Improving Availability of Secure Wireless Sensor Networks




SETIT 2007
4th International Conference: Sciences of Electronic, Technologies of Information and Telecommunications
March 25-29, 2007, TUNISIA

Mohsen Sharifi*, Saeed Pourroostaei* and Saeed Sedighian Kashi*
* Computer Engineering Department, Iran University of Science and Technology
msharifi@iust.ac.ir, spourroostaei@comp.iust.ac.ir, Sedighian@iust.ac.ir

Abstract: As wireless sensor networks continue to grow, so does the need for effective security mechanisms. One of the main challenges for efficient key distribution in wireless sensor networks is resource limitation. Some nodes play a central role in key distribution. For example, cluster heads in the LEAP security protocol have the main responsibility for key distribution to their cluster nodes, and therefore use more resources than the other nodes in their cluster. In case of a cluster head failure, e.g. battery wear-out, all nodes within the cluster lose their connection to the base station and are considered dead by the base station although the cluster nodes are alive. The unavailability of the base station has a similar implication, but to a wider extent: it covers all live cluster heads and cluster nodes in the network and leads to the failure of the whole network. This paper presents a new energy-aware key distribution solution to enhance the availability of a secure wireless sensor network environment by increasing the lifetime of all constituents of the network, including the base station, cluster heads and cluster nodes.

Key words: Wireless Sensor Networks, Security, Key Distribution, Lifetime, Availability, Reserved Node.

INTRODUCTION

Wireless sensor networks (WSNs) are quickly gaining popularity because they are potentially low-cost solutions to a variety of real-world challenges [1]. Their low cost provides a means to deploy large sensor arrays in a variety of conditions, capable of performing both military and civilian tasks.
But sensor networks also introduce severe resource constraints due to their lack of data storage and power. Both of these represent major obstacles to the implementation of traditional computer security techniques in a WSN. Unreliable communication channels and unattended operation make security defenses even harder. Indeed, as pointed out in [8], wireless sensors often have the processing characteristics of machines that are decades old (or longer), and the industrial trend is to reduce the cost of wireless sensors while maintaining similar computing power. With that in mind, many researchers have begun to address the challenges of maximizing the processing capabilities and energy reserves of WSNs while also securing them against attackers. To name a few, the following aspects of WSNs are being examined: secure and efficient routing [3,12,20], data aggregation [6,15,18,24] and group formation [2,8].

Contrary to current expectations, we observe that most general-purpose sensor network solutions, particularly the early research, assume that all nodes are live, cooperative and trustworthy. This is not the case for most real-world WSN applications, which require a certain amount of trustworthiness in the application in order to maintain proper functionality. Researchers have therefore begun focusing on building sensor trust models to establish security beyond the capability of traditional cryptographic security techniques [4,10,21]. But, apart from trustworthiness, the nodes of a WSN may not always be live in the real world and are prone to all sorts of failures as well. The implications of node failures for the security of WSNs have not been investigated much. This paper intends to present a solution for the latter issue. Our thesis is that a continuous and stable secure network can be in place even when nodes are unavailable.

In this paper we assume a wireless sensor network with a single base station and a number of clusters, wherein one node within each cluster heads the other nodes of the cluster. The base station is the network coordinator, with which cluster heads in its radio range can communicate. Since sensor nodes have limited radio coverage, the network is clustered in such a way that each cluster head can communicate with the base station in a single hop; ordinary nodes within a cluster communicate with their cluster head in a single hop too. Symmetric cryptographic keys [9,25] are used to establish the security of WSNs. The base station and the cluster head nodes, with their limited resources, are responsible for key distribution management and are thus more critical than other nodes for network availability. In case of a cluster head failure, e.g. battery wear-out, all nodes within the cluster lose their connection to the base station and are considered dead by the base station although the cluster nodes are alive. The unavailability of the base station has a similar implication, but to a wider extent: it covers all live cluster heads and cluster nodes in the network and leads to the failure of the whole network.

The availability of the network can however be ensured if, upon the failure of any cluster head or of the base station, an equivalent replacement node can serve the same duties, leading to a more stable network. This is the line of thought pursued in our approach in this paper. The base station keeps a list of properties of all sensor nodes in the network, such as security properties (e.g. private key, node id, and public key). Each cluster head likewise has a list of properties of its nodes, such as security properties (e.g. cluster key). If, upon the failure of a cluster head, a reserved head node [19] can be assigned to the cluster, it is possible to take the security properties of the nodes within that failed cluster from the base station and safely transfer them to the new replacement node.
A similar scenario applies when the base station fails, so it is possible to improve the fault tolerance of our WSN in this way. RAP tries to realize this improvement by showing how reserved nodes can replace an unavailable base station or cluster nodes, and how the security properties of unavailable nodes can be transferred safely to these replacements without violating the security of the whole network.

The rest of the paper is organized as follows. Section 1 describes the three most relevant security protocols, namely the SPINS, SNAKE and LEAP key management protocols, as well as other similar extensions to these protocols. Section 2 presents the RAP protocol and the assumptions on which it is based. Section 3 discusses the performance evaluation of RAP, and the last section concludes the paper and presents some future thoughts.

1. Related Works

The most relevant protocols to our proposed protocol for wireless sensor networks are the SPINS, SNAKE and LEAP key distribution protocols.

1.1. SPINS

SPINS (Security Protocols for Sensor Networks [8]) is a security protocol that includes two protocols, SNEP and μ-TESLA [1]. SNEP provides data confidentiality, two-party data authentication and data freshness, and μ-TESLA provides authenticated broadcast for severely resource-constrained environments. In this protocol, the base station (key server) assigns a unique key to each session for communication between any pair of nodes. All cryptographic primitives, i.e. encryption, message authentication code (MAC), hash, and random number generator, are constructed out of a single block cipher for code reuse. This, along with the use of symmetric cryptographic primitives, reduces the overhead on the resource-constrained sensor network. In a broadcast medium such as a sensor network, data authentication through a symmetric mechanism cannot be applied, as all the receivers know the key. μ-TESLA constructs authenticated broadcast from symmetric primitives, but introduces asymmetry with delayed key disclosure and one-way function key chains [1].

1.2. SNAKE

SNAKE is a protocol that can negotiate the session key in an ad-hoc way. Nodes do not need a key server to perform key management [2]. For example, as shown in Figure 1, node A, which wishes to start communication with node B, sends a request message along with a nonce ($N_A$) to B. B replies with a two-part message: $T$ and $\mathrm{MAC}[T]$. $T$ includes the identifier of A ($ID_A$), the identifier of B itself ($ID_B$), the nonce taken from A ($N_A$), and a nonce generated by B ($N_B$). $N_A$ and $N_B$ are used for data freshness, and $\mathrm{MAC}[T]$ acts as a message authentication code for A. When A receives this message from B, it checks the MAC and concludes that B is a valid node to communicate with. In order for B to establish the validity of A as well, A sends a message back to B containing its identifier ($ID_A$), the nonce taken from B ($N_B$), and an authentication code $\mathrm{MAC}[ID_A | N_B]$. At this point, A and B are authenticated to each other. A shared session key is now generated by both nodes, $K_{AB} = \mathrm{MAC}_K[N_A | N_B]$, which can be used in their further communications.
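The SNAKE exchange described above, written out as an added example (not code from the paper or from SNAKE's authors). It assumes HMAC-SHA256 as the MAC, a key K already shared by both nodes, and per-message labels for domain separation; the Node class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, label: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so concatenation is unambiguous.
    The label is an addition of this example, not part of the paper's formulas."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in (label, *fields):
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()


class Node:
    def __init__(self, node_id: bytes, k: bytes):
        self.id, self.k = node_id, k
        self.sent = {}      # initiator role: peer id -> N_A we issued
        self.seen = {}      # responder role: peer id -> (N_A, N_B)
        self.session = {}   # peer id -> established K_AB

    def request(self, peer: bytes) -> dict:
        """A -> B: request carrying a fresh nonce N_A."""
        na = secrets.token_bytes(8)
        self.sent[peer] = na
        return {"src": self.id, "NA": na}

    def respond(self, m1: dict) -> dict:
        """B -> A: T = (ID_A, ID_B, N_A, N_B) and MAC[T]."""
        nb = secrets.token_bytes(8)
        self.seen[m1["src"]] = (m1["NA"], nb)
        t = (m1["src"], self.id, m1["NA"], nb)
        return {"T": t, "mac": mac(self.k, b"T", *t)}

    def confirm(self, m2: dict) -> dict:
        """A checks freshness and MAC[T], then sends ID_A, N_B, MAC[ID_A|N_B]."""
        id_a, id_b, na, nb = m2["T"]
        if id_a != self.id or self.sent.get(id_b) != na:
            raise ValueError("stale or misdirected reply")
        if not hmac.compare_digest(m2["mac"], mac(self.k, b"T", *m2["T"])):
            raise ValueError("bad MAC on T")
        del self.sent[id_b]
        self.session[id_b] = mac(self.k, b"KAB", na, nb)   # K_AB = MAC_K[N_A|N_B]
        return {"IDA": self.id, "NB": nb, "mac": mac(self.k, b"ACK", self.id, nb)}

    def finish(self, m3: dict) -> None:
        """B checks that A returned B's own nonce under a valid MAC."""
        na, nb = self.seen.get(m3["IDA"], (None, None))
        if nb is None or m3["NB"] != nb:
            raise ValueError("unknown or replayed confirmation")
        if not hmac.compare_digest(m3["mac"], mac(self.k, b"ACK", m3["IDA"], nb)):
            raise ValueError("bad MAC on confirmation")
        del self.seen[m3["IDA"]]                            # one use per nonce
        self.session[m3["IDA"]] = mac(self.k, b"KAB", na, nb)


def handshake(a: Node, b: Node):
    """Run the three messages; return both session keys and the last message."""
    m1 = a.request(b.id)
    m2 = b.respond(m1)
    m3 = a.confirm(m2)
    b.finish(m3)
    return a.session[b.id], b.session[a.id], m3


if __name__ == "__main__":
    k = bytes(range(16))                                    # constructed sample key
    ka, kb, _ = handshake(Node(b"A1", k), Node(b"B7", k))
    print("session keys match:", ka == kb)
```

Because each nonce is deleted once its confirmation is accepted, a recorded third message cannot be replayed to B, and a responder that does not hold K fails A's check on MAC[T].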

Figure 1. A sample key establishment sequence in SNAKE

1.3. LEAP

LEAP (Localized Encryption and Authentication Protocol) [13] is a key management protocol for sensor networks that is designed to support in-network processing, while at the same time restricting the security impact of a node compromise to the immediate network neighborhood of the compromised node. The design of the protocol is motivated by the observation that different types of messages exchanged between sensor nodes have different security requirements, and that a single keying mechanism is not suitable for meeting these different security requirements. Hence, LEAP supports the establishment of four types of keys for each sensor node: an individual key shared with the base station, a pair-wise key shared with another sensor node, a cluster key shared with multiple neighboring nodes, and a group key that is shared by all the nodes in the network. The protocol used for establishing and updating these keys is communication- and energy-efficient, and minimizes the involvement of the base station. LEAP also includes an efficient protocol for inter-node traffic authentication based on the use of one-way key chains. A salient feature of the authentication protocol is that it supports source authentication without precluding in-network processing and passive participation [5].

1.4. Other Protocols

Other researchers have also presented solutions to key management in wireless sensor networks, as extensions to or complements of the aforementioned three basic protocols. Liu and Ning [10] propose an enhancement to the μ-TESLA system that uses broadcasting of the key chain commitments rather than the μ-TESLA unicasting technique. They present a series of schemes, starting with a simple pre-determination of key chains and finally settling on a multi-level key chain technique.
The multi-level key chain scheme uses pre-determination and broadcasting to achieve a scalable key distribution technique that is designed to be resistant to some types of wireless sensor network attacks [19].

Huang et al. [7] propose a hybrid key establishment scheme that makes use of the differences in computational and energy constraints between a sensor node and the base station. They posit that an individual sensor node possesses far less computational power and energy than a base station. In light of this, they propose to place the major cryptographic burden on the base station, where the resources tend to be greater. On the sensor side, symmetric-key operations are used in place of their asymmetric alternatives. The sensor and the base station authenticate based on elliptic curve cryptography. Elliptic curve cryptography is typically used in sensors because relatively small key lengths are required to achieve a given level of security [19].

2. Our Approach

All key management protocols noted in Section 1 introduced alternatives to perform key management efficiently. However, none were concerned with the availability (failure or lifetime) of the server responsible for key management. In other words, they do not guarantee a stable secure network in the long run. We propose a protocol, nicknamed RAP, which we believe provides a continuous and stable secure network even when the key server is unavailable. This is achieved by providing equivalent reserved nodes and exchanging them for unavailable nodes responsible for key distribution or key establishment. It should be noted that [19] deploys the idea of reserved nodes too, but it presumes specific locations for nodes for particular usage. Furthermore, it does not present a fault-tolerant and secure data transfer between the nodes of the network.
Before presenting our approach, let's first go through a scenario in a secure WSN, such as one using the LEAP protocol. Consider a number of sensor nodes organized into clusters. Each cluster has a cluster head through which nodes can communicate with the base station. Four types of keys are used to establish security in this network. Each new node in a cluster uses a pair-wise shared key between itself and the immediate neighboring node in the same cluster with which it wants to communicate. Data transferred to cluster nodes are first encrypted with the cluster key by the relevant cluster head. In this way, secure message communication between nodes is established as long as neither the cluster heads nor the base station fail to perform for any reason. As it stands, this scenario fails to take account of the key server nodes, whose failure probability is higher than that of other nodes; i.e. it does not lead to a stable secure network. Having said that, we have made the following assumptions in our proposed protocol:

- Each node has one unique ID.
- All nodes have the same physical properties, such as processing power and memory capacity.
- The base station acts as a controller and has a list of all nodes with their private keys.
- Each cluster head has a list of its cluster nodes.
- All nodes within a given cluster, including the cluster head, share a unique key (known as the cluster key), which is created by following any reasonable protocol, such as LEAP, when the WSN containing the head is configured.
- Each node has a pseudo-random function [5] (F) for generating the next key in sequence.
- Each node has a list of its neighbors and their count (C).
- Every node in the network has a built-in private key embedded during manufacturing.

It should be pointed out that each node in the network must keep the count of its neighboring nodes so that, upon the failure of the base station or of any cluster head, a suitable replacement node can be found whose radio covers as many live nodes within its cluster as possible.

On the basis of the aforementioned assumptions, the protocol is described for two types of failures: (1) base station failure and (2) cluster head failure. In both cases, a counter C is used that denotes the number of neighbors. To begin with, every node broadcasts a hello message containing its id to all its neighboring nodes. Each receiver node then adds every received id to its id list and increments the counter (C).

In case of base station failure, e.g. when the base station battery becomes low or nears a specified minimum threshold, the base station sends a query, encrypted with the group key (shared by all nodes in the network, as in e.g. the LEAP protocol), to all nodes in its radio range (i.e. the cluster heads in its range). Each receiver node replies to the base station's enquiry by sending its remaining energy and the value of its counter C.
The base station then checks all replies received within an arbitrary time period and typically selects as replacement a replying node that can take as many nodes in its coverage as possible and has sufficient energy to serve for the longest period of time to come. The base station then sends a message to the selected replacement node giving it all information about the network, such as the list of node identifiers, the list of private keys of the nodes and the group key for the whole network. This message is encrypted with the selected node's private key. Now the base station can fail gracefully and the new replacement node can start acting as the base station from then onwards.

In the second case, when a cluster head becomes prone to failure, it broadcasts a query to all nodes in its cluster. Each receiver node replies to the cluster head's enquiry by sending its remaining energy and the value of its counter C. When the cluster head has received the replies from these nodes within an arbitrary time period, it selects as replacement a replying node that can take as many nodes in its coverage as possible, has sufficient energy to serve for the longest period of time to come, and can communicate with the current base station in a single hop. Having selected the appropriate replacement, the cluster head sends it a message informing it that it has been selected as such. Now the information known by the cluster head must be passed to the selected node. But, contrary to the first case, in the second case the cluster head does not know the private key of the node it has selected to replace itself. So in order to securely transfer the information held by the cluster head to the selected node, a shared session key must be created between these two nodes.
This shared key is generated as in formula (1):

$$K_{ex} = F_{idn}(K_{ck}) \qquad (1)$$

where $K_{ck}$ is the cluster key for this cluster, $idn$ is the identifier of the selected node and $K_{ex}$ is the shared key. Now the old cluster head can fail gracefully and the new replacement node can start acting as the new cluster head from then onwards.

3. Evaluation

The computational cost of RAP is equal to the computational cost of other related security protocols for wireless sensor networks. The additional communication cost due to the additional required messages, in comparison to other related security protocols for wireless sensor networks, is incurred only when the base station's energy becomes low. This is an acceptable overhead to pay for achieving fault tolerance of the network. Cluster head switching entails further communication and computation overheads too, but this is a trade-off to avoid a cluster head failure that can cause the failure of the whole network. The storage overhead is the same in all related algorithms, including RAP. RAP does not impose any special storage requirements.

We set up a grid topology in PARSEC [13] (Parallel Simulation Environment for Complex Systems) and implemented our proposed protocol (RAP) in its C-based discrete event simulation language. Two cases were simulated in turn. The first case compares the network lifetime under RAP with the network lifetime without RAP when the base station fails. The results are plotted separately for 4 groups of 16, 64, 256 and 1024 sensors, as shown in Figure 2. Network lifetime is increased by nearly 25% in all 4 groups.
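The cluster-head handoff of Section 2, as an added example that is not the authors' implementation: the failing head picks a successor from the replies and seals its state under the key of formula (1). HMAC-SHA256 as F, the reading of F_idn(K_ck) as F keyed by K_ck over idn, the energy floor, the tie-breaking order, the encrypt-then-MAC wrapper and all names are assumptions.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    """One member's answer to the failing cluster head's query."""
    node_id: int
    energy: float       # remaining energy (arbitrary units)
    neighbors: int      # counter C built from hello messages
    reaches_bs: bool    # single hop to the current base station?


def select_replacement(replies, min_energy=20.0):
    """Assumed rule: require base-station reachability and an energy floor,
    then prefer the largest C, breaking ties by remaining energy."""
    ok = [r for r in replies if r.reaches_bs and r.energy >= min_energy]
    return max(ok, key=lambda r: (r.neighbors, r.energy), default=None)


def prf(key: bytes, data: bytes) -> bytes:
    """F: HMAC-SHA256 standing in for the paper's pseudo-random function."""
    return hmac.new(key, data, hashlib.sha256).digest()


def exchange_key(cluster_key: bytes, idn: int) -> bytes:
    """Formula (1), K_ex = F_idn(K_ck), read as F keyed by K_ck over idn."""
    return prf(cluster_key, b"K_ex" + idn.to_bytes(2, "big"))


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += prf(key, nonce + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def seal(k_ex: bytes, state: dict) -> bytes:
    """Encrypt-then-MAC the cluster state (stdlib stand-in for an AEAD)."""
    k_enc, k_mac = prf(k_ex, b"enc"), prf(k_ex, b"mac")
    nonce = secrets.token_bytes(16)     # fresh per message: K_ex is static
    pt = json.dumps(state, sort_keys=True).encode()
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(k_enc, nonce, len(pt))))
    return nonce + ct + prf(k_mac, nonce + ct)


def open_sealed(k_ex: bytes, blob: bytes) -> dict:
    """Verify the tag first; decrypt only an authentic handoff message."""
    if len(blob) < 48:
        raise ValueError("handoff rejected: truncated")
    k_enc, k_mac = prf(k_ex, b"enc"), prf(k_ex, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(k_mac, nonce + ct)):
        raise ValueError("handoff rejected: bad tag")
    pt = bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))
    return json.loads(pt)


def hand_over(cluster_key: bytes, replies, state: dict):
    """Old head: choose the successor and seal the state for it."""
    chosen = select_replacement(replies)
    if chosen is None:
        raise RuntimeError("no eligible replacement")
    k_ex = exchange_key(cluster_key, chosen.node_id)
    return chosen.node_id, seal(k_ex, state)


# Constructed sample data (not from the paper).
CLUSTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
REPLIES = [
    Reply(11, 80.0, 5, True),
    Reply(12, 95.0, 7, False),   # cannot reach the base station
    Reply(13, 60.0, 7, True),
    Reply(14, 10.0, 9, True),    # below the energy floor
    Reply(15, 75.0, 7, True),
]
STATE = {"members": [11, 12, 13, 14, 15], "head_seq": 4}

if __name__ == "__main__":
    idn, blob = hand_over(CLUSTER_KEY, REPLIES, STATE)
    print(idn, open_sealed(exchange_key(CLUSTER_KEY, idn), blob))
```

K_ex depends only on K_ck and idn, so the sealed state is protected from nodes outside the cluster, while any node that holds the cluster key and knows idn derives the same key.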

Figure 2. Network lifetime in case of base station failure. (Plot comparing Normal and RAP for 16, 64, 256 and 1024 sensors.)

The second case compares the network lifetime under RAP with the network lifetime without RAP when a cluster head fails. The results are plotted separately for 4 groups of 16, 64, 256 and 1024 sensors, as shown in Figure 3. Network lifetime is increased by more than 30% in all 4 groups.

Figure 3. Network lifetime in case of cluster head failure. (Plot comparing Normal and RAP for 16, 64, 256 and 1024 sensors.)

4. Conclusion and Future Works

The paper presented a new protocol to delay or stop network failure and prolong the network lifetime in case of failure of the base station, cluster heads or sensor nodes. The relative 20% to 30% improvement in lifetime was achieved at the cost of mostly communication overheads upon failure of network constituents. No considerable overhead was introduced during normal operation of the network. Most importantly, our protocol for finding a replacement node for the failed node did not violate the security of the network. So it can equally well be applied to other security protocols for wireless sensor networks to securely enhance the availability of such networks. We ran our tests in a grid of 16, 64, 256 and 1024 nodes. Application of RAP under other topologies, like mesh, with these numbers of nodes and with higher numbers of nodes, as in smart dust networks, is under current investigation.

REFERENCES

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam and E. Cayirci, A Survey on Sensor Networks, IEEE Communications Magazine 40(8):102-114, Aug. 2002.
[2] A. R. Beresford and F. Stajano, Location Privacy in Pervasive Computing, IEEE Pervasive Computing 2(1):46-55, 2003.
[3] J. Deng, R. Han and S. Mishra, INSENS: Intrusion-Tolerant Routing in Wireless Sensor Networks, Technical Report CUCS-939-02, Department of Computer Science, University of Colorado, 2002.
[4] S. Ganeriwal and M. Srivastava, Reputation-Based Framework for High Integrity Sensor Networks, 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, 2004.
[5] O. Goldreich et al., How to Construct Random Functions, Journal of the ACM, Vol. 33, No. 4, 1986.
[6] L. Hu and D. Evans, Secure Aggregation for Wireless Networks, SAINT-W '03: Proceedings of the 2003 Symposium on Applications and the Internet Workshops, p. 384, IEEE Computer Society, 2003.
[7] Q. Huang, J. Cukier, H. Kobayashi, B. Liu and J. Zhang, Fast Authenticated Key Establishment Protocols for Self-Organizing Sensor Networks, Proceedings of the 2nd ACM International Conference on Wireless Sensor Networks and Applications, pp. 141-150, 2003.
[8] T. Kaya, G. Lin, G. Noubir and A. Yilmaz, Secure Multicast Groups on Ad hoc Networks, Proceedings of the 1st ACM Workshop on Security of Ad hoc and Sensor Networks (SASN '03), pp. 94-102, ACM Press, 2003.
[9] B. C. Lai, S. Kim and I. Verbauwhede, Scalable Session Key Construction Protocol for Wireless Sensor Networks, Proc. IEEE Workshop on Large Scale Real-Time and Embedded Systems (LARTES), December 2002.
[10] Z. Liang and W. Shi, Enforcing Cooperative Resource Sharing in Untrusted Peer-to-Peer Environment, ACM Journal of Mobile Networks and Applications (MONET), special issue on Non-cooperative Wireless Networking and Computing, 2005.
[11] D. Liu and P. Ning, Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks, Proceedings of the 10th Annual Network and Distributed System Security Symposium, pp. 263-276, 2003.
[12] P. Papadimitratos and Z. J. Haas, Secure Routing for Mobile Ad hoc Networks, Proceedings of the SCS Communication Networks and Distributed System Modeling and Simulation Conference (CNDS 2002), 2002.
[13] Parallel Simulation Environment for Complex Systems (PARSEC), http://pcl.cs.ucla.edu/project/parsec
[14] A. Perrig, R. Szewczyk, V. Wen, D. Culler and J. D. Tygar, SPINS: Security Protocols for Sensor Networks, Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001), 2001.
[15] B. Przydatek, D. Song and A. Perrig, SIA: Secure Information Aggregation in Sensor Networks, ACM SenSys 2003 (Conference on Embedded Networked Sensor Systems), 2003.
[16] M. Saraogi, Security in Wireless Sensor Networks, Project Paper, 2003.
[17] S. Seys, Key Establishment and Authentication Suite to Counter DoS Attacks in Distributed Sensor Networks, unpublished manuscript, COSIC, 2002.
[18] N. Shrivastava, C. Buragohain, D. Agrawal and S. Suri, Medians and Beyond: New Aggregation Techniques for Sensor Networks, SenSys '04: Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems, pp. 239-249, ACM Press, 2004.
[19] M. Taleghan et al., Fault-Tolerance Considerations for Wireless Sensor Networks, ICEE 2006, Tehran, Iran.
[20] S. Tanachaiwiwat, P. Dave, R. Bhindwale and A. Helmy, Poster Abstract: Secure Locations: Routing on Trust and Isolating Compromised Sensors in Location-Aware Sensor Networks, Proceedings of the 1st International Conference on Embedded Networked Sensor Systems, pp. 324-325, ACM Press, 2003.
[21] J. P. Walters, Z. Liang, W. Shi and V. Chaudhary, Wireless Sensor Network Security: A Survey, Technical Report MIST-TR-2005-007, 2005.
[22] X. Wang, W. Gu, S. Chellappan, D. Xuan and T. H. Laii, Search-Based Physical Attacks in Sensor Networks: Modeling and Defense, Tech. rep., Dept. of Computer Science and Engineering, The Ohio-State University, 2005.
[23] X. Wang, W. Gu, S. Chellappan, K. Schoseck and D. Xuan, Lifetime Optimization of Sensor Networks Under Physical Attacks, Proc. of IEEE International Conference on Communications, 2005.
[24] F. Ye, H. Luo, S. Lu and L. Zhang, Statistical En-Route Detection and Filtering of Injected False Data in Sensor Networks, IEEE INFOCOM 2004, 2004.
[25] S. Zhu, S. Setia and S. Jajodia, LEAP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks, Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003.