Authentication for Bulk Data Dissemination in Sensor Networks Using Symmetric Keys 1 Limin Wang SandeepS. Kulkarni SoftwareEngineeringandNetworkSystemsLaboratory DepartmentofComputerScienceandEngineering MichiganStateUniversity EastLansingMI 48824USA Abstract Authenticating bulk data dissemination in sensor networks is important as sensors need to verify that the data is truly from a trusted source. There are two ways to achieve authentication: asymmetric key based and symmetric key based. Althoughpreviousworkhasshownthatasymmetrickeyauthenticationisfeasibleonsensornodesifusedsparingly,itisstill quiteexpensivecomparedtosymmetrickeybasedapproach. Inthispaper,weproposeasymmetrickeybasedprotocol for authenticatingdatadisseminationprocess. Ourprotocolusesthesecretinstantiationalgorithmfrom[8,14]fordistributing thekeys. We applythesymmetrickeysignaturesatthesegment/grouplevelandusehashedverificationatthepacketlevel. To improve the efficiency in the presence of packet loss/delay, we employ several techniques: the double connected hash chain,thecachingscheme,andforwarderrorcorrection(FEC).Weshowtheeffectivenessofourdesignthroughsimulation. Moreover,sinceourprotocolhasmuchlowercostthantheasymmetrickeybasedapproaches,itisespeciallyvaluableforthe burstdatadissemination,wherethebasestationauthenticatesandtransmitsamoderateamountofdata(1 5KB)atatime. (cid:24) Keywords:Sensornetworks,Datadissemination,Authentication,Symmetrickeys 1Email:{wanglim1,sandeep}@cse.msu.edu. Web:http://www.cse.msu.edu/˜{wanglim1,sandeep}. ThisworkwaspartiallysponsoredbyNSFCAREERCCR-0092724,DARPAGrantOSURS01-C-1901,ONRGrantN00014-01-1-0744,NSFequipment grantEIA-0130724,andagrantfromMichiganStateUniversity. 1 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 2007 2. REPORT TYPE 00-00-2007 to 00-00-2007 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Authentication for Bulk Data Dissemination in Sensor Networks Using 5b. GRANT NUMBER Symmetric Keys 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION Michigan State University,Department of Computer Science and REPORT NUMBER Engineering,Software Engineering and Network Systems Laboratory,East Lansing,MI,48824 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES The original document contains color images. 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE 25 unclassified unclassified unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 1 Introduction Reliably disseminating a large amount of data to every sensor in the network is a fundamental task for wireless sensor networks. Wedistinguishtwotypesofbulkdatadissemination. Forone,thesizeofthedatastreamislarge(>10KB),and thesenderknowstheentiredatastreambeforeauthenticating/transmittingit. Atypicalexampleisnetworkreprogramming, whichre-tasksthenetworkbydisseminatinganewprogramtoallthesensorsinthenetwork. Thebasestationauthenticates theentireprogramandsendsitallatonce.Theothercaseiswhatwecallburstdatadissemination,whereburst/silentperiods occuralternatively. Amoderateamountofdata(1 5KB)issentineachburst. Thesilentperiodsaretypicallylong,during (cid:24) whichthesenderlistenstothenetworkorgoestosleepmode.Anexampleofburstdatadisseminationisnetworkmonitoring, inwhichthebasestationmonitorsthehealthofthenetwork,andbroadcastsasequenceofcommandsonceinawhile.Inthis case,thedatastreamisgeneratedandbroadcastbythebasestationinrealtime. Theentiredatastreamisnotknowntothe basestationinadvance. Datadisseminationinsensornetworksisperformedviawirelessradio,whichisabroadcastmedium,andisvulnerableto