Design of an Architecture for Multiple Security Levels in Wireless Sensor Networks

Transcription

1 Design of an Architecture for Multiple Security Levels in Wireless Sensor Networks Jongdeog Lee Department of Information Science Korea Military Academy Seoul, Korea Sang H. Son Department of Computer Science University of Virginia Charlottesville, VA 22094, USA Mukesh Singhal Department of Computer Science University of Kentucky Lexington, KY 40506, USA Abstract With the increased application of wireless sensor networks (WSNs) in military, commercial, and home environments, securing the data in the network is a critical issue. Several security mechanisms, such as TinySec, have been introduced to address the need for security in WSNs. There are many applications, however, which require more than just protecting the data at a single level. For those applications, it is necessary to provide multilevel security (MLS) that can accommodate the different sensitivity levels of information as well as the different clearance levels of the users. In this paper, we apply the concept of MLS to the field of WSNs by employing the approach of multiple security levels (MSL). We employ cryptography techniques to realize the key aspects of MSL: the separation of different security levels and controlled information flow. Specifically, TinyKeyMan is selected as the key management scheme for this design due to its resilience to node compromise attacks. In addition, we evaluate the two dominant costs of the design: 1) communication overhead between different security levels and 2) the cryptography cost on the lifetime of a mote. The MSL design we propose is simple and incurs low developmental costs, making it well-suited to resource constrained WSNs. Keywords-multilevel security (MLS); multiple security levels (MSL); wireless sensor networks (WSNs) I. INTRODUCTION A number of applications for wireless sensor networks (WSNs) have been developed, ranging from military surveillance to smart home applications. Security requirements of WSNs are becoming critical as WSNs become more popular and more widely-used. Several security mechanisms have been introduced by researchers to support security in WSNs. However, none of these works have considered that users and information have different security clearances and sensitivities. For example, battalion commanders have higher security clearance than platoon leaders. How to share data with the only authorized people is the motivation of multilevel security (MLS) [1]. While MLS is conceptually straightforward and several models such as the Bell-La Padula model [2] have been introduced, it is very difficult to achieve in practice. Devices and chipsets which support MLS have been developed, but they require expensive designs and non-trivial efforts to This research work was supported, in part, by NSF CNS and KOSEF WCU Project R verify their properties [1]. Multiple Security Levels (MSL) are a practical approach to achieve the MLS property. The MSL approach segregates different security levels by using a different computing infrastructure. A security domain is a discrete network consisting of a set of nodes having the same security level. The guards (or firewalls) monitor and control the information flows among different security domains. The simplicity of MSL allows a node to employ an existing operating system (OS) with little modification. We decide to apply the approach of MSL to support MLS in WSNs because its simplicity is well-suited to resource constrained sensor nodes. In this paper, we propose an architecture to implement separation and controlled information flows among different security levels based on the MSL concept. In order to achieve them, we employ encryption. Each node encrypts (or decrypts) a message before sending (or after receiving) the message with a designated key over the radio in the link layer. In the network layer, separation and controlled information flow are enforced by a key management. Keys are distributed in the following manner: nodes in the same security level share a group key with each other but not with different security levels. Since there is no shared key among different security levels, each level is isolated. Controlled information flow is preserved by the guards. The guards share keys with every security level. If a node wants to send a message to a node in a different security level, it needs to send the message to one of the guards first. The guard decrypts the message with the sender s key and sends it to the target node after encryption using the shared key of the target node. Node compromise is a critical problem to the key-based security since disclosed keys can be used by adversaries to compromise the system. Unfortunately, physical access to sensor nodes is possible since they are deployed in insecure environments in a number of applications such as VigilNet [3]. All messages exchanged in the security level to which the captured node is a member will be exposed to adversaries. TinyKeyMan [4] is used to set up pair-wise keys in each group to remedy the problem since it is known as a highly resilient key management scheme for node compromise attacks. Two nodes construct a symmetric-key using a

