security analysis and improvement of a secure and...

Copyright (c) 2011 IEEE. Personal use is permitted. For any other purposes, permission must be obtained from the IEEE by emailing [email protected].

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.

1

Security Analysis and Improvement of a Secure andDistributed Reprogramming Protocol for Wireless

Sensor NetworksDaojing He, Student Member, IEEE, Chun Chen, Member, IEEE,

Sammy Chan, Member, IEEE, Jiajun Bu, Member, IEEE, and Laurence T. Yang, Member, IEEE

Abstract—Wireless reprogramming in a wireless sensor net-work (WSN) is the process of propagating a new code imageor relevant commands to sensor nodes. As a WSN is usually de-ployed in hostile environments, secure reprogramming is and willcontinue to be a major concern. While all existing insecure/securereprogramming protocols are based on the centralized approach,it is important to support distributed reprogramming in whichmultiple authorized network users can simultaneously and direct-ly reprogram sensor nodes without involving the base station.Very recently, a novel secure and distributed reprogrammingprotocol named SDRP was proposed, which is the first workof its kind. However, in this paper, we identify an inherentdesign weakness in the user pre-processing phase of SDRP, anddemonstrate that it is vulnerable to an impersonation attackby which an adversary can easily impersonate any authorizeduser to carry out reprogramming. Subsequently, we proposea simple modification to fix the identified security problemwithout losing any features of SDRP. Our experimental resultsdemonstrate that it is possible to eliminate the design weaknessby adding a 1-byte redundant data, and that the execution timeof the suggested solution in a 1.6-GHz Laptop PC is no morethan one milli-second. Therefore, our solution is feasible andsecure for real world applications. Moreover, we show that, inorder to further improve the security and efficiency of SDRP,any better established identity-based signature algorithm can bedirectly employed in SDRP. Based on implementation results, wedemonstrate efficiency improvement over the original SDRP.

Index Terms—Sensor networks, reprogramming, security, userprivilege.

I. INTRODUCTION

Wireless reprogramming is the process of propagating a newcode image or relevant commands to sensor nodes throughwireless links after a wireless sensor network (WSN) isdeployed. Due to the need of removing bugs and addingnew functionalities, reprogramming is an important operation

Manuscript received May 4, 2012; revised Aug 2, 2012; accepted Aug17, 2012. This work was supported by National Science Foundation ofChina (Grant No. 61070155), Program for New Century Excellent Talents inUniversity (NCET-09-0685), and a grant from the Research Grants Councilof the Hong Kong SAR, China [Project No. CityU 111208].

Copyright (c) 2009 IEEE. Personal use of this material is permitted.However, permission to use this material for any other purposes must beobtained from the IEEE by sending a request to [email protected].

D. He, C. Chen and J. Bu are with the Zhejiang Provincial Key Labo-ratory of Service Robot, College of Computer Science, Zhejiang University,P.R.China (e-mail: [email protected]).

S. Chan is with the Department of Electronic Engineering, City Universityof Hong Kong, Hong Kong SAR, P.R.China (e-mail: [email protected]).

L. T. Yang is with the School of Computer Science, Huazhong Universityof Science and Technology, China, and also with the Department of ComputerScience, St. Francis Xavier University, Canada. (e-mail: [email protected]).

function of WSNs [1]–[9]. As a WSN is usually deployedin hostile environments such as the battlefield, an adversarymay exploit the reprogramming mechanism to launch variousattacks. Thus, secure programming is and will continue to bea major concern.

There has been a lot of research focusing on secure repro-gramming, and many interesting protocols have been proposedin recent years [10]–[18]. However, all of them are based onthe centralized approach which assumes the existence of abase station and only the base station has the authority toreprogram sensor nodes, as shown in the upper subfigure ofFig. 1. Unfortunately, the centralized approach is not reliablebecause, when the base station fails or when some sensornodes lose connections to the base station, it is impossible tocarry out reprogramming. Moreover, there are WSNs havingno base station at all and hence the centralized approach isnot applicable. Also, the centralized approach is inefficient,weakly scalable, and vulnerable to some potential attacksalong the long communication path.

Alternatively, as shown in the lower subfigure of Fig. 1,a distributed approach can be employed for reprogrammingin WSNs. It allows multiple authorized network users tosimultaneously and directly update code images on differentnodes without involving the base station. Another advantageof distributed reprogramming is that different authorized usersmay be assigned different privileges of reprogramming sensornodes. This is especially important in large scale WSNs ownedby an owner and used by different users from both public andprivate sectors [19], [20].