packetinjectionorcorruptionattacks.Moreover,thecurrentdatadissemination(reprogramming)protocols[10,13,16,22,27] areepidemicinnature.Onceafalseorviralcommandisacceptedononesensor,itcouldrapidlyinfecttheentirenetwork,and hence,leadtocatastrophicdamage. Forthesereasons,itisimportantthatsensorsbeabletoverifythatthedata/commands arefromatrustedsource. Inthispaper,weareinterestedinprovidingauthenticationforthisbulkdatadisseminationinsensornetworks. Ourgoal istoprovideawaythatsensorscanverifytheauthenticityandintegrityofthereceiveddata. Asymmetrickeyvs. symmetrickeyauthentication. Authenticationisacomputationandenergyexpensiveoperation. Mostauthenticationapproachesrelyonasymmetricdigitalsignatures. Intheseapproaches,abasestationsignsthepackets usingitsprivatekey.Allthesensorshavethepublickeyofthebasestation,andcanuseittoverifythesignatures. However, theseasymmetricdigitalsignaturesaretypicallylong(e.g.,50-1000bytesperpacket).Creatingandverifyingthemhavevery highcomputationoverhead.Communicatingthelongsignaturestothesensorsoverradioalsorequiresalotofbandwidthand energy. Moreover,sincethecryptographicoperationsareoverlappedwiththeradiooperations;iftheencryption/decryption operationsarenotfastenough,wemayencounterproblemsiftheradiopacketsneededbythesensorsarenolongeravailable. AlthoughrecentworkhasshownthatRSAandellipticcurvecryptography(ECC)arefeasibleonMica/TelosBmotes[9,21, 28],theyshouldstillbeavoidedorusedsparingly. Asanillustrationofthecostofasymmetrickeyauthentication,inarecentwork[28],WangandLishowthat,ifweuse 1024-bit RSA on Mica motes, the time required for the public key operation is 0.79s. Since it takes 0.42ms to transmit a singlebyteofdataoverradioonMica2motes[11],thetimeforapublickeyoperationisthesameasthetimefortransmitting 1.88KB data. The asymmetric key authentication is especially inefficient for the burst data dissemination where the base 2 stationsendsa moderateamountofdataatatime. Forexample,ifthebasestationtransmits1.5KBdataineachburst,the timerequiredbythepublickeyoperationforauthenticatingadataburstevenexceedsthetimeforthedatatransmissionitself. Asanalternative,symmetrickeybasedauthenticationneedsmuchlessenergy/memory/computationresources,andhence, isexpectedtobemoreappropriateforresourceconstrainedsensornodes. Forexample,accordingto[11],ifweuseSkipjack (orRC5)onMica2motes,theexecutiontimeforencryting/decryptingan8-byteblockisonly0.38ms(or0.26msinthecase ofRC5),whichislessthanthetimeforsendingonebytedataoverradio. Hence,thecostofusingsymmetrickeysignatures is negligible. A simple approach is to use a single network-wide key shared by the base station and all the sensors [11]. Theproblemwiththisapproachisthatif onesensoriscompromisedandthekeyiscaptured(whichhasbeenshowntobe relativelyeasy[4]),theentirenetworkisnolongersecure.Anothersymmetrickeybasedapproachistoshareapairwisekey betweenthebasestationandeachsensor. Althoughthisapproachisresistanttonodecompromise,itdoesnotscalewellto largenetworks. Moreover,withsymmetrickeybasedapproaches,thenumberofkeysthatarestoredateachsensormustbe small. Denial of service attack. Most sensor nodes have only a few kilobytes of RAM, yet the data from the base station aretypically tens ofkilobytes (consider thesize of a program). A sensormust store the receiveddata to the external flash (EEPROM) while it is accepting radio packets. If a large portion of the data that have been written to EEPROM fail in verification later, the data have to be erased. Since the energy cost of writing to external flash is high, the energy wasted instoringthefalsedataissignificant. Hence,thenetworkisvulnerabletodenialofserviceattacks,inwhichtheadversary injectsalotofgarbagepacketsthatwouldeventuallyexhaustthesensors’energy. Accordingtotheircapacities,theadversariescanbecategorizedintotwogroups: mote-classadversariesandlaptop-class adversaries. Mote-class adversaries have limited energy, and cannot launch extensive denial of service attacks. A laptop- classadversarycanlaunchadenialofserviceattackbysendinggarbagedatatothesensors.Onewaytomitigatelaptop-class adversariesistorequirethatonlythosepacketsthathavebeenauthenticatedcanbestoredtoflash(asdonein[5,6]).Inthis way,thecostoffailedverificationiseffectivelyreduced. However,thisrequirementcanalsoincreasethepropagationtime andenergyusagesignificantly,becauseitpotentiallydropsvalidpacketsthatcannotbeverified. Contribution of the paper. In this paper, we propose a symmetric key based protocol that authenticates the data dis- seminationprocessinsensornetworks. Inourwork,thenetworkconsistsofabasestationandacollectionofsensors. We notethattheonlycommunicationthatneedstobeauthenticatedisthecommunicationfromthebasestation,ratherthanthe communication between two arbitrary sensors. Utilizing this fact, we use a secret instantiation algorithm from [8,14] to provideauthentication. Thealgorithmrequiresonly O(logn)keysto bemaintainedateachsensor. Thus, in ourprotocol, onlyaverysmallnumberofkeysaremaintainedateverysensor. Signingeachpacketinthedatastreamtoauthenticateitisinfeasible,asitincursgreatcomputationandcommunication 3 overhead,evenwithalowcostsigningalgorithm.Thepracticalalternativethatreducestheoverheadistouseahashchainto linkthepackets,andsigntheheadofthehashchain[6,7].Weapplyasymmetrickeysignaturetoagroupofpackets,rather theentiredatastream. Forthereprogrammingtypeofbulkdatadissemination(whichsendsalargeamountofdataatonce), weapplythesymmetrickeysignatureatthesegmentlevel. Atalower(i.e.,packet)level,weusehashedverification,which hasfasterexecutiontimeandconsumeslessmemory,comparedtosignatures.Inthecaseofburstdatadisseminationsuchas networkmonitoring,thebasestationsignseachdataburst(inthecasethatadataburstislong,itdividesthedataburstinto severalparts,andsignseachpart),andusesthehashchaintolinkthepacketswithinaburst.Thisapproachessentiallybreaks onelonghashchainintoconsecutiveshorthashchains. Theadvantageisthatthebasestationonlyneedstoknowthegroup ofpacketsitisgoingtotransmit,ratherthanhavingtoacquire/authenticatetheentiredatastreamatonce. Aswepointedout, thesymmetrickeyauthenticationhasverylowcost,hence,itdoesnotincurmuchoverheadeventhoughweapplyitmultiple times. Hence, our protocolcan be used for authenticating the online data stream (or burst data dissemination). Moreover, sincethebasestationstartstransmittingdataassoonasitsignsthefirstgroupofpackets,itallowsaquickstartforbothtypes ofbulkdatadissemination. We consider both mote-class adversaries and laptop-class adversaries. Since one of our goals is to protect the sensor network in the event of a denial of service attack, we require the authentication for a packet be done before the packet is storedtoEEPROM.Forbulkdatadisseminationthatonlytoleratesmote-classadversaries,wereferreadersto[29]. We note that although the basic hash chain scheme has very little computation overhead, it does not tolerate packets arrivingoutoforder,whichisthetypicalcaseduetopacketlossinwirelesssensornetworks.Toovercomethisproblem,we designadoubleconnectedhashchaintoachievestrongerresistanceagainstpacketloss. WewillshowinSection4thatthis schemegreatlyimprovesperformanceofdatadisseminationinthepresenceofloss/delay.Moreover,onthereceiverside,we introducea group cache schemeto improveefficiency. We investigatethe tradeoffbetweenthe memory consumption (the sizeofthecache)andperformance.Wealsostudytheeffectofapplyingforwarderrorcorrection(FEC)toreducetheimpact