2 shared polynomial and can securely communicate with each other until about 60% of nodes are compromised [4]. The contributions of this paper are two-fold. First, to the best of our knowledge, this is the first work to create the MLS environment in WSNs. The MSL approach is selected after carefully considering practical approaches to support MLS, and is successfully applied to WSNs after addressing the problems described above. Second, we evaluated the costs caused by the design: 1) network traffic overhead when nodes in different groups communicate and 2) the lifetime of a mote affected by cryptography. The results are beneficial to designers to estimate the costs caused by the system architecture. The rest of this paper is organized as follows. Section 2 presents related work. Our proposed MSL architecture for WSNs is described in Section 3. Section 4 provides a discussion of the important issues of the architecture, including the message overhead cost introduced by the architecture. Another cost of the architecture, cryptography, is also detailed. Section 5 concludes the work and identifies the future work. II. RELATED WORK Teng et al. [5] suggest the multi-layer encryption (MLE) scheme for multi-level access control in WSNs. In this work, users are assigned different group keys with respect to their security clearance. Lower level users have hashed keys of higher level users; thus, the highest level users can access every part of the message while lower level users are allowed to decrypt only the limited parts of the message. This work utilizes one function of MLS by using MLE rather than creating an MLS environment. Although MLS has not been examined much, security in general is not a new topic in WSNs. TinySec [6], a link layer security architecture for WSNs, is provided as a library for TinyOS. It contains two block ciphers, RC5 and Skipjack, as encryption algorithms, and Cipher Block Chaining (CBC) supports encryption and decryption of messages longer than the size of a block. Message integrity and authentication are guaranteed by CBC Message Authentication Code (CBC- MAC). Unfortunately, TinySec introduces a 10 percent overhead with respect to energy, latency, and bandwidth [6]. Another software package, TinyECC [7], implements Elliptic Curve Cryptography (ECC), which turns out to be one of the efficient types of public-key cryptography (PKC) in the context of WSNs. Liu et al. [7] provide three different levels of security strength by using different key sizes. However, since public-key encryption algorithms consume significant energy, they are not very suitable for WSNs. Therefore, TinyECC is mainly used for infrequent events such as key distribution. As the above approaches illustrate, encryption algorithms have been heavily investigated in WSNs with various key management schemes. The reason is that any node within the Figure 1. The MSL model [1]. Guards monitor and control communication between different security domains. radio range can readily overhear the transmitted messages in wireless communication. In such environments, encryption is the proper way to keep data confidential. It is why we employ an encryption scheme for separation and controlled information flow among different security levels, which are two key aspects of the MSL architecture. III. MUTIPLE SECURITY LEVELS ARCHITECTURE A. Design Decision One practical approach to implementing MLS is using MSL, in which each security domain is segregated using different computing devices. A security domain runs on the system high mode of operation as shown in Figure 1. Note that the system high mode is the opposite term to the multilevel mode. While all users are cleared to access any data on the system in the system high mode, not all users on the system have the valid security clearance for all data in the multilevel mode. MSL is relatively straightforward, requiring even less development and accreditation effort than other approaches [1]. On the downside, this architecture may cause communication overhead because inter-group communication should go through the guards. Thus, it could degrade overall performance of the network. The MSL approach is simple and incurs low developmental costs. Since the system high mode of operation has been used for many years, existing commercial off-the-shelf technologies can be used directly [1]. A typical OS, currently used on sensor nodes, can be employed to support MLS in the MSL approach with little modification. It would not only decrease the implementation cost but allow designers to use more memory space for the applications because of the small size of the OS. Based on these considerations, we decide to use MSL. B. Node Level Design 1) Sensor Nodes: We assume that the system allows nodes to be reprogrammed on-the-fly. Thus, an application loaded on a node is not necessarily trusted it could be malware. The challenge is how to enforce applications loaded on sensor nodes to use cryptography for data transmissions. As

