7.1. Analysis of Computation Overhead
Instead of communicating with the network server every session to derive a new session key, as mentioned in the basic LoRa protocol, our protocol allows every end device to store n session keys to reduce the communication overhead and save the network bandwidth. Each end device requires initially joining the LoRa network and sharing one session key and one application key. Then it uses these keys to securely share a standard master secret key and a one-way hash function. The end device uses the shared security parameters to generate n hashed keys, n salt values for authentication, and n salt values for encryption. The computation cost for each end device is calculated only one time at the initialization phase or in the key-update process.
The hash chain generation:
We assume that hash chain generation can be offline at the initialization phase of joining a new end device to the LoRaWAN network. However, during the runtime, the hash chain generation computation time can be calculated as follows:
One hash generation using the Sha-256 hash function requires 0.006 ms. According to the LoRaWAN specification [
33], in a 24 h interval, a node transmits one packet every 14.4 min. In conclusion, a node sends approximately 11 packets per day. Therefore, the total number of session keys required to secure every transmitted message for 1 year is 3960 keys only. As well, the computation time of the hash chain of a length 5000 key element is 30 ms. Any end device can generate the required keystream during the runtime using the one-way hash function h(.) and the master secret key Sk
n.
The salt random number generation:
Salts are in place to prevent someone from cracking original keys and can be stored in cleartext in the database. We recommend an offline salt generation for each original key to reduce the network overhead. In some cases, such as key updating due to normal situations or under attacks, each end device must generate the salt numbers during runtime. The calculation time of salt numbers includes generating random numbers and XORing of the generated salts and the original keys. End devices must store only the salts numbers, the key indexes, and the salted keys in the hash chain table. Generating different salts results in different keys for both authentication and encryption. For the star topology, which is the dominant topology for LoRaWAN, each end device shares a different master secret key to generate a different hash chain that allows the devices to communicate with the network server and application server securely. In contrast, the end devices in the mesh topology share a common hash chain to communicate with each other and with the network servers. Sharing a single common hash chain can expose the system for sniffing attacks and key compromising attacks. However, the proposed key management scheme allows end devices to locally generate different salt values to hide the original keys, resulting in different salted keys at each device. This salting process makes the breaking of original keys very complex and hides the original keys in a different version of keys, preventing any attacks that target the sniffing of the original keys or the initial master seed key. The total time required for generating n random salts of 8 bytes size required approximately (0.001 n) ms, where a single random number consumes 0.001 ms. For n = 5000, the total computation time is 0.001 × 5000 = 5 ms. The computation time of the XOR operation of the random salt number and the original hashed keys are neglected since their computation time is negligibly short.
Case 1: for n = 5000 (1 year)
The total computation time of the proposed key generation method at each end device using the crypto functions execution time in
Table 3 for n = 5000 keys for 1 year battery lifetime is:
Case 2: for n = 417 (1 month)
When the hash chain generation is updated every month, the required number of keys is 417 to allow the end devices to communicate for 1 month. The total computation time for 1 month is:
The computation time required to sign one message is the consumed time to calculate a Message Integrity Code
over the message m using a salted authenticated key
One MIC operation using the AES128-CMAC algorithm according to
Table 4 is T
MIC = 0.0167. The verification time at the receiver (network server) requires one search operation for the key using the attached key index as a pointer and one XORing operation to generate the authenticated salted key, then using the key to generate
value over the same message and comparing the result with the received
to accept the message or reject it. Therefore, the total authentication time per message at the end device side is T
MIC = 0.0167 ms.
The computation time required to encrypt one message using AES-128 and a salted encryption key
requires T
enc = 4.0274ms. The decryption process at the application server side requires one search operation to find the key and XORing the key with the received encrypted salt value to generate the encrypted salt key
that was used to decrypt the received message. We neglect the search operation and XORing operation due to their short computation time. Therefore, the total encryption time per message at the end device is T
dec = 4.1524. We summarize the security computation overhead of the proposed protocol in
Table 5.
