San Diego, California USA, 6-8 February 2007. A Survey of Authentication Mechanisms. Authentication for Ad-Hoc Wireless Sensor Networks. D. Boyle, T. Newe.
SAS 2007 - IEEE Sensors Applications Symposium San Diego, California USA, 6-8 February 2007
A Survey of Authentication Mechanisms Authentication for Ad-Hoc Wireless Sensor Networks D. Boyle, T. Newe Department of Electronic and Computer Engineering University of Limerick Limerick, Ireland
David-Boyle(guLie
eavesdropping, injection, or modification of disseminated data packets. Cryptography is the standard method of defence against such attacks [4], but brings a number of trade-offs into play. Varying levels of cryptography will imply proportionately varying levels of overhead, in the form of increased packet size, for example.
Abstract - Many applications of wireless sensor networks, such as homeland security and commercial applications collect and disseminate sensitive and important information. In order for these applications to operate successfully, it is necessary to maintain the privacy and security of transmitted data. What remains undefined is an agreeable and most effective way of securing the information. This paper considers current mechanisms of authentication used to achieve security. When a node of a network can be verified as being a valid member node of the network, by some security mechanism, this is known as authentication. This node may then send and receive trustworthy messages across the network, appended with a message authentication code that only other valid nodes, holding a shared secret, may access. A comparison table is presented, illustrating various properties held by these authentications protocols. This is beneficial to designers wishing to implement the most cost effective and appropriate protocol for the intended application, as the desirable characteristics, both simulation based and implementation based, are easily identifiable.
In order for security to pervade all aspects of an implementation, it has to be provided for under the communications protocol chosen by the designer. Varying
communications protocols will have different solutions to the security problem. These will be discussed in more detail in the final paper, specifying the IEEE 802.15.4 standard and the ZigBee standard in particular. II. AUTHENTICATIONPROTOCOLS In this section, authentication protocols that are currently available will be reviewed, contrasted and compared. Although authentication is provided for under the IEEE 802.15.4 standard [5], there are no defined processes for authentication or key exchange and, therefore, cannot be considered to have an active protocol. The mechanisms for achieving authentication that are to be further considered are valid for implementation with applications based on this standard for low-rate WPAN networks. They will be compared under similar headings.
I. INTRODUCTION A wireless sensor network is constituted by a number of nodes communicating wirelessly over limited frequency and bandwidth [1]. Sensor networks depend on dense deployment and coordination to execute their tasks, unlike traditional networks. When the exact location of a particular event is unknown, this method of distributed sensing allows for closer placement to the phenomena than would be achieved with a single sensor [2]. Areas such as power management, network discovery, control and routing, collaborative signal and information processing, taskingand erng, and security are allcurrentlyunderresearch [3]. In order to design a completely secure wireless sensor network, security must be integrated into every node of the system. This is due to the possibility that a component implemented without any security could easily become a point of attack. This dictates that security must pervade every aspect of the design of a wireless sensor network application that will require a high level of security [4]. This is particularly important for military applications like homeland security, and also important for many emerging commercial applications, Similarly to conventional networks, most applications of wireless sensor networks require protection against
Data encryption and node authentication are the main defences against attack. There are numerous types of
encryption and authentication protocols available for implementation within wireless sensor networks as a result of the continuous improvement to those available and in use through the development of the Internet. They, do not, however, relate directly to sensor networks, as there is a whole new range of issues that need to be addressed. Sensor networks are, more often than not, one-off deployments of batterypowered nodes. As a result, increased network lifetime is a goal of all research groups. This implies that extensive on-chip processing to execute complex encryption/decryption techniques is not a viable option. As a result, security in wireless sensor networks is a developing area: one in which the most intelligent solutions are sought, as opposed to the most robust, which require large amounts of processing power. Authentication is a mechanism whereby the identity of a node in a network can be identified as a valid member of the
Research Sponsored by Science Foundation Ireland - Grant number:
05/RFP/CMS007l1)
1-4244-0678-1/07/$20.00 ©) 2007 IEEE
1
