Hash chains were first proposed by Lamport [8]. They involve applying a hash function h(·) N times to a seed (s) to form a hash chain of length N: (1) h 1 ( s ) , h 2 ( s ) , … , h N − 1 ( s ) , h N ( s )

The user calculates the i-th key according to this relation: (2) k i ( s ) = h N − i ( s )

The host authenticates the user by checking that the following equality holds: (3) h ( k t ( s ) ) = h N − i + 1 ( s )where the value h^N−i+1(s) is already saved in the host system’s file from the previous i-th authentication. After any successful authentication, the system password file is updated with the new key. This scheme has a limitation on the number of authentications, so that after reaching N authentications, a process restart is required. In addition, it is vulnerable to an opponent who sends small challenge values to users that respond with the chain initial values [9]. This attack can be referred to as a small challenge attack. Also, the users are charged with computational processes through the initialization phase, which makes the system unsuitable for WSNs.

The infinite length hash chains (ILHC) proposed by [10] use a public-key algorithm, A, to produce a forward and infinite one way function (OWF). Bicakci et al. utilized RSA [11], where d is the private key and e is the public key. The OTP originating from initial input “s” using the RSA public-key algorithm for the i-th authentication is: (4) k i ( s ) = A i ( s , d )and the verification of the i-th key is done by: (5) k i − 1 ( s ) = A     ( k i , e )increasing the number of cascaded exponentiations increases the computational complexity, making this algorithm very difficult to implement in limited computation devices [12].

If the integers n₁, n₂,…,n_k are pair-wise relatively prime, then the system of simultaneous congruence: (6) x ≡ r 1   mod   n 1 x ≡ r 2   mod   n 2 ⋮ x ≡ r k   mod   n khas a unique solution: x = ∑ i = 1 k r i N i − 1 N i   mod   N where; (7) N = ∏ i = 1 k n i (8) N i = N n i (9) N i − 1 N i ≡ 1   mod   n i

Timed Efficient Stream Loss-tolerant Authentication (TESLA) [3] is a multicast stream authentication protocol. Keys used to authenticate the i-th message is disclosed along with (i + 1)-th message. μTESLA [4] provides authentication for data broadcasts, and requires that base station and sensor nodes be loosely time synchronized. According to Lamport’s scheme, a base station (BS) randomly selects the last key k_n, the chain seed, and applies a one-way public function h(·) to generate the rest of keys: k₀, k₁,..., k_n−1 as k_i = h(k_i+1). Given k_i, every sensor node can generate the sequence k₀, k₁, ..., k_n−1. However, given k_i, no one can generate k_i+1. At i-th time slot, BS sends an authenticated message MAC_ki (message). Sensor nodes store the message till the verification key in the (i + 1)-th time slot is disclosed. Sensor nodes verify disclosed key k_i+1 by using key k_i as k_i = h(k_i+1). In μTESLA, nodes are required to store a message until the authentication key is disclosed. This operation may create storage problems, and encourages DoS types of attacks.

μTESLA has been expanded to Multi-level μTESLA [4] by simplifying the key distribution phase and introducing a new concept of a multi-level key chain generation using pseudo-random functions that improves the protocol efficiency. Multi-level μTESLA reduces the need to reinitialize the network (although re-initialization is still required) by implementing multiple levels of key chains, in which high-level keys are used to communicate root-keys (or commitments) for low-level chains which are used in turn for broadcast authentication as in standard μTESLA. The chains are further connected in that each root-key is derived from the corresponding high-level chain using another pseudo-random function. Network lifetime is extended many times over, but it is still limited. A problem would result if a receiver dropped a related commitment distribution message initializing a new low-level chain; it would be unable to verify any broadcast data received during this entire lifetime of the chain itself. The data would still be verifiable eventually as the receiver could use any later commitment distribution message to reconstruct all the lost high-level keys and the corresponding chains. This would require significant computation and storage.

