1. Introduction

2. Design Constraints and Security Issues in WSNs

3. The Key Management Scheme for Cluster based WSNs

3.2. Network Initializtion and Definitions

In the network, there are n sensors, denoted as S_0,...,n−1, and m cluster heads (CH), denoted as CH_0,...,m−1. Each sensor has a unique identification code ID_si with length of 2 bytes stored in the chip. When the network is initialized, sensor nodes are randomly distributed into m groups or cluster. There is only one CH and n/m sensors in each cluster. Figure 1 shows a typical network of three clusters. Each cluster contains one CH and three sensors.

Figure 1. The network topology.

Figure 1. The network topology.

After network deployment, each CH runs a cluster forming process, and sensors are divided into clusters with no cross coverage. After a period of operation, some sensor may move into another cluster’s region. In this situation, the subsequent key distribution and update process will be done by the CH of the present cluster. In the following part, we will describe the scheme from two aspects, that is static sensors and mobile sensors.

The following definitions will be used in our scheme and analysis.

SK_i denotes the symmetric session key with a length of 128bits shared by the base station and sensors located in DG_i.

PUK denotes the public key of the BS and PVK denotes the corresponding private key. PUK can be obtained through public key Infrastructure (PKI).

The function E(x,y) denotes encryption (symmetric or asymmetric) operation, parameter x denotes encryption key and parameter y denotes the plain message need to be encrypted. The function D(x,y) denotes decryption operation.

ID__CHi denotes the identity code of the cluster with a length of 1 byte, and it can be acquired from the CH of that cluster. It is stored in the chip of each CH and tamper proof mechanism is used.

ID_si denotes the identity code of sensor S_i with a maximum length of 2 bytes. It is stored in the chip of each sensor and tamper proof mechanism is used.

3.3. Static Sensors Subscheme for Hierarchical WSNs

3.3.1. Mutual Authentication and Key Distribution Process

In our clustered architecture network, the CH plays an important role in the process of key management. The key problem here is how to distribute the key among the sensor nodes under many restrictions. We assume all the sensors are static and present the operations of handshake, key distribution, authentication, and key update. The handshake is destined to establish a symmetric key shared by sensors and BS. The operation of handshake includes three steps:

• Generation of the SK_i: The CH_i generates a random symmetric key SK_i and a challenge R. Then, the CH_i encrypts SK_i , R and ID__CHi with PUK, and we get:

  Cipher1= E(PUK, SK_i ‖ R‖ ID__CHi‖ timestamp)

  (1)
  The 2-byte timestamp is used to resist replay attacks. CH_i sends Cipher1 to the base station using traditional routing. Here, the PUK is used for authentication and confidentiality of the session key SK_i.
• Establishment of SK_i: After receiving and decrypting the message, the base station gets SK_i, R using its PVK and builds a global table of all the session keys of different clusters. This table is used to identify the cluster and its cluster head on the network. Meanwhile, if ID__Chi can be found in the database of legal CHs, the identity of the CH_i can be authenticated by BS.
• Completion of the handshake: The base station encrypts R with the established session key SK_i. and gets

  Cipher2= E(SK_i, R)

  (2)

Then, the base station sends Cipher2 to CH_i, and CH_i decrypts it. When the challenge R is correctly received, a session key is successfully established between BS and CH_i. Otherwise, CH_i will reinitiate the handshake. Considering the resource consumption caused by the computational complexity, the message authentication code (MAC) is not added in key distribution scheme.

Through the above steps, the mutual authentication between the base station and CH_i is completed. After that, each sensor in the cluster needs to achieve the session key SK_i generated by CH_i. Thus, sensor node S_i builds a message encrypted by the PUK, denoted as follows:

Cipher3= E(PUK, ID__CHi ‖ ID_si ‖ timestamp ‖ SK_si‖ R)

(3)

where SK_si is a symmetric key generated by sensor S_i. For sensor S_i, the Cipher3 is used to apply for session key and identity authentication at the same time.

When the BS receives Cipher3, it picks out the corresponding session key (SK_i) according to ID__CHi. At the same time, if the ID_si can be found in the list of legal sensor nodes, the authentication of S_i is accomplished as well.

