SECURITY FOR WIRELESS SENSOR NETWORK

[Ali, 1(3): May, 2014] ISSN 2348 – 8034

GLOBAL JOURNAL OF ENGINEERING SCIENCE AND RESEARCHESSECURITY FOR WIRELESS SENSOR NETWORK

Dr. Qutaiba I. Ali 1, Nada I.Najim *2

Computer Engineering Department, College of Engineering, University ofMosul, Iraq

[email protected]

The integration between wireless Sensor Networks (WSN) and their serverby the base station (BS) is an important step in a variety of WSNapplications. Adding different security methods is an important and essentialprocedure to enhance the operation and safety of such integration. This paperfocused on the design and implementation challenges to localize an embeddedsecurity center into base station nodes which connects WSN to the labviewbased automation system (server). The suggested base station security centerconsists of two ciphering methods (AES & RC4) to provide data encryption tothe whole path from the WSN nodes to the server, an HMAC function to providemessage integrity and authentication between the base station and the server,a keys generation module, and a firewall. Our design takes into account the"embedded" nature of the base station (UBICOM IP2022 network processor chip inour case) and their limited resources and suggests different methods andprotocols to achieve its goals. The obtained results prove the possibility toinsert firewall functionality in the system with minimum effect of its normaloperation.Keywords: Wireless Sensor Network security, automation system, firewall, Basestation, Network Processor.

I. INTRODUCTIONWireless sensor networks (WSN) canbe used in industrial automationsystem for multiple purposes, suchas monitoring synchronous orasynchronous events that requireperiodic data collection ordetecting exceptional events,respectively [1]. For example,vibration, heat or thermal sensorscan be deployed in proximity ofmachines to monitor their health.The analysis of the measuredparameters can allow the detectionof abnormal operating conditions and

aids therefore in preventingpotential machine failure. Inaddition to machine monitoring, WSNscan be deployed to measure basicphysical quantities such aspressure, temperature, flow or morecomplex events such as processquality or automotive performance inindustrial environments [1]. Afteran event of interest occurs, one ofthe surrounding sensor nodes candetect it, generate a report, andtransmit the report to a basestations (BS) through multi hopwireless links[2], see Figure(1).

(C) Global Journal Of Engineering Science AndResearches

[26-28]

[Ali, 1(3): May, 2014] ISSN 2348 – 8034

Security is a basic requirement andessential in the design of wirelesssensor networks in order ensure thesafety of operations, and theconfidentiality of sensitive data.Security of WSN is a big challengedue to its limited resources such asenergy, Power supplies, small memory,computation and communicationcapabilities. This is the reasonthat traditional security techniquescannot be applied on sensornetworks, indirectly rising the needto make sensor network economicallyfeasible. There were many papersthat consider some of the mostsignificant WSN security problems.

Figure (1): A typical scenario of aWireless Sensor Network (WSN) and thecomponents of a sensor node

Most research on security in sensornetworks has focused on preventiontechniques, such as cryptography [3-4], key management [5-6] andauthentication techniques [7-8].Other papers study WSN attacks whichwere classified based on variouscriteria, such as the domain of theattackers, or the techniques used inattacks [9-10]. Recently, manypapers are presented an overview ofthe different applications of thewireless sensor networks andsecurity related issues due to thenature of these applications [11-12]. In this paper, a completesecurity frame work was added to theautomation system implemented byusing WSN in order to enhance itssecurity defense against differenttypes of threats and attacks. Theremainder of this paper is organizedas follows: section 2 includes thesuggested system architecture.Section 3 explains the cipheringmodule of the suggested system.Section 4 explains the keysgeneration module of the suggestedsystem. Section 5 includes thehardware implementation of WSN basestation armed with firewall onUBICOM platform with the results.Section 6 contains an overall systemevaluation and finally, section 7provides conclusions.

II. THE SUGGESTED SYSTEMARCHITECTURE

The proposed system is composed ofthree parts. See Figure (2):


[26-28]

BS

Sensor

Data flow from

Sensor to another Sensor

Data flow

from Sensor to Base station(S):

Sensor Node

S

S

SS

S

S

SS

Sensing field

Position finding system Mobilizer

Sensing unit Processing unit Transmission unit

Processor

Storage

Sensor ADC

Transceiver

Power unitPower

generator

[Ali, 1(3): May, 2014] ISSN 2348 – 8034

• The Server: A central hostcomputer (sometimes called HumanMachine Interface (HMI)).

