Location-Based Data Encryption For Wireless Sensor Network Using Dynamic Keys

Download as pdf or txt
Download as pdf or txt
You are on page 1of 8

Wireless Netw

DOI 10.1007/s11276-015-0938-8

Location-based data encryption for wireless sensor network using


dynamic keys
Han-Yu Lin1

 Springer Science+Business Media New York 2015

Abstract Secure data transmission for the wireless sensor 1 Introduction


network (WSN) is always an important issue. The tech-
nique of traditional authenticated encryption allows a As wireless networks [12, 14] develop over time, more and
sensor node to generate a ciphertext which can only be more wireless applications can be found out in our daily life.
decrypted and authenticated by a designated data aggre- To guarantee the data transmission and communication
gator. The convertible property further enables the aggre- safety, the security requirements of integrity, authentication,
gator to announce an ordinary signature for public confidentiality and non-repudiation [5, 18, 23] must be ful-
verification. To alleviate the harm of key exposure, dy- filled. One of the popular wireless applications is WSNs [3,
namic key systems are especially suitable for implementing 4, 16] which consist of a large scale of distributed devices
in the large-scale deployment environments such as WSNs. with embedded sensors. These sensors can monitor lots of
Combining the concept of location and the merits of dy- environmental conditions such as sound, pressure and tem-
namic keys, we propose a location-based data encryption perature, etc., and hence are often utilized in military
scheme for WSNs. To the best of our knowledge, this is the surveillance. Up to the present, the WSN can be also seen in
first concrete construction considering the properties of many non-military fields like home automation, healthcare
location and dynamic keys in WSNs. The proposed scheme systems, traffic control, fire detection and so on.
not only is conversion-free, but also provides unlimited Because each sensor node has a microprocessor and a
time periods and random-access key-updates. Moreover, wireless communication device, it could be regarded as a
we utilize some reduction models to prove the security of mini computer with limited computing power and storage.
our protocol. Energized by batteries, these sensor nodes are usually de-
ployed in wilderness areas without replacement. For fa-
Keywords WSN  Location  Key-insulation  cilitating the data transmission between a data aggregator
Authenticated encryption  Message linkages and its nearby sensor nodes, each sensor has a preinstalled
secret key. However, once the key is compromised by
some malicious adversary, it will endanger the communi-
cation messages delivered to the data aggregator. It thus
can be seen that a proper data encryption mechanism with
efficient key update procedure for WSNs is crucial for
increasing the security strength and solving the node-
compromised problem.

& Han-Yu Lin 1.1 Related works


[email protected]
1 In 1984, Shamir [22] introduced the famous ID-based system
Department of Computer Science and Engineering, National
Taiwan Ocean University, 2, Beining Road, 202 Keelung, in which a private key generation center (PKG) is respon-
Taiwan, ROC sible for generating every user’s private key with a trapdoor

