Published on

Dear Students
Ingenious techno Solution offers an expertise guidance on you Final Year IEEE & Non- IEEE Projects on the following domain
For further details contact us:
044-42046028 or 8428302179.

Ingenious Techno Solution
#241/85, 4th floor
Rangarajapuram main road,
Kodambakkam (Power House)

Published in: Education, Technology, Business
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. 994 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010 VEBEK: Virtual Energy-Based Encryption and Keying for Wireless Sensor Networks Arif Selcuk Uluagac, Student Member, IEEE, Raheem A. Beyah, Senior Member, IEEE, Yingshu Li, Member, IEEE, and John A. Copeland, Fellow, IEEE Abstract—Designing cost-efficient, secure network protocols for Wireless Sensor Networks (WSNs) is a challenging problem because sensors are resource-limited wireless devices. Since the communication cost is the most dominant factor in a sensor’s energy consumption, we introduce an energy-efficient Virtual Energy-Based Encryption and Keying (VEBEK) scheme for WSNs that significantly reduces the number of transmissions needed for rekeying to avoid stale keys. In addition to the goal of saving energy, minimal transmission is imperative for some military applications of WSNs where an adversary could be monitoring the wireless spectrum. VEBEK is a secure communication framework where sensed data is encoded using a scheme based on a permutation code generated via the RC4 encryption mechanism. The key to the RC4 encryption mechanism dynamically changes as a function of the residual virtual energy of the sensor. Thus, a one-time dynamic key is employed for one packet only and different keys are used for the successive packets of the stream. The intermediate nodes along the path to the sink are able to verify the authenticity and integrity of the incoming packets using a predicted value of the key generated by the sender’s virtual energy, thus requiring no need for specific rekeying messages. VEBEK is able to efficiently detect and filter false data injected into the network by malicious outsiders. The VEBEK framework consists of two operational modes (VEBEK-I and VEBEK-II), each of which is optimal for different scenarios. In VEBEK-I, each node monitors its one-hop neighbors where VEBEK-II statistically monitors downstream nodes. We have evaluated VEBEK’s feasibility and performance analytically and through simulations. Our results show that VEBEK, without incurring transmission overhead (increasing packet size or sending control messages for rekeying), is able to eliminate malicious data from the network in an energy- efficient manner. We also show that our framework performs better than other comparable schemes in the literature with an overall 60-100 percent improvement in energy savings without the assumption of a reliable medium access control layer. Index Terms—Security, WSN security, VEBEK, virtual energy-based keying, resource-constrained devices. Ç1 INTRODUCTIONR APIDLY developedWSN technology is no longer nascent and will be used in a variety of application scenarios.Typical application areas include environmental, military, troop movement, evacuation, and first response deploy- ment) [3]. Protocols should be resilient against false data injected into the network by malicious nodes. Otherwise,and commercial enterprises [1]. For example, in a battlefield consequences for propagating false data or redundant datascenario, sensors may be used to detect the location of are costly, depleting limited network resources and wastingenemy sniper fire or to detect harmful chemical agents response efforts.before they reach troops. In another potential scenario, However, securing sensor networks poses unique chal-sensor nodes forming a network under water could be used lenges to protocol builders because these tiny wirelessfor oceanographic data collection, pollution monitoring, devices are deployed in large numbers, usually in unattendedassisted navigation, military surveillance, and mine recon- environments, and are severely limited in their capabilitiesnaissance operations. Future improvements in technology and resources (e.g., power, computational capacity, andwill bring more sensor applications into our daily lives and memory). For instance, a typical sensor [4] operates at thethe use of sensors will also evolve from merely capturing frequency of 2.4 GHz, has a data rate of 250 Kbps, 128 KB ofdata to a system that can be used for real-time compound program flash memory, 512 KB of memory for measure-event alerting [2]. ments, transmit power between 100 W and 1 mW, and a From a security standpoint, it is very important to communications range of 30 to 100 m. Therefore, protocolprovide authentic and accurate data to surrounding sensor builders must be cautious about utilizing the limitednodes and to the sink to trigger time-critical responses (e.g., resources onboard the sensors efficiently. In this paper, we focus on keying mechanisms for WSNs. There are two fundamental key management schemes for. A.S. Uluagac and J.A. Copeland are with the School of Electrical and WSNs: static and dynamic. In static key management Computer Engineering, Georgia Institute of Technology, Communications Systems Center (CSC) Lab, KACB 266 Ferst Drive Room. #3361, Atlanta, schemes, key management functions (i.e., key generation GA 30332. E-mail:, and distribution) are handled statically. That is, the sensors. R.A. Beyah and Y. Li are with the Department of Computer Science, have a fixed number of keys loaded either prior to or Georgia State University, 34 Peachtree Street, Atlanta, GA 30303. shortly after network deployment. On the other hand, E-mail: {rbeyah, yli} dynamic key management schemes perform keying func-Manuscript received 1 July 2009; revised 6 Nov. 2009; accepted 3 Dec. 2009; tions (rekeying) either periodically or on demand as neededpublished online 16 Mar. 2010.For information on obtaining reprints of this article, please send e-mail to: by the network. The sensors dynamically exchange keys, and reference IEEECS Log Number TMC-2009-07-0265. communicate. Although dynamic schemes are more attack-Digital Object Identifier no. 10.1109/TMC.2010.51. resilient than static ones, one significant disadvantage is 1536-1233/10/$26.00 ß 2010 IEEE Published by the IEEE CS, CASS, ComSoc, IES, SPS Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.
