A Key Management Scheme Based on Pairing-Free Identity Based Digital Signature Algorithm for Heterogeneous Wireless Sensor Networks

Abstract

The secure transmission of data within a network has received great attention. As the core of the security management mechanism, the key management scheme design needs further research. In view of the safety and energy consumption problems in recent papers, we propose a key management scheme based on the pairing-free identity based digital signature (PF-IBS) algorithm for heterogeneous wireless sensor networks (HWSNs). Our scheme uses the PF-IBS algorithm to complete message authentication, which is safer and more energy efficient than some recent schemes. Moreover, we use the base station (BS) as the processing center for the huge data in the network, thereby saving network energy consumption and improving the network life cycle. Finally, we indirectly prevent the attacker from capturing relay nodes that upload data between clusters in the network (some cluster head nodes cannot communicate directly). Through performance evaluation, the scheme we proposed reasonably sacrifices part of the storage space in exchange for entire network security while saving energy consumption.

1. Introduction

Wireless sensor networks (WSNs) can be applied in military, traffic management, smart healthcare, and smart homes, etc. [1]. For example, in terms of medical health [2], it has brought great convenience to our society. However, in the application process, the secure transmission of data is essential. If there is no secure data transmission in the network, it is easy for an attacker to obtain sensitive data in the network, or even forge some data to attack the network, which will lead to the confidentiality and integrity of the data collected by the network to be questioned. Key management can provide secure communication keys for information transfer between network nodes to ensure message confidentiality, integrity, and authentication, etc.

Sensor network nodes are limited in terms of storage space, computing power, and energy reserves. As the symmetric encryption algorithm encryption and decryption process consumes less energy, this algorithm is often used for secure data transmission on the network, such as [3]. However, symmetric encryption algorithms cannot complete digital signature authentication. Traditional public key encryption algorithms (say RSA (Ron Rivest, Adi Shamirh and Len Adleman)) can only guarantee security when the key length (at least 1024 bits) is long enough. The increase in key length brings computational complexity. Considering the problems of large storage space, high computational complexity, and high energy consumption, traditional public key encryption algorithms were not considered suitable for sensor network nodes. However, through the improvement of the elliptic curve cryptography (ECC) algorithm and performing actual tests on the sensor nodes (such as [4,5]), it is proved that ECC can be applied to resource-constrained WSNs. Another issue to consider is that traditional public key infrastructure (PKI) issues a public key certificate for each node to help them verify the authenticity of the other party’s public key. However, the generation, storage, publishing, and verification of certificates also consume a lot of resources on the network. It is commendable that the emerging identity-based cryptography system solves this problem [6].

In this study, we learned that the heterogeneity of sensor nodes and sensor networks objectively exists. The internal node type in a homogeneous sensor network is single, and the network model often differs greatly from the actual application [7]. At the same time, the limitations of the homogeneous sensor network itself also limit the application of public key cryptosystems, hierarchical network management models, and other technologies in sensor networks. Therefore, in order to better study key management in sensor networks, the addition of heterogeneity has been favored by some researchers, such as [8,9,10]. We propose a key management scheme for heterogeneous wireless sensor networks (HWSNs). Our scheme makes some contributions:

• Our scheme uses the pairing-free identity based digital signature (PF-IBS) algorithm to complete identity authentication. This algorithm not only ensures the security of the key establishment process, but also saves energy.
• We adopted a new network model. The energy consumption of generating the network routing structure is borne by the base station (BS), which saves a lot of computing costs for the internal network nodes.
• We protect the location privacy information of nodes in the network to prevent attackers from discovering and attacking relay nodes in the network.

The rest of the paper is organized as follows: Section 2 reviews some guiding key management schemes. Section 3 explains the proposed key management scheme for HWSNs. Section 4 evaluates the performance of the proposed scheme. Section 5 summarizes our paper.

2. Related Works

Du et al. [11] designed a distributed key management scheme combining a routing structure and ECC based on the scheme [12]. This scheme proposes the concept of a communication neighbor (c-neighbor), that is, the node only needs to establish the communication key with the c-neighbor node instead of establishing the communication key with all neighbor nodes. However, in order to obtain a c-neighbor relationship, the low-performance sensor (L-sensor) must upload its own location information to the high-performance sensor (H-sensor). The H-sensor generates an intra-cluster routing structure based on the collected location information of the L-sensor, and then distributes neighbor information for each L-sensor in the cluster. The advantage of this scheme is that the key establishment process combined with the routing structure can omit some unnecessary communication link establishment, thereby saving the computational cost and communication cost of the network; however, the disadvantage is that the communication load of the H-sensor is too large and takes up a lot of storage space. At the same time, the node lacks message authentication during the key establishment process.