Quite recently, He et al. proposed a secure and distributedreprogramming protocol named SDRP [21], which is thefirst work of its kind. Since a novel identity-based signaturescheme is employed in generating public/private key pair ofeach authorized user, SDRP is efficient for resource-limitedsensor nodes and mobile devices in terms of communicationand storage requirements. Furthermore, SDRP can achieveall requirements of distributed reprogramming listed in [21],while keeping the merits of the well-known mechanismssuch as Deluge [22] and Seluge [17]. Also, SDRP has beenimplemented in a network of resource-limited sensor nodes toshow its high efficiency in practice. However, in this paper,we demonstrate that a design weakness exists in the UserPre-processing Phase of SDRP, and an adversary can easilyimpersonate any authorized user to carry out reprogramming.To eliminate the identified security vulnerability, we propose



2

user 1

sensor node

WSN

WSN

image

CentralizedDistributed

imagebase station

network owner

signing

image partition

signingimage

partition

user Mimage

…...

signingimage

partition

Fig. 1. A system overview of centralized and distributed reprogramming approaches.

a simple modification on SDRP without losing any features(such as distributed reprogramming, supporting different userprivileges, dynamic participation, scalability, high efficiencyand robust security) of the original protocol.

Moreover, we show that, for security and efficiency consid-eration, any efficient identity-based signature algorithm whichhas survived many years of public scrutiny can be directlyemployed in SDRP. This paper also reports the experimentalresults of the improved SDRP in Laptop PCs and resource-limited sensor nodes, which show its efficiency in practice.

The remainder of this paper is organized as follows. Webriefly review SDRP in Section II, then identify its securityweakness in Section III. Section IV presents a modificationwhich remedies the identified weakness. Section V providesan approach to further improve the security and efficiency ofSDRP. Section VI concludes the paper and points out futureresearch directions.

II. BRIEF OVERVIEW OF SDRPThe SDRP protocol consists of three phases, system ini-

tialization, user pre-processing, and sensor node verification.In system initialization phase, the network owner creates itspublic and private keys and then assigns the reprogrammingprivilege and the corresponding private key to the authorizeduser(s). Only the public parameters are loaded on each sensornode before deployment. In user pre-processing phase, if anetwork user enters the WSN and has a new code image, itwill need to construct the reprogramming packets and thensend them to the sensor nodes. In sensor node verificationphase, if the packets verification passes then the nodes acceptthe code image.

A. System Initialization PhaseThe network owner executes the following steps:a) Let G be a cyclic additive group and GT be a cyclic

multiplicative group of the same primer order q. Let P be agenerator of G. Let e : G×G→GT be a bilinear map.

b) Pick random s∈Z∗q as the master key, and computespublic key PKowner = s·P .

c) Choose two secure cryptographic hash functions H1, H2,where H1 : {0, 1}∗→G and H2 : {0, 1}∗→Z∗q . Then, the pub-lic parameters {G,GT , e, q, P, PKowner, H1, H2} are loadedin each sensor node before deployment.

d) For a user Uj with identity UIDj∈{0, 1}∗, the networkowner sets Uj’s public key as PKj = H1(UIDj‖Prij)∈G,computes the private key SKj = s·PKj , and then sends{PKj , SKj , P rij} back to Uj using a secure channel, suchas the wired Transport Layer Security protocol. Here Prijdenotes the level of user privilege such as the sensor nodes setwithin a specific region that user Uj is allowed to reprogram,and subscription period.

B. User Pre-processing Phase

User Uj takes the following actions:a) Uj partitions the code image to Y fixed-size pages,

denoted as page 1 through page Y . Uj splits page i (1≤i≤Y )into N fixed-size packets, denoted as Pkti,1 through Pkti,N .The hash value of each packet in page Y is appended tothe corresponding packet in page Y − 1. For example, thehash value of packet PktY,1, h(PktY,1), is included in packetPktY−1,1. Here PktY,1 presents the first packet of page Y .Similarly, the hash value of each packet in page Y − 1 isincluded in the corresponding packet in page Y − 2. Thisprocess continues until Uj finishes hashing all the packets inpage 2 and including their hash values in the correspondingpackets in page 1. Then a Merkle hash tree [23] is used tofacilitate the authentication of the hash values of the packetsin page 1. We refer to the packets related to this Merkle hashtree collectively as page 0. The root of the Merkle hash tree,the meta data about the code image (e.g., version number,targeted node identities set, code image size), and a signatureover all of them are included in a signature message. Thedetailed information can be referred to [17]. Assuming thatthe message m represents the root of the Merkle hash tree andthe meta data about the code image. Then, in order to ensurethe authenticity and integrity of the new code image, Uj takesthe following actions to construct the signature message:



3

b) With the private key SKj , Uj can compute the signatureσj of the message m, where σj = H2(m)·SKj .

c) Uj transmits the targeted nodes the signature message{UIDj , P rij ,m, σj}, which serves as the notification of thenew code image. SDRP relies on the underlying Delugeprotocol to distribute packets for a given code image.

