Public Key Encryption and Security in Wireless Network

Chapter 1

Security architecture for

multi-hop wireless sensor

networks

Authors: Ismail Mansour, Gerard Chalhoub and Michel Misson

Corresponding author: gerard.chalhoub@udamail.fr

Authors affiliation: LIMOS-CNRS, Clermont Universit´e,

Complexe scientifique des C´ezeaux, 63177 Aubi`ere cedex, France

Abstract

The security issues in wireless sensor networks have taken the attention of numerous researchers in the past several years. It has recently been proven that public keys are now feasible in wireless sensor networks but still consume a lot of processing time and memory. In this chapter, we propose a dynamic security architecture that uses public keys based on ECC to exchange symmetric keys that will be used to encrypt communications. The proposed architecture is based on a central node that takes in charge the authentication of newly arriving nodes. Symmetric key establishment is achieved in a secure manner using asymmetric keys. We evaluate the cost of different cryptographic operations and two main phases of our protocol, the join phase phase and the neighbour discovery phase. In order to give an estimate of the additional cost in terms of time and energy consumption we present results obtained using TelosB motes.

1.1

Introduction

Wireless sensor networks are more and more deployed for various applications in-cluding home monitoring, health, industrial, military, etc. It is known that wireless networks are easy to attack because of the nature of the shared medium which makes it relatively easy for intruders to eavesdrop, tamper or inject data into the network. Sen-sor nodes are known to have limited computation, storage and transmission capacities, but attackers are not necessarily using the same technology to launch their attacks.

Security techniques aim basically at offering the following proprieties: (i) data confidentiality, where only the entities concerned are able to decode information, (ii) data integrity, when the destination is able to make sure that data sent by the source has not been tampered with by a third party, (iii) data authentication, where the source of the data is authenticated, (iv) entity authentication, which is to make sure that the entity is really who it is claiming to be. Our contribution is concerning the communication inside the wireless sensor network as depicted in figure 1.1. Data is generated by the process equipments and passed through to wireless sensor nodes that route this information towards a sink that plays the role of a gateway that leads towards a wired or a wireless traditional network. Users communicate with the process by using a Middleware layer and store the collected data in adequate servers.

The required security level might vary from one application to another according to the importance of the information that is being exchanged. In this chapter, we present a security mechanism using Elliptic Curve Cryptography (ECC) [1] to establish a

cured communication. We propose a secured system for critical applications with low mobility and where a very high level of security is required. We use an existing cryp-tographic system based on ECC that enables us to exchange secret session keys and encrypt exchanged data. We evaluate the additional cost of the cryptographic system during the initial phase of the network, that is, the join phase and the neighbour dis-covery phase. Evaluations are done through real measurements using TelosB motes. It should be noted that the main contribution of this paper resides in the network protocols used to enable nodes to join the network in a secure manner and exchange messages in a secure manner as well. We adapt the cryptographic algorithms used which are based on the ECC operations, such as the Diffie-Hellman method [2] with key pre-distribution.

0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 0000000000 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 1111111111 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111 111

Sink/Gateway and servers Database WSN Middleware layer Wired or wireless network Process Application

Figure 1.1: The missing link in the security process of applications using WSN. The remainder of the paper is organized as follows. In section 1.2, we go through some of the most known attacks and countermeasures in wireless sensor networks fol-lowed by the related work in the field of cryptography and security in wireless sensor networks including the latest standardization efforts. In section 1.3, we present our proposition that is based on public key management and symmetric key encryption, ending it with a security analysis. We analyse some results in 1.4 and conclude the paper in section 1.5.

1.2. STATE OF THE ART 5

1.2

State of the art

1.2.1

Security in wireless sensor networks

Most attacks in the literature concern wireless networks like WLAN, MANET and WSN. The common vulnerability between them is the use of wireless communication. These attacks are divided into categories according to criteria or factors well defined. We cite the best known of classifications:

• Communication protocol: the attacks are distinguished according to the layer where the attacks are made [3, 4].

• Adversarial intent: attacks are classified as primary intentions of adversaries such as collecting information, perturbing communications or data aggregation, exhausting resources or capturing physically nodes of the network [5].

• Passive/active attacks: a passive attack is an attack that aims to listen and collect data that can be used later to start other types of attacks, while the active attack tries to modify, fabricate or perturb data [6, 7, 8].

• Internal/external attacks: when a node in the network is involved in an attack, it will be considered an internal attack. This can be done using the nodes of the network that are physically captured. If the node participating in the attack is not part of the network, the attack will be considered as an external attack [8].

• Place of attack: the authors in [9] define a new model of attack suited for WSN based on the target of the attack. It depends on which entity of the network the attack is performed (i.e. Sink, neighbour or source node).

Each of these methods of classification helps to see the threats from different per-spectives. In what follows we present, a list of some of the most important attacks and the basic countermeasures:

• Eavesdropping or Passive Monitoring attack: this attack is one of passive attacks where adversaries seek to monitor or collect information circulating in the net-work. The goal is to listen to traffic on the communication channels and intercept packets. Everything depends on the mechanisms used to secure communications. If they are not encrypted, the adversary can then immediately retrieve the con-tent of the packets. Otherwise, this concon-tent needs time to be decrypted before exploited.