123
Wireless Netw

one-way function. Without the secret, no one can perform et al. failed to incorporate the advantage of dynamic keys
the trapdoor one-way function, so as to guarantee the con- into the design of their security protocols.
fidentiality of private keys. The corresponding public key is
explicitly verified, as it consists of some identity information 1.2 Our contribution
(such as the user name and e-mail address, etc.) To make the
ID-based system suitable for practical implementation, in Consider the security in WSNs, in this paper, we combine
2001, Boneh and Franklin [2] proposed an ID-based system the concept of location with the advantages of dynamic
from the Weil pairing. Since then, ID-based systems have keys to construct a concrete location-based data encryption
been widely adopted for designing various security proto- mechanism for WSNs. Unlike previous location-based se-
cols. However, once a user’s private key is accidentally curity mechanisms which only used unique private keys for
compromised, the corresponding confidential information sensors in WSNs, we incorporate the dynamic property of
might be decoded by a malicious adversary. key-insulated systems into the design and construction of
To withstand above key exposure attacks, Dodis et al. the proposed scheme. Without redeployment, each sensor
[6, 7] addressed the first key-insulated system with dy- node can periodically update its private key at different
namic private keys. In a key-insulated system, each user time periods. The proposed scheme possesses the proper-
owns two private keys. One is a short-term private key kept ties of conversion-free, unlimited time periods and random-
secret by the user and the other is a long-term one stored in access key-updates. Moreover, a theoretic proof model is
a physically-secure but computation limited device (called adopted to demonstrate the feasibility of our work.
base or helper). With the assistance of the helper, a user can
periodically update his short-term private key for per-
forming various security protocols such as public key en- 2 Proposed protocol
cryption and digital signature schemes [8, 20, 21] at
different time periods. Note that the public key of each user There are four involved parties of our protocol, including a
is still unchanged. The general idea of key-insulated sys- PKG, a helper (embedded chipset), a sensor node and a
tems is that even if an adversary has the knowledge of all designated data aggregator. Initially, the PKG is responsi-
previous private keys for some user, he cannot perform any ble for generating each node’s initial private key and a
private key operation on behalf of the user in relation to the master helper key. At the beginning of every time period i,
current time period. a sensor node can update its i-th short-term private key
Considering the advantages of ID-based systems and the with the helper’s aid. Let (IDA, lA) and (IDB, lB) be a sensor
key-insulated ones, Hanaoka et al. [10] proposed the first node and a data aggregator along with their corresponding
ID-based key-insulated encryption (KIE). In their lit- locations, respectively. Figure 1 shows how the four parties
erature, they demonstrated how to construct a partially collaborate with each other. Details of each phase are de-
collusion resistant hierarchical identity-based encryption scribed below:
from arbitrary IBE. The next year, Zhou et al. [28] pro-
• Setup: Taking as input 1k where k is a security
posed an identity-based key-insulated signature scheme
parameter, the PKG first chooses a master secret key
based on the computational Diffie–Hellman problem
s [R Zq and a master helper key w [R Zq. The
(CDHP). To reduce the possibility of helper exposure,
corresponding public keys are computed as PTA = sP
Hanaoka et al. [9] adopted two independent helpers to
and PHK = wP. The master helper key w is then pre-
construct a KIE scheme. The two helpers will be alterna-
stored in the helper. Let (G1, ?) and (G2, 9) be two
tively selected for helping with user’s key-updates. Such a
groups of the same prime order q where |q| = k, P a
scheme is called the parallel-KIE. It can be seen that a
generator of order q over G1, e: G1 9 G1 ? G2 a
parallel-KIE reaches a higher security level with respect to
bilinear pairing, H: {0, 1}k ? G1, F1: G1 9 G2 ? Zq,
the helper’s security. So far, lots of protocols [11, 17, 24,
F2: {0, 1}k 9 {0, 1}* 9 G1 9 G2 9 G2 ? Zq and F3:
26] for key-insulated systems have been proposed.
In 2005, Lazos et al. [15] utilized the property of loca-
tion to address a location-based mechanism for securing Block
the wireless security. The next year, Zhang et al. [27] (IDA1, lA1)
PKG
further proposed a location-based compromise-tolerant helper
initialize (IDA3, lA3)
security protocol for WSNs. In their scheme, the private Designated
Node IDAi data
key of each node is bound with its ID and geographic (IDA2, lA2) aggregator
location. They also developed a so-called neighborhood
authentication scheme to reduce the impact of compro- Fig. 1 A block diagram illustrating the four collaborated parties of
mised nodes. Nevertheless, both Lazos et al. and Zhang our protocol

123
Wireless Netw

Zq ? Zq collision resistant hash functions. The public


SA, 0 SA, 1 SA, 2 SA, 3 ….. SA, N
parameter params includes {PTA, PHK, G1, G2, q, P, e,
H, F1, F2, F3}. Time periods
0 1 2 3 4 … N
• KeyExtract (KE): The PKG computes the initial
private key for IDA as SA, 0 = sH(IDA, lA) ? wH(IDA, Fig. 2 The update of private keys with different time periods
lA, 0). The corresponding public key is computed as
rA = e(PTA, H(IDA, lA)).
• KeyUpdate (KU): For any time period i [ {1, …, N}, Choose r ∈R Zq and C0 = 0;
Node Compute R = rP;
the helper first generates the corresponding helper key dB = [e(PHK, H(IDB, lB, i))σB] ;
r

dA = [e(PHK, H(IDA, lA, i))σA] ;


r
as HKA, i = w[H(IDA, lA, i) - H(IDA, lA, i - 1)]. Then
Cv = Mv ⋅ F3(Cv − 1 ⊕ F1(R, dB)), for v = 1, 2,…, l;
the sensor node can update its private key by computing Q = (r + F2(i, M, R, dA, dB))SA, i;
SA, i = SA, i - 1 ? HKA, i. The values (SA, i - 1, HKA, i) The ciphertext δ = (i, C1, C2, …, Cl, R, Q, dA).
are deleted subsequently. Figure 2 illustrates the update
of private keys with different time periods. δ

• Encryption (EN): For encrypting a packet M = M1 || Derive dB = e(R, SB, i);