To secure the session key, the base station encrypts SK_i with the session key SK_si and builds the Cipher4 as follows:

Cipher4= E(SK_si, SK_i ‖ R).

(4)

Then, the Cipher4 is sent to S_i, and S_i will decrypt it by the symmetric key SK_si. Finally, all the sensors in the same cluster share the same session key SK_i with its cluster head. Through the above key distribution subscheme, the confidentiality of traffic between the cluster head and the sensor is guaranteed. Besides, mutual authentication between the BS and S_i is successfully done. The detailed key distribution process is depicted in Figure 2.

Figure 2. The process of authentication and key distribution in static subscheme.

Figure 2. The process of authentication and key distribution in static subscheme.

3.3.2. Session Key Update Process

To protect the nodes from long term attacks, a periodic key update mechanism is designed. The steps of the key update are given as follows.

• The new session key SK_i’ is generated by the cluster head CH_i at a certain moment.
• CH_i notifies the base station to update the session key.
• Using the proposed handshake operation, the new session key SK_i’ is distributed between the BS and the CH_i. After that, the CH_i notifies all the sensors to update their session key in its cluster with a broadcasting message. Sensors will stop encrypting sessions until they receive new session key SK_i’.
• After the establishment of SK_i’, the CH_i distributes SK_i’ encrypted with the original session key SK_i to all the sensors by broadcasting cipher5, denoted as

  Cipher5= E(SK_i, SK_i’).

  (5)
• Each sensor in the cluster decrypts the cipher5 with the old session key SK_i and substitutes with the SK_i’. The subsequent dialog is decrypted by the new session key.

3.4. Mobile Sensors Subscheme for Hierarchical WSNs

3.4.1. Mutual Authentication and Key Distribution Process

Since sensor nodes have a high probability of moving between different clusters of the network, the dynamic subscheme for hierarchical architecture is more complicated. In Figure 3, S₀ moves from the cluster C₀ into another cluster named C₂. Because the location of each CH is assumed to be unchanged, the process of authentication and key distribution between CH and BS is the same as the static subscheme. The main difference between the static subscheme and the mobile one lies in the key distribution process.

The key distribution process of the mobile scene includes six steps.

• When S₀ moves into cluster2, it will send a cluster-entry request to CH₂. The cluster forming and cluster head detection process is not described here, please refer to [24].
• CH₂ detects and receives this message. Then, CH₂ replies to S₀ with a message including its identification code ID__CH2.
• S₀ updates the identification of the present cluster, replacing ID__CH0 with ID__CH2.
• S₀ applies for the latest session key SK₂ from the base station with the cipher6 denoted as follows:

  Cipher6= E(PUK, ID__CH2 ‖ ID__S0 ‖ timestamp ‖ SK_ _S0 ‖ R)

  (6)
• The BS decrypts cipher6 with the PVK and gets ID__CH2, SK_ _S0, and ID__S0 from
  Plain6 = D(PVK, Cipher6)= D(PVK, E(PUK, ID__CH2 ‖ ID__S0 ‖ timestamp ‖ SK_ _S0 ‖ R)) = ID__CH2 ‖ ID__S0‖ SK_ _S0 ‖ R.
  The latest session key SK₂ can be picked out in terms of ID__CH2, and the S₀ is authenticated by BS according to ID__S0. Then, the cipher7 will be sent to S₀. The cipher7 is built as follows:

  Cipher7= E(SK_ _S0, SK₂ ‖ R).

  (7)
• S₀ decrypts the cipher7 with the symmetric key SK_ _S0 and successfully gets SK₂.

Figure 3. Sensor S₀ moves from Cluster0 to Cluster2.

Figure 3. Sensor S₀ moves from Cluster0 to Cluster2.

Thus, the mobile sensor is able to achieve the latest session key of the present cluster and send encrypted traffic to the corresponding cluster head. The detailed key distribution process in mobile subscheme is depicted in Figure 4.

Figure 4. The process of authentication and key distribution in mobile subscheme.

Figure 4. The process of authentication and key distribution in mobile subscheme.

