Multi-user Broadcast Authentication in Wireless Sensor Networks

More documents

Recommendations

Info

all the messages received within one time interval, anadversary can hence flood the whole network arbitrarily.All he has to do is to claim that the flooding messagesbelong to the current time interval which should bebuffered for authentication until the next time interval.Since wireless transmission is very expensive in WSNs,and WSNs are extremely energy constrained, the abilityto flood the network arbitrarily could cause devastatingDenial of Service (DoS) attacks. Moreover, this type ofenergy-depletion DoS attacks become more devastatingin multiuser scenario as the adversary now can havemore targets and hence more chances to generate bogusmessages without being detected. Obviously, all theseattacks are due to delayed authentication of the broadcastmessages. In [11], TIK is proposed to achieve immediatekey disclosure and hence immediate message authenticationbased on precise time synchronization betweenthe sink and receiving nodes. However, this techniqueis not applicable in WSNs as pointed out by the authors.Therefore, multiuser broadcast authentication stillremains a wide open problem in WSNs.When ,uTESLA was proposed, sensor nodes wereassumed to be extremely resource-constrained, especiallywith respect to computation capability, bandwidth availability,and energy supply [26]. Therefore, public keycryptography (PKC) was thought to be too computationallyexpensive for WSNs, though it could provide muchsimpler solutions with much stronger security resilience.At the same time, the computationally efficient onetimesignature schemes are also considered unsuitable forWSNs, as they usually involve intense communications[26]. However, recent studies [8], [28], [31] showedthat, contrary to widely held beliefs, PKC with evensoftware implementations only is very viable on sensornodes. For example [31], Elliptic Curve Cryptography(ECC) signature verification takes 1.61s with 160-bitkeys on ATmegal28 8MHz, a processor used in currentCrossbow motes platform [7]. Furthermore, the computationalcost is expected to fall faster than the costto transmit and receive. For example, ultra-low-powermicrocontrollers such as the 16-bit Texas InstrumentsMSP430 [30] can execute the same number of instructionsat less than half the power required by the 8-bitATmega128L. The benefits of transmitting shorter ECCkeys and hence shorter messages/signatures will in turnbe more significant. Moreover, next generation sensornodes are expected to combine ultra-low power circuitrywith so-called power scavengers such as Heliomote [15],which allow continuous energy supply to the nodes.At least 8- 20uW of power can be generated usingMEMS-based power scavengers [3]. Other solar-basedsystems are even able to deliver power up to 100mW forthe MICA Motes [15], [16]. These results indicate that,with the advance of fast growing technology, PKC isno longer impractical for WSNs, though still expensivefor the current generation sensor nodes, and its wideacceptance is expected in the near future [8].Having this observation and knowing that symmetrickey-basedsolutions such as ,uTESLA are insufficient forbroadcast authentication in WSNs, we resort to PKCfor more effective solutions. In this paper, we addressmultiuser broadcast authentication problem in WSNs bydesigning PKC-based solutions with minimized computationaland communication costs.Overview of the paper: In this paper, we propose fourdifferent public-key-based approaches and provide indepthanalysis of their advantages and disadvantages.In all the four approaches, the users are always authenticatedthrough their public keys. We first proposea straightforward certificate-based approach and pointout its high energy inefficiency with respect to bothcommunication and computation costs. We then proposea direct storage based scheme, which has high efficiencybut suffers from the scalability problem. A Bloom filterbased scheme is further proposed to improve the memoryefficiency over the direct storage based scheme. Furthertechniques are also developed to increase the securitystrength of the proposed scheme. Lastly, we propose ahybrid scheme to support a larger number of networkusers by employing the Merkle hash tree technique. Wegive an in-depth quantitative analysis of the proposedschemes and demonstrate their effectiveness and efficiencyin WSNs in terms of energy consumption.Contributions: This paper makes the following contributions:1) We identify the problem of multiuser broadcastauthentication in WSNs and point out a serious securityvulnerability inherent to the symmetric-key based,uTESLA-like schemes. 2) We come up with severalPKC-based schemes to address the proposed problemwith minimized computational and communication costs.We achieve our goal by integrating several cryptographicbuilding blocks, such as the Bloom filter, the partialmessage recovery signature scheme, and the Merklehash tree, in an innovative manner. 3) We analyze boththe performance and security resilience of the proposedschemes. A quantitative energy consumption analysis isgiven in detail and demonstrates the effectiveness andefficiency of the proposed schemes.Organization of the paper: The remaining part ofthis paper is as follows: In Section II, we introduce224
