176 Int. J. Communication Networks and Distributed Systems, Vol. 10, No.

2, 2013

ESF: an efficient security framework for wireless

sensor network

Somanath Tripathy
Department of Computer Science and Engineering,
Indian Institute of Technology Patna,
Pataliputra Colony, Patna, Bihar, India
E-mail: [email protected]

Abstract: A wireless sensor network (WSN) consists of a large number of

resource constrained sensor nodes, usually deployed in hostile environments,
where they face a variety of malicious attacks. To address the security
vulnerabilities in WSN, this paper proposes an efficient security framework
(ESF), which comprises of two security building blocks. The first one security
building block is to establish key between the sending and receiving nodes
while other component provides confidentiality and integrity of data. Owing to
the limited resources available with the sensor nodes, ESF avoids intensive
computations like public key cryptography and encryption mechanisms.
Analysis of ESF shows that the framework provides a secure environment and
resistant against the wireless threats using simple bit-wise operations and
cryptographic hash functions.

Keywords: wireless sensor network; WSN; security; authentication; cellular

automata; CA.

Reference to this paper should be made as follows: Tripathy, S. (2013)

‘ESF: an efficient security framework for wireless sensor network’, Int. J.
Communication Networks and Distributed Systems, Vol. 10, No. 2,
pp.176–194.

Biographical notes: Somanath Tripathy received his PhD in Computer Science

and Engineering from the Indian Institute of Technology Guwahati in 2007. At
present, he is an Assistant Professor at the Indian Institute of Technology Patna.
His research interest includes lightweight cryptography, network security, and
security issues in resource constrained devices (RFID, sensor networks). He has
published more than 20 research papers in journals and conferences.

1 Introduction

Wireless sensor network (WSN) (Akyildiz et al., 2002) is a popular technology that plays
a vital role in sensing, gathering and disseminating information about environmental
phenomena. WSN can be used for a variety of applications (Arora et al., 2004; Burne
et al., 2001; Szewezyk et al., 2004) include target tracking in the battle field, habitat
monitoring, etc. For different applications there are different technical issues arise.
A common WSN comprises of a large number of resource restrained sensor nodes
and a powerful base station (BS). The sensor nodes are resource constrained in terms of
computational capability, storage capacity and energy, as these are battery powered.

Copyright © 2013 Inderscience Enterprises Ltd.

 ESF: an efficient security framework for wireless sensor network 177

Therefore in common applications, a few nodes called aggregators in a WSN, gather the
sensed data from their neighbourhoods and send the refined information (removing
redundant), to the BS to save traffic as well as energy.
Though it is understood that ability to develop complex cryptosystems in the WSN
space is limited, the threats are definitely not so! There are many possible attacks because
of the common wireless channel and hostile environment. A subset of such threats would
include denial of services (DoS) attacks (Wood and Stankovic, 2002; Deng et al., 2005),
time synchronisation attacks (Manzo and Roosta, 2005), injecting malicious traffic (Yu
and Liu, 2005) and routing threats (Karlof and Wagner, 2003).
To secure WSNs, the data transmission must be encrypted and authenticated.
Implementing end-to-end security mechanisms like transport layer security (TLS)
(http://tools.ietf.org/html/rfc5246), internet protocol security (IPSEC) (http://tools.ietf.org/
html/rfc4301) are not an ideal solution, since the dominant traffic in WSN is many to
one. Apart from that, the traditional computational intensive cryptosystem are not
suitable for WSN due to the limited resources. To address this issue, several key
pre-distribution approaches have been proposed. Unfortunately, the key pre-distribution
mechanisms suffer from their inherent limitations that an adversary can determine the
sensitive information related to non-captured nodes by compromising few other nodes.
This paper proposes an efficient security framework (ESF) comprises of two
components to provide security:
1 ESF-AK: Authentication and key agreement to establish pairwise secret keys
between a cluster head (CH) and a group of sensor nodes in the cluster, during a
single instance of protocol execution.
2 ESF-DP: Data protection to ensure confidentiality and integrity of data using the
pairwise established keys. Preliminary idea of a part of the work has been published
in Tripathy (2009). The most attractive feature of this frameworks is that to solve the
trade-off between security feature and energy (resources), both the components use
hash operations and simple three-neighbourhood cellular automata (CA)-based
operations to simplify the hardware and software implementation.
The rest of the paper is organised as follows. A brief review of literature has been
produced in the next section. CA and reversible cellular automata (RCA) are discussed in
Section 3. Section 4 discusses the WSN and attacker’s capability. The proposed
mechanisms ESF-AK and ESF-DP are explained in Section 5 and their performance
evaluation is carried out in Section 6. Section 7 concludes the work.

