A Novel Digital Certificate Based Remote Data Access Control Scheme in WSN

A digital certificate based remote data access control scheme is proposed for safe authentication of accessors in wireless sensor networks (WSN). The scheme is founded on the access control scheme based on characteristic expression (named the CEB scheme). Data is divided by characteristics and the encryption key is related to the characteristic expression. Only a key matching the characteristic expression can decrypt the data. Meanwhile, three distributed certificate detection methods are designed to prevent the certificate from being misappropriated by hostile anonymous users. When a user starts a query, the key access control method can judge whether the query is valid. In this case, the scheme can achieve public certificate of users and effectively protect query privacy as well. The security analysis and experiments show that the proposed scheme is superior in communication overhead, storage overhead, and detection probability.


Introduction
The WSN is a dynamic wireless network formed by multiple microsensor nodes. It can be used for continuous environment monitoring. The nodes have the features of low consumption and low cost. Furthermore, they can realize data collection, data interaction, data transmission, and distributed cooperation [1][2][3]. However, WSN has some shortcomings, such as intrinsic vulnerability, limited sensor nodes, randomly deployed nodes, dynamic change of network topology, and unstable wireless channels. Furthermore, since WSN is always deployed in rugged environments, uninhabited areas, or enemy positions, some unique security risks exist, such as interception, leakage, denial of service, false injection, tampering, and replay attacks [4,5].
In this case, it is an important issue to create a safe and reliable working scene for WSN, which relates to the practicability and promotion of WSN. Sensor nodes are seriously limited in terms of calculating speed, power supply energy, communication ability, and storage space. Consequently, it is necessary to design an effective security mechanism under these limited conditions. In this way, the data stored in sensor nodes will be complete, confidential, and reliable and will resist interception and capture in data transmission. Unauthorized queries and leakage of users' sensitive information are prevented.
Recently, data collection in sensor networks needs users to pay for the access. Meanwhile, the privacy of data access is an inevitable problem. For instance, some users are not willing to leak information about the time of access, the data types they are interested in, and the nodes retrieved. The identities are expected to be unknown to the network owner and other users. In this way, they can protect their benefits from being damaged by potential competitors. Therefore, it is important to realize public user authentication while satisfying the user anonymity requirement. So far, anonymous authentication has received wide attention, but only as an authentication problem. If the identity verification is successful, the nodes will provide data to the user without considering anonymity. SPYC [6] is the first anonymous access control scheme, collecting data through one or several base stations. He et al. [7] present a distributed access control with privacy support in wireless sensor networks. All users are divided into groups. Each group has various grades. In a user query, the request is sent with the group identity. It can authenticate the user's validity and also protect the privacy of the user's identity. However, this way reveals the user's privacy in the dividing process. Since the number of groups is limited, the user's identity and the data he is interested in can be deduced by the network provider with an exhaustive analysis method. It is not a real distributed algorithm. Bethencourt et al. [8] propose a ciphertext policy attribute based encryption, called the BSW scheme. A secret sharing method is employed in encryption for strict access control. The private key is related to a characteristic set in BSW. An access structure is implicated in the ciphertext. If the characteristic of the private key satisfies the access structure, the private key can be used for decryption. In BSW, polynomial interpolation is required to reconstruct the key. Therefore, many operations of complex matching and exponentiation should be performed in decryption. Wang and Li [9] present an authorization method based on an access control list (ACL). The user will obtain the ACL and certificate in advance. (, ) threshold method is used in authentication. The signature employs asymmetric encryption. If the user obtains authentication signatures from  ( < ) nodes, the query request will be transmitted. The node with the query data will verify and respond to the request. However, the scheme has low efficiency and no expandability. Long distance data transmission faces various potential attacks. Cheung and Newport [10] replace secret sharing by random elements in encryption for strict access control. The scheme is named CN. There are two shortcomings. On one hand, it only supports a simple logic combination strategy with low descriptiveness. On the other hand, the sizes of ciphertext and key grow linearly with the number of characteristics, which degrades efficiency. Ruan et al. [11] present a group-based anonymous scheme to conceal the message transmitted between source node and target node. They further proposed a proxy signature scheme to protect the access of data [12]. However, they focus on the privacy of data but not the privacy of users, which will be solved in this paper.
In our work, each user should get a certificate before data collection, and the certificate should be requested or bought from the network provider. The user can access data in the network with the certificate. The sensor node will verify the validity of the certificate and then provide the requested data to the user. Each sensor node can verify the validity of the certificate, but the user's identity is unknown to all entities. In our scheme, the network provider can prevent unauthorized user access and protect user privacy. The generation of the certificate is based on blind signature [13]. In traditional digital signature schemes, the signer knows all information about his signature. But in a blind signature system the signer cannot learn what he signed. The proxy blind signature is built on proxy signature and blind signature; it is widely applied in electronic currency payment and greatly protects the user's benefits. Meanwhile, the proxy blind signature is suitable for the proposed application scenarios. However, the anonymity of blind signature may be utilized by hostile users for unlimited access. Consequently, a novel safe access control algorithm based on digital certificates is proposed from the view of security requirements. It can address the security issues in access control.

