Ad Hoc Networks - College of William & Mary

Ad Hoc Networks xxx (2011) xxx–xxx

Contents lists available at ScienceDirect

Ad Hoc Networks

journal homepage: www.elsevier .com/locate /adhoc

Achieving distributed user access control in sensor networks

Haodong Wang a,⇑, Qun Li b

a Department of Computer and Information Science, Cleveland State University, Cleveland, OH 44115, United Statesb Department of Computer Science, College of William and Mary, Williamsburg, VA 23187-8795, United States

a r t i c l e i n f o a b s t r a c t

Article history:Received 20 April 2009Received in revised form 4 December 2009Accepted 25 January 2011Available online xxxx

Keywords:Sensor networksUser access controlPublic key cryptographyElliptic Curve Cryptography

1570-8705/$ - see front matter � 2011 Published bdoi:10.1016/j.adhoc.2011.01.011

⇑ Corresponding author. Tel.: +1 804 338 5573.E-mail addresses: [email protected] (H. W

edu (Q. Li).

Please cite this article in press as: H. Wang,doi:10.1016/j.adhoc.2011.01.011

User access control in sensor networks defines a process of granting user an access right tothe stored information. It is essential for future real sensor network deployment in whichsensors may provide users with different services in terms of data and resource accesses. Acentralized access control mechanism requires the base station to be involved whenever auser requests to get authenticated and access the information stored in the sensor node,which is inefficient, not scalable, and is exposed to many potential attacks along long com-munication paths. In this paper, we propose a distributed user access control under a real-istic adversary model in which sensors can be compromised and user may collude. We splitthe access control into local authentication conducted by a group of sensors physicallyclose to a user, and a light remote authentication based on the endorsement of the localsensors. We implement the access control protocols on a testbed of TelosB motes. Our anal-ysis and experimental results show that our schemes are feasible for real access controlrequirements.

� 2011 Published by Elsevier B.V.

1. Introduction

Access control defines a process of identifying users andgranting them the access right to information or resources.A sensor network is a computing platform for users to col-lect data, transmit data, and process data. The access con-trol pertaining to sensor network predominantly aims toprotect the network usage and collected data. Unautho-rized users should not be allowed to use the network sincenetwork bandwidth is very limited and, more importantly,the battery power of each node may be depleted aftermalicious users aggressively send messages to thenetwork. The data collected or processed, many times,are classified so that data of different classifications requiredifferent authorizations for legitimated accesses. Forexample, a high-rank officer may need to know moreinformation about the field deployment than a soldier. Inanother scenario, the information with the same classifica-

y Elsevier B.V.

ang), [email protected].

Q. Li, Achieving distribute

tion may be physically or logically compartmented accord-ing to its other properties, such as ownership, so that theaccess to the data has to be verified for the correspondingproperties. An example would be a user is authorized to ac-cess the data from the sensors in his own office, but notother people’s offices.

To achieve access control, it is essential for sensor nodesto authenticate the identities of the requester. This paperaims to explore an efficient and secure authenticationscheme for sensor nodes. A natural way for the authentica-tion check is to use a centralized mechanism. After receiv-ing a request, the sensor node sends the user informationto the base station. Then the base station decides whetherthe access is granted or not and replies to the sensor node.This solution may yield a good security result because ofthe fact that a base station is considered secure, and com-munication channels between sensors and the base stationare assumed secure. However, this scheme suffers two ma-jor problems. First, the centralized authentication requiresat least one round-trip communication between a sensorand a base station. If a number of users are accessing thenetwork at the same time, the authentication traffic may

d user access control in sensor networks, Ad Hoc Netw. (2011),

http://dx.doi.org/10.1016/j.adhoc.2011.01.011

mailto:[email protected]

mailto:[email protected]. edu

mailto:[email protected]. edu


http://www.sciencedirect.com/science/journal/15708705

http://www.elsevier.com/locate/adhoc


2 H. Wang, Q. Li / Ad Hoc Networks xxx (2011) xxx–xxx

easily cause network congestion. Second, this authentica-tion pattern is vulnerable to adversary DoS attacks. Sensornodes have no knowledge about user access right untilthey get replies from the base station. An adversary caneasily launch DoS attacks by forging a large number of useraccess requests, which will in-turn trigger the sameamount of authentication requests. The resulting authenti-cation traffic will saturate the network and quickly depletethe sensor power.

This paper gives a thorough exploration for sensor net-work data access control problems in a general setting. Weconsider a data access scenario that a user can access in-network stored data at any location from anywhere in anetwork, which includes local data accesses from users’nearby sensors and remote data accesses. Moreover, weconsider the access control problem in a much harsherenvironment in which users may collude and sensorsmay be compromised. Compromised sensors can get theinformation from user authentication processes and maydisclose this information to an adversary, which maypotentially help the adversary to gain more access privi-leges. Colluding users may analyze their information anddesign a scheme to counteract the access control system.Besides, we also addresses node duplication attacks andDoS attacks by inundating authentication messages tothe network.

It is our belief that our general data access model andrealistic adversary threat model define a very realisticproblem for future sensor deployment. Our work has fol-lowing four contributions. First, we propose a practicaland scalable certificate-based local authentication. Publickey cryptography (PKC) eliminates the complicated keymanagement and pre-distribution required by symmetrickey schemes, and provides a very clean interface betweenusers and sensors. The advantage of certificate-basedauthentication is that sensors do not need the storage forusers’ public keys or a third party for public key verifica-tion. Users’ public keys can be constructed from their cer-tificates and published system information. Second, wepropose a novel group endorsement scheme to authenti-cate a user locally by a group of sensors and transfer theendorsement to a remote sensor. This scheme is resilientto the compromise of a limited number of sensors andthe DoS attack launched in a form of remote access re-quests. Third, our scheme eliminates the possibility of usercollusion attacks. The polynomial based secret sharingscheme proposed in [23] suffers user collusion attacks.The collusion by a number of users can easily reconstructthe secret polynomial and reveal the system secrecy. Ourcertificate-based authentication is resilient to any user col-lusion attack. Fourth, we show our schemes are feasible ina real sensor network deployment. We have implementedboth local authentication and remote authentications onTelosB motes, which are based on our implementation of160-bit ECC security primitives.

2. Related work

Sensor network security has received the greatattention. Message authentication is an important security

Please cite this article in press as: H. Wang, Q. Li, Achieving distributedoi:10.1016/j.adhoc.2011.01.011

component, and can also be a part of user access controlcontext. Perrig et al. [12] constructed lTesla and intro-duced the asymmetric mechanism through a delayed sym-metric keys disclosure: the base station broadcasts anencrypted message first, and then releases the secret keyin scheduled time frame. Wang et al. proposed a public-key based approach and allow sensors to authenticatethe broadcast messages in a distributed way. The similarschemes are also proposed in [20,25,22]. The distinctionof user access control is that a secure channel between auser and accessed sensors has to be established. Messageauthentication schemes, however, generally do not havesuch requirement.

