• No results found

Neighborhood-Based Security Protocol for Wireless Sensor Networks

N/A
N/A
Protected

Academic year: 2021

Share "Neighborhood-Based Security Protocol for Wireless Sensor Networks"

Copied!
5
0
0

Loading.... (view fulltext now)

Full text

(1)

Abstract – The main objective of this work is to minimize the intrusion attacks without causing a significant impact on energy consumption. One of the proposed methods was the neighborhood-based key agreement protocol (NEKAP). It could provide an authentication in a wireless sensor network. Unfortunately, adversaries may launch a replay attack though the loophole of NEKAP to successfully masquerade legitimate nodes and thereby compromise the communications over the network. In this paper, we present a modified security protocol for wireless sensor networks. Similarly to NEKAP, we design and provide four types of keys for each node, which adapt to different security requirements. The descriptions on the proposed protocol in conjunction to the conventional NEKAP are provided; and the improvement on the performance is also discussed and analyzed on several, typical attacks found in wireless sensor networks, i.e., replay attack and DoS attack. The study on our new security protocol shows that it can enhance the security resilience for the wireless sensor network better than the conversional method.

Index Terms—Wireless sensor networks, Authentication, Replay attack, Security protocol.

I. INTRODUCTION

Wireless sensor networks (WSNs) are distributed systems consisting of a large number of sensor nodes and a base station as a controller which interface the sensor network to the outside network. WSNs may be deployed in unattended and often adversarial environments such as battlefield. Compared with the conventional networks, they seem more vulnerable to physical destruction and man-made threats. Therefore, providing security is a particular challenge in sensor networks due to the resource limitations of sensor nodes, wireless communication and so on. As a specific example, it’s not practical to use asymmetric cryptosystems in a sensor network where each node with low operational capability and insufficient memory (e.g. Crossbow’s MICA2/MPR400CB sensor node [10]). Thus, the key management protocols for sensor networks are based upon the symmetric key algorithms, and the design of the security protocols for WSNs should be as light-weight as possible.

The authors are with Dept. of Electronic Engineering, Chonbuk National University, Chonju, Rep. of Korea, 561-756

* Kang Soo You is with Jeonju University, Chonju, Korea.

NEKAP [1], a design of link layer key agreement protocol for sensor networks which establishes two kinds of keys: pairwise keys, for link layer pairwise communications, and cluster keys, for link layer broadcast communication. In NEKAP protocol, the node keys are generated from the master keys of neighbor nodes, making the discovery of these keys more difficult to the enemy. To establish all the keys, each node broadcasts only three messages which render the protocol very energy-efficient. The main contribution of this work is a key agreement where each key is valid only in its neighborhood and the impact of a node key compromised can be restricted to the node’s neighborhood. Thus, it’s impossible for an adversary to carry out an attack in wide scale by capturing only a few nodes. Moreover, the energy cost of the solution is lower than the others presented so far.

NEKAP has many advantages for WSNs, such as intruder resilient, energy efficient and so on. Unfortunately, NEKAP is vulnerable to replay attack [8] because of the keys establishment process which has only three broadcast messages. A malicious node may transmit the old message which broadcasted from a legal node to its neighbor nodes, and the message can’t be authenticated due to these two nodes can’t communicate directly (we will show detail in Section Ⅱ). So the malicious node may gain the legal status through cheating the chosen legal nodes by transmitting old message, and then the adversary may lunch other attacks, such as DOS [9] attack, black-holes attack, masquerade attack, and so on.

In this paper, we modified the NEKAP protocol in preventing replay attack, and present a new modified security protocol for wireless sensor networks.

The rest of the paper is organized as follows. In Section Ⅱ, we review the related works in some security protocols provided for sensor networks and the overview of NEKAP, show the loopholes of NEKAP which may exploited by an adversary to lunch a replay attack. In Section Ⅲ, we discuss our system and assumptions, and then we present the details of our modified security protocol. Finally, we present security and performance analysis in Section Ⅳ, and we will show our conclusions in Section Ⅴ.

