Research Article Secure and Lightweight Key Distribution...
Transcript of Research Article Secure and Lightweight Key Distribution...
Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2013 Article ID 608380 8 pageshttpdxdoiorg1011552013608380
Research ArticleSecure and Lightweight Key Distribution with ZigBee Pro forUbiquitous Sensor Networks
Kyung Choi1 Mihui Kim2 and Kijoon Chae1
1 Department of Computer Science and Engineering Ewha Womans University 52 Ewhayeodae-gil Seodaemun-guSeoul 120-750 Republic of Korea
2Department of Computer Engineering Hankyong National University 327 Chungang-no Anseong-siGyeonggi-do 456-749 Republic of Korea
Correspondence should be addressed to Kijoon Chae kjchaeewhaackr
Received 6 December 2012 Revised 19 June 2013 Accepted 19 June 2013
Academic Editor Carlos Ramos
Copyright copy 2013 Kyung Choi et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
We propose a secure and lightweight key distribution mechanism using ZigBee Pro for ubiquitous sensor networks ZigBeeconsumes low power and provides security in wireless sensor networks ZigBee Pro provides more security than ZigBee and offerstwo security modes standard security mode and high security mode Despite high security mode ZigBee Pro has weakness ofkey distribution We use enhanced ECDH for secure key distribution in high security mode Our simulation results show that theenergy consumption of our approach decreases and the average run time is decreased by 39 Moreover the proposed schemeenhances security that is confidentiality message authentication and integrity We also prove that the proposed key distributioncan resist man-in-the-middle attack and replay attack
1 Introduction
Various sensors in a sensor network technology are locatedwithin wiredwireless network infrastructures Spatially dis-tributed autonomous sensors monitor physical or environ-mental conditions such as temperature humidity soundvibration pressure and motion and pass their data throughthe wiredwireless network to a base station Sensor networktechnology has been utilized in monitoring military homeautomation and health care systems as well as agricultureand weather conditions
Sensors have limited memory and throughput capacityfor wireless sensor networks Therefore limitations of thesensor itself and the underlying vulnerability of wirelesscommunication with the sensors must be considered Inaddition sensed and transmitted data in each field are usuallyprivate information or important authentication informa-tion Thus security is to be applied in most cases For thisZigBee [1] provides a low power consumption and securitystandard-based protocol for applications on wireless sensornetworks ZigBee was developed to address the following
needs low cost security reliablility and self-healing flexibil-ity and extendibility low power consumption being easy andinexpensive to deploy being global with use of unlicensedradio bands integrating intelligence for network setup andmessage routing
ZigBee Pro [2] (the latest specification for ZigBee istermed ZigBee-2007) revolves around mesh networkingenhancing security ZigBee Pro [3] also supports a largenumber of interoperable standards including ZigBee healthcare ZigBee home automation ZigBee remote control Zig-Bee smart energy ZigBee telecom services ZigBee buildingautomation ZigBee input device ZigBee light link ZigBeenetwork devices and ZigBee retail servicesTheZigBee homeautomation profile [4] for a smart home allows consumersto save money be more environmentally aware feel moresecure and enjoy a variety of conveniences that make homeseasier and less expensive to maintain
However the enhanced keymanagementmechanism stillhas vulnerabilities in key distribution The ZigBee homeautomation profile has just been applied at the network levelAn enhanced mechanism is needed for this
2 International Journal of Distributed Sensor Networks
CertiCom [5] issues ZigBee Smart Energy certificates tomanufactures whose products are certified by the ZigBeeAlliance The ZigBee Smart Energy PKI uses Elliptic CurveQu Vanstone (ECQV) implicit certificates which serve asan identity certificate for each ZigBee Smart Energy deviceHowever it does not improve ZigBee Pro itself but uses PKIseparately
In this paper we apply the ECDH (Elliptic Curve Diffie-Hellman) [6] key distribution mechanism for ZigBee Provulnerabilities and propose amore efficient ECDHusing sub-MAC [7] that has message authentication and prevents man-in-the-middle attack and replay attack Our research exhibitsan enhanced key mechanism and message authentication inZigBee Pro for ubiquitous sensor networks
The rest of this paper is organized as follows Section 2presents related works Section 3 presents the proposedenhanced key distribution mechanisms Section 4 illustratessimulation environments and analyzes the simulation toevaluate the effectiveness of our scheme In Section 5 weanalyze our approach from the view point of security Finallywe conclude this paper in Section 6
2 Related Work
21 ZigBee Pro ZigBee Pro is a standard specified in ZigBee-2007 ZigBee Pro improves the security of the ZigBee 2006versionwith twonew securitymodes standard securitymodecompatible with the residential security of ZigBee-2006- andhigh security mode compatible with the commercial securityof ZigBee 2006
ZigBee security which is based on a 128 bit AES(Advanced Encryption Standard) [8] algorithm adds to thesecurity model provided by IEEE 802154 The securityservices of ZigBee include methods for key establishmentand transport device management and frame protectionsZigBee uses three types of keys to manage security MasterNetwork and Link
Master Keys are used as an initial shared secret betweentwo devices when they perform the key establishmentprocedure (SKKE) to generate Link Keys Keys that originatefrom the Trust Center are termed Trust Center Master Keyswhile all other keys are termed Application Layer MasterKeys Network Keys perform security for the Network Layeron a ZigBee network All devices on a ZigBee network sharethe same key High Security Network Keys must always besent encrypted over the air while Standard Security NetworkKeys can be sent either encrypted or unencrypted Link Keysas an optional key secure unicast messages between twodevices at the Application Layer Keys that originate from theTrust Center are termed Trust Center Link Keys while allother keys are termed Application Layer Link Keys Table 1summarizes the security keys
ZigBee Pro offers two different security modes (ieStandard and High) and features as shown in Table 2 [9]
In the standard security mode the list of devices MasterKeys Link Keys andNetwork Keys can bemaintained eitherby the Trust Center or by the devices themselves The TrustCenter is still responsible formaintaining a StandardNetwork
Table 1 Security keys
Layer Msg type CreationMasterKeys Application layer Unicast Key transport
PreinstallationNetworkKeys
ApplicationNetwork layer Broadcast Key transport
Preinstallation
LinkKeys Application layer Unicast
Key transportPreinstallation
Key establishment(using Master Key)
Table 2 Security modes
Feature Standard HighNetwork layer security provided using aNetwork Key or or
APS layer security provided using Link Keys or or
Centralized control and update of keys or or
Ability to switch from active to secondary keys or or
Ability to derive Link Keys between devices or
Entity authentication and permissions tablesupported or
Key it controls policies of network admittance In the highsecurity mode the Trust Center maintains a list of devicesMaster Keys Link Keys and Network Keys that it needs tocontrol and enforce the policies of Network Key updates andnetwork admittance
Unlike standard security mode high security modesupports the ability to derive Link Keys between devicesand entity authentication and permissions table supportedThe Master Keys and Network Keys are preinstalled ortransported Link Keys are used in key-establishment basedon a Master Key Unencrypted key transport will give rise toserious security vulnerability [10]
22 ECDH ECDH [6] is a key exchange algorithm the well-known Diffie Hellman [11] key agreement based on ECC(Elliptic Curve Cryptography) [12] ECDH is important inmodern protocols as a key exchange and can be adopted forECC Figure 1 shows the key exchange process
Consider two parties 119860 and 119861 willing to exchange acommon secret key Both have agreed to a common andpublicly known curve 119864 over a finite field as well as to a basepoint 119876 User 119860 randomly chooses 119896
119860 1 lt 119896 lt 2119876 and User
119861 accordingly 119896119861 1 lt 119896 lt 2119876 User 119860 computes a public
key 119876119860= 119896119860119876 User B does 119876
119861= 119896119861119876 User A sends 119876
119860
to User 119861 User 119861 sends 119876119861to User 119860 User 119860 computes the
shared secret key by 119875 = 119896119860119876119861and User B also by 119875 = 119896
119861119876119860
[13] An eavesdropper knows only119876119860and119876
119861but is unable to
compute the secret key from this However vulnerability ofECDH has no authentication [14] and no prevention of man-in-the-middle attack [15]
3 Proposed ZigBee Key Distribution
31 Standard Security Mode The transport-key commandsent from the Router to the Joiner shall not be secured in
International Journal of Distributed Sensor Networks 3
Preparation
User A User B
Publicly send
elliptic curve E base point Q
kA private keyQA
QA
= kAQ public keyP = kAkBQ secret key
kB private keyQB
QB
= kBQ public keyP = kAkBQ secret key
Figure 1 ECDH
standard security mode For this we apply ECDH for secureNetwork key generation and transmission and sub-MACmechanism for message authentication and integrity Weproved that our scheme could provide efficiency by achievinga similar run time and similar energy consumed in standardsecurity mode [16]
32 High Security Mode If the Trust Center does not alreadyshare a Master or Link Key with the newly joined deviceFigure 2 shows the high security mode authentication pro-cedure of ZigBee Pro
The Symmetric-Key Key Establishment (SKKE) protocolis a process in which an initiator device (Trust Center)establishes a Link Key with a responder device (Joiner) usingaMaster KeyThe next step is an entity authentication processbetween Router and Joiner
As in standard security mode Update-Device Commandand Secured Transport-Key Command are encrypted withMaster key but Transport-Key Command sent from theRouter to the Joiner is not secure This has a security issue
The MAC scheme is used for key confirmation in SKKEThe first 128 bits of keying data shall be a Mac Key and thesecond 128 bits shall be a Link Key during Mac Key gener-ation After SKKE the Network Key is securely transmittedusing the Master Key
We propose a procedure to ensure key secure distributionas shown in Figure 3
Trust Center rarr Joiner 119869 119886119876119873119878 sub-MAC(119886119876119873
119878 119869)
(i) 119869 Joinerrsquos 64-bit address(ii) 119886119876 Trust Center generates value for key(iii) 119873
119878 nonce value
(iv) Sub-MAC(119886119876119873119878 119869) sending message sub-MAC
When the Trust Center receives an APSME-UPDATE-DEVICErequest message the Trust Center generates an119886119876 for secure Master Key and nonce 119873
119878 and sends 119869
119886119876 119873119878 sub-MAC(119886119876 119873
119878 119869) to the Joiner The Joiner
generates sub-MAC(119886119876 119873119878 119869) to compare the transmitted
sub-MAC(119886119876119873119878 119869) If they match the Joiner confirms that
the transmitted message has not been modified Otherwisethe Joiner discards the transmitted message If the check issuccessful the Joiner computes 1198701015840 = 119886119887119876 and computes 119870using the Matyas-Meyer-Oseas (MMO) hash function [17]The 160-bit 1198701015840 becomes a 128 bit Network Key 119870
A sub-MAC [7] is constructed by selecting some bits ofan HMAC We reduce the overhead by transmitting onlya part of the actual HMAC rather than the entire HMAC
using sub-MAC Sub-MAC guarantees message integrity andauthentication Our research selects 8-bits of 16 bytes Weassume each node has the same PRNG (Pseudo RandomNumber Generator) [18]
Joiner rarr Trust Center TC 119887119876119873119878+1
sub-MAC(Master119870)
(i) TC Trust Centerrsquos 64-bit address(ii) 119887119876 Joiner generates value for key(iii) 119873
119878+1 add 1 to transmitted nonce
(iv) Sub-MAC(Master 119870) sub-MAC using Master Key
The Joiner sends 119887119876 119873119878+1
and sub-MAC(Master 119870) to theTrust Center the Trust Center computes 1198701015840 Master Key119870 = MMO(1198701015840) and then computes sub-MAC(119870) to checkmessage integrity and computation accuracy
Trust Center rarr Joiner 119864119870(119873119878+1
)
(i) 119864119870(119873119878+1
) encrypt119873119878+1
with Master Key
Next the generated Master Key encrypts 119873119878+1
and theresult 119864
119870(119873119878+1
) is sent to the Joiner to check messageintegrity and announce successful Master Key generationThe Joiner decrypts the 119864
119870(119873119878+1
) with the Master Key andchecks the 119873
119878+1to verify secure Master Key generation If
successful the Trust Center and the Joiner perform the nextstep SKKE to establish a Link Key
4 Simulation and Results
TheQualnet simulator was used to evaluate the performanceof the proposed scheme Our research uses Qualnet 45 [19]with sensor network libraries based on the ZigBee protocoland additional protocols
We composed one clustering network structures Theclusters were composed of 15 nodes Node 1 is a Joiner node16 is a Router and node 8 is a Trust Center
41 Efficiency Analysis of Enhanced Key Mechanism Wepropose an enhanced key distribution scheme using ECDHfor secure and lightweight key distribution and sub-MACto overcome the vulnerability of ECDH The simulation wasperformed ten times in each of the previous four procedureswith Trust Center Router and Joiner
First we performed the key generation in standard secu-rity mode and high security mode proposed key distributionin standard mode (Standard ECDH) and proposed keydistribution in high security mode (High ECDH) Figure 4shows the total run time measurements
The average run time of the standard security mode is05156 seconds and for proposed key distribution in standardmode (Standard ECDH) it is 05778 seconds the difference is00622 seconds When this value is compared to the averagerun time of standard security mode it adds 12 Howeverthe difference 00622 is slight in terms of the figure andcompared to the enhanced security
The average run time of high security mode is 1078 theaverage run time of proposed key distribution in high securitymode (High ECDH) is 06563 it decreases 04217 When this
4 International Journal of Distributed Sensor Networks
Trust center Router Joiner
Joined (unauthenticated)
Update-device command
Decision to accept new device
Secured transport-key command (Master Key)Unsecured transport-key command (Master Key)
EA initiator challengeEA responder challenge
EA initiator MAC and dataEA responder MAC and data
SKKE-1 command
SKKE-3 commandSKKE-2 command
SKKE-4 commandSecured transport-key command (NWK key)
Joined (authenticated)
Figure 2 High security mode authentication procedure
Trust center Router Joiner
Joined (unauthenticated)
Update-device command
Decision to accept new device
K998400= abQ masterK = MMO(K998400) subMAC check
SKKE-1 command
SKKE-3 command
SKKE-2 command
SKKE-4 command
Secured transport-key command (NWK key)
EA initiator challengeEA responder challenge
EA initiator MAC and dataEA responder MAC and data
Joined (authenticated)
J aQNS subMAC(aQ Ns J)
EK(NS+1)
K998400= abQK = MMO(K
998400) subMAC(K) check
TC bQNS+1 subMAC(master K)
Figure 3 Proposed key distribution in high security mode
International Journal of Distributed Sensor Networks 5
Standard ECDH High
