A Polynomial Subset-Based Efficient Multi-Party Key Management System for Lightweight Device Networks

sensors

Article A Polynomial Subset-Based Efﬁcient Multi-Party Key Management System for Lightweight Device Networks

Zahid Mahmood 1, Huansheng Ning 1,* and AtaUllah Ghafoor 2

1 School of Computer and Communication Engineering, University of Science and Technology Beijing, Beijing 100083, China; [email protected] 2 Department of Computer Science, National University of Modern Languages, Islamabad 44000, Pakistan; [email protected] * Correspondence: [email protected], Tel.: +86-136-0131-7155

Academic Editors: Yunchuan Sun, Zhipeng Cai and Antonio Jara Received: 3 February 2017; Accepted: 18 March 2017; Published: 24 March 2017

Abstract: Wireless Sensor Networks (WSNs) consist of lightweight devices to measure sensitive data that are highly vulnerable to security attacks due to their constrained resources. In a similar manner, the internet-based lightweight devices used in the Internet of Things (IoT) are facing severe security and privacy issues because of the direct accessibility of devices due to their connection to the internet. Complex and resource-intensive security schemes are infeasible and reduce the network lifetime. In this regard, we have explored the polynomial distribution-based key establishment schemes and identified an issue that the resultant polynomial value is either storage intensive or infeasible when large values are multiplied. It becomes more costly when these polynomials are regenerated dynamically after each node join or leave operation and whenever key is refreshed. To reduce the computation, we have proposed an Efficient Key Management (EKM) scheme for multiparty communication-based scenarios. The proposed session key management protocol is established by applying a symmetric polynomial for group members, and the group head acts as a responsible node. The polynomial generation method uses security credentials and secure hash function. Symmetric cryptographic parameters are efficient in computation, communication, and the storage required. The security justification of the proposed scheme has been completed by using Rubin logic, which guarantees that the protocol attains mutual validation and session key agreement property strongly among the participating entities. Simulation scenarios are performed using NS 2.35 to validate the results for storage, communication, latency, energy, and polynomial calculation costs during authentication, session key generation, node migration, secure joining, and leaving phases. EKM is efficient regarding storage, computation, and communication overhead and can protect WSN-based IoT infrastructure.

Keywords: path key; symmetric; polynomial; hashing; proxy node; node storage

1. Introduction A recent advancement in communication technology, Wireless Sensor Networks (WSNs) are widely used in several applications [1]. The science community has focused on the security of WSNs. Because of the resource-constrained environment of the WSNs, classic security mechanisms are not practical since they consume too much energy; hence researchers are proposing new lightweight security mechanisms for every possible security aspect of WSNs. WSNs consist of many small, low-cost, self-governing ends called sensor nodes with little ability to manipulate data [2] and with constrained computing, energy, and memory. MICA2 Motes use 8 bit, 16 MHz processors with 4 K bytes of

Sensors 2017, 17, 670; doi:10.3390/s17040670 www.mdpi.com/journal/sensors Sensors 2017, 17, 670 2 of 20 Sensors 2017, 17, 670 2 of 20 4 K bytes of electronically erasable programmable read only memory (EEPROM) and 128 K bytes of electronicallyprogrammable erasable memory programmable [3]. With the read passage only of memory time, the (EEPROM) sizes of WSN and 128 are K growing bytes of programmablein clusters [4]. memoryTraditional [3]. security With the mechanisms passage of time, using the public sizes of key WSN cryptography are growing cause in clusters significant [4]. Traditional overhead securityregarding mechanisms computation using and public commu keynication. cryptography Key management cause signiﬁcant is mandatory overhead regardingand more computation challenging andwith communication. limited resources Key in management WSNs [5]. Many is mandatory researchers and more have challenging been recognized with limited that grouped resources or indispersed WSNs [5 heterogeneous]. Many researchers sensor have systems been recognized can sensibly that perform grouped orwith dispersed system heterogeneous effectiveness, sensoroperational systems execution, can sensibly and enduring perform withsystem system lifetimes. effectiveness, operational execution, and enduring systemIn lifetimes. a heterogeneously grouped approach, as described in Figure 1, the low end sensor (L-sensorsIn a heterogeneously) are resource-constrained grouped approach, devices aswith described low power, in Figure short1, communication the low end sensor range, ( L-sensors) limited arememory, resource-constrained and less computation devices power with. low On power, the other short hand, communication H-sensors are range, equipped limited with memory, tamper andresistance less computation and have power.enough On resources, the other l hand,ike highH-sensors battery are power, equipped broad with communication tamper resistance ranges, and havesufficient enough memory, resources, and like high high computational battery power, capabil broadities. communication L-sensors are ranges, deliberatel sufﬁcienty conveyed memory, inand a highgroup, computational and every group capabilities. is controlL-sensorsled by a are group deliberately head (H conveyed-sensor). The in a L group,-sensors and essential every grouply sense is controlledenvironmental by a statistics group head and (H-sensor). forward it Theto theL-sensors H-sensors essentially and the senseother environmentalway around. H statistics-sensors andcan forwardperform itcompl to the exH-sensors operations and the on other the way sensor around. information,H-sensors can and perform utilize complex longer operations radio and on thestraight sensorforwardl information,y transfer and it utilizeto the longerbase-station. radio andThe straightforwardlybase-station (BS) is transfer a powerful it tothe hub, base-station. and it has Theabundant base-station sources (BS). The is aBS powerful might be hub, a remote and it has server, abundant and it sources. might Thebe connected BS might bewith a remote the external server, andworl itd mightutilizing be connectedthe accelerated with Internet. the external world utilizing the accelerated Internet.

Figure 1. HeterHeterogeneousogeneous WSN-basedWSN-based IoT architecture.architecture.

Various anonymousanonymous securitysecurity protocolsprotocols have beenbeen recommendedrecommended for heterogeneousheterogeneous WSNs in recent past,past, andand they they display display diverse diverse sorts sorts as as well wel asl as levels level ofs securityof security protection protection at various at various cost. cost. In this In section,this section, we discuss we discuss the existing the cryptographyexisting cryptography techniques that techniques addressed that the addressissue ofed authentication the issue inof heterogeneousauthentication WSNs. in heterogeneous Due to the limited WSNs. resources Due to the of WSNs,limited a resources sound balance of WSNs, between a sound security bal levelance andbetween the associated security l energyevel and utilization the associated overhead energy is needed utilization to mitigate overhead the security is needed threats. to mitigate Symmetric the parameterssecurity threats. such as Symmetric node ID, message parameters authentication such as node code, ID, nonce message number, authentication and time stamps code, are nonce the signiﬁcantnumber, and parameters time stamps for grouped are the significant key management parameters techniques for grouped which arekey energy management efﬁcient techniques and avoid thewhich different are energy type of efficient attacks fromand avoid malicious the nodesdifferent and type avoid of nodeattacks compromising from malicio attacks.us nodes Most and security avoid protocolsnode compromis developeding forattack WSNss. Most use symmetric security encryption,protocols devel dueoped to ease for of WSN its implementations use symmetric [6]. Besidesencryption, this, due single to node ease authentication of its implementation has become [6]. unableBesides to this, meet singl thee increasing node authentication communication has demand,become unabl as thee service to mee demandt the increasing increases communicationwith the passage demand, time, multiparty as the servicecomputing demand is necessary increas fores nodewith authenticationthe passage time, simultaneously multiparty computing and securely is inter-clusternecessary for and node intra-cluster authentication where simul [7] participantstaneously collectivelyand securel toy inter set up-cl auster mutual and session intra-cl keyuster to whereenable the[7] participants multi-party computing collectively and to setsecure up exchangea mutual ofsession messages. key to enable the multi-party computing and secure exchange of messages. Multi-partyMulti-party computingcomputing for securityfor security credential credential calculations calcul hasations been adopted has been using adopted many-to-many using nodesmany-to communication-many nodes scenarios. communication Conventional scenarios. node Conventional authentication node involves authentication computation atinvol singleves sensorcomputation node at for singl thee entiresensor security node for credential the entire calculation,security credential which cal iscul lessation, secure which as comparedis less secure to as compared to trustworthy multi-party involvement. These days, a new form of authentication,

Sensors 2017, 17, 670 3 of 20 trustworthy multi-party involvement. These days, a new form of authentication, known as group authentication [8] is proposed which may be used to decide whether or not all users belong to the same group or now not. The group authentication is very green for the reason that it can authenticate all members at one time. It can be used for pre-processing of node authentication to identify trustworthy contributors and non-contributors as well. To communicate securely with the same group and among different groups, we employed a polynomial (P) to achieve efficient intra-group key refreshment and generated a polynomial to create an inter-group key. For this reason, our proposed protocol could be highly effective in each authentication and key establishment because it may provide the most effective broadcast transmission. Moreover, for computations every sensor needs a polynomial assessment and key-hash feature and it is easier for performing encryption and decryption. In [9] a technique to optimize the energy consumption for computing polynomial expressions was proposed. In this context, it is, therefore, crucial to have efficient key revocation and renewal mechanisms in WSNs. The goal of this work is to propose secure and efficient protocols for key revocation and renewal. This research proposes an Efficient Keying for Multi-party (EKM) scheme to calculate the polynomial values using lightweight XOR operations. It also includes pre-deployment, node joining, and key establishment protocols. Before the nodes’ deployment in WSNs, each sensor node is pre-configured with a set of symmetric keys shared with all the other sensor nodes of the network to transmit IDs securely. After the network deployment, every sensor node identifies the specified symmetric keys used to communicate with the cluster head (CH). The cluster-head maintains all the symmetric keys shared with the sensor nodes belonging to its cluster. The main reason the use of these symmetric keys is to facilitate the multi-hop communication while transmitting secret data, particularly, the personal-proportion distribution and the exchanged facts among the cluster-heads and the base station (BS). The implementation of the polynomial that is applied for deriving an intra-group key can reduce the session key storage overhead at the member nodes and their CH. After the intra-group key is acquired, the member nodes self-generate the polynomial functions, which are necessary for growing an inter-organization key. This facilitates the reduction of the communication overhead on the CH. We have proposed a key generation and update mechanism for secure data sharing in identical clusters and among different cluster. In the session key generation mechanism for intra-clusters, the proposed technique significantly decreases the number of broadcast messages in the inter-cluster communication. The extra number of re-keying messages and communication overheads due to the proposed scheme has been conscientiously justified. Through the usage of the proposed mechanism, we have enhanced the WSN efficiency and network lifetime by reducing the number of exchanged messages to enhance the network lifetime during node mobility while reducing the coverage area of cluster heads and the need to migrate nodes to join the powerful coverage area of the CH. This research proposes a secure node migration protocol in which reliable handoff occurs and new connections are established between CHs and member nodes. The organization of the rest of the paper is as follows: the system and security model for proposed protocol established in Section2. Section3 elaborates the related work to develop existing key establishment schemes. Section4 provides a detailed discussion on a proposed EKM system for key distribution, node joining, and key establishment scenarios. The formal specification and security analysis of proposed technique is discussed in Section5. Section6 are about simulation parameters and scenarios to present results and illustrate the analytical discussion. Finally, Section7 provides conclusions and future work.

