DOI 10.1007/s11276-016-1208-0
Wireless Netw
environmental pollutant tracking etc. To fulfill the missions in these applications, sensor nodes monitor physical and environmental variations, e.g., temperature, pressure, and smoke etc., and deliver data over multi-hop wireless paths to the sink or base station (BS). Typically, sensor nodes are resource-constrained devices with limited energy, memory size, and capabilities of communication and computation. Because of the broadcast nature of wireless links, an adversary can easily eavesdrop and inject/modify packets etc. in WSNs. Besides, sensor nodes in WSNs are inevitable to be compromised due to lack of tamper resistance [4]. Therefore, guaranteeing security in WSNs is a non-trivial and urgent task [35]. To elaborate on the status of the security issues in WSNs, a separate section, i.e., Sect. 2, is arranged for this purpose.

For avoiding possible attackers in WSNs, data authentication becomes a feasible approach. In the past, Ren et al. [31] proposed a location-aware end-to-end data security framework, i.e., LEDS, to provide end-to-end data security for WSNs. In LEDS, each sensor node merely stores a few location-oriented secret keys. By doing so, the impact of compromised sensor nodes can be effectively confined to their vicinity. Besides, LEDS provides both node-to-sink and node-to-node authentication schemes along the report forwarding paths. Finally, data delivery of LEDS offers en-route bogus data filtering, making LEDS robust against the denial of service (DoS) attack. However, LEDS suffers from the following drawbacks. First, due to the fact that LEDS has no mechanism to block compromised sensor nodes to inject bogus reports, any compromised sensor node in the event cell can participate in generating bogus reports. Therefore, an adversary can inject a bogus report to fool the sink with a non-existing event by compromising enough sensor nodes in the event cell. Second, LEDS has no mechanism to compensate the lack of legitimate secret shares¹ [31], causing the problem of data availability. Third, no sensor node in LEDS is responsible for checking the legitimacy of the report at the very beginning of the report lifetime. Therefore, a bogus report travels before it is dropped and this results in additional communication overheads. Fourth, the recipients of the report in LEDS can attach a forged message authentication code (MAC) to the message to fool the followers, implying that fraud commitment is possible in LEDS. Finally, every sensor node must store a set of keys shared with the sensor nodes along the report-authentication forwarding path, causing high storage overheads at sensor nodes. In the literature, Yang et al. [38] proposed a polynomial-based compromise-resilient en-route filtering (PCREF) scheme for cyber-physical networked systems, e.g., WSNs. PCREF is designed by adopting message authentication polynomials (MAPs) rather than MACs and clusters to avoid utilizing node localization. Of course, PCREF performs better than LEDS as illustrated in [38]. Considering multiple sinks instead of a single sink in WSNs, Ferng et al. [9] designed a suitable key management protocol called multi-BS key management protocol (MKMP) accordingly. Likewise, MKMP can outperform LEDS as shown in [9].

Like [31] and [38] but unlike [9], we still consider a WSN with a single sink and shall design a data authentication protocol. In our design, the concept of clusters as employed by PCREF [38] is taken into account. Unlike PCREF, MAPs are not utilized in our protocol. Instead, digital signature is adopted by our protocol in en-route filtering. Therefore, we shall design an efficient security protocol to guarantee end-to-end data authentication in cluster-based WSNs with the aid of digital signature in this paper. Such a protocol is called digital signature assisted end-to-end data authentication (DSEDA). The contributions of this paper can be summarized as follows. First, the advantages of clusters for WSNs when designing a security protocol have been preserved as PCREF [38]. However, we avoid high storage and computation overheads observed in PCREF by adopting digital signature. Second, an efficient report generation method is proposed to block bogus reports injected by compromised sensor nodes. Third, a report collection mechanism is proposed to guarantee that every report will be verified at the very beginning of the report lifetime. With this mechanism, bogus reports can be filtered out as soon as possible. Fourth, data availability is enhanced by guaranteeing enough legitimate secret shares in report generation. Fifth, an efficient en-route filtering method is proposed with the aid of digital signature to avoid forgery or false information at intermediate nodes. It is crystal clear that DSEDA can get rid of the drawbacks of LEDS [31]. However, no benefits of multiple sinks as reported in [9] are gained because our protocol is still designed for a single-sink WSN. As for the strength of DSEDA, it will be analyzed later (Sects. 5 and 6) in this paper. Based on the results there, it can be shown that DSEDA performs better than LEDS as well as PCREF.

The rest of this paper is organized as follows. The related work is reviewed in Sect. 2. As for the system and threat models, they are given in Sect. 3. Section 4 presents the proposed protocol in detail and Sect. 5 gives the security analyses on the proposed protocol and the closely related protocols. In Sect. 6, the performance of the proposed protocol is evaluated with comparison to those protocols closest to ours. Finally, Sect. 7 concludes this paper.

¹ Let us briefly explain as follows. In LEDS, a (t, T) threshold linear secret sharing scheme (LSSS) is employed. Therefore, multiple sensor nodes may detect the event of interest simultaneously and are asked to generate shares based on the encrypted report. These shares generated from these non-compromised sensor nodes are then called legitimate secret shares. For details, one can refer to [31].
2 Related work

In the literature, many security protocols for WSNs have been proposed. Because of limited resources, most of past protocols were designed according to the symmetric cryptography, e.g., those in [37, 41, 43]. To allow the BS and en-route nodes to detect false data with a certain probability, the statistical en-route filtering (SEF) [41] was proposed. For minimizing serious damages by detecting and filtering false reports at the very early en-route nodes, the interleaved hop-by-hop authentication (IHA) [43] was then proposed. Later, the location-based resilient secrecy (LBRS) [37] was proposed to solve the problems previously reported for SEF and IHA. Using the message authentication code, i.e., MAC, μTesla [28] and its variants [5, 19, 20] were proposed for the BS broadcast authentication. In [17], a multi-level key chain method was proposed for the initial commitment distribution in μTesla. In [22], a sink-rooted tree of cluster heads was constructed for the cluster-based false data filtering scheme (CFFS). With a distributed key assignment according to the node overhead within the tree, CFFS is able to filter the false report generated by the source cluster earlier.

As mentioned earlier, sensor nodes are extremely resource-constrained. For such a reason, Raymond et al. [29] explored the denial-of-sleep attack targeted to exhaust the power supply of sensor nodes and examined its effects in detail. Considering the same reason, the asymmetric key cryptography was thought to be expensive and infeasible for WSNs in the past although it could provide better resilience against attackers. However, Liu et al. [21] recently showed that the elliptic curve cryptography (ECC) signature verification only takes 14.49 ms with 160-bit keys on a Crossbow Imote2 platform² when running at 416 MHz [25]. As the computing technology advances, it is expected that the asymmetric key cryptography will be widely adopted by WSNs in the near future. Therefore, some researchers have begun to investigate the feasibility to apply the asymmetric key cryptography to sensor-wise platforms. To possibly take care of the fact that sensor nodes are extremely resource-constrained, some other possible approaches could be investigated, too. For coming up with some feasible approaches, the following ideas proposed in the literature could be employed with proper modification. The possible ideas are stated as follows. To reduce the storage overhead of certificates, an ID-based cryptography was introduced by Shamir [34]. In [8], an online/offline signature (OOS) scheme, which divides the signing process into offline and online phases to reduce the computation cost of signature generation, was proposed. The offline phase is performed to cover most computation of signature generation and to form a partial signature before the message to be signed becomes available. To achieve lower computation cost, an efficient and practical ID-based OOS scheme was proposed by Li et al. for WSNs in [15]. In [39], a variant of the Fiat-Shamir transformation was introduced by Yao and Zhao to enable the so-called C-signatures for low-power devices. To optimize the signature size, a partial message recovery algorithm was proposed in [26]. Using this algorithm, the signature is appended to a truncated message and the lost bytes are recovered by the verification algorithm. In [2, 30, 32], digital signature based authentication schemes were proposed and discussed. However, broadcast is only allowed for a powerful sender. Therefore, the schemes in [2, 30, 32] are not feasible for WSNs. To suit WSNs, Yasmin et al. [40] proposed an appropriate scheme by adopting ID-based OOS to provide both broadcast authentication and user authentication. At the same time, Liu et al. [8] also proposed an efficient ID-based OOS scheme without any certificate attached to the signature for verification. In [23], Liu et al. proposed a novel public key cryptography based broadcast authentication scheme. It utilizes signature amortization and employs only one elliptic curve digital signature algorithm (ECDSA) to authenticate all broadcast messages in WSNs.

To achieve efficient key management, several symmetric-key-based techniques were proposed in the literature, e.g., those in [3, 6, 7, 18, 42]. Eschenauer and Gligor [7] proposed a probabilistic key pre-distribution technique to guarantee that any pair of sensor nodes can share at least one common key with a certain probability. Chan et al. [3] proposed the q-composite key pre-distribution to allow a pair of sensor nodes to set up a pairwise key when they share at least q common keys. Du et al. [6] developed a pairwise key management scheme which was also independently developed by Liu and Ning [18]. In [42], Zhu et al. proposed an efficient security mechanism named localized encryption and authentication protocol which is denoted by LEAP+. This protocol helps establish individual keys between sensor nodes and the BS, pairwise keys between sensor nodes, cluster keys within a local area, and a group key shared by all sensor nodes.

Actually, most of the previous designs provided data security for WSNs in a hop-by-hop manner. Unlike those designs, Ren et al. [31] proposed LEDS to provide end-to-end data security for WSNs. Via a differentiated key pre-distribution, an end-to-end secure communication protocol was designed by Gu et al. [10] for randomly deployed WSNs. In [1], Ayday et al. provided a location-aware network-coding security (LNCS) protocol to enhance data confidentiality, authenticity, and availability in multi-hop WSNs. Adopting MAPs rather than MACs, Yang et al. [38] proposed a polynomial-based compromise-resilient en-route filtering scheme, i.e., PCREF, for cyber-physical networked systems, e.g., WSNs. Considering multiple sinks instead of a single sink in WSNs, Ferng et al. [9] designed a suitable key management protocol accordingly.

In LEDS, the symmetric secret keys are bound to geographic locations. By this means, attackers cannot utilize the secret keys obtained from the compromised sensor nodes to launch attacks at the other places. LEDS also achieves high-level assurance on data availability under both report disruption and selective forwarding attacks. Finally, data delivery of LEDS guarantees the ability to detect and drop a bogus report early in an effective and deterministic manner. However, LEDS still cannot prevent from the following drawbacks. Note that any sensor node in the event cell can participate in report generation. Therefore, attackers only need to compromise enough sensor nodes in an event cell to generate a valid report for a non-existing event. Besides, LEDS is not able to detect and replace lost or illegitimate secret shares early, resulting in a data availability problem. Moreover, bogus reports cannot be filtered out at the very beginning of the report lifetime in LEDS, causing inevitable communication overheads. Last but not least, non-repudiation is not provided by LEDS because MACs are possibly forged. Any recipient can verify the report and generate a fake MAC to fool the following recipients.

Unlike [9], a single-sink WSN is to be considered to design a data authentication protocol in this paper with inclusion of clusters like PCREF [38]. Unlike PCREF (LEDS), digital signature rather than MAPs (MACs) is adopted by our protocol in en-route filtering. Keeping the advantages of clusters in PCREF and overcoming the drawbacks in LEDS, an enhanced authentication protocol is proposed in this paper with the contributions mentioned in the section of introduction, which are not stated here for saving space.

² Undoubtedly, an Imote2 was a widely employed wireless sensor node. To save power consumption, one can design low-power wireless sensor nodes for this purpose, e.g., Mica2 [25]. Therefore, an Imote2 serves as a cluster head and a Mica2 serves as a low-power sensor node in the section of performance analysis.

only the centers of a home cell and an event cell are concerned as explained later.
• Without loss of generality, the deployment area is divided into multiple hexagonal clusters as illustrated in Fig. 1. Each cluster contains many subareas called cells like those defined in [31] and has a cluster head (CH) located at the center of the hexagon. CHs are assumed to be more powerful in computation and storage than the other sensor nodes. Therefore, they have the capability to implement the public key system.
• Each event of interest can be detected by multiple sensor nodes in the corresponding cell called event cell with densely deployed sensor nodes. When an event occurs, some sensor nodes in the event cell having detected it can generate reports. These reports are collected by the CH in the cluster and then forwarded toward the sink via CHs over multi-hop paths.
• Each sensor node has a unique ID and the sink is capable of getting information of all sensor nodes.
• Finally, a report-authentication forwarding area is defined as a set of clusters participating in the report forwarding to the sink. The report-authentication forwarding area is determined by the line segment connecting the center of the source cluster and the sink. Specifically, it consists of all the clusters intersected by this line segment. As shown in Fig. 1, an event occurs in the blue (starting) cluster and the report-authentication forwarding area is indicated by the red (remaining) clusters.
Next, let us detail the threat model by posing the following assumptions.
• An adversary could compromise multiple sensor nodes. If a sensor node is compromised, the adversary is able to get all the information held by that sensor node.
• However, the sink will not be compromised because it is usually well-protected.
• The adversary can eavesdrop the channel, inject false packets, and replay older packets. Moreover, the adversary could exploit the compromised sensor nodes and use them to drop or alter messages passing through them.

Fig. 2 Illustration of a cluster (blue hexagon), an event cell (white circle), and the communication range of the CH (yellow circle) (Color figure online)

range of the CH denoted by $R_c$ which is the radius of the yellow circle. Typically, $R_c$ is greater than $2r_s$.
• For convenience, the numbers of sensor nodes in the cluster with originating events and the event cell are denoted by $N_c$ and n, respectively.
• According to $N_c$, n, $r_s$, and $R_c$, the network planner can further determine the number of secret shares T [31] to be included in a valid report and the minimum number of correct secret shares t [31] required to validate a report.

As far as the sensor node initialization is concerned, two different parts are stated in the following subsequent paragraphs:

³ As for how to establish a pairwise key pool, one can refer to the literature for details, e.g., [3, 7] etc.
• Finally, two secret keys $K_{CH}^{1}$ and $K_{CH}^{2}$ shared between the CH and the sink are preloaded to protect the communication between them. As for the generation of these two secret keys, they can be generated as follows:

$$K_{CH}^{1} = H_{CH}^{1}(CH \mid I_{CH}), \quad K_{CH}^{2} = H_{CH}^{2}(CH \mid I_{CH}), \qquad (2)$$

where $H_{CH}^{1}(\cdot)$ and $H_{CH}^{2}(\cdot)$ are two preselected pseudo-random functions, the CH in the argument stands for the ID of the CH, and $I_{CH}$ denotes the center of the cluster which the CH belongs to.

Algorithm 1: Report Generation
1. Once the sensor nodes in the event cell detect an event, each of them computes $v_r = h(t_e \| l_e)$.
2. The T sensor nodes with the IDs closer to $v_r$ than the others then participate in report generation.
3. Each of them, say, node u, computes a unique secret share $S_u$ for the report S using the predefined (t, T) LSSS.
4. Encrypt $S_u$ to obtain $E_u = E_{K_{u,CH}}(S_u)$.
5. Compute $MAC_{K_{u,CH}}(E_u, u)$ and send $\{E_u, u, MAC_{K_{u,CH}}(E_u, u)\}$ to the CH.
6. The non-participating sensor nodes start timers and overhear the channel.
7. Generate alternative secret shares to be sent to the CH to maintain enough secret shares for generating a legitimate report by some non-participating sensor nodes, if necessary.

4.2 Report generation

The procedure of report generation is shown in Algorithm 1. When an event occurs, multiple sensor nodes in the event cell can detect it (based on the assumption in Sect. 3). In LEDS, any T (< n) of these sensor nodes can participate in report generation. Therefore, an attacker only needs to compromise at least t sensor nodes from the T sensor nodes in the event cell to successfully generate a fake report to fool the sink with a non-existing event. Instead of allowing any T sensor nodes in the event cell to participate in report generation, our proposed protocol, i.e., DSEDA, needs to choose T sensor nodes in the event cell properly for generating the report. In particular, the sensor nodes in the event cell will use a hash function to map the event to a reference value $v_r$ within the same range of sensor node IDs which are pre-configurable and in integers.⁴ Because a WSN is considered, sensor nodes are static and can be pre-configured. Therefore, the IDs in each cell can be configurable. The information of the event may include the event location $l_e$ which is the center of the event cell along with the post-processed event time $t_e$ which is a rounded integer⁵ derived from the time in seconds when the event is sensed $t_s$, e.g., $t_e = \lceil t_s \rceil$ or other suitable forms.

As aforementioned, the IDs in each cell can be configurable. This allows us to assume that each sensor node knows the range of sensor node IDs in the same event cell. Therefore, sensor nodes can determine the T IDs closer to $v_r$ than the others. The T sensor nodes with such IDs are then picked to generate the report. In this paper, the closest ID to the reference value is defined as the most immediate successor of the reference value. As for the most immediate successor with ID $ID_{is}$ regarding a reference value $v_r$, it is determined as follows: $ID_{is}$ is the smallest ID among the subset of IDs $\{ID \mid ID > v_r\}$ if $v_r < ID_{max}$ or $\{ID \mid ID \ge ID_{min}\}$ if $v_r \ge ID_{max}$. Note that $ID_{max}$ and $ID_{min}$ denote the maximum ID and the minimum ID, respectively. Following this definition, the T IDs closer to the reference value $v_r$ than the others can be defined accordingly. They are the ID of the most immediate successor to $v_r$ and $T - 1$ IDs of the next most immediate successors to the current most immediate successors. Each sensor node in the event cell checks whether it belongs to the set of sensor nodes with closer IDs to $v_r$ or not. If yes, it computes a unique secret share $S_u$ (here u denotes the node ID) of the report S using the predefined (t, T) threshold LSSS [33]. Specifically, $S_u$ can be obtained through the following bivariate polynomial of degree t over the finite field GF(p) by using two secret keys shared with the sink, i.e., $K_u^{1}$ and $K_u^{2}$.

$$S_u = \sum_{0 \le i \le t-2} a_i \left(K_u^{1}\right)^{i+1} + a_{t-1} \left(K_u^{2}\right)^{t} \bmod p, \qquad (3)$$

where the set of $a_i$, $i = 0, 1, \ldots, t-1$, denotes a full partition of S. For each participating sensor node, say, node u, it encrypts $S_u$ using the secret key shared with the CH to obtain $E_u = E_{K_{u,CH}}(S_u)$. It then computes its MAC, i.e., $MAC_{K_{u,CH}}(E_u, u)$, and sends the encrypted secret share along with its ID and MAC, i.e., $\{E_u, u, MAC_{K_{u,CH}}(E_u, u)\}$, to the CH.

⁴ This is a feasible approach because it comes from the concept of a distributed hash table (DHT) in a peer-to-peer (P2P) network.

⁵ As stated in Sect. 4.1, the size of a cell (an event cell) is covered by a circle with the radius of sensing range $r_s$. Therefore, an event in the event cell falls within the sensing range of the sensor nodes in the event cell. This implies that the difference between two time instants to sense that event by two sensor nodes should be negligible even if it exists. To achieve the same event time calculated by the sensor nodes in the same event cell sensing the event for sure, such a rounded value is then used by sensor nodes to stand for the "true" event time. Undoubtedly, time synchronization is an important issue in the wireless sensor network but it does not fall within the scope of this paper. However, our solution does not rely on perfect time synchronization because a post-processed event time rather than an exact event time is utilized.
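Share generation by Eq. (3) and the recovery of S from any t shares, as an added Python example that is not code from the paper. The modulus p, the stand-in keys, the 15-byte chunking of S, the `EVT|` tag used to decide that a recovered report is meaningful, and recovery by solving the linear system over GF(p) are all assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
from itertools import combinations

P = 2**127 - 1      # prime modulus p of GF(p) (constructed choice)
CHUNK = 15          # bytes per a_i, so every a_i < 2**120 < p
TAG = b"EVT|"       # assumed marker that makes a recovered report "meaningful"

def node_keys(u: int) -> tuple[int, int]:
    """Constructed stand-ins for K_u^1 and K_u^2, the keys node u shares with the sink."""
    k = [int.from_bytes(hashlib.sha256(b"K%d|%d" % (j, u)).digest(), "big") % P
         for j in (1, 2)]
    return k[0], k[1]

def partition(report: bytes, t: int) -> list[int]:
    """Full partition of S into a_0..a_{t-1} (fixed-size chunks, zero padded)."""
    if len(report) > t * CHUNK:
        raise ValueError("report too long for t chunks")
    padded = report.ljust(t * CHUNK, b"\x00")
    return [int.from_bytes(padded[i * CHUNK:(i + 1) * CHUNK], "big") for i in range(t)]

def make_share(a: list[int], k1: int, k2: int) -> int:
    """Eq. (3): S_u = sum_{i=0}^{t-2} a_i (K_u^1)^(i+1) + a_{t-1} (K_u^2)^t mod p."""
    t = len(a)
    s = sum(a[i] * pow(k1, i + 1, P) for i in range(t - 1))
    return (s + a[t - 1] * pow(k2, t, P)) % P

def solve_mod_p(rows: list[list[int]]) -> list[int] | None:
    """Gauss-Jordan elimination over GF(p) on an augmented t x (t+1) matrix."""
    t = len(rows)
    m = [r[:] for r in rows]
    for col in range(t):
        piv = next((r for r in range(col, t) if m[r][col] % P), None)
        if piv is None:
            return None                       # singular: this subset cannot be solved
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, P)
        m[col] = [x * inv % P for x in m[col]]
        for r in range(t):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(x - f * y) % P for x, y in zip(m[r], m[col])]
    return [m[i][t] for i in range(t)]

def recover(shares: dict[int, int], t: int) -> bytes | None:
    """Sink side: try t-subsets of the shares until the recovered report is meaningful."""
    for subset in combinations(sorted(shares), t):
        rows = []
        for u in subset:
            k1, k2 = node_keys(u)
            rows.append([pow(k1, i + 1, P) for i in range(t - 1)]
                        + [pow(k2, t, P), shares[u] % P])
        a = solve_mod_p(rows)
        if a is None or any(x >= 256 ** CHUNK for x in a):
            continue                          # not a valid partition of any report
        report = b"".join(x.to_bytes(CHUNK, "big") for x in a).rstrip(b"\x00")
        if report.startswith(TAG):
            return report
    return None                               # no t shares agree on a meaningful report

def demo():
    """Constructed data: T = 5 nodes (IDs 21..25), threshold t = 3."""
    t, report = 3, b"EVT|cell=(12,7)|te=1700000001"
    a = partition(report, t)
    shares = {u: make_share(a, *node_keys(u)) for u in range(21, 26)}
    one_bad = {**shares, 21: shares[21] ^ 1}                      # one tampered share
    three_bad = {u: (s ^ 1 if u <= 23 else s) for u, s in shares.items()}
    return recover(shares, t), recover(one_bad, t), recover(three_bad, t)

if __name__ == "__main__":
    print(demo())
```

With one tampered share the sink still recovers the report from another t-subset; once fewer than t untouched shares remain, every subset yields garbage and the report is discarded.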
Explicitly, some of the sensor nodes chosen to generate the report may not contribute the secret share for generating a legitimate report if they are compromised or not operating, causing the problem of data availability. For LEDS, it has no mechanism to compensate the lack of participating sensor nodes in report generation due to the refusal of the compromised (non-operating) sensor nodes. This forces the report to be discarded. To avoid such a drawback, DSEDA tries to maintain enough sensor nodes to participate in report generation. Specifically, non-participating sensor nodes, i.e., those sensor nodes do not participate in report generation initially, are asked to start timers and overhear the channel.⁶ Within a time period, say, $T_r$ which denotes the report generation time for the CH to collect enough (i.e., T) secret shares, participating sensor nodes generate the secret shares and send them to the CH. Meanwhile, the non-participating sensor nodes count the number of secret shares overheard over the channel. After the report generation time elapses, some of the non-participating sensor nodes with IDs closer to the reference value $v_r$ than the other non-participating sensor nodes may respond as follows. They are allowed to generate alternative secret shares to be sent to the CH if the count is less than T. By doing so,⁷ enough sensor nodes are maintained to participate in report generation.

4.3 Report collection at the CH

Note that T participating sensor nodes agree on the event report S in LEDS and generate secret shares to form the report to be sent to the sink. The report will be endorsed by multiple sensor nodes along the report-authentication forwarding path. One can easily find the following two disadvantages of LEDS. First, no sensor node in LEDS is responsible for checking the legitimacy of the report at the very beginning of the report lifetime. Therefore, the bogus report from an affected cell can travel before it is dropped. Second, no mechanism to compensate the lack of legitimate secret shares, causing the problem of data availability. In the proposed protocol, each report is first endorsed by the CH. Therefore, the bogus report is possibly dropped by the CH. On the other hand, the CH can check the legitimacy of secret shares. If the CH detects any illegitimate secret share, it will further request some of the non-participating sensor nodes to send alternative secret shares.

Algorithm 2: Report Collection at the CH
1. Check the freshness of secret shares according to the event time.
2. Check the condition $d(I_s, l_u) < r_s$ for all the sensor nodes in the current event cell.
3. Check the legitimacy of the participating sensor nodes.
4. Discard the report if fewer than t legitimate sensor nodes participate in report generation within time period $T_r$.
5. Verify the MAC of each secret share and drop secret shares with incorrect MACs.
6. Request alternative secret shares from the other sensor nodes in the event cell, if necessary.
7. Stop report collection when the CH collects T legitimate secret shares or all the sensor nodes are exhausted.
8. Discard the report if fewer than t legitimate secret shares are collected.

Now, let us detail the procedure of report collection at the CH (see Algorithm 2).
• Upon receiving secret shares, the CH checks the freshness of secret shares according to the event time.
• Then, the CH checks the location information of all the sensor nodes in the current event cell. In particular, the condition $d(I_s, l_u) < r_s$ should be satisfied, where $I_s$ is the center of the event cell (event location), $l_u$ is the position of sensor node u, and $d(I_s, l_u)$ stands for the distance between $I_s$ and $l_u$.
• If the CH detects any illegitimate secret share which is either sent from an illegitimate sensor node not belonging to the event cell or is not one of the T secret shares generated by the participating sensor nodes, it takes the following action. It drops that secret share immediately.
• If fewer than t sensor nodes among the participating sensor nodes send secret shares to the CH, the report will be discarded.
• Otherwise, the CH verifies the MAC of each secret share. If it is incorrect, the corresponding secret share will be dropped accordingly.
• For each illegitimate secret share detected, the CH requests an alternative secret share from the other sensor nodes in the event cell. The CH finishes report collection when T legitimate secret shares are collected.
• If the CH cannot collect T legitimate secret shares even if all the sensor nodes in the event cell have participated

⁶ Such overhearing happens in an individual event cell only. Therefore, the range of overhearing is limited to the range of an event cell. This will not become difficult for such a communication range even if the real-world development with different geographical areas or buildings is considered.

⁷ Of course, a tradeoff between energy consumption in overhearing and security enhancement is inevitable. To alleviate possible energy consumption incurred, the number of non-participating sensor nodes to overhear can be properly controlled. For example, a random approach may be utilized to allow each non-participating sensor node to overhear and participate later or not by specifying a suitable probability $p_o$. Such a random approach can then reduce the number of non-participating sensor nodes to overhear by a factor of $1 - p_o$ on average.
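The hash-based choice of participants in Algorithm 1 and the checks of Algorithm 2 at the CH, as an added Python example that is not code from the paper. SHA-256 and HMAC-SHA256 stand in for the unspecified h() and MAC, folding the digest into the ID range by modulo, carrying t_e in clear in each message, the `max_age` freshness window, and all node data are assumptions.

```python
import hashlib
import hmac
import math

def reference_value(t_s, l_e, id_min, id_max):
    """Step 1 of Algorithm 1: v_r = h(t_e || l_e) with t_e = ceil(t_s).
    Folding the digest into [id_min, id_max] by modulo is an assumption."""
    t_e = math.ceil(t_s)
    digest = hashlib.sha256(f"{t_e}|{l_e[0]},{l_e[1]}".encode()).digest()
    return id_min + int.from_bytes(digest, "big") % (id_max - id_min + 1)

def successors(v_r, cell_ids, count):
    """The `count` most immediate successors of v_r: smallest ID > v_r first,
    wrapping to ID_min when v_r >= ID_max."""
    ids = sorted(cell_ids)
    start = next((i for i, x in enumerate(ids) if x > v_r), 0)
    return [ids[(start + j) % len(ids)] for j in range(min(count, len(ids)))]

def share_mac(key, e_u, u):
    """MAC_{K_u,CH}(E_u, u); HMAC-SHA256 is a stand-in for the unspecified MAC."""
    return hmac.new(key, e_u + u.to_bytes(4, "big"), hashlib.sha256).digest()

def make_msg(u, key, e_u, t_e):
    """{E_u, u, MAC} as sent to the CH; the t_e field is an assumption."""
    return {"u": u, "E_u": e_u, "t_e": t_e, "mac": share_mac(key, e_u, u)}

def share_ok(msg, node, l_e, r_s, now, max_age):
    """Steps 1, 2 and 5 of Algorithm 2 for a single share."""
    fresh = 0 <= now - msg["t_e"] <= max_age
    in_cell = math.dist(l_e, node["pos"]) < r_s            # d(I_s, l_u) < r_s
    mac_ok = hmac.compare_digest(
        msg["mac"], share_mac(node["key"], msg["E_u"], msg["u"]))
    return fresh and in_cell and mac_ok

def ch_collect(msgs, v_r, cell, l_e, r_s, now, T, t, max_age=5):
    """Algorithm 2 at the CH. `cell` maps node ID -> {"pos", "key"}.
    Returns the IDs whose shares go into the report, or None to discard."""
    ring = successors(v_r, cell.keys(), len(cell))         # every ID in successor order
    by_node = {m["u"]: m for m in msgs if m["u"] in cell}  # step 3: unknown senders dropped
    # Step 4: fewer than t of the T hash-selected nodes answered -> discard.
    if sum(1 for u in ring[:T] if u in by_node) < t:
        return None
    accepted = []
    for u in ring:                                         # steps 5-7: alternates follow in order
        m = by_node.get(u)
        if m is not None and share_ok(m, cell[u], l_e, r_s, now, max_age):
            accepted.append(u)
        if len(accepted) == T:
            break
    return accepted if len(accepted) >= t else None        # step 8

def demo():
    """Constructed cell: ten nodes with IDs 100..109; v_r is fixed at 107 for readability."""
    l_e, r_s, t_e, now, T, t = (12.0, 7.0), 5.0, 1700000001, 1700000002, 4, 3
    cell = {u: {"pos": (12.0 + 0.1 * (u - 100), 7.0), "key": bytes([u]) * 16}
            for u in range(100, 110)}
    send = lambda u: make_msg(u, cell[u]["key"], b"share-%d" % u, t_e)
    args = (107, cell, l_e, r_s, now, T, t)
    honest = ch_collect([send(u) for u in (108, 109, 100, 101)], *args)
    # Three nodes outside the selected set present valid MACs but were not chosen.
    forged = ch_collect([send(u) for u in (103, 104, 105)], *args)
    bad = dict(send(109), mac=b"\x00" * 32)                # 109's MAC fails, 102 steps in
    repaired = ch_collect([send(108), bad, send(100), send(101), send(102)], *args)
    return honest, forged, repaired

if __name__ == "__main__":
    print(demo())
```

The second case is the one LEDS would accept: t nodes of the event cell with valid keys, but none of them among the T successors of v_r, so the CH discards the report at step 4.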
key system, the key length is at least 160 bits when ECDSA-160 [11] is used. Given a storage limit of 5 Kbytes, only 256 public keys can be stored at most. Actually, the CHs store not only public keys of other CHs but also the other information required. This implies that reducing the number of the public keys to be stored by the CH is a must. Now, a method to solve such a problem is proposed as follows.

Allowing a sub-authentication area (sub-auth) to cover a fixed number of CHs, say, $\phi$, one can divide the report-authentication forwarding area into several sub-auths. For each CH, it merely stores the public keys of the CHs that are k ($1 \le k \le \phi$) clusters away from itself. The CHs which are exactly $i\phi$ ($i = 1, 2, \ldots$) clusters away from the source CH then serve as the main CHs. As illustrated in Fig. 5, where $\phi = 3$ and 3 sub-auths are formed, $CH_1$ is the source CH with an originating event and $CH_1$, $CH_4$, and $CH_7$ are the main CHs in sub-auths. For the main CHs, two operations, i.e., verifying and signing messages are performed using private keys. For the other CHs, the public key of the main CH in the same sub-auth is used for message verification. Specifically, the CH which is f clusters away from the source CH uses the public key of the CH which is $v = \phi \lfloor f/\phi \rfloor$ clusters away from the source CH to verify the signature. In Fig. 5, $CH_9$ is 8 clusters away from the source CH, then $CH_9$ finds the public key of the CH which is $v = 3\lfloor 8/3 \rfloor = 6$ clusters away from the source CH, i.e., $CH_7$, in its memory for signature verification using the algorithm depicted in Algorithm 4.

Algorithm 4: Signature Verification Using the Partial Message Recovery
1. Discard the message if $h \notin [1, r-1]$ or $d \notin [1, r-1]$.
2. Compute $f_2 = h(m_2)$, $\hat{h} = d^{-1} \bmod r$, and $\hat{h}_1 = f_2 \hat{h} \bmod r$.
3. Compute $\hat{h}_2 = h\hat{h} \bmod r$ and $P = \hat{h}_1 G + \hat{h}_2 K$, where K is the public key of the CH on the elliptic curve.
4. Discard the message if $P = O$, where O is the point at infinity.
5. Encode and hash P into an integer i [26] and compute $f_1 = (h - i) \bmod r$.
6. Discard the message if the redundancy of $f_1$ is incorrect [26].
7. Otherwise, accept $m_1$ which is obtained from $f_1$ and the signature. Finally, reconstruct $m = m_1 \| m_2$.

Algorithm 5: Sink Verification
1. Verify signature, recover message m, and check the freshness of the report.
2. Determine all the sensor nodes in the current event cell via the condition $d(I_s, l_u) < r_s$.
3. Concatenate any T distinct IDs in the event cell.
4. Compute hash functions $h_i(\cdot)$ ($1 \le i \le k$) of these T distinct IDs and check whether the corresponding bit is 1 or not in bit stream F.
5. If at least one of them is 0, go to step 3 with another T distinct IDs.
6. If all of them are 1, try to recover S from any t secret shares to get the report.
7. If the report is meaningful, the recovery operation is successful. Otherwise, try to recover S from another t secret shares.
8. If no correct report can be got from the T secret shares, the report will be discarded.

4.5 Sink verification

One can refer to Algorithm 5 for the sink verification procedure. In the following, this procedure is described with explanation.
• Upon receiving the report, the sink verifies the signature and recovers message m. Then, it checks the freshness of the report with the help of the event time.
• Next, it determines all the sensor nodes in the current event cell via the condition $d(I_s, l_u) < r_s$.
• Using the property of the bloom filter, all the sensor nodes participating in report generation are determined accordingly. Specifically, the sink computes hash functions $h_i(\cdot)$ ($1 \le i \le k$) of T distinct IDs in the event cell and checks whether the corresponding bit is "1" or not in bit stream F.
• If at least one of the corresponding bits is "0", it tries another T distinct IDs.
• If all of them are "1", it can then determine all the IDs of the sensor nodes participating in report generation.
• If fewer than t legitimate sensor nodes generate the report, the sink will discard the report. Otherwise, the sink tries to recover S from any t secret shares to get the report.
• If the report is meaningful, the recovery operation is successful. If not, it tries to recover $S$ from other $t$ secret shares.
• If it cannot get a correct report from the received message, the report will be discarded accordingly.

5 Security analysis of the proposed protocol

As far as the security of the signature and verification algorithms, i.e., Algorithms 3-4, is concerned, we refer to [26], which has proven that these algorithms are secure under the adaptive message attacks. Therefore, we further examine the security strength of the proposed protocol with respect to data authenticity, data availability, and expected filtering position of the bogus report via an analytical approach in this section. With the analytical results, it can be shown later that the proposed protocol offers a much higher resilience capability against attacks as compared to LEDS, PCREF, and t-PCREF [38]. In the following paragraphs, the analysis is to be carried out.

5.1 Security strength regarding data authenticity

As mentioned previously, sensor nodes will inevitably be compromised in WSNs due to lack of tamper resistance. The attacker could launch the random node capture attack [31] to compromise multiple sensor nodes in the event cell to inject bogus reports to fool the sink with non-existing events. Note that the random node capture attack has been employed by [31] for LEDS and [38] for PCREF and t-PCREF to investigate the security analysis. Of course, a coordinated attack which may compromise some or all neighboring nodes can bring a strong impact on the aforementioned protocols. However, such a coordinated

needs to compromise at least $t$ sensor nodes in the corresponding event cell. Given that the number of compromised sensor nodes in the cluster with originating events is $x$, the probability that an event cell is compromised regarding data authenticity is given by

$$P^{\mathrm{LEDS}}_{\mathrm{Auth}}(x) = \sum_{i=t}^{n} P^{\mathrm{LEDS}}_{i,\mathrm{Comp}}(x) = \sum_{i=t}^{n} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}}, \tag{5}$$

where $P^{\mathrm{LEDS}}_{i,\mathrm{Comp}}(x)$ denotes the probability that exactly $i$ sensor nodes in the event cell are compromised given $x$ compromised sensor nodes in the cluster with originating events and is given as follows:

$$P^{\mathrm{LEDS}}_{i,\mathrm{Comp}}(x) = \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}}. \tag{6}$$

5.1.2 Data authenticity for PCREF and t-PCREF

As claimed in [38], it is quite hard for the adversary to derive the desired primitive polynomial in PCREF and t-PCREF. Therefore, the following calculation ignores such a case and simply considers the random node capture attack. For PCREF and t-PCREF, an attacker needs to compromise at least $T$ and $t$, respectively, sensor nodes in the corresponding event cell to pass both the en-route filtering and sink verification successfully to inject a bogus report. Given that the number of compromised sensor nodes in the cluster with originating events is $x$, the probability that an event cell is compromised regarding data authenticity is given by

$$P^{\mathrm{PCREF}}_{\mathrm{Auth}}(x) = \sum_{i=T}^{n} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}}, \tag{7}$$
participating in report generation in the event cell. Note that the $T$ participating sensor nodes are selected/determined according to the event location and event time. It then becomes harder for the attacker to take control of this process to compromise these participating sensor nodes to generate a bogus report arbitrarily. For the purpose of comparison, the probability that the attacker is able to inject a bogus report to fool the sink in DSEDA is derived as follows. Given $x$ compromised sensor nodes in the cluster with originating events, the probability that exactly $i$ sensor nodes in the event cell are compromised is given in (6). To inject a bogus report to fool the sink in DSEDA, it is further asked that $j$ sensor nodes out of the $i$ compromised sensor nodes in the event cell should come from the $T$ participating sensor nodes with the following constraints:

$$j \ge t, \quad i - j \le n - T, \quad j \le i, \quad j \le T, \tag{9}$$

i.e.,

$$\max(t,\, i - n + T) \le j \le \min(i,\, T). \tag{10}$$

The first constraint of (9) asks that at least $t$ participating sensor nodes in the event cell are compromised. The second constraint of (9) says that the remaining $i - j$ compromised nodes should be chosen from the $n - T$ non-participating sensor nodes in the event cell. The third constraint of (9) indicates that the $j$ sensor nodes are drawn from the $i$ compromised sensor nodes in the event cell. The final constraint of (9) states that at most $T$ participating sensor nodes in the event cell can be compromised. As for the corresponding probability for this further requirement, it follows the probability mass function (pmf) of the hypergeometric distribution, i.e., $\binom{T}{j}\binom{n-T}{i-j}\big/\binom{n}{i}$. Putting the

$P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Auth}}(x)$: To make the equality hold, the full summation of pmf of the hypergeometric distribution is required. Obviously, this happens under the extreme cases only. With the aforementioned statements, the proof of this theorem is then completed. □

5.1.4 Comparison on data authenticity among DSEDA, LEDS, PCREF, and t-PCREF

Figure 6 illustrates the comparison among DSEDA, LEDS, PCREF, and t-PCREF regarding data authenticity under $N_c = 100$, $n = 10$, and $(T, t) = (5, 4)$. The data authenticity here is shown through the probability that an attacker is able to inject a bogus report to fool the sink versus the number of compromised sensor nodes in the cluster with originating events, i.e., $x$ defined previously. From this figure, one can explicitly see that DSEDA significantly outperforms LEDS, PCREF, and t-PCREF when $10 < x < 100$. Specifically checking the results at $x = 40$, the corresponding probabilities are about 0.626 for LEDS (and t-PCREF), 0.361 for PCREF, and 0.082 for DSEDA. The previous results yield approximately 87% and 77% of improvement achieved by DSEDA as compared to LEDS (or t-PCREF) and PCREF, respectively. As for the results at $x = 60$, the corresponding probabilities are about 0.954 for LEDS (and t-PCREF), 0.846 for PCREF, and 0.332 for DSEDA. These results yield approximately 65% and 61% of improvement achieved by DSEDA as compared to LEDS (or t-PCREF) and PCREF, respectively. According to the aforementioned description, it is crystal clear that DSEDA is superior to LEDS, PCREF, and t-PCREF in terms of data authenticity. No doubt, it is harder for the attacker in DSEDA than that in LEDS, PCREF, and t-PCREF to inject a bogus report to fool the sink.

Fig. 6 Data authenticity comparison among DSEDA, LEDS, PCREF, and t-PCREF, where $N_c = 100$, $n = 10$, and $(T, t) = (5, 4)$ (x-axis: number of compromised nodes in the cluster (x); y-axis: probability of injecting a bogus report)
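The probabilities quoted for $x = 40$ and $x = 60$ can be checked numerically. The Python sketch below is an added example, not code from the paper: it evaluates (5)-(7) directly and, as an assumption because the paper's final DSEDA expression is not reproduced on this page, assembles the DSEDA probability from (6), the range (10), and the hypergeometric pmf stated in the text. All function names are illustrative.

```python
from math import comb

# Parameters used for Fig. 6 in the text.
NC, N_CELL, T_PART, T_THRESH = 100, 10, 5, 4


def hypergeom_pmf(population, marked, draws, k):
    """P(exactly k marked items among `draws` items drawn without replacement)."""
    if k < 0 or k > draws:
        return 0.0
    # math.comb returns 0 when the lower index exceeds the upper one.
    return comb(marked, k) * comb(population - marked, draws - k) / comb(population, draws)


def p_i_comp(x, i, nc=NC, n=N_CELL):
    """Eq. (6): exactly i of the n event-cell nodes are among the x compromised nodes."""
    return hypergeom_pmf(nc, n, x, i)


def p_auth_threshold(x, threshold, nc=NC, n=N_CELL):
    """Eqs. (5)/(7): at least `threshold` of the n event-cell nodes are compromised."""
    return sum(p_i_comp(x, i, nc, n) for i in range(threshold, n + 1))


def p_auth_dseda(x, nc=NC, n=N_CELL, T=T_PART, t=T_THRESH):
    """Assumed assembly for DSEDA: Eq. (6) weighted by the hypergeometric pmf
    C(T,j)C(n-T,i-j)/C(n,i), with j restricted to the range given by (10)."""
    total = 0.0
    for i in range(t, n + 1):
        lo, hi = max(t, i - n + T), min(i, T)
        inner = sum(comb(T, j) * comb(n - T, i - j) / comb(n, i)
                    for j in range(lo, hi + 1))
        total += p_i_comp(x, i, nc, n) * inner
    return total


def p_auth_dseda_closed(x, nc=NC, T=T_PART, t=T_THRESH):
    """Cross-check (our observation, not from the paper): the double sum collapses
    to 'at least t of the T participating nodes are compromised'."""
    return sum(hypergeom_pmf(nc, T, x, j) for j in range(t, T + 1))


def improvement(p_other, p_dseda):
    """Relative reduction of the injection probability, in percent."""
    return 100.0 * (p_other - p_dseda) / p_other


def compare(x):
    """Injection probabilities of all four schemes for x compromised nodes."""
    return {
        "LEDS": p_auth_threshold(x, T_THRESH),     # needs t nodes, Eq. (5)
        "PCREF": p_auth_threshold(x, T_PART),      # needs T nodes, Eq. (7)
        "t-PCREF": p_auth_threshold(x, T_THRESH),  # needs t nodes
        "DSEDA": p_auth_dseda(x),
    }


if __name__ == "__main__":
    for x in (20, 40, 60, 80):
        row = compare(x)
        print(x, {name: round(p, 3) for name, p in row.items()},
              "gain vs LEDS: %.0f%%" % improvement(row["LEDS"], row["DSEDA"]),
              "gain vs PCREF: %.0f%%" % improvement(row["PCREF"], row["DSEDA"]))
```

The cross-check shows that the cell size $n$ drops out of the DSEDA result: only $N_c$, $T$, $t$ and $x$ determine how likely an attacker is to hold enough participating nodes.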
5.2 Expected filtering position of the bogus report

In the following, we consider the situation that an attacker can take control of some compromised sensor nodes in the event cell to insert a bogus report into the WSN. We derive the expected filtering positions of the bogus report sent from an affected event cell in which at least one but at most $t - 1$ cells are compromised given the number of compromised sensor nodes in the cluster, i.e., $x$. In the subsequent paragraphs, the corresponding results for LEDS, PCREF, t-PCREF, and DSEDA will be derived.

5.2.1 Expected filtering position of the bogus report for LEDS

Notice that an event cell will become an affected cell if the attacker in that event cell is able to compromise $i$ ($1 \le i \le t - 1$) sensor nodes in the event cell. The associated probability given $x$ compromised sensor nodes in the cluster can then be denoted by $\sum_{i=1}^{t-1} P^{\mathrm{LEDS}}_{i,\mathrm{Comp}}(x)$. Under the precondition that an event cell becomes an affected cell, the attacker has to forge at least $t - i$ MACs to insert a bogus report. To let these forged MACs pass through the en-route filtering, at least $t - i$ cells of the first $T$ cells in its report-authentication forwarding area should be affected/compromised with the probability of $\sum_{j=t-i}^{T} \binom{T}{j} \left(1 - P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x)\right)^{j} \left(P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x)\right)^{T-j}$. Note that $P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x) = \binom{N_c-n}{x}\big/\binom{N_c}{x}$ stands for the probability that the cell is secure without being compromised or affected. If so, the bogus report can be relayed to the sink but then filtered by the sink. Otherwise, the report will be dropped at the $\frac{T}{2}$-th cell on average under the random node capture attack. Further denoting $y$ ($y \ge T$) to be the distance in cell from this affected event cell to the sink, the expected filtering position in cell of the bogus report sent from an affected cell for LEDS $\hat{p}^{\mathrm{LEDS}}(x, y)$ given $x$ and $y$ is then expressed as follows:

$$\begin{aligned}
\hat{p}^{\mathrm{LEDS}}(x, y) ={}& y \sum_{i=1}^{t-1} P^{\mathrm{LEDS}}_{i,\mathrm{Comp}}(x) \sum_{j=t-i}^{T} \binom{T}{j} \left(1 - P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x)\right)^{j} \left(P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x)\right)^{T-j} \\
&+ \frac{T}{2} \sum_{i=1}^{t-1} P^{\mathrm{LEDS}}_{i,\mathrm{Comp}}(x) \left(1 - \sum_{j=t-i}^{T} \binom{T}{j} \left(1 - P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x)\right)^{j} \left(P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x)\right)^{T-j}\right).
\end{aligned} \tag{12}$$

5.2.2 Expected filtering position of the bogus report for PCREF and t-PCREF

Given $x$ and $y$, the expected filtering positions in cell of the bogus report sent from an affected cell for PCREF $\hat{p}^{\mathrm{PCREF}}(x, y)$ and t-PCREF $\hat{p}^{t\text{-}\mathrm{PCREF}}(x, y)$ are given as follows [38]:

$$\hat{p}^{\mathrm{PCREF}}(x, y) = \sum_{i=1}^{y} i\, p^{f,\mathrm{PCREF}}_{i}, \tag{13}$$

$$\hat{p}^{t\text{-}\mathrm{PCREF}}(x, y) = \sum_{i=1}^{y} i\, p^{f,t\text{-}\mathrm{PCREF}}_{i}, \tag{14}$$

where $p^{f,\mathrm{PCREF}}_{i}$ and $p^{f,t\text{-}\mathrm{PCREF}}_{i}$ are the probabilities that the bogus report is filtered after being forwarded $i$ cells away from that affected cell and follow the following relationship:

$$p^{f,\mathrm{PCREF}}_{i} = \sum_{j=1}^{T-1} \frac{\binom{n}{j}\binom{N_c-n}{x-j}}{\binom{N_c}{x}} (1 - p_f)^{i-1} p_f, \quad i = 1, 2, \ldots, y, \tag{15}$$

$$p^{f,t\text{-}\mathrm{PCREF}}_{i} = \sum_{j=1}^{t-1} \frac{\binom{n}{j}\binom{N_c-n}{x-j}}{\binom{N_c}{x}} (1 - p_f)^{i-1} p_f, \quad i = 1, 2, \ldots, y, \tag{16}$$

where $p_f$ is the probability that a sensor node in an intermediate cell can filter the bogus report.

5.2.3 Expected filtering position of the bogus report for DSEDA

If there are fewer than $t$ sensor nodes among the $T$ participating sensor nodes sending secret shares to the CH in DSEDA, the report will be rejected immediately by the CH if it is not compromised. Note that the probability that the CH is not compromised is $1 - \frac{x-i}{N_c-T}$ given that $i$ cells are compromised among the $T$ participating sensor nodes sending secret shares to the CH and $x$ cells are compromised in the cluster. Therefore, any bogus report sent from an affected cell will be rejected at the CH after one-hop communication with distance $z$ in cell on average. Under the homogeneous node deployment, $z$ can be related to $N_c$ and $n$ via $z = \frac{\sqrt{N_c/n}}{2}$. However, the report will be relayed to the sink if the CH is compromised and then rejected by the sink. For the latter case, the bogus report is filtered $y$ cells away from this affected event cell. Note that the CH
Fig. 7 Comparison on the expected filtering position of the bogus report among DSEDA, LEDS, PCREF, and t-PCREF, where $N_c = 100$, $n = 10$, $p_f = 0.1$, and $(T, t) = (5, 4)$ (axes: number of compromised nodes (x); distance to the sink (y))

Given $x$ compromised sensor nodes in the cluster, the security strength regarding data availability in LEDS under the report disruption attack is then derived as follows:

$$P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x) = \sum_{i=0}^{T-t} \frac{\binom{T}{i}\binom{N_c-T}{x-i}}{\binom{N_c}{x}}. \tag{18}$$

Next, the selective forwarding attack is considered. If any sensor node from the $T$ participating sensor nodes refuses to participate in report generation in LEDS, then sensor nodes will fail to collect enough (i.e., $T$) secret shares to forward to the sink, causing the legitimate report to be rejected. Given $x$ compromised sensor nodes in the cluster, the security strength regarding data availability in LEDS under the selective forwarding attack is derived as follows:
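$$P^{\mathrm{LEDS}}_{\mathrm{Avail},S}(x) = \frac{\binom{N_c-T}{x}}{\binom{N_c}{x}}. \tag{19}$$

5.3.2 Data availability for PCREF and t-PCREF under the report disruption and selective forwarding attacks

$$P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},S}(x) = \sum_{i=0}^{\ldots} \frac{\binom{\ldots}{i}\binom{\ldots}{x-i}}{\binom{N_c}{x}}. \tag{23}$$

5.3.3 Data availability for DSEDA under the report disruption and selective forwarding attacks

In DSEDA, the secret share with an incorrect MAC contributed by any compromised sensor node participating in report generation will be dropped by the CH and an alternative secret share from the non-participating sensor nodes will be required further. Therefore, the legitimate report will be dropped only when there are fewer than $t$ legitimate sensor nodes left in the event cell. In other words, the sink can still obtain the legitimate report even if there are up to $n - t$ compromised sensor nodes contributing incorrect MACs in the corresponding event cell. Given $x$ compromised sensor nodes in the cluster, the security strength regarding data availability in DSEDA under the report disruption attack is derived as follows:

$$P^{\mathrm{DSEDA}}_{\mathrm{Avail},D}(x) = \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}}. \tag{24}$$

Proof First, it is trivial to show $P^{\mathrm{PCREF}}_{\mathrm{Avail},D}(x) = P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},D}(x)$ because $P^{\mathrm{PCREF}}_{\mathrm{Avail},D}(x) = \sum_{i=0}^{n-T} \frac{\binom{n}{i}\binom{N_c-n}{x-i}\binom{n-i}{T}}{\binom{N_c}{x}\binom{n}{T}} = P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},D}(x)$. Next, let us show $P^{\mathrm{PCREF}}_{\mathrm{Avail},D}(x) = P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},D}(x) \le P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x)$. Further checking $P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x)$ and $P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x)$, we know that $P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x) = P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x) = \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \sum_{j=0}^{\min(T-t,i)} \frac{\binom{T}{j}\binom{n-T}{i-j}}{\binom{n}{i}}$ which can be further written as

$$P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x) = \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \left( \sum_{j=0}^{\min(T-t,i)} \frac{\binom{T}{j}\binom{n-T}{i-j}}{\binom{n}{i}} \right), \tag{27}$$

$$= \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \left( \frac{\binom{n-T}{i}}{\binom{n}{i}} + \sum_{j=1}^{\min(T-t,i)} \frac{\binom{T}{j}\binom{n-T}{i-j}}{\binom{n}{i}} \right), \tag{28}$$

$$= \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \left( \frac{\binom{n-i}{T}}{\binom{n}{T}} + \sum_{j=1}^{\min(T-t,i)} \frac{\binom{T}{j}\binom{n-T}{i-j}}{\binom{n}{i}} \right), \tag{29}$$

(31) into two summations over range $\{0, \ldots, T - t\}$ and $\{T - t + 1, \ldots, n - t\}$, respectively, regarding the outer-

when $s \in [x - j + 1, n - T]$, yielding $\sum_{s=0}^{n-t-j} \binom{n-T}{s}\binom{N_c-n}{x-j-s} = \sum_{s=0}^{x-j} \binom{n-T}{s}\binom{N_c-n}{x-j-s} = \sum_{s=0}^{n-T} \binom{n-T}{s}\binom{N_c-n}{x-j-s}$.

$P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},S}(x)$. Note that $P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x)$ can be written as follows: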
From the fact that the summation over the entire range for hypergeometric pmf $g(i) = \binom{n-T}{i}\binom{N_c-n}{x-i}\big/\binom{N_c-T}{x}$, $i = 0, 1, \ldots, n - T$, yields 1, we have $\binom{N_c-T}{x} = \sum_{i=0}^{n-T} \binom{n-T}{i}\binom{N_c-n}{x-i}$. Therefore,

$$P^{\mathrm{LEDS}}_{\mathrm{Avail},S}(x) = \frac{\binom{N_c-T}{x}}{\binom{N_c}{x}} = \sum_{i=0}^{n-T} \frac{\binom{n-T}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \le \sum_{i=0}^{n-T} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} = P^{\mathrm{PCREF}}_{\mathrm{Avail},S}(x).$$

The proof of this theorem is then totally completed. □

Remark 2 Theorem 3 shows that t-PCREF always outperforms LEDS, PCREF, and DSEDA in data availability when considering the selective forwarding attack for sure. However, LEDS performs worst among these four protocols.

To deeply explore the data availability of DSEDA, LEDS, PCREF, and t-PCREF, the following paragraph shows the comparison on data availability among them via some numerical examples.

5.3.4 Comparison on data availability among DSEDA, LEDS, PCREF, and t-PCREF

Shown in Fig. 8(a) is the data availability protection for DSEDA, LEDS, PCREF, and t-PCREF under the report disruption attack. It clearly shows that the probability of successfully generating a legitimate report is much higher for DSEDA than LEDS, PCREF, and t-PCREF. When $x = 40$, the corresponding probabilities in LEDS, DSEDA, and PCREF as well as t-PCREF are 0.332, 0.954, and 0.073, respectively, revealing 188% and 1200% of improvement achieved by DSEDA as compared to LEDS and PCREF (or t-PCREF). Notice that PCREF and t-PCREF perform even worse than LEDS in terms of data availability under the report disruption attack. In Fig. 8(b), we show the data availability comparison among DSEDA, LEDS, PCREF, and t-PCREF under the selective forwarding attack. Again, DSEDA significantly outperforms LEDS. Fixing $x$ at 40, DSEDA reveals 357% of improvement as compared to LEDS. This firmly indicates that DSEDA is much more resilient against the selective forwarding attack than LEDS. However, DSEDA shows 61% and 65% of decline as compared to PCREF and t-PCREF, respectively. It says that PCREF and t-PCREF are much more effective to combat the selective forwarding attack than DSEDA.

Fig. 8 Data availability comparison among DSEDA, LEDS, PCREF, and t-PCREF where $N_c = 100$, $n = 10$, and $(T, t) = (5, 4)$. a Under the report disruption attack. b Under the selective forwarding attack (x-axis: number of compromised nodes in the cluster (x); y-axis: probability of successfully generating a legitimate report)

6 Performance analysis of the proposed protocol

In this section, performance, including key storage, computation overhead, computation time, and communication overhead, is evaluated for LEDS, DSEDA, PCREF and t-PCREF. Generally speaking, sensor nodes are resource-limited devices. Therefore, a Mica2 [25] is employed to serve as a regular sensor node. As for CHs, they are resourceful devices. We then employ an Imote2 [25] to serve as a CH. Let us check the key storage overhead first.

6.1 Key storage overhead

As shown in [31] for LEDS, the total number of keys stored in each sensor node is bounded by $(T + 1)(T + 2)/2 + 5$. The corresponding number is 26 when $T = 5$. Unlike LEDS, DSEDA does not ask sensor nodes to store authentication keys shared with the sensor nodes in the report-authentication forwarding area. Each sensor node in DSEDA then stores two unique secret keys shared with the sink and one secret key shared with the CH only. Therefore, the total number of keys stored in each sensor node for DSEDA is fixed at 3 which is significantly less than that for LEDS because $(T + 1)(T + 2)/2 + 5 > 3$ for positive integer $T$. Therefore, DSEDA gains storage efficiency for each sensor node as compared to LEDS. As for PCREF or t-PCREF, each sensor node stores not only a large amount of keys but also many polynomials as shown in [38]. Compared to both LEDS and DSEDA, much more storage overhead is required in PCREF or t-PCREF. In our design, CHs are responsible for en-route filtering. Therefore, each CH needs to store the public keys of $\phi$ sensor nodes in its downstream report-authentication forwarding area. Besides, it stores two secret keys shared with the sink and $N_c$ secret keys shared with the sensor nodes in the cluster. In short, the total number of keys stored in each CH is given by $N_c + 2$ symmetric keys plus $\phi$ asymmetric keys. Although CHs must store more keys than sensor nodes, the storage capacity of CHs is much higher than that of sensor nodes. Specifically, CHs may be powerful Imote2 devices with 32 MB of flash memory, whereas sensor nodes are resource-constrained Mica2 devices with 4 KB of storage capacity. Considering the storage capacity of CHs, the key storage overhead brought by our design causes little burden to CHs and falls within an acceptable level.

The main computation overhead in LEDS comes from MAC operations. The one-to-many forwarding paradigm for delivering data in LEDS forces all the sensor nodes in the report-authentication forwarding area to verify the message. Consider the case that the number of sensor nodes in a cell is 10 on average and the event cell is 20 cells away from the sink. Then, 20 sensor nodes need to generate a new MAC to forward to next cell and the total number of sensor nodes for message verification is bounded by 200. As reported in [36], Mica2 consumes 5.9 μJ for hashing 1 byte of data when SHA-1 is employed. If HMAC [27], which contains two SHA-1 operations, and 64-byte data message are considered, the total energy consumption for this case in LEDS is then approximated by $(200 + 20) \times 2 \times 5.9 \times 64$ μJ $= 166$ mJ. In DSEDA, the computation overhead lies in signature verification at CHs. As reported in [21], Imote2 needs 2.86 mJ and 3.51 mJ, respectively, to generate an ECDSA signature and verify it when running at 104 MHz. Because the radius of a CH is $\sqrt{N_c/n}$ in cell, it turns to be $\sqrt{100/10} \approx 3.16$ if $N_c = 100$ and $n = 10$. Considering a similar case for DSEDA, the total energy consumption for signature generation (verification) of DSEDA is then $2.86 \times \lceil 20/3.16 \rceil = 20.02$ mJ ($3.51 \times \lceil 20/3.16 \rceil = 24.57$ mJ). Clearly, $(20.02 + 24.57)$ mJ $\ll 166$ mJ. Further distinguishing the power/computation capacity of CHs and sensor nodes, moving computation overhead from sensor nodes to CHs is more desired for sure. The aforementioned description clearly indicates that DSEDA is more efficient than LEDS in terms of energy consumption, i.e., computation overhead. As for PCREF or t-PCREF, the computation overhead becomes higher than both DSEDA and LEDS if the generation of authentication and check polynomials is further included.

Therefore, let us further examine the computation time for report verification in DSEDA and LEDS. As reported in [13], it takes 7.56 ms to perform the SHA-1 hash function on the Mica2 platform. For sensor nodes in LEDS, they then take $2 \times 7.56 = 15.12$ ms for report verification. Considering the previous case, the total computation time required when the report travels from the source to the sink is $15.12 \times 20 = 302.4$ ms. As illustrated in [21], Imote2 takes 14.49 ms to verify an ECDSA signature when running at 416 MHz and 56.02 ms to verify an ECDSA signature when running at 104 MHz. This then gives the total computation time to verify the report in DSEDA, i.e., $14.49 \times \lceil 20/3.16 \rceil = 101.43$ ($\ll 302.4$) ms when running at 416 MHz and $56.02 \times \lceil 20/3.16 \rceil = 392.14$ ($> 302.4$) ms when running at 104 MHz. Therefore, DSEDA may perform comparably to LEDS in terms of computation time as far as the report verification is concerned.

Let us first compare the size of payload data between DSEDA and LEDS. Each message in LEDS contains $T$ IDs and $T$ secret shares in payload data, while DSEDA utilizes the bloom filter to reduce the size of $T$ IDs to 3 bytes only. If $T = 5$, the size of $T$ IDs will be 10 bytes in LEDS, giving 7 bytes of reduction in payload data for such a case. Then, the communication overhead coming from signature is compared. In LEDS, each report contains $T + 1$ MACs. As reported in [27], the minimum length of MAC is 4 bytes. With this minimum size and $T = 5$, the data size for MACs in LEDS then becomes 24 bytes. Note that the size of ECDSA signature is 40 bytes and up to 14 bytes can be saved if the partial message recovery algorithm is applied as reported in [26]. The communication overhead of signature in DSEDA is then 26 bytes, giving 2 additional bytes in signature as compared to that of LEDS. However, the situation can be totally changed when $T \ge 6$, for which at least 2 bytes can be saved for DSEDA as compared to LEDS in signature. As shown in [38], the extra communication overhead of PCREF is 40 bytes which is explicitly higher than those of DSEDA and LEDS. Finally, let us check some additional messages brought by DSEDA. Sensor nodes and CHs must exchange some additional messages to compensate lack of secret shares in DSEDA. By doing so, it helps improve data availability against compromised sensor nodes greatly as compared to LEDS. Therefore, this cost in communication overhead buys a great advantage in security strength and is worth paying.

7 Conclusions

An efficient security protocol, i.e., DSEDA, to guarantee end-to-end data authentication in cluster-based WSNs has been proposed in this paper. DSEDA contains a mechanism to compensate lack of legitimate secret shares to greatly enhance data availability. Moreover, it employs CHs to verify the report at the very beginning of report lifetime so that the bogus report can be dropped as soon as possible. Based on digital signature, an en-route filtering mechanism is further endowed with DSEDA to prevent intermediate nodes from forgery or false information. Through evaluation on security strength and performance, we have successfully demonstrated that the DSEDA significantly outperforms LEDS in terms of both security strength and performance. Except for the data availability under the selective forwarding attack, DSEDA also performs better than PCREF and t-PCREF. No doubt, DSEDA is strongly recommended for use in WSNs.

Acknowledgments The work of H. W. Ferng was supported by the Ministry of Science and Technology (MOST), Taiwan under contracts MOST 104-2221-E-011-052-MY2, MOST 103-2221-E-011-012, and MOST 102-2221-E-011-004.

References

1. Ayday, E., Delgosha, F., & Fekri, F. (2012). Data authenticity and availability in multihop wireless sensor networks. ACM Transactions on Sensor Networks (TOSN), 8(2), 10–26.
2. Cao, X., Kou, W., Dang, L., & Zhao, B. (2008). IMBAS: Identity-based multi-user broadcast authentication in wireless sensor networks. Computer Communications, 31(4), 659–667.
3. Chan, H., Perrig, A., & Song, D. (2003, May). Random key pre-distribution schemes for sensor networks. In Proceedings of IEEE symposium on security and privacy (SP’03) (pp. 197–213).
4. Chan, H., & Perrig, A. (2003). Security and privacy in sensor networks. IEEE Computer Magazine, 36(10), 103–105.
5. Drissi, J., & Gu, Q. (2006, July). Localized broadcast authentication in large sensor networks. In Proceedings of IEEE international conference on networking and services (ICNS’06).
6. Du, W., Deng, J., Han, Y. S., & Varshney, P. K. (2005). A pairwise key pre-distribution scheme for wireless sensor networks. ACM Transactions on Information and System Security, 8(2), 228–258.
7. Eschenauer, L., & Gligor, V. D. (2002, November). A key-management scheme for distributed sensor networks. In Proceedings of ACM conference on computer and communications security (CCS’02) (pp. 41–47).
8. Even, S., Goldreich, O., & Micali, S. (1996). On-line/off-line digital signatures. Journal of Cryptology, 9(1), 35–67.
9. Ferng, H. W., Nurhakim, J., & Horng, S. J. (2014). Key management protocol with end-to-end data security and key revocation for a multi-BS wireless sensor network. Wireless Networks, 20(4), 625–637.
10. Gu, W., Dutta, N., Chellappan, S., & Bai, X. (2011). Providing end-to-end secure communications in wireless sensor networks. IEEE Transactions on Network and Service Management, 8(3), 205–218.
11. Hankerson, D., Menezes, A., & Vanstone, S. (2004). Guide to elliptic curve cryptography. New York: Springer.
12. IEEE. (2000, May). Standard specifications for public key cryptography, IEEE P1363a/D4. http://grouper.ieee.org/groups/1363/index.html.
13. Krontiris, I., & Dimitriou, T. (2006, June). A practical authentication scheme for in-network programming in wireless sensor networks. In Proceedings of ACM REALWSN’06.
14. Lee, S., & Kim, K. (2010, November). Sensor authentication scheme for clustering routing protocols in wireless sensor networks. In Proceedings of IEEE sensors (pp. 1819–1822).
15. Li, F., Zhong, D., & Takagi, T. (2012). Practical identity-based signature for wireless sensor networks. IEEE Wireless Communications Letters, 1(6), 637–640.
16. Li, X., Zhou, F., & Du, J. (2013). LDTS: A lightweight and dependable trust system for clustered wireless sensor networks. IEEE Transactions on Information Forensics and Security, 8(6), 924–935.
17. Liu, D., & Ning, P. (2003). Efficient distribution of key chain commitments for broadcast authentication in distributed sensor networks. In Proceedings of network and distributed system security symposium (NDSS’03).
18. Liu, D., Ning, P., & Li, R. (2005). Establishing pairwise keys in distributed sensor networks. ACM Transactions on Information and System Security, 8(1), 41–77.
19. Liu, D., & Ning, P. (2004). Multilevel μTESLA: Broadcast authentication for distributed sensor networks. ACM Transactions on Embedded Computing Systems, 3(4), 800–836.
20. Liu, D., Ning, P., Zhu, S., & Jajodia, S. (2005, July). Practical broadcast authentication in sensor networks. In Proceedings of IEEE international conference on mobile and ubiquitous systems: Networking and services (MobiQuitous’05) (pp. 118–129).
21. Liu, A., & Ning, P. (2008, April). TinyECC: A configurable library for elliptic curve cryptography in wireless sensor networks. In Proceedings of IEEE international conference on information processing in sensor networks (IPSN ’08) (pp. 245–256).
22. Liu, Z., Wang, J., & Zhang, X. (2011, June). A false data filtering scheme using cluster-based organization in sensor networks. In Proceedings of IEEE international conference on communications (ICC’11) (pp. 1–5).
23. Liu, Y., Li, J., & Guizani, M. (2012). PKC based broadcast authentication using signature amortization for WSNs. IEEE Transactions on Wireless Communications, 11(6), 2106–2115.
24. Mitzenmacher, M. (2002). Compressed bloom filters. IEEE/ACM Transactions on Networking, 10(5), 604–612.
25. Moog Crossbow. (2008). Mica2/Imote2 Mote datasheet. http://www.xbow.com.
26. Naccache, D., & Stern, J. (2001). Signing on a postcard. In Proceedings of international conference on financial cryptography (FC ’01) (pp. 121–135).
27. National Institute of Standards and Technology. (2002, March). Keyed-hashing for message authentication (HMAC). Federal Information processing Standards Publication.
28. Perrig, A., Szewczyk, R., Tygar, J. D., Wen, V., & Culler, D. E. (2002). SPINS: Security protocols for sensor networks. Wireless Networks, 8(5), 521–534.
29. Raymond, D. R., Marchany, R. C., Brownfield, M. I., & Midkiff, S. F. (2009). Effects of denial-of-sleep attacks on wireless sensor network MAC protocols. IEEE Transactions on Vehicular Technology, 58(1), 367–380.
30. Ren, K., Lou, W., Zeng, K., & Moran, P. J. (2007). On broadcast authentication in wireless sensor networks. IEEE Transactions on Wireless Communications, 6(11), 4136–4144.
31. Ren, K., Lou, W., & Zhang, Y. (2008). LEDS: Providing location-aware end-to-end data security in wireless sensor networks. IEEE Transactions on Mobile Computing, 7(5), 585–598.
32. Ren, K., Lou, W., & Zhang, Y. (2009). Multi-user broadcast authentication in wireless sensor networks. IEEE Transactions on Vehicular Technology, 58(8), 4554–4564.
33. Shamir, A. (1979). How to share a secret. Communications of the ACM, 22(11), 612–613.
34. Shamir, A. (1984). Identity-based cryptosystems and signature schemes. In Proceedings of CRYPTO’84.
35. Shi, E., & Perrig, A. (2004). Designing secure sensor networks. IEEE Wireless Communications Magazine, 11(6), 38–43.
36. Wander, A. S., Gura, N., Eberle, H., Gupta, V., & Shantz, S. C. (2005, March). Energy analysis of public-key cryptography on small wireless devices. In Proceedings of IEEE international conference on pervasive computing and communications (PerCom’05) (pp. 324–328).
37. Yang, H., Ye, F., Yuan, Y., Lu, S., & Arbaugh, W. (2005, May). Toward resilient security in wireless sensor networks. In Proceedings of ACM international symposium on mobile ad hoc networking and computing (MobiHoc’05) (pp. 34–45).
38. Yang, X., Lin, J., Yu, W., Moulema, P., Fu, X., & Zhao, W. (2015). A novel en-route filtering scheme against false data injection attacks in cyber-physical networked systems. IEEE Transactions on Computers, 64(1), 4–18.
39. Yao, A. C.-C., & Zhao, Y. (2013). Online/offline signatures for low-power devices. IEEE Transactions on Information Forensics and Security, 8(2), 283–294.
40. Yasmin, R., Ritter, E., & Wang, G. (2010, June–July). An authentication framework for wireless sensor networks using identity-based signatures. In Proceedings of IEEE international conference on computer and information technology (CIT’10) (pp. 882–889).
41. Ye, F., Luo, H., Lu, S., & Zhang, L. (2004). Statistical enroute filtering of injected false data in sensor networks. In Proceedings of IEEE INFOCOM’04.
42. Zhu, S., Setia, S., & Jajodia, S. (2006). LEAP+: Efficient security mechanisms for large-scale distributed sensor networks. ACM Transactions on Sensor Networks, 2(4), 500–528.
43. Zhu, S., Setia, S., Jajodia, S., & Ning, P. (2004, May). An interleaved hop-by-hop authentication scheme for filtering of injected false data in sensor networks. In Proceedings of IEEE symposium on security and privacy (SP’04) (pp. 259–271).

Huei-Wen Ferng received the B.S. degree in electrical engineering from the National Tsing Hua University, Hsinchu, Taiwan, in 1993 and the Ph.D. degree in electrical engineering from the National Taiwan University, Taipei, Taiwan, in 2000. He joined the Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, Taipei, as an assistant professor in August 2001. From February 2005 to January 2011, he was an associate professor. Since February 2011 and June 2012, he has been a professor and a distinguished professor, respectively. Funded by the Pan Wen-Yuan Foundation, Taiwan, he spent the summer of 2003 visiting the Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor. His research interests include wireless networks, mobile computing, high-speed networks, design of fair scheduling, teletraffic modeling, queuing theory, and performance analysis. He was a recipient of the research award for young researchers from the Pan Wen-Yuan Foundation, Taiwan, in 2003 and was a recipient of the Outstanding Young Electrical Engineer Award from the Chinese Institute of Electrical Engineering (CIEE), Taiwan, in 2008. He is a senior member of the IEEE.

Nguyen Minh Khoa received the M.S. degree in computer science and information engineering from the National Taiwan University of Science and Technology, Taipei, in 2011. His research interests include wireless sensor networks, security, and performance analysis.