05156 05778 1078 06563
0
02
04
06
08
1
12
Aver
age r
un ti
me (
s)
Standard High ECDH
Figure 4 Simulation result-run time
value is compared to the average run time of high securitymode it is decreased by 39 It also provides enhancedsecurity
Next we measured energy consumption in Joiner(Node 1) Router (Node 16) and Trust Center (Node 18)Figure 5 shows average energy consumption in transmitmode Figure 6 shows average energy consumption in receivemode The average energy consumption of each node fortransmit mode and receive mode is similar
Table 3 details the values When the proposed key distri-bution in security mode is compared to the standard securitymode it consumes more energy Especially the receive modeof the Trust Center (N18-R) shows the maximum difference0001447mJoule However the Trust Center has sufficientcapacity and energy so this difference is negligible Thesecond difference is 0001412mJoule in the receive mode ofthe Joiner (N1-R) The sensor node uses two AA alkaloidbatteries An AA alkaloid battery contains a maximum of3000mAh so the total energy is 6000mAh The formalvoltage of an AA battery assumes 15 volts The amount ofeletric power is 9Wh products of 6Ah and 15 V and this isconverted into 32400 J 3600X 9 (J) [20] The difference isslight compared to 32400 J
The energy consumption of the high security modeand proposed key distribution in high security mode(High ECDH) is similar The energy consumption of pro-posed key distribution in high security mode (High ECDH)decreases except for the transmit mode of the Joiner (N1-T)and the receive mode of the Router (N16-R) Moreover theproposed scheme enhances security
5 Security Analysis
In this section we analyze our enhanced key distributionfor ZigBee Pro that provides security properties and resistssome general attacks ZigBee Pro is vulnerable in the caseof key distribution in two security modes ECDH cannotprevent man-in-the-middle attack and does not provideauthentication However our proposed scheme overcomesthese vulnerabilities and enhances security Our schemecould resist man-in-the-middle attack replay attack and
00005
0010015002
0025003
0035004
0045005
0055
Node 1Node 16
Node 18
0000217
0049272
0000365
0000899
0050564
0000853
0000663
0050272
000091
0050224
0000909
Ener
gy co
nsum
ptio
n pe
r a n
ode
(mJo
ule)
Standard HighStandard ECDH High ECDH
00000 0002170 000365
0000899000085
0000663000
0
249272004920050564
00050564
00502720 05027200502244
0000666
Figure 5 Energy consumed in transmit mode
Standard High
0
0005
001
0015
002
0025
Node 1Node 16 Node 18
0020517
0000435
0020515
0021929
0001348
00219620021754
0001212
00216210021687
0001214
0021573En
ergy
cons
umpt
ion
per a
nod
e (m
Joul
e)
Standard ECDH High ECDH
Figure 6 Energy consumed in receive mode
Table 3 Energy consumption
STANDARD Stand ECDH High High ECDHN1-T 0000217 0000899 0000663 0000666N1-R 0020517 0021929 0021754 0021687N16-T 0049272 0050564 0050272 0050224N16-R 0000435 0001348 0001212 0001214N18-T 0000365 0000853 000091 0000909N18-R 0020515 0021962 0021621 0021573
ensure confidentiality of keys message authentication andmessage integrity [16]
We assume that an attacker does not know the sub-MACmethod Therefore even if the attacker knows the Joinerrsquosprivate key b heshe cannot make the sub-MAC messageIf the attacker tries to make the sub-MAC message theprobability of failure enhances because the attacker doesnot know how to create a sub-MAC message using MasterKey Additionally there is a public key infrastructure (PKI)
6 International Journal of Distributed Sensor Networks
system The Trust Center assures the private key 119887 using thereceived public key 119887119876 through a certificate authority (CA)
The security of a MAC scheme can be quantified in termsof the success probability achievable as a function of totalnumber of queries to forge the MAC [21] The security of a119894-byte MAC is quantified as 2(119894times8) because an intruder has a 1in 2(119894times8) chance in blindly forging the MAC To increase thesecurity of aMAC its size should be increased Increasing thesize of the MAC also increases the communication overhead[22] Our sub-MAC selects 8 bits of 128 bits Therefore thesecurity of the sub-MAC is 28 Hence the possibility that thefalse data are not detected by a sub-MAC is 128 (=00039)Moreover the communication overhead is reduced by 116(=00625) Consequently the size of the sub-MAC is directlyrelated to the strength of the security and the communicationoverhead A balance needs to be achieved between the desiredsecurity level and the transmission overhead [7]
51 BAN Analysis BAN logic (the Logic of Authenticationof Burrows Abadi and Needham) [23] is widely used andstudied in formal analysis due to its simplicity and efficiencyThe BAN logic is a model logic based on belief and can beused in the analysis and design of a cryptographic protocolThe use of a formal language in the analysis and designprocess can exclude faults and improve the security of theprotocol
511 Basic Notations The symbols 119860 119861 119875 and 119876 are prin-cipals involved in this sort of key agreement protocol 119870
119860119861
represents a good session key for communication between 119860and 119861 [24]
119875| equiv 119883 Principal 119875 believes 119883 119875 believes as if 119883 istrue119875 ⊲ 119883 119875 sees119883 119860 principal has sent 119875 a messagecontaining119883119875| sim 119883 Principal 119875 once said 119883 119875 at some time be-lieved119883 and sent it as part of a message119875 rArr 119883 Principal 119875 has jurisdiction over119883 Principal119875 has authority over119883 and is trusted in this matter(119883) The formula 119883 is fresh That is 119883 has not beensent in amessage at any time before the current run ofthe protocol Amessage that is created for the purposeof being fresh is called a nonce
119875119870
larrrarr 119876 119875 and 119876 may use a shared key 119870 tocommunicate The key is good and will always beknown only to 119875 and 119876 and to any other principaltrusted by either of them119883119870119883 is encrypted using key 119870
512 Inference Rules Message Meaning Rules for sharedkeys
119875 |equiv 119875119870
larrrarr 119876 119875 ⊲ 119883119870
119875 |equiv 119876 |sim 119883
(1)
If principal 119875 believes that key 119870 is shared only withprincipal 119876 and sees a message 119883 encrypted under a key 119870it believes only with principal 119876 119875 may conclude that it wasoriginally created by 119876 who once said its contentsJurisdiction Rule is as Follows
119875 |equiv 119875 997904rArr 119876 119875 |equiv 119876 |equiv 119883
119875 |equiv 119883
(2)
If119875 believes that119876 believes119883 and also believes that119876 hasjurisdiction over119883 then 119875 should believe119883 tooNonce Verification Rule is as Follows
119875 |equiv (119883) 119875 |equiv 119876 |sim 119883119875 |equiv 119876 |equiv 119883
(3)
If119875 believes that119883 is fresh and that119876 once said119883 then119875believes that 119876 has said119883 during the current run of protocoland hence that 119876 believes119883 at present In order to apply thisrule 119883 should not contain any encrypted text The nonceverification rule is the only way of ldquopromotingrdquo once saidassertion to actual belief
52 BAN Analysis of the Proposed Key Distribution
Initialization Hypothesis is as Follows
(1) Trust Center |equiv TC
(2) Trust Center |equiv Joiner |equiv 119869
(3) Trust Center |equiv JoinerrArr 119886119876
(4) Trust Center |equiv sub-MAC
(5) Joiner |equiv 119869
(6) Joiner |equiv Trust Center |equiv TC
(7) Joiner |equiv Trust CenterrArr 119887119876
(8) Joiner |equiv sub-MAC
Proposed Key Distribution Idealization
(1) Trust Center rarr Joiner 119869 119886119876119873119878 and sub-MAC(119886119876
119873119878 119869)
(2) Joiner rarr Trust Center TC 119887119876 119873119878+1
and sub-MAC(119870)
(3) Trust Center rarr Joiner 119864119870(119873119878+1
)
Goal
Trust Center |equiv Trust Center 119870larrrarr Joiner
Joiner |equiv Trust Center 119870larrrarr Joiner
Trust Center |equiv Joiner |equiv Trust Center 119870larrrarr Joiner
Joiner |equiv Trust Center |equiv Trust Center 119870larrrarr Joiner
International Journal of Distributed Sensor Networks 7
AnalysisThrough the proposed key distribution idealization(1) we can get
Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873
119878 119869) Joiner |equiv sub-MAC
Joiner |equiv 119869 119886119876119873119878
Joiner |equiv 119886119876Joiner |equiv 119870
(4)
Through the proposed key distribution idealization (2)we can get
Trust Center ⊲ TC 119887119876119873119878+1 (5)
The Trust Center computes 119870 and then sub-MAC(119870) asfollows
Trust Center ⊲ sub-MAC (119870) Trust Center |equiv sub-MACTrust Center |equiv 119870
Trust Center |equiv 119870Trust Center |equiv 119887119876Trust Center |equiv (119873
119878+1)
Trust Center |equiv 119870
Trust Center |equiv Trust Center 119870larrrarr Joiner
(6)
And then Trust Center |equiv Joiner |equiv Trust Center 119870larrrarrJoiner
Through the proposed key distribution idealization (3)we can get
Joiner ⊲ 119873119878+1119870
Joiner |equiv Truster Center 119870larrrarr Joiner (7)
And then Joiner |equiv Trust Center |equiv Trust Center 119870larrrarrJoiner
According to the formalization analysis we can get theconclusion that the proposed key distribution can resist man-in-the-middle-attack and replay attack
6 Conclusion
This work proposed an enhanced key distribution schemeusing ECDH and sub-MAC for efficiency and security Wehave applied ECDH for secure key distribution and improvedvulnerability of ECDH using sub-MAC and nonce formessage freshness and integrity
We compared ZigBee Pro to the proposed scheme Weproved that our scheme could provide efficiency by achievinga shorter run time and lower energy consuming in highsecurity mode Security analysis proved our scheme couldresist man-in-the-middle attack replay attack and provideconfidentiality message authentication and integrity Conse-quenly the proposed scheme provides lightweight and securekey distribution compared to ZigBee Pro We are going toexperiment our proposed scheme with ZigBee devices infuture work
Acknowledgments
The work was supported by Ewha Global Top 5 Grant 2011of Ewha Womans University and World Class UniversityProgram (R33-10085) throughNational Research Foundationof Korea funded by the Ministry of Education Science andTechnology It was also in part supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0014020)
References
[1] IEEE Std 802154-2003 ldquoWireless Medium Access Control andPhysical Layer Specifications for Low-Rate Wireless PersonalArea Networksrdquo IEEE 2003
[2] ZigBee Alliance ldquoZigBee-2007 Specificationrdquo January 2008[3] httpwwwzigbeeorgStandardsOverviewaspx[4] ZigBeeAlliance ldquoZigBeeHomeAutomation PublicApplication
Profilerdquo ZigBee Document 053520r26 February 2010 httpzigbeeorgStandardsZigBeeHomeAutomationdownloadaspx
[5] httpwwwcerticomcomindexphpdevice-authentication-servicesmart-energy-device-certificate-service
[6] Certicom ldquoStandards for Efficient Cryptography SEC 1 EllipticCurve Cryptographyrdquo Ver 10 September 2000 httpwwwsecgorgdownloadaid-385sec1 finalpdf
[7] H Cam N Challa and M Sikri ldquoSecure and efficient datatransmission over body sensor and wireless networksrdquo EurasipJournal onWireless Communications and Networking vol 2008Article ID 291365 18 pages 2008
[8] Advanced Encryption Standard FIPS 197 November 2001httpcsrcnistgovpublicationsfipsfips197fips-197pdf
[9] Daintree Networks Inc ldquoGetting Started with ZigBee and IEEE802154rdquo February 2008
[10] C Alcaraz and J Lopez ldquoA security analysis for wireless sensormesh networks in highly critical systemsrdquo IEEE Transactionson Systems Man and Cybernetics C vol 40 no 4 pp 419ndash4282010
[11] W Diffie and M E Hellman ldquoNew direction in cryptographyrdquoIEEE Transactions on Information Theory vol IT-22 no 6 pp644ndash654 1976
[12] N Koblitz ldquoElliptic curve cryptosystemsrdquo Mathematics ofComputation vol 48 no 177 1987
[13] E Blaszlig and M Zitterbart ldquoEfficient implementation of ellipticcurve cryptography for wireless sensor networksrdquo TeleMaticsTechnical Report 2005
[14] G DeMeulenaer F Gosset F-X Standaert andO Pereira ldquoOnthe energy cost of communication and cryptography in wirelesssensor networksrdquo in Proceedings of the 4th IEEE InternationalConference on Wireless and Mobile Computing Networking andCommunication (WiMob rsquo08) pp 580ndash585 October 2008
[15] T Chung and U Roedig ldquoDHB-KEY an efficient key distribu-tion scheme for wireless sensor networksrdquo in Proceedings of the5th IEEE International Conference onMobile Ad-Hoc and SensorSystems (MASS rsquo08) pp 840ndash846 October 2008
[16] K Choi M J Yoon M H Kim and K J Chae ldquoAn enhancedkey management using ZigBee Pro for wireless sensor net-worksrdquo in Proceedings of the 26th International Conference onInformation Networking (ICOIN rsquo12) Bali Indonesia February2012
8 International Journal of Distributed Sensor Networks
[17] A JMenezes P C vanOorschot and S AVanstoneHandbookof Applied Cryptography CRC Press 1996
[18] D Seetharam and S Rhee ldquoAn efficient pseudo randomnumbergenerator for low-power sensor networksrdquo in Proceedings of the29th Annual IEEE International Conference on Local ComputerNetworks (LCN rsquo04) pp 560ndash562 Tampa Fla USA November2004
[19] QualNet 4 5 Scalable Network Technologies Inc httpwwwscalable-networkscom
[20] K Choi M-H Kim K-J Chae J-J Park and S-S Joo ldquoAnefficient data fusion and assurance mechanism using temporaland spatial correlations for home automation networksrdquo IEEETransactions on Consumer Electronics vol 55 no 3 pp 1330ndash1336 2009
[21] P Gauravaram W Millan J G Nieto and E Dawson ldquo3C-Aprovably secure pseudorandom function and message authen-tication code a new mode of operation for cryptographic hashfunctionrdquo Cryptology ePrint Archive Rep 2005
[22] S Ozdemir and H Cam ldquoIntegration of false data detectionwith data aggregation and confidential transmission in wirelesssensor networksrdquo IEEEACM Transactions on Networking vol18 no 3 pp 736ndash749 2010
[23] M Burrows M Abadi and R Needham ldquoLogic of authentica-tionrdquo ACM Transactions on Computer Systems vol 8 no 1 pp18ndash36 1990
[24] S Yang andX Li ldquoA limitation of BAN logic analysis on anman-in-the-middle attackrdquo Journal of Information and ComputingScience vol 1 no 3 pp 131ndash138 2006
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
2 International Journal of Distributed Sensor Networks
CertiCom [5] issues ZigBee Smart Energy certificates tomanufactures whose products are certified by the ZigBeeAlliance The ZigBee Smart Energy PKI uses Elliptic CurveQu Vanstone (ECQV) implicit certificates which serve asan identity certificate for each ZigBee Smart Energy deviceHowever it does not improve ZigBee Pro itself but uses PKIseparately
In this paper we apply the ECDH (Elliptic Curve Diffie-Hellman) [6] key distribution mechanism for ZigBee Provulnerabilities and propose amore efficient ECDHusing sub-MAC [7] that has message authentication and prevents man-in-the-middle attack and replay attack Our research exhibitsan enhanced key mechanism and message authentication inZigBee Pro for ubiquitous sensor networks
The rest of this paper is organized as follows Section 2presents related works Section 3 presents the proposedenhanced key distribution mechanisms Section 4 illustratessimulation environments and analyzes the simulation toevaluate the effectiveness of our scheme In Section 5 weanalyze our approach from the view point of security Finallywe conclude this paper in Section 6
2 Related Work
21 ZigBee Pro ZigBee Pro is a standard specified in ZigBee-2007 ZigBee Pro improves the security of the ZigBee 2006versionwith twonew securitymodes standard securitymodecompatible with the residential security of ZigBee-2006- andhigh security mode compatible with the commercial securityof ZigBee 2006
