Multi-user Broadcast Authentication in Wireless Sensor Networks

More documents

Recommendations

Info

the adversary is able to compromise both network usersand the sensor nodes. The adversary hence could exploitthe compromised users/nodes for such attacks. However,we do assume that adversary cannot compromise anunlimited number of sensor nodes.Design Goals: Our security goal is straightforward:all messages broadcasted by the network users of theWSN should be authenticated so that the bogus onesinserted by the illegitimate users and/or compromisedsensor nodes can be efficiently rejected/filtered. We alsofocus on minimizing the overheads of the security design.Especially, energy efficiency (with respect to bothcommunication and computation) and storage overheadare given priority to cope with the resource-constrainednature of WSNs.IV. THE BASIC SCHEMESA. The Certificate-Based Authentication Scheme (CAS)CAS works as follows. Each user (not a sensor) ofthe WSN is equipped with a public/private key pair(PK/SK), and signs every message he broadcasts withhis SK using a digital signature scheme such as ECDSA[10]. Note that in all our designs, we do not requiresensors to have public/private key pairs for themselves.To prove the user's ownership over his public key, thesink2 is also equipped with a public/private key pair andserves as the certification authority (CA). The sink issueseach user a public key certificate, which, to its simplestform, consists of the following contents: CertuIDUID, PKUID, ExpT, SIGSKsikA{h(UID ExpT PKUID)},where UID denotes the user's ID, PKUID denotes itspublic key, ExpT denotes certificate expiration time,and SIGSKsink{h(UIDJJExpT||PKUID)} is a signatureover h(UID lExpTI PKUID) with SKSink. Hence, abroadcast message is now of the form as follows:< M, tt, SIGSK(ID{h(UID JttJ M)},CertUID > (I)Here, M denotes the broadcast message and tt denotesthe current time. For the purpose of messageauthentication, sensor nodes are preloaded with PKsinkbefore the network deployment; and message verificationcontains two steps: the user certificate verification andthe message signature verification.CAS suffers from two main drawbacks. First andforemost, it is not efficient in communication, as thecertificate has to be transmitted along with the messageacross every hop as the message propagates inthe WSN. A large per message overhead will result2We assume that the sink represents the network planner.in more energy consumption on every single sensornode. In CAS, the per message overhead is as highas |tt| + ISIGSKu D{h(UID||M)}j + ICertuID = 128bytes. As in [31], the user certificate is at least 86bytes, when ECDSA-160 [10] is used. Here, we assumethat tt and UID are both two bytes, in which case thescheme supports up to 65, 535 network users. Moreover,ISIGSKUID {h (UID M) } = 40 bytes, when ECDSA- 160[10] is assumed. Second, to authenticate each message,it always takes two expensive signature verification operations.This is because the certificate should always beauthenticated in the first place.B. The Direct Storage Based Authentication Scheme(DAS)One way to reduce the per message overhead andthe computational cost is to eliminate the existenceof the certificate. A straightforward approach is thento let sensor nodes simply store all the current users'ID information and their corresponding public keys. Inthis way, a broadcast message now only contains thefollowing contents:< M, tt, SIGSKUID {h(UID lItt JM)}, UID, PKUID > (II)Verifying the authenticity of a user public key is reducedto finding out whether or not the attached user/publickey pair is contained in the local memory. Upon userrevocation, the sink simply sends out ID informationof the revoked user, and every sensor node deletes thecorresponding user/public key pair in its memory.The drawbacks of DAS are obvious. Given a storagelimit of 5 KB, only 232 users can be supported at most;even with a memory space of 19.5 KB, DAS can onlysupport up to 1, 000 users. At the same time, CAS cansupport up to 2, 560 users given the same storage limit 5KB. The reason is that in CAS only the ID informationof the revoked users are stored by the sensor nodes.Therefore, DAS is neither memory efficient nor scalable.However, the advantage of DAS is also significant ascompared to CAS. Itsuccessfully reduces the per messageoverhead down to tt + SIGSKuID {h(UID JM) } +IUIDI + PKUID I= 64 bytes. The above analysis clearlyshows that more advanced schemes are needed other thanDAS and CAS. And the direction to seek is to improvestorage efficiency while retaining or further reducing theper message overhead.V. THE ADVANCED SCHEMESA. The Bloom Filter Based Authentication Scheme (BAS)226
