traffic and energy consumption of an ieee 802.15.4 network in the presence of authenticated, ecc...
TRANSCRIPT
Computer Networks 52 (2008) 2227–2236
Contents lists available at ScienceDirect
Computer Networks
journal homepage: www.elsevier .com/ locate/comnet
Traffic and energy consumption of an IEEE 802.15.4 network in thepresence of authenticated, ECC Diffie–Hellman ephemeral key exchange q
Jelena Mišic *
Department of Computer Science, University of Manitoba, Winnipeg, Manitoba, Canada R3T 2N2
a r t i c l e i n f o
Article history:Received 20 November 2007Received in revised form 5 April 2008Accepted 11 April 2008Available online 22 April 2008
Responsible Editor: L.G. Xue
Keywords:Wireless sensor networksSecurity in wireless sensor networksKey exchange algorithmsIEEE 802.15.4
1389-1286/$ - see front matter � 2008 Elsevier B.Vdoi:10.1016/j.comnet.2008.04.006
q This research is supported by the NSERC Strategi* Tel.: +1 204 474 6791; fax: +1 204 474 7609.
E-mail address: [email protected]
a b s t r a c t
In this paper we have modeled traffic and energy consumption in a secured, power man-aged wireless sensor network implemented using IEEE 802.15.4 technology. The networkis secured through a variant of the secure socket layer protocol, with ephemeral Diffie–Hellman key exchange using elliptic curve cryptography. Our traffic and energy modelallows calculations of cluster populations under the simultaneous constraints of prescribedsecure event sensing reliability and lifetime of the whole network.
� 2008 Elsevier B.V. All rights reserved.
1. Introduction
Traditionally link key distribution in wireless sensornetworks (WSN-s) was achieved by pre-installing link keysor master secret as a basis for link key derivation. In thecluster based environment of beacon enabled IEEE802.15.4 this means that every node has to share a dedi-cated secret with the coordinator. This approach suffersfrom management scalability problems since it is difficultto configure table of shared secrets of the nodes attachedto the coordinator and it is difficult to pre-install differentshared secrets to large number of nodes. Alternative solu-tion is to have a single master secret for all the nodes in thecluster. However, capturing a single node will jeopardizethe security of the whole cluster.
Use of asymmetric keys authenticated with digital cer-tificates can alleviate the security risks in wireless sensorclusters since compromise of a single node will not affectthe secure operation of the other nodes. Public key cryp-
. All rights reserved.
c Grant.
tography in wireless sensor networks has been consideredas computationally too expensive for a long time. However,in the past few years significant advances in cryptographicalgorithms and hardware have been made which renderasymmetric key distribution as a feasible solution forWSNs.
In this paper we investigate network traffic and energyconsumption effects of public key cryptography in powermanaged sensor network consisting of multiple IEEE802.15.4 beacon enabled clusters. We focus on periodicalkey exchange using elliptic curve cryptography [9] basedon classical Diffie–Hellman algorithm [5].
The network is formed by multiple clusters intercon-nected in a master-slave regime wherein the coordinatorof a ‘lower’ cluster acts as the bridge to the ‘upper’ one,and the coordinator of the topmost cluster acts as the net-work sink; a sample configuration with three clusters isshown in Fig. 1. In this paper we model energy consump-tion by cryptographic operations executed during the keyexchange and regular transmission of sensing packets.We also model the additional traffic caused by keyexchanges in the network where each cluster has to deliverR packets per second towards the sink. Since all traffic is
bottom coordinator+ bridge
middle coordinator+ bridge
top coordinator +network sink
beacon frame
active portion of thesuperframe (CAP only)
middle cluster
top cluster (sink)
bottom coordinator+ bridge
middle coordinator+ bridge
top coordinator +network sink
middlecluster
top cluster (sink)
data + ackexchange
k eyexchange
bottom cluster
bottom cluster
Fig. 1. Network topology and data/key exchange timing.
2228 J. Mišic / Computer Networks 52 (2008) 2227–2236
conveyed to the sink the amount of packets per second isequal to R, 2R and 3R in source, middle and sink cluster,respectively. Contention caused by bridges will consumemore energy and has to be compensated by larger numberof nodes. Moreover, bridges will need to execute key ex-change protocol more frequently than ordinary nodeswhich will consume even more energy resources. Powermanagement is implemented using redundant sensorsand targeted towards constant event sensing reliability atthe coordinator/bridge. It interferes with cluster securityby extending the period during which given number ofpackets are exchanged protected by the same secret key.
Individual sensor nodes are battery operated and theirpower consumption is modeled according to tmote_sky ul-tra low power IEEE 802.15.4 compliant wireless sensormodule [12] powered with two AA batteries. Since thecoordinators/bridges have to work without ever going tosleep, their power budget is assumed to be infinite; theuse of relaying nodes with larger power resources than or-dinary sensing nodes has been shown to increase the use-ful network lifetime [20].
The paper is organized as follows. Section 2 gives a briefoverview of the operation of 802.15.4 compliant networkswith star topology, followed by a review of power manage-ment, bridge operation. Section 3 discusses key exchangemechanism and energy consumption of its cryptographicoperations. Section 4 presents derivation of analyticalmodel for energy consumption in the cluster due to packettransmissions caused both by sensing traffic and key ex-change traffic. Section 5 integrates model of power con-
sumption from packet transmissions with energyconsumption of cryptographic operations and presentsderivation of cluster populations for the requested lifetime.Section 6 presents numerical results obtained from theanalysis. Finally, Section 7 concludes the paper.
