A novel node level security policy framework for wireless sensor networks

Journal of Network and Computer Applications 34 (2011) 418–428

Contents lists available at ScienceDirect

Journal of Network and Computer Applications journal homepage: www.elsevier.com/locate/jnca

A novel node level security policy framework for wireless sensor networks William R. Claycomb , Dongwan Shin Secure Computing Laboratory, New Mexico Tech, 801 Leroy Place, Socorro, NM 87801, USA

a r t i c l e in f o

a b s t r a c t

Article history: Received 18 April 2009 Received in revised form 2 March 2010 Accepted 18 March 2010

Wireless sensor networks are commonly used for critical security tasks such as intrusion or tamper detection, and therefore must be protected. To date, security of these networks relies mostly on key establishment and routing protocols. We present an approach to protecting wireless sensor networks based on a security policy, enforced at the node level. This policy is based on a new approach to key establishment, which combines a group-based distribution model and identity-based cryptography. Using this solution enables nodes to authenticate each other, and provides them with a structure to build secure communications between one another, and between various groups. Using our key establishment protocol and security policy, we show how to reduce or prevent significant attacks on wireless sensor networks. & 2010 Elsevier Ltd. All rights reserved.

Keywords: Security application for sensor networks Security policy Identity based cryptography

1. Introduction Wireless sensor networks (WSNs) have become commonplace in applications ranging from simple light, temperature, and sound measurements to sophisticated military and industrial applications. In some cases the security of the sensors, the data collection, and the communication of that data to a collection point is unimportant. However, for sensitive applications, the security of these tasks is paramount. Various solutions have been proposed to protect the node-to-node communication from eavesdropping or attack. However, sensors are often considered too simple to make complex security decisions on their own, instead relying on secure pairings and clever routing table algorithms to ensure messages are delivered safely. In this paper, we present a security policy for WSNs that enables sensor nodes to make critical security decisions about how they share information with others. We present a policy that introduces risk and trust to sensor decision making, and show how these are affected by various communication configurations. The main contributions of this paper include a novel technique for WSN key establishment. This is a group-based pairwise key establishment protocol which uses identity-based cryptography. Using the capabilities and properties of this technique, we show how to specify and implement a new group-based security policy using trust and risk to determine behavior of sensor nodes. Furthermore, we show how our solution addresses attacks on WSNs, including Sybil and wormhole attacks. The remainder of this paper is structured as follows. Section 2 describes related work, including group-based and asymmetric  Corresponding author.

E-mail addresses: [email protected] (W.R. Claycomb), [email protected] (D. Shin). 1084-8045/$ - see front matter & 2010 Elsevier Ltd. All rights reserved. doi:10.1016/j.jnca.2010.03.004

key agreement protocols for WSNs, as well as a description of identity based cryptography components. Section 3 describes our new key establishment protocol, which provides the basis for the security policy described in Section 4. In Section 5, we detail various attacks and show how our solution addresses them. Section 6 presents a discussion of group distribution decisions and the impact to sensor nodes. In Section 7, we conclude the paper with a discussion of future work.

2. Background and related work Our security policy relies heavily on the information gathered during key establishment between sensor nodes, so it is important to understand the basic concepts of this topic. Key establishment in WSNs has been an active area of research for many years, and several approaches have been proposed. The simplest method of key establishment between nodes in a WSN is to preload each node with the same shared secret key, and use that key to secure transmission between every node pair. While this is simple in terms of protocol and storage requirements, it has the disadvantage that compromising a single node reveals all communication to an adversary. The simple solution to prevent this is to pre-load each node with a unique shared key for pairwise communication with every other node in the network. This is a more secure network than the previous one, as compromising a single node only reveals the data transmitted between it and its node partners. However, the storage overhead per node is unrealistic, particularly in the case of very large networks. Several researchers have proposed solutions for pairwise key establishment that fall between these two extremes. Recently, proposals have included the notion of location-based, or group-based schemes. These approaches observe that in large-

W.R. Claycomb, D. Shin / Journal of Network and Computer Applications 34 (2011) 418–428

scale sensor node distributions, nodes deployed in a group tend to end up near each other physically. By tailoring key predistribution to take advantage of this property, efficient schemes have been proposed (Du et al., 2004; Huang et al., 2004; Liu and Ning, 2003; Yu and Guan, 2008). However, these solutions rely on symmetric key agreement protocols, and largely ignore the application of asymmetric key agreement methods. It has been commonly believed that the increased computational and time constraints required by asymmetric solutions are too costly for WSNs. Recently, though, researchers have studied implementations of asymmetric protocols such as elliptic curve cryptography (ECC) on sensor nodes (Gaubatz et al., 2005; Gura et al., 2004; Malan et al., 2004; Wander et al., 2005; Watro et al., 2004). Results have been promising, and various proposals for key establishment and key management using ECC-based approaches have been suggested (Zhou et al., 2007). 2.1. Identity based cryptography Zhang et al. (2006) propose using an identity based cryptography technique called pairing (Boneh and Franklin, 2001; Scott et al., 2006) to facilitate secure key establishment between nodes in WSNs. First proposed by Shamir (1985), identity based cryptography (IBC), or identity based encryption, is similar to traditional public-key based cryptography systems, but instead of using a randomly generated public key, entities use unique strings or other short identifiers, such as email addresses, as their public key. For instance, to send an encrypted email to ‘‘[email protected]’’, Alice would encrypt the message using the email address as the public key. Bob would obtain his corresponding private key from a Private Key Generator to decrypt the message. Therefore, IBC helps negate the use of public key certificate in PKC-based applications. As one of the critical components to optimizing the performance of WSNs is minimizing data storage and transmission size, IBC is an excellent choice for exchanging key establishment information in this regard. The only thing necessary to begin key establishment is the identity of the source node, which only has to be large enough to ensure a unique ID among the entire network. A 16 bit ID would provide unique IDs for 216 ¼65 536 sensor nodes. 2.1.1. Definitions The following definitions will be used in describing our solution. p,q