  2. 2. ULUAGAC ET AL.: VEBEK: VIRTUAL ENERGY-BASED ENCRYPTION AND KEYING FOR WIRELESS SENSOR NETWORKS 995that they increase the communication overhead due to keys more energy efficient than other comparable schemes in thebeing refreshed or redistributed from time to time in the literature with an overall 60-100 percent There are many reasons for key refreshment, The paper proceeds as follows: To motivate our work, aincluding: updating keys after a key revocation has preliminary analysis of the rekeying cost with and withoutoccurred, refreshing the key such that it does not become explicit control messages is given in Section 2. Section 3stale, or changing keys due to dynamic changes in the discusses the semantics of VEBEK. VEBEK’s differenttopology. In this paper, we seek to minimize the overhead operational modes are discussed in Section 4. An analyticalassociated with refreshing keys to avoid them becoming framework and performance evaluation results including astale. Because the communication cost is the most dominant comparison with other relevant works are given in Section 5.factor in a sensor’s energy consumption [5], [6], the message Section 6 summarizes the design rationale and benefits of thetransmission cost for rekeying is an important issue in a VEBEK framework. Related work is presented in Section 7.WSN deployment (as analyzed in the next section). Finally, Section 8 concludes the paper.Furthermore, for certain WSN applications (e.g., militaryapplications), it may be very important to minimize thenumber of messages to decrease the probability of detection 2 BACKGROUND AND MOTIVATIONif deployed in an enemy territory. That is, being less One significant aspect of confidentiality research in WSNs“chatty” intuitively decreases the number of opportunities entails designing efficient key management schemes. This isfor malicious entities to eavesdrop or intercept packets. because regardless of the encryption mechanism chosen for The purpose of this paper is to develop an efficient and WSNs, the keys must be made available to the commu-secure communication framework for WSN applications. nicating nodes (e.g., sources and sink(s)). The keys could beSpecifically, in this paper, we introduce Virtual Energy- distributed to the sensors before the network deploymentBased Encryption and Keying (VEBEK) for WSNs, which is or they could be redistributed (rekeying) to nodes onprimarily inspired by our previous work [7]. VEBEK’s demand as triggered by keying events. The former is staticsecure communication framework provides a technique to key [8] management and the latter is dynamic key [9]verify data in line and drop false packets from malicious management. There are myriads of variations of these basicnodes, thus maintaining the health of the sensor network. schemes in the literature. In this work, we only considerVEBEK dynamically updates keys without exchanging dynamic keying mechanisms in our analysis since VEBEKmessages for key renewals and embeds integrity into uses the dynamic keying paradigm. The main motivationpackets as opposed to enlarging the packet by appending behind VEBEK is that the communication cost is the mostmessage authentication codes (MACs). Specifically, each dominant factor in a sensor’s energy consumption [5], [6].sensed data is protected using a simple encoding scheme Thus, in this section, we present a simple analysis for thebased on a permutation code generated with the RC4 rekeying cost with and without the transmission of explicitencryption scheme and sent toward the sink. The key to the control messages. Rekeying with control messages is theencryption scheme dynamically changes as a function of approach of existing dynamic keying schemes whereasthe residual virtual energy of the sensor, thus requiring no rekeying without extra control messages is the primaryneed for rekeying. Therefore, a one-time dynamic key is feature of the VEBEK framework.used for one message generated by the source sensor and Dynamic keying schemes go through the phase ofdifferent keys are used for the successive packets of the rekeying either periodically or on demand as needed bystream. The nodes forwarding the data along the path to the the network to refresh the security of the system. Withsink are able to verify the authenticity and integrity of the rekeying, the sensors dynamically exchange keys that aredata and to provide nonrepudiation. The protocol is able tocontinue its operations under dire communication cases as used for securing the communication. Hence, the energyit may be operating in a high-error-prone deployment area cost function for the keying process from a source sensor tolike under water. VEBEK unbundles key generation from the sink while sending a message on a particular path withother security services, namely authentication, integrity, dynamic key-based schemes can be written as followsand nonrepudiation; thus, its flexible modular architecture (assuming computation cost, Ecomp , would approximatelyallows for adoption of other encryption mechanisms if be fixed):desired. The contributions of this paper are as follows: À Á EDyn ¼ EKdisc þ Ecomp à E½h Š à ; ð1Þ 1. a dynamic en route filtering mechanism that does not exchange explicit control messages for rekey- where is the number of packets in a message, is the key ing; refresh rate in packets per key, EKdisc is the cost of shared- 2. provision of one-time keys for each packet trans- key discovery with the next hop sensor after initial mitted to avoid stale keys; deployment, and E½h Š is the expected number of hops. In 3. a modular and flexible security architecture with a the dynamic key-based schemes, may change periodically, simple technique for ensuring authenticity, integrity, on demand, or after a node-compromise. A good analytical and nonrepudiation of data without enlarging lower bound for E½h Š is given in [10] as packets with MACs; and D À tr 4. a robust secure communication framework that is E½h Š ¼ þ 1; ð2Þ operational in dire communication situations and E½dh Š over unreliable medium access control layers. where D is the end-to-end distance (m) between the sinkBoth analytical and simulation results verify the feasibility and the source sensor node, tr is the approximatedof VEBEK. We also illustrate that VEBEK is significantly transmission range (m), and E½dh Š is the expected hop Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.
  3. 3. 996 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010 Fig. 2. Modular structure of VEBEK framework. 3 SEMANTICS OF VEBEKFig. 1. Keying cost of dynamic key-based schemes based on E½nhŠ The VEBEK framework is comprised of three modules:versus VEBEK. Virtual Energy-Based Keying, Crypto, and Forwarding. The virtual energy-based keying process involves the creation of dynamic keys. Contrary to other dynamic keyingdistance (m) [11]. An accurate estimation of E½dh Š can be schemes, it does not exchange extra messages to establishfound in [11]. Finally, EKdisc , can be written as follows: keys. A sensor node computes keys based on its residual EKdisc ¼ fE½Ne Š à Enode Þ Ã M À 2 à Enode g; ð3Þ virtual energy of the sensor. The key is then fed into the crypto module. The crypto module in VEBEK employs a simple encoding Enode ¼ Etx þ Erx þ Ecomp ; ð4Þ process, which is essentially the process of permutation ofwhere Enode is the approximate cost per node for key the bits in the packet according to the dynamically createdgeneration and transmission, E½Ne Š is the expected number permutation code generated via RC4. The encoding is aof neighbors for a given sensor, M is the number of key simple encryption mechanism adopted for VEBEK. How-establishment messages between two nodes, and Etx and ever, VEBEK’s flexible architecture allows for adoption ofErx are the energy cost of transmission and reception, stronger encryption mechanisms in lieu of encoding.respectively. Given the transmission range of sensors Last, the forwarding module handles the process of(assuming bidirectional communication links for simpli- sending or receiving of encoded packets along the path tocity), tr , total deployment area, A, total number of sensors the sink. A high-level view of the VEBEK framework and itsdeployed, N, E½Ne Š can be computed as underlying modules are shown in Fig. 2. These modules are N à à t2 r explained in further detail below. Important notations used E½Ne Š ¼ : ð5Þ are given in Table 1. AOn the other hand, VEBEK does rekeying without messages. 3.1 Virtual Energy-Based Keying ModuleThere are two operational modes of VEBEK (VEBEK-I and The virtual energy-based keying module of the VEBEKVEBEK-II). The details of these modes are given in Section 4. framework is one of the primary contributions of this paper.However, for now it suffices to know that VEBEK-I is It is essentially the method used for handling the keyingrepresentative of a dynamic system without rekeying process. It produces a dynamic key that is then fed into themessages, but with some initial neighborhood info exchange crypto module.whereas VEBEK-II is a dynamic system without rekeying In VEBEK, each sensor node has a certain virtual energymessages and without any initial neighborhood info ex- value when it is first deployed in the network. The rationalechange. Using the energy values given in [4], Fig. 1 shows the for using virtual energy as opposed to real battery levels asanalytical results for the above expressions. For both VEBEK in our earlier work, DEEF [7], is that in reality battery levelsmodes, we assume there would be a fixed cost of Ecomp 1 may fluctuate and the differences in battery levels acrossbecause VEBEK does not exchange messages to refresh keys, nodes may spur synchronization problems, which canbut for VEBEK-I, we also included the cost of EKdisc . cause packet drops. These concerns have been addressed With this initial analysis, we see that dynamic key-based in VEBEK and are discussed in detail in the performanceschemes, in this scenario, spend a large amount of their evaluation section (Section 5).energy transmitting rekeying messages. With this observa- After deployment, sensor nodes traverse several func-tion, the VEBEK framework is motivated to provide the tional states. The states mainly include node-stay-alive,same benefits of dynamic key-based schemes, but with low packet reception, transmission, encoding, and decoding. Asenergy consumption. It does not exchange extra control each of these actions occur, the virtual energy in a sensormessages for key renewal. Hence, energy is only consumed node is depleted. The current value of the virtual energy, Evc ,for generating the keys necessary for protecting the in the node is used as the key to the key generation function,communication. The keys are dynamic; thus, one key per F . During the initial deployment, each sensor node will havepacket is employed. This makes VEBEK more resilient to the same energy level Eini , therefore, the initial key, K1 , is acertain attacks (e.g., replay attacks, brute-force attacks, and function of the initial virtual energy value and an initializa-masquerade attacks). tion vector (IV ). The IV s are predistributed to the sensors. Subsequent keys, Kj , are a function of the current virtual 1. A more rigorous analysis is presented in Section 5. energy, Evc , and the previous key KjÀ1 . VEBEK’s virtual Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.