• The Base station: which is analways-on facility that handlestranslation and buffering betweenthe server and the WSN motes andacts as a bridge between them.

• The Sensor motes: where differentnodes are connecting together toform the wireless sensor network.

In this system, sensor nodes aresensing various signals and sendingthem to the labview based automationsystem (HMI) through base station byusing wireless or wired connection,this connection was protected usingvarious security methods. Anexperimental prototype model of thebase station was built using UbicomIP2022 network processer platformwhich provides a fully integratedplatform: real Time Operating System(RTOS), UDP protocol stack, and thenecessary hardware. UBICOM’s IP2022chip embeds some basic hardware, butit permits combining it with on-chipsoftware to support the mostprevalent protocols. The same devicecan supports Ethernet, Bluetoothwireless technology, IEEE 802.11,and so on. The key to this approachis Software System on Chip (SOC)technology [13].UBICOM’s hardware includes thefollowing components as shown inFigure (3) [13].

64KB (32K x 16) Flash programmemory

16KB (8K x 16) SRAMdata/program memory

4KB (4K x 8) SRAM data memory Can be provided with external

flash memory (2M x 8) Two SerDes communication

blocks supporting common PHYs(Ethernet, USB, UARTs,Bluetooth, Wireless IEEE802.11, and so on.) andbridging applications

120MHz RISC processor Supports software

implementation of traditionalhardware functions

In-system reprogrammable andrun time self-programmable

Figure. (3) IP2022 Block Diagram


[26-28]

[Ali, 1(3): May, 2014] ISSN 2348 – 8034

The basic components for UBICOM'scomplete development environment canseparate to three essentialcomponents [13]:

1) UBICOM’s Software DevelopmentKit (SDK): UBICOM supportsmany software packages, likeipOS™, ipStack™, ipHAL™,ipModule™ and etc.

2) Red Hat GNUPro tools whichconsist of GCC ANSI Ccompiler, Assembler, Linker,and GNU debugger.

3) UBICOM’s Configuration ToolIntegrated tool to supportrapid development efforts.

UBICOM’s Unity IntegratedDevelopment Environment (IDE)contains Editor, project manager,graphic user interface to GNUdebugger, device programmer.

From security point of view, theattacker can hit the system in manyways and locations. For example, theserver could be attacked directlyand the link between the server andthe base station is also vulnerableto different types of attacks asshown in Figure (2). While theserver could be protected usingtraditional security methods, thebase station still needs to besecured against different types ofattacks. As mentioned earlier, thebase station node acts as a bridgebetween the WSN motes and theserver, therefore it needs to beprotected in both directions. Inorder to secure a message,confidentiality, integrity andmessage authentication must beadded. Also, an efficient firewallis needed to protect the base

station against the different typesof attacks. Finally, a suitable andsecured keys exchange procedure isrequired to transfer the keys of thedifferent security algorithms.Building on the above, we suggestthat the base station architecturemust be modified to include varioussecurity methods to construct whatwe called a base station securitycenter, see Figure (4). Thesuggested base station securitycenter consists of two cipheringmethods to provide data encryptionto the whole path from the WSN nodesto the server, an HMAC function toprovide message integrity andauthentication between the basestation and the server.

Figure (4): The Suggested Base stationArchitecture

III. THE CIPHERING MODULESOur effort to build the cipheringengines of the base stations'security center in Ubicom's


[26-28]

Key Ge

nera

tion

Modu

le

AES Ciphering ModuleRC4 Module

HMAC Module

Firewall

Data Management Module

Wireless Module 1(with WSN Nodes)

Wireless or Wired Module 2(With Server)

Base Station Security Center

void aes_decrypt(aes_block a,aes_round_keysrk); aes_block a: a pointer to an array of 16bytes of ciphertext to decrypt.aes_round_keysrk: a pointer to a 176 bytearray that contains the round keys.

[Ali, 1(3): May, 2014] ISSN 2348 – 8034

environment could be explained asfollows:A.AES algorithm (Advanced EncryptionStandard)

Which is chosen to provide theprivacy or confidentialitymechanisms to protect thetransmitted packets between thebase station and the server againstunauthorized reading. The AESalgorithm is capable of usingcryptographic keys of 128, 192, and256 bits to encrypt and decryptdata in blocks of 128 bits [14].UBICOM platform supports key sizeof 128 bits only, so that thislength of key will be used. Thefunctions that are used to executethe AES algorithm in order toencrypt the transmitted packet fileare as follow: The function that expands the AESkey into the round keys array whichmust be passed to the encryption anddecryption functions, not the keyitself, is as follows:

void aes_compute_round_keys(aes_blockk, aes_round_keysrk); aes_block k: a pointer to the 16 byte AESkey.aes_round_keysrk: a pointer to a 176byte array that will contain the round keys.

