
A secure communication protocol for ad-hoc wireless sensor networks

TLDR
A new application-layer SPKI/SDSI (simple public key infrastructure/simple distributed security infrastructure) protocol that provides secure communications, authentication and fast re-authentication is proposed.
Abstract
Security in wireless sensor networks is required for trust in the collected data; however, resource limitations have made the security need of secondary importance. The paper proposes a new application-layer SPKI/SDSI (simple public key infrastructure/simple distributed security infrastructure) protocol that provides secure communications, authentication and fast re-authentication. The protocol has been formally proven secure and results indicate the protocol to be suitable for wireless sensor networks.

A secure communication protocol for ad-hoc
wireless sensor networks
Pearce, Craig; Ma, Yin-Man; Bertok, Peter
https://researchrepository.rmit.edu.au/discovery/delivery/61RMIT_INST:ResearchRepository/12246486000001341?l#13248402930001341
Pearce, Ma, Y.-M., & Bertok, P. (2004). A secure communication protocol for ad-hoc wireless sensor
networks. Proceedings of the 2004 Intelligent Sensors, Sensor Networks and Information Processing
Conference, 79–84. https://doi.org/10.1109/ISSNIP.2004.1417441
Published Version: https://doi.org/10.1109/ISSNIP.2004.1417441
© 2004 IEEE
Repository homepage: https://researchrepository.rmit.edu.au

A Secure Communication Protocol for Ad-Hoc
Wireless Sensor Networks
Craig Pearce, Vincent Yin-Man Ma, Peter Bertok
School of Computer Science and Information Technology
RMIT University
Melbourne, Australia
{crpearce,yma,pbertok}@cs.rmit.edu.au
Abstract
Security in wireless sensor networks is required for trust in
collected data, however, resource limitations have made the
security need of secondary importance. This paper proposes a
new application-layer SPKI/SDSI protocol that provides secure
communications, authentication and fast re-authentication. The
protocol has been formally proven secure and results indicate
the protocol to be suitable for wireless sensor networks.
Keywords: Wireless Sensor Networks, Communication Protocols, Ad-hoc Network Security
1. INTRODUCTION
Wireless sensor networks (WSNs) are typically embedded devices
used for sensing and monitoring within environmental,
health-care, military and physical science areas amongst others.
Sensors are self-maintained and typically report collected data
but do not accept network input. As sensors are placed in
publicly accessible locations they need to be resistant to
physical and network attacks. However, due to their size, sensors
are limited by processing power, network connectivity, storage
capacity and battery life. To preserve processing and
communication speeds, security has been of secondary importance. This
is a major concern as security is imperative for the trust of data
collected and transmitted by network sensors.
We focus on providing a secure application-layer protocol
for the communication between sensors on a WSN and a
support network. Prior work shows that a dedicated proxy
for each cluster of sensor devices allows for unification of
communication between disparate devices [1]. Figure 1 shows
the architecture we envisage, with a scenario of two wireless
sensor network clusters that report to a process control service,
for example a chemical plant. It is crucial that data collection is
trusted and reliable in such environments. One cluster contains
sensors with in-built tamper-resistant proxies, while the other
cluster contains less-powerful sensors with a dedicated proxy
representing them. Network authorisation is achieved through
an access control list (ACL) to ensure sensors, proxies and
members of the support network are authorised to perform
certain actions (proof of rights). The ACL allows controlled
access to devices providing a shared resource, for example, the
process control service. This allows another proxy (on behalf
of their device) to make a request to the resource. Access
is granted or denied depending on whether the requesting
proxy possesses the required credentials to prove authorisation.
Simple Public Key Infrastructure / Simple Distributed Systems
Infrastructure (SPKI/SDSI) certificates can provide fine-grained
access control for authorisation of access requests to services,
and its simplicity makes it a platform of choice in sensor
networks.
Fig. 1: Wireless sensor network (WSN) with external and in-built proxies
0-7803-8894-1/04/$20.00 2004 IEEE, ISSNIP 2004
Simplicity, however, leads to several security limitations,
including lack of confidentiality, mutual authorisation and mutual
authentication. The SPKI/SDSI team suggested that mutual
authorisation could be provided by replicating client-side
authorisation, but in reverse. Prior work suggested tunnelling
SPKI/SDSI over a transport layer security protocol, such as
Secure Sockets Layer (SSL), for authentication, confidentiality
and protection against replay and middle-person attacks [1].
This has since been proven to be impractical for mobile devices
or wireless sensors due to significant processing overheads, and
SPKI-SECURE has been proposed to provide confidentiality
and authentication to SPKI/SDSI [2].
Significant work is required to minimise performance overheads
of SPKI-SECURE to be acceptable on WSNs. In this paper,
we resolve latency concerns of a secured SPKI/SDSI protocol
by creating a fast re-authentication protocol for subsequent
resource requests, named SPKI-SECURE-FAST. A fully-scaled
implementation and experiments show that SPKI-SECURE-FAST
is suitable for wireless sensor networks, where latency
due to resource constraints was a limiting factor in the past.
Subsequently, we expect the adoption of SPKI-SECURE-FAST
on wireless sensor networks to bring much needed trust of
sensor data collection with optimised performance.
2. BACKGROUND
While we research application-layer network security,
acknowledgement is made to recent security work at lower layers.
Routing [3], key establishment [4], [5], network-level
confidentiality and data authentication [6] and certificate chain discovery
[7] have shown promising results, however application-layer
authentication and authorisation are still open issues. If desired,
SPKI-SECURE-FAST can build on these lower-level protocols
in a layered fashion.
SPKI/SDSI is a simplified public key infrastructure (PKI)
designed for fine-grained access control in ad-hoc networks [1].
Instead of using a pre-defined global namespace, certificates are
issued by users and given an identifying name that is local in
context. Certificates can be linked between local name spaces,
giving powerful, distributed certificate chains with global scope.
Sensors are more interested in what they can currently monitor,
as opposed to inter-communication, nonetheless, global identity
is still a useful feature.
Fig. 2: Schematics of the Secured SPKI/SDSI Protocol [2]
(message sequence between Client Proxy and Server Proxy)
0. Both parties generate public/private key pair (once-off cost)
1. Symmetric-Key Exchange
2. Resource request (unauthorised)
3. Server verification fails. ACL and tag are provided. Server
signs tag with private key, then sends tag and certificate
chain to client (provides server authorisation)
4. Client generates certificate chain with provided ACL and
tag. Client signs tag with private key, then sends tag and
certificate chain to server (provides client authorisation)
5. After verifying certificate chain, server responds with
success or failure
Annotation shown on four of the messages: Message contains
authentication, encryption, message integrity
Figure 2 shows the secured SPKI/SDSI message exchange
for two proxies communicating on behalf of their mobile
devices, which builds on the original insecure protocol illustrated
elsewhere [1]. Each message communicated for a resource
request is encrypted and signed to provide confidentiality and
authentication. Mutual authorisation is met by (1) the
sensor-proxy (SP) sending their chains of name and authorisation
certificates proving they are allowed to perform the request
and (2) the server sending their certificate chain proving they are
allowed to authorise requests.
Due to the amount of public key cryptographic operations
involved for each resource request, latency is a concern for
wireless sensors. By optimising the protocol, we can make
significant savings in processing and communication costs for
subsequent resource requests between sensors and the support
network.
3. PROPOSED PROTOCOL
To resolve latency concerns of security between the Transport
and Applications Layers for SPKI/SDSI in ad-hoc wireless
sensor networks (WSNs), we have modified SPKI-SECURE to
support fast re-authentication of subsequent resource requests.
The protocol extension works by using SPKI-SECURE's
key-exchange protocol as a source to generate a list of one-time
secret keys for encryption of subsequent resource requests.
Fig. 3: Symmetric Key-Exchange Protocol
Figure 3 shows a diagram for the symmetric key exchange
protocol.
For a sensor-proxy (SP) to request access to a resource governed
by a server-proxy for the first time, the following steps will take
place:
1) SP performs Service Discovery (not discussed in this
paper) to locate the nearest server governing the resource
requested by the SP;
2) If not already done, both SP and server generate their
public/private key-pairs for public key cryptographic support
(Figure 3 step 0);
3) Both parties perform a symmetric key exchange by sharing
public keys (Figure 3 step 1). We use the Diffie-Hellman
key agreement protocol as this allows for a
shared secret to be established without having to
communicate secrets over an insecure channel;
4) SP and server use the symmetric key as a master key and
generate a list of one-time keys (OTK List) by repeatedly
hashing the master key (described shortly). The session
ID and SP ID are assigned by the server. Hashing the SP's
public key will provide a unique SP identification value
(assuming both that the SP public key is unique and that a
secure message digest function is used);
5) SP now provides a resource request to the server using the
next available OTK from the OTK List as a secret key
for message integrity and confidentiality (Figure 3 step
2). When SP and server certificate chains are validated,
each issues the other with a re-authorisation certificate.
This allows subsequent resource requests to validate a
single re-authorisation certificate instead of a chain of
certificates, which in turn reduces processing overhead.
This suggestion was made by the SPKI/SDSI team for a
server validating a SP. We have extended the notion to
operate for validating both server to SP and SP to server;
6) Subsequent resource requests (Figure 3 step 3) involve a
request encrypted with the next OTK in the OTK List.
Performance is significantly improved as authentication,
exchange of public keys and secret key generation have
already taken place and there is no need for public key
cryptographic operations.
Fast re-authentication is implemented as a more secure
approach to SSL's session resumption. Fast re-authentication is
enabled by:
1) both SP and server generating an OTK List in the
symmetric key exchange
2) checking authenticity and authorisation in the initial
resource request
3) using re-authorisation certificates and not repeatedly
using public key operations for re-authenticating in
subsequent requests
4) authenticating based on knowledge of the next OTK in
the OTK List, which is much faster than repeated use of
public key cryptography
One-time keys are generated by both SP and server
independently and not transmitted over the communication channel.
However, if the SP did not have the resources for OTK List
generation then the protocol would support the server
generating the OTK List and transporting it to the SP. Similarly,
the SP could easily generate the OTK List and communicate
it to the server if the server was burdened with too many
concurrent requests. Both choices could be determined at
run-time, however, here we assume the SP is powerful enough.
Obviously the OTK List would need to be encrypted if it
was communicated (by using the shared key generated by the
symmetric-key exchange protocol).
Table 1 gives an example of OTK List generation with a formal
description showing hashed output to be the input for the
next generation and applied in an iterative fashion. The list is
reversed once enough keys have been generated. Using a secure
hash function provides the ’one-way’ property whereby it is
computationally easy to generate the hash output, but infeasible
to determine the hash input given the hash output [8]. As a
result, subsequent encrypted communication is not broken if
an attacker obtains a prior key.
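The OTK List construction of Table 1 and its use for fast re-authentication, as an added example that is not code from the paper. It assumes SHA-256 for the hash function f and uses an HMAC tag for message integrity only (the paper also encrypts with the OTK); the names `generate_otk_list` and `OtkSession` and the sample inputs are hypothetical.

```python
import hashlib
import hmac


def generate_otk_list(master_key: bytes, n: int) -> list:
    """Build a_1 = f(a_0), ..., a_n = f(a_{n-1}) and reverse the list.

    a_0 is the master key from the key exchange. After reversal the key
    used first is a_n, so every later key is a hash preimage of the
    keys already used and cannot be derived from them.
    """
    chain = []
    a = master_key
    for _ in range(n):
        a = hashlib.sha256(a).digest()  # assumption: f is SHA-256
        chain.append(a)
    chain.reverse()
    return chain


class OtkSession:
    """State table entry: the OTK List plus the index of the next OTK."""

    def __init__(self, master_key: bytes, n: int):
        self.otks = generate_otk_list(master_key, n)
        self.next_index = 0

    def _next_key(self) -> bytes:
        # A bounded list limits the number of fast re-authentications.
        if self.next_index >= len(self.otks):
            raise RuntimeError("OTK List exhausted: run a new key exchange")
        return self.otks[self.next_index]

    def seal(self, request: bytes) -> bytes:
        """SP side: tag the request with the next OTK, then retire it."""
        tag = hmac.new(self._next_key(), request, hashlib.sha256).digest()
        self.next_index += 1
        return tag

    def verify(self, request: bytes, tag: bytes) -> bool:
        """Server side: accept only a tag made with the next unused OTK."""
        expected = hmac.new(self._next_key(), request, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # wrong or out-of-date key: state is unchanged
        self.next_index += 1
        return True


def demo():
    # Constructed stand-in for the Diffie-Hellman shared secret.
    master = hashlib.sha256(b"constructed shared secret").digest()
    # Both sides derive the list independently; no OTK is transmitted.
    sp, server = OtkSession(master, 4), OtkSession(master, 4)
    request = b"read sensor 7"  # constructed sample request
    tag1 = sp.seal(request)
    first = server.verify(request, tag1)    # fresh request
    replay = server.verify(request, tag1)   # same bytes sent again
    tag2 = sp.seal(request)
    second = server.verify(request, tag2)   # next request, next OTK
    return first, replay, second


if __name__ == "__main__":
    print(demo())
```
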
TABLE 1: ONE-TIME KEY (OTK) LIST GENERATION AND USAGE
Generated $\longrightarrow$
$a_1 = f(a_0) \quad a_2 = f(a_1) \quad \ldots \quad a_n = f(a_{n-1})$
$\longleftarrow$ Used
We also extend usage of fast re-authorisation, a concept
already introduced to SPKI/SDSI [1]. It involves the server
proxy creating a new certificate for the SP once the SP has
successfully been authorised. The certificate states the SP is
authorised to perform the requested operation on the resource
and is signed by the server proxy. This is then used within
subsequent resource requests to save repeated chain generation
and validation. Due to resource constraints, fast re-authorisation
is crucial to reduce public key operations on mobile devices.
A. Applicability to wireless ad-hoc sensors
The proposed protocol is within the limitations of WSNs, as
shown below:
• Memory requirements: Both SP and server proxy will
require a state table that records session information, an
OTK List and an identifier noting which OTK will be
used for the currently negotiated or next resource request.
Devices will need enough storage capacity to contain
the Java Virtual Machine, which is the implementation
platform used for the SPKI/SDSI framework, including
SPKI-SECURE cryptographic functions.
• Processing Costs: The most expensive operations
required involve public key cryptographic operations of key
generation (a once-off cost), public key encryption and
decryption. Public key operations have been minimised
with:
  - one public and one private key operation needed for
  fast re-authorisation
  - one private and public key operation for authentication
  of initial resource requests
  - only secret key operations for subsequent resource
  requests
Fast and computationally less intensive algorithms can
be used with our protocol (for example, Extensible Tiny
Encryption Algorithm), but there is always a trade-off
between security and speed. Completely removing public
key cryptography is not favoured as it provides
certificate-based access control, painless symmetric key distribution
and strong user authentication.
• Network Connectivity: In a wireless network, devices are
connected to a mobile base station that provides network
coverage to a specific region (known as a cell). Roaming
devices disconnect and reconnect to the network as they
traverse cell perimeters. We chose TCP as the transport
protocol due to its reliability. Network disconnection
involves connection re-establishment through the TCP 3-way
handshake and a repeat of the message exchange for the
current protocol invocation (be it symmetric-key exchange,
initial resource request or subsequent resource request).
Recent work in the viability of TCP/IP connectivity for
wireless sensors has shown proxies to be a promising
approach [9]. Our protocol extension involves quicker
secure connection establishment and significantly faster
support for subsequent resource requests.
B. Informal Security Analysis
Taking an informal look at the message flow, we attempt to
note weaknesses:
• We assume host security to be intact. While not researched
here, host security is important for sensor networks as they
are often in unmanned, but publicly accessible
environments. Tamper-proofing is a popular method of enabling
host security;
• Care was taken to ensure it was as simple as possible.
Complex protocols make security analysis increasingly
difficult to perform, resulting in missed security flaws. Prior
analysis showed SSL to be rather complex and
burdensome, if not suitable for wireless sensors [2]. Reducing the
number of exchanged messages, non-deterministic choices
and public key operations helped make the protocol both
simpler in design and computationally faster than SSL, as
our results will show.
• Due to keys changing for each request, an attacker cannot
hope to gain enough ciphertext over time to perform
a ciphertext-only attack (gathering a large collection of
ciphertext encrypted with the same key will have periodic
patterns over time);
• If an attacker discovers the shared symmetric key from
the symmetric key exchange and then catches the first
resource request message, they can decrypt the message
and have the entire list of one time passwords. This allows
the attacker to view, and possibly modify, resource requests
and responses. This problem is difficult to circumvent. One
solution is to limit the number of fast re-authentications.
Such attacks involve breaking host security, an act that our
research assumes safe, or discovering an unknown
weakness within the Diffie-Hellman key agreement protocol;
• Replay attacks involve an eavesdropper catching a message
in transit and replaying it at a later time to attempt to
gain unauthorised access. Using OTKs prevents this as a
replayed message will be encrypted with an out-of-date

Citations
Proceedings ArticleDOI

A prototype for achieving digital forensic readiness on wireless sensor networks

TL;DR: Demonstrations of a working prototype are provided to show that a digital forensic readiness layer can be added to an existing wireless sensor network, if the prototype adheres to a list of requirements in order to achieve digital Forensic readiness in a wireless Sensor network environment.
Dissertation

Towards TCP/IP for wireless sensor networks

Adam Dunkels
TL;DR: This thesis investigates a novel approach for connecting sensor networks to existing networks: by using the TCP/IP protocol suite in the sensor network, the sensors can be directly connected to an outside network without the need for special proxy servers or protocol converters.
Book ChapterDOI

Protecting Consumer Data in Composite Web Services

TL;DR: This work proposes a service-oriented technically enforceable system that preserves privacy and security for customers transacting with untrusted online vendors and extends to support protection of customer privacy when multiple vendors interact in composite web services.

A New Secure Authentication Scheme Based Threshold ECDSA For Wireless Sensor Network.

TL;DR: This paper proposes a distributed authentication model for WSN, and advances the threshold ECDSA authentication scheme in this model, and constructs a new way to choose distributed CA severs of threshold authentication scheme.
Proceedings ArticleDOI

Security in Wireless Sensor Networks: Attacks and Evasion

TL;DR: This study has evaluated the threats on WSN and proposed a novel detection algorithm, ready to identify intrusions in real time scenarios progressively situations with a proposition of expansion of future work.
References
ReportDOI

Tor: the second-generation onion router

TL;DR: This second-generation Onion Routing system addresses limitations in the original design by adding perfect forward secrecy, congestion control, directory servers, integrity checking, configurable exit policies, and a practical design for location-hidden services via rendezvous points.
Proceedings ArticleDOI

A key-management scheme for distributed sensor networks

TL;DR: A key-management scheme designed to satisfy both operational and security requirements of DSNs is presented, which relies on probabilistic key sharing among the nodes of a random graph and uses simple protocols for shared-key discovery and path-key establishment, and for key revocation, re-keying, and incremental addition of nodes.
Proceedings ArticleDOI

Random key predistribution schemes for sensor networks

TL;DR: The random-pairwise keys scheme is presented, which perfectly preserves the secrecy of the rest of the network when any node is captured, and also enables node-to-node authentication and quorum-based revocation.
Journal ArticleDOI

Secure routing in wireless sensor networks: attacks and countermeasures

TL;DR: This work proposes security goals for routing in sensor networks, shows how attacks against ad-hoc and peer-to-peer networks can be adapted into powerful attacks against sensors, and introduces two classes of novel attacks against sensor networks sinkholes and HELLO floods.
Journal Article

Security for Sensor Networks

TL;DR: This chapter identifies the vulnerabilities associated with the operational paradigms currently employed by Wireless Sensor Networks and a framework for implementing security in WSNs, which identifies the security measures necessary to mitigate the identified vulnerabilities.
Frequently Asked Questions (22)
Q1. What contributions have the authors mentioned in the paper "A secure communication protocol for ad-hoc wireless sensor networks" ?

This paper proposes a new application-layer SPKI/SDSI protocol that provides secure communications, authentication and fast re-authentication. 

Additionally, OTKs have the security feature of using keys only once for each resource request and greatly reduced the possibility of cryptographic attacks by informed enemies. The authors anticipate results from their work to encourage further research into using the SPKI/SDSI access control framework within ad-hoc wireless sensor networks. 

Due to the amount of public key cryptographic operations involved for each resource request, latency is a concern for wireless sensors. 

Reducing the number of exchanged messages, non-deterministic choices and public key operations helped make the protocol both simpler in design and computationally faster than SSL, as their results will show. 

The most expensive operations required involve public key cryptographic operations of key generation (a once-off cost), public key encryption and decryption. 

Routing [3], key establishment [4], [5], network-level confidentiality and data authentication [6] and certificate chain discovery [7] have shown promising results, however application-layer authentication and authorisation are still open issues. 

The authors assume message digest functions (also known as one-way hash functions), symmetric key ciphers and public key ciphers are secure enough to avoid cryptanalysis in a reasonable amount of time.

Other ways to prevent replay attacks include using timestamps (requires synchronised clocks and a network time server) and exchange of randomly generated nonces. 

Devices will need enough storage capacity to contain the Java Virtual Machine, which is the implementation platform used for the SPKI/SDSI framework, including SPKI-SECURE cryptographic functions. 

Simple Public Key Infrastructure / Simple Distributed Systems Infrastructure (SPKI/SDSI) certificates can provide fine-grained access control for authorisation of access requests to services, and its simplicity makes it a platform of choice in sensor networks. 

Prior work suggested tunnelling SPKI/SDSI over a transport layer security protocol, such as Secure Sockets Layer (SSL), for authentication, confidentiality and protection against replay and middle-person attacks [1]. 

The authors expect the adoption of SPKI-SECURE-FAST on wireless sensor networks to bring much needed trust of sensor data collection with optimised performance.

Such attacks involve breaking host security, an act that their research assumes safe, or discovering an unknown weakness within the Diffie-Hellman key agreement protocol; • Replay attacks involve an eavesdropper catching a message in transit and replaying it at a later time to attempt to gain unauthorised access. 

The authors use the Diffie-Hellman key agreement protocol as this allows for a shared secret to be established without having to communicate secrets over an insecure channel; 4) SP and server use the symmetric key as a master key and generate a list of one-time keys (OTK List) by repeatedly hashing the master key (described shortly).

In resource constrained WSNs, these can be replaced by simpler components, such as TinyOS (including Java 2 Micro Edition), and the Extended Tiny Encryption Algorithm (XTEA) for encryption and hashing. 

The authors assumed proxies to be embedded into their wireless sensors, which eliminated the need of porting the implementation to ARM processors and having an existing wireless sensor network. 

Completely removing public key cryptography is not favoured as it provides certificate-based access control, painless symmetric key distribution and strong user authentication.

While not researched here, host security is important for sensor networks as they are often in unmanned, but publicly accessible environments. 

Using a secure hash function provides the ’one-way’ property whereby it is computationally easy to generate the hash output, but infeasible to determine the hash input given the hash output [8]. 

List would need to be encrypted if it was communicated (by using the shared key generated by the symmetric-key exchange protocol). 

The proposed protocol is within the limitations of WSNs, as shown below:• Memory requirements: Both SP and server proxy will require a state table that records session information, an OTK List and an identifier noting which OTK will be used for the currently negotiated or next resource request. 

OTKs have the security feature of using keys only once for each resource request and greatly reduced the possibility of cryptographic attacks by informed enemies.