Model checking has successfully been applied on verification of security protocols, but the modeling process is always tedious and proficient knowledge of formal method is also needed although the final verification could be automatic depending on specific tools. At the same time, due to the appearance of novel kind of networks, such as wireless sensor networks (WSN) and wireless body area networks (WBAN), formal modeling and verification for these domain-specific systems are quite challenging. In this paper, a specific and novel formal modeling and verification method is proposed and implemented using an expandable tool called PAT to do WSN-specific security verification. At first, an abstract modeling data structure for CSP#, which is built in PAT, is developed to support the node mobility related specification for modeling location-based node activity. Then, the traditional Dolev-Yao model is redefined to facilitate modeling of location-specific attack behaviors on security mechanism. A throughout formal verification application on a location-based security protocol in WSN is described in detail to show the usability and effectiveness of the proposed methodology. Furthermore, also a novel location-based authentication security protocol in WBAN can be successfully modeled and verified directly using our method, which is, to the best of our knowledge, the first effort on employing model checking for automatic analysis of authentication protocol for WBAN.

1. Introduction

Formal modeling and analysis on security protocols have gained worldwide attention in recent years, particularly with the proliferation of formal method with model checking [1] since Lowe successfully found a bug on NSPK protocol through modeling and verification using CSP model checking tool FDR [2]. Recently, model checking also achieved a great success on security protocol analysis and verification for wireless sensor networks (WSN) using the Dolev-Yao attack assumption model and some specific tools [3]. For example, Ballarini modeled S-MAC protocol using probabilistic model checking tool PRISM [4], and Saxena found a flaw on TinySec protocol using AVISPA model checking tool LEAP [5].

As a new kind of wireless network security protocol, some novel wireless body area networks (WBAN) authentication protocols also appeared recently, especially in pervasive healthcare applications. The sensor on human body is more quite limited than that of WSNs; therefore, authentication schemes based on symmetric key cryptography for WSNs, such as Tinysec [6], MiniSec [7], and uTESLA [8], are not suitable because of the limitations of computation, energy, and memory in WBAN nodes. Noncryptographic security schemes are then explored to be workable for authentication purpose in WBAN. For example, Cherukuri et al. are among the first to discover biometric-based authentication in wireless networks of biosensors implanted in human body [9].

The same question comes with the popularization of WBAN, that is, how to guarantee the security property of the claimed authentication protocol. Formal method such as model checking mentioned above is first of all expected for implementing automatic verification on the noncryptographic authentication protocols. However, there are many different model checking tools existing with different modeling languages, and the protocol modeling process for security verification is always rigorous and tedious that needs large professional knowledge and experience even if the final verification process could be automated using the corresponding tools. Therefore, developing some specific modeling language, as well as specific verification tool, for different application domains becomes a useful research topic and the trend of model checking technology. To the best of our knowledge, there is no research effort on formal specification and automatic verification tool specialized for security modeling and verification for both WSN and WBAN.

This paper just explores the latest model checking framework tool PAT [10], which supports building its own specific model checker, to develop a formal modeling and verification method for location-based specific kind of security protocols in WSN and WBAN. The rest of sections are organized as follows. Section 2 firstly introduces PAT and its modeling languages CSP#. In next section, a new data structure especially for modeling node mobility is proposed as well as the location supported specification language which is developed by extending CSP#. A detailed application on how to model and find a bug in one location-based authentication protocol of WSNs, using the proposed method, is illustrated in Section 4, and also a novel and successful application example on WBAN is finally discussed in Section 5.

2. Model Checking Using PAT

2.1. Basic Architecture of PAT

PAT (Process Analysis Toolkit) is a self-contained framework to support composing, simulating, and reasoning of concurrent, real-time systems and other possible domains. The architecture design of PAT is shown in Figure 1 [11], which has four layers separating the model checking process into three steps: compilation, abstraction, and verification. The four layers are introduced in the following:(1)Modeling Layer: this layer identifies the domain-specific language syntax and well-formedness rules as well as formal operational semantics. For example, CSP# language can be used to model system in this layer.(2)Abstraction Layer: abstract technique can be applied into systems in this layer. For instance, partial order reduction to reduce all possible interleave execution orders of parallel processing into a particular execution order is an effective abstract technique.(3)Intermediate Representation Layer: this layer converts the input model to some form of internal representations, which is the basis of the model checking algorithms.(4)Analysis Layer: this layer contains reusable model checking algorithms. For each intermediate representation in IRL, a set of algorithms are developed. For example, deadlock checking, reachability checking, LTL verification, and refinement checking have been developed for LTS. If the verification result is false, a counterexample can be produced, which is visualized via the simulator.Because of the high scalability, we can abstract modeling language which can be recognized by PAT directly. The language we abstract can be converted to model language automatically. Therefore, in this paper, the modeling language specific for location-based wireless sensor networks security protocols can be proposed.