Boujelben et al. [13] proposed an identity based key management scheme for heterogeneous sensor networks. This scheme assumes that each node knows the identity identifiers of all neighboring nodes in advance. Bilinear pairing based on identity cryptography (IBC) is used to assist in establishing the session key. For two nodes (say ${\mathrm{N}}_i$ and ${\mathrm{N}}_j)$ that want to establish a session key ${\mathrm{K}}_{ij}$, each node first uses its own private key and the other’s public key and combines the properties of bilinear mapping to generate a common key ${\mathrm{V}}_{ij}$. Then, they use ${\mathrm{V}}_{ij}$ to encrypt the message $({\mathrm{r}}_{i}P$ or ${\mathrm{r}}_{j}P$) sent to the other party to generate a message authentication code, and send the message authentication code and message to the other party. Finally, when the message sent by the other party is verified, they use the Diffie–Hellman key exchange algorithm [14] to generate ${\mathrm{K}}_{ij}.$ The advantage of this scheme is better security and less key storage occupancy. The disadvantage is that the key establishment process only has message authentication and no identity authentication, and the key establishment process consumes more energy.

Wang et al. [15] proposed a distributed key management scheme that makes communication links more secure. In this scheme, Wang et al. have taken some improvement measures to address the two issues in the scheme [11]. Wang et al. used an energy-aware routing protocol to improve the first problem. For the second problem, the identity-based encryption (IBE) algorithm is used for message authentication. The advantage of the scheme is that it achieves better security through message authentication during the key establishment process. At the same time, the energy-aware routing algorithm [16] is used to save network energy consumption. The disadvantage of the scheme is that using the IBE algorithm to complete message authentication will consume a lot of energy. At the same time, the message authentication process cannot defend against replay attacks.

Harbi et al. [17] proposed a key management scheme that can ensure network data transmission security by enhancing authentication during key establishment. The scheme found that the Inter-Cluster Multiple Key Distribution Scheme for Wireless Sensor Network (ICMDS) [18] has the problem where it cannot implement the calculation of the session key. After reviewing the design process of the ICMDS scheme, Habib et al. found that the master private key needed to establish the key was lacking. In response to the problem of the ICMDS scheme, Habib et al. designed a new key management scheme based on the identity-based encryption (IBE) algorithm. The advantage of this scheme is that it can resist multiple types of attacks. However, the disadvantage of this scheme is that once the master private key is known by the attacker, all session keys established within the network will be exposed. In addition, completing identity authentication will consume a lot of energy.

Through the analysis of the above schemes, we know that ensuring the security of the designed key management scheme has always been the focus of attention. However, the security problems of key management schemes still exist. Even though security can be guaranteed in some ways, it comes at the expense of energy consumption. At the same time, we learn that identity-based security mechanisms have also received great attention from researchers.

3. Proposed Key Management Scheme for HWSNs

3.1. PF-IBS Algorithm

We optimize the PF-IBS algorithm proposed by Sharma et al. [19] The public key of each node in our optimized PF-IBS algorithm is related to $I{D}_i$, which is more conducive to identity authentication. Its security depends on the intractability of the discrete logarithm on the elliptic curve. Its implementation requires the following four steps:

Setup: 

PKG selects a safe elliptic curve $\mathrm{E}/{\mathrm{F}}_{\mathrm{p}}$ over the finite field ${\mathrm{F}}_{\mathrm{p}}$: ${\mathrm{y}}^2={\mathrm{x}}^3+\mathrm{ax}+\mathrm{b}$, where $\mathrm{a}$, b $\in F_p$ and $\Delta =4a^3+27b^2\ne 0$. $E/F_p$ satisfying $\Delta =4a^3+27b^2\ne 0$ is a non-singular hyperelliptic curve, which is suitable for cryptographic applications. $\mathrm{E}\left(F_p\right)$ consists of points on an elliptic curve and points of infinity and constitutes a group. $\mathrm{P}\in \mathrm{E}\left(F_p\right)$ as the generator of $\mathbb{G}$.

(1)

PKG selects $\mathrm{s}\in {\mathrm{Z}}_{q }^{*}$ as the master private key and obtains the master public key ${\mathrm{P}}_{pub}=sP$.

(2)

PKG selects two hash functions: ${\mathrm{H}}_1:{\left\{0,1\right\}}^{l_{I{D}_i}}\times \mathbb{G}\to Z_q^{*}{ \mathrm{and} \mathrm{H}}_2:{\left\{0,1\right\}}^{l_{I{D}_i}}\times \mathbb{G}\times {\left\{0,1\right\}}^{l_m}\to Z_q^{*}$, where $l_{I{D}_i}$ represents the length of $I{D}_i$ and $l_m$ represents the length of the message $m$.

(3)

PKG outputs public system parameter $\pi =\left\{E/F_p,q,\mathbb{G},P,P_{pub},H_1,H_2\right\}$.

Extract: 

PKG inputs each node identity $I{D}_i\in {\left\{0,1\right\}}^{*},\pi$, and s.

