tinyzkp: a lightweight authentication scheme based on … · · 2017-08-28tinyzkp: a lightweight...
TRANSCRIPT
Wireless Pers Commun (2014) 77:1077–1090DOI 10.1007/s11277-013-1555-4
TinyZKP: A Lightweight Authentication Scheme Basedon Zero-Knowledge Proof for Wireless Body AreaNetworks
Limin Ma · Yu Ge · Yuesheng Zhu
Published online: 20 December 2013© Springer Science+Business Media New York 2013
Abstract Secure communication over wireless body area network (WBAN) is a key issuein the design and deployment of WBAN systems, in which the authentication of sensor nodeis a critical process. Conventional authentication schemes are not suitable to the sensor nodebecause of the limitations of memory, computational power and energy in the node. In orderto provide an efficient method to verify the identity of sender sensor nodes of WBAN, in thispaper a lightweight authentication scheme, TinyZKP, based on zero-knowledge proof (ZKP)is proposed and implemented on TinyOS-based sensor nodes. Our experimental results showthat, compared to two ECDSA-based authentication schemes in TinyECC and WM-ECC,the TinyZKP runs 1.9 and 1.4 times faster and the energy cost is reduced by 48 % and 28 %,respectively.
Keywords Wireless body area network · Security · Authentication ·Zero-knowledge proof
1 Introduction
Wireless Body Area Network (WBAN) is a promising technology for various human-centricapplications, which can integrate some miniaturized intelligent low-power sensor nodes in/on,or around a human body to collect vital signals for monitoring the health status in assisted
L. Ma · Y. Zhu (B)The Communication and Information Security Lab, Shenzhen Graduate School,Peking University, Shenzhen, Chinae-mail: [email protected]
L. Mae-mail: [email protected]
L. Ma · Y. GeInstitute for Infocomm Research, Singapore, Singapore
Y. Gee-mail: [email protected]
123
1078 L. Ma et al.
rehabilitation and health care systems. A typical WBAN consists of several vital sign ormotion sensor nodes and a base station which receives and processes the aggregated data[1]. WBAN applications contain not only medical but also personal information. Securityand privacy are key concerns of all parts in WBAN [2]. Data confidentiality, data integrity,access control, no-repudiation and authentication are the major security services needed tobe supported in WBAN.
As a primary service of secure WBAN, authentication enables a node to verify the legit-imacy of other sensor nodes taking part in the communication, and only messages sent byauthorized nodes can be detected and accepted. However, the cost of computation and com-munication is high in traditional authentication schemes [3,4] designed for TCP/IP network,thus these schemes are not suitable for WBAN because of the limitations of computationpower, energy and memory. Therefore, a practical WBAN system requires efficient andeffective security and privacy mechanism which can compromise the system performance interms of delay, throughput, etc.
There are some authentication schemes based on symmetric key cryptography for WBAN,such as Tinysec [5], MiniSec [6], and µTESLA [7]. TinySec provides authentication, mes-sage integrity and confidentiality with low energy consumption and memory usage. However,it depends on the network-wide key distribution mechanism, if a single node is compromised,the entire network will be insecure [8]. MiniSec is publicly available with high security, butthe high energy consumption is required when large packets are sent by radio frequency [9].µTESLA provides source authentication and message integrity by utilizing a one-way hashchain and the delayed key disclosure technique, but it requires time synchronization betweenall nodes in the network [10] and causes authentication delay. Although these symmetric-keybased schemes are efficient in processing time for sensor networks, the complex key manage-ment will introduce large memory and communication overhead, hence limit the deploymentof practical WBAN. On the contrary, the key management of public-key based authentica-tion schemes is simple, but their computational cost is high. To reduce the computationalcomplexity on the sensor nodes, TinyPK [11] uses a low public exponent, but it is susceptibleto low exponent attacks [12]. The authentication schemes [13,14] based on Elliptic CurveDigital Signature Algorithm (ECDSA) are more efficient than TinyPK, however the trans-mission and verification of public key certificates [15] may consume substantial bandwidthand power. The Identity-Based Cryptography (IBC) based scheme improves the computa-tional efficiency because no public key certificates need to be transmitted but it requires weilpairing or tate pairing computation which leads to high energy consumption [16].