2.2. CSP# Modeling Language

The model language CSP# (Communicating Sequential Programs) offers great flexibility on how to model network protocol. It supports low-level shared variables, arrays, and general programming syntax such as for and while. Also, it employs high-level modeling operators including parallel composition, interleaving, and asynchronous message passing channel. Furthermore, CSP# semantic framework supports an interpretation of state/event Linear Temporal Logic.

Now, we will introduce a case study on security verification using CSP# approach, Needham Schroeder Public Key Protocol. The model should contain two honest agents which send and receive message by each other. The views of protocol sequences are as in Algorithm 1.

’s view:
Message 1: sends to : // is the nonce produced by and pk is the public key of .
Message 2: gets from : // is the nonce produced by and pk is the public key of .
Message 3: sends to :
’s view:
Message 1: gets from :
Message 2: sends to :
Message 3: gets from :

CSP# can describe the running sequence of protocol as the input model for PAT. The processes representing the communication between and are in Algorithm 2.

Ini(sender, receiver, nonce) =
ca! receiver. nonce. sender. receiver -> //
ca? receiver. nonce. g1. sender ->
cb! receiver. g1. receiver -> //
Res(receiver, nonce) =
ca? receiver. g2. g3. receiver ->
ca! receiver. g2. nonce. g3 -> //
cb? receiver. nonce. receiver ->

As we can see, the processes described by CSP# are simple and easy to understand. The protocol employs public key system, where pk and pk are the public key of and and Na and Nb are the nonce produced by and .

3. Extending CSP# to Model Location Behavior

3.1. Node Mobility Specification

Considering the mobility of node, we should add the location information to the model of WSN. Therefore, a method to abstract node mobility is proposed which is based on CSP# extension. To represent the location information, a two-dimensional coordinate as a natural way is required (see Algorithm 3).

public class Location = ExpressionValue
   public int ;
   public int ;
   public int CalculateDistance(Location other)

Class location contains a two-dimensional coordinate of node; CalculateDistance() function is used to compute the Euclidean distance. We assume the location information of nodes , is and . The node transmission distance is represented by . If inequality is satisfied, the distance between and is just within an acceptable range.

In order to represent all the possible mobility, the following statement is required:: ; : @ (Init (Node, new Location ) ∣∣∣ Res (Node, new Location )).

The values of both and are between 0 and , and the total range is within a square whose length and width are . denotes value arbitrary choice, and denotes processes and running interleaved.

3.2. Data Structure-Based CSP# Extension

Using the location class, the key of node can be presented as shown in Algorithm 4.

public class Key = ExpressionValue
   public int Type;
   public int ID;
   public Location Loc;

Class key contains key information based on ID and location, where “type” denotes key type with public or private (see Algorithm 5).

public class KnowledgeSet = ExpressionValue
   public SortedList <MessageUnit, Object> list;

Class KnowledgeSet can store message knowledge in the process of protocol execution such as the random nonce and key information. MessageUnit denotes knowledge identification and object denotes what MessageUnit contains. For example, SortedList denotes node ’s location information.

Employing location, key, and knowledge, new data structure WSNNode can be further defined which is shown in Table 1.

WSNNode denotes an abstract WSN sensor, which contains information for the protocol such as node ID, , location, knowledge, and random nonce.

4. On Location-Based Security Protocol for Wireless Sensor Networks

4.1. Location-Based WSN Protocol Introduction

Wireless sensor networks are often deployed in unattended and hostile environments, leaving individual sensors vulnerable to security compromise. Therefore, Zhang et al. proposed a location-based compromise-tolerant security mechanism [12], which was designed on identity-based cryptography. It can effectively restrict the threat of attack to a limited range. The mechanism assumes a trusted authority (TA) does the following operations in the initial stage:(1)TA determines a -order additive group , a -order multiplicative group , and a pairing map . Select an arbitrary generator of .(2)Pick a random as the network master secret and set .(3)Choose two cryptographic Hash functions: and ; , .(4)Calculate for each node an ID-based key (IBK for short): public key and private key .Each node possesses its public key and private key denoted by and .