3 Figure 2. The architecture of a sensor node. The first employs cryptographic hardware, and the second uses a trusted kernel. shown in Figure 2, an application should not be able to bypass the cryptography. The best way to enforce cryptography is to use cryptographic hardware that is provided in a radio such as CC2420 [8] as shown in Figure 2 (a). Although an application can toggle hardware AES-128 by setting special security registers, a digital hardware filter could intercept all commands passed to the radio chip and discard any instructions that disable the cryptographic hardware. If applications cannot disable the cryptographic hardware (i.e. no interface is given to applications), the hardware digital filter would not be necessary, and the implementation cost would be reduced. If hardware support is unavailable, another way to enforce encryption is via a trusted kernel (Figure 2 (b)). Instead of an application interfacing with the radio, it requests that the kernel transmits a message. The trusted kernel encrypts the message using the agreed key before sending the message. When receiving a message, the kernel decrypts the message and passes it to the application. By preventing an application from interfacing with the radio directly, applications are enforced to use cryptography in the link layer. While a kernel-based OS is not widely used in WSNs, there has been research in this area [9]. Both cryptographic hardware and a trusted kernel enforce applications to use cryptography before transmitting data over the radio. 2) Guards: A guard is a special node that connects different security groups. While each sensor node has its own group key, a guard is given the key of every group. It decrypts a message using the sender s key and re-encrypts it using the receiver s key. Note that a guard contains information about node group membership; thus, it is able to identify the correct keys by recognizing the source and destination of the packet. Both a collator and a downgrader contain a filter to control the flow of information. As shown in Figure 3, a collator discards all requests to send messages to lower security levels. A collator compares the security levels of the source and destination, and rejects the request if the security level of the source is higher than that of the destination. In contrast, a downgrader s filter only accepts requests to send messages from higher security levels to lower security levels. While information flow from a higher Figure 3. The architecture of a collator (a) and a downgrader (b). A collator discards all messages sent from higher security levels to lower security levels. A downgrader s filter functions differently. It only allows information to flow from higher security levels to lower security levels. security level to a lower security level is typically against the default security policy, this function is essential in MLS. For instance, satellite information is considered top secret but needs to be downgraded so that pilots, who are classified users, can access the information about the exact location of the enemy force. This is known as the sensor-toshooter problem [10]. However, a general-purpose strategy of automatically downgrading information remains an open problem, and solutions proposed in the literature are handled on a case-by-case basis [10]. Especially, the MSL approach makes it difficult to downgrade information without human intervention because of a lack of flexibility [1]. A downgrader s filter should interact with the security officers so that they can make the correct judgement by understanding the semantics of the messages. Therefore, we propose that base nodes take the place of downgraders since base nodes are connected to base stations and provide an interface to the users through these connections. Further explanation of a collator and a downgrader with a key management scheme is provided in Section III-C2. C. Network Level Design In this section, we elaborate on how a sensor node communicates with other nodes in the same group and those in a different group. The overall flow of information is presented in Figure 4. In contrast to intra-group communication, intergroup communication is controlled by collators and downgraders. Users are able to join the network by using mobile devices. The base node authenticates the user s device and provides the user the appropriate group key. Users can then communicate with nodes in the same security level. 1) Intra-group Communication: Nodes in the same group communicate with each other using a group key; this scheme prevents other nodes from decrypting the message. However, if the group has a single key and if the key is disclosed by node compromise attacks, all messages in the group will be readable using the compromised key. In order to deal with this undesirable situation, we use TinyKeyMan [4], a pairwise key management scheme, which is extremely resilient to node compromise attack.