Zero-knowledge proof (ZKP) developed by Goldwasser et al. [17] is an efficient crypto-graphic protocol with small computational requirement compared to other public key basedmethods and it can be applied in the authentication and key exchange. An authenticationscheme by using interactive ZKP to identify the users is developed in [18] and is applied foridentifying wireless sensor nodes in [19]. But the performance of this scheme is low becausemultiple iterations between sensor nodes and base station are needed to be performed toconfirm the identity of the senders.
Motivated by the features of ZKP in low computational requirement and simple keymanagement, a lightweight authentication scheme, TinyZKP, is proposed for WBAN basedon zero-knowledge proof in this paper. By taking full advantages of ZKP, the sensor nodes canshow their identities to the base station without leaking any secret information in the proposedscheme. We then implement the TinyZKP on MicaZ WBAN platforms. Our theoreticalanalysis and experimental results demonstrate that the performance of TinyZKP is bettercompared to other existing approaches in terms of execution time, memory requirement andenergy consumption.
123
A Lightweight Authentication Scheme 1079
Table 1 Notations Notations Explanation
IDi The node ID of sensor node i
Sm,1, Sm,2,
. . ., Sm,k
The secret keys of Zero-Knowledge used by a sensornode m
Vm,1, Vm,2,
. . ., Vm,k
The public keys of Zero-Knowledge used by a sensornode m
PR The private key of ECDSA used by the base station
PU The public key of ECDSA used by the base station
Kx,y The symmetric session key between x and y
SHA-1 Secure Hash Algorithm, a cryptographic hash function
Signature Signature generated by ECDSA algorithm
E(Kx [M]) Encrypt message M with symmetric key Kx
‖ Concatenation operator
The rest of this paper is organized as follows: the secure features of zero-knowledgeproof are introduced in Sect. 2; we propose the new authentication scheme based on zero-knowledge proof in Sect. 3; in Sect. 4, we analyze the security and performance of TinyZKP;the experiment and comparison results are shown in Sect. 5; finally we draw the conclusionsin Sect. 6.
The notations used in this paper are listed in Table 1.
2 The Secure Features of ZKP
ZKP is an interactive protocol between two parties, a prover and a verifier, which allows theprover to prove its knowledge of a secret to verifier without revealing any information aboutits secret during the proof process. The secret includes some sensitive information, such aspassword or the private key.
As a cryptographic protocol, ZKP has the special secure features [20] as follows:
(a) The verifier cannot learn anything about the secret from the protocol; it means zeroamount of knowledge is transferred.
(b) The prover cannot cheat the verifier.(c) The verifier cannot pretend to be the prover to any third party.
The cryptographic strength of zero-knowledge proof is based on one of the following hard-to-solve problems:
(a) It is computationally infeasible to solve discrete logarithms for large numbers (hundredsof bits)
(b) It is computationally infeasible to factor large numbers that are products of two or morelarge primes (hundreds of bits).
(c) It is computationally infeasible to calculate the square roots of a number mod n if factoringis unknown.
In this paper, our proposed scheme TinyZKP is based on (b) and will be described in detailin Sect. 3.
123
1080 L. Ma et al.
Fig. 1 Proposed authenticated WBAN
3 Proposed TinyZKP Authentication Scheme
To meet the security requirements in WBAN, in this paper, a lightweight scheme, TinyZKP,with challenge-response mechanism is proposed and its authentication mechanisim is illus-trated in Fig. 1. The WBAN consists of MA sensor nodes (MA = A1, . . ., Am) on person-A,MB (MB = B1, . . ., Bm) on person-B and base station which is connected with a systemserver. MA and MB collect the physiological signals of person-A and person-B, respectively,and transmit them to the base station. In this authenticated WBAN, any node needs to per-form authentication with the base station. ZKP is used to verify the identity of sender sensorto improve the security performance and reduce the energy consumption. With the authen-tication and privacy protect mechanism, it is impossible either for an unauthenticated basestation to communicate with any node of MA and/or MB , or for an illegal node C to sendmalicious signals or collect information from/in the authenticated WBAN.