  4. 4. ULUAGAC ET AL.: VEBEK: VIRTUAL ENERGY-BASED ENCRYPTION AND KEYING FOR WIRELESS SENSOR NETWORKS 997 TABLE 1 Notations Usedenergy-based keying module ensures that each detected as a node’s responsibility for monitoring and filtering packetspacket2 is associated with a new unique key generated based coming from a certain (configurable) number of sensor nodes,on the transient value of the virtual energy. After the Á r, where r ¼ N. is used to denote the watching operation.dynamic key is generated, it is passed to the crypto module, Definition 2. Given a sensor node i, the total number of watchedwhere the desired security services are implemented. Theprocess of key generation is initiated when data is sensed; nodes, r, which the node is configured to watch, constitutes athus, no explicit mechanism is needed to refresh or update watching list, W Li for node i and W Li ¼ ð1; 2; . . . ; rÞ.keys. Moreover, the dynamic nature of the keys makes it Node i watches node k if IDk 2 W Li .difficult for attackers to intercept enough packets to breakthe encoding algorithm. The details are given in Algorithm 1. Deciding which nodes to watch and how many depends onAs mentioned above, each node computes and updates the the preferred configuration of the VEBEK authenticationtransient value of its virtual energy after performing some algorithm, which we designate as the operational mode ofactions. Each action (or state traversal) on a node is the framework. Specifically, we propose two operationalassociated with a certain predetermined cost. Since a sensor modes VEBEK-I and VEBEK-II and they are discussed innode will be either forwarding some other sensor’s data or the next section.injecting its own data into the network, the set of actions and When an event is detected by a source sensor, that nodetheir associated energies for VEBEK includes packet recep- has remained alive for t units of time since the last event (ortion (Erx ), packet transmission (Etx ), packet encoding (Eenc ), since the network deployment if this is the first eventpacket decoding (Edec ) energies, and the energy required to detected). After detection of the event, the node sends thekeep a node alive in the idle state (Ea ).3 Specifically, the l-bit length packet toward the sink. In this case, thetransient value of the virtual energy, Ev , is computed by following is the virtual cost associated with the source node:decrementing the total of these predefined associated costs, Evc ¼ l à ðetx þ eenc Þ þ t à ea þ Esynch : ð6ÞEvc , from the previous virtual energy value. In the case where a node receives data from another node,Algorithm 1. Compute Dynamic Key the virtual perceived energy value can be updated by 1: ComputeDynamicKey(Evc ; IDclr ) decrementing the cost associated with the actions per- 2: begin formed by the sending node using the following cost 3: j txIDclr cnt equation. Thus, assuming that the receiving node has the 4: if j ¼ 1 then initial virtual energy value of the sending node and that the 5: Kj F ðEini ; IV Þ packet is successfully received and decoded associated with 6: else a given source sensor, k, the virtual cost of the perceived 7: Kj F ðKðjÀ1Þ ; Evc Þ energy is computed as follows: 8: end if k Ep ¼ l à ðerx þ edec þ etx þ eenc Þ þ t à 2 à ea ; ð7Þ 9: return Kj10: end where in both the equations, the small es refer to the one bit The exact procedure to compute virtual cost, Evc , slightly energy costs of the associated parameter. However, Esynch indiffers if a sensor node is the originator of the data or the (6) refers to a value to synchronize the source with theforwarder (i.e., receiver of data from another sensor). In watcher-forwarders toward the sink as watcher-forwarderorder to successfully decode and authenticate a packet, a nodes spend more virtual energy due to packet receptionreceiving node must keep track of the energy of the sending and decoding operations, which are not present in sourcenode to derive the key needed for decoding. In VEBEK, the nodes. Hence, Esynch ¼ l à ðerx þ edec Þ þ ea à t. The watchingoperation of tracking the energy of the sending node at the concept is illustrated with an example in Fig. 3. In the figure,receiver is called watching and the energy value that is there is one source sensor node, A, and other nodes B, C,associated with the watched sensor is called Virtual and D are located along the path to the sink. Every nodePerceived Energy (Ep ) as in [7]. More formal definitions for watches its downstream node, i.e., B watches A (B A), CÁwatching are given as follows: Á Á watches B (C B), and D watches C (D C). All the nodes have the initial virtual energy of 2,000 mJ and as packets areDefinition 1. Given a finite number of sensor nodes, N inserted into the network from the source node (A) over (N ¼ f1; . . . ; Ng), deployed in a region, watching is defined time, nodes decrement their virtual energy values. For instance, as shown in Fig. 3, node A starts with the value of 2. Indeed, the same key can be used for a certain number of 2,000 mJ as the first key to encode the packet (key generationtransmissions, n, to further save energy. 3. The set of actions can be extended to include other actions depending based on the virtual energies is explained in the cryptoon the WSN application or functionality of the network. module). Node A sends the first packet and decrements its Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.
  5. 5. 998 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010 TABLE 2 Example Encoding OperationsFig. 3. An illustration of the watching concept with forwarding.Fig. 4. An illustration of the use of RC4 encryption mechanism inVEBEK.virtual energy to 1,998 mJ. After node B receives this firstpacket, it uses the virtual perceived energy value(Ep ¼ 2;000 mJ) as the key to decode the packet, andupdates its Ep (1,998 mJ) after sending the packet. Whenthe packet travels up to the sink, the virtual energy becomes Fig. 5. Illustration of a sample encoding operation. (a) i þ t þ d bit stringa shared dynamic cryptic credential among the nodes. before permutation. (b) Example encoding operations. (c) Example3.2 Crypto Module permutation code value. (d) i þ t þ d bit string after permutation.Due to the resource constraints of WSNs, traditional digital is responsible for generating the dynamic key according tosignatures or encryption mechanisms requiring expensivecryptography is not viable. The scheme must be simple, yet the residual virtual energy level. The resultant permuta-effective. Thus, in this section, we introduce a simple tion code is used to encode the hIDjtypejdatai message.encoding operation similar to that used in [7]. The encoding Then, an additional copy of the ID is also transmitted inoperation is essentially the process of permutation of the the clear along with the encoded message. The format ofbits in the packet, according to the dynamically created the final packet to be transmitted becomes P acket ¼permutation code via the RC4 encryption mechanism. The ½ID; fID; type; datagk Š where fxgk constitutes encoding xkey to RC4 is created by the previous module (virtual with key k. Thus, instead of the traditional approach ofenergy-based keying module). The purpose of the crypto sending the hash value (e.g., message digests and messagemodule is to provide simple confidentiality of the packet authentication codes) along with the information to beheader and payload while ensuring the authenticity and sent, we use the result of the permutation code valueintegrity of sensed data without incurring transmission locally. When the next node along the path to the sinkoverhead of traditional schemes. However, since the key receives the packet, it generates the local permutationgeneration and handling process is done in another module, code to decode the packet.VEBEK’s flexible architecture allows for adoption of Another significant step in the crypto module involvesstronger encryption mechanisms in lieu of encoding. how the permutation code dictates the details of the The packets in VEBEK consists of the ID (i-bits), type encoding and decoding operations over the fields of the(t-bits) (assuming each node has a type identifier), and packet when generated by a source sensor or received by adata (d-bits) fields. Each node sends these to its next hop. forwarder sensor.However, the sensors’ ID, type, and the sensed data are Specifically, the permutation code P can be mapped to atransmitted in a pseudorandom fashion according to the set of actions to be taken on the data stream combination.result of RC4. More specifically, the RC4 encryption As an example, the actions and their corresponding bitalgorithm takes the key and the packet fields (byte-by- values can include simple operations such as shift, inter-byte) as inputs and produces the result as a permutation leaving, taking the 1’s complement, etc. Other examplecode as depicted in Fig. 4. The concatenation of each 8-bit operations can be seen in Table 2.output becomes the resultant permutation code. As For example, if a node computed the following permuta-mentioned earlier, the key to the RC4 mechanism is taken tion code P ¼ f1100100101g, the string in Fig. 5a becomesfrom the core virtual energy-based keying module, which the string in Fig. 5d before it is transmitted. The receiver Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.
