Untraceable Mobile Node Authentication in WSN

Mobility of sensor node in Wireless Sensor Networks (WSN) brings security issues such as re-authentication and tracing the node movement. However, current security researches on WSN are insufficient to support such environments since their designs only considered the static environments. In this paper, we propose the efficient node authentication and key exchange protocol that reduces the overhead in node re-authentication and also provides untraceability of mobile nodes. Compared with previous protocols, our protocol has only a third of communication and computational overhead. We expect our protocol to be the efficient solution that increases the lifetime of sensor network.


Introduction
Wireless Sensor Network (WSN) is the network that consists of light-weight battery-powered devices with short-ranged wireless communication function. The devices have sensors that gather the environmental information. After sensing the information, the devices send the information to the networks. We define such devices as sensor node, and the core parts of the network as sinks and the base station ( Figure 1).
Authenticated key distribution in WSN is one of the fundamental security problems. Employing the security protocols of other computer networks to WSN is insufficient because the light-weight devices have limited resources. Thus, the most important issues in security researches on WSN are the design of resource-efficient security protocol. Several approaches such as key pre-distribution, pairwise key agreement, group key based key agreement and hierarchical key management schemes were introduced for the efficient authenticated key distribution.
Zigbee [1] specifies the key pre-distribution method that stores the master secret between two entities for commercial application that also requires the large key storage management in scalable network. The pairwise key agreement protocols based on the random key pre-distribution that enables to share the pairwise key from the pre-distributed key pool are proposed in [2][3][4]. For the group key based key agreement, Zhu et al. [5] showed the efficient key distribution model with cluster key that enables the reduced overhead of the base station. Recently, the hierarchical key management schemes, in which the sensor nodes establish the hierarchy for the key distribution, are proposed by [6,7]. and key distribution protocol that can reduce the communication overhead between a sink and the base station. Applying our protocol, a node previously authenticated by a sink can be efficiently re-authenticated with less communication and computational overhead when the node changed position and the node movement stays untraceable.
The rest of this paper is organized as follows: Section 2 briefly presents the drawbacks of previous authentication and key distribution protocols supporting mobility in WSN and identifies the security requirements. Then, We propose the efficient mobile node re-authentication protocol in Section 3, and analyze the performance and security of our protocol in Section 4. Finally, Section 5 concludes this paper.

Issues of Mobile Node Authentication in WSN
In this section, we present the security problems on node mobility in WSN and the limits of previous authentication and key agreement models. At first, we show a sensor network model with mobile nodes as in Figure 1. We define a static sensor node as Sink, a mobile node as Node, and the base station that is the core network. The node has linear movements in the network. The base station and sinks are static, which is the same as in Ibriq and Mahgoub's model [7]. Sinks act as the gateway and link nodes to the base station, and the base station is a kind of headquarter that manages the entire networks. When a node initially joins the network, the node connects to a sink in the network and is authenticated by the sink with the help of the base station. Afterwards, the node moves and reconnects to other sink. We assume that the sink that re-authenticates the node is the neighbor sink of the sink that previously authenticated the node. The re-authentication processes frequently happen because the node continuously moves in the network.
In practical scenarios, re-authentication happens when a node lost connection to the sink or moved and connected to other sink. For the former case, the node can be easily re-authenticated to the same sink when the connection becomes available again. For the latter case, the node request the re-authentication to other sink that is closest to the previously attached sink.

