Evaluation of Advanced Two Tier User ... - Semantic Scholar

The 9th Annual IEEE Consumer Communications and Networking Conference - Security and Content Protection

Evaluation of Advanced Two Tier User Authentication Scheme Ismail Butun, Yufeng Wang and Ravi Sankar Department of Electrical Engineering, University of South Florida, Tampa, FL, USA e–mails:{ibutun,ywang2}@mail.usf.edu, [email protected] Abstract—In this paper, we evaluate the performance of our Advanced Two Tier User Authentication (ATTUA) scheme [5] which is proposed for heterogeneous Wireless Sensor Networks. ATTUA scheme employs both Public Key Cryptography (PKC) and Secret Key Cryptography (SKC) approaches, such that it takes advantage of both schemes. Our analysis and simulation results have shown that, ATTUA scheme is not only more secure and yet scalable than existing SKC based schemes, but also requires less processing power and provides higher energy efficiency than existing PKC based schemes. Index Terms—wireless sensor networks, security, user authentication, public key cryptography, elliptic curve cryptography, secret key cryptography, heterogeneous network architecture

I. I NTRODUCTION Wireless Sensor Networks (WSNs) continue to grow as one of the most exciting and challenging research areas of engineering. There are many applications of WSNs, which are intended to monitor physical and environmental phenomena information, such as ocean and wildlife, earthquake, pollution, wild fire, water quality; to gather information regarding human activities, such as health care, manufacturing machinery performance, building safety, military surveillance and reconnaissance, highway traffic, and etc. User Authentication (UA) is critical for the networks that are transferring valuable information to the legitimate users, such as the coordinates of a hostile vehicle for a military surveillance application, medical statistics of a patient for a health care application, soil humidity for precision agriculture application, and etc. WSNs are characterized by severely constrained computational and energy resources, and an ad hoc operational environment. They pose unique characteristics, such as limited power supplies, low transmission bandwidth, small memory sizes and limited energy; therefore security techniques used in traditional networks cannot be adopted directly. UA in such a resource constrained WSN with minimum overhead provides significant challenges and is an ongoing area of research. Precision agriculture is a good example of UA application for WSNs: Let’s say a WSN provider offers data services to subscribed farmers regarding information on their farms. Farmers may need to know the accurate readings on the humidity of the soil in order to engage the sprinklers on time before the crops get withered. WSN provider would make profit, if only the legitimate users get response to their queries from the WSN. UA is very important for WSNs. In order to save the diminishing power resources, network should not be accessible by the unauthorized users. Any extra data transmission in the network generated by the malicious users (eg. flood messages) may cause battery power of a sensor node to be depleted faster. In a WSN, since an adversary can easily inject messages, any node receiving a message needs to make sure that the data used in any decision-making process originates from the correct source. UA prevents unauthorized parties from participating in the network: legitimate nodes should be able to detect messages from unauthorized nodes and reject them.

U.S. Government work not protected by U.S. copyright

Recently, several schemes have been introduced as a UA scheme for WSNs [1]-[4]. These schemes use either Public Key Cryptography (PKC) approach or Symmetric Key Cryptography (SKC) approach. Both approaches have advantages and disadvantages. PKC is preferable in terms of scalability and key management, but it is unsuitable for the sensor nodes due to higher processing power requirement and lower energy efficiency. In contrast, SKC is preferable in terms of lower processing power requirement and higher energy efficiency, but it is not scalable because of memory restrictions and it requires a complicated key pre-distribution and key re-distribution. Most of those schemes mentioned above are using homogenous WSNs [1][3], in which the network consists of one type of sensor node only. Nowadays, because of having better performance, heterogeneous WSNs are on demand. This kind of network consists of two types of nodes: Cluster Heads (CHs) and sensor nodes(s). A UA scheme for heterogeneous WSNs is proposed in [4]. Owing to the high processing powered CHs, their scheme offers better performance compared to [1]-[3]. On the other hand, it is based on SKC just like in [1] and [2]. It is not scalable for thousands of sensor nodes and occupies a significant memory to store authentication codes. Thus, addition of new nodes and users is troublesome in terms of key distribution. In [5], we propose a secure and scalable UA scheme named as Advanced Two Tier User Authentication (ATTUA) to overcome mentioned shortcomings of the existing schemes. It uses PKC on the backbone architecture of the network, namely between CHs and users, and SKC between CHs and sensor nodes. This paper evaluates our ATTUA scheme for heterogeneous WSNs presented in [5] and compares its performance to the other schemes in the literature (namely TTUA scheme [4], Benenson et al.’s scheme [3], and finally TJY scheme [2]). Evaluations are provided in two ways: 1) Analysis on communication and computational costs are presented, 2) Simulation on energy consumption and total delays are provided. The rest of the paper is organized as follows: Section II presents our proposed ATTUA scheme. Section III provides the security analysis of ATTUA scheme. Performance evaluation of ATTUA scheme is provided in Section IV. Finally, Section V concludes the paper and outlines future work.