ZigBee security which is based on a 128 bit AES(Advanced Encryption Standard) [8] algorithm adds to thesecurity model provided by IEEE 802154 The securityservices of ZigBee include methods for key establishmentand transport device management and frame protectionsZigBee uses three types of keys to manage security MasterNetwork and Link
Master Keys are used as an initial shared secret betweentwo devices when they perform the key establishmentprocedure (SKKE) to generate Link Keys Keys that originatefrom the Trust Center are termed Trust Center Master Keyswhile all other keys are termed Application Layer MasterKeys Network Keys perform security for the Network Layeron a ZigBee network All devices on a ZigBee network sharethe same key High Security Network Keys must always besent encrypted over the air while Standard Security NetworkKeys can be sent either encrypted or unencrypted Link Keysas an optional key secure unicast messages between twodevices at the Application Layer Keys that originate from theTrust Center are termed Trust Center Link Keys while allother keys are termed Application Layer Link Keys Table 1summarizes the security keys
ZigBee Pro offers two different security modes (ieStandard and High) and features as shown in Table 2 [9]
In the standard security mode the list of devices MasterKeys Link Keys andNetwork Keys can bemaintained eitherby the Trust Center or by the devices themselves The TrustCenter is still responsible formaintaining a StandardNetwork
Table 1 Security keys
Layer Msg type CreationMasterKeys Application layer Unicast Key transport
PreinstallationNetworkKeys
ApplicationNetwork layer Broadcast Key transport
Preinstallation
LinkKeys Application layer Unicast
Key transportPreinstallation
Key establishment(using Master Key)
Table 2 Security modes
Feature Standard HighNetwork layer security provided using aNetwork Key or or
APS layer security provided using Link Keys or or
Centralized control and update of keys or or
Ability to switch from active to secondary keys or or
Ability to derive Link Keys between devices or
Entity authentication and permissions tablesupported or
Key it controls policies of network admittance In the highsecurity mode the Trust Center maintains a list of devicesMaster Keys Link Keys and Network Keys that it needs tocontrol and enforce the policies of Network Key updates andnetwork admittance
Unlike standard security mode high security modesupports the ability to derive Link Keys between devicesand entity authentication and permissions table supportedThe Master Keys and Network Keys are preinstalled ortransported Link Keys are used in key-establishment basedon a Master Key Unencrypted key transport will give rise toserious security vulnerability [10]
22 ECDH ECDH [6] is a key exchange algorithm the well-known Diffie Hellman [11] key agreement based on ECC(Elliptic Curve Cryptography) [12] ECDH is important inmodern protocols as a key exchange and can be adopted forECC Figure 1 shows the key exchange process
Consider two parties 119860 and 119861 willing to exchange acommon secret key Both have agreed to a common andpublicly known curve 119864 over a finite field as well as to a basepoint 119876 User 119860 randomly chooses 119896
119860 1 lt 119896 lt 2119876 and User
119861 accordingly 119896119861 1 lt 119896 lt 2119876 User 119860 computes a public
key 119876119860= 119896119860119876 User B does 119876
119861= 119896119861119876 User A sends 119876
119860
to User 119861 User 119861 sends 119876119861to User 119860 User 119860 computes the
shared secret key by 119875 = 119896119860119876119861and User B also by 119875 = 119896
119861119876119860
[13] An eavesdropper knows only119876119860and119876
119861but is unable to
compute the secret key from this However vulnerability ofECDH has no authentication [14] and no prevention of man-in-the-middle attack [15]
3 Proposed ZigBee Key Distribution
31 Standard Security Mode The transport-key commandsent from the Router to the Joiner shall not be secured in
International Journal of Distributed Sensor Networks 3
Preparation
User A User B
Publicly send
elliptic curve E base point Q
kA private keyQA
QA
= kAQ public keyP = kAkBQ secret key
kB private keyQB
QB
= kBQ public keyP = kAkBQ secret key
Figure 1 ECDH
standard security mode For this we apply ECDH for secureNetwork key generation and transmission and sub-MACmechanism for message authentication and integrity Weproved that our scheme could provide efficiency by achievinga similar run time and similar energy consumed in standardsecurity mode [16]
32 High Security Mode If the Trust Center does not alreadyshare a Master or Link Key with the newly joined deviceFigure 2 shows the high security mode authentication pro-cedure of ZigBee Pro
The Symmetric-Key Key Establishment (SKKE) protocolis a process in which an initiator device (Trust Center)establishes a Link Key with a responder device (Joiner) usingaMaster KeyThe next step is an entity authentication processbetween Router and Joiner
As in standard security mode Update-Device Commandand Secured Transport-Key Command are encrypted withMaster key but Transport-Key Command sent from theRouter to the Joiner is not secure This has a security issue
The MAC scheme is used for key confirmation in SKKEThe first 128 bits of keying data shall be a Mac Key and thesecond 128 bits shall be a Link Key during Mac Key gener-ation After SKKE the Network Key is securely transmittedusing the Master Key
We propose a procedure to ensure key secure distributionas shown in Figure 3
Trust Center rarr Joiner 119869 119886119876119873119878 sub-MAC(119886119876119873
119878 119869)
(i) 119869 Joinerrsquos 64-bit address(ii) 119886119876 Trust Center generates value for key(iii) 119873
119878 nonce value
(iv) Sub-MAC(119886119876119873119878 119869) sending message sub-MAC
When the Trust Center receives an APSME-UPDATE-DEVICErequest message the Trust Center generates an119886119876 for secure Master Key and nonce 119873
119878 and sends 119869
119886119876 119873119878 sub-MAC(119886119876 119873
119878 119869) to the Joiner The Joiner
generates sub-MAC(119886119876 119873119878 119869) to compare the transmitted
sub-MAC(119886119876119873119878 119869) If they match the Joiner confirms that
the transmitted message has not been modified Otherwisethe Joiner discards the transmitted message If the check issuccessful the Joiner computes 1198701015840 = 119886119887119876 and computes 119870using the Matyas-Meyer-Oseas (MMO) hash function [17]The 160-bit 1198701015840 becomes a 128 bit Network Key 119870
A sub-MAC [7] is constructed by selecting some bits ofan HMAC We reduce the overhead by transmitting onlya part of the actual HMAC rather than the entire HMAC
using sub-MAC Sub-MAC guarantees message integrity andauthentication Our research selects 8-bits of 16 bytes Weassume each node has the same PRNG (Pseudo RandomNumber Generator) [18]
Joiner rarr Trust Center TC 119887119876119873119878+1
sub-MAC(Master119870)
(i) TC Trust Centerrsquos 64-bit address(ii) 119887119876 Joiner generates value for key(iii) 119873
119878+1 add 1 to transmitted nonce
(iv) Sub-MAC(Master 119870) sub-MAC using Master Key
The Joiner sends 119887119876 119873119878+1
and sub-MAC(Master 119870) to theTrust Center the Trust Center computes 1198701015840 Master Key119870 = MMO(1198701015840) and then computes sub-MAC(119870) to checkmessage integrity and computation accuracy
Trust Center rarr Joiner 119864119870(119873119878+1
)
(i) 119864119870(119873119878+1
) encrypt119873119878+1
with Master Key
Next the generated Master Key encrypts 119873119878+1
and theresult 119864
119870(119873119878+1
) is sent to the Joiner to check messageintegrity and announce successful Master Key generationThe Joiner decrypts the 119864
119870(119873119878+1
) with the Master Key andchecks the 119873
119878+1to verify secure Master Key generation If
successful the Trust Center and the Joiner perform the nextstep SKKE to establish a Link Key
4 Simulation and Results
TheQualnet simulator was used to evaluate the performanceof the proposed scheme Our research uses Qualnet 45 [19]with sensor network libraries based on the ZigBee protocoland additional protocols
We composed one clustering network structures Theclusters were composed of 15 nodes Node 1 is a Joiner node16 is a Router and node 8 is a Trust Center
41 Efficiency Analysis of Enhanced Key Mechanism Wepropose an enhanced key distribution scheme using ECDHfor secure and lightweight key distribution and sub-MACto overcome the vulnerability of ECDH The simulation wasperformed ten times in each of the previous four procedureswith Trust Center Router and Joiner
First we performed the key generation in standard secu-rity mode and high security mode proposed key distributionin standard mode (Standard ECDH) and proposed keydistribution in high security mode (High ECDH) Figure 4shows the total run time measurements
The average run time of the standard security mode is05156 seconds and for proposed key distribution in standardmode (Standard ECDH) it is 05778 seconds the difference is00622 seconds When this value is compared to the averagerun time of standard security mode it adds 12 Howeverthe difference 00622 is slight in terms of the figure andcompared to the enhanced security
The average run time of high security mode is 1078 theaverage run time of proposed key distribution in high securitymode (High ECDH) is 06563 it decreases 04217 When this
4 International Journal of Distributed Sensor Networks
Trust center Router Joiner
Joined (unauthenticated)
Update-device command
Decision to accept new device
Secured transport-key command (Master Key)Unsecured transport-key command (Master Key)
EA initiator challengeEA responder challenge
EA initiator MAC and dataEA responder MAC and data
SKKE-1 command
SKKE-3 commandSKKE-2 command
SKKE-4 commandSecured transport-key command (NWK key)
Joined (authenticated)
Figure 2 High security mode authentication procedure
Trust center Router Joiner
Joined (unauthenticated)
Update-device command
Decision to accept new device
K998400= abQ masterK = MMO(K998400) subMAC check
SKKE-1 command
SKKE-3 command
SKKE-2 command
SKKE-4 command
Secured transport-key command (NWK key)
EA initiator challengeEA responder challenge
EA initiator MAC and dataEA responder MAC and data
Joined (authenticated)
J aQNS subMAC(aQ Ns J)
EK(NS+1)
K998400= abQK = MMO(K
998400) subMAC(K) check
TC bQNS+1 subMAC(master K)
Figure 3 Proposed key distribution in high security mode
International Journal of Distributed Sensor Networks 5
Standard ECDH High
05156 05778 1078 06563
0
02
04
06
08
1
12
Aver
age r
un ti
me (
s)
Standard High ECDH
Figure 4 Simulation result-run time
value is compared to the average run time of high securitymode it is decreased by 39 It also provides enhancedsecurity
Next we measured energy consumption in Joiner(Node 1) Router (Node 16) and Trust Center (Node 18)Figure 5 shows average energy consumption in transmitmode Figure 6 shows average energy consumption in receivemode The average energy consumption of each node fortransmit mode and receive mode is similar
Table 3 details the values When the proposed key distri-bution in security mode is compared to the standard securitymode it consumes more energy Especially the receive modeof the Trust Center (N18-R) shows the maximum difference0001447mJoule However the Trust Center has sufficientcapacity and energy so this difference is negligible Thesecond difference is 0001412mJoule in the receive mode ofthe Joiner (N1-R) The sensor node uses two AA alkaloidbatteries An AA alkaloid battery contains a maximum of3000mAh so the total energy is 6000mAh The formalvoltage of an AA battery assumes 15 volts The amount ofeletric power is 9Wh products of 6Ah and 15 V and this isconverted into 32400 J 3600X 9 (J) [20] The difference isslight compared to 32400 J
The energy consumption of the high security modeand proposed key distribution in high security mode(High ECDH) is similar The energy consumption of pro-posed key distribution in high security mode (High ECDH)decreases except for the transmit mode of the Joiner (N1-T)and the receive mode of the Router (N16-R) Moreover theproposed scheme enhances security
5 Security Analysis
In this section we analyze our enhanced key distributionfor ZigBee Pro that provides security properties and resistssome general attacks ZigBee Pro is vulnerable in the caseof key distribution in two security modes ECDH cannotprevent man-in-the-middle attack and does not provideauthentication However our proposed scheme overcomesthese vulnerabilities and enhances security Our schemecould resist man-in-the-middle attack replay attack and
00005
0010015002
0025003
0035004
0045005
0055
Node 1Node 16
Node 18
0000217
0049272
0000365
0000899
0050564
0000853
0000663
0050272
000091
0050224
0000909
Ener
gy co
nsum
ptio
n pe
r a n
ode
(mJo
ule)
Standard HighStandard ECDH High ECDH
00000 0002170 000365
0000899000085
0000663000
0
249272004920050564
00050564
00502720 05027200502244
0000666
Figure 5 Energy consumed in transmit mode
Standard High
0
0005
001
0015
002
0025
Node 1Node 16 Node 18
0020517
0000435
0020515
0021929
0001348
00219620021754
0001212
00216210021687
0001214
0021573En
ergy
cons
umpt
ion
per a
nod
e (m
Joul
e)
Standard ECDH High ECDH
Figure 6 Energy consumed in receive mode
Table 3 Energy consumption
STANDARD Stand ECDH High High ECDHN1-T 0000217 0000899 0000663 0000666N1-R 0020517 0021929 0021754 0021687N16-T 0049272 0050564 0050272 0050224N16-R 0000435 0001348 0001212 0001214N18-T 0000365 0000853 000091 0000909N18-R 0020515 0021962 0021621 0021573
ensure confidentiality of keys message authentication andmessage integrity [16]
We assume that an attacker does not know the sub-MACmethod Therefore even if the attacker knows the Joinerrsquosprivate key b heshe cannot make the sub-MAC messageIf the attacker tries to make the sub-MAC message theprobability of failure enhances because the attacker doesnot know how to create a sub-MAC message using MasterKey Additionally there is a public key infrastructure (PKI)
6 International Journal of Distributed Sensor Networks
system The Trust Center assures the private key 119887 using thereceived public key 119887119876 through a certificate authority (CA)
The security of a MAC scheme can be quantified in termsof the success probability achievable as a function of totalnumber of queries to forge the MAC [21] The security of a119894-byte MAC is quantified as 2(119894times8) because an intruder has a 1in 2(119894times8) chance in blindly forging the MAC To increase thesecurity of aMAC its size should be increased Increasing thesize of the MAC also increases the communication overhead[22] Our sub-MAC selects 8 bits of 128 bits Therefore thesecurity of the sub-MAC is 28 Hence the possibility that thefalse data are not detected by a sub-MAC is 128 (=00039)Moreover the communication overhead is reduced by 116(=00625) Consequently the size of the sub-MAC is directlyrelated to the strength of the security and the communicationoverhead A balance needs to be achieved between the desiredsecurity level and the transmission overhead [7]
51 BAN Analysis BAN logic (the Logic of Authenticationof Burrows Abadi and Needham) [23] is widely used andstudied in formal analysis due to its simplicity and efficiencyThe BAN logic is a model logic based on belief and can beused in the analysis and design of a cryptographic protocolThe use of a formal language in the analysis and designprocess can exclude faults and improve the security of theprotocol
511 Basic Notations The symbols 119860 119861 119875 and 119876 are prin-cipals involved in this sort of key agreement protocol 119870
119860119861
represents a good session key for communication between 119860and 119861 [24]
