Sensor nodes in clustered WSNs should be securely partitioned into clusters. Therefore, we assume that if the adversaries exist in the field, they are unable to comprehend the exchanged information. In Figure 1, a simple network with two gateways (
and
) and 16 sensor nodes (
to
) is illustrated. The gateway
in each cluster should securely discover all the sensor nodes which belong to it. Additionally, sensor nodes should be aware of their assigned gateway/cluster.
As depicted in Figure 2(b), each gateway
broadcasts the message
to all sensor nodes with a random delay, that is,
Here,
denotes the broadcast message and as presented in (1)
calculates
as follows. First, a one-way hash function
is executed over the
, where "
" denotes the concatenation operator. Second, an elliptic curve digital signature [30] is calculated over the hash results using the private key of the gateway
, that is,
. The final message should be accompanied by the public key of the gateway
, that is,
, message
, and
. This broadcast will be repeated several times to ensure that the maximum number of sensor nodes receives it.
For the purpose of message authentication, upon receiving the broadcast message, the sensor node
makes a list for all the received messages from the gateways as
, where
,
, is the number of gateways from which a sensor node received a broadcast message. Priority of the generated list is based on signal-to-noise ratio (SNR) of the received message, that is,
, where the
is the received signal power from the gateway
for
. Afterwards, each sensor node
will verify the message integrity using ECDSA with public key of the gateways and compares the received public key with its pre-loaded one. Note that verifying the authenticity of the public key of a gateway is finding out whether the attached public key of the gateway is the same as the one embedded in the memory of a sensor node. If the received public key does not match the pre-loaded one, sensor node
will reject the broadcast message. This prevents sensor nodes from performing expensive verification on the fake signatures broadcasted from the adversaries [37].
Furthermore, each sensor node
can determine the distance
from the desired gateway
incorporating received signal strength indicator (RSSI) [38]. The minimum distance from the gateway
is called one-hop distance as
, in which sensor nodes in this distance can communicate with the gateway directly. Using a global positioning system (GPS) for location finding [36] and time distance calculation [15] requires extra hardware costs and tight time synchronization, respectively. Furthermore, it has been shown in [38] that employing RSSI is more reliable in determining connectivity compared to the location information, as the location information is not available in various applications.
The Breadth-First search algorithm [39] is used by the gateway in each cluster to find which sensor nodes select the gateway
as their cluster head. Note that a similar algorithm is used in [6]. The gateway
broadcasts a message requesting sensor nodes to notify the gateway if they are within the communication distance
from the gateway. In this case, each sensor node
encrypts its ID concatenated with its public key using the public key of the desired gateway. This message is transmitted by a sensor node at maximum power to acknowledge the desired gateway in the top of its list
as follows:
where
denotes the encryption function using the public key of gateway
. Then, the gateway
decrypts this message by using its private key as follows:
In this case, the gateway
compares the received public key from the sensor nodes with the ones that are embedded in its memory prior to deployment. This helps to prevent an adversary from throwing illegitimate nodes into a cluster and mounting a denial-of-service (DoS) attack.
As a large number of sensor nodes will respond to a gateway, avoiding contention is difficult. Since contention causes collisions, this affects the survivability of the network. Therefore, a suitable medium access control (MAC) protocol is required to be installed in each sensor node. It is noted that assuming sensor nodes to be time synchronized is infeasible because of the large number of nodes. To overcome this problem, the contention-based and self-stabilizing MAC protocol presented in [40] is incorporated here. Eventually, each gateway will compile a list of all the sensor nodes in its cluster along with their IDs and public keys.
At this point, the public keys of sensor nodes and gateways are authenticated. Now, each gateway
will ask its one-hop sensor nodes
(e.g.,
,
, and
of cluster 2 in Figure 1) within the cluster to broadcast a message to ask its one-hop neighbors in the cluster to report to
. In this case, sensor node
acts as the parent node to the nodes in its one-hop neighborhood. Similarly, the other neighbors ask their one-hop neighbors to report themselves. Therefore, every node within the cluster will connect to the gateway in a single or multi-hop route, that is,
,
,
,
,
, where
is the number of hops from a node
to the gateway
. All these sensor nodes send their information to the
node, and
notifies the gateways about these sensor nodes.
Every sensor node which has selected
as the gateway and is within the preferred cluster will be discovered by the gateway
. Note that a unique path exists from each node to the gateway as each node has just one parent. For routing the information to the gateway in each cluster, an appropriate routing algorithm is required. It defines the path that the packets can be forwarded to the gateway. Therefore, a minimum cost path algorithm can be used to find the optimal spanning tree rooted at the given node.
Theorem 5.
The nodes that immediately follow the root node
in the minimum cost tree constitute the minimum neighborhood of node
. The minimum cost routes between the node
and the gateway
are all contained in the minimum neighborhoods of the nodes [25].
4.1. Secure and Survivable Routing
In this subsection, we present the routing algorithm for the sensor nodes to forward data toward the gateway in each cluster. If data from neighborhoods are highly correlated, then the minimum spanning tree (MST) is beneficial in terms of survivability and network lifetime [41]. However, in the case of low correlation amongst sensor nodes, shortest path tree (SPT) should be incorporated to achieve survivability and better network lifetime [41]. Additionally, shorter paths are more secure than the longer paths (as we explain more in Section 6.1). Note that using the shortest path limits the number of paths which can be used to relay data toward the gateway. In [42], a shortest cost path routing algorithm for maximizing network lifetime based on link costs is presented. The costs reflect both the communication energy consumption rates and the residual energy level.
