Trust.csu.edu.cn

An Authentication Framework for Wireless Sensor Networks using Identity-Based Email: {R.Yasmin, E.Ritter, G.Wang}@cs.bham.ac.uk Abstract—In Wireless Sensor Networks (WSNs), authentica- only from the legitimate entities and to distinguish between tion is a crucial security requirement to avoid attacks against valid and fake or modified communication.
secure communication, and to mitigate DoS attacks exploiting In this paper, we address the problem of authentication the limited resources of sensor nodes. Resource constraints in WSNs, particularly authenticated broadcast/multicast by of sensor nodes are hurdles in applying strong public keycryptographic based mechanisms in WSNs. To address the sensor nodes and outside user authentication. The problem problem of authentication in WSNs, we propose an efficient of authenticated broadcast/multicast by sensor nodes is not and secure framework for authenticated broadcast/multicast addressed by the existing authentication schemes for WSNs.
by sensor nodes as well as for outside user authentication, Symmetric schemes like µTESLA [21] and its variations which utilizes identity based cryptography and online/offline [11], [17], [18] proposed for base station broadcast authen- signature schemes. The primary goals of this framework areto enable all sensor nodes in the network, firstly, to broadcast tication use Message Authentication Code (MAC) and are and/or multicast an authenticated message quickly; secondly, to efficient in terms of processing and energy consumption.
verify the broadcast/multicast message sender and the message However, they suffer from the following issues: contents; and finally, to verify the legitimacy of an outside user. The proposed framework is also evaluated using the mostefficient and secure identity-based signature schemes.
• Very slow for large scale sensor networks.
• DoS attack against storage due to late authentication.
• Not scalable in terms of number of senders.
• Multiple senders cannot broadcast simultaneously.
Low cost and immunity from cabling have become strong • If a sensor node wants to broadcast a message, it motivations for many applications of Wireless Sensor Net- unicasts the message to the base station, which then works (WSNs) like environmental monitoring, disaster han- broadcasts that message on behalf of that node.
dling, traffic control and various military applications [1], An extension of µTESLA [7], [15] attempts to enable sensor [8]. In these applications, sensor devices sense or monitor nodes to broadcast messages to nearby sensor nodes only, physical and environmental changes like temperature, pres- however, it inherits the weaknesses of µTESLA. Asymmet- sure, etc. and communicate this data to other nodes over a ric schemes, for example digital signatures, overcome the wireless network. Authentication of this data as well as of problems of symmetric schemes but require public keys and the data source is critical, as the data may ultimately be used certificates on the receiver side to verify signed messages.
to assist in some significant situations. In some applications, Moreover, it is more time and power consuming for sensor there are also outside users of the sensor network who are nodes to sign a message than to compute a MAC. Digital interested in the data collected by the sensor nodes. User signature based authentication schemes discussed in [6], authentication is equally important as data collected by the [23], [24] allow broadcast by powerful senders only and sensor nodes may be confidential, or in some situations only therefore, are not suitable for resource constrained motes.
the subscribed users are allowed to access it.
In outside user authentication, the number of outside users However, the radio links are insecure, facilitating an ad- of sensor nodes data is also restricted due to the fact that versary in intercepting, injecting or modifying communica- sensor nodes need some user specific information to verify a tion. Resource limitations of sensor nodes make it difficult to user request. For example, RRUASN [4] requires the public apply strong traditional cryptographic mechanisms to secure key and certificate of a user on the receiver side, which the communication. Moreover, WSNs are often deployed in are sent with every user request (increasing transmission a hostile environment where they are physically accessible overhead). DP2AC [32] uses a token to authenticate a user by an adversary who can discover cryptographic material and stores every used token to control re-usability.
e.g., keys, stored on the sensor nodes. In this scenario, it is To handle the above mentioned issues, we propose an challenging to enable sensor nodes to accept communication authentication framework for WSNs, using Identity-based Cryptography and Online/Offline Signature (OOS) schemes, they replace the existing ones to achieve better results.
comprised of two authentication schemes; one for quick Security and performance of the proposed framework are authenticated broadcast/multicast by sensor nodes and an- also evaluated and compared with some existing signature other for outside user authentication. The first scheme based authentication schemes for WSNs. This paper makes allows every sensor node in the network to broadcast or multicast authenticated messages very quickly without the • Points out the need of quick authenticated broadcast involvement of the base station. All potential receivers can and/or multicast by all sensor nodes in the network and verify a message sent by any sender node in the network.
