Recent Advances in Security and Privacy for Wireless Sensor Networks 2016
View this Special IssueResearch Article  Open Access
AtaUllah Ghafoor, Muhammad Sher, Muhammad Imran, Imran Baig, "Disjoint Key Establishment Protocol for Wireless Sensor and Actor Networks", Journal of Sensors, vol. 2016, Article ID 5071617, 15 pages, 2016. https://doi.org/10.1155/2016/5071617
Disjoint Key Establishment Protocol for Wireless Sensor and Actor Networks
Abstract
Key distribution is essential for providing secure communication between commercial and sensitive applications of wireless sensor and actor networks (WSANs). It becomes more challenging when any of the intermediate sensor nodes is compromised by the adversaries as the messages carrying secure keys will be exposed and links will be unreliable. This paper presents a Disjoint Key Establishment Protocol (DKEP) that does not require transmitting keys across the nodes. In DKEP, each node is preloaded with one row and one column from a matrix. After the deployment, indices for row and column are exchanged between the two nodes and values at intersection of row and column index will be used to calculate the key on each node. DKEP is verified by performing formal analysis using Rubin Logic and validated using simulations in NS2. Simulation results demonstrate the effectiveness and efficiency of DKEP compared to contemporary schemes in terms of reducing storage and communication cost and improving resilience against node compromise attacks. Moreover, the proposed scheme is implemented in a groupbased mobile application scenario for secure message exchange.
1. Introduction
Recent developments in sensing, actuation, computing, communication, and networking have led to the emergence of wireless sensor and actor networks (WSANs) [1â€“3] that allow autonomous and intelligent interaction with the environment. These networks employ number of miniaturized sensors with scarce resources (in terms of computation, communication, and energy) besides fewer powerful actor nodes. Sensors continuously monitor an event of interest and report it wirelessly to corresponding actors for coordinated action. Example applications include border protection, search and rescue, fire containment, and autonomous monitoring and maintenance of lifeline infrastructures [4]. Figure 1 depicts a typical WSAN environment. While most of these applications are critical, however, nodes are vulnerable to a number of attacks including node compromising, traffic capturing, and DOS attacks [5, 6]. Among others, secure key establishment is one of the most prominent barriers in deploying WSAN for sensitive applications.
Key establishment is indispensable for secure communication between distant nodes because key is used for encryption and decryption [7, 8]. In many applications, matrixbased key distribution schemes are preferred because transmission of actual key is not required and nodes can independently calculate keys. Most of the existing matrixbased schemes either share randomly selected rows and columns values [9â€“11] from precalculated secret and public matrices or some values based on a pattern [12] from the matrices.
The main problem in these schemes is that a compromised node can reveal the rows and columns transmitted through it. At intermediate nodes, message is decrypted to plain text and then encrypted again using symmetric key of next node on the path. These messages cannot be encrypted because there is no prior end to end key between two distant nodes. The link is compromised before its establishment and many schemes such as [8â€“12] suffer from key exposure problem. Moreover, most of the existing schemes only rely on nonformal (i.e., simulations) approaches for validation and hardly employ formal techniques for verifying the correctness.
Formal methods are advanced mathematical mechanism that are based on some computer tools for designing a system model and then apply the formal specifications. The use of formal specifications has evolved in past few years with the advent of new analyzing tools to verify the characteristics of network and security protocols. Informal methods cause a number of ambiguities during the implementation phase where bugs are produced due to misinterpretation of steps [13]. Different formal modeling techniques including BAN Logic [14], PCL [15], and Rubin Logic [16] are used for formalizing the security schemes for the verification of authentication, integrity protection, send, receive, formatting, and key freshness.
This paper presents a Disjoint Key Establishment Protocol (DKEP) for secure communication between nodes. In DKEP, only row and column indices are exchanged along with nonce and timestamp between sender and receiver instead of complete row and column values. After receiving these credentials, sender and receiver identify the common values at the intersection of rows and columns and then obtain the symmetric key taking XOR with exchanged credentials. Both the nodes simultaneously obtain keys in a disjoint manner. It increases the security level because adversary will not be able to reveal the key from the transmitted messages because actual key is never transmitted on the network. We use formal approach to verify the correctness and validate the performance of the proposed protocol. Rubin logic [16] is used for formal modeling of DKEP protocol for verifying and analyzing the operation. Moreover, performance of DKEP is validated using simulation in NS2.35. Simulation results demonstrate the performance supremacy of DKEP over contemporary schemes in terms of resilience against malicious nodes, storage, and communication costs. The performance results encourage using DKEP for many applications. We also implement DKEP to demonstrate its suitability for securing mobile applications.