119875| equiv 119883 Principal 119875 believes 119883 119875 believes as if 119883 istrue119875 ⊲ 119883 119875 sees119883 119860 principal has sent 119875 a messagecontaining119883119875| sim 119883 Principal 119875 once said 119883 119875 at some time be-lieved119883 and sent it as part of a message119875 rArr 119883 Principal 119875 has jurisdiction over119883 Principal119875 has authority over119883 and is trusted in this matter(119883) The formula 119883 is fresh That is 119883 has not beensent in amessage at any time before the current run ofthe protocol Amessage that is created for the purposeof being fresh is called a nonce
119875119870
larrrarr 119876 119875 and 119876 may use a shared key 119870 tocommunicate The key is good and will always beknown only to 119875 and 119876 and to any other principaltrusted by either of them119883119870119883 is encrypted using key 119870
512 Inference Rules Message Meaning Rules for sharedkeys
119875 |equiv 119875119870
larrrarr 119876 119875 ⊲ 119883119870
119875 |equiv 119876 |sim 119883
(1)
If principal 119875 believes that key 119870 is shared only withprincipal 119876 and sees a message 119883 encrypted under a key 119870it believes only with principal 119876 119875 may conclude that it wasoriginally created by 119876 who once said its contentsJurisdiction Rule is as Follows
119875 |equiv 119875 997904rArr 119876 119875 |equiv 119876 |equiv 119883
119875 |equiv 119883
(2)
If119875 believes that119876 believes119883 and also believes that119876 hasjurisdiction over119883 then 119875 should believe119883 tooNonce Verification Rule is as Follows
119875 |equiv (119883) 119875 |equiv 119876 |sim 119883119875 |equiv 119876 |equiv 119883
(3)
If119875 believes that119883 is fresh and that119876 once said119883 then119875believes that 119876 has said119883 during the current run of protocoland hence that 119876 believes119883 at present In order to apply thisrule 119883 should not contain any encrypted text The nonceverification rule is the only way of ldquopromotingrdquo once saidassertion to actual belief
52 BAN Analysis of the Proposed Key Distribution
Initialization Hypothesis is as Follows
(1) Trust Center |equiv TC
(2) Trust Center |equiv Joiner |equiv 119869
(3) Trust Center |equiv JoinerrArr 119886119876
(4) Trust Center |equiv sub-MAC
(5) Joiner |equiv 119869
(6) Joiner |equiv Trust Center |equiv TC
(7) Joiner |equiv Trust CenterrArr 119887119876
(8) Joiner |equiv sub-MAC
Proposed Key Distribution Idealization
(1) Trust Center rarr Joiner 119869 119886119876119873119878 and sub-MAC(119886119876
119873119878 119869)
(2) Joiner rarr Trust Center TC 119887119876 119873119878+1
and sub-MAC(119870)
(3) Trust Center rarr Joiner 119864119870(119873119878+1
)
Goal
Trust Center |equiv Trust Center 119870larrrarr Joiner
Joiner |equiv Trust Center 119870larrrarr Joiner
Trust Center |equiv Joiner |equiv Trust Center 119870larrrarr Joiner
Joiner |equiv Trust Center |equiv Trust Center 119870larrrarr Joiner
International Journal of Distributed Sensor Networks 7
AnalysisThrough the proposed key distribution idealization(1) we can get
Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873
119878 119869) Joiner |equiv sub-MAC
Joiner |equiv 119869 119886119876119873119878
Joiner |equiv 119886119876Joiner |equiv 119870
(4)
Through the proposed key distribution idealization (2)we can get
Trust Center ⊲ TC 119887119876119873119878+1 (5)
The Trust Center computes 119870 and then sub-MAC(119870) asfollows
Trust Center ⊲ sub-MAC (119870) Trust Center |equiv sub-MACTrust Center |equiv 119870
Trust Center |equiv 119870Trust Center |equiv 119887119876Trust Center |equiv (119873
119878+1)
Trust Center |equiv 119870
Trust Center |equiv Trust Center 119870larrrarr Joiner
(6)
And then Trust Center |equiv Joiner |equiv Trust Center 119870larrrarrJoiner
Through the proposed key distribution idealization (3)we can get
Joiner ⊲ 119873119878+1119870
Joiner |equiv Truster Center 119870larrrarr Joiner (7)
And then Joiner |equiv Trust Center |equiv Trust Center 119870larrrarrJoiner
According to the formalization analysis we can get theconclusion that the proposed key distribution can resist man-in-the-middle-attack and replay attack
6 Conclusion
This work proposed an enhanced key distribution schemeusing ECDH and sub-MAC for efficiency and security Wehave applied ECDH for secure key distribution and improvedvulnerability of ECDH using sub-MAC and nonce formessage freshness and integrity
We compared ZigBee Pro to the proposed scheme Weproved that our scheme could provide efficiency by achievinga shorter run time and lower energy consuming in highsecurity mode Security analysis proved our scheme couldresist man-in-the-middle attack replay attack and provideconfidentiality message authentication and integrity Conse-quenly the proposed scheme provides lightweight and securekey distribution compared to ZigBee Pro We are going toexperiment our proposed scheme with ZigBee devices infuture work
Acknowledgments
The work was supported by Ewha Global Top 5 Grant 2011of Ewha Womans University and World Class UniversityProgram (R33-10085) throughNational Research Foundationof Korea funded by the Ministry of Education Science andTechnology It was also in part supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0014020)
References
[1] IEEE Std 802154-2003 ldquoWireless Medium Access Control andPhysical Layer Specifications for Low-Rate Wireless PersonalArea Networksrdquo IEEE 2003
[2] ZigBee Alliance ldquoZigBee-2007 Specificationrdquo January 2008[3] httpwwwzigbeeorgStandardsOverviewaspx[4] ZigBeeAlliance ldquoZigBeeHomeAutomation PublicApplication
Profilerdquo ZigBee Document 053520r26 February 2010 httpzigbeeorgStandardsZigBeeHomeAutomationdownloadaspx
[5] httpwwwcerticomcomindexphpdevice-authentication-servicesmart-energy-device-certificate-service
[6] Certicom ldquoStandards for Efficient Cryptography SEC 1 EllipticCurve Cryptographyrdquo Ver 10 September 2000 httpwwwsecgorgdownloadaid-385sec1 finalpdf
[7] H Cam N Challa and M Sikri ldquoSecure and efficient datatransmission over body sensor and wireless networksrdquo EurasipJournal onWireless Communications and Networking vol 2008Article ID 291365 18 pages 2008
[8] Advanced Encryption Standard FIPS 197 November 2001httpcsrcnistgovpublicationsfipsfips197fips-197pdf
[9] Daintree Networks Inc ldquoGetting Started with ZigBee and IEEE802154rdquo February 2008
[10] C Alcaraz and J Lopez ldquoA security analysis for wireless sensormesh networks in highly critical systemsrdquo IEEE Transactionson Systems Man and Cybernetics C vol 40 no 4 pp 419ndash4282010
[11] W Diffie and M E Hellman ldquoNew direction in cryptographyrdquoIEEE Transactions on Information Theory vol IT-22 no 6 pp644ndash654 1976
[12] N Koblitz ldquoElliptic curve cryptosystemsrdquo Mathematics ofComputation vol 48 no 177 1987
[13] E Blaszlig and M Zitterbart ldquoEfficient implementation of ellipticcurve cryptography for wireless sensor networksrdquo TeleMaticsTechnical Report 2005
[14] G DeMeulenaer F Gosset F-X Standaert andO Pereira ldquoOnthe energy cost of communication and cryptography in wirelesssensor networksrdquo in Proceedings of the 4th IEEE InternationalConference on Wireless and Mobile Computing Networking andCommunication (WiMob rsquo08) pp 580ndash585 October 2008
[15] T Chung and U Roedig ldquoDHB-KEY an efficient key distribu-tion scheme for wireless sensor networksrdquo in Proceedings of the5th IEEE International Conference onMobile Ad-Hoc and SensorSystems (MASS rsquo08) pp 840ndash846 October 2008
[16] K Choi M J Yoon M H Kim and K J Chae ldquoAn enhancedkey management using ZigBee Pro for wireless sensor net-worksrdquo in Proceedings of the 26th International Conference onInformation Networking (ICOIN rsquo12) Bali Indonesia February2012
8 International Journal of Distributed Sensor Networks
[17] A JMenezes P C vanOorschot and S AVanstoneHandbookof Applied Cryptography CRC Press 1996
[18] D Seetharam and S Rhee ldquoAn efficient pseudo randomnumbergenerator for low-power sensor networksrdquo in Proceedings of the29th Annual IEEE International Conference on Local ComputerNetworks (LCN rsquo04) pp 560ndash562 Tampa Fla USA November2004
[19] QualNet 4 5 Scalable Network Technologies Inc httpwwwscalable-networkscom
[20] K Choi M-H Kim K-J Chae J-J Park and S-S Joo ldquoAnefficient data fusion and assurance mechanism using temporaland spatial correlations for home automation networksrdquo IEEETransactions on Consumer Electronics vol 55 no 3 pp 1330ndash1336 2009
[21] P Gauravaram W Millan J G Nieto and E Dawson ldquo3C-Aprovably secure pseudorandom function and message authen-tication code a new mode of operation for cryptographic hashfunctionrdquo Cryptology ePrint Archive Rep 2005
[22] S Ozdemir and H Cam ldquoIntegration of false data detectionwith data aggregation and confidential transmission in wirelesssensor networksrdquo IEEEACM Transactions on Networking vol18 no 3 pp 736ndash749 2010
[23] M Burrows M Abadi and R Needham ldquoLogic of authentica-tionrdquo ACM Transactions on Computer Systems vol 8 no 1 pp18ndash36 1990
[24] S Yang andX Li ldquoA limitation of BAN logic analysis on anman-in-the-middle attackrdquo Journal of Information and ComputingScience vol 1 no 3 pp 131ndash138 2006
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 3
Preparation
User A User B
Publicly send
elliptic curve E base point Q
kA private keyQA
QA
= kAQ public keyP = kAkBQ secret key
kB private keyQB
QB
= kBQ public keyP = kAkBQ secret key
Figure 1 ECDH
standard security mode For this we apply ECDH for secureNetwork key generation and transmission and sub-MACmechanism for message authentication and integrity Weproved that our scheme could provide efficiency by achievinga similar run time and similar energy consumed in standardsecurity mode [16]
32 High Security Mode If the Trust Center does not alreadyshare a Master or Link Key with the newly joined deviceFigure 2 shows the high security mode authentication pro-cedure of ZigBee Pro
The Symmetric-Key Key Establishment (SKKE) protocolis a process in which an initiator device (Trust Center)establishes a Link Key with a responder device (Joiner) usingaMaster KeyThe next step is an entity authentication processbetween Router and Joiner
As in standard security mode Update-Device Commandand Secured Transport-Key Command are encrypted withMaster key but Transport-Key Command sent from theRouter to the Joiner is not secure This has a security issue
The MAC scheme is used for key confirmation in SKKEThe first 128 bits of keying data shall be a Mac Key and thesecond 128 bits shall be a Link Key during Mac Key gener-ation After SKKE the Network Key is securely transmittedusing the Master Key
We propose a procedure to ensure key secure distributionas shown in Figure 3
Trust Center rarr Joiner 119869 119886119876119873119878 sub-MAC(119886119876119873
119878 119869)
(i) 119869 Joinerrsquos 64-bit address(ii) 119886119876 Trust Center generates value for key(iii) 119873
119878 nonce value
(iv) Sub-MAC(119886119876119873119878 119869) sending message sub-MAC
When the Trust Center receives an APSME-UPDATE-DEVICErequest message the Trust Center generates an119886119876 for secure Master Key and nonce 119873
119878 and sends 119869
119886119876 119873119878 sub-MAC(119886119876 119873
119878 119869) to the Joiner The Joiner
generates sub-MAC(119886119876 119873119878 119869) to compare the transmitted
sub-MAC(119886119876119873119878 119869) If they match the Joiner confirms that
the transmitted message has not been modified Otherwisethe Joiner discards the transmitted message If the check issuccessful the Joiner computes 1198701015840 = 119886119887119876 and computes 119870using the Matyas-Meyer-Oseas (MMO) hash function [17]The 160-bit 1198701015840 becomes a 128 bit Network Key 119870
A sub-MAC [7] is constructed by selecting some bits ofan HMAC We reduce the overhead by transmitting onlya part of the actual HMAC rather than the entire HMAC
using sub-MAC Sub-MAC guarantees message integrity andauthentication Our research selects 8-bits of 16 bytes Weassume each node has the same PRNG (Pseudo RandomNumber Generator) [18]
Joiner rarr Trust Center TC 119887119876119873119878+1
sub-MAC(Master119870)
(i) TC Trust Centerrsquos 64-bit address(ii) 119887119876 Joiner generates value for key(iii) 119873
119878+1 add 1 to transmitted nonce
(iv) Sub-MAC(Master 119870) sub-MAC using Master Key
The Joiner sends 119887119876 119873119878+1
and sub-MAC(Master 119870) to theTrust Center the Trust Center computes 1198701015840 Master Key119870 = MMO(1198701015840) and then computes sub-MAC(119870) to checkmessage integrity and computation accuracy
Trust Center rarr Joiner 119864119870(119873119878+1
)
(i) 119864119870(119873119878+1
) encrypt119873119878+1
with Master Key
Next the generated Master Key encrypts 119873119878+1
and theresult 119864
119870(119873119878+1
) is sent to the Joiner to check messageintegrity and announce successful Master Key generationThe Joiner decrypts the 119864
119870(119873119878+1
) with the Master Key andchecks the 119873
119878+1to verify secure Master Key generation If
successful the Trust Center and the Joiner perform the nextstep SKKE to establish a Link Key
4 Simulation and Results
TheQualnet simulator was used to evaluate the performanceof the proposed scheme Our research uses Qualnet 45 [19]with sensor network libraries based on the ZigBee protocoland additional protocols
We composed one clustering network structures Theclusters were composed of 15 nodes Node 1 is a Joiner node16 is a Router and node 8 is a Trust Center
41 Efficiency Analysis of Enhanced Key Mechanism Wepropose an enhanced key distribution scheme using ECDHfor secure and lightweight key distribution and sub-MACto overcome the vulnerability of ECDH The simulation wasperformed ten times in each of the previous four procedureswith Trust Center Router and Joiner
First we performed the key generation in standard secu-rity mode and high security mode proposed key distributionin standard mode (Standard ECDH) and proposed keydistribution in high security mode (High ECDH) Figure 4shows the total run time measurements
The average run time of the standard security mode is05156 seconds and for proposed key distribution in standardmode (Standard ECDH) it is 05778 seconds the difference is00622 seconds When this value is compared to the averagerun time of standard security mode it adds 12 Howeverthe difference 00622 is slight in terms of the figure andcompared to the enhanced security
The average run time of high security mode is 1078 theaverage run time of proposed key distribution in high securitymode (High ECDH) is 06563 it decreases 04217 When this
4 International Journal of Distributed Sensor Networks
Trust center Router Joiner
Joined (unauthenticated)
Update-device command
Decision to accept new device
Secured transport-key command (Master Key)Unsecured transport-key command (Master Key)
EA initiator challengeEA responder challenge
EA initiator MAC and dataEA responder MAC and data
SKKE-1 command
SKKE-3 commandSKKE-2 command
SKKE-4 commandSecured transport-key command (NWK key)
Joined (authenticated)
Figure 2 High security mode authentication procedure
Trust center Router Joiner
Joined (unauthenticated)
Update-device command
Decision to accept new device
K998400= abQ masterK = MMO(K998400) subMAC check
SKKE-1 command
SKKE-3 command
SKKE-2 command
SKKE-4 command
Secured transport-key command (NWK key)
EA initiator challengeEA responder challenge
EA initiator MAC and dataEA responder MAC and data
Joined (authenticated)
J aQNS subMAC(aQ Ns J)
EK(NS+1)
K998400= abQK = MMO(K
998400) subMAC(K) check
TC bQNS+1 subMAC(master K)
Figure 3 Proposed key distribution in high security mode
International Journal of Distributed Sensor Networks 5
Standard ECDH High
05156 05778 1078 06563
0
02
04
06
08
1
12