2. 802.15.4 operation: medium access, powermanagement, and key exchange
Consider the network shown in Fig. 1, operating in theISM band at 2.4 GHz. We assume that all clusters operatein beacon enabled, slotted CSMA-CA mode under the con-trol of their respective cluster (PAN) coordinators. In eachcluster, the channel time is divided into superframesbounded by beacon transmissions from the coordinator[10]. All communications in the cluster take place duringthe active portion of the superframe, the duration of whichis referred to as the superframe duration SD. The super-frame is divided into 16 slots of equal size, each of whichconsists of 3 � 2SO backoff periods. The variable SO, deter-mines the duration of the superframe; its default value ofSO = 0 corresponds to the shortest active superframeduration of 48 backoff periods. In the ISM band, theduration of the backoff period is 0.32 ms for a payload of10 bytes, which results in the maximum data rate of250 kbps. The time interval between successive beaconsis BI = aBaseSuperframeDuration*2BO, where aBaseSuper-frameDuration = 48 backoff periods (SO = 0) and BO denotesthe so-called macBeaconOrder which can take valuesbetween 1 and 14. Data transfers in the uplink direction
Table 1Key lengths in bits resulting in equivalent security
Integeralgorithm
Elliptic curvealgorithm
Bits of security for symmetrickey encryption algorithm
512 106 641024 163 802048 210 112
J. Mišic / Computer Networks 52 (2008) 2227–2236 2229
use CSMA-CA aligned to backoff period boundary. Datatransfers in the downlink direction use a more complexprotocol wherein the coordinator announces the presenceof a packet which must be explicitly requested by the tar-get node before being actually sent. Both data request anddata packets are sent using slotted CSMA-CA, and bothmust be acknowledged immediately upon successfulreception.
2.1. Activity management
Power (activity) management consists of adjusting thefrequency and ratio of active and inactive periods of sensornodes [17,15]. For individual nodes it can be accomplishedthrough scheduling of their active and inactive periods.Coordinator periodically broadcasts required event sensingreliability (number of packets per second needed for reli-able event detection) and number of nodes which are alive.Based on that information node can calculate average per-iod of sleep between transmissions. When average sleepperiod is known, then some discrete random probabilitydistribution can be used to generate individual sleep dura-tions in order to prevent the collisions. When node wakesup and has a packet to transmit it turns its receiver on inorder to synchronize with the beacon. If node’s buffer isempty it will start the new sleep. After receiving the infor-mation from the beacon, node turns the transmitter on andstarts backoff count in order to transmit the packet. Afterpacket transmission, node turns the receiver on in orderto receive acknowledgement and then starts the new sleepperiod. Let us denote power consumptions as xs = 18.2 nJ,xr = 17.9 lJ and xt = 15.8 lJ per one backoff period duringsleep, receiving and transmitting (at 0 dBm), respectively.They can be derived from typical operating conditions re-ported in documentation for Ultra low power IEEE802.15.4 sensor module tmote_sky [12] operating in ISMband with raw rate 250 kbps. According to the specifica-tion of tmote_sky module, two AA batteries are neededin order to supply voltage between 2.1 and 3.6 V.
2.2. Bridge operation
During the inactive portion of the superframe, any de-vice may enter a low power mode; the cluster coordinatorcan switch to the upper cluster in order to perform thebridging function – i.e., deliver the data to the coordinatorof the upper cluster. All lower cluster coordinators use thisfacility to perform the bridging function. As soon as the ac-tive part of the superframe is completed in the lower clus-ter, the coordinator/bridge switches to the upper clusterand waits for the beacon so that it can deliver the datafrom the lower cluster to the upper cluster coordinator/network sink.
All clusters use CSMA-CA access, which means that thebridge has to compete for medium access with ordinarynodes in the upper cluster. As soon as the data is delivered,the bridge can return to its own cluster. This also meansthat, should the bridge be unable to transmit its data whenthe (active portion of the) superframe in the upper clusterends, it will freeze its backoff counter and leave the uppercluster. The backoff countdown will resume when the
bridge returns to the upper cluster for the next superframe.Upon returning to the lower cluster, the bridge transmitsthe beacon denoting the beginning of the next superframe,and the lower cluster continues to operate.
Bridge switching is schematically presented in Fig. 1. Ascan be seen, the three clusters have to operate with thesame beacon interval, and the time between successivebridge visits to the ‘upper’ cluster is therefore the sameas the period between two beacons in its own, ‘lower’ clus-ter. If the top and bottom clusters are far enough, i.e., be-yond the transmission range of each other, all threeclusters may use the same RF channel (the 802.15.4 stan-dard uses 16 channels in the ISM band). Note that obtain-ing an increased area of coverage is the main reason forusing a multi-cluster configuration. If the clusters are clo-ser to each other, the top and bottom cluster may use dif-ferent channels, and the middle cluster can use either ofthese.
3. Key exchange protocol
Recently, elliptic key cryptography (ECC) has been dem-onstrated as relatively computationally lightweight, yet itssecurity is comparable to that of RSA. For the same securitylevel, ECC has much smaller key sizes compared to RSA[9,6], as shown in Table 1. Use of smaller keys results infaster key exchanges, user authentication and digital signa-ture generation and verification. Due to smaller key size itis also more suitable for storage in limited memory re-sources of wireless sensor nodes. Computational (and con-sequently energy consumption) difference betweeninteger based and elliptic curve algorithm resides in theway in which public key (e.g. for Diffie–Hellman exchange)is computed. For RSA it requires modular exponentiation ofthe private key; for ECC it requires scalar point multiplica-tion of the secret key with selected base point on the ellip-tic curve. The inverse operation, i.e., how to recover privatekey in ECC when public key and base point are known isknown as the elliptic curve discrete logarithm problem.The first measurements from 8-bit Atmel ATmega CPUarchitecture [2] reported in [13,19] indicate almost 40%reduction of computational time.