4 Figure 4. Controlled information flow in MSL. Inter-group communication occurs via guards; the upstream flow and downstream flow are controlled by a collator and a downgrader respectively. Nodes in the same group are able to communicate using shared keys. A user s device is assigned keys with respect to his security clearance so that the device can join the group. Blundo et al. [11] established pair-wise keys using a bivariate t-degree polynomial t f(x, y) = a ij x i y j i,j=0 over a finite field F q, which has the property of f(x, y) = f(y, x). Every node has f(i, y), where i is the source ID and y is a variable for the destination ID. Suppose that nodes 1 and 2 want to generate a symmetric-key for secure communication. Node 1 having f(1, y) computes f(1, 2) to communicate with node 2. Node 2 can also derive f(2, 1) from f(2, y). Since f(1, 2) is identical to f(2, 1), it is used as a symmetric-key for communication between them. Blundo s method is limited in that it is not secure if the number of compromised nodes is more than t, the degree of the bivariate polynomial. The parameter t is dependent on memory size which is a scarce resource in WSNs. In order to address this issue, TinyKeyMan uses multiple polynomials instead of one. It consists of three phases. Phase one is predistribution, where node i has a polynomial set from the pool consisting of f 1 (i, y), f 2 (i, y),..., f n (i, y), where n is the number of polynomials in the pool. A set could be decided randomly or predetermined. In the second phase, direct key establishment, nodes having the same polynomials establish symmetric keys using the property of f(x, y) = f(y, x). If this phase fails (i.e. two nodes do not share polynomials), phase three is invoked. Intermediate nodes that share polynomials with both will form a bridge between them. An intermediate node decrypts the received message with the sender s key and send the message after encryption with the receiver s key. Liu et al. have shown that their method is extremely resistant to node compromise attacks: secure communication is guaranteed until 60% of all nodes in the network are compromised. This result outperforms the q- composite and basic probabilistic schemes [4]. We employ TinyKeyMan to establish pairwise keys among Figure 5. An example of inter-group communication. The solid line denotes the flow from the confidential node (B) to the top secret node (A) and the dot line represents the reverse flow (i.e. from A to B). Nodes are able to communicate with each other if there are shared polynomials among them. nodes in the same group. Each group has a different polynomial pool, and each node is assigned a set of polynomials from the pool of the group. A node must have a direct path (formed in phase 2) or an indirect path (formed during phase 3) to all nodes in the same group and intra-group communication is carried out using these keys. Each group s polynomial pool must be disjoint from those of other groups in order to disable direct communication between groups. Otherwise, nodes in different security levels can communicate directly using shared polynomials. 2) Inter-group Communication: Inter-group communication is controlled by two types of guards: collators and downgraders. Their architectures and roles were described in Section III-B2. Collators and downgraders are assigned polynomial sets from every group. They are able to communicate with each security level using shared polynomials as intra-group communication. Figure 5 illustrates an example of inter-group communication. Suppose that A is a top secret node, and B is a confidential node. Let C be a collator, and D be a downgrader. Node A has the polynomial set {f 1, f 3, f 5, f 7 } and node B has the set {f 23, f 24, f 28, f 29 }. Nodes C and D have polynomial sets {f 3, f 13, f 23, f 33 } and {f 5, f 15, f 25, f 35 } respectively. If node B wants to send a message to node A, it sends the message to node C after encrypting the message using f 23. Then, node C decrypts the message and re-encrypts it using f 3. In the same manner, if the flow is reversed (i.e. from A to B), node D becomes the intermediary node between A and B. Since node B does not share polynomials with node D (i.e. phase 2 fails), D needs to find an indirect path (phase 3) to deliver the message to B. Assume that E is also confidential and has polynomials {f 21, f 25, f 27, f 29 }, D sends its message to E using f 25 and, E passes it to B using f 29. A collator and a downgrader can communicate with every group. While a compromised sensor node only affects its own group, a compromised collator or downgrader endangers the whole network. We discuss the potential security