The rest of the paper is organized as follows: Section 2 highlights some of the existing schemes related to this work. System model is described in Section 3. Section 4 describes the working of DKEP in various scenarios. Formal modeling and analysis of the proposed protocol using Rubin Logic are presented in Section 5. Simulation results and analysis are discussed in Section 6. Implementation of the proposed protocol on android based mobile phones is discussed in Section 7. Finally, the conclusion and future works are discussed in Section 8.
2. Related Work
Key management is mandatory for secure sharing of information among different nodes in the network by using encryption and decryption. Generally, key management schemes can broadly be categorized into asymmetric and symmetric, while the former provides higher degree of confidence to communicate securely over any open channel since it does not require transmitting private key for message decryption. However, it may not be suitable for resourceconstrained sensor nodes as it requires high processing time (i.e., computationally slow) which reduces transmission speed. On the other hand, later is more appropriate for WSN as it uses same shared key for message encryption and decryption. However, secure key distribution over insecure channels is a challenging task especially in missioncritical application as some of the intermediate nodes might be compromised by the adversary. Few recent studies have investigated the challenges of key management in WSN [17, 18]. However, most of the existing key establishment schemes are proposed in the context of wireless sensor networks (WSNs) which may not be directly applicable to WSAN because of various unique characteristics such as actor mobility. Unlike most existing schemes, we focus on devising a matrixbased key establishment scheme that does not require directly exchanging the key between the communicating nodes. Therefore, we limit our discussion on matrixbased symmetric key establishment schemes afterwards.
Blomâ€™s proposed a matrixbased symmetric key establishment scheme that contained a public matrix with a size of , where is network size and is level of security because Blomâ€™s scheme was secure [9]. Secret matrix of size and matrix of size is generated where is transpose. Sink node preloads a row from a matrix and a column from matrix in each sensor. During key establishment between sender and receiver , each node exchanges its column with neighbors in a plain text. Key is calculated by multiplying â€™s row with â€™s column as described in (1), where and are row and column indices. Due to symmetric matrix, keys calculated at both nodes are the same: that is, :Blomâ€™s scheme is secure and an adversary needs to compromise nodes to compromise rows of matrix for calculating a number of keys between any two nodes in the network. Blomâ€™s scheme increases memory storage, communication, and computation overheads. However, our scheme only exchange single rows and column indices and hence reduces storage, communication, and computational overheads. Moreover, our scheme is not nodes resistant and adversary cannot access other keys by compromising even a large number of nodes. The author in [10] proposed a modified Blomâ€™s scheme (MBS) where Vandermonde matrix [19] was replaced by adjacency matrix. It was filled with 1â€™s and remaining 0â€™s were replaced by where was a prime number. It supposed a network size of 6 nodes with = 3 and . An adjacency matrix of size with was generated and then matrix was created by taking means 6 Ã— 4 submatrix from the adjacency matrix. A secret matrix of size means 4 Ã— 4 is generated to calculate of size which means 6 Ã— 4 where is transpose as elucidated in (2) which is taken from scheme.
Modified Blomâ€™s scheme using adjacency matrix is as follows:Sink node loads only a single row from matrix where row equals sensor that is, second row is loaded in sensor 2. In this scheme, column from adjacency matrix is not loaded in sensor because it can be calculated at node during key establishment. Sender can set up a key by multiplying row and column whereas receiver multiplies row and column where and are node and indices for rows and columns as well. It reduces storage overhead but the scheme is still secure. Moreover, if an adversary captures a row of matrix from some compromised node then key could be calculated by multiplying with column from identity matrix. Column can be extracted from sender or receiver .