C. Sensor Node Verification Phase

Upon receiving a signature message {UIDj , P rij ,m, σj},each sensor node verifies it as follows:

a) The sensor node firstly pays attention to the legality ofthe programming privilege Prij and the message m. Only ifthey are valid, the verification procedure goes to the next step.

b) Given the public parameters, the sensor node performsthe following verification:

e(σj , P ) = e(H2(m)·H1(UIDj‖Prij), PKowner) (1)

If the equation holds, the signature σj is valid.c) If the above verification passes, the sensor node believes

that the message m and the privilege Prij are from anauthorized user with identity UIDj . Hence the sensor nodeaccepts the root of the Merkle hash tree constructed for page0. Thus, the nodes can authenticate the hash packets in page0 once they receive such packets, based on the security ofMerkle hash tree. The hash packets include the hash valuesof the data packets in page 1. Therefore, after verifying thehash packets, a node can easily verify the data packets inpage 1 based on the one-way property of hash functions.Likewise, the data packets in page i has been verified, a sensornode can easily authenticate the data packets in page i + 1,where i = 1, 2, . . ., Y − 1. Only if all verification proceduresdescribed above pass, the sensor node accepts the code image.

III. SECURITY WEAKNESS OF SDRP

Recall that in the user pre-processing phase of SDRP, thesignature σi is computed as H2(m)·SKj . This is, however, adesign weakness because it enables an adversary A to obtainthe private key SKj of user Uj as shown below:• While Uj transmits the targeted nodes the signature mes-

sage {UIDj , P rij ,m, σj}, the adversary A can obtain{m,σj} by eavesdropping. With the public parameter H2,the adversary A can compute υ = (H2(m))−1 (mod q),where H2(m)∈Z∗q .

Note that the above equation involves modular expo-nentiation with a negative exponent, which can be per-formed by finding the modular multiplicative inverse u ofH2(m) modulo q using the extended Euclidean algorithm.That is, υ = (H2(m))−1 (mod q) = u (mod q), whereu·H2(m)≡1(mod q). It should be noted that any integer inZ∗q has a multiplicative inverse if and only if that integeris relatively prime to q. That is, the multiplicative inverse uof H2(m) modulo q exists if and only if H2(m) and q arecoprime (i.e., gcd(H2(m), q) = 1). In SDRP, since q is prime,all of the nonzero integers in Z∗q are relatively prime to q,and therefore there exists a multiplicative inverse for all ofthe nonzero integers in Z∗q .

• The adversary A computes the private key SKj = υ·σi.Consequently, the adversary A can impersonate user Uj to

inject bogus code images to take over the control of the wholeWSN. Of course, the damage which the adversary A can makeis consistent with the reprogramming privilege of user Uj .

IV. SECURITY IMPROVEMENT OF SDRP

Obviously, if H2(m) and q are not coprime, an adversarycannot compute the private key SKj . Therefore, the designweakness of the user pre-processing phase does not existand the resulting attack is invalid. To achieve this goal, thefollowing step is suggested to be added into SDRP.

In the system initiation phase, the order q of cyclic additivegroup G and cyclic multiplicative group GT should be setto a large composite number. Note that Boneh et. al.haveintroduced composite-order bilinear groups [24], which havebeen used to successfully solve many challenging problems incryptography. In the user pre-processing phase, when user Uj

computes m, it can check whether H2(m) and q are coprime.If yes, before a signature on m is computed, redundant bitsare appended into m such that H2(m) and q are not coprime;otherwise, as described in Section II.B, user Uj directlycomputes a signature on m. On the other hand, the sensor nodeverification phase remains the same. That is, compared to theoriginal SDRP, the suggested modification does not incur anyoverhead on sensor node side.

In the design of SDRP, the length of m is 29 bytes.Also assume that the hash function H2 is implemented usingSHA-1 with a 20-byte output. Taking q as a 160-bit randomcomposite number, we carry out experiments of coprimechecking on Laptop PCs with different computational power.In each experiment, q is randomly generated for one thousandtimes. For each q, m is randomly generated for one thousandtimes. Thus, each experiment has one million measurements.The experimental results show that, without the addition ofany redundant bit, the probability that H2(m) and q are notcoprime is 58.0212%. Also, our implementation results aboutthe average search time of an appropriate redundant data andthe failure rate with the addition of 1 or 2 redundant bytes aresummarized in Table I. Here we consider a 1.6-GHz processorand the addition of 1 redundant byte as an example. The failurerate for searching an appropriate redundant data is 0.4597%for this experiment (i.e., the probability that H2(m) and q arenot coprime is 1 − 0.4597% = 99.5403%), and the searchof appropriate redundant data is very fast (i.e., the averageexecution time is 68.12 µs.). Clearly, failure rates only dependon the bit length of the added redundant data, but not processorspeed.