II. A DVANCED T WO T IER U SER AUTHENTICATION S CHEME In [5], as the name implies, we further improved TTUA scheme presented in [4] and named it Advanced-TTUA (ATTUA) scheme. Our proposed scheme not only keeps all the advantages of the TTUA scheme but also enhances its security by issuing PKC. Therefore, ATTUA adopts (inherits) all the advantages of the PKC over SKC. In [6], it is shown for WSNs that Elliptic Curve Cryptography (ECC) algorithm to have a significant advantage over Rivest-ShamirAdleman (RSA) algorithm, as it reduces computation time and also the amount of data transmitted and stored. Hence ECC is the best known algorithm in PKC; we adopt it to our ATTUA scheme. By doing so, not only the scalability of the network is improved, but also security of the scheme is enhanced. In ATTUA scheme, ECC

159

Fig. 1.

User authentication scenario in the ATTUA scheme

is used for digital signature generation and verification between the users and the CHs. In our ATTUA scheme [5], we adopted the idea of two tier heterogeneous network architecture of TTUA scheme in which a user communicates with a sensor node through CH of that sensor node. In ATTUA scheme , WSN consists of basically two elements: 1) CHs having high processing capability and long lasting power supplies, such as PDA’s. 2) Sensor nodes having low processing capability and limited power supplies, such as MICA2 motes [7]. CHs are assumed as trusted gateways to the sensor nodes. ATTUA scheme takes advantage of high processing power CHs in order to decrease the processing load on the sensor nodes. Hence they have better power supplies compared to sensor nodes, they are more convenient to run power hungry PKC algorithms. In the resulting scheme, when CHs and users are communicating for authentication purpose, PKC algorithm, namely ECC, is used. When CHs and sensor nodes are communicating for the same purpose (authentication), low power demanding SKC algorithm is used. Once user is authenticated to a CH then allowed to access the sensor nodes through that CH. ATTUA allows a user to register once and authenticate to the network many times. User can also change the password anytime at will. Base station (BS) is the point of central control, which serves as a trusted key management facility. BS is many orders of magnitude powerful than sensor nodes. Typically, base stations have enough battery power to surpass the lifetime of all sensor nodes, sufficient memory to store cryptographic keys, stronger processors, and means for communicating with outside networks. After the deployment, sensor nodes form groups, called cluster, see Fig. 1. For each cluster, a powerful node (eg. PDA) is assigned as a CH. CHs have higher communication power than sensor nodes; therefore possess far more radio transmission coverage. CHs can communicate each other and also with BS. Users are equipped with portable computing devices, such as laptops, with no power constraints compared to sensor nodes. Users interact with the WSN for data query and retrieval. After processing sensed information; sensor node either sends the data upon event detection or stores it to serve for the earliest query. ATTUA includes three phases: Registration, Authentication, and Password Change. The operational functionality of all these phases are summarized and illustrated in Fig. 2. For further details of the phases, please refer to [5].

III. S ECURITY ANALYSIS In the two-party communication case, data authentication can be achieved through a purely symmetric mechanism: The sender and the receiver share a secret key to compute a Message Authentication Code (MAC) of all communicated data. When a message with a correct MAC arrives, the receiver knows that it must have been sent by the sender. In our ATTUA scheme, MAC is used for all

Fig. 2.

The sequence diagram of the ATTUA scheme

transmissions which involve sensor nodes and PKC (especially the ECC) is used in the backbone architecture of the network, namely between user side, BS and CH. Accordingly, not only the security aspect of the network is increased, but also most of the advantages of PKC and SKC are possessed. In [5] we have provided detailed security analysis of our ATTUA scheme and showed that it is resilient to many attacks and more secure than TTUA scheme.

IV. P ERFORMANCE E VALUATION A. Analysis In this section we analytically evaluate the performance of our proposed ATTUA scheme and compare it to TTUA scheme for

160

TABLE I C OMPARISON OF MEMORY STORAGE REQUIRED ON CH S ( FOR 10,000 USERS ) IN TTUA AND ATTUA SCHEMES ATTUA 40 bytes

TTUA 280,000 bytes

TABLE II C OMPARISON OF TOTAL NUMBER OF USERS TO BE SUPPORTED IN TTUA AND ATTUA SCHEMES ATTUA > 10,000

TTUA < 100 Fig. 3.

