A Hybrid Authenticated Group Key Agreement Protocol in Wireless Sensor Networks

Wireless sensor networks are a modern and advanced technology whose applications are fast developing in recent years. Despite being a fascinating topic with various visions of a more intelligent world, there still exist security issues to be resolved in order to make WSNs fully adoptable. Due to the resource constraints of sensor nodes, it is infeasible to use traditional key establishment techniques that find use in fixed communication systems. In this paper, the design of a new hybrid Authenticated Group Key Agreement (AGKA) protocol is described for WSNs. The AGKA protocol reduces the high cost public-key operations at the sensor side and replaces them with efficient symmetric-key based operations. The proposed AGKA protocol is not only efficient but also meets strong security requirements. In order to demonstrate the protocol is verifiably secure and trustworthy, a formal verification of the AGKA protocol is carried out. Furthermore, several experiments are conducted on MICAz and TelosB platforms in order to evaluate the performance of the proposed protocol. The evaluation results show that the AGKA protocol is well suited for use with resource-constrained sensor nodes.


Introduction
Wireless sensor networks (WSNs) are viewed as a large number of small sensing self-powered devices/nodes which gather information or detect special events and communicate in a wireless fashion, with the end goal of handing their processed data to a base station. A diverse set of applications for sensor networks encompassing different fields have already emerged including medicine, agriculture, environment, military, electrical power systems, home appliances, toys, and many others.
In these and other vital, life-critical, or security-sensitive applications, secure and fast transmission of sensitive digital information over the sensor network is essential. A solid key management framework is one of the most crucial technologies for achieving secure infrastructure in wireless sensor networks.
Considering the limited resources of both computational ability and power supply of wireless sensor devices, the design of security protocols for wireless sensor networks is a nontrivial challenge given that most public key operations require expensive computations. Therefore, there is a need to employ energy-efficient key agreement protocols in order to prolong each sensor's battery life.
In recent years, symmetric-key-based key establishment schemes have gained popularity due to their small computational overhead. A promising solution for the establishment of symmetric keys in wireless sensor network applications is to use key predistribution protocols such as those studied in various papers [1][2][3]. Although symmetric mechanisms achieve low computational overhead when compared with public key operations, the key management for symmetric key based protocols is complicated and is always subject to attack by adversaries. Therefore, many public-key-based protocols have been proposed [4][5][6][7][8][9][10][11] for wireless sensor networks which give more flexibility and scalability.
In this paper, we focus on WSN applications involving clusters of wireless sensor nodes. We have designed a new hybrid authenticated group key agreement (AGKA) protocol. The motivation of which was to exploit the difference in capabilities between gateways and sensors and put the cryptographic burden on gateways where the resources are less constrained. We have also implemented the AGKA protocol on 2 International Journal of Distributed Sensor Networks TelosB and MICAz motes and performed several experiments in order to evaluate the performance of the AGKA protocol in terms of its energy consumption and memory usage. The evaluation results show that the proposed protocol is well suited for use with resource-constrained sensor nodes with limited processing power and power resources.
The remainder of this paper is organized as follows. Section 2 describes related works. Some preliminaries and network model are reviewed in Section 3. Section 4 presents our key agreement protocol. In Section 5, the security of the proposed protocol is discussed. We present the performance evaluations in Section 6 and provide our research conclusions in Section 7.