3.1 Design Considerations of Secure System Parameters
Assumed it is computationally infeasible to factor a large integer with polynomial timecomplexity. Based on this hard-to-solve problem, in the TinyZKP two security parameters pand q are selected so that N is a more than 1,024-bit integer number, where p and q are largeprime numbers, and N = p × q, p and q are kept secret, while N is announced to public.
There are k pairs of key,{[Sm,1, Sm,2, . . . , Sm,k], [Vm,1, Vm,2, . . . , Vm,,k]
}for every sen-
sor node, when m = (MA or MB), and these keys are generated by service provider asfollows:
(1) Generation of secret keys:An integer number Sm,1 is selected randomly, 1 ≤ Sm,1 ≤ N − 1,
Sm, j = Sm,1 − j + 1(2 ≤ j ≤ k) (1)
(2) Generation of public keys:
Vm, j = (1/S2m, j ) mod N (1 ≤ j ≤ k) (2)
123
A Lightweight Authentication Scheme 1081
(4)E(KB1
[IDB1
||Data])
(3)E(KB1,S
[IDBS
||KB1
])
(2)E(KB1,S
[IDB1
|| Timestamp2|| SHA-1(X
B1) || Y
B1])(2)E(K
A1,S[ID
A1 || Timestamp
2|| SHA-1(X
A1) || Y
A1])
(1)E(KB1,S
[IDBs
|| Timestamp1|| M
chall || Signature])
Sensor node B1Sensor node A1 Base station
(1)E(KA1,S
[IDBs
|| Timestamp1|| M
chall || Signature])
(3)E(KA1,S
[IDBs
||KA1
])
(4)E(KA1
[IDA1
||Data])
Fig. 2 Communication flows of TinyZKP
Assuming the storage of the node is secure and all critical information in the node cannot beleaked even the node is captured physically. The service provider will load the secret keys,the public key of the base station, PU, and an initial session key Km,S between the sensornode and the base station to the sensor node when the sensor is deployed, and the ECDSAkey pair of base station is also generated by the service provider.
The public key of these nodes will be managed in the registration phase as follows:
3.2 Registration Phase
In the TinyZKP, the base station acts as an authentication center. In registration phase, theservice provider will register the public keys of sensor node m, {Vm,1, Vm,2, . . ., Vm,k}, tothis station so that the sensor node m can communicate with the base station.
3.3 Authentication Phase
In authentication phase, sensor node m will prove its identity to the base station based onzero-knowledge proof algorithm. The communication flows of TinyZKP between sensornodes and the base station are shown in Fig. 2.
(1) Base station → sensor node: E(Km,S[IDBs‖T imestamp1‖Mchall‖Signature])In the base station, a random challenge vector, Mchall , is generated: {e1, e2 . . . ek},where ek = 0 or 1, (k = 1, 2, . . ., 20), and a signature is created by signing Mchall
based on the ECDSA algorithm. A message which includes IDBs of the base station,T imeStamp1, Mchall and the signature is formed and encrypted by using the sessionkey Km, s. And then, this encrypted message is sent to sensor node m.
(2) Sensor node → base station: E(Km,S[IDm‖T imestamp2‖SHA-1(Xm)‖Ym])On receiving the message from the base station, the sensor node m decrypts it and verifiesthe signature. If the signature is valid, then in the sensor node m, an integer number r isselected randomly, 1 ≤ r ≤ N − 1, Xm and Ym are computed as follows:
Xm = r2 mod N (3)
Ym = rk∏
j=1
Se jm, j ( mod N )(1 ≤ j ≤ k) (4)
123
1082 L. Ma et al.
A 20-byte hashed value, SHA-1(Xm), is computed by using SHA-1 over Xm . Then amessage, which contains IDm of sensor node, T imestamp2, SHA-1(Xm) and Ym isformed, encrypted and sent to the base station.
