Security Protocols for Use with Wireless Sensor Networks - CiteSeerX

Security Protocols for use with Wireless Sensor Networks A Survey of Security Architectures

D. Boyle, T. Newe Department of Electronic and Computer Engineering University of Limerick Limerick, Ireland [email protected]

Abstract - Wireless sensor networking continues to evolve as one of the most exciting and challenging research areas of our time. Intrinsically, there are many applications of wireless sensor networks that collect and disseminate sensitive and important information. In order for many implementations of these applications to operate successfully, it is necessary to maintain the privacy and security of the transmitted data. What remains undefined, however, is an agreeable and most effective way of securing the information. This paper considers popular and progressive security architectures available and used to-date, whilst focusing on authentication. Authentication can be defined as a security mechanism, the use of which allows the identity of a node in the network to be identified as a valid node of the network. Data authenticity can be achieved when a valid node decrypts the appended message authentication code, or applies one to an outgoing packet, using some known/shared key. Node authentication can be achieved using a number of different methods. A comparison table is presented which illustrates the various properties held by these security protocols, including authentication characteristics. This will allow the desirable characteristics of the various security architectures to be easily identifiable to designers in their struggle to implement the most cost effective and appropriate method of securing their network. Keywords-security; authentication protocols; wireless sensor networks

I.

INTRODUCTION

A number of independent nodes, communicating wirelessly over limited frequency and bandwidth constitutes a wireless sensor network [1]. Unlike traditional networks, sensor networks depend on dense deployment and coordination to execute their tasks. When the exact location of a particular event is unknown, this method of distributed sensing allows for closer placement to the phenomena than would be achieved with a single sensor [2]. Areas such as power management, network discovery, control and routing, collaborative signal and information processing, tasking and querying, and security are all currently under research [3]. Nodes are generally battery powered, where recharging would normally not be feasible, and so are considered to be Research Sponsored by Science Foundation Ireland – Grant number: 05/RFP/CMS0071)

Proceedings of the Third International Conference on Wireless and Mobile Communications (ICWMC'07) 0-7695-2796-5/07 $20.00 © 2007

disposable. Many methods of powering these sensor nodes have been indulged, including solar power, but they are still seen to be typically a “one-use” device. Eventual failure is expected and maximising lifetime and productivity is extremely important. This extends to suitable security protocols, which are required to be lightweight, in order to achieve the same goal. In order to design a completely secure wireless sensor network, security must be integrated into every node of the system. This is due to the possibility that a component implemented without any security could easily become a point of attack. This dictates that security must pervade every aspect of the design of a wireless sensor network application that will require a high level of security [4]. Similarly to conventional networks, most applications of wireless sensor networks require protection against eavesdropping, injection, or modification of disseminated data packets. Cryptography is the standard method of defence against such attacks [4], but brings a number of trade-offs into play. Varying levels of cryptography will imply proportionately varying levels of overhead, in the form of increased packet size, for example. In order for security to pervade all aspects of an implementation, it has to be provided for under the communications protocol chosen by the designer. Varying communications protocols will have different solutions to the security problem. A. Applications Two of the most security-oriented applications of wireless sensor networks are military and medical solutions. Due to the nature of the military, it is obvious that the data (sensed or disseminated) is of a private nature and is required to remain this way to ensure the success of the application. Enemy tracking and targeting are among the most useful applications of wireless sensor networks in military terms. The most up to date work can be found on the Defence Advanced Research Projects Agency (DARPA) website [4,5].

More recently, the idea of “tele-health” is being embraced. Plug and play wireless sensors have been implemented, forming a body area network (BAN), which is capable of monitoring a patients’ vital signs and transmitting information back to the health authorities (via a laptop/PDA). Such applications imply that outpatients can be monitored from their homes, freeing space in hospital beds [6]. As physiological patient data is legally required to be kept private, the implemented network must invoke a strong security protocol. II.