Related Works
SPINS [12] is one of the most popular symmetric-keybased security schemes used today. In this memory-efficient scheme, the nodes need only share a key with the base station, and establish keys with other nodes through the base station. This type of scheme is suitable for sensor networks with small numbers of sensor nodes manually deployed around the base station. The big drawback of this scheme is that the base station is a single point of attack, which could result in the compromise of the entire network. Those nodes closest to the base station must forward a high volume of traffic to the base station and this reduces the lifetime of the network as these nodes expend greater energy resources.
Key predistribution is an alternative approach, which distributes the keys to all sensors prior to the deployment of the sensors. Zhu et al. [13] proposed Localized Encryption and Authentication Protocol (LEAP) which supports the establishment of four types of keys for each sensor node including a pair-wise key and a group key (a network-wide shared key).
Eschenauer and Gligor [1] proposed the use of random graph theory, which was used to develop one of the first random predistribution schemes. A random graph is fully connected with a high probability if the average degree of its nodes is above a certain threshold. Generally high-density deployments result in a fully connected network. Hence, key establishment only needs to be performed such that any two neighbors have some probability of successfully completing key establishment. Eschenauer and Gligor used this theory to develop a framework for key random predistribution protocols. This framework involves three phases: predistribution, shared-key discovery, and path-key establishment.
The computation complexity and energy consumption of those symmetric-key-based protocols are relatively small. However, the key management for pure symmetric-keybased systems can be complicated, a key distribution center (KDC) can be required, or a large number of symmetric keys can be preloaded into devices. Both of these solutions can reduce the scalability of WSNs. In contrast, public-keybased protocols give more flexibility and scalability in large sensor networks where new devices keep entering the cluster. However, public-key-based protocols require more expensive computational power.
In cluster-based wireless sensor networks, the design of secure group key establishment protocols is a foremost security issue. A group key establishment protocol allows participants to construct a group key that is used to encrypt/ decrypt transmitted messages among participants over an open channel.
Recently several key agreement protocols have been proposed to offload public-key cryptographic computational requirements to servers and have the low-end devices do less work. Bresson et al. [4] proposed a group key agreement protocol well suited to imbalanced wireless networks consisting of devices with strict energy consumption restrictions and wireless gateways with less stringent restrictions. Their idea was to let a cluster of mobile devices and one wireless gateway dynamically agree on a session key. However, their protocol does not satisfy some important security properties such as mutual authentication and forward secrecy [14].
Nam et al. [15] further improved the mutual authentication of Bresson et al. 's protocol by adopting the Katz-Yung scalable compiler [16] whereby one online signature and − 1 verifications must be required; the computational cost, though reduced, is still expensive for resource constrained sensor devices.
Tseng [17] proposed an efficient group key agreement protocol based on the two aforementioned protocols. It employs an online/offline signature scheme [18] and shifts much of the computation to the wireless gateways possessing more computational power and energy. Nevertheless, it does not satisfy some important security properties such as mutual authentication [19].
In recent years, Elliptic-Curve-Cryptography-based-key agreement protocols [5,9,10,[20][21][22] have been designed for use in constrained mobile device environments and wireless sensor networks because of their small key sizes, such as the ECMQV protocol with ECC X.509 certificates [20] and implicit certificates [21] and the ECDSA authenticated key exchange protocol [22]. In 2004, Huang et al. proposed a hybrid authenticated key establishment protocol based on probably secure elliptic curve encryption [5] and the elliptic curve implicit certificate scheme [20]. In 2005, Liu and Ning created TinyECC [23], a software package that provides Elliptic Curve Cryptography (ECC) operations for TinyOS [24]. It supports all elliptic curve operations over prime fields , including point addition, point doubling, and scalar point multiplication, as well as ECDSA operations. In 2011, Ammayappan et al. proposed an ECC-based twoparty authenticated key agreement protocol for mobile ad hoc networks, which utilises both RSA and ECC to achieve mutual authentication. This method increases the computation burden on sensor side [10].
Using the concept of Schnorr Signature [25] and based on ECC, Huang et al. in [5] designed a key establishment in the authentication procedure of the access control scheme for WSNs. The new designed key establishment in [11] also used the concept of "timebound" in which once time period has elapsed, the sensor node in the wireless sensor network cannot access any data for a future time period in order to protect future messages. Huang et al. claimed that the authentication procedure and common key generation proposed in [5] offers computational efficiency, energy, and bandwidth savings. Nevertheless, adversaries can still apply a sensor International Journal of Distributed Sensor Networks 3 node replication attack in the period of the expiration time. The reason is that the adversary can compromise the sensor node and apply the replication attack before expiration time.
In order to reduce communication cost, some ID-based protocols for wireless sensor networks have been proposed where a sensor node does not need to transmit its implicit certificate [8]. Zhang et al. proposed three protocols for wireless sensor networks [6,26,27]. Those protocols offer low communication overhead and low memory requirements by eliminating the public key certificate. But in those protocols, sensor nodes should still perform expensive computation such as Weil/Tate pairing and Map-to-Point operations. Recently, Zhang et al. [8] proposed an efficient ID-based protocol for key agreement in wireless sensor networks. This protocol removes expensive operations from a sensor node side and eliminates the communication overhead of transmitting public-keys, but this protocol is vulnerable to replication attacks, where adversaries can use this weakness to masquerade as a security manager and share the pair-wise key with the sensor node.
From the discussion of the recent representative key agreement protocols designed for wireless sensor networks, we find that those protocols are computationally expensive for sensor nodes or vulnerable to impersonator's attacks. It can be seen that the design of a secure authenticated group agreement protocol well suited to wireless sensor networks is a nontrivial challenge, which inspires us to propose a verifiably secure authenticated group key agreement protocol.

