Recent Advances in Security and Privacy for Wireless Sensor Networks 2016
An Improved μTESLA Protocol Based on Queuing Theory and Benaloh-Leichter SSS in WSNs
Broadcast authentication is a fundamental security technology in wireless sensor networks (WSNs). μTESLA, the authentication protocol most widely used in WSNs, publishes its keys at a fixed time interval, which may perform poorly when network traffic is unstable: frequent communication delays the authentication of some broadcast packets, while infrequent communication increases the overhead of key computation. To solve these problems, this paper improves the traditional μTESLA by determining the publication of the broadcast key from the network data flow rather than from a fixed time interval. Meanwhile, to address the finite length of a hash chain and the problem of its exhaustion, a self-renewal hash chain based on the Benaloh-Leichter secret sharing scheme (SRHC-BL SSS) is designed, which can prolong the lifetime of the network. Moreover, by introducing a queuing theory model, we demonstrate through simulation that our scheme has much lower key consumption than μTESLA. Finally, we analyze and prove the security and efficiency of the proposed self-renewal hash chain in comparison with other typical schemes.
We can imagine thousands of sensors deployed in future spaces, but how can we ensure the security of these sensors? Aside from confidential communication, authentication is one of the essential services in the security protocols of a wireless sensor network (WSN) system. If the authentication system is defective or ineffective, attackers may threaten the whole network with attacks such as the wormhole attack, the man-in-the-middle attack, and the multiple identities attack. Data leakage may occur even in a military area, with serious consequences. Therefore, the study of authentication systems, especially broadcast authentication protocols for large-scale WSNs, remains challenging. However, constrained by the finite resources of WSNs, many previous protocols cannot be applied directly to broadcast authentication in WSNs. For example, most protocols rely on an asymmetric mechanism such as public key cryptography, but this mechanism has heavy communication, computation, and storage overhead, which is impractical for WSNs.
Therefore, designing a protocol that guarantees data integrity, confidentiality, and authentication for broadcasts has been a popular research topic in WSNs. One straightforward solution is to let the base station and all other nodes share a common broadcast authentication key, but the key is disclosed as soon as one node is compromised. Another solution is to use a one-time key for each packet so that leaking the current key does not affect the following packets, but the cost of updating keys so frequently is unacceptable for WSNs. Perrig et al. proposed the classic broadcast authentication protocol μTESLA, a great improvement over the original TESLA protocol [3, 4]. The contribution of μTESLA is to implement broadcast authentication with a symmetric key mechanism instead of an asymmetric one; it overcomes the problems of traditional protocols by delaying the publication of the one-way hash function key. This protocol decreases the computational complexity of broadcast authentication and improves authentication efficiency as well. In the following paragraphs, we give a brief overview of μTESLA.
The main idea of μTESLA is to first broadcast a packet authenticated by the key and to publish the key only afterwards, so that there is no way to forge broadcast packets before the key is published. In addition, the protocol achieves secret sharing through the key generation algorithm shared by the entire network. The one-way hash function and the key chain mechanism ensure the safety of keys and tolerance of packet loss. Figure 1 illustrates the broadcast authentication process of μTESLA.
The μTESLA protocol consists of three phases: securely initializing the configuration of the base station, bootstrapping new receivers, and authenticating the broadcast packets. In the first phase, the base station generates a key pool with a one-way hash function and determines the synchronization time interval and the key-delayed-disclosure time interval. The synchronization time interval is the lifetime of a broadcast key, meaning that the broadcast packets sent from the base station use the same key within one synchronization period. The value of the integer should make longer than the packet transmission time between the base station and the farthest node, so that all nodes are guaranteed to have received a broadcast packet before the corresponding key is disclosed.
When a new node joins the network, μTESLA distributes the key synchronization parameters and the related initial keys to the new node based on the SNEP protocol. For example, Figure 1 shows the process of a node requesting to join the broadcast network during the time interval. Consider
where is a nonce generated by to achieve strong freshness authentication; is a request data packet; is an authentication key between and ; is the current time; is an initial key; is the starting time of the current synchronization interval; is the synchronization interval; and is the disclosure delay. The key will be published after .
After receiving a broadcast packet from the base station, the receiver will judge the validity of authentication key based on the synchronization time. The node will further verify the key’s validity by running the hash calculation on it. Finally, the node will use the key to authenticate the packets that have been stored in the buffer during the time interval.
In the μTESLA protocol, the publication of a key depends on a specific time interval, which is fixed after initialization. However, the network traffic is not stable across time intervals, and we divide this unstable traffic into two cases:
(i) The base station broadcasts packets to the sensor nodes frequently. In this case, the number of broadcast packets in one time interval increases dramatically. If the key is still disclosed according to the original time interval, the excess packets cannot be authenticated in time and the storage space of the sensor nodes will inevitably be exhausted.
(ii) The base station broadcasts only a few packets over a long time. In this case, there may be few packets during the fixed time interval. Consequently, the release of keys increases the communication and computation overhead, which degrades the efficiency of the key chain.
To decrease unnecessary consumption and to ensure security in the broadcast authentication process, in this paper we replace the fixed time interval with the network traffic as the trigger for publishing the broadcast key. In other words, the base station does not publish the authentication key until it has broadcast a certain number of packets. Our experiments show that several drawbacks of μTESLA are removed by this mechanism.
Owing to their one-way and lightweight characteristics, hash chains have been widely applied in scenarios such as one-time password systems, video stream security [6, 7], micropayment protocols, key distribution schemes, and broadcast authentication. However, there is a trade-off between the length and the efficiency of a hash chain. Exhaustion of the current hash chain inevitably requires producing a new hash chain initialized with public key cryptography, and this reinitialization brings extra network overhead.
Aimed at overcoming the inadequacies of the above schemes, another concern of this paper is to design a novel self-renewal one-way hash chain scheme based on Benaloh-Leichter SSS (SRHC-BL). This scheme can effectively prolong the lifetime of network and increase the tolerance of key loss. Comparing with the typical self-renewal hash chain schemes, our approach has the benefit of higher security and less consumption of communication, computation, and storage.
Therefore, the main contributions of this paper can be summarized as follows:
(1) A novel key distribution method based on data flow instead of a fixed time interval is proposed in order to keep the network stable in any situation. In addition, some special cases are discussed as a supplement.
(2) A self-renewal one-way hash chain scheme based on Benaloh-Leichter SSS is adapted both to extend the lifetime of the network and to ensure tolerance of key loss.
(3) Simulation experiments and theoretical analysis based on a queuing model are conducted to compare the storage cost and computational complexity of our schemes with the traditional μTESLA protocol. The results show that our design achieves better performance.
2. Preliminary Knowledge
2.1. Basic Concepts of Queue Theory
Queuing theory, also known as random service system theory, is the theoretical basis for queuing problems. It is an interdisciplinary theory drawing on probability, statistics, and operational research. A queuing phenomenon is composed of two aspects: demanding service and providing service. Four common queuing models are the M/D/1/∞, M/M/1/∞, M/G/1/∞, and G/G/1/∞ models.
A queuing system has the following six features, which can be applied to broadcast authentication in WSNs:
(i) Input process, which characterizes the law by which data packets arrive at the random service system.
(ii) Service time, namely, the time for the base station to authenticate the data packets.
(iii) Waiter, namely, the base station.
(iv) Size of the line, determined by the number of customers waiting to be served, which characterizes the number of valid data packets to be processed by the base station.
(v) Customer source, which corresponds to the data packets.
(vi) Queue rule, determined by the details of the queuing model.
2.2. Basic Concepts of Self-Renewal Hash Chain
In this section, we introduce some basic concepts of SSS and the definition of the Benaloh-Leichter SSS.
2.2.1. Concept of SSS
First, we formally define the necessary monotone access structure.
Definition 1. Given a set , a monotone access structure on is a family of subsets such that
Let be an integer, , let the set of participants be , and let an access structure defined on be comprised of a collection of subsets of . is a monotone access structure whenever and .
Similarly, -SSS is a method of generating (, ()) such that
(1) for any , finding the element , given the set , is easy;
(2) for any , finding the element , given the set , is difficult.
The set is the authorized access structure or simply the access structure, is the secret, and are the shares (or the shadows) of . The elements of the set are the authorized access sets of the scheme.
2.2.2. Benaloh-Leichter SSS
Definition 2. Let be a set. The set of variables indexed by is the set .
Definition 3. Given a monotone function on variables indexed by a set , the access structure defined by is the set of subsets of of for which is true precisely when the variables indexed by are set to be true.
It is clear that, for every monotone function , the access structure defined by is a monotone access structure.
Definition 4. For a given set and a monotone access structure denoted by on , define to be the set of monotone function on variables such that, for every formula , the output of is true if and only if the true variables in correspond exactly to a set .
Note that implies and denote the same function. They may, however, use entirely different expressions to express this function.
The formula can be expressed using only operator and operator, and it is sufficient to indicate how to “split” the secret with these operators.
Definition 5. One can recursively define the share of a secret with respect to a formula as follows:
where, based on Definitions 1, 2, and 3, selecting the specific integers and , for the case , one can use a -threshold secret sharing scheme for deriving some shares corresponding to the secret , and then every distinct share is assigned to each . Thus one has , for all , where is an arbitrary formula in the set .
2.2.3. Definition of Hash Chain
Definition 6. The secure hash function is a publicly known function , it takes as an input, and the output is a bit string of length . In , is generated randomly from a pseudo-random string generator. One-way hash chain can be visually expressed as follows:
3. Our Scheme
3.1. The Key Distribution Algorithm Based on Data Flow
Compared with the traditional μTESLA protocol which releases keys based on the fixed time interval, our approach releases keys according to the data flow based on the queue theory and the renewable hash chain.
(i) The μTESLA protocol is as follows:
(1) the packet transmission time between the base station and the farthest node is ;
(2) the base station releases the key every by a fixed time interval;
(3) the delay time of key publication is , and it satisfies the condition that ;
(4) the verification condition is , where is the current time, is the maximum clock difference, is the start time, and is the th interval time.
(ii) The improved broadcast authentication protocol based on queuing theory and the renewable hash chain is as follows:
(1) the maximum speed (or frequency) at which the base station sends packets is ;
(2) the maximum transmission speed (or frequency) in the WSN is ;
(3) the communication radius of the base station is ;
(4) the base station releases the authentication key every packets based on data traffic;
(5) the delay of key publication in terms of data flow is , and it satisfies the condition that ;
(6) the verification condition is , where is the identification number of the packet currently received, is the ID number of the first packet received, and is the th interval of data flow.
3.1.2. The Process of Key Distribution Based on Data Flow
The process of broadcast authentication based on queue theory and renewable hash chain is shown in Figure 2. Comparing with Figure 1, we can see the difference between μTESLA and ours; μTESLA maps the key distribution to the time domain, while ours maps the key distribution to the flow domain.
3.1.3. Several Cases to Discuss
Case 1. If the base station has not broadcast a packet for a long period and the number of packets broadcast has not reached the threshold, the base station will not release the key during this period, which prevents the node from authenticating the buffered packets. In this case, we can set a time threshold ( is the upper bound of the broadcast key lifetime). After time , the base station is required to release the key whether or not the flow condition is satisfied.
Case 2. Packet loss is very common in WSNs. Consider the following case: the base station does not send packets for a long period, so the key for the next round is not released either, but unfortunately a node has lost the current authentication key at this time, which means the node can no longer authenticate the remaining packets in its buffer. For this case, we set an interval for the node to wait, where is the upper bound of the broadcast key lifetime. If the waiting time exceeds , the node can send a request message to the base station for the key of the current round.
Case 3. Synchronization problem: how do we know which packet should be authenticated by which key? We use a counting mechanism to solve this problem. That is, the broadcast packets sent by the base station are counted from 0 to and the authentication keys are also numbered from 0 to , so that the relation between a packet and its key is a simple mapping.
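The following is an added Python example, not code from the paper, that puts Section 3.1 together: the base station tags packets with keys of a one-way chain and publishes a key after the flow delay or, as in Case 1, after a time bound; the receiver applies the flow-domain verification condition, maps packet IDs to keys with the counting mechanism of Case 3, and authenticates its buffered packets once a published key is verified against the chain. The values of N, d and T_MAX, and the choice to skip to the next interval's packet IDs after a time-forced release, are assumptions.

```python
import hashlib
import hmac

PER_KEY = 4    # N: packets authenticated under one key, one flow interval (constructed value)
DELAY = 1      # d: K_i is published once the sender is in flow interval i + d
T_MAX = 30.0   # Case 1: upper bound on a key's lifetime, in seconds

def tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def key_chain(seed: bytes, length: int) -> list:
    """K[length] = seed and K[i] = H(K[i+1]); K[0] is the public commitment."""
    chain = [seed]
    for _ in range(length):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain[::-1]

def key_index(pid: int) -> int:
    """Case 3 counting mechanism: packet IDs 0..N-1 map to K_1, N..2N-1 to K_2, and so on."""
    return pid // PER_KEY + 1

class BaseStation:
    def __init__(self, seed: bytes, chain_len: int):
        self.chain = key_chain(seed, chain_len)
        self.pid = 0          # ID of the next packet, counted from 0
        self.published = 0    # highest key index disclosed so far (K_0 is public anyway)
        self.first_use = {}   # key index -> time its first packet went out

    def broadcast(self, payload: bytes, now: float):
        """Returns the packet (pid, payload, mac) and any key disclosures due now."""
        i = key_index(self.pid)
        self.first_use.setdefault(i, now)
        pkt = (self.pid, payload, tag(self.chain[i], payload))
        self.pid += 1
        return pkt, self.tick(now)

    def tick(self, now: float) -> list:
        """Flow rule: publish K_j once a packet of interval j + DELAY has been sent. Case 1:
        publish anyway after T_MAX, then (assumption) skip to the next interval's packet IDs."""
        out = []
        while self.published + 1 < len(self.chain):
            j = self.published + 1
            current = key_index(self.pid - 1) if self.pid else 0   # sender's own interval
            by_flow = current >= j + DELAY
            by_time = j in self.first_use and now - self.first_use[j] >= T_MAX
            if not (by_flow or by_time):
                break
            if not by_flow:
                self.pid = max(self.pid, j * PER_KEY)
            self.published = j
            out.append((j, self.chain[j]))
        return out

class Receiver:
    def __init__(self, commitment: bytes):
        self.auth_key, self.auth_idx = commitment, 0   # last verified chain element
        self.max_pid, self.buffer, self.authenticated = -1, [], []

    def receive(self, pkt: tuple) -> bool:
        """Security condition: buffer only if K_i cannot be public yet, judged from the highest pid seen."""
        pid, i = pkt[0], key_index(pkt[0])
        self.max_pid = max(self.max_pid, pid)
        if i <= self.auth_idx or key_index(self.max_pid) >= i + DELAY:
            return False
        self.buffer.append(pkt)
        return True

    def disclose(self, j: int, key: bytes) -> int:
        """Verify K_j against the last trusted element, then authenticate the buffered packets it covers."""
        if j <= self.auth_idx:
            return 0
        keys, probe = {j: key}, key
        for m in range(j - 1, self.auth_idx - 1, -1):
            keys[m] = probe = hashlib.sha256(probe).digest()   # K_m = H(K_{m+1}); covers lost disclosures
        if keys[self.auth_idx] != self.auth_key:
            return 0                                   # not an element of the chain: ignore
        covered = [p for p in self.buffer if key_index(p[0]) <= j]
        self.buffer = [p for p in self.buffer if key_index(p[0]) > j]
        passed = [pid for pid, payload, mac in covered
                  if hmac.compare_digest(tag(keys[key_index(pid)], payload), mac)]
        self.authenticated += passed
        self.auth_key, self.auth_idx = key, j
        return len(passed)

def run_demo() -> dict:
    """Constructed scenario: a burst of six packets, a replay under a published key, then silence."""
    bs, log = BaseStation(b"constructed-seed", chain_len=8), {}
    rx = Receiver(bs.chain[0])
    for t in range(6):                                 # one packet per second, t = 0..5
        pkt, disclosed = bs.broadcast(b"reading-%d" % t, now=float(t))
        rx.receive(pkt)
        for j, k in disclosed:
            log[j] = ("flow", float(t), rx.disclose(j, k))
    replay_ok = rx.receive((2, b"forged", tag(bs.chain[1], b"forged")))   # K_1 is public now
    for j, k in bs.tick(now=100.0):                    # Case 1: long silence, time bound fires
        log[j] = ("time", 100.0, rx.disclose(j, k))
    pkt, _ = bs.broadcast(b"after-silence", now=101.0)
    return {"log": log, "replay_ok": replay_ok, "authenticated": rx.authenticated,
            "next_key_index": key_index(pkt[0])}
```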
3.2. A Self-Renewal Hash Chain Based on Benaloh-Leichter SSS
In this section, we propose a novel self-renewed hash chain based on Benaloh-Leichter SSS. This scheme has three phases: the hash chain initial phase, the hash chain usage phase, and the hash chain extension phase. Let and denote communication initiator and the recipient, respectively.
3.2.1. Initial Phase
In the initial phase, and are synchronized in time with a maximum error denoted as ; can reject a message that exceeds the time plus the acceptable transmission delay.
(1) The initiator generates an initial random value as the seed of the first hash chain and then uses the preloaded hash function to compute the hash values of the first hash chain. Consider
(2) Then selects based on Benaloh-Leichter SSS and a new random value to generate the hash values of the next hash chain. Consider
(3) Therefore, according to the Benaloh-Leichter SSS, takes
as the secret , divides it into parts as the set , and then defines the set as the set of formulas on the set . Further, we select an arbitrary formula in the set . In this case, according to we can obtain of the secret . Thus, the shares corresponding to the secret in the access structure are distributed as shadows .
3.2.2. Usage Phase
(1) Before the usage phase, and have confirmed the initial time , and the value and the hash function have been preloaded securely in , as well as the message authentication code . During the usage phase, the hash values are used from (first) to (last), corresponding to the time period .
(2) At time , releases Msg1 and its corresponding message authentication code MAC1 to ; the formats of Msg1 and MAC1 are shown, respectively, as follows:
So at time (), will compute and release
where is the content of the current message and is used to verify .
(3) For the th authentication, after receives and , calculates the difference between the time of receiving the last packet and the time of receiving the current one. If the difference has not exceeded , carries out the following steps:
(a) Compute and verify whether is equal to , where is the valid hash value stored in the last process. If it is equal, saves it.
(b) Compute and verify whether is equal to . If it is, saves and .
On the other hand, if the difference exceeds :
(a) drops and and saves ; then it waits until the next authentication process, assumed to be the th authentication where ;
(b) compute and verify whether is equal to , where is the valid hash value stored in the last process; if it is equal, saves it;
(c) compute and verify whether is equal to ; if all checks are valid, verifies successfully and then stores the shadow .
The hash chain usage phase has a detailed description in μTESLA. If the hash chain is exhausted, the protocol goes into the hash chain extension phase.
3.2.3. Extension Phase
When one hash chain has been exhausted, has stored the shadows . Note that even if the number of shadows that has stored is less than (as long as it is not less than ), we can still recover the final secret . The detailed description is as follows.
(1) Based on the shadows , we can easily deduce corresponding to the secret with the -threshold secret sharing scheme.
(2) With the , we can simply recover the secret . In other words, we have obtained the tail of the next hash chain. Then the new hash chain can be used in the same way, and the same protocol can be run on the next hash chain, which achieves self-renewal.
Therefore, this protocol provides an on-demand hash chain extension without exhaustion, so the hash chain is able to work smoothly and infinitely.
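The three phases of Section 3.2 as an added Python example (not the paper's code): the initiator shares the tail of the next chain as N shadows, releases one chain element per message with one masked shadow riding along, and the recipient verifies each element by hashing (tolerating lost packets), collects shadows, and rebuilds the next tail from any T of them when the chain is exhausted. The threshold step inside the Benaloh-Leichter formula is realised with a (t, n) Shamir-style polynomial over GF(P); the exact masking of the shadow with a hash value, the message layout, and all parameter values are assumptions, since the formulas are not reproduced on this page.

```python
import hashlib
import hmac
import random

P = 2**521 - 1     # Mersenne prime, so any 32-byte digest is a field element
CHAIN_LEN = 6      # elements released per chain (constructed)
T, N = 3, 5        # (t, n) threshold used inside the Benaloh-Leichter formula (constructed)

def make_chain(seed: bytes, length: int) -> list:
    """c[0] is the tail (commitment), c[k] = H(c[k+1]), c[length] = seed."""
    c = [seed]
    for _ in range(length):
        c.append(hashlib.sha256(c[-1]).digest())
    return c[::-1]

def split_secret(secret: int, rng=None) -> list:
    """Shares (x, f(x)) of a random degree T-1 polynomial over GF(P) with f(0) = secret."""
    rng = rng or random.SystemRandom()                # CSPRNG unless a seeded demo rng is given
    coeffs = [secret] + [rng.randrange(P) for _ in range(T - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P) for x in range(1, N + 1)]

def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0 from any T distinct shares."""
    s = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s

def mask(h: bytes, k: int) -> bytes:
    """Keystream XORed with a shadow, binding it to the chain element it travels with (assumed)."""
    return hashlib.shake_256(h + k.to_bytes(2, "big")).digest(66)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def auth_tag(h: bytes, k: int, content: bytes, masked) -> bytes:
    return hmac.new(h, bytes([k]) + content + (masked or b""), hashlib.sha256).digest()

class Initiator:
    def __init__(self, rng: random.Random):
        self.rng, self.k = rng, 0
        self.chain = make_chain(rng.getrandbits(256).to_bytes(32, "big"), CHAIN_LEN)
        self.prepare_next()

    def prepare_next(self):
        """Initial/extension phase: build the next chain and share its tail as N shadows."""
        self.next_chain = make_chain(self.rng.getrandbits(256).to_bytes(32, "big"), CHAIN_LEN)
        self.shadows = split_secret(int.from_bytes(self.next_chain[0], "big"), self.rng)

    def send(self, content: bytes) -> tuple:
        """k-th release: (k, h_k, masked shadow or None, content, MAC under h_k)."""
        if self.k == CHAIN_LEN:                       # exhausted: switch to the prepared chain
            self.chain, self.k = self.next_chain, 0
            self.prepare_next()
        self.k += 1
        h, masked = self.chain[self.k], None
        if self.k <= N:                               # the first N releases each carry a shadow
            masked = xor(self.shadows[self.k - 1][1].to_bytes(66, "big"), mask(h, self.k))
        return (self.k, h, masked, content, auth_tag(h, self.k, content, masked))

class Recipient:
    def __init__(self, commitment: bytes):
        self.last, self.k, self.shadows = commitment, 0, {}

    def receive(self, msg: tuple) -> bool:
        k, h, masked, content, tag = msg
        if k <= self.k:
            return False                              # replayed or stale release
        probe = h
        for _ in range(k - self.k):                   # H^(k - last k)(h) tolerates lost packets
            probe = hashlib.sha256(probe).digest()
        if probe != self.last or not hmac.compare_digest(auth_tag(h, k, content, masked), tag):
            return False
        if masked is not None:
            self.shadows[k] = int.from_bytes(xor(masked, mask(h, k)), "big")
        self.last, self.k = h, k
        if k == CHAIN_LEN:                            # extension phase: rebuild the next tail
            self.last, self.k = self.recover_next_tail(), 0
        return True

    def recover_next_tail(self) -> bytes:
        if len(self.shadows) < T:
            raise RuntimeError("fewer than T shadows received; chain cannot be extended")
        shares, self.shadows = sorted(self.shadows.items())[:T], {}
        return recover_secret(shares).to_bytes(32, "big")

def run_demo() -> dict:
    """Constructed run: one full chain with packet 3 lost, a tampered packet, then the new chain."""
    a = Initiator(random.Random(2016))                # seeded only so the demo is repeatable
    b = Recipient(a.chain[0])
    releases = [a.send(b"msg-%d" % i) for i in range(CHAIN_LEN)]
    accepted = [b.receive(m) for i, m in enumerate(releases) if i != 2]
    rollover = a.send(b"first of the new chain")
    tampered = rollover[:3] + (b"tampered",) + rollover[4:]
    return {"accepted": accepted, "tampered_ok": b.receive(tampered), "new_chain_ok": b.receive(rollover)}
```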
4. Performance Analysis
4.1. The Key Distribution Algorithm Based on Data Flow
(1) Our algorithm releases the keys based on the data flow instead of the original timeline and takes full account of the uneven distribution of arrival of the packets in the network.
(2) Valid packet simulation in the μTESLA protocol: many simulation techniques [11, 12] have been introduced to wireless sensor networks to help researchers understand network behavior that is hard to capture in situ. In this paper, we use Matlab to simulate the four queuing models M/D/1/∞, M/M/1/∞, M/G/1/∞, and GI/G/1/∞. We take the base station as the waiter and the broadcast packets as the customer source, so the service time follows the distribution of packets to be processed and broadcast by the base station, and the customer source follows the arrival distribution of packets. Considering practical situations, we give an example of packets arriving intensively. The arrivals of M/D/1/∞, M/M/1/∞, and M/G/1/∞ follow a Poisson distribution with a randomly selected parameter , while GI/G/1/∞ follows a general random distribution. We set the fixed time interval to 60 s and the number of valid packets in to 20, and the simulation time was half an hour. Packets beyond 20 are considered invalid, for two reasons. First, overly late authentication causes large storage overhead from the packets accumulated in the node buffer. Second, the message becomes more vulnerable to chosen plaintext attacks. It can also be shown that the conclusions of the simulation do not change when the values of parameters such as and are altered.
(3) Simulation comparison of key packets consumed: we use Matlab to simulate the four queuing models M/D/1/∞, M/M/1/∞, M/G/1/∞, and GI/G/1/∞, this time with packets arriving sparsely. (a) The arrivals of M/D/1/∞ follow a Poisson distribution with parameter and the service time follows a uniform distribution with a fixed value s. (b) The arrivals of M/M/1/∞ follow a Poisson distribution with parameter and the service time follows a Poisson distribution with parameter . (c) The arrivals of M/G/1/∞ follow a Poisson distribution with parameter and the service time follows a general random distribution. (d) The arrivals and the service time of GI/G/1/∞ both follow a general random distribution. We set a fixed time interval s and the data flow interval ; the simulation time was ten hours.
(i) For the intensive packet arrival rate, based on the fixed time interval, the simulation results of valid packets, dropped packets, and total packets for the 4 queuing models M/D/1/∞, M/M/1/∞, M/G/1/∞, and GI/G/1/∞ are shown in Figures 3–6, respectively.
(ii) For the sparse packet arrival rate, we compare μTESLA (based on the fixed interval) with our protocol (based on the data flow). The simulation results of key consumption for the 4 queuing models M/D/1/∞, M/M/1/∞, M/G/1/∞, and GI/G/1/∞ are shown in Figures 7–10, respectively.
From Figures 3–6, we notice that an intensive rate of broadcast packets causes packets to be cached in the nodes without timely authentication, which eventually results in packet loss. Also, the probability of a chosen plaintext attack becomes large if the number of packets exceeds the threshold .
Furthermore, from Figures 7–10, the key consumption of our proposal is much lower than that of μTESLA. Consequently, the life cycle of the key chain would be prolonged, and the network overhead would be reduced.
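An added Python re-creation, in spirit, of the simulation described in Section 4.1 (the paper used Matlab; this is not its code): one sample of Poisson packet arrivals is fed both to a fixed-interval release and to the flow-based release with a Case 1 time bound, and the run counts keys consumed and packets beyond the validity threshold. Only the arrival side of the M/·/1 models is simulated, the service-time distribution is omitted, and the arrival rates, the 600 s bound and the random seed are assumptions (the 60 s interval and threshold of 20 follow the paper).

```python
import math
import random

def poisson_arrivals(rate: float, horizon: float, rng: random.Random) -> list:
    """Packet arrival times of a Poisson process (exponential inter-arrival times) up to horizon."""
    times, t = [], rng.expovariate(rate)
    while t <= horizon:
        times.append(t)
        t += rng.expovariate(rate)
    return times

def fixed_interval_policy(arrivals: list, horizon: float, interval: float, threshold: int) -> dict:
    """μTESLA-style release: one key per fixed interval whether or not packets arrived; packets
    beyond `threshold` under one key are counted as invalid (late authentication, buffer growth)."""
    n_keys = math.ceil(horizon / interval)
    per_key = [0] * n_keys
    for t in arrivals:
        per_key[min(int(t // interval), n_keys - 1)] += 1
    return {"keys": n_keys, "invalid": sum(max(0, c - threshold) for c in per_key),
            "max_per_key": max(per_key)}

def data_flow_policy(arrivals: list, per_key: int, t_max: float) -> dict:
    """Proposed release: a key is released after `per_key` packets, or (Case 1) once `t_max`
    seconds have passed since its first packet, so no key ever covers more than `per_key`."""
    keys, count, started, max_count = 0, 0, None, 0
    for t in arrivals:
        if started is not None and t - started > t_max:   # time bound fired before this packet
            keys, count, started = keys + 1, 0, None
        started = t if started is None else started
        count += 1
        max_count = max(max_count, count)
        if count == per_key:                                # flow threshold reached
            keys, count, started = keys + 1, 0, None
    return {"keys": keys + (1 if count else 0), "invalid": 0, "max_per_key": max_count}

def compare(rate: float, horizon: float, seed: int = 7, interval: float = 60.0,
            threshold: int = 20, t_max: float = 600.0) -> dict:
    """Run both policies on the same arrival sample; `threshold` doubles as the flow interval N."""
    arrivals = poisson_arrivals(rate, horizon, random.Random(seed))   # seeded: constructed sample
    return {"packets": len(arrivals),
            "fixed": fixed_interval_policy(arrivals, horizon, interval, threshold),
            "flow": data_flow_policy(arrivals, threshold, t_max)}

if __name__ == "__main__":
    for label, rate, horizon in (("intensive", 1.0, 1800.0), ("sparse", 0.05, 36000.0)):
        print(label, compare(rate, horizon))
```

Under the intensive rate the fixed policy accumulates packets beyond the threshold while the flow policy never does; under the sparse rate the flow policy consumes far fewer keys, which is the effect Figures 3–10 report.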
(4) The computational complexity of the proposed algorithm is low. From Figures 1 and 2, we can see that there is no fallback process in either the μTESLA protocol or our algorithm. Although different network environments lead to different computation costs, both the proposed algorithm and μTESLA keep , where is the number of hash calculations during the authentication processes. However, in multilevel μTESLA, repeated hash operations are conducted to guarantee the lifetime of keys at the expense of a large amount of calculation. For instance, let denote the number of high-level calculations and the number of low-level calculations in a 2-level μTESLA process, which leads to calculations. When , the complexity reaches ; the order of magnitude increases sharply and results in high computational complexity as grows. The trend can be seen in Figure 11.
4.2. A Self-Renewal Hash Chain Based on Benaloh-Leichter SSS
In this section, we will present the security and performance analysis of the proposed hash chain in Section 3.
The security of this scheme is based on one-way function and Benaloh-Leichter SSS. The purpose of XOR with hash value is to maintain the integrity and confidentiality of shadows. And the purpose of delaying key publication is to achieve nonrepudiation.
Meanwhile, Benaloh-Leichter SSS can efficiently generate a much richer family of access structures than the current schemes, and it is convenient to view an access structure as a function. Any monotone Boolean function over variables can be computed by a monotone formula. Thus, every access structure can be realized by the scheme of Benaloh-Leichter SSS. On the other hand, for every set that does not belong to the access structure, the elements in the set do not have any information on ; hence they will not reveal any information about secret .
The tolerance of packet loss or faults in the authentication phase is also embodied in our proposal: in Benaloh-Leichter SSS, even if some were dropped or lost, the secret can still be verified from the other valid as long as the number of shadows is not less than .
Moreover, the dual authentication in our scheme strengthens security and integrity. The first authentication checks whether and are received within a valid interval; they are not stored unless both verify correctly. The second authentication judges whether is valid according to
which was stored in the first authentication, and whether is valid by the exclusive-OR function. The shadow is accepted only if the packet passes the dual authentication.
Finally, our self-renewal hash chain has satisfactory confidentiality. The shadow does travel in the packet as plaintext, and an attacker can obtain key shadow information by snooping the packet. However, the attacker is unlikely to recover the secret unless he or she can collect more than pieces of the shadow, which clearly raises the difficulty. And even if the attacker finally recovers the secret , he or she is still unable to produce fake broadcast packets and play the role of the base station. The reason is that the secret , namely , is the tail of the next hash chain, which can only be used to authenticate the subsequent keys. Owing to the one-way property of the hash function, the attacker cannot generate , so he or she is unable to fake a packet to deceive other sensor nodes. If the attacker tries, these nodes can easily check the validity of packets with .
In this part, we analyze the performance of our proposal. First, we define the parameters used below:
: the output of the hash function, an -bit string;
: the length of the hash chain;
: the number of secret shadows in SRHC-BL;
: the computation cost of the hash function;
: the computation cost of the union operation;
, , : the computation costs of generating a random number in RHC, ERHC, and SUHC (or SRHC), respectively;
, : the computation costs of obtaining one bit from a random number by the hard core predicate in SUHC and SRHC, respectively;
, , : the computation costs of obtaining , computing the shadows , and picking secret shadows from in SRHC-BL, successively;
: the computation cost of XOR;
: the communication or memory cost of ;
: the communication or memory cost of the seed of the hash chain;
: the communication or memory cost of the generated random number;
: the communication or memory cost of the shadows in SRHC-BL;
: the communication or memory cost of the secret shadows in SRHC-BL.
Then, we compare the computation, communication, and storage costs of our scheme SRHC-BL with the existing schemes RHC, ERHC, SUHC, and SRHC. The comparison results are as follows.
RHC: Computation: Communication: Storage:
SUHC: Computation: Communication: Storage:
ERHC: Computation: Communication: Storage:
SRHC: Computation: Communication: Storage:
SRHC-BL: Computation: Communication: Storage:
For simplicity, we assumed that , , , , , and , so that it is easy to know the performance of our SRHC-BL relative to RHC, ERHC, SUHC, and SRHC. Through comparison, we can draw the following conclusion: the consumption of SRHC-BL in the initialization phase is much less than other schemes, while, in the phase of key distribution and authentication, SRHC-BL’s consumptions of communication and storage are a little more than SRHC’s but much less than RHC’s, ERHC’s, and SUHC’s.
5. Related Work
5.1. Improved μTESLA Protocol
Many hybrid broadcast authentication protocols have been proposed. Reference proposed a broadcast authentication protocol with Bloom filter compression, mainly to reduce the error rate of data broadcasting. Reference introduced a multiuser broadcast authentication protocol to meet the requirements of multiple users synchronously. A lightweight secure authentication protocol was proposed in , which mainly focuses on storage performance optimization. Reference is a μTESLA-like scheme based on symmetric keys, but its signature takes a large storage cost. A secure protocol named GPLD (Global Partition, Local Diffusion) was proposed in ; this scheme, based on a symmetric encryption system and geographical location information, allows different multicast groups to exist in a wireless sensor network, and nodes can also act as broadcast sources and relays. On the basis of [18, 19], a user-based broadcast authentication scheme was proposed which achieves promising security, scalability, and performance. Reference proposes an enhanced broadcast authentication protocol based on multilevel μTESLA, whose overhead, however, has not achieved satisfactory efficiency. Reference put forward a broadcast authentication scheme with a Merkle tree; although it can effectively resist DoS attacks, the authentication delay seems inappropriate for most applications. Taking tolerance of data loss into account, presents a link-layer packet recovery algorithm which improves reliability and minimizes latency.
So we can see that μTESLA protocol and its improved protocols are the mainstream of broadcast authentication protocol research in wireless sensor networks.
5.2. Reinitializable Hash Chain
Hash functions have the characteristics of one-wayness and high computational efficiency. Therefore, the hash chain mechanism has been widely used in many cryptographic applications and services. However, the length of a hash chain is limited, which makes it difficult to meet the requirement of sustainability. Extending the length of the hash chain is difficult because a secure channel established through other cryptographic mechanisms is needed, which requires a large overhead.
To solve this contradiction, researchers have proposed several hash chain schemes. Goyal introduced the reinitializable hash chain (RHC) scheme, in which a brand-new RHC is regenerated safely and undeniably when the old RHC is exhausted. On the basis of RHC, put forward the elegant reinitializable hash chain (ERHC) scheme, which uses the one-way hash function instead of a public key mechanism to regenerate the hash chain safely and infinitely. However, because part of is published to authenticate the next seed of the hash chain, it is likely to be susceptible to the chosen plaintext attack. Reference proposed the self-updating hash chain (SUHC) scheme based on the hard core predicate algorithm. In SUHC, the sender distributes one bit of the second chain's seed with every key value of the first chain, so that when the first chain is exhausted the receiver has received all bits of the second chain's seed. On the basis of [23, 24], the self-renewal hash chain (SRHC) scheme was proposed. The main difference between the above two schemes is the method of generating the random numbers. The secure distribution of the seed in SUHC and SRHC relies on the secure distribution of random numbers, where denotes the length of the chain. Furthermore, these two schemes require all the received random numbers to satisfy integrity and inevitability, and only then can the seed of a new chain be reconstructed. However, both of them give up the original fault tolerance of the hash chain. Based on SUHC, put forward a novel self-updating hash chain (NSUHC) scheme; afterwards, following NSUHC, proposed a new self-updating hash chain based on erasure coding (SUHC-EC). In the former scheme, the seed of a new hash chain is transformed from -dimensional to -dimensional (), and in the latter from one-dimensional to -dimensional. Therefore, both schemes select one of the random values to release without repetition.
The new seed can be resumed after times. These two schemes seem to realize the renewable hash chain, but actually there is no difference from the conventional hash chain. Reference  proposed a new self-updating hash chain based on fair exchange idea (SRHC-FEI); this scheme uses one-time signature key to encrypt the first bit of the seed of a new hash chain in transmission when releasing the new hash value each time. It can enhance the security and fairness, but it inevitably increases the system time delay. After analysis, we can see that this scheme is also an enhanced scheme more than a strict hash chain renewable construction scheme.
From the analysis of the above typical schemes we can see that they all transform every bit of the new chain’s seed into a random number and make the security of the new seed dependent on the security of distributed random numbers. Besides, they can successfully regenerate the new seed only when they receive all the random numbers correctly. As a result, they all weaken the security and increase the consumptions for reinitialization. On the other hand, NSUHC and SUHC-EC only expand the dimension of the seed of a new hash chain, but compared with RHC and ERHC and so forth, they increase the chance of encountering the man-in-the-middle attack. Above all, from a perspective of application of a hash chain, only RHC, ERHC, SUHC, and SRHC belong to the renewable construction scheme of hash chain.
This paper proposes a novel secret key release scheme based on the data flow, which addresses some problems of traditional key release schemes based on a fixed time interval: it improves the utilization efficiency of keys, prolongs the life cycle of the hash chain, and reduces the network communication overhead and computational cost.
Moreover, we consider the scenario in which the number of packets authenticated with the same key exceeds the threshold : some packets may then fail to be authenticated in time, resulting in data loss, and the probability of a chosen plaintext attack increases. To address these problems, we introduce the flow threshold mechanism, which prevents such attacks and enhances network security as well.
We then put forward a new renewable hash chain based on Benaloh-Leichter SSS (SRHC-BL), whose renewal process can be executed indefinitely. We have proved theoretically that SRHC-BL has better performance on integrity, confidentiality, and nonrepudiation by adopting delayed disclosure and one-wayness. In addition, our scheme tolerates message loss or faults thanks to the properties of the shadows in Benaloh-Leichter SSS. Furthermore, the dual authentication and the transformed secret shadows give our scheme higher security than other schemes. Finally, the complexity analysis has shown that SRHC-BL consumes less than those typical schemes.
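The two points made above, that SUHC and SRHC lose the fault tolerance of a plain hash chain because every random number must arrive, and that distributing the next seed as secret-sharing shadows restores tolerance to message loss, can be seen side by side in the following simulation. It is an added example, not code from the paper: SHA-256 stands in for the one-way hash, and a Shamir-style (t, n) threshold sharing over a prime field is used as a simplified stand-in for the Benaloh-Leichter scheme the paper specifies; chain lengths, seeds and loss patterns are constructed here for the demonstration.

```python
"""Hash chain disclosure with self-renewal of the seed (added example).

Assumptions: SHA-256 as the one-way hash; Shamir-style (t, n) threshold
sharing as a simplified stand-in for Benaloh-Leichter SSS; all seeds,
chain lengths and loss sets below are constructed for the demonstration.
"""
import hashlib
import secrets
from typing import List, Optional, Tuple

P = 2**521 - 1  # Mersenne prime; any seed of at most 64 bytes is < P


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> List[bytes]:
    """Return [k_0, ..., k_n] with k_n = seed and k_{i-1} = H(k_i).
    k_0 = H^n(seed) is the commitment handed to receivers in advance;
    the sender later discloses k_1, k_2, ... in that order."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


def verify_disclosed(prev_key: bytes, key: bytes, max_gap: int = 1) -> int:
    """Number of hash steps (1..max_gap) linking `key` back to the last
    accepted key, or 0 if `key` is not on the chain. A result above 1 means
    intermediate keys were lost yet this key is still authentic: the
    fault tolerance of a plain hash chain."""
    h = key
    for steps in range(1, max_gap + 1):
        h = H(h)
        if h == prev_key:
            return steps
    return 0


# SUHC-style transport: one bit of the next seed rides with each key.
def suhc_bits(next_seed: bytes) -> List[int]:
    v = int.from_bytes(next_seed, "big")
    return [(v >> i) & 1 for i in range(8 * len(next_seed))]


def suhc_reconstruct(bits: List[Optional[int]], nbytes: int) -> Optional[bytes]:
    if any(b is None for b in bits):
        return None  # a single lost packet makes the new seed unrecoverable
    return sum(b << i for i, b in enumerate(bits)).to_bytes(nbytes, "big")


# Threshold transport: one share (shadow) of the next seed per key.
def split_threshold(secret: bytes, t: int, n: int) -> List[Tuple[int, int]]:
    """Shares (x, f(x)) of a random degree t-1 polynomial with f(0) = secret."""
    s = int.from_bytes(secret, "big")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def reconstruct_threshold(shares: List[Tuple[int, int]], nbytes: int) -> bytes:
    """Lagrange interpolation at x = 0 from any t distinct shares."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s.to_bytes(nbytes, "big")


def simulate_renewal(n: int, lost: set, t: int) -> Tuple[bool, bool]:
    """Disclose n keys; packet i (0-based) carries k_{i+1}, bit i of the next
    seed (SUHC) and share i (threshold). Packets whose index is in `lost`
    never arrive. Returns (suhc_recovered, threshold_recovered)."""
    chain = make_chain(secrets.token_bytes(32), n)
    next_seed = secrets.token_bytes(n // 8)  # SUHC needs exactly n bits
    bits, shares = suhc_bits(next_seed), split_threshold(next_seed, t, n)
    got_bits: List[Optional[int]] = [None] * n
    got_shares: List[Tuple[int, int]] = []
    prev = chain[0]
    for i in range(n):
        if i in lost:
            continue
        # the receiver accepts the payload only if the key authenticates
        if verify_disclosed(prev, chain[i + 1], max_gap=n) == 0:
            continue
        prev = chain[i + 1]
        got_bits[i] = bits[i]
        got_shares.append(shares[i])
    suhc_ok = suhc_reconstruct(got_bits, n // 8) == next_seed
    thr_ok = (len(got_shares) >= t and
              reconstruct_threshold(got_shares[:t], n // 8) == next_seed)
    return suhc_ok, thr_ok
```

Running `simulate_renewal(32, set(), 24)` recovers the next seed under both transports, while losing a single packet (`{5}`) breaks the bit-per-key transport but not the threshold one; losing more than n - t packets defeats both, which is the trade-off the threshold parameter expresses. The gap-tolerant `verify_disclosed` is what keeps the chain itself usable across losses; the renewal transport has to match that tolerance, otherwise the chain survives the loss but its successor does not.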
The authors declare that there are no competing interests regarding the publication of this paper.
This work was supported in part by grants from the National Natural Science Foundation of China (nos. 61373138 and 61272422), the Key Research and Development Program of Jiangsu Province (Social Development Program, no. BE2015702), the Natural Science Foundation of Jiangsu Province (no. BK20151511), Postdoctoral Foundation (nos. 2015M570468 and 2016T90485), the Sixth Talent Peaks Project of Jiangsu Province (no. DZXX-017), the Fund of Jiangsu High Technology Research Key Laboratory for Wireless Sensor Networks (WSNLBZY201516), and Science and Technology Innovation Fund for Postgraduate Education of Jiangsu Province (no. KYLX15_0853).
A. Perrig, R. Canetti, D. Song, and J. D. Tygar, “Efficient and secure source authentication for multicast,” in Proceedings of the Network and Distributed System Security Symposium (NDSS ’01), pp. 35–46, San Diego, Calif, USA, February 2001.
M. H. Eldefrawy, M. K. Khan, and K. Alghathbar, “One-time password system with infinite nested Hash chains,” in Security Technology, Disaster Recovery and Business Continuity, pp. 161–170, Springer, Berlin, Germany, 2010.
X. Li, N. Ruan, F. Wu, J. Li, and M. Li, “Efficient and enhanced broadcast authentication protocols based on multilevel μTESLA,” in Proceedings of the 33rd IEEE International Performance Computing and Communications Conference (IPCCC ’14), pp. 1–8, Austin, Tex, USA, December 2014.
Y.-S. Chen, I.-L. Lin, C.-L. Lei, and Y.-H. Liao, “Broadcast authentication in sensor networks using compressed bloom filters,” in Distributed Computing in Sensor Systems, pp. 9–111, Springer, Berlin, Germany, 2008.
M. Sharifi, S. S. Kashi, and S. P. Ardakani, “LAP: a lightweight authentication protocol for smart dust wireless sensor networks,” in Proceedings of the International Symposium on Collaborative Technologies and Systems (CTS ’09), pp. 258–265, Baltimore, Md, USA, May 2009.
C. Benzaid, S. Medjadba, A. Al-Nemrat, and N. Badache, “Accelerated verification of an ID-based signature scheme for broadcast authentication in wireless sensor networks,” in Proceedings of the IEEE 15th International Conference on Computational Science and Engineering (CSE ’12), pp. 633–639, Nicosia, Cyprus, December 2012.
R. D. Pietro, F. Martinelli, and N. V. Verde, “Broadcast authentication for resource constrained devices: a major pitfall and some solutions,” in Proceedings of the 31st IEEE International Symposium on Reliable Distributed Systems (SRDS ’12), pp. 213–218, Irvine, Calif, USA, October 2012.
Y.-C. Zhao and D.-B. Li, “An elegant construction of re-initializable hash chains,” Journal of Electronics & Information Technology, vol. 28, no. 9, pp. 1717–1720, 2006.
H. Zhang and Y. Zhu, “Self-updating hash chains and their implementations,” in Web Information Systems-WISE 2006, pp. 387–397, Springer, Berlin, Germany, 2006.
X.-Y. Yang, J.-J. Wang, J.-Y. Chen, and X.-Z. Pan, “A self-renewal hash chain scheme based on fair exchange idea (SRHC-FEI),” in Proceedings of the 3rd IEEE International Conference on Computer Science and Information Technology (ICCSIT ’10), pp. 152–156, Chengdu, China, July 2010.