Authentication in Wireless Sensor Networks Using Virtual Certificate Authorities

International Journal of Emerging Technology and Advanced Engineering

81

Authentication in Wireless Sensor Networks Using Virtual

Certificate Authorities

Manjula M. Ramannavar

, Monica M. Jagtap

1

Gogte Institute of Technology, Belgaum 2 _{Dr. Daulatrao Aher College of Engineering, Karad}

Abstract — Authentication using virtual certificate Authorities (AVCA) deals directly with the issue of initial trust by the structured presigning of the certificates that are implanted prior to the deployment, at the time of manufacture. The AVCA architecture has two virtual devices, GVCA and MVCA which are not deployed on the actual network, hence tampering with the device will not affect the issue of initial trust. Also two levels of CAs allow for high degree of interoperability while giving individual manufacturer a high degree of control.

Keywords - AVCA, structured presigning, GVCA, MVCA, CAs.

I. INTRODUCTION

Many researches have been carried out in the field of wireless sensor networks since a long time. The issues that make this research more challenging are the wireless nature of these sensor nodes. Wireless sensor networks are difficult to secure as, the limited memory resources rule out the predistribution of keys or certificates, and manual device configuration in the field is not feasible due to the dynamic and ad-hoc nature of wireless sensor networks.

The issue of securing a wireless sensor network is

further challenging due to the fact that WSN nodes are not

tamper resistant and operate over an unsecure wireless medium. Public key infrastructures (PKI) can help to address this problem. By providing initial trust between network nodes PKI can resolve this problem. Public key encryption methods like Elliptic Curve Cryptography can be implemented on with very limited resources on a sensor network; a complete PKI infrastructure that enables many different devices from different manufacturers to participate in different distributed networks in a secure manner has not been introduced yet.

This paper presents PKI Based architecture,

“Authentication in Wireless Sensor Networks using Virtual Certificate”. This architecture is particularly designed for resource constrained devices on distributed ad-hoc networks, in order to overcome difficulties in securing non tamper-proof devices. AVCA architecture does not store the basis for initial trust on any of the sensor devices and hence the devices do not require significant memory.

The architecture can be integrated into existing protocol stacks including IEEE 802.11, IEEE 802.15.4[1] and ZigBee [2]. The architecture enhances wireless sensor

network

and scalability.

II. PREVIOUS WORK

IEEE 802.15.4 Part 15.4 [1]: This paper defines a standard for a low-rate WPAN (LR-WPAN). The scope of this revision is to produce specific enhancements and corrections to IEEE Std 802.15.4, all of which will be

backward compatible with IEEE Std 802.15.4-2003. These

enhancements and corrections include resolving

ambiguities, reducing unnecessary complexity, increasing flexibility in security key usage, considerations for newly available frequency allocations and others. IEEE Std 802.15.4 defines physical layer (PHY) and media access control (MAC) sub layer specifications for low data rate wireless connectivity with fixed, portable and moving devices with no battery or very limited battery consumption requirements typically operating in the personal operating space (POS) of 10m.

ZigBee Alliance. ZigBee Specification, Dec 2004. [2]: ZigBee is a specification or a suite of high level communication protocols using small, low-power digital radios based on an IEEE 802 standard for personal area networks. ZigBee devices are often used in mesh network form to transmit data over longer distances, passing data through intermediate devices to reach more distance ones. This allows ZigBee networks to be formed ad-hoc, with no centralized control or high-power transmitter/receiver able to reach all of the devices. ZigBee is targeted at applications that require a low data rate, long battery life and secure networking. ZigBee has defined rate of 250kbit/s. The technology defined by the ZigBee specification is intended to be simpler and less expensive than other WPANs, such as Bluetooth.

International Journal of Emerging Technology and Advanced Engineering

82

Technical report NAI Laboratories, 2000 [3]: This paper analyses security challenges in wireless sensor networks and addresses the key issues that should be solved for achieving the ad hoc security. This paper gives an overview of the current state of solutions on key issues as secure

routing, prevention of denial-of-service and key

management service along with some method to achieve security in wireless sensor networks.

D. Anshul and S. Roy. A ZKP-based identification scheme for base nodes in wireless sensor networks [4]: The key issue of initial trust is addressed in this paper. This situation can lead to an attack whereby a malicious party masquerades as the base station and frequently authenticates other legitimate nodes to capture messages within the network. This paper proposes a protocol that will help build a base station authentication mechanism in the framework of a one-hop mesh network and later extend it to a multi-hop framework.

III. AVCAARCHITECTURE

Fig 1. AVCA network with Virtual Certificate Authorities5

AVCA defines major devices and the association among these devices is depicted here.

The major devices used in this architecture are TC- Trust centre, which is the device responsible for starting the network, defining the communication channel, key management, key distribution and implementation of a network access control policy.

The end sensor node in the architecture is the MED i.e., Manufacturer’s End Device and MCA i.e., Manufacturer’s Certificate Authorities acts as a trusted third party between the MED and the TC.

We have two devices shown in dotted circles and their

association to other devices is also through dotted lines,

which indicates that these two devices are virtual.

The GVCA stands for Global Virtual Certificate Authority and it is the trusted third party between the TC

and the MCA. It is also responsible for signing the

certificates ofthe TC

a

the time of manufacture.

The second virtual device i.e., Manufacturer’s Virtual Certificate Authority (MVCA), is the trusted third party between the MCA and the MED. Both the MED and the MCA have their certificates signed by the MVCA and implanted prior to the deployment.