Efficiency of implementation of ECC cryptography inWSN resides in the choice of elliptic curve parameters [9]and hardware platform. Elliptic curves suitable for cryp-tography represent some Galois field F over sets p or 2p
where p is a prime number. General form of elliptic curveequation is [9]: y2 + a1x y + a3y = x3 + a2x2 + a4x + a6 whereai 2F. Implementation over F2p is reported in [13] whileimplementation over Fp is reported in [8]. Hardware plat-forms which support elliptic curve scalar point multiplica-tions (spm-s) are also rapidly evolving since general
{G || h(randn, randc)} kl(i -1)
coordinator node
randc
randn
{kn* G} ksn
{kc* G} ksc
2spm
2spm
certc
certndonejust
once
done afterevery nk
data packets
h (kl(i) || kl(i -1) || messages)
2spm
new link key: kl(i) = kc* kn* G spm
h (kl(i) || kl(i -1) || messages)
Fig. 2. Scaled SSL with ephemeral ECDH, scalar point multiplications aredenoted as spm.
2230 J. Mišic / Computer Networks 52 (2008) 2227–2236
purpose 8-bit architectures are not very suitable for largeinteger based arithmetic operations. Recently, 16-bitmicrocontroller tmote_sky has appeared [12]. It uses8 MHz, 16 bit RISC microcontroller MSP430 F1611 withmaximal current consumption during computation (radiois off) of 2.4 mA. Under supply voltage of 3 V, power con-sumption during computation is 7.2 mVA. in [7] dedicatedhardware architecture is proposed which supports ellipticcurve operations and consumes 400 lVA at clock frequencyof 500 kHz. Recently new hardware co-processor for ECCscalar point multiplication was proposed offering energyconsumption on 8-bit architecture of 1 mJ per multiplica-tion [3]. Nevertheless, even with all the improvements,ECC scalar point multiplication is considered as computa-tionally most expensive operation in the ECC based key ex-change algorithm.
Proper key exchange has to be preceded by the authen-tication of the involved parties, namely node and coordina-tor. Therefore, nodes should exchange their certificatessigned by the certificate authority (CA). As demonstratedin [19] simplified version of ECC-160 certificate containsonly 86 bytes. This key length gives 80 bits of equivalentsymmetric key security and is probably sufficient for thewhole network lifetime which does not exceed couple ofyears. However, as indicated in [16] and re-stated forWSN in [1]: the longer a key is used, the greater is thechance that it will be compromised; the same observationholds for the potential loss caused by that compromise.Therefore, it will be beneficial for the WSN to periodicallyupdate the link key. Depending on the period of key ex-change, length of the ECC key may be less than 160 bitswhich results in faster computation and lower energy con-sumption. However, as recommended in [16] each entitymust have two public/private key pairs. For signature,elliptic curve digital signature algorithm ECDSA [9] is used.One key pair should be used for digital signature and theother key pair should be used for symmetric key exchange.Keys for digital signatures must last for the whole networklifetime, they should be at least 160 bits long and should bestored in digital certificates. The same requirement holdsfor the key used by certifying authority that signs all thecertificates, i.e., nodes’ signature keys.
3.1. Scaled SSL protocol with ephemeral ECC Diffie–Hellmankey exchange
Ephemeral key exchange using Diffie–Hellman tech-nique is one of the suggested approaches for secure socketlayer handshake (SSL) [4]. However traditional SSL usesclassic Diffie–Hellman key exchange based on discrete log-arithm problem [5]. In order to adapt it to WSN it has to betranslated to elliptic curve discrete logarithm problem aspresented in [6,13]. Classical SSL also uses X.509 RSA-1024 certificates which are more than 700 bytes long andnot suitable for WSN. However, since the size of the ECCsignature is equal to two key sizes, for ECC-160 certificatelength can be reduced to 86 bytes [19] and therefore certif-icate can be transmitted in one 802.15.4 packet which hasmaximum packet size of 126 bytes.
First attempt to adapt SSL protocol to WSN as proposedin [19]. It uses elliptic curve (cryptography) Diffie–Hellman
key exchange algorithm (ECDH) with 160 bit keys. Itmerely distributes the permanent symmetric key at thebeginning of the node operation. Under this scheme eachnode is pre-loaded with permanent private/public key pair,digital ECC certificate which contains public key signed bythe trusted certificate authority (CA) and public key of CA.Only two cycles of handshake are needed, to exchangechallenges and certificates. In this key exchange one ECCscalar point multiplication (ECC-spm) is needed for gener-ation of shared key and two ECC-spms are needed for ver-ification of a digital signature.
SSL with ephemeral ECDH is presented in Fig. 2. In thefirst two steps, coordinator and the node exchange certifi-cates with signature keys and challenges. Certificates withsignature keys need to be exchanged only once in the life-time of the node, but new challenges need to be exchangedeach time when link key needs to be updated. In the thirdstep coordinator sends ECC base point encrypted with pre-vious link key kl[n � 1] (here n denotes index of keyexchange cycle). In the first key exchange when link keyis not known, this message should be encrypted by thepublic key from the certificate. Private signature keys aredenoted as ksn and ksc for node and coordinator, respec-tively. This step is optional, since ECC base point may bepre-installed in coordinator’s certificate, however it canimprove security in some critical applications. Then, nodeand coordinator generate their random private keys kn
and kc, respectively as well as the public keys Kn = G � kn
and Kc = G � kc. In the next two steps node and coordinatorexchange public keys G � kn and G � kc, respectively. Thesekeys are signed by appropriate signature keys in order toprevent man-in-the-middle attack. On receipt of the peer’spublic key each node will compute shared link key asK = G � kn � kc. Key exchange will be completed by exchangeof the hash of link key and all previous messages.
