INTERNET-DRAFT                                             Zhongyuan Qin
Intended Status: Informational                                 Jie Huang
Expires: September 18, 2015                               Xinshuai Zhang
                                                    Southeast University
                                                          March 18, 2015



 An Identity-Based Key Management Scheme for Wireless Sensor Networks 
                       draft-qin-cfrg-ibkm-wsn-00


Abstract

   This document specifies an efficient identity-based key management
   (IBKM) scheme for wireless sensor networks (WSNs), whose nodes are
   resource-limited: low computing capacity, small memory, a constrained
   power supply, low unit price, etc. The scheme exploits a Bloom filter
   to authenticate the communicating sensor nodes with storage
   efficiency. The security analysis shows that IBKM can prevent several
   attacks effectively with acceptable computation and communication
   overhead.


Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on July 27, 2015.

Copyright Notice
 


<Zhongyuan Qin>         Expires <August 2, 2015>                [Page 1]

INTERNET DRAFT                   <IBKM>               <January 29, 2015>


   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Table of Contents

   1. Introduction  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . .  4
     2.1. Requirements Language . . . . . . . . . . . . . . . . . . .  4
     2.2. Definitions and Notation  . . . . . . . . . . . . . . . . .  4
     2.3. Abbreviations . . . . . . . . . . . . . . . . . . . . . . .  5
   3. Network model . . . . . . . . . . . . . . . . . . . . . . . . .  5
   4. IBKM Scheme . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     4.1. Parameters Initialization Phase . . . . . . . . . . . . . .  5
     4.2. Node Registration Phase . . . . . . . . . . . . . . . . . .  6
     4.3. Share Secret Key Generation between Two Nodes . . . . . . .  6
   5. Security Considerations . . . . . . . . . . . . . . . . . . . .  7
   6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . .  8
   7. References  . . . . . . . . . . . . . . . . . . . . . . . . . .  9
     7.1. Normative References  . . . . . . . . . . . . . . . . . . .  9
     7.2. Informative References  . . . . . . . . . . . . . . . . . .  9
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10

1. Introduction

   Wireless Sensor Networks (WSNs) are ripe for wide adoption in several
   applications, such as military, healthcare, automotive, research, and
   so on. Applications such as military ones place higher requirements
   on WSN security. However, WSN security is a challenging problem
   because of the openness of WSN architectures, which enables
   adversaries to easily eavesdrop on, intercept, inject and alter
   transmitted information. Besides, the existing computer network
   security mechanisms cannot be directly adopted in WSNs because of the
   restricted node resources and low communication bandwidth. Therefore,
   it is urgent to put forward low-consumption key management schemes
   for WSNs.

   Until now, key management schemes in WSNs have mainly been based on
   symmetric cryptographic algorithms. For example, Eschenauer and
   Gligor proposed a probabilistic key pre-distribution scheme for
   pairwise key establishment [EG]. Its basic idea is that each node
   randomly picks a set of keys from a key pool before deployment, so
   that any two sensor nodes share at least one common key with a
   certain probability.

   On the other hand, key management schemes based on public key
   cryptography (PKC) could provide much simpler solutions with stronger
   security resilience. However, PKC requires more computing capacity,
   and for this reason it was generally considered not applicable to
   energy-constrained WSNs. But recent works have demonstrated the
   feasibility of PKC on resource-constrained sensor nodes. In
   particular, Oliveira et al. implemented pairings for sensor nodes
   based on the 8-bit/7.3828-MHz ATmega128L microcontroller (e.g., MICA2
   and MICAz motes) [OLI], and they argued that pairing-based
   cryptography is indeed viable in resource-constrained nodes. Usually,
   PKC schemes are used for bootstrapping security in WSNs, i.e., for
   generating symmetric keys for communication or for key distribution.
   Kui et al. addressed the multiuser broadcast authentication problem
   in WSNs by designing PKC-based solutions [REN]. Their schemes are
   built upon the integration of several cryptographic techniques,
   including the Bloom filter and the Merkle hash tree. However, they
   use the Bloom filter between the base station and the network users,
   where the network users are the personnel or devices that use the
   WSN; they are not sensor nodes. In our scheme, the Bloom filter is
   used among the sensor nodes of the WSN to provide efficient
   authentication.

   But there are still several problems. For example, how does one
   verify the validity of a public key? Conventional solutions, such as
   a Public Key Infrastructure (PKI) and certificates, cannot be
   implemented in WSNs because of the nodes' constrained resources. How
   does one apply Identity-Based Encryption (IBE) [BF] in WSNs
   efficiently and securely while preserving the integrity of a public
   key? Public key validity is hard to verify in present IBE schemes,
   because verification usually depends on a certificate and a CA.
   Additionally, certificates result in a large communication overhead
   and expensive signature verification operations, which consume more
   energy.

   Because of the absence of PKI and certificates in WSNs, there is no
   authentication in the state-of-the-art IBE schemes, which are
   therefore subject to many attacks, such as the Sybil attack, the
   man-in-the-middle attack, etc. To address these problems, we propose
   an efficient identity-based key management scheme (IBKM), which
   adopts an identity-based cryptosystem to distribute session keys
   between nodes without the complicated operations of public key
   certificates; specifically, we exploit the Bloom filter to provide
   authentication with storage efficiency. A Bloom filter is a simple,
   space-efficient randomized data structure based on hash functions
   that represents a set in order to support membership queries.
   Although Bloom filters allow false positives, for many applications,
   e.g., WSNs, the space savings outweigh this drawback when the
   probability of an error is sufficiently low.


2. Terminology

2.1. Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.2. Definitions and Notation

      IBE: Identity-Based Encryption (IBE) is a public-key encryption
   technology that allows a public key to be calculated from an
   identity, and the corresponding private key to be calculated from
   the public key by the key generator that holds the master secret.
   Therefore, additional computations to verify certificates are not
   needed. [RFC5091], [RFC5408], and [RFC5409] describe the algorithms
   required to implement IBE.

      E(k, x)  Encryption of x with the key k

      e(x, y)  Bilinear map of x and y

      PU_CH    Public key of a cluster head

      PR_CH    Private key of a cluster head

      PU_N     Public key of a sensor node
      PR_N     Private key of a sensor node

2.3. Abbreviations

      IBKM      Identity-Based Key Management

      BS        Base Station

      CH        Cluster Head

      N         Sensor Node 

      PR        Private Key

      PU        Public Key

      TS        Time Stamp

3. Network model

   Basically, there are two architectures for WSNs. One is a distributed
   flat architecture, and the other is a hierarchical architecture.
   Considering the limitations of WSNs, such as low energy supply,
   extremely large network size and redundant low-rate data, the
   hierarchical network model has more operational advantages than the
   flat homogeneous model for wireless sensors.

   In this work, we focus on the hierarchical network model. 

   There are three different kinds of nodes in our WSN: base station
   (BS), cluster head (CH) and sensor node (N). We assume that the BS is
   trusted and that a CH is more capable than normal nodes. In a
   cluster, the CH collects and aggregates packets from its member nodes
   and forwards them to the BS. Normally, a member sensor node can
   transfer packets to the CH through several hops.


4. IBKM Scheme

4.1. Parameters Initialization Phase

   BS selects large primes p and q and generates a random elliptic curve
   E over the finite field F(p). One point P on curve E is selected and
   used as the generator of an additive group G1, and e: G1*G1->F(p) is
   a bilinear map. H1 is a cryptographic hash function.

   1. BS selects a random number s and computes P_pub=s*P. BS broadcasts
   the public parameters.

   2. BS generates each node's ID and calculates the public and private
   key pair of the node. The public key is PU_N=H1(ID_N), while the
   private key is PR_N=s*PU_N. Then, BS preloads them into the node.

   3. BS generates the CH's ID and calculates the public and private key
   pair of the CH. The public key is PU_CH=H1(ID_CH), while the private
   key is PR_CH=s*PU_CH. Then, BS stores them in the CH.

   4. BS keeps a list of all nodes' IDs and their public-private key
   pairs. BS also keeps all CHs' IDs and public keys for the next steps.

4.2. Node Registration Phase

   In this phase, all sensor nodes register to the cluster heads and a
   session key is generated between each node and their cluster head.

   1. CH broadcasts a message that contains its own identity ID_CH and
   public key PU_CH to all neighboring sensor nodes.

   CH->N: ID_CH, PU_CH

   2. Upon receipt of the CH's message, each sensor node sends its ID
   and public key to the CH that it wants to join.

   Node->CH: ID_N, PU_N

   3. After receiving the ID and public key of a node, CH calculates the
   session key K_s1.

   K_s1=e(PR_CH, PU_N)

   4. The node calculates the session key K_s2.

   K_s2=e(PR_N, PU_CH)

   It can be proved that K_s1=K_s2, using the bilinearity and symmetry
   of e, as follows:

   K_s1=e(PR_CH, PU_N)=e(s*PU_CH, PU_N)
       =e(s*PU_N, PU_CH)=e(PR_N, PU_CH)=K_s2

   5. CH generates a Bloom filter of all nodes' IDs and public keys
   within its cluster and sends the Bloom filter, encrypted by the
   session key generated before, to all nodes in the cluster.

   CH->N: E(K_s1, Bloom filter)
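
   Step 5 leaves open how the CH builds the Bloom filter and what
   false-positive rate a given filter size implies. The following is an
   added example, not code from this draft or its authors, of a CH
   sizing and filling the filter over its members' (ID_N, PU_N) pairs
   and of a node querying it as in the next section. It assumes SHA-256
   as H1 with the digest read as an integer, a double-hashing
   construction for the k filter indexes, a length-prefixed encoding of
   the (ID, PU) pair, and constructed node IDs of the form node-000;
   none of these choices appear in the draft.

```python
import hashlib
import math


class BloomFilter:
    """Bit-array Bloom filter whose k indexes come from one SHA-256 digest
    (double hashing: h_i = h1 + i*h2 mod m), so a membership query costs a
    sensor node a single hash computation."""

    def __init__(self, m_bits: int, k_hashes: int):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _indexes(self, item: bytes):
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1   # odd, so h2 never collapses the indexes
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for idx in self._indexes(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indexes(item))

    def to_bytes(self) -> bytes:
        """The payload the CH encrypts under K_s1 and sends to each member."""
        return bytes(self.bits)


def h1_public_key(node_id: str) -> int:
    """Assumed H1: SHA-256 of the ID read as an integer (PU_N = H1(ID_N))."""
    return int.from_bytes(hashlib.sha256(node_id.encode()).digest(), "big")


def member_entry(node_id: str, pu_n: int) -> bytes:
    """Encoding of the (ID_N, PU_N) pair the CH inserts; the length prefix
    keeps 'ab'+'c' and 'a'+'bc' from producing the same bytes."""
    ident = node_id.encode()
    return len(ident).to_bytes(2, "big") + ident + pu_n.to_bytes(32, "big")


def optimal_params(n_members: int, target_fp: float):
    """Smallest (m bits, k hashes) meeting the false-positive target for n
    members, from the standard Bloom filter sizing formulas."""
    m = math.ceil(-n_members * math.log(target_fp) / (math.log(2) ** 2))
    k = max(1, round(m / n_members * math.log(2)))
    return m, k


def false_positive_rate(m: int, k: int, n: int) -> float:
    """Expected probability that an item never inserted is reported present."""
    return (1.0 - math.exp(-k * n / m)) ** k


def build_cluster_filter(members, m: int, k: int) -> BloomFilter:
    bf = BloomFilter(m, k)
    for node_id, pu_n in members:
        bf.add(member_entry(node_id, pu_n))
    return bf


def demo_cluster(n_nodes: int = 50, target_fp: float = 1e-3, trials: int = 1000):
    """Constructed cluster of n_nodes members; then `trials` outsider IDs and
    `trials` forged pairs (a real member ID with a public key that is not
    H1(ID)) are checked the way a node does in Section 4.3 step 2."""
    members = [(f"node-{i:03d}", h1_public_key(f"node-{i:03d}")) for i in range(n_nodes)]
    m, k = optimal_params(n_nodes, target_fp)
    bf = build_cluster_filter(members, m, k)
    accepted = sum(member_entry(nid, pu) in bf for nid, pu in members)
    outsiders = sum(member_entry(f"rogue-{i}", h1_public_key(f"rogue-{i}")) in bf
                    for i in range(trials))
    forged = sum(member_entry(members[i % n_nodes][0], h1_public_key(f"forged-{i}")) in bf
                 for i in range(trials))
    return {"m_bits": m, "k_hashes": k, "filter_bytes": len(bf.to_bytes()),
            "members_accepted": accepted, "outsiders_accepted": outsiders,
            "forged_accepted": forged,
            "predicted_fp": false_positive_rate(m, k, n_nodes)}


if __name__ == "__main__":
    for key, value in demo_cluster().items():
        print(f"{key}: {value}")
```

   For a 50-node cluster and a 0.1% false-positive target the filter is
   719 bits (90 bytes), which is the size of the step 5 payload; every
   member is always accepted, while an outsider ID or a forged (ID, PU)
   pair passes only with the predicted probability. Because PU_N =
   H1(ID_N) is public, the filter establishes only that an ID belongs to
   the cluster; proof that the sender holds PR_N comes from the
   private-key encryption in Section 4.3, which a false positive still
   has to pass.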

4.3. Share Secret Key Generation between Two Nodes

   1. After it has registered with the CH, sensor node A chooses a
   random number r1 and broadcasts to its neighboring nodes a message
   that contains its ID, its public key multiplied by r1, and a time
   stamp, the latter two encrypted by its own private key.

   A->Neighbor Nodes: ID_A, E(PR_A, (r1*PU_A, TS))

   2. When the neighboring node B receives the message, it verifies the
   authenticity of A by checking whether the hash mapping of (ID_A, PU_A)
   is contained in the Bloom filter obtained from the CH.

   A negative answer means authentication failure. If the authentication
   passes, B chooses its own random number r2 and returns its ID, its
   public key multiplied by r2, and a time stamp, the latter two
   encrypted by its own private key. Then, B calculates the session key
   K_B.

   B->A: ID_B, E(PR_B, (r2*PU_B, TS))

   K_B=e(r2*PR_B, r1*PU_A)

   3. A decrypts the message and gets B's ID and public key. A verifies
   the authenticity of B using the Bloom filter obtained from the CH. If
   B is authenticated, A calculates the session key K_A.

   K_A=e(r1*PR_A, r2*PU_B)

   It can also be proved that K_A=K_B using the properties of the
   bilinear map:

   K_A=e(r1*PR_A, r2*PU_B)=e(r1*s*PU_A, r2*PU_B)
      =e(r2*s*PU_B, r1*PU_A)=e(r2*PR_B, r1*PU_A)=K_B

   Afterwards, nodes A and B can communicate with each other using the
   shared session key.
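
   The equalities K_s1=K_s2 (Section 4.2) and K_A=K_B (above) rest only
   on the bilinearity and symmetry of e, and that is what the following
   added example checks end to end for both phases. It is not code from
   this draft or its authors: it replaces the elliptic-curve pairing by
   a toy map e(X, Y) = G^(X*Y) mod p over the additive group Z_q
   (generator P = 1, q = 2^127 - 1, p = k*q + 1 found at run time, G of
   order q), which is bilinear and symmetric but offers no security,
   since scalar multiplication in Z_q is trivially inverted. H1 is
   assumed to be SHA-256 reduced modulo q, the node IDs are constructed,
   and the preloaded_key_matches check is an addition that is not part
   of the scheme.

```python
import hashlib
import random

# Toy stand-in for the draft's bilinear map e: G1*G1 -> F(p). G1 is the
# additive group Z_Q with generator P = 1 (so a*P is just a mod Q) and
# e(X, Y) = G^(X*Y) mod P_FIELD, with G of order Q in F(P_FIELD)^*. The map is
# bilinear and symmetric, which is all the K_s1 = K_s2 and K_A = K_B proofs
# use, but it gives NO security: s*PU is divided back to s in one step. A real
# deployment uses a pairing on an elliptic curve, e.g. the Tate pairing [OLI].

Q = (1 << 127) - 1        # Mersenne prime M127: order of the toy group G1


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small-prime bases (probabilistic for large n)."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def choose_field_prime(q: int):
    """Smallest prime p = k*q + 1 (k even) so that F(p)^* has a subgroup of order q."""
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    return k * q + 1, k


P_FIELD, COFACTOR = choose_field_prime(Q)


def choose_generator(p: int, cofactor: int) -> int:
    """g = h^cofactor satisfies g^Q = h^(p-1) = 1, so ord(g) divides the prime Q."""
    for h in range(2, 1000):
        g = pow(h, cofactor, p)
        if g != 1:
            return g
    raise ValueError("no element of order Q found")


G = choose_generator(P_FIELD, COFACTOR)


def H1(identity: str) -> int:
    """Assumed H1: SHA-256 of the ID reduced into G1, never zero (PU = H1(ID))."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % Q or 1


def pairing(x: int, y: int) -> int:
    """Toy e(X, Y) = G^(X*Y): e(a*X, Y) = e(X, a*Y) and e(X, Y) = e(Y, X)."""
    return pow(G, (x * y) % Q, P_FIELD)


def setup(rng=None):
    """Section 4.1 step 1: BS picks the master secret s and publishes P_pub = s*P."""
    rng = rng or random.SystemRandom()
    s = rng.randrange(1, Q)
    return s, s % Q                  # P = 1, hence P_pub = s


def node_keys(s: int, identity: str):
    """Section 4.1 steps 2-3: PU = H1(ID), PR = s*PU, both preloaded by the BS."""
    pu = H1(identity)
    return pu, (s * pu) % Q


def preloaded_key_matches(pu: int, pr: int, p_pub: int) -> bool:
    """Added check, not in the draft: a node confirms its preloaded PR belongs
    to the broadcast P_pub, since e(PR, P) = e(s*PU, P) = e(PU, s*P)."""
    return pairing(pr, 1) == pairing(pu, p_pub)


def registration_keys(pr_ch: int, pu_n: int, pr_n: int, pu_ch: int):
    """Section 4.2 steps 3-4: K_s1 computed by the CH, K_s2 by the node."""
    return pairing(pr_ch, pu_n), pairing(pr_n, pu_ch)


def pairwise_keys(pr_a, pu_a, pr_b, pu_b, r1: int, r2: int):
    """Section 4.3: A computes e(r1*PR_A, r2*PU_B), B computes e(r2*PR_B, r1*PU_A)."""
    k_a = pairing((r1 * pr_a) % Q, (r2 * pu_b) % Q)
    k_b = pairing((r2 * pr_b) % Q, (r1 * pu_a) % Q)
    return k_a, k_b


if __name__ == "__main__":
    s, p_pub = setup(random.Random(2015))      # fixed seed: reproducible demo run
    pu_ch, pr_ch = node_keys(s, "CH-01")       # constructed IDs
    pu_a, pr_a = node_keys(s, "node-A")
    pu_b, pr_b = node_keys(s, "node-B")
    print("node key matches P_pub:", preloaded_key_matches(pu_a, pr_a, p_pub))
    k_s1, k_s2 = registration_keys(pr_ch, pu_a, pr_a, pu_ch)
    print("K_s1 == K_s2:", k_s1 == k_s2)
    k_a, k_b = pairwise_keys(pr_a, pu_a, pr_b, pu_b, 5, 9)
    print("K_A == K_B:", k_a == k_b)
    print("new r1 gives a new key:",
          pairwise_keys(pr_a, pu_a, pr_b, pu_b, 6, 9)[0] != k_a)
```

   Two properties of the formulas show up directly in the run: K_s1
   depends only on the long-term keys, so a node that re-registers with
   the same CH obtains the same key every time, whereas K_A mixes r1 and
   r2, so changing either nonce yields a different pairwise key, which
   is the basis of the rekeying argument in Section 5.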

5. Security Considerations

   Due to the unreliable wireless channel and volatile topology, a key
   agreement scheme for WSNs is subject to various attacks, such as
   node-compromise attack, Sybil attack, etc. Compared to previous
   works, our scheme can resist these attacks using the bilinear map and
   authentication through the Bloom filter.

   Sybil Attack: Before node deployment, the BS allocates an ID for each
   node in the WSN, and then the CH generates a Bloom filter of the
   nodes in its own cluster. Before sharing a secret key, two nodes
   therefore authenticate each other using the Bloom filter generated by
   the CH. IBKM can thus resist the Sybil attack, because an adversary
   cannot convince another node that it holds a legal ID.

   Node-compromise attack: It is easy to capture a node in a WSN and
   steal the secret information about the network stored in the node.
   Compared to EG and other key pre-distribution schemes, IBKM can
   resist the node-compromise attack and ensure the security of the
   entire network. For the EG scheme and its variants, if the number of
   nodes captured by the adversary exceeds a certain threshold, the
   adversary obtains almost all of the keys of the WSN. In our scheme,
   however, different node pairs share different keys; even if a node is
   compromised, the keys of other node pairs are not affected.

   Rekeying and forward secrecy: IBKM employs random numbers (r1 and r2)
   in the process of secret key generation between two nodes. On the one
   hand, we can stipulate a secret key agreement period, so that nodes
   must renegotiate a new session key after a certain interval. In this
   way, we can enhance the security of the network. On the other hand,
   rekeying provides forward secrecy for the network when a node is
   captured by the adversary. Even if the adversary obtains the current
   secret key, he cannot deduce the keys used before, because different
   random numbers generate different secret keys.

   HELLO flood attack: In this attack, the main aim of the attacker is
   to deplete the nodes' energy. In our scheme, every node possesses a
   Bloom filter for node identity authentication. Therefore, if an
   adversary sends a HELLO message, the receiving nodes first check
   whether the message is legitimate. If the result is negative, the
   later calculations are not carried out, so the receiving node
   consumes no further energy.

   Man-in-the-middle attack: In our scheme, the adversary cannot
   calculate the pairwise session key, even if he intercepts the system
   parameters, since the messages transmitted in our scheme are all
   encrypted in the public key cryptosystem. On the other hand, the
   session key is generated by the private key and the random number. It
   is assumed to be hard for an adversary to decrypt the message on air
   or to calculate the session key.

   Mutual authentication: Our scheme achieves both identity
   authentication and key authentication. Before the session key is
   agreed upon, the nodes verify the authenticity of each other by
   checking whether the corresponding hash mapping is contained in the
   local Bloom filter. A negative answer means that the node is illegal
   in this cluster. Then, the identity of the node is verified by the
   signature made with its private key. Afterwards, once Node A and Node
   B share the same session key, they can authenticate each other by
   that session key, because only A and B share it. In this way, we can
   prevent unauthenticated nodes from accessing the sensor network.

6. IANA Considerations

   This memo includes no request to IANA.


7. References

7.1. Normative References

   [BF]       Boneh, D. and M. Franklin, "Identity-Based Encryption from
              the Weil Pairing", in SIAM J. of Computing, Vol. 32, No.
              3, pp. 586-615, 2003.

   [EG]       Eschenauer, L. and V. Gligor, "A key-management scheme for
              distributed sensor networks", in Proceedings of the 9th
              ACM Conference on Computer and Communications Security,
              Washington, DC, USA, 18-22 November 2002, pp. 41-47.

   [OLI]      Oliveira, L.B., Aranha, D.F., Morais, E., Daguano, F.,
              Lopez, J., and R. Dahab, "TinyTate: Computing the Tate
              Pairing in Resource-Constrained Sensor Nodes", in
              Proceedings of the Sixth IEEE International Symposium on
              Network Computing and Applications (NCA 2007), Cambridge,
              MA, USA, 12-14 July 2007, pp. 318-323.

   [REN]      Ren, K., Yu, S.C., Lou, W.J., and Y.C. Zhang, "Multi-User
              Broadcast Authentication in Wireless Sensor Networks",
              IEEE Transactions on Vehicular Technology, Vol. 58,
              pp. 4554-4564, 2009.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.


7.2. Informative References

   [RFC5091]  Boyen, X. and L. Martin, "Identity-Based Cryptography
              Standard (IBCS) #1: Supersingular Curve Implementations of
              the BF and BB1 Cryptosystems", RFC 5091, December 2007.

   [RFC5408]  Appenzeller, G., Martin, L., and M. Schertler, "Identity-
              Based Encryption Architecture and Supporting Data
              Structures", RFC 5408, January 2009.

   [RFC5409]  Martin, L. and M. Schertler, "Using the Boneh-Franklin and
              Boneh-Boyen Identity-Based Encryption Algorithms with the
              Cryptographic Message Syntax (CMS)", RFC 5409, January
              2009.


Authors' Addresses


   Zhongyuan Qin
   Southeast University
   No. 9, Mo Zhoudong Street, Nan Jing, Jiang Su Province 211100

   EMail: zyqin@seu.edu.cn



   Jie Huang
   Southeast University
   No. 9, Mo Zhoudong Street, Nan Jing, Jiang Su Province 211100

   EMail: jhuang@seu.edu.cn



   Xinshuai Zhang
   Southeast University
   No. 9, Mo Zhoudong Street, Nan Jing, Jiang Su Province 211100

   EMail: shuaishuaizhang@yahoo.com.cn
