Secure Precise Clock Synchronization for Interconnected Body Area Networks

2.1. Requirements

A secure time synchronization service for WSNs must comply and trade off the following requirements: low cost, accurate, precise, secure, and periodically-scheduled.

Firstly, among all sensor node components, the radio consumes the most significant amount of energy [9, 10]. Therefore, the synchronization service must minimize the number of messages exchanged by sensor nodes. Secondly, the time synchronization service must enable applications with time accuracy demands at the tens of μ s level. Thirdly, time synchronization among nodes must be precise up to the hundreds of μ s for long periods. This requirement is particularly challenging to comply with for low-cost sensor nodes. Fourthly, WSNs are especially vulnerable to security attacks. Since sensor nodes use wireless communications, an external attacker may easily delete, forge, and modify time synchronization messages. Additionally, the attacker may launch pulse-delay [4] and/or wormhole [11] attacks, in which the adversary delays and/or rushes the authenticated synchronization messages, respectively. Since sensor nodes are not tamper-proof, an attacker may also compromise a (or a few) sensor node(s). Then, the attacker can use the sensor node(s) to inject false time synchronization messages. In addition, the attacker may instruct the sensor node(s) not to cooperate in the synchronization protocol. Finally, substantial clock drift during sleep periods requires fine scheduling of the time synchronization protocol.

2.2. Existing Techniques

Ganeriwal et al. [4] proposed several techniques for secure pairwise synchronization (SPS), multihop synchronization, and groupwise synchronization. The SPS adds timestamps and message integrity codes (MICs) to protect the synchronization messages. To remove the time uncertainty introduced by the MAC access waiting time, they propose to timestamp the message below the MAC layer. Their practical measurements show that SPS can synchronize two Mica2 motes with an accuracy of 10 μ s. An attacker can delay a time synchronization message only up to 20 μ s without being noticed. However, SPS exhibits no resiliency to compromised nodes.

Secure multi-hop synchronization [4] can be used to synchronize sensor nodes not within direct wireless communication range. Ganeriwal et al. propose three similar techniques: secure opportunistic multi-hop (SOM), secure direct multi-hop (SDM), and secure transitive multi-hop (STM). The three techniques extend SPS by using one or a set of intermediate trusted nodes. For five hops, SDM and STM provide a 25 μ s time synchronization accuracy and exhibit a pulse-delay attack vulnerability window of 50 μ s to 120 μ s, respectively. However, they exhibit no resiliency to compromised nodes. SOM can cope with compromised nodes but exhibits very poor accuracy and pulse-delay protection.

Group multi-hop synchronization [4] can be used to synchronize a group of sensor nodes of a wireless neighborhood. They first propose a lightweight secure group synchronization (L-SGS) that exploits multicast authentication to synchronize the neighborhood. This technique is also vulnerable to compromised nodes. To solve this vulnerability, Ganeriwal et al. propose secure group synchronization (SGS). SGS requires nodes to exchange and process messages after the initial multicast exchange to check time consistency. SGS and L-SGS provide 10 μ s accuracy and 20 μ s pulse-delay vulnerability window. The consistency check is inefficient, since it does not exploit the broadcast nature of the wireless neighborhood. Moreover, the consistency check can only tolerate one compromised node, and no provision is made to cope with a subset of compromised nodes. Moreover, they allow for whatever neighborhood member to anarchically start the (L-)SGS protocol, which can be exploited for battery depletion attacks.

Manzo et al. [2] discuss several internal attacks against and countermeasures for Reference Broadcast Synchronization (RBS) [12], Timing-sync Protocol for Sensor Networks (TPSN) [13], and Flooding Time Synchronization Protocol (FTSP) [14]. The internal attacks can be summarized as different flavors of injecting false information to disrupt the time synchronization protocol operation, for example, introducing false timestamps. To secure time synchronization protocols, they suggest to elect time root nodes probabilistically, to send time synchronization messages through alternate paths, and to use μ TESLA [8] to authenticate broadcast synchronization messages. Unfortunately, the strength and performance of these countermeasures is not analyzed. Moreover, they provide no mechanism to authenticate the timeliness of synchronization messages and thus no protection against pulse-delay and wormhole attacks.