2. System and Security Model In this section, the network model, adversarial model, and security model are described, respectively. For multicast communications in WSNs, the network model used here is the heterogeneous and hierarchical topology depicted in Figure2. We assume that the network consists of a sink and many groups, and each group has a powerful node which has abundant resources Sensors 2017, 17, 670 4 of 20

(energy,Sensors 2017 computing,, 17, 670 and storage) and many low ordinary nodes. The powerful node acts as4 of the 20 cluster head (CH) and is responsible for network security management, such as key issuing, updating, revocation,updating, revocation, intrusion detection, intrusion etc.detection, As an ordinaryetc. As an member, ordinaryL-sensor member, is responsible L-sensor is forresponsibl sensinge data for andsensing authentication data and authentication for secure communications. for secure communications.

Figure 2. Network model of mul multi-partyti-party key establ establishmentishment scenario.scenario.

When we consider that WSN may additionallyadditionally encounter attacks from inside by compromised nodes oror externalexternal attackers, attackers, so so its its lifetime lifetime can can be classiﬁedbe classified into into many many phases. phases. At the At beginning the beginning of every of session,every session, all types al ofl types keys like of BS- keysCH l,ikeCH BS-L-Sensor,-CH, CH and-L-SensorL-Sensor-, andL-Sensor L-Sensor for- securityL-Sensor functions for security will befunctions re-issued. will The be length re-issued. of every The l sessionength of could every be session modiﬁed coul dynamicallyd be modified with dynamical the securityly withstrength the ofsecurity the safety strength mechanism of the safety used mechanism or the regulations used or the of groupregulations members of group like newmember nodes like addition new node and migration.addition and Session migration. switching Session might switching be launched might using be cluster launched heads using for group cluster members heads andfor by group the BSmembers for cluster and heads. by the TheBS for self-restoration cluster heads. key The control self-restoration schemes proposed key control in particular schemes focusproposed on the in problems,particular updating focus on and the revocation problems, manner updating of organization and revocation keys mannerand pairwise of organization session keys. key Differents and stylespairwise of keyssession methods keys. Different may be originated styles of keys according methods to the may devices be originated for group according keys and pairwiseto the devices keys. for group keys and pairwise keys. 2.1. Threat Model 2.1. Threat Model In this section, we describe the threat model adopted in the proposed scenario. We assume that thereIn aren’t this section, any compromised we describe nodes the threat at network model deployment adopted in the time. proposed Attacks scenario. are released We aassume while afterthat thethere nodes aren’ aret any deployed. compromised With effective nodes at computing network depl capability,oyment the time. adversary Attacks can are execute released advanced a while factafter evaluation the nodes to are gather deployed. the important With effective data. The computing adversary capabil canity, be either the adversary inner or external can execute and activeadvanced or passive. fact eval Moreover,uation to gather a single the entity important or a member data. The of adversary a coordinated can be group either of inner entities or canexternal also performand active malicious or passive. activities. Moreover, An adversary a single entity can launch or a member a physical of attacka coordinated by compromising group of entities a node andcan readingalso perform secret mal dataicious to use activities. it for future An adversarytracking.An can insider launch adversary a physical is attack a malicious by compromising node that may a examine/alternode and reading all messages secret data encrypted to use it with for future its keys. tracking. Passive An adversaries insider adversary can spy on is all a mal communicationicious node channelsthat may in examine/al the communityter all messages like idea channels, encrypted or with unintended its keys. verbal Passive exchange adversaries channels. can spy Energetic on all adversariescommunication can examine, channels tamper, in the and community inject fraudulent like idea packets channel overs, or verbal unintended exchange verbal channels. exchange channels. Energetic adversaries can examine, tamper, and inject fraudulent packets over verbal 2.1.1.exchange Adversarial channels. Model Moreover, insider attackers and outside attackers can apportion the important thing, captured 2.1.1. Adversarial Model information, to interrupt the security collusively, in what is referred to as a collusive physical attack. For instance,Moreover, the insider revoked attackers nodes and and the outside newly attackers joined nodes can canappo launchrtion deceitfulthe important attacks thing on the, captured session keysinformation, no longer to belonging interrupt to the them. security We expect collusivel thaty, the in compromised what is referred or insider to as a adversary collusive behaving physical abnormallyattack. For instance, could be the revoked revoked from nodes the and network the newl insidey joined the following nodes can session launch with deceitful the assist attacks of theon intrusionthe session detection keys no mechanism,longer belongi whichng to is them. not addressed We expect in that this the research. compromised or insider adversary behaving abnormally could be revoked from the network inside the following session with the assist of the intrusion detection mechanism, which is not addressed in this research. Moreover, a comprehensive attacker can easily monitor the wireless data of WSNs and capture the wireless packets. The attacker will be able to gather plenty of useful sensor information from the

Sensors 2017, 17, 670 5 of 20

Moreover, a comprehensive attacker can easily monitor the wireless data of WSNs and capture the wireless packets. The attacker will be able to gather plenty of useful sensor information from the captured packets like node IDs and node location and might adjust packet information even as a packet is in transit. Additionally important, an attacker can intentionally apprehend a node and capture all its cryptographic keys. As a result, node capturing physical attacks are very harmful to the network if excessive numbers of cryptographic keys remain stored on a node.

2.1.2. Potential Attacks In general, attacks affecting secure key establishment are eavesdropping and node capture [10], referred to as passive adversaries and active adversaries. Passive adversaries gather some statistics via eavesdropping without any physical access to a network entry, and active adversaries encrypt information that is leaked during physical access to the node. The proposed key management technique is secure against eavesdropping and node capture, and we will explain the cause for this below. During cluster key derivation, the cluster head sends an expanded polynomial without any encryption. It is not easy to guess the intra-group key management from the polynomial, considering that it is hard to do polynomial factorization due to the fact there may be certainly a O(n((logn)) options to the polynomial enlargement problem [11,12] and the problem for polynomial factorization is NP-hard [13]. For example, P = 3x3 + 15x2 + 74x − 117 is not easy to factorize as P = hx − 5)|(x − 4)|(x − 6) + 3i for the purpose, it’s tough to guess 3. Even though the accelerated polynomial P is sent without any encryption, cluster head key credentials will no longer leak out. For this reason, it’s far tougher to generate the coefﬁcient of polynomial H(x) with the aid of an attacker due to the safety of these keys in clusters.

2.2. System Model Based on the system and attack model, we particularly grasp the subsequent security goals: for the reason that L-sensors aren’t truthful, initializing essential keys allows powerful security. To preserve the mutual authentication among the network devices (sensors, cluster-heads, and base-stations), devices have to perform mutual authentication and establish a dynamic session key before establishing the consultation, so that each the nodes/gadgets can conﬁrm their legitimacy. In vital applications (place of birth security, healthcare, smart grids), nodes’ identities are very critical, as a consequence, nodes’ identities should be stored securely and privately [14–16]. To protect the Wi-Fi communication from unlawful eavesdropping and interception all the wireless messages should be secured (i.e., personal), so that a global adversary can’t examine, reveal, intercept, or modify the Wi-Fi messages. During an adversary monitoring, the L-sensors are easily compromised, so then a key revocation mechanism can play a vital function to protect from any future misleading moves from a compromised node. Moreover, a node addition feature confers scalability to the network. The proposed model for our key distribution scheme is designed for heterogeneous sensor networks. We assume a heterogeneous sensor network consists of high resource node (H-sensors) and their member nodes having fewer resources called L-sensors. H-sensors are nodes that are more powerful and have more computation, communication, energy supply and storage capability’s sensors are ordinary sensor nodes with limited computation, communication, and energy supply and storage capability. We consider the hierarchical structure of the heterogeneous sensor network proposed in [17] in which high power sensor nodes work as cluster heads and low power sensor nodes work as their member nodes. This sensor clustering scheme enables local data processing, which reduces the communication load in the network to provide scalable solutions. To increase the lifetime of the deployed network the nodes are divided according to their workload. Initially, when a sensor network is deployed, there are large number of low power sensor nodes and a limited quantity of cluster heads. It is assumed that the H-sensor and L-sensors are deployed uniformly and randomly. It has been assumed that the CH is tamper resistant and cannot be compromised. The major issue with the polynomial calculation is that resulting multiplicative values become very large and slow for larger Sensors 2017, 17, 670 6 of 20

The more L-sensors there are, the more memory required on the cluster head for restoring their IDs Sensorsand mul2017tipl, 17icative, 670 values, which causes memory overhead. 6 of 20 values3. Related of polynomial Work factors. Due to constrained resources, when the number of L-sensors increases then theDifferent computation issues with and communicationexisting key management cost to the clustertechniques head are also discussed increases. in The conjunction more L-sensors with therethe avail are,abil theity more of memory limited required recourses on of the WSN clusters. head Minimizing for restoring the resource their IDs and consumption multiplicative and values,maximizing which security causes memory levels are overhead. two different points. The probabilistic scheme described in [18], where each node receives a group of keys smaller than the network size provides better 3. Related Work connectivity and little memory overhead. It has key pre-distribution, path-key establishment, and sharedDifferent key discovery issues with phases existing that key cause management scalability techniquesproblems. areThe discussed larger network in conjunction size for witha given the availabilitystage increases of limited the computation recourses and of WSNs. communication Minimizing overheads. the resource The secret consumption key sharing and is maximizing limited by securitythe memory levels existing are two on different the sensor points. nodes, The since probabilistic the chance scheme that next described node shares in [18], k/n where give each a key, node for receivesexample, a the group memory of keys overhead smaller than is O the(n).network For fixed size key provides chain size, better the connectivity key connectivity and little achieved memory is overhead.lower than It previousl has key pre-distribution,y. path-key establishment, and shared key discovery phases that causeIn scalability [19] a dynamic problems. generati The largeron of the network polynomial size for (DGP) a given isstage proposed increases for heterogeneous the computation WSNs and communicationscheme where nodes overheads. are pre The-loaded secret with key a sharing master iskey limited K for bysecure the memorycommunication existing during on the sensorcluster nodes,key establ sinceishment. the chance During that the next key node management shares k/n process, give a k ey,each for node example, calcul theates memory MAC(ID overhead) and then is Oencrypts(n). For ﬁxedthe concatenated key chain size, message the key connectivity with the master achieved key. is lower Each thanL-sensor previously. node (Li) generates ciphertextIn [19 ]C_ aLi dynamic = EMK(ID||MAC generation(ID of)) and the polynomial transmits it (DGP) towards is proposeda H-sensor for as heterogeneous depicted in Figure WSNs 3. schemeThe H-sensor where calnodesculates are pre-loaded the hash of with L-sensor a master IDs keyandK savesfor secure these communication values. H-Sensor during generates cluster a keypolynomial establishment. using Equation During the(1) where key management h(Li) is hashed process, function each for node L-sensor calculates Li andMAC i = 1, (…,ID )n. and then encrypts the concatenated message with the master key. Each L-sensor node (Li) generates ciphertext (x − h( l1)(x − h( l2)). . . (x − h( l푛))Kchj (1) C_Li = EMK(ID||MAC(ID)) and transmits it towards a H-sensor as depicted in Figure3. The H-sensor calculatesDuring the a hashnode of joinsL-sensor or leaveIDs operation,and saves theseH-Sensor values. revoHkes-Sensor existing generates polynomial a polynomial and broadcast using Equationthe new pol (1)ynomial where h (toLi )al isl hashedL-Sensors function by taking for L MAC-sensor(IDLi) ofand alli L=-sensors 1, . . . , n.. It increases the lifetime of sensor networks by decreasing the key pool size. Our scheme further reduces the computational cost of this scheme. (x − h(l1)(x − h(l2))... (x − h(ln))Kchj (1)

FigureFigure 3.3. PolynomialPolynomial computation atat aa HH-sensor.-sensor.