J. Mišic / Computer Networks 52 (2008) 2227–2236 2231
3.2. Energy considerations of ephemeral ECC Diffie–Hellmankey exchange
Public key computation, shared key computation, anddigital signature generation will require one ECC-spm each[13,3]. Therefore one key exchange cycle will have twoECC-spms for key computations, two digital signature ver-ifications (with two ECC-spms each) and one digital signa-ture generation.
According to the analysis from [14] for TelosB [11](which has the same microcontroller as tmote_sky butconsumes 4 mA), we have used the results for energy con-sumption from [14] scaled with factor 0.6. Therefore, weassumed that ECC scalar point multiplication takes 0.5 sand consumes 3.6 mJ.
We estimated time and energy for signature generationon tmote_sky as 0.52 s and 3.75 mJ and 1.02 s and 7.44 mJfor signature verification based on [14].
For message authentication code we adopted HMAC.For energy consumption of hashing we scaled results from[19] derived for 8-bit microcontroller ATMEL ATmega128Lusing relationships between TelosB and MICA2DOT re-ported in [14] and further comparison of data sheets forTelosB and tmote_sky. We adopted energy consumptionfor calculation of SHA-1 hash value to be 0.814 lJ/byte.For energy consumption of encryption/decryption opera-tion we used scaled numbers reported in [19], i.e., we used0.25 lJ/byte for encryption and 0.39 lJ/byte for decryption.
4. Modeling key exchanges
From Fig. 2 we notice that every round of key updatewill take ns = 3 uplink packet transmissions with key re-lated information and ns + 1 = 4 downlink packet transmis-sions each preceded by uplink request packet. Totalnumber of packet transmissions in key exchange processwill be equal to S = 11. We assume that key exchange istriggered when nk sensing packets are exchanged betweennode and the coordinator.
In order to model overall performance of the securepower managed sensor network we integrate power man-
phase 1coordinator
node
CSMAUplink
coordinator
BeaconSync
CSMAUplink
CSMADownlink
sleep cycle nk
BeaconSync
CSMAUplink
Collisionavoidance
sleep
Psleep
phase 1node
phase 2coordinator
phase 2node
Fig. 3. Markov chain for node under th
aged sensing function with key exchange process as shownby the Markov chain of Fig. 3. Power managed reliablesensing further consists of nk sub-phases of alternatingsleep and transmissions. After nk packet transmissionskey exchange will be initiated which contains ns sub-phases initiated by the coordinator. by advertising pendingkey data for a node.
Furthermore, each of the steps which involves down-link transmission requires synchronization with the bea-con, transmission of the uplink request packet andtransmission of the downlink packet. Every transmissionis implemented using slotted CSMA-CA specified by thestandard [10]. Markov sub-chain for single CSMA-CAtransmission (as the component of the Fig. 3) is shownin Fig. 4. The delay line from Fig. 4 models the require-ment from the standard that every transmission whichcan not be fully completed within the current superframehas to be delayed to the beginning of the next superframe.The probability that packet will be delayed is denoted asPd ¼ Dd=SD where SD denotes duration of active super-frame part (in backoff periods) and Dd ¼ 2þ Gp þ 1þ Ga
denotes total packet transmission time including two clearchannel assessments, transmission time Gp, waiting timefor the acknowledgement and acknowledgement trans-mission time Ga. The block labeled Tr denotes Dd linearlyconnected backoff periods needed for actual transmission.Fig. 5.
Within the transmission sub-chain, the process {i, c, k,d} defines the state of the device at backoff unit boundarieswhere i 2 (0� � �m) is the index of current backoff attempt,where m is a constant defined by MAC with default value4. c 2 (0, 1, 2) is the index of the current Clear ChannelAssessment (CCA) phase. Standard prescribes two CCAsafter the backoff countdown and if both are successful,transmission can start. k 2 (0� � �Wi � 1) is the value ofbackoff counter, with Wi being the size of backoff windowin ith backoff attempt. The minimum window size isW0 = 2macMinBE, while other values are equal to Wi =W02min(i,5-macMinBE) (by default, macMinBE = 3). d 2ð0 � � �Dd � 1Þ denotes the index of the state within the de-lay line mentioned above; in order to reduce notational
ACK
BeaconSync
sleep cycle 1
BeaconSync
CSMAUplink
Collisionavoidance
sleep
CSMAUplink
CSMADownlink
ACKphase ns
coordinatorphase ns
node
Psleep
reshold triggered key exchange.
CSMA-CA Markov Chain building block
0,2,W0-1 0,2,W0-2 0,2,1 0,2,01
0,1,0
0,0,0
m,2,Wm-1 m,2,Wm-2 m,2,1 m,2,0
m+1,0,0
m,1,0
m,0,0
1
1
1
(1-Pd)α
β
β1-β
1-β
(1-Pd)(1-α)
uniformly distributed among the Wm states
uniformly distributed among the W0 states
"delayline" 0
Pd
1
(1-Pd)α(1-Pd)(1-α)
"delayline" m
Pd
1 Od
γδ
1-γδ
Tr
Tr
γδ
1-γδ
Tr
Tr
1
γδτ0000
γδτ0000
from previous stage
to nextstage
Fig. 4. Markov sub-chain for single CSMA-CA transmission.
Populations for given lifetime
Lifetime = 1600 days
Lifetime = 1000 days
Lifetime = 2200 days
40
60
80
100
120
140
160
1000 2000 3000 4000 5000nk
Fig. 5. Cluster populations as functions of the threshold of key exchangesand the requested network lifetime.
2232 J. Mišic / Computer Networks 52 (2008) 2227–2236
complexity, it will be shown only within the delay line andomitted in other cases.