Song et al. [3] investigated countermeasures for delay attacks against synchronization messages launched from compromised nodes. They proposed two methods for detecting and tolerating delay attacks: a generalized extreme studentized deviate (GESD) based and a threshold based. The general idea is to identify the malicious time offsets that are under delay attacks after collecting a set of time offsets from multiple involved nodes. The underlying assumption is that a malicious node magnifies its clock offset to accomplish the delay attack. Then, the GESD-based method filters out an outlier by applying the assumption that clock offsets from benign nodes follow the same (or similar) distribution or pattern. Similarly, the threshold-based method filters out outliers by rejecting clock offsets above an upper bound. They also show that these methods can be used to improve the accuracy of RBS in the presence of clock offset outliers. However, Song et al. do not provide arguments and/or proofs validating that benign clocks follow the same (or similar) distribution in practice. Moreover, both methods require each node to receive a sufficiently large number of messages to detect outliers, thus the accuracy improvement comes at a substantial energy cost.

Sun et al. [6] proposed to leverage SPS and μ TESLA to provide global time synchronization in multi-hop static WSNs. SPS is periodically and asynchronously employed to pairwise synchronize all the nodes of the WSN. Subsequently, global time is transferred from (set of) source nodes to the rest of sensor nodes. To improve the communication efficiency, authenticated global time synchronization messages are broadcasted locally in a wireless neighborhood (cf. L-SGS and SGS). To be resilient against compromised nodes, nodes already synchronized to global time rebroadcast synchronization messages. To tolerate up to t compromised neighbor nodes, the receiver must select among 2t + 1 clock differences through different neighbor nodes.

Sun et al. demonstrated experimentally that for a WSN with only 60 nodes and to tolerate up to 4 compromised nodes per neighborhood, their approach reaches an average global time accuracy below 52.08 μ s and a minimum accuracy below 121.52 μ s right after running the protocol. These numbers correspond to global time synchronization intervals of 5 to 10 seconds. Unfortunately, they do not discuss how this accuracy evolves through the 5- or 10-second interval. Since the clock drift of the CC2420 is 40 ppm [9], the time accuracy of two nodes can diverge up to 80 μ s per second after the synchronization. Then, in practice in 5 and 10 seconds the synchronization can loose precision up to 521.52 μ s and 921.52 μ s, respectively.

To avoid such poor accuracy, we can set up a lower global synchronization interval and, accordingly, also a lower pairwise synchronization interval. However, simple analysis shows that the effect is a substantial increase in energy consumption needed to send multiple re-synchronization messages.

The connectivity of the nodes with the rest of the network is not motivated or argued by Sun et al.'s proposal. In cases with cliquish neighborhoods the resiliency improving approach can turn out to be useless, since neighborhood nodes cannot get global time through different wireless paths to the rest of the WSN.

We identify a number of open issues in the previous proposals. Firstly, none of the above presented approaches analyze the period of time required to synchronize nodes with any of their proposed techniques, failing then to prove effective and efficient for low-duty cycle sensor nodes. For instance, if a WSN application requires nodes to sleep 99% of time, is 1% of time sufficient to synchronize time of sensor nodes? Which fraction of time out of that 1% is to be dedicated for time synchronization? Which is the maximum accuracy the sensor clocks will achieve? Yet more important, which accuracy will the sensor clocks maintain during each synchronization interval? and how much power needs a sensor to invest to achieve such accuracy level?

Secondly, none of these proposals discuss the scheduling of the time synchronization protocol. Unless we assume unsustainable 100% duty cycles, time synchronization cannot be completely asynchronous, but nodes need to prearrange well-delimited intervals of time to synchronize.

Finally, protection for time synchronization protocols against wormhole attacks is not analyzed. Sun et al. [6] propose to detect wormholes by detecting that the transmission delay is less than the maximum expected delay. However, this solution is at odds with the nature of a wormhole, since a wormhole attack decreases the latency of messages exchanged by two nodes at different locations in the WSN [15].

Hoepman et al. [16] consider an adversary that aims at tampering with the clock synchronization by intercepting messages, replaying intercepted messages, and capturing nodes (i.e., revealing their secret keys and impersonating them).

They present a clock sampling algorithm which tolerates attacks by this adversary, collisions, a bounded amount of losses due to ambient noise, and a bounded number of captured nodes that can jam, intercept, and send fake messages. The algorithm is self-stabilizing, so if these bounds are temporarily violated, the system can stabilize back to a correct state.

