Secure Data Aggregation with MAC Authentication in ... - IEEE Xplore

2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications

Secure Data Aggregation with MAC Authentication in Wireless Sensor Networks

Soufiene Ben Othman
UR PRINCE, ISITC, Hammam Sousse, University of Sousse, Tunisia
Email: [email protected]

Abdelbasset Trad, Habib Youssef
UR PRINCE, ISITC, Hammam Sousse, University of Sousse, Tunisia
Email: [email protected]

Hani Alzaid
Computer Research Institute, King Abdulaziz City for Science and Technology
[email protected]

Abstract— Recently, several data aggregation schemes based on privacy homomorphism encryption have been proposed and investigated on wireless sensor networks. These data aggregation schemes provide better security compared with traditional aggregation since cluster heads (aggregators) can directly aggregate the ciphertexts without decryption; consequently, transmission overhead is reduced. Based on our survey of existing research efforts for ensuring secure data aggregation, a novel approach that uses homomorphic encryption and Message Authentication Codes (MAC) to achieve confidentiality, authentication and integrity for secure data aggregation in wireless sensor networks is proposed. Our experiments show that our proposed secure aggregation method significantly reduces computation and communication overhead and can be practically implemented in off-the-shelf sensor platforms.

Keywords—Wireless Sensor Networks, Data Aggregation, Homomorphic Encryption, Elliptic Curve Cryptography, MAC.

I. INTRODUCTION

A wireless sensor network (WSN) consists of a large number of tiny sensor nodes deployed over a geographical area, also referred to as the sensing field. Each node is a low-power device that integrates computing, wireless communication and sensing abilities [1]. Nodes organize themselves in clusters and networks and cooperate to perform tasks. A WSN consists of motes equipped with task-specific sensors to measure the surrounding environment, e.g., temperature, movement, etc. A WSN can thus be viewed as an intelligent distributed measurement technology adequate for many different monitoring and control contexts. In recent years, the number of sensor network deployments for real-life applications, e.g., environmental monitoring, agriculture, production and delivery, military, structure monitoring and medical applications, has rapidly grown, with a trend expected to further increase in coming years [1, 2]. A key component in a WSN is the sensor mote, which contains (i) a simple microprocessor, (ii) application-specific sensors, and (iii) a wireless transceiver. One way to reduce the energy consumption is in-network information processing (or data aggregation), which reduces the data sent to the base station. Data aggregation is an important primitive that aims to process, combine and summarize data packets from several sensor nodes before forwarding these packets to upper nodes [3]. In-network processing is done at an aggregator node, or at an intermediate node in the case of a multi-hop network, which aggregates the data coming from its child nodes by performing an aggregation function such as min, max, average or sum, and sends the result to the upper-level node or sink.

The main objective of data aggregation is to increase the network lifetime by reducing the resource consumption of sensor nodes, such as battery energy and bandwidth. However, data aggregation protocols may degrade important quality of service metrics in wireless sensor networks, such as data accuracy, latency and fault-tolerance. Also, data aggregation adds more vulnerabilities. For example, a compromised sensor node can either illegally reveal the data it collects from other nodes or report arbitrary values as aggregated data. Therefore, an adversary can attack both the confidentiality and the integrity of the data in a large portion of the wireless sensor network by capturing several aggregator nodes that are near the base station. Designing an efficient data aggregation protocol is therefore a challenging task, because the protocol designer must trade off between energy efficiency, data accuracy, data latency, fault-tolerance and security.

978-0-7695-5022-0/13 $26.00 © 2013 IEEE DOI 10.1109/TrustCom.2013.252

In this paper we introduce a novel way to provide confidential and integrity-preserving aggregation in wireless sensor networks. The proposed approach uses the homomorphic encryption algorithm ECEG (Elliptic Curve ElGamal) to achieve data confidentiality while allowing in-network aggregation. We have used a homomorphic MAC algorithm based on MAC (Message Authentication Codes) to achieve integrity of the aggregate.

The rest of the paper is organized thus: Section 2 reports on the related work in the field. We describe the proposed approach in Section 3, followed by its security analysis and performance evaluation in Section 4 and Section 5. Finally, we summarize our work, conclude the paper and propose some future work in Section 6.

II. RELATED WORK

In many applications, the physical phenomenon is sensed by sensor nodes and then reported to the base station. To reduce the energy consumption of the sensor nodes, these applications may employ in-network aggregation before the data reaches the base station. Compromised nodes can thus perform malicious activities which affect the aggregation results. Before these malicious activities are discussed, the motivation behind secure data aggregation in WSNs is explained, followed by a summary of the existing attempts in the literature to provide security in the data aggregation activities. Intanagonwiwat, Govindan, Estrin, and Heidemann [3] proposed a data-centric diffusion method to aggregate data. Their method enables diffusion to achieve energy savings by selecting empirically good paths and by caching and processing data in-network. Though their method can achieve significant energy savings, security is not taken into consideration in their design.

Wagner [4] defines the term resilient aggregation to refer to function computations that use aggregation and are robust against arbitrary changes to a subset of the sensor measurements. The authors show that some functions, like min/max computations, are inherently insecure and that a secure protocol for their computation is not likely to be found in a constrained environment such as sensor networks. Hu and Evans [5] further examined the problem that a single compromised sensor mote can render the network useless, or worse, mislead the operator into trusting a false reading. They proposed an aggregation protocol that is resilient to both intruder devices and single device key compromises, but their scheme suffers from the problem that the aggregated data is expanded every time it is aggregated and forwarded by an intermediate sensor mote.

Castelluccia et al. [6] propose a variant of the one-time pad encryption scheme to provide privacy using inexpensive computations. Their scheme has very low bandwidth requirements but does not address integrity issues. Przydatek et al. [7] proposed a secure information aggregation protocol to answer queries over the data acquired by the sensors. In particular, their proposed protocols are designed especially for secure computation of the median and the average of the measurements, for the estimation of the network size and for finding the minimum and maximum sensor reading. Even though their scheme provided data authentication to provide secrecy, the data is still delivered in plaintext format, which provides no privacy during transmission.

Yang et al. [8] introduce a scheme based on a commit and attest paradigm. In the commit phase, nodes are divided in groups and each group provides the sink with the group aggregate, while nodes commit to their measurements. The sink uses the maximum normalized residual test to decide which groups provided suspicious results. During the attest phase, a subset of those nodes is required to provide their measurements. Because of the outlier detection technique, the protocol is suitable only for sensor networks where all groups sense similar values. Moreover, the commit and attest paradigm requires multiple messages to detect the presence of an attacker.

Cam et al. [9] proposed a secure energy-efficient data aggregation (ESPDA) to prevent redundant data transmission in data aggregation. Unlike conventional techniques, their scheme prevents the redundant transmission from sensor motes to the aggregator. Before transmitting sensed data, each sensor transmits a secure pattern to the aggregator. The secure pattern is generated by associating original data with a random number. Instead of transmitting "real" data, the sensor mote transmits the secure pattern to the cluster-head before transmitting it. The cluster-head then uses these secure patterns to check which sensors have the same readings. Then, the cluster-head notifies certain sensor motes to transmit their data. Only sensors with different data are allowed to transmit their data to the cluster-head. However, since each sensor needs to transmit a packet containing a pattern at least once, power cannot be significantly saved. In addition, each sensor mote uses a fixed encryption key to encrypt data; data privacy cannot be maintained in their scheme.

In [10], the authors describe the design and implementation of a running system for energy-efficient surveillance which allows a group of cooperating sensors to detect and track the positions of moving vehicles. That method can trade off energy-awareness and surveillance performance by adjusting the sensitivity of the system. In [11], the authors explore two methods to further reduce energy consumption in the context of network aggregation in sensor networks. Firstly, a group-aware network configuration method is designed, which groups the sensors into clusters. Secondly, a framework to use temporal coherency tolerances in conjunction with aggregation to save energy is proposed.

Perrig and Tygar [12] proposed several secure broadcast schemes suitable for wireless sensor networks. The computation overhead for their schemes is affordable for tiny sensor motes. They proposed a hashed key-chain scheme to sequentially generate encryption/decryption keys for sensor motes without notifying others. Ye et al. [13] propose a detection scheme called SEF: a statistical en-route filtering of injected false data, which allows both the base station and en-route nodes to detect false data with a certain probability. SEF takes advantage of the large scale and dense deployment of sensor networks to determine the truthfulness of each report through collective decision-making by multiple detecting nodes and collective false-report-detection by multiple forwarding nodes.

Sirivianos et al. [14] state the requirements for non-manipulable aggregator node election protocols. To this end, they design and compare three secure aggregator node election protocols, which randomly choose the aggregator node in a decentralized way. They use lightweight cryptography to guarantee that no party can manipulate the outcome of the election process.

III. PROPOSED DATA AGGREGATION METHOD

Due to cost constraints these sensors are not equipped with tamper-resistant hardware. In addition, there exists a powerful BS that communicates with the querier, which resides outside of the network. We also assume that data aggregation is in place. We assume that the sensor nodes are not mobile. Base stations are assumed to have sufficient power and memory to communicate securely with all the sensor nodes and external networks such as the Internet. A common technique for data aggregation is to build an aggregation tree, which is the directed tree formed by the union of all the paths from the sensor nodes to the base station. These paths may be arbitrarily chosen and are not necessarily shortest paths. The optimization of the aggregation tree structure is out of the scope of this paper. As shown in Figure 1, a tiered WSN consists of three kinds of nodes, i.e. sensor nodes, Cluster Head (Aggregator) and sink node. Sensors monitor interesting events and, due to their limited storage, periodically send raw readings to the storage nodes over an RF communication channel. The design objective of our scheme is to achieve accurate data aggregation with moderate extra communication overhead to preserve data privacy.

Figure 1. System Architecture

A. Homomorphic encryption

A homomorphic encryption scheme allows arithmetic operations on ciphertexts [15]. One example is a multiplicatively homomorphic scheme, where the decryption of the efficient manipulation of two ciphertexts yields the multiplication of the two corresponding plaintexts. Homomorphic encryption schemes are especially useful whenever some party not having the decryption key(s) needs to perform arithmetic operations on a set of ciphertexts. A more formal description of homomorphic encryption schemes is as follows. Let Enc() denote a probabilistic encryption scheme and let M and C be its plaintext and ciphertext spaces, respectively.

If M is a group under operation ⊕, we say that Enc() is a ⊕-homomorphic encryption scheme if, for any instance Enc() of the encryption scheme, given $c_1 = Enc_{k_1}(m_1)$ and $c_2 = Enc_{k_2}(m_2)$ for some $m_1, m_2 \in M$, there exists an efficient algorithm that can generate from $c_1$ and $c_2$ a valid ciphertext $c_3 \in C$ for some key $k_3$ such that:

$$c_3 = Enc_{k_3}(m_1 \oplus m_2) \tag{1}$$

In other words, decrypting $c_3$ with $k_3$ yields $m_1 \oplus m_2$. In this article, we mainly consider additive homomorphisms: ⊕ is the + operation. We do not require $k_1$, $k_2$, $k_3$ to be the same, although they need to be equal in most homomorphic encryption schemes. Since $k_3$ can be distinct from $k_1$ and $k_2$, some identifying information needs to be attached to the aggregated ciphertext to identify the keys required for decryption.

B. Elliptic Curve ElGamal

In contrast to the privacy homomorphisms (PHs) presented so far, the elliptic curve ElGamal (ECEG) based PH is an asymmetric cryptographic approach. The benefit of this PH is that the encryption key may be publicly known. As the name suggests, the ECEG PH is based on the well-investigated ECEG cryptographic algorithm.


ECEG Algorithm

Parameters: private key: integer $x$; public key: $(G, H)$, where $G$ and $H$ are points on the EC and $H = xG$
Encryption: $C = [c_1, c_2] = [kG,\ kH + mG]$, a tuple of EC points
Decryption: $mG = (kH + mG) - x(kG)$
Demap: $mG \rightarrow m$
Aggregation: scalar EC-point addition, $C_{12} = C_1 + C_2 = [(c_{11} + c_{21}),\ (c_{12} + c_{22})]$

ECEG introduces a serious issue: the message text must be mapped onto the EC. In [16] and [17] an approach has been proposed that multiplies the message text with the generator of the EC. It is also our preferred mapping algorithm, even though it causes some problems. The decryption leads again to the mapped point mG, but it is not trivial to compute m out of mG. Since it is the fundamental property of ECC that point multiplication is not efficiently invertible, the only solution is a brute-force computation that relies on a limited domain of the mapping. In most cases this approach is very reasonable. Note that without a valid key it is not even feasible to compute the point mG, so the security is not affected by the mapping and demapping.

C. Message Authentication Codes

Message Authentication Codes are cryptographic constructions that are designed to identify manipulation and falsification of electronic messages. Although there are MAC constructions defined over symmetric ciphers as modes of operation, the best-known MAC codes are constructed using one-way cryptographic hash functions, such as SHA1 [18] or MD5. Examples of the former are HMAC, NMAC and UMAC. One-way hash functions are also known as Modification Detection Codes, but are commonly called hash functions, providing a very efficient integrity verification method. A message authentication code uses a secret key $k$ known to the two entities that communicate a message $m$ of arbitrary length; the code gives an output value $MAC = H_k(m)$. The MAC value generated by the issuer protects the integrity and authenticity of a message, enabling the receiving entity to recalculate the MAC value with the secret key and so verify both that the message content has not changed and that it comes from the indicated sender. HMAC shall be used in combination with an approved cryptographic hash function and needs a secret key for the calculation and the verification of the MACs.

While designing it, the authors planned to achieve the following goals:
• Black-box approach: use available hash functions without modifications; enable easy replacement of the underlying hash function.
• Preserved performance: HMAC should essentially have the same performance as the underlying hash function; additional complexity should be nearly negligible.
• Simple key management: keys should be used and handled in a simple way.
• Provable security: it should be easy to prove the algorithm's security, assuming the security of the underlying hash function.

D. Approach

Many previous secure aggregation schemes in wireless sensor networks were devoted to data confidentiality, while few practical, efficient message authentication schemes accommodating valid data aggregation have been proposed. In fact, as in general security cases in other fields, message integrity might be one of the most important objectives in sensor networks, because invalid, undetected data alteration will cause very dangerous outcomes. For example, in a sensor network monitoring a battlefield and providing vital decision-support information, it would be devastating if enemies were able to manipulate the sensor network outputs and trick users into accepting misleading data. In fact, data aggregation reduces the difficulty for adversaries of faking reports, as the adversaries do not need to manipulate the readings of the majority of sensor nodes, which is difficult and impractical; instead, by compromising several nodes close to the base station, they can easily alter the aggregated results to whatever matches their interests. Therefore, the verifiable integrity of aggregated messages is an imperative security objective in sensor network data aggregation, and should be fulfilled by corresponding protocols [19]. As one of the principles for cryptographic primitives, schemes that merely provide data confidentiality cannot serve as message authentication mechanisms. The message integrity objective should be addressed by specific detection or authentication schemes. Based on new cryptographic homomorphic primitives [20, 21], we propose the homomorphic MAC scheme for data aggregation.

One of the ways of working on encrypted data is through the use of homomorphic encryption. An encryption algorithm is said to be homomorphic if it allows the following property to hold:

$$enc(a) \otimes enc(b) = enc(a \otimes b) \tag{2}$$

The two data items a and b are encrypted and the operation ⊗ is applied on the encrypted data. If the encryption scheme is homomorphic, then its result would be the same as when the operation ⊗ is performed on a and b first and the result is encrypted. Homomorphisms can be of two types, additive homomorphism and multiplicative homomorphism. The data collected is encrypted using the public key, and the MAC of the data is computed. A possible technique is suggested in [19], where the authors prove that MACs can be aggregated by means of bitwise XORing operations and that the result still enables authenticity verification.

Specifically, given $n$ MACs, $MAC_1, \ldots, MAC_n$, the aggregated MAC can be computed as:

$$MAC_{agg} = MAC_1 \otimes MAC_2 \otimes \cdots \otimes MAC_n \tag{3}$$

It is proven that an adversary, in order to forge $MAC_{agg}$, should be able to forge at least one $MAC_i$ (which is assumed to be infeasible). Unfortunately, while achieving the compression of multiple MAC tags into a single one, the aggregated MAC, $MAC_{agg}$, still needs all the original data on which all MACs were computed in order to be verified. To preserve data integrity during aggregation, the MAC of each node is combined using the XOR function, resulting in a single MAC that is verified by the base station. During the decryption of the aggregated data, the base station is able to classify the aggregated data based on the encryption keys and verify the MAC of the aggregated data, thereby achieving data integrity. This method is particularly useful when the base station needs to analyze the data in the network. For example, in a battlefield surveillance application, the base station may need to analyze data from a certain part of the battlefield. In this case, CDA-MAC is able to serve this specific information to the base station without violating the data confidentiality, integrity, or energy efficiency requirements of the application.

IV. SECURITY ANALYSIS

This section discusses how the CDA-MAC protocol meets these security requirements, considering separately the security level and the efficiency of the data integrity check. The proposed scheme focuses on protecting the encryption of sensed data, and the goal is to securely deliver the concealed aggregated data from nodes to the sink node. The CDA-MAC protocol aims at ensuring data confidentiality, authentication and integrity.

A. Data confidentiality

Data aggregation can be exploited by an adversary to violate the confidentiality of the aggregated data, for example by compromising a few nodes close to the BS. We discuss how to ensure data confidentiality, i.e. preventing data from being disclosed to storage nodes (aggregator and sink) or other sensors. For this purpose, all the readings are encrypted with a secret key that is shared by the sink node and the sensor. Since the data readings are time-sensitive, we also need to hide the time distribution of reported readings. In our scheme, we attach the encrypted data count in each epoch such that the data distribution is also protected.

B. Data authentication

We then discuss how to ensure data authentication and freshness. Since wireless sensor networks use a shared wireless medium, sensor nodes need authentication mechanisms to detect maliciously injected or spoofed packets. Source authentication enables a sensor node to ensure the identity of the peer node it is communicating with. Without source authentication, an adversary could masquerade as a node, thus gaining unauthorized access to resources and sensitive information and interfering with the operation of other nodes. Moreover, a compromised node may send data to its data aggregator under several fake identities so that the integrity of the aggregated data is corrupted.

The flow chart of the algorithm can be summarized as below:
• The sensor network is organized.
• Instead of each node sending data directly to the base station, the data is aggregated at certain nodes in the network, called aggregators. This helps in minimizing the number of transmissions in the network.
• The base station sends keysBS to the nodes.
• Each sensor encrypts the sensed data using the ECEG (EC-ElGamal) algorithm and calculates MACi with keysBS.
• The sensor then communicates the encrypted data and MACi to the aggregator (Cluster Head).
• The aggregator adds the encrypted data and XORs the MACBS values: MACagg = MAC1 ⊗ MAC2 ⊗ … ⊗ MACn
• The aggregator sends the encrypted data and MACagg to the base station.
• The aggregate encrypted data can be decrypted at the base station, and this data can be verified with keysBS.
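The flow above as a runnable sketch (an added example, not the authors' implementation). It assumes the secp256k1 curve, HMAC-SHA256 with per-node keys standing in for keysBS, and a MAC input of node id, epoch and reading; the paper fixes none of these.

```python
import hashlib
import hmac
import secrets

# Assumption: secp256k1 domain parameters (y^2 = x^3 + 7 over F_P); the paper names no curve.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Add two curve points; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def eceg_encrypt(H, m):
    """Sensor side: C = [kG, kH + mG] with a fresh random k."""
    k = secrets.randbelow(N - 1) + 1
    return (ec_mul(k, G), ec_add(ec_mul(k, H), ec_mul(m, G)))


def eceg_aggregate(ciphertexts):
    """Aggregator side: component-wise point addition, no decryption key needed."""
    c1 = c2 = None
    for a, b in ciphertexts:
        c1, c2 = ec_add(c1, a), ec_add(c2, b)
    return (c1, c2)


def eceg_decrypt(x, ct, max_sum):
    """Base station: mG = c2 - x*c1, then brute-force demap over 0..max_sum."""
    xc1 = ec_mul(x, ct[0])
    neg = None if xc1 is None else (xc1[0], -xc1[1] % P)
    mG = ec_add(ct[1], neg)
    acc = None  # 0*G
    for m in range(max_sum + 1):
        if acc == mG:
            return m
        acc = ec_add(acc, G)
    raise ValueError("aggregate lies outside the demapping domain")


def node_mac(key, node_id, epoch, reading):
    """MAC_i; binding node id and epoch to the reading is an assumption of this sketch."""
    msg = f"{node_id}|{epoch}|{reading}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor_tags(tags):
    """MAC_agg = MAC_1 xor MAC_2 xor ... xor MAC_n."""
    agg = bytes(32)
    for tag in tags:
        agg = bytes(a ^ b for a, b in zip(agg, tag))
    return agg


def bs_verify(keys, claimed, epoch, mac_agg):
    """Base station recomputes every MAC_i from the per-node data and compares the XOR."""
    expected = xor_tags(node_mac(keys[i], i, epoch, r) for i, r in claimed.items())
    return hmac.compare_digest(expected, mac_agg)


def run_epoch(readings, epoch=1, max_sum=1000):
    """One round: sensors -> aggregator -> base station. Returns (sum, verified, state)."""
    x = secrets.randbelow(N - 1) + 1           # base-station private key
    H = ec_mul(x, G)                           # public key distributed to sensors
    keys = {i: secrets.token_bytes(16) for i in readings}   # stands in for keysBS
    packets = {i: (eceg_encrypt(H, r), node_mac(keys[i], i, epoch, r))
               for i, r in readings.items()}
    ct_agg = eceg_aggregate(ct for ct, _ in packets.values())
    mac_agg = xor_tags(tag for _, tag in packets.values())
    total = eceg_decrypt(x, ct_agg, max_sum)
    ok = bs_verify(keys, readings, epoch, mac_agg)
    return total, ok, (x, keys, packets, mac_agg)


if __name__ == "__main__":
    # Constructed sample readings (node id -> value), not data from the paper.
    total, ok, _ = run_epoch({1: 21, 2: 19, 3: 23})
    print(total, ok)
```

As the text notes, verifying MACagg requires the data behind every MACi, so `bs_verify` takes the per-node readings rather than only the decrypted sum.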

C. Data integrity

Data integrity guarantees that a message being transferred is never corrupted. A malicious node may just corrupt messages to prevent the network from functioning properly. In fact, due to unreliable communication channels, data may be altered even without the presence of an intruder. Data integrity ensures that the transmitted data has not been tampered with, either by a malicious node or by accident during transmission. It means that the data are received as sent, with no duplication, insertion, modification or reordering. Confidentiality itself is not enough, since an adversary is still able to change the data although it knows nothing about it. Suppose a secure data aggregation protocol provides only data confidentiality in order to defeat an adversary that is capable of compromising sensor nodes near aggregator points. The adversary can alter the sensed information to affect the overall aggregation results. Moreover, even without the existence of an adversary, data might be damaged or lost due to the nature of the wireless environment. Data integrity mechanisms that are compatible with general message aggregation are important in sensor networks.

Figure 3 illustrates the energy consumed by the protocol while increasing the size of the network up to 250 sensors. We remark that the energy consumption depends on the verification mechanism used. For example, in CDA-MAC the broadcast used by the sink node to reveal the keys used in MAC computation and verification to the entire network consumes an important amount of energy. Our protocol requires contributing sensors to generate the encryption key and the HMACs. Aggregating sensors are further required to generate the encryption key ki in case of contributors' failures. Peer monitoring sensors carry out the same set of computations performed by the aggregator. However, note that computing an HMAC can be considered a lightweight operation.

The CDA-MAC protocol aims at ensuring data confidentiality, authentication and integrity even if an adversary can compromise sensors and storage agents (clusters and sink). MACBS is used in order to maintain the integrity of the data packet. The sink can detect any changes performed by the aggregator, including to the verification information, by checking the MAC value using its shared key. If the data packet is found to be modified, then it will be discarded. In CDA-MAC, the base station, upon receiving the aggregation result from an aggregator, needs to verify whether the received aggregation result is accurate and came from a genuine leader node. Integrity and authenticity are ensured by calculating a MAC for both data. We found that the algorithm provides all the desirable security goals. In this part, the proposed protocol is compared with other methods based on security features. Table 1 displays the comparison of security features. Therefore, these methods cannot guarantee data confidentiality and data authentication. In other words, an attacker can easily obtain the contents of messages by overhearing transmitted packets.

Table 1. Comparisons of security features

Data Confidentiality

Data Authentication

+

+ -

+ -

+

-

+

Figure 3. Total Energy consumption

Chan [25]

-

-

+

Proposed scheme

+

+

+

Based on the analysis above, our scheme is more suitable for applications that have relatively loose requirements for privacy preservation but place more emphasis on energy efficiency and accuracy level.

Roy[24] Castelluccia [6] Cam [9]

Data Integrity

V. PERFORMANCE EVALUATION

This section presents a comparative performance and energy consumption analysis of this approach. Using the PowerTossim extension, the average consumed energy is studied when varying the number of sensors in the network and the number of data packets sent by leaf nodes. The implementation was done on the MicaZ mote [15], which is a typical device for WSNs that is equipped with an 8-bit processor. The operating system employed in the implementation was TinyOS [16], an open-source operating system designed for wireless embedded sensor networks.

A. Energy Efficiency

In this work three levels (sensor, Cluster Head (aggregator) and base station levels) are considered. The network size n varies from 10 nodes to 250 nodes.

B. Operation Time

To evaluate the performance of the proposed scheme, execution time is the main measurement of performance evaluation. Without loss of generality, we define processing delay and aggregation delay for deployed sensors. Processing delay indicates the execution time for sensors to produce ciphertexts and corresponding signatures before transmission. Aggregation delay is also evaluated by measuring time spent on aggregating ciphertexts and signatures in the proposed schemes. The last delay, decryption delay, is not considered since the base station is considerably powerful as a workstation. Therefore, this delay is negligible and can be ignored. The execution time is shown in Figure 4. Moreover, CDA-MAC needs additional time to reveal all required keys to the whole network. This time increases when the number of nodes increases, since it will require sending more keys. Similarly, in CDA-MAC leaf nodes wait for the reception of the proof value calculated at the sink before committing the validation of the aggregation value. The verification process must be delayed until the reception of all data by the sink node.

Table 2. Performance and Cost Evaluation of the Proposed Scheme

| Number of nodes | 50 | 100 | 150 | 200 | 250 |
|---|---|---|---|---|---|
| Aggregation Time (s) | 0.71 | 1.19 | 1.87 | 2.54 | 3.21 |
| Aggregation Energy (µJ) | 534.2 | 1027.1 | 1663.8 | 2193.3 | 2775.4 |
| Comm. Cost (mJ), Send | 8.640 | 17.280 | 25.920 | 34.560 | 43.200 |
| Comm. Cost (mJ), receive | 9.648 | 19.296 | 28.944 | 38.592 | 48.240 |

Figure 4. Total time Operation

It is clear that using aggregators significantly reduces the computation overhead at aggregator nodes, and hence the network lifetime is improved.

C. Communication Energy

To evaluate the performance of the proposed schemes, we consider two aspects: execution time and energy cost at three levels (nodes, aggregator and sink). Execution time involves processing time (computation aspects) and aggregation time. Energy cost includes computation and aggregation energy. Given that the sink has higher energy than ordinary nodes, we do not consider sink energy consumption for energy cost evaluation. Energy cost evaluation is based on the energy model indicated in [22]. For communication, we choose Mykletun et al.'s result [23]. They found that a MICAz node consumes on average 0.6 mJ to send per bit and 0.67 mJ to receive per bit. Generally, communication time depends on network architecture and aggregator position relative to nodes. Processing time indicates the execution time for sensors to produce ciphertexts and corresponding signatures before transmission. Aggregation delay is also evaluated by measuring the time spent on aggregating ciphertexts, public keys and signatures in the proposed schemes. The last delay, decryption delay, is not considered since the base station is considerably powerful as a workstation. Therefore, this delay is negligible and can be ignored. Table 2 represents the time and energy cost evaluation of the proposed schemes.

We know that the energy dissipation of communication plays an important role in the total energy consumption. Data transmitting and receiving is the major portion of power consumption for sensor nodes. So reducing the communication cost is an efficient way to save energy.

VI. CONCLUSION

Reducing energy consumption is a compulsory objective in the design of any communication protocol for Wireless Sensor Networks. Indeed, in this kind of network, sensors are supplied with limited-energy batteries, and it is not feasible to replace them after their failure. It is well known that more than 70% of energy is consumed in transmissions in WSN. Therefore, most of this energy can be saved through data aggregation, given that most of the sensed information is redundant due to geographically collocated sensors. However, a second compulsory design objective of any communication protocol for WSN is security. Unfortunately, while aggregation eliminates redundancy (and hence saves energy), it makes data integrity verification more complicated since the received data is unique. A novel approach that uses homomorphic encryption and Message Authentication Codes (MAC) to achieve confidentiality, authentication and integrity for secure data aggregation in wireless sensor networks is proposed. The performance evaluation shows that the proposed scheme is feasible for large heterogeneous wireless sensor networks. The future research directions are to propose concealed data aggregation schemes for homogeneous/heterogeneous WSNs and to optimize the implementation of the operation.

REFERENCES

[1] M. C. Vuran, I. F. Akyildiz, Wireless Sensor Networks. Wiley, 2010.
[2] A. Mainwaring, D. Culler, J. Polastre, R. Szewczyk, and J. Anderson, "Wireless sensor networks for habitat monitoring," Proc. ACM international workshop on Wireless sensor networks and applications, pp. 88–97, 2002.
[3] Intanagonwiwat, C., Govindan, R., Estrin, D., & Heidemann, J. Directed diffusion for wireless sensor networking. In IEEE/ACM transactions on networking (pp. 2–16), 2003.
[4] D. Wagner, Resilient aggregation in sensor networks, ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN'04), 2004.
[5] Hu, L., & Evans, D. Secure aggregation for wireless networks. In proceedings of applications and internet workshops (pp. 27–31). 2003.
[6] C. Castelluccia, E. Mykletun and G. Tsudik, Efficient aggregation of encrypted data in wireless sensor networks, 2nd Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous'05), 2005.
[7] Przydatek, B., Song, D., & Perrig, A. SIA: Secure information aggregation in sensor networks. In proceedings of ACM SenSys conference (pp. 255–265). 2003.
[8] Y. Yang, X. Wang, S. Zhu and G. Cao, SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks, 6th ACM International Symposium on Mobile Ad Hoc Networking and Computing (MOBIHOC'06), 2006.
[9] Cam, H., Ozdemir, S., Nair, P., Muthuavinashinappan, D., & Ozgur Sanli, H. ESPDA: Energy-efficient secure pattern based data aggregation for wireless sensor networks. Computer Communication, 29, (2006). 446–455.
[10] T. He, S. Krishnamurthy, J. Stankovic, T. Abdelzaher, L. Luo, R. Stoleru, T. Yan, L. Gu, J. Hui, B. Krogh, Energy-efficient surveillance system using wireless sensor networks, in: Proceedings of the 2nd International Conference on Mobile Systems, Applications, and Services, ACM, 2004, pp. 270–283.
[11] M. Sharaf, J. Beaver, A. Labrinidis, P. Chrysanthis, Balancing energy efficiency and quality of aggregate data in sensor networks, VLDB J. 13 (4) (2004) 384–403.
[12] Perrig, A., & Tygar, J. D. Secure broadcast communication in wired and wireless networks. Dordrecht: Kluwer Academic Publisher. 2002.
[13] F. Ye, H. Luo, S. Lu, L. Zhang, Statistical en-route detection and filtering of injected false data in sensor networks, in: Proceeding of IEEE INFOCOM, 2004.
[14] M. Sirivianos, D. Westhoff, F. Armknecht, J. Girao, Non-manipulable Aggregator Node Election Protocols for Wireless Sensor Networks, Proceedings of the International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WiOpt'07), 2007.
[15] J. Domingo-Ferrer, "A Provably Secure Additive and Multiplicative Privacy Homomorphism", in Proc. Information Security Conf., pp. 471-483, Oct. 2002.
[16] Malan D. J., Welsh, M., Smith, M. D.: A Public-Key Infrastructure for Key Distribution in TinyOS Based on Elliptic Curve Cryptography. First IEEE International Conference on Sensor and Ad Hoc Communications and Networks, 2004.
[17] J. Girao, D. Westhoff, E. Mykletun, and T. Araki, "Tinypeds: Tiny persistent encrypted data storage in asynchronous wireless sensor networks," Ad Hoc Networks, vol. 5, no. 7, pp. 1073–1089, September 2007.
[18] Bellare, M., T, J. K., and Rogaway, P. The Security of the Cipher Block Chaining Message Authentication Code, 2001.
[19] J. Katz and Y. Lindell, "Aggregate Message Authentication Codes", In CT-RSA, Springer-Verlag (LNCS 4964), 2008.
[20] S. Ozdemir, "Concealed Data Aggregation in Heterogeneous Sensor Networks using Privacy Homomorphism", Proc. of ICPS'07: IEEE International Conference on Pervasive Services, pp. 165-168, Istanbul, Turkey, 2007.
[21] V. Bhoopathy, R. M. S. Parvathi, "Energy Efficient Secure Data Aggregation Protocol for Wireless Sensor Networks", European Journal of Scientific Research, 2011.
[22] D. Westhoff, J. Girao, M. Acharya, "Concealed Data Aggregation for Reverse Multicast Traffic in Sensor Networks: Encryption, Key Distribution and Routing Adaptation", IEEE Transactions on Mobile Computing, Vol. 5, No. 10, pp. 1417-1431, October 2006.
[23] E. Mykletun, J. Girao, and D. Westhoff, "Public Key Based Cryptoschemes for Data Concealment in Wireless Sensor Networks," IEEE International Conference on Communications ICC, 2006.
[24] Roy, S. Setia and S. Jajodia, Attack-resilient hierarchical data aggregation in sensor networks, Proc. of the 4th ACM workshop on Security of Ad Hoc and Sensor Networks, pp. 71-82, 2006.
[25] H. Chan, A. Perrig and D. Song, Secure hierarchical in-network aggregation in sensor networks, Proc. of the 13th ACM Conference on Computer and Communications Security, pp. 278-287, 2006.