• Sinkhole or Black hole attack: this attack is part of series of attacks that cause a denial-of-service of the network. It is an internal attack performed on the network level. The malicious node acts as a base station, attracts packets and prevents them from continuing their ways. One of the counter-attacks technique is entity authentication where nodes are authenticated before they are allowed to take part of the network activity.

• Sybil attack: a malicious node can claim to have multiple identities by using those of nodes targeted by the attack. It is an example of place of attack attacks. The goal of this attack is to degrade the integrity of data, the level of security and resource utilization. The use of public key cryptography can help to defend against this attack. The key is to verify the identities of neighbouring nodes or sons.

1.2.2

Related work

In this section, we go through the related work in the field of security in wireless sensor networks including key management and the standardization tendencies.

Key management in wireless sensor networks

In order to provide security in wireless sensor networks, communication should be encrypted and authenticated. The main issue is how to set up secret keys between nodes to be used for the cryptographic operations, which is known as the key agreement.

The public key cryptography (PKC) has been proven to be applied in spite of mem-ory constraints of sensor nodes and have interesting properties for the security of wire-less networks[10, 11, 12]. To avoid many attacks like Sybil or man-in-the-middle, the nodes of the network and all the public keys must be authenticated before the start of communications. Many authentication schemes are proposed in the literature in order to establish secure public key exchange [13, 14, 15, 16].

The most common criticism on using PKC in sensor networks is its computational complexity and communication overhead. However, in [17, 18, 19], the authors show that public-key cryptography based on ECC is viable on small wireless devices. ECC is based on the problem of discrete logarithm. The main attraction of ECC over com-peting technologies such as RSA [20] and DSA [21] is the use of smaller parameters but with equivalent level of security [22]. For example, 160-bit ECC key is equiva-lent to 1024-bit RSA key. The performance of ECC depends mainly on the efficiency of finite field computation and fast algorithms for elliptic scalar multiplications. The private key of the ECC is a random numberdchosen in[1, n−1], wherenis a fixed parameter in the domain of the curve. The public key is then obtained by multiplying

dbyG, whereGis the global point of the curve. ECC has 3 fundamental protocols: (i) Elliptic Curve Diffie-Hellman (ECDH) which is the elliptic version of the well-known Diffie-Hellman key agreement method, (ii) Elliptic Curve Digital Signature Algorithm (ECDSA) which is the analogue of the DSA and (iii) Elliptic Curve Authenticated Encryption Scheme (ECAES) which is a variant of public-key encryption. In [23], authors evaluate the energy consumption of the ECC cryptographic operations using 160-bit keys. In our paper, we evaluate the time and energy consumption of these op-erations using an implementation on TelosB motes and compare them to symmetric cryptographic algorithms.

Symmetric key systems are known for their light weight cryptographic operations compared to public key systems, thus they were the first to be considered for wireless sensor networks where computational resources are scarce. One of the most known

1.2. STATE OF THE ART 7 symmetric key systems that were proposed for wireless sensor networks is SPINS (Se-curity Protocols for Sensor Networks) [24] which uses a simplified version of TESLA (Timed, Efficient, Streaming, Loss-tolerant Authentication) protocol [25]. In [26], au-thors used three types of symmetric keys: (i) a set of symmetric keys pre-distributed on every node, nodes with a common key are able to communicate, (ii) a wedge key shared by all nodes of the same wedge, and (iii) a path key established from source to destination. In [27], authors compared hardware implementation with a software implementation of the AES algorithm using MicaZ motes. Results show that the hard-ware implementation consumes less time but more energy. In our paper, we considered a software implementation driven by cases where energy efficiency is more important than time efficiency. Which is the case for most applications that uses wireless sensor networks and aim at achieving a maximum network lifetime.

While symmetric key schemes are efficient in execution time, they require com-plicated key management which consumes a lot of memory and overhead. In contrast, public key based schemes have simple and adapted key management, but they are more complex to execute and thus consume more time.

The pre-distribution of symmetric or asymmetric keys is the most widespread and used in our days. It tries to replace somehow the vacuum created by the absence of public key infrastructures in WSN. Other concepts to overcome the absence of certifi-cate exist, such as the Identity-Based Cryptography (IBC) [28], where every node in the network is able to compute the public key of another node based on the identity of that node. This method is used by [29], where authors proposed TinyPBC and showed that their implementation is less time consuming and more optimized than that of [30]. The authors used the pairing operation in order to obtain the mutual secret key, they criticized the Diffie-Hellman method because of the lack of authentication and because of the messages that need to be exchanged between nodes before generating the mutual secret key. In our proposal, we used an authenticated No Interaction Diffie-Hellman method to avoid the additional messages over the air as explained in 1.3.2.

Authors in [31] proposed a multi-hop key establishment between nodes called Micro-PKI. Their method is based on the pre-distribution of the public key of the base station. Using this public key, every node is able to create a secret key with any other node of the network. The authentication process in this proposal is only dependent on the public key of the base station, if a node has this key, it is considered authenti-cated. This makes the procurement of this public key very critical on which depends the whole security architecture. The evaluation presented in the paper is based on results from [32] and does not take into account the fact the messages transit over multiple intermediate nodes. In addition, the authors did not implement their method, they only give estimated results. In our proposal, we emphasis on the authentication phase during a join process, and we evaluate the authentication cost over a multi-hop network based on implementation results.