DuringIn [20] awhere node joinseach or node leave receives operation, a uniqueH-Sensor ID, revokesa private existing key, and polynomial a master and key broadcast K. After thedepl newoyment, polynomial sensor nodes to all L broadcas-Sensorst bytheir taking IDs encryptedMAC(ID) ofwith all Lthe-sensors. global key. It increases A loop theis constructed lifetime of sensorby using networks a certain by number decreasing of thea node key poolfrom size.set S Our. If sensor scheme node further A creates reduces l theoop computationalL with set S, then cost ofloop this-key scheme. 퐾퐿 = 퐻푎푠ℎ(푡푠||퐾퐴||퐼퐷퐴||{퐼퐷}) is computed. The global key protects the distribution of the lInoop [20 key] where inside each the node loop. receives A network a unique-wide ID, a key private can key, reduce and communication, a master key K. After but deployment, capturing a sensorsingle nodesnode exposes broadcast all their the IDs links encrypted in the network. with the Our global approach key. A loop prevents is constructed it from taking by using the acredential certain numbers from member of a node nodes. from set S. If sensor node A creates loop L with set S, then loop-key KL =InHash [21]( everyts||KA sensor||IDA ||{nodeID} randoml) is computed.y picks The up globala unique key secret protects key the from distribution the large of key the pool loop and key insideproduces the loop.a new A secret network-wide key by appl keyying can one reduce-way communication, hash function. butThe capturingH-sensor abroadcasts single node a message exposes allin theits communication links in the network. range Our and approach then, the prevents L-sensors it fromdiscover taking their the neighbors. credentials It from provides member compl nodes.ete connectivity,In [21] every resil sensorience against node randomly sensor node picks capture up a unique and routing secret key attack. from Our the scheme large key fol poollows and the producessame depl aoyment new secret pattern. key bySajid applying recommended one-way fol hashlowing function. a sequence The H -sensorof Key broadcastsPool  Key a messageChain inKey its Ring communication [22]. It achieves range an and equal then, probabil the L-sensorsity of discover key sharing their amon neighbors.g nodes It andprovides stores complete a small connectivity,number of key resilience generations against on sensorthe node. node It capturereduces andthe memory routing attack. overhead Our if scheme the wrong follows parameter the same is deploymentfixed, but forpattern. maximum Sajid key recommended sharing, it needs following a larger apool sequence size. of Key Pool → Key Chain→ Key Ring [22]. It achieves an equal probability of key sharing among nodes and stores a small number of Sensors 2017, 17, 670 7 of 20 key generations on the node. It reduces the memory overhead if the wrong parameter is fixed, but for maximum key sharing, it needs a larger pool size. In [23] a secure symmetric key used for member nodes and public key cryptography for powerful nodes was proposed. Three scenario-based schemes reduce the memory and computational overhead along with high resilience against node capture attacks. A key management regime described in [24] used a keyed hash chain. It supports the establishment and renewal of five keys, and it also overcomes the drawback of a single key. A critical decision is to how determine the length of a key-chain. A large key-chain size increases the memory overhead and on the other hand, decreasing the chain size compromises the security strength. A random key pre-distribution scheme where seeds are taken from the base station to drive a new key that is providing adequate security was described in [17]. It allows privately distributing a secret to a set of recipients with only one multicast communication [25]. A lightweight XOR-based re-keying scheme is illustrated in [26] that does not require message exchange from common nodes. In this system, CH transmits a Magic code and a nonce number in the encrypted message to all member nodes. Sensors take XOR of an existing key with a left shifted Magic word and get a new value that is further used to establish XOR with the nonce. Similarly, our scheme also supports key freshness on each node join or leave operation. A technique put forth in [27] enforces mutual authentication between a member and group key distributor while executing a re-keying process. During the last decades, various applications have been benefitting from WSNs, such as environmental monitoring, battlefield intelligence, and reconnaissance, medical caring, intelligent home, industrial control [28]. However, in some harsh and critical environments, malicious attacks, including eavesdropping, Denial of Service (DOS) attacks, and packet tampering and infection, may disturb the network operations and degrade the system performance. Security issues should be considered carefully during the design of WSNs’ protocols to defend against and tolerate attacks [29]. Cryptography is typically used to provide security features, such as confidentiality, authentication, integrity, and availability [30]. As the core role of security, key management is responsible for key distribution, updating, and revocation for sensor nodes, and establishes security associations between nodes [31]. As per scientific techniques, some related works explore polynomial [32,33] vector space secret sharing [34], bilinear pairings [35] and elliptic curve cryptography [36]. Polynomials can be used to improve the trade-off between security performances, computation complexity, and resource consumption better than other methods [37]. In this paper we concentrate on a polynomial-based strategy to achieve better system performance. References [38,39] elaborate that radio-frequency identification (RFID) is a program distinguishing proven innovation and a promising innovation to be naturally incorporated into conventional remote sensor systems (WSNs) including a novel recognizable proof measurement into WSNs and forming RFID-based sensor frameworks. The lightweight protocol provides the security properties because basic logarithmic and intelligent operations without requiring costly cryptographic calculations are implemented in low-cost and resource-restricted wireless systems. The scheme in [40] enforces mutual authentication between a member and the group key distributor while executing the rekeying process. It provides forward secrecy and backward secrecy properties, and resists replay attacks, impersonation attacks, group key disclosure attacks and malicious insider attacks. The proposed scheme can be used for rekeying purposes in a secure multicast scenario. The second one is an authentication mechanism to be used in environments in which a public-key infrastructure is not available. Forceful characteristics such as changing the key of a user in a chain of command influences the performance of an admittance organize scheme more than other dynamic properties such as adding or deleting a security class to the hierarchy [41]. To overcome forgery attacks, the authors focuses on the security of the data provenance specific to a wireless sensor network. The paper provides a scheme to detect forgeries in provenance data, detection of packet drop attacks and also identifies the attacker of packet drop attacks [42]. This scheme used a packet bloom filter data structure for encoding provenance data. Hash functions are used to encode the provenance data in Sensors 2017, 17, 670 8 of 20 packet bloom filter. The use of a bloom filter data structure results in a lightweight scheme which is suitable for wireless sensor networks. Each packet consists of the sequence id of the packet, actual sensor data, and an n-bit bloom filter vector. To detect a forgery attack, the ID of the each node in the path is encoded into the bloom filter vector. It is assumed that base station knows the path of the received packet. When a packet is reached at the base station in the WSN, a fresh bloom filter is taken and encoded with all nodes in the path. If the generated bloom filter and bloom filter extracted from the received packet are the same, then there is no forgery attack, and otherwise there is a forgery attack. Actual sensor data is also secured along with provenance data with the scheme proposed in this paper. Experimental results proved the effectiveness and the lightweight nature of the scheme.

4. Efﬁcient Keying for Multi-Party Scheme (EKM) In this phase, mutual authentication and session key establishment takes place between the participants. During cluster key establishment, an H-sensor or cluster head (CH) receives encrypted IDs of L-sensors from neighboring nodes. CH decrypts these IDs using the pre-distributed master key K. After receiving the IDs, a hash of these IDs is calculated and stored in memory as illustrated in Figure3. CH selects random IDs from the stored hash list to compute the polynomial. Finally, the polynomial is concatenated with its MAC and encrypted using a master key to transmit towards all neighboring nodes. In our scheme, we considered the hierarchical structure of [20] for the deployment. It has been assumed that the H-sensor and L-sensors are deployed uniformly. It is also presumed that the CH is tamper resistant and cannot be compromised. A list of the notations for EKM is provided in Table1.

Table 1. List of Notations for EKM.

Notation Description

Phj Polynomial Value IDLi ID of member Node Li h(IDLi) Hash of Node ID γ, n Cluster Size, Network Size

NIDLi Array of Node IDs from i = 1 to n R Number of Random Hash Values CH, BS Cluster Head, Base Station KC–B Key between CH and BS KM Master Key KCL Key between CH and Li MAC(Li) Message Authentication Code of Li

LISTLi List of ordinary sensors Ah(ID) Array of Hash values PLi Polynomial for Li M1–M4 Message 1 to 4 C1–C3 Cipher texts of M1 to M3 HLi Hash calculated at Li PLi, PCHJ, PBS Concatenated string at Li, CHj and BS for transmission

Every common node has been preloaded with a hash function, master key, encryption and decryption functions along with a unique ID by the sink. The CH is also pre-loaded with similar credentials along with a polynomial calculation function. The CH and sink server have secure authentication mechanisms, including ECC which is hard to reverse. The CH forwards this request after making it secure to s sink that veriﬁes the request and responds to the CH granting or denying this request. Figure4 shows that the CH receives an encrypted message EKM(IDLi||MAC(IDLi)) containing the ID of Li and MAC(IDLi). The CH selects the random IDs and hashing to calculate a polynomial using Equation (3). Finally, the CH transmits the encrypted message EKM(Ph||MAC (Ph)) to the L-sensors. Sensors 2017, 17, 670 9 of 20

Initially, the polynomial Ph is calculated by using Equation (2) where x is a pre-deﬁned signiﬁcant Sensors 2017, 17, 670 9 of 20 value, and the hashes h are calculated for all member node identities from IDLa to IDLa+γ where γ be the cluster size. We further reduced the computation overhead by taking XOR of a randomly selected of a randomly selected number of hash values instead of taking the XOR of all values. The CH numberSensors of 2017 hash, 17 values, 670 instead of taking the XOR of all values. The CH generates the hashes9 ofof 20 all IDs generates the hashes of all IDs received from neighboring L-sensors using the initialize procedure. received from neighboring L-sensors using the initialize procedure. of a randomly selected number of hash values instead of taking the XOR of all values. The CH generates the hashes of all IDs received from neighboring L-sensors using the initialize procedure.