The core of their clock synchronization algorithm is a mechanism for sampling the clocks of neighboring nodes at reception of broadcasts called beacons. A beacon acts as a shared reference point.

3.1. Power Management

The WSN is provided of a power management service to save energy of sensor nodes. This service, in turn, guarantees the longest longevity for the WSN. The basic idea of the power management service is to put the radio of sensor nodes to sleep during idle times and wake it up right before message transmission and/or reception.

To allow communication in WSNs formed of low-duty cycle nodes, sensor nodes need to synchronize active and wake periods of time. This synchronization can be achieved synchronizing each sensor node to a common reference time. However, sensor nodes embed low-cost crystal oscillators which drift from the reference time. Consequently, sleep T_sleep and wake T_wake periods are not equally measured by all the sensor nodes.

A time period of guard T_guard is defined to enable active periods from two sensor nodes to overlap despite their respective clock drift errors. The time of guard T_guard is a local time measure. During its time of guard, a sensor node can receive but cannot send data.

3.2. Definitions

3.3. Prediction of Clock Skew

The time difference measured by two different clocks t _u and t _v depends on differences in phase and frequency of oscillation of each clock. The phase and the frequency oscillation variation of a clock is often referred in the literature to as clock offset and clock skew, respectively.

Initially, the offset counts the elapsed time from the time of start of t _u in respect to t _v or vice versa. Note that instantaneously correcting the offset between two clocks is relatively simple by running for instance a pairwise synchronization protocol. However, because of the effect of the clock skew, the two clocks drift after the initial synchronization. Therefore, to keep the clock drift under a required upper bound, all the related schemes in Section 2.2 propose to resynchronize frequently. Instead, to reduce the frequency of re-synchronization and, thus, the energy consumption of sensor nodes, we propose to predict the clock skew of each sensor node clock.

The variation of clock skew depends on different non-deterministic factors: including aging, noise, warmup, variations in temperature, atmospheric pressure, acceleration, voltage, radiation, and magnetic fields [20, 21].

We observe that temperature is the factor most influencing the frequency of the clocks. Temperature can cause variations up to several tens of ppm while the aggregated variation caused by other factors is far below 1 ppm [21].

We also observe that in typical WSN environments temperature changes smoothly. For instance, outdoors the temperature changes smoothly because of weather conditions. The temperature keeps relatively constant in normal circumstances in most indoor scenarios. In BANs, the effect of temperature change rate is even more negligible, since sensor nodes are separated just a few centimeters from each other.

Hereafter, a time period of no substantial temperature change is referred to as epoch. We assume that the clock skew for each sensor node and, thus, the relative clock skew for two nodes remain constant during an epoch [21].

Ganeriwal et al. [7] designed a prediction-based algorithm to model long-term clock skew between two sensor node clocks t _u and t _v . Wu et al. [21] and Elson et al. [12] developed similar concepts, demonstrating thus its suitability for WSNs.

After Ganeriwal et al. [7], the following P-degree polynomial represents the relative clock model between two nodes u and v:

(1)

where is the prediction of of the actual t _v measured with the clock of node u. The error includes both measurement errors and environmental factors that influence the clock stability. Over short timescales, there is the general agreement that a linear relative clock model (P = 1) is sufficient [7, 12–14].

Given a window of W past observations , , the parameters β₀ and β₁ are the values which minimize the residual sum of squares (RSS):

(2)

It is easy to see that finding the values β₀ and β₁ which minimize RSS is an extremely low-complexity problem. Then, the energy consumed by calculating these parameters can be neglected in comparison to the cost of sending a bit.

We define a sampling period S as the interval of time separating two consecutive observations and . Naturally, shorter values of S minimize the error of the prediction.

Given S, there exists an optimal window size W which minimizes the error of the prediction. For instance, Ganeriwal et al. [7] experimentally showed that W = 8 and S =60 seconds minimize the prediction error E _p for indoor environment at a temperature range from 25 to 26°C.

In practice, each time we obtain new time observations, by using the low-cost rate adaptive time synchronization algorithm (RATS) [7], we can calculate two optimal values S and W which maintain the error of the prediction within a desired error bound for the calculated S.