Standardization tendencies

In the ZigBee-2007 specifications [33], the protocol proposes a cryptographic mech-anism based on AES-CTR (AES in CounTeR mode) with a 128-bit symmetric key to secure communications between devices. Three types of keys are used: (i)Link key

which is shared pairwise and used for unicast communications between peer entities (ii) Network Key which is used for broadcast communication, and (iii)Master Key

which is shared pairwise and used for exchanging keys. In each ZigBee network, there is a Trust Center application (configured on the ZigBee Coordinator by default) that manages the key distribution which is unique and known by all devices.

Other industrial standards that target monitoring and control [34] such as ISA100 [35] and WirelessHart [36] also use AES-CTR with 128-bit key and have a central security control entity that manages and authenticate the nodes.

Symmetric encryption is known to be faster when it comes to computational com-plexity compared to an asymmetric encryption, but it lacks digital signature and non-repudiation. ZigBee published the Smart Energy profile [37] that includes public key encryption mechanisms.

1.3

Security architecture

As discussed in 1.2.1, a lot of attacks like Sinkhole, Blackhole and tampering can be avoided using public key encryption infrastructure that offers the means to ensure entity authentication, source authentication, and data integrity and confidentiality. Our proposition is based on ECC encryption for the asymmetric operations and AES-CTR for the symmetric operations.

1.3.1

Network topology

We consider a hierarchical multi-hop topology as depicted on figure 1.2, where the nodeSis the sink of the topology and the default destination for the traffic. Hierarchical topologies are known to be more convenient for energy efficiency in wireless sensor networks as discussed in [38, 39].

Nodes are grouped into stars, each star has one central node that we call router and several devices. Routers have more processing and memory capacities than end-devices and they constitute about 10% of the network end-devices. End-end-devices represent the sensors and actors of the networks. End-devices are only allowed to communicate with the router of the star to which they belong. The creation of stars is done during the network deployment phase. Routers are allowed to communicate with each other but not with end-devices that are not associated to them. This clustering technique is similar to the one used in IEEE 802.15.4 [40] and MaCARI [41].

The hierarchical aspect of the topology will serve to facilitate the key management as explained in the next section where the sink node will play an important role in authenticating newly arrived nodes.

1.3.2

Key management

We use ECAES encryption for ensuring data integrity and authentication, and we use session keys (symmetric keys) for data encryption. Session keys are exchanged using ECAES encryption. Our key management is based on two phases: pre-deployment

1.3. SECURITY ARCHITECTURE 9 S A B C D E F Router End-device

Figure 1.2: Network architecture. The network is organized in stars. Each star is under the control of one router. Sensor and actors are associated to a router and belong to only star.

phase and deployment phase. The objective is to authenticate the nodes and gener-ate session keys between the nodes and the sink, and between the nodes that need to communicate.

Pre-deployment phase

In order to gain time at the deployment phase, public keys are generated and pre-distributed before deployment. Nodes in a wireless sensor network, where security is an issue, can often be configured before the deployment unlike the internet where nodes are very heterogeneous. This feature makes it easier to be able to distribute keys to nodes in a controlled manner.

For each node in the network (routers and end-devices) we generate a pair of keys (a public key and a private key). Keys are then distributed as follows: (i) we store in each node its own pair of public keys and the public key of the sink, (ii) in the sink, we store its own pair of public keys and the list of all the public keys of the nodes of the network. Every time a new node has to join the network, a simple command to the sink to add its public key is done. This mechanism ensures the dynamic aspect of the network and the ability to add new nodes once the network is created. Nodes, routers and end-devices, have thus the ability to be part of the network when they are in range of another node that is already part of the network. The dynamic aspect makes it possible to deal with topology changes and link failures.

The sink thus plays the role of a security manager that will authenticate the newly arriving nodes. A node that does not have a public key stored at the sink cannot be part of the network.

Deployment phase

During the deployment phase, the sink is the first node to be activated. Then, when a new node is activated, it probes the medium in order to find either the sink or other previously joined nodes. When it finds a node in its communication range it proceeds to the join process as described in this section. This incremental creation of the network guarantees that when a node is activated it is going to join a secured network where nodes had already created session keys in order to secure the communications.

Once a node is activated, it should proceed to the join phase and authenticate with the sink as described in what follows.

Join process: The first step after the activation of a node is the join phase. Let us consider a new nodeRthat wants to join the network through the nodeF (see figure 1.2).

R calculates a common key DHRS = KR ∗ PS according to Diffie-Hellman

method without interaction (No Interaction Diffie-Hellman, NIDH) between R and

S, whereKRis the private key ofRandPS is the public key ofS. No interaction is

needed betweenRandSbecausePSis pre-distributed in all the nodes of the network,

thusRhas it already and no need to exchange it over the air, andShasPRas already

1.3. SECURITY ARCHITECTURE 11 andShavePRandPSat the same time and are able to compute the DH key combine

with their respective private keys.

A derivation of the calculatedDH key is used as a symmetric key to encrypt the join request message (joinReq) that should be sent to the sinkS. Note that the header of the message is not encrypted in order to avoid encryption and decryption operations on the intermediate node. Thus, address fields are sent in clear and the routing protocol can choose the next hop without any cryptographic operation.