7.3. Power Consumption Analysis
In this section, we analyze the required power consumption of the end devices due to the security overhead. We used the LoRa energy calculator [
34] to calculate the end device’s battery lifetime under defined assumptions and different packet sizes using real-world measurements. The inputs to the LoRa energy calculator are packet size, transmission period, and battery type. The measured outputs are the time on the air, the number of transmitted packets, and the Time To Live (TTL) of the end device battery. To demonstrate the differences between the proposed protocol and other related LoRaWAN protocols, we choose also the enhanced LoRaWAN protocol proposed by You et al. [
19]. In [
19], the authors proposed an enhanced protocol of LoRaWAN using Elliptic Curve Diffie Hellman (ECDH) key generation, which is authenticated by Elliptic Curve Digital Signatures. Their protocol supports end-to-end security and suggests the generation of DevNonce to avoid replay attacks. In [
19], the authors proposed two different cases for their method, the first one is the Default Option (DO) and the second one is the Security-Enhanced Option (SEO). Both options are to prevent the network server from generating any vulnerabilities and breaking the security between the end node device and the application server. The first case DO targets to defend against network server eavesdropping attacks that attempt to break the communication security between the end device and its related application server. The second SEO case prevents the data manipulating between the end device and application server and also prevents the impersonation of both entities. The malicious network server is blocked from manipulating packets between a device and its application server, as well as impersonating these two parties. However, although this protocol supports the LoRaWAN end-to-end security, it suffers from high computation cost and high communication cost due to using expensive elliptic curve operations. In this section, we analyze the original LoRaWAN protocol, the proposed protocol, and both cases of enhanced LoRaWAN mentioned in [
19]. During the performance evaluation process, we used a Li-ion(1000 mAh, 3.3 Volt) battery that consumes a processing power of 15 mW for reading a sensor value within a 5 ms period, and the sleep consumption is 10uW. The packet transmission is periodic every 14.4 min according to the LoRaWAN standard. LoRaWAN communication supports multiple spread factors (SF) (between 6 and 12) to compromise the data transfer rate and the communication range. Each node transmits every 14.4 ms, approximately 11 packets are transmitted every day. We analyze the protocol of [
19] using the LoRa energy calculator under defined assumptions and different packet sizes using real-world measurements.
Table 1 shows the results for time on the air, the number of transmitted packets, and the battery life during the communication. The original LoRaWAN MAC payload size ranges between 51 and 222 bytes. We added the security overhead in terms of bytes to the original payload size to study the security impact on the battery lifetime. The total communication cost and computation cost for the Do case are 94 bytes and 11 ms, respectively.
Table 7 lists the main parameters of the LoRa communication protocol, such as the spreading factor, channel bandwidth, and the transmitted power. The SF is the modulation technique that represents the number of chips per symbol. It is an integer value between 6 and 12: the greater the SF value, the more capable the receiver is to move away from the signal noise. Therefore, the greater the SF value, the more time is required to transmit a packet. The channel bandwidth represents the range of transmission band frequencies [
35]. The channel BW can be 125 kHz, 250 kHz, or 500 kHz. For a fast transmission, a 500 kHz BW is recommended. We used a 125 kHz channel BW to support a long-wide communication. We studied the power consumption using two cases (worst case and best case). The worst case supports SF12, the channel BW 125 kHz, and the transmission power is 14 dBm. The best case supports SF7, a channel BW of 125 kHz, and a transmission power of 2 dBm.The original message format of the LoRaWAN for an authenticated message is as follows: The LoRaWAN message format that consists of the MAC header (MHDR), Frame header (FHDR), message payload from end device to the server (m), and the Message Integrity Code (MIC), as shown in
Figure 16. The power analysis for the original LoRaWAN is calculated for message payload sizes
51,136, and 222 bytes using the LoRaWAN parameters in
Table 7 and excluding the message headers. To study the impact of security on power consumption, a 4 bytes MIC is included for authentication for each transmitted packet. From
Table 8, the measured parameters for the original LoRaWAN are time on the air, the number of packets, and Time To Live (TTL). Time on the air represents the total transmission time for this end device during the battery life.