encryption and authentication, and have the same varying network and as such data received from this node can be levels of authentication (the encryption block remains constant verified as uncorrupted, when applied with a message as per NIST FIPS Pub 197) [9]. authentication code (prior to sending/processing a message). There are a number of methods of achieving node authentication. These range from device-to-device protocols, t Only partes that possess the symmetric key should be able where each node authenticates its neighbour's identity, to tcompute the MAC ThesMACnprotects . pkthe edein addition to the data payload. The sender appends the plaintext broadcast protocols, which enables a sender to broadcast data with the MAC. The recipient can verify the MAC by critical data and/or commands to sensor nodes in an authenticated way such that an attacker cannot forge any th MAC mode vaple geceived CC in the [l0]. Initially, CCM message from the sender [6]. Due to energy constraints on prote ovet an d protection over the header and data payload employing CBCnodes traditional broadcast authentication techniques, however, and then encrypts the data payload and MAC using the MAC, ae otdesirable. sgnaurs bseddiita ke a puli suc such as public key based digital signatures, are not desirAES-CTR mode. In this way, AES-CCM includes the fields from both the authentication and encryption operations (a A. ZigBee Authentication MAC and the frame and key counters), which serve the same functions as described above [11]. The operation of CBC-MAC The concept of a "Trust Center" is introduced in the is detailed below: specification. Generally the ZigBee coordinator performs this duty. This device allows other devices to join the network and CBC-MAC also distributes the keys. There are three roles played: 1: trust Let EK(X) denote the enciphered n-bit blockXusing keyK and manager, whereby authentication of devices requesting to join block cipher E. For completeness, assume that E = AES, the network is done, 2: network manager, maintaining and implying that n = 128. Let a ® b denote the bitwise exclusivedistributing network keys, and 3: configuration manager, or of a and b. Let (a b) denote the concatenation of strings enabling end-to-end security between devices [7]. It operates in a and b and let a denote the length of, in bits, of a. Let Oi both Residential Mode and Commercial Mode. denote i zero-bits. In Residential Mode, the Trust Center will allow devices to To authenticate with the basic CBC-MAC, one begins with a join the network, but does not establish keys with the network message M whose length is a positive multiple of n, and a key devices. It therefore cannot periodically update keys and allows K for E. Let: for the memory cost to be minimal, as it cannot scale with size Ml IIM2II ..IIMm =Mwith Mil= n for 1< i < m. of the network. In commercial mode, it establishes and Then the CBC-MAC ofM is defined as Cm, where maintains keys and freshness counters with every device in the network, allowing centralized control and update of keys. This Ci EK(M, D C_1 )for 1 .i .m, and Co O1. results in a memory cost that could scale with the size of the network [7]. I. ZiGBEE There are three types of keys employed, the Master Key, - lthe Link Key and the Network Key. Master keys are installed first, either in the factory or out ofband. They are sent from the Protocol Trust Center and are the basis for long-term security between 4 II 0Protocol two devices. The Link key is a basis of security between two devices and the Network keys are the basis of security across the entire network. Link and Network keys, which are either mmetri s e 1ys Yes Optiona installed in the factory or out of band, employ symmetrical __ Tr_ust_Center (CCM*) key-key exchange (SKKE) handshake between devices, for B. SPINS Link keys, the key is transported from the Trust Center for both Perrig et al. (2002) proposed Security Protocols for Sensor types of keys. This operation occurs in commercial mode, as Networks, SPINS, a suite of security protocols optimised for residential mode does not allow for authentication. The ZigBee specification states that CCM* mode of sensor networks [12]. It consists of two secure building blocks operation is used. CCM* is a generic combined encryption and SNEP and tTESLA, which run on top of TinyOS, a small, event driven operating system for sensor nodes [12, 13]. Secure authentication block cipher mode [8]. It's additional functionality to that of CCM mode (specified in the IEEE Network Encryption Protocol, SNEP, is used to provide confidentiality through encryption and authentication, in 802.15.4 standard upon which ZigBee is built) is that it addition to integrity, using a message authentication code provides for data that requires only encryption. (MAC). There are eight different levels of security specified by the There are a number of unique advantages with SNEP. It has ZigBee specification. They can vary depending on the amount a very low communication overhead, adding only 8 bytes per and type of security the data is required to maintain. The first message. SNEP achieves semantic security (a property which of these modes offers no security. This means that transmitted prevents an adversary from learning even partial information packets are void of any security. Then there are three levels that about a transmitted message), which is an important security include authentication only. They differ through the length Of the MAC used to achieve authentication, and include lengths Of property, as it prevents eavesdroppers from inferring the 4, 8 or 16 bytes. The remaining three are inclusive Of message content from the encrypted message; achieved as the