Figure 4. IntraIntra-cluster-cluster key establishme establishment.nt. Figure 4. Intra-cluster key establishment.

h AfterAfter thethehashing thehashing hashing calculation, cal calculculation,ation, the the theCH CHCHmakes makesmakes a polynomial a a pol polynomialynomialPh byP hP takingby by taking takingXOR XOR ofXOR randomlyof randomlof randoml choseny y Rchosenhashchosen valuesR hash R hash asval shown uesvalues as inasshown Equationshown in in Equation (3),Equation where (3)(3)a,,, whereb and aca, are,b b and and indices c arec are indices of indices randomly of randomlof randoml selectedy selyected node selected IDs fornodeRnode =IDs3: forIDs R for = R3: = 3: = ( − − − Ph x ha(IDLa ) XOR x ha+1 IDLa+1 ...XOR(x ha+γ(IDa+γ)) (2) 푃ℎ =푃ℎ(=푥 −(푥ℎ−푎ℎ(퐼퐷푎(퐼퐷퐿 퐿)푎 푋푂푅) 푋푂푅 ( 푥(푥−−ℎℎ푎푎++1(퐼퐷퐿퐿푎+1))). . ..푋푂푅. 푋푂푅(푥(−푥 −ℎ푎 +ℎ훾푎(+퐼퐷훾(푎퐼퐷+훾)푎)+ 훾)) (2) (2) 푎 푎+1 P = (x − ha(ID ) XOR x − h ID XOR (x − hc(IDc)) (3) h 푃 = (푥 − ℎ (L퐼퐷a ) 푋푂푅 (푥 − ℎb (퐼퐷 Lb)) 푋푂푅 (푥 − ℎ (퐼퐷 )) ℎ 푎 퐿푎 푏 퐿푏 푐 (푐 ) (3) 푃ℎ = (푥 − ℎ푎(퐼퐷퐿푎) 푋푂푅 (푥 − ℎ푏(퐼퐷퐿푏)) 푋푂푅 (푥 − ℎ푐 퐼퐷푐 ) (3) Moreover, the algorithmic steps of Equation (3) are illustrated in Figure5. We recommend using Moreover, the algorithmic steps of Equation (3) are illustrated in Figure 5. We recommend R = 3Moreover,, i.e., randomly the altakinggorithmic three hashsteps values of Equation and using (3) XORare iltolustrated generate in the Figure polynomial. 5. We recommend It is enough using R = 3, i.e., randomly taking three hash values and using XOR to generate the polynomial. It is tousing create R = confusion 3, i.e., randoml for they attackertaking three in the hash selection values of andIDs usingout of XORN .to generate the polynomial. It is enough to create confusion for the attacker in the selection of IDs outIDs of NIDs. enough to create confusion for the attacker in the selection of IDs out of NIDs. public: public: Set 푁퐼퐷푠 as Array //To store neighbor IDs SetSet 푁 퐼퐷푠퐴ℎ( 퐼퐷as) Arrayas ArrayList //To //To store store neighbor hash of IDs IDs

SetSet 퐴 ℎP(h퐼퐷 //To) as save ArrayList Polynomial //To store hash of IDs

Setprocedure Ph //To save Initialize Polynomial() { procedurefor iInitialize = 1 to sizeof() { (푁퐼퐷푠) - 1 퐴ℎ(퐼퐷)[푖] = hash(푁퐼퐷푠[푖]) for i = 1 to sizeof(푁퐼퐷푠) - 1 end } 퐴ℎ(퐼퐷)[푖] = hash(푁퐼퐷푠[푖]) procedure generatePolynomial() { end } Set R as Array //Random Node IDs<<푁퐼퐷푠 procedure generatePolynomial() { Ph = x - 퐴ℎ(퐼퐷)[푅[0]] Set R as Array for //Random i = 1 TO Node sizeof IDs<<(R)-1 푁퐼퐷푠

Ph P=h =Px - h 퐴XORℎ(퐼퐷 ()x[ 푅- [퐴0ℎ](]퐼퐷 )[푅[푖]]) end } for i = 1 TO sizeof(R)-1

Ph =PFigureh XOR 5. ( Polx - ynomial퐴ℎ(퐼퐷) cal[푅cul[푖]ation]) algorithm. Figure 5. Polynomial calculation algorithm. end } 4.1. Addition of New Node 4.1. Addition of New Node Figure 5. Polynomial calculation algorithm. After deployment of WSN, the addition of a new sensor node in the cluster may also occur. For Afternew node deployment addition, ofthe WSN, base station the addition plays a of vital a new role sensor in the nodeauthentication in the cluster process may and also performs occur. the For new 4.1. Addition of New Node nodesetup addition, phase. the Into base the station network plays setup a model vital role phase, in thethe authenticationBS introduces the process new sens andor performsto the CH. theThe setup Aftersensor depl nodeoyment is pre-l oadedof WSN, with the the addition master keyof a (K), new a onesensor-way node hash in function the cluster h(x) andmay a al randomlso occury . For new node addition, the base station plays a vital role in the authentication process and performs the setup phase. Into the network setup model phase, the BS introduces the new sensor to the CH. The sensor node is pre-loaded with the master key (K), a one-way hash function h(x) and a randomly

Sensors 2017, 17, 670 10 of 20

Sensors 2017, 17, 670 10 of 20 phase.Sensors Into 2017 the, 17 network, 670 setup model phase, the BS introduces the new sensor to the CH.10 The of 20 sensor node is pre-loaded with the master key (K), a one-way hash function h(x) and a randomly selected selected node id IDL . After that, Bthe S broadcasts an encrypted message containing nonceB, NID selected node id ID i . After that, Bthe S broadcasts an encrypted message containing nonce , N L i node id IDLi . After that,Li Bthe S broadcasts an encrypted message containing nonceB, NB IDLiIDL(listi of (list of L-sensor IDs) and MAC_ADRSIDLi to all cluster head nodes as illustrated in Protocol-1. CH L-sensor(list of IDs) L-sensor and MAC_ADRS IDs) and MAC_ADRSto allID clusterLi to all head cluster nodes head as nodes illustrated as illustrated in Protocol-1. in ProtocolCH replies-1. CH with replies with an encrypted messageIDLi containing IDCH and nounceB. The cluster head multicasts the replies with an encrypted message containing ID and nounce . The cluster head multicasts the an encryptedsession key, message list of containing member nodesIDCH andand MACnounce in encryptedCHB. The cluster form.B head This multicasts ensures the the o sessionriginality key, and list of session key, list of member nodes and MAC in encrypted form. This ensures the originality and memberreliabil nodesity of and the MAC node joiningin encrypted process. form. The This new ensures node addition the originality protocol andand reliability flow diagram of the are node reliability of the node joining process. The new node addition protocol and flow diagram are joiningdepicted process. in Figures The new 6 and node 7, respectivel additiony, protocol where before and ﬂownew node diagram addition are depictedCH get an in authentication Figures6 and 7, depicted in Figures 6 and 7, respectively, where before new node addition CH get an authentication respectively,from the whereBS. After before successful new node authentication, addition CH CHget runs an authentication Protocol-2 forfrom verification the BS. Afterusing successful secret from the BS. After successful authentication, CH runs Protocol-2 for verification using secret credentials. authentication,credentials. CH runs Protocol-2 for veriﬁcation using secret credentials.

FigureFigure 6. 6.6. NetworkNetwork setupsetup setup protocol protocol protocol.. .

Figure 7. Node addition protocol flow diagram. FigureFigure 7. 7.Node Node additionaddition protocol protocol fl ﬂowow diagram diagram..

TheThe new new LL--sensorsensor is deployed randomlyy in in the the sensor sensor network network area. area. TheThe new new L -Lsensor-sensor encryptsThe new itsL-sensor id and isMAC deployed_ADRS퐼퐷 randomly through inits thepre- sensorloaded networkmaster key area. KM The. The new clusterL-sensor head, encryptswhich its encrypts its id and MAC_ADRS퐼퐷퐿푖 through its pre-loaded master key KM. The cluster head, which already has a list of new sensors,퐿푖 verifies it by comparing the received MAC with its list. After id andalreadyMAC_ADRS has a listID ofLi through new sensors, its pre-loaded verifies it master by comparing key KM. theThe received cluster head, MAC which with its already list. After has a list verification, it replies with polynomials 푃ℎ encrypted using KM. The new L-senor decrypts the of new sensors, verifies it by comparing the received푗 MAC with itsM list. After verification, it replies with verification, it replies with polynomials 푃ℎ푗 encrypted using K . The new L-senor decrypts the message and gets a polynomial to calculate a cluster key 퐸 between CH and 퐿 . Finally, CH polynomials Ph encrypted using KM. The new L-senor decrypts퐾퐶퐿 the message and gets푖 a polynomial to message andj gets a polynomial to calculate a cluster key 퐸퐾퐶퐿 between CH and 퐿푖. Finally, CH informs all members to add 퐼퐷퐿푖 in member list as illustrated in Protocol 2. If a new node is a calculateinforms a cluster all members key EK CL to between add 퐼퐷퐿푖CH in and memberLi. Finally, list as CH illustratedinforms in all Protocol members 2. toIf aadd newID nodeLi in member is a list as illustrated in Protocol 2. If a new node is a malicious node, then the CH sends an adversary Sensors 2017, 17, 670 11 of 20