  6. 6. ULUAGAC ET AL.: VEBEK: VIRTUAL ENERGY-BASED ENCRYPTION AND KEYING FOR WIRELESS SENSOR NETWORKS 999will perform the same operations (since the inputs to RC4 energy value associated with the current sending node is onlyare stored and updated on each sensor) to accurately updated if this node has performed encoding on the packet.decode the packet. To ensure correctness, the receivercompares the plaintext ID with the decoded ID. Moreover, Algorithm 2. Forwarding Node Algorithm withalthough it is theoretically possible (1 in 2iþtþd ) for a hacker Communication Error Handlingto accurately inject data, it becomes increasingly unlikely as 1: Forwarder(currentNode; W atchedNode; UpstreamNode)the packet grows. 2: begin The benefits of this simple encoding scheme are: 1) since 3: i currentNode; enc 0; W Li W atchListthere is no hash code or message digest to transmit, the 4: k W atchedNode; src 0; j 0packet size does not grow, avoiding bandwidth overhead 5: Erxi ; hIDclr ; fmsggK i ReceiveP acketðÞon an already resource-constrained network, thus increas- 6: if IDclr 2 W Li thening the network lifetime, 2) the technique is simple, thus 7: while ðkeyF ound ¼ 0Þandðj ¼ thresHoldÞ doideal for devices with limited resources (e.g., PDAs), and 8: Epik F etchV irtualEnergyði; IDclr ; enc; srcÞ3) the input to the RC4 encryption mechanism, namely, the 9: K ComputeDynamicKeyðEpi ; IDclr Þkkey, changes dynamically without sending control mes- 10: Pc RC4ðK; IDclr Þsages to rekey. 11: Edeci ; MsgID decodeðP c; fmsggK Þ3.3 Forwarding Module 12: if IDclr ¼ MsgID thenThe final module in the VEBEK communication architecture 13: keyF ound trueis the forwarding module. The forwarding module is 14: elseresponsible for the sending of packets (reports) initiated at 15: jþþthe current node (source node) or received packets from other k k 16: Epi Epi À Etxi À Eenci À Erxi À Edeci À 2 à Eaisensors (forwarding nodes) along the path to the sink. The 17: end ifreports traverse the network through forwarding nodes and 18: end whilefinally reach the terminating node, the sink. The operations 19: if keyF ound ¼ true thenof the forwarding module are explained in this section. 20: if j 1 then 21: reEncode true3.3.1 Source Node Algorithm 22: elseWhen an event is detected by a source node, the next step is 23: if Ebi 0 thenfor the report to be secured. The source node uses the localvirtual energy value and an IV (or previous key value if not 24: reEncode truethe first transmission) to construct the next key. As 25: elsediscussed earlier, this dynamic key generation process is 26: reEncode falseprimarily handled by the VEBEK module. The source 27: end ifsensor fetches the current value of the virtual energy from 28: end ifthe VEBEK module. Then, the key is used as input into the 29: if reEncode ¼ true thenRC4 algorithm inside the crypto module to create a 30: enc 1permutation code for encoding the hIDjtypejdatai message. 31: E bi F etchV irtualEnergyði; IDclr ; enc; srcÞThe encoded message and the cleartext ID of the originating 32: K ComputeDynamicKeyðEbi ; IDclr Þnode are transmitted to the next hop (forwarding node or 33: Pc RC4ðK; IDclr Þsink) using the following format: ½ID; fID; type; datagP c Š, 34: Eenci ; fmsggP c encodeðP c; msgÞwhere fxgP c constitutes encoding x with permutation code 35: packet hIDclr ; fmsggP c iP c. The local virtual energy value is updated and stored for 36: Etxi ForwardPacketðÞuse with the transmission of the next report. 37: E bi Ebi À Etxi À Eenci À Erxi À Edeci À 2 à Eai3.3.2 Forwarder Node Algorithm 38: elseOnce the forwarding node receives the packet it will first 39: ForwardPacket() //Without any modificationcheck its watch-list to determine if the packet came from a 40: end ifnode it is watching. If the node is not being watched by the 41: elsecurrent node, the packet is forwarded without modification 42: DropPacket() //Packet not validor authentication. Although this node performed actions on 43: end ifthe packet (received and forwarded the packet), its local 44: elsevirtual perceived energy value is not updated. This is done to 45: ForwardPacket() //Without any modificationmaintain synchronization with nodes watching it further up 46: end ifthe route. If the node is being watched by the current node, 47: endthe forwarding node checks the associated current virtualenergy record (Algorithm 2) stored for the sending node andextracts the energy value to derive the key. It then 3.3.3 Addressing Communication Errors via Virtualauthenticates the message by decoding the message and Bridge Energycomparing the plaintext node ID with the encoded node ID. If In VEBEK, to authenticate a packet, a node must keep trackthe packet is authentic, an updated virtual energy value is of the virtual energy of the sending node to derive the keystored in the record associated with the sending node. If the needed for decoding. Ideally, once the authenticating nodepacket is not authentic it is discarded. Again, the virtual has the initial virtual energy value of the sending node, the Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.
