Cryptography Reference
In-Depth Information
Subsequently, whenever an end user needs to interact with the sensor nodes, he must send an ID-based digital signature along with the requested information. After successfully verifying the end user's signature, the node and the user establish the session key to be used for subsequent encrypted communication.
The system initialization and key-generation processes are similar to those of the IBS and IBOOS schemes described earlier.
User registration : This procedure is executed whenever a new user wishes to interact with the deployed sensor network. The user submits his identity, and the sink node or base station authenticates that identity on the basis of previously shared information. (The details of the procedure used to authenticate the end user are beyond the scope of this topic.) After authenticating the user, the sink node computes his private key and sends it to him along with the system parameters. Because this private key is the user's sole credential, it must be delivered over a confidential and authenticated channel.
User authentication and verification : To interact with nearby deployed sensor nodes, the end user sends a signed request together with his identity and a time stamp. On receiving the request, the nodes check the freshness of the time stamp (which presumes loosely synchronized clocks and a bounded acceptance window) and verify the authenticity of the message. If both checks succeed, the nodes then calculate the session key.
Session key establishment : Session key establishment is discussed in detail in Chapter 6. An important requirement for establishing a session key between the end user and the resource-constrained sensor nodes is that the key be computed in an energy-efficient way. Among the many key-establishment algorithms, an identity-based one-pass key-establishment protocol could be a suitable choice in such networks (Gorantla et al. 2008). In this protocol the number of messages exchanged is considerably lower, because only one party computes the ephemeral key and sends it to the other party. This key could be sent along with the initial authenticated, time-stamped message, which further reduces the communication overhead.
User revocation : Two cases of end-user revocation exist:
• To revoke a malicious user
• To revoke a user whose access time period has expired
In the first case, the sink node simply broadcasts an authenticated message carrying the identities of the end users to be revoked, together with the expiration time of each blacklisted identity. The broadcast must be authenticated: a node that accepted unauthenticated revocation messages could be made to deny service to legitimate users. Consequently, when an end user sends an authenticated message requesting access to the information aggregated by a sensor node, the node checks whether his identity is blacklisted; if it is, the request is dropped. Storing a revoked identity on a node only until its private key expires does not impose an unreasonable amount of overhead on the sensor nodes. To keep that storage small, the expiration time should be short enough that nodes do not retain blacklisted identities for longer than necessary.
In the second case, the sink node or the cluster head takes the expiration time as one of the input parameters when computing the end user's private key. The identity and its validity period are thus bound together, and the user cannot interact with the sensor network after the expiration time.
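The registration, authentication and revocation steps above, run end to end as an added example. This is illustrative code written for this page, not code from the book or from the IBS/IBOOS schemes it cites: the signature primitive is Shamir's RSA-based identity-based signature (1984), chosen because it runs on plain Python integers, while the pairing-based schemes and the one-pass session-key protocol are not reproduced. The message field names, the 30-second freshness window, the sink signing its own revocation broadcasts with an ID-based key, and the toy parameters are all assumptions.

```python
# Added example (not from the book or the IBS/IBOOS schemes it cites).
# Signature primitive: Shamir's RSA-based identity-based signature (1984).
# Field names, the freshness window and the toy parameters are assumptions.
import hashlib
import secrets

# Sink/key-generator parameters (constructed: primes 2^61-1 and 2^64-59 give a
# ~125-bit modulus, far too small for real use).
P, Q, E = 2305843009213693951, 18446744073709551557, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # sink's master secret
FRESHNESS_WINDOW = 30                   # tolerated clock skew, seconds (assumption)


def encode(*parts: bytes) -> bytes:
    """Length-prefixed concatenation so signed fields cannot be re-split."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def h_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def identity_int(user: str, expires_at: int) -> int:
    """Identity = user name plus expiration time, so the private key itself expires."""
    return h_int(encode(user.encode(), str(expires_at).encode()))


def ibs_sign(priv: int, msg: bytes) -> tuple:
    r = secrets.randbelow(N - 2) + 2
    t = pow(r, E, N)
    h = h_int(encode(t.to_bytes(16, "big"), msg))
    return t, priv * pow(r, h, N) % N           # (t, s) with s = g * r^h


def ibs_verify(ident: int, msg: bytes, sig: tuple) -> bool:
    t, s = sig
    if not (0 < t < N and 0 < s < N):
        return False
    h = h_int(encode(t.to_bytes(16, "big"), msg))
    return pow(s, E, N) == ident * pow(t, h, N) % N   # s^e == ID * t^h


def issue_key(user: str, expires_at: int) -> int:
    """Sink computes the user's private key ID^d (user authentication is out of scope)."""
    return pow(identity_int(user, expires_at), D, N)


def build_request(user: str, expires_at: int, priv: int, payload: bytes, now: int) -> dict:
    body = encode(user.encode(), str(expires_at).encode(), str(now).encode(), payload)
    return {"user": user, "exp": expires_at, "ts": now, "payload": payload,
            "sig": ibs_sign(priv, body)}


def revocation_body(ts: int, revoked: list) -> bytes:
    return encode(str(ts).encode(), *(f"{u},{e}".encode() for u, e in revoked))


def revocation_msg(sink_priv: int, revoked: list, now: int) -> dict:
    """Sink broadcast of (user, blacklist-expiry) pairs, signed with the sink's ID key."""
    return {"ts": now, "revoked": revoked, "sig": ibs_sign(sink_priv, revocation_body(now, revoked))}


class SensorNode:
    def __init__(self, sink_ident: int):
        self.sink_ident = sink_ident
        self.blacklist = {}     # user -> time the entry may be dropped
        self.seen = {}          # (user, ts) -> time the entry may be dropped

    def _prune(self, now: int) -> None:
        self.blacklist = {u: e for u, e in self.blacklist.items() if e > now}
        self.seen = {k: e for k, e in self.seen.items() if e > now}

    def apply_revocation(self, msg: dict, now: int) -> bool:
        if abs(now - msg["ts"]) > FRESHNESS_WINDOW or not ibs_verify(
                self.sink_ident, revocation_body(msg["ts"], msg["revoked"]), msg["sig"]):
            return False        # unauthenticated or replayed broadcast: ignore it
        for user, exp in msg["revoked"]:
            self.blacklist[user] = max(exp, self.blacklist.get(user, 0))
        return True

    def handle_request(self, req: dict, now: int) -> str:
        self._prune(now)
        user, exp, ts = req["user"], req["exp"], req["ts"]
        # Cheap checks first; the modular exponentiations of the signature check come last.
        if exp <= now:
            return "rejected: identity expired"
        if user in self.blacklist:
            return "rejected: identity revoked"
        if abs(now - ts) > FRESHNESS_WINDOW:
            return "rejected: stale timestamp"
        if (user, ts) in self.seen:
            return "rejected: replay"
        body = encode(user.encode(), str(exp).encode(), str(ts).encode(), req["payload"])
        if not ibs_verify(identity_int(user, exp), body, req["sig"]):
            return "rejected: bad signature"
        self.seen[(user, ts)] = ts + FRESHNESS_WINDOW + 1  # kept only while a replay could still look fresh
        return "accepted"


def demo() -> dict:
    """Run the whole exchange on a fixed clock (constructed values)."""
    now = 1_700_000_000
    sink_exp = now + 10 * 365 * 86400
    sink_priv = issue_key("sink", sink_exp)
    node = SensorNode(identity_int("sink", sink_exp))
    alice_exp, bob_exp = now + 3600, now - 1           # bob's access period is already over
    alice_priv, bob_priv = issue_key("alice", alice_exp), issue_key("bob", bob_exp)
    out = {}
    req = build_request("alice", alice_exp, alice_priv, b"read temp", now)
    out["valid"] = node.handle_request(req, now)
    out["replay"] = node.handle_request(req, now + 5)
    out["stale"] = node.handle_request(build_request("alice", alice_exp, alice_priv, b"read temp", now - 120), now)
    fresh = build_request("alice", alice_exp, alice_priv, b"read temp", now + 6)
    out["tampered"] = node.handle_request(dict(fresh, payload=b"read all"), now + 6)
    out["expired"] = node.handle_request(build_request("bob", bob_exp, bob_priv, b"read temp", now), now)
    out["forged_revocation"] = node.apply_revocation(revocation_msg(alice_priv, [("alice", alice_exp)], now), now)
    out["revocation"] = node.apply_revocation(revocation_msg(sink_priv, [("alice", alice_exp)], now), now)
    out["revoked"] = node.handle_request(build_request("alice", alice_exp, alice_priv, b"read temp", now + 10), now + 10)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} {result}")
```

The node runs its cheap checks (expiry, blacklist, time-stamp window, replay cache) before the two modular exponentiations of the signature check, which is the order a constrained node should use. The blacklist entry for a revoked identity and the replay cache entry for an accepted request both carry their own drop time, so the node's state stays bounded by the key lifetime and the freshness window, as the text requires.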