Nowadays, Wireless Sensor Networks (WSNs) are currently a widely adopted technology in several fields of application [1]. Additionally, providing security and privacy to WSNs is challenging, due to the open nature of wireless communication and the limited capabilities of sensor nodes in terms of processing power, storage, bandwidth and energy. Also, widespread and unrestricted deployment of WSNs exposes them to a number of security vulnerabilities [2].
Especially, the simplicity and low-cost of these sensors make cloning of compromised nodes by attackers in the network easy. Due to the unattended nature of wireless sensor networks, an adversary can capture and compromise sensor nodes, make replicas of them and then mount a variety of attacks with these clones. In such an attack, an adversary uses the credentials of a compromised node to secretly introduce the replicas into the network. Therefore the detection of node replication or so called clone attacks in a wireless sensor network is a fundamental problem. Several clone node detection schemes have been proposed in the literature to
defend against such attacks in static sensor networks. A few various solutions to address this fundamental problem have recently been proposed. However, these solutions are not suitable because they are demanding in terms of energy input and memory: a serious drawback for any protocol used in the WSN-resource-constrained environment [3].
To overcome the above problems we propose an efficient and secure protocol for wireless sensor networks using a Physical Unclonable Function (PUF).
In 2001, Pappu et al. [4] introduced the concept of Physical Random Functions or Physical Unclonable Functions. These PUFs are innovative circuit primitives that extract secrets from physical characteristics of integrated circuits (ICs). In particular, upon challenging such a PUF with a challenge Ci, a
response Ri is generated. Thus, we write: Ri ← PUF(Ci). PUFs
essentially are comprised of two parts: i) a physical part and ii) an operational part. The physical part is a physical system that is very difficult to clone [5]. It inherits its unclonability from uncontrollable process variations during manufacturing. In the case of PUFs on an IC, such process variations are typically deep-submicron variations such as doping variations in transistors. The operational part corresponds to the function. In order to turn the physical system into a function useful for identification, a set of challenges Ci (stimuli) has to be available to which the system responds with a set of sufficiently different responses Ri. To avoid clone attack, researchers have presented some authentication protocols based on a PUF in a radio frequency identification (RFID) system. But in most of the protocols, the verifiers have to link with a database storing a large number of Challenge-Response Pairs (CRPs) of a PUF, which is not suitable for the memory limited WSN nodes [6].
In this paper, we present an efficient and anti-cloning attack node mutual authentication scheme based on a PUF, which makes it suitable for WSN.
The rest of this paper is organized as follows. Section II describes some preliminary background useful for understanding the proposed scheme. In Section III, a PUF based mutual authentication scheme is given. In Section IV,
analysis of the proposed scheme is discussed. Finally, conclusions drawn from the paper are presented in Section V.
II. RELATED WORKS
One of the first solutions for the detection of clone attacks relies on a centralized Base Station (BS) [7]. In this solution, each node sends a list of its neighbors and their locations (that is, the geographical coordinates of each node) to a BS. The same node ID, in two lists with inconsistent locations will result in clone detection. Then, the BS revokes the clones. This solution has several drawbacks, such as the presence of a single point of failure (the BS) and high communication cost due to the large number of messages. Further, nodes close to the BS will be required to route many more messages than other nodes, hence shortening their operational life.
Another centralized clone detection protocol has been recently proposed in [8]. This solution assumes that a random key pre distribution security scheme is implemented in the sensor network. That is, each node is assigned a set of k symmetric keys, randomly selected from a larger pool of keys (Bekara and Laurent-Maknavicius, 2007). For the detection, each node constructs a counting bloom filter from the keys it uses for communication. Then, each node sends its own filter to the BS. From all the reports, the BS counts the number of time each key is used in the network. The keys used too often (above a threshold) are considered cloned and a corresponding revocation procedure is raised.
Parno et al. [9] proposed two protocols for addressing node replication attacks: randomized multicast and Line-Selected Multicast. In randomized multicast, each node broadcasts a location claim to its neighbors. Then each neighbor selects some random locations within the network and forwards the location claim with a probability to the nodes (referred to as witness nodes) closest to chosen locations by using geographic routing. According to Birthday Paradox (Menezes et at. 1996), at least one witness node is likely to receive conflicting location claims when replicated nodes exist in the network. In order to reduce communication costs and increase the probability of detection, they proposed the line-selected multicast protocol. Besides storing location claims in randomly selected witness nodes, the intermediate nodes for forwarding location claims can also be witness nodes. This can be visualized as randomly drawn lines across the network and the intersection of two lines becomes the evidence node of receiving conflicting location claims.
