Secure Key Management and Mutual Authentication Protocol for Wireless Sensor Network using Hybrid Approach

Wireless Sensor Networks (WSNs) play a crucial role in developing the Internet of Things (IoT) by collecting data from hostile environments, such as military and civil domains, with limited resources. These applications are prone to eavesdropping because of weaknesses in the cryptographic algorithms used to provide security in WSNs. Security protocols for WSNs differ from those of traditional networks because sensor nodes have limited resources. Existing key management schemes require large key sizes to provide high security levels, which increases the computational and communication cost of key establishment. This paper proposes a Hybrid Key Management Scheme for WSNs based on Elliptic Curve Cryptography (ECC) and a hash function to generate the pre-distributed keys. Key establishment is carried out by merely broadcasting the node identity. The main reason for incorporating a hybrid approach in the key pre-distribution method is to achieve mutual authentication between the sensor nodes during the establishment phase. The proposed method reduces computational complexity while providing greater security, and it can be applied to resource-constrained sensor nodes.


INTRODUCTION
Wireless Sensor Networks (WSNs) have, in a short span of time, been used in numerous fields such as monitoring hostile environments and armed and civil domains. Sensor nodes placed in an unfriendly location are prone to the node compromise attack [1][2][3][4][5]. As the sensor node communicates wirelessly, it is easy for an attacker to compromise the nodes' communication. To overcome attacks on WSNs, security must be integrated with the network. Providing security in WSNs is challenging because sensor nodes are resource constrained, but secure communication can play a significant role in avoiding different attacks. The security in WSN can be achieved with encryption and odically in order to overcome node compromised attacks. It does not support clustering operations to minimize the consumption of energy. Chan et al. [17] proposed the Q-composite and multipath key reinforcement scheme. The Q-composite method is an extension of the EG scheme. The sensor nodes' network resilience is improved by using more keys instead of the single key used in the EG scheme. The main advantage of this scheme is the improved resilience of the network against node compromise attack. However, this scheme becomes more susceptible to attack once a larger number of nodes is compromised.
The pairwise key is generated by Blom's scheme [19]. The pairwise key is established among neighboring nodes in the network. It uses the threshold property to attain high resilience. The attacker needs to capture more nodes (i.e., greater than the threshold value) to capture the whole network. When the threshold value increases, the storage space required to store the keys also increases. To secure WSNs, several key management schemes have been suggested [2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19]. The symmetric pre-distribution scheme offers security efficiently but is not appropriate for unfriendly environments. Gandino et al. [20][21][22][23] proposed a Random Seed Distribution with Transitory Master Key scheme (RSDTMK), in which seed keys are stored inside the sensor nodes instead of plain keys. In the initialization phase, the node generates the pairwise key using the master key within the activated time period. The main limitation of this scheme is that the key cannot be generated after the time-out period. If the attacker compromises the master key and eavesdrops on the entire key information within the initialization phase, the attacker discovers every pairwise key shared between the nodes.
Public key cryptography plays an important role in cryptographic techniques. It uses a private and a public key. The key size of public-key cryptography needs to be large to offer a high level of security. The direct implementation of public-key techniques is not suitable for resource-constrained sensor nodes. Many research works have been carried out on resource-constrained networks using public-key cryptography. Asymmetric key cryptography techniques need to perform more computation for encryption and decryption operations, and therefore need more computational power and processing time. Rivest, Shamir and Adleman proposed the RSA algorithm in 1977 [24]. It uses 512 to 2048 bits as key size. Many research works have been carried out on Elliptic Curve Cryptography using 8-bit CPUs. Compared to RSA, the key size of ECC is small. The TinyOS key pre-distribution method depends on ECC. For the RSA algorithm, the key size is 1024 bits, whereas for ECC, the key size is 160 bits for secure communication. An elliptic curve cryptography based key pre-distribution scheme [29] has been proposed for WSNs. The keys are generated by performing a point doubling operation. It offers high connectivity as well as resilience for resource-constrained sensor nodes. This scheme's limitation is that the plain keys (ECC points) are pre-distributed into the sensor node. The author did not address how the sensor nodes establish the key among themselves, and the communication overhead is high. Du et al. [32] demonstrated a routing-driven key management scheme using elliptic curve cryptography for WSNs. This scheme is applied to heterogeneous sensor networks to achieve high-level security in WSNs. It establishes shared keys with neighbor nodes using an ECC based digital signature. One of the evolving techniques of cryptography is Hyper Elliptic Curve Cryptography (HECC).
The security level of HECC is the same as RSA and ECC and the key size is 80 bits [33][34][35], whereas it is 1024 bits for RSA and 60 bits for ECC.
The approaches above for WSNs emphasize the distribution of keys between the sensor nodes and not node-to-node authentication. Thus, in this paper, a hybrid key management scheme is proposed to provide authentication between nodes and to reduce storage space and computational and communication overhead.

PROPOSED KEY MANAGEMENT ALGORITHM FOR WSNs
In the proposed hybrid key management scheme, key pre-distribution depends on ECC and a hash function. Before deploying sensor nodes, three offline and one online phase are performed, namely parameter selection for the elliptic curve, generation of the unique seed key, identity-based key-ring generation, and the key establishment and mutual authentication phase. A unique seed key is generated from the elliptic curve equation and preloaded to each sensor node, and a hash function is applied to the seed key to generate the private key. Then, the generated key-ring and the corresponding identities are loaded into the sensor node's memory. Once nodes are placed in the field, sensor nodes disseminate their ID to form common keys with other nodes. The nodes are mutually authenticated using their own identities without a huge communication overhead.

Parameter Selection for Elliptic Curve
Before the sensor nodes are deployed, the server generates the key pool using the Elliptic Curve Cryptography equation over an integer finite field. The selection of elliptic curve parameters is vital in wireless sensor networks to reduce the number of links compromised by an attacker and to improve network connectivity. The elliptic curve parameters , a, and are chosen where the value of prime number p should be greater than the total number of nodes deployed in the field. For example, if the number of nodes deployed in an area is 50, the prime number's value should be greater than 50 to improve connectivity and, at the same time, increase resilience.

Generation of Unique Keys
Unique keys are generated before sensor nodes are deployed in the area. Once the ECC equation's coefficients are chosen, the unique seed keys are produced for sensor nodes.

Identity based Key Ring Generation
In this proposed scheme, the key-ring selection depends on the node's ID, unique seed key, and hash function. The identity-based key-ring selection has more advantages compared to the pseudo-random sequence [20]. During the key establishment phase, the node has to interchange its identity for peer nodes to obtain the shared key. This also provides legitimacy of the entity. In the pre-deployment phase, the server assigns a unique identifier , hash function ℎ , and seed key [ , ] to each sensor node. The server randomly chooses ' ' other sensor nodes to generate the unique key-ring using a simple hash function and store the keys and their corresponding identities into the sensor node memory. The following equation generates the key Ki, = ℎ ( , ) (1) Consider an example as presented in Fig.1, the sensor mote 1 randomly selects three sensor nodes 2 , 6 and 8 from the network and generates the key-ring 2 , 6 and 8 using a hash function on their corresponding seed key and load the key indices and ID of the sensor nodes in key-pool. Similarly, it stores ′ ′ pairs of key and ID in the key-ring, where is the key-ring size.

Key Establishment and Mutual Authentication Phase
Once the keys are distributed, the sensor nodes are randomly disseminated in the field. In the initialization step, each sensor node shares its and receives neighborhood nodes' ID.
Consider the nodes , which is in the range of sensor mote , verifying that the received belongs to the key-ring stored in the sensor node before the deployment. If it is in their key-ring, it chooses a timestamp to avoid replay attack and shares the joint request message to the corresponding node . Once the sensor node receives the joint request message, it computes ′ and verifies that = ′ . If = ′ , the node is mutually authenticated and generated the session key by computing = + . There are two cases in the key establishment phase, namely the direct and indirect key establishment phase. The algorithm is explained as follows, After sensor nodes are disseminated in the area, it broadcasts the unique ID and timestamp to the neighboring nodes within the broadcasting range. The sensor node which receives the neighbor information validates the timestamp to avoid the replay attack and checks the received identity as to whether it belongs to the key-ring or not. If the sensor node's identities belong to the key-ring, then it transmits = ℎ( 1 , 1 ) where 1 = ℎ(1,6, 1 , 1 ) and timestamp to node 1.
Node 1 receives the authentication message from node 6; it checks the timestamp and verifies its key-ring. If 6 belongs to the key-ring, 1 calculates the ′ = ℎ( 1 , 1 ) and verifies if = ′ , then it authenticates node 6 and computes the session key = 1 ⊕ 6 . Fig.2 shows the direct establishment of keys among the sensor nodes.
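The following added example (not code from the paper) sketches the identity-based key-ring generation and the direct key establishment described above, using the paper's node 1 and node 6. SHA-256 as the hash function, the toy curve parameters, the exact order of the hash inputs (the symbols are garbled on this page), the freshness window and the replay cache are all assumptions.

```python
import hashlib
import hmac

P, A, B = 53, 1, 6   # assumed toy curve y^2 = x^3 + x + 6 over F_53 (p > 50 nodes)
MAX_SKEW = 5         # assumed freshness window for timestamps, in seconds

def curve_points(p=P, a=A, b=B):
    """Affine points (x, y) with y^2 = x^3 + a*x + b (mod p); these act as seed keys."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x ** 3 + a * x + b)) % p == 0]

def h(*fields):
    """SHA-256 over length-prefixed fields, so field boundaries are unambiguous."""
    digest = hashlib.sha256()
    for f in fields:
        raw = f if isinstance(f, bytes) else repr(f).encode()
        digest.update(len(raw).to_bytes(2, "big") + raw)
    return digest.digest()

def xor(k1, k2):
    return bytes(x ^ y for x, y in zip(k1, k2))

class Node:
    def __init__(self, node_id, seed):
        self.id = node_id
        self.own_key = h(node_id, seed)   # K_i = h(ID_i, seed_i), as in Eq. (1)
        self.ring = {}                    # peer ID -> K_peer, loaded by the server
        self.seen = set()                 # replay cache (added here, not on the page)

def provision(ring_map):
    """Server, offline: one distinct curve point per node, then fill each key-ring."""
    points = curve_points()
    nodes = {i: Node(i, points[n]) for n, i in enumerate(sorted(ring_map))}
    for i, peers in ring_map.items():
        nodes[i].ring = {j: nodes[j].own_key for j in peers}
    return nodes

def make_auth(sender, peer_id, t):
    """Build (ID, T, M): M = h(X, T), X = h(ID_peer, ID_sender, K_peer, T)."""
    x = h(peer_id, sender.id, sender.ring[peer_id], t)
    return sender.id, t, h(x, t)

def verify_auth(receiver, msg, now):
    """Return the session key if msg authenticates its sender, else None."""
    sender_id, t, m = msg
    if abs(now - t) > MAX_SKEW or (sender_id, t) in receiver.seen:
        return None                       # stale or replayed message
    if sender_id not in receiver.ring:
        return None                       # no shared entry: indirect case needed
    x = h(receiver.id, sender_id, receiver.own_key, t)
    if not hmac.compare_digest(m, h(x, t)):
        return None                       # sender does not hold K_receiver
    receiver.seen.add((sender_id, t))
    return xor(receiver.own_key, receiver.ring[sender_id])

def session_key(node, peer_id):
    """Sender's view of the same session key: K_own XOR K_peer."""
    return xor(node.own_key, node.ring[peer_id])
```

Seed points are assigned in a fixed order here so the run is reproducible; a deployment would assign them unpredictably and use a standardized curve rather than a 6-bit prime.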

Case: 2 Indirect key establishments between the nodes
If the identity of the 1 does not belong to the key-ring, then the sensor node 6 computes where = ℎ( 6 , 1 ) and shares it to the sensor node 1. The sensor node 1 verifies the identity of sensor node 6, and if it belongs to the key-ring, it verifies ′ = and authenticates node 6. Node 1 computes ′ ′ , where = 6 ( 1 ) and transmits the value of ′ ′ and its identity to node 6. Node 6 decrypts the message with the help of 6 and obtains the 1 . Then the session key is formed by = 1 ⨁ 6 . Fig.3 shows the operation of indirect key establishment between the sensor nodes.

Path Key Establishment
If no common key is shared between the two nodes, they try to establish a path key through an intermediate node using the same handshake protocol.

PERFORMANCE ANALYSIS OF THE PROPOSED HYBRID APPROACH
The proposed system's effectiveness has been analyzed theoretically in terms of storage requirements and communication costs. The analysis uses parameters such as the number of nodes in the network, the number of keys in the key pool, and the hop count.

Memory Storage Requirement Analysis
The storage requirement has been analyzed to evaluate the efficiency of the protocol. The metrics that describe the efficiency of storage are key ring size ( ), length of the seed key ( ), key identifier ( ), length of the key ( ), and the number of neighbors ( ). Table 1 shows the storage space required to store the key material in sensor nodes. With a key size ( ) of 160 bits, a node ID of 2 bytes, and a key-ring size of 10, the memory required to store the key information for HKMS is 202 bytes, whereas the E-G scheme requires 220 bytes [18] and RSDTMK requires 316 bytes [22]. The proposed scheme's storage requirement is 18 bytes less than that of E-G and 114 bytes less than that of RSDTMK.

Communication Efficiency
In this proposed scheme, finding the key between two nodes requires one-hop communication between nodes, as in E-G and RSDTMK, but the message size is different for each scheme. In HKMS, once nodes are disseminated in the field, a node initiates the communication by sending a hello message containing the node's identifier and a timestamp. The acknowledgment message contains the node's identifier, the neighbor node's identifier, and the Message Authentication Code (MAC) of the message ( ). , RSDTMK needs 43 bytes to establish a pairwise key and the E-G scheme needs 42 bytes, whereas HKMS requires only 26 bytes for secure key establishment. From this theoretical analysis, it is inferred that the proposed HKMS requires fewer bytes to form a secure communication link between the sensor nodes.

SIMULATION RESULTS AND DISCUSSION
To assess the performance of the HKMS protocol, the NS 2.35 simulator has been used. The analysis focuses on the formation of keys in the network. Generally, key establishment schemes focus only on the generation and establishment of keys and do not provide mutual authentication and key exchange among the sensor nodes. The proposed key management scheme's performance is analyzed in terms of resilience, connectivity/channel existence of the network, network availability, broadcast delay, and energy consumption. The simulation parameters used to assess HKMS, E-G and RSDTMK are given in Table 3.

Connectivity Analysis for HKMS with E-G and RSDTMK
The connectivity is the establishment of a communication channel among two sensor nodes when they share a minimum of one key. The probability of secure link establishment among the two nodes [18] can be defined by,

Fig. 4. Connectivity Analysis of HKMS with E-G and RSDTMK
The probability of link established between the sensor nodes in the network depends on the value of and m; where is key size and m is key-ring size. The value of m is the same for all the sensor nodes. Fig.4. shows that the probability of the link exists between the nodes disseminated in the network. From the resulting output, it is inferred that 100% of connectivity is achieved by the proposed scheme for the key-ring size of 10 whereas in E-G and RSDTMK were 10% and 80%, respectively for key-ring size of 10. The simulated results indicate that the proposed HKMS scheme increases 80% and 10% of connectivity compared with E-G and RSDTMK.

Comparison of Resilience for HKMS with E-G and RSDTMK
The resilience is defined as the ability to reduce the compromising of secret key materials loaded in the sensor nodes. Assuming that the link between sensor and is under the attack, the attacker compromises the link form a union = { 1 , … } of > 0 means compromised sensor nodes.
The probability of key sharing among the node and is not present in the set [22] is given by, The probability of the coalition of trials can be given by, In the E-G scheme, the attacker compromises 50% of the communication links in the network by capturing 10 sensor nodes, which shows minimal resistance to node capture attack. When the attacker captures 50 to 60 nodes, the whole network is thoroughly compromised. In the proposed approach, the attacker must capture more sensor nodes to compromise the link between the nodes. It provides more resistance against node capture attack even when the attacker knows a compromised node's key-ring. Key pool reconstruction is not possible because the key-rings are generated by a one-way hash function. In the initialization phase, the sensor node broadcasts its identity instead of sharing the seed key stored in the key-ring. The proposed HKMS withstands the node capture attack and provides mutual authentication between the sensor nodes.

Analysis of Energy Consumption for HKMS with E-G and RSDTMK
Energy consumption refers to the total amount of energy drained by the nodes in the wireless sensor network to establish a common key, through computation and through broadcasting the information related to key establishment.

Fig. 6. Comparison of Transmission Energy Consumption of HKMS with Existing Schemes
The decisive factor in communication energy consumption is the size of the message transmitted or broadcast to form a key between sensor nodes. The energy consumed by each protocol to establish a shared key is shown in Fig.6.
The simulation results show that HKMS conserves 30.67% of transmission energy compared to the existing E-G and RSDTMK schemes.

Comparison of Packet Broadcast Delay for HKMS with Existing Schemes
Broadcast delay is an important problem for critical event monitoring in WSNs. Fig.7 shows the broadcast delay of the sensor nodes in the network. The broadcast delay of the proposed protocol is 13.07% lower than that of the existing scheme. It requires minimal time delay to establish a key between neighbor nodes, because each node only needs to broadcast its identity during the key establishment phase. The proposed protocol reduces the time delay and the number of packets needed to communicate with neighboring sensor nodes for establishing a session key.

Fig. 7. Packet Broadcast Delay Analysis of HKMS with E-G and RSDTMK
The proposed HKM scheme is compared with the E-G scheme [18] and RSDTMK Scheme [20] for the above-discussed metrics. The performance values are tabulated in Table 4. From Table 4, it is inferred that the performance of HKMS is better when compared to E-G and RSDTMK.

CONCLUSIONS
A hybrid key management scheme for WSNs that pre-distributes keys and establishes a secure and authenticated communication link between the nodes using symmetric and asymmetric key cryptography has been proposed. The hybrid scheme combines the advantages of an ECC based key pre-distribution scheme with a hash function and a shared key between the nodes, which is obtained by broadcasting the node's identity without sharing the key materials. The proposed Hybrid Key Management scheme conserves 30.67% of transmission energy, and its broadcast delay is 13.07% lower than that of the existing scheme. HKMS increases connectivity, and the probability of link compromise between the sensor nodes is decreased by 39% compared with the existing methods. The performance