When nodeF receives the join request, it forwards it towards the sink. NodeC

does the same. When the sinkSreceives the join request, it examines the join request and decides whether to accept it or not. The verification process is out of the scope of this paper, it could be done using an external authentication server to which the sink has access, or the sink can be the authentication server if it has enough storage capacity. In case nodeRis allowed to be part of the network,Screates locally the same key created byR DHRS =KS∗PR(note thatDHRS =KR∗PS =KR∗(G∗KS) =

(KR∗G)∗KS =PR∗KS). S sends back a positive join response (joinRes) toF

(the node through whichRis joining the network) encrypted usingDHF S(this key

was previously created during the join phase of nodeF). This join response contains the public keyPR ofR. Using this public key,F is able to encrypt and to exchange

a symmetric session keySKF R withRthat will be used to encrypt communication

betweenFandR. This join phase is depicted in figure 1.3.

UsingDHRS makes the join process an authenticated operation becauseSis the

only node that is able to calculateDHRS using its own private keyKS. The fact that

the public keys are pre-deployed, avoids any man in the middle attack. All public keys are published by the sink using the authenticated keys DH. At the end of the join phase, the nodeRis authenticated and a session key betweenRand the sinkSis established.

In case any of these operations does not succeed (the node does not figure in the allowed nodes list of the sink, or theDHkey created by the new node is not compatible with theDHkey created by the sink), the node is not allowed to join the network.

In the case of an end-device that wants to join the network, the same procedure is applied. The end-device will only need to join the network and be authenticated by the sink, and later on they only need to communicate with the parent router (the node through which they join the network). If an end-device changes position and is no longer in communication range with its parent, it can switch to another parent and rejoin the network.

The main reason behind the separation between end-devices and routers is related to the energy efficiency of communications. In an energy network, end-devices will spend most of the time in sleep mode to save energy, thus, routers will store messages destined to end-devices until they wake up and be able to receive them. This energy efficient communication mode is adopted by IEEE 802.15.4 and Zigbee standards [33].

Neighbour discovery: The sink plays a critical role in the join phase. It needs to authenticate the public keys of every node that wants to join the network. When this authentication fails, it sends back a reject message to that node. Otherwise, it sends a positive join response. The sink saves all the public keys of the nodes in the network.

F S R C DHRS(joinReq) DHRS(joinReq) DHRS(joinReq) DHF S(joinRes, PR) DHF S(joinRes, PR) PR(joinRes, SKF R) SKF R(dataR) SKF R(dataF)

Figure 1.3: Join process. A multi-hop process guarantees that nodes are authenticated before taking part in the network. At the end of the join process, the new nodeR

obtains a session key that enables it to communicate with the node through which it joined the network. (F,CandSare the nodes form the topology of figure 1.2). This way, whenever a node wants to obtain the public key of another node, it sends a public key request to the sink with the identifier of the other node (the identifier can be its physical address for example). The sink sends back the public key encrypted using its private key in order to ensure the authenticity of the sink.

Session key exchange is done with every neighbour with which the routing protocol needs to communicate. In the case of session key creation between neighbouring nodes (for example, nodesAandBin figure 1.2), the node that creates the session key is the node that needs to send a message destined to the other.

Let us consider the case whereAneeds to send a message toB. Asends a public key request (pkReq) to the sink to obtain the public key of nodeB(PB). ThepkReqis

encrypted using the Diffie-Hellman keyDHASbetweenAandS.

S sends back a public key response (pkRes) to A containing the public key of nodeB(PB) encrypted using the Diffie-Hellman keyDHASbetweenAandS. Then,

A sends a session key establishment (skEst) message toB encrypted with PB that

includes a session key (SKAB) and the public key ofA (PA). B replies with an

acknowledgement (ACK) encrypted with the newly established session key to confirm that it was able to decrypt the key establishment message. This phase is represented on figure 1.4.

Session keys are then updated periodically, where the periodicity is the maximum duration tolerated before compromising the session key.

Concerning end-devices, they do not need to do network discovery. If the link between an end-device and its parent router is broken, then the end-device needs to

1.3. SECURITY ARCHITECTURE 13 A S B SKAS(pkReq) SKAS(pkRes, PB) PB(skEst, SKAB, PA) SKAB(ACK) SKAB(dataB) SKAB(dataA)

Figure 1.4: Neighbour discovery phase. The neighbour discovery enables the estab-lishment of symmetric session keys between neighbouring nodes.

find a new parent by doing a new join process.

Diffusion: In order to make encrypted diffusion possible using symmetric cryptogra-phy, the sink creates a global network session key. This session key is then propagated to all the nodes of the network in a hop by hop manner along the parent child rela-tionship starting from the sink. This session key is used to encrypt diffused messages such as synchronization beacons for example. The global session key is updated pe-riodically, where the periodicity is the maximum duration tolerated before the global session key is compromised.

1.3.3

Security Analysis

In what follows we go through the different security aspects that are taken into consid-erations in this architecture.

Confidentiality: During the join phase after the node activation, exchanges are en-crypted using the ECAES protocol. Once pairwise session keys are established be-tween nodes, data is exchanged and encrypted using a symmetric key using AES-CTR encryption.

Source authentication and Integrity: Message integrity and source authentication can be ensured using ECDSA for creating the hash of the message and signing it using

the private key of the sender.

Entity authentication: During the join process, the nodes are authenticated by the sink. When computing the DH key, the sinkSand a nodeRare the only nodes that are able to calculateDHRS using their private keys. ThejoinReqis encrypted byRand

decrypted byS, and it contains information to verify the identity ofR(i.e. physical address).

