Trust-based Mutual Authentication for Bootstrapping in 6LoWPAN

Transcription

1 634 JOURNL OF COMMUNICTIONS, VOL. 7, NO. 8, UGUST 202 Trust-based Mutual uthentcaton for Bootstrappng n 6LoWPN Hong Yu College of Computer Scence and Technology, Bejng Unversty of Technology, Bejng 0024, Chna Emal: yuhong_0826@emals.bjut.edu.cn Jngsha He School of Software Engneerng, Bejng Unversty of Technology, Bejng 0024, Chna Emal: jhe@bjut.edu.cn bstract IPv6 over Low Power Wreless Personal rea Networ (6LoWPN) has emerged as a promsng technology to realze ambent ntellgence under the vson of the Internet of Thngs. Under most crcumstances, t s mperatve that securty be addressed from bootstrappng to data transmsson. In ths paper, we propose a secure bootstrappng scheme that ncludes mutual authentcaton and trust evaluaton to provde the frst securty measure for 6LoWPN. The scheme s based on mult-hop cluster-tree herarchcal topology n whch parwse eys between neghborng nodes and trust paths to the base staton (BS) are establshed at the same tme. Mutual authentcaton that s based on parng requres only the storage of one ey and the exchange of IDs consderng the computatonal complexty of publc ey algorthms and the frangblty of shared ey protocols. Trust evaluaton reles on multple crtera to acheve securty and energy effcency and to balance the whole networ. The BS also mantans a dynamc blaclst to prevent denal of servce (DoS) attacs. nalyss shows that the proposed scheme s secure and scalable. The energy cost n terms of computaton and communcaton as well as storage are also analyzed and compared to that of shared ey protocols and publc ey algorthms through quanttatve analyss. Index Terms 6LoWPN, securty, bootstrappng, mutual authentcaton, trust evaluaton I. INTRODUCTION Wth the development of wreless sensor networ (WSN) technology, the futurstc vson of the Internet of Thngs has emerged n whch all thngs on the earth can communcate wth each other. Therefore, t has become ncreasngly more mportant to ensure the accessblty of nodes n a sensor networ over IP, especally IPv6, n the near future. However, wth the characterstcs of small sze and lmted power, storage and calculaton capablty, a sensor node s a conundrum for the classc IPv6 protocol stac. To deal wth ths lmtaton, a new protocol,.e., 6LoWPN, has been proposed by IETF Manuscrpt receved ugust 3, 20; revsed December 22, 20; accepted prl 6, LoWPN Worng Group to enable most capabltes of IPv6 n a resource-constraned node [] and the transmsson of IPv6 pacets over low power wreless personal area networs based on IEEE standard [2]. 6LoWPN has probably paved the way for the mplementaton of the Internet of Thngs. 6LoWPN s desgned to support a varety of applcatons rangng from defense systems to health care, ndustral montorng, dsaster management, home automaton, and so on [3]. Many of the applcatons have certan securty requrements from bootstrappng to data transmsson. Therefore, the 6LoWPN Worng Group has vewed securty desgn as one of the goals and set some securty requrements such as secure bootstrappng and ey management [4]. However, feasble solutons are stll yet to be proposed. Normally, any node wthn the range of rado wave may access the 6LoWPN, resultng n fatal consequence to mltary applcatons. In addton, n many ndustral and consumer applcatons, t requres that montorng data be ept prvate from adversares. Therefore, t s necessary to mplement authentcaton of a new node when t tres to jon the networ at the tme of bootstrappng to guard aganst ntruders and to avod nteractons wth nodes from a neghborng networ. Bootstrappng ncludes all steps that mae a node become part of a networ, whch at the least conssts of mang aware of the presence of a new node to the BS or other exstng nodes, gettng basc nformaton about the personal area networ (PN), exchangng securty credentals and passng authentcaton phase, establshng parwse eys wth neghborng nodes as well as trust paths to the BS, and gettng an IPv6 address fnally. However, huge energy consumpton durng the bootstrappng phase can shorten the total lfe of the networ because n many applcatons, the replacement of the batteres s not possble after deployment. More specfcally, the number of messages that are exchanged, the storage n each node and the amount of computaton must be ept as low as possble. In general, secure bootstrappng should meet the followng two do:0.4304/jcm

