A Privacy-Preserving Reauthentication Scheme for Mobile Wireless Sensor Networks

The mobile wireless sensor network (MWSN) is a new style WSN with mobile sinks or sensors in the network. MWSN has advantages over static WSN in the aspect of better energy efficiency, improved coverage, and superior channel capacity. However, mobile nodes also bring some security problems. For example, it is difficult to ensure secure communications among the mobile nodes and static nodes. In this paper, we design a lightweight mobile reauthentication protocol for mobile nodes. The designed protocol provides forward secure pairwise key for the mobile node when it moves from one cluster to another. Thus, the mobile sensor node can be authenticated by the new cluster head, and the privacy of his origin area is protected. In addition, the security and performance analysis shows that our scheme meets the need of lower communication and computation overhead, while achieving security requirement for mobile sensor node application in MWSN.


Introduction
WSN has become more and more prospective in human life with the development of hardware and communication technologies.However, due to the static network style, there are some natural limitations of WSN, such as network connectivity and network lifetime [1][2][3][4].Furthermore, more and more researches find that the mobility in WSN not only improves the overall network lifetime and the data capacity of the network, but also addresses delay and latency problems [5][6][7][8][9].There are many researches on how to realize better energy efficiency, improve coverage, enhance target tracking, and cause superior channel capacity for MWSN.However, limited researches consider the issue caused by the mobile sensor nodes, such as credibility with low consumption overhead and secure communication in MWSN.While more and more application scenarios require mobile sensors in WSN, such as traffic detection, animal observation E-Health, and battlefield.Furthermore, some present researches begin to consider the mobile adversary [10], which brings new security problems.Therefore, we should pay attention to realize the mutual authentication between the mobile node and the cluster efficiently, generate the new pairwise key, and make sure of the security of data transmission.
The framework of MWNS is given as in Figure 1.The network considers four types of entities: (1) base station-as usual, the base station is assumed to be absolutely secure, which has plenty bandwidth, energy, storage space, and computation capability; (2) cluster head-cluster head is assumed to have more storage space, energy, communication range, and computation capability than sensor node, and notice that, in general, the communication range of cluster head is also larger than the sensor node; (3) static sensor node-we consider static sensor nodes in our network model, since they can work for the cluster head, and relay for mobile sensor node which has smaller communication range than cluster head, and in general, we assume that it has limited storage space, energy, and communication range; (4) mobile sensor node-the mobility is the only difference between the mobile sensor node and the static sensor node, and the mobile sensor node roams from one cluster to another cluster and communicates with the nodes in the cluster.Based on the framework of MWSN, some security problems are brought by the mobility of mobile sensor node.One problem is the identity authentication of mobile sensor node in the new cluster.The other is the new session key generated between mobile sensor node and new cluster to ensure security communication.Moreover, we should protect the privacy of the mobile sensor node which means attackers cannot track it.Therefore, the security requirements of MWSN are given as follows: (1) the authentication of identity-making sure that the identities of both parties who generate the key are trusted; (2) data integrity-ensuring that only authorized person can modify the transmission of information; (3) message privacy-transferring data can only be read by authorized parties; (4) key freshness: ensuring that the existing session key is only used at current stage; (5) node Resiliency-the network recovers when some nodes are captured by malicious attackers; (6) privacy-preserving-since the mobile sensor node roams in WSN, attackers cannot track the mobile sensor node; (7) scalability-allowing revoking and joining nodes.
With the expanding of the network scale, it has little effect on the storage space of nodes and communication consumption.
In this paper, we focus on the security requirements caused by mobile sensor nodes.For the mobile sensor node in MWSN, we present an efficient node reauthentication and key generation scheme for mobile sensor nodes which consumes less communication and computation overhead and protects the privacy of the mobile sensor node.The security and performance analysis shows that our re-authentication scheme for mobile sensor node cannot only efficiently realize the secure requirements for MWSN, but also suit for the limited resource WSN.
The rest of this paper is organized as follows.In Section 2, we introduce the related work.We present our protocol in Section 3. Section 4 gives the security analysis of reauthentication protocol.Section 5 gives the performance analysis and simulation.Finally, we conclude the paper in Section 6.