(1)

PKG selects $r_{I{D}_i}\in Z_q^{*}$, and calculates $R_{I{D}_i}=r_{I{D}_i}·P\mathrm{and}{c}_{I{D}_i}=H_1(I{D}_i||R_{I{D}_i})$, where $c_{I{D}_i}$ is the public key of each node.

(2)

PKG calculates $d_{I{D}_i}=r_{I{D}_i}+c_{I{D}_i}s mod q$, where $\left(R_{I{D}_i},d_{I{D}_i}\right)$ is the private key of the node.

(3)

PKG preloads $\left(R_{I{D}_i},d_{I{D}_i}\right)$ and π correspondingly into each node.

Sign: 

Taking nodes $u$ and $v$ as an example, $u$ signs the message $m_u$ with its private key $\left(R_u,d_u\right)$ and sends $I{D}_u$, $m_u$, and the signed message ${\sigma }_u$ to $v$.

(1)

$u$ chooses $\mathrm{a} \mathrm{random} \mathrm{number} {\phi }_u\in Z_q^{*}$, calculates $E_u={\phi }_u·P$ first, and then calculates $h_u=H_2\left(m_u,I{D}_u,R_u\right)$ and $Z_u={\phi }_u+h_u·d_u mod q$.

(2)

$u$ generates ${\sigma }_u=\left(E_u,R_u,Z_u\right)$.

Verify: 

$v$ uses the received $I{D}_u$ to verify ${\sigma }_u$ sent by $u$.

(1)

$v$ calculates $c_u=H_1(I{D}_u|\left|R_u\right) \mathrm{and} h_u=H_2\left(m_u, I{D}_u,R_u\right)$.

(2)

$v$ determines whether the left and right sides of $Z_u·P=E_u+h_u·\left(R_u+c_u{P}_{pub}\right)$ are equal. If two sides are equal, $m_u$ and identity authentication pass, and vice versa.

3.2. Construction of Network Model

3.2.1. Network Assumptions

Our network model includes a powerful BS, a few high-performance sensors (H-sensors), and many low-performance sensors (L-sensors). According to the needs of the network architecture, each H-sensor in the network will be used as the cluster head (CH). We have listed some assumptions about the network model:

(1)

The L-sensor does not have tamper-resistant hardware. Once the opponent captures the L-sensor, all the important information stored in the L-sensor can be obtained. Due to cost issues, the L-sensors’ computing power, storage space, and energy are greatly limited.

(2)

The H-sensor plays a key role in the transmission of sensor data within the cluster. The important information they store may affect the security of the L-sensor communication link within the cluster. Therefore, the H-sensor has a tamper-proof facility to better enhance the security of the network.

(3)

BS has a high computing power, wide communication range, and enough storage space and energy.

(4)

Each L-sensor and each H-sensor in the network has a unique identifier ${\mathrm{ID}}_{L_i}$ and ${\mathrm{ID}}_{H_i}$, respectively. The BS has its identifier ${\mathrm{ID}}_{BS}$. The identifiers of all L-sensors are denoted by ${\mathrm{ID}}_{L_s}$. The identifiers of all H-sensors are denoted by ${\mathrm{ID}}_{H_s}$. The identifiers of some L-sensors are represented by IDs.

(5)

The BS is well protected and trusted.

3.2.2. Network Communication Mode

Our network model draws on three communication modes used in LEAP+ [20]:

• Unicast (the process by which a particular node sends a message to a single node).
• Local broadcast (the process by which a particular node sends a message to all neighbor nodes within its communication range).
• Global broadcast (the process by which a particular node sends a message to all nodes in the network).

3.2.3. Data Preloading of Network Nodes

Based on the above assumptions that the BS is trusted and protected, we use the BS to act as a PKG role. The BS uses π and s in combination with ${\mathrm{ID}}_{L_i}$ to generate each L-sensor‘s identity-based public key $c_{L_i}$ and private key $({\mathrm{R}}_{L_i},d_{L_i})$. The same operation process for the identity identifiers ${\mathrm{ID}}_{H_i}$ of each H-sensor and ${\mathrm{ID}}_{BS}$ of the BS can generate $c_{H_i}$, $({\mathrm{R}}_{H_i},d_{H_i})$, and $c_{BS}$, $({\mathrm{R}}_{BS},d_{BS})$ for them. The asymmetric pair keys of all L-sensors are denoted by $c_{L_s}$ and $({\mathrm{R}}_{L_s},d_{L_s})$, respectively. Similar expression methods, $c_{H_s}$ and $({\mathrm{R}}_{H_s},d_{H_s})$, will be used to represent the public and private keys of all H-sensors. Each L-sensor is preloaded with $\left\{\pi ,I{D}_{BS},c_{BS},I{D}_{H_s},c_{H_s},K_{H_s}^U,I{D}_{L_i},K_{L_i}^R,\left(R_{L_i},d_{L_i}\right)\right\}$, where $K_{H_s}^U$ represents the public keys of the ECC encryption algorithm [21] for all H-sensors and $K_{L_i}^R$ represents the private key of the ECC encryption algorithm for each L-sensor. Each H-sensor will preload $\left\{\pi ,I{D}_{BS},c_{BS},I{D}_{H_i},\left(R_{H_i},d_{H_i}\right),K_{H_i}^R,I{D}_{L_s},c_{L_s},K_H\right\}$, where $K_{H_i}^R$ is the private key of the ECC encryption algorithm of each H-sensor and ${\mathrm{K}}_H$ is used for communication between H-sensors (and BS). The BS is preloaded with $\left\{\mathrm{s},\mathsf{\pi },{\mathrm{ID}}_{BS},\left(R_{BS},d_{BS}\right),I{D}_{H_s} c_{H_s},\left(R_{H_s},d_{H_s}\right),I{D}_{L_s},c_{L_s},\left(R_{L_s},d_{L_s}\right),K_{L_s}^U,K_H\right\}$, where $K_{L_s}^U$ represents the public keys of the ECC encryption algorithm for all L-sensors.