Designated
M2 || … || Ml at any time period i [ {1, …, N}, IDA data Compute
−1
chooses r [R Zq and C0 = 0 to compute R = rP, aggregator Mv = Cv ⋅ F3(Cv − 1 ⊕ F1(R, dB)) , for v = 1, 2,…, l;
Recover M = M1 || M2 || … || Ml;
dB = [e(PHK, H(IDB, lB, i))rB]r, dA = [e(PHK, H(IDA, Verify if
lA, i))rA]r, Cv = Mv  F3(Cv - 1  F1(R, dB)), for F (i, M, R, dA, dB)
e(P, Q) = dA ⋅ [σA ⋅ e(PHK, H(IDA, lA, i))] 2 .
v = 1, 2,…, l, and Q = (r ? F2(i, M, R, dA, dB))SA, i.
The ciphertext for M is d = (i, C1, C2, …, Cl, R, Q, dA). Fig. 3 The EN and DV processes for a packet M
• Decryption-and-Verification (DV): To decrypt d, the
data aggregator IDB first derives dB = e(R, SB, i),
computes Mv = Cv  F3(Cv - 1  F1(R, dB))-1, for The correctness for the authenticity of the recovered
v = 1, 2,…, l, and then recovers the original packet packet M can also be verified below:
M = M1 || M2 || … || Ml. IDB further verifies its
eðP;QÞ
authenticity by checking if eðP; QÞ ¼ dA  ½rA  eðPHK ;
¼ eðP; ðr þF2 ði;M;R;dA ;dB ÞÞSA;i Þ
HðIDA ; lA ; iÞÞF2 ði;M;R;dA ;dB Þ . Figure 3 shows the EN and
¼ eðP; ðr þF2 ði;M;R;dA ;dB ÞÞðsHðIDA ;lA Þ þwHðIDA ;lA ;iÞÞÞ
DV processes for a packet M = M1 || M2 || … || Ml.
¼ eðP; ðr þF2 ði;M;R;dA ;dB ÞÞðsHðIDA ;lA ÞÞÞ
The correctness of each datagram Mv is shown as eðP; ðr þF2 ði;M;R;dA ;dB ÞÞðwHðIDA ;lA ;iÞÞÞ
follows:
¼ eðP;rsHðIDA ;lA ÞÞeðP;F2 ði;M;R;dA ;dB ÞðsHðIDA ;lA ÞÞÞ
Cv  F3 ðCv1  F1 ðR; dB ÞÞ1 eðP;rwHðIDA ;lA ;iÞÞeðP;F2 ði;M;R;dA ;dB ÞðwHðIDA ;lA ;iÞÞÞ
¼ Cv  F3 ðCv1  F1 ðR; eðR; SB;i ÞÞÞ1 ¼ rrA rA2
F ði;M;R;dA ;dB Þ
eðPHK ;rHðIDA ;lA ;iÞÞ
¼ Cv  F3 ðCv1  F1 ðR; eðR; sHðIDB ; lB Þ eðPHK ;F2 ði;M;R;dA ;dB ÞHðIDA ;lA ;iÞÞ
þ wHðIDB ; lB ; iÞÞÞÞ1 ¼ dA rA2
F ði;M;R;dA ;dB Þ
eðPHK ;F2 ði;M;R;dA ;dB ÞHðIDA ;lA ;iÞÞ
¼ Cv  F3 ðCv1  F1 ðR; eðR; sHðIDB ; lB ÞÞe ¼ dA ½rA eðPHK ;HðIDA ;lA ;iÞÞF2 ði;M;R;dA ;dB Þ
1
ðR; wHðIDB ; lB ; iÞÞÞÞ
¼ Cv  F3 ðCv1  F1 ðR; eðsR; HðIDB ; lB ÞÞe
ðwR; HðIDB ; lB ; iÞÞÞÞ1
3 Security analyses
¼ Cv  F3 ðCv1  F1 ðR; eðsrP; HðIDB ; lB ÞÞe
ðwrP; HðIDB ; lB ; iÞÞÞÞ1 Two fundamental security assumptions employed in our
¼ Cv  F3 ðCv1  F1 ðR; eðPTA ; rHðIDB ; lB ÞÞe protocol are CDHP over elliptic curves and BDHP de-
scribed below [2]:
ðPHK ; rHðIDB ; lB ; iÞÞÞÞ1
CDHP (Computational Diffie–Hellman Problem) over
¼ Cv  F3 ðCv1  F1 ðR; dB ÞÞ1
elliptic curves Let P be a random point in G1 and a, b [R
¼ Mv  F3 ðCv1  F1 ðR; dB ÞÞ  F3 ðCv1  F1 ðR; dB ÞÞ1 Zq . It is computationally infeasible to derive abP from a
¼ Mv given instance (P, aP, bP)