Network Model and Notations
Before the discussion of key establishment protocols involving public key cryptography, we will first present the model of the unbalanced cluster-based wireless sensor networks.

Network
Model. The IEEE 802.15.4 low-rate wireless personal area network standard [28] specifies the physical layer and medium access control layer of a low data rate, ultra low power, and low cost sensor network. It defines two device types: a Full Functional Device (FFD) and a Reduced Functional Device (RFD). An RFD takes on the role of an end device, such as a low-power sensor, while an FFD takes the role of a coordinator, a gateway, or a security manager.
The wireless system environment we model is an unbalanced/asymmetric cluster-based wireless sensor network, which consists of some sensor nodes with strict computational capability restrictions and a gateway with less restriction. We consider a set of resource-limited sensor nodes (also called low-power nodes) communicating with a gateway (also called powerful node), in which each low-power node can send messages to the gateway via unicast communication, and the gateway can broadcast or unicast messages to each low-power node. The gateway covers an entire group region called a cell. It is the cluster-head of the group region. In the group region, the data transmission between gateway and its client nodes uses low-power wireless technology such as IEEE 802. 15 station can collect and analyze the sensing data and put the useful information on the web server. All the authenticated users can login to the website to not only get the information of the target object but also maintain the sensor network by performing tasks such as updating/renewing the group key, putting a particular group of sensor nodes into sleep mode or merging the neighboring groups. Figure 1 shows the network model of the asymmetric wireless sensor network.

Key Notation and
Terms. Let = 1 be the initial set of low-power sensor nodes that want to generate a group key with gateway . In Table 1, we summarize the key notations and terms used in the group key agreement protocol.

The Proposed Group Key Agreement Protocol
This section specifies the algorithms and features of the proposed AGKA protocol. The new AGKA protocol is implemented using the elliptic curve version of the Diffie-Hellman problem [29]. In addition to the use of an ECC cryptosystem, the proposed AGKA protocol also adopts a symmetric-key cryptosystem. The protocol reduces the cost of elliptic curve random point scalar multiplications at the sensor side and replaces them with low cost and efficient symmetric-keybased operations. Furthermore, it authenticates the entities based on a combination of the Elliptic Curve Digital Signature Algorithm (ECDSA) [30] and the Message Authentication Code (MAC). The AGKA protocol consists of four algorithms.
(1) The key generation algorithm AGKA.Kgen(ℓ) is a probabilistic algorithm which on input of a security parameter ℓ provides each client ∈ and the gateway with long-lived keys.  wireless client group to be = and provides each client in with a secret value shared with the gateway.
(3) The join algorithm AGKA.join( ) is an interactive protocol which on input of a set of clients updates the wireless client group to be ∪ and provides each client in with a (new) shared secret value . (4) The remove algorithm AGKA.Remove( ) is an interactive protocol which on input of subset of the wireless client group updates the latter to be \ and provides each client in with a new shared secret value .
Each cluster/group in a hierarchical cluster-based WSN is represented as the set , which consists of sensor devices (also called clients), and a gateway. A nonempty subset of is called sensor client group , which consists of clients communicating with the gateway. An elliptic curve defined over prime fields F with coefficients and a base point of large order is selected and made public to all users. The protocol considers a signature scheme SIGN = (SIGN.Kgen, SIGN.Sig, SIGN.Ver). Each client holds a pair of signing private/public key (SK , PK ), which are the output of the key generation signature scheme algorithm SIGN.Kgen.

Key Generation.
The algorithm AGKA.Kgen, on input of the set of clients and a security parameter ℓ, performs the following steps.
(1) Execute SIGN.Kgen(ℓ) for each client in to provide each client with a pair (SK , PK ) of signing/verifying keys. The private key SK is given to the client in a confidential way, while each public key PK is sent to the gateway.
(2) Choose random integer V , compute = * , and set the gateway's private/public keys (SK , PK ) = ( , ). The private key is given to the gateway in a confidential way, while the public key is certified and sent to the clients. The pair ( , ) will be the longterm Diffie-Hellman pair of the gateway.
Basically, for an ECC-based key agreement, each client will generate an ephemeral Diffie-Hellman pair ( , ), which thus leads to a session key ( = * ) shared between the client and the gateway . Meanwhile, ECDSA signature is used for authenticating each client node. Figure 2, the group key agreement setup runs as follows.