Sensors 2017, 17, 670 11 of 20 identification message to the base station. After the deployment in a heterogeneous network, new nodes are placedmalicious in such node, a positionthen the whereCH sends they an canadversary communicate identification directly message with the to the cluster base head.station. Figure After6 the shows the overalldeployment scenarios in a ofheterogeneous Protocol-1 in network, steps 1 tonew 3 whereasnodes are Protocol-2 placed in issuch in stepsa position 4 to 7.where they can communicate directly with the cluster head. Figure 6 shows the overall scenarios of Protocol-1 in 4.2. Migrationsteps 1 to of3 whereas Node Protocol-2 is in steps 4 to 7. To increase the lifetime of a WSN network, we have proposed a secure node join protocol for 4.2. Migration of Node moved nodes. The main purpose of this phase is to add displaced nodes to existing clusters by the CH sensingTo rangeincrease in the their lifetime locality. of a WSN There network, are instances we have in proposed which a nodea secure can node belong join protocol to two clusters,for inducingmoved a loss node ofs. capability The main purpose in the different of this phase one, whichis to add will displ resolveaced node this issue;s to exist theing cluster cluster headss by the that do CH sensing range in their locality. There are instances in which a node can belong to two clusters, not have a speciﬁc sensor kind in their clusters invite the missing sensor to join or suggest another CH inducing a loss of capability in the different one, which will resolve this issue; the cluster heads that according to its sensing range. This achieves better security in an environment where nodes are mobile do not have a specific sensor kind in their clusters invite the missing sensor to join or suggest and leave/joinanother CH the according cluster to frequently. its sensing We range. have This maintained achieves better a binary security search in treean environment for all network where nodes at thenodes BS that are ismobil awaree and of l eacheave/join leave the and cluster join frequentl operation.y. We Similarly, have maintained a Binary a Searchbinary search Tree (BST) tree for is also maintainedall network at the nodesCH atto the keep BS that the nodeis aware list of updated each leave and and maintain join operation. a record Simil ofarl leavingy, a Binary nodes. Search It also keepsTree a list (BST of rejected) is also maintainednodes which at dothe notCH haveto keep security the node credentials list updated as per and issued maintain by BS. a record This guardsof againstleaving intruders nodes. joining It also thekeeps network a list of during rejected migration nodes which from do other not have networks. security We credential have supposeds as per that an intrusionissued by detection BS. This system guards is against working intruders to identify joining those the nodes network that during were migrationtrustworthy from but other now are performingnetworks. malicious We have activitiessupposed duethat an to intrusion some attack. detection Such system nodes is areworking also to added identify to thethose rejected nodes list. that were trustworthy but now are performing malicious activities due to some attack. Such nodes Due to this record keeping, the CH intimates in a timely way the nodes that want to send a message are also added to the rejected list. Due to this record keeping, the CH intimates in a timely way the to a nodenodes that that haswant left to thesend network a message or to been a node set that as malicioushas left the to network saves extraor been communication set as malicious costs to at low-poweredsaves extra nodes. communication During thecost nodes at low migration-powered and nodes. addition During scenario, the node themigration protocol and inaddition Figure 8 is describedscenario, in a the stepwise protocol manner in figure in following8 is described section. in a stepwise Figure9 elucidatesmanner in thesefollowing protocol section. steps Figure in a 9 node wise interactionelucidates these scenario. protocol steps in a node wise interaction scenario.

Figure 8. Node migrations and addition protocol. Figure 8. Node migrations and addition protocol. Sensors 2017, 17, 670 12 of 20

Before node migration, CHi sends a node migration notation to BS with the valid Sensors 2017, 17, 670ID of a sensor node that needs to migrate. A migrated node sends a joining request12 of 20 to join new cluster CHj with a pre-shared key and transmits secret credentials for Steps 1–3 the joining process. Upon receiving a migrated node joining request, the CHj get Before node migration, CHi sends a node migration notation to BS with the valid ID of a sensor nodeverification that needs to from migrate. the BS A migrated by sending node a sendsverification a joining request. request toThe join BS new verifies cluster orCH rejectj withs a pre-sharedthe node key joining and transmits procedure secret by credentials comparing for said the joining node’s process. identity Upon in receivingthe block node Steps 1–3 a migrateddatabase. node joining request, the CHj get verification from the BS by sending a verification request.After The the BS verifiesmigrated or rejects node the joining node joining request procedure verification, by comparing the saidBS node’scomputes identity an in Steps 4–5 the blockauthentication node database. message for CHj and transmits it in encrypted form using a shared After the migrated node joining request verification, the BS computes an authentication message Steps 4–5 key. for CH and transmits it in encrypted form using a shared key. Thej CHj verifies the message credibility using secret parameters before adding the The CHj verifies the message credibility using secret parameters before adding the migrated node Steps 6–7 migrated node in its cluster. Carrying out verification, CHj sends a join success Steps 6–7 in its cluster. Carrying out verification, CH sends a join success message to the migrated node and message to the migrated node andj an acknowledgment bit to the BS an acknowledgment bit to the BS Upon the migrated node successfully joining, CHj computes a fresh polynomial Upon the migrated node successfully joining, CH computes a fresh polynomial using Steps 8–9 j Steps 8–9 Equationsusing (2)Equations and (3), and (2) updatesand (3), theand cluster update keys the for futurecluster communication key for future and communication process aborts. and process aborts.

Figure 9. Node migration setup and new intra intra-group-group session keys.keys.

5. EKM Formal S Specificationpecification We have carried out aspect modelingmodeling the use of Non Non-monotonic-monotonic Cryptographic Protocol Protocol (NCP), (NCP), as wel welll referred referred to to as asRubin Rubin logic logic [43] [ 43by] anal byyzing analyzing and verify and verify the EKM the protocol EKM protocol as much as as much possibl ase possiblethrough through formal formalspecifications. specifications. It validates It validates the the protocol protocol as as approximating approximating through through standard requirements about cryptographic operations l likeike node authentication, message integrity, message freshness, encryption, decryption, etc. It It additional additionallyly hel helpsps to to become become aware of any deficienciesdeficiencies within the proposed protocol and possibilitiespossibilities regarding compromise attacks. It It is cl closeose to the real implementationimplementation and fl flowow of programming functions. In Rubin l logic,ogic, the entities are allocatedallocated rolesroles and a globalglobal set is additionallyadditionally maintained where data about thethe protocol is maintained in sets then these alsoalso keep keep updated updated states states on the on users the users after everyafter every updateable updateabl operation.e operation. Global sets Global are availablesets are

Sensors 2017, 17, 670 13 of 20 in conformity with entire the part nodes, however, may stand labeled as secret, observer, rule and essential sets. A local set is maintained at each entity or node and can be classified into possession POSS(), belief BEL(), seen and behavior sets BL(), the explicit specifications from [13] of these sets investigated. By applying Rubin logic on EKM, the local set involved is in Table2, and then its verification and analysis part provides a detailed overview of all sets continue under the grouping of the local set. Local sets for all the participants including sender, receiver and actor nodes are independently managed. A possession set POSS (entity) holds all the constraints involved in message encryption, decryption and other procedures executed at a local RAM of each entity as described in the section below. A behavior list BL() holds the list of operations and input arguments that are performed in near to execution steps by entities Li, CH and BS.

Table 2. Local set for EKM.

1. Sender (Li)

POSS(Li) = {IDLi,KLi − CHj} Receive(CHj, {IDBS,C3}) BEL(Li) = {#(IDLi), #(KLi − CHj) } Split({IDBS,C3}) BL(Li) = Hash(h(.); IDLi) → HLi Decrypt({C3}, KCHj-BS) to get Concat(IDLi, nonceLi, Join-Req, MAC_ADRSLi,HLi) → PLi [IDBS, IDLi, Join-CodeT, MAC(Concat(IDBS, IDLi)] Encrypt({PLi}, KLi − CHj ) → C1 Verify Join-CodeT for IDLi Send(CHj, {IDLi,C1}) → M1 If false then abort Update(nonceLi,HLi) Add IDLi in node_list ~ Receive(Li, {IDCHj,M4}) Concat(IDCHj, ‘Join_Success’) → PCHj ~ Split({IDCHj,M4}) Send(BS, {PCHj }) → M4 If message does not equal “Join_Success” then abort 3. Base Station (BS) 2. Cluster Head (CH) POSS(BS) = { IDBS,KBS–CHi,KBS–CHj, List_Nodes} POSS(CH) = {IDCHj,KLi - CHi, K, KBS-CHj,KM} BEL(BS) = {#(IDBS), #(KBS–CHi), #(KBS–CHj)} BEL(CH) = {#(IDCHj), #(KLi - CHi), #(KBS-CHj), #(KM)} BL(BS) = BL(CH) = Receive(BS, {IDCHj,C2}) Receive(CHj, {IDLi,C1}) Split({IDCHj,C2}) Split({IDLi,C1}) Decrypt({C2}, KCHj-BS) to get [IDCHj, IDLi, nonceCHj, Decrypt({C1}, KCHj-Li) to get Ver-Req, MAC_ADRSLi,HLi] [IDLi, nounceLi, Join-Req, MAC_ADRSLi,HLi] Verify Li and check in Block_List Concat(IDCHj, IDLi, nonceCHj, Ver-Req, If not veriﬁed then Abort MAC_ADRSLi)→PCHj Concat(IDBS, IDLi, Join-CodeT) → PBS Encrypt({PCHj,HLi}, KCHj-BS ) → C2 Encrypt({PBS, MAC(Concat(IDBS, IDLi)}, KCHj-BS) → C3 Send(BS, {IDCHj,C2}) → M2 Send(CHj, {IDBS,C3}) → M3 Update(MID) Update(MID)

The detailed analysis of the proposed scheme is presented in Table2 by considering all communication actors. The sensor node Li authenticates itself to its cluster head by sending a join request message containing Hash(h(.); IDLi). Upon receiving this message, CHi computes polynomial PLi and reply C1 in encrypted message M1 to Li. Upon receiving Li splits the received message and verifies it by getting CH and its information for joining a group. On the other hand, CHi contains its own (ID), member node (IDs), master key, and encryption key to communicate with CHi and member node Li in its possession. In CHi, we believe the received messages and participant information are reliable and trustworthy. Upon receiving credentials from member nodes, CHi decrypts them by using the corresponding secret key and verifying the information after decrypting the ciphered text. Based on strong verification CHi accepts or aborts the member node join, leave and migration requests as well as communicates with the BS. The third and the most important entity of this scenario is (BS), which has more computation, communication, and storage power. CHi possess their own (ID), CH(IDs), secret keys and a list of member nodes with their (IDs) It believes it has secure communication mechanisms for (BS) − CHi, (CHi) − CHi and strong, secure key generation protocols. It verifies, CHi sensor nodes, and their authentication credentials and the validities of their identities. Sensors 2017, 17, 670 14 of 20

EKM Analysis and Veriﬁcation In this subsection, EKM is broken down for a node migration situation as discussed in Section 4.2. In this case, the key circulation is started by the base station that preloads the security credentials in Li and then (Li) transmits a message M1 to the cluster heads CHj. After receiving the message, CHj gets the node ids of participant sensor node and calculates the shared session key. Upon the completion of the transmission operation, an update operation is performed to refresh the spectator list demonstrated as follows. Related parameters including messages, ciphers, nonce values, actual key, and hashes are saved in possession set at Li during the key establishment phase as shown below. At the end of the migration, the forget operation removes the temporary values used in operations including nonceLi, PLi, HLi, C1, M1, M4.