modemployingrity
p
TABLE
2
counter value is incremented after each message, implying that the message is encrypted differently each time. The counter value is sufficiently long enough never to repeat within the lifetime of the node. Finally, it also provides data authentication, replay protection and weak message freshness [12]. To achieve data authentication, the same block cipher is used as in CBC-MAC mode. tTESLA is the "micro" version of TESLA (Timed Efficient Stream Loss-tolerant Authentication) proposed by Perrig et al in 2002 [14]. It emulates asymmetry through a delayed disclosure of symmetric keys and serves as the broadcast authentication service of SNEP. tTESLA requires that the base station and the nodes be loosely time synchronized, and that each node knows an upper bound on the maximum synchronization error. For an authenticated packet to be sent, the base station computes a M\AC on the packet with the key that is secret at that point in time. When a node gets a packet, it can confirm that the base station did not yet disclose the corresponding M\4AC key, using its loosely synchronized clock, maximum synchronization error and the time at which the keys are to be disclosed. The node stores the packet in a buffer, aware that the MAC key is only known to the base station, and that no adversary could have altered the packet during transmission. When the keys are to be disclosed, the base station broadcasts the key to all receivers. The receiver can then verify the correctness of the key and use it to authenticate the packet stored in the buffer [12]. Each MAC key is a member of a key chain, which has been generated by a one-way function F. In order to generate this chain, the sender chooses the last key Kn of the chain randomly, and applies F repeatedly to compute all other keys (1): Ki= F(Ki+). (1)
Applying the SNEP building block, each node can easily perform time synchronization and retrieve an authenticated key from the chain for the "commitment in a secure and authenticated manner" [12]. Schemes, like tTESLA, based on delayed key disclosure, can suffer from denial of service attacks (DOS). In the subsequent interval when the message is in the buffer and the receiver waits on the disclosure time, an attacker can flood the network with arbitrary messages, claiming that they belong to the current time interval. Only in the next time interval can the nodes determine that these messages are not authentic. The use of public key cryptography would eliminate the need for such complicated protocols, increasing the security of the system and only requiring the public key of the base station to be embedded into all of of nodes [13]. TABLE II.
Karlof et al. (2004) state that SNEP was, unfortunately, neither fully specified nor fully implemented, motivating the arrival of TinySec [15], which is integrated into TinyOS [16]. C. TINYSEC Karlof et aL designed the replacement for the unfiished SNEP, known as TinySec (2004) [15]. Inherently it provides similar services, including authentication, message integrity, confidentiality and replay protection. A major difference between TinySec and SNEP is that there are no counters used in TinySec. For encryption, it uses CBC mode with cipher text stealing, and for authentication, CBC-MAC is used. TinySec XORs the encryption of the message length with the first plaintext block in order to make the CBC-MAC secure for variably sized messages. There are two packet formats defined by TinySec. These are TinySec-Auth, for authenticated messages, and TinySec-AE, for authenticated and encrypted messages. For the TinySec-AE packet, a payload of up to 29 Bytes is specified, with a packet header of 8 Bytes in length. Encryption of the payload is all that is necessary, but the M\SAC is computed over the payload and the header. The TinySecThe Auth packet can carry up to 29 Bytes of payload. M\rAC is computed over the payload and the packet header, which is 4 Bytes long Generally, the security of CBC-MAC is directly related to the length of the MAC. TinySec specifies a M\AC of 4 Bytes, much less than the conventional 8 or 16 Bytes of previous security protocols. In the context of sensor networks, Karlof et al. (2004) argue that this is not detrimental. Should an adversary repeatedly attempt blind forgeries, it will succeed after 231 attempts. Adversaries can only assess the validity of an attempted forgery by forwarding it to an authorised recipient. This implies that approximately 231 packets must be sent to forge just one malicious packet. In sensor networks, this is an adequate level of security, and for an attempt like the one described above, it would take approximately 20 months (on a 19.2kb/s channel) to be successful. Implicitly, there is an effective denial of service attack launched in this way, as the radio channel would be locked for an extended period as attempts are made. It is argued that a simple heuristic, whereby the nodes signal the base station when the rate of M\AC failures exceeds a predetermined threshold [15] would alleviate the problem should such an attack occur. There is an inherent overhead in integrating TinySec to an ThereaionTherent both computating andSenergy application. There are costs, both computational and energy wise, that are incurred. It is known that there will always be a trade-off between optimal efficiency and providing a robust security system. The operational costs of TinySec are relatively low and will be further discussed in Section III.