Group Key Setup. As depicted in
Step 1. To establish the group key in the cluster, each node ∈ randomly selects a -bit integer and a (160 − )bit integer as the nonce. Additionally, randomly picks a random integer ∈ [2, −2] as its ephemeral private key and gets the ephemeral public key = * . Then, computes = * and cipher text = ( ‖ )⊕ ⋅ , where ⋅ is the coordinator of . The client node then generates an ECDSA signature = Sig ( ‖ ) under the private key SK of . Finally, each node sends ( , , ) to gateway . Note that generations of the ephemeral public key and the shared secret can be precomputed before the node joins the network, which requires additional memory space but speeds up the protocol's execution.
Step 2. For each node, the gateway first checks if the nonce is fresh and then checks the signature to authenticate each node . If the authentication holds, it computes = * and then decrypts and gets and . Subsequently, the gateway initializes counter and computes a group session key GK = ( ‖ 1 ‖ 2 ‖ ⋅ ⋅ ⋅ ‖ ). The gateway then creates a cipher text = GK ⊕ ⋅ and sends each client node the cipher text , counter , and nonce with MAC(( ‖ ), ). Note that secret key is selected as the MAC key between node and the gateway since is only known to the node and the gateway.
Step 3. Each sensor node first performs the authentication of the gateway through verifying MAC. If the authentication holds, the client calculates the group session key GK = ⊕ ⋅ . HMAC with MD5 hash algorithm is used to calculate the MAC value. MAC is used to verify the integrity of the received message. MAC can also be used to confirm that the received message is sent by the sender who knows the MAC key .

Algorithm for New Node
Joining. The algorithm AGKA.Join, on input of the set of appearing client devices , performs the following steps.
(1) When a new member +1 ∈ wants to join a group, it must first be authenticated by the base station.
International Journal of Distributed Sensor Networks 5 Public key for gateway = * Verify the MAC Verify the MAC Verify the MAC  Figure 2: The AGKA protocol with five devices 1 , 2 , 3 , 4 , and .
(4) Each appearing client sends the value ( , , ) to the gateway .

(6) Each client
∈ already holds the value , the shared secret , and the old counter value. So, it first checks that the new counter is greater than the old one and the MAC value, and if the check holds, it simply recovers the group session key GK = ⊕ ⋅ .

Algorithm for Node
Removing. The algorithm AGKA.Remove, on input of the set of disappearing client-sensors, performs the following steps.
(2) The gateway operates as in the Setup phase. It increases the counter and computes the shared group session key GK = ( ‖ { } ∈ ).
(4) Each client ∈ already holds the value , the shared secret , and the old counter value. So, it first checks that the new counter is greater than the old one and the MAC value, and if the check holds, it simply recovers the group session key GK = ⊕ ⋅ .

Security Evaluation
The presented AGKA protocol overcomes the security weaknesses detected in the previously discussed protocols. The security evaluation is discussed in this section.

Sensor Node Replication Attack.
The fresh nonce is used in the message sent from the client node for = 1, 2, . . . , so that it can make sure no replayed message (cloning fraud) will be allowed in the protocol. For instance, if an adversary wants to replay the previously transmitted message from one client, it would use the same nonce value in previous round, which will be realized by the gateway who knows the last nonce generated by the client. If an adversary wants to replay the previously transmitted message from the gateway, it would not pass the check of the counter implemented in Step 3 on the client side. Meanwhile, the signature of the message sent from the client node is also utilized in Step 1 to provide the authentication of the client nodes. Therefore, the proposed protocol prevents the replication attacks.