The scheme proposed in [13] is divided into three phases: Distribution, Message Signing, and finally Message Authentication phase. Before deployment all nodes are loaded with the chain seed, k_n, the OWHF h(·), and two different modules values, n_A and n_B for the CRT. When the BS needs to broadcast a message m to sensor nodes for the i-th session, BS calculates the MAC of the message m using k_i to get M = MAC_ki (m). After that BS cipher k_i and M using the two secrets values n_A and n_B through the CRT to get: U ≡ k_i mod n_A and U ≡ M mod n_B, then it broadcast U. Upon the occurrence of U reception by sensor nodes, they recover k_i from U, and then apply the OWHF h(·), to check k j = ? h i − j ( k i ) where k_j is the last authentic key that sensor nodes have received. Finally, to verify the message integrity, the sensor nodes compute the corresponding MAC using k_i of the received message and then compare the result. Unfortunately, this scheme also has a length restriction considering the use of a backward hashing chain to generate keys.

Data integrity ensures that data has not been altered by unauthorized entities.

Data Origin Authentication guarantees the origin of data. It is a fundamental step in achieving entity authentication in protocols as well as establishing keys. We may say that data origin authentication implies data integrity. So it is not possible to achieve data integrity without data origin authentication.

Packets that have been captured and replayed at a later time should be ignored by the sensor nodes.

No time synchronization should be required in the system for data verification. Each packet must be verifiable without having to wait for additional data.

Confidentiality ensures that data is only available to those authorized to obtain it.

The denial of service attack is an attempt to make a node resource unavailable to its intended users.

This attack challenges the backward hashing with small values to respond with the chain initial values.

Process re-initialization after N of authentications is necessary.

Each node n_j is loaded with two unique CRT modules r n j A and r n j B. Those modules, regarding the all nodes, are relatively primes. Also all sensors are loaded with key seed〈s〉 and the two different hash functions, h_A(·) and h_B(·). From the other way the base station is loaded with all this information considering the all the CRT modules for all the network’s nodes, the key seed〈s〉, and the two different hash functions h_A(·) and h_B(·).

Before the broadcasting operation, BS has to do the following:

Calculate the session key k x i , y i = h B y i ( h A x i ( s ) ) for the i-th authentication.

The BS constructs the broadcasted packet to be P_i = {E_kxi,yi (m‖k_xi,yi)‖X} and then broadcast it to all sensors.

Upon the reception of P_i by the all sensors, they will need to ensure that the broadcast packets come from the authenticated BS. The verification process is done as follows:

Each sensor node will extract X to perform the module operation to obtain the chain indexes, e.g., n₁ will get x i ≡ X   mod   r n 1 A and y i ≡ X   mod   r n 1 B.

The storage complexity is the amount of memory (RAM size) required to store security credentials. The storage complexity affects the hardware price of sensor nodes. Our proposal requires the base station to save two keys for each sensor nodes to build the conference X, two different hash functions h_A(·) and h_B(·), and one seed〈s.〉 This storage overhead is neglected to the base station, since the base station regarded as resource-rich node. In the other way, sensor node n_j has to store two privet keys r n j A and r n j B, and one seed 〈s〉, each one of them is 160-bit. This tells us that the memory required for credentials per module (RAM) is 160 × 3-bit = 480-bit = 60-bytes. Hash functions h_A(·) and h_B(·) are implemented, written in nesC code for TinyOS, in approximately 20 Kbyte of memory (ROM.)

Considering the computational complexity, base station has to build the congruent equation (10) to reach the chain indexes for all sensors, X, also it has to perform two different hash operations to build the session key k_xi,yi this computation is affordable in the base station. Alternatively sensor nodes have to do two different modulo operation and to perform the same two different hash operations according to h_A(·) and h_B(·). This also is very easy to the sensor nodes. Rather than the previous techniques which use backward hash functions. Those previous techniques cost the sensor nodes to perform hashing operations for many times, especially through the chain initial values.

Example: Considering the chain length to be N = 1,000 the number of required hash operation considering Lamport scheme will be. (N + 1) × (N/2) = 500,500. On the contrary the usage of nested hashing will require the sensors to perform 2N hash operations which are equal to 2,000, according to our illustration. This could show how the nested hashing using two different hash chains is very cheap, in a very simple way.