COMMUNICATIONS SYSTEMS

Communications systems play a pivotal role in the success of wireless sensor networks. The architectures of the networks employed, data rates, network size, span, power management and security protocols are all affected, if not dictated, by the communications protocols chosen for the application. Standardization has yet to occur for a communications system optimal for use with wireless sensor networks. The choices have been considerably narrowed down, however, with the arrival of the IEEE 802.15.4 standard [7], ZigBee [8] and Bluetooth [9]. Bluetooth (IEEE 802.15.1) was originally designed to be the industry standard for low power wireless devices. It is still, however, considerably unsuitable for use with many wireless sensor networking applications. This results explicitly from the topology and protocol design. Even though a channel hopping period of only 600 microseconds enables the low-latency and high throughput operation of Bluetooth devices, the requirement for all devices in a Bluetooth Piconet to remain synchronized to within a few microseconds is troublesome. Another concern is the expense of entering and exiting a Bluetooth network. Using a standard Bluetooth configuration, it can take over 2.4 microseconds to establish a connection [9], during which the master node must be in a high-power scanning mode. Typical Bluetooth radios can consume hundreds of milliwatts whilst monitoring the channel [10]. Because of these shortcomings, security protocols for Bluetooth will not be further investigated. The focus is instead placed on those that operate in conjunction with the IEEE 802.15.4 standard and the ZigBee Specification. The 802.15.4 standard is the IEEE specification for lowrate wireless personal area networks (LR-WPANs). Unlike wireless local area networks (WLANs), connections effected via WPANs involve little or no infrastructure. This is set to become the standard communications protocol for use in wireless sensor networking. Features allow small, power efficient, inexpensive solutions to be implemented for a wide range of devices. The main objectives of an LR-WPAN are ease of installation, reliable data transfer, short-range operation, and extremely low cost and reasonable battery life, whilst maintaining a simple and flexible protocol [7]. Specified in this standard are a number of security suites. These will be addressed in the next section. As a result of the large number of targeted application areas of this protocol, the processes of key exchange and authentication are not defined by the standard [10]. ZigBee is an industrial consortium, which was designed to build a standard data link communication layer for use in ultra

Proceedings of the Third International Conference on Wireless and Mobile Communications (ICWMC'07) 0-7695-2796-5/07 $20.00 © 2007

low power wireless communications [8]. The members of this organization came together because they felt that “existing standard technologies were not applicable to ultra-low power application scenarios” [11]. The ZigBee network layer (NWK) is designed to operate just above the PHY and MAC layers, specified in the IEEE 802.15.4 standard. The main responsibilities of the ZigBee NWK layer include the mechanisms used to join and leave a network, apply security to frames and to route frames to their intended destinations. The ZigBee specification also details extra security services, including the processes of key exchange and authentication, in addition to those provided under the IEEE 802.15.4, upon which it is built. These will also be examined further in the next section A. IEEE 802.15.4 Security Under this standard, a link layer security protocol provides four basic security services. These include access control, message integrity, message confidentiality (only intended recipients gain access to secured information), and replay protection. An application sets its security requirements by setting the appropriate parameters into the radio stack. If the application does not set any parameters then, by default, there is no security enabled. Access control and message integrity imply that this protocol should prevent unauthorized parties from participating in the network. Legitimate nodes should be able to detect messages from unauthorized nodes and reject them. Message integrity protection implies that if an adversary modifies a message from an authorized sender while the message was in transit, the receiver should be able to detect the tampering. To ensure message authentication and integrity, a message authentication code (MAC) is appended to each message sent. This MAC is viewed as a cryptographically secure checksum of the message [12]. Computing the MAC requires senders and receivers to share a secret cryptographic key, and this key is part of the input to the computation. The sender computes the MAC over the packet and includes it with the packet (using the secret key). A receiver sharing the same key re-computes the MAC and compares it with the MAC in the packet. If the two are the same then the receiver accepts the packet, or rejects it otherwise. Message authentication codes must be difficult to forge without a secret key and, resultantly, if an adversary to the network changes a valid message or introduces a phoney message, then it would be unable to compute the corresponding MAC, and authorised receivers will reject any of their attempts to damage the network [12]. The standard defines 8 different security suites. See Table 1 above. The security suites can be more broadly classified by their properties. The first of these is the Null suite and provides no security. The next is encryption only (AES-CTR), followed by authentication only (AES-CBC-MAC), and finally encryption and authentication (AES-CCM) [12].