The following function encrypts the16 bytes of plaintext pointed to bya, leaving the resulting ciphertextin the same array. The round keyarray must be derived from the 128bit key using the first function. The following function decryptsthe 16 bytes of ciphertext pointedto by a, leaving the resultingplaintext in the same array. Theround key array must be derived from

the 128 bit key using the firstfunction. The speed and space requirements ofthis function can be adjusted usingthe configuration tool of ipAESpackage that is specified for thisalgorithm on UBICOM platform. Figure(5a) shows the time variation of AESEncryption & Decryption delay withinthe Ubicom platform with respect topacket size (payload) variation attransport layer with UDP protocol.

B. SHA512SHA512 is one member of a family

of cryptographic hash functions thattogether are known as SHA-2. Thebasic computation for the algorithmtakes as input a block of input datathat is 1024 bits (128 bytes) and astate vector that is 512 bits (64bytes) in size, and it produces amodified state vector. It is afollow-on to the earlier hashalgorithms MD5 and SHA-1, and it isbecoming increasingly important forsecure internet traffic and otherauthentication problems. Thealgorithm operates on 64-bit QWORDs,so the state is viewed as 8 QWORDs(commonly called A…H) and the inputdata is viewed as 16 QWORDs. Thealgorithm consists of two steps. Thefirst step is a “message scheduler”that takes the input 16 QWORDs andcomputes 64 new QWORDs. Togetherwith the original 16 QWORDs, these


[26-28]

Void aes_encrypt(aes_block a,aes_round_keysrk); aes_block a: a pointer to an array of 16bytes of plaintext to encrypt.aes_round_keysrk: a pointer to a 176 bytearray that contains the round keys.

[Ali, 1(3): May, 2014] ISSN 2348 – 8034

form a vector of 80 QWORDs that isthe input to the second step. Thissecond step consists of 80 “rounds”where the form of the calculationsin each round is the same. Eachround takes as input the 8 stateQWORDs, the corresponding inputQWORD (after scheduling), and around-specific constant, generatingupdated state QWORDS. After allrounds have executed, the resultingstate vector is added to theoriginal state vector, and thisresults in the new state vector. Ifthe input consists of multipleblocks, this process is repeated foreach block [15].

The digest created by a hashfunction is normally called amodification detection code (MDC).The code can detect any modificationin the message. To provide messageauthentication, a modificationdetection code must be changed to amessage authentication code (MAC).This idea is a hashed MAC, calledHMAC that can use any standardkeyless hash function such as SHA-lor SHA-2. HMAC creates a nested MACby applying a keyless hash functionto the concatenation of the messageand an AES symmetric key [16]... TheSHA512 function that is executed tocomputes the HMAC-SHA2 messagedigest of the 128 bytes data inUbicom platform is follows:

void hmac_sha2_create_digest(u64_t*digest, u8_t *input,addr_tinput_len, u8_t *key,addr_tkey_len); u64_t *digest: Pointer to the blockof data to which the digest will bewritten.

u8_t *input: Pointer to the blockof data over which the digest willbe calculated.addr_t input_len: Amount of data tobe used to generate the digestvalue.u8_t *key: Pointer to the key to beused in generating the digest.addr_t key_len: Length of the keyin bytes.

Figure (5b) shows the time variationof HMAC delay within the Ubicomplatform with respect to packet size(payload) variation at transportlayer with UDP protocol.

C. RC4 Module: RC4 is a stream cipher widelyused in many applications today andin wireless networks. With a uniquekey, a stream of pseudo-randomnumbers is generated. Then, theencryption of data using RC4 issimply based on XORing the pseudo-random numbers from the stream withthe data [17]. RC4 is known to befast and efficient, so that, wesuggest to use 128 bit RC4 (as alight weight and fast streamciphering algorithm) to provide areasonable level of privacy (withminimum load on the motesprocessers) to protect thetransmitted packets between the basestation and its associated motes. Inorder to strength RC4 functionality,its ciphering key was changedrapidly every 30 Minute using thekeys generation module mentionedlater. Ubicom platform has ready touse RC4 software module which wasused for this


[26-28]

[Ali, 1(3): May, 2014] ISSN 2348 – 8034

Purpose. The function was used toinitializes an encryption contextthat will be used by the encryptionfunctions at Ubicom platform wasshown below. During contextinitialization we take the keydetails provided to determine theinitial encryption state.