Network Model and Hypothesis
As shown in Figure 1, suppose that there are a network service provider , an intermediate proxy , and some users  in WSN. nodes in WSN continuously monitor the target environment and provide interesting data to users. No reliable base station in the network will connect the intranet with the outside network. The collected data will be stored in local nodes or other nodes. Therefore, a user can obtain data directly from nodes. The nodes are supposed to know their geographical location information by an existing locating algorithm.
We suppose users can conspire, forge a certificate, and even capture part of the nodes to obtain the information they are interested in. Users are not willing to reveal their identities and the way they access data but want to obtain as much information about other users as possible. Of course, they will engage in sharp practice if it is profitable. Different from a general wireless sensor network, users will not launch denial of service (DoS) since it does no good for data acquisition. Users will not escape access control and collect data by directly capturing many nodes since enormous costs and efforts are required. On the contrary, users will capture a small part of the nodes for reuse of a certificate.

User Authentication and Privacy Protection
(2)  sends (, ) to user  (user with certificate can access data on nodes).
(3)  receives the information and randomly selects data ,  ∈  *  and calculates the following values: If  = 0, repeat step (3) until  ≠ 0. After that,   is sent to .
(4)  receives   and computes   =     +  +   as a signature of message.  is sent to .

Verification.
Each sensor node has   and   before deployment. Network provider can dynamically update   and   by using the method in [14]. Once the certificate is obtained by user,  can access the WSN and collect data from nodes. Any node   that receives certificate (,   , , , ) will verify whether the equation  = ℎ( ‖ (     (  ‖) ) − (mod ) is satisfied. According to  = ℎ( ‖ )(mod ), we only need to prove whether  = (     (  ‖) ) − (mod) is satisfied. We have the following deduction process:

The above expression proves the validity of certificate (,   , , , ). After that,   will check again. Only if the two steps are successful will node   provide data to user  according to the certificate.

Certificate Detection Algorithm.
Each certificate (,   , , , ) consists of simple characters or digital number, which are unable to track. Hostile users may reuse their certificates and may not fear being caught. Therefore, node should verify whether the certificate is used before responding, called certificate detection. It performs before using certificate and after signature verification. The witness node is introduced for verifying abused certificates effectively. Suppose the certificate is successfully used by user  for −1,  ≥ 1 times. Now,  attempts to use the uncompromised node   at th time. The certificate (,   , , , ) is authenticated by the node   and should be verified if it is used. represents the probability of certificate (,   , , , ) being abused in th use (assume it is successfully used for  − 1 times). denotes the communication cost for each data transmission. is the storage cost in th use., , , and ℎ are, respectively, nodes number, communication range, number of compromised nodes, and the average hops number between two nodes. In this section, three methods are presented to verify the use of certificate.
(1) Geography Mapping. Geography mapping (GM) is used in the first method. The way for selecting storage nodes is referenced. We randomly select a number of nodes as witness nodes. GPSR [13] is used to find witness nodes. Node   receives certificate (,   , , , ); after that, we randomly select  witness nodes with GPSR for certificate detection. The positions of witness nodes are calculated by (, ) = {  }  =1 .
Here,  is the hash function and  is the random number. Node   will send  to  witness nodes and set the longest round-trip time of message. Each witness node   will judge if  is stored after receiving . If not, certificate (,   , , , ) will be stored in local memory. Otherwise,   will respond with a passive message to node   .