TABLE I.

SECURITY SUITES DEFINED BY IEEE802.15.4 [12]

Name Null AES-CTR AES-CBC-MAC-128 AES-CBC-MAC-64 AES-CBC-MAC-32 AES-CCM-128 AES-CCM-64 AES-CCM-32

Description No Security Encryption only, CTR Mode 128 bit MAC 64 bit MAC 32 bit MAC Encryption & 128 bit MAC Encryption & 64 bit MAC Encryption & 32 bit MAC

B. ZigBee Security ZigBee uses all of the basic security elements of the IEEE 802.15.4 standard. In addition, the ZigBee security specification employs a simpler and unified mode of operation of CCM (this modes in an amalgamation of both the encryption and authentication suites listed above), defines key types (Master, Link, Network) and describes key setup and maintenance (Commercial, Residential) [13]. Additionally, ZigBee provides freshness through the use of freshness checks. These checks prevent replay attacks, as ZigBee devices maintain incoming and outgoing freshness counters. Whenever a new key is created, the counters are reset. It is postulated that devices that communicate once per second will not overflow their freshness counters for 136 years [13]. Message integrity and encryption are also provided under the ZigBee security specification, the operations of which are documented in [8] and [13]. Under the ZigBee specification, authentication is defined to provide assurance about the originator of a message. This prevents an attacker from mimicking the operation of another device in any attempt to compromise the network. Authentication is possible at both the network level and the device level. At the network level, authentication is achieved using a common network key, thus preventing outside attacks whilst adding very little in memory cost. Device level authentication is achieved by using unique link keys between pairs of devices. Insider and outsider attacks are now preventable, but there is a higher memory cost involved. III.

SECURITY ARCHITECTURES

In this section, security architectures that are currently available will be reviewed, contrasted and compared, focussing on their authentication capabilities. The architectures considered are compatible with the IEEE 802.15.4 standard, and illustrate recent progression in the area. Although authentication is provided for under the IEEE 802.15.4 standard, there are, as stated, no defined processes for authentication or key exchange and, therefore, cannot be considered to have an active protocol. The mechanisms for achieving authentication that are to be further considered are valid for implementation with applications based on this standard for low-rate WPAN networks. They will be compared under similar headings.

Proceedings of the Third International Conference on Wireless and Mobile Communications (ICWMC'07) 0-7695-2796-5/07 $20.00 © 2007

Privacy of data can be vital to the success of many of the applications that such networks are currently being used for. Data encryption and node authentication are the main defences against attack. There are numerous types of encryption and authentication protocols available for implementation within wireless sensor networks as a result of the continuous improvement to those available and in use through the development of the Internet. They, do not, however, relate directly to sensor networks, as there is a whole new ranges of issues that need to be addressed. Sensor networks are, more often than not, one-off deployments of battery-powered nodes. As a result, increased network lifetime is a goal of all research groups. This implies that extensive on-chip processing to execute complex encryption/decryption techniques is not a viable option. As a result, the area of security in wireless sensor networks is a developing area: one in which the most intelligent solutions are sought, as opposed to the most robust, which require large amounts of processing power. Authentication is a mechanism whereby the identity of a node in a network can be identified as a valid member of the network and as such data authenticity can be achieved. This is where the data is appended with a message authentication code (MAC) and can only be viewed by valid nodes capable of decrypting the MAC, through some determinable means. There are a number of methods of achieving node authentication. These range from device-to-device protocols, where each node authenticates its neighbour’s identity, to broadcast protocols, which enables a sender to broadcast critical data and/or commands to sensor nodes in an authenticated way such that an attacker cannot forge any message from the sender [14]. Traditional broadcast authentication techniques, however, such as public key based digital signatures, are not desirable due to energy constraints on nodes. A. ZigBee Security Architecture The concept of a “Trust Center” is introduced in the specification. Generally the ZigBee coordinator performs this duty. This device allows other devices to join the network and also distributes the keys. There are three roles played: 1:trust manager, whereby authentication of devices requesting to join the network is done, 2:network manager, maintaining and distributing network keys, and 3:configuration manager, enabling end-to-end security between devices [13]. It operates in both Residential Mode and Commercial Mode. The Trust Center running Residential Mode is used for low security residential applications. Commercial Mode is designed for high-security commercial applications. In Residential Mode, the Trust Center will allow devices to join the network, but does not establish keys with the network devices. It therefore cannot periodically update keys and allows for the memory cost to be minimal, as it cannot scale with size of the network. In commercial mode, it establishes and maintains keys and freshness counters with every device in the network, allowing centralized control and update of keys. This results in a memory cost that could scale with the size of the network [13].

