BAS : The Biphase Authentication Scheme for Wireless Sensor Networks

Thedevelopment of wireless sensor networks can be considered as the beginning of a new generation of applications. Authenticity of communicating entities is essential for the success of wireless sensor networks. Authentication in wireless sensor networks is always a challenging task due to broadcast nature of the transmissionmedium. Sensor nodes are usually resource constrained with respect to energy, memory, and computation and communication capabilities. It is not possible for each node to authenticate all incoming request messages, whether these request messages are from authorized or unauthorized nodes. Any malicious node can flood the network by sending messages repeatedly for creating denial of service attack, which will eventually bring down the whole network. In this paper, a lightweight authentication scheme named as Biphase Authentication Scheme (BAS) is presented for wireless sensor networks. This scheme provides initial small scale authentication for the request messages entering wireless sensor networks and resistance against denial of service attacks.


Introduction
A wireless sensor network (WSN) consists of a number of tiny devices called sensor nodes and a base station.These tiny devices may be few or thousands in number; it depends on the size of network.Sensor nodes can be easily deployed and the distance is normally less than few meters between two sensor nodes.Sensors can cooperate with each other to observe physical or environmental situations such as temperature, motion, and pressure.Nodes are used to detect, collect, and process environmental data.Due to small size, sensor nodes are resource constrained with respect to energy, memory, and computational and communicational capabilities [1,2].Nodes life period depends on their battery power.The base station is authoritative data processing and storage center and it is also called sink [3].It usually serves as entryway to another network, is more dominant, and is resource enriched than sensor nodes.Any new node which wants to join the existing network, whether it is authentic user or not, is checked through base station [4].
There are two types of devices defined in IEEE 802.15.4 for WSN [5].These devices are full-function devices (FFDs) and reduced-function devices (RFDs).RFDs have minimal resources and less memory capacity than FFDs.FFDs act as a personal area network (PAN) coordinator [6] but RFDs only work as worker node.FFDs can communicate with RFDs and all other FFDs in network, but RFDs can only communicate with near neighboring RFDs and FFDs.
WSNs are used in healthcare applications, military applications, environment and habitat monitoring, home automation, and traffic control.Due to their extensive usage in various domains, authenticity of communicating entities is vital for proper functionality of WSN.The purpose of authentication is to enable a sensor node to make sure of the identities of entities communicating with it.Authentication in WSNs is always a stimulating task due to the wireless nature of transmission media.The following two characteristics of WSNs make it challenging to provide an authentication mechanism for secure communication in WSNs.
(1) Resource Constraints.Sensor nodes have limited communicational and computational capabilities.Nodes have limited memory and energy availability.As sensor nodes are resource constrained [7][8][9], it is not possible for each node to authenticate all incoming request messages, whether these request messages are from authorized or unauthorized nodes.Any malicious node can easily send request message to join the network.All these resource constraints require that the authentication process should be efficient and lightweight for effective working of WSNs.
(2) Network Constraints.WSNs use wireless open channel.An invader can easily get access to the network and insert bogus messages in network.The network may transmit these fake request packets inserted by an invader many hops before they are identified by base station.Any malicious node can flood the network by sending fake request messages repeatedly to bring down the network by creating denial of service (DoS) attack.This results in consumption of network bandwidth and nodes energy, obstruction of communication among nodes, and disruption of the service to a specific system.As a result, it makes the system or service unavailable for the legitimate users.All these problems inversely affect the network lifetime and gradually reduce the functionality as well as the overall performance of the entire network.So there is requirement of some authentication mechanism, which can prevent the transmission of messages in the network, injected by an adversary, and provide partial authentication if not complete at initial message exchange time.
This research aims to exploit the problems of authentication in WSNs.In this study, an authentication scheme named as "Biphase Authentication Scheme" is proposed to make authentication process efficient and to overcome the authentication vulnerability in WSNs.The purpose of this scheme is to (i) defend sensor network against DoS attack, (ii) reduce network traffic, (iii) save nodes battery powers, (iv) increase the lifetime of WSN.
The functionality as well as the performance of the entire network improves by using the proposed scheme.
This paper is divided into following sections.Section 2 presents security requirements for WSNs, and some existing protocols, used for authentication process in WSNs, are reviewed with their advantages and limitations indicated.Section 3 provides an overview of the authentication process in WSNs.The main objective of this section is to introduce an authentication scheme named as Biphase Authentication Scheme (BAS) for WSNs.Section 4 highlights the network model used for performance evaluation.Section 5 provides the results obtained from the analysis of BAS by comparing it with previously proposed methods.Conclusion and recommendations for future work are presented in Sections 6 and 7, respectively.