Furthermore, taking q as a 160-bit random even number,we repeat the above experiments of coprime checking. Theexperimental results show that, without the addition of anyredundant bit, the probability that H2(m) and q are not co-prime is 59.4491%. Also, with the addition of 1 or 2 redundantbytes, the failure rates for searching an appropriate redundantdata are all 0 for each experiment (i.e., the probability thatH2(m) and q are not coprime is 100%). On the other hand,our implementation results about the average search time of an



4

TABLE IFAILURE RATES AND SEARCH TIME FOR THE ADDITION OF 1 OR 2 REDUNDANT BYTES WHEN q IS A COMPOSITE NUMBER.

Experiment 1 Experiment 2 Experiment 3 Experiment 4 Experiment 5processor speed (GHz) 1.6 2 2.4 2.6 3.1

redundancy (byte) 1 2 1 2 1 2 1 2 1 2search time (µs) 68.12 608.91 50.82 598.01 49.34 529.85 48.18 368.77 40.02 300.65failure rate (%) 0.4597 0.0691 0.7380 0.1851 0.7550 0.1780 0.9752 0.1566 0.9916 0.2772

TABLE IISEARCH TIME FOR THE ADDITION OF 1 OR 2 REDUNDANT BYTES WHEN q IS AN EVEN NUMBER.

Experiment 1 Experiment 2 Experiment 3 Experiment 4 Experiment 5 Experiment 6processor speed (GHz) 1.6 1.8 2 2.4 2.6 3.1

redundancy (byte) 1 2 1 2 1 2 1 2 1 2 1 2search time (µs) 40.38 40.88 36.50 36.05 32.63 32.48 27.05 27.35 24.93 24.91 21.01 21.10

appropriate redundant data of 1 or 2 bytes are summarized inTable II. It can be seen that the search of appropriate redundantdata is very fast. For example, with the addition of 1 redundantbyte, the average execution time are 40.38 µs and 36.50 µson 1.6-GHz and 1.8-GHz Laptop PCs, respectively. Here it issuggested to only use 1 redundant byte when q is a 160-bitrandom even number. With this setting, not only zero failurerate is achieved, many advantages in the user pre-processingprocedure are also obtained in terms of computation, memoryusage, as well as transmission and reception power.

As shown in Tables I and II, our experimental resultsdemonstrate that the search time for a 2-byte redundantdata is no more than one milli-second in a 1.6-GHz LaptopPC. Considering that the clock frequencies of typical mobiledevices (e.g., iPhones or Laptop PCs) are more than 1 GHz, thesuggested modification is efficient for most of mobile devices.According to the above analysis, the suggested solution isfeasible and secure for real world applications.

V. FURTHER IMPROVEMENT OF SDRP

Designing a seccure reprogramming protocol is a difficulttask, because there are so may details involved (e.g., the com-plicated interactions with the environment) that the designercan only try his/her best to make sure his/her protocol isinfallible. This holds regardless of whether security proofs aresupported by heuristic arguments or formal ways. In reality,the degree of confidence accompanying a security mechanismincreases with time only if the underlying algorithms cansurvive many years of public scrutiny [18].

SDRP is based on a novel and newly designed identity-based signature algorithm. The simple modification presentedin Section III can fix the identified security problem of thissignature algorithm, but it is still uncertain whether there isany other security weakness in this modified identity-basedsignature algorithm. To address this issue, it is suggested thatinstead of this novel identity-based signature algorithm, someefficient identity-based signature algorithms which have sur-vived many years of public scrutiny can be directly employedin SDRP. For example, we can choose the provably-secureidentity-based signature proposed by Barreto et al. [25]. Be-sides providing better security, Barreto’s method also improvesthe efficiency of SDRP due to the following two reasons.First, its signature verification operation only needs 1 pairing

computation and hence is among the most efficient ones.Second, the length of its signature is reduced due to bilinearpairing.

A. The improved SDRP protocol

1) System Initialization Phase: The network owner exe-cutes the following steps:

a) Key Setup: Generate the public parameters params ={G1,G2,G3, g1, g2, g, e, ψ,Qpub, H3, H4}, and load them ineach sensor node before deployment, where (G1,G2,G3)are bilinear groups of large prime order p with generatorsg2∈G2, g1 = ψ(g2)∈G1, and g = e(g1, g2). The networkowner picks a random number s∈Z∗p as the master key, andcomputes public key Qpub = s·g2∈G2. H3 and H4 arecryptographic hash functions, where H3 : {0, 1}∗→Z∗p andH4 : {0, 1}∗×G3→Z∗p.

b) User Public/private Key Generation: For a user Uj withidentity UIDj∈{0, 1}∗, the network owner sets Uj’s publickey as Pj = H3(UIDj‖Prij)∈Z∗p, computes the privatekey Sj = 1

Pj+s ·g1 = 1H3(UIDj‖Prij)+s ·g1, and then sends

{Pj , Sj , P rij} back to Uj through a secure channel. HerePrij denotes the level of user privilege such as the sensornodes set within a specific region that user Uj is allowed toreprogram, and subscription period.