POSS(Li) = {IDLi,KLi−CHj, nonceLi,PLi,HLi,C1,M1,M4}

After receiving messages, CHj, decrypts them to retrieve a concatenated message that is further split to get the actual parameters. The possession set at CHj contains the following parameters during execution of the abovementioned operations. The forget operation will result in removing the temporary values including PCHj, nonceLinounce, C1, C2C, M2M, C3C, M4, HCHj, PCHj∼, nonceCHj nounce from the possession set:

POSS(CHj) = {IDCHj, KCHj−Li, KCHj−BS, PCHj, nounceLi, C1, C2, M2, C3, M4, HCHj, PCHj, nounceCHj, IDBS, IDLi}

The BS receives the message from CHj and after decryption, it veriﬁes the Li and its security credentials. The possession set values at the BS contain temporary values as shown below. Forget operations are performed to remove the values PBS, C2, C3 and M3:

POSS(BS) = {IDBS, KBS−CHj, PBS, C2, C3, M3, IDLi, Join-CodeT}

The receiver node BS veriﬁes the credentials sent by the CHj and then returns a message containing Join-CodeT to CHj. Finally, the possession set at Li is refreshed after the completion of node migration from CHi and successful joining at the CHj.

6. Results and Analysis The proposed scheme is simulated using NS2.35 using C on Fedora core-12. TCL is utilized for simulating the nodes in multiple clusters. H-sensors are separately configured for an initial energy of 10,000 Joules, and message transmission and receiving has a cost of 0.5809 J and 0.049 J, respectively. The transmission radii of the H-sensor and L-sensor are set at 300 m and 50 m, respectively. We deploy five clusters with varying cluster size from 10 to 100 in a region of 1300 × 1300 m for measuring energy consumption, computational and storage overheads. The polynomial calculation algorithm is also implemented in Visual Studio 2013 using C#, as a programming language. PERL scripts are written to extract the resulting values from the trace file and plot the graph.

6.1. Computation Overheads We have considered some basic operations v during long multiplication of two numbers x, y. Computation cost is (2 × v) × v = 2 × v2 by taking the same count of digits n for both numbers. Results of short multiplications are aligned under the respective numbers of β. To simplify, we put zeros in the empty positions. Figure 10a shows that a multiplication operation in DGP [18] takes 449.2 signiﬁcant process shares and EKM consumes only 4.7 operation shares. The computational complexity to perform n-XOR operations is O(n) in the EKM. The computational complexity of adding Sensors 2017, 17, 670 15 of 20

Sensors 2017, 17, 670 15 of 20

2 twoadding binary two numbers binary isnumbersO(n) whereas is O(n) whereas that of multiplying that of multipl twoying numbers two numbers is O(n is). O Doubling(n2). Doubl theing numberthe Sensors 2017, 17, 670 2 2 15 of 20 of bitsnumber in values of bitsx ,iny ,val resultsues x, iny, resul a quadruplets in a quadrupl value ase val (2nue) as= ( 42nn ).2 = 4n2. adding two binary numbers is O(n) whereas that of multiplying two numbers is O(n2). Doubling the number of bits in values x, y, results in a quadruple value as (2n)2 = 4n2.

(a) (b)

FigureFigure 10. 10.Polynomial Polynomial computational computational cost cost in in (a (a) )and and energy energy consumptions consumptions in (b in). (b). (a) (b) To compute the hash value of a message using SHA-1, a sensor node consumed 5.9 μJ/Byte. For To computeFigure the hash 10. Polynomial value of computational a message usingcost in (SHA-1a) and energy, a sensor consumptions node consumed in (b). 5.9 µJ/Byte. a 16-bit ID, it requires 11.8 μJ. For n = 20 member nodes 11.8 × 20 = 236 μJ energy is required just to For a 16-bit ID, it requires 11.8 µJ. For n = 20 member nodes 11.8 × 20 = 236 µJ energy is required calculToate compute the hash the of hash IDs. val It isue directlof a messagey proportional using SHA to - cl1,uster a sensor size node for DGP consumed [18] as 5.9 il lμJ/Byte.ustrated For in justFigurea to 16 calculate-bit 10b ID,. it In therequires the hash proposed 11.8 of IDs. μJ. EKM, For It is n onl directly= 20y member three proportional hash nodes values 11.8 to are × cluster20 randoml = 236 size μJy energy sel forected DGP is torequired [ 18 cal]cul asate illustratedjust the to in Figureactualcalcul ate10key b. the Inand hash the hence proposed of IDs. it is It isindependent EKM, directl onlyy proportional three of the hash cluster to values cl uster size. are size This randomly for greatl DGPy selected reduces[18] as il tol theustrated calculate energy in the actualconsumptionFigure key and 10b. hence In without the it proposed is reducing independent EKM, the security onl ofy the three clusterstrength. hash size. values This are greatly randoml reducesy selected the energy to calcul consumptionate the withoutactual reducing key and the hence security it is strength. independent of the cluster size. This greatly reduces the energy 6.2.consumption Latency Time without reducing the security strength. 6.2. Latency Time Latency is the time consumed for a data packet to move from one cluster head in the sensor 6.2. Latency Time networkLatency to is the the L time-sensors consumed. Our resul fort a in data Figure packet 11a toindicates move fromthat the one latency cluster time head isin re theduced sensor networkconsiderablL toatency theyL -sensors. whenis the ittime is Our comparedconsumed result in with for Figure a DGP data 11 a [packet18 indicates]. EKM to movecomputed that the from latency theone cl cl timeuster,uster is keyhead reduced efficiency in the considerably sensor and whenreducednetwork it is compared the to del theay L with-onsensors cl DGPuster. Our [head18 ]. resul EKMlatencyt in computed Figuremeasured 11a the by indicates cluster,finding keythethat efficiencyinitiatingthe latency protocol and time reduced foris resessionduced the delay on clusterkeyconsiderabl and head endy time.when latency In it theis measured comparedproposed by scenariowith finding DGP the the[18 group]. initiating EKM head computed and protocol member the for cl nodeuster, sessions participatekey key efficiency and during end and time. session key generation and symmetric parameters consuming less time in establishing a session key In thereduced proposed the del scenarioay on thecluster group head head latency and mea membersured nodes by finding participate the initiating during protocol session keyfor session generation forkey group and end members. time. In Figure the proposed 11a,b show scenario the time the delgroupay with head respect and member to group node sizes participateand the proposed during and symmetric parameters consuming less time in establishing a session key for group members. schemesession showskey generation less latency and which symmetric is efficient. parameters consuming less time in establishing a session key Figure 11a,b show the time delay with respect to group size and the proposed scheme shows less for group members. Figure 11a,b show the time delay with respect to group size and the proposed latencyscheme which shows is efficient. less latency which is efficient.

(a) (b)

Figure 11. Latency comparisons in (a) communication energy in (b). (a) (b)

Figure 11. Latency comparisons in (a) communication energy in (b). Figure 11. Latency comparisons in (a) communication energy in (b).

SensorsSensors2017 2017, ,17 17,, 670 670 1616 of of 2020

6.3. Communication Overhead 6.3. Communication Overhead Communication cost is measured by taking the ratio of transmitting bytes to received bytes. EKMCommunication significantly reduces cost is measuredthe number by of taking messages the ratio transmitted of transmitting during bytes new to node received addition bytes. as EKM significantly reduces the number of messages transmitted during new node addition as compared compared to DGP [18], as depicted in Figure 11b. We have set the transmission cost Tc = 59.2 μJ to to DGP [18], as depicted in Figure 11b. We have set the transmission cost T = 59.2 µJ to transmit and transmit and the message receiving cost Rc = 28.6 μJ per byte. The total cenergy consumed during the message receiving cost Rc = 28.6 µJ per byte. The total energy consumed during transmission transmission is 푚 × (푇푐 + 푅푐 ) where m is the number of messages. The lifetime of a sensor isnetworkm × (T c is+ inverselRc) wherey proportionalm is the number to its of messages.energy consumption. The lifetime ofThe a sensor proposed network plan is is inversely a very proportionalcomputational toly its lightweight energy consumption. procedure outlTheined proposed particul planarly is for a very the computationally client validation lightweight of WSNs in procedurethe IoT environment. outlined particularly The method for theguarantees client validation high security of WSNs whil ine util theizing IoT environment. just straightforward The method hash guaranteesand XOR cal highculati securityons, al whileong these utilizing lines, just it requires straightforward more stockpil hash anding thanXOR othercalculations, related alongideas. theseSince lines,the novel it requiresty of the more proposed stockpiling plan thanis the other “sensor related-hub ideas. first-contact Since the-approach”, novelty of together the proposed with its plan high is thesecurity, “sensor-hub the sensor first-contact-approach”, hubs and the CH togetherneed to withconvey its highsome security, additional the cap sensoracity hubs weight. and the In CH this needsubsection, to convey we some displ additionalay the capacity capacity util weight.ization Inof thisoursubsection, proposed pl wean display and compare the capacity it with utilization related ofideas. our proposed plan and compare it with related ideas. EKMEKM refreshesrefreshes keyskeys duringduring nodenode migration,migration, keykey freshnessfreshness andand nodenode joiningjoining moremore thanthan otherother similarsimilar ones,ones, but but it it is is stil stilll bel belowow the the existing existing schemes schemes concerning concerning performance performance and andefficiency. efficiency. The Theanal analysisysis compl completedeted by assessing by assessing every every scheme scheme in detail in detail and cal andcul calculatingating the whol thee whole length length of every of everyvariabl variablee the CH the orCH theor sensor the sensor node nodeneed needto save to saveinto intoits memory, its memory, whil whilee efficientl efficientlyy executing executing one oneregistration registration andand authentication authentication stage stage.. Before Before the the review, review, with with the the end end goal goal of of a a targeted targeted investigation,investigation, we firstl firstlyy determined determined the the length length of ofeach each type type of a of variabl a variable,e, which which could could be used be in used the inschemes, the schemes, regardl regardlessess of the of lengths the lengths some someauthors authors proposed. proposed. WeWe havehave comparedcompared our proposed EKM EKM scheme scheme for for efficiency efficiency of of communication communication and and number number of ofof ofdata data exchange exchangess in in contrast contrast to to authentication authentication protocol protocol for for healhealthcarethcare applicationsapplications (APHA) (APHA) [ [44],44], mutualmutual authenticationauthentication andand keykey agreement agreement (MAKA) (MAKA) scheme scheme [ 45[4]5 and] and enhanced enhanceduser user authenticationauthentication protocolprotocol (EUAP) (EUAP) [46 [46]] that that are recently are recentl proposedy proposed in IoT scenarios.in IoT scenarios. We used someWe used messages some exchanged messages afterexchanged deployment after depl of theoyment network of andthe network the results and show the thatresul thets proposedshow thatprotocol the proposed is efficient protocol for all is possibleefficient scenarios. for all possibl Thee communication scenarios. The and communication data used between and data all participating used between entities all participating for secure nodeentities registration, for secure migrationnode registration, and addition migration has been and consideredaddition has in been Figure considered 12a,b. in Figure 12a,b.