In LoRaWAN, for a Spreading Factor (SF) of 12 (worst case) and payload size of 51 bytes, the time on the air is 2465 ms, while for payload size, 222 is 8036 ms. The time on the air for a maximum LoRaWAN payload size of 222 bytes is increased by 3 times more than the minimum LoRaWAN payload size of 51. In contrast, the total transmitted packets for an SF of 12 is 32,339 packets with a payload size of 51 bytes, while for a payload size of 222, the number of transmitted packets is 10847. The total transmitted packets are decreased by 3 times for the maximum payload size of 222 bytes. The Time To Live for an SF 12 for the original LoRaWAN with a payload size of 51 bytes is 0.8 years, while for a payload size of 222 bytes, the battery’s lifetime is dropped dramatically for 0.2 years. We conclude that the worst-case scenario for the LoRaWAN with SF (12), the greater packet size, and the shorter battery lifetime.
The results for the LoRaWAN in the best-case scenario with an SF of 7 for a payload size 51, 136, and 222 bytes are also shown in
Table 7. For a payload size of 51 bytes, the time on the air is 102 ms, the transmitted packets are 267664, and the battery life is 7.3 years. For a payload size of 222 bytes, the time on the air is 353 ms, the transmitted packets are 182,980 packets, and the battery lifetime is 4.9 years. We conclude the results of LoRaWAN for the best case that the battery lifetime is dropped by 3 years for the maximum payload size of 222.
The battery life analysis of the proposed protocol low power case and extremely low power case are shown in
Table 9 and
Table 10, respectively. From
Table 9, the proposed protocol low power authentication is analyzed with a security overhead of 20 bytes to each transmitted payload. For an SF of 12 (worst case) and payload size of 51 bytes, the time on the air is 2957 ms, the transmitted packets are 27,527, and the TTL is 0.7 years. In contrast to the payload size of 222 bytes, the time on the air is 8527 ms, the transmitted packets are 10,246, and the TTL is 0.26 years. For the SF of 12, when the packet size increased by more than 3 times, the battery life dropped by 3 times.
For an SF of 7 (best case) and a payload size of 51 bytes, the time on the air is 128 ms, the transmitted packets are 255,593, and the TTL is 6.9 years. For a maximum packet size of 222 bytes, the proposed protocol can support a time on the air of 374 ms, the total transmitted packets are 178,373, and the TTL is 4.8 years. For the SF of 7, when the packet size increased by 3 times, the battery life dropped by one time.
In the same way, the proposed protocol for extremely low power authentication with a security overhead of 10 bytes is illustrated in
Table 10. From
Table 10, we prove that decreasing the security overhead from 20 bytes to 10 bytes enhances the overall performance and extends the battery life.
Table 11 and
Table 12 show the battery analysis for [
19] options (DO, SEO). In the same way, we analyze the You et al. protocol cases in terms of Time on the air, Number of packets, and the Time to Live in years.
Table 11 shows the results for the DO option for security overhead 94 bytes using the elliptic Curve Diffie Hellman (ECDH) key exchange that introduces very high computation cost and communication cost as explained previously. Under the same environment and assumptions, we measured the options of [
19] for different packet sizes (51,136 and 222) bytes. For the SEO option when the security is enhanced with 126 bytes overhead, the battery life is decreased, and time on the air is increased compared with the DO option, in which the security overhead is only 94 bytes.
We compare the proposed protocol (low power authentication and extremely low power authentication) with the other related LoRaWAN mentioned protocols in terms of time on the air and Time To Live (TTL) for different packet sizes (51,136,222) bytes, as shown in
Figure 17,
Figure 18,
Figure 19 and
Figure 20.