Zhu et al. [10] proposed two more-efficient distributed protocols for detecting node replication attacks: Single Deterministic Cell (SDC) and Parallel Multiple Probabilistic Cells (P-MPC). Both protocols require the sensor network to be a geographic grid, each unit of which is referred to as a cell. In SDC each node’s ID is uniquely mapped to one of the cells in the grid. When executing detection procedure, each node broadcasts a location claim to its neighbors. Then each neighbor forwards the location claim with a probability to a unique cell by executing a geographic hash function (Ratnasamy et al. 2002) with the input of the node’s ID. Once any node in the destination cell receives the location claim, it floods the location claim to the entire cell. Each node in the destination cell stores the location claim with a probability.
Therefore, the clone nodes will be detected with a certain probability since the location claims of clone nodes will be forwarded to the same cell. The difference between SDC and P-MPC is the number of destination cells. In P-MPC the location claim is forwarded to multiple deterministic cells with various probabilities by executing a geographic hash function with the input of the node’s ID. The rest of the procedure is similar to SDC. Therefore, the clone nodes will be detected with a certain probability as well.
Bekara and Laurent-Maknavicious proposed a new protocol for securing WSN against node replication attacks by limiting the order of deployment [11]. Their scheme requires sensors to be deployed progressively in successive generations. Each node belongs to a unique generation. In their scheme, only newly deployed are able to establish pair-wise keys with their neighbors and all nodes in the network know the number of highest deployed generation. Therefore, the clone nodes will fail to establish pair-wise keys with their neighbors since the clone nodes belong to an older deployed generation.
The other approach that achieves real-time detection of clone attack in WSN was proposed by Xing et al., [12]. In their approach, each sensor computes a fingerprint by incorporating the neighborhood information through a superimposed s-disjunct code (Xing et al. 2007). Each node stores the fingerprint of all neighbors. Whenever a node sends a message, the fingerprint should be included in the message and thus neighbors can verify the fingerprint. The messages sent by clone nodes deployed in other locations will be detected and dropped since the fingerprint does not belong to the same “community”.
Conti et al. [13][14] proposed a recent work for detection of node clone attacks in WSNs called RED based distributed detection. When executing RED, the BS broadcasts a random value to all nodes in the network. Then the following operations are similar to the Parno et al. (2005) scheme except for the selection of witness nodes. In RED the witness nodes are selected based on a pseudo random function with the inputs of the node’s ID, random value which is broadcasted by the BS and the number of destination locations. Location claims with the same node ID will be forwarded to the same witness nodes in each detection phase. Hence the replicated nodes will be detected in each detection phase. The next time the RED is executed, the witness nodes will be different since the random value which is broadcasted by the BS has be changed.
Anandkumar et al. [6] proposed the improved version of Randomized, Efficient and Distributed protocol named SRED-Secure. When the cloned node tries to enter through another node into the network, it initially checks whether a similar kind of node is already available (or not) with the access pointer by verifying the ID. If it exists, it then runs the algorithm to find and compare the location of both similar networks with the Message Information Table (MIS) available. The comparison of location is based on its pervious history which is available in the same node with respect to previous past time periods t-1, t-2, t-3, …, t-n and with this knowledge the verifying node comes to the preliminary conclusion of which node is an original node and which is the duplicated node. Then the duplicated node is automatically relocated from the network
1315
and communication form that node is completely discarded by other nodes. This preliminary detection method considerably reduces energy expenditure and communication overhead compared to other methods available so far.
III. PROPOSED MUTUAL AUTHENTICATION SCHEME
A. Network model and Assumptions
1) Network model As shown in Fig. 1, there are four patients in a hospital.
Each patient has a set of sensors on their body forming a Wireless Body Sensor Network (WBSN). These nodes send their information to a sink node, which collects and forwards it to the access point. The access point forwards the data to a doctor, who responds with the required prescription. Then this information is further forwarded to the caregiver, who is also located in the hospital and can medicate the patient according to the doctor’s prescription.
Fig. 1 . Network model.