Yes

Symmetric Trust Center

B. SPINS Perrig et al. (2002) proposed Security Protocols for Sensor Networks, SPINS, a suite of security protocols optimised for sensor networks [15]. It consists of two secure building blocks SNEP and µTESLA, which run on top of TinyOS, a small, event driven operating system for sensor nodes [15, 16]. Secure Network Encryption Protocol, SNEP, is used to provide confidentiality through encryption and authentication, in addition to integrity, using a message authentication code (MAC). There are a number of unique advantages with SNEP. It has a very low communication overhead, adding only 8 bytes per message. SNEP achieves semantic security (a property which prevents an adversary from learning even partial information about a transmitted message), which is an important security property, as it prevents eavesdroppers from inferring the message content from the encrypted message; achieved as the counter value is incremented after each message, implying that the message is encrypted differently each time. The counter value is sufficiently long enough never to repeat within the lifetime of the node. Finally, it also provides data authentication, replay protection and weak message freshness [15]. To achieve data authentication, the same block cipher is used as in CBC-MAC mode. µTESLA is the “micro” version of TESLA (Timed Efficient Stream Loss-tolerant Authentication) proposed by Perrig et al in 2002 [17]. It emulates asymmetry through a delayed disclosure of symmetric keys and serves as the broadcast authentication service of SNEP. µTESLA relies solely on this delayed disclosure, unlike its predecessor, which authenticates the initial packet using the digital signature. It has been argued that while symmetric key techniques are attractive, due to their energy efficiency, limitations have been exhibited in the flexibility of these symmetric key exchange protocols

Proceedings of the Third International Conference on Wireless and Mobile Communications (ICWMC'07) 0-7695-2796-5/07 $20.00 © 2007

Ki = F(Ki+1). Applying the SNEP building block, each node can easily perform time synchronization and retrieve an authenticated key from the chain for the “commitment in a secure and authenticated manner” [15]. Schemes, like µTESLA, based on delayed key disclosure, can suffer from denial of service attacks (DOS). In the subsequent interval when the message is in the buffer and the receiver waits on the disclosure time, an attacker can flood the network with arbitrary messages, claiming that they belong to the current time interval. Only in the next time interval can the nodes determine that these messages are not authentic. This type of attack can lead to buffers overflowing in the nodes and battery exhaustion as all messages are forwarded to the nodes. The use of public key cryptography would eliminate the need for such complicated protocols, increasing the security of the system, and only requiring the public key of the base station to be embedded into all of the nodes [16]. TABLE III.

Protocol SPINS

SPINS SECURITY CHARACTERISTICS Key Agreement

4, 8 or 16 Bytes

MAC Used

Key Agreement

Yes

Overhead

MAC Used

Yes

Freshness (CTR)

Overhead

ZigBee (Commercial Mode)

Freshness (CTR)

Protocol

ZIGBEE SECURITY CHARACTERISTICS Encryption

TABLE II.