  7. 7. 1000 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010value can be updated by decrementing the cost associated records the newest perceived energy value and associates itwith the actions performed by the sending node using the with the sender node (lines 7-18 in Algorithm 2). Thiscost equations defined in the previous sections on every approach may also be helpful in severe packet loss casessuccessful packet reception. However, communication (i.e., bursty errors) by just properly configuring theerrors may cause some of the packets to be lost or dropped. virtualKeySearchThreshold value. However, if the watcherSome errors may be due to the deployment region (e.g., node exhausts all of the virtual energies within theunderwater shadow zones) while operating on unreliable threshold, it then classifies the packet as malicious.underlying protocols (e.g., medium access control protocol). The combined use of virtual perceived and bridgeFor instance, ACK or data packets can be lost and the sender energies assure the continued synchronization of the net-may not be able to determine which one actually was lost. work as whole. The forwarding node algorithm including theMoreover, malicious packets inserted by attackers who handling of communication errors is shown in Algorithm 2.impersonate legitimate sensors will be dropped intention-ally by other legitimate sensors to filter the bad data out ofthe network. In such communication errors or intentional 4 OPERATIONAL MODES OF VEBEKpacket drop cases, the virtual energy value used to encode The VEBEK protocol provides three security services:the next data packet at the sending node may differ from the Authentication, integrity, and nonrepudiation. The funda-virtual energy value that is stored for the sending node at its mental notion behind providing these services is thecorresponding watching node. Specifically, the node that watching mechanism described before. The watchingshould have received the dropped packet and the nodes mechanism requires nodes to store one or more recordsabove that node on the path to the sink lose synchronization (i.e., current virtual energy level, virtual bridge energywith the nodes below (because the upper portion never sees values, and Node-Id) to be able to compute the dynamicthe lost packet and does not know to decrement the virtual keys used by the source sensor nodes, to decode packets,energy associated with servicing the lost transmission). If and to catch erroneous packets either due to communica-another packet was to be forwarded by the current watching tion problems or potential attacks. However, there are costsnode using its current virtual energy, the upstream node(s) (communication, computation, and storage) associated withthat watch this particular node would discard the packet. providing these services. In reality, applications may haveThus, this situation needs to be resolved for proper different security requirements. For instance, the securityfunctioning of the VEBEK framework. need of a military WSN application (e.g., surveiling a To resolve potential loss of packets due to possible portion of a combat zone) may be higher than that of acommunication errors in the network, all the nodes are civilian application (e.g., collecting temperature data from aconfigured to store an additional virtual energy value, national park). The VEBEK framework also considers thiswhich we refer to as the Virtual Bridge Energy, Ebi , value to need for flexibility and thus, supports two operationalallow resynchronization (bridging) of the network at the modes: VEBEK-I and VEBEK-II. The operational mode ofnext watching sensor node that determines that packets VEBEK determines the number of nodes a particular sensorwere lost. node must watch. Depending on the vigilance requiredDefinition 3. Given a node, i, bridging is defined as the process inside the network, either of the operational modes can be of encoding the incoming packet coming from any sensor node configured for WSN applications. The details of both in W Li for the upstream sensor node, j, with the key generated operational modes are given below. The performance using the local copy of Ebi . evaluation of both modes is given in Section 5. That is, as subsequent packets generated from the node 4.1 VEBEK-Iof interest pass through the next watching node, the next In the VEBEK-I operational mode, all nodes watch theirwatching node will decode the packet with the virtual neighbors; whenever a packet is received from a neighborperceived energy key of the originating node and reencode sensor node, it is decoded and its authenticity and integritythe packet with the virtual bridge energy key, thus, the are verified. Only legitimate packets are forwarded towardnetwork will be kept synchronized. It is important to note the sink. In this mode, we assume there exists a shortthat once this value is activated for a watched node, it will window of time at initial deployment that an adversary isbe always used for packets coming from that node and used not able to compromise the network, because it takes timeeven if an error does not occur for the later transmissions of for an attacker to capture a node or get keys. During thisthe same watched node. The watching node always updates period, route initialization information may be used by eachand uses this parameter to keep the network bridged. node to decide which node to watch and a record r is stored Another pertinent point is the determination of packet for each of its one-hop neighbors in its watch-list. To obtainloss by the first upstream watching node who will bridge a neighbor’s initial energy value, a network-wise master keythe network. The VEBEK framework is designed to avoid can be used to transmit this value during this period similarextra messages and not increase the packet size to to the shared-key discovery phase of other dynamic keydetermine packet loss in the network. Thus, the next management schemes. Alternatively, sensors can be pre-watching node tries to find the correct value of the virtual loaded with the initial energy value.perceived energy for the key within a window of virtual When an event occurs and a report is generated, it isenergies. For this, a sensor is configured with a certain encoded as a function of a dynamic key based on theVirtualKeySearchThreshold value. That is, the watching node virtual energy of the originating node and transmitted.decrements the predefined virtual energy value from the When the packet arrives at the next-hop node, thecurrent perceived energy at most virtualKeySearchThres- forwarding node extracts the key of the sending node (thishold times. When the node extracts the key successfully, it could be the originating node or another forwarding node) Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.
  8. 8. ULUAGAC ET AL.: VEBEK: VIRTUAL ENERGY-BASED ENCRYPTION AND KEYING FOR WIRELESS SENSOR NETWORKS 1001from its record. (The virtual perceived energy value (where it is detected). However, in contrast to the VEBEK-Iassociated with the sending node and decodes the packet.) mode, it reduces the processing overhead (because lessAfter the packet is decoded successfully, the plaintext ID is reencoding is performed and decoding is not performed atcompared with the decoded ID. In this process, if the every hop). The trade-off is that an illegitimate packet mayforwarding node is not able to extract the key successfully, traverse several hops before being dropped. The effective-it will decrement the predefined virtual energy value from ness of this scheme depends primarily on the value r, thethe current perceived energy (line 16 in Algorithm 2) and number of nodes that each node watches. Note that in thistries another key before classifying the packet as malicious scheme, reencoding is not done at forwarding nodes unless(because packet drops may have occurred due to commu- they are bridging the network.nication errors). This process is repeated several times;however, the total number of trials that are needed toclassify a packet as malicious is actually governed by the 5 PERFORMANCE ANALYSISvalue of virtualKeySearchThreshold. If the packet is In this section, we evaluate the effectiveness of the VEBEKauthentic, and this hop is not the final hop, the packet is framework via both simulations and analysis.reencoded by the forwarding node with its own keyderived from its current virtual bridge energy level. If the 5.1 Assumptionspacket is illegitimate, the packet is discarded. This process Due to the broadcast nature of the wireless medium used incontinues until the packet reaches the sink. Accordingly, sensor networks, attackers may try to eavesdrop, intercept,illegitimate traffic is filtered before it enters the network. or inject false messages. In this paper, we mainly consider Reencoding at every hop refreshes the strength of the the false injection and eavesdropping of messages from anencoding. Recall that the general packet structure is outside malicious node; hence, similar to [12], insider½ID; fID; type; datagk Š. To accommodate this scheme, the attacks are outside the scope of this paper. This attacker isID will always be the ID of the current node and the key is thought to have the correct frequency, protocol, andderived from the current node’s local virtual bridge energy possibly a spoofed valid node ID. Throughout this work,value. If the location of the originating node that generated the following assumptions are also made:the report is desired, the packet structure can be modified toretain the ID of the originating node and the ID of the . Directed Diffusion [14] routing protocol is used, butforwarding node. others such as [15] can also be used. According to VEBEK-I reduces the transmission overhead as it will be specifics of Directed Diffusion, after the sink asks forable to catch malicious packets in the next hop, but data via interest messages, a routing path isincreases processing overhead because of the decode/ established from the sources in the event region toencode that occurs at each hop. the sink. We assume that the path is fixed during the delivery of the data and the route setup is secure.4.2 VEBEK-II . The routing algorithm is deployed on an unreliableIn the VEBEK-II operational mode, nodes in the network are medium access control protocol. The network mayconfigured to only watch some of the nodes in the network. experience ACK or data packet drops.Each node randomly picks r nodes to monitor and stores . The sensor network is densely populated such thatthe corresponding state before deployment. As a packet multiple sensors observe and generate reports forleaves the source node (originating node or forwarding the same event.node) it passes through node(s) that watch it probabilisti- . Sensors are assumed to have the same communicationcally. Thus, VEBEK-II is a statistical filtering approach like ranges and may have different initial battery supplies.SEF [12] and DEF [13]. If the current node is not watchingthe node that generated the packet, the packet is forwarded. 5.2 Simulation ParametersIf the node that generated the packet is being watched by We use the Georgia Tech Sensor Network Simulatorthe current node, the packet is decoded and the plaintext ID (GTSNetS) [16], which is an event-based object-orientedis compared with the decoded ID. Similar to VEBEK-I, if the sensor network simulator with C++, as our simulationwatcher-forwarder node cannot find the key successfully, it platform to perform the analysis of the VEBEK commu-will try as many keys as the value of virtualKeySearch- nication framework. The topology used for the simulation isThreshold before actually classifying the packet as mal- shown in Fig. 6, while the parameters used in theicious. If the packet is authentic, and this hop is not the final simulation are summarized in Tables 3 and 4. Nodes weredestination, the original packet is forwarded unless the distributed randomly in the deployment region and onnode is currently bridging the network. In the bridging case, average, the distance between the source nodes and the sinkthe original packet is reencoded with the virtual bridge was around 25-35 hops. The virtualKeySearchThresholdenergy and forwarded. Since this node is bridging the value was 15 [17]. The energy costs for different operationsnetwork, both virtual and perceived energy values are in the table are computed based on the values given in [4].decremented accordingly. If the packet is illegitimate, However, the costs for encoding and decoding operationswhich is classified as such after exhausting all the virtual are computed based on the reported values of theperceived energy values within the virtualKeySearchThres- implementation of RC4 [18] on real sensor devices.hold window, the packet is discarded. This processcontinues until the packet reaches the sink. 5.3 Attack Resilience This operational mode has more transmission overhead In this section, the performance of VEBEK is analyzed whenbecause packets from a malicious node may or may not be there are malicious source nodes in the data collection fieldcaught by a watcher node and they may reach the sink who insert bad packets into the network. Specifically, the Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.