SPINS
;C ~~ -~ 2tu
TABLE
F
; c; B ;
7~
TINYSEC
III.
Protocol 3 ~~~~~~~~~~~~~~~~~~~
Protocol ~~~~~~~~~~~~~~~~~~~~~
r
0~~c
; :
;
D. LEAP
Localised Encryption and Authentication Protocol (LEAP) was proposed by Zhu et al (2003) as a key management protocol for sensor networks designed to support in- network processing, while restricting the impact of a compromised node to the network [17]. Four types of keys are supported for each sensor node - an individual key shared with the base station, a pairwise key shared with another node, a cluster key shared with multiple neighbouring nodes and a group key shared by all network nodes. At the time, pre-deployed keying was the most practical approach for bootstrapping secret keys in sensor nodes. This implies that the keys were loaded into all of the sensors before they were deployed in the sensor field. This may seem primitive at this point in time, but is included to achieve thoroughness. Pairwise keys could be generated between two nodes based on this pre-deployed keying information. The overhead is variable depending on the types of keys specified for use in the implementation. All four types may not be used for a particular application.
3Protocol | LEAP
TABLE IV.
LEAP
-
X
b
Yes No V
Pre-deployed Variable
E. Security Manager Heo and Hong (2006) proposed a new method of key agreement, whereby, when a new device joins a network the Security Manager (SM) gives static domain parameters such as at the base station, the order of the curve and the elliptic curve coefficients [18]. After calculating a public key using the base point and a private key, the device sends a public key to the SM. Therefore the SM would have the public key list for all the devices in the network. They define two security levels (medium and high), based on the devices' power and security policies. These two levels are defined by either normal or polynomial basis calculations. Elliptic Curve Cryptography (ECC) algorithms offer reasonable computational loads and smaller key lengths for equivalent security than other techniques. These smaller key lengths reduce the size of message buffers and reduce implementation cost of protocols. The EC-MQV (Menezes-QuVanstone) scheme is more advanced than the Diffie-Heliman scheme, and the main idea is to prevent the man-in-the-middle attack and perform authentication of key holders. Under this scheme, each side of the communication holds two keys [12].
tTESLA is employed for broadcast authentication from the controller, but is unsuitable for authentication between the nodes, as it cannot provide immediate authentication (nodes would have to wait for one tTESLA interval before receiving the disclosed M\AC key, increasing with the number of hops travelled). This is important, as it is mandatory for a message to be authenticated before it is sent or processed in order to maintain a secure network [17]. The use of pairwise keys for authentication is cited as a possible solution, but this would preclude passive participation. To combat this, the use of cluster keys is considered. This method would mean that every node authenticates a packet it transmits using its own cluster key as the M\AC key. The node in receipt of the packet first verifies the packet using the same cluster key received from the sending node in the "cluster key establishment phase", then authenticates the packet to its' neighbours with its own cluster key [17]. Implied is that the message is authenticated repeatedly on a hop-by-hop basis, if it traverses multiple hops. Even though only a small overhead is incurred (nodes only add one MAC to each packet), this method is flawed in that it is susceptible to insider attacks, should a node become compromised. What is instead proposed is a one-way hash key chain for one hop authentication [17]. Every node, under this scheme, generates a one-way key chain, of a certain length, and forwards the first key (commitment) to each of its neighbours, encrypted with the shared pairwise key. These keys are disclosed in reverse order, as the next key in the chain is sent whenever a node has a message to send. The reasoning is that a message sent to a neighbouring node will be received by that node before a forwarded copy of it (due to the triangular inequality of the distances between the nodes involved), and therefore, an adversary cannot use a key chain key of a node to impersonate it without being recognised as such (copies of messages can be disregarded). There remain a number of possible attacks, but are addressed by Zhu et al [17].