To establish a secret communication channel, a user andthe accessed sensor need to share a common secret, suchas a pairwise key. Eschenauer and Gligor proposed a ran-dom graph based key pre-distribution scheme [6]. Thescheme assigns each sensor a random subset of keys froma large key pool, and allows any two nodes to find onecommon key and use that key as their shared symmetrickey. Based on their contribution, a number of researches[3,5,9,21,16,17] have been delivered to strengthen thesecurity and improve the efficiency. In above schemes,each sensor has to hold a subset of system secret informa-tion. This requirement is not appropriate for user accesscontrol. The reason is that the users, the components out-side of sensor networks, may collude together by sharingtheir partial secret shares and aggregate the informationto subvert the system security.

The most related research to the user access control is[23,10,14,24]. Zhang et al. [23] proposed several schemesto restrict and revoke the access privilege of a mobile sink.Their approaches are based on Blundo’s scheme to estab-lish secret key between a mobile sink and sensor nodes,and then use Merkle tree technique to reduce the over-head. The limitation of the scheme is that the moving trackof the mobile sink has to be predetermined by the base sta-tion. In comparison, our schemes address a more generaluser/sensor communication problem. The mobile sink canbe regarded as one type of special users in our schemes.The restriction of the scheme in [10] is the assumption thatrequires no security attack during the initial networkdeployment period. While the public key based access con-trol schemes proposed in [14,24] are resilient to varioussecurity attacks, the cost is unfortunately very high. Thescheme in [14] needs the support of a centralized server,and the bilinear pairing scheme in [24] is too expensivefor resource constrained sensors.

3. System model

We consider a large scale wireless sensor network de-ployed in a variety of environments, e.g., at a hostile battle-field, in an office building, or in a national park. Dataaccesses to the stored data on each node are protectedaccording to the attributes of the data, e.g., data type, datalocation, data collection time, and so on. For a specific data,only authorized users are allowed to access from the stor-ing node. Since data are distributed in the entire networkinstead of in a central position, data protection by relying



H. Wang, Q. Li / Ad Hoc Networks xxx (2011) xxx–xxx 3

on a powerful base station with all data access authoriza-tion information and computational power is not practical.Instead, data access authorization should be done in a dis-tributed fashion. After the user access right is verified, thedata access is granted and the data content is delivered tothe user.

A user equipped with a powerful computing device,such as a PDA, interacts with the sensor network for dataquery and possibly network control, such as network pro-visioning or resetting. The PDA is an interface for the userto interact with the sensor network. Since the PDA is morepowerful than sensor nodes, it is capable of more computa-tionally intensive tasks. Users can query data at any loca-tion in the network through multi-hop sensor node relay.The data access capability, however, must be granted bya central authorization center. A data access list is associ-ated with the user about the types, locations, and the dura-tions of the authorized data access. This information isencrypted in a way that the user is unable to forge andcan be efficiently authenticated by sensors that receivethe access requests.

The sensor network is managed by a CertificationAuthority (CA), which is responsible for generating allsecurity primitives (i.e. random numbers, one-way hashfunction, access list) and revoking users’ access privilegeif necessary. CA distributes secret keys through the basestation. To access a sensor network, users need to applyfor the access permission from CA. CA maintains a user ac-cess list pool and associated user identifications. The accesslist defines the user’s access privilege. A typical access listis composed of uid and user access privilege mask. uid is aunique number that identifies a user. user access privilegemask is a number of binary bits; each bit represents a spe-cific information or service. An access list example isshown in Fig. 1. CA issues a proper access list to each appli-cant. The information stored at each sensor node is dividedinto multiple access privilege levels. The user with a loweraccess privilege is not allowed to access the informationthat requires a higher privilege. We assume users can se-curely acquire their access lists from CA through out-of-band secure communication channels. Once a user passesthe authentication check, the accessed sensor nodes pro-vide their stored information to the user. If the requiredinformation is not available locally, for the reason we willdiscuss later, a group of sensor nodes have to collaborateand request the information from a remote sensor thatholds the information.

In this paper, the adversary is assumed to be able tolaunch various attacks to access the data that is not autho-rized to him. We not only consider the common attackingschemes, including message eavesdropping and messagereply, we also focus on more hazard attacks, such as sensornode compromise and user collusion. We assume the

64 : 23 : 00 : 07 : E9 : 26 : F1 : A5

privilege mask timestampuid

Fig. 1. A typical user access list.


adversary can capture all information stored after captur-ing a sensor. It is even worse that the adversary may injecthis own program to the compromised sensors, which, un-der the control of the adversary, pretend to be trustworthygaining as much information as possible. A user may alsocollude with the adversary for mutual benefits by attackingthe access control system. The base station and CA, how-ever, cannot be compromised.

In particular, we consider the following two potentialattacks. First, compromised sensors may capture userinformation and give to an unauthorized user so that theadversary may access data by impersonating another user.Second, user collusion may help malicious users to subvertthe system and gain more access right than that of anyoneamong the colluding group. We assume that at most t sen-sors can be compromised. The assumption is reasonablebecause compromising sensors takes time and efforts. Onthe other hand, we assume unbounded number of userscan collude since it is not hard for mischievous users toshare information and orchestrate an aggregated analysisto the collected information. The fact that a compromisedsensor is hard to identify prevents a user from trustingany of the sensors. A user may have to disclose informationfor authentication, but the revealed information has to bespecific to the sensor in contact and should not be usedfor authentication at another sensor.

We do not explicitly address the introduction of dupli-cated compromised sensors. However, since the duplicatedcompromised sensors do not reveal more information tothe adversary, our carefully designed protocols do not al-low the adversary to access the data from an uncompro-mised sensor.

4. Proposed access control schemes

A user may request data stored locally or in a distantsensor. We first define following two types of sensor nodes.The sensor nodes which are directly within the communi-cation range of a user are called local sensors. The sensorswhich cannot establish direct communication links with auser but hold the requested data are called remote sensors.

In this section, we first propose a PKC-based local accesscontrol scheme. Then we develop a remote access controlapproach (we assume that the ID of the remote sensorfor data access is known by some scheme that is beyondthe scope of this paper, e.g., resource discovery or geo-graphic location-based routing). We provide the securityanalysis for the both schemes. Finally, we give a discussionregarding resource discovery and user certificate issuing.