Figure (5c) shows the time variationof RC4 Encryption & Decryption delaywithin the Ubicom platform withrespect to packet size (payload)variation at transport layer withUDP protocol. Figure (6) shows thesecurity techniques which areexecuted at update sever and UBICOMPlatform.


[26-28]

[Ali, 1(3): May, 2014] ISSN 2348 – 8034

(a)

IV. KEYS GENERATION &DISTRIBUTION MODULE

The above security algorithms needdifferent keys in order to performtheir functionality. Also, thesekeys must be changed at regular timeintervals to harden the task of theeavesdroppers who attempt to breakthe ciphering algorithm bydiscovering its secured key. It isobvious that keys exchanging amongthe server, the base station and theWSN nodes is essential to performkeys update process. In this paper


[26-28]

[Ali, 1(3): May, 2014] ISSN 2348 – 8034

we suggest a new method to performkeys updating procedure withoutexchanging any piece of data. Ourkeys updating method suppose theexistence of synchronized and equivalentpseudo random number generators in thethree parts of the system, havingthe same code functionality, theirseeds are equal and generate theiroutputs at the same time intervals,see Figure(7). In order to performthis keys exchanging method, theadministrator must first configurethe base station to have the sametiming values (i.e., Date and Time)of the server prior to place it inthe field (the same procedure isrepeated for the WSN nodes withrespect to their base station).Then, the administrator must alsodetermine the keys update interval,e.g., every one hour. We used theUbicoms' function RND ( ) as thepseudorandom number generators andfed it with the same seed value ofthe servers' pseudorandom numbergenerator (another pseudorandomnumber generator has the motes seedswas used to update the RC4 keys).This function was programmed toproduce an (128 bit AES key + 128bit HMAC key + 128 bit RC4 Key =384bit) output (AES & HMAC & RC4)every one hour in synchronous withthe server (PRNG1 & PRNG2 pair). Onthe other hand, PRNG3 & PRNG4 pairare triggered every 30 Minute tochange the 128 bit RC4 Keys.

Figure (7): The Suggested KeysGeneration Algorithm

V. FIREWALLThe suggested security system wasalso armed with an embedded firewallat the base station. A data packetthat matches a rule in the rule baseis allowed to pass through thefirewall into the base station; theremaining packets are consideredunsafe and hence, are discarded bythe firewall. A packet filteringrule specifies the filtering policyfor a data packet, i.e. whether toadmit the packet into the system orto discard it at the firewall. Theoperation of a rule is based on thedata packet’s source and destinationIP addresses the source anddestination port numbers, andtransport protocol of the packet.The Firewall Operation Flowchart atUbicom platform will perform asshown in Figure (8) below.


[26-28]

[Ali, 1(3): May, 2014] ISSN 2348 – 8034

Figure (8): IP2022 Firewall OperationFlowchart

The execution time at the proposedfirewall system for analysis IP andTCP headers is 30μs. Figure (6)shows the time variation of packetfiltering delay with respect tovariation the number of rules.

Figure (9): Filtering Delay vs. Numberof Rulse

VI. SYSTEM EVALUATIONIn order to evaluate the overallperformance of the suggested system,two additional tests were performed.The first one is to investigate thememory resources utilization by thedifferent security methods. Table 1declares that our software codeswere compact and consumes reasonable

amount (50%) of (80 Kbyte programram) and (less than 50%) of (4Kbyteof Data ram) at the Ubicom. Thisresources optimization allows theUbicoms' platform to perform itsbase station functionality withoutreaching memory bottleneck (orfullness) state.

Table 1: Memory Utilization of theSuggested Security Algorithms

The second test was performed tomeasure the total delay caused bythe adoption of the base stationsecurity methods. Response time canbe defined as the time needed totransfer a packet from Ubicomplatform to the server. The response time was measuredbetween the server and the basestation. See figure (10) shows thevariation in the delay value withrespect to different packets sizes(payload size). It is noted that thedelay values could be effective whentransferring relatively largepackets due to the furtherprocessing needed to perform thedifferent security tasks in variouslocations in the system.


