PROGRAMA DE SEGUIMIENTO Y CONTROL

Multi-level µTESLA [5] (ML-µTESLA) is a source authentication protocol, based on multi-level key chains. It is an extended version of µTESLA. However, in µTESLA, there is a difficulty to distribute the key chain commitments to a large number of sensor nodes. In particular, the method of bootstrapping new receivers in µTESLA does not scale to a large WSN. In [5], the authors claim that there is a mismatch between the unicast-based

distribution of key chain commitments and the authentication key of broadcast messages in µTESLA. The transmission of the initial parameters is based on unicast, however the technique is intended for broadcast authentication. The goal of Multi-level µTESLA is to enhance the scalability of µTESLA, so that it could be applied to large WSNs.

In the following, we first detail the mechanism of multi-level-key chain. Then, we discuss the steps of execution of the protocol that are: the setup phase, the sending message phase, and the receiving message phase.

Multi-level key chain The concept of Multi-level key chain has been first introduced

by [5]. As µTESLA uses a unicast transmission to send the initialization parameters (for bootstrapping new receivers), this concept is not viable when dealing with broadcast trans- mission [13]. To mitigate this problem, the authors in [5] use multi-level key chain to distribute the commitment of one-way chain.

Setup Phase In the setup phase, the sender/broadcaster generates a multi-level key

chain. This chain is a set of one-way key chain with different levels.

The low level key chains are intended for authenticating broadcast messages, while the high level key chain is used to distribute and authenticate commitments (first key) of the low-level key chains. The high level key chain uses a long enough interval to divide the time line into equal time intervals, so that it cover the lifetime of a sensor network, without having too many keys. The low level key chains have short enough intervals.

The lifetime of a sensor network is divided into n₀(long) intervals. In Figure 2.4, n₀= 3. The high level key chain has four elements K3, K2, K1, and K0, which are generated by randomly picking K₃ and computing K_i = f (K_i+1) for i = 0, 1, .., n₀ − 1, where f is a pseudo-random function. The key K_i is associated with each time interval T_i. The disclosure of the authentication key Kiis disclosed in time interval Ti+1since the high level time interval is usually very long compared to the network delay and clock discrepancies. As in µTESLA, the security condition to check whether the base station has disclosed the key Ki when a sensor node receives a message authenticated with key Ki at time Ti is as follows: Tc+δ−T0

Tint < Ti+d; where Tc is the local time when the packet is received, Ti is the

ith time interval, T0 is the start time of the first time interval, Tint is the duration of each time interval, δ is the maximum clock difference between the sender and itself, and d is the key disclosure delay. In case of high level key chains, the disclosure delay is represented in terms of number of high level time intervals. In general, the high level key is disclosed in the next time interval, since the high level time interval is usually very long compared to the network delay and clock discrepancies (d = 1). For instance, let us assume a scenario where a packet is received at T3 (the third time interval), the local time of the receiver is

Tc, and having received the values of δ, T0, Tint, and d. In this case, the security condition is as follows: Tc+δ−T0

Tint < 3+1.

Each time interval Ti is further divided into n1 (short) time intervals of equal duration, denoted as T_i,1, T_i,2, ..., and T_i,n1. The base station generates a low level key chain for each time interval Ti by randomly picking Ki,n1 and computing the remaining keys by

T_1,1 T_3,1 Time T_1,2 T_1,3 T_2,1 T_2,2 T_2,3 T_3,2 T_3,3 K_1,2 K_1,3 K_2,1 K_2,2 K_2,3 K_3,1 K_3,2 K_3,3 T₁ T₂ T3 K₁ K₂ K₃ K_1,0 K_1,1 K_2,0 K_3,0 f f f01 f01 f1 f1 f1 f1 f1 f1 f1 f1 f1 f K₀

Figure 2.4. – An example of two level key chain mechanism (n0 = 3, and n1 = 3)

applying a pseudo-random function f 1. The key K_i,jis intended for authenticating messages broadcasted during the time interval Ti,j. The starting time of the key chain < Ki,0 > is predetermined at Ti,j. The disclosure delay for the low level key chains can be determined in the same way as in µTESLA. We assume that all the low-level key chains use the same disclosure delay d. In case of low level key chains, d is represented on terms of number of low level time intervals. When d = 3, it means that the low level key will be disclosed after three low level time intervals. When sensor nodes are initialized, their clocks are synchronized with the base station.

In addition, the base station distributes to the sensor nodes the following parameters: the starting time, the commitment K₀ for the high-level key chain, the duration T_int of each low-level time interval, the duration of each high level time interval, the disclosure delay for the low-level key chains, and the maximum clock discrepancy between the base station and the sensor nodes throughout the lifetime of the sensor network. In order for the sensor nodes to use a low level key chain during the time interval Ti, they must authenticate the commitment (first key of the chain) K_i,0 before the start time of T_i. To achieve this goal, the base station broadcasts a commitment distribution message, denoted as CDMi, during each time interval Ti, with CDMi = i|Ki+2,0|M AC(K

0

i, i|Ki+2,0)|Ki−1 where the 0 _|0 _{symbol denotes message concatenation, and K}0

i is derived from key Ki with a pseudo random function other than f and f1. Thus, to use a low-level key chain during Ti, the base station needs to generate the key chain during Ti−2, and distribute Ki,0 in CDMi−2. In particular, instead of choosing each key K_i,n1 randomly, each K_i,n1 is derived from a high-level Ki+1 (which is used to be in the next high-level time interval) through another pseudo-random function f 01. That is Ki,n1 = f 01(Ki+1).

Message Sending Procedure Executed by the Broadcaster Let us consider that the base station needs to send a data packet at time interval T_i,j. The format of the data packet is as follows: P = level_number|index|M |M AC(Ki,j, M )|Ki,j−d (2) where level_number represents the level of the hash chain, index is the index of the packet, M is the message generated at time interval T_i,j, K_i,j−d represents the key corresponding to time interval

Ti,j−d, and d represents the key disclosure delay for low level key chains.

Message Authenticating Procedure Executed by the Broadcaster When receiv-

ing a CDM packet, the receiver does the following operations: (i) first, it needs to be ensure that the packet could not be spoofed by an adversary. To verify this condition, the receiver should check for each CDM packet that the sender did not disclose the key; ii) second, it should verify the authenticity of the received key by comparing it to the last stored authenticated key; and iii) third, if the check is successful, the new key is authentic and the receiver can authenticate CDM packets.

When receiving a data packet, the receiver does the following operations: i) first, it checks whether the sender did not disclose the received authentication key (as in µTESLA); ii) second, it verifies the authenticity of the received (disclosed key) by comparing it to the last stored key; and iii) third, if the key is authenticated, then the new key could be used to authenticate received data packets.