Here, the use of link estimation and parent selection (LEPS) scheme was employed as proposed in [43] as a routing algorithm. In this method, each node monitors all traffic received within the one-hop range, including route updates from the neighbor nodes. Using the least cost path, it manages the nearest available neighbor node and decides the next hop. To find a least cost path, one needs to calculate the costs of all edges between each sensor node then obtain a set of least cost paths. To accomplish this, we use the cost function as formulated in [5].
-
(i)
: the function of remaining energy of the sensor node
, for all
.
-
(ii)
: the distance between sensor nodes
and
.
-
(iii)
: the error function between sensor node
and
.
Then, the cost function for a link between sensor node
and
can be estimated as
where α is free space loss exponent and typically
. The error function is related to the maximum data buffered in sensor node
and the distance between sensor nodes
and
. Then one can write it as
where
is a constant coefficient. To find the least cost path from a sensor node
to the gateway
, the number of hops should be considered as well [5].
4.2. Symmetric Key Establishment
After secure clustering, broadcast authentication, and determining the desired routing algorithm among sensor nodes and gateways, sensor nodes should establish secure communication between each other to reach the gateway securely in a multi-hop path. Since gateways are aware of the one-hop neighbors of the sensor nodes and have enough information to control sensor nodes, they send pairwise keys to each sensor node and its potential one-hop neighbors. To achieve this, gateway
will send the pairwise key to the sensor node
which is common between its neighbors
regarding the least-cost path routing algorithm.
First, the symmetric key generated for the sensor node
and
, that is,
, should be encrypted using the public key of the sensor node
, that is,
, for
. Then, each gateway
unicasts this message to the sensor node
. Each sensor node decrypts this message using its own private key
and obtains the symmetric key
. Since this message should be encrypted by the public key (based on ECC) of every individual sensor node, then disclosing symmetric key is not possible to the adversary. As an example, in Figure 1, the sensor node
will receive the symmetric keys for nodes
,
, and
as
,
, and
, respectively.
In the proposed scheme, we do not consider unicast authentication for performance reasons. However, the following explains unicast authentication mechanism for the proposed symmetric key establishment method.
Unicast Authentication
The question is how sensor node
ensures that the encrypted symmetric key, that is,
, is originated from gateway
and not from the adversary?
To address this issue, ECDSA authentication can be incorporated as follows. To ensure that the message, that is,
, is unicasted from the gateway
, the elliptic curve digital signature can be calculated by the gateway on the message. Therefore, sensor node
can verify the signature using the public key of gateway
, and this assures that the message is coming from a legitimate gateway, and not from an adversary. This scheme requires
times signature generation by the gateways, and all the sensor nodes should verify and decrypt the unicasted message. Note that this increases the computation cost as the verification of a signature is an expensive operation. However, a one-time digital signature generation can reduce some of the overheads.
Another scheme is to allow each sensor node and its corresponding gateway to obtain a shared symmetric key during the first broadcast authentication (secure clustering) incorporating elliptic curve Diffie-Hellman (ECDH) method. Then, using symmetric key, the unicast authentication can be performed by generating a message authentication code (MAC). Therefore, any unicast from the gateway can be authenticated by the sensor nodes.
Authentication methods imply overheads in computation and communication times. Therefore, a trade-off must be achieved between the required level of security in the authentication and the time costs, otherwise the arising overheads could be against the survivability of the network.
Message Freshness
Beyond guaranteeing confidentiality and authentication, it is important to ensure that data is recent, fresh, and no adversary replayed old messages. A sensor node
can achieve this through a nonce (which is a unpredictable random number). In the proposed scheme, before unicasting the symmetric keys by the gateways, sensor node
can send a key request message to the gateway
accompanying with a random nonce, i.e.,
and encrypted by
. Therefore, when a gateway wants to unicast the symmetric key (encrypted by
) to node
, gateway
includes its random nonce, that is,
and
to the unicast message. After this exchange, node
ensures that the message is recently initiated and is not a replay of old messages.
4.3. Survivable-Secure Connectivity
To better present the connectivity in each cluster of the proposed infrastructure for a WSN, we define a graph
to model the connectivity between a set of sensor nodes. Each sensor node is represented by a vertex in
,
, where
represents the number of sensor nodes within each cluster (In Section 5.1, we study the average number of sensor nodes inside a cluster.). For any two nodes
and
in
, the edge
exists if and only if the nodes are within communication range of each other. The node degree is defined as the number of edges connected to the node. For example, in Figure 1,
. Now, let us assume that node
wishes to send information to the node
, and let
be the received power at
. In this case, gateway
compares the SNR with the environment noise threshold, and if it is more than the noise threshold, then
can send a message to the
. In this situation, these nodes have achieved survivable connectivity and the edge
exists. To obtain the
in each cluster, the following steps should be completed.
-
(1)
The gateway broadcasts a start message.
-
(2)
Each sensor node
transmits a message with its
.
-
(3)
All the sensor nodes record the received signal strength.
-
(4)
The gateways request each sensor node to report (the recorded information) to the gateway.
To achieve secure connectivity, in addition to the above conditions for survivable connectivity, sensor nodes should have previously established a symmetric/secret common key
for each edge in
. In this case, the proposed graph is securely connected. Finally, the gateway
will be aware of the degree of each sensor node within its cluster. Note that
determines the amount of symmetric keys which should be loaded from the gateway
to each sensor node.