Hindawi Publishing Corporation International Journal of Distributed Sensor Networks Volume 2015, Article ID 397130, 10 pages http://dx.doi.org/10.1155/2015/397130
Research Article
A Mutual Broadcast Authentication Protocol for Wireless Sensor Networks Based on Fourier Series

Xiaogang Wang and Weiren Shi
College of Automation, Chongqing University, Chongqing 40044, China
Correspondence should be addressed to Xiaogang Wang; wxg [email protected]
Received 15 July 2015; Accepted 11 October 2015
Academic Editor: Antonino Staiano
Copyright © 2015 X. Wang and W. Shi. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

This thesis presents a mutual broadcast authentication protocol (MBAP) for wireless sensor networks based on Fourier series, addressing the issues of the main broadcast authentication protocol μTESLA: authentication delay, many initial parameters, limited time, a large key chain, and network congestion. Firstly, the forward authentication work for common sensor nodes to base station, including entity authentication and source attestation, is achieved based on the property that a continuous-integrability function $f(x)$ on $[-\pi, \pi]$ can be expanded into a Fourier series. Secondly, $f(x)$ is assumed to be a quadratic form function, and the reverse authentication work for base station to common sensor nodes is achieved by detecting the security of $f(x)$. The analysis results of safety performance in MBAP show that captured nodes in the WSN do not affect the security of the broadcast authentication protocol, that the computation and communication costs are low, that the base station can broadcast randomly, and that common sensor nodes can authenticate messages instantly, which solves the problem of network congestion well. The most important feature of MBAP is the mutual broadcast authentication method, which greatly improves the security of the network.
1. Introduction

In wireless sensor networks (WSN), in order to save network bandwidth and communication time, the base station and the cluster heads generally send messages to the common sensor nodes by broadcasting. Broadcast communication plays a very important role in WSN, and its security has a direct impact on the security of the entire network [1–5]. Therefore, the receiving nodes must be able to authenticate the source, the accuracy, and the integrity of the broadcast packets they get; this is known as broadcast authentication. Broadcast authentication includes two parts: entity authentication and source attestation. Entity authentication is the process of confirming the identity of the sending nodes based on some authentication protocol, which ensures the security of network access. Source attestation mainly ensures the integrity of the messages and prevents unauthorized nodes from sending, forging, and tampering with messages. Both parts can be achieved by the generation and verification of a message authentication code (MAC). If broadcast authentication uses the symmetric encryption mechanism, each captured node can modify or forge the messages and threaten the security of the whole network. So, it is necessary to use an asymmetric encryption technique for broadcast authentication.

Many efficient broadcast protocols have been proposed, such as broadcast transmission capacity (BTC) of heterogeneous wireless ad hoc networks with secrecy outage constraints [6], a QoS-based broadcast protocol (QBBP) for multihop cognitive radio ad hoc networks under blind information [7], and a reliable and total order tree-based (RTOT) broadcast in wireless sensor networks [8]. But it is hard to design broadcast authentication protocols for WSN because of the limitations of WSN. There are two kinds of WSN broadcast authentication protocols. One is signature authentication [9–11], which is hard to apply because it uses public key cryptography and has a large cost. The other is the message authentication code (MAC) [12–15], such as μTESLA, which was proposed as the broadcast authentication protocol by Perrig based on the security protocols for sensor networks in [15]; it realizes the asymmetry of broadcast authentication by using the symmetric encryption mechanism and includes three key parts: key establishment, disclosing the authentication key, and authenticating broadcast data. In addition, multilevel μTESLA, a broadcast authentication system for distributed sensor networks, is proposed in [16]; it divides authentication into multiple levels, where the high level key chain authenticates the low level key chain and the low level key chain authenticates the broadcast data packets, but it is suitable for the single base station network.

This thesis presents a mutual broadcast authentication protocol (MBAP) for wireless sensor networks based on Fourier series, addressing the problems of the main broadcast authentication protocol μTESLA: authentication delay, many initial parameters, limited time, a large key chain, and network congestion. The mutual authentication between nodes and base station is achieved according to the property that a continuous-integrability function $f(x)$ on $[-\pi, \pi]$ can be expanded into a Fourier series. Firstly, $f(x)$ is predistributed to each node upon network initialization; the node calculates the current Fourier series coefficients, establishes the authentication key $K'$, and verifies the correctness of the broadcast authentication information, achieving entity authentication and source attestation. Secondly, $f(x)$ is assumed to be a quadratic form function, and the reverse authentication work for base station to common sensor nodes is achieved by detecting the security of $f(x)$, which means that the MBAP protocol can achieve mutual security authentication.

The analysis results of safety performance in MBAP show that captured nodes in the WSN do not affect the security of the broadcast authentication protocol, that the computation and communication costs are low, that the base station can broadcast randomly, and that common sensor nodes can authenticate messages instantly, which solves the problem of network congestion well. The most important feature of MBAP is the mutual broadcast authentication method, which greatly improves the security of the network.

The paper is organized as follows. In Section 2, we analyze the related work, such as the μTESLA protocol principle and its issues. In Section 3, we discuss the specific principle of MBAP, including network model assumptions, analysis of the characteristics of Fourier series, and the MBAP authentication principle. Section 4 analyzes the security of MBAP compared with MBAP. And a summary is made in Section 5.
2. Related Work

2.1. μTESLA Protocol. In μTESLA, the asymmetric characteristic of broadcast authentication is realized by using the symmetric encryption mechanism under the condition of loose time synchronization between sending nodes and receiving nodes. The key points of the μTESLA protocol are the hash key chain and delayed key publication. As shown in Figure 1, a one-way function key chain is established by the sending node, where the length of the key chain is $n + 1$. The first key $K_n$ of the key chain is generated randomly by the sending node, and the next keys are all generated by applying the one-way "hash" function repeatedly to the last key, such that $K_j = H(K_{j+1})$.

The sending node divides the communication time into equal time slices, where the length of each time slice is $D$, and each time slice is assigned a key in order, but the order of the assigned keys is the opposite of the order of the key chain. Each message $P_j$ of time slice $j$ is encrypted by $K_j$, such as $\mathrm{MAC}_{K_j}(P_j)$. The sending node determines the key delay time $\delta$ based on the time slice length, and the key $K_j$ of time slice $j$ is published after $\delta$, such as $\delta = 2$ in Figure 1. To avoid additional communication cost, the published key is sent to the receiving nodes attached to a data packet. If there is no data packet in some time slice, the key attached to the data packet will not be published, and this key can be calculated from the next keys with the one-way "hash" function. More importantly, the initial parameters $K_0$, $\delta$, and $D$ and the starting time $T_0$ should be sent to the receiving nodes before authentication.

2.2. μTESLA Protocol Issues

2.2.1. Computation Cost. The μTESLA protocol has higher authentication efficiency when data packets are sent frequently, but the sending frequency is very low in some applications, such as fire alarms and other event-driven applications, where the transmission interval between adjacent data packets may be far greater than the time slice $D$ of μTESLA. This leaves many keys unused for data packet authentication, increases the distance between adjacent keys on the key chain, and causes a large computation cost and authentication delay. Increasing $D$ can alleviate this problem, but it also causes a lot of authentication delay, and the receiving nodes need more memory space for buffering packets.

2.2.2. Delay. In μTESLA, the time interval of sending the message $\{\mathrm{MAC}_{K_j}(P_j) \,\|\, K_{j-2} \,\|\, P_j \,\|\, j(t)\}$ will increase gradually, and the time for buffering data packets also increases because of the authentication delay, which makes the protocol more vulnerable to DoS attacks. Therefore, the authentication mechanism of μTESLA is not suitable for situations with a large sending time interval.

2.2.3. Problem of Initialization Parameters. The most important problem of μTESLA is the distribution of initialization parameters. Each sending node has an independent authentication key chain for encrypting its own data packets, and each receiving node authenticates $\{\mathrm{MAC}_{K_j}(P_j) \,\|\, K_{j-2} \,\|\, P_j \,\|\, j(t)\}$ after receiving the initialization parameters $K_0$, $\delta$, and $D$ and the starting time $T_0$. If the nodes send the initialization parameters $\{K_0, \delta, D, T_0\}$ by unicast, it will cause much resource consumption, because the sending node needs to encrypt $\{K_0, \delta, D, T_0\}$ under the different keys shared with each receiving node, which will delay data packet transmission and authentication, and the delay may lead to DoS attacks.

2.2.4. Authentication Aging Problem. There are some applications that require real-time authentication for broadcasting, such as real-time audio, video stream, and alarm
information. Obviously, μTESLA is not suitable for high ageing applications because of the authentication delay.

Figure 1: μTESLA protocol.
2.2.5. Fixed Key Chain Length. In μTESLA, the authentication key of each time slice is predistributed upon network initialization. On the one hand, if the work time is too long, the key chain is too long, which causes a large computation cost and storage cost. On the other hand, if the work time is too short, it cannot meet the requirement of frequent data exchange and long-term work.

Therefore, in order to obtain lower delay, better aging, less key storage, fast computing, and better flexibility for general broadcast authentication in WSN, this paper introduces the mathematical theory of Fourier series, which simplifies the practical issues based on the characteristics of Fourier series coefficients and yields a simple and efficient broadcast authentication.
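The key chain and delayed disclosure of Section 2.1, together with the hashing cost after an idle period described in Section 2.2.1, as an added example that is not code from the paper. SHA-256 and HMAC, the dictionary packet layout, and the `Receiver` class are assumptions made for illustration; all payloads are constructed.

```python
import hashlib
import hmac
import os

def H(key: bytes) -> bytes:
    """One-way function used to build the key chain."""
    return hashlib.sha256(key).digest()

def make_chain(n: int) -> list:
    """Return [K_0, ..., K_n]: K_n is random, K_j = H(K_{j+1})."""
    chain = [b""] * (n + 1)
    chain[n] = os.urandom(32)
    for j in range(n - 1, -1, -1):
        chain[j] = H(chain[j + 1])
    return chain

def mac(key: bytes, payload: bytes, j: int) -> bytes:
    """MAC_{K_j}(P_j), bound to the slice index j."""
    return hmac.new(key, j.to_bytes(4, "big") + payload, hashlib.sha256).digest()

def make_packet(chain, delta, j, payload):
    """{MAC_{K_j}(P_j) || K_{j-delta} || P_j || j}; nothing is disclosed before slice delta."""
    disclosed = chain[j - delta] if j >= delta else None
    return {"slice": j, "payload": payload,
            "mac": mac(chain[j], payload, j), "disclosed": disclosed}

class Receiver:
    def __init__(self, k0: bytes, delta: int):
        self.delta = delta
        self.verified_idx, self.verified_key = 0, k0   # commitment K_0
        self.buffer = {}                               # slice -> [(payload, mac)]
        self.hashes = 0                                # work counter

    def _walk_back(self, idx, key):
        """Hash K_idx back to the last verified key; return {slice: key} or None."""
        keys, k = {}, key
        for s in range(idx, self.verified_idx, -1):
            keys[s] = k
            k = H(k)
            self.hashes += 1
        return keys if hmac.compare_digest(k, self.verified_key) else None

    def receive(self, pkt, now: int) -> list:
        """Process one packet at local slice `now`; return the payloads it authenticates."""
        j = pkt["slice"]
        if j > now:
            # Claims a future slice: drop before hashing (clock tolerance not modelled).
            return []
        if now < j + self.delta:
            # Security condition: K_j cannot have been disclosed yet, so buffer.
            self.buffer.setdefault(j, []).append((pkt["payload"], pkt["mac"]))
        idx, key, released = j - self.delta, pkt["disclosed"], []
        if key is None or idx <= self.verified_idx:
            return released
        keys = self._walk_back(idx, key)
        if keys is None:
            return released                            # key does not chain to K_0
        self.verified_idx, self.verified_key = idx, key
        for s in sorted(keys):                         # includes slices whose key was never sent
            for payload, tag in self.buffer.pop(s, []):
                if hmac.compare_digest(tag, mac(keys[s], payload, s)):
                    released.append(payload)
        return released

def demo():
    delta, chain = 2, make_chain(64)
    rx = Receiver(chain[0], delta)
    out = []
    for j in (1, 2, 3):                                # frequent traffic
        out += rx.receive(make_packet(chain, delta, j, b"reading-%d" % j), now=j)
    busy_hashes = rx.hashes
    # K_1 is public after slice 3: a packet made with it arrives too late to be buffered.
    late = {"slice": 1, "payload": b"forged",
            "mac": mac(chain[1], b"forged", 1), "disclosed": None}
    out += rx.receive(late, now=3)
    # Event-driven traffic: nothing is sent between slice 3 and slice 40.
    out += rx.receive(make_packet(chain, delta, 40, b"alarm"), now=40)
    idle_hashes = rx.hashes - busy_hashes
    tampered = make_packet(chain, delta, 41, b"ok")
    tampered["payload"] = b"tampered"
    out += rx.receive(tampered, now=41)
    out += rx.receive(make_packet(chain, delta, 42, b"flush"), now=42)
    out += rx.receive(make_packet(chain, delta, 43, b"flush"), now=43)
    return out, busy_hashes, idle_hashes

if __name__ == "__main__":
    print(demo())
```

The single packet sent after the idle period costs 37 hash evaluations before anything buffered can be released, against one per packet under steady traffic.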
3. MBAP

3.1. Network Model Assumptions. In WSN, either the base station or the sensor node is the broadcaster (as shown in Figure 2). When the base station is the broadcaster, depending on the topology of the network it can either broadcast directly, sending the information to the intended recipients without intermediate nodes, or send the information layer by layer, such that the base station first sends the information to each cluster head, and each cluster head sends the information to its common sensor nodes after authentication. When the sensor nodes are the broadcasters, they can only send the information to their neighbor nodes directly, without intermediate nodes. In order to facilitate the description of MBAP, the network is assumed as follows:

(1) Assume that the network is isomorphic and static: the sensor nodes have been uniformly deployed in the target area, have the same software and hardware configuration, and do not move once they are deployed. The network includes 2 types of nodes, base station (BS) and sensor node (SN), as shown in Figure 2.

(2) Assume that the base station (BS) is equipped with abundant software and hardware resources and can cover the entire network deployment area by means of a high power radio signal; it is responsible for storing the basic information of all the nodes in the network and has the ability to detect compromised or captured nodes.

(3) The common sensor node is responsible for collecting environmental data. The data processing ability of a sensor node is limited by storage space, energy reserves, and communication distance. Since the communication radius of the common sensor node is limited, communication between nodes which are not within the communication radius should be relayed by neighbor nodes.

Figure 2: Broadcasting communication in centralized network.

The main symbols in the text are shown as follows:

BS: base station,
SN: sensor node,
$h(x)$: "hash" function,
$K$: authentication key,
$\mathrm{ID}_i$: identity symbol of node $i$,
$f(x)$: continuous-integrability function,
$D$: time slice length,
$P$: plaintext,
$L(i)$: authentication message of time slice $i$.

3.2. Analyzing Characteristics of Fourier Series

Definition 1. If the function $f(x)$ with period $T$ satisfies the following condition:

$$f(x) = A_0 + \sum_{n=1}^{\infty} A_n \sin(n\omega x + \varphi_n) = A_0 + \sum_{n=1}^{\infty} (a_n \cos n\omega x + b_n \sin n\omega x), \tag{1}$$

then formula (1) is called the Fourier series determined by $f(x)$.

3.2.1. Orthogonal Analysis of Trigonometric Function. Assume that $c$ is a real number and $\cos nx$ and $\sin nx$ are periodic functions on $[c, c + 2\pi]$, where the period is $2\pi$, and then

$$\begin{aligned}
\int_{c}^{c+2\pi} \cos nx \, dx &= \int_{0}^{2\pi} \cos nx \, dx = 0, \\
\int_{c}^{c+2\pi} \sin nx \, dx &= \int_{0}^{2\pi} \sin nx \, dx = 0, \qquad (n = 1, 2, \ldots).
\end{aligned} \tag{2}$$

And it is easy to prove with the product-to-sum formulas that

$$\begin{aligned}
\int_{c}^{c+2\pi} \sin mx \cos nx \, dx &= 0, \\
\int_{c}^{c+2\pi} \sin mx \sin nx \, dx &= 0, \\
\int_{c}^{c+2\pi} \cos mx \cos nx \, dx &= 0, \qquad (m \neq n;\ m, n = 1, 2, \ldots),
\end{aligned} \tag{3}$$

$$\begin{aligned}
\int_{c}^{c+2\pi} \cos^2 nx \, dx &= \int_{0}^{2\pi} \cos^2 nx \, dx = \int_{0}^{2\pi} \frac{1 + \cos 2nx}{2} \, dx = \pi, \\
\int_{c}^{c+2\pi} \sin^2 nx \, dx &= \pi, \qquad (n = 1, 2, \ldots), \\
\int_{c}^{c+2\pi} 1^2 \, dx &= 2\pi.
\end{aligned} \tag{4}$$

3.2.2. Fourier Series Coefficient Analysis

Deduction 1. Assume that the function $f(x)$ has been expanded into a uniformly convergent trigonometric series:

$$f(x) = \frac{a_0}{2} + \sum_{n=1}^{\infty} (a_n \cos nx + b_n \sin nx). \tag{5}$$

Then

$$\begin{aligned}
a_0 &= \frac{1}{\pi} \int_{-\pi}^{\pi} f(x) \, dx, \\
a_n &= \frac{1}{\pi} \int_{-\pi}^{\pi} f(x) \cos nx \, dx, \qquad (n = 0, 1, 2, \ldots), \\
b_n &= \frac{1}{\pi} \int_{-\pi}^{\pi} f(x) \sin nx \, dx, \qquad (n = 0, 1, 2, \ldots).
\end{aligned} \tag{6}$$

Proof. Assume that $f(x)$ is an integrable function on $[-\pi, \pi]$, where the right side of (5) can be integrated term by term. So we can get (7) by (2). Consider

$$\int_{-\pi}^{\pi} f(x) \, dx = \frac{a_0}{2} \cdot 2\pi = a_0 \pi, \qquad a_0 = \frac{1}{\pi} \int_{-\pi}^{\pi} f(x) \, dx. \tag{7}$$

Let $k$ be a positive integer; multiplying both sides of (5) by $\cos kx$ and integrating over $[-\pi, \pi]$, we can get (8) by (2), (3), and (4):

$$\begin{aligned}
\int_{-\pi}^{\pi} f(x) \cos kx \, dx &= \frac{a_0}{2} \int_{-\pi}^{\pi} \cos kx \, dx + \sum_{n=1}^{\infty} \left( a_n \int_{-\pi}^{\pi} \cos nx \cos kx \, dx + b_n \int_{-\pi}^{\pi} \sin nx \cos kx \, dx \right) \\
&= \int_{-\pi}^{\pi} a_k \cos^2 kx \, dx = a_k \pi.
\end{aligned} \tag{8}$$

Therefore

$$a_k = \frac{1}{\pi} \int_{-\pi}^{\pi} f(x) \cos kx \, dx. \tag{9}$$

Similarly

$$b_k = \frac{1}{\pi} \int_{-\pi}^{\pi} f(x) \sin kx \, dx. \tag{10}$$

Thus Deduction 1 is proved.

3.3. MBAP Authentication Principle. We assume that $f(x)$ is a continuous-integrability function on $[-\pi, \pi]$ which is predistributed to each node upon initialization. The MBAP authentication principle is as follows.

Step 1 (establishing authentication key). The base station divides the communication time into equal time slices, where the length of each time slice is $D$, and each time slice is assigned a key in order. Set $K(i)$ to be the authentication key distributed for time slice $i$, and set

$$K(i) = \frac{a_0}{2} + \sum_{n=1}^{i} (a_n \cos nx + b_n \sin nx). \tag{11}$$

It is obvious that the keys for each time slice are different based on Deduction 1, and

$$K(i+1) = \frac{a_0}{2} + \sum_{n=1}^{i+1} (a_n \cos nx + b_n \sin nx) = K(i) + \left( a_{i+1} \cos (i+1)x + b_{i+1} \sin (i+1)x \right). \tag{12}$$

It is shown in (12) that the authentication key $K(i+1)$ of time slice $i+1$ can be calculated from $K(i)$ and the Fourier series coefficients $a_{i+1}$ and $b_{i+1}$.

Step 2 (building broadcast authentication information). We assume that $L(i)$ is the broadcast authentication information of time $i(t)$ in time slice $i$, where $t$ is a certain time in time slice $i$, and set

$$L(i) = \{P_{i(t)} \,\|\, h(a_i) \,\|\, h(b_i) \,\|\, \mathrm{MAC} = h(K(i), P_{i(t)}, i(t)) \,\|\, i(t)\}, \tag{13}$$

where $a_i = (1/\pi) \int_{-\pi}^{\pi} f(x) \cos ix \, dx$ and $b_i = (1/\pi) \int_{-\pi}^{\pi} f(x) \sin ix \, dx$ are the last two Fourier series coefficients of $K(i)$, $P_{i(t)}$ is the plaintext message of time $i(t)$, and $\mathrm{MAC} = h(K(i), P_{i(t)}, i(t))$ makes sure that $K(i)$ is undisclosed, which ensures the security of the key in the process of message communication. Then the base station broadcasts $L(i)$.

Step 3 (application verification). The common sensor node gets the authentication information $L(i)$ and time $i(t)$. If the common sensor node has received the authentication information $L(i)$ at time $i(t+1)$, it is shown that the authentication information $L(i)$ is outdated, which is likely to be caused by network congestion or may be an enemy in disguise after a capture. For this unusual situation, the first step is to abandon $L(i)$ of time $i(t)$, and the second step is to verify the legitimacy of $L(i)$ of time $i(t)$ by BS. Conversely, if $i(t)$ is the latest time, it is shown that $L(i)$ is the authentication information which needs to be authenticated currently, and go to Step 4.

Step 4 (entity authentication). Because $f(x)$ is predistributed to each sensor node, according to Definition 1 and Deduction 1, set

$$\begin{aligned}
a_i' &= \frac{1}{\pi} \int_{-\pi}^{\pi} f(x) \cos ix \, dx, \\
b_i' &= \frac{1}{\pi} \int_{-\pi}^{\pi} f(x) \sin ix \, dx.
\end{aligned} \tag{14}$$

If $h(a_i') = h(a_i)$ and $h(b_i') = h(b_i)$, it is shown that $L(i)$ is the authentication information sent by BS in time slice $i$, and entity authentication is completed. Conversely, if $h(a_i') \neq h(a_i)$ or $h(b_i') \neq h(b_i)$, abandon $L(i)$ and check the legitimacy of $L(i)$ by BS.

Step 5 (source attestation). After the completion of entity authentication, it is necessary to determine whether the plaintext message $P_{i(t)}$ has been tampered with by the enemy, and set

$$K'(i) = \frac{a_0'}{2} + \sum_{n=1}^{i} (a_n' \cos nx + b_n' \sin nx) \tag{15}$$

or

$$K'(i) = K(i-1) + (a_i' \cos ix + b_i' \sin ix), \tag{16}$$

where $K(i-1)$ is the authentication key of time slice $i-1$, which was authenticated in the last time slice, and $h(a_i') = h(a_i)$ and $h(b_i') = h(b_i)$ have been authenticated in Step 4, so $K'(i) = K(i)$ based on (12), where $K(i)$, encrypted by the hash function, cannot be obtained by the enemy. It is shown in (16) that the calculation of $K'(i)$ avoids recalculating a large number of Fourier series coefficients each time and reduces the computation cost greatly. And if

$$h(K'(i), P_{i(t)}, i(t)) = h(K(i), P_{i(t)}, i(t)) = \mathrm{MAC}, \tag{17}$$

it is shown that the plaintext message $P_{i(t)}$ is intact and has not been tampered with by the enemy, and source attestation is completed. Conversely, if $h(K'(i), P_{i(t)}, i(t)) \neq h(K(i), P_{i(t)}, i(t))$, it is shown that the plaintext message $P_{i(t)}$ is captured by the enemy, and the legitimacy of $L(i)$ is checked by BS. The forward authentication work for common sensor nodes to base station is completed from now on, and the forward flow chart of the MBAP protocol is shown in Figure 3.

Step 6 (reverse authentication)

Deduction 2. In order to detect the security of $f(x)$, assume that $f(x)$ is a quadratic polynomial and a continuous-integrability function for some variable on $[-\pi, \pi]$. And
the reverse authentication work for the base station to the common sensor nodes can be completed by detecting the security of $f(x)$, and it also means that the MBAP protocol can achieve mutual security authentication.

Figure 3: Forward flow chart of MBAP protocol.

Proof. Assume that $f(x_1, x_2, \ldots, x_d)$ is a multiple asymmetric quadratic form polynomial over a field:

$$\begin{aligned}
f(x_1, x_2, \ldots, x_d) &= a_{11} x_1^2 + a_{12} x_1 x_2 + \cdots + a_{1d} x_1 x_d + a_{21} x_2 x_1 + a_{22} x_2^2 + \cdots + a_{2d} x_2 x_d + \cdots + a_{d1} x_d x_1 + a_{d2} x_d x_2 + \cdots + a_{dd} x_d^2 \\
&= (x_1, x_2, \ldots, x_d)
\begin{bmatrix}
a_{11} & a_{12} & \cdots & a_{1d} \\
a_{21} & a_{22} & \cdots & a_{2d} \\
\vdots & \vdots & \ddots & \vdots \\
a_{d1} & a_{d2} & \cdots & a_{dd}
\end{bmatrix}
\begin{bmatrix} x_1 \\ x_2 \\ \vdots \\ x_d \end{bmatrix}
= X^T A X,
\end{aligned} \tag{18}$$

where $A$ is the quadratic matrix of $f(x_1, x_2, \ldots, x_d)$, $a_{ij} = a_{ji}$, $i, j = 1, \ldots, d$, and $A = A^T$. A key management scheme based on quadratic form for WSN is proposed in [17] by the author Xiaogang Wang, where, assuming $f_{w_i}(x_1, x_2, \ldots, x_d)$ is the quadratic polynomial of node $i$, $\lambda_{i1}, \lambda_{i2}, \ldots, \lambda_{id}$ are the eigenvalues of $f_{w_i}(x_1, x_2, \ldots, x_d)$, and $\mathbf{D}_i$ collects the eigenvectors of $f_{w_i}(x_1, x_2, \ldots, x_d)$, assume that

$$\mathbf{C}_i =
\begin{bmatrix}
\lambda_{i1} & 0 & \cdots & 0 \\
0 & \lambda_{i2} & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & \lambda_{id}
\end{bmatrix},
\qquad
\mathbf{D}_i = [\text{eigenvector}_{i1}, \text{eigenvector}_{i2}, \ldots, \text{eigenvector}_{id}]. \tag{19}$$

We can assume that node $i$ has achieved forward authentication work for the base station and responded to the base station with a message $\{f(x) \,\|\, h(\mathbf{C}_i) \,\|\, h(\mathbf{D}_i) \,\|\, \mathrm{ID}_i\}$, and the base station will make reverse authentication upon receiving this message. Based on [17], eigenvalues $\lambda_{i1}, \lambda_{i2}, \ldots, \lambda_{id}$ of the quadratic polynomial $f_{w_i}(x_1, x_2, \ldots, x_d)$ that are in a different sequence or incorrect will affect the accuracy of the eigenvectors or $\mathbf{D}_i$, and eigenvectors in a different sequence that belong to the same eigenvalue can also affect the accuracy of $\mathbf{D}_i$. For this reason, we can assume that the sequence of eigenvalues and eigenvectors of each sensor node is predistributed by the base station, which avoids the same response information from different nodes and ensures the independence of the reverse authentication work. For example, $\{f(x) \,\|\, h(\mathbf{C}_i) \,\|\, h(\mathbf{D}_i) \,\|\, \mathrm{ID}_i\}$ is the response information of node $i$, and the base station can get $\mathbf{C}_i'$ and $\mathbf{D}_i'$ based on the sequence of eigenvalues and eigenvectors of node $i$. If $h(\mathbf{C}_i) \neq h(\mathbf{C}_i')$ or $h(\mathbf{D}_i) \neq h(\mathbf{D}_i')$, it is shown that node $i$ is captured by the enemy, and it is removed by the base station. If $h(\mathbf{C}_i) = h(\mathbf{C}_i')$ and $h(\mathbf{D}_i) = h(\mathbf{D}_i')$, it is shown that the identity of node $i$ is authenticated by the base station. Therefore, a mutual broadcasting authentication work is achieved and Deduction 2 is proved.

Step 7 (update $f(x)$). For the network security, $f(x)$ should be updated periodically, so the base station modifies the broadcast authentication information $L(i)$ and sets

$$L(i)' = \{P_{i(t)} \,\|\, h(a_i) \,\|\, h(b_i) \,\|\, \mathrm{MAC} = h(K(i), P_{i(t)}, i(t)) \,\|\, K_i(f(x)_{\mathrm{new}}) \,\|\, h(f(x)_{\mathrm{new}}) \,\|\, i(t)\}, \tag{20}$$

where the first part $\{P_{i(t)} \,\|\, h(a_i) \,\|\, h(b_i) \,\|\, \mathrm{MAC} = h(K(i), P_{i(t)}, i(t))\}$ of $L(i)'$ is still the broadcast authentication information $L(i)$, so the common sensor nodes can still make forward authentication work. After forward authentication, each sensor node can get $f(x)_{\mathrm{new}}$ by $K_i$ and verify $f(x)_{\mathrm{new}}$ by $h(f(x)_{\mathrm{new}})$, removing the old $f(x)$ at last. And the updating of $f(x)$ is completed.
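The forward authentication of Steps 1 to 5 (equations (11) to (17)), as an added example that is not code from the paper. Assumptions: SHA-256 as $h$, Simpson's rule for the integrals, a fixed evaluation point `X0` for $K(i)$, a fixed-point encoding of values before hashing, the dictionary layout of $L(i)$, and the constructed polynomial used as $f(x)$.

```python
import hashlib
import hmac
import math
import struct

X0 = 1.0       # ASSUMPTION: evaluation point x used in K(i); the paper does not fix one
STEPS = 2000   # ASSUMPTION: number of Simpson sub-intervals (must be even)

def fourier_coeff(f, n, kind):
    """(1/pi) * integral over [-pi, pi] of f(x)cos(nx) ("a") or f(x)sin(nx) ("b")."""
    trig = math.cos if kind == "a" else math.sin
    g = lambda x: f(x) * trig(n * x)
    step = 2 * math.pi / STEPS
    total = g(-math.pi) + g(math.pi)
    for k in range(1, STEPS):
        total += (4 if k % 2 else 2) * g(-math.pi + k * step)
    return total * step / 3 / math.pi

def enc(value):
    """ASSUMPTION: fixed-point encoding (1e-9 resolution) so both sides hash the same bytes."""
    return struct.pack(">q", round(value * 1e9))

def h(*parts):
    """Hash function h over length-prefixed byte strings."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(2, "big") + p)
    return d.digest()

def key_full(f, i):
    """Equations (11)/(15): K(i) = a_0/2 + sum_{n=1..i} (a_n cos n x + b_n sin n x)."""
    k = fourier_coeff(f, 0, "a") / 2
    for n in range(1, i + 1):
        k += (fourier_coeff(f, n, "a") * math.cos(n * X0)
              + fourier_coeff(f, n, "b") * math.sin(n * X0))
    return k

def bs_build(f, i, t, payload):
    """Step 2, equation (13): L(i) = {P || h(a_i) || h(b_i) || MAC || i(t)}."""
    when = struct.pack(">II", i, t)
    return {"P": payload,
            "h_a": h(enc(fourier_coeff(f, i, "a"))),
            "h_b": h(enc(fourier_coeff(f, i, "b"))),
            "MAC": h(enc(key_full(f, i)), payload, when),
            "time": (i, t)}

class SensorNode:
    def __init__(self, f):
        self.f = f
        self.prev = None          # (slice, key) of the last accepted message

    def verify(self, L, now):
        i, t = L["time"]
        if (i, t) != now:                                            # Step 3
            return "abandon: outdated"
        a = fourier_coeff(self.f, i, "a")                            # Step 4, equation (14)
        b = fourier_coeff(self.f, i, "b")
        if not (hmac.compare_digest(h(enc(a)), L["h_a"])
                and hmac.compare_digest(h(enc(b)), L["h_b"])):
            return "abandon: entity authentication failed"
        if self.prev and self.prev[0] == i - 1:                      # Step 5, equation (16)
            k = self.prev[1] + (a * math.cos(i * X0) + b * math.sin(i * X0))
        elif self.prev and self.prev[0] == i:
            k = self.prev[1]
        else:                                                        # Step 5, equation (15)
            k = key_full(self.f, i)
        tag = h(enc(k), L["P"], struct.pack(">II", i, t))
        if not hmac.compare_digest(tag, L["MAC"]):                   # equation (17)
            return "abandon: source attestation failed"
        self.prev = (i, k)
        return "accepted"

def demo():
    f = lambda x: 0.5 * x * x - 1.25 * x + 3.0    # constructed f(x), predistributed
    g = lambda x: 0.5 * x * x - 1.20 * x + 3.0    # constructed: a sender that does not hold f(x)
    node = SensorNode(f)
    results = [node.verify(bs_build(f, 3, 0, b"set-rate=5"), now=(3, 0))]   # uses (15)
    results.append(node.verify(bs_build(f, 4, 0, b"sleep"), now=(4, 0)))    # uses (16)
    tampered = bs_build(f, 5, 0, b"sleep")
    tampered["P"] = b"reboot"
    results.append(node.verify(tampered, now=(5, 0)))
    results.append(node.verify(bs_build(g, 5, 0, b"reboot"), now=(5, 0)))
    results.append(node.verify(bs_build(f, 5, 0, b"late"), now=(5, 1)))
    return results

if __name__ == "__main__":
    print(demo())
```

Verification here needs nothing beyond $f(x)$, the slice index, and the evaluation point, which is why Section 4.1 treats disclosure of $f(x)$ as the event that breaks the network.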
4. Security Analysis

Because of the limited resources in WSN, an efficient broadcast authentication protocol should meet 3 basic requirements: Firstly, ensure low computation and communication cost. Secondly, the base station can make authentication randomly. Thirdly, the sensor nodes can make a real-time authentication. In this paper, the TWBAP protocol has some security features of its own besides the above 3 conditions.

4.1. Anticapture. In MBAP, $f(x)$ is the key point of authentication, and the network will not be safe once $f(x)$ is leaked, so the selection of $f(x)$ is very important. On the basis of [17], we assume that $f(x)$ is a $d$-variate quadratic polynomial over a field, which has a high anticapture. For example, a key management scheme for distributed sensor networks is proposed by Eschenauer and Gligor in [18], and the main idea of this scheme is based on the binary $t$th symmetric polynomials; if the enemy captures some nodes which all include the same binary $t$th symmetric polynomial, and the number of these nodes is more than $t$, the communication key will be decrypted by the enemy, which is also called a $t$-collusion attack. In MBAP, if the enemy wants to get the communication keys, it should decrypt the binary $t$th symmetric polynomial $f(x)$ or the matrix $A$ in formula (18), but $A$ is a symmetric matrix, which means that there are $d(d+1)/2$ different elements in matrix $A$ to be decrypted, and the difficulty of decrypting $A$ is multiplied when the dimension $d$ of matrix $A$ is slightly changed (as shown in Figure 4). So it is very difficult to capture the binary $t$th symmetric polynomial $f(x)$. In addition to this, if the size of the network in WSN is smaller than $d(d+1)/2$, the enemy is unable to decrypt matrix $A$ and also unable to decrypt $f(x)$. Therefore, for a small or middle size network, the network is absolutely safe as long as the network size is less than $d(d+1)/2$. And, for a large network, the network security can also be guaranteed as long as there is a reasonable network structure, such as increasing the number of clusters and limiting the number of cluster members. It shows that MBAP in this paper has good anticapture performance.

Figure 4: Anticapture performance of MBAP (horizontal axis: space dimension of quadratic polynomial, $d$; vertical axis: captured nodes, $n$).

4.2. Low Cost. In this paper, the computation cost and communication cost of the MBAP protocol are relatively low, which can meet the requirement of low cost. Firstly, the broadcast authentication information $L(i) = \{P_{i(t)} \,\|\, h(a_i) \,\|\, h(b_i) \,\|\, \mathrm{MAC} = h(K(i), P_{i(t)}, i(t)) \,\|\, i(t)\}$ is verified by a single hash operation, while μTESLA is operated by key chain. Secondly, we can get $K'(i) = K(i-1) + (a_i' \cos ix + b_i' \sin ix)$ in (16), where $K(i-1)$ is the authentication key of time slice $i-1$, which was authenticated in the last time slice, so we can get $K'(i) = K(i)$ by verifying $h(a_i') = h(a_i)$ and $h(b_i') = h(b_i)$ in Step 4 of Section 3.3, which shows that the calculation of $K(i)$ avoids recalculating a large number of Fourier series coefficients each time and reduces the computation cost greatly.

4.3. Instant Authentication. In MBAP, authentication can be made immediately based on the characteristics of Fourier series coefficients when the authentication information $L(i)$ is broadcast by the base station. But the μTESLA protocol needs to make the authentication after the delay time $\delta$, which may cause a communication blocking.
4.4. Delay. In μTESLA, the time interval of sending the message $\{\mathrm{MAC}_{K_i}(P_i) \,\|\, K_{i-2} \,\|\, P_i \,\|\, i(t)\}$ will increase gradually, and the time for buffering data packets also increases because of the authentication delay, which makes the protocol more vulnerable to DoS attacks. In MBAP, the authentication information is $L(i) = \{P_{i(t)} \,\|\, h(a_i) \,\|\, h(b_i) \,\|\, \mathrm{MAC} = h(K(i), P_{i(t)}, i(t)) \,\|\, i(t)\}$, and the plaintext message $P_{i(t)}$ and authentication key $K(i)$ are sent together in $L(i)$, so there is no such problem that the time interval of sending messages increases gradually.

Authentication delay includes the transmission cost and the computation cost, where the transmission cost is a necessary cost which cannot be avoided. For μTESLA, the authentication delay should also include the delay time $\delta$. In order to analyze the delay of MBAP and μTESLA by simulation, we assume that $T$ is the authentication delay and $D$ is the length of a time slice, which is set to 1 here, and assume that the delay time is $\delta = 2$, $K_0$ is the initial key, and $t$ is the computation time of a hash calculation. In μTESLA, $\{\mathrm{MAC}_{K_i}(P_i) \,\|\, K_{i-2} \,\|\, P_i \,\|\, i(t)\}$ is the message authentication code of time slice $i$. We can judge the correctness of $K_{i-2}$ by $K_0 = H^{i-2}(K_{i-2})$, which shows that entity authentication is completed by $i - 2$ hash calculations, and we can verify the integrity of $P_{i-2}$ by $\mathrm{MAC}_{K_{i-2}}(P_{i-2})$, which shows that source attestation is completed by one hash calculation. So, we assume that $T_1$ is the authentication cost of time slice $i$ in μTESLA, and

$$T_1 = (i-2)t + t + \delta = (i-1)t + \delta = (i-1)t + 2. \tag{21}$$

In MBAP, $L(i) = \{P_{i(t)} \,\|\, h(a_i) \,\|\, h(b_i) \,\|\, \mathrm{MAC} = h(K(i), P_{i(t)}, i(t)) \,\|\, i(t)\}$ is the message authentication code of time slice $i$. For entity authentication, we should calculate $a_i' = (1/\pi) \int_{-\pi}^{\pi} f(x) \cos ix \, dx$ and $b_i' = (1/\pi) \int_{-\pi}^{\pi} f(x) \sin ix \, dx$ by two conventional operations and check $h(a_i') = h(a_i)$ and $h(b_i') = h(b_i)$ by two hash calculations. For source attestation, we should calculate $K_i' = a_0'/2 + \sum_{n=1}^{i} (a_n' \cos nx + b_n' \sin nx)$ by a conventional operation and check $h(K'(i), P_{i(t)}, i(t)) = h(K(i), P_{i(t)}, i(t))$ by a hash calculation. For ease of calculation, we assume that the cost of a conventional operation is also $t$ and that $T_2$ is the authentication cost of time slice $i$ in MBAP, and

$$T_2 = 4t. \tag{22}$$

The authentication costs $T_1$ and $T_2$ are shown in Figure 5, where $t = 0.01$ s. It is obvious that $T_1$ increases gradually with time, which shows that μTESLA needs more authentication cost as time passes, while the authentication cost of MBAP does not change.

Figure 5: $T$ changes (series $T_1$ and $T_2$; horizontal axis: time slice, $i$ (s); vertical axis: authentication delay, $T$ (s)).

Figure 5 shows the cost of a single authentication calculation in different time slices, but actually many authentication calculations happen in each time slice, which causes some time delay for each authentication calculation. So, the authentication delay increases with time. For this reason, we assume that $m$ authentication calculations happen in each time slice, and we assume that $T_3$ is the authentication cost of time slice $i$ for $m$ authentication calculations in μTESLA, and

$$T_3 = m((i-2)t + t) + \delta = m(i-1)t + \delta = m(i-1)t + 2. \tag{23}$$

Similarly, we assume that $T_4$ is the authentication cost of time slice $i$ for $m$ authentication calculations in MBAP, and

$$T_4 = m(4t) = 4mt. \tag{24}$$

Figure 6: $T$ changes of μTESLA protocol (series $T_1$ and $T_3$).

Figure 7: $T$ changes of MBAP protocol (series $T_2$ and $T_4$).

Figure 8: $T$ changes between two protocols (series $T_1$, $T_2$, $T_3$, and $T_4$).

For ease of calculation, we assume $m = 10$, and the authentication costs of these two protocols are shown in Figures 6, 7, and 8. It is indicated in Figures 6 and 7 that the authentication delays of these two protocols are all increased with the time
International Journal of Distributed Sensor Networks changes, but the authentication delays of πTESLA are increased much faster with the authentication calculation increasing, while the authentication delay of MBAP is changed stably. It is indicated in Figure 8 that there will be some messages abandoned on some slices with the authentication delay increasing in πTESLA; it is one of the issues in πTESLA analyzed in Section 2. 4.5. Initialization Parameter. In MBAP, the only predistributed initialization parameter is π(π₯), and if π(π₯) is a quadratic polynomial, this can make a mutual authentication. While in πTESLA the initialization parameters are {πΎ0 , πΏ, π·, π0 } and if the nodes send the initialization parameters {πΎ0 , πΏ, π·, π0 } in unicast way upon network initialization, that will cause much resource consumption, because the sending node needs to encrypt {πΎ0 , πΏ, π·, π0 } in different keys shared with the receiving node, which will cause the delay for data packet transmission and authentication, and the delay may lead to DoS attacks. 4.6. Length of the Key Chain. In πTESLA, when the sensor nodes receive the published key πΎπ , we can verify the correctness of πΎπ by πΎ0 = π»π (πΎπ ) or πΎπ = π»(πβπ) (πΎπ ), where πΎπ is the verified key before πΎπ and πΎ0 is the initial key. So in order to complete the authentication task in πTESLA, it needs to save a long secret key chain and needs to reconstruct the key chain sometimes, which makes a large network load. 
In MBAP, the authentication key $K(i)$ is a Fourier series, and from (16) we get $K'(i) = K(i-1) + (a_i'\cos ix + b_i'\sin ix)$, where $K(i-1)$ is the authentication key on time slice $i-1$, which was authenticated on the previous time slice. We can therefore obtain $K'(i) = K(i)$ by verifying $h(a_i') = h(a_i)$ and $h(b_i') = h(b_i)$ in Step 4 of Section 3.3. Calculating $K(i)$ this way avoids recalculating a large number of Fourier series coefficients each time and greatly reduces the computation cost.
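The receiver-side checks described in Sections 4.4 and 4.6 (entity authentication by the coefficient hashes, then source attestation with the incrementally updated key $K'(i)$), as an added example that is not code from the paper. It assumes SHA-256 for $h$, a constructed quadratic $f(x)$, a fixed evaluation point `X0`, Simpson integration, quantisation to $10^{-6}$ before hashing, and the field names `M` and `T`; none of these are specified by the paper.

```python
import functools, hashlib, hmac, math, struct

C2, C1, C0 = 0.5, -1.25, 2.0  # constructed coefficients of the shared quadratic f(x)
X0 = 1.0                      # assumed agreed point at which K(i) is evaluated

def f(x):
    return C2 * x * x + C1 * x + C0

@functools.lru_cache(maxsize=None)
def coeff(n, trig, steps=2000):
    """(1/pi) * integral of f(x)*trig(n*x) over [-pi, pi], composite Simpson rule."""
    h = 2 * math.pi / steps
    g = lambda k: f(-math.pi + k * h) * trig(n * (-math.pi + k * h))
    s = g(0) + g(steps) + sum((4 if k % 2 else 2) * g(k) for k in range(1, steps))
    return s * h / 3 / math.pi

def enc(v):
    """Quantise to 1e-6 before hashing so both ends hash identical bytes."""
    return struct.pack(">q", round(v * 10**6))

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def term(n):  # n-th Fourier term a_n cos(n X0) + b_n sin(n X0)
    return coeff(n, math.cos) * math.cos(n * X0) + coeff(n, math.sin) * math.sin(n * X0)

def broadcast(i, msg, ts):
    """Base-station side: fields of delta(i), with K(i) summed term by term."""
    k = coeff(0, math.cos) / 2
    for n in range(1, i + 1):
        k += term(n)
    return {"i": i, "M": msg, "T": ts, "ha": H(enc(coeff(i, math.cos))),
            "hb": H(enc(coeff(i, math.sin))), "mac": H(enc(k), msg, ts)}

class Node:
    def __init__(self):
        self.i, self.k = 0, coeff(0, math.cos) / 2  # K'(0) = a0'/2

    def verify(self, p):
        i = p["i"]
        if i != self.i + 1:  # K'(i) extends only the last verified slice
            return False
        a, b = coeff(i, math.cos), coeff(i, math.sin)  # a_i', b_i' from local f(x)
        k = self.k + term(i)  # K'(i) = K(i-1) + a_i' cos(i X0) + b_i' sin(i X0)
        ok = (hmac.compare_digest(H(enc(a)), p["ha"])      # entity authentication
              and hmac.compare_digest(H(enc(b)), p["hb"])
              and hmac.compare_digest(H(enc(k), p["M"], p["T"]), p["mac"]))  # source
        if ok:
            self.i, self.k = i, k  # commit state only after every check passes
        return ok
```

Because the checks compare hashes of real-valued coefficients, both ends must produce bit-identical encodings. The quantisation in `enc` is one way to get that, and it breaks if a value sits on a rounding boundary while the two sides integrate differently.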
5. Summary

This thesis presents a mutual broadcast authentication protocol (MBAP) for wireless sensor networks based on Fourier series, motivated by the problems of the main broadcast authentication protocol μTESLA: authentication delay, more initial parameters, limited time, a large key chain, and network congestion. Mutual authentication between nodes and base station is achieved using the property that a continuous, integrable function $f(x)$ on $[-\pi, \pi]$ can be expanded into a Fourier series. Firstly, $f(x)$ is predistributed to each node upon network initialization; the node calculates the current Fourier series coefficients, establishes the authentication key $K'$, and verifies the correctness of the broadcast authentication information, which achieves entity authentication and source attestation. Secondly, assuming that $f(x)$ is a quadratic form function, the reverse authentication from base station to common sensor nodes is achieved by detecting the security of $f(x)$, which means that the MBAP protocol can achieve mutual security authentication. The analysis of the safety performance of MBAP shows that captured nodes in the WSN do not affect the security of the broadcast authentication protocol, that the computation and communication costs are low, that the base station can broadcast randomly, and that common sensor nodes can authenticate messages instantly, which solves the problem of network congestion well. The most important feature of MBAP is the mutual broadcast authentication method, which greatly ensures the security of the network.
Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments

This work is funded by the National Natural Science Foundation of China (no. 61473050), National Science and Technology Planning of China (2011BAJ03B13-2), and National Basic Research Program of China (2013CB328903).