Now, we consider the required execution time for a sensor node to calculate the session key k x i , y i = h B y i ( h A x i ( s ) ). The utilization of the microprocessor Sparc(400) as the sensor nodes’ platform, will give us the following: the required time to digitize a plain text of size 80 bytes using MD5 will cost us a = 39 μs and also, the required time to digitize a plain text of size 64 bytes using SHA-1 will cost us b = 56 μs as shown in Table 2 [15], such that the total time required to calculate the session key k x i , y i = h B y i ( h A x i ( s ) ) is t_exec = a×x_i + b×y_i. Considering that the maximum values for x_i and y_i are w = 10, hence t_exec = 10(56 + 39) = 0.95 ms. Note we have considered the worst case, hence we have considered the largest input plaintext for the both two hash algorithms, but in fact the plain text size will be no more than 160-bits = 20-bytes, rather than the 80 bytes or 64 bytes.

However, the time required for individual modulo operations mod   r n j A and mod   r n j B for node n_j is tiny compared to the calculation of the two different hash operations.

An implicit check for data integrity has been provided. Any data modifications that could be done will consequently affect the received vector U = E_kxi,yi (m‖k_xi,yi) which will be discovered through the key checking, by comparing the two sessions they have established and received.

Sending an original copy of the session key concatenated with the message and then encrypting them with the same key provides the originality authentication in a straightforward way. No one has the ability to build the broadcasted packet P_i = {E_kxi,yi (m‖k_xi,yi)‖X} except for the base-station or an intruder that has captured the entire congruence keys r n j A and r n j B for all nodes. This broadcast message has to provide the positivity authentication check considering the all sensor nodes.

Our proposal allows the base station to challenge the sensor nodes with unpredictable uniformly distributed values of (x_i, y_i). According to these values, and according to the seed updating every session, new refreshed keys have been established every session, so the communication system has a new and refreshed session key, and previous messages cannot be replayed. If we suppose that x_i and y_i can take one value of forward m values, the probability of successfully guessing a challenge will be the joint probability of x_i and y_i, which is equal to 1/m². We can refer to this property as the ability to resist predictable attacks.

Our proposed scheme provides an instant authentication. Every broadcasted packet contains the authentication information for itself, independently of previous and following messages. The authentication process is done in the same session.

Confidentiality cannot be guaranteed if one or more nodes have been compromised. If an intruder acquires the ability to capture one node or more he will be able to solve the congruent equation using the captured node n_j congruent keys r n j A and r n j B. The CRTBA [13] algorithm also did not cover this property, furthermore the broadcasted messages are sent in the plain form without encryption. Actually, regarding certain applications like the broadcasting of urgent alert notifications and warning systems need instant message authentication rather than confidentiality.

In μTESLA scheme, the sensor nodes can’t authenticate the received message immediately after reception. The intruder can send a large amount of forged messages to consume the sensor nodes buffer. The instant authentication provided in our scheme, overcomes this weakness. The authentication process is done in the same session independently of the previous or the next sessions. This vulnerability is overcome without resources an extra bandwidth or an extra storage memory like [5] and [6].

All TESLA families and also CRTBA, use backward hash chain. The backward chain has a restriction of an N time for authentications; a process restart is required after reaching this number of authentications. Our algorithm utilizes a new technique of employing two nested and different hash functions for the key production. This technique uses forward hashing and has no need for process restarting after reaching any number of authentications.

Utilizing a one way hash function to construct a hashing chain in the backward fashion encourages a new kind of attack called small challenge attack. This type of attack discloses the hash chain initial values. These initial values help the intruder to extract the remaining chain values by hashing those initial values. Our algorithm covers this vulnerability by the utilization of two different and nested hash functions in the forward fashion, which prevents this kind of attack.

The ability of generating a truly random sequence of key bits can defeat a brute force attack, as a brute force attack would have no way of distinguishing one key from the other. Relying on the generation of random number can impede the brute force. The nested hashing progress random values for i-th authentication (x_i, y_i). play a great role in preventing this type of attacks according to the entropy of their random generation.