Sensor networks are used to monitor chemical, biological, physical, environmental or any other kind of phenomena in real-time environments. Sensor networks consist of resource constrained sensor devices, which relay their sensed data to a central server through the network using wireless communications [1]. This data is processed or used at the central server according to the application requirements. In order to increase efficiency, information is also filtered in the intermediate nodes.

A wireless body area network (WBAN) is formed when sensor nodes are tactfully placed on human body to collect its biometrics or activities. Applications of WBAN include healthcare, lifecare and athlete examination. Healthcare includes care for inpatients especially those who are seriously ill, unconscious or under intensive care. Lifecare includes patients who live their lives normally but may require medical care at any time. For example, lifecare facilities are useful in monitoring health of elderly people and pregnant women in real-time. Lack of timely medical care may cost some people their lives, e.g., heart patients or high risk pregnant women. Also, WBANs are very useful in examining and monitoring an athlete’s body.

The use of WBAN in applications, which are crucial for human life, highlights importance of its security. Apart from making sure that a person’s biometric information is not tampered with, it is important to ensure confidentiality of the person’s information. Key management plays a pivotal role in ensuring data integrity and protecting patient’s private data from eavesdroppers and unauthorized users.

In order to ensure confidentiality and integrity, highly secure state-of-the-art mechanisms such as TLS [2] and Kerberos [3] exist but they are too heavy to run on resource constrained sensor nodes. Mechanisms such as LEAP+ [4], SHELL [5] and MUQAMI+ [6] are resource efficient for sensor nodes but they are designed keeping in mind unattended large scale Wireless Sensor Networks (WSN), in which all nodes may not be in communication range of each other. Apart from being small scale wireless network that can have human intervention, WBAN have all nodes in communication range of each other. Also, application characteristics of WBAN can be exploited to further reduce key management overhead as discussed in [7]. Differences between WSN and WBAN are discussed in detail in the following section (Section 1.2.).

WBAN are adhoc networks formed by sensor nodes placed on different parts of a human body. Sensor nodes have less memory, computation and communication capabilities. Also, they have limited energy resources. Based on above properties, WBAN are classified into same category as WSN and treated in the same way when designing key management schemes. However, we find that WBAN are different from usual WSN in many ways.

Firstly, WBAN and WSN differ in scale. For WSN, number of nodes may be in thousands while WBAN consists of very few nodes, which may not exceed twenty. Obvious reason for this difference is usability. In humanware applications, sensor devices can be placed in watches, lockets or other wearable things. People may not agree to wear a lot of devices. If they do, it hampers their daily routine.

Secondly, nodes in WBAN are very close to each other as opposed to WSN. Nodes in WSN are scattered in large area like battlefield while nodes in WBAN are placed in small area, i.e., a human body. Placing sensor nodes on a human body brings many of them in communication range of each other. Communication protocols have been designed keeping in mind such topology [8].

Thirdly, a compromised node can be physically removed in WBAN, which may not be the case in WSN because human intervention is not always possible in WSN. In WBAN applications, which are crucial for human life, it is essential to physically replace compromised nodes. For example, if there is only one node measuring a serious patient’s heart rate, it must be replaced immediately. Since it is possible to physically remove a compromised node in WBAN, it is not efficient to use node eviction strategies in key management scheme.

Lastly, WBAN are used to measure biometrics from human body. Biometric values exhibit sufficient randomness properties and can be used to generate random numbers for cryptographic keys [9]. [9] uses “the last digit fluctuation method” to generate random sequence from biometric data and extracts the least significant bit from every reading. Also, [9] proves that the least significant bit from every reading have sufficient randomness. According to [9], about n readings are required to generate an n bit key, which is viable because sensor nodes sense biometrics a lot more often than they relay its values to the central server. There are two reasons for preferring physiological value based keying over pseudo-random number generators: Firstly, pseudo-random number generators require heavy computations as compared to physiological value based keying. Secondly, all random numbers are independent of each other in physiological value based keying as opposed to pseudo-random number generators. In pseudo-random number generators, a mathematical algorithm and a seed value are used to generate random numbers. If the algorithm and the seed value are exposed, the sequence of random numbers becomes deterministic. Also, obtaining truly random seed value is also a challenge. Phenomena that are measured in WSN applications may not have such randomness properties. WBAN can not be treated as a Wireless Personal Area Network (WPAN) because of the same reason. Some researchers use biometrics for key generation [10, 11]. Some of them argue that sensor nodes do not even need to exchange keys [12–14]. They rely on the assumption that two nodes can sense a biometric at the same time. After that, they apply error-correcting codes at both the communicating nodes. Apart from extra computations and time synchronization issues, this assumption imposes another constraint on the network, i.e., some nodes should be able to sense more than one biometric, which may not be practically possible. Also, such schemes do not take into account those nodes, which are not used for sensing biometrics. For more detail, refer to the system model of WBANs described in Section 3.