3.2.4. Routing Structure Generation

In HWSNs, the routing structure consists of two parts: Intra-cluster routing and inter-cluster routing. The former means that the intra-cluster L-sensor uploads the collected perceptual data to the nearest CH through the shortest path algorithm. The latter refers to the routing protocol where the CH uploads the collected sensory data to the BS according to the shortest path algorithm. We apply wireless sensor networks to military environmental monitoring. It is assumed that the surveillance area is a square area of 1000 m × 1000 m, and a trusted and protected BS is established in the center of the area in advance. Please note that our scheme does not restrict the BS to the regional center, but the communication range of the BS must cover the area. Then, a military aircraft randomly and uniformly spreads 20 H-sensors and 980 L-sensors in the surveillance area. Each L-sensor (and H-sensor) can obtain its own location through some sort of location service (such as [22,23]). Considering that the energy consumption and cost of GPS are not suitable for WSNs, we do not use the GPS location service.

In our scheme, the routing structure design within the network requires the BS to collect the location information of nodes in the entire network in advance. First, the BS broadcasts the invitation-join message (including ${\mathrm{ID}}_{BS}$ and timestamp ${\mathrm{T}}_{BS}$) to all nodes in the network by means of global broadcast. Then, once the H-sensor receives the invitation-join message, each H-sensor (say ${\mathrm{H}}_1$) will locally broadcast a Hello message (including $I{D}_{H_1}$ and timestamp $T_{H_1}$). Each L-sensor determines which H-sensor it belongs to by analyzing the signal strength of the received Hello message. (We assume that some L-sensors choose $H_1$ as the CH). Take $u$ in these L-sensors as an example. $u$ uploads its join-reply message (including $I{D}_u$, location information $l_u$, timestamp $T_u$, and digital signature ${\sigma }_u$). What we need to pay attention to is that $l_u$ needs to encrypt with $K_{H_1}^U$. Finally, after $H_1$ receives ${\sigma }_u$, it uses the $I{D}_u$ preloaded to verify ${\sigma }_u$. Other nodes perform similar operations. $H_1$ encrypts the encrypted join-reply messages of these L-sensors with $K_H$ and uploads them to BS. In Figure 1, we show a system model diagram of the entire network routing structure design.

Although the nodes in this area are randomly and evenly distributed, there is no guarantee that some communication nodes must be within their own communication range. Therefore, there are two problems in the process of uploading join-reply messages to the BS in the network: (1) Some special L-sensors may not receive Hello messages broadcast by H-sensors. (2) There may be special H-sensors that cannot communicate directly with all surrounding H-sensors, resulting in an interrupt to upload the join-reply messages.

In order to prevent some L-sensors in the network from becoming isolated nodes because they cannot receive Hello messages from H-sensors, we use the surrounding L-sensors to help these L-sensors complete the join-reply message upload. When there is no direct communication between H-sensors, we select some relay L-sensors between H-sensors to complete the upload of the join-reply messages. The specific solutions to these two problems are as follows:

For the first problem, the BS can notify all L-sensors (including these special L-sensors) through global broadcast. After receiving the invitation-join message, these special L-sensors through local broadcast send their own join-reply messages to the L-sensor that can receive the H-sensor signal strength, and they then use the L-sensor to indirectly upload their own join-reply messages to the H-sensor. For the second problem, these special H-sensors (say ${\mathrm{H}}_1$) first decrypt the join-reply messages of these L-sensors with ${\mathrm{K}}_{H_1}^R$ and then find the appropriate relay nodes by the position information of these L-sensors. The nodes in our scheme are randomly deployed, so CH can only find some relay nodes from the location information of the collected L-sensors. This is different from some schemes (such as [24,25]) using manual deployment of relay nodes to enhance network connectivity. Finally, ${\mathrm{H}}_1$ can indirectly upload the collected join-reply messages (encrypted with ${\mathrm{K}}_H$) of these L-sensors to the surrounding H-sensors by means of relay nodes. The BS will receive join-reply messages of all L-sensors. After completing the message collection, the BS generates a network routing structure using the location information of all L-sensors in combination with the shortest path algorithm.