5 vulnerability of collators and downgraders in the following subsections. Collator: A collator is responsible for an information flow from lower security levels to higher security levels. Since it is possible for the collators to be deployed in insecure environments (i.e. node capture is possible), they are vulnerable to node compromise attacks. As discussed earlier, however, TinyKeyMan is very resilient to node compromise attacks. Thus, non-compromised nodes can still communicate securely even if the polynomials of some collators are disclosed. A more serious problem occurs when attackers capture a collator and manipulate its codes. As defined above, a collator provides uni-directional communication. If the device is manipulated so information flows from high security levels to low security levels, it could be a serious problem. Suppose that a secret level node sends a message to a top secret level node through the manipulated collator. Instead of routing the message to the top secret level node, it could send it to a different node with a lower security level. This is a violation of the security policy since secret information is leaked to unauthorized nodes (confidential or unclassified). In order to make it more difficult for adversaries to compromise a collator, we assume that a collator has memory with security protection. Curry created an embedded memory with security row lock protection [12]. The device allows external memory access by first reading the corresponding security bit. If the security bit is unlocked, the device returns the actual value stored in the requested position. However, if the security bit is set for the requested location, a zero value is returned. Even if the security bits are erased, the secured contents in the locked positions are also removed at the same time [12]. Since adversaries acquire neither programming codes nor keys by capturing collators, it would be very difficult for them to manipulate the code of a collator. Memory protection may require additional implementation effort and may increase the price of the device. However, these costs and effort remain minimal since collators represent only a small portion of the whole network. Further, collators presumably already contain important information. It is reasonable to assume that collators possess better computing resources than other sensor nodes. Downgrader: A downgrader releases information from high security levels to low security levels. When a downgrader is compromised, a message could be downgraded below its designated level. For instance, a top secret message, which is supposed to be downgraded to the secret level, could be downgraded to the unclassified level by a malicious downgrader. Because the damage by a malicious downgrader can affect all security levels, it is a more serious problem than a malicious collator, which does not affect the top secret level. It is important to note that the security policy can be broken without compromising a downgrader. A malfunction of the system or malware could request that information, which should remain secret, be downgraded. Since the information is sent to a downgrader, the downgrader would introduce the message to a lower security level. Once the information is downgraded, it would not be easy to find and to remove the information. In order to prevent this situation, a downgrader needs to understand the semantics of the message to make a correct judgment with respect to downgrading. As Hinton states, human intervention is necessary to resolve the downgrading problem [1]. A downgrader needs to interface with users and it must not be compromised. Since base nodes are connected to base stations and assumed to be more secure than other nodes, we believe that a base node should take the place of a downgrader. IV. EXPERIMENTS AND RESULTS A. Communication Overhead Evaluation Since it is necessary to send messages to guards in order to communicate with different security levels, network traffic overhead is an unavoidable cost for inter-group communication. We simulate inter-group communication to estimate the communication overhead. The purpose of the experiment is to estimate the message overhead in inter-group communication and to show that communication overhead can be reduced if the number of guards is increased. We use TinyOS-2 and TOSSIM for the simulation. MicaZ is selected as a sensor platform. Since a point-to-point traffic pattern is assumed, we selected the Tymo protocol, which is implemented in TinyOS- 2 [13]. Tymo is a TinyOS version of the Dymo protocol, a point-to-point routing protocol designed for Mobile Ad-hoc Networks (MANET). We created two network topologies consisting of 64 nodes: grid and random. In the grid topology, the distance between nodes is 2 meters. In the random topology, nodes are randomly deployed on a 20 meter by a 20 meter field. Let G denote the grid topology, and let R denote the random topology. To create a more realistic network environment, asymmetric links are assumed for both networks. Ten pairs of nodes are selected and each pair of nodes sends 100 messages between each other. We count the number of forwarded messages at intermediate nodes (M F ), and the number of successfully delivered messages at target nodes, (M D ). The average number of forwarded messages for one delivered message, M A, is computed by M F / M D. We performed our experiments using the Tymo protocol first without guards (intra-group communication) and then add a number of guards (1, 2, 4, 6, and 8) since we anticipate that increasing the number of guards will reduce network traffic overhead. Each experiment is performed 10 times. Topology G is examined first, and the result is shown in Figure 6. The result of the Tymo protocol without collators (intra-group communication) shows the fewest forwarded messages, M F, and most successfully delivered mesages,