  9. 9. 1002 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010 Fig. 7. Theoretical and simulation results with varying number of watched nodes.Fig. 6. Simulation topology with GTSNetS. TABLE 3 General Simulation Parameters TABLE 4 Energy Related Parameters Fig. 8. Comparison of filtering efficiency for VEBEK-I and VEBEK-II with varying number of malicious nodes. (PdropÀII ) is a function of the effectiveness of the watching nodes as well as the ability for a hacker to correctly guess the encoded packet structure. Accordingly, the probability of detecting and dropping a false packet at one hop whenanalytical basis of the VEBEK framework’s resilience randomly choosing r records (nodes to watch) is:against malicious activities is formulated. Then, thistheoretical basis is verified with the simulation results. We r PdropÀII ¼ Ã ð1 À Pforge Þ: ð10Þcompare VEBEK-I and VEBEK-II considering the drop Nprobability versus number of hops. We also take a closer Thus, the probability to detect and drop the packet whenlook at VEBEK-II and how it is affected by the parameter, r choosing r records after h hops is:(the number of records). In VEBEK-I and VEBEK-II, in order for an attacker to be PdropÀII ¼ 1 À ð1 À PdropÀII Þh : r;h ð11Þable to successfully inject a false packet, an attacker mustforge the packet encoding (which is a result of dynamically Moreover, even if one false packet successfully makes it tocreated permutation code via RC4). Given that the complex- the sink, we assume that the sink has enough resources toity of the packet is 2l , where l is the sum of the ID, TYPE, determine which data to process and accept.and DATA fields in the packet, the probability of an Fig. 7 shows both the theoretical and simulation resultsattacker correctly forging the packet is: for VEBEK-II based on the above equations for a varying number of watched nodes, r, in the WSN. Note that 1 1 VEBEK-I is not shown in this figure because it eliminates Pforge ¼ ¼ : ð8Þ 2packetsize 2l malicious data immediately. The x-axis represents theAccordingly, the probability of the hacker incorrectly number of hops a malicious packet travels before it has been detected and taken out of the network. As can be seenforging the packet, and therefore, the packet being dropped from the figure, VEBEK-II is able to eliminate malicious(pdropÀI ) is: packets from the WSN within 15 hops with 0.5 probability PdropÀI ¼ 1 À Pforge : ð9Þ when nodes watch 25 randomly chosen nodes (r value). However, if more storage is available on the sensors, thenSince VEBEK-I authenticates at every hop, forged packets VEBEK-II can detect and remove malicious packets withinwill always be dropped at the first hop with a probability 15 hops with 0.90 probability when r is 60. A similar trend isof PdropÀI . observed in the same figure with the simulation results. On the other hand, VEBEK-II statistically drops packets On the other hand, Fig. 8 presents the comparison ofalong the route. Thus, the drop probability for VEBEK-II VEBEK-I (VI in the figure) and VEBEK-II (VII in the figure) Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.
  10. 10. ULUAGAC ET AL.: VEBEK: VIRTUAL ENERGY-BASED ENCRYPTION AND KEYING FOR WIRELESS SENSOR NETWORKS 1003Fig. 9. (a) Computation costs (Attack-Scenario-1). (b) Transmissions costs (Attack-Scenario-1). (c) Total energy cost (Attack-Scenario-1).via simulation in terms of their filtering efficiency. The x-axis watch, where EF Ww ¼ EF W and EF Wnw ¼ Erx þEtx þEsa . Hence,represents the number of watched nodes (r) that each node is the average cost to transmit a packet using VEBEK-II is:configured to watch in VEBEK-II and the y-axis shows thepercent of in-network malicious packet dropped with EF WII ¼ ESo þ ðE½hw Š à EF Ww Þ þ ðE½hnw Š à EF Wnw Þ; ð15Þvarying number of malicious nodes in the simulation. As where E½hw Š and E½hnw Š represent the expected numberexpected, we see that VEBEK-I is always able to filter of nodes along the path who are watcher and nonwatchermalicious packets from the network with its 100 percent nodes, respectively. The values for these expectations canfiltering efficiency. This is mainly due to the fact that be computed given the total expected number of hopsmalicious packets are immediately taken out from the with E½h Š from (2), where E½h Š ¼ E½hw Š þ E½hnw Š fornetwork at the next hop. However, the filtering efficiency i ¼ 1; 2; 3; . . . ; h .of VEBEK-II is closely related to the number of nodes (r) that Let Xi ¼ 1 if the ith sensor is a watcher and let Xi ¼ 0,each node watches. The more nodes watched by other nodes, otherwise for a given path to the sink with probabilitiesthe more efficient VEBEK-II is with filtering malicious data. P fp ¼ 1g ¼ N , P fq ¼ 0g ¼ NÀr , and N sensors. Then, Xi $ rAdditionally, as seen when r is equal to 40, it is possible to Nachieve almost 90 percent filtering efficiency. This particular BernoulliðpÞ i.i.d. random variables and hw ¼ X1 þ Á Á Á þ Xh .observation with VEBEK-II is significant because for some # ## X h XhWSN applications, energy can be saved by properly E½hw Š ¼ E Xi ¼ E E Xi jh : ð16Þconfiguring the r parameter. Finally, with respect to Fig. 8, i¼1 i¼1we observe that the VEBEK framework is independent of the Hence, by the independence of Xi and h ;number of malicious nodes as the framework still filters themalicious data from the network successfully. r E½hw Š ¼ E½h Š à E½Xi Š ¼ à E½h Š: ð17Þ N5.4 Energy Consumption of VEBEK-I and VEBEK-IIIn this section, we look at the associated costs to transmit With a similar reasoning, an expression for the expectedvalid data in VEBEK-I and VEBEK-II. number of nonwatchers, E½hnw Š, can be written as follows: In both operational modes, there is a single cost (ESo ) to N Àrstay-alive, sense the event, encode the packet, and transmit E½hnw Š ¼ E½h Š à E½Xi Š ¼ à E½h Š: ð18Þ Nthe packet (Esa ; Esens ; Eenc ; Etx ) at the source sensor. Thus, Implementing these costs inside the GTSNetS simulator, we ESo ¼ Esens þ Eenc þ Etx þ Esa : ð12Þ have evaluated the energy performance of the scheme both for VEBEK-I and VEBEK-II and plotted the results. In all theAdditionally, there is a recurring forwarding cost (EF W ) to figures, the x-axis represents the number of malicious nodesmarshal the packet through the network depending on the while the y-axis is the energy consumption. Different valuesnumber of hops. In VEBEK-I, this cost is for the number of watched nodes (r) were analyzed for EF W ¼ Erx þ Edec þ Eenc þ Etx þ Esa ð13Þ VEBEK-II. Furthermore, two attack scenarios were consid- ered: Attack-Scenario-1 and Attack-Scenario-2. VEBEK-Ifor all of the intermediate nodes since all of the nodes and VEBEK-II are abbreviated as VI and VII in the figures.perform the same operations. Hence, the average cost to In Attack-Scenario-1, less powerful malicious nodes aretransmit a packet in VEBEK-I using E½h Š from (2) is: assumed. The total number of healthy source nodes that collect the event information and send it toward the sink is EF WI ¼ ESo þ ðE½h Š à EF W Þ: ð14Þ assumed to be fixed, whereas the number of malicious nodesOn the other hand, in VEBEK-II, the cost of EF WII consists of are increased over time. Letting i be the number of healthyEF Ww and EF Wnw for variable fractions of the forwarding source nodes and j be the number of malicious nodes, innodes depending on the number of nodes each node chose to Attack-Scenario-1, j i, where i ¼ n and n 0. Figs. 9a, 9b, Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.