Now, we will evaluate detection probability of GM method. witness nodes are required to verify certificate (,   , , , ).  denotes the generated random number for determining witness position at th time. One node may be selected in many times of selecting witness nodes. Assume the generated random number   in each time is independent. After the certificate being used for  − 1 times, the number of witness nodes is   ( − 1). The probability of one node not being selected in  − 1 times is denoted by (1 − /) −1 . In this case, the probability for one node being selected for one time at least will be 1 − (1 − /) −1 . Consequently, we have

The nodes that are selected as witness nodes are unknown to user . He can only capture some nodes randomly. Assume there are  nodes being compromised and  < . The probability for witness node being compromised is (1 − (1 − /) −1 ) ≈ ( − 1)/.( − 1)(1 − /) nodes are not compromised. If none of them is being selected as witness nodes, th certificate detection fails and the probability is

Consequently, in GM method, the probability for verifying th certificate abuse is ( th detection requires  = ( + )ℎ message transmissions. Here,  is the number of uncompromised nodes that send passive message to node   . If ( − 1) witness nodes are uncompromised, the probability for each node responding with a passive message is /. In this case, there are totally  = (−1) 2 / passive messages. We have  = (1+(−1)/)ℎ. Furthermore, the storage cost is  ≈ .
(2) Path Feedback. The second method employs path feedback (PF). It is founded on GM and realized by using the broadcast feature of wireless signal. In the procedure of sending certificate (,   , , , ) for detection request, all nodes within communication radius of transmission path can receive request message. If one node finds  is stored by itself, it will send a passive message to source node. With the same number of , PF can greatly improve detection probability of certificate. For example, assume that node   is one of  witness nodes selected by node   at th time and it is not selected in  − 1 times. In this case,   will record .  is supposed to be a node at path, which acts as witness of certificate and can receive the detection request from node   to   . Different from GM method, PF allows node  at path to send a passive message to node   .

Now, we calculate detection probability of PF method. The hops number between arbitrary two nodes is ℎ. For simplification, we assume  nodes are randomly deployed within the area  and there are ℎ + 1 nodes on each detection path from node   . The area of circular is   =  2 . The intersect area of two adjacent circulars is S  = (4−3 √ 3) 2 /6. The area formed by  hops path is  ℎ = ℎ  − (ℎ − 1)  . There are  witness nodes, so the number of request messages is . Therefore, the total area formed by  paths can be calculated by

Similarly, there are  nodes being captured,  < , and the probability is (1 − (1 − /) −1 ) ≈ ( − 1)/. The remaining ( − 1)(1 − /) witness nodes are uncompromised. If none of them has received the request message, th detection is failure and the probability is (1 −   /) (−1)(1−/) . Consequently, we have

Similar to that of GM method, the communication cost of PF is  = ( + )ℎ,  ≥ 1. If none of ( − 1) witness nodes are captured, one passive message will always respond with the probability of   /. That is, the number of passive messages is  = ( − 1)  /. So, we have  = (1 + ( − 1)  /)ℎ. In addition, the storage cost is the same as that of GM,  ≈ . Obviously, PF has higher detection probability and lower communication cost and storage cost by comparing to GM:

(3) Crossline. The third method is based on crossline theory, called CL method. GM and PF have a common characteristic of compromise among detection probability, communication cost, and storage cost. More witness nodes will improve detection probability but also cause large communication cost and storage cost and vice versa. However, it is different in CL method. CL method is based on crossline technology [15].
Data storage is along with one direction, called "copy path," but not in one node or several isolated nodes. User query towards another direction is called "query path." If two paths are crossed, user can query expected data.
In CL method, certificate is regarded as a unique data type and message to be copied or queried. If certificate is received, each node will send a detection request along with any fixed vertical path. If the request is intersected with uncompromised witness nodes which have certificate record, the witness nodes will respond with passive message to source node. Otherwise, the certificate will be regarded as new. The source node will select any horizontal path and copy the certificate to all nodes on the path for storage.
Node   randomly generates a position (,  1 ) after receiving certificate (,   , , , ). 1 is arbitrary random number. A proxy query request message with m will be sent to the node at (,  1 ) by using GPSR. The node, which receives the proxy query request and is near to (,  1 ), is called proxy query node of   , denoted by  1 . If  is stored in node  1 ,  1 will send a passive message to node   . Otherwise,  1 will send the query request messages, respectively, along the horizontal and vertical directions. If node   receives an abused passive message before the timer expired, the use of certificate (,   , , , ) is refused. Otherwise, the certificate (,   , , , ) is unused. Node   will generate a random number  2 (different with  1 ) and send a copied proxy query request message including  to nodes nearby (,  2 ). The node  2 , which is closest to (,  2 ), is regarded as the copied proxy node of   after receiving the request message. Then,  2 stores and sends two copy paths towards horizontal direction. All nodes on copy path will store .

Now, we analyze the detection probability of CL method. The certificate (,   , , , ) is used for  − 1 times. Therefore, there are  − 1 copy paths randomly generated in network. At least one node can receive request message for detection. We assume only one node receives the request message. There are  − 1 cross nodes. Since the query path of node   is unpredictable, user  attempts to use certificate (,   , , , ) at th time by randomly capturing a number of nodes. If  nodes are compromised by , the probability of each cross node being captured is /. If all of the cross nodes are compromised, th certificate detection is failure. The probability is (/) −1 . So, we have

The communication cost evaluation should consider two cases: th detection is successful or failure. For the first case, communication cost includes query cost  1 and copy cost  2 . 1 consists of the cost of transmitting proxy query request and the cost of sending two query requests from proxy query node. 2 consists of the cost of transmitting proxy copy request and the cost of sending two copy requests from proxy query node. The hops at horizontal and vertical direction are, respectively,  and . The average hops number between arbitrary two nodes is ℎ. Consequently, we have

If th detection is failure,  is a sum of  1 and the sent passive messages. If  − 1 cross nodes are uncompromised,  − 1 passive messages will respond to node   . In this case,  = ℎ +  + ( − 1)ℎ. So, we have  = (1 − ) (2ℎ + ) +  +  (ℎ + ) . (9) In addition, the storage cost of CL method is

Security and Performance Evaluation.
Data access control is necessary to ensure authorized access, since illegal access to sensitive data may cause disastrous consequences.
From the view of protected object, security evaluation of data access control is classified into accessor security and access object security. The implementation of our method is analyzed as follows.
(1) Effective access control: the master key in each stage is realized by encryption of a set of characteristics. Since the key chain is one-way, attackers cannot obtain the key for data encryption without the master key. Encryption on the master key has provable security under the BDH hypothesis. It demonstrates that attackers cannot decrypt the master key unless they have the expected access structure. Therefore, the method ensures the data can only be accessed by authorized users.
(2) Constraining the collusion attack: the collusive users want to obtain the master key for data decryption. Actually, the method has provable security against chosen message attack under the BDH hypothesis. The master key is encrypted as (, )  . User can get  only by eliminating (, )  . The only way to construct (, )  is ( (−)/ ,   ) = (, )  /(, )  . Then, (, )  can be calculated. For each user,  is randomly selected from   . The key of an unauthorized user is of no use for other users to calculate (, )  .
(3) Limit impact of node capture: each sensor node only stores the key for current data encryption. The key used before will be erased. Due to the one-way feature of the key, attackers cannot deduce previous keys by using the current key. Each node encrypts data independently, so capturing one node is of no use against other nodes.
(4) Performance and functionality analysis: a sensor node is responsible for the following operations: (1) generate and encrypt the master key with the proposed method; (2) generate the key for data encryption by using the master key; (3) encrypt data of sensor nodes. These operations are deployed to various stages. Concretely, one node at one stage performs at most one scalar multiplication on the elliptic curve, a one-way hash algorithm, and a symmetric data encryption.
In data request procedure, each node responds to data ⟨ V , {}   ⟩ at th period of Vth stage. V includes   + 1 group members in  1 and a group element in   .{}   is data segment. In data cancel process, TP only needs to broadcast a group element in  2 to all of sensor nodes. Table 1 compares the functionalities of our method to those of BSW [8] and CN [10]. BSW has only designed threshold by simple combination of keys without network scalability and user revocation, and it cannot withstand collusion attacks. CN is resilient to collusion attack and can resist some other attacks. The proposed method has scalability, ability against collusion attack, and user cancel. Meanwhile, the descriptiveness is better and functionality is more comprehensive.