Sybil Attack.
In this attack, a malicious sensor claims multiple IDs (identities) or locations [31]. In the proposed scheme, each client sensor is authenticated by the base station and gets a unique ID. In addition, each client owns a longterm key pair (SK , PK ), where the private key SK is used to generate the digital signature of the client. The private key is only known by the private key's owner and kept in secret. A malicious sensor cannot masquerade a forge ID and forge key pair without the base station's authentication. During the AGKA.Setup phase, the client's private key is used to sign the sending message, when the gateway in the group receives the signed message from a client node; it will first verify the signature = Sig ( ‖ ) in order to authenticate the identity of the client node. Elliptic Curve Digital Signature Algorithm (ECDSA) is chosen in the proposed protocol to generate and verify the signature of each client. The security of ECDSA is founded in the difficulty of solving the discrete logarithm problem in prime order subgroups of Z * . The adversary cannot masquerade the client and generate the legal signature to pass gateway's authentication without the private key of the client . Even in worst case, the adversary compromise one client sensor but still is not able to claim a new identity in the vicinity of node because the adversary only knows the private key of the compromised node but not the private key of node . As a result, with the use of ECDSA on the gateway to authenticate the identity of each client sensor, the proposed protocol can withstand the Sybil attack.

Mutual Authentication.
The signature of the message sent from the client node is generated in Step 1, which is verified by the gateway in Step 2. This provides the authentication of the client node. Meanwhile, a Message Authentication Code (MAC) is applied in Step 2. This will provide proof of authentication and integrity for the sent message. In the proposed protocol, the MAC key is generated by client node and sent to the gateway in a confidential way, where is encrypted by = ( ‖ ) ⊕ ⋅ . Only the gateway with the private key of can decrypt the encrypted message and recover . Thus, only the gateway and client node knows the MAC key . Therefore, the MAC code MAC(( ‖ ), ) can be used to authenticate the identity of the gateway. As a result, the AGKA protocol provides the authentication between the client nodes and the gateway.

Perfect Forward Secrecy.
A key agreement protocol offers forward secrecy if compromisation of a long-term key cannot result in the compromisation of previously established session keys. As mentioned in Step 1 of the AGKA protocol, ( , , , , ) is stored in the memory storage of the lowpower node and each tuple ( , , , , ) is used only once. In this case, ( , , , , ) must be erased as soon as they are no longer useful. Obviously, since the low-power nodes' long-term keys SK are used only for authentication and they are not used for hiding the group key, the leakage of any client node's long-term key does not reveal anything about the group key. Furthermore, strong (partial) forward-secrecy (where any internal data is revealed, that is, the signing key but also the , , and ) is also achieved if the 's and 's are erased as soon as they are no longer useful (the client has left from the group). As a consequence, no information about previous session keys can be found in the memory of the lowpower sensor nodes.

Formal Verification of the AGKA Protocol
Traditionally, cryptographic protocols have been designed and verified using informal and intuitive techniques. However, an absence of formal verification has proven [32,33] to lead to flaws and security errors remaining undetected in a protocol. Formal verification aims at providing a rigid and thorough means of testing the correctness of a cryptographic protocol so that even subtle defects can be uncovered. A number of formal techniques have been developed for this purpose. This section first discusses the Coffey-Saidha-Newe (CSN) logical technique [32] and then formally analyzes and verifies the proposed group key agreement protocol using this logic.

CSN Modal Logic.
The CSN logic provides a means of verifying hybrid cryptographic protocols. The logic can analyze the evolution of both knowledge and belief during a protocol execution, and is therefore useful in addressing issues of both security and trust. The inference rules provided are the standard inferences required for natural deduction and the axioms of the logic are sufficiently low-level to express the fundamental properties of hybrid cryptographic protocols, such as the ability of a principal to encrypt/decrypt based on knowledge of a cryptographic key. The logic is capable of analyzing a wide variety of hybrid cryptographic protocols because the constructs of the logic areof general purpose and therefore provide the user with increased flexibility allowing him to develop his own theorem.
The underlying assumptions of the logic can also be stated as follows. The communication environment is hostile but reliable; the cryptosystems used are ideal. That is, the encryption and decryption functions are completely noninvertible without knowledge of the appropriate cryptographic key and are invertible with knowledge of the appropriate cryptographic key. Keys used by the system are considered valid if they have not exceeded their validity period and only known by the rightful owner(s). The language includes the classical logical connectives of conjunction (∧), disjunction (∨), complementation (¬), and material implication ( → ). The symbols ∀ and ∃ denote universal and existential quantification, respectively. The symbol ∈ indicates membership of a set and / denotes set exclusion. The symbol ⊢ denotes a logical theorem. The logic does not contain specific temporal operators, but the knowledge, belief, and message transfer operators are timeindexed.
(R1) is the Modus Ponens and states that if can be deduced and ( → ) can be deduced, then can also be deduced.
(R2) consists of the generalisation rules which state that if is a theorem, then knowledge and belief in are also theorems. The logic also includes the following standard propositional rules of natural deduction.