2) User Pre-processing Phase: User Uj takes the followingactions:

a) This step is same as Step a) of the User Pre-processingPhase of the original SDRP protocol.

b) With the private key Sj , Uj can compute the signature σjof the message m as described below. Pick a random num-ber x∈Z∗p and compute r = gx. Set h = H4(m, r)∈Z∗p,and compute W = (x + h)·Sj . The signature σj is thepair (h,W )∈Z∗p×G1.

c) This step is same as Step c) of the User Pre-processingPhase of the original SDRP protocol.

3) Sensor Node Verification Phase: Upon receiving asignature message {UIDj , P rij ,m, σj}, each sensor nodeverifies it as follows:

a) This step is same as Step a) of the Sensor NodeVerification Phase of the original SDRP protocol.

b) Given the public parameters, the sensor node computes:

h∗ = H4(m, e(W,H3(UIDj‖Prij)·g2 +Qpub)g−h)



5

TABLE IIIRUNNING TIME FOR EACH PHASE OF THE IMPROVED SDRP PROTOCOL (EXCEPT THE SENSOR NODE VERIFICATION PHASE).

Key setup User public/private key generation User signingTime (CPU = 1.6 GHz) (µs) 5709.5 1216.5 6617.5Time (CPU = 1.8 GHz) (µs) 5094.5 1050 5909.5Time (CPU = 2 GHz) (µs) 4595.5 995.5 5211

Time (CPU = 2.2 GHz) (µs) 4153 852.5 4841Time (CPU = 2.4 GHz) (µs) 3813 801 4437Time (CPU = 2.6 GHz) (µs) 3505 720.5 4099Time (CPU = 3.1 GHz) (µs) 2933 621 3414.5

TABLE IVTHE CODE SIZES OF VERIFICATION IMPLEMENTATION OF SIGNATURE MESSAGES IN THE ORIGINAL SDRP AND THE IMPROVED SDRP.

The original SDRP The improved SDRP

TelosB ROM (bytes) 22,990 22,504RAM (bytes) 660 864

MicaZ ROM (bytes) 24,530 24,216RAM (bytes) 620 816

and then sees whether h∗ is equal to h or not, where h is fromσj . If the result is positive, the signature σj is valid; otherwise,the node simply drops the signature.

c) This step is same as Step c) of the Sensor NodeVerification Phase of the original SDRP protocol.

B. Implementation and Performance Evaluation

First, we evaluate the performance of the improved SDRPwith respect to the protocols operated by the network ownerand user. In our experiment, the network owner and sen-sor network user side programs have been implemented inC++ (using the integer arithmetic in the publicly availablecryptographic library MIRACL [26]) and executed in LaptopPCs (with 2 GB RAM) under Ubuntu 11.04 environmentwith different computational power. The ηT [27] pairingalgorithm over the field F397 is used (using Barreto’s opensource code [28]). Thus, the pairing is symmetric, the lengthof each element of G1 is 20 bytes, and the length of eachelement of Z∗p is also 20 bytes. As the original SDRP, in ourimplementation, the byte length of UIDj , Prij , and m are setto 2, 16, and 29. Table III gives the execution time of somemajor operations in the improved SDRP. We have executedeach operation for twenty thousand times and taken an averageover them. For example, the execution time of the networkowner for the key setup phase and generating public/privatekey operation (for each network user) are 3.505 ms and0.7205 ms on a 2.6-GHz Laptop PC, respectively. Also, thesignature generation time for a network user is 6.6175 ms ona 1.6-GHz Laptop PC.

Next, we consider the signature message overhead of theimproved SDRP without considering packet headers. Theoverhead is |UIDj | + |Prij | + |m| + |σj | = 2 + 16 + 29 +20 + 20 = 87 bytes. Obviously, the transmission overhead ofthe improved SDRP is very low, which is very suitable forlow-bandwidth WSNs.

In typical WSNs, sensor nodes are usually resource-constrained and battery-limited, they may not be able to ex-ecute expensive cryptographic operations efficiently and thusbecome the bottleneck of a security protocol. Compared to thesignature verification algorithm of the original SDRP protocol

which mainly requires two pairing, one hash-to-point (with18-byte message (i.e., (UIDj‖Prij)) as input), and one pointscalar multiplication operations on a sensor node, the signatureverification algorithm of the improved SDRP protocol mainlyrequires one pairing, one point scalar multiplication, and oneexponentiation (over the field F(397)6 ) operations on a sensornode, and thus is more efficient.