[26-28]

[Ali, 1(3): May, 2014] ISSN 2348 – 8034

0

40

80

120

160Ad

diti

onal

Del

ay

(ms)

Figure (10): Response Delay Variationvs. Packet Size

VII. CONCLUSIONSWSNs can be used for multiplepurposes, such as monitoringsynchronous or asynchronous eventsthat require periodic datacollection or detecting exceptionalevents, respectively. So, the needfor security becomes vital.However, in this paper, we suggestthe adoption of low cost embeddednetwork processor to support thesecurity. We believe that thecurrent method has severaladvantages which make it as anattractive, flexible, reasonableresource utilization and strongsecurity solution. This method canwork on any UBICOM platform and canbe upgraded at any time easily.

VIII. REFERENCES[1] Christin, Delphine, Parag S. Mogre,

and Matthias Hollick. "Survey onwireless sensor network technologiesfor industrial automation: thesecurity and quality of serviceperspectives." Future Internet 2.2

(2010): 96-125.

[2] Kavitha T., Sridharan D. "SecurityVulnerabilities in Wireless SensorNetworks: A Survey.” Journal ofInformation Assurance and Security5 (2010) 031-044.

[3] Didla S., Ault A., and Bagchi S.,“Optimizing AES for embeddeddevices and wireless sensornetworks,” in Proceedings of the 4thInternational Conference onTestbeds and researchinfrastructures for the developmentof networks & communities,Belgium, 2008.

[4] Vivaksha Jariwala, Devesh Jinwala. "ANovel Approach for Secure DataAggregation in Wireless SensorNetworks." arXiv preprint arXiv:1203.4698 (2012).

[5] Kausar F., Masood F. and Hussain S...“An Authenticated Key ManagementScheme for Hierarchical WirelessSensor Networks,” In Advances inCommunication Systems andElectrical Engineering, Lecture Notesin Electrical Engineering, Vol. 4,2008, pp. 85-98.

[6] Gawdan I., Chow C., Zia T., SarhanQ., “A Novel Secure Key Managementfor Hierarchical Wireless SensorNetworks,” In Proceeding of2011Third Conference on ComputationalIntelligence, Modeling andSimulation (CIMSiM), 2011 , pp. 312 -316.

[7] He, D.; Gao, Y.; Chan, S.; Chen, C.; Bu,J. An enhanced two-factor userauthentication scheme in wirelesssensor networks', Int. J. Ad-HocSensor Wireless Network. 2010, pp1-11.

[8] Pardeep Kumar, Sang-Gon Lee,Hoon-Jae Lee, “E-SAP: Efficient-StrongAuthentication Protocol for


[26-28]

[Ali, 1(3): May, 2014] ISSN 2348 – 8034

Healthcare Applications UsingWireless Medical Sensor Networks,”Sensors 2012, 12, 1625-1647; doi:10.3390/s120201625.

[9] Manju. V.C, “Study of Security Issuesin Wireless Sensor Network”,International Journal of EngineeringScience and Technology (IJEST), Vol.3, No.10, October 2011.

[10]Alazemi, Abdulaziz Rashid."Defending WSNs against jammingattacks.”American Journal ofNetworks and Communications 2.2

(2013): 28-39.[11]Alcaraz, Cristina, and Javier Lopez. "A

security analysis for wireless sensormesh networks in highly criticalsystems." Systems, Man, andCybernetics, Part C: Applications andReviews, IEEE Transactions on 40.4

(2010): 419-428.[12]Prasanna, S., and Srinivasa Rao. "An

Overview of Wireless SensorNetworks Applications andSecurity." International Journal of

Soft Computing and Engineering

(IJSCE), ISSN (2012): 2231-2307.[13] IP2022 Wireless Network Processor

Features and PerformanceOptimized for Network ConnectivityIP2022 Data Sheet”, UBICOM, Inc.,22 Jan. 2009, Web Site:http//www.ubicom.com.

[14]Castellani, A. P.," Architecture andProtocols for the Internet of Things:A Case Study", In Proceedings of FirstInternational Workshop on the Webof Things (WoT), 2010.

[15]Gallagher, Patrick. "Secure HashStandard (SHS)." (2008).

[16] Forouzan, Behrouz, CatherineCoombs, and Sophia Chung Fegan.Introduction to dataCommunications and networking.McGraw-Hill, Inc., 1997.

[17]Büsching F., Kulau U., and Wolf l.“Architecture and Evaluation of INGA- An Inexpensive Node for GeneralApplications,” in IEEE SensorsConference, Taiwan, 2012, pp. 842–845.


[26-28]

SECURITY FOR WIRELESS SENSOR NETWORK

Documents

Transcript of SECURITY FOR WIRELESS SENSOR NETWORK