
2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing

An Admission Control Scheme for Sensor Networks


Wang Xiaoming
Department of Computer Science Jinan University Guangzhou 510632, China wxmsq@eyou.com

Yao Guoxiang
College of Information Science & Technology Jinan University Guangzhou 510632, China

Zhang Zhen
Department of Computer Science Jinan University Guangzhou 510632, China

Abstract: An admission control scheme for sensor networks is proposed. The proposed scheme employs a Merkle hash tree and a one-way hash chain as the basic means of constructing the node authentication procedure, in order to avoid the need for public key cryptography and reduce storage overhead. The proposed scheme not only prevents malicious nodes from joining sensor networks, but also makes it easy to add new nodes to sensor networks. Furthermore, the proposed scheme can simply and efficiently establish a shared key between two nodes, so that they can communicate securely.

Keywords: sensor network; admission control; authentication

I. INTRODUCTION

Sensor networks consist of small, inexpensive, resource-constrained devices that communicate wirelessly in a multi-hop network. Each device, called a sensor node, collaborates with other devices in the network to perform some operation for the end user, such as environmental monitoring or target tracking. After several weeks or months of operation, some nodes in the network may exhaust their power because of the uneven distribution of traffic load, so new node deployment is necessary in these cases. Sensor nodes are also susceptible to malicious attacks in unattended and hostile environments, and may be destroyed by attackers so that the entire network becomes useless. Malicious nodes may easily modify messages, eavesdrop on messages, insert false messages and provide misleading information to other sensor nodes. In order to prevent malicious nodes from joining the sensor network, access control is required.

So far, several access control schemes have been proposed [1-6]. In 2009, Huang et al. [6] proposed a novel access control protocol based on the elliptic curve. Their scheme can easily add new nodes and is more efficient. However, their scheme is insecure against the replay attack. Moreover, the high-frequency update of the hash chain is not convenient for practical implementations.

In this paper, an admission control scheme for sensor networks is proposed as an improvement of Huang et al.'s scheme. The proposed scheme employs a Merkle hash tree and a one-way hash chain as the basic means of constructing the node authentication procedure, in order to avoid the need for public key cryptography and reduce storage overhead; the node authentication procedure is therefore simple and efficient. The proposed scheme not only prevents malicious nodes from joining sensor networks, but also makes it easy to add new nodes to sensor networks. Furthermore, the proposed scheme can simply and efficiently establish a shared key between two nodes, so that they can communicate securely.

The rest of the paper is organized as follows. The related work is described in section 2. In section 3, an admission control scheme for sensor networks is presented. In section 4, the security and properties of the proposed scheme are analyzed. Finally, the concluding remarks are given.

Supported by National Natural Science Foundation of China under Grant (#60773083); National Natural Science Foundation of Guangdong Province (#8151063201000022)

II. RELATED WORK

Perrig et al. [1] introduce an asymmetric mechanism through delayed disclosure of symmetric keys. In their scheme, broadcasting is still the basic, efficient means to distribute or revoke secret keys in sensor networks. Zhang et al. [2] proposed a scheme to restrict and revoke the access privilege of a mobile sink. Their scheme establishes a secret key between the mobile sink and sensor nodes, and then uses the Merkle tree technique to reduce the overhead. The limitation of the scheme is that the mobile sink's moving track has to be predetermined by BS. Zhang et al. [3] proposed a defense against Sybil attacks in sensor networks. Their scheme uses identity certificates and one-way key chains to defeat Sybil attacks, and thereby avoids the need for public key cryptography. The computation, storage and message overhead of their scheme is also lower.

In 2006, Wang et al. [4] proposed distributed user access control under a realistic adversary model in which sensors can be compromised and users may collude. Their scheme splits access control into local authentication conducted by the sensors physically close to the user, and a light remote authentication based on the endorsement of the local sensors. In 2007, Zhou et al. [5] proposed an access control protocol based on elliptic curves. Their scheme includes both the node identity and the node bootstrapping time in the authentication procedure. The protocol also accomplishes node authentication and key establishment for new nodes. Compared with the previous scheme based on RSA, the scheme is more efficient. However, their scheme assumes that each sensor node can sustain a tolerance time interval before it is compromised, which is not convenient for some practical implementations [6].

In 2009, Huang et al. [6] proposed a novel access control protocol based on the elliptic curve and the hash chain. Their scheme can easily add new nodes and is more efficient. However, their scheme is insecure against an active attack, and the storage overhead is very high. Moreover, the high-frequency update of the hash chain is not convenient for practical implementations.

III. PROPOSED SCHEME

The design idea of the proposed scheme is motivated by [2,3,6]. The proposed scheme employs a Merkle hash tree and a one-way hash chain as the basic means of constructing the node authentication procedure, in order to avoid the need for public key cryptography and reduce storage overhead. The proposed scheme consists of the following sections.

978-0-7695-4011-5/10 $26.00 2010 IEEE DOI 10.1109/NSWCTC.2010.205

Authorized licensed use limited to: Reva Institute of Tehnology and Management. Downloaded on June 23,2010 at 06:38:41 UTC from IEEE Xplore. Restrictions apply.

A. Network model

The proposed scheme uses the same network model as [7,8,9]: the sensor network is divided into a set of clusters, and each cluster is composed of a cluster head (CH) and a set of sensor nodes (distinct from other sets), as illustrated in Fig. 1.

Fig. 1. Wireless sensor network architecture.

Sensor node (N): In this paper, sensor nodes are inexpensive, limited-capability, generic wireless devices. Each sensor has limited battery power, memory size and data processing capability, and a short radio transmission range. Sensor nodes in the same cluster can communicate with each other directly and can communicate with their cluster head (CH) directly.

Cluster head node (H): Cluster heads have considerably more resources than sensors. Equipped with high-power batteries, large memory storage, powerful antennas and data processing capacity, cluster heads can execute relatively complicated numerical operations and have a much longer radio transmission range than sensor nodes. Cluster heads can communicate with each other directly and relay data between their cluster members and the base station.

Base station (BS): BS is the most powerful node in a wireless sensor network. It has virtually unlimited computational and communication power, unlimited memory storage capacity, and a very large radio transmission range which can reach all the nodes in the network. Moreover, the proposed scheme also assumes that BS is located in a well-protected place and takes charge of the whole network's operation.

B. Initialization

Let the system contain a set of sensor nodes N_1, N_2, ..., N_n, and let the sensor network be divided into m clusters. Before a sensor network is deployed, the initialization includes the following steps.

(1) BS chooses a finite field F_q, where q is a large odd prime of at least 160 bits; an elliptic curve E over F_q; a cyclic group G = {P} of points over the elliptic curve E(F_q), where P is the generator of the group and has an order N of at least 160 bits, so that NP = O, where O is the point at infinity; and a one-way hash function h(). The base station publishes E(F_q), P and N.

(2) BS first generates a secret key k_i for each sensor node (i = 1, 2, ..., n) and computes h^r(k_i), where h^r(k_i) is the key chain commitment for the entire chain and denotes the application of r cascaded hash operations starting from k_i, that is, k_i^1 = h^1(k_i) = h(k_i), k_i^2 = h^2(k_i) = h(h(k_i)), ..., k_i^r = h^r(k_i) = h(h^{r-1}(k_i)); r is the length of the key chain and is a large constant. Then BS chooses random numbers x_1, x_2, ..., x_n and computes identities ID_i = x_i P (i = 1, 2, ..., n) for each sensor node.

(3) BS computes the commitment C_j for each cluster j (j = 1, 2, ..., m) from the set {k_i^r || ID_i || j}, i = 1, 2, ..., w. It does this by creating a Merkle hash tree H_j for each cluster j. In H_j, some leaf vertices correspond to the sensor nodes in cluster j, e.g. N_1, ..., N_i, and each is labeled with its hash value, e.g. u_i = h(k_i^r || ID_i || j), where || stands for the concatenation operator. The other leaves are left empty so that new nodes can be added in future; their labels are u_{i+1}, ..., u_w. The label of each non-leaf vertex is the hash of the concatenation of the labels of its two child vertices. The label of the root of H_j is the value of the commitment C_j. BS publishes the commitment C_j (j = 1, 2, ..., m), as illustrated in Fig. 2.

(4) BS computes the commitment C for the system from the set {C_j || j}, j = 1, 2, ..., m, by constructing a Merkle hash tree H. In H, each leaf vertex corresponds to one cluster j in the sensor network and is labeled with the hash of the commitment C_j and the identity j of that cluster, e.g. g_j = h(C_j || j). The label of each non-leaf vertex is the hash of the concatenation of the labels of its two child vertices. The root label of the Merkle hash tree H is the value of the commitment C. BS publishes the commitment C, as illustrated in Fig. 3.

Fig. 2. Merkle hash tree H

Fig. 3. Merkle hash tree H_j

(5) BS creates an identity certificate for each sensor node N_i, denoted Cert_i. Cert_i consists of the label of the vertex corresponding to that node along with its authentication path. For example, for the 1st leaf of cluster j in the Merkle hash tree, the identity certificate is Cert_1 = {Cert_11 = {k_1^r || ID_1 || j, u_2, ..., v_4, v_2}, Cert_12 = {C_j || j, g_{i-1}, ..., d_3, d_2}}. The Cert_11 part of certificate Cert_1 proves that the information k_1^r, ID_1 is legitimate. The Cert_12 part of certificate Cert_1 proves that node N_1 belongs to cluster j, according to the properties of the Merkle hash tree.

(6) Finally, BS preloads the secret keys (x_i, k_i), the identity certificate Cert_i, the commitment C, and h() onto each sensor node N_i (i = 1, 2, ..., n).

C. Authentication and key establishment phase

The process of mutual authentication and of generating a common session key k_it for two nodes N_i and N_t is described in the following.

(1) The node N_i chooses a random number A, computes wi= iIDt =(wix, wiy), then sends w_i and its identity certificate Cert_i. Similarly, the node N_t chooses a random number B, computes wt= tIDi=(wtx, wty), then sends w_t and its identity certificate Cert_t.

(2) On receiving w_t, N_i computes kit= ixiwt= i txixtP and s_i = h(w_ix || k_it || h^{r-z}(k_i) || z), then delivers (h^{r-z}(k_i), z, s_i) to N_t. Here it is assumed that N_i has already passed through authentication (z-1) times.


(3) After receiving (h^{r-z}(k_i), z, s_i), N_t first verifies h(k_i^r || ID_i || j) included in Cert_i with respect to the publicly known commitment C of the system, using the fact that the label of each non-leaf vertex is the hash of the concatenation of the labels of its two child vertices:

C_j = h(h(...h(h(k_i^r || ID_i || j) || u_{i 1})... || v_3) || v_2)    (1)

C = h(h(...h(h(C_j || j) || g_{j 1})... || d_3) || d_2)    (2)

N_t then checks whether the equations k_i^r = h^z(h^{r-z}(k_i)) and s_i = h(w_ix || k_it || h^{r-z}(k_i) || z) hold. If they hold, the node N_t can be sure that the node N_i is a legitimate node and has established their shared session key k_it. N_t computes kit= txtwi= t ixixtP and s_t = h(w_tx || k_it || h^{r-a}(k_t) || a), then delivers (h^{r-a}(k_t), a, s_t) to N_i. Here it is assumed that N_t has already passed through authentication (a-1) times.

(4) In the same way, N_i can check whether N_t is a legitimate node and compute their shared session key k_it.

D. Adding a new node, authentication and key establishment phase

If some sensor nodes are lost, new sensor nodes need to be deployed. The process of adding a new node and of authentication between a new node N_new and an old node N_old is described in the following.

(1) When a new node N_new is added, BS first checks the cluster instance of the system, and decides in which cluster f, and at which empty leaf of cluster f, to deploy N_new. Then BS generates secret keys (k_new, x_new), identity ID_new = x_new P, and identity certificate Cert_new = {Cert_new1 = {k_new^r || ID_new || f, ...}, Cert_new2 = {C_f || f, ...}} for N_new. Finally BS preloads the secret keys (x_new, k_new), identity ID_new, identity certificate Cert_new and h() onto N_new.

(2) The authentication and key establishment for the new node with any old node are the same as the authentication steps in section C.

IV. PROPOSED SCHEME ANALYSIS
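The certificate and key-chain checks of section III.C, step (3), and the reserved leaves of section III.D, as an added example that is not code from the paper. SHA-256 for h(), the byte layout of k_i^r || ID_i || j, random bytes standing in for ID_i = x_i P, the leaf position carried in the certificate, and keying the spare leaves at setup so that C never changes are all assumptions; the s_i / k_it exchange is not modelled.

```python
import hashlib
import os

R, W, M = 100, 4, 2   # chain length r, leaves per cluster w, clusters m (powers of two)

def h(*parts):        # one-way hash h(); SHA-256 is an assumption
    return hashlib.sha256(b"".join(parts)).digest()

def chain(value, n):  # h^n(value): n cascaded hash operations
    for _ in range(n):
        value = h(value)
    return value

def build_tree(leaves):   # all levels of a Merkle tree, leaf labels first, root last
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels, index):
    """Sibling labels from leaf to root (the u, v and g, d values in Cert_i)."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def root_from_path(label, index, path):
    """Fold an authentication path back to the root, as in equations (1), (2)."""
    for sibling in path:
        label = h(label, sibling) if index % 2 == 0 else h(sibling, label)
        index //= 2
    return label

def bs_setup():
    """Base station: key chains, cluster trees H_j, system tree H, certificates."""
    nodes, trees, cluster_data = {}, [], []
    for j in range(M):
        leaves = []
        for pos in range(W):      # every leaf is keyed now, spare ones included
            k, ident = os.urandom(16), os.urandom(8)  # ident stands in for ID_i
            data = chain(k, R) + ident + bytes([j])   # k_i^r || ID_i || j
            nodes[(j, pos)] = {"k": k, "data": data}
            leaves.append(h(data))                    # leaf label u_i
        trees.append(build_tree(leaves))
        cluster_data.append(trees[j][-1][0] + bytes([j]))   # C_j || j
    system = build_tree([h(d) for d in cluster_data])       # leaf labels g_j
    for (j, pos), node in nodes.items():
        node["cert"] = {"data": node["data"], "pos": pos, "path1": auth_path(trees[j], pos),
                        "cdata": cluster_data[j], "j": j, "path2": auth_path(system, j)}
    return system[-1][0], nodes   # public commitment C, preloaded node state

def verify(C, cert, released, z):
    """Receiver side: Cert_i must fold to C, then k_i^r must equal h^z(released)."""
    c_j = root_from_path(h(cert["data"]), cert["pos"], cert["path1"])
    if cert["cdata"] != c_j + bytes([cert["j"]]) or cert["data"][-1] != cert["j"]:
        return False              # leaf does not belong to the claimed cluster
    if root_from_path(h(cert["cdata"]), cert["j"], cert["path2"]) != C:
        return False              # cluster is not committed to by the base station
    return 1 <= z <= R and chain(released, z) == cert["data"][:32]

def demo():
    C, nodes = bs_setup()
    old, new = nodes[(0, 1)], nodes[(1, 3)]   # new: spare leaf handed out later
    forged = dict(old["cert"], data=chain(os.urandom(16), R) + os.urandom(8) + b"\x00")
    return {"member": verify(C, old["cert"], chain(old["k"], R - 3), 3),
            "added_later": verify(C, new["cert"], chain(new["k"], R - 1), 1),
            "forged_cert": verify(C, forged, chain(old["k"], R - 3), 3),
            "cert_without_key": verify(C, old["cert"], os.urandom(32), 3),
            "wrong_counter": verify(C, old["cert"], chain(old["k"], R - 3), 4)}

if __name__ == "__main__":
    print(demo())
```

A verifier needs only C and h(): the certificate supplies every sibling label, and the bound on z limits how many hash operations a peer can make it perform.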

A. Security Analysis

(1) The identity certificate Cert_i and the use of the one-way key chain allow node N_i's legal identity to be proved to any other node. Successful verification of Cert_i proves that the receiving node N_j has received a legitimate identity certificate and that the information (k_i^r, ID_i) is legitimate, because a node that creates a false (k_i^r, ID_i) cannot easily forge an identity certificate for which C is the public commitment, according to the properties of the Merkle hash tree. Also, because only the node N_i knows the secret key k_i and can give h^{r-z}(k_i), for which k_i^r = h^z(h^{r-z}(k_i)) holds, before it is released, successful verification of the hash chain relation k_i^r = h^z(h^{r-z}(k_i)) proves that the legitimate identity certificate that N_j has received is from node N_i.

(2) The proposed scheme can withstand a forgery attack. Because the Merkle hash tree and the public commitment C are generated by BS and no other node can forge them, a forged identity certificate Cert_i can easily be detected according to the properties of the Merkle hash tree. The validity of each key can be determined from the initial, certified key-chain commitment k_i^r. So a node presenting or replaying another node's identity certificate can easily be detected, and the proposed scheme therefore prevents key forgery or reuse. Moreover, the information (s_i, s_t) cannot be forged either. Assume that the authentication hash chain values for nodes N_i and N_t are h^{r-z}(k_i) and h^{r-a}(k_t) respectively. If an attacker obtains s_i = h(w_ix || k_it || h^{r-z}(k_i) || z) and s_t = h(w_tx || k_it || h^{r-a}(k_t) || a) in the authentication and key establishment phase, it is difficult for him to derive h^{r-z}(k_i) and h^{r-a}(k_t) from s_i and s_t under the secure hash function. Without knowing h^{r-z}(k_i) and h^{r-a}(k_t), the attacker cannot easily masquerade as node N_i or N_t to compute the actual s_i and s_t to cheat other nodes. Furthermore, the use of k_it in s_i and s_t also guarantees that only nodes N_i and N_t can verify and generate (s_i, s_t). Therefore, the proposed scheme can withstand any forgery attacks.

(3) The proposed scheme can prevent an attacker from using an old hash chain value to masquerade as a legal node. Suppose the node N_i has passed through authentication z-1 times. The node N_i generates s_i from (k_it, h^{r-z}(k_i), z) and sends (s_i, h^{r-z}(k_i), z) to the node N_t when the node N_i proves its identity to the node N_t. The node N_t computes k_it and verifies the validity of (s_i, h^{r-z}(k_i), z) in order to check the validity of the node N_i. Because only nodes N_i and N_t can calculate k_it (see section C), and other nodes do not know the secret key x_i or x_t and cannot compute k_it, other nodes cannot forge s_i.

If the node N_t saves (w_i, s_i, h^{r-z}(k_i), z) after it has finished the authentication with node N_i, and masquerades as the node N_i to perform authentication with another node N_C, then N_t can be detected. Suppose the node N_t has obtained the node N_i's identity certificate Cert_i, and sends (w_i, s_i, h^{r-z}(k_i), z) and Cert_i to the node N_C. The node N_C computes kCi= C xC IDi= i C xC xiP from ID_i in Cert_i and verifies the validity of (s_i, h^{r-z}(k_i), z) using k_Ci. It is certain that (s_i, h^{r-z}(k_i), z) cannot pass the authentication, since k_Ci ≠ k_it (kit= i t xi xtP). Suppose instead that the node N_t sends (w_i, s_i, h^{r-z}(k_i), z) with its own Cert_t to the node N_C. The node N_C computes kCt= C xC IDt = C t xC xtP from ID_t in Cert_t and verifies the validity of (s_i, h^{r-z}(k_i), z) using k_Ct. It is certain that (s_i, h^{r-z}(k_i), z) cannot pass the authentication, since k_Ct ≠ k_it (kit= i t xi xtP). Again, assume the node N_t generates s_i = h(w_ix || k_iC || h^{r-z}(k_i) || z) using the node N_i's old (h^{r-z}(k_i), z), and sends (s_i, h^{r-z}(k_i), z) to the node N_C with its identity certificate Cert_t. Although the k_Ct that node N_C computes is equal to the k_tC in s_i (k_Ct = k_tC), it is certain that h^{r-z}(k_i) cannot pass the authentication, since k_t^r ≠ h^z(h^{r-z}(k_i)). Therefore, no attacker can use an old hash chain value to masquerade as a legal node.

(4) The proposed scheme can resist the replay attack. In our scheme, the random number i or t is used only once, when the node N_i or the node N_t generates w_i, s_i or w_t, s_t, so the scheme can resist the replay attack. Assuming an attacker obtains w_i, s_i (wi= iIDt =(wix, wiy), s_i = h(w_ix || k_it || h^{r-z}(k_i) || z)) or w_t, s_t, it is very hard for the attacker to derive the random number i or t and form w_i, s_i or w_t, s_t. Moreover, when two nodes mutually authenticate each other, the validity of each identity certificate and each key must be checked against the Merkle hash tree and the certified key-chain commitment k_i^r, which prevents an attacker from replaying another node's identity certificate.


(5) The proposed scheme can prevent attackers from directly deploying malicious nodes into sensor networks. Because the validity of each identity certificate must be checked in the authentication phase, and only the base station can generate a legitimate identity certificate, no attacker can forge certificates for malicious nodes, and therefore attackers cannot directly deploy malicious nodes into sensor networks.

(6) The proposed scheme can prevent attackers from eavesdropping and injecting false reports into sensor networks. When a node passes the authentication procedure with another node, a shared key has already been established between them. The shared key between the two nodes is pair-wise and is known only to those two nodes, so it can be used to secure communications between them, and such shared keys can be used to secure communications across the sensor network. Therefore the proposed scheme can prevent attackers from eavesdropping and injecting false reports into the sensor network. Moreover, because each shared key is known only to the two nodes that established it, even if an attacker compromises a node, he only learns what the compromised node knows, and not the shared keys between other non-compromised nodes. Hence, the security of the entire sensor network is not compromised.

(7) The proposed scheme can overcome the security flaws of Huang et al.'s scheme. In Huang et al.'s scheme, after the two nodes N_i and N_j have authenticated each other, they must update their hash chains and inform the base station, which broadcasts their new hash chains so that the other nodes of the sensor network update their hash chains. It is possible that the broadcast messages of the base station are tampered with and forged by attackers, or that attackers masquerade as the base station to broadcast false messages, since communication is not secure in sensor networks. If a sensor node receives a false or forged updated hash chain, or does not update its hash chains in time according to the broadcast message, the sensor node would not be able to perform authentication with other nodes in future, and the security of the system will be affected. However, the proposed scheme does not need the base station to broadcast any authentication messages, and therefore it can overcome the security flaws of Huang et al.'s scheme.

B. Performance Analysis

(1) The proposed scheme is constructed based on elliptic curves, as is Huang et al.'s scheme. Compared to RSA, elliptic curves can achieve the same level of security with smaller key sizes, and a smaller key size offers faster computation as well as memory, energy and bandwidth savings.

(2) In Huang et al.'s scheme, each node must store all nodes' hash chain values h^r(k_i) (i = 1, 2, ..., n), or listen for updated hash chains all the time, in order to authenticate with other nodes. If the network consists of a large number of sensor nodes, the storage overhead associated with all nodes' hash chain values will be very high for each node, which is unsuitable for sensor nodes that have limited storage, computation and communication resources. Listening for updated hash chains all the time is not convenient for practical implementations. In the proposed scheme, the storage overhead for each node only includes one identity certificate, the commitment C and its hash key chain value h^r(k_i), and a node does not need to store all nodes' hash chain values. Therefore, the storage overhead of the proposed scheme is lower than that of Huang et al.'s scheme.

(3) In Huang et al.'s scheme, ten transmissions, 5 hash function computations and two point multiplications over an elliptic curve are required for each node to achieve mutual authentication. The proposed scheme also needs only ten transmissions and two point multiplications over an elliptic curve for each node to achieve mutual authentication. Although the number of hash function computations in our scheme is higher than in Huang et al.'s scheme, the cost of a hash function computation is very low. Therefore, the proposed scheme is at the same level of efficiency as Huang et al.'s scheme.

V. CONCLUSION

This paper proposes an admission control scheme for sensor networks based on a Merkle hash tree and a one-way hash chain. The proposed scheme not only prevents malicious nodes from joining sensor networks, but also makes it easy to add new nodes to sensor networks. Moreover, this paper analyzes all possible attacks and the performance of the proposed scheme, and shows that the scheme is secure and practical for sensor networks.

REFERENCES
[1] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and D. Tygar. Spins: Security protocols for sensor networks. ACM/Kluwer Wireless Networks Journal (WINET), September 2002.
[2] W. Zhang, H. Song, S. Zhu, and G. Cao. Least privilege and privilege deprivation: Towards tolerating mobile sink compromises in wireless sensor networks. In MobiHoc'05, Chicago, IL, May 2005.
[3] Q. Zhang, P. Wang, and D. P. N. Reeves. Defending against sybil attacks in sensor networks. In Proceedings of the 25th IEEE International Conference on Distributed Computing Systems Workshops, 2005.
[4] H. Wang, Q. Li. Distributed User Access Control in Sensor Networks. Second IEEE International Conference on Distributed Computing in Sensor Systems 2006, San Francisco, CA, USA, June 18-20, 2006.
[5] Y. Zhou, Y. Zhang, Y. Fang. Access control in wireless sensor networks. Ad Hoc Networks 5 (2007) 3-13.
[6] H. F. Huang. A novel access control protocol for secure sensor networks. Computer Standards & Interfaces 31 (2009) 272-276.
[7] Y. Cheng, D. P. Agrawal. An improved key distribution mechanism for large-scale hierarchical wireless sensor networks. Ad Hoc Networks 5 (2007) 35-48.
[8] M. Younis, M. Youssef, K. Arisha. Energy-aware routing in cluster-based sensor networks. In: Proceedings of the 10th IEEE/ACM International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (MASCOTS2002), Fort Worth, TX, October 2002.
[9] K. Arisha, M. Youssef, M. Younis. Energy-Aware TDMA-Based MAC for Sensor Networks. In: Proceedings of the IEEE Workshop on Integrated Management of Power Aware Communications, Computing and Networking (IMPACCT 2002), May 2002.