Sensor Protocol for Information via Negotiation (SPIN).
SPIN is a security scheme that provides authentication for WSN.It provides security but with great consumption of energy.SPIN has two main components, secure network encryption protocol (SNEP) and micro timed efficient stream loss-tolerant authentication (TESLA) [10].
SPIN provides confidentiality, two-party data authentication, data integrity, and data freshness [11].This protocol uses the trusted third party, which is central key distribution center (KDC), and overall communication between nodes takes place through it.In this scheme all key creation activities are performed through the base station.Its responsibility is to authenticate and create the session keys between nodes and send shared keys to communicating nodes.The KDC can communicate with nodes either directly or indirectly.In SPIN every node and the server share a unique key.Each node has an individual shared master key and this key is used for validation purpose of node by base station.All further keys are evaluated from the shared key.
This protocol depends on KDC for communication.Session keys are created and distributed through KDC.There is a lot of burden on base station in this scheme.Two nodes cannot directly establish a secret key with each other.If they wish to create secure communication session keys, they must first talk with the base station.In enormous scale network, the base station is many hops away.This feature is a drawback of this protocol; all the information passes through the base station.The traffic flow on sensor nodes nearby the base station is increased which results in consumption of energy [12].
In SPIN protocol, no proper solution is provided for information leakage or if a node is captured.The scalability of SPIN protocol is limited and it cannot easily applied to large scale sensor networks.It also suffers from denial of service (DoS) attack [13].An adversary can easily send a request to the target node, and the target node forwards its request to KDC for authentication purpose.The adversary node can send network joining messages repeatedly to bring down the network by creating DoS attack, due to which the receiver node may lose its energy.

Broadcast Session Key Protocol (BROSK)
. BROSK is a broadcasting negotiation protocol which is used for secure communication in WSNs.In this protocol, no trusted party or server is used just like SPIN and it consumes less energy as compared to SPIN.Each node directly constructs a session key with its neighboring node by sending a key negotiation message [14].This protocol uses a single master key in each sensor node for the entire WSN, and a message authentication code (MAC) is used to provide authentication.A sensor node will attempt to negotiate a shared session key by transmitting the key negotiation message.When node receives the message transmitted by its neighbor, it can establish the mutual-session keys by creating the MAC and use these shared keys for secure message exchange.
The scalability of BROSK protocol is significant and it can easily apply to large scale sensor networks.In this protocol master key is not managed in a proper way and there is no proper information about master key, that is, what is done with the master key once the broadcasting process has completed.In BROSK protocol the same master key is shared by each node.This key is used by nodes to verify other nodes: whether node is authorized or unauthorized user.In this scheme no proper solution is provided for the problem if master key is compromised.An intruder can effortlessly compromise the whole network communication and create all further keys [15].

Localized Encryption and Authentication Protocol (LEAP).
LEAP is used to provide security in sensor network [5].In LEAP four types of keys are used which are individual keys, pairwise keys, cluster keys, and group keys.By using an individual key, a node can inform the base station about the anomalous behavior of its surrounding nodes.The base station uses this key to give instruction to a specific node.A master key is used to produce the individual keys and these keys are stored in nodes before their deployment.
Pairwise keys are shared by a node and its neighbors.These keys are used for secure communication.A node can establish pairwise keys by sending a message to the neighboring node.Cluster keys are shared by a node and its multiple neighbors.The node uses the pairwise key to encrypt the cluster key so that only the legitimate neighbors are able to decrypt the message to get access to the cluster key.A group key which is also called global key is shared by all nodes in the entire network.This key is used by the base station to encrypt data, and encrypted data is transferred to all the nodes in the group.This key removes the need for a base station to encrypt and send the same message to individual nodes with individual keys.
This protocol is effective in terms of communication and energy.It provides mechanisms for authentication broadcasting of a base station, data packets, and key revocation.The drawback of this protocol is security weakness during the process of key formation and the high cost of capacity needed to save the four keys for each node.In neighbor discovery phase of the pairwise key creation an invader can force a node to compute pairwise keys with many or all nodes.In this way any invader can easily compromise the node and get access to the pairwise keys without any information about the initial key.

