Research Article Secure and Lightweight Key Distribution...

Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2013 Article ID 608380 8 pageshttpdxdoiorg1011552013608380

Research ArticleSecure and Lightweight Key Distribution with ZigBee Pro forUbiquitous Sensor Networks

Kyung Choi1 Mihui Kim2 and Kijoon Chae1

1 Department of Computer Science and Engineering Ewha Womans University 52 Ewhayeodae-gil Seodaemun-guSeoul 120-750 Republic of Korea

2Department of Computer Engineering Hankyong National University 327 Chungang-no Anseong-siGyeonggi-do 456-749 Republic of Korea

Correspondence should be addressed to Kijoon Chae kjchaeewhaackr

Received 6 December 2012 Revised 19 June 2013 Accepted 19 June 2013

Academic Editor Carlos Ramos

Copyright copy 2013 Kyung Choi et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

We propose a secure and lightweight key distribution mechanism using ZigBee Pro for ubiquitous sensor networks ZigBeeconsumes low power and provides security in wireless sensor networks ZigBee Pro provides more security than ZigBee and offerstwo security modes standard security mode and high security mode Despite high security mode ZigBee Pro has weakness ofkey distribution We use enhanced ECDH for secure key distribution in high security mode Our simulation results show that theenergy consumption of our approach decreases and the average run time is decreased by 39 Moreover the proposed schemeenhances security that is confidentiality message authentication and integrity We also prove that the proposed key distributioncan resist man-in-the-middle attack and replay attack

1 Introduction

Various sensors in a sensor network technology are locatedwithin wiredwireless network infrastructures Spatially dis-tributed autonomous sensors monitor physical or environ-mental conditions such as temperature humidity soundvibration pressure and motion and pass their data throughthe wiredwireless network to a base station Sensor networktechnology has been utilized in monitoring military homeautomation and health care systems as well as agricultureand weather conditions

Sensors have limited memory and throughput capacityfor wireless sensor networks Therefore limitations of thesensor itself and the underlying vulnerability of wirelesscommunication with the sensors must be considered Inaddition sensed and transmitted data in each field are usuallyprivate information or important authentication informa-tion Thus security is to be applied in most cases For thisZigBee [1] provides a low power consumption and securitystandard-based protocol for applications on wireless sensornetworks ZigBee was developed to address the following

needs low cost security reliablility and self-healing flexibil-ity and extendibility low power consumption being easy andinexpensive to deploy being global with use of unlicensedradio bands integrating intelligence for network setup andmessage routing

ZigBee Pro [2] (the latest specification for ZigBee istermed ZigBee-2007) revolves around mesh networkingenhancing security ZigBee Pro [3] also supports a largenumber of interoperable standards including ZigBee healthcare ZigBee home automation ZigBee remote control Zig-Bee smart energy ZigBee telecom services ZigBee buildingautomation ZigBee input device ZigBee light link ZigBeenetwork devices and ZigBee retail servicesTheZigBee homeautomation profile [4] for a smart home allows consumersto save money be more environmentally aware feel moresecure and enjoy a variety of conveniences that make homeseasier and less expensive to maintain

However the enhanced keymanagementmechanism stillhas vulnerabilities in key distribution The ZigBee homeautomation profile has just been applied at the network levelAn enhanced mechanism is needed for this

2 International Journal of Distributed Sensor Networks

CertiCom [5] issues ZigBee Smart Energy certificates tomanufactures whose products are certified by the ZigBeeAlliance The ZigBee Smart Energy PKI uses Elliptic CurveQu Vanstone (ECQV) implicit certificates which serve asan identity certificate for each ZigBee Smart Energy deviceHowever it does not improve ZigBee Pro itself but uses PKIseparately

In this paper we apply the ECDH (Elliptic Curve Diffie-Hellman) [6] key distribution mechanism for ZigBee Provulnerabilities and propose amore efficient ECDHusing sub-MAC [7] that has message authentication and prevents man-in-the-middle attack and replay attack Our research exhibitsan enhanced key mechanism and message authentication inZigBee Pro for ubiquitous sensor networks

The rest of this paper is organized as follows Section 2presents related works Section 3 presents the proposedenhanced key distribution mechanisms Section 4 illustratessimulation environments and analyzes the simulation toevaluate the effectiveness of our scheme In Section 5 weanalyze our approach from the view point of security Finallywe conclude this paper in Section 6

2 Related Work

21 ZigBee Pro ZigBee Pro is a standard specified in ZigBee-2007 ZigBee Pro improves the security of the ZigBee 2006versionwith twonew securitymodes standard securitymodecompatible with the residential security of ZigBee-2006- andhigh security mode compatible with the commercial securityof ZigBee 2006

ZigBee security which is based on a 128 bit AES(Advanced Encryption Standard) [8] algorithm adds to thesecurity model provided by IEEE 802154 The securityservices of ZigBee include methods for key establishmentand transport device management and frame protectionsZigBee uses three types of keys to manage security MasterNetwork and Link