2 JOURNL OF COMMUNICTIONS, VOL. 7, NO. 8, UGUST requrements: () at deployment, attacers cannot access the networ and acqure senstve nformaton even by eavesdroppng on networ s rado frequency; (2) after deployment, the mpact of node compromse cannot spread across the entre networ and new nodes can jon at any tme wthout any mpact to exstng nodes. However, energy and resource constrants n sensor nodes present a great challenge for proposng secure bootstrappng schemes n 6LoWPN. To prevent unauthorzed nodes from jonng a PN, authentcaton of a new node s essental to meet the frst requrement. On the other hand, authentcaton schemes desgned for the Internet cannot be appled drectly to 6LoWPN due to the complexty of Publc Key Infrastructure (PKI). Meanwhle, shared ey mechansms are too vulnerable to resst node compromse attacs to meet the second requrement. Therefore, lghtweght and robust authentcaton schemes should be consdered for bootstrappng n 6LoWPN. In ths paper, we present a secure bootstrappng scheme that can meet the above requrements whle tang nto consderaton the energy constrant of the sensor nodes. When a sensor node s tryng to jon the networ, t must pass mutual authentcaton and establsh parwse eys wth ts authentcated neghborng parents. Multple crtera wll be used n our scheme for the node to choose the most trusted node from authentcated parents to establsh a trust path to the BS. The remander of ths paper s structured as follows. In the next secton, we revew some related wor on bootstrappng schemes for 6LoWPN as well as on methods for authentcaton n sensor networs and for trust evaluaton. In Secton III, we present our bootstrappng scheme n whch we descrbe 6LoWPN topology and assumptons as well as protocols for authentcaton and trust evaluaton. In Secton IV, we analyze the securty, salablty and energy consumpton of the proposed scheme. Fnally, we conclude ths paper n Secton V n whch we also dscuss some future wor. II. RELTED WORK Research on bootstrappng n 6LoWPN s stll n the ntal stage and Neghbor Dscovery (ND) of 6LoWPN [5] has not been standardzed yet. The 6LoWPN Worng Group of IETF s worng on some ssues for bootstrappng such as reducng the amount of ND multcast traffc and allowng a sngle subnet to span multple routers. However, no mechansm has been proposed for authentcatng a new node. Moreover, f more than one 6LoWPN routers relay regstraton messages to the new node, there s no specfcaton regardng how the new node can select the best router to jon the PN.. Bootstrappng schemes for 6LoWPN There are currently two bootstrappng schemes desgned specfcally for 6LoWPN. Iram et al. proposed a smple lghtweght authentc bootstrappng scheme for 6LoWPN whch s ndependent of any ey management nfrastructure [6]. The scheme uses pre-shared eys n conjuncton wth a shared secret code for mutual authentcaton. The unque shared authentcaton ey between a parent node and an mmedate chld node n herarchcal authentcaton tree and the message authentcaton code (MC) can be computed as follows: K ES ES Co a j ( j ( SID, R) a ) () j a MC CES K R ID R ID (2) (, ) j a MC CMCES K ID R (3) (, ) t ether sde, the parent or the mmedate chld, a K s generated from the system dentfer SID { } n conjuncton wth a shared random challenge R { } R R by usng the ES counter mode recursve operatons. The mutual authentcaton process can be descrbed as follows: : regstraton, ID, N (4) : reg. reply, ID, N, R (5) : ID, ID, N, N, R, R, MC (6) In the above scheme, snce Step (4) s not authentcated, an attacer can nject fae regstraton messages to legtmate node to launch a resource exhaustng attac. Moreover, legtmate node would fnsh at Step (5). So, the malcous node may never execute Step (6), whch wll cause DoS attacs. In addton, ths scheme faled to consder how a chld node would select the best parent to jon the PN f more than one parents relay the regstraton message to the chld node. Cha et al. proposed a secure and effcent networ bootstrappng protocol for 6LoWPN, called LBP, n whch three dfferent nds of nodes are defned: new devce (LBD), already bootstrapped devce (LB) and gateway or PN coordnator (LBS) [7]. In the protocol, LBS s the only node that maes the decson about whether an LBD should be allowed to jon the PN and the LB helps the LBD to communcate wth LBS. To solve the problems that are not consdered by the scheme n [6], the LB selecton algorthm s as follows: LBD LB: LB Solctaton, ID LBD (7) LB LBD: LB advertsement, ID LB, node_type, hop_dst, chld_num (8) When an LB receves a message, t frst checs ts blaclst table and, f ths LBD s not found there, t wll broadcast the LB advertsement message whch ncludes ID LB, ts type (LBS or LB), ts hop count