4.1. PKC-based local authentication

PKC has been used extensively in data encryption, digi-tal signature, and user authentication. Compared withmany symmetric-key schemes proposed sensor networks,PKC provides a more flexible and simple interface requir-ing no complicated key pre-distribution and managementas normally required in symmetric-key schemes. It is apopular belief, however, in sensor network researchcommunity that public-key cryptography is not practical




because the required computational intensity is not suit-able for resource constrained sensor nodes. The recent pro-gress in Elliptic Curve Cryptography (ECC) implementationon small devices, however, proves the public key is viableon resource constrained sensors. It is reported [7] thatthe ECC point multiplication only takes less than one sec-ond on Atmel ATmega128 processor, an 8-bit and 8 MHzCPU.

We present our ECC based local authentication schemeas follows. Certification authority (CA) selects a particularelliptic curve over a finite field GF(p) (where p is a largeprime), and publishes base point P with order q (where qis also a large prime). CA picks a random number x 2 GF(q)as the system private key, and publishes the correspondingpublic key Q = x � P. Given point P and Q, it is computation-ally infeasible to get system secret x.

A straightforward user authentication scheme can bedescribed as follows. A user uses her private key to signher access list and sends to a local sensor. The sensor ver-ifies the signature by using user’s public key. However, it isdifficult for the sensor to find an trusted third party to ver-ify that the user is who she claims to be. To solve this prob-lem, we adopt the certificate-based authentication in ourlocal authentication scheme. To access the sensor network,a user has to present her certificate first. Based on the cer-tificate, the sensor generates the user public key, and thenuses it to encrypt a random number as the challenge. Asuccessful response proves that the user is legitimate.

To access the data stored in the sensor network, theuser comes to CA to apply for an access permission. CApicks a random number cA 2 GF(p), and then calculatesthe user’s public key constructor CA = cA � P. Based on theuser’s request, CA issues a proper access control list acA,and attaches it to public key constructor CA as the certifi-cate. Meanwhile, a digest eA is generated for the access list,where eA = H(TA) (H is a {0,1}⁄? {0,1}q hash function),where TA = CAkacA (k is the concatenation). Then, CA con-structs the user’s private key qA = eAcA + x and public keyQA = eA � CA + Q. Note qA and QA satisfy QA = qA � P. Finally,the user holds qA, QA and TA. We assume above procedure isconducted at an out-of-band secure channel.

The user authentication protocol is illustrated in Fig. 2.We denote sl as a local sensor. When a user approaches asensor node sl, she sends her access request with access listTA. Given access list TA, sl constructs the public keyQA = eA � CA + Q. To verify that the user indeed holds pri-vate key qA, sl starts the following challenge procedure.First, sl selects a random number r 2 GF(p) (to be used as

Fig. 2. User access list authentication protocol. We let sl be the localsensor, TA be the user certificate, which includes a public-key constructorCA and an access list acA.


the session key with the user), and calculate its digestH(r) over GF(q). Second, sl generates a temporary publickey Yr = H(r) � P, and computes Zr = H(r) � QA. Third, sl en-crypts the session key by doing an XOR operation r � X(Zr),where X(Zr) is the X coordinate of point Zr. Finally, sl sendsciphertext hzr, Yri to the user, attached with the encryptionof a nonce NA. We denote ENC(k,M) as an encryption on Mby using the secret key k. Similarly, we denote DEC(k,C) asa decryption on ciphertext C by the secret key k.

With her private key qA, the user can regenerate Zr be-cause qA � Yr = qA � H(r) � P = H(r) � QA = Zr. She then de-crypts session key r = zr � X(Zr), and verifies if Yr equals toH(r) � P. If yes, She uses r as the session key to encryptthe nonce NA concatenated with her access privilege acA,and sends to sl.

Local sensor sl decrypts the ciphertext and verifies NA

and acA. A successful verification proves that the user isthe legitimate owner of access list TA. Finally, sl repliesthe information requested by the user, which again is en-crypted by the session key r.

4.2. Remote access control

In remote access control, the remote sensor node cannotdirectly contact the user due to the limitation of radiotransmission range. Therefore, the user query has to travelmultiple hops to reach the remote sensor. With this com-munication pattern, the authentication scheme used in lo-cal access control cannot be applied to remote accesscontrol. In other words, it is improper for the user to di-rectly contact the remote sensor. Otherwise, the adversarycan easily take the advantage and launch the bogus datainjection attack to deplete the sensor network. We thus de-velop a remote access scheme that uses local sensors to en-dorse the user query to the remote sensor. It is widelyaccepted [11,12] that a single sensor node cannot betrusted. In our scheme, the user’s remote access requesthas to be endorsed by k local sensor nodes, where k is asystem parameter. We assume the adversary cannot com-promise k sensors at a time. Any user remote access querywithout k local endorsements will be dropped immediatelyby either forwarding sensor nodes or the remote sensor. Acaveat is that some sensors may be compromised if a validuser cannot be authenticated by a group of sensors. In thatcase, the user can move to find another group of sensors forauthentication or report the failure to the base station foranalysis.

The above local sensor endorsement raises a new secu-rity challenge: how does the remote sensor verify that theuser is indeed endorsed by k local sensors? If each localendorsing sensor can share a secret with the remote sensor,then the endorsement can be easily verified by the remotesensor. We use the polynomial-based scheme for secretsharing between the local and remote sensors. More spe-cifically, CA randomly generates a bivariate t-degree poly-nomial f ðx; yÞ ¼

Pti;j¼0aijxiyj over the finite field GF(q). The

polynomial has the symmetric property such that f(x,y) =f(y,x). To endorse a user access list, each local sensor canencrypt the access list with the key shared with the remotesensor, computed by substituting x and y with the sensorIDs. This scheme, however, has to provide the remote




sensor with the IDs of the local sensors for verification,which leads to a long message. To reduce the message size,we adopt the following optimization. Before the deploy-ment, sensor nodes are divided into k groups {g1,g2, . . . ,gk},where gj(1 6 j 6 k) is a group ID. From now on, we denote asensor node as s

gj

i , where si is the sensor id, and gj is thegroup ID. During configuration procedure, each sensor s

gj

i

is pre-loaded with two shares of the polynomial, f(x,si)and f(x,gj). Given the remote sensor ID sr, a local sensor s

gj

i

can establish a pairwise key with the remote sensor byplugging sr in f(x,gj). Similarly, the remote sensor can alsogenerate the pairwise key by plugging group ID gj in itsf(x,sr). By using group ID instead of sensor ID, we canachieve a shorter message due to a small number ofgroups. For the remote sensor to check the authenticationlist, we attach a bitmap in the message showing whichgroup IDs are used for authentication. We incorporatethe remote sensor ID in the polynomial computation ratherthan the group ID of the remote sensor to avoid the attackdue to the scenario that a compromised sensor has thesame group ID with the remote sensor and then can decodethe shared keys between the local sensors and the remotesensor.

