SecureDataAggregationinWirelessSensor Networks
Wirelesssensornetworks(WSNs)usuallyconsistsofalargenumberofsensors whichhavelimitedcapabilityintermsofcommunication,computationandmemory[1, 2].Thesesensorsaredeployedinaremoteandunsurveillantfieldandthey autonomouslyformbeforetheyengageinapredefinedsensingtask.WSNsrenderspossiblesolutionstomanyproblemsinbothcivilianandmilitaryapplications, includingtemperaturemonitoring,wildfiredetection,animaltracking,andbattlefield surveillance.Therefore,itischallengingtocomeupwithefficientwaystocollect desireddata,giventhesensorsonlyhavesimplehardwareandsoftwareresources.For instance,mostofthesensorsonlyhaveashortlifetimeduetothenon-rechargeable batterywhichisabottleneckfordesigningWSNsprotocols.
Therefore,inordertoreducethecommunicationcostintransmittingdata,data aggregation[2, 3]techniqueisadoptedtoachievethisgoal.Dataaggregationaims tocombinedatafromdifferentdatacollectorssothatthetotalamountofdatatransmissioniscurtailed.AnexampleofdataaggregationschemeinWSNsispresented inFig. 2.1.Asdepictedinthefigure,twogroupsofsensorsarestructuredinthefrom ofclusterandtreebeforetheystartgleaningenvironmentalinformation(e.g.,the arrivaloftanks,locomotionofbattleship)intheirtargetedregions.Whenthebase stationqueriesthesensornetwork,eachsensorwillsenditsdataalongamulti-hop pathcontainingacertainnumberofaggregatesensors(e.g.,computethesum,average)andrelaysensorswhichleadtothebasestation,insteadofuploadingdatatoit directly.Fromtheexample,dataaggregationreducestheoveralldatatransmissions, thereforeimprovingthebandwidthandservicelifeofthenetwork.
Dataaggregationperformedbytherelaynodeswillbringaboutmorebenefits withtheincreaseofnetworkscale.However,whiledataaggregationhavetheadvantageofimprovingnetworkbandwidthandenergyutilization,itwillinturnaffect othermetricsofthenetwork,suchasdelayandsecurity[3, 4].First,dataaggregation needsdatafromeverysensortoobtaintheaccuratefinalaggregationresult.Ifoneor moredataisnotavailable,thenthebasestationhastowaitforthemissingdatatobe uploadedwhichincursnetworkdelay.Second,sincesecurityisamajorconcernfor themostofWSNsapplications,itisnotpossibleforresearchersandpractitioners
©TheAuthor(s)2017
L.Zhuetal., SecureandPrivacy-PreservingDataCommunication inInternetofThings,SpringerBriefsinSignalProcessing, DOI10.1007/978-981-10-3235-6_2
totradesecurityfordataaggregation.Moreover,thereisanaturalconflictbetween securityanddataaggregation.Ononehand,securityschemesrequirethesensorsto encryptthesenseddatabeforetransmissionandthenbasestationdecryptthereceived messagetoobtainplaindata[5].Ontheother,dataaggregationschemesworkefficientlywithplaindatatoperformaggregationonaggregatesensors.Becauseofthese conflictivegoalsindesigningWSNsprotocols,securityanddataaggregationmust bedesignedinacollaborativewaysuchthatdataaggregationcanbeimplemented withoutcompromisingsecurity.
Theimportanceofachievingsecurityanddataaggregationsimultaneouslyhave ledmanyresearcherstofocusonsecuredataaggregationproblem.Inthischapter,we aimtoprovideanextensiveoverviewofsecuredataaggregationschemesinWSNs. Specifically,wewillintroducethenetworkmodelwithmaindesigngoalsandcover severaleminentworkinthisarea.Securedataaggregationproblemhasbeenstudied overthepasttenyearsandstillhasapotentialtoofferinterestingresearchdirections oropportunitieswhichcanbeadoptedinotherresearchareas,suchasparticipatory sensing[6],crowdsourcing[7]andmobilecrowdsensing[8].Meanwhile,wealso aimtogiveastartingpointforresearchersinterestedinsecuredataaggregationby introducingthepertinentworkandfutureresearchdirections.
Theremainderofthischapterisorganizedasfollows:inSect. 2.1,wepresent theproblems,modelsandgoals.Then,weintroducethecryptographicandnoncryptographicsecuredataaggregationschemesinSects. 2.2 and 2.3,respectively. Last,wedrawoursummary.
Fig.2.1 Networkmodel
2.1Problems,ModelsandGoals
Beforedataaggregation,sensornodesareclassifiedaccordingtotheirrolesinthe networkandthenthenetworkstructureisestablished.Duringdataaggregation, sensornodeswillperceivetheenvironmentandtransmitdatathoughapathtothe basestation.Inthissection,wewillbrieflyintroducetheproblems,networkmodel, securitymodelandsecuritygoalsinwirelesssensornetworks.
Problems WSNshaveuniquecharacteristicsandconstraintswhichmaketheformerschemesdesignedfortraditionalnetworksinfeasible.Therefore,understanding theuniquecharacteristicsandconstraintsofWSNsisveryhelpfultodesignpracticableschemesinWSNs.Theseproblemscomefromtwoaspects:sensorsandnetwork.
Fromtheviewpointofsensors,differentnetworksareformedfromofdifferent entities.SensorsconsistthemajorityofWSNs.However,asensor’scapacityis limitedintermsofmemory,energyandCPU.
Asensorisasmalldevicewithasmallamountofmemoryforcodeandparameters. Toillustrate,thecommonsensorMICA2has4KRAM,128Kprogrammemoryand 512Kflashstorage[9].Giventhisconstraint,thecodesizeofaproposedscheme mustbeassmallaspossible.
TheenergyisthebiggestprobleminWSNs.Oncethesensorsaredeployedinthe filed,itisassumedthattheirbatterieswillnotbereplaced.Therefore,theoperations requiredforsensorsmustbelight-weight.