Khan et al. proposed a symmetric key establishment scheme [20] where a symmetric matrix is used along with a generator matrix having maximum rank distance (MRD) codes. A symmetric matrix of size , where represents number of symbols over a finite field. Sensors of count are deployed in groups where each group contains nodes with . It also prepares number of generating matrix with a size of where represents degree of finite field. First group will get a vector of elements from this matrix and same is the case for other groups. After that key spaces matrix is generated for . Sensors of particular group are preloaded with a row from respective matrix and a seed value from secret matrix . After deployment, each sensor broadcasts its and a seed for the column from the matrix . Each receiving sensor calculates the column from the provided seed value and then multiplies it with its own row preloaded from matrix to calculate the key. Group formation improves the connectivity and reduces storage cost for matrix values and set up a link key between sender and receiver. It achieves node joining mechanism without changing existing values stored at nodes. Instead of seed, our scheme only transmits row and column indices to save communication cost. This scheme is limited for key establishment between the groups only and cross group or across the network communication will require calculating new matrices. Our scheme achieves cross WSN key establishment with very little storage cost. Chances of duplication are eliminated because in case of same timestamp, there is different nonce and cross sectional values that are used to generate a different key. Matrix of same values and size like Î± Ã— Î± should be loaded in sensor located at different deployments of WSNs where value of Î± is fixed in all categories of networks.
The authors in [21] devised a naÃ¯ve scheme for key distribution using unital design theory where a unital in geometry is represented as set consisting of points that are divided into subsets having a size of . It also imposes a condition that all pairs of distinct points of main set should be present in one subset. A unital is represented as design where author used a matrix with 9 points and 3 subsets with each pair of unique points existing in exactly one subset. The basic unital design and mapping to keying provide less probabilities in terms of key sharing; therefore, authors improved the unital design for achieving better network scalability and high key sharing probabilities. It achieves a better scalability and connectivity while providing secure key distribution and also reduces storage overhead. Our scheme reduces the risk of low percentage of finding common keys sharing among neighbors for establishing a secret key in larger networks. The proposed model also allows communication among different WSNs that are deployed nearby and rows and columns taken from a common matrix.
Parakh and Kak proposed a Symmetric Matrixbased Keying (SMK) scheme that preloads a sensor node with a rowcolumn pair from and matrices and , where is an symmetric matrix with as network size [11]. The same row and column are loaded from two different matrices. For example, th row and column are loaded from and matrices. For key establishment, nodes and exchange columns of and then calculate the key using (3) where is the row preloaded at and is column received from at :Matrices and are generated by taking as a square and nonsingular matrix and then calculate . Another approach is to calculate bivariate polynomials where size of and matrices is less than matrix as illustrated in (4) that is redrawn from scheme.
Calculation of and matrices is as follows:Authors also proposed a new Commuting Matrixbased Keying (CMK) scheme to eliminate the use of symmetric matrix and select matrices and with a condition that , where matrix is symmetric. Each node was preloaded with randomly selected th row of and th column of matrix . For key establishment, nodes and exchange columns of matrix . calculates key by taking hash of concatenated with as illustrated inQuorum based key Management Scheme (QKM) [12] requires preloading a subset of key matrix in each sensor. For key establishment, sender and receiver find a common key using preloaded subset of secret matrix as shown in Figure 2 taken from scheme.
After that both the nodes generate random number and then exchange it by encrypting with common key. Shared key is obtained by calculating XOR of common key along with random values using (6). Similarly sensor node also obtains the shared key that is used for future secure message transmission:Dai and Xu provided a key distribution scheme using matrix [22] where two groups of polynomials are selected from a pool to create lower and upper triangular matrices and , respectively. In case of a 3 Ã— 3 matrix six polynomials are selected for each and matrices. It imposes a condition that the product of and should result in a symmetric matrix . Each sensor is preloaded with one row of and one column of where row and column index number should be same like th row of and th column of . After deployment, any two sensors and initiate the key establishment process by exchanging their rows and with each other. After that, obtains the key and obtains the key by multiplying the row of other sensors with their own column. The row and column are from symmetric matrix; therefore, the same key will be generated at both nodes. Our scheme also loads one row and one column but we relax the restriction that row and column index should be the same. Sensors can have randomly selected row and column indices. Moreover, we do not exchange row or column values because it increases communication overhead; instead we share indices only. In this scheme, row and column values are directly used to calculate the secret keys and compromising a row through traffic analysis attack can expose the large amount of actual keys. In our scheme, row and column values are just used to get a common value and then nonce and time stamp are also used to generate a unique key which is not entirely dependent of row and column values.
In existing schemes, communication across the WSAN is not supported due to confined set of key pools that support specific number of network size. After that, the chances of key duplication increases. Size of matrix increases for larger networks and hence becomes infeasible in terms of storage for ordinary sensor nodes. Our scheme will resolve it by using a matrix with a fix size and values like a WSN_{1} with 2000 nodes and WSN_{2} with 1400 nodes. The matrix size and values should remain the same across the network.