The BS determines the communication neighbor relationship between nodes according to the network routing structure. Next, the BS can help the node establish a session key according to the communication neighbor relationship of the nodes in the network. In

Table 1. Notation for security protocols.

Notation	Description
$\mathrm{E}\left(k,m\right)$	Asymmetric encryption of $m$ using the key $k$
$\mathrm{D}\left(K,m\right)$	Asymmetric decryption of $m$ using the key $K$
$\mathrm{Sign}\left(k,m\right)$	Digital signature of $m$ using the key $k$
$\mathrm{Verify}\left(K,m\right)$	Signature verification of $m$ using the key $K$

, we describe some security measures identifiers. In Figure 2, we visually demonstrate the process by which the L-sensor in the network uploads its own location information to the BS.

3.3. Key Establishment Process

3.3.1. Centralized Session Key Establishment

It is assumed that the L-sensor (say $u$, $v$) will be determined to be the communication neighbor node relationship. The BS first generates a session key ${\mathrm{K}}_{uv}$ for $u$ and $v$ through a pseudo-random function. Then, ${\mathrm{K}}_{uv}$ is encrypted by $K_u^U$ and ${\mathrm{K}}_v^U$, respectively. Finally, the encrypted ${\mathrm{K}}_{uv}$ is digitally signed with $\left({\mathrm{R}}_{BS},{\mathrm{d}}_{BS}\right)$ to obtain ${\mathsf{\sigma }}_{BS}$. The BS sends ${\mathsf{\sigma }}_{BS}$ to $u$ and $v$ by unicast. When the two nodes receive ${\mathsf{\sigma }}_{BS}$, they use the preloaded $c_{BS}$ to perform digital signature verification and then use their own $K_u^R$ and $K_v^R$ to decrypt and obtain ${\mathrm{K}}_{uv}$, respectively.

3.3.2. Distributed Session Key Establishment

The assumption of the communication neighbor node relationship is consistent with the above. The BS first encrypts the routing materials of $u$ and $v$ with $K_u^U$ and ${\mathrm{K}}_v^U$, respectively. Then, the BS digitally signs the encrypted routing material with $\left({\mathrm{R}}_{BS},{\mathrm{d}}_{BS}\right)$ to obtain ${\mathsf{\sigma }}_{BS}$. Finally, the BS sends ${\mathsf{\sigma }}_{BS}$ to $u$ and $v$ by unicast, respectively. When the two nodes receive ${\mathsf{\sigma }}_{BS}$, they use the preloaded $c_{BS}$ to perform digital signature verification and then use their own $K_u^R$ and $K_v^R$, respectively, to decrypt and obtain their own routing materials.

The routing material of each L-sensor includes the ${\mathrm{ID}}_i$ and $c_{L_i}$ of its optimal communication neighbor node and the ${\mathrm{ID}}_j$ and $c_{L_j}$ of the backup communication neighbor node (relay nodes may contain IDs of multiple backup communication neighbor nodes). In the early stage, the optimal neighbor node will be the first object to establish the session key. However, the process of establishing session keys between nodes requires authentication to prevent some attacks (such as [26]). Taking nodes $u$ and $v$ as examples, combining the principle of the PF-IBS algorithm, the key establishment process of ${\mathrm{K}}_{uv}$ requires the following five steps:

STEP 1:$u$ selects ${\phi }_u,r_u\in {}_R{Z}_{*}^q$, calculates $E_u={\phi }_{u}P$ first, and then calculates $h_u=H_2\left(m_u,I{D}_u,R_u\right)$ and $Z_u={\phi }_u+h_u{d}_u mod q$, where $m_u=r_{u}P$. Finally, $u$ sends $⟨I{D}_u,E_u,R_u,Z_u,m_u,T_u⟩$ to $v$.

STEP 2: After obtaining the message from $u$, $v$ first determines if $T_u$ is valid, and, if it expires, rejects the message. It is determined whether $I{D}_u$ is consistent with the $I{D}_u$ distributed by BS. If the confirmation is consistent, then $u$ is a communication neighbor node. Next, $v$ calculates $h_u=H_2\left(m_u,I{D}_u,R_u\right)$ and determines whether the left and right sides of $Z_{u}P=E_u+h_u\left(R_u+c_u{P}_{pub}\right)$ are equal. If the two sides are equal, $m_u$ and identity authentication pass, and vice versa. It should be noted that the BS has assigned the public key $c_u$ of $u$ to $v$.