Previous Works on the Authenticated Key Agreement in WSN
Currently, most researches on the authentication and key distribution assume WSN as a static environments. Thus, they only focused on the efficient initial authentication and key setup.
Commercially deployed Zigbee [1] specifies the key agreement architecture that pre-distribute keys. In their architecture, each node pre-installs their unique keys, such as the master key (MK) and the link key (LK), that are shared to other entities and the network key (NK) is shared to entire network by the manufacturer. In order to support node mobility using the unique key, each node has to contain the key as well as the number of nodes. Figure 2 shows the required keys in Zigbee. Seven keys (three MKs, three LKs, and a NK) were required for the secure communication in the network with only four nodes. Thus, deploying Zigbee in the large scale networks requires quite large storage for the key management.
In 2002, Eschenauer and Gligor [2] proposed the pairwise key agreement protocols based on the random key pre-distribution that enables sharing the pairwise key from the pre-distributed key pool. In the initial stage, each node stores m numbers of keys selected in a key pool. After the nodes are deployed, each node shares the key information to its neighbor nodes. When the shared keys are found, the node establishes the secure links between sinks that share the keys. After the links are established, nodes generate the pairwise key with the sink that has no shared information via the secure link. Later, Chan et al. [3] improved the model by generating the pairwise key from multiple numbers of shared key, and Liu and Ning [11] proposed a model in which the pairwise key is not directly distributed but derived by a bivariate polynomial. However, the networks cannot be completely connected by probabilistic methods. The probability of failure increases in the case of irregular deployment of sensor nodes or unpredictable interruptions. Zhu et al. [5] introduced the group key based key agreement model that minimized threats of compromised nodes. Every node has a unique key, pairwise keys with neighbor nodes, a cluster key shared with all neighbor nodes, and the global key shared with the entire network. However, they only assumed static networks.
In 2006, Abraham and Ramanatha [6] proposed an authentication and initial shared key establishment model in hierarchical clustered networks. In 2006, Ibriq and Mahgoub [7] proposed an efficient hierarchical key establishment model with "partial key escrow table". Using the key escrow table, a sink can self-generate the shared key for the attached nodes. Figure 3 shows the brief model of [7]. However, any sinks have to maintain the information of every node in the table to support the node mobility.
Fantacci et al. [10] proposed the distributed node authentication model that does not require the base station as the centralized authenticator. Figure 4 shows the brief model with no centralized authenticator. Every node shares the partial authentication information of each node based on Shamir's Secret Sharing Scheme [12], which enables node mobility support. When a node requests to be authenticated to other node, the Node 2 is the authenticator, while other nodes such as Node 5 and Node 6 are distributed authentication servers. However, the issue in this model is the overhead on each node. Since the node has to participate in the authentication procedures as authenticator or an authentication server, the computational and communication overhead can increase significantly with frequent authentication requests.
Huang et al. [13] proposed self-organizing algorithm by using Elliptic Curve Cryptography (ECC). Once the certificates are issued to nodes, nodes can self-establish the pairwise key by exchanging the certificates with any node. Even though the public key based security architecture requires more advanced computational power and resources, efficient applications for the sensor networks will be available in near future with light weight implementation such as TinkPK [14] and TinyECC [15].    [10]: When Node 1 request to join the network, Node 2 acts as the authenticator. Other nodes act as authentication server. In the initial setup of network, all node share the partial information of each node. When a node request to be authenticated, they gather the authentication information using secret sharing.

Frequent Re-authentication
Since the sensor has battery of limited power and low-end processor with short-range wireless communication, reducing communication and computational overheads is important to increase the lifetime of the sensor. However, the mobile sensor node may incur large overhead for security computation due to the frequent requests of node re-authentication. When a node connects to a sink, the sink has to authenticates the node. Afterwards, the node will connect to another sink after the movement, and the new sink has to authenticate the node again. If the node moves continuously, the authentication process will also occur repeatedly. It is obvious that the frequent re-authentication processes significantly drain the resources in battery-based sensor nodes.
Current authentication and key distribution protocols lacks the consideration of node mobility and are thus insufficient to be applied in such environment. Using the current protocols such as [7], the communication pass (1)-(2)-(3)-(4) is required for the initial authentication and key distribution in Figure 5. When the node moves and reconnects to sink 2, the communication pass (5)-(6)-(7)-(8) is required for authentication and key distribution, which have the similar communication overhead to the initial authentication. Such overhead will create huge problem in the environment where large numbers of nodes moves frequently. Thus, the reduction of computational and communication overheads in re-authentication are very urgent requirement for the node mobility support in the WSN. (1)

Tracing Node Movements
Considering the mobility of sensor nodes, the tracking of node movement is one of the possible attacks. For example, when the mobile nodes are deployed in battle fields, the tracking by enemies is of significant threat to the networks. Also, tracking node movement threats privacy. Thus, the authentication and key agreement protocols should provide the privacy of the mobile node. Current protocols do not consider the mobility of the node.

Security and Privacy Requirements
We define the security requirements as follows. We assume that when the node N communicates with a sink S 2 after disconnection to the sink S 1 , S 1 cannot receive any message between N and S 2 . S 2 is one of neighbor sinks of S 1 .
"Confidentiality", "message authentication", and "key freshness" are important requirements to protect against the attacks such as the replay attack or man-in-the-middle attack. "Node/Sink resiliency" is a practical threat as the sensor nodes are generally deployed in the environment out of administration.