Responsibilities of the SM are carried out by the coordinator in a LR-WPAN (devices defined under the IEEE 802.15.4 standard). Devices in the network use initial trust parameters (pre-deployed recognition function) to establish the public key and ephemeral public key, which are in turn used for secure communication ofthe data payloads [18]. The overhead here will depend on the number of bits chosen for the elliptic curve system. An elliptical curve algorithm provides the same security for 160 bit key lengths as a symmetric algorithm can for 128 Byte lengths [18]. This level of security can then be increased as security needs to be increased and, therefore, allowing a variable overhead. The coordinator is (node with SM capabilities) is employed bining is sens nework T he to configure the sensor network by defining initial trust parameters such as base point and elliptic curve coefficientsto network devices The network devices then use initial trust parameters to establish permanent and public key and ephemeral public keys, subsequently used for secure communications of the actual payload. Network nodes are required to have th e ability to recognise a SM before initial trust parameters can be accepted. Another requirement of this system is that when a SM manager becomes lost or stolen (physical insecurity or possible battery failure) the network should be able to recover and continue seamlessly. trust
4
TABLE V.
SECURITY MANAGER
7m ;
Protocol
;
SM
Yes
l' t l= 9 = Y. O
;
v
0
No
Variable
> E
>
existing TinyOS stack. This increase seems large but it is a known and expected trade-off, and this increased energy consumption is still extremely low (0.000176 mAH). Also expected were message latency increases of 8% for TinySec&AE and 1.5% for TinySec-Auth [15]. Implemented in under 3000 lines of nesC code, TinySec is embeddedandinto the TOSSIM [19], in addition TinyOS, specifies the use ofsimulator Skipjack as the block cipher. to
¢
EC-MQV Initial trust
Yes
D. LEAP This protocol provides varying levels of security, enhanced the fact that a single keying method is unsuitable in many by cases in wireless sensor networks, and there are four types of keys defined under the protocol to increase security where necessary. Included is an efficient protocol for inter-node col In message authentication (one-way key chain). In network message processing is also supported, resultant from the key-sharing approach undertaken. This is useful as it restricts the damaging effects of node compromise in a network to the neighbouring nodes. It is claimed that the establishment of keys and their updating procedures are efficient, and that per-node memory .
III. EVALUATION The descriptions of the aforementioned authentication protocols allows for the construction of a comparison table (Table VI below), where they can be compared under similar headings. The table provides a look at the characteristics of the achiectre inoled,focssng he authentication uthntcaton security secrit architectures involved, focussing on the
audedtican efficiey
n
attributes of these protocols.
A. ZigBee Authentication Authentication mechanisms are written into the ZigBee specification as part of the Commercial Mode of operation. They can be implemented with relative ease, as a flag denoting the level of security (including authentication) required can be h securit level subfild, is used . he 3 A 3i bitaflagthe set. security level identifier '000' implies that no security is required, whereas '111' denotes the full encryption and authentication levels are required (16 byte M\AC) [8]. Implicitly there will be an increase in both message latency and power consumption. This is currently under investigation. The actual loss of network operation lifetime due to extra power consumed during the authentication process is as yet unknown, but it is not expected to be detrimental to the usefulness of ZigBee in wireless sensor networking.
requireent arelatency sall.figures furtesrore, and If consumption to-date,andaunablepow unavailable. this protocol is proven to be are, "scalable efficient in computation, communication and storage", it delivers some useful conventions [17].
E. Security Manager Under Heo and Hong's Security Manager scheme, there are two modes of operation [18]. These modes "high-security" and "medium-security" both require the initial trust primitive. This requires that each network node communicate with the Security Manager (or network coordinator) at the beginning to establish trust. The processes for key exchange and authentication are specified for each security mode. Recently it has been experimentally verified that authentication and key exchange protocols using optimised software implementations are viable for use with wireless sensor networking, and that the use of Elliptical Curve Cryptography over RSA can lead to significant energy savings
B. SPINS Due to the fact that SPINS was never fully completed or implemented, it cannot be considered further as an alternative authentication protocol for use with wireless sensor networks. Based on the use of tTESLA for time delayed key release authentication, it would never have been a successful optimal solution to the authentication problem in wireless sensor
[20].
networking.