Master Keys are used as an initial shared secret betweentwo devices when they perform the key establishmentprocedure (SKKE) to generate Link Keys Keys that originatefrom the Trust Center are termed Trust Center Master Keyswhile all other keys are termed Application Layer MasterKeys Network Keys perform security for the Network Layeron a ZigBee network All devices on a ZigBee network sharethe same key High Security Network Keys must always besent encrypted over the air while Standard Security NetworkKeys can be sent either encrypted or unencrypted Link Keysas an optional key secure unicast messages between twodevices at the Application Layer Keys that originate from theTrust Center are termed Trust Center Link Keys while allother keys are termed Application Layer Link Keys Table 1summarizes the security keys

ZigBee Pro offers two different security modes (ieStandard and High) and features as shown in Table 2 [9]

In the standard security mode the list of devices MasterKeys Link Keys andNetwork Keys can bemaintained eitherby the Trust Center or by the devices themselves The TrustCenter is still responsible formaintaining a StandardNetwork

Table 1 Security keys

Layer Msg type CreationMasterKeys Application layer Unicast Key transport

PreinstallationNetworkKeys

ApplicationNetwork layer Broadcast Key transport

Preinstallation

LinkKeys Application layer Unicast

Key transportPreinstallation

Key establishment(using Master Key)

Table 2 Security modes

Feature Standard HighNetwork layer security provided using aNetwork Key or or

APS layer security provided using Link Keys or or

Centralized control and update of keys or or

Ability to switch from active to secondary keys or or

Ability to derive Link Keys between devices or

Entity authentication and permissions tablesupported or

Key it controls policies of network admittance In the highsecurity mode the Trust Center maintains a list of devicesMaster Keys Link Keys and Network Keys that it needs tocontrol and enforce the policies of Network Key updates andnetwork admittance

Unlike standard security mode high security modesupports the ability to derive Link Keys between devicesand entity authentication and permissions table supportedThe Master Keys and Network Keys are preinstalled ortransported Link Keys are used in key-establishment basedon a Master Key Unencrypted key transport will give rise toserious security vulnerability [10]

22 ECDH ECDH [6] is a key exchange algorithm the well-known Diffie Hellman [11] key agreement based on ECC(Elliptic Curve Cryptography) [12] ECDH is important inmodern protocols as a key exchange and can be adopted forECC Figure 1 shows the key exchange process

Consider two parties 119860 and 119861 willing to exchange acommon secret key Both have agreed to a common andpublicly known curve 119864 over a finite field as well as to a basepoint 119876 User 119860 randomly chooses 119896

119860 1 lt 119896 lt 2119876 and User

119861 accordingly 119896119861 1 lt 119896 lt 2119876 User 119860 computes a public

key 119876119860= 119896119860119876 User B does 119876

119861= 119896119861119876 User A sends 119876

119860

to User 119861 User 119861 sends 119876119861to User 119860 User 119860 computes the

shared secret key by 119875 = 119896119860119876119861and User B also by 119875 = 119896

119861119876119860

[13] An eavesdropper knows only119876119860and119876

119861but is unable to

compute the secret key from this However vulnerability ofECDH has no authentication [14] and no prevention of man-in-the-middle attack [15]

3 Proposed ZigBee Key Distribution

31 Standard Security Mode The transport-key commandsent from the Router to the Joiner shall not be secured in

International Journal of Distributed Sensor Networks 3

Preparation

User A User B

Publicly send

elliptic curve E base point Q

kA private keyQA

QA

= kAQ public keyP = kAkBQ secret key

kB private keyQB

QB

= kBQ public keyP = kAkBQ secret key

Figure 1 ECDH

standard security mode For this we apply ECDH for secureNetwork key generation and transmission and sub-MACmechanism for message authentication and integrity Weproved that our scheme could provide efficiency by achievinga similar run time and similar energy consumed in standardsecurity mode [16]

32 High Security Mode If the Trust Center does not alreadyshare a Master or Link Key with the newly joined deviceFigure 2 shows the high security mode authentication pro-cedure of ZigBee Pro

The Symmetric-Key Key Establishment (SKKE) protocolis a process in which an initiator device (Trust Center)establishes a Link Key with a responder device (Joiner) usingaMaster KeyThe next step is an entity authentication processbetween Router and Joiner

As in standard security mode Update-Device Commandand Secured Transport-Key Command are encrypted withMaster key but Transport-Key Command sent from theRouter to the Joiner is not secure This has a security issue

The MAC scheme is used for key confirmation in SKKEThe first 128 bits of keying data shall be a Mac Key and thesecond 128 bits shall be a Link Key during Mac Key gener-ation After SKKE the Network Key is securely transmittedusing the Master Key

We propose a procedure to ensure key secure distributionas shown in Figure 3

Trust Center rarr Joiner 119869 119886119876119873119878 sub-MAC(119886119876119873

119878 119869)

(i) 119869 Joinerrsquos 64-bit address(ii) 119886119876 Trust Center generates value for key(iii) 119873

119878 nonce value

(iv) Sub-MAC(119886119876119873119878 119869) sending message sub-MAC

When the Trust Center receives an APSME-UPDATE-DEVICErequest message the Trust Center generates an119886119876 for secure Master Key and nonce 119873

119878 and sends 119869

119886119876 119873119878 sub-MAC(119886119876 119873

119878 119869) to the Joiner The Joiner

generates sub-MAC(119886119876 119873119878 119869) to compare the transmitted

sub-MAC(119886119876119873119878 119869) If they match the Joiner confirms that

the transmitted message has not been modified Otherwisethe Joiner discards the transmitted message If the check issuccessful the Joiner computes 1198701015840 = 119886119887119876 and computes 119870using the Matyas-Meyer-Oseas (MMO) hash function [17]The 160-bit 1198701015840 becomes a 128 bit Network Key 119870

