INTERNET-DRAFT Zhongyuan Qin
Intended Status: Informational Jie Huang
Expires: October 2, 2015 Kerong Feng
Southeast University
April 2, 2015
An Identity-based Security Scheme for Wireless Sensor Networks
draft-qin-cfrg-ibs-wsn-00
Abstract
This document specifies an identity-based security scheme for
wireless sensor networks (WSNs) on the basis of Identity-Based
Encryption (IBE). Each cluster head can act as a private key
generator (PKG), so that the capture of a sole PKG, which would
otherwise disable the whole network, is no longer fatal. The proposed
scheme reduces the consumption of key resources and improves the
security of the WSN by dispersing the PKG function. The analysis
shows that the scheme can resist various attacks.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
<Zhongyuan Qin> Expires <October 2, 2015> [Page 1]
INTERNET DRAFT <IBKM> <January 29, 2015>
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Requirements Language . . . . . . . . . . . . . . . . . . . 4
2.2. Definitions and Notation . . . . . . . . . . . . . . . . . 4
2.3. Abbreviations . . . . . . . . . . . . . . . . . . . . . . . 4
3. Network model . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Identity-based Security Scheme . . . . . . . . . . . . . . . . 5
4.1. Initialization phase . . . . . . . . . . . . . . . . . . . 5
4.2. Clustering phase . . . . . . . . . . . . . . . . . . . . . 5
4.3. Parameter distribution . . . . . . . . . . . . . . . . . . 6
4.4. Data aggregation phase . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
7.1. Normative References . . . . . . . . . . . . . . . . . . . 8
7.2. Informative References . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
Originating in the military field, the wireless sensor network (WSN)
has become a hot academic research topic. Wireless sensor networks
consist of a large number of tiny sensor nodes with microprocessors.
Because of the limited resources of each sensor node, the volatile
network topology and the openness of the wireless channel, WSNs are
vulnerable to various attacks including eavesdropping, message
replay, node capture attacks, sybil attacks, etc., particularly in
applications where wireless sensor networks are deployed in a hostile
environment or used for crucial purposes. To resist these threats,
researchers have recently proposed a variety of security
technologies, among which encryption and signature are two important
ones.
Compared with asymmetric key systems, the main benefit of symmetric
key systems is their low computing cost. The drawback is that they
need a key pre-distribution process and do not guarantee perfect
connectivity (in random key distribution schemes, neighboring nodes
share a common key only with some probability [EG]). To address the
problems mentioned above, researchers have been investigating more
efficient Public Key Cryptography (PKC) techniques for sensor
networks.
However, PKC usually needs a public key infrastructure (PKI) to
maintain the users' certificates for public keys. Besides, the
computation and energy costs are high because the certificates need
to be verified in these protocols. To address such problems, Shamir
proposed the idea of identity-based public-key cryptosystems [SHA],
which simplified certificate management. Shamir's original motivation
for suggesting identity-based encryption was to simplify certificate
management in e-mail systems. Soon after, various identity-based
techniques were proposed, but a fully functional identity-based
encryption scheme was not found until recently, by Boneh and Franklin
[BF]. Since then the ideas of IBE have been used to design several
other identity-based schemes for different purposes.
The disadvantage of current identity-based systems lies in the fact
that the nodes' private keys must be generated by the Key Generation
Center (KGC), which becomes a single point of failure in WSNs. Once
the KGC is compromised, the network would be almost entirely captured
by the attacker.
This document specifies an identity-based security scheme for WSNs in
which each cluster head can act as a KGC so as to improve security.
It includes four procedures: initialization, clustering, parameter
distribution and data aggregation. Each node gets its private key
from the cluster head, which acts as the KGC. Analysis is given which
shows that our scheme can resist various attacks and provide strong
protection in WSNs.
2. Terminology
2.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
in this document are to be interpreted as described in [RFC2119].
2.2. Definitions and Notation
IBE Encryption: Identity-Based Encryption (IBE) is a public-key
encryption technology that allows a public key to be calculated from
an identity, and the corresponding private key to be calculated from
the public key. Therefore, additional computations to verify the
corresponding certificates are not needed. [RFC5091], [RFC5408], and
[RFC5409] describe the algorithms required to implement IBE.
E(k, x) Encryption of x with the key k
e(x, y) Bilinear map of x and y
PU_CH Public key of a cluster head
PR_CH Private key of a cluster head
PU_i Public key of a sensor node i
PR_i Private key of a sensor node i
s_ch a secret random number chosen by CH
2.3. Abbreviations
BS Base Station
CH Cluster Head
N Sensor Node
PR Private Key
PU Public Key
3. Network model
There are two types of WSN architectures: the hierarchical
architecture and the distributed flat architecture. In this document
we focus on the hierarchical architecture.
In a hierarchical wireless sensor network, all nodes are classified
into three categories: base station, cluster heads and sensor nodes.
A base station/sink node (BS) is typically a gateway to another
network. It collects sensor node readings, performs costly operations
on behalf of sensor nodes and manages the network. It is assumed to
be trusted and to be the center of the entire network. In contrast,
sensor nodes have limited battery power, memory size and data
processing capability, and a short radio transmission range. Cluster
heads have more resources than ordinary nodes: they are equipped with
high-power batteries, large memory storage, powerful antennas and
data processing capabilities.
In our scheme, we choose the cluster head within a certain distance
of the base station, since the cluster head consumes more energy
while communicating with the base station. Each sensor node in the
same cluster has the same opportunity to be chosen as cluster head.
Periodic replacement of the cluster head avoids the death of the main
nodes and guarantees the connectivity of the WSN.
4. Identity-based Security Scheme
4.1. Initialization phase
Before the nodes are deployed, the base station (BS) randomly chooses
an elliptic curve E over a finite field F(p) and a point P on the
curve E. The master key s is known only to the base station. All
nodes are preset with the same parameters (q, G1, G2, e, n, r, P_pub,
H1, H2), where q is a prime number, G1 and G2 are two groups of order
q, e: G1*G1 -> G2 is a bilinear map, n is the output length of the
hash function, r is used to calculate the mapping value of the public
key, P is a random point on the elliptic curve E, H1 and H2 denote
two different hash functions, P_pub = s*P is the public value,
PU_i = H1(ID_i) is the public key and PR_i = s*PU_i is the private
key of node i. BS computes each private key and preloads it into the
corresponding node.
4.2. Clustering phase
By default, BS is deployed at the center of the region and all nodes
are randomly deployed in the monitoring field. According to
geographical position, BS selects n cluster heads and puts all nodes
into n temporary clusters distributed evenly over the field. Then BS
generates n random numbers K1, K2, ..., Kn as the group key of each
cluster, distributes Ki to CH_i and stores the corresponding
relationship between K and CH in a list. After that, each CH
registers its identity CH_i with BS so that the cluster heads can be
authenticated through the base station, ensuring the validity of the
CH. At the same time, each CH broadcasts its identity to all nodes in
its cluster. A sensor node registers its identity with its CH after
receiving the message.
Each CH performs the function of a private key generator (PKG): it
selects a random number s_ch and calculates the public value
P_ch = s_ch*P. CH also calculates its public key PU_ch = H1(ID_ch)
and private key PR_ch = s_ch*PU_ch.
4.3. Parameter distribution
During this phase, PU_ch and the group key K are distributed to the
sensor nodes in the cluster by the CH. The details are described as
follows:
1. CH chooses a random number sigma and computes the public key
mapping value g_i = H2(e(PU_i, P_pub)^r) for every node in the
cluster.
2. CH constructs a polynomial F(g) = sigma*(sigma*e)^(g-g_i) using
g_i and sigma, where e = 2.718 is a constant. CH generates the
ciphertext C = ((P_ch xor K) || (sigma xor K) || F(g)) and broadcasts
it to all sensor nodes in the cluster.
3. After receiving the broadcast message C = (U || V || F(g)), sensor
node i computes g_i = H2(e(PU_i, P_pub)^r) and substitutes g_i into
the polynomial F(g). Node i obtains F(g_i) = sigma, V xor sigma = K
and K xor U = P_ch, and later uses P_ch to exchange messages with the
CH. The value P_ch changes with each different cluster head, but
P_pub is always the same.
4.4. Data aggregation phase
In the data aggregation phase, the data collected by sensor nodes is
sent to the CH through multi-hop communication. Suppose a sensor node
belongs to cluster j; then its cluster head is CH_j and its group key
is Kj. For simplicity we use CH and K to represent CH_j and Kj.
1. Sensor node i generates a random number t and calculates the
mapping value g = e(PU_ch, P_ch). The ciphertext is
C = E(K, ID_i || t*P || (m xor H2(g^t))), where K is the group key
and m is the collected data. Nodes near the CH send the message
directly to the CH; the other nodes, far from the CH, need multi-hop
delivery of the collected information.
2. After receiving the message C = (M || W || F), CH decrypts the
ciphertext C with the group key K and authenticates the legal status
of the ID in order to reject illegal members.
3. After authentication, the CH computes e(PR_ch, W) with its private
key, and the collected data is recovered as
m = F xor H2(e(PR_ch, W)).
The correctness can be proved as follows:
e(PR_ch, W) = e(s_ch*PU_ch, t*P) = e(PU_ch, t*P)^s_ch
            = e(PU_ch, s_ch*P)^t = e(PU_ch, P_ch)^t = g^t
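As an added example (not code from the draft), the data aggregation exchange of Section 4.4 in Python: it assumes a constructed toy bilinear map in place of the pairing on E, SHA-256-based H1/H2, a keystream cipher standing in for E(K, x) and fixed 4-byte node identities. It shows why the CH recovers m through e(PR_ch, W) = g^t and how the ID check of step 2 rejects senders that never registered.

```python
import hashlib
import secrets

# Toy bilinear map, constructed for this example only: G1 is the additive
# group Z_q with generator P = 1 (so "x*P" is the integer x mod q), G2 is the
# order-q subgroup of Z_p^* with p = 6*q + 1 = 607, and e(a*P, b*P) = gen^(a*b).
# It satisfies bilinearity but has no security (discrete logs are trivial).
q, p = 101, 607
gen = pow(2, (p - 1) // q, p)                # generator of the order-q subgroup
ID_LEN = 4                                   # fixed-width node identifiers

def pair(a, b):                              # e(a*P, b*P) = gen^(a*b) in G2
    return pow(gen, (a * b) % q, p)

def H1(identity):                            # identity bytes -> nonzero element of G1
    return int.from_bytes(hashlib.sha256(identity).digest(), "big") % (q - 1) + 1

def H2(x, n):                                # G2 element -> n-byte mask
    return hashlib.sha256(x.to_bytes(4, "big")).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, data):                            # E(K, x): SHA-256 keystream XOR (self-inverse)
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return xor(data, ks)

def ch_setup(id_ch):                         # Section 4.2: the CH acting as PKG
    s_ch = secrets.randbelow(q - 1) + 1
    pu_ch = H1(id_ch)                        # PU_ch = H1(ID_ch)
    return {"P_ch": s_ch % q, "PU_ch": pu_ch, "PR_ch": (s_ch * pu_ch) % q}

def node_encrypt(K, id_i, m, pu_ch, p_ch):   # Section 4.4 step 1
    t = secrets.randbelow(q - 1) + 1
    g = pair(pu_ch, p_ch)                    # g = e(PU_ch, P_ch)
    W = t % q                                # t*P in the toy G1
    F = xor(m, H2(pow(g, t, p), len(m)))     # m xor H2(g^t)
    return E(K, id_i + W.to_bytes(2, "big") + F)

def ch_decrypt(K, C, registered, pr_ch):     # Section 4.4 steps 2 and 3
    plain = E(K, C)
    M, F = plain[:ID_LEN], plain[ID_LEN + 2:]
    W = int.from_bytes(plain[ID_LEN:ID_LEN + 2], "big")
    if M not in registered:                  # reject IDs never registered with this CH
        return None
    return xor(F, H2(pair(pr_ch, W), len(F)))  # e(PR_ch, W) = g^t, so this yields m
```

An eavesdropper holding only K can strip E and read ID_i and W, but F stays masked without PR_ch, which is the forward-secrecy argument of Section 5.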
5. Security Considerations
Former schemes including IBE suffered from the "security of the
master key" problem [SHA]. Once an adversary obtains the master key
s, it can easily compute all nodes' private keys. In our scheme each
cluster head acts as a PKG, which changes the situation in which
there is only one PKG in the whole network.
The analysis and simulations show that the proposed scheme has a high
ability to resist various attacks and provides strong protection for
WSNs.
Hello Flood Attack: In our scheme, there are no hello messages
between nodes at the beginning. Instead, the CH broadcasts its
identity after being chosen as cluster head, BS verifies the nodes in
each cluster's list, and non-CH nodes directly register their
identity with the CH. The session keys are distributed in the form of
a group key.
Sinkhole Attack: In the initialization phase, BS randomly chooses K
cluster heads based on location. This avoids dividing clusters by
relying only on energy. In a cluster, the CH is periodically changed,
and the criteria for selecting a new cluster head include energy,
distance to the former cluster head, etc. Therefore it is difficult
for a sinkhole attack to occur.
Sybil Attack: The proposed scheme ensures that each entity in the
WSN always has a unique identification, and that its identity and
vicinity in terms of transmission range are securely authenticated
and verified. Each node must register with the CH; after that, BS
compares the list received from every cluster head with its own list.
During message forwarding, only those sensor nodes with the same
group key have the right to forward received messages.
Forward Secrecy: Assume that an adversary named Eve has obtained the
group key K and tries to decrypt the eavesdropped ciphertext.
However, Eve cannot get the plaintext M because she cannot get the
CH's private key PR_ch, which is needed to recover the plaintext M
through the bilinear map. In addition, after message collection is
finished, the group key is revoked and replaced by a new random
number.
6. IANA Considerations
This memo includes no request to IANA.
7. References
7.1. Normative References
[BF] Boneh, D. and M. Franklin, "Identity-Based Encryption from
the Weil Pairing", SIAM J. of Computing, Vol. 32, No. 3,
pp. 586-615, 2003.
[EG] Eschenauer, L. and V.D. Gligor, "A key-management scheme for
distributed sensor networks", 9th ACM Conference on Computer
and Communications Security, Washington, DC, USA, 18-22
November 2002, pp. 41-47.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[SHA] Shamir, A., "Identity-based cryptosystems and signature
schemes", Proc. Advances in Cryptology, Springer, 1985,
pp. 47-53.
7.2. Informative References
[RFC5091] Boyen, X. and L. Martin, "Identity-Based Cryptography
Standard (IBCS) #1: Supersingular Curve Implementations of
the BF and BB1 Cryptosystems", RFC 5091, December 2007.
[RFC5408] Appenzeller, G., Martin, L., and M. Schertler, "Identity-
Based Encryption Architecture and Supporting Data
Structures", RFC 5408, January 2009.
[RFC5409] Martin, L. and M. Schertler, "Using the Boneh-Franklin and
Boneh-Boyen Identity-Based Encryption Algorithms with the
Cryptographic Message Syntax (CMS)", RFC 5409, January
2009.
Authors' Addresses
Zhongyuan Qin
Southeast University
No.9, MoZhou East Street, Nan Jing, Jiang Su Province 211100
EMail: zyqin@seu.edu.cn
Jie Huang
Southeast University
No.9, MoZhou East Street, Nan Jing, Jiang Su Province 211100
EMail: jhuang@seu.edu.cn
Kerong Feng
Southeast University
No.9, MoZhou East Street, Nan Jing, Jiang Su Province 211100
EMail: fengkerong@163.com