Aver
age r
un ti
me (
s)
Standard High ECDH
Figure 4 Simulation result-run time
value is compared to the average run time of high securitymode it is decreased by 39 It also provides enhancedsecurity
Next we measured energy consumption in Joiner(Node 1) Router (Node 16) and Trust Center (Node 18)Figure 5 shows average energy consumption in transmitmode Figure 6 shows average energy consumption in receivemode The average energy consumption of each node fortransmit mode and receive mode is similar
Table 3 details the values When the proposed key distri-bution in security mode is compared to the standard securitymode it consumes more energy Especially the receive modeof the Trust Center (N18-R) shows the maximum difference0001447mJoule However the Trust Center has sufficientcapacity and energy so this difference is negligible Thesecond difference is 0001412mJoule in the receive mode ofthe Joiner (N1-R) The sensor node uses two AA alkaloidbatteries An AA alkaloid battery contains a maximum of3000mAh so the total energy is 6000mAh The formalvoltage of an AA battery assumes 15 volts The amount ofeletric power is 9Wh products of 6Ah and 15 V and this isconverted into 32400 J 3600X 9 (J) [20] The difference isslight compared to 32400 J
The energy consumption of the high security modeand proposed key distribution in high security mode(High ECDH) is similar The energy consumption of pro-posed key distribution in high security mode (High ECDH)decreases except for the transmit mode of the Joiner (N1-T)and the receive mode of the Router (N16-R) Moreover theproposed scheme enhances security
5 Security Analysis
In this section we analyze our enhanced key distributionfor ZigBee Pro that provides security properties and resistssome general attacks ZigBee Pro is vulnerable in the caseof key distribution in two security modes ECDH cannotprevent man-in-the-middle attack and does not provideauthentication However our proposed scheme overcomesthese vulnerabilities and enhances security Our schemecould resist man-in-the-middle attack replay attack and
00005
0010015002
0025003
0035004
0045005
0055
Node 1Node 16
Node 18
0000217
0049272
0000365
0000899
0050564
0000853
0000663
0050272
000091
0050224
0000909
Ener
gy co
nsum
ptio
n pe
r a n
ode
(mJo
ule)
Standard HighStandard ECDH High ECDH
00000 0002170 000365
0000899000085
0000663000
0
249272004920050564
00050564
00502720 05027200502244
0000666
Figure 5 Energy consumed in transmit mode
Standard High
0
0005
001
0015
002
0025
Node 1Node 16 Node 18
0020517
0000435
0020515
0021929
0001348
00219620021754
0001212
00216210021687
0001214
0021573En
ergy
cons
umpt
ion
per a
nod
e (m
Joul
e)
Standard ECDH High ECDH
Figure 6 Energy consumed in receive mode
Table 3 Energy consumption
STANDARD Stand ECDH High High ECDHN1-T 0000217 0000899 0000663 0000666N1-R 0020517 0021929 0021754 0021687N16-T 0049272 0050564 0050272 0050224N16-R 0000435 0001348 0001212 0001214N18-T 0000365 0000853 000091 0000909N18-R 0020515 0021962 0021621 0021573
ensure confidentiality of keys message authentication andmessage integrity [16]
We assume that an attacker does not know the sub-MACmethod Therefore even if the attacker knows the Joinerrsquosprivate key b heshe cannot make the sub-MAC messageIf the attacker tries to make the sub-MAC message theprobability of failure enhances because the attacker doesnot know how to create a sub-MAC message using MasterKey Additionally there is a public key infrastructure (PKI)
6 International Journal of Distributed Sensor Networks
system The Trust Center assures the private key 119887 using thereceived public key 119887119876 through a certificate authority (CA)
The security of a MAC scheme can be quantified in termsof the success probability achievable as a function of totalnumber of queries to forge the MAC [21] The security of a119894-byte MAC is quantified as 2(119894times8) because an intruder has a 1in 2(119894times8) chance in blindly forging the MAC To increase thesecurity of aMAC its size should be increased Increasing thesize of the MAC also increases the communication overhead[22] Our sub-MAC selects 8 bits of 128 bits Therefore thesecurity of the sub-MAC is 28 Hence the possibility that thefalse data are not detected by a sub-MAC is 128 (=00039)Moreover the communication overhead is reduced by 116(=00625) Consequently the size of the sub-MAC is directlyrelated to the strength of the security and the communicationoverhead A balance needs to be achieved between the desiredsecurity level and the transmission overhead [7]
51 BAN Analysis BAN logic (the Logic of Authenticationof Burrows Abadi and Needham) [23] is widely used andstudied in formal analysis due to its simplicity and efficiencyThe BAN logic is a model logic based on belief and can beused in the analysis and design of a cryptographic protocolThe use of a formal language in the analysis and designprocess can exclude faults and improve the security of theprotocol
511 Basic Notations The symbols 119860 119861 119875 and 119876 are prin-cipals involved in this sort of key agreement protocol 119870
119860119861
represents a good session key for communication between 119860and 119861 [24]
119875| equiv 119883 Principal 119875 believes 119883 119875 believes as if 119883 istrue119875 ⊲ 119883 119875 sees119883 119860 principal has sent 119875 a messagecontaining119883119875| sim 119883 Principal 119875 once said 119883 119875 at some time be-lieved119883 and sent it as part of a message119875 rArr 119883 Principal 119875 has jurisdiction over119883 Principal119875 has authority over119883 and is trusted in this matter(119883) The formula 119883 is fresh That is 119883 has not beensent in amessage at any time before the current run ofthe protocol Amessage that is created for the purposeof being fresh is called a nonce
119875119870
larrrarr 119876 119875 and 119876 may use a shared key 119870 tocommunicate The key is good and will always beknown only to 119875 and 119876 and to any other principaltrusted by either of them119883119870119883 is encrypted using key 119870
512 Inference Rules Message Meaning Rules for sharedkeys
119875 |equiv 119875119870
larrrarr 119876 119875 ⊲ 119883119870
119875 |equiv 119876 |sim 119883
(1)
If principal 119875 believes that key 119870 is shared only withprincipal 119876 and sees a message 119883 encrypted under a key 119870it believes only with principal 119876 119875 may conclude that it wasoriginally created by 119876 who once said its contentsJurisdiction Rule is as Follows
119875 |equiv 119875 997904rArr 119876 119875 |equiv 119876 |equiv 119883
119875 |equiv 119883
(2)
If119875 believes that119876 believes119883 and also believes that119876 hasjurisdiction over119883 then 119875 should believe119883 tooNonce Verification Rule is as Follows
119875 |equiv (119883) 119875 |equiv 119876 |sim 119883119875 |equiv 119876 |equiv 119883
(3)
If119875 believes that119883 is fresh and that119876 once said119883 then119875believes that 119876 has said119883 during the current run of protocoland hence that 119876 believes119883 at present In order to apply thisrule 119883 should not contain any encrypted text The nonceverification rule is the only way of ldquopromotingrdquo once saidassertion to actual belief
52 BAN Analysis of the Proposed Key Distribution
Initialization Hypothesis is as Follows
(1) Trust Center |equiv TC
(2) Trust Center |equiv Joiner |equiv 119869
(3) Trust Center |equiv JoinerrArr 119886119876
(4) Trust Center |equiv sub-MAC
(5) Joiner |equiv 119869
(6) Joiner |equiv Trust Center |equiv TC
(7) Joiner |equiv Trust CenterrArr 119887119876
(8) Joiner |equiv sub-MAC
Proposed Key Distribution Idealization
(1) Trust Center rarr Joiner 119869 119886119876119873119878 and sub-MAC(119886119876
119873119878 119869)
(2) Joiner rarr Trust Center TC 119887119876 119873119878+1
and sub-MAC(119870)
(3) Trust Center rarr Joiner 119864119870(119873119878+1
)
Goal
Trust Center |equiv Trust Center 119870larrrarr Joiner
Joiner |equiv Trust Center 119870larrrarr Joiner
Trust Center |equiv Joiner |equiv Trust Center 119870larrrarr Joiner
Joiner |equiv Trust Center |equiv Trust Center 119870larrrarr Joiner
International Journal of Distributed Sensor Networks 7
AnalysisThrough the proposed key distribution idealization(1) we can get
Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873
119878 119869) Joiner |equiv sub-MAC
Joiner |equiv 119869 119886119876119873119878
Joiner |equiv 119886119876Joiner |equiv 119870
(4)
Through the proposed key distribution idealization (2)we can get
Trust Center ⊲ TC 119887119876119873119878+1 (5)
The Trust Center computes 119870 and then sub-MAC(119870) asfollows
Trust Center ⊲ sub-MAC (119870) Trust Center |equiv sub-MACTrust Center |equiv 119870
Trust Center |equiv 119870Trust Center |equiv 119887119876Trust Center |equiv (119873
119878+1)
Trust Center |equiv 119870
Trust Center |equiv Trust Center 119870larrrarr Joiner
(6)
And then Trust Center |equiv Joiner |equiv Trust Center 119870larrrarrJoiner
Through the proposed key distribution idealization (3)we can get
Joiner ⊲ 119873119878+1119870
Joiner |equiv Truster Center 119870larrrarr Joiner (7)
And then Joiner |equiv Trust Center |equiv Trust Center 119870larrrarrJoiner
According to the formalization analysis we can get theconclusion that the proposed key distribution can resist man-in-the-middle-attack and replay attack
6 Conclusion
This work proposed an enhanced key distribution schemeusing ECDH and sub-MAC for efficiency and security Wehave applied ECDH for secure key distribution and improvedvulnerability of ECDH using sub-MAC and nonce formessage freshness and integrity
We compared ZigBee Pro to the proposed scheme Weproved that our scheme could provide efficiency by achievinga shorter run time and lower energy consuming in highsecurity mode Security analysis proved our scheme couldresist man-in-the-middle attack replay attack and provideconfidentiality message authentication and integrity Conse-quenly the proposed scheme provides lightweight and securekey distribution compared to ZigBee Pro We are going toexperiment our proposed scheme with ZigBee devices infuture work
Acknowledgments
The work was supported by Ewha Global Top 5 Grant 2011of Ewha Womans University and World Class UniversityProgram (R33-10085) throughNational Research Foundationof Korea funded by the Ministry of Education Science andTechnology It was also in part supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0014020)
References
[1] IEEE Std 802154-2003 ldquoWireless Medium Access Control andPhysical Layer Specifications for Low-Rate Wireless PersonalArea Networksrdquo IEEE 2003
[2] ZigBee Alliance ldquoZigBee-2007 Specificationrdquo January 2008[3] httpwwwzigbeeorgStandardsOverviewaspx[4] ZigBeeAlliance ldquoZigBeeHomeAutomation PublicApplication
Profilerdquo ZigBee Document 053520r26 February 2010 httpzigbeeorgStandardsZigBeeHomeAutomationdownloadaspx
[5] httpwwwcerticomcomindexphpdevice-authentication-servicesmart-energy-device-certificate-service
[6] Certicom ldquoStandards for Efficient Cryptography SEC 1 EllipticCurve Cryptographyrdquo Ver 10 September 2000 httpwwwsecgorgdownloadaid-385sec1 finalpdf
[7] H Cam N Challa and M Sikri ldquoSecure and efficient datatransmission over body sensor and wireless networksrdquo EurasipJournal onWireless Communications and Networking vol 2008Article ID 291365 18 pages 2008
[8] Advanced Encryption Standard FIPS 197 November 2001httpcsrcnistgovpublicationsfipsfips197fips-197pdf
[9] Daintree Networks Inc ldquoGetting Started with ZigBee and IEEE802154rdquo February 2008
[10] C Alcaraz and J Lopez ldquoA security analysis for wireless sensormesh networks in highly critical systemsrdquo IEEE Transactionson Systems Man and Cybernetics C vol 40 no 4 pp 419ndash4282010
[11] W Diffie and M E Hellman ldquoNew direction in cryptographyrdquoIEEE Transactions on Information Theory vol IT-22 no 6 pp644ndash654 1976
[12] N Koblitz ldquoElliptic curve cryptosystemsrdquo Mathematics ofComputation vol 48 no 177 1987
[13] E Blaszlig and M Zitterbart ldquoEfficient implementation of ellipticcurve cryptography for wireless sensor networksrdquo TeleMaticsTechnical Report 2005
[14] G DeMeulenaer F Gosset F-X Standaert andO Pereira ldquoOnthe energy cost of communication and cryptography in wirelesssensor networksrdquo in Proceedings of the 4th IEEE InternationalConference on Wireless and Mobile Computing Networking andCommunication (WiMob rsquo08) pp 580ndash585 October 2008
[15] T Chung and U Roedig ldquoDHB-KEY an efficient key distribu-tion scheme for wireless sensor networksrdquo in Proceedings of the5th IEEE International Conference onMobile Ad-Hoc and SensorSystems (MASS rsquo08) pp 840ndash846 October 2008
[16] K Choi M J Yoon M H Kim and K J Chae ldquoAn enhancedkey management using ZigBee Pro for wireless sensor net-worksrdquo in Proceedings of the 26th International Conference onInformation Networking (ICOIN rsquo12) Bali Indonesia February2012
8 International Journal of Distributed Sensor Networks
[17] A JMenezes P C vanOorschot and S AVanstoneHandbookof Applied Cryptography CRC Press 1996
[18] D Seetharam and S Rhee ldquoAn efficient pseudo randomnumbergenerator for low-power sensor networksrdquo in Proceedings of the29th Annual IEEE International Conference on Local ComputerNetworks (LCN rsquo04) pp 560ndash562 Tampa Fla USA November2004
[19] QualNet 4 5 Scalable Network Technologies Inc httpwwwscalable-networkscom
[20] K Choi M-H Kim K-J Chae J-J Park and S-S Joo ldquoAnefficient data fusion and assurance mechanism using temporaland spatial correlations for home automation networksrdquo IEEETransactions on Consumer Electronics vol 55 no 3 pp 1330ndash1336 2009
[21] P Gauravaram W Millan J G Nieto and E Dawson ldquo3C-Aprovably secure pseudorandom function and message authen-tication code a new mode of operation for cryptographic hashfunctionrdquo Cryptology ePrint Archive Rep 2005
[22] S Ozdemir and H Cam ldquoIntegration of false data detectionwith data aggregation and confidential transmission in wirelesssensor networksrdquo IEEEACM Transactions on Networking vol18 no 3 pp 736ndash749 2010
[23] M Burrows M Abadi and R Needham ldquoLogic of authentica-tionrdquo ACM Transactions on Computer Systems vol 8 no 1 pp18ndash36 1990
[24] S Yang andX Li ldquoA limitation of BAN logic analysis on anman-in-the-middle attackrdquo Journal of Information and ComputingScience vol 1 no 3 pp 131ndash138 2006
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
4 International Journal of Distributed Sensor Networks
Trust center Router Joiner
Joined (unauthenticated)
Update-device command
Decision to accept new device
Secured transport-key command (Master Key)Unsecured transport-key command (Master Key)
EA initiator challengeEA responder challenge
EA initiator MAC and dataEA responder MAC and data
SKKE-1 command
SKKE-3 commandSKKE-2 command
SKKE-4 commandSecured transport-key command (NWK key)
Joined (authenticated)
Figure 2 High security mode authentication procedure
Trust center Router Joiner
Joined (unauthenticated)
Update-device command
Decision to accept new device
K998400= abQ masterK = MMO(K998400) subMAC check
SKKE-1 command
SKKE-3 command
SKKE-2 command
SKKE-4 command
Secured transport-key command (NWK key)
EA initiator challengeEA responder challenge
EA initiator MAC and dataEA responder MAC and data
Joined (authenticated)
J aQNS subMAC(aQ Ns J)
EK(NS+1)
K998400= abQK = MMO(K
998400) subMAC(K) check
TC bQNS+1 subMAC(master K)
Figure 3 Proposed key distribution in high security mode
International Journal of Distributed Sensor Networks 5
Standard ECDH High
05156 05778 1078 06563
0
02
04
06
08
1
12
Aver
age r
un ti
me (
s)
Standard High ECDH
Figure 4 Simulation result-run time
value is compared to the average run time of high securitymode it is decreased by 39 It also provides enhancedsecurity