A sub-MAC [7] is constructed by selecting some bits ofan HMAC We reduce the overhead by transmitting onlya part of the actual HMAC rather than the entire HMAC

using sub-MAC Sub-MAC guarantees message integrity andauthentication Our research selects 8-bits of 16 bytes Weassume each node has the same PRNG (Pseudo RandomNumber Generator) [18]

Joiner rarr Trust Center TC 119887119876119873119878+1

sub-MAC(Master119870)

(i) TC Trust Centerrsquos 64-bit address(ii) 119887119876 Joiner generates value for key(iii) 119873

119878+1 add 1 to transmitted nonce

(iv) Sub-MAC(Master 119870) sub-MAC using Master Key

The Joiner sends 119887119876 119873119878+1

and sub-MAC(Master 119870) to theTrust Center the Trust Center computes 1198701015840 Master Key119870 = MMO(1198701015840) and then computes sub-MAC(119870) to checkmessage integrity and computation accuracy

Trust Center rarr Joiner 119864119870(119873119878+1

)

(i) 119864119870(119873119878+1

) encrypt119873119878+1

with Master Key

Next the generated Master Key encrypts 119873119878+1

and theresult 119864

119870(119873119878+1

) is sent to the Joiner to check messageintegrity and announce successful Master Key generationThe Joiner decrypts the 119864

119870(119873119878+1

) with the Master Key andchecks the 119873

119878+1to verify secure Master Key generation If

successful the Trust Center and the Joiner perform the nextstep SKKE to establish a Link Key

4 Simulation and Results

TheQualnet simulator was used to evaluate the performanceof the proposed scheme Our research uses Qualnet 45 [19]with sensor network libraries based on the ZigBee protocoland additional protocols

We composed one clustering network structures Theclusters were composed of 15 nodes Node 1 is a Joiner node16 is a Router and node 8 is a Trust Center

41 Efficiency Analysis of Enhanced Key Mechanism Wepropose an enhanced key distribution scheme using ECDHfor secure and lightweight key distribution and sub-MACto overcome the vulnerability of ECDH The simulation wasperformed ten times in each of the previous four procedureswith Trust Center Router and Joiner

First we performed the key generation in standard secu-rity mode and high security mode proposed key distributionin standard mode (Standard ECDH) and proposed keydistribution in high security mode (High ECDH) Figure 4shows the total run time measurements

The average run time of the standard security mode is05156 seconds and for proposed key distribution in standardmode (Standard ECDH) it is 05778 seconds the difference is00622 seconds When this value is compared to the averagerun time of standard security mode it adds 12 Howeverthe difference 00622 is slight in terms of the figure andcompared to the enhanced security

The average run time of high security mode is 1078 theaverage run time of proposed key distribution in high securitymode (High ECDH) is 06563 it decreases 04217 When this


Trust center Router Joiner

Joined (unauthenticated)

Update-device command

Decision to accept new device

Secured transport-key command (Master Key)Unsecured transport-key command (Master Key)

EA initiator challengeEA responder challenge

EA initiator MAC and dataEA responder MAC and data

SKKE-1 command

SKKE-3 commandSKKE-2 command

SKKE-4 commandSecured transport-key command (NWK key)

Joined (authenticated)

Figure 2 High security mode authentication procedure





K998400= abQ masterK = MMO(K998400) subMAC check

SKKE-1 command

SKKE-3 command

SKKE-2 command

SKKE-4 command

Secured transport-key command (NWK key)




J aQNS subMAC(aQ Ns J)

EK(NS+1)

K998400= abQK = MMO(K

998400) subMAC(K) check

TC bQNS+1 subMAC(master K)

Figure 3 Proposed key distribution in high security mode


Standard ECDH High

05156 05778 1078 06563

0

02

04

06

08

1

12

Aver

age r

un ti

me (

s)

Standard High ECDH

Figure 4 Simulation result-run time

value is compared to the average run time of high securitymode it is decreased by 39 It also provides enhancedsecurity

Next we measured energy consumption in Joiner(Node 1) Router (Node 16) and Trust Center (Node 18)Figure 5 shows average energy consumption in transmitmode Figure 6 shows average energy consumption in receivemode The average energy consumption of each node fortransmit mode and receive mode is similar

Table 3 details the values When the proposed key distri-bution in security mode is compared to the standard securitymode it consumes more energy Especially the receive modeof the Trust Center (N18-R) shows the maximum difference0001447mJoule However the Trust Center has sufficientcapacity and energy so this difference is negligible Thesecond difference is 0001412mJoule in the receive mode ofthe Joiner (N1-R) The sensor node uses two AA alkaloidbatteries An AA alkaloid battery contains a maximum of3000mAh so the total energy is 6000mAh The formalvoltage of an AA battery assumes 15 volts The amount ofeletric power is 9Wh products of 6Ah and 15 V and this isconverted into 32400 J 3600X 9 (J) [20] The difference isslight compared to 32400 J

