Research Article
A Cognitive-Radio-Based Method for Improving Availability in Body Sensor Networks
Olga León,1 Juan Hernández-Serrano,1 Carles Garrigues,2 and Helena Rifà-Pous2
1 Telematics Department, Technical University of Catalonia, 08034 Barcelona, Spain
2 IT, Multimedia and Telecommunications Department, Open University of Catalonia, 08018 Barcelona, Spain
Correspondence should be addressed to Olga León; olga@entel.upc.edu
Received 11 July 2015; Accepted 20 September 2015
Academic Editor: Gyanendra P. Joshi
Copyright © 2015 Olga León et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
One of the main threats to body sensor networks (BSNs) is Denial of Service attacks that disrupt communications used to transmit patients’ health data. The application of cognitive radio (CR) technology into BSNs can mitigate such a threat and improve network availability by allowing network nodes to cooperatively agree on a new radio channel whenever the quality of the channel being in use decreases. However, the cooperative spectrum sensing mechanisms used by CRs should also be protected to prevent an attacker from predicting the new channel of operation. In this work, we present a lightweight and robust mechanism that appropriately secures the channel selection process while minimizing resources consumption, thus being suited for resource constrained devices such as body sensor nodes. The proposed method has been analyzed in terms of energy consumption and transmission overhead, and it has been shown that it outperforms existing cryptographic approaches.
1. Introduction
Sensor and wireless communication technologies are rapidly evolving and spreading to many fields such as medical services. Body sensor networks (BSNs) [1, 2] are becoming more popular and powerful every day, and ongoing efforts such as the IEEE 802.15.6 standard, optimized for low-power BSN devices [3], clearly reflect the increasing importance and potential of these types of networks.
A typical BSN is composed of a number of sensors that are placed at various locations on the body or in body, also known as implantable medical devices (IMDs). As depicted in Figure 1, these sensors forward sensed data to a more computationally powerful device or gateway (e.g., a smartphone) that in its turn can transmit the gathered data to a medical center. Therefore, the professionals can constantly monitor the patient’s state and take the proper actions according to the observed data. Thus, the use of BSNs can considerably reduce the gap between a medical emergency and the medical response while increasing the autonomy of patients, that is to say, their quality of life.
Body sensors exhibit more constraints regarding size, power, battery availability, and transmission (i.e., the human body is a lossy medium) than those sensors that can be found in conventional wireless sensor networks (WSNs), and therefore they require specific solutions. Besides the recent IEEE 802.15.6 standard, already supported by a few commercial devices, several low-power wireless technologies [4–7] suitable for BSNs have emerged during the last years. These technologies define typical transmission rates ranging from several kbps in ANT+ to 6 Mbps in WiFi with the lowest power 802.11b mode.
Lately, there has been increasing concern in incorporating security and privacy mechanisms to medical systems in order to preserve patients’ privacy and offer continuous monitoring of their health status. Besides, FDA (Food and Drug Administration) made recently a call for manufacturers to address cybersecurity issues relevant to medical devices for the entire life cycle of the device [8]. Thus, it is expected that these facts will definitely encourage a number of works in this field.
Generally speaking, the following security services should be provided in any medical system.
Hindawi Publishing Corporation, International Journal of Distributed Sensor Networks, Volume 2015, Article ID 272869, 13 pages, http://dx.doi.org/10.1155/2015/272869
Figure 1: BSN model. (Diagram labels: Sensor, BSN, Gateway, WiFi/Bluetooth, 3G/4G, Internet, Medical center.)
Confidentiality. Data regarding patients’ state should be only accessible to authorized entities. In this context, this implies that only the BSN’s nodes should be able to interpret the sensed data.
Authentication. The BSN’s nodes should be able to verify the source of any received data.
Integrity. Data should not be modified by an unauthorized entity, or at least BSN’s nodes should be able to detect that data has been altered.
Availability. Data and device information should be accessible upon request by authorized entities. The human body is a highly dynamic physical environment where wireless channel properties constantly change. Besides, these communications can be severely affected by interferences caused by electronic devices in the proximity of the BSN.
The first three security goals can be easily achieved by means of classical cryptographic tools in conventional networks. However, the limited capabilities of body sensors may prevent their application to BSNs. Besides, traditional cryptographic tools cannot prevent disruption of the network services due to interferences, no matter whether they are intentional, for example, a Denial of Service (DoS) attack, or not. Given the relevance of the data sent by body sensors, there is clearly a need for mechanisms to maximize the availability of such networks.
The integration of CR technology [9–11] into BSNs, leading to the concept of cognitive body sensor networks (CBSNs) [12], can significantly improve availability by allowing the nodes to select the best channel at any moment and avoid the harmful effect of interferences. CRs exchange sensed data about channel availability and jointly agree to switch to a new channel when the channel being in use becomes unavailable.
Note that if an attacker manages to eavesdrop channel availability data, it can take advantage of it to perform a new attack on the new channel of operation, thus preventing the network from using an available channel and leading the network to a DoS [13]. Channel switching, if unpredictable, renders DoS attacks more difficult, since the attacker must jam every possible transmission channel. Traditional encryption and authentication of exchanged data may help to hide channel switching decisions from external attackers but entail an additional cost that cannot be assumed by heavily constrained devices such as IMDs.
In this paper, we present a protocol to protect the process of channel selection in CR-based BSNs. The main goal is to maximize the availability of the network, thus ensuring that patients’ data such as blood pressure, heart rate, and temperature will successfully be delivered to a gateway (nonstop monitoring of patients). The protocol makes use of lightweight encryption and authentication primitives specifically suited for constrained devices such as body sensors.
The main contributions of this paper can be summarized as follows:
(i) We apply CR technology into BSNs in order to maximize the availability of services in such networks. Because CRs are able to sense the medium and select the best transmission channel at any moment, the effect of interferences or DoS attacks can be mitigated. In a conventional network, such phenomena would interrupt communications within the BSNs. In a CBSN, the nodes can switch to a new channel whenever the channel in use becomes unavailable.
(ii) We propose a method suited to constrained devices such as body sensors to secure the exchange of channel availability information and prevent an attacker from eavesdropping such data, thus diminishing the probability of a successful DoS attack.
(iii) We provide a security analysis of the proposed method and derive the time period during which the cryptographic material remains secure.
(iv) The proposed method is compared to other approaches based on traditional cryptographic primitives in terms of energy consumption and CPU usage.
The rest of this document is structured as follows. In Section 2, we review the state of the art on security in BSNs. Section 3 describes the BSN model considered in this work and its potential threats. A lightweight method to secure the process of channel selection in a BSN is presented in Section 4. Sections 5 and 6 present a security analysis of the proposed method and a comparison with existing approaches in terms of resources consumption. Finally, in Section 7, we provide the conclusions of this work.
2. Related Work
To date, research on security in BSNs has mainly focused on protecting data stored at the network nodes from unauthorized access and providing authentication and confidentiality to the communications among the BSN devices. In the following, we provide an overview of the proposals that can be found in the literature.
Many proposed authentication methods are based on biometrics, that is, relying on measurements of physiological values (PVs) [14] such as heart rate, blood pressure, or temperature in order to establish trust and generate key material. The main idea is ensuring access to sensors only to those devices in physical contact with the patient. The advantage of these methods is that the key source is hard for an attacker to predict without physical access to the patient and also ensures forward-security because PVs change over time. The main challenge, however, is how to achieve successful authentication among authorized devices when the PV measured by each one is not exactly the same, either due to measurement errors or due to the fact that different devices measure a given PV at different time instants.
Authentication by means of distance-bounding protocols was proposed in several works [15, 16]. This technique provides a very weak mutual authentication between two devices based on measuring the transmission time between them. The rationale behind these protocols is that a legitimate device must be closer than a given distance. As a consequence, they are vulnerable to injection attacks as long as the attacker is close enough to the patient bearing the sensors, for example, by means of a hug.
In [17], the authors presented a protocol based on identity-based encryption (IBE). IBE systems are public key cryptosystems that allow any device to generate a public key from a known identity value, such as the sensor ID, and require the existence of a trusted third party, called the private key generator (PKG), to generate the corresponding private key. To reduce the burden of key generation and encryption/decryption introduced by traditional public key cryptography, the authors proposed to use elliptic curve cryptography (ECC), which provides public key primitives suitable for constrained devices such as sensors in BSNs. Despite this, it is still more expensive in terms of resource consumption than approaches based on symmetric cryptography.
In order to preserve user’s privacy, a number of works proposed the use of symmetric encryption based on the AES (Advanced Encryption Standard) algorithm [18–20]. Many, such as the one in [19], proposed to use AES with CCM mode of operation, that is to say, AES counter (CTR) mode for data encryption and AES cipher-block-chaining message authentication code (CBC-MAC) for message authentication. The main advantage of this mode is that the same key can be used for authentication and for encryption without compromising security, and there is no need for rekeying as long as the number of devices is fixed. As a drawback, the added cost of encryption/decryption and especially the costs due to the transmission overheads cannot be neglected in BSNs, where every step forward in resources’ saving is of paramount importance. In this line, the authors in [20] presented an in-network mechanism that mimics the AES algorithm and greatly reduces the costs of decryption while they claim achieving the same level of security.
All the above-mentioned proposals approach the problem of protecting patient’s data from unauthorized access, modification, or forgery but cannot effectively deal with DoS attacks. Such a protection can be achieved by making use of CR devices that collaboratively switch to another frequency band [11, 21, 22] if the signal-to-noise ratio of the current one is below the required value. Furthermore, it is also necessary to protect the exchanged sensing data in order to prevent an attacker from eavesdropping data and getting the next channel to be used in the network. Note that this information may allow an attacker to rapidly perform a DoS attack in the new channel.
In this work, we present a lightweight and secure method that makes use of CR technology for improving the availability of the system, that is, ensuring that the communication between the body sensor nodes will be available even under the presence of unintentional or intentional interferences. The application of CR technology into body sensor networks was already proposed in previous works [23, 24]. However, to the best of our knowledge, none of them addressed security topics.
In [25, 26], several methods for securing spectrum sensing mechanisms were discussed, but they are not suited for heavily constrained devices such as body sensors.
In [27], the authors aimed to improve the availability of a BSN by means of a cross-layer multihop protocol that dealt with routing of data. This scheme, however, can be applied only to multihop BSNs where the path between two given nodes is established according to the connectivity among the nodes. In this approach, nodes make use of several paths but one single channel and thus are more vulnerable to attacks such as jamming than CR-based networks.
3. Network Model and Threats
In this work, we have considered a BSN composed of a set of sensor nodes where all of them can act as sinks, collecting/storing data from other sensors and potentially transmitting these data to an external gateway if required (see Figure 2). Although this approach introduces some overhead due to the fact that data must be shared among all sensors, it improves network availability and robustness against data loss and fairly distributes energy consumption among all sensors. Also, it makes the process of gathering by the gateway easy, which can connect to any of the BSN nodes to get all the information.
Figure 2: Communication between sensors and the gateway. (Diagram labels: Gateway, Sensor, Sink.)
As previously mentioned, we also assume that sensors have cognitive capabilities, that is, they form a CBSN and are able to identify free spectrum bands and adapt their transmission parameters accordingly. Spectrum sensing can be performed by each node on an individual basis or cooperatively. As the latter increases the probability of detection due to space diversity [28], we have adopted such an approach in this work.
In cooperative spectrum sensing, each sensor senses the medium and exchanges its observations with the other members of the network in order to agree on a given channel for data transmission/reception. However, these control data are exposed to many attacks [13] such as packet injection, eavesdropping, or Denial of Service (DoS). Next, we describe the attacker model and the specific attacks that can be executed against CBSNs.
3.1. Attacker Model. In this work, we focus on outsiders, that is, external attackers that do not share any cryptographic content with the gateway or the victim’s sensor nodes. If the attacker nodes are part of the CBSN, they will have access to the keying material and therefore will be able to successfully eavesdrop and inject data. In any case, the design of a mechanism to counteract this threat is out of the scope of this work.
In the context of CBSNs, we can classify adversaries according to the following criteria:
(i) Active or passive: a passive attacker can only eavesdrop data, thus being able to access patient’s data and violating his/her privacy. In its turn, an active attacker aims at injecting or modifying data in order to send fake reports on the state of the patient.
(ii) Type of attack includes the following:
    (a) eavesdropping: unauthorized access to stored data or to transmitted data among the CBSN devices, thus violating the privacy of the patient;
    (b) modification/injection: an attacker that may alter the content of a packet transmitted by a sensor or impersonate a sensor by forging a packet; these attacks can be executed due to lack of authentication and violate the integrity of the CBSN communications;
    (c) packet replay: an attacker that may capture a packet that was previously sent by a sensor of the network. Regardless of the fact that the CBSN is using authentication mechanisms or not, the packet will be accepted by the networks if antireplay mechanisms are not provided;
    (d) jamming: the adversary that disrupts the CBSN communications by generating interfering signals.
(iii) Intentional or unintentional: the adversary can be an external entity willing to cause damage to the communications among sensors and the gateway or can be an entity that unintentionally is causing interferences to those communications. As an example, the patient of interest could be near another patient with wearable sensors, which could inject fake reports if data is not properly authenticated. Examples of unintentional attacks could take place in a situation where two patients bearing body sensors are hugging and unconsciously exchange data. Or the patient could be near a relative who is visiting him/her at the hospital and carries any electronic device that causes interferences to the CBSN.
It is important to remark that in a CBSN, where sensor nodes establish communications using different channels over time, these attacks can be extended to the control data exchange among the devices of the CBSN. As an example, an attacker may forge a report regarding the availability of the channels, thus leading the CBSN to select a channel that is suffering from high interferences or that is currently being used by another service. Note that this attack can lead to a DoS and the failure of the system in monitoring the patient’s status. In its turn, eavesdropping of the control channel allows an attacker to have knowledge of the channels to be used by the CBSN. The attacker could take advantage of this situation in order to easily disrupt the communications in the network by performing a new DoS attack every time the CBSN switches to a new channel.
The implementation of security mechanisms in a CBSN [12] to counteract these attacks is specially challenging due to the limited capabilities of CBSN’s nodes. In the following section, we describe a simple method to secure the process of channel selection in CBSNs. The proposed mechanism is suited for networks with extremely constrained-resources devices, since it makes use of lightweight cryptographic functions and minimizes the added transmission/reception overhead.
4. Securing Sensing Data and Channel Selection in CBSNs
In the following, we present a mechanism for securing the exchange of sensing data and the channel selection process in CBSNs. Section 4.1 outlines the assumptions considered in this work regarding the network model, and in Section 4.2 we describe the protocol operation. For ease of understanding, we present the terminology used along this section as follows:
$\mathrm{CTR}_M$: medium-term session counter ($m$ bits)
$\mathrm{CTR}_S$: short-term session counter ($m$ bits)
$D_i^u$: data sensed by node $u$ during period $i$ ($l$ bits)
$\mathrm{ID}^u$: link-layer identifier of node $u$ ($m$ bits)
$K_i^u$: keystream to encrypt and authenticate data for node $u$ during period $i$ ($r$ bits)
KM: keying master
$l$: length of the data sensed by a given node during a given period
$m$: length of the hash output and all the secrets
$N$: number of nodes in the network
$p$: number of keystreams $K_i^u$ obtained from a $S^u$ ($p = m/r$), defining the number of sensing periods before updating $S^u$
$r$: length of the keystreams $K_i^u$, which must be a divisor of $m$
$S_L$: long-term globally shared secret ($m$ bits)
$S_M$: medium-term globally shared secret ($m$ bits)
$S_{s_i}$: long-term secret shared between the KM and node $i$; it is used to update $S_L$ in case it is compromised
$S^u$: short-term shared secret with node $u$
4.1. Assumptions. Although the proposed protocol is designed to be implemented in heavily constrained devices, we work under the assumption that such devices have at least the following capabilities:
(i) Compute a hash function with an output length of $m$ bits.
(ii) Temporally store in its random access memory at least $m \cdot (N + 3)$ bits, with $N$ the number of nodes in the network. As we detail later in Section 4.2, each node must keep a short-term shared secret for each of the $N$ nodes in the network (including itself) and three more long-term and medium-term secrets, each one with length of $m$ bits.
(iii) Sensor nodes use a synchronization protocol that will be used to share a global short-term session counter and a medium-term session counter among all nodes (see Section 4.2). Given the low transmission rate of sensor networks, existing synchronization schemes [29] provide enough precision for this purpose. We assume that the chosen protocol provides recovery methods upon loss of synchronization. How synchronization is achieved will strongly depend on the chosen protocol, but if the latter requires a master node for providing synchronization, the gateway of the BSN could play this role.
To the best of our knowledge, the former requirement can be assumed even in very constrained devices. As shown in [30], there are several lightweight hash functions that can be integrated into a sensor mote. The latter may not be harder to achieve. As detailed in Section 4.2, during every sensing period each node stores one secret per member of the network, a globally shared secret, and two counters, all of them with the same length $m$ as the hash output. If we consider a typical hash function with an output of 128 or 256 bits and a network with tens to hundreds of sensors, the RAM requirements for sensor nodes are just bounded to a few tens of kilobytes.
4.2. Protocol Operation. Before deploying the CBSN, every sensor node must be preloaded by a keying master (KM) with the following data:
(1) The set of channels that the sensor will have to sense in the cooperative sensing process.
(2) A long-term and globally shared secret $S_L$ of $m$ bits (the hash output length).
(3) A long-term secret $S_{s_i}$ shared between the KM and node $i$ that will be used to update the globally shared secret $S_L$ in case it is compromised.
The KM is an external device which is not a member of the BSN. Typically, this role is played by the device responsible for gathering data from the sensors or gateway (e.g., a smart phone or a tablet).
Upon deployment of the network, every node derives a medium-term globally shared secret $S_M$ by hashing the XOR of the long-term secret $S_L$ and a counter. The generation process of $S_M$ is clearly depicted in Figure 3. This process is periodically repeated with an updated value of the medium-term counter in order to protect the secret against a potential attacker. Details about how often this process should be carried out and the attacker capabilities are provided in Section 5.
As shown in Figure 4, each node generates a set of random sequences of $m$ bits, one for the node itself and one for each other node in the network. These random sequences $S^u$, with $u$ the node identifier, are obtained by hashing the XOR of the link-layer identifier of the node $\mathrm{ID}^u$, the medium-term shared secret $S_M$, and a short-term session counter $\mathrm{CTR}_S$.
Therefore, our proposal makes use of three types of shared secrets:
(i) A short-term per-node shared secret $S^u$ (one per each node in the network) used for encryption, decryption, and authentication of data.
(ii) A medium-term globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.
(iii) A long-term globally shared secret that is used to derive a new $S_M$ when the current one is about to expire.
Figure 3: Generation of the medium-term globally shared secret $S_M$. (Diagram labels: Long-term shared secret $S_L$, Medium-term session counter $\mathrm{CTR}_M$, Hash, Medium-term shared secret $S_M$; every value is $m$ bits long.)
Figure 4: Generation of the short-term shared secret $S^u$ for node $u$. (Diagram labels: Identifier of node $u$ $\mathrm{ID}^u$, Medium-term shared secret $S_M$, Short-term session counter $\mathrm{CTR}_S$, Hash, Short-term shared secret with node $u$ $S^u$; every value is $m$ bits long.)
As clearly denoted in Figure 5, each sequence $S^u$ is divided into $p$ fragments of $r$ bits, which will be denoted as $K_i^u$, each one being used as keystream to encrypt and authenticate data for node $u$ in period $i$. As per this behavior, a new short-term shared secret must be derived every $p$ sensing periods.
When a node performs spectrum sensing, it generates a binary sequence $D_i^u$ of $l$ bits that stores the availability of the different channels. The length of such sequence $l$ will depend on the number of bits used to code the state of each channel and the number of channels. As an example, the simplest way would be to use just a single bit for coding each channel, with value “0” if the channel is occupied and “1” otherwise. If more precise information about the quality of channels is needed (i.e., high, medium, low, and very low quality), more bits can be used to code the channel state.
During a sensing period $i$, each node must send to its neighbors its own sensing information, but also it must process the information received from its neighbors to reach a joint decision.
In order to send its own sensing information, node $u$ will make use of the corresponding keystream $K_i^u$: the first $l$ bits of the keystream will be used to encrypt channel information $D_i^u$ by means of a XOR addition; the remaining $r - l$ bits are left unchanged and will be used to provide message authentication, as illustrated in Figure 5. The resulting sequence $C_i^u$ will be sent to all the other nodes.
To verify the authenticity and decrypt the content of the packets that have been sent by a given neighbor $u$, a node will XOR the sequence $C_i^u$ of the received packet with the keystream $K_i^u$, as depicted in Figure 6. If the last $r - l$ bits of the resulting sequence are not all 0s, the authentication fails and the entire packet is discarded. Otherwise, channel information can be recovered from the first $l$ bits resulting from the XOR addition.
The above described process is applied for each neighboring node $u$. Then, the channel reported by a larger number of neighbors will be selected for the operation of the network. Note that, because more than one channel may be reported by the same amount of nodes, a tie-break mechanism is needed to guarantee that the process leads to equal results in all nodes. One simple approach that could be used is to select the channel with the highest identifier. However, this would lead to a lower usage of channels with lower identifiers and therefore to providing the attacker with valuable information about channel usage in the CBSN. As a consequence, we propose to use a tie-break method that relies on the format of $D_i^u$
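
The derivation, encryption, verification and vote-counting steps described above, put together as an added example (it is not code from the paper). BLAKE2s truncated to 128 bits stands in for the lightweight hash; the parameter values ($m = 128$, $r = 32$, $l = 16$), the left-to-right fragment order, the function names and the sample secrets, counters and reports are assumptions constructed for illustration, and the tally stops at the per-channel vote count.

```python
import hashlib

M_BITS = 128             # m: length of the hash output and of every secret
R_BITS = 32              # r: keystream length per sensing period (divides m)
L_BITS = 16              # l: sensing data length, one bit per channel here
P = M_BITS // R_BITS     # p = m/r sensing periods served by one S^u
TAG_MASK = (1 << (R_BITS - L_BITS)) - 1   # selects the last r-l bits


def H(x: int) -> int:
    """m-bit hash. BLAKE2s is a stand-in (assumption); the paper targets
    lightweight hash functions with a 128-bit output."""
    raw = x.to_bytes(M_BITS // 8, "big")
    digest = hashlib.blake2s(raw, digest_size=M_BITS // 8).digest()
    return int.from_bytes(digest, "big")


def derive_s_m(s_l: int, ctr_m: int) -> int:
    """S_M = H(S_L xor CTR_M), as in Figure 3."""
    return H(s_l ^ ctr_m)


def derive_s_u(node_id: int, s_m: int, ctr_s: int) -> int:
    """S^u = H(ID^u xor S_M xor CTR_S), as in Figure 4."""
    return H(node_id ^ s_m ^ ctr_s)


def keystream(s_u: int, i: int) -> int:
    """K_i^u: the i-th r-bit fragment of S^u, i = 1..p (order is an assumption)."""
    if not 1 <= i <= P:
        raise ValueError("S^u exhausted: derive a new one with the next CTR_S")
    return (s_u >> (M_BITS - i * R_BITS)) & ((1 << R_BITS) - 1)


def protect(d: int, k: int) -> int:
    """C_i^u: first l bits are D xor K, last r-l bits are K left unchanged."""
    if d >> L_BITS:
        raise ValueError("sensing data longer than l bits")
    return k ^ (d << (R_BITS - L_BITS))


def open_report(c: int, k: int):
    """Return D if the last r-l bits of C xor K are all zero, else None."""
    x = c ^ k
    if x & TAG_MASK:
        return None          # authentication failed: discard the whole packet
    return x >> (R_BITS - L_BITS)


def tally(reports: dict, s_m: int, ctr_s: int, i: int):
    """Verify every neighbour's packet and count, per channel, how many
    accepted reports mark it free (bit = 1). Returns (votes, rejected_ids)."""
    votes, rejected = [0] * L_BITS, []
    for node_id, c in reports.items():
        d = open_report(c, keystream(derive_s_u(node_id, s_m, ctr_s), i))
        if d is None:
            rejected.append(node_id)
            continue
        for ch in range(L_BITS):
            votes[ch] += (d >> (L_BITS - 1 - ch)) & 1
    return votes, rejected


def demo():
    """Three nodes report in period i = 2; node 3's packet arrives damaged."""
    s_l = 0x000102030405060708090A0B0C0D0E0F       # constructed S_L
    s_m = derive_s_m(s_l, ctr_m=1)                  # constructed CTR_M
    ctr_s, i = 7, 2                                 # constructed CTR_S, period
    sensed = {1: 0b1100_0000_0000_0001,             # constructed D_i^u values
              2: 0b0100_0000_0000_0001,
              3: 0b0100_0000_0000_0000}
    reports = {u: protect(d, keystream(derive_s_u(u, s_m, ctr_s), i))
               for u, d in sensed.items()}
    reports[3] ^= 1          # one authentication bit no longer matches K_i^u
    return tally(reports, s_m, ctr_s, i)


if __name__ == "__main__":
    print(demo())
```

Reusing one keystream for two reports would make the XOR of the two packets equal $D_1 \oplus D_2$ in the first $l$ bits, which is why `keystream()` refuses an index beyond $p$ and a new $S^u$ has to be derived from the next counter value.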
Recall that a fundamental characteristic of this protocol is that there is no central entity that is known and trusted by all sensors. This makes the protocol suitable for unattended scenarios, and it also makes it more efficient in terms of data transmitted through the network, because no information is sent regarding which channels have to be sensed or which channel is finally selected. Instead, sensors are deployed with all the information needed to perform the sensing in a distributed way and make a joint decision autonomously. Thus, there is no need for additional mechanisms to be used when a new node joins the network. In this case, the new node needs to synchronize with the rest of the members to get the proper value of the session counters by making use of the corresponding protocol. However, when a node is expelled from the network because it has been compromised, new cryptographic material must be generated and distributed among the remaining nodes. The KM is responsible for triggering this process and communicates with each sensor node to update the shared long-term secret $S_L$. Note that, because the KM shares a different secret $S_{s_i}$ with each node $i$, it can securely distribute the new value of $S_L$. Upon reception of $S_L$, each node should perform again the initialization process described at the beginning of this section.
Figure 5: Encrypting and authenticating sensing data. (Diagram labels: Short-term shared secret with node $u$, $S^u$ ($m$ bits); Keystream 1, Keystream 2, ..., Keystream $p$, that is, $K_1^u, K_2^u, \ldots, K_p^u$ ($r$ bits each); for sensing periods 1 to $p$, sensing data $D_1^u, \ldots, D_p^u$ ($l$ bits) and output $C_1^u, \ldots, C_p^u$ made of encrypted sensing data ($l$ bits) and auth data ($r - l$ bits).)
Figure 6: Decrypting sensing data. (Diagram labels: Short-term shared secret with node $u$, $S^u$ ($m$ bits); Keystream 1, Keystream 2, ..., Keystream $p$, that is, $K_1^u, K_2^u, \ldots, K_p^u$ ($r$ bits each); sensing period 1, $C_1^u$ ($r$ bits); test “if ≠ 0’s” on the $r - l$ bits; accept sensing data $D_1^u$ ($l$ bits); reject sensing data.)
5. Security Analysis
The security of the proposed method relies on the shared secrets used to derive the keys and perform encryption and authentication of channel availability data. As long as these secrets are not compromised, data confidentiality can be ensured, that is, an attacker might not be able to get the list of channels to be used in the CBSN. Besides, the method must prevent an attacker from injecting fake data into the system. These issues are discussed as follows. In Section 5.1, we analyze how often the shared secrets should be updated in order to guarantee a proper protection against cryptanalysis; next, in Section 5.2, we evaluate the packet authentication method used in our proposal in terms of probability of bypassing the authentication check.
5.1. Shared Secrets Lifetime. As previously mentioned in Section 3.1, for this analysis we are assuming that attacks come from external entities, and therefore attackers are not able to obtain the cryptographic material that is stored in the body sensors. In the context of this proposal, the lifetime of each of the shared secrets is the interval in which these secrets are considered computationally safe against cryptanalysis, that is, their cryptoperiod.
The cryptoperiod depends directly on the chosen cryptographic protocols, the length of the secrets themselves, and the number of times they are used. The more a given secret is used, the shorter its cryptoperiod is, as an attacker gets more information about this secret and therefore the probability of a successful cryptanalysis increases. In fact, cryptoperiod is defined more in terms of the number of times a given secret or key is reused (the amount of ciphertext exposed to an attacker for a given secret/key) than as a given time period, which strongly depends on the transmission rate of the sensor nodes.
Recall the three types of shared secrets used in the proposed method:
(i) Short-term per-node shared secrets: one secret $S^u$ per source node that is used to lightweight encrypt, decrypt, and authenticate the channels’ sensed data.
(ii) Medium-term globally shared secrets: globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.
(iii) Long-term globally shared secret: this being the initially preloaded secret $S_L$ that is used to derive a new medium-term globally shared secret $S_M$ when the current one is about to expire.
As clearly denoted in Figure 5, our approach operates in some manner as an additive stream cipher. It is well known that stream ciphers are considered to be secure as long as the key is never reused, and thus our cipher will be secure if a given value $S^u$ is not repeated. As a result, $S^u$ must be updated every $p = m/r$ sensing periods, with $p$ the renewal period, $m$ the length of the shared secret $S^u$, and $r$ the amount of transmitted bits (sensing data) in a sensing period that are encrypted with $S^u$.
Recall that in our proposal the per-node key used for encryption, $S^u$, is generated by means of a hash function. A second requirement is that this function must be cryptographically secure. Note that if the hash function does not fulfill this requirement, an attacker might be able to reverse it, that is, to get the input of the hash function given an output, meaning that in our proposal an attacker would be able to recover the value of the medium-term globally shared secret $S_M$ (see Figure 4).
A cryptographically secure hash function with an output of $m$ bits can offer a security level of $2^m$ operations against preimage attacks and $2^{m/2}$ against collision attacks. Generally speaking, a minimum output of 128 bits is required in order to provide a high level of security for most applications, but shorter lengths are accepted if the number of generated messages in a given period is limited, as is the case in low-rate networks. In Section 6, we propose several lightweight hash candidates with an output of 128 bits; that is to say, we can assume that it is computationally unfeasible for an attacker to invert the hash function and thus to predict the value of $S_M$, as long as it is updated before exceeding its cryptoperiod, which has an upper bound of $2^{m/2} = 2^{64}$ uses.
The long-term globally shared secret $S_L$ is only used to update the current medium-term globally shared secret $S_M$. Because $S_M$ is not updated very often, it is very unlikely that an attacker manages to obtain several values of $S_M$ to reverse the hash function and recover $S_L$. As a result, we can assume that the $S_L$ cryptoperiod is long enough and there is no need to update the secret during the nodes' lifetime.
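The key-reuse condition behind the renewal period p = m/r can be seen in a short added sketch (not code from the paper). It assumes that S^u is derived as H(S_M || node id || epoch), that SHA-256 truncated to 128 bits stands in for the lightweight hash, and that S^u is consumed in r-bit slices; the secret and the channel reports are constructed sample values.

```python
import hashlib

M_BITS = 128  # m: length of the per-node secret S^u (128-bit hash output)


def derive_su(s_m: bytes, node_id: int, epoch: int) -> int:
    """Per-node secret as an m-bit integer.

    Assumed layout: S^u = H(S_M || node_id || epoch). SHA-256 truncated to
    128 bits stands in for the paper's lightweight 128-bit hash.
    """
    data = s_m + node_id.to_bytes(2, "big") + epoch.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: M_BITS // 8], "big")


def renewal_period(m_bits: int, r_bits: int) -> int:
    """p = m / r: sensing periods one S^u covers before keystream bits repeat."""
    if not 0 < r_bits <= m_bits:
        raise ValueError("r must satisfy 0 < r <= m")
    return m_bits // r_bits


def keystream_chunk(s_u: int, index: int, r_bits: int) -> int:
    """The index-th r-bit slice of S^u, counted from the most significant bit."""
    shift = M_BITS - (index + 1) * r_bits
    return (s_u >> shift) & ((1 << r_bits) - 1)


def encrypt(s_m: bytes, node_id: int, period: int, data: int,
            r_bits: int, renew: bool = True) -> int:
    """XOR r bits of sensing data with the keystream slice for this period.

    renew=True  -> a fresh S^u every p periods (the rule stated in the text).
    renew=False -> the same S^u forever, so slices repeat every p periods.
    Decryption is the same operation.
    """
    p = renewal_period(M_BITS, r_bits)
    epoch = period // p if renew else 0
    s_u = derive_su(s_m, node_id, epoch)
    return data ^ keystream_chunk(s_u, period % p, r_bits)


def observable_xor(cryptograms: list, p: int) -> list:
    """What a passive listener can compute: C_i xor C_(i+p)."""
    return [cryptograms[i] ^ cryptograms[i + p]
            for i in range(len(cryptograms) - p)]


# Constructed sample: r = 32 bits of channel-state data per sensing period.
R_BITS = 32
P = renewal_period(M_BITS, R_BITS)          # 128 / 32 = 4 periods
S_M = bytes(range(16))                      # constructed medium-term secret
REPORTS = [0x0000FFFF, 0x00FF00FF, 0x0F0F0F0F, 0x33333333,
           0x0000FFF0, 0x00FF0FFF, 0x0F0F0F0F, 0x3333CCCC]
PLAIN_XOR = [REPORTS[i] ^ REPORTS[i + P] for i in range(P)]

REUSED = [encrypt(S_M, 7, t, d, R_BITS, renew=False)
          for t, d in enumerate(REPORTS)]
RENEWED = [encrypt(S_M, 7, t, d, R_BITS, renew=True)
           for t, d in enumerate(REPORTS)]

if __name__ == "__main__":
    print("p =", P)
    print("reused S^u exposes D_i xor D_(i+p):",
          observable_xor(REUSED, P) == PLAIN_XOR)
    print("renewed S^u exposes it:            ",
          observable_xor(RENEWED, P) == PLAIN_XOR)
```

When S^u is kept past p periods, the XOR of two cryptograms equals the XOR of the two channel reports, so a listener learns which channels changed state without knowing any secret.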
5.2. Authentication. A cryptogram $C^u_i$ of sensing data contains an authentication field of 16 bits that is checked upon reception (see Figure 6). Consequently, an attacker has a chance of 1 in $2^{16}$ of guessing the next authentication field, which allows it to forge a valid authentication field and inject fake data. Note that this attack can lead the CBSN to wrong decisions about the availability of the spectrum.
If the attacker repeatedly attempts to send valid ciphertexts, it may succeed after $2^{15}$ attempts on average. Because the attacker does not know $S^u$, the authentication field appears to it as a random stream and, therefore, it must select a fake authentication field at random. Besides, the attacker cannot determine whether a given ciphertext has been accepted or rejected because the receiver does not acknowledge the reception of such packets to the emitter. Otherwise, the attacker could take advantage of this information in order to guess a valid authentication field faster.
In conventional networks, $2^{15}$ packets may seem an extremely low number, but it may provide an adequate level of security in CBSNs. In these networks, the attacker can only send fake packets during the sensing periods, which are in the order of a few milliseconds in most cognitive scenarios [31]. Moreover, as previously stated in Section 1, transmission rates in BSNs are considerably low, with values usually ranging from tens to a few hundred kilobits per second.
As an example, let us consider a 1 Mbps link, a sensing period of 10 ms, and a packet size of 10 bytes (which is clearly bigger than the typical packet size in sensor networks). Given these parameters, an attacker would only be able to send 125 packets at most in every sensing period. That is to say, the attacker would need an average of 262.144 sensing periods to send a fake packet and pass the authentication check.
6. Cost Evaluation and Comparison with Other Approaches
In this section, we evaluate the cost of our proposal in terms of energy consumption due to transmission overhead and computational cost and compare its performance with the most common approach adopted in sensor networks [32], which is providing authentication and/or encryption of the channel sensing data by means of standard block ciphers. As is well known, block ciphers take as input the message to be encrypted or authenticated, which is divided into several blocks of fixed length, and a key. Both the block length and the key length depend on the algorithm being used. Regardless of the algorithm, block ciphers can be used in several modes of operation depending on the service to be provided, that is, encryption only, authentication only, or encryption/authentication. Generally, the following modes of operation are applied.
Authentication. CBC-MAC is a block cipher mode for generating message authentication codes. The message to be authenticated is divided into several blocks of equal size, and each block is encrypted so that the value of a given block depends on the encryption of the previous block. The final output of the cipher, that is, the message authentication code or CBC-MAC, is the result of encrypting the last block of the message. When the input of the cipher is shorter than the block size (as is usually the case in sensor networks), the CBC-MAC can be obtained by directly encrypting a single block padded until the block size of the cipher is reached.
Encryption. CTR mode of operation turns a block cipher into a stream cipher, meaning that the resulting ciphertext has the same size as the input or plaintext. Thus, it does not force the output length to be a multiple of the block size, as is the case for other modes such as CBC-MAC. This property makes this mode of operation suitable for encryption in sensor networks, where devices usually exchange short-length messages.
Authentication + Encryption. CCM (CTR + CBC-MAC) is a common choice for providing both encryption (CTR) and authentication (CBC-MAC) [19]. A minor variation of CCM, called CCM*, is used in the ZigBee standard [7].
In this work, we assume that the Advanced Encryption Standard (AES) in CTR mode is used for encryption and AES CBC-MAC for authentication, as it is the current standard for symmetric cryptography, even in sensor nodes [33]. Currently, there are efficient hardware implementations of AES that are highly affordable.
Regarding hardware platforms, the vast majority of previous works on BSNs have used the 16-bit Texas Instruments' (TI) MSP430 and CC2540 families of microcontrollers [34]. Built around a 16-bit CPU, ultra-low-power MSP430 microcontrollers are designed for low-cost and, specifically, low-power-consumption embedded applications. As an example, TI's CC2540 family [35] enables robust Bluetooth low energy (BLE) network nodes to be built with low total bill-of-material (BOM) costs. BLE operates in the same spectrum range (2.400 GHz–2.4835 GHz ISM band) as classic Bluetooth technology but uses a different set of channels: instead of 79 1 MHz channels, BLE offers 40 2 MHz channels, 3 for advertising purposes and 37 for data exchange.
6.1. Transmission/Reception Overhead. In this section, we analyze the overhead introduced by our proposal in terms of transmission/reception of channel availability data and compare it with the overhead exhibited when conventional approaches are used for data encryption/authentication, as explained above. We assume that all sensors are capable of sensing a given set of channels and report information about their state.
With our proposal, the minimum number of transmitted bits will depend on the number of channels that a given sensor is reporting, the number of bits used to code the state of each channel, and the length of the authentication code. As explained in Section 5.2, a length of 16 bits is enough to secure most applications in WSNs, and thus we have assumed this value for the authentication field. This leads to a total amount of $\mathrm{Bits}_{tx} = l + 16$ transmitted bits, where $l$ represents the total number of bits used to code all possible channels, and $\mathrm{Bits}_{rx} = (n - 1)\,\mathrm{Bits}_{tx}$ received bits, representing the number of bits received by a given sensor from its neighbors.
Aiming to provide a fair comparison, we choose the same key length for block ciphers and for our proposal, that is to say, a 128-bit key. The transmitted-bits overhead added by AES CBC-MAC authentication is 128 bits (for a semantically secure implementation, an IV or nonce must also be shared between emitter and receiver, so the overhead can be higher). Regarding encryption, the number of transmitted bits is equal to the number of bits $l$ used to code the state of the channels, but it also requires the use of a nonce with a length equal to half of the key length, that is, 64 bits per message.
During every sensing period, every node must transmit a packet with sensing information but also must process the packets received from its neighbors. Table 1 and Figure 7, respectively, show the transmission and reception overhead due to the secure sharing of sensing information using both standard block ciphers and our proposal. The values are provided as a function of the number of bits $l$ used to code the state of the channels and the number of nodes $N$, ranging from 5 to 30. Given that the considered scenario is a body sensor network, this is more than a reasonable value, since a patient wearing more than 30 sensors may be an unlikely situation.
The reader may notice that the overhead introduced by this mechanism increases linearly with the number of nodes for both approaches. However, with the proposed method, the transmission/reception overhead is considerably reduced with respect to the use of standard block ciphers while still maintaining an acceptable level of security. In fact, the more nodes in the CBSN, the bigger the improvement introduced by the former. As we will show later, the transmission/reception savings also lead to a huge saving in energy consumption.
6.2. Computational Cost. In this section, we provide a comparison of the CPU cost, in cycles, due to the implementation of the cryptographic functions.
If AES is used, the total cryptographic cost per node for securing the exchange of sensing data equals the cost of one encryption and $N - 1$ decryptions. Assuming the Texas Instruments' reference AES implementation for CC2540 microcontrollers [36], AES encryption needs 6600 cycles/block and AES decryption 8400 cycles/block.
With our proposal, the energy consumption has three components: the computation of the different sequences $S^u_i$ with the hash function before the sensing period begins, the XOR of the keystream $K^u_i$ with the sequence $D^u_i$ that signals the availability of channels, and the XOR of the sequences $C^u_i$ received from neighbors with the precomputed $S^u_i$. Therefore, a node must compute $N$ hashes and perform $N$ XORs to send channel information and process the reports received from its neighbors.
Table 1: Transmission overhead.
Mode                                            l (bits)   Overhead (bits)
Authentication only (CBC-MAC)                   16         128
Authentication only (CBC-MAC)                   32         128
Authentication only (CBC-MAC)                   64         128
Encryption only (CTR)                           16         80
Encryption only (CTR)                           32         96
Encryption only (CTR)                           64         128
Authentication and encryption (CCM)             16         208
Authentication and encryption (CCM)             32         224
Authentication and encryption (CCM)             64         256
Authentication and encryption (our proposal)    16         32
Authentication and encryption (our proposal)    32         48
Authentication and encryption (our proposal)    64         80
[Figure 7: Reception overhead for a varying number of nodes $N$. Plot of reception overhead (bytes) versus number of nodes ($N$) from 5 to 30; curves: CBC-MAC (l = 16, 32, 64), CTR (l = 16, 32, 64), CCM (l = 16, 32, 64), and Ours (l = 16, 32, 64).]
As per [37], an XOR operation with an MSP430 accounts for 4-5 cycles/byte. Assuming a 128-bit hash function and the worst case, every XOR in our proposal accounts for 5 · 16 = 80 cycles. As previously explained in Section 5.1, we suggest the use of a lightweight cryptographic hash function specifically suited for low-end devices with an output of 128 bits. Table 2 depicts the number of CPU cycles per block needed [38] for two potential candidates. As clearly seen in the table, computing one of these hash functions requires only a few tens of cycles/block. In the following, for this analysis we will consider the (stripped) MAME hash function, as it is a pure hash function that does not rely on a symmetric cipher and requires more CPU cycles (worst case).
Table 2: Cycles per block for different cryptographic hash functions.
Algorithm          Hash output size   Cycles/block
(Stripped) MAME    128                96
H-PRESENT-128      128                32
Taking into account the previous data, Figure 8 shows the CPU cycles consumed with both our proposal (with a MAME hash function) and standard AES-128 security. It can be clearly seen that our proposal scales much better with the number of nodes while still providing an appropriate level of security. We do not provide values for the process time, that is, the time needed for key generation, encryption, decryption, and data authentication, but the number of CPU cycles required to execute each function. In this way, time values can be obtained for a particular sensor node according to its CPU features.
6.3. Total Energy Cost. Table 3 provides the transmission and reception energy consumption of a TI's CC2540 microcontroller for different modes and values of transmission power. The displayed values have been tested at 25 °C. We do not have values for in-body conditions (≈38 °C), but we present these data for reference purposes. In any case, this fact only affects the energy consumption for receiving/transmitting. Note that the total cost in terms of energy is much higher, since it should also account for duty cycles, state changes, and other parameters [39].
There is no single specific "energy per CPU cycle" value, since the cycle consumption depends on the type of CPU operation. Anyway, in [34] the authors measured that the TI's MSP430F1611 consumes energy at an average of 0.72 nJ per clock cycle, and we have adopted such value in our study.
Figure 9 shows the total average energy consumption as a function of the number of neighboring sensor nodes and the number $l$ of bits used to code the channels for the proposed mechanism and standard approaches: CCM (authentication and encryption), CTR (encryption only), and CBC-MAC (authentication only). We have assumed standard reception and short-range transmission of −6 dBm (see Table 3).
As clearly denoted in the figure, our method only requires a few tens of µJ regardless of the number of sensor nodes, while AES-based security requires higher values of energy, ranging from 35 µJ to almost 240 µJ when encryption and authentication are provided and for 30 sensor nodes. The larger the number of sensor nodes, the bigger the improvement introduced by our proposal.
It must be remarked, however, that the purpose of this figure is to provide reference values to be taken into account for future implementations. Besides, the level of security provided by our method is lower than that of AES-based methods but is still more than adequate given the features of CBSNs (transmission rate, number of sent messages, etc.) and given the fact that the data we are trying to protect are just a limited number of potential channels to be used for operation of the network.
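The per-node cost figures of Section 6 and the forgery estimate of Section 5.2 can be combined into one small model, given here as an added example that is not the authors' code. It assumes that the total energy is the sum of CPU, transmission and reception energy, using the constants quoted in the text and in Tables 1 to 3; the tag-length parameter generalizes the paper's fixed 16-bit authentication field.

```python
# Constants quoted in Section 6 of the text.
AES_ENC_CYCLES = 6600      # cycles/block, TI reference AES implementation [36]
AES_DEC_CYCLES = 8400      # cycles/block
HASH_CYCLES = 96           # (stripped) MAME, Table 2
XOR_CYCLES = 5 * 16        # worst case: 5 cycles/byte over 16 bytes
NJ_PER_CYCLE = 0.72        # MSP430F1611 average [34]
NJ_PER_BYTE_TX = 71.4      # TX at -6 dBm, Table 3
NJ_PER_BYTE_RX = 58.8      # RX standard, Table 3
MAC_BITS = 128             # AES CBC-MAC output
NONCE_BITS = 64            # CTR nonce, half the key length

SCHEMES = ("cbc-mac", "ctr", "ccm", "ours")


def tx_bits(scheme, l, tag_bits=16):
    """Bits one node transmits per sensing period (the Table 1 column)."""
    if scheme == "cbc-mac":
        return MAC_BITS                    # Table 1 lists 128 for every l
    if scheme == "ctr":
        return l + NONCE_BITS
    if scheme == "ccm":
        return l + NONCE_BITS + MAC_BITS
    if scheme == "ours":
        return l + tag_bits
    raise ValueError(f"unknown scheme: {scheme}")


def rx_bits(scheme, n, l, tag_bits=16):
    """Bits received from the other n - 1 nodes in one sensing period."""
    return (n - 1) * tx_bits(scheme, l, tag_bits)


def cpu_cycles(scheme, n):
    """Cryptographic CPU cycles per node and sensing period."""
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme: {scheme}")
    if scheme == "ours":
        return n * (HASH_CYCLES + XOR_CYCLES)      # N hashes and N XORs
    return AES_ENC_CYCLES + (n - 1) * AES_DEC_CYCLES


def energy_uj(scheme, n, l, tag_bits=16):
    """Assumed composition: CPU + TX + RX energy per node and period, in uJ."""
    nj = (cpu_cycles(scheme, n) * NJ_PER_CYCLE
          + tx_bits(scheme, l, tag_bits) / 8 * NJ_PER_BYTE_TX
          + rx_bits(scheme, n, l, tag_bits) / 8 * NJ_PER_BYTE_RX)
    return nj / 1000


def forgery_periods(tag_bits, link_bps, period_ms, packet_bytes):
    """Average sensing periods before a random tag guess is accepted,
    using the text's estimate of 2^(t-1) attempts on average."""
    packets_per_period = (link_bps * period_ms) // (8000 * packet_bytes)
    return 2 ** (tag_bits - 1) / packets_per_period


def tag_tradeoff(n, l, tags=(8, 16, 32)):
    """(tag length, energy in uJ, forgery periods) for the proposed scheme,
    with the 1 Mbps / 10 ms / 10-byte scenario of Section 5.2."""
    return [(t, energy_uj("ours", n, l, t),
             forgery_periods(t, 1_000_000, 10, 10)) for t in tags]


if __name__ == "__main__":
    for scheme in SCHEMES:
        print(f"{scheme:8s} N=30 l=64: {energy_uj(scheme, 30, 64):7.2f} uJ")
    for tag, energy, periods in tag_tradeoff(30, 64):
        print(f"tag={tag:2d} bits: {energy:6.2f} uJ, {periods:.3f} periods")
```

Under these assumptions the CCM case with 30 nodes and l = 64 comes to about 237 µJ, in line with the "almost 240 µJ" reported for Figure 9.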
Table 3: Current/energy consumption for RX/TX, tested on Texas Instruments CC2540 EM with $T_A$ = 25 °C, with no peripherals active and low MCU activity at 250 kHz.
Test conditions   Current    Energy/byte
RX standard       19.6 mA    58.8 nJ
RX high gain      22.1 mA    66.3 nJ
TX −23 dBm        21.1 mA    63.3 nJ
TX −6 dBm         23.8 mA    71.4 nJ
TX 0 dBm          27 mA      81 nJ
TX 4 dBm          31.6 mA    94.8 nJ
[Figure 8: Added CPU cycles for a secure exchange of sensing data. Plot of CPU cycles (0 to 300000) versus number of nodes ($N$) from 5 to 30; curves: AES (l = 16, 32, 64) and Ours (l = 16, 32, 64).]
Indeed, this mechanism introduces some overhead due to spectrum sensing and sharing of channel information and, as we pointed out above, the overhead increases linearly with the number of nodes in the network. The synchronization protocol adds some overhead too, but the increase will strongly depend on the chosen protocol. In [29], some protocols with high energy efficiency are referenced, which could be used in our proposal.
Despite this, we claim that it is definitely worth introducing this overhead to increase the availability of the network and make it robust to potential interference and DoS attacks. Under these undesired situations, the current channel used by the CBSN may become unavailable, but the proposed method allows the nodes to securely agree on a new channel of operation and rapidly resume their transmissions. It must be remarked that securing channel availability information may prevent, or at least diminish, the effect of further DoS attacks when switching to a new channel.
We do not quantify the benefits of applying our method in terms of attack mitigation because it strongly depends on the capabilities of the attacker (time required for sensing each channel, number of channels that it can sense, etc.). As future work, it would be interesting to estimate the improvement achieved by our approach in terms of throughput of the CBSN connections and the tradeoff between benefits and overhead.
[Figure 9: Added energy costs for a TI's MSP430F1611 with a TI's CC2540 microcontroller. Plot of energy cost (µJ, 0 to 250) versus number of nodes ($N$) from 5 to 30; curves: CBC-MAC (l = 16, 32, 64), CTR (l = 16, 32, 64), CCM (l = 16, 32, 64), and Ours (l = 16, 32, 64).]
7. Conclusions
Body sensor networks (BSNs) emerge as an optimal solution for ensuring constant and remote monitoring of the health status of patients. Recent advances in technology have made it possible to deploy a network of tiny sensors over the human body, and even in the body, which can measure vital signs such as temperature, heart rate, or the level of glucose and report these data to medical personnel.
Guaranteeing the availability of such communications is a must, since connectivity losses during emergency situations may prevent a patient from immediately receiving medical assistance and may end up in catastrophic results.
A new network paradigm known as cognitive body sensor networks (CBSNs) could mitigate this threat by allowing body sensors to operate in a wide range of frequencies and adapt their transmission parameters according to highly dynamic environment conditions. However, this would come at the expense of implementing cooperative spectrum sensing mechanisms that allow sensors to exchange information about channel quality and availability. As a consequence, CBSNs might become vulnerable to specific attacks that are targeted at these mechanisms.
In this paper, we presented a novel and simple method to secure the sensing process in a CBSN and improve its availability. The method relies on cryptographic primitives that require a minimum amount of memory and low energy consumption, thus being more suited for devices with limited resources than traditional approaches. It offers authentication and encryption of control data shared by the sensors in the CBSN to agree on a given channel.
Our proposal was analyzed in terms of security, and we showed that, although it does not provide the same level of security as AES-based encryption and authentication, it is still sufficient for low packet rate networks such as CBSNs. The provided results also showed that our method outperforms existing approaches in terms of transmission/reception overhead and number of CPU cycles needed, particularly as the number of sensor nodes increases. For typical microcontrollers such as CC2540 and MSP430, the improvement in energy consumption clearly justifies the use of the proposed method over AES-based mechanisms in constrained networks such as CBSNs, in which maximizing the network life is extremely important.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgment
This work has been partially supported by the Spanish government under grant TEC2011-22746 "TAMESIS" and by the Ministry of Economy and Competitiveness through the projects CO-PRIVACY (TIN2011-27076-C03-02) and SMARTGLACIS (TIN2014-57364-C2-2-R).
References
[1] B. Latre, B. Braem, I. Moerman, C. Blondia, and P. Demeester, "A survey on wireless body area networks," Wireless Networks, vol. 17, no. 1, pp. 1–18, 2011.
[2] S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, "Wireless body area networks: a survey," IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014.
[3] 802.15.6-2012 - IEEE Standard for Local and metropolitan area networks - Part 15.6: Wireless Body Area Networks, 2012, http://standards.ieee.org/getieee802/download/802.15.6-2012.pdf.
[4] Bluetooth Low Energy (LE), June 2014, http://www.bluetooth.com/Pages/low-energy-tech-info.aspx.
[5] The ANT+ Alliance, 2014, http://www.thisisant.com.
[6] Wi-Fi Alliance, June 2014, http://www.wi-fi.org.
[7] Zigbee Alliance, June 2014, http://www.zigbee.org.
[8] M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, "SoK: security and privacy in implantable medical devices and body area networks," in Proceedings of the 35th IEEE Symposium on Security and Privacy (SP '14), pp. 524–539, San Jose, Calif, USA, May 2014.
[9] I. F. Akyildiz, W.-Y. Lee, M. C. Vuran, and S. Mohanty, "NeXt generation/dynamic spectrum access/cognitive radio wireless networks: a survey," Computer Networks, vol. 50, no. 13, pp. 2127–2159, 2006.
[10] B. Wang and K. J. R. Liu, "Advances in cognitive radio networks: a survey," IEEE Journal of Selected Topics in Signal Processing, vol. 5, no. 1, pp. 5–23, 2011.
[11] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in unknown dynamic environment: a game-theoretic stochastic learning solution," IEEE Transactions on Wireless Communications, vol. 11, no. 4, pp. 1380–1391, 2012.
[12] D. Cavalcanti, S. Das, J. Wang, and K. Challapali, "Cognitive radio based wireless sensor networks," in Proceedings of the 17th International Conference on Computer Communications and Networks (ICCCN '08), pp. 1–6, August 2008.
[13] O. Leon, J. Hernandez-Serrano, and M. Soriano, "Securing cognitive radio networks," International Journal of Communication Systems, vol. 23, no. 5, pp. 633–652, 2010.
[14] M. Rostami, A. Juels, and F. Koushanfar, "Heart-to-Heart (H2H): authentication for implanted medical devices," in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 1099–1111, ACM, Berlin, Germany, November 2013.
[15] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun, "Proximity-based access control for implantable medical devices," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 410–419, Chicago, Ill, USA, November 2009.
[16] L. Shi, M. Li, S. Yu, and J. Yuan, "BANA: body area network authentication exploiting channel characteristics," IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1803–1816, 2013.
[17] C. C. Tan, S. Zhong, H. Wang, and Q. Li, "Body sensor network security: an identity-based cryptography approach," in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 148–153, April 2008.
[18] O. Garcia-Morchon, T. Falck, T. Heer, and K. Wehrle, "Security for pervasive medical sensor networks," in Proceedings of the 6th Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous '09), pp. 1–10, Toronto, Canada, July 2009.
[19] G. Selimis, L. Huang, F. Masse et al., "A lightweight security scheme for wireless body area networks: design, energy evaluation and proposed microprocessor design," Journal of Medical Systems, vol. 35, no. 5, pp. 1289–1298, 2011.
[20] Y. Yan and T. Shu, "Energy-efficient In-network encryption/decryption for wireless body area sensor networks," in Proceedings of the IEEE Global Communications Conference (GLOBECOM '14), pp. 2442–2447, IEEE, Austin, Tex, USA, December 2014.
[21] Y. Xu, A. Anpalagan, Q. Wu, L. Shen, Z. Gao, and J. Wang, "Decision-theoretic distributed channel selection for opportunistic spectrum access: strategies, challenges and solutions," IEEE Communications Surveys and Tutorials, vol. 15, no. 4, pp. 1689–1713, 2013.
[22] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in cognitive radio networks: global optimization using local interaction games," IEEE Journal on Selected Topics in Signal Processing, vol. 6, no. 2, pp. 180–194, 2012.
[23] R. Chavez-Santiago, K. E. Nolan, O. Holland et al., "Cognitive radio for medical body area networks using ultra wideband," IEEE Wireless Communications, vol. 19, no. 4, pp. 74–81, 2012.
[24] A. R. Syed and K.-L. A. Yau, "On cognitive radio-based wireless body area networks for medical applications," in Proceedings of the 1st IEEE Symposium on Computational Intelligence in Healthcare and e-Health (CICARE '13), pp. 51–57, Singapore, April 2013.
[25] R. Chen, J.-M. Park, and K. Bian, "Robust distributed spectrum sensing in cognitive radio networks," in Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM '08), pp. 1876–1884, IEEE, Phoenix, Ariz, USA, April 2008.
[26] H. Rifa-Pous, M. J. Blasco, and C. Garrigues, "Review of robust cooperative spectrum sensing techniques for cognitive radio networks," Wireless Personal Communications, vol. 67, no. 2, pp. 175–198, 2012.
[27] B. Braem, B. Latre, C. Blondia, I. Moerman, and P. Demeester, "Analyzing and improving reliability in multi-hop body sensor networks," International Journal on Advances in Internet Technology, vol. 2, no. 1, pp. 152–161, 2009.
[28] I. F. Akyildiz, B. F. Lo, and R. Balakrishnan, "Cooperative spectrum sensing in cognitive radio networks: a survey," Physical Communication, vol. 4, no. 1, pp. 40–62, 2011.
[29] B. Sundararaman, U. Buy, and A. D. Kshemkalyani, "Clock synchronization for wireless sensor networks: a survey," Ad Hoc Networks, vol. 3, no. 3, pp. 281–323, 2005.
[30] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems - CHES 2008: 10th International Workshop, Washington, DC, USA, August 10–13, 2008. Proceedings, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[31] C. Cordeiro, K. Challapali, D. Birru, and N. Sai Shankar, "IEEE 802.22: the first worldwide wireless standard based on cognitive radios," in Proceedings of the 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN '05), pp. 328–337, Baltimore, Md, USA, November 2005.
[32] S. Ullah, H. Higgins, B. Braem et al., "A comprehensive survey of wireless body area networks: on PHY, MAC, and network layers solutions," Journal of Medical Systems, vol. 36, no. 3, pp. 1065–1094, 2012.
[33] N. Sastry and D. Wagner, "Security considerations for IEEE 802.15.4 networks," in Proceedings of the ACM Workshop on Wireless Security (WiSe '04), pp. 32–42, Philadelphia, Pa, USA, October 2004.
[34] M. Pajic, Z. Jiang, I. Lee, O. Sokolsky, and R. Mangharam, "From verification to implementation: a model translation tool and a pacemaker case study," in Proceedings of the 18th IEEE Real Time and Embedded Technology and Applications Symposium (RTAS '12), pp. 173–184, Beijing, China, April 2012.
[35] CC2540 2.4-GHz Bluetooth low energy System-on-Chip, 2013, http://www.ti.com/lit/ds/symlink/cc2540.pdf.
[36] U. Kretzschmar, "AES128 - a C implementation for encryption and decryption: MSP430 systems, ECCN 5E002 TSPA - technology/software publicly," Application Report SLAA397A, Texas Instruments, Dallas, Tex, USA, 2009, http://www.ti.com.cn/cn/lit/an/slaa397a/slaa397a.pdf.
[37] El Barquero Aqueronte, MSP430: Cycles and Instructions, edited by Aqueronte, 2011, http://unbarquero.blogspot.com.es/2011/05/msp430-cycles-and-instructions.html.
[38] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems - CHES 2008, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[39] S. Kamath and J. Lindh, "Measuring bluetooth low energy power consumption," Application Note AN092, Texas Instruments, Dallas, Tex, USA, 2012, Version SWRA347a, http://www.ti.com/lit/an/swra347a/swra347a.pdf.
[Figure 1: BSN model. Diagram labels: sensor, BSN, gateway, WiFi/Bluetooth, 3G/4G, Internet, medical center.]
Confidentiality. Data regarding patients' state should be only accessible to authorized entities. In this context, this implies that only the BSN's nodes should be able to interpret the sensed data.
Authentication. The BSN's nodes should be able to verify the source of any received data.
Integrity. Data should not be modified by an unauthorized entity, or at least BSN's nodes should be able to detect that data has been altered.
Availability. Data and device information should be accessible upon request by authorized entities. The human body is a highly dynamic physical environment where wireless channel properties constantly change. Besides, these communications can be severely affected by interferences caused by electronic devices in the proximity of the BSN.
The first three security goals can be easily achieved by means of classical cryptographic tools in conventional networks. However, the limited capabilities of body sensors may prevent applying them to BSNs. Besides, traditional cryptographic tools cannot prevent disruption of the network services due to interferences, no matter whether they are intentional (for example, a Denial of Service (DoS) attack) or not. Given the relevance of the data sent by body sensors, there is clearly a need for mechanisms to maximize the availability of such networks.
The integration of CR technology [9–11] into BSNs, leading to the concept of cognitive body sensor networks (CBSNs) [12], can significantly improve availability by allowing the nodes to select the best channel at any moment and avoid the harmful effect of interferences. CRs exchange sensed data about channel availability and jointly agree to switch to a new channel when the channel in use becomes unavailable.
Note that if an attacker manages to eavesdrop channelavailability data it can take advantage of it to perform a newattack on the new channel of operation thus preventing thenetwork from using an available channel and leading thenetwork to a DoS [13] Channel switching if unpredictablerendersDoS attacksmore difficult since the attackermust jamevery possible transmission channel Traditional encryptionand authentication of exchanged data may help to hide chan-nel switching decisions from external attackers but entail anadditional cost that cannot be assumedby heavily constraineddevices such as IMDs
In this paper we present a protocol to protect the processof channel selection in CR-based BSNs The main goal isto maximize the availability of the network thus ensuringthat patientsrsquo data such as blood pressure heart rate andtemperature will successfully be delivered to a gateway(nonstop monitoring of patients) The protocol makes use oflightweight encryption and authentication primitives specif-ically suited for constrained devices such as body sensors
The main contributions of this paper can be summarizedas follows
(i) We apply CR technology into BSNs in order to maximize the availability of services in such networks. Because CRs are able to sense the medium and select the best transmission channel at any moment, the effect of interferences or DoS attacks can be mitigated. In a conventional network, such phenomena would interrupt communications within the BSNs. In a CBSN, the nodes can switch to a new channel whenever the channel in use becomes unavailable.
(ii) We propose a method suited to constrained devices, such as body sensors, to secure the exchange of channel availability information and prevent an attacker from eavesdropping such data, thus diminishing the probability of a successful DoS attack.
(iii) We provide a security analysis of the proposed method and derive the time period during which the cryptographic material remains secure.
(iv) The proposed method is compared to other approaches based on traditional cryptographic primitives in terms of energy consumption and CPU usage.
The rest of this document is structured as follows. In Section 2, we review the state of the art on security in BSNs. Section 3 describes the BSN model considered in this work and its potential threats. A lightweight method to secure the process of channel selection in a BSN is presented in Section 4. Sections 5 and 6 present a security analysis of the proposed method and a comparison with existing approaches in terms of resources consumption. Finally, in Section 7, we provide the conclusions of this work.
2 Related Work
To date, research on security in BSNs has mainly focused on protecting data stored at the network nodes from unauthorized access and providing authentication and confidentiality to the communications among the BSN devices. In the following, we provide an overview of the proposals that can be found in the literature.
Many proposed authentication methods are based on biometrics, that is, relying on measurements of physiological values (PVs) [14], such as heart rate, blood pressure, or temperature, in order to establish trust and generate key material. The main idea is ensuring access to sensors only to those devices in physical contact with the patient. The advantage of these methods is that the key source is hard for an attacker to predict without physical access to the patient and also ensures forward-security because PVs change over time. The main challenge, however, is how to achieve successful authentication among authorized devices when the PV measured by each one is not exactly the same, either due to measurement errors or due to the fact that different devices measure a given PV at different time instants.
Authentication by means of distance-bounding protocols was proposed in several works [15, 16]. This technique provides a very weak mutual authentication between two devices based on measuring the transmission time between them. The rationale behind these protocols is that a legitimate device must be closer than a given distance. As a consequence, they are vulnerable to injection attacks as long as the attacker is close enough to the patient bearing the sensors, for example, by means of a hug.
In [17], the authors presented a protocol based on identity-based encryption (IBE). IBE systems are public key cryptosystems that allow any device to generate a public key from a known identity value, such as the sensor ID, and require the existence of a trusted third party, called the private key generator (PKG), to generate the corresponding private key. To reduce the burden of key generation and encryption/decryption introduced by traditional public key cryptography, the authors proposed to use elliptic curve cryptography (ECC), which provides public key primitives suitable for constrained devices such as sensors in BSNs. Despite this, it is still more expensive in terms of resource consumption than approaches based on symmetric cryptography.
In order to preserve user's privacy, a number of works proposed the use of symmetric encryption based on the AES (Advanced Encryption Standard) algorithm [18–20]. Many, such as the one in [19], proposed to use AES with CCM mode of operation, that is to say, AES counter (CTR) mode for data encryption and AES cipher-block-chaining message authentication code (CBC-MAC) for message authentication. The main advantage of this mode is that the same key can be used for authentication and for encryption without compromising security, and there is no need for rekeying as long as the number of devices is fixed. As a drawback, the added cost of encryption/decryption, and especially the costs due to the transmission overheads, cannot be neglected in BSNs, where every step forward in resources' saving is of paramount importance. In this line, the authors in [20] presented an in-network mechanism that mimics the AES algorithm and greatly reduces the costs of decryption, while they claim achieving the same level of security.
All the above-mentioned proposals approach the problem of protecting patient's data from unauthorized access, modification, or forgery but cannot effectively deal with DoS attacks. Such a protection can be achieved by making use of CR devices that collaboratively switch to another frequency band [11, 21, 22] if the signal-to-noise ratio of the current one is below the required value. Furthermore, it is also necessary to protect the exchanged sensing data in order to prevent an attacker from eavesdropping data and getting the next channel to be used in the network. Note that this information may allow an attacker to rapidly perform a DoS attack in the new channel.
In this work, we present a lightweight and secure method that makes use of CR technology for improving the availability of the system, that is, ensuring that the communication between the body sensor nodes will be available even under the presence of unintentional or intentional interferences. The application of CR technology into body sensor networks was already proposed in previous works [23, 24]. However, to the best of our knowledge, none of them addressed security topics.
In [25, 26], several methods for securing spectrum sensing mechanisms were discussed, but they are not suited for heavily constrained devices such as body sensors.
In [27], the authors aimed to improve the availability of a BSN by means of a cross-layer multihop protocol that dealt with routing of data. This scheme, however, can be applied only to multihop BSNs where the path between two given nodes is established according to the connectivity among the nodes. In this approach, nodes make use of several paths but one single channel and thus are more vulnerable to attacks such as jamming than CR-based networks.
3 Network Model and Threats
In this work, we have considered a BSN composed of a set of sensor nodes where all of them can act as sinks, collecting/storing data from other sensors and potentially transmitting these data to an external gateway if required (see Figure 2). Although this approach introduces some overhead due to the fact that data must be shared among all sensors, it improves network availability and robustness against data loss and fairly distributes energy consumption among all sensors. Also, it makes the process of gathering by the gateway easy, which can connect to any of the BSN nodes to get all the information.
Figure 2: Communication between sensors and the gateway (diagram labels: Sensor, Sink, Gateway).
As previously mentioned, we also assume that sensors have cognitive capabilities, that is, they form a CBSN and are able to identify free spectrum bands and adapt their transmission parameters accordingly. Spectrum sensing can be performed by each node on an individual basis or cooperatively. As the latter increases the probability of detection due to space diversity [28], we have adopted such an approach in this work.
In cooperative spectrum sensing, each sensor senses the medium and exchanges its observations with the other members of the network in order to agree on a given channel for data transmission/reception. However, these control data are exposed to many attacks [13], such as packet injection, eavesdropping, or Denial of Service (DoS). Next, we describe the attacker model and the specific attacks that can be executed against CBSNs.
3.1 Attacker Model. In this work, we focus on outsiders, that is, external attackers that do not share any cryptographic content with the gateway or the victim's sensor nodes. If the attacker nodes are part of the CBSN, they will have access to the keying material and therefore will be able to successfully eavesdrop and inject data. In any case, the design of a mechanism to counteract this threat is out of the scope of this work.
In the context of CBSNs, we can classify adversaries according to the following criteria:
(i) Active or passive: a passive attacker can only eavesdrop data, thus being able to access patient's data and violating his/her privacy. In its turn, an active attacker aims at injecting or modifying data in order to send fake reports on the state of the patient.
(ii) Type of attack, which includes the following:
(a) eavesdropping: unauthorized access to stored data or to transmitted data among the CBSN devices, thus violating the privacy of the patient;
(b) modification/injection: an attacker may alter the content of a packet transmitted by a sensor or impersonate a sensor by forging a packet; these attacks can be executed due to lack of authentication and violate the integrity of the CBSN communications;
(c) packet replay: an attacker may capture a packet that was previously sent by a sensor of the network. Regardless of whether the CBSN is using authentication mechanisms or not, the packet will be accepted by the network if antireplay mechanisms are not provided;
(d) jamming: the adversary disrupts the CBSN communications by generating interfering signals.
(iii) Intentional or unintentional: the adversary can be an external entity willing to cause damage to the communications among sensors and the gateway, or it can be an entity that unintentionally is causing interferences to those communications. As an example, the patient of interest could be near another patient with wearable sensors, which could inject fake reports if data is not properly authenticated. Examples of unintentional attacks could take place in a situation where two patients bearing body sensors are hugging and unconsciously exchange data. Or the patient could be near a relative who is visiting him/her at the hospital and carries any electronic device that causes interferences to the CBSN.
It is important to remark that, in a CBSN where sensor nodes establish communications using different channels over time, these attacks can be extended to the control data exchange among the devices of the CBSN. As an example, an attacker may forge a report regarding the availability of the channels, thus leading the CBSN to select a channel that is suffering from high interferences or that is currently being used by another service. Note that this attack can lead to a DoS and the failure of the system in monitoring the patient's status. In its turn, eavesdropping of the control channel allows an attacker to have knowledge of the channels to be used by the CBSN. The attacker could take advantage of this situation in order to easily disrupt the communications in the network by performing a new DoS attack every time the CBSN switches to a new channel.
The implementation of security mechanisms in a CBSN [12] to counteract these attacks is specially challenging due to the limited capabilities of CBSN's nodes. In the following section, we describe a simple method to secure the process of channel selection in CBSNs. The proposed mechanism is suited for networks with extremely constrained-resources devices, since it makes use of lightweight cryptographic functions and minimizes the added transmission/reception overhead.
4 Securing Sensing Data and Channel Selection in CBSNs
In the following, we present a mechanism for securing the exchange of sensing data and the channel selection process in CBSNs. Section 4.1 outlines the assumptions considered in this work regarding the network model, and in Section 4.2 we describe the protocol operation. For ease of understanding, we present the terminology used along this section as follows:
$\mathrm{CTR}_M$: medium-term session counter ($m$ bits)
$\mathrm{CTR}_S$: short-term session counter ($m$ bits)
$D^u_i$: data sensed by node $u$ during period $i$ ($l$ bits)
$\mathrm{ID}^u$: link-layer identifier of node $u$ ($m$ bits)
$K^u_i$: keystream to encrypt and authenticate data for node $u$ during period $i$ ($r$ bits)
KM: keying master
$l$: length of the data sensed by a given node during a given period
$m$: length of the hash output and all the secrets
$N$: number of nodes in the network
$p$: number of keystreams $K^u_i$ obtained from a $S^u$ ($p = m/r$), defining the number of sensing periods before updating $S^u$
$r$: length of the keystreams $K^u_i$, which must be a divisor of $m$
$S_L$: long-term globally shared secret ($m$ bits)
$S_M$: medium-term globally shared secret ($m$ bits)
$S_{s_i}$: long-term secret shared between the KM and node $i$; it is used to update $S_L$ in case it is compromised
$S^u$: short-term shared secret with node $u$
4.1 Assumptions. Although the proposed protocol is designed to be implemented in heavily constrained devices, we work under the assumption that such devices have at least the following capabilities:
(i) Compute a hash function with an output length of $m$ bits.
(ii) Temporally store in its random access memory at least $m \cdot (N + 3)$ bits, with $N$ the number of nodes in the network. As we detail later in Section 4.2, each node must keep a short-term shared secret for each of the $N$ nodes in the network (including itself) and three more long-term and medium-term secrets, each one with length of $m$ bits.
(iii) Sensor nodes use a synchronization protocol that will be used to share a global short-term session counter and a medium-term session counter among all nodes (see Section 4.2). Given the low transmission rate of sensor networks, existing synchronization schemes [29] provide enough precision for this purpose. We assume that the chosen protocol provides recovery methods upon loss of synchronization. How synchronization is achieved will strongly depend on the chosen protocol, but if the latter requires a master node for providing synchronization, the gateway of the BSN could play this role.
To the best of our knowledge, the former requirement can be assumed even in very constrained devices. As shown in [30], there are several lightweight hash functions that can be integrated into a sensor mote. The latter may not be harder to achieve. As detailed in Section 4.2, during every sensing period each node stores one secret per member of the network, a globally shared secret, and two counters, all of them with the same length $m$ as the hash output. If we consider a typical hash function with an output of 128 or 256 bits and a network with tens to hundreds of sensors, the RAM requirements for sensor nodes are just bounded to a few tens of kilobytes.
4.2 Protocol Operation. Before deploying the CBSN, every sensor node must be preloaded by a keying master (KM) with the following data:
(1) The set of channels that the sensor will have to sense in the cooperative sensing process.
(2) A long-term and globally shared secret $S_L$ of $m$ bits (the hash output length).
(3) A long-term secret $S_{s_i}$ shared between the KM and node $i$ that will be used to update the globally shared secret $S_L$ in case it is compromised.
The KM is an external device which is not a member of the BSN. Typically, this role is played by the device responsible for gathering data from the sensors or gateway (e.g., a smart phone or a tablet).
Upon deployment of the network, every node derives a medium-term globally shared secret $S_M$ by hashing the XOR of the long-term secret $S_L$ and a counter. The generation process of $S_M$ is clearly depicted in Figure 3. This process is periodically repeated with an updated value of the medium-term counter in order to protect the secret against a potential attacker. Details about how often this process should be carried out and the attacker capabilities are provided in Section 5.
As shown in Figure 4, each node generates a set of random sequences of $m$ bits, one for the node itself and one for each other node in the network. These random sequences $S^u$, with $u$ the node identifier, are obtained by hashing the XOR of the link-layer identifier of the node $\mathrm{ID}^u$, the medium-term shared secret $S_M$, and a short-term session counter $\mathrm{CTR}_S$.
Therefore, our proposal makes use of three types of shared secrets:
(i) A short-term per-node shared secret $S^u$ (one per each node in the network) used for encryption, decryption, and authentication of data.
(ii) A medium-term globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.
(iii) A long-term globally shared secret that is used to derive a new $S_M$ when the current one is about to expire.
Figure 3: Generation of the medium-term globally shared secret $S_M$ (diagram labels: long-term shared secret $S_L$, medium-term session counter $\mathrm{CTR}_M$, Hash, medium-term shared secret $S_M$; each value is $m$ bits).
Figure 4: Generation of the short-term shared secret $S^u$ for node $u$ (diagram labels: identifier of node $u$ $\mathrm{ID}^u$, medium-term shared secret $S_M$, short-term session counter $\mathrm{CTR}_S$, Hash, short-term shared secret with node $u$ $S^u$; each value is $m$ bits).
As clearly denoted in Figure 5, each sequence $S^u$ is divided into $p$ fragments of $r$ bits, which will be denoted as $K^u_i$, each one being used as keystream to encrypt and authenticate data for node $u$ in period $i$. As per this behavior, a new short-term shared secret must be derived every $p$ sensing periods.
When a node performs spectrum sensing, it generates a binary sequence $D^u_i$ of $l$ bits that stores the availability of the different channels. The length of such sequence $l$ will depend on the number of bits used to code the state of each channel and the number of channels. As an example, the simplest way would be to use just a single bit for coding each channel, with value "0" if the channel is occupied and "1" otherwise. If more precise information about the quality of channels is needed (i.e., high, medium, low, and very low quality), more bits can be used to code the channel state.
During a sensing period $i$, each node must send to its neighbors its own sensing information, but it must also process the information received from its neighbors to reach a joint decision.
In order to send its own sensing information, node $u$ will make use of the corresponding keystream $K^u_i$: the first $l$ bits of the keystream will be used to encrypt channel information $D^u_i$ by means of a XOR addition; the remaining $r - l$ bits are left unchanged and will be used to provide message authentication, as illustrated in Figure 5. The resulting sequence $C^u_i$ will be sent to all the other nodes.
To verify the authenticity and decrypt the content of the packets that have been sent by a given neighbor $u$, a node will XOR the sequence $C^u_i$ of the received packet with the keystream $K^u_i$, as depicted in Figure 6. If the last $r - l$ bits of the resulting sequence are not all 0s, the authentication fails and the entire packet is discarded. Otherwise, channel information can be recovered from the first $l$ bits resulting from the XOR addition.
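The key derivation, sealing and verification steps described above, as an added Python example that is not the authors' code. Assumptions: SHA-256 truncated to m = 128 bits stands in for the lightweight hash, the short-term counter advances by one every p periods, one bit codes each of 16 channels (l = 16, r = 32, p = 4), and all function names, secrets, identifiers and reports are constructed for illustration.

```python
import hashlib

M_BITS = 128     # m: length of the hash output and of every secret
AUTH_BITS = 16   # r - l: authentication field length used in Section 5.2


def h(value):
    """Stand-in hash (assumption): SHA-256 truncated to m bits."""
    digest = hashlib.sha256(value.to_bytes(M_BITS // 8, "big")).digest()
    return int.from_bytes(digest[:M_BITS // 8], "big")


def derive_s_m(s_l, ctr_m):
    """Medium-term secret S_M = H(S_L xor CTR_M), as in Figure 3."""
    return h(s_l ^ ctr_m)


def derive_s_u(node_id, s_m, ctr_s):
    """Short-term secret S^u = H(ID^u xor S_M xor CTR_S), as in Figure 4."""
    return h(node_id ^ s_m ^ ctr_s)


def split_keystreams(s_u, r):
    """Cut S^u into p = m/r keystreams of r bits, most significant fragment first."""
    if r <= 0 or M_BITS % r:
        raise ValueError("r must be a divisor of m")
    mask = (1 << r) - 1
    return [(s_u >> (M_BITS - (i + 1) * r)) & mask for i in range(M_BITS // r)]


def keystream_for(s_m, node_id, period, r):
    """K^u_i for a 0-based sensing period. Assumption: CTR_S increases by one
    every p periods, so no r-bit fragment of any S^u is used twice."""
    ctr_s, i = divmod(period, M_BITS // r)
    return split_keystreams(derive_s_u(node_id, s_m, ctr_s), r)[i]


def seal(report, keystream, l):
    """C = (D xor first l keystream bits) || last r-l keystream bits, unchanged."""
    if report >> l:
        raise ValueError("report does not fit in l bits")
    return keystream ^ (report << AUTH_BITS)


def open_report(cryptogram, keystream):
    """XOR with the keystream; accept only if the last r-l bits are all zero."""
    plain = cryptogram ^ keystream
    if plain & ((1 << AUTH_BITS) - 1):
        return None                      # authentication failed: discard packet
    return plain >> AUTH_BITS


def encode_report(free_channels, l):
    """One bit per channel, 1 = free; channel 0 is the leftmost bit."""
    report = 0
    for ch in free_channels:
        report |= 1 << (l - 1 - ch)
    return report


def count_votes(reports, l):
    """Number of nodes reporting each channel as free."""
    return [sum((d >> (l - 1 - ch)) & 1 for d in reports) for ch in range(l)]


def run_period(period=5):
    """One sensing period with three constructed nodes and one invalid packet."""
    l = 16
    r = l + AUTH_BITS                                  # 32 bits, so p = 4
    s_l = int.from_bytes(b"constructed-S_L!", "big")   # constructed 128-bit secret
    s_m = derive_s_m(s_l, ctr_m=1)
    sensed = {1: [0, 2, 15], 2: [2, 15], 3: [2, 7]}    # constructed sensing results
    packets = [(u, seal(encode_report(free, l), keystream_for(s_m, u, period, r), l))
               for u, free in sensed.items()]
    # Constructed packet with a wrong authentication field (one bit flipped).
    packets.append((2, packets[1][1] ^ 1))
    accepted = []
    for u, c in packets:
        d = open_report(c, keystream_for(s_m, u, period, r))
        if d is not None:
            accepted.append(d)
    return count_votes(accepted, l)


if __name__ == "__main__":
    print(run_period())
```

The vote counts are what the channel selection step works from; the tie-break rule is left out because this section does not specify it.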
The above described process is applied for each neighboring node $u$. Then the channel reported by a larger number of neighbors will be selected for the operation of the network. Note that, because more than one channel may be reported by the same amount of nodes, a tie-break mechanism is needed to guarantee that the process leads to equal results in all nodes. One simple approach that could be used is to select the channel with the highest identifier. However, this would lead to a lower usage of channels with lower identifiers and therefore to providing the attacker with valuable information about channel usage in the CBSN. As a consequence, we propose to use a tie-break method that relies on the format of $D^u_i$.
Recall that a fundamental characteristic of this protocol is that there is no central entity that is known and trusted by all sensors. This makes the protocol suitable for unattended scenarios, and it also makes it more efficient in terms of data transmitted through the network, because no information is sent regarding which channels have to be sensed or which channel is finally selected. Instead, sensors are deployed with all the information needed to perform the sensing in a distributed way and make a joint decision autonomously. Thus, there is no need for additional mechanisms to be used when a new node joins the network. In this case, the new node needs to synchronize with the rest of the members to get the proper value of the session counters by making use of the corresponding protocol. However, when a node is expelled from the network because it has been compromised, new cryptographic material must be generated and distributed among the remaining nodes. The KM is responsible for triggering this process and communicates with each sensor node to update the shared long-term secret $S_L$. Note that, because the KM shares a different secret $S_{s_i}$ with each node $i$, it can securely distribute the new value of $S_L$. Upon reception of $S_L$, each node should perform again the initialization process described at the beginning of this section.
Figure 5: Encrypting and authenticating sensing data (diagram labels: short-term shared secret with node $u$ $S^u$, $m$ bits; keystreams 1 to $p$, $K^u_1, K^u_2, \ldots, K^u_p$, $r$ bits each; sensing data $D^u_1, \ldots, D^u_p$ for sensing periods 1 to $p$, $l$ bits each; cryptograms $C^u_1, \ldots, C^u_p$, each made of encrypted sensing data, $l$ bits, and authentication data, $r - l$ bits).
Figure 6: Decrypting sensing data (diagram labels: short-term shared secret with node $u$ $S^u$, $m$ bits; keystreams $K^u_1, K^u_2, \ldots, K^u_p$, $r$ bits each; cryptogram $C^u_1$ for sensing period 1, $r$ bits; check of the last $r - l$ bits against 0s; accept sensing data or reject sensing data; recovered sensing data $D^u_1$, $l$ bits).
5 Security Analysis
The security of the proposed method relies on the shared secrets used to derive the keys and perform encryption and authentication of channel availability data. As long as these secrets are not compromised, data confidentiality can be ensured, that is, an attacker might not be able to get the list of channels to be used in the CBSN. Besides, the method must prevent an attacker from injecting fake data into the system. These issues are discussed as follows. In Section 5.1, we analyze how often the shared secrets should be updated in order to guarantee a proper protection against cryptanalysis; next, in Section 5.2, we evaluate the packet authentication method used in our proposal in terms of probability of bypassing the authentication check.
5.1 Shared Secrets Lifetime. As previously mentioned in Section 3.1, for this analysis we are assuming that attacks come from external entities, and therefore attackers are not able to obtain the cryptographic material that is stored in the body sensors. In the context of this proposal, the lifetime of each of the shared secrets is the interval in which these secrets are considered computationally safe against cryptanalysis, that is, their cryptoperiod.
The cryptoperiod directly depends on the chosen cryptographic protocols, the length of the secrets themselves, and the amount of times they are used. The more a given secret is used, the shorter its cryptoperiod is, as an attacker gets more information about this secret and therefore the probability of a successful cryptanalysis increases. In fact, cryptoperiod is defined more in terms of the number of times a given secret or key is reused (the amount of ciphertext exposed to an attacker for a given secret/key) than as a given time period, which strongly depends on the transmission rate of the sensor nodes.
Recall the three types of shared secrets used in the proposed method:
(i) Short-term per-node shared secrets: one secret $S^u$ per source node that is used to lightweight encrypt, decrypt, and authenticate the channels' sensed data.
(ii) Medium-term globally shared secrets: globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.
(iii) Long-term globally shared secret: this being the initially preloaded secret $S_L$ that is used to derive a new medium-term globally shared secret $S_M$ when the current one is about to expire.
As clearly denoted in Figure 5, our approach operates in some manner as an additive stream cipher. It is well known that stream ciphers are considered to be secure as long as the key is never reused, and thus our cipher will be secure if a given value $S^u$ is not repeated. As a result, $S^u$ must be updated every $p = m/r$ sensing periods, with $p$ the renewal period, $m$ the length of the shared secret $S^u$, and $r$ the amount of transmitted bits (sensing data) in a sensing period that are encrypted with $S^u$.
Recall that in our proposal the per-node key used for encryption, $S^u$, is generated by means of a hash function. A second requirement is that this function must be cryptographically secure. Note that if the hash function does not accomplish it, an attacker might be able to reverse it, that is, to get the input of the hash function given an output, meaning that in our proposal an attacker would be able to recover the value of the medium-term globally shared secret $S_M$ (see Figure 4).
A cryptographically secure hash function with an output of $m$ bits can offer a security level of $2^m$ operations against preimage attacks and $2^{m/2}$ against collision attacks. Generally speaking, a minimum output of 128 bits is required in order to provide a high level of security for most applications, but shorter lengths are accepted if the number of generated messages in a given period is limited, as it is the case of low-rate networks. In Section 6, we propose several lightweight hash candidates with an output of 128 bits; that is to say, we can assume that it is computationally unfeasible for an attacker to invert the hash function and thus to predict the value of $S_M$ as long as it is updated before exceeding its cryptoperiod, which has an upper bound of $2^{m/2} = 2^{64}$ uses.
The long-term globally shared secret $S_L$ is only used to update the current medium-term globally shared secret $S_M$. Because $S_M$ is not updated very often, it is very unlikely that an attacker manages to obtain several values of $S_M$ to reverse the hash function and recover $S_L$. As a result, we can assume that the $S_L$ cryptoperiod is long enough and there is no need to update the secret during the nodes' lifetime.
5.2 Authentication. A cryptogram $C^u_i$ of sensing data contains an authentication field of 16 bits that is checked upon reception (see Figure 6). Consequently, an attacker has a chance of 1 in $2^{16}$ of guessing the next authentication field, which allows it to forge a valid authentication field and inject fake data. Note that this attack can lead the CBSN to wrong decisions about the availability of the spectrum.
If the attacker repeatedly attempts to send valid ciphertexts, it may succeed after $2^{15}$ attempts on average. Because the attacker does not know $S^u$, the authentication field appears to it as a random stream, and therefore it must select a fake authentication field at random. Besides, the attacker cannot determine whether a given ciphertext has been accepted or rejected, because the receiver does not acknowledge the reception of such packets to the emitter. Otherwise, the attacker could take advantage of this information in order to guess a valid authentication field in a faster way.
In conventional networks, $2^{15}$ packets may seem an extremely low number, but it may provide an adequate level of security in CBSNs. In these networks, the attacker can only send fake packets during the sensing periods, which are in the order of a few milliseconds in most cognitive scenarios [31]. Moreover, as previously stated in Section 1, transmission rates in BSNs are considerably low, with values usually ranging from tens to a few hundred of kilobits per second.
As an example, let us consider a 1 Mbps link, a sensing period of 10 ms, and a packet size of 10 bytes (which is clearly bigger than the typical packet size in sensor networks). Given these parameters, an attacker would only be able to send 125 packets at most in every sensing period. That is to say, the attacker would need an average of 262.144 sensing periods to send a fake packet and pass the authentication check.
6 Cost Evaluation and Comparison with Other Approaches
In this section, we evaluate the cost of our proposal in terms of energy consumption due to transmission overhead and computational cost and compare its performance with the most common approach adopted in sensor networks [32], which is providing authentication and/or encryption of the channel sensing data by means of using standard block ciphers. As is well known, block ciphers have as input the message to be encrypted or authenticated, which is divided into several blocks of fixed length, and a key. Both the block length and the key length depend on the algorithm being used. Regardless of the algorithm, block ciphers can be used in several modes of operation depending on the service to be provided, that is, encryption only, authentication only, or encryption/authentication. Generally, the following modes of operation are applied.
Authentication. CBC-MAC is a block cipher mode for generating message authentication codes. The message to be authenticated is divided into several blocks of equal size, and each block is encrypted so that the value of a given block depends on the encryption of the previous block. The final output of the cipher, that is, the message authentication code or CBC-MAC, is the result of encrypting the last block of the message. When the input of the cipher is shorter than the block size (as it is usually the case in sensor networks), the CBC-MAC can be obtained by directly encrypting a single block padded until the block size of the cipher is reached.
Encryption. CTR mode of operation turns a block cipher into a stream cipher, meaning that the resulting ciphertext has the same size as the input or plain text. Thus, it does not force the output length to be a multiple of the block size, as it is the case of other modes such as CBC-MAC. This property makes this mode of operation suitable for encryption in sensor networks, where devices usually exchange short-length messages.
Authentication + Encryption. CCM (CTR + CBC-MAC) is a common choice for providing both encryption (CTR) and authentication (CBC-MAC) [19]. A minor variation of CCM called CCM* is used in the ZigBee standard [7].
In this work, we assume that the Advanced Encryption Standard (AES) in CTR mode is used for encryption and AES CBC-MAC for authentication, as it is the current standard for symmetric cryptography even in sensor nodes [33]. Currently, there are efficient hardware implementations of AES that are highly affordable.
Regarding hardware platforms, the vast majority of previous works on BSNs have used the 16-bit Texas Instruments' (TI) MSP430 and CC2540 families of microcontrollers [34]. Built around a 16-bit CPU, ultra-low-power MSP430 microcontrollers are designed for low-cost and specifically low-power-consumption embedded applications. As an example, TI's CC2540 family [35] enables robust Bluetooth low energy (BLE) network nodes to be built with low total bill-of-material (BOM) costs. BLE operates in the same spectrum range (2.400 GHz–2.4835 GHz ISM band) as classic Bluetooth technology but uses a different set of channels: instead of 79 1 MHz channels, BLE offers 40 2 MHz channels, 3 for advertising purposes and 37 for data exchange.
6.1 Transmission/Reception Overhead. In this section, we analyze the overhead introduced by our proposal in terms of transmission/reception of channel availability data and compare it with the overhead exhibited when conventional approaches are used for data encryption/authentication, as explained above. We assume that all sensors are capable of sensing a given set of channels and reporting information about their state.
With our proposal, the minimum number of transmitted bits will depend on the number of channels that a given sensor is reporting, the number of bits used to code the state of each channel, and the length of the authentication code. As explained in Section 5.2, a length of 16 bits is enough to secure most applications in WSNs, and thus we have assumed this value for the authentication field. This leads to a total of $\mathrm{Bits}_{tx} = l + 16$ transmitted bits, where $l$ represents the total number of bits used to code all possible channels, and $\mathrm{Bits}_{rx} = (n - 1)\,\mathrm{Bits}_{tx}$ received bits, representing the number of bits received by a given sensor from its neighbors.
Aiming to provide a fair comparison, we choose the same key length for block ciphers and for our proposal, that is to say, a 128-bit key. The transmitted bits overhead added by AES CBC-MAC authentication is 128 bits (for a semantically secure implementation, an IV or nonce must also be shared between emitter and receiver, so the overhead can be higher). Regarding encryption, the number of transmitted bits is equal to the number of bits $l$ used to code the state of the channels, but it also requires the use of a nonce with a length equal to half of the key length, that is, 64 bits per message.
During every sensing period, every node must transmit a packet with sensing information but also must process the packets received from its neighbors. Table 1 and Figure 7, respectively, show the transmission and reception overhead due to the secure sharing of sensing information using both standard block ciphers and our proposal. The values are provided as a function of the number of bits $l$ used to code the state of the channels and the number of nodes $N$, ranging from 5 to 30. Given that the considered scenario is a body sensor network, this is more than a reasonable value, since a patient wearing more than 30 sensors may be an unlikely situation.
The reader may notice that the overhead introduced by this mechanism increases linearly with the number of nodes for both approaches. However, with the proposed method the transmission/reception overhead is considerably reduced with respect to the use of standard block ciphers, while still maintaining an acceptable level of security. In fact, the more nodes in the CBSN, the bigger the improvement introduced by the proposed method. As we will show later, the transmission/reception savings also lead to a huge saving in energy consumption.
6.2 Computational Cost. In this section, we provide a comparison of the CPU cost in cycles due to the implementation of the cryptographic functions.
If AES is used, the total cryptographic cost per node for securing the exchange of sensing data equals the cost of one encryption and $N - 1$ decryptions. Assuming the Texas Instruments' reference AES implementation for CC2540 microcontrollers [36], AES encryption needs 6600 cycles/block and AES decryption 8400 cycles/block.
With our proposal, the energy consumption has three components: the computation of the different sequences $S_i^u$ with the hash function before the sensing period begins, the XOR of the keystream $K_i^u$ with the sequence $D_i^u$ that signals the availability of channels, and the XOR of the sequences $C_i^u$ received from neighbors with the precomputed $S_i^u$. Therefore, a node must compute $N$ hashes and perform $N$ XORs to send channel information and process the reports received from its neighbors.

Table 1: Transmission overhead.

| Mode | $l$ (bits) | Overhead (bits) |
|---|---|---|
| Authentication only (CBC-MAC) | 16 | 128 |
| Authentication only (CBC-MAC) | 32 | 128 |
| Authentication only (CBC-MAC) | 64 | 128 |
| Encryption only (CTR) | 16 | 80 |
| Encryption only (CTR) | 32 | 96 |
| Encryption only (CTR) | 64 | 128 |
| Authentication and encryption (CCM) | 16 | 208 |
| Authentication and encryption (CCM) | 32 | 224 |
| Authentication and encryption (CCM) | 64 | 256 |
| Authentication and encryption (our proposal) | 16 | 32 |
| Authentication and encryption (our proposal) | 32 | 48 |
| Authentication and encryption (our proposal) | 64 | 80 |

Figure 7: Reception overhead for a varying number of nodes $N$ (x-axis: number of nodes $N$; y-axis: reception overhead in bytes; series: CBC-MAC for $l$ = 16, 32, 64, and CTR, CCM, and ours each for $l$ = 16, 32, and 64).
As per [37], an XOR operation with an MSP430 accounts for 4-5 cycles/byte. Assuming a 128-bit hash function and the worst case, every XOR in our proposal accounts for $5 \cdot 16 = 80$ cycles. As previously explained in Section 5.1, we suggest the use of a lightweight cryptographic hash function specifically suited for low-end devices, with an output of 128 bits. Table 2 depicts the number of CPU cycles per block needed [38] for two potential candidates. As clearly seen in the table, computing one of these hash functions requires only a few tens of cycles/block. In the following, for this analysis we will consider the (stripped) MAME hash function, as it is a pure hash function that does not rely on a symmetric cipher and requires more CPU cycles (worst case).

Table 2: Cycles per block for different cryptographic hash functions.

| Algorithm | Hash output size | Cycles/block |
|---|---|---|
| (Stripped) MAME | 128 | 96 |
| H-PRESENT-128 | 128 | 32 |
Taking into account the previous data, Figure 8 shows the CPU cycles consumed with both our proposal (with a MAME hash function) and standard AES-128 security. It can be clearly seen that our proposal scales much better with the number of nodes while still providing an appropriate level of security. We do not provide values for the process time, that is, the time needed for key generation, encryption, decryption, and data authentication, but rather the number of CPU cycles required to execute each function. In this way, time values can be obtained for a particular sensor node according to its CPU features.
6.3 Total Energy Cost. Table 3 provides the transmission and reception energy consumption of a TI's CC2540 microcontroller for different modes and values of transmission power. The displayed values have been tested under 25 °C. We do not have values for in-body conditions (≈38 °C), but we present these data for reference purposes. In any case, this fact only affects the energy consumption for receiving/transmitting. Note that the total cost in terms of energy is much higher, since it should also account for duty cycles, state changes, and other parameters [39].
There is no single specific "energy per CPU cycle" value, since the cycle consumption depends on the type of CPU operation. Anyway, in [34] the authors measured that TI's MSP430F1611 consumes energy at an average of 0.72 nJ per clock cycle, and we have adopted such value in our study.
Figure 9 shows the total average energy consumption as a function of the number of neighboring sensor nodes and the number $l$ of bits used to code the channels, for the proposed mechanism and the standard approaches: CCM (authentication and encryption), CTR (encryption only), and CBC-MAC (authentication only). We have assumed standard reception and short-range transmission of −6 dBm (see Table 3).
As clearly denoted in the figure, our method only requires a few tens of μJ regardless of the number of sensor nodes, while AES-based security requires higher values of energy, ranging from 35 μJ to almost 240 μJ when encryption and authentication are provided and for 30 sensor nodes. The greater the number of sensor nodes, the bigger the improvement introduced by our proposal.
It must be remarked, however, that the purpose of this figure is to provide reference values to be taken into account for future implementations. Besides, the level of security provided by our method is lower than that of AES-based methods but is still more than adequate given the features of CBSNs (transmission rate, number of sent messages, etc.) and given the fact that the data we are trying to protect are just a limited number of potential channels to be used for operation of the network.
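The Section 6 cost figures combined into one per-node model, as an added example that is not code from the paper. It assumes total energy is the CPU cycles priced at 0.72 nJ each plus the Table 1 report size priced at the Table 3 energy per byte for TX at −6 dBm (71.4 nJ) and standard RX (58.8 nJ); the function names and scheme labels are hypothetical.

```python
"""Per-node cost of one sensing period, from the figures quoted in Section 6."""

# Figures quoted on the page
AES_ENC_CYCLES = 6600     # AES encryption, cycles per block
AES_DEC_CYCLES = 8400     # AES decryption, cycles per block
HASH_CYCLES = 96          # (stripped) MAME, cycles per block (Table 2)
XOR_CYCLES = 5 * 16       # worst case: 5 cycles/byte over a 128-bit value
NJ_PER_CYCLE = 0.72       # MSP430F1611 average energy per clock cycle
TX_NJ_PER_BYTE = 71.4     # CC2540, TX at -6 dBm (Table 3)
RX_NJ_PER_BYTE = 58.8     # CC2540, RX standard (Table 3)
MAC_BITS = 128            # AES CBC-MAC output
NONCE_BITS = 64           # CTR nonce, half the key length
AUTH_BITS = 16            # authentication field of the proposed method

SCHEMES = ("cbc-mac", "ctr", "ccm", "ours")   # hypothetical labels


def report_bits(scheme, l):
    """Bits one node transmits per report (the Table 1 column) for l state bits."""
    if scheme == "cbc-mac":
        return MAC_BITS                       # single padded block
    if scheme == "ctr":
        return l + NONCE_BITS
    if scheme == "ccm":
        return l + NONCE_BITS + MAC_BITS
    if scheme == "ours":
        return l + AUTH_BITS
    raise ValueError(f"unknown scheme: {scheme}")


def reception_bytes(scheme, l, n):
    """Bytes a node receives from its n - 1 neighbours (the Figure 7 quantity)."""
    return (n - 1) * report_bits(scheme, l) / 8


def cpu_cycles(scheme, n):
    """Cryptographic CPU cycles per node and sensing period (the Figure 8 quantity)."""
    if scheme == "ours":
        return n * (HASH_CYCLES + XOR_CYCLES)   # N hashes and N XORs
    if scheme in SCHEMES:
        # The page models every AES mode as one encryption plus N - 1 decryptions.
        return AES_ENC_CYCLES + (n - 1) * AES_DEC_CYCLES
    raise ValueError(f"unknown scheme: {scheme}")


def energy_uj(scheme, l, n):
    """Assumed total in microjoules: CPU + one sent report + n - 1 received reports."""
    cpu = cpu_cycles(scheme, n) * NJ_PER_CYCLE
    tx = report_bits(scheme, l) / 8 * TX_NJ_PER_BYTE
    rx = reception_bytes(scheme, l, n) * RX_NJ_PER_BYTE
    return (cpu + tx + rx) / 1000.0


def comparison(l, node_counts=(5, 10, 15, 20, 25, 30)):
    """Rows of (N, {scheme: energy in uJ}) for one value of l."""
    return [(n, {s: round(energy_uj(s, l, n), 2) for s in SCHEMES})
            for n in node_counts]


if __name__ == "__main__":
    for l in (16, 32, 64):
        print(f"l = {l} bits")
        for n, row in comparison(l):
            cells = "  ".join(f"{s}: {row[s]:7.2f} uJ" for s in SCHEMES)
            print(f"  N = {n:2d}  {cells}")
```

At N = 30 and l = 64 the model gives about 237 μJ for CCM against about 21.6 μJ for the proposed method, in line with the "almost 240 μJ" and "a few tens of μJ" quoted in the text.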
Table 3: Current/energy consumption for RX/TX tested on Texas Instruments CC2540 EM with $T_A = 25$ °C, with no peripherals active and low MCU activity at 250 kHz.

| Test conditions | Current | Energy/byte |
|---|---|---|
| RX standard | 19.6 mA | 58.8 nJ |
| RX high gain | 22.1 mA | 66.3 nJ |
| TX −23 dBm | 21.1 mA | 63.3 nJ |
| TX −6 dBm | 23.8 mA | 71.4 nJ |
| TX 0 dBm | 27 mA | 81 nJ |
| TX 4 dBm | 31.6 mA | 94.8 nJ |
Figure 8: Added CPU cycles for a secure exchange of sensing data (x-axis: number of nodes $N$; y-axis: CPU cycles; series: AES and ours, each for $l$ = 16, 32, 64).
Indeed, this mechanism introduces some overhead due to spectrum sensing and sharing of channel information, and, as we pointed out above, the overhead increases linearly with the number of nodes in the network. The synchronization protocol adds some overhead too, but the increase will strongly depend on the chosen protocol. In [29], some protocols with high energy efficiency are referenced, which could be used in our proposal.
Despite this, we claim that it is definitely worth introducing this overhead to increase the availability of the network and make it robust to potential interferences and DoS attacks. Under these undesired situations, the current channel used by the CBSN may become unavailable, but the proposed method allows the nodes to securely agree on a new channel of operation and rapidly resume their transmissions. It must be remarked that securing channel availability information may prevent, or at least diminish, the effect of further DoS attacks when switching to a new channel.
We do not quantify the benefits of applying our method in terms of attack mitigation because it strongly depends on the capabilities of the attacker (time required for sensing each channel, number of channels that it can sense, etc.). As future work, it would be interesting to estimate the improvement achieved by our approach in terms of throughput of the CBSN's connections and the tradeoff between benefits and overhead.

Figure 9: Added energy costs for a TI's MSP430F1611 with a TI's CC2540 microcontroller (x-axis: number of nodes $N$; y-axis: energy cost in μJ; series: CBC-MAC for $l$ = 16, 32, 64, and CTR, CCM, and ours each for $l$ = 16, 32, and 64).
7 Conclusions
Body sensor networks (BSNs) emerge as an optimal solution for ensuring constant and remote monitoring of the health status of patients. Recent advances in technology have made it possible to deploy a network of tiny sensors over the human body, and even in the body, which can measure vital signs such as temperature, heart rate, or the level of glucose and report these data to medical personnel.
Guaranteeing the availability of such communications is a must, as connectivity losses during emergency situations may prevent a patient from immediately receiving medical assistance and may end in catastrophic results.
A new network paradigm known as cognitive body sensor networks (CBSNs) could mitigate this threat by allowing body sensors to operate in a wide range of frequencies and adapt their transmission parameters according to highly dynamic environment conditions. However, this would come at the expense of implementing cooperative spectrum sensing mechanisms that allow sensors to exchange information about channel quality and availability. As a consequence, CBSNs might become vulnerable to specific attacks that target these mechanisms.
In this paper, we presented a novel and simple method to secure the sensing process in a CBSN and improve its availability. The method relies on cryptographic primitives that require a minimum amount of memory and low energy consumption, thus being more suited for devices with limited resources than traditional approaches. It offers authentication and encryption of control data shared by the sensors in the CBSN to agree on a given channel.
Our proposal was analyzed in terms of security, and we showed that, although it does not provide the same level of security as AES-based encryption and authentication, it is still sufficient for low packet rate networks such as CBSNs. The provided results also showed that our method outperforms existing approaches in terms of transmission/reception overhead and number of CPU cycles needed, particularly as the number of sensor nodes increases. For typical microcontrollers such as CC2540 and MSP430, the improvement in energy consumption clearly justifies the use of the proposed method over AES-based mechanisms in constrained networks such as CBSNs, in which maximizing the network life is extremely important.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgment
This work has been partially supported by the Spanish government under grant TEC2011-22746 "TAMESIS" and by the Ministry of Economy and Competitiveness through the projects CO-PRIVACY (TIN2011-27076-C03-02) and SMARTGLACIS (TIN2014-57364-C2-2-R).
References
[1] B. Latre, B. Braem, I. Moerman, C. Blondia, and P. Demeester, "A survey on wireless body area networks," Wireless Networks, vol. 17, no. 1, pp. 1–18, 2011.
[2] S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, "Wireless body area networks: a survey," IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014.
[3] 802.15.6-2012 – IEEE Standard for Local and metropolitan area networks – Part 15.6: Wireless Body Area Networks, 2012, http://standards.ieee.org/getieee802/download/802.15.6-2012.pdf.
[4] Bluetooth Low Energy (LE), June 2014, http://www.bluetooth.com/Pages/low-energy-tech-info.aspx.
[5] The ANT+ Alliance, 2014, http://www.thisisant.com/.
[6] Wi-Fi Alliance, June 2014, http://www.wi-fi.org/.
[7] Zigbee Alliance, June 2014, http://www.zigbee.org/.
[8] M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, "SoK: security and privacy in implantable medical devices and body area networks," in Proceedings of the 35th IEEE Symposium on Security and Privacy (SP '14), pp. 524–539, San Jose, Calif, USA, May 2014.
[9] I. F. Akyildiz, W.-Y. Lee, M. C. Vuran, and S. Mohanty, "NeXt generation/dynamic spectrum access/cognitive radio wireless networks: a survey," Computer Networks, vol. 50, no. 13, pp. 2127–2159, 2006.
[10] B. Wang and K. J. R. Liu, "Advances in cognitive radio networks: a survey," IEEE Journal of Selected Topics in Signal Processing, vol. 5, no. 1, pp. 5–23, 2011.
[11] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in unknown dynamic environment: a game-theoretic stochastic learning solution," IEEE Transactions on Wireless Communications, vol. 11, no. 4, pp. 1380–1391, 2012.
[12] D. Cavalcanti, S. Das, J. Wang, and K. Challapali, "Cognitive radio based wireless sensor networks," in Proceedings of the 17th International Conference on Computer Communications and Networks (ICCCN '08), pp. 1–6, August 2008.
[13] O. Leon, J. Hernandez-Serrano, and M. Soriano, "Securing cognitive radio networks," International Journal of Communication Systems, vol. 23, no. 5, pp. 633–652, 2010.
[14] M. Rostami, A. Juels, and F. Koushanfar, "Heart-to-Heart (H2H): authentication for implanted medical devices," in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 1099–1111, ACM, Berlin, Germany, November 2013.
[15] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun, "Proximity-based access control for implantable medical devices," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 410–419, Chicago, Ill, USA, November 2009.
[16] L. Shi, M. Li, S. Yu, and J. Yuan, "BANA: body area network authentication exploiting channel characteristics," IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1803–1816, 2013.
[17] C. C. Tan, S. Zhong, H. Wang, and Q. Li, "Body sensor network security: an identity-based cryptography approach," in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 148–153, April 2008.
[18] O. Garcia-Morchon, T. Falck, T. Heer, and K. Wehrle, "Security for pervasive medical sensor networks," in Proceedings of the 6th Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous '09), pp. 1–10, Toronto, Canada, July 2009.
[19] G. Selimis, L. Huang, F. Masse, et al., "A lightweight security scheme for wireless body area networks: design, energy evaluation and proposed microprocessor design," Journal of Medical Systems, vol. 35, no. 5, pp. 1289–1298, 2011.
[20] Y. Yan and T. Shu, "Energy-efficient In-network encryption/decryption for wireless body area sensor networks," in Proceedings of the IEEE Global Communications Conference (GLOBECOM '14), pp. 2442–2447, IEEE, Austin, Tex, USA, December 2014.
[21] Y. Xu, A. Anpalagan, Q. Wu, L. Shen, Z. Gao, and J. Wang, "Decision-theoretic distributed channel selection for opportunistic spectrum access: strategies, challenges and solutions," IEEE Communications Surveys and Tutorials, vol. 15, no. 4, pp. 1689–1713, 2013.
[22] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in cognitive radio networks: global optimization using local interaction games," IEEE Journal on Selected Topics in Signal Processing, vol. 6, no. 2, pp. 180–194, 2012.
[23] R. Chavez-Santiago, K. E. Nolan, O. Holland, et al., "Cognitive radio for medical body area networks using ultra wideband," IEEE Wireless Communications, vol. 19, no. 4, pp. 74–81, 2012.
[24] A. R. Syed and K.-L. A. Yau, "On cognitive radio-based wireless body area networks for medical applications," in Proceedings of the 1st IEEE Symposium on Computational Intelligence in Healthcare and e-Health (CICARE '13), pp. 51–57, Singapore, April 2013.
[25] R. Chen, J.-M. Park, and K. Bian, "Robust distributed spectrum sensing in cognitive radio networks," in Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM '08), pp. 1876–1884, IEEE, Phoenix, Ariz, USA, April 2008.
[26] H. Rifa-Pous, M. J. Blasco, and C. Garrigues, "Review of robust cooperative spectrum sensing techniques for cognitive radio networks," Wireless Personal Communications, vol. 67, no. 2, pp. 175–198, 2012.
[27] B. Braem, B. Latre, C. Blondia, I. Moerman, and P. Demeester, "Analyzing and improving reliability in multi-hop body sensor networks," International Journal on Advances in Internet Technology, vol. 2, no. 1, pp. 152–161, 2009.
[28] I. F. Akyildiz, B. F. Lo, and R. Balakrishnan, "Cooperative spectrum sensing in cognitive radio networks: a survey," Physical Communication, vol. 4, no. 1, pp. 40–62, 2011.
[29] B. Sundararaman, U. Buy, and A. D. Kshemkalyani, "Clock synchronization for wireless sensor networks: a survey," Ad Hoc Networks, vol. 3, no. 3, pp. 281–323, 2005.
[30] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems – CHES 2008: 10th International Workshop, Washington, DC, USA, August 10–13, 2008, Proceedings, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[31] C. Cordeiro, K. Challapali, D. Birru, and N. Sai Shankar, "IEEE 802.22: the first worldwide wireless standard based on cognitive radios," in Proceedings of the 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN '05), pp. 328–337, Baltimore, Md, USA, November 2005.
[32] S. Ullah, H. Higgins, B. Braem, et al., "A comprehensive survey of wireless body area networks on PHY, MAC, and network layers solutions," Journal of Medical Systems, vol. 36, no. 3, pp. 1065–1094, 2012.
[33] N. Sastry and D. Wagner, "Security considerations for IEEE 802.15.4 networks," in Proceedings of the ACM Workshop on Wireless Security (WiSe '04), pp. 32–42, Philadelphia, Pa, USA, October 2004.
[34] M. Pajic, Z. Jiang, I. Lee, O. Sokolsky, and R. Mangharam, "From verification to implementation: a model translation tool and a pacemaker case study," in Proceedings of the 18th IEEE Real Time and Embedded Technology and Applications Symposium (RTAS '12), pp. 173–184, Beijing, China, April 2012.
[35] CC2540 2.4-GHz Bluetooth low energy System-on-Chip, 2013, http://www.ti.com/lit/ds/symlink/cc2540.pdf.
[36] U. Kretzschmar, "AES128 – a C implementation for encryption and decryption: MSP430 systems, ECCN 5E002 TSPA – technology/software publicly," Application Report SLAA397A, Texas Instruments, Dallas, Tex, USA, 2009, http://www.ti.com.cn/cn/lit/an/slaa397a/slaa397a.pdf.
[37] El Barquero Aqueronte, MSP430: Cycles and Instructions, edited by Aqueronte, 2011, http://unbarquero.blogspot.com.es/2011/05/msp430-cycles-and-instructions.html.
[38] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems – CHES 2008, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[39] S. Kamath and J. Lindh, "Measuring bluetooth low energy power consumption," Application Note AN092, Texas Instruments, Dallas, Tex, USA, 2012, Version SWRA347a, http://www.ti.com/lit/an/swra347a/swra347a.pdf.
(iii) We provide a security analysis of the proposed method and derive the time period during which the cryptographic material remains secure.
(iv) The proposed method is compared to other approaches based on traditional cryptographic primitives in terms of energy consumption and CPU usage.
The rest of this document is structured as follows. In Section 2, we review the state of the art on security in BSNs. Section 3 describes the BSN model considered in this work and its potential threats. A lightweight method to secure the process of channel selection in a BSN is presented in Section 4. Sections 5 and 6 present a security analysis of the proposed method and a comparison with existing approaches in terms of resource consumption. Finally, in Section 7, we provide the conclusions of this work.
2 Related Work
To date, research on security in BSNs has mainly focused on protecting data stored at the network nodes from unauthorized access and providing authentication and confidentiality to the communications among the BSN devices. In the following, we provide an overview of the proposals that can be found in the literature.
Many proposed authentication methods are based on biometrics, that is, relying on measurements of physiological values (PVs) [14], such as heart rate, blood pressure, or temperature, in order to establish trust and generate key material. The main idea is ensuring access to sensors only to those devices in physical contact with the patient. The advantage of these methods is that the key source is hard for an attacker to predict without physical access to the patient and also ensures forward-security because PVs change over time. The main challenge, however, is how to achieve successful authentication among authorized devices when the PV measured by each one is not exactly the same, either due to measurement errors or due to the fact that different devices measure a given PV at different time instants.
Authentication by means of distance-bounding protocols was proposed in several works [15, 16]. This technique provides a very weak mutual authentication between two devices based on measuring the transmission time between them. The rationale behind these protocols is that a legitimate device must be closer than a given distance. As a consequence, they are vulnerable to injection attacks as long as the attacker is close enough to the patient bearing the sensors, for example, by means of a hug.
In [17], the authors presented a protocol based on identity-based encryption (IBE). IBE systems are public key cryptosystems that allow any device to generate a public key from a known identity value, such as the sensor ID, and require the existence of a trusted third party, called the private key generator (PKG), to generate the corresponding private key. To reduce the burden of key generation and encryption/decryption introduced by traditional public key cryptography, the authors proposed to use elliptic curve cryptography (ECC), which provides public key primitives suitable for constrained devices such as sensors in BSNs. Despite this, it is still more expensive in terms of resource consumption than approaches based on symmetric cryptography.
In order to preserve user's privacy, a number of works proposed the use of symmetric encryption based on the AES (Advanced Encryption Standard) algorithm [18–20]. Many, such as the one in [19], proposed to use AES with the CCM mode of operation, that is to say, AES counter (CTR) mode for data encryption and AES cipher-block-chaining message authentication code (CBC-MAC) for message authentication. The main advantage of this mode is that the same key can be used for authentication and for encryption without compromising security, and there is no need for rekeying as long as the number of devices is fixed. As a drawback, the added cost of encryption/decryption, and especially the costs due to the transmission overheads, cannot be neglected in BSNs, where every step forward in resource saving is of paramount importance. In this line, the authors in [20] presented an in-network mechanism that mimics the AES algorithm and greatly reduces the costs of decryption, while they claim to achieve the same level of security.
All the above-mentioned proposals approach the problem of protecting patient's data from unauthorized access, modification, or forgery but cannot effectively deal with DoS attacks. Such protection can be achieved by making use of CR devices that collaboratively switch to another frequency band [11, 21, 22] if the signal-to-noise ratio of the current one is below the required value. Furthermore, it is also necessary to protect the exchanged sensing data in order to prevent an attacker from eavesdropping on data and learning the next channel to be used in the network. Note that this information may allow an attacker to rapidly perform a DoS attack in the new channel.
In this work, we present a lightweight and secure method that makes use of CR technology for improving the availability of the system, that is, ensuring that the communication between the body sensor nodes will be available even in the presence of unintentional or intentional interferences. The application of CR technology to body sensor networks was already proposed in previous works [23, 24]. However, to the best of our knowledge, none of them addressed security topics.
In [25, 26], several methods for securing spectrum sensing mechanisms were discussed, but they are not suited for heavily constrained devices such as body sensors.
In [27], the authors aimed to improve the availability of a BSN by means of a cross-layer multihop protocol that dealt with routing of data. This scheme, however, can be applied only to multihop BSNs, where the path between two given nodes is established according to the connectivity among the nodes. In this approach, nodes make use of several paths but one single channel and thus are more vulnerable to attacks such as jamming than CR-based networks.
3 Network Model and Threats
In this work, we have considered a BSN composed of a set of sensor nodes where all of them can act as sinks, collecting/storing data from other sensors and potentially transmitting these data to an external gateway if required (see Figure 2). Although this approach introduces some overhead due to the fact that data must be shared among all sensors, it improves network availability and robustness against data loss and fairly distributes energy consumption among all sensors. Also, it makes the process of gathering easy for the gateway, which can connect to any of the BSN nodes to get all the information.

Figure 2: Communication between sensors and the gateway (diagram labels: gateway, sensor, sink).
As previously mentioned, we also assume that sensors have cognitive capabilities, that is, they form a CBSN and are able to identify free spectrum bands and adapt their transmission parameters accordingly. Spectrum sensing can be performed by each node on an individual basis or cooperatively. As the latter increases the probability of detection due to space diversity [28], we have adopted such an approach in this work.
In cooperative spectrum sensing, each sensor senses the medium and exchanges its observations with the other members of the network in order to agree on a given channel for data transmission/reception. However, these control data are exposed to many attacks [13], such as packet injection, eavesdropping, or Denial of Service (DoS). Next, we describe the attacker model and the specific attacks that can be executed against CBSNs.
3.1 Attacker Model. In this work, we focus on outsiders, that is, external attackers that do not share any cryptographic content with the gateway or the victim's sensor nodes. If the attacker nodes are part of the CBSN, they will have access to the keying material and therefore will be able to successfully eavesdrop and inject data. In any case, the design of a mechanism to counteract this threat is out of the scope of this work.
In the context of CBSNs, we can classify adversaries according to the following criteria.
(i) Active or passive: a passive attacker can only eavesdrop data, thus being able to access the patient's data and violating his/her privacy. In turn, an active attacker aims at injecting or modifying data in order to send fake reports on the state of the patient.

(ii) Type of attack, which includes the following:

(a) Eavesdropping: unauthorized access to stored data or to data transmitted among the CBSN devices, thus violating the privacy of the patient.

(b) Modification/injection: an attacker may alter the content of a packet transmitted by a sensor or impersonate a sensor by forging a packet; these attacks can be executed due to lack of authentication and violate the integrity of the CBSN communications.

(c) Packet replay: an attacker may capture a packet that was previously sent by a sensor of the network and send it again. Regardless of whether the CBSN is using authentication mechanisms or not, the packet will be accepted by the network if antireplay mechanisms are not provided.

(d) Jamming: the adversary disrupts the CBSN communications by generating interfering signals.

(iii) Intentional or unintentional: the adversary can be an external entity willing to cause damage to the communications among sensors and the gateway, or it can be an entity that is unintentionally causing interference to those communications. As an example, the patient of interest could be near another patient with wearable sensors, which could inject fake reports if data is not properly authenticated. Examples of unintentional attacks could take place in a situation where two patients bearing body sensors are hugging and unconsciously exchange data. Or the patient could be near a relative who is visiting him/her at the hospital and carries an electronic device that causes interference to the CBSN.
It is important to remark that, in a CBSN where sensor nodes establish communications using different channels over time, these attacks can be extended to the control data exchange among the devices of the CBSN. As an example, an attacker may forge a report regarding the availability of the channels, thus leading the CBSN to select a channel that is suffering from high interference or that is currently being used by another service. Note that this attack can lead to a DoS and the failure of the system in monitoring the patient's status. In turn, eavesdropping of the control channel allows an attacker to have knowledge of the channels to be used by the CBSN. The attacker could take advantage of this situation in order to easily disrupt the communications in the network by performing a new DoS attack every time the CBSN switches to a new channel.

The implementation of security mechanisms in a CBSN [12] to counteract these attacks is especially challenging due to the limited capabilities of the CBSN's nodes. In the following section, we describe a simple method to secure the process of channel selection in CBSNs. The proposed mechanism is suited for networks with extremely resource-constrained devices, since it makes use of lightweight cryptographic functions and minimizes the added transmission/reception overhead.
4. Securing Sensing Data and Channel Selection in CBSNs

In the following, we present a mechanism for securing the exchange of sensing data and the channel selection process in CBSNs. Section 4.1 outlines the assumptions considered in this work regarding the network model, and in Section 4.2 we describe the protocol operation. For ease of understanding, we present the terminology used along this section as follows:
$\mathrm{CTR}_M$: medium-term session counter ($m$ bits).
$\mathrm{CTR}_S$: short-term session counter ($m$ bits).
$D_i^u$: data sensed by node $u$ during period $i$ ($l$ bits).
$\mathrm{ID}^u$: link-layer identifier of node $u$ ($m$ bits).
$K_i^u$: keystream to encrypt and authenticate data for node $u$ during period $i$ ($r$ bits).
KM: keying master.
$l$: length of the data sensed by a given node during a given period.
$m$: length of the hash output and all the secrets.
$N$: number of nodes in the network.
$p$: number of keystreams $K_i^u$ obtained from an $S^u$ ($p = m/r$), defining the number of sensing periods before updating $S^u$.
$r$: length of the keystreams $K_i^u$, which must be a divisor of $m$.
$S_L$: long-term globally shared secret ($m$ bits).
$S_M$: medium-term globally shared secret ($m$ bits).
$S_{s_i}$: long-term secret shared between the KM and node $i$; it is used to update $S_L$ in case it is compromised.
$S^u$: short-term shared secret with node $u$.
4.1. Assumptions. Although the proposed protocol is designed to be implemented in heavily constrained devices, we work under the assumption that such devices have at least the following capabilities:

(i) Compute a hash function with an output length of $m$ bits.

(ii) Temporarily store in their random access memory at least $m \cdot (N + 3)$ bits, with $N$ the number of nodes in the network. As we detail later in Section 4.2, each node must keep a short-term shared secret for each of the $N$ nodes in the network (including itself) and three more long-term and medium-term secrets, each one with a length of $m$ bits.

(iii) Sensor nodes use a synchronization protocol that will be used to share a global short-term session counter and a medium-term session counter among all nodes (see Section 4.2). Given the low transmission rate of sensor networks, existing synchronization schemes [29] provide enough precision for this purpose. We assume that the chosen protocol provides recovery methods upon loss of synchronization. How synchronization is achieved will strongly depend on the chosen protocol, but if the latter requires a master node for providing synchronization, the gateway of the BSN could play this role.

To the best of our knowledge, the former requirement can be assumed even in very constrained devices. As shown in [30], there are several lightweight hash functions that can be integrated into a sensor mote. The latter may not be harder to achieve. As detailed in Section 4.2, during every sensing period each node stores one secret per member of the network, a globally shared secret, and two counters, all of them with the same length $m$ as the hash output. If we consider a typical hash function with an output of 128 or 256 bits and a network with tens to hundreds of sensors, the RAM requirements for sensor nodes are just bounded to a few tens of kilobytes.
4.2. Protocol Operation. Before deploying the CBSN, every sensor node must be preloaded by a keying master (KM) with the following data:

(1) The set of channels that the sensor will have to sense in the cooperative sensing process.

(2) A long-term and globally shared secret $S_L$ of $m$ bits (the hash output length).

(3) A long-term secret $S_{s_i}$ shared between the KM and node $i$ that will be used to update the globally shared secret $S_L$ in case it is compromised.

The KM is an external device which is not a member of the BSN. Typically, this role is played by the device responsible for gathering data from the sensors, or gateway (e.g., a smartphone or a tablet).
Upon deployment of the network, every node derives a medium-term globally shared secret $S_M$ by hashing the XOR of the long-term secret $S_L$ and a counter. The generation process of $S_M$ is depicted in Figure 3. This process is periodically repeated with an updated value of the medium-term counter in order to protect the secret against a potential attacker. Details about how often this process should be carried out and the attacker capabilities are provided in Section 5.

As shown in Figure 4, each node generates a set of random sequences of $m$ bits, one for the node itself and one for each other node in the network. These random sequences $S^u$, with $u$ the node identifier, are obtained by hashing the XOR of the link-layer identifier of the node $\mathrm{ID}^u$, the medium-term shared secret $S_M$, and a short-term session counter $\mathrm{CTR}_S$.
Therefore, our proposal makes use of three types of shared secrets:

(i) A short-term per-node shared secret $S^u$ (one per each node in the network) used for encryption, decryption, and authentication of data.

(ii) A medium-term globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.

(iii) A long-term globally shared secret that is used to derive a new $S_M$ when the current one is about to expire.

Figure 3: Generation of the medium-term globally shared secret $S_M$ (the long-term shared secret $S_L$ and the medium-term session counter $\mathrm{CTR}_M$, of $m$ bits each, are combined and hashed into the $m$-bit medium-term shared secret $S_M$).

Figure 4: Generation of the short-term shared secret $S^u$ for node $u$ (the identifier of node $u$, $\mathrm{ID}^u$, the medium-term shared secret $S_M$, and the short-term session counter $\mathrm{CTR}_S$, of $m$ bits each, are combined and hashed into the $m$-bit short-term shared secret $S^u$).

As denoted in Figure 5, each sequence $S^u$ is divided into $p$ fragments of $r$ bits, which will be denoted as $K_i^u$, each one being used as keystream to encrypt and authenticate data for node $u$ in period $i$. As per this behavior, a new short-term shared secret must be derived every $p$ sensing periods.
When a node performs spectrum sensing, it generates a binary sequence $D_i^u$ of $l$ bits that stores the availability of the different channels. The length of such a sequence, $l$, will depend on the number of bits used to code the state of each channel and the number of channels. As an example, the simplest way would be to use just a single bit for coding each channel, with value "0" if the channel is occupied and "1" otherwise. If more precise information about the quality of channels is needed (i.e., high, medium, low, and very low quality), more bits can be used to code the channel state.

During a sensing period $i$, each node must send its own sensing information to its neighbors, but it must also process the information received from its neighbors to reach a joint decision.

In order to send its own sensing information, node $u$ will make use of the corresponding keystream $K_i^u$: the first $l$ bits of the keystream will be used to encrypt channel information $D_i^u$ by means of an XOR addition; the remaining $r - l$ bits are left unchanged and will be used to provide message authentication, as illustrated in Figure 5. The resulting sequence $C_i^u$ will be sent to all the other nodes.
To verify the authenticity and decrypt the content of the packets that have been sent by a given neighbor $u$, a node will XOR the sequence $C_i^u$ of the received packet with the keystream $K_i^u$, as depicted in Figure 6. If the last $r - l$ bits of the resulting sequence are not all 0s, the authentication fails and the entire packet is discarded. Otherwise, channel information can be recovered from the first $l$ bits resulting from the XOR addition.

The above described process is applied for each neighboring node $u$. Then, the channel reported by a larger number of neighbors will be selected for the operation of the network. Note that, because more than one channel may be reported by the same amount of nodes, a tie-break mechanism is needed to guarantee that the process leads to equal results in all nodes. One simple approach that could be used is to select the channel with the highest identifier. However, this would lead to a lower usage of channels with lower identifiers and therefore to providing the attacker with valuable information about channel usage in the CBSN. As a consequence, we propose to use a tie-break method that relies on the format of $D_i^u$.
Recall that a fundamental characteristic of this protocol is that there is no central entity that is known and trusted by all sensors. This makes the protocol suitable for unattended scenarios, and it also makes it more efficient in terms of data transmitted through the network, because no information is sent regarding which channels have to be sensed or which channel is finally selected. Instead, sensors are deployed with all the information needed to perform the sensing in a distributed way and make a joint decision autonomously. Thus, there is no need for additional mechanisms to be used when a new node joins the network. In this case, the new node needs to synchronize with the rest of the members to get the proper value of the session counters by making use of the corresponding protocol. However, when a node is expelled from the network because it has been compromised, new cryptographic material must be generated and distributed among the remaining nodes. The KM is responsible for triggering this process and communicates with each sensor node to update the shared long-term secret $S_L$. Note that, because the KM shares a different secret $S_{s_i}$ with each node $i$, it can securely distribute the new value of $S_L$. Upon reception of $S_L$, each node should perform again the initialization process described at the beginning of this section.

Figure 5: Encrypting and authenticating sensing data (the $m$-bit short-term shared secret $S^u$ is split into keystreams $K_1^u, K_2^u, \ldots, K_p^u$ of $r$ bits each; in sensing period $i$, the $l$ bits of sensing data $D_i^u$ are encrypted and $r - l$ bits of authentication data are appended, giving $C_i^u$).

Figure 6: Decrypting sensing data (the received $C_1^u$ of $r$ bits is XORed with keystream $K_1^u$; if the last $r - l$ bits are not all 0s, the sensing data is rejected; otherwise, the $l$ bits of sensing data $D_1^u$ are accepted).
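The derivation, sealing, verification, and channel voting steps of Section 4.2, as an added example that is not the authors' code: SHA-256 truncated to $m$ = 128 bits stands in for the lightweight hash, and the parameter values ($r$ = 32, $l$ = 16), the counter schedule, the bit layout of identifier and counter, the sample secret, and all function names are assumptions of this example. Because the text does not specify its tie-break, the selection step returns every top-voted channel.

```python
import hashlib
from collections import Counter

# Assumed parameters: m = 128 (secret/hash length), r = 32 (keystream length),
# l = 16 (one bit per channel), leaving r - l = 16 bits as authentication field.
M, R, L = 128, 32, 16
P = M // R            # p = m / r sensing periods served by one short-term secret
TAG = R - L

def H(x: int) -> int:
    """Stand-in m-bit hash: SHA-256 truncated to 128 bits (an assumption)."""
    digest = hashlib.sha256(x.to_bytes(M // 8, "big")).digest()
    return int.from_bytes(digest[:M // 8], "big")

def derive_medium(s_l: int, ctr_m: int) -> int:
    """S_M = H(S_L xor CTR_M)."""
    return H(s_l ^ ctr_m)

def derive_short(node_id: int, s_m: int, ctr_s: int) -> int:
    """S^u = H(ID^u xor S_M xor CTR_S).

    Assumed layout: the identifier sits in the upper 64 bits and the counter
    in the lower 64, so ID xor CTR differs for every (node, counter) pair.
    """
    if node_id >> 64 or ctr_s >> 64:
        raise ValueError("identifier and counter must fit in 64 bits each")
    return H((node_id << 64) ^ s_m ^ ctr_s)

def keystream(s_u: int, i: int) -> int:
    """K_i^u: the i-th r-bit fragment of S^u (i = 0 .. p-1)."""
    if not 0 <= i < P:
        raise ValueError("S^u must be renewed after p sensing periods")
    return (s_u >> (M - R * (i + 1))) & ((1 << R) - 1)

def seal_packet(d: int, k: int) -> int:
    """C = (D xor first l bits of K) || (last r-l bits of K, unchanged)."""
    if not 0 <= d < (1 << L):
        raise ValueError("sensing data must fit in l bits")
    return (d << TAG) ^ k

def open_packet(c: int, k: int):
    """XOR with the keystream; reject unless the last r-l bits are all 0."""
    x = c ^ k
    if x >> R or x & ((1 << TAG) - 1):
        return None
    return x >> TAG

class Node:
    def __init__(self, node_id: int, s_l: int, ctr_m: int):
        self.node_id = node_id
        self.s_m = derive_medium(s_l, ctr_m)

    def key(self, sender_id: int, period: int) -> int:
        # Assumed schedule: CTR_S advances once every p sensing periods.
        ctr_s, i = divmod(period, P)
        return keystream(derive_short(sender_id, self.s_m, ctr_s), i)

    def report(self, period: int, free_channels) -> int:
        d = sum(1 << ch for ch in set(free_channels))   # bit = 1: channel free
        return seal_packet(d, self.key(self.node_id, period))

    def receive(self, sender_id: int, period: int, c: int):
        return open_packet(c, self.key(sender_id, period))

def top_channels(bitmaps):
    """Channels reported free by the most nodes; ties are returned together."""
    votes = Counter(ch for d in bitmaps for ch in range(L) if (d >> ch) & 1)
    best = max(votes.values(), default=0)
    return sorted(ch for ch, v in votes.items() if v == best)

# Constructed sample data: preloaded secret and per-node sensing results.
S_L = int.from_bytes(bytes(range(16)), "big")
SENSED = {1: [2, 5, 9], 2: [5, 9], 3: [5, 11], 4: [2, 5]}

def demo(period: int = 5):
    nodes = {u: Node(u, S_L, ctr_m=7) for u in SENSED}
    packets = {u: nodes[u].report(period, SENSED[u]) for u in SENSED}
    packets[4] ^= 1                  # corrupt one bit of node 4's auth field
    receiver, accepted, rejected = nodes[1], [], []
    for u, c in packets.items():
        d = receiver.receive(u, period, c)
        (rejected if d is None else accepted).append((u, d))
    return top_channels([d for _, d in accepted]), [u for u, _ in rejected]

if __name__ == "__main__":
    print(demo())
```

Every node derives the same keystreams from $S_L$ and the synchronized counters, so no key material is exchanged; a packet whose last 16 bits do not cancel against the receiver's keystream is dropped before the vote.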
5. Security Analysis

The security of the proposed method relies on the shared secrets used to derive the keys and perform encryption and authentication of channel availability data. As long as these secrets are not compromised, data confidentiality can be ensured; that is, an attacker might not be able to get the list of channels to be used in the CBSN. Besides, the method must prevent an attacker from injecting fake data into the system. These issues are discussed as follows. In Section 5.1, we analyze how often the shared secrets should be updated in order to guarantee proper protection against cryptanalysis; next, in Section 5.2, we evaluate the packet authentication method used in our proposal in terms of the probability of bypassing the authentication check.
5.1. Shared Secrets Lifetime. As previously mentioned in Section 3.1, for this analysis we are assuming that attacks come from external entities, and therefore attackers are not able to obtain the cryptographic material that is stored in the body sensors. In the context of this proposal, the lifetime of each of the shared secrets is the interval in which these secrets are considered computationally safe against cryptanalysis, that is, their cryptoperiod.

The cryptoperiod depends directly on the chosen cryptographic protocols, the length of the secrets themselves, and the number of times they are used. The more a given secret is used, the shorter its cryptoperiod is, as an attacker gets more information about this secret and therefore the probability of a successful cryptanalysis increases. In fact, the cryptoperiod is defined more in terms of the number of times a given secret or key is reused (the amount of ciphertext exposed to an attacker for a given secret/key) than as a given time period, which strongly depends on the transmission rate of the sensor nodes.
Recall the three types of shared secrets used in the proposed method:

(i) Short-term per-node shared secrets: one secret $S^u$ per source node that is used to lightweight encrypt, decrypt, and authenticate the channels' sensed data.

(ii) Medium-term globally shared secrets: globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.

(iii) Long-term globally shared secret: this being the initially preloaded secret $S_L$ that is used to derive a new medium-term globally shared secret $S_M$ when the current one is about to expire.
As denoted in Figure 5, our approach operates in some manner as an additive stream cipher. It is well known that stream ciphers are considered to be secure as long as the key is never reused, and thus our cipher will be secure if a given value $S^u$ is not repeated. As a result, $S^u$ must be updated every $p = m/r$ sensing periods, with $p$ the renewal period, $m$ the length of the shared secret $S^u$, and $r$ the amount of transmitted bits (sensing data) in a sensing period that are encrypted with $S^u$.

Recall that, in our proposal, the per-node key used for encryption, $S^u$, is generated by means of a hash function. A second requirement is that this function must be cryptographically secure. Note that if the hash function does not accomplish it, an attacker might be able to reverse it, that is, to get the input of the hash function given an output, meaning that in our proposal an attacker would be able to recover the value of the medium-term globally shared secret $S_M$ (see Figure 4).

A cryptographically secure hash function with an output of $m$ bits can offer a security level of $2^m$ operations against preimage attacks and $2^{m/2}$ against collision attacks. Generally speaking, a minimum output of 128 bits is required in order to provide a high level of security for most applications, but shorter lengths are accepted if the number of generated messages in a given period is limited, as is the case of low-rate networks. In Section 6, we propose several lightweight hash candidates with an output of 128 bits; that is to say, we can assume that it is computationally unfeasible for an attacker to invert the hash function and thus to predict the value of $S_M$ as long as it is updated before exceeding its cryptoperiod, which has an upper bound of $2^{m/2} = 2^{64}$ uses.

The long-term globally shared secret $S_L$ is only used to update the current medium-term globally shared secret $S_M$. Because $S_M$ is not updated very often, it is very unlikely that an attacker manages to obtain several values of $S_M$ to reverse the hash function and recover $S_L$. As a result, we can assume that the $S_L$ cryptoperiod is long enough and there is no need to update the secret during the nodes' lifetime.
5.2. Authentication. A cryptogram $C_i^u$ of sensing data contains an authentication field of 16 bits that is checked upon reception (see Figure 6). Consequently, an attacker has a chance of 1 in $2^{16}$ of guessing the next authentication field, which allows it to forge a valid authentication field and inject fake data. Note that this attack can lead the CBSN to wrong decisions about the availability of the spectrum.

If the attacker repeatedly attempts to send valid ciphertexts, it may succeed after $2^{15}$ attempts on average. Because the attacker does not know $S^u$, the authentication field appears to it as a random stream, and therefore it must select a fake authentication field at random. Besides, the attacker cannot determine whether a given ciphertext has been accepted or rejected, because the receiver does not acknowledge the reception of such packets to the emitter. Otherwise, the attacker could take advantage of this information in order to guess a valid authentication field in a faster way.

In conventional networks, $2^{15}$ packets may seem an extremely low number, but it may provide an adequate level of security in CBSNs. In these networks, the attacker can only send fake packets during the sensing periods, which are in the order of a few milliseconds in most cognitive scenarios [31]. Moreover, as previously stated in Section 1, transmission rates in BSNs are considerably low, with values usually ranging from tens to a few hundred kilobits per second.

As an example, let us consider a 1 Mbps link, a sensing period of 10 ms, and a packet size of 10 bytes (which is clearly bigger than the typical packet size in sensor networks). Given these parameters, an attacker would only be able to send 125 packets at most in every sensing period. That is to say, the attacker would need an average of 262.144 sensing periods ($2^{15}/125$) to send a fake packet and pass the authentication check.
6. Cost Evaluation and Comparison with Other Approaches

In this section, we evaluate the cost of our proposal in terms of energy consumption due to transmission overhead and computational cost and compare its performance with the most common approach adopted in sensor networks [32], which is providing authentication and/or encryption of the channel sensing data by means of standard block ciphers. As is well known, block ciphers have as input the message to be encrypted or authenticated, which is divided into several blocks of fixed length, and a key. Both the block length and the key length depend on the algorithm being used. Regardless of the algorithm, block ciphers can be used in several modes of operation depending on the service to be provided, that is, encryption only, authentication only, or encryption/authentication. Generally, the following modes of operation are applied.
Authentication. CBC-MAC is a block cipher mode for generating message authentication codes. The message to be authenticated is divided into several blocks of equal size, and each block is encrypted so that the value of a given block depends on the encryption of the previous block. The final output of the cipher, that is, the message authentication code or CBC-MAC, is the result of encrypting the last block of the message. When the input of the cipher is shorter than the block size (as is usually the case in sensor networks), the CBC-MAC can be obtained by directly encrypting a single block padded until the block size of the cipher is reached.

Encryption. CTR mode of operation turns a block cipher into a stream cipher, meaning that the resulting ciphertext has the same size as the input or plain text. Thus, it does not force the output length to be a multiple of the block size, as is the case of other modes such as CBC-MAC. This property makes this mode of operation suitable for encryption in sensor networks, where devices usually exchange short-length messages.

Authentication + Encryption. CCM (CTR + CBC-MAC) is a common choice for providing both encryption (CTR) and authentication (CBC-MAC) [19]. A minor variation of CCM called CCM* is used in the ZigBee standard [7].
In this work, we assume that Advanced Encryption Standard (AES) in CTR mode is used for encryption and AES CBC-MAC for authentication, as it is the current standard for symmetric cryptography, even in sensor nodes [33]. Currently, there are efficient hardware implementations of AES that are highly affordable.

Regarding hardware platforms, the vast majority of previous works on BSNs have used the 16-bit Texas Instruments' (TI) MSP430 and CC2540 families of microcontrollers [34]. Built around a 16-bit CPU, ultra-low-power MSP430 microcontrollers are designed for low-cost and specifically low-power consumption embedded applications. As an example, TI's CC2540 family [35] enables robust Bluetooth low energy (BLE) network nodes to be built with low total bill-of-material (BOM) costs. BLE operates in the same spectrum range (2.400 GHz to 2.4835 GHz ISM band) as classic Bluetooth technology but uses a different set of channels: instead of 79 1 MHz channels, BLE offers 40 2 MHz channels, 3 for advertising purposes and 37 for data exchange.
6.1. Transmission/Reception Overhead. In this section, we analyze the overhead introduced by our proposal in terms of transmission/reception of channel availability data and compare it with the overhead exhibited when conventional approaches are used for data encryption/authentication, as explained above. We assume that all sensors are capable of sensing a given set of channels and report information about their state.

With our proposal, the minimum number of transmitted bits will depend on the number of channels that a given sensor is reporting, the number of bits used to code the state of each channel, and the length of the authentication code. As explained in Section 5.2, a length of 16 bits is enough to secure most applications in WSNs, and thus we have assumed this value for the authentication field. This leads to a total amount of $\mathrm{Bits}_{tx} = l + 16$ transmitted bits, where $l$ represents the total number of bits used to code all possible channels, and $\mathrm{Bits}_{rx} = (n - 1)\,\mathrm{Bits}_{tx}$ received bits, representing the number of bits received by a given sensor from its neighbors.

Aiming to provide a fair comparison, we choose the same key length for block ciphers and for our proposal, that is to say, a 128-bit key. The transmitted bits overhead added by AES CBC-MAC authentication is 128 bits (for a semantically secure implementation, an IV or nonce must also be shared between emitter and receiver, so that the overhead can be higher). Regarding encryption, the number of transmitted bits is equal to the number of bits $l$ used to code the state of the channels, but it also requires the use of a nonce with a length equal to half of the key length, that is, 64 bits per message.
During every sensing period, every node must transmit a packet with sensing information but also must process the packets received from its neighbors. Table 1 and Figure 7, respectively, show the transmission and reception overhead due to the secure sharing of sensing information using both standard block ciphers and our proposal. The values are provided as a function of the number of bits $l$ used to code the state of the channels and the number of nodes $N$, ranging from 5 to 30. Given that the considered scenario is a body sensor network, this is more than a reasonable value, since a patient wearing more than 30 sensors may be an unlikely situation.

The reader may notice that the overhead introduced by this mechanism increases linearly with the number of nodes for both approaches. However, with the proposed method, the transmission/reception overhead is considerably reduced with respect to the use of standard block ciphers, while still maintaining an acceptable level of security. In fact, the more the nodes in the CBSN, the bigger the improvement introduced by the former. As we will show later, the transmission/reception savings lead to a huge saving also in energy consumption.
Table 1: Transmission overhead.

Mode                                            l (bits)   Overhead (bits)
Authentication only (CBC-MAC)                   16         128
Authentication only (CBC-MAC)                   32         128
Authentication only (CBC-MAC)                   64         128
Encryption only (CTR)                           16         80
Encryption only (CTR)                           32         96
Encryption only (CTR)                           64         128
Authentication and encryption (CCM)             16         208
Authentication and encryption (CCM)             32         224
Authentication and encryption (CCM)             64         256
Authentication and encryption (our proposal)    16         32
Authentication and encryption (our proposal)    32         48
Authentication and encryption (our proposal)    64         80

Figure 7: Reception overhead for a varying number of nodes $N$ (x-axis: number of nodes $N$, from 5 to 30; y-axis: reception overhead in bytes; curves: CBC-MAC for $l$ = 16, 32, 64, and CTR, CCM, and our proposal for each of $l$ = 16, 32, and 64).

6.2. Computational Cost. In this section, we provide a comparison of the CPU cost in cycles due to the implementation of the cryptographic functions.

If AES is used, the total cryptographic cost per node for securing the exchange of sensing data equals the cost of one encryption and $N - 1$ decryptions. Assuming the Texas Instruments' reference AES implementation for CC2540 microcontrollers [36], AES encryption needs 6600 cycles/block and AES decryption 8400 cycles/block.

With our proposal, the energy consumption has three components: the computation of the different sequences $S_i^u$ with the hash function before the sensing period begins, the XOR of the keystream $K_i^u$ with the sequence $D_i^u$ that signals the availability of channels, and the XOR of the sequences $C_i^u$ received from neighbors with the precomputed $S_i^u$. Therefore, a node must compute $N$ hashes and perform $N$ XORs to send channel information and process the reports received from its neighbors.
As per [37], an XOR operation with an MSP430 accounts for 4-5 cycles/byte. Assuming a 128-bit hash function and the worst case, every XOR in our proposal accounts for $5 \cdot 16 = 80$ cycles. As previously explained in Section 5.1, we suggest the use of a lightweight cryptographic hash function specifically suited for low-end devices, with an output of 128 bits. Table 2 depicts the number of CPU cycles per block needed [38] for two potential candidates. As seen in the table, computing one of these hash functions requires only a few tens of cycles/block. In the following, for this analysis, we will consider the (stripped) MAME hash function, as it is a pure hash function that does not rely on a symmetric cipher and requires more CPU cycles (worst case).

Table 2: Cycles per block for different cryptographic hash functions.

Algorithm          Hash output size   Cycles/block
(Stripped) MAME    128                96
H-PRESENT-128      128                32

Taking into account the previous data, Figure 8 shows the CPU cycles consumed with both our proposal (with a MAME hash function) and standard AES-128 security. It can be clearly seen that our proposal scales much better with the number of nodes, while still providing an appropriate level of security. We do not provide values for the process time, that is, the time needed for key generation, encryption, decryption, and data authentication, but the number of CPU cycles required to execute each function. In this way, time values can be obtained for a particular sensor node according to its CPU features.
6.3. Total Energy Cost. Table 3 provides the transmission and reception energy consumption of a TI's CC2540 microcontroller for different modes and values of transmission power. The displayed values have been tested under 25°C. We do not have values for in-body conditions (≈38°C), but we present these data for reference purposes. In any case, this fact only affects the energy consumption for receiving/transmitting. Note that the total cost in terms of energy is much higher, since it should also account for duty cycles, state changes, and other parameters [39].

There is no single specific "energy per CPU cycle" value, since the cycle consumption depends on the type of CPU operation. Anyway, in [34] the authors measured that the TI's MSP430F1611 consumes energy at an average of 0.72 nJ per clock cycle, and we have adopted such value in our study.

Figure 9 shows the total average energy consumption as a function of the number of neighboring sensor nodes and the number $l$ of bits used to code the channels, for the proposed mechanism and the standard approaches CCM (authentication and encryption), CTR (encryption only), and CBC-MAC (authentication only). We have assumed standard reception and short-range transmission of -6 dBm (see Table 3).

As denoted in the figure, our method only requires a few tens of μJ regardless of the number of sensor nodes, while AES-based security requires higher values of energy, ranging from 35 μJ to almost 240 μJ when encryption and authentication are provided and for 30 sensor nodes. The more the number of sensor nodes, the bigger the improvement introduced by our proposal.

It must be remarked, however, that the purpose of this figure is to provide reference values to be taken into account for future implementations. Besides, the level of security provided by our method is lower than that of AES-based methods but is still more than adequate given the features of CBSNs (transmission rate, number of sent messages, etc.) and given the fact that the data we are trying to protect are just a limited number of potential channels to be used for operation of the network.
International Journal of Distributed Sensor Networks 11
Table 3: Current/energy consumption for RX/TX tested on Texas Instruments CC2540 EM with $T_A$ = 25°C, with no peripherals active and low MCU activity at 250 kHz.

Test conditions    Current    Energy/byte
RX standard        19.6 mA    58.8 nJ
RX high gain       22.1 mA    66.3 nJ
TX −23 dBm         21.1 mA    63.3 nJ
TX −6 dBm          23.8 mA    71.4 nJ
TX 0 dBm           27 mA      81 nJ
TX 4 dBm           31.6 mA    94.8 nJ
Figure 8: Added CPU cycles for a secure exchange of sensing data. (Plot of CPU cycles against the number of nodes (N), with series "AES" and "Ours" for l = 16, 32, 64.)
Indeed, this mechanism introduces some overhead due to spectrum sensing and sharing of channel information, and, as we pointed out above, the overhead increases linearly with the number of nodes in the network. The synchronization protocol adds some overhead too, but the increase will strongly depend on the chosen protocol. In [29] some protocols with high energy efficiency are referenced, which could be used in our proposal.
Despite this, we claim that it is definitely worth introducing this overhead to increase the availability of the network and make it robust to potential interferences and DoS attacks. Under these undesired situations, the current channel used by the CBSN may become unavailable, but the proposed method allows the nodes to securely agree on a new channel of operation and rapidly resume their transmissions. It must be remarked that securing channel availability information may prevent, or at least diminish, the effect of further DoS attacks when switching to a new channel.
We do not quantify the benefits of applying our method in terms of attack mitigation because it strongly depends on the capabilities of the attacker (time required for sensing each channel, number of channels it can sense, etc.). As a future work, it would be interesting to estimate the improvement achieved by our approach in terms of throughput of the CBSNs connections and the tradeoff between benefits and overhead.
Figure 9: Added energy costs for a TI's MSP430F1611 with a TI's CC2540 microcontroller. (Plot of energy cost (μJ) against the number of nodes (N), with series CBC-MAC, CTR, CCM, and Ours for l = 16, 32, 64.)
7 Conclusions
Body sensor networks (BSNs) emerge as an optimal solution for ensuring constant and remote monitoring of the health status in patients. Recent advances in technology have made it possible to deploy a network of tiny sensors over the human body, and even in body, which can measure vital signs such as temperature, heart rate, or the level of glucose and report these data to medical personnel.
Guaranteeing the availability of such communications is a must, since connectivity losses during emergency situations may prevent a patient from immediately receiving medical assistance and may end up in catastrophic results.
A new network paradigm known as cognitive body sensor networks (CBSNs) could mitigate this threat by allowing body sensors to operate in a wide range of frequencies and adapt their transmission parameters according to highly dynamic environment conditions. However, this would come at the expense of implementing cooperative spectrum sensing mechanisms that allow sensors to exchange information about channel quality and availability. As a consequence, CBSNs might become vulnerable to specific attacks that are targeted to these mechanisms.
In this paper, we presented a novel and simple method to secure the sensing process in a CBSN and improve its availability. The method relies on cryptographic primitives that require a minimum amount of memory and low energy consumption, thus being more suited for devices with limited resources than traditional approaches. It offers authentication and encryption of control data shared by the sensors in the CBSN to agree on a given channel.
Our proposal was analyzed in terms of security, and we showed that, although it does not provide the same level of security as AES-based encryption and authentication, it is still sufficient for low packet rate networks such as CBSNs. The provided results also showed that our method outperforms existing approaches in terms of transmission/reception overhead and number of CPU cycles needed, particularly as the number of sensor nodes increases. For typical microcontrollers such as CC2540 and MSP430, the improvement in energy consumption clearly justifies the use of the proposed method against AES-based mechanisms in constrained networks such as CBSNs, in which maximizing the network life is extremely important.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgment
This work has been partially supported by the Spanish government under grant TEC2011-22746 "TAMESIS" and by the Ministry of Economy and Competitiveness through the projects CO-PRIVACY (TIN2011-27076-C03-02) and SMARTGLACIS (TIN2014-57364-C2-2-R).
References
[1] B. Latre, B. Braem, I. Moerman, C. Blondia, and P. Demeester, "A survey on wireless body area networks," Wireless Networks, vol. 17, no. 1, pp. 1–18, 2011.
[2] S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, "Wireless body area networks: a survey," IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014.
[3] 802.15.6-2012—IEEE Standard for Local and metropolitan area networks—Part 15.6: Wireless Body Area Networks, 2012, http://standards.ieee.org/getieee802/download/802.15.6-2012.pdf.
[4] Bluetooth Low Energy (LE), June 2014, http://www.bluetooth.com/Pages/low-energy-tech-info.aspx.
[5] The ANT+ Alliance, 2014, http://www.thisisant.com.
[6] Wi-Fi Alliance, June 2014, http://www.wi-fi.org.
[7] Zigbee Alliance, June 2014, http://www.zigbee.org.
[8] M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, "SoK: security and privacy in implantable medical devices and body area networks," in Proceedings of the 35th IEEE Symposium on Security and Privacy (SP '14), pp. 524–539, San Jose, Calif, USA, May 2014.
[9] I. F. Akyildiz, W.-Y. Lee, M. C. Vuran, and S. Mohanty, "NeXt generation/dynamic spectrum access/cognitive radio wireless networks: a survey," Computer Networks, vol. 50, no. 13, pp. 2127–2159, 2006.
[10] B. Wang and K. J. R. Liu, "Advances in cognitive radio networks: a survey," IEEE Journal of Selected Topics in Signal Processing, vol. 5, no. 1, pp. 5–23, 2011.
[11] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in unknown dynamic environment: a game-theoretic stochastic learning solution," IEEE Transactions on Wireless Communications, vol. 11, no. 4, pp. 1380–1391, 2012.
[12] D. Cavalcanti, S. Das, J. Wang, and K. Challapali, "Cognitive radio based wireless sensor networks," in Proceedings of the 17th International Conference on Computer Communications and Networks (ICCCN '08), pp. 1–6, August 2008.
[13] O. Leon, J. Hernandez-Serrano, and M. Soriano, "Securing cognitive radio networks," International Journal of Communication Systems, vol. 23, no. 5, pp. 633–652, 2010.
[14] M. Rostami, A. Juels, and F. Koushanfar, "Heart-to-Heart (H2H): authentication for implanted medical devices," in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 1099–1111, ACM, Berlin, Germany, November 2013.
[15] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun, "Proximity-based access control for implantable medical devices," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 410–419, Chicago, Ill, USA, November 2009.
[16] L. Shi, M. Li, S. Yu, and J. Yuan, "BANA: body area network authentication exploiting channel characteristics," IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1803–1816, 2013.
[17] C. C. Tan, S. Zhong, H. Wang, and Q. Li, "Body sensor network security: an identity-based cryptography approach," in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 148–153, April 2008.
[18] O. Garcia-Morchon, T. Falck, T. Heer, and K. Wehrle, "Security for pervasive medical sensor networks," in Proceedings of the 6th Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous '09), pp. 1–10, Toronto, Canada, July 2009.
[19] G. Selimis, L. Huang, F. Masse et al., "A lightweight security scheme for wireless body area networks: design, energy evaluation and proposed microprocessor design," Journal of Medical Systems, vol. 35, no. 5, pp. 1289–1298, 2011.
[20] Y. Yan and T. Shu, "Energy-efficient In-network encryption/decryption for wireless body area sensor networks," in Proceedings of the IEEE Global Communications Conference (GLOBECOM '14), pp. 2442–2447, IEEE, Austin, Tex, USA, December 2014.
[21] Y. Xu, A. Anpalagan, Q. Wu, L. Shen, Z. Gao, and J. Wang, "Decision-theoretic distributed channel selection for opportunistic spectrum access: strategies, challenges and solutions," IEEE Communications Surveys and Tutorials, vol. 15, no. 4, pp. 1689–1713, 2013.
[22] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in cognitive radio networks: global optimization using local interaction games," IEEE Journal on Selected Topics in Signal Processing, vol. 6, no. 2, pp. 180–194, 2012.
[23] R. Chavez-Santiago, K. E. Nolan, O. Holland et al., "Cognitive radio for medical body area networks using ultra wideband," IEEE Wireless Communications, vol. 19, no. 4, pp. 74–81, 2012.
[24] A. R. Syed and K.-L. A. Yau, "On cognitive radio-based wireless body area networks for medical applications," in Proceedings of the 1st IEEE Symposium on Computational Intelligence in Healthcare and e-Health (CICARE '13), pp. 51–57, Singapore, April 2013.
[25] R. Chen, J.-M. Park, and K. Bian, "Robust distributed spectrum sensing in cognitive radio networks," in Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM '08), pp. 1876–1884, IEEE, Phoenix, Ariz, USA, April 2008.
[26] H. Rifa-Pous, M. J. Blasco, and C. Garrigues, "Review of robust cooperative spectrum sensing techniques for cognitive radio networks," Wireless Personal Communications, vol. 67, no. 2, pp. 175–198, 2012.
[27] B. Braem, B. Latre, C. Blondia, I. Moerman, and P. Demeester, "Analyzing and improving reliability in multi-hop body sensor networks," International Journal on Advances in Internet Technology, vol. 2, no. 1, pp. 152–161, 2009.
[28] I. F. Akyildiz, B. F. Lo, and R. Balakrishnan, "Cooperative spectrum sensing in cognitive radio networks: a survey," Physical Communication, vol. 4, no. 1, pp. 40–62, 2011.
[29] B. Sundararaman, U. Buy, and A. D. Kshemkalyani, "Clock synchronization for wireless sensor networks: a survey," Ad Hoc Networks, vol. 3, no. 3, pp. 281–323, 2005.
[30] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems—CHES 2008: 10th International Workshop, Washington, DC, USA, August 10–13, 2008. Proceedings, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[31] C. Cordeiro, K. Challapali, D. Birru, and N. Sai Shankar, "IEEE 802.22: the first worldwide wireless standard based on cognitive radios," in Proceedings of the 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN '05), pp. 328–337, Baltimore, Md, USA, November 2005.
[32] S. Ullah, H. Higgins, B. Braem et al., "A comprehensive survey of wireless body area networks: on PHY, MAC, and network layers solutions," Journal of Medical Systems, vol. 36, no. 3, pp. 1065–1094, 2012.
[33] N. Sastry and D. Wagner, "Security considerations for IEEE 802.15.4 networks," in Proceedings of the ACM Workshop on Wireless Security (WiSe '04), pp. 32–42, Philadelphia, Pa, USA, October 2004.
[34] M. Pajic, Z. Jiang, I. Lee, O. Sokolsky, and R. Mangharam, "From verification to implementation: a model translation tool and a pacemaker case study," in Proceedings of the 18th IEEE Real Time and Embedded Technology and Applications Symposium (RTAS '12), pp. 173–184, Beijing, China, April 2012.
[35] CC2540 2.4-GHz Bluetooth low energy System-on-Chip, 2013, http://www.ti.com/lit/ds/symlink/cc2540.pdf.
[36] U. Kretzschmar, "AES128—a C implementation for encryption and decryption MSP430 systems ECCN 5E002 TSPA—technology/software publicly," Application Report SLAA397A, Texas Instruments, Dallas, Tex, USA, 2009, http://www.ti.com.cn/cn/lit/an/slaa397a/slaa397a.pdf.
[37] El Barquero Aqueronte, MSP430 Cycles and Instructions, edited by Aqueronte, 2011, http://unbarquero.blogspot.com.es/2011/05/msp430-cycles-and-instructions.html.
[38] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems—CHES 2008, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[39] S. Kamath and J. Lindh, "Measuring bluetooth low energy power consumption," Application Note AN092, Texas Instruments, Dallas, Tex, USA, 2012, Version SWRA347a, http://www.ti.com/lit/an/swra347a/swra347a.pdf.
Figure 2: Communication between sensors and the gateway. (Diagram labels: gateway, sensor, sink.)
transmitting these data to an external gateway if required (see Figure 2). Although this approach introduces some overhead due to the fact that data must be shared among all sensors, it improves network availability and robustness against data loss and fairly distributes energy consumption among all sensors. Also, it eases data gathering by the gateway, which can connect to any of the BSN nodes to get all the information.
As previously mentioned, we also assume that sensors have cognitive capabilities; that is, they form a CBSN and are able to identify free spectrum bands and adapt their transmission parameters accordingly. Spectrum sensing can be performed by each node on an individual basis or cooperatively. As the latter increases the probability of detection due to space diversity [28], we have adopted such an approach in this work.
In cooperative spectrum sensing, each sensor senses the medium and exchanges its observations with the other members of the network in order to agree on a given channel for data transmission/reception. However, these control data are exposed to many attacks [13], such as packet injection, eavesdropping, or Denial of Service (DoS). Next, we describe the attacker model and the specific attacks that can be executed against CBSNs.
3.1. Attacker Model. In this work, we focus on outsiders, that is, external attackers that do not share any cryptographic content with the gateway or the victim's sensor nodes. If the attacker nodes are part of the CBSN, they will have access to the keying material and therefore will be able to successfully eavesdrop and inject data. In any case, the design of a mechanism to counteract this threat is out of the scope of this work.
In the context of CBSNs, we can classify adversaries according to the following criteria:
(i) Active or passive: a passive attacker can only eavesdrop data, thus being able to access patient's data and violating his/her privacy. In turn, an active attacker aims at injecting or modifying data in order to send fake reports on the state of the patient.
(ii) Type of attack, which includes the following:
(a) eavesdropping: unauthorized access to stored data or to transmitted data among the CBSN devices, thus violating the privacy of the patient;
(b) modification/injection: an attacker may alter the content of a packet transmitted by a sensor or impersonate a sensor by forging a packet; these attacks can be executed due to lack of authentication and violate the integrity of the CBSN communications;
(c) packet replay: an attacker may capture a packet that was previously sent by a sensor of the network. Regardless of whether the CBSN is using authentication mechanisms or not, the packet will be accepted by the network if antireplay mechanisms are not provided;
(d) jamming: the adversary disrupts the CBSN communications by generating interfering signals.
(iii) Intentional or unintentional: the adversary can be an external entity willing to cause damage to the communications among sensors and the gateway, or can be an entity that unintentionally is causing interferences to those communications. As an example, the patient of interest could be near another patient with wearable sensors, which could inject fake reports if data is not properly authenticated. Examples of unintentional attacks could take place in a situation where two patients bearing body sensors are hugging and unconsciously exchange data. Or the patient could be near a relative who is visiting him/her at the hospital and carries any electronic device that causes interferences to the CBSN.
It is important to remark that, in a CBSN where sensor nodes establish communications using different channels over time, these attacks can be extended to the control data exchange among the devices of the CBSN. As an example, an attacker may forge a report regarding the availability of the channels, thus leading the CBSN to select a channel that is suffering from high interferences or that is currently being used by another service. Note that this attack can lead to a DoS and the failure of the system in monitoring the patient's status. In turn, eavesdropping of the control channel allows an attacker to have knowledge of the channels to be used by the CBSN. The attacker could take advantage of this situation in order to easily disrupt the communications in the network by performing a new DoS attack every time the CBSN switches to a new channel.
The implementation of security mechanisms in a CBSN [12] to counteract these attacks is especially challenging due to the limited capabilities of CBSN's nodes. In the following section, we describe a simple method to secure the process of channel selection in CBSNs. The proposed mechanism is suited for networks with extremely resource-constrained devices, since it makes use of lightweight cryptographic functions and minimizes the added transmission/reception overhead.
4 Securing Sensing Data and Channel Selection in CBSNs
In the following, we present a mechanism for securing the exchange of sensing data and the channel selection process in CBSNs. Section 4.1 outlines the assumptions considered in this work regarding the network model, and in Section 4.2 we describe the protocol operation. For ease of understanding, we present the terminology used along this section as follows:
$\mathrm{CTR}_M$: medium-term session counter ($m$ bits)
$\mathrm{CTR}_S$: short-term session counter ($m$ bits)
$D^u_i$: data sensed by node $u$ during period $i$ ($l$ bits)
$\mathrm{ID}^u$: link-layer identifier of node $u$ ($m$ bits)
$K^u_i$: keystream to encrypt and authenticate data for node $u$ during period $i$ ($r$ bits)
KM: keying master
$l$: length of the data sensed by a given node during a given period
$m$: length of the hash output and all the secrets
$N$: number of nodes in the network
$p$: number of keystreams $K^u_i$ obtained from a $S^u$ ($p = m/r$), defining the number of sensing periods before updating $S^u$
$r$: length of the keystreams $K^u_i$, which must be a divisor of $m$
$S_L$: long-term globally shared secret ($m$ bits)
$S_M$: medium-term globally shared secret ($m$ bits)
$S_{s_i}$: long-term secret shared between the KM and node $i$; it is used to update $S_L$ in case it is compromised
$S^u$: short-term shared secret with node $u$
4.1. Assumptions. Although the proposed protocol is designed to be implemented in heavily constrained devices, we work under the assumption that such devices have at least the following capabilities:
(i) Compute a hash function with an output length of $m$ bits.
(ii) Temporarily store in its random access memory at least $m \cdot (N + 3)$ bits, with $N$ the number of nodes in the network. As we detail later in Section 4.2, each node must keep a short-term shared secret for each of the $N$ nodes in the network (including itself) and three more long-term and medium-term secrets, each one with length of $m$ bits.
(iii) Sensor nodes use a synchronization protocol that will be used to share a global short-term session counter and a medium-term session counter among all nodes (see Section 4.2). Given the low transmission rate of sensor networks, existing synchronization schemes [29] provide enough precision for this purpose. We assume that the chosen protocol provides recovery methods upon loss of synchronization. How synchronization is achieved will strongly depend on the chosen protocol, but if the latter requires a master node for providing synchronization, the gateway of the BSN could play this role.
To the best of our knowledge, the former requirement can be assumed even in very constrained devices. As shown in [30], there are several lightweight hash functions that can be integrated into a sensor mote. The latter may not be harder to achieve. As detailed in Section 4.2, during every sensing period each node stores one secret per member of the network, a globally shared secret, and two counters, all of them with the same length $m$ as the hash output. If we consider a typical hash function with an output of 128 or 256 bits and a network with tens to hundreds of sensors, the RAM requirements for sensor nodes are just bounded to a few tens of kilobytes.
4.2. Protocol Operation. Before deploying the CBSN, every sensor node must be preloaded by a keying master (KM) with the following data:
(1) The set of channels that the sensor will have to sense in the cooperative sensing process.
(2) A long-term and globally shared secret $S_L$ of $m$ bits (the hash output length).
(3) A long-term secret $S_{s_i}$ shared between the KM and node $i$ that will be used to update the globally shared secret $S_L$ in case it is compromised.
The KM is an external device which is not a member of the BSN. Typically, this role is played by the device responsible for gathering data from the sensors, or gateway (e.g., a smart phone or a tablet).
Upon deployment of the network, every node derives a medium-term globally shared secret $S_M$ by hashing the XOR of the long-term secret $S_L$ and a counter. The generation process of $S_M$ is clearly depicted in Figure 3. This process is periodically repeated with an updated value of the medium-term counter in order to protect the secret against a potential attacker. Details about how often this process should be carried out and the attacker capabilities are provided in Section 5.
As shown in Figure 4, each node generates a set of random sequences of $m$ bits, one for the node itself and one for each other node in the network. These random sequences $S^u$, with $u$ the node identifier, are obtained by hashing the XOR of the link-layer identifier of the node $\mathrm{ID}^u$, the medium-term shared secret $S_M$, and a short-term session counter $\mathrm{CTR}_S$.
Therefore, our proposal makes use of three types of shared secrets:
(i) A short-term per-node shared secret $S^u$ (one per each node in the network) used for encryption, decryption, and authentication of data.
(ii) A medium-term globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.
(iii) A long-term globally shared secret that is used to derive a new $S_M$ when the current one is about to expire.
As clearly denoted in Figure 5, each sequence $S^u$ is divided into $p$ fragments of $r$ bits, which will be denoted as $K^u_i$, each one being used as keystream to encrypt and authenticate data for node $u$ in period $i$. As per this behavior, a new short-term shared secret must be derived every $p$ sensing periods.
Figure 3: Generation of the medium-term globally shared secret $S_M$. (Diagram: the long-term shared secret $S_L$ and the medium-term session counter $\mathrm{CTR}_M$, of $m$ bits each, are hashed into the $m$-bit medium-term shared secret $S_M$.)
Figure 4: Generation of the short-term shared secret $S^u$ for node $u$. (Diagram: the identifier of node $u$ $\mathrm{ID}^u$, the medium-term shared secret $S_M$, and the short-term session counter $\mathrm{CTR}_S$, of $m$ bits each, are hashed into the $m$-bit short-term shared secret $S^u$.)
When a node performs spectrum sensing, it generates a binary sequence $D^u_i$ of $l$ bits that stores the availability of the different channels. The length of such sequence $l$ will depend on the number of bits used to code the state of each channel and the number of channels. As an example, the simplest way would be to use just a single bit for coding each channel, with value "0" if the channel is occupied and "1" otherwise. If more precise information about the quality of channels is needed (i.e., high, medium, low, and very low quality), more bits can be used to code the channel state.
During a sensing period $i$, each node must send to its neighbors its own sensing information, but it must also process the information received from its neighbors to reach a joint decision.
In order to send its own sensing information, node $u$ will make use of the corresponding keystream $K^u_i$: the first $l$ bits of the keystream will be used to encrypt channel information $D^u_i$ by means of a XOR addition; the remaining $r - l$ bits are left unchanged and will be used to provide message authentication, as illustrated in Figure 5. The resulting sequence $C^u_i$ will be sent to all the other nodes.
To verify the authenticity and decrypt the content of the packets that have been sent by a given neighbor $u$, a node will XOR the sequence $C^u_i$ of the received packet with the keystream $K^u_i$, as depicted in Figure 6. If the last $r - l$ bits of the resulting sequence are not all 0s, the authentication fails and the entire packet is discarded. Otherwise, channel information can be recovered from the first $l$ bits resulting from the XOR addition.
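The derivation, encryption, and verification steps of Section 4.2, as an added Python example that is not code from the paper. Assumptions: SHA-256 truncated to m bits stands in for the lightweight hash, m = 128, r = 32, l = 16, CTR_S advances by one every p sensing periods, and all secrets, identifiers, and sensing data are constructed sample values.

```python
import hashlib

M_BITS, R_BITS, L_BITS = 128, 32, 16   # m, r (divides m) and l; sample sizes
P = M_BITS // R_BITS                   # p = m / r periods per short-term secret
TAG_BITS = R_BITS - L_BITS             # r - l authentication bits


def H(value: int) -> int:
    """Stand-in hash (assumption): SHA-256 truncated to m bits."""
    digest = hashlib.sha256(value.to_bytes(M_BITS // 8, "big")).digest()
    return int.from_bytes(digest[: M_BITS // 8], "big")


def medium_term_secret(s_l: int, ctr_m: int) -> int:
    """S_M = H(S_L xor CTR_M), as in Figure 3."""
    return H(s_l ^ ctr_m)


def short_term_secret(node_id: int, s_m: int, ctr_s: int) -> int:
    """S^u = H(ID^u xor S_M xor CTR_S), as in Figure 4."""
    return H(node_id ^ s_m ^ ctr_s)


def keystream(s_m: int, node_id: int, t: int) -> int:
    """K^u_i for global sensing period t (0-based).

    Assumption: CTR_S advances by one every p periods, so each r-bit
    fragment of S^u is used once and S^u is renewed after p periods.
    """
    ctr_s, i = divmod(t, P)
    s_u = short_term_secret(node_id, s_m, ctr_s)
    return (s_u >> (M_BITS - (i + 1) * R_BITS)) & ((1 << R_BITS) - 1)


def seal(d: int, k: int) -> int:
    """C^u_i: first l bits carry D xor K, last r - l bits are K unchanged."""
    if d >> L_BITS:
        raise ValueError("sensing data does not fit in l bits")
    return k ^ (d << TAG_BITS)


def open_packet(c: int, k: int):
    """Return D when the last r - l bits of C xor K are all zero, else None."""
    x = c ^ k
    if x & ((1 << TAG_BITS) - 1):
        return None                    # authentication failed: discard packet
    return x >> TAG_BITS


def accepted_forgeries(k: int, guessed_data_bits: int) -> int:
    """Count how many of the 2^(r-l) possible tails verify for a packet
    built without K. Exactly one does, so a blind guess passes with
    probability 2^-(r-l)."""
    base = guessed_data_bits << TAG_BITS
    return sum(open_packet(base | tail, k) is not None
               for tail in range(1 << TAG_BITS))


# Constructed sample values (not from the paper).
S_L = 0x0123456789ABCDEF0F1E2D3C4B5A6978     # preloaded long-term secret
CTR_M = 7                                    # medium-term session counter
NODE_U = 0x2A                                # link-layer identifier of node u
REPORT = 0b1011000011110001                  # 16 channels, 1 = free


def demo():
    # Sender u and a receiving neighbor derive the same material separately.
    s_m_sender = medium_term_secret(S_L, CTR_M)
    s_m_receiver = medium_term_secret(S_L, CTR_M)
    t = 5                                    # second S^u, fragment 2 of 4
    c = seal(REPORT, keystream(s_m_sender, NODE_U, t))
    k_rx = keystream(s_m_receiver, NODE_U, t)
    return {
        "decrypted": open_packet(c, k_rx),
        "tail_bit_flipped": open_packet(c ^ 1, k_rx),
        # A packet captured in period t, checked with the next keystream.
        "replayed_next_period": open_packet(
            c, keystream(s_m_receiver, NODE_U, t + 1)),
        "distinct_keystreams": len(
            {keystream(s_m_receiver, NODE_U, x) for x in range(3 * P)}),
        "forgeries_accepted": accepted_forgeries(k_rx, 0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```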
The above described process is applied for each neighboring node $u$. Then, the channel reported by a larger number of neighbors will be selected for the operation of the network. Note that, because more than one channel may be reported by the same amount of nodes, a tie-break mechanism is needed to guarantee that the process leads to equal results in all nodes. One simple approach that could be used is to select the channel with the highest identifier. However, this would lead to a lower usage of channels with lower identifiers and therefore to providing the attacker with valuable information about channel usage in the CBSN. As a consequence, we propose to use a tie-break method that relies on the format of $D^u_i$.
Recall that a fundamental characteristic of this protocol is that there is no central entity that is known and trusted by all sensors. This makes the protocol suitable for unattended scenarios, and it also makes it more efficient in terms of data transmitted through the network, because no information is sent regarding which channels have to be sensed or which channel is finally selected. Instead, sensors are deployed with all the information needed to perform the sensing in a distributed way and make a joint decision autonomously. Thus, there is no need for additional mechanisms to be used when a new node joins the network. In this case, the new node needs to synchronize with the rest of the members to get the proper value of the session counters by making use of the corresponding protocol. However, when a node is expelled from the network because it has been compromised, new cryptographic material must be generated and distributed among the remaining nodes. The KM is responsible for triggering this process and communicates with each sensor node to update the shared long-term secret $S_L$. Note that, because the KM shares a different secret $S_{s_i}$ with each node $i$, it can securely distribute the new value of $S_L$. Upon reception of $S_L$, each node should perform again the initialization process described at the beginning of this section.
Figure 5: Encrypting and authenticating sensing data. (Diagram: the $m$-bit short-term shared secret $S^u$ is split into keystreams $K^u_1, K^u_2, \ldots, K^u_p$ of $r$ bits; in each sensing period $i$, the $l$ bits of sensing data $D^u_i$ and the keystream $K^u_i$ give $C^u_i$, made of $l$ bits of encrypted sensing data and $r - l$ bits of authentication data.)
Figure 6: Decrypting sensing data. (Diagram: in sensing period 1, the received $C^u_1$ of $r$ bits is combined with keystream $K^u_1$; if the $r - l$ bits are not all 0s, the sensing data is rejected; otherwise the $l$ bits of sensing data $D^u_1$ are accepted.)
5 Security Analysis
The security of the proposed method relies on the shared secrets used to derive the keys and perform encryption and authentication of channel availability data. As long as these secrets are not compromised, data confidentiality can be ensured; that is, an attacker might not be able to get the list of channels to be used in the CBSN. Besides, the method must prevent an attacker from injecting fake data into the system. These issues are discussed as follows. In Section 5.1, we analyze how often the shared secrets should be updated in order to guarantee a proper protection against cryptanalysis; next, in Section 5.2, we evaluate the packet authentication method used in our proposal in terms of probability of bypassing the authentication check.
5.1. Shared Secrets Lifetime. As previously mentioned in Section 3.1, for this analysis we are assuming that attacks come from external entities, and therefore attackers are not able to obtain the cryptographic material that is stored in the body sensors. In the context of this proposal, the lifetime of each of the shared secrets is the interval in which these secrets are considered computationally safe against cryptanalysis, that is, their cryptoperiod.
The cryptoperiod directly depends on the chosen cryptographic protocols, the length of the secrets themselves, and the number of times they are used. The more a given secret is used, the shorter its cryptoperiod is, as an attacker gets more information about this secret and therefore the probability of a successful cryptanalysis increases. In fact, cryptoperiod is defined more in terms of the number of times a given secret or key is reused (the amount of ciphertext exposed to an attacker for a given secret/key) than as a given time period, which strongly depends on the transmission rate of the sensor nodes.
Recall the three types of shared secrets used in the proposed method:
(i) Short-term per-node shared secrets: one secret $S^u$ per source node that is used to lightweight encrypt/decrypt and authenticate the channels' sensed data.
(ii) Medium-term globally shared secrets: globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.
(iii) Long-term globally shared secret: this being the initially preloaded secret $S_L$ that is used to derive a new medium-term globally shared secret $S_M$ when the current one is about to expire.
As clearly denoted in Figure 5, our approach operates in some manner as an additive stream cipher. It is well known that stream ciphers are considered to be secure as long as the key is never reused, and thus our cipher will be secure if a given value $S^u$ is not repeated. As a result, $S^u$ must be updated every $p = m/r$ sensing periods, with $p$ the renewal period, $m$ the length of the shared secret $S^u$, and $r$ the amount of transmitted bits (sensing data) in a sensing period that are encrypted with $S^u$.
Recall that in our proposal the per-node key used for encryption, $S^u$, is generated by means of a hash function. A second requirement is that this function must be cryptographically secure. Note that if the hash function does not meet this requirement, an attacker might be able to reverse it, that is, to get the input of the hash function given an output, meaning that in our proposal an attacker would be able to recover the value of the medium-term globally shared secret $S_M$ (see Figure 4).
A cryptographically secure hash function with an output of $m$ bits can offer a security level of $2^m$ operations against preimage attacks and $2^{m/2}$ against collision attacks. Generally speaking, a minimum output of 128 bits is required in order to provide a high level of security for most applications, but shorter lengths are accepted if the number of generated messages in a given period is limited, as is the case in low-rate networks. In Section 6 we propose several lightweight hash candidates with an output of 128 bits; that is to say, we can assume that it is computationally unfeasible for an attacker to invert the hash function and thus to predict the value of $S_M$, as long as it is updated before exceeding its cryptoperiod, which has an upper bound of $2^{m/2} = 2^{64}$ uses.
The long-term globally shared secret $S_L$ is only used to update the current medium-term globally shared secret $S_M$. Because $S_M$ is not updated very often, it is very unlikely that an attacker manages to obtain several values of $S_M$ to reverse the hash function and recover $S_L$. As a result, we can assume that the $S_L$ cryptoperiod is long enough and there is no need to update the secret during the nodes' lifetime.
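The renewal rule $p = m/r$ and the reason behind it can be made concrete with a short added example, which is not code from the paper. It assumes that $S^u$ is derived as a hash of $S_M$, the node identifier and the short-term counter, that the $p$ keystreams are consecutive $r$-bit slices of $S^u$, and it uses SHA-256 truncated to 128 bits in place of the lightweight hash; all function and class names are hypothetical.

```python
import hashlib

M_BITS = 128  # m: length of the hash output and of every shared secret


def derive_short_term_secret(s_m: bytes, node_id: bytes, ctr_s: int) -> bytes:
    """Derive the per-node secret S^u from the medium-term secret S_M.

    ASSUMPTION: the input layout S_M || ID_u || CTR_S and SHA-256 truncated
    to m bits are placeholders for the paper's derivation and lightweight hash.
    """
    material = s_m + node_id + ctr_s.to_bytes(M_BITS // 8, "big")
    return hashlib.sha256(material).digest()[: M_BITS // 8]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class KeystreamSchedule:
    """Hands out the p = m/r keystreams held in one S^u, each exactly once."""

    def __init__(self, s_u: bytes, r_bits: int):
        if len(s_u) * 8 != M_BITS:
            raise ValueError("S^u must be m bits long")
        # r must divide m; byte alignment is a simplification of this example.
        if r_bits <= 0 or r_bits % 8 or M_BITS % r_bits:
            raise ValueError("r must be a byte-aligned divisor of m")
        self._s_u = s_u
        self._r_bytes = r_bits // 8
        self.p = M_BITS // r_bits       # sensing periods covered by this S^u
        self.used = 0

    def next_keystream(self) -> bytes:
        if self.used >= self.p:
            raise RuntimeError("S^u exhausted after p periods: derive a new one")
        start = self.used * self._r_bytes
        self.used += 1
        return self._s_u[start:start + self._r_bytes]

    def encrypt(self, report: bytes) -> bytes:
        return xor_bytes(report, self.next_keystream())


def reuse_leak(s_u: bytes, report_a: bytes, report_b: bytes) -> bytes:
    """What an eavesdropper learns when one keystream protects two reports.

    The keystream cancels out: C_a xor C_b == D_a xor D_b, so every channel
    whose state changed between the two reports is exposed without any secret.
    """
    keystream = s_u[: len(report_a)]
    c_a = xor_bytes(report_a, keystream)
    c_b = xor_bytes(report_b, keystream)    # the mistake: same keystream again
    return xor_bytes(c_a, c_b)


def run_node(s_m: bytes, node_id: bytes, reports, r_bits: int):
    """Encrypt a sequence of reports, renewing S^u every p sensing periods."""
    ctr_s, out = 0, []
    sched = KeystreamSchedule(derive_short_term_secret(s_m, node_id, ctr_s), r_bits)
    for report in reports:
        if sched.used == sched.p:           # cryptoperiod of S^u reached
            ctr_s += 1
            sched = KeystreamSchedule(
                derive_short_term_secret(s_m, node_id, ctr_s), r_bits)
        out.append(sched.encrypt(report))
    return out, ctr_s


if __name__ == "__main__":
    S_M = bytes(range(16))                  # constructed sample secret
    NODE = b"\x00" * 15 + b"\x07"           # constructed 128-bit ID_u
    sample = [bytes.fromhex(h) for h in     # constructed 32-bit reports
              ("0000ffff", "0000ff0f", "0000ff0f", "0000f00f", "0000f0ff")]
    ciphertexts, renewals = run_node(S_M, NODE, sample, r_bits=32)
    print("ciphertexts:", [c.hex() for c in ciphertexts])
    print("renewals of S^u:", renewals)
    s_u0 = derive_short_term_secret(S_M, NODE, 0)
    print("leak on reuse:", reuse_leak(s_u0, sample[0], sample[1]).hex())
```

With $m = 128$ and $r = 32$ the schedule allows four sensing periods per $S^u$; a value of $r$ that does not divide $m$ is rejected when the schedule is built.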
5.2. Authentication. A cryptogram $C_i^u$ of sensing data contains an authentication field of 16 bits that is checked upon reception (see Figure 6). Consequently, an attacker has a chance of 1 in $2^{16}$ of guessing the next authentication field, which allows it to forge a valid authentication field and inject fake data. Note that this attack can lead the CBSN to wrong decisions about the availability of the spectrum.
If the attacker repeatedly attempts to send valid ciphertexts, it may succeed after $2^{15}$ attempts on average. Because the attacker does not know $S^u$, the authentication field appears to it as a random stream, and therefore it must select a fake authentication field at random. Besides, the attacker cannot determine whether a given ciphertext has been accepted or rejected, because the receiver does not acknowledge the reception of such packets to the emitter. Otherwise, the attacker could take advantage of this information in order to guess a valid authentication field in a faster way.
In conventional networks, $2^{15}$ packets may seem an extremely low number, but it may provide an adequate level of security in CBSNs. In these networks, the attacker can only send fake packets during the sensing periods, which are in the order of a few milliseconds in most cognitive scenarios [31]. Moreover, as previously stated in Section 1, transmission rates in BSNs are considerably low, with values usually ranging from tens to a few hundred kilobits per second.
As an example, let us consider a 1 Mbps link, a sensing period of 10 ms, and a packet size of 10 bytes (which is clearly bigger than the typical packet size in sensor networks). Given these parameters, an attacker would only be able to send 125 packets at most in every sensing period. That is to say, the attacker would need an average of 262144 sensing periods to send a fake packet and pass the authentication check.
6. Cost Evaluation and Comparison with Other Approaches
In this section we evaluate the cost of our proposal in terms of energy consumption due to transmission overhead and computational cost, and compare its performance with the most common approach adopted in sensor networks [32], which is providing authentication and/or encryption of the channel sensing data by means of standard block ciphers. As is well known, block ciphers have as input a key and the message to be encrypted or authenticated, which is divided into several blocks of fixed length. Both the block length and the key length depend on the algorithm being used. Regardless of the algorithm, block ciphers can be used in several modes of operation depending on the service to be provided, that is, encryption only, authentication only, or encryption/authentication. Generally, the following modes of operation are applied.
Authentication. CBC-MAC is a block cipher mode for generating message authentication codes. The message to be authenticated is divided into several blocks of equal size, and each block is encrypted so that the value of a given block depends on the encryption of the previous block. The final output of the cipher, that is, the message authentication code or CBC-MAC, is the result of encrypting the last block of the message. When the input of the cipher is shorter than the block size (as is usually the case in sensor networks), the CBC-MAC can be obtained by directly encrypting a single block padded until the block size of the cipher is reached.
Encryption. CTR mode of operation turns a block cipher into a stream cipher, meaning that the resulting ciphertext has the same size as the input or plain text. Thus, it does not force the output length to be a multiple of the block size, as is the case of other modes such as CBC-MAC. This property makes this mode of operation suitable for encryption in sensor networks, where devices usually exchange short-length messages.
Authentication + Encryption. CCM (CTR + CBC-MAC) is a common choice for providing both encryption (CTR) and authentication (CBC-MAC) [19]. A minor variation of CCM called CCM* is used in the ZigBee standard [7].
In this work we assume that the Advanced Encryption Standard (AES) in CTR mode is used for encryption and AES CBC-MAC for authentication, as it is the current standard for symmetric cryptography even in sensor nodes [33]. Currently there are efficient hardware implementations of AES that are highly affordable.
Regarding hardware platforms, the vast majority of previous works on BSNs have used the 16-bit Texas Instruments' (TI) MSP430 and CC2540 families of microcontrollers [34]. Built around a 16-bit CPU, ultra-low-power MSP430 microcontrollers are designed for low-cost and specifically low-power-consumption embedded applications. As an example, TI's CC2540 family [35] enables robust Bluetooth low energy (BLE) network nodes to be built with low total bill-of-material (BOM) costs. BLE operates in the same spectrum range (2.400 GHz–2.4835 GHz ISM band) as classic Bluetooth technology but uses a different set of channels: instead of 79 1 MHz channels, BLE offers 40 2 MHz channels, 3 for advertising purposes and 37 for data exchange.
6.1. Transmission/Reception Overhead. In this section we analyze the overhead introduced by our proposal in terms of transmission/reception of channel availability data and compare it with the overhead exhibited when conventional approaches are used for data encryption/authentication, as explained above. We assume that all sensors are capable of sensing a given set of channels and reporting information about their state.
With our proposal, the minimum number of transmitted bits will depend on the number of channels that a given sensor is reporting, the number of bits used to code the state of each channel, and the length of the authentication code. As explained in Section 5.2, a length of 16 bits is enough to secure most applications in WSNs, and thus we have assumed this value for the authentication field. This leads to a total amount of $\text{Bits}_{tx} = l + 16$ transmitted bits, where $l$ represents the total number of bits used to code all possible channels, and $\text{Bits}_{rx} = (n - 1)\,\text{Bits}_{tx}$ received bits, representing the number of bits received by a given sensor from its neighbors.
Aiming to provide a fair comparison, we choose the same key length for block ciphers and for our proposal, that is to say, a 128-bit key. The transmitted-bits overhead added by AES CBC-MAC authentication is 128 bits (for a semantically secure implementation, an IV or nonce must also be shared between emitter and receiver, so that the overhead can be higher). Regarding encryption, the number of transmitted bits is equal to the number of bits $l$ used to code the state of the channels, but it also requires the use of a nonce with a length equal to half of the key length, that is, 64 bits per message.
During every sensing period, every node must transmit a packet with sensing information but also must process the packets received from its neighbors. Table 1 and Figure 7, respectively, show the transmission and reception overhead due to the secure sharing of sensing information using both standard block ciphers and our proposal. The values are provided as a function of the number of bits $l$ used to code the state of the channels and the number of nodes $N$, ranging from 5 to 30. Given that the considered scenario is a body sensor network, this is more than a reasonable value, since a patient wearing more than 30 sensors may be an unlikely situation.
The reader may notice that the overhead introduced by this mechanism increases linearly with the number of nodes for both approaches. However, with the proposed method the transmission/reception overhead is considerably reduced with respect to the use of standard block ciphers, while still maintaining an acceptable level of security. In fact, the more nodes in the CBSN, the bigger the improvement introduced by the former. As we will show later, the transmission/reception savings also lead to a huge saving in energy consumption.
6.2. Computational Cost. In this section we provide a comparison of the CPU cost in cycles due to the implementation of the cryptographic functions.
If AES is used, the total cryptographic cost per node for securing the exchange of sensing data equals the cost of one encryption and $N - 1$ decryptions. Assuming the Texas Instruments' reference AES implementation for CC2540 microcontrollers [36], AES encryption needs 6600 cycles/block and AES decryption 8400 cycles/block.
With our proposal, the energy consumption has three components: the computation of the different sequences $S_i^u$ with the hash function before the sensing period begins, the XOR of the keystream $K_i^u$ with the sequence $D_i^u$ that signals the availability of channels, and the XOR of the sequences $C_i^u$ received from neighbors with the precomputed $S_i^u$. Therefore, a node must compute $N$ hashes and perform $N$ XORs to send channel information and process the reports received from its neighbors.
Table 1: Transmission overhead.
| Mode | $l$ (bits) | Overhead (bits) |
|---|---|---|
| Authentication only (CBC-MAC) | 16 | 128 |
| Authentication only (CBC-MAC) | 32 | 128 |
| Authentication only (CBC-MAC) | 64 | 128 |
| Encryption only (CTR) | 16 | 80 |
| Encryption only (CTR) | 32 | 96 |
| Encryption only (CTR) | 64 | 128 |
| Authentication and encryption (CCM) | 16 | 208 |
| Authentication and encryption (CCM) | 32 | 224 |
| Authentication and encryption (CCM) | 64 | 256 |
| Authentication and encryption (our proposal) | 16 | 32 |
| Authentication and encryption (our proposal) | 32 | 48 |
| Authentication and encryption (our proposal) | 64 | 80 |
Figure 7: Reception overhead for a varying number of nodes $N$. (Plot of reception overhead in bytes against the number of nodes $N$, from 5 to 30, for CBC-MAC with $l$ = 16, 32, 64 and for CTR, CCM, and our proposal with $l$ = 16, $l$ = 32, and $l$ = 64.)
As per [37], an XOR operation with an MSP430 accounts for 4-5 cycles/byte. Assuming a 128-bit hash function and the worst case, every XOR in our proposal accounts for $5 \cdot 16 = 80$ cycles. As previously explained in Section 5.1, we suggest the use of a lightweight cryptographic hash function specifically suited for low-end devices with an output of 128 bits. Table 2 depicts the number of CPU cycles per block needed [38] for two potential candidates. As clearly seen in the table, computing one of these hash functions requires only a few tens of cycles/block. In the following, for this analysis we will consider the (stripped) MAME hash function, as it is a pure hash function that does not rely on a symmetric cipher and requires more CPU cycles (worst case).
Table 2: Cycles per block for different cryptographic hash functions.
| Algorithm | Hash output size | Cycles/block |
|---|---|---|
| (Stripped) MAME | 128 | 96 |
| H-PRESENT-128 | 128 | 32 |
Taking into account the previous data, Figure 8 shows the CPU cycles consumed with both our proposal (with a MAME hash function) and standard AES-128 security. It can be clearly seen that our proposal scales much better with the number of nodes while still providing an appropriate level of security. We do not provide values for the process time, that is, the time needed for key generation, encryption, decryption, and data authentication, but the number of CPU cycles required to execute each function. In this way, time values can be obtained for a particular sensor node according to its CPU features.
6.3. Total Energy Cost. Table 3 provides the transmission and reception energy consumption of a TI's CC2540 microcontroller for different modes and values of transmission power. The displayed values have been tested under 25 °C. We do not have values for in-body conditions (≈38 °C), but we present these data for reference purposes. In any case, this fact only affects the energy consumption for receiving/transmitting. Note that the total cost in terms of energy is much higher, since it should also account for duty cycles, state changes, and other parameters [39].
There is no single specific "energy per CPU cycle" value, since the cycle consumption depends on the type of CPU operation. Anyway, in [34] the authors measured that the TI's MSP430F1611 consumes energy at an average of 0.72 nJ per clock cycle, and we have adopted such value in our study.
Figure 9 shows the total average energy consumption as a function of the number of neighboring sensor nodes and the number $l$ of bits used to code the channels for the proposed mechanism and standard approaches: CCM (authentication and encryption), CTR (encryption only), and CBC-MAC (authentication only). We have assumed standard reception and short-range transmission of −6 dBm (see Table 3).
As clearly denoted in the figure, our method only requires a few tens of µJ regardless of the number of sensor nodes, while AES-based security requires higher values of energy, ranging from 35 µJ to almost 240 µJ when encryption and authentication are provided and for 30 sensor nodes. The larger the number of sensor nodes, the bigger the improvement introduced by our proposal.
It must be remarked, however, that the purpose of this figure is to provide reference values to be taken into account for future implementations. Besides, the level of security provided by our method is lower than AES-based methods but is still more than adequate given the features of CBSNs (transmission rate, number of sent messages, etc.) and given the fact that the data we are trying to protect are just a limited number of potential channels to be used for operation of the network.
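The per-node figures of Section 6 can be recomputed with the following added cost model, which is not code from the paper. It assumes that the energy of one sensing period is the sum of the radio cost of the transmitted and received bytes and the CPU cost of the cryptographic operations, using only the constants quoted in the text (Table 1 sizes, Table 2 and [36] cycle counts, 0.72 nJ per cycle, RX standard and TX at −6 dBm from Table 3); the function names are hypothetical.

```python
"""Per-node cost of one sensing period, from the constants quoted in Section 6."""

AES_ENC_CYCLES = 6600       # cycles/block, TI reference AES implementation [36]
AES_DEC_CYCLES = 8400       # cycles/block
HASH_CYCLES = 96            # (stripped) MAME, Table 2
XOR_CYCLES = 5 * 16         # worst case: 5 cycles/byte over a 128-bit value [37]
NJ_PER_CYCLE = 0.72         # MSP430F1611 average [34]
TX_NJ_PER_BYTE = 71.4       # Table 3, TX at -6 dBm
RX_NJ_PER_BYTE = 58.8       # Table 3, RX standard

MAC_BITS = 128              # AES CBC-MAC output
NONCE_BITS = 64             # CTR nonce, half of the 128-bit key length
AUTH_FIELD_BITS = 16        # authentication field of the proposal

SCHEMES = ("cbc-mac", "ctr", "ccm", "ours")


def tx_bits(scheme: str, l: int) -> int:
    """Bits sent by one node per sensing period (reproduces Table 1)."""
    if scheme == "cbc-mac":
        return MAC_BITS
    if scheme == "ctr":
        return l + NONCE_BITS
    if scheme == "ccm":
        return l + NONCE_BITS + MAC_BITS
    if scheme == "ours":
        return l + AUTH_FIELD_BITS
    raise ValueError(f"unknown scheme: {scheme}")


def rx_bits(scheme: str, l: int, n: int) -> int:
    """Bits received from the n - 1 neighbours."""
    return (n - 1) * tx_bits(scheme, l)


def cpu_cycles(scheme: str, n: int) -> int:
    """Cryptographic cycles per node, with the accounting of Section 6.2."""
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme: {scheme}")
    if scheme == "ours":
        return n * (HASH_CYCLES + XOR_CYCLES)        # N hashes and N XORs
    return AES_ENC_CYCLES + (n - 1) * AES_DEC_CYCLES  # 1 enc, N - 1 dec


def energy_uj(scheme: str, l: int, n: int) -> float:
    """ASSUMPTION: total = radio (TX + RX bytes) + CPU cycles, in microjoules."""
    radio_nj = (tx_bits(scheme, l) / 8) * TX_NJ_PER_BYTE \
        + (rx_bits(scheme, l, n) / 8) * RX_NJ_PER_BYTE
    cpu_nj = cpu_cycles(scheme, n) * NJ_PER_CYCLE
    return (radio_nj + cpu_nj) / 1000.0


def comparison(l: int, nodes=(5, 10, 15, 20, 25, 30)):
    """Rows of (N, {scheme: energy in uJ}) for a given report length l."""
    return [(n, {s: round(energy_uj(s, l, n), 1) for s in SCHEMES}) for n in nodes]


if __name__ == "__main__":
    for l in (16, 32, 64):
        print(f"l = {l} bits")
        for n, row in comparison(l):
            cells = "  ".join(f"{s}={row[s]:7.1f} uJ" for s in SCHEMES)
            print(f"  N={n:2d}  {cells}")
```

Under these assumptions the model gives about 37 µJ for CCM with $l$ = 16 and $N$ = 5, about 237 µJ for CCM with $l$ = 64 and $N$ = 30, and about 22 µJ for the proposal in the latter case, in line with the ranges quoted above.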
Table 3: Current/energy consumption for RX/TX tested on Texas Instruments CC2540 EM with $T_A$ = 25 °C, with no peripherals active and low MCU activity at 250 kHz.
| Test conditions | Current | Energy/byte |
|---|---|---|
| RX standard | 19.6 mA | 58.8 nJ |
| RX high gain | 22.1 mA | 66.3 nJ |
| TX −23 dBm | 21.1 mA | 63.3 nJ |
| TX −6 dBm | 23.8 mA | 71.4 nJ |
| TX 0 dBm | 27 mA | 81 nJ |
| TX 4 dBm | 31.6 mA | 94.8 nJ |
Figure 8: Added CPU cycles for a secure exchange of sensing data. (Plot of CPU cycles, from 0 to 300000, against the number of nodes $N$, from 5 to 30, for AES with $l$ = 16, 32, 64 and for our proposal with $l$ = 16, 32, 64.)
Indeed, this mechanism introduces some overhead due to spectrum sensing and sharing of channel information and, as we pointed out above, the overhead increases linearly with the number of nodes in the network. The synchronization protocol adds some overhead too, but the increase will strongly depend on the chosen protocol. In [29] some protocols with high energy efficiency are referenced, which could be used in our proposal.
Despite this, we claim that it is definitely worth introducing this overhead to increase the availability of the network and make it robust to potential interferences and DoS attacks. Under these undesired situations, the current channel used by the CBSN may become unavailable, but the proposed method allows the nodes to securely agree on a new channel of operation and rapidly resume their transmissions. It must be remarked that securing channel availability information may prevent or at least diminish the effect of further DoS attacks when switching to a new channel.
We do not quantify the benefits of applying our method in terms of attack mitigation because it strongly depends on the capabilities of the attacker (time required for sensing each channel, number of channels that it can sense, etc.). As future work, it would be interesting to estimate the improvement achieved by our approach in terms of throughput of the CBSN connections and the tradeoff between benefits and overhead.
Figure 9: Added energy costs for a TI's MSP430F1611 with a TI's CC2540 microcontroller. (Plot of energy cost in µJ, from 0 to 250, against the number of nodes $N$, from 5 to 30, for CBC-MAC with $l$ = 16, 32, 64 and for CTR, CCM, and our proposal with $l$ = 16, $l$ = 32, and $l$ = 64.)
7. Conclusions
Body sensor networks (BSNs) emerge as an optimal solution for ensuring constant and remote monitoring of the health status of patients. Recent advances in technology have made it possible to deploy a network of tiny sensors over the human body, and even in-body, which can measure vital signs such as temperature, heart rate, or the level of glucose and report these data to medical personnel.
Guaranteeing the availability of such communications is a must, since connectivity losses during emergency situations may prevent a patient from immediately receiving medical assistance and may end up in catastrophic results.
A new network paradigm known as cognitive body sensor networks (CBSNs) could mitigate this threat by allowing body sensors to operate in a wide range of frequencies and adapt their transmission parameters according to highly dynamic environment conditions. However, this would come at the expense of implementing cooperative spectrum sensing mechanisms that allow sensors to exchange information about channel quality and availability. As a consequence, CBSNs might become vulnerable to specific attacks that are targeted at these mechanisms.
In this paper we presented a novel and simple method to secure the sensing process in a CBSN and improve its availability. The method relies on cryptographic primitives that require a minimum amount of memory and low energy consumption, thus being more suited for devices with limited resources than traditional approaches. It offers authentication and encryption of control data shared by the sensors in the CBSN to agree on a given channel.
Our proposal was analyzed in terms of security, and we showed that, although it does not provide the same level of security as AES-based encryption and authentication, it is still sufficient for low packet rate networks such as CBSNs. The provided results also showed that our method outperforms existing approaches in terms of transmission/reception overhead and number of CPU cycles needed, particularly as the number of sensor nodes increases. For typical microcontrollers such as CC2540 and MSP430, the improvement in energy consumption clearly justifies the use of the proposed method against AES-based mechanisms in constrained networks such as CBSNs, in which maximizing the network life is extremely important.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgment
This work has been partially supported by the Spanish Government under grant TEC2011-22746 "TAMESIS" and by the Ministry of Economy and Competitiveness through the projects CO-PRIVACY (TIN2011-27076-C03-02) and SMARTGLACIS (TIN2014-57364-C2-2-R).
References
[1] B. Latre, B. Braem, I. Moerman, C. Blondia, and P. Demeester, "A survey on wireless body area networks," Wireless Networks, vol. 17, no. 1, pp. 1–18, 2011.
[2] S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, "Wireless body area networks: a survey," IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014.
[3] 802.15.6-2012—IEEE Standard for Local and metropolitan area networks—Part 15.6: Wireless Body Area Networks, 2012, http://standards.ieee.org/getieee802/download/802.15.6-2012.pdf.
[4] Bluetooth Low Energy (LE), June 2014, http://www.bluetooth.com/Pages/low-energy-tech-info.aspx.
[5] The ANT+ Alliance, 2014, http://www.thisisant.com/.
[6] Wi-Fi Alliance, June 2014, http://www.wi-fi.org/.
[7] Zigbee Alliance, June 2014, http://www.zigbee.org/.
[8] M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, "SoK: security and privacy in implantable medical devices and body area networks," in Proceedings of the 35th IEEE Symposium on Security and Privacy (SP '14), pp. 524–539, San Jose, Calif, USA, May 2014.
[9] I. F. Akyildiz, W.-Y. Lee, M. C. Vuran, and S. Mohanty, "NeXt generation/dynamic spectrum access/cognitive radio wireless networks: a survey," Computer Networks, vol. 50, no. 13, pp. 2127–2159, 2006.
[10] B. Wang and K. J. R. Liu, "Advances in cognitive radio networks: a survey," IEEE Journal of Selected Topics in Signal Processing, vol. 5, no. 1, pp. 5–23, 2011.
[11] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in unknown dynamic environment: a game-theoretic stochastic learning solution," IEEE Transactions on Wireless Communications, vol. 11, no. 4, pp. 1380–1391, 2012.
[12] D. Cavalcanti, S. Das, J. Wang, and K. Challapali, "Cognitive radio based wireless sensor networks," in Proceedings of the 17th International Conference on Computer Communications and Networks (ICCCN '08), pp. 1–6, August 2008.
[13] O. Leon, J. Hernandez-Serrano, and M. Soriano, "Securing cognitive radio networks," International Journal of Communication Systems, vol. 23, no. 5, pp. 633–652, 2010.
[14] M. Rostami, A. Juels, and F. Koushanfar, "Heart-to-Heart (H2H): authentication for implanted medical devices," in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 1099–1111, ACM, Berlin, Germany, November 2013.
[15] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun, "Proximity-based access control for implantable medical devices," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 410–419, Chicago, Ill, USA, November 2009.
[16] L. Shi, M. Li, S. Yu, and J. Yuan, "BANA: body area network authentication exploiting channel characteristics," IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1803–1816, 2013.
[17] C. C. Tan, S. Zhong, H. Wang, and Q. Li, "Body sensor network security: an identity-based cryptography approach," in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 148–153, April 2008.
[18] O. Garcia-Morchon, T. Falck, T. Heer, and K. Wehrle, "Security for pervasive medical sensor networks," in Proceedings of the 6th Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous '09), pp. 1–10, Toronto, Canada, July 2009.
[19] G. Selimis, L. Huang, F. Masse et al., "A lightweight security scheme for wireless body area networks: design, energy evaluation and proposed microprocessor design," Journal of Medical Systems, vol. 35, no. 5, pp. 1289–1298, 2011.
[20] Y. Yan and T. Shu, "Energy-efficient In-network encryption/decryption for wireless body area sensor networks," in Proceedings of the IEEE Global Communications Conference (GLOBECOM '14), pp. 2442–2447, IEEE, Austin, Tex, USA, December 2014.
[21] Y. Xu, A. Anpalagan, Q. Wu, L. Shen, Z. Gao, and J. Wang, "Decision-theoretic distributed channel selection for opportunistic spectrum access: strategies, challenges and solutions," IEEE Communications Surveys and Tutorials, vol. 15, no. 4, pp. 1689–1713, 2013.
[22] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in cognitive radio networks: global optimization using local interaction games," IEEE Journal on Selected Topics in Signal Processing, vol. 6, no. 2, pp. 180–194, 2012.
[23] R. Chavez-Santiago, K. E. Nolan, O. Holland et al., "Cognitive radio for medical body area networks using ultra wideband," IEEE Wireless Communications, vol. 19, no. 4, pp. 74–81, 2012.
[24] A. R. Syed and K.-L. A. Yau, "On cognitive radio-based wireless body area networks for medical applications," in Proceedings of the 1st IEEE Symposium on Computational Intelligence in Healthcare and e-Health (CICARE '13), pp. 51–57, Singapore, April 2013.
[25] R. Chen, J.-M. Park, and K. Bian, "Robust distributed spectrum sensing in cognitive radio networks," in Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM '08), pp. 1876–1884, IEEE, Phoenix, Ariz, USA, April 2008.
[26] H. Rifa-Pous, M. J. Blasco, and C. Garrigues, "Review of robust cooperative spectrum sensing techniques for cognitive radio networks," Wireless Personal Communications, vol. 67, no. 2, pp. 175–198, 2012.
[27] B. Braem, B. Latre, C. Blondia, I. Moerman, and P. Demeester, "Analyzing and improving reliability in multi-hop body sensor networks," International Journal on Advances in Internet Technology, vol. 2, no. 1, pp. 152–161, 2009.
[28] I. F. Akyildiz, B. F. Lo, and R. Balakrishnan, "Cooperative spectrum sensing in cognitive radio networks: a survey," Physical Communication, vol. 4, no. 1, pp. 40–62, 2011.
[29] B. Sundararaman, U. Buy, and A. D. Kshemkalyani, "Clock synchronization for wireless sensor networks: a survey," Ad Hoc Networks, vol. 3, no. 3, pp. 281–323, 2005.
[30] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems—CHES 2008: 10th International Workshop, Washington, DC, USA, August 10–13, 2008. Proceedings, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[31] C. Cordeiro, K. Challapali, D. Birru, and N. Sai Shankar, "IEEE 802.22: the first worldwide wireless standard based on cognitive radios," in Proceedings of the 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN '05), pp. 328–337, Baltimore, Md, USA, November 2005.
[32] S. Ullah, H. Higgins, B. Braem et al., "A comprehensive survey of wireless body area networks: on PHY, MAC, and network layers solutions," Journal of Medical Systems, vol. 36, no. 3, pp. 1065–1094, 2012.
[33] N. Sastry and D. Wagner, "Security considerations for IEEE 802.15.4 networks," in Proceedings of the ACM Workshop on Wireless Security (WiSe '04), pp. 32–42, Philadelphia, Pa, USA, October 2004.
[34] M. Pajic, Z. Jiang, I. Lee, O. Sokolsky, and R. Mangharam, "From verification to implementation: a model translation tool and a pacemaker case study," in Proceedings of the 18th IEEE Real Time and Embedded Technology and Applications Symposium (RTAS '12), pp. 173–184, Beijing, China, April 2012.
[35] CC2540 2.4-GHz Bluetooth low energy System-on-Chip, 2013, http://www.ti.com/lit/ds/symlink/cc2540.pdf.
[36] U. Kretzschmar, "AES128—a C implementation for encryption and decryption, MSP430 systems, ECCN 5E002 TSPA—technology/software publicly," Application Report SLAA397A, Texas Instruments, Dallas, Tex, USA, 2009, http://www.ti.com.cn/cn/lit/an/slaa397a/slaa397a.pdf.
[37] El Barquero Aqueronte, MSP430: Cycles and Instructions, edited by Aqueronte, 2011, http://unbarquero.blogspot.com.es/2011/05/msp430-cycles-and-instructions.html.
[38] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems—CHES 2008, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[39] S. Kamath and J. Lindh, "Measuring bluetooth low energy power consumption," Application Note AN092, Texas Instruments, Dallas, Tex, USA, 2012, Version SWRA347a, http://www.ti.com/lit/an/swra347a/swra347a.pdf.
4. Securing Sensing Data and Channel Selection in CBSNs
In the following, we present a mechanism for securing the exchange of sensing data and the channel selection process in CBSNs. Section 4.1 outlines the assumptions considered in this work regarding the network model, and in Section 4.2 we describe the protocol operation. For ease of understanding, we present the terminology used throughout this section as follows:
$CTR_M$: medium-term session counter ($m$ bits).
$CTR_S$: short-term session counter ($m$ bits).
$D^u_i$: data sensed by node $u$ during period $i$ ($l$ bits).
$ID^u$: link-layer identifier of node $u$ ($m$ bits).
$K^u_i$: keystream to encrypt and authenticate data for node $u$ during period $i$ ($r$ bits).
KM: keying master.
$l$: length of the data sensed by a given node during a given period.
$m$: length of the hash output and all the secrets.
$N$: number of nodes in the network.
$p$: number of keystreams $K^u_i$ obtained from a $S^u$ ($p = m/r$), defining the number of sensing periods before updating $S^u$.
$r$: length of the keystreams $K^u_i$, which must be a divisor of $m$.
$S_L$: long-term globally shared secret ($m$ bits).
$S_M$: medium-term globally shared secret ($m$ bits).
$S_{s_i}$: long-term secret shared between the KM and node $i$; it is used to update $S_L$ in case it is compromised.
$S^u$: short-term shared secret with node $u$.
4.1. Assumptions. Although the proposed protocol is designed to be implemented in heavily constrained devices, we work under the assumption that such devices have at least the following capabilities:
(i) Compute a hash function with an output length of $m$ bits.
(ii) Temporarily store in random access memory at least $m \cdot (N + 3)$ bits, with $N$ the number of nodes in the network. As we detail later in Section 4.2, each node must keep a short-term shared secret for each of the $N$ nodes in the network (including itself) and three more long-term and medium-term secrets, each one with a length of $m$ bits.
(iii) Sensor nodes use a synchronization protocol that will be used to share a global short-term session counter and a medium-term session counter among all nodes (see Section 4.2). Given the low transmission rate of sensor networks, existing synchronization schemes [29] provide enough precision for this purpose. We assume that the chosen protocol provides recovery methods upon loss of synchronization. How synchronization is achieved will strongly depend on the chosen protocol, but if the latter requires a master node for providing synchronization, the gateway of the BSN could play this role.
To the best of our knowledge, the former requirement can be assumed even in very constrained devices. As shown in [30], there are several lightweight hash functions that can be integrated into a sensor mote. The latter may not be harder to achieve. As detailed in Section 4.2, during every sensing period each node stores one secret per member of the network, a globally shared secret, and two counters, all of them with the same length $m$ as the hash output. If we consider a typical hash function with an output of 128 or 256 bits and a network with tens to hundreds of sensors, the RAM requirements for sensor nodes are just bounded to a few tens of kilobytes.
4.2. Protocol Operation. Before deploying the CBSN, every sensor node must be preloaded by a keying master (KM) with the following data:
(1) The set of channels that the sensor will have to sense in the cooperative sensing process.
(2) A long-term and globally shared secret $S_L$ of $m$ bits (the hash output length).
(3) A long-term secret $S_{s_i}$ shared between the KM and node $i$ that will be used to update the globally shared secret $S_L$ in case it is compromised.
The KM is an external device which is not a member of the BSN. Typically, this role is played by the device responsible for gathering data from the sensors or gateway (e.g., a smart phone or a tablet).
Upon deployment of the network, every node derives a medium-term globally shared secret $S_M$ by hashing the XOR of the long-term secret $S_L$ and a counter. The generation process of $S_M$ is clearly depicted in Figure 3. This process is periodically repeated with an updated value of the medium-term counter in order to protect the secret against a potential attacker. Details about how often this process should be carried out and the attacker capabilities are provided in Section 5.
As shown in Figure 4, each node generates a set of random sequences of $m$ bits, one for the node itself and one for each other node in the network. These random sequences $S^u$, with $u$ the node identifier, are obtained by hashing the XOR of the link-layer identifier of the node $ID^u$, the medium-term shared secret $S_M$, and a short-term session counter $CTR_S$.
Therefore, our proposal makes use of three types of shared secrets:
(i) A short-term per-node shared secret $S^u$ (one for each node in the network) used for encryption, decryption, and authentication of data.
(ii) A medium-term globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.
(iii) A long-term globally shared secret that is used to derive a new $S_M$ when the current one is about to expire.
Figure 3: Generation of the medium-term globally shared secret $S_M$. (Diagram labels: long-term shared secret $S_L$, $m$ bits; medium-term session counter $CTR_M$, $m$ bits; Hash; medium-term shared secret $S_M$, $m$ bits.)
Figure 4: Generation of the short-term shared secret $S^u$ for node $u$. (Diagram labels: identifier of node $u$, $ID^u$, $m$ bits; medium-term shared secret $S_M$, $m$ bits; short-term session counter $CTR_S$, $m$ bits; Hash; short-term shared secret with node $u$, $S^u$, $m$ bits.)
As clearly denoted in Figure 5, each sequence $S^u$ is divided into $p$ fragments of $r$ bits, which will be denoted as $K^u_i$, each one being used as keystream to encrypt and authenticate data for node $u$ in period $i$. As per this behavior, a new short-term shared secret must be derived every $p$ sensing periods.
When a node performs spectrum sensing, it generates a binary sequence $D^u_i$ of $l$ bits that stores the availability of the different channels. The length of such sequence, $l$, will depend on the number of bits used to code the state of each channel and the number of channels. As an example, the simplest way would be to use just a single bit for coding each channel, with value “0” if the channel is occupied and “1” otherwise. If more precise information about the quality of channels is needed (i.e., high, medium, low, and very low quality), more bits can be used to code the channel state.
During a sensing period $i$, each node must send to its neighbors its own sensing information, but also it must process the information received from its neighbors to reach a joint decision.
In order to send its own sensing information, node $u$ will make use of the corresponding keystream $K^u_i$: the first $l$ bits of the keystream will be used to encrypt channel information $D^u_i$ by means of a XOR addition; the remaining $r - l$ bits are left unchanged and will be used to provide message authentication, as illustrated in Figure 5. The resulting sequence $C^u_i$ will be sent to all the other nodes.
To verify the authenticity and decrypt the content of the packets that have been sent by a given neighbor $u$, a node will XOR the sequence $C^u_i$ of the received packet with the keystream $K^u_i$, as depicted in Figure 6. If the last $r - l$ bits of the resulting sequence are not all 0s, the authentication fails and the entire packet is discarded. Otherwise, channel information can be recovered from the first $l$ bits resulting from the XOR addition.
The above described process is applied for each neighboring node $u$. Then the channel reported by a larger number of neighbors will be selected for the operation of the network. Note that, because more than one channel may be reported by the same amount of nodes, a tie-break mechanism is needed to guarantee that the process leads to equal results in all nodes. One simple approach that could be used is to select the channel with the highest identifier. However, this would lead to a lower usage of channels with lower identifiers and therefore to providing the attacker with valuable information about channel usage in the CBSN. As a consequence, we propose to use a tie-break method that relies on the format of $D^u_i$.
Figure 5: Encrypting and authenticating sensing data. (Diagram labels: short-term shared secret with node $u$, $S^u$, $m$ bits, split into keystream 1, keystream 2, ..., keystream $p$, that is, $K^u_1$, $K^u_2$, ..., $K^u_p$ of $r$ bits each; for sensing periods 1 to $p$, sensing data $D^u_1$, ..., $D^u_p$ of $l$ bits and outputs $C^u_1$, ..., $C^u_p$ formed by encrypted sensing data, $l$ bits, and auth data, $r - l$ bits.)
Figure 6: Decrypting sensing data. (Diagram labels: short-term shared secret with node $u$, $S^u$, $m$ bits; keystreams $K^u_1$, $K^u_2$, ..., $K^u_p$ of $r$ bits each; received $C^u_1$, $r$ bits, for sensing period 1; test “if ≠ 0s” on the $r - l$ bits; true: reject sensing data; otherwise: accept sensing data $D^u_1$, $l$ bits.)
Recall that a fundamental characteristic of this protocol is that there is no central entity that is known and trusted by all sensors. This makes the protocol suitable for unattended scenarios, and it also makes it more efficient in terms of data transmitted through the network, because no information is sent regarding which channels have to be sensed or which channel is finally selected. Instead, sensors are deployed with all the information needed to perform the sensing in a distributed way and make a joint decision autonomously. Thus, there is no need for additional mechanisms to be used when a new node joins the network. In this case, the new node needs to synchronize with the rest of the members to get the proper value of the session counters by making use of the corresponding protocol. However, when a node is expelled from the network because it has been compromised, new cryptographic material must be generated and distributed among the remaining nodes. The KM is responsible for triggering this process and communicates with each sensor node to update the shared long-term secret $S_L$. Note that, because the KM shares a different secret $S_{s_i}$ with each node $i$, it can securely distribute the new value of $S_L$. Upon reception of $S_L$, each node should perform again the initialization process described at the beginning of this section.
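The key derivation, sealing and verification steps of Section 4.2, written out as an added example (this is not code from the paper). Assumptions made here: SHA-256 truncated to 128 bits stands in for the lightweight hash, $l$ = 16 with one bit per channel (bit $j$ = channel $j$), a 16-bit authentication field, and fragments of $S^u$ taken left to right; all function names and sample values are constructed. The tie-break is not modelled because this section does not specify it.

```python
import hashlib
from collections import Counter

M = 128          # m: bits in the hash output and in every secret
L = 16           # l: bits of sensing data (assumed: one bit per channel, 1 = free)
TAG = 16         # authentication field length (Section 5.2)
R = L + TAG      # r: keystream bits consumed per sensing period
P = M // R       # p = m/r keystreams per short-term secret
assert M % R == 0, "r must be a divisor of m"


def H(x: int) -> int:
    """Assumed stand-in hash: SHA-256 truncated to m bits."""
    digest = hashlib.sha256(x.to_bytes(M // 8, "big")).digest()
    return int.from_bytes(digest[:M // 8], "big")


def derive_s_m(s_l: int, ctr_m: int) -> int:
    """Figure 3: S_M = Hash(S_L xor CTR_M)."""
    return H(s_l ^ ctr_m)


def derive_s_u(node_id: int, s_m: int, ctr_s: int) -> int:
    """Figure 4: S^u = Hash(ID^u xor S_M xor CTR_S)."""
    return H(node_id ^ s_m ^ ctr_s)


def keystream(s_u: int, i: int) -> int:
    """K^u_i: the i-th r-bit fragment of S^u (i in 0..p-1, leftmost first)."""
    if not 0 <= i < P:
        raise ValueError("S^u exhausted: derive a new one with the next CTR_S")
    return (s_u >> (M - (i + 1) * R)) & ((1 << R) - 1)


def seal(d: int, k: int) -> int:
    """C^u_i: first l bits are D xor K, last r-l bits are K unchanged."""
    if d >> L:
        raise ValueError("sensing data longer than l bits")
    return k ^ (d << TAG)


def open_packet(c: int, k: int):
    """Return D^u_i, or None if the last r-l bits of C xor K are not all 0.
    The check covers only those trailing bits; it is not computed over D."""
    x = c ^ k
    if x & ((1 << TAG) - 1):
        return None
    return x >> TAG


def most_reported(reports):
    """Channels reported free by the largest number of nodes.
    Every tied channel is returned; the tie-break is left to the caller."""
    votes = Counter(ch for d in reports for ch in range(L) if (d >> ch) & 1)
    if not votes:
        return []
    top = max(votes.values())
    return sorted(ch for ch, n in votes.items() if n == top)


def sensing_round(s_l, ctr_m, ctr_s, period, sensed, receiver_ctr_s=None):
    """One sensing period seen from a receiver. Each node u in `sensed`
    (ID -> D) seals its data; the receiver opens it with its own copy of
    K^u_i. `receiver_ctr_s` models a receiver whose CTR_S is out of sync.
    Returns (accepted reports by ID, list of rejected IDs)."""
    rx_ctr = ctr_s if receiver_ctr_s is None else receiver_ctr_s
    s_m = derive_s_m(s_l, ctr_m)
    accepted, rejected = {}, []
    for node_id, d in sensed.items():
        c = seal(d, keystream(derive_s_u(node_id, s_m, ctr_s), period))
        k_rx = keystream(derive_s_u(node_id, s_m, rx_ctr), period)
        got = open_packet(c, k_rx)
        if got is None:
            rejected.append(node_id)
        else:
            accepted[node_id] = got
    return accepted, rejected


# Constructed sample values (not taken from the paper).
S_L = 0x0123456789ABCDEF0123456789ABCDEF
SENSED = {0xA1: 0b0000000000100110,   # channels 1, 2, 5 free
          0xA2: 0b0000000000100100,   # channels 2, 5 free
          0xA3: 0b0000000000000101}   # channels 0, 2 free

if __name__ == "__main__":
    ok, bad = sensing_round(S_L, ctr_m=7, ctr_s=42, period=0, sensed=SENSED)
    print("accepted:", {hex(u): bin(d) for u, d in ok.items()}, "rejected:", bad)
    print("most reported channels:", most_reported(ok.values()))
    _, bad = sensing_round(S_L, 7, 42, 0, SENSED, receiver_ctr_s=43)
    print("rejected when the receiver's CTR_S is out of sync:", [hex(u) for u in bad])
```

With these parameters $r$ = 32, so each $S^u$ yields $p$ = 4 keystreams before $CTR_S$ has to advance.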
5. Security Analysis
The security of the proposed method relies on the shared secrets used to derive the keys and perform encryption and authentication of channel availability data. As long as these secrets are not compromised, data confidentiality can be ensured; that is, an attacker might not be able to get the list of channels to be used in the CBSN. Besides, the method must prevent an attacker from injecting fake data into the system. These issues are discussed as follows. In Section 5.1, we analyze how often the shared secrets should be updated in order to guarantee a proper protection against cryptanalysis; next, in Section 5.2, we evaluate the packet authentication method used in our proposal in terms of probability of bypassing the authentication check.
5.1. Shared Secrets Lifetime. As previously mentioned in Section 3.1, for this analysis we are assuming that attacks come from external entities, and therefore attackers are not able to obtain the cryptographic material that is stored in the body sensors. In the context of this proposal, the lifetime of each of the shared secrets is the interval in which these secrets are considered computationally safe against cryptanalysis, that is, their cryptoperiod.
The cryptoperiod depends directly on the chosen cryptographic protocols, the length of the secrets themselves, and the number of times they are used. The more a given secret is used, the shorter its cryptoperiod is, as an attacker gets more information about this secret and therefore the probability of a successful cryptanalysis increases. In fact, cryptoperiod is defined more in terms of the number of times a given secret or key is reused (the amount of ciphertext exposed to an attacker for a given secret/key) than as a given time period, which strongly depends on the transmission rate of the sensor nodes.
Recall the three types of shared secrets used in the proposed method:
(i) Short-term per-node shared secrets: one secret $S^u$ per source node that is used to lightweight encrypt, decrypt, and authenticate the channels’ sensed data.
(ii) Medium-term globally shared secrets: globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.
(iii) Long-term globally shared secret: this being the initially preloaded secret $S_L$ that is used to derive a new medium-term globally shared secret $S_M$ when the current one is about to expire.
As clearly denoted in Figure 5, our approach operates in some manner as an additive stream cipher. It is well known that stream ciphers are considered to be secure as long as the key is never reused, and thus our cipher will be secure if a given value $S^u$ is not repeated. As a result, $S^u$ must be updated every $p = m/r$ sensing periods, with $p$ the renewal period, $m$ the length of the shared secret $S^u$, and $r$ the amount of transmitted bits (sensing data) in a sensing period that are encrypted with $S^u$.
Recall that in our proposal the per-node key used for encryption, $S^u$, is generated by means of a hash function. A second requirement is that this function must be cryptographically secure. Note that if the hash function does not accomplish it, an attacker might be able to reverse it, that is, to get the input of the hash function given an output, meaning that in our proposal an attacker would be able to recover the value of the medium-term globally shared secret $S_M$ (see Figure 4).
A cryptographically secure hash function with an output of $m$ bits can offer a security level of $2^m$ operations against preimage attacks and $2^{m/2}$ against collision attacks. Generally speaking, a minimum output of 128 bits is required in order to provide a high level of security for most applications, but shorter lengths are accepted if the number of generated messages in a given period is limited, as is the case of low-rate networks. In Section 6, we propose several lightweight hash candidates with an output of 128 bits; that is to say, we can assume that it is computationally unfeasible for an attacker to invert the hash function and thus to predict the value of $S_M$, as long as it is updated before exceeding its cryptoperiod, which has an upper bound of $2^{m/2} = 2^{64}$ uses.
The long-term globally shared secret $S_L$ is only used to update the current medium-term globally shared secret $S_M$. Because $S_M$ is not updated very often, it is very unlikely that an attacker manages to obtain several values of $S_M$ to reverse the hash function and recover $S_L$. As a result, we can assume that the $S_L$ cryptoperiod is long enough and there is no need to update the secret during the nodes’ lifetime.
5.2. Authentication. A cryptogram $C^u_i$ of sensing data contains an authentication field of 16 bits that is checked upon reception (see Figure 6). Consequently, an attacker has a chance of 1 in $2^{16}$ of guessing the next authentication field, which allows it to forge a valid authentication field and inject fake data. Note that this attack can lead the CBSN to wrong decisions about the availability of the spectrum.
If the attacker repeatedly attempts to send valid ciphertexts, it may succeed after $2^{15}$ attempts on average. Because the attacker does not know $S^u$, the authentication field appears to it as a random stream, and therefore it must select a fake authentication field at random. Besides, the attacker cannot determine whether a given ciphertext has been accepted or rejected because the receiver does not acknowledge the reception of such packets to the emitter. Otherwise, the attacker could take advantage of this information in order to guess a valid authentication field in a faster way.
In conventional networks, $2^{15}$ packets may seem an extremely low number, but it may provide an adequate level of security in CBSNs. In these networks, the attacker can only send fake packets during the sensing periods, which are in the order of a few milliseconds in most cognitive scenarios [31]. Moreover, as previously stated in Section 1, transmission rates in BSNs are considerably low, with values usually ranging from tens to a few hundred kilobits per second.
As an example, let us consider a 1 Mbps link, a sensing period of 10 ms, and a packet size of 10 bytes (which is clearly bigger than the typical packet size in sensor networks). Given these parameters, an attacker would only be able to send 125 packets at most in every sensing period. That is to say, the attacker would need an average of 262.144 sensing periods to send a fake packet and pass the authentication check.
6. Cost Evaluation and Comparison with Other Approaches
In this section, we evaluate the cost of our proposal in terms of energy consumption due to transmission overhead and computational cost and compare its performance with the most common approach adopted in sensor networks [32], which is providing authentication and/or encryption of the channel sensing data by means of standard block ciphers. As is well known, block ciphers have as input the message to be encrypted or authenticated, which is divided into several blocks of fixed length, and a key. Both the block length and the key length depend on the algorithm being used. Regardless of the algorithm, block ciphers can be used in several modes of operation depending on the service to be provided, that is, encryption only, authentication only, or encryption/authentication. Generally, the following modes of operation are applied.
Authentication. CBC-MAC is a block cipher mode for generating message authentication codes. The message to be authenticated is divided into several blocks of equal size, and each block is encrypted so that the value of a given block depends on the encryption of the previous block. The final output of the cipher, that is, the message authentication code or CBC-MAC, is the result of encrypting the last block of the message. When the input of the cipher is shorter than the block size (as is usually the case in sensor networks), the CBC-MAC can be obtained by directly encrypting a single block padded until the block size of the cipher is reached.
Encryption. CTR mode of operation turns a block cipher into a stream cipher, meaning that the resulting ciphertext has the same size as the input or plain text. Thus, it does not force the output length to be a multiple of the block size, as is the case of other modes such as CBC-MAC. This property makes this mode of operation suitable for encryption in sensor networks, where devices usually exchange short-length messages.
Authentication + Encryption. CCM (CTR + CBC-MAC) is a common choice for providing both encryption (CTR) and authentication (CBC-MAC) [19]. A minor variation of CCM called CCM* is used in the ZigBee standard [7].
In this work, we assume that Advanced Encryption Standard (AES) in CTR mode is used for encryption and AES CBC-MAC for authentication, as it is the current standard for symmetric cryptography even in sensor nodes [33]. Currently, there are efficient hardware implementations of AES that are highly affordable.
Regarding hardware platforms, the vast majority of previous works on BSNs have used the 16-bit Texas Instruments’ (TI) MSP430 and CC2540 families of microcontrollers [34]. Built around a 16-bit CPU, ultra-low-power MSP430 microcontrollers are designed for low cost and specifically low-power consumption embedded applications. As an example, TI’s CC2540 family [35] enables robust Bluetooth low energy (BLE) network nodes to be built with low total bill-of-material (BOM) costs. BLE operates in the same spectrum range (2.400 GHz–2.4835 GHz ISM band) as classic Bluetooth technology but uses a different set of channels: instead of 79 1 MHz channels, BLE offers 40 2 MHz channels, 3 for advertising purposes and 37 for data exchange.
6.1. Transmission/Reception Overhead. In this section, we analyze the overhead introduced by our proposal in terms of transmission/reception of channel availability data and compare it with the overhead exhibited when conventional approaches are used for data encryption/authentication, as explained above. We assume that all sensors are capable of sensing a given set of channels and report information about their state.
With our proposal, the minimum number of transmitted bits will depend on the number of channels that a given sensor is reporting, the number of bits used to code the state of each channel, and the length of the authentication code. As explained in Section 5.2, a length of 16 bits is enough to secure most applications in WSNs, and thus we have assumed this value for the authentication field. This leads to a total amount of $\mathrm{Bits}_{tx} = l + 16$ transmitted bits, where $l$ represents the total number of bits used to code all possible channels, and $\mathrm{Bits}_{rx} = (n - 1)\,\mathrm{Bits}_{tx}$ received bits, representing the number of bits received by a given sensor from its neighbors.
Aiming to provide a fair comparison, we choose the same key length for block ciphers and for our proposal, that is to say, a 128-bit key. The transmitted bits overhead added by AES CBC-MAC authentication is 128 bits (for a semantically secure implementation, an IV or nonce must also be shared between emitter and receiver, so that the overhead can be higher). Regarding encryption, the number of transmitted bits is equal to the number of bits $l$ used to code the state of the channels, but it also requires the use of a nonce with a length equal to half of the key length, that is, 64 bits per message.
During every sensing period, every node must transmit a packet with sensing information but also must process the packets received from its neighbors. Table 1 and Figure 7, respectively, show the transmission and reception overhead due to the secure sharing of sensing information using both standard block ciphers and our proposal. The values are provided as a function of the number of bits $l$ used to code the state of the channels and the number of nodes $N$, ranging from 5 to 30. Given that the considered scenario is a body sensor network, this is more than a reasonable value, since a patient wearing more than 30 sensors may be an unlikely situation.
The reader may notice that the overhead introduced by this mechanism increases linearly with the number of nodes for both approaches. However, with the proposed method, the transmission/reception overhead is considerably reduced with respect to the use of standard block ciphers while still maintaining an acceptable level of security. In fact, the more the nodes in the CBSN, the bigger the improvement introduced by the former. As we will show later, the transmission/reception savings lead to a huge saving also in energy consumption.
6.2. Computational Cost. In this section, we provide a comparison of the CPU cost in cycles due to the implementation of the cryptographic functions.
If AES is used, the total cryptographic cost per node for securing the exchange of sensing data equals the cost of one encryption and $N - 1$ decryptions. Assuming the Texas Instruments’ reference AES implementation for CC2540 microcontrollers [36], AES encryption needs 6600 cycles/block and AES decryption 8400 cycles/block.
With our proposal, the energy consumption has three components: the computation of the different sequences $S^u_i$ with the hash function before the sensing period begins, the XOR of the keystream $K^u_i$ with the sequence $D^u_i$ that signals the availability of channels, and the XOR of the sequences $C^u_i$ received from neighbors with the precomputed $S^u_i$. Therefore, a node must compute $N$ hashes and perform $N$ XORs to send channel information and process the reports received from its neighbors.
Table 1: Transmission overhead.
Mode                                             l (bits)   Overhead (bits)
Authentication only (CBC-MAC)                    16         128
                                                 32         128
                                                 64         128
Encryption only (CTR)                            16         80
                                                 32         96
                                                 64         128
Authentication and encryption (CCM)              16         208
                                                 32         224
                                                 64         256
Authentication and encryption (our proposal)     16         32
                                                 32         48
                                                 64         80
Figure 7: Reception overhead for a varying number of nodes $N$. (Plot: reception overhead in bytes, 0 to 1000, versus number of nodes $N$, 5 to 30; series: CBC-MAC $l$ = 16, 32, 64; CTR $l$ = 16; CTR $l$ = 32; CTR $l$ = 64; CCM $l$ = 16; CCM $l$ = 32; CCM $l$ = 64; Ours $l$ = 16; Ours $l$ = 32; Ours $l$ = 64.)
As per [37], a XOR operation with an MSP430 accounts for 4-5 cycles/byte. Assuming a 128-bit hash function and the worst case, every XOR in our proposal accounts for $5 \cdot 16 = 80$ cycles. As previously explained in Section 5.1, we suggest the use of a lightweight cryptographic hash function specifically suited for low-end devices, with an output of 128 bits. Table 2 depicts the number of CPU cycles per block needed [38] for two potential candidates. As clearly seen in the table, computing one of these hash functions requires only a few tens of cycles/block. In the following, for this analysis we will consider the (stripped) MAME hash function, as it is a pure hash function that does not rely on a symmetric cipher and requires more CPU cycles (worst case).
Table 2: Cycles per block for different cryptographic hash functions.
Algorithm          Hash output size   Cycles/block
(Stripped) MAME    128                96
H-PRESENT-128      128                32
Taking into account the previous data, Figure 8 shows the CPU cycles consumed with both our proposal (with a MAME hash function) and standard AES-128 security. It can be clearly seen that our proposal scales much better with the number of nodes while still providing an appropriate level of security. We do not provide values for the process time, that is, the time needed for key generation, encryption, decryption, and data authentication, but the number of CPU cycles required to execute each function. In this way, time values can be obtained for a particular sensor node according to its CPU features.
6.3. Total Energy Cost. Table 3 provides the transmission and reception energy consumption of a TI’s CC2540 microcontroller for different modes and values of transmission power. The displayed values have been tested under 25 °C. We do not have values for in-body conditions (≈38 °C), but we present these data for reference purposes. In any case, this fact only affects the energy consumption for receiving/transmitting. Note that the total cost in terms of energy is much higher, since it should also account for duty cycles, state changes, and other parameters [39].
There is no single specific “energy per CPU cycle” value, since the cycle consumption depends on the type of CPU operation. Anyway, in [34] the authors measured that the TI’s MSP430F1611 consumes energy at an average of 0.72 nJ per clock cycle, and we have adopted such value in our study.
Figure 9 shows the total average energy consumption as a function of the number of neighboring sensor nodes and the number $l$ of bits used to code the channels for the proposed mechanism and standard approaches: CCM (authentication and encryption), CTR (encryption only), and CBC-MAC (authentication only). We have assumed standard reception and short-range transmission of −6 dBm (see Table 3).
As clearly denoted in the figure, our method only requires a few tens of μJ regardless of the number of sensor nodes, while AES-based security requires higher values of energy, ranging from 35 μJ to almost 240 μJ when encryption and authentication are provided and for 30 sensor nodes. The more the number of sensor nodes, the bigger the improvement introduced by our proposal.
It must be remarked, however, that the purpose of this figure is to provide reference values to be taken into account for future implementations. Besides, the level of security provided by our method is lower than AES-based methods but still is more than adequate given the features of CBSNs (transmission rate, number of sent messages, etc.) and given the fact that the data we are trying to protect are just a limited number of potential channels to be used for operation of the network.
Table 3: Current/energy consumption for RX/TX tested on Texas Instruments CC2540 EM with $T_A$ = 25 °C, with no peripherals active and low MCU activity at 250 kHz.
Test conditions   Current    Energy/byte
RX standard       19.6 mA    58.8 nJ
RX high gain      22.1 mA    66.3 nJ
TX −23 dBm        21.1 mA    63.3 nJ
TX −6 dBm         23.8 mA    71.4 nJ
TX 0 dBm          27 mA      81 nJ
TX 4 dBm          31.6 mA    94.8 nJ
Figure 8: Added CPU cycles for a secure exchange of sensing data. (Plot: CPU cycles, 0 to 300000, versus number of nodes $N$, 5 to 30; series: AES $l$ = 16, 32, 64; Ours $l$ = 16, 32, 64.)
Indeed, this mechanism introduces some overhead due to spectrum sensing and sharing of channel information, and, as we pointed out above, the overhead increases linearly with the number of nodes in the network. The synchronization protocol adds some overhead too, but the increase will strongly depend on the chosen protocol. In [29], some protocols with high energy efficiency are referenced, which could be used in our proposal.
Despite this, we claim that it is definitely worth introducing this overhead to increase the availability of the network and make it robust to potential interferences and DoS attacks. Under these undesired situations, the current channel used by the CBSN may become unavailable, but the proposed method allows the nodes to securely agree on a new channel of operation and rapidly resume their transmissions. It must be remarked that securing channel availability information may prevent or at least diminish the effect of further DoS attacks when switching to a new channel.
We do not quantify the benefits of applying our method in terms of attack mitigation because it strongly depends on the capabilities of the attacker (time required for sensing each channel, number of channels that it can sense, etc.). As future work, it would be interesting to estimate the improvement achieved by our approach in terms of throughput of the CBSNs connections and the tradeoff between benefits and overhead.
Figure 9: Added energy costs for a TI’s MSP430F1611 with a TI’s CC2540 microcontroller. (Plot: energy cost in μJ, 0 to 250, versus number of nodes $N$, 5 to 30; series: CBC-MAC $l$ = 16, 32, 64; CTR $l$ = 16; CTR $l$ = 32; CTR $l$ = 64; CCM $l$ = 16; CCM $l$ = 32; CCM $l$ = 64; Ours $l$ = 16; Ours $l$ = 32; Ours $l$ = 64.)
7. Conclusions
Body sensor networks (BSNs) emerge as an optimal solution for ensuring constant and remote monitoring of the health status in patients. Recent advances in technology have made it possible to deploy a network of tiny sensors over the human body, and even in body, which can measure vital signs such as temperature, heart rate, or the level of glucose and report these data to medical personnel.
Guaranteeing the availability of such communications is a must, as connectivity losses during emergency situations may prevent a patient from immediately receiving medical assistance and may end up in catastrophic results.
A new network paradigm known as cognitive body sensor networks (CBSNs) could mitigate this threat by allowing body sensors to operate in a wide range of frequencies and adapt their transmission parameters according to highly dynamic environment conditions. However, this would come at the expense of implementing cooperative spectrum sensing mechanisms that allow sensors to exchange information about channel quality and availability. As a consequence, CBSNs might become vulnerable to specific attacks that are targeted to these mechanisms.
In this paper, we presented a novel and simple method to secure the sensing process in a CBSN and improve its availability. The method relies on cryptographic primitives that require a minimum amount of memory and low energy consumption, thus being more suited for devices with limited resources than traditional approaches. It offers authentication and encryption of control data shared by the sensors in the CBSN to agree on a given channel.
Our proposal was analyzed in terms of security, and we showed that, although it does not provide the same level of security as AES-based encryption and authentication, it is still sufficient for low packet rate networks such as CBSNs. The provided results also showed that our method outperforms existing approaches in terms of transmission/reception overhead and number of CPU cycles needed, particularly as the number of sensor nodes increases. For typical microcontrollers such as CC2540 and MSP430, the improvement in energy consumption clearly justifies the use of the proposed method against AES-based mechanisms in constrained networks such as CBSNs, in which maximizing the network life is extremely important.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgment
This work has been partially supported by the Spanish government under grant TEC2011-22746 "TAMESIS" and by the Ministry of Economy and Competitiveness through the projects CO-PRIVACY (TIN2011-27076-C03-02) and SMARTGLACIS (TIN2014-57364-C2-2-R).
References
[1] B. Latre, B. Braem, I. Moerman, C. Blondia, and P. Demeester, "A survey on wireless body area networks," Wireless Networks, vol. 17, no. 1, pp. 1–18, 2011.
[2] S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, "Wireless body area networks: a survey," IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014.
[3] 802.15.6-2012 - IEEE Standard for Local and metropolitan area networks - Part 15.6: Wireless Body Area Networks, 2012, http://standards.ieee.org/getieee802/download/802.15.6-2012.pdf.
[4] Bluetooth Low Energy (LE), June 2014, http://www.bluetooth.com/Pages/low-energy-tech-info.aspx.
[5] The ANT+ Alliance, 2014, http://www.thisisant.com.
[6] Wi-Fi Alliance, June 2014, http://www.wi-fi.org.
[7] Zigbee Alliance, June 2014, http://www.zigbee.org.
[8] M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, "SoK: security and privacy in implantable medical devices and body area networks," in Proceedings of the 35th IEEE Symposium on Security and Privacy (SP '14), pp. 524–539, San Jose, Calif, USA, May 2014.
[9] I. F. Akyildiz, W.-Y. Lee, M. C. Vuran, and S. Mohanty, "NeXt generation/dynamic spectrum access/cognitive radio wireless networks: a survey," Computer Networks, vol. 50, no. 13, pp. 2127–2159, 2006.
[10] B. Wang and K. J. R. Liu, "Advances in cognitive radio networks: a survey," IEEE Journal of Selected Topics in Signal Processing, vol. 5, no. 1, pp. 5–23, 2011.
[11] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in unknown dynamic environment: a game-theoretic stochastic learning solution," IEEE Transactions on Wireless Communications, vol. 11, no. 4, pp. 1380–1391, 2012.
[12] D. Cavalcanti, S. Das, J. Wang, and K. Challapali, "Cognitive radio based wireless sensor networks," in Proceedings of the 17th International Conference on Computer Communications and Networks (ICCCN '08), pp. 1–6, August 2008.
[13] O. Leon, J. Hernandez-Serrano, and M. Soriano, "Securing cognitive radio networks," International Journal of Communication Systems, vol. 23, no. 5, pp. 633–652, 2010.
[14] M. Rostami, A. Juels, and F. Koushanfar, "Heart-to-Heart (H2H): authentication for implanted medical devices," in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 1099–1111, ACM, Berlin, Germany, November 2013.
[15] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun, "Proximity-based access control for implantable medical devices," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 410–419, Chicago, Ill, USA, November 2009.
[16] L. Shi, M. Li, S. Yu, and J. Yuan, "BANA: body area network authentication exploiting channel characteristics," IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1803–1816, 2013.
[17] C. C. Tan, S. Zhong, H. Wang, and Q. Li, "Body sensor network security: an identity-based cryptography approach," in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 148–153, April 2008.
[18] O. Garcia-Morchon, T. Falck, T. Heer, and K. Wehrle, "Security for pervasive medical sensor networks," in Proceedings of the 6th Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous '09), pp. 1–10, Toronto, Canada, July 2009.
[19] G. Selimis, L. Huang, F. Masse et al., "A lightweight security scheme for wireless body area networks: design, energy evaluation and proposed microprocessor design," Journal of Medical Systems, vol. 35, no. 5, pp. 1289–1298, 2011.
[20] Y. Yan and T. Shu, "Energy-efficient In-network encryption/decryption for wireless body area sensor networks," in Proceedings of the IEEE Global Communications Conference (GLOBECOM '14), pp. 2442–2447, IEEE, Austin, Tex, USA, December 2014.
[21] Y. Xu, A. Anpalagan, Q. Wu, L. Shen, Z. Gao, and J. Wang, "Decision-theoretic distributed channel selection for opportunistic spectrum access: strategies, challenges and solutions," IEEE Communications Surveys and Tutorials, vol. 15, no. 4, pp. 1689–1713, 2013.
[22] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in cognitive radio networks: global optimization using local interaction games," IEEE Journal on Selected Topics in Signal Processing, vol. 6, no. 2, pp. 180–194, 2012.
[23] R. Chavez-Santiago, K. E. Nolan, O. Holland et al., "Cognitive radio for medical body area networks using ultra wideband," IEEE Wireless Communications, vol. 19, no. 4, pp. 74–81, 2012.
[24] A. R. Syed and K.-L. A. Yau, "On cognitive radio-based wireless body area networks for medical applications," in Proceedings of the 1st IEEE Symposium on Computational Intelligence in Healthcare and e-Health (CICARE '13), pp. 51–57, Singapore, April 2013.
[25] R. Chen, J.-M. Park, and K. Bian, "Robust distributed spectrum sensing in cognitive radio networks," in Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM '08), pp. 1876–1884, IEEE, Phoenix, Ariz, USA, April 2008.
[26] H. Rifa-Pous, M. J. Blasco, and C. Garrigues, "Review of robust cooperative spectrum sensing techniques for cognitive radio networks," Wireless Personal Communications, vol. 67, no. 2, pp. 175–198, 2012.
[27] B. Braem, B. Latre, C. Blondia, I. Moerman, and P. Demeester, "Analyzing and improving reliability in multi-hop body sensor networks," International Journal on Advances in Internet Technology, vol. 2, no. 1, pp. 152–161, 2009.
[28] I. F. Akyildiz, B. F. Lo, and R. Balakrishnan, "Cooperative spectrum sensing in cognitive radio networks: a survey," Physical Communication, vol. 4, no. 1, pp. 40–62, 2011.
[29] B. Sundararaman, U. Buy, and A. D. Kshemkalyani, "Clock synchronization for wireless sensor networks: a survey," Ad Hoc Networks, vol. 3, no. 3, pp. 281–323, 2005.
[30] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems - CHES 2008: 10th International Workshop, Washington, DC, USA, August 10–13, 2008, Proceedings, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[31] C. Cordeiro, K. Challapali, D. Birru, and N. Sai Shankar, "IEEE 802.22: the first worldwide wireless standard based on cognitive radios," in Proceedings of the 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN '05), pp. 328–337, Baltimore, Md, USA, November 2005.
[32] S. Ullah, H. Higgins, B. Braem et al., "A comprehensive survey of wireless body area networks: on PHY, MAC, and network layers solutions," Journal of Medical Systems, vol. 36, no. 3, pp. 1065–1094, 2012.
[33] N. Sastry and D. Wagner, "Security considerations for IEEE 802.15.4 networks," in Proceedings of the ACM Workshop on Wireless Security (WiSe '04), pp. 32–42, Philadelphia, Pa, USA, October 2004.
[34] M. Pajic, Z. Jiang, I. Lee, O. Sokolsky, and R. Mangharam, "From verification to implementation: a model translation tool and a pacemaker case study," in Proceedings of the 18th IEEE Real Time and Embedded Technology and Applications Symposium (RTAS '12), pp. 173–184, Beijing, China, April 2012.
[35] CC2540 2.4-GHz Bluetooth low energy System-on-Chip, 2013, http://www.ti.com/lit/ds/symlink/cc2540.pdf.
[36] U. Kretzschmar, "AES128 - a C implementation for encryption and decryption: MSP430 systems, ECCN 5E002 TSPA - technology/software publicly," Application Report SLAA397A, Texas Instruments, Dallas, Tex, USA, 2009, http://www.ti.com.cn/cn/lit/an/slaa397a/slaa397a.pdf.
[37] El Barquero Aqueronte, MSP430: Cycles and Instructions, edited by Aqueronte, 2011, http://unbarquero.blogspot.com.es/2011/05/msp430-cycles-and-instructions.html.
[38] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems - CHES 2008, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[39] S. Kamath and J. Lindh, "Measuring bluetooth low energy power consumption," Application Note AN092, Texas Instruments, Dallas, Tex, USA, 2012, Version SWRA347a, http://www.ti.com/lit/an/swra347a/swra347a.pdf.
[Figure 3: Generation of the medium-term globally shared secret $S_M$. Diagram labels: long-term shared secret $S_L$, medium-term session counter $CTR_M$, Hash, medium-term shared secret $S_M$; the fields are $m$ bits long.]
[Figure 4: Generation of the short-term shared secret $S^u$ for node $u$. Diagram labels: medium-term shared secret $S_M$, identifier of node $u$ ($ID_u$), short-term session counter $CTR_S$, Hash, short-term shared secret $S^u$ with node $u$; the fields are $m$ bits long.]
(iii) A long-term globally shared secret that is used to derive a new $S_M$ when the current one is about to expire.
As clearly denoted in Figure 5, each sequence $S^u$ is divided into $p$ fragments of $r$ bits, which will be denoted as $K_i^u$, each one being used as keystream to encrypt and authenticate data for node $u$ in period $i$. As per this behavior, a new short-term shared secret must be derived every $p$ sensing periods.
When a node performs spectrum sensing, it generates a binary sequence $D_i^u$ of $l$ bits that stores the availability of the different channels. The length of such sequence, $l$, will depend on the number of bits used to code the state of each channel and the number of channels. As an example, the simplest way would be to use just a single bit for coding each channel, with value "0" if the channel is occupied and "1" otherwise. If more precise information about the quality of channels is needed (i.e., high, medium, low, and very low quality), more bits can be used to code the channel state.
During a sensing period $i$, each node must send to its neighbors its own sensing information, but it must also process the information received from its neighbors to reach a joint decision.
In order to send its own sensing information, node $u$ will make use of the corresponding keystream $K_i^u$: the first $l$ bits of the keystream will be used to encrypt channel information $D_i^u$ by means of a XOR addition; the remaining $r - l$ bits are left unchanged and will be used to provide message authentication, as illustrated in Figure 5. The resulting sequence $C_i^u$ will be sent to all the other nodes.
To verify the authenticity and decrypt the content of the packets that have been sent by a given neighbor $u$, a node will XOR the sequence $C_i^u$ of the received packet with the keystream $K_i^u$, as depicted in Figure 6. If the last $r - l$ bits of the resulting sequence are not all 0s, the authentication fails and the entire packet is discarded. Otherwise, channel information can be recovered from the first $l$ bits resulting from the XOR addition.
The above described process is applied for each neighboring node $u$. Then, the channel reported by the largest number of neighbors will be selected for the operation of the network. Note that, because more than one channel may be reported by the same number of nodes, a tie-break mechanism is needed to guarantee that the process leads to equal results in all nodes. One simple approach that could be used is to select the channel with the highest identifier. However, this would lead to a lower usage of channels with lower identifiers and therefore would provide the attacker with valuable information about channel usage in the CBSN. As a consequence, we propose to use a tie-break method that relies on the format of $D_i^u$.
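The key derivation of Figures 3 and 4 and the encrypt/verify steps described above, as an added Python sketch that is not the authors' code. Assumptions: SHA-256 truncated to 128 bits stands in for the lightweight hash, the hash input encoding, counters starting at 0, the channel bit order, and all function names are hypothetical; tie-breaking is left out because its details are not given here.

```python
import hashlib

M_BITS = 128     # m: length of S_L, S_M, S^u and of the hash output
AUTH_BITS = 16   # r - l: length of the authentication field (Section 5.2)


def h128(*parts: bytes) -> bytes:
    # Assumption: truncated SHA-256 replaces the 128-bit lightweight hash;
    # each input is length-prefixed so the concatenation is unambiguous.
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(data).digest()[: M_BITS // 8]


def derive_s_m(s_l: bytes, ctr_m: int) -> bytes:
    """Figure 3: medium-term secret S_M from S_L and the counter CTR_M."""
    return h128(s_l, ctr_m.to_bytes(8, "big"))


def derive_s_u(s_m: bytes, node_id: int, ctr_s: int) -> bytes:
    """Figure 4: short-term secret S^u from S_M, ID_u and CTR_S."""
    return h128(s_m, node_id.to_bytes(2, "big"), ctr_s.to_bytes(8, "big"))


def keystream(s_m: bytes, node_id: int, period: int, l_bits: int) -> int:
    """K_i^u for an absolute sensing period (counted from 0).

    S^u is cut into p = m // r fragments of r = l + 16 bits. After p periods
    CTR_S advances and a fresh S^u is derived, so no fragment is reused.
    """
    r_bits = l_bits + AUTH_BITS
    p = M_BITS // r_bits
    ctr_s, i = divmod(period, p)
    s_u = int.from_bytes(derive_s_u(s_m, node_id, ctr_s), "big")
    return (s_u >> (M_BITS - (i + 1) * r_bits)) & ((1 << r_bits) - 1)


def seal(d: int, k: int, l_bits: int) -> int:
    """C_i^u: first l bits are D xor K, last r - l bits are K unchanged."""
    if d < 0 or d >> l_bits:
        raise ValueError("sensing data does not fit in l bits")
    return k ^ (d << AUTH_BITS)


def open_report(c: int, k: int, l_bits: int):
    """Return D_i^u, or None if the last r - l bits of C xor K are not all 0."""
    if c < 0 or c >> (l_bits + AUTH_BITS):
        return None
    x = c ^ k
    if x & ((1 << AUTH_BITS) - 1):
        return None              # authentication failed: discard the packet
    return x >> AUTH_BITS


def tally(reports: dict, s_m: bytes, period: int, l_bits: int) -> list:
    """Votes per channel, counting only reports that pass the check.

    One bit per channel ("1" = free); most significant bit = channel 0.
    """
    votes = [0] * l_bits
    for node_id, c in reports.items():
        d = open_report(c, keystream(s_m, node_id, period, l_bits), l_bits)
        if d is None:
            continue
        for ch in range(l_bits):
            votes[ch] += (d >> (l_bits - 1 - ch)) & 1
    return votes


def demo() -> list:
    # Constructed sample: a made-up S_L and three neighbours, l = 16 channels.
    s_m = derive_s_m(bytes(range(16)), ctr_m=0)
    sensed = {1: 0xC000, 2: 0x4000, 3: 0x4000}
    reports = {u: seal(d, keystream(s_m, u, 5, 16), 16) for u, d in sensed.items()}
    reports[3] ^= 1              # corrupt node 3's authentication field
    return tally(reports, s_m, 5, 16)


if __name__ == "__main__":
    print(demo())
```

With $l = 16$ the fragment length is $r = 32$, so each $S^u$ covers $p = 4$ sensing periods before `CTR_S` advances.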
Recall that a fundamental characteristic of this protocol is that there is no central entity that is known and trusted by all sensors. This makes the protocol suitable for unattended scenarios, and it also makes it more efficient in terms of data transmitted through the network, because no information is sent regarding which channels have to be sensed or which channel is finally selected. Instead, sensors are deployed with all the information needed to perform the sensing in a distributed way and make a joint decision autonomously. Thus, there is no need for additional mechanisms to be used when a new node joins the network. In this case, the new node needs to synchronize with the rest of the members to get the proper value of the session counters by making use of the corresponding protocol. However, when a node is expelled from the network because it has been compromised, new cryptographic material must be generated and distributed among the remaining nodes. The KM is responsible for triggering this process and communicates with each sensor node to update the shared long-term secret $S_L$. Note that, because the KM shares a different secret $S_i^s$ with each node $i$, it can securely distribute the new value of $S_L$. Upon reception of $S_L$, each node should perform again the initialization process described at the beginning of this section.
[Figure 5: Encrypting and authenticating sensing data. The short-term shared secret $S^u$ with node $u$ ($m$ bits) is split into keystreams $K_1^u, K_2^u, \ldots, K_p^u$ of $r$ bits each; in sensing periods 1 to $p$, the sensing data $D_1^u, \ldots, D_p^u$ ($l$ bits) produce $C_1^u, \ldots, C_p^u$, each made of the encrypted sensing data ($l$ bits) and the authentication data ($r - l$ bits).]
[Figure 6: Decrypting sensing data. In sensing period 1, $C_1^u$ ($r$ bits) is combined with keystream $K_1^u$; if the last $r - l$ bits are not all 0s, the sensing data is rejected; otherwise the sensing data $D_1^u$ ($l$ bits) is accepted.]
5. Security Analysis
The security of the proposed method relies on the shared secrets used to derive the keys and perform encryption and authentication of channel availability data. As long as these secrets are not compromised, data confidentiality can be ensured; that is, an attacker cannot obtain the list of channels to be used in the CBSN. Besides, the method must prevent an attacker from injecting fake data into the system. These issues are discussed as follows. In Section 5.1, we analyze how often the shared secrets should be updated in order to guarantee a proper protection against cryptanalysis; next, in Section 5.2, we evaluate the packet authentication method used in our proposal in terms of the probability of bypassing the authentication check.
5.1. Shared Secrets Lifetime. As previously mentioned in Section 3.1, for this analysis we are assuming that attacks come from external entities and therefore attackers are not able to obtain the cryptographic material that is stored in the body sensors. In the context of this proposal, the lifetime of each of the shared secrets is the interval in which these secrets are considered computationally safe against cryptanalysis, that is, their cryptoperiod.
The cryptoperiod directly depends on the chosen cryptographic protocols, the length of the secrets themselves, and the number of times they are used. The more a given secret is used, the shorter its cryptoperiod is, as an attacker gets more information about this secret and therefore the probability of a successful cryptanalysis increases. In fact, the cryptoperiod is defined more in terms of the number of times a given secret or key is reused (the amount of ciphertext exposed to an attacker for a given secret/key) than as a given time period, which strongly depends on the transmission rate of the sensor nodes.
Recall the three types of shared secrets used in the proposed method:
(i) Short-term per-node shared secrets: one secret $S^u$ per source node that is used to lightweight encrypt/decrypt and authenticate the channels' sensed data.
(ii) Medium-term globally shared secrets: globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.
(iii) Long-term globally shared secret: this being the initially preloaded secret $S_L$ that is used to derive a new medium-term globally shared secret $S_M$ when the current one is about to expire.
As clearly denoted in Figure 5, our approach operates in some manner as an additive stream cipher. It is well known that stream ciphers are considered to be secure as long as the key is never reused, and thus our cipher will be secure if a given value $S^u$ is not repeated. As a result, $S^u$ must be updated every $p = m/r$ sensing periods, with $p$ the renewal period, $m$ the length of the shared secret $S^u$, and $r$ the amount of transmitted bits (sensing data) in a sensing period that are encrypted with $S^u$.
Recall that, in our proposal, the per-node key used for encryption, $S^u$, is generated by means of a hash function. A second requirement is that this function must be cryptographically secure. Note that, if the hash function does not accomplish it, an attacker might be able to reverse it, that is, to get the input of the hash function given an output, meaning that in our proposal an attacker would be able to recover the value of the medium-term globally shared secret $S_M$ (see Figure 4).
A cryptographically secure hash function with an output of $m$ bits can offer a security level of $2^m$ operations against preimage attacks and $2^{m/2}$ against collision attacks. Generally speaking, a minimum output of 128 bits is required in order to provide a high level of security for most applications, but shorter lengths are accepted if the number of generated messages in a given period is limited, as is the case in low-rate networks. In Section 6, we propose several lightweight hash candidates with an output of 128 bits; that is to say, we can assume that it is computationally unfeasible for an attacker to invert the hash function, and thus to predict the value of $S_M$, as long as it is updated before exceeding its cryptoperiod, which has an upper bound of $2^{m/2} = 2^{64}$ uses.
The long-term globally shared secret $S_L$ is only used to update the current medium-term globally shared secret $S_M$. Because $S_M$ is not updated very often, it is very unlikely that an attacker manages to obtain several values of $S_M$ to reverse the hash function and recover $S_L$. As a result, we can assume that the $S_L$ cryptoperiod is long enough and there is no need to update the secret during the nodes' lifetime.
5.2. Authentication. A cryptogram $C_i^u$ of sensing data contains an authentication field of 16 bits that is checked upon reception (see Figure 6). Consequently, an attacker has a chance of 1 in $2^{16}$ of guessing the next authentication field, which allows it to forge a valid authentication field and inject fake data. Note that this attack can lead the CBSN to wrong decisions about the availability of the spectrum.
If the attacker repeatedly attempts to send valid ciphertexts, it may succeed after $2^{15}$ attempts on average. Because the attacker does not know $S^u$, the authentication field appears to it as a random stream, and therefore it must select a fake authentication field at random. Besides, the attacker cannot determine whether a given ciphertext has been accepted or rejected, because the receiver does not acknowledge the reception of such packets to the emitter. Otherwise, the attacker could take advantage of this information in order to guess a valid authentication field in a faster way.
In conventional networks, $2^{15}$ packets may seem an extremely low number, but it may provide an adequate level of security in CBSNs. In these networks, the attacker can only send fake packets during the sensing periods, which are in the order of a few milliseconds in most cognitive scenarios [31]. Moreover, as previously stated in Section 1, transmission rates in BSNs are considerably low, with values usually ranging from tens to a few hundred kilobits per second.
As an example, let us consider a 1 Mbps link, a sensing period of 10 ms, and a packet size of 10 bytes (which is clearly bigger than the typical packet size in sensor networks). Given these parameters, an attacker would only be able to send 125 packets at most in every sensing period. That is to say, the attacker would need an average of 262.144 sensing periods to send a fake packet and pass the authentication check.
6. Cost Evaluation and Comparison with Other Approaches
In this section, we evaluate the cost of our proposal in terms of energy consumption due to transmission overhead and computational cost and compare its performance with the most common approach adopted in sensor networks [32], which is providing authentication and/or encryption of the channel sensing data by means of standard block ciphers. As is well known, block ciphers have as input the message to be encrypted or authenticated, which is divided into several blocks of fixed length, and a key. Both the block length and the key length depend on the algorithm being used. Regardless of the algorithm, block ciphers can be used in several modes of operation depending on the service to be provided, that is, encryption only, authentication only, or encryption/authentication. Generally, the following modes of operation are applied.
Authentication. CBC-MAC is a block cipher mode for generating message authentication codes. The message to be authenticated is divided into several blocks of equal size, and each block is encrypted so that the value of a given block depends on the encryption of the previous block. The final output of the cipher, that is, the message authentication code or CBC-MAC, is the result of encrypting the last block of the message. When the input of the cipher is shorter than the block size (as is usually the case in sensor networks), the CBC-MAC can be obtained by directly encrypting a single block padded until the block size of the cipher is reached.
Encryption. CTR mode of operation turns a block cipher into a stream cipher, meaning that the resulting ciphertext has the same size as the input or plain text. Thus, it does not force the output length to be a multiple of the block size, as is the case with other modes such as CBC-MAC. This property makes this mode of operation suitable for encryption in sensor networks, where devices usually exchange short-length messages.
Authentication + Encryption. CCM (CTR + CBC-MAC) is a common choice for providing both encryption (CTR) and authentication (CBC-MAC) [19]. A minor variation of CCM called CCM* is used in the ZigBee standard [7].
In this work, we assume that Advanced Encryption Standard (AES) in CTR mode is used for encryption and AES CBC-MAC for authentication, as it is the current standard for symmetric cryptography even in sensor nodes [33]. Currently, there are efficient hardware implementations of AES that are highly affordable.
Regarding hardware platforms, the vast majority of previous works on BSNs have used the 16-bit Texas Instruments' (TI) MSP430 and CC2540 families of microcontrollers [34]. Built around a 16-bit CPU, ultra-low-power MSP430 microcontrollers are designed for low cost and, specifically, low-power consumption embedded applications. As an example, TI's CC2540 family [35] enables robust Bluetooth low energy (BLE) network nodes to be built with low total bill-of-material (BOM) costs. BLE operates in the same spectrum range (2.400 GHz–2.4835 GHz ISM band) as classic Bluetooth technology but uses a different set of channels: instead of 79 1 MHz channels, BLE offers 40 2 MHz channels, 3 for advertising purposes and 37 for data exchange.
6.1. Transmission/Reception Overhead. In this section, we analyze the overhead introduced by our proposal in terms of transmission/reception of channel availability data and compare it with the overhead exhibited when conventional approaches are used for data encryption/authentication, as explained above. We assume that all sensors are capable of sensing a given set of channels and report information about their state.
With our proposal, the minimum number of transmitted bits will depend on the number of channels that a given sensor is reporting, the number of bits used to code the state of each channel, and the length of the authentication code. As explained in Section 5.2, a length of 16 bits is enough to secure most applications in WSNs, and thus we have assumed this value for the authentication field. This leads to a total amount of $\mathrm{Bits}_{tx} = l + 16$ transmitted bits, where $l$ represents the total number of bits used to code all possible channels, and $\mathrm{Bits}_{rx} = (n - 1)\,\mathrm{Bits}_{tx}$ received bits, representing the number of bits received by a given sensor from its neighbors.
Aiming to provide a fair comparison, we choose the same key length for block ciphers and for our proposal, that is to say, a 128-bit key. The transmitted bits overhead added by AES CBC-MAC authentication is 128 bits (for a semantically secure implementation, also an IV or nonce must be shared between emitter and receiver, so that the overhead can be higher). Regarding encryption, the number of transmitted bits is equal to the number of bits $l$ used to code the state of the channels, but it also requires the use of a nonce with a length equal to half of the key length, that is, 64 bits per message.
During every sensing period, every node must transmit a packet with sensing information but also must process the packets received from its neighbors. Table 1 and Figure 7, respectively, show the transmission and reception overhead due to the secure sharing of sensing information using both standard block ciphers and our proposal. The values are provided as a function of the number of bits $l$ used to code the state of the channels and the number of nodes $N$, ranging from 5 to 30. Given that the considered scenario is a body sensor network, this is more than a reasonable value, since a patient wearing more than 30 sensors may be an unlikely situation.
The reader may notice that the overhead introduced by this mechanism increases linearly with the number of nodes for both approaches. However, with the proposed method, the transmission/reception overhead is considerably reduced with respect to the use of standard block ciphers while still maintaining an acceptable level of security. In fact, the more the nodes in the CBSN, the bigger the improvement introduced by the former. As we will show later, the transmission/reception savings lead to a huge saving also in energy consumption.
6.2. Computational Cost. In this section, we provide a comparison of the CPU cost in cycles due to the implementation of the cryptographic functions.
If AES is used, the total cryptographic cost per node for securing the exchange of sensing data equals the cost of one encryption and $N - 1$ decryptions. Assuming the Texas Instruments' reference AES implementation for CC2540 microcontrollers [36], AES encryption needs 6600 cycles/block and AES decryption 8400 cycles/block.
With our proposal, the energy consumption has three components: the computation of the different sequences $S_i^u$ with the hash function before the sensing period begins, the XOR of the keystream $K_i^u$ with the sequence $D_i^u$ that signals the availability of channels, and the XOR of the sequences $C_i^u$ received from neighbors with the precomputed $S_i^u$. Therefore, a node must compute $N$ hashes and perform $N$ XORs to send channel information and process the reports received from its neighbors.

Table 1: Transmission overhead.

Scheme                                          l (bits)   Overhead (bits)
Authentication only (CBC-MAC)                   16         128
                                                32         128
                                                64         128
Encryption only (CTR)                           16         80
                                                32         96
                                                64         128
Authentication and encryption (CCM)             16         208
                                                32         224
                                                64         256
Authentication and encryption (our proposal)    16         32
                                                32         48
                                                64         80

[Figure 7: Reception overhead for a varying number of nodes $N$. Axes: number of nodes ($N$), 5 to 30; reception overhead (bytes), 0 to 1000. Curves: CBC-MAC ($l$ = 16, 32, 64); CTR, CCM, and ours, each for $l$ = 16, 32, and 64.]
As per [37], an XOR operation with an MSP430 accounts for 4-5 cycles/byte. Assuming a 128-bit hash function and the worst case, every XOR in our proposal accounts for $5 \cdot 16 = 80$ cycles. As previously explained in Section 5.1, we suggest the use of a lightweight cryptographic hash function specifically suited for low-end devices, with an output of 128 bits. Table 2 depicts the number of CPU cycles per block needed [38] for two potential candidates. As clearly seen in the table, computing one of these hash functions requires only a few tens of cycles/block. In the following, for this analysis, we will consider the (stripped) MAME hash function, as it is a pure hash function that does not rely on a symmetric cipher and requires more CPU cycles (worst case).

Table 2: Cycles per block for different cryptographic hash functions.

Algorithm          Hash output size   Cycles/block
(Stripped) MAME    128                96
H-PRESENT-128      128                32

Taking into account the previous data Figure 8 showsthe CPU cycles consumed with both our proposal (with aMAME hash function) and standard AES-128 security It canbe clearly seen that our proposal scales much better withthe number of nodes while still providing an appropriatelevel of security We do not provide values for the processtime that is the time needed for key generation encryptiondecryption and data authentication but the number of CPUcycles required to execute each function In this way timevalues can be obtained for a particular sensor node accordingto its CPU features
63 Total Energy Cost Table 3 provides the transmission andreception energy consumption of a TIrsquos CC2540 microcon-troller for different modes and values of transmission powerThe displayed values have been tested under 25∘CWe do nothave values for in-body conditions (asymp38∘C) but we presentthese data for reference purposes In any case this fact onlyaffects the energy consumption for receivingtransmittingNote that the total cost in terms of energy is much highersince it should also account for duty cycles state changes andother parameters [39]
There is no single specific "energy per CPU cycle" value, since the cycle consumption depends on the type of CPU operation. Anyway, in [34] the authors measured that the TI's MSP430F1611 consumes energy at an average of 0.72 nJ per clock cycle, and we have adopted such value in our study.
Figure 9 shows the total average energy consumption as a function of the number of neighboring sensor nodes and the number $l$ of bits used to code the channels, for the proposed mechanism and standard approaches: CCM (authentication and encryption), CTR (encryption only), and CBC-MAC (authentication only). We have assumed standard reception and short-range transmission of −6 dBm (see Table 3).
As clearly denoted in the figure, our method only requires a few tens of µJ regardless of the number of sensor nodes, while AES-based security requires higher values of energy, ranging from 35 µJ to almost 240 µJ when encryption and authentication are provided and for 30 sensor nodes. The larger the number of sensor nodes, the bigger the improvement introduced by our proposal.
It must be remarked, however, that the purpose of this figure is to provide reference values to be taken into account for future implementations. Besides, the level of security provided by our method is lower than AES-based methods but still is more than adequate given the features of CBSNs (transmission rate, number of sent messages, etc.) and given the fact that the data we are trying to protect are just a limited number of potential channels to be used for operation of the network.
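A cost model that recomputes the quantities plotted in Figures 8 and 9 from the per-operation values quoted in Section 6, as an added Python example rather than the authors' own evaluation code. Assumptions: every AES mode is charged one encryption plus N − 1 decryptions, each hash takes one block, and radio energy is charged only on the overhead bits of Table 1 at the RX standard and TX −6 dBm rates of Table 3.

```python
# Per-operation costs quoted on the page (Section 6, Tables 2 and 3).
AES_ENC_CYCLES = 6600    # cycles/block, TI reference AES implementation [36]
AES_DEC_CYCLES = 8400    # cycles/block
HASH_CYCLES = 96         # (stripped) MAME, worst case of Table 2
XOR_CYCLES = 5 * 16      # worst-case XOR over a 128-bit value [37]
NJ_PER_CYCLE = 0.72      # MSP430F1611 average energy per clock cycle [34]
RX_NJ_PER_BYTE = 58.8    # CC2540, RX standard (Table 3)
TX_NJ_PER_BYTE = 71.4    # CC2540, TX -6 dBm (Table 3)

SCHEMES = ("CBC-MAC", "CTR", "CCM", "Ours")


def overhead_bits(scheme: str, l_bits: int) -> int:
    """Bits sent per sensing period, following Table 1."""
    if scheme == "CBC-MAC":
        return 128                    # one full AES block as MAC
    if scheme == "CTR":
        return l_bits + 64            # ciphertext plus 64-bit nonce
    if scheme == "CCM":
        return l_bits + 64 + 128      # CTR part plus CBC-MAC part
    if scheme == "Ours":
        return l_bits + 16            # channel bits plus 16-bit auth field
    raise ValueError(f"unknown scheme: {scheme}")


def cpu_cycles(scheme: str, n_nodes: int) -> int:
    """Cycles one node spends per sensing period on cryptography."""
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme: {scheme}")
    if scheme == "Ours":
        # N hashes and N XORs; one hash block per hash is an assumption.
        return n_nodes * (HASH_CYCLES + XOR_CYCLES)
    # One encryption of the node's own report, N - 1 decryptions of neighbors'.
    return AES_ENC_CYCLES + (n_nodes - 1) * AES_DEC_CYCLES


def energy_uj(scheme: str, l_bits: int, n_nodes: int) -> float:
    """Added energy per sensing period in microjoules (CPU plus radio)."""
    tx_bytes = overhead_bits(scheme, l_bits) / 8
    rx_bytes = (n_nodes - 1) * tx_bytes   # one report from every neighbor
    radio_nj = tx_bytes * TX_NJ_PER_BYTE + rx_bytes * RX_NJ_PER_BYTE
    cpu_nj = cpu_cycles(scheme, n_nodes) * NJ_PER_CYCLE
    return (cpu_nj + radio_nj) / 1000.0


def cost_table(node_counts=(5, 10, 15, 20, 25, 30), l_values=(16, 32, 64)):
    """Rows of (scheme, l, N, overhead bits, CPU cycles, energy in uJ)."""
    return [
        (s, l, n, overhead_bits(s, l), cpu_cycles(s, n), energy_uj(s, l, n))
        for s in SCHEMES
        for l in l_values
        for n in node_counts
    ]


if __name__ == "__main__":
    for row in cost_table():
        print("{:8s} l={:2d} N={:2d} bits={:3d} cycles={:6d} E={:7.2f} uJ".format(*row))
```

Under these assumptions the CCM case with l = 64 and 30 nodes comes out just under 240 µJ, in line with the upper value quoted above.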
Table 3: Current/energy consumption for RX/TX tested on Texas Instruments CC2540 EM with $T_A$ = 25°C, with no peripherals active and low MCU activity at 250 kHz.

| Test conditions | Current | Energy/byte |
|---|---|---|
| RX standard | 19.6 mA | 58.8 nJ |
| RX high gain | 22.1 mA | 66.3 nJ |
| TX −23 dBm | 21.1 mA | 63.3 nJ |
| TX −6 dBm | 23.8 mA | 71.4 nJ |
| TX 0 dBm | 27 mA | 81 nJ |
| TX 4 dBm | 31.6 mA | 94.8 nJ |
[Figure 8: Added CPU cycles for a secure exchange of sensing data. Plot not reproduced; axes: CPU cycles versus number of nodes (N); curves: AES (l = 16, 32, 64) and Ours (l = 16, 32, 64).]
Indeed, this mechanism introduces some overhead due to spectrum sensing and sharing of channel information and, as we pointed out above, the overhead increases linearly with the number of nodes in the network. The synchronization protocol adds some overhead too, but the increase will strongly depend on the chosen protocol. In [29] some protocols with high energy efficiency are referenced, which could be used in our proposal.
Despite this, we claim that it is definitely worth introducing this overhead to increase the availability of the network and make it robust to potential interferences and DoS attacks. Under these undesired situations, the current channel used by the CBSN may become unavailable, but the proposed method allows the nodes to securely agree on a new channel of operation and rapidly resume their transmissions. It must be remarked that securing channel availability information may prevent, or at least diminish, the effect of further DoS attacks when switching to a new channel.
We do not quantify the benefits of applying our method in terms of attack mitigation because it strongly depends on the capabilities of the attacker (time required for sensing each channel, number of channels that it can sense, etc.). As future work, it would be interesting to estimate the improvement achieved by our approach in terms of throughput of the CBSNs connections and the tradeoff between benefits and overhead.

[Figure 9: Added energy costs for a TI's MSP430F1611 with a TI's CC2540 microcontroller. Plot not reproduced; axes: energy cost (µJ) versus number of nodes (N); curves: CBC-MAC (l = 16, 32, 64), CTR, CCM, and Ours, each for l = 16, 32, and 64.]
7 Conclusions
Body sensor networks (BSNs) emerge as an optimal solution for ensuring constant and remote monitoring of the health status in patients. Recent advances in technology have made it possible to deploy a network of tiny sensors over the human body, and even in body, which can measure vital signs such as temperature, heart rate, or the level of glucose and report these data to medical personnel.
Guaranteeing the availability of such communications is a must, as long as connectivity losses during emergency situations may prevent a patient from immediately receiving medical assistance and may end up in catastrophic results.
A new network paradigm known as cognitive body sensor networks (CBSNs) could mitigate this threat by allowing body sensors to operate in a wide range of frequencies and adapt their transmission parameters according to highly dynamic environment conditions. However, this would come at the expense of implementing cooperative spectrum sensing mechanisms that allow sensors to exchange information about channel quality and availability. As a consequence, CBSNs might become vulnerable to specific attacks that are targeted at these mechanisms.
In this paper we presented a novel and simple method to secure the sensing process in a CBSN and improve its availability. The method relies on cryptographic primitives that require a minimum amount of memory and low energy consumption, thus being more suited for devices with limited resources than traditional approaches. It offers authentication and encryption of control data shared by the sensors in the CBSN to agree on a given channel.
Our proposal was analyzed in terms of security, and we showed that although it does not provide the same level of security as AES-based encryption and authentication, it is still sufficient for low packet rate networks such as CBSNs. The provided results also showed that our method outperforms existing approaches in terms of transmission/reception overhead and number of CPU cycles needed, particularly as the number of sensor nodes increases. For typical microcontrollers such as CC2540 and MSP430, the improvement in energy consumption clearly justifies the use of the proposed method against AES-based mechanisms in constrained networks such as CBSNs, in which maximizing the network life is extremely important.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgment
This work has been partially supported by the Spanish government under grant TEC2011-22746 "TAMESIS" and by the Ministry of Economy and Competitiveness through the projects CO-PRIVACY (TIN2011-27076-C03-02) and SMARTGLACIS (TIN2014-57364-C2-2-R).
References
[1] B. Latre, B. Braem, I. Moerman, C. Blondia, and P. Demeester, "A survey on wireless body area networks," Wireless Networks, vol. 17, no. 1, pp. 1–18, 2011.
[2] S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, "Wireless body area networks: a survey," IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014.
[3] 802.15.6-2012 - IEEE Standard for Local and metropolitan area networks - Part 15.6: Wireless Body Area Networks, 2012, http://standards.ieee.org/getieee802/download/802.15.6-2012.pdf.
[4] Bluetooth Low Energy (LE), June 2014, http://www.bluetooth.com/Pages/low-energy-tech-info.aspx.
[5] The ANT+ Alliance, 2014, http://www.thisisant.com.
[6] Wi-Fi Alliance, June 2014, http://www.wi-fi.org.
[7] Zigbee Alliance, June 2014, http://www.zigbee.org.
[8] M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, "SoK: security and privacy in implantable medical devices and body area networks," in Proceedings of the 35th IEEE Symposium on Security and Privacy (SP '14), pp. 524–539, San Jose, Calif, USA, May 2014.
[9] I. F. Akyildiz, W.-Y. Lee, M. C. Vuran, and S. Mohanty, "NeXt generation/dynamic spectrum access/cognitive radio wireless networks: a survey," Computer Networks, vol. 50, no. 13, pp. 2127–2159, 2006.
[10] B. Wang and K. J. R. Liu, "Advances in cognitive radio networks: a survey," IEEE Journal of Selected Topics in Signal Processing, vol. 5, no. 1, pp. 5–23, 2011.
[11] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in unknown dynamic environment: a game-theoretic stochastic learning solution," IEEE Transactions on Wireless Communications, vol. 11, no. 4, pp. 1380–1391, 2012.
[12] D. Cavalcanti, S. Das, J. Wang, and K. Challapali, "Cognitive radio based wireless sensor networks," in Proceedings of the 17th International Conference on Computer Communications and Networks (ICCCN '08), pp. 1–6, August 2008.
[13] O. Leon, J. Hernandez-Serrano, and M. Soriano, "Securing cognitive radio networks," International Journal of Communication Systems, vol. 23, no. 5, pp. 633–652, 2010.
[14] M. Rostami, A. Juels, and F. Koushanfar, "Heart-to-Heart (H2H): authentication for implanted medical devices," in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 1099–1111, ACM, Berlin, Germany, November 2013.
[15] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun, "Proximity-based access control for implantable medical devices," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 410–419, Chicago, Ill, USA, November 2009.
[16] L. Shi, M. Li, S. Yu, and J. Yuan, "BANA: body area network authentication exploiting channel characteristics," IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1803–1816, 2013.
[17] C. C. Tan, S. Zhong, H. Wang, and Q. Li, "Body sensor network security: an identity-based cryptography approach," in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 148–153, April 2008.
[18] O. Garcia-Morchon, T. Falck, T. Heer, and K. Wehrle, "Security for pervasive medical sensor networks," in Proceedings of the 6th Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous '09), pp. 1–10, Toronto, Canada, July 2009.
[19] G. Selimis, L. Huang, F. Masse, et al., "A lightweight security scheme for wireless body area networks: design, energy evaluation and proposed microprocessor design," Journal of Medical Systems, vol. 35, no. 5, pp. 1289–1298, 2011.
[20] Y. Yan and T. Shu, "Energy-efficient In-network encryption/decryption for wireless body area sensor networks," in Proceedings of the IEEE Global Communications Conference (GLOBECOM '14), pp. 2442–2447, IEEE, Austin, Tex, USA, December 2014.
[21] Y. Xu, A. Anpalagan, Q. Wu, L. Shen, Z. Gao, and J. Wang, "Decision-theoretic distributed channel selection for opportunistic spectrum access: strategies, challenges and solutions," IEEE Communications Surveys and Tutorials, vol. 15, no. 4, pp. 1689–1713, 2013.
[22] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in cognitive radio networks: global optimization using local interaction games," IEEE Journal on Selected Topics in Signal Processing, vol. 6, no. 2, pp. 180–194, 2012.
[23] R. Chavez-Santiago, K. E. Nolan, O. Holland, et al., "Cognitive radio for medical body area networks using ultra wideband," IEEE Wireless Communications, vol. 19, no. 4, pp. 74–81, 2012.
[24] A. R. Syed and K.-L. A. Yau, "On cognitive radio-based wireless body area networks for medical applications," in Proceedings of the 1st IEEE Symposium on Computational Intelligence in Healthcare and e-Health (CICARE '13), pp. 51–57, Singapore, April 2013.
[25] R. Chen, J.-M. Park, and K. Bian, "Robust distributed spectrum sensing in cognitive radio networks," in Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM '08), pp. 1876–1884, IEEE, Phoenix, Ariz, USA, April 2008.
[26] H. Rifa-Pous, M. J. Blasco, and C. Garrigues, "Review of robust cooperative spectrum sensing techniques for cognitive radio networks," Wireless Personal Communications, vol. 67, no. 2, pp. 175–198, 2012.
[27] B. Braem, B. Latre, C. Blondia, I. Moerman, and P. Demeester, "Analyzing and improving reliability in multi-hop body sensor networks," International Journal on Advances in Internet Technology, vol. 2, no. 1, pp. 152–161, 2009.
[28] I. F. Akyildiz, B. F. Lo, and R. Balakrishnan, "Cooperative spectrum sensing in cognitive radio networks: a survey," Physical Communication, vol. 4, no. 1, pp. 40–62, 2011.
[29] B. Sundararaman, U. Buy, and A. D. Kshemkalyani, "Clock synchronization for wireless sensor networks: a survey," Ad Hoc Networks, vol. 3, no. 3, pp. 281–323, 2005.
[30] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems - CHES 2008: 10th International Workshop, Washington, DC, USA, August 10–13, 2008. Proceedings, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[31] C. Cordeiro, K. Challapali, D. Birru, and N. Sai Shankar, "IEEE 802.22: the first worldwide wireless standard based on cognitive radios," in Proceedings of the 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN '05), pp. 328–337, Baltimore, Md, USA, November 2005.
[32] S. Ullah, H. Higgins, B. Braem, et al., "A comprehensive survey of wireless body area networks: on PHY, MAC, and network layers solutions," Journal of Medical Systems, vol. 36, no. 3, pp. 1065–1094, 2012.
[33] N. Sastry and D. Wagner, "Security considerations for IEEE 802.15.4 networks," in Proceedings of the ACM Workshop on Wireless Security (WiSe '04), pp. 32–42, Philadelphia, Pa, USA, October 2004.
[34] M. Pajic, Z. Jiang, I. Lee, O. Sokolsky, and R. Mangharam, "From verification to implementation: a model translation tool and a pacemaker case study," in Proceedings of the 18th IEEE Real Time and Embedded Technology and Applications Symposium (RTAS '12), pp. 173–184, Beijing, China, April 2012.
[35] CC2540 2.4-GHz Bluetooth low energy System-on-Chip, 2013, http://www.ti.com/lit/ds/symlink/cc2540.pdf.
[36] U. Kretzschmar, "AES128 - a C implementation for encryption and decryption MSP430 systems ECCN 5E002 TSPA - technology/software publicly," Application Report SLAA397A, Texas Instruments, Dallas, Tex, USA, 2009, http://www.ti.com.cn/cn/lit/an/slaa397a/slaa397a.pdf.
[37] El Barquero Aqueronte, MSP430: Cycles and Instructions, edited by Aqueronte, 2011, http://unbarquero.blogspot.com.es/2011/05/msp430-cycles-and-instructions.html.
[38] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems - CHES 2008, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[39] S. Kamath and J. Lindh, "Measuring bluetooth low energy power consumption," Application Note AN092, Texas Instruments, Dallas, Tex, USA, 2012, Version SWRA347a, http://www.ti.com/lit/an/swra347a/swra347a.pdf.
[Figure 5: Encrypting and authenticating sensing data. Diagram not reproduced; labels: the short-term shared secret with node u, $S^u$ (m bits), split into keystreams $K^u_1, K^u_2, \ldots, K^u_p$ (r bits each); for sensing periods 1 to p, the sensing data (l bits) and the authentication data (r − l bits) forming $D^u_1, \ldots, D^u_p$; and the encrypted outputs $C^u_1, \ldots, C^u_p$.]

[Figure 6: Decrypting sensing data. Diagram not reproduced; labels: the short-term shared secret with node u, $S^u$ (m bits), split into keystreams $K^u_1, K^u_2, \ldots, K^u_p$ (r bits each); for sensing period 1, $C^u_1$ and $D^u_1$ (r bits), the sensing data (l bits), and a test "If ≠ 0's" on the remaining r − l bits that selects between "Accept sensing data" and "Reject sensing data".]
a distributed way and make a joint decision autonomously. Thus, there is no need for additional mechanisms to be used when a new node joins the network. In this case, the new node needs to synchronize with the rest of the members to get the proper value of the session counters by making use of the corresponding protocol. However, when a node is expelled from the network because it has been compromised, new cryptographic material must be generated and distributed among the remaining nodes. The KM is responsible for triggering this process and communicates with each sensor node to update the shared long-term secret $S_L$. Note that because the KM shares a different secret $S^s_i$ with each node $i$, it can securely distribute the new value of $S_L$. Upon reception of $S_L$, each node should perform again the initialization process described at the beginning of this section.
5 Security Analysis
The security of the proposed method relies on the shared secrets used to derive the keys and perform encryption and authentication of channel availability data. As long as these secrets are not compromised, data confidentiality can be ensured; that is, an attacker might not be able to get the list of channels to be used in the CBSN. Besides, the method must prevent an attacker from injecting fake data into the system. These issues are discussed as follows. In Section 5.1 we analyze how often the shared secrets should be updated in order to guarantee a proper protection against cryptanalysis; next, in Section 5.2, we evaluate the packet authentication method used in our proposal in terms of probability of bypassing the authentication check.
5.1. Shared Secrets Lifetime. As previously mentioned in Section 3.1, for this analysis we are assuming that attacks come from external entities and therefore attackers are not able to obtain the cryptographic material that is stored in the body sensors. In the context of this proposal, the lifetime of each of the shared secrets is the interval in which these secrets are considered computationally safe against cryptanalysis, that is, their cryptoperiod.
The cryptoperiod depends directly on the chosen cryptographic protocols, the length of the secrets themselves, and the number of times they are used. The more a given secret is used, the shorter its cryptoperiod is, as an attacker gets more information about this secret and therefore the probability of a successful cryptanalysis increases. In fact, the cryptoperiod is defined more in terms of the number of times a given secret or key is reused (the amount of ciphertext exposed to an attacker for a given secret/key) than as a given time period, which strongly depends on the transmission rate of the sensor nodes.
Recall the three types of shared secrets used in the proposed method:

(i) Short-term per-node shared secrets: one secret $S^u$ per source node that is used to lightweight encrypt/decrypt and authenticate the channels' sensed data.
(ii) Medium-term globally shared secrets: globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.
(iii) Long-term globally shared secret: this being the initially preloaded secret $S_L$ that is used to derive a new medium-term globally shared secret $S_M$ when the current one is about to expire.
As clearly denoted in Figure 5, our approach operates in some manner as an additive stream cipher. It is well known that stream ciphers are considered to be secure as long as the key is never reused, and thus our cipher will be secure if a given value $S^u$ is not repeated. As a result, $S^u$ must be updated every $p = m/r$ sensing periods, with $p$ the renewal period, $m$ the length of the shared secret $S^u$, and $r$ the amount of transmitted bits (sensing data) in a sensing period that are encrypted with $S^u$.
Recall that in our proposal the per-node key used for encryption, $S^u$, is generated by means of a hash function. A second requirement is that this function must be cryptographically secure. Note that if the hash function does not meet this requirement, an attacker might be able to reverse it, that is, to get the input of the hash function given an output, meaning that in our proposal an attacker would be able to recover the value of the medium-term globally shared secret $S_M$ (see Figure 4).

A cryptographically secure hash function with an output of $m$ bits can offer a security level of $2^m$ operations against preimage attacks and $2^{m/2}$ against collision attacks. Generally speaking, a minimum output of 128 bits is required in order to provide a high level of security for most applications, but shorter lengths are accepted if the number of generated messages in a given period is limited, as is the case in low-rate networks. In Section 6 we propose several lightweight hash candidates with an output of 128 bits; that is to say, we can assume that it is computationally unfeasible for an attacker to invert the hash function and thus to predict the value of $S_M$ as long as it is updated before exceeding its cryptoperiod, which has an upper bound of $2^{m/2} = 2^{64}$ uses.
The long-term globally shared secret $S_L$ is only used to update the current medium-term globally shared secret $S_M$. Because $S_M$ is not updated very often, it is very unlikely that an attacker manages to obtain several values of $S_M$ to reverse the hash function and recover $S_L$. As a result, we can assume that the $S_L$ cryptoperiod is long enough and there is no need to update the secret during the nodes' lifetime.
5.2. Authentication. A cryptogram $C^u_i$ of sensing data contains an authentication field of 16 bits that is checked upon reception (see Figure 6). Consequently, an attacker has a chance of 1 in $2^{16}$ of guessing the next authentication field, which allows it to forge a valid authentication field and inject fake data. Note that this attack can lead the CBSN to wrong decisions about the availability of the spectrum.
If the attacker repeatedly attempts to send valid ciphertexts, it may succeed after $2^{15}$ attempts on average. Because the attacker does not know $S^u$, the authentication field appears to it as a random stream, and therefore it must select a fake authentication field at random. Besides, the attacker cannot determine whether a given ciphertext has been accepted or rejected, because the receiver does not acknowledge the reception of such packets to the emitter. Otherwise, the attacker could take advantage of this information in order to guess a valid authentication field in a faster way.
In conventional networks, $2^{15}$ packets may seem an extremely low number, but it may provide an adequate level of security in CBSNs. In these networks, the attacker can only send fake packets during the sensing periods, which are in the order of a few milliseconds in most cognitive scenarios [31]. Moreover, as previously stated in Section 1, transmission rates in BSNs are considerably low, with values usually ranging from tens to a few hundred kilobits per second.
As an example, let us consider a 1 Mbps link, a sensing period of 10 ms, and a packet size of 10 bytes (which is clearly bigger than the typical packet size in sensor networks). Given these parameters, an attacker would only be able to send 125 packets at most in every sensing period. That is to say, the attacker would need an average of 262144 sensing periods to send a fake packet and pass the authentication check.
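The encrypt/check flow of Figures 5 and 6 and the 1-in-$2^{16}$ acceptance chance of Section 5.2, as an added Python example that is not the authors' code. Assumptions: SHA-256 truncated to 128 bits stands in for the lightweight hash, the derivation $S^u = H(S_M \| u \| \text{epoch})$ is hypothetical, and the authentication field is 16 zero bits appended before the XOR (inferred from the "≠ 0's" test of Figure 6).

```python
import hashlib
import hmac
from typing import Optional

M_BITS = 128      # m: length of the short-term secret S^u (128-bit hash output)
AUTH_BITS = 16    # length of the authentication field (Section 5.2)


def h128(data: bytes) -> bytes:
    """Stand-in 128-bit hash: truncated SHA-256 (assumption, not MAME/H-PRESENT)."""
    return hashlib.sha256(data).digest()[: M_BITS // 8]


def renewal_period(l_bits: int) -> int:
    """p = m / r rounded down: sensing periods that one S^u can serve."""
    r_bits = l_bits + AUTH_BITS
    if l_bits <= 0 or l_bits % 8 or r_bits > M_BITS:
        raise ValueError("l must be a positive multiple of 8 with l + 16 <= m")
    return M_BITS // r_bits


def keystream(s_m: bytes, node_id: int, period: int, l_bits: int) -> bytes:
    """K^u_i: the r-bit slice of S^u reserved for sensing period i."""
    epoch, slot = divmod(period, renewal_period(l_bits))
    # Hypothetical derivation: S^u = H(S_M || u || epoch). A new epoch starts
    # every p periods, so no slice of S^u is used for two sensing periods.
    s_u = h128(s_m + node_id.to_bytes(2, "big") + epoch.to_bytes(4, "big"))
    r_bytes = (l_bits + AUTH_BITS) // 8
    return s_u[slot * r_bytes : (slot + 1) * r_bytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(s_m: bytes, node_id: int, period: int, sensing: bytes) -> bytes:
    """Sender side: C^u_i = D^u_i XOR K^u_i, with D^u_i = sensing data || zeros."""
    d = sensing + bytes(AUTH_BITS // 8)
    return xor(d, keystream(s_m, node_id, period, len(sensing) * 8))


def accept(s_m: bytes, node_id: int, period: int,
           cryptogram: bytes, l_bits: int) -> Optional[bytes]:
    """Receiver side: return the sensing data, or None if the check fails."""
    r_bytes = (l_bits + AUTH_BITS) // 8
    if len(cryptogram) != r_bytes:
        return None
    d = xor(cryptogram, keystream(s_m, node_id, period, l_bits))
    data, auth = d[: l_bits // 8], d[l_bits // 8 :]
    # Reject unless the decrypted authentication field is all zeros.
    if not hmac.compare_digest(auth, bytes(AUTH_BITS // 8)):
        return None
    return data


def accepted_auth_values(s_m: bytes, node_id: int, period: int, body: bytes) -> int:
    """How many of the 2^16 authentication-field values the receiver accepts."""
    l_bits = len(body) * 8
    return sum(
        accept(s_m, node_id, period, body + tag.to_bytes(2, "big"), l_bits) is not None
        for tag in range(1 << AUTH_BITS)
    )


if __name__ == "__main__":
    s_m = bytes(range(16))                    # constructed sample secret S_M
    c = protect(s_m, 7, 5, b"\x0f\xf0")       # node 7, period 5, l = 16
    print(c.hex(), accept(s_m, 7, 5, c, 16))
    print("accepted fields:", accepted_auth_values(s_m, 7, 5, b"\x00\x00"))
```

For a fixed period and message body exactly one authentication-field value is accepted, so a sender that does not know $S^u$ passes the check with probability $2^{-16}$ per packet.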
6 Cost Evaluation and Comparison with Other Approaches
In this section we evaluate the cost of our proposal in terms of energy consumption due to transmission overhead and computational cost and compare its performance with the most common approach adopted in sensor networks [32], which is providing authentication and/or encryption of the channel sensing data by means of standard block ciphers. As is well known, block ciphers have as input the message to be encrypted or authenticated, which is divided into several blocks of fixed length, and a key. Both the block length and the key length depend on the algorithm being used. Regardless of the algorithm, block ciphers can be used in several modes of operation depending on the service to be provided, that is, encryption only, authentication only, or encryption/authentication. Generally, the following modes of operation are applied.
Authentication. CBC-MAC is a block cipher mode for generating message authentication codes. The message to be authenticated is divided into several blocks of equal size, and each block is encrypted so that the value of a given block depends on the encryption of the previous block. The final output of the cipher, that is, the message authentication code or CBC-MAC, is the result of encrypting the last block of the message. When the input of the cipher is shorter than the block size (as is usually the case in sensor networks), the CBC-MAC can be obtained by directly encrypting a single block padded until the block size of the cipher is reached.
Encryption. CTR mode of operation turns a block cipher into a stream cipher, meaning that the resulting ciphertext has the same size as the input or plain text. Thus, it does not force the output length to be a multiple of the block size, as is the case with other modes such as CBC-MAC. This property makes this mode of operation suitable for encryption in sensor networks, where devices usually exchange short-length messages.
Authentication + Encryption. CCM (CTR + CBC-MAC) is a common choice for providing both encryption (CTR) and authentication (CBC-MAC) [19]. A minor variation of CCM called CCM* is used in the ZigBee standard [7].
In this work we assume that Advanced Encryption Standard (AES) in CTR mode is used for encryption and AES CBC-MAC for authentication, as it is the current standard for symmetric cryptography, even in sensor nodes [33]. Currently there are efficient hardware implementations of AES that are highly affordable.
Regarding hardware platforms, the vast majority of previous works on BSNs have used the 16-bit Texas Instruments' (TI) MSP430 and CC2540 families of microcontrollers [34]. Built around a 16-bit CPU, ultra-low-power MSP430 microcontrollers are designed for low cost and specifically low-power consumption embedded applications. As an example, TI's CC2540 family [35] enables robust Bluetooth low energy (BLE) network nodes to be built with low total bill-of-material (BOM) costs. BLE operates in the same spectrum range (2.400 GHz–2.4835 GHz ISM band) as classic Bluetooth technology but uses a different set of channels: instead of 79 1-MHz channels, BLE offers 40 2-MHz channels, 3 for advertising purposes and 37 for data exchange.
6.1. Transmission/Reception Overhead. In this section we analyze the overhead introduced by our proposal in terms of transmission/reception of channel availability data and compare it with the overhead exhibited when conventional approaches are used for data encryption/authentication, as explained above. We assume that all sensors are capable of sensing a given set of channels and report information about their state.
With our proposal, the minimum number of transmitted bits will depend on the number of channels that a given sensor is reporting, the number of bits used to code the state of each channel, and the length of the authentication code. As explained in Section 5.2, a length of 16 bits is enough to secure most applications in WSNs, and thus we have assumed this value for the authentication field. This leads to a total amount of $\mathrm{Bits}_{tx} = l + 16$ transmitted bits, where $l$ represents the total number of bits used to code all possible channels, and $\mathrm{Bits}_{rx} = (n - 1)\,\mathrm{Bits}_{tx}$ received bits, representing the number of bits received by a given sensor from its neighbors.

Aiming to provide a fair comparison, we choose the same key length for block ciphers and for our proposal, that is to say, a 128-bit key. The transmitted bits overhead added by AES CBC-MAC authentication is 128 bits (for a semantically secure implementation, an IV or nonce must also be shared between emitter and receiver, so the overhead can be higher). Regarding encryption, the number of transmitted bits is equal to the number of bits $l$ used to code the state of the channels, but it also requires the use of a nonce with a length equal to half of the key length, that is, 64 bits per message.
During every sensing period, every node must transmit a packet with sensing information but also must process the packets received from its neighbors. Table 1 and Figure 7, respectively, show the transmission and reception overhead due to the secure sharing of sensing information using both standard block ciphers and our proposal. The values are provided as a function of the number of bits $l$ used to code the state of the channels and the number of nodes $N$, ranging from 5 to 30. Given that the considered scenario is a body sensor network, this is more than a reasonable value, since a patient wearing more than 30 sensors may be an unlikely situation.
The reader may notice that the overhead introduced by this mechanism increases linearly with the number of nodes for both approaches. However, with the proposed method the transmission/reception overhead is considerably reduced with respect to the use of standard block ciphers while still maintaining an acceptable level of security. In fact, the more the nodes in the CBSN, the bigger the improvement introduced by the former. As we will show later, the transmission/reception savings lead to a huge saving also in energy consumption.
6.2. Computational Cost. In this section we provide a comparison of the CPU cost in cycles due to the implementation of the cryptographic functions.
If AES is used, the total cryptographic cost per node for securing the exchange of sensing data equals the cost of one encryption and $N - 1$ decryptions. Assuming the Texas Instruments' reference AES implementation for CC2540 microcontrollers [36], AES encryption needs 6600 cycles/block and AES decryption 8400 cycles/block.
With our proposal, the energy consumption has three components: the computation of the different sequences $S^u_i$ with the hash function before the sensing period begins, the XOR of the keystream $K^u_i$ with the sequence $D^u_i$ that signals the availability of channels, and the XOR of the sequences $C^u_i$ received from neighbors with the precomputed $S^u_i$. Therefore, a node must compute $N$ hashes and perform $N$ XORs to send channel information and process the reports received from its neighbors.

Table 1: Transmission overhead.

| Scheme | l (bits) | Overhead (bits) |
|---|---|---|
| Authentication only (CBC-MAC) | 16 | 128 |
| Authentication only (CBC-MAC) | 32 | 128 |
| Authentication only (CBC-MAC) | 64 | 128 |
| Encryption only (CTR) | 16 | 80 |
| Encryption only (CTR) | 32 | 96 |
| Encryption only (CTR) | 64 | 128 |
| Authentication and encryption (CCM) | 16 | 208 |
| Authentication and encryption (CCM) | 32 | 224 |
| Authentication and encryption (CCM) | 64 | 256 |
| Authentication and encryption (our proposal) | 16 | 32 |
| Authentication and encryption (our proposal) | 32 | 48 |
| Authentication and encryption (our proposal) | 64 | 80 |

[Figure 7: Reception overhead for a varying number of nodes N. Plot not reproduced; axes: reception overhead (bytes) versus number of nodes (N); curves: CBC-MAC (l = 16, 32, 64), CTR, CCM, and Ours, each for l = 16, 32, and 64.]
As per [37], XOR operation with a MSP430 accounts for 4-5 cycles/byte. Assuming a 128-bit hash function and the worst case, every XOR in our proposal accounts for $5 \cdot 16 = 80$ cycles. As previously explained in Section 5.1, we suggest the use of a lightweight cryptographic hash function specifically suited for low-end devices, with an output of 128 bits. Table 2 depicts the number of CPU cycles per block needed [38] for two potential candidates. As clearly seen in the table, computing one of these hash functions requires only a few tens of cycles/block. In the following, for this analysis we will consider the (stripped) MAME hash function, as it is a pure hash function that does not rely on a symmetric cipher and requires more CPU cycles (worst case).
Table 2: Cycles per block for different cryptographic hash functions.
Algorithm           Hash output size   Cycles/block
(Stripped) MAME     128                96
H-PRESENT-128       128                32
Taking into account the previous data, Figure 8 shows the CPU cycles consumed with both our proposal (with a MAME hash function) and standard AES-128 security. It can be clearly seen that our proposal scales much better with the number of nodes while still providing an appropriate level of security. We do not provide values for the process time, that is, the time needed for key generation, encryption, decryption, and data authentication, but the number of CPU cycles required to execute each function. In this way, time values can be obtained for a particular sensor node according to its CPU features.
6.3. Total Energy Cost. Table 3 provides the transmission and reception energy consumption of a TI's CC2540 microcontroller for different modes and values of transmission power. The displayed values have been tested under 25°C. We do not have values for in-body conditions (≈38°C), but we present these data for reference purposes. In any case, this fact only affects the energy consumption for receiving/transmitting. Note that the total cost in terms of energy is much higher, since it should also account for duty cycles, state changes, and other parameters [39].
There is no single specific "energy per CPU cycle" value, since the cycle consumption depends on the type of CPU operation. Anyway, in [34] the authors measured that the TI's MSP430F1611 consumes energy at an average of 0.72 nJ per clock cycle, and we have adopted such value in our study.
Figure 9 shows the total average energy consumption as a function of the number of neighboring sensor nodes and the number $l$ of bits used to code the channels, for the proposed mechanism and standard approaches: CCM (authentication and encryption), CTR (encryption only), and CBC-MAC (authentication only). We have assumed standard reception and short-range transmission of −6 dBm (see Table 3).
As clearly denoted in the figure, our method only requires a few tens of μJ regardless of the number of sensor nodes, while AES-based security requires higher values of energy, ranging from 35 μJ to almost 240 μJ when encryption and authentication are provided and for 30 sensor nodes. The more the number of sensor nodes, the bigger the improvement introduced by our proposal.
It must be remarked, however, that the purpose of this figure is to provide reference values to be taken into account for future implementations. Besides, the level of security provided by our method is lower than AES-based methods but still is more than adequate given the features of CBSNs (transmission rate, number of sent messages, etc.) and given the fact that the data we are trying to protect are just a limited number of potential channels to be used for operation of the network.
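The three cost components of Sections 6.1 to 6.3 combined into one per-node, per-sensing-period estimate, as an added example that is not the authors' code. The constants are the figures quoted on this page; the way they are summed (radio bytes plus CPU cycles, with nothing for duty cycling or state changes) and all function names are assumptions.

```python
"""Per-node cost of one secured sensing exchange (added example, assumed model)."""

# Constants quoted on the page
AES_ENC_CYCLES = 6600     # cycles/block, TI reference AES implementation [36]
AES_DEC_CYCLES = 8400     # cycles/block [36]
HASH_CYCLES = 96          # (stripped) MAME, Table 2
XOR_CYCLES = 5 * 16       # worst case: 5 cycles/byte over a 128-bit value [37]
NJ_PER_CYCLE = 0.72       # MSP430F1611 average energy per clock cycle [34]
RX_NJ_PER_BYTE = 58.8     # Table 3, RX standard
TX_NJ_PER_BYTE = 71.4     # Table 3, TX -6 dBm

AUTH_BITS = 16            # authentication field of the proposal
NONCE_BITS = 64           # CTR nonce, half of the 128-bit key length
MAC_BITS = 128            # AES CBC-MAC output
SCHEMES = ("CBC-MAC", "CTR", "CCM", "Ours")


def tx_bits(scheme: str, l: int) -> int:
    """Bits sent per sensing period, reproducing Table 1."""
    if scheme == "CBC-MAC":
        return MAC_BITS
    if scheme == "CTR":
        return l + NONCE_BITS
    if scheme == "CCM":
        return l + NONCE_BITS + MAC_BITS
    if scheme == "Ours":
        return l + AUTH_BITS
    raise ValueError(f"unknown scheme: {scheme}")


def cpu_cycles(scheme: str, n: int) -> int:
    """Cryptographic CPU cycles per node for a network of n nodes (Section 6.2)."""
    if scheme == "Ours":
        return n * (HASH_CYCLES + XOR_CYCLES)          # N hashes and N XORs
    return AES_ENC_CYCLES + (n - 1) * AES_DEC_CYCLES   # 1 encryption, N-1 decryptions


def energy_uj(scheme: str, l: int, n: int) -> float:
    """Assumed total: one transmission, n-1 receptions, plus CPU energy (in uJ)."""
    nbytes = tx_bits(scheme, l) / 8
    radio_nj = nbytes * TX_NJ_PER_BYTE + (n - 1) * nbytes * RX_NJ_PER_BYTE
    cpu_nj = cpu_cycles(scheme, n) * NJ_PER_CYCLE
    return (radio_nj + cpu_nj) / 1000.0


def cost_table(l_values=(16, 32, 64), n_values=(5, 10, 15, 20, 25, 30)):
    """Rows of (scheme, l, N, received bytes, cycles, energy in uJ)."""
    rows = []
    for scheme in SCHEMES:
        for l in l_values:
            for n in n_values:
                rx_bytes = (n - 1) * tx_bits(scheme, l) / 8
                rows.append((scheme, l, n, rx_bytes,
                             cpu_cycles(scheme, n), energy_uj(scheme, l, n)))
    return rows


if __name__ == "__main__":
    print(f"{'scheme':8} {'l':>3} {'N':>3} {'rx bytes':>9} {'cycles':>8} {'uJ':>8}")
    for scheme, l, n, rx, cyc, uj in cost_table():
        print(f"{scheme:8} {l:3d} {n:3d} {rx:9.0f} {cyc:8d} {uj:8.2f}")
```

Under this model the AES-based curves are dominated by the decryption cycles, while the proposal's cost is mostly reception energy.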
Table 3: Current/energy consumption for RX/TX, tested on Texas Instruments CC2540 EM with $T_A$ = 25°C, with no peripherals active and low MCU activity at 250 kHz.
Test conditions   Current    Energy/byte
RX standard       19.6 mA    58.8 nJ
RX high gain      22.1 mA    66.3 nJ
TX −23 dBm        21.1 mA    63.3 nJ
TX −6 dBm         23.8 mA    71.4 nJ
TX 0 dBm          27 mA      81 nJ
TX 4 dBm          31.6 mA    94.8 nJ
[Figure 8: Added CPU cycles for a secure exchange of sensing data. Horizontal axis: number of nodes (N); vertical axis: CPU cycles; series: AES (l = 16, 32, 64) and Ours (l = 16, 32, 64).]
Indeed, this mechanism introduces some overhead due to spectrum sensing and sharing of channel information and, as we pointed out above, the overhead increases linearly with the number of nodes in the network. The synchronization protocol adds some overhead too, but the increase will strongly depend on the chosen protocol. In [29], some protocols with high energy efficiency are referenced, which could be used in our proposal.
Despite this, we claim that it is definitely worth introducing this overhead to increase the availability of the network and make it robust to potential interferences and DoS attacks. Under these undesired situations, the current channel used by the CBSN may become unavailable, but the proposed method allows the nodes to securely agree on a new channel of operation and rapidly resume their transmissions. It must be remarked that securing channel availability information may prevent or at least diminish the effect of further DoS attacks when switching to a new channel.
We do not quantify the benefits of applying our method in terms of attack mitigation because it strongly depends on the capabilities of the attacker (time required for sensing each channel, number of channels that it can sense, etc.). As future work, it would be interesting to estimate the improvement achieved by our approach in terms of throughput of the CBSNs connections and the tradeoff between benefits and overhead.
[Figure 9: Added energy costs for a TI's MSP430F1611 with a TI's CC2540 microcontroller. Horizontal axis: number of nodes (N); vertical axis: energy cost (μJ); series: CBC-MAC (l = 16, 32, 64), and CTR, CCM, and Ours, each for l = 16, l = 32, and l = 64.]
7. Conclusions
Body sensor networks (BSNs) emerge as an optimal solution for ensuring constant and remote monitoring of the health status in patients. Recent advances in technology have made it possible to deploy a network of tiny sensors over the human body, and even in body, which can measure vital signs such as temperature, heart rate, or the level of glucose and report these data to medical personnel.
Guaranteeing the availability of such communications is a must, as connectivity losses during emergency situations may prevent a patient from immediately receiving medical assistance and may end up in catastrophic results.
A new network paradigm known as cognitive body sensor networks (CBSNs) could mitigate this threat by allowing body sensors to operate in a wide range of frequencies and adapt their transmission parameters according to highly dynamic environment conditions. However, this would come at the expense of implementing cooperative spectrum sensing mechanisms that allow sensors to exchange information about channel quality and availability. As a consequence, CBSNs might become vulnerable to specific attacks that are targeted to these mechanisms.
In this paper, we presented a novel and simple method to secure the sensing process in a CBSN and improve its availability. The method relies on cryptographic primitives that require a minimum amount of memory and low energy consumption, thus being more suited for devices with limited resources than traditional approaches. It offers authentication and encryption of control data shared by the sensors in the CBSN to agree on a given channel.
Our proposal was analyzed in terms of security, and we showed that, although it does not provide the same level of security as AES-based encryption and authentication, it is still sufficient for low packet rate networks such as CBSNs. The provided results also showed that our method outperforms existing approaches in terms of transmission/reception overhead and number of CPU cycles needed, particularly as the number of sensor nodes increases. For typical microcontrollers such as CC2540 and MSP430, the improvement in energy consumption clearly justifies the use of the proposed method against AES-based mechanisms in constrained networks such as CBSNs, in which maximizing the network life is extremely important.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgment
This work has been partially supported by the Spanish government under grant TEC2011-22746 "TAMESIS" and by the Ministry of Economy and Competitiveness through the projects CO-PRIVACY (TIN2011-27076-C03-02) and SMARTGLACIS (TIN2014-57364-C2-2-R).
References
[1] B. Latre, B. Braem, I. Moerman, C. Blondia, and P. Demeester, "A survey on wireless body area networks," Wireless Networks, vol. 17, no. 1, pp. 1–18, 2011.
[2] S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, "Wireless body area networks: a survey," IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014.
[3] 802.15.6-2012 - IEEE Standard for Local and metropolitan area networks - Part 15.6: Wireless Body Area Networks, 2012, http://standards.ieee.org/getieee802/download/802.15.6-2012.pdf.
[4] Bluetooth Low Energy (LE), June 2014, http://www.bluetooth.com/Pages/low-energy-tech-info.aspx.
[5] The ANT+ Alliance, 2014, http://www.thisisant.com.
[6] Wi-Fi Alliance, June 2014, http://www.wi-fi.org.
[7] Zigbee Alliance, June 2014, http://www.zigbee.org.
[8] M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, "SoK: security and privacy in implantable medical devices and body area networks," in Proceedings of the 35th IEEE Symposium on Security and Privacy (SP '14), pp. 524–539, San Jose, Calif, USA, May 2014.
[9] I. F. Akyildiz, W.-Y. Lee, M. C. Vuran, and S. Mohanty, "NeXt generation/dynamic spectrum access/cognitive radio wireless networks: a survey," Computer Networks, vol. 50, no. 13, pp. 2127–2159, 2006.
[10] B. Wang and K. J. R. Liu, "Advances in cognitive radio networks: a survey," IEEE Journal of Selected Topics in Signal Processing, vol. 5, no. 1, pp. 5–23, 2011.
[11] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in unknown dynamic environment: a game-theoretic stochastic learning solution," IEEE Transactions on Wireless Communications, vol. 11, no. 4, pp. 1380–1391, 2012.
[12] D. Cavalcanti, S. Das, J. Wang, and K. Challapali, "Cognitive radio based wireless sensor networks," in Proceedings of the 17th International Conference on Computer Communications and Networks (ICCCN '08), pp. 1–6, August 2008.
[13] O. Leon, J. Hernandez-Serrano, and M. Soriano, "Securing cognitive radio networks," International Journal of Communication Systems, vol. 23, no. 5, pp. 633–652, 2010.
[14] M. Rostami, A. Juels, and F. Koushanfar, "Heart-to-Heart (H2H): authentication for implanted medical devices," in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 1099–1111, ACM, Berlin, Germany, November 2013.
[15] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun, "Proximity-based access control for implantable medical devices," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 410–419, Chicago, Ill, USA, November 2009.
[16] L. Shi, M. Li, S. Yu, and J. Yuan, "BANA: body area network authentication exploiting channel characteristics," IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1803–1816, 2013.
[17] C. C. Tan, S. Zhong, H. Wang, and Q. Li, "Body sensor network security: an identity-based cryptography approach," in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 148–153, April 2008.
[18] O. Garcia-Morchon, T. Falck, T. Heer, and K. Wehrle, "Security for pervasive medical sensor networks," in Proceedings of the 6th Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous '09), pp. 1–10, Toronto, Canada, July 2009.
[19] G. Selimis, L. Huang, F. Masse, et al., "A lightweight security scheme for wireless body area networks: design, energy evaluation and proposed microprocessor design," Journal of Medical Systems, vol. 35, no. 5, pp. 1289–1298, 2011.
[20] Y. Yan and T. Shu, "Energy-efficient In-network encryption/decryption for wireless body area sensor networks," in Proceedings of the IEEE Global Communications Conference (GLOBECOM '14), pp. 2442–2447, IEEE, Austin, Tex, USA, December 2014.
[21] Y. Xu, A. Anpalagan, Q. Wu, L. Shen, Z. Gao, and J. Wang, "Decision-theoretic distributed channel selection for opportunistic spectrum access: strategies, challenges and solutions," IEEE Communications Surveys and Tutorials, vol. 15, no. 4, pp. 1689–1713, 2013.
[22] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in cognitive radio networks: global optimization using local interaction games," IEEE Journal on Selected Topics in Signal Processing, vol. 6, no. 2, pp. 180–194, 2012.
[23] R. Chavez-Santiago, K. E. Nolan, O. Holland, et al., "Cognitive radio for medical body area networks using ultra wideband," IEEE Wireless Communications, vol. 19, no. 4, pp. 74–81, 2012.
[24] A. R. Syed and K.-L. A. Yau, "On cognitive radio-based wireless body area networks for medical applications," in Proceedings of the 1st IEEE Symposium on Computational Intelligence in Healthcare and e-Health (CICARE '13), pp. 51–57, Singapore, April 2013.
[25] R. Chen, J.-M. Park, and K. Bian, "Robust distributed spectrum sensing in cognitive radio networks," in Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM '08), pp. 1876–1884, IEEE, Phoenix, Ariz, USA, April 2008.
[26] H. Rifa-Pous, M. J. Blasco, and C. Garrigues, "Review of robust cooperative spectrum sensing techniques for cognitive radio networks," Wireless Personal Communications, vol. 67, no. 2, pp. 175–198, 2012.
[27] B. Braem, B. Latre, C. Blondia, I. Moerman, and P. Demeester, "Analyzing and improving reliability in multi-hop body sensor networks," International Journal on Advances in Internet Technology, vol. 2, no. 1, pp. 152–161, 2009.
[28] I. F. Akyildiz, B. F. Lo, and R. Balakrishnan, "Cooperative spectrum sensing in cognitive radio networks: a survey," Physical Communication, vol. 4, no. 1, pp. 40–62, 2011.
[29] B. Sundararaman, U. Buy, and A. D. Kshemkalyani, "Clock synchronization for wireless sensor networks: a survey," Ad Hoc Networks, vol. 3, no. 3, pp. 281–323, 2005.
[30] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems - CHES 2008: 10th International Workshop, Washington, DC, USA, August 10–13, 2008. Proceedings, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[31] C. Cordeiro, K. Challapali, D. Birru, and N. Sai Shankar, "IEEE 802.22: the first worldwide wireless standard based on cognitive radios," in Proceedings of the 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN '05), pp. 328–337, Baltimore, Md, USA, November 2005.
[32] S. Ullah, H. Higgins, B. Braem, et al., "A comprehensive survey of wireless body area networks on PHY, MAC, and network layers solutions," Journal of Medical Systems, vol. 36, no. 3, pp. 1065–1094, 2012.
[33] N. Sastry and D. Wagner, "Security considerations for IEEE 802.15.4 networks," in Proceedings of the ACM Workshop on Wireless Security (WiSe '04), pp. 32–42, Philadelphia, Pa, USA, October 2004.
[34] M. Pajic, Z. Jiang, I. Lee, O. Sokolsky, and R. Mangharam, "From verification to implementation: a model translation tool and a pacemaker case study," in Proceedings of the 18th IEEE Real Time and Embedded Technology and Applications Symposium (RTAS '12), pp. 173–184, Beijing, China, April 2012.
[35] CC2540: 2.4-GHz Bluetooth low energy System-on-Chip, 2013, http://www.ti.com/lit/ds/symlink/cc2540.pdf.
[36] U. Kretzschmar, "AES128 - a C implementation for encryption and decryption, MSP430 systems, ECCN 5E002 TSPA - technology/software publicly," Application Report SLAA397A, Texas Instruments, Dallas, Tex, USA, 2009, http://www.ti.com.cn/cn/lit/an/slaa397a/slaa397a.pdf.
[37] El Barquero Aqueronte, MSP430: Cycles and Instructions, edited by Aqueronte, 2011, http://unbarquero.blogspot.com.es/2011/05/msp430-cycles-and-instructions.html.
[38] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems - CHES 2008, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[39] S. Kamath and J. Lindh, "Measuring bluetooth low energy power consumption," Application Note AN092, Texas Instruments, Dallas, Tex, USA, 2012, Version SWRA347a, http://www.ti.com/lit/an/swra347a/swra347a.pdf.
5.1. Shared Secrets Lifetime. As previously mentioned in Section 3.1, for this analysis we are assuming that attacks come from external entities and therefore attackers are not able to obtain the cryptographic material that is stored in the body sensors. In the context of this proposal, the lifetime of each of the shared secrets is the interval in which these secrets are considered computationally safe against cryptanalysis, that is, their cryptoperiod.
The cryptoperiod depends directly on the chosen cryptographic protocols, the length of the secrets themselves, and the number of times they are used. The more a given secret is used, the shorter its cryptoperiod is, as an attacker gets more information about this secret and therefore the probability of a successful cryptanalysis increases. In fact, cryptoperiod is defined more in terms of the number of times a given secret or key is reused (the amount of ciphertext exposed to an attacker for a given secret/key) than as a given time period, which strongly depends on the transmission rate of the sensor nodes.
Recall the three types of shared secrets used in the proposed method:
(i) Short-term per-node shared secrets: one secret $S^u$ per source node that is used to lightweight encrypt/decrypt and authenticate the channels' sensed data.
(ii) Medium-term globally shared secrets: globally shared secret $S_M$ that is used to derive the short-term per-node shared secrets $S^u$.
(iii) Long-term globally shared secret: this being the initially preloaded secret $S_L$ that is used to derive a new medium-term globally shared secret $S_M$ when the current one is about to expire.
As clearly denoted in Figure 5, our approach operates in some manner as an additive stream cipher. It is well known that stream ciphers are considered to be secure as long as the key is never reused, and thus our cipher will be secure if a given value $S^u$ is not repeated. As a result, $S^u$ must be updated every $p = m/r$ sensing periods, with $p$ the renewal period, $m$ the length of the shared secret $S^u$, and $r$ the amount of transmitted bits (sensing data) in a sensing period that are encrypted with $S^u$.
Recall that in our proposal the per-node key used for encryption, $S^u$, is generated by means of a hash function. A second requirement is that this function must be cryptographically secure. Note that if the hash function does not accomplish it, an attacker might be able to reverse it, that is, to get the input of the hash function given an output, meaning that in our proposal an attacker would be able to recover the value of the medium-term globally shared secret $S_M$ (see Figure 4).
A cryptographically secure hash function with an output of $m$ bits can offer a security level of $2^m$ operations against preimage attacks and $2^{m/2}$ against collision attacks. Generally speaking, a minimum output of 128 bits is required in order to provide a high level of security for most applications, but shorter lengths are accepted if the number of generated messages in a given period is limited, as it is the case of low-rate networks. In Section 6 we propose several lightweight hash candidates with an output of 128 bits; that is to say, we can assume that it is computationally unfeasible for an attacker to invert the hash function and thus to predict the value of $S_M$ as long as it is updated before exceeding its cryptoperiod, which has an upper bound of $2^{m/2} = 2^{64}$ uses.
The long-term globally shared secret $S_L$ is only used to update the current medium-term globally shared secret $S_M$. Because $S_M$ is not updated very often, it is very unlikely that an attacker manages to obtain several values of $S_M$ to reverse the hash function and recover $S_L$. As a result, we can assume that the $S_L$ cryptoperiod is long enough and there is no need to update the secret during the nodes' lifetime.
5.2. Authentication. A cryptogram $C_i^u$ of sensing data contains an authentication field of 16 bits that is checked upon reception (see Figure 6). Consequently, an attacker has a chance of 1 in $2^{16}$ of guessing the next authentication field, which allows it to forge a valid authentication field and inject fake data. Note that this attack can lead the CBSN to wrong decisions about the availability of the spectrum.
If the attacker repeatedly attempts to send valid ciphertexts, it may succeed after $2^{15}$ attempts on average. Because the attacker does not know $S^u$, the authentication field appears to it as a random stream, and therefore it must select a fake authentication field at random. Besides, the attacker cannot determine whether a given ciphertext has been accepted or rejected, because the receiver does not acknowledge the reception of such packets to the emitter. Otherwise, the attacker could take advantage of this information in order to guess a valid authentication field in a faster way.
In conventional networks, $2^{15}$ packets may seem an extremely low number, but it may provide an adequate level of security in CBSNs. In these networks, the attacker can only send fake packets during the sensing periods, which are in the order of a few milliseconds in most cognitive scenarios [31]. Moreover, as previously stated in Section 1, transmission rates in BSNs are considerably low, with values usually ranging from tens to a few hundred kilobits per second.
As an example, let us consider a 1 Mbps link, a sensing period of 10 ms, and a packet size of 10 bytes (which is clearly bigger than the typical packet size in sensor networks). Given these parameters, an attacker would only be able to send 125 packets at most in every sensing period. That is to say, the attacker would need an average of 262.144 sensing periods to send a fake packet and pass the authentication check.
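The renewal rule of Section 5.1 and the authentication check of Section 5.2, as an added sketch that is not the authors' implementation. SHA-256 truncated to 128 bits stands in for the lightweight hash, and the derivation of $S^u$ from $S_M$, the all-zero authentication field, and all function names are assumptions made for illustration.

```python
"""Additive-stream protection of channel reports with secret renewal (added sketch)."""
import hashlib

M_BITS = 128     # m: length of the per-node secret S^u (128-bit hash output)
AUTH_BITS = 16   # authentication field length (Section 5.2)


def h128(label: bytes, *parts: bytes) -> bytes:
    """Stand-in hash (assumption): SHA-256 truncated to 128 bits."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)  # length-prefixed input
    return h.digest()[: M_BITS // 8]


def renewal_period(l_bits: int) -> int:
    """p = m / r sensing periods, with r = l + 16 encrypted bits per period."""
    r = l_bits + AUTH_BITS
    if r > M_BITS:
        raise ValueError("one report needs more bits than a single secret holds")
    return M_BITS // r


def keystream(s_m: bytes, node_id: int, period: int, l_bits: int) -> int:
    """The r keystream bits for this node and sensing period.

    Assumed derivation: S^u = H(S_M, u, epoch) with epoch = period // p, so a
    fresh S^u is derived before any bit of the previous one would be reused.
    """
    r = l_bits + AUTH_BITS
    epoch, slot = divmod(period, renewal_period(l_bits))
    s_u = h128(b"S^u", s_m, node_id.to_bytes(2, "big"), epoch.to_bytes(4, "big"))
    shift = M_BITS - (slot + 1) * r          # take the slot-th r-bit slice
    return (int.from_bytes(s_u, "big") >> shift) & ((1 << r) - 1)


def protect(s_m: bytes, node_id: int, period: int, d: int, l_bits: int) -> int:
    """Cryptogram C = (D || 0^16) XOR K; the zero field is an assumed layout."""
    if not 0 <= d < (1 << l_bits):
        raise ValueError("channel map does not fit in l bits")
    return (d << AUTH_BITS) ^ keystream(s_m, node_id, period, l_bits)


def open_report(s_m: bytes, node_id: int, period: int, c: int, l_bits: int):
    """Return the channel map D, or None if the authentication field is wrong."""
    if c >> (l_bits + AUTH_BITS):
        return None                           # longer than a valid cryptogram
    plain = c ^ keystream(s_m, node_id, period, l_bits)
    if plain & ((1 << AUTH_BITS) - 1):        # field must decrypt to all zeros
        return None
    return plain >> AUTH_BITS


def expected_periods_to_forge(link_bps: int, period_ms: int, packet_bytes: int) -> float:
    """Average sensing periods before a random 16-bit field is accepted."""
    packets_per_period = (link_bps * period_ms) // (1000 * packet_bytes * 8)
    return 2 ** (AUTH_BITS - 1) / packets_per_period


if __name__ == "__main__":
    S_M = bytes(range(16))                    # constructed sample secret
    c = protect(S_M, node_id=7, period=5, d=0xA0F5, l_bits=16)
    print(hex(c), open_report(S_M, 7, 5, c, 16) == 0xA0F5)
    print("renewal period p for l=16/32/64:", [renewal_period(l) for l in (16, 32, 64)])
    print("periods to forge (1 Mbps, 10 ms, 10 B):", expected_periods_to_forge(10**6, 10, 10))
```

Two reports protected under the same period index XOR to the XOR of their channel maps, which is why the sketch switches to a new $S^u$ every $p$ periods and never serves the same slice twice.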
6. Cost Evaluation and Comparison with Other Approaches
In this section, we evaluate the cost of our proposal in terms of energy consumption due to transmission overhead and computational cost and compare its performance with the most common approach adopted in sensor networks [32], which is providing authentication and/or encryption of the channel sensing data by means of standard block ciphers. As is well known, block ciphers have as input the message to be encrypted or authenticated, which is divided into several blocks of fixed length, and a key. Both the block length and the key length depend on the algorithm being used. Regardless of the algorithm, block ciphers can be used in several modes of operation depending on the service to be provided, that is, encryption only, authentication only, or encryption/authentication. Generally, the following modes of operation are applied.
Authentication. CBC-MAC is a block cipher mode for generating message authentication codes. The message to be authenticated is divided into several blocks of equal size, and each block is encrypted so that the value of a given block depends on the encryption of the previous block. The final output of the cipher, that is, the message authentication code or CBC-MAC, is the result of encrypting the last block of the message. When the input of the cipher is shorter than the block size (as it is usually the case in sensor networks), the CBC-MAC can be obtained by directly encrypting a single block padded until the block size of the cipher is reached.
Encryption. CTR mode of operation turns a block cipher into a stream cipher, meaning that the resulting ciphertext has the same size as the input or plain text. Thus, it does not force the output length to be a multiple of the block size, as it is the case of other modes such as CBC-MAC. This property makes this mode of operation suitable for encryption in sensor networks, where devices usually exchange short-length messages.
Authentication+Encryption. CCM (CTR + CBC-MAC) is a common choice for providing both encryption (CTR) and authentication (CBC-MAC) [19]. A minor variation of CCM, called CCM*, is used in the ZigBee standard [7].
In this work, we assume that Advanced Encryption Standard (AES) in CTR mode is used for encryption and AES CBC-MAC for authentication, as it is the current standard for symmetric cryptography even in sensor nodes [33]. Currently, there are efficient hardware implementations of AES that are highly affordable.
Regarding hardware platforms, the vast majority of previous works on BSNs have used the 16-bit Texas Instruments' (TI) MSP430 and CC2540 families of microcontrollers [34]. Built around a 16-bit CPU, ultra-low-power MSP430 microcontrollers are designed for low cost and, specifically, low-power consumption embedded applications. As an example, TI's CC2540 family [35] enables robust Bluetooth low energy (BLE) network nodes to be built with low total bill-of-material (BOM) costs. BLE operates in the same spectrum range (2.400 GHz–2.4835 GHz ISM band) as classic Bluetooth technology but uses a different set of channels: instead of 79 1-MHz channels, BLE offers 40 2-MHz channels, 3 for advertising purposes and 37 for data exchange.
6.1. Transmission/Reception Overhead. In this section, we analyze the overhead introduced by our proposal in terms of transmission/reception of channel availability data and compare it with the overhead exhibited when conventional approaches are used for data encryption/authentication, as explained above. We assume that all sensors are capable of sensing a given set of channels and report information about their state.
With our proposal, the minimum number of transmitted bits will depend on the number of channels that a given sensor is reporting, the number of bits used to code the state of each channel, and the length of the authentication code. As explained in Section 5.2, a length of 16 bits is enough to secure most applications in WSNs, and thus we have assumed this value for the authentication field. This leads to a total amount of $\text{Bits}_{tx} = l + 16$ transmitted bits, where $l$ represents the total number of bits used to code all possible channels, and $\text{Bits}_{rx} = (n - 1)\,\text{Bits}_{tx}$ received bits, representing the number of bits received by a given sensor from its neighbors.
Aiming to provide a fair comparison, we choose the same key length for block ciphers and for our proposal, that is to say, a 128-bit key. The transmitted bits overhead added by AES CBC-MAC authentication is 128 bits (for a semantically secure implementation, an IV or nonce must also be shared between emitter and receiver, so that the overhead can be higher). Regarding encryption, the number of transmitted bits is equal to the number of bits $l$ used to code the state of the channels, but it also requires the use of a nonce with a length equal to half of the key length, that is, 64 bits per message.
During every sensing period every node must transmita packet with sensing information but also must process thepackets received from its neighbors Table 1 and Figure 7respectively show the transmission and reception overheaddue to the secure sharing of sensing information using bothstandard block ciphers and our proposal The values areprovided as a function of the number of bits 119897 used to codethe state of the channels and the number of nodes119873 rangingfrom 5 to 30 Given that the considered scenario is a bodysensor network this is more than a reasonable value sincea patient wearing more than 30 sensors may be an unlikelysituation
The reader may notice that the overhead introducedby this mechanism increases linearly with the number ofnodes for both approaches However with the proposedmethod the transmissionreception overhead is considerablyreduced with respect to the use of standard block cipherswhile still maintaining an acceptable level of security Infact the more the nodes in the CBSN the bigger theimprovement introduced by the former As wewill show laterthe transmissionreception savings lead to a huge saving alsoin energy consumption
62 Computational Cost In this section we provide a com-parison of the CPU cost in cycles due to the implementationof the cryptographic functions
If AES is used the total cryptographic cost per nodefor securing the exchange of sensing data equals the costof one encryption and 119873 minus 1 decryptions Assumingthe Texas Instrumentsrsquo reference AES-implementation forCC2540 microcontrollers [36] AES encryption needs 6600cyclesblock and AES decryption 8400 cyclesblock
With our proposal, the energy consumption has three components: the computation of the different sequences $S_i^u$ with the hash function before the sensing period begins, the XOR of the keystream $K_i^u$ with the sequence $D_i^u$ that signals the availability of channels, and the XOR of the sequences $C_i^u$ received from neighbors with the precomputed $S_i^u$. Therefore, a node must compute $N$ hashes and perform $N$ XORs to send channel information and process the reports received from its neighbors.

Table 1: Transmission overhead (bits) as a function of $l$ (bits).
Scheme                                          l = 16   l = 32   l = 64
Authentication only (CBC-MAC)                   128      128      128
Encryption only (CTR)                           80       96       128
Authentication and encryption (CCM)             208      224      256
Authentication and encryption (our proposal)    32       48       80

Figure 7: Reception overhead for a varying number of nodes $N$. [Plot: reception overhead (bytes) versus number of nodes ($N$); series: CBC-MAC ($l$ = 16, 32, 64), CTR, CCM, and Ours, each for $l$ = 16, 32, 64.]
As per [37], an XOR operation with an MSP430 accounts for 4-5 cycles/byte. Assuming a 128-bit hash function and the worst case, every XOR in our proposal accounts for $5 \cdot 16 = 80$ cycles. As previously explained in Section 5.1, we suggest the use of a lightweight cryptographic hash function specifically suited for low-end devices, with an output of 128 bits. Table 2 depicts the number of CPU cycles per block needed [38] for two potential candidates. As clearly seen in the table, computing one of these hash functions requires only a few tens of cycles/block. In the following, for this analysis we will consider the (stripped) MAME hash function, as it is a pure hash function that does not rely on a symmetric cipher and requires more CPU cycles (worst case).

Table 2: Cycles per block for different cryptographic hash functions.
Algorithm          Hash output size   Cycles/block
(Stripped) MAME    128                96
H-PRESENT-128      128                32

Taking into account the previous data, Figure 8 shows the CPU cycles consumed with both our proposal (with a MAME hash function) and standard AES-128 security. It can be clearly seen that our proposal scales much better with the number of nodes while still providing an appropriate level of security. We do not provide values for the process time, that is, the time needed for key generation, encryption, decryption, and data authentication, but the number of CPU cycles required to execute each function. In this way, time values can be obtained for a particular sensor node according to its CPU features.
6.3. Total Energy Cost. Table 3 provides the transmission and reception energy consumption of a TI CC2540 microcontroller for different modes and values of transmission power. The displayed values have been tested under 25 °C. We do not have values for in-body conditions (≈38 °C), but we present these data for reference purposes. In any case, this fact only affects the energy consumption for receiving/transmitting. Note that the total cost in terms of energy is much higher, since it should also account for duty cycles, state changes, and other parameters [39].
There is no single specific "energy per CPU cycle" value, since the cycle consumption depends on the type of CPU operation. Anyway, in [34] the authors measured that TI's MSP430F1611 consumes energy at an average of 0.72 nJ per clock cycle, and we have adopted this value in our study.
Figure 9 shows the total average energy consumption as a function of the number of neighboring sensor nodes and the number $l$ of bits used to code the channels, for the proposed mechanism and the standard approaches: CCM (authentication and encryption), CTR (encryption only), and CBC-MAC (authentication only). We have assumed standard reception and short-range transmission of −6 dBm (see Table 3).
As clearly denoted in the figure, our method only requires a few tens of μJ regardless of the number of sensor nodes, while AES-based security requires higher values of energy, ranging from 35 μJ to almost 240 μJ when encryption and authentication are provided and for 30 sensor nodes. The more sensor nodes, the bigger the improvement introduced by our proposal.
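The per-node cost model of Sections 6.1 to 6.3 can be recomputed from the constants quoted in the text, which lets an implementer substitute the figures of a different radio or MCU. The following Python code is an added example, not code from the paper; all function names are hypothetical, and the way the CPU, transmission and reception terms are summed (one AES block per report, overhead rounded up to whole bytes, 0.72 nJ per cycle, RX standard and TX −6 dBm from Table 3) is an assumption of this example.

```python
"""Per-node cost of one secure sensing-data exchange (Sections 6.1-6.3).

Constants are the values quoted in the text; the way they are combined
into one total is an assumption of this example.
"""

# Table 1: bits sent per report, as a function of l (bits coding channel state).
TX_BITS = {
    "CBC-MAC": lambda l: 128,        # one 128-bit MAC block
    "CTR": lambda l: l + 64,         # ciphertext plus 64-bit nonce
    "CCM": lambda l: 128 + l + 64,   # MAC plus ciphertext plus nonce
    "Ours": lambda l: l + 16,        # ciphertext plus 16-bit authentication field
}
AES_SCHEMES = ("CBC-MAC", "CTR", "CCM")

AES_ENC_CYCLES = 6600    # cycles/block [36]
AES_DEC_CYCLES = 8400    # cycles/block [36]
HASH_CYCLES = 96         # (stripped) MAME, Table 2, worst case
XOR_CYCLES = 5 * 16      # 5 cycles/byte over a 128-bit sequence [37]

NJ_PER_CYCLE = 0.72      # MSP430F1611 average [34]
NJ_PER_TX_BYTE = 71.4    # CC2540, TX -6 dBm (Table 3)
NJ_PER_RX_BYTE = 58.8    # CC2540, RX standard (Table 3)


def _check(scheme, l, n):
    """Reject inputs for which the model is undefined."""
    if scheme not in TX_BITS:
        raise ValueError(f"unknown scheme {scheme!r}")
    if l <= 0:
        raise ValueError("l must be a positive number of bits")
    if n < 2:
        raise ValueError("a node needs at least one neighbor (n >= 2)")


def tx_bits(scheme, l):
    """Bits a node transmits per sensing period (Table 1)."""
    _check(scheme, l, 2)
    return TX_BITS[scheme](l)


def tx_bytes(scheme, l):
    """Transmitted bytes; assumption: the radio sends whole bytes."""
    return (tx_bits(scheme, l) + 7) // 8


def rx_bytes(scheme, l, n):
    """Bytes received from the n - 1 neighbors (Figure 7)."""
    _check(scheme, l, n)
    return (n - 1) * tx_bytes(scheme, l)


def cpu_cycles(scheme, n):
    """Cryptographic CPU cycles per node and sensing period (Figure 8)."""
    _check(scheme, 16, n)
    if scheme in AES_SCHEMES:
        # One encryption for the node's own report, one decryption per
        # neighbor; assumption: a single AES block per report.
        return AES_ENC_CYCLES + (n - 1) * AES_DEC_CYCLES
    # Proposed method: n hashes and n XORs.
    return n * (HASH_CYCLES + XOR_CYCLES)


def energy_uj(scheme, l, n):
    """Total added energy in microjoules: CPU + transmission + reception."""
    nj = (cpu_cycles(scheme, n) * NJ_PER_CYCLE
          + tx_bytes(scheme, l) * NJ_PER_TX_BYTE
          + rx_bytes(scheme, l, n) * NJ_PER_RX_BYTE)
    return nj / 1000.0


def saving_factor(l, n, baseline="CCM"):
    """How many times more energy the baseline needs than the proposed method."""
    return energy_uj(baseline, l, n) / energy_uj("Ours", l, n)


if __name__ == "__main__":
    header = " ".join(f"{s:>9}" for s in TX_BITS)
    print(f"{'N':>3} {'l':>3} {header}   CCM/Ours   (energy in uJ)")
    for n in (5, 10, 20, 30):
        for l in (16, 64):
            row = " ".join(f"{energy_uj(s, l, n):9.2f}" for s in TX_BITS)
            print(f"{n:>3} {l:>3} {row}   {saving_factor(l, n):7.1f}x")
```

With $N = 30$ and $l = 64$ the model gives about 237 μJ for CCM, matching the "almost 240 μJ" quoted above, and shows that the AES term is dominated by the $N - 1$ decryptions rather than by the radio.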
It must be remarked, however, that the purpose of this figure is to provide reference values to be taken into account for future implementations. Besides, the level of security provided by our method is lower than AES-based methods but still is more than adequate given the features of CBSNs (transmission rate, number of sent messages, etc.) and given the fact that the data we are trying to protect are just a limited number of potential channels to be used for operation of the network.

Table 3: Current/energy consumption for RX/TX, tested on Texas Instruments CC2540 EM with $T_A = 25\,^{\circ}\mathrm{C}$, with no peripherals active and low MCU activity at 250 kHz.
Test conditions   Current    Energy/byte
RX standard       19.6 mA    58.8 nJ
RX high gain      22.1 mA    66.3 nJ
TX −23 dBm        21.1 mA    63.3 nJ
TX −6 dBm         23.8 mA    71.4 nJ
TX 0 dBm          27 mA      81 nJ
TX 4 dBm          31.6 mA    94.8 nJ

Figure 8: Added CPU cycles for a secure exchange of sensing data. [Plot: CPU cycles versus number of nodes ($N$); series: AES ($l$ = 16, 32, 64) and Ours ($l$ = 16, 32, 64).]
Indeed, this mechanism introduces some overhead due to spectrum sensing and sharing of channel information and, as we pointed out above, the overhead increases linearly with the number of nodes in the network. The synchronization protocol adds some overhead too, but the increase will strongly depend on the chosen protocol. In [29], some protocols with high energy efficiency are referenced, which could be used in our proposal.
Despite this, we claim that it is definitely worth introducing this overhead to increase the availability of the network and make it robust to potential interference and DoS attacks. Under these undesired situations, the current channel used by the CBSN may become unavailable, but the proposed method allows the nodes to securely agree on a new channel of operation and rapidly resume their transmissions. It must be remarked that securing channel availability information may prevent, or at least diminish, the effect of further DoS attacks when switching to a new channel.
We do not quantify the benefits of applying our method in terms of attack mitigation because it strongly depends on the capabilities of the attacker (time required for sensing each channel, number of channels that can be sensed, etc.). As future work, it would be interesting to estimate the improvement achieved by our approach in terms of throughput of the CBSN connections and the tradeoff between benefits and overhead.

Figure 9: Added energy costs for a TI MSP430F1611 with a TI CC2540 microcontroller. [Plot: energy cost (μJ) versus number of nodes ($N$); series: CBC-MAC ($l$ = 16, 32, 64), CTR, CCM, and Ours, each for $l$ = 16, 32, 64.]

7. Conclusions
Body sensor networks (BSNs) emerge as an optimal solution for ensuring constant and remote monitoring of the health status of patients. Recent advances in technology have made it possible to deploy a network of tiny sensors over the human body, and even in the body, which can measure vital signs such as temperature, heart rate, or the level of glucose and report these data to medical personnel.
Guaranteeing the availability of such communications is a must, as connectivity losses during emergency situations may prevent a patient from immediately receiving medical assistance and may end up in catastrophic results.
A new network paradigm known as cognitive body sensor networks (CBSNs) could mitigate this threat by allowing body sensors to operate in a wide range of frequencies and adapt their transmission parameters according to highly dynamic environment conditions. However, this would come at the expense of implementing cooperative spectrum sensing mechanisms that allow sensors to exchange information about channel quality and availability. As a consequence, CBSNs might become vulnerable to specific attacks that are targeted at these mechanisms.
In this paper, we presented a novel and simple method to secure the sensing process in a CBSN and improve its availability. The method relies on cryptographic primitives that require a minimum amount of memory and low energy consumption, thus being more suited for devices with limited resources than traditional approaches. It offers authentication and encryption of control data shared by the sensors in the CBSN to agree on a given channel.
Our proposal was analyzed in terms of security, and we showed that, although it does not provide the same level of security as AES-based encryption and authentication, it is still sufficient for low packet rate networks such as CBSNs. The provided results also showed that our method outperforms existing approaches in terms of transmission/reception overhead and number of CPU cycles needed, particularly as the number of sensor nodes increases. For typical microcontrollers such as CC2540 and MSP430, the improvement in energy consumption clearly justifies the use of the proposed method over AES-based mechanisms in constrained networks such as CBSNs, in which maximizing the network life is extremely important.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgment
This work has been partially supported by the Spanish government under grant TEC2011-22746 "TAMESIS" and by the Ministry of Economy and Competitiveness through the projects CO-PRIVACY (TIN2011-27076-C03-02) and SMARTGLACIS (TIN2014-57364-C2-2-R).
References
[1] B. Latre, B. Braem, I. Moerman, C. Blondia, and P. Demeester, "A survey on wireless body area networks," Wireless Networks, vol. 17, no. 1, pp. 1–18, 2011.
[2] S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, "Wireless body area networks: a survey," IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014.
[3] 802.15.6-2012 - IEEE Standard for Local and metropolitan area networks - Part 15.6: Wireless Body Area Networks, 2012, http://standards.ieee.org/getieee802/download/802.15.6-2012.pdf.
[4] Bluetooth Low Energy (LE), June 2014, http://www.bluetooth.com/Pages/low-energy-tech-info.aspx.
[5] The ANT+ Alliance, 2014, http://www.thisisant.com.
[6] Wi-Fi Alliance, June 2014, http://www.wi-fi.org.
[7] Zigbee Alliance, June 2014, http://www.zigbee.org.
[8] M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, "SoK: security and privacy in implantable medical devices and body area networks," in Proceedings of the 35th IEEE Symposium on Security and Privacy (SP '14), pp. 524–539, San Jose, Calif, USA, May 2014.
[9] I. F. Akyildiz, W.-Y. Lee, M. C. Vuran, and S. Mohanty, "NeXt generation/dynamic spectrum access/cognitive radio wireless networks: a survey," Computer Networks, vol. 50, no. 13, pp. 2127–2159, 2006.
[10] B. Wang and K. J. R. Liu, "Advances in cognitive radio networks: a survey," IEEE Journal of Selected Topics in Signal Processing, vol. 5, no. 1, pp. 5–23, 2011.
[11] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in unknown dynamic environment: a game-theoretic stochastic learning solution," IEEE Transactions on Wireless Communications, vol. 11, no. 4, pp. 1380–1391, 2012.
[12] D. Cavalcanti, S. Das, J. Wang, and K. Challapali, "Cognitive radio based wireless sensor networks," in Proceedings of the 17th International Conference on Computer Communications and Networks (ICCCN '08), pp. 1–6, August 2008.
[13] O. Leon, J. Hernandez-Serrano, and M. Soriano, "Securing cognitive radio networks," International Journal of Communication Systems, vol. 23, no. 5, pp. 633–652, 2010.
[14] M. Rostami, A. Juels, and F. Koushanfar, "Heart-to-Heart (H2H): authentication for implanted medical devices," in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 1099–1111, ACM, Berlin, Germany, November 2013.
[15] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun, "Proximity-based access control for implantable medical devices," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 410–419, Chicago, Ill, USA, November 2009.
[16] L. Shi, M. Li, S. Yu, and J. Yuan, "BANA: body area network authentication exploiting channel characteristics," IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1803–1816, 2013.
[17] C. C. Tan, S. Zhong, H. Wang, and Q. Li, "Body sensor network security: an identity-based cryptography approach," in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 148–153, April 2008.
[18] O. Garcia-Morchon, T. Falck, T. Heer, and K. Wehrle, "Security for pervasive medical sensor networks," in Proceedings of the 6th Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous '09), pp. 1–10, Toronto, Canada, July 2009.
[19] G. Selimis, L. Huang, F. Masse et al., "A lightweight security scheme for wireless body area networks: design, energy evaluation and proposed microprocessor design," Journal of Medical Systems, vol. 35, no. 5, pp. 1289–1298, 2011.
[20] Y. Yan and T. Shu, "Energy-efficient In-network encryption/decryption for wireless body area sensor networks," in Proceedings of the IEEE Global Communications Conference (GLOBECOM '14), pp. 2442–2447, IEEE, Austin, Tex, USA, December 2014.
[21] Y. Xu, A. Anpalagan, Q. Wu, L. Shen, Z. Gao, and J. Wang, "Decision-theoretic distributed channel selection for opportunistic spectrum access: strategies, challenges and solutions," IEEE Communications Surveys and Tutorials, vol. 15, no. 4, pp. 1689–1713, 2013.
[22] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, "Opportunistic spectrum access in cognitive radio networks: global optimization using local interaction games," IEEE Journal on Selected Topics in Signal Processing, vol. 6, no. 2, pp. 180–194, 2012.
[23] R. Chavez-Santiago, K. E. Nolan, O. Holland et al., "Cognitive radio for medical body area networks using ultra wideband," IEEE Wireless Communications, vol. 19, no. 4, pp. 74–81, 2012.
[24] A. R. Syed and K.-L. A. Yau, "On cognitive radio-based wireless body area networks for medical applications," in Proceedings of the 1st IEEE Symposium on Computational Intelligence in Healthcare and e-Health (CICARE '13), pp. 51–57, Singapore, April 2013.
[25] R. Chen, J.-M. Park, and K. Bian, "Robust distributed spectrum sensing in cognitive radio networks," in Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM '08), pp. 1876–1884, IEEE, Phoenix, Ariz, USA, April 2008.
[26] H. Rifa-Pous, M. J. Blasco, and C. Garrigues, "Review of robust cooperative spectrum sensing techniques for cognitive radio networks," Wireless Personal Communications, vol. 67, no. 2, pp. 175–198, 2012.
[27] B. Braem, B. Latre, C. Blondia, I. Moerman, and P. Demeester, "Analyzing and improving reliability in multi-hop body sensor networks," International Journal on Advances in Internet Technology, vol. 2, no. 1, pp. 152–161, 2009.
[28] I. F. Akyildiz, B. F. Lo, and R. Balakrishnan, "Cooperative spectrum sensing in cognitive radio networks: a survey," Physical Communication, vol. 4, no. 1, pp. 40–62, 2011.
[29] B. Sundararaman, U. Buy, and A. D. Kshemkalyani, "Clock synchronization for wireless sensor networks: a survey," Ad Hoc Networks, vol. 3, no. 3, pp. 281–323, 2005.
[30] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems - CHES 2008: 10th International Workshop, Washington, DC, USA, August 10–13, 2008, Proceedings, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[31] C. Cordeiro, K. Challapali, D. Birru, and N. Sai Shankar, "IEEE 802.22: the first worldwide wireless standard based on cognitive radios," in Proceedings of the 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN '05), pp. 328–337, Baltimore, Md, USA, November 2005.
[32] S. Ullah, H. Higgins, B. Braem et al., "A comprehensive survey of wireless body area networks: on PHY, MAC, and network layers solutions," Journal of Medical Systems, vol. 36, no. 3, pp. 1065–1094, 2012.
[33] N. Sastry and D. Wagner, "Security considerations for IEEE 802.15.4 networks," in Proceedings of the ACM Workshop on Wireless Security (WiSe '04), pp. 32–42, Philadelphia, Pa, USA, October 2004.
[34] M. Pajic, Z. Jiang, I. Lee, O. Sokolsky, and R. Mangharam, "From verification to implementation: a model translation tool and a pacemaker case study," in Proceedings of the 18th IEEE Real Time and Embedded Technology and Applications Symposium (RTAS '12), pp. 173–184, Beijing, China, April 2012.
[35] CC2540 2.4-GHz Bluetooth low energy System-on-Chip, 2013, http://www.ti.com/lit/ds/symlink/cc2540.pdf.
[36] U. Kretzschmar, "AES128 - a C implementation for encryption and decryption, MSP430 systems, ECCN 5E002 TSPA - technology/software publicly," Application Report SLAA397A, Texas Instruments, Dallas, Tex, USA, 2009, http://www.ti.com.cn/cn/lit/an/slaa397a/slaa397a.pdf.
[37] El Barquero Aqueronte, MSP430: Cycles and Instructions, edited by Aqueronte, 2011, http://unbarquero.blogspot.com.es/2011/05/msp430-cycles-and-instructions.html.
[38] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, "Hash functions and RFID tags: mind the gap," in Cryptographic Hardware and Embedded Systems - CHES 2008, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[39] S. Kamath and J. Lindh, "Measuring bluetooth low energy power consumption," Application Note AN092, Texas Instruments, Dallas, Tex, USA, 2012, Version SWRA347a, http://www.ti.com/lit/an/swra347a/swra347a.pdf.
length and the key length depend on the algorithm being used. Regardless of the algorithm, block ciphers can be used in several modes of operation depending on the service to be provided, that is, encryption only, authentication only, or encryption/authentication. Generally, the following modes of operation are applied.
Authentication. CBC-MAC is a block cipher mode for generating message authentication codes. The message to be authenticated is divided into several blocks of equal size, and each block is encrypted so that the value of a given block depends on the encryption of the previous block. The final output of the cipher, that is, the message authentication code or CBC-MAC, is the result of encrypting the last block of the message. When the input of the cipher is shorter than the block size (as is usually the case in sensor networks), the CBC-MAC can be obtained by directly encrypting a single block padded until the block size of the cipher is reached.
Encryption. CTR mode of operation turns a block cipher into a stream cipher, meaning that the resulting ciphertext has the same size as the input or plaintext. Thus, it does not force the output length to be a multiple of the block size, as is the case with other modes such as CBC-MAC. This property makes this mode of operation suitable for encryption in sensor networks, where devices usually exchange short-length messages.
Authentication + Encryption. CCM (CTR + CBC-MAC) is a common choice for providing both encryption (CTR) and authentication (CBC-MAC) [19]. A minor variation of CCM, called CCM*, is used in the ZigBee standard [7].
In this work, we assume that Advanced Encryption Standard (AES) in CTR mode is used for encryption and AES CBC-MAC for authentication, as it is the current standard for symmetric cryptography, even in sensor nodes [33]. Currently, there are efficient hardware implementations of AES that are highly affordable.
Regarding hardware platforms, the vast majority of previous works on BSNs have used the 16-bit Texas Instruments' (TI) MSP430 and CC2540 families of microcontrollers [34]. Built around a 16-bit CPU, ultra-low-power MSP430 microcontrollers are designed for low cost and, specifically, low-power consumption embedded applications. As an example, TI's CC2540 family [35] enables robust Bluetooth low energy (BLE) network nodes to be built with low total bill-of-material (BOM) costs. BLE operates in the same spectrum range (2.400 GHz–2.4835 GHz ISM band) as classic Bluetooth technology but uses a different set of channels: instead of 79 1 MHz channels, BLE offers 40 2 MHz channels, 3 for advertising purposes and 37 for data exchange.
6.1. Transmission/Reception Overhead. In this section, we analyze the overhead introduced by our proposal in terms of transmission/reception of channel availability data and compare it with the overhead exhibited when conventional approaches are used for data encryption/authentication, as explained above. We assume that all sensors are capable of sensing a given set of channels and reporting information about their state.
With our proposal, the minimum number of transmitted bits will depend on the number of channels that a given sensor is reporting, the number of bits used to code the state of each channel, and the length of the authentication code. As explained in Section 5.2, a length of 16 bits is enough to secure most applications in WSNs, and thus we have assumed this value for the authentication field. This leads to a total amount of $\mathrm{Bits}_{tx} = l + 16$ transmitted bits, where $l$ represents the total number of bits used to code all possible channels, and $\mathrm{Bits}_{rx} = (n - 1)\,\mathrm{Bits}_{tx}$ received bits, representing the number of bits received by a given sensor from its neighbors.
Aiming to provide a fair comparison, we choose the same key length for block ciphers and for our proposal, that is to say, a 128-bit key. The transmitted bits overhead added by AES CBC-MAC authentication is 128 bits (for a semantically secure implementation, an IV or nonce must also be shared between emitter and receiver, so the overhead can be higher). Regarding encryption, the number of transmitted bits is equal to the number of bits $l$ used to code the state of the channels, but it also requires the use of a nonce with a length equal to half of the key length, that is, 64 bits per message.
During every sensing period every node must transmita packet with sensing information but also must process thepackets received from its neighbors Table 1 and Figure 7respectively show the transmission and reception overheaddue to the secure sharing of sensing information using bothstandard block ciphers and our proposal The values areprovided as a function of the number of bits 119897 used to codethe state of the channels and the number of nodes119873 rangingfrom 5 to 30 Given that the considered scenario is a bodysensor network this is more than a reasonable value sincea patient wearing more than 30 sensors may be an unlikelysituation
The reader may notice that the overhead introducedby this mechanism increases linearly with the number ofnodes for both approaches However with the proposedmethod the transmissionreception overhead is considerablyreduced with respect to the use of standard block cipherswhile still maintaining an acceptable level of security Infact the more the nodes in the CBSN the bigger theimprovement introduced by the former As wewill show laterthe transmissionreception savings lead to a huge saving alsoin energy consumption
62 Computational Cost In this section we provide a com-parison of the CPU cost in cycles due to the implementationof the cryptographic functions
If AES is used the total cryptographic cost per nodefor securing the exchange of sensing data equals the costof one encryption and 119873 minus 1 decryptions Assumingthe Texas Instrumentsrsquo reference AES-implementation forCC2540 microcontrollers [36] AES encryption needs 6600cyclesblock and AES decryption 8400 cyclesblock
With our proposal the energy consumption has threecomponents the computation of the different sequences 119878119906
119894
with the hash function before the sensing period begins theXOR of the keystream 119870119906
119894with the sequence 119863119906
119894that signals
the availability of channels and the XOR of the sequences 119862119906119894
received from neighbors with the precomputed 119878119906119894Therefore
10 International Journal of Distributed Sensor Networks
Table 1 Transmission overhead
119897 (bits) Overhead(bits)
Authentication only (CBC-MAC)16 12832 12864 128
Encryption only (CTR)16 8032 9664 128
Authentication and encryption (CCM)16 20832 22464 256
Authentication and encryption (our proposal)16 3232 4864 80
1000
800
600
400
200
05 10 15 20 25 30
Number of nodes (N)
Rece
ptio
n ov
erhe
ad (b
ytes
)
CBC-MAC l = 16 32 64
CTR l = 16
CTR l = 32
CTR l = 64
CCM l = 16
CCM l = 32
CCM l = 64
Ours l = 16
Ours l = 32
Ours l = 64
Figure 7 Reception overhead for a varying number of nodes119873
a nodemust compute119873 hashes and perform119873XORs to sendchannel information and process the reports received from itsneighbors
As per [37] XORoperationwith aMSP430 accounts for 4-5 cyclesbyte Assuming a 128-bit hash function and the worstcase every XOR in our proposals accounts for 5 sdot 16 = 80cycles As previously explained in Section 51 we suggest theuse of a lightweight cryptographic hash function specificallysuited for low-end devices with an output of 128 bits Table 2depicts the number of CPU cycles per block needed [38]for two potential candidates As clearly seen in the tablecomputing one of these hash functions requires only a fewtens of cyclesblock In the following for this analysis we will
Table 2 Cycles per block for different cryptographic hash functions
Algorithm Hash output size Cyclesblock(Stripped) MAME 128 96H-PRESENT-128 128 32
consider the (stripped) MAME hash function as it is a purehash function that does not rely on a symmetric cipher andrequires more CPU cycles (worst case)
Taking into account the previous data Figure 8 showsthe CPU cycles consumed with both our proposal (with aMAME hash function) and standard AES-128 security It canbe clearly seen that our proposal scales much better withthe number of nodes while still providing an appropriatelevel of security We do not provide values for the processtime that is the time needed for key generation encryptiondecryption and data authentication but the number of CPUcycles required to execute each function In this way timevalues can be obtained for a particular sensor node accordingto its CPU features
63 Total Energy Cost Table 3 provides the transmission andreception energy consumption of a TIrsquos CC2540 microcon-troller for different modes and values of transmission powerThe displayed values have been tested under 25∘CWe do nothave values for in-body conditions (asymp38∘C) but we presentthese data for reference purposes In any case this fact onlyaffects the energy consumption for receivingtransmittingNote that the total cost in terms of energy is much highersince it should also account for duty cycles state changes andother parameters [39]
There is no single specific ldquoenergy per CPU cyclerdquo valuesince the cycle consumption depends on the type of CPUoperation Anyway in [34] the authors measured that theTIrsquos MSP430F1611 consumes energy at an average of 072 nJper clock cycle and we have adopted such value in our study
Figure 9 shows the total average energy consumption as afunction of the number of neighboring sensor nodes and thenumber 119897 of bits used to code the channels for the proposedmechanism and standard approaches CCM (authenticationand encryption) CTR (encryption only) and CBC-MAC(authentication only) We have assumed standard receptionand short-range transmission of minus6 dBm (see Table 3)
As clearly denoted in the figure ourmethod only requiresa few tens of 120583J regardless of the number of sensor nodeswhile AES-based security requires higher values of energyranging from 35 120583J to almost 240120583J when encryption andauthentication are provided and for 30 sensor nodes Themore the number of sensor nodes the bigger the improve-ment introduced by our proposal
It must be remarked however that the purpose of thisfigure is to provide reference values to be taken into accountfor future implementations Besides the level of security pro-vided by our method is lower than AES-based methods butstill ismore than adequate given the features of CBSNs (trans-mission rate number of sentmessages etc) and given the factthat the data we are trying to protect are just a limited numberof potential channels to be used for operation of the network
International Journal of Distributed Sensor Networks 11
Table 3 Currentenergy consumption for RXTX tested on TexasInstruments CC2540 EMwith 119879
119860= 25∘Cwith no peripherals active
and low MCU activity at 250 kHz
Test conditions Current EnergybyteRX standard 196mA 588 nJRX high gain 221mA 663 nJTX minus23 dBm 211mA 633 nJTX minus6 dBm 238mA 714 nJTX 0 dBm 27mA 81 nJTX 4 dBm 316mA 948 nJ
5 10 15 20 25 30
Number of nodes (N)
AES l = 16 32 64
Ours l = 16 32 64
300000
250000
200000
150000
100000
50000
0
CPU
cycle
s
Figure 8 Added CPU cycles for a secure exchange of sensing data
Indeed thismechanism introduces some overhead due tospectrum sensing and sharing of channel information and aswe pointed out above the overhead increases linearly withthe number of nodes in the network The synchronizationprotocol adds some overhead too but the increase willstrongly depend on the chosen protocol In [29] someprotocols with high energy efficiency are referenced whichcould be used in our proposal
Despite it we claim that it is definitely worth introducingthis overhead to increase the availability of the network andmake it robust to potential interferences and DoS attacksUnder these undesired situations the current channel usedby the CBSN may become unavailable but the proposedmethod allows the nodes to securely agree on a new channelof operation and rapidly resume their transmissions It mustbe remarked that securing channel availability informationmay prevent or at least diminished the effect of further DoSattacks when switching to a new channel
We do not quantify the benefits of applying our methodin terms of attack mitigation because it strongly depends onthe capabilities of the attacker (time required for sensing eachchannel number of channels that can sense etc) As a futurework it would be interesting to estimate the improvementachieved by our approach in terms of throughput of the
5 10 15 20 25 30
Number of nodes (N)
CBC-MAC l = 16 32 64
CTR l = 16
CTR l = 32
CTR l = 64
CCM l = 16
CCM l = 32
CCM l = 64
Ours l = 16
Ours l = 32
Ours l = 64
250
200
150
100
50
0
Ener
gy co
st (120583
J)Figure 9 Added energy costs for a TIrsquos MSP430F1611 with a TIrsquosCC2540 microcontroller
CBSNs connections and the tradeoff between benefits andoverhead
7. Conclusions
Body sensor networks (BSNs) emerge as an optimal solution for ensuring constant and remote monitoring of the health status of patients. Recent advances in technology have made it possible to deploy a network of tiny sensors over the human body, and even in-body, which can measure vital signs such as temperature, heart rate, or the level of glucose and report these data to medical personnel.
Guaranteeing the availability of such communications is a must, since connectivity losses during emergency situations may prevent a patient from immediately receiving medical assistance and may end up in catastrophic results.
A new network paradigm known as cognitive body sensor networks (CBSNs) could mitigate this threat by allowing body sensors to operate in a wide range of frequencies and adapt their transmission parameters according to highly dynamic environment conditions. However, this would come at the expense of implementing cooperative spectrum sensing mechanisms that allow sensors to exchange information about channel quality and availability. As a consequence, CBSNs might become vulnerable to specific attacks that target these mechanisms.
In this paper, we presented a novel and simple method to secure the sensing process in a CBSN and improve its availability. The method relies on cryptographic primitives that require a minimum amount of memory and low energy consumption, thus being more suited for devices with limited resources than traditional approaches. It offers authentication and encryption of control data shared by the sensors in the CBSN to agree on a given channel.
Our proposal was analyzed in terms of security, and we showed that, although it does not provide the same level of security as AES-based encryption and authentication, it is still sufficient for low packet rate networks such as CBSNs. The provided results also showed that our method outperforms existing approaches in terms of transmission/reception overhead and number of CPU cycles needed, particularly as the number of sensor nodes increases. For typical microcontrollers such as the CC2540 and MSP430, the improvement in energy consumption clearly justifies the use of the proposed method over AES-based mechanisms in constrained networks such as CBSNs, in which maximizing the network life is extremely important.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgment
This work has been partially supported by the Spanish government under grant TEC2011-22746 “TAMESIS” and by the Ministry of Economy and Competitiveness through the projects CO-PRIVACY (TIN2011-27076-C03-02) and SMARTGLACIS (TIN2014-57364-C2-2-R).
References
[1] B. Latre, B. Braem, I. Moerman, C. Blondia, and P. Demeester, “A survey on wireless body area networks,” Wireless Networks, vol. 17, no. 1, pp. 1–18, 2011.
[2] S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, “Wireless body area networks: a survey,” IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014.
[3] 802.15.6-2012 – IEEE Standard for Local and metropolitan area networks – Part 15.6: Wireless Body Area Networks, 2012, http://standards.ieee.org/getieee802/download/802.15.6-2012.pdf.
[4] Bluetooth Low Energy (LE), June 2014, http://www.bluetooth.com/Pages/low-energy-tech-info.aspx.
[5] The ANT+ Alliance, 2014, http://www.thisisant.com.
[6] Wi-Fi Alliance, June 2014, http://www.wi-fi.org.
[7] Zigbee Alliance, June 2014, http://www.zigbee.org.
[8] M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, “SoK: security and privacy in implantable medical devices and body area networks,” in Proceedings of the 35th IEEE Symposium on Security and Privacy (SP '14), pp. 524–539, San Jose, Calif, USA, May 2014.
[9] I. F. Akyildiz, W.-Y. Lee, M. C. Vuran, and S. Mohanty, “NeXt generation/dynamic spectrum access/cognitive radio wireless networks: a survey,” Computer Networks, vol. 50, no. 13, pp. 2127–2159, 2006.
[10] B. Wang and K. J. R. Liu, “Advances in cognitive radio networks: a survey,” IEEE Journal of Selected Topics in Signal Processing, vol. 5, no. 1, pp. 5–23, 2011.
[11] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, “Opportunistic spectrum access in unknown dynamic environment: a game-theoretic stochastic learning solution,” IEEE Transactions on Wireless Communications, vol. 11, no. 4, pp. 1380–1391, 2012.
[12] D. Cavalcanti, S. Das, J. Wang, and K. Challapali, “Cognitive radio based wireless sensor networks,” in Proceedings of the 17th International Conference on Computer Communications and Networks (ICCCN '08), pp. 1–6, August 2008.
[13] O. Leon, J. Hernandez-Serrano, and M. Soriano, “Securing cognitive radio networks,” International Journal of Communication Systems, vol. 23, no. 5, pp. 633–652, 2010.
[14] M. Rostami, A. Juels, and F. Koushanfar, “Heart-to-Heart (H2H): authentication for implanted medical devices,” in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 1099–1111, ACM, Berlin, Germany, November 2013.
[15] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun, “Proximity-based access control for implantable medical devices,” in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 410–419, Chicago, Ill, USA, November 2009.
[16] L. Shi, M. Li, S. Yu, and J. Yuan, “BANA: body area network authentication exploiting channel characteristics,” IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1803–1816, 2013.
[17] C. C. Tan, S. Zhong, H. Wang, and Q. Li, “Body sensor network security: an identity-based cryptography approach,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 148–153, April 2008.
[18] O. Garcia-Morchon, T. Falck, T. Heer, and K. Wehrle, “Security for pervasive medical sensor networks,” in Proceedings of the 6th Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous '09), pp. 1–10, Toronto, Canada, July 2009.
[19] G. Selimis, L. Huang, F. Masse et al., “A lightweight security scheme for wireless body area networks: design, energy evaluation and proposed microprocessor design,” Journal of Medical Systems, vol. 35, no. 5, pp. 1289–1298, 2011.
[20] Y. Yan and T. Shu, “Energy-efficient In-network encryption/decryption for wireless body area sensor networks,” in Proceedings of the IEEE Global Communications Conference (GLOBECOM '14), pp. 2442–2447, IEEE, Austin, Tex, USA, December 2014.
[21] Y. Xu, A. Anpalagan, Q. Wu, L. Shen, Z. Gao, and J. Wang, “Decision-theoretic distributed channel selection for opportunistic spectrum access: strategies, challenges and solutions,” IEEE Communications Surveys and Tutorials, vol. 15, no. 4, pp. 1689–1713, 2013.
[22] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, “Opportunistic spectrum access in cognitive radio networks: global optimization using local interaction games,” IEEE Journal on Selected Topics in Signal Processing, vol. 6, no. 2, pp. 180–194, 2012.
[23] R. Chavez-Santiago, K. E. Nolan, O. Holland et al., “Cognitive radio for medical body area networks using ultra wideband,” IEEE Wireless Communications, vol. 19, no. 4, pp. 74–81, 2012.
[24] A. R. Syed and K.-L. A. Yau, “On cognitive radio-based wireless body area networks for medical applications,” in Proceedings of the 1st IEEE Symposium on Computational Intelligence in Healthcare and e-Health (CICARE '13), pp. 51–57, Singapore, April 2013.
[25] R. Chen, J.-M. Park, and K. Bian, “Robust distributed spectrum sensing in cognitive radio networks,” in Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM '08), pp. 1876–1884, IEEE, Phoenix, Ariz, USA, April 2008.
[26] H. Rifa-Pous, M. J. Blasco, and C. Garrigues, “Review of robust cooperative spectrum sensing techniques for cognitive radio networks,” Wireless Personal Communications, vol. 67, no. 2, pp. 175–198, 2012.
[27] B. Braem, B. Latre, C. Blondia, I. Moerman, and P. Demeester, “Analyzing and improving reliability in multi-hop body sensor networks,” International Journal on Advances in Internet Technology, vol. 2, no. 1, pp. 152–161, 2009.
[28] I. F. Akyildiz, B. F. Lo, and R. Balakrishnan, “Cooperative spectrum sensing in cognitive radio networks: a survey,” Physical Communication, vol. 4, no. 1, pp. 40–62, 2011.
[29] B. Sundararaman, U. Buy, and A. D. Kshemkalyani, “Clock synchronization for wireless sensor networks: a survey,” Ad Hoc Networks, vol. 3, no. 3, pp. 281–323, 2005.
[30] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, “Hash functions and RFID tags: mind the gap,” in Cryptographic Hardware and Embedded Systems – CHES 2008: 10th International Workshop, Washington, DC, USA, August 10–13, 2008. Proceedings, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[31] C. Cordeiro, K. Challapali, D. Birru, and N. Sai Shankar, “IEEE 802.22: the first worldwide wireless standard based on cognitive radios,” in Proceedings of the 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN '05), pp. 328–337, Baltimore, Md, USA, November 2005.
[32] S. Ullah, H. Higgins, B. Braem et al., “A comprehensive survey of wireless body area networks: on PHY, MAC, and network layers solutions,” Journal of Medical Systems, vol. 36, no. 3, pp. 1065–1094, 2012.
[33] N. Sastry and D. Wagner, “Security considerations for IEEE 802.15.4 networks,” in Proceedings of the ACM Workshop on Wireless Security (WiSe '04), pp. 32–42, Philadelphia, Pa, USA, October 2004.
[34] M. Pajic, Z. Jiang, I. Lee, O. Sokolsky, and R. Mangharam, “From verification to implementation: a model translation tool and a pacemaker case study,” in Proceedings of the 18th IEEE Real Time and Embedded Technology and Applications Symposium (RTAS '12), pp. 173–184, Beijing, China, April 2012.
[35] CC2540 2.4-GHz Bluetooth low energy System-on-Chip, 2013, http://www.ti.com/lit/ds/symlink/cc2540.pdf.
[36] U. Kretzschmar, “AES128 – a C implementation for encryption and decryption, MSP430 systems, ECCN 5E002 TSPA – technology/software publicly,” Application Report SLAA397A, Texas Instruments, Dallas, Tex, USA, 2009, http://www.ti.com.cn/cn/lit/an/slaa397a/slaa397a.pdf.
[37] El Barquero Aqueronte, MSP430 Cycles and Instructions, edited by Aqueronte, 2011, http://unbarquero.blogspot.com.es/2011/05/msp430-cycles-and-instructions.html.
[38] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, “Hash functions and RFID tags: mind the gap,” in Cryptographic Hardware and Embedded Systems – CHES 2008, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[39] S. Kamath and J. Lindh, “Measuring bluetooth low energy power consumption,” Application Note AN092, Texas Instruments, Dallas, Tex, USA, 2012, Version SWRA347a, http://www.ti.com/lit/an/swra347a/swra347a.pdf.
10 International Journal of Distributed Sensor Networks
Table 1: Transmission overhead.
Scheme                                         l (bits)   Overhead (bits)
Authentication only (CBC-MAC)                  16         128
                                               32         128
                                               64         128
Encryption only (CTR)                          16         80
                                               32         96
                                               64         128
Authentication and encryption (CCM)            16         208
                                               32         224
                                               64         256
Authentication and encryption (our proposal)   16         32
                                               32         48
                                               64         80
Figure 7: Reception overhead for a varying number of nodes N. [Plot: reception overhead (bytes) versus number of nodes (N) for CBC-MAC (l = 16, 32, 64) and for CTR, CCM and our proposal (each with l = 16, 32 and 64).]
a node must compute N hashes and perform N XORs to send channel information and process the reports received from its neighbors.
As per [37], an XOR operation with an MSP430 accounts for 4-5 cycles/byte. Assuming a 128-bit hash function and the worst case, every XOR in our proposal accounts for 5 · 16 = 80 cycles. As previously explained in Section 5.1, we suggest the use of a lightweight cryptographic hash function specifically suited for low-end devices with an output of 128 bits. Table 2 depicts the number of CPU cycles per block needed [38] for two potential candidates. As clearly seen in the table, computing one of these hash functions requires only a few tens of cycles/block. In the following, for this analysis we will consider the (stripped) MAME hash function, as it is a pure hash function that does not rely on a symmetric cipher and requires more CPU cycles (worst case).
Table 2: Cycles per block for different cryptographic hash functions.
Algorithm          Hash output size   Cycles/block
(Stripped) MAME    128                96
H-PRESENT-128      128                32
Taking into account the previous data, Figure 8 shows the CPU cycles consumed with both our proposal (with a MAME hash function) and standard AES-128 security. It can be clearly seen that our proposal scales much better with the number of nodes while still providing an appropriate level of security. We do not provide values for the process time, that is, the time needed for key generation, encryption/decryption, and data authentication, but the number of CPU cycles required to execute each function. In this way, time values can be obtained for a particular sensor node according to its CPU features.
6.3. Total Energy Cost. Table 3 provides the transmission and reception energy consumption of a TI's CC2540 microcontroller for different modes and values of transmission power. The displayed values have been tested under 25°C. We do not have values for in-body conditions (≈38°C), but we present these data for reference purposes. In any case, this fact only affects the energy consumption for receiving/transmitting. Note that the total cost in terms of energy is much higher, since it should also account for duty cycles, state changes, and other parameters [39].
There is no single specific “energy per CPU cycle” value, since the cycle consumption depends on the type of CPU operation. Anyway, in [34] the authors measured that the TI's MSP430F1611 consumes energy at an average of 0.72 nJ per clock cycle, and we have adopted such value in our study.
Figure 9 shows the total average energy consumption as a function of the number of neighboring sensor nodes and the number l of bits used to code the channels, for the proposed mechanism and the standard approaches: CCM (authentication and encryption), CTR (encryption only), and CBC-MAC (authentication only). We have assumed standard reception and short-range transmission of −6 dBm (see Table 3).
As clearly denoted in the figure, our method only requires a few tens of μJ regardless of the number of sensor nodes, while AES-based security requires higher values of energy, ranging from 35 μJ to almost 240 μJ when encryption and authentication are provided and for 30 sensor nodes. The greater the number of sensor nodes, the bigger the improvement introduced by our proposal.
It must be remarked, however, that the purpose of this figure is to provide reference values to be taken into account for future implementations. Besides, the level of security provided by our method is lower than that of AES-based methods but is still more than adequate given the features of CBSNs (transmission rate, number of sent messages, etc.) and given the fact that the data we are trying to protect are just a limited number of potential channels to be used for operation of the network.
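The cost figures quoted in Sections 6.2 and 6.3 can be combined into a small per-exchange model for the proposed method; the following is an added example, not code from the paper. It assumes that each hash processes a single block, that a node transmits one report and receives one from each of its N neighbors with every report carrying the Table 1 overhead, and that the MCU runs at a hypothetical 8 MHz clock for the cycle-to-time conversion.

```python
"""Per-exchange cost model built from the figures quoted in Sections 6.2-6.3
(Tables 1-3). Added illustration, not the authors' code."""
from dataclasses import dataclass

# Table 1: transmission overhead in bits, per scheme and channel-code length l.
OVERHEAD_BITS = {
    "CBC-MAC": {16: 128, 32: 128, 64: 128},
    "CTR": {16: 80, 32: 96, 64: 128},
    "CCM": {16: 208, 32: 224, 64: 256},
    "Ours": {16: 32, 32: 48, 64: 80},
}
# Table 2: CPU cycles per block of the two candidate 128-bit hash functions.
HASH_CYCLES_PER_BLOCK = {"MAME": 96, "H-PRESENT-128": 32}
XOR_CYCLES_PER_BYTE = 5   # worst case of the 4-5 cycles/byte quoted from [37]
HASH_OUTPUT_BYTES = 16    # 128-bit hash output
NJ_PER_CPU_CYCLE = 0.72   # MSP430F1611 average quoted from [34]
RX_NJ_PER_BYTE = 58.8     # Table 3, RX standard
TX_NJ_PER_BYTE = 71.4     # Table 3, TX -6 dBm


def overhead_bytes(scheme: str, l_bits: int) -> float:
    """Per-message security overhead (Table 1), converted from bits to bytes."""
    try:
        return OVERHEAD_BITS[scheme][l_bits] / 8
    except KeyError:
        raise ValueError(f"no Table 1 entry for scheme={scheme!r}, l={l_bits}") from None


def radio_energy_nj(scheme: str, n_nodes: int, l_bits: int) -> float:
    """Radio energy spent on security overhead in one exchange.

    ASSUMPTION (not stated on the page): one report is transmitted and one is
    received from each of the n_nodes neighbors.
    """
    if n_nodes < 1:
        raise ValueError("n_nodes must be at least 1")
    per_msg = overhead_bytes(scheme, l_bits)
    return per_msg * TX_NJ_PER_BYTE + n_nodes * per_msg * RX_NJ_PER_BYTE


def proposal_cpu_cycles(n_nodes: int, hash_name: str = "MAME") -> int:
    """N hashes plus N XORs over a 128-bit value (80 cycles each, worst case).

    ASSUMPTION: every hash call processes exactly one block.
    """
    if n_nodes < 1:
        raise ValueError("n_nodes must be at least 1")
    if hash_name not in HASH_CYCLES_PER_BLOCK:
        raise ValueError(f"unknown hash function {hash_name!r}")
    xor_cycles = XOR_CYCLES_PER_BYTE * HASH_OUTPUT_BYTES
    return n_nodes * (HASH_CYCLES_PER_BLOCK[hash_name] + xor_cycles)


@dataclass(frozen=True)
class ExchangeCost:
    cpu_cycles: int
    cpu_time_us: float
    cpu_energy_nj: float
    radio_energy_nj: float

    @property
    def total_uj(self) -> float:
        return (self.cpu_energy_nj + self.radio_energy_nj) / 1000


def proposal_cost(n_nodes: int, l_bits: int, clock_hz: float = 8_000_000,
                  hash_name: str = "MAME") -> ExchangeCost:
    """Added cost of one secured sensing exchange with the proposed method.

    clock_hz is a hypothetical sample value; substitute the node's real clock.
    """
    cycles = proposal_cpu_cycles(n_nodes, hash_name)
    return ExchangeCost(
        cpu_cycles=cycles,
        cpu_time_us=cycles / clock_hz * 1e6,
        cpu_energy_nj=cycles * NJ_PER_CPU_CYCLE,
        radio_energy_nj=radio_energy_nj("Ours", n_nodes, l_bits),
    )


if __name__ == "__main__":
    for n in (5, 10, 20, 30):
        cost = proposal_cost(n, 64)
        ccm_radio_uj = radio_energy_nj("CCM", n, 64) / 1000
        print(f"N={n:2d}  cycles={cost.cpu_cycles:5d}  time={cost.cpu_time_us:6.1f} us  "
              f"ours={cost.total_uj:6.2f} uJ  CCM radio only={ccm_radio_uj:6.2f} uJ")
```

The CCM column covers radio overhead only, because the AES cycle counts behind Figure 8 are not given numerically in this part of the text.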
Table 3: Current/energy consumption for RX/TX, tested on Texas Instruments CC2540 EM with T_A = 25°C, with no peripherals active and low MCU activity at 250 kHz.
Test conditions   Current    Energy/byte
RX standard       19.6 mA    58.8 nJ
RX high gain      22.1 mA    66.3 nJ
TX −23 dBm        21.1 mA    63.3 nJ
TX −6 dBm         23.8 mA    71.4 nJ
TX 0 dBm          27 mA      81 nJ
TX 4 dBm          31.6 mA    94.8 nJ
Figure 8: Added CPU cycles for a secure exchange of sensing data. [Plot: CPU cycles versus number of nodes (N) for AES (l = 16, 32, 64) and our proposal (l = 16, 32, 64).]
International Journal of Distributed Sensor Networks 11
Table 3 Currentenergy consumption for RXTX tested on TexasInstruments CC2540 EMwith 119879
119860= 25∘Cwith no peripherals active
and low MCU activity at 250 kHz
Test conditions Current EnergybyteRX standard 196mA 588 nJRX high gain 221mA 663 nJTX minus23 dBm 211mA 633 nJTX minus6 dBm 238mA 714 nJTX 0 dBm 27mA 81 nJTX 4 dBm 316mA 948 nJ
5 10 15 20 25 30
Number of nodes (N)
AES l = 16 32 64
Ours l = 16 32 64
300000
250000
200000
150000
100000
50000
0
CPU
cycle
s
Figure 8 Added CPU cycles for a secure exchange of sensing data
Indeed, this mechanism introduces some overhead due to spectrum sensing and sharing of channel information and, as we pointed out above, the overhead increases linearly with the number of nodes in the network. The synchronization protocol adds some overhead too, but the increase will strongly depend on the chosen protocol. In [29], some protocols with high energy efficiency are referenced, which could be used in our proposal.
Despite this, we claim that it is definitely worth introducing this overhead to increase the availability of the network and make it robust to potential interferences and DoS attacks. Under these undesired situations, the current channel used by the CBSN may become unavailable, but the proposed method allows the nodes to securely agree on a new channel of operation and rapidly resume their transmissions. It must be remarked that securing channel availability information may prevent, or at least diminish, the effect of further DoS attacks when switching to a new channel.
We do not quantify the benefits of applying our method in terms of attack mitigation because it strongly depends on the capabilities of the attacker (time required for sensing each channel, number of channels that it can sense, etc.). As future work, it would be interesting to estimate the improvement achieved by our approach in terms of throughput of the CBSN connections and the tradeoff between benefits and overhead.
Figure 9: Added energy costs for a TI's MSP430F1611 with a TI's CC2540 microcontroller. [Plot: energy cost (µJ) versus number of nodes (N), for CBC-MAC, CTR, CCM, and Ours with l = 16, 32, 64.]
7 Conclusions
Body sensor networks (BSNs) emerge as an optimal solution for ensuring constant and remote monitoring of the health status of patients. Recent advances in technology have made it possible to deploy a network of tiny sensors over the human body, and even in body, which can measure vital signs such as temperature, heart rate, or the level of glucose and report these data to medical personnel.
Guaranteeing the availability of such communications is a must, since connectivity losses during emergency situations may prevent a patient from immediately receiving medical assistance and may end up in catastrophic results.
A new network paradigm known as cognitive body sensor networks (CBSNs) could mitigate this threat by allowing body sensors to operate in a wide range of frequencies and adapt their transmission parameters according to highly dynamic environment conditions. However, this would come at the expense of implementing cooperative spectrum sensing mechanisms that allow sensors to exchange information about channel quality and availability. As a consequence, CBSNs might become vulnerable to specific attacks that are targeted at these mechanisms.
In this paper, we presented a novel and simple method to secure the sensing process in a CBSN and improve its availability. The method relies on cryptographic primitives that require a minimum amount of memory and low energy consumption, thus being more suited for devices with limited resources than traditional approaches. It offers authentication and encryption of control data shared by the sensors in the CBSN to agree on a given channel.
Our proposal was analyzed in terms of security, and we showed that, although it does not provide the same level of security as AES-based encryption and authentication, it is still sufficient for low packet rate networks such as CBSNs. The provided results also showed that our method outperforms existing approaches in terms of transmission/reception overhead and number of CPU cycles needed, particularly as the number of sensor nodes increases. For typical microcontrollers such as the CC2540 and MSP430, the improvement in energy consumption clearly justifies the use of the proposed method over AES-based mechanisms in constrained networks such as CBSNs, in which maximizing the network life is extremely important.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgment
This work has been partially supported by the Spanish government under grant TEC2011-22746 “TAMESIS” and by the Ministry of Economy and Competitiveness through the projects CO-PRIVACY (TIN2011-27076-C03-02) and SMARTGLACIS (TIN2014-57364-C2-2-R).
References
[1] B. Latre, B. Braem, I. Moerman, C. Blondia, and P. Demeester, “A survey on wireless body area networks,” Wireless Networks, vol. 17, no. 1, pp. 1–18, 2011.
[2] S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, “Wireless body area networks: a survey,” IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014.
[3] 802.15.6-2012—IEEE Standard for Local and metropolitan area networks—Part 15.6: Wireless Body Area Networks, 2012, http://standards.ieee.org/getieee802/download/802.15.6-2012.pdf.
[4] Bluetooth Low Energy (LE), June 2014, http://www.bluetooth.com/Pages/low-energy-tech-info.aspx.
[5] The ANT+ Alliance, 2014, http://www.thisisant.com.
[6] Wi-Fi Alliance, June 2014, http://www.wi-fi.org.
[7] Zigbee Alliance, June 2014, http://www.zigbee.org.
[8] M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, “SoK: security and privacy in implantable medical devices and body area networks,” in Proceedings of the 35th IEEE Symposium on Security and Privacy (SP ’14), pp. 524–539, San Jose, Calif, USA, May 2014.
[9] I. F. Akyildiz, W.-Y. Lee, M. C. Vuran, and S. Mohanty, “NeXt generation/dynamic spectrum access/cognitive radio wireless networks: a survey,” Computer Networks, vol. 50, no. 13, pp. 2127–2159, 2006.
[10] B. Wang and K. J. R. Liu, “Advances in cognitive radio networks: a survey,” IEEE Journal of Selected Topics in Signal Processing, vol. 5, no. 1, pp. 5–23, 2011.
[11] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, “Opportunistic spectrum access in unknown dynamic environment: a game-theoretic stochastic learning solution,” IEEE Transactions on Wireless Communications, vol. 11, no. 4, pp. 1380–1391, 2012.
[12] D. Cavalcanti, S. Das, J. Wang, and K. Challapali, “Cognitive radio based wireless sensor networks,” in Proceedings of the 17th International Conference on Computer Communications and Networks (ICCCN ’08), pp. 1–6, August 2008.
[13] O. Leon, J. Hernandez-Serrano, and M. Soriano, “Securing cognitive radio networks,” International Journal of Communication Systems, vol. 23, no. 5, pp. 633–652, 2010.
[14] M. Rostami, A. Juels, and F. Koushanfar, “Heart-to-Heart (H2H): authentication for implanted medical devices,” in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS ’13), pp. 1099–1111, ACM, Berlin, Germany, November 2013.
[15] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun, “Proximity-based access control for implantable medical devices,” in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS ’09), pp. 410–419, Chicago, Ill, USA, November 2009.
[16] L. Shi, M. Li, S. Yu, and J. Yuan, “BANA: body area network authentication exploiting channel characteristics,” IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1803–1816, 2013.
[17] C. C. Tan, S. Zhong, H. Wang, and Q. Li, “Body sensor network security: an identity-based cryptography approach,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec ’08), pp. 148–153, April 2008.
[18] O. Garcia-Morchon, T. Falck, T. Heer, and K. Wehrle, “Security for pervasive medical sensor networks,” in Proceedings of the 6th Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous ’09), pp. 1–10, Toronto, Canada, July 2009.
[19] G. Selimis, L. Huang, F. Masse et al., “A lightweight security scheme for wireless body area networks: design, energy evaluation and proposed microprocessor design,” Journal of Medical Systems, vol. 35, no. 5, pp. 1289–1298, 2011.
[20] Y. Yan and T. Shu, “Energy-efficient In-network encryption/decryption for wireless body area sensor networks,” in Proceedings of the IEEE Global Communications Conference (GLOBECOM ’14), pp. 2442–2447, IEEE, Austin, Tex, USA, December 2014.
[21] Y. Xu, A. Anpalagan, Q. Wu, L. Shen, Z. Gao, and J. Wang, “Decision-theoretic distributed channel selection for opportunistic spectrum access: strategies, challenges and solutions,” IEEE Communications Surveys and Tutorials, vol. 15, no. 4, pp. 1689–1713, 2013.
[22] Y. Xu, J. Wang, Q. Wu, A. Anpalagan, and Y.-D. Yao, “Opportunistic spectrum access in cognitive radio networks: global optimization using local interaction games,” IEEE Journal on Selected Topics in Signal Processing, vol. 6, no. 2, pp. 180–194, 2012.
[23] R. Chavez-Santiago, K. E. Nolan, O. Holland et al., “Cognitive radio for medical body area networks using ultra wideband,” IEEE Wireless Communications, vol. 19, no. 4, pp. 74–81, 2012.
[24] A. R. Syed and K.-L. A. Yau, “On cognitive radio-based wireless body area networks for medical applications,” in Proceedings of the 1st IEEE Symposium on Computational Intelligence in Healthcare and e-Health (CICARE ’13), pp. 51–57, Singapore, April 2013.
[25] R. Chen, J.-M. Park, and K. Bian, “Robust distributed spectrum sensing in cognitive radio networks,” in Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM ’08), pp. 1876–1884, IEEE, Phoenix, Ariz, USA, April 2008.
[26] H. Rifa-Pous, M. J. Blasco, and C. Garrigues, “Review of robust cooperative spectrum sensing techniques for cognitive radio networks,” Wireless Personal Communications, vol. 67, no. 2, pp. 175–198, 2012.
[27] B. Braem, B. Latre, C. Blondia, I. Moerman, and P. Demeester, “Analyzing and improving reliability in multi-hop body sensor networks,” International Journal on Advances in Internet Technology, vol. 2, no. 1, pp. 152–161, 2009.
[28] I. F. Akyildiz, B. F. Lo, and R. Balakrishnan, “Cooperative spectrum sensing in cognitive radio networks: a survey,” Physical Communication, vol. 4, no. 1, pp. 40–62, 2011.
[29] B. Sundararaman, U. Buy, and A. D. Kshemkalyani, “Clock synchronization for wireless sensor networks: a survey,” Ad Hoc Networks, vol. 3, no. 3, pp. 281–323, 2005.
[30] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, “Hash functions and RFID tags: mind the gap,” in Cryptographic Hardware and Embedded Systems—CHES 2008: 10th International Workshop, Washington, DC, USA, August 10–13, 2008. Proceedings, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[31] C. Cordeiro, K. Challapali, D. Birru, and N. Sai Shankar, “IEEE 802.22: the first worldwide wireless standard based on cognitive radios,” in Proceedings of the 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN ’05), pp. 328–337, Baltimore, Md, USA, November 2005.
[32] S. Ullah, H. Higgins, B. Braem et al., “A comprehensive survey of wireless body area networks: on PHY, MAC, and network layers solutions,” Journal of Medical Systems, vol. 36, no. 3, pp. 1065–1094, 2012.
[33] N. Sastry and D. Wagner, “Security considerations for IEEE 802.15.4 networks,” in Proceedings of the ACM Workshop on Wireless Security (WiSe ’04), pp. 32–42, Philadelphia, Pa, USA, October 2004.
[34] M. Pajic, Z. Jiang, I. Lee, O. Sokolsky, and R. Mangharam, “From verification to implementation: a model translation tool and a pacemaker case study,” in Proceedings of the 18th IEEE Real Time and Embedded Technology and Applications Symposium (RTAS ’12), pp. 173–184, Beijing, China, April 2012.
[35] CC2540 2.4-GHz Bluetooth low energy System-on-Chip, 2013, http://www.ti.com/lit/ds/symlink/cc2540.pdf.
[36] U. Kretzschmar, “AES128—a C implementation for encryption and decryption, MSP430 systems, ECCN 5E002 TSPA—technology/software publicly,” Application Report SLAA397A, Texas Instruments, Dallas, Tex, USA, 2009, http://www.ti.com.cn/cn/lit/an/slaa397a/slaa397a.pdf.
[37] El Barquero Aqueronte, MSP430 Cycles and Instructions, edited by Aqueronte, 2011, http://unbarquero.blogspot.com.es/2011/05/msp430-cycles-and-instructions.html.
[38] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, “Hash functions and RFID tags: mind the gap,” in Cryptographic Hardware and Embedded Systems—CHES 2008, vol. 5154 of Lecture Notes in Computer Science, pp. 283–299, Springer, Berlin, Germany, 2008.
[39] S. Kamath and J. Lindh, “Measuring bluetooth low energy power consumption,” Application Note AN092, Texas Instruments, Dallas, Tex, USA, 2012, Version SWRA347a, http://www.ti.com/lit/an/swra347a/swra347a.pdf.
12 International Journal of Distributed Sensor Networks
and encryption of control data shared by the sensors in theCBSN to agree on a given channel
Our proposal was analyzed in terms of security and weshowed that although it does not provide the same level ofsecurity as AES-based encryption and authentication it isstill sufficient for low packet rate networks such as CBSNsThe provided results also showed that our method outper-forms existing approaches in terms of transmissionreceptionoverhead and number of CPU cycles needed particularly asthe number of sensor nodes increases For typical microcon-trollers as CC2540 and MSP430 the improvement in energyconsumption clearly justifies the use of the proposed methodagainst AES-based mechanisms in constrained networkssuch as CBSNs in which maximizing the network life isextremely important
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgment
This work has been partially supported by the spanishgovernment under grant TEC2011-22746 ldquoTAMESISrdquo andby the Ministry of Economy and Competitiveness throughthe projects CO-PRIVACY (TIN2011-27076-C03-02) andSMARTGLACIS (TIN2014-57364-C2-2-R)
References
[1] B Latre B Braem I Moerman C Blondia and P DemeesterldquoA survey on wireless body area networksrdquo Wireless Networksvol 17 no 1 pp 1ndash18 2011
[2] S Movassaghi M Abolhasan J Lipman D Smith and AJamalipour ldquoWireless body area networks a surveyrdquo IEEECommunications Surveys amp Tutorials vol 16 no 3 pp 1658ndash1686 2014
[3] 802156-2012mdashIEEE Standard for Local and metropolitanarea networksmdashPart 156 Wireless Body Area Networks2012 httpstandardsieeeorggetieee802download802156-2012pdf
[4] Bluetooth Low Energy (LE) June 2014 httpwwwbluetoothcomPageslow-energy-tech-infoaspx
[5] The ANT+ Alliance 2014 httpwwwthisisantcom
[6] Wi-Fi Alliance June 2014 httpwwwwi-fiorg
[7] Zigbee Alliance June 2014 httpwwwzigbeeorg
[8] M Rushanan A D Rubin D F Kune and C M SwansonldquoSoK security and privacy in implantable medical devices andbody area networksrdquo in Proceedings of the 35th IEEE Symposiumon Security and Privacy (SP rsquo14) pp 524ndash539 San Jose Calif USA May 2014
[9] I F Akyildiz W-Y Lee M C Vuran and S Mohanty ldquoNeXtgenerationdynamic spectrum accesscognitive radio wirelessnetworks a surveyrdquo Computer Networks vol 50 no 13 pp2127ndash2159 2006
[10] BWang and K J R Liu ldquoAdvances in cognitive radio networksa surveyrdquo IEEE Journal of Selected Topics in Signal Processingvol 5 no 1 pp 5ndash23 2011
[11] Y Xu J Wang Q Wu A Anpalagan and Y-D Yao ldquoOppor-tunistic spectrum access in unknown dynamic environment agame-theoretic stochastic learning solutionrdquo IEEE Transactionson Wireless Communications vol 11 no 4 pp 1380ndash1391 2012
[12] D Cavalcanti S Das J Wang and K Challapali ldquoCognitiveradio based wireless sensor networksrdquo in Proceedings of the17th International Conference on Computer Communicationsand Networks (ICCCN rsquo08) pp 1ndash6 August 2008
[13] O Leon J Hernandez-Serrano andM Soriano ldquoSecuring cog-nitive radio networksrdquo International Journal of CommunicationSystems vol 23 no 5 pp 633ndash652 2010
[14] M Rostami A Juels and F Koushanfar ldquoHeart-to-Heart(H2H) authentication for implanted medical devicesrdquo in Pro-ceedings of the ACM SIGSAC Conference on Computer andCommunications Security (CCS rsquo13) pp 1099ndash1111 ACM BerlinGermany November 2013
[15] K B Rasmussen C Castelluccia T S Heydt-Benjamin andS Capkun ldquoProximity-based access control for implantablemedical devicesrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCS rsquo09) pp 410ndash419Chicago Ill USA November 2009
[16] L Shi M Li S Yu and J Yuan ldquoBANA body area networkauthentication exploiting channel characteristicsrdquo IEEE Journalon Selected Areas in Communications vol 31 no 9 pp 1803ndash1816 2013
[17] C C Tan S Zhong H Wang and Q Li ldquoBody sensornetwork security an identity-based cryptography approachrdquoin Proceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 148ndash153 April 2008
[18] O Garcia-Morchon T Falck T Heer and K Wehrle ldquoSecurityfor pervasive medical sensor networksrdquo in Proceedings of the6th Annual International Conference on Mobile and UbiquitousSystems Networking and Services (MobiQuitous rsquo09) pp 1ndash10Toronto Canada July 2009
[19] G Selimis L Huang F Masse et al ldquoA lightweight securityscheme for wireless body area networks design energy evalu-ation and proposed microprocessor designrdquo Journal of MedicalSystems vol 35 no 5 pp 1289ndash1298 2011
[20] Y Yan and T Shu ldquoEnergy-efficient In-network encryp-tiondecryption for wireless body area sensor networksrdquo inProceedings of the IEEE Global Communications Conference(GLOBECOM rsquo14) pp 2442ndash2447 IEEE Austin Tex USADecember 2014
[21] Y Xu A Anpalagan Q Wu L Shen Z Gao and J WangldquoDecision-theoretic distributed channel selection for oppor-tunistic spectrum access strategies challenges and solutionsrdquoIEEE Communications Surveys and Tutorials vol 15 no 4 pp1689ndash1713 2013
[22] Y Xu J Wang Q Wu A Anpalagan and Y-D Yao ldquoOppor-tunistic spectrum access in cognitive radio networks globaloptimization using local interaction gamesrdquo IEEE Journal onSelected Topics in Signal Processing vol 6 no 2 pp 180ndash1942012
[23] R Chavez-Santiago K E Nolan O Holland et al ldquoCognitiveradio for medical body area networks using ultra widebandrdquoIEEE Wireless Communications vol 19 no 4 pp 74ndash81 2012
International Journal of Distributed Sensor Networks 13
[24] A R Syed and K-L A Yau ldquoOn cognitive radio-based wirelessbody area networks for medical applicationsrdquo in Prceedingsof the 1st IEEE Symposium on Computational Intelligence inHealthcare and e-Health (CICARE rsquo13) pp 51ndash57 SingaporeApril 2013
[25] R Chen J-M Park and K Bian ldquoRobust distributed spectrumsensing in cognitive radio networksrdquo in Proceedings of the 27thIEEE Conference on Computer Communications (INFOCOMrsquo08) pp 1876ndash1884 IEEE Phoenix Ariz USA April 2008
[26] H Rifa-Pous M J Blasco and C Garrigues ldquoReview of robustcooperative spectrum sensing techniques for cognitive radionetworksrdquoWireless Personal Communications vol 67 no 2 pp175ndash198 2012
[27] B Braem B Latre C Blondia I Moerman and P DemeesterldquoAnalyzing and improving reliability in multi-hop body sensornetworksrdquo International Journal on Advances in Internet Tech-nology vol 2 no 1 pp 152ndash161 2009
[28] I F Akyildiz B F Lo and R Balakrishnan ldquoCooperative spec-trum sensing in cognitive radio networks a surveyrdquo PhysicalCommunication vol 4 no 1 pp 40ndash62 2011
[29] B Sundararaman U Buy and A D Kshemkalyani ldquoClocksynchronization for wireless sensor networks a surveyrdquoAdHocNetworks vol 3 no 3 pp 281ndash323 2005
[30] A Bogdanov G Leander C Paar A Poschmann M J BRobshaw and Y Seurin ldquoHash functions and RFID tags mindthe gaprdquo in Cryptographic Hardware and Embedded SystemsmdashCHES 2008 10th International Workshop Washington DCUSA August 10ndash13 2008 Proceedings vol 5154 of Lecture Notesin Computer Science pp 283ndash299 Springer Berlin Germany2008
[31] C Cordeiro K Challapali D Birru and N Sai ShankarldquoIEEE 80222 the first worldwide wireless standard based oncognitive radiosrdquo in Proceedings of the 1st IEEE InternationalSymposium on New Frontiers in Dynamic Spectrum AccessNetworks (DySPAN rsquo05) pp 328ndash337 Baltimore Md USANovember 2005
[32] S UllahHHiggins B Braem et al ldquoA comprehensive survey ofwireless body area networks on PHY MAC and network layerssolutionsrdquo Journal of Medical Systems vol 36 no 3 pp 1065ndash1094 2012
[33] N Sastry and D Wagner ldquoSecurity considerations for IEEE802154 networksrdquo in Proceedings of the ACM Workshop onWireless Security (WiSe rsquo04) pp 32ndash42 Philadelphia Pa USAOctober 2004
[34] M Pajic Z Jiang I LeeO Sokolsky andRMangharam ldquoFromverification to implementation a model translation tool and apacemaker case studyrdquo in Proceedings of the 18th IEEE Real Timeand Embedded Technology and Applications Symposium (RTASrsquo12) pp 173ndash184 Beijing China April 2012
[35] CC2540 24-GHz Bluetooth low energy System-on-Chip 2013httpwwwticomlitdssymlinkcc2540pdf
[36] U Kretzschmar ldquoAES128mdasha C implementation for encryp-tion and decryption MSP430 systems ECCN 5E002 TSPAmdashtechnologysoftware publiclyrdquo Application Report SLAA397ATexas Instruments Dallas Tex USA 2009 httpwwwticomcncnlitanslaa397aslaa397apdf
[37] El Barquero Aqueronte MSP430 Cycles and Instructionsedited by Aqueronte 2011 httpunbarqueroblogspotcomes201105msp430-cycles-and-instructionshtml
[38] A Bogdanov G Leander C Paar A Poschmann M J BRobshaw and Y Seurin ldquoHash functions and RFID tags mindthe gaprdquo in Cryptographic Hardware and Embedded SystemsmdashHES 2008 vol 5154 of Lecture Notes in Computer Science pp283ndash299 Springer Berlin Germany 2008
[39] S Kamath and J Lindh ldquoMeasuring bluetooth low energypower consumptionrdquo Application Note AN092 Texas Instru-ments Dallas TEx USA 2012 Version SWRA347a httpwwwticomlitanswra347aswra347apdf
International Journal of Distributed Sensor Networks 13
[24] A R Syed and K-L A Yau ldquoOn cognitive radio-based wirelessbody area networks for medical applicationsrdquo in Prceedingsof the 1st IEEE Symposium on Computational Intelligence inHealthcare and e-Health (CICARE rsquo13) pp 51ndash57 SingaporeApril 2013
[25] R Chen J-M Park and K Bian ldquoRobust distributed spectrumsensing in cognitive radio networksrdquo in Proceedings of the 27thIEEE Conference on Computer Communications (INFOCOMrsquo08) pp 1876ndash1884 IEEE Phoenix Ariz USA April 2008
[26] H Rifa-Pous M J Blasco and C Garrigues ldquoReview of robustcooperative spectrum sensing techniques for cognitive radionetworksrdquoWireless Personal Communications vol 67 no 2 pp175ndash198 2012
[27] B Braem B Latre C Blondia I Moerman and P DemeesterldquoAnalyzing and improving reliability in multi-hop body sensornetworksrdquo International Journal on Advances in Internet Tech-nology vol 2 no 1 pp 152ndash161 2009
[28] I F Akyildiz B F Lo and R Balakrishnan ldquoCooperative spec-trum sensing in cognitive radio networks a surveyrdquo PhysicalCommunication vol 4 no 1 pp 40ndash62 2011
[29] B Sundararaman U Buy and A D Kshemkalyani ldquoClocksynchronization for wireless sensor networks a surveyrdquoAdHocNetworks vol 3 no 3 pp 281ndash323 2005
[30] A Bogdanov G Leander C Paar A Poschmann M J BRobshaw and Y Seurin ldquoHash functions and RFID tags mindthe gaprdquo in Cryptographic Hardware and Embedded SystemsmdashCHES 2008 10th International Workshop Washington DCUSA August 10ndash13 2008 Proceedings vol 5154 of Lecture Notesin Computer Science pp 283ndash299 Springer Berlin Germany2008
[31] C Cordeiro K Challapali D Birru and N Sai ShankarldquoIEEE 80222 the first worldwide wireless standard based oncognitive radiosrdquo in Proceedings of the 1st IEEE InternationalSymposium on New Frontiers in Dynamic Spectrum AccessNetworks (DySPAN rsquo05) pp 328ndash337 Baltimore Md USANovember 2005
[32] S UllahHHiggins B Braem et al ldquoA comprehensive survey ofwireless body area networks on PHY MAC and network layerssolutionsrdquo Journal of Medical Systems vol 36 no 3 pp 1065ndash1094 2012
[33] N Sastry and D Wagner ldquoSecurity considerations for IEEE802154 networksrdquo in Proceedings of the ACM Workshop onWireless Security (WiSe rsquo04) pp 32ndash42 Philadelphia Pa USAOctober 2004
[34] M Pajic Z Jiang I LeeO Sokolsky andRMangharam ldquoFromverification to implementation a model translation tool and apacemaker case studyrdquo in Proceedings of the 18th IEEE Real Timeand Embedded Technology and Applications Symposium (RTASrsquo12) pp 173ndash184 Beijing China April 2012
[35] CC2540 24-GHz Bluetooth low energy System-on-Chip 2013httpwwwticomlitdssymlinkcc2540pdf
[36] U Kretzschmar ldquoAES128mdasha C implementation for encryp-tion and decryption MSP430 systems ECCN 5E002 TSPAmdashtechnologysoftware publiclyrdquo Application Report SLAA397ATexas Instruments Dallas Tex USA 2009 httpwwwticomcncnlitanslaa397aslaa397apdf
[37] El Barquero Aqueronte MSP430 Cycles and Instructionsedited by Aqueronte 2011 httpunbarqueroblogspotcomes201105msp430-cycles-and-instructionshtml
[38] A Bogdanov G Leander C Paar A Poschmann M J BRobshaw and Y Seurin ldquoHash functions and RFID tags mindthe gaprdquo in Cryptographic Hardware and Embedded SystemsmdashHES 2008 vol 5154 of Lecture Notes in Computer Science pp283ndash299 Springer Berlin Germany 2008
[39] S