ofpacketloss/delay. We apply our algorithm to MNP [16], a data dissemination algorithm for wireless sensor networks. We show the per- formance of our algorithm and the effectiveness of our design (the double connected hash chain, caching, FEC) through simulationonTOSSIM[18]. Organization of the paper. In Section 2, we describe the system model and security requirements of the secure data disseminationproblem. InSection3,wepresentourauthenticationprotocol. Wefocusonthesecretinstantiationalgorithm, the double connected hash chain, the caching scheme and applying FEC scheme. In Section 4, we evaluate our approach (integratedwithMNP[16])intermsofcomputationcost,memoryoverhead,delay,energyconsumption,andcommunication cost. Wealsoinvestigatetheeffectivenessofthetechniqueswehavedesignedforourprotocol. Wesurveyrelatedworkin Section5andconcludeinSection6. 4 2 SystemModeland SecurityRequirements The goal of this paper is to design a secure data dissemination protocol. Our protocol is targeted for TinyOS mote platforms,suchasMica2/XSMmote[1,2]orTelosBmote[3]. Itissupposedtobeusedwiththeexistingdatadissemination protocols,suchasMNP[16]andDeluge[10],inwhichthecodeimageispropagatedfromabasestationtoallthesensorsin thenetwork. Intheremainderofthispaper,weuseMNPasanexample. However,wenotethatourprotocolcanbeapplied tootherdatadisseminationprotocols,suchasDeluge[10],Infuse[13],aswell. InSection2.1,wegiveanoverviewofMNP. InSection2.2,wedescribethethreatmodelandsecurityrequirements. 2.1 ABriefOverviewofMNP MNP is a bulk data dissemination protocol, which provides a reliable and energy efficient service to propagate a large amount of data to all the sensors in the network overradio. MNP applies the advertise-request-datathree-way handshake interface[12]. Data are sent in segments. Each segment contains K packets; the last segment may contain fewer packets. Sensors must receivethe segmentsin order. A sensor (or the base station) advertisessegment N only if all the packetsin segments 1-N are available. Within a segment, the packetscan be received out of order. When the neighbors receive the advertisementsforasegment,iftheyhavenotreceivedthatsegmentcompletely,theywillsendrequeststotheadvertiser.This requestalsospecifiesthepacketsthattherequesterwants. Thesenderthentransmitstherequestedpacketsinthesegment. Thisprocesscontinuesuntileverypacketfromthebasestationisreceivedbyeverysensor.Thismodelprovidesefficientand reliabletransmissioninahighlylossyandunstablewirelessenvironment. Every sensor in the network needs to receive the data stream from the base station. Once the sensors receive part of thedatastream(oneormoresegments), theycanadvertiseandforwardtheprogramto theirneighbors. Message collision becomes a major problem when multiple sensors that are close to each other are trying to transmit at the same time. To reducethemessagecollisionproblem,MNPusesasenderselectionalgorithmtotrytoguaranteethatthereisonlyonesender in a neighborhood at a time (refer to [16] for details). If a sensor wins in the sender selection algorithm and becomes the sender, it broadcasts a “StartDownload” message several times, then starts transmitting the requested data packets in the segment. Attheendofthetransmission,thesenderbroadcastsa“TerminateDownload”messagetoinformthereceiversthat thetransmissionhasfinished.Thesensorsthatarenottransmittingorreceivingdataareputtosleepstatetosaveenergy. Since sometechniques we presentinSection 3 areusedto deal with packetloss, we describethe reliabilityschemefor MNPinmoredetails. InMNP,eachpackethasauniqueID,from1tothesizeofthesegment. Eachreceiverisresponsible