123
Wireless Netw

BDHP (Bilinear Diffie–Hellman Problem) Let P be a • KE(IDj) queries: B returns the initial private key
generator, A = aP, B = bP and C = cP for some a, b, Sj, 0 = hj(uP) ? (hj, 0)xP.
c 2 Zq. It is computationally infeasible to derive e(P, • HK(i, IDj, lj) queries: B returns the helper key
P)abc 2 G2 from a given an instance (P, A, B, C) [ G41 : HKj, i = (hj, i)xP - (hj, i - 1)xP.
• KU(i, IDj, lj) queries: B returns the private key
When it comes to the security requirements of any hy-
Sj, i = hj(uP) ? (hj, i)xP.
brid security protocol providing encryption and digital
• EN(i, M, IDA, IDB) queries: B first derives the private
signature, we should consider the property of confiden-
key SA, i = hA(uP) ? (hA, i)xP and follows the steps of
tiality against indistinguishability under adaptive chosen-
EN algorithm to return a corresponding ciphertext
ciphertext attacks (IND-CCA2) and that of unforgeability
d = (i, C, R, Q, dA).
against existential forgery under adaptive chosen-message
• DV(d, IDA, IDB) queries: B first computes the private
attacks (EF-CMA). We use well-defined theoretic proof
key SB, i = hB(uP) ? (hB, i)xP and then runs the DV
models to show the security of our approach as Theorems 1
algorithm. If the recovered packet is valid, returns {M,
and 2.
X = (i, R, Q, dA, dB)}; else, an error symbol } is
Theorem 1 The proposed protocol is (t, e)-secure against returned.
IND-CCA2 if no probabilistic adversary is able to break
the BDHP within polynomial-time and with the advantage Challenge: A chooses two fresh identities (IDA , IDB ),
e0 . two packets, M0 and M1, of equal length and a time period
i* [ {1, …, N}. The challenger B flips a coin k / {0, 1}
Proof In the notion of adaptive chosen-ciphertext attacks, and produces a ciphertext d* for (i*, Mk, IDA , IDB ) as
we assume that within the polynomial-time t, there is a follows:
probabilistic adversary A who is able to break the proposed
scheme with non-negligible advantage e. The adversary A 1. Insert the entry ((IDB , lB*, i*), null, yP) into H_list,
is permitted to issue the queries of H, F1, F2, KE, HK i.e., implicitly define H(IDB , lB*, i*) = yP where y is
(helper key), KU, EN and DV, meaning that the result for unknown to B.
these queries can only be obtained through a challenger. 2. Choose Q* [R G1, C0 = 0 and set R* = zP;
The total times limitations for above queries are qH, qF1 , 3. Compute dA = e(uP, (hA )(zP))  e(xP, (hA;i ))zP);
qF2 , qKE, qHK, qKU, qEN and qDV, respectively. We claim 4. Choose f1 [R Zq and insert the entry (R*, null, f1 ) into
that if A exists, a polynomial-time algorithm B extended F1_list, i.e., implicitly define F1(R*, dB ) = f1 where dB
from A is able to compute e(P, P)xyz for the BDHP instance is unknown to B.
(P, xP, yP, zP). Let F3 be a collision resistant hash func- 5. Compute Cv = Mv  F3(Cv1 
 f1 ), for v = 1, 2,…, l.
tion. In the following processes, B acts as a challenger to
A. The ciphertext d* = (i*, C1 , C2 , …, Cl , R*, Q*, dA ) is
then sent to A as a target challenge.
Setup: B first initializes the Setup(1k) phase to obtain
Phase 2: A is able to issue new queries as those stated in
params = {G1, G2, q, P, e, F3} and sets PTA = uP,
Phase 1 except the HK(i*, IDB ), KU(i*, IDB ) and DV(d*,
PHK = xP where u [R Zq. Then (params, PTA, PHK) is sent
IDA , IDB ) queries. B might directly terminate in the event
to the adversary A.
that A queries HK(i* ? 1, IDB ). When A asks DV(d, IDA,
Phase 1: For each query made by A in the time period IDB ) where d = (i*, C1, C2, …, Cl, R, Q, dA), B checks
i [ {1, …, N}, B responses as follows: F1_list table for a possible entry (Rj, dj, f1) where Rj = R
• H(IDj, lj) queries: B first checks a maintained table and then computes Mv = Cv  F3(Cv - 1  f1)-1, for
H_list for previous inquiries. If there is no matched v = 1, 2,…, l. If eðP; QÞ ¼ dA  ½rA  eðuP; HðIDA ; lA ;

entry, B chooses hj [R Zq, adds one entry (IDj, lj, hj, hj iÞÞF2 ði ;M;R;dA ;dB Þ , the packet M and its signature X = (i*, R,
P) and then returns hj P. Q, dA, dj) is returned. Otherwise, send an error symbol }
• F1(Rj, dj) queries: B first searches a maintained table back.
F1_list for previous inquiries. If there is no matched Analysis of the game: In Phase 2, B can derive the
entry, B chooses f1 [R Zq, inserts one entry (Rj, dj, f1) private key SA*, i* = (hA )(uP) ? (hA;i )xP where i* [ {1,
and finally returns f1.
…, N} to respond each EN query in relation to IDA .
• F2(i, Mj, Rj, dj, dj0 ) queries: B first checks a maintained
Consider the case that a DV(d, IDA, IDB ) query might re-
table F2_list for previous inquiries. If no entry matches, turn } for a valid d = (i*, C1, C2, …, Cl, R, Q, dA) seeing
B chooses f2 [R Zq, adds one entry (i, Mj, Rj, dj, dj0 , f2) that the corresponding F1(R, dB ) query has never been
and then returns f2. made. However, the probability for such an event is not

