Neighborhood-Based Security Protocol for Wireless Sensor Networks

Transcription

1 The 6th International Conference on Information Technology and pplications (ICIT 2009) Neighborhood-Based Security Protocol for Wireless Sensor Networks Di Zhang, Ung Heo, Yi Zhao, Kang Soo You* and Jaeho Choi Dept. of Electronic Engineering, Chonbuk National University, Chonju, Chonbuk, Korea bstract The main objective of this work is to minimize the intrusion attacks without causing a significant impact on energy consumption. One of the proposed methods was the neighborhood-based key agreement protocol (NEKP). It could provide an authentication in a wireless sensor network. Unfortunately, adversaries may launch a replay attack though the loophole of NEKP to successfully masquerade legitimate nodes and thereby compromise the communications over the network. In this paper, we present a modified security protocol for wireless sensor networks. Similarly to NEKP, we design and provide four types of keys for each node, which adapt to different security requirements. The descriptions on the proposed protocol in conjunction to the conventional NEKP are provided; and the improvement on the performance is also discussed and analyzed on several, typical attacks found in wireless sensor networks, i.e., replay attack and DoS attack. The study on our new security protocol shows that it can enhance the security resilience for the wireless sensor network better than the conversional method. Index Terms Wireless sensor networks, uthentication, Replay attack, Security protocol. I. INTRODUCTION Wireless sensor networks (WSNs) are distributed systems consisting of a large number of sensor nodes and a base station as a controller which interface the sensor network to the outside network. WSNs may be deployed in unattended and often adversarial environments such as battlefield. Compared with the conventional networks, they seem more vulnerable to physical destruction and man-made threats. Therefore, providing security is a particular challenge in sensor networks due to the resource limitations of sensor nodes, wireless communication and so on. s a specific example, it s not practical to use asymmetric cryptosystems in a sensor network where each node with low operational capability and insufficient memory (e.g. Crossbow s IC2/PR400CB sensor node [10]). Thus, the key management protocols for sensor networks are based upon the symmetric key algorithms, and the design of the security protocols for WSNs should be as light-weight as possible. The authors are with Dept. of Electronic Engineering, Chonbuk National University, Chonju, Rep. of Korea, * Kang Soo You is with Jeonju University, Chonju, Korea. ICIT 2009 ISBN: NEKP [1], a design of link layer key agreement protocol for sensor networks which establishes two kinds of keys: pairwise keys, for link layer pairwise communications, and cluster keys, for link layer broadcast communication. In NEKP protocol, the node keys are generated from the master keys of neighbor nodes, making the discovery of these keys more difficult to the enemy. To establish all the keys, each node broadcasts only three messages which render the protocol very energy-efficient. The main contribution of this work is a key agreement where each key is valid only in its neighborhood and the impact of a node key compromised can be restricted to the node s neighborhood. Thus, it s impossible for an adversary to carry out an attack in wide scale by capturing only a few nodes. oreover, the energy cost of the solution is lower than the others presented so far. NEKP has many advantages for WSNs, such as intruder resilient, energy efficient and so on. Unfortunately, NEKP is vulnerable to replay attack [8] because of the keys establishment process which has only three broadcast messages. malicious node may transmit the old message which broadcasted from a legal node to its neighbor nodes, and the message can t be authenticated due to these two nodes can t communicate directly (we will show detail in Section Ⅱ). So the malicious node may gain the legal status through cheating the chosen legal nodes by transmitting old message, and then the adversary may lunch other attacks, such as DOS [9] attack, black-holes attack, masquerade attack, and so on. In this paper, we modified the NEKP protocol in preventing replay attack, and present a new modified security protocol for wireless sensor networks. The rest of the paper is organized as follows. In Section Ⅱ, we review the related works in some security protocols provided for sensor networks and the overview of NEKP, show the loopholes of NEKP which may exploited by an adversary to lunch a replay attack. In Section Ⅲ, we discuss our system and assumptions, and then we present the details of our modified security protocol. Finally, we present security and performance analysis in Section Ⅳ, and we will show our conclusions in Section Ⅴ. II. RELTED WORKS Link layer key agreement between neighboring nodes is a fundamental issue for securing sensor networks deployed in unattended and hostile environments [2]. There are several approaches present in literature [3] [4] [5]. In this way, two nodes can communicate with a shared pairwise key directly. 271