E=Fp G1 G2

large primes an elliptic curve y2 ¼x3 + ax+ b over the finite field Fp a q-order subgroup of the additive group of points of E=Fp a q-order subgroup of the multiplicative group of the finite field Fp2

a mapping G1  G1 -G2 a cryptographic hash function which maps to elements in G1 h a standard cryptographic hash function A,B,y groups of sensor nodes x,y,y individual sensor nodes IDA unique ID of group A IDx unique ID of sensor node x Kx:A secret key for node x among group A Kxy shared pairwise key between nodes x and y mA master key for group A e^ H

The modified Weil pairing scheme described by Boneh and Franklin (2001) is used for the basis of our key establishment

419

protocol. This allows two sensor nodes to establish a shared secret key using only the knowledge of an individual secret key and the unique identity of the other node, as long as the secret key of the first node was generated using the same keying information as the identity information of the second node. The pairing is based on the bilinear Diffie–Hellman Problem (DLP), which is proven to be computationally hard. 2.1.2. Pairing A pairing is the mapping of two points P and Q, from separate subgroups of points on an elliptic curve, to a third point in a finite field, and is denoted e(P,Q). Usually P and Q are linearly independent of each other, otherwise the pairing is considered degenerate, and e(P,Q)¼1. To use P and Q from the same group G1 , a distortion map c is used to make the second element linearly independent of the first. This distortion pairing is denoted ^ eðP,Q Þ ¼ eðP, cðQ ÞÞ. The distorted pairing is symmetric, that is ^ ^ ,PÞ. For a more thorough description of 8P,Q A G1 , eðP,Q Þ ¼ eðQ pairings over elliptic curves, please see Boneh and Franklin (2001) and Scott et al. (2006). Due to the distortion map, we can use a pairing which is a mapping G1  G1 -G2 . It has the following properties (Boneh and Franklin, 2001): ^ ^  Bilinear: 8P,Q A G1 and 8a,bA Z, eðaP,bQ Þ ¼ eðP,Q Þab . ^  Non-degenerate: If P is a generator of G1 then eðP,PÞ A Fp is a 2



generator of G2 . Computable: Given P,Q A G1 , there is an efficient algorithm to ^ compute eðP,Q Þ A G2 .

3. Group-based key establishment While some node deployment scenarios allow for manual or automated placement of nodes, or for key nodes to have known fixed positions (Zhang et al., 2006), we believe that certain critical applications, such as battlefield deployments, do not provide such means. Therefore, it is desirable to have a solution which provides secure key establishment without requiring specific location knowledge for each node. Instead, we propose that in a groupbased distribution, assuming nodes deployed together end up near each other (Liu and Ning, 2003; Liu et al., 2008), that each group of nodes deployed be pre-keyed using key information unique to that group. Doing so would allow nodes containing keying information for a specific group A to establish pairwise keys with nodes from group A. We will show that in order to establish this pairwise key, both nodes must have keying information for group A. To detail our solution, we propose that a successful deployment of a WSN would consist of the following phases:

   

provisioning authority initialization; sensor key initialization (key pre-distribution); sensor deployment; and pair-wise key establishment.

3.1. Provisioning authority initialization A separate provisioning authority (PA) is created for each group of nodes to be deployed. A master PA is responsible for generating the pairing information for each PA. This ^ information, as described in Section 2.1.2, is (p,q, E=Fp , G1 , G2 , e). The master PA also selects two hash functions, H and h, where H maps to non-zero elements in G1 , and h is a standard hash function such as MD5 or SHA1. Then, for a group of sensors to

420

W.R. Claycomb, D. Shin / Journal of Network and Computer Applications 34 (2011) 418–428

be deployed, A, the master PA randomly selects mA as the master secret for A. This sequence is loosely based on the work of Zhang et al. (2006), but has been modified to meet the specific needs of our solution. 3.2. Sensor key initialization During this phase, we assume each group has a unique identity IDA, and every node has a unique identity IDx. The PA provides every sensor x, in group A, a unique identity-based key Kx:A. The unique key is calculated as Kx:A ¼ mAH(IDx). Along with the unique Kx:A, each node in A is pre-loaded with the public information for ^ group A, (p,q, E=Fp , G1 , G2 , e,H,h,ID A ). Compromising a node will not reveal the group secret key mA. This is due to the intractability of the discrete logarithm problem for elliptic curves (ECDLP). That is, consider an elliptic curve E defined over Fq and P A EðFq Þ, which is a point of order n. Given Q A EðFq Þ, it is infeasible to find an integer 0 r d r n such that Q¼dP. Therefore, it is also infeasible to find mA, given Kx:A and IDx, since Kx:A ¼mAH(IDx). In addition to the unique key for group A, each node x is also pre-loaded with a unique key corresponding to each adjacent group B, which is calculated as Kx:AB ¼mAmBH(IDx). Nodes are also given the identifier for group B, IDB. At this point, it is possible to pre-load x with additional unique keys and group identifiers for the groups beyond those immediately adjacent to A. The number of adjacent and surrounding group keys loaded on each node in A is determined by the needs of the network, noting that each additional layer of depth i adds 2i + 2 public keys, if adjacent groups are arranged in a grid, as shown in Fig. 1. 3.3. Sensor deployment Sensors are deployed in groups, in a predetermined pattern, over the intended area. No additional bootstrapping is necessary for nodes to begin generating pair-wise keys. 3.4. Pairwise key establishment Pairwise keys between neighboring nodes can be established in one of two ways. The first, intragroup key establishment, involves pairwise keys generated between nodes in the same group. The second, intergroup key establishment involves nodes generating pairwise keys with nodes in different groups.