Related Work
We introduce our related work from three aspects: the lightweight authentication schemes for WSN, the research of mobile sink in MWSN, and the re-authentication schemes for the mobile sensor node in MWSN.
The demand of lightweight is mostly considered in sensor network.All nodes in sensor network are considered to be static initially.For example, Perrig et al. [11] proposed a typical authentication scheme named TESLA (Timed Efficient Stream Loss-Tolerant Authentication) by using the oneway hash chain.The protocol publishes the authentication key  mac through delay to ensure that before the  mac is published, the attacker cannot forge the correct broadcast packets.Du et al. [12] constructed an authentication path based on the public key mechanism by using Merkle Tree to reduce the computation and communication overheads.He also proposed dividing the entire WSN network into region Merkle Tree which can reduce the height of the Tree and the hops of the authentication.Ibriq and Mahgoub [13] proposed an efficient authentication program in which BS (Base Station) acts as the role of Certificate Authentication (CA) and assigns part of its functions to CH (Cluster Head).A sink can generate a key from "Partial Key Escrow Tab" [13] in all nodes and can be elected as Cluster Head.After the data integrated, messages are exchanged among cluster heads and finally transmitted to BS.However, since the partial key escrow Tab should be stored in every node, this scheme needs additional storage space.All these authentication protocols are for static nodes without considering roaming issue.
The advantages of mobile sink in MWSN have attracted much attention.Zhang et al. [14] proposed several efficient schemes to restrict the privilege of a mobile sink without impeding its capability of carrying out authorized operations for an assigned task.To prevent the authenticator from revealing information due to mobile sink compromises, the privileges of the authenticator are restricted by adding parameters, such as the starting time and the ending time of a task, the type of a task, and ID of the mobile sink.Vieira et al. [15] proposed a bioinspired location service named Phero-Trail location service protocol.In Phero-Trail, location information is stored in a 2D upper hull of a Sensor Equipped Aquatic Swarm, and a mobile sink uses its trajectory projected to the 2D hull to maintain location information.This enables mobile sensors to efficiently locate a mobile sink.The results show that Phero-Trail performs better than existing approaches.Agrawal et al. [16] proposed a key update protocol which securely updates the session key between a pair of nodes with the help of random inputs in mobile sensor networks.The security analysis shows that the proposed protocol resists known-key, impersonation, replay, worm, and sink hole attacks, while also provides forward secrecy, key freshness, and key control.The pair-wise key for  and  {}  Encrypt message  by  MAC(, ) The message authentication code of  using  () Recently the security of mobile sensor nodes in WSN has been paid more and more attention.Han and Kim [17] proposed the re-authentication issue concerning mobile nodes moving among sink nodes.The scheme considers the sink in the home cluster as a trusted third party.It prestores authentication information in all surrounding neighbor clusters and transfers the credible information to the new sink.The communication and computation overhead of reauthentication is reduced through credible trust.Qiu et al. [18] considered a sensor node roaming within a very large and distributed wireless sensor network, such as the application of healthcare field, in which the sensor nodes are deployed in the patient's body.When a dynamic sensor node moves to new area and wants to attack a router or a cluster head in this area, it first sends a request message to the base station.After verifying validity of the request message, the base station generates the session key for mobile node and the router and sends it to the router, and then the router sends the material of session key to the mobile node to generate the session key.Qiu also improves the E-G scheme to guarantee that two sensor nodes share at least one key with probability 1 with less storage and energy overhead.The disadvantages of Han's scheme are as follows.First, it only takes the mobile node, sink node, and base station into consideration.Then, the communication overhead of the program mostly concentrates on the mobile node, so it has influence on the lifetime of the mobile node.Lastly, the re-authentication material is prestored in the neighbor clusters, which exists unnecessary communication overhead and information leak.In Qiu's scheme, the basestation is always online and provides the full utilities.The reauthentication also depends on the base station which incurs large communication overhead.