II. RELATED WORKS

Link layer key agreement between neighboring nodes is a fundamental issue for securing sensor networks deployed in unattended and hostile environments [2]. There are several approaches present in literature [3] [4] [5]. In this way, two nodes can communicate with a shared pairwise key directly.

Neighborhood-Based Security Protocol for Wireless

Sensor Networks

Di Zhang, Ung Heo, Yi Zhao, Kang Soo You* and Jaeho Choi

Dept. of Electronic Engineering, Chonbuk National University, Chonju, Chonbuk, Korea

E-mail: wave @chonbuk.ac.kr

(2)

Fig. 1 Replay attack by one node

Localized Encryption and Authentication Protocol (LEAP) [6] was proposed by Zhu et al as a key management protocol for sensor networks designed to support in-network processing, while solving the problem of key distribution and restricting the impact of a compromised node to the network. LEAP establishes four types of keys, for each node and communication type: 1) individual node key, shared between each node and the base station, used in communication with base station, pre-load before its deployment; 2) pairwise key, shared between a node and each one of its neighbors, used in pairwise communication among them; 3) cluster key, shared between a node and all its neighbors, used in local broadcast communication; and 4) group key, shared by all nodes, used in broadcast multi-hop from base station. In sensor networks, pre-deployed key was the most practical approach for bootstrapping secret keys in sensor nodes. In LEAP protocol, nodes were loaded before they were deployed in the sensor field. Pairwise keys could be generated between two nodes based on this pre-deployed key information. The problem of LEAP is the excessive number of messages exchanged in the establishment of the keys; the communication cost will be very high.

Oliveira et al present SPINS [7], a security protocol for WSNs. This work proposed two building security blocks optimized for sensor networks: SNEP and μTESLA. SNEP provides end-to-end data confidentiality, two part date authentication, and data freshness between the base station and each node; μTESLA is a protocol which provides multihop broadcast from the base station.

As NEKAP is a peer-to-peer approach, it can be used with SNEP or μTESLA protocol to increase security for sensor networks.

A. Overview of NEKAP

NEKAP is a link layer key management protocol that establishes two kinds of keys: pairwise keys, for link layer pairwise communication; and cluster keys, for link layer broadcast communication. It is similar to LEAP protocol; however, NEKAP is more resilient to node tampering and even more energy-efficient.

In NEKAP, each node pre-loaded with a master key, broadcast to its neighbors its key encrypted with a global

Fig. 2 Replay attack by two nodes

shared key. The node keys are generated from the master keys of neighbor nodes, making the discovery of these keys more difficult to the adversary. To establish all the keys, each node broadcasts only three messages, which render the protocol very energy-efficient.

Due to the key is valid only in its neighborhood and the impact of a node key compromised can be restricted to the node’s neighborhood, these results render the NEKAP protocol intruder resilient.

B. Loopholes of NEKAP

In NEKAP protocol, the process of key establishment is only three broadcast messages, which broadcasted from each node to its neighbor nodes. NEKAP can provide the data confidentiality, but cannot provide broadcast authentication in the key establishment phase. Thus, they are vulnerable to the replay attack.

It can be seen that some malicious nodes are deployed in a sensor network in the initialization phase. If the malicious node retransmits the legitimate old messages which broadcasted from a legal node to another one while these two nodes cannot communicate directly. The malicious node can impersonate as a legal node in network, as shown in figure 1.

In figure 1, the malicious node can retransmit node A’s broadcast messages to node B, so node B will regard the malicious node as node A. Similarly, the malicious node also can be as a neighbor node B to node A, if it retransmitted node B’s broadcast messages to node A. But actually, node A and B cannot communicate to each other directly, and the malicious node as an intermediate node between node A and B in network. It can be seen that the malicious node cannot threaten the security of its region when it between two nodes which they can communicate directly. So, the figure 1 shows one condition which attack by one node and the figure 2 shows the other condition which attack by two nodes.

Combining these two conditions, random diffusion with several malicious nodes will confuse the framework of the network (as shown in figure 3). The adversary can make a DOS attack or black-hole attack after the routing establishment completed.

