ARTICLE IN PRESS
JID: SIMPAT
[m3Gsc;February 19, 2016;16:36]
Simulation Modelling Practice and Theory 000 (2016) 1–13
Contents lists available at ScienceDirect
Simulation Modelling Practice and Theory journal homepage: www.elsevier.com/locate/simpat
Physiological-signal-based key negotiation protocols for body sensor networks: A survey
Huawei Zhao a,∗, Ruzhi Xu a, Minglei Shu b, Jiankun Hu c
a Department of Internet Finance, Qilu University of Technology, Sangyuan road 58, Lichen district, Jinan, China
b Shandong Province Key Laboratory of Computer Network, Shandong Computer Science Center, keyuan road 19, Lixia district, Jinan China
c School of Engineering and Information Technology, UNSW@ADFA, Northcott Drive, Canberra 2600, Australia
Article info
Article history: Available online xxx
Keywords: Body sensor network; Key negotiation protocols; Physiological signals; Fuzzy commitment; Fuzzy vault

Abstract
A body sensor network (BSN) is a type of network for Internet of Things. A BSN typically consists of tens (dozens) of biosensor nodes distributed on/in the human body, and these autonomous nodes can form a wireless network to measure physiological signals and execute intelligent treatment automatically. BSNs have wide application prospects in intelligent healthcare. Because physiological signals measured and processed by BSNs involve patient privacy, security mechanisms must be developed to secure BSNs, and therefore the adoption of available key negotiation protocols is fundamental. Due to stringently limited operation resources, BSNs require these protocols to be highly energy efficient. Recent development has discovered that certain physiological signals can be used for efficiently negotiating common keys among biosensor nodes. These signals and fuzzy technology are used to design lightweight key negotiation protocols, and many solutions have been proposed. In this paper, we explore and classify these solutions, and evaluate their performance by analyzing their merits and drawbacks. Finally, we present open research issues that should be solved in the future. © 2016 Elsevier B.V. All rights reserved.
∗ Corresponding author. Tel.: +8653188631090.
http://dx.doi.org/10.1016/j.simpat.2015.12.003
S1569-190X(15)00174-4/© 2016 Elsevier B.V. All rights reserved.
Please cite this article as: H. Zhao et al., Physiological-signal-based key negotiation protocols for body sensor networks: A survey, Simulation Modelling Practice and Theory (2016), http://dx.doi.org/10.1016/j.simpat.2015.12.003

1. Introduction

With the recent technological development of sensors, a special type of small sensor, called a biosensor, has emerged. Biosensors are generally small enough to be deployed on or in the human body to measure physiological signals. Once integrated with wireless network chips, biosensors become biosensor nodes that can automatically form a special kind of wireless sensor network (WSN), referred to as a body sensor network (BSN) [1]. Typically, a BSN comprises tens of distributed biosensor nodes. These nodes can measure physiological signals of the human body and, through their interaction, execute intelligent treatment automatically. BSNs are therefore a special kind of Internet of Things [2,3] and have the typical features of autonomous decentralized systems [4].

Fig. 1 shows the schematic structure of a BSN. As shown in Fig. 1, biosensor nodes can be divided into two categories: wearable nodes and implanted nodes. The former are deployed on the surface of the human body, and the latter are deployed inside the human body. Wearable nodes can be used as cluster nodes since they are generally larger than implanted nodes and have more operation resources in terms of energy, computational capability, storage and so on. A wearable node can therefore form a cluster consisting of implanted nodes and other wearable nodes, and collect data from its cluster members. Generally, a wearable node or an implanted node has a transmission unit, a storage unit, a power unit, a processing unit and a sensor model with at least one biosensor. The transmission unit is used to receive and transmit data, the storage unit is used to store the operating system and collected medical data, the processing unit is used to execute computation, and the sensor model integrates one or more biosensors to measure physiological signals from the human body. However, for the comfort of the users, biosensor nodes must be small, which means that they have stringently limited operation resources such as power, processing capability and storage.

Fig. 1. The schematic structure of a BSN.

Because BSNs can measure, analyze, process and transmit physiological signals in real time, their applications are quite numerous in the fields of medicine and health. For example, in the field of intelligent treatment, an implantable insulin injector can realize accurate injection by accepting and analyzing physiological signals from neighboring biosensor nodes; in the field of intelligent physical training, a BSN can measure motion attitudes in real time and analyze the relationship between motion and physiological signals. So, we believe that BSNs could greatly improve the medical and health conditions of human beings in the future and have broad application prospects in the field of medicine and health.

Since the signals processed by BSNs involve individual privacy, the absence of security protections will easily leak individual privacy and, in the worst case, threaten a user's life. For example, if an injector receives false physiological signals from a malicious biosensor node, it may inject excess insulin into a patient's body, which inevitably threatens his/her life. Thus, security protection is an integral factor in popularizing BSNs. The security protections in BSNs concern security services such as confidentiality, integrity, and authentication [5].
All of these services have a common precondition: an efficient key negotiation protocol. Many previous efforts have been made on key negotiation protocols for WSNs; however, these protocols are not suitable for BSNs because of the following differences between WSNs and BSNs.

The scale of key negotiation: A WSN has hundreds or thousands of sensor nodes, and it generally uses key pools or key chains to negotiate common keys among nodes. Limited by the size of the body, a BSN comprises only tens of biosensor nodes, so key pools and key chains are not suitable for BSNs.

Different categories of measured data: Generally, WSNs are used to measure open information about the surrounding environment such as humidity, temperature, carbon dioxide and so on. Even if some of these ambient measurements have high entropy, they cannot be used to negotiate common keys because they are public. In contrast, some kinds of physiological signals measured by BSNs not only have high entropy but also can hardly be measured by the adversary. So some kinds of signals measured by BSNs are good materials for negotiating common keys.

The security of keys: In WSNs, there are two reasons why the adversary can easily compromise secret keys in sensor nodes: one is that in most applications WSNs are deployed in open environments, which lets the adversary capture sensor nodes easily; the other is that sensor nodes in WSNs rarely have sufficient physical protection mechanisms, for reasons of cost. So a core problem that must be solved in WSNs is how to decrease the influence of compromised keys in the key negotiation process. In BSNs, by contrast, biosensor nodes are deployed on or in the human body, so the adversary hardly has a chance to capture these nodes and compromise the secret keys in them. So generally the problem of key compromise can be ruled out in BSNs.
The difference in energy: Compared with sensor nodes in WSNs, biosensor nodes in BSNs are smaller and have less energy. To ensure long-term operation, key negotiation protocols for BSNs must be lightweight and consume less energy than those for WSNs.

Due to the aforementioned differences, it can be concluded that existing key negotiation protocols for WSNs are not suitable for BSNs. For exactly this reason, much recent research has taken the inherent features of BSNs into consideration and proposed special key negotiation protocols for BSNs. Furthermore, based on this research, some surveys have been developed to classify these key negotiation protocols: the research in [6] presents a simple classification of key negotiation protocols according to the different methods used to eliminate the noise in physiological signals. However, it does not give a deep analysis of these schemes. The survey in [7] focuses on the quality of keys generated from physiological signals, and is not devoted to the concrete protocols of key negotiation. This paper is an extension of the survey given in [8], which divides the key management methods for BSNs into two categories, the fuzzy commitment family and the fuzzy vault family, and explores the merits and drawbacks of related protocols. However, that classification only focuses on how to use fuzzy technologies to remove the noise of physiological signals, and does not cover other representative protocols that do not use fuzzy technologies. So these surveys are not comprehensive and their classifications are one-sided.

Because some physiological signals have good characteristics for negotiating common keys, and the use of these signals can effectively reduce the energy consumption during key negotiation, research on physiological-signal-based key negotiation protocols for BSNs has recently taken a dominant place, and a detailed survey of these protocols is necessary. Thus, in this paper we explore the key negotiation protocols of this kind that have been published in recent literature, and give detailed analyses. Our intention is to give in-depth analyses of this kind of research in BSNs and identify some open research issues that should be further solved.
In contrast to [8], our new work includes: presenting a detailed explanation of why key management protocols for WSNs are not suitable for BSNs; analyzing the challenges in designing physiological-signal-based key negotiation protocols for BSNs; and giving a more precise classification of this kind of protocol, adding analyses of some new representative protocols.

The rest of this paper is organized as follows. In Section 2, we discuss challenges in designing physiological-signal-based key negotiation protocols for BSNs. In Section 3, a classification of this kind of protocol is presented, and then a survey of the family with pre-distributed secrets and a survey of the family without pre-distributed secrets are given respectively. A summary of representative protocols, including their features and performance, is given in Section 4. In Section 5, future research directions for this kind of protocol are discussed. Finally, we give a conclusion in Section 6.

2. Challenges in key negotiation protocols for BSNs

BSNs need low-energy and lightweight key negotiation protocols to provide security protection. However, due to the unique features of BSNs, using physiological signals to design low-energy and lightweight key negotiation protocols is influenced by some challenging factors. In the following, we give a detailed analysis of these factors.

Low-energy design: Energy in biosensor nodes is stringently limited, and this is more prominent for implanted biosensor nodes deployed in the human body. Generally, implanted nodes need to work for a long time, and it is not easy to replace their batteries. To prolong their lifetime, key negotiation protocols for BSNs must be low-energy protocols.

Mutual interference between BSNs: When two users are close enough, the BSNs on the two users may interfere with each other.
For example, suppose that two BSNs A and B are deployed on two users respectively, and both of them use the same kind of physiological signal to negotiate their common keys. When the two users come into close contact, a biosensor node BN1 in A and a biosensor node BN2 in B may mistake each other for being on the same user's body, which may cause them to negotiate a common key and in all probability lead to serious medical malpractice.

Synchronous measurement of high-entropy physiological signals: When two biosensor nodes on the same body want to use a kind of physiological signal to negotiate common keys, two preconditions must first be satisfied: one is that the entropy of the signals they measure must be high enough to resist adversaries' attacks; the other is that the physiological signals measured by the two biosensor nodes must be similar enough. However, the two preconditions conflict with each other: high entropy means high randomness and variability, which makes it difficult for biosensor nodes to measure sufficiently similar values at different sites. So how to measure high-entropy physiological signals synchronously among biosensor nodes is a core problem to be solved.

Identifying high-entropy physiological signals: Currently, there is a debate in the literature about which physiological signals are high-entropy. For example, Ref. [9] states that blood glucose, blood pressure, temperature, hemoglobin, and blood flow are high-entropy, and they can be candidate physiological signals. However, the entropy of heart rate is low. Ref. [10] argues, based on a Chi-square test and an entropy measurement test, that the time information of heart rate is a good candidate signal. From this contradiction, it can be seen that identifying high-entropy physiological signals is still developing research.
Security of physiological signals: In most related research, the protocols that use physiological signals to negotiate common keys are based on a general consensus that the adversary can hardly get close enough to a user wearing a BSN to measure physiological signals and launch an attack. However, Ref. [10] has pointed out that a developing technology, UWB (Ultra Wideband Radar), can remotely capture heart rate information, and in addition, remote capture of body temperature is already well known. Technologies for remotely capturing physiological signals are gradually threatening the physiological-signal-based key negotiation protocols in the related literature. So new research must be developed to resist this kind of security threat.

Efficient generation of keys: When using physiological signals to negotiate common keys, the first step is to measure enough physiological signals to generate binary sequences as key material. If a measurement of physiological signals takes a long time, it will obstruct a BSN from processing and transmitting valuable medical or health data in time. So a practical BSN should realize efficient generation of keys.
3. Physiological-signal-based key negotiation protocols for BSNs

Different from traditional key negotiation protocols for WSNs, the core idea of physiological-signal-based key negotiation protocols for BSNs is as follows: two or more biosensor nodes each measure the same kind of physiological signal, and then, with the help of special technologies, these nodes remove the noise from the measured signals to get a common key. In contrast to key negotiation protocols in WSNs, which need more than one interactive step to get common keys, protocols of this kind for BSNs are usually non-interactive: after a single communication step, two or more biosensor nodes can obtain a common key at the cost of a few calculations. Accordingly, these protocols have two main advantages: (1) Since transmission is the most energy-intensive operation in WSNs and BSNs, physiological-signal-based protocols can greatly decrease energy consumption because they simplify transmission. (2) Compared with key negotiation technologies such as key pools and key chains, which require large space to store pre-distributed keys, using physiological signals to negotiate common keys requires little or no key storage space, which is a good match for small biosensor nodes.

As discussed above, the core problem of common key negotiation between biosensor nodes in BSNs is how to remove the noise from physiological signals measured by various biosensor nodes; solving it is the foundation of two biosensors sharing a key. Many methods have been proposed to solve the problem, and according to the state of the art, these methods can be mainly divided into two categories: the family with pre-distributed secrets and the family without pre-distributed secrets.
In the former family, biosensor nodes require physiological signals and some kinds of pre-deployed secrets such as confidential error-correcting codewords and/or secret keys to negotiate common keys; in the latter family, biosensor nodes negotiate common keys only using some kind of physiological signals. In the following two subsections, we present a detailed overview of the representative physiological-signal-based key negotiation protocols.
3.1. Family with pre-distributed secrets

For the protocols that fall into this family, biosensor nodes need some kind of high-entropy physiological signals plus extra secrets to negotiate common keys. In the following, we survey the main research results that fall into this category.
3.1.1. Protocols with pure fuzzy commitment

Fuzzy commitment [11] is the first mainstream technology used in physiological-signal-based key negotiation protocols in BSNs. In this technology, if a party A wants to send a secret s to a second party B, it uses a secret value x to generate a commitment of s, Com = h(s)||f(x, s), where h(·) is a public hash function, f(·) is a public commitment function and || means the concatenation operation. Next, A sends Com to B. If B has a secret value x′ similar enough to x, it can open f(x, s) to get a value s′ using an error-correcting code. Then B uses h(s′) and h(s) to verify whether s is equal to s′. If h(s′) = h(s), it means that B has obtained s from A in a secure way.

Using fuzzy commitment technology, the first physiological-signal-based key negotiation protocol for BSNs originated from [12]. In the protocol, biosensor nodes A and B are pre-distributed with an error-correcting code C, and agree in advance on a kind of high-entropy physiological signal. Both of them then measure this kind of signal and encode the signals into binary values x and x′ respectively. Next, A selects a codeword c from C, and uses x and c to generate a commitment: Com = f(x, c) = (h(c), x⊕c), where ⊕ means the XOR operation. Finally, A sends Com to B in a public way. On receiving Com, B calculates x′⊕x⊕c to get e⊕c, where e is the bit difference between x and x′. If e is small enough, B can obtain c by decoding with C, and uses h(c) to verify the soundness of c.

The protocol implies a premise: the error-correcting code and its codewords are confidential to the adversary. Ref. [13] has pointed out that if an error-correcting code C is known to all, then when a biosensor node A wants to negotiate a common key with another node B, although the adversary does not directly know which codeword c∗ is selected by A from C, he can search each codeword in C and find c∗ by comparing the hash value of c∗ with the hash value of each codeword.
And knowing c∗ is equivalent to knowing the secret common key. Therefore, we regard C and its codewords as pre-distributed shared secrets in biosensor nodes, and classify protocols using fuzzy commitment technology into the family with pre-distributed secrets.

In addition, the protocol assumes that biosensor nodes can measure physiological signals in an approximately synchronous way, and that the differences between measured signals are small enough to be corrected by the appointed error-correcting code. Under this assumption, two biosensor nodes can negotiate a common key in a non-interactive way, which greatly reduces the transmission energy of biosensor nodes and prolongs the lifetime of BSNs. However, the protocol leaves the following practical problems unsolved:

(1) The assumption is not a trivial goal that BSNs can easily reach; in other words, physiological signals used as key materials are high-entropy signals and vary greatly in a very short period, so it is difficult to measure them synchronously at different points.
(2) The common keys shared by biosensor nodes can only be drawn from an appointed error-correcting code, which causes the key space to be small and vulnerable to the adversary.
(3) The protocol is not suitable for key negotiation among more than two nodes and does not take the mutual interference of BSNs into consideration.

Subsequently, much research has been developed to address these problems. In the following, we give the core ideas of this research and summarize its characteristics.
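The commitment Com = (h(c), x⊕c) and the observation from Ref. [13], as an added Python example that is not code from [12], [13] or this survey. It assumes a block-wise Hamming(7,4) code as C, SHA-256 as h(·), and constructed bit strings in place of measured signals.

```python
import hashlib
from itertools import product

BLOCKS = 3  # constructed size: 3 Hamming(7,4) blocks = 21-bit x, 2**12 codewords


def hamming_encode(d):
    """Encode 4 data bits as a 7-bit Hamming codeword (p1 p2 d1 p3 d2 d3 d4)."""
    d1, d2, d3, d4 = d
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]


def hamming_decode(r):
    """Return the codeword nearest to r; corrects at most one flipped bit."""
    r = list(r)
    s1 = r[0] ^ r[2] ^ r[4] ^ r[6]
    s2 = r[1] ^ r[2] ^ r[5] ^ r[6]
    s3 = r[3] ^ r[4] ^ r[5] ^ r[6]
    pos = s1 + 2 * s2 + 4 * s3  # 1-based index of the flipped bit, 0 if none
    if pos:
        r[pos - 1] ^= 1
    return r


def encode(data):
    """Map 4*BLOCKS data bits to a codeword c of the code C."""
    return [b for i in range(0, len(data), 4) for b in hamming_encode(data[i:i + 4])]


def decode(word):
    """Block-wise nearest-codeword decoding of a 7*BLOCKS-bit word."""
    return [b for i in range(0, len(word), 7) for b in hamming_decode(word[i:i + 7])]


def h(bits):
    """Public hash h(.) from the text, instantiated here with SHA-256."""
    return hashlib.sha256(bytes(bits)).hexdigest()


def xor(a, b):
    return [i ^ j for i, j in zip(a, b)]


def commit(x, c):
    """Sender A: Com = (h(c), x XOR c)."""
    return h(c), xor(x, c)


def open_commitment(com, x_prime):
    """Receiver B: x' XOR (x XOR c) = e XOR c, decode, then check against h(c)."""
    tag, masked = com
    candidate = decode(xor(x_prime, masked))
    return candidate if h(candidate) == tag else None


def search_public_code(tag):
    """Ref. [13]'s point: if C is public, h(c) alone identifies c by enumeration,
    which is why the survey treats C and its codewords as pre-distributed secrets."""
    for tries, data in enumerate(product((0, 1), repeat=4 * BLOCKS), start=1):
        c = encode(list(data))
        if h(c) == tag:
            return c, tries
    return None, 2 ** (4 * BLOCKS)


def flip(bits, positions):
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]


# Constructed sample values, not real physiological measurements.
X_A = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1]
C_WORD = encode([1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1])
X_B_NEAR = flip(X_A, {2, 9, 20})  # one differing bit per block: correctable
X_B_FAR = flip(X_A, {0, 1})       # two differing bits in one block: not correctable

if __name__ == "__main__":
    com = commit(X_A, C_WORD)
    print("B, close measurement  :", open_commitment(com, X_B_NEAR) == C_WORD)
    print("B, distant measurement:", open_commitment(com, X_B_FAR))
    found, tries = search_public_code(com[0])
    print("c recovered from h(c) alone:", found == C_WORD, "after", tries, "hashes")
```

The second measurement fails because two errors in one block exceed what the code corrects, which is the synchronization problem listed as (1) above; the enumeration bound 2**12 is the small key space listed as (2).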
Fig. 2. The time schedule.
3.1.2. Protocols with physiological certificate

Ref. [14] proposed a physiological-certificate-based method to negotiate common random keys. In this research, to secure the communication between two nodes, one node A sends to B a physiological certificate defined as Cert[data] = MAC(Randkey, Data)||λ, where Randkey is a random number generated by A and used to generate the Message Authentication Code (MAC) of Data, λ is the XOR of Randkey and PVKeyA, and PVKeyA is a binary value of an appointed physiological signal. Once B receives Cert[data], it first measures PVKeyB at its own side, and uses an error-correcting code as mentioned in [12] to reproduce Randkey and verify the soundness of Data.

Furthermore, the research states that the physiological signal used to negotiate Randkey must be a time-variant and unpredictable signal, which requires A and B to measure the signal at the same time. To satisfy this requirement, the research proposes a time-period-based method to let biosensor nodes measure physiological signals synchronously. In the method, BS is in charge of generating and broadcasting a time schedule consisting of time-periods (TPs). Each TP indicates a sender and one or more receivers, and has a measurement time (MT) and a solicitation time (ST), as shown in Fig. 2. In the first TP, node 2 is the sender and nodes 1, 6 are the receivers. In the second TP, node 5 acts as the sender and node 3 acts as a receiver. The last TP represents a broadcast, and ∗ means that all other nodes are receivers of node 8. After BS broadcasts the time schedule, biosensor nodes should measure the appointed physiological signal according to the TP they belong to. For instance, in the first TP nodes 2, 1, 6 should measure physiological signals at MT, and then node 2 sends its physiological certificate to nodes 1 and 6 at ST. The research argues that nodes in the same TP can ensure the measured signals are similar enough, which is superior to the research in [12].
However, the research does not address an important precondition: how to synchronize the clocks of biosensor nodes. To tackle this precondition, in Ref. [15] the same authors carry out further research on key negotiation with physiological certificates, and use eleven patients' ECG and PPG data from the MIT PhysioBank MIMIC database to contend that when using IPI to negotiate shared keys, loose synchronization of hundreds of milliseconds will be enough. In that research, measurement-sync messages are designed to realize the loose synchronization.

Since the security of Refs. [14,15] depends on the assumption that PVKeyA and PVKeyB cannot be measured by the adversary, Ref. [15] further gives some reasons to support the assumption. For example, Ref. [12] argues that the remote radar attack (such as an Ultra Wide-Band attack) cannot obtain the host's IPI signals effectively, because remote measurement can be interfered with by the environment, the movement of the host, and the density of the crowd. However, radar measurement is an active research area, and we are not sure whether the technology will be able to measure the host's physiological signals effectively in the near future.

In addition, the research in [14,15] has an essential difference from the research in [12]: when negotiating common keys using fuzzy commitment, the research in [12] requires that the common key be a codeword of an error-correcting code, while the research in [14,15] uses a random number as the common key (Randkey). The research in [14,15] does not give a soundness proof for this difference.

3.1.3. Protocols with multipoint key negotiation

Generally, many protocols based on fuzzy commitment have a common feature: a common key is produced at a single biosensor node and then distributed to other nodes. Ref. [16] calls these single-point fuzzy key negotiation protocols, and points out that they are not energy-efficient since unnecessary information bits are sent to negotiate common keys.
To further reduce transmission energy, the research in [16] proposes a multipoint fuzzy key negotiation protocol, presented below.

Before negotiating common keys, the multipoint fuzzy key negotiation protocol appoints an error-correcting code with n-bit codewords, so that any n-bit sequence can be regarded as an n-bit codeword plus some noise. Thus, when biosensor nodes in the same BSN want to negotiate a common key, they first measure the same kind of physiological signal, such as ECG (electrocardiography), at different sites synchronously, and then encode these signals into n-bit binary sequences, which can be considered as an n-bit codeword plus different noise. If this noise can be corrected by the appointed error-correcting code, the biosensor nodes can use the codeword to negotiate a common key. The process is shown in Fig. 3.

As shown in Fig. 3, the decoder of the appointed error-correcting code can decode an n-bit sequence u1 into the closest codeword km1 if the noise in the sequence is within the tolerance of the error-correcting code. Then, the codeword can be used to produce a session key. In Fig. 3, m(·) is a morphing function to hide km1, which is a modified version of the physiological signal and may leak the user's individual privacy; mindex is a public parameter with a length of 2 or 4 bits; E(·) is a check code function to check the soundness of the session key.
Fig. 3. The framework of multipoint key negotiation protocol.
The multipoint key negotiation protocol has two main advantages: one is that it can help more than two biosensor nodes negotiate a common key when the differences among measured signals are within the tolerance of the error-correcting code, which is why the protocol is called a multipoint key negotiation protocol; the other is that a biosensor node transmits not the modified version of the session key with more than 128 bits but mindex with 2 or 4 bits, which greatly reduces the transmission energy.

However, the multipoint key negotiation protocol leaves two problems unsolved. One problem is that the security of the protocol is partly dependent on the confidentiality of physiological signals, such as the confidentiality of ECG. As discussed in [10], a developing technology, UWB (ultra wideband), can remotely capture heart rate, which poses a threat to ECG and further threatens the security of the multipoint key negotiation protocol. The other problem is the high energy consumption of time synchronization: negotiating common keys with high-entropy physiological signals requires biosensor nodes to measure these signals synchronously, and to reach this goal the protocol needs an external channel to broadcast synchronization signals to all biosensor nodes frequently. Frequently transmitting and receiving broadcast synchronization signals consumes a great amount of energy.

3.1.4. Protocols with pre-distributed keys

The confidentiality of common keys in the protocols mentioned above depends on the confidentiality of the selected physiological signals, so these protocols cannot resist the UWB attack. To address the problem, Ref. [17] proposed a key negotiation protocol combining fuzzy commitment with pre-deployed keys. In this research, all biosensor nodes are preassigned two keys, called K1 and K2, to provide confidentiality and integrity services respectively.
K1 is used to encrypt cluster keys generated by cluster heads. K2 has two functions: one is to generate MAC results to provide the integrity service; the other is to produce common keys k = H(K2, d), where H(·) is the hash function and d is a binary value of the physiological signals shared by the two parties using fuzzy commitment. The advantage is two-fold: one is that even if the adversary captures d by a UWB attack, he does not know K2 and so cannot get k; the other is that since each BSN has distinct K1 and K2, two BSNs cannot interfere with each other when they come close to each other. However, the disadvantages of the research are obvious: if the adversary captures a biosensor node from a BSN, he may compromise K1 and K2, which will threaten the whole BSN; in addition, using pre-distributed keys loses the plug-and-play functionality, that is, each biosensor node has to be preprocessed (by implanting the two keys in it) before being added to a BSN.

Another contribution of the research in [17] is a weak time synchronization mechanism to reduce the energy consumption of negotiating common keys. The core idea of the weak time synchronization mechanism is reducing the communication energy at the cost of a little more computation. In other words, in the weak time synchronization mechanism, if the receiver cannot extract the common key from the original commitment sent by the sender, it means the difference between the physiological signals of the sender and the receiver is beyond the tolerance of the error-correcting code. The receiver will then search for a usable physiological signal within a time window to calculate the common key, rather than both of them restarting the whole negotiation process.

3.2. Family without pre-distributed secrets

For the protocols that fall into this family, biosensor nodes only need some kinds of physiological signals to negotiate common keys.
In the following, we survey the main research results that fall into this category.

3.2.1. Protocol with fuzzy vault

Fuzzy vault is a cryptographic primitive that uses a structure called a vault to hide a secret value S using a set A. S can be recovered if another set B is similar enough to set A. Fuzzy vault is the second representative technology used in physiological-signal-based key negotiation protocols for BSNs. Based on fuzzy vault, the research in [18] first proposed a protocol called PKA that uses photoplethysmogram (PPG) signals to negotiate a common key between two biosensor nodes. The protocol consists of 5 steps:
(1) Producing PPG vector. Under a certain time synchronization mechanism, the sender A and the receiver B measure PPG signals in a loosely synchronized manner, and both encode these signals into vectors Fs = <fs1, fs2, ..., fsa> and Fr = <fr1, fr2, ..., fra> respectively using a fast Fourier transform (FFT).
(2) Polynomial creation. The sender A creates a polynomial p of ath order with random coefficients, where the order a is a public parameter and the coefficients are encoded into a common key. For example, if the coefficients are ba, ba-1, …, b1, b0, the common key is K = ba || ba-1 || … || b1 || b0.
(3) Producing vault. A first computes a set of real points D = {(fsi, p(fsi))}, 1 ≤ i ≤ a, and then constructs a set of chaff points C = {(ci, di)}, 1 ≤ i ≤ N, where N is a value previously defined by A, and ci and di are random values with di ≠ p(ci). Next, A mixes the points in D and C to produce a vault R = D ∪ C.
(4) Vault transmission. A sends the vault R to B in an authenticated manner, namely, the integrity of R is protected by a keyed MAC function with K.
(5) Opening vault. Upon receiving the vault, B draws a point set Q from R, where the x-coordinates of the points in Q are elements of Fr. Next, B tries to reconstruct the polynomial p from the points in Q using Lagrange interpolation. If B can reconstruct a polynomial p’, it uses the coefficients of p’ to produce a key K’ as described in step (2). Finally, B uses K’ to check the validity of the MAC it received; a valid MAC means that A and B share the common key K (or K’).

The advantages of the research are:
(1) The protocol can negotiate a common key between two biosensor nodes without any pre-distributed secret.
(2) In protocols with fuzzy commitment, the physiological signals measured by the two parties must have the same order to negotiate a common key, while in protocols with fuzzy vault the two parties can negotiate a common key without considering the order of the physiological signals.

In [19], the same authors further proposed a protocol called PSKA based on PKA and validated PSKA using two common physiological signals, PPG and ECG. Their analysis shows that using FFT instead of IPI to extract features from physiological signals has the following advantages:
(1) Low latency. Using FFT, the best measurement duration for the required length is 12.8 s at 60 Hz for PPG and 4 s at 125 Hz for ECG. However, 30 s of data are required when using the IPI of PPG and ECG to negotiate common keys.
(2) Distinctiveness. FFT peaks are easy to measure, and these peaks are good candidates for distinguishing different subjects, which is useful for authenticating biosensor nodes and negotiating common keys in a BSN.

Later, similar work appeared in [20], where FFT is used to extract physiological features from 3 s of ECG sampled at 360 Hz. Based on these features, fuzzy vault is used to negotiate shared keys.

3.2.2. Protocol with fuzzy vault and encoded features

Ref. [21] pointed out that the research in [18,19] cannot increase the success probability of negotiating common keys, and proposed a protocol with an error-correcting code to address the problem. In the scheme, after the sender and the receiver respectively generate two sets B and B of real points that are the binary form of physiological signals, the sender uses a public pre-distributed error-correcting code (such as a Reed–Solomon or Golay code) to encode its real points in B and generate a new redundancy set U. Next, the sender produces a public random value set R and hides the set of real points by an XOR operation with R to produce a set D, and then uses D as the input of a polynomial to produce a point set G.
Finally, the sender generates a very large chaff set C of random points and sends G∪C∪Hash(key)∪U∪R to the receiver, where Hash(·) is a hash function and key is the encoded result of the polynomial’s coefficients, used as the intended common key. The receiver first decodes B and U using the pre-distributed error-correcting code to produce a new set B. Secondly, a set D is produced by performing XOR on B and R. Thirdly, the receiver draws a set G from D and G, where the elements in D are the horizontal coordinates in G, and uses the elements in G to reproduce the polynomial. Finally, Hash(key) is used to verify the validity of key. The research focuses on how to increase the tolerance to bit differences between the sender and the receiver when they negotiate a common key, and its analysis shows that the result is better than the results in [18,19]. However, it also leaves some problems unsolved:
(1) In the process of negotiating keys, the message sent from the sender to the receiver is much longer than in the original work in [18], which consumes much more transmission energy.
(2) Compared with the protocol with fuzzy commitment, the main advantage of the original protocol with fuzzy vault is that it does not consider the order of the real points, while in this research the real points must keep their order when they are transmitted because of the error-correcting code.
(3) In [18,19], fuzzy vault leaks some entropy of the real points, and the research in [21] does not fully solve the problem yet.

3.2.3. Protocol with fuzzy vault and encoded key materials

The research in [22] gives a deep analysis of PSKA and contends that using fuzzy vault to protect BSNs leaves many practical problems unsolved. For example:
(1) PSKA requires at least v+1 matched feature points between the sender and the receiver to reproduce a vth-order polynomial, which is not an easy goal to reach.
(2) In PSKA, some important parameters are inversely correlated.
For instance, when the length of the keying material K is fixed, the order v of the chosen polynomial and the average length c of each coefficient of the polynomial are inversely correlated, while for the sake of security both v and c are required to be large enough to resist brute-force attacks.

To address these problems, Ref. [22] proposed an improved protocol with the following process. The sender first produces key material and encodes it into RS (Reed–Solomon) codewords using an RS code. Next, these RS codewords are used as the
coefficients of the chosen polynomial p. Then the sender measures physiological signals and encodes them into a feature vector, which is used as the input of p to construct a vault. Once the receiver receives a vault from the sender, he uses a new reconstruction method called Lower-Order Twice Reconstruction (LOTR) to reproduce p. That is, first a small number of matched points are used to construct a lower-order polynomial. Secondly, the receiver estimates the remaining points of p according to the lower-order polynomial. Finally, the receiver recovers p using the matched points and the estimated points. After the LOTR process, the receiver can obtain the coefficients of p and then calculate the key material by applying the RS code to these coefficients. In the process, the function of RS is to confirm the length of the coefficients and to correct the errors of physiological signals and computational deviation, so the RS code is a public code shared between the sender and the receiver. In the LOTR stage, the receiver does not need as many matched points as the research in [18,19,20] needs to reconstruct p, which solves the first problem above. In addition, because RS codewords are used as the coefficients, the bit length of each coefficient in p is q, since the RS code is used over a q-ary field, which breaks the inverse correlation between the coefficient length and the order of p and solves the second problem to some extent. However, LOTR relies on a hypothesis: the difference between unmatched points must be small enough. The research does not give the theoretical and practical bases of this hypothesis.
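The PKA steps (2) to (5) of Section 3.2.1, together with the matching requirement criticised in Section 3.2.3 (at least v+1 common features for a vth-order polynomial), as an added Python example that is not code from the surveyed papers. The prime field GF(2^31 - 1), HMAC-SHA256 as the keyed MAC, the order v = 8 and the feature values are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

P = 2**31 - 1        # assumption: polynomial arithmetic in the prime field GF(P)
FEATURE_BITS = 13    # feature width from the survey's simulation settings

# Constructed sample features (not measured data): 12 FFT-derived values per node.
SENDER = [113, 842, 1507, 2290, 3011, 3675, 4402, 5120, 5893, 6604, 7318, 8001]
RECEIVER = [8010, 7300, 6610] + SENDER[8::-1]   # 9 shared values, different order
STRANGER = SENDER[:4] + [95, 1333, 2718, 3141, 4669, 5772, 6180, 7389]


def poly_eval(coeffs, x):
    """Horner evaluation mod P; coeffs[k] multiplies x**k."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def key_from(coeffs):
    """K = b_v || ... || b_1 || b_0, four bytes per coefficient."""
    return b"".join(c.to_bytes(4, "big") for c in reversed(coeffs))


def serialize(vault):
    return b"".join(x.to_bytes(2, "big") + y.to_bytes(4, "big") for x, y in vault)


def lock(features, order, n_chaff, rng=None):
    """Sender side, steps (2)-(4): returns (vault R, MAC tag, key K)."""
    rng = rng or secrets.SystemRandom()
    coeffs = [rng.randrange(P) for _ in range(order + 1)]
    real = [(f, poly_eval(coeffs, f)) for f in features]
    used = set(features)
    free_x = [x for x in range(2**FEATURE_BITS) if x not in used]
    chaff = []
    for c in rng.sample(free_x, n_chaff):
        d = rng.randrange(P)
        if d == poly_eval(coeffs, c):      # chaff must lie off the polynomial
            d = (d + 1) % P
        chaff.append((c, d))
    vault = real + chaff
    rng.shuffle(vault)                     # hide which points are real
    key = key_from(coeffs)
    tag = hmac.new(key, serialize(vault), hashlib.sha256).digest()
    return vault, tag, key


def interpolate(points):
    """Lagrange interpolation mod P, returning coefficients (lowest order first)."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                # multiply the basis polynomial by (x - xj)
                basis = [(a - xj * b) % P for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        for k, b in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * b) % P
    return coeffs


def unlock(vault, tag, features, order):
    """Receiver side, step (5): returns K, or None if the vault cannot be opened."""
    own = set(features)
    candidates = [pt for pt in vault if pt[0] in own]
    data = serialize(vault)
    # A receiver feature may coincide with a chaff x, so try subsets until the MAC verifies.
    for subset in combinations(candidates, order + 1):
        key = key_from(interpolate(subset))
        if hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag):
            return key
    return None


if __name__ == "__main__":
    vault, tag, key = lock(SENDER, order=8, n_chaff=1000)
    print("receiver agrees:", unlock(vault, tag, RECEIVER, 8) == key)
    print("stranger agrees:", unlock(vault, tag, STRANGER, 8) == key)
```

The receiver opens the vault although its features arrive in a different order, while a node sharing fewer than v+1 features gets nothing and has no way to retry short of a new vault.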
3.2.4. Fuzzy vault with a cubic spline curve

Ref. [23] combined fuzzy vault with a cubic spline curve to propose a key negotiation protocol for biosensor nodes in BSNs. In the protocol, the sender A encodes selected physiological signals as x-coordinates and uses random numbers protected by a cyclic redundancy check as y-coordinates, and the resulting pairs form the knots of the spline. Next, cubic spline interpolation is applied to these pairs to produce coefficients. Then these coefficients are multiplied by a proper zoom factor to generate a 64n bit key for n+1 knot points. Finally, similar to the protocol mentioned in Section 3.2.1, chaff points are produced to protect the knots, and the transmitted data is constructed as IDs, IDr, R, No, MAC(Key, R|No|IDs), where IDs and IDr are the identities of the sender and the receiver, R is the vault including the knots and the chaff points, No is the nonce, and MAC() is the authentication code. When the receiver B receives the vault from A, it first encodes its physiological signals as A does to get a point set P. Then B uses the nearest-neighbor method to pick a knot subset K from the vault, choosing the vault x-coordinates that are nearest to the points in P. Next, the CRC (cyclic redundancy check) code is used to check the y-coordinates in K, and if no error occurs, B uses K to generate the same coefficients as A does. Both A and B then share a secret key that is derived from the shared coefficients. The advantage of the research is that the length of the key produced by cubic spline interpolation increases 3 times compared with polynomial interpolation. However, the research does not give a good solution for removing the noise between A and B. That is, when B finds that an error occurred after receiving the vault from A, both of them have to restart the key negotiation process, which consumes a lot of energy.
3.2.5. Protocols with other technologies

The protocols mentioned above are all related to fuzzy vault technology. In the following, we present some other representative protocols in this category that do not rely on fuzzy vault.
3.2.5.1. A protocol with multiple commitments. Ref. [13] proposed a protocol that uses multiple commitments to negotiate common keys between biosensor nodes and a special node called the central device. The method is based on fuzzy commitment but regards error-correcting codes as public codes, so we classify the protocol into the family without pre-distributed secrets. The method contends that an open error-correcting code causes a serious security problem for key negotiation protocols based on fuzzy commitment. To address this security problem, Ref. [13] advances a protocol with multiple commitments under the condition that the error-correcting code is open. For instance, suppose that each physiological signal produces an 8-bit binary sequence; if we want to obtain a 128-bit key, the number of physiological signals is 128/8 = 16. We can then select 16 codewords, c1…c16, from an error-correcting code with 8-bit codewords, and each codeword is used to commit an 8-bit sequence of a physiological signal. Next, to address the above security problem, the protocol transmits MAC = h(c1||…||c16) from A to B after transmitting the 16 commitments ci⊕pvi, where 1 ≤ i ≤ 16, pvi is the binary form of a physiological signal, and h(·) is a hash function. Because the length of ci is 8 bits, the length of c1||…||c16 is 128 bits, so the adversary can hardly guess which codewords were selected by A. Finally, after B confirms the validity of the MAC, B can recover pv1||…||pv16, and then both A and B can obtain the common key K = H(pv1||…||pv16). Compared with the research in [12], the superiority of this research is two-fold: it enhances the security of the commitment even when the error-correcting code is open, and the protocol does not send h(c1), …, h(c16) separately but a single MAC = h(c1||…||c16), which saves transmission energy.
However, its disadvantage is obvious: when B finds that the received MAC is wrong, B does not know exactly which commitment has errors, so B has to ask A to restart the whole session to negotiate a new key, which executes many transmission steps between A and B and consumes a great deal of energy.
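The multiple-commitment exchange of Section 3.2.5.1, including the all-or-nothing failure just described, as an added Python example that is not code from Ref. [13]. The survey does not name the 8-bit code or the hash functions; the [8,4,4] extended Hamming code, SHA-256 for both h and H, and the sample readings are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the public 8-bit code is the [8,4,4] extended Hamming code
# (16 codewords, corrects one flipped bit per block). Rows of its generator matrix:
GENERATOR = (0x87, 0x4B, 0x2D, 0x1E)


def build_code():
    """Enumerate all 16 codewords as XOR combinations of the generator rows."""
    words = []
    for msg in range(16):
        word = 0
        for bit, row in enumerate(GENERATOR):
            if (msg >> bit) & 1:
                word ^= row
        words.append(word)
    return words


CODE = build_code()


def weight(x):
    return bin(x).count("1")


def decode(word):
    """Nearest-codeword decoding of one 8-bit block."""
    return min(CODE, key=lambda c: weight(c ^ word))


def derive_key(pv):
    """K = H(pv1 || ... || pv16), truncated to 128 bits (H = SHA-256 is an assumption)."""
    return hashlib.sha256(pv).digest()[:16]


def commit(pv_a):
    """Sender A: 16 commitments ci XOR pvi plus one MAC = h(c1 || ... || c16)."""
    codewords = bytes(secrets.choice(CODE) for _ in pv_a)
    commitments = bytes(c ^ p for c, p in zip(codewords, pv_a))
    return commitments, hashlib.sha256(codewords).digest()


def open_commitments(commitments, mac, pv_b):
    """Receiver B: returns K, or None when any block is beyond the code's tolerance."""
    codewords = bytes(decode(w ^ p) for w, p in zip(commitments, pv_b))
    if not hmac.compare_digest(hashlib.sha256(codewords).digest(), mac):
        return None   # the single MAC does not reveal which block failed
    pv_a = bytes(w ^ c for w, c in zip(commitments, codewords))
    return derive_key(pv_a)


def with_noise(pv, flips):
    """Return pv with the given bit masks XORed into the given blocks."""
    out = bytearray(pv)
    for block, mask in flips.items():
        out[block] ^= mask
    return bytes(out)


# Constructed sample readings (not measured data): 16 signals of 8 bits each.
PV_A = bytes.fromhex("5ac3197e2db4806f913c47e8a2d50b76")
PV_B = with_noise(PV_A, {2: 0x08, 7: 0x01, 11: 0x40})   # one flipped bit in three blocks
PV_FAR = with_noise(PV_B, {5: 0x16})                    # three flipped bits in block 5

if __name__ == "__main__":
    commitments, mac = commit(PV_A)
    print("B within tolerance:", open_commitments(commitments, mac, PV_B) == derive_key(PV_A))
    print("B beyond tolerance:", open_commitments(commitments, mac, PV_FAR))
```

A single block outside the code's tolerance makes the whole MAC check fail, which is why B can only ask for a full restart.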
3.2.5.2. A protocol with matrices comparison. Ref. [24] proposed a key negotiation protocol that uses matrices comparison to negotiate common keys between two biosensor nodes. When two biosensor nodes, A and B, want to negotiate a common key, they first each encode electrocardiogram (ECG) signals into 20 blocks of 64 bits using the FFT (fast Fourier transform) method. In other words, each node first produces a 20×64 matrix. As the two matrices are the material from which the common keys are produced, they cannot be exchanged in the open. Thus, before being exchanged, the matrices are hashed by an agreed hash function. After receiving the exchanged matrix, A denotes the local matrix and the received matrix as U and V. Then, by comparing U and V, A generates a 20×20 matrix W, where W(i,j) is the Hamming distance between the ith block of U and the jth block of V. Next, A searches all elements of W for zero elements; the indices of the zero elements indicate the blocks that are equal at A and B. For instance, if the zero elements include W(2,5), W(5,7), W(8,12), W(13,2), W(17,7), it means that the 2nd, 5th, 8th, 13th and 17th blocks in U are equal to the 5th, 7th, 12th, 2nd and 7th blocks in V respectively, and these blocks in U and V are the key materials. Finally, A and B can produce a common key using the key materials. The advantage of the research is that producing common keys is very simple and involves only hash operations, calculation of Hamming distances and comparison of values. The main disadvantage is that, in order to exchange hashed blocks securely, both A and B have to transmit and receive 20 hash values and their message authentication code (MAC) respectively, which consumes a large amount of energy.
Furthermore, the research points out that, as each block is only 64 bits long, an adversary with strong attack capability could recover the content of these blocks from their hash values by a brute-force attack. Therefore, the research proposed to hash blocks “2n” times to resist the brute-force attack; the blocks are more secure when n is higher. However, a higher n causes more hash operations, which consume more energy. To address the problem, Ref. [25] proposed a protocol with watermark technology. The protocol adds a watermark process to the protocol in [24]. That is, after the 64-bit blocks are hashed, a watermark process is performed on the hashed blocks to lock them. In the locking process, each party, A or B, first produces an iris (or fingerprint) matrix, then draws a seed from the matrix and feeds it into a random machine to generate some indices. Next, A or B draws some values from the matrix by an agreed rule and puts them into blocks according to the generated indices. For example, if the generated indices are {23,7,16,9}, the values drawn from the iris matrix are put into the 23rd, 7th, 16th and 9th blocks, respectively. After A and B finish the locking process, they exchange the locked matrices. When A receives the locked matrix from B, it can unlock the locked matrix because B could produce the same indices due to the constant nature of the iris. The research contends that the adversary can hardly obtain the iris or fingerprint information, and therefore can hardly launch a brute-force attack on the locked matrix. In addition, the research uses the DWT (discrete wavelet transform) method to extract features. The advantage of DWT over FFT in feature extraction is that its time complexity is O(n), while FFT’s time complexity is O(n log n).
However, the research has the following main shortcomings. One is that the protocol requires each biosensor node to be able to measure iris or fingerprints, which is not possible for every biosensor node, especially implanted nodes. Another is that the research uses iris and fingerprint to negotiate shared keys, while these two physiological features are not time variant and, what is more, their values are not as secure as imagined. For instance, the adversary can easily obtain a user’s fingerprint from the cup he uses. So the adversary can easily unlock the exchanged matrix by capturing iris or fingerprint information. To address the second problem, Ref. [26] proposed to use the Keyed-Hashing Message Authentication Code (HMAC-MD5) to protect the physiological information. That is, when 64-bit feature blocks are extracted from physiological signals, HMAC-MD5 rather than a hash function is used to hide the original features, and the HMAC-MD5 values are exchanged between biosensor nodes to negotiate a common key. However, the research does not address the synchronization problem of extracting physiological features, which makes the success probability of negotiating shared keys uncertain.

3.2.5.3. Protocols with Reed–Solomon decoding. Ref. [27] proposed a protocol that uses Reed–Solomon decoding to negotiate common keys. In the protocol, when two biosensor nodes A and B want to negotiate a common key, both first measure the same kind of physiological signals using a time synchronization mechanism and encode these signals into ordered point sets X:{(1,x1), (2,x2),…, (m,xm)} and Y:{(1,y1), (2,y2),…, (m,ym)} respectively. Next, the sender A produces s = 2(m-t)
Table 1. Family with pre-distributed secrets.

Ref. | Basic tech. | EC | Performance | Technology feature
[11] (2003) | FC | Conf. | Non-interactive key negotiation protocol | Using codewords as common keys
[12] (2010) | FC | Conf. | Non-interactive key negotiation protocol | Physiological certificate; measurement-sync messages
[13] (2006) | FC | Conf. | Non-interactive key negotiation protocol | Physiological certificate; a synchronization schedule
[14] (2008) | FC | Conf. | Negotiating common keys with less transferred messages | Only check-code is delivered
[15] (2013) | FC | Conf. | Negotiating a new common key without restarting a session | Weak time synchronization
Table 2. Family without pre-distributed secrets.

Ref. | Basic tech. | EC | Performance | Technology feature
[16] (2008) | FV | N/A | Using 12.8 s of PPG data with 60 Hz or 4 s of ECG data with 125 Hz to negotiate common keys | FFT, polynomial interpolation
[17] (2010), [18] (2009) | FV | N/A | Using 3 s of ECG data with 360 Hz to negotiate keys | FFT, polynomial interpolation
[19] (2010) | FC with EC | open | HTER can reach 0 in the best case | Using random value and XOR operation to secure physiological feature
[20] (2011) | FC with EC | N/A | Needs less matched feature points to negotiate common keys | Using LOTR to reconstruct polynomial
[21] (2012) | FC with a cubic spline curve | N/A | The common keys have long length | Cubic spline interpolation
[10] (2012) | FC | Open | Against passive and active attacks | Using multiple codewords to commit physiological sequence
[22] (2008) | Metrics comparison | N/A | Common keys have good randomness and temporal variance | Using metrics comparison to negotiate common keys
[23] (2010) | Metrics comparison | open | Less time complexity | Watermark; DWT
[24] (2013) | Metrics comparison | N/A | Robust protocol and less computation complexity | HMAC-MD5; DWT
[25] (2009) | Lagrange Interpolation | N/A | Protocol leak no entropy of common keys | Using Lagrange Interpolation to produce commitment
4. Summary of protocols

In this section we summarize the above protocols. First, in view of the two mainstream technologies, fuzzy commitment and fuzzy vault, we simulate and compare the transmission quantity of the related protocols, because transmission is the most energy-consuming operation in BSNs when negotiating session keys. Then we present the features and performance of the protocols mentioned in Section 3 in Tables 1 and 2.

4.1. Simulation of transmission quantity

To simulate the transmission quantity of protocols using fuzzy commitment and protocols using fuzzy vault, we first give the simulation environment and presettings. We use 5 bits to denote the IDs of biosensor nodes, since without loss of generality a BSN consists of a dozen biosensor nodes, and 17 bits to denote a synchronization time message, where the hour is represented with 5 bits and the minute and the second with 6 bits each. According to Ref. [18], in protocols using fuzzy vault each individual feature obtained from a single FFT measurement is 13 bits long, its polynomial projection is 23 bits long, and 1000 chaff points are usually used to hide the real points. In addition, we assume that the lengths of keys, message authentication codes, hash values, codewords of error-correcting codes and the nonce are all 128 bits. Under this environment, we compute the transmission quantity of protocols using fuzzy commitment and using fuzzy vault as follows.

First, we analyze the protocols using fuzzy commitment. In Ref. [12], the transmitted commitment is Com = h(s)||f(x, s); according to the simulation environment above, the transmission quantity is 256 bits. In Ref. [14], the length of Cert[data] = MAC(Randkey, Data)||λ is 256 bits. Suppose a TP includes two synchronization times and 4 IDs (one is
Fig. 4. Transmission quantity of protocols using fuzzy commitment.
Fig. 5. Transmission quantity of protocols using fuzzy vault.
the sender, the others are the receivers) on average, then the length of a TP is 2 × 17 + 4 × 5 = 54 bits. Without loss of generality, we suppose that in a key negotiation session BS broadcasts 5 TPs and uses a MAC value to protect the broadcast messages, so the transmission quantity is 256 + 54 × 5 + 128 = 654 bits. In Ref. [16], the transmitted commitment is Com = mindex||E(ksession, mindex), and the transmission quantity is 132 bits under the condition that mindex is represented with 4 bits. The transmitted messages of the scheme in Ref. [17] include a commitment, a synchronization message and its MAC value, and the total transmission quantity is 256 + 17 + 128 = 401 bits.

Next, we analyze the protocols using fuzzy vault. In Refs. [18] and [22], each real point in the protocol PKA is represented with 36 bits. In addition, a biosensor node generates about 30 real points and 1000 chaff points in a PKA iteration to negotiate a session key. So the transmission quantity is 36 × (30 + 1000) = 37080 bits. In Ref. [21], the transmitted messages are G∪C∪Hash(key)∪U∪R, where the length of G∪C is 36 × (30 + 1000) = 37080 bits, the length of Hash(key) is 128 bits, and the length of U∪R is (13 + 13) × 30 = 690 bits. So the transmission quantity is 37080 + 128 + 690 = 37898 bits. In Ref. [23], the transmitted messages are IDs, IDr, R, No, MAC(Key, R|No|IDs), where the vault R consists of 30 knots and 1000 chaff points. A knot is represented with a 13-bit x-coordinate and a 16-bit y-coordinate, and the length of a chaff point is equal to the length of a knot. Then the transmission quantity is 5 + 5 + 29 × (30 + 1000) + 128 × 2 = 30136 bits.

According to the analyses above, we show the simulated transmission quantity in Figs. 4 and 5. Because the physiological signals used to negotiate session keys are noisy, a few attempts at protocol execution may be needed to negotiate a session key successfully. For this reason, in Figs. 4 and 5 the x-axis shows the number of attempts and the y-axis shows the transmission quantity. Fig. 4 shows that, because Ref. [17] has a mechanism for re-negotiating session keys within a protocol execution, the protocol consumes the least transmission energy of all the protocols when the number of attempts exceeds 3. Comparing Fig. 5 with Fig. 4, it can be seen that, because a great many chaff points (1000 chaff points in Ref. [18]) are used to hide the real feature points in protocols using fuzzy vault, these protocols as a whole transmit many more messages than protocols using fuzzy commitment, which means the former consume much more transmission energy than the latter.
4.2. Summary of features and performances

Below we summarize the performance and technology features of the protocols in the family with pre-distributed secrets and the family without pre-distributed secrets in Tables 1 and 2; the advantages and disadvantages of these protocols are already analyzed in Section 3. In Tables 1 and 2, FC indicates fuzzy commitment, FV indicates fuzzy vault, EC indicates error-correcting code, PDS indicates pre-distributed secrets, and Conf. is the abbreviation of “confidential”. From these tables, it can be seen that in recent years much research has focused on negotiating common keys without pre-distributed secrets and tries to endow negotiation protocols with the plug-n-play feature. That is, new biosensor nodes can be deployed in a BSN without being pre-assigned secrets, which makes negotiation protocols more practical. Though some FC-based protocols, such as the research in [15], contend that they have no pre-distributed secret and have the plug-n-play feature, they are not real protocols without pre-distributed secrets, because they ignore the confidentiality of error-correcting codes. Because the error-correcting codes are confidential, sensor nodes have to be assigned an error-correcting code before being deployed in a BSN, which means FC-based protocols hardly have the plug-n-play feature.

5. Future directions

The final goals of physiological-signal-based key negotiation protocols are to be secure, lightweight and easy to use. Although significant efforts have been made so far to achieve these goals, many problems are still unsolved. In the following, we give some future directions for designing physiological-signal-based key negotiation protocols by presenting these unsolved problems.

New energy-consuming model: Up to now, most research still uses the energy-consuming model of WSNs [28] to evaluate the performance of physiological-signal-based key negotiation protocols for BSNs.
However, because the application scenarios differ, the energy model of WSNs is not applicable to BSNs. For instance, signals are harder to transmit through human tissue than through the air. So a new energy-consuming model of BSNs is needed to evaluate the performance of key negotiation protocols. Building the new energy-consuming model would answer at least two important questions: whether computation consumes much less energy than transmission, and whether multi-hop consumes much less energy than single-hop. These two questions, especially the first, have a significant influence on the design philosophy of physiological-signal-based key negotiation protocols.

Resisting UWB attack and retaining plug-n-play: With the development of the UWB attack, many physiological signals could be measured remotely, which poses a serious threat to physiological-signal-based key negotiation protocols. An effective solution to the threat is using a pre-secret. However, there is a conflict between pre-secret and plug-n-play: if each biosensor node is implanted with a pre-secret before being deployed in a BSN, the BSN loses the plug-n-play feature. Since plug-n-play is a practical and important feature for BSNs, resisting the UWB attack while retaining the plug-n-play feature should be the next step of work.

Avoiding restarting protocols: Because of physiological noise, two biosensor nodes can negotiate a common key successfully only with a certain probability. In most research, when key negotiation fails, the key negotiation protocol restarts, which consumes much energy. Thus, developing a method that can execute multiple computations of common keys within one protocol session is an important step toward lightweight protocols. In this field, Ref. [14] already made a preliminary exploration, as mentioned in Section 3.1.4.

6. Conclusions

BSNs have broad application prospects.
The security problems of BSNs have made physiological-signal-based key negotiation protocols a hot area of research in BSNs. In this paper, we have presented a detailed survey of the protocols published in the literature in recent years. These protocols all strive to achieve two main goals: security and light weight. In summary, the physiological-signal-based key negotiation protocols can be classified into two families: a family with pre-secret and a family without pre-secret. Protocols in the two families achieved good results in terms of security and light weight. However, some problems are still left unsolved. We present these problems and point out the future research directions of physiological-signal-based key negotiation protocols.

Acknowledgments

This work was supported in part by the following funds: Shandong Provincial Natural Science Foundation (ZR2015FM020); National Natural Science Foundation (71171122); Open Research Fund from Shandong Provincial Key Laboratory of Computer Network (SDKL-2013-05).

Supplementary materials

Supplementary material associated with this article can be found, in the online version, at doi:10.1016/j.simpat.2015.12.003.
References

[1] M. Quwaider, Y. Jararweh, Cloudlet-based efficient data collection in wireless body area networks, Simul. Model. Pract. Theory 50 (Jan. 2015) 57–71.
[2] H.D. Karatza, C. Mavromoustakis, Introduction to the special issue on simulation-based performance evaluation of infrastructures for the internet of things: connectivity and resource considerations in the mobility era, Simul. Model. Pract. Theory 34 (May 2013) 157–158.
[3] Y. Chen, H. Hu, Internet of intelligent things and robot as a service, Simul. Model. Pract. Theory 34 (2013) 159–171.
[4] T. Thanamitsomboon, H. Endo, X. Lu, K. Mori, Autonomous heterogeneous community technology for effective resource utilization, in: IEEE Proceedings of the 10th International Symposium on Autonomous Decentralized Systems, 2011, pp. 317–320.
[5] Y. Chen, W.T. Tsai, Service-Oriented Computing and Web Software Integration, 5th edition, Kendall Hunt Publishing, 2015.
[6] F. Miao, L. Jiang, Y.T. Zhang, A novel biometrics based security solution for body sensor networks, in: Proceedings of the 2nd International Conference on BioMedical Engineering and Informatics, Oct. 17–19, Tianjin, China, 2009.
[7] F. Miao, S.D. Bao, Y. Li, Physiological signal based biometrics for securing body sensor network, in: New Trends and Developments in Biometrics, Chapter 11, Intech, 2012, pp. 251–274.
[8] H.W. Zhao, R.Z. Xu, M.L. Shu, J.K. Hu, Physiological-signal-based key negotiation protocols for body sensor networks: a survey, in: Proceedings of the 12th International Symposium on Autonomous Decentralized Systems, Mar. 2015, pp. 63–70.
[9] S. Cherukuri, K.K. Venkatasubramanian, S.K.S. Gupta, BioSec: a biometric based approach for securing communication in wireless networks of biosensors implanted in the human body, in: Proceedings of the 32nd International Conference on Parallel Processing, 2003, pp. 432–439.
[10] C.C.Y. Poon, Y.T. Zhang, S.D. Bao, A novel biometrics method to secure wireless body area sensor networks for telemedicine and m-health, IEEE Commun. Mag. 44 (4) (Apr. 2006) 73–81.
[11] A. Juels, M. Wattenberg, A fuzzy commitment scheme, in: Proceedings of the 6th ACM Conference on Computer and Communications Security, 1999, pp. 28–36.
[12] S. Cherukuri, K.K. Venkatasubramanian, S.K.S. Gupta, Biosec: a biometric based approach for securing communication in wireless networks of biosensors implanted in the human body, in: Proceedings of the 32nd International Conference on Parallel Processing, Taiwan, 2003, pp. 432–439.
[13] K. Cho, D.H. Lee, Biometric based secure communications without pre-deployed key for biosensor implanted in body sensor networks, Lecture Notes in Comput. Sci. 7115 (2012) 203–218.
[14] K.K. Venkatasubramanian, S.K.S. Gupta, Security for pervasive health monitoring sensor applications, in: Proceedings of the Fourth International Conference on Intelligent Sensing and Information Processing, Bangalore, 2006, pp. 197–202.
[15] K.K. Venkatasubramanian, S.K.S. Gupta, Physiological value-based efficient usable security solutions for body sensor networks, ACM Trans. Sens. Netw. 6 (4) (2010) 1–36.
[16] F.M. Bui, D. Hatzinakos, Biometric methods for secure communications in body sensor networks: resource-efficient key management and signal-level data scrambling, EURASIP J. Adv. Signal Process. 2008 (2008) 1–16.
[17] Huawei Zhao, Jing Qin, Jiankun Hu, Energy efficient key management scheme for body sensor networks, IEEE Trans. Parallel Distrib. Syst. 24 (11) (2013) 2202–2210.
[18] K.K. Venkatasubramanian, A. Banerjee, S.K.S. Gupta, Plethysmogram-based secure inter-sensor communication in body area networks, in: Proceedings of IEEE Military Communications Conference, San Diego, 2008, pp. 1–7.
[19] K.K. Venkatasubramanian, A. Banerjee, S.K.S. Gupta, PSKA: usable and secure key agreement scheme for body area networks, IEEE Trans. Inf. Technol. Biomed. 14 (1) (2010) 60–68.
[20] Fen Miao, Lei Jiang, Yuan-Ting Zhang, A novel biometrics based security solution for body sensor networks, in: Proceedings of the 2nd International Conference on BioMedical Engineering and Informatics, Tianjin, 2009, pp. 1–5.
[21] F. Miao, S.D. Bao, Y. Li, A modified fuzzy vault scheme for biometrics-based body sensor networks security, in: Proceedings of IEEE Global Telecommunications Conference, Miami, 2010, pp. 1–5.
[22] C.Z. Cao, C.G. He, S.D. Bao, Y. Li, Improvement of fuzzy vault scheme for securing key distribution in body sensor network, IEEE Eng. Med. Biol. Soc. (2011) 3563–3567.
[23] R.T. Rajasekaran, V. Manjula, V. Kishore, T.M. Sridhar, C. Jayakumar, An efficient and secure key agreement scheme using physiological signals in body area networks, in: Proceedings of the International Conference on Advances in Computing, Communications and Informatics, 2012, pp. 1143–1147.
[24] K.K. Venkatasubramanian, A. Banerjee, S.K.S. Gupta, EKG-based key agreement in body sensor networks, in: Proceedings of IEEE INFOCOM Workshops, Phoenix, 2008, pp. 1–6.
[25] A.A. Sarah, F.A. Khan, An improved EKG-based key agreement scheme for body area networks, in: Proceedings of the 4th International Conference on Information Security and Assurance, Miyazaki, 2010, pp. 298–308.
[26] A.A. Sarah, I.F. Kausar, F.A. Khan, A cluster-based key agreement scheme using keyed hashing for body area networks, Multimed. Tools Appl. (2013) 201–214.
[27] J.Y. Shi, K.Y. Lam, M. Gu, M.Z. Li, S.L. Leung, Towards energy-efficient secure communications using biometric key distribution in wireless biomedical healthcare networks, in: Proceedings of the 2nd International Conference on Biomedical Engineering and Informatics, Tianjin, 2009, pp. 1–5.
[28] W.R. Heinzelman, A. Chandrakasan, H. Balakrishnan, Energy-efficient communication protocol for wireless microsensor networks, in: Proceedings of the 33rd Hawaii International Conference on System Sciences, 2000, pp. 1–10.
Please cite this article as: H. Zhao et al., Physiological-signal-based key negotiation protocols for body sensor networks: A survey, Simulation Modelling Practice and Theory (2016), http://dx.doi.org/10.1016/j.simpat.2015.12.003