www.ietdl.org Published in IET Information Security Received on 15th February 2012 Accepted on 5th June 2012 doi: 10.1049/iet-ifs.2012.0080

Special Issue – Trust and Identity Management in Mobile and Internet Computing and Communications ISSN 1751-8709

Human interactive secure key and identity exchange protocols in body sensor networks

Xin Huang (1), Bangdao Chen (2), Andrew Markham (1), Qinghua Wang (3), Zheng Yan (3,4), Andrew William Roscoe (1)

(1) Department of Computer Science, Institute for the Future of Computing/Oxford Martin School, University of Oxford, Oxford, UK
(2) Department of Computer Science, University of Oxford, Oxford, UK
(3) Department of Communications and Networking, Aalto University, Espoo, Finland
(4) State Key Laboratory of ISN, Xidian University, People's Republic of China
E-mail: [email protected]

Abstract: A body sensor network (BSN) is typically a wearable wireless sensor network. Security protection is critical to BSNs, since they collect sensitive personal information. Generally speaking, security protection of a BSN relies on identity (ID) and key distribution protocols. Most existing protocols are designed to run in general wireless sensor networks and are not suitable for BSNs. After carefully examining the characteristics of BSNs, the authors propose human interactive empirical channel-based security protocols, which include an elliptic curve Diffie–Hellman version of the symmetric hash commitment before knowledge protocol and an elliptic curve Diffie–Hellman version of the hash commitment before knowledge protocol. Using these protocols, dynamically distributing keys and IDs becomes possible. As opposed to present solutions, these protocols do not need any pre-deployment of keys or secrets. Therefore compromised and expired keys or IDs can be easily changed. These protocols exploit human users as temporary trusted third parties. The authors thus show that human interactive channels can help them to design secure BSNs.

1 Introduction

A body sensor network (BSN) is typically a wearable wireless sensor network. BSNs can continuously collect humans' physiological, activity and environmental information. They enable many interesting applications including remote health monitoring, military training, sports training, interactive gaming, personal information sharing and context-aware services. Security is critical to BSNs, since they collect sensitive personal information. Inadequate protection may not only lead to user privacy leakage, but may also potentially affect proper diagnosis and treatment and invite sabotage. For example, it was recently demonstrated that an implanted defibrillator could be hacked to reveal the health data of a patient as well as administer an untimely shock [1].

Trust, identity (ID) and key management form the basis of most security mechanisms. Trust is the confidence, belief and expectation regarding the reliability, integrity, ability and other characteristics of an entity; and an identity is a notation that identifies a unique entity in a system. Trust establishment assures the legitimacy of communicating entities. IDs and keys are securely exchanged in this phase and require authentication: reliable binding to particular entities. Once the IDs and keys are established, various cryptographic algorithms can help us to transmit data securely. Therefore security protection of BSNs usually relies on trust, ID and key management.

© The Institution of Engineering and Technology 2013

However, due to the lack of centralised control and incomplete knowledge of the environment, most current secure key and ID distribution protocols in sensor networks need some form of pre-deployed secrets. This requirement makes them unsuitable for BSNs: it is always impractical to change compromised keys and IDs because they are always pre-written into the ROM of the sensors by providers who are normally not geographically near the users; additionally, adding and moving nodes is not convenient. Therefore current key and ID systems need to be improved.

Our research aims to provide secure key and ID distribution protocols that can keep confidentiality, authenticity and integrity in BSNs. More specifically, we are trying to bootstrap security in BSNs based on human interactive empirical channels (e.g. users see LED lights flash, creating channels between the users' eyes and the LED lights). These channels are always authentic, low bandwidth and do not usually require security protection. We want to establish a trustworthy ID and key system based on these human interactive empirical channels in BSNs.

More specifically, our contributions are as follows. Firstly, human interactive security protocols (HISPs) are studied in BSN applications. Generally speaking, there are three kinds of channels in BSN applications: human–human (HH), human–device (HD) and device–device (DD) channels. Properly designed HISPs can secure the information transferred over otherwise insecure DD channels using trustworthy HH channels, HD channels or human-supervised DD channels. The second contribution is a group commitment protocol model, which supports BSN applications. It is an extension of the general commitment protocol model. One useful group commitment protocol is the human interactive group digest commitment protocol (HIGDCP) model. Our ID and key exchange protocols are based on this protocol model. The third contribution is an elliptic curve Diffie–Hellman version of the symmetric hash commitment before knowledge protocol (ECDH-SHCBK) and an elliptic curve Diffie–Hellman version of the hash commitment before knowledge protocol (ECDH-HCBK). Thanks to them, the man-in-the-middle (MITM) attack, which is the main problem of ECDH, is eliminated. Meanwhile, they provide a possible way of dynamically allocating IDs and keys, and of changing compromised or expired IDs and keys in a network without any pre-deployed secrets.

The paper is organised as follows. In Section 2, we review the previous works. Section 3 explains HISPs. Section 4 presents the ECDH-SHCBK and ECDH-HCBK protocols. Finally, some important conclusions are made in Section 5.

2 Background

In this section, we will first introduce empirical channel and the HISPs. Second, we will summarise the key-distribution methods used in sensor networks. Finally, we will survey research on ID management in sensor networks.

2.1 Empirical channel and human interactive security protocol

There are many experience-based trustworthy channels; for example, based on experience, users believe that the strings read from a display are the strings shown on the display. Formally, we define these channels as follows.

Definition 1 (empirical channel and human interactive empirical channel): If a channel is believed to be trustworthy based on experience, the channel is an empirical channel. In particular, if the establishment of the channel relies on human–human or human–machine interactions, the channel is called a human interactive empirical channel.

In this paper, → and ↔ represent electronic channels, and →E and ↔E represent empirical channels. Empirical channels are always authentic and low bandwidth, and they do not usually require confidentiality protection; however, they do not usually have to be secret. Users can establish these channels using cables, cameras, bar codes, LEDs, speakers, microphones and many other mechanisms [2–8]. From the point of view of security, these channels can also be classified as follows [9]:
† No over-hearing channel: This channel protects the confidentiality of any message sent on it from all but the intended recipient. This is equivalent to a confidential channel.
† No spoofing channel (NS): The attacker cannot spoof messages on this channel.
† No blocking channel (NB): The attacker cannot block messages on the channel. Therefore session hijacking, redirection and denial-of-service attacks are impossible.

Empirical channels, especially human interactive empirical channels, can be helpful when we want to bootstrap security in networks. We define this type of protocol as follows:

Definition 2 (HISP): An HISP is a protocol that transfers the trust of human interactive empirical channels to the data communication channels based on their security properties, and therefore bootstraps security in the networks.

This interesting type of protocol is studied in both two-party and group communication scenarios by Balfanz et al. [10], Creese et al. [9], Gehrmann and Nyberg [11], Vaudenay [12], Cagalj et al. [13], Wong and Stajano [14] and Roscoe and Nguyen [15, 16]. Several closely related protocols are discussed as follows. More HISPs can be found in the survey paper [16].

2.2 Key distribution in sensor networks

Both symmetric- and asymmetric-cryptography-based key distribution techniques in sensor networks have been studied by many researchers. Most symmetric key distribution schemes for sensor networks are pre-deployment based. They require storing keys in sensor nodes before network deployment. Keys could be deployed deterministically, for example, a single master key or pair-wise keys [17]. There are also many non-deterministic key pre-deployment techniques, for example, the key distribution schemes in [18–20]. As we mentioned in the previous section, pre-deployment-based schemes are unsuitable for BSNs. Asymmetric cryptography key distribution schemes have also been developed [21, 22]. They use a pair of public and private keys to initiate secure connections between nodes. However, without a trusted third party, the public keys cannot be exchanged securely.

2.3 ID distribution in sensor networks

Generally speaking, sensor networks use the following IDs [23]:
† Unique node identifier: A unique node identifier is a unique persistent data item associated with every node. For example, a serial number could be a unique node identifier.
† MAC address: A MAC address is used to distinguish neighbouring nodes.
† Network address: A network address is used to distinguish nodes over multiple hops.
† Network identifier: A network identifier is used to distinguish different networks.
† Resource identifier: A resource identifier is used to identify resources, for example, temperature.

The fundamental tasks of address management are as follows: address allocation and de-allocation, conflict detection and resolution, and binding of different IDs. These IDs might be allocated globally unique, network-wide unique or locally unique (unique in a sub-network). When a conflict happens, different strategies may be used to resolve it. Vaidya [24] introduces strong and weak duplicate address detection (DAD). In strong DAD, the duplicate assignment must be detected within a short period. In weak DAD, duplicate addresses are tolerated if the session is not distorted. Perkins et al. [25], Nesargi and Prakash [26] and Schurgers et al. [27, 28] propose several address configuration protocols. However, these protocols have not paid attention to security protection.

3 HISPs in BSNs

In this section, we first introduce the human interactive empirical channels involved in BSNs and how to design HISPs in BSNs. In order to improve usability, the strings compared over human interactive channels should be short; a digest is one of the best choices, which is described in Section 2. In Section 3, the human interactive group commitment protocol model is described: the group commitment protocol is defined, and the countermeasures to the security problems of digest-function-based HISPs are listed.

3.1 Channels and HISPs in BSNs

Typically, the BSN is a simple star network; the network size is very small (fewer than ten nodes). This network uses a few sensor nodes S for collecting data. The sensors have limited processing capability, memory and energy. A local controller and/or a sink node L aggregates and submits the sensor data. An example BSN is as follows.

Example 1 (BSN for the elderly): An elderly person lives alone. He wears several sensor nodes S to measure heartbeat, pulse etc. A mobile phone, which works as the local controller L, aggregates and submits the sensor data to a health-care centre.

3.1.1 BSN channels: Generally speaking, there are three kinds of channels in BSN applications:
† Channels among devices (DD), for example, the wireless connection between two BSN nodes. The wireless communication channels involved are generally
$$DD = \begin{cases} S \leftrightarrow S \\ S \leftrightarrow L \end{cases}$$
† Channels among human users (HH), for example, a conversation between patient and doctor. Normally, only one user is involved in one BSN, but it is also possible that several persons are involved. For example, the patient's BSN and the doctor's devices may need to work cooperatively in the hospital. In this scenario, several persons are involved.
† Channels among human users and devices (HD), for example, the patient reads the string shown on the display of his BSN nodes.

We adopt the Dolev–Yao threat model [29] as the attack model for DD channels. In this model, the attacker controls the wireless communication channels: he/she can obtain and modify any messages which are transmitted over these channels, and he/she can initiate a conversation with any other user. However, the attacker is computationally bounded.

HH, and especially HD, channels in BSNs are always trustworthy; in most cases, they are NS and NB channels. In BSNs, sensors are worn by people. Thus, in most cases, people can directly see and hear signals from them. In addition, the nodes are legitimate and function correctly. Thus, the attacker cannot spoof or block messages transmitted over these channels. NS and/or NB channels exist widely in BSN applications:
$$HD/HH = \begin{cases} User \xleftrightarrow{\text{see/hear/simple input}} S \\ User \xleftrightarrow{\text{see/hear/input}} L \\ User_A \xleftrightarrow{\text{talk/email/SMS/phone call}} User_B \end{cases}$$

Fig. 1 Test bed sensor

Example 2 (test bed): As a demonstrating example, we built a hardware test bed as in Fig. 1. It comprises a microprocessor, a radio transceiver, a colour OLED display, a user button, five LED lights and a buzzer. The usages of the HD channels are as follows:
† The display can show strings and simple images, which can be read securely by users.
† The user button on the sensor board can input one bit of information.
† The LED lights can show numbers as in Fig. 1. Certainly, image processing technologies can be helpful in the LED light recognition process. An augmented reality application on a mobile phone is one of the best potential choices.
† The buzzer can generate sound with different frequencies. Signal processing technologies can be helpful.
Normally, all these HD channels are NS and NB channels.

3.1.2 HISPs in BSNs: In HISPs, we will use these NB and NS HD/HH channels in order to compare strings (e.g. the digests introduced in Section 3.2) and to input confirmation signals. With the HISPs, we can easily keep entity authenticity, data authenticity and integrity in BSNs. One example is as follows.

Example 3 (HISP example): This example shows that the NS and NB HD/HH channels in BSNs are helpful when sensor data are transmitted over insecure DD channels. Steps 1–3 clearly demonstrate the concept of trust transmission from trusted HD channels to a DD channel with the help of an HISP.
1. Sensor S sends temperature data T to sink L; S also shows the data to patient P: S → L ∧ P : T
2. L shows the received temperature data T′ on its display, which is checked by P: L →E P : T′
3. The patient compares T and T′; if T = T′, the transmission is correct.
Steps 4–6 show trust transmission from trusted HH and HD channels to DD channels with the help of an HISP:

4. L sends T′ to the doctor's device HC.
5. HC shows the received temperature data T″ on its display, which is checked by the doctor Doc: HC →E Doc : T″
6. P and Doc compare T, T′ and T″; if T = T′ = T″, all the transmissions are correct.

If the HH channel in the sixth step is an NS and NB channel, the protocol is secure. Therefore the human interactive empirical channels such as HH and HD in BSNs can be used to design BSN security protocols.

3.2 Usability improvement: digest-function-based HISPs

In HISPs, users are always required to compare strings, but it is difficult for human users to compare long strings over HD or HH empirical channels. Moreover, these channels are always established using small displays, or even LED lights and buzzers, which are unable to convey large amounts of information efficiently. Thus, in order to use empirical channels in BSN applications, the string must be short. A digest is one of the best short strings to compare over HD/HH channels; it is always helpful for keeping message authenticity and integrity. The definition of a digest function is as follows.

Definition 3 (digest function): A digest function HD takes as input a message M of arbitrary length and produces as output a short message digest D of fixed length. In other words, if K is a key domain, HD : K × M → D, where D is usually 32 or 64 bits.

It is necessary to distinguish the digest function from a hash function. The hash function H has a similar definition to the digest function except that its output is much longer. Today, the output of a secure hash function is generally longer than 256 bits. A cryptographic hash function has the following properties:
† Preimage resistance: Given a hash value h, it is difficult to find a message m such that h = H(m). Otherwise, the hash function is vulnerable to preimage attacks.
† Second-preimage resistance: Given an input m1, it is difficult to find another input m2, where m1 ≠ m2, such that H(m1) = H(m2). Otherwise, the hash function is vulnerable to second-preimage attacks.
† Collision resistance: It should be difficult to find m1 and m2, where m1 ≠ m2, such that H(m1) = H(m2). This is stricter than second-preimage resistance, since m1 is not given. A hash function without this property is vulnerable to the birthday attack.

3.2.1 Potential weakness one: combinatorial attack: The short digest string D is easy to show and easy to compare. However, the digest function is vulnerable to the second-preimage attack and the birthday attack. Since these attacks are based on combinatorial search, we name them the combinatorial attack. The following example shows one example protocol using a digest function and the combinatorial attack against it.

Example 4 (an HISP using digest and combinatorial attack): The following protocol exchanges identities and keys between S and L. Suppose IDS and PKS are the identity and public key of S, and IDL and PKL are the identity and public key of L. ID′S and PK′S are the identity and public key that L received from S, and ID′L and PK′L are the identity and public key that S received from L. The protocol works as follows.
† S → L : IDS, PKS
† L → S : IDL, PKL
† L →display User : DL = HD(IDL, PKL, ID′S, PK′S)
† S →display User : DS = HD(ID′L, PK′L, IDS, PKS)
† If DL = DS, the user pushes the confirmation buttons on L and S.

Thanks to the digest function, users only need to compare digests 32 or 64 bits long. In addition, such digests are easier for sensors to show. However, the combinatorial attack is possible. When sensor S and sink L exchange their IDs and keys, since the digest function is vulnerable to the combinatorial attack, an attacker I can search for IDI(S), PKI(S), IDI(L) and PKI(L) that fulfil
$$H_D(ID_L, PK_L, ID_{I(S)}, PK_{I(S)}) = H_D(ID_{I(L)}, PK_{I(L)}, ID_S, PK_S)$$
Then I sends IDI(S) and PKI(S) to L; meanwhile I sends IDI(L) and PKI(L) to S. L and S will show the same short digest strings, but the protocol is compromised.

3.2.2 Potential weakness two: group size attack: The group size attack is another weakness. The network itself does not know the group size. Example 5 shows the group size attack against the protocol in Example 4.

Example 5 (group size attack): Suppose there are two members L and S, and there is one intruder I.
1. S → L ∧ I : IDS, PKS
2. I → L ∧ S : IDI, PKI
3. L → S ∧ I : IDL, PKL
4. L →display User : DL = HD(IDL, PKL, ID′S, PK′S, ID′I, PK′I)
5. S →display User : DS = HD(ID′L, PK′L, IDS, PKS, ID′I, PK′I)
6. Since DL = DS, the user pushes the confirmation buttons on L and S.
The protocol fails to find out that the intruder named IDI has joined the group.
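The two weaknesses of Section 3.2, as an added Python illustration that is not part of the paper: the birthday-style search an intruder runs against the Example 4 protocol, and the group size check (the paper's countermeasure in Section 3.3.2) applied to the Example 5 run. The digest is truncated to 16 bits, rather than the paper's 32 or 64, so that the search finishes in a few hundred trials; the `HD` helper, the ID/key byte strings and the counting convention (a member's own partial commitment is included in its count) are assumptions of this illustration.

```python
import hashlib
import random

# Added illustration of Examples 4 and 5 (not the paper's code). The digest is
# truncated to 16 bits so the search is quick; IDs and keys are constructed.


def HD(*parts: bytes, bits: int = 16) -> bytes:
    """Toy digest function H_D: the first `bits` bits of SHA-256 over the
    length-prefixed concatenation of its arguments (assumed construction)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(data).digest()[: bits // 8]


def example4_displays(IDL, PKL, recv_from_S, IDS, PKS, recv_from_L):
    """Digests shown in Example 4: each side hashes its own ID/key together
    with the (ID', PK') pair it received from the other side over the DD channel."""
    DL = HD(IDL, PKL, *recv_from_S)   # D_L = H_D(ID_L, PK_L, ID'_S, PK'_S)
    DS = HD(*recv_from_L, IDS, PKS)   # D_S = H_D(ID'_L, PK'_L, ID_S, PK_S)
    return DL, DS


def combinatorial_attack(IDS, PKS, IDL, PKL, seed=1, limit=1 << 16):
    """The search from Section 3.2.1: find (ID_I(S), PK_I(S)) to send to L and
    (ID_I(L), PK_I(L)) to send to S whose digests collide, so both displays
    agree although each side now holds I's key. Birthday-style: tabulate one
    side, probe the other. Returns (substitutes, trials) or (None, limit)."""
    rng = random.Random(seed)
    table = {}
    for trials in range(1, limit + 1):
        to_L = (b"I-S-%d" % trials, rng.getrandbits(64).to_bytes(8, "big"))
        table.setdefault(HD(IDL, PKL, *to_L), to_L)
        to_S = (b"I-L-%d" % trials, rng.getrandbits(64).to_bytes(8, "big"))
        hit = table.get(HD(*to_S, IDS, PKS))
        if hit is not None:
            return {"to_L": hit, "to_S": to_S}, trials
    return None, limit


def group_size_ok(received_pcms: int, m: int) -> bool:
    """Group size check of Section 3.3.2: the user confirms only when every
    device shows a count equal to the group size m entered by the user."""
    return received_pcms == m


def demo():
    IDS, PKS, IDL, PKL = b"S", b"PK-S", b"L", b"PK-L"     # constructed values
    honest = example4_displays(IDL, PKL, (IDS, PKS), IDS, PKS, (IDL, PKL))
    subs, trials = combinatorial_attack(IDS, PKS, IDL, PKL)
    attacked = example4_displays(IDL, PKL, subs["to_L"], IDS, PKS, subs["to_S"])
    # Example 5: the group has m = 2 members, but L counts its own PCM plus
    # those of S and of the intruder I, so the count does not match m.
    return honest, attacked, trials, group_size_ok(1 + 2, 2)
```

The search cost grows as roughly 2^(b/2) for a b-bit digest, so lengthening the digest to the 32 bits a user can still compare only raises the work to the order of 65 000 trials; this is why Section 3.3 removes the attacker's knowledge of the digest during the commit phase rather than relying on digest length.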

3.3 Security improvement: HIGDCP model

In order to eliminate the combinatorial attack, we introduce the group commitment protocol model. A group commitment protocol allows members to commit to a secret value Θ; it also allows this value to be revealed and checked later. In other words, there are two phases in this protocol.

Definition 4 (commit phase): In the commit phase, all members exchange partial commitment messages (PCMs). Using these messages, the members cooperatively choose a secret value Θ.

Definition 5 (reveal phase): In the reveal phase, all members exchange partial opening messages (POMs). Using these messages, Θ is revealed and checked.

The group commitment protocol normally holds two properties: the z-knowing and binding properties.

Definition 6 (z-knowing property): Suppose there are only z members (m > z ≥ 0, where m is the group size) who know the value Θ legitimately during the commit phase; then we say that this protocol fulfils the z-knowing property.

Definition 7 (binding property): During the reveal phase, Θ must be the only value that all the members can compute and that validates. This is called the binding property.

In summary, we can define the group commitment protocol as follows.

Definition 8 (group commitment protocol): A group commitment protocol consists of two phases: the commit phase and the reveal phase. In addition, the protocol holds the z-knowing and binding properties.

In particular, when Θ is a digest D, which is compared over HD/HH empirical channels, the protocol can keep the integrity of all information transferred in the commit phase. This useful protocol scheme is defined as follows.

Definition 9 (HIGDCP): A protocol is an HIGDCP iff it is a secure group commitment protocol, and the validation of the commitment is based on the comparison of a digest string D over HD/HH empirical channels. Generally speaking, entity authenticity, data authenticity and integrity are guaranteed.

Example 6 (HIGDCP example): When L and sensors S1, …, Sm−1 want to exchange IDs, we can use HIGDCP as follows:
1. L → ∀S : IDL ∥ H(k), where k is a long random string.
2. ∀S → L ∧ S′ : IDS, where S′ represents all other sensor nodes except the node S.
3. When no new commitment messages have been received for a while, each member shows the number of received partial commitment messages. From now on, no further partial commitment message will be accepted.
4. The user pushes the user button on L when all numbers are shown and are equal to the group size.
5. L → ∀S : k
6. L and each S generate and show D on their displays
$$D = H_D(ID_L \| ID_1 \| \cdots \| ID_{m-1} \| k)$$
where ID1 ∥ … ∥ IDm−1 is the concatenation of all the partial commitment messages from S1 to Sm−1.
7. The user compares the D shown by each device.

The NB and NS human interactive empirical channels are established using the displays in steps 6 and 7. This protocol is a one-knowing protocol, and it holds the binding property. The analysis is as follows. During the commit phase (steps 1 and 2), it is easy to see that L knows the final value D. No S can get D because S does not know k. Thus, the protocol is a one-knowing protocol. Obviously, the validity of D can be checked by the hashes in the reveal phase (steps 5–7). In addition, since H(k) is a long hash, k is determined; thus, D is the only value that all the group members can compute. Therefore this protocol also holds the binding property.

3.3.1 Combinatorial attack elimination: phase separation: The HIGDCP can eliminate the combinatorial attack with properly separated commit and reveal phases. Three concepts are helpful. The first concept is one round of the protocol; the second is named the commit point (CP); and the last one is also a crucial time, which is named the reveal point (RP).

Definition 10 (one round): One round of a protocol is a process that contains only one commit phase and one reveal phase.

Definition 11 (CP): In one round, a node E's CP is the time at which node E stops accepting new partial commitment messages.

Definition 12 (RP): In one round, the RP is the time at which a node which is not one of the z knowing members knows the value of D.

The sequence of CP and RP in one round of an HIGDCP is critical.

Theorem 1: The combinatorial attack can be eliminated in an HIGDCP if an event sequence RP → … → CP does not exist in one round of the protocol. In addition, the combinatorial attack happens in an HIGDCP if and only if the event sequence RP → … → CP exists in one round of the protocol.

Proof: (i) If an event sequence RP → … → CP exists in one round of the protocol, an attacker may know the final digest D in the commit phase. Since the digest function in an HIGDCP is weak, the combinatorial attack is possible. (ii) Assume that the sequence RP → … → CP does not exist in one round. This means that the attacker cannot know the value of D in the commit phase. Thus, the attacker only has a negligible chance of generating fake partial commitment messages that commit to the same D. In summary, the combinatorial attack happens iff the sequence exists in one round. More discussion can be found in [15, 16]. Therefore if there is no such sequence, the combinatorial attack is eliminated. □

Example 7: In Example 6, the combinatorial attack against the digest is eliminated. Steps 3 and 4 separate the commit phase (steps 1 and 2) and the reveal phase (steps 5–7). The CP is in step 3, and the RP is in step 5. The attacker does not know the digest value in the commit phase (steps 1 and 2). Thus, the attacker cannot initiate a combinatorial search, which means that the attacker cannot find a fake ID that generates the same digests in the final step.

3.3.2 Group size attack elimination: group size check: In order to eliminate the group size attack, a group size check is necessary in a group commitment protocol. For instance, in Example 6, the group size is checked in step 4. In this case, an attack similar to Example 5 cannot happen anymore.

3.4 Summary

In this section, we have proposed the HIGDCP. The core of the new protocol is the human interactive empirical channels. We have investigated the possible human interactive empirical channels in BSN applications. Besides, we have studied how digest-based HISPs are secured using HIGDCP. Generally speaking, using the HISPs, entity authenticity, data authenticity and integrity are guaranteed in BSNs.

4 Human interactive ID and key distribution protocols

Secure communication in BSNs relies on ID and key distribution protocols. Since current static ID and key pre-distribution schemes are not suitable for BSNs, this section aims to provide dynamic ID and key distribution protocols that do not depend on any pre-deployment of keys or secrets. In addition, the security and implementation issues are discussed.

4.1 ID and key distribution protocols

The ID system is an important part of a BSN. This system mainly focuses on the relationship between IDs/names and addresses. An ID or name is a title which is used to denote things. An address supplies the information needed to find these things. For example, a unique node identifier is a name, and a MAC address is an address. However, this distinction is not sharp: an IP address contains information both to find and to identify a node. Binding is a mapping between names and addresses, since a single node can have many names and addresses. As an example, the domain name service provides the mapping from a hypertext name to an IP address [23].

Our protocols aim at binding the IDs and keys to the correct communication parties. They are extended from the ECDH protocol. ECDH allows two parties, for example, a sink and a sensor, to establish a shared secret over an insecure channel. However, it is well known that ECDH is vulnerable to the MITM attack. Hence, the objective of our protocol is that all parties receive the correct public keys and IDs without worrying about the MITM attack. Therefore our dynamic binding protocols are designed.

Initially, the public base point G and its order n, the elliptic curve y^2 = x^3 + ax + b (mod p) and the cofactor h must be configured. Additionally, each party must have a key pair suitable for elliptic curve cryptography; the key pair consists of a private key d (a randomly selected integer in the interval [1, n − 1]) and a public key Q (Q = dG). It is infeasible to find d from Q with knowledge of the base point G, since it is difficult to solve the elliptic curve discrete logarithm problem.

The new symbols used are listed as follows:
† E represents any one node, and E′ represents an entity other than E. Assume there are in total m − 1 sensors and one sink.
† QE is the public key of entity E.
† ADE is the address of entity E.
† CE is the concatenation IDE ∥ ADE ∥ QE, where ∥ means concatenation.

Based on the concept of HIGDCP, a value
$$H_D(k_{E_1} \| \cdots \| k_{E_m} \| C_{E_1} \| \cdots \| C_{E_m} \| m)$$
will be committed, and partial commitment/opening pairs [CE ∥ H(kE), kE] are generated. The ECDH-SHCBK runs as in Fig. 2, and it is explained as follows.

Fig. 2 One round of ECDH-SHCBK protocol

Protocol 1 (ECDH-SHCBK):
1. The user inputs the group size m on L. In addition, L broadcasts the group size: L → ∀S : m
2. In the commit phase, partial commitments (PCMs) are exchanged over the wireless channels: ∀E → ∀E′ : CE ∥ H(kE)
3. At the commit point CP, E stops accepting new PCMs when the number of previously received PCMs is greater than or equal to m.
4. In the reveal phase, partial openings (POMs) are exchanged over the wireless channels: ∀E → ∀E′ : kE
5. After all partial openings are exchanged (the reveal points RPE and RPE′), E shows $H_D(k_{E_1} \| \cdots \| k_{E_m} \| C_{E_1} \| \cdots \| C_{E_m} \| m)$ using its display or LED lights. The user compares all the digests.

In the commit phase, CE ∥ H(kE) reveals no information about $H_D(k_{E_1} \| \cdots \| k_{E_m} \| C_{E_1} \| \cdots \| C_{E_m} \| m)$. In the reveal phase, the partial commitment/opening pairs jointly reveal the digest, and it is infeasible to find k′E such that [CE ∥ H(kE), kE] and [CE ∥ H(kE), k′E] reveal the same digest value, thanks to the low collision probability of the long hash function. Therefore this is a zero-knowing HIGDCP.

The second distribution protocol is extended from Example 6. More human work is required, but less wireless communication is needed. We assume that i = 1, …, m − 1, j = 1, …, m − 1 and i ≠ j. The ECDH-HCBK is shown in Fig. 3 (the procedure of L is shown on the left, and the procedure of S on the right); it is explained as follows.

Fig. 3 One round of ECDH-HCBK protocol

Protocol 2 (ECDH-HCBK):
1. The user inputs the group size m on L. In addition, L broadcasts the group size and its partial commitment PCML: L → ∀Si : CL ∥ sessionL ∥ H(k) ∥ m
2. All S broadcast their partial commitments (PCMSs): ∀Si → L ∧ ∀Sj : Ci ∥ sessioni
3. At the commit point CP, any node stops accepting new PCMs when the number of previously received PCMs is greater than or equal to m − 1. Meanwhile, the node flashes its LED. The user pushes the user button on L when all sensor nodes are signalling.
4. L broadcasts k as POML: L → ∀Si : k. S knows the committed digest after it receives this message, which is its RPS.
5. The user reads the digests from the OLED displays or LED flashes and compares them. The digests are as follows
$$H_D\Big(k \| m \| C_L \| session_L \| \big\|_{i=1}^{m-1} (C_i \| session_i)\Big)$$


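The two exchanges above (Protocol 1, ECDH-SHCBK, and Protocol 2, ECDH-HCBK), run end to end as an added example; this is not code from the paper. Both protocols are simulated with SHA-256 standing in for H, a 24-bit HD, random 32-byte strings standing in for the ECDH values inside C_E, and a man-in-the-middle who replaces the ECDH value and k on every message that crosses between one victim node and the rest. The victim's digest then disagrees with everyone else's, which is exactly what the human comparison in step 5 catches. Node ids, session nonces, ordering the commitments by id, counting a node's own PCM towards the threshold m in Protocol 1, and the seeded RNG are assumptions of the example.

```python
"""ECDH-SHCBK (Protocol 1) and ECDH-HCBK (Protocol 2), simulated end to end.
Added example, not code from the paper. Assumed, since the page does not fix
them: H is SHA-256; HD is the first 6 hex digits of SHA-256; the ECDH value in
C_E is a random 32-byte string led by the node id (so all nodes order the
commitments the same way); session_E is an 8-byte nonce; in Protocol 1 a node
counts its own PCM towards the threshold m; the RNG is seeded for repeatability."""
import hashlib
import random

rng = random.Random(2013)

def rand(n):
    return bytes(rng.getrandbits(8) for _ in range(n))

def H(data):                                         # long hash inside the PCMs
    return hashlib.sha256(data).digest()

def HD(data, hex_digits=6):                          # short digest the user compares
    return hashlib.sha256(data).hexdigest()[:hex_digits]

class Node:
    def __init__(self, nid):
        self.nid = nid
        self.C = bytes([nid]) + rand(31)             # ID_E || ECDH value (modelled)
        self.k = rand(32)                            # fresh random string per round
        self.session = rand(8)                       # session_E (Protocol 2 only)
        self.pcm = {}                                # sender id -> committed fields
        self.closed = False                          # True once the CP is reached
        self.sent = self.received = 0
    def accept_pcm(self, nid, fields, threshold):
        self.received += 1
        if not self.closed:                          # after the CP no PCM is accepted
            self.pcm[nid] = fields
            self.closed = len(self.pcm) >= threshold
    def accept_opening(self, nid, k):
        self.received += 1
        if H(k) != self.pcm[nid]["hk"]:              # opening must match the commitment
            raise ValueError(f"node {self.nid}: opening from {nid} does not match")
        self.pcm[nid]["k"] = k

class Mitm:
    """Relays between one victim and the rest; swaps in its own ECDH value and k."""
    def __init__(self, victim):
        self.victim, self.k, self.fake_C = victim, rand(32), {}
    def crosses(self, sender, receiver):
        return (sender is self.victim) != (receiver is self.victim)
    def on_pcm(self, sender, receiver, fields):
        if not self.crosses(sender, receiver):
            return fields
        fake = self.fake_C.setdefault(sender.nid, bytes([sender.nid]) + rand(31))
        f = dict(fields, C=fake)
        if "hk" in f:
            f["hk"] = H(self.k)                      # will be opened with the attacker's k
        return f
    def on_opening(self, sender, receiver, k):
        return self.k if self.crosses(sender, receiver) else k

def broadcast(sender, receivers, fields, threshold, mitm):
    sender.sent += 1
    for r in receivers:
        f = mitm.on_pcm(sender, r, fields) if mitm else fields
        r.accept_pcm(sender.nid, dict(f), threshold)

def reveal(sender, receivers, mitm):
    sender.sent += 1
    for r in receivers:
        r.accept_opening(sender.nid, mitm.on_opening(sender, r, sender.k) if mitm else sender.k)

def run_shcbk(nodes, mitm=None):
    """Protocol 1. Returns {node id: digest shown on that node's display}."""
    m = len(nodes)
    for e in nodes:                                  # own PCM counts towards the CP
        e.pcm[e.nid] = {"C": e.C, "hk": H(e.k), "k": e.k}
    for e in nodes:                                  # commit: E -> all E' : C_E || H(k_E)
        broadcast(e, [r for r in nodes if r is not e], {"C": e.C, "hk": H(e.k)}, m, mitm)
    assert all(e.closed for e in nodes)              # every CP precedes every k_E on the air
    for e in nodes:                                  # reveal: E -> all E' : k_E
        reveal(e, [r for r in nodes if r is not e], mitm)
    out = {}
    for e in nodes:                                  # HD(k_E1..k_Em || C_E1..C_Em || m)
        ids = sorted(e.pcm)
        ks = b"".join(e.pcm[i]["k"] for i in ids)
        cs = b"".join(e.pcm[i]["C"] for i in ids)
        out[e.nid] = HD(ks + cs + bytes([m]))
    return out

def run_hcbk(nodes, mitm=None):
    """Protocol 2: nodes[0] is the leader L, the rest are the sensors S_i."""
    m, L, sensors = len(nodes), nodes[0], nodes[1:]
    # step 1: L -> all S_i : C_L || session_L || H(k) || m
    broadcast(L, sensors, {"C": L.C, "session": L.session, "hk": H(L.k), "m": m}, m - 1, mitm)
    for s in sensors:                                # step 2: S_i -> L, all S_j : C_i || session_i
        broadcast(s, [r for r in nodes if r is not s], {"C": s.C, "session": s.session}, m - 1, mitm)
    assert all(e.closed for e in nodes)              # step 3: every LED flashes, user presses the button
    reveal(L, sensors, mitm)                         # step 4: L -> all S_i : k
    out = {}
    for e in nodes:                                  # HD(k || m || C_L || session_L || C_1 || session_1 || ...)
        view = {**e.pcm, e.nid: {"C": e.C, "session": e.session, "k": e.k}}
        lead = view[L.nid]["k"] + bytes([m]) + view[L.nid]["C"] + view[L.nid]["session"]
        rest = b"".join(view[i]["C"] + view[i]["session"] for i in sorted(view) if i != L.nid)
        out[e.nid] = HD(lead + rest)
    return out

def message_counts(nodes):                           # (sent, received) totals, cf. Section 4.3.1
    return sum(e.sent for e in nodes), sum(e.received for e in nodes)
```

A PCM that arrives after a node's CP is ignored, and an opening whose hash differs from the committed H(k) is rejected; those two checks are what rule out the combinatorial attack discussed in the security analysis, because no party can choose or revise its k once the commitments are fixed. The message counters reproduce the per-node figures of the energy-consumption discussion: for m nodes, ECDH-SHCBK totals 2m sends and 2m(m − 1) receives, ECDH-HCBK m + 1 sends and (m − 1)(m + 1) receives.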

In some cases, trustworthy ID distribution is enough. For example, when several body sensors look for possible gateways, the user only needs to make sure that the sensors do not connect to a fake gateway. In this case correct ID distribution is good enough, so C_E is the concatenation ID_E ∥ AD_E. When keys and IDs have to be changed or updated, there are two possible methods. The first is to re-run the two protocols; its advantage is that the security of the new keys does not depend on the old ones. The second is to protect the new keys and IDs with the old keys, as the secure socket layer does; its advantage is that no human effort is required.

4.2 Security analysis

Theorem 2: If all nodes are trustworthy and the human interactive channels are NB and NS, the ECDH-SHCBK protocol is authentic.

Proof: In step 5 the communication is over empirical channels, so any two nodes A and B can believe that they are communicating with each other. We assume that k_A and k_B differ from k′_A and k′_B, the random strings used in other rounds of the protocol; therefore A and B have run the protocol once and only once with k_A and k_B. In addition, the digest exchanged in step 5 is trustworthy. Thus, when A's digest equals B's, the received C_A and C_B are trustworthy, unless the digest function has been subjected to a combinatorial attack. However, a combinatorial attack is impossible in ECDH-SHCBK. For any entity E, one round of the protocol is represented as in Fig. 2: it starts when a new k_E is generated and ends when the digest is shown. The condition for no MITM-combinatorial attack is that, within one round, there must be a CP before k_E is sent. This is clearly fulfilled in ECDH-SHCBK. Therefore there is no combinatorial attack, which means that A and B agree on C_A and C_B in this round of the protocol. □


Theorem 3: If all nodes are trustworthy and the human interactive channels are NB and NS, the ECDH-HCBK protocol is authentic.

Proof: In step 5 the communication is over empirical channels, so any two nodes A and B can believe that they are communicating with each other. We assume that k_L differs from k′_L, the random string used in other rounds of the protocol; therefore A and B have run the protocol once and only once with k_L. In addition, the digest exchanged in step 5 is trustworthy. Thus, when A's digest equals B's, the received C_A and C_B are trustworthy, unless the digest function has been subjected to a combinatorial attack. However, a combinatorial attack is impossible in ECDH-HCBK. For any node, one round of the protocol is represented as in Fig. 3: it starts when a new k_L is generated and ends when the digest is shown. Since the CPs are synchronised, the sequence RP_S → … → CP cannot occur, theoretically. Therefore there is no combinatorial attack, which means that A and B agree on C_A and C_B in this round of the protocol. □

4.3 Implementation issues

The actions of the sensors are mainly controlled in one thread. In this thread we trace the power consumption every five time units; after that, the broadcast channel is opened. The communication steps of ECDH-SHCBK are implemented in a while loop. The network is lossy, so we modify the theoretical protocol to handle lost messages; since the sequence of messages is controlled by the human interactions, adding acknowledgements is good enough. The implementation of ECDH-HCBK is similar to that of ECDH-SHCBK. The main structure of the ECDH-SHCBK thread is shown in Fig. 4.

4.3.1 Energy consumption: In ECDH-SHCBK, each node sends two messages and receives 2(m − 1) messages. In ECDH-HCBK, each node sends on average (m + 1)/m messages and receives on average (m − 1) + (m − 1)/m messages. The simple broadcast protocol sends one message and receives m − 1 messages. To examine the energy consumption of the binding protocols, simulations were run in the Cooja simulator [30] using Tmote Sky nodes. The simulation neglects the human interaction steps, since they involve no computation or communication. The broadcast protocol is also modified to handle lost messages. The normalised energy consumption E for different group sizes is shown in Fig. 5. The energy consumption of ECDH-SHCBK is around double that of reliable broadcast, and that of ECDH-HCBK around 1.5 times; this meets our expectations and is very efficient. Elliptic curve cryptography is not our main concern; on a Tmote Sky node its energy consumption is typically 7.13 mJ for ECDH initialisation and 9.48 mJ for key establishment [31], which is acceptable. Moreover, these protocols are mainly used in the network initialisation phase, so they run only once and the energy consumption is acceptable.

4.3.2 Human sensor interface: Display-based human sensor interaction is relatively better. Several possible human sensor interaction methods were designed and tested.


Fig. 4 Structure of the ECDH-SHCBK thread

Fig. 5 Normalised energy consumption. B is the broadcast protocol, S is the ECDH-SHCBK protocol and H is the ECDH-HCBK protocol

The first method is that users directly read the LED flashes or listen to the buzzer beeps. Suppose the time unit is 0.5 s: each dot occupies one time unit, each dash three time units, and the interval between symbols two time units. Two LEDs, A and B, are used. The tested methods are shown in Table 1. However, none of these interaction methods is preferred by users. The second method uses image processing. The results are not stable: a computer can recognise the LED flashes using a camera, but in the presence of interference the recognition results are usually unusable. The third method is that users directly read strings from small displays. It is stable and is preferred (remember that the digest is very short). String-comparison-based protocols are nowadays used in Bluetooth network initiation and even in Windows-based family sharing network initiation, so this is acceptable.


Table 1 Human sensor interaction tests (A and B are the two LEDs, beep is the buzzer; one column per signalled symbol)

Test  dot   dash  dot   dot   dash  dash  dot   dot   dot   dot   dash  dash
1     A     A     A     A     A     A     A     A     A     A     A     A
2     beep  beep  beep  beep  beep  beep  beep  beep  beep  beep  beep  beep
3     A     beep  A     A     beep  beep  A     A     A     A     beep  beep
4     A     beep  A     B     beep  beep  A     B     A     B     beep  beep

5 Conclusion and future work

In this paper, we have studied the possibility of using human interactive channels in BSN applications. Properly designed HH and HD channels can offer authenticity and integrity for the data transferred over them, and they help to protect information transferred over the DD channel, which can be overheard, deleted or modified by the attacker. In addition, we have proposed a group commitment protocol model and studied human-interactive-channel-based group commitment protocols, together with the possible attacks and countermeasures. Thirdly, ECDH-SHCBK and ECDH-HCBK are designed; thanks to them, the MITM attack, which is the main problem of ECDH, is eliminated. Compared with key pre-distribution protocols, these two protocols can easily replace compromised and expired keys, and they provide a possible way of dynamically allocating IDs in a network. In the next stage, we will try other human sensor interfaces, for example visible light communication channels, audio-based channels and vibration-based channels, and we will optimise our protocols based on the characteristics of these channels.

6 Acknowledgment

This work was supported in part by the Oxford Martin School and US Office of Naval Research.

7 References

1 Halperin, D., Heydt-Benjamin, T.S., Ransford, B., et al.: 'Pacemakers and implantable cardiac defibrillators: software radio attacks and zero-power defenses'. Proc. IEEE SP 08, Oakland, CA, USA, 2008, pp. 129–142
2 Stajano, F., Anderson, R.: 'The resurrecting duckling: security issues for ad-hoc wireless networks', in Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (Eds.): 'Security protocols workshop' (LNCS, 1976) (Springer, 1999), pp. 172–194
3 McCune, J.M., Perrig, A., Reiter, M.K.: 'Seeing-is-believing: using camera phones for human-verifiable authentication'. Proc. IEEE SP 05, Oakland, CA, USA, 2005, pp. 110–124
4 Saxena, N., Ekberg, J.E., Kostiainen, K., Asokan, N.: 'Secure device pairing based on a visual channel'. Proc. IEEE SP 06, Oakland, CA, USA, 2006, pp. 306–313
5 Chen, C.H.O., Chen, C.W., Kuo, C., et al.: 'GAnGS: gather, authenticate 'n group securely'. Proc. ACM MobiCom 08, San Francisco, CA, USA, 2008, pp. 92–103
6 Lin, Y.H., Studer, A., Chen, Y.H., et al.: 'SPATE: small-group PKI-less authenticated trust establishment', IEEE Trans. Mob. Comput., 2010, 9, (12), pp. 1666–1681
7 Goodrich, M.T., Sirivianos, M., Solis, J., Tsudik, G., Uzun, E.: 'Loud and clear: human-verifiable authentication based on audio'. Proc. IEEE ICDCS 06, Lisboa, Portugal, 2006, p. 10
8 Soriente, C., Tsudik, G., Uzun, E.: 'HAPADEP: human-assisted pure audio device pairing', in Wu, T.C., Lei, C.L., Rijmen, V., Lee, D.T. (Eds.): 'Information security' (LNCS, 5222) (Springer, 2008), pp. 385–400
9 Creese, S.J., Goldsmith, M.H., Harrison, R., Roscoe, A.W., Whittaker, P., Zakiuddin, I.: 'Exploiting empirical engagement in authentication protocol design', in Hutter, D., Ullmann, M. (Eds.): 'Security in pervasive computing' (LNCS, 3450) (Springer, 2005), pp. 119–133
10 Balfanz, D., Smetters, D.K., Stewart, P., Wong, H.C.: 'Talking to strangers: authentication in ad-hoc wireless networks'. Proc. NDSS 02, San Diego, CA, USA, 2002, pp. 7–19
11 Gehrmann, C., Nyberg, K.: 'Security in personal area networks', in Mitchell, C.J. (Ed.): 'Security for mobility' (IEE Press, 2004, 1st edn.), pp. 191–230
12 Vaudenay, S.: 'Secure communications over insecure channels based on short authenticated strings', in Shoup, V. (Ed.): 'Advances in cryptology – CRYPTO 2005' (LNCS, 3621) (Springer, 2005), pp. 309–326
13 Cagalj, M., Capkun, S., Hubaux, J.P.: 'Key agreement in peer-to-peer wireless networks', Proc. IEEE, 2006, 94, (2), pp. 467–478
14 Wong, F.L., Stajano, F.: 'Multichannel security protocols', IEEE Pervasive Comput., 2007, 6, (4), pp. 31–39
15 Nguyen, L.H., Roscoe, A.W.: 'Authenticating ad hoc networks by comparison of short digests', Inf. Comput., 2008, 206, (2–4), pp. 250–271
16 Nguyen, L.H., Roscoe, A.W.: 'Authentication protocols based on low-bandwidth unspoofable channels: a comparative survey', J. Comput. Sec., 2011, 19, (1), pp. 139–201
17 Perrig, A., Szewczyk, R., Tygar, J.D., Wen, V., Culler, D.E.: 'SPINS: security protocols for sensor networks', Wirel. Netw., 2002, 8, (5), pp. 521–534
18 Eschenauer, L., Gligor, V.D.: 'A key-management scheme for distributed sensor networks'. Proc. ACM CCS 02, Washington, DC, USA, 2002, pp. 41–47
19 Chan, H.W., Perrig, A., Song, D.: 'Random key predistribution schemes for sensor networks'. Proc. IEEE SP 03, Oakland, CA, USA, 2003, pp. 197
20 Du, W., Deng, J., Han, Y.S., Varshney, P.K., Katz, J., Khalili, A.: 'A pairwise key predistribution scheme for wireless sensor networks', ACM Trans. Inf. Syst. Sec., 2005, 8, (2), pp. 228–258
21 Malan, D.J., Welsh, M., Smith, M.D.: 'A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography'. Proc. IEEE SECON 2004, Santa Clara, CA, USA, 2004, pp. 71–80
22 Huang, Q., Cukier, J., Kobayashi, H., Liu, B., Zhang, J.: 'Fast authenticated key establishment protocols for self-organizing sensor networks'. Proc. ACM WSNA 03, San Diego, CA, USA, 2003, pp. 141–150
23 Karl, H., Willig, A.: 'Protocols and architectures for wireless sensor networks' (Wiley-Interscience, 2007, 1st edn.)
24 Vaidya, N.H.: 'Weak duplicate address detection in mobile ad hoc networks'. Proc. ACM MobiHoc 02, Lausanne, Switzerland, 2002, pp. 206–216
25 Perkins, C.E., Royer, E.M., Das, S.R.: 'IP address autoconfiguration for ad hoc networks'. Internet Draft, 2000
26 Nesargi, S., Prakash, R.: 'MANETconf: configuration of hosts in a mobile ad hoc network'. Proc. IEEE INFOCOM 2002, New York, USA, 2002, pp. 1059–1068
27 Schurgers, C., Kulkarni, G., Srivastava, M.B.: 'Distributed assignment of encoded MAC addresses in sensor networks'. Proc. ACM MobiHoc 01, Long Beach, CA, USA, 2001, pp. 295–298
28 Schurgers, C., Kulkarni, G., Srivastava, M.B.: 'Distributed on-demand address assignment in wireless sensor networks', IEEE Trans. Parallel Distrib. Syst., 2002, 13, (10), pp. 1056–1065
29 Dolev, D., Yao, A.: 'On the security of public key protocols', IEEE Trans. Inf. Theory, 1983, 29, (2), pp. 198–208
30 Osterlind, F., Dunkels, A., Eriksson, J., Finne, N., Voigt, T.: 'Cross-level sensor network simulation with COOJA'. Proc. IEEE LCN 06, Tampa, FL, USA, 2006, pp. 641–648
31 Liu, A., Ning, P.: 'TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks'. Proc. IEEE IPSN 08, St. Louis, MO, USA, 2008, pp. 245–256