We need to include synchronization time from the mo-ment when node wakes up till the next beacon. This syn-
chronization time is uniformly distributed between 0 andBI � 1 backoff periods, and its probability generating func-tion (PGF) is D1ðzÞ ¼ 1�zBI
BIð1�zÞ. Collision separation line isneeded to separate potential collisions among the nodeswhich wake up in the same superframe. It is uniformly dis-tributed in the range from 0 to 7 backoff periods with thePGF D2ðzÞ ¼ 1�z8
8ð1�zÞ. Synchronization with the beacon is alsoneeded to receive the acknowledgement from the coordi-nator that whole SKKE transaction is completed. We as-sume that this acknowledgement is sent in downlinkpacket.
Data and key information packet sizes are assumed tobe 12 backoff periods long and therefore we assume thatprobability to access the medium s0 as well as probabilitiesof transmission without the collision c have the stationaryvalue after every transmission attempt. The same assump-tion holds for probabilities that the medium is idle on firsta and second CCA with b, respectively. Probability thatpacket will not be corrupted by the noise at the physicallayer is modeled as d ¼ 1� ð1� BERÞðDd�2Þ where BER rep-resents the bit error rate of the medium.
J. Mišic / Computer Networks 52 (2008) 2227–2236 2233
Let us assume that the input probability to arbitrarytransmission block is s0cd where s0 ¼
Pmi¼0xi;0;0 is medium
access probability after each packet transmission. We alsoassume that medium access control layer is reliable andthat it will repeat transmission until the packet isacknowledged.
Therefore the probability of finishing the firstbackoff phase in transmission block is equal to x0,2,0 =s0cd + s0(1 � cd) = s0.
Using the transition probabilities indicated in Fig. 4, wecan derive the relationships between the state probabili-ties and solve the Markov chain. For brevity, we will omitdetailed derivation and present sum of probabilities forone transmission sub-chain as
st ¼ s0C4 C3ðDd � 2Þ þ að1� PdÞ þPdðDd � 1Þ
2
!
þ s0
Xm
i¼0
Ci2ðWi þ 1Þ
2þ Cmþ1
2
!; ð1Þ
where C2 = (1 � Pd)(1 � ab), C3 = (1 � Pd)ab + Pd and C4 ¼1�Cmþ1
21�C2
.
The sum of probabilities within the beacon synchroni-zation line is equal to sb ¼ s0cd
PBIi¼0
iBI ¼ s0cdðSDþ 1Þ=2
and the sum of probabilities for the collision avoidance lineis equal to sc = 3.5s0cd.
In order to model node’s sleep time we will assume thatsleep time is geometrically distributed with parameterPsleep. Then the sum of probabilities of being in single sleepis equal to ss1 = s0 cd/(1 � Psleep). However, if node wakesup from sleep and finds its buffer empty it will start thenew sleep. We will denote the probability of finding emptybuffer after sleep as Qc and derive it later. The sum of prob-abilities of being in consecutive sleep then becomesss = s0cd/((1 � Psleep)(1 � Qc)). If we denote the thresholdvalue of the number of packets sent using the same keyas nk then the normalization condition for the whole Mar-kov chain becomes
nsðsb þ 3stÞ þ 2st þ nkðss þ st þ sb þ scÞ ¼ 1: ð2Þ
However, the total access probability by the node isequal to the sum of access probabilities in each transaction,i.e.,
s ¼ ð3ns þ 2þ nkÞs0 ¼ ðSþ nkÞs0: ð3Þ
4.1. Analysis of node’s packet queue
In order to find probability Qc we need to considernode’s buffer as M/G/1/K queuing model with vacations.We assume that when node wakes up it will transmit onlyone packet and go to sleep again which is known as 1-lim-ited scheduling [18]. However, we are also able to deriveapproximate value of Qc for small buffer size of 1–2 packetswhich is reasonable for sensor networks. In the discussionthat follows, packets are arriving to each node followingthe Poisson process with the rate k.
The PGF for one geometrically distributed sleep periodis VðzÞ ¼
P1k¼1ð1� PsleepÞPk�1
sleepzk. We also note [18] thatthe PGF for the number of packet arrivals to the sensor buf-
fer during the sleep time is equal to F(z) = V* (k-zk) whereV* denotes the Laplace–Stieltjes transform (LST) of thesleep time which (since sleep time is discrete random var-iable) can be obtained by substituting the variable z withe�s in the expression for V(z). Since the packet service timeis much smaller than the sleep time, new sleep will bestarted only if there were zero packet arrivals during thecurrent sleep time, i.e., with probability Qc = F(0) = V*(k).Then, the average value of total inactive time becomes
I ¼ 1=ðð1� PsleepÞð1� QcÞÞ: ð4Þ
Given that there are n nodes in the cluster the total eventsensing reliability is equal to
R ¼ nkcds0=tboff ; ð5Þ
where tboff = 0.32 ms corresponds to the duration of onebackoff period. Value R has to be set by the sensing appli-cation. Satisfying Eq. (5) will result in minimal energyconsumption.
4.2. Success probabilities
As we mentioned earlier, we denoted the probabilitiesthat the medium is idle on first and second CCA with aand b, respectively, and the probability that the transmis-sion is successful with c. Note that the first CCA may failbecause a packet transmission from another node is in pro-gress; this particular backoff period may be at any positionwith respect to that packet. The second CCA, however, willfail only if some other node has just started its transmis-sion – i.e., the backoff period in which the second CCA isundertaken must be the first backoff period of that packet.Note that the first medium access by any node will happenwithin the first 16 backoff periods of the superframe. Incalculating success probabilities for a target node we willuse background traffic contributed by n � 1 other nodesin the cluster and possibly traffic from the bridge.