Experiments and Analysis
Simulations have been performed in NS-2 (Network Simulator version 2), developed by UC Berkeley University, to evaluate the efficiency of the proposed scheme. The settings for experiments are as follows. There are 1000 nodes in WSN deployed in the area with the size of 1000 × 1000. The communication radius of nodes is 50 m. The numbers of witness nodes () in GM and PF are, respectively, 50 and 5. The reason for choosing different  lies in their different detection probability. The number of compromised nodes is set to 100. Assume that no packet loss or conflict occurs in data transmission. In Figure 2, every point represents the average usage of a certificate among 100 random nodes. For the use of each certificate, we randomly capture nodes for 100 times and calculate the average value. In addition, different network topology and random certificate are simulated. The evaluation indicators include detection probability, communication cost, and storage cost [15]. Figure 2(a) compares the detection probability of three methods as a function of the round of certificate used. As seen, the detection probability increases as . When  is greater than 2, it can be completely detected. Since CL selects two cross curves to store and verify certificate, if the cross point is not captured, detection will be successful. But the detection probability is the minimum. On the contrary, the selection of target nodes in GM is totally random. It is not the optimized way for selection since a part of nodes may be captured, and certificate usage can be detected more than 8 times. By comparing to GM scheme, PF can realize feedback by using nodes on the path. Since  nodes will produce  paths, it is unable to capture nodes on all paths. Consequently, the detection accuracy is higher than that of GM scheme while requiring fewer witness nodes.
Figures 3(a), 3(b), and 3(c) compare the communication overhead and storage overhead of three detection schemes, separately. As we can see, the communication overhead in CL is lower than that of PF, but the storage overhead is opposite. In GM scheme, communication and storage overhead are larger than those of PF. This is because the witness nodes in GM are fixed and the number of witness nodes is more than that in PF. Since PF depends on other nodes and witness nodes on the path and requires fewer witness nodes, the communication and storage overhead are lower than those of GM.
Figure 3 demonstrates the effect of  on GM and PF. Because we are concerned with certificate use at the first time,  = 2 is set. Additionally,  has no impact on CL scheme. For comparison, it is also shown. As seen, the detection probabilities, respectively, in GM and PF are growing as . The communication and storage overhead show the same trend. When  = 10, PF can detect the first abuse of certificate with the probability of 0.9. But in GM, the detection probability is less than 0.5, even  = 100. Since PF lets other nodes on the path respond with a passive message to the source node when detecting a message, it introduces higher communication overhead than GM. Moreover, when  is larger than 20, the detection probability of PF is close to 1. The communication and storage overhead grow continuously as well. Consequently, a compromise should be chosen among detection probability, communication overhead, and storage overhead. Figure 4 shows the detection probabilities in three schemes with increase of compromised nodes. We set  = 2 and  = 50 in GM and  = 10 in PF. In Figure 3, three schemes are affected by c since the number of witness nodes is random. For instance, CL can detect certificate being abused firstly with the probability of  = 98%. Because many nodes on copy path may receive detection request message, it demonstrates that the scheme has good effect on capturing attacks.
In the following, we simulate various performance indicators after applying our scheme, including length of ciphertext, key generation time, and time overhead on encryption and decryption. These indicators are compared to BSW and CN. In finite field, a supersingular elliptic curve  2 =  3 + . The time to match with PCB library is 5.5 ms. The times of selecting random elements from  1 and  2 are 16 ms and 1.6 ms, respectively. As we can see, the length of ciphertext, key generation time, and encryption time linearly increase as the number of characteristics in all three schemes. But the decryption time is not linear. Since the decryption time is related to the number of characteristics and access trees, different access tree may include different access structure. Moreover, the indicators in CEB are superior to those of other schemes. Because secret sharing is employed in encryption of BSW, strict access control is realized. Polynomial interpolation is required to construct key. Many complex matching and exponentiation operations are required in decryption. Although CN scheme replaces secret sharing with random elements in encryption, the length of ciphertext and key linearly increase as the number of system characteristics. It causes low efficiency of CN scheme. However, our scheme encrypts and stores data periodically. The data of each node is encrypted by symmetric encryption algorithm. Meanwhile, the keys in encryption are linked as a one-way key chain. One key is used in a period.
The abilities against collusion attacks of three schemes are compared in Figure 6. For simplicity, we assume each node only generates one data unit at each phase per round. The total number of users in current network is supposed to be 100. The collusion users vary from 10 to 50. Then we simulate data leaking rate of three schemes.
As a note, the purpose of collusion users is to obtain more data with the key. Compared with directly capturing nodes and intercepting attacks, collusion can save overhead and is hard to detect [16]. As shown in Figure 6, three schemes have almost the same abilities against attacks when there are few collusion users. With the growth of collusion users, data security of BSW and CN decreases rapidly, while that of our scheme shows a gentle decline. When the number of collusion users is greater than 40, data security of BSW scheme drops more dramatically than that of CN. As mentioned above, although CN generates key by utilizing the way of random number, actually, the number belongs to pseudorandom number. Attack can be realized with exhaustive method, easily with more collusion users. The proposed scheme has eliminated the above shortcomings. The master key is continuously updated. Once malicious users are found, we will cancel the operation. In this case, collusion users can only obtain their own data without obtaining data of other nodes. Therefore, the interference caused by attacks will be restricted to the minimum.