proposes a secure and efficient solution to this problem It also allows sensor nodes on the path from the sender without the involvement of the base station. To the best node to the receivers to verify a valid message and drop of our knowledge, this is the first attempt to highlight false injected data. The second scheme enables all sensor nodes in the network to verify the legitimacy of any outside • Proposes the use of online/offline signature schemes for user without storing user specific information. It allows a sensor broadcast. To the best of our knowledge, this maximum possible number of legitimate users to access is the first application of online/offline signatures in data from sensor nodes in a secure way. This scheme first authenticates a user and then establishes a session key for • Provides a secure and efficient identity-based authenti- secure exchange of user queries and sensor nodes data.
cation framework which can also utilize new IBS and IBOOS schemes to achieve improved performance.
line/Offline Signature (IBOOS) scheme (an ID-based version Organization: Section 2 discusses motivations, section 3 of OOS) for the first scheme and Identity-based Signature introduces the cryptographic primitives, section 4 presents (IBS) scheme for the second scheme. IBS schemes [26] our proposed framework, section 5 evaluates its security & allow a user to use his identity information such as name, performance and section 6 concludes the paper.
email address etc., which is unique to him, as his public keywhile the corresponding private key is generated by a private key generator (PKG). It eliminates the need of a certificate Authentication in WSNs can be divided into three cate- signed by a certification authority to extract the public key gories, namely base station to sensor nodes, sensor nodes for the verification of a signed message. A message signed to other sensor nodes, and outside users to sensor nodes.
with a user’s private key can be verified using his ID.
The problem of authenticated broadcast by the base sta- Online/Offline Signature (OOS) schemes [12] divide the tion has been widely addressed [6], [11], [17], [18], [21].
process of message signing into two phases, the Offline We focus on the other two categories, i.e., authenticated phase and the Online phase. The Offline phase is performed broadcast/multicast by the sensor nodes and outside user before the message to be signed becomes available. This phase performs the most computations of signature gener- A. Authenticated Broadcast/Multicast by Sensor Nodes ation and results in a partial signature. Once the messageis known, the Online phase starts. This phase retrieves the There are many critical situations where a sensor node partial signature calculated during the Offline phase and requires to send a quick message. For example: performs some minor quick computations to obtain the final • In a forest fire alarm application [27], sensor nodes signature. The Online phase is assumed to be very fast, deployed in a forest should immediately inform author- consisting of small computations while the Offline phase can ities about the event and the exact location of the event be performed by other resourceful device. OOS enables a before the fire spreads uncontrollably.
resource constrained sensor node to sign a message quickly, • In a traffic application [5], whenever a sensor node once it has some critical event to report. IBOOS is the senses an accident (or a traffic jam) on the road it sends ID-based version of OOS, where a message signed with a an immediate message in all directions to alert other signer’s private key is verified using signer’s ID.
The primary objective of this framework is to design • Consider the military application scenario discussed in an authentication mechanism which solves the above men- [27], where a troop of soldiers needs to move through tioned authentication problems efficiently in terms of power a battlefield. Sensor nodes deployed there detect the consumption, processing time and storage overhead. The presence of the enemy and broadcast this information primary advantage of this research work is that it does not immediately throughout the network. Soldiers, passing restrict the solution to the existing IBS and IBOOS schemes, near these sensor nodes, use this information to strate- rather it provides a general authentication framework which gically position themselves in the battlefield.
can be reused with new IBS and IBOOS schemes. Once new All these scenarios require a message to be sent as quickly IBS and IBOOS schemes are available, which are more se- as possible. Due to wireless media, transmission and recep- cure and efficient than the existing IBS and IBOOS schemes, tion of a message consume considerable time. Moreover, in most cases a message propagates through several hops this approach has a few drawbacks. Firstly, it makes the to reach the desired destinations. Therefore, the signature base station a single point of failure. Secondly, it causes generation and the verification times should be as small as sensor nodes near the base station to deplete their energy possible. A delayed message may have undesirable effects.
quickly as for every user request, they relay packets be- For example, it may help a fire spreading uncontrollably and tween base station and queried sensor nodes. Furthermore, a traffic jam becoming worse. A delayed message about the it causes a severe DoS attack where an adversary sends fake presence of an enemy in the battlefield may cause the deaths request messages causing sensor nodes to relay them towards of soldiers while moving through the battlefield. In all the the base station for verification, increasing network traffic above situations, message authentication is equally important and depleting their energy. User authentication schemes otherwise a malicious entity may exploit its absence. For discussed in [10], [16], [29], [30] all suffer from these example, an adversary may send fake messages to block problems. To avoid this kind of DoS attack, a user should traffic towards a specific region or to turn traffic towards a be locally authenticated by the sensor nodes without the specific direction. In battlefield, sensor nodes added by the involvement of a third entity, i.e., a distributed approach.