fordetectingitsownloss.Anodemaintainsabitmap(whichwecallMissingVector)ofthecurrentsegmentitisreceivingin memory.EachbitinMissingVectorcorrespondstoapacket. Allthebitsareinitiallysetto1. Whenanodereceivesapacket forthefirsttime,itstoresthatpacketinEEPROMandsetsthecorrespondingbitinMissingVectorto0. TheMissingVectoris 5 attachedintherequestmessageandsenttothesender. A node that is advertisingmaintains a ForwardVector, which is a bitmap of the advertisedsegment, and is an indicator of the packets the node needs to send if it becomes a sender. The ForwardVector of an advertising node is the union of the MissingVectors in the request messages that the node has received. A node only sends the packets indicated in the ForwardVector. 2.2 ThreatModelandSecurityRequirements Weconsideranadversaryasonewhotriestoinjectitsowncodeintosensornodesorlaunchdenialofserviceattacksthat aimto exhaustsensors’battery power. It caneavesdroponanycommunicationinthe network. It isable tocompromisea sensornode,andacquireallinformationinsideit. Itcanalsoinject,change,deletepackets. However,anadversarycannot compromisethebasestation,whichissecurelyprotected. Moreover,observethatauthenticationissufficientfordatadisseminationinsensornetworks.Inotherwords,itsufficesto ensurethatthesensorscanbeassuredthatthedataarefromthetrustedsource. However,inthisapplication,confidentiality isnotrequired, i.e.,thedatabeingtransmittedarepublicandcanbeacquiredbytheadversary. Hence,thedataaresentin plaintextalongwithappropriateauthentication. Thegoalsoftheproposedprotocolareasfollows: 1. Authenticity. Eachsensormustbeabletoverifythatdataarefromatrustedsourceandhavenotbeenchangedduring transit. Weconsiderthebasestationasatrustedsource,andisprotectedagainstcompromise. 2. Compromiseresilience.Becausecurrentmost-classdevicesarenottamper-resistant,itisrelativelyeasytocompromise a sensor. It must not be possible that compromising a single sensor node will cause the other parts of the network insecure. 3. Lowcost. Thesecurityschemeshouldbeefficientintermsofcomputation,communication,andmemoryusage,and energyconsumption. Moreover,itshouldnotaddlongdelaytothedatadisseminationprocess. 4. Denial of service attack resilience. A sensor should verify the authenticity and integrity of a receivedpacketbefore writingittoflash. Thisistoreducethetimeandenergycostofreceivingfakepacketsfromanadversaryinadenialof serviceattack. 3 Protocol In this section, we describeour secure data dissemination protocol. In Section 3.1, we describethe secret instantiation algorithm [8,14], which we use to distribute the secrets (i.e., keys) and create/verify the signatures. In Section 3.2, we describehowweusethekeysandhashestosignthedatastream. Specifically,weproposethedoubleconnectedhashchains, 6 combined with symmetric key signatures, to authenticate the data stream. We also propose two other schemes to further improvetheefficiency:creatingacacheonthereceiverside(Section3.3)andusingforwarderrorcorrection(FEC)(Section 3.4). WewillstudytheeffectofapplyingtheseschemesinSection4. 3.1 SecretInstantiation The base station has a collection of secrets. Initially, each sensor receives some subset of this collection. The base stationknowsthesecretdistribution,i.e.,itknowsthesubsetofsecretsreceivedbyeachsensor. Wheneverthebasestation sendsamessage,itseparatelysignsitusingallthesecretsinitscollection. Thus,messagetransmissionisassociatedwitha collectionofsignatures,oneforeachsecretthatthebasestationhas. Tosignmessagem,withsecrets,thebasestationcan use algorithms such as MD5. (Additionally,if the length of the signature needs to be small, then only a