Differences between WBAN and WSN are summarized in Table 1. The only difference in security requirement of WBAN and WSN evident from Table 1 is that a compromised node in WBAN scenario need not be evicted through software because human intervention is always possible. However, there is also difference between types of attack that can take place through compromised nodes in WBAN and WSN scenarios. In WBAN, we do not need to take care of routing attacks such as selective forwarding, wormhole and sinkhole attacks because many nodes have the cluster head node in their communication range. Nodes, which have very limited communication range, can communicate through one intermediate node. Moreover, due to the fact that WBAN are small scale networks, in which many nodes are in communication range of each other, we do not need to employ strategies to prevent attack propagation in WBAN. Table 2 outlines the differences between security requirements of WBAN and WSN.

From Table 2, it is clear that the security requirements of WBAN are less complex than that of WSN. Also, from Table 1 we learn that we can achieve more efficiency in key management solutions if we exploit the characteristics of WBAN applications while designing key management scheme for WBANs.

Key management schemes of WSN prove to be overly complex for WBAN because security requirements of WSN are more complex than that of WBAN. Also, key management schemes designed for WSN can not take advantage of the characteristics of WBAN applications in order to achieve more efficiency. Therefore, we present BARI+ (In the conference version, we named this protocol BARI [15]. Since it is improved and described more elaborately in this journal version, we have named it BARI+), which is a distributed key management scheme that fulfills the security requirements (as stated in Table 2) of WBAN. Apart from fulfilling security requirements of WBANs, BARI+ also exploits application characteristics of WBAN to achieve more efficiency.

BARI+ is a distributed key management scheme, which makes use of key refreshment schedules to distribute key management responsibility among all nodes in a WBAN in a fair manner. All nodes in WBAN are able to take part in key management because nodes need not generate keys themselves. After presenting our scheme, its overhead is analyzed and compared with other state-of-the-art schemes. Apart from analyzing storage and communication overhead, security of our scheme is also analyzed.

Rest of this paper is organized as follows: Section 2. outlines the related work followed by section 3., which states the system model and assumptions. Section 4. presents our scheme. Section 5. analyzes our scheme and compares it with other state-of-the-art key management schemes. Section 6. presents simulation results and then Section 7. concludes the paper. In this paper we use many abbreviations and notations like WBAN for wireless body area networks. Refer to Table 3 for complete list of notations used in this paper.

PS is deployed in the beginning. Throughout network lifetime, PS is connected with the medical server through an external secure communication channel, which may be the internet. PS comes pre-loaded with K_admin, K_comm and basic keys of all nodes that are to be deployed in the network. Also, identities and authentication codes of all nodes are pre-loaded in the PS. These codes are used to authenticate the sensor nodes. After the PS is deployed, sensor devices are deployed on various parts of the body. Sensor nodes come pre-loaded with authentication codes of all nodes in the network, K_admin and their respective K_bsc and K_SN,MS. Soon after deployment, every node sends discovery message to the PS as follows: m 1 : ∀ i                   if   ∃   SN i : SN i → PS : E K admin { ID i | Auth _ Code i }In WBAN, some sensor nodes may have very little communication range. MS informs the PS about deployment of such nodes in advance. If such nodes are to be deployed, the PS commands other nodes to forward discovery messages of such nodes to the PS. After all the sensor nodes are deployed, the PS generates a key refreshment schedule for K_admin. It then broadcasts the refreshment schedule and initial value of K_comm in the network as follows: m 2 : PS → * : E K admin { K comm | Key _ Ref _ Schedule | Auth _ Code PS | Timestamp }In order to prevent the PS from waiting forever, there is a timer. As soon as the last expected node’s discovery message is received or the timer expires, the PS calculates the refreshment schedule and broadcasts its initial message m2. All subsequent nodes are treated as added nodes and deployed through the procedure explained in Subsection 4.3.