3.4.2. Session Key Update Process

In mobile scene, a sensor updates session key like the static model for most of time. However, when S₀ moves to the junction of two adjacent clusters, for example C₀ and C₂ in Fig.2, it may receive key update messages from CH₀ and CH₂ at the same time. It should be noted that S₀ only knows the previous session key SK₀ of cluster0, but unaware of the previous session key of cluster2. Thus, S₀ can only decrypt the broadcasting message from CH₀ to update SK₀’. After joining cluster2, S₀ can obtain the present session key SK₂ from the base station and wait for key updating again.

4. Analysis and Comparison

4.1. Key Storage of Sensor Nodes

In our scheme, the public key is preload into sensor’s memory during the network initialization. Since the strength of encryption with the 256 bits ECC key is equal to that of the 3072 bits RSA key, a public key of 256-bit length is used in our simulation. Besides, two 32-byte session keys are used in the key distribution process. When a sensor receives the refreshed session key, the original will be deleted to save the memory. Therefore, the memory overhead is only 96 bytes and that of the CH is also 96 bytes.

The key distribution in [15] is that k keys are preloaded into each sensor, while m keys (m ≫ k) are preloaded into each CH. If any two nodes share a pairing key, they can establish a secure link. Thus, the more keys stored, the higher probability of sharing common keys. In [23], the memory is divided into two parts. One is used to store α predistributed keys and the other is for β post-deployment keys.

Table 1 presents the key storage overhead in different schemes. For large and medium-sized wireless sensor networks, sensors in our scheme require less storage space than others. But cluster heads require slightly more memory space than Erfani’s scheme. Since the number of sensors is much larger than that of CHs, our scheme is valuable for resource limited WSNs.

Table 1. Key storage overhead (bytes) in different schemes.

Table 1. Key storage overhead (bytes) in different schemes.

	Du [15]	Erfani [23]	Our Scheme
Sensor	32l	32(α+β)	96
Cluster Head	32m	32	96

4.3. Security Analysis

4.3.1. Mutual Authentication

In both subschemes, mutual authentication of BS and sensors (including CHs) is assured by the challenge-response mechanism. Terminals without legal identifier (ID__CHi or ID_si) cannot pass the identity authentication. Since the identifier is stored in the chip of each sensor with tamper proof mechanism and it is encrypted for transmission, the confidential and integrity can be guaranteed. Only the authenticated sensors can participate in the wireless sensor network and get the session key for data encryption.

4.3.2. Security Connectivity

The security connectivity is defined as the probability that two nodes successfully establish a session key. Since authentication and key distribution in our proposal are cluster based, we define “inter-cluster connectivity” as the probability that a CH shares a pairwise key with the sensors in its cluster.

In our deterministic key distribution scheme, each authenticated sensor can always successfully share a session key with present cluster head. Compared with the probabilistic key distribution approaches in [15,16,25], the inter-cluster connectivity in our scheme is 100%. Those random schemes, like AP [15], can only achieve higher security connectivity by increasing the amount of key storage. Figure 5 depicts the secure connectivity versus key pool size in the AP. As the number of preloaded keys increases, the performance of the secure connectivity gradually improves. For fixed parameters [l, M], the security connectivity decreases significantly as the key pool increases.

Figure 5. Secure connectivity versus key pool size P.

Figure 5. Secure connectivity versus key pool size P.

4.3.3. Resistance to Attacks

The new scheme provides a set of session keys to secure data exchange between the base station and sensors. Our proposal based on session key and public key can effectively resist common network attacks.

Eavesdropping can be avoided using symmetric encryption as well as the key update mechanism proposed in this article. Spoofing attack is avoided in our scheme through mutual authentication based on public key encryption. Besides, the authenticity of sensors is achieved by challenge-response mechanism and the identity code preloaded before deployment.

Attacks like modification, reply and insertion can be resisted by symmetric encryption and message authentication code added to each message. Only those authenticated nodes can send or modify data packets on the network.