TheCPUinMICA2isthe16b,8MHzmicrocontroller[9].Generally,theCPUs insensorsarenotthatpowerfulandcomplexoperationsshouldbeavoided.Since sensorscommunicatewitheachotherwirelessly,theirradiocoverageareaisalso limited.ForMICA2,itis152meters.Therefore,multi-hoproutingisneededfor sensorstosendreportstobasestationwhichwillfurtherincurgreattransmission latencyanddifficultsynchronizationamongsensors.
Fromtheviewpointofnetwork,whensensorsaredeployedinthefield,they alwaysformanetworkautonomously.Severalproblemsalsoarise.
First,thesensorsareinaremoteorevenhostileenvironment,likebattlefield,and theymaybeleftunattendedforalongtime.Therefore,sensorsarevulnerableto physicalattacksfromadversariesornaturalactivities.Second,thetopologyofthe environmentmaynotbecleartoownerofthesensorsandsomesensorsmaybeout ofthenetworkunexpectedlyduetoabadlocationfromparadrop,drainedenergy,or beingdamagedbyanimals.
Models Herewewillintroducenodeclassification,networkstructure,anddifferentattacksonwirelesssensornetworks.
NodeClassification.Typically,therearefourtypesofsensornodesinwireless sensornetworkswhichare:(i)sensingnodes,(ii)aggregatenodes,(iii)relaynode, and(iv)querier(e.g.,basestation).
ThesensingnodesarethemajorityofwhichcomposetheWSNsandtheyusually containssensingunit,processingunit,powerunitandtransceiverunit[10].Whena sensingtaskisinitiated,sensingnodessensedatafromenvironmentandpreprocessit
beforesendingtothenexthopinthenetwork.Thepreprocessingincludesmapping, encryption,signature,etc.
Theaggregatenodesaretheintermediatenodescollectingpreprocesseddatafrom downstreamsensornodes,andapplyacertainaggregationfunctionontothosedata. TheaggregationfunctionincludesMax,Min,Sum,Average,etc.Thentheysendthe processeddatatothenexthopalongthetransmissionpathuntilquerierreceivesit.
Therelaynodesaresimplyrelaythedatatheyreceivetothenexthopalongthe transmissionpath.
Atlast,thequerierreceivesallthesemi-processeddatafromaggregate/relaynode (s)andperformaggregationfunctionorotherpertinentfunctionsonittoderiveusefulinformationindicatingtheoccurrenceofsomeeventswhichthebasestationis expectingtodetect.Thesefunctionsincludemapping,decryption,signatureverifying,etc.
NetworkStructure.Sincethesesensorsaredeployedinaremoteandhostile environment,theyhavetoformanetworkwithastaticstructureinordertohelp intranetcommunicationanddatatransmission.Inordertocompletedatatransmission fromsensingnodestobasestation,thenetworkstructureneedstobedetermined. Generally,thenetworkstructureisalwaysdividedintotwocategories:cluster[11–17]andtree[18–27].
Aclusterisconsistedofclustermembersandoneclusterhead.Clustermembers arethenormalsensingnodes,andclusterheadiselectedtobetheclustermanager whichisresponsibleforlocaldataaggregation.Theroleofclusterheadcanbeeither determinedbeforetheyaredeployedinthefieldoradaptivelyselectedaccordingto thenetworkstructure.Presumably,clusterheadisconsideredtohavestrongercommunicationandcomputationcapabilitythanclustermembers.AsshowninFig. 2.1, acluster-structurednetworkisontheleftcircledbyanimaginarylineandthecenter sensornodeinsideistheclusterheadwhiletherestofsensornodesarethecluster members.
Atreeisconsistedofleafnodes,intermediatenodesandonerootnode.Leaf nodesarethenormalsensingnodes,andeachofthemsendsdatatotheirownparent nodewhichistheintermediatenode.Dataaggregationhappensatintermediatenodes, performingtheaggregationfunctionondatacollectedfromallchildnodesandsends thesemi-aggregatedresultupwards.Inaddition,theintermediatenodescanjust relaywhattheyreceivecanperformnoaggregationfunctions.Rootnodecontrols thesubtreerootedatitselfandawaitsfordownstreamdata.AsshowninFig. 2.1,a tree-structurednetworkisontherightcircledbyanimaginarylineandthesensor nodeonthetopistherootnodeofthetreewhiletherestofsensornodesarethe intermediatenodesandleafnodes.
Clusterheadscansenddatatothequerierdirectlybylongrangeradiotransmission.However,thisisquiteinefficientforsensornodeswithlimitedenergy.In practice,clusterheadsfromdifferentclustersusuallyformatreewithrelaynodesto transmittheirdatabymulti-hoppingthrougheachother,resultinginbetterenergy efficiency.Bothclusterstructureandtreestructurecanenablebetterresourceallocationandhelpimproveenergycontrol.Theconstruction[12, 21]ofaclusteroratree isalsoanimportantphasepriortodatacollectinganddataaggregation,however,
thischaptermainlyintroducessecuredataaggregation,andtheconstructionphase willnotbeparaphrased.
AttacksonWSNs WSNsarevulnerabletovarioustypesofattacks.Thedamage causedbythemvariesaccordingtotheadversarymodelandnetworkstructure. Generally,theyaresixtypicalattacks.Basically,theadversary’spurposeistocover histrack,interferewithdataaggregationprocessandultimatelymisleadthebase stationtoacceptfalseaggregationresult.
NodeCompromiseAttack.Oneoftheseverestattacksisnodecompromise attack[28],wheretheadversaryisinfullcontrolofasensornode(sensingnode, aggregatenode,orrelaynode),andcanextractandaccessalltheinformationstored onit,especiallythecryptographickeys.Thisattackcanbeveryharmfulnomatter whatsensornodetheadversarymaycorruptandhecanreplaytheoldmessages, selectivelyforwardmessageswithoutbeingnoticed.
SelectiveForwardingAttack.Afterasensingnodeorintermediatenodeiscompromised,itisuptotheadversarywhichcontrolsthemtodecidewhetherornot forwardsthesenseddataorreceivedmessages.Oncetheadversarysucceededin stoppingsensornodesfromsendingmessages,hecanpreventthebasestationfrom recordingorrespondingtothetargetedevent.Forexample,anadversarycouldstopa capturedsensingnodefromsendingamessageindicatingthemovementofanenemy tank.