The remote access control protocol is described in Fig. 3.To start a remote access procedure, a user has to find kendorsing sensors s

gj

i such that no two sensors have thesame group ID. In the beginning, the user broadcasts aremote access request. The local sensors receiving therequest reply with their group IDs. Then, the user select klocal sensors with different group IDs to form an endorsingsensor group. Note that the user may have to broadcast therequest several times due to the possible transmissioncollisions. After the endorsing group is formed, eachendorsing sensor performs the local authentication asdescribed previously. Once the user is authenticated, eachsensor s

gj

i computes the pairwise key f(sr,gj) with theremote sensor, and use the key to encrypt the verified useraccess list. The user collects k encrypted endorsementsfrom these local sensors and generates a hash digest,mac = H(mac1k� � �kmack), where g1 < g2 <� � �< gk.

After computing the hash digest, the user encrypts heraccess list TA and NA with mac. Again, NA is a nonce to guar-antee the message freshness. Then, the user sends it alongwith her access list TA and the local endorsing sensor grouplist, to the remote sensor.

Fig. 3. The polynomial based remote access control protocol.


Upon the receipt of the access request from the user, sr

retrieves the information in the group list. Given the grouplist, sr easily generates k encrypted endorsements by plug-ging in the group IDs to its secret polynomial share, andcorrespondingly, the digest mac. The successful decryptionof TA by using the derived mac proves that the user has al-ready been authenticated and endorsed by k local sensors.Sensor sr replies the user with the requested information,along with a nonce NB randomly picked by sr. Again, alldata is encrypted by mac.

4.3. Security analysis

In two proposed access control schemes, the authenti-cation messages are encrypted by the encryption algo-rithm ENC in the access control protocol, except the usercertificate. As long as ENC is secure (such as RC5 [15]),and the secret key is large enough (at least 80 bits), anynumber of compromised sensors cannot break the cipher-text in the messages.

In the local authentication, the sensor nodes cannotcapture any secret from the user, nor can the user gainmore access privilege than granted due to the hardnessof discrete logarithm problem in ECC. The 160-bit ellip-tic-curve crypto-system is considered to have the samesecurity level as 1024-bit RSA. Given an elliptic curve Eover finite field GF(p), to find system secret x from the rela-tion Q = xP (where P,Q are published system parameters) isequivalent to solve the discrete logarithm problem, whichis considered computationally infeasible. In the localauthentication, the user’s certificate TA (with the access listcaA) is transmitted in plaintext. The malicious sensors mayduplicate the user certificate, or the adversary may capturethe certificate by eavesdropping. The certificate informa-tion, however, cannot help the adversary to impersonatethe user and get the data service. The reason is that the lo-cal sensors use the derived user public key to launch thechallenge. It is easy for the adversary to calculate the pub-lic key given the captured certificate, but it is computation-ally infeasible to acquire the private key that is associatedto the public key. As the result, the adversary is not able tocorrectly respond the challenge, so the access request willbe rejected by local sensors. Due to the same reason, theuser cannot forge or alter her access list to acquire moreaccess privileges or to extend the allowed access time per-iod. Otherwise, the user will not be able to decrypt thechallenge message from the local sensor because she doesnot have the private key associated to the certificate sheclaims. More importantly, the certificate-based localauthentication effectively defends against user collusionattacks. The collusion among any number of users doesnot jeopardize the system secret for the reason explainedabove.

The security features of our remote access scheme lie onthe local sensor group endorsement. The combination ofour local endorsement scheme with existing false reportfiltering schemes, including the symmetric-key based SEF[20] scheme or the public-key based PDF [18] scheme,can effectively prevent the potential DoS attacks. To inte-grate the SEF scheme, each of the local endorsing sensorsgenerates an event report and forward to the user. The user




collects k reports and attach them to the remote access re-quest message. Actually, each report is the encryption ofthe user’s access list TA, which will be verified the the for-warding sensors on the routing path to the remote sensor.In the original SEF scheme, the report encryption keys arerandomly pre-distributed to each sensor node. In ourscheme, the complicated key pre-distribution can beavoided because the encryption keys can be easily gener-ated from the secret polynomial share in each sensor node.In particular, considering a sensor s

gj

i (which has a sensorID si and a group ID gj), the encryption key is f(gj,h(TA)).When the message is on the way to the remote sensor,any forwarding node with the same group ID can verifywhether or not the report is legitimate. Any report thatfails the verification is immediately dropped. The robust-ness of this filtering scheme relies on the fact that the dif-ferent groups should be evenly distributed cross the sensorfield. Given the assumption that the number of compro-mised sensor is limited, the forged report by compromisedsensors can be effectively detected and dropped. The obvi-ous disadvantage of the symmetric-key based scheme isthe overhead. Each user remote access request has to be at-tached with k reports. An alternative scheme to reduce themessage overhead is to use the public-key based PDFscheme. In that case, the k endorsing sensors jointly gener-ate a system digital signature. As the result, each forward-ing sensor can easily verify the remote request by using thesystem public key. Compared to the symmetric keyscheme, the public-key solution only costs a fixed messageoverhead (the length of a system signature) no matter howlarge k is. The tradeoff, obviously, is the computation over-head in the signature generation and the verification.

In our scheme, users are not allowed to send requestsdirectly to the remote sensor. Any remote access requesthas to be enforced by k local sensors. Since the adversarycannot compromise up to k sensors (the system assump-tion), there is no way for an illegitimate user to get kendorsements to access the remote sensor. If the adversaryattempts to forge k endorsements, the bogus request willbe immediately dropped by forwarding sensors in false re-port filtering. Again, the user still cannot alter or forge heraccess list in the remote access request. The reason is thatthe endorsements are generated and encrypted using theauthenticated user access list. If the user forges her accesslist in the remote access request, the verification at theremote sensor will fail, and the remote access will berejected.

4.4. Other design issues

4.4.1. Resource discoveryCareful readers may notice that the proposed access

control scheme requires the user to identify the sensorsthat hold the requested information. The user can acquiresuch information in the following two ways. First, sincethe base station knows the approximate locations wherethe sensors are deployed, a coarse-grained data sensingmap can be generated to help the user to locate the inter-ested sensors (e.g., by using GPS localization). After arriv-ing at the desired location, the user can listen to thesensor broadcasts (the sensors can periodically broadcast


the attributes of their collected data) and find the localsensors that hold the user interested data. Second, in casethe user cannot find the interested information at a certainlocation, some resource discovery protocols [13] can be ap-plied to identify the ID of the remote sensor that containsthe user interested data. The implementation detail of suchprotocols is beyond the scope of this paper.