The Proposed Protocol
With the mobility of MWSN, the mobile sensor nodes may move from one cluster to another.If we repeat the new nodes addition process proposed in [4], the scheme will degrade to the E-G [19] scheme.Besides, some predistribution schemes need to interrupt the operation of network and implemented by man, which is unrealistic for the running wireless network.Therefore, the roaming behavior of mobile sensor nodes must consider how to get trust from the new cluster and The re-authentication of mobile sensor node.generate the pair-wise key to achieve security communication.Considering the security requirements caused by mobile sensor nodes in the MWSN, we design our re-authentication protocol as follows.For convenience, we assume that after the static WSN generated the communication keys for the entities, the mobile sensor nodes join the network from some clusters.
As Figure 2 shows, the whole process can be divided into two phrases.Phrase 1 the mobile sensor node   first registers at the base station and then joins the network from the fixed cluster CH  (home cluster).The main purpose of this phase is to make   initial trustily join the network.To ensure security, this phrase is realized by offline distribution.Phrase 2   moves to another new cluster CH  (foreign cluster), and it should pass the legal identify authentication of CH  before enjoying the resource of this cluster.To realize the mutual authentication of   and CH  , we can use the trusted relationship among   , CH  , and CH  .We describe the further details of re-authentication as follows.The notation used throughout our scheme is shown in Table 1.

Predistribution for Mobile Sensor
Node.Before roaming in the network,   should register in the base station and get the pre-distribution material by offline.Then,   joins the network from cluster head CH  .After being authenticated by CH  ,   has the information including a hash number (), a random number  1 , and the session key  CH  ,  .

Mobile Sensor Node Reauthentication.
After registering at the base station and trusted joining CH  ,   can roam in the network among clusters.As Figure 2 shows, after completing Phase 1, the mobile sensor node   moves to a foreign cluster CH  , and   should pass the authentication of CH  before communicating with other nodes in CH  .The implementation mutual authentication of re-authentication protocol is shown in Figure 3.
After generating the session key,   verifies the correctness of MAC 4 .If the validation is right, the session key is right.
During the communication with CH  , () and  1 should be updated as (  ) and   1 which are used as the authentication material for the further re-authentication.CH  also sends these information to the base station.
For convenience, the role of home cluster is acted by the foreign cluster node through which the mobile sensor nodes have completed the re-authentication process.That means that after   completes re-authentication in the foreign cluster CH  , CH  is the new home cluster of mobile sensor node.When   moves to another foreign cluster CH  , CH  acts as the home cluster which responsibly completes the reauthentication between   and CH  .
Taking the issue of tracking and protecting the privacy of   into account, we use the pseudonyms methods [20,21] during the communication.The whole time of   in CH  is divided in accordance with the time slice TS  , and the length of each time slice is Δ, which means we can get  time slices.We denote PID , as the pseudonym of   in the time slice TS  , where PID , is generated by two hash seeds () and  2 as formula ( 2) Notice that since CH  knows  2 and (), so it can trace the messages sent by   in its communication range.While   moves to CH  at TS  (actually CH  only knows a mobile sensor node named PID , joining its cluster), because CH  does not have the materials to generate the pseudonyms, so it cannot trace the messages sent by   out of its communication range.By this way, we can protect the privacy of   .

Protocol Security Analysis
4.1.The Protocol Satisfies Forward Security.Suppose that the attacker gets the session key  CH  ,  between the mobile sensor node   and cluster node CH  .It is difficult for attackers to derive the session key used before such as  CH  ,  .The session key between   and CH  is determined by two random numbers  1 and  2 . 1 is produced in the last reauthentication cycle and is transmitted in the ciphertext. 2 is transmitted by the XOR hash value ℎ 1 in message 4. If the attacker wants to obtain the plaintext  1 , he must know the session key  CH  ,  between   and CH  .Thus, the problem is deduced into how to get the session key between   and the first cluster CH  . CH  ,  is sent offline, which is assumed to be secure. 2 is gotten by the hash and XOR of the hash value of  1 , and according to the irreversibility of hash, the problem of obtaining the plaintext of  2 is derived to obtain the plaintext  1 .Even if attackers get the current session key of   , they cannot derive the previous session key of   through the previously analysis.The protocol satisfies forward security.