Attackers obtain the secret information by capturing nodes or other physical means. We define resilience against node capture as the probability F(x) that attackers obtain the key from uncaptured node according to a certain number of captured nodes x. So we get

$$F\left(x\right)=\frac{\mathrm{number}\mathrm{of}\mathrm{compromised}\mathrm{links}\mathrm{between}\mathrm{uncaptured}\mathrm{nodes}}{\mathrm{number}\mathrm{of}\mathrm{uncompromised}\mathrm{links}}$$

(8)

Resilience against sensor capture is evaluated firstly. Different from the random key predistribution schemes in [10,11,26], sensors only need to preload a public key in our approach, which saves memory of sensor node. Due to the periodical key update applied, it is too hard for attackers to get the constantly updated session key despite capturing a sensor physically in our proposal. Thus, the probability of resilience against node capture F(x_s)= 0, where x_s represents the number of captured sensor nodes. As shown in Figure 6, the resilience performance gets worse with the increasing number of captured nodes for random key predistribution schemes, because of the storage of a large number of session keys. Since the sensors store matrixes instead of keys, the resilience performance of Boujelben’s scheme [16] is better than the AP scheme [15]. Simulation results indicates that threat of sensor capture is perfectly eliminated by our scheme.

Figure 6. The probability of resilience against sensor capture in different schemes.

Figure 6. The probability of resilience against sensor capture in different schemes.

Finally, Table 2 presents several typical schemes of key management in WSN recent years. In our scheme, we provide a simple and feasible mutual authentication mechanism compared with [15,20,23]. Lee in [17] used an asymmetric encryption algorithm with more computation overhead than [20] and our proposal. Furthermore, our scheme outperforms other schemes in terms of resilience against node capture and resistant to eavesdropping.

Table 2. Comparisons of different key distribution solutions.

Table 2. Comparisons of different key distribution solutions.

Scheme features	Du [15]	Lee [17]	Benamar [20]	Erfani [23]	Our Scheme
Public key encryption	—	√	√	—	√
Key predistribution	√	ⅹ	√	√	√
Mobility of sensors	—	ⅹ	ⅹ	√	√
Perfect resilience against node capture	ⅹ	—	—	ⅹ	√
Mutual authentication	ⅹ	√	ⅹ	ⅹ	√
Resistant to eavesdropping attacks	—	—	√	√	√

—: Not involved.

