Abstract: Message authentication is one of the most effective ways to thwart unauthorized and corrupted traffic from being forwarded in wireless sensor networks (WSNs). To provide this service, a polynomial-based scheme was recently introduced. However, this scheme and its extensions all have the weakness of a built-in threshold determined by the degree of the polynomial: when the number of messages transmitted is larger than this threshold, the adversary can fully recover the polynomial. In this paper, we propose a scalable authentication scheme based on elliptic curve cryptography (ECC). While enabling intermediate node authentication, our proposed scheme allows any node to transmit an unlimited number of messages without suffering the threshold problem. In addition, our scheme can also provide message source privacy. Both theoretical analysis and simulation results demonstrate that our proposed scheme is more efficient than the polynomial-based approach in terms of communication and computational overhead under comparable security levels while providing message source privacy.

Index Terms: Hop-by-hop authentication, symmetric-key cryptosystem, public-key cryptosystem, source privacy

I. INTRODUCTION

Message authentication plays a key role in thwarting unauthorized and corrupted packets from being circulated in networks to save precious sensor energy. For this reason, many schemes have been proposed in literature to provide message authenticity and integrity in network communications [1], [2]. These schemes can largely be divided into public-key-based and symmetric-key-based approaches.

A secret polynomial-based message authentication scheme was introduced in [1]. To thwart the intruder from recovering the polynomial by computing the coefficients of the polynomial, the idea of adding random noise, called a perturbation factor, to the polynomial was proposed [2]. However, a recent study shows that the random noise can be completely removed from the polynomial using error-correcting code techniques [3].

In this paper, we propose an unconditionally secure and efficient source anonymous message authentication (SAMA) scheme, based on the optimal modified ElGamal signature (MES) scheme on elliptic curves. This MES scheme is secure against no-message attacks and adaptive chosen-message attacks in the random oracle model [4]. Our scheme enables the intermediate nodes to authenticate the message so that all corrupted packets can be dropped to conserve sensor power. While achieving compromise-resiliency, flexible-time authentication and source identity protection, our scheme does not have the threshold problem. Both theoretical analysis and simulation results demonstrate that our proposed scheme is more efficient than the polynomial-based algorithms under comparable security levels. To the best of our knowledge, this is the first scheme that provides hop-by-hop node authentication without the threshold limitation, while having performance better than the symmetric-key based schemes. The distributed nature of our algorithms makes these schemes suitable for decentralized networks.

The major contributions of this paper include: (i) we develop a source anonymous message authentication (SAMA) scheme on elliptic curves that can provide unconditional source anonymity; (ii) we offer an efficient hop-by-hop message authentication mechanism without the threshold limitation; (iii) we devise network implementation criteria on source node privacy protection in WSNs; (iv) we provide extensive simulation results under ns-2 and TelosB on multiple security levels.

II. TERMINOLOGY AND PRELIMINARY

In this section, we will briefly describe the terminology and the cryptographic tools that will be used in this paper.

A. Model and Assumptions

We assume that the wireless sensor network consists of a large number of sensor nodes. Each node can be a data source or a data sink, and is capable of communicating with its neighboring nodes directly. The whole network is fully connected through multi-hop communications. We assume that there is a security server (SS) that is responsible for generating, storing and distributing the security parameters among the network. This server will never be compromised. However, after deployment, the sensor nodes may be captured and compromised by attackers. Once compromised, all information stored in the sensor nodes can be accessed by the attackers. The compromised nodes can be reprogrammed and fully controlled by the attackers. However, the compromised nodes will not be able to create new public keys that can be accepted by the SS and other nodes.

Based on the above assumptions, this paper considers both passive attacks and active attacks. Our proposed authentication
$$s = r x h(m, r) + k \bmod (p - 1), \qquad (1)$$

where $h$ is a one-way hash function. The signature of message $m$ is defined as the pair $(r, s)$.

Verification algorithm: The verifier checks the signature equation $g^s = r y^{r h(m,r)} \bmod p$. If the equality holds true, then the verifier Accepts the signature and Rejects it otherwise.

where $a, b \in F_p$, and $4a^3 + 27b^2 \not\equiv 0 \bmod p$. The set $E(F_p)$ consists of all points $(x, y) \in F_p$ on the curve, together with a special point $O$, called the point at infinity.

Let $G = (x_G, y_G)$ be a base point on $E(F_p)$ whose order is a very large value $N$. User A selects a random integer $d_A \in [1, N - 1]$ as his private key. Then, he can compute his public key $Q_A$ from $Q_A = d_A G$.
Signature generation algorithm: For Alice to sign a message $m$, she follows these steps:
1) Select a random integer $k_A$, $1 \le k_A \le N - 1$.
2) Calculate $r = x_A \bmod N$, where $(x_A, y_A) = k_A G$. If $r = 0$, go back to step 1.
3) Calculate $h_A \xleftarrow{l} h(m, r)$, where $h$ is a cryptographic hash function, such as SHA-1, and $\xleftarrow{l}$ denotes the $l$ leftmost bits of the hash.
4) Calculate $s = r d_A h_A + k_A \bmod N$. If $s = 0$, go back to step 2.
5) The signature is the pair $(r, s)$.

When computing $s$, the string $h_A$ that results from $h(m, r)$ shall be converted into an integer. Note that $h_A$ can be greater

C. Verification of SAMA

Verification algorithm: For Bob to verify an alleged SAMA $(m, S, r_1, y_1, \ldots, r_n, y_n, s)$, he must have a copy of the public keys $Q_1, \ldots, Q_n$. Then he:
1) Checks that $Q_i \ne O$, $i = 1, \ldots, n$, otherwise it is invalid
2) Checks that $Q_i$, $i = 1, \ldots, n$ lies on the curve
3) Checks that $nQ_i = O$, $i = 1, \ldots, n$

After that, Bob follows these steps:
1) Verify that $r_i$, $y_i$, $i = 1, \ldots, n$, and $s$ are integers in $[1, N - 1]$. If not, the signature is invalid.
2) Calculate $h_i \xleftarrow{l} h(m, r_i)$, where $h$ is the same function used in the signature generation.

n
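The signature generation steps 1 to 5 above, run end to end on a toy curve together with the matching check, as an added example that is not code from the paper. The curve ($y^2 = x^3 + 2x + 2$ over $F_{17}$, $G = (5, 1)$, $N = 19$), SHA-256 as $h$, $l = 4$ and all function names are assumptions; the acceptance test $x(sG - r h_A Q_A) \bmod N = r$ is derived here from step 4 and is the curve analogue of $g^s = r y^{r h(m,r)}$, and the code draws a fresh $k_A$ whenever $r$ or $s$ is 0.

```python
import hashlib, secrets
# Constructed toy parameters: y^2 = x^3 + 2x + 2 over F_17, base point G of
# prime order N = 19. Far too small for real use.
P, A, G, N, O = 17, 2, (5, 1), 19, None  # O: point at infinity

def add(p1, p2):
    """Group law on E(F_P)."""
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h_l(m, r, l=4):
    """l leftmost bits of SHA-256(m || r) as an integer (hash/encoding assumed)."""
    digest = hashlib.sha256(m + r.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - l)

def sign(m, d):
    while True:
        k = secrets.randbelow(N - 1) + 1   # step 1: 1 <= k <= N-1
        r = mul(k, G)[0] % N               # step 2
        if r == 0:
            continue
        s = (r * d * h_l(m, r) + k) % N    # steps 3-4
        if s != 0:
            return r, s                    # step 5

def verify(m, sig, Q):
    """sG = kG + r*h*Q, so accept iff x(sG - r*h*Q) mod N == r."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    R = add(mul(s, G), mul(-r * h_l(m, r) % N, Q))
    return R is not O and R[0] % N == r
```
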
A. Theoretical Analysis

The secret bivariate polynomial is defined as [1]:

$$f(x, y) = \sum_{i=0}^{d_x} \sum_{j=0}^{d_y} A_{i,j} x^i y^j,$$

where each coefficient $A_{i,j}$ is an element of a finite field $F_p$, and $d_x$ and $d_y$ are the degrees of this polynomial. $d_x$ and $d_y$ are also related to the message length and the computational complexity of this scheme. From the performance aspect, $d_x$ and $d_y$ should be as short as possible.

On the other hand, it is easy to see that the intruders can recover the polynomial $f(x, y)$ via Lagrange interpolation when either more than $d_y + 1$ messages transmitted from the base station are received and recorded by the intruders, or more than $d_x + 1$ sensor nodes have been compromised. In this case, the security of the system is totally broken and cannot be used anymore. This property requires both $d_x$ and $d_y$ to be very large for the scheme to be resilient to node compromising attack.

An alternative approach based on perturbation of the polynomial was also explored. The main idea is to add a small amount of random noise to the polynomial in the original scheme so that the adversaries will no longer be able to solve the coefficients using Lagrange interpolation. However, this technique is proven to be vulnerable to security attacks [3] since the random noise can be removed from the polynomial using error-correcting

40bit, 64bit, and 80bit, respectively. The comparable key sizes of our scheme are 48bit, 64bit, 80bit, 128bit, and 160bit, respectively.

We also need to determine $d_x$ and $d_y$ for the bivariate polynomial-based scheme, and the $n$ for our scheme. In our simulation, we select $d_x$ equal to $d_y$ and choose three values for them: 80, 100, and 150. We assume that WSNs do not contain more than $2^{16}$ nodes in our simulation, which is reasonably large. For size $n$ of the AS, we choose three values in the simulation: 10, 15, and 20.

2) Computational overhead: For a public-key based authentication scheme, computational overhead is one of the most important performance measurements. Thus we first conducted simulation to measure the process time. The simulations were carried out in 16-bit, 4 MHz TelosB mote.

Table I shows the process time of our scheme and the bivariate polynomial-based scheme for both authentication generation and verification. In the simulations, we assume that the key length of our scheme is $2l$.

3) Communication overhead and message transmission delay: The communication overhead is determined by the message length. For the bivariate polynomial-based scheme, each message is transmitted in the form of $\langle m, MAF_m(y) \rangle$, where $MAF_m(y)$ is defined as: $MAF_m(y) = f(h(m), y) = \sum_{j=0}^{d_y} M_j y^j$. $MAF_m(y)$ is represented by its $d_y + 1$ coeffi-
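The threshold argument of the Theoretical Analysis above, made concrete for a single degree-d polynomial over $F_p$ (d standing in for $d_x$ or $d_y$), as an added example that is not code from the paper: d + 1 recorded evaluations determine every coefficient, while d evaluations do not. The prime P, the sample points 1, 2, ... and all function names are assumptions.

```python
import secrets

P = 2**31 - 1  # constructed prime field size, an assumption for this example

def poly_mul_linear(poly, root):
    """Multiply poly (low-to-high coefficients) by (x - root) over F_P."""
    out = [0] * (len(poly) + 1)
    for i, c in enumerate(poly):
        out[i] = (out[i] - c * root) % P
        out[i + 1] = (out[i + 1] + c) % P
    return out

def interpolate(points):
    """Coefficients of the lowest-degree polynomial through the points (Lagrange)."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul_linear(basis, xj)
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        for t, c in enumerate(basis):
            coeffs[t] = (coeffs[t] + c * scale) % P
    return coeffs

def evaluate(coeffs, x):
    """Horner evaluation over F_P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def observe(secret, count):
    """Evaluations of the secret polynomial at `count` distinct points."""
    return [(x, evaluate(secret, x)) for x in range(1, count + 1)]

def threshold_demo(d):
    """Return (recovered from d+1 samples?, recovered from d samples?)."""
    secret = [secrets.randbelow(P - 1) + 1 for _ in range(d + 1)]  # degree exactly d
    full = interpolate(observe(secret, d + 1)) == secret
    partial = interpolate(observe(secret, d)) + [0] == secret
    return full, partial
```

For any d >= 1, `threshold_demo(d)` returns `(True, False)`: the polynomial is safe only while fewer than d + 1 evaluations have been exposed, which is the built-in limit the ECC-based scheme avoids.
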
[Figure: three panels plotting Delay / seconds, Energy / Joule and Delivery Ratio against Security Level, with curves for dx,dy = 80, 100, 150 and for n = 10, 15, 20, 30.]
TABLE I. PROCESS TIME (s) FOR THE TWO SCHEMES (16-bit, 4 MHz TelosB mote)

TABLE II. MEMORY (KB) AND TIME (s) CONSUMPTION FOR THE TWO SCHEMES (TelosB) (F stands for flash memory). Each cell lists ROM / RAM / F.

        | Polynomial based approach                        | Proposed approach
        | dx,dy = 80   | dx,dy = 100   | dx,dy = 150    | n = 1      | n = 10     | n = 15     | n = 20
l = 24  | 21 / 3 / 26  | 21 / 4 / 40   | 26 / 4 / 90    | 21 / 1 / 0 | 21 / 2 / 0 | 21 / 2 / 0 | 21 / 2 / 0
l = 32  | 21 / 4 / 39  | 21 / 5 / 60   | 26 / 6 / 135   | 21 / 2 / 0 | 21 / 2 / 0 | 21 / 2 / 0 | 21 / 2 / 0
l = 40  | 21 / 4 / 39  | 21 / 5 / 60   | 26 / 6 / 135   | 21 / 2 / 0 | 21 / 2 / 0 | 21 / 2 / 0 | 21 / 3 / 0
l = 64  | 21 / 6 / 64  | 21 / 7 / 100  | 26 / 9 / 225   | 21 / 2 / 0 | 22 / 3 / 0 | 22 / 3 / 0 | 22 / 3 / 0
l = 80  | 21 / 7 / 77  | 21 / 8 / 120  | 26 / 10 / 270  | 20 / 2 / 0 | 21 / 3 / 0 | 21 / 3 / 0 | 21 / 4 / 0
our proposed scheme is more efficient than the bivariate polynomial-based scheme in terms of computational overhead, energy consumption, delivery ratio, message delay, and memory consumption.

ACKNOWLEDGEMENTS

This research was partially supported by the NSF under grants CNS-0845812, CNS-1050326 and CND-1117831.

REFERENCES

[1] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, "Perfectly-secure key distribution for dynamic conferences," in Advances in Cryptology - Crypto'92, Lecture Notes in Computer Science Volume 740, pp. 471-486, 1992.
[2] W. Zhang, N. Subramanian, and G. Wang, "Lightweight and compromise-resilient message authentication in sensor networks," in IEEE INFOCOM, (Phoenix, AZ.), April 15-17 2008.
[3] M. Albrecht, C. Gentry, S. Halevi, and J. Katz, "Attacking cryptographic schemes based on perturbation polynomials." Cryptology ePrint Archive, Report 2009/098, 2009. http://eprint.iacr.org/.
[4] D. Pointcheval and J. Stern, "Security proofs for signature schemes," in Advances in Cryptology - EUROCRYPT, Lecture Notes in Computer Science Volume 1070, pp. 387-398, 1996.
[5] L. Harn and Y. Xu, "Design of generalized ElGamal type digital signature schemes based on discrete logarithm," Electronics Letters, vol. 30, no. 24, pp. 2025-2026, 1994.
[6] K. Nyberg and R. A. Rueppel, "Message recovery for signature schemes based on the discrete logarithm problem," in Advances in Cryptology - EUROCRYPT, Lecture Notes in Computer Science Volume 950, pp. 182-193, 1995.
[7] H. Wang, S. Sheng, C. Tan, and Q. Li, "Comparing symmetric-key and public-key based security schemes in sensor networks: A case study of user access control," in IEEE ICDCS, (Beijing, China), pp. 11-18, 2008.
[8] D. Chaum, "Untraceable electronic mail, return addresses, and digital pseudonyms," Communications of the ACM, vol. 24, pp. 84-88, February 1981.
[9] R. Rivest, A. Shamir, and Y. Tauman, "How to leak a secret," in Advances in Cryptology - ASIACRYPT, Lecture Notes in Computer Science, vol 2248/2001, Springer Berlin / Heidelberg, 2001.