Groups 1-level from Group A A Groups 2-level from Group A

For the purposes of our solution, the elements of a pairing ^ eðP,Q Þ are the private keying information of a source node, Kx:A, and the public keying information (identity) of the destination node, IDy. Because of the symmetry of pairing, the private keying information of the destination node, Ky:A, and the public keying information (identity) of the source node, IDx, will also produce the same value, as long as all elements originate in G1 , due to the symmetry of the pairing. 3.4.1. Intragroup key establishment To establish pairwise keys with neighboring nodes in the same group, node x broadcasts its identity IDx, its group identity IDA, and a random nonce nx, and waits for responses from neighboring nodes within range. A node y receiving the broadcast from x first checks to see if it is in the same group A. If so, node y responds with its own identity IDy, another random nonce ny, and a verification of a shared key, hKyx ðnx Jny J1Þ, where ^ y:A ,HðIDx ÞÞ. Because this is intragroup communication, Kyx ¼ eðK the group ID IDA does not need to be returned. The lack of group ID in the return message is a trigger to x that the return key information in intragroup. In this case, x is able to verify the identity of y, because Kyx ¼Kxy, due to the pairing symmetry. Node x responds with a verification message hKxy ðnx Jny J2Þ, where ^ x:A ,HðIDy ÞÞ. This verifies to y that x has established the Kxy ¼ eðK correct key. 3.4.2. Intergroup key establishment To establish a pairwise key with a node in another group, B, node x follows a similar protocol. The initial broadcast step is the same: IDx, the group identity IDA, and a random nonce nx. Upon receiving this message, node y, in group B, recognizes that x is in another group, A. y checks to see if it possesses a key corresponding to A, Ky:BA. If so, y responds with its own identity IDy, its group identity, IDB, another random nonce ny, and a verification of a shared key, hKyx ðnx Jny J1Þ, where ^ y:BA ,HðIDx ÞÞ. When x receives this message, it sees that a Kyx ¼ eðK group identity was returned. x checks to see if it possesses a key corresponding to B, Kx:AB. If so, x responds with a verification ^ x:AB ,HðIDy ÞÞ. This verifies to y message hKxy ðnx Jny J2Þ, where Kxy ¼ eðK that x has established the correct key.

4. Security policy The advantages gained by applying a group-based, identity-based key management system to WSNs allow us to add an additional measure of security to our network—a security policy. Most approaches to access control in WSNs focus on controlling access to nodes via encryption, using link-level, transport-level, and application level keys to broadly control access to a node itself. We propose providing more fine-grained access control to various components of a sensor node and the transactions it executes. While the complexity of sensors necessitates a relatively simple policy, we will show how to apply a policy to further strengthen the resistance of the network to attacks such as wormhole, Sybil, node addition, and node replication. 4.1. Syntax

Fig. 1. Layers of sensor network groups.

The primary components of our policy are sensor nodes, components, connections, and transactions. A connection is defined as an established secure channel between two nodes. The activity carried out over a connection is a transaction. Various attributes are used to describe these components.

W.R. Claycomb, D. Shin / Journal of Network and Computer Applications 34 (2011) 418–428

421

4.1.1. Nodes Nodes are described by the following attributes: identity, and group identity. Identity is the value used to establish the pairwise key, and uniquely identifies a node in the network. Group identity is the unique identity of the group, also used in pairwise key establishment. We denote a node using lower case letters, with the group ID as a subscript, as in xA.

different variations of sensor network distributions. The first is a general distribution, where nodes do not trust any adjacent group more than any other. The second variation is a specific distribution, a carefully controlled situation where trust is specifically defined between groups. For instance, group A may be directly adjacent to groups B and C, but may trust group B more than group C.

4.1.2. Components A component is some element of a sensor node that processes information. This could be an internal clock, a motion sensor, a thermometer, or anything that may need to communicate information to/from another node. We denote a component as an uppercase letter followed by a number, in case multiple identical components exist. The component is placed in superscript to its associated node, such as xTA 1, which denotes thermometer 1 on device x in group A.

4.2.1. Trust function We define S as the set of all groups. The trust level of a connection is determined by a trust function, t : S  S-½0,1. The distance between two groups A,B A S is defined as the function d : S  S-f0g [ Z þ . For general distributions, we define the trust factor for group A as fA A R, where 0 ofA r 1. This factor is used to determine how much group A trusts other groups. For specific distributions, we define the pre-determined trust level between A,B A S as t : S  S-½0,1. Because nodes in each group will behave similarly, we define our functions based on the node’s group identity, not its individual identity. Thus, for general group distributions, the trust function between groups A,B A S is

4.1.3. Connections Connections are made between components of different nodes. A single pair of nodes can have multiple connections between them, for different types of transactions. To describe a connection, we use the terms direction and trust. Direction describes the connection as symmetric or asymmetric. A symmetric connection is one that allows transactions in both directions; both nodes may act as sender or receiver. An asymmetric connection allows only one-way communication; one node is the sender, the other is the receiver. Trust is a value assigned to a node which denotes the confidence we have the node will complete requested tasks without compromise. Although we could consider trust as a function of the individual components on sensor nodes (i.e. some components of a sensor may be more protected from attack than others), for our model we will only consider trust as a function of the connecting nodes. That is, every connection from node x to node y will have the same level of trust. We denote a connection as an arrow, either single or double pointed, depending on the direction and symmetry. The connection is identified by an uppercase letter below the arrow, with a superscript integer denoting the trust level of the connection, as in ’,-,2. I0:2 J 0:1 K 0:4

4.1.4. Transactions Transactions are described by one attribute, risk. Risk is a numeric value between 0 and 1 describing the value of the information included in the transaction. A higher value indicates more important information. Transactions are denoted using a, b, g, . . ., with a superscript indicating the risk, placed above the 0:1