enemy can disseminate wrong information about enemy’s This approach reduces traffic congestion and transmission overhead within the network. However, it puts the burden Moreover, in all the above mentioned scenarios, sensor of authentication on sensor nodes. As sensor nodes are nodes on the path from the sender node to the receiver(s) resource constrained devices as compared to the base station, relay the messages towards destination. Wireless communi- a lightweight user authentication mechanism is needed for cation allowing an adversary to inject false messages during sensor nodes to verify authenticity of the users.
multi hop forwarding [19] causes sensor nodes to relayfalse data and deplete their energy. Hence, sensor nodes on the path should be able to authenticate and filter out false messages as early as possible to save relaying energy Definition 1. An ID-based signature (IBS) scheme consists [33], [34]. Therefore, they are also potential receivers of these messages, arising the need of authenticated multicast 1) System Setup (SS): Given a security parameter 1k, by sensor nodes. In battlefield application, all sensor nodes in the network are potential receivers of critical information, arising the need of authenticated broadcast by sensor nodes.
2) Key Extraction (KE): Given a user’s identity ID To summarize, all these scenarios require a secure mech- anism which, on one hand, enables all sensor nodes in the network to send an immediate authenticated message to 3) Signature Generation (Sign): Given a message m and report a critical situation, and on the other hand, enables every receiver to verify this message. For simplicity, both broadcast and multicast are referred as broadcast in the rest 4) Signature Verification (Ver): Given a message m, user’s identity IDi, a signature σ and system parame- ters SP, returns 1 if the signature is valid or 0 if not.
Sensor nodes data may be confidential and in some Namely, 0/1 ← Ver(m, IDi, σ , SP).
situations only the subscribed users, who have paid, are B. ID-based Online/Offline Signature (IBOOS) allowed to obtain this data. A user authentication mechanismaims to prevent unauthorized users to access data from Definition 2. An ID-based online/offline signature (IBOOS) sensor nodes. Usually, a mechanism to provide an outside scheme consists of five algorithms as follows: user access to sensor nodes data requires three tasks: 1) System Setup (SS): Same as in Definition 1.
1) User Authentication allows only legitimate users of 2) Key Extraction (KE): Same as in Definition 1.
3) Offline Signing (OffSign): Given a signing key DIDi 2) Access Control allows a user to access only the data and system parameters SP, outputs an offline signature S, i.e., S ← O f f Sign(DID , SP).
3) Session Key Establishment enables secure exchange of 4) Online Signing (OnSign): Given a message m and an user queries and confidential data between users and offline signature S, outputs an online signature σ , i.e., In centralized user authentication, all users are authenti- 5) Signature Verification (Ver): Given a message m, cated through the base station. This mechanism is easy to user’s identity IDi, signature σ and system parameters deploy because the base station is a powerful device which SP, returns 1 if the signature is valid and 0 if not.
can perform complex cryptographic operations. However, Namely, 0/1 ← Ver(m, IDi, σ , SP).
IV. THE PROPOSED AUTHENTICATION FRAMEWORK Authentication: On receiving a broadcast message, re- ceiver first checks the time stamp T S to avoid the verification In this section, we present the proposed authentica- of a replayed message. If it is a fresh one, the receiver further tion framework which is composed of two authentication proceeds with signature verification; otherwise it discards schemes. The first two phases of both schemes i.e., the the message. The receiver verifies the signature σ using System Initialization and the Key Generation are performed once, before the deployment of the WSN.
If the verification succeeds, the receiver accepts the mes- A. Authenticated Broadcast by Sensor Nodes sage; otherwise it discards it. If necessary, it rebroadcasts For authenticated broadcast, a message is signed using the message to sensor nodes belonging to the next hop.
IBOOS. Some IBOOS schemes [25] allow reuse of a partial Sender Revocation: To revoke a compromised sensor signature computed in the offline phase to sign more than node i, the base station broadcasts its identity IDi to all one message, which decreases energy consumption. More- other sensor nodes in the network, who store IDi. If in the over, OOS allows the offline phase to be performed on some future a sensor node receives a message containing IDi, it other resourceful device. Hence, it is possible for the base simply rejects the message without going through authen- station to perform the complex computations of the offline tication process. An adversary is assumed to compromise phase and distribute the partial signature to the sensor nodes.
only a few sensor nodes in the network. If the adversary The sensor nodes then only perform small, energy efficient compromises majority of the sensor nodes, it will break down all the security mechanisms. Therefore, storing the IDs System Initialization: In our scheme, the base station of few compromised nodes would incur a reasonable storage plays the role of PKG, a trustworthy entity, and initializes overhead for sensor nodes. Moreover, the base station can the system in this phase. Let SKBS be the secret key of the periodically update system parameters and secret keys of all base station. The base station computes the corresponding legitimate sensor nodes excluding malicious nodes. How- public key PKBS and sets up the public system parameters ever, this update might be costly. Another possible solution SP which include PKBS. The master secret key SKBS is only is to manually detach these compromised sensor nodes from kept by the base station while SP is made public.