Conclusion
To address the issue on security of access object and accessor, we proposed a digital certificate based remote data access control scheme. It is founded on access control scheme with characteristic expression. Our scheme has two features. On one hand, the network data is divided by characteristic and connected with key. When user requires query, the access control strategy, which is related to key, will judge the validity of the query. In this way, data access control is realized. On the other hand, anonymous authentication is realized for security of accessor. Moreover, three distributed certificate detection methods are designed for preventing certificate being abused by malicious anonymous users. The security analysis and experiments show that our scheme has the ability against collusion attacks and higher detection probability. The next work is to perfect our scheme and apply it on real sensor nodes. The experiments are summarized as follows. GM has lower detection probability, or higher communication and storage overhead are required to achieve some detection probability. PF has higher detection probability but grows as witness nodes and successful use times of certificate. Meanwhile, the communication and storage overhead of PF are within a reasonable range. The case of CL scheme is similar to that of PF.

Figure 2: The relationship of detection rounds with detection probability, communication overhead, and storage overhead.

Figure 3: The relationship of witness nodes with detection probability, communication overhead, and storage overhead.

Figure 4: The relationship between detection probability and compromised nodes.

Figures 5(a)-5(d) show the comparison with length of ciphertext, key generation time, encryption time, and decryption time. Ciphertext includes ID, head, and data block. The head consists of characteristic collection , a group element in  2 , and || group elements in  1 .

Figure 5: The comparison of various schemes.

Figure 6: The comparison of abilities against collusion attacks for three schemes.

Table 1: Functionality comparison of various methods.