123
Wireless Netw

greater than (qDV)2-k for total DV inquiries. We express it extended from A is able to compute xyP for the
as DV_ERR and Pr[DV_ERR] B (qSRV)2-k. Additionally, CDH instance (P, xP, yP). We will utilize the Forking
when A queries HK(i* ? 1, IDB , lB), B aborts directly. We Lemma [19] to prove this theorem. Let F3 also be a col-
represent such an event as HK_ERR and Pr[HK_ERR] lision resistant hash function and B acts as a challenger
B ((N - 1)qH)-1. Note that in the challenge phase, B to A.
generates a simulated ciphertext d* = (i*, C1 , C2 , …, Cl ,
Setup: B first initializes the Setup(1k) phase to obtain
R*, Q*, dA ) where H(IDB , lB*, i*) = yP and R* = zP,
params = {G1, G2, q, P, e, F3} and selects a random tape h
which implies dB is implicitly defined as
(consisting of a long sequence of random bits). Next B sets
PTA = uP, PHK = xP where u [R Zq and simulates two
dB ¼ eðPTA ; zHðIDB ; lB ÞÞeðPHK ; zHðIDB ; lB ; iÞÞ
runs of the proposed protocol A on input (params, PTA,
¼ eðuP; hB ðzPÞÞeðxP; zðyPÞÞ PHK, h).
¼ eðuP; hB ðzPÞÞeðP; PÞxyz :
Phase 1: A can adaptively ask allowed queries and B
Let NA denote that the simulation is perfect and such responds just like those defined in Theorem 1. Note that
probability depends on the event that the F1(R*, dB ) query when A queries H(IDA, lA, i), B responses with yP. In the
is never made in Phase 2. We use QF1 to stand for that such event that A queries HK(i ? 1, IDA, lA), B aborts directly.
an event indeed happens in Phase 2. When the entire
Analysis of the game: Since B directly aborts whenever
simulation is perfect, A has no advantage in returning a
A asks HK(i ? 1, IDA, lA), we denote the situation as
correct k due to the randomness of simulation, i.e.,
HK_ERR and Pr[HK_ERR] B ((N - 1)qH)-1. Let EN-V
Pr[k0 = k | NA] = 1/2. Based on the theorem of prob-
be the case that a ciphertext d* = (i*, C1 , C2 , …, Cl , R*,
ability inequality, we can also have j Pr½k0 ¼ k1=2j 
Q*, dA ) for M* in relation to (IDA , IDB ) is valid, meaning
ð1=2Þ Pr½:NA. By the initial assumption, A has non-neg-
that Pr[EN - V] = e by the initial assumption. Consider
ligible probability e to break the proposed scheme. Con-
the case that A produces a valid d* without querying F2(i*,
sequently, we can derive
M*, R*, dA , dB ). That is, A guesses the correct f2, denoted
e ¼ j Pr½k0 ¼ k  1=2 j as NH and we know that Pr[NH] B 2-k. Then, we can
 ð1=2Þ Pr½:NA express the probability that a forgery d* = (i*, C1 , C2 , …,
 ð1=2ÞðPr½QF1  þ Pr½DV ERR þ Pr½HK ERRÞ Cl , R*, Q*, dA ) is valid and the corresponding F2 query is
also made as Pr[(EN - V ^ :NH) | :HK_ERR] C
which means that   
e  21k 1  ðN1Þq1
H
. When i* = i and IDA = IDA, we
Pr½QF1  2e  Pr½SRV ERR  Pr½HK ERR obtain
qDV 1
2e  k  e ¼ Pr½ðEN  V ^ :NHÞ j:HK ERR
2 ðN  1ÞqH
^ ði ¼ i; IDA ¼ IDA Þ
and the value dB = e(uP, hB (zP))e(P, P)xyz would be stored    
1 1 1
in F1_list on condition that QF1 occurs. Hence, we claim e k 1
2 ðN  1ÞqH N  qH
that B is able to solve the given BDHP instance by com-   
puting e(uP, hB (zP))-1dB and the success probability is 1 ðN  1ÞqH  1
¼ e k
  2 ðN 2  NÞq2H
0
 1  qDV 1
e qF1 2e  k  : B again runs the second simulation on the same input
2 ðN  1ÞqH
(params, PTA, PHK, h) and responses with identical values as
h those in the first run. When A asks F2(i*, M*, R*, dA , dB ), B
Theorem 2 The proposed protocol is (t, e)-secure against returns a different value f2** [ R Zq. Based on the ‘‘Forking
EF-CMA if no probabilistic adversary is able to break the lemma’’, if A finally generate another valid forgery
CDHP within polynomial-time and with the advantage e0 . d** = (i*, C1 , C2 , …, Cl , R*, Q**, dA ) with i* = i,
0
IDA = IDA and F2(i*, M*, R*, dA , dB ) = F2 (i*, M*, R*, dA ,
Proof In the notion of adaptive chosen-message attacks,
dB ), B could derive eðP; Q  Q Þ ¼ ½eðuP; ðhA ÞPÞ 
we suppose that within the polynomial-time t, there is a
probabilistic adversary A who is able to break the proposed eðxP; yPÞðf2 f2 Þ and then solve the given CDH instance by
scheme with non-negligible advantage e. The adversary is computing xyP ¼ ðf2  f2 Þ1 ½ðQ  Q Þ  ðf2  f2 Þ
allowed to make queries defined in Theorem 1 except DV. uðhA ÞP. To evaluate B’s success probability, we can first
We claim that if A exists, a polynomial-time algorithm B utilize the ‘‘Splitting lemma’’ [19] to learn that the