Key Generation: In this phase, the base station computes the secret keys of all sensor nodes corresponding to their IDs using the master secret key SKBS. For a sensor node In order to access data from sensor nodes, a user first i with identity IDi, the corresponding secret key is DID registers himself to the base station and obtains his private key and other system parameters. After that, whenever he private keys and system parameters are stored on sensor wants to access data, he sends a signed request to the nodes before deployment. Hence, every sensor node i stores sensor nodes in his range who verify his signed request locally using his ID. If the verification succeeds, the sensor Message Broadcast and Authentication: In this phase, nodes and the user both compute a session key for further the sensor nodes broadcast authenticated messages which communication. This session key establishment enables the are verified using their IDs. The signature generation of a user to send encrypted queries to the sensor nodes and get broadcast message is divided into two phases: Offline phase: The offline phase is performed by the base System Initialization and Key Generation phases are the station, before the message to broadcast becomes available.
same as described in the first scheme.
The offline signature algorithm runs in this phase on the base User Registration: This phase is performed whenever a station, and performs the most signature computations to new user is added to the system. In this phase, a user U calculate the partial signature S as S ← O f f Sign(DID , SP).
U registers with the system. The base station The resulting partial signature S is stored on sensor node i.
Online phase: Whenever a sensor node i senses an event The user gets his private key and other system parameters which requires quick reporting, the online phase starts. In from the base station through a secure channel. Hence, every this phase, the sensor node i retrieves the partial signature S calculated during the offline phase. The online signature User Authentication: In order to query sensor nodes, algorithm runs in this phase on sensor node i, and performs a user U sends his signed request to the sensor nodes in very minor and fast computations to obtain the final signa- his range. Let N be the number of sensor nodes in his ture σ over message m as σ ← OnSign(m, T S, IDi, S), where range. U ’s request contains his request message RM, current T S is the current time stamp. The final broadcast message time stamp T S, identity IDU , and the signature σ calculated then contains the message m, time stamp T S, identity of the on these parameters using his secret key i.e., U → N: sensor node IDi and the signature σ i.e., {m, T S, IDi, σ }.
{RM, T S, IDU , σ }, where σ = Sign((RM, T S, IDU ), DID ).
On receiving a user request, each sensor node first checks time will not impose an unreasonable storage overhead on the time stamp T S to filter out a replayed request message.
sensor nodes. To efficiently handle storage, user’s access If it is a fresh one, sensor node verifies the signature period can be kept short so that sensor nodes do not store using U ’s ID and other system parameters stored on it as malicious users’ IDs for a long time. After that time period 0/1 ← Ver(RM, T S, IDU , σ , SP). If the verification succeeds, only the private keys of the legitimate users are updated for it proceeds with session key establishment else it stops next time period. The duration of this period depends on further computation and communication.
how frequently the event of the malicious users occur.
Session Key Establishment: To provide secure trans- Although some figures would help to improve the read- mission of data from sensor nodes to user, a session key ability of framework, space limitation does not allow it.
needs to be established. For this purpose, any secure key C. Instantiation of the Proposed Framework exchange protocol could be used here. However, an identitybased one-pass key establishment protocol is an attractive There are many IBS and IBOOS schemes available, for choice for resource constrained sensor nodes. It reduces the example, based on ECC and RSA signatures. Verifying RSA number of messages exchanged during key establishment signature is efficient for sensor nodes [14] since we can phase i.e., only one party computes and sends its ephemeral set small verification exponents. This fact can be utilized in key to the other party, for example, identity based one-pass user authentication scheme, where sensor nodes only verify key establishment protocol presented in [13]. That single a signed user request. However, RSA based signatures are message can be combined with user request message (in large, resulting in a considerably increased message size.
user authentication phase) which is signed by the user. It ECC based signatures are equally useful for signing and further reduces the communication. It also avoids the man- verification of messages and have short signature sizes.