Scalability for use with large scale wireless sensor networks could prove troublesome for the Security Manager approach, as every node in the network, due to it's distributed nature, may not come in range of the network coordinator. A solution to this could be to increase the number of nodes with Security Manager capabilities (similarly to cluster heads) to scale up with the size of the network. This ECC and Security Manager approach is included due to the scalable nature of ECC. The level of security required can be implemented easily by changing the key lengths. Obviously a trade-off between power conservation and security will still apply, but may be significantly less than that of the other public key approaches.
C. TinySec TinySec is somewhat proven as a solution to the security problem wireless sensor problem in wireless sensor networks.Since networks. Since its itS emergence it has
emergencuity
been integrated into TinyOS, and also into many other emerging applications developed by a number of companies. It does, however, rely on the CBC-MAC to perform authentication. And cannot be considered to be better from an authentication perspective than any other algorithm using the same scheme. There
heef ar.rsutaaiabedeaiin
netwode
e
usn th TinySe arhtetr [1] Enryws .hr sa increase of 300O for TinySec-Auth (authentication only) and lO0% for TinySec-AE (authentication and encryption), from the
5
TABLE VI.
AUTHENTICATION CHARACTERISTIC COMPARISON TABLE
V.
REFERENCES
[1] Akyildiz, I. F., Su, W., Sankarasubramaniam, Y. and Cayirci, E. (2002) 'A 7~~~~~~~ ~~~Survey on Sensor Networks', IEEE Communications Magazine, 40(8), 102H
ct
z
Protocol SPINS SPINS Yes
Yes
88 Bytes Bytes
Yes
Symmetric Delayed
LEAP
Yes
No
Variable
Yes
TINYSEC
Optional
No
Yes
ZigBee (CCM*)
Optional
Yes
4 Bytes 4, 8 or 16
P areiDeloed Variable
SMYes smYes
No
Variable
Yes
Bytes
Yes
Pre-Deployed
202 20
2003
Any
2004
Trust Center
2005
Initial Trust
20-MQ 206
tble iclude he year off publcation ubliction The tabe The incldes a clumn nting nting te a
coumn
yer
of each of the authentication mechanisms considered in this paper. What is illustrated is the progressive nature of this research area and suggests that this trend will continue until a
viable and agreeable solution is defined. Comparative power
consuptionduring consumptionthe implementation of each of the
protocols is currently under experimentation and results will be available at the time of presentation.
~~~~~~~~~~~~~114. [2] Bharathidasan, A., Anand, V., Ponduru, 5. (2001), Sensor Networks: An Department of Computer Science, University of California, Davis ~~~~~~~Overview, 2001. Technical Report
[3] Chee-Yee Chong, and Kumar, S. P. (2003), "Sensor Networks: Evolution, Opportunities, and Challenges", Proceedings of the IEEE, Vol. 91, No. 8, August 2003: IEEE, 1247-1256. [4] Perrig, A., Stankovic, J., Wagner, D. (2004), "Security in Wireless Sensor ~~Networks", Communications of the ACM,I 47(6), 53-57. [5] IEEE 802.15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Lo-w-Rate Wireless Personal Area Net-works (LR- WPANs) (2003), 3 Park Avenue, New York, USA: IEEE. [6] Liu, D., Ning, P., Zhu, S., Jajodia, 5. (2005) 'Practical Broadcast Authentication in Sensor Networks', The Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (Mo biQuitous '05), San Diego, California, USA, 17-2 1 July 2005: IEEE Computer Society Press, 118-132. [7] ZigBee Alliance (2006) ZigBee Security Specification Overview [online], available: http://www.zigbee.org/en/events/documents/dcember2OO5 ,,,,open. ,,,house ...,pres entations/zigbee security layer technical overview.pdf [accessed 12 Dec 06] [8] ZigBee Specification vl.0: ZigBee Specification (2005), San Ramon, CA, USA: ZigBee Alliance. Information Processing Standards Publication 197: Advanced [9] Federal Standard (AES) (2001), USA: National Institute of Standards and ~~~~~~~~~~~~~~Encryption
Technology (NIST).