The energy consumption of the high security modeand proposed key distribution in high security mode(High ECDH) is similar The energy consumption of pro-posed key distribution in high security mode (High ECDH)decreases except for the transmit mode of the Joiner (N1-T)and the receive mode of the Router (N16-R) Moreover theproposed scheme enhances security

5 Security Analysis

In this section we analyze our enhanced key distributionfor ZigBee Pro that provides security properties and resistssome general attacks ZigBee Pro is vulnerable in the caseof key distribution in two security modes ECDH cannotprevent man-in-the-middle attack and does not provideauthentication However our proposed scheme overcomesthese vulnerabilities and enhances security Our schemecould resist man-in-the-middle attack replay attack and

00005

0010015002

0025003

0035004

0045005

0055

Node 1Node 16

Node 18

0000217

0049272

0000365

0000899

0050564

0000853

0000663

0050272

000091

0050224

0000909

Ener

gy co

nsum

ptio

n pe

r a n

ode

(mJo

ule)

Standard HighStandard ECDH High ECDH

00000 0002170 000365

0000899000085

0000663000

0

249272004920050564

00050564

00502720 05027200502244

0000666

Figure 5 Energy consumed in transmit mode

Standard High

0

0005

001

0015

002

0025

Node 1Node 16 Node 18

0020517

0000435

0020515

0021929

0001348

00219620021754

0001212

00216210021687

0001214

0021573En

ergy

cons

umpt

ion

per a

nod

e (m

Joul

e)

Standard ECDH High ECDH

Figure 6 Energy consumed in receive mode

Table 3 Energy consumption

STANDARD Stand ECDH High High ECDHN1-T 0000217 0000899 0000663 0000666N1-R 0020517 0021929 0021754 0021687N16-T 0049272 0050564 0050272 0050224N16-R 0000435 0001348 0001212 0001214N18-T 0000365 0000853 000091 0000909N18-R 0020515 0021962 0021621 0021573

ensure confidentiality of keys message authentication andmessage integrity [16]

We assume that an attacker does not know the sub-MACmethod Therefore even if the attacker knows the Joinerrsquosprivate key b heshe cannot make the sub-MAC messageIf the attacker tries to make the sub-MAC message theprobability of failure enhances because the attacker doesnot know how to create a sub-MAC message using MasterKey Additionally there is a public key infrastructure (PKI)


system The Trust Center assures the private key 119887 using thereceived public key 119887119876 through a certificate authority (CA)

The security of a MAC scheme can be quantified in termsof the success probability achievable as a function of totalnumber of queries to forge the MAC [21] The security of a119894-byte MAC is quantified as 2(119894times8) because an intruder has a 1in 2(119894times8) chance in blindly forging the MAC To increase thesecurity of aMAC its size should be increased Increasing thesize of the MAC also increases the communication overhead[22] Our sub-MAC selects 8 bits of 128 bits Therefore thesecurity of the sub-MAC is 28 Hence the possibility that thefalse data are not detected by a sub-MAC is 128 (=00039)Moreover the communication overhead is reduced by 116(=00625) Consequently the size of the sub-MAC is directlyrelated to the strength of the security and the communicationoverhead A balance needs to be achieved between the desiredsecurity level and the transmission overhead [7]

51 BAN Analysis BAN logic (the Logic of Authenticationof Burrows Abadi and Needham) [23] is widely used andstudied in formal analysis due to its simplicity and efficiencyThe BAN logic is a model logic based on belief and can beused in the analysis and design of a cryptographic protocolThe use of a formal language in the analysis and designprocess can exclude faults and improve the security of theprotocol

511 Basic Notations The symbols 119860 119861 119875 and 119876 are prin-cipals involved in this sort of key agreement protocol 119870

119860119861

represents a good session key for communication between 119860and 119861 [24]

119875| equiv 119883 Principal 119875 believes 119883 119875 believes as if 119883 istrue119875 ⊲ 119883 119875 sees119883 119860 principal has sent 119875 a messagecontaining119883119875| sim 119883 Principal 119875 once said 119883 119875 at some time be-lieved119883 and sent it as part of a message119875 rArr 119883 Principal 119875 has jurisdiction over119883 Principal119875 has authority over119883 and is trusted in this matter(119883) The formula 119883 is fresh That is 119883 has not beensent in amessage at any time before the current run ofthe protocol Amessage that is created for the purposeof being fresh is called a nonce

119875119870

larrrarr 119876 119875 and 119876 may use a shared key 119870 tocommunicate The key is good and will always beknown only to 119875 and 119876 and to any other principaltrusted by either of them119883119870119883 is encrypted using key 119870

512 Inference Rules Message Meaning Rules for sharedkeys

119875 |equiv 119875119870

larrrarr 119876 119875 ⊲ 119883119870

119875 |equiv 119876 |sim 119883

(1)

If principal 119875 believes that key 119870 is shared only withprincipal 119876 and sees a message 119883 encrypted under a key 119870it believes only with principal 119876 119875 may conclude that it wasoriginally created by 119876 who once said its contentsJurisdiction Rule is as Follows

119875 |equiv 119875 997904rArr 119876 119875 |equiv 119876 |equiv 119883

119875 |equiv 119883

(2)

If119875 believes that119876 believes119883 and also believes that119876 hasjurisdiction over119883 then 119875 should believe119883 tooNonce Verification Rule is as Follows