We use the following two metrics to compare the originalSDRP with the improved SDRP, namely, memory overheadand execution time. The memory overhead measures the exactamount of data space required in the real implementation.Similarly, the execution time measures the time duration forthe signature verification operation of the two protocols.

The sensor node side programs are written in nesC and runon two kinds of resource-limited sensor nodes, i.e., MicaZ andTelosB motes. Our motes run TinyOS [29] version 2.x. TheMicaZ mote features an 8-bit, 8-MHz Atmel microcontrollerwith 4-kB RAM and 128-kB ROM. Also, the TelosB motehas an 8-MHz CPU, 10 kB RAM, 48-kB ROM, 1MB of flashmemory, and an 802.15.4/ZigBee radio.

Different from [21], here the implementation of sensornode side programs is completely based on TinyPairing (apairing-based cryptographic library) [30] and we do notdo any optimization. For example, the pairing, point scalarmultiplication, and SHA-1 hash operations from TinyPairingare employed. This implementation mainly involves Pairing,BaseField, ExtField2, SHA1, PointArith, and NN componentsof TinyPairing. According to Barreto’s open source code forthe ηT pairing operation, we implement the exponentiationoperation over the field F(397)6 based on TinyPairing.

Table IV shows the code sizes of verification implemen-tation in the original SDRP and the improved SDRP. Forexample, the implementation of signature verification in theimproved SDRP on a MicaZ mote uses only 816 bytes ofRAM and 24,216 bytes of ROM, respectively. On the otherhand, it uses only 864 bytes of RAM and 22,504 bytes ofROM on a TelosB mote, respectively. The resulting size ofour implementation for the improved SDRP corresponds toonly 19.92% and 18.47% of the RAM and ROM capacitiesof MicaZ, respectively. It is clear that the memory overhead



6

TABLE VEXECUTION TIME FOR SIGNATURE VERIFICATION OF THE ORIGINAL SDRP AND THE IMPROVED SDRP.

The original SDRP The improved SDRPTime on MicaZ mote (second) 13.793164 10.654834Time on TelosB mote (second) 33.578467 24.848052

TABLE VIEXECUTION TIME FOR EACH CRYPTOGRAPHIC OPERATION ON MICAZ AND TELOSB MOTES.

ηT pairing Hash-to-point (18 bytes as input) Exponentiation (over the field F(397)6 ) Point scalar multiplicationTime on MicaZ mote (second) 5.321611 0.642383 2.504658 2.498828Time on TelosB mote (second) 13.013672 1.451131 5.208311 6.041389

of the improved SDRP is comparable to that of the originalSDRP.

Table V gives the execution time for signature verificationof the original SDRP and the improved SDRP. For example,with respect to the improved SDRP, the execution time forsignature verification on a MicaZ mote and TelosB moteare about 10.65 seconds and 24.85 seconds, respectively.As demonstrated in [21], the proportion of this signatureverification time in the total reprogramming time is very small.Clearly, our experiment results show that for the signatureverification operation on sensor nodes, the improved SDRPis more efficient than the original SDRP.

Table VI gives the execution time for each cryptographicoperation on MicaZ and TelosB motes. For example, the ηTpairing operation takes 5.3216 seconds and 13.0137 secondson a MicaZ mote and TelosB mote, respectively. For the resultsin Tables V and VI, we perform each operation 200 times andtake an average over them.

Note that the time for signature verification on sensor nodescan be reduced through the use of the optimized cryptographicoperations. For example, in our implementation, the exponen-tiation operation can be optimized.

VI. CONCLUSION AND FUTURE WORK

In this paper, we have pointed out an inherent designweakness in the user pre-processing phase of a secure and dis-tributed reprogramming protocol, SDRP. The identified designweakness allows an adversary to impersonate any authorizeduser to reprogram sensor nodes. We also presented a mod-ification to fix the problem without sacrificing any desirablefeature of SDRP. Moreover, we have chosen Barreto’s identity-based signature algorithm as an example to show that, forsecurity and efficiency consideration, any efficient identity-based signature algorithm which has survived many years ofpublic scrutiny can be directly employed in SDRP.