3. System Model
This section elaborates the possible key exchange scenarios. We consider WSAN model in which actors are responsible for managing sensors in their cluster. Both sensors and actors are randomly deployed and they exchange security credentials once the network is set up. Sensors are stationary while actors can move on demand. Afterwards, any two nodes can distribute the key using DKEP procedure where an actor node is considered first priority to act as the intermediate node between sender and receiver. In other scenarios, ordinary sensor nodes or mixer of both is used as intermediaries between distant sender and receiver. We have considered scenarios where an actor is either stationary or mobile to collect desired data from sensor nodes. We assume that an actor contains the symmetric keys of all the sensor nodes in the network, and the sink node maintains a list of all actors and sensor nodes. It is also assumed that an intrusion detection system is available to detect the malicious nodes.
We consider four possible scenarios for message exchange between sender and receiver containing security parameters. In the first scenario, and can directly exchange messages when both are within direct communication range of each other. In second scenario, an actor serves as an intermediary between and when they are not within range of each other as shown in Figure 3. In third scenario, both and belong to different clusters managed by the actors and , respectively, which require intercluster communication as illustrated in Figure 3.
In the fourth scenario we have considered that multiple WSANs are deployed in a region to perform activities for different categories of applications. Actors and are not in direct communication range and want to communicate for establishing secret key between distant nodes located in different WSAN. In this scenario, an intermediate ordinary sensor node named gateway node (GN) which is located at common boundary of both WSAN can exchange messages to a distant receiver via as illustrated in Figure 4. The GN receives key messages from and and then proceeds with key establishment. It does not use an actoractor link during such type of communication. Node transmits encrypted message to that decrypts the message and then reencrypts it with a key established between and the GN. Similarly, GN decrypts and reencrypts the message to forward towards actor that further transmit to receiver . After exchanging security parameters, both the nodes simultaneously perform XOR to obtain the keys.
This work is also applicable to mobile environments such as mobile ad hoc networks and vehicular ad hoc networks where same sized matrix can be preloaded on all devices. Most of the modern WSN applications such as [23] have to be integrated with other networks which may require establishing keys across the network. For example, the proposed DKEP can provide such ability to establish keys in these networks.
4. Disjoint Key Establishment Protocol (DKEP)
This section elaborates our proposed DKEP protocol. Key exchange between the communicating parties including sender, receiver, actor, and intermediaries is discussed in this protocol to ensure the secure transmission. Message structure for encryption and decryption procedure is elucidated in stepwise manner along with security parameters that are part of message. Role of message authentication code (MAC) is also highlighted to ensure integrity for each message. Finally key establishment procedure is explored. Moreover, the key establishment scenarios for sensorsensor and actoractor are illustrated briefly to show relevant steps of DKEP in those cases. A brief description for all notations used in proposed DKEP is provided in Notations.
In DKEP, security credentials are exchanged using intermediaries to obtain actual key at sender and receiver. We have used a matrixbased approach for key establishment scheme that securely distributes the key without transmitting the actual key on the network. Key distribution begins when rows and columns are taken from matrix where Î± is selected as per security requirement and much less than cluster size. Before deployment, each node is preloaded with randomly selected rows and columns. After deployment, rows and column indices and security credentials can be exchanged between the sender and receiver. After receiving the parameters, both nodes decrypt the message, check message freshness by comparing timestamps, and check message integrity by using hash values. After that, common values are located at intersection of row and column indices. Finally the key is obtained simultaneously on both nodes by taking XOR of parameters and the common values as illustrated in Figure 5 where and represent sender and receiver.