3.4. Estimation of Prediction Error

Given a time window of W observations, , the time at node v, , can be predicted using time at node u, t _u , with (1). Following standard regression theory, we can construct a confidence interval for this prediction as

(3)

where

(4)

The first term of the product in (4) refers to an upper quantile of the t _vs distribution with degrees of freedom. The second term is the standard error (SE) of the predicted value.

3.5. The RATS Algorithm

else if , then ,

1. (6)

   if , then

    

else if , then .

RATS starts with calculating the optimal window size using the optimal time window for the given sampling period . The relative clock model is estimated using a linear estimator on the sample history equal to . The estimation of the prediction error, , is then computed and scaled using the scaling factor .

If the error of the prediction is below the lower threshold, we multiplicatively increase the sampling period. Conversely, if it is above the higher threshold, the sampling period is decreased multiplicatively. The sampling period remains unchanged if the error is between the two thresholds. At the end, we make sure that the new sampling period is within to avoid an unbounded increase/decrease of the sampling period.

During a 2–4-hour learning phase, the nodes derive the values of the optimal time window and scaling factor for a wide range of values. In [7], it is showed that this initial calibration is consistent with a great number of environments and for long periods of time. In deterministic WSN deployments, the initial calibration can be performed in factory to save postdeployment energy [7]. In random and mobile WSN deployments in factory calibration would not scale, since we ignore which sensor nodes will be neighbors after the deployment. Therefore, in these cases, the calibration must be performed autonomously by the nodes at the deployment site.

4.1. Secure Pairwise Synchronization with Sample Exchange

We propose a protocol for secure pairwise synchronization and sample exchange that leverages SPS [4]. SPS is based on sender-receiver synchronization. It performs a handshake protocol between two nodes u and v.

The integrity and authenticity of SPS-SE messages are guaranteed using message integrity codes (MICs) and a shared key . Moreover, the MIC provides resistance to pulse-delay attacks and external attackers.

where , , and is the key shared by u and v.

At the end of the protocol, both nodes calculate the SPS message end-to-end delay as specified in [4]:

(5)

The end-to-end delay is used to detect pulse-delay attacks against SPS-SE.

The clock offset is also calculated as follows:

(6)

Subsequently, u and v add the new time sample to their respective sample repository.

For sensor nodes using crystal oscillators with stability up to 100 ppm, the duration of the protocol is to be bounded to a few hundred milliseconds. In such case, we can assume the clock drift to be negligible and accept the time observations accurate enough for the prediction.

4.2. Synchronization Method

The synchronization method allows two nodes to adapt their respective time measures. We distinguish two methods: short-lasting synchronization and long-lasting synchronization.

4.2.1. Short-Lasting Synchronization

Short-lasting synchronization is used during the initialization phase of RATS for the nodes to establish short-lasting accurate clock synchronization and for exchanging samples for a clock estimation with the required target precision.

Note that because of the low quality of clock crystals, this method cannot be used to maintain a high precision during a relative long time without an expensive energy cost. For instance, the CC2420 can drift up to 80 μ s per second, and in 60 seconds the clocks may drift up to 4810 μ s. To guarantee a precision below the 100 μ s, the nodes would need to synchronize each second.

The method works as follows. Firstly, by using the SPS-SE protocol, two nodes u and v calculate their relative clock offset. Subsequently, to synchronize a node's time measure, with another's clock measure the clock offset is added (or subtracted, as needed). For instance, if sensor u collects and timestamps a data sample at , translates data collection time to to get the time measure relative to its own notion of time.

For subsequent message exchanges between u and v, the message delay d needs also to be taken into account to calculate the synchronized time. For messages timestamped below the MAC layer immediately prior to their transmission, the delay (d) adds the contribution of the transmission time, the propagation time, and the reception time. The transmission time is the time needed for the sender to transmit the message bit by bit at the physical layer. This time can be easily calculated by the receiver by knowing the length in bits of the message and the radio speed. The propagation time is the actual time taken by the message to traverse the wireless link from the sender to the receiver. In WSN, the distance among neighbor sensor nodes is of a few meters. Therefore, because radio waves move at the speed of light and the radio speed is up to a few Mbit/s, the propagation time is neglected compared to the rest of times. The reception time accounts for the time taken by the receiver in receiving the bits and passing them to the MAC layer. This time can also be easily calculated by the receiving node. Thus,

(7)

For instance, for a timestamped message that u sends at time and reaches v at time , v will interpret sent time as . For instance, v can check the time integrity of the message by verifying that the difference between and is below a certain threshold.