0:1

0:3

connection arrow, as in ’a ,-b ,2g . I0:2

J 0:1

K 0:4

The risk of a transaction is initially determined during network provisioning, but may be modified ad hoc during the lifetime of the network according to a policy implementation, as described later in this paper. This modification may be in response to internal or external stimuli, and takes into consideration the level of sensitivity of the data, and the level of hostility present against the transaction. Putting it all together, we would show a transaction a with risk level 0.2 over a connection J with trust level 0.3, between the primary intrusion detection devices for sensors x in group A and y a0:2 yI1 . in group B as: xI1 B AJ 0:3

tðA,BÞ ¼ ðfA ÞdðA,BÞ For specific group distributions, the trust function is tðA,BÞ ¼ tðA,BÞ Additional trust functions: The trust functions described above may seem rather arbitrary in their simplicity. This is by design; WSNs by nature, are dynamic systems, and modeling them over various distribution scenarios, topologies, and environmental conditions is very difficult. To demonstrate the validity and usefulness of our solution, we have chosen group distance (the number of groups separating two nodes) as the main factor in our trust function, simply because this factor should exist over a wide variety of potential WSN applications. However, it should be noted that additional factors could easily be added or substituted into a trust function of this nature, perhaps with more practical results. Such factors could include geo-spatial data, processing power and security of the communicating nodes, or even reputation-based systems where certain groups gain or lose trust based on behavioral activity. In general, a trust function should consider the characteristics most important to the deployment scenario. For instance, when deploying multiple sensor architectures to monitor different phenomena, platform capability or security would make a good trust function variable. Similarly, when deploying to more dynamic or fluid situations, such as mobile sensor networks, trust-based functions would be a logical choice to use. While an analysis of such factors is worthwhile, is outside the scope of this paper. 4.2.2. Evaluating trust and risk We use the trust function, combined with the risk of the associated transaction, to make a decision on executing the transaction. We call this function decide, and define it as follows, for nodes xA, yB and transaction a with risk level r. decideðA,B, ar Þ ¼ if r r tðA,BÞ then perform else abandon 4.3. Dynamic response to policy changes

4.2. Defining trust A node determines the trust level of a connection based on a trust function. To evaluate our trust function, we consider two

If we were to leave the security policy as defined up to this point, it would be a static policy, never changing once deployed to a network. However, WSNs are often subject to dynamic forces

422

W.R. Claycomb, D. Shin / Journal of Network and Computer Applications 34 (2011) 418–428

beyond the control of the designer, and a comprehensive security policy that can adapt to those changes quickly and efficiently would be a tremendous advantage. The concept of reputationbased trust schemes is not new to WSNs (Ganeriwal et al., 2008). However, in such schemes trust is managed at the node level, and is granted based on how another node behaves or misbehaves. In contrast, our solution applies dynamic trust at the group level, for specific transactions between nodes, where it can be used for much more powerful policy decisions.

4.3.1. Node addition and revocation The addition of new sensors to a network is straightforward. New nodes added to pre-existing groups are given the correct keying information as defined in Section 3.2. With this information, nodes are able to generate pairwise keys with neighboring nodes and join the network. Revoking nodes’ membership in the network is a bit more challenging. The first task is to determine that a node, or group of nodes, needs to be removed from the network, either due to compromise or for some administrative reason. Making this determination is outside the scope of this paper; our challenge is how to execute the revocation once the need is identified. We begin by setting the revocation transaction, o, risk level to 1, meaning it can only be carried out between nodes in the same group. This prevents an attacker from blocking revocation messages from reaching adjacent group nodes by modifying routing within a compromised group. Revoking group membership is fairly straightforward. Once notified that the group D is to be removed, base stations for groups with keying information related to D execute the revocation transaction, oD , with their respective nodes. Receiving nodes delete any keying information and pairwise keys related to D from their memory. Without this information, existing connections are terminated and new connections cannot be established with D. Revoking an individual node IDd:D from the network is similar, but a bit more challenging. Groups that could possibly communicate with D broadcast oIDd:D to their members. Any node x holding a shared key with d terminates any connections and removes the shared key Kxd from memory. Additionally, all nodes in that group add IDd:D to a revocation list. Because IDd:D is only a few bytes long (remember, 2 bytes will uniquely identify 65 536 nodes), storing a node revocation list should not significantly impact node memory. At some point, as the number of revoked nodes from any single group grows, the entire group will be revoked, and the entries in revocation lists for that group will be purged (after the group keying information has been deleted). Group revocation could be triggered by a specific threshold, which would need to be a specific number of revoked nodes per group, rather than a percentage of overall nodes in a group, because once deployed, there is no mechanism in our solution to determine the total number of nodes communicating from a specific group.

4.3.2. Policy updates Node revocation is a simple form of policy update. More comprehensive policy updates will provide a network with dynamic functionality such as defensive measures to counter attacks in progress. This is a significant improvement over existing network configurations, where all the communication parameters for a node are pre-loaded prior to deployment and remain static during the life of the node. By using our security policy, changes can be made to affect node behavior dynamically, even though the preloaded process behind that decision making is unchanged. That is, we can significantly modify the behavior of nodes by simply changing a few values, instead of reprogramming the entire node.

We rely on base stations to assist in the broadcast of new security policy configurations. These configurations include changes to all elements of our policy, including: risk, trust, connections, and transactions. For example, if the threat of network compromise increases, a new trust factor f can be deployed to nodes in affected groups, decreasing the likelihood they will establish communication with a compromised group. Simply increasing f is a broad approach to what could be a more delicate situation, though. Suppose administrators learn that a specific function of sensor nodes, which affects transaction a, is susceptible to manipulation. Rather than raise f for all transactions, administrators could simply increase the risk level of a so that it must be carried out over more trusted connections. 4.3.3. Automated policy response The ability to dynamically modify the security configuration of the sensor network significantly increases the network’s ability to respond to stimuli. Responses do not need to be triggered by an administrator; they could be triggered automatically. Consider two situations where policy values are modified this way, a time-based scheme and an event-driven scheme. In the time-based scheme, groups and/or nodes adjust risk and trust levels according to a predetermined schedule. For instance, intrusion detection nodes could trust other groups more highly during the daylight hours, when tampering is less likely to occur. Or, a group’s trust function could simply decline with time, as the risk of compromise grows. An event driven scheme changes policy in response to specific events that occur within the network. Using the example of intrusion detection again, if a sensor detects intrusion, the policy could change within other groups to lower the risk of the intrusion detection transaction, with the hope that any additional intrusion will be detected as soon as possible (because nodes may have more efficient routes using less trusted connections). However, it may also be desirable to raise the risk of intrusion detection, which reduces the chance of attack on this transaction, and makes subsequent alarms more reliable. These decisions must be made based on the specific needs of the network, but demonstrate how our solution enables a wide range of dynamic policy capabilities. 4.4. Policy application During network initialization, an administrator must identify all the components and their associated attributes. Careful analysis of the types of transactions, their associated risk, the nodes involved, and the chance of compromise must be undertaken. To demonstrate our solution, we describe a potential deployment scenario and show how applying a security policy strengthens the security of the network. 4.4.1. Intrusion detection Consider an intrusion detection system consisting of several sensors that detect movement in different rooms. If a sensor detects motion, it alerts an administrator and identifies the room where motion was detected. Each room has several sensors connected to a single base station. Sensors are capable of communicating with sensors in adjoining rooms, and can even transmit through two walls to the second adjacent room. An administrator would specify the security policy as follows. All nodes in a single room comprise a group. Components of the nodes consist of a clock, C 1, and a motion detector M 1. Base stations have a clock and a motion detection receiver R 1. Transactions include synchronizing the time, a0:1 , which is a low-risk operation, and 0:4