1.4

Results

In this section, we present, on one hand, the evaluation of the symmetric operations of AES algorithm (in CTR mode [42]), and on the other hand, we evaluate asymmetric operations which are: (i) the initialization phase of ECC, ECDH and ECAES (ii) the generation of ECC private and public keys, (iii) the calculation of a common symmetric key between two nodes using ECDH, (iv) the encryption/decryption using ECAES. These evaluations are done in terms of execution time and energy consumption. We conclude the results with an analysis of the additional cost depending on the size of the network.

In what follows, we fixed the key size of AES-CTR algorithm to128bits, which is used with 10 rounds according to the standard recommendations, and the key size of ECC suite to160bits.

Results presented in this chapter are obtained through real measurements. We im-plemented the algorithms in nesC, a programming language for networked embedded systems [43], on TelosB motes[44]. These motes use a 16-bit 8MHz TI MSP430 mi-croprocessor.

It should be noted that our implementation of asymmetric algorithms is based on TinyECC [45], which is a configurable library for ECC operations in wireless sensor networks. It provides a number of optimization switches, that can turn specific opti-mizations on or off. We used this library with all optiopti-mizations enabled to achieve a smaller execution time and less energy consumption with an acceptable cost of memory occupation.

The ECIES algorithm provided in [45] uses simple XOR operations for the sym-metric encryption algorithm for ensuring the confidentiality of data exchanged between nodes. For better security, we integrated our implementation of the AES algorithm in the implementation of ECIES. The notations in this chapter for the use of ECIES with AES will be ECAES. The impact of this integration is evaluated in terms of execution time and energy consumption.

1.4.1

Computation of the energy consumption

The energy consumption evaluation that we propose here is the evaluation of the ad-ditional power consumption caused by the execution of the code of the different cryp-tographic algorithms. This evaluation is based on the measurements of the execution time of the components of the algorithms that have been introduced and justified

pre-1.4. RESULTS 15 viously. The global energy consumption of an IEEE 802.15.4 standard based network is studied with more precision in [46].

In what follows, we have calculated the energy consumption using the following formula:U×I×tbased on the execution time (t), the voltage (U), and current draw (I). For TelosB motes, we have fixed the voltage at 3 Volts, supposing that the batteries are all the time in full charge state. The current draw in active mode (with radio off) is

1.8mA[44]. The current draw of the radio in receive and in transmit state is23mA. Note that this means that the energy consumption is directly related to the execution time.

1.4.2

Elementary values

In this section, we present previously published results [47] that constitute the ele-mentary values for our evaluation. These results include the initialization phase of the different algorithms (AES, ECC, ECDH, ECAES) in figure 1.5(a), and the cost of en-cryption and deen-cryption of1byteof data in terms of time and energy using AES on one hand and ECAES on the other hand in figure 1.5(b). For more details and comments on these results please refer to [47].

In addition to the encryption and decryption operations, in order to establish secure links between nodes, other operations are necessary. To generate a private/public key, a node takes2684.6msand consumes14.49mJ. To compute the secret key using the NIDH method a node takes3255msand consumes17.57mJ.

1.4.3

Time and energy consumption of the join process

In this section, we evaluate the join process presented in section 1.3.2 in terms of time consumption. This evaluation is divided into two parts. The first part being the calculation of execution time of processors at every node, and the second part being the time needed for sending and receiving packets between nodes.

Figure 1.6 shows the decomposition of the process into periods of timeTiwhere

1 ≤ i ≤ 5. In this example, we suppose that a node R wants to join the network through nodeF, andSis the sink of the network.

T1denotes the time needed byRandSto calculate theDH_RSsecret key.

T2denotes the time needed for encryption/decryption of thejoinReqmessage (where

only 16 bytes of the message is encrypted) using AES-CTR with theDHF Skey

cal-culated inT1which was already established betweenS andF before the arrival ofR

(during the join phase of nodeF).

T3denotes the time needed for encryption/decryption of the joinRes, containing

the public key ofR(40 bytes of the message are encrypted), with AES-CTR using to

DHF Skey.

T4denotes the time needed for encrypting the symmetric key SK_{F R} (dedicated

to encrypt the future communications betweenF andR) with ECAES. This operation costs21,92mJfor a symmetric key of16bytes, which is a very similar result compared to the same operation presented in [31] that costs22,82mJ.

2684.1 (14.49) 2682.1 (14.48) 11163.2 (60.28) 14965.2 (80.81) 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 0 2000 4000 6000 8000 10000 12000 14000 16000 Execution time in ms AES

ECC ECDH ECAES

(a) Execution time of the initialization phase of the different algorithms.

00 11 00 00 11 11 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 00 00 11 11 00 00 11 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 Encryption Decryption 0 50 100 150 200 250 300 350 400 450 Execution time in ms 377.75 (2.03) 254.23 (1.37) 12.78 (0.07) 12.76 (0.07) AES ECAES

(b) Execution time for encrypting and decrypting1byteof data.

Figure 1.5: Elementary values for the different cryptographic operations used by AES et ECAES. The energy consumption of these operations are presented between brackets and expressed in mJ. Each value represents the mean of the10 measurements on TelosB motes.