After the initial process, any two neighboring nodes should validate each other’s network membership. Figure 2 shows an instance of location-based neighborhood authentication, where node is the neighbor of both and , while and are nonneighbors of each other. Nodes and are taken, for example, to explain the neighborhood authentication process:(1): ,(2): ,(3): .

At start, node locally broadcasts an authentication request including its , location , and a random nonce . Upon receipt of such a request, node first needs to ascertain that the claimed location is in its transmission range by verifying if the Euclidean distance . If the inequality does not hold, node simply discards the authentication request; otherwise, unicasts a reply to node including , location , a random nonce , and an authenticated message computed as . Upon receiving the reply, node also first checks if . If the inequality is satisfied, finally returns to a message code computed as .

The keys used for generating the message codes actually satisfy the following equality:

Therefore, we can derive the following two results: and .

is possessed by node alone, so does . Therefore, we can guarantee can be computed only by node and can be computed only by node . Subsequently, node compares computed by itself with received through . If the two results are equal, node considers an authentic neighbor. As the same, if of node is equal to what sent, node regards node as an authentic neighbor as well.

4.2. Legitimate Sensor Node Modeling

The model of WSN security protocol contains two legitimate sensor nodes named and , where acts as protocol initiator and acts as protocol responder. We use two processes to describe them:: Initiator(senderNode, loc),information of node as input.: Responder(receiverNode, loc),information of node as input.

To model Zhang’s scheme, the finite-state machine is required to describe the state transition of the protocol. The state transition of initiator is shown in Figure 3, where the initial state - is supposed to skip to state - automatically, then broadcasts an authentication request to all nodes in range , and then reaches state - awaiting a response message from . Upon receipt of such a response, reaches state - to verify whether is in its transmission range. If it holds, sends a confirmation message to and reaches state -. After finishing aforementioned authentication process, reaches state again.

The same process as protocol responder is shown in Figure 4. Once receiving an authentication request, skips to state - to verify whether is in its transmission range. If it does not hold, returns to initial state -; otherwise, responds by a message and reaches state - awaiting the response message code. If time is out, returns back to state -. Upon the receipt of , reaches state - to verify the message code received from . If the code is confirmed, the authentication process is finished.

According to Figures 3 and 4, the main snippet codes of model are illustrated in Algorithm 6.

//the process of the initial :
Initiator(SenderNode, loc) =
    IniRunning_ -> //initialize paramenters
    ca!SenderNode. everyone ->
    cb?Node_. Sk_.pk_. Nonce. Nonce. CONSTANT_1 ->
    cc!SenderNode. Node__ID. Sk_. pk_. SenderNodeNonce. Node__Nonce. CONSTANT_2 ->
//the process of the responding :
Responder(ReceiverNode, loc) =
    ResInitial_   -> //initialize paramenters
    ca?Node_.everyone ->
    cb!ReceiverNode. Sk. pk. Node__Nonce. ReceiverNodeNonce. CONSTANT_1 ->
    cc?Node_. ReceiverNodeID. Sk_. pk_. Nonce. Nonce. CONSTANT_2 ->

Processes and communicate to each other through channels , , and . The statement !Node_x.everyone sends a message with the values of two expressions listed to channel.

4.3. Moving-Free Adversary Modeling

Adversary model should be the most complex part because of the node moving-free scheme. Combining Dolev-Yao model [13] and node moving-free scheme, this protocol is easy to break by an intruder in the following way:(1) intercepts the message sent between and .(2) sends to or messages by pretending to be a legitimate sensor node.(3) decodes to find the plaintext .(4) has much more powerful resources regarding energy and communication capacities than legitimate sensor nodes, so can communicate over a high bandwidth to legitimate sensor nodes whose locations are out of range.

The abstract modeling data structure WSNNode supports adversary modeling. The type of attack can be classified as intercepting and retransmission. can not only intercept every message sent from one node to another, but also resend messages intercepted or faked. The key snippet of adversary model is as shown in Algorithm 7.

Intruder() =
//intercept messages from channel , ,
   ca?Node_.to1 ->
      Node.addItem(); //intercept from channel and store knowledge decoded if possible.
    -> Intruder()
   cb?Node_.to2.K_q_1.N1h.N2h ->
      Node.addItem(); //intercept from channel and store knowledge decoded if possible.
    -> Intruder()
   cc?Node_.to3.K_q_2.N4h ->
      Node.addItem(); //intercept from channel and store knowledge decoded if possible.
    -> Intruder()
//resend message intercepted or faked a new message from the knowledge decoded.
   ca!(No.RandID()).everyone.(No.RandLoc()).(No.RandNonce()) -> Intruder()
   cb!(No.RandID())..(No.RandLoc()).(No.RandNonce()).(No.RandSk()).pk..(No.RandNonce()).CONSTANT_1 ->
cc!(No.RandID())..(No.RandSk()).pk...CONSTANT_2 -> Intruder();

Intruder stores messages intercepted and decoded into object by a function . After that, sends a new message combined by ID, Key, Location, and Nonce which are randomly selected.

