An Efficient Key Establishment Scheme for Self-organizing Sensor Networks
Yong Ho Kim, Kyu Young Choi, Jongin Lim, and Dong Hoon Lee
Center for Information Security Technologies (CIST), Korea University, Seoul, Korea
{optim,young,jilim,donghlee}@korea.ac.kr
Abstract. In this paper, we propose an efficient authenticated key establishment scheme for self-organizing sensor networks. The proposed scheme has low communication cost and eliminates expensive operations required by most ID-based schemes, such as sensor nodes calculating bilinear maps. Additionally, the proposed scheme provides perfect forward secrecy.
Keywords: security, sensor network, elliptic curve cryptography.
1 Introduction
There has been a common perception that traditional public key infrastructure (PKI) is too complex, slow and power hungry to be used in sensor networks. For this reason, most research has been based primarily on symmetric key cryptography [4,5]. While symmetric mechanisms can achieve low computation overhead, they typically require significant communication overhead or a large amount of memory at each node. For these reasons, many researchers [6,9] have recently begun to challenge those old beliefs about PKI by showing that it is indeed viable in sensor networks. Huang et al. [7] proposed two efficient key establishment schemes in which a Full-Functional Device (FFD) and a Reduced-Functional Device (RFD) achieve key exchange and mutual authentication. An FFD takes the role of a coordinator, a router or a security manager, while an RFD takes the role of an end device, such as a low-power sensor. These schemes are based on elliptic curve cryptography, where each device authenticates other devices through its certificate [8]. In this paper, we propose an efficient ID-based scheme for key establishment in self-organizing sensor networks. The proposed scheme was devised after comparing the advantages and disadvantages of certificate-based and ID-based systems. The main contributions of our approach can be summarized as follows.
“This research was supported by the MIC(Ministry of Information and Communication), Korea, under the ITRC(Information Technology Research Center) support program supervised by the IITA(Institute of Information Technology Advancement)” (IITA-2007-(C1090-0701-0025)).
S. Rao et al. (Eds.): ICDCN 2008, LNCS 4904, pp. 345–349, 2008. c Springer-Verlag Berlin Heidelberg 2008
346
Y.H. Kim et al.
First, compared with Huang et al.'s schemes [7], the proposed scheme eliminates the communication overhead required to transmit public-key certificates. In wireless sensor networks this advantage is significant, because wireless transmission of a single bit consumes several orders of magnitude more power than a single 32-bit computation [1]. Furthermore, a sensor need not perform the Weil/Tate pairing and Map-To-Point operations required by most ID-based schemes [10,11]. Additionally, the proposed scheme provides perfect forward secrecy [3]: exposure of a device's long-lived secret key does not compromise the security of previous session keys.
2 Bilinear Map
In this section, we review bilinear maps and the assumptions related to the proposed scheme. Let $G_1$ be a cyclic additive group of prime order $q$ and $G_2$ a cyclic multiplicative group of the same order $q$. We assume that the discrete logarithm problem (DLP) is intractable in both $G_1$ and $G_2$. We call $e : G_1 \times G_1 \longrightarrow G_2$ an admissible bilinear map if it satisfies the following properties:
1. Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$.
2. Non-degeneracy: There exists $P \in G_1$ such that $e(P, P) \neq 1$.
3. Computability: There exists an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.
3 Proposed Scheme
We denote the proposed scheme by SN-AKE. Before network deployment, a trusted authority (TA) performs the following operations.
1. TA constructs two groups $G_1$, $G_2$ and a map $e$ as described above.
2. TA chooses two cryptographic hash functions $H : \{0,1\}^{\ell} \longrightarrow \mathbb{Z}_q^*$ and $H_1 : \{0,1\}^* \longrightarrow \mathbb{Z}_q^*$, where $\ell$ is the bit length of a node ID (Figure 1 and the protocol steps below write the hash as $h$).
3. TA computes $g = e(P, P)$, where $P$ is a random generator of $G_1$.
4. TA picks a random integer $\kappa \in \mathbb{Z}_q^*$ as the network master secret and sets $P_{pub} = \kappa P$.
5. For each device $A$ with identification information $ID_A$, TA calculates $Q_A = H(ID_A)P + P_{pub}$ and $D_A = (H(ID_A) + \kappa)^{-1} P$.
Next, each device $A$ is preloaded with the public system parameters $(p, q, G_1, G_2, e, h, P, P_{pub}, g)$, its identification information $ID_A$, and its key pair $(Q_A, D_A)$.
When a sensor node $U$ and a security manager $V$ first communicate with each other, they perform the authenticated key establishment shown in Figure 1.
1. After $V$ obtains $ID_U$, $V$ chooses a random number $r'$ in $\mathbb{Z}_q^*$ and sends $(ID_V, X')$ to $U$, where $X' = r' Q_V$.
Fig. 1. SN-AKE (the protocol diagram, rendered as a message flow)

Sensor Node U holds: $P$, $P_{pub}$, $[ID_U, Q_U, D_U]$, $g = e(P, P)$
Security Manager V holds: $P$, $P_{pub}$, $[ID_V, Q_V, D_V]$

U → V : $ID_U$
V : $r' \leftarrow \mathbb{Z}_q^*$, $X' = r' Q_V$
V → U : $ID_V, X'$
U : $r \leftarrow \mathbb{Z}_q^*$, $sk = h(g^r \,\|\, rX' \,\|\, ID_U \,\|\, ID_V)$, $X = r\,h(ID_V)P + rP_{pub}$, $Y = (r + sk)D_U$
U → V : $X, Y$
V : $e_U = e(X, D_V)$, $sk' = h(e_U \,\|\, r'X \,\|\, ID_U \,\|\, ID_V)$, check $e(Y, h(ID_U)P + P_{pub}) \stackrel{?}{=} e_U\, g^{sk'}$, $MacKey \,\|\, LinkKey = KDF(sk' \,\|\, ID_U \,\|\, ID_V)$, $z = MAC_{MacKey}(ID_U \,\|\, ID_V)$
V → U : $z$
U : $MacKey \,\|\, LinkKey = KDF(sk \,\|\, ID_U \,\|\, ID_V)$, check $z \stackrel{?}{=} MAC_{MacKey}(ID_U \,\|\, ID_V)$
2. After $U$ obtains $(ID_V, X')$, $U$ chooses a random number $r$ in $\mathbb{Z}_q^*$ and computes $sk = h(g^r \,\|\, rX' \,\|\, ID_U \,\|\, ID_V)$. Next, $U$ sends $(X, Y)$ to $V$, where $X = r\,h(ID_V)P + rP_{pub}$ and $Y = (r + sk)D_U$.
3. $V$ calculates $e_U = e(X, D_V)$ and $sk' = h(e_U \,\|\, r'X \,\|\, ID_U \,\|\, ID_V)$. Having derived $e_U$ and $sk'$, it verifies that the following equation holds:
$e(Y, h(ID_U)P + P_{pub}) = e_U\, g^{sk'}$.
If the equality holds, the security manager $V$ is convinced that the sensor node $U$ knows its private key $D_U = (h(ID_U) + \kappa)^{-1} P$. $V$ then computes $MacKey \,\|\, LinkKey = KDF(sk' \,\|\, ID_U \,\|\, ID_V)$ and sends $z = MAC_{MacKey}(ID_U \,\|\, ID_V)$ to $U$, where $KDF$ is the specified key derivation function.
4. After $U$ computes $MacKey \,\|\, LinkKey = KDF(sk \,\|\, ID_U \,\|\, ID_V)$, it verifies $z = MAC_{MacKey}(ID_U \,\|\, ID_V)$, where $MAC$ is a message authentication code function. If the equality holds, the sensor node $U$ is convinced that the security manager $V$ knows its private key $D_V = (h(ID_V) + \kappa)^{-1} P$.
SN-AKE, which is tailored to wireless sensor networks, is a simplified adaptation of the ID-based AKE of [2]. The previous scheme provides only implicit key authentication, i.e., a participant is assured that no participant other than its intended partner can possibly learn the value of a particular secret key, whereas SN-AKE provides explicit key authentication. SN-AKE also has the property of perfect forward secrecy, while the previous schemes [2,7] provide only half forward secrecy.
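To make the algebra of Section 2 and the message flow of Section 3 concrete, the following Python program is an added worked example; it is not code from the paper or its authors. It instantiates the bilinear map with a deliberately toy and insecure choice assumed here for illustration only: $G_1 = (\mathbb{Z}_q, +)$ with $P = 1$, $G_2$ the order-$q$ subgroup of $\mathbb{Z}_p^*$ generated by GEN, and $e(x, y) = \mathrm{GEN}^{xy}$, with $q = 1019$ and $p = 2q + 1$. Discrete logarithms are trivial in this instantiation, so the program checks only that the bilinearity property, the verification equation $e(Y, h(ID_U)P + P_{pub}) = e_U\, g^{sk'}$ and the agreement $sk = sk'$ hold as derived, not that the scheme is secure. SHA-256 stands in for $H$/$h$ and for $KDF$, HMAC-SHA256 for $MAC$, and the `tamper_y` switch simulates a $Y$ modified in flight; all of these are assumptions of this example, not choices made by the paper.

```python
import hashlib
import hmac
import secrets

# Toy instantiation (assumption, NOT a secure pairing): G1 = (Z_q, +) with generator P = 1,
# G2 = the order-q subgroup of Z_p^* generated by GEN, and e(x, y) = GEN^(x*y) mod p.
# Discrete logs in G1 are trivial here, so this only checks the protocol's algebra.
Q = 1019                                  # prime group order q
P_MOD = 2 * Q + 1                         # 2039, also prime, so Z_p^* has an order-q subgroup
GEN = pow(2, (P_MOD - 1) // Q, P_MOD)     # = 4, generates the order-q subgroup of Z_p^*
P = 1                                     # generator of G1 (integer standing in for the point P)

def add(x, y): return (x + y) % Q                        # point addition in G1
def mul(a, x): return (a * x) % Q                        # scalar multiplication aX in G1
def pair(x, y): return pow(GEN, (x * y) % Q, P_MOD)      # bilinear map e: G1 x G1 -> G2
def g2_mul(u, v): return (u * v) % P_MOD                 # multiplication in G2
def g2_exp(u, k): return pow(u, k % Q, P_MOD)            # exponentiation in G2 (order q)

def h(*parts) -> int:
    """Hash into Z_q^* (stands in for the paper's H/h): SHA-256 over the '||'-joined parts."""
    data = b"||".join(part if isinstance(part, bytes) else str(part).encode() for part in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def kdf(sk, id_u, id_v):
    """KDF(sk || ID_U || ID_V) -> (MacKey, LinkKey); splitting one SHA-256 digest is an assumption."""
    d = hashlib.sha256(b"||".join([str(sk).encode(), id_u, id_v])).digest()
    return d[:16], d[16:]

def mac(key, id_u, id_v):
    """MAC_key(ID_U || ID_V), realised as HMAC-SHA256 (assumption)."""
    return hmac.new(key, id_u + b"||" + id_v, hashlib.sha256).digest()

def setup(kappa=None):
    """TA setup: master secret kappa in Z_q^*, P_pub = kappa*P, g = e(P, P)."""
    kappa = kappa or secrets.randbelow(Q - 1) + 1
    return {"kappa": kappa, "Ppub": mul(kappa, P), "g": pair(P, P)}

def extract(params, ident):
    """Key pair of device A: Q_A = H(ID_A)P + P_pub, D_A = (H(ID_A) + kappa)^-1 P."""
    s = (h(ident) + params["kappa"]) % Q
    if s == 0:
        raise ValueError("H(ID) + kappa is 0 mod q; no inverse exists for this ID")
    return add(mul(h(ident), P), params["Ppub"]), mul(pow(s, -1, Q), P)

def run_sn_ake(params, id_u, id_v, tamper_y=False):
    """One SN-AKE run between sensor U and manager V.
    Returns (U's LinkKey, V's LinkKey, V accepted U, U accepted V)."""
    pub = {"Ppub": params["Ppub"], "g": params["g"]}    # public parameters both sides hold
    q_u, d_u = extract(params, id_u)                   # preloaded on U by the TA
    q_v, d_v = extract(params, id_v)                   # preloaded on V by the TA
    # Step 1 (V): r' <- Z_q^*, X' = r' Q_V, send (ID_V, X') to U
    r_prime = secrets.randbelow(Q - 1) + 1
    x_prime = mul(r_prime, q_v)
    # Step 2 (U): r <- Z_q^*, sk = h(g^r || rX' || ID_U || ID_V),
    #             X = r h(ID_V) P + r P_pub, Y = (r + sk) D_U, send (X, Y) to V
    r = secrets.randbelow(Q - 1) + 1
    sk_u = h(g2_exp(pub["g"], r), mul(r, x_prime), id_u, id_v)
    x = add(mul(r * h(id_v), P), mul(r, pub["Ppub"]))
    y = mul(r + sk_u, d_u)
    if tamper_y:
        y = add(y, 1)                                  # constructed: Y altered on the air
    # Step 3 (V): e_U = e(X, D_V), sk' = h(e_U || r'X || ID_U || ID_V),
    #             check e(Y, h(ID_U)P + P_pub) == e_U * g^sk'
    e_u = pair(x, d_v)
    sk_v = h(e_u, mul(r_prime, x), id_u, id_v)
    lhs = pair(y, add(mul(h(id_u), P), pub["Ppub"]))
    rhs = g2_mul(e_u, g2_exp(pub["g"], sk_v))
    if lhs != rhs:
        return None, None, False, False                # V rejects; z is never sent
    mac_v, link_v = kdf(sk_v, id_u, id_v)
    z = mac(mac_v, id_u, id_v)
    # Step 4 (U): MacKey || LinkKey = KDF(sk || ID_U || ID_V), check z
    mac_u, link_u = kdf(sk_u, id_u, id_v)
    u_accepts = hmac.compare_digest(z, mac(mac_u, id_u, id_v))
    return link_u, link_v, True, u_accepts

if __name__ == "__main__":
    params = setup()
    link_u, link_v, v_ok, u_ok = run_sn_ake(params, b"sensor-17", b"manager-A")
    print("honest run: V accepts", v_ok, "/ U accepts", u_ok, "/ link keys agree", link_u == link_v)
    print("tampered Y: V accepts", run_sn_ake(params, b"sensor-17", b"manager-A", tamper_y=True)[2])
```

Running the module performs one honest run and one run in which $Y$ is altered in transit. In the honest run both sides derive the same LinkKey; in the tampered run $V$'s pairing check fails, so $V$ never releases $z$ and $U$ never derives a link key, which is the explicit key authentication of Section 3 in action. Because the session key depends on $r$ and $r'$ but the verification uses only $D_U$, $D_V$ and public values, the program can also serve as a test bench for the correctness equations in Section 4, although its toy group says nothing about the mBIDH hardness those arguments rely on.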
Table 1. Comparison of the proposed scheme and Huang et al.'s schemes

           Hybrid [7]    MSR-Hybrid [7]    SN-AKE
  EC-RP    1             0                 2
  EC-FP    2             3                 2
  EXP      0             1                 1
  CC       1437 bits     3682 bits         736 bits
  FS       Half          Half              Perfect

Hybrid: Huang et al.'s hybrid authenticated key establishment
MSR-Hybrid: Huang et al.'s MSR-combined Hybrid
EC-RP: elliptic curve scalar multiplication of a random point
EC-FP: elliptic curve scalar multiplication of a fixed point
EXP: small modular exponentiation
CC: communication complexity
FS: forward secrecy
4 Analysis
Efficiency. Unlike the ID-based schemes [10,11] for sensor networks, a sensor need not perform the Map-To-Point operation or the Weil/Tate pairing, which is several times more costly than a scalar multiplication. Table 1 summarizes, per sensor, the efficiency of SN-AKE and Huang et al.'s schemes. Compared to Huang et al.'s schemes [7], SN-AKE is remarkably more communication-efficient since it does not require the transmission of public-key certificates.
Key Confidentiality. After a key establishment run, an adversary can obtain $h(ID_V)$, $P$, $P_{pub} = \kappa P$, and $r(h(ID_V) + \kappa)P$. However, she cannot compute $e_U = g^r = e(P, P)^{\frac{r(h(ID_V) + \kappa)}{\kappa + h(ID_V)}}$, and hence the session key $sk' = sk$, since there is no polynomial-time algorithm that solves the mBIDH problem [2] with non-negligible probability.
Authentication and Key Confirmation. In SN-AKE, if $e(Y, h(ID_U)P + P_{pub}) = e_U\, g^{sk'}$ holds, the security manager $V$ has verified that the sensor node $U$ knows $sk$ and its private key $D_U$. Likewise, if $z = MAC_{MacKey}(ID_U \,\|\, ID_V)$ holds, the sensor node $U$ has verified that the security manager $V$ knows $sk$ and its private key $D_V$.
Forward Secrecy. In SN-AKE and in Huang et al.'s schemes [7], compromise of the sensor node's private key does not appear to allow an adversary to recover any past session keys. However, in Huang et al.'s schemes, compromise of the security manager's private key allows all previous session keys to be recovered from the transcripts; hence those schemes have only half forward secrecy. In SN-AKE, on the other hand, even if the security manager's private key is compromised, data protected with a previous session key remains secure, because deriving that key requires knowledge of the previous random integer $r'$. Therefore, SN-AKE provides perfect forward secrecy, while the previous schemes [2,7] provide half forward secrecy.
5 Conclusion
In SN-AKE, a sensor need not transmit public-key certificates or perform expensive computations such as the Weil/Tate pairing and the Map-To-Point operation. In particular, SN-AKE guarantees perfect forward secrecy and is therefore suitable for applications with a weaker security manager.
References
1. Barr, K., Asanovic, K.: Energy aware lossless data compression. In: 1st Int. Conf. Mobile Syst., Applicat., Services, pp. 231–244 (May 2003)
2. Choi, K.Y., Hwang, J.Y., Lee, D.H.: ID-based Authenticated Key Agreement for Low-Power Mobile Devices. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 494–505. Springer, Heidelberg (2005)
3. Carman, D.W., Kruus, P.S., Matt, B.J.: Constraints and approaches for distributed sensor network security. NAI Labs Technical Report 00-010 (September 2000)
4. Chan, H., Perrig, A., Song, D.: Random key predistribution schemes for sensor networks. In: IEEE Symposium on Security and Privacy, pp. 197–213 (May 2003)
5. Eschenauer, L., Gligor, V.D.: A key-management scheme for distributed sensor networks. In: ACM CCS 2002, pp. 41–47 (November 2002)
6. Gaubatz, G., Kaps, J., Sunar, B.: Public key cryptography in sensor networks revisited. In: Castelluccia, C., Hartenstein, H., Paar, C., Westhoff, D. (eds.) ESAS 2004. LNCS, vol. 3313, pp. 2–18. Springer, Heidelberg (2005)
7. Huang, Q., Cukier, J., Kobayashi, H., Liu, B., Zhang, J.: Fast authenticated key establishment protocols for self-organizing sensor networks. In: ACM WSNA 2003, pp. 141–150 (2003)
8. Menezes, A.: Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, Dordrecht (1993)
9. Watro, R., Kong, D., Cuti, S.-f., Gardiner, C., Lynn, C., Kruus, P.: TinyPK: Securing sensor networks with public key technology. In: ACM SASN 2004, pp. 59–64 (October 2004)
10. Zhang, Y., Liu, W., Lou, W., Fang, Y.: Location-based compromise-tolerant security mechanisms for wireless sensor networks. IEEE JSAC, Special Issue on Security in Wireless Ad Hoc Networks 24(2), 247–260 (2006)
11. Zhang, Y., Liu, W., Lou, W., Fang, Y., Wu, D.: Secure localization and authentication in ultra-wideband sensor networks. IEEE JSAC, Special Issue on UWB Wireless Communications - Theory and Applications 24(4), 829–835 (2006)