detecting intrusion, b , a high risk operation. Nodes form symmetric connections with their base station, as well as any other

W.R. Claycomb, D. Shin / Journal of Network and Computer Applications 34 (2011) 418–428

nodes in adjacent rooms. Because the rooms tend to be long and narrow, it is possible a sensor may find its own base station farther away than another node two rooms distant. Because this is a general distribution of nodes—trust between groups is not specifically assigned beforehand—the trust factor f for each group is set to the same value, 0.33. This means that when the distance between groups is 1, dðA,BÞ ¼ 1, and the decide function will allow transactions with risk r0:331 ¼ 0:33. When dðA,BÞ ¼ 2, the maximum risk allowable is 0.332 ¼0.11. Time updates are considered low-risk in this scenario because they do not interfere with the ability of the node to detect motion. They also occur more frequently, so it makes sense to allow nodes to use adjacent groups to update time, if they can find a shorter route to a base station (the source of authoritative time). A time update transaction between x in group A and y in group C, over 0:1

I connection I would be represented as: xT1 yT1 C . Note that the A 2

a0:11

transaction is symmetric, and the connection has a trust level of 0.11. Because the risk level, 0.1, is o0:11, our decide would determine this transaction is allowable. Intrusion detection is a higher-risk transaction, and the notification of intrusion is more important than the need to find a power-saving route. Also, we cannot be sure that the node in the next room has not been compromised. This transaction, between xA and zA, the base station, on connection J, is shown as

423

attacker could only place x into a group where the nodes have shared key information with A. In a large network, the number of such groups is likely to be small. Additionally, placing x0 into one of these groups would be likely to cause detection, as the real x is nearby, and nodes receiving another authentication request from a duplicate node proclaiming to be x would detect the attack. 5.2. Node addition attack In a node addition attack (Zhu et al., 2003), an adversary injects new nodes into a WSN. This differs from a node replication attack because the new nodes are not duplicates of an existing node, but rather are provisioned correctly as unique nodes in the network. To carry out this attack in a network with pairwise key establishment, an adversary must have access to keying information, such as a master key (mA in our solution). While some solutions allow the master key to exist for a short period of time on individual nodes during the distribution of a new network (Zhang et al., 2006; Zhu et al., 2003), ours does not allow mA to exist on any node or base station in the network. Without mA, an attacker can only gain information such as IDx, Kx:A, IDA, etc. Even with the pairing components (IDx,Kx:A), mA cannot be deduced, due to the properties of the pairing scheme.

0:4

J zR1 xM1 A A . We can see that the connection is trusted at level

b1:0

1.0, and the transaction risk is 0.4, so it is allowed. Also, the transaction is asymmetric, because the sensor node does not need to receive any incoming messages for this transaction. An attacker may try to circumvent the intrusion detection system by first compromising a node m in an adjacent room. He would then place m in a position as close to sensor x as possible (assuming he knows the position of x), trying to cause x to send its intrusion detection message via m, instead of another route. Because m is a legitimate node in B, x will authenticate and establish a connection, but only at trust level 0.33, because tðA,BÞ ¼ ðfA ÞdðA,BÞ ¼ 0:33. Since this transaction requires trust level Z0:4, it cannot be executed between x and y—the attack is foiled.

5. Attacks and resistance Various attacks on WSNs have been described in the literature. Some of the more difficult to defend against are the node replication, node addition, Sybil, and wormhole attacks. Our solution either prevents these attacks from occurring, or minimizes their impact to the point of inefficacy. 5.1. Node replication attack A node replication attack (Parno et al., 2005) consists of an adversary compromising one or more existing nodes, duplicating (and perhaps modifying) the information retrieved, provisioning new nodes with the stolen information, and placing the replicated nodes into the network. Under simple authentication schemes, a network is unable to detect the duplicated nodes, particularly if they are placed far apart, and they are able to authenticate and interact with existing nodes. This provides the attacker with a means of intercepting communication, affecting network routing, or even skewing reputation-based trust management systems. Our solution eliminates the node replication attack over multiple groups. To show this, consider a compromised node x, from group A. If placed in a group where nodes do not share keying information with A, the replicated node (denoted x0 ) would be unable to establish any pairwise keys. To be successful, an

5.3. Sybil attack The Sybil attack (Douceur, 2002) describes a situation where an attacker generates multiple fake identities in one location, appearing to be many legitimate nodes, and uses those identities to influence the existing WSN. This influence can be against routing, trust management, reputation, or other elements of network management. In contrast to the node replication attack, the nodes in the Sybil attack are not real nodes, nor are they distributed throughout the network. Our solution prevents this attack by preventing an attacker from spoofing legitimate nodes. Without the master key to generate pairing information, an attacker cannot generate correct pairing information. Without this information, a Sybil node cannot establish pairwise keys with any legitimate node in the network. 5.4. Wormhole attack One of the more interesting attacks in WSNs, the wormhole attack involves an attacker using a covert, high-speed side channel to tunnel information across the network. The effect is to allow two distant nodes to communicate with each other, fooling them into believing they are neighbors. This can disrupt network routing, potentially preventing critical messages from being received by the correct locations. It can also affect networks which use relative node location for decision-making. The wormhole attack is shown in Fig. 2. Detecting and preventing wormhole attacks are challenging issues. Most solutions to date involve the use of mechanisms based on the physical location of nodes, or the physical distance between them. These solutions use either location-fixing devices, such as GPS, or tight time synchronization between nodes to detect wormholes (Zhang et al., 2006; Hu et al., 2003; Lazos et al., 2005). Our solution prevents wormhole attacks between nodes in distant groups because they do not share key information, and cannot form pairwise keys, as shown in Fig. 3. However, a wormhole between two nearby groups is possible. Creating a wormhole for nodes within adjacent groups would have a