in-the-middle attack. The only message exchanged between Therefore, for WSN, ECC based signatures are considered the user U and the sensor node A for key establishment will more efficient than RSA signatures. To instantiate the pro- be signed by U and verified by A, which makes it difficult posed authentication framework, we have selected the most for an intruder to send fake ephemeral key to the sensor secure and efficient ECC based signature schemes from the available IBS and IBOOS schemes. Keeping in mind the To establish a session key, U randomly computes its security and efficiency requirements, an IBS scheme given ephemeral key R. U then sends R, together with his signa- in [6] is selected for user authentication scheme while two ture, to A in authentication phase. If U ’s signature is valid different IBOOS schemes given in [25] and [31] are selected and user authentication succeeds, both A and U compute to evaluate sensor broadcast scheme.
session key SK using the key derivation function χ as ID-based Signature (IBS) Schemes: ID-based signature schemes are suitable for the proposed user authentication A||IDU ||T S||TAU ), where T S is the time stamp scheme. IBS scheme in [6] presents an ID-based signature computed by both parties using R and their secret keys as which is actually an improvement over BNN-IBS [2] to described in [13]. At this point, the session key SK is ready reduce the signature size. Security of this signature scheme depends on Elliptic Curve Discrete Logarithm Problem.
User Revocation: User revocation can be divided into ID-based Online/Offline Signature (IBOOS) Schemes: two cases; firstly, to revoke a user whose access time period ID-based online/offline signature schemes are suitable for has been expired, and secondly, to revoke a malicious user.
the proposed sensor broadcast authentication scheme. An These two cases can be treated differently. To handle the first IBOOS scheme in [25] presents a method to convert any case, at the time when base station calculates the secret key underlying signature scheme into an online/offline signa- for a user U , the expiry time ET of the user can be used as ture scheme. The Offline signature in this scheme can a parameter to calculate the secret key. After his access time be securely reused to sign more than one message. This period expires, his secret key will automatically expire. If signature scheme is proved to be existentially unforgeable.
he now sends a signed request, it will not pass verification.
Its security depends on Discrete Logarithm Problem. Un- In the second case, the base station issues an authenticated like [25], an IBOOS scheme presented in [31] provides revocation list containing malicious user’s ID. Sensor nodes a direct online/offline signature scheme, which does not store it until the malicious user’s expiry time is passed.
require another underlying signature scheme. This signature Thus, if next time that user attempts to access data from scheme is existentially unforgeable under adaptive chosen sensor nodes, the sensor nodes reject his request without going through authentication process. After his access time expiration, his secret key will expire and he will not beable to successfully authenticate himself to the system. In WSN, the case of the malicious users is not very common.
This section analyses the security achieved by the pro- Therefore, storing IDs of malicious users until their expiry Authentication: Authentication is achieved as only the outside users for verification, it provides storage efficiency.
legitimate broadcast senders and the outside users with valid Computation Efficiency: In sensor broadcast, by per- forming the offline phase on base station, the sensor nodes Verification: Every sensor node can verify a broadcast are only left with the online phase computation which is message by any sender and authenticity of any outside user.
very efficient in terms of time and energy consumption.
Integrity: Provides message integrity as any changes Communication Efficiency: ID-based schemes do not made in the contents of the messages during transmission require a broadcast sender or an outside user to send public are detected through signature verification.
keys/certificates with all messages, thus reducing communi- Freshness: Replayed data can be distinguished through timestamp, providing freshness of data.
Multiple Senders: ID-based signatures handle public Session Key: After successful user authentication, session keys/certificates issue. Therefore, the proposed framework key establishes a secure communication between the user allows multiple broadcast senders and outside users.
Scalability: New sensor nodes and outside users can be Now we consider some usual security threats and show added to the WSN easily at any time. Preloaded with ID, how our proposed framework counters them: secret key and public parameters, new sensor nodes can 1) Active attack: The proposed framework employs se- broadcast messages as well as verify messages by any other cure digital signature schemes providing strong au- broadcast sender. New users simply need to register them- thentication and message integrity, and making it selves to the base station and get their secret information impossible for an intruder to sign or modify a valid message sent by another legitimate sender. Time stamp prevents replay of a broadcast message or a previoussuccessful authentication message by a valid user.