4.3. Secure CN Pairwise (Re-)Synchronization

Secure CN pairwise (re-)synchronization is used to periodically synchronize two neighbor CNs. Each and every pair of neighboring CNs of the WSN is to synchronize following this method. In this manner, WSN time is established.

The interval of time starts right after two newly elected CNs and discover each other by physical and MAC layer means (the description of these means is out of the scope of this paper).

During time periods , , BAN controller nodes use the short-lasting synchronization method. Additionally, this time is also employed to exchange the first time samples. Right at the beginning of each time period , , by using the SPS-SE protocol nodes and synchronize and exchange a time sample , . To detect wormhole and pulse-delay attacks, each CN also measures the maximum SPS-SE expected message delay .

At the beginning of period both CNs calculate the first clock estimations and initialize RATS for the first time. At the end of both CNs estimate their relative clock offset as follows:

(8)

If is below the required accuracy threshold , then RATS is considered to be fine-tuned. Consequently, BAN controller nodes switch to the long-lasting synchronization method for the following BAN periods.

Otherwise, yet the synchronization method to be used is short-lasting synchronization for subsequent BAN periods , , till the condition is satisfied. Let us refer to the period when this condition is satisfied as . Typically, .

During BAN periods , , BAN controller nodes use the long-lasting synchronization methods. Right at the beginning of each of these periods, and exchange a new time sample ( , ) by using the SPS-SE protocol and add it to their respective sample repository. RATS is employed to periodically recalculate (see Section 4.3.1). Additionally, the clock estimations are recalculated using (1). Finally, a real measure of the clock offset is calculated using the SPS-SE protocol to validate the estimation of the clock offset and, thus, to continuously monitor the quality of the clock estimations.

Since the clocks of CN _u and CN _v drift throughout , , the measure of at the end of the period will likely be different at and . To counter this relativistic effect, we define pairwise period-dependent time of guard. Despite the fact that clocks can get desynchronized, the time of guard guarantees that both CNs are ready to concurrently use the radio channel after long sleeping periods. In order to preserve energy of nodes the time of guard needs to be accurately minimized.

The pairwise period-dependent time of guard to be used at the beginning of , , is calculated as follows:

(9)

During its each CN is only allowed to receive messages. The first CN exhausting its triggers the re-synchronization.

At the very end of each period , , the offset is accurately predicted by using (8).

The uncertainty included by the data rate is just 4 ppm at 250 kbps. Because nodes of a WSN are separated at most a few tens of meters, the contribution by the propagation delay can be neglected.

4.3.1. Calculation of Optimal Sample Period and Window Size

By using RATS, the two CNs calculate the optimal window size for the current period . Additionally, the optimal duration for the the current period is recalculated. The pseudocode for the RATS algorithm is as follows:

1. (1)

   compute ,

    
2. (2)

   calculate ( ) using a window of samples in (2),

    
3. (3)

   compute using (4),

    
4. (4)

   compute ,

    
5. (5)

   if , then

    

else if , then ,

1. (6)

   if , then

    

else if , then .

4.4. Secure BAN (Re-)Synchronization

Secure BAN (re-)synchronization is used to periodically synchronize BAN members with the CN. This, in turn, guarantees that each BAN member is synchronized to the same reference time. This process establishes BAN time without the need for each BAN member to pairwisely synchronize.

BAN wise synchronization can be scheduled in two different manners. First, we let each node to independently schedule its re-synchronization interval. That is, each node has an own measure of the BAN period . At the beginning of each node-dependent BAN period, the node synchronizes with the CN. This manner requires the CN to be asleep each time a BAN member is to synchronize. Because of the independency of the length of each , , the requirement of low-duty cycling is hard to comply for the CN.

A second manner consists of letting the CN to schedule a unique re-synchronization interval for all the BAN members. At the beginning of each BAN period, a slot of time is reserved for each node to synchronize with the CN. This scheduling can be designed to accommodate for CN duty cycling requirements.

Observe that to comply that clock estimations are below the required accuracy level during the period , then the must select as the minimum duration for a BAN period required by all the nodes of the BAN.

