Security Analysis and Improvements of Session Key Establishment for Clustered Sensor Networks

WSN (wireless sensor network) is one of the main technologies in IoT (Internet of Things) applications or services. To date, several schemes have been proposed to establish a pair-wise key between two nodes in WSN, and most of them are designed to establish long-term keys used throughout the network lifetime. However, in the near future, if WSN will be used for information infrastructures in various fields such as manufacturing, distribution, or public facilities management and its life cycle can be as long as that of other common networks, it will definitely be advantageous in terms of security to encrypt messages using session keys instead of long-term keys. In this paper, we propose a session key establishment scheme for clustered sensor networks that is based on elliptic curve Diffie-Hellman (ECDH) key exchange and hash chain. The proposed scheme eliminates vulnerabilities of existing schemes for WSN and has improved security. The proposed scheme is efficient in terms of energy costs compared to related schemes.


Introduction
A wireless sensor network (WSN) is composed of dozens to thousands of sensor nodes and more than one gateway and is employed with the objective of collecting data regarding the conditions or changes in the target area [1,2]. WSN is one of the key technologies in IoT (Internet of Things) applications or services and is expected to be employed in various applications in fields such as military, healthcare, public facilities management, manufacturing, distribution, and agriculture in the near future [1,3-5]. However, like other common wireless networks, WSN is vulnerable to attacks such as node impersonation attacks, man-in-the-middle (MITM) attacks, and denial-of-service (DoS) attacks carried out by eavesdropping on or altering the messages transmitted over wireless channels [6-8]. Therefore, WSN should employ security techniques to meet the security requirements of data confidentiality and integrity, availability of services, and node authentication [9].
The key establishment scheme is one of the most fundamental and feasible security techniques [10]. Lai et al.'s BROSK [11], Eschenauer and Gligor's random key pool-based scheme [12], and others provide the function of establishing a pair-wise key between sensor nodes [13]. Such schemes are designed with the objective of establishing a long-term key to be used throughout the lifetime of the WSN, under the assumption that the life cycle of a WSN is much shorter than that of other networks [14]. For example, if a WSN is installed to monitor a hostile environment that is not easily accessible to people, such as a battlefield or a disaster area, its life cycle is shorter than the attack time needed to determine the cryptographic keys. In this case, it is more effective for the cryptographic keys not to be rekeyed after being established, except when adding new nodes or eliminating existing nodes. However, if a WSN is used for information infrastructures in fields such as manufacturing, distribution, or public facilities management, its life cycle may be long. In this case, there is a need for a session key establishment scheme that continuously renews cryptographic keys according to a cycle or an event [14].
In an information and communication system, the message sender encrypts the confidential data and transmits it in the form of ciphertext to the message receiver. However, if an attacker obtains the decryption key by hacking, he/she can obtain the plaintext or additionally perform other serious attacks using the key. In order to decrease the damage caused by such key exposure, a cryptographic key known as a session key is used only for a limited period of time. In communication protocols based on session keys, even if an attacker obtains one of the session keys, the number of ciphertexts he/she can decrypt with it is limited. Also, he/she needs more pairs of plaintext and ciphertext for cryptanalysis or needs to obtain more session keys for other attacks. Therefore, encryption of messages using session keys is definitely advantageous in terms of security [15].
In this paper, we focus on WSNs applied to applications such as healthcare, public facilities management, and industrial automation systems. Applying WSNs to such systems is more advantageous in terms of network performance and management costs compared to applying wired networks [18]. However, in such systems, WSNs should be operated for a long period of time and are security-critical. Moreover, for easy network management, such applications can employ clustered and hierarchical sensor networks, as shown in Figure 1 [19,20]. When employing clustered sensor networks for such applications, the communication between the gateway and the cluster head requires stronger security than the communication between the cluster head and the sensor node; this is because the cluster head collects the data sensed by the sensor nodes in its cluster and transmits it to the gateway [17]. Therefore, it is appropriate to apply the session key to the communication between the gateway and the cluster head in order to increase security. However, we found that existing session key establishment schemes for WSNs [16,17] have several security flaws: they do not provide mutual authentication between two nodes and are vulnerable to node impersonation attacks and MITM attacks. In addition, neither scheme can guarantee the secrecy of future session keys if the long-term keying materials stored in the cluster head are exposed to an attacker.
In this paper, we propose a scheme to establish a session key between the gateway and the cluster head in order to enable the cluster head to transmit encrypted data to the gateway. Our proposed scheme should eliminate the weaknesses of existing schemes in order to achieve improved security. Moreover, not only security but also energy costs should be considered when designing the scheme, because the nodes in WSNs are battery-powered. To meet these design requirements, the proposed scheme establishes session keys based on elliptic curve Diffie-Hellman (ECDH) key exchange [21,22], an effective asymmetric key technique. Also, it employs a hash chain [23-27] in order to provide mutual authentication between the gateway and the cluster head, verification of message integrity, and session key establishment while taking energy costs into account.
Our major contributions are as follows. First, the proposed scheme is secure against the attacks possible on key establishment schemes for WSN, such as session key attacks, replay attacks, and node capture attacks. Also, it resists both node impersonation attacks and MITM attacks through mutual authentication of the two communicating parties and verification of message integrity. Second, compared to long-term key establishment, there is less research on session key establishment between two nodes in WSN, and the studies are relatively more recent. Third, the computation and communication costs incurred by a cluster head affect its energy consumption [28-30]. Therefore, the proposed scheme is designed to minimize the number of messages transmitted between two nodes for efficiency in terms of communication costs. Also, even though it employs asymmetric key techniques, it is more efficient in terms of computation costs compared to other schemes with similar design requirements and key establishment techniques.
The remainder of the paper is organized as follows. Section 2 reviews several key establishment schemes between nodes in WSN. Section 3 describes the assumptions, design requirements, and main ideas of our proposed scheme. Section 4 presents the proposed scheme and describes its phases in detail. Section 5 analyzes the security of the proposed scheme against possible attacks on key establishment schemes for WSN. Section 6 is devoted to analyzing its energy costs compared to other schemes with similar design requirements and key establishment techniques. Finally, Section 7 concludes this paper.

Review of Related Works
A few key establishment schemes have been proposed to establish a pair-wise key between sensor nodes and to provide the rekeying function in case of additions of new sensor nodes or revocation of existing sensor nodes [11,12,31-34]. In Lai et al.'s BROSK [11], all sensor nodes share only one master key, and each sensor node establishes a pair-wise key with its neighboring nodes using that master key. This scheme is very efficient and simple, but the entire network can become vulnerable if even one sensor node in the network is compromised by an attacker. Eschenauer and Gligor proposed a pair-wise key establishment scheme based on a random key pool [12]. In the predeployment phase of their scheme, keys are randomly chosen from one key pool and are preloaded into the sensor node. After deploying sensor nodes to the field, if a sensor node determines that it has the same key as its neighboring node, it sets that key to be the pair-wise key between the two nodes. In this scheme, if an attacker compromises another sensor node that has the pair-wise key between two sensor nodes, he/she can decrypt the message transmitted between these two sensor nodes. Several modified schemes have been proposed in order to compensate for this weakness [32-34]. Based on Eschenauer and Gligor's scheme, Chan et al. proposed a scheme where a pair-wise key can be established only when two sensor nodes share multiple keys instead of one key [32]. On the other hand, Du et al. proposed a scheme that combines the random key pool-based method with Blom's method [33], which establishes a pair-wise key between two nodes using the symmetric matrix  in  =  ⋅ , where matrix  is the public information, and matrix  is private information in a finite field [35]. Also, Liu et al. proposed a scheme that combines Eschenauer and Gligor's method with the polynomial-based method [34] that establishes a pair-wise key between two nodes using a -degree polynomial (, ) that satisfies (, ) = (, ) [36]. All of Chan et al.'s, Du et al.'s, and Liu et al.'s schemes are proposed to securely protect the links between uncompromised nodes unless a threshold number of nodes are compromised [32-34].
All of the schemes mentioned above have been proposed to establish a long-term key used throughout the life cycle of the WSN [14]. Compared to such schemes, session key establishment schemes between nodes in WSN have been proposed more recently. References [14,37,38] proposed EBS-based rekeying schemes. Eltoweissy et al. proposed the exclusion basis system (EBS), which updates a group key for normal nodes when it evicts malicious nodes from a communication group [39]. An EBS-based scheme has a key pool of size + (1 < ,  < , where  is the number of nodes in a group). administrative keys from the key pool are assigned to each node. When the scheme evicts some malicious nodes from the group, only  messages are needed to update a group key because the messages are encrypted using keys unknown to the malicious nodes. Chen and Lin proposed a session key establishment scheme for grid-based sensor networks [40]. This scheme is based on a one-way hash function, mutual authentication between communication parties, and symmetric key encryption as follows: first, secret parameters (  ,  −1 ) and (  ,  −1 ) are preloaded into the sensor node   and the cluster head   , respectively. Then, the scheme encrypts the messages transmitted from   to   using the key   = ℎ(  ‖  −1 ) and the ones from   to the gateway using the key   = ℎ(  ‖  −1 ). After a period of time,   and   are replaced with    = ℎ(  ‖  ‖ 1 ) and    = ℎ(  ‖  ‖ 2 ), respectively, where both  1 and  2 are generated by the cluster head   . Eldefrawy et al. proposed a session key agreement scheme based on asymmetric key techniques [41]. In this scheme, the gateway receives random numbers from all sensor nodes in a cluster in order to compute a session key for communication between member nodes in the cluster. The scheme encrypts the random numbers transmitted from sensor nodes to the gateway based on RSA [42] and the session keys from the gateway to sensor nodes based on elliptic curve cryptography [21]. Meanwhile, [43-45] proposed polynomial secret-sharing-based session key establishment schemes to address the node compromise problem.
Chen and Li's scheme [16] and Lee and Kim's scheme [17] employ different key establishment techniques to establish session keys between the gateway and the cluster head in clustered sensor networks. Chen and Li's scheme establishes the ( + 1)th session key by computing  +1 = ℎ(  ‖  −1 ), where  −1 and   represent the ( − 1)th and th session keys, respectively [16]. However, if an attacker obtains   and  −1 of   , the future session keys to be generated in the th and the following sessions can be computed. In other words, Chen and Li's scheme does not guarantee the secrecy of future session keys. Lee and Kim applied a modified Diffie-Hellman key exchange (DHKE) technique [46] to their scheme in order to take into account the computation costs of cluster heads [17]. However, because all cluster heads in this scheme share only one private key, which is a long-term key used throughout the life cycle of the WSN, it can also be compromised by an attacker. Therefore, this scheme cannot guarantee the secrecy of future session keys. Furthermore, we found that their scheme is vulnerable to node impersonation attacks or MITM attacks. In Appendices A through D, we review Chen and Li's scheme and Lee and Kim's scheme in detail and analyze their security.

Design Outline of the Proposed Scheme
We consider applications of WSNs such as healthcare, public facilities management, and industrial automation systems. The WSNs utilized for such applications should be operated for a long period of time and are security-critical.

Network Model.
Regarding the WSN that employs the proposed scheme, we assume the following: (i) The WSN is a clustered sensor network divided into several clusters; it consists of three types of nodes: sensor nodes, cluster heads, and a gateway. In a cluster, the sensor nodes sense the conditions or changes regarding the target area and transmit the data to their cluster head. The cluster heads not only control the sensor nodes in their respective clusters [13] but also collect the data sensed by the sensor nodes and transmit the data to the gateway [17].
(ii) Sensor nodes have limited resources such as power, computation and communication capability, memory, and transmission range [1,47-50], whereas the gateway has an abundance of these resources.
(iii) Cluster heads are fixed and not selected from ordinary sensor nodes because the resources of cluster heads are richer than those of ordinary sensor nodes. Nevertheless, our scheme can still be applied to WSNs that perform cluster head selection [51]. This will be discussed at greater length in Section 4.2.
(iv) A sensor node or a cluster head communicates with a nonneighboring node in a hop-by-hop fashion. We assume that the intermediate nodes between the cluster head and the gateway are not required to read the contents of the messages exchanged between the two nodes. Therefore, though the cluster head transmits its message hop-by-hop to the nonneighboring gateway, the message is encrypted/decrypted only at the two end nodes; that is, message encryption/decryption is performed end-to-end.
(v) In WSNs, sensor nodes or cluster heads are usually battery-powered. In this study, because the WSN nodes have a long life cycle, their batteries should be replaced or charged once every few years of system operation [18].
(vi) Sensor nodes or cluster heads can be randomly scattered in a target area or deployed according to a defined network topology. We assume that their spatial distribution depends on the application.
(vii) All nodes in the WSN, that is, sensor nodes, cluster heads, and the gateway, are static; that is, they are not mobile.

Adversary Capabilities.
We assume that an attacker can eavesdrop on or modify transmitted messages. Sensor nodes and cluster heads are vulnerable to physical attacks because they are usually deployed without tamper-proof devices in unattended environments [30,52-54]. Therefore, an attacker can perform node capture attacks, that is, capture a node in the WSN and extract its secret parameters for use in subsequent attacks. The gateway is a trusted node that is not compromised and is secure against privileged-insider attacks or stolen-verifier attacks.

Design Requirements.
The goal of our proposed scheme is for the cluster head to securely transmit the data to the gateway. For this goal, the proposed scheme provides functions to establish a session key between the cluster head and the gateway and to encrypt/decrypt the data using it. In addition, the security weaknesses of existing schemes described in Section 2 are addressed in the proposed scheme. The design requirements of the proposed scheme are as follows: (i) Because the proposed scheme protects the data using a session key, the session key should not be exposed to an attacker attempting to eavesdrop on transmitted messages. Furthermore, even if the long-term parameters in the cluster head are exposed to an attacker, the attacker should be unable to compute future or past session keys.
(ii) To achieve confidentiality and integrity of the data transmitted between the gateway and the cluster head, the proposed scheme should be designed such that it is secure against possible attacks on key establishment schemes such as node impersonation attacks, MITM attacks, and replay attacks.
(iii) Security protocols alone cannot perfectly prevent node capture attacks; however, the proposed scheme should be designed to minimize the effects of such attacks [7]. That is, even if some sensor nodes are compromised by node capture attacks, this should have no effect on the communication with other normal nodes or on the security of the entire network [9].
(iv) Sensor nodes or cluster heads are battery-powered, and their batteries should be replaced or charged once every few years of system operation [18]. This implies that the resources of cluster heads in our network model can be relatively richer than those of sensor nodes in other sensor networks; however, they are still limited. Therefore, the proposed scheme should be designed with both energy consumption and security in mind. For this, the scheme is designed to be efficient in terms of computation and communication costs.

Notations.
This section shows the notations used in the remainder of the paper: (i) A pair of private and public keys for RSA signature [42] ( , ,  , ) is generated as follows: the scheme chooses two large primes  and  and computes  =  ⋅ . It chooses  ∈ {1, 2, . . ., Φ() − 1} such that (, Φ()) = 1, where Φ() = ( − 1)( − 1). Then, it computes  such that  ⋅  ≡ 1 mod Φ(). Here, the public key  , is  and , and the private key  , is . In this paper,   , () denotes the signing of a message  with the private key  , , and it means   mod Φ().  , (, ) denotes the verifying of a message  and its signature  with the public key  , . It computes  * =   mod Φ() and then compares  with  * . If  * = , then the signature  is valid; otherwise, it is invalid.
(ii) A pair of private and public keys for ECDH [21,22] (   ,    ) is generated as follows: the scheme chooses a large prime  and defines the elliptic curve  over   ( > 3) as the set of all pairs (, ) that satisfy  2 ≡  3 +  +  mod  together with an imaginary point at infinity , where 4 3 + 27 2 ̸ = 0 mod  (,  ∈   ). When  is a primitive element on the elliptic curve  and "×" denotes elliptic curve multiplication, the scheme chooses an integer    (0 <    < , where  is the number of points on ) and computes    =    × . Here,    is another element on .

Main Ideas.
Symmetric key-based session key establishment schemes are efficient with regard to computation costs; however, one of their persisting issues is the sharing and updating of the symmetric key, that is, the session key encryption key (KEK), by two nodes [15]. Moreover, if the KEK is a long-term key, it is futile to employ the session key because it can be exposed to an attacker. Meanwhile, another method to establish a session key is to generate the next session key using keying materials stored in the previous session, similar to Chen and Li's scheme [16]. However, in such schemes, if an attacker obtains keying materials in a session, the past or future session keys can be computed. To meet the requirements described in Section 3.3, our proposed scheme is designed as follows: (i) The proposed scheme establishes a session key based on asymmetric key techniques in order to resist session key attacks and provide secrecy of past or future session keys. To take into account the computation costs and energy consumption of cluster heads, the proposed scheme chooses an efficient key exchange technique, ECDH [21,22], from among the asymmetric key techniques with the same security level.
(ii) To resist node impersonation attacks, MITM attacks, and so forth, the proposed scheme should provide mutual authentication between the gateway and the cluster head and verify message integrity. To realize this, the proposed scheme is designed based on a hash chain containing the digests of public keys generated by the gateway, as shown in Figure 2. The gateway transmits one element of the hash chain to the cluster head for each session. Using the received hash chain element, the cluster head can authenticate the message sender and verify the integrity of the message. In our scheme, the cluster head can perform these processes efficiently in terms of computation and communication costs by computing only a single hash value.

Description of the Proposed Scheme
Our scheme is composed of the following three phases: the predeployment phase, the hash chain setup phase, and the key establishment phase. The predeployment phase is performed before cluster heads are deployed in the field. After that, the hash chain setup phase and the key establishment phase are performed. Each of these phases is described in detail in Sections 4.1 to 4.3.

Predeployment Phase.
Keying materials include the information or algorithms required for key establishment. Not only in the proposed scheme but also in many secure protocols for WSN, keying materials are preloaded into nodes before they are deployed in the field [16,17,33,55]. There are two reasons for preloading the keying materials. First, compared to other common networks, it is difficult to equip a WSN with secure channels such as mail. Second, computation or communication costs can be reduced by skipping the initialization process after nodes are deployed in the target area. The predeployment phase of our scheme is as follows (steps (P-1) to (P-4)): (P-1) The scheme generates a pair of private and public keys for RSA signature [42] ( , ,  , ) as described in Section 3.4. (P-2) The two keys ( , ,  , ) are preloaded into . The private key  , is stored only in  and is not shared with other nodes. The public key  , is preloaded into all cluster heads. In the hash chain setup phase described in Section 4.2,  signs the first element of the hash chain using  , , and   verifies the signature using  , . (P-3) The scheme generates a pair of private and public keys for ECDH [21,22] (

Hash Chain Setup Phase.
In the hash chain setup phase,  generates a hash chain to be used in the key establishment phase discussed in Section 4.3. If the number of elements in the hash chain is , then during  sessions the hash chain setup phase is performed only once, in the first session, and the key establishment phase is performed ( − 1) times in total, once in each session from the second to the th session. In this phase, when  transmits the first element of the hash chain,  1 , with its signature to   ,   uses the signature to verify that  1 was generated by  and was not altered during transmission. Figure 3 depicts the hash chain setup phase. The detailed process of this phase is as follows (steps (H-1) to (H-11)): (H-1)  generates  private keys (   ,  −1  , . . .,  2  ,  1  ) used for ECDH [21,22] of  sessions. Then, it computes  public keys (   ,  −1  , . . .,  2  ,  1  ) corresponding to the private keys. (H-2)  generates a single hash chain containing  elements, as shown in Figure 2, using the public keys (   ,  −1  , . . .,  2  ,  1  ). First,  computes the hashed value of    ; that is,   = ℎ(   ), and it then computes the following values in order, (H-3)  signs the first element of the hash chain ( ) are correct, it means that the message sender computed the same session key as  1 of . Therefore,  can authenticate   as the message sender and verify that the message was not altered during transmission by checking the decryption result.  will replace [  ,  1   ] with [  ,  2  ] in its database for the next session.
Our proposed scheme is more suitable for a network model wherein cluster heads are fixed and not selected from ordinary sensor nodes. In this case, the resources of cluster heads are usually richer than those of ordinary sensor nodes. Nevertheless, our scheme can still be applied to WSNs that perform random node deployment, clustering, or cluster head selection [51]. In the predeployment phase, our scheme preloads only three keys, that is,  1   ,  1  , and  , , into the cluster head   . Even though nodes in WSNs have limited memory, they do not require additional memory to store these three keys. Therefore, when the cluster heads are replaced, the scheme preloads the three keys into all cluster head candidates in the predeployment phase. Then, only the selected cluster heads perform the hash chain setup phase in the field.

Key Establishment Phase.
After the hash chain setup phase generates a hash chain with  elements in the first session, the key establishment phase is performed in each session from the second session to the last, th session.  transmits a key establishment request message including one element of the hash chain to   . Then,   verifies the message, generates the session key based on ECDH [21,22], encrypts the data using the key, and transmits it as the response message to . If all verifications in this phase pass successfully,  and   share the same session key and can encrypt/decrypt the data using it. Figure 4 shows the process of the key establishment phase as follows (steps (K-1) to (K-7)): After  exhausts the last element of the hash chain in the key establishment phase of the th session, the scheme performs the hash chain setup phase for a set of  new sessions.
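As an added illustration (not code from the paper or its authors), the following Python sketch runs the three phases of Sections 4.1 to 4.3 end to end using the notation of Section 3.4: the gateway generates n ECDH key pairs, builds the hash chain y_n = h(Q_n), y_i = h(Q_i || y_{i+1}), signs y_1, and sends one chain element per session; the cluster head checks the signature once, then authenticates every later request with a single hash comparison, derives k_i by ECDH, and returns its next ephemeral public key encrypted under k_i. Every concrete value here is an assumption made for readability rather than something the paper specifies: the 19-point textbook curve y^2 = x^3 + 2x + 2 over F_17 stands in for a real curve, textbook RSA with primes 61 and 53 (signing and verifying modulo n, digest reduced rather than padded) stands in for the signature, SHA-256 is h(.), an XOR keystream stands in for E_k/D_k, and the message field names and the simulate() driver are ours. The tamper_session option shows the hash chain check rejecting a request whose public key was swapped in transit, the MITM case argued in Section 5.

```python
import hashlib
import random

# Toy curve y^2 = x^3 + 2x + 2 over F_17: the classic textbook curve with 19 points and generator
# G = (5, 1). Constructed for readability; points are encoded as bytes(pt) (coordinates < 256).
P, A, B, G, ORDER = 17, 2, 2, (5, 1), 19

def ec_add(p1, p2):                      # point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                       # elliptic curve multiplication k x pt (double-and-add)
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend, k = ec_add(addend, addend), k >> 1
    return acc

def h(*parts):                           # one-way hash h(.) over the concatenated arguments
    return hashlib.sha256(b"".join(parts)).digest()

# Textbook RSA signature with small constructed primes 61 and 53 (assumption); the digest is
# reduced mod n instead of being padded, which is a toy simplification.
RSA_N, RSA_E = 61 * 53, 17
RSA_D = pow(RSA_E, -1, 60 * 52)

def rsa_sign(msg):
    return pow(int.from_bytes(h(msg), "big") % RSA_N, RSA_D, RSA_N)

def rsa_verify(msg, sig):
    return pow(sig, RSA_E, RSA_N) == int.from_bytes(h(msg), "big") % RSA_N

def build_hash_chain(pubs):              # y_n = h(Q_n), y_i = h(Q_i || y_{i+1}); returns [y_1, ..., y_n]
    chain, nxt = [], b""
    for Q in reversed(pubs):
        nxt = h(bytes(Q), nxt)
        chain.insert(0, nxt)
    return chain

def xor_crypt(key, data):                # toy stand-in for E_k/D_k: XOR with a hash keystream
    return bytes(a ^ b for a, b in zip(data, h(key, b"keystream")))

class Gateway:
    def __init__(self, n, rng, ch_pub):
        self.privs = [rng.randrange(1, ORDER) for _ in range(n)]   # d_GW^1 .. d_GW^n
        self.pubs = [ec_mul(d, G) for d in self.privs]              # Q_GW^1 .. Q_GW^n
        self.chain = build_hash_chain(self.pubs)                    # y_1 .. y_n
        self.ch_pub, self.n = ch_pub, n                             # preloaded Q_CH^1

    def request(self, i):                # session 1: {y_1, sig, Q_GW^1, y_2}; later: {Q_GW^i, y_{i+1}}
        msg = {"Q": self.pubs[i - 1], "y_next": self.chain[i] if i < self.n else b""}
        if i == 1:
            msg.update(y1=self.chain[0], sig=rsa_sign(self.chain[0]))
        return msg

    def receive(self, i, ciphertext):    # k_i = d_GW^i x Q_CH^i; plaintext is data || Q_CH^{i+1}
        plain = xor_crypt(h(bytes(ec_mul(self.privs[i - 1], self.ch_pub))), ciphertext)
        self.ch_pub = tuple(plain[-2:])  # Q_CH^{i+1}, kept for the next session
        return plain[:-2]

class ClusterHead:
    def __init__(self, rng):             # preloaded d_CH^1; its public key is given to the gateway
        self.rng, self.y, self.d = rng, None, rng.randrange(1, ORDER)

    def respond(self, msg, data):
        if "y1" in msg:                  # hash chain setup phase: y_1 must carry the gateway's signature
            if not rsa_verify(msg["y1"], msg["sig"]):
                raise ValueError("signature on y_1 invalid")
            self.y = msg["y1"]
        if h(bytes(msg["Q"]), msg["y_next"]) != self.y:           # y_i == h(Q_GW^i || y_{i+1}) ?
            raise ValueError("hash chain check failed: altered message or unauthenticated sender")
        self.y = msg["y_next"]
        key = h(bytes(ec_mul(self.d, msg["Q"])))                  # k_i = d_CH^i x Q_GW^i
        self.d = self.rng.randrange(1, ORDER)                      # renew the ephemeral key for session i+1
        return xor_crypt(key, data + bytes(ec_mul(self.d, G)))

def simulate(n, seed=7, tamper_session=None):   # -> (gateway decrypted every response, rejected session)
    rng = random.Random(seed)
    ch = ClusterHead(rng)
    gw = Gateway(n, rng, ec_mul(ch.d, G))
    for i in range(1, n + 1):
        msg = gw.request(i)
        if i == tamper_session:          # an intermediary swaps in a different public key
            msg = dict(msg, Q=G if msg["Q"] != G else ec_mul(2, G))
        try:
            ciphertext = ch.respond(msg, b"reading")
        except ValueError:
            return True, i
        if gw.receive(i, ciphertext) != b"reading":
            return False, None
    return True, None
```

simulate(5) runs five sessions and reports that the gateway decrypted every response, while simulate(5, tamper_session=3) reports the cluster head rejecting session 3 at the hash chain check, before any scalar multiplication is spent on it. That ordering is the point of the design in Section 3.5: per session the cluster head pays one hash for authentication and one elliptic curve multiplication for the key, and the signature is verified only once per chain.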

Security Analysis of the Proposed Scheme
The existing schemes are not able to protect past or future session keys if long-term keying materials are exposed to an attacker. The proposed scheme employs asymmetric key techniques to address this problem, specifically ECDH [21,22], considering the computation efficiency of cluster heads. Additionally, it employs a hash chain composed of digests of public keys generated by the gateway in order to resist MITM attacks or node impersonation attacks and to provide mutual authentication of the two nodes and verification of message integrity, considering computation and communication costs: (i) Data Encryption Using a Session Key. If the life cycle of the WSN is much longer than the time required for an attacker to obtain cryptographic keys through cryptanalysis or hacking, it is better in terms of security to use a session key instead of a long-term key [15,16,56]. In the proposed scheme,   or  encrypts/decrypts the data using keys renewed in every session. Therefore, it is relatively more difficult for an attacker to guess cryptographic keys in our proposed scheme than in long-term key-based schemes, because the information that he/she can obtain by eavesdropping on messages is limited and valid in only one session. Furthermore, even when an attacker succeeds in guessing the cryptographic keys, the damage is significantly reduced because he/she can decrypt the data of only one session. (ii) Session Key Attacks. This attack aims to obtain session keys by eavesdropping on the messages exchanged between two nodes. In the key establishment phase of the proposed scheme, even if an attacker eavesdrops on the key establishment request message {   ,  +1 } transmitted from  to   , he/she cannot compute the session key. Even if he/she can extract the public key of ,    (=    × ), from the message, it is very difficult to compute the private key of ,    , because of the elliptic curve discrete logarithm problem (ECDLP) [21,22]  or the result value of decryption is a meaningless random value, the session key  +1 is the wrong value. In this case,  cannot be sure that the message sender is   .
(iv) Node Impersonation Attacks. Node impersonation attacks in WSN mean that an attacker communicates with a legitimate node by impersonating a gateway, a sensor node, or a cluster head. In the proposed scheme, when  or   receives a message, it performs the authentication process for the message sender. Therefore, an attacker cannot impersonate  or   .
(v) MITM Attacks. This means that a malicious node decrypts or alters the messages transmitted between two legitimate nodes. The proposed scheme resists MITM attacks through the mutual authentication between  and   and the verification of the integrity of received messages.
In the hash chain setup phase, when   receives the message { 1 ,   ,  2 ,  1  ,   } from , it checks whether  1 is the first element of the hash chain generated by ; that is, it verifies the signature of  1 ,   . If this verification passes successfully, it means that the message sender is  and that the value of  1 was not altered during transmission. Each element of the hash chain,   , is the digest of    and  +1 , that is, ℎ(   ‖  +1 ). Nodes other than  are not able to compute    or  +1 from   because ℎ(⋅) is a one-way hash function. Therefore, after   completes one verification of  1 and   , the following ( − 1) key establishment request messages can be successively verified using  1 . That is, whenever   receives the key establishment request message {   ‖  +1 }, it compares   with the digest of    and  +1 to verify the message integrity. As a result, an attacker cannot alter the first element of the hash chain,  1 , because he/she cannot forge the signature of ,   . Also, he/she cannot alter the rest of the elements from  2 to   because of the characteristics of the one-way hash function.
Meanwhile, the message {   } transmitted from   to  is secure unless the session key is exposed to the attacker, because it is encrypted using the session key. Also, an attacker cannot alter this message without knowing the session key.
(vi) Secrecy of Past or Future Session Keys. This means that an attacker should not be able to compute past session keys that were already used in previous sessions or future session keys that will be generated in the following sessions, even when he/she obtains long-term keying materials. In the proposed scheme,  and   exchange their public keys,    and    , and generate the session key   (=    ×    =    ×    ) based on ECDH [21,22]. The parameters stored in   are  , and (   ,    ), where  , is a long-term key and (   ,    ) are values renewed in each session. When they are exposed to an attacker, past or future session keys are protected as follows.
Even if an attacker obtains  , , he/she is not able to compute the private key  , because of the integer factorization problem [42]. That is, because he/she cannot forge the signature of ,   , he/she cannot alter    transmitted from  to   .    and    are ephemeral keys renewed in each session. This means that   replaces    and    with  +1  and  +1  , respectively, at the end of the th session. Assume the worst-case scenario in which an attacker obtains the private key  +1  between the th and ( + 1)th sessions by some method. Even in this case, the proposed scheme protects the data transmitted before and after the ( + 1)th session. For example, if an attacker knows the private key of   ,  +1  , and eavesdrops on the message { +1  ,  +2 } transmitted from  to   in the ( + 1)th session, he/she can compute the session key and decrypt the message  +1  using  +1 . However, he/she cannot obtain any further information to recover the other session keys except  +1 from the decryption result of  +1  , ( +1 ‖  +2  ). As a result, the proposed scheme assures the confidentiality of the data transmitted in all sessions other than the ( + 1)th session.
(vii) Replay Attacks. In a replay attack, an attacker records messages transmitted in a security protocol and retransmits them later. The proposed scheme resists replay attacks as follows. The message transmitted from  to   is { 1 ,   ,  1  ,  2 ,   } in the hash chain setup phase or {   ,  +1 } in the key establishment phase. The former contains the current timestamp of the  system,   , which the receiver   checks against its own clock and the permitted delay window; its freshness therefore rests on loosely synchronized clocks between  and   and on the signature that binds the timestamp to the message. The latter consists of values that depend on the former, because both are elements of one hash chain: once   has advanced its stored chain value, a recorded request no longer hashes to that value and is rejected. Therefore, an attacker is not able to perform replay attacks using these messages.
The message {   } transmitted from   to  is a response to the hash chain setup request or to the key establishment request of , and it is encrypted under the session key of that session, which is derived from the ephemeral ECDH key pair renewed for each session. A recorded response therefore decrypts to nothing meaningful under a later session key, so an attacker cannot use this message for replay attacks.
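The following Python simulation is an added example written for this page, not code from the paper. It models the two checks the replay argument above relies on, the timestamp window of the setup request and the hash-chain check of the key establishment request, and shows a tampered request, a replayed request and a stale setup message all being rejected. The chain construction (v_i = h(x_i || v_{i+1}), built backwards from a random tail, with the cluster head storing the next value after each accepted request) is my reading of the hash chain used in the setup and key establishment phases; the RSA signature and the ECDH key pairs carried in the same messages are omitted, and the message field names are assumptions.

```python
"""Replay resistance of the hash chain checks in the proposed scheme.

Added example for this page; not the authors' code.  Chain construction is
my reading of the setup and key establishment phases: the gateway picks a
random x_i per session and a random tail, derives v_i = h(x_i || v_{i+1})
backwards, and the cluster head keeps one chain value v, accepting a request
{x_i, v_{i+1}} only if v == h(x_i || v_{i+1}) and then advancing v.
The RSA signature and the ECDH key pairs in the same messages are omitted.
"""
import hashlib
import os


def h(*parts: bytes) -> bytes:
    """The paper's one-way hash h(.), instantiated here with SHA-256."""
    return hashlib.sha256(b"".join(parts)).digest()


class Gateway:
    def __init__(self, sessions: int):
        # x_1..x_n are fresh secrets; v_{n+1} is the random tail of the chain.
        self.x = {i: os.urandom(32) for i in range(1, sessions + 1)}
        self.v = {sessions + 1: os.urandom(32)}
        for i in range(sessions, 0, -1):            # build the chain backwards
            self.v[i] = h(self.x[i], self.v[i + 1])
        self.next_session = 2                       # session 1 is the setup phase

    def setup_request(self, now: float) -> dict:
        """Hash chain setup phase: {v_1, x_1, v_2, T_G}; signature omitted."""
        return {"v1": self.v[1], "x": self.x[1], "v_next": self.v[2], "t": now}

    def key_request(self) -> dict:
        """Key establishment phase: {x_i, v_{i+1}} for the next session."""
        i = self.next_session
        self.next_session += 1
        return {"x": self.x[i], "v_next": self.v[i + 1]}


class ClusterHead:
    def __init__(self, max_delay: float):
        self.max_delay = max_delay                  # permitted transmission delay
        self.v = None                               # chain value kept for the next session

    def accept_setup(self, msg: dict, now: float) -> bool:
        """Timestamp window first, then v_1 == h(x_1 || v_2); store v_2 on success."""
        if abs(now - msg["t"]) > self.max_delay:
            return False
        if h(msg["x"], msg["v_next"]) != msg["v1"]:
            return False
        self.v = msg["v_next"]
        return True

    def accept_key_request(self, msg: dict) -> bool:
        """Stored value must equal h(x_i || v_{i+1}); then advance to v_{i+1}."""
        if self.v is None or h(msg["x"], msg["v_next"]) != self.v:
            return False
        self.v = msg["v_next"]
        return True


def run_demo(sessions: int = 4, max_delay: float = 5.0) -> dict:
    """Honest run, a tampered request, a replayed request and a stale setup."""
    gw, ch = Gateway(sessions), ClusterHead(max_delay)
    now = 1_700_000_000.0                           # constructed clock value
    setup = gw.setup_request(now)
    out = {"setup": ch.accept_setup(setup, now)}

    reqs = [gw.key_request() for _ in range(sessions - 1)]
    # An attacker flips one bit of x_2; without a preimage of v_2 this cannot pass.
    bad_x = bytes([reqs[0]["x"][0] ^ 0x01]) + reqs[0]["x"][1:]
    out["tampered"] = ch.accept_key_request({"x": bad_x, "v_next": reqs[0]["v_next"]})

    out["sessions"] = [ch.accept_key_request(r) for r in reqs]
    # Replaying the recorded session-2 request: the stored value has moved on.
    out["replayed"] = ch.accept_key_request(reqs[0])
    # Replaying the setup message to a fresh cluster head after the delay window.
    out["stale_setup"] = ClusterHead(max_delay).accept_setup(setup, now + max_delay + 1)
    return out


if __name__ == "__main__":
    print(run_demo())
```

One practical point the simulation makes visible: inside the delay window a replayed setup message would be accepted again by the same cluster head and reset its chain, so a deployment should additionally remember the last accepted setup timestamp (or chain head) and refuse a second setup that is not strictly newer, and keep the window as small as the clocks allow.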
(viii) Node Capture Attacks. This means that an attacker physically captures some nodes deployed in the WSN and extracts secret parameters from them for further attacks. In the proposed scheme, each cluster head establishes its own session key with . Therefore, the links between uncompromised nodes remain secure even when one cluster head is compromised by a node capture attack. For example, assume that an attacker captures   and extracts    ,    , or  , from it. The public key of ,  , , is preloaded into all cluster heads, not only   ; however, it is of no use for further attacks, because the attacker cannot compute the private key  , from  , . Also,    and    are not shared with any node other than   , so from these two values the attacker can obtain only the session key between   and , not the session keys of other cluster heads.
Table 1 compares the security of the proposed scheme with that of other schemes having similar design requirements: for each scheme it shows whether it resists each attack possible against key establishment schemes or provides each security functionality. The table shows that the proposed scheme is clearly improved in terms of security. In Appendices A through D, we review and analyze the security of the schemes proposed by Chen and Li [16] and by Lee and Kim [17].

Energy Cost Analysis of the Proposed Scheme
In this section, we analyze the efficiency of the proposed scheme in terms of computation and communication costs.
Note to Table 1. Yes: the scheme resists the attack or provides the functionality; No: the scheme does not resist the attack or provide the functionality; Partially: "Yes" on the condition that the secret parameters stored in   have not been exposed to an attacker.
Computation costs refer to the number of times each operation is performed on a cluster head or a gateway in a scheme. Communication costs refer to the number of messages exchanged between two nodes in a scheme. In a WSN, these two costs affect the energy consumption of nodes [28][29][30]. In addition, we compare the computation and communication costs of our scheme with those of existing schemes that are similar to ours in terms of design requirements or key establishment techniques. We focus on the repeatedly performed phases, that is, the hash chain setup phase and the key establishment phase, and exclude the predeployment phase. The predeployment phase does not directly affect the efficiency because it is performed only once, prior to the deployment of sensor nodes and cluster heads in the field. Table 2 shows the kinds of operations and the number of times they are performed on a cluster head or gateway in the proposed scheme during  sessions. In the proposed scheme, the hash chain setup phase is performed once, and the key establishment phase is performed ( − 1) times:
Table 3 likewise shows the types of operations and the number of times they are performed on a cluster head or gateway in Lee and Kim's scheme [17] during  sessions. In terms of design requirements and key establishment techniques, our scheme is closest to that of Lee and Kim. To analyze the energy costs of the proposed scheme, we define the following notation:
(i)   : the energy cost of signing with a 1024-bit RSA signature.
(ii)  V : the energy cost of verifying a 1024-bit RSA signature.
(iii) : the energy cost of computing a SHA-1 hash.
(iv) : the energy cost of a 64-bit AES encryption.
(v) : the energy cost of a 64-bit AES decryption.
(vi)   : the energy cost of a 1024-bit DHKE key generation.
(vii)   : the energy cost of a 1024-bit DHKE key exchange.
(viii)   : the energy cost of a 163-bit ECDH key generation.
(ix)   : the energy cost of a 163-bit ECDH key exchange.
Note to Table 4. The values are taken from [28]. We assume that the cluster head transmits a total of  bytes of data to the gateway during  sessions.
Potlapally et al. [28] measured the energy consumption of well-known cryptographic algorithms and security protocols experimentally; Table 5 lists the values used here.
Table 4 shows the energy costs of our scheme and of Lee and Kim's scheme, obtained by combining the computation cost analysis of the two schemes with the measurements of Potlapally et al. Assume that the cluster head transmits a total of  bytes of data to the gateway during  sessions. To perform the proposed scheme, the gateway uses about 546.50 + 440.20 + 0.00121 mJ (=   +  +  +   +   ): the RSA signing cost (546.50 mJ), the ECDH key generation and key exchange costs (276.70 + 163.50 = 440.20 mJ), and the hashing and AES cost for the transmitted data (0.00121 mJ). The cluster head uses about 15.97 + 440.20 + 0.00121 mJ (=  V +  +  +   +  ), where RSA verification (15.97 mJ) takes the place of signing. Under the same conditions, in Lee and Kim's scheme the gateway uses about 1922.46 + 0.00242 mJ (=  +  +  +   +   ), the 1922.46 mJ being the DHKE key generation and key exchange costs (875.96 + 1046.50 mJ), and the cluster head uses about 1046.50 + 0.00242 mJ (=  +  +   ), the 1046.50 mJ being the DHKE key exchange cost.
Given that the cluster heads are battery-powered, the energy cost at the cluster head matters more than that at the gateway. Table 4 shows that the cluster head's energy cost in our scheme is smaller than that in Lee and Kim's scheme (15.97 + 440.20 + 0.00121 mJ < 1046.50 + 0.00242 mJ). Therefore, in terms of energy consumption based on computation costs, the proposed scheme is more efficient than Lee and Kim's scheme. The difference comes from the two key exchange algorithms, 163-bit ECDH and 1024-bit DHKE: the two provide the same security level, but ECDH key generation plus key exchange consumes less than a quarter of the energy of their DHKE counterparts (276.70 + 163.50 = 440.20 mJ versus 875.96 + 1046.50 = 1922.46 mJ in Table 5) [28]. Meanwhile, the RSA signature verification in the proposed scheme does not significantly affect the total energy cost of   , even though it is an asymmetric-key operation, because over  sessions it is performed only once, in the hash chain setup phase, and verification is far cheaper than signing in RSA (15.97 mJ versus 546.50 mJ in Table 5) [15,28]. Note that Table 4 covers only the phases repeated per session and only computation; the one-time predeployment phase and the radio energy of transmitting the messages are outside it.

Communication Costs.
Communication costs as well as computation costs affect the energy costs of cluster heads [29,30]. In our scheme, the messages { 1 ,   ,  2 ,  1   ,   } and { 1   } are exchanged between the cluster head and the gateway in the hash chain setup phase, while the messages {   ,  +1 } and {   } are exchanged in the key establishment phase. That is, two message exchanges are needed between the two nodes per session, the same number as in Lee and Kim's scheme and one fewer than the three messages of Chen and Li's scheme. The proposed scheme thus keeps the number of messages at the minimum of a request/response exchange while providing session key establishment, node authentication, and data encryption within those two messages.

Conclusion
In this paper, we propose a session key establishment scheme for clustered sensor networks based on ECDH [21,22] and hash chain [23][24][25][26][27].Our proposed scheme is secure against the possible attacks in key establishment schemes of WSN such as session key attacks, node impersonation attacks, MITM attacks, replay attacks, and node capture attacks.
The scheme eliminates vulnerabilities of existing session key establishment schemes for WSN and provides secrecy of past or future session keys.Additionally, the proposed scheme is designed to minimize the number of messages for efficiency in terms of communication costs.Also, it is more efficient in terms of computation costs compared to other schemes based on asymmetric key techniques.Because of the efficiency of the proposed scheme, the cluster head requires less energy to operate.

A. Review of Chen and Li's Scheme
In Chen and Li's scheme [16], two secret parameters   and  −1 are preloaded into   before the nodes are deployed to the field.  knows every secret parameter of the cluster heads and sensor nodes in the network. After the nodes are deployed,   performs the following steps (CL-1) to (CL-10) in order to transmit data to  (in [16], Chen and Li's scheme consists of two parts, data transmission from the sensor node to the cluster head and from the cluster head to the gateway; this appendix reviews only the latter, which is relevant to our topic). In the first session, all of the steps (CL-1) to (CL-10) are performed. From the second session on, all steps except (CL-1) and (CL-3) are repeated in each session. Figure 5 shows session key establishment between the gateway and the cluster head in Chen and Li's scheme: (CL-1)   computes  1 = ℎ(  ‖  −1 ) using its secret parameters   and  −1 .   will use the result  1 as the session key to communicate with .

B. Cryptanalysis of Chen and Li's Scheme
In the th session of Chen and Li's scheme,   or  encrypts the message using the session key   and then transmits it to the other node. Before the end of the session, the two nodes separately compute the new session key  +1 = ℎ(  ‖  −1 ) for the next session and replace the secret parameters   and  −1 with  +1 and   , respectively. The following analyzes the security of their scheme against possible attacks on key establishment schemes for WSN: (i) Session key attacks and MITM attacks: session key attacks mean that an attacker obtains session keys by eavesdropping on the messages exchanged between two nodes. MITM attacks refer to attacks in which an attacker eavesdrops on or alters the messages transmitted between two legitimate nodes. In Chen and Li's scheme, an attacker cannot compute the session key  +1 (= ℎ(  ‖  −1 )) from the transmitted messages alone without knowing the secret parameters   and  −1 stored in   .
(ii) Node impersonation attacks: this attack means that an attacker impersonates a gateway or a cluster head in order to communicate with legitimate nodes. Chen and Li's scheme does not provide any explicit node authentication process. However, an attacker cannot impersonate  or   without knowing secret parameters such as (  ,  −1 ) or (  ,  −1 ), because the secret parameters are unique to   and , and the two nodes encrypt/decrypt messages using the session keys derived from them.
Figure 5: Session key establishment between the gateway and the cluster head in Chen and Li's scheme (redrawn from [16]). The operations legible from the figure, on the cluster head CH_j holding (a_j, a_{j−1}):
  sk_1 = h(a_j ‖ a_{j−1})
  C_1 = ENC_{sk_1}(sensor_list ‖ ID_j ‖ RN_j)
  ID_g ‖ key_list ‖ RN*_j ‖ RN_g = DEC_{sk_1}(C_g); RN*_j =? RN_j
  decrypts the data received from the sensor nodes using the decrypted key list and computes data_1
  C_1^data = ENC_{sk_1}(data_1 ‖ RN_g ‖ ID_j)
  sk_2 = h(sk_1 ‖ a_j); both nodes replace a_j and a_{j−1} with sk_1 and a_j
(iii) Secrecy of past session keys: this means that an attacker should be unable to compute the past session keys already used in previous sessions even when the long-term keying materials are exposed. In Chen and Li's scheme, because of the one-way property of the hash function, an attacker who obtains   and  −1 from   cannot invert the hash to recover the session keys of earlier sessions, that is, from the first session to the ( − 1)th session [16]. Note, however, that the update rule in (CL-10) stores the session key itself as the new   (and the old   as the new  −1 ): the pair held at the start of a session is therefore the two most recent session keys, which are exposed directly on capture, and only the session keys before those two are protected by the hash.
(iv) Secrecy of future session keys: this means that an attacker should be unable to compute the future session keys to be generated after the current session even when the long-term keying materials are exposed. If an attacker obtains   and  −1 of   , he/she can compute every future session key to be generated in the th and following sessions simply by running the same hash update. That is, their scheme cannot assure the confidentiality or integrity of any message transmitted from the th session until the  system determines that the secret parameters of   are compromised.
(v) Node capture attacks: this means that an attacker captures sensor nodes or cluster heads deployed in the target field and uses secret parameters extracted from them for other attacks.Because   and  −1 are derived from unique values   and  −1 for   , the link between uncompromised nodes is still secure even when an attacker captures   and extracts the secret parameters   and  −1 from it.
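To make the key update of (CL-1) and (CL-10) concrete, here is an added Python example (not code from [16] or from this paper) that runs the hash ratchet and then replays it from a captured (a_j, a_{j−1}) pair. It shows that every session key after the capture point follows from the captured pair, and that the pair itself consists of the two most recent session keys, so only keys from earlier sessions remain secret. SHA-256 stands in for h(·), and the initial parameters are random bytes generated inside the example.

```python
"""Chen and Li's session key ratchet and what a node capture reveals.

Added example for this page, not code from [16] or from the paper under
review.  It implements (CL-1) and (CL-10) as written on the page:
sk_i = h(a_j || a_{j-1}) and, after the session, a_j <- sk_i, a_{j-1} <- old a_j.
SHA-256 stands in for the unspecified hash h(.); the initial parameters are
random bytes generated here; the capture point is a parameter of the demo.
"""
import hashlib
import os


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


class ChenLiNode:
    """State (a_j, a_{j-1}); the same logic runs at the gateway and at CH_j."""

    def __init__(self, a_j: bytes, a_jm1: bytes):
        self.a_j, self.a_jm1 = a_j, a_jm1

    def session_key(self) -> bytes:            # (CL-1): sk = h(a_j || a_{j-1})
        return h(self.a_j, self.a_jm1)

    def ratchet(self, sk: bytes) -> None:      # (CL-10): a_j <- sk, a_{j-1} <- a_j
        self.a_j, self.a_jm1 = sk, self.a_j


def session_keys(a_j: bytes, a_jm1: bytes, count: int) -> list:
    """Keys of `count` consecutive sessions starting from state (a_j, a_{j-1})."""
    node, keys = ChenLiNode(a_j, a_jm1), []
    for _ in range(count):
        sk = node.session_key()
        keys.append(sk)
        node.ratchet(sk)
    return keys


def state_before_session(a_j: bytes, a_jm1: bytes, i: int) -> tuple:
    """The (a_j, a_{j-1}) pair held when session i (1-based) is about to start."""
    node = ChenLiNode(a_j, a_jm1)
    for sk in session_keys(a_j, a_jm1, i - 1):
        node.ratchet(sk)
    return node.a_j, node.a_jm1


def capture_demo(total: int = 6, capture_at: int = 4) -> dict:
    """Attacker extracts the state before session `capture_at` and derives keys."""
    a_j, a_jm1 = os.urandom(32), os.urandom(32)           # constructed secrets
    real = session_keys(a_j, a_jm1, total)
    cap_a_j, cap_a_jm1 = state_before_session(a_j, a_jm1, capture_at)
    # Every later key follows from the captured pair by running the same ratchet.
    future = session_keys(cap_a_j, cap_a_jm1, total - capture_at + 1)
    # The captured parameters themselves are past session keys once capture_at >= 2.
    directly_exposed = [k for k in (cap_a_j, cap_a_jm1) if k in real]
    known = set(future) | set(directly_exposed)
    return {
        "future_matches": future == real[capture_at - 1:],
        "directly_exposed_sessions": sorted(real.index(k) + 1 for k in directly_exposed),
        "still_secret_sessions": [n + 1 for n, k in enumerate(real) if k not in known],
    }


if __name__ == "__main__":
    print(capture_demo())
```

With six sessions and a capture before session 4, the attacker obtains sk_4 to sk_6 by running the ratchet and reads sk_2 and sk_3 straight out of the captured pair; only sk_1 is protected by the hash. A capture before session 1 exposes every key of the run.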

C. Review of Lee and Kim's Scheme
Lee and Kim proposed a session key establishment scheme based on Diffie-Hellman key exchange (DHKE) technique [46] for secure communication between the gateway and the cluster head [17].Before nodes are deployed in the field, a large prime for modulus operations, , and a primitive element,  ( ∈  *  ), are stored in each cluster head and the gateway.After cluster heads are deployed in the field, procedure 1 is performed for the first session and procedure 2 is performed for the second and subsequent sessions.Figure 6 illustrates both procedures.In procedure 1, the following steps ((LK-1) to (LK-5)) are performed for key setup: (LK-1) The cluster head   computes the hashed value of ,  = ℎ().Then, it generates a random number   and encrypts   and its identity   using the key ; that is,   =   (  ‖   ).Then,   transmits the key setup request message {  ,   } to .
(LK-2) Upon receiving the message from   ,  computes the key  = ℎ() and then decrypts   using the key ; that is,   ‖   =   (  ). generates a random number   and computes the session key  1 =    ⋅  mod .
(LK-3)  computes   =    mod  and encrypts the result   and its identity   using the key ; that is,   =   (  ‖   ).Then, it returns the message {  } to   .
(LK-4) Upon receiving the message {  } from ,   decrypts   using the key . Then,   computes the first session key from the decrypted value and its own random number.
(LK-5)   encrypts  1 using the session key  1 and transmits the result to . Then,  decrypts the message to obtain  1 .
Procedure 2 comprises the following steps ((LK-6) to (LK-10)) and is performed for   to transmit data to  in the second and subsequent sessions:
(LK-6)  generates a new random number    and computes ℎV = ℎ( −1 )    , where  −1 is the previous session key shared with   .
(LK-7)  computes a new session key   =    ⋅ℎV mod , where   is the random number received from   in procedure 1.
(LK-8)  computes    =  ℎV mod  and encrypts the result    and   using the key ; that is,    =   (  ‖    ).Then, it sends the message {   } to   .
(LK-9) Upon receiving the data request message {   } from ,   decrypts    using the key .Then,   computes a new session key   = (   )   mod .
(LK-10)   encrypts   using the session key   and then transmits the result    to .Then,  decrypts    using the key   to obtain   .

D. Cryptanalysis of Lee and Kim's Scheme
In procedure 1 of Lee and Kim's scheme,   and  exchange their random numbers   and   in order to share the first session key  1 (=    ⋅  mod ). In procedure 2, they compute the session key   =  ℎV⋅  mod  for the second and subsequent sessions, where    is a new random number of  and ℎV = ℎ( −1 )    . However,  and  are likely to be exposed to attackers: they are shared not only by   and  but by every cluster head in the network, and they are long-term parameters used throughout the lifetime of the network. Because every message of the scheme is protected only by  = ℎ(), knowledge of  amounts to knowledge of a network-wide symmetric key. If  and  are exposed to an attacker, the scheme is vulnerable to node impersonation attacks and MITM attacks and cannot assure the secrecy of future session keys. The following analyzes the security of Lee and Kim's scheme against possible attacks on key establishment schemes for WSN: (i) Session key attacks: in this scheme, all messages exchanged between  and   are encrypted with the key . Therefore, an attacker cannot recover session keys from these messages alone without knowing the secret parameters  and .
(ii) Node impersonation attacks and MITM attacks: upon receiving a message,  or   only checks whether the message decrypts correctly under the key ; there is no sender authentication.
Even if an attacker obtains the value of  from another cluster head, not from   , he/she can compute the key  = ℎ() and transmit data request messages to   exactly as  would, or alter the messages in transit.
(iii) Secrecy of future session keys:   stored in   is a random number but is a long-term parameter that is never updated; moreover, it is sent to  in (LK-1) encrypted only under . If an attacker obtains   after the th session has ended (for instance, by decrypting the recorded (LK-1) message with ), he/she can compute the future session keys between  and   in all following sessions, since each of them is the received value raised to the power   . In this case, neither confidentiality nor integrity of the data encrypted using these session keys can be guaranteed.
(iv) Replay attacks: this means that an attacker resends messages transmitted in a security protocol. In their scheme,   neither checks random numbers or timestamps nor authenticates , so it cannot recognise a replayed data request from . An attacker can therefore rebroadcast one recorded data request to cluster heads repeatedly, forcing each of them to compute a new session key by modular exponentiation and to re-encrypt its data, which amounts to a DoS attack on the WSN.
(v) Node capture attacks: in their scheme, if an attacker extracts the values of , , and   from one cluster head in the target area, he/she can compromise even the links with other cluster heads, because  = ℎ() is the same on every node. This vulnerability is more serious when new cluster heads are added for expansion or changes in the network. When a new cluster head starts procedure 1 for key setup,  and the new cluster head exchange their random numbers encrypted under the key . If an attacker already knows  through a node capture attack on an existing cluster head, he/she can perform node impersonation attacks, MITM attacks, and so forth by eavesdropping on the exchanged messages or altering the random numbers.
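The following Python example, added for this page and not taken from [17] or from this paper, plays procedure 1 and procedure 2 with a gateway, a cluster head and an attacker who knows only (p, g) and therefore K = h(g). It shows the attacker reading r_CH from the recorded (LK-1) message, impersonating the gateway in (LK-8) to obtain the cluster head's data, and replaying an old data request that the cluster head accepts again. The group parameters are toy values, the cipher is an HMAC keystream stand-in for AES, the identities are made up, and the way h(sk_{i−1}) is combined with the gateway's new random number in (LK-6) is assumed to be multiplication modulo p−1, since that operator is not legible on the page; none of these choices affect the attacks shown.

```python
"""Lee and Kim's DHKE scheme with an attacker who knows only (p, g).

Added example for this page, not the code of [17] or of this paper.
Assumptions: P is a toy Mersenne prime and G a fixed base (far below a real
security level); enc/dec are an HMAC-SHA256 keystream XOR standing in for
AES; in (LK-6) h(sk_{i-1}) is combined with the gateway's new random number
by multiplication modulo p-1 (the operator is not legible on the page).
The receiver's only check is the scheme's own: the payload ends with the
expected identity after decryption.
"""
import hashlib
import hmac
import os

P = 2**127 - 1                 # toy modulus (assumed)
G = 3                          # toy base (assumed)
ID_G, ID_CH = b"GW", b"CH1"    # identities (assumed)

def h(b): return hashlib.sha256(b).digest()
def i2b(x): return x.to_bytes(16, "big")
def b2i(b): return int.from_bytes(b, "big")
def rand_exp(): return 2 + b2i(os.urandom(16)) % (P - 3)   # exponent in [2, p-2]

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]

def enc(key, pt):                                   # stand-in for ENC_K(.)
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))

def dec(key, ct):                                   # stand-in for DEC_K(.)
    nonce, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class ClusterHead:
    def __init__(self, data):
        self.K = h(i2b(G))                          # K = h(g), identical on every node
        self.r = rand_exp()                         # r_CH, never refreshed
        self.data, self.sk = data, None
    def setup_request(self):                        # (LK-1): ENC_K(r_CH || ID_CH)
        return enc(self.K, i2b(self.r) + ID_CH)
    def finish_setup(self, c_g):                    # (LK-4), (LK-5)
        self.sk = i2b(pow(b2i(dec(self.K, c_g)[:16]), self.r, P))
        return enc(self.sk, self.data)
    def handle_data_request(self, c):               # (LK-9), (LK-10)
        pt = dec(self.K, c)
        if pt[16:] != ID_G:                         # the scheme's only acceptance check
            return None
        self.sk = i2b(pow(b2i(pt[:16]), self.r, P))
        return enc(self.sk, self.data)

class Gateway:
    def __init__(self):
        self.K, self.r_ch, self.sk = h(i2b(G)), None, None
    def answer_setup(self, c_ch):                   # (LK-2), (LK-3)
        self.r_ch = b2i(dec(self.K, c_ch)[:16])
        r_g = rand_exp()
        self.sk = i2b(pow(G, r_g * self.r_ch, P))
        return enc(self.K, i2b(pow(G, r_g, P)) + ID_G)
    def data_request(self):                         # (LK-6) to (LK-8)
        hv = (b2i(h(self.sk)) * rand_exp()) % (P - 1)   # assumed combination
        self.sk = i2b(pow(G, hv * self.r_ch, P))
        return enc(self.K, i2b(pow(G, hv, P)) + ID_G)
    def read(self, c):
        return dec(self.sk, c)

class Attacker:
    """Holds (p, g) from any captured cluster head, hence K = h(g) as well."""
    def __init__(self):
        self.K, self.r_ch, self.sk = h(i2b(G)), None, None
    def eavesdrop_setup(self, c_ch):                # r_CH travels under K in (LK-1)
        self.r_ch = b2i(dec(self.K, c_ch)[:16])
    def forge_data_request(self):                   # plays the gateway in (LK-8)
        r_a = rand_exp()
        self.sk = i2b(pow(G, r_a * self.r_ch, P))
        return enc(self.K, i2b(pow(G, r_a, P)) + ID_G)
    def read(self, c):
        return dec(self.sk, c)

def run_demo(data=b"sensor readings"):
    ch, gw, atk = ClusterHead(data), Gateway(), Attacker()
    c_ch = ch.setup_request()                       # procedure 1, overheard by atk
    atk.eavesdrop_setup(c_ch)
    first = gw.read(ch.finish_setup(gw.answer_setup(c_ch)))
    req = gw.data_request()                         # procedure 2, honest round
    second = gw.read(ch.handle_data_request(req))
    stolen = atk.read(ch.handle_data_request(atk.forge_data_request()))
    replayed = ch.handle_data_request(req)          # recorded request, sent again
    return {"honest_ok": first == data and second == data,
            "stolen": stolen, "replay_accepted": replayed is not None}
```

Swapping in ECDH or a 2048-bit group changes nothing here: the attacks use the shared key K = h(g) and the fixed r_CH, not the hardness of the discrete logarithm, which is why the proposed sche's per-node signed setup and per-session ephemeral keys are the relevant fix rather than a larger group.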

Notations
  : Session key for the th session
‖: Concatenation operation
≤? or =?: Verification operation
  or   : Current timestamp of  or  
Δ: The maximum permitted transmission delay time

Figure 1: The flow of the sensed data in a clustered sensor network.In practice, the data is transmitted hop-by-hop between nonneighboring nodes.

Figure 2: Hash chain generation in the proposed scheme.

Figure 3: Hash chain setup phase of the proposed scheme.

Figure 4: Key establishment phase of the proposed scheme.

Predeployment phase (fragments displaced from Figure 3 and Section 3.4):
(...  1  ,  1  ) as described in Section 3.4. (P-4) The two keys  1  and  1  are preloaded into   .  1  is not shared with any cluster heads or sensor nodes other than   .  1  is stored in the database of . When this phase is completed, ( , ,  , ) and 1 are preloaded into . ( 1  ,  1  ) and  , are preloaded into   . The private key of ,  , , and the private key of   , 1 , are secret parameters that cannot be shared with other nodes.
Hash chain setup phase (fragments displaced from Figure 3):
(H-3)  signs the values using its private key  , ; that is,   =   , ( 1 ‖   ‖   ), where   is the identity of  and   is the current timestamp of the  system. Then,  transmits the message { 1 ,   ,  2 ,  1  ,   } to   .
(H-4) The cluster head determines whether (  −   ) ≤ Δ, where   is the current timestamp of the   system and Δ is the maximum permitted transmission delay time. If (  −   ) ≤ Δ, the next step proceeds; otherwise, this phase is aborted.
(H-5)   verifies   using the preloaded public key  , ; that is,   performs   , (  ,  1 ‖   ‖   ).
(H-6)   compares the hash of  1  and  2 with  1 . Since  1 = ℎ( 1  ‖  2 ) and it is very difficult to compute  1  or  2 from  1 because of the one-way hash function,   can verify that  1  and  2 were generated by  and not altered during transmission by checking  1 = ℎ( 1  ‖  2 ). If the verification succeeds,   stores  2 and the next step is performed.
(H-7) The cluster head generates a pair of private and public keys ( 2  ,  2  ) for ECDH [21,22] in the next session.
(H-8)   computes the session key  1 =  1  ×  1  for this first session. Then,   replaces ( 1  ,  1  ) with ( 2  ,  2  ).
(H-9)   encrypts  1 and  2  using the session key  1 ; that is, it performs  1  =   1 (  ‖  1 ‖  2  ), where  1 is the data that   wants to transmit to  in this session. Then,   transmits the message { 1  } to .
(H-10) Upon receiving the message from   ,  finds [  ,  1  ] in its database and computes the session key  1 =  1  ×  1  .
(H-11)  decrypts  1  using  1 . If the decryption is completed and the result values ( *  ‖  1 ‖  2 […]
Key establishment phase (fragments displaced from Figure 4):
(K-1)  transmits the key establishment request message {   ,  +1 } to   .
(K-2)   computes ℎ(   ‖  +1 ) and verifies that   = ℎ(   ‖  +1 ), where   was stored in the previous session. If the verification passes,   replaces   with  +1 and the next step is performed.
(K-3)   computes the session key   =    ×    .
(K-4)   generates its new private and public keys ( +1  ,  +1  ) for the next session.
(K-5)   encrypts   and  +1  using the session key   ; that is,    =    (   ‖   ‖  +1  ), where   is the data that   wants to transmit to  in this session and   is the identity of   . Then, it transmits the response message {   } to .
(K-6) When  receives the message from   , it finds [  ,    ] in its database and computes the session key   =    ×    .
(K-7)  decrypts    using   and determines whether the decryption result is correct. If the verification passes,  can authenticate   as the message sender and verify that the message was not altered during transmission.  replaces [  ,    ] with [  ,  +1  ] in its database.
Node impersonation attacks (fragment of the security analysis displaced from the main text):
 transmits its public key  1  and its signature   to   .   verifies  1  and   using the public key of ,  , . If the verification passes,   can authenticate  as the sender of  1 . An attacker cannot impersonate  because he/she cannot forge the signature   without knowing the private key of ,  , . Meanwhile,   generates the public key  +1  for the ( + 1)th session and transmits it to  in the th session; then  stores this  +1  in its database. When  receives the message { +1  } from   in the next, ( + 1)th, session, it finds the public key of   ,  +1  , in its database and computes the session key  +1 =  +1  ×  +1  . If  can decrypt  +1  using  +1 , that is, if the decryption result is a correct plaintext, then  can authenticate   as the sender of the message { +1  }. However, if  fails to decrypt  +1  […] Also, the private key of  or   , […]

Table 1: Security comparison of the proposed scheme.

Table 2: Computation cost analysis of the proposed scheme (during  sessions).

Table 4: Energy costs comparison of the proposed scheme (during  sessions).
* Energy cost comparison based on the experimental results in [28]. These values are the experimental results in [28], in which the cryptographic algorithms were implemented on a Compaq iPAQ H3670 equipped with a 206 MHz Intel SA-1110 StrongARM processor and 64 MB RAM.
(CL-2)   transmits { 1 ,   } to  to request the keys needed to decrypt the data received from the sensor nodes. Here,  1 =   1 (  ‖   ‖   ), where   is the list of sensor nodes that sent the data,   is the identity of   , and   is a random number generated by   .
(CL-3) When  receives the request message { 1 ,   }, it finds the secret parameters   and  −1 of   in its database and computes the session key  1 .
(CL-4)  decrypts  1 using  1 ; that is,   ‖   ‖   =   1 ( 1 ).
(CL-5)  computes   =   1 (  ‖   ‖   ‖   ), where   is the identity of ,   is the list of decryption keys for   , and   is a random number generated by . Then, it returns the response message {  ,   } to   .
(CL-6) When   receives the response message {  ,   } from , it decrypts   using the key  1 ; that is,   ‖   ‖  *  ‖   =   1 (  ). Then,   compares   with  *  , where   is the random number generated in step (CL-2) and  *  is the corresponding part of the decrypted result (  ‖   ‖  *  ‖   ). If the verification passes, the next step is performed.
(CL-7)   decrypts each piece of data received from the sensor nodes using the decryption keys in   . Then,   derives  1 from the decrypted results for transmission to .
(CL-8)   encrypts  1 using the session key  1 ; that is,  1  =   1 ( 1 ‖   ‖   ). Then, it transmits the message { 1  ,   } to .
(CL-9) When  receives the message { 1  ,   }, it decrypts  1  using  1 ; that is,  1 ‖  *  ‖   =   1 ( 1  ). Then,  compares  *  with   . If the verification passes,  can use  1 .
(CL-10)   and  separately compute the next session key  2 = ℎ( 1 ‖   ) and replace the secret parameters   and  −1 with  1 and   , respectively.
: Gateway node
  : th cluster head
  : Identity of 
  : Identity of   
 , ,  , : Private and public keys of  for the RSA signature scheme [42]
   ,    : Private and public keys of   for elliptic curve Diffie-Hellman key exchange (ECDH) [21, 22]
  (): Signing of a message  with a key  in the RSA signature scheme [42]
  (, ): Verification of a message  and its signature  with a key  in the RSA signature scheme [42]
  (): Encryption of a plaintext  using a symmetric key 
  (): Decryption of a ciphertext  using a symmetric key 
ℎ(⋅): One-way hash function
  or   : Random number generated by  or   
  : Data that   transmits to  in the th session