2 Fig. 1 Replay attack by one node Localized Encryption and uthentication Protocol (LEP) [6] was proposed by Zhu et al as a key management protocol for sensor networks designed to support in-network processing, while solving the problem of key distribution and restricting the impact of a compromised node to the network. LEP establishes four types of keys, for each node and communication type: 1) individual node key, shared between each node and the base station, used in communication with base station, pre-load before its deployment; 2) pairwise key, shared between a node and each one of its neighbors, used in pairwise communication among them; 3) cluster key, shared between a node and all its neighbors, used in local broadcast communication; and 4) group key, shared by all nodes, used in broadcast multi-hop from base station. In sensor networks, pre-deployed key was the most practical approach for bootstrapping secret keys in sensor nodes. In LEP protocol, nodes were loaded before they were deployed in the sensor field. Pairwise keys could be generated between two nodes based on this pre-deployed key information. The problem of LEP is the excessive number of messages exchanged in the establishment of the keys; the communication cost will be very high. Oliveira et al present SPINS [7], a security protocol for WSNs. This work proposed two building security blocks optimized for sensor networks: SNEP and μtesl. SNEP provides end-to-end data confidentiality, two part date authentication, and data freshness between the base station and each node; μtesl is a protocol which provides multihop broadcast from the base station. s NEKP is a peer-to-peer approach, it can be used with SNEP or μtesl protocol to increase security for sensor networks.. Overview of NEKP NEKP is a link layer key management protocol that establishes two kinds of keys: pairwise keys, for link layer pairwise communication; and cluster keys, for link layer broadcast communication. It is similar to LEP protocol; however, NEKP is more resilient to node tampering and even more energy-efficient. In NEKP, each node pre-loaded with a master key, broadcast to its neighbors its key encrypted with a global Fig. 2 Replay attack by two nodes shared key. The node keys are generated from the master keys of neighbor nodes, making the discovery of these keys more difficult to the adversary. To establish all the keys, each node broadcasts only three messages, which render the protocol very energy-efficient. Due to the key is valid only in its neighborhood and the impact of a node key compromised can be restricted to the node s neighborhood, these results render the NEKP protocol intruder resilient. B. Loopholes of NEKP In NEKP protocol, the process of key establishment is only three broadcast messages, which broadcasted from each node to its neighbor nodes. NEKP can provide the data confidentiality, but cannot provide broadcast authentication in the key establishment phase. Thus, they are vulnerable to the replay attack. It can be seen that some malicious nodes are deployed in a sensor network in the initialization phase. If the malicious node retransmits the legitimate old messages which broadcasted from a legal node to another one while these two nodes cannot communicate directly. The malicious node can impersonate as a legal node in network, as shown in figure 1. In figure 1, the malicious node can retransmit node s broadcast messages to node B, so node B will regard the malicious node as node. Similarly, the malicious node also can be as a neighbor node B to node, if it retransmitted node B s broadcast messages to node. But actually, node and B cannot communicate to each other directly, and the malicious node as an intermediate node between node and B in network. It can be seen that the malicious node cannot threaten the security of its region when it between two nodes which they can communicate directly. So, the figure 1 shows one condition which attack by one node and the figure 2 shows the other condition which attack by two nodes. Combining these two conditions, random diffusion with several malicious nodes will confuse the framework of the network (as shown in figure 3). The adversary can make a DOS attack or black-hole attack after the routing establishment completed. 272

3 Fig. 3 Replay attack by more than two nodes. System and ssumptions III. PROPOSED ETHOD We assume that a typical sensor network forms around one or more base stations as a controller (or key server) with sufficient power, memory and computational capabilities which interface the sensor network to the outside network. The sensor nodes establish a routing forest, with a base station at the root of every tree. However, we assume that the base station will not be compromised. Nodes deployment is random, the neighborhood of any node is unknown in advance, the wireless communication is not secure and it is subject to eavesdropping, insertion of packages and replay older messages. The nodes are vulnerable to tampering. We assume that if a node was compromised, the enemy can know all the information it handles. B. Notation The following symbols are used in the text: - ID : Node identifier, C address; - f : Pseudo-random function; : lobal key shared in each node; : aster key, which only known by the BS; : Individual key of node ; : Cluster key of node ; n : The n th key of node s one-way key chain for local broadcast authentication; : entification key of node ; : entification master key, which only known by the BS; B : Pairwise key shared between node and B; In : The insertion key which used for new nodes insertion in the insertion phase; - BS *: Sending a broadcast message by BS; - { } K : The encryption of message with encryption key K; - { }( K, IV ): Denote the encryption of massage, with key K and the initialization vector IV which is used in encryption modes; - C{ } K : Denotes the computation of the message authentication code (C) of message, with C key K. C. Protocol Description Similar to LEP and NEKP protocols, the design of our protocol supports for multiple keying mechanisms which is motivated by the observation that different types of messages exchanged between sensor nodes have different security requirements, and that a single keying mechanism is not suitable for meeting these different security requirements. Specifically, we support the establishment of four types of keys for each sensor node an individual key shared with the base station, a pairwise key shared with another sensor node, a cluster key shared with multiple neighboring nodes, and a global key shared by all the nodes in the network. Our protocol also includes an efficient protocol for local broadcast authentication based on the use of one-way key chains. In order to prevent the threat of replay attack, our protocol provides a malicious node detection phase to detect and remove the malicious nodes which may have existed in the network. In addition, we provide a new bootstrapping method in our protocol which solves the security threat of the initialization phase (detailed in Section Ⅳ). Our procedure is described as follows. 1) The Initialization Phase Step 1: Each node should pre-loaded a unique number as its node identifier (ID). Step 2: Create a master Key ( ) and an identification K master key ( K ) for all nodes by the controller which only known by base station (BS). Step 3: Compute and install an identification key ( K ) for each node : K = f( K, ) Step 4: Each node should pre-load its individual key ( K ), cluster key ( K ) and global key ( K ): K = f( K, ) K = f ( K, ) 2) The Broadcast Phase Step 1: When the broadcast phase starts each node broadcasts message to its neighbor nodes: *:{ K,, K }, 1 ( K, K ) Step 2: short waiting phase for that all nodes completed broadcasting of messages. Step 3: The base station (BS) broadcasts and reveals the ) to all nodes. BS K *: 273

4 applicable to our sensor network since that the compromised nodes can t communicate directly. In our protocol, we use a malicious node detecting and diagnosing mechanism based on acknowledgment message (CK) to solve the above problems. When a message is received, an CK is generated and sent to the node that sent the message. Then the message is saved in a temporary buffer until the CK comes back. If the CK is received in a certain amount of time, then the node is an honest node, but if the message is not received in that amount of time then it is a dishonest node, the message may be transmitted by the malicious node. Thus, the node will erase all the related information, such as the pairwise key. (The procedure is shown in figure 4). The new node insertion phase is the same way as NEKP protocol, so we skip the details of this part. IV. SECURITY ND PERFORNCE NLYSIS In this section, we discuss some issues and problems about our modified protocol.. Security nalysis: Fig. 4 The procedure on malicious node detecting and diagnosing mechanism The neighbor nodes can compute the identification key ( K ) of node, and then they can decrypt the packet to get the cluster key of node, the first key of node s one-way key chain for local broadcast authentication and verify the identification of the packet. t last, erase the identification key ( K ) and ). Step 4: when the node has finished the above process it will broadcast its neighbor nodes list to its neighbor nodes: *:{ IDi i N} K, K, ({ }, ) C IDi 2 i N K K 2 K Node s neighbor nodes B can receive the list of node, and the pairwise key ( K B ) between node and B will be: KB = f( K, K B, IDi i N NB ) The pairwise key between node and B is computed by their cluster keys and the identifier of their common neighbors. That makes the adversary more difficult to compromise the network. For example, in figure 1, the common neighbor of node and B is node C. 3) alicious Node Detection and Diagnosing Phase Replay attack is a malicious node stores a received message and attempts to send it at a later time. When the nodes receive the message, they believe that it is an original message, which it is not. That causes the nodes to come up with the wrong distance and signal strength since the node sending the original message is not where they think it is. ost proposals for preventing the replay attack rely on timestamp or sequence number. ethod based on timestamp must be supported by a synchronization mechanism which can made more complex computation and energy consumption; and the other method which based on sequence number is not 1) bout the new bootstrapping method In LEP and NEKP protocols, there is an important assumption. They assume there exists a lower bound on time interval T min that is necessary time for an adversary to compromise a sensor node, and that the time T est for a newly deployed sensor node to discover its immediate neighbors is smaller than T min. In practical, it seems a reasonable assumption that T min >T est, but if an adversary can compromise a sensor node within the time