Next we measured energy consumption in Joiner(Node 1) Router (Node 16) and Trust Center (Node 18)Figure 5 shows average energy consumption in transmitmode Figure 6 shows average energy consumption in receivemode The average energy consumption of each node fortransmit mode and receive mode is similar
Table 3 details the values When the proposed key distri-bution in security mode is compared to the standard securitymode it consumes more energy Especially the receive modeof the Trust Center (N18-R) shows the maximum difference0001447mJoule However the Trust Center has sufficientcapacity and energy so this difference is negligible Thesecond difference is 0001412mJoule in the receive mode ofthe Joiner (N1-R) The sensor node uses two AA alkaloidbatteries An AA alkaloid battery contains a maximum of3000mAh so the total energy is 6000mAh The formalvoltage of an AA battery assumes 15 volts The amount ofeletric power is 9Wh products of 6Ah and 15 V and this isconverted into 32400 J 3600X 9 (J) [20] The difference isslight compared to 32400 J
The energy consumption of the high security modeand proposed key distribution in high security mode(High ECDH) is similar The energy consumption of pro-posed key distribution in high security mode (High ECDH)decreases except for the transmit mode of the Joiner (N1-T)and the receive mode of the Router (N16-R) Moreover theproposed scheme enhances security
5 Security Analysis
In this section we analyze our enhanced key distributionfor ZigBee Pro that provides security properties and resistssome general attacks ZigBee Pro is vulnerable in the caseof key distribution in two security modes ECDH cannotprevent man-in-the-middle attack and does not provideauthentication However our proposed scheme overcomesthese vulnerabilities and enhances security Our schemecould resist man-in-the-middle attack replay attack and
00005
0010015002
0025003
0035004
0045005
0055
Node 1Node 16
Node 18
0000217
0049272
0000365
0000899
0050564
0000853
0000663
0050272
000091
0050224
0000909
Ener
gy co
nsum
ptio
n pe
r a n
ode
(mJo
ule)
Standard HighStandard ECDH High ECDH
00000 0002170 000365
0000899000085
0000663000
0
249272004920050564
00050564
00502720 05027200502244
0000666
Figure 5 Energy consumed in transmit mode
Standard High
0
0005
001
0015
002
0025
Node 1Node 16 Node 18
0020517
0000435
0020515
0021929
0001348
00219620021754
0001212
00216210021687
0001214
0021573En
ergy
cons
umpt
ion
per a
nod
e (m
Joul
e)
Standard ECDH High ECDH
Figure 6 Energy consumed in receive mode
Table 3 Energy consumption
STANDARD Stand ECDH High High ECDHN1-T 0000217 0000899 0000663 0000666N1-R 0020517 0021929 0021754 0021687N16-T 0049272 0050564 0050272 0050224N16-R 0000435 0001348 0001212 0001214N18-T 0000365 0000853 000091 0000909N18-R 0020515 0021962 0021621 0021573
ensure confidentiality of keys message authentication andmessage integrity [16]
We assume that an attacker does not know the sub-MACmethod Therefore even if the attacker knows the Joinerrsquosprivate key b heshe cannot make the sub-MAC messageIf the attacker tries to make the sub-MAC message theprobability of failure enhances because the attacker doesnot know how to create a sub-MAC message using MasterKey Additionally there is a public key infrastructure (PKI)
6 International Journal of Distributed Sensor Networks
system The Trust Center assures the private key 119887 using thereceived public key 119887119876 through a certificate authority (CA)
The security of a MAC scheme can be quantified in termsof the success probability achievable as a function of totalnumber of queries to forge the MAC [21] The security of a119894-byte MAC is quantified as 2(119894times8) because an intruder has a 1in 2(119894times8) chance in blindly forging the MAC To increase thesecurity of aMAC its size should be increased Increasing thesize of the MAC also increases the communication overhead[22] Our sub-MAC selects 8 bits of 128 bits Therefore thesecurity of the sub-MAC is 28 Hence the possibility that thefalse data are not detected by a sub-MAC is 128 (=00039)Moreover the communication overhead is reduced by 116(=00625) Consequently the size of the sub-MAC is directlyrelated to the strength of the security and the communicationoverhead A balance needs to be achieved between the desiredsecurity level and the transmission overhead [7]
51 BAN Analysis BAN logic (the Logic of Authenticationof Burrows Abadi and Needham) [23] is widely used andstudied in formal analysis due to its simplicity and efficiencyThe BAN logic is a model logic based on belief and can beused in the analysis and design of a cryptographic protocolThe use of a formal language in the analysis and designprocess can exclude faults and improve the security of theprotocol
511 Basic Notations The symbols 119860 119861 119875 and 119876 are prin-cipals involved in this sort of key agreement protocol 119870
119860119861
represents a good session key for communication between 119860and 119861 [24]
119875| equiv 119883 Principal 119875 believes 119883 119875 believes as if 119883 istrue119875 ⊲ 119883 119875 sees119883 119860 principal has sent 119875 a messagecontaining119883119875| sim 119883 Principal 119875 once said 119883 119875 at some time be-lieved119883 and sent it as part of a message119875 rArr 119883 Principal 119875 has jurisdiction over119883 Principal119875 has authority over119883 and is trusted in this matter(119883) The formula 119883 is fresh That is 119883 has not beensent in amessage at any time before the current run ofthe protocol Amessage that is created for the purposeof being fresh is called a nonce
119875119870
larrrarr 119876 119875 and 119876 may use a shared key 119870 tocommunicate The key is good and will always beknown only to 119875 and 119876 and to any other principaltrusted by either of them119883119870119883 is encrypted using key 119870
512 Inference Rules Message Meaning Rules for sharedkeys
119875 |equiv 119875119870
larrrarr 119876 119875 ⊲ 119883119870
119875 |equiv 119876 |sim 119883
(1)
If principal 119875 believes that key 119870 is shared only withprincipal 119876 and sees a message 119883 encrypted under a key 119870it believes only with principal 119876 119875 may conclude that it wasoriginally created by 119876 who once said its contentsJurisdiction Rule is as Follows
119875 |equiv 119875 997904rArr 119876 119875 |equiv 119876 |equiv 119883
119875 |equiv 119883
(2)
If119875 believes that119876 believes119883 and also believes that119876 hasjurisdiction over119883 then 119875 should believe119883 tooNonce Verification Rule is as Follows
119875 |equiv (119883) 119875 |equiv 119876 |sim 119883119875 |equiv 119876 |equiv 119883
(3)
If119875 believes that119883 is fresh and that119876 once said119883 then119875believes that 119876 has said119883 during the current run of protocoland hence that 119876 believes119883 at present In order to apply thisrule 119883 should not contain any encrypted text The nonceverification rule is the only way of ldquopromotingrdquo once saidassertion to actual belief
52 BAN Analysis of the Proposed Key Distribution
Initialization Hypothesis is as Follows
(1) Trust Center |equiv TC
(2) Trust Center |equiv Joiner |equiv 119869
(3) Trust Center |equiv JoinerrArr 119886119876
(4) Trust Center |equiv sub-MAC
(5) Joiner |equiv 119869
(6) Joiner |equiv Trust Center |equiv TC
(7) Joiner |equiv Trust CenterrArr 119887119876
(8) Joiner |equiv sub-MAC
Proposed Key Distribution Idealization
(1) Trust Center rarr Joiner 119869 119886119876119873119878 and sub-MAC(119886119876
119873119878 119869)
(2) Joiner rarr Trust Center TC 119887119876 119873119878+1
and sub-MAC(119870)
(3) Trust Center rarr Joiner 119864119870(119873119878+1
)
Goal
Trust Center |equiv Trust Center 119870larrrarr Joiner
Joiner |equiv Trust Center 119870larrrarr Joiner
Trust Center |equiv Joiner |equiv Trust Center 119870larrrarr Joiner
Joiner |equiv Trust Center |equiv Trust Center 119870larrrarr Joiner
International Journal of Distributed Sensor Networks 7
AnalysisThrough the proposed key distribution idealization(1) we can get
Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873
119878 119869) Joiner |equiv sub-MAC
Joiner |equiv 119869 119886119876119873119878
Joiner |equiv 119886119876Joiner |equiv 119870
(4)
Through the proposed key distribution idealization (2)we can get
Trust Center ⊲ TC 119887119876119873119878+1 (5)
The Trust Center computes 119870 and then sub-MAC(119870) asfollows
Trust Center ⊲ sub-MAC (119870) Trust Center |equiv sub-MACTrust Center |equiv 119870
Trust Center |equiv 119870Trust Center |equiv 119887119876Trust Center |equiv (119873
119878+1)
Trust Center |equiv 119870
Trust Center |equiv Trust Center 119870larrrarr Joiner
(6)
And then Trust Center |equiv Joiner |equiv Trust Center 119870larrrarrJoiner
Through the proposed key distribution idealization (3)we can get
Joiner ⊲ 119873119878+1119870
Joiner |equiv Truster Center 119870larrrarr Joiner (7)
And then Joiner |equiv Trust Center |equiv Trust Center 119870larrrarrJoiner
According to the formalization analysis we can get theconclusion that the proposed key distribution can resist man-in-the-middle-attack and replay attack
6 Conclusion
This work proposed an enhanced key distribution schemeusing ECDH and sub-MAC for efficiency and security Wehave applied ECDH for secure key distribution and improvedvulnerability of ECDH using sub-MAC and nonce formessage freshness and integrity
We compared ZigBee Pro to the proposed scheme Weproved that our scheme could provide efficiency by achievinga shorter run time and lower energy consuming in highsecurity mode Security analysis proved our scheme couldresist man-in-the-middle attack replay attack and provideconfidentiality message authentication and integrity Conse-quenly the proposed scheme provides lightweight and securekey distribution compared to ZigBee Pro We are going toexperiment our proposed scheme with ZigBee devices infuture work
Acknowledgments
The work was supported by Ewha Global Top 5 Grant 2011of Ewha Womans University and World Class UniversityProgram (R33-10085) throughNational Research Foundationof Korea funded by the Ministry of Education Science andTechnology It was also in part supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0014020)
References
[1] IEEE Std 802154-2003 ldquoWireless Medium Access Control andPhysical Layer Specifications for Low-Rate Wireless PersonalArea Networksrdquo IEEE 2003
[2] ZigBee Alliance ldquoZigBee-2007 Specificationrdquo January 2008[3] httpwwwzigbeeorgStandardsOverviewaspx[4] ZigBeeAlliance ldquoZigBeeHomeAutomation PublicApplication
Profilerdquo ZigBee Document 053520r26 February 2010 httpzigbeeorgStandardsZigBeeHomeAutomationdownloadaspx
[5] httpwwwcerticomcomindexphpdevice-authentication-servicesmart-energy-device-certificate-service
[6] Certicom ldquoStandards for Efficient Cryptography SEC 1 EllipticCurve Cryptographyrdquo Ver 10 September 2000 httpwwwsecgorgdownloadaid-385sec1 finalpdf
[7] H Cam N Challa and M Sikri ldquoSecure and efficient datatransmission over body sensor and wireless networksrdquo EurasipJournal onWireless Communications and Networking vol 2008Article ID 291365 18 pages 2008
[8] Advanced Encryption Standard FIPS 197 November 2001httpcsrcnistgovpublicationsfipsfips197fips-197pdf
[9] Daintree Networks Inc ldquoGetting Started with ZigBee and IEEE802154rdquo February 2008
[10] C Alcaraz and J Lopez ldquoA security analysis for wireless sensormesh networks in highly critical systemsrdquo IEEE Transactionson Systems Man and Cybernetics C vol 40 no 4 pp 419ndash4282010
[11] W Diffie and M E Hellman ldquoNew direction in cryptographyrdquoIEEE Transactions on Information Theory vol IT-22 no 6 pp644ndash654 1976
[12] N Koblitz ldquoElliptic curve cryptosystemsrdquo Mathematics ofComputation vol 48 no 177 1987
[13] E Blaszlig and M Zitterbart ldquoEfficient implementation of ellipticcurve cryptography for wireless sensor networksrdquo TeleMaticsTechnical Report 2005
[14] G DeMeulenaer F Gosset F-X Standaert andO Pereira ldquoOnthe energy cost of communication and cryptography in wirelesssensor networksrdquo in Proceedings of the 4th IEEE InternationalConference on Wireless and Mobile Computing Networking andCommunication (WiMob rsquo08) pp 580ndash585 October 2008
[15] T Chung and U Roedig ldquoDHB-KEY an efficient key distribu-tion scheme for wireless sensor networksrdquo in Proceedings of the5th IEEE International Conference onMobile Ad-Hoc and SensorSystems (MASS rsquo08) pp 840ndash846 October 2008
[16] K Choi M J Yoon M H Kim and K J Chae ldquoAn enhancedkey management using ZigBee Pro for wireless sensor net-worksrdquo in Proceedings of the 26th International Conference onInformation Networking (ICOIN rsquo12) Bali Indonesia February2012
8 International Journal of Distributed Sensor Networks
[17] A JMenezes P C vanOorschot and S AVanstoneHandbookof Applied Cryptography CRC Press 1996
[18] D Seetharam and S Rhee ldquoAn efficient pseudo randomnumbergenerator for low-power sensor networksrdquo in Proceedings of the29th Annual IEEE International Conference on Local ComputerNetworks (LCN rsquo04) pp 560ndash562 Tampa Fla USA November2004
[19] QualNet 4 5 Scalable Network Technologies Inc httpwwwscalable-networkscom
[20] K Choi M-H Kim K-J Chae J-J Park and S-S Joo ldquoAnefficient data fusion and assurance mechanism using temporaland spatial correlations for home automation networksrdquo IEEETransactions on Consumer Electronics vol 55 no 3 pp 1330ndash1336 2009
[21] P Gauravaram W Millan J G Nieto and E Dawson ldquo3C-Aprovably secure pseudorandom function and message authen-tication code a new mode of operation for cryptographic hashfunctionrdquo Cryptology ePrint Archive Rep 2005
[22] S Ozdemir and H Cam ldquoIntegration of false data detectionwith data aggregation and confidential transmission in wirelesssensor networksrdquo IEEEACM Transactions on Networking vol18 no 3 pp 736ndash749 2010
[23] M Burrows M Abadi and R Needham ldquoLogic of authentica-tionrdquo ACM Transactions on Computer Systems vol 8 no 1 pp18ndash36 1990
[24] S Yang andX Li ldquoA limitation of BAN logic analysis on anman-in-the-middle attackrdquo Journal of Information and ComputingScience vol 1 no 3 pp 131ndash138 2006
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 5
Standard ECDH High
05156 05778 1078 06563
0
02
04
06
08
1
12
Aver
age r
un ti
me (
s)
Standard High ECDH
Figure 4 Simulation result-run time
value is compared to the average run time of high securitymode it is decreased by 39 It also provides enhancedsecurity
Next we measured energy consumption in Joiner(Node 1) Router (Node 16) and Trust Center (Node 18)Figure 5 shows average energy consumption in transmitmode Figure 6 shows average energy consumption in receivemode The average energy consumption of each node fortransmit mode and receive mode is similar
Table 3 details the values When the proposed key distri-bution in security mode is compared to the standard securitymode it consumes more energy Especially the receive modeof the Trust Center (N18-R) shows the maximum difference0001447mJoule However the Trust Center has sufficientcapacity and energy so this difference is negligible Thesecond difference is 0001412mJoule in the receive mode ofthe Joiner (N1-R) The sensor node uses two AA alkaloidbatteries An AA alkaloid battery contains a maximum of3000mAh so the total energy is 6000mAh The formalvoltage of an AA battery assumes 15 volts The amount ofeletric power is 9Wh products of 6Ah and 15 V and this isconverted into 32400 J 3600X 9 (J) [20] The difference isslight compared to 32400 J
The energy consumption of the high security modeand proposed key distribution in high security mode(High ECDH) is similar The energy consumption of pro-posed key distribution in high security mode (High ECDH)decreases except for the transmit mode of the Joiner (N1-T)and the receive mode of the Router (N16-R) Moreover theproposed scheme enhances security