(3)

Fig. 3 Replay attack by more than two nodes III. PROPOSED METHOD

A. System and Assumptions

We assume that a typical sensor network forms around one or more base stations as a controller (or key server) with sufficient power, memory and computational capabilities which interface the sensor network to the outside network. The sensor nodes establish a routing forest, with a base station at the root of every tree. However, we assume that the base station will not be compromised. Nodes deployment is random, the neighborhood of any node is unknown in advance, the wireless communication is not secure and it is subject to eavesdropping, insertion of packages and replay older messages. The nodes are vulnerable to tampering. We assume that if a node was compromised, the enemy can know all the information it handles.

B. Notation

The following symbols are used in the text:

- ID: Node identifier, MAC address;

- f : Pseudo-random function;

- K : Global key shared in each node; G

- KM: Master key, which only known by the BS;

- KA: Individual key of node A; - K ′A: Cluster key of node A; -

n A

K : The nth key of node A’s one-way key chain for local

broadcast authentication; - Id

A

K : Identification key of node A;

- K : Identification master key, which only known by the BS; IM

- KAB: Pairwise key shared between node A and B;

- KIn: The insertion key which used for new nodes insertion in the insertion phase;

- BS⇒ *: Sending a broadcast message by BS;

- { }M K: The encryption of message M with encryption key K;

- { }M ( ,K IV): Denote the encryption of massage M, with key K

and the initialization vector IV which is used in encryption modes;

- { }MAC M K : Denotes the computation of the message authentication code (MAC) of message M, with MAC key K.

C. Protocol Description

Similar to LEAP and NEKAP protocols, the design of our protocol supports for multiple keying mechanisms which is motivated by the observation that different types of messages exchanged between sensor nodes have different security requirements, and that a single keying mechanism is not suitable for meeting these different security requirements. Specifically, we support the establishment of four types of keys for each sensor node – an individual key shared with the base station, a pairwise key shared with another sensor node, a cluster key shared with multiple neighboring nodes, and a global key shared by all the nodes in the network.

Our protocol also includes an efficient protocol for local broadcast authentication based on the use of one-way key chains.

In order to prevent the threat of replay attack, our protocol provides a malicious node detection phase to detect and remove the malicious nodes which may have existed in the network.

In addition, we provide a new bootstrapping method in our protocol which solves the security threat of the initialization phase (detailed in Section Ⅳ).

Our procedure is described as follows.

1) The Initialization Phase

Step 1: Each node should pre-loaded a unique number as its node identifier (ID).

Step 2: Create a master Key (K ) and an identification M

master key (K ) for all nodes by the controller which only IM

known by base station (BS).

Step 3: Compute and install an identification key ( Id A K ) for each node A: ( , ) Id A IM K = f K A

Step 4: Each node A should pre-load its individual key (K ), A cluster key (K ′ ) and global key (A K ): G

( , ) ( , ) A M A M K f K A K f K A = ′ = ′

2) The Broadcast Phase

Step 1: When the broadcast phase starts each node broadcasts message to its neighbor nodes:

1 ( , )

*:{ , , } Id , G A A A K K

AK A KA

Step 2: A short waiting phase for that all nodes completed broadcasting of messages.

Step 3: The base station (BS) broadcasts and reveals the identification master key (K ) to all nodes. IM

*: IM

(4)

Fig. 4 The procedure on malicious node detecting and diagnosing mechanism

The neighbor nodes can compute the identification key

( Id A

K ) of node A, and then they can decrypt the packet to get the

cluster key of node A, the first key of node A’s one-way key chain for local broadcast authentication and verify the identification of the packet. At last, erase the identification key

( Id A

K ) and identification master key (K ). IM

Step 4: when the node has finished the above process it will broadcast its neighbor nodes list to its neighbor nodes:

2 2

*:{ } , , ({ } , )

A A A

i A K A i A K A K

AID i N∈ ′ K MAC ID i N∈ ′ K

Node A’s neighbor nodes B can receive the list of node A, and the pairwise key (K ) between node A and B will be: AB

( , , )

AB A B i A B

K = f K K ID i N′ ′ ∈ ∩N

The pairwise key between node A and B is computed by their cluster keys and the identifier of their common neighbors. That makes the adversary more difficult to compromise the network. For example, in figure 1, the common neighbor of node A and B is node C.