4.4.2. User certificate issuingThe user can receive her accessing certificate (including

secret keys and the digital certificate) from a central certif-icate authority (CA) through an off-line transaction (as theway how the driver’s licenses are issued by the Depart-ment of Motor Vehicles) or an out-of-band security chan-nel (email message delivery). Since the certificate is notdelivered through the sensor network, the centralized cer-tificate issuing does not limit the user’s in-network dataqueries. The sensors enforce the access control by verifyingthe user’s certificate and checking the user’s correspondingaccessing privilege. The public-key cryptography providesa flexible way to specify the access privilege level with atime window by using the access control list discussed pre-viously. It is possible that two sensors hold the user inter-ested data at the same time. Our proposed scheme requiresthe user to be authenticated twice to get all data even if thetwo sensors are very close to each other. The design of themore efficient scheme that only needs one authenticationin this situation is arranged in our future work.

5. Revocation

It is possible that a user’s access list would be revokeddue to security reasons. For example, a group of sensorsmay find a misbehaving user, and those sensors will gener-ate a report and send back to the base station. The basestation collects all the reports and makes the decisionwhether the user’s access list should be revoked or not.In this section, we propose two revocation schemes.

5.1. Revocation using blacklist

A simple revocation scheme is to use a blacklist. Whenthe base station decides to revoke a user, it broadcasts theuser access list to all the network through the secure chan-nels between the base station and sensor nodes [12]. Eachsensor node maintains a table to store the revoked accesslists. This screening check can be conducted immediatelybefore the local authentication.

The blacklist revocation scheme is effective when thenumber of revoked users is small. This simple schemehowever will have the scalability issue when the blacklistis inflating. A blacklist with hundreds of revoked users willconsume too much precious memory space. Moreover, alarge blacklist also costs extra energy and time when useraccess lists are scanned during the authentication check.

5.2. Revocation using Bloom filters

To solve the scalability problem in blacklist revocation,we propose an efficient revocation scheme by using Bloom



50 100 150 200 25010−20

10−15

10−10

10−5

100

Number of Access Lists in the Blacklist

The

Prob

abilit

y of

Fal

se P

ositi

ve

m=1024m=2048m=4096m=8192

Fig. 5. The probability of false positives (log-scale) as the function of thenumber of access lists in the blacklist of a Bloom filter with six (k = 6)independent hash functions and different bit vector length.


filters [1]. Bloom filter is a space-efficient data structure tosupport membership queries. Given a user blacklistU = {u1,u2, . . . ,un}, we allocate a bit vector with the spaceof m bits (initially cleared to 0), and then choose kindependent hash functions H1, H2, . . . ,Hk, with range{0,1,2, . . . ,m � 1}. For each user access list ui 2 U(1 6 i 6 n),the bits at position H1(ui), H2(ui), . . . ,Hk(ui) are set to 1. Anexample of a Bloom filter is illustrated in Fig 4.

To check if a user access list T is in the blacklist, weapply H1, H2, . . . ,Hk to T. If any one of the results is 0, theaccess list T is not in the blacklist. If all results are 1, wethen consider T is in the blacklist. Note Bloom filter mayresult in false positive with a certain probability (i.e. a useraccess list T is not in the black list but all hash functionsyield 1). Suppose the hash functions are uniformly random,the probability for a specific bit to be 0 after n memberinsertions is 1� 1

m

� �kn. Thus, the probability of the falsepositive after n member insertions is

1� 1� 1m

� �kn !k

� ð1� e�kn=mÞk: ð1Þ

The detail revocation scheme (choose k = 6, m = 4096 as anexample) using Bloom filters is described as follows. Thesix hash functions H1, H2, . . . ,H6 are pre-loaded in the sen-sor nodes during the configuration period. Each sensornode allocates a 512-byte memory space and clears with0 as the bit vector. Same as in blacklist revocation scheme,sensor nodes report suspicious users to the base station.The base station maintains a revocation blacklist. When-ever there is an insertion in the blacklist, the base stationbroadcast the results of six hash functions applied on thenew item. The results are the positions of the bit vectorwhere need to be set to 1. Fig 5 illustrates the false positiveprobabilities of a Bloom filter with six hash functions anddifferent bit vector length. Consider an example m = 4096(or 512 bytes), the false positive probability is less than10�4 when more than 200 users are blacklisted. Compara-tively, in the blacklist scheme, the sensor has to allocate atleast 1.6 KB memory space to store the blacklisted users.

1user access list u

Bit Vector

m bits

H (u )

H (u )

H (u )

H (u )

1

1

1

1

12

3

4

1

1

1

1

Fig. 4. A Bloom filter with four hash functions.


6. Evaluation

In this section, we first study the performance of theproposed scheme by a real world implementation on acommodity sensor platform. Then, we perform the perfor-mance comparison between the proposed distributed ac-cess control and a centralized scheme. The comparisonstudy is based on the experimental data in the real worldexperiments.

6.1. Metrics and methodology

In the experiments, we use four metrics: authenticationtime, computation cost, communication cost, and powerconsumption, to evaluate the performance of access con-trol protocol. The authentication time measures the userperceived waiting time from sending out the request toreceiving the authentication confirmation. Computationalcost is the amount of energy consumed in data processing.Similarly, communication cost is the energy used by RFtransceiver. The power consumption is the total amountof energy used by all participating sensor nodes to assistthe user access request. The two metrics, query responsetime and power consumption, are used in the comparisonstudy.

The processing energy consumption E can be calculatedby E = U � I � t, where U is the voltage, I is the current and t isthe time duration. TelosB motes are powered by two AAbatteries, so U is approximated equal to 3.0 V. The currentvalue varies in different operations as shown in Table 1(abstracted from [4]). We use authentication time as thetime duration for MCU data processing. The energyconsumption measuring for communication, however, is

Table 1The amount of current draw on different operations for TelosB motes.

Operation Normal (mA) Max (mA)

MCU On, Radio Off 1.8 2.4MCU On, Radio Rx 21.8 23MCU On, Radio Tx 19.5 21




more complicated. The data transmitting time is deter-mined by multiple factors, such as wireless channel condi-tion and the corresponding data rate. For simplification, weestimate the communication energy consumption (foreither sending or receiving) by multiplying the totalamount of data length by an average 18 lJ/bit [2].

6.2. Experiment of local access control

We have implemented both local access control and re-mote access control scheme on TelosB motes, a researchoriented mote developed by UC Berkeley. TelosB is pow-ered by an MSP430 micro-controller. MSP430 incorporatesan 8 MHz, 16-bit RISC CPU, 48 KB flash memory (ROM) and10 KB RAM. The RF transceiver on TelosB is IEEE 802.15.4/ZigBee compliant, and can have up to 250 kbps data rate.We choose SECG recommended 160-bit elliptic curve,secp160r1, in our ECC implementation because large inte-ger multiplication and reduction over prime number finitefield can be more effectively optimized than those overbinary finite field. The most expensive operation in ECCexponentiation is point multiplication. To achieve the bet-ter performance as possible, we have adopted a number oftechniques including hybrid multiplication, modularreduction over pseudo-Mersenne prime field, Great Divi-sion and mixed Jacobian Coordinate. Due to the space limit,we omit the detail implementation and correspondingoptimization of our ECC implementation on TelosB motes.Interested readers may refer to [19] for detail explanation.On average, it takes 1.4 s for a TelosB sensor mote to do afixed point multiplication, and 1.5 s to do a random pointmultiplication.