2) Assumptions
We assume that the microprocessors of the sensor nodes are equipped with PUFs, which are inseparably linked to the chips, and any operations attempting to remove the PUFs from the chips will lead to destruction of the PUF.
We assume that the sink acting as the controller (or a server) is trusted, secure and there are no energy restrictions. However, the nodes are powered by batteries and resources are restricted.
We assume that an adversary can eavesdrop on all traffic, inject packets or replay older messages. We also assume that if an End is compromised, all its information may be lost, but the Sink is secure and cannot be compromised.
B. Proposed mutual authentication protocol
In the following subsections, we describe our protocol. The entire process includes two phases: a setup phase and a mutual authentication phase. Before describing the whole process, we first list notations, which will appear in the rest of the discussion in Table 1.
TABLE.1. NOTATIONS
Notation Significance
IDi Identity of node i
noncei Random number
C0 Shared initial challenge
Ri(C) The response of node I’s PUF according to challenge C
H(M) Hash operation on message M
XOR operation
|| Concatenation operator
1) Setup phase Let us suppose that there are n sensor nodes in a network
and their identities are (Fig. 2). Before the network is deployed, the sink generates a serial of parameter for each node. The setup phase proceeds according to the following process:
R1: the sink self-generates a random number RN and computes P using RN and Keys (sink's identity)
R2: the sink sends P and RN to the HIS
R3: the HIS generates a password PW and a shared initial challenge C
0 and computes X
R4: the sink receives the node's ID, X and C0 from HIS
R5: the sink sends C0 to each node
R6: the sink receives the responses from their
PUFs
R7: the sink selects a one-way hash function H and computes H(PW) for the node. After that, the sink loads the H function, IDi, C
0 and H(PW) into the node.
Therefore, as for the node, there are IDi, C0, H(PW) in its
memory, which are known only by itself. However the sink has all the secret information and it can update when there are new nodes added to the network.
Fig. 2 . Setup phase.
2) Mutual authentication phase As shown in Fig. 3, the broadcasting Hello message
contains its identity and a random number . To prevent the replay attack, the random numbers in the message are different for each broadcast. As for node i, after receiving the
1316
Hello message from the sink, it must return a response to the sink according to the following two steps, if it wants to establish a link with the sink:
Step 1: The node searches the
in its memory and gets the responses
and from its
PUF according to the challenges C0 and C
1, here C
n+1=H(C
n),
n≥0. Then the node calculates the H(Ri(C1)) by hash function H.
Step 2: The node forwards the following message to sink and then erases Ri(C
0), Ri(C
1), and H(Ri(C
1)) in its memory. In
the response message, Ri(C0), H(Ri(C
1)) are all protected by C
0,
and the MAC operation can effectively guarantee the integrity of the message.
Receiving the response message from node i, the sink first verifies the legitimacy of node i. Then authentication process is as follows (see Fig. 3):
Step 1: The sink searches the [IDi, C0, H(Ri(C
0))] in its
memory and verifies the integrity of the response message according to C
0 and its noncei. If the message does not show
integrity, the sink will give up the connection.
Step 2: Assume that the sink extracts
from the response message using . Here
is the second part of the received response
message. Then the sink computes the value , and
compares it with in its memory. If they are equal,
the node i is legal, because only the node i can generate the correct
. After the above operations, the sink can confirm the legitimacy of the node i, and then it extracts
from the response message and stores it in its memory.
Step 3: The sink computes base on , and calculates the by the hash function H and transmits the following authentication messages to node i( nodei ).
Step 4: Receiving the above message from the sink, the node i can verify the legitimacy of the sink by performing the same operation as the sink did above in the step 1. Then the node computes from the received response message and compares it with in its memory. If they are equal, the sink is legal. After the above operations, the node can confirm the legitimacy of the sink.
For security considerations, the nodes have to authenticate each other no matter if they have authenticated or not. Hence, after the sink and node confirm the legitimacy of each other, they have to update the related values for the next authentication. The updating process is simple: the shared
challenge should be replaced by and ( ) be
replaced by . Hence, the parameters in the next
authentication process are different from the parameters of this time, which can improve the security of the network.
Fig. 3 . Mutual authentication phase.