To solve this issue, we have again two possible approaches. The first approach consists of letting each node of the BAN, , calculate its own measure of , that is, . Then, each node independently sends to the CN. Finally, the CN heads select for all .

The second approach consists of the calculating for all , . Then, the CN heads select for all .

We favor the second approach because it does not require the nodes to send to the CN. The need to send messages has implications of added energy consumption and delay both for the BAN members and the CN. The second approach requires much more computational effort in the CN than the first approach. However, the implied energy consumption and delay are neglected compared to the overhead of the first approach.

The rest of the section describes the details of this second approach.

The interval of time starts right after the BAN is formed. Right at its beginning the CN generates a BAN broadcast key chain of length by repeatedly hashing a random value . The successive keys , , are to be used with μ TESLA to protect broadcast synchronization messages. We assume that the reader is familiar with μ TESLA [8].

The duration of the first time periods , , is fixed by default. The intervals , , are used to exchange the first time samples that allow for RATS initialization and for the first clock estimations. At the beginning of each of these periods the and each node of the BAN, , synchronize and exchange a new time sample , , by using the SPS-SE protocol. In one of these SPE-SE exchanges, the CN sends the last value of the key chain for each BAN member.

Because the clocks are not yet estimated, during time periods , , the CN and each node u of the BAN, , use the short-lasting synchronization method. Note that because of clock drifts, and each node u may need to re-synchronize multiple times during the duration of any period , .

At the beginning of period the CN calculates the first clock estimations , , and initializes RATS for the first time. At the end of the CN and each node u estimate their relative clock offset as follows:

(10)

If is below the required accuracy threshold , then RATS is considered to be fine-tuned for the CN and the corresponding node u. Consequently, the CN and the node u complying switch to the long-lasting synchronization method for the following BAN periods.

The nodes not yet complying are to use the short-lasting synchronization method for subsequent BAN periods , , till the condition is satisfied.

In this moment the BAN can have from 0 to n nodes synchronized with the long-lasting method. The remaining nodes, up to the n nodes still use the short-lasting method. This status exists till all the BAN members switch to long-lasting synchronization. For both groups of nodes the subsequent measure of is different. The first adapts the measure of by using RATS. The second keep using the default value of .

Let us refer to the period when one or more BAN members first switch to long-lasting synchronization as . Typically, . Let us use n′ to refer to the BAN members using long-lasting synchronization. In the rest of the section we describe the details of long-lasting synchronization.

Secure BAN long-lasting re-synchronization is performed at the beginning of each period , . By using the SPS-SE protocol, nodes CN and u, , re-synchronize and exchange a new time sample and add it to their respective repository. Additionally, each node u calculates . RATS is employed to periodically recalculate (see Section 4.4.1).

When each and every pair (CN, u), for , of the BAN is synchronized, then BAN time is established.

Since the clocks of CN and u, , drift throughout , the measure of at the end of the period will likely be different at and . To counter this relativistic effect, we define BAN period and node-dependent times of guard (see Figure 1) to be used at the beginning of :

(11)

where , is the local identifier of each BAN member and B is the time required to run the SPS-SE protocol in three steps. This method allocates a different time slot for SPS-SE-based synchronization between the CN and a node u.

At the very end of each period the CN calculates , for . Each node calculates .

The CN does not need to contend to access the wireless media. After and each subperiod are exhausted, the CN is the only node in the BAN allowed to start communication. After receiving an initial message from the CN, just the corresponding node u, , is allowed to answer.

4.4.1. Calculation of Optimal Sample Period

By leveraging RATS, the CN calculates the optimal duration for the current period . The pseudocode for the RATS algorithm is as follows:

1. (1)

   compute ,

    
2. (2)

   calculate ( ,) using a window of samples in (2),

    
3. (3)

   compute using (4),

    
4. (4)

   compute ,

    
5. (5)

   if , then

    

else if , then ,

( 6) if , then

else if , then .

Finally, for all u, .

Right after , the CN broadcasts the current period in an integrity-protected message under key . After seconds, for all u, the CN reveals (see Figure 2).

In receiving each node u first validates the authenticity of the key by hashing it and comparing it with the previous stored authentic value . If the validation is positive, then the node stores to be used in the next BAN time period. Subsequently, the integrity of the message containing is verified. Finally, the value is stored for scheduling the next re-synchronization.