This section gives a rough-and-ready estimation of apply- 2) DoS attack: The proposed sensor broadcast scheme ing our proposed authentication schemes on sensor nodes provides authentication without any delay. Hence, it and comparison with other existing digital signature based prevents DoS attack faced in µTESLA. In user authen- authentication schemes for WSN. We assume the capabilities tication scheme, a user is locally authenticated by the of standard MICA2 mote [9], a popular choice among sensor nodes, and not by the base station, which avoids research community. Figures in Table 1 and Table 2 are the DoS attack caused by fake intruder’s requests.
computed considering only the expensive operations of 3) Node Compromise Attack: In symmetric key schemes, pairing, point multiplication, exponentiation and ECDSA where a single key or a subset of keys are used by & RSA signature costs, based on the actual experimental more than one sensor node to calculate a MAC for results of these operations for MICA2 given in [14], [22] and a message, a compromise of a single node enables [28]. A point multiplication operation on MICA2 takes 0.81s an intruder to impersonate all sensor nodes sharing [14]. For MICA2, active power consumption is 30mW [22].
that MAC key(s). In our scheme, an intruder can only Therefore, computation of one point multiplication operation impersonate the compromised node. Furthermore, with consumes 0.81*30 = 24.3mWs. According to [28], comput- revocation process he will not be able to successfully ing a pairing operation on MICA2 takes 2.66s and consumes broadcast further messages in the network.
62.73mWs. Signing and verifying an ECDSA takes 0.89s 4) False Data Injection Attack: The proposed sensor and 1.77s and consumes 26.96mWs and 53.42mWs, respec- broadcast scheme enables all sensor nodes on the tively [22]. One RSA signature verification with 1024 bit message path, during multi-hop forwarding, to verify key size takes 0.47s and consumes 14.05mWs [22].
and filter out false injected data earlier.
For broadcast authentication schemes, we only consider computation cost and message size. Transmission cost is pro- portional to the message size. Assuming number of sensor This section evaluates the performance of the proposed nodes N = 65,000, message m = 20 bytes, timestamp T S = 2 bytes and ID = 2 bytes, Table 1 gives a comparison with Broadcast by Sensor Nodes: Unlike µTESLA, in our existing signature based schemes. Existing authentication proposed sensor broadcast scheme, a sensor node can broad- schemes assume broadcast senders as powerful devices, cast a message itself without the involvement of base station.
however for comparison purposes, we estimate the cost Quick Broadcast: An online/offline signature scheme of applying these schemes to ordinary sensor nodes. CAS performs the most time consuming offline phase of message in [24] propose ECDSA to sign a message.
generation beforehand. It enables sensor nodes to sign and CAS requires signer’s public key and certificate to be sent broadcast a message quickly once the message is known.
with every message, increasing message size. The receiver Storage Efficiency: As sensor nodes do not store IDs verifies two ECDSA signatures for every message; one to and corresponding public keys of all broadcast senders and verify certificate and other to verify message. DAS requires COMPARISON OF PROPOSED BROADCAST AUTHENTICATION SCHEME WITH EXISTING BROADCAST AUTHENTICATION SCHEMES.
Existing Broadcast Authentication Schemes τ * and ρ * show the computational cost and the signature size of underlying signature scheme respectively and ε * shows negligible cost all sensor nodes to store public keys of all senders. For N COMPARISON OF PROPOSED USER AUTHENTICATION SCHEME WITH = 65,000, public key size = 22 bytes, every sensor node EXISTING USER AUTHENTICATION SCHEMES.
is required to store 1441KB which is beyond the storage capabilities of sensor nodes. Signature generation in IDS [23] comprises one pairing and one point multiplication Existing Distributed User Authentication Schemes while in IMBAS [6] three point multiplications as expensive Proposed Distributed User Authentication Scheme The proposed broadcast authentication scheme using first IBOOS [25] allows the secure reuse of offline signature,computed on base station. The only cost a sensor node bearsin message signing is the cost of the online phase which and verification of token reusability. An issue with this is two scalar exponentiations in group G. Computing one scheme is the communication overhead per user request and scalar exponentiation (of the form Bt ) in G requires roughly storage overhead. Every used token is stored on more than t squaring and t/2 multiplications in G (Chap 14, Algorithm one sensor nodes in the network. Assuming a token size = 14.79, [20]), where t is the bit length of exponent. For 10 bytes and number of used token T =10,000, the overall simplicity, we assume computing one squaring is equivalent storage overhead will be 100,000 bytes which is considerable to one multiplication (squaring can be almost twice as fast as for resource constrained sensor nodes. Verification cost multiplying distinct elements [20]). For t = 160, one expo- involves energy and time costs to verify RSA signature plus nentiation requires 240 multiplications. One multiplication transmission energy (T E) and transmission time (T T ) costs on MICA2 takes 0.39ms [14] and consumes 0.0117mW [22].