Comparison of energy costs on TTUA and ATTUA schemes

the following criterions: storage requirement (memory), scalability, computational cost and communication overhead.

1) Storage: As discussed in [5], for a network size of 10,000 users, the memory storage requirement for each CH of both TTUA and ATTUA schemes are as shown in Table I. Its apparent that memory storage requirement for ATTUA scheme is almost negligible compared to TTUA scheme. 2) Scalability: If the memory size of each CH for storing the keys is allocated as 2 KB, then the number of users that would be supported in both TTUA and ATTUA schemes are as shown in Table II. Its apparent that ATTUA scheme is very flexible and scalable compared to TTUA scheme in terms total number of users to be supported. For detailed discussion refer to [5]. 3) Computation: To compare the computational cost of our

ATTUA scheme to TTUA scheme we just need to compare the processing times on the CH’s. This is because of the fact that for both scheme operations involving the sensor nodes are the same. We are also not interested in the operations running on the user devices. We define EM AC , ESHA1 , ERC5 , and EV ER as computation cost of performing hash based message authentication code (HMAC), hash function (SHA-1), symmetric encryption (RC5), and digital signature verification with ECDSA, respectively. According to practical implementations on PDA’s (ie. IPAQ H3670), the energy spent for each security primitive are summarized in Table III [8]. For registration phase of the TTUA scheme, RC5 decrypts 28 bytes of data (8 bytes of user ID and 20 bytes hash value) and hash operation executes on 28 bytes of data. So, total energy spent through out this phase is calculated as follows: EReg T T U A = 28 bytes × 0.79 µJ/byte + 28 bytes × 0.76 µJ/byte = 43.4 µJ For registration phase of the ATTUA scheme no operation is required on CHs, therefore: EReg AT T U A = 0 J. For authentication phase of the TTUA scheme 20 byte of data is hashed and 18 bytes (8 bytes of user ID, 8 bytes of CH ID, 2 bytes TABLE III E NERGY SPENT ON IPAQ FOR EACH SECURITY PRIMITIVE [8] Operation ESHA1 EM AC ERC5 EV ER

Energy 0.76 µJ/byte 1.16 µJ/byte 0.79 µJ/byte 192,000.0 µJ

Fig. 4.

Comparison of computational costs on TTUA and ATTUA schemes

of time stamp) of data is processed with MAC. So total energy spent through out this phase is calculated as follows: EAut T T U A = 20 bytes × 0.76 µJ/byte + 18 bytes × 1.16 µJ/byte = 36.08 µJ. For authentication phase of the ATTUA scheme 1 ECDSA verification, 30 bytes (20 bytes of certificate, 2 bytes of time stamp, and 8 bytes of user ID) of hash operation and 18 bytes (8 bytes of user ID, 8 bytes of CH ID and 2 bytes of time stamp) of MAC operation are required which is calculated as follows: EAut AT T U A = 192 mJ + 20 bytes × 0.76 µJ/byte + 18 bytes × 1.16 µJ/byte = 192,036.0 µJ. Estimated computation costs (in terms of energy) of both ATTUA and TTUA schemes on IPAQ platform are shown in Fig. 3 In [16], ECC (for a variety of elliptic curves) execution times on signature generation and verification are provided for IPAQ H3950. For example on 160 bit elliptic curve, execution time is measured as 1.65 ms for signature verification and 0.79 ms for signature generation. Accordingly, estimated time consumption of both ATTUA and TTUA schemes on IPAQ platform are shown in Fig. 4. Benenson et al.’s scheme [3], which is a PKC approach to UA in WSNs, consumes 375 seconds of time and spends 2,448 mJ of energy (680 mC x 3.6 V) on the sensor node (Telos rev. B mote, [9]) for one UA session. Whilst, in our ATTUA scheme, one UA session (including registration) consumes 1.65 ms of time on the CH (refer to Table III) and 7.1 ms (refer to [4]) of time on the sensor node; and spends 192 mJ of energy on the CH (ET otal AT T U A = EReg AT T U A + EAut AT T U A = 0 + 192,036.0 µJ  192 mJ) and 170.4 µJ (E = U × I × t = 3.0 V × 8 mA × 7.1 ms = 170.4 µJ, refer to data sheet of MICA2 motes [7]) of energy on the sensor node. Total time and energy comparisons of both schemes are given in Fig. 5 and Fig. 6 respectively. The authentication phase takes almost 1.65 milliseconds for ATTUA scheme and 0.31 microseconds for TTUA scheme. Which

161

TABLE IV C OMPARISON OF COMMUNICATION COST [5] Phase Registration Authentication Total

