Dynamic Clustering for IoT Key Management in Hostile Application Area

Soumaya Souaidi (1), Tayeb Kenaza (1), Badis Djamaa (1), Monther Aldwairi (2)

(1) Information security laboratory, Ecole Militaire Polytechnique, Algeria
(2) College of Technological Innovation, Zayed University, P.O. Box 144534 Abu Dhabi, United Arab Emirates

Abstract. IoT development has drawn the attention of researchers, some of whom make assumptions regarding the use of clustering in their key management schemes. For example, in the CL-EKM (Certificateless Effective Key Management) protocol, cluster heads are assumed to have high processing capabilities and to be deployed within a grid topology. In fact, this is only possible in a controlled environment. In a hostile environment, such as a battlefield, this assumption cannot be satisfied. In this work, an enhancement of the CL-EKM scheme is proposed by introducing a distributed clustering algorithm. The performance of the implemented and enhanced system confirmed our assumptions.

Keywords: Clustering, certificate-less public key cryptography, key management, Internet of Things (IoT) security, Elliptic curve cryptography (ECC), Certificate-less Effective Key Management (CL-EKM), dynamic networks, mobility.

1 Introduction

Due to recent technological developments, the IoT has grown, and it raises questions concerning the security of people and property. This security can be ensured by securing the communications and the management of mobility in the network, since the mobility of the objects is the main feature of the IoT [1]. Since ECC (Elliptic curve cryptography) is more efficient in terms of computation and ensures high security with only a short key [2], several approaches based on it have been proposed. For example, Chatterjee et al. [3] proposed an ID-PKC (Identity-based Public Key Cryptography) based key management scheme. However, the pairing operations in this scheme are very expensive in terms of energy and calculation time compared to standard operations like ECC point multiplication. Alagheband et al. [4] proposed an ECC-based signcryption scheme for key management. Unfortunately, their proposal was insecure against message forgery.

CL-EKM (Certificate-Less Effective Key Management) is a certificate-less key management scheme proposed by Seo et al. [5], which supports the creation, distribution and revocation of four (04) key types. They assume that the cluster heads are of a different type from the ordinary nodes, with higher computation power and backup, that their deployment is deterministic and uniform, and that their role is predefined. This assumption makes deployment very difficult in the real world because it is only possible in a controlled environment. In hostile environments such as battlefields or forest fire monitoring, this assumption cannot be satisfied.

This fact encouraged us to propose an improved version of the CL-EKM protocol that allows the creation, distribution and revocation of four keys. It is designed to protect a dynamic network against various attacks such as compromised node, cloning and impersonation attacks, and to ensure forward and backward secrecy. After the analysis of [6, 7], the clustering phase was improved by proposing the use of a distributed clustering algorithm. Cluster heads should be changed periodically to balance the nodes' energy consumption. All these operations regarding a distributed clustering algorithm have been implemented and evaluated to highlight the effect of the proposed improvements.

The rest of this paper is organized as follows: Section 2 gives an overview of the proposed improvements. Section 3 presents the detailed implementation. The performance analysis results are discussed in Section 4, followed by a conclusion.

2 Overview

Seo et al. [5] suppose that the cluster heads are of a different nature from the ordinary nodes, with higher performance in terms of processing and storage. Besides, the cluster heads (CH) are static and their role is predefined. In addition, their deployment is deterministic and they are uniformly scattered in the network according to a grid. This assumption is unrealistic, especially in hostile environments. Our solution aims to consider the general case of a dynamic distributed network. The following subsections explain the general scheme based on dynamic clustering.

2.1 Key types

Like CL-EKM [5], the modified scheme requires the use of four (04) types of keys:

• Partial Public/Private Key: The KGC (Key Generation Center) in the base station (BS) generates a unique pair of private/public keys for each node.
• Individual Node Key: Each node in the network shares with the BS a unique individual key used to encrypt the messages exchanged between them.
• Pairwise Key: Each node shares a different key with each of its neighbors. This key is used to encrypt the messages exchanged between the node and its neighbor.
• Cluster Key: In a cluster, all the members share a unique key called the cluster key or group key. This key is used to encrypt the messages broadcast in the cluster.

2.2 Protocol scheme

The scheme is composed of six (06) phases, namely:

1) The system setup phase, where the system parameters are fixed; it takes place before the deployment of the network;
2) The pairwise key generation phase, in which all nodes establish their pairwise keys;
3) The cluster forming phase, where the clusters are formed by executing the LEACH (Low Energy Adaptive Clustering Hierarchy) clustering algorithm, then the group keys are established;
4) The key updating phase, which is executed periodically to update the encryption and the group keys;
5) The node movement phase, where the nodes can move within the network;
6) Last but not least, the node revocation phase, where some nodes can be considered malicious and excluded from the network with all their keys.

The general diagram of the proposed scheme is illustrated in Fig. 1, where the colored zones represent the phases in which we have intervened. After going into the steady state, the nodes use AES-128 to encrypt the exchanged messages.

Fig. 1. Protocol scheme.

2.3 Implemented improvements

CL-EKM is a certificate-less key management scheme provided by [5], which supports the creation, backup, and revocation of the four (04) key types listed above. It is designed to protect a dynamic network against various attacks such as replication attack and compromised key attack. Our improvements can be summarized as follows:

1. Key management: a key pre-distribution method was implemented, where all the nodes retrieve their individual and partial keys from the KGC in the system setup phase before the deployment.
2. Unlike CL-EKM [5], where the CH are powerful, predefined and immobile, the improved scheme chooses the CH periodically in the cluster forming step. They are mobile and can move, giving up their cluster head role while joining another CH.
3. In the cluster forming phase we aim to consider the general case of a dynamic distributed network where all the nodes have identical features and are randomly deployed. Thus, we integrated a distributed clustering algorithm, namely LEACH, which is periodically launched to allow all nodes in the network to become CH, in order to balance the power consumption and extend network lifetime.

The proposed solution is based on the following assumptions:

• The base station (BS) is powerful and cannot be compromised;
• The KGC is at the base station;
• Random deployment, where the neighbors of each node are not known before deployment;
• All nodes are identical in terms of energy, computing capacity and storage.

3 Implementation

3.1 System setup

A key pre-distribution mechanism was adopted in our proposed scheme to obtain the system parameters and the nodes' secret information before deployment. In order to create the individual keys, partial private/public keys and the primary private/public key, we implemented a firmware on the KGC that calculates the listed keys in the following order:

• Generate the primary public/private key;
• For each node, generate the partial public/private key;
• For each node, compute the individual key using ECDH (Elliptic Curve Diffie-Hellman) [8].

3.2 Pairwise key generation

The output of this step is the pairwise master key PMK, which is used to establish the second key, the encryption (or session) key PEK, used later to encrypt the exchanged messages. This step is triggered by a node A broadcasting its identifier and public key. On reception of this advertisement, each neighbor B of this node starts the encapsulation process to generate an encapsulation set denoted ΦB and the pairwise master key of the two nodes A and B, denoted PMK. After that, node B sends the obtained encapsulation set ΦB along with its identifier and public key to node A (the advertising node). Once the message is received, node A starts the decapsulation process to obtain PMK. Afterward, node A calculates the pairwise encryption key PEK using a random number r. Then it sends r to node B, which calculates PEK.

3.3 Cluster forming

After establishment of the pairwise keys, the clustering phase is executed to divide the network into subgroups named clusters. This phase is run periodically to allow all nodes to become cluster heads, in order to balance the energy consumption and extend the network lifetime. This phase uses the clustering algorithm LEACH [9] and is executed in two (02) stages:

a. Cluster head designation

Each node calculates its probability of becoming a cluster head and compares it to a random number; if it is greater than this number, the node takes the role of cluster head. Later, the cluster head invites its neighbors to join it. Ordinary nodes may receive more than one invitation message. Therefore, they wait for some random time to ensure the reception of all advertisements, then choose the cluster head with the highest RSSI (Radio Signal Strength Indication), as it gives a sign of the neighbors' position (near or far) and their residual energy. The ordinary nodes then send a request (NODE-JOIN) to join the selected CH. After receiving requests from neighbors, a CH responds with a confirmation message (YOU-CAN-JOIN). At the end of this stage, each CH sends the list of its members to the BS, which checks all the network CH lists for possible redundancies; a node that tries to join more than one CH is considered malicious and is revoked by the BS, which also notifies all the CHs.
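The cluster head designation stage above, as an added C example that is not the authors' firmware: it uses the standard LEACH threshold T(n) = p / (1 - p (r mod 1/p)), which the paper names through LEACH but does not print, shows that every node serves as CH exactly once per epoch of 1/p rounds, and picks a CH by highest RSSI. The function names, the generator and the sample RSSI values are constructed for illustration.

```c
#include <stdio.h>

struct ch_adv { unsigned ch_id; int rssi_dbm; };   /* one CH invitation heard */

/* Standard LEACH threshold T(n): p = desired CH fraction, was_ch = node
 * already served as CH in the current epoch of 1/p rounds. */
double leach_threshold(double p, unsigned round, int was_ch)
{
    unsigned epoch = (unsigned)(1.0 / p + 0.5);
    double t;
    if (was_ch) return 0.0;                        /* wait for the next epoch */
    t = p / (1.0 - p * (double)(round % epoch));
    return t > 1.0 ? 1.0 : t;
}

/* Constructed deterministic generator so the run is reproducible. */
static unsigned long lcg_state = 12345UL;
static double draw01(void)
{
    lcg_state = (lcg_state * 1103515245UL + 12345UL) & 0x7fffffffUL;
    return (double)lcg_state / 2147483648.0;       /* uniform in [0,1) */
}

/* One epoch over n nodes: a node becomes CH when its draw is below T(n).
 * Returns how many nodes served as CH exactly once. */
size_t run_epoch(double p, size_t n, unsigned *served)
{
    unsigned epoch = (unsigned)(1.0 / p + 0.5);
    size_t once = 0;
    for (size_t i = 0; i < n; i++) served[i] = 0;
    for (unsigned r = 0; r < epoch; r++)
        for (size_t i = 0; i < n; i++)
            if (draw01() < leach_threshold(p, r, served[i] > 0))
                served[i]++;
    for (size_t i = 0; i < n; i++) once += (served[i] == 1);
    return once;
}

/* Ordinary node after its random wait: join the CH heard with the highest
 * RSSI; -1 means no invitation arrived and the node becomes a CH itself. */
long choose_ch(const struct ch_adv *adv, size_t n)
{
    long best = -1;
    int best_rssi = 0;
    for (size_t i = 0; i < n; i++)
        if (best < 0 || adv[i].rssi_dbm > best_rssi) {
            best = (long)adv[i].ch_id;
            best_rssi = adv[i].rssi_dbm;
        }
    return best;
}

int main(void)
{
    unsigned served[20];
    struct ch_adv heard[] = { {7, -80}, {3, -62}, {9, -71} };  /* constructed */
    printf("served once: %zu of 20\n", run_epoch(0.2, 20, served));
    printf("joins CH %ld\n", choose_ch(heard, 3));
    return 0;
}
```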

b. Group key generation

After forming the clusters, each cluster head "CHj" calculates its group key GKj, encrypts it using the session key of each member node i, then transmits it to node i. It repeats this process for each member of the cluster. Once node i receives the message from the CH, it decrypts it to recover GKj.

3.4 Key updating

To protect against cryptanalysis, frequent updating of the encryption keys is crucial. Thus, we used a periodic update of the encryption keys, namely the session keys and the group keys. To update the session key, both nodes use the pairwise master key to generate a new session key. Only the cluster head can trigger the group key update process, so any node that attempts to update the group key is considered malicious and is revoked. To update this key, the CH calculates the new key GKj', encrypts it using the old group key, then broadcasts the encrypted key in the cluster. After receiving the encrypted key, each node decrypts it to get the new group key.

3.5 Node movement

Because this work considers a dynamic network, all the nodes, regardless of their nature, can move physically within the network area. A moving node can leave a cluster and join another. When an ordinary node intends to move between clusters, it informs the cluster heads so that they correctly manage their group keys and inform the BS of the new state. If a cluster head decides to move, it informs the cluster members and becomes an ordinary node. Then, the members designate one of them to be a cluster head in case they cannot join any nearby cluster.

3.6 Node revocation

A node is considered compromised or malicious if:

• It tries to modify the group key while it is still an ordinary node;
• It disappears for long enough for an attacker to change its behavior, and reappears in the network later;
• It tries to join more than one cluster at the same time.

A compromised node can be an ordinary node as well as a cluster head. The revocation of the two is slightly different:

• If the compromised node (denoted C) is an ordinary node, the BS updates its revocation list and informs the network CHs of node C's status, so that they inform their members to delete any keys shared with it. Finally, the CH of the revoked node's cluster updates the group key with the remaining members.
• If the compromised node is a CH (denoted CHj), the BS updates its revocation list and informs all the members of cluster j of their leader's status, as well as the rest of the CHs in the network, so that they delete their shared keys. As for the member nodes of the compromised CH, they delete all the keys established with it, then each of them tries to join a new cluster. If a node fails to find a neighbor CH, it decides to become a CH itself and informs its neighborhood.
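The BS-side bookkeeping behind the three revocation conditions of Section 3.6, including the member-list redundancy check from the end of cluster head designation, as an added C example that is not the authors' code. It assumes the relevant events are reported to the BS; the function names, the table size and the MAX_ABSENCE threshold are hypothetical (the paper gives no value), and the member lists are constructed.

```c
#include <stdio.h>
#define MAX_NODES   16
#define MAX_ABSENCE 300u   /* seconds; hypothetical, the page gives no value */

enum reason { R_NONE = 0, R_MULTI_JOIN, R_KEY_UPDATE_BY_MEMBER, R_LONG_ABSENCE };
struct bs_node { int is_ch, cluster; unsigned last_seen; enum reason revoked; };
struct ch_report { int ch_id, n; int members[MAX_NODES]; };
static struct bs_node nodes[MAX_NODES];   /* BS view, indexed by node id */
static int valid(int id) { return id >= 0 && id < MAX_NODES; }

/* End of cluster forming: every CH reports its member list. A node listed
 * under more than one CH is revoked. Returns the number of new revocations. */
int bs_check_reports(const struct ch_report *rep, int n_rep)
{
    int newly = 0;
    for (int i = 0; i < MAX_NODES; i++) { nodes[i].is_ch = 0; nodes[i].cluster = -1; }
    for (int r = 0; r < n_rep; r++)
        if (valid(rep[r].ch_id)) {
            nodes[rep[r].ch_id].is_ch = 1;
            nodes[rep[r].ch_id].cluster = rep[r].ch_id;
        }
    for (int r = 0; r < n_rep; r++)
        for (int m = 0; m < rep[r].n && m < MAX_NODES; m++) {
            int id = rep[r].members[m];
            if (!valid(id)) continue;
            if (nodes[id].cluster == -1) nodes[id].cluster = rep[r].ch_id;
            else if (nodes[id].cluster != rep[r].ch_id && nodes[id].revoked == R_NONE) {
                nodes[id].revoked = R_MULTI_JOIN;      /* a second CH claims it */
                newly++;
            }
        }
    return newly;
}

/* Only a CH may start a group key update (Section 3.4). */
enum reason bs_on_group_key_update(int sender)
{
    if (valid(sender) && !nodes[sender].is_ch && nodes[sender].revoked == R_NONE)
        nodes[sender].revoked = R_KEY_UPDATE_BY_MEMBER;
    return valid(sender) ? nodes[sender].revoked : R_NONE;
}

/* A node silent for longer than MAX_ABSENCE that then reappears is revoked. */
enum reason bs_on_heard(int id, unsigned now)
{
    if (!valid(id)) return R_NONE;
    struct bs_node *nd = &nodes[id];
    if (nd->revoked == R_NONE && nd->last_seen && now - nd->last_seen > MAX_ABSENCE)
        nd->revoked = R_LONG_ABSENCE;
    if (nd->revoked == R_NONE) nd->last_seen = now;
    return nd->revoked;
}

int main(void)
{
    struct ch_report rep[2] = { {1, 3, {2, 3, 4}}, {5, 3, {6, 4, 7}} };  /* constructed */
    printf("revoked after cluster forming: %d\n", bs_check_reports(rep, 2));
    return 0;
}
```

The revocation flag is deliberately not reset between rounds, so a node revoked once stays revoked when the clusters are re-formed.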

4 Performance analysis

In the simulation phase, EXP5438 sensors are used as network nodes. The sensor uses a 16-bit CPU (MSP430F5438A) with a clock rate varying from 8 MHz to 25 MHz, and memory of 16 kb. The BS is simulated using Cooja-Mote, which is a powerful virtual sensor with a 32-bit CPU. After an empirical study of the parameters of the elliptic curve, we chose the curve "SECP192R1", which is the most consuming curve in terms of storage capacity and computation time, since it is the curve that ensures the highest level of security compared to SECP160R1 and SECP128R2. SECP192R1 requires 1.5 times more time than SECP160R1 [5], and SECP128R2 requires almost 4% less time than SECP160R1. Simulation parameters are given in Table 1.

Table 1. Simulation parameters

Parameter                 Value
Sensor                    EXP5438 (clock rate 8 MHz)
CPU                       MSP430F5438A
Simulation area           (100 x 100) m2
Number of nodes           up to 100
Communication range       25 m
Routing protocol          RPL
Number of maximum hops    50
Cryptography              ECC (SECP192R1), AES-128, SHA2-256

a. Necessary time for key generation

To calculate the time necessary to generate each of the keys, two nodes are used to exchange the messages needed to calculate those keys. As illustrated in Table 2, encapsulation and decapsulation are the most consuming processes; this is caused by the high number of point multiplications needed: four (04) multiplications in the encapsulation and six (06) in the decapsulation. Note that the master key PMK is established (using encapsulation and decapsulation) only once in the network lifetime and is then used to derive the session key. Once two nodes establish the pairwise keys, they do not require further ECC operations. Partial keys use about a quarter (0.29) of the time needed for the encapsulation. The time required for the session and cluster keys is negligible, because no ECC multiplications are used.

Table 2. Keys generation time

Key              Time (ms)
Partial Key      4664
Encapsulation    15667.5
Decapsulation    17550
Session Key      23
Cluster Key      62

b. Network density

A network is called dense if each node has at least eight (08) neighbors. According to Fig. 2, the network becomes denser by containing sixty (60) nodes, going from just one neighbor to fourteen (14).

[Figure: number of neighbors versus number of nodes.]

Fig. 2. Network density.

c. Necessary time for the whole protocol execution

The objective here is to examine the impact of the network's density on the time required by each phase of the protocol, namely system setup, key generation, and clustering. As shown in Fig. 3, the clustering phase added just a few seconds (about 8 seconds) to the global protocol time. Most of the time elapsed in this phase is a random waiting time of up to 5 seconds to avoid collisions. Moreover, the clustering is not affected by the network density because of the distributed execution of the algorithm, where all clusters can be built in parallel. We conclude that even a highly dense network (more than 14 neighbors) running the modified protocol can be ready and secure in less than 50 seconds.

[Figure: execution time (s) versus number of nodes, for phase 1, phase 2 and phase 3.]

Fig. 3. Execution time for the 3 phases.

d. Energy consumption

As shown in Fig. 4, the energy consumption in LPM (Low Power Mode) is insignificant compared to the other modes. In general, CPU energy consumption is negligible compared to the transmission energy consumption. However, in this case, a high energy consumption of the CPU is caused by the computing complexity of the ECC operations. Nevertheless, this large amount of CPU energy is consumed by each node only once after deployment, during the entire network lifetime.

[Figure: energy consumption (mW) versus number of nodes, for transmission, CPU and LPM.]

Fig. 4. Energy consumption.

5 Conclusion and future works

This work examined the certificate-less key management scheme based on elliptic curve cryptography, which is characterized by a reduced key size that makes it suitable for the context of miniaturized networks. The proposed scheme focused on managing keys in a dynamic hierarchical network to ensure security and minimize power consumption. The implemented proposals have been tested and their performance has been evaluated. The obtained results showed the effectiveness of the proposed improvements in terms of computing capacity and low energy consumption while keeping a high level of security. Nevertheless, a large-scale simulation is required. Besides, as the clustering algorithm used is based on random calculations, it can affect the performance; hence testing different clustering algorithms is desirable to get the best compromise between security and clustering.

References

1. Moskowitz, R.: HIP diet exchange (DEX). Internet draft, IETF, (2011).
2. Gura, N., Patel, A., Wander, A., Eberle, H., Chang Shantz, S.: Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs (2004).
3. Chatterjee, K., De, A., Gupta, D.: An improved ID-based key management scheme in wireless sensor network. In Proc. 3rd Int. Conf. ICSI, vol. 7332, pp. 351–359, (2012).
4. Alagheband, M.R., Aref, M.R.: Dynamic and secure key management model for hierarchical heterogeneous sensor networks. IET Inf. Secur., vol. 6, no. 4, pp. 271–280, (December 2012).
5. Seo, S.H., Won, J., Sultana, S., Bertino, E.: Effective Key Management in Dynamic Wireless Sensor Networks. 3rd IEEE Transactions on Information Forensics and Security, vol. 10, no. 2, (February 2015).
6. Du, X., Xiao, Y., Guizani, M., Chen, H.-H.: An effective key management scheme for heterogeneous sensor networks. Ad Hoc Networks, vol. 5, no. 1, pp. 24–34, (2007).
7. Zhu, S., Setia, S., Jajodia, S.: LEAP: efficient security mechanisms for large-scale distributed sensor networks. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), Washington, DC, USA, pp. 62–72, (October 2003).
8. Hankerson, D., Vanstone, S., Menezes, A.J.: Guide to elliptic curve cryptography. Springer, 2004.
9. Arora, V.K., Sharma, V., Sachdeva, M.: A survey on LEACH and others routing protocols in wireless sensor network. Optik - International Journal for Light and Electron Optics, Volume 127, Issue 16, pp. 6590-6600, (August 2016).