A Dynamic User Authentication Scheme for Wireless
Sensor Networks.A user authentication scheme for WSN prevents unauthorized users from querying the sensor data from any sensor node in network [16].The computational overhead of this scheme is low.For authentication purpose, this scheme uses user's password and uses cryptographic hash functions.This scheme comprises three phases: registration, login, and authentication phase.This scheme permits only authentic users to query sensor data.
During registration phase, a user sends ID and a password for registration purpose to a gateway node.The gateway node stores the user ID and password in its database and tells the user about successful registration.When the user wants to query sensor data, it has to log in to a sensor login-node.The user sends its ID and password to the login-node.When the login-node receives the login request from the user, it checks the dataset list to find the user ID.If the ID is not found, then a rejection message is sent to the user.If the ID is found, then the login-node sends a message for authentication purpose to the gateway node.When the gateway node receives the message from the login-node, it checks its database to find the user ID.If the ID is not found, a rejection message is sent to the login-node.If the ID is found, then the gateway node sends an acceptance message to the login-node.The loginnode then sends an acceptance message to the user.
This scheme has some flaws.It cannot provide resistance against replay and forged attacks.It also suffers from stolenverifier attack; both gate way and login-node have the lookup table which contains secret information about registered users.Passwords may be exposed by any of the sensor nodes and the user is unable to alter the password.

An Improved Dynamic User Authentication Scheme for
Wireless Sensor Networks.It is a user authentication scheme [17] to overcome the flaws of user authentication scheme by [16] as it provides resistance against reply attack and forged attack, and it is a modified version of the user authentication scheme by [16].In this scheme user can easily change password and can log in to the network from any sensor node and this scheme does not require additional computation.This scheme comprises four phases which are registration, login, authentication, and password-changing phase.The registration, login, and authentication phases work in a similar way to the phases in the user authentication scheme by [16].When a sensor node receives the login request from a user, it forwards this request to the gateway node.The gateway node confirms the legitimacy of the user.User registration is also performed at the gateway node.In password-changing phase, when a user wants to alter its password, it sends its ID, original hashed password, and new hashed password to the gateway node.When the gateway node receives the request for password change from the user, it checks the user ID and whether the hashed password sent by user is correct or not.If the ID is not found in its database or the hashed password is incorrect, then the gateway node sends a rejection message to the user.Otherwise, it changes the user password and sends the user a password change message.This scheme overcomes the flaws of the user authentication scheme by [16] but it also suffers from security flaws and is unable to provide resistance against node compromise attack.all the incoming messages.This scheme provides initial small scale authentication of the messages entering to WSNs.There are two types of devices defined in IEEE 802.15.4 for WSN: full-function devices (FFDs) and reduced-function devices (RFDs).In this proposed scheme, FFDs will act as authenticator nodes.These authenticator nodes will forward the outside request messages to the base station as shown in Figure 1.In case of unauthorized node request message, these nodes will block the request message and will not forward it to the base station.

Proposed Biphase Authentication Scheme (BAS)
BAS comprises two phases: initial authentication phase and final authentication phase.

Initial Authentication Phase.
The initial authentication phase is performed with the help of authenticator nodes.This phase acts as a filter, and authenticator nodes act as gateway nodes.Any new node that wants to join the network sends its request to the authenticator node.This phase blocks the request messages sent by an adversary in the network.Only authorized nodes request messages are sent to the base station for final authentication.