Figure 17 shows the time on the air comparison for the proposed two cases against the original LoRaWAN and the two DO and SEO cases of [
19] using an SF of 12. The time on the air for the mentioned protocols is increased linearly with the payload size, while the LoRaWAN experiences the lowest time on the air compared with the proposed protocol cases (low power, extremely low power) and [
19] cases.
Figure 17 also shows that Do and SEO protocols introduce very high transmission time (time on the air) compared with the proposed protocol and standard LoRaWAN. SEO introduces very high time on the air due to high-security overhead that reaches approximately 126 bytes. The proposed protocol extremely low power case reducing the time on the air by 36%, 26% compared with SEO and DO, respectively, for a packet size of 222 bytes using an SF of 12.
However, reducing the security overhead in extremely low power cases reduces the time on the air compared with the low power cases that extend the battery lifetime.
Figure 18 shows the time on the air comparison for the proposed security cases (low power, extremely low power) and the other LoRaWAN protocols (original, Do, SEO) using an SF of 7. The spread factor value of 7 allows the end devices to reduce the time on the air and save the power consumption compared with spread factor 12. The LoRaWAN original protocol experiences the lowest time on the air compared with the other protocols since the total security overhead for the LoRaWAN is 4 bytes. The proposed extremely low power case reduced the time on the air by two times compared with the SEO case. The end devices in SEO use a complex and expensive elliptic curve to provide authentication that introduces high power consumption and high time on the air.
Figure 19 compares the battery life in years of the proposed protocol in two cases and the other mentioned protocols for different payload sizes (51,136,222) bytes using the worst-case environment parameters (SF of 12). The battery life (Time To Live) is decreased dramatically with the increase of the payload size; for the LoRaWAN protocol, the TTL of an end device is 0.88 years for a payload size of 51 bytes, compared with 0.72 years and 0.78 years for the proposed protocol cases (low power, extremely low power), respectively. In contrast, for a payload size of 222 bytes, the TTL for LoRaWAN is decreased from 0.88 to 0.29 years, and for the proposed protocol is decreased from 0.72, 0.78 to 0.27, 0.28 for the low power case and extremely low power case, respectively. The proposed protocol for the extremely low power case enhances the battery life of the end devices by two times over the SEO protocol for a payload size of 222 bytes due to using a negligible hash chain key generation compared with the digital certificate authentication that is used in the SEO protocol.
Figure 20 shows the TTL comparison of the proposed protocol cases and other compared protocols using a Spread Factor of 7 that extends the battery life to a couple of years, compared with the worst-case scenario with SF 12. For the best-case scenario of SF 7, the battery life is extended to 7 years in LoRaWAN for a payload size of 51 and decreased to 5 years for a payload size of 222 bytes. The extremely low power protocol case extends the battery life by two times compared with the SEO protocol for a payload size of 222 bytes. SEO introduces 126 bytes security overhead to establish end-to-end security between the end device and network server that extends the time on the air and consumes the battery power very quickly.
The advantages of the proposed protocol are summarized as follows:
The proposed key management protocol introduces a little computation overhead compared with the original LoRaWAN to enhance the security by generating salts random values and n authentication keys;
The two proposed cases outperform the SEO and DO protocols in terms of time on the air and battery life;
The proposed key management protocol uses a negligible hash chain generation that supports security with low power consumption;
The proposed protocol uses salt encryption that hides the originally generated keys in different forms and prevents physical attacks;
The proposed protocol protects the network from replay attacks by including a fresh timestamp per each transmitted message;
For various IoT applications, where high-security levels and battery lifetime are traded off, our protocol can be configured as demanded. For example, test results for two cases (low power, extremely low power) are presented;
The proposed protocol can be implemented in extremely low power mode. For example, case 2 can further reduce the power consumption over case 1 by reducing the security overhead from 20 bytes to 10 bytes;
The proposed protocol enhances the security level of the IoT networks at a little sacrifice in power consumption.