Proposed Protocol
In this section, we propose our novel authentication and key distribution scheme that provides efficient mobile node re-authentication and untraceablity. In Section 3.1, we briefly overview the overall process of proposed protocol. In Section 3.2, we introduce the concept of "authentication ticket" that enables fast re-authentication. After that, we show our efficient node re-authentication protocol in Section 3.3.

Overview of Proposed Protocol
We briefly describe the procedure of our proposed protocol in Figure 6. Assume that there are a base station BS, a sink S 1 , a neighbor sink S 2 , and a mobile node N in the network. We define the neighbor sink as the sink that is in the 1 hop communication range. S 1 periodically broadcasts HELLO in Phase 0. When S 2 receives HELLO, S 2 initiates the neighbor relationship if S 1 is a newly discovered sink. After the pairwise key between S 1 and S 2 has been exchanged in Phase 1, S 1 and S 2 exchange the authentication key that is used to verify the authenticated user in Phase 2. Phase 1 and Phase 2 are only required during establishing the static sensor network. We let the establishment of the static sensor network follow any previous protocol, such as [7].
When N first joins the network, N may be connected to S 1 in the network, as in Figure 6. After receiving HELLO of S 1 , N initiates the initial authentication with S 1 in Phase 3. After N is authenticated S 1 , N only needs the re-authentication in Phase 4 when N continuously moves and request the authentication again. The authentication process in Phase 3 is only necessary when the re-authentication fails in certain case, e.g., when the neighbor sink is not available.

Authentication Ticket
The "Authentication Ticket" is used for the node re-authentication. When a node requests authentication to a sink, the sink generates the authentication ticket and sends it to the node. The authentication ticket can be verified by the authentication key that is given to the neighbor sinks. Using the authentication ticket, the node movement is untraceable. Verification of the authentication ticket is available to neighbor sinks of the sink that issued the ticket. We adopt the idea of "cluster key" in [16] that shared to neighbor sinks. The main difference is that the cluster key in [16] is used for broadcast communication in the cluster, while the key in our protocol is used for verifying the authentication ticket. Thus, we rename the key as "authentication key" because of its different use in the protocol. Figure 7 shows that neighbor sinks of Sink 1 (S 1 ) shares the authentication key AK S 1 .

Protocol Description
The protocol consists of five phases as follows: Phase 0 The common neighbor discovery, Phase 1 Neighbor sink relationship set up, Phase 2 Neighbor group authentication key share, Phase 3 Initial node authentication, and Phase 4 Node re-authentication.
The notations used in the protocol are defined in Table 1. Key IK N is the integrity key derived from K N , where IK N = KDF (K N ). KDF is an one-way key derivation function. We can also use a hash function for KDF . A sink S 1 periodically generates a random nonce R 0 . S 1 also generates u 0 = E K S 1 {R 0 ||T S 0 } and v 0 = M AC IK S 1 (S 1 ||HELLO||u 0 ), where T S 0 is time stamp. u 0 and v 0 are included in the HELLO message as in Figure 8. Then S 1 broadcasts u 0 and v 0 as follows: Phase 0 is the periodical common procedure. When a sink receives HELLO, the sink initiates Phase 1 or Phase 2. When a node receives HELLO, the node initiates Phase 3 or Phase 4.

Phase 1: Neighbor Sink Relationship Set Up
Assume another sink S 2 receives HELLO message. S 2 checks whether the sender of HELLO S 1 is known or not. If S 2 already knows S 1 , S 2 discards the message. Otherwise, S 2 requests to set up the neighbor relationship as follows: P-1.a. S 2 randomly selects R 1 and generates u 1 = E K S 2 {R 1 ||u 0 }, v 1 = M AC IK S 2 (S 2 ||BS||S 1 ||u 1 ||v 0 ).

Phase 2: Neighbor Group Authentication Key Share
Phase 2 can be operated solely or after Phase 1 is completed. In Phase 2, S 1 initiates following procedures. P-2.a. S 1 randomly selects two nonces ASEED S 1 and R 1 .
After the Phase 2 is completed, sinks share their neighbor sink's authentication keys as in Figure 9.