ATTUA 0 2CU −A + 2CA−s 2CU −A + 2CA−s

TTUA Cbr 2CU −A + 2CA−s Cbr + 2CU −A + 2CA−s

Fig. 5. Comparison of computational times on the authentication of the user for ATTUA and Benenson et al.’s schemes

Fig. 7. Comparison of energy consumptions on sensor nodes for three different schemes

Fig. 6. Comparison of energy consumptions on the authentication of the user for ATTUA and Benenson et al.’s schemes

means that ATTUA scheme is much slower than TTUA scheme for the authentication phase. This is the trade off for changing cryptography approach from SKC to PKC. But keeping in mind Benenson et al.’s scheme [3], which was requiring minutes (375 seconds) for the authentication phase (actually it was given as 440 seconds including user side calculations, but in order to make comparison more accurately we accounted for time spent on sensor node only), our scheme is 42,857 times faster owing to the high processing powered CHs, see Fig. 5.

4) Communication: According to [4], the communication costs involving the phases shown in Fig. 2 are summarized in Table IV. This table provides the communications between; 1) the users and CHs, 2) CHs and sensor nodes (s). The notation for Table IV is given as follows: • Cbr : Communication cost for broadcasting user ID and password to all CHs • CU −A : Communication cost between the user and the cluster head A • CA−s : Communication cost between cluster head A and sensor node s According to the comparison of Table IV, we can conclude that both ATTUA and TTUA schemes have same communication cost for the authentication phase. However, for the registration phase TTUA scheme requires a costly network-wide broadcast message, where as ATTUA scheme requires none. B. Simulation We used SENSE (Sensor Network Simulator and Emulator) [10] to simulate and compare energy consumption and delay between ATTUA [5], TTUA [4], and TJY [2]. The simulation result shows the average energy consumption and delay time of different network topologies. Because cluster heads are much more powerful than sensors, we only considered energy consumption of the sensor nodes.

For each network topology, user’s location and the login-node are randomly changed within the sensor field.

1) Simulation Model: The network deployment is similar to [12] with a BS and 300 sensors randomly distributed in a 300 m x 300 m area. There are additional 20 CHs in the sensor field [12]. The transmission range of a sensor s and a CH is 60 m and 150 m, respectively. Sensors and CHs are formed in clusters. Each cluster has one CH. Sensors in the same cluster are connected with its CH via one or more hops. We use the same energy model used in ns-2.1b8a [11] that requires 0.66 W, 0.359 W, and 0.035 W for transmitting, receiving, and idling, respectively. We set the power consumption rate according to [12][13] for SHA-1 and CBCMAC calculation 0.48 W. As analyzed in [14][15], we set the time consumption for computing a CBC-MAC and a SHA-1 as 7.1 ms and 3.5 ms, respectively. The simulation uses MAC802.11 Distributed Coordination Function (DCF). Two-ray ground is used as the radio propagation model. For routing in ATTUA, TTUA and TJY schemes, we applied Ad hoc On-Demand Distance Vector (AODV) protocol. User ID length is 8 bytes, SHA-1 value is 20 bytes. As discussed in [14], the choice of 4-bytes MAC is not security detrimental in the context of sensor networks. So we applied 4-byte CBC-MAC for every message and ran the simulation with five different network topologies. For each topology, five scenarios are applied, in which user’s location and the login-node is randomly selected. For TJY scheme, we set the gate-way node in the center of the sensor field. We then averaged the results from those scenarios. 2) Results: Our simulation results are shown in Fig. 7 (this graphic compares total energy consumption on the sensor nodes for the authentication and registration phases) and Fig. 8 (this graphic compares overall computational times for the authentication and registration phases). For one registration, the user is authenticated 1, 5, 10, and 20 times and in the graphs it is shown on the x-axis respectively. Fig. 7 shows that the energy consumption (the energy consumption on sensor nodes for computation processes and for communication packets) of ATTUA and TTUA is almost same and they are about

162

R EFERENCES

Fig. 8. Comparison of computational times on the authentication phase for three different schemes

half of TJY scheme. This is because computation cost of ATTUA and TTUA are less than TJY scheme and they do not require any extra communication with the gate-way node during authentication process. However, ATTUA and TTUA consume the same amount of energy because in both schemes the communication cost between the user and targeted sensor, and the computational cost of the sensors are the same. Fig. 8 shows that total delay time of ATTUA is slightly greater than of TTUA but far less than TJY. Although we used ECC signature verification in our scheme, this did not drop the overall performance significantly, owing to CHs with high processing speed (ECC signature verification takes about 1.65 milliseconds on CH equipped with IPAQ [16]). 0.2 second total delay of ATTUA scheme is very compatible with TTUA scheme and way much better than TJY and Benenson et al.’s schemes. Furthermore, if the processing speed of the CH is increased (i.e. more powerful mobile devices), the delay on CH would be decreased dramatically, and our scheme would perform better than TTUA scheme.