3 636 JOURNL OF COMMUNICTIONS, VOL. 7, NO. 8, UGUST 202 from the LBS and the number of LBDs t has already served. The LBD wll select the best LB f there are more than one LB. The LBD would select the LBS f there s a drect advertsement from t. Otherwse, t would chec the hop count of an LB to the LBS and choose the LBD wth the mnmum dstance to the LBS. The selected LB wll forward an LBP request message to the LBS. However, the authentcaton between the LBS and the LBP s omtted. The LBP scheme uses a blaclst to prevent DoS attacs n the bootstrappng process. When LBS receves an LBP request message but the LBD doesn t pass the authentcaton procedure, the LBS would nsert a new entry n the blaclst table for the LBD or ncrease the number of llegal tres for the LBD. If the number of llegal tres exceeds a defned threshold, the LBS wll dentfy the LBD as a DoS attacer. Whenever a new LBD s determned to be an attacer, the LBS broadcast the blaclst table to all LBs. Because every LBD must be authentcated by the LBS, the communcaton overhead s hgh and the LBS can be a sngle pont of falure for networ securty. Let us consder the case n whch an attacer broadcasts an LB Solctaton message wth a fresh llegal ID constantly. LBs must broadcast ths nd of unencrypted messages whch can be easly exploted by the attacer. Because authentcaton s performed after LB selecton algorthm, the LB must broadcast the LB advertsement message constantly. However, the attacer may never execute the next step, whch wll cause another form of DoS attacs. We can see from the above analyss that mutual authentcaton and parent selecton are essental. It s also mperatve that DoS attacs be bloced at the frst step n the phase of new node regstraton. B. uthentcaton n sensor networs uthentcaton can be acheved by usng two types of messages: MC and dgtal sgnature. MC s based on pre-dstrbutng shared eys or performng shared ey agreement. The sender uses the shared ey to generate a MC that can be verfed by the recever. Computaton overhead for symmetrc ey cryptography s very low. Dgtal sgnature allows a sender to generate a sgnature wth ts prvate ey on a message. The recever can verfy the authentcty of the sgnature wth the sender s publc ey to ensure that the massage ndeed orgnates from the clamed sender and has not been modfed. Verfcaton causes more computatonal complexty than sgnng. Moreover, t would consume more tme and energy to sgn and verfy a message than to compute a MC. Based on the characterstcs of communcaton devces and the current 6LoWPN, such as lmted resources and lac of physcal protecton, some authentcaton protocols have been proposed based manly on publc ey algorthms usng dgtal sgnature and shared ey protocols usng MC. Watro et al. presented an authentcaton protocol based on RS called Tny PK whch needs PKI [8] n whch the BS s treated as a Certfcate uthorty (C). Sensor nodes perform encrypton and verfcaton by usng publc eys whle decrypton and sgnature are mplemented by the BS by usng prvate eys or other exteror devces that have suffcent energy. Ths scheme cannot be appled to authentcatng a sensor node because RS consumes a lot of energy, so do decrypton and sgnature by usng prvate eys. Moreover, f one node s compromsed, the whole networ wll be n danger and attacers can jon the networ as legtmate nodes though the compromsed node. Benenson et al. proposed RRU [9], an authentcaton protocol based on ECC, n whch a node must broadcast an authentcaton request to n nodes among whch t nodes wll certfy and respond (n s the average number of nodes wthn the communcaton range of an authentcatng node and t s the threshold for the number of captured nodes). lthough ECC consumes less energy than RS does, the protocol cannot defend DoS attacs effectvely snce a node must complete fve steps to detect an attacer that eeps sendng forged certfcaton to t. Olvera et al. presented the TnyPBC scheme that uses parngs for the dstrbuton of authentcated dentty-based eys n sensor networs [0]. By only nowng the ID of the other, two partes can agree on eys wthout any nteracton. The frst two authentcaton schemes are based on publc ey certfcates whle the last one s based on dentty, mang certfcates unnecessary. However, a trusted thrd party nows the secret eys of all the nodes. In the case of 6LoWPN, the trusted thrd party s the deployer of the networ. Consequently, there s lttle doubt n ts trustworthness. uthentcaton protocols based on shared ey algorthms n sensor networs have taen two extreme forms. One smple dea s that all the nodes n the networ share one ey for communcaton. In ths case, f one node s compromsed, the entre networ s n danger. The other extreme s that each node (assumng that there are n nodes) stores n- eys each of whch s shared wth each of the other n- nodes. Therefore, t requres a large amount of storage n each node n a large scale networ and may result n waste because not every node can communcate wth every other node. In addton, f a new node enters the