[16]. µTESLA requires that the base station and the nodes be loosely time synchronized, and that each node knows an upper bound on the maximum synchronization error. For an authenticated packet to be sent, the base station computes a MAC on the packet with the key that is secret at that point in time. When a node gets a packet, it can confirm that the base station did not yet disclose the corresponding MAC key, using its loosely synchronized clock, maximum synchronization error and the time at which the keys are to be disclosed. The node stores the packet in a buffer, aware that the MAC key is only known to the base station, and that no adversary could have altered the packet during transmission. When the keys are to be disclosed, the base station broadcasts the key to all receivers. The receiver can then verify the correctness of the key and use it to authenticate the packet stored in the buffer [15]. Each MAC key is a member of a key chain, which has been generated by a one-way function F. In order to generate this chain, the sender chooses the last key Kn of the chain randomly, and applies F repeatedly to compute all other keys:

Encryption

There are three types of keys employed, the Master Key, the Link Key and the Network Key. Master keys are installed first, either in the factory or out of band. They are sent from the Trust Center and are the basis for long-term security between two devices. The Link key is a basis of security between two devices and the Network keys are the basis of security across the entire network. Link and Network keys, which are either installed in the factory or out of band, employ symmetrical key-key exchange (SKKE) handshake between devices. The key is transported from the Trust Center for both types of keys. This operation occurs in commercial mode, as residential mode does not allow for authentication.

Yes

Yes

8 Bytes

Yes

Symmetric Delayed

Karlof et al. (2004) state that SNEP was, unfortunately, neither fully specified nor fully implemented, motivating the arrival of TinySec [18], which is integrated into TinyOS [19]. C. TINYSEC Karlof et al. designed the replacement for the unfinished SNEP, known as TinySec (2004) [18]. Inherently it provides similar services, including authentication, message integrity, confidentiality and replay protection. A major difference between TinySec and SNEP is that there are no counters used

Key Agreement

No

4 Bytes

Yes

Any

D. LEAP Localised Encryption and Authentication Protocol (LEAP) was proposed by Zhu et al (2003) as a key management protocol for sensor networks designed to support in- network processing, while restricting the impact of a compromised node to the network [20]. Four types of keys are supported for each sensor node – an individual key shared with the base station, a pairwise key shared with another node, a cluster key shared with multiple neighbouring nodes and a group key shared by all network nodes. At the time, pre-deployed keying was the most practical approach for bootstrapping secret keys in sensor nodes. This implies that the nodes were loaded into all of the sensors before they were deployed in the sensor field. This may seem primitive at this point in time, but is included to achieve thoroughness. Pairwise keys could be generated between two Proceedings of the Third International Conference on Wireless and Mobile Communications (ICWMC'07) 0-7695-2796-5/07 $20.00 © 2007

Encryption

Freshness (CTR)

Overhead

MAC Used

Key Agreement

LEAP

Yes

No

Variable

Yes

Pre-deployed Variable

E. Security Manager Heo and Hong (2006) proposed a new method of key agreement, whereby, when a new device joins a network the Security Manager (SM) gives static domain parameters such as at the base station, the order of the curve and the elliptic curve coefficients [10]. After calculating a public key using the base point and a private key, the device sends a public key to the SM. Therefore the SM would have the public key list for all the devices in the network. They define two security levels (medium and high), based on the devices’ power and security policies. These two levels are defined by either normal or polynomial basis calculations. Elliptic Curve Cryptography (ECC) algorithms offer reasonable computational loads and smaller key lengths for equivalent security than other techniques. These smaller key lengths reduce the size of message buffers and reduce implementation cost of protocols. The EC-MQV (Menezes-QuVanstone) scheme is more advanced than the Diffie-Hellman scheme, and the main idea is to prevent the man-in-the-middle attack and perform authentication of key holders. Under this scheme, each side of the communication holds two keys [10]. Responsibilities of the SM are carried out by the coordinator in a LR-WPAN (devices defined under the IEEE 802.15.4 standard). Devices in the network use initial trust parameters (pre-deployed recognition function) to establish the public key and ephemeral public key, which are in turn used for secure communication of the data payloads [10]. The overhead here will depend on the number of bits chosen for the elliptic curve system. An elliptical curve algorithm provides the same security for 160 bit key lengths as a symmetric algorithm can for 128 Byte lengths [10]. This level of security can then be increased as security needs to be increased and, therefore, allowing a variable overhead. TABLE VI.

SM SECURITY CHARACTERISTICS

Protocol

Key Agreement

MAC Used

Y/N

Protocol

MAC Used

Overhead

TINYSEC

LEAP SECURITY CHARACTERISTICS

Overhead

Protocol

Freshness (CTR)

TINYSEC SECURITY CHARACTERISTICS Encryption

TABLE IV.