Axioms.
Two types of axioms are used in this logic, logical and nonlogical. Logical axioms are general statements made in relation to any system, while non-logical are system specific.
Logical Axioms. The logic includes the following standard modal axioms for knowledge and belief: The axiom (A1) is application of the Modus Ponens to the knowledge operator. The axiom (A2) is called the knowledge axiom and is said to logically characterise knowledge. If something is known, then it is true. This property distinguishes between knowledge and belief. Consider If a piece of data is constructed from other pieces of data, then each piece of data involved in the construction must be known to some entity. The emission axiom (A5) states that if Σ sends a message at time , then Σ knows at time and some entity other than that Σ will receive at time subsequent to . Consider (A6) ∃ ∃ ( (Σ, , ) → Σ, ∧ ∃ , ∈ {ENT/Σ}∃ , < ( , , )).
Axiom (A12) refers to the inability of an entity to encrypt or decrypt data without knowledge of the appropriate shared secret key. Consider Axiom (A13) states that only the rightful owners of a shared secret key know that key; this implies that this key is a good key. Consider Axiom (A14) states that only the rightful owners of a shared secret know that secret; this implies that this is a good secret.  ( (Ψ, , )))); ) ∧ ( , (x, −1 Ψ ))) → (∀ , < , Σ, ( (Ψ, , )))).
(A15)(a) states that if Σ knows a secret ss (Σ,Ψ) that it shares with Ψ (the secret can be fresh), and this secret is a good secret, and Σ receives a message containing ss (Σ,Ψ) at that it did not send, then Σ knows that Ψ sent this message prior to .
(A15)(b) states that if Σ knows the public key of Ψ ( Ψ) and message , and if Σ receives a message containing ( , −1 Ψ ), then Σ knows that Ψ sent message prior to .

Formal Verification of the Proposed Protocol.
To provide assurance that the new AGKA protocol is verifiably secure and trustworthy, a formal verification on its specifications is performed in this section. CSN logic was adopted to perform formal verifications of security protocols in Chapter 6, and is therefore adopted here to perform the formal verification of the new proposed group key agreement protocol.
Goal 1 states that the gateway knows that it will obtain a signed message from containing the ephemeral public key and the concatenation value ‖ prior to the end of Step 1.
Goal 2 states that the low power node will obtain a message from containing the group key GK, the counter , and the nonce after Step 1 but before the end of Step 2.
Assumption (2) states that the private keys of and are known only to its owner and not known to any other entity.
Assumption (3) refers to the timely revelation of the random nonce by the client .
Assumption (4) refers to the timely revelation of the shared key ⋅ by the client .
Assumption (5) states that only the entities and will know the shared key ⋅ after Step 1, and this implies that ⋅ is a good secret. Assumption (6) states that generates the shared MAC key and that knows that no other entity knows this key prior to 1, and that the key is a good key.

Formal Analysis
Step 1. This states that knows at time 1, it will receive a message containing the ephemeral public key and encrypted message ( ‖ , ⋅ ). And this message will be signed by the private key of the client.
Applying Axiom (A6) and Inference Rule (R2), ( Applying Inference Rule (R3), Using Assumption (4) which states that only has knowledge of ⋅ before 1 and Assumption (3) which states that only has knowledge of before 1,