(3) Base station → sensor node: E(Km,S[IDBs‖Km])In Step 3, the base station decrypts the message from sensor node and computes �t =T imestamp2 − T imestamp1. If �t > �T , where �T is the expected response timeinterval, the base station will reject this sensor node. Otherwise, X ′
m is computed asfollows:
X ′m = Y 2
m
k∏
j=1
Ve jm, j ( mod N )(1 ≤ j ≤ k) (5)
X ′m and Xm are the same, which can be proved as follow:
X ′m = Y 2
m
k∏
j=1
Ve jm, j ( mod N ) =
⎛
⎝rk∏
j=1
Se jm, j
⎞
⎠
2
Ve jm, j ( mod N )
= r2k∏
j=1
Se jm, j
2Ve jm, j ( mod N )
= r2k∏
j=1
(S2m, j Vm, j )
e j ( mod N )
= r2 mod N = Xm
Subsequently, the base station computes the hash value of X ′m, SHA-1(X ′
m). IfSHA-1(X ′
m) is equal to SHA-1(Xm), the base station accepts this sensor node as a legalone, as only legal sensor node is able to generate the valid Xm . Then a message whichincludes IDBs and a new session key Km to be used in the future communication isencrypted and sent to the sensor node m. Otherwise, the base station denies the sensornode.After the sensor node m is authenticated successfully by the base station, its MAC addressand node ID will be recorded in the base station to form an Access Control List (ACL). Inthe future communication, on receiving the packets from sensor nodes, the base stationwill check its ACL first. Only the packets from the legal nodes can be accepted andprocessed by the base station.
(4) Sensor node → base station: E(Km[IDm‖Data])In this step, on receiving the message from the base station, the sensor node m decryptsit and gets the new session key Km . Then a message which includes IDm and the dataof corresponding person is encrypted by using Km and sent to the base station. With thenew session key Km , even a forge base station or other sensor nodes receive the datafrom node m, they cannot decrypt the data even they have the old session key Km,S .
4 Security and Efficiency Analysis
In this section, the performance of TinyZKP in term of security and efficiency will be dis-cussed.
123
A Lightweight Authentication Scheme 1083
4.1 Security Analysis
In the proposed TinyZKP scheme, the authentication mechanism is designed based on thezero-knowledge proof, no information about secret key Sm, j is revealed during the authenti-cation process. Also Xm is a random square and Ym contains an independent random variablewhich masks the value of Sm, j . Thus, the messages sent from sensor nodes to base station areuniformly distributed, and the adversary is not able to get crucial cryptographic informationfrom the communication procedure between the sensor nodes and the base station. Thus,many different attacks can be resisted as discussed below:
4.1.1 Replay Attack
In this attack, an adversary captures messages from an authorized user and resends thesemessages, pretending to be a legal node. Because the TinyZKP is based on challenge-responsemechanism, the base station sends different challenge message each time corresponding todifferent response message. Without the secret keys of legal node, the adversary cannotgenerate valid response message. If the adversary simply replies with the earlier capturedmessage, the authentication will fail.
4.1.2 Forge Base Station Attack
In this attack, an adversary acts as the base station to collect the data from a legal sensornode. In our scheme, before sending data to base station, the sensor node requires to checkthe random challenge vector and its signature. If the signature is forged, the sensor node willnot send anything to the base station. Mutual authentication can be achieved in our system. Inthe method of literature [19], the base station is assumed to be absolutely secure, but, in fact,a forge base station is easy to be setup to attack the system. Therefore, mutual authenticationis necessary to enhance the security in practical systems.
4.1.3 Clone Attack
Clone attack is an important physical attack. After capturing the legal sensor node, theadversary will copy the cryptographic information to a clone one. In [19], a detailed analysisof this attack is presented, but the scenario in which the same ID with the same secret key ina cluster is not discussed. In this case, the clone one can actually act as a legal node. In theTinyZKP, after the legal node is authenticated by the base station, its MAC address and nodeID will be recorded as an ACL in the base station. Even with the same secret keys, the MACaddress of each node is different. After checking ACL, if it is not matched, the malicioussensor node will be rejected.