of sending a token to a set of sensor nodes for reusability Therefore, one exponentiation takes 0.09s and consumes checking. The proposed outside user authentication scheme 2.81mW. These results further can be improved by applying based on IBS [6] involves one signature verification consist- fixed-base exponentiation and fixed-exponent exponentiation ing of three point multiplications by the sensor nodes during algorithms, and finding the exact cost of squaring on MICA2 the authentication phase. Table 2 shows that the proposed motes. For 160 bits ECC, the message size is 64 bytes plus user authentication scheme consumes less energy and time ρ (ρ is size of underlying signature). Using second IBOOS as compared to RRUASN and eliminates the storage and [31] requires two point multiplications in offline phase, while communication overhead of DP2AC. It also provides session only integer addition and multiplication operations (which are very efficient for sensor nodes in terms of time andenergy consumption) in the online phase. Therefore, the time D. Impact of Applying PKC on Sensor Nodes and energy cost of the online phase is almost negligible. For Application of PKC operations on sensor nodes does not 160-bit ECC, the signature size is 60 bytes. Table 1 shows affect node’s life time drastically, if the number of public key that the proposed sensor broadcast scheme using IBOOS operations is smaller or spread over time [22]. Broadcast of schemes consume less energy and time in broadcasting a a message by a sensor node is not a very frequent event in message as compared to applying existing authentication considered applications. For example, in case of a fire alarm application, a message is sent by the sensor node only when In user authentication schemes, two existing schemes a fire is set up anywhere. Signing a message occasionally, provide distributed user authentication, RRUASN [3] and only in critical situations, is not very expensive for sensor DP2AC [32]. In RRUASN, authentication by sensor nodes nodes. With 2AA batteries in ordinary MICA sensor motes, involves verification of two ECDSA signatures as expensive the available energy is 6750,000mWs [22]. If only 2% of this operations. DP2AC involves one RSA signature verification energy i.e., 135,000mWs, is available for signing broadcast messages, a sensor mote can sign 24,021 messages applying [8] C. Chong and S. Kumar, “Sensor networks: evolution, opportuni- first IBOOS scheme and 2,778 messages applying second ties, and challenges,” Proceedings of the IEEE, vol. 91, no. 8, pp.
1247–1256, Aug. 2003.
IBOOS scheme during the life time of the batteries. This [9] Crossbow, “MICA2.” [Online]. Available: www.xbow.com number of broadcast messages is big enough for the above [10] M. Das, “Two-factor user authentication in wireless sensor net- works,” Wireless Communications, IEEE Transactions on, vol. 8, mentioned applications. With the same available energy, a sensor node can sign 1,550 messages in IDS scheme [11] J. Drissi and Q. Gu, “Localized broadcast authentication in large and 1,852 messages in IMBAS scheme which shows that sensor networks,” in Proc. ICNS ’06.
[12] S. Even, O. Goldreich, and S. Micali, “On-Line/Off-Line digital our proposed sensor broadcast authentication scheme gives signatures,” in Proc. Advances in Cryptology CRYPTO ’89, ser.
better results than applying existing broadcast authentication Springer Berlin, 1990, pp. 263–275.
[13] M. C. Gorantla, C. Boyd, and J. M. Gonz´alez Nieto, “ID-based one- pass authenticated key establishment,” in Proc. sixth Australasianconference on Information Security, AISC ’08, pp. 39–46.
[14] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, “Com- paring Elliptic Curve Cryptography and RSA on 8-bit CPUs,” in The main contribution of this research work is an au- thentication framework which provides two features; quick [15] J. W. Kim, Y. H. Kim, H. Lee, and D. H. Lee, “A practical inter- sensor broadcast authentication scheme,” in HCI (5), ser. LNCS, authenticated broadcast by sensor nodes and user authentica- Springer Berlin / Heidelberg, 2007, pp. 399–405.
tion. Existing broadcast authentication schemes in WSNs do [16] T. Lee, “Simple dynamic user authentication protocols for wireless sensor networks,” in Proc. SENSORCOMM ’08, pp. 657–660.
not handle the problem of authenticated broadcast by sen- [17] D. Liu and P. Ning, “Multilevel µTESLA: Broadcast authentication sor nodes. The proposed ID-based Online/Offline Signature for distributed sensor networks,” ACM Trans. Embed. Comput.
Syst., vol. 3, no. 4, pp. 800–836, 2004.
(IBOOS) based broadcast authentication scheme is an attrac- [18] D. Liu, P. Ning, S. Zhu, and S. Jajodia, “Practical broadcast tive solution to this problem. An ID-based Signature (IBS) authentication in sensor networks,” in Proc. MobiQuitous ’05: based distributed user authentication scheme is proposed to IEEE Computer Society, pp. 118–132.