STEP 3:$v$ selects ${\phi }_v,r_v\in {}_R{Z}_q^{*}$, calculates $E_v={\phi }_{v}P$ first, and then calculates $h_v=H_2\left(m_v,I{D}_v,R_v\right)$ and $Z_u={\phi }_u+h_u{d}_u mod q$, where $m_v=r_{v}P$. Then, $v$ sends $⟨I{D}_v,E_v,R_v,Z_v,m_v,T_v⟩$ to $u$.

STEP 4: After obtaining the message from $v$, $u$ first determines if $T_v$ is valid, and, if it expires, rejects the message. It is determined whether ${\mathrm{ID}}_v$ is consistent with the ${\mathrm{ID}}_v$ distributed by BS. If the confirmation is consistent, then $v$ is a communication neighbor node. Next, $u$ calculates $h_v=H_2\left(m_v,I{D}_v,R_v\right)$ and determines whether the left and right sides of $Z_{v}P=E_v+h_v\left(R_v+c_v{P}_{pub}\right)$ are equal. If the two sides are equal, $m_v$ and identity authentication pass, and vice versa.

STEP 5:$u$ and $v$ respectively generate a shared key ${\mathrm{K}}_{uv}=r_u·r_{v}P=r_v·r_{u}P=K_{vu}$.

3.3.3. New Node Key Establishment and Old Key Deletion

In order to achieve the shortest path for the L-sensor to upload data, some L-sensors in the routing structure will be the optimal communication neighbor node of multiple L-sensors. There may be some L-sensors that act as relay nodes for inter-cluster data uploading. These optimal communication neighbor nodes and relay nodes undertake too many data upload tasks. They die prematurely due to excessive energy expenditure. There are even some L-sensors that are captured by the attacker. The death or capture of certain nodes can result in severe network partitioning, which prevents uploading of collected data. In order to extend the network life cycle, we need to revoke them and add new L-sensors. We assume that there is a detection mechanism (such as [27,28]) in the network to screen out death or captured nodes in the network. The BS notifies all L-sensors in the network about the IDs of these nodes by means of global broadcast. All L-sensors will check the IDs of their communication neighbor nodes. If IDs of these nodes are found, the L-sensor will delete IDs of these nodes and the previously established shared keys. When adding some new nodes to a certain area, the BS first encrypts the ${\mathrm{ID}}_i$ of the new node with the $c_{L_j}$ of the specific node of the area. Then, it uses (${\mathrm{R}}_{BS}$, ${\mathrm{d}}_{BS}$) to digitally sign the encrypted message to obtain ${\mathsf{\sigma }}_{BS}$. Finally, it sends the ${\mathsf{\sigma }}_{BS}$ to the specific node in the area by unicast, and these specific nodes will obtain IDs of new nodes. The new node (preloading IDs of the specific node) uses the above-mentioned distributed key establishment method to complete key establishment between the specific node and the new node.

3.3.4. Routing Update

In our scheme, the BS periodically informs nodes in the network to upload their remaining energy values. After obtaining the remaining energy values of all nodes, the BS will update the routing structure according to the remaining energy value of the node and the path energy consumption values. Next, according to the new routing table, the BS notifies the L-sensor to update the communication neighbor by unicast and completes the new session keys establishment.

4. Performance Evaluation

4.1. The Comparison of Key Storage Cost

In [11], Du et al. assume that in HWSNs, the number of H-sensors and L-sensors is M and N, respectively, and satisfies M << N. The following other schemes have the same assumptions on the number of nodes. In this scheme, each L-sensor (such as $u$) preloads its own private key and CH’s public key. Each H-sensor preloads its own private key, $u$’s public key, and key ${\mathrm{K}}_H$. The number of keys preloaded by Du et al.’s scheme is

$$\mathrm{N}\times 2+\mathrm{M}\times 3=2\mathrm{N}+3\mathrm{M}.$$

(1)

In [13], Boujelben et al. adopted a pairing idea of bilinear mapping during the key establishment process to assist the node in completing the session key establishment. This scheme has the smallest key storage space occupation. Each H-sensor and each L-sensor only need to store its own private key preloaded by the key distribution center. The number of keys preloaded by Boujelben et al.’s scheme is

$$\mathrm{M}\times 1+\mathrm{N}\times 1=\mathrm{M}+\mathrm{N}.$$

(2)

In [15], according to the design process of Wang et al.’s scheme, each L-sensor only preloads its own private key ${\mathrm{d}}_{L_i}$. Each H-sensor only preloads its own private key ${\mathrm{d}}_{H_i}$ and ${\mathrm{K}}_H$. Thus, in the scheme of Wang et al., the number of keys preloaded is

$$\mathrm{N}+\mathrm{M}\times 2=\mathrm{N}+2\mathrm{M}.$$

(3)