6 Figure 6. The result of the grid topology with 64 nodes. Figure 8. The average number of forwarded messages for one delivered message in the grid topology and the random topology. Figure 7. The result of the random topology with 64 nodes. M D. When we add one collator to the network and force two nodes to communicate through the collator, there is a 240% increase in M F over intra-group communication while M D falls to 89% of that seen during intra-group communication. When we increase the number of collators, M F is reduced, and M D is close to that of intra-group communication. In the case of 4 collators, only 157% of the M F of intra-group communication is required, and M D is almost the same. Even if we continue to add more collators, the additional units do not help to reduce M F and to increase M D in topology G. As shown in Figure 8, M A is minimized when there are at least 4 collators in topology G. Figure 7 represents the results of the random topology. Comparing topology R to topology G, topology R requires more M F and delivers fewer M D than the grid topology. This is because the node density of the random topology is irregular. Some parts of the network are sparse; thus, there is a higher probability of dropping messages than the grid topology. With one collator, only 167% of the M F of intra-group communication is required, but there is a 23% reduction in M D. As in topology G, Figure 7 shows that increasing the number of collators reduces M F and increases M D. Although the number of nodes is the same for both topologies, more collators are required to minimize the network traffic overhead. While M A of 4 collators is about 197% of intra-group communication, M A of 8 collators is less than 150% as is shown in Figure 8. In our experiments, we increased the number of guards to determine an appropriate number of guards for both networks, G and R. As a result, about 6% of all nodes (4 collators) in topology G should be guards to minimize the network overhead while topology R requires about 12% (8 collators). It is simple to increase the number of collators, but it is difficult to add downgraders in our design since downgraders are base nodes (discussed in Section III-C2). Further, very few base nodes are typicially assumed in most applications. If we fix the number of base nodes to be 1, the message overhead of inter-group communication is about 268% of intra-group communication in topology G and 215% of that in topology R as shown in Figure 8. Based on these results, users can estimate overall network traffic overhead if they know the proportions of intra-group communication and inter-group communication. Note that inter-group communication has two components: the upstream (i.e., from low to high security) and the downstream (i.e., from high to low security). Suppose one network (called network A) whose traffic pattern is 50% intra-group communication, 40% upstream communication, and 10% downstream communication. The overall communication overhead in network A would be: Overhead G = Overhead R = If the ratio of inter-group communication increases, network traffic overhead also increases. Let network B have a traffic pattern of 10% intra-group communication, 50% upstream communication, and 40% downstream communication. In this case, the expected communication overhead in network B is: Overhead G = Overhead R = = 1.70 In comparison, between 30% and 40% overhead is introduced to network A while network B has between 70% and 96% overhead. Note that the traffic pattern of network B mainly consists of inter-group communication, while the dominant traffic pattern of network A is intra-group communication. This example indicates that the MSL architecture incurs higher overhead for the network consisting of high proportions of inter-group communication.