TABLE I

Devices used in the AVCA Architecture and their association relationships5

Fig 2. Certificate implanted on the device prior to deployment5

All the devices from fig 1. are dependent on each other for the network to function. The dependencies among the modules are shown in fig 2.

The GVCA implants its certificate data on the TC. The TC also has the root certificate of GVCA. The MED has

the root certificate of MVCA along with its signature and

data. MCA has the root certificate of both the GVCA and

the MVCA and also the signature and data of both the

International Journal of Emerging Technology and Advanced Engineering

83

IV. AVCAEND DEVICE AUTHENTICATION

The AVCA authentication procedure provides a mechanism that allows two devices that have no prior knowledge of each other to perform secure authentication.

The MCA can establish the address of the TC from the beacon. It will request the TC’s certificate signed by a trusted third party (the GVCA). The MCA will then verify the TC’s certificate by using the GVCA’s public key. On successful verification of the TC’s certificate it can initiate a challenge and response procedure using the TC’s public key. This is illustrated in Fig 3.

Fig 3. AVCA end device authentication procedure5

The MCA can establish the address of the TC from the beacon. It will request the TC’s certificate signed by a trusted third party (the GVCA). The MCA will then verify the TC’s certificate by using the GVCA’s public key. On successful verification of the TC’s certificate it can initiate

a challenge and response procedure using the TC’s public

key. This is illustrated in Fig 3.

This authentication process is significant as we are

trying to provide the initial trust wherein the basis for

initial trust, i.e., the signature and the data of GVCA and

MVCA is not implanted on the devices which are deployed actually on the network. The basis for initial trust i.e., the private key of GVCA is not on the network and hence cannot be gleaned by tempering. In addition to this trust we also implement a challenge-response phase so that the issue of authentication can be handled efficiently.

For the challenge response phase after the MCA receives the certificate of the TC it in turn sends a challenge to the TC where in it sends an encrypted message to the TC and ask it to decrypt the same with its private key.

If the response from the TC is the same original string sent by the MCA as the response the process of authentication can proceed as shown in the Fig 3.

V. AVCAEND DEVICE ASSOCIATION

Before the MED joins the network, an MCA from that device’s manufacturer must first join the network.

Fig 4. AVCA end device association procedure5

Before the MED joins the network, an MCA from that device’s manufacturer must first join the network.

In order to achieve this, MCA authenticates the TC as described above and requests to associate to the network. The TC then authenticates the MCA and authorizes it to associate. The MED issues a per-authentication request to the TC for a certificate of an MCA device. The MCA passes two parameters in the certificate request:

I. the manufacturer’s id and

II.the address of the trusted MVCA

The TC does not have this certificate. It has previously authenticated an MCA from the same manufacturer. It requests this certificate from the MCA. This certificate has been implanted on the MCA which forwards it to the TC which in turn forwards it to the unauthenticated MED which finally authenticates the MCA and the process continues as shown in the Fig 4.

VI. INTEGRATION OF AVCAWITH IEEE 802.11

International Journal of Emerging Technology and Advanced Engineering

84

The 802.11 frame format is depicted in the Fig. 5. The region of our interest is the Rsvd field i.e.; the reserved field in which we integrate the AVCA architecture.

Fig 5. 802.11 Frame Format5

VII. EVALUATION

As seen from the two outputs, we can see the key exchange and the challenge response phases of the AVCA architecture.

Also we can see in the output that whenever a malicious activity is detected the initial trust of the network is kept intact by erasing previous data and redistributing the certificates.

Fig 6. Result analysis

Fig 7. Result analysis

VIII. CONCLUSION AND FUTURE WORK

The concept of AVCA, a virtual certificate authority, solves the issue of initial trust via the structured signing of certificates, which are implanted on devices prior to deployment along with the support for node authentication and a private key distribution mechanism. It also enhances many WSN design goals including simplicity, scalability, interoperability and control for individual manufacturers.

The AVCA architecture has been successfully implemented in IEEE 802.15.4 as well as ZigBee protocol stack and can be easily incorporated into other WSN protocols, and accordingly it has been adapted to IEEE 802.11

The future research includes:

1. A mechanism for the revocation of certificates.

2. Analysis is required to document the exact effects on

performance, network bandwidth and resource usage etc.

REFERENCES

[1 ] IEEE Computer Society. IEEE 802.15.4 Part 15.4: Wireless Medium

Access Control (MAC) and Physical Layer (PHY) Specification for Low-Rate Wireless Personal Area Networks (LR-WPANs), May 2003.

International Journal of Emerging Technology and Advanced Engineering

85

[3 ] P. S. Kruus, D. W. Caraman and B. J. Matt. Constraints and

approaches for distributed sensor network security. Tech. Rep. 00-010. Technical report NAI Laboratories, 2000[3].

[4 ] D. Anshul and S. Roy. A ZKP-based identification scheme for base

nodes in wireless sensor networks. In SAC ’05: Proceedings of the 2005 ACM symposium on applied computing, pages 319-323, New York, NY, USA, 2005. ACM Press.

[5 ] Edmond Holohan (IEEE Member) Previously with the National

University of Ireland, Galway -Discipline of Information Technology. Michael Schukat (IEEE Member) National University of Ireland, Galway -Discipline of Information Technology.

[6 ] A. Perrig et al. SPINS: Security protocols for sensor networks.

Proceeding for Mobile Networking and Computing, 2001.

[7 ] S. Zhu, S. Setia, and S. Jajodia. Leap: Efficient security mechanism

for large-scale distributed sensor networks. In Proc. of the 10th ACM. Conference on Computer and Communications Security (CCS ’03).

[8 ] T. Lennvall, S. Svensson and F. Hekland. A comparison of Wireless