the cryptographic mechanisms to be used. Section IIIpresents the system assumption, adversary model, andsecurity objectives. In Section IV, we introduce two basicschemes. We further propose two advanced schemes anddetail the underlying design logic in Section V. SectionVI analyzes the performance of the proposed schemes,and we conclude our paper in Section VII.II. PRELIMINARIESThe Bloom Filter: A Bloom filter is a simple spaceefficientrandomized data structure for representing a setin order to support membership queries [23]. A Bloomfilter for representing a set S = sI, S2, ..., sn of nelements is described by a vector V of m bits, initiallyall set to 0. A Bloom filter uses k independent hashfunctions h1, ..., hk with range 0, ..., m- 1, which mapeach item in the universe to a random number uniformover [0, ..., m- 1]. For each element s E S, the bits hi(s)are set to 1 for 1 in S,we check whether all bits hi (x) are set to 1. If not, x isnot a member of S for certain, that is, no false negativeerror. If yes, x is assumed to be in S. A Bloom filter mayyield a false positive. It may suggest that an element xis in S even though it is not. The probability of a falsepositive for an element not in the set can be calculated asfollows. After all the elements of S are hashed into theBloom filter, the probability that a specific bit is still 0 is(1 1)k e-k/m* The probability of a false positivef is then f = (1 -(1 - )k)k (1_ e-km)kThe Merkle Hash Tree: A Merkle Tree is a constructionintroduced by Merkle in 1979 to build secureauthentication schemes from hash functions [22]. It is atree of hashes where the leaves in the tree are hashesof the authentic data values nI, n2, ..., n,. Nodes furtherup in the tree are the hashes of their respective children.For instance, assuming that w = 4 in Fig. 1, the valuesof the four leaf nodes are the hashes of the data values,h(ni), i = 1, 2, 3, 4, respectively, under a one-way hashfunction ho (e.g., SHA-1 [25]). The value of an internalnode A is ha= h(h(ni) Ih(n2)), and the value of theroot node is hr h(ha Ihb). hr is used to commit to theentire tree to authenticate any subset of the data valuesni, n2, n3, and n4 in conjunction with a small amountof auxiliary authentication information AAI (i.e., log2 Nhash values where N is the number of leaf nodes). Forexample, a receiver with the authentic hr requests for n3and requires the authentication of the received n3. Thesource sends the AAI :< ha, h(n4) > to the receiver. Thereceiver can then verify n3 by first computing h(n3),Roothe,h(ni) h(n2) h(n3) h(n4)n1 X n2 n3X n44~~~~~~~~bFig. 1. An example of Merkle hash treehb = h(h(n3)lh(n4)) and hr = h(ha Jhb), and thenchecking if the calculated hr is the same as the authenticroot value hrIII.SYSTEM MODEL, ADVERSARY MODEL, ANDDESIGN GOALSSystem Model: In this paper, we consider a largespatially distributed WSN, consisting of a fixed sink(s)and a large number of sensor nodes. The sensor nodesare usually resource-constrained with respect to memoryspace, computation capability, bandwidth, and powersupply. The WSN is aimed to offer information servicesto many network users that roam in the network, inaddition to the fixed sink(s) [20]. The network usersmay include mobile sinks, vehicles, and people withmobile clients, and they are assumed to be more powerfulthan sensor nodes in terms of computation andcommunication abilities. For example, the network userscould consist of a number of doctors, nurses, medicalequipment (acting as actuators) and so on, in the caseof CodeBlue [19], where the WSN is used for emergencymedical response. These network users broadcastqueries/commands through sensor nodes in the vicinity,and expect the replies that reflect the latest networkinformation. The network users can also communicatewith the sink or the backend server directly withoutgoing through the WSN if necessary. We assume thatthe sink is always trustworthy but the sensor nodes aresubject to compromise. At the same time, the users ofthe WSN may be dynamically revoked due to eithermembership changes or compromise, and the revocationpattern is not restricted. We also assume that the WSNisloosely synchronized.Adversary Model: In this paper, we assume that theadversary's goal is to inject bogus messages into thenetwork, attempt to deceive sensor nodes, and obtainthe information of his interest. Additionally, Denial ofService (DoS) attacks such as bogus message flooding,aiming at exhausting constrained network resources, isanother important focus of the paper. We assume that225
Page 1: Multi-user Broadcast Authentication
Page 5 and 6: System Preparation: The sink genera
Page 7 and 8: u-DO -Do -f 6636*10leq,'- f = 2.03*
Page 10: eport mechanism. If a sensor node f

Multi-user Broadcast Authentication in Wireless Sensor Networks

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?