In order to refresh K_comm, PS computes a value from biometrics as the value of new K_comm. It then encrypts the new value of K_comm with K_admin and broadcasts it into the network as follows: m 1 : PS → * : E K admin { K comm | Auth _ Code PS }Administrative key is refreshed periodically. When the turn of sensor node i arrives, sensor node i waits for a certain period of time, computes a new value for K_admin from biometrics and broadcasts it in the network as follows: m 1 : SN i → * : E K admin old { K admin new | Auth _ Code i }When the key refreshment schedule expires, the PS calculates the new schedule, encrypts it in the current value of K_admin and broadcasts it into the network as follows: m 1 : PS → * : E K admin { Key _ Ref _ Schedule | Auth _ Code PS | Timestamp }When a network is deployed, key refreshment timeout of every sensor node is decided according to pre-defined criteria. However, PS can decide to refresh K_admin at any point in time if it detects malicious activities. In such scenario, the PS sends key refresh message to the node, which is supposed to refresh K_admin next time. For example, if it is the turn of sensor node i to refresh the administrative key, following messages will be exchanged to refresh K_admin: m 1 : PS → SN i : E K admin { Key _ Refersh _ Msg | Auth _ Code PS | Timestamp } m 2 : SN i → * : E K admin old { K admin new | Auth _ Code i }In order to maintain forward secrecy, K_admin needs to be refreshed through K_bsc regularly. Also, K_admin needs to be refreshed through K_bsc in case of sensor node compromise. In order to refresh K_admin through K_bsc, the PS computes new values of basic keys and refreshes K_admin using K_bsc of the sensor nodes: m 1 : ∀ i                   if   ∃   SN i : PS → SN i : E K bsc _ old i { K admin | K bsc _ new i | Auth _ Code new i | Auth _ Code PS } m 2 : PS → * : E K admin { K comm | Auth _ Code PS }Although basic keys are used only once and refreshed after every use, it is possible that they need to be refreshed using some other key. For example, if the PS is compromised. Therefore, we think it is important to have a procedure to recover from such catastrophic failures. In such scenario, authentication code of the PS is also refreshed. If a new PS is deployed, it comes pre-loaded with K_admin and K_comm. MS sends identities, authentication codes and basic keys of the sensor nodes to the newly deployed PS. If the PS is not replaced, MS sends new values of K_bsc to the PS. Also, MS encrypts new values of K_bsc, along with the new authentication code of PS, in K_SN,MS of all sensor nodes and sends them to the PS through an external secure communication channel, which may be the internet. After receiving messages encrypted in K_SN,MS of the sensor nodes, PS just forwards them to the respective sensor nodes. Whenever K_bsc is refreshed, K_admin and K_comm are also refreshed. Following message exchanges take place between the PS and sensor nodes when K_bsc is refreshed using K_SN,MS: m 1 : ∀ i                   if   ∃   SN i : PS → SN i : E K SN , MS _ old i { K bsc i | Auth _ Code new PS | K SN , MS _ new i | Auth _ Code MS } m 2 : ∀ i                   if   ∃   SN i : PS → SN i : E K bsc _ old i { K admin | K bsc _ new i | Auth _ Code new i | Auth _ Code PS } m 3 : PS → * : E K admin { K comm | Auth _ Code PS }Note that K_SN,MS is refreshed whenever it is used. Also, the PS does not get to know key K_SN,MS of any sensor node. Remaining key refreshment schedule is followed after the refreshment of K_admin irrespective of the way K_admin is refreshed.

In some cases, new nodes are added to the network or the existing nodes are replaced. One possible scenario of node addition can be the deployment of a new device to monitor some biometric. Similarly, one possible scenario of node replacement is malfunction of a device. Under such circumstances new nodes are added to the network.