424

W.R. Claycomb, D. Shin / Journal of Network and Computer Applications 34 (2011) 418–428

Attacker Tx/Rx Device

High speed Convert Channel

Attacker Tx/Rx Device

Fig. 2. A wormhole attack.

Attacker Tx/Rx Device

High speed Convert Channel

Attacker Tx/Rx Device

Fig. 3. A wormhole attack in a group-based network.

limited effect, and would be physically more difficult, because creating a high-speed side-channel and processing information through it faster than the normal network routing becomes tricky as the distance between the wormhole ends grows smaller. With this in mind, a network designer can carefully plan node group size to reduce the threat of wormhole attacks to an acceptable level. For instance, if an attack between nodes 50 m apart would not compromise the overall integrity of the system, then groups can be distributed with a diameter of 25 m, so the greatest distance between any two nodes allowed to communicate is 50 m. Wormhole attacks can be prevented by a carefully designed security policy as well. If a policy is designed such that a group A only trusts connections to group B, then a wormhole attack is only possible from group A to group B. Because this is an asymmetric trust, a wormhole attack from B to A is not possible. This is an

important step towards preventing a wormhole attack that seeks to ‘‘skip’’ a sensor or group of sensors in a sequence by generating a wormhole around it.

6. Discussion The discussion of our solution will focus on two areas. The first part deals with the network design, including topics such as trust levels and node distributions. Next, we discuss the impact to sensor nodes themselves. 6.1. Network design When looking at a group-based deployment, several factors must be considered. Among them is the question—how many adjacent groups should be trusted? Is only one level trusted, or

W.R. Claycomb, D. Shin / Journal of Network and Computer Applications 34 (2011) 418–428

are multiple levels trusted? How do we determine the trust factor? Secondly, we must consider how the nodes will be distributed. Will they be distributed evenly over an area, or will they tend to be more densely populated near the center of an area? How does this affect the chances of multi-group communication? We attempt to answer those questions here. 6.1.1. Considerations for key sharing depth We define key sharing depth as the number of layers with which a group’s nodes may establish shared keys. For instance, if only adjacent groups are allowed, the key sharing depth is 1. If all immediately adjacent groups and their adjacent groups are included in key pre-distribution for key sharing, the key sharing depth is 2. When deciding how many adjacent and surrounding groups to include in the key sharing setup phase for nodes in group A, several factors must be considered, most importantly the group distribution size and group overlap. There must be at least one level of key sharing, otherwise node communication would be limited to intragroup communication only. However, multiple levels of shared keys greatly increases the storage overhead on each node, as well as reduces the effectiveness of this solution in preventing certain types of attacks. In the simple case, it is assumed that a node’s transmission range is much smaller than the area over which the group A is deployed, and that adjacent groups have a small overlap with A. In this scenario, only one layer of adjacent group keys is necessary to provide complete coverage for every node—that is, every node will be able to establish a pairwise key with every other node within transmission range, even if the other nodes are in another group. 6.1.2. Trust level Another important consideration in network design is how much to trust adjacent groups. Recall our trust function, between groups A,B A S the level of trust is tðA,BÞ ¼ ðfA ÞdðA,BÞ . This function depends on group A’s trust factor fA, and the distance between the groups, determined by the function dðA,BÞ. Since we have chosen an exponential model, trust tends to decline quickly for distant groups, particularly if fA is much smaller than 1. Fig. 4 shows the level of trust calculated using various values of fA for groups from 0 to 5 levels away from the source in a general distribution. Note that if distant groups are to be trusted, a high value of fA must be chosen, in contrast to a lower fA, where nearby groups are still trusted somewhat highly, but more distant groups are trusted

425

very little. Also note that nodes within the same group (dðA,BÞ ¼ 0) have trust levels of 1, regardless of fA.

6.1.3. Node distribution affects communication Node distributions are not always uniform. Sometimes the reasons for this are simple physics (i.e. dropping a box of sensor nodes from an airplane at different heights, with different wind patterns, will result in greatly different distributions on the ground). Other times, the reasons for a certain distribution are more sophisticated, such as the desire to prevent a wormhole attack between nodes of a certain distance, n. To help analyze communication between groups in our solution, we consider two variations of node distribution, one where nodes are distributed evenly over the entire group, and one where nodes are distributed according to a normal (Gaussian) distribution. Two key factors in determining how well two groups will communicate are the node coverage over the group, and the overlap between groups. Our simulation results show the percentage of nodes within a group able to communicate with adjacent groups, given the node coverage and overlap size of the network. Fig. 5 shows the results for an even distribution of nodes over a group, and Fig. 6 shows the results for a Gaussian distribution of nodes over a group. Based on these results, it is clear that a more even distribution of nodes is desirable when implementing a group-based model. It is interesting to note the much higher percentage of nodes able to communicate in even distributions. The lower figure for the Gaussian distribution is due to the lower density of nodes distributed over the edge of the Gaussian group. Based on these results, we can make decisions regarding network architecture, taking into account the distribution method, and how nodes are likely to be distributed in their final state.

6.2. Comparison to existing work A critical analysis of any sensor network application must include a comparison to existing work; specifically concerning the impact to the sensors in terms of space requirements, processing time, and power consumed. We believe the solution presented here has an acceptable footprint upon the sensor nodes. For analysis purposes, we will consider an implementation where p is a 512-bit prime and q is a 160-bit prime.