Final Authentication Phase.
The final authentication phase is performed with the help of the base station.The base station matches the (ID, Key) pair sent by the authenticator node in its database.If they are matched, then the new node is successfully approved, and complete access to network will be permitted.An acceptance message will be sent to the new node through the authenticator node.If the (ID, Key) pair is not found, then the new node is not successfully approved, no access to network will be permitted, and a rejection message is sent to the authenticator node.
In BAS, each node is preloaded with node ID, master key   , key generation algorithm, and pairwise shared key with base station   before their deployment.This scheme has been designed to be very lightweight and uses symmetric keys.Symmetric key system requires less storage than asymmetric key system, so this system is better than asymmetric key system for sensor networks [15].Each node has its unique ID, master key   of 1024 bits, and pairwise key   of 128 bits [18].A base station has [ID,   ] pair for every node in its database and uses it to authenticate every sensor node at the time of node joining the network.  is a unique pairwise key of each node with the base station.Base station can use this key to directly communicate with nodes.
In BAS, we use a modified form of key generation algorithm [19].This algorithm is used to create the encryption key   from any random seed S of 64 bits.This random seed S is used for security purpose; when any authenticator node receives network joining request from any new node, it calculates the encryption key   from any random seed S by using key generation algorithm and sends the same random seed to new node.New node calculates its own encryption key   from random seed sent by authenticator node, then sends its calculated encryption key   to authenticator node, and authenticator node checks that encryption key calculated by new node is correct or not by comparing it with its own calculated   .This algorithm is depicted in Algorithm 1.
In BAS mechanism, initial authentication is performed between new node () and authenticator node (AN) and consists of the following steps if the node  is new node and it wants to join the network.
(1) The node  sends its ID to authenticator node.
(2) Authenticator node receives message  1 from  and performs the following functions.
(3) If node  is authorized user and it has master key   , it can easily obtain its own   by using the random seed  sent by the authenticator node and the key generation algorithm; see Algorithm 1.
(4) The node  sends   to authenticator node.
(5) Authenticator node receives  3 from  and performs the following functions.
(a) It checks the   ; if it is correct, it agrees to become its agent and an [In-Progress] message is sent to node  which means that node  is working on the authentication process.
(b) If   is incorrect, it refuses to become its agent and does not send new node request to base station.
(6) When node  receives message  4 from authenticator node, it forwards its pairwise key   to authenticator node.
Final authentication is performed with the help of base station and consists of the following steps.
(8) BS receives message from authenticator node; it decrypts message, checks   and ID  sent by authenticator node by comparing them with values presented in its database, and performs the following functions.
(a) If they are matched, then new node is successfully approved and access to network is granted and [Accept] message is sent to authenticator node.
(10) On receiving [Reject] message authenticator node will not forward it to node .
Complete authentication process of proposed scheme is summarized in Figure 2.

Network Model
We consider a WSN of 100 Mica2 sensor nodes and a base station.The network is arranged using the cluster-based topology [20].Sensor nodes are arranged in cluster form, and every cluster has a node that acts as the cluster head (CH).
In BAS network model, FFDs will act as CHs and all new nodes that want to join the network will forward their request messages to the CH.Each CH will send request to another nearby CH.Finally the request reached base station through multihop wireless communication via CHs.The base station is also a Mica2 node with greater energy and computation capabilities.In cluster-based topology each node in cluster is one hop away from its CH.Each CH is one hope away from its neighboring CHs and many hops away from other CHs.Each CH forwards data to its closest CH.In our network model the farthest CH is at a distance of D hops from base station.For our scheme, we assume that  = 4.In BAS, CHs will also work as authenticator nodes.Mica2 nodes send and receive messages consuming 16.25 J/byte and 12.25 J/byte energy, respectively [21].This energy consumption is for one hop distance and transmission energy consumption varies with respect to number of hops.
Authenticator nodes/CHs consume 0.73 J energy [19] to obtain encryption key   by using key generation algorithm.
The following equations are used to calculate energy consumption of nodes in proposed network model.
(i)   is transmitting energy,   is receiving energy, and   is energy consumption to obtain encryption key.
(ii)    is total transmitted energy consumption of messages, which will be calculated as Here  is the number of sent bytes by each CH and  is the number of hops used to send message to BS.
(iii)    is total received energy consumption of messages, which will be calculated as Here  is the total number of received bytes in network.
(iv)    is the total energy consumption to obtain encryption key   , which is calculated as Here  is the number of times encryption keys are generated by authenticator nodes in BAS.
(v)  Tot is the total energy consumption, which will be calculated as (vi)  Tot is the total number of sent and received messages in the network, which will be calculated as Here    is the number of sent messages and    is the number of received messages in the network.

