INTERNET-DRAFT                                           Zhongyuan Qin
Intended Status: Informational                               Jie Huang
Expires: October 2, 2015                                   Kerong Feng
                                                  Southeast University
                                                         April 2, 2015

        An Identity-based Security Scheme for Wireless Sensor Networks
                        draft-qin-cfrg-ibs-wsn-00

Abstract

This document specifies an identity-based security scheme for wireless
sensor networks (WSNs) built on Identity-Based Encryption (IBE). Each
cluster head can act as a private key generator (PKG), guarding against
the case where a sole PKG is captured, which would disable the whole
network. By dispersing the PKG function, the proposed scheme reduces
the consumption of key resources and improves the security of the WSN.
The analysis shows that the scheme can resist various attacks.

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.

Expires                                                        [Page 1]

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents carefully,
as they describe your rights and restrictions with respect to this
document.
Code Components extracted from this document must include Simplified
BSD License text as described in Section 4.e of the Trust Legal
Provisions and are provided without warranty as described in the
Simplified BSD License.

Table of Contents

1. Introduction
2. Terminology
   2.1. Requirements Language
   2.2. Definitions and Notation
   2.3. Abbreviations
3. Network model
4. Identity-based Security Scheme
   4.1. Initialization phase
   4.2. Clustering phase
   4.3. Parameter distribution
   4.4. Data aggregation phase
5. Security Considerations
6. IANA Considerations
7. References
   7.1. Normative References
   7.2. Informative References
Authors' Addresses

1. Introduction

Originating in the military field, the wireless sensor network (WSN)
has become a hot academic research topic. Wireless sensor networks
consist of a large number of tiny sensor nodes equipped with
microprocessors.
Because of the limited resources of each sensor node, the volatile
network topology and the openness of the wireless channel, WSNs are
vulnerable to various attacks including eavesdropping, message replay,
node capture attacks, Sybil attacks, etc., particularly in applications
where wireless sensor networks are deployed in a hostile environment or
used for crucial purposes. To resist these threats, researchers have
recently proposed a variety of security technologies, among which
encryption and signature are two important ones.

Compared with asymmetric key systems, the main benefit of a symmetric
key system is its low computing cost. Its drawback is that it needs a
key pre-distribution process and does not guarantee perfect
connectivity (in random key distribution schemes, neighboring nodes
share a common key only with some probability [EG]). To address these
problems, researchers have been investigating more efficient public
key cryptography (PKC) techniques for sensor networks. However, PKC
usually needs a public key infrastructure (PKI) to maintain the users'
certificates for public keys. Besides, the computation and energy
costs are high because the certificates need to be verified in these
protocols.

To address such problems, Shamir proposed the idea of identity-based
public-key cryptosystems [SHA], which simplified certificate
management. Shamir's original motivation for suggesting identity-based
encryption was to simplify certificate management in e-mail systems.
Soon after, various identity-based techniques were proposed, but a
fully functional identity-based encryption scheme was not found until
recently, by Boneh and Franklin [BF]. Since then the ideas of IBE have
been used to design several other identity-based schemes for different
purposes.
The disadvantage of current identity-based systems lies in the fact
that the nodes' private keys must be generated by the Key Generation
Center (KGC), which becomes a single point of failure in WSNs. Once the
KGC is compromised, the network would be almost entirely captured by
the attacker.

This document specifies an identity-based security scheme for WSNs in
which each cluster head can act as a KGC so as to improve security. It
includes four procedures, i.e., initialization, clustering, parameter
distribution and data aggregation. Each node gets its private key from
the cluster head, which acts as KGC. Analysis is given which shows that
our scheme can resist various attacks and provide strong protection in
WSNs.

2. Terminology

2.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

2.2. Definitions and Notation

IBE Encryption: Identity-Based Encryption (IBE) is a public-key
encryption technology that allows a public key to be calculated from
an identity, and the corresponding private key to be calculated from
the public key. Therefore, additional computations to verify the
corresponding certificates are not needed. [RFC5091], [RFC5408], and
[RFC5409] describe algorithms required to implement IBE.

E(k, x)   Encryption of x with the key k
e(x, y)   Bilinear map of x and y
PU_CH     Public key of a cluster head
PR_CH     Private key of a cluster head
PU_i      Public key of a sensor node i
PR_i      Private key of a sensor node i
s_ch      A secret random number chosen by the CH

2.3. Abbreviations

BS   Base Station
CH   Cluster Head
N    Sensor Node
PR   Private Key
PU   Public Key

3. Network model

There are two types of WSN architectures: the hierarchical
architecture and the distributed flat architecture.
In this document we focus on the hierarchical architecture. In a
hierarchical wireless sensor network, all nodes are classified into
three categories: base station, cluster heads and sensor nodes. A base
station/sink node (BS) is typically a gateway to another network. It
collects sensor node readings, performs costly operations on behalf of
sensor nodes and manages the network. It is assumed to be trusted and
to be the center of the entire network. In contrast, sensor nodes have
limited battery power, memory size and data processing capability, and
a short radio transmission range. Cluster heads have more resources
than ordinary nodes: they are equipped with high-power batteries, large
memory storage, powerful antennas and data processing capabilities.

In our scheme, we choose the cluster head within a certain distance of
the base station, since the cluster head consumes more energy when
communicating with the base station. Each sensor node in the same
cluster has the same opportunity to be chosen as cluster head. Periodic
replacement of the cluster head avoids the death of the main nodes and
guarantees the connectivity of the WSN.

4. Identity-based Security Scheme

4.1. Initialization phase

Before node deployment, the base station (BS) randomly chooses an
elliptic curve E over the finite field F(p) and a point P on the
elliptic curve E. The master key s is known only to the base station.
All nodes are preset with the same parameters (q, G1, G2, e, n, r,
P_pub, H1, H2), where q is a prime number, G1 and G2 are two groups of
order q, e: G1 x G1 -> G2 is a bilinear map, n is the output length of
the hash function, r is used to calculate the mapping value of the
public key, P is a random point on the elliptic curve E, H1 and H2
denote two different hash functions, P_pub = s*P is the public value,
PU_i = H1(ID_i) is the public key and PR_i = s*PU_i is the private key
of node i. The BS computes each private key and then preloads it into
the corresponding node.

4.2. Clustering phase

By default the BS is deployed at the center of the region and all
nodes are randomly deployed in the monitoring field. According to
geographical position, the BS selects n cluster heads and puts all
nodes into n temporary clusters distributed evenly over the region.
Then, the BS generates n random numbers K1, K2, ..., Kn as the group
keys of the clusters, distributes Ki to CH_i and stores the
corresponding relation between K and CH in a list. After that, each CH
needs to register its identity CH_i with the BS so that cluster heads
can be authenticated through the base station to ensure the validity of
the CH. At the same time, each CH broadcasts its identity to all nodes
in its cluster. A sensor node registers its identity with the CH after
receiving the message.

Each CH performs the function of a private key generator (PKG): it
selects a random number s_ch and calculates the public value
P_ch = s_ch*P. The CH also calculates its public key PU_ch = H1(ID_ch)
and private key PR_ch = s_ch*PU_ch.

4.3. Parameter distribution

During this phase, P_ch and the group key K are distributed to the
sensor nodes in the cluster by the CH. The details are as follows:

1. The CH chooses a random number sigma and computes the public key
   mapping value g_i = H2(e(PU_i, P_pub)^r) for every node in the
   cluster.

2. The CH constructs a polynomial F(g) = sigma*(sigma*e)^(g-g_i) using
   g_i and sigma, where e = 2.718 is a constant. The CH generates the
   ciphertext C = ((P_ch xor K) || (sigma xor K) || F(g)) and
   broadcasts it to all sensor nodes in the cluster.

3. After receiving the broadcast message C = (U || V || F(g)), sensor
   node i computes g_i = H2(e(PU_i, P_pub)^r) and substitutes g_i into
   the polynomial F(g). Node i obtains F(g_i) = sigma, V xor sigma = K
   and K xor U = P_ch, and later uses P_ch to exchange messages between
   the CH and the sensor node. The value P_ch changes with the cluster
   head, but P_pub is always the same.

4.4. Data aggregation phase

In the data aggregation phase, the data collected by sensor nodes is
sent to the CH over multiple hops. Suppose a sensor node belongs to
cluster j; its cluster head is then CH_j and its group key is Kj. For
simplicity we write CH and K for CH_j and Kj.

1. Sensor node i generates a random number t and calculates the
   mapping value g = e(PU_ch, P_ch). The ciphertext is
   C = E(K, ID_i || t*P || (m xor H2(g^t))), where K is the group key
   and m is the collected data. Nodes near the CH send the message
   directly to the CH; nodes far from the CH need multiple hops to
   deliver the collected information.

2. After receiving the message C = (M || W || F), the CH decrypts the
   ciphertext C with the group key K and authenticates the legal
   status of the ID in order to reject illegal members.

3. After authentication, the CH computes e(PR_ch, W) with its private
   key, and the collected data can be computed as
   m = F xor H2(e(PR_ch, W)). Correctness can be proved as follows:

   e(PR_ch, W) = e(s_ch*PU_ch, t*P)
               = e(PU_ch, t*P)^s_ch
               = e(PU_ch, s_ch*P)^t
               = e(PU_ch, P_ch)^t
               = g^t

5. Security Considerations

Former schemes including IBE suffered from the "security of the master
key" problem [SHA]. Once an adversary obtains the master key s, it can
easily compute all nodes' private keys. In our scheme each cluster
head acts as a PKG, which changes the situation in which there is only
one PKG in the whole network. The analysis and simulations show that
the proposed scheme has a high ability to resist various attacks and
provides strong protection for WSNs.

Hello Flood Attack: In our scheme, there are no hello messages between
nodes at the start. Instead, the CH broadcasts its identity after
being chosen as the cluster head, the BS verifies the nodes in each
cluster's list, and non-CH nodes directly register their identity with
the CH. The session keys are distributed in the form of a group key.

Sinkhole Attack: In the initialization phase, the BS randomly chooses
K cluster heads based on location.
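The procedure of Section 4 above (4.1 key setup at the BS, 4.2 the cluster head acting as PKG, 4.3 parameter distribution and 4.4 data aggregation with its correctness identity e(PR_ch, W) = g^t), worked through end to end as an added example in Python. This is not code from the draft or its authors. It assumes a constructed toy bilinear setting over small primes (Q = 101, PMOD = 607) in which the pairing algebra can be checked offline but which offers no security; E(k, x), which the draft does not specify, is stood in for by a SHA-256 keystream XOR; the polynomial F(g) of 4.3 is replaced by a table that keeps only the property F(g_i) = sigma the nodes rely on; and r = 7, the group key and the node names are constructed values.

```python
import hashlib
import secrets

# Toy bilinear setting (constructed, not secure): G1 is the additive group Z_Q
# with the "point" k*P represented as k*P_POINT mod Q; G2 is the order-Q
# subgroup of Z_PMOD^* generated by GEN; e(a, b) = GEN^(a*b) mod PMOD, so
# e(s*X, t*Y) = e(X, Y)^(s*t) holds, which is all the scheme's algebra needs.
Q = 101          # prime group order
PMOD = 607       # prime with Q | PMOD-1 (607 = 6*101 + 1)
GEN = 64         # 2^6 mod 607, an element of order Q
P_POINT = 3      # the draft's public point P in this representation
assert PMOD % Q == 1 and GEN != 1 and pow(GEN, Q, PMOD) == 1

def smul(k, pt):                 # scalar multiplication k*pt in G1
    return (k * pt) % Q

def pairing(x, y):               # bilinear map e: G1 x G1 -> G2
    return pow(GEN, (x * y) % Q, PMOD)

def h1(identity):                # H1: identity -> non-zero G1 element
    d = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def h2(g2_elem):                 # H2: G2 element -> 32-bit mask (n = 32)
    d = hashlib.sha256(b"H2|" + str(g2_elem).encode()).digest()
    return int.from_bytes(d[:4], "big")

def sym_xor(key, data):
    """Stand-in for E(k, x), which the draft leaves unspecified: XOR with a
    SHA-256 counter keystream, so the same call encrypts and decrypts."""
    out = bytearray()
    for i, b in enumerate(data):
        blk = hashlib.sha256(key.to_bytes(4, "big") + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ blk[i % 32])
    return bytes(out)

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1

# 4.1 Initialization: master key s, P_pub = s*P, node private key PR_i = s*H1(ID_i)
def bs_setup(s=None):
    s = s if s is not None else rand_scalar()
    return s, smul(s, P_POINT)

def bs_extract(s, identity):
    return smul(s, h1(identity))

# 4.2 Clustering: every cluster head is a PKG with its own secret s_ch
class ClusterHead:
    def __init__(self, identity, group_key):
        self.identity = identity
        self.group_key = group_key                 # K_i handed out by the BS
        self.s_ch = rand_scalar()
        self.p_ch = smul(self.s_ch, P_POINT)       # P_ch = s_ch*P
        self.pu_ch = h1(identity)                  # PU_ch = H1(ID_ch)
        self.pr_ch = smul(self.s_ch, self.pu_ch)   # PR_ch = s_ch*PU_ch
        self.members = set()                       # identities registered with the CH

    # 4.3 Parameter distribution: broadcast (P_ch xor K) || (sigma xor K) || F
    def broadcast_params(self, p_pub, r):
        sigma = secrets.randbits(32)
        # Assumption: the draft's polynomial F(g) is replaced by a table
        # g_i -> sigma; only the property F(g_i) = sigma the nodes use is kept.
        table = {h2(pow(pairing(h1(i), p_pub), r, PMOD)): sigma for i in self.members}
        return self.p_ch ^ self.group_key, sigma ^ self.group_key, table

def node_recover_params(identity, p_pub, r, msg):
    u, v, table = msg
    g_i = h2(pow(pairing(h1(identity), p_pub), r, PMOD))   # g_i = H2(e(PU_i, P_pub)^r)
    sigma = table[g_i]                                     # F(g_i) = sigma
    k = v ^ sigma                                          # V xor sigma = K
    return k, k ^ u                                        # K xor U = P_ch

# 4.4 Data aggregation
def node_encrypt(identity, m, pu_ch, p_ch, k):
    t = rand_scalar()
    g = pairing(pu_ch, p_ch)
    w = smul(t, P_POINT)                       # t*P
    f = m ^ h2(pow(g, t, PMOD))                # m xor H2(g^t)
    return sym_xor(k, f"{identity}|{w}|{f}".encode())   # E(K, ID_i || t*P || ...)

def ch_decrypt(ch, ciphertext):
    ident, w, f = sym_xor(ch.group_key, ciphertext).decode().split("|")
    if ident not in ch.members:                # step 2: reject unregistered IDs
        raise ValueError("unregistered identity")
    return int(f) ^ h2(pairing(ch.pr_ch, int(w)))   # m = F xor H2(e(PR_ch, W))

def run_demo(m=0xC0FFEE):
    """Whole flow for one cluster; returns (recovered m, intruder rejected?)."""
    s, p_pub = bs_setup()
    r = 7                                      # preset parameter r (constructed value)
    ch = ClusterHead("CH-1", group_key=secrets.randbits(32))
    ch.members.update({"node-17", "node-23"})  # registrations of 4.2
    k, p_ch = node_recover_params("node-17", p_pub, r, ch.broadcast_params(p_pub, r))
    assert (k, p_ch) == (ch.group_key, ch.p_ch)
    recovered = ch_decrypt(ch, node_encrypt("node-17", m, ch.pu_ch, p_ch, k))
    try:                                       # an unregistered sender is dropped
        ch_decrypt(ch, node_encrypt("intruder", m, ch.pu_ch, p_ch, k))
        rejected = False
    except ValueError:
        rejected = True
    return recovered, rejected

if __name__ == "__main__":
    print(run_demo())
```

run_demo() returns the reading recovered by the CH together with a flag showing that a ciphertext from an identity that never registered is refused at step 2 of 4.4 before any pairing is computed. The pairing identity of step 3 is exercised implicitly: the node masks m with H2(g^t) and the CH unmasks with H2(e(PR_ch, W)), and the two only agree because e is bilinear.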
Location-based selection of cluster heads avoids dividing clusters
based only on energy. Within a cluster, the CH is changed periodically,
and the criteria for selecting a new cluster head include energy,
distance to the former cluster head, etc. Therefore it is difficult for
a sinkhole attack to arise.

Sybil Attack: The proposed scheme ensures that each entity in the WSN
always has a unique identification, and that its identity and its
vicinity, in terms of transmission range, are securely authenticated
and verified. Each node must register with the CH; after that, the BS
compares the list received from every cluster head with its own list.
When forwarding messages, only those sensor nodes with the same group
key have the right to forward the messages they receive.

Forward Secrecy: Assume that an adversary named Eve has obtained the
group key K and tries to decrypt the eavesdropped ciphertext. However,
Eve cannot get the plaintext M because she cannot get the CH's private
key PR_ch, which is used to recover the plaintext M through the
bilinear mapping. In addition, after message collection is finished,
the group key is revoked and replaced by a new random number.

6. IANA Considerations

This memo includes no request to IANA.

7. References

7.1. Normative References

[BF]      Boneh, D. and M. Franklin, "Identity-Based Encryption from
          the Weil Pairing", SIAM J. of Computing, Vol. 32, No. 3,
          pp. 586-615, 2003.

[EG]      Eschenauer, L. and V.D. Gligor, "A key-management scheme for
          distributed sensor networks", 9th ACM Conference on Computer
          and Communications Security, Washington, DC, USA, 18-22
          November 2002, pp. 41-47.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.

[SHA]     Shamir, A., "Identity-based cryptosystems and signature
          schemes", Proc. Advances in Cryptology, Springer, 1985,
          pp. 47-53.

7.2. Informative References

[RFC5091] Boyen, X. and L. Martin, "Identity-Based Cryptography
          Standard (IBCS) #1: Supersingular Curve Implementations of
          the BF and BB1 Cryptosystems", RFC 5091, December 2007.

[RFC5408] Appenzeller, G., Martin, L., and M. Schertler, "Identity-
          Based Encryption Architecture and Supporting Data
          Structures", RFC 5408, January 2009.

[RFC5409] Martin, L. and M. Schertler, "Using the Boneh-Franklin and
          Boneh-Boyen Identity-Based Encryption Algorithms with the
          Cryptographic Message Syntax (CMS)", RFC 5409, January 2009.

Authors' Addresses

Zhongyuan Qin
Southeast University
No.9, MoZhou East Street, Nan Jing, Jiang Su Province 211100
EMail: zyqin@seu.edu.cn

Jie Huang
Southeast University
No.9, MoZhou East Street, Nan Jing, Jiang Su Province 211100
EMail: jhuang@seu.edu.cn

Kerong Feng
Southeast University
No.9, MoZhou East Street, Nan Jing, Jiang Su Province 211100
EMail: fengkerong@163.com