WO2012148257A1 - Method for use in multi hop wireless sensor network - Google Patents

Info

Publication number
WO2012148257A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
node
gateway
nodes
rfd
Application number
PCT/MY2012/000090
Other languages
French (fr)
Inventor
Sarwar Usman
Rao Sinniah Gopinath
Khoshdelniat Reza
Suryady Zeldi
Original Assignee
Mimos Berhad

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04K SECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K3/00 Jamming of communication; Counter-measures
    • H04K3/20 Countermeasures against jamming
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04K SECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K2203/00 Jamming of communication; Countermeasures
    • H04K2203/10 Jamming or countermeasure used for a particular application
    • H04K2203/18 Jamming or countermeasure used for a particular application for wireless local area networks or WLAN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H04L2209/805 Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks

Definitions

  • FIG 7 and FIG 8 show the sequential flow of the multi-hop authentication procedure between node-head, node-n and the gateway.
  • node-n initiates the authentication procedure (T100) by sending a REQ_ST message to node-1 (node-head).
  • the node-head sends a RESP_AUTH_NH message (T200) including authentication information to node-n.
  • when node-n receives the message, it understands that it is communicating and authenticating with a node-head rather than directly with the gateway.
  • node-n uses the node-head key to authenticate the node-head (T300).
  • node-n notifies its authentication information (T400) to the node-head by sending a RESP_AUTH_C message.
  • the node attempts n (predetermined amount) times (T500) to request the node-head to provide proper authentication information by sending a REQ_AUTH_C message. If no proper information is provided, the node terminates communications with the current node-head and searches further for another node-head or the gateway.
  • when the node-head receives the RESP_AUTH_C message, it authenticates the information provided by node-n and, in case of successful validation of the authentication information, registers node-n (T600) as a valid node and sends a RESP_AUTH_C_LN message to the gateway for registration. The gateway, on receiving information (T700) about node-n, understands that node-n can be accessed through node-1 (node-head).
  • the gateway saves this information for future communication and sends an acknowledgement to node-1. If the validation of node-n fails (T800), the node-head requests node-n again by sending a REQ_AUTH_C message n times prior to forbidding it. In accordance with the present invention, a similar procedure is performed by node-1 (node-head) to determine whether node-n can work as a node-head. Furthermore, in case of node (node-head) failure or topology change, a node may need to access the network using another accessible node-head or gateway within its range. Joining a new node-head or gateway also requires re-authentication.
  • FIG 9. An example of an application implementing the method and system of the present invention is shown in FIG 9.
  • in this example there is provided a wireless sensor network in the precision agriculture domain, whereby the authentication method is based on the present invention.
  • it comprises a gateway and a plurality of nodes, namely Node 1 (Node-head), Node 2, Node 3 (Node-head) and Node 4, in a greenhouse environment.
  • Node 1 will initialize the authentication procedure before joining the network by requesting a suitable available gateway to provide authentication information. After authentication and taking the responsibility of node-head, Node 1 will authenticate Node 2 and Node 3 at hop-level 2 from the gateway. Node 2 will be treated as a normal node owing to its lesser-resources response, whereas Node 3 will take the responsibility of Node-head at hop-level 2.
  • Node 4 will analyze the suitable gateways or node-heads within its range and will choose Node 3 as its authenticating point to join the network at hop level 3. All the node-heads will also inform the gateway about the authenticated nodes for future communications.

Abstract

The present invention relates to a method for use in a wireless sensor network comprising at least one gateway and at least two nodes; said method comprising the steps of: performing a bi-directional authentication between nodes and between node and gateway; defining and selecting an authentication header between available nodes, wherein said header contains information related to authentication, level of security for authentication and authentication messages; providing authentication information with a predetermined amount of times on validation failure; and forbidding an unknown entity from entering the network in the event that the validation failure exceeds the predetermined amount of time.

Description

METHOD FOR USE IN MULTI HOP WIRELESS SENSOR NETWORK
FIELD OF INVENTION
The preferred embodiments of the present invention are directed to a method for use in a wireless sensor network, and more particularly a method for use in a multi-hop wireless sensor network.
BACKGROUND
The need to improve the operative efficiency of wireless sensor networks has been progressively emerging and has thus become a significant target among researchers and innovators of the relevant art when developing advanced wireless sensor network paradigms. Further, the rapid growth in global accessibility results in an incessant search for methods or systems which are robust and reliable. The main challenges include providing resilient, cost-efficient and secured connections for future generation networks.
In most instances, however, wireless networks are vulnerable in terms of security, whereby they are prone to malicious attacks by unknown or uncertified entities. Abusers may deploy various types of assaults to disrupt the purpose of wireless networks, such as injecting into the data packets, changing the routes of packet destinations and jamming the signal. Such disruption may jeopardize an important data transmission between a sender and recipient. One of the common steps involved when infiltrating networks is becoming part of the network, in other words undetectably joining the network. Moreover, nowadays, in order to ensure seamless and reliable connection, wireless networking is commonly associated with multi-hop networking and mesh networking, in which information is conveyed or routed from a source to a destination using two or more networks. Disruptions due to malicious attacks are therefore expected to increase. In order to alleviate the shortcoming described above, more networks deploy authentication mechanisms, whereby nodes are subjected to at least one form of authentication process prior to joining the sensor network. This current approach may be expedient at a certain level; however, other problems surface, such as complicated protocols for authentication of wireless sensor network entities, failure to accommodate issues relating to malicious gateways or mobile full function devices (FFD), and the use of a single level of security for all types of use-cases, which proves ineffective purely because security applicability varies with the type of application.
An example of related prior art, as one of the available solutions to improve wireless network security, is disclosed in United States Patent Application US 20090103731 - Authentication of 6LoWPAN Nodes Using EAP-GPSK. That invention relates to a method of authentication which exchanges extensible authentication protocol messages for authentication by sending a plurality of packets formatted in the form of the suitable wireless network protocol. Nonetheless, this prior art does not disclose any information in relation to providing bi-directional authentication of each entity which may be involved using a distributed mechanism, and the messaging protocol disclosed in this prior art seems rather complex. Recognizing the aforementioned shortcomings associated with the prior art and existing systems, the present invention has been accomplished to significantly improve the conventional methods and systems. It is therefore an object of the present invention to provide a method for use in a multi-hop wireless sensor network, said method and system providing expediency in establishing secured connections within said wireless sensor network.
It is a further object of the present invention to provide a method for use in a multi-hop wireless sensor network, said method and system being highly reliable and economical.
It is another object of the present invention to provide a method for use in a multi-hop wireless sensor network, said method and system aiding to protect the network from hazardous intrusions.
Still other objects of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein embodiments of the invention are described by way of illustration. As will be realized, the invention is capable of other and different embodiments, and its several details are capable of modifications in various respects, all without departing from the spirit and scope of the present invention.
SUMMARY OF INVENTION
The present invention discloses a method for use in a wireless sensor network comprising at least one gateway and at least two nodes; said method comprising the steps of: performing a bi-directional authentication between nodes and between node and gateway; defining and selecting an authentication header between available nodes, wherein said header contains information related to authentication, level of security for authentication and authentication messages; providing authentication information with a predetermined amount of times on validation failure; and forbidding an unknown entity from entering the network in the event that the validation failure exceeds the predetermined amount of time.
BRIEF DESCRIPTION OF THE FIGURES
The invention will be better understood by reference to the description below taken in conjunction with the accompanying drawings herein:
FIG 1 provides an overview of authentication mechanism in multi-hop environment;
FIG 2 provides an overview of authentication protocol phases;
FIG 3 provides an overview of authentication header format in accordance with the present invention;
FIG 4 provides an overview of a different level of security in a single use-case;
FIG 5 provides a sequence flow of messages between a node and gateway in accordance with the present invention;
FIG 6 provides a flow chart of node authentication with the gateway;
FIG 7 provides a sequence flow of messages between node, node head and a gateway;
FIG 8 provides a flow chart of node authentication in multi-hop environment; and
FIG 9 provides an example of application of the present invention.
DETAILED DESCRIPTION
In addition to the drawings, for further understanding of the object, construction, characteristics and functions of the invention, a detailed description with reference to the embodiments is given in the following.
In the following description, reference is made to the accompanying drawings where, by way of illustration, specific embodiments of the invention are shown. It is to be understood that other embodiments may be used and structural and other changes may be made without departing from the scope of the present invention. Also, the various embodiments and aspects from each of the various embodiments may be used in any suitable combinations. Accordingly, the drawings and detailed description are to be regarded as illustrative in nature and not as restrictive.
The present invention generally relates to an authentication mechanism which aids to authorize all the entities or nodes prior to joining a network. In one embodiment of the present invention, validation of nodes is performed in single and multi-hop network topologies.
The method of the present invention generally comprises three main stages, these being: performing bi-directional authentication processes, whereby authentications are carried out between gateway and nodes, as well as between node and node; defining a compressed authentication header, said header containing information related to facilitating authentication, the level of security required and the authentication message type; and providing authentication information with a predetermined countable limit on validation failure prior to forbidding the entry of a malicious entity. Each of the stages will be described in detail hereinbelow.
FIG 1 illustrates a high level overview of communication and authentication in a multi-hop environment. In this environment, a gateway GW (10) is communicating with several nodes (11, 12, 13, 14, 15, 16) in the sensor network. Typically, nodes perform gateway discovery to search for suitable gateways in order to join a network. A node later performs an authentication procedure upon selecting the gateway, and said gateway proceeds with the same procedure for affirmation.
From the above, in FIG 1, GW (10) authenticates Nd1, Nd2 and Nd3 at single-hop level. Nd1 represents a normal node whereas Nd2 and Nd3 are qualified node-heads at the first hop level to the gateway. It should be mentioned that a node-head is a node entity which has enough resources to take responsibility for authenticating nodes at multi-hop level on behalf of the gateway. Nd4 is a second hop level node-head authenticating Nd6 and relaying it to the gateway through Nd2. Nd5 is a normal node authenticated by Nd3.
In a further aspect of authentication, there are two sets of keys used for the authentication protocol by the nodes; these keys are specifically for gateway authentication and for node-head authentication. According to the present invention, the authentication keys for gateway and node-head are pre-deployed to the sensor network.
As briefly described above, the authentication protocol is divided into two phases, illustrated as Phase 1 and Phase 2 in FIG 2. In Phase 1 (S100), the gateway is configured to authenticate the first hop level nodes and assigns node-head status to those which are qualified and have enough resources to be relay-authentication nodes. In Phase 2 (S200), nodes with node-head capabilities authenticate multi-hop level nodes. During this process, a node-head also identifies and assigns node-head responsibility to those nodes with enough resources.
In the preferred embodiment of the present invention, the identification of a header is crucial as it is assigned to convey important information about the authentication process. The extension header used for the present invention is known as the compact authentication header (cAH), which consists of one byte. An example of such a header (40) is illustrated in FIG 3. The header is part of the 6LoWPAN payload and, as mentioned, conveys crucial information for the authentication process. A packet is considered an authentication packet if the authentication header's first two bits are 1 and 0. The third and fourth bits of the authentication header are used for the security level field, which is considered vital information for providing variable strength of authentication information.
Preferably, in terms of informing the level of security required, there are three types of information indicated by the security level field: basic level, intermediate level and advanced level security, which are implemented using two bits as 01, 10 and 11 respectively. The next four bits are used to indicate the authentication message type. This is shown in TABLE 1 below. The authentication messages are used by the authentication protocol for validating different entities in a sequential process which will be described herein.
TABLE 1
Authentication Message Type
[TABLE 1 is reproduced as an image in the original and is not available here]
According to the present invention, the authentication protocol also includes a level of security which can be used for different use-cases. The purpose of the security level is to allow different configurable sizes of authentication information, providing a variable level of protection. There are three categories of authentication security levels illustrated for the authentication protocol of the present invention, these being: basic level with a payload size of 8 bytes and simpler encryption, intermediate level with a payload size of 16 bytes and a decent level of encryption system, and advanced level with a payload size of 32 bytes and a complex encryption system.
It is preferred that a higher size will provide more secure authentication information, but with an impact on processing and power resources. The basic security level takes fewer resources but provides simpler authentication information. The level of security may determine the encryption system applied to the authentication information depending on the category of security; for instance, basic level security may use XOR based encryption whereas the advanced level may require a complex encryption system like AES.
TABLE 2 illustrates an example of security levels with the possible encryption systems. The level of security is configured in the pre-deployment phase of the sensor network depending on the use-case. When any entity in the sensor network environment receives authentication information, it decrypts the information based on the encryption type defined in the authentication header and validates it. FIG 4 illustrates a scenario whereby wireless sensor network clusters exist with different levels of security within a single deployment.
TABLE 2
Examples in Security Levels
[TABLE 2 is reproduced as an image in the original and is not available here]
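As an added worked example, not code from the patent: an encoder and parser for the one-byte cAH described above together with the TABLE 2 payload sizes. The 10 marker, the 01/10/11 level codes and the 8/16/32-byte sizes are the page's; the numeric message-type codes in MESSAGE_TYPES are assumed placeholders (TABLE 1 is not reproduced here), and the check that the authentication information length matches the advertised level is an added defensive interpretation, not a step the patent states.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

AUTH_MARKER = 0b10  # first two bits of an authentication packet (FIG 3)

# Security-level code -> (name, size in bytes of the authentication information, TABLE 2)
SECURITY_LEVELS = {
    0b01: ("basic", 8),
    0b10: ("intermediate", 16),
    0b11: ("advanced", 32),
}

# 4-bit message-type codes. The names are the patent's; the numeric values are
# ASSUMED placeholders because TABLE 1 is not reproduced on this page.
MESSAGE_TYPES = {
    0x0: "REQ_ST",
    0x1: "RESP_AUTH_P",
    0x2: "REQ_AUTH_P",
    0x3: "RESP_AUTH_C",
    0x4: "REQ_AUTH_C",
    0x5: "REQ_AUTH_RESPONSIBILITY",
    0x6: "RESP_AUTH_RESPONSIBILITY_SUCCESS",
    0x7: "RESP_AUTH_RESPONSIBILITY_FAIL",
    0x8: "RESP_AUTH_NH",
    0x9: "RESP_AUTH_C_LN",
}
MESSAGE_CODES = {name: code for code, name in MESSAGE_TYPES.items()}


@dataclass(frozen=True)
class CompactAuthHeader:
    security_level: int  # 2-bit code, key of SECURITY_LEVELS
    message_type: int    # 4-bit code, key of MESSAGE_TYPES

    @property
    def level_name(self) -> str:
        return SECURITY_LEVELS[self.security_level][0]

    @property
    def payload_size(self) -> int:
        return SECURITY_LEVELS[self.security_level][1]

    @property
    def message_name(self) -> str:
        return MESSAGE_TYPES[self.message_type]


def encode_cah(level_name: str, message_name: str) -> int:
    """Build the cAH byte: marker (2 bits) | security level (2 bits) | message type (4 bits)."""
    level_code = next(c for c, (n, _) in SECURITY_LEVELS.items() if n == level_name)
    return (AUTH_MARKER << 6) | (level_code << 4) | MESSAGE_CODES[message_name]


def decode_cah(byte: int) -> Optional[CompactAuthHeader]:
    """Parse a cAH byte. Returns None when the packet is not an authentication packet."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("cAH is exactly one byte")
    if (byte >> 6) != AUTH_MARKER:
        return None  # first two bits are not 1 0: ordinary 6LoWPAN payload, not cAH
    level = (byte >> 4) & 0b11
    mtype = byte & 0b1111
    if level not in SECURITY_LEVELS:
        raise ValueError("security level 00 is not defined")
    if mtype not in MESSAGE_TYPES:
        raise ValueError(f"unknown authentication message type {mtype:#x}")
    return CompactAuthHeader(level, mtype)


def split_auth_packet(payload: bytes) -> Optional[Tuple[CompactAuthHeader, bytes]]:
    """Split a payload into (cAH, authentication information).

    Returns None for non-authentication packets and rejects packets whose
    authentication information does not have the size the advertised level
    requires, so a peer cannot claim "advanced" while sending an 8-byte blob.
    """
    if not payload:
        raise ValueError("empty payload")
    header = decode_cah(payload[0])
    if header is None:
        return None
    info = payload[1:]
    if len(info) != header.payload_size:
        raise ValueError(f"{header.level_name} level requires {header.payload_size}-byte "
                         f"authentication information, got {len(info)} bytes")
    return header, info
```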
It should be noted that based on one embodiment of the present invention, authentication information varies with different levels of security. It may contain existing methods for authentication information such as random number generation, hash tables and semantics. FIG 5 and FIG 6 illustrate the authentication process in sequence diagram format in accordance with the preferred embodiment of the present invention. As seen in FIG 5 authentication procedure is instigated by the node by sending REQ ST message to available gateway or node-head.
Still referring to FIG 5 and FIG 6, the node sends a request (A100) only to the most suitable gateway or node-head within its range. The REQ_ST message is customized to convey private information that can only be understood by authorized network entities. According to the pre-configured security level, the node includes authentication information (A200) in the REQ_ST message. When the gateway receives the REQ_ST message, it acknowledges the request (A300) and notes that a node is requesting the authentication initiation procedure. The gateway then prepares and sends a RESP_AUTH_P message that includes authentication information for the node to validate. The authentication information is encrypted data that must be verified by the receiving entity; it is stored with a variable size, according to the security level and the strength required for the use-case.
Subsequently, the node receives and validates the RESP_AUTH_P message from the gateway based on the authentication information provided (A400). If validation fails, the node may re-request the gateway by sending REQ_AUTH_P, up to a predetermined number of times (A500), before forbidding it. On success, the node registers the gateway and sends back a RESP_AUTH_C message. This message conveys the successful registration of the gateway as well as the node's own authentication information. The gateway validates (A600) the node by checking the authentication information in the message. On validation failure, the gateway re-requests the node by sending a REQ_AUTH_C message. If validation fails a predetermined number of times, the gateway forbids (A700) the node from joining the network and records this information. If the authentication information provided by the node validates successfully, the node is registered with the gateway for future operations.
In the following stage, upon completion of node validation, the gateway inquires (A800) whether the node can take responsibility as a node-head based on its available resources. This inquiry is conveyed to the node in a REQ_AUTH_RESPONSIBILITY message. The node inspects its resources (A900), such as, but not limited to, battery level, memory resources and RSSI value, and responds to the gateway accordingly. If the node has sufficient resources it responds with a RESP_AUTH_RESPONSIBILITY_SUCCESS message. Otherwise it sends a RESP_AUTH_RESPONSIBILITY_FAIL message, which informs (A900a) the gateway to treat the node as a normal node. When the gateway receives RESP_AUTH_RESPONSIBILITY_SUCCESS, it registers (A900b) the node as a node-head for authenticating other nodes at multi-hop level from the gateway.
FIG 7 and FIG 8 show the sequential flow of the multi-hop authentication procedure between the node-head, node-n and the gateway. Referring to FIG 7 and FIG 8, node-n initiates the authentication procedure (T100) by sending a REQ_ST message to node-1 (the node-head). The node-head replies with a RESP_AUTH_NH message (T200) that includes authentication information for node-n. On receiving this message, node-n learns that it is communicating and authenticating with a node-head rather than directly with the gateway, and therefore uses the node-head key to authenticate the node-head (T300). On successful validation, node-n sends its own authentication information (T400) to the node-head in a RESP_AUTH_C message. On validation failure, the node attempts n (a predetermined number of) times (T500) to obtain proper authentication information from the node-head by sending a REQ_AUTH_C message. If no proper information is provided, the node terminates communication with the current node-head and searches for another node-head or the gateway. When the node-head receives the RESP_AUTH_C message, it authenticates the information provided by node-n; on successful validation it registers node-n (T600) as a valid node and sends a RESP_AUTH_C_LN message to the gateway for registration. The gateway, on receiving this information (T700) about node-n, learns that node-n can be reached through node-1 (the node-head), saves this information for future communication and sends an acknowledgement to node-1. If the validation of node-n fails (T800), the node-head re-requests node-n by sending a REQ_AUTH_C message n times before forbidding it. In accordance with the present invention, a similar procedure is performed by node-1 (the node-head) to determine whether node-n may work as a node-head.
Furthermore, in case of node (node-head) failure or topology change, a node may need to access the network through another accessible node-head or gateway within its range. Joining a new node-head or gateway also requires re-authentication.
An exemplary application implementing the method and system of the present invention is shown in FIG 9. In this example, a wireless sensor network in the precision agriculture domain uses the authentication method of the present invention.
Now referring to FIG 9, there is provided a gateway (GW) and a plurality of nodes, namely Node 1 (node-head), Node 2, Node 3 (node-head) and Node 4, in a greenhouse environment.
Due to the precision agriculture use-case requirement, the basic security level (8 bytes of authentication information using hash values with simple encryption such as XOR) is feasible, as less is at stake in a security compromise. Node 1 initializes the authentication procedure before joining the network by requesting a suitable available gateway to provide authentication information. After authentication and taking the responsibility of node-head, Node 1 authenticates Node 2 and Node 3 at hop-level 2 from the gateway. Node 2 is treated as a normal node because its resource response indicates fewer resources, whereas Node 3 takes the responsibility of node-head at hop-level 2. Node 4 analyzes the suitable gateways or node-heads within its range and chooses Node 3 as its authentication point to join the network at hop-level 3. All node-heads also inform the gateway about the nodes they have authenticated, for future communications.
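The direct join of FIG 5 and FIG 6, the multi-hop join of FIG 7 and FIG 8, and the FIG 9 greenhouse topology, run together as an added message-level simulation in Python that is not the patent's code or any implementation by the applicant. Assumptions, since the page does not fix them: the authentication information is a keyed hash of a fresh nonce truncated to the basic level's 8 bytes; three role keys (gateway, node-head, node) are pre-shared in the pre-deployment phase; the retry count n is 3; the node's re-request after a failed peer validation is modelled as a repeated REQ_ST; the resource thresholds of step A900 are illustrative; and the responsibility inquiry at hop 2 is forwarded by the node-head to the gateway, which keeps the list of node-heads. Encryption of the authentication information is left out; only the validation, retry, forbid and registration logic is shown.

```python
"""Join procedure of FIG 5 to FIG 8 over the FIG 9 topology (added example, not the patent's code)."""
import hashlib
import hmac
import os

MAX_RETRIES = 3   # the "predetermined amount" n of retries; value assumed
TAG_LEN = 8       # basic security level: 8-byte authentication information

def auth_info(key: bytes, nonce: bytes) -> bytes:
    """Authentication information: keyed hash of a fresh nonce, truncated (construction assumed)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[:TAG_LEN]

def valid(key: bytes, nonce: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(auth_info(key, nonce), tag)

class Authenticator:
    """A gateway (no parent) or a node-head (parent = the gateway it registered with)."""
    def __init__(self, ident, role_key, net_key, gateway=None):
        self.id, self.role_key, self.net_key, self.gateway = ident, role_key, net_key, gateway
        self.role = "GW" if gateway is None else "NH"
        self.registered, self.forbidden, self.failures, self.node_heads = {}, set(), {}, set()

    def on_req_st(self, node_id):                        # A300 / T200: answer a REQ_ST
        if node_id in self.forbidden:
            return None                                  # a forbidden entity gets no answer
        nonce = os.urandom(8)
        return nonce, auth_info(self.role_key, nonce)    # RESP_AUTH_P or RESP_AUTH_NH

    def on_resp_auth_c(self, node_id, nonce, tag):       # A600 / T600: validate the joiner
        if valid(self.net_key, nonce, tag):
            self.failures.pop(node_id, None)
            self.register(node_id)
            return "REGISTERED"
        self.failures[node_id] = self.failures.get(node_id, 0) + 1
        if self.failures[node_id] >= MAX_RETRIES:        # A700 / T800: forbid and record it
            self.forbidden.add(node_id)
            return "FORBIDDEN"
        return "REQ_AUTH_C"                              # ask for proper information again

    def register(self, node_id):
        self.registered[node_id] = self.id
        if self.gateway:                                 # RESP_AUTH_C_LN: a node-head tells the gateway
            self.gateway.on_resp_auth_c_ln(self.id, node_id)

    def on_resp_auth_c_ln(self, head_id, node_id):       # T700: node_id is reachable via head_id
        if head_id not in self.node_heads:
            return False                                 # only a registered node-head may vouch
        self.registered[node_id] = head_id
        return True

    def on_resp_responsibility(self, node_id, success):  # A900a / A900b; a node-head forwards upward
        if self.gateway:
            return self.gateway.on_resp_responsibility(node_id, success)
        if success and node_id in self.registered:
            self.node_heads.add(node_id)
        return node_id in self.node_heads

class Node:
    def __init__(self, ident, net_key, gw_key, nh_key, battery, memory, rssi):
        self.id, self.net_key = ident, net_key
        self.peer_keys = {"GW": gw_key, "NH": nh_key}    # pre-shared role keys (assumed)
        self.resources = (battery, memory, rssi)

    def has_resources(self, min_battery=50, min_memory=1024, min_rssi=-80):  # A900; thresholds assumed
        battery, memory, rssi = self.resources
        return battery >= min_battery and memory >= min_memory and rssi >= min_rssi

    def join(self, peer):
        peer_key = self.peer_keys[peer.role]
        for _ in range(MAX_RETRIES):                     # A500 / T500: re-request before giving up
            resp = peer.on_req_st(self.id)               # A100 / T100
            if resp is None:
                return "forbidden"
            nonce, tag = resp
            if valid(peer_key, nonce, tag):              # A400 / T300
                break
        else:
            return "peer_rejected"                       # look for another node-head or gateway
        result = "REQ_AUTH_C"
        while result == "REQ_AUTH_C":                    # RESP_AUTH_C, repeated on REQ_AUTH_C
            my_nonce = os.urandom(8)
            result = peer.on_resp_auth_c(self.id, my_nonce, auth_info(self.net_key, my_nonce))
        if result != "REGISTERED":
            return "forbidden"
        # A800 / A900: REQ_AUTH_RESPONSIBILITY answered from the node's own resources
        return "node-head" if peer.on_resp_responsibility(self.id, self.has_resources()) else "normal"

def scenario_fig9(net_key=b"net", gw_key=b"gw", nh_key=b"nh"):
    """Greenhouse topology of FIG 9; returns each node's outcome and the gateway's reachability table."""
    gw = Authenticator("GW", gw_key, net_key)
    def mk(ident, battery, memory, rssi):
        return Node(ident, net_key, gw_key, nh_key, battery, memory, rssi)
    outcome = {"N1": mk("N1", 90, 4096, -55).join(gw)}
    head1 = Authenticator("N1", nh_key, net_key, gateway=gw)   # Node 1 is node-head at hop 1
    outcome["N2"] = mk("N2", 30, 512, -85).join(head1)          # too few resources: normal node
    outcome["N3"] = mk("N3", 85, 4096, -60).join(head1)         # node-head at hop 2
    head3 = Authenticator("N3", nh_key, net_key, gateway=gw)
    outcome["N4"] = mk("N4", 40, 2048, -65).join(head3)         # joins at hop 3 through Node 3
    return outcome, dict(gw.registered)
```

Two checks worth noting in the design: the gateway accepts a RESP_AUTH_C_LN only from an identity it has itself promoted to node-head, so a node that was never promoted cannot vouch for others; and the forbid list is consulted at REQ_ST, so a forbidden identity is silently dropped rather than being allowed to burn another n validation attempts.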
The present invention may be modified in light of the above teachings. It is therefore understood that, within the scope of the appended claims, the invention may be practiced otherwise than as specifically described.

Claims

1. A method for use in a wireless sensor network comprising at least one gateway and at least two nodes; said method comprising the steps of:
performing a bi-directional authentication between nodes and between node and gateway;
defining and selecting an authentication header between available nodes, wherein said header contains information related to authentication, level of security for authentication and authentication messages;
providing authentication information a predetermined number of times on validation failure; and
forbidding an unknown entity from entering the network in the event that the validation failures exceed the predetermined number of times.
2. The method as claimed in Claim 1, wherein the bi-directional authentication further comprises the steps of: initiating authentication by a reduced function device (RFD) via a message to a full function device (FFD); sending an authentication information request in a specific message from the FFD to the RFD; verifying the authentication by the RFD; providing a reply on successful verification, with authentication information, in a specific message from the RFD to the FFD; and verifying the authentication information received by the FFD.
3. The method as claimed in Claim 1, wherein the step of authentication between nodes comprises the steps of: inquiring of the node as to resource availability; verifying the resources by the RFD; and notifying the gateway of the acceptance by the node to the RFD and FFD.
4. The method as claimed in Claim 3, wherein the step of notifying the gateway further comprises the steps of: authenticating the RFD only once per joining of the network; and providing RFD confirmation and registration information to the FFD once per joining of the node with the network.
5. The method as claimed in Claim 1, wherein the level of security is based on variable sizes of authentication information and various encryption systems.
6. The method as claimed in Claim 1, wherein defining the authentication header between nodes further comprises the step of checking available resources, said resources including battery level, memory level and RSSI value.
7. The method as claimed in Claim 1, wherein the method further comprises registering the nodes and gateway upon successful validation and verification.
8. The method as claimed in Claim 1, used for a multi-hop wireless sensor network.
PCT/MY2012/000090 2011-04-26 2012-04-26 Method for use in multi hop wireless sensor network WO2012148257A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2011001845 2011-04-26
MYPI2011001845 2011-04-26

Publications (1)

Publication Number Publication Date
WO2012148257A1 true WO2012148257A1 (en) 2012-11-01

Family

ID=47072572

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2012/000090 WO2012148257A1 (en) 2011-04-26 2012-04-26 Method for use in multi hop wireless sensor network

Country Status (1)

Country Link
WO (1) WO2012148257A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070116292A1 (en) * 2005-11-18 2007-05-24 Felica Networks, Inc. Mobile terminal, data communication method, and computer program
US20100332831A1 (en) * 2009-06-26 2010-12-30 Samsung Electronics Co., Ltd. Method and apparatus for authenticating a sensor node in a sensor network

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150120960A1 (en) * 2013-10-31 2015-04-30 Deutsche Telekom Ag Method and system of data routing through time-variant contextual trust
EP2869613A1 (en) 2013-10-31 2015-05-06 Deutsche Telekom AG Method and system of data routing through time-variant contextual trust
US10200273B2 (en) * 2013-10-31 2019-02-05 Deutsche Telekom Ag Method and system of data routing through time-variant contextual trust
CN105577699B (en) * 2016-03-03 2018-08-24 山东航天电子技术研究所 A kind of secure access authentication method of two-way dynamic non-stop layer authentication
CN107682909A (en) * 2017-11-22 2018-02-09 广东欧珀移动通信有限公司 A kind of control method and device for connecting access point
CN107682909B (en) * 2017-11-22 2020-06-26 Oppo广东移动通信有限公司 Control method and device for connecting access point

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 12777005; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 12777005; Country of ref document: EP; Kind code of ref document: A1