System Preparation: The sink generates the publickeys for all network users, and constructs the set:S = {< UIDl: PKUID. >~< UID2, PKUID2 > ,}.where #{S} = N, and #{} denotes the cardinality ofthe set. Using the Bloom filter, the sink can apply ksystem-wide hash functions (cf. Section II.B) to map theelements of S (each with L + 2 bytes, that is, UIDI = 2bytes, and IPKUIDI= L bytes) to an m-bit vector Vwith V = vovl...Vmv, where we have m < N(L + 2)to reduce the filter size and m > kN to retain a smallprobability of a false positive. These k hash functionsare known by every node and the sink. For each vi, i E[0, m- 1], we haveVi=if 3 1 c [1, k], j c [1, N],s.t. hl (UIDj II PKUID)otherwiseAdditionally, the sink constructs a counting Bloom filterV of mr*c bits with V = VOV1...Vm- , where each vi, i E[0, m- 1] is a c-bit counter, i.e., IviI = c bits. The valueof vi is determined as follows:vi#{(IDj, PKUID3j) lh(UIDj |PKUID))for 3 1C [1,k],j C [1,N]}.And c [log2 (max(vi, i E [0, m- 1]))] bits, which isusually of 4 bits for most applications [9]. The aboveoperations are illustrated in Fig. 2. The sink finallypreloads each sensor node with V (not including V), aswell as the sink'spublic key and the common domainparameters of the ECDSA signature scheme.Message Signing and Authentication: Let PKuIDWpub = sG, be the public key of user UID, where s isthe private key of the signer, and G is the generatorof a subgroup of an elliptic curve group of order r.Let SK (.) be a symmetric key cipher such as AES. Tobroadcast a message M (IMI > 10 bytes), UID takes thesteps below following [24], a variant of ECDSA with thepartial message recovery property:Concatenate < M Itt UID >, and break it into twoparts, M1 and M2, where IMlI < 10 bytes.Generate a random key pair { u, V}, where u c[1, r -1], V = uG = (x1, yi), and (xi mod r) z0.Encode-and-hash V into an integer I [24].Form F1 from M1 by adding the proper redundancy[12].Compute C = (I + F1) mod r, and make sure thatC z 0 or repeat the above steps otherwise.Fig. 2.leiukesepublic keyshi(*) I.,h2(*) 'hk(*)The Bloom FilterThe CountingBloom FilterAn example of the Bloom filter and Counting Bloom FilterCompute F2 h(M2), and Dmod r.. Repeat all the above steps if Dsignature as < C, D > otherwise.Then, UID broadcasts,m-bitvector(III)u-(F2 +sC)0; Output thewhere tt and UID are parts of M2. And this is the knownsimplest message format that can be achieved usingPKC3. Now, upon receiving a broadcast message (notfrom the sink), a sensor node checks the authenticity ofthe message in two steps. First, it checks the authenticityof the corresponding public key by verifying its membershipin S. To do so, the sensor node checks whetherV[hl(UID |PKUID) 1, I E [1, k], and a negative resultwill lead to the discarding of the message. We note thathere a false positive may happen due to the probabilisticnature of the Bloom filter, but only with a very small(negligible) probability when appropriate parameters arechosen as we will analyze later. Second, it verifies theattached signature as follows:Discard the message if C [1, r- 1] or D [1, r -1].* Compute F2= h(M2), H D- mod r, and HIF2H mod r.Compute H2 = CH mod r, and P = H1G +H2Wpub.. Discard the message if P 0.3The claim is true only when ID-based cryptography [29] isexcluded from consideration, in which case the user's ID is also hispublic key. Furthermore, the shortest signature size possibly obtainedfrom pairing is around 22 bytes [6], which is shorter than 40 bytesobtained from ECDSA. However, to apply a pairing-based scheme(i.e., a ID-based signature or short signature) on sensor nodes, theknown reachable signature size has to be 84 bytes, even when a 32-bit microprocessor can be used [32]. And the energy cost is alsomultiple times higher than that of an ECDSA-160 signature.227
Page 1 and 2: Multi-user Broadcast Authentication
Page 3: the cryptographic mechanisms to be
Page 7 and 8: u-DO -Do -f 6636*10leq,'- f = 2.03*
Page 10: eport mechanism. If a sensor node f

Multi-user Broadcast Authentication in Wireless Sensor Networks

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?