ReplayAttack.Replayattack[28]istheeasiestattacktobelaunchedbyan adversarybecausehedoesnothavetocompromiseanysensornodeoranalyzethe networktraffic.Hecanrecordssometransmitteddataandreplaythemlateronto misleadtheaggregatenodeorbasestationthatthismessageissentfromsomesensor node.Forexample,anadversarycouldcontinuouslysendapre-capturedreportthat indicatesasignificantriseintemperaturetotriggerafalsealarmofforrestfire.
StealthyAttack.Theadversarylaunchesstealthyattack[28, 29]byinjecting falsedataintothenetwork,whichwillleadtoafalsefinalaggregationresult.For example,anadversarycouldinjectfalsetrajectorydataofillegalcargoshiptoavoid beingdetected.Stealthyattackcanalsobelaunchedbyanadversarycompromising asensingnodefirst.
SpoofedDataAttack.Anadversarycanalsointerceptthetransmitteddataand resendittothenetworkafteranalternationonit.Tosuccessfullylaunchaspoofed dataattack,theadversaryhastoensurethatthemodifieddatawillbeacceptedas validbyaggregatenodeandbasestation.Forexample,anadversarycouldchange theincreasingtemperaturereadingcausedbyaforrestfiretoanormalvalueandlet therampantfirespread.Spoofeddataattackcanalsobelaunchedbyanadversary compromisingasensingnodefirst.
SybilAttack.Thisattack[28, 30]iswheretheadversarycanpresentmorethan onesensornodeandwieldmuchpowerinthenetwork.Forexample,anadversary cangeneratemultiplesensornodestovalidateacounterfeiteventinanwitnessbasedaggregationscheme[31]andthefinalaggregationresultwillbeaffectedifthe majorityofsensorreadingsaregeneratedbyoneadversarylaunchingSybilattack.
Fig.2.2 InteractionbetweenWSNssecurityrequirementsanddataaggregation[4]
Denial-of-ServiceAttack.It[32, 33]isastandardattackwhichcanbelaunched atanylayerofWSNsbytransmittingradiosignalsofhighfrequencythatinterfere withthenetworkradiofrequenciesandcausenetworkparalysis.DoSattackscan leadtoexcessivecommunicationorcomputationandexhaustthebatteryofsensor nodeswhichcandisablethenetworkpermanently.Forexample,sincetheavailability ofaggregatenodeismuchmoreimportantthantheothersensornodes,adversaries launchingDoSattackscanpreventaggregatenodesfromsendingdataintothehigher levels.
Goals Securedataaggregationschemesinwirelesssensornetworksoughttosatisfythesecurityrequirements.Duetotheremoteandhostileenvironmentandunique characteristicsofWSNs,itischallengingtoprotectsensitiveinformationtransmitted bysensornodes[1].Inthissubsection,wepresenttheprimarysecurityrequirements thatarediscussedinWSNsandexplainhowtheserequirementsinterweavewith dataaggregation.Thesesecurityrequirementsaredataconfidentiality,dataintegrity, sourceauthentication,datafreshness,networkavailability[4].Figure 2.2 showsthe interactionbetweenWSNssecurityrequirementsanddataaggregation.
DataConfidentiality.InWSNs,dataconfidentialityisthemostimportantsecurity issueanditensuresthatthecontentofsenseddataisnotleakedtoothersensor nodesoradversaries.Theothersensornodesincludeneighbouringnodes,aggregate nodes,andrelaynodes.Theadversariesincludeinternaladversariesandexternal adversarieswhichpossessdifferentcapabilities.
Dataconfidentialitymeanstheprotectionofsensitiveinformationincludingsecret keystransferredinthenetworkanditisimperativetoconstructsecurechannels amidsensornodes.Intuitively,thestandardwaytokeepsensitivedatasecretisto encryptdatausingasymmetrickeyorthereceiver’spublickey.Theformalapproach onerequiresthatthesymmetrickeyshouldbeestablishedbetweenthesenderand
receiver.However,dataaggregationfunctionscannotbeperformedonencrypted datadirectly.Therefore,theaggregatenodemustdecrypttheciphertextfirstand thenaggregatesalltheplaintexts.Thenitencryptstheaggregateddataandtransmits ittobasestation.Thedecryption/encryptionofsenseddataofaggregatenodesincurs extracomputation,leadingtonotonlynetworkdelayandenergyconsumption,but alsopreventionofdataconfidentialityfromsensingnodetobasestation.
Homomorphicencryption[34]canachievethedirectaggregationonciphertext withoutthedecryption/encryption,maintainingend-to-enddataconfidentiality.
DataIntegrity.Althoughdataconfidentialityensuresthatonlyauthorizedreceivers obtaintheplaintextdata,itdoesnotguaranteethatthefinalresultisnotaltered.Even ifdataconfidentialityisprovided,acompromisedsensornodecanstillcorruptthe aggregationandpreventthenetworkfromproperfunctionbychangingonebit. Moreover,datacanstillbealteredbecauseofthenatureofwirelesscommunication channel,evenwithouttheinterferenceofadversaries.
Dataintegrityensuresthatamessageintransitisnotaltered.Insomeapplications, dataintegrityweighsmorethandataconfidentialityanditissometimesacceptable foradversariestolearnabouttheintermediateaggregationresultorfinalaggregation result,butnottochangeanyofit.Twocommonmethodsofprovidingdataintegrity aremessageauthenticationcodes(MAC)andcycliccodes.
DataFreshness.Providingdataconfidentialityanddataintegrityisnotenoughfor securedataaggregation.Acompromisedsensornodeisabletolistentotransmitted messagesandreplaytheminsubsequentsensingtasktodisruptthedataaggregation result.Datafreshnessprotectsdataaggregationagainstreplayattacksbyensuring thatthetransmitteddataisnewandrecent.Insomeapplications,datafreshnessis akeyrequirement.Forinstance,anadversarycanreplayanormalsenseddatawith itspertinentinformationwhenatargetedeventhappensormisleadanormalsensing nodebyreplayinganolddistributedkeywithoutapropertimestamp.