5 Security Analysis
In this section we analyze our enhanced key distributionfor ZigBee Pro that provides security properties and resistssome general attacks ZigBee Pro is vulnerable in the caseof key distribution in two security modes ECDH cannotprevent man-in-the-middle attack and does not provideauthentication However our proposed scheme overcomesthese vulnerabilities and enhances security Our schemecould resist man-in-the-middle attack replay attack and
00005
0010015002
0025003
0035004
0045005
0055
Node 1Node 16
Node 18
0000217
0049272
0000365
0000899
0050564
0000853
0000663
0050272
000091
0050224
0000909
Ener
gy co
nsum
ptio
n pe
r a n
ode
(mJo
ule)
Standard HighStandard ECDH High ECDH
00000 0002170 000365
0000899000085
0000663000
0
249272004920050564
00050564
00502720 05027200502244
0000666
Figure 5 Energy consumed in transmit mode
Standard High
0
0005
001
0015
002
0025
Node 1Node 16 Node 18
0020517
0000435
0020515
0021929
0001348
00219620021754
0001212
00216210021687
0001214
0021573En
ergy
cons
umpt
ion
per a
nod
e (m
Joul
e)
Standard ECDH High ECDH
Figure 6 Energy consumed in receive mode
Table 3 Energy consumption
STANDARD Stand ECDH High High ECDHN1-T 0000217 0000899 0000663 0000666N1-R 0020517 0021929 0021754 0021687N16-T 0049272 0050564 0050272 0050224N16-R 0000435 0001348 0001212 0001214N18-T 0000365 0000853 000091 0000909N18-R 0020515 0021962 0021621 0021573
ensure confidentiality of keys message authentication andmessage integrity [16]
We assume that an attacker does not know the sub-MACmethod Therefore even if the attacker knows the Joinerrsquosprivate key b heshe cannot make the sub-MAC messageIf the attacker tries to make the sub-MAC message theprobability of failure enhances because the attacker doesnot know how to create a sub-MAC message using MasterKey Additionally there is a public key infrastructure (PKI)
6 International Journal of Distributed Sensor Networks
system The Trust Center assures the private key 119887 using thereceived public key 119887119876 through a certificate authority (CA)
The security of a MAC scheme can be quantified in termsof the success probability achievable as a function of totalnumber of queries to forge the MAC [21] The security of a119894-byte MAC is quantified as 2(119894times8) because an intruder has a 1in 2(119894times8) chance in blindly forging the MAC To increase thesecurity of aMAC its size should be increased Increasing thesize of the MAC also increases the communication overhead[22] Our sub-MAC selects 8 bits of 128 bits Therefore thesecurity of the sub-MAC is 28 Hence the possibility that thefalse data are not detected by a sub-MAC is 128 (=00039)Moreover the communication overhead is reduced by 116(=00625) Consequently the size of the sub-MAC is directlyrelated to the strength of the security and the communicationoverhead A balance needs to be achieved between the desiredsecurity level and the transmission overhead [7]
51 BAN Analysis BAN logic (the Logic of Authenticationof Burrows Abadi and Needham) [23] is widely used andstudied in formal analysis due to its simplicity and efficiencyThe BAN logic is a model logic based on belief and can beused in the analysis and design of a cryptographic protocolThe use of a formal language in the analysis and designprocess can exclude faults and improve the security of theprotocol
511 Basic Notations The symbols 119860 119861 119875 and 119876 are prin-cipals involved in this sort of key agreement protocol 119870
119860119861
represents a good session key for communication between 119860and 119861 [24]
119875| equiv 119883 Principal 119875 believes 119883 119875 believes as if 119883 istrue119875 ⊲ 119883 119875 sees119883 119860 principal has sent 119875 a messagecontaining119883119875| sim 119883 Principal 119875 once said 119883 119875 at some time be-lieved119883 and sent it as part of a message119875 rArr 119883 Principal 119875 has jurisdiction over119883 Principal119875 has authority over119883 and is trusted in this matter(119883) The formula 119883 is fresh That is 119883 has not beensent in amessage at any time before the current run ofthe protocol Amessage that is created for the purposeof being fresh is called a nonce
119875119870
larrrarr 119876 119875 and 119876 may use a shared key 119870 tocommunicate The key is good and will always beknown only to 119875 and 119876 and to any other principaltrusted by either of them119883119870119883 is encrypted using key 119870
512 Inference Rules Message Meaning Rules for sharedkeys
119875 |equiv 119875119870
larrrarr 119876 119875 ⊲ 119883119870
119875 |equiv 119876 |sim 119883
(1)
If principal 119875 believes that key 119870 is shared only withprincipal 119876 and sees a message 119883 encrypted under a key 119870it believes only with principal 119876 119875 may conclude that it wasoriginally created by 119876 who once said its contentsJurisdiction Rule is as Follows
119875 |equiv 119875 997904rArr 119876 119875 |equiv 119876 |equiv 119883
119875 |equiv 119883
(2)
If119875 believes that119876 believes119883 and also believes that119876 hasjurisdiction over119883 then 119875 should believe119883 tooNonce Verification Rule is as Follows
119875 |equiv (119883) 119875 |equiv 119876 |sim 119883119875 |equiv 119876 |equiv 119883
(3)
If119875 believes that119883 is fresh and that119876 once said119883 then119875believes that 119876 has said119883 during the current run of protocoland hence that 119876 believes119883 at present In order to apply thisrule 119883 should not contain any encrypted text The nonceverification rule is the only way of ldquopromotingrdquo once saidassertion to actual belief
52 BAN Analysis of the Proposed Key Distribution
Initialization Hypothesis is as Follows
(1) Trust Center |equiv TC
(2) Trust Center |equiv Joiner |equiv 119869
(3) Trust Center |equiv JoinerrArr 119886119876
(4) Trust Center |equiv sub-MAC
(5) Joiner |equiv 119869
(6) Joiner |equiv Trust Center |equiv TC
(7) Joiner |equiv Trust CenterrArr 119887119876
(8) Joiner |equiv sub-MAC
Proposed Key Distribution Idealization
(1) Trust Center rarr Joiner 119869 119886119876119873119878 and sub-MAC(119886119876
119873119878 119869)
(2) Joiner rarr Trust Center TC 119887119876 119873119878+1
and sub-MAC(119870)
(3) Trust Center rarr Joiner 119864119870(119873119878+1
)
Goal
Trust Center |equiv Trust Center 119870larrrarr Joiner
Joiner |equiv Trust Center 119870larrrarr Joiner
Trust Center |equiv Joiner |equiv Trust Center 119870larrrarr Joiner
Joiner |equiv Trust Center |equiv Trust Center 119870larrrarr Joiner
International Journal of Distributed Sensor Networks 7
AnalysisThrough the proposed key distribution idealization(1) we can get
Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873
119878 119869) Joiner |equiv sub-MAC
Joiner |equiv 119869 119886119876119873119878
Joiner |equiv 119886119876Joiner |equiv 119870
(4)
Through the proposed key distribution idealization (2)we can get
Trust Center ⊲ TC 119887119876119873119878+1 (5)
The Trust Center computes 119870 and then sub-MAC(119870) asfollows
Trust Center ⊲ sub-MAC (119870) Trust Center |equiv sub-MACTrust Center |equiv 119870
Trust Center |equiv 119870Trust Center |equiv 119887119876Trust Center |equiv (119873
119878+1)
Trust Center |equiv 119870
Trust Center |equiv Trust Center 119870larrrarr Joiner
(6)
And then Trust Center |equiv Joiner |equiv Trust Center 119870larrrarrJoiner
Through the proposed key distribution idealization (3)we can get
Joiner ⊲ 119873119878+1119870
Joiner |equiv Truster Center 119870larrrarr Joiner (7)
And then Joiner |equiv Trust Center |equiv Trust Center 119870larrrarrJoiner
According to the formalization analysis we can get theconclusion that the proposed key distribution can resist man-in-the-middle-attack and replay attack
6 Conclusion
This work proposed an enhanced key distribution schemeusing ECDH and sub-MAC for efficiency and security Wehave applied ECDH for secure key distribution and improvedvulnerability of ECDH using sub-MAC and nonce formessage freshness and integrity
We compared ZigBee Pro to the proposed scheme Weproved that our scheme could provide efficiency by achievinga shorter run time and lower energy consuming in highsecurity mode Security analysis proved our scheme couldresist man-in-the-middle attack replay attack and provideconfidentiality message authentication and integrity Conse-quenly the proposed scheme provides lightweight and securekey distribution compared to ZigBee Pro We are going toexperiment our proposed scheme with ZigBee devices infuture work
Acknowledgments
The work was supported by Ewha Global Top 5 Grant 2011of Ewha Womans University and World Class UniversityProgram (R33-10085) throughNational Research Foundationof Korea funded by the Ministry of Education Science andTechnology It was also in part supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0014020)
References
[1] IEEE Std 802154-2003 ldquoWireless Medium Access Control andPhysical Layer Specifications for Low-Rate Wireless PersonalArea Networksrdquo IEEE 2003
[2] ZigBee Alliance ldquoZigBee-2007 Specificationrdquo January 2008[3] httpwwwzigbeeorgStandardsOverviewaspx[4] ZigBeeAlliance ldquoZigBeeHomeAutomation PublicApplication
Profilerdquo ZigBee Document 053520r26 February 2010 httpzigbeeorgStandardsZigBeeHomeAutomationdownloadaspx
[5] httpwwwcerticomcomindexphpdevice-authentication-servicesmart-energy-device-certificate-service
[6] Certicom ldquoStandards for Efficient Cryptography SEC 1 EllipticCurve Cryptographyrdquo Ver 10 September 2000 httpwwwsecgorgdownloadaid-385sec1 finalpdf
[7] H Cam N Challa and M Sikri ldquoSecure and efficient datatransmission over body sensor and wireless networksrdquo EurasipJournal onWireless Communications and Networking vol 2008Article ID 291365 18 pages 2008
[8] Advanced Encryption Standard FIPS 197 November 2001httpcsrcnistgovpublicationsfipsfips197fips-197pdf
[9] Daintree Networks Inc ldquoGetting Started with ZigBee and IEEE802154rdquo February 2008
[10] C Alcaraz and J Lopez ldquoA security analysis for wireless sensormesh networks in highly critical systemsrdquo IEEE Transactionson Systems Man and Cybernetics C vol 40 no 4 pp 419ndash4282010
[11] W Diffie and M E Hellman ldquoNew direction in cryptographyrdquoIEEE Transactions on Information Theory vol IT-22 no 6 pp644ndash654 1976
[12] N Koblitz ldquoElliptic curve cryptosystemsrdquo Mathematics ofComputation vol 48 no 177 1987
[13] E Blaszlig and M Zitterbart ldquoEfficient implementation of ellipticcurve cryptography for wireless sensor networksrdquo TeleMaticsTechnical Report 2005
[14] G DeMeulenaer F Gosset F-X Standaert andO Pereira ldquoOnthe energy cost of communication and cryptography in wirelesssensor networksrdquo in Proceedings of the 4th IEEE InternationalConference on Wireless and Mobile Computing Networking andCommunication (WiMob rsquo08) pp 580ndash585 October 2008
[15] T Chung and U Roedig ldquoDHB-KEY an efficient key distribu-tion scheme for wireless sensor networksrdquo in Proceedings of the5th IEEE International Conference onMobile Ad-Hoc and SensorSystems (MASS rsquo08) pp 840ndash846 October 2008
[16] K Choi M J Yoon M H Kim and K J Chae ldquoAn enhancedkey management using ZigBee Pro for wireless sensor net-worksrdquo in Proceedings of the 26th International Conference onInformation Networking (ICOIN rsquo12) Bali Indonesia February2012
8 International Journal of Distributed Sensor Networks
[17] A JMenezes P C vanOorschot and S AVanstoneHandbookof Applied Cryptography CRC Press 1996
[18] D Seetharam and S Rhee ldquoAn efficient pseudo randomnumbergenerator for low-power sensor networksrdquo in Proceedings of the29th Annual IEEE International Conference on Local ComputerNetworks (LCN rsquo04) pp 560ndash562 Tampa Fla USA November2004
[19] QualNet 4 5 Scalable Network Technologies Inc httpwwwscalable-networkscom
[20] K Choi M-H Kim K-J Chae J-J Park and S-S Joo ldquoAnefficient data fusion and assurance mechanism using temporaland spatial correlations for home automation networksrdquo IEEETransactions on Consumer Electronics vol 55 no 3 pp 1330ndash1336 2009
[21] P Gauravaram W Millan J G Nieto and E Dawson ldquo3C-Aprovably secure pseudorandom function and message authen-tication code a new mode of operation for cryptographic hashfunctionrdquo Cryptology ePrint Archive Rep 2005
[22] S Ozdemir and H Cam ldquoIntegration of false data detectionwith data aggregation and confidential transmission in wirelesssensor networksrdquo IEEEACM Transactions on Networking vol18 no 3 pp 736ndash749 2010
[23] M Burrows M Abadi and R Needham ldquoLogic of authentica-tionrdquo ACM Transactions on Computer Systems vol 8 no 1 pp18ndash36 1990
[24] S Yang andX Li ldquoA limitation of BAN logic analysis on anman-in-the-middle attackrdquo Journal of Information and ComputingScience vol 1 no 3 pp 131ndash138 2006
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
6 International Journal of Distributed Sensor Networks
system The Trust Center assures the private key 119887 using thereceived public key 119887119876 through a certificate authority (CA)
The security of a MAC scheme can be quantified in termsof the success probability achievable as a function of totalnumber of queries to forge the MAC [21] The security of a119894-byte MAC is quantified as 2(119894times8) because an intruder has a 1in 2(119894times8) chance in blindly forging the MAC To increase thesecurity of aMAC its size should be increased Increasing thesize of the MAC also increases the communication overhead[22] Our sub-MAC selects 8 bits of 128 bits Therefore thesecurity of the sub-MAC is 28 Hence the possibility that thefalse data are not detected by a sub-MAC is 128 (=00039)Moreover the communication overhead is reduced by 116(=00625) Consequently the size of the sub-MAC is directlyrelated to the strength of the security and the communicationoverhead A balance needs to be achieved between the desiredsecurity level and the transmission overhead [7]
51 BAN Analysis BAN logic (the Logic of Authenticationof Burrows Abadi and Needham) [23] is widely used andstudied in formal analysis due to its simplicity and efficiencyThe BAN logic is a model logic based on belief and can beused in the analysis and design of a cryptographic protocolThe use of a formal language in the analysis and designprocess can exclude faults and improve the security of theprotocol
511 Basic Notations The symbols 119860 119861 119875 and 119876 are prin-cipals involved in this sort of key agreement protocol 119870
119860119861
represents a good session key for communication between 119860and 119861 [24]
119875| equiv 119883 Principal 119875 believes 119883 119875 believes as if 119883 istrue119875 ⊲ 119883 119875 sees119883 119860 principal has sent 119875 a messagecontaining119883119875| sim 119883 Principal 119875 once said 119883 119875 at some time be-lieved119883 and sent it as part of a message119875 rArr 119883 Principal 119875 has jurisdiction over119883 Principal119875 has authority over119883 and is trusted in this matter(119883) The formula 119883 is fresh That is 119883 has not beensent in amessage at any time before the current run ofthe protocol Amessage that is created for the purposeof being fresh is called a nonce
119875119870
larrrarr 119876 119875 and 119876 may use a shared key 119870 tocommunicate The key is good and will always beknown only to 119875 and 119876 and to any other principaltrusted by either of them119883119870119883 is encrypted using key 119870
512 Inference Rules Message Meaning Rules for sharedkeys
119875 |equiv 119875119870
larrrarr 119876 119875 ⊲ 119883119870
119875 |equiv 119876 |sim 119883
(1)
If principal 119875 believes that key 119870 is shared only withprincipal 119876 and sees a message 119883 encrypted under a key 119870it believes only with principal 119876 119875 may conclude that it wasoriginally created by 119876 who once said its contentsJurisdiction Rule is as Follows