networ after deployment, new eys must be ssued that nvolve all the nodes. Zhu et al. proposed LEP protocol [] usng only symmetrc prmtves for sngle hop communcaton whch s perhaps the most effcent proposal. In the protocol, a new node u authentcates ts neghborng node v usng v s ndvdual ey K v derved through K v =f(k, ID v ) where K s a pre-shared master ey. However, LEP has some drawbacs. Frstly, LEP assumes that a pre-dstrbuted ey s shared among all the nodes and won t be dsclosed durng the t ntal tme unts of networ operaton. Secondly, LEP assumes that once ths pre-dstrbuted ey s erased, t cannot be recovered from memory. However, ths cannot always be guaranteed. Lastly, LEP does not provde dgtal

4 JOURNL OF COMMUNICTIONS, VOL. 7, NO. 8, UGUST authentcaton and repudaton of messages s stll possble. Bauer et al. proposed a dstrbuted authentcaton protocol that maes use of secret sharng and the cryptographc concept of group agreement [2]. new node and the BS share a ey S whch s dvded nto n- parts by the BS and dstrbuted to n- nodes except the new node. ll the nodes send ther partal eys to a specfed node who reverts the orgnal ey S and compares t wth S from the new node. The specfed node then broadcasts a relay message. If any node receves n-2 copes of the relay message and among whch more than half are determnate, the new node s authentcated. Snce there s no encrypton or decrypton nvolved, t has a good performance on fault tolerance and computaton. However, t requres that all nodes wthn a group communcate collaboratvely, whch may cause data collson when all the nodes are sendng determnate messages. C. Trust evaluaton The 6LoWPN ND draft goes to standardze the regstraton messages but doesn t address how a new node can fnd the edge router. Moreover, f there are more than one 6LoWPN routers that can relay the regstraton message to the edge router, a decson has to be made as to whch 6LoWPN router or routers wll relay the message or how a new node can select the best 6LoWPN router. In the bootstrappng phase, after deployment, begnnng wth the BS, sensor nodes gradually jon the networ and a cluster-tree structure could be formed. fter a node sends out a regstraton message, t may receve one or more response messages from nodes located n the hgher herarchy. It s necessary for the node to authentcate recprocally and choose the most trusted one to access the networ. Smply consderng energy [3] or hop counts from the BS [4] may not acheve desred securty and effcency. We propose to compute the trust value of every legal parent based on four factors: hop count from the BS, number of chldren, consumed energy and delay. Mang use of the utlty value method n a multple crtera decson mang scheme from the perspectve of smplcty and energy effcency can mae the networ more secure and effectve from the begnnng. III. THE PROPOSED SCHEME. 6LoWPN topology 6LoWPN networ conssts of one or more PNs of full functon devces (FFDs) and reduced functon devces (RFDs). The 6LoWPN standard supports star and peer-to-peer topologes. In a star topology, FFDs and RFDs communcate wth a sngle central PN coordnator whose role can be represented by a FFD. FFDs are responsble for communcaton wthn the networ whle RFDs can only serve as end nodes. In a peer-to-peer topology, FFDs and RFDs can communcate wth each other drectly. There are therefore two types of topology: mesh and cluster-tree. In ths paper, a mult-hop cluster-tree herarchcal networ topology s assumed. The BS that acts as a PN coordnator s the root of the whole tree whle all the FFDs and RFDs are the chldren nodes that can form many sub-trees n whch only FFDs can be the roots. Fg. shows a cluster-tree consstng of BS, FFDs and RFDs. Fgure. mult-hop cluster-tree herarchcal networ topology B. ssumptons We assume that ntruders may exst n the target area before deployment or at the bootstrappng phase. These ntruders can passvely eavesdrop on networ s rado frequency and collect transmsson data. Moreover, they can also tamper or forge messages. We also assume that nodes that have already been authentcated by hgher level parents are trusted at the bootstrappng phase. C. The proposed scheme By consderng the computatonal complexty of publc ey algorthms and the frangblty of shared ey protocols, we decde to combne the two authentcaton approaches n our proposed scheme. t the deployment phase, a unque secret ey based on ID s generated for each node. Ths requrement may be consdered hgh n computatonal cost, but t has no mpact to the networ because ey generaton s performed before deployment. Furthermore, we only use the ey as a secure bootstrappng mechansm. Once the nodes are bootstrapped securely, they can use