5. Conclusions

References

1. Dludla, A.G.; Abu-Mahfouz, A.M.; Kruger, C.P.; Isaac, J.S. Wireless sensor networks testbed: ASNTbed. In Proceedings of the 2013 IEEE IST-Africa Conference and Exhibition (IST-Africa), Nairobi, Kenya, 29–31 May 2013; pp. 1–10. [Google Scholar]
2. Abu-Mahfouz, A.M.; Steyn, L.P.; Isaac, S.J.; Hancke, G.P. MultiLevel Infrastructure of Interconnected Testbeds of Large-Scale Wireless Sensor Networks (MI2T-WSN). In Proceedings of the International Conference on Wireless Networks (ICWN), Athens, Greece, 1–7 January 2012; p. 1. [Google Scholar]
3. Carman, D.W.; Kruus, P.S.; Matt, B. Constraints and approaches for distributed sensor network security (final); NAI Labs Technical Report; NAI Labs: MD, USA, 2000; pp. 1–139. [Google Scholar]
4. Ren, Y.; Leng, Y.; Qi, J.; Sharma, P.K.; Wang, J.; Almakhadmeh, Z.; Tolba, A. Multiple cloud storage mechanism based on blockchain in smart homes. Future Generation Computer Systems 2021, 115, 304–313. [Google Scholar] [CrossRef]
5. Xiong, J.; Zhao, M.; Bhuiyan, M.Z.A.; Chen, L.; Tian, Y. An AI-enabled three-party game framework for guaranteed data privacy in mobile edge crowdsensing of IoT. IEEE Transactions on Industrial Informatics 2021, 17, 922–933. [Google Scholar] [CrossRef]
6. Aysal, T.C.; Barner, K.E. Sensor data cryptography in wireless sensor networks. IEEE Transactions on Information Forensics and Security 2008, 3, 273–289. [Google Scholar] [CrossRef]
7. Giruka, V.C.; Singhal, M.; Royalty, J.; Varanasi, S. Security in wireless sensor networks. Wireless Communications and Mobile Computing 2008, 8, 1–24. [Google Scholar] [CrossRef]
8. Kundur, D.; Luh, W.; Okorafor, U.N.; Zourntos, T. Security and privacy for distributed multimedia sensor networks. Proceedings of the IEEE 2008, 96, 112–130. [Google Scholar] [CrossRef]
9. Wang, Y.; Attebury, G.; Ramamurthy, B. A survey of security issues in wireless sensor networks. IEEE Communications Surveys & Tutorials 2006, 8, 2–23. [Google Scholar]
10. Liu, G.; Yang, Q.; Wang, H. Trust assessment in online social networks. IEEE Transactions on Dependable and Secure Computing 2018, 2, 994–1007. [Google Scholar] [CrossRef]
11. Ge, C.; Susilo, W.; Baek, J.; Liu, Z.; Xia, J.; Fang, L. Revocable attribute-based encryption with data integrity in clouds. IEEE Transactions on Dependable and Secure Computing 2021, 21, 1. [Google Scholar] [CrossRef]
12. Ge, C.; Susilo, W.; Liu, Z.; Xia, J.; Szalachowski, P.; Liming, F. Secure keyword search and data sharing mechanism for cloud computing. IEEE Transactions on Dependable and Secure Computing 2020, 20, 1. [Google Scholar] [CrossRef]
13. Zheng, J.; Jamalipour, A. Wireless Sensor Networks: A Networking Perspective; a book published by A John & Sons, Inc, and IEEEE; 2009. [Google Scholar]
14. Singh, S.K.; Singh, M.P.; Singh, D.K. Routing Protocols in Wireless Sensor Networks – A Survey. International Journal of Computer Science & Engineering Survey 2010, 1. [Google Scholar]
15. Du, X.; Xiao, Y.; Guizani, M.; Chen, H.-H. An effective key management scheme for heterogeneous sensor networks. Ad Hoc Networks 2007, 5, 24–34. [Google Scholar] [CrossRef]
16. Boujelben, M.; Cheikhrouhou, O.; Abid, M.; Youssef, H. Establishing pairwise keys in heterogeneous two-tiered wireless sensor networks. In Proceedings of the 3rd International Conference on Sensor Technologies and Applications Athens, Athens, Greece; 2009; pp. 18–23. [Google Scholar]
17. Lee, S.; Kim, K. Key renewal scheme with sensor authentication under clustered wireless sensor networks. Electronics Letters 2015, 51, 368–369. [Google Scholar] [CrossRef]
18. Tian, Y.; Wang, Z.; Xiong, J.; Ma, J. A blockchain-based secure key management scheme with trustworthiness in DWSNs. IEEE Transactions on Industrial Informatics 2020, 16, 6193–6202. [Google Scholar] [CrossRef]
19. Gura, N.; Patel, A.; Wander, A.; Eberle, H.; Shantz, S.C. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In Proceedings of the Sixth Workshop on Cryptographic Hardware and Embedded Systems; 2004; pp. 119–132. [Google Scholar]
20. Benamar, K.; Mohammed, F.; Abdellah, M. Architecture aware key management scheme for wireless sensor networks. International Journal of Information Technology & Computer Science 2012, 4, 50–59. [Google Scholar]
21. Crossbow Technology Inc., Processor/Radio Modules, 2008. (http://www.xbow.com).
22. Chatterjee, U.; Chakraborty, R.S.; Mukhopadhyay, D. A PUF-based secure communication protocol for IoT. ACM Transactions on Embedded Computing Systems 2017, 16, 1–25. [Google Scholar] [CrossRef]
23. Erfani, S.H.; Javadi, H.H.S.; Rahmani, A.M. A dynamic key management scheme for dynamic wireless sensor networks. Security and Communication Networks 2015, 8, 1040–1049. [Google Scholar] [CrossRef]
24. Mohamed, Y.; Moustafa, Y.; Khaled, A. Energy-aware management for cluster-based sensor networks. Computer Networks 2003, 43, 649–668. [Google Scholar]
25. Eschenauer, L.; Gligor, V.D. A key management scheme for distributed sensor networks. In Proceedings of the ACM Conference on Computer and Communication Security, Washington, DC, USA, November 2002; pp. 41–47. [Google Scholar]
26. Chen, C.Y.; Chao, H.C. A survey of key distribution in wireless sensor networks. Security and Communication Networks 2014, 7. [Google Scholar] [CrossRef]
27. University of Southern California: “The network simulator – ns-2”. Available at http://www.isi.edu/nsnam/ns/, September 2005.