119875 |equiv 119875 997904rArr 119876 119875 |equiv 119876 |equiv 119883
119875 |equiv 119883
(2)
If119875 believes that119876 believes119883 and also believes that119876 hasjurisdiction over119883 then 119875 should believe119883 tooNonce Verification Rule is as Follows
119875 |equiv (119883) 119875 |equiv 119876 |sim 119883119875 |equiv 119876 |equiv 119883
(3)
If119875 believes that119883 is fresh and that119876 once said119883 then119875believes that 119876 has said119883 during the current run of protocoland hence that 119876 believes119883 at present In order to apply thisrule 119883 should not contain any encrypted text The nonceverification rule is the only way of ldquopromotingrdquo once saidassertion to actual belief
52 BAN Analysis of the Proposed Key Distribution
Initialization Hypothesis is as Follows
(1) Trust Center |equiv TC
(2) Trust Center |equiv Joiner |equiv 119869
(3) Trust Center |equiv JoinerrArr 119886119876
(4) Trust Center |equiv sub-MAC
(5) Joiner |equiv 119869
(6) Joiner |equiv Trust Center |equiv TC
(7) Joiner |equiv Trust CenterrArr 119887119876
(8) Joiner |equiv sub-MAC
Proposed Key Distribution Idealization
(1) Trust Center rarr Joiner 119869 119886119876119873119878 and sub-MAC(119886119876
119873119878 119869)
(2) Joiner rarr Trust Center TC 119887119876 119873119878+1
and sub-MAC(119870)
(3) Trust Center rarr Joiner 119864119870(119873119878+1
)
Goal
Trust Center |equiv Trust Center 119870larrrarr Joiner
Joiner |equiv Trust Center 119870larrrarr Joiner
Trust Center |equiv Joiner |equiv Trust Center 119870larrrarr Joiner
Joiner |equiv Trust Center |equiv Trust Center 119870larrrarr Joiner
International Journal of Distributed Sensor Networks 7
AnalysisThrough the proposed key distribution idealization(1) we can get
Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873
119878 119869) Joiner |equiv sub-MAC
Joiner |equiv 119869 119886119876119873119878
Joiner |equiv 119886119876Joiner |equiv 119870
(4)
Through the proposed key distribution idealization (2)we can get
Trust Center ⊲ TC 119887119876119873119878+1 (5)
The Trust Center computes 119870 and then sub-MAC(119870) asfollows
Trust Center ⊲ sub-MAC (119870) Trust Center |equiv sub-MACTrust Center |equiv 119870
Trust Center |equiv 119870Trust Center |equiv 119887119876Trust Center |equiv (119873
119878+1)
Trust Center |equiv 119870
Trust Center |equiv Trust Center 119870larrrarr Joiner
(6)
And then Trust Center |equiv Joiner |equiv Trust Center 119870larrrarrJoiner
Through the proposed key distribution idealization (3)we can get
Joiner ⊲ 119873119878+1119870
Joiner |equiv Truster Center 119870larrrarr Joiner (7)
And then Joiner |equiv Trust Center |equiv Trust Center 119870larrrarrJoiner
According to the formalization analysis we can get theconclusion that the proposed key distribution can resist man-in-the-middle-attack and replay attack
6 Conclusion
This work proposed an enhanced key distribution schemeusing ECDH and sub-MAC for efficiency and security Wehave applied ECDH for secure key distribution and improvedvulnerability of ECDH using sub-MAC and nonce formessage freshness and integrity
We compared ZigBee Pro to the proposed scheme Weproved that our scheme could provide efficiency by achievinga shorter run time and lower energy consuming in highsecurity mode Security analysis proved our scheme couldresist man-in-the-middle attack replay attack and provideconfidentiality message authentication and integrity Conse-quenly the proposed scheme provides lightweight and securekey distribution compared to ZigBee Pro We are going toexperiment our proposed scheme with ZigBee devices infuture work
Acknowledgments
The work was supported by Ewha Global Top 5 Grant 2011of Ewha Womans University and World Class UniversityProgram (R33-10085) throughNational Research Foundationof Korea funded by the Ministry of Education Science andTechnology It was also in part supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0014020)
References
[1] IEEE Std 802154-2003 ldquoWireless Medium Access Control andPhysical Layer Specifications for Low-Rate Wireless PersonalArea Networksrdquo IEEE 2003
[2] ZigBee Alliance ldquoZigBee-2007 Specificationrdquo January 2008[3] httpwwwzigbeeorgStandardsOverviewaspx[4] ZigBeeAlliance ldquoZigBeeHomeAutomation PublicApplication
Profilerdquo ZigBee Document 053520r26 February 2010 httpzigbeeorgStandardsZigBeeHomeAutomationdownloadaspx
[5] httpwwwcerticomcomindexphpdevice-authentication-servicesmart-energy-device-certificate-service
[6] Certicom ldquoStandards for Efficient Cryptography SEC 1 EllipticCurve Cryptographyrdquo Ver 10 September 2000 httpwwwsecgorgdownloadaid-385sec1 finalpdf
[7] H Cam N Challa and M Sikri ldquoSecure and efficient datatransmission over body sensor and wireless networksrdquo EurasipJournal onWireless Communications and Networking vol 2008Article ID 291365 18 pages 2008
[8] Advanced Encryption Standard FIPS 197 November 2001httpcsrcnistgovpublicationsfipsfips197fips-197pdf
[9] Daintree Networks Inc ldquoGetting Started with ZigBee and IEEE802154rdquo February 2008
[10] C Alcaraz and J Lopez ldquoA security analysis for wireless sensormesh networks in highly critical systemsrdquo IEEE Transactionson Systems Man and Cybernetics C vol 40 no 4 pp 419ndash4282010
[11] W Diffie and M E Hellman ldquoNew direction in cryptographyrdquoIEEE Transactions on Information Theory vol IT-22 no 6 pp644ndash654 1976
[12] N Koblitz ldquoElliptic curve cryptosystemsrdquo Mathematics ofComputation vol 48 no 177 1987
[13] E Blaszlig and M Zitterbart ldquoEfficient implementation of ellipticcurve cryptography for wireless sensor networksrdquo TeleMaticsTechnical Report 2005
[14] G DeMeulenaer F Gosset F-X Standaert andO Pereira ldquoOnthe energy cost of communication and cryptography in wirelesssensor networksrdquo in Proceedings of the 4th IEEE InternationalConference on Wireless and Mobile Computing Networking andCommunication (WiMob rsquo08) pp 580ndash585 October 2008
[15] T Chung and U Roedig ldquoDHB-KEY an efficient key distribu-tion scheme for wireless sensor networksrdquo in Proceedings of the5th IEEE International Conference onMobile Ad-Hoc and SensorSystems (MASS rsquo08) pp 840ndash846 October 2008
[16] K Choi M J Yoon M H Kim and K J Chae ldquoAn enhancedkey management using ZigBee Pro for wireless sensor net-worksrdquo in Proceedings of the 26th International Conference onInformation Networking (ICOIN rsquo12) Bali Indonesia February2012
8 International Journal of Distributed Sensor Networks
[17] A JMenezes P C vanOorschot and S AVanstoneHandbookof Applied Cryptography CRC Press 1996
[18] D Seetharam and S Rhee ldquoAn efficient pseudo randomnumbergenerator for low-power sensor networksrdquo in Proceedings of the29th Annual IEEE International Conference on Local ComputerNetworks (LCN rsquo04) pp 560ndash562 Tampa Fla USA November2004
[19] QualNet 4 5 Scalable Network Technologies Inc httpwwwscalable-networkscom
[20] K Choi M-H Kim K-J Chae J-J Park and S-S Joo ldquoAnefficient data fusion and assurance mechanism using temporaland spatial correlations for home automation networksrdquo IEEETransactions on Consumer Electronics vol 55 no 3 pp 1330ndash1336 2009
[21] P Gauravaram W Millan J G Nieto and E Dawson ldquo3C-Aprovably secure pseudorandom function and message authen-tication code a new mode of operation for cryptographic hashfunctionrdquo Cryptology ePrint Archive Rep 2005
[22] S Ozdemir and H Cam ldquoIntegration of false data detectionwith data aggregation and confidential transmission in wirelesssensor networksrdquo IEEEACM Transactions on Networking vol18 no 3 pp 736ndash749 2010
[23] M Burrows M Abadi and R Needham ldquoLogic of authentica-tionrdquo ACM Transactions on Computer Systems vol 8 no 1 pp18ndash36 1990
[24] S Yang andX Li ldquoA limitation of BAN logic analysis on anman-in-the-middle attackrdquo Journal of Information and ComputingScience vol 1 no 3 pp 131ndash138 2006
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 7
AnalysisThrough the proposed key distribution idealization(1) we can get
Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873
119878 119869) Joiner |equiv sub-MAC
Joiner |equiv 119869 119886119876119873119878
Joiner |equiv 119886119876Joiner |equiv 119870
(4)
Through the proposed key distribution idealization (2)we can get
Trust Center ⊲ TC 119887119876119873119878+1 (5)
The Trust Center computes 119870 and then sub-MAC(119870) asfollows
Trust Center ⊲ sub-MAC (119870) Trust Center |equiv sub-MACTrust Center |equiv 119870
Trust Center |equiv 119870Trust Center |equiv 119887119876Trust Center |equiv (119873
119878+1)
Trust Center |equiv 119870
Trust Center |equiv Trust Center 119870larrrarr Joiner
(6)
And then Trust Center |equiv Joiner |equiv Trust Center 119870larrrarrJoiner
Through the proposed key distribution idealization (3)we can get
Joiner ⊲ 119873119878+1119870
Joiner |equiv Truster Center 119870larrrarr Joiner (7)
And then Joiner |equiv Trust Center |equiv Trust Center 119870larrrarrJoiner
According to the formalization analysis we can get theconclusion that the proposed key distribution can resist man-in-the-middle-attack and replay attack
6 Conclusion
This work proposed an enhanced key distribution schemeusing ECDH and sub-MAC for efficiency and security Wehave applied ECDH for secure key distribution and improvedvulnerability of ECDH using sub-MAC and nonce formessage freshness and integrity
We compared ZigBee Pro to the proposed scheme Weproved that our scheme could provide efficiency by achievinga shorter run time and lower energy consuming in highsecurity mode Security analysis proved our scheme couldresist man-in-the-middle attack replay attack and provideconfidentiality message authentication and integrity Conse-quenly the proposed scheme provides lightweight and securekey distribution compared to ZigBee Pro We are going toexperiment our proposed scheme with ZigBee devices infuture work
Acknowledgments
The work was supported by Ewha Global Top 5 Grant 2011of Ewha Womans University and World Class UniversityProgram (R33-10085) throughNational Research Foundationof Korea funded by the Ministry of Education Science andTechnology It was also in part supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0014020)
References
[1] IEEE Std 802154-2003 ldquoWireless Medium Access Control andPhysical Layer Specifications for Low-Rate Wireless PersonalArea Networksrdquo IEEE 2003
[2] ZigBee Alliance ldquoZigBee-2007 Specificationrdquo January 2008[3] httpwwwzigbeeorgStandardsOverviewaspx[4] ZigBeeAlliance ldquoZigBeeHomeAutomation PublicApplication
Profilerdquo ZigBee Document 053520r26 February 2010 httpzigbeeorgStandardsZigBeeHomeAutomationdownloadaspx
[5] httpwwwcerticomcomindexphpdevice-authentication-servicesmart-energy-device-certificate-service
[6] Certicom ldquoStandards for Efficient Cryptography SEC 1 EllipticCurve Cryptographyrdquo Ver 10 September 2000 httpwwwsecgorgdownloadaid-385sec1 finalpdf
[7] H Cam N Challa and M Sikri ldquoSecure and efficient datatransmission over body sensor and wireless networksrdquo EurasipJournal onWireless Communications and Networking vol 2008Article ID 291365 18 pages 2008
[8] Advanced Encryption Standard FIPS 197 November 2001httpcsrcnistgovpublicationsfipsfips197fips-197pdf
[9] Daintree Networks Inc ldquoGetting Started with ZigBee and IEEE802154rdquo February 2008
[10] C Alcaraz and J Lopez ldquoA security analysis for wireless sensormesh networks in highly critical systemsrdquo IEEE Transactionson Systems Man and Cybernetics C vol 40 no 4 pp 419ndash4282010
[11] W Diffie and M E Hellman ldquoNew direction in cryptographyrdquoIEEE Transactions on Information Theory vol IT-22 no 6 pp644ndash654 1976
[12] N Koblitz ldquoElliptic curve cryptosystemsrdquo Mathematics ofComputation vol 48 no 177 1987
[13] E Blaszlig and M Zitterbart ldquoEfficient implementation of ellipticcurve cryptography for wireless sensor networksrdquo TeleMaticsTechnical Report 2005
[14] G DeMeulenaer F Gosset F-X Standaert andO Pereira ldquoOnthe energy cost of communication and cryptography in wirelesssensor networksrdquo in Proceedings of the 4th IEEE InternationalConference on Wireless and Mobile Computing Networking andCommunication (WiMob rsquo08) pp 580ndash585 October 2008
[15] T Chung and U Roedig ldquoDHB-KEY an efficient key distribu-tion scheme for wireless sensor networksrdquo in Proceedings of the5th IEEE International Conference onMobile Ad-Hoc and SensorSystems (MASS rsquo08) pp 840ndash846 October 2008
[16] K Choi M J Yoon M H Kim and K J Chae ldquoAn enhancedkey management using ZigBee Pro for wireless sensor net-worksrdquo in Proceedings of the 26th International Conference onInformation Networking (ICOIN rsquo12) Bali Indonesia February2012
8 International Journal of Distributed Sensor Networks
[17] A JMenezes P C vanOorschot and S AVanstoneHandbookof Applied Cryptography CRC Press 1996
[18] D Seetharam and S Rhee ldquoAn efficient pseudo randomnumbergenerator for low-power sensor networksrdquo in Proceedings of the29th Annual IEEE International Conference on Local ComputerNetworks (LCN rsquo04) pp 560ndash562 Tampa Fla USA November2004
[19] QualNet 4 5 Scalable Network Technologies Inc httpwwwscalable-networkscom
[20] K Choi M-H Kim K-J Chae J-J Park and S-S Joo ldquoAnefficient data fusion and assurance mechanism using temporaland spatial correlations for home automation networksrdquo IEEETransactions on Consumer Electronics vol 55 no 3 pp 1330ndash1336 2009
[21] P Gauravaram W Millan J G Nieto and E Dawson ldquo3C-Aprovably secure pseudorandom function and message authen-tication code a new mode of operation for cryptographic hashfunctionrdquo Cryptology ePrint Archive Rep 2005
[22] S Ozdemir and H Cam ldquoIntegration of false data detectionwith data aggregation and confidential transmission in wirelesssensor networksrdquo IEEEACM Transactions on Networking vol18 no 3 pp 736ndash749 2010
[23] M Burrows M Abadi and R Needham ldquoLogic of authentica-tionrdquo ACM Transactions on Computer Systems vol 8 no 1 pp18ndash36 1990
[24] S Yang andX Li ldquoA limitation of BAN logic analysis on anman-in-the-middle attackrdquo Journal of Information and ComputingScience vol 1 no 3 pp 131ndash138 2006
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
8 International Journal of Distributed Sensor Networks
[17] A JMenezes P C vanOorschot and S AVanstoneHandbookof Applied Cryptography CRC Press 1996
[18] D Seetharam and S Rhee ldquoAn efficient pseudo randomnumbergenerator for low-power sensor networksrdquo in Proceedings of the29th Annual IEEE International Conference on Local ComputerNetworks (LCN rsquo04) pp 560ndash562 Tampa Fla USA November2004
[19] QualNet 4 5 Scalable Network Technologies Inc httpwwwscalable-networkscom
[20] K Choi M-H Kim K-J Chae J-J Park and S-S Joo ldquoAnefficient data fusion and assurance mechanism using temporaland spatial correlations for home automation networksrdquo IEEETransactions on Consumer Electronics vol 55 no 3 pp 1330ndash1336 2009
[21] P Gauravaram W Millan J G Nieto and E Dawson ldquo3C-Aprovably secure pseudorandom function and message authen-tication code a new mode of operation for cryptographic hashfunctionrdquo Cryptology ePrint Archive Rep 2005
[22] S Ozdemir and H Cam ldquoIntegration of false data detectionwith data aggregation and confidential transmission in wirelesssensor networksrdquo IEEEACM Transactions on Networking vol18 no 3 pp 736ndash749 2010
[23] M Burrows M Abadi and R Needham ldquoLogic of authentica-tionrdquo ACM Transactions on Computer Systems vol 8 no 1 pp18ndash36 1990
[24] S Yang andX Li ldquoA limitation of BAN logic analysis on anman-in-the-middle attackrdquo Journal of Information and ComputingScience vol 1 no 3 pp 131ndash138 2006
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of