the authentcated shared parwse ey as a statc and long-term ey to derve the sesson eys wthn ther own neghborhood. The proposed secure bootstrappng protocol s based on the dffculty of solvng the Ellptc Curve Dscrete Logarthm Problem (ECDLP) that bulds on Identty-Based Cryptography (IBC) and parngs. The protocol conssts of two phases. The frst phase taes place before deployment. Durng ths phase, each node s preloaded wth the nformaton to be used for authentcaton and ey generaton. fter deployment, dentty and parngs-based mutual authentcaton s performed to establsh the parwse ey between neghborng nodes. For the chld node, then, trust evaluaton s performed to select the most trusted parent to establsh a path to the BS whle other paths are ept n trust tables as the optonal paths for the future. Before the deployment of the sensor nodes, the deployer performs the followng tass: Choose an addtve group G and a multplcatve group G 2 of the same prme order q. Let P be an arbtrary generator of G. Then, a blnear map ê: G G G 2 and two collson resstant cryptographc hash

5 638 JOURNL OF COMMUNICTIONS, VOL. 7, NO. 8, UGUST 202 functons H and H 2 are determned where H :{0,} * G, a mappng from arbtrary-length strngs to ponts n G ; H 2 :{0,} * {0,} m, a mappng from arbtrary-length strngs to m-bts fxed length output. Pc a random number s Zq * as the master ey to dentfy the networ. No one n the networ nows ths ey except the deployer. Use the master ey s to generate a secret ey S for every node n the networ. The publc and the secret eys for node s P =H (ID ) and S =[s]p =[s]h (ID ), respectvely. Preload each node n the networ wth a unque ID and the correspondng secret ey S. ll the nodes are powered on and deployed nto the target area. Startng from the BS, all the nodes then gradually jon the networ. Only a legtmate chld can compute the shared parwse ey wth ts parent and generate an authentcaton message to correctly respond to the challenge from the parent and hence authentcate tself and vce versa. Node X broadcasts the regstraton message Reg =(ID X, N X ) that contans the unque ID of X and a nonce. Here, represents the strng concatenaton. To prevent two or more nodes from attemptng to transmt at the same tme, every node would mplement a bnary exponental bacoff algorthm to avod collsons before broadcastng ts Reg message. X *: Reg, ID X, N X, H 2 (ID X N X ) (9) Wthn the transmsson range of Reg, one or more FFDs who have joned the networ may receve t, say nodes and B, whle llegtmate nodes C (to mpersonate on a legtmate parent node) and D (to mpersonate on a legtmate node X) may also exst, as shown n Fgure. Frst, and B wll chec ther own blaclsts and, f there s already a record for X, wll dscard the Reg message. Otherwse, they wll valdate N X to fght aganst replay attacs to ensure the freshness of data and then chec H 2 (ID X N X ) to ensure the ntegrty of the message. They then respond to node X. Tae node as an example. wll generate a random number R and send Res =(ID, R, ID X, N X ) to X. X: Res, ID, R, ID X, N X, H 2 (ID R ID X N X ) B X: Res, ID B, R B, ID X, N X, H 2 (ID B R B ID X N X ) (0) fter X receves the Res messages, t checs N X to ensure that the Res s a response to ts regstraton. X then computes shared eys K X, wth and B, respectvely, accordng to () and generates authentcaton messages M X, respectvely, where M X =MC(K X,, ID ID X R ) and M XB =MC(K X,B, ID B ID X R B ). Then, X generates the random challenge numbers R X and R XB, respectvely, and sends the authentcaton messages m to and B. K X, =ê(s X, P )=ê(sx, H (ID )) K X,B =ê(s X, P B )=ê(sx, H (ID B )) () X : m, ID X, N X, ID, R, R X, M X, H 2 (ID X N X ID R R X M X ) X B: m, ID X, N X, ID B, R B, R XB, M XB, H 2 (ID X N X ID B R B R XB M XB ) (2) computes the shared ey K,X wth X accordng to (3) as well as a chec message CM X =MC(K,X, ID ID X R ). checs the authentcty of X by matchng the receved M X wth ts own computed CM X. If they match, taes X as a legtmate node and then computes an authentcaton message M X : M X =MC(K,X, ID ID X R R X ) wth the random number generated by X whle respondng to. Otherwse, slently dscards the messages sent by X and termnates the authentcaton process. In addton, wll report to the BS that X s an llegtmate node. K,X =ê(s, P X )=ê(s, H (ID X )) K B,X =ê(s B, P X )=ê(s B, H (ID X )) (3) X: Cm, ID, ID X, N X, M X, H 2 (ID ID X N X M X ) B X: Cm, ID B, ID X, N X, M BX, H 2 (ID B ID X N X M BX ) (4) X computes a chec message CM X : CM X =MC(K X,,ID ID X R R X ) and compares t wth M X. If they match, X adds to ts trust evaluaton group and requests to send data. Let s denote the tme as TS. potental parent who receves the request message wll generate a reply message. prepares Rep =(ID, HN, CN, CE, R ) that contans ID, hop count from the BS, number of chldren, consumed energy and the orgnal random number sent to X. So does node B. Whle HN and CN are obvous, how CE s computed deserves some mentonng. In 6LoWPN, energy consumpton s determned by communcaton and computaton. The communcaton cost for a node s related to transmsson voltage (Tv), transmsson electrcty (Te) and transmsson speed (Ts). The computatonal cost for a node s manly on computng the shared ey usng a parng operaton whch may be dfferent due to the style of nodes. We assume that computng a parng operaton consumes p c and the number of parng operatons s p n. Then, the