Mutual Identity Authentication.
In our scheme, as there is no shared information between CH  and CH  , CH  cannot verify the identity of   , so when CH  receives message 1, it transfers the message to CH  .CH  helps CH  authenticate the identity of   by computing MAC 1 through using the hidden ().  authenticates the identity of the foreign cluster CH  mainly through MAC 4 which also uses the hidden ().If MAC 4 is right, we believe that CH  has the right identity.By this way, we realize mutual identity authentication.

Prevent Man-in-the-Middle Attack.
From the analysis of our scheme, an attacker can track or intercept message 1 to act the mobile sensor node   and continue communicating with foreign cluster head.It makes the entire protocol go on running.Finally, feedback message (message 4) is gotten to extract the session key material.However, according to the analysis of forward security,  1 and  2 are not sent in plaintext.In order to attack the protocol, the previous session key should be known.And the whole problem is back to the security of  CH  ,  .For man-in-the-middle attack, as mentioned in mutual identity authentication, mutual identity authentication ensures the correctness of the identity of the message sender.MAC used in every message ensures the message integrity.According to the general security assumption of MAC [17], attackers cannot construct a valid message to achieve communication.So the protocol can prevent man-in-the-middle attack.

Prevent Replay Attack.
When the mobile node   applies to join registered foreign cluster, every message of our scheme has the current timestamp ( 1 ,  2 ,  3 ,  4 ).The message received in Δ time, to some extent, can prevent replay attack.According to the session key generated in formula (1), the generation of session key selects new random number, which ensures the freshness of session key and prevents replay attack effectively.

Protect the Privacy of the Mobile Node.
Since the communication of mobile sensor node uses the pseudonyms, attackers and other entities cannot distinguish them which protects the privacy of the mobile sensor node.But to the base station and cluster heads, they can track the mobile sensor node.After the mobile node joins the foreign cluster, the cluster head sends the () and  1 to the base station, which helps the base station to track and manage the mobile sensor node.However, for the cluster head (such as CH  ), CH  only knows that the pseudonyms of the mobile sensor node   is in its cluster.When the mobile sensor node   moves to a new cluster head (such as CH  ), CH  does not know the pseudonyms of   , and it cannot track   .Therefore, the privacy preserving of mobile sensor node is conditional.

Protocol Performance Analysis
We give the performance analysis of our scheme in this section in terms of communication pass, message size, and International Journal of Distributed Sensor Networks computation overhead.We also give the simulation of our scheme on the NS2 simulation platform and use the time delay to reflect the efficiency of our scheme.

Communication Pass.
We compared the required number of communication passes with Han's [17] and Qiu's [18] schemes, since both of them propose the reauthentication protocols for mobile sensor nodes in WSN.Table 2 shows the comparison of communication passes for mobile node reauthentication, where  denotes the number of hops from   to the foreign cluster head (sink),  denotes the number of neighbor cluster heads (sinks) around the home cluster head, and  denotes the number of hops from foreign cluster (sink) to the base station which is used in Qiu's scheme.Since Han's and our schemes use the relation among cluster heads to realize re-authentication for mobile sensor node, which do not need communication with the base station, in Qiu's scheme, when the node joins a new sink, it first sends the requirement message to the base station.Actually, the message is first sent to the foreign cluster head ( hops) and then to the base station via the foreign cluster ( hops) which incurs large communication overhead.The hole communication passes are ( + ) hops.
Although the re-authentication of Han's scheme does not need communication with the base station, he prestores the authentication information in all surrounding neighbor cluster heads which are related with the number of neighbor cluster ( hops), while our scheme realizes the re-authentication by the tradition tripartite authentication, which results in less communication pass.