Phase 3: Initial Node Authentication
When N receives HELLO that S 1 broadcasts in Phase 0 and is not yet authenticated by any sink, N proceeds followings. P-3.a.
Node N randomly selects R 1 and generates u 1

Analysis
In this section, we show the performance and security analysis of our protocol. Section 4.1 shows the comparison to the previous protocols, and Section 4.2 shows the security analysis for the requirements and known attacks in WSN.

Performance Analysis
For the performance analysis, we compared the number of communication passes, the required message sizes, and the number of computation of the protocol. We do not count the overhead in Phase 0, since Phase 0 does not initiate the protocol. The node just ignores Phase 0 when the node receives HELLO from the sink that already authenticated the node.   [7]. The reason is that [10] considered node mobility without requiring sinks or base station in the key distribution, and [7] showed the efficient key distribution in static networks. Table 2 shows the comparison of communication passes for node re-authentication, where n denotes the number of nodes and t denotes the number of sinks. Since nodes act as the authentication server (the base station) and the authenticator (the sink), all the communications in [10] are operated among nodes.
Comparison of required number of communication pass in initial authentication is the same as the previous models. In node re-authentication, our novel protocol has much more efficiency compared with other protocols [7,10], since our protocol does not require the communication with the base station in re-authentication.
In practical application, we can deploy the network that all nodes directly connect to any sinks (i.e., n = 1). In that case, the communication passes in our protocol are just three passes (challenge-response-confirmation).

Message Size
We compared Abraham and Ramanatha's model [6,7] for the required message size for authentication. Based on the results in [6], we approximately compared the message sizes based on the message size with MAC size as 4 bytes, the time stamp as 8 bytes, nonce as 8 bytes, and key size as 16 bytes. We also set the source and target IDs as 1 byte, respectively. Tables 3 and 4 show the message sizes in the initial authentication and the message sizes in re-authentication with 2 hops between sink and base station, respectively. Table 3 shows that the performance for the initial authentication is similar to other protocols. In initial authentication (Phase 3), Abraham and Ramanatha's model [6] showed the best result-30 bytes less in message sizes than our protocol. However, as Table 4 shows, our protocol achieves about a third overall message size than other protocols. Even when we increase the size of each parameter, our protocol is still much more efficient than any other protocols in node re-authentication. For the comparison in multi-hop environments, Figures 11 and 12 show the message sizes of initial authentication (Phase 3) and re-authentication (Phase 4) in our protocol and the comparison with other protocols, respectively. When the hop distances between the sinks to which the node is attached and the base station increase, the required message size and the communication pass also increase.

Computation
Now, we compare the computational overhead of initial authentication (Phase 3) and re-authentication (Phase 4). In total, 10 times of encryption/decryption and 14 times of MAC generation/verification are required for initial authentication, while 4 times of encryption/decryption and 10 times of MAC generation/verification are required for re-authentication. For node specific operation, 3 times of encryption/decryption for initial authentication, 1 time of encryption/decryption are required. Both cases require 4 times of MAC generation/verification. Since the computation of MAC does not have significant overhead, comparing the computation of encryption and decryption, our computation is 2-3 times more efficient. The comparison of computation is shown in Table 5. We do not measure the computation time of each operation that depends on the encryption and hash algorithms in this paper. Note that we can apply TinySEC [17] and TinyHash [18] for the implementation.

Security Analysis
We show the security analysis of our protocol that holds the requirements defined in Section 2.3. "re-authentication", "untraceability", "confidentiality", "message integrity", "key freshness", and "node/sink resiliency". Then, we analyze the security of our protocol against known attacks.

Re-Authentication
After a node N is initially authenticated by a sink S 1 in phase 3, the node receives the authentication ticket (t, w) and v 1 , When N moves and requests re-authentication to the neighbor sink S 2 , S 2 can verifies (t, w) since the authentication key of S 1 , AK S 1 is shared to S 2 . N can authenticates S 2 with u 3 and v 3 with N K N . Finally, S 2 authenticates N after verification of v 4 . In the re-authentication phase, the base station is not involved.

Untraceability
A sink S 1 issues the authentication ticket (t, w) to a node N . However, S 1 does not know the next move of N . N can be re-authenticated by any neighbor sinks of S 1 . For the re-authenticated sink S 2 , S 2 only knows that N was previously authenticated by S 1 , but never knows the direction N ahead. Sinks only know N was previously authenticated by neighbor sinks, but never predict N 's next direction as in Figure 13.