SourceAuthentication.SinceWSNsuseasharedwirelesscommunication medium,sensornodesneedauthenticationmechanismstodetectillegalmessages. Sourceauthenticationallowsasensornodetoverifywhetherornotareceivedmessageissentbyalegalandclaimedsender.Withoutsourceauthentication,anadversary isabletoinjectarbitrarydataintothenetwork.Moreover,hecanimpersonatean aggregatenodecanreportfalseaggregationresult.
NetworkAvailability.Networkavailabilityisthenetworkusability.First,secure dataaggregationschemesmustbedesignedwithnetworkavailabilitytoprevent excessivecommunicationorcomputationwhichexhaustsasensornode’senergy. Second,networkavailabilitycanguaranteethesurvivabilityandcontinuumofnetworkservicesagainstDenial-of-Service(DoS)attacks[32, 33].
Networkavailabilityisthefoundationofenhancingothersecurityaspectsin WSNs.Theconsequencecanbecatastrophicwithoutnetworkavailability.Forexample,iftheavailabilitylossofsensornodesincriticbattlefieldcouldleadtoanenemy invasion.Therefore,itisrecommendedthatthenetworkresponsetotheexistenceof bassensornodesandexcludethemassoonaspossible.
2.2Cryptographic-BasedDataAggregationSchemes
Inthissection,wepresentthecryptographicsecuredataaggregationschemes[29, 35–45].Theseschemesarebasedonclassiccryptographyprimitives.Thoughtheir securitygoalsvaryfromeachother.
SecureInformationAggregation(SIA)[29]isaschemewheretheauthorsconstructrandomsamplingmechanismsandinteractiveproofsforthebasestationto verifythefinalaggregationresultisagoodapproximationofthetruevalue,even thoughtheaggregatenodeandacertainnumberofsensingnodesarecompromised. Theirsecuritygoalistopreventstealthyattacksandguaranteethatifthebasestation acceptsafinalaggregationresult,thenthisresultis‘close’tothetrueaggregation valuewithhighprobability.ThispaperisthefirstpaperonsecureinformationaggregationinWSNsthatcanhandleamaliciousaggregatenodeandsensingnodes.
Specifically,eachsensornodewithauniqueidentifiersharesaseparatesecret keywiththebasestationandwiththeaggregatenode.Thekeysareusedtoenable encryptionandsourceauthentication.Then,theyproposedanewapproachcalled aggregate-commit-proveanditconsistsofthreeparts:computationoftheresult, committothecollecteddataandreporttheaggregationresult,andprovethecorrectnessoftheresult.First,aggregatenodecollectsthedatafromsensorsandlocally computestheaggregationresult,anditcanverifytheauthenticityofeachsensed data.Second,theaggregatenodecommitstothelocalaggregateddatabycomputing vi = H (mi ) where mi isthesenseddataofsensingnode i .Oneefficientwayof committingtotheaggregationdataisMerklehash-tree[46, 47].Inthishash-tree, allthesenseddataisattheleavenodes,andtheaggregatenodethencomputeshash valuesofsenseddatastartingfromtheleafnodes;eachintermediatenodecomputes thehashvalueoftheconcatenationofitstwochildnodes.Therootofthehash-tree iscalledthecommitmentoftheaggregationdata.Third,theaggregatenodereports thelocalaggregationresultwiththecommitmenttothebasestationandprovesthat thereportedresultiscorrect.Figure 2.3 depictsanexampleofMerklehashtreeconstruction.SIAprovidesdataconfidentiality,dataintegrityandsourceauthentication. SecureDataAggregationandVerification(SecureDAV)[35]pointedoutthat bootstrappingkeyswasachallengeinWSNsandpublickeycryptosystemswere unsuitableforuseinresource-constrainedsensornetworks.Theyfirstpresenteda protocolforestablishingclusterkeysusingverifiablesecretsharingandtheychose
Fig.2.3 Anexampleof Merklehash-tree construction[46, 47]
ellipticcurvecryptosystemsforencryptionduetotheirfastcomputationsandsmaller keysize.Besides,theyproposedSecureDAVprotocolthatcouldensurethatthebase stationneveracceptedafalseaggregationresult.
Specifically,theydevelopedaclusterkeyestablishmentprotocolthatallsensor nodeswithinaclustersharesasecretclusterkeyandeachsensornodeonlyhasa shareofthesecretclusterkey.Thesecretkeyisusedtogeneratepartialsignatures (viaECDSA[48]).Intheirsecuredataaggregationandverificationprotocol,the sensingnode i transmitstheidentifier,encrypteddata ci andthehashvalue hi ofthe reading Ri totheclusterhead CHi :
= Enc (k CHi i , Ri ), hi = H (Ri )
where k CHi i isthesecretkeysharedbetweensensornode i andclusterhead CHi . Then,clusterhead CHi aggregatesallsensingdatato avgi = avgi + (Rj /|CHi |) for eachsensingnode j incluster i afterdecryption,andgeneratespartialsignaturesand combinethemintoawholesignature. CHi transmitstheclusteridentifier,encrypted messageon avgi andcombinedsignaturetobasestation.Last,basestationverifiesthe signatureusingpublickey.SecureDAVprovidesdataconfidentiality,dataintegrity andsourceauthentication.
ConcealedDataAggregation(CDA)[36]providedend-to-endencryptionfor reversemulticasttrafficbetweenthesensornodesandbasestation.Aggregatenodes canperformaggregationfunctionsonciphertexts,whichsavingthetimeincostly decryptionandencryptionoperations.Theyusetheencryptiontransformationand decryptiontransformationoftheprivacyhomomorphism(PH)[49].ThePHisprobabilisticinthesensethattheencryptiontransformationinvolvessomerandomness thatchoosesoneciphertextcorrespondingtoagivenplaintextfromasetofpossible ciphertexts.
Specifically,eachsensingnodesharesasecretkey k = (r , g ) withbasestation anditrandomlysplitsitssenseddata a intoasecretsequence a1 ,..., ad suchthat a = d j =1 aj mod g and aj ∈ Zg .Thenitcomputestheencryptionif a:
).