IV. ANALYSIS
A. Security analysis
Our proposed scheme is based on the physical unclonable function (PUF). In this scheme, we assume the PUF is un-separated from the chip of the sensor node and any operations aimed at destroying the chip will lead to the damaging of the PUF. At the same time, it is impossible to tamper with the communication between the chip and PUF. Therefore, sensor nodes will not leak any information about the PUF even in the situation of being compromised. Also, in our scheme, the integrity of the authentication messages can be verified by the message authentication code (MAC). The following discusses different types of security attacks that are resisted by our proposed scheme.
1) Clone attack: An attacker may capture a sensor node
and copy the cryptographic information to another node
known as cloned node. Then this cloned sensor node can be
installed to capture network information. The attacker can also
inject false information or manipulate the information passing
through cloned nodes. However, our scheme can efficiently
defend WBSN from this attack because the PUF cannot be
cloned even though sensor nodes are compromised. The anti-
clone attack capability is the most significant advantage of our
scheme.
2) Replay attack: A reply attack is a form of network
attack in which a valid data transmission is maliciously or
fraudulently repeated or delayed. This is carried out either by
the originator or by an adversary who intercepts the data and
retransmits it. This type of attack can easily overrule
encryption. Especially, because the sensor communicates
using the wireless signal, it can be intercepted easily. Thus,
attacker can carry out a replay attack very easily. In our
scheme, the sink generates different random numbers which
are used throughout the entire authentication process.
Therefore, replay attack can be effectively inhibited in our
scheme.o change the default, adjust the template as follows.
3) Eavesdropping: In wireless sensor network
communications, an adversary can gain access to private
information by monitoring transmissions between nodes. A
passive listener will fail in any tracking attempts since the
response of the PUF is protected by the XOR operation of the
shared challenge.
1317
B. Performance analysis
Since the sink is assumed to not be resource limited; we only consider the performance of the node. From Figure 3, we can see that each node only needs to complete three hashes and two MAC operations in the entire verification process, which is very efficient. AS for the delay of the PUF operation, we can omit it because the PUF operation is carried out by hardware and only takes tens of milliseconds [15]. Assuming that the response of the PUF and the identity of nodes are 128 bits, the max-length of verification messages is not more than 512 bit in our scheme, which is less than many signature schemes. Hence, our scheme is simple and its transmission overhead is low.
V. CONCLUSION
In this paper, we propose a mutual authentication scheme for wireless body sensor networks which it based on a physical unclonable function. We reduce the overall performance leading to reduced transmission overhead, low computation complexity and space cost and many good security characteristics which are important for the memory-limited nodes of WSN. Especially, our scheme can prevent sensor nodes from clone attack, which is an outstanding advantage compared to most other authentication schemes. The analysis presented here indicates that our scheme is secure and efficient and can be used in WSN. Our future work will continue to explore this research area and will attempt to implement and simulation by use our own mutual authentication protocol.
ACKNOWLEDGMENT
The authors would like to thank the SIMSALA project, in the Optoelectronics and Measurement Techniques Laboratory of the University of Oulu, and it’s funders for the resources and environment that enabled this study.
REFERENCES
[1] G. Dini and M. Tiloca, "ASF: an Attack Simulation Framework for
wireless sensor networks,” Proceeding of the 8th IEEE International Conference on Wireless and Mobile computing, Networking and communications (WiMob 2012), 2012.
[2] S. Puri, "Security and Privacy Control for Wirelss Sensor Networks,” International journal of Advanced scientific and technical research, 2012.
[3] K. M. Anandkumar and C. Jayakumar, "Pro-Active Prevention of Clone Node Attacks in Wireless Sensor networks," Journal of computer Science, 2012.
[4] R. S. Pappu, Physical one-way functions, PhD thesis, Massachusetts Institute of Technology, March 2001.
[5] J. Guajardo, S. Kumar, D. Tuyls, "Key Distribution for Wireless Sensor Networks and Physical Unclonable functions," Proceeding of Secure component and System Identification (SECSI), 2008.
[6] K. Yang, K. Zheng, Y. Guo and D. Wei, "PUF-based Node Mutual Authentication Scheme for Delay Tolerant Mobile Sensor Network," 7th International Conferenece on Wireless communications, Networking and Mobile Computing (WiCOM), 2011.
[7] L. Eschenauer and V. D. Gligor, "A Key-Management Scheme for Distributed Sensor Networks," Proceedings of the 9th ACM conference on Computer and Communications Security, 2002.