4.5. UTC Synchronization

We propose to securely pairwise synchronize the base station(s) with the CNs to which it is wireless connected using secure pairwise CN synchronization. Additionally, the base station is to be securely synchronized to UTC time by other means (the details of this synchronization means is out of the scope of this paper). Then, a correspondence WSN to UTC is then simple at the base station.

5.1. Coping with a Compromised CN

Because of their key mission in the synchronization system, CNs are an interesting target for attackers. In any case the effect of a compromised CN is bounded to the interval R.

A compromised CNc may fake (a subset of) the time samples to be sent to v, .

To detect this attack, we use the end-to-end delay. The end-to-end delay is bounded by the maximum and minimum expected delay d_max and d_min, respectively. After the SPS-SE protocol is run, v can confidently approximate . If , then each faked time sample is rejected.

This method serves us to also detect wormhole and pulse-delay attacks. Recall that in pulse-delay and wormhole attacks the adversary delays and rushes the authenticated synchronization messages, respectively. To detect a pulse-delay, the sensor node checks if . To detect a wormhole, the sensor node checks if .

In secure BAN re-synchronization, a compromised CN _c can fake samples and for a given k. It may assign a value substantially greater or lower than the actual . If , then the value of for all u becomes expanded. If , then the value of for all u becomes contracted. Additionally, the nodes need to re-synchronize more frequently than the optimal re-synchronization period. In both situations, the effect is to increase the required duty cycle in nodes and, in turn, to consume more energy than the optimal.

To overcome this threat, when a CN broadcasts , it must commit the identity of the node u _x such that . Node u _x verifies that the released corresponds to .

Alternatively, especially to cope with scenarios where CN and node u _x are compromised, lower and upper acceptable bounds for can be calculated by each node.

5.2. Coping with Colluding CNs

A number of neighbor compromised CNs may collide together to create a delayed path through them.

We discuss this attack by assuming the BAN controller nodes in the path collide, that is, in the moment of secure pairwise CN synchronization they introduced an additional delay in the links and .

To solve the attack we exploit a design property of WSNs for increased reliability and power-efficiency. We assume that there exist multiple routes connecting each pair of CNs.

We propose that a fourth legitimate BAN controller node CN₄, which is connected to any of the colliding nodes, detects the delay attack. CN₄ compares the delay introduced by the compromised path with the delay introduced by any or a number t of other paths. The countermeasure consists of adding , and to a blacklist of untrusted nodes and trigger re-election of controller node.

5.3. Coping with Compromised BAN Members

A compromised node u _c can fake (a number of) time samples to be sent to its CN, .

The CN can detect the attack by using the end-to-end delay, as in the case for a CN cheating a node.

To counter this attack, u _c is added to the blacklist of untrusted nodes.

5.4. Temperature Attacks

In order to de-synchronize some nodes, an attacker may select a location and rapidly vary the temperature in the surroundings of one or group of BANs. For instance, in an indoor scenario, the attacker could increase the heating temperature or decrease the cooling temperature.

We believe this kind of attack to be unpractical in BAN applications since the users would quickly realise and stop the heating or cooling system.

6.1. Pairwise Accuracy and Precision of SPS-SE

The minimum pairwise clock precision (maximum error) of the SPS-SE protocol is 8.46 μ s. Therefore, right after two sensors run the SPS-SE protocol, the accuracy of their synchronized clocks ranges from 0 to 8.46 μ s.

This high level of accuracy can only be maintained at a expensive energy cost, since the node clocks can drift up to 80 μ s per second. For instance, in 60 seconds the clocks may drift up to 4810 μ s.

Therefore, SPS-SE clock synchronization is to be used uniquely to initially exchange the samples for RATS and/or to synchronize the clocks for application requirements.

6.2. Accuracy and Precision of BAN Time

The minimum precision of BAN time combines both the precision of SPS-SE and RATS.

The precision of BAN time depends on the values and . Figure 3 shows the minimum precision for a range of values for three scenarios: Indoor with a temperature range of 25-26°C, Outdoor I with a temperature range of 17–21°C, and Outdoor II with a temperature range of 22–27°C. The value of used in the experiments is 2.