119875 |equiv (119883) 119875 |equiv 119876 |sim 119883119875 |equiv 119876 |equiv 119883

(3)

If119875 believes that119883 is fresh and that119876 once said119883 then119875believes that 119876 has said119883 during the current run of protocoland hence that 119876 believes119883 at present In order to apply thisrule 119883 should not contain any encrypted text The nonceverification rule is the only way of ldquopromotingrdquo once saidassertion to actual belief

52 BAN Analysis of the Proposed Key Distribution

Initialization Hypothesis is as Follows

(1) Trust Center |equiv TC

(2) Trust Center |equiv Joiner |equiv 119869

(3) Trust Center |equiv JoinerrArr 119886119876

(4) Trust Center |equiv sub-MAC

(5) Joiner |equiv 119869

(6) Joiner |equiv Trust Center |equiv TC

(7) Joiner |equiv Trust CenterrArr 119887119876

(8) Joiner |equiv sub-MAC

Proposed Key Distribution Idealization

(1) Trust Center rarr Joiner 119869 119886119876119873119878 and sub-MAC(119886119876

119873119878 119869)

(2) Joiner rarr Trust Center TC 119887119876 119873119878+1

and sub-MAC(119870)

(3) Trust Center rarr Joiner 119864119870(119873119878+1

)

Goal

Trust Center |equiv Trust Center 119870larrrarr Joiner

Joiner |equiv Trust Center 119870larrrarr Joiner

Trust Center |equiv Joiner |equiv Trust Center 119870larrrarr Joiner

Joiner |equiv Trust Center |equiv Trust Center 119870larrrarr Joiner


AnalysisThrough the proposed key distribution idealization(1) we can get

Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873

119878 119869) Joiner |equiv sub-MAC

Joiner |equiv 119869 119886119876119873119878

Joiner |equiv 119886119876Joiner |equiv 119870

(4)

Through the proposed key distribution idealization (2)we can get

Trust Center ⊲ TC 119887119876119873119878+1 (5)

The Trust Center computes 119870 and then sub-MAC(119870) asfollows

Trust Center ⊲ sub-MAC (119870) Trust Center |equiv sub-MACTrust Center |equiv 119870

Trust Center |equiv 119870Trust Center |equiv 119887119876Trust Center |equiv (119873

119878+1)

Trust Center |equiv 119870


(6)

And then Trust Center |equiv Joiner |equiv Trust Center 119870larrrarrJoiner


Joiner ⊲ 119873119878+1119870

Joiner |equiv Truster Center 119870larrrarr Joiner (7)

And then Joiner |equiv Trust Center |equiv Trust Center 119870larrrarrJoiner

According to the formalization analysis we can get theconclusion that the proposed key distribution can resist man-in-the-middle-attack and replay attack

6 Conclusion

This work proposed an enhanced key distribution schemeusing ECDH and sub-MAC for efficiency and security Wehave applied ECDH for secure key distribution and improvedvulnerability of ECDH using sub-MAC and nonce formessage freshness and integrity

We compared ZigBee Pro to the proposed scheme Weproved that our scheme could provide efficiency by achievinga shorter run time and lower energy consuming in highsecurity mode Security analysis proved our scheme couldresist man-in-the-middle attack replay attack and provideconfidentiality message authentication and integrity Conse-quenly the proposed scheme provides lightweight and securekey distribution compared to ZigBee Pro We are going toexperiment our proposed scheme with ZigBee devices infuture work

Acknowledgments

The work was supported by Ewha Global Top 5 Grant 2011of Ewha Womans University and World Class UniversityProgram (R33-10085) throughNational Research Foundationof Korea funded by the Ministry of Education Science andTechnology It was also in part supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0014020)

References

[1] IEEE Std 802154-2003 ldquoWireless Medium Access Control andPhysical Layer Specifications for Low-Rate Wireless PersonalArea Networksrdquo IEEE 2003

[2] ZigBee Alliance ldquoZigBee-2007 Specificationrdquo January 2008[3] httpwwwzigbeeorgStandardsOverviewaspx[4] ZigBeeAlliance ldquoZigBeeHomeAutomation PublicApplication

Profilerdquo ZigBee Document 053520r26 February 2010 httpzigbeeorgStandardsZigBeeHomeAutomationdownloadaspx

[5] httpwwwcerticomcomindexphpdevice-authentication-servicesmart-energy-device-certificate-service

[6] Certicom ldquoStandards for Efficient Cryptography SEC 1 EllipticCurve Cryptographyrdquo Ver 10 September 2000 httpwwwsecgorgdownloadaid-385sec1 finalpdf

[7] H Cam N Challa and M Sikri ldquoSecure and efficient datatransmission over body sensor and wireless networksrdquo EurasipJournal onWireless Communications and Networking vol 2008Article ID 291365 18 pages 2008

[8] Advanced Encryption Standard FIPS 197 November 2001httpcsrcnistgovpublicationsfipsfips197fips-197pdf

[9] Daintree Networks Inc ldquoGetting Started with ZigBee and IEEE802154rdquo February 2008

[10] C Alcaraz and J Lopez ldquoA security analysis for wireless sensormesh networks in highly critical systemsrdquo IEEE Transactionson Systems Man and Cybernetics C vol 40 no 4 pp 419ndash4282010