In [17], Harbi et al. designed a layered sensor network key management scheme. As can be seen from the node initialization phase of the scheme, each L-sensor also preloads a master private key $\mathrm{k}$ and the BS’s public key ${\mathrm{Pu}}_{BS}$, and each H-sensor preloads a master private key $\mathrm{k}$ and the BS’s public key ${\mathrm{Pu}}_{BS}$. In this scheme, the BS is considered a powerful device; therefore, all keys preloaded to the BS are negligible. The number of keys preloaded by Harbi et al.’s layered sensor network key management scheme is

$$\mathrm{N}\times 2+\mathrm{M}\times 2=2\mathrm{N}+2\mathrm{M}.$$

(4)

In our scheme, the BS preloads a lot of keys, which play a very important role. It should be emphasized that the BS has enough storage space; thus, all keys preloaded to the BS are negligible. In terms of preloading keys, our centralized key management scheme is the same as the distributed key management scheme. Each L-sensor is preloaded with $\left\{c_{BS},c_{H_s},K_{H_s}^U,\left(R_{L_i},d_{L_i}\right),K_{L_i}^R\right\}$, and each H-sensor preloads $\left\{c_{BS},\left(R_{H_i},d_{H_i}\right),K_{H_i}^R,c_{L_s},K_H\right\}$. In our scheme, the number of keys preloaded is

$$\mathrm{N}\times \left(2\times \mathrm{M}+3\right)+\mathrm{M}\times \left(4+\mathrm{N}\right)=3\mathrm{M}\mathrm{N}+3\mathrm{N}+4\mathrm{M}.$$

(5)

In

Table 2. Proportion of two types of nodes in heterogeneous wireless sensor networks (HWSNs).

Sensor Type:	1	2	3	4	5
H-sensor	4	8	12	16	20
L-sensor	196	392	588	784	980

, we show the distribution ratio between the H-sensor and the L-sensor in HWSNs. Figure 3 shows the comparison of the above schemes in terms of key preloading.

In Figure 3, the total key storage cost is higher in our scheme, but the storage cost of a single L-sensor can withstand the number of preloaded keys. We assume that the length of a single key is 160 bits. We follow the configuration of the fifth set of nodes in Table 2. A single L-sensor needs 0.86 KB to store the preloaded keys and a single H-sensor needs 19.68 KB to store the preloaded keys. We know that MICA2 has 128 KB of storage space, so the L-sensor can withstand the number of preloaded keys. The storage space of a single H-sensor itself is larger than the storage space of a single L-sensor, so the H-sensor can withstand the number of preloaded keys. Our scheme occupies more total key storage space for several reasons: (1) In our scheme, each L-sensor does not know which H-sensor will manage it before deployment. Therefore, it is essential that each L-sensor preloads ${\mathrm{K}}_{H_s}^U$ in advance. ${\mathrm{K}}_{H_s}^U$ and ${\mathrm{K}}_{H_i}^R$ can be used to encrypt the location information of the protected node to prevent attackers from eavesdropping on the node’s private information. $K_{L_i}^R$ will be used to protect the session key or routing material of the L-sensor assigned by the BS. (2) In Wang’s scheme, the scheme assumes that the L-sensor and the H-sensor in the cluster know the neighbors in advance. This indicates that the scheme is applicable to a network model in which the node knows the deployment knowledge rather than the randomly deployed network model, because randomly deployed nodes cannot know in advance which nodes are communication neighbors [29]. In order to obtain the deployment knowledge of the network model, our scheme needs to store $c_{BS}$ to complete the digital signature authentication to obtain the routing structure from the BS. (3) We do not use the IBE algorithm to protect the L-sensor location information. Although this approach eliminates the need to preload ${\mathrm{K}}_{H_s}^U$ and ${\mathrm{K}}_{H_i}^R$, the use of bilinear mapping operation in the IBE algorithm consumes more energy than the ECC encryption algorithm. Due to space limitations, we can refer to some papers [30,31] to understand the IBE algorithm.

4.2. The Comparison of Computation Cost

According to the HWSNs model we designed, we use MATLAB to simulate a cluster-generated routing structure to study. As the distribution of nodes in a single cluster is the same as the distribution of nodes in the entire network, in order to obtain the computing cost of the network model faster, we take a single cluster as the research object. Figure 4 shows a routing structure diagram of nodes within a cluster in the case of a single cluster. In Figure 4, the cluster contains 1 H-sensor and 75 L-sensors.

To compare the computational costs, we use the paper [32] referenced by Harbi et al. to obtain some important calculation parameters. The acquisition of important calculation parameters in [32] is derived from the PBC library based on the GMP library. We adopt the same energy consumption comparison idea as the scheme [11,12,15], that is, we only consider the calculation cost of the key without considering the cost of data communication.

Table 3. Various calculation operation times in the algorithm.

Operation Style	Time (ms)
Point addition calculation on ECC	0.0288
Scalar multiplication calculation on ECC	2.226
Hash function calculation on $\mathbb{G}$	12.419
Bilinear pairing calculation on $\mathbb{G}$	5.811
One-way hash function calculation	0.0023
Encryption calculation-based ECC	4.452
Decryption calculation-based ECC	2.226
Encryption/decryption calculation-based IBE	3.85
Symmetric encryption/decryption calculation	0.0046

shows the time required for various calculation operations in the designed algorithm. Figure 5 shows the comparison of the energy consumed by our scheme with other schemes during the key establishment process.