The interfaces of message resending and faking are as follows: function is used to enumerate all the information knows. Function is used to enumerate all the location information decoded from interception message. Function selects a random nonce from object . Function is used to encrypt message by security key decoded from interception message. Using these functions can not only reduce the scale of modeling code, but also enhance the accuracy of modeling.

Intruder process runs infinitely to search all the state space. The symbols of the key code mentioned above are explained in Table 2.

4.4. Protocol Goal Property Specification

Linear Temporal Logic is applied in this paper to describe various properties that WSN security protocol should hold. The following variables are defined to facilitate the property specification:#define iniRunning (req_ == true), set to 1 when initial broadcasts the authentication request.#define iniCommit (ack_2_ == true), set to 1 when responder receives .#define resRunning (req_ == true), set to 1 when receives the authentication request.#define resCommit (ack_2_ == true), set to 1 when receives and verifies successfully.#define nodeMoved (moved_ == true ∣∣ moved_ == true), set to 1 when or is moved.#define MoveOutRadius (outRadius_ == true ∣∣ outRadius_ == true), set to 1 when or is out of the transmission range of each other.

Using the variables mentioned above, the protocol property can be described as follows:(1)Security: it requires that messages cannot be intercepted and decoded. We define formulas : ((!iniCommit) ∣∣ (! iniCommit U resRunning)) and : (( !resCommit) ∣∣ (! resCommit U iniRunning)) to ensure this property. If does not hold, it implies that there is an adversary intercepted message from to . If does not hold, it implies the adversary intercepted message from to .(2)Internal authentication property: the underlying assumption here is that adversaries do not move out of the transmission range of legitimate sensor nodes. We define formula : (nodeMoved -> <>(iniRunning -> resCommit) to ensure this property).(3)External authentication property: the adversaries, however, might move out of the transmission range of legitimate sensor nodes and they can communicate over a high bandwidth to legitimate sensor nodes. We define formula : (MoveOutRadius -> <>(iniRunning -> resCommit)) to ensure this property. It can judge adversary’s legality by verifying the security key based on location.

Here, denotes always, U denotes until, and <> denotes eventually.

4.5. Verification Results and Analysis

We have performed this verification in model checking tool PAT using two legitimate processes, adversary process and LTL formulae as input. The results of and are true, but results of and are false. The counterexample of and is generated in Figure 5.

The counterexample illustrated in Figure 5 shows that the process stops when sends the first message with location (3, 3). By comparing the initial location of calls (0, 0), it is clear that node cannot authenticate because of the location change of . Therefore, there is a bug in this location-based compromise-tolerant security mechanism so that it does not support the authentication when the node moves off.

5. Towards Authentication Protocol for Wireless Body Area Networks

5.1. Novel Authentication Scheme for WBAN

As we know, security in WBAN is the most important requirement to guarantee and protect the personal body parameters. Existing authentication schemes in WBAN typically use a single antenna, which are susceptible to environments. Recently, Chitra proposed SeAK, a light-weight secure device pairing protocol based on RSS obtained by dual-antenna transceivers [14]. The mechanism assumes there is one CU and one or more sensor devices to be authenticated. The CU, equipped with two antennas and , is the only device to authenticate other devices by its two spatially separated antennas.

The formalizing description of this protocol is as follows:(1) : (2) : () : () : .

The analysis steps of the protocol are introduced as below.

The CU sends a probe packet to the device E to be authenticated from antenna , including sending power , the location of CU , and a random number .

After receiving the packet sent by CU, device measures the RSS indicator (RSSI) of the packet and sends a response packet to CU. The computational formula of RSSI is

Here, denotes the distance between CU and device and denotes an index of energy.

Because of the mobility of device , should send a total of packets, and CU responds with packets by randomly switching between the two antennas and . Let represent the set of RSSIs measured by and let represent the set of RSSIs measured by .

The average RSSI difference is calculated as follows:

The CU compares RDavg with threshold . If is greater than , the device is confirmed as legitimate. Then, CU sends message to the device.