[11] W Diffie and M E Hellman ldquoNew direction in cryptographyrdquoIEEE Transactions on Information Theory vol IT-22 no 6 pp644ndash654 1976

[12] N Koblitz ldquoElliptic curve cryptosystemsrdquo Mathematics ofComputation vol 48 no 177 1987

[13] E Blaszlig and M Zitterbart ldquoEfficient implementation of ellipticcurve cryptography for wireless sensor networksrdquo TeleMaticsTechnical Report 2005

[14] G DeMeulenaer F Gosset F-X Standaert andO Pereira ldquoOnthe energy cost of communication and cryptography in wirelesssensor networksrdquo in Proceedings of the 4th IEEE InternationalConference on Wireless and Mobile Computing Networking andCommunication (WiMob rsquo08) pp 580ndash585 October 2008

[15] T Chung and U Roedig ldquoDHB-KEY an efficient key distribu-tion scheme for wireless sensor networksrdquo in Proceedings of the5th IEEE International Conference onMobile Ad-Hoc and SensorSystems (MASS rsquo08) pp 840ndash846 October 2008

[16] K Choi M J Yoon M H Kim and K J Chae ldquoAn enhancedkey management using ZigBee Pro for wireless sensor net-worksrdquo in Proceedings of the 26th International Conference onInformation Networking (ICOIN rsquo12) Bali Indonesia February2012


[17] A JMenezes P C vanOorschot and S AVanstoneHandbookof Applied Cryptography CRC Press 1996

[18] D Seetharam and S Rhee ldquoAn efficient pseudo randomnumbergenerator for low-power sensor networksrdquo in Proceedings of the29th Annual IEEE International Conference on Local ComputerNetworks (LCN rsquo04) pp 560ndash562 Tampa Fla USA November2004

[19] QualNet 4 5 Scalable Network Technologies Inc httpwwwscalable-networkscom

[20] K Choi M-H Kim K-J Chae J-J Park and S-S Joo ldquoAnefficient data fusion and assurance mechanism using temporaland spatial correlations for home automation networksrdquo IEEETransactions on Consumer Electronics vol 55 no 3 pp 1330ndash1336 2009

[21] P Gauravaram W Millan J G Nieto and E Dawson ldquo3C-Aprovably secure pseudorandom function and message authen-tication code a new mode of operation for cryptographic hashfunctionrdquo Cryptology ePrint Archive Rep 2005

[22] S Ozdemir and H Cam ldquoIntegration of false data detectionwith data aggregation and confidential transmission in wirelesssensor networksrdquo IEEEACM Transactions on Networking vol18 no 3 pp 736ndash749 2010

[23] M Burrows M Abadi and R Needham ldquoLogic of authentica-tionrdquo ACM Transactions on Computer Systems vol 8 no 1 pp18ndash36 1990

[24] S Yang andX Li ldquoA limitation of BAN logic analysis on anman-in-the-middle attackrdquo Journal of Information and ComputingScience vol 1 no 3 pp 131ndash138 2006

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of



RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



CertiCom [5] issues ZigBee Smart Energy certificates tomanufactures whose products are certified by the ZigBeeAlliance The ZigBee Smart Energy PKI uses Elliptic CurveQu Vanstone (ECQV) implicit certificates which serve asan identity certificate for each ZigBee Smart Energy deviceHowever it does not improve ZigBee Pro itself but uses PKIseparately

In this paper we apply the ECDH (Elliptic Curve Diffie-Hellman) [6] key distribution mechanism for ZigBee Provulnerabilities and propose amore efficient ECDHusing sub-MAC [7] that has message authentication and prevents man-in-the-middle attack and replay attack Our research exhibitsan enhanced key mechanism and message authentication inZigBee Pro for ubiquitous sensor networks

The rest of this paper is organized as follows Section 2presents related works Section 3 presents the proposedenhanced key distribution mechanisms Section 4 illustratessimulation environments and analyzes the simulation toevaluate the effectiveness of our scheme In Section 5 weanalyze our approach from the view point of security Finallywe conclude this paper in Section 6

2 Related Work

21 ZigBee Pro ZigBee Pro is a standard specified in ZigBee-2007 ZigBee Pro improves the security of the ZigBee 2006versionwith twonew securitymodes standard securitymodecompatible with the residential security of ZigBee-2006- andhigh security mode compatible with the commercial securityof ZigBee 2006

ZigBee security which is based on a 128 bit AES(Advanced Encryption Standard) [8] algorithm adds to thesecurity model provided by IEEE 802154 The securityservices of ZigBee include methods for key establishmentand transport device management and frame protectionsZigBee uses three types of keys to manage security MasterNetwork and Link

Master Keys are used as an initial shared secret betweentwo devices when they perform the key establishmentprocedure (SKKE) to generate Link Keys Keys that originatefrom the Trust Center are termed Trust Center Master Keyswhile all other keys are termed Application Layer MasterKeys Network Keys perform security for the Network Layeron a ZigBee network All devices on a ZigBee network sharethe same key High Security Network Keys must always besent encrypted over the air while Standard Security NetworkKeys can be sent either encrypted or unencrypted Link Keysas an optional key secure unicast messages between twodevices at the Application Layer Keys that originate from theTrust Center are termed Trust Center Link Keys while allother keys are termed Application Layer Link Keys Table 1summarizes the security keys