Aggregatenodecollectsmessages c fromsensingnodesandcomputestheaggregationresult S ,andsentittobasestation:
c
Fig.2.4 Concealeddata aggregationforWSNswith privacyhomomorphism[36]
Inaddition,CDAcanbeappliedtotheproblemofaconcealedmovementdetection function.Forexample,therearefivesensingnodeswhichareawareoftheirrelative position,andwesetthedomainofsenseddatainto0, 1.Thenamessagetuple (0, 0, 0, 1, 1) meansthatanentityhasmovedfromposition1toposition2,orvice versa.Figure 2.2 depictstheconcealeddataaggregationprocess.
Theauthorsrecededthattheencryption,decryptionandadditionoperationsare moreexpensivewhencomparingtheclockcyclesthatarenecessarytoperform Domingo-Ferrer’sPHwiththosenecessarytoperformRC5.However,theyargued thatthisdisadvantageisacceptablesincetheaggregatornodeistheperformance bottleneckforaconnectedWSNwiththemainobjectivetobalancetheenergy consumption.Atlast,CDAonlyprovidesdataconfidentiality.Figure 2.4 showsan exampleofdataaggregationphaseinCDA.
Chanetal.[37]focusesontheproblemofsecurelyandefficientlyperforming aggregationqueries(suchasMEDIAN,SUMandAVERAGE),andpresentsthefirst algorithmforprovablySecureHierarchicalIn-NetworkAggregation(SHIA)forgeneralsensornetworksandmultipleadversarialnodes.Thisalgorithmcanguarantee thattheadversarycannothaveanyadvantagefrommanipulatingintermediateaggregationaggregations.Itsupportsarbitrarytree-basedstructure,andretainsresistance againstaggregationmanipulationinthepresenceofarbitrarynumbersofmalicious sensornodes.
ThemainalgorithmisbasedonperformingtheSUMaggregationsecurelyandthe goalistocompute a1 +···+ an ,where ai isthedatavalueofsensingnode i .Generally,theybulitontheaggregate-commit-proveframeworkfrom[29]butextended theirsingleaggregatenodemodeltoafullydistributedsetting.Thealgorithmincludes computingacommitmentstructureonthedatavaluesaswellastheaggregation process.Thenthesensornodesverifiesthattheircontributionsareaddedtothe aggregationresultbyauditingthecommitmentstructure.Iftheadversarytriesto excludethecontributionofonesensingnode,thiswillinduceaninconsistencyin thecommitmentresultwhichcanbedetectedbythevictimnode.
Specifically,thealgorithmmainlycontainsthreephases:querydissemination phase,aggregation-commitphase,andresult-checkingphase.
Querydissemination.Thebasestationbroadcaststhequerytotheallthesensor nodes.Anaggregationtreewiththebasestationbeingtherootnode,isformedif oneisnotalreadypresent.TinyAggregationService(TAG)[23]isoneofvarious algorithmsforselectingthestructureofanaggregationtreeandeachnodechooses
Fig.2.5 Anexampleof commitmenttreein SHIA[37]
thenodefromwhichitfirstheardthetree-formationmessageasitsparentnode. Afterthetreeisestablished,thebasestationinitiatesaqueryrequestwhichincludes anonce N topreventreplayattack,andtheentirerequestmessageisauthenticated.
Aggregationcommit.Inthenaiveapproach,eachsensingnodesendsthenumber1,senseddata,thecomplementofsenseddataandIDtoitsparentnode.Each aggregatenodeperformscomputesacryptographichashofallitsinputs(including itsowndatavalueifithasany).Thehashvalueisthenpassedontotheparentnodein theaggregationtreealongwiththeintermediateaggregationresult.Figure 2.5 depicts acommitmenttreeconsistingofhashesofdatavaluesandintermediateaggregation results.
Definition1 Acommitmenttreeisatreewhereeachsensingnodehasanassociated labelrepresentingthedatasenttoitsparentnode.Thelabelhasthefollowingformat:
< count , value, complement , commitment > wherecountisthenumberofsensing/contributingnodesinthesubtreerootedatthis node;valueistheSUMcomputedoverallthesensingnodesinthesubtree;complementistheaggregateovertheCOMPLEMENTofthedatavalues;andcommitment isthehashvalueontheconcatenationofN,count,value,complement,andlabels fromthesensingnodeinone-hoprange.
Result-checking.Thepurposeofthisphaseistoenableeachsensornode i to independentlyverifythatitscontribution ai wasaddedintoSUMaggregationresult, andthecomplement r ai wasalsoaddedintotheCOMPLEMENTaggregation result.
First,theaggregationresultsareauthenticatedandbroadcasttoeverysensornode. Eachsensornodeindividuallyverifiesthatitsdatawascounted.Ifso,itsendsan authenticationcodetothebasestation.Whenthebasestationhasreceivedallthe authenticationcodes,itthenconcedesthatallsensornodes’contributiontotheaggregationresulthasbeencorrectlyadded.
Itisworthnotingthattheygaveadefinitionof optimallysecure andtheyhave provedthatSHIAcanprovidethestrongestsecurityboundwhichcanbeprovenfor anysecureaggregationschemewithoutmakinganyassumptionaboutthedistribution ofsenseddata.SHIAonlyprovidesdataintegrity.
Fig.2.6 Anexampleofdataaggregationphaseandresult-checkingphaseinE2IPAP[38]
Definition2 Anaggregationalgorithm optimallysecure if,bytamperingwiththe aggregationprocess,anadversaryisunabletoinducethebasestationtoacceptany aggregationresultwhichisnotalreadyachievablebydirectdatainjection.
Zhuetal.[38]pointedoutthattheresult-checkingphasein[37]suffersfrom highcommunicationoverhead.Particularly,[37]needs O(hΔ) congestionforeach sensornodetoverifytheaggregationresult,andincurs O(log2 n) edgecongestion and O(Δlog2 n) nodecongestion(where Δ isthemaximumnodedegree),whenthe basestationdisseminatestheoff-pathvaluesdownthecommitmenttree.According to[38],itisimportanttooptimizetheresult-checkingphaseandsavenetworkenergy becausetheenergyconsumptionisascribedtotheoff-pathdisseminationstep.They proposedanintegritypreservingprotocolEnergyEfficientandIntegrity-Preserving AggregationProtocol(E2IPAP)fortree-basedsensornetworkswhichcanreducethe numberofmessagespersensornodeto O(Δ),andtheedgecongestionto O(log2 n)
Specifically,intheaggregation-commitphase,eachsensornode i sendsthedatacommitmenttuple < wi , Hi > toitsparentnode,where wi containscount,sensed dataandthecomplementdata.Theaggregatenodeperformsaggregationfunction, andsendstheintermediateresultupwardsalongthetree.