4.1.4 Man-in-the-Middle Attack
In this attack, the adversary makes independent connections with the two endpoints to modifyand relay messages between them. However, the adversary will not be able to generate a validresponse message because it cannot get any useful information about the secret keys of thesensor nodes.
123
1084 L. Ma et al.
Table 2 Communication costcomparison
Schemes Communication cost Exchanged messages
Method in [19] 40,980 bits 40
Method in [13] 2,784 bits 3
TinyZKP 1,204 bits 2
4.1.5 Guessing Attack
Any password-based protocol is easy to suffer from password guessing attack. Our TinyZKPis immune to this attack since there is no password transmission in the system and theadversary cannot get any useful information from the communications between sensor nodeand base station even it captures the challenge and response message.
4.2 Efficiency Analysis
In order to analyze the efficiency performance of our scheme, the performance comparisonis carried out among the methods in [13,19] and TinyZKP.
4.2.1 Computation Cost
In the TinyZKP scheme, in order to attain a security level of 2−20, set k = 20, and Nis a 1,024-bit integer. Modular multiplications consume the most computation power ofsensor node in the TinyZKP. According to literature [21], the average number of modularmultiplications for generating or verifying the identity in our scheme is 1 × (20 + 2)/2 = 11which is the same as the scheme in [19]. As a popular public-key encryption algorithm,RSA algorithm can provide both secrecy and digital signatures based on the intractabilityof the integer factorization problem, but in the 1,024-bit RSA-based scheme 1,024 modularmultiplications are required. While in the 160-bit ECDSA-based scheme [13] almost thesame computation cost as that in 1,024-bit RSA-based scheme is required. It means that thecomputation cost in our scheme is low.
4.2.2 Communication Cost
In the TinyZKP scheme, to perform a successful mutual authentication process, two messagesare exchanged and the communication cost is: LMchall + LSHA-1(Xm) + LY m = 1,204 bits,where the length of Ym, LY m , is 1,024 bits, the length of SHA-1(Xm), LSHA-1(Xm), is 160bits and the length of Mchall , LMchall , is 20 bits. To finish node’s identity authentication tothe base station, for the scheme in [19], forty (2 × 20) messages are exchanged, thus thecommunication cost is: LMchall + 20 × (LXm + LY m) = 40,980 bits. While for the schemein [13], three messages are exchanged and the length of each message Lm is 116 bytes, thusthe communication cost is: 3 × Lm = 2,784 bits. It means that the computation cost of ourscheme is the lowest as shown in Table 2.
5 Experiment Results
5.1 Design of Experiments
In our experiments, a ZigBee [22] WBAN consists of 18 MicaZ sensor nodes deployed on anadult body of height 1.713 m and weight 70 kg as shown in Fig. 1. A sensor node connecting
123
A Lightweight Authentication Scheme 1085
1.919
1.246 1.127
2.413
1.89
1.133
4.332
3.136
2.26
0.0
1.5
3.0
4.5
6.0
time of verifyidentity/signature
TinyZKP
W-ECDSA
time
(s)
time of generateidentity/signature
T-ECDSA
total time of authentication
Fig. 3 Average execution time comparison
to the PC acts as the base station. The sensor nodes on the body receive the challengemessage from the base station and respond the identity proof information to the base station.The verification is then processed at base station. The MicaZ sensor node consists of anATmegal 128L microcontroller, a 2.4 GHz CC2420 RF transceiver, 4 KB RAM and 128 KBROM developed by Crossbow Technology [23]. In this paper, our implementation is basedon TinyOS 2.1.0 [24] using nesC programming language.
In the experiments, the performance, energy consumption and memory usage of differentschemes, which are analyzed in Sect. 4, are evaluated and compared as follows:
• Execution time includes the time of generating identity/signature information T1, the timeof verifying identity/signature information T2 and the total time T = T1 + T2, and isdirectly measured on the sensor nodes.
• Energy consumption is used to evaluate the energy cost of different schemes. The powerconsumption is calculated as U × I × T based on the execution time T , the voltage U andthe current I on the sensor node.