ZigBee Pro offers two different security modes (ieStandard and High) and features as shown in Table 2 [9]

In the standard security mode the list of devices MasterKeys Link Keys andNetwork Keys can bemaintained eitherby the Trust Center or by the devices themselves The TrustCenter is still responsible formaintaining a StandardNetwork

Table 1 Security keys

Layer Msg type CreationMasterKeys Application layer Unicast Key transport

PreinstallationNetworkKeys

ApplicationNetwork layer Broadcast Key transport

Preinstallation

LinkKeys Application layer Unicast

Key transportPreinstallation

Key establishment(using Master Key)

Table 2 Security modes

Feature Standard HighNetwork layer security provided using aNetwork Key or or

APS layer security provided using Link Keys or or

Centralized control and update of keys or or

Ability to switch from active to secondary keys or or

Ability to derive Link Keys between devices or

Entity authentication and permissions tablesupported or

Key it controls policies of network admittance In the highsecurity mode the Trust Center maintains a list of devicesMaster Keys Link Keys and Network Keys that it needs tocontrol and enforce the policies of Network Key updates andnetwork admittance

Unlike standard security mode high security modesupports the ability to derive Link Keys between devicesand entity authentication and permissions table supportedThe Master Keys and Network Keys are preinstalled ortransported Link Keys are used in key-establishment basedon a Master Key Unencrypted key transport will give rise toserious security vulnerability [10]

22 ECDH ECDH [6] is a key exchange algorithm the well-known Diffie Hellman [11] key agreement based on ECC(Elliptic Curve Cryptography) [12] ECDH is important inmodern protocols as a key exchange and can be adopted forECC Figure 1 shows the key exchange process

Consider two parties 119860 and 119861 willing to exchange acommon secret key Both have agreed to a common andpublicly known curve 119864 over a finite field as well as to a basepoint 119876 User 119860 randomly chooses 119896

119860 1 lt 119896 lt 2119876 and User

119861 accordingly 119896119861 1 lt 119896 lt 2119876 User 119860 computes a public

key 119876119860= 119896119860119876 User B does 119876

119861= 119896119861119876 User A sends 119876

119860

to User 119861 User 119861 sends 119876119861to User 119860 User 119860 computes the

shared secret key by 119875 = 119896119860119876119861and User B also by 119875 = 119896

119861119876119860

[13] An eavesdropper knows only119876119860and119876

119861but is unable to

compute the secret key from this However vulnerability ofECDH has no authentication [14] and no prevention of man-in-the-middle attack [15]

3 Proposed ZigBee Key Distribution

31 Standard Security Mode The transport-key commandsent from the Router to the Joiner shall not be secured in


Preparation

User A User B

Publicly send


kA private keyQA

QA


kB private keyQB

QB


Figure 1 ECDH








119878 119869)


119878 nonce value



119878 and sends 119869

119886119876 119873119878 sub-MAC(119886119876 119873












The Joiner sends 119887119876 119873119878+1



)

(i) 119864119870(119873119878+1

) encrypt119873119878+1

with Master Key



119870(119873119878+1


119870(119873119878+1



















SKKE-1 command










SKKE-1 command

SKKE-3 command

SKKE-2 command

SKKE-4 command






EK(NS+1)






Standard ECDH High

05156 05778 1078 06563

0

02

04

06

08

1

12

Aver

age r

un ti

me (

s)

Standard High ECDH






5 Security Analysis


00005

0010015002

0025003

0035004

0045005

0055

Node 1Node 16

Node 18

0000217

0049272

0000365

0000899

0050564

0000853

0000663

0050272

000091

0050224

0000909

Ener

gy co

nsum

ptio

n pe

r a n

ode

(mJo

ule)


00000 0002170 000365

0000899000085

0000663000

0

249272004920050564

00050564

00502720 05027200502244

0000666


Standard High

0

0005

001

0015

002

0025


0020517

0000435

0020515

0021929

0001348

00219620021754

0001212

00216210021687

0001214

0021573En

ergy

cons

umpt

ion

per a

nod

e (m

Joul

e)












119860119861



119875119870



119875 |equiv 119875119870

larrrarr 119876 119875 ⊲ 119883119870

119875 |equiv 119876 |sim 119883

(1)



119875 |equiv 119883

(2)



(3)














119873119878 119869)


and sub-MAC(119870)


)

Goal







Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873


Joiner |equiv 119869 119886119876119873119878


(4)


Trust Center ⊲ TC 119887119876119873119878+1 (5)




119878+1)



(6)



Joiner ⊲ 119873119878+1119870




6 Conclusion



Acknowledgments


References



























RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










Preparation

User A User B

Publicly send


kA private keyQA

QA


kB private keyQB

QB


Figure 1 ECDH








119878 119869)


119878 nonce value



119878 and sends 119869

119886119876 119873119878 sub-MAC(119886119876 119873












The Joiner sends 119887119876 119873119878+1



)

(i) 119864119870(119873119878+1

) encrypt119873119878+1

with Master Key



119870(119873119878+1


119870(119873119878+1



















SKKE-1 command










SKKE-1 command

SKKE-3 command

SKKE-2 command

SKKE-4 command






EK(NS+1)