TABLE V.

Freshness (CTR)

Generally, the security of CBC-MAC is directly related to the length of the MAC. TinySec specifies a MAC of 4 Bytes, much less than the conventional 8 or 16 Bytes of previous security protocols. In the context of sensor networks, Karlof et al. (2004) argue that this is not detrimental [18]. Should an adversary repeatedly attempt blind forgeries, it will succeed after 231 attempts. Adversaries can only assess the validity of an attempted forgery by forwarding it to an authorised recipient. This implies that approximately 231 packets must be sent to forge just one malicious packet. In sensor networks, this is an adequate level of security, and for an attempt like the one described above, it would take approximately 20 months (on a 19.2kb/s channel) to be successful. Implicitly, there is an effective denial of service attack launched in this way, as the radio channel would be locked for an extended period as attempts are made. It is argued that a simple heuristic, whereby the nodes signal the base station when the rate of MAC failures exceeds a predetermined threshold [18] would alleviate the problem should such an attack occur.

nodes based on this pre-deployed keying information. The overhead is variable depending on the types of keys specified for use in the implementation. All four types may not be used for a particular application.

Encryption

in TinySec. For encryption, it uses CBC mode with cipher text stealing [18], and for authentication, CBC-MAC is used. TinySec XORs the encryption of the message length with the first plaintext block in order to make the CBC-MAC secure for variably sized messages. There are two packet formats defined by TinySec. These are TinySec-Auth, for authenticated messages, and TinySec-AE, for authenticated and encrypted messages. For the TinySec-AE packet, a payload of up to 29 Bytes is specified, with a packet header of 8 Bytes in length. Encryption of the payload is all that is necessary, but the MAC is computed over the payload and the header. The TinySecAuth packet can carry up to 29 Bytes of payload. The MAC is computed over the payload and the packet header, which is 4 Bytes long.

SM

Yes

No

Variable

Yes

EC-MQV Initial trust

IV. CONCLUSION The discussion of the aforementioned security protocols and authentication mechanisms allow for the construction of a comparison table (Table VII below), where they can be compared under similar headings. It can be seen, from this flavour of authentication mechanisms, that the trend has moved from pre-deployed keying mechanisms, to symmetric keying agreements (SKA) to Elliptical Curve Cryptography (ECC) based algorithms to perform authentication in wireless sensor networking. What is evident, however, is that there is continuing uncertainty as to what is the most effective way of providing security and authentication in particular.

Overhead

MAC Used

SPINS

Yes

Yes

8 Bytes

Yes

LEAP

Yes

No

Variable

Yes

TINYSEC

Yes

No

4 Bytes

Yes

Symmetric Delayed Pre-Deployed Variable Any

Yes

Yes

4, 8 or 16 Bytes

Yes

Trust Center

2005

Yes

No

Variable

Yes

EC-MQV Initial Trust

2006

Key Agreement

Freshness (CTR)

Release Year

SECURITY ARCHITECTURE COMPARISON TABLE

Encryption

TABLE VII.

Protocol

ZigBee (Commercial Mode) SM

2002 2003 2004

Included in the table is a column detailing the year of publication of each of these authentication mechanisms. This illustrates the ongoing development in the last few years and suggests that this trend will continue. V. FUTURE WORK Each of the authentication mechanisms are to be examined in a simulated environment and evaluated under the headings speed of operation, power consumption, efficiency and security level offered. Figures for these should be available for addition to the comparison table at the time of presentation of this paper. This is to further evaluate the effectiveness of these protocols and define their more desirable characteristics. The future goal of this research is to develop a new authentication protocol, by combining the most desirable traits of what currently exists and implementing some new ideas, which is optimal for implementation in wireless sensor network applications. VI.

REFERENCES

[1] Akyildiz, I. F., Su, W., Sankarasubramaniam, Y., Cayirci, E. (2002) ‘A Survey on Sensor Networks’, IEEE Communications Magazine, 40(8), 102114.