Implementation and Performance Evaluation
In order to evaluate the suitability of our protocol in sensor networks, we carried out a set of experiments based on the TelosB [35] and MICAz [36] mote platforms. Table 2 lists the configuration and the architecture of TelosB and MICAz motes. A low-end PC (1.0 GHz Intel Pentium III processor, 512 MB RAM, and 30 GB hard drive) with a mote attached is used to simulate the gateway. The TelosB mote or the MICAz mote attached to the PC is responsible for transmitting and receiving messages. Using the PC as the security manager enables the security manager to implement all operations by the Java program and store all members' public keys in the local memory device without worrying about memory constraints. This method reduces the execution time of the protocol and releases the memory and power constraints existing in sensor nodes. Most cryptographic algorithms, such as ECDSA, RC5, and Skipjack, are supported by Java, and these algorithms can be found in the Java security packages or the third-party security packages. Another reason for using the PC to simulate the gateway is that the handshaking messages and execution process can be displayed on PC, which eases the researchers in tracing the messages received from the group members and the authentication process during the AGKA protocol. 7.1. Implementation. The implementation is divided into two modules, the client (group member) module and the security manager module.
(i) The client module implements all the operations required by the proposed protocol on the client side, which involves ECC point multiplication, ECDSA signature generation, and MAC generation.
(ii) The security manager module has two parts. The first part powernode.nc is written in nesC code and implemented on the MICAz and TelosB that are attached to the security manager (computer), and the other part is securitymanger.java which is written in Java and implemented on the security manager (computer). These two parts are linked by a Java class MoteIF which enables Java applications to send and receive the message through Universal Asynchronous Receiver/Transmitter (UART).
In software, we implemented our protocol by the use of the nesC programming language and work with the TinySec [37] module and the TinyECC [23] software package, implemented specifically for TinyOS.
TinySec is the first fully implemented link layer security architecture for wireless sensor networks. It is also a research platform that is easily extendable and has been incorporated into higher level protocols. Some well-studied cryptographic primitives are applied in TinySec, such as Message Authentication Codes (MACs), Initialization Vectors (IVs), and Cipher Block Chaining (CBC). It is noteworthy that TinySec was distributed with official releases of TinyOS version 1.x. It has proven that efficient secure communication in wireless sensor networks is a feasible reality. Table 3 summarizes the security characteristics of TinySec.
The TinyECC package supports all elliptic curve operations over prime fields , including point addition, point doubling, and scalar point multiplication, as well as ECDSA operations. It also includes elliptic curve parameters recommended by Stands for Efficient Cryptography Group (SECG), such as secp160k1, secp160r1, and secp160r2. The natural number operations in TinyECC are based on RSAREF2.0 [23,38].
Bouncy Castle [39] is a collection of APIs used in cryptography. It includes APIs for both the Java and the C# programming languages. It provides a Java library to implement all elliptic curve operations over , including point addition, point doubling, and scalar point multiplication, as well as ECDSA operations. In order to implement ECDSA operations in Java, a number of Bouncy Castle classes are imported into our implementation.

Experimental Setup.
The performance evaluation is performed on both TelosB and MICAz motes. We set two experimental networks, both consist of groups of seven client motes and a single gateway. The performance of the protocol in each network is evaluated. As mentioned in Section 4, some values such as and can be pre-computed before the sensor node AKGA.SETUP phase. This is to facilitate a  speeding up of the protocol's operation. The impact of the use of precomputation methods will be evaluated.
To enable TelosB and MICAz motes to execute the ECC computations required by the AGKA protocol, the 128-bit and 160-bit ECC parameters recommended by SECG [40] are chosen for use in the tests presented in the experiment, while the 192-bit ECC parameters are not included in the evaluation. This is because the 192-bit ECC requires 48 bytes to represent the point (public key pair) on the curve, which results in 120 bytes payload in the communication message; such large payload size exceeds the maximum TinyOS payload size of 114 bytes.
The following evaluating measurements are used in our performance evaluation experiments: (i) ROM consumption; (ii) RAM consumption; (iii) execution time; (iv) energy consumption.

Evaluation Results.
A comparison between the results on the TelosB and the results on the MICAz, as well as between the results with pre-computation disabled and with pre-computation enabled, will now be presented.

Execution Time.
The execution time can be one of the most meaningful attributes when evaluating security protocols, especially with regard to resource-constrained sensor nodes. The execution time is measured using an oscilloscope.
In comparing two different mote architectures with the same protocol running, it can be seen that the resulting execution time depends on the clock frequency of the microcontroller on the sensor platform. Figure 3 plots the average execution times for the AGKA protocol implemented on both the TelosB and the MICAz motes with different elliptic curves.
From Figure 3, it can be seen that the value for the execution time on the MICAz mote is about half that of the TelosB mote results, and this can be attributed to the clock frequency of the MICAz being 8 MHz which is double the clock frequency of the TelosB mote. Different elliptic curves affect the execution time of the protocol, and this can be seen in the fact that there is at least a 1.00 second difference  with 128-bit elliptic curves implemented compared with 160bit elliptic curves. It is noticeable that the execution time is significantly reduced when pre-computation is enabled; the reason for this is that two public-key generations are precomputed and the corresponding results are installed in the memory before the nodes join the network. This saves at least 9 seconds in execution time for the TelosB mote and saves at least 4.50 seconds in execution time for the MICAz mote. The fastest execution time observed from the experimental results is 2.64 seconds, when the AGKA protocol with the secp128k1 elliptic curve was implemented on the MICAz motes. Although pre-computation speeds up the protocol, considerable increases in ROM usage are traded.

