24-06-2013, 02:58 PM
SDRP: A Secure and Distributed Reprogramming Protocol for Wireless Sensor Networks
Abstract

Wireless reprogramming for a wireless sensor network is the process of uploading new code or changing the functionality of existing code. For security reasons, every code update must be authenticated to prevent an adversary from installing malicious code in the network. All existing reprogramming protocols are based on the centralized approach in which only the base station has the authority to initiate reprogramming. However, it is desirable and sometimes necessary for multiple authorized network users to simultaneously and directly reprogram sensor nodes without involving the base station, which is referred to as distributed reprogramming. In this case, the network owner can also assign different reprogramming privileges to different users. Motivated by this consideration, we develop a secure and distributed reprogramming protocol named SDRP, which is the first work of its kind. The protocol uses identity-based cryptography to secure the reprogramming and to reduce the communication and storage requirements of each node. Moreover, our theoretical analysis demonstrates the security properties of our protocol. We also implement SDRP in a network of resource-limited sensor nodes to show its high efficiency in practice.
INTRODUCTION

Wireless sensor networks (WSNs) may be deployed for long periods of time during which the requirements from the network owner and users, or the environment in which the nodes are deployed, may change. The change may necessitate uploading a new code image or retasking the existing code with different sets of parameters [1]–[5]. We refer to both of these activities as reprogramming. As a WSN is usually deployed in hostile environments, secure reprogramming is and will continue to be a major concern.
BACKGROUND AND PRELIMINARIES

Network Model

As shown in the lower subfigure in Fig. 1, a WSN consists of a large number of resource-constrained sensor nodes, many sensor network users, and a single network owner. The network users (e.g., soldiers) use mobile devices such as personal digital assistants (PDAs) or laptop PCs to reprogram the sensor nodes. The network owner, who has bootstrapped the keying materials for the mobile devices to enforce the reprogramming privilege policy, may be offline. It is assumed that the network owner cannot be compromised and has unlimited computational power compared with sensor nodes. Such sensor networks are being built or planned by many multisponsor programs and projects (e.g., [19]–[21]). The sensor nodes can only perform a limited number of asymmetric cryptographic operations, such as signature verification, due to the large energy consumption of these operations.
Trust Model

The network owner only delegates his reprogramming privilege to those network users who have registered. We assume that the special modules (e.g., the authentication module for each new program image proposed in this paper and the user access log module) reside in the bootloader section on each sensor node and cannot be overwritten by anyone except the network owner. To achieve this goal, some existing approaches can be employed, such as hardware-based approaches (e.g., security chips) and software-based approaches (e.g., binary translation [24]). Additionally, we assume that the network owner does not impersonate any network user to propagate a new program image.
Threat Model

An adversary can launch a wide range of attacks against the network, which can be divided into two kinds, namely, outside and insider attacks. In an outside attack, the adversary does not control any valid sensor nodes in the WSN. The adversary may eavesdrop, modify, forge, or replay any network traffic in the WSN. It may also inject false messages or forge nonexisting links in the network by launching a wormhole attack (e.g., [25]). In an insider attack, the adversary can compromise both network users and sensor nodes and then learn the keying materials stored on them. However, we do assume that the adversary cannot compromise an unlimited number of sensor nodes.
Evaluation Results

We use the following five metrics to evaluate SDRP, namely, memory overhead, signature message overhead, execution time, propagation delay, and energy overhead. The execution time measures the time duration for each operation of SDRP (i.e., system initialization, user public-/private-key generation, user signing, and signature verification). The propagation delay is the time required to finish disseminating a code image to all the nodes in the network.