123
Wireless Netw

probability for A to generate a valid forgery in the second run messages from one to the other location, so as to cause
is at least (2-1e)2 = 4-1e2 . Since we have known that the the chaotic situation. Yet, in our scheme, all transmit-
probability to eventually create another valid d** = (i*, C1 , ted messages can only be accepted if they contain valid
C2 , …, Cl , R*, Q**, dA ) with F2(i*, M*, R*, dA , signatures with respect to the sender’s location and key
dB ) = F20 (i*, M*, R*, dA , dB ) by A is q1 information. Thus, our scheme is secure against the
F2 , the success
probability for B after two simulation runs can be repre- wormhole attack.
h  i3 5. Key Exposure Attacks: In our scheme, each sensor
sented as e0 C ð4qF2 Þ1 e  21k ðN1Þq H 1
ðN 2 NÞq 2 : h node is equipped with a long-term private key w and a
H

Based on our location-based data encryption mechan- short-term session key SA, i which will be updated with
ism, we further consider the following practical attacks in different time periods. The former must be stored in a
WSNs from the perspective of message confidentiality. It lightweight tamper-resistant on-chip security co-pro-
should be noted that the proposed scheme is mainly de- cessor such as the microprocessors of ST19 and ST22
signed for guaranteeing the end-to-end data transmission series ICs developed by STMicroelectronics Corpora-
security, rather than an overall security solution to WSNs. tion. Xie et al. [25] also introduced a lightweight
For defeating some specific attacks such as the sinkhole tamper-resistance design structure for WSNs to raise
attack which aims at causing the failure of network routing the secret-keeping capability for sensor nodes and
functions, we have to combine additional detecting or au- withstand potential attacks. We note that the proposed
thentication protocol [27] to gain a more comprehensive scheme cannot prevent key exposure attacks entirely.
protection in WSNs. Yet, in case that an adversary captures a compromised
node, he can only obtain its short-term session key and
1. Node Spoofing Attacks: An adversary might attempt to
then derive the related confidential messages for that
impersonate any legitimate node or the designated data
specific time period. That is, the impact caused by the
aggregator for obtaining confidential messages. How-
key exposure attacks can be mitigated and limited in
ever, all encrypted packets can only be decrypted with
only certain time periods depending on the exposed
the private key of designated data node/aggregator.
short-term session keys.
Based on the proofs of Theorem 2, we conclude that
the adversary cannot derive the confidential informa-
tion without the knowledge of valid private key.
2. Sybil Attacks: When launching this attack, an adver- 4 Performance evaluation
sary might utilize forged identities to masquerade as a
large number of nodes. In our scheme, if these nodes We make a performance evaluation with respect to the
forward bogus data to any legitimate node, it will be proposed scheme in this section. The evaluation is made in
detected during the DV phase, since bogus data cannot terms of computational costs and communication over-
pass the verification procedure. heads. Since the data aggregator is usually more powerful
3. Identity Replication Attacks: In this attack, a compro- than sensor nodes, we only take the capability of sensors
mised node will be replicated and put in different into account. It is believed that the most time-consuming
locations to cause the inconsistence of network routing operation for pairing-based systems is the bilinear pairing
information. Nevertheless, in our scheme, all forward- computation. For simplicity, we will employ the number of
ed routing messages must contain valid signature required bilinear pairing to approximate the computational
information (Q, dA) to be verified and accepted by any costs for sensor nodes. Let the symbol of ‘TB’ be the time
legitimate node or the data aggregator. Therefore, the for performing one bilinear pairing. The detailed eval-
identity replication attack cannot work in the proposed uation is demonstrated as Table 1.
scheme. In this table, we assume that a 32-bit Intel PXA255
4. Wormhole Attacks: In this attack, an adversary first processor at 400 MHz is adopted for sensor nodes. The
generates a wormhole link between different network PXA25x family is Intel’s first generation of XScale pro-
locations and then uses this link to tunnel routing cessors and has been widely utilized in WSNs. Let the