Memory
Usage. Due to the limited storage available on the sensor nodes, memory usage is an important attribute when evaluating the new key agreement protocol. As already mentioned, the pre-computation method improves the execution speed of the protocol; however, extra memory required is the tradeoff. The check size script provided by the TinyOS is used to obtain the ROM and RAM sizes required by the AGKA protocol in each experiment. The experiment evaluates the increases in ROM requirements of the proposed AGKA protocol with pre-computation enabled. Table 4 illustrates the ROM consumption for the  Secp128r1  27716  2492  27938  2560  28216  2628  28514  2702  Secp128r2  27684  2492  27962  2560  28228  2628  28636  2702  Secp160k1  28876  2868  29214  2952  29536  3036  29874  3110  Secp160r1  28844  2868  29182  2952  29516  3036  29842  3110 AGKA protocol on the TelosB and MICAz motes when the pre-computation method is enabled. It can be seen that the ROM consumption increases with a rise in the number of AGKA.Setup algorithms run. The reason for that is discussed in the following. In Step 1, each low-power node uses the offline pre-computing technique to compute = * , = * , = ( ‖ ) ⊕ ⋅ and a signature = Sig ( ‖ ). Certainly, some tuples ( , , , , ) should be stored in the memory storage of the low-power node in advance. When the proposed protocol plans to run four AGKA.Setup algorithms, it will store 4 tuples ( , , , , ) in the memory at beginning and give each tuple a sequence number; for example, the tuple 1 is named as ( , , , , ) 1 and tuple 2 is named as ( , , , , ) 2 . This is the reason why the ROM consumption increases with a rise in the number of AGKA.Setup algorithms run. After each run, the proposed protocol will remove the corresponding used tuple ( , , , , ); for example, the protocol will remove the tuple 1 ( , , , , ) 1 at the end of the first execution of the AGKA.Setup algorithm.

Energy Consumption.
Another important evaluation measurement besides the memory usage and the execution time is the energy consumption. The energy consumption by the AGKA protocol is measured by the using of the Agilent mobile communication DC Source (DCS). Figure 4 illustrates the energy consumption for the AGKA protocol implemented on the TelosB and the MICAz motes with specific elliptic curves.
It is shown that the protocol with 128-bit elliptic curves consumes less energy than with 168-bit elliptic curves. This is attributed to a reduction in computational complexity and shorter message size when the protocol uses the 128-bit elliptic curves. With the same elliptic curve, the energy consumed by the protocol on the MICAz is less than that on the TelosB. The reason for this is that the execution times on the MICAz are about half that on the TelosB. Furthermore, with the same elliptic curve, at least 35 WH of energy is saved with pre-computation enabled on the MICAz mote, while at least 32 WH of energy is saved with pre-computation enabled on the TelosB mote.

Limitation and Further Improvement.
The comparison results identify that execution time and energy consumption are reduced with short elliptic curves, and those measurements are also improved with pre-computation enabled, while the significant increases in memory usage is the critical tradeoff. Therefore, further improvements and optimizations on memory usage need to be implemented in future work. The experiment only evaluates the protocol with a group size of seven. With increasing the group size, the execution time will increase. The major reason is that the clients' handshaking packets will queue in the transceiver of the security manager and may cause the jam in the communication channel. Further experiments and simulations on protocol performance versus group size should be carried out.

Conclusion and Future Work
In this paper, a secure authenticated group key agreement protocol well suited for wireless sensor networks has been proposed. We showed that the proposed protocol provides forward secrecy and mutual authentication between lowpower nodes and the powerful node (gateway). We also demonstrated that the proposed protocol is verifiably secure against node replication attacks and Sybil attacks. Meanwhile, the implementation of the protocol on the TelosB and the MICAz motes was also described in detail. In addition to the implementation of the protocol, a number of evaluation experiments were developed and performed on the motes and described. The experimental results were analyzed based on the following evaluation metrics: execution time, memory usage, and energy consumption. The evaluation results indicate that the protocol is suitable for use with energyconstrained sensor networks. We plan to further investigate the reduction method that can be used to reduce the bitlength of the pre-computed key pairs and signatures, which will in turn reduce the memory usage of the proposed protocol. In addition, we plan to carry out a further evaluation of the proposed protocol with a larger number of group members than used in this study.