INTERNET-DRAFT                                            Zhongyuan Qin
Intended Status: Informational                                Jie Huang
Expires: September 18, 2015                              Xinshuai Zhang
                                                   Southeast University
                                                         March 18, 2015

     An Identity-Based Key Management Scheme for Wireless Sensor Networks
                         draft-qin-cfrg-ibkm-wsn-00

Abstract

This document specifies an efficient identity-based key management (IBKM) scheme for wireless sensor networks (WSNs), where the nodes are resource-limited, i.e., they have low computing capacity, small memory, a limited power supply, low price, etc. The scheme exploits a Bloom filter to authenticate communicating sensor nodes with storage efficiency. The security analysis shows that IBKM can prevent several attacks effectively with acceptable computation and communication overhead.

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html

This Internet-Draft will expire on July 27, 2015.

Copyright Notice

Expires                                                        [Page 1]
INTERNET DRAFT

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . .  4
      2.1. Requirements Language . . . . . . . . . . . . . . . . . .  4
      2.2. Definitions and Notation . . . . . . . . . . . . . . . .  4
      2.3. Abbreviations . . . . . . . . . . . . . . . . . . . . . .  5
   3. Network model . . . . . . . . . . . . . . . . . . . . . . . .  5
   4. IBKM Scheme . . . . . . . . . . . . . . . . . . . . . . . . .  5
      4.1. Parameters Initialization Phase . . . . . . . . . . . . .  5
      4.2. Node Registration Phase . . . . . . . . . . . . . . . . .  6
      4.3. Share Secret Key Generation between Two Nodes . . . . . .  6
   5. Security Considerations . . . . . . . . . . . . . . . . . . .  7
   6. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  8
   7. References . . . . . . . . . . . . . . . . . . . . . . . . . .  9
      7.1. Normative References . . . . . . . . . . . . . . . . . .  9
      7.2. Informative References . . . . . . . . . . . . . . . . .  9
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10

1. Introduction

Wireless Sensor Networks (WSNs) are ripe for wide adoption in several applications, such as military, healthcare, automotive, research, and so on. Applications such as military ones place higher requirements on WSN security. However, WSN security is a challenging problem because of the openness of WSN network architectures, which enables adversaries to easily eavesdrop on, intercept, inject and alter transmitted information.
Besides, existing computer network security mechanisms cannot be directly adopted in WSNs because of the restricted node resources and low communication bandwidth. Therefore, it is urgent to put forward low-consumption key management schemes for WSNs.

Until now, key management schemes in WSNs have mainly been based on symmetric cryptographic algorithms. For example, Eschenauer et al. proposed probabilistic key pre-distribution schemes for pairwise key establishment [EG]. Their basic idea is that each node randomly picks a set of keys from a key pool before deployment, so that any two sensor nodes have a certain probability of sharing at least one common key.

On the other hand, key management schemes based on public key cryptography (PKC) could provide much simpler solutions with stronger security resilience. However, PKC requires more computing capacity, and for this reason it was generally considered not applicable to energy-constrained WSNs. But recent works have demonstrated the feasibility of PKC on resource-constrained sensor nodes. Specifically, Oliveira et al. implemented pairings for sensor nodes based on the 8-bit/7.3828-MHz ATmega128L microcontroller (e.g., MICA2 and MICAz motes) [OLI], and they argued that pairing-based cryptography is indeed viable in resource-constrained nodes. Usually, PKC schemes are used for bootstrapping security in WSNs, i.e., for generating symmetric keys for communication or for key distribution.

Kui et al. addressed the multiuser broadcast authentication problem in WSNs by designing PKC-based solutions [REN]. Their schemes are built upon the integration of several cryptographic techniques, including the Bloom filter, the Merkle hash tree, etc. However, they use the Bloom filter between the base station and the network users, where the network users are personnel or devices that use the WSN; they are not sensor nodes.
In our scheme, the Bloom filter is used among the sensor nodes of the WSN to provide efficient authentication.

But there are still several problems. For example, how does one verify the validity of a public key? Conventional solutions, such as Public Key Infrastructure (PKI) and certificates, are not implementable in WSNs due to their constrained resources. How does one apply Identity-Based Encryption (IBE) [BF] in WSNs efficiently and securely while preserving the integrity of a public key? Public key validity is hard to verify in present IBE schemes, because it usually depends on a certificate and a CA. Additionally, certificates result in a large communication overhead and expensive signature verification operations, which consume more energy. Because of the absence of PKI and certificates in WSNs, there is no authentication in the state-of-the-art IBE schemes, which are therefore subject to many attacks, such as the Sybil attack, the man-in-the-middle attack, etc.

Focused on addressing these problems, we propose an efficient identity-based key management scheme (IBKM), which adopts an identity-based cryptosystem to distribute session keys between nodes without the complicated operations of public key certificates; specifically, we exploit the Bloom filter to provide authentication with storage efficiency. A Bloom filter is a simple space-efficient randomized data structure based on hash functions for representing a set in order to support membership queries. Although Bloom filters allow false positives, for many applications, e.g., WSNs, the space savings outweigh this drawback when the probability of an error is sufficiently low.

2. Terminology

2.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2.2. Definitions and Notation

IBE Encryption: Identity-Based Encryption (IBE) is a public-key encryption technology that allows a public key to be calculated from an identity, and the corresponding private key to be calculated from the public key. Therefore, additional computations to verify the corresponding certificates are not needed. [RFC5091], [RFC5408], and [RFC5409] describe the algorithms required to implement IBE.

   E(k, x)   Encryption of x with the key k
   e(x, y)   Bilinear map of x and y
   PU_CH     Public key of a cluster head
   PR_CH     Private key of a cluster head
   PU_N      Public key of a sensor node
   PR_N      Private key of a sensor node

2.3. Abbreviations

   IBKM   Identity-Based Key Management
   BS     Base Station
   CH     Cluster Head
   N      Sensor Node
   PR     Private Key
   PU     Public Key
   TS     Time Stamp

3. Network model

Basically, there are two architectures for WSNs: a distributed flat architecture and a hierarchical architecture. Considering the limitations of WSNs, such as low energy supply, extremely large network size and redundant low-rate data, the hierarchical network model has more operational advantages than the flat homogeneous model for wireless sensors. In this work, we focus on the hierarchical network model.

There are three kinds of nodes in our WSN: base station (BS), cluster head (CH) and sensor node (N). We assume that the BS is trusted and that a CH is more capable than normal nodes. In a cluster, the CH collects and aggregates packets from its member nodes and forwards them to the BS. Normally, a member sensor node can transfer packets to the CH through several hops.

4. IBKM Scheme

4.1. Parameters Initialization Phase

BS selects large primes p and q and generates a random elliptic curve E over the finite field F(p). One point P on curve E is selected and used as the generator of an additive group G1, and e: G1*G1 -> F(p) is a bilinear map. H1 is a cryptographic hash function.

1. BS selects a random number s and computes P_pub = s*P.
   BS broadcasts the public parameters.

2. BS generates each node's ID and calculates the public and private key pair of the node. The public key is PU_N = H1(ID_N), while the private key is PR_N = s*PU_N. Then, BS preloads them into the node.

3. BS generates the CH's ID and calculates the public and private key pair of the CH. The public key is PU_CH = H1(ID_CH), while the private key is PR_CH = s*PU_CH. Then, BS stores them in the CH.

4. BS keeps a list of all nodes' IDs and their public-private key pairs. BS also keeps all CHs' IDs and public keys for the next steps.

4.2. Node Registration Phase

In this phase, all sensor nodes register with the cluster heads, and a session key is generated between each node and its cluster head.

1. CH broadcasts a message that contains its own identity ID_CH and public key PU_CH to all neighboring sensor nodes.

   CH -> N: ID_CH, PU_CH

2. Upon receipt of the CH's message, each sensor node sends its ID and public key to the CH it wants to join.

   Node -> CH: ID_N, PU_N

3. After receiving the ID and public key of a node, CH calculates the session key K_s1.

   K_s1 = e(PR_CH, PU_N)

4. The node calculates the session key K_s2.

   K_s2 = e(PR_N, PU_CH)

   It can be proved that K_s1 = K_s2 as follows:

   K_s1 = e(PR_CH, PU_N) = e(s*PU_CH, PU_N) = e(s*PU_N, PU_CH) = e(PR_N, PU_CH) = K_s2

5. CH generates a Bloom filter of all nodes' IDs and public keys within its cluster and sends the Bloom filter, encrypted with the session key generated above, to all nodes in the cluster.

   CH -> N: E(K_s1, Bloom filter)

4.3. Share Secret Key Generation between Two Nodes

1. Sensor Node A chooses a random number r1 and, after it has registered with the CH, broadcasts to its neighboring nodes a message that contains its ID, its public key and a time stamp, encrypted with its own private key.
   A -> Neighbor Nodes: ID_A, E(PR_A, (r1*PU_A, TS))

2. When the neighboring Node B receives the message, it verifies the authenticity of A by checking whether the hash mapping of (ID_A, PU_A) is contained in the Bloom filter obtained from the CH. A negative answer means authentication failure. If authentication passes, B chooses its random number r2 and returns its ID, its public key and a time stamp, encrypted with its own private key. Then, B calculates the session key K_B.

   B -> A: ID_B, E(PR_B, (r2*PU_B, TS))

   K_B = e(r2*PR_B, r1*PU_A)

3. A decrypts the message and gets B's ID and public key. A verifies the authenticity of B using the Bloom filter obtained from the CH. If B is authenticated, A calculates the session key K_A.

   K_A = e(r1*PR_A, r2*PU_B)

   It can also be proved that K_A = K_B using the properties of the bilinear map:

   K_A = e(r1*PR_A, r2*PU_B) = e(r1*s*PU_A, r2*PU_B) = e(r2*s*PU_B, r1*PU_A) = e(r2*PR_B, r1*PU_A) = K_B

   Afterwards, Nodes A and B can communicate with each other using the shared session key.

5. Security Considerations

Due to the unreliable wireless channel and volatile topology, a key agreement scheme for WSNs is subject to various attacks, such as the node-compromise attack, the Sybil attack, etc. Compared to previous works, our scheme can resist these attacks using the bilinear map and authentication through the Bloom filter.

Sybil attack: Before node deployment, the BS allocates an ID for each node in the WSN, and then the CH generates a Bloom filter of the nodes in its own cluster. Therefore, before sharing a secret key, two nodes authenticate each other using the Bloom filter generated by the CH. IBKM can thus resist the Sybil attack because an adversary cannot convince another node that it has a legal ID.

Node-compromise attack: It is easy to capture a node in a WSN and steal secret information about the network stored in the node. Compared to the EG and other key pre-distribution schemes, IBKM can resist the node-compromise attack and ensure the security of the entire network.
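The Bloom filter membership check of step 5 in Section 4.2 and step 2 in Section 4.3, as an added example that is not part of the draft: the cluster head inserts each registered (ID_N, PU_N) pair, and a neighbour checks an incoming HELLO against the filter before spending any pairing computation on it. The entry encoding, the SHA-256 double-hashing construction of the k indexes, and the sizes m = 4096 bits and k = 7 are assumptions; the draft fixes none of them.

```python
import hashlib
import math

class BloomFilter:
    """m-bit Bloom filter; the k indexes of an item come from one SHA-256
    digest by double hashing (h1 + i*h2 mod m), so a node needs no hash
    function beyond the one it already has."""
    def __init__(self, m_bits: int, k_hashes: int):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)  # sent as E(K_s1, Bloom filter)

    def _indexes(self, item: bytes):
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:16], "big")
        h2 = int.from_bytes(d[16:], "big") | 1  # odd step keeps indexes spread
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for idx in self._indexes(item):
            self.bits[idx // 8] |= 1 << (idx % 8)

    def __contains__(self, item: bytes) -> bool:
        return all((self.bits[i // 8] >> (i % 8)) & 1 for i in self._indexes(item))

def member_entry(node_id: bytes, pub_key: bytes) -> bytes:
    """Canonical encoding of (ID_N, PU_N); the length prefix stops the two
    fields from being re-split into a different (ID, PU) pair."""
    return len(node_id).to_bytes(1, "big") + node_id + pub_key

def build_cluster_filter(members, m_bits: int = 4096, k_hashes: int = 7) -> BloomFilter:
    """Step 5 of 4.2: CH inserts every registered (ID_N, PU_N) of its cluster."""
    bf = BloomFilter(m_bits, k_hashes)
    for node_id, pub_key in members:
        bf.add(member_entry(node_id, pub_key))
    return bf

def authenticate_hello(bf: BloomFilter, node_id: bytes, pub_key: bytes) -> bool:
    """Step 2 of 4.3: B checks (ID_A, PU_A) against the filter before doing
    any pairing; a negative answer ends the exchange (HELLO flood defence)."""
    return member_entry(node_id, pub_key) in bf

def false_positive_rate(m_bits: int, k_hashes: int, n_items: int) -> float:
    """Classical estimate (1 - e^(-kn/m))^k; the CH sizes m so this stays low."""
    return (1 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes

# Constructed sample cluster (not from the draft). In the real scheme PU_N is
# H1(ID_N), a curve point; a SHA-256 digest stands in for it here.
def demo_pub_key(node_id: bytes) -> bytes:
    return hashlib.sha256(b"H1|" + node_id).digest()

MEMBERS = [(nid, demo_pub_key(nid)) for nid in (b"N01", b"N02", b"N03", b"N04")]
CLUSTER_FILTER = build_cluster_filter(MEMBERS)
```

A filter hit only admits a HELLO to the next step; the draft's private-key signature and pairing still have to succeed, so a false positive costs the receiver some computation but does not by itself yield a session key.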
For the EG scheme and its variants, if the number of nodes captured by adversaries exceeds a certain threshold, the adversaries will obtain almost all of the keys of the WSN. However, in our scheme, different node pairs share different keys; even if a node is compromised, it will not affect other node pairs' keys.

Rekeying and forward secrecy: IBKM employs a random number r in the process of secret key generation between two nodes. On the one hand, we can stipulate the secret key agreement period; therefore, nodes must renegotiate a new session key within a certain period. In this way, we can enhance the security of the network. On the other hand, the rekeying can provide forward secrecy of the network when a node is captured by the adversary. Even if the adversary gets the current secret key, he cannot deduce the keys used before, because different random numbers generate different secret keys.

HELLO flood attack: In this attack, the main aim of the attacker is to deplete the node energy. In our scheme, every node possesses a Bloom filter for node identity authentication. Therefore, if an adversary sends a HELLO message, the receiving nodes will first check whether the message is legitimate or not. If the result is negative, the later calculation will not be carried out. Therefore, no more energy of the receiving node will be consumed.

Man-in-the-middle attack: In our scheme, the adversary cannot calculate the pairwise session key, even if he intercepts the system parameters, since the messages transmitted in our scheme are all encrypted in the public key cryptosystem. On the other hand, the session key is generated from the private key and the random number. It is assumed to be hard for an adversary to decrypt the message on air or to calculate the session key.

Mutual authentication: Our scheme achieves both identity authentication and key authentication.
Before the session key is agreed upon, the nodes verify the authenticity of each other by checking whether the corresponding hash mapping is contained in the local Bloom filter. A negative answer means that the node is illegal in this cluster. Then, we verify the identity of the node by the signature made with its private key. Afterwards, once Node A and Node B share the same session key, they can authenticate each other by means of the session key, because only A and B share the same key. In this way, we can prevent unauthenticated nodes from accessing the sensor network.

6. IANA Considerations

This memo includes no request to IANA.

7. References

7.1. Normative References

   [BF]      Boneh, D. and M. Franklin, "Identity-Based Encryption from the Weil Pairing", SIAM Journal on Computing, Vol. 32, No. 3, pp. 586-615, 2003.

   [EG]      Eschenauer, L. and V. D. Gligor, "A key-management scheme for distributed sensor networks", 9th ACM Conference on Computer and Communications Security, Washington, DC, USA, 18-22 November 2002, pp. 41-47.

   [OLI]     Oliveira, L. B., Aranha, D. F., Morais, E., Daguano, F., Lopez, J., and R. Dahab, "TinyTate: Computing the Tate pairing in resource-constrained sensor nodes", Proceedings of the Sixth IEEE International Symposium on Network Computing and Applications (NCA 2007), Cambridge, MA, USA, 12-14 July 2007, pp. 318-323.

   [REN]     Ren, K., Yu, S. C., Lou, W. J., and Y. C. Zhang, "Multi-User Broadcast Authentication in Wireless Sensor Networks", IEEE Transactions on Vehicular Technology, Vol. 58, pp. 4554-4564, 2009.

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

7.2. Informative References

   [RFC5091] Boyen, X. and L. Martin, "Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems", RFC 5091, December 2007.

   [RFC5408] Appenzeller, G., Martin, L., and M. Schertler, "Identity-Based Encryption Architecture and Supporting Data Structures", RFC 5408, January 2009.
   [RFC5409] Martin, L. and M. Schertler, "Using the Boneh-Franklin and Boneh-Boyen Identity-Based Encryption Algorithms with the Cryptographic Message Syntax (CMS)", RFC 5409, January 2009.

Authors' Addresses

   Zhongyuan Qin
   Southeast University
   No. 9, Mo Zhoudong Street, Nan Jing, Jiang Su Province 211100

   EMail: zyqin@seu.edu.cn

   Jie Huang
   Southeast University
   No. 9, Mo Zhoudong Street, Nan Jing, Jiang Su Province 211100

   EMail: jhuang@seu.edu.cn

   Xinshuai Zhang
   Southeast University
   No. 9, Mo Zhoudong Street, Nan Jing, Jiang Su Province 211100

   EMail: shuaishuaizhang@yahoo.com.cn