
A Secure Routing Protocol for Wireless Sensor Networks with Consideration of Energy Efficiency

III. THE PROPOSED ENERGY-EFFICIENT SECURE ROUTING PROTOCOL

We now describe our proposed secure routing protocol in detail. In the following, the energy-efficient routing protocol is designed first, then the security mechanism follows.

A. Design of the Energy-Efficient Routing Protocol

Our routing protocol mainly includes the sink-oriented grid construction and farthest-highest energy dissemination node search, which are depicted in detail as follows.

1) Sink-oriented grid construction: The grid construction for our routing protocol is done based on that of TTDD.

Fig. 1. A grid inside the transmission range of the source node (node $A$).

Assuming a two-dimensional area of interest, the grid is built on a per-source basis with a cell size of $\alpha \times \alpha$ (m$^2$), where $\alpha$ is equal to half of the transmission range $R$. To construct grids, every node first draws a virtual grid by letting itself be one of the corners of the grid. The other three corners are called dissemination points. Given the source location $L_s = (x, y)$, the locations of the dissemination points $L_p = (x_i, y_j)$ then satisfy:

$x_i = x + i\alpha, \quad y_j = y + j\alpha,$

where $i$ and $j$ are indices used to determine the direction of the grid. In order to direct grids to the sink located at $(x_s, y_s)$, the values of $i$ and $j$ should be properly selected by using the following rules: if $x$ ($y$) is greater than $x_s$ ($y_s$), the value of $i$ ($j$) is set to a negative integer; otherwise, the value of $i$ ($j$) is set to a non-negative integer. Once the source builds the grid as shown in Fig. 1, it records the positions of the dissemination points. For each dissemination point, the source needs to choose a dissemination node to be the alternative for path forwarding by the source. To select a dissemination node, the source first sends an announcement message to all of its neighbors by using simple geographic greedy forwarding.

The neighbors continue to forward this message until it reaches the node that falls within the circle of radius $\alpha/2$ centered at the dissemination point and is closest to the dissemination point. With the sink-oriented grids, the delivery ratio of reports sent by source nodes can be significantly improved. However, a loop may occur because of different directions of other grids. Since the direction of the grid constructed by the source is determined according to its direction to the sink, two or more grids may overlap.

As shown in Fig. 2, node 𝐴 might choose node 𝐵 as its dissemination node, meanwhile node 𝐵 also chooses node 𝐴 as its dissemination node. For this case, a loop occurs.

To avoid loops, the mechanism to determine a dissemination node should be slightly modified as follows. Before adding a dissemination node, the source needs to check whether the candidate dissemination node is one of its upstream nodes. If yes, the source drops this node and considers the other neighbors.
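An added sketch of the grid rules above (not code from the paper): it computes the sink-oriented dissemination points, picks the closest neighbor inside the $\alpha/2$ circle of each point, and skips upstream nodes to avoid the loop of Fig. 2. The single-cell choice $|i| = |j| = 1$, the function names and the sample coordinates are assumptions constructed for the example.

```python
import math

def dissemination_points(src, sink, alpha):
    """Other three corners of the source's cell, oriented toward the sink."""
    (x, y), (xs, ys) = src, sink
    i = -1 if x > xs else 1   # negative index when x is greater than the sink's x_s
    j = -1 if y > ys else 1   # same rule for y and y_s
    return [(x + i * alpha, y), (x, y + j * alpha), (x + i * alpha, y + j * alpha)]

def choose_dissemination_nodes(src, sink, alpha, neighbors, upstream):
    """Pick, per dissemination point, the closest neighbor within alpha/2 of it.

    neighbors: {node_id: (x, y)}; upstream: ids of nodes that already forward
    through this source. Upstream nodes are skipped so two overlapping grids
    cannot select each other and form a loop. Returns {point: node_id or None}.
    """
    chosen = {}
    for point in dissemination_points(src, sink, alpha):
        in_circle = [
            (math.dist(pos, point), node_id)
            for node_id, pos in neighbors.items()
            if node_id not in upstream and math.dist(pos, point) <= alpha / 2
        ]
        chosen[point] = min(in_circle)[1] if in_circle else None
    return chosen

# Constructed sample: transmission range R = 40 m, so alpha = R / 2 = 20 m.
ALPHA = 20
SOURCE_A, SINK = (100, 100), (0, 0)
NEIGHBORS = {"B": (82, 97), "C": (101, 83), "D": (75, 78), "E": (84, 84)}

if __name__ == "__main__":
    print(choose_dissemination_nodes(SOURCE_A, SINK, ALPHA, NEIGHBORS, upstream=set()))
    # D already forwards through A, so A falls back to E for the diagonal corner.
    print(choose_dissemination_nodes(SOURCE_A, SINK, ALPHA, NEIGHBORS, upstream={"D"}))
```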

2) Farthest-highest energy dissemination node search: In our proposed energy-efficient routing protocol, the mechanism called farthest-highest energy dissemination node search is also incorporated and described as follows. Once the source determines its dissemination nodes, one or more alternative paths to forward the data to the sink are possible. To prolong the network lifetime, the path selection can be done with the following considerations. First, the source node considers a dissemination node associated with the farthest dissemination point of the grid. We simply call such a node the farthest dissemination node. Second, the source node considers the dissemination node with the highest remaining energy as its next hop.

Before further elaborating on when and how to utilize the two considerations, let us define some auxiliary notations as follows. With a given transmission range of the sink denoted by a circle as shown in Fig. 3, the grids inside the transmission range of the sink form a big rectangle. The area within (outside) the elongated line segments of the big rectangle is then called the inner area (outer area). On detecting a stimulus, the source node generates a packet to be forwarded to the sink. A source node located near the sink delivers the packet directly to the sink. If the source node cannot detect the sink within its transmission range, the packet is delivered in the following way. The source node first checks whether it is in the inner area or not. If not, the farthest dissemination node is selected as the forwarding node if and only if the energy of the farthest dissemination node is not the lowest one amongst all considered dissemination nodes.

106 2012 IEEE Network Operations and Management Symposium (NOMS)

Fig. 2. Overlapping grids.

Fig. 3. An example to illustrate the farthest-highest energy dissemination node search.

In the same way, the intermediate node forwards the packet until the packet reaches the sink; otherwise, the dissemination node with the highest residual energy is selected. The farthest-highest dissemination node search mechanism lets the node find a closer path from the source to the sink than the others.

Therefore, the energy consumption can be lower and the network lifetime can be prolonged by balancing the energy levels of sensor nodes in the network.

The security mechanisms of our proposed energy-efficient routing protocol are implemented during route discovery and data forwarding. To enhance the security of the proposed routing protocol, every node joining the network is confirmed to be legitimate in the route discovery phase, and countermeasures are designed for the case in which an outsider interrupts the network in the data forwarding phase. To achieve these security goals, the following three encryption keys are pre-distributed:

Global key: a secret key known by the sink and all sensor nodes.

Node key: a secret key shared by two neighboring nodes and refreshed in the route discovery phase.

Primary key: a unique key shared by each sensor node with the sink only.

To provide countermeasures against security attacks, our proposed secure routing protocol incorporates the following features: 1) two-way handshake with key refreshment, 2) route request, 3) secure grid construction, 4) route reply, 5) routing update in the route discovery phase, and 6) data forwarding.

Now, they are described in detail as follows.

1) Two-way handshake with key refreshment: After the deployment of all sensor nodes, every sensor node needs to recognize its neighbors. For this purpose with security enhancement, we introduce a two-way handshake with key refreshment which is a secure neighbor discovery performed by each sensor node to construct the local topology. After setting up the keys, each sensor node has several keys to communicate with the sink and with the other sensor nodes.

Before exchanging data, each sensor node performs a two-way handshake. Assuming the node ID of $X$ is less than the node ID of $Y$ and node $X$ needs to send a challenge message to node $Y$, the format of this challenge message is

$X \rightarrow Y : \mathit{CHL} \| \mathit{ID}_X \| E_{K_{X,Y}}(N_0),$

where $\mathit{CHL}$ is the message type of challenge, $\mathit{ID}_X$ is the ID of node $X$, $N_0$ is the nonce or a one-time random number generated by node $X$, $E_{K_{X,Y}}$ is the encryption secured with the shared node key $K_{X,Y}$ between nodes $X$ and $Y$, and $\|$ denotes the operation of concatenation. After receiving the challenge message, node $Y$ answers with a response message to node $X$. To prove that node $Y$ can legitimately join the network, the response message from node $Y$ should include the value of $N_0 + 1$ to prove that it has the preloaded shared node key with node $X$. Node $Y$ then includes the encrypted new shared node key using the following format of the response message with node $X$:

$Y \rightarrow X : \mathit{RES} \| \mathit{ID}_Y \| (N_0 + 1) \| E_{K_{X,Y}}(K_{XN,YN}),$

where $\mathit{RES}$ is the message type of response, $\mathit{ID}_Y$ is the ID of node $Y$, and $K_{XN,YN}$ is the new shared node key between nodes $X$ and $Y$. This process is executed by every node in the network repeatedly until all neighbors of the node are discovered. With the two-way handshake with key refreshment


link problem/attack.
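The challenge/response exchange described above, as an added example that is not the paper's code. The paper does not name a cipher, so `E` is a toy SHA-256 keystream stand-in; the 64-bit nonce, the 16-byte keys and the class and function names are likewise assumptions.

```python
import hashlib
import secrets

def E(key, label, data):
    """Stand-in for E_K: XOR with a SHA-256 keystream (toy and unauthenticated,
    an assumption of this example). XOR makes the same call decrypt."""
    blocks = range((len(data) + 31) // 32)
    stream = b"".join(hashlib.sha256(key + label + bytes([b])).digest() for b in blocks)
    return bytes(d ^ s for d, s in zip(data, stream))

class Node:
    def __init__(self, node_id, node_keys):
        self.id = node_id
        self.keys = dict(node_keys)   # peer id -> shared node key K_{X,Y}
        self.pending = {}             # peer id -> outstanding nonce N_0
        self.neighbors = set()

    def challenge(self, peer):
        """X -> Y : CHL || ID_X || E_{K_{X,Y}}(N_0)"""
        n0 = secrets.randbits(64)
        self.pending[peer] = n0
        return ("CHL", self.id, E(self.keys[peer], b"CHL", n0.to_bytes(8, "big")))

    def respond(self, msg):
        """Y -> X : RES || ID_Y || (N_0 + 1) || E_{K_{X,Y}}(K_{XN,YN})"""
        _, peer, enc_nonce = msg
        old_key = self.keys[peer]
        n0 = int.from_bytes(E(old_key, b"CHL", enc_nonce), "big")
        new_key = secrets.token_bytes(16)
        self.keys[peer] = new_key     # key refreshment on Y's side
        return ("RES", self.id, (n0 + 1) % 2**64, E(old_key, b"RES", new_key))

    def accept(self, msg):
        """X checks N_0 + 1; only then does it adopt the new key and the neighbor."""
        _, peer, answer, enc_key = msg
        n0 = self.pending.pop(peer, None)   # one use per nonce: replays find nothing
        if n0 is None or answer != (n0 + 1) % 2**64:
            return False
        self.keys[peer] = E(self.keys[peer], b"RES", enc_key)
        self.neighbors.add(peer)
        return True

def handshake(x, y):
    """Run one challenge/response between x and y; return (accepted, response)."""
    res = y.respond(x.challenge(y.id))
    return x.accept(res), res

if __name__ == "__main__":
    k = secrets.token_bytes(16)                 # preloaded K_{X,Y} (constructed)
    x, y = Node("X", {"Y": k}), Node("Y", {"X": k})
    print(handshake(x, y)[0], x.keys["Y"] == y.keys["X"])   # legitimate neighbor
    outsider = Node("Y", {"X": secrets.token_bytes(16)})    # claims ID Y, wrong key
    print(handshake(Node("X", {"Y": k}), outsider)[0])
```

A responder without the preloaded key decrypts the challenge to a different nonce, so its $N_0 + 1$ does not match and the challenger keeps its old key and neighbor table.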

2) Route request: After the neighbor discovery, every sensor node knows the local topology but not the global topology to communicate with the sink. To obtain the whole topology, the sink needs to collect all of the local information from each node. With this global topology, the sink can monitor the network to avoid interference from adversaries. At the beginning of the network deployment, the sink locally broadcasts the route request (RREQ) message to its neighbors using the following format:

$\mathit{SK} \rightarrow \mathit{ALL} : \mathit{RREQ} \| \mathit{SK} \| \mathit{ALL} \| \mathit{MAC}_{K_G}(*) \| \text{position of } \mathit{SK} \| E_{K_G}(\mathit{OHC}_0),$

where $\mathit{RREQ}$ is the message type, $\mathit{SK}$ is the ID of the sink, $\mathit{ALL}$ denotes all nodes, $\mathit{MAC}_{K_G}(*)$ is the message authentication code (MAC) of the part before the MAC secured with the global key, and $E_{K_G}(\mathit{OHC}_0)$ is the initial one-way hash code ($\mathit{OHC}_0$) encrypted with the global key. Note that the RREQ message initiated by the sink includes $\mathit{OHC}_0$, which will be used later to generate the sequence number to be included in every message in the data forwarding phase. Each node in the network is initially pre-configured with a one-way function $F(\cdot)$ to generate a sequence number $S_0, S_1, \ldots, S_n$ such that $S_i = F(S_{i+1})$, $0 \le i < n$. Since OHCs function as sequence numbers of the message, inclusion of OHCs is a lightweight defense against adversaries trying to replay the same message in the network. This mechanism allows each node to authenticate that the OHC originated from the sink. Therefore, an adversary cannot arbitrarily impersonate the sink to send a fake $\mathit{OHC}_0$ without knowing the global key. A sensor node, say, node $X$, receiving the RREQ message directly from the sink rebroadcasts this message to its neighbors with the modification shown as follows:

$X \rightarrow \mathit{ALL} : \mathit{RREQ} \| \mathit{ID}_X \| \mathit{ALL} \| \mathit{MAC}_{K_G}(*) \| \text{position of } \mathit{SK} \| E_{K_G}(\mathit{OHC}_0),$

where the position information of the sink is included to be used in the secure grid construction to be described later.

Here, node $X$ replaces the sender ID of RREQ by its ID and includes its MAC. Each node receiving the RREQ message for the first time validates the sender of this RREQ message, records $\mathit{OHC}_0$, and rebroadcasts the message to its neighbors.

When node $Y$ receives this RREQ message, it checks the ID of the sender (node $X$) and looks up whether node $X$ is its verified neighbor. If the sender is valid, node $Y$ then calculates the MAC to ensure that the message format before the MAC has not been modified and records the value of $\mathit{OHC}_0$. If node $Y$ receives the same RREQ message again from the other nodes, it only checks the validity of the sender without rebroadcasting this message.

3) Secure grid construction: After receiving and rebroadcasting the RREQ message, every node constructs sink-oriented grids as explained previously. To securely construct grids, the source node $X$ then sends an announcement message to its neighbors using the following format:

where $\mathit{ANN}$ is the message type of announcement. The neighbor node $Y$ of the source node $X$ replies to the announcement message with its position using the following format:

$Y \rightarrow X : \mathit{RANN} \| \mathit{ID}_Y \| \mathit{MAC}_{K_{XN,YN}}(*) \| \text{position of } Y,$

where $\mathit{RANN}$ is the message type of announcement reply, and $\mathit{MAC}_{K_{XN,YN}}(*)$ is the MAC secured with the new shared node key known by nodes $Y$ and $X$. After obtaining the location information of all neighbors, the source node then determines the dissemination node for every dissemination point and informs each dissemination node of its position.

The format of the confirmation message from source node $X$ to a newly chosen dissemination node $Y$ is shown as follows:

$X \rightarrow Y : \mathit{CONF} \| \mathit{ID}_X \| \mathit{MAC}_{K_{XN,YN}}(*) \| \text{position of } X,$

where $\mathit{CONF}$ is the message type of confirmation. Note that the position of the source node can be used by the dissemination point to ensure that the source node is trustworthy through calculating the distance from itself to the source node (it should not be greater than $\alpha(\tfrac{1}{2} + \sqrt{2})$). By implementing this mechanism, the source node and the dissemination node can make sure that both parties are sincere.

4) Route reply: To answer the RREQ message in the route discovery phase initiated by the sink, a sensor node forwards its neighbor information to the sink by sending the route reply (RREP) message. After each node, say, node $Y$, receives the RREQ message, it waits for a fixed period of time and then sends the RREP message to the sink via its dissemination node $Z$ using the following format:

$Y \rightarrow Z : \mathit{RREP} \| \mathit{ID}_Y \| \mathit{SK} \| \mathit{MAC}_{K_{YN,ZN}}(*) \| E_{K_{SK,Y}}(\mathit{NBR}_Y),$

where $\mathit{RREP}$ is the message type of route reply, $\mathit{MAC}_{K_{YN,ZN}}$ is the message authentication code secured with the new shared node key known by nodes $Y$ and $Z$, and $E_{K_{SK,Y}}(\mathit{NBR}_Y)$ is the encrypted neighbor information of node $Y$ with the shared primary key known only by the sink and node $Y$, since node $Y$ includes IDs of all neighboring nodes in the RREP message. The information of the suspected node is also included with a specific mark so that the sink knows that some node tries to join the network as the neighbor of node $Y$ but fails in the authentication by node $Y$. The possible detailed neighbor information of node $Y$ ($\mathit{NBR}_Y$) is:

$\mathit{ID}_{n1} \| \mathit{ID}_{n2} \| \times\mathit{ID}_{n3} \| \ldots \| \mathit{ID}_{nk} \| \mathit{MAC}_{K_{SK,X}}(*),$

where $\mathit{ID}_{n1}$ to $\mathit{ID}_{nk}$ are the IDs of the neighbors of node $Y$. The malicious node, e.g., $\times\mathit{ID}_{n3}$, has an extra mark $\times$. The information is then used by the sink to inform the other nodes to update their neighbor tables. In this way, every node can participate in securing the network.

5) Routing update: After receiving neighbor tables from all sensor nodes in the network, the sink may suspect one or more sensor nodes to be malicious. There are several ways that the


checking the validity of the primary key. The second one is done by considering the report from one or more nodes in the network. To further confirm that a sensor node is truly malicious, we recognize that a node is malicious if there are at least $M$ sensor nodes reporting this malicious behavior, or the sink itself detects the malicious behavior and there are at least $M-1$ sensor nodes reporting the malicious behavior.

As for the action that can be taken by the sink to secure the network, it isolates the malicious node from the entire network. The sink may broadcast routing updates in the network to tell every node in the network to exclude the malicious node. However, this option is costly. Therefore, the sink only sends routing updates to those nodes that have malicious neighboring nodes in their neighbor tables. The format of the routing update message sent by the sink to node $X$ via node $Y$ is given as follows:

$\mathit{SK} \rightarrow Y : \mathit{RUP} \| \mathit{SK} \| \mathit{ID}_X \| \mathit{MAC}_{K_{SK,Y}}(*) \| E_{K_{SK,X}}(\text{ID of Malicious Node}),$

where $\mathit{RUP}$ is the message type of routing update, and $E_{K_{SK,X}}(\text{ID of Malicious Node})$ is the malicious ID encrypted using the primary key known by the sink and node $X$. When an intermediate node $Y$ receives the routing update message, it forwards it to its upstream nodes until the message reaches node $X$ in the modified format. Node $Y$ needs to reconfigure the message so that the routing update message sent by node $Y$ to node $X$ has the following format:

$Y \rightarrow X : \mathit{RUP} \| \mathit{ID}_Y \| \mathit{ID}_X \| \mathit{MAC}_{K_{XN,YN}}(*) \| E_{K_{SK,X}}(\text{ID of Malicious Node}).$

6) Data forwarding: After the sink sends routing updates, each node waits for a fixed time period. Afterward, the source node forwards data to the sink via the dissemination node chosen according to the farthest-highest dissemination node search mechanism explained previously. Node $X$ forwards data to the sink via node $Y$ using the following format:

$X \rightarrow Y : \mathit{DATA} \| \mathit{ID}_X \| \mathit{SK} \| \mathit{OHC}_n \| \mathit{MAC}_{K_{XN,YN}}(*) \| E_{K_{SK,X}}(\mathit{Data}),$

where $\mathit{OHC}_n$ is the latest OHC sequence number of its dissemination node or neighboring node. Note that $\mathit{MAC}_{K_{XN,YN}}(*)$ is included to authenticate that the ID of the sender is the same as that sent by the legitimate sender $X$. Since the data is encrypted with the shared primary key $K_{SK,X}$ known only by the sink and the sending node $X$, an intermediate node cannot decrypt it. This ensures that the data is only known by the sink and the source node. On receiving the data packet, the dissemination nodes of node $X$ send their latest energy information to node $X$ to determine the path later. On receiving a message from an arbitrary node, say, node $X$, during the communication by a node, say, node $Y$, node $Y$ launches the two-way handshake with key refreshment if node $Y$ notices that node $X$ is not in its neighbor list. After launching the two-way handshake, node $Y$ informs the sink of its

RREP message via an intermediate node $Z$ shown as follows:

$Y \rightarrow Z : \mathit{NINF} \| \mathit{ID}_Y \| \mathit{SK} \| \mathit{MAC}_{K_{YN,ZN}}(*) \| E_{K_{SK,Y}}(\mathit{NBR}_Y),$

where $\mathit{NINF}$ is the message type of new neighbor information. Here $\mathit{NBR}_Y$ contains only the new joining node ID and MAC, i.e., $\mathit{ID}_X \| \mathit{MAC}_{K_{SK,X}}(\mathit{ID}_X)$. On receiving the $\mathit{NINF}$ message, the sink sends an RREQ message to the new joining node, say, node $X$, via an arbitrary node $W$ using the following format:

$\mathit{SK} \rightarrow W : \mathit{RREQ} \| \mathit{SK} \| \mathit{ID}_X \| \mathit{MAC}_{K_G}(*) \| \text{position of } \mathit{SK} \| E_{K_G}(\mathit{OHC}_0).$

The new joining node $X$ then follows the mechanism explained previously.
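An added receiver-side sketch, not the paper's code, that combines the OHC chain $S_i = F(S_{i+1})$ from the route request step with the MAC check on a DATA message. SHA-256 for $F$, HMAC-SHA256 for the MAC, the loss window `max_gap`, the field encoding, and the premise that the sender releases chain values in order are all assumptions of this example.

```python
import hashlib
import hmac

def F(v: bytes) -> bytes:
    """One-way function F(.); SHA-256 is this example's assumption."""
    return hashlib.sha256(v).digest()

def make_chain(seed: bytes, n: int) -> list:
    """[S_0, ..., S_n] with S_i = F(S_{i+1}); S_n = seed stays secret."""
    chain = [seed]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def mac(key: bytes, fields) -> bytes:
    """MAC over the fields that precede it. Each field is length-prefixed so
    the concatenation is unambiguous."""
    body = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, body, hashlib.sha256).digest()

def data_msg(key, sender, ohc, payload):
    """DATA || ID_X || SK || OHC || MAC(*) || payload (payload assumed encrypted)."""
    fields = [b"DATA", sender, b"SK", ohc]
    return (*fields, mac(key, fields), payload)

class Receiver:
    def __init__(self, ohc0: bytes, node_keys: dict, max_gap: int = 8):
        self.last = ohc0            # newest OHC accepted so far (starts at OHC_0)
        self.node_keys = node_keys  # verified neighbor id -> refreshed node key
        self.max_gap = max_gap      # number of lost messages tolerated

    def check(self, msg) -> str:
        mtype, sender, dest, ohc, tag, _payload = msg
        key = self.node_keys.get(sender)
        if key is None:
            return "unknown-sender"          # not a verified neighbor
        if not hmac.compare_digest(tag, mac(key, [mtype, sender, dest, ohc])):
            return "bad-mac"
        v = ohc
        for _ in range(self.max_gap):
            v = F(v)
            if v == self.last:               # ohc is strictly newer than self.last
                self.last = ohc
                return "ok"
        return "stale-or-forged-ohc"         # replayed, too old, or off the chain

if __name__ == "__main__":
    key = b"k" * 16                              # constructed node key
    chain = make_chain(b"constructed-seed", 5)   # constructed sample chain
    rx = Receiver(chain[0], {b"X": key})
    first = data_msg(key, b"X", chain[1], b"<ciphertext>")
    print(rx.check(first), rx.check(first))      # second call is a replay
```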

IV. SECURITY ANALYSIS OF THE PROPOSED PROTOCOL

The security strength of the proposed protocol is now analyzed as follows. First, one can note that the proposed protocol can defend against some typical attacks on routing, including

Sybil attack: In the sybil attack, a malicious node pretends to have multiple identities in the network. When a node sends a packet to another node, authentication is performed by our protocol to ascertain that a node cannot impersonate other nodes in the network. Unless the adversary captures some node to obtain the key, no node can pretend to be another node. Thus, the sybil attack does not work in our protocol.

Wormhole and sink-hole attacks: An adversary can launch the combination of wormhole and sink-hole attacks by tunneling and replaying messages in any part of the network. Since our protocol provides an OHC in every forwarded message, it is resistant to wormhole and sink-hole attacks.

Black hole and selective forwarding attacks: The black hole attack occurs when an adversary advertises low-cost routes to the network. Once nodes route via it, the adversary can selectively forward/drop packets. Since the routing decision is determined by the source according to the location and remaining energy of the dissemination node, our protocol is resistant to the black hole attack unless the adversary captures a node.

Manipulation of routing information attack: In our protocol, every sensor node performs the two-way handshake before building its own neighbor information and determining its forwarding path. The sink also takes the responsibility to update the routing information of every node in the network. Hence, our protocol is resistant to the manipulation of route information attack.

Hello flood attack: A hello flood attack happens if the adversary sends HELLO messages to the network in order to convince other nodes that the adversary is a neighbor. Because of the two-way handshake with key refreshment, our protocol is resistant to the hello flood attack.


the pre-distribution of a set of three encryption keys. In case an adversary captures a node, the adversary could get the three types of key. Therefore, the node key shared by two neighboring nodes should be updated. By updating the node key, the adversary can only get the shared node key between the captured node and its neighbors when it is captured. In the following, the random node capture attack is further considered since it is more threatening than the aforementioned attacks. Now, let us investigate the security strength under the random node capture attack.

We first derive the percentage of cells affected by the random node capture attack with respect to the data authenticity