Although Deluge is a de fecto standard and has beenincluded in TinyOS distributions [29], several more efficientcentralized reprogramming protocols have recently been pro-posed for WSNs, such as Rateless Deluge [31] and DIP [32].For example, compared to Deluge, Rateless Deluge has manyadvantages such as reducing latency at moderate levels ofpacket loss, being more scalable to dense networks, andgenerally consuming far less energy, a premium resource inWSNs. Thus, in order to further improve the reprogrammingefficiency of SDRP, future work should focus on how to

integrate SDRP with a more efficient reprogramming protocollike Rateless Deludge, leading to more secure and efficientdistributed reprogramming.

In some applications, the network owner and users aredifferent entities. A user may want to hide his/her reprogram-ming privacy from anyone else including the network owner.In future work, we will study how to support user privacy-preservation in distributed reprogramming.

REFERENCES

[1] V.C. Gungor and G.P. Hancke, “Industrial wireless sensor networks:challenges, design principles, and technical approaches,” IEEE Trans.Ind. Electron., vol. 56, no. 10, pp. 4258-4265, Oct. 2009.

[2] V.C. Gungor, B. Lu, and G.P. Hancke, “Opportunities and challengesof wireless sensor networks in smart grid,” IEEE Trans. Ind. Electron.,vol. 57, no. 10, pp. 3557-3564, Oct. 2010.

[3] J. Chen, X. Cao, P. Cheng, Y. Xiao, and Y. Sun, “Distributed collabora-tive control for industrial automation with wireless sensor and actuatornetworks,” IEEE Trans. Ind. Electron., vol. 57, no. 12, pp. 4219-4230,Dec. 2010.

[4] X. Cao, J. Chen, Y. Xiao, and Y. Sun, “Building-environment controlwith wireless sensor and actuator networks: centralized versus dis-tributed,” IEEE Trans. Ind. Electron., vol. 57, no. 11, pp. 3596-3604,Nov. 2010.

[5] J. Carmo, P. Mendes, C. Couto, and J. Correia, “A 2.4-GHz CMOS short-range wireless-sensor-network interface for automotive applications,”IEEE Trans. Ind. Electron., vol. 57, no. 5, pp. 1764-1771, May 2010.

[6] V. Naik, A. Arora, P. Sinha, and H. Zhang, “Sprinkler: a reliable andenergy efficient data dissemination service for extreme scale wirelessnetworks of embedded devices,” IEEE Trans. Mobile Computing, vol.6, no. 7, pp. 762-776, July 2007.

[7] L. Mottola and G. Picco, “Programming wireless sensor networks:fundamental concepts and state of the art,” ACM Computing Surveys,vol. 43, no. 3, pp. 1-51, April 2011.

[8] H. Song, V. Shin, and M. Jeon, “Mobile node localization using fusionprediction-based interacting multiple model in cricket sensor network,”IEEE Trans. Ind. Electron., vol. 59, no. 11, pp. 4349-4359, Nov. 2010.

[9] R.C. Luo and O. Chen, “Mobile sensor node deployment and asyn-chronous power management for wireless sensor networks,” IEEE Trans.Ind. Electron., vol. 59, no. 5, pp. 2377-2385, May 2012.

[10] H. Tan, J. Zic, S. Jha, and D. Ostry,“Secure multihop network pro-gramming with multiple one-way key chains,” IEEE Trans. MobileComputing, vol. 10, no. 1, pp.16-31, Jan. 2011.

[11] P. K. Dutta, J. W. Hui, D. C. Chu, and D. E. Culler, “Securing the delugenetwork programming system,” in Proc. IPSN ’06, pp. 326-333, 2006.

[12] C. Lim, “Secure code dissemination and remote image managementusing short-lived signatures in WSNs,” IEEE Commu. Letters, vol. 15,no. 4, pp. 362-364, April 2011.

[13] I. Doh, J. Lim, and K. Chae, “Code updates based on minimal backboneand group key management for secure sensor networks,” Mathematicaland Computer Modelling, Accepted and to appear, 2012.

[14] Y. Law, Y. Zhang, J. Jin, M. Palaniswami, and P. Havinga,“Securerateless deluge: pollution-resistant reprogramming and data dissemi-nation for wireless sensor networks,” EURASIP Journal on WirelessCommunications and Networking, vol. 2011, pp.1-21, 2011.

[15] C. Parra and J. Garcia-Macias,“A protocol for secure and energy-awarereprogramming in WSN,” in Proc. IWCMC ’09, pp. 292-297, 2009.



7

[16] N. Bui, O. Ugus, M. Dissegna, M. Rossi, and M. Zorzi, “An integratedsystem for secure code distribution in wireless sensor networks,” in Proc.Percom ’10, pp. 575-581, 2010.

[17] S. Hyun, P. Ning, A. Liu, and W. Du, “Seluge: Secure and dos-resistantcode dissemination in wireless sensor networks,” in Proc. IPSN ’08,pp. 445-456, 2008.