Our local access control implementation strictly followsthe protocol presented in Section 4. For the operation ofencryption and decryption, we adapt the RC5 block cipherto TelosB platform. Our experiment result shows RC5 isvery efficient on TelosB and only produces around 1mscomputational overhead.

The challenge generation produces the most time la-tency in local access control procedure. Recall that a sensornode needs to perform two ECC random point multiplica-tions and one fixed point multiplication to generate a chal-lenge. The three point multiplications combined contributeat least 4.5 s delay. To reduce this delay in challenge gener-ation, we further adopt Shamir’s trick [8] to efficientlycompute the two random point multiplications so thatthe improved challenge generation time reduces from4.5 s to 3.8 s. Accordingly, the energy consumption forcomputation is 3.8 s � 3.0 V � 1.8 mA = 20.5 mJ.

To estimate the communication energy consumption,we need to count the amount of data sent and receivedby the sensor node. The user certificate TA has 48 bytes,including 40-byte public key constructor and 8-byte accesslist. The challenge from the sensor node has 80 bytes,including a 40 byte ECC point, 20 byte zr and a 20 byteciphertext. The challenge response contains 20 byte in size.Overall, the power consumption is 88bytes � 18 lJ/bit = 12.7 mJ.1

1 We ignore the message overhead in the estimation for the simplicity.


Overall, the computing and communication consumesimilar amount of energy in the location access control.Even though our estimation shows that authenticationoperation uses a little more power, the difference couldbe much smaller if the message header in communicationpower consumption is considered in practice.

6.3. Experiment of remote access control

The essential part of the experiment of remote accesscontrol is the polynomial based local endorsement schemeand endorsement decryption at the remote sensor. We areparticularly interested in the performance of the t-degreepolynomial computation in sensors. Given a share of thepolynomial f(x) = a0 + a1x+ � � � +atx

t over GF(q), the compu-tation of f(x) requires t modular multiplications and t mod-ular additions, plus the computation of values x2, . . . ,xt. Atypical block cipher (e.g., RC5) suggests q should be at least64 bits. Therefore, t 64-bit � 64-bit modular multiplica-tions are required to compute the polynomial. On TelosB’s16-bit CPU platform, each 64-bit � 64-bit multiplicationcosts 16 word multiplications. To reduce the computa-tional cost, we adopt the simplification proposed in [9].The simplification is based on the fact that variable x iseither sensor id or group id, which is normally a 16-bitinteger. We can use another finite field GF(q0) for x,x2, . . . ,xt.Therefore, the modular multiplication in polynomial f(x) isalways performed between a 64-bit integer and 16-bitinteger. As the result, the cost of multiplication is reducedby four times.

The modular reduction operation is as important asmodular multiplication. Each multiplication must be fol-lowed by a reduction operation. To further reduce the com-putational cost, we pick a pseudo-Mersenne prime as qbecause modular reduction cost on field of a pseudo-Mersenne prime can be optimized to a negligible amount.A pseudo-Mersenne prime can be represented as q =2m �x, where x� 2m. Given a 2 m-bit multiplication re-sult B = (b1,b0), (b1,b0 are two m-bit halves), the reductioncan be computed based on the congruence 2m �x:

while ðb1–0Þðb1; b0Þ ¼ b1 xþ b0

B ¼ b0 mod q:

ð2Þ

In our experiment, we choose q = 264 � 28 � 1, q0 = 216 �24 � 1. We test the average time delay and power con-sumption for computing the polynomial with different tvalues. In each test, we randomly generate t + 1 64-bitcoefficients and a 16-bit variable x, we repeat 20 times toget the average time delay. The test results are shown inFig. 6.

The test results show the polynomial computation isefficient even in low-power sensor nodes. Considering werequire 16 local sensors to endorse user’s remote access,and each sensor has to store two shares of the polynomial,the system should at least be deployed with a 32-degreepolynomial. Therefore, it only takes an endorsing sensor17.1 ms time to generate pairwise key with the remotesensor.



10 20 30 40 50 60 70

5

10

15

20

25

30

35

40

The polynomial degree t

Tim

e co

msu

mpt

ion

(ms)

10 20 30 40 50 60 7020

40

60

80

100

120

140

160

180

200

The polynomial degree t

Ener

gy (u

J)

Fig. 6. The time consumption and power consumption to calculate the polynomial.

2 4 6 8 10 12 14 160

1

2

3

4

5

6

7

8

The number of endorsing sensors

The

time

dura

tion

(s)

Local authentication timeTime to find k sensors

Fig. 7. The upper line shows the time duration for the user to getauthenticated by k local sensor, k is changing from 1 to 16. The lower linereveals the time delay for the user to find k endorsing sensors.


To evaluate the remote access control procedure, we di-vide the experiment into two parts. The first part includeslocal sensor discovery, local sensor authentication andendorsement collecting. In the second part, we performthe endorsement reconstruction and verification at the re-mote sensor. The message routing between the user andthe remote sensor is a typical communication process thathas been investigated extensively and the time delay isvery small, so in our experiment we omit the messagerouting between the user and the remote sensor.

During the experiment, we assume the sensor field isdense enough so that the user can reach all the sensorsfrom different groups without moving. To acquire theendorsements from local sensors, the user first broadcastsa remote access request. Each local sensor replies the userwith its group id. The user picks those sensors from differ-ent groups to fill in her endorsing list. Due to the messagecollision, some replying messages are corrupted, so theuser may not find enough endorsing sensors with onebroadcast. The user thus has to broadcast several timesto find all k endorsing nodes. Our experiments show theuser needs to broadcast at least twice if k P 6. After suc-cessfully finding k endorsing sensors, the user unicasts anendorse acknowledge to each of the k sensors. The endors-ing sensors process the user authentication in parallel. Theuser first broadcasts her certificate, and then sequentiallyreceives and responses the challenge from each local sen-sor. A simple scheduling algorithm can be used for theendorsing sensors to send challenges without packet colli-sion. In our implementation, we arrange the endorsingsensors to send the challenge in ascending order of theirgroup IDs. If the user is successfully authenticated, theneach endorsing sensor generates the endorsement and re-turns it to the user. After collecting all k endorsementsfrom local sensors, the user finally generates the digestmac and sends the access request to the remote sensor.We perform the experiment with k changing from 2 to16. The result of endorsing time consumption is shown inFig. 7. Note that the time duration includes the time foruser’s broadcasts for request, receiving the group id replyfrom sensors, unicasts to sensors for acknowledging


receiving their group IDs, and sensor nodes’ data process-ing time to generate the endorsements.

