Secure Hop-by-Hop Aggregation of End-to-End Concealed Data in Wireless Sensor Networks
arXiv [cs.CR], Mar
Esam Mlaih
Department of Computer Science, Texas A&M University, TX 77843, USA. Email: [email protected]
Salah A. Aly
Department of Computer Science, Texas A&M University, TX 77843, USA. Email: [email protected]
Abstract—In-network data aggregation is an essential technique in mission-critical wireless sensor networks (WSNs) for achieving effective transmission and hence better power conservation. Common security protocols for aggregated WSNs are either hop-by-hop or end-to-end, each of which has its own encryption schemes considering different security primitives. End-to-end encrypted data aggregation protocols introduce maximum data secrecy with inefficient data aggregation and more vulnerability to active attacks, while hop-by-hop data aggregation protocols introduce maximum data integrity with efficient data aggregation and more vulnerability to passive attacks.

In this paper, we propose a secure aggregation protocol for aggregated WSNs deployed in hostile environments in which dual attack modes are present. Our proposed protocol is a blend of flexible data aggregation as in hop-by-hop protocols and optimal data confidentiality as in end-to-end protocols. Our protocol introduces an efficient $O(1)$ heuristic for checking data integrity along with a cost-effective heuristic-based divide-and-conquer attestation process, which is $O(\ln n)$ on average and $O(n)$ in the worst case, for further verification of aggregated results.

I. INTRODUCTION
A wireless sensor network is usually a collection of hundreds or thousands of resource-constrained devices with small memories, low bandwidth and limited power resources. They are deployed in fields where persistent human monitoring and surveillance are either impossible or infeasible. These small detectors can be used to sense events ranging from simple readings (e.g. sensing room temperature) to more important and sensitive measures (e.g. intruder detection in military applications, detecting wildfire or signs of any catastrophic phenomena). Raw data collected using these limited sensors are usually queried by a more powerful device called the base station (BS), which may be far away from the sensing fields, for further analysis and event-based reactions [16].

Since wireless sensor networks are energy constrained and bandwidth limited, reducing communications between sensors and base stations has a significant effect on power conservation and bandwidth utilization [7]. Aggregated sensor networks serve this purpose by introducing designated nodes called aggregators that provide efficient data collection and transmission. An aggregator can sense its own data while aggregating received results from children nodes, which in turn may be leaf sensors or aggregators as well.

Aggregated wireless sensor networks provide better power conservation and efficient use of communication channels but introduce additional security concerns. A passive adversary may capture sensitive results of aggregated data that represent a large partition of the aggregated WSN if the key of the root aggregator of that partition is compromised. On the other hand, an active adversary can forge aggregated data of a partition by compromising the parent node of that partition. Many security protocols for aggregated WSNs were introduced to solve these security problems. These security protocols can be classified according to their underlying encryption schemes into end-to-end and hop-by-hop secure data aggregation protocols.

The paper is organized as follows. In Section II, we present previous work on secure aggregation in WSNs and we define our problem. In Section III, we present our network model and its design goals, along with the attacker model. In Sections IV and V, we demonstrate our security protocol and provide analysis of its complexity. The paper is concluded in Section VIII.

II. RELATED WORK
In this section, we give a short background on previous work on secure aggregation protocols in WSNs, which are classified as end-to-end and hop-by-hop.

In end-to-end encryption schemes [1], [4], [10], [15], intermediate aggregators apply some aggregation functions on encrypted data which they can't decrypt. This is because these intermediate aggregators don't have access to the keys that are only shared between data originators (usually leaf sensor nodes) and the BS. In CDA [4], sensor nodes share a common symmetric key with the BS that is kept hidden from middle-way aggregators. In [1], each leaf sensor shares a distinct long-term key with the BS. This key is originally derived from the master secret only known to the BS. These protocols show that aggregation of end-to-end encrypted data is possible through using additive Privacy Homomorphism (PH) as the underlying encryption scheme. Although these protocols are supposed to provide maximum data secrecy across the paths between leaf sensor nodes and their sink, overall secrecy resilience of a WSN is in danger if an adversary gains access to the master key in [1], or compromises only a single leaf sensor node in CDA to acquire the common symmetric key shared between all leaf nodes.

In [10], [15], public key encryption based on elliptic curves is used to conceal transient data from leaf sensors to the BS. These schemes enhance secrecy resilience of WSNs against individual sensor attacks, since compromising a single sensor node or a set of sensor nodes won't reveal the decryption key that only the BS knows. An attractive feature of [10] is the introduction of data integrity in end-to-end encrypted WSNs through Merkle hash trees of Message Authentication Codes (MACs). However, both schemes raise power consumption concerns, since computation requirements for public key encryption are still considered high for WSNs [12].

Many hop-by-hop aggregation protocols in WSNs, like [3], [6], [9], [13], [17], provide more efficient aggregation operations and give high consideration to data integrity. However, since sensed data being passed to non-leaf aggregators are revealed for the sake of middle-way aggregation, hop-by-hop aggregation protocols represent a weaker model from the data confidentiality perspective than end-to-end aggregation protocols. Data secrecy of a partition can be revoked if a passive adversary has obtained the key of the root aggregator of that partition.
A. Problem Statement
The challenge is to find a general security protocol for aggregated WSNs that is not limited to a certain topology and provides strong data confidentiality comparable to that in secure end-to-end communication protocols. Also, it should provide efficient data aggregation and integrity comparable to those in hop-by-hop aggregation, taking into account the presence of active and passive adversaries. So, when some nodes of the aggregated WSN are physically compromised, the compromiser must not gain more information or have influence on aggregated results beyond the effects of its compromised nodes. For these purposes, we propose our security protocol that provides end-to-end data concealment using data diffusion and, at the same time, provides secure and flexible hop-by-hop aggregation with an efficient data integrity test, followed by an attestation process when forged data are detected in order to eliminate and exclude contributions of any compromised nodes that might be the source of the forged data.

III. SYSTEM MODEL
A. Notations
We use the following notations to describe our protocol:

• $BS$ refers to the Base Station.
• $S = \{S_1, S_2, \ldots, S_n\}$ represents the set of sensor/aggregator nodes in the WSN. Since in our model sensors have the aggregation capabilities, the term sensor will be used to refer to a sensor that aggregates as well.
• $ID_{S_i}$ refers to the node ID of sensor node $S_i$.
• $K_{S_i,S_j}$ denotes a pairwise symmetric key between node $S_i$ and node $S_j$. $K_{S_i}$ and $K'_{S_i}$ are two pairwise symmetric keys of node $S_i$ shared with the BS, and $\mathcal{K}$ is the set of all keys.
• $m_{S_i}$ denotes a sensed data value read by sensor $S_i$. $m_{S_i}$ is a bounded real value, i.e. $m_{S_i} \in \mathcal{D} = [u, v]$ for maximum and minimum sensible values $v$ and $u$, respectively.
• $Enc_K(m)$ denotes an encryption of a message $m$ using a key $K$.
• $MAC(K_{S_i}, m_{S_i})$ denotes a message authentication code of $m_{S_i}$ that is sensed by sensor $S_i$; this code is generated using the symmetric key $K_{S_i}$ that is shared between $S_i$ and the BS.
• $F_K(m)$ refers to a diffusion algorithm that is public knowledge in the WSN. It takes as input a key $K$ and a data value $m$; the result is a diffused value $D \in [u, v]$.
• $S_i \longrightarrow S_j$ represents a one (or more) hop communication from sensor node $S_i$ to $S_j$.

Fig. 1. Network Model (Aggregated WSN). (Figure labels: BS; levels $i$, $j$, $k$ with $n$, $n'$, $n''$ nodes.)

B. Network Model
We assume a general aggregated multi-hop WSN consisting of a large collection of resource-constrained sensor/aggregator nodes (MICA motes [5], for example) connected in a tree topology rooted at a powerful node called the Base Station (BS). An illustration of this model is depicted in Fig. 1. We don't impose any restrictions on the topology as long as it is a connected tree rooted at the BS. We don't require a specific aggregation tree construction algorithm; any efficient tree construction algorithm like TaG [8] can be used in our model. The BS may initially issue aggregation queries, or it may be connected to an off-network distant querier, which is in this case considered the data consumer, with the BS considered its query server. Aggregation queries represent the union of all sensor readings along the paths of the WSN to its root, i.e. the BS.

We assume that every sensor node $S_i$ is deployed with two unique symmetric keys $K_{S_i}$ and $K'_{S_i}$ shared with the BS, using a secure key deployment protocol like MIB [11]. A secure broadcast authentication protocol is assumed for authenticating messages; an example of such a protocol is µTESLA [12]. Secure key distribution between adjacent nodes is also assumed; some schemes can be found in [2].
C. Attacker Model
We assume a dual operational mode adversary (both passive and active) who is interested in revealing in-network data secrecy and injecting forged data. In our model, we consider effective attacks, where an adversary physically compromises $k \ll n$ nodes to gain the advantage that would result from attacking $m$ nodes, where $k < m \le n$, without the need of attempting such an attack on these $m$ nodes directly. That is, with few compromised nodes, an adversary can endanger the security of an aggregated WSN as if it had physically compromised a much larger collection of nodes. When we denote a node as being physically compromised, we mean that an adversary has gained control over the node's operation, has access to all its memory, keys, and resources, and is capable of reprogramming such a compromised node with attacking code. The attacker is not limited to a single place; it can compromise scattered partitions of nodes in which every partition may have nodes in a parent/children relationship.

In this work, we don't consider preventing attacks that disrupt the regular operation of a WSN, such as denial-of-service (DoS) attacks [14] or underlying routing protocol attacks. We are interested in preventing attacks that aim to acquire aggregation results or tamper with them rather than attacks that aim to prevent a querier from being served.

D. Design Goals
We designed our protocol to protect against spy-out and false data injection attacks. For that, we considered the following security perspectives:

• Resilience: An adversary who compromises few nodes of an aggregated WSN must not spy out or gain any impact on the final aggregation outcome beyond the influence of the readings and results of its compromised nodes.
• Efficient Data Integrity, Commitment and Attestation: The aggregation result must be verified to be the authentic union of sensor readings and intermediate results. Such verification and attestation processes should not impose significant overhead on the WSN beyond the aggregation communication overhead.
• Generality: The protocol should apply to any aggregated WSN with arbitrary tree topology; moreover, the protocol should support expandable WSNs without any extra reconfiguration.
• Status Monitoring: The BS must determine when a sensor node becomes dead or unreachable, by knowing and maintaining a list of all nodes that contributed to every aggregation query.

IV. EFFICIENT AND SECURE DATA AGGREGATION PROTOCOL
In this section, we present our proposed protocol that resolves the compromise between data secrecy and efficient aggregation. An overview of the protocol will be presented first, then it will be followed by a discussion of the protocol details.
A. Overview
Our protocol is designed around the approach of data diffusion that preserves the mathematical relationships between different values, which are all bounded by a defined range. By preserving mathematical relationships we can perform efficient hop-by-hop aggregation of collected diffused data. The information about these mathematical relationships is kept concealed end-to-end to maintain complete communication path secrecy. Besides maintaining the mathematical relationships, the diffusion algorithm must not increase the size of encrypted data. Based on this, we can achieve efficient secure hop-by-hop aggregation of end-to-end concealed data in aggregated WSNs.
B. Network Setup and Query Dissemination
After field deployment, communication paths should be established. An efficient algorithm like TaG [8] can be used for tree topology construction. Communication channels are secured using pairwise encryption keys between every parent/children nodes; this is the same technique used in many hop-by-hop protocols (e.g. [17]) for securing communication channels.

After tree construction, every sensor node $S_i$ sends its $ID_{S_i}$ and an initial random reading $m_i \in [u, v]$ to the BS in a message encrypted using the pairwise symmetric key $K_{S_i}$. The initial random reading $m_i$ serves in the data diffusion algorithm, as we will see later.

When the BS receives a query from a querier, it disseminates this query through the WSN paths. This query contains the desired aggregation function to be performed.

C. Data Diffusion
The purpose of the data diffusion process is to consolidate transient data from intermediate aggregators while giving them flexibility and efficiency when applying aggregation functions on these concealed data. Data diffusion also serves in the data integrity check, as we will see later. Every sensor node diffuses its sensed data before transmission. Middle-way aggregation of diffused data occurs before the final result reaches the BS, which is the only one who can revert the diffused result to its actual value.

Let $S = \{S_1, S_2, \ldots, S_n\}$ be the set of sensor nodes, where every node $S_i$ reads a value $m_{S_i}$. Every sensor node $S_i$ uses a diffusion function $F_K(m_{S_i})$, using the keys $K_{S_i}$ and $K'_{S_i}$ to generate a pair of diffused data, where $K_{S_i}$, $K'_{S_i}$ are two shared keys between $S_i$ and the base station (BS). We define the diffusion function $F_{K_{S_i}}(m_{S_i})$ as follows:

Definition 1: Assume $P_S : \mathcal{D} \times \mathcal{K} \to \mathcal{D}$ is a public generator map (i.e., a one-way function) that produces

$$D_j = P_S(K_{S_i}, D_{j-1}) \tag{1}$$

where $D_j \in \mathcal{D}$, $D_0 = m_{S_i}$, and $K_{S_i} \in \mathcal{K}$ for $j \ge 1$ and $1 \le i \le n$. Let $F : \mathcal{D} \times \mathcal{D} \longrightarrow \mathcal{D}$ be a diffusion function defined as

$$F_{K_{S_i}}(m^j_{S_i}) = P_S(K_{S_i}, D_{j-1}) \odot m^j_{S_i} \tag{2}$$

The value of the generator sequence $P_S$ is taken as an input along with the sensed reading $m^j_{S_i}$ to the mathematical operand $\odot$, which generates a diffused value $F_{K_{S_i}}(m^j_{S_i}) \in \mathcal{D}$. There is no strict definition of the operand $\odot$; it refers to any reversible operation that takes two inputs and produces an output that belongs to $\mathcal{D}$. Examples of $\odot$ could vary between trivial operators such as simple addition "+" and more complex bijection functions. $D'_j$ is generated symmetrically to $D_j$, but using key $K'_{S_i}$ instead of $K_{S_i}$.

Fig. 2. An example of an aggregated WSN tree. (Node labels in the figure: BS, H, G, Q, W, R, X, Y, Z.)

Since the BS shares the private key $K_{S_i}$ and initial random reading $m_{S_i}$ of every sensor node $S_i$, the BS is able to generate the diffusion value $D_j$ of every transmission phase. This means that the BS can revert every diffused reading $D^j_{S_i}$ sent by a sensor $S_i$ in the WSN to its actual value.

V. THE SUM AGGREGATION
In this section, we propose the $SUM$ aggregation function in our secure aggregation protocol. The algorithm that performs the $SUM$ aggregation, SumAgg, is illustrated in Algorithm 1. When the BS receives a query for the $SUM$ aggregation function, it broadcasts this request through the WSN. Whenever a sensor node gets this request, it passes the request to its children nodes; this goes on until reaching leaf level. A leaf sensor node receiving this request will send its diffused reading to its parent. For illustration purposes, let us consider the network in Fig. 2. Leaf sensor $X$ sends the following packet to its immediate parent $W$:

$$X \longrightarrow W : ID_X,\ IV_{X,W},\ Enc_{K_{X,W}}\Big(F_{K_X}(m_X),\ F_{K'_X}(m_X)\Big),\ MAC_X \tag{3}$$

where

$$MAC_X = MAC\Big(K_X,\ F_{K_X}(m_X) \,\|\, F_{K'_X}(m_X)\Big) \tag{4}$$

As we can see, node $X$ sends its $ID_X$ and an encrypted pair of its diffused sensed data $m_X$ to its parent $W$. $X$ also sends a pairwise counter $IV_{X,W}$ to protect against replay attacks. Finally, $X$ computes a MAC of its reading using its private key and attaches it at the end of the packet for authentication purposes, as we shall see later.

The sensor node $W$ receives similar packets from its other children, i.e. $Y$ and $Z$. Now $W$ needs to aggregate data received from its children along with its own sensed data $m_W$. This is done through applying the $SUM$ aggregation function, as we can see in the following packet that $W$ sends to its parent $G$:

$$W \longrightarrow G : list_W,\ IV_{W,G},\ Enc_{K_{W,G}}\Big(\sum_{S_i \in list_W} F_{K_{S_i}}(m_{S_i}),\ \sum_{S_i \in list_W} F_{K'_{S_i}}(m_{S_i})\Big),\ MAC_W \tag{5}$$

where

$$MAC_W = MAC\Big(K_W,\ \sum_{S_i \in list_W} F_{K_{S_i}}(m_{S_i}) \,\Big\|\, \sum_{S_i \in list_W} F_{K'_{S_i}}(m_{S_i})\Big) \oplus MAC_X \oplus MAC_Y \oplus MAC_Z \tag{6}$$

Algorithm 1: SumAgg: $SUM$ Aggregation Algorithm

    Input: A WSN with set $S$ of $n$ nodes and BS.
    Output: $SUM$ aggregation result.
    BS broadcasts $SUM$ aggregation query in the WSN
    for $\forall S_i \in S$ do
        $list_{S_i} = \{ID_{S_i}\}$
        Sense $m_{S_i}$
        $DSUM_{S_i} = F_{K_{S_i}}(m_{S_i})$
        $DSUM'_{S_i} = F_{K'_{S_i}}(m_{S_i})$
        for $\forall S_j$ that is an immediate child of $S_i$ do
            $DSUM_{S_i} = DSUM_{S_i} + DSUM_{S_j}$
            $DSUM'_{S_i} = DSUM'_{S_i} + DSUM'_{S_j}$
            $list_{S_i} = list_{S_i} \cup list_{S_j}$
        end for
    end for
    BS sums aggregation of its immediate children nodes.
    if IPET check for final aggregation result in the BS passes then
        return $SUM$
    else
        Call ComAtt /* Commitment and Attestation Algo. */
    end if

Here $list_W$ represents the list of all IDs of the children of $W$ who contributed in the aggregation, including $ID_W$. As we can see, $W$ sends its $ID_W$ and the IDs of all its children who contributed in the aggregation, and the aggregated $SUM$ of their data. As shown above, $W$ sums all pairs of data in order, i.e. all first elements of every pair are summed together, and the same thing happens to the second elements of all pairs. This scenario continues until the BS receives from every immediate child a packet that contains the IDs of all nodes that participated in the $SUM$ aggregation on the partition rooted at that child, along with its diffused aggregation pair. The BS then computes the final aggregation pair $(DSUM, DSUM')$ of diffused summation:

$$(DSUM, DSUM') = \Big(\sum_{i \in list^*} F_{K_i}(m_{S_i}),\ \sum_{i \in list^*} F_{K'_i}(m_{S_i})\Big) \tag{7}$$

where

$$list^* = list_H \cup \ldots \cup list_G \cup \ldots \cup list_Q \tag{8}$$

The actual values of this diffused pair $(DSUM, DSUM')$ should refer to the same output, but since they are diffused differently, they look different. Because the BS knows $K_{S_i}$ and $K'_{S_i}$ for every node $S_i$, the BS is able to generate the diffusion values that every node that contributed in the aggregation has used to diffuse its reading, so the BS can revert the pair $(DSUM, DSUM')$ to their actual values. This is done by finding the summations of all diffusion values that were applied along the path of aggregation, and using these summations when applying the reverse diffusion function on the counterpart results $DSUM$ and $DSUM'$:

$$(SUM, SUM') = \Big(DSUM \mathbin{\bar{\odot}} \sum_{i \in list^*} D_i,\ DSUM' \mathbin{\bar{\odot}} \sum_{i \in list^*} D'_i\Big) \tag{9}$$

Here, the operand $\bar{\odot}$ refers to the reverse of the diffusion operation. Now that the BS has revealed the actual result of the $SUM$ and $SUM'$ aggregation, it needs to check the integrity of this result. The BS checks the equality of the reverted pair $SUM$ and $SUM'$; if they are equal then the aggregation result is accepted (unless the BS doubts it), otherwise the result is rejected and the attestation process will start to detect the path and the source of the outliers, as explained in Section VI.

The test that uses Equation 9 and then checks the equality of the resulting pair is called the Identical Pair Equality Test (IPET). IPET is an $O(1)$ heuristic that gives us a quick initial indication about the integrity of the aggregation result.

Lemma 2:
The complexity of the SumAgg algorithm with data diffusion is $O(n \ln(n))$ on average, and the BS needs $O(1)$ to verify the integrity of the final aggregation result.

Other aggregation functions like $MEAN$ and $MAX$ can be derived from the above description of $SUM$ aggregation with slight modifications.

VI. COMMITMENT AND ATTESTATION
In this section we turn our attention to verifying sensors' commitments of aggregation, and attestation for finding outlier or compromised nodes. Note that we don't consider detecting the case where a compromised node tries to forge its own data; such a situation is hard to detect if the forged data belongs to the normal data range, and it resembles node malfunction. In contrast, we are interested in detecting compromised nodes that are trying to forge aggregation data of their non-compromised children. The divide-and-conquer algorithm for commitment and attestation, ComAtt, is presented in Algorithm 2. This algorithm uses the IPET check as a heuristic to reconstruct only those branches of the network MAC tree which are necessary for the attestation process, avoiding unnecessary reconstruction of the whole MAC tree of the WSN.

Algorithm 2: ComAtt: Commitment and Attestation Algo.

    Input: $list^*$ (list of IDs of all nodes contributed in an aggregation), $MAC_{Agg}$ (MAC of final aggregation result)
    Output: $list_L$ (list of IDs of outliers)
    $list_L = \emptyset$, $list_C = \emptyset$
    $Q = \{S_i : \forall S_i \in list^* \wedge S_i$ is immediate children of BS$\}$
    while $Q \ne \emptyset$ do
        Pick a node $S_i$ from $Q$
        $S_i \longrightarrow BS : list_{S_i}, IV_{S_i}, (DSUM_{S_i}, DSUM'_{S_i}), MAC_{S_i}$
        $MAC^{Calc}_{S_i}$ = Reconstructed $MAC_{S_i}$ in BS using collected data and $MAC_{Agg}$
        if $MAC^{Calc}_{S_i} \ne MAC_{S_i}$ OR IPET check of $S_i$ packet fails then
            if $S_i$ is not committed to its previous aggregation packet then
                $list_C = list_C \cup S_i$
            end if
            $list_L = list_L \cup S_i$
            $Q = Q \cup \{S_j : \forall S_j \in list^* \wedge S_j$ is immediate children of $S_i\}$
        end if
        $Q = Q - S_i$
    end while
    for $\forall S_i \in list_L - list_C$ do
        $list'_{S_i} = (list_{S_i} - list_L) \cup S_i$
        $S_i \longrightarrow BS : list'_{S_i}, IV_{S_i}, \big(\sum_{j \in list'_{S_i}} F_{K_j}(m_j), \sum_{j \in list'_{S_i}} F_{K'_j}(m_j)\big), MAC_{S_i}$
        if IPET check of aggregation pair of $S_i$ passes then
            $list_L = list_L - S_i$
        end if
    end for
    RETURN $list_L$

When the BS discovers that the final aggregation result fails the IPET check, it starts the attestation process by adding its immediate children who contributed in the aggregation to the set $Q$ (the set containing nodes to be tested) for verification. For every node $S_i \in Q$, the BS checks $S_i$ as follows. The BS asks every node $S_i \in Q$ to resend its aggregation packet. The BS then checks the commitment of $S_i$ by constructing its authentication code $MAC^{Calc}_{S_i}$ with the help of the final aggregation result authentication code $MAC_{Agg}$ and collected data. If $MAC^{Calc}_{S_i}$ is identical to $MAC_{S_i}$, then the BS knows that $S_i$ is committed to its previously sent aggregation packet. If $S_i$ is committed and its aggregation pair passes the IPET check, then it is assumed honest (unless the BS doubts its result, as we shall see later) and its descendants will be excluded from further verifications. On the other hand, if $S_i$ appears not to be committed to its previously sent aggregation, or its aggregation pair fails the IPET test, then $S_i$ is added to the list of outliers $list_L$, and every child $S_j$ of $S_i$ is added to the set $Q$ for further investigation. For the case when the commitment test of $S_i$ fails, $S_i$ is also added to the list of not committed nodes $list_C$.

After processing all nodes in $Q$, $list_L$ will contain suspected nodes that either are not committed or failed the IPET check. Non-committed nodes in $list_L$ are directly considered dishonest or compromised without any further investigation. However, it might be the case that an honest committed node in $list_L$ failed the IPET check because one or more of its children were compromised. We need to eliminate such honest nodes from $list_L$; this is done by further investigation of committed nodes that fail the IPET check, i.e. $S_i \in list_L - list_C$. For every such node $S_i$, the BS requests a new aggregation from $S_i$ that excludes data from any node $S_j \in list_L$; that is, the BS is giving $S_i$ a chance to prove its honesty by finding the aggregation of only its honest children. If the new aggregation of $S_i$ passes the IPET check, then $S_i$ is removed from $list_L$; otherwise, it is kept there. Finally, the ComAtt algorithm returns $list_L$, which contains the set of outliers or compromised nodes.

Lemma 3:
The commitment process in the ComAtt algorithm is $O(c \ln n)$ on average for some constant $c$, and $O(n)$ in the worst case.

Proof: The proof is a direct consequence of the binary tree search algorithm, considering that the height (depth) of aggregation equals $\ln n$ on average.

VII. SECURITY ANALYSIS
In this section, we show how our security protocol compares to hop-by-hop and end-to-end protocols in terms of security level and efficiency of the data integrity check.
A. Node Attacks
We consider the logical hypothesis that a node $S_i$ is attacked by an intruder (attacker) $I$. This attacker $I$ can gain access to all information of this node, including $K_{S_i}$, $list_{S_i}$ and $m_{S_i}$. In this case, it can alter the message $m_{S_i}$ to $m_I$ and encrypt it using the key $K_{S_i}$. We show that the only influence such an attacker can have on the final aggregation result is sending forged aggregation of attacked nodes. If the attacker attempts to change the aggregation values of its children without knowing their dual diffusion seeds, then this attempt will be quickly caught by the IPET test. So, an attacker in this case won't be able to forge its aggregation except by changing its own reading $m_I$ and the aggregations of those children whose dual diffusion seeds are known to the attacker. That is, if an attacker wants to forge the aggregation of $n$ nodes and not get caught by IPET, then this attacker must compromise or acquire the private data of $n$ nodes.

Lemma 4: Our aggregation protocol represents a security model against spy-out attacks that is better than or at least as good as hop-by-hop aggregation protocols.
Proof:
Our protocol has an advantage over hop-by-hop protocols because of transient data diffusion. Only when a passive adversary succeeds in breaking the diffused data of all children of a hop does our protocol become vulnerable to spy-out attacks as any other hop-by-hop protocol.
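The SumAgg and IPET flow of Section V, the IPET-guided search of Section VI, and the Node Attacks case of a parent altering a child's aggregate without that child's diffusion seeds, simulated in an added example that is not the authors' code. It assumes $\odot$ is addition mod $2^{32}$ and HMAC-SHA256 as a stand-in for $P_S$; keys, readings and topology are constructed (nodes A-D and R's parent are invented), and hop encryption and the MAC commitment step are left out.

```python
import hashlib
import hmac

M = 2**32  # assumption: readings and diffused values are integers mod 2^32

# Constructed topology: BS, H, G, Q, W, R, X, Y, Z follow the labels of Fig. 2
# (R's parent is assumed); A-D are invented so that H and Q have subtrees.
TREE = {"BS": ["H", "G", "Q"], "H": ["A", "B"], "G": ["W", "R"],
        "Q": ["C", "D"], "W": ["X", "Y", "Z"]}
# Constructed sensor readings m_Si.
READINGS = {"H": 21, "A": 20, "B": 22, "G": 19, "W": 20, "R": 22,
            "X": 18, "Y": 25, "Z": 24, "Q": 23, "C": 21, "D": 26}


def _derive(tag, node):
    """Constructed per-node secret material (stands in for provisioned keys)."""
    return hashlib.sha256(f"{tag}:{node}".encode()).digest()


def _gen(key, prev):
    """Stand-in for P_S: D_j = P_S(K, D_{j-1}), truncated to 32 bits."""
    return int.from_bytes(hmac.new(key, prev, hashlib.sha256).digest()[:4], "big")


def seeds(node):
    """(D_1, D'_1) of a node; only the node and the BS can compute them."""
    d0 = _derive("D0", node)[:4]
    return _gen(_derive("K", node), d0), _gen(_derive("K'", node), d0)


def diffuse(node, m):
    """The pair (F_K(m), F_K'(m)) with the operand taken as addition mod M."""
    d, d2 = seeds(node)
    return (d + m) % M, (d2 + m) % M


def aggregate(node, forger=None, victim=None, forged=0, skip=()):
    """SumAgg at `node`: returns (ID list, DSUM, DSUM').

    A `forger` replaces its child `victim`'s pair with a forged reading
    diffused under its own seeds, since it does not know the child's.
    Children named in `skip` are left out (re-aggregation request)."""
    ids, (s, s2) = [node], diffuse(node, READINGS[node])
    for child in TREE.get(node, []):
        if child in skip:
            continue
        c_ids, c, c2 = aggregate(child, forger, victim, forged, skip)
        if node == forger and child == victim:
            c, c2 = diffuse(node, forged)
        ids, s, s2 = ids + c_ids, (s + c) % M, (s2 + c2) % M
    return ids, s, s2


def ipet(ids, s, s2):
    """Identical Pair Equality Test: revert both sums with the listed nodes' seeds."""
    d = sum(seeds(i)[0] for i in ids) % M
    d2 = sum(seeds(i)[1] for i in ids) % M
    total, total2 = (s - d) % M, (s2 - d2) % M
    ok = total == total2
    return ok, (total if ok else None)


def bs_query(**attack):
    """BS sums the packets of its immediate children and runs IPET once."""
    ids, s, s2 = [], 0, 0
    for child in TREE["BS"]:
        c_ids, c, c2 = aggregate(child, **attack)
        ids, s, s2 = ids + c_ids, (s + c) % M, (s2 + c2) % M
    return ipet(ids, s, s2)


def attest(**attack):
    """IPET-guided top-down search; returns (suspects, nodes queried)."""
    suspects, queue, asked = [], list(TREE["BS"]), 0
    while queue:
        node = queue.pop(0)
        asked += 1
        if not ipet(*aggregate(node, **attack))[0]:
            suspects.append(node)
            queue.extend(TREE.get(node, []))  # descend only below a failure
    # A suspect whose aggregate is clean without the other suspects is cleared.
    for node in list(suspects):
        if ipet(*aggregate(node, skip=set(suspects) - {node}, **attack))[0]:
            suspects.remove(node)
    return suspects, asked


if __name__ == "__main__":
    print("honest query:", bs_query())
    attack = dict(forger="W", victim="X", forged=90)
    print("W forges X's reading:", bs_query(**attack))
    print("attestation:", attest(**attack))
```

In the attacked run only 8 of the 12 nodes are queried, because the subtrees under H and Q pass IPET at their roots and are never descended into.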
Lemma 5:
Our protocol performs either more efficiently than or at least as well as end-to-end aggregation protocols in checking data integrity.
Proof:
In our protocol, we use the IPET heuristic to reconstruct only the necessary branches of the MAC tree for testing data integrity. In the worst case, we will need to reconstruct the whole MAC tree, which is the case in end-to-end protocols.

VIII. CONCLUSIONS
In this paper, we demonstrated a model for secure data aggregation in WSNs, which is a blend of hop-by-hop operational efficiency and end-to-end data secrecy. We showed that this model has low computational complexity, that the BS uses an $O(1)$ heuristic to verify the final aggregation result of sensed data, and that it needs $O(\ln n)$ on average to detect an attacked node. We plan to perform simulation and further security analysis of this model in our future work.

REFERENCES

[1] C. Castelluccia, E. Mykletun, and G. Tsudik. Efficient aggregation of encrypted data in wireless sensor networks. In Mobile and Ubiquitous Systems: Networking and Services, 2005. MobiQuitous 2005. The Second Annual International Conference on, pages 109–117, 2005.
[2] H. Chan, V. Gligor, A. Perrig, and G. Muralidharan. On the distribution and revocation of cryptographic keys in sensor networks. IEEE Trans. Dependable Secur. Comput., 2(3):233–247, 2005.
[3] H. Chan, A. Perrig, and D. Song. Secure hierarchical in-network aggregation in sensor networks. In Proc. 13th ACM Conf. on Computer and Communications Security, November 2006.
[4] J. Girao, D. Westhoff, and M. Schneider. CDA: Concealed Data Aggregation in Wireless Sensor Networks. In Proc. 40th International Conference on Communications, IEEE ICC '05, Korea, May 2005.
[5] M. Horton, D. Culler, K. Pister, J. Hill, R. Szewczyk, and A. Woo. MICA: the commercialization of microsensor motes. Sensors, 19(4):40–48, April 2002.
[6] L. Hu and D. Evans. Secure aggregation for wireless networks. In Symposium on Applications and the Internet Workshops (SAINT'03), number 384, 2003.
[7] C. Intanagonwiwat, D. Estrin, R. Govindan, and J. Heidemann. Impact of network density on data aggregation in wireless sensor networks. In Proc. of International Conference on Distributed Computing Systems (ICDCS '02), Vienna, Austria, July 2002.
[8] S. Madden, M. Franklin, J. Hellerstein, and W. Hong. TAG: a tiny aggregation service for ad-hoc sensor networks. SIGOPS Oper. Syst. Rev., 36(SI):131–146, May 2002.
[9] A. Mahimkar and T. S. Rappaport. SecureDAV: a secure data aggregation and verification protocol for sensor networks. In Proc. IEEE Global Telecommunications Conference, 2004. GLOBECOM '04, volume 4, pages 2175–2179, 2004.
[10] E. Mykletun, J. Girao, and D. Westhoff. Public key based cryptoschemes for data concealment in wireless sensor networks. In Proc. IEEE International Conference on Communications (ICC '06), 2006.
[11] A. Perrig, M. Luk, and C. Kuo. Message-in-a-bottle: User-friendly and secure key deployment for sensor nodes. In Proc. of the ACM Conference on Embedded Networked Sensor System (SenSys '07), October 2007.
[12] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. Tygar. SPINS: security protocols for sensor networks. Mobile Computing and Networking, pages 189–199, 2001.
[13] B. Przydatek, D. Song, and A. Perrig. SIA: Secure information aggregation in sensor networks. In Proc. of SenSys 2003, pages 255–265, New York, November 2003.
[14] D. Raymond and S. Midkiff. Denial-of-service in wireless sensor networks: Attacks and defenses. IEEE Pervasive Computing, 7(1):74–81, 2008.
[15] Y. Sang, H. Shen, Y. Inoguchi, Y. Tan, and N. Xiong. Secure data aggregation in wireless sensor networks: A survey. In Proc. of the Seventh International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT '06), pages 315–320, Washington, DC, USA, 2006. IEEE Computer Society.
[16] I. Stojmenovic. Handbook of sensor networks, algorithms and architectures. Wiley series on parallel and distributed computing, 2005.
[17] Y. Yang, X. Wang, and S. Zhu. SDAP: a secure hop-by-hop data aggregation protocol for sensor networks. In