1.4. RESULTS 17 In figure 1.7 we presented the time and energy consumption of these periods. Each value is the mean of10measurements of the same operation on the TelosB motes.

00 00 00 11 11 11

00

11

0

1

0

0

1

1

0

0

1

1

0

0

0

1

1

1

...

...

Figure 1.6: Decomposition of the join process into periods of execution time. In addition of these time periods, the sending and receiving of packets must be taken into account. To send or receive a packet of16bytesit takes23.95mswhich we denoteS16. While sending or receiving a packet of40bytes(joinResmessage that

contains the public key of the new node) take 25.75ms which we denote S40, and

sending or receiving80bytes(joinResmessage sent with40additionalbytesin order to establish a symmetric key) takes30,89ms. These values were also obtained through real measurements on TelosB motes. We calculated the duration between the instant the mote is asked to send a message and the instant the message is sent on the medium. It should be noted that the execution time of the send command takes more time than the duration of the transmission. In case of sending or receiving 16bytes,40bytes, and80bytes, only0.512ms,1.28ms, and2.52msrespectively are spent by the radio activity (this calculation do not take into account the medium access delays).

TJoindenotes the total time needed for a node to finish its join process,TJoin is

given in equation 1.1. Note thatTi in equation 1.1 denote the execution times shown

in the figure 1.7 andndenotes the number of intermediate nodes on the route between

RandS.

The energy is calculated in the same manner by replacing Ti (1 ≤ i ≤ 5) in

equation 1.1 by the energy consumed in each of the time periods. S16 andS40 are

replaced by their calculated energy.

00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 0 0 1 1 00 00 00 11 11 11 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 0 1000 2000 3000 4000 5000 6000 7000 3270.8 (17.66) 205.6 (1.11) 612.2 (3.30) 6348.4 (34.28) 4369.8 (23.59) Execution time in ms T1 T2 T3 T4 T5

Figure 1.7: Execution time of the different periods of the join process. The energy consumption is presented between brackets and expressed in mJ.

1.4.4

Time and energy consumption of the neighbour discovery

phase

Figure 1.8 shows the decomposition of the Neighbour Discovery Phase into time peri-ods. These periods are the following:

T2denotes the time needed for encryption/decryption of thepkReqmessage (where

only 16 bytes of the message is encrypted) using AES-CTR with theDHASkey.

T3denotes the time needed for encryption/decryption of thepkRes, containing the

public key ofR (40 bytes of the message are encrypted), using AES-CTR with the

DHAS key.

T4denotes the time needed for encrypting thepkResmessage (containing a session

key dedicated to encrypt the future communications betweenAandB) with ECAES. Finally,T5denotes the time needed for decrypting thepkResmessage with ECAES.

TDiscoverydenotes the total time needed by a node to finish the neighbour

discov-ery phase,TDiscovery is given in equation 1.2. Wherenis the number of intermediate

nodes on the route betweenAandS.

TDiscovery = 4∗T2+ 2∗T3+T4+T5+ (n+ 2)∗S16+ (n+ 1)∗S40+S80 (1.2)

1.4. RESULTS 19

0

0

1

1

0

1

00

11

0

0

1

1

0

0

0

1

1

1

0

0

1

1

00

11

...

...

Figure 1.8: Decomposition of the Neighbour Discovery Phase into periods of execution time.

i ≤ 5) in equation 1.2 by the energy consumed. S16 andS40 are replaced by their

calculated energy.

1.4.5

Network size effect

In this section, we study the effect of the network size in terms of number of hops on the energy and time consumption. When the number of nodes separating the newly arriving node and the sink is bigger the energy and time consumption is bigger as shown in equations 1.1. The same can be noticed for the neighbour discovery process as shown in equation 1.2.

In our proposal, the number of cryptographic operations remains the same regard-less of the number of hops separating the nodes in the join phase and the neighbour discovery phase. Indeed, using theDH keys, only end-to-end encryption is needed and intermediate nodes only relay the message. Hence, when the network size gets bigger, only theS16andS40are affected, as both equations 1.1 and 1.2 show.

Figures 1.9(a) and 1.9(b) show the time consumption for the join process and the neighbour discovery process respectively when the number of intermediate nodes varies from0to20.

It should be noted that during these processes, nodes are not necessarily awake during the entire process time, so the energy consumption varies according to the MAC protocol and the duty cycle of each node. We only presented the time consumed before each process is completed. Which is the minimum and optimal delay consumed before each process is completed (we do not consider packet loss, repetitions nor medium access delays). This delay is very dependent on the MAC and routing protocols, as well as on the traffic charge of the network.

1.5

Conclusion

In this chapter we presented a dynamic lightweight security architecture for multi-hop wireless sensor networks based on pre-distributed ECC public keys before deployment. These public keys are then used to create session symmetric keys to encrypt the ex-changed data and accelerate the cryptographic operations. A symmetric key can be established between any two nodes in the network in a secure manner. Our solution is dynamic for it allows nodes to join the network after the network creation and in case of a link failure nodes can establish keys dynamically.

We are aware of the consequences that the encryption operations have on the net-work performance in terms of delay, memory usage and processing. In order to evaluate our proposition, we implemented the different security algorithms on TelosB motes and evaluated the time and energy consumption for the main phases: join phase and neigh-bour discovery phase. We showed how the network size does not affect the number of cryptographic operations needed for authenticated join process and authenticated neighbour discovery process.