• ROM and RAM consumptions are used to evaluate the memory cost of operating of dif-ferent schemes. Measurements of ROM and RAM consumption are provided by TinyOS,which provides a function to display memory consumption after successful compilation.
5.2 Performance Results
5.2.1 Execution Time
The TinyZKP scheme is implemented with a modified NN module of TinyECC 2.0. Com-pared with the ECDSA-based authentication schemes proposed in literature [13] and [14],respectively, our scheme is the most efficient in execution time (among 100 times of inde-pendent operations). The results are shown in Fig. 3, where the T-ECDSA is implementedbased on TinyECC library [13,25] and the W-ECDSA is implemented based on WM-ECC
123
1086 L. Ma et al.
Fig. 4 Number of modularmultiplications
0 20 40 60 80 100
2
4
6
8
10
12
14
16
18
20
22 times of modulo mutiplicationY
X
Table 3 Average modular multiplication in 10 groups
No 1 2 3 4 5 6 7 8 9 10 Avr
Mul no 11.3 11.5 11.1 10.2 12.1 12.5 10.6 10.8 11.2 10.7 11.2
library, respectively. (WM-ECC library is a customized ECC primitive which comprises ofa number of techniques for optimization [14].)
Figure 3 demonstrates that our proposed scheme runs the fastest and the results are con-sistent with the theoretical analysis in Sect. 4. In our scheme, modular multiplications are themajor computation consuming operations, so the times of modular multiplication directlydetermine the performance of the scheme. According to Sect. 4, the average number of modu-lar multiplications needed to generate or verify the identity in our scheme is 11. The statisticsof modular multiplication times in 100 authentication process are shown in Fig. 4. X axisstands for the sequence of authentication reply from a sensor node, and Y axis stands for thetimes of modular multiplication. Due to the randomness of challenge vector, the number ofmodular multiplication is different in each authentication process. The maximum value is 20and the minimum is 3. The average modular multiplication number is 11.3 in this test. 10groups of authentication process are executed in our experiment and the results are presentedin Table 3. We can see that the experiment result matches theoretical analysis.
5.2.2 Energy Consumption
The energy consumption of different schemes is evaluated by using E = U × I × T , whereU is the voltage supply to sensor node, I is the current in the circuit and T is the total time ofauthentication measured in Sect. 5.2. According to the MicaZ datasheet [23], the processorruns at U = 3 V and the current draw is 8 mA when the processor is active. The energyconsumption shown in Fig. 5 demonstrates our authentication scheme consumes the lowestenergy.
5.2.3 Memory Consumption
The memory consumption includes RAM and ROM consumptions. The memory usage forthree authentication schemes is given in Fig. 6a, b, respectively. They show that there are
123
A Lightweight Authentication Scheme 1087
Fig. 5 Energy consumptioncomparison
103.968
75.264
54.24
0
100
TinyZKPW-ECDSA
Ene
rgy
( mj)
Energy cosume comparison
T -ECDSA
2178
13011496
0
500
1000
1500
2000
2500
3000
TinyZKPW-ECDSA
RA
M (
byte
)
RAM cosume comparison
T-ECDSA 26122
20618
14704
0
5000
10000
15000
20000
25000
30000 T-ECDSAW-ECDSATinyZKP
ROM consume comparison
RO
M (
byte
)(a) (b)
Fig. 6 a RAM consumption comparison. b ROM consumption comparison
only minor differences in RAM consumption between W-ECDSA scheme and the proposedTinyZKP scheme. The T-ECDSA scheme needs the largest amount of memory usage. RAMusage in our scheme is 69 % of RAM usage in T-ECDSA scheme, but lightly higher thanthat in W-ECDSA. Also the ROM consumption of our scheme is the lowest, only 56 % ofT-ECDSA scheme.
