
Journal of Software Engineering

Year: 2015 | Volume: 9 | Issue: 1 | Page No.: 114-120
DOI: 10.3923/jse.2015.114.120
Research on an ID Authentication Scheme Base on Secret Sharing in Wireless Sensor Networks
Yongming Li, Qinghua Yang, Liejun Wang and DanTong

Abstract: Identity authentication is the first safeguard for the security of Wireless Sensor Networks (WSNs). To address the efficiency and safety issues of existing identity authentication protocols in WSNs, a low-power identity authentication protocol based on the Shamir threshold secret sharing scheme is proposed. Without compromising the network's security, a new node needs to be checked by the majority of authorized nodes, so the computation consumed during authentication can be reduced effectively. A one-way hash function is used to encrypt communication data and a timestamp mechanism is used against replay attacks in the authentication process. Analytical results show that the protocol has low power consumption and can resist eavesdropping attacks, replay attacks and the capture of a few nodes.


How to cite this article
Yongming Li, Qinghua Yang, Liejun Wang and DanTong, 2015. Research on an ID Authentication Scheme Base on Secret Sharing in Wireless Sensor Networks. Journal of Software Engineering, 9: 114-120.

Keywords: Wireless sensor networks, identity authentication, secret sharing scheme, timestamp mechanism and hash

INTRODUCTION

Wireless Sensor Networks (WSNs), which combine computer, communications and sensor technology, are a new information acquisition and processing technology. WSNs are widely used in military struggle, national security, environmental monitoring, traffic management, health care, manufacturing and disaster areas (Wang et al., 2012). Since WSN nodes are deployed in relatively harsh environments and wireless sensor nodes are inherently vulnerable, sensor network security causes great concern.

Authentication is a prerequisite for all network security mechanisms and is the first barrier of WSN security. Authentication means that one member of a WSN identifies another, which provides a secure access mechanism for the network. Authentication allows legitimate nodes to join the network while malicious nodes are shut down (Cao and Lei, 2008). Authentication can add fresh blood to the entire WSN and so extend its life cycle.

At present, studies of WSN authentication focus on asymmetric and symmetric cryptosystem schemes. Most authentication schemes based on asymmetric cryptography simplify and improve existing internet authentication mechanisms to make them suitable for WSNs. Among them, TinyPK is a typical scheme, proposed in 2004. TinyPK (Wang et al., 2012) uses a low-exponent RSA algorithm, which requires less computation than the traditional RSA algorithm, but its power consumption during the authentication phase is still large.

Simple calculation is the greatest advantage of symmetric key authentication schemes. The SPINS security framework for WSNs uses a shared key to complete authentication. However, because nodes are deployed randomly, nodes that share a secret cannot be guaranteed to be within communication range of each other, which introduces a great deal of uncertainty in WSNs. Furthermore, as the number of captured nodes increases, the network's security rapidly decreases. Other protocols (Zhou et al., 2009; Yan and Wen, 2012; Zeng et al., 2014; Zuo et al., 2010; Liu and Shen, 2009) are based on elliptic curve cryptosystems; although they perform well in terms of safety, their power consumption is still very large relative to the computation of symmetric cryptosystems.

To address the deficiencies of existing protocols, an authentication protocol based on the threshold Shamir secret sharing scheme is proposed. A new node is authenticated by multiple nodes that are already in the sensor network. When a small number of nodes are captured, the authentication protocol is still safe. In order to resist replay attacks effectively, a timestamp mechanism is used in the authentication process. Authentication data are encrypted with a hash function, which resists eavesdropping attacks.

PROTOCOL DESCRIPTION

One-way hash function: A one-way hash function is a function that compresses a message of arbitrary length into an output value of fixed length. It is irreversible, resistant to counterfeiting, sensitive to its initial input and compresses data (Bogdanov et al., 2011). A one-way hash function has the following characteristics:

Given M, it is easy to calculate H(M)
Given H(M), finding M is computationally infeasible
Given H(M), finding another message M'≠M that meets H(M) = H(M') is computationally infeasible

Shamir secret sharing algorithm: This protocol uses a special type of cryptography, the Shamir secret sharing algorithm, which is reviewed first. Generally, the Shamir (k, n) secret sharing algorithm divides a secret S into n parts called child-secrets; the secret S can be recovered only if the number of child-secrets available is equal to k or more (Xu and Xiao, 2004).

Encryption process: The secret distributor (base station) holds a secret S∈GF(q), where q is a large prime number and GF(q) is the Galois field of order q. There are n participants and each participant has a unique identifier x_i∈GF(q). With a_1, a_2, …, a_{k-1}∈GF(q) and a_0 = S, a polynomial is constructed as follows:

(1)

Substitute the numbers x_1, x_2, …, x_n into Eq. 1 and calculate the results f(x_1), f(x_2), …, f(x_n). Then distribute (x_1, f(x_1)), (x_2, f(x_2)), …, (x_n, f(x_n)) to the participants as their unique identifier.

Decryption process: Expressed in matrix form as follows:

(2)

Fig. 1: Typical model for wireless sensor network

Solve for a_0, a_1, …, a_{k-1}, construct f(x) = a_0 + a_1 x + a_2 x^2 + … + a_{k-1} x^{k-1}, then let x = 0; finally, get S = a_0.
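An added Python example (not from the paper) of the (k, n) sharing just described: it builds the polynomial with a_0 = S, issues the pairs (x_i, f(x_i)) and recovers S from any k of them, while fewer than k give a wrong value. Recovery uses Lagrange interpolation at x = 0 instead of solving the matrix form; the prime Q, the function names and the sample identifiers are assumptions chosen for illustration.

```python
# Added example: Shamir (k, n) sharing over GF(q); all values are constructed.
import secrets

Q = 2**127 - 1  # a Mersenne prime, standing in for the paper's large prime q


def make_poly(secret, k):
    """Return coefficients [a_0, ..., a_{k-1}] with a_0 = S."""
    return [secret % Q] + [secrets.randbelow(Q) for _ in range(k - 1)]


def f(coeffs, x):
    """Evaluate f(x) = a_0 + a_1 x + ... + a_{k-1} x^{k-1} mod q (Horner)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % Q
    return acc


def split(secret, k, xs):
    """Produce one child-secret (x_i, f(x_i)) per participant identifier."""
    if len(set(xs)) != len(xs) or any(x % Q == 0 for x in xs):
        raise ValueError("identifiers must be distinct and non-zero mod q")
    coeffs = make_poly(secret, k)
    return [(x, f(coeffs, x)) for x in xs]


def recover(shares):
    """Lagrange interpolation at x = 0, which yields a_0 = S."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def demo():
    """(3, 5) sharing: two different 3-subsets recover S, a 2-subset does not."""
    shares = split(123456789, k=3, xs=[11, 22, 33, 44, 55])
    return recover(shares[:3]), recover(shares[2:]), recover(shares[:2])
```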

Model for the protocol in wireless sensor network: The model of the proposed protocol is shown in Fig. 1. The sensor network consists of a Base Station (BS) and a large number of sensor nodes with the same function, and each node has a unique identity.

Base station (BS): The BS is considered a trusted party in this protocol. The BS always works well and is always safe, and its computational speed, memory capacity, encryption and routing power meet the requirements.

The main tasks of the BS are as follows:

Preserving the IDi of all legitimate sensor nodes
Choosing a secret S and calculating the share SHIDi of each node
Calculating H(SHIDi) from SHIDi
Generating TBS and T0

Node: Each node has the same functions: detecting the surrounding environment, collecting data, transmitting data and forwarding the authentication data of new nodes. Each node has the parameters: {ID, H(SHIDi), Tnode, T0}.

New node: It has the same functions as a legitimate node and the parameters {ID, H(SHIDi), Tnode, T0}. In addition, a new node holds the secret S with which it is to be authenticated, so it can calculate H(SHIDi) from an ID.

In this protocol, an attacker can capture one or more nodes and obtain all the information from a captured node, including ID, H(SHIDi), Tnode and T0; the attacker can also tamper with the information within the node.

This authentication protocol uses the "ask-answer" mode. When a new node needs to join the sensor network, it must broadcast T0' as request information to all nodes in its communication range. After a legitimate node receives a request message, it first determines whether T0' is the same as T0. If not, it does not react; if so, it sends its identity IDi to the requesting node.

Table 1: Related symbols for the protocol

The requesting node uses the received IDi as a parameter to calculate the share SHIDi, then encrypts it with SHA-1 to get H(SHIDi)' and transmits the encrypted share to the nodes. When a legitimate node receives H(SHIDi)', it compares it with the H(SHIDi) it has stored. If they are the same, the requesting node is considered legitimate; otherwise, it is refused entry to the network. Only when more than t nodes authenticate it successfully does the new node join the sensor network. Related symbols of the protocol are described in Table 1.

Authentication process of this protocol
Initialization phase: Firstly, the BS selects a secret S∈GF(q) and a_1, a_2, …, a_{k-1}∈GF(q) and sets a_0 = S. T0' is assigned to the new node. When a new node joins the sensor network, it calculates the share of each legitimate node using the secret S. Secondly, the BS calculates the share SHIDi of each node from its IDi using the Shamir secret sharing scheme. Finally, it encrypts the shares with the SHA-1 algorithm to get H(SHIDi). IDi, H(SHIDi) and T0 are distributed to each node as the basis for authentication.

Authentication phase:

The new node broadcasts its request to all nodes within its communication range: T0'
Each node in the network checks whether T0 == T0'. If they are equal, the legitimate node transmits IDi⊕T0||Tnode to the requesting node as a reply message; if not, it does nothing
After the new node receives the reply message and obtains Tnode, it calculates (IDi⊕T0)⊕T0 to get IDi. Using the Shamir secret sharing scheme, it computes the node's share SHIDi' = f(IDi), then encrypts the share with SHA-1 to generate H(SHIDi'). Finally, it transmits H(SHIDi')⊕(Tnode+1) to the nodes in the sensor network
After the legitimate node receives the message, it calculates (H(SHIDi')⊕(Tnode+1))⊕(Tnode+1) and compares the result with the H(SHIDi) it has stored. If they are the same, the new node is legitimate; otherwise, it is rejected as malicious. Only when more than t nodes authenticate it successfully does the new node join the sensor network. The specific authentication process is shown in Fig. 2
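The exchange described in the authentication phase, as an added example that is not code from the paper: legitimate nodes and the joining node run the four steps over integers, and one captured step-3 message is sent twice to show the Tnode update refusing the replay. The names Node, share_hash, new_node_message, join and replay_rejected, the 16-byte share encoding and all IDs, timestamps and coefficients are assumptions constructed for illustration; the joining node is assumed to hold the polynomial coefficients so that it can evaluate f(IDi).

```python
# Added example: the four-step exchange with constructed IDs and timestamps.
import hashlib

Q = 2**127 - 1                  # stand-in for the large prime q
COEFFS = [424242, 1337, 90210]  # a_0 = S, a_1, a_2 (constructed; assumed on the new node)
T0 = 0x5EED                     # initial timestamp issued by the BS (constructed)

def share_hash(node_id, coeffs=COEFFS):
    """H(SH_IDi): SHA-1 over the share f(ID_i), returned as an integer."""
    share = 0
    for a in reversed(coeffs):
        share = (share * node_id + a) % Q
    return int.from_bytes(hashlib.sha1(share.to_bytes(16, "big")).digest(), "big")

class Node:
    """Legitimate node storing {ID, H(SH_IDi), Tnode, T0}."""
    def __init__(self, node_id, t_node):
        self.id, self.h, self.t_node = node_id, share_hash(node_id), t_node

    def reply(self, t0_req):
        # Step 2: answer only if T0' equals T0, with (ID_i xor T0, Tnode)
        return (self.id ^ T0, self.t_node) if t0_req == T0 else None

    def verify(self, msg):
        # Step 4: unmask with Tnode+1, compare with the stored hash, advance Tnode
        ok = (msg ^ (self.t_node + 1)) == self.h
        if ok:
            self.t_node += 1
        return ok

def new_node_message(reply, coeffs, t0_req):
    # Step 3: recover ID_i, recompute the share hash, mask it with Tnode+1
    masked_id, t_node = reply
    return share_hash(masked_id ^ t0_req, coeffs) ^ (t_node + 1)

def join(nodes, coeffs, t0_req, t):
    """Admit the new node only if more than t nodes verify it."""
    passed = 0
    for node in nodes:
        reply = node.reply(t0_req)          # step 1 is the broadcast of T0'
        if reply is not None:
            passed += node.verify(new_node_message(reply, coeffs, t0_req))
    return passed > t

def replay_rejected(node):
    """Send one captured step-3 message twice: (fresh result, replay result)."""
    msg = new_node_message(node.reply(T0), COEFFS, T0)
    return node.verify(msg), node.verify(msg)
```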

Secret update phase: Because the deployment environment of WSNs is insecure, the secret S must be updated periodically. When one or more nodes in the WSN are captured or fail, the BS must promptly update the secret S to prevent leakage of node information and keep the entire network secure. The BS randomly selects a secret S and divides it into N shares. There are two cases:

Fig. 2: Authentication process of the protocol

Initiative update: While the WSN works well, the BS updates the secret S periodically. The BS sends the new secret S and the encrypted shares to the legitimate nodes
Passive update: When some nodes fail, the BS needs to compile a list of the failed nodes in order to remove them and broadcast the information about the failed nodes to all nodes of the WSN; finally, it updates the secret S

PROTOCOL ANALYSIS

Security analysis
Against captured attacks: The protocol uses a multi-node authentication method to authenticate nodes. When one or a few nodes are captured, the WSN still remains safe as long as the number of captured nodes is below the threshold of the secret sharing scheme. Assume that the probability of each legitimate node being captured is p(x). If a malicious node wants to join the network, it needs to capture more than t legitimate nodes, so its probability of success is p(x)^t; if t is large enough, the probability of a successful invasion approaches 0. Even if a node is captured, the shared secret cannot be recovered in reverse from it.

Against eavesdropping attacks: The protocol can completely resist eavesdropping attacks, because the data transmitted over the channel are encrypted with an irreversible hash function. Even if an attacker eavesdrops on data during the authentication process, the irreversible nature of the hash function means the attacker cannot recover any meaningful information. So, in the authentication process, the share of the node secret is absolutely safe.

Against replay attacks: In the initialization phase of this protocol, the initial timestamp is allocated to each sensor node, and any new node that wants to join the sensor network must transmit the initial timestamp as request information to the sensor network nodes. After a network node receives a request message, it checks whether T0 == T0'. If the check succeeds, the authentication process continues; otherwise, the authentication process stops and the node does nothing with the request. In authentication phase 3, the new node adds 1 to the timestamp that the sensor network node transmitted to it and XORs the result with the encrypted share: H(SHIDi')⊕(Tnode+1). In authentication phase 5, each node within the network updates its timestamp after a successful authentication: Tnode+1→Tnode. Replaying authentication data intercepted at any stage is useless to an attacker, because the authentication data are different every time, even for the same new node within the same network. Each timestamp update ensures the freshness of the authentication data.

Table 2: Complexity of algorithms
M: Multiplication, S: Square, I: Inverse operation, n: Binary bits of d of point multiplication in dP, k: Value of Shamir secret sharing threshold

Storage analysis: Compared with the authentication protocols in the literature that use public key algorithms, the internal nodes of the network in this protocol do not have to store complex private or public key information; they only store (IDi, H(SHIDi), Tnode, T0) as the basic information needed to complete the authentication. The new node in this protocol needs to store (IDi, H(SHIDi), Tnode, T0, S). Compared with the nodes in the sensor network, the new node only needs to store the shared secret S in addition. The proposed protocol therefore has great advantages in the storage space it occupies.

Power consumption analysis: The authentication process in this protocol does not use complex symmetric or asymmetric encryption algorithms; the concept of Shamir threshold secret sharing is used to reduce the computational complexity of the authentication process. The consumption of this scheme is divided into the SHA-1 cryptographic hash function and the computation of Shamir secret sharing shares. The SHA-1 algorithm consists of basic operations that can each be executed within a full machine cycle: addition, XOR, rotation and other simple logic operations. The computing complexity of the Shamir secret sharing scheme is:

Compared with the current typical scheme based on elliptic curve, this protocol has low computing complexity as shown in Table 2.

CONCLUSION

Because asymmetric cryptographic authentication schemes require a large amount of calculation and symmetric cryptography schemes offer poor security, this study proposes an authentication protocol based on threshold Shamir secret sharing. The characteristics of this protocol are: (1) If fewer than the threshold number of nodes are captured, the protocol is still safe, (2) It can resist eavesdropping attacks and replay attacks. Meanwhile, the scheme uses shared-secret cryptographic concepts to further reduce the amount of computation while keeping high security.

ACKNOWLEDGMENT

This study was supported by the Natural Science Foundation of Xinjiang University No. 21361355. The authors would like to thank the anonymous reviewers for their constructive comments that helped to improve the quality of this study.

REFERENCES

  • Wang, C., G.Y. Hu and H.G. Zhang, 2012. Lightweight security architecture design for wireless sensor network. J. Commun., 33: 30-35.


  • Cao, T.J. and H. Lei, 2008. Privacy-enhancing authenticated key agreement protocols based on elliptic curve cryptosystem. Acta Electronica Sinica, 36: 397-401.


  • Zhou, J.L., C.X. Li and Q.Y. Cao, 2009. Research on intrusion detection system based on security protocol for wireless sensor networks. Applic. Res. Comput., 26: 4319-4321, 4324.


  • Yan, T. and Q. Wen, 2012. A Improved Certificate-Based Security Protocol for Wireless Sensor Networks. In: Future Wireless Networks and Information Systems, Volume 1, Zhang, Y. (Ed.). Springer, Berlin, ISBN: 978-3-642-27322-3, pp: 123-130


  • Zeng, P., L. Zhang, R.L. Hu, Y. Yang and P. Liu, 2014. Lightweight authenticated key agreement protocol based on ECC for wireless sensor networks. Comput. Eng. Applic., 50: 65-69.


  • Zuo, B., Y.H. Guo, C.Y. Luo and W. Li, 2010. Key management protocol for WSN based on ECC. Comput. Eng., 36: 142-144.


  • Bogdanov, A., M. Knezevic, G. Leander, D. Toz, K. Varici and I. Verbauwhede, 2011. Spongent: A Lightweight Hash Function. In: Cryptographic Hardware and Embedded Systems, Preneel, B. and T. Takagi (Eds.). Springer, Berlin, Germany, ISBN: 978-3-642-23950-2, pp: 312-325


  • Xu, C.X. and G.Z. Xiao, 2004. A threshold multiple secret sharing scheme. Acta Electron. Sin., 32: 1688-1689.


  • Liu, L.H. and Y. Shen, 2009. Fast algorithm for scalar multiplication in elliptic curves cryptography. Applic. Res. Comput., 26: 1104-1108.