Performance Evaluation
The performance of the proposed scheme BAS is evaluated for different metrics like energy consumption, packets ratio, and DoS attack.BAS was compared with one of the existing schemes, SPIN, by applying both schemes to the network model explained in Section 4.

Energy Consumption.
When a new node wants to join the network, it has to send request to the base station and receive the reply message from it.The authentication of a node is checked at base station.This will result in consumption of nodes energy and an increase in network traffic.The basic purpose of BAS is to prevent the transmission of packets in the network injected by an adversary to enhance the life period of sensor network.
In SPIN protocol a new node which is an adversary sends request to CH, that is, CH 7 as shown in Figure 3. Then CH 7 forwards its request to nearby CH 8 .Finally the request reached the base station after multihop wireless communication.
The total transmitted energy consumption is calculated by (10); see Section 4. In this case, four CHs are involved in routing process (CH 7 , CH 8 , CH 9 , and CH 10 ).The number of hops  is 4 as the farthest CH is four hops away from the base station.In SPIN protocol the length of message which consists of ID, symmetric key, and nonce bits is 36 bytes [22].
The total received energy consumption is calculated by (11).In the case shown in Figure 3, 36 bytes are received by each CH in network, so the total number of received bytes in network including the received bytes of base station is  = 36 * 5 = 180 bytes.
The energy consumption to obtain encryption key in SPIN is zero as it is only used in BAS.The total energy consumption for SPIN is calculated by (13).
In BAS new node  sends its ID to authenticator node.Authenticator node sends seed [] to node .The size of ID, seed, and encryption key   is 2, 8, and 16 bytes, respectively.Node  will send its own key   to authenticator node.Authenticator node checks new node's key; if it is incorrect, then it does not forward its request to base station.In this case, as shown in Figure 4, two messages are received by authenticator node and only one message is transmitted by it.
The total transmitted energy consumption in this case is calculated by (10).Here  = 1 as new node (adversary) is one hop away from the CH and the number of sent bytes of seed is  = 8 bytes.
The total received energy consumption is calculated by (11).
Here the number of the received bytes is  = 18 bytes, including 2-byte ID and 16-byte encryption key.
The energy consumption in generating key   by authenticator node is calculated by (12).
Here  = 1, as only one key is generated by authenticator node.
The total energy consumption is calculated by (13).
Tot = 130 J + 220.5 J + 0.73 J = 351.23 J An adversary can send request to some specific number of CHs to involve all CHs in the network.The total energy consumption will vary with respect to the number of CHs involved in routing process and with the total number of sent and received messages in the network.However, the energy consumption will be less in BAS compared to SPIN.Table 1 shows the energy consumption comparison between both schemes.
Simulation is used to evaluate the performance of proposed scheme.The results of this simulation are performed by using MATLAB.Figure 5 presents the energy consumption graph of BAS and SPIN scheme with respect to the number of adversary nodes.When the number of adversary nodes increases, the level of energy consumption also increases.This is because a higher number of CHs get involved in the routing process.
The results prove that energy consumption in proposed scheme BAS is much less as compared to SPIN scheme.So our scheme is helpful to improve the network performance and its lifetime by saving nodes battery power.

Packets Overhead.
In SPIN protocol when an adversary sends a request to any node in the network, each node forwards the request to the base station.As a result, the traffic in the network near the base station increases, which reduces the performance of the whole network.In SPIN protocol when an adversary sends a request to CH 7 in the network, as shown in Figure 3, 4 packets will be sent and 5 packets will be received in the network.The total number of sent and received messages  Tot is calculated by (14).
In BAS only one packet will be transmitted by authenticator node and 2 packets will be received by it as shown in Figure 4.
The total number of sent and received messages  Tot is calculated by (14).
An adversary can send request to some specific number of CHs to involve all CHs in the network.The number of data packets will vary with respect to the number of CHs involved in routing process and the total number of sent and received packets in the network.However, the number of data packets will be less in BAS compared to SPIN scheme.Table 2 shows the data packets overhead comparison between both schemes.
We use simulation to evaluate the performance of the proposed scheme.Figure 6 presents the data packets overhead of BAS and SPIN scheme with respect to the number of adversary nodes.When the number of adversary nodes  increases, the packets overhead in the network also increases.This is because a higher number of CHs get involved in the routing process, so the ratio of sent and received packets in the network is also high.However, the data packets overhead will vary with respect to the number of adversary nodes and the number of cluster heads involved in the routing process.
Results show that the total number of sent and received packets in the network will be less in BAS compared to SPIN scheme.So our scheme is helpful to improve the network performance and its lifetime by reducing network traffic.