interval T est, they can known all the information in this node, then the adversary can decrypt all broadcasting information by the global key. In our protocol, each node sends { K,, K }, to 1 ( K, K ) its neighbor nodes. Notice that each node does not know the identification key ( K ) of any other node since it constructed from the ). Even if the adversary compromises a sensor node within the time interval T est, they cannot decrypt any packets. The adversary can t known any node s information except the compromised node s before the ) reveals. In other words, this packet cannot be fabricated and falsified since nobody can decrypt the message without the ) and the identifier contained in the packet can authenticate the same one outside. The construction of pairwise key is also based on its neighbor nodes. So similar to NEKP protocol, our modified protocol also has the good characters of NEKP, such as intruder resilient. 2) bout the malicious node detecting and diagnosing mechanism In order to solve the threat of replay attack, we present a malicious node detecting and diagnosing mechanism based on acknowledgment message. 274

5 This method is based on the fact that sending CK through a malicious node would take a longer time than transmitted by straight-line. That is a light-weight and effective protocol. The controller can detect and define most of malicious nodes, and then disposal these malicious nodes betimes. B. Performance nalysis: We mainly consider the following performance metrics in our protocol. 1) Communication Overhead In our protocol, there are only two broadcast messages need to be transmitted during the key establishment phase, and the malicious node detecting and diagnosing mechanism is a light-weight protocol, so the communication overhead is very low. 2) Computational Overhead The main computational overhead for each node is to verify a C and establishing a pairwise key with every neighbor node. ll these processes are easy to complete, so the computational overhead is also low. V. CONCLUSIONS We have presented our modified protocol for wireless sensor networks, it not only has the advantages which the NEKP protocol has, but also solves some problems on security threat of NEKP. The properties of our protocol as followed: Our protocol support for establishing four types of keys per node individual keys shared with the base station, pairwise keys shared with individual neighboring nodes, cluster keys shared with a set of neighbors, a group key shared with all the nodes in the network and an efficient protocol for local broadcast authentication based on the use of one-way key chains. These keys can be used to increase the security of many non-secure protocols. In our protocol, we give a new bootstrapping scheme to our key establishment phase to avoid the threat when the adversary can compromise a sensor node within the time interval T est. It uses an encrypted massage by the global key ( K ) and an identification key ( K ), no nodes know the identification key until the base station discloses the ). Therefore, the new bootstrapping scheme can increase the security of the sensor network against the node compromising. Our protocol gives a light-weight and effective malicious node detecting and diagnosing mechanism based on acknowledgment message. It can effectively decrease the number of intermediate malicious nodes to make our protocol more secure to replay attack. To generate the keys, our protocol requires only two broadcasted messages from each node and thus energy-efficient and appropriate to be used in WSNs. REFERENCES [1] De Oliveira S., Hao Chi Wong and Nogueira J.., "NEKP: Intruder Resilient and Energy Efficient Key Establishment in Sensor Networks", International Conference Computer Communication and Networks, 2007 (ICCCN '07), Honolulu, Hawaii, US, [2] Y. Zhou and Y. Fang, "Scalable Link-Layer Key greement in Sensor Networks", ilitary Communications Conference, 2006, (ILCO 06), Washington, D.C., US, [3] L. Eschenauer and V. D. licor, " key-management scheme for distributed sensor network", 9 th C conference on Computer and Communication Security, November 2002, (CCS 02), Washington, D.C., US, [4] H. Chan,. Perrig and D. Song, "Random key predistribution schemes for sensor networks", 2003 IEEE Symposium on Security and Privacy ay 11-14, 2003, Berkeley, C, pp. 197, [5] D. Liu, P. Ning and R. Li, "Establishing Pairwise Keys in Distributed Sensor Networks" C Transactions on Information and System Security, Vol. 8, No. 1, February [6] S. Zhu, S. Setia and S. Jajodia, "LEP: efficient security mechanisms for large-scale distributed sensor networks", 10 th C Conference on Computer and Communications Security (CCS '03), Washington D.C., US, October [7]. Perrig, R. Szewczyk, J. D. Tygar, V. Wen and D. E. Culler, "SPINS: security protocols for sensor networks", Wireless Networks 8, 2002, Kluwer cademic Publishers, Netherlands, pp , [8] atthew Vella and hmed ahdy, "Survey of wireless sensor network security", The 2008 National Conference for the Society for dvancement of Chicanos and Native mericans (SCNS '08), Salt Lake, Utah, US, [9] D. Raymond, S. idkiff, "Denial-of-Service in Wireless Sensor Networks: ttacks and Defenses", IEEE Pervasive Computing, vol. 7, pp , [10] Wireless Sensor Networks: etting Started uide, Rev., Doc. # , Crossbow Technology, Inc, San Jose, C, Sep pdf [Viewed online 10 ay 2009]. 275