Standard ECDH High

05156 05778 1078 06563

0

02

04

06

08

1

12

Aver

age r

un ti

me (

s)

Standard High ECDH






5 Security Analysis


00005

0010015002

0025003

0035004

0045005

0055

Node 1Node 16

Node 18

0000217

0049272

0000365

0000899

0050564

0000853

0000663

0050272

000091

0050224

0000909

Ener

gy co

nsum

ptio

n pe

r a n

ode

(mJo

ule)


00000 0002170 000365

0000899000085

0000663000

0

249272004920050564

00050564

00502720 05027200502244

0000666


Standard High

0

0005

001

0015

002

0025


0020517

0000435

0020515

0021929

0001348

00219620021754

0001212

00216210021687

0001214

0021573En

ergy

cons

umpt

ion

per a

nod

e (m

Joul

e)












119860119861



119875119870



119875 |equiv 119875119870

larrrarr 119876 119875 ⊲ 119883119870

119875 |equiv 119876 |sim 119883

(1)



119875 |equiv 119883

(2)



(3)














119873119878 119869)


and sub-MAC(119870)


)

Goal







Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873


Joiner |equiv 119869 119886119876119873119878


(4)


Trust Center ⊲ TC 119887119876119873119878+1 (5)




119878+1)



(6)



Joiner ⊲ 119873119878+1119870




6 Conclusion



Acknowledgments


References



























RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

















SKKE-1 command










SKKE-1 command

SKKE-3 command

SKKE-2 command

SKKE-4 command






EK(NS+1)






Standard ECDH High

05156 05778 1078 06563

0

02

04

06

08

1

12

Aver

age r

un ti

me (

s)

Standard High ECDH






5 Security Analysis


00005

0010015002

0025003

0035004

0045005

0055

Node 1Node 16

Node 18

0000217

0049272

0000365

0000899

0050564

0000853

0000663

0050272

000091

0050224

0000909

Ener

gy co

nsum

ptio

n pe

r a n

ode

(mJo

ule)


00000 0002170 000365

0000899000085

0000663000

0

249272004920050564

00050564

00502720 05027200502244

0000666


Standard High

0

0005

001

0015

002

0025


0020517

0000435

0020515

0021929

0001348

00219620021754

0001212

00216210021687

0001214

0021573En

ergy

cons

umpt

ion

per a

nod

e (m

Joul

e)












119860119861



119875119870



119875 |equiv 119875119870

larrrarr 119876 119875 ⊲ 119883119870

119875 |equiv 119876 |sim 119883

(1)



119875 |equiv 119883

(2)



(3)














119873119878 119869)


and sub-MAC(119870)


)

Goal







Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873


Joiner |equiv 119869 119886119876119873119878


(4)


Trust Center ⊲ TC 119887119876119873119878+1 (5)




119878+1)



(6)



Joiner ⊲ 119873119878+1119870




6 Conclusion



Acknowledgments


References



























RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










Standard ECDH High

05156 05778 1078 06563

0

02

04

06

08

1

12

Aver

age r

un ti

me (

s)

Standard High ECDH






5 Security Analysis


00005

0010015002

0025003

0035004

0045005

0055

Node 1Node 16

Node 18

0000217

0049272

0000365

0000899

0050564

0000853

0000663

0050272

000091

0050224

0000909

Ener

gy co

nsum

ptio

n pe

r a n

ode

(mJo

ule)


00000 0002170 000365

0000899000085

0000663000

0

249272004920050564

00050564

00502720 05027200502244

0000666


Standard High

0

0005

001

0015

002

0025


0020517

0000435

0020515

0021929

0001348

00219620021754

0001212

00216210021687

0001214

0021573En

ergy

cons

umpt

ion

per a

nod

e (m

Joul

e)












119860119861



119875119870



119875 |equiv 119875119870

larrrarr 119876 119875 ⊲ 119883119870

119875 |equiv 119876 |sim 119883

(1)



119875 |equiv 119883

(2)



(3)














119873119878 119869)


and sub-MAC(119870)


)

Goal







Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873


Joiner |equiv 119869 119886119876119873119878


(4)


Trust Center ⊲ TC 119887119876119873119878+1 (5)




119878+1)



(6)



Joiner ⊲ 119873119878+1119870




6 Conclusion



Acknowledgments


References



























RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation














119860119861



119875119870



119875 |equiv 119875119870

larrrarr 119876 119875 ⊲ 119883119870

119875 |equiv 119876 |sim 119883

(1)



119875 |equiv 119883

(2)



(3)














119873119878 119869)


and sub-MAC(119870)


)

Goal







Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873


Joiner |equiv 119869 119886119876119873119878


(4)


Trust Center ⊲ TC 119887119876119873119878+1 (5)




119878+1)



(6)



Joiner ⊲ 119873119878+1119870




6 Conclusion



Acknowledgments


References



























RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











Joiner⊲119869 119886119876119873119878 sub-MAC(119886119876119873


Joiner |equiv 119869 119886119876119873119878


(4)


Trust Center ⊲ TC 119887119876119873119878+1 (5)




119878+1)



(6)



Joiner ⊲ 119873119878+1119870




6 Conclusion



Acknowledgments


References



























RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation




















RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









Research Article Secure and Lightweight Key Distribution...

Documents

Transcript of Research Article Secure and Lightweight Key Distribution...