(a) (b)

Figure 12. Performance analysis on communication cost where (a) represents the message count and Figure 12. Performance analysis on communication cost where (a) represents the message count and (b) represents the size of data exchanged. (b) represents the size of data exchanged.

6.4. Storage Overhead 6.4. Storage Overhead The amount of memory required to store security parameters and key space is considered the The amount of memory required to store security parameters and key space is considered the storage cost. The total number of sensor nodes in a network are 푛푇 = 푛퐻 + 푛퐿 where nH and nL storage cost. The total number of sensor nodes in a network are nT = nH + nL where nH and nL represent the total high power nodes and member nodes, respectively. DGP [18] requires represent the total high power nodes and member nodes, respectively. DGP [18] requires multiplication multiplication factors 퐹 = ID × 푛퐿 to calculate a polynomial. It stores (IDB × (훾 − 1)) + (ℎ(ID)퐵 ×

Sensors 2017, 17, 670 17 of 20

Sensors 2017, 17, 670 17 of 20 factors F = ID × nL to calculate a polynomial. It stores (IDB × (γ − 1)) + (h(ID)B × (γ − 1)). bytes (훾 − 1)) ID 훾 ℎ(ID) where ID Bbytesrepresents where the sizeB represents of ID in bytes, the sizeγ is of cluster ID in size, bytes and, h (isID cl)Buster. is the size, size and of the hash퐵 valuesis the insize bytes. of the For hashγ = val30,ues it requires in bytes. 30 For factors 훾 = to30 be, it multiplied requires 30 for factors calculating to be just mul atipl one-timeied for polynomial.calculating ID = 16 − ℎ(ID) = Moreover,just a one-time we havepolynomial considered. Moreover, a value we of haveIDB = considered16−bits and a valhue(ID of)B =B160 bitsbits for aand secure hash퐵 function.160 bits for It coulda secure be much hash expensive function. Itas coul the clusterd be much size increases. expensive In as proposing the clusterEKM size, the increases. suggested In valueproposing of F =EKM3 and, the requires suggested 87% lessvalue factors of F = as 3 comparedand requires to DGP87% l [ess18] factors with a clusteras compared size of to 30-nodes DGP [18 as] illustratedwith a cluster in Figure size of 13 30. -nodes as illustrated in Figure 13.

Figure 13. StorageStorage overhead comparison.comparison.

6.5. Energy Consumption To compute the hash hash val valueue of of a amessage message using using SHASHA-1-1, a, sensor a sensor node node consumed consumed 5.9 5.9μJ/Byte.µJ/Byte. For Fora 16 a-bit 16-bit ID, it ID, requires it requires 11.8 11.8μJ. ForµJ. n For = 20n =member 20 member nodes nodes 11.8 × 11.8 20 =× 23620 μ =J 236energyµJ energy is required is required just to justcalcul toate calculate the hash the of hash IDs. of It IDs. is directl It is directlyy proportional proportional to cl touster cluster size size for forDGP DGP [18] [ 18as] asillustrated illustrated in inFigure Figure 14 b14. b. In Inthe the proposed proposed EKM, EKM, onl onlyy three three hash hash va valueslues are are randoml randomlyy sel selectedected to calculatecalculate the actual keykey and and hence hence it is it independent is independent of the cluster of the size. cluster This size. greatly This reduces greatl they reducesenergy consumption the energy consumption without reducing the security strength. withoutSensors 2017 reducing, 17, 670 the security strength. 18 of 20 The amount of energy required to compute a polynomial by the cluster is linear and existing schemes have a multiple of n, where n is the number of nodes in a cluster. In the existing technique, cluster head calculates the polynomial after receiving all the ids of the L-sensors in its communication range. To compute the secure hash of a sensor node consumes 5.9 μJ/Byte [6]. To compute the hash of n L-sensors, the sensor node consumes the bulk of energy. We enhanced the existing technique for a more comprehensive decision about energy consumption for generating polynomials at cluster heads. To compute on a hash of an L-sensor id uses 5.9 μJ/Byte, so when we generated polynomials through the existing technique supposing the number of L-sensors is n then the consumption of energy is n × 5.9 which means it is directly proportional to the increment of L-sensors. The simulation of the proposed technique saves four-time more energy than existing techniques. A hash has 128-bit data to be processed which mean that 16-byte × 5.9 μJ is consumed for one way hashing. These results show that the generation of polynomials through multiplication is more energy consuming than the XOR. The number of sensor nodes varies from 10 to 100. The simulation results are shown in Figure 14a,b. We can find that the DGP [18] scheme consumes much more energy as compared to our proposed(a) EKM scheme. This is due to the extensive energy(b) consumption during executionFigure of 14 point. Energy mul fortipl polication,ynomial pairing, generation and is presentedmapping inal (gorithms.a) and key Eachgeneration node energy needs in to ( brun). these algorithmsFigure many 14. Energy times foraccording polynomial to the generation number is of presented neighbors in (a around) and key the generation computing energy node. in ( b). 7. Conclusions The amount of energy required to compute a polynomial by the cluster is linear and existing schemesThe have main a objectivemultiple of of nthe, where proposedn is the research number was of nodes to enhance in a cluster. and Inoptimize the existing the pol technique,ynomial generation during node joining in WSN clusters. In existing schemes, the concept of sequential multiplication was used to calculate the polynomial, which is expensive. This polynomial is recalculated every time a node joins or leaves the cluster, increasing communication, computation and storage overheads. EKM is based on generating polynomials using XOR of randomly selected

values. It increases the lifetime of sensor networks and reduces communication cost and memory overheads. Multiplication operations require a complexity of O(n2) whereas XOR requires O(n). Moreover, the majority of schemes have opted for a centralized approach, where a central node is fully responsible for secure authentication. The proposed research adopted a hybrid approach which is adequate for WSNs as this shares the tasks of the group controller among group members. During our systematic and simulation results, we have exposed that our proposed scheme requires a constant number of hash values to calculate a polynomial whereas in existing schemes that number increases rapidly with cluster size. Our scheme requires 87% less factors for a cluster size of 30 nodes per cluster. In the future, we plan to implement EKM in the Ubiquitous to Internet of Thing (U2IoT) scenario.

Author Contributions: Zahid Mahmood and Ata Ullah Ghafoor conceived and designed the experiments; Zahid performed the experiments; Huansheng Ning analyzed the data and overall proposed protocols, models, structure and flow of entire paper; Ata performed the formal modeling and verification of proposed scheme. Zahid contributed reagents/materials/analysis tools and also wrote the paper along with literature.

Conflict of Interest: The authors declare that there is no conflict of interest.

References

1. Jawhar, I.; Mohamed, N.; Agrawal, D.P. Linear wireless sensor networks: Classification and applications. J. Netw. Comput. Appl. 2011, 34, 1671–1682. 2. Yick, J.; Mukherjee, B.; Ghosal, D. Wireless sensor network survey. Comput. Netw. 2008, 52, 2292–2330. 3. Karlof, C.; Sastry, N.; Wagner, D. TinySec: A Link Layer Security Architecture for Wireless Sensor Networks, In Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems, Baltimore, MD, USA, 3–5 November 2004; pp. 162–175. 4. Abbasi, A.A.; Younis, M. A survey on clustering algorithms for wireless sensor networks. Comput. Commun. 2007, 30, 2826–2841.

Sensors 2017, 17, 670 18 of 20 cluster head calculates the polynomial after receiving all the ids of the L-sensors in its communication range. To compute the secure hash of a sensor node consumes 5.9 µJ/Byte [6]. To compute the hash of n L-sensors, the sensor node consumes the bulk of energy. We enhanced the existing technique for a more comprehensive decision about energy consumption for generating polynomials at cluster heads. To compute on a hash of an L-sensor id uses 5.9 µJ/Byte, so when we generated polynomials through the existing technique supposing the number of L-sensors is n then the consumption of energy is n × 5.9 which means it is directly proportional to the increment of L-sensors. The simulation of the proposed technique saves four-time more energy than existing techniques. A hash has 128-bit data to be processed which mean that 16-byte × 5.9 µJ is consumed for one way hashing. These results show that the generation of polynomials through multiplication is more energy consuming than the XOR. The number of sensor nodes varies from 10 to 100. The simulation results are shown in Figure 14a,b. We can ﬁnd that the DGP [18] scheme consumes much more energy as compared to our proposed EKM scheme. This is due to the extensive energy consumption during execution of point multiplication, pairing, and mapping algorithms. Each node needs to run these algorithms many times according to the number of neighbors around the computing node.

7. Conclusions The main objective of the proposed research was to enhance and optimize the polynomial generation during node joining in WSN clusters. In existing schemes, the concept of sequential multiplication was used to calculate the polynomial, which is expensive. This polynomial is recalculated every time a node joins or leaves the cluster, increasing communication, computation and storage overheads. EKM is based on generating polynomials using XOR of randomly selected values. It increases the lifetime of sensor networks and reduces communication cost and memory overheads. Multiplication operations require a complexity of O(n2) whereas XOR requires O(n). Moreover, the majority of schemes have opted for a centralized approach, where a central node is fully responsible for secure authentication. The proposed research adopted a hybrid approach which is adequate for WSNs as this shares the tasks of the group controller among group members. During our systematic and simulation results, we have exposed that our proposed scheme requires a constant number of hash values to calculate a polynomial whereas in existing schemes that number increases rapidly with cluster size. Our scheme requires 87% less factors for a cluster size of 30 nodes per cluster. In the future, we plan to implement EKM in the Ubiquitous to Internet of Thing (U2IoT) scenario.

Acknowledgments: This work was funded by the National Natural Science Foundation of China (61471035), and Fundamental Research Funds for the Central Universities (06105031, 06500010). In particular, it was supported by Cybermatics and Cyberspace International Science and Technology Cooperation Base. Author Contributions: Zahid Mahmood and Ata Ullah Ghafoor conceived and designed the experiments; Zahid Mahmood performed the experiments; Huansheng Ning analyzed the data and overall proposed protocols, models, structure and flow of entire paper; Ata Ullah performed the formal modeling and verification of proposed scheme. Zahid Mahmood contributed reagents/materials/analysis tools and also wrote the paper along with literature. Conflicts of Interest: The authors declare that there is no conflict of interest.