6 Conclusions
In this paper, based on zero-knowledge proof a lightweight authentication scheme, TinyZKP,is proposed and designed for verifying the identity of sensor nodes of WBAN whose com-putation and memory resource are strict constraint. The advantages of low computationalrequirement and simple key management in ZKP can realize the identity authentication ofsensor node in WBAN effectively. The theoretical analysis shows that TinyZKP can resista variety of attacks in WBAN such as replay attack and guessing attack, without leakingany information regarding the secret keys to adversary. The performance comparison amongthe our TinyZKP, T-ECDSA and W-ECDSA in term of execution time, energy and memoryconsumption have shown that TinyZKP runs 1.9 times and 1.4 times faster; and the energyconsumption of TinyZKP is reduced by 48 % and 28 % compared to T-ECDSA and W-ECDSA, respectively. Our experimental results have indicated that the authentication processof TinyZKP is effective and efficient even implemented in severely resource-constrainedembedded system. Therefore, it is more suitable for sensor node authentication in WBAN.
123
1088 L. Ma et al.
Acknowledgments The authors would like to thank all the reviewers for their insightful comments and kindguidance to improve the paper quality. This work was supported by 973 Program # 2012CB315904, Chinaand Shenzhen Engineering Laboratory for Broadband Wireless Network Security.
References
1. Liang, X., Li, X., Shen, Q., Lu, R., Lin, X., Shen, X., et al. (2012). Exploiting prediction to enable secureand reliable routing in wireless body area networks. In Proceedings of INFOCOM’12 (pp. 388–396).Orlando, FL, USA: IEEE.
2. Ameen, M. A., Liu, J., & Kwak, K. (2012). Security and privacy issues in wireless sensor networks forhealthcare applications. Journal of Medical Systems, 36(1), 93–101.
3. Neuman, C., Yu, T., Hartman, S., & Raeburn, K. (2005). The Kerberos network authentication service(V5), RFC 4120, IETF.
4. Housley, R., Polk, W., Ford, W., & Solo, D. (2002). Internet X.509 public key infrastructure certificateand certificate revocation list (crl) profile, RFC 3280, IETF.
5. Karlof, C., Sastry, N., & Wagner, D. (2004). TinySec: A link layer security architecture for wireless sensornetworks. In Proceedings of the 2nd international conference on embedded networked sensor system (pp.162–175). New York, USA: ACM.
6. Luk, M., Mezzour, G., Perrig, A., & Gligor, V. (2007). MiniSec: A secure sensor network communicationarchitecture. In Proceedings of 6th international conference on information processing in sensor networks(pp. 479–488). Cambridge, England: IEEE.
7. Perrig, A., Canetti, R., Tygar, J.-D., & Song, D. (2002). The TESLA broadcast authentication protocol.UC Berkeley and IBM Research, 5(2), 2–13.
8. AlMheiri, S. M., & AlQamzi, H. S. (2013). Data link layer security protocols in wireless sensor networks:A survey. In Proceedings of 10th IEEE international conference on networking, sensing and control (pp.312–317). Evry, France: IEEE.
9. Ullah, F., Ahmad, M., Habib, M., & Muhammad, J. (2011). Analysis of security protocols for wirelesssensor networks. In Proceedings of 3rd international conference on computer research and development(pp. 383–387). Shanghai, China: IEEE.
10. Chuchaisri, P., & Newman, R. (2012). Fast response PKC-based broadcast authentication in wirelesssensor networks. Mobile Networks & Applications, 17(4), 508–525.
11. Watro, R., Kong, D., Cuti, S., Gardiner, C., Lynn, C., & Kruus, P. (2004). TinyPK: Securing sensornetworks with public key technology. In Proceedings of 2nd ACM workshop on security of ad hoc andsensor networks (pp. 59–64). New York, USA: ACM.
12. Tripathy, S. (2010). Tin-key: Effective key-establishment for wireless sensor. In Proceedings of 10th IEEEinternational conference on computer and information technology (pp. 916–921). Bradford, England:IEEE.
13. Wang, W. H., Cui, Y. L., & Chen, T. M. (2009). Design and implementation of an ECDSA-based identityauthentication protocol on WSN. In Proceedings of 3rd IEEE international symposium on microwave,antenna, propagation and EMC technologies for wireless communications (pp. 1202–1205). Beijing,China: IEEE.