[8] R. Brooks, D. Y. Govindaraju, M. Pirretti and N. Vijaykrishnan, "On the detection of clones in sensor networks using random key predistiribution," IEEE Trans. Syst. Man. Cybernetics, 2007.
[9] B. Parno, A. Perrig and V. Gligor, "Distributed Detection of node replication attacks in sensor networks," Proceeding of the IEEE Symposium on Security and Privacy, 2005.
[10] B. Zhu, V. G. K. Addada, S. Setia, S. Jojodia and S. Roy, "Efficient distributed detection of node replication attacks in sensor networks," Proceedings of the 23rd Annual computer Security Applications conferenece, 2007.
[11] C. Bekara and M. Laurent-maknavicius, "A new protocol for securing wireless sensor networks against nodes replication attacks," Proceedings of the 3rd IEEE International Conference on Wireless and mobile computing, Networking and Communications, 2007.
[12] K. Xing, F. Liu, X. Cheng and D. H. C. Du, "Real-time detection of clone attacks in wireless sensor networks," Proceeding of the IEEE International 1st Conference Distributed Computing Systems, 2008.
[13] M. Conti, R. D. Pietro and L. V. Mancini, "A randomized, efficient and distributed protocol for the detection of node replication attacks in wireless sensor networks," Proceeding of the ACM (MobIHoc'07), 2007.
[14] M. Conti, R. D. Pietro, L. V. Mancini and A. Mei, "Distributed Detection of Clone Attacks in Wireless Sensor Networks," IEEE Trans. Dependable Secure comput., 2011.
[15] P. F. Cortese, F. Gemmiti, B. Palazzi, M. Pizzonia and M. Rimondini, "Bernardo, Efficient and Practical Autentication of PUF-Based RFID Tags in Supply Chains," IEEE International conference on RFID-Technology and Applications (RFID-TA), 2010.
[16] M. B. Shemaili, C. Y. Yeun, K. Mubarak and M. J. Zemerly, "Security Threats and chanllenges for RFID and WSN Integration," International Journal of RFID SEcurity and Cryptography (IJRFIDSC), 2012.
[17] K. Rosenfeld, E. Gavas and R. Karri, "Sensor Physical Unclonable Functions," IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), 2010.
[18] A. R. Sadeghi, S. Schulz and C. Wachsmann, "Short Paper: Lightweight Remote Attestation using Physical Functions," WiSec'11, 2011.
[19] H. H. Wu, C. H. Huang and Y. J. Huang, "Mutual Authentication Protocol for WSN on Medication Safety," International conference on Intelligent Information and Networks (ICIIN 2012), 2012.
![Page 1: [IEEE 2013 9th International Wireless Communications and Mobile Computing Conference (IWCMC 2013) - Sardinia, Italy (2013.07.1-2013.07.5)] 2013 9th International Wireless Communications](https://reader042.documents.pub/reader042/viewer/2022020615/5750953c1a28abbf6bc01233/html5/page/1.jpg)
![Page 2: [IEEE 2013 9th International Wireless Communications and Mobile Computing Conference (IWCMC 2013) - Sardinia, Italy (2013.07.1-2013.07.5)] 2013 9th International Wireless Communications](https://reader042.documents.pub/reader042/viewer/2022020615/5750953c1a28abbf6bc01233/html5/page/2.jpg)
![Page 3: [IEEE 2013 9th International Wireless Communications and Mobile Computing Conference (IWCMC 2013) - Sardinia, Italy (2013.07.1-2013.07.5)] 2013 9th International Wireless Communications](https://reader042.documents.pub/reader042/viewer/2022020615/5750953c1a28abbf6bc01233/html5/page/3.jpg)
![Page 4: [IEEE 2013 9th International Wireless Communications and Mobile Computing Conference (IWCMC 2013) - Sardinia, Italy (2013.07.1-2013.07.5)] 2013 9th International Wireless Communications](https://reader042.documents.pub/reader042/viewer/2022020615/5750953c1a28abbf6bc01233/html5/page/4.jpg)
![Page 5: [IEEE 2013 9th International Wireless Communications and Mobile Computing Conference (IWCMC 2013) - Sardinia, Italy (2013.07.1-2013.07.5)] 2013 9th International Wireless Communications](https://reader042.documents.pub/reader042/viewer/2022020615/5750953c1a28abbf6bc01233/html5/page/5.jpg)