V. C ONCLUSION AND F UTURE W ORK In this paper, we evaluate the performance of our novel UA scheme for heterogeneous WSNs, named as Advanced Two Tier User Authentication scheme (ATTUA) [5]. The scheme employs both the PKC and SKC approaches, so that it takes advantage of both schemes while leaving the disadvantages aside. Our analysis and simulation results have shown that ATTUA scheme is not only more secure and yet scalable than existing SKC based schemes, but also requires lesser processing power and provides higher energy efficiency than existing PKC based schemes. In our future work, hardware implementation (with real sensor devices, namely MICA2 motes) of the proposed ATTUA scheme will be carried out and resulting outcomes will be published.

[1] K.H.M. Wong, Y. Zheng, J. Cao, and S. Wang. “A dynamic user authentication scheme for wireless sensor networks.” IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, 2006. [2] H.R. Tseng, R.H. Jan, and W. Yang. “An Improved Dynamic User Authentication Scheme for Wireless Sensor Networks.” IEEE Global Communications Conference, (GLOBECOM 2007), USA, November 2007, pp. 986-990. [3] Z. Benenson, N. Gedicke, and O. Raivio, “Realizing robust user authentication in sensor networks.” in Worshop on Real-World Wireless Sensor Networks, 2005. [4] X.H. Le, S. Lee, and Y.K. Lee. “Two-Tier User Authentication Scheme for Heterogeneous Sensor Networks.” the 5th IEEE International Conference on Distributed Computing in Sensor Systems, (DCOSS ’09), Marina Del Rey, California, USA, June 8-10, 2009. [5] I. Butun and R. Sankar, “Advanced Two Tier User Authentication Scheme for Heterogeneous Wireless Sensor Networks.” in Proc. of the Communications and Networking Conference (CCNC), Las Vegas, Nevada, January 2011. [6] A.S. Wander, N. Gura, H. Eberle, V. Gupta, and S.C. Shantz. “Energy analysis of public-key cryptography for wireless sensor networks.” in Proc. of the Third IEEE International Conference on Pervasive Computing and Communications, 2005, pp. 324-328. [7] Crossbow MICA2 Mote - Data Sheet, available at: http://www.xbow.com/products/Product pdf files/Wireless pdf/ MICA2 Datasheet.pdf [8] N.R. Potlapally, S. Ravi, A. Raghunathan, and N.K. Jha, “Analyzing the energy consumption of security protocols.” in Proceedings of the 2003 international symposium on Low power electronics and design, ACM New York, NY, USA, 2003, pp. 30-35. [9] Telos Revision B Mote - Data Sheet, available at: http://www.ece.osu.edu/∼bibyk/ee582/telosMote.pdf [10] SENSE - Sensor Network Simulator and Emulator, available at: http://www.ita.cs.rpi.edu/sense/index.html [11] NS-2 - Network Simulator and Emulator, available at: http://www.isi.edu/nsnam/ns [12] X. Du, G. Mohsen, X.O. Yang, C. Hsiao-Hwa. “Two Tier Secure Routing Protocol for Heterogeneous Sensor Networks.” IEEE Transactions on Wireless Communications, Vol.6 (9), September 2007, pp. 3395-3401. [13] Q. Xue and A. Ganz, “Runtime security composition for sensor networks” in Proc. IEEE Veh. Technol. Conf., Oct. 2003, pp. 105-111 [14] C. Karlof, S. Naveen, and W. David, “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks.” Proceedings of the Second ACM Conference on Embedded Networked Sensor Systems (SenSys’04), pp. 162-175. [15] H. Lee, Y. Choi, H. Kim, “Implementation of TinyHash based on Hash Algorithm for Sensor Network.” Proceedings of World Academy of Science, Engineering and Technology, vol.10, December 2005. [16] F. Rodr´ıguez-Henr´ıquez, C.E. L´opez-Peza, M.A. Le´on-Ch´avez, P. Puebla, “Comparative performance analysis of public-key cryptographic operations in the WTLS handshake protocol”, in 1st International Conference on Electrical and Electronics Engineering, pages 124-129, 2004.

VI. ACKNOWLEDGEMENT We would like to give special thanks to our colleagues Dr. Xuan Hung Le and Dr. Murad Khalid for their reviews and valuable comments regarding preparation of this paper.

163