Security Evaluation

The advantage of the proposed protocol is that it embodies the security improvements of LEAP [29], the time-based key management scheme [1], and the ZigBee security services. The goal of this section is to evaluate the security of our proposal and compare it with the referenced papers. We discuss the defences against node capture attacks and the degree of resilience of the different schemes.

4.6.1 Advantages over LEAP and the Time-based Scheme

We assume that when a node is compromised, the key material stored in the node will be extracted by the adversary and then used to attack the rest of the network. In [1], the resilience of a scheme is described as the additional portion of the network that an adversary can compromise using the key material obtained from $x$ compromised nodes. We use the same definition in this section. The security of the LEAP scheme depends on the security of the initial key $IK$: the whole network can be compromised once the initial key $IK$ is disclosed. The time-based key management scheme [1] localizes the damage resulting from the disclosure of an initial key. The lifetime of the network is divided into $P$ generations and each generation has its own initial key. A compromised initial key $IK_a$ at generation $T_a$ affects only the nodes deployed at generation $T_a$ rather than the whole network. In order to provide connectivity between nodes deployed at different generations, the preloaded master key for different generations is the same. However, as we mentioned in Section 4.2, the pairwise key does not belong exclusively to the two end nodes. If three nodes are preloaded with the same master key, the pairwise keys between any two of them are known by the other one. Once a node is captured, the pairwise keys shared by the other two nodes are compromised as well. This property makes the scheme vulnerable to attacks against forward and backward secrecy.

In our scheme, either pairwise key, $K^{j}_{uv}$ or $K^{gh}_{uv}$, belongs exclusively to the two end nodes. For example, the pairwise key $K^{j}_{uv}$ shared by nodes $u$ and $v$, which are both deployed at generation $j$, is shared only by them, and the pairwise key $K^{gh}_{uv}$ shared by node $u$ deployed at generation $g$ and node $v$ deployed at generation $h$ is confined to the two end nodes deployed at these two generations. We take $K^{gh}_{uv}$ as an example. Nodes deployed at generations other than $g$ and $h$ have no access to this key. This is because the masked initial key $K_{gh}$ is preloaded to the nodes deployed at generation $g$ and can be calculated by other nodes if and only if they are deployed at generation $h$ and have the initial key $IK_h$ in their key ring. As a result, a sensor node $w$ deployed at any other generation $l$ (with $l \neq g$ and $l \neq h$) cannot calculate the masked initial key $K_{gh}$. Three cases exist according to the value of $l$:

$l < h$. The node $w$ needs $IK_h$ to calculate $K_{gh}$. Even though the node $w$ has the masked initial key $K_{lh} = H(IK_h \,\|\, l)$, it cannot derive $IK_h$ from $K_{lh}$ due to the one-way property of the secure hash function $H$.

$h < l \le g + G_w - 1$. The node $u$ is preloaded with the masked initial key $K_{gl} = H(IK_l \,\|\, g)$ and the node $v$ is preloaded with the masked initial key $K_{hl} = H(IK_l \,\|\, l)$. Even though the node $w$ can calculate $K_{gl}$ and $K_{hl}$, it cannot derive $IK_h$ or $K_{gh}$ due to the one-way property of the secure hash function $H$.

$l > g + G_w - 1$. The node $u$ has powered off at the generation $l$.

It is clear that the masked initial key $K_{gh}$ is known only by the nodes deployed at generations $g$ and $h$. No node deployed at any other generation can calculate the key that is unique to the generations $g$ and $h$. Hence, an attacker has to spend extra effort if s/he wants to acquire the pairwise key between the nodes $u$ and $v$ that are deployed at the generations $g$ and $h$, respectively. This is an advantage over LEAP and the time-based key management scheme [1]: it restricts the information that an attacker acquires by capturing a node.
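The case analysis above can be checked mechanically. The following sketch is an added example, not code from the thesis: it builds the key ring of a captured node and tests whether the masked initial key $K_{gh}$ is among the values that ring can yield. SHA-256 standing in for $H$, the values of `P` and `GW` (for $G_w$), the 2-byte generation encoding and the key-ring layout (own initial key plus masked keys for later generations inside the lifetime window) are assumptions made for illustration.

```python
import hashlib
import os

P = 8    # number of generations (constructed value)
GW = 4   # G_w: generations a node stays powered on (constructed value)

def H(ik: bytes, gen: int) -> bytes:
    """Masked initial key H(IK || gen); SHA-256 stands in for H (assumption)."""
    return hashlib.sha256(ik + gen.to_bytes(2, "big")).digest()

# One random initial key per generation, held in full only by the deployer.
IK = {j: os.urandom(16) for j in range(1, P + 1)}

def key_ring(d: int) -> dict:
    """Material preloaded into a node deployed at generation d (assumed layout)."""
    ring = {"IK": {d: IK[d]}, "masked": {}}
    for l in range(d + 1, min(d + GW - 1, P) + 1):
        ring["masked"][(d, l)] = H(IK[l], d)        # K_dl = H(IK_l || d)
    return ring

def derivable(ring: dict) -> set:
    """Every masked-key value an adversary holding this ring can produce."""
    values = set(ring["masked"].values())           # preloaded masked keys
    for ik in ring["IK"].values():
        # With IK_d the holder can compute K_ad = H(IK_d || a) for any a.
        values |= {H(ik, a) for a in range(1, P + 1)}
    return values

def exposes(captured_gen: int, g: int, h: int) -> bool:
    """Does capturing a node deployed at captured_gen reveal K_gh (g < h)?"""
    return H(IK[h], g) in derivable(key_ring(captured_gen))

def exposed_pairs(captured_gen: int) -> list:
    """All (g, h) inside the lifetime window whose K_gh the capture reveals."""
    return [(g, h) for g in range(1, P + 1)
            for h in range(g + 1, min(g + GW - 1, P) + 1)
            if exposes(captured_gen, g, h)]

if __name__ == "__main__":
    g, h = 3, 5
    for l in range(1, P + 1):
        print(f"capture at generation {l}: K_{g},{h} exposed = {exposes(l, g, h)}")
    print("pairs exposed by a generation-4 capture:", exposed_pairs(4))
```

With $g = 3$ and $h = 5$, only captures at generations 3 and 5 expose $K_{35}$; generation 4 falls under the first case, generation 6 under the second and generation 7 under the third.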

4.6.2 Advantages over ZigBee Specification

In the proposed solution for the multi-phase ZigBee architecture, each node $u$ that is about to be powered off broadcasts a revocation message to its neighbors and erases all the keys it has, including the Network key, the TCL key, and the Link keys shared with its neighboring nodes. Neighboring nodes that share a Link key with $u$ erase that Link key. In this case, Network rekeying is unnecessary because the leaving node has actively erased all the keys it has.

In the case where node compromise is detected, the Network key must be refreshed and the node revocation announcement is authenticated to prevent possible attacks. Our solution follows the recursive rekeying method of LEAP.

In the case of node addition, the Network key must also be refreshed in order to maintain backward secrecy. The key refreshment in this case is as easy as periodic rekeying. In the proposed solution, nodes are periodically added to the network in batches. In practical applications, nodes perform normal operations such as sensing and monitoring the environment during a normal phase. At the beginning of each new generation, a batch of new nodes is deployed to the network. There is a correspondence between generations and periods of node addition. In the time-based model, the beginning of a new generation coincides with node addition, so the number of generations approximately equals the number of periods of node addition [1]. Usually, the main purpose of node addition is to complement the network and keep it connected, so the frequency of node addition is not necessarily high. In addition, in our model, the size of the initial key pool is the same as the number of generations. Therefore, the size of the key pool in our model is small.

4.7 Performance Evaluation