Fig. 4. Trust level calculated for various values of fA.

426

W.R. Claycomb, D. Shin / Journal of Network and Computer Applications 34 (2011) 418–428

90% 80% 70% 60% 50% 40%

10% 0%

Percent

overlap betw

een grou

95% 85% 75% 65% 55% 45% 35% 25% 15% 5%

ove rag eo ver gro up

20%

No de c

30%

5% 10 % 15 % 20 % 25 % 30 % 35 % 40 % 45 % 50 % 55 % 60 % 65 % 70 % 75 % 80 % 85 % 90 % 95 % 10 0%

interg Nodes engaging in

roup communicatio

n

100%

ps

Fig. 5. Nodes able to communicate with other groups using an even distribution.

90% 80% 70% 60% 50% 40% 30% 20% 10% 100% 75% 50% 25% 0%

de gro dens up ity siz vs e

0% 0% 10% 20% 30% 40% 50% 60% Overlap betwee n groups 70% 80% 90%

No

communication Nodes engaging in intergroup

100%

Fig. 6. Nodes able to communicate with other groups using a normal (Gaussian) distribution.

6.2.1. Sensor memory requirements The use of elliptic curve cryptography (ECC) based mechanisms means that less space is required to store key information. To achieve the same public key security as a 1024-bit RSA (Rivest et al., 1978) implementation, only 160-bit keys are needed for ECC (Gura et al., 2004). Standard ECC-based digital certificates, used in traditional key establishment, are  530 bytes in size. This can be reduced to 86 bytes by removing all but the most important data (Wander et al., 2005). Our proposal reduces this size even further, requiring only 40 bytes to store node identification and keying information. This improvement becomes even more important when we consider how much energy is consumed during data transmission—sending a singe bit of information can take the same power as 2090 clock cycles of execution (Wander et al., 2005). This comparison is shown in Table 1.

Table 1 Sensor memory requirements for digital certificates. Method

Memory required (bytes)

Standard ECC certificates Reduced ECC certificates (Wander et al., 2005) Our solution

 530 86 40

However, in our solution, more than just one key is stored on each node. Adding keys for adjacent group key establishment depends on the topology of the network. Without loss of generality, we assume a topology similar to Fig. 1. In this instance, P the total number of keys to be stored on each node is ni¼ 1 2i þ 2 . To store one layer of key establishment information

W.R. Claycomb, D. Shin / Journal of Network and Computer Applications 34 (2011) 418–428

requires 160 bytes. For two layers, 480 bytes are needed. Three layers require 1120 bytes. This must be considered in network design. ^ Group public information, ðp,q, E=Fp , G1 , G2 , e,H,h,ID A Þ, must also be loaded onto each node. Due to space requirements, we will not detail each component, but will note that p is a 512 bit prime, G1 , G2 are 160 bit primes, IDA can be relatively small (16 bits), and the components relating to key generation code can be estimated at  3:6 KB (Gura et al., 2004) for 160-bit ECC operations. We note that the Atmel ATmega128 (Amtel Corporation, 2009), a common micro-controller used on many sensor devices, has 128 kB of FLASH program memory. Another common sensor network node, the Crossbow Imote2 has 256 kB of SRAM memory, 32 MB of SDRAM memory, and 32 MB of FLASH memory (Crossbow Technology, 2009). We believe sensor deployments where 43 layers of shared key information are unlikely, so a total overhead of o 5 kB seems reasonable for this application. 6.2.2. Processing time Other papers have shown efficient implementations of pairing schemes. Zhang et al. (2006) show that a commonly used processor, the Intel PXA255, can generate a Tate pairing in approximately 62 ms. However, this is a 32-bit processor typically used on network gateway devices, such as the Crossbow Stargate, not on actual sensor nodes. Typical 8-bit sensor nodes take 4 30 s on average to compute Tate pairings (Oliveira et al., 2007). Recent advances in sensor nodes have included the addition of more powerful 32-bit processors at the node level. Scott et al. (2006) show that it takes 290 ms to compute a Tate pairing on a 32-bit MIPS-32 based SmartMIPS architecture for smartcards, running at 36 MHz. For our solution, we consider the Crossbow Imote2, which uses a 32-bit Intel PXA271 scalable processor (13–416 MHz), and would require  23:2 ms to compute the Tate pairing at its highest speed, 92 ms at 104 MHz (normal operating speed), and 736 ms at 13 MHz (low-power operating speed). A comparison of these processing times is shown in Table 2. 6.2.3. Processing power Power consumption figures, including both computational operations and radio transmission, for computing a Tate pairing between two sensor nodes are shown in Table 3. While not lower than previous work, our solution shows comparable performance using a modern processing platform (Intel PXA271 at 13 MHz). 6.2.4. Transmission power Because our solution uses such a small footprint for identity and group identification information, the transmission power necessary to establish a pairing is small. The total power required Table 2 Time to compute tate pairing on various microprocessors. Microprocessor

Time (s)

ST22 (33 MHz) (Bertoni et al., 2005) SmartMips (36 MHz) (Scott et al., 2006) Intel PXA255 (400 MHz) (Zhang et al., 2006) Intel PXA271 (416 MHz)

0.752 0.290 0.062 0.023

Table 3 Power consumption of pairwise key establishment operations. Operation

Energy (mJ)

Intel PXA255 (Zhang et al., 2006) Intel PXA271

25.5 27.53

427

to establish a pairing, using a CC2420 IEEE 802.15.4 radio transceiver (Texas Instruments, 2008), is approximately 203 mJ. This figure represents all transmission and reception power for a single node involved in the pairing operation, regardless of whether the node initiates the transaction or not.