7 B. The Price of Cryptography The MSL architecture we propose employs cryptographic engines for each security domain. Although it is possible for every security domain to use the same encryption algorithm, having more powerful algorithms for higher security domains would be reasonable as security levels correspond to sensitivity. The strength of encryption algorithms, however, is not the only concern in WSNs due to the resource limitations of sensor nodes. Powerful algorithms may take up more memory as well as consume more energy. A good rule of thumb is to use the most powerful algorithm for every message, but the cost of the algorithm should not exceed the system s budget. While a low level security domain may use a light encryption algorithm rather than a heavy one, a high level security domain should use a powerful algorithm even if its cost is expensive. In order to balance the tradeoff between security strength and the cost of encryption, we must investigate several cryptography algorithms. 1) Examined Block Ciphers: We have implemented and analyzed four widely used block ciphers: Advanced Encryption Standard (AES), RC5, Skipjack, and Corrected Block Tiny Encryption Algorithm (XXTEA). RC5 and Skipjack are chosen because they are implemented in TinySec, while AES is the current encryption standard of the U.S. government and one of the most broadly used radios, CC2420, provides a hardware AES encryption. XXTEA is notable for its simplicity of implementation and small memory footprint, which make it a good candidate for running on the resourceconstrained sensor motes. 2) Security Strength: Currently, brute force is the only cryptanalysis that can be applied against AES, Skipjack, and XXTEA when they are used with the correct number of rounds and key-length. Because of that, we can directly compare the security strength of AES, Skipjack, and XXTEA based on the length of the key they use. The following hierarchy can be built: AES-256 > AES-192 > AES-128 = XXTEA (128-bit) > Skipjack (80-bit). In contrast to the above algorithms, all cryptographic parameters including the number of rounds are adjustable in RC5. Therefore, RC5 s security strength is determined by both the key size and the number of rounds. This makes RC5 difficult to compare to the other block ciphers. According to [14], using more than 16 rounds is considered to be sufficient protection. Based on this, the security strength of RC5-32/18/16 is equal to AES-128 and XXTEA, where 32 is the block size in bits, 18 is the number of rounds, and 16 is the key size in bytes. 3) Lifetime: We estimate the lifetime of a mote for better understanding of the cost of cryptography. We have implemented block ciphers on a MicaZ mote in nesc, which is the language used in TinyOS. We used a Tektronix MSO 4034 oscilloscope to measure the latency of the program in MicaZ. The MicaZ motes have 4 KB of RAM, 128 KB of ROM, and use a CC2420 radio. A micro-controller unit mode transmit receive sense MCU sleep current (ma) Table I CURRENT DRAW OF MICAZ FOR DIFFERENT STATES. of MicaZ is ATmega128L. The oscilloscope allowed us to measure the voltage drop in the circuit and determine the time it took for the different algorithms to execute. To measure the execution time of the algorithms we connect one of the mote s pins to the oscilloscope and use it to signal when a phase begins and finishes execution. The oscilloscope registers the changes of the pin s level and displays them on the screen. We believe that this method provides accurate measurements since the controlling of the pin does not significantly affect the MCU s latency or energy consumption. The results are given in [15]. The lifetime is dependent on the fraction of active and inactive states of a mote. Suppose that we have a MicaZ sensor node with an accelerometer sensor. The current draw for each mode is listed in Table I. Note that the current draw of transmit, receive, and sleep modes include the current draw of MCU, since we assume that a radio operates with an MCU. For example, the current draw of a radio is 17.4 ma when it transmits a message; thus, the current draw of the transmit mode, including the current draw of the MCU, is 17.4 ma + 8 ma = 25.4 ma. Let P (T ) denote the proportion of the lifetime that the mote sends a message, and P (R) denote the proportion of the lifetime of receiving a message. Let P (S) denote the proportion of the lifetime that the mote gets the value from the accelerometer. The proportion of the lifetime of inactive mode is denoted as P (I). P(E) and P(D) are the proportion of the lifetime of encryption and decryption, respectively. Then, average current, C, can be calculated in ma as C = P (E) 8 + P (T ) P (D) 8 +P (R) P (S) 9 + P (I) (1) A MicaZ mote is typically powered by a pair of AA batteries, which supply approximately 2200mAh at 3V. Therefore, its lifetime in hours can be computed as 2200 / C. We omitted other factors that can affect lifetime such as routing and MAC protocols for simplicity. This method has been used in lifetime estimation of a sentry in VigilNet [3]. If P (T ), P (R), and P (S) are 0.05, 0.05, and 0.2 respectively, the lifetime of a mote without security (i.e. P(E) and P(D) are 0) is about 492 hours (20.52 days). When using ciphers, the lifetime of a mote decreases. Suppose that the mote currently uses AES-128 and the length of payload is 16 bytes long. We compute P (E) and P (D) by comparing them to transmission delay. Chintalapudi et al. [16] estimated transmitting delay in µ sec as τ s = d, where d is the payload length in bytes