[18] D. He, S. Chan, C. Chen, and J. Bu, “Secure and efficient dynamic pro-gram update in wireless sensor networks,” Security and CommunicationNetworks, vol. 5, no. 7, pp. 823-830, July 2012.

[19] Geoss. http://www.epa.gov/geoss/.[20] NOPP, http://www.nopp.org/.[21] D. He, C. Chen, S. Chan, and J. Bu, “SDRP: A secure and efficient

reprogramming protocol for wireless sensor networks,” IEE Trans. Ind.Electron., vol. 59, no. 11, pp. 4155-4163, Nov. 2012.

[22] J. W. Hui and D. Culler, “The dynamic behavior of a data disseminationprotocol for network programming at scale,” in Proc. SenSys ’04, 2004.

[23] R. Merkle, “Protocols for public key cryptosystems,” in Proc. IEEES&P, pp. 122-134, 1980.

[24] D. Boneh, E. Goh, and K. Nissim, “Evaluating 2-dnf formulas onciphertexts,” in Proc. TCC 2005, vol. 3378 of LNCS. Springer-Verlag,2005.

[25] P. Barreto, B. Libert, N. McCullagh, and J.-J. Quisquater, “Efficient andprovably-secure identity-based signatures and signcryption from bilinearmaps,” in Proc. Asiacrypt 2005, pp. 515-532, 2005.

[26] M. Scott. MIRACL- A Multiprecision Integer and RationalArithmetic C/C++ Library. Shamus Software Ltd. Availableat http://www.shamus.ie/index.php?page=Downloads

[27] P. Barreto, S. Galbraith, C. O. hEigeartaigh, and M. Scott, “Efficientpairing computation on supersingular abelian varieties,” Designs, Codesand Cryptography, vol. 42, pp. 239-271, 2007.

[28] Paulo S. L. M. Barreto’s main-page: http://www.larc.usp.br/∼pbarreto/[29] TinyOS: An open-source OS for the networked sensor regime.

http://www.tinyos.net/.[30] X. Xiong, D. S. Wong, and X. Deng, “TinyPairing: A fast and

lightweight pairing-based cryptographic library for wireless sensor net-works,” in Proc. IEEE WCNC, pp. 1-6, 2010.

[31] A. Hagedorn, D. Starobinski, and A. Trachtenberg, “Rateless Deluge:Over-the-air programming of wireless sensor networks using randomlinear codes,” in Proc. ACM/IEEE IPSN, pp. 457-466, 2008.

[32] K. Lin and P. Levis, “Data discovery and dissemination with DIP,” inProc. ACM/IEEE IPSN, pp. 433-444, 2008.

Daojing He received his B.Eng. and M.Eng. de-grees in Computer Science from Harbin Institute ofTechnology in 2007 and 2009, respectively. He iscurrently a Ph.D. student in Zhejiang University, P.R.China. His research interests include network andsystems security with focuses on wireless security.He is associate editor or on the editorial board ofsome international journals such as Wiley’s Securityand Communication Networks Journal and KSIITransactions on Internet and Information Systems.He serves as TPC for IEEE Globecom 2011, IEEE

PIMRC 2011-2012, IEEE ICC 2012-2013, IEEE WCNC 2011-2012, etc.

Chun Chen received the bachelor degree in mathe-matics from Xiamen University, China, in 1981, andthe masters and PhD degrees in computer sciencefrom Zhejiang University, China, in 1984 and 1990,respectively. He is a professor in the College ofComputer Science, and the director of the Instituteof Computer Software at Zhejiang University. Hisresearch activity is in image processing, computervision, and embedded system.

Sammy Chan received his B.E. and M.Eng.Sc. de-grees in electrical engineering from the University ofMelbourne, Australia, in 1988 and 1990, respective-ly, and a Ph.D. degree in communication engineeringfrom the Royal Melbourne Institute of Technology,Australia, in 1995. From 1989 to 1994, he was withTelecom Australia Research Laboratories, first as aresearch engineer, and between 1992 and 1994 asa senior research engineer and project leader. SinceDecember 1994, he has been with the Departmentof Electronic Engineering, City University of Hong

Kong, where he is currently an associate professor.

Jiajun Bu received B.S. and Ph.D. degrees in com-puter science from Zhejiang University, China, in1995 and 2000, respectively. He is a professor in theCollege of Computer Science and deputy directorof the Institute of Computer Software at ZhejiangUniversity. His research interests include embeddedsystems, mobile multimedia, and data mining.

Laurence T. Yang is a professor in computerscience at St. Francis Xavier University, Canada.His research interests include parallel and distributedcomputing, embedded and ubiquitous computing.His research is supported by the National Sciencesand Engineering Research Council, and the CanadaFoundation for Innovation.

security analysis and improvement of a secure and...

Documents