Proceedings of the Third International Conference on Wireless and Mobile Communications (ICWMC'07) 0-7695-2796-5/07 $20.00 © 2007

[2] Bharathidasan, A., Anand, V., Ponduru, S. (2001), Sensor Networks: An Overview, Department of Computer Science, University of California, Davis 2001. Technical Report [3] Chee-Yee Chong, and Kumar, S. P. (2003), “Sensor Networks: Evolution, Opportunities, and Challenges”, Proceedings of the IEEE, Vol. 91, No. 8, August 2003: IEEE, 1247-1256. [4] Perrig, A., Stankovic, J., Wagner, D. (2004), “Security in Wireless Sensor Networks”, Communications of the ACM, 47(6), 53-57. [5] Defence Advanced Research Projects Agency (13 Oct 2006) Defence Advanced Research Projects Agency Home [online], available: http://www.darpa.mil/index.html [accessed 13 Dec 06] [6] Jovanov, E., Milenkovic, A., Otto, C., de Groen, PC. (2005) ‘A Wireless Body Area Network of Intelligent Motion Sensors for Computer Assisted Physical Rehabilitation’, Journal of Neuroengineering and Rehabilitation, 2(6). [7] IEEE 802.15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless Personal Area Networks (LR-WPANs) (2003), 3 Park Avenue, New York, USA: IEEE. [8] ZigBee Specification v1.0: ZigBee Specification (2005), San Ramon, CA, USA: ZigBee Alliance. [9] Bluetooth SIG (2006) How Bluetooth Technology Works [online], available: http://www.bluetooth.com/Bluetooth/Learn/Works/ [accessed 13 Dec 2006] [10] Heo, J., Hong, C.S. (2006) “Efficient and Authenticated Key Agreement Mechanism in Low-Rate WPAN Environment”, International Symposium on Wireless Pervasive Computing 2006, Phuket, Thailand 16 – 18 January 2006, IEEE 2006, 1-5. [11] Hill, J.L., (2003) System Architecture for Wireless Sensor Networks, PhD, University of California, Berkeley. [12] Sastry, N. and Wagner, D. (2004) ‘Security Considerations for IEEE 802.15.4 Networks’, Proceedings of the 2004 ACM Workshop on Wireless Security, Philadelphia, PA, USA, October 1, 2004, New York, USA: ACM Press, 32-42. [13] ZigBee Alliance (2006) ZigBee Security Specification Overview [online], available: http://www.zigbee.org/en/events/documents/december2005_open_house_pres entations/zigbee_security_layer_technical_overview.pdf [Accessed 13 Dec 2006] [14] Liu, D., Ning, P., Zhu, S., Jajodia, S. (2005) ‘Practical Broadcast Authentication in Sensor Networks’, The Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous’05), San Diego, California, USA, 17-21 July 2005: IEEE Computer Society Press, 118-132. [15] Perrig, A., Szewczyk, R., Tygar, J.D., Wen, V. and Culler, D (2002) ‘SPINS: Security Protocols for Sensor Networks’, Wireless Networks, 8(5), 521-534. [16] Kaps, J. -P. (2006) Cryptography for Ultra-Low Power Devices, unpublished thesis (PhD), Worcester Polytechnic Institute. [17] Perrig, A., Canetti, R., Tygar, J.D. and Song, D. (2002) ‘The TESLA Broadcast Authentication Protocol’, CryptoBytes, 5(2), 2-13. [18] Karlof, C., Sastry, N., Wagner, D. (2004) ‘TinySec: A Link Layer Security Architecture for Wireless Sensor Networks’, Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems, Baltimore, MD, USA, 03 – 05 November 2004, New York, NY, USA: ACM Press, 162 – 175. [19] Levis, P., Madden, S., Gay, D., Polastre, J., Szewczyk, R., Woo, A., Brewer, E., Culler, D. (2004) ‘The Emergence of Networking Abstractions and Techniques in TinyOS’, Proceedings of the First Symposium on Networked Systems Design and Implementation, 29th-31st March, 2004, San Francisco, CA, USA. [20] Zhu, S., Setia, S., Jajodia, S. (2003) ‘LEAP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks’, CCS ’03, Washington D.C., USA, 27 – 31 October 2003, New York, USA: ACM Press, 62-72.