References

1. Jawhar, I.; Mohamed, N.; Agrawal, D.P. Linear wireless sensor networks: Classiﬁcation and applications. J. Netw. Comput. Appl. 2011, 34, 1671–1682. [CrossRef] 2. Yick, J.; Mukherjee, B.; Ghosal, D. Wireless sensor network survey. Comput. Netw. 2008, 52, 2292–2330. [CrossRef] 3. Karlof, C.; Sastry, N.; Wagner, D. TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. In Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems, Baltimore, MD, USA, 3–5 November 2004; pp. 162–175. 4. Abbasi, A.A.; Younis, M. A survey on clustering algorithms for wireless sensor networks. Comput. Commun. 2007, 30, 2826–2841. [CrossRef] Sensors 2017, 17, 670 19 of 20

5. Djenouri, D.; Khelladi, L.; Badache, N. A survey of security issues in mobile ad hoc networks. IEEE Commun. Surv. 2005, 7, 2–28. [CrossRef] 6. Venkatraman, K.; Daniel, J.V.; Murugaboopathi, G. Various attacks in wireless sensor network: Survey. Int. J. Soft Comput. Eng. 2013, 3, 208–211. 7. Diop, A.; Qi, Y.; Wang, Q. An Efficient and Secure Session Key Management Scheme for Cluster Based Wireless Sensors Networks. In Proceedings of the Joint International Conference on Pervasive Computing and the Networked World, Vina del Mar, Chile, 5–7 December 2013; pp. 33–44. 8. Harn, L.; Hsu, C.-F.; Ruan, O.; Zhang, M.-Y. Novel design of secure end-to-end routing protocol in wireless sensor networks. IEEE Sens. J. 2016, 16, 1779–1785. [CrossRef] 9. Hosangadi, A.; Kastner, R.; Fallah, F. Energy Efficient Hardware Synthesis of Polynomial Expressions. In Proceedings of the 18th IEEE International Conference on VLSI Design, Washington, DC, USA, 3–7 January 2005; pp. 653–658. 10. Saied, Y.B.; Olivereau, A.; Zeghlache, D. Energy Efficiency in M2M Networks: A Cooperative Key Establishment System. In Proceedings of the 2011 3rd International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), Budapest, Hungary, 5–7 October 2011; pp. 1–8. 11. Sipser, M. Introduction to the theory of computation. ACM SIGACT News. 1996, 27, 27–29. [CrossRef] 12. Roche, D.S. Space-and Time-Efficient Polynomial Multiplication. In Proceedings of the International Symposium on Symbolic and Algebraic Computation, Seoul, Korea, 28–31 July 2009; pp. 295–302. 13. Gao, S.; Van Hoeij, M.; Kaltofen, E.; Shoup, V. The computational complexity of polynomial factorization. Am. Inst. Math. 2006, 364, 1–5. 14. Kumar, P.; Lee, H.-J. Security issues in healthcare applications using wireless medical sensor networks: A survey. Sensors 2011, 12, 55–91. [CrossRef][PubMed] 15. Lopez, J.; Roman, R.; Alcaraz, C. Analysis of security threats, requirements, technologies and standards in wireless sensor networks. Found. Secur. Anal. Des. V. 2009, 5705, 289–338. 16. Misra, S.; Xue, G. Efficient anonymity schemes for clustered wireless sensor networks. Int. J. Sens. Netw. 2006, 1, 50–63. [CrossRef] 17. Banihashemian, S.; Bafghi, A.G. A New Key Management Scheme in Heterogeneous Wireless Sensor Networks. In Proceedings of the 12th International Conference on Advanced Communication Technology (ICACT), Gangwon-Do, Korea, 7–10 February 2010; pp. 141–146. 18. Traynor, P.; Cao, G.; La Porta, T. The Effects of Probabilistic Key Management on Secure Routing in Sensor Networks. In Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC), Las Vegas, NV, USA, 3–6 April 2006; pp. 659–664. 19. Li, M.; Long, J.; Yin, J.; Wu, Y.; Cheng, J. An Efficient Key Management Based on Dynamic Generation of Polynomials for Heterogeneous Sensor Networks. In Proceedings of the 2nd International Conference on Computer Engineering and Technology (ICCET), Chengdu, China, 16–18 April 2010. 20. Zeng, Y.; Zhao, B.; Su, J.; Yan, X.; Shao, Z. A Loop-Based Key Management Scheme for Wireless Sensor Networks. In Proceedings of the IFIP International Conference on Embedded and Ubiquitous Computing, Taipei, Taiwan, 17–20 December 2007; pp. 103–114. 21. Kausar, F.; Hussain, S.; Yang, L.T.; Masood, A. Scalable and efficient key management for heterogeneous sensor networks. J. Supercomput. 2008, 45, 44–65. [CrossRef] 22. Kausar, F.; Hussain, S.; Park, J.H.; Masood, A. Secure Group Communication with Self-Healing and Rekeying in Wireless Sensor Networks. In Proceedings of the International Conference on Mobile Ad-Hoc and Sensor Networks, Beijing, China, 12–14 December 2007; pp. 737–748. 23. Yang, Q.; Li, Q.; Li, S. An Efficient Key Management Scheme for Heterogeneous Sensor Networks. In Proceedings of the 4th International Conference on Wireless Communications, Networking and Mobile Computing, Dalian, China, 12–14 October 2008; pp. 1–4. 24. Tian, B.; Han, S.; Dillon, T.S. A Key Management Scheme for Heterogeneous Sensor Networks Using Keyed-Hash Chain. In Proceedings of the 5th International Conference on Mobile Ad-Hoc and Sensor Networks, Fujian, China, 14–16 December 2009; pp. 448–456. 25. Naranjo, J.A.M.; Antequera, N.; Casado, L.G.; López-Ramos, J.A. A suite of algorithms for key distribution and authentication in centralized secure multicast environments. J. Comput. Appl. Math. 2012, 236, 3042–3051. [CrossRef] Sensors 2017, 17, 670 20 of 20

26. Ghafoor, A.; Sher, M.; Imran, M.; Saleem, K. A Lightweight Key Freshness Scheme for Wireless Sensor Networks. In Proceedings of the 12th International Conference on Information Technology-New Generations (ITNG), Las Vegas, NV, USA, 13–15 April 2015; pp. 169–173. 27. Wuu, L.-C.; Hung, C.-H.; Kuo, W.-C. Group Key Management based on (2, 2) Secret Sharing. TIIS 2014, 8, 1144–1156. 28. Akyildiz, I.F.; Su, W.; Sankarasubramaniam, Y.; Cayirci, E. A survey on sensor networks. IEEE Commun. Mag. 2002, 40, 102–114. [CrossRef] 29. Chen, X.; Makki, K.; Yen, K.; Pissinou, N. Sensor network security: A survey. IEEE Commun. Surv. Tutor. 2009, 11.[CrossRef] 30. Roman, R.; Alcaraz, C.; Lopez, J. A survey of cryptographic primitives and implementations for hardware-constrained sensor network nodes. Mob. Netw. Appl. 2007, 12, 231–244. [CrossRef] 31. Zhang, J.; Varadharajan, V. Wireless sensor network key management survey and taxonomy. J. Netw. Comput. Appl. 2010, 33, 63–75. [CrossRef] 32. Staddon, J.; Miner, S.; Franklin, M.; Balfanz, D.; Malkin, M.; Dean, D. Self-Healing Key Distribution with Revocation. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, 12–15 May 2002; pp. 241–257. 33. Han, S.; Tian, B.; He, M.; Chang, E. Efficient threshold self-healing key distribution with sponsorization for infrastructureless wireless networks. IEEE Trans. Wirel. Commun. 2009, 8.[CrossRef] 34. Gu, J.; Xue, Z. An Efficient Self-Healing Key Distribution with Resistance to the Collusion Attack for Wireless Sensor Networks. In Proceedings of the IEEE International Conference on Communications (ICC), Cape Town, South Africa, 23–27 May 2010; pp. 1–5. 35. Han, S.; Tian, B.; Zhang, Y.; Hu, J. An Efficient Self-Healing Key Distribution Scheme with Constant-Size Personal Keys for Wireless Sensor Networks. In Proceedings of the IEEE International Conference on Communications (ICC), Cape Town, South Africa, 23–27 May 2010; pp. 1–5. 36. Ye, N.; Zhu, Y.; Wang, R.-C.; Lin, Q.-M. An efficient authentication and access control scheme for perception layer of internet of things. Source Appl. Math. Inf. Sci. 2014, 8, 1617. [CrossRef] 37. Rams, T.; Pacyna, P. A survey of group key distribution schemes with self-healing property. IEEE Commun. Surv. Tutor. 2013, 15, 820–842. [CrossRef] 38. Liu, H.; Ning, H. Zero-knowledge authentication protocol based on alternative mode in RFID systems. IEEE Sens. J. 2011, 11, 3235–3245. [CrossRef] 39. Ning, H.; Liu, H.; Mao, J.; Zhang, Y. Scalable and distributed key array authentication protocol in radio frequency identification-based sensor systems. IET Commun. 2011, 5, 1755–1768. [CrossRef] 40. Hsu, C.-F.; Harn, L.; Mu, Y.; Zhang, M.; Zhu, X. Computation-efficient key establishment in wireless group communications. Wirel. Netw. 2017, 23, 289–297. [CrossRef] 41. Odelu, V.; Das, A.K.; Goswami, A. A New Key Management Scheme for a User Hierarchy based on a Hybrid Cryptosystem. Smart Comput. Rev. 2013, 3, 42–54. [CrossRef] 42. Sultana, S.; Ghinita, G.; Bertino, E.; Shehab, M. A lightweight secure scheme for detecting provenance forgery and packet dropattacks in wireless sensor networks. IEEE Trans. Dependable Secure Comput. 2015, 12, 256–269. [CrossRef] 43. Rubin, A.D.; Honeyman, P. Nonmonotonic Cryptographic Protocols. In Proceedings of the Computer Security Foundations Workshop VII, (CSFW 7), Franconia, NH, USA, 14–16 June 1994; pp. 100–116. 44. Li, X.; Niu, J.; Kumari, S.; Liao, J.; Liang, W.; Khan, M.K. A new authentication protocol for healthcare applications using wireless medical sensor networks with user anonymity. Secur. Commun. Netw. 2016, 9, 2643–2655. [CrossRef] 45. Kumari, S.; Li, X.; Wu, F.; Das, A.K.; Arshad, H.; Khan, M.K. A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps. Future Gener. Comput. Syst. 2016, 63, 56–75. [CrossRef] 46. Choi, Y.; Lee, D.; Kim, J.; Jung, J.; Nam, J.; Won, D. Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors 2014, 14, 10081–10106. [CrossRef] [PubMed]

© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).