Let the clusters contain nbot, nmid, and ntop ordinary sen-sor nodes, respectively, with the packet arrival rate of k pernode. (References to specific clusters will use the sub-scripts bot, mid, and top, respectively.) The top clustercoordinator acts as the network sink.
4.2.1. Bottom clusterIn order to find access probability in the bottom cluster
we can apply two approaches: the exact approach is to useexpression (3) for sbot. Second, faster and less accurate ap-proach is to assume that the access probability is equal tothe reciprocal of the mean inactive time of the node scaledwith impact of key exchange. In that case we start withexpression (4) and obtain approximate access probabilityas: sbot � Sþnk
nkIwhere Sþnk
nkis the scaling factor which models
increase of access probability due to key exchange.Since sbot is very small and the number of nodes is large,
we may estimate the per cluster arrival rate of mediumaccess events for background traffic as: kc;bot ¼ðnbot � 1Þsð1ÞbotSD=16.
The probability that the medium is not busy at the firstCCA may, then, be approximated with abot ¼ 1
16
P15i¼0e�ikc;bot .
The probability that the medium is idle on the secondCCA for a given node is, in fact, equal to the probability that
2234 J. Mišic / Computer Networks 52 (2008) 2227–2236
neither one of the remaining nbot � 1 nodes has started atransmission in that backoff period, bbot ¼ e�kc;bot .
By the same token, the overall probability of success ofa transmission attempt is cbot ¼ ðbbotÞ
Dd .
4.2.2. Middle clusterIn the middle cluster, besides ordinary nodes we must
account for the presence of the bridge, i.e., the coordinatorfrom the bottom cluster. For ordinary node, we apply themodel from Section 4 to the environment of middle clusterand use expression (3) for smid.
The access probability for the bridge coming from thebottom cluster can be modeled as sbri,mid = nbotsbotSD/16.
The success probability for bridge transmissionsdepends on all the nodes in the middle cluster, i.e.,cbri;mid ¼ ð1� smidÞDdnmid .
The medium access event rate for a middle cluster nodemust also account for both the ordinary nodes and thebridge, hence: kc,mid = (nmid � 1)smidSD/16 + sbri,mid.
Parameters a, b and c can, then, be calculated in a sim-ilar way as their bottom cluster counterparts, i.e.,
amid ¼1
16
X15
i¼0
e�ikc;mid ; ð6Þ
bmid ¼ e�kc;mid ; ð7Þ
cmid ¼ e�kc;midDd : ð8Þ
4.2.3. Top clusterFinally, success probabilities atop, btop and ctop for the
sink (top) cluster can be found starting from
sbri;top ¼ ðnbotsbot þ nmidsmidÞSD=16: ð9Þ
5. Cluster lifetime
We assume that network operator needs to find popula-tions in the clusters such that all the clusters operate dur-ing the same requested time Life. This is not an easy tasksince we have seen that sleep policy controls the eventsensing reliability at the coordinator, but the traffic gener-ated by key exchanges and injected by the bridges in-creases the contention in the clusters. If node populationsin all three clusters are equal then clusters with more traf-fic will die before peripheral clusters without bridges.Therefore we propose to find node population for the mostperipheral cluster first and to continue calculating nodepopulations in clusters according to increasing amount oftraffic.
If the node’s energy budget is b J and requested lifetimeis Life days, then average energy consumption per backoffperiods has to be
ureq ¼btboff
Life � 3600 � 24; ð10Þ
where tboff = 0.32 ms corresponds to the duration of onebackoff period.
The Laplace–Stieltjes transform (LST) for the energyconsumption during jth backoff time prior to transmissionis E�Bj
ðsÞ ¼ e�sxr Wi�1Wjðe�sxr�1Þ :
Let the PGF of the data packet length be Gp(z) = zk, andlet Ga(z) = z stand for the PGF of the ACK packet duration.Let the PGF of the time interval between the data and sub-sequent ACK packet be tack(z) = z2; and PGF for packettransmission time and receipt of acknowledgement asTd(z) = Gp(z)tack(z)Ga(z).
Then, the PGF for the time needed for one completetransmission attempt, including backoffs, becomes
AðzÞ ¼
Pmi¼0
Qij¼0
BjðzÞ !
ð1� abÞiz2ðiþ1ÞðabTdðzÞÞ
abPmi¼0ð1� abÞi
: ð11Þ
The LST for the energy consumption during pure packettransmission time is e�skxt . The LST for energy consumptionduring two CCAs is equal to e�s2xr . The LST for energyconsumption during waiting for and receiving theacknowledgement is e�s3xr . Beacon length sufficient fortransmitting information about the number of live nodesand requested event sensing reliability is 3 backoff periodsand LST for energy consumption while receiving it is e�s3xr .The LST for energy consumption during reception of thebeacon frame which is three backoff periods long has thesame LST. Then the LST for energy consumption duringtransmission time of the data packet and receptionof acknowledgement will be denoted with T�dðsÞ ¼e�skxt e�s3xr . The LST for energy consumption for one trans-mission attempt then becomes:
E�AðsÞ ¼
Pmi¼0
Qij¼0
E�BjðzÞ
!ð1� abÞie�s2xrðiþ1ÞabT�dðsÞ
abPmi¼0ð1� abÞi
: ð12Þ
By taking packet collisions into account, the probabilitydistribution of the packet service time follows the geomet-ric distribution, and its PGF becomes
TðzÞ ¼X1k¼0
ðAðzÞð1� cÞÞkAðzÞc ¼ cAðzÞ1�AðzÞ þ cAðzÞ : ð13Þ
The LST for the energy spent on a packet service time isthen equal to
E�TðsÞ ¼cE�AðsÞ
1� E�AðsÞ þ cE�AðsÞ: ð14Þ
In bottom cluster, the LST for the energy spent in packetservice is obtained by substituting those values in Eq.(14). Average value of energy consumed for packet serviceis obtained as ET;bot ¼ � d
ds E�T;botðsÞjs¼0.The average battery energy consumption per backoff
period can be found as
ubot¼S1xrþS2xrþ3xrþ IbotxsþET;botð1þ S
nkÞþEhþEcryptþEECC
Snk
S1þS2þ3þ IbotþTbotð1þ SnkÞ
;
ð15Þ
where Eh denotes energy spent on hashing a packet, Ecrypt
denotes energy spent on encrypting the packet and EECC
denotes energy spent in scalar point multiplications inone round of key exchange process.