3) Malicious Node Detection and Diagnosing Phase

Replay attack is a malicious node stores a received message and attempts to send it at a later time. When the nodes receive the message, they believe that it is an original message, which it is not. That causes the nodes to come up with the wrong distance and signal strength since the node sending the original message is not where they think it is.

Most proposals for preventing the replay attack rely on timestamp or sequence number. Method based on timestamp must be supported by a synchronization mechanism which can made more complex computation and energy consumption; and the other method which based on sequence number is not

applicable to our sensor network since that the compromised nodes can’t communicate directly.

In our protocol, we use a malicious node detecting and diagnosing mechanism based on acknowledgment message

(ACK) to solve the above problems.

When a message is received, an ACK is generated and sent to the node that sent the message. Then the message is saved in a temporary buffer until the ACK comes back. If the ACK is received in a certain amount of time, then the node is an honest node, but if the message is not received in that amount of time then it is a dishonest node, the message may be transmitted by the malicious node. Thus, the node will erase all the related information, such as the pairwise key. (The procedure is shown in figure 4).

The new node insertion phase is the same way as NEKAP protocol, so we skip the details of this part.

IV. SECURITY AND PERFORMANCE ANALYSIS In this section, we discuss some issues and problems about our modified protocol.

A. Security Analysis:

1) About the new bootstrapping method

In LEAP and NEKAP protocols, there is an important assumption. They assume there exists a lower bound on time interval Tmin that is necessary time for an adversary to

compromise a sensor node, and that the time Test for a newly

deployed sensor node to discover its immediate neighbors is smaller than Tmin. In practical, it seems a reasonable assumption

that TminTest, but if an adversary can compromise a sensor

node within the time interval Test, they can known all the

information in this node, then the adversary can decrypt all broadcasting information by the global key.

In our protocol, each node sends “

1 ( , )

{ , , } Id , G A A A K K

K A KA” to its neighbor nodes. Notice that each node does not know the identification key ( Id

A

K ) of any other node since it constructed

from the identification master key (K ). Even if the adversary IM compromises a sensor node within the time interval Test, they

cannot decrypt any packets. The adversary can’t known any node’s information except the compromised node’s before the identification master key (K ) reveals. In other words, this IM packet cannot be fabricated and falsified since nobody can decrypt the message without the identification master key (K ) IM and the identifier contained in the packet can authenticate the same one outside.

The construction of pairwise key is also based on its neighbor nodes. So similar to NEAKP protocol, our modified protocol also has the good characters of NEKAP, such as intruder resilient.

2) About the malicious node detecting and diagnosing mechanism

In order to solve the threat of replay attack, we present a malicious node detecting and diagnosing mechanism based on acknowledgment message.

(5)

This method is based on the fact that sending ACK through a malicious node would take a longer time than transmitted by straight-line.

That is a light-weight and effective protocol. The controller can detect and define most of malicious nodes, and then disposal these malicious nodes betimes.

B. Performance Analysis:

We mainly consider the following performance metrics in our protocol.

1) Communication Overhead

In our protocol, there are only two broadcast messages need to be transmitted during the key establishment phase, and the malicious node detecting and diagnosing mechanism is a light-weight protocol, so the communication overhead is very low.

2) Computational Overhead

The main computational overhead for each node is to verify a

MAC and establishing a pairwise key with every neighbor node.

All these processes are easy to complete, so the computational overhead is also low.