Intheresult-checkingphase,basestationbroadcastsfinalaggregationresultand finalcommitmenttothenetwork.Aftercheckingthevalidity,eachsensornode i sendsanauthenticationcode MAC (Ki , N ||OK ) tobasestation.Otherwise,itsends MAC (Ki , N ||NK ) torefusetoaccepttheaggregationresult.E2IPAPprovidesonly dataintegrity.
Figure 2.6 showsanexampleofdataaggregationphaseandresult-checkingphase inE2IPAP.Thenode B, E and A allhavetheirownsenseddata,therefore,thefinal aggregationcountis9.
Nodecompromiseattackrequiresprotocolsfordataaggregationwheretheintermediatenodescontributetheirowndatavaluestotheintermediateaggregationresult withoutaccessingit.Homomorphicencryptionallowsaggregationonciphertextand canprovideend-to-enddataconfidentiality.n-LDA[39]isaprotocolforsecure dataaggregationwhichoffersend-to-enddataconfidentialitybyusinghomomorphicfunctionandinterleavedencryption.Rodheetal.[39]proposedalayereddata aggregationprotocolwhichensuresthatanattackercannotgetaccesstoanyaggre-
Fig.2.7 AnexampleofLayersandtheaggregationphaseinn-LDA[39]
gationresultfromthenetworkiflessthan n sensornodesarecaptured.Whenmore than n sensornodesarecaptured,theattackercanonlygetaccesstotheaggregation resultreceivedbythecapturednodes.
Specifically,thesensornodesaredividedintolayersaccordingtotheirhopdistancefromthebasestationafterawavealgorithmislaunchedtodeterminethelayers inthenetwork.Thenodesinlayer i shareacommonaggregationkey ki whichisalso knownbythebasestationfor i ≤ n andbyallnodesinlayer i n for i > n.
Duringaggregationprocess,eachnode ui receivesencrypteddatafromnodesin thelowerlayerandaggregatesthemwithitsownencrypteddatabeforechoosing aneighbor wi 1 fromtheupperlayerandsendingtheaggregateddata. ui ’sdatais encryptedwith ki andthepairwisekey kuw sharedwith wi 1 .Theaggregationkeywill beremovedbythecorrespondingnodeinlayer i n,whichprovidesprivacyfrom layers i 1to i n + 1.Thepairwisekey kuw isremovedbynode wi 1 .Finally,base stationremovesthelastkeysandobtainstheaggregationresult.n-LDAprovidesonly dataconfidentiality.Figure 2.7 depictsasensornetworkwithfivelayersinn-LDA. n-LDAisresilienttonodecompromiseornodefailurebecausetheaggregation resultisnotrelayedalongafixedpath,insteaditcanbedynamicallychosen.This makesithardforanadversarytochoosewhichnodestocompromisetoachieve hisgoal.Moreover,theadditionalinformationsentwithaggregationresultreveals nothingabouttheidentityofthecontributingsensornodes.
EPAS[40]proposedanefficientandprovablysecureencryptionschemeonallowingadditiveaggregationoftheencrypteddatatominimizethenumberofmessages sentandreceivedbysensornodes,andmaximizenetworklifetime.Theaggregation basedonthisschemecanbeusedtoefficientlycomputestatisticaldata,suchas MEAN,andVARIANCE,whilecurtailingbandwidthsavings.
Specifically,theyadoptedanadditivelyhomomorphicencryptionschemeusing aPRFfamilyandthestepsaredescribedasfollows.
1.KeyGeneration:
(a)Arandom K ispickedfrom {0, 1}λ whichissetasthedecryptionkeyof basestation.
(b) eki = fK (i ) foreachsensornode i issetastheencryptionkey.
2.Encryption:
(a)Givenplaintext mi ,nonce r andencryptionkey eki ,output: ci = Enceki (mi ) = mi + h(feki (r )) mod M
(b)Set hdri = i
(c)Outputciphertext (hdri , ci )
3.Decryption:
(a)Givenciphertext (hdr , c ) and r ,compute eki = fK (i ) for i ∈ hdr
(b)Computeplaintext:
4.AdditionofCiphertexts
(a)Giventwociphertexts (hdr1 , c1 ) and (hdr2 , c2 ).compute c1 2 = (c1 + c2 ) mod M .
(b)Set hdr1 2 = hdr1 hdr2 .
(c)Outputaggregationciphertext (hdr1 2 , c1 2 ).
Thestandardsecuritygoalforencryptionisindistinguishabilityagainstchosenciphertextattack.ThesecurityofEPSAisbasedontheindistinguishabilityofa pseudorandomfunction(PRF).Theyhaveprovedthattheschemeissemantically secureagainstacollusionattackwithatmost n 1compromisedsensornodesfora networkwith n sensornodes.EPSAprovidesdataconfidentialityanddataintegrity. Chenetal.[41]pointedoutthatwhilethesedataaggregationschemesbasedon privacyhomomorphismencryptioncouldprovidebettersecurityandreducetransmissionoverhead,however,thebasestationonlyobtainedtheaggregationresult insteadoftheindividualvaluesfromsensingnodes.Twoconsequencesare(1)the usageofaggregationfunctionsisconstrainedand(2)thebasestationcannotconfirmdataintegrityandsourceauthentication.Therefore,theyproposedtheconcept of“recoverable”andthebasestationcanrecoverallsensingdataintheirdesign RecoverableConcealedDataAggregation(RCDA).
Mykletunetal.’s[50]andBonehetal.’sschemes[51]arereviewedsincetheyare thefoundationoftheproposedschemes.Specifically,RCDAschemeforhomogenous WSNiscomposedoffourphases:Setup,Encrypt-Sign,Aggregate,andVerify.The detailedphasesaredescribedasfollows.