6 JOURNL OF COMMUNICTIONS, VOL. 7, NO. 8, UGUST computatonal cost s p c *p n. So, a rough estmaton of consumed energy for a node s CE CE=Tv*Te*/Ts + p c * p n (5) where s the total number of transmsson bts. If CE exceeds CE max or HN exceeds HN max, where CE max and HN max are defned by the networ deployer, the FFD won t send a reply message to X. X: Rep, E K,X (ID,HN,CN,CE,R ), H 2 ( E K,X (ID,HN,CN,CE,R )) B X: Rep, E KB,X (ID B,HN B,CN B,CE B,R B ), H 2 ( E KB,X (ID B,HN B,CN B,CE B,R B )) (6) Trust evaluaton by X on ts parents s performed followng the followng steps: X records tme TR X as soon as t receves a Rep message and deals mmedately wth t f TR X doesn t exceed TS X +TD max, where TD max s defned by the networ deployer and s the maxmum tme delay that can be tolerated by any node. Otherwse, X dscards the message. If X doesn t receve any Rep message wthn tme nterval TD max, t wll request and B to resend the messages. X then computes the trust evaluaton value for and B, respectvely, mang use of the utlty value method n multple crtera decson mang technology. X computes the utlty value for four crtera. Let s denote ΗΝ and HN as the max and mn values of all the HN, CN and CN as the max and mn values of all the CN, CE and CE as the max and mn values of all the CE, and TD and TD as the max and mn values of all the TD, and TD =TR -TS. ΗΝ-HN U HN =, HN-HN CE-CE U CE =, CE-CE CΝ-CN U CN = CN-CN TD-TD U TD = (7) TD-TD X computes trust evaluaton value. If the weghts of HN, CN, CE, TD are a, b, c and d, respectvely, that are defned by the networ deployer based on applcaton requrements, then T=a* U HN + b* U CN + c* U CE + d* U TD (8) X chooses the most trusted node whch has the largest value of T, among all the nodes evaluated and all the others are reserved n the trust table as optonal paths for the future. IV. PROTOCOL NLYSIS We now show that our proposed scheme can effectvely defend the varous major attacs. We also analyze the salablty. The energy cost n terms of computaton and communcaton as well as storage are also analyzed and compared to that of shared ey protocols and publc ey algorthms through quanttatve analyss.. Securty analyss Masqueradng attacs: n attacer can pretend to be a vald node to deceve a chld node to connect to t or to cheat a parent node to accept ts access requests. In our proposed scheme, snce nodes authentcate each other along all the lns, the attacer cannot become a chld because t cannot pass the authentcaton after (2). Nether can t become a parent due to falure n authentcaton after (4). Relay attacs: n attacer can replay the old regstraton messages to threaten message freshness. In our proposed scheme, ths nd of attacs can be prevented because every regstraton message has a nonce, as shown n (9), that can guarantee the freshness of the message. Eavesdroppng, tamperng and forgng attacs: n attacer can eavesdrop on the nformaton n the transmsson process and then tamper or forge t to threaten message ntegrty. In our proposed scheme, the hash functon H 2 s used to prevent false messages and the nformaton for computng the trust value s encrypted to ensure confdentalty. Capture attacs: Should an attacer capture a node, t could totally control the node and get the secret ey. In our proposed scheme, although we cannot solve the node compromse problem, the attacer cannot get the master ey of the whole networ due to ECDLP even f the attacer has the secret eys. Therefore, the mpact s strctly regonal. That s, even f an attacer could compromse a node, t would not get any nformaton about uncompromsed nodes. Resource exhauston and DoS attacs: Every new node needs to broadcast a Reg message perodcally to as for jonng the networ. If an attacer njects fae Reg messages wth llegal IDs, FFDs wthn the coverage of Reg need to compute share eys usng the llegal IDs, resultng n resource exhauston and DoS attacs. In our proposed scheme, the BS mantans a blaclst and updates t to all FFDs and thus FFDs can bloc the attacer.