This section provides the detailed discussion on secure key distribution protocol for second scenario discussed earlier in Section 3. Key distribution process begins when sender node encrypts message using preestablished key between sender and actor as illustrated in (7). In the message, is row index, is column index, is timestamp, is the nonce from node , and hash of values is also concatenated: Sender node sends the message to the actor node . The message is decrypted by actor to extract the values as illustrated inActor node checks the message freshness by calculating difference of systemâ€™s timestamp with and then comparing with threshold value. In case of successful result, actor checks integrity of message by concatenating and then taking hash of values to compare it with hash value in the message. Finally the message is reencrypted using key preestablished between actor and receiver as shown inActor node sends the message to the receiver . The message is decrypted by receiver to extract the values as illustrated inSimilarly receiver validates the freshness and integrity of message. In case of success, sends a message ( after encrypting with key preestablished between sender and actor as illustrated in (11). In the message, is row index, is column index, is timestamp, is the nonce from node , and hash of these values is also concatenated:Receiver responds to the actor with a message for forwarding to node . The message is further decrypted by the actor to extract the values as illustrated inActor checks freshness and integrity of the message. In case of success a message is sent towards after encrypting it using key preestablished between actor and as shown in Actor node sends the message to the sender . The message is decrypted by to extract the values as illustrated in Symmetric key can be obtained after exchanging row and column indices along with timestamp and nonce values. The sender and receiver simultaneously obtain keys by taking XOR of two nonce values with time stamps and the common value as illustrated inIn this equation, represents XOR and is the set of values at intersection of rows and columns of two nodes, for example, row , column , and row , column as illustrated inFor example, node contains 5th row and 3rd column and node contains 4th row and 1st column; then . Both the nodes contain the row and column indices of each other; therefore, could be calculated using (16) on both nodes by identifying the values at intersection. Same values are selected at both sender and receiver . Moreover, same key value is obtained at both nodes and key is never transmitted on the network as illustrated in Figure 6. In case of sensorsensor key distribution scenario, there is no end to end key and messages are not encrypted as illustrated inIn case of actoractor key distribution scenario, actors are preloaded with three row and column pairs. During key establishment between and , one row and one column indices are randomly selected to exchange between them. After that, key is calculated usingIn DKEP, the communication is not stopped even if the actor is compromised or damaged. Only the routing paths that were using the actor as intermediary node are affected and an alternate node can be selected for that path by establishing on demand symmetric keys. It also reduces the memory overhead as compared to the existing cluster based schemes because each node does not require nodes at the beginning. The number of keys stored in the memory grows according to the on demand contact with other nodes of the cluster. This contact can be done only to route the query to neighboring nodes and then route the required data towards the sink node. If a node is compromised and its rows and columns are exposed to the attacker then attacker is not able to get those keys that were established particularly using these rows and columns. These keys were calculated by using one value from matrix and taking its XOR with the two nonce values with timestamp which are not stored in the permanent memory. It means nothing is revealed by retrieving the rows and columns. It also does not affect the keys in other nodes. It achieves much better resilience against node and traffic capturing attacks. In this way the key exposure problem at intermediate node is also resolved. It also ensures that any two distant nodes can establish keys securely and hence achieves much better connectivity. Moreover, the receiver transmits message using disjoint paths that confuse the traffic analysis attacker and strengthens the proposed scheme. If symmetric key is compromised from a node then intruder cannot recover any past keys established earlier or current keys between other nodes.
A possible variation in the scheme could be the use of lightweight public key cryptography like Elliptic Curve Cryptography (ECC) to secure only those key exchange messages that are shared between the ordinary nodes where actor nodes are not present nearby. In other scenarios discussed in system model, ordinary nodes encrypt the key exchange messages using preestablished secret keys between ordinary sensors and actor nodes.
5. DKEP Formal Specification
To verify correctness of DKEP, we use Rubin Logic [16] and performed stepwise formal modeling of the scheme. It verifies the proposed protocol for the standardized requirements of cryptographic functions including encryption, decryption, authentication, integrity protection, and freshness of message. Rubin Logic is equally applicable to verify the send, receive, and update operations performed during message exchange between distant nodes. This modeling technique includes the formalization steps that are similar to the flow of programming functions in real implementation of the scheme. A global set is maintained that contains information about entities, their roles, and global variables of protocol. The information saved in global set can be subdivided into observer, rule, secret, and principal sets. The schemes that provide stepwise discussion on formalization [24â€“26] of WSAN security protocols are illustrated in the form of case studies.
A list of notations is provided earlier in Notations to elaborate the symbols used to describe DKEP protocol. In this section, additional notations are included in Notations to further elaborate the symbols used in local set during formal specification of DKEP.
Each entity maintains a local set that is subdivided into possession set POSS, belief set BEL, seen set, and behavior List BL where detailed discussion is provided in [16, 27]. Local set for DKEP scenario is illustrated in Table 1 that includes the procedural steps performed at sender, receiver, and the actor individually. In this scenario, POSS() and BEL() sets explore the storage requirements during and after execution of protocol steps at sender node . Computational and communication oriented details of the DKEP are enumerated in BL(). All these steps are performed individually for each entity including , , and . It also highlights the parameters and operations that are performed during protocol implementation of the scheme using C language for adding it in NS2 protocols.