Table 1 Performance Processor Intel PXA255 32-bit/400 MHz


evaluation for sensors
Item
Computation complexity for the EN process &4 TB
Energy consumption for the EN process &102 mJ
Communication costs for the EN process (l ? 4)|q|

123
Wireless Netw

order q of G1 and G2 be a 160-bit prime and the bilinear map 4. Cheng, C. T., Tse, C. K., & Lau, F. C. M. (2011). A delay-aware
e be Tate pairing [1]. According to Zhang et al.’s analyses data collection network structure for wireless sensor networks.
IEEE Sensors Journal, 11(3), 699–710.
[27], a Tate pairing on the Intel PXA255 processor at 5. Delfs, H., & Knebl, H. (2002). Introduction to cryptography:
400 MHz roughly takes 62.04 ms and consumes 25.5 mJ, Principles and applications. New York: Springer.
which helps derive that a sensor might approximately spend 6. Dodis, Y., Katz, J., Xu, S., & Yung, M. (2002). Key-insulated
248.16 ms and consume 102 mJ for running the EN process public key cryptosystems. In: L. R. Knudsen (Ed.), Advances in
cryptology—EUROCRYPT’02 (pp. 65–82). New York: Springer.
of the proposed scheme. As for the communication over- 7. Dodis, Y., Katz, J., Xu, S., & Yung, M. (2003). Strong key-
head, we evaluate it with the actual message length. One insulated signature schemes. In Proceedings of public key cryp-
can observe that the transmitted messages include (i, C1, C2, tography 2003 (PKC’03), LNCS 2567 (pp. 167–144), Springer.
…, Cl, R, Q, dA). That is, the total communication overheads 8. ElGamal, T. (1985). A public key cryptosystem and a signature
scheme based on discrete logarithms’’. IEEE Transactions on
are (l ? 4)|q|. Based on the Intel PXA255 processor Information Theory, IT-31(4), 469–472.
specification [13], the energy consumption of 121 mW is 9. Hanaoka, G., Hanaoka, Y., & Imai, H. (2006) .Parallel key-in-
required in idle mode while 411 mW power consumption is sulated public key encryption. In Proceedings of public key
needed in active mode. The EN process of our protocol only cryptography 2006 (PKC’06), LNCS 3958, pp. 105–122.
10. Hanaoka, Y., Hanaoka, G., Shikata, J., & Imai, H. (2005).
takes roughly 102 mJ; therefore, we can conclude that the Identity-based hierarchical strongly key-insulated encryption and
computational costs involved in the proposed scheme can its application. Advances in cryptology—ASIACRYPT’05 (pp.
be handled by sensors in WSNs. 495–514), Springer.
11. Hsu, C. L., & Lin, H. Y. (2011). New identity-based key-insu-
lated convertible multi-authenticated encryption scheme. Journal
of Network and Computer Applications, 34(5), 1724–1731.
5 Conclusions 12. Huang, P. K., Lin, X., & Wang, C. C. (2013). A low-complexity
congestion control and scheduling algorithm for multihop wire-
less networks with order-optimal per-flow delay. IEEE/ACM
Combining the concept of location with the merits of key- Transactions on Networking, 21(2), 495–508.
insulated systems, we introduced the first location-based 13. Intel PXA255 processor electrical, mechanical, and thermal
data encryption for WSNs using dynamic keys. Our scheme specification. http://int.xscale-freak.com/XSDoc/PXA255/2787
allows a sensor node to generate a flexible ciphertext for 8002.pdf
14. Ko, S. W., Yu, S. M., & Kim, S. L. (2013). The capacity of
some packet composed of many datagrams such that only energy-constrained mobile networks with wireless power trans-
the designated data aggregator has the ability to decrypt. To fer. IEEE Communications Letters, 17(3), 529–532.
demonstrate the authenticity of some packet, the data ag- 15. Lazos, L., Poovendran, R., Meadows, C., Syverson, P., & Chang,
gregator is capable of revealing an ordinary signature for L. (2005). Preventing wormhole attacks on wireless ad hoc net-
works: A graph theoretic approach. In Proceedings of IEEE
public verification. Our proposed protocol is conversion- wireless communications and networking conference (WCNC’05)
free and provides unlimited time periods and random-ac- (pp. 1193–1199), New Orleans, LA.
cess key-updates. In the proposed scheme, each sensor node 16. Liao, Y., Qi, H., & Li, W. (2013). Load-balanced clustering al-
can periodically update its private key while the corre- gorithm with distributed self-organization for wireless sensor
networks. IEEE Sensors Journal, 13(5), 1498–1506.
sponding public one remains unchanged. The underlining 17. Lin, H. Y., & Hsu, C. L. (2011). A novel identity-based key-
security assumption of our scheme is based on the well- insulated convertible authenticated encryption scheme. Interna-
known BDHP along with CDHP over elliptic curves. We tional Journal of Foundations of Computer Science, 22(3),
also addressed detailed security proofs and precise advan- 739–756.
18. Menezes, A., Oorschot, P., & Vanstone, S. (1997). Handbook of
tage analyses to show the feasibility of our work. applied cryptography. Boca Raton, FL: CRC Press, Inc.
19. Pointcheval, D., & Stern, J. (2000). Security arguments for digital
Acknowledgments This work was supported in part by the Ministry signatures and blind signatures. Journal of Cryptology, 13(3),
of Science and Technology of Republic of China under the contract 361–396.
number MOST 103-2221-E-019-001. 20. Rivest, R., Shamir, A., & Adleman, L. (1978). A method for
obtaining digital signatures and public-key cryptosystems. Com-
munications of the ACM, 21(2), 120–126.
References 21. Schnorr, C. P. (1991). Efficient signature generation by smart
cards. Journal of Cryptology, 4(3), 161–174.
1. Barreto, P., Kim, H., Bynn, B., & Scott, M. (2002). Efficient 22. Shamir, A. (1984). Identity-based cryptosystems and signature
algorithms for pairing-based cryptosystems. Advances in cryp- schemes. Advances in cryptology—CRYPTO’84 (pp. 47–53),
tology—CRYPTO’02 (pp. 354–368), Springer. Springer.
2. Boneh, D., & Franklin, M. (2001). Identity-based encryption 23. Stallings, W. (2005). Cryptography and network security: Prin-
from the Weil pairing. Advances in cryptology—CRYPTO’01 ciples and practices, 4th edn., New York: Pearson.
(pp. 213–229), Springer. 24. Weng, J., Liu, S., Chen, K., Zheng, D., & Qiu, W. (2008).
3. Cheng, C. T., Leung, H., & Manupin, P. (2013). A delay-aware Identity-based threshold key-insulated encryption without ran-
network structure for wireless sensor networks with in-network dom oracles. In Proceedings of CT-RSA 2008, LNCS 4964 (pp.
data fusion. IEEE Sensors Journal, 13(5), 1622–1631. 203–220). Heidelberg: Springer.