In Figure 5, our scheme has a lower computational cost than schemes [13,15,17]. Du et al.’s scheme lacks location information protection and message authentication during the session key establishment process and, thus, has the lowest computational cost. However, its security is very poor. In order to improve the security of the established session key, the security authentication mechanism is very important, such as [33]. Our scheme has lower calculation costs for several reasons: (1) In our scheme, the public key of the communication neighbor node is pre-allocated by the BS, thereby saving the computational cost of the node performing the hash function operation on $\mathbb{G}$. (2) Our scheme uses the PF-IBS algorithm, which saves the computational cost of bilinear pairing operations.

4.3. Security Performance Discussion

• (1) Forward secrecy of master private key. Forward secrecy: The private key of one or more participating entities is compromised, but the established session key is not destroyed. In Harbi et al.’s scheme, once s is leaked, all session keys will be compromised, so the scheme does not have the forward secrecy of the master private key. However, in our scheme, even if $\mathrm{s}$ is leaked, it does not affect the shared key that has been established.
• (2) Resist replay attacks. Replay attacks: The attacker misleads the legitimate node by resending the previous authentication code and synchronizing it to the wrong time. In our scheme, the message forwarded by the node adds a timestamp, which ensures the freshness of the data and prevents the attacker from initiating replay attacks.
• (3) Resist the node replication attack. Replication attack: The attacker captures the node and places a copy of it in multiple geographic locations to establish the illegal communication link with the legitimate node. There are some schemes (such as [34,35]) for preventing the node replication attacks. In our scheme, the BS pre-allocates information about the communication neighbor nodes of each node within the network. At the same time, we adopt the neighbor node authentication mechanism, and the legal node refuses to receive the information of the replica node, so it cannot pass the authentication and establish a secure communication link. Therefore, our scheme can effectively resist node replication attacks.
• (4) Resisting node capture attack. Resilience: Probability of exposing keys of the uncaptured node when some nodes are captured. The lower the resilience value, the more difficult it is for an attacker to exploit the useful information of the captured node to attack legitimate nodes. Conversely, the more nodes the attacker captures, the more useful information will be obtained and the higher the resilience value. In our scheme, the attacker cannot obtain the key of the uncaptured node by the information of the captured node.
• (5) Network weak area protection: Protection of relay node location information. Similar to the need to protect some important private information in our lives (such as [36,37]), we need to protect some important data information from being leaked. However, the location information protection of the node in our scheme is different from the privacy protection of the source nodes mentioned in the paper [38]. We know that the source node location privacy protection scheme for homogeneous WSNs has achieved some research results, but the source node location privacy protection scheme for heterogeneous wireless sensor networks has not been studied. However, the protection of the source node location privacy is not the focus of our scheme. Our scheme focuses on encrypting the location information uploaded by the L-sensor to prevent an attacker from obtaining a global routing table for the network. When an attacker obtains a global routing table, it is easy to find the location of the relay node. The number of these relay nodes is very limited. As the number of captured relay nodes increases, it will seriously affect the data upload in the network, and even lead to network partitioning. Our scheme prevents attackers from eavesdropping on the location information of the node of the network to generate a global routing table to find relay nodes.

  Table 4. Discussion of various schemes about security performance.

  Various Schemes	Du et al. [11]	Boujelben et al. [13]	Wang et al. [15]	Harbi et al. [17]	Ours
  Forward secrecy	Yes	Yes	Yes	No	Yes
  Replay attack	Yes	No	Yes	Yes	No
  Replication attack	Yes	No	No	No	No
  Capture attack	No	No	No	Yes	No
  Relay node attack	Yes	Yes	Yes	Yes	No

  shows the discussion of various schemes about security attacks.

Table 4 discusses the security performance of the various schemes. In order to ensure that the scheme is more secure, it is indispensable for the proposed scheme to incorporate a secure authentication process. Although the identity-based security mechanism has many advantages in the message authentication process, it is essential to ensure the security of the master private key. At the same time, when we make full use of the characteristics of the network model to design the scheme, we must pay attention to protecting the privacy information of the network nodes.

5. Conclusions

In this paper, we presented a key management scheme based on the PF-IBS algorithm for HWSNs. In our scheme, the BS acted as a data processing center to accomplish the tasks of routing structure generation, routing material allocation, and routing updates, thereby saving a lot of computational cost for the internal network. We used the PF-IBS algorithm to perform authentication. As the algorithm does not require bilinear pairing operations, it can save a lot of computational cost compared to other authentication schemes with bilinear pairing operations. Our scheme reasonably sacrificed some storage space, but ensured network security and saved energy. In the future, we will examine some of the problems faced by key management under new routing protocols and mobile node network models.