  11. 11. 1004 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010Fig. 10. (a) Computation costs (Attack-Scenario-2). (b) Transmissions costs (Attack-Scenario-2). (c) Total energy costs (Attack-Scenario-2).and 9c show the results for Attack-Scenario-1. As seen from to observe the same patterns as Attack-Scenario-1. The onlythe computation costs (i.e., Eenc and Edec ) (Fig. 9a), VEBEK- difference is the downward slope with some of the plots.II’s consumption is less than that of VEBEK-I. The primary This is attributed to the fact that the ratio of the healthyreason for this behavior stems from decoding and reencod- traffic diminishes in this attack scenario as the number ofing of packets at every hop in the network for VEBEK-I. Also, bad packets increases due to the number of malicious nodesas the number of watched nodes (r) increases, VEBEK-II’s in the network.computation cost increases because more packets are So, if a more secure application is desired or if the WSNprocessed for the filtering operation. On the other hand, application is deployed in an hostile environment, thenthe more malicious nodes in the system, the more resources VEBEK-I is recommended because VEBEK-I providesare consumed to filter the increased number of malicious security services at every hop. VEBEK-I also watches fewerpackets in the network. As for the transmission costs (i.e., Etx nodes in comparison to VEBEK-II. Thus, the lower storageand Erx ) in Fig. 9b, VEBEK-I is better as the nodes are able to requirement (i.e., fewer watched nodes) and providingcatch and drop malicious packets and do not let malicious security at every hop make VEBEK-I well suitable forpackets traverse the network. As r decreases, fewer nodes military WSN applications where immediate reaction toare watched by the sensors. Thus, the transmission cost enemy units is necessary. However, the downside of theincreases in the network because more traffic traverses the VEBEK-I operational mode is its high processing costs. Onnetwork as a result of less filtering capability with smaller r the other hand, if the deployment region is expected to be avalues. Furthermore, as the number of malicious nodes relatively safe environment, which may be true for someincreases in the network, the transmission cost increases due civilian WSN applications, then VEBEK-II can be more malicious traffic. Finally, analyzing the results for But, as discussed above, to provide a comparable level ofthe total energy consumption, we see that the total energy vigilance to the network, this operational mode uses muchconsumption in the network exhibits a similar behavior as more storage than VEBEK-I.transmission costs because the overall energy consumptionis greatly dominated by the transmission costs. Moreover, 5.5 Comparison of VEBEK-II with Other Statisticalwe observe that the total energy consumption for VEBEK-II Schemesis smaller than VEBEK-I up to a certain number of malicious In this section, we evaluate the energy performance ofnodes (1 and 2) for certain values of r (all watching values at VEBEK-II with other “en-route dynamic filtering” works in1 malicious node; and watching values of 30, 40, and 60 at the literature. We focus on statistical schemes because they2 malicious nodes). The implication of this result is have received a lot of attention in recent years. Specifically,interesting. If the deployment region is a relatively safe we compare the expected energy costs of DEF [13], SEF [12],environment (2 malicious nodes in our scenario), a similar and STEF [19]4 with that of VEBEK-II because VEBEK-II isfiltering efficiency of VEBEK-I can be achieved using the statistical mode of the VEBEK framework. First, weVEBEK-II (100 percent for VEBEK-I versus 99 percent for briefly summarize each protocol and discuss their draw-VEBEK-II with r ¼ 60) (Fig. 8) if more storage is available on backs. Then, the comparison results are presented. Anthe nodes. This can be accomplished while consuming less illustration of each protocol is given in Fig. than VEBEK-I (3,400 mJ for VEBEK-I versus 2,800 mJ In the Dynamic En-route Filtering (DEF) scheme by Yufor VEBEK-II). and Guan [13], a legitimate report is endorsed by multiple In Attack-Scenario-2, more powerful malicious nodes are sensing nodes using their own authentication keys. Beforeassumed. For instance, they can jam the signal and not deployment, each node is preloaded with a seed authenti-allow healthy nodes to transmit. Over time, more powerful cation key and l þ 1 secret keys randomly chosen from anodes are assumed to replace the number of healthy source global key pool. Before sending reports, the cluster headnodes. Hence, j ¼ 0; 1; 2; . . . ; n and i ¼ n; n À 1; n À 2; . . . ; 0where again n 0. Figs. 10a, 10b, and 10c present the 4. Although STEF is not a statistical approach, we included in ourresults for Attack-Scenario-2. In all the figures, it is possible comparison because it is a relevant en route filtering study. Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.