Figure 3 shows that the sampling period does not significantly affect precision of the clock prediction in Indoor and Outdoor II. Indoor achieves a precision of 20.96 μ s with 16 minutes. This result is a great achievement for BANs in terms of expected accuracy level and energy requirements.

6.3. SPS-SE Duration

6.4. Minimum Accuracy and Precision of WSN Time

In the initial phase, while RATS is not yet tuned, CNs use SPS-SE for synchronization. Let us define as N_CN the maximum number of CNs in the longest synchronization path of the WSN. When WSN time synchronization is triggered, the nodes of the path synchronize sequentially by consecutive pairs. The first pair of nodes synchronizes with minimum accuracy 8.46 μ s. While the second pair of nodes synchronize, the clock of the first two synchronized nodes may drift up to 40 ppm times the duration of SPS-SE. The SPS-SE is used times after the initial one. Therefore, the minimum accuracy of WSN time can be approximated as μ s.

During the RATS phase, the precision of WSN time depends on the values , and on the number of intermediate CNs. Figure 4 shows the minimum precision for and a range of values for three scenarios: Indoor with a temperature range of 25-26°C, Outdoor I with a temperature range of 17–21°C, and Outdoor II with a temperature range of 22–27°C. The value of used in the experiments is 2.

Figure 4 (cf. Figure 3) demonstrates that the number of intermediate CNs N_CN does not significantly affect precision of the clock prediction.

6.5. Applicability for Low-Duty Cycle Nodes

In this section we demonstrate applicability of the synchronization system for low-duty cycle nodes. Since CNs need to be active longer periods than BAN members and any node may become CN, we only analyze the minimum duty cycle required for a CN.

We use sampling window size and period minutes, which allow a high level of precision in any scenario, as demonstrated in Figures 3 and 4.

During the RATS phase, a CN needs to be active for each secure pairwise CN re-synchronization and for secure BAN re-synchronization. The initial synchronization is ignored in this analysis as it occurs when nodes need to otherwise increase their duty cycle for BAN formation purposes.

For BAN time synchronization, in each period , a CN needs to be active a minimum of for all u seconds, where is given by (11). Again, we consider a worst case where the maximum clock skew during the re-synchronization period is the minimum BAN time precision:

(i)Indoor: μ s,

(ii)Outdoor I: μ s,

(iii)Outdoor II: μ s.

Similarly, the period of activity of a CN is the time used for secure pairwise CN re-synchronization. Its value is for all CN _u seconds. Here ch accounts for the maximum number of neighboring CNs, and , so that WSN reliability and scalability is maximized.

The value of can be approximated by the time to send the largest message (in step (2)) of SPS-SE. This adds 2.34 ms. The optimal BAN size of a WSN is [23]. For this study, we consider the upper limit for a BAN size, that is, n = 8. We also assume that a CN may have up to ch = 8 neighbouring CNs.

Table 3 shows the period of activity and the duty cycle for the CN. As it can be seen, the duty cycle is much below 1% (considering a sampling period of 16 minutes).

Scenario	Period of activity (msec.)	Duty cycle
Indoor	94,25936	0,0000981868
Outdoor I	644,01136	0,000670845
Outdoor II	643,41936	0,000670229

6.6. Communication Overhead

The maximum number of bytes a CN needs to send is . This same CN receives bytes. We use to denote the length of message i of the SPS - SE protocol.

A BAN member sends and receives bytes.

We can codify periods of 16 minutes at the μ s precision with 4 bytes. A key length of 16 bytes is considered to be secure for WSNs. As in the previous section ch is bounded by n, and we consider n = 8.

Further considering the values for IDs, timestamps, and MICs of previous sections, the maximum number of bytes sent and received by a CN is 1580 and 1095, respectively.

6.7. Energy Efficiency

The number of Ah consumed by the CC2420 can be calculated according to the formulas in [10]. To send 1580 bytes, the radio module consumes 276.67 nAh, and, to receive 1095 bytes, consumes 169.36 nAh. The total battery consumption for a CN for synchronization is 446.03 nAh over 16 minutes.

Equipped with a 30 mAh cell battery, the node can assume the CN role for over 2 years. If the n = 8 nodes of the BAN, rotate the CN role, then the BAN will survive approximately 16 years (assuming that the nodes do nothing else but synchronizing).