123
Wireless Netw

25. Xie, L., Zhu, H., Xu Y., & Zhu, Y.(2006). A tamper-resistance CyberTrust Technology Institute, Institute for Information Industry,
key pre-distribution scheme for wireless sensor networks. In Taiwan from January 2012 to July 2012. Since August 2012, he has
Proceedings of 5th international conference on grid and coop- been an Assistant Professor in the Department of Computer Science
erative computing workshops (GCCW’06) (pp. 437–443). and Engineering, National Taiwan Ocean University, Taiwan. His
26. Yu, C. W., Tseng Y. M., & Wu, T. Y. (2010). A new key- research interests include cryptology, network security, digital
insulated signature and its novel application. In Proceedings of forensics, RFID privacy and application, cloud computing security
cryptology and information security conference (CISC 2010), and e-commerce security.
Taiwan.
27. Zhang, Y. C., Liu, W., Lou, W. J., & Fang, Y. G. (2006). Lo-
cation-based compromise-tolerant security mechanisms for
wireless sensor networks. IEEE Journal on Selected Areas in
Communications, 24(2), 247–260.
28. Zhou, Y., Cao, Z., & Chai, Z. (2006). Identity based key insulated
signature. In Proceedings of ISPEC 2006, LNCS 3903 (pp.
226–234).

Han-Yu Lin received B.A. de-


gree in economics from the Fu-
Jen University, Taiwan in June
2001, his M.S. degree in infor-
mation management from the
Huafan University, Taiwan in
June 2003, and his Ph.D. degree
in computer science and engi-
neering from the National Chiao
Tung University, Taiwan in
December 2010. He served as a
research assistant in the
Department of Computer Sci-
ence and Engineering, National
Taiwan Ocean University, Tai-
wan from March 2011 to December 2011. He was a senior engineer in

123

You might also like