Message Size.
The message size during the re-authentication process is quantified by the byte which is to show the communication overhead.We compare the message size with Han's.We use the base parameter setting of message as Han's [17] in Table 3.
From Table 4, we can see that our scheme has less message size of the whole re-authentication process.Notice that Han pre-stores authentication information in all surrounding neighbor clusters and we only consider that the number of authentication material of transmission size is 36 bytes, while the actual number may be more than 36.
During re-authentication for mobile sensor node, we reduce the message length transmission among the entities since the data transmission consumes much more energy than computation in WSN.

Computation Overhead.
Computation overhead is quantified by the number of execution encryption algorithm.As Table 5 shows, the total number of encryption/decryption of our scheme is the same as Han's, both more than Qiu's scheme.Since the re-authentication of Qiu's scheme is based on the base station, our scheme and Han's scheme are based on the relation among clusters.

Protocol Simulation.
We use NS2.29 to simulate our scheme and Han' scheme [17], since both of them realize mobile node re-authentication without requiring communication with the base station.We use the transmission delay to quantify the message size, which can reveal the availability and efficiency of our scheme.The simulation uses the mesh network topology, MAC layer uses the 802.15.4 protocol written by Zheng and Lee [22] for NS2, the routing layer uses the AODV routing protocol which has the shortest hops, the transportation layer uses the UDP protocol, and the application layer transmits the CBR packet.The message size is set as Table 4.The data transmission speed is 250 KB/S, which adopts the recommended beacon mode standard setting in reference [22].Supposing the communication radius of the mobile sensor node and the common sensor nodes within the cluster to be 20 m, the communication radius of cluster head is 100 m.The computation delay of message 1 and message 4 in mobile sensor node is 6 ms and 3 ms [23], respectively, while the computation delay of message 2 and message 3 node is 1 ms for cluster head.
To reflect the comparison of Table 4, we design two groups of simulation for our scheme and Han's scheme [17].The number of each group simulation is 100 times.In Figure 4,  = 1, and  = 2.The simulation delay of Han's scheme is 26.217 ms, while our scheme is 18.432 ms.However, the time delay of our schemes simulation is not as good as the comparison in Table 4. Since there is an addition MAC layer head for each message, the time delay of simulation is not the same as the comparison of message size in Table 4. From Figure 4, we can know the whole delay of our scheme is less than Han's.On one hand, our scheme has less message size, on the other hand, we reduce the number of messages sending.The fluctuation of the simulation in Figure 4 is caused by  = 2. Since the message transmitted by the static nodes in cluster needs to consume transmission delay (when node transmits message, it will repeat calling the sending and receiving process, and seek the routing table, which leads to more delay time), and it results in the unstability of time.
In Figure 5,  = 1, and  = 5.The simulation delay of Han's scheme is 60.384 ms, while our scheme is 34.8608 ms.Compared with Figure 4, with the number of relay hops increasing, the advantage of our scheme is more obvious.This is due to less communication message size of mobile sensor node.Moreover, with the number of hops increasing, the instability of the simulation is more obvious.

Conclusion
The security problem brought by the mobile sensors in MWSN attracts more and more attention of researchers.In this paper, we propose a re-authentication protocol for the mobile node roaming among clusters.Our protocol can transfer the credibility among the clusters which can efficiently achieve the requirements of secure identity authentication and establish the forward secure pairwise key.Meanwhile, the base station can track the mobile trajectory and protect the privacy of the mobile sensor node.We also give performance analysis and simulation for our reauthentication protocol.The results and comparison show that our protocol achieves better security and has better performance on communication overhead, message size, and computation cost.

Figure 3 :
Figure 3: Re-authentication of mobile sensor nodes.

Table 2 :
The required number of communication passes.

Table 3 :
The base parameter setting of message.

Table 4 :
The required message size for re-authentication (byte).

Table 5 :
The required message size for re-authentication.