Figure 6 shows the layout of CU and sensor devices. Node denotes the attack node while node denotes legitimate node. The distances between and CU’s two antennas are and . As we can see, the difference between and is far smaller than and , because legitimate node is closer to CU than node .

5.2. Security Modeling and Verification
5.2.1. Protocol Specification

As we can see from Figure 6, the two antennas and of CU are separated by  cm. The two antennas are responsible for capturing the radio signals and then calculating the received power ratio which makes up the RSS value. As for devices and , the RSS values measured by and will result in a large difference as device is placed at a distance of which is much closer than device .

In the protocol, the RSS value is dependent only on the two distances between device and CU’s two antennas. The RSS value difference is big when the device is nearby to CU, in contrast to similar RSS value difference when device is far away from CU. This allows legitimate nearby devices to be distinguished from attacker faraway devices.

5.2.2. Attack Model

In the attack model, we assume an attacker can easily vary its transmission power to get authenticated as a legitimate device. In addition, the location of an attacker is removable. This makes the attack model be the most complex part. By extending Dolev-Yao model [9], this protocol is easy to break by an intruder using the following way:(1) increases the transmission power, so CU will consider it as an in-range node.(2) moves into the transmission range of CU; the RSS value difference will be smaller than that out of the range.(3) intercepts the message sent between CU and device .(4) sends to CU messages by pretending to be a legitimate sensor node.

The attack model can be divided into two parts; one is to intercept the message from the channel, and the other is to send messages to the channel which may be generated with intercepted knowledge. Here, we use the abstract modeling data structure WSNNode too (see Algorithm 8).

enum ;
#define RadiusCU 5;
#define Radius 3;
var<Location> lCU_1 = new Location (0, 0);
var<Location> lCU_2 = new Location (0, 1);
var<Location> lE = new Location (0, 6);

and are two spatially separated antennas and . The distance between and is 1 cm. denotes the initial location information of attacker. Function is used to enumerate all the information knows. denotes the legitimate transmission range of CU. denotes the available transmission range of intruder.

The behavior of intruder is uncertain, so the intrusion process may be actually an infinite loop. The key code of adversary model is as in Algorithm 9.

Intruder() =
  //sends to CU messages by pretending to be a legitimate sensor node
  ca!ID.(No.RandLoc()).CU_1 -> Intruder()
  ca!ID.(No.RandLoc()).CU_2 -> Intruder()
  //intercept messages from the channel
  ca?ID_.Loc_.ID_ -> Intruder()
  cb?ID_.Loc_.ID_ -> Intruder()

Here, is a function to enumerate all the information knows. is the who sends the message. and are the location information of sender node. and denote the of two spatially separated antennas and .

5.2.3. Security Property and Verification Results

As the same to WSN, we use LTL to describe the property which WBAN authentication protocol should hold. The following variables are again defined to facilitate the property specification:, set to true when the intruder sends an authentication request to CU., set to true when the intruder completed all the communication with CU., set to true when the intruder moves into the transmission range of CU.

After defining these variables above, protocol property can be described as follows:: <>.

If formula results in True, it denotes that the intruder moves into the legitimate range of CU and has been authenticated with CU.

We have performed this verification in model checking tool PAT using two legitimate processes, adversary process and LTL formulae as input. The results of are true. The process of authentication is in Figure 7.

As we assumed before, the initial location of intruder is (0, 6) which is out-range of CU’s legitimate range. However, the intruder moved to location (0, 4) which is in-range of CU. Then, the intruder is authenticated with CU by faking itself as a legitimate device. Therefore, the authentication protocol based on dual antennas for WBAN cannot support the authentication when the intruder moves off.

6. Conclusions

In this paper, we have proposed an abstract modeling language based on CSP# to support node moving-free behavior modeling especially for wireless sensor networks, where both abstract data structure and attack model beyond Dolev-Yao are designed and developed in PAT. Using the proposed modeling method specifically for WSNs and WBAN, the automatic verification for different kinds of location-based security protocols can be quickly implemented. At first, a bug for a compromise-tolerant and location-based cryptographic protocol on WSNs is found by employing our modeling and verification framework. Then, the latest and noncryptographic location-based authentication security scheme on WBAN is also modeled and analyzed as a successful demonstration to show the suitability and effectiveness of our proposed methodology. To the best of our knowledge, it is the first effort work on formally modeling and verifying WBAN security protocols using CSP.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.


This work is supported by National Science Foundation of China with Grant no. 61103044.