If new nodes are to be added in the network, MS informs PS about new deployments by sending identities, basic keys and authentication codes of new nodes to the PS. Also, MS informs the PS about initial value of K_admin that is preloaded into the new nodes. All this communication is done through an external secure communication channel. Under normal circumstances, if the PS receives messages from stranger nodes, it ignores them and indicates malicious activity on its own output. If informed by the MS, the PS expects discovery messages from new nodes. This is important because otherwise malicious nodes can drain its energy by sending fake discovery messages. New nodes send their respective discovery messages encrypted in the pre-loaded value of K_admin as follows: m 1 : ∀ SN j ∈ { New _ Nodes } : SN j → PS : E K admin pre − load { ID j | Auth _ Code j }If nodes, which have very limited communication range, are deployed, then the PS commands other sensor nodes to forward their discovery messages to the PS. PS waits for all expected nodes for a certain period of time. After that, it broadcasts the remaining key refreshment schedule and current values of K_comm and K_admin to newly deployed nodes as follows: m 2 : PS → * : E K admin pre − load { K comm | K admin | Remaining _ Sched | Auth _ Code PS | Timestamp }All nodes, except the newly deployed ones, ignore such message from the PS. Newly deployed nodes can participate in key refreshment procedure after the next key refreshment schedule is issued by the PS.

Storage and exchange of authentication codes is common in all key management schemes. Also, storage requirements of authentication codes do not make much difference when key management schemes are compared with respect to their storage overhead. For simplicity, storage requirements of authentication codes is not included in storage analysis. Considering storage overhead of sensor nodes, only four keys are stored: K_comm, K_admin, K_bsc and K_SN,MS. Apart from that, key refreshment schedule is stored on sensor nodes. A sensor node keeps track of its turn with the help of two short integers. One integer contains a counter to keep track of its turn. The other one indicates timeout after which it refreshes K_admin. If we consider that a short integer requires 2 bytes and key length is z bytes, Then the storage requirement of a sensor nodes becomes: (1) SR SN BARI + = ( 4 × z ) + 4PS stores K_bsc of all sensor nodes, K_admin and K_comm. Also, it stores complete key refreshment schedule for K_admin. Storing a sensor node’s identity requires 2 bytes. Another 2 bytes are required to specify timeout after which sensor node refreshes K_admin. So, the storage requirements of PS becomes: (2) SR PS BARI + = ( ( r + 2 ) × z ) + ( 4 × r )where r is the number of nodes in WBAN formed on a body. Note that key K_SN,MS is not stored on the PS.

Storage requirements of a node (sensor node or personal server) in LEAP+ is fairly straightforward. Apart from pairwise keys shared with each node in its cluster, every node stores its cluster key and the communication key. So, the storage requirement of a node in LEAP+ becomes: (3) SR PS ∨ SN LEAP + = z × ( r + 2 )In MUQAMI+, each PS node has to store K_comm and K_cn,ch. Also, PS has to store K_ch,sn of all SN nodes and key-chains of key K_ch,kg of all KG nodes in its cluster. In addition to that, PS has to store EBS matrix. If EBS data for each node takes 4 bytes (2 bytes for storing node identity and 2 bytes for storing key pattern), it takes 4 × r bytes to store EBS matrix. So, the average storage requirement of a PS node (in bytes) of MUQAMI+ becomes: (4) SR PS MUQAMI + = ( z × ( ( l × ( k + m ) ) + r − ( k + m ) + 2 ) ) + ( 4 × r )where l is the length of key-chains [27], which are used by MUQAMI+ for key management and k and m are EBS [26] parameters. In MUQAMI+, SN nodes have to store k admin keys apart from four other keys: K_ch,sn, K_comm, K_bsc and K_disc. So, the average storage requirement of a sensor node in MUQAMI+ can be expressed as: (5) SR SN MUQAMI + = z × ( k + 4 )

Among sensor nodes, MUQAMI+ also has key generating (KG) nodes, which store two key-chains: one for the admin key, which it generates and one for K_ch,kg. Also, KG nodes store k − 1 EBS keys along with three other keys: K_comm, K_bsc and K_disc. So, the average storage requirement of a KG node can be expressed as: (6) SR KG MUQAMI + = z × ( 2 × l + ( k − 1 ) + 3 ) = z × ( 2 × ( l + 1 ) + k )In MUQAMI+, we have k + m KG nodes out of a total of r nodes in a cluster. Therefore, average storage requirement of each node within a cluster comes out to be: (7) SR SN ∪ KG MUQAMI + = z × ( r − ( k + m ) ) ( k + 4 ) + ( k + m ) ( 2 ( l + 1 ) + k ) r = z × r × ( k + 4 ) + ( k + m ) + ( 2 × ( l + 1 ) − 4 ) r = z × ( ( k + 4 ) + 2 × ( l − 1 ) × ( k + m ) r )Note that (k + m) << r only for large scale networks. For small scale networks like WBAN, k and m are comparable to r, which degrades the performance of MUQAMI+ considerably.