1.Setup:basestationgeneratesthepairs:
(a) (PBS , RBS ):ThesetwokeysaregeneratedasintheKenGenfunctionin[50]. PBS ={Y , E , p, G, n} and RBS = ζ .
2.2Cryptographic-BasedDataAggregationSchemes17
(b) (Pi , Ri ):Foreachsensornode i ,thebasestationgeneratesthembyKeyGen functionin[51]. Pi = vi and Ri = xi .
Then, Pi , Ri and H areloadedtosensornode i .
2.Encrypt-Sign:Whenasensingnode i isreadytosenditssenseddatatothecluster head(CHi ),it
(a)Encodessenseddata di as mi = di ||0β ,where β = l (i 1)
(b)Computessignature σi = xi × H (di ) and ci = (ri , si ) = (ki × G, mi × G + ki × Y ),where ki ∈{0,..., n 1}
(c)Sends (ci ,σi ) to CHi
After CHi collectsallciphertext-signaturepairs,itcanaggregatethemasfollows:
3.Aggregateciphertext:
(a)Computes
(b)Computessignature:
(c)Sendstheaggregationresult (c , σ) tobasestation.
Afterreceiving (c , σ) from CHi ,basestationcanrecoverandverifyeachsensed dataasfollows:
4.Verify:
(a)Computes
(b)Computes m = rmap(M ) = m1 +···+ mw 1 .
(c)Obtainseachsenseddatafrom m : di = m [(i 1) · l , i · l 1].
(d)Verifieseach di bycheckingwhether en (σ1 , g2 ) =
1
=1 (hi , Pi ) where en is bilinearmapand hi = H (di )
Basestationcanrecoverallsenseddatafromotherclustersandperformany statisticaloperationsafterconfirmingtheintegrityofalldata.RCDAprovidesdata confidentialityanddataintegrity.
Yangetal.[42]focusedonpreservingdataintegrityandproposedanEfficient Integrity-PreservingDataAggregationProtocol(EIPDAP)wherethebasestation canverifytheintegrityofaggregationresult.Comparedwithpertinentschemeson preservingdataintegrity,EIPDAPreducesthecommunicationoverheadpernodeto O(Δ),where Δ isthedegreeoftheaggregationtree.
ThedesignofEIPDAPisbasedontheellipticcurvediscretelogarithmproblem andtheiralgorithmconsistsofthreemainphases:querydissemination,aggregationcommit,andresult-checking.
Fig.2.8 Anexampleof aggregationphaseof EIPDAP[42]
Specifically,thebasestationfirstbroadcaststhequerytothenetworkandsends thepath-keysandedge-keysencryptedwiththesecretkeysharedbetweenitselfand nodestothecorrespondingnodes.Inaggregation-commitphase,eachsensornode sensesenvironmentaldataandcalculatestwotagsbeforereportingthemtoparent node.Afterreceivingallthedatadownstream,theaggregatenodeperformsmodulo additionoperationsandforwardstheresulttobaststation.Intheend,basestation verifiestheintegrityoftheaggregationresultwithtwoaggregationtags.EIPDAP providesdataconfidentialityanddataintegrity.
Forexample,basestationcalculatestheedge-key ki j foreachsensornodeusing thehashfunction H : ki j = H (si , sj , N )
wherenode i istheparentnodeofnode j and si istheuniqueidentityofnode i .Base stationalsocalculatestwopath-keys ki ,1 and ki ,2 : ki ,1 = θ kpath ,
where θ isapointin E (Zp ) and l isaninteger.Ifthepathfrombasestationtonode i is bs 1 2 i ,then kpath = kbs 1 k1 2 k2 i .Figure 2.8 showsanexampleofdata aggregationphaseofEIPDAP.
Zhuetal.[43]haspointedoutthatmanyexistingaggregationprotocolshad totransferthewholelistofsensornodesIDforbasestationtoknowwhichsensornodeshadcontributedsenseddata.However,thetransmissionoftheseIDscan incuroverwhelmingcommunicationoverhead.Therefore,theyproposedaprovably secureaggregationschemeperturbation-basedefficientconfidentialitypreserving protocol(PEC2P).ThegeneralideaofPEC2Pisthatafterthebasestationreceives theaggregationresultandthehashtag,itwillgothroughabrutesearchonthepossiblecombinationofsensornodeswhichcanformthehashtag.PEC2Pcanavoid transferringanyIDinformationandallowsefficientaggregationofperturbeddata.
PEC2Pmainlyconsistsofthreephases:bootstrappingphase,dataaggregation phase,andresultretrievingphase.Specifically,inthebootstrappingphase,modulus
2.2Cryptographic-BasedDataAggregationSchemes19
M ,acollision-resistantcryptographichashfunction H :{0, 1}←{0, 1} andaPRF f :{0, 1}←{0, 1} arestoredinallsensornodes.Inaddition,auniquevector IVi an asecretkey ki = IVi arestoredinbasestationandnode i . Eachsensornodewithcombinedfunctionscanbelogicallysplitintoasensing nodeandanaggregatenode.Indataaggregationphase,eachleafsensornode i with environmentaldata xi computesitaggregationresult < ci , haxi > as: ci = 1, haxi = xi + H (ki ).
Then,itforwardstheresulttoitsparentnodefordataaggregation.Atlast, i updatesits secretkeyas ki = f (ki ).Eachaggregatenode j startsatimerandwaitsformessages beforeitexpires.Then,itcomputespartialaggregationresult < cj , haxj > as:
Then, j forwardstheaggregationresulttobasestation.Notethatthecountisusedto tracethecontributingnodesforbasestationandsynchronizationamongsensornodes isnotneeded.Intheresultretrievingphase,basestationretrievesthecontributingID listandtheaggregationresult.First,itorderlyselectsalist IDL of C sensornodes withtheirkeysandcomputes: Agg = HAXbs
(ki ) mod M
∈IDL
If Agg ∈[C ∗ vmin, C ∗ vmax ],basestationwillaccept Agg astheaggregationresult andupdatethekeysforthe C nodes,oritwillcontinuetosearchforthesensorset. PEC2Pprovidesdataconfidentialityanddataintegrity.Figure 2.9 depictsanexampleofdataaggregationinPEC2P.