8 Figure 9. The lifetime of a mote according to different block ciphers. The leftmost bar denotes AES-256 and the rightmost bar denotes no security. Overall, the lifetime is decreased as the security strength increases except hardware AES-128. Hardware AES-128, which is built in CC2420, guarantees the almost same lifetime as no security, providing security as strong as AES-128, XXTEA, and RC5-32/18/16. We assume that the encryption delay of hardware AES-128 is same as its decryption delay. Since we assume that d is 16, the total time for transmission is about 1.24 ms. According to [15], encryption and decryption for 16 bytes take 1.53 ms and 3.52 ms respectively. By comparing them, P (E) = 0.06 and P (D) = According to equation (1), C is 6.06 ma; thus, the lifetime of a MicaZ mote in 363 hours (15.05 days). Figure 9 shows the expected lifetime of a mote according to different encryption algorithms. Up to 34.82% of lifetime reduction is measured. These results indicate that the choice of encryption algorithms can dramatically affect the lifetime of a mote. Certainly, the proper choice of cryptographic algorithms is critical to satisfy the requirements of the security strength and lifetime. The system designer must select an appropriate cryptography combination in order to satisfy both requirements. V. CONCLUSIONS AND FUTURE WORK While there is a need to support MLS in WSNs, not much research has been done in this area. To the best of our knowledge, we are the first to propose an architecture supporting MLS in WSNs. In order to separate security domains and control information flow, cryptographic technologies are employed. Confidentiality, authenticity, and integrity of information are maintained by the underlying cryptography. Also, the architecture inherits resilience to node compromise attacks from TinyKeyMan. However, intergroup communication introduces traffic overhead. Also, the choice of cryptography can change the lifetime dramatically. One-to-many and many-to-one traffic patterns would be inefficient in our architecture since the architecture is based on pair-wise keys. For efficiency, a global key or group key could be used but these are vulnerable to node compromise attacks. We plan to implement secure dissemination and collection protocols in our architecture as future work. We also plan to implement a prototype on a real platform. REFERENCES [1] G. D. Hinton, Multiple independent levels of security: The changing face of range information management in the 21st century, ITEA journal, pp , June/July [2] D. Bell and L. LaPadula, Secure computer system unified exposition and multics interpretation, MITRE Corp., Bedford, MA, Tech. Rep. MTR-2997, July [3] T. He, S. Krishnamurthy, J. A. Stankovic, T. Abdelzher, L. Luo, R. Stoleru, T. Yan, L. GU, G. Zhou, J. Hui, and B. Krogh, Vigilnet: An integrated sensor network system for energy-efficient surveillance, in ACM Transactions on Sensor Networks, [4] D. Liu and P. Ning, Establishing pairwise keys in distributed sensor networks, in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS 03), Washington D.C, October 2003, pp [5] P.-Y. Teng, S.-I. Huang, and A. Perrig, Multi-layer encryption for multi-level access control in wireless sensor networks, in Proceedings of The Ifip Tc 11 23rd International Information Security Conference, ser. IFIP International Federation for Information Processing, vol Springer Boston, July 2008, pp [6] C. Karlof, N. Sastry, and D. Wagner, TinySec: a link layer security architecture for wireless sensor networks, in SenSys 04: Proceedings of the 2nd international conference on Embedded networked sensor systems. New York, NY, USA: ACM, 2004, pp [7] A. Liu and P. Ning, Tinyecc: A configurable library for elliptic curve cryptography in wireless sensor networks, in IPSN. Los Alamitos, CA, USA: IEEE Computer Society, April 2008, pp [8] CC2420 Data Sheet, cc2420.pdf. [9] L. Gu and J. A. Stankovic, t-kernel: Providing reliable os support to wireless sensor networks, in ACM SenSys, November [10] Introduction to Multilevel Security, [11] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, Perfectly-secure key distribution for dynamic conferences, Lecture Notes in Computer Science, vol. 740, pp , [12] D. Curry, Embedded memory with security row lock protection, U.S. Patent 6,879,518 B1, filed November 21, 2003, and issued April 12, 2005, San Jose, CA, USA. [13] [14] N. R. Potlapally, S. Ravi, A. Raghunathan, and N. K. Jha, A study of the energy consumption characteristics of cryptographic algorithms and security protocols, IEEE Transactions on Mobile Computing, vol. 5, no. 2, pp , December [15] J. Lee, K. Kapitanova, and S. H. Son, Supporting multilevel security in wireless sensor networks, University of Virginia Department of Computer Sciences, Tech. Rep. CS , October [16] K. K. Chintalapudi and L. Venkatraman, On the design of mac protocols for low-latency hard real-time discrete control applications over hardware, in International Conference on Information Processing in Sensor Networks, 2008.