Confidentiality
Any sinks and nodes pre-share secret keys only with the base station. For the Neighbor discovery phase, the neighbor discovery message is encrypted using K S that is only shared between a sink and the base station. For setting up the neighbor group and node authentication, the adversary requires shared secret key to know the information. For the node re-authentication, the responses u 3 and v 3 are encrypted using N K N that is known to S 1 . However, we assume that the re-authentication happens, where S 1 cannot involve in the communication from out-of-reach.

Message Authentication
In our protocol, every packet is protected by 4 bytes MAC. The outside adversary should be able to forge the message to succeed in the attack. The security of the MAC depends on the security of the hash function. The recommended MAC size in [17] is 4 bytes for practical application, since only 40 forgery attempts per second are available on a 19.2 kb/s channel while 2 31 trials are required for successful forgery. However, the performance of communication channel is increasing, and the size of MAC should be increased in future applications. Recently the efficient implementation of hash functions is introduced in [18]. Thus, our protocol is secure against the man-in-the-middle attack, as the adversary has no efficient way to forge MAC even when the part of the network is compromised by the attacker.

Key Freshness
In Phase 0, the sink S 1 periodically generates random nonce R 0 . Thus, S 1 can verify that the requests of authentication are from the directly linked sinks or nodes. In Phase 1, two entities generate the random nonces whose freshness can be checked by both entities. In Phase 2, S 1 also generates random nonce R 1 for the freshness check. In Phase 3 and 4, the node also generates random nonce R 1 to check the freshness.

Node/Sink Resiliency
We can define two kinds of threat of sink capture: the sink missing case and the compromised sink case. When a sink S 1 is just missing, the node will lose the connection S 1 and find other sink such as S 2 . Thus, we only need to consider the compromised sink case.
When the sink is compromised, we can assume that the keys in the sink are leaked. However, even if the group authentication key is leaked, only will the neighbor sinks be affected. The compromised sink can self-attach the fake nodes that will request re-authentication without initial authentication. For this case, we add h(K N ||R 1 ) in the authentication ticket that is sent to the sink when the node requests re-authentication. For suspicious nodes, the sink can check if the node is genuine with help of the base station. Also, we need to define the security policy for the extreme abnormality in deploying sensor network application. When the node is compromised, we can define that the compromised node may try to know the information of the sinks or impersonate other nodes. However, the compromised node will fail in both cases, since the node does not share any information in the protocol. Thus, our protocol has node and sink resiliency, and is practically secure against selective forwarding and acknowledgement spoofing.

Security Against Known Attacks
We analyze the security of our protocol against the attacks identified in [19]. Since the static parts in the networks could follow the previous models such as [7], we only focus on the security of node re-authentication in this section.
The sinkhole attack against our protocol fails without knowing the keys. An adversary A may capture the authentication ticket (t, w) that N initially sent to S 2 , and A send (t, w) to S 2 or other sink S 5 that is also a neighbor sink of S 1 . However, A fails in such attack without knowing AK S 1 . Wormhole attack on our protocol fails since the adversary cannot send the confirmation message. Spoofed, altered or replayed routing information attack also fail without knowing the encrypted nonce in our protocol. To succeed in the replay attack, the adversary has to be able to re-use the intercepted packet. We do not consider relaying through the attackers as successful attack. Sybil attack also fails from verification of identity of nodes through sinks and the base station. As for HELLO flood attacks, we can apply the global key shared to all entities in the network that many researches such as [7,16] used for the efficient message broadcast and DoS attack protection.

Conclusions
Node mobility is one of the emerging issues in WSN that needs to be adequately addressed. In this paper, we outlined the drawbacks of previous authentication protocols supporting mobile nodes in WSN, and identified the following requirements: efficient node re-authentication and untraceability. We then proposed our novel efficient node authentication and key distribution protocol that provides re-authentication and untraceability. Also, we analyzed our protocol by comparing it with the previous protocols. Our protocol requires only three passes of communication with one third of communication message sizes compared with previous protocols in node re-authentication. The computational overhead of node re-authentication of a single mobile node achieves about 2-3 times more efficiency than that of initial node authentication. It is obvious that deploying our protocol in the environment with large numbers of mobile nodes will achieve much higher cost efficiency than any previous methods. Our future plan is to gain the energy efficiency of sensor network in the initial authentication process of our protocol. Thus, We expect that our proposed protocol will be the efficient security solution supporting mobile nodes in WSN.