[10] Sastry, N. and Wagner, D. (2004) 'Security Considerations for IEEE 802.15.4 Networks', Proceedings of the 2004 ACM Workshop on Wireless Philadelphia, PA, USA, October 1, 2004, New York, USA: ACM ~~~~~~~Press,32-42. [11] D. Whiting R. Housley and N. Ferguson, "Counter with CBC-MAC
~~~~~Security,
IV. IV.CONCLUSION CONCLUSION
Authentication remains to be a troublesome area within
wireless sensor networking. There are not currently many optios to inorde torouhly ecure optionavalabl avaiable o dsignrs desgnersin orer to tothoroghly their networks, with the minimal power and communications
scure
cost.
For commercial applications ZigBee is the most advanced
provider of authentication. This is as a result of the availability
ZigBee ready devices, generally plug and play, combining a numbe oofscurit leves ofproecton. of rotecion. numbr wth adjstabl ite, wih seuriysuits, djutabe lvel Trade-offs between prolonged network lifetime and high security implementation are to be expected, but can be evaluated before implementing an actual application. TinySec could be considered more useful to those developing wireless sensor networks; as it is embedded into TinyOS and the TOSSIM simulator, its operation can be more widely experimented. Its architecture remains rigid in
proviingaconsitentlevelof conistet leel ofprotctio, proviing prtecton, an ad hasbeen hasbeen
embraced by many sensor network developing companies and institutes due to its low overhead and minimal extra power consumption. For applications that require the highest levels of security with the least cost (military for example), the optimal soluton to asthat soluionhs ye as tobe yt b defned.Scalale dfine. Sclabl scuriy, secrity suh suc as hat provided by ECC, is desirable, but to-date a fully defined protocol is unavailable. The future goal of this research is to develop a new authentication protocol, through the combination of the most
(CCM)", RFC 3610, Internet Eng. Task Force, Sept. 2003. [12] Perrig, A., Szewczyk, R., Tygar, J.D., Wen, V. and Culler, D (2002) 'SPINS: Security Protocols for Sensor Networks', Wireless Netwvorks, 8(5),
521-534. [13] Kaps, J. -P. (2006) Cryptography for Ultra-Lowl Powler Devices, unpublished thesis (PhD), Worcester Polytechnic Institute. [14] Perrig, A., Canetti, R., Tygar, J.D. and Song, D. (2002) 'The TESLA Broadcast Authentication Protocol', CryptoBytes, 5(2), 2-13. [15] Karlof, C., Sastry, N., Wagner, D. (2004) 'TinySec: A Link Layer Architecture for Wireless Sensor Networks', Proceedings of the 2nd Security International Conference on Embedded Networked Sensor Systems, Baltimore, MD, USA, 03 - 05 November 2004, New York, NY, USA: ACM Press, 162 - 175.
[16] Levis, P., Madden, S., Gay, D., Polastre, J., Szewczyk, R., Woo, A.,
Brewer, E., Culler, D. (2004) 'The Emergence of Networking Abstractions and Techniques in TinyOS', Proceedings of the First Symposium on
Netwlorked Systems Design and Implementation, 29th-31st March, 2004, San Francisco, CA, USA. [17] Zhu, S., Setia, S., Jajodia, 5. (2003) 'LEAP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks', CCS '03, Washington D.C., USA, 27 - 31 October 2003, New York, USA: ACM Press,
62-72.
[18] Heo, J., Hong, C.S. (2006) "Efficient and Authenticated Key Agreement Mechanism in Low-Rate WPAN Environment", International Symposium on Wireless Pervasive Computing 2006, Phuket, Thailand 16 - 18 January 2006, IEEE 2006, 1-5. [19] Levis, P., Lee, N., Welsh, M & Culler, D. (2003) 'TOSSIM: Accurate and Scalable Simulation of Entire TinyOS Applications', Proceedings of the 1st International Conference on Embedded NetworkedSensor Systems, Los Angeles, California, USA, 05-07 Nov 2003, New York, USA: ACM Press, 126-137. [20] Wander, A. S., Gura, N., Eberle, H., Gupta, V., and Shantz, S. C. (2005)