J. Mišic / Computer Networks 52 (2008) 2227–2236 2235
Then the population in bottom cluster which satisfiesthe lifetime requirement of Life days can be found fromthe equation
ubot ¼ ureq: ð16Þ
By using appropriate values of amid, bmid and cmid the PGFsfor a single transmission attempt and for the overall packettransmission time can be calculated as AmidðzÞ and Tmid(z),respectively. Both PGFs depend on the number of nodesnmid as the parameter. Average battery energy consump-tion per backoff period is calculated as
umid¼S1xrþS2xrþ3xrþ ImidxsþET;midð1þ S
nkÞþEhþEcryptþEECC
Snk
S1þS2þ3þ ImidþTmidð1þ SnkÞ
:
ð17Þ
In order to achieve same lifetime of Life days in bothclusters, the average energy which node consumes perbackoff period in both clusters should have equal values,i.e., condition : umid = ubot = ureq must hold from whichwe can obtain population of the middle cluster nmid.
The procedure is then repeated for the top cluster. Thisalgorithm is scalable since overall model can be broken inindividual cluster models with input from all clusters atlower level.
Populations for given event sensing reliability
R = 8
R = 5
R = 240
60
80
100
120
140
160
1000 2000 3000 4000 5000nk
Fig. 6. Cluster populations as functions of the threshold of key exchangesand the requested event sensing reliability (lifetime is set to 1600 days).
6. Performance evaluation
In this section we present numerical results obtained bysolving the system of equations presented in Sections 4and 5. As solution we obtain system parameters s0, s, Psleep,a, b, c and Qc. We assumed that each node is powered withtwo AA batteries which supply voltage between 2.1 and3.6 V and 1000 mA h as required by tmote_sky [12] operat-ing conditions with total energy b = 205200 J.
We have assumed that the network operates in the ISMband at 2.45 GHz, with raw data rate 250 kbps andBER = 10�4. Superframe size was controlled with SO,BO = 0. The packet size has been set to Gp ¼ 12 backoffperiods, while the device buffer had a fixed size of L = 2packets. The packet size includes message authenticationcode and all physical layer and medium access control pro-tocol sublayer headers, and is expressed as the multiple ofthe backoff period [10]. We also assume that the physicallayer header has 6 bytes, and that the medium access con-trol sublayer header and frame check sequence fields havea total of 9 bytes. Other parameters from medium accesscontrol layer were kept at default values.
6.1. Impact of lifetime requirements
In order to investigate the impact of lifetime require-ments we have first set the event sensing reliability percluster to R = 5 packets per second. We have controlledthe length of the lifetime of the network by setting the life-time requirement in the source cluster and then by equal-izing the populations in the middle and sink cluster.Equalization was performed by equating the averagepower consumption per backoff period in all the clusters.In addition, the threshold to start the key exchangebetween node (bridge) and coordinator was varied
between 500 and 5000 packets. The diagram shown inFig. 6 shows cluster populations when key exchangethreshold is changing with lifetime as the parameter.Graphs with lifetime of 2200 days are denoted with dia-monds, graphs with lifetime of 1600 days are denoted withcircles and graphs with lifetime of 1000 days are denotedwith crosses. In each group bottom line corresponds tothe source cluster, middle line corresponds to the middlecluster and top line corresponds to the population in topcluster. Differences between populations in clusters forthe same lifetime are due to the activities of the bridgessince the amount of the traffic carried by the cluster in-creases with each hop towards the sink.
We notice that space between the population lines forgiven lifetime increases with the value of the lifetimealthough the event sensing reliability is constant. The rea-son for this is in the increased number of nodes per cluster.Even with randomized sleep policy increased number ofnodes will result in increased probability of collision. Morecollisions will consume battery resources.
6.2. Impact of event sensing reliability
We have also modeled and investigated impact of eventsensing reliability R on the cluster lifetimes. Fig. 6, presentsequalized populations with network lifetime of 1600 days.Event sensing reliability was varied and we present graphsfor R = 2, R = 5 and R = 8, respectively. Graphs are denotedwith diamonds, circles and crosses for R = 8, R = 5 andR = 2, respectively. Lines in a group with given R are or-dered so that topmost one corresponds to the sink clusterand bottom one corresponds to the source cluster. Fig. 8presents results taken for lifetime of 2200 days. We notethat for higher event sensing reliability spacing betweenthe lines increases which is a result of higher node popula-tions and higher probability of collision.
Fig. 7 presents the duration of key period in days. Wenotice that key period is little sensitive to changes in eventsensing reliability. This is the result of choosing the sourcecluster population which compensates changes of eventsensing reliability for a constant lifetime. Since populationas well as individual event sensing reliability per node willgrow with increase in R, sleep period will remain almost
Populations for given event sensing reliability
R = 2
R = 8
R = 5
100
150
200
250
1000 2000 3000 4000 5000nk
Fig. 7. Cluster populations as functions of the threshold of key exchangesand the requested event sensing reliability (lifetime is set to 2200 days).
key period in days in source cluster
24
68
10
R1000
20003000
40005000
nk
0.20.40.60.8
11.21.41.6
keyp
erio
d
Fig. 8. Key exchange period in days as function of the threshold of keyexchanges and the requested event sensing reliability (lifetime is set to2200 days).