small part of this signature(e.g.,lastbyte)maybeused.) Wheneverasensorreceivesthiscommunication,itverifiesthesignaturesbasedon thecollectionofsecretsithas. Ofcourse,asensorwillonlybeabletoverifyasubsetofthesignatures,asitdoesnothaveall thesecrets.Itisrequiredthatifallthesesignatureverificationsaresuccessful,thesensorcanassumethatthecommunication istrulyfromthebasestation(andnotfromanoutsideroranthersensorpretendingtobethebasestation). To implement this, a 2-dimensional array of secrets with r rows (numbered 0::r 1) and log n (numbered 1::log n) (cid:0) r r columns(where2 r nandnisthenumberofsensors)ismaintained. Asmentionedabove,thebasestationknowsall (cid:20) (cid:20) these secrets. Each sensor is assigned a unique ID that is a number with radix r. Observe that the ID is of length log n. r (Leading0sareaddedifnecessary.)ThisIDidentifiesthesecretsthatasensorshouldget. Specifically,ifthefirstdigit(most significant)oftheIDisxthenthesensorgetsxth secretinthefirstcolumn. IftheseconddigitoftheIDisythenthesensor getsyth secretinthesecondcolumn,andsoon. Theorem1. Ifsensorjreceivesamessageanditverifiesallthesignaturesbasedonthesecretsitknowsthenthatmessage mustbesentbythebasestation. Proof: Each sensor has a unique ID that is of length log n, thus it is associated with a unique combination of log n r r secrets. Onlythebasestationcontainsallthesecrets. Therefore,noothersensor,exceptthebasestation,hasallthesecrets thatsensorjhas. Hence,ifjverifieslog nsignatures,itisassuredthatthemessageoriginatedatthebasestation. r Toillustratethealgorithm,weshowanexampleinFigure1. Letthenumberofnodesbe16andletrbe2. Thenthebase station contains8 (i.e., 2 log 16) secrets with 2 rowsand 4 columns. Eachsensor has 4 (i.e., log 16) secrets. The set of 2 2 secretsasensorhasaredecidedbyitsuniqueID.Forexample,ifasensor’sIDis0011,thenithasthesecretsonthefirstrow inthefirsttwocolumnsandthesecretsonthesecondrowinthenexttwocolumns. Collusion. In the secret instantiation algorithm, compromising a single sensor node will not compromise the entire network. Thisisduetothefactsthateachsensorhasonlyasubsetofthesecrets,andifanadversaryattemptstopretendto bethebasestation,itneedstogetallthesecrets. However,colludingusersmaybeabletoobtainallthekeysand,thereby, 7 0(cid:13) 1(cid:13) 0(cid:13) ...(cid:13)...(cid:13)...(cid:13)...(cid:13) 1(cid:13) ...(cid:13)...(cid:13)...(cid:13)...(cid:13) 0(cid:13) 0(cid:13) 1(cid:13) 1(cid:13) 0(cid:13) 0(cid:13) 0(cid:13)1(cid:13) 0(cid:13) 0(cid:13) 1(cid:13)0(cid:13) 0(cid:13) 1(cid:13) 1(cid:13)0(cid:13) 1(cid:13) 0(cid:13) 0(cid:13)1(cid:13) 1(cid:13) 1(cid:13) 0(cid:13)1(cid:13) 0(cid:13) 0(cid:13) 0(cid:13)0(cid:13) 1(cid:13)0(cid:13) 0(cid:13)0(cid:13) 0(cid:13) 1(cid:13) 0(cid:13)1(cid:13) 1(cid:13) 1(cid:13) 0(cid:13)0(cid:13) 1(cid:13) 0(cid:13) 1(cid:13)0(cid:13) 1(cid:13)0(cid:13) 1(cid:13)1(cid:13) 0(cid:13) 1(cid:13) 0(cid:13)0(cid:13) 0(cid:13) 1(cid:13) 1(cid:13)1(cid:13) 1(cid:13) 1(cid:13) 1(cid:13)0(cid:13) Figure1.Secretinstantiation:anexample. pretendtobethebasestation. Bychoosinganappropriatevalueforr,thiskeydistributionprovidesatradeoffbetweenlevel ofcollusionresistanceandnumberofkeysatthebasestation. Inourexperiments,forsimplicity,weusedthebaser =2therebychoosingtheleastnumberofsecretsatthebasestation. Hence, in a 10x10 network (100 sensors), the base station maintains 14 (2log 100) secrets and each sensor maintains 7 2 (log 100)secrets. Inthiscase,collusionof2userswithcomplementaryIDs(e.g.,asensorwithID1010andasensorwith 2 ID0101)canallowthemtopretendtobethebasestation. Ifhighercollusionresistanceisdesired,thedesignercanchoose ahigherbase. Forexample,ifr =10isusedfora10x10network,thenthenumberofsecretsmaintainedatthebasestation increasesto20(ascomparedto14whenr =2). Sincethesesecretsareusedonlyafewtimesduringdatadissemination,it willnotaffecttheperformance(time/energy)significantly. Ontheotherhand,withincreasedvalueforr,notonlythecollusionresistanceincreases,butalsothenumberofsecrets maintainedbyeachsensor(log n)decreases. Thus,providinghigherlevelofcollusionresistancedoesnotadverselyaffect r thesensors. Forr=pn,thealgorithmcorresponds[14]tothegridalgorithmin[15]. Forr =n,thealgorithmcorresponds tothecasewhereeachsensormaintainsauniquesecretthatisknownonlytothatsensorandthebasestation. Inthiscase, collusionbetweensensorsdoesnotallowthemtopretendtobethebasestation. 3.2 AuthenticateTheDataStream Inthissection,wepresentouralgorithmtoauthenticatethedatastreamusingthesecretinstantiationalgorithmandhashed verification.First,weshowthebasichashchainapproachfrom[7]. Then,wediscusstheproblemwiththebasichashchain, andproposeourdoubleconnectedhashchaintoreducethisproblem. Assumethattheentiredatastream(oradataburst,inthecaseofburstdatadissemination)hasN (N 1)segments.Each (cid:21) segment contains K packets, possibly with the exception of the last segment. We represent the jth data packet of the ith segmentasP(i;j),i=1::N,j =1::K(wealsorefertoitaspacketjforsimplicity,aslongasitdoesnotcauseconfusion). Aswe applyonesymmetrickeysignaturetoeachsegment, we canconstructonehashchainpersegment. InFigure2, we 8 sign (H(i,1))(cid:13) i, 1(cid:13) i, 2(cid:13) i, 3(cid:13) i, 4(cid:13) i, 5(cid:13) ......(cid:13) i, k(cid:13) Figure2.Thebasichashchain(segmenti). showthebasichashchainapproachforsegmenti.ThehashofpacketP(i;j)isdenotedasH(i;j).AdatapacketP(i;j)has twoparts,thedatapartandahashofthenextpacket(notshowninFigure2forclarity). InFigure2,anarrowpointingfrom packetj topacketiindicatesthatpacketicontainsthehashofpacketj. IfP(i;j)isthelastpacketofthedatastream/burst, thenthe hash is 0. If P(i;j) is the last packetof segment i(1 i < N), the hash partcan be either 0 or the hashof the (cid:20) firstpacketofsegmenti+1,dependingontheavailabilityofthefirstpacketinsegmenti+1atthemomentthatthehash chainofsegmentiisconstructed(inthesecondcase,themultiplehashchainsfortheindividualsegmentsareconnectedinto asinglechain).Hence,adatapacketinabasichashchaincanberepresentedasinFigure3(assumingthatthefirstpacketof segmenti+1isavailable). ifP(i;j)isthelastpacketofthedatastream/burst P(i;j)=data(i;j)jj0 elseifjisthelastpacketofsegmenti P(i;j)=data(i;j)jjH(i+1;1);i=1::N(cid:0)1;j=K else P(i;j)=data(i;j)jjH(i;j+1);i=1::N;j=1::K(cid:0)1 endif Figure 3. Representation of a data packet P(i;j) in the basic hash chain (assuming that the first packet of segment i+1 is available). Note thatthe hashis computedovertheentirepacket, notjust thedata part. The basestation signs thehash ofthefirst packetin thesegment, whichistheheadofthehashchain, usingallthesecrets. We denotethesignaturesofsegmentias sign(H(i;1))inFigure2. Withthebasichashchainmechanism,asensorcanverifyadatapacketP(i;j)ifandonlyifithasreceivedandverified all the packets in the hash chain proceeding P(i;j). It implies that the data packets have to be verified in order. This is inefficientintheeventsofpacketloss/delay.Forexample,ifallthepacketsinsegmentihavebeenreceivedexceptpacket2, noneofthepacketsafterpacket2inthechaincanbeverified. Theyhavetobethrownawayifthereisnotenoughmemory tocachethem. Aswecansee,inthebasichashchainscheme,asinglepacketloss/delaycanleadtoerasureofmanyvaliddatapackets. Thisleadstosignificantenergywaste. Oursimulationresults(aswellastheresultsfrom[5,6])showthatifwerequirethat 9