Table 4 compares the storage requirements of BARI+ with MUQAMI+ and LEAP+. It is clear from Table 4 that storage overhead of our scheme is less as compared to other schemes especially on sensor nodes.

Communication is the most energy consuming activity in WBAN. Since all nodes are in communication range of each other, we only need to analyze average number of messages transmitted by each type of node in every phase. Initial deployment phase of BARI+ is very lightweight and simple because every node has to send one message each.

Initial deployment phase of MUQAMI+ is also simple. Every sensor node has to send one discovery message each. In return, the PS has to send one message to each node in the network, which makes the total number of messages transmitted by the PS equal to r. In LEAP+’s initial deployment phase, the PS has to send one broadcast message to all nodes in the network. All nodes reply and pair-wise keys are established. After that, it sends its cluster key to each of the r nodes one by one and then broadcasts its group key in the network. Also, it replies to the initial messages sent by other nodes. So, the average number of messages transmitted by PS in the initial deployment phase of LEAP+ becomes: (8) Avg _ Msg _ Count _ Init PS LEAP + = ( 2 × r ) + 2 = 2 × ( r + 1 )The sensor nodes does not have to broadcast the communication key. Therefore, average number of messages transmitted by sensor nodes in the initial deployment phase of LEAP+ becomes: (9) Avg _ Msg _ Count _ Init SN LEAP + = ( 2 × r ) + 1Comparison of our scheme with MUQAMI+ and LEAP+ is given in Table 5, which indicates that our scheme BARI+ is more efficient as compared to other schemes. Nodes are added in the same way as they are initially deployed.

In BARI+, PS broadcasts one message to refresh communication key. Similarly, PS broadcasts one message in the network to refresh communication keyin LEAP+ too. Both in BARI+ and LEAP+, sensor nodes need not send any message to refresh communication key. In MUQAMI+, PS sends k + m messages to the key generating nodes, which in turn broadcast one message each. So, average number of messages transmitted by a sensor node for communication key refreshment is expressed as: (10) Avg _ Msg _ Count _ Rekey _ Comm SN MUQAMI + = k + m rComparison of communication overhead for refreshment of communication keyis given in Table 6.

Refreshment of administrative key is also lightweight in our scheme. In order to refresh administrative key, each node sends one message in every schedule. If all nodes participate in administrative key refreshment, average number of messages sent by each node to refresh K_admin one time comes out to be 1/r. However, K_admin is also refreshed by K_bsc. If refreshed through K_bsc, PS sends two messages for the purpose. If K_admin is refreshed by K_bsc y times in every key refreshment schedule, then average number of messages transmitted by PS for administrative key refreshment becomes: (11) Avg _ Msg _ Count _ Rekey _ Admin PS BARI + = ( 2 × y ) + 1 rIn LEAP+, every node has to send one message to each of r other nodes in the network. In MUQAMI+, PS has to send k + m messages to key generating nodes and one message after every l key refreshments to get new seed values for key-chains. So, average number of messages transmitted by PS for refreshment of administrative key in MUQAMI+ becomes: (12) Avg _ Msg _ Count _ Rekey _ Admin PS MUQAMI + = ( k + m ) × ( 1 + ( 1 / l ) )Similarly, average number of messages transmitted by a sensor node for refreshment of administrative key in MUQAMI+ comes out to be: (13) Avg _ Msg _ Count _ Rekey _ Admin SN MUQAMI + = ( k + m ) r × ( 1 + ( 1 / l ) )

Table 7 compares our scheme BARI+ with MUQAMI+ and LEAP+ in administrative key refreshment phase.

Establishing efficacy of a key management scheme for WBAN in different attack scenarios is as important as establishing its energy efficiency. In fact, a key management scheme is useless if it does not fulfill security requirements of the target network. This section analyzes security of our scheme from different perspectives. Also, analysis of protection against various attacks, applicable to WBAN domain, is included in this section. We refer to [32] for the list of attacks that can take place is WSN.