We first perform a separate experiment just to test thetime delay to find k sensors only (without local authentica-tion and endorsement generation). The result is shown asthe dotted line in the same Fig. 7. It is interesting to find thatit takes 105 ms to find just 2 endorsing sensors and consid-erable time for discovering 4, 8, and 16 sensors, which is sur-prisingly slow, considering 1 ms transmitting/receivingdelay. Two factors contribute to the long delay. First, as dis-cussed in previous section, the user may not get all informa-tion from local endorsing sensors after the first broadcast.The user may have to broadcast the request more thantwice. Second, more importantly, a timer is set betweenany two broadcasts in our implementation to regulate thepacket transmission and reception. Every time the timerfires, the user checks whether the endorsing list is complete.If not complete, the user will do broadcast again. The timedelay between the fires of the timer predominantly ac-counts for the sensor discovery delay. We can reduce thistime duration by setting a higher timer frequency.




The total endorsing time is presented in Fig. 7. Appar-ently, the expensive local authentication still dominatesother delays. However, because k local sensors authenti-cate the user in parallel, the total endorsing time is practi-cal and not much longer than the local authenticationdelay. When k = 16, it only takes 5.8 s for the user toget all endorsements.

Although the endorsement can be done in parallel, theenergy consumption has to be calculated for each endors-ing sensor individually and will increase linearly as thenumber grows. For energy consumption in processing, weignore the sensor discovery period because authenticatetime dominates the latency, so the energy cost is simplythe product of the time latency in Fig. 7 and 3.0 �1.5 mW (with the radio off). The energy cost for communi-cation can be estimated in a similar way as in the localauthentication. As indicated in Fig. 3, in addition to theauthentication, each endorsing sensor sends an extra48-byte mac, which costs extra 48 � 8 � 18 = 6.9 mJ.

Upon receipt of the user remote access request, theremote sensor has to verify whether the request isendorsed by k local sensors. To do so, the remote sensorreconstructs k secret keys by using the received groupIDs and its own share of polynomial. These derived secretkeys are immediately used to generate the endorsementsand finally verify the digest mac. In the experiment, wemeasure the time duration for the remote sensor to dothe verification with k = 4, 5, . . . ,16 endorsing sensors.The experiment results are shown in Fig. 8. The corre-sponding energy consumption at the remote sensor canalso be calculated given the processing time and thecommunication data size.

Finally, we estimate the total time and the powerconsumption for a user to be authenticated for remote dataaccess. Suppose the network requires the user to get 16endorsing sensors to access a remote sensor. First, the userhas to get local authentication by all 16 local sensors andreceive corresponding endorsements. This procedure costs5.8 s according to Fig. 7. Then, the remote sensor needs283 ms to reconstruct and verify 16 endorsements. In total,a remote access with 16 local sensor endorsements willcost around 6 s. Note that our estimation does not include

4 6 8 10 12 14 1650

100

150

200

250

300


Tim

e du

ratio

n (m

s)

Fig. 8. The time duration and energy cost for the rem


the message traveling time from the user to the remotesensor and then back to the user. The power consumptionfor the remote access control is also plotted in the abovefigure, which shows the combined amount of the powerconsumed for processing and communication, includingthe local authentication at the endorsing sensors and theprocessing at the remote sensor. We notice the remote ac-cess control consumes much more energy then the localaccess control. When the number of endorsing sensors is16, almost 500 mJ energy is need to support a remoteaccess control (not including the message transmissionbetween the user and the remote sensor).

6.4. Performance comparison with a centralized scheme

Finally, we investigate the performance comparison be-tween the proposed user access control and a centralizeduser access control scheme. Without loss of generality,we describe a centralized scheme in the following way. Auser enters the sensor field and queries a nearby sensorfor the information. The queried sensor has no informationabout the user, and has to forward the request to the basestation through the multi-hop communication. The basestation verifies the user and then sends the reply to thecorresponding sensor. The sensor finally either replies theuser with the queried information or rejects the accessbased on the base station’s response. For the convenience,we only compare the local user access control.

Two performance metrics, query response time and thenetwork energy consumption, are used in the performancecomparison. The query response time indicates the respon-siveness of the user query by the sensor system. The en-ergy consumption, in the other hand, measures the totalnetwork energy cost to support the query.

In the centralized scheme, we ignore the user verifica-tion processing delay in the base station since the basestation is a resource-rich computer. The user responsetime thus is the communication latency between the que-ried sensor and the base station, which is determined bythe hop-count distance. In an ideal situation where thereis no congestion and radio communication disturbance,the communication delay is the product of the hop count

4 6 8 10 12 14 16100

200

300

400

500


Ener

gy (m

J)

ote sensor to verify k endorsing local sensors.



0 10 20 30 40 500

1

2

3

4

5

6

Distance between the sensor and base station (hops)

time

(s)

Centralized SchemeDistributed Scheme

0 10 20 30 40 500

200

400

600

800

1000

1200

Distance (hops)

Ener

gy (m

J)

Distributed SchemeCentralized Scheme

Fig. 9. The comparison of time duration and energy cost.


with the transmission time in each hop. Our experimentshows that on average it takes about 17 ms to transmita 40-byte data packet on a TelosB mote. Thus, we can eas-ily plot the figure of the user response time as shown be-low in Fig. 9.

Obviously, the centralized scheme has the edge in userresponse time when the network size is relatively small.When the sensor is 50 hops away from the base station,the user response time in the centralized scheme is onlyhalf of that in the distributed scheme. However, the dis-tributed user access control significantly reduces the net-work energy consumption compared to the centralizedcounterpart. Regardless of the network size, the distributedscheme only consumes 33.2 mJ for each user local query.The energy consumption is proportional to the distance be-tween the queried sensor and the base station. When thesensor is 50 hops away from the base station, the central-ized scheme consumes 34 times more energy than the dis-tributed approach.

Comparing the 3.8 s user response time and the net-work energy consumption. We argue that the latter is amore important factor in the sensor network design. Fur-ther, the user response time estimation for the centralizedscheme is under an ideal situation that there is no com-munication loss and no network congestion. In practice,the communication latency would be longer due thewireless channel fluctuations. More importantly, as wepreviously indicated in Section 1, the communication pat-tern in the centralized scheme is vulnerable to the adver-sary’s DoS attacks. By compromising any one sensor, theadversary can easily flood the network by sending a largeamount of messages through the compromised sensorand deplete the battery power of the sensor nodes.Combining all above factors, we believe the distributedscheme scores a clear-cut win over the centralizedscheme.