Even though the computation time (and the energy consumed) can vary slightly according to the manner the code is implemented, this kind of optimal values shows that security in WSN remains a heavy option in terms of time and energy.

1.5. CONCLUSION 21 19 19.2 19.4 19.6 19.8 20 0 2 4 6 8 10 12 14 16 18 20 Time in sec

Number of intermediate nodes

(a) Join process process.

13 13.2 13.4 13.6 13.8 0 2 4 6 8 10 12 14 16 18 20 Time in sec

Number of intermediate nodes

(b) Neighbour discovery process.

Figure 1.9: The effect of the network size in terms of number of hops on the time consumption of the join process and the neighbour discovery process.

It should be noted that additional cost should be considered, compared to an un-secured network, for application traffic exchange, but this is out of the scope of this paper. It is clear that the cost of cryptographic operations remains today very expen-sive on low capacity nodes such wireless sensor nodes. Nevertheless, if the application traffic is low, cryptographic can be tolerated.

In our future work, we will evaluate the cost of key revocation and key updates. Public keys should be updated periodically in order to protect the system. This update generates message exchanges between nodes and symmetric key updates. We based our test-bed measurements on ECC operations from the TinyECC library, we will consider more optimized algorithms based on PBC and the use of more recent libraries such as RELIC [48].

Bibliography

[1] “Standards for efficient cryptography, sec 1: Elliptic curve cryptography,” Certi-com Research, Tech. Rep., September 2000.

[2] W. Diffie and M. Hellman, “New directions in cryptography,”IEEE Transactions on Information Theory, vol. 22, p. 644–654, 1976.

[3] T. Kavitha1 and D. Sridharan, “Security vulnerabilities in wireless sensor net-works: A survey,”Journal of Information Assurance and Security, vol. 5, pp. 31–34, 2010.

[4] Y. Wang, G. Attebury, and B. Ramamurthy, “Security vulnerabilities in wireless sensor networks: A survey,”CSE Journal Articles, vol. 5, 2006.

[5] M. Al and K. Yoshigoe, “Security and attacks in wireless sensor networks,” in

Network Security, Administration and Management: Advancing Technology and Practice, 2011, pp. 183–216.

[6] D. G. Padmavathi and M. D. Shanmugapriya, “A survey of attacks, security mech-anisms and challenges in wireless sensor networks,” inInternational Journal of Computer Science and Information Security, vol. 4, 2009.

[7] W. Stallings, Cryptography and Network Security: Principles and Practice. Prentice Hall, 2006.

[8] A. S. K. Pathan and C. S. Hong, “Security attacks and challenges in wireless sensor networks,” inEncyclopedia on ad hoc and ubiquitous computing: theory and design of wireless ad hoc, sensor, and mesh networks, vol. 16, 2009.

[9] A. Uluagac, R. Lee, and J. Copeland, “Designing secure protocols for wireless sensor networks,” inWireless Algorithms, Systems, and Applications, vol. 5258, 2008.

[10] A. Wander, N. Gura, H. Eberle, V. Gupta, and S. Shantz, “Energy analysis of public-key cryptography for wireless sensor networks,” inInternational Confer-ence on Pervasive Computing and Communication, 2005.

[11] H. Seo, S. Kim and R. Ramakrishna, “A new security protocol based on elliptic curve cryptosystems for securing wireless sensor networks,” inEUC Workshops, 2006.

[12] P. Hong, “Feasibility of pkc in resource-constrained wireless sensor networks,” in

ICCIT, December 2008.

[13] K.-A. Shim, Y.-R. Lee, and C.-M. Park, “An efficient identity-based broadcast authentication scheme in wireless sensor networks,”Ad Hoc Networks, 2012. [14] A. K. Das, P. Sharma, S. Chatterjee, and J. K. Sing, “A dynamic password-based

user authentication scheme for hierarchical wireless sensor networks,”Journal of Network and Computer Applications, vol. 35, pp. 1646–1656, Sep. 2012. [15] Y. Liu, J. Li, and M. Guizani, “PKC based broadcast authentication using

signa-ture amortization for WSNs,” IEEE Transactions on Wireless Communications, vol. 11, pp. 2106–2115, Jun. 2012.

[16] C. Jiang, B. Li, and H. Xu, “An efficient scheme for user authentication in wire-less sensor networks,” in21st International Conference on Advanced Information Networking and Applications Workshop, vol. 1, May 2007, pp. 438–442. [17] L. Batina, N. Mentens, K. Sakiyama, B. Preneel, and I. Verbauwhede, “Low-cost

elliptic curve cryptography for wireless sensor networks,” inSecurity and Privacy in Ad-Hoc and Sensor Networks, 2006, vol. 4357, pp. 6–17.

[18] K. Piotrowski, P. Langendoerfer, and S. Peter, “How public key cryptography in-fluences wireless sensor node lifetime,” inProceedings of the fourth ACM work-shop on Security of ad hoc and sensor networks, 2006, p. 169–176.

[19] N. Gura, A. Patel, A. W, H. Eberle, and S. C. Shantz, “Comparing elliptic curve cryptography and RSA on 8-bit CPUs,” 2004, p. 119–132.

[20] R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,”Communications of the ACM, vol. 21, pp. 120– 126, 1978.

[21] S.-M. Yen and L. C.-S., “Improved digital signature algorithm,”IEEE Transac-tions on Computers, vol. 44, pp. 729–730, 1995.