7 640 JOURNL OF COMMUNICTIONS, VOL. 7, NO. 8, UGUST 202 Fgure 2. Energy consumpton of all the nodes for one authentcaton Fgure 3. Energy consumpton of the new node n our scheme and publc ey schemes based on ECC B. Scalablty analyss fter deployment, t s smple to add more nodes nto the networ. The new nodes could easly buld new trust relatonshps wth exstng nodes as the mutual authentcaton s based only on exchangng IDs. In addton, our scheme supports moblty of the nodes. When a node s dsconnected from the orgnal parent, t can act le a new node and perform authentcaton wth a new parent. However, ts mmedate chldren wll have to regster wth new parents. C. Performance analyss In our proposed scheme, energy consumpton s determned by communcaton and computaton. Energy consumpton s estmated n the process of trust evaluaton, as shown n (5). We now perform a quanttatve analyss on energy consumpton for two FFDs n one mutual authentcaton process n whch we assume that the FFDs have the same capabltes as those of a standard MIC2 mote [5]. MIC2 has the 8-bt Tmegal 28L cloced at about 8-MHz mcrocontroller and comples wth the IEEE standards. It wors on 3V and 8m. The sendng electrcty s 27m whle the recevng electrcty s 0m and the data transmsson rate s 2.4bps. ccordng to [6], computng a parng operaton on MIC2 taes T 2.66s and consumes 62.73mJ. We also assume that the lengths of the ID, the random number and the nonce are each 2 bytes. Usng ES-CBC-MC-28 mode n the IEEE standards, the head s then 25+2=46 bytes, the lengths of H 2 () and MC() are each 6 bytes, and the hop count, number of chldren, consume energy and delay are each 2 bytes. Table I lsts the communcaton cost for each message transmsson n terms of both sendng and recevng.

8 JOURNL OF COMMUNICTIONS, VOL. 7, NO. 8, UGUST Communcaton (#) (9) (0) (2) (4) (6) TBLE I THE COST OF COMMUNICTION. Length (bytes) Sendng (mj) Recevng (mj) ssumng that the number of neghborng nodes that wll respond to the Reg message broadcast by a new node s N, n Fg. 2, we show the energy consumpton of all the nodes ncludng the new node and N parent nodes. Durng one mutual authentcaton process, the energy consumpton of the new node and all the other nodes are N mj and N mj, respectvely. We can see that the energy consumpton s manly due to the parng operaton. However, wth 2 batteres of 600ms n the MIC2 node, the avalable energy s 2*.5*800*3600=8640J. Performng one mutual authentcaton wth one neghborng node only consumes 0.009% of the total energy. Due to the parng operaton, our scheme consumes more energy for authentcaton than that for the shared ey schemes whch are much more vulnerable to attacs. However, our scheme requres only the storage of one ey and the exchange of IDs, whch s the advantage n terms of storage and communcaton cost. Fg.3 shows the comparson between the publc ey schemes based on ECC [7] and our proposed scheme for authentcaton. We can see from Fg. 3 that energy consumpton of the new node n our scheme based on parng s slghtly more than that for the publc ey schemes based on ECC whch requres two pont multplcaton for node authentcaton and one pont multplcaton for computng the parwse ey. ccordng to [8], completng a 60-bt pont multplcaton of ECC s 0.8s n the MIC2 mote. Therefore, the computng cost for the scheme n [7] s 3*8*0.8*3=58.32mJ, whch s less than that for the parng operaton. However, our proposed scheme has the advantage of requrng less storage space because the scheme n [7] requres that each node store the prvate and the publc eys, the C s sgnature and the C s publc ey, wth a total reachng more than 00 bytes. In our scheme, the node only needs the storage of ts secret ey and ID whch only requres 24 bytes, thus much less than the storage space requred n the scheme n [7]. V. CONCLUSION In ths paper, we proposed a secure bootstrappng scheme for 6LoWPN that s comprsed of parng based mutual authentcaton and trust evaluaton. nalyss on the proposed scheme showed that the scheme can effectvely defend aganst varous major attacs. In addton, our bootstrappng protocol reles on a herarchcal cluster-tree structure based on 6LoWPN and, therefore, can scale well nto a large networ and s adaptable to a relatvely less moblty scenaro. Quanttatve analyss of energy consumpton showed that although our scheme based on parng s a lttle more complex than protocols that are based on ECC