Aggregatingdatawhilepreservingdataconfidentialityanddataintegrityisa challengingtaskforadversariescaneavesdroponthenetworkandmodifytheaggregationresultsreadilybylaunchingnodecompromiseattack.Zhuetal.[44]proposed
Fig.2.9 Anexampleof aggregationphaseof PEC2P[43]
anefficientconfidentialityandintegritypreservingaggregationprotocol(ECIPAP) basedonhomomorphicencryptionandresult-checkingmechanism.
Specifically,eachsensornode i sharesasecretkey ki ,alargeinteger M ,anda uniqueidentifier IDi withthebasestation.Ineachdatacollectiontask,itbroadcasts aquerymessagetothenetworkalongwitharandomnumber r .Eachsensornode i hasenseddata vi ∈[vmin , vmax ], vi = vmax v,and counti = 1.Thenitcomputes threetemporarykeys ki ,r , ki ,r and ki ,r :
andthenitencrypts vi , vi and counti as:
ccounti ,i = Enc (ki ,r , counti , M ), cvi ,i = Enc (ki ,r ,
i computesmessageauthenticationcodeas:
= H (ccounti ,i ||cvi ,i ||c vi ,i ||IDi ),
andthedatatuple ui is:
Whenaggregatenodereceivesdatatuplesdownstream,itcanperformaggregation functionslikeSUM,COUNT,AVERAGE,onthem.AsshowninFig. 2.10,base stationcandecrypttheaggregationresultas: countagg = Dec Ua count , n i =1 ki ,r , M ,
Fig.2.10 Anexampleof aggregationphaseof ECIPAP[44]
Finally,basestationcancalculate MACagg :
Whentheaggregationresultreachedatbasestation,basestationbroadcaststhe authenticatedaggregateddatatuple.Tocompleteresultchecking,eachsensornode willsendacheckingmessageusingreversecomputationaloperation toitschild nodes.Everysensornodecanverifyifitsowndatawasaddedtotheaggregation processbycomparingitsowndatatothedatasentbyparentnodes.Ifso,node i sends anauthenticationmessage MAC (ki ||r ||OK ) upwards.Otherwise, MAC (ki ||r ||NO) willbesent.ECIPAPprovidesdataintegrityandsourceauthentication.
Sen-SDA[45]isapracticalandsecuredataaggregationschemeinheterogeneous clusteredWSNs,basedonthecombinationofanadditivehomomorphicencryption scheme,anidentity-basedsignaturescheme,andabatchverificationtechniquewith analgorithmforfilteringinjectedfalsedata.
Specifically,Sen-SDAfivephases:Setup,Privatekeyextraction,Encryptthen sign,Verify,AggregatethenSignandVerifythenDecrypt.
1.Setup:Basestationgenerates para1 =< Fp , E, q, P, PPub , H1 , H2 > and para2 = < Fp , E , q , P , PE >,thenitsetsthepublicparameters para = para1 para2 .Basestationkeepsamastersecretkey s and x
2.Privatekeyextraction:basestationpicksanewidentifier IDi forsensornode i and generates ski = (Ri , vi ).Afterperformingtheclusteringalgorithm,eachsensor nodehasitsownclusterhead,Then CHi keepsalistofmembernodesinthe i th cluster LCMi
3.Encryptthensign:asensornode CM i j encryptsitsmessage mi j withbasestation’s publickeyandobtainsciphertext: c i j =< kj P , kj Pbs + m i j P >.
Then i computesasignaturewithprivatekey SKj andcurrenttimestamp ct i j :
σ i j =< Rj , T i j , z i j >, where T i j = tj P , z i j = vj + hj tj mod q , hj = H2 (IDj , IDi , Rj , T i j , ct i j ).Thennode i sends M i j =< ci j ,σ i j , IDj , IDi , ct i j > toclusterhead.
4.Verify,AggregatethenSign:Afterreceivingmessagesfromallmembernodes, CHi looksupthelisttofindthecorrespondingnode IDj .Ifitexistsand {ct i j }ni j =1 arevalid, CHi verifies {σ i j }ni j =1 .Iftheyarevalid, CHi computes ci = ni j =1 ci j .Then CHi generatesasignature:
<τi >=< Ri , Ti , zi > where zi = vi + hi ti mod q .Finally, CHi sends Mi =< ci ,τi , IDi , IDbs , ct i > to basestation.
5.VerifythenDecrypt:Afterreceivingmessagesfromallclusterheads,basestation looksupthelisttofindthecorrespondingcluster IDi .Ifitexistsand {ct i }nC i =1 arevalid,basestationverifies {τi }nC i =1 .Iftheyarevalid,basestationrecovers Mi = ( ni j =1 )P anddecrypts ci = (ci1 , ci2 ) as:
Table2.1 Comparisonofsecuredataaggregationprotocols
Protocol Data confidentiality Dataintegrity
Another random document with no related content on Scribd:
ARTOC (Army Tactical Operations Central) uses computer techniques for battlefield display and communications to aid field commanders
At Picatinny Arsenal, computers evaluate ammunition by simulating as many as a thousand battles per item. Design and management studies for projects like Nike-Zeus and Davy Crockett are also conducted at Picatinny. A mobile computer, called MOBIDIC, is designed for field combat use and has been moved in three 30-foot trailers to location with the Seventh Army in Europe. There it handles requisitions for rockets, guided missiles, electronic equipment, and other items. MOBIDIC is just part of the Army’s FIELDATA family of computers that includes helicopter-transported equipment to provide field commanders with fast and accurate data on which to base their risk decisions. Another concept is ARTOC, for Army Tactical Operations Central, an inflatable command post in which computers receive and process information for display on large screens. This is a project of Aeronutronic.
Aeronutronic Division, Ford Motor Co.
In 1961 an IBM 7090 computer was installed at Ispra, Italy, for use by the European Atomic Energy Commission (EURATOM). The computer would have as its duties the cataloging of technical information on atomic energy, the translation of technical publications, and use in basic research on solutions of Boltzmann equations and other advanced physics used in atomic work. In this country, the National Science Foundation has acknowledged the importance of the computer in scientific investigation by underwriting costs for such equipment for research centers in need of them.
Command post of SAGE, the most complex computer application to date
International Business Machines Corp
