A Secret Sharing-Based Key Management in Hierarchical Wireless Sensor Network

Wireless sensor networks (WSNs) are subject to various attacks because of their exposed deployment environment, limited resources, and open communication channel. To protect WSNs, in this paper we present a secret sharing-based key management scheme (SSKM). SSKM exploits the advantages of a hierarchical architecture and adopts a two-level key management and authentication mechanism, which efficiently protects the security and survivability of communication across the whole network. Unlike previous work, SSKM distributes keys with a secret sharing mechanism over the clustered architecture, which localizes key material while preserving scalability. SSKM provides two kinds of session key: the network key between the base station (BS) and the cluster heads (CHs), and the cluster key between a cluster head and its member nodes. SSKM dynamically generates different keys from different polynomials issued by the BS in different periods, which protects the network against compromised nodes and reduces the high probability of keys being shared in common. The security analysis shows that SSKM can prevent several attacks effectively and reduce energy consumption.


Introduction
Due to the development of the internet of things (IoT) and cyber-physical systems (CPS), wireless sensors have been deployed in many applications, such as the smart grid, national security, intelligent transportation, forest monitoring, and harmful chemical gas monitoring [1]. However, wireless sensor networks (WSNs) usually consist of tiny sensors with low computational capability, small storage, and limited energy; as a result, WSNs are often subject to a variety of attacks, such as eavesdropping and flooding attacks. Once a sensor is compromised by an adversary, the key material of that sensor is no longer secret and can be read by the enemy, and the entire network is threatened [2].
In [5, 6], the authors employed the secret sharing mechanism to distribute keys to nodes, which can generate and assign keys effectively. However, in these schemes the network must exchange many messages to establish the key system, which consumes a lot of energy. In this paper, we present a novel secret sharing-based key management scheme (SSKM).
In SSKM, since energy efficiency is the dominant design consideration in WSNs, we first employ the maximum energy cluster head (MECH) protocol to form clusters. Unlike other hierarchical architectures, the MECH protocol limits the size of each cluster so that the clusters are uniform. In each cluster, one sensor, called the cluster head (CH), collects information from the other cluster member nodes and forwards the processed information to the base station.
Therefore, to protect the communication channel from the CHs to the BS, we present a network key. First, the BS encrypts the network key with a secret, places the secret as the constant term of a polynomial, and divides the secret into shares based on the Lagrange interpolation formula. To reconstruct the polynomial of degree ( − 1), any or more (ID, (ID)) pairs in combination can recover the secret. The security of our solution therefore rests on preventing the adversary from intercepting and capturing sufficiently many such pairs.
Similarly to the network key, we design a cluster key to protect the communication between a cluster head and its member nodes. Unlike the BS, the CHs do not have sufficient energy to broadcast messages. Thus, the BS deploys key material, such as the polynomials and the revoked list, to the sensors in advance. The CH then only exchanges the parameters needed to adjust the polynomials in order to generate or cancel keys.
Compared to previous work [5, 6], the salient advantages of our work are as follows: (1) SSKM establishes a relocatable key mechanism based on secret sharing theory, which hides keys inside a secret and recovers them when needed; (2) SSKM adopts a hierarchical architecture that suits the secret sharing mechanism, localizes security, and reduces energy consumption, which makes SSKM key management feasible; (3) SSKM presents an authentication mechanism based on secret sharing theory, which supports scalability (nodes joining or leaving).
The rest of this paper is organized as follows. Section 2 describes the related work, Section 3 presents the system model and assumptions, Section 4 describes the secret sharing-based key management in detail, and Section 5 evaluates SSKM by security analysis. Finally, we conclude the paper and outline future work in Section 6.

Related Work
In 1979, Shamir [14] and Blakley [15] proposed secret sharing methods based on the Lagrange interpolation formula and on the properties of vector spaces, respectively. Proposition: given + 1 points ( , ( )) on a polynomial ( ) of degree , one can identify a unique polynomial by calculating: One also defines the Lagrange coefficient Δ , for ∈ Ζ and a set ⊆ Ζ : A ( , ) threshold secret sharing scheme is as follows: given points ( , ( )) on a polynomial ( ) of degree ( − 1), any points ( , ( )) picked at random from the points suffice to construct the polynomial. When setting up the scheme, a trusted party splits the initial secret into shares (points) and assigns them to the users securely. Any or more users combining their shares can reconstruct the secret , but any group of − 1 or fewer users cannot. This secret sharing method provides a security building block for many applications, such as key distribution, secure computation, and secure information storage.
In [5], the authors present a low-cost secret sharing scheme for sensor networks. That paper provides basic building blocks for establishing secure communication by exchanging secret keys between neighbouring nodes without any cryptographic methods. The authors of [5] also design a second algorithm that extends the secret key establishment. However, because the exchange takes place among the sensors themselves, it consumes a lot of energy. Moreover, the authentication between neighbouring nodes also requires exchanging large messages, which makes it unsuitable for wireless sensor networks.
In [6], the authors present schemes to secure data aggregation based on secret sharing and information dispersal. In these schemes, sensor nodes split messages into subshares and forward them along several disjoint paths to defend against DoS, eavesdropping, and tampering attacks. They design a secret multipath aggregation (SMA) mechanism that applies secret sharing to create shares in order to handle security in the event of node compromise. However, these schemes are not feasible because of their heavy energy consumption: on one hand, they perform data aggregation using secret sharing; on the other hand, they have to distribute key material and decoy messages to confuse the enemy so that the adversary cannot find the real route, which requires a large number of message exchanges.
Compared with previous work, our solution adopts a hierarchical network and localizes communication and security. We also deliberately use the base station to carry out the complex operations, which reduces the energy consumption of the sensors.

Network Model.
Wireless sensor networks are energy sensitive. Therefore, we adopt the maximum energy cluster head (MECH) protocol for our network architecture [1]. MECH is a LEACH-like protocol (LEACH: low energy adaptive clustering hierarchy) [2] that divides the network into clusters.
As shown in Figure 1, in the MECH architecture the sensors self-organize into clusters and take one of two roles: cluster head or member node. In each cluster, one node acts as the CH; it manages the cluster and processes the information from the member nodes before forwarding it to the base station (BS). MECH constructs clusters based on radio range and on the number of cluster members. Because clusters are constructed this way, the cluster topology is distributed more evenly across the network; that is, the number of nodes in each cluster does not exceed a certain threshold.

Assumptions.
In the considered network, we assume the following.
(iii) Each sensor has the same capabilities in energy, computation, radio range, and so forth.
(iv) If a node is compromised, all of the key material in the node is revealed [7].
(v) Each sensor is in, and only in, one cluster.
(vi) The BS can communicate with all sensors in the network.

Notations.
Table 1 lists the notations used in this paper; among the quantities it defines are the network key between the BS and the CHs, the cluster key between a CH and its member nodes, the secret shared between a CH and its members in a session, the encrypted cluster key produced from that secret, the revoked set before a session, the session period, and the number of nodes in the WSN.

The Secret Sharing-Based Key Management
In this section, we describe the secret sharing-based key management (SSKM) in detail. After deployment, the base station assigns each sensor an initial key init , similarly to LEAP+ [12]. The BS then broadcasts the key materials to the network to build the network key and the cluster key, respectively. The key architecture is shown in Figure 2.

Shamir's scheme has two phases. (1) Share generation phase: the dealer D randomly selects a polynomial ( ) of degree ( − 1): in which the secret is = (0), all coefficients , 1 , 2 , . . . , −1 lie in the finite field = GF( ) with elements, and the dealer computes all shares = ( ) for { = 1, . . . , }; it then distributes each share to the corresponding shareholder privately. (2) Secret reconstruction phase: taking any shares ( 1 , 2 , . . . , ) of the shares as input, we can reconstruct the secret as

The above scheme satisfies the basic security requirement of a secret sharing scheme: any or more of the shares can reconstruct the secret , while fewer than ( − 1) shares cannot reconstruct the secret . Shamir's scheme is information-theoretically secure [17]. However, it has some requirements [18] in this setting: (1) there must be a secure channel for delivering the shares between the dealer and the users; (2) and ( ) are made public. In a key transfer protocol, however, for security reasons we need to keep and ( ) as each user's secret. We therefore adopt the discrete logarithm in a finite field and the DDH hardness assumption to ensure security over the insecure communication channel.

Initial Phase.
Once the wireless sensor network has been deployed and the sensors have self-organized into clusters, the BS starts to form the key system as follows.
(2) Assume that during each session period ( = 1, . . . , ), the BS randomly and uniformly chooses polynomials ( ) of degree ( − 1), where − 1 ≥ . One of the polynomials is as follows: Equation (5) is used for key distribution between the BS and the cluster heads. The other − 1 polynomials are used for key distribution within a cluster, between the cluster head and the member nodes, as follows: (3) The BS independently selects the session keys { in } =1,..., and { CH } =1,..., from the finite field GF( ) and hides the session keys with the secrets in and CH , namely in = { in + in } in network key management and CH = { CH + CH } in cluster key management. The algorithm of the initial phase is shown in Figure 3.

Network Key Management.
The network key is the session key between the BS and cluster heads to protect their communication.
The key share distribution process is as follows. (2) Let denote the set of CHs revoked during session period and before, and let = 2 ∪ ⋅ ⋅ ⋅ ∪ −1 ∪ , where | | ≤ . In session , the BS selects a group of users = {ID CH 1 , . . . , ID CH } that satisfies ID ⊆ and ID CH ∩ = 0.
(3) The BS broadcasts the information { 1 in , 2 in , . . . , in } to each cluster node. The network key process is shown in Figure 4. The session key recovery process is as follows.
(1) Having received the key materials, each cluster head calculates its individual share in (ID CH ) ⋅ ( ) 0 / ( 0 ) = in (ID CH ) with its private key and the public key 0 . From the information {ID , in (ID )}, any or more sensors can recover the secret in with (7) as follows: (2) Using in and in , users obtain the secret = in − in .
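As an added illustration (not code from the paper), the following Python models the network key procedure above on top of Shamir's scheme from Section 4: the BS hides the session key as K' = K + s, shares s = f(0) across the unrevoked cluster heads by evaluating a degree-(t − 1) polynomial over GF(p) at their IDs, and any t cluster heads recover s by Lagrange interpolation and then K = K' − s. The field modulus, the CH IDs, the revoked set, and all function names are assumptions made for this example; the paper's discrete-logarithm masking of the shares (the private/public key step) is omitted, so shares are modelled as delivered over a secure channel.

```python
import secrets

P = 2**127 - 1  # assumed field modulus for GF(P); a Mersenne prime picked for this example


def make_polynomial(secret, t):
    # Degree-(t-1) polynomial f with f(0) = secret; other coefficients uniform in GF(P).
    return [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]


def evaluate(coeffs, x):
    # Horner evaluation of f(x) mod P.
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def lagrange_at_zero(points):
    # Recover f(0) from t points (x_i, f(x_i)) using the Lagrange coefficients at x = 0.
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def bs_distribute(ch_ids, revoked, t):
    # Base station side: fresh session key K and secret s for this session, K hidden as
    # K' = K + s, and one share f(ID) per cluster head whose ID is not in the revoked set.
    # IDs must be nonzero, since x = 0 is reserved for the secret itself.
    key = secrets.randbelow(P)
    s = secrets.randbelow(P)
    f = make_polynomial(s, t)
    shares = {cid: evaluate(f, cid) for cid in ch_ids if cid not in revoked}
    return (key + s) % P, shares, key


def ch_recover(hidden_key, shares, t):
    # Cluster head side: pool t (ID, f(ID)) pairs, recover s = f(0), then K = K' - s.
    points = list(shares.items())[:t]
    if len(points) < t:
        raise ValueError("fewer than t shares: f(0) is not determined")
    s = lagrange_at_zero(points)
    return (hidden_key - s) % P


if __name__ == "__main__":
    # Constructed sample: five cluster heads, CH 13 revoked, threshold t = 3.
    hidden, shares, key = bs_distribute([11, 12, 13, 14, 15], {13}, 3)
    assert 13 not in shares and ch_recover(hidden, shares, 3) == key
    print("session key recovered by any 3 unrevoked cluster heads")
```

Calling ch_recover with fewer than t shares raises, which mirrors the bound used in the security analysis: t − 1 points of a degree-(t − 1) polynomial are consistent with every possible value of f(0).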

Cluster Key Management.
In this phase, the protocol establishes the cluster key between CH and members. Similar to the network key, the cluster key can be generated as follows.
(1) First, the cluster head randomly chooses ch ( ch ∈ [2, ]) that is relatively prime to − 1 and − 1, and the CH sends it to the BS. Then the BS computes ch = ch and sends (ID CH , CH ) to the sensor nodes in cluster CH ; meanwhile, each sensor node randomly picks , , relatively prime to Furthermore, the BS uses the CH's ID CH and the members' ID , ( = 1, . . . , ) to compute the shares CH (ID CH ) and CH (ID , ), respectively.
(2) Let denote the set of sensors revoked during session period and before, and let  Using each cluster node's own key ch , the cluster head and the members can obtain their shares through the following formulas: CH (ID CH ) ⋅ ( , ) ch , CH (ID , ) ⋅ ( ch ) , where is the broadcast information and , and ch are public information. Thus the cluster head and the ordinary nodes can each obtain their own shares; the members then send (ID , , CH (ID , )) to the CH. The CH uses (ID CH , CH ( CH )) and the − 1 sensors' (ID , , CH (ID , )) to recover the secret . According to (7), we can compute CH . Furthermore, the CH can obtain CH = + CH , and then compute to unicast to the − 1 sensors (ID , , ).

Scalability.
In our solution, we also consider the scalability of network.

New Member Join.
When a new member ( ̸ = 1, . . . , ) wants to join during session period , it randomly chooses an integer ( ∈ [2, ]) and computes = mod . It then keeps secret and randomly chooses an ID (ID > ), where is the largest node identity in the network, and sends (ID , ) to the BS. The BS then authenticates : if ID > and ( = 1, . . . , ) and ̸ = , then is accepted and can join the network.

Node Isolation.
Once the CH or neighbouring nodes detect a compromised node ℎ , the CH sends its identity ID ℎ to the BS. Meanwhile, the BS and the CH add the ID to : { } ∪ {ID ℎ }.

Security Analyses
Due to the unreliable wireless environment, a cluster key distribution scheme for dynamic clustering is subject to a variety of attacks, such as eavesdropping, tampering, and replay attacks. Compared to previous work, the salient advantage of our solution is that we address the challenging runtime security issues by localizing key material and by group key management based on the secret sharing mechanism.

Robustness.
In the recovery phase, for any user ∈ , anyone who wants to recover must obtain both CH and CH , which makes recovering keys very difficult.
Furthermore, assume any set ⊆ with | | ≤ − 1; if is an unrevoked user, ∈ , then no collusion of the other users in can obtain information about 's personal secret . In each session , user 's secret = CH (0) or = in (0) is the constant term of the ( − 1)-degree polynomial CH ( ) or in ( ), while the users in know only − 1 values of CH ( ) or in ( ). Reconstructing a polynomial CH ( ) or in ( ) from − 1 values is equivalent to breaking Shamir's ( , ) secret sharing, which is computationally infeasible. Therefore, colluding users in cannot obtain user 's secret . Moreover, because the cluster session key is chosen from a uniform distribution independently of the users' personal secrets, no one can obtain information about the session key without the personal secrets. Also, in each session = 1, . . . , , because CH = + CH , CH hides the session key with the personal secret CH , so an adversary cannot obtain any useful information from the collection of broadcast messages alone.

Tolerance.
A normal user ∉ (an unrevoked user or ordinary node) can use the broadcast messages and its private secret to recover the session key ; however, a revoked user can obtain only − 1 values of the broadcast polynomial ( ) and thus, as shown above, cannot reconstruct the ( − 1)-degree polynomial ( ). Therefore, a user in cannot obtain (0). Moreover, for the same reason, it is not feasible to recover the personal secret from CH and { ∈ } .

Security.
Our solution also provides both ( − 1) forward secrecy and ( − 1) backward secrecy.

−1 Forward Secrecy.
Let ⊆ , | | ≤ − 1, and let each ∈ be a user revoked before session . Even if the colluding users know all cluster keys from before session , they cannot obtain any information about the current session key , because they cannot recover (0) from only − 1 values of ( ). Therefore, the solution provides ( − 1) forward secrecy.

−1 Backward Secrecy.
Let ⊂ , | | ≤ − 1, and let each user ∈ have joined the group before session . Even if the colluding users in know all cluster keys before session , they cannot obtain any information about the session key 1 ( 1 < ), because to obtain 1 a user ∈ must recover at least points of 1 ( ) to get 1 (0). However, each user after session obtains only − 1 values of the ( − 1)-degree polynomial 1 ( ) and cannot reconstruct 1 ( ); that is, the solution provides ( − 1) backward secrecy.

Complexity Analysis.
In this section, we discuss the complexity of our scheme in terms of the computation complexity, communication complexity, and storage cost required by an ordinary node and by a cluster head.
(1) Computation complexity: we assume that the base station has a large computation capacity and performs the selection of the polynomials, the share distribution, and the choice of the generator. An ordinary node only needs to compute a division, and a cluster head needs to reconstruct the polynomial in addition to the division.
(2) Communication cost: this includes the broadcast cost, (log ), and the cost of downloading the published information from the publish board, * * (log ), where denotes a session period, is the number of nodes in one cluster, and is a sufficiently large secure prime.
(3) Storage cost: in our scheme, each node only needs to store its own private key, which is of size log .

Conclusion and Future Work
In this paper, we propose a secret sharing-based key management scheme (SSKM) to enhance network security and survivability. Unlike previous work, although we employ a hierarchical architecture, we limit the size of the clusters to balance the overall energy consumption of the network. In contrast to other clustered security solutions, the salient advantage of this work is that we address the challenging security issues by localizing key material based on secret sharing theory. We present the network key and the cluster key and generate new keys from different polynomials by the Lagrange interpolation formula. We also present a rekeying mechanism tied to cluster head selection with low energy consumption. Meanwhile, SSKM has an authentication mechanism that ensures scalability: it can not only authenticate a new sensor but also isolate a compromised node. The security analysis shows that our solution not only reduces energy consumption effectively but also raises the security level. In the future, we will focus on how to enhance security in mobile and scalable WSNs.