n computaton and communcaton, the storage requrement for each node s much less than that based on ECC. In the future, we wll further optmze the trust evaluaton model and verfy our scheme n real applcatons. We wll also study securty ssues to confront after the completon of bootstrappng, such as ey management, ntruson detecton, etc. REFERENCES [] N. Kushalnagar, G. Montenegro and C. Schumacher, IPv6 over Low-Power Wreless Personal rea Networs (6LoWPNs): Overvew, ssumptons, Problem Statement, and Goals, IETF RFC 499, ug [2] G. Montenegro, N. Kushalnagar and J. Hu, Transmsson of IPv6 Pacets over IEEE Networs, IETF RFC 4944, Sept [3] R. Raz, K. K-Hyung and H. F. hmed, Securty nalyss Survey and Framewor Desgn for IP Connected 6LoWPNs, Proc. Internatonal Symposum on utonomous Decentralzed Systems, thens, Greece, Mar. 2009, pp.-6. [4] S. D. Par et al., IPv6 over Low Power WPN Securty nalyss draft-6lowpan-securty-analyss-05, IETF Internet Draft, Mar. 20. [5] Z. Shelby et al., Neghbor Dscovery Optmzaton for Low Power and Lossy Networs (6LoWPN) draft-etf-6lowpan-nd-7, IETF Internet Draft, Jun. 20. [6] M. Iram et al., Smple Lghtweght uthentc Bootstrappng Protocol for IPv6-based Low Rate Wreless Personal rea Networs (6LoWPNs), Proc. CM Internatonal Wreless Communcatons and Moble Computng Conference, Lepzg, Germany, Jun. 2009, pp [7] H. Cha, K. Km and S. Yoo, LBP: Secure and Effcent Networ Bootstrappng Protocol for 6LoWPN, Proc. 5th Internatonal Conference on Ubqutous Informaton Management and Communcaton, Seoul, Korea, Feb. 20. [8] R. Watro et al, TnyPK: Securng Sensor Networs wth Publc Key Technology, Proc. 2nd CM Worshop on Securty of d Hoc and Sensor Networs, Washngton, DC, Oct. 2004, pp [9] Z. Benenson, N. Gedce and O. Ravo, Realzng Robust User uthentcaton n Sensor Networs, Proc. Worshop on Real-World Wreless Sensor Networs, Stocholm, Sweden, Jun

9 642 JOURNL OF COMMUNICTIONS, VOL. 7, NO. 8, UGUST 202 [0] L. B. Olvera, M. Scott, J. Lopez and R. Dahab. TnyPBC: Parngs for uthentcated Identty-based Non-nteractve Key Dstrbuton n Sensor Networs, Computer Communcatons, vol. 34, no. 3, Mar. 20, pp [] S. Zhu, S. Seta and S. Jajoda, LEP: Effcent Securty Mechansms for Large-scale Dstrbuted Sensor Networs, Proc.0th CM Conference on Computer and Communcatons Securty, Washngton, DC, Oct. 2003, pp [2] K. Bauer and H. Lee, Dstrbuted uthentcaton Scheme for a Wreless Sensng System, CM Transactons on Informaton and System Securty, vol., no. 3, Mar. 2008, pp [3] H. Song, S. H. Lee and H. S. Lee, 6LoWPN-based Tactcal Wreless Sensor Networ rchtecture for Remote Large-scale Random Deployment Scenaros, Proc. IEEE Mltary Communcatons Conference, Boston, M, Oct. 2009, pp.-7. [4] K. Zeng, K. Ren, W. Lou and P. J. Moran, Energy ware Effcent Geographc Routng n Lossy Wreless Sensor Networs wth Envronmental Energy Supply, Wreless Networs, vol. 5, no., Jan. 2009, pp [5] Crossbow, MIC2, /Product_pdf_fles/Wreless_pdf/MIC2_Datasheet.pdf. [6] P. P. Szczechowa,. Kargl, M. Scott and M. Coller, On the pplcaton of Parng based Cryptography to Wreless Sensor Networs, Proc. 2nd CM Conference on Wreless Networ Securty, Zurch, Swtzerland, Mar. 2009, pp. -2. [7] X. Zhang, J. He and Q. We, EDDK: Energy-Effcent Dstrbuted Determnstc Key Management for Wreless Sensor Networs, EURSIP Journal on Wreless Communcatons and Networng, vol. 20, Jan. 20. [8] N. Gura,. Patel,. Wander, H. Eberle and S. C. Shantz, Comparng Ellptc Curve Cryptography and RS on 8-Bt CPUs, Proc. 6th Internatonal Worshop on Cryptographc Hardware and Embedded Systems, Cambrdge, M, ug. 2004, pp Hong Yu was born on 2th September 984 n Hunan provnce, Chna. She receved her Master s degree n Computer Scence and Technology n 20 from Bejng Unversty of Technology n Bejng, Chna and s currently a Ph.D. student there. Her research nterest s manly n the area of securty and prvacy n wreless sensor networs. Jngsha He was born on 5 prl 96 n Chna. He receved hs M.S. and Ph.D. degrees from the Unversty of Maryland, US n 984 and 990, respectvely. He joned Bejng Unversty of Technology n Bejng, Chna n 2003 and s currently a professor n the unversty. Prof. He s research nterests are manly n the areas of securty and prvacy n wreless networs, networ measurement and nformaton securty. He has receved 2 U.S. patents and Chna patents and has publshed extensvely n techncal journals and major nternatonal conferences.