7. Conclusion We have demonstrated how to apply a security policy to wireless sensor networks which leverages the properties of node authentication and group-based keys to strengthen the security of the network. Our policy is based on a novel approach to key establishment in WSNs that uses a group-based technique combined with identity based cryptography to provide node authentication and intergroup communication. We showed how our solution is resistant to some of the more difficult attacks to prevent in WSNs, including the node replication, Sybil, and wormhole attacks. Future work will include multi-hop key establishment, which would further enhance the capabilities of a network of this type. Another interesting area of study would be to consider delegation between sensor nodes in the security policy. With node identification and authentication provided, delegating certain tasks or capabilities from one node to others is an interesting challenge. Sensor networks will continue to be part of everyday life. As sensors become smaller and more capable, their potential uses will only increase. In many cases, the security of the networks they form is critical to maintain, and we believe this will continue to be an important area of research.

Acknowledgment This work was partially supported at the Secure Computing Laboratory at New Mexico Tech by the grant from the National Science Foundation (NSF-CNS-0709437).

References Amtel Corporation, 2009. Amtel ATmega128 /http://www.atmel.com/dyn/pro ducts/product_card.asp?part_id=2018S. Bertoni GM, Chen L, Fragneto P, Harrison KA, Pelosi G. Computing tate pairing on smartcards, 2005 /http://www.st.com/stonline/products/families/smartcard/ ches2005_v4.pdfS. Boneh D, Franklin M. Identity-based encryption from the weil pairing. In: Advances in cryptology—CRYPTO; 2001. p. 213–29. Crossbow Technology, 2009. iMote2 /http://www.xbow.com/Products/Pro duct_pdf_files/Wireless_pdf/Imote2_Datasheet.pdfS. Douceur JR. The sybil attack. In: IPTPS ’01: revised papers from the first international workshop on peer-to-peer systems. London, UK: SpringerVerlag; 2002. p. 251–60. Du W, Deng J, Han Y, Chen S, Varshney P. A key management scheme for wireless sensor networks using deployment knowledge. In: INFOCOM 2004. 23rd annual joint conference of the IEEE computer and communications societies, vol. 1. 2004. p. 597. Ganeriwal S, Balzano LK, Srivastava MB. Reputation-based framework for high integrity sensor networks. ACM Trans Sensor Networks 2008;4(3):1–37. Gaubatz G, Kaps J, Sunar B. Public key cryptography in sensor networks—revisited. In: The proceedings of the first European workshop on security in ad-hoc and sensor networks (ESAS), 2005. Gura N, Patel A, Wander A, Eberle H, Shantz SC. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In: Workshop on cryptographic hardware and embedded systems—CHES; 2004. p. 119–32. Hu Y-C, Perrig A, Johnson D. Packet leashes: a defense against wormhole attacks in wireless networks. In: 22nd annual joint conference of the IEEE computer and communications societies, vol. 3, 3 March–3 April 2003. p. 1976–86. Huang D, Mehta M, Medhi D, Harn L. Location-aware key management scheme for wireless sensor networks. In: Proceedings of the second ACM workshop on security of ad hoc and sensor networks. Washington, DC, USA: ACM; 2004. p. 29–42.

428

W.R. Claycomb, D. Shin / Journal of Network and Computer Applications 34 (2011) 418–428

Lazos L, Poovendran R, Meadows C, Syverson P, Chang L. Preventing wormhole attacks on wireless ad hoc networks: a graph theoretic approach. In: IEEE wireless communications and networking conference, vol. 2, March 2005. p. 1193–9. Liu D, Ning P. Location-based pairwise key establishments for static sensor networks. In: Proceedings of the first ACM workshop on security of ad hoc and sensor networks. Fairfax, Virginia: ACM; 2003. p. 72–82. Liu D, Ning P, Du W. Group-based key predistribution for wireless sensor networks. ACM Trans Sensor Networks 2008;4(2):1–30. Malan D, Welsh M, Smith M. A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography. In: First annual IEEE communications society conference on sensor and ad hoc communications and networks, SECON 2004, IEEE; 2004. p. 71–80. Oliveira L, Aranha D, Morais E, Daguano F, Lopez J, Dahab R. Tinytate: computing the tate pairing in resource-constrained sensor nodes. In: Sixth IEEE international symposium on network computing and applications, NCA 2007, July 2007. p. 318–23. Parno B, Perrig A, Gligor V. Distributed detection of node replication attacks in sensor networks. In: SP ’05: proceedings of the 2005 IEEE symposium on security and privacy. Washington, DC, USA: IEEE Computer Society; 2005. p. 49–63. Rivest RL, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 1978;21(2):120–6. Scott M, Costigan N, Abdulwahab W. Implementing cryptographic pairings on smartcards. In: Proceedings of cryptographic hardware and embedded systems—CHES, 2006.

Shamir A. Identity-based cryptosystems and signature schemes. In: Proceedings of CRYPTO 84 on advances in cryptology. New York, Inc., Santa Barbara, California, USA: Springer-Verlag; 1985. p. 47–53. Texas Instruments, 2008. CC2420 /http://focus.ti.com/lit/ds/symlink/cc2420. pdfS. Wander AS, Gura N, Eberle H, Gupta V, Shantz SC. Energy analysis of public-key cryptography for wireless sensor networks. In: Proceedings of the third IEEE international conference on pervasive computing and communications. IEEE Computer Society; 2005. p. 324–8. Watro R, Kong D, fen Cuti S, Gardiner C, Lynn C, Kruus P. TinyPK: securing sensor networks with public key technology. In: Proceedings of the second ACM workshop on security of ad hoc and sensor networks. Washington, DC, USA: ACM; 2004. p. 59–64. Yu Z, Guan Y. A key management scheme using deployment knowledge for wireless sensor networks. IEEE Trans Parallel Distrib Systems 2008;19(10):1411–25. Zhang Y, Liu W, Lou W, Fang Y. Location-based compromise-tolerant security mechanisms for wireless sensor networks. IEEE J Selected Areas Commun 2006;24(2):247–60. Zhou Y, Zhang Y, Fang Y. Access control in wireless sensor networks. Ad Hoc Networks 2007;5(1):3–13. Zhu S, Setia S, Jajodia S. LEAP: efficient security mechanisms for large-scale distributed sensor networks. In: Proceedings of the 10th ACM conference on computer and communications security. Washington, DC, USA: ACM; 2003. p. 62–72.