
3.2 Security Solutions for Wireless Sensor Networks

3.2.4 Data authentication schemes

Most applications in wireless sensor networks require assurance that the data sent within the network originates from the correct sender. Data authentication mechanisms serve this purpose. They comprise both symmetric key and public key cryptographic approaches.

The former allow for authentication of messages sent between two parties sharing the secret key. The latter allow for authenticated broadcast, i.e. the authenticity of data can be verified by all parties knowing the public key of the party which authenticated the data before sending. The following approaches can be used for authentication purposes.

Digital signatures with appendix

In this type of digital signature the original message that was signed is required in the verification phase, and a hash function is used to produce the signature. One of the most popular ECC algorithms for digital signatures with appendix is the Elliptic Curve Digital Signature Algorithm (ECDSA) [21]. It requires a cryptographically secure hash function and its security is based on the ECDLP. Signature generation and verification are presented in Algorithms 9 and 10 respectively.

Algorithm 9 ECDSA signature generation [21]

Summary: Elliptic curve $E(F_p)$ of order $n$ and point $P \in E(F_p)$, hash function $h$, message $m$ and signer's private key $d$.

Result: Signature $(r, s)$.

1. Select $k \in [1, n-1]$.

2. Compute $kP = (x_1, y_1)$.

3. Compute $r = x_1 \pmod{n}$. If $r = 0$ then go to step 1.

4. Compute $e = h(m)$.

5. Compute $s = k^{-1}(e + d \cdot r) \pmod{n}$. If $s = 0$ then go to step 1.

6. Return $(r, s)$.

Algorithm 10 ECDSA signature verification [21]

Summary: Elliptic curve $E(F_p)$ of order $n$ and point $P \in E(F_p)$, hash function $h$, message $m$, signer's public key $Q$ and signature $(r, s)$.

Result: Acceptance or rejection of the signature.

1. Verify that $r$ and $s \in [1, n-1]$. If any verification fails then return REJECT SIGNATURE.

2. Compute $e = h(m)$.

3. Compute $w = s^{-1} \pmod{n}$.

4. Compute $u_1 = e w \pmod{n}$ and $u_2 = r w \pmod{n}$.

5. Compute $X = u_1 P + u_2 Q$.

6. If $X = O$ then return REJECT SIGNATURE.

7. If the x-coordinate of $X$ is equal to $r$ then return ACCEPT SIGNATURE; else return REJECT SIGNATURE.

Digital signatures with message recovery

In digital signatures with message recovery the verification phase does not require the original message, which in turn is recovered from the signature. Such a type of digital signature is proposed in [56]. The concept adopts the idea of self-certified public keys [20], which do not require the certificates used for authentication to be separate values. In this case the certificates are parts of the public key. The user owns a public key which is derived from the signature of its private key with his identity and is signed by the trusted authority using the private key of the authority. The secret key of the user is chosen by the user and is kept secret from the trusted authority.

The digital signature with message recovery based on self-certified public keys is divided into three phases: initialization, signature generation and message recovery. In the initialization phase the trusted authority chooses two large primes $p$ and $q$ and publishes $N = p \cdot q$; additionally it selects an integer $g$ and a one-way function $h()$, which are also public. The user $U_i$ with the identity $ID_i$ willing to join the system chooses its private key $x_i$, computes $p_i = g^{x_i} \pmod{N}$ and sends its identity and $p_i$ to the trusted authority. The authority computes $y_i = (p_i - ID_i)^{h(ID_i)^{-1}} \pmod{N}$ and publishes it as the public key of $U_i$. In order to sign the message $M$, user $U_i$ chooses a random integer $k$ and computes:

$$r = M \cdot g^{-k} \pmod{N} \qquad (3.2)$$

$$s = k - x_i \cdot h(r) \qquad (3.3)$$

and sends the signature $(r, s)$ to the recipient. The verification of the signature is performed as follows:

$$M = r \cdot g^{s} \cdot \left(y_i^{h(ID_i)} + ID_i\right)^{h(r)} \pmod{N}. \qquad (3.4)$$
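The three phases of the self-certified scheme (initialization, signature generation with (3.2) and (3.3), message recovery with (3.4)) as an added Python example, not code from [56]. The primes, g, the integer identity and the SHA-256-based h() are constructed assumptions of this example, and the parameters are far too small for real use.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use.
p, q = 2039, 2879                 # authority's secret primes
N, g = p * q, 7                   # public modulus and base
phi = (p - 1) * (q - 1)           # 4 * 1019 * 1439, known only to the authority

def h(v):
    # Public one-way function h(). Assumption: SHA-256 mapped to an odd value
    # below 1019, so h(ID_i) is always invertible modulo phi.
    d = hashlib.sha256(str(v).encode()).digest()
    return 2 * (int.from_bytes(d, "big") % 500) + 1

def user_keygen():
    # U_i chooses x_i and sends p_i = g^x_i mod N together with ID_i.
    x = secrets.randbelow(phi - 2) + 2
    return x, pow(g, x, N)

def authority_issue(identity, p_i):
    # y_i = (p_i - ID_i)^(h(ID_i)^-1) mod N, exponent inverted modulo phi.
    return pow((p_i - identity) % N, pow(h(identity), -1, phi), N)

def sign(M, x):
    k = secrets.randbelow(phi - 1) + 1
    r = M * pow(g, -k, N) % N                         # (3.2), needs Python 3.8+
    s = k - x * h(r)                                  # (3.3), a plain integer
    return r, s

def recover(sig, identity, y):
    r, s = sig
    p_i = (pow(y, h(identity), N) + identity) % N     # equals g^x_i mod N
    return r * pow(g, s, N) * pow(p_i, h(r), N) % N   # (3.4)

if __name__ == "__main__":
    ID = 4242                                         # constructed identity
    x, p_i = user_keygen()
    y = authority_issue(ID, p_i)
    print(recover(sign(123456, x), ID, y))
```

recover() returns some integer for every pair (r, s), so a receiver can only reject a modified signature if M carries redundancy it can check; the bare integers used here have none.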

34 CHAPTER 3. STATE OF THE ART

Another approach, proposing an identity-based digital signature with message recovery, is presented in [59]. Its security is based on the discrete logarithm problem. The scheme assumes the existence of a trusted Private Key Generator (PKG) whose public key takes part in the signature verification phase.

A digital signature that does not use a hash function and is resistant to forgery attacks is proposed in [7]. The following elements are needed to sign and verify the message $M$: a large prime $p$ being the order of the finite field $F_p$, a base element $g \in F_p$, the private key $x_i$ of the signer $U_i$ and the corresponding public key $y_i = g^{x_i} \pmod{p}$. In the signing procedure the user $U_i$ performs the following computations:

$$s = y_i^{M} \pmod{p}. \qquad (3.5)$$

Then $U_i$ chooses a random integer $k \in F_p$ and computes

$$r = M \cdot s \cdot g^{-k} \pmod{p}. \qquad (3.6)$$

After that user $U_i$ computes $t$, where

$$s + t \equiv x_i^{-1} \cdot (k - r) \pmod{p-1} \qquad (3.7)$$

The signature is the triple $(s, r, t)$. In the verification phase the verifier computes:

$$M' \equiv y_i^{(s+t)} \cdot r \cdot g^{r} \cdot s^{-1} \equiv g^{x_i(s+t)} \cdot M \cdot s \cdot g^{-k} \cdot g^{r} \cdot s^{-1} \equiv g^{(k-r)} \cdot M \cdot g^{(-k+r)} \pmod{p} \qquad (3.8)$$

If it is true that

$$s = y_i^{M'} \qquad (3.9)$$

then the signature is valid and indeed generated by the user $U_i$.

Authenticated encryption

Authenticated encryption is based on block ciphers but simultaneously provides data confidentiality, integrity and authenticity by combining encryption schemes and message authentication codes. The most commonly used scheme is Counter with CBC-MAC mode (CCM) [15]. It is based on a symmetric key block cipher with a block size of 128 bits, such as the AES algorithm. It uses a single key and combines counter mode encryption and cipher block chaining-based authentication. The CCM mode consists of two processes: generation-encryption and decryption-verification. In the generation-encryption phase, CBC is applied to the payload, the associated data, and the nonce to generate a MAC. After that, counter mode based encryption is applied to the MAC and the payload to transform them into the ciphertext. In this mode the length of the payload is extended by the size of the computed MAC. In the decryption-verification phase, counter mode based decryption is applied to the ciphertext to decrypt the MAC and the corresponding payload. Then, cipher block chaining is applied to the payload, the received associated data, and the received nonce to verify the correctness of the MAC. Successful verification assures that the payload and the associated data are provided by the issuer having the proper secret key.

Another approach for authenticated encryption based on AES is the Galois/Counter Mode (AES-GCM) of operation [37]. GCM uses the counter mode of operation and builds on it by adding a MAC based on a hash function. It uses polynomial hashing in the binary finite field.

3.2.5 Security Protocols for WSN