2005 ACM Symposium on Applied Computing

A ZKP-based Identification Scheme for Base Nodes in Wireless Sensor Networks

Dev Anshul and Suman Roy

Honeywell Technology Solutions Lab, 151/1, Doraisanipalya, Bannerghatta Road, Bangalore 560 076, India

ABSTRACT

Most of the published work on authentication mechanisms for wireless sensor networks establishes secure authentication for sensor nodes, but not for the base node that is in fact required to authenticate other nodes in the same network. This situation can lead to an attack whereby a malicious party masquerades as the base station and fraudulently authenticates other legitimate nodes to capture and/or inject messages within the network. The trust assumption in the existing literature with regard to base stations (i.e., implicitly trusting the base station) presents a serious security loophole. We address this problem by proposing a protocol that will help build a base station authentication mechanism in the framework of a one-hop mesh network and later extend it to a multi-hop framework. Our network would consist of a commissioning/installation device, and several forests of nodes (a base node and other nodes). The installation device would be responsible for deploying nodes in a selected area and would distribute information to them as necessary. We shall use a modification of the Guillou-Quisquater identification scheme as our Zero-Knowledge (ZK) protocol in conjunction with the µTESLA protocol for authenticated broadcast, to authenticate the base station.

Categories and Subject Descriptors
H.4 [Information Systems Applications]: Miscellaneous

General Terms
Algorithms, Design, Security

Keywords
Wireless security, sensor and ad hoc networks, base stations, security protocols, entity authentication, Zero-Knowledge protocol, Guillou-Quisquater protocol.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SAC'05, March 13-17, 2005, Santa Fe, New Mexico, USA. Copyright 2005 ACM 1-58113-964-0/05/0003 ...$5.00.

1. INTRODUCTION

Wireless sensor networks are different from conventional computer networks in many ways. The sensors are built to be inexpensive, low-power devices, and consequently have limited computational and communication resources. They form a self-organizing wireless network. Typical applications may periodically transmit sensor readings for processing. A typical network consists of nodes, small battery-powered devices that communicate with a more powerful base station, which in turn is connected to an outside network. The energy source on these devices is a small battery and computational resources are limited. Security-related communication overheads need to be minimized because wireless communication is the most energy-consuming function on these devices to begin with. Given the severe hardware and energy constraints, we must be careful in the choice of cryptographic primitives and security protocols to be used in these networks. The sensor nodes establish a routing forest, with a base station at the root of every tree. Periodic transmission of beacons allows nodes to create a routing topology. Each node can forward a message towards a base station, recognize packets addressed to it, and handle message broadcasts. The base station accesses individual nodes using secure routing. We assume that the base station has capabilities similar to the sensor nodes, except that it has sufficient battery power to surpass the lifetime of all sensor nodes, sufficient memory to store cryptographic keys, and means for communicating with outside networks. The communication patterns within wireless sensor networks are of the following types: node-to-base-station communication, base-station-to-node communication and node-to-node communication. Basic wireless communication is not secure. Because it is broadcast, any adversary can eavesdrop on traffic, inject new messages, and replay old messages.

The sensor network does not make any extraneous assumptions such as the existence of trustworthy nodes with a higher level of resources. Since base stations are involved in almost all kinds of communication (including node-to-node communication, which might happen via base nodes), they should be authenticated during the bootstrapping of nodes, using some suitable identification scheme. We shall use a Zero-Knowledge (ZK) protocol to achieve the identification of base nodes. More generally, a Zero-Knowledge protocol allows a proof of the truth of an assertion, while conveying no information whatsoever about the assertion itself other than its actual truth. We shall assume that a base station B possesses some secret s, and attempts to convince all nodes in its tree that it knows s by correctly responding to requests (involving publicly known inputs and agreed-upon functions) which require knowledge of s to answer. We use a modified version of the Guillou-Quisquater (GQ) identification scheme as our Zero-Knowledge protocol, which seems to be efficient in the highly resource-constrained environment of wireless sensor networks.

Related work

In [5], an efficient authenticated key establishment protocol between a sensor node and a security manager in an imbalanced ZigBee wireless sensor network has been considered. This scheme eliminates high-cost public-key operations at the sensor side and replaces them with efficient symmetric-key based operations. In [8], the authors present a suite of security protocols for sensor networks, which they call SPINS. SPINS consists of two secure building blocks: SNEP and µTESLA. SNEP includes data confidentiality, two-party data authentication and evidence of data freshness, and µTESLA provides authenticated broadcast for severely resource-constrained environments. µTESLA provides only data authentication. In [9], the authors propose new cryptographic schemes such as replication and threshold cryptography for ad hoc wireless networks to build a highly secure and available key management service. This forms the core of their security framework. In the trust requirements for most of the published wireless sensor network security architectures, the base station is commonly assumed to be trusted completely. Since the base station is the gateway for nodes to communicate with the outside world, compromising the base station can render the entire sensor network useless [8]. Over-reliance on base stations exposes vulnerabilities [2]. As they are few and expensive, it might be tempting to rely on them as a source of trust, but this invites attacks on the base stations and limits the application of other security protocols. Thus considering base stations as a necessary part of the trusted computing machinery becomes questionable.

2. SYSTEM ASSUMPTIONS

We shall define the system architecture and trust requirements in this section.

2.1 Communication Architecture

Most communications in sensor networks involve the base station. Based on the manner in which sensor nodes communicate with the base station, we can classify sensor networks into two categories: master-slave networks and mesh networks [1]. In master-slave networks, the sensor nodes communicate directly with the base station in one hop. The base station allocates predefined time slots for the sensors, and the sensors communicate during these slots only. Mesh networks are ad hoc networks, in which a collection of autonomous nodes or terminals communicate with each other, forming a multi-hop radio network that maintains connectivity in a decentralized manner. Each node in a network functions both as a host and a router, and the control of the network is distributed among the nodes. As a result, a packet originating from a sensor beyond the radio range of the base station may have to hop through many intermediate nodes before reaching the base station. The network topology is in general dynamic, because the connectivity among the nodes may vary with time due to node departures, new node arrivals, and the possibility of having mobile nodes. For our purpose, we will consider a mesh network which uses a single hop, i.e., all nodes lie within communication range of each other, and then propose an extension to a multi-hop framework.

2.2 Trust Requirements

Generally sensor networks may be deployed in adverse locations. While it may be possible to guarantee the integrity of each node through dedicated micro-controllers, such an architecture assumption is too restrictive and does not generalize to the majority of sensor networks. Instead we assume that individual sensors are not trusted. Basic wireless communication is not secure: as it is broadcast, any adversary can eavesdrop on traffic, inject new messages, and replay old messages. Our protocols will not place any trust assumptions on the communication infrastructure, except that the messages are delivered with non-zero probability. It is clear that placing implicit trust in the base station is a hazardous assumption, and so our trust setup requires the base station to be authenticated by providing suitable information at the installation phase and subsequently whenever necessary. We also assume that each node trusts itself, which is necessary to make any forward progress. This is a reasonable assumption because sensor nodes are low-cost devices and having tamper-resistant hardware installed in them would push up their cost manyfold.

3. ZKP-BASED IDENTIFICATION

In currently existing security architectures for sensor networks, the base stations are assumed to be a necessary part of the trusted computing base, which is an assumption that might lead to a gaping security loophole. As the fundamental nature of communication is broadcast, a malicious node can masquerade as the base station after the deployment phase of the network and start communicating with the other sensors in very specific ways to suit its subversive intentions. If the other nodes are able to authenticate the base station then such attacks can be prevented. In order to identify a base station we shall use a modified version of the Guillou-Quisquater (GQ) identification scheme as our Zero-Knowledge (ZK) protocol in conjunction with the µTESLA protocol [8]. For our purpose, we initially consider a mesh network of sensor nodes in a single-hop communication mode, i.e., each sensor node can communicate with any other node in the network. We assume that the network consists of a single base node and other nodes. The nodes will initially choose a node amongst themselves to put forth a query to the base station regarding the challenge e. For successive authentications, this node will be chosen in a round-robin manner from amongst nodes that are above a minimum specified battery level. In the first round of the protocol, the chosen node asks the base station to identify itself by broadcasting a challenge e to which the base station must respond. The challenge is broadcast because otherwise it would be possible for a fraudulent base station to fool the protocol by replacing the given challenge with its own challenge. In the last round of the protocol the base station will broadcast the authentication message to all the nodes using the µTESLA protocol [8].

3.1 The identification scheme

The Guillou-Quisquater (GQ) identification scheme is an extension of the Fiat-Shamir protocol [6]. It allows a reduction in both the number of messages exchanged and the memory requirements for user secrets and, like Fiat-Shamir, is suitable for applications in which the claimant has limited power and memory. It involves three messages between a claimant whose identity is to be corroborated (i.e., the base station B) and a verifier, possibly a representative sensor node Q. See [6] for a detailed discussion of the GQ protocol. Below we discuss a modified version of the GQ protocol which we propose to suit our purpose.

Protocol A: Modified version of the GQ protocol

In what follows, Q is a requester sensor node, B is the prover base node, and S is the set of all sensor nodes in the network, including Q (each sensor node in the network is a verifier). We may assume that for a sensor network the ID of the base node, $I_B$, is stored on each node in the network and does not need to be explicitly transmitted (appropriate modifications can be made in case this assumption is to be changed).

SUMMARY: B proves its identity (via the knowledge of a secret $s_B$) to S in a 2-pass protocol.

1. Selection of system parameters.
• An authority T, trusted by all parties with respect to binding identities to public keys, selects secret random RSA-like primes p and q yielding a modulus n = pq. (As for RSA, it must be computationally infeasible to factor n.)
• T defines a public exponent v ≥ 3 with gcd(v, φ) = 1, where φ = (p − 1)(q − 1) is the Euler totient of n, and computes its private exponent $s = v^{-1} \bmod \phi$.
• System parameters (v, n) are available (with guaranteed authenticity) to all users, for instance through factory-fitted tamper-resistant hardware (this assumption is justifiable because base nodes are relatively few in number and expensive).
• T chooses a public one-way function h : W → W, where $W = \{a \in \{0,1\}^{\lceil \log_2 n \rceil} \mid 1 \le \mathrm{val}(a) < n\}$, and $\mathrm{val} : \{0,1\}^k \to \mathbb{N}$ with $k \in \mathbb{Z}^+$ is the function that maps binary strings to their corresponding natural number values. The function h(·) is programmed into each sensor device and the base station.

2. Selection of per-user parameters.
• The base node B is given a unique identity $I_B$, from which (the redundant identity) $J_B = f(I_B)$, satisfying $1 < J_B < n$, is derived using a known redundancy function f(·).
• T gives to B the secret (accreditation data) $s_B = J_B^{-s} \bmod n$.
• The base node B computes a sequence $\{r_i\}$ of values as follows: B first selects a random positive integer r < n, and then calculates $h(r), h^2(r), \ldots, h^k(r)$ (where $h^i$ denotes i applications of h), to obtain a one-way sequence of length k + 1. k + 1 must be long enough for the lifetime of the network, or the life of the base station's battery. B performs the following computations:
(a) $r_k = r$.
(b) For $i = k, k-1, \ldots, 1$: $r_{i-1} = h(r_i)$.
The sequence $\{r_0, r_1, \ldots, r_k\}$ defines a reverse one-way chain of k + 1 values which B stores in its secondary storage for further usage.

3. Protocol messages. For authentication number i, there is one round with two messages, as follows:
Q → B ∪ S : e (where 1 ≤ e ≤ v) (1)
B → S : $\{r_i, x, y\}$ (where $r_i = h^{k-i}(r_k)$, $x = r_i^v \bmod n$ and $y = r_i \cdot s_B^e \bmod n$) (2)

4. Protocol actions. B proves its identity to S in the i-th base node authentication by the following; the members of S accept the identity only if all the verifications discussed below are successful:
• Q selects a random integer e (the challenge), 1 ≤ e ≤ v, and sends it to B.
• B selects the i-th one-way sequence member $r_i$ (the commitment), and computes the witness $x = r_i^v \bmod n$. B also computes $y = r_i \cdot s_B^e \bmod n$.
• B sends to each node R in S the composite message $\{r_i, x, y\}$ through authenticated broadcast using µTESLA.
• Each member R of S receives the above message and verifies the following:
(a) $x = r_i^v \bmod n$;
(b) using $I_B$ and the known redundancy function f, each R computes $J_B$ (or retrieves it from storage). It further computes $z = J_B^e \cdot y^v \bmod n$ and checks that both z = x and z ≠ 0;
(c) $r_{i-1} = h(r_i)$, where each sensor node stores the commitment from the last authentication i − 1 for the next authentication i, except for $r_0$: the authentication commitment issued at network initialization.
Each node carries out these verifications and authenticates the base node on completion of the same.

Remark 1. Modular exponentiation by repeated squaring has time complexity O(lg x) (where x is the exponent). Using the base-case multiplication method for arbitrary precision arithmetic one gets time complexity O(MN), where M, N are the sizes in bits of the multiplicands. The time complexity of one squaring is in $\frac{1}{1.5} O(N^2)$, where N is the size in bits of the squared integer. Using Karatsuba multiplication the time complexity of multiplication becomes $O(N^{\ln 3 / \ln 2}) \approx O(N^{1.585})$ (where N is the adjusted size of each multiplicand), with a minimum threshold value of about 320 bits for the constants to produce a faster multiplication than the base-case multiplication method. The similar minimum threshold for Karatsuba squaring is about twice that for multiplication, which means about 640 bits. For adequate security in the context of wireless sensor networks we may assume that the size of the modulus n is about 512 bits. Using this value N = 512 we get, for the exponentiation and multiplication operations performed on a sensor node, a total time complexity of about $(\lg e + \lg v) \cdot \frac{1}{1.5} N^2 + N^{1.585} = 3165416$ operations. Assuming a clock speed of 3 arithmetic MIPS on a typical sensor microprocessor, this entire series of arithmetic operations should not exceed 2-3 seconds, taking into account the constant multipliers in the time complexity order expressions.

3.2 Analysis of the modified protocol

The protocol must be robust against any attempt by a malicious base node B′ to pass the authentication without knowledge of the secret $s_B$. If the base node happens to possess the genuine secret $s_B$, there would be no incentive for it to cheat, so a cheater is implicitly assumed not to possess the secret $s_B$. We look at the possible ways in which a fraudulent base node B′ can try to cheat:

1. B′ could try to use his own value e′ instead of the genuine challenge e sent by Q. He will be caught when he tries to do this, since the challenge e is broadcast by Q to all nodes in the network.


2. Suppose B′ has complete freedom in choosing the message elements in $\{r_i, x, y\}$. In that case, for his broadcast message $\{r_i, x, y\}$, he must choose e, $r_i$, and a false secret $s'_B$ so as to satisfy
$J_B^e \cdot y^v \equiv r_i^v \pmod n$
$\Rightarrow J_B^e \cdot (r_i \cdot s'^{\,e}_B)^v \equiv r_i^v \pmod n$
$\Rightarrow J_B^e \cdot s'^{\,ev}_B \cdot r_i^v \equiv r_i^v \pmod n$
The assumption that n is difficult to factor implies $\gcd(r_i^v, n) = 1$, and so we get from the above congruence, on dividing both sides by $r_i^v$ and changing the notation to imply operations in $\mathbb{Z}_n^*$, $J_B^e \cdot s'^{\,ev}_B = 1$. Now let $a = s'^{\,ev}_B$, to be computed as $a = J_B^{-e}$ in $\mathbb{Z}_n^*$ on choosing an arbitrary $e \in \mathbb{Z}_n^*$. So B′ is able to deduce the required $s'^{\,ev}_B$, but not the required $s'_B$ itself. Indeed, in order to determine the required $s'_B$ from $a = s'^{\,ev}_B$, B′ would need to find an ev-th root in $\mathbb{Z}_n^*$, which is computationally infeasible by the intractability of the factorization of n. Now, in order to compute $y = r_i \cdot s'^{\,e}_B$, B′ would need to determine the v-th root of a, which again is computationally infeasible due to the intractability of the factorization of n. Thus in this case B′ would fail to construct a y that can pass the test in his broadcast message $\{r_i, x, y\}$. If he tries to use some other value y′, the second test $z = J_B^e \cdot y'^v \bmod n = x$ would necessarily fail.

3. Suppose B′ tries to cheat in the classical cheating mode of the GQ protocol, i.e., by using his own value of the challenge, e′, choosing an arbitrary y, and constructing $x = J_B^{e'} \cdot y^v \bmod n$. In this case, B′ would have to, in addition, compute an $r_i$ such that $x = r_i^v = J_B^{e'} \cdot y^v \bmod n$, i.e., he would have to find a v-th root in $\mathbb{Z}_n^*$, which is computationally infeasible by the intractability of the factorization of n. Then there is the additional difficulty that $r_i$ is part of a one-way sequence and would also have to satisfy $r_{i-1} = h(r_i)$. Thus, the conventional method of defeating the GQ protocol is prevented by the fact that in the modified protocol, B′ has to broadcast the commitment $r_i$.

4. B′ might try to cheat by replaying a captured message $\{r_i, x, y\}$ after having captured the same from a previous broadcast made by a genuine base node B. In this case, the one-way sequence commitment $r_i$ would ensure that he is not able to pass the authentication. Since h(·) is a one-way function, and $r_i = h(r_{i+1})$, B′ has no way of predicting $r_i$ even if he has successfully captured all the values $\{r_j\}_{j=0}^{i-1}$. The third verification $r_{i-1} = h(r_i)$ ensures that such a replay attack by B′ is ruled out.

This seems to cover all the substantial ways of cheating that can be employed by a malicious base node B′ which does not happen to possess the genuine secret $s_B$.

Remark 2.
1. The Zero-Knowledge property of GQ is not altered by this modification. The only additional information obtained by the verifier in the modification is the commitment $r_i$, which was kept secret in the original GQ protocol. Does this help any verifier to compute the secret $s_B$? Not quite, for a verifier can compute $s_B^e$ in $\mathbb{Z}_n^*$ by knowing $y = r_i \cdot s_B^e$ and $r_i$, but computing $s_B$ from $s_B^e$ in $\mathbb{Z}_n^*$ would require him to find an e-th root in $\mathbb{Z}_n^*$, which is computationally infeasible by the difficulty of factoring n. This ensures that the protocol remains Zero-Knowledge even in the modified version.
2. Instead of storing the complete reverse one-way sequence $\{r_i\}_{i=0}^{k}$, B could alternatively store only the last element $r_k$ and compute the commitment for the i-th authentication as $r_i = h^{k-i}(r_k)$. This entails a saving in secondary storage memory for B at the cost of higher computational overhead in determining the commitment $r_i$ for authentication i. This approach is suitable for base nodes which do not have a large quantity of secondary storage memory relative to their battery lifetime. For base stations that have medium amounts of secondary storage memory and computation power, a hybrid approach that optimizes both computation and storage might be adopted; deriving such an approach within the given framework is straightforward.

3.3 µTESLA overview

Authenticated broadcast requires an asymmetric mechanism, otherwise any compromised receiver could forge messages from the sender. Unfortunately, asymmetric cryptographic mechanisms have high computation, communication and storage overhead, making their usage on resource-constrained devices impractical. µTESLA overcomes this problem by introducing asymmetry through a delayed disclosure of symmetric keys, which results in an efficient broadcast authentication scheme (cf. [8]). µTESLA requires that the base station and nodes be loosely time synchronized, and that each node knows an upper bound on the maximum synchronization error. To send an authenticated packet, the base station computes a MAC on the packet with a key which is secret at that point in time. When a node gets a packet, it can verify that the corresponding MAC key was not yet disclosed by the base station (based on its loosely synchronized clock, its maximum synchronization error, and the time schedule at which keys are disclosed). Since a receiving node is assured that the MAC key is known only by the base station, the receiving node is assured that no adversary could have altered the packet in transit. The node stores the packet in a buffer. At the time of key disclosure, the base station broadcasts the verification key to all receivers. When a node receives the disclosed key, it can verify the correctness of the key. If the key is correct, the node can use it to authenticate the packet stored in the buffer. Each MAC key is a key belonging to a one-way key chain, generated by a public key one-way function F. To generate the one-way key chain, the sender chooses the last key $K_n$ of the chain randomly, and repeatedly applies F to compute all other keys: $K_i = F(K_{i+1})$. Each node can easily perform time synchronization and retrieve an authenticated key of the key chain for the commitment in a secure and authenticated manner.

For our protocol, the base station can break the message $(r_i, x, y)$ into two packets $P_1 = (r_i, x)$ and $P_2 = (e, y)$ and broadcast them using the µTESLA protocol.

4. EXTENSION OF THE PROPOSED PROTOCOL TO A MULTI-HOP FRAMEWORK

Towards this we need to ensure that the challenge e sent by the requester node Q and also the authentication message sent by the base station B reach all the nodes in a multi-hop network. To enable the node broadcast of the challenge e to propagate to other nodes in multi-hop communication, we propose a variant of the method described in the section on "Scalable Variation" in [4], in the following manner: we assume that there is an unkeyed one-way function F known publicly throughout the network, a keyed MAC function MAC, and a randomly generated session secret $K_Q$ of the requester node Q. The successive temporary node keys are generated by the relation $K_{Q_i} = F^{n-i}(K_Q)$, $i = 0, \ldots, n$. For the sake of illustration, let us assume that e is broken into two data packets $P_1$ and $P_2$. Then the transmission from Q to one of the nodes in its one-hop neighborhood, $Q_1$, would consist of the following three messages:

Q → $Q_1$ : $ID_Q \mid P_1 \mid MAC_{K_{Q_0}}(P_1)$ (1)
Q → $Q_1$ : $ID_Q \mid P_2 \mid K_{Q_0} \mid MAC_{K_{Q_1}}(P_2)$ (2)
Q → $Q_1$ : $ID_Q \mid K_{Q_1}$ (3)

The delayed key disclosure illustrated here is for an interval of one packet, but this may be increased in a particular implementation. On receiving the second packet, $Q_1$ is able to authenticate $P_1$, and on receiving the third packet, $Q_1$ is able to authenticate $P_2$. To extend this broadcast mechanism to multi-hop networks, $Q_1$ follows a similar mechanism to broadcast e to nodes deeper in the network, and so on. An obvious drawback of this multi-hop extension is that a compromised node can launch a DoS attack on parts of the network by broadcasting a modified value of e. A compromised node can do so by using a correct authentication tag computed using the correct keys of Q and the correct ID of Q, on a false challenge e′, so that the genuine base station B fails the authentication with the nodes to which the compromised node broadcasts the doctored message, when B broadcasts its genuine authentication message $\{r_i, x, y\}$. The basic µTESLA protocol applies to networks in which the base station is able to reach all nodes within a single hop, and our protocol has been designed for such networks. However, to extend the base station broadcast scheme to multi-hop networks, we need to consider ways of extending the basic µTESLA protocol. For this purpose, we assume that all nodes in the network share knowledge of a secret un-keyed hash function g(·). One of the nodes Q in the one-hop neighborhood of the base station B receives the authentication message $\{r_i, x, y\}$ from B through authenticated broadcast using µTESLA, and broadcasts the authentication message $\{r_i, x, y\}$ along with the hash value $g(r_i \mid x \mid y)$ to the nodes deeper in the network. These nodes can authenticate the message by computing the hash on the received authentication message $\{r_i, x, y\}$ and comparing it with the received hash to verify that they match, and re-transmit the authentication message and the hash to deeper layers of the network in a similar manner, and so on.
Although this scheme would prevent a man-in-the-middle DoS attack by keeping the un-keyed hash function g(·) secret, it suffers from the drawback that a single compromised node can launch a DoS attack by modifying the authentication message {ri , x, y} and transmitting a false authentication message with a genuine authentication tag, and thereby falsely implicate a genuine base station.
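The delayed key disclosure of Section 3.3 and messages (1)-(3) of Section 4, as an added example that is not part of the original paper; it serves both passages. It assumes SHA-256 (truncated) for the unkeyed one-way function F, HMAC-SHA256 with an 8-byte tag for MAC, a four-key chain derived from a random session secret $K_Q$, and, as µTESLA requires, that $Q_1$ already holds an authenticated commitment $F(K_{Q_0})$ to Q's chain; the two packets $P_1, P_2$ are constructed stand-ins for the halves of e. A tampered $P_1$ fails its MAC once $K_{Q_0}$ is disclosed, while the untouched $P_2$ still authenticates.

```python
import hashlib
import hmac
import secrets

def F(key: bytes) -> bytes:
    """Public unkeyed one-way function F (assumed: SHA-256 truncated to 16 bytes)."""
    return hashlib.sha256(key).digest()[:16]

def mac(key: bytes, data: bytes) -> bytes:
    """Keyed MAC (assumed: HMAC-SHA256 with the tag truncated to 8 bytes)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def make_key_chain(k_q: bytes, n: int) -> list:
    """Temporary keys K_{Q_i} = F^{n-i}(K_Q), i = 0..n; K_{Q_0} is disclosed first."""
    chain = [None] * (n + 1)
    chain[n] = k_q
    for i in range(n - 1, -1, -1):
        chain[i] = F(chain[i + 1])
    return chain

def requester_messages(id_q: bytes, p1: bytes, p2: bytes, keys: list) -> list:
    """Messages (1)-(3) from Q to Q_1 as (ID_Q, packet, disclosed key, tag) tuples."""
    return [
        (id_q, p1, None, mac(keys[0], p1)),        # (1) ID_Q | P1 | MAC_{K_Q0}(P1)
        (id_q, p2, keys[0], mac(keys[1], p2)),     # (2) ID_Q | P2 | K_Q0 | MAC_{K_Q1}(P2)
        (id_q, None, keys[1], None),               # (3) ID_Q | K_Q1
    ]

class Neighbour:
    """Q_1: buffers each packet until the key that tagged it is disclosed one message later."""

    def __init__(self, id_q: bytes, commitment: bytes):
        self.id_q = id_q
        self.last_key = commitment     # assumed: authenticated commitment F(K_Q0) held by Q_1
        self.pending = []              # (packet, tag) pairs waiting for their key
        self.authenticated = []

    def receive(self, msg: tuple) -> None:
        id_q, packet, disclosed, tag = msg
        if id_q != self.id_q:
            return
        if disclosed is not None:
            # A disclosed key is genuine only if it hashes to the previously verified key.
            if F(disclosed) != self.last_key:
                return                 # bogus key: drop the whole message
            self.last_key = disclosed
            if self.pending:
                p, t = self.pending.pop(0)
                if hmac.compare_digest(mac(disclosed, p), t):
                    self.authenticated.append(p)
        if packet is not None:
            self.pending.append((packet, tag))

def run_exchange(tamper: bool = False) -> list:
    """Deliver messages (1)-(3); with tamper=True P1 is altered in transit before K_Q0 is known."""
    id_q = b"Q"
    keys = make_key_chain(secrets.token_bytes(16), 4)      # K_Q: Q's random session secret
    q1 = Neighbour(id_q, F(keys[0]))
    p1, p2 = b"e-part-1", b"e-part-2"                      # constructed halves of the challenge e
    for idx, msg in enumerate(requester_messages(id_q, p1, p2, keys)):
        if tamper and idx == 0:
            msg = (msg[0], b"e-part-X", msg[2], msg[3])    # payload changed, tag left as sent
        q1.receive(msg)
    return q1.authenticated

if __name__ == "__main__":
    print(run_exchange())              # [b'e-part-1', b'e-part-2']
    print(run_exchange(tamper=True))   # [b'e-part-2']: the altered P1 fails its MAC
```

The check $F(K_{Q_1}) = K_{Q_0}$ in `receive` is what lets $Q_1$ reject fabricated keys without any shared secret; the one-message disclosure interval matches the text, and a longer interval only means a deeper `pending` buffer. The check does nothing against the limitation the paper itself states: a forwarding node that has already received a disclosed key can re-tag a modified packet with it, so downstream nodes should treat a challenge that later fails the base station's authentication as a sign of a compromised forwarder rather than of a bad base station.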

5. CONCLUSION

The novelty of our scheme is the use of a variant of a Zero-Knowledge protocol where, instead of a single party, a group of nodes verifies the identity of the base node in the network. In a digital-signature based authentication method, a certificate chain is required in order to certify the public key of even a single entity. While this approach may be feasible for computer networks, it becomes very difficult to use in wireless sensor networks due to the huge communication and computation overheads. Hence our approach is more suited to resource-constrained wireless sensor networks. Since the GQ scheme is not provably secure, an interesting piece of future work would be to use another (possibly) three-move identification scheme (Okamoto [7]) which is provably secure. Using a ZKP over the Galois field $GF(2^m)$ instead of $\mathbb{Z}_n^*$ would significantly reduce the code size of the software implementation, code size typically being a severe limitation for sensor devices.

6. PRACTICAL ISSUES

Our modification of the GQ protocol holds a lot of promise for implementation in the resource-constrained environment of wireless sensor networks as it is efficient in terms of communication, computation, bandwidth and memory for secrets. The original version of the GQ protocol had been designed to fit into a security microprocessor [3], minimizing transmission and memory. We quote their claim: "the protocol requires 10-16 bits for a local authentication, 20-30 bits for a remote authentication, and at least 60 bits for signature schemes based upon non-interactive zero-knowledge techniques". As claimed in [8], the µTESLA protocol uses about 574 bytes of code space. For a popular radio with an optimized 8051 core processor having 32 KB total code space, the available code space is about 22 KB, excluding the code space for the TinyOS scheduler and RF libraries. The smallest version of the other cryptographic routines occupies about 20% of the code space, thereby leaving about 16 KB, which can easily accommodate both our protocol and µTESLA.

7. REFERENCES

[1] D. Bertsekas and R. Gallager. Data Networks. Prentice Hall of India, 2nd edition, 2002.
[2] H. Chan, A. Perrig, and D. Song. Random key predistribution schemes for sensor networks. In IEEE Symposium on Security and Privacy, 2003. Preliminary version in 17th STOC, 1985.
[3] L. C. Guillou and J.-J. Quisquater. A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In C. G. Guenther, editor, Advances in Cryptology - EUROCRYPT'88, volume 330 of LNCS, pages 123-128. Springer, 1988.
[4] L. Hu and D. Evans. Secure aggregation for wireless networks. In IEEE Symposium on Applications and the Internet Workshops, January 2003.
[5] Q. Huang, J. Cukier, H. Kobayashi, B. Liu, and J. Zhang. Fast authenticated key establishment protocols for ZigBee wireless sensor networks. Technical Report TR-20030-102, MERL - A Mitsubishi Electric Research Laboratory, August 2003.
[6] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, fifth reprint edition, August 2001.
[7] T. Okamoto. Provably secure and practical identification schemes and corresponding signature schemes. In Advances in Cryptology - CRYPTO 92, volume 740 of LNCS, pages 31-53. Springer, 1992.
[8] A. Perrig, R. Szewczyk, V. Wen, J. D. Tygar, and D. E. Culler. SPINS: Security protocols for sensor networks. Wireless Networks, 8:521-534, 2002.
[9] L. Zhou and Z. J. Haas. Securing ad hoc networks. IEEE Network Magazine, 13(6), 1999.