2236 J. Mišic / Computer Networks 52 (2008) 2227–2236
constant. Since key exchange period is mostly affected by amultiple of the sleep period it will be almost constantwhen R is changing.
7. Conclusion
In this paper we have evaluated a variant of SSL withephemeral Diffie–Hellman key exchange using ellipticcurve cryptography deployed in the power managed sen-sor network. Sensor network consisted of three intercon-nected beacon enabled IEEE 802.15.4 clusters. We haveshown the efficient way to calculate populations in allthree clusters which will satisfy the lifetime requirementof the whole network. We have also shown the impact ofevent sensing reliability on the population/energy require-ment of the clusters. Our performance results were derivedfor nodes equipped with two AA batteries with 1000 mA hand they demonstrate that SSL with ephemeral ECC Diffie–Hellman exchange is feasible with tmote_sky ultra lowpower IEEE 802.15.4 compliant wireless sensor module.However our results can be easily scaled to any kind of bat-teries with smaller capacity which can render lifetime ofseveral hundreds of days.
References
[1] B. Arazi, I. Elhahnany, H. Qi, Revisiting public-key cryptography forwireless sensor networks, IEEE Computer, 2005, pp. 103–105.
[2] Atmega128(l) - 8-bit avr microcontroller with 128 k bytesin-system programmable flash. datasheet, ATMEL Corporation.<www.atmel.com/dyn/resources/prod_documents/doc2467.pdf>,2006.
[3] G. Bertoni, L. Breveglieri, M. Venturi, Power aware design of an ellipticcurve coprocessor for 8 bit platforms, in: Proceeding of the FourthAnnual IEEE Conference on Pervasive Computing andCommunications, 2006 IEEE PERCOM 2006, 2006.
[4] M. Bishop, Computer Security – Art and Science, Pearson Education,Inc., Boston, MA, 2003.
[5] W. Diffie, M.E. Hellman, New directions in cryptography, IEEETransactions on Information Theory 22 (6) (1976) 644–654.
[6] A. Fiskiran, R. Lee, Workload characterization of elliptic curvecryptography and other network security for constrainedenvironments, in: Proceedings of IEEE International Workshop onWorkload Characterization 2002, 2002, pp. 127–137.
[7] G. Gaubatz, J.-P. Kaps, E. Ozturk, B. Sunar, State of the art in ultra-lowpower public key cryptography for wireless sensor networks, in:Proceedings of Percom 2005, 2005.
[8] J. Groszschaedl, Tinysa: a security architecture for wireless sensornetworks, in: Proceedings of CoNEXT 2006, 2006.
[9] D. Hankerson, A. Menezes, S. Vanstone, Guide to Elliptic CurveCryptography, first ed., Springer-Verlag, Inc., New York, NY, 2004.
[10] IEEE, Wireless MAC and PHY specifications for low rate WPAN, IEEEStd 802.15.4-2006 (Revision of IEEE Std 802.15.4-2003), IEEE, NewYork, NY, 2006.
[11] Telosb mote platform datasheet. mote datasheet, CrossBowTechnology. <www.xbow.com/Products/Product_pdf_files/Wireless_pdf/TelosB_Datasheet.pdf>.
[12] tmote_sky low power wireless sensor module, Technical report,Moteiv Corporation, San Francisco, CA. <www.moteiv.com>,2006.
[13] D. Malan, M. Welsh, M. Smith, A public-key infrastructure for keydistribution in TinyOS based on elliptic curve cryptography, in:Proceeding of the First Annual IEEE Communications SocietyConference on Sensor and Ad Hoc Communications and Networks,IEEE SECON 2004, 2004, pp. 71–80.
[14] K. Piotrowski, S. Peter, How public key cryptography influenceswireless sensor node lifetime, in: Proceedings of the Fourth ACMWorkshop on Security of Ad Hoc and Sensor Networks, 2006, pp.169–176.
[15] Y. Sankarasubramaniam, Ö.B. Akan, I.F. Akyildiz, ESRT: event-to-sinkreliable transport in wireless sensor networks, in: Proceedings of the4th ACM MobiHoc, Annapolis, MD, June 2003, pp. 177–188.
[16] B. Schneier, Applied Cryptography, 2nd ed., John Wiley & Sons, Inc.,New York, NY, 1996.
[17] I. Stojmenovic (Ed.), Handbook of Sensor Networks: Algorithms andArchitectures, John Wiley & Sons, 2005.
[18] H. Takagi, Queueing Analysis, Vacation and Priority Systems, vol. 1,North-Holland, Amsterdam, The Netherlands, 1991.
[19] A. Wander, N. Gura, H. Eberle, V. Gupta, S. Chang, Energy analysis ofpublic-key cryptography for wirless semsor networks, in: Proceedingof the Third Annual IEEE Conference on Pervasive Computing andCommunications, 2005 IEEE PERCOM, 2005, pp. 324–328.
[20] M. Yarvis, N. Kushalnagar, H. Singh, A. Rangarajan, Y. Liu, S. Singh,Exploiting heterogeneity in sensor networks, in: Proceedings of theINFOCOM05, vol. 2, Miami, FL, March 2005, pp. 878–890.
Jelena Mišic received her Ph.D., degree inComputer Engineering from the University ofBelgrade, Yugoslavia, in 1993. She is currentlyAssociate Professor of Computer Science atthe University of Manitoba in Winnipeg,Manitoba, Canada. Her current researchinterests include wireless networks andsecurity in wireless networks. She is a mem-ber of IEEE and ACM.