14. Wang, H. D., Sheng, B., Tan, C. C., & Li, Q. (2011). Public-key based access control in sensornet. WirelessNetworks, 17(5), 1217–1234.
15. Shim, K. A., Lee, Y. R., & Park, C. M. (2013). EIBAS: An efficient identity-based broadcast authenticationscheme in wireless sensor networks. Ad Hoc Networks, 11(1), 182–189.
16. JayaKumar, C., & Sujihelen, L. (2013). Authentication solutions for wireless sensor network based on vir-tual certificate authority. In 2013 International conference on circuits, power and computing technologies(pp. 1003–1007). Nagercoil, India: IEEE.
17. Goldwasser, S., Micali, S., & Rackoff, C. (1989). The knowledge complexity of interactive proof-systems.SIAM Journal on Computing, 18, 186–208. doi:10.1137/0218012.
18. Feige, U., Fiat, A., & Shamir, A. (1987). Zero-knowledge proofs of identity. In Proceedings of 19thannual ACM symposium on the theory of computing (pp. 210–217). New York, USA: ACM.
19. Udgata, S., Mubeen, A., & Sabat, S. (2011). Wireless sensor network security model using zero knowledgeprotocol. In Proceedings of 2011 IEEE international conference on communications (ICC) (pp. 1–5).Kyoto, Japan: IEEE.
20. Cheng, M. Q. (2009). A Zero-knowledge proof of digital signature scheme based on the elliptic curvecryptosystem. In Proceedings of 3rd international symposium on intelligent information technology appli-cation (pp. 612–615). Nanchang, China: IEEE.
123
A Lightweight Authentication Scheme 1089
21. Fiat, A., & Shamir, A. (1987). How to prove yourself: practical solutions to identification and signatureproblems. In Advances in cryptology-CRYPTO’86 (pp. 186–194). Berlin: Springer.
22. Yang, B. (2009). Study on security of wireless sensor network based on zigbee standard. In Proceedingsof CIS ’09 international conference on computational intelligence and security (pp. 426–430). Beijing,China: IEEE.
23. CrossBow. (2010). MICAZ datasheet. http://www.openautomation.net/uploadsproductos/micaz_datasheet.pdf. Accessed 25 Oct 2012.
24. Zhang, F., Dojen, R., & Coffey, T. (2011). Comparative performance and energy consumption analysisof different AES implementations on a wireless sensor network node. International Journal of SensorNetworks, 10(4), 192–201.
25. Liu, A., & Ning, P. (2008). TinyECC: A configurable library for elliptic curve cryptography in wirelesssensor networks. In Proceedings of the 7th international conference on information processing in sensornetworks (pp. 245–256). St. Louis, USA: IEEE.
Limin Ma is currently a Ph.D. candidate at Peking University. His cur-rent research interests include communication and information security,wireless networks and wireless sensor networks.
Yu Ge is a scientist in the Institute for Infocomm Research (I2R),A-Star, Singapore. She received her M.Eng. and Ph.D. degrees fromNational University of Singapore and Nanyang Technological Univer-sity, respectively, all in wireless communication networks area. Shejoined I2R in 2001 and worked in various research areas including VoIPin heterogeneous wireless networks, wireless mesh/ad hoc networks,and wireless sensor networks. She is currently leading a research teamin the area of wireless body sensor networks (WBSNs) for human-centric sensing. Her current research interests are transmission andsensing technologies in wireless communication networks for end-to-end human-centric service provisioning.
123
1090 L. Ma et al.
Yuesheng Zhu received his B.Eng. degree in Radio Engineering,M.Eng. degree in Circuits and Systems and Ph.D. degree in Electron-ics Engineering in 1982, 1989, and 1996, respectively. He is currentlyworking as a Professor at the Communication and Information Secu-rity Lab, Shenzhen Graduate School, Peking University. He is a seniormember of IEEE, fellow of China Institute of Electronics, and seniormember of China Institute of Communications. His interests includedigital signal processing in communications, wireless communications,cryptography and internet security, digital home networking, and multi-media technology. He is listed in the Marquis Whos Who in the World.
123