[19] M. Luk, A. Perrig, and B. Whillock, “Seven cardinal properties authenticate outside users. Session keys secure the further of sensor network broadcast authentication,” in Proc. SASN ’06.
communication between the users and the sensor nodes. The [20] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook main advantage of this framework is its re-usability, that is, it can also be reused with new IBS and IBOOS schemes for [21] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, “SPINS: security protocols for sensor networks,” Wireless Net- security and performance improvements. In the future, we works, vol. 8, no. 5, pp. 521–534, 2002.
intend to focus on user access control to provide a complete [22] K. Piotrowski, P. Langendoerfer, and S. Peter, “How public key ID-based authentication framework which would enable the cryptography influences wireless sensor node lifetime,” in Proc.
SASN ’06.
sensor nodes, on one hand, to broadcast a message to quickly [23] K. Ren, W. Lou, K. Zeng, and P. Moran, “On broadcast authentica- respond to some critical situations and, on the other hand, tion in wireless sensor networks,” Wireless Communications, IEEETransactions on, vol. 6, no. 11, pp. 4136–4144, Nov. 2007.
to control user access according to his access privileges. We [24] K. Ren, W. Lou, and Y. Zhang, “Multi-user broadcast authentica- are on the way to implement the proposed framework on tion in wireless sensor networks,” in IEEE SECON ’07, pp. 223–232.
real sensor nodes to get actual results.
[25] Q. Ren, Y. Mu, and W. Susilo, “Mitigating phishing with ID-based online/offline authentication,” in Proc. Australasian conference on Information Security, AISC ’08, pp. 59–64.
[26] A. Shamir, “Identity-based cryptosystems and signature schemes,” This work has been partially supported by the EPSRC in Proc. CRYPTO ’84 on Advances in cryptology, ser. LNCS. NY, project Verifying Interoperability Requirements in Pervasive USA: Springer-Verlag, 1985, pp. 47–53.
[27] I. Stojmenovi, Ed., Handbook of Sensor Networks - Algorithms WileyBlackwell, November 2005. [Online].
[28] P. Szczechowiak, A. Kargl, M. Scott, and M. Collier, “On the appli- cation of pairing based cryptography to wireless sensor networks,” [1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “Wireless sensor networks: a survey,” Computer Networks, vol. 38, [29] H. Tseng, R. Jan, and W. Yang, “An improved dynamic user authentication scheme for wireless sensor networks,” in Proc.
[2] M. Bellare, C. Namprempre, and G. Neven, “Security proofs for identity-based identification and signature schemes,” in Proc. EU- [30] K. H. M. Wong, Y. Zheng, J. Cao, and S. Wang, “A dynamic Springer-Verlag, 2004, pp. 268–286.
user authentication scheme for wireless sensor networks,” in Proc.
[3] Z. Benenson, “Realizing robust user authentication in sensor net- IEEE Computer Society, 2006, pp. 244–251.
works,” in Proc. REALWSN ’05, 2005.
[31] S. Xu, Y. Mu, and W. Susilo, “Efficient authentication scheme for [4] Z. Benenson, F. Gartner, and D. Kesdogan, “User authentication in routing in mobile ad hoc networks,” in Proc. EUC ’05 Workshops, sensor networks (Extended Abstract),” in Proc. Informatik 2004, [32] R. Zhang, Y. Zhang, and K. Ren, “DP2AC: Distributed privacy- [5] J. Bohli, A. Hessler, O. Ugus, and D. Westhoff, “A secure and preserving access control in sensor networks,” in Proc. IEEE resilient WSN roadside architecture for intelligent transport sys- [33] W. Zhang, N. Subramanian, and G. Wang, “Lightweight and [6] X. Cao, W. Kou, L. Dang, and B. Zhao, “IMBAS: Identity-based compromise-resilient message authentication in sensor networks,” multi-user broadcast authentication in wireless sensor networks,” Computer Communications, vol. 31, no. 4, pp. 659 – 667, 2008.
[34] S. Zhu, S. Setia, S. Jajodia, and P. Ning, “Interleaved hop-by- [7] W. Chen and Y. Chen, “A bootstrapping scheme for inter-sensor hop authentication against false data injection attacks in sensor authentication within sensor networks,” Communications Letters, networks,” ACM Trans. Sensor Networks, vol. 3, no. 3, p. 14, 2007.
IEEE, vol. 9, no. 10, pp. 945–947, Oct. 2005.

Source: http://trust.csu.edu.cn/conference/tsp2010/TSP10-Best%20Paper%20Award%202%20-%20An%20Authentication%20Framework%20for%20Wireless%20Sensor%20Networks%20using%20Identity-Based%20Signatures.pdf