  12. 12. ULUAGAC ET AL.: VEBEK: VIRTUAL ENERGY-BASED ENCRYPTION AND KEYING FOR WIRELESS SENSOR NETWORKS 1005Fig. 11. Illustrations of (a) DEF, (b) SEF, and (c) STEF.disseminates the authentication keys to forwarding nodes hashing and encryption mechanisms would use MD5 andencrypted with secret keys that will be used for endorsing. RC4, respectively. The real sensor implementation values forThe forwarding nodes stores the keys if they can decrypt these crypto mechanisms are taken from [18] and [20].them successfully. Later, cluster heads send authentication Another necessary assumption was that all protocols wouldkeys to validate the reports. The DEF scheme involves the work in perfect communication cases without packet lossusage of authentication keys and secret keys to disseminatethe authentication keys; hence, it uses many keys and is because only the VEBEK framework has been designed withcomplicated for resource-limited sensors. handling communication error cases and it would not be Ye et al., proposed statistical en-route filtering (SEF) [12]. meaningful to compare VEBEK with others when others wereIn SEF, each sensing report is validated by multiple keyed not designed to handle errors. As can be seen, VEBEK-II ismessage authentication codes. Specifically, each node is better than all the schemes, exhibiting a performanceequipped with some number of keys that are drawn improvement of 60-100 percent in energy consumption thanrandomly from the global key pool. First, a center of stimulus the closest scheme, SEF. We note that all other schemesis selected among the source sensor nodes in the event provide a nice framework for filtering malicious data enregion. Then, once a report is generated by a source node, a route; however, the other schemes exchange many messages,MAC is appended to the report. Next, another upstream involve the use of many keys, and do not have anynode that has the same key as the source can verify the mechanism to cope with packet loss.validity of the MAC and filters the packet if the MAC is Moreover, we analyze how VEBEK improves the syn-invalid. However, the downside of SEF is that the nodes must chronization problems that may occur due to communica-store keys and packets are enlarged by MACs. Although the tion errors in our previous work, DEEF [7]. Since DEEF isauthors suggest the use of bloom-filters to decrease the MAC based on generating communication keys with real batteryoverhead, SEF is a static key-based scheme and it inherits all levels, packet drops may cause the nodes to easily loosethe downsides of static key management schemes. synchronization with other nodes along the path to the sink. The scheme, Secure Ticket-Based En-route Filtering To analyze the synchronization problem, we define synchro-(STEF) [19], by Krauss et al., proposes using a ticket concept, nization ratio as a metric to measure the performance of thewhere tickets are issued by the sink and packets are only VEBEK framework during packet drops. Specifically, weforwarded if they contain a valid ticket. If a packet does not denote the synchronization ratio, ’, as follows:contain a valid ticket, it is immediately filtered out. STEF issimilar in nature to SEF and DEF. The packets contain aMAC and cluster heads share keys with their immediatesource sensor nodes in their vicinity and with the sink. Thedownside of STEF is its one way communication in thedownstream for the ticket traversal to the cluster head. Since DEF and SEF are probabilistic schemes, a compar-ison of each scheme with VEBEK-II in terms of their energyconsumption is presented in Fig. 12. The results are generatedfor one round of communication from a source node to thesink, which is assumed to be located n hops away from thesource node. The x-axis represents the hop count and isvaried, while the y-axis is the energy. To simplify thecomparisons, we assumed that all the nodes in DEF, SEF,and VEBEK-II would have the necessary keying materialwith 0.7 probability to do the desired security featuresimposed by the specific protocol in a benign environment (nomalicious nodes). We also assumed that the protocols that use Fig. 12. Comparison of VEBEK, DEF [13], SEF [12], and STEF [19]. Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.
  13. 13. 1006 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010 across nodes may spur synchronization problems, which can cause packet drops. Second, VEBEK integrates handling of communication errors into its logic, which is missing in DEEF. Last, VEBEK is implemented based on a realistic WSN routing protocol, i.e., Directed Diffusion [14], while DEEF articulates the topic only theoretically. Another crucial idea of this paper is the notion of sharing a dynamic cryptic credential (i.e., virtual energy) among the sensors. A similar approach was suggested inside the SPINS study [24] via the SNEP protocol. In particular, nodes share a secret counter when generating keys and it is updated for every new key. However, the SNEP protocolFig. 13. Synchronization ratio of nodes along the path to the sink. does not consider dropped packets in the network due to hw communication errors. Although another study, Minisec X i [25], recognizes this issue, the solution suggested by the ’¼ ; ð19Þ i¼1 i þ i study still increases the packet size by including some parts of a counter value into the packet structure. Finally, onewhere i is the node, is the number of forwarded-watched useful pertinent work [6] surveys cryptographic primitivespackets, is the number of dropped-watched packets, and and implementations for sensor nodes.hw is the number of watcher nodes between the source andthe sink. Fig. 13 presents the simulation results of thesynchronization ratio with respect to DEEF and VEBEK. As 7 CONCLUSION AND FUTURE WORKcan be seen, VEBEK outperforms DEEF and it is able to Communication is very costly for wireless sensor networkskeep its synchronization even in dire communication (WSNs) and for certain WSN applications. Independent ofscenarios. The x-axis is the the percent of the packets that the goal of saving energy, it may be very important toare dropped due to communication errors. minimize the exchange of messages (e.g., military scenar- ios). To address these concerns, we presented a secure6 RELATED WORK communication framework for WSNs called Virtual Energy- Based Encryption and Keying.En route dynamic filtering of malicious packets has been In comparison with other key management schemes,the focus of several studies, including DEF by Yu and Guan VEBEK has the following benefits: 1) it does not exchange[13], SEF, [12], and STEF [19]. As the details are given in the control messages for key renewals and is therefore able toperformance evaluation section (Section 5) where they were save more energy and is less chatty, 2) it uses one key percompared with the VEBEK framework, the reader is message so successive packets of the stream use differentreferred to that section for further details as not to replicate keys—making VEBEK more resilient to certain attacks (e.g.,the same information here. Moreover, Ma’s work [21] replay attacks, brute-force attacks, and masquerade at-applies the same filtering concept at the sink and utilizes tacks), and 3) it unbundles key generation from securitypackets with multiple MACs appended. A work [22] services, providing a flexible modular architecture thatproposed by Hyun and Kim uses relative location informa- allows for an easy adoption of different key-based encryp-tion to make the compromised data meaningless and to tion or hashing schemes.protect the data without cryptographic methods. In [23], We have evaluated VEBEK’s feasibility and perfor-using static pairwise keys and two MACs appended to the mance through both theoretical analysis and simulations.sensor reports, “an interleaved hop-by-hop authentication Our results show that different operational modes ofscheme for filtering of injected false data” was proposed by VEBEK (I and II) can be configured to provide optimalZhu et al. to address both the insider and outsider threats. performance in a variety of network configurationsHowever, the common downside of all these schemes is depending largely on the application of the sensor net-that they are complicated for resource-constrained sensors work. We also compared the energy performance of ourand they either utilize many keys or they transmit many framework with other en route malicious data filteringmessages in the network, which increases the energy schemes. Our results show that VEBEK performs better (inconsumption of WSNs. Also, these studies have not been the worst case between 60-100 percent improvement indesigned to handle dire communication scenarios unlike energy savings) than others while providing support forVEBEK. Another significant observation with all of these communication error handling, which was not the focus ofworks is that a realistic energy analysis of the protocols was earlier studies. Our future work will address insider threats and dynamic paths.not presented. Last, the concept of dynamic energy-basedencoding and filtering was originally introduced by theDEEF [7] framework. Essentially, VEBEK has been largely REFERENCESinspired by DEEF. However, VEBEK improves DEEF in [1] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci,several ways. First, VEBEK utilizes virtual energy in place “Wireless Sensor Networks: A Survey,” Computer Networks,of actual battery levels to create dynamic keys. VEBEK’s vol. 38, no. 4, pp. 393-422, Mar. 2002. [2] C. Vu, R. Beyah, and Y. Li, “A Composite Event Detection inapproach is more reasonable because in real life, battery Wireless Sensor Networks,” Proc. IEEE Int’l Performance, Comput-levels may fluctuate and the differences in battery levels ing, and Comm. Conf. (IPCCC ’07), Apr. 2007. Authorized licensed use limited to: Asha Das. Downloaded on June 17,2010 at 06:02:04 UTC from IEEE Xplore. Restrictions apply.