V. CONCLUSIONS

We have presented our modified protocol for wireless sensor networks, it not only has the advantages which the NEKAP protocol has, but also solves some problems on security threat of NEKAP. The properties of our protocol as followed:

• Our protocol support for establishing four types of keys per node – individual keys shared with the base station, pairwise keys shared with individual neighboring nodes, cluster keys shared with a set of neighbors, a group key shared with all the nodes in the network and an efficient protocol for local broadcast authentication based on the use of one-way key chains. These keys can be used to increase the security of many non-secure protocols. • In our protocol, we give a new bootstrapping scheme to

our key establishment phase to avoid the threat when the adversary can compromise a sensor node within the time interval Test. It uses an encrypted massage by the global

key (K ) and an identification key (G Id A

K ), no nodes know

the identification key until the base station discloses the identification master key (KIM ). Therefore, the new bootstrapping scheme can increase the security of the sensor network against the node compromising.

• Our protocol gives a light-weight and effective malicious node detecting and diagnosing mechanism based on acknowledgment message. It can effectively decrease the number of intermediate malicious nodes to make our protocol more secure to replay attack.

• To generate the keys, our protocol requires only two broadcasted messages from each node and thus energy-efficient and appropriate to be used in WSNs.

REFERENCES

[1] De Oliveira S., Hao Chi Wong and Nogueira J.M., "NEKAP: Intruder Resilient and Energy Efficient Key Establishment in Sensor Networks",

International Conference Computer Communication and Networks, 2007 (ICCCN '07), Honolulu, Hawaii, USA, 2007.

[2] Y. Zhou and Y. Fang, "ScalableLink-Layer Key Agreement in Sensor Networks", Military Communications Conference, 2006, (MILCOM ‘06), Washington, D.C., USA, 2006.

[3] L. Eschenauer and V. D. Glicor, "A key-management scheme for distributed sensor network", 9th ACM conference on Computer and

Communication Security, November 2002, (CCS ‘02), Washington, D.C.,

USA, 2002.

[4] H. Chan, A. Perrig and D. Song, "Random key predistribution schemes for sensor networks", 2003 IEEE Symposium on Security and Privacy May 11

- 14, 2003, Berkeley, CA, pp. 197, 2003.

[5] D. Liu, P. Ning and R. Li, "Establishing Pairwise Keys in Distributed Sensor Networks" ACM Transactions on Information and System Security, Vol. 8, No. 1, February 2005.

[6] S. Zhu, S. Setia and S. Jajodia, "LEAP: efficient security mechanisms for large-scale distributed sensor networks", 10th ACM Conference on

Computer and Communications Security (CCS '03), Washington D.C.,

USA, October 2003.

[7] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen and D. E. Culler, "SPINS: security protocols for sensor networks", Wireless Networks 8, 2002, Kluwer Academic Publishers, Netherlands, pp. 521-534, 2002.

[8] Matthew Vella and Ahmed Mahdy, "Survey of wireless sensor network security", The 2008 National Conference for the Society for Advancement

of Chicanos and Native Americans (SACNAS '08), Salt Lake, Utah, USA,

2008.

[9] D. Raymond, S. Midkiff, "Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses", IEEE Pervasive Computing, vol. 7, pp. 74-81, 2008.

[10] Wireless Sensor Networks: Getting Started Guide, Rev. A, Doc. # 7430-0022-07, Crossbow Technology, Inc, San Jose, CA, Sep. 2005.

http://www.xbow.com/Support/Support_pdf_files/getting_started_guide. pdf [Viewed online 10 May 2009].

References

Related documents

shooting day, Sunday, March 20 th , 2011 we dedicated to all of the high school classroom scenes.. When I requested to use the Liberal Arts building room 129, I found out that due

The present study tested a conceptual model of the relationships among religious well-being, existential well-being, positive religious coping, and family

When examining patterns of polymorphism and di- vergence in individual genes, we conducted tests with both polarized and unpolarized mutations; here we report the results of

Management Sciences for Health (MHS), USA 1/2008-4/2008 Virtual Leadership Development Program (VLDP), as a team member of ten persons responsible for educational activities

The linear approximation method requires the probability of voltage distribution, probability of contingency and the severity function to evaluate the risk

line to study the response of mammalian cells to EMFs of 18 GHz, a type of EMF radiation known to induce membrane permeabilization with minimal detriment to cell

The aim and objectives of the study are to produce the recovery or recycling process flow for potential scheduled wastes that can be recovered or recycled, identify the