[22] J. Lopez and R. Dahab, “An overview of elliptic curve crytography,” University of Campinas, Tech. Rep., May 2000.

[23] G. Meulenaer, F. Gosset, F. Standaert, and O. Pereira, “On the energy cost of com-munication and cryptography in wireless sensor networks,” inIEEE International Conference on Wireless and Mobile Computing, 2008.

[24] A. Perrig, R. Szewczyk, J. Tygar, V. Wen, and D. Culler, “SPINS: Security proto-cols for sensor networks,”Wireless Networks, 2002.

[25] A. Perrig, R. Canetti, J. Tygar, and D. Song, “Efficient authentication and signing of multicast streams over lossy channels,” inIEEE Symposium on Security and Privacy, April 2000.

BIBLIOGRAPHY 25 [26] K. Jones, A. Wadaa, S. Oladu, L. Wilson, and M. Eltoweissy, “Towards a new paradigm for securing wireless sensor networks,” in New Security Paradigms Workshop, 2003.

[27] F. Zhang, R. Dojen, and T. Coffey, “Comparative performance and energy con-sumption analysis of different AES implementations on a wireless sensor network node,”International Journal of Sensor Networks, vol. 10, pp. 192–201, Jan. 2012. [28] A. Shamir, “Identity-based cryptosystems and signature schemes,” inFourth

An-nual International Cryptology Conference, 1984, pp. 47–53.

[29] L. Oliveira, D. Aranha, P. Gouvea, M. Scott, D. Camara, J. Lopez, and R. Dahab, “Tinypbc: Pairings for authenticated identity-based non-interactive key distribu-tion in sensor networks,”Computer Communications, vol. 34, pp. 485–493, 2011. [30] P. Szczechowiak, A. Kargl, M. Scott, and M. Collier, “On the application of pair-ing based cryptography to wireless sensor networks,” inACM conference on Wire-less network security, 2009, pp. 1–12.

[31] E. Munivel and G. Ajit, “Efficient public key infrastructure implementation in wireless sensor networks,” inInternational Conference on Wireless Communica-tion and Sensor Computing, 2010, pp. 1–6.

[32] A. Wander, N. Gura, H. Eberle, V. Gupta, and S. Shantz, “Energy analysis of public-key cryptography for wireless sensor networks,” inInternational Confer-ence on Pervasive Computing and Communication, 2005.

[33] Zigbee, “Zigbee Specification,” ZigBee Standards Organization, Zigbee Standard 053474r17, January 2008.

[34] P. Zand, C. Chatterjea, K. Das, and P. Havinga, “Wireless industrial monitoring and control networks: The journey so far and the road ahead,”Computer Com-munications, vol. 1, pp. 123–152, 2012.

[35] International Society of Automation Std., “ISA100.11a: 2009 wireless systems for industrial automation: Process control and related applications,” Draft stan-dard, in preparation, 2009.

[36] HART Communication Foundation Std., “HART field communication protocol specifications,” Tech. Rep., 2008.

[37] Zigbee, “Zigbee zigbee smart energy Specification,” ZigBee Standards Organiza-tion, Zigbee Standard 075356r15, December 2008.

[38] K. Akkaya and M. Younis, “A survey on routing protocols for wireless sensor networks,”Ad hoc networks, vol. 3, pp. 325–349, 2005.

[39] J. Ibriq and I. Mahgoub, “Cluster-based routing in wireless sensor networks: is-sues and challenges,” inSPECTS, 2004.

[40] IEEE 802.15, “Part 15.4: Wireless medium access control (MAC) and phys-ical layer (PHY) specifications for low-rate wireless personal area networks (WPANs),” ANSI/IEEE, Standard 802.15.4 R2006, 2006.

[41] G. Chalhoub, A. Guitton, and M. Misson, “MAC specifications for a WPAN al-lowing both energy saving and guaranted delay - Part A: MaCARI: a synchro-nized tree-based mac protocol,” inIFIP WSAN, 2008.

[42] “Recommendation for block cipher modes of operation, methods and techniques,” U.S. DoC/NIST, Tech. Rep., December 2001.

[43] D. Gay, P. Levis, R. von Behren, M. Welsh, E. Brewer, and D. Culler, “The nesc language: A holistic approach to networked embedded systems,” inProgramming Language Design and Implementation (PLDI), June 2003.

[44] Crossbow, “TelosB datasheet,” document Part Number: 6020-0094-01 Rev B. [45] A. Liu and N. Ning, “Tinyecc: A configurable library for elliptic curve

cryptogra-phy in wireless sensor networks,” in7th International Conference on Information Processing in Sensor Networks, April 2008, pp. 245–256.

[46] N. Fourty, A. van den Bossche, and T. Val, “An advancedstudy of energycon-sumption in an ieee 802.15.4 based network: Everything but the truth on 802.15.4 node lifetime,”Computer Communications, vol. 35, pp. 1759–1767, 2012. [47] I. Mansour and G. Chalhoub, “Evaluation of different cryptographic algorithms

on wireless sensor network nodes,” inInternational Conference on Wireless Com-munications in Unusual and Confined Areas, 2012.

[48] D. Aranha and C. Gouv, “RELIC is an efficient library for cryptography,” http://code.google.com/p/relic-toolkit/.