7. Conclusion

In this paper, we show our effort in designing accesscontrol scheme for sensor networks. We describe our local


access control and remote access control under a veryrealistic adversary model. We also discuss the revocationscheme to efficiently deprive a misbehaving user of heraccess right. Finally, We implement the protocols on aTelosB mote test-bed. The security and performanceanalysis and the experimental results show that our accesscontrol schemes are efficient and feasible for real worldapplications.

References

[1] Burton Bloom, Space/time trade-offs in hash coding with allowableerrors, Communications of ACM 13 (7) (1970) 422–426.

[2] D. Carman, B. Matt, P. Kruus, D. Balenson, D. Branstad, KeyManagement in Ditributed Sensor Networks, in: DARPA Sensor ITWorkshop, 2000.

[3] H. Chan, A. Perrig, D. Song, Random Key Predistribution Schemes forSensor Networks, in: IEEE Symposium on Security and Privacy,Berkeley, California, 2003, pp. 197–213 (May).

[4] Moteiv Co. Telos Datasheet. <http://www.moteiv.com/products/docs/tmote-sky-datasheet.pdf>.

[5] W. Du, J. Deng, A pairwise key pre-distribution scheme for wirelesssensor networks, in: ACM CCS, 2003.

[6] L. Eschenauer, V.D. Gligor, A key-management scheme fordistributed sensor networks, in: ACM CCS, 2002 (November).

[7] N. Gura, A. Patel, A. Wander, H. Eberle, S.C. Shantz, Comparing ellipticcurve cryptography and RSA on 8-bit CPUs, in: CHES, Cambridge, MA,2004 (August).

[8] D. Hankerson, A.J. Menezes, S. Vanstone, Guide to Elliptic CurveCryptography, Springer-Verlag, 2004.

[9] D. Liu, P. Ning, Establishing pairwise keys in distributed sensornetworks, in: ACM CCS, Washington, DC, 2003 (October).

[10] Donggang Liu, Efficient and distributed access control for sensornetworks, in: The International Conference on DistributedComputing in Sensor Systems (DCOSS), 2007 (June).

[11] A. Perrig, J. Stankovic, D. Wagner, Security in wireless sensornetworks, Communications of The ACM 47 (6) (2004) 53–57. June.

[12] A. Perrig, R. Szewczyk, V. Wen, D. Culler, D. Tygar, SPINS: securityprotocols for sensor networks, ACM/Kluwer Wireless NetworksJournal (WINET) (September) (2002).

[13] S. Ratnasamy, B. Karp, S. Shenker, D. Estrin, R. Govindan, L. Yin, F. Yu,Data-centric storage in sensornets with GHT: a geographic hashtable, Mobile Networks and Applications 8 (4) (2003) 427–442.

[14] Kui Ren, Wenjing Lou, Privacy enhanced access control in pervasivecomputing environments, in: Proceedings of BroadNet, October2005.

[15] Ronald L. Rivest, The RC5 encryption algorithm, in: Proceedings ofthe 1994 Leuven Workshop on Fast Software Encryption, Springer,1995, pp. 86–96.


http://www.moteiv.com/products/docs/tmote-sky-datasheet.pdf

http://www.moteiv.com/products/docs/tmote-sky-datasheet.pdf



[16] P. Traynor, H. Choi, G. Cao, S. Zhu, T.L. Porta, Establishing pair-wisekeys in heterogeneous sensor networks, in: INFOCOM, Barcelona,Spain, 2006 (April).

[17] P. Traynor, R. Kumar, H.B. Saad, G. Cao, T.L. Porta, LIGER:implementing efficient hybrid security mechanisms forheterogeneous sensor networks, in: MOBISYS, Uppsala, Sweden,2006 (June).

[18] H. Wang, Q. Li, Achieving robust message authentication in sensornetworks: a public-key based approach, ACM Journal of WirelessNetworks (WINET) (2009).

[19] Haodong Wang, Bo Sheng, Chiu C. Tan, Qun Li, WM-ECC: an EllipticCurve Cryptography Suite on Sensor Motes, Technical Report WM-CS-2007-11, College of William and Mary, Computer Science,Williamsburg, VA, 2007.

[20] F. Ye, H. Luo, S. Lu, L. Zhang, Statistical En-Route Filtering of InjectedFalse Data in Sensor Networks, in: INFOCOM, 2004.

[21] Zhen Yu, Yong Guan, A key pre-distribution scheme usingdeployment knowledge for wireless sensor networks, in: The 4thACM/IEEE International Conference on Information Processing inSensor Networks (IPSN), Los Angeles, CA, USA, 2005.

[22] Zhen Yu, Yong Guan, A dynamic en-route scheme for filtering falsedata in wireless sensor networks, in: INFOCOM, Spain, 2006 (April).

[23] W. Zhang, H. Song, S. Zhu, G. Cao, Least privilege and privilegedeprivation: towards tolerating mobile sink compromises inwireless sensor networks, in: MOBIHOC, Chicago, IL, 2005 (May).

[24] Y. Zhang, W. Liu, W. Lou, Y. Fang, Location-based compromise-tolerant security mechanisms for wireless sensor networks, IEEEJournal on Selected Areas in Communications 24 (2) (2006) 247–260.

[25] S. Zhu, S. Setia, S. Jajodia, P. Ning, An interleaved hop-by-hopauthentication scheme for filtering of injected false data in sensornetworks, in: IEEE Symposium on Security and Privacy, Oakland, CA,2004 (May).


Haodong Wang is an assistant professor ofComputer and Information Science at Cleve-land State University. He received his PhD inComputer Science at College of William andMary, VA, USA, in Aug 2009. He also earnedhis Master of Science in Electrical Engineeringfrom Penn State University, University Park,PA, USA, and Bachelor of Engineering in Elec-tronic Engineering from Tsinghua University,Beijing, China. Before joining Cleveland StateUniversity, Haodong was an Assistant Profes-sor in the Department of Math and Computer

Science at Virginia State University. His main research focuses on per-vasive computing, including security and privacy in wireless embeddednetworks, efficient information management system, privacy-aware
routing in wireless sensor networks, mobile 802.11 WLAN performanceenhancements and cognitive radio MAC design.
Qun Li is an assistant professor in theDepartment of Computer Science at College ofWilliam and Mary. He holds a PhD degree incomputer science from Dartmouth College.His research interests include wireless net-works, sensor networks, RFID, and pervasivecomputing systems. He received the NSFCareer award in 2008.



Date post:	11-Dec-2021
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

Ad Hoc Networks - College of William & Mary

Documents