Repeated Attacks (DoS Attack
). DoS attack, also known as jamming attack, is main physical layer attack in WSN [23].In this attack, an adversary repetitively send malicious requests in the network.Its purpose is to block availability of service to legitimate users, by creating DoS attack, by sending a number of messages continuously in the network.
In SPIN protocol when an adversary sends request to any CH or a number of CHs in the network, the whole authentication process will be performed to check authenticity of adversary node.Any malicious node or a number of malicious nodes can send the request messages repeatedly after short intervals of time, due to which all the CHs will be involved in the routing process and will gradually lose their battery powers.DoS attack will occur in the network, which will make the system or service unavailable for the authorized users.
In BAS when an adversary sends request to any CH in the network, only one packet will be transmitted by CH and 2 packets will be received by it.Similarly even if the same adversary node sends request to some specific of CHs or to all CHs in the network, only one packet will be transmitted and 2 packets will be received by every CH.There is no risk of DoS attack in the network and no disruption to the availability of the service to authorized users.
So the proposed BAS scheme is helpful to defend WSN against DoS attacks and improve the functionality and performance of the entire network.

Conclusion
The proposed Biphase Authentication Scheme (BAS) improves the performance and increases the lifetime of network.The main objective is to provide outside authentication for the user that wants to join the existing WSN.By using the proposed scheme, request messages of nodes can be filtered and messages of only partially authorized users are sent to the base station for final authentication.Initial authentication phase reduces the network traffic, and through final authentication phase only authorized nodes are able to become a part of the network.This scheme is helpful to overcome the flaws in existing schemes, that is, SPIN and BROSK.
It provides the solution for issues in SPIN scheme.SPIN protocol suffers from DoS attack, energy consumption, and network traffic problem.BAS overcomes these issues as shown in Section 5, so this scheme is better than SPIN scheme and improves the performance of the network.
In BROSK protocol the same master key is shared by each node.All other keys for communication are created from the master key.If the master key is compromised, then an invader can easily compromise the whole network and create all further keys.BAS provides a solution for this problem.If the master key is compromised, an adversary cannot compromise the entire network and cannot produce further keys for communication.So this scheme provides more secure environment for network functionality than BROSK protocol and removes security vulnerabilities.

Future Work
WSNs are exposed to security attacks due to wireless nature of the media.Current authentication schemes used for WSNs cannot provide satisfactory solution for authentication vulnerabilities in network.There are other problems such as data integrity and confidentiality in WSNs.Further authentication schemes should be developed to provide outside as well as inside network security in WSN.Several extensions of this research work can be further developed.For future work our plan is to extend the proposed Biphase Authentication Scheme to provide inside network security such as data integrity, data freshness, and data confidentiality.This will overcome inside network authentication vulnerabilities in WSN like authentication vulnerabilities in network, will provide more secure environment for proper functionality of WSNs, and would be very effective to increase network performance.The effect of various nondeterministic factors, such as distance between nodes, remaining energy level of CH, and so forth, on BAS will also be carried out.

( a )
It calculates encryption key (  ) using any random seed  and key generation algorithm; see Algorithm 1.(b) It sends the same random seed to new node . 2 = AN →  : []

Figure 5 :
Figure 5: Variation of energy consumption with respect to number of adversary nodes.

Figure 6 :
Figure 6: Variation of packets overhead with respect to the number of adversary nodes.

Table 1 :
Energy consumption comparison between SPIN and BAS.Energy consumption  Tot =    +    +    SPIN BAS

Table 2 :
Packets overhead comparison between SPIN and BAS.Total packets overhead  Tot =    +