key predistribution scheme for wireless sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 2, pp. 228–258, 2005. View at: Publisher Site  Google Scholar
 D. Liu, P. Ning, and R. Li, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005. View at: Publisher Site  Google Scholar
 R. Blom, “An optimal class of symmetric key generation systems,” in Advances in Cryptology, pp. 335–338, Springer, Berlin, Germany, 1985. View at: Google Scholar
 C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, “Perfectlysecure key distribution for dynamic conferences,” in Advances in Cryptology—CRYPTO' 92: 12th Annual International Cryptology Conference Santa Barbara, California, USA August 16–20, 1992 Proceedings, vol. 740 of Lecture Notes in Computer Science, pp. 471–486, Springer, Berlin, Germany, 1993. View at: Publisher Site  Google Scholar
 M. Eltoweissy, A. Wadaa, S. Olariu, and L. Wilson, “Group key management scheme for largescale sensor networks,” Ad Hoc Networks, vol. 3, no. 5, pp. 668–688, 2005. View at: Publisher Site  Google Scholar
 M. F. Younis, K. Ghumman, and M. Eltoweissy, “Locationaware combinatorial key management scheme for clustered sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 17, no. 8, pp. 865–882, 2006. View at: Publisher Site  Google Scholar
 M. Eltoweissy, M. H. Heydari, L. Morales, and I. H. Sudborough, “Combinatorial optimization of group key management,” Journal of Network and Systems Management, vol. 12, no. 1, pp. 33–50, 2004. View at: Publisher Site  Google Scholar
 C.L. Chen and I.H. Lin, “Locationaware dynamic sessionkey management for gridbased wireless sensor networks,” Sensors, vol. 10, no. 8, pp. 7347–7370, 2010. View at: Publisher Site  Google Scholar
 M. H. Eldefrawy, M. K. Khan, and K. Alghathbar, “A key agreement algorithm with rekeying for wireless sensor networks using public key cryptography,” in Proceedings of the International Conference on AntiCounterfeiting, Security and Identification (ASID '10), pp. 1–6, IEEE, Chengdu, China, July 2010. View at: Publisher Site  Google Scholar
 R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and publickey cryptosystems,” Communications of the ACM, vol. 21, no. 2, pp. 120–126, 1978. View at: Publisher Site  Google Scholar  MathSciNet
 W. Zhang, S. Zhu, and G. Cao, “Predistribution and local collaborationbased group rekeying for wireless sensor networks,” Ad Hoc Networks, vol. 7, no. 6, pp. 1229–1242, 2009. View at: Publisher Site  Google Scholar
 S. Guo and A.N. Shen, “A compromiseresilient pairwise rekeying protocol in hierarchical wireless sensor networks,” Computer Systems Science and Engineering, vol. 25, no. 6, pp. 397–405, 2010. View at: Google Scholar
 Y. Zhang, C. Wu, J. Cao, and X. Li, “A secret sharingbased key management in hierarchical wireless sensor network,” International Journal of Distributed Sensor Networks, vol. 2013, Article ID 406061, 7 pages, 2013. View at: Publisher Site  Google Scholar
 W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976. View at: Google Scholar
 J. Nam, K.K. R. Choo, S. Han, M. Kim, J. Paik, and D. Won, “Efficient and anonymous twofactor user authentication in wireless sensor networks: achieving user anonymity with lightweight sensor computation,” PLoS ONE, vol. 10, no. 4, Article ID e0116709, 2015. View at: Publisher Site  Google Scholar
 M. L. Das, “Twofactor user authentication in wireless sensor networks,” IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086–1090, 2009. View at: Publisher Site  Google Scholar
 C.T. Li, C.Y. Weng, and C.C. Lee, “An advanced temporal credentialbased security scheme with mutual authentication and key agreement for wireless sensor networks,” Sensors, vol. 13, no. 8, pp. 9589–9603, 2013. View at: Publisher Site  Google Scholar
 Y. Choi, D. Lee, J. Kim, J. Jung, J. Nam, and D. Won, “Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography,” Sensors, vol. 14, no. 6, pp. 10081–10106, 2014. View at: Publisher Site  Google Scholar
 W. R. Heinzelman, A. Chandrakasan, and H. Balakrishnan, “Energyefficient communication protocol for wireless microsensor networks,” in Proceedings of the 33rd Annual Hawaii International Conference on System Siences (HICSS '33), p. 10, January 2000. View at: Google Scholar
 J. Rehana, “Security of wireless sensor network,” Tech. Rep. TKKCSEB5, Helsinki University of Technology, Helsinki, Finland, 2009. View at: Google Scholar
 J. Zhang and V. Varadharajan, “Wireless sensor network key management survey and taxonomy,” Journal of Network and Computer Applications, vol. 33, no. 2, pp. 63–75, 2010. View at: Publisher Site  Google Scholar
 J. Sen, “A survey on wireless sensor network security,” International Journal of Communication Networks and Information Security, vol. 1, no. 2, 2010. View at: Google Scholar
 S. Lee and K. Kim, “Sensor authentication scheme for clustering routing protocols in wireless sensor networks,” in Proceedings of the IEEE Sensors, pp. 1819–1822, IEEE, November 2010. View at: Publisher Site  Google Scholar
 M. Stamp, Information Security: Principles and Practice, John Wiley & Sons, 2011.
Copyright
Copyright © 2016 Jiye Kim et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.