2 Related works

There are only a few security architectures for WSN have been proposed. The authors in
Zia and Zomaya (2006) presented a security architecture for WSN comprising of cluster
formation, secure routing and key management algorithm. The tiny security architecture
TINYSA (Johann, 2006) is implemented using elliptic curve cryptography (ECC) on
WSN, to provide confidentiality, authenticity and integrity. Prasad and Alam (2006) have
proposed an adaptive security structure for different level (low, medium, and high) of
application services. A brief survey on the important contributions related to key
establishment and data security is briefly discussed in the subsequent sections.
178 S. Tripathy

2.1 Key establishment in WSN

The pairwise key agreement problem is widely studied for common networks and variety
of schemes have been proposed. The self-enforcing key agreements schemes depend on
asymmetric key cryptography are not suitable for WSN applications (Perrig et al., 2001)
due limited resources available to the sensor nodes. Key pre-distribution schemes in
which key information is distributed over each sensor nodes before the deployment,
could be an alternative solution for WSN. A variety of key distribution schemes and their
efficiencies are compared in Seyit and Yener (2005). Random key pre-distribution
schemes like Eschenauer and Gligor (2002) are a class of key establishment protocol
consisting of three phases: key pre-distribution, shared-key discovery and path-key
establishment. Each sensor node is pre-loaded with randomly selected key forms a key
ring. A pair of sensor nodes can establish a secure communication channel as long as
their key rings have at least one key in common. Path key needs to be established if there
is no common key in between. The full pairwise key pre-distribution scheme (Chan et al.,
2003) is a similar proposal but, each node in a network of ℵ nodes carry ℵ – 1 distinct
cryptographic keys from the key pool, before the deployment to improve the robustness
against node capturing. However, each of these schemes struggles with scalability issues
especially when topology information is not available. Scalability issues are addressed in
group-based schemes (Liu et al., 2005; Zhou et al., 2005), in which a group of sensors is
associated with a portion of the overall key pools. None of these schemes can be
applicable if the topology is not predictable prior to the deployment.
The localised encryption and authentication protocol (LEAP) (Zhu et al., 2003) uses a
network wide key embedded in each sensor node which could be used for pairwise key
establishment. So the whole network becomes vulnerable once that key is revealed during
the period. The key-establishment mechanism in Perrig et al. (2001), Cheng and Agarwal
(2007), Liu and Cheng (2006) and Ma et al. (2006) compute shared keys with their
neighbours after deployment. These schemes achieve high local connectivity maintaining
low storage overhead and scalability. But, most of the proposed schemes require high
computation and communication overheads results in more energy consumption.

2.2 Data security in WSN

Authentication is necessary to enable sensor nodes to detect maliciously injected or
spoofed packets. Luk et al. (2006) in their recent paper discussed the importance of
source authentication and data authentication in sensor networks. The authors in Perrig
et al. (2001), and Shi and Perrig (2004) highlight that providing authenticity,
confidentiality, integrity and freshness of data are the essential security parameters for
WSN. Several more security issues and solutions for WSN are discussed in Walters et al.
(2006). A secure broadcast authentication mechanism to achieve asymmetric by delaying
the disclosure of symmetric key, rather using asymmetric key cryptography is proposed
in Perrig et al. (2001). Though it is most important for recipient node to authenticate the
message before taking some global decision/action, only a few works has been done in
this direction. Perrig et al. (2001) proposed a secure network encryption protocol (SNEP)
can be used in peer-node communication that achieves message authentication. A link
layer security architecture for WSN called TINYSEC is proposed in Karlof et al. (2004)
to provide authentication and maintain confidentiality. Both these techniques, Perrig et al.
 ESF: an efficient security framework for wireless sensor network 179

(2001) and Karlof et al. (2004) use symmetric key cryptography. But, using of the
computational intensive operations like symmetric key encryption, severely drains energy
from the resource restrained sensor nodes.

3 CA preliminaries

CA are used for modelling synchronous dynamical systems consisting of multiple cells or
components, where the behaviour of all cells is controlled by a fixed finite-state
automata. The state of each cell i in a CA is updated synchronously at discrete time steps
according to a local update rule that depends on both the state of i and those of some
fixed number of neighbours of i.
If σi(t) denotes the state (value) of cell i at time step t; in a two-state
three-neighbourhood CA, the evolution of ith cell can be represented as a function of the
present state of i – 1th; ith and i + 1th cells as: σi(t + 1) = f(σi–1(t), σi(t), σi+1(t)), where f is
an arbitrary function which specifies the CA rule. The vector {σ(t) = {σ1(t), σ2(t), …,
σω(t)}, represents the state values of the ω-cell CA is called a configuration at time t. σ(0)
denotes for the initial configuration, i.e., at time t = 0.
3
There are 23 distinct neighbourhood configurations and 22 = 256 possible distinct
mappings from all these neighbourhood configurations to the next state in a
three-neighbourhood CA. Each mapping represents a CA rule specified by the equivalent
decimal number. In the example (showed in Table 1), the top row represents the eight
possible states, while the subsequent rows give the corresponding states of the ith cell at
time instant t + 1. Since the output of the first row is the binary equivalent of decimal 30,
it is commonly referred to as the CA rule 30. On minimisation, the truth tables for the
rules (30, 45 and 60) results in the logic function as noted in the right part of the Table 1,
where the symbols ¬, ∨, ∧ and ⊕, respectively denotes for the logical NOT, OR, AND,
and XOR operations. For more details about CA the reader can refer to Chaudhuri et al.
(1997) and Wolfram (2002).
The proposed work uses a special class of CA called RCA, in which the previous
configuration(s) can be determined from the given configurations.
Reversible CA(RCA): A second order CA is an RCA, where the state of a cell at time
t + 1 depends on its neighbourhood (i – 1, i, i + 1) at time t as well as its (ith) state at time
t – 1. Thus, the next configuration σ(2) is evolved from two subsequent previous initial
configurations (σ(0), σ(1)). At the same time, it is possible to retrieve σ(0) from (σ(2),
σ(1)). Therefore, this class of CA is called RCA. It is simple to implement an RCA using
a single XOR operation over a CA rule, as an example, RCA with CA rule 30 can be
expressed as : σi(t + 1) = σi–1(t) ⊕ (σi(t) ∨ σi+1(t)) ⊕ σi(t – 1). A 4-cell periodic boundary
second order RCA with rule 30 is depicted in Figure 1, where σ and ξ denote the two
successive inputs and ρ be the evolved output configurations follows the relations in
equations (1) and (2).
ρ = RCA(σ , ξ ) (1)

ξ = RCA(σ , ρ ). (2)
180 S. Tripathy

Table 1 Next state configuration of some CA rules

Nbd.
111 110 101 100 011 010 001 000 RN Next State function
state:
Next 0 0 0 1 1 1 1 0 30 σi(t + 1) = σi–1(t) ⊕ (σi(t) ∨ σi+1(t))
state:
Next 0 0 1 0 1 1 0 1 45 σi(t + 1) = σi–1(t) ⊕ (σi(t) ∨
state: ¬σi+1(t))
Next 0 0 1 1 1 1 0 0 60 σi(t + 1) = σi–1(t) ⊕ σi(t)
state:

Figure 1 Logic structure of four-cell rule-30 periodic boundary RCA

Similarly, a τth order RCA can be designed in which, every (τ + 1)th configuration results
from the previous consecutive τ configurations:
σ i (t + 1) = f (σ i (t ), σ i −1 (t ), σ i +1 (t ) )©
f (σ i (t − 1), σ i −1 (t − 1), σ i +1 (t − 1) )©
...© (3)
f (σ i (t − τ + 1), σ i −1 (t − τ + 1), σ i +1 (t − τ + 1) )
⊕ f (σ i (t − τ ), σ i −1 (t − τ ), σ i +1 (t − τ ) )

where © denotes for any logical operation. The evolution of such an RCA (denoted by
RCAτ) consecutively for q times referred as RCAτq can be expressed as

(σ (q + 1), ..., σ (q + τ ) ) = RCAτq (σ (0), ..., σ (τ − 1) ) . (4)

Also, the original (previous) configurations can be determined from τ consecutive

configurations through backward evolution as
 ESF: an efficient security framework for wireless sensor network 181

(σ (τ − 1), ..., σ (0) ) = RCAτq (σ (q + τ ), ..., σ (q + 1) ) (5)

4 System model

4.1 Network model

A commonly used WSN constitutes of a large number of sensor nodes, which are
randomly dispersed in the monitoring area. Each sensor node is assigned with an
l(= 32)-bit identity. The identity is static and unique through out the network.
We assume a hierarchical WSN consists of a BS and a number of nodes grouped in
clusters as showed in Figure 2. A node called CH serves as an intermediary between BS
and cluster nodes (CNs, CN ∈2 {C1, C2, …, Cη}) of a cluster. Thus, each CH acts as an
aggregator to combine the data obtained from the CNs and route the result data to the BS.
The role of CH is changed (among all CNs in the cluster) using an existing CH
selection/election algorithm. This balances the energy level of each node. Thus each
sensor node (CN and CH) has two transmission capability: short range radio (shown
through solid lines in Figure 2) to communicate with the neighbours and long range radio
(shown through dashed lines in Figure 2) to communicate with the BS.
BS is the central point of control within the network, and is assumed to have large
storage, energy and computational capability, while sensor nodes are resource
constrained. Usually, the sensor nodes are deployed via aerial scattering or by physical
installation, therefore, no sensor node can predict its immediate neighbouring node in
advance.

Figure 2 Cluster-based WSN (see online version for colours)

182 S. Tripathy

4.2 Attacker model

In this work, we assume that an attacker Æ is external with the following capability.
• Æ can monitor the entire network
• Æ can inject false information
• Æ can replay the older message
• Æ is also capable enough to compromise a few nodes in the network.
Table 2 List of used notation

Notation Description
Æ Attacker
BS Base station
CA Cellular automata
CH Cluster head
|| Concatenation
CTRs Counter shared with BS and node s
CTRChi Counter shared with CH and node i
G Hash function results n-bit digest
H Hash function results l-bit digest
IDs Identity of sensor node s
ks Key assigned by BS to node s
LTl(p) l-bit of p from left
Ci ith neighbour nodes in the cluster
RCA (second order) Reversible CA
q
RCAτ qth evolution of τth order RCA
RTm(p) m-bit of p from right
s Sensor node ∈ {CH, Ci}
⊕ XOR
X → Y: message X communicates message to Y
X → ∗: message X broadcasts message

5 Efficient security framework

In the proposed framework, each sensor node sends their gathered data to CH, which
aggregates and sends those to the BS. Since WSN uses shared wireless communication
medium, the attacker can easily determine the traffic, inject spurious data or read the
information flows. To defend against this, data must be authenticated enabling the
recipient node to distinguish the genuine packet from the spurious one. At the same time,
to protect from the external attackers (those nodes are not a part of the communication),
 ESF: an efficient security framework for wireless sensor network 183

key establishment mechanism is essential. Therefore, the proposed frame work ESF
comprises of two security building blocks as showed in Figure 3, namely:
1 authenticated key-agreement (ESFAK)
2 data protection (ESF-DP).
ESF-DP takes the service from ESF-AK, i.e., it uses the key (agreed during ESF-AK) for
achieving confidentiality and authenticity of data. The network operation through ESF is
summarised in Figure 4.

Figure 3 ESF: efficient security framework (see online version for colours)

Figure 4 Operation of ESF

184 S. Tripathy

The proposed framework uses CA-based components due to their inherent advantages
which includes simple, regular and modular structure. Moreover, the simple binary (bit
wise) operation makes them more suitable to implement in WSN environment. On the
other hand, implementing traditional strong cryptographic algorithms like advance
encryption standard AES (2001), uses intensive computations which severely drains
energy from the sensor nodes reducing lifetime of WSN. Both the modules (ESF-AK and
ESF-DP) are discussed in subsequent sections.

5.1 ESF-AK: authenticated key agreement mechanism

The proposed scheme ESF-AK follows the trusted server-based solution being realistic
for establishing secret keys between Ci and CH. On the other hand, unlike the schemes
proposed in Perrig et al. (2001), Zhu et al. (2003), and Cheng and Agarwal (2007),
ESF-AK can establish keys between τ number of neighboured nodes at a single instance
and therefore, it reduces the communication as well as computation overheads.
In this section, we discuss the way in which, CH can establish pairwise keys between
all the nodes in its cluster using ESF-AK. ESF-AK executes through the following three
operational phases:
1 Secret-token assignment phase: It is a predeployment phase. Before the deployment
each sensor node s, is assigned with an m(= 128)-bit secret token kS and an
l(= 32)-bit counter value CTRS. BS stores IDs and corresponding kS, CTRs in a
secret-matrix.
2 Multiple pairwise key establishment phase: This phase is to establish pairwise secret
keys between CH and its communicating nodes ({Cj}: j ∈ {1 … τ}) in the cluster.
This phase executes after the new CH is assigned and operates as follows:
Step 1.1 CH broadcasts a key setup request (Req) through the short range radio.
CH → ∗ : Req
Step 1.2 Each sensor node Ci (i ∈ {1 … τ}) in the cluster, verifies whether the
request was initiated from the present CH. If the received request is not
initiated from the present CH or Ci has a valid pairwise key with the CH,
Ci discards the request. Otherwise, Ci generates a (m – bit) random
number RCi and sends IDCi || α i to BS after computing αi as follows:

KCi = G ( kci || CTRi ) (6)

α i = RCA ( KCi , ( IDCH || RCi ) ) . (7)

Now, Ci uses RCi as (kCHi ) pairwise key with CH. Finally, Ci

increments its counter value (CTRi).
Ci ( i∈{1...η}) → BS : IDCi || α i

Step 1.3 BS retrieves kCi and CTRi corresponding to IDCi from its secret-matrix
and determines RCi from i as
 ESF: an efficient security framework for wireless sensor network 185

KCi = G ( kci || CTRi ) (8)

(
IDCH = LTl RCA ( K Ci , α i ) , ) (9)

(
RCi = RTm RCA ( KCi , α i ) . ) (10)

If BS determines the same IDCH from at least τ number of Ci within a

period of time, it proceeds to Step 1.4, otherwise stops the execution
further. Here, τ(1 < τ < η) is the threshold number of nodes chosen to
establish distinguished pairwise keys between CH and Ci at a time. If the
threshold number is chosen to be as small as 1, the mechanism results in
establishing a single pairwise session key and therefore, average
complexity increases. On the other hand, large η value leads to DoS, if a
single selfish node does not react, the whole protocol execution stops at
BS. Therefore, value of τ would be η ÷ 2 would be a better choice.
Step 1.4 BS computes (β1, β2, …, βτ–1, (βτ)′) using equation (12) and sends it to
CH. BS increments the CTRCH and CTRi(i ∈ {1, …, τ}) values.

( β1 , β 2 , ..., βτ −1 , βτ )
(11)
= RCAτq ( I | DC1 || RC1 , IDC2 || RC2 ,..., IDCτ −1 || RCτ −1 , IDCτ || RCτ )
( βτ )′ = βτ ⊕ ( kCH || CTRCH ) (12)

(
BS → CH : β1 , β 2 , ..., βτ −1 , ( βτ )′ )
Step 1.5 CH computes ( IDC j || RC j , ∀j ∈ {1...τ }) from ( β1 , β 2 , ..., βτ −1 , ( βτ )′)
using equations (13) and (14)

βτ = ( βτ )′ ⊕ ( kCH || CTRCH ) (13)

( IDC τ
|| RCτ , IDCτ −1 || RCτ −1 , ..., IDC2 || RC2 , IDC1 || RC1 )
(14)
= RCAτq ( β1 , β 2 , ..., βτ −1 , βτ ) .
Hereafter, CH uses RC j as (kCH j ) pairwise key with Cj. Finally, CH
increments its CTRCH.
This scheme does not implement any key conformation as it is implicit. However, if
by any chance CH could not establish a pairwise key with a node (say Ci for some
i ∈ {1, …, η}) in the cluster, then it executes the following phase.
3 Single-key establishment phase: If a node (Ci) sleeps during the execution of the
multiple key establishment phase, or RCi sent by Ci gets delayed or lost, BS could
not include Ci in the multiple key establishment phase. So a pairwise key between
CH and Ci was not being established during the multiple key establishment phases.
In such case, to establish pairwise key with that Ci, CH initiates the execution as
186 S. Tripathy

explained below. This procedure is equally applicable if the pairwise key is

compromised or expired.
Step 2.1 CH generates a random number RCH i and computes α CH i using
equation (16). Then, it sends α CH i to BS. Hereafter, CH uses RCH i
as (kCH i ) pairwise key with Ci. CH increments the CTRCH.

K CH = G ( kCH || CTRCH ) (15)

α CH i = KCH ⊕ ( IDCi || RCH i ) . (16)

CH → BS : IDCH || α CH i
Step 2.2 BS retrieves kCH and CTRCH corresponding to IDCH from its secret-matrix
and determines RCH i from α CH i using equation (19).

K CH = G ( kCH || CTRCH ) (17)

IDCi = LTl ( K CH ⊕ α CH i ) , (18)

RCH i = RTm ( K CH ⊕ α CH i ) . (19)

Finally, BS sends αBS computed from equation (21) to Ci [corresponding

to IDCi obtained from equation (18)] and increments CTRCH and CTRCi.

K Ci = G ( kci || CTRi ) (20)

α BS = K Ci ⊕ ( IDCH || RCH i ) . (21)

BS → Ci : α BS .
Step 2.3 Ci computes the RCH i from αBS using equation (24).

KCi = G ( kci || CTRi ) (22)

IDCH = LTl ( K Ci ⊕ α i ) , (23)

RCH i = RTm ( K Ci ⊕ α i ) . (24)

If IDCH is identity of the present CH, then Ci stores RCH i as kCH i and
increments its counter CTRi. To withstand against counter de-
synchronisation attacks, Ci may repeat Step 2.3 by incrementing CTRi
once more, if fails in the first trial. Further, if fails in both the trials, Ci
believes that the request is not genuine and restore the original CTRi.
 ESF: an efficient security framework for wireless sensor network 187

5.2 ESF-DP: data protection mechanism

ESF-DP is to provide data security during communication between Ci and CH as well as
CH and BS. Each node(s) has a pairwise key and CTR with BS. Apart from that, in this
stage, each Cj has already been established (kCH j ) with CH (executing ESF-AK). After
pairwise key has been established, both Cj and CH starts maintaining a counter value
(CTRCH j ).
In this section, we discuss the secure data communication between Cj and CH using
ESF-DP. In similar fashion CH to BS communication can be performed. ESF-DP
comprises of two basic operations data security phase and counter initialisation phase
discussed below:
1 Data security phase: This phase executes through the following steps.
Step 3.1 While transmitting data, Cj uses the format of Ψj as expressed in
equation (26). Cj increments the counter value CTRCH j .

φ j = H ( IDC j || CTRCH j )
(25)
γ j = G ( kCH j || CTRCH j )

Ψ j = RCA (γ j , φ j || data ) (26)

For smaller or larger sized data some padding/or stripping algorithms can
be used accordingly.
Step 3.2 To validate the data, CH obtains the kCH j and CTRCH j of corresponding
IDC j . It assures the data to be authentic if equation (28) holds and then
proceeds to Step 3.3.

γ j = G ( kCH j || CTRCH j ) (27)

( ) (
H IDC j || CTRCH j = LTl RCA (γ j , Ψ j ) ) (28)

Step 3.2a Otherwise [if equation (28) does not hold], CH iterates the verification of
equation (28) once again, after incrementing its CTRCH j value and
proceeds to Step 3.3 if match occurs. CH discards the data and restores
the original CTRCH j value, if both the (verification) iterations fails.

Step 3.3 CH retrieves the data as

(
data = RTm RCA (γ j , Ψ j ) . ) (29)

Finally, CH increments CTRCH j value.

2 Counter initialisation phase: Using this phase, the CH (re)initialises the counter
value CTRCH j and distribute it to the corresponding Cj. This phase is invoked to
188 S. Tripathy

start maintaining the counter, or if the counter shared between Ci and CH gets
de-synchronised.
Step 4.1 The CH computes a random value as counter CTRnew and uses the format
of Ψi as expressed in equation (31).

φi = H ( kCH j || CTRnew )
(30)
γ j = G ( kCH j || CTRCH j )

Ψ j = RCA (γ j , φ j || CTRnew ) (31)

Step 4.2 Cj determines CTRnew from equation (32) and assures the CTRnew is
authentic if equation (34) is conformed. If the equality in (34 holds, Cj
updates its counter value to CTRnew.

(
CTRnew = RTm RCA (γ j , Ψ i ) ) (32)

γ j = G ( kCH j || CTRnew ) (33)

( ) (
H kCH j || CTRnew = LTl RCA (γ j , Ψ i ) ) (34)

6 Efficiency of ESF

In this section, we evaluate efficiency of the proposed framework ESF in terms of both
the aspects: security and performance. The security analysis will be done according to the
wireless security requirements as well as resistant to various common threats. We carry
out the performance analysis based on theoretical determining of computation,
communication and storage complexity. While analysing we assume the following
characteristics:
p1 It is computationally infeasible to find out the τ original configurations from τ – 1
consecutive configurations after evolution of q times RCAτq , but simple to determine
if τ original configuration is being given. This is because, for each possible guess
configuration there would be a unique set of initial configurations due to the
reversibility of RCA. The CA-rule 30 based components would be used in the RCA
to achieve better security (Wolfram, 1986).
p2 Given ρ = RCA(σ, ξ), it is computationally infeasible to have a correct guess of ξ or
σ.
p3 Both G and H have one-way and collision resistant properties.

6.1 Security analysis

The security analysis is done according to the following wireless security requirements:
 ESF: an efficient security framework for wireless sensor network 189

• Authentication: ESF-AK module of the framework enables CH to establish pairwise

keys between each neighbour node Ci. The mechanism provides implicit mutual
authentication as both CH as well as Ci trust the BS and key establishment executes
through BS.
• Confidentiality: Confidentiality of data is provided by ESF-DP module in its data
security phase using RCA. It is difficult to have a correct guess for data from the
information flow ψj due to property p2. Besides this, each node have a different key
with the CH, therefore, data transferred from a node Ci cannot be correctly read by
node other than Ci.
• Semantic security: The counter value is incremented at both the ends after each
successful transmission results in altered γj. Therefore, different ψj will be
transmitted in subsequent session even if same data has sent. Thus, the scheme
provides Semantic security.
• Integrity: Integrity of data during data security phase of ESF-DP is achieved as
follows. On receipt of the message (ψj) the receiver computes the hash digest
G (kCH j || CTR j ) and compares with the φj obtained from ψj to verify whether the
message is modified during communication.
• Availability: Availability is a serious problem especially for the WSN because of the
limited resources. Therefore, the less intensive computations are used in the
framework.
Apart from the above mentioned security requirements, ESF is assessed against the
following threats based on the Æ’s capability discussed in Section 4.
• Passive eavesdropping: An adversary can eavesdrop the message, but Æ cannot read
the correct data as it is scrambled using RCA operation.
• Message injection: Æ can inject message into the network easily, but the receiver can
detect due to integrity check used in data security phase of ESF-DP.
• Session hijacking: Due to the authentication and integrity mechanism session
hijacking is not feasible.
• Man-in the middle attack: Due to mutual authentication (implicit) man-in-the-middle
attack is not feasible in the proposed framework.
• Masquerading BS: During deployment each node has shared a key and counter with
BS. This has performed in secure which may be carried out physically. Since all the
communications are performed using this key and counter a rogue BS cannot have
the keys.
• Replay attack: The scheme achieves week freshness using counter which updates at
each success transmission.
• Node capturing: If a node gets compromised, Æ can retrieve the secret inside that
node, but, it cannot get information regarding the secrets of other nodes. Therefore,
all communications (between the parties other than that compromised node) are
secure. Moreover, if Æ attempts to make busy BS by sending random numbers and
190 S. Tripathy

key-establishment request, BS does not forward as it waits for random numbers from
τ different nodes. Æ needs to capture τ nodes for succeeding in this form of attacks.
• Message disclosure attack: The similar form of attacks are possible in WEP, in
which Æ can fabricate message if a valid data is known by any chance from the
information flow. In the proposed mechanism counter is incremented on each
successful communication. Therefore, φi in data security phase of ESF-DP changes.
Moreover, if φi is determined, Æ cannot fabricate a valid message because of the
property p3: and non-linear property of used RCA.
• Counter de-synchronisation attack: If the message flows has been dropped more than
once it is considered as intentional. Therefore, the sink node (CH or BS) may take
some appropriate actions and counter re-initialisation phase is executed. Thus, the
protocol is robust against de-synchronisation attack.
• DoS attack: DoS at the MAC layer can be easily executed to decrease the
availability. During the key establishment Æ can broadcast key establishment
request to create the unwanted traffic masquerading a node Cx. Æ fails in ESF,
as the neighbour node Ci reacts only if the request node CÆ is CH, and Ci has no
shared key with CÆ. On the other way, Æ attempts to exclude a node from the
cluster by disallowing Ci to establish key during multiple key establishment phase.
However, CH can have a track on the node who has not established key with it and it
can initiate the single key establishment mechanism. Moreover, in both the multiple
and single key establishment, session is initiated by CH to reduce the DoS attack.

6.2 Performance analysis

To achieve better performance, ESF considers the following two major points.
• As WSN uses resource limited sensor nodes, the cryptographic mechanisms those
involve intensive computations are avoided. As hash functions are less
computational intensive than the other cryptographic primitives like PKC and
symmetric key encryption mechanism, ESF uses only hash operation.
• For achieving high throughput the hash operations can be carried out in off-line
(before the communication starts).

Computation overhead: The initiating node CH requires an execution of RCAτq operation

while each communicating node (Ci) needs a simple RCA operation during the execution
of that phase in the proposed scheme. To execute ESF-DP, both the sender node CN
(CH) and receiver node CH (BS) performs a simple RCA operation. The hash operation
executed at CH and CN can be carried out in off-line.
Thus, the entire security framework ESF requires a hash function and RCA
operations need to embed inside the sensor nodes. The three-neighbourhood CA-based
operations are simple bit wise operations and easier to execute/implement in both
hardware as well as software. This ensures the low computation overhead of the proposed
key-establishment mechanism.
Communication overhead: To establish keys among τ neighbourhood, CH requires l-bit
broadcast (short range traffic) communication overhead. Each communicating
 ESF: an efficient security framework for wireless sensor network 191

neighbourhood node generates traffic of n + l bits to communicate BS, while BS needs

τ ∗ n-bit to CH for complete execution of the protocol.
Storage overhead: Our framework does not need any extra storage overhead.

6.3 Discussion
As a first step the proposed module ESF-AK is compared with the existing schemes
discussed in earlier section (Introduction), in terms of the important features: storage
requirements, scalability, network connectivity and robust against node capturing. The
result is summarised in Table 3. It is obvious from Table 3 that, the protocols proposed
ESF-AK, Cheng and Agarwal (2007), Zhu et al. (2003) and Perrig et al. (2001) are
achieving the important features (entire connectivity and scalability requiring constant
amount of storage). However, either of the protocol proposed in Zhu et al. (2003), and
Cheng and Agarwal (2007) is not completely secure against single node capturing attack.
Table 3 Important features comparison among ESF-AK and other existing protocols

Random key
Group-based
IKDM SPINS protocols
The protocols
(Cheng and (Perrig LEAP (Zhu (Eschenauer
proposed (Liu et al.,
Agarwal, et al., et al., 2003) and Gligor,
ESF-AK 2005; Zhou
2007) 2001) 2002; Chan
et al., 2005)
et al., 2003)
Storage Constant Constant Constant Constant Network Group and
requirements size network size
dependent dependent
Entire Yes Yes Yes Yes No No
network
connectivity
Scalability Yes Yes Yes Yes No No
Protection Complete Medial Complete After key Low Medial
against node- establishment
capture attack

Table 4 Performance analysis of multiple key establishment phase

Computation complexity Communication overhead

Scheme
CH Ci BS CH → BS CH → Ci Ci → BS BS → CH
ESF-AK rτk r m + η r + rτk - - l+m τ ∗ (l + m)
SPINS τ ∗ (e + m) e + 2m τ ∗ (2 ∗ e =2 ∗ (l + m) ∗ τ 5 ∗ lτ 2 ∗ lτ τ ∗∗ (l +
(Perrig et m) m)
al., 2001)

Note: m, r , rτq are respectively denote for the computational overhead for MAC/hash,
RCA and RCAτq operation.

Further, ESF-AK is compared with its competent key establishment technique proposed
in SPINS (Perrig et al., 2001), in terms of resource (computation and communication)
consumption for τ pairwise key establishments. Table 4 shows that ESF-AK consumes
192 S. Tripathy

lesser computation as well as communication resources than that of SPINS. This could be
possible due to the fact that ESF-AK establishes τ pairwise key among its communicating
nodes during a single instance of protocol execution.
Packet format: The packet format in ESF-DP is as shown in Figure 5 which is similar to
that for Tinysec (showed in Figure 6 in authenticated encryption mode). The common
fields include destination address, active message type, length, source address and data.
On the other hand, ESF-DP packet format does not include the CTR, which is agreed
upon and updated at both the communication ends. Besides this, the data part of ESF-DP
is ψ in equation (26). Note that this field (data) is protected and only the legitimate
recipient can authenticate and retrieve the original data using the pairwise key. Thus,
ESF-DP packet format does not contain MAC field and CTR field, so consumes lesser
bandwidth. Moreover, the algorithm considers that those nodes are participating in the
communication as (intermediary) forwarding node does not apply any operation on the
packets to sanitise the data.

Figure 5 Packet format in ESF-DP

Dest AM Len Src Data

(2) (1) (1) (2) (0..29)

Figure 6 Packet format in Tinysec

Dest AM Len Src Ctr Data Mac

(2) (1) (1) (2) (4) (0..29) (4)

7 Conclusions

Security issues in WSNs constitute a potential stumbling block to the impending wide
deployment of WSN. This paper proposed an ESF comprises of two major components.
ESF-AK provides facility to CH for establishing pairwise key between τ communicating
nodes at a single instance of execution, while ESF-DP is a lightweight authentication
mechanism that achieves semantic security, data freshness and data integrity with
minimum computation and communication overhead. ESF uses only cryptographic hash
operation, being the less intensive computation compared with PKC and symmetric key
encryption mechanism. After all, the hash operations are executed offline in ESF.
Therefore, the scheme is considered to be more suitable towards sensor networks.

References
Advanced Encryption Standard (AES) (2001) Federal Information Processing Standards
Publication 197, 26th November.
Akyildiz, A.F., Su, W., Sankarasubramaniam, Y. and Cayiric, E. (2002) ‘A survey on sensor
networks’, IEEE Communication Mag., Vol. 20, No. 8, pp.102–114.
Arora, A. et al. (2004) ‘A line in the send: a wireless sensor network for target detection,
classification and tracking’, Computer Networks, Vol. 46, No. 5, pp.605–634.
 ESF: an efficient security framework for wireless sensor network 193

Burne, R.A., Buczak, A.L., Jamalabad, V.R., Kadar, I. and Eadan, E.R. (2001) ‘Self-organizing
cooperative sensor network for remote surveillance improved target tracking results’, in Proc.
of the SPIE 2001, Vol. 4232, pp.313–321.
Chan, H., Perrig, A. and Song, D. (2003) ‘Random key predistribution schemes for sensor
networks’, in IEEE Symposium on Security and Privacy.
Chaudhuri, P.P., Chowdhury, D.R., Nandi, S. and Chatterjee, S. (1997) Additive Cellular Automata
Theory and Applications, June, Vol. 1, Wiley-IEEE Computer Society Press, ISBN: 0-8186-
7717-1.
Cheng, Y. and Agarwal, D.P. (2007) ‘An improved key distribution mechanism for large scale
hierachical wireless sensor networks’, in Ad hoc Networks Journal, Vol. 1, No. 1, pp.35–48.
Deng, J., Han, R. and Mishra, S. (2005) ‘Defending against path-based DoS attacks in wireless
sensor networks’, in Proc. of ACM Workshop on Security of Ad Hoc and Sensor Networks,
SASN 2005, pp.89–96.
Eschenauer, L. and Gligor, V. (2002) ‘A key-management scheme for distributed sensor networks’,
in 9th ACM Conference on Computer and Communication Security Proceedings, pp.41–47.
Johann, G. (2006) ‘TinySA: a security architecture for wireless sensor networks’, in Proc. of the
Intl. Conf. on Emerging Networking Experiments and Technologies Archive 2006.
Karlof, C. and Wagner, D. (2003) ‘Secure routing in wireless sensor networks: attacks and
countermeasures’, in Proc of IEEE Intl. Workshop on Sensor Network Protocols and
Applications (SNPA’03), pp.113–127.
Karlof, C., Sastry, N. and Wagner, D. (2004) ‘TinySec: a link layer security architecture for
wireless sensor networks’, in Proc. of ACM Intl. Conf. on Sensor Networks Security, SENSYS
2004.
Liu, D., Ning, P. and Du, W. (2005) ‘Group-based key predistribution in wireless sensor networks’,
in Proc. of 4th ACM Workshop on Wireless Security: WiSe 05, pp.11–20.
Liu, F. and Cheng, X. (2006) ‘SBK: a self-configuring framework for bootstrapping keys in sensor
networks’, in Proc. of IEEE Intl. Conf. on Mobile Ad-hoc and Sensor Systems: MASS 2006.
Luk, M., Perrig, A. and Whillock, B. (2006) ‘Seven cardinal properties of sensor network broadcast
authentication’, in Proc. of ACM Conference on Security of Ad Hoc and Sensor Networks,
SASN 06, pp.147–156.
Ma, L., Liu, F., Cheng, X. and An, F. (2006) ‘ipak: an in-Situ pairwise key bootstrapping scheme
for wireless sensor networks’, IEEE Transactions on Parallel and Distributed Systems,
Vol. 18, No. 8, pp.1174–1184.
Manzo, M. and Roosta, T. (2005) ‘Time synchronization attacks in sensor networks’, in Proc. of
ACM Workshop on Security of Ad Hoc and Sensor Networks, SASN 2005, pp.107–116.
Perrig, A., Szewczyk, R., Wen, V., Culler, D. and Tygar, J.D. (2001) ‘SPINS: security protocols for
sensor networks’, in 7th ACM/IEEE Intl. Conf. on Mobile Computing and Networking:
MobiCom 2001, pp.189–199.
Prasad, N.R. and Alam, M. (2006) ‘Security framework for wireless sensor networks’, in Wireless
Personal Communications, Vol. 37, Nos. 3–4, pp.455–469.
Security Architecture for the Internet Protocol, online available RFC4301, available at
http://tools.ietf.org/html/rfc4301.
Seyit, A.C. and Yener, B. (2005) ‘Key distribution mechnisms for wireless sensor networks: a
survey’, in Technical report, TR-05-07, Rensselacr Polytech. Inst., Troy, March.
Shi, E. and Perrig, A. (2004) ‘Designing secure sensor networks’, IEEE Wireless Communications,
Vol. 11, No. 6,pp.38–43.
Szewezyk, R., Osterweil, E., Polastre, J., Hamilon, M., Mainwaring, A. and Estrin, D. (2004)
‘Habitat monitoring with sensor networks’, Communication of ACM, Vol. 47, No. 6,
pp.34–40.
The TLS Protocol version 1.2 RFC5246, available at http://tools.ietf.org/html/rfc5246.
194 S. Tripathy

Tripathy, S. (2009) ‘Effective pair-wise key establishment scheme for wireless sensor networks’, in
Proc. of the 2nd Intl. Conf. on Security of Information and Networks, SIN 2009, pp.158–163.
Walters, J.P., Liang, Z., Shi, W. and Chaudhary, V. (2006) ‘Security in distributed, grid and
pervasive computing’, in Chapter 17: Wireless Sensor Network Security: A Survey, CRC
Press.
Wolfram, S. (1986) ‘Cryptography with cellular automata’, in Proc. of Crypto85, LNCS, Vol. 218,
pp.429–432.
Wolfram, S. (2002) A New Kind of Sciences, Wolfram Media Place, Champaign, IL, ISBN:
1-57955-008-8.
Wood, A.D. and Stankovic, J.A. (2002) ‘Denial of service in sensor networks’, IEEE Computer,
Vol. 35, No. 10, pp.54–62.
Yu, W. and Liu, K.J.R. (2005) ‘Secure cooperative mobile ad hoc networks against injecting traffic
attacks’, in Proc of IEEE SECON 2005, pp.55–64.
Zhou, L., Ni, J. and Ravishankar, C.V. (2005) ‘Efficient key establishment for group-based
wireless sensor deployments’, in Proc. of 4th ACM Workshop on Wireless Security: WiSe05
Proceedings, pp.1–10.
Zhu, S., Setia, S. and Jajodia, S. (2003) ‘Leap: efficient security mechanisms for large scale
distributed sensor networks’, in Proc. of 10th ACM Conf. on Computer and Communications
Security: CCS03, pp.62–72.
Zia, T. and Zomaya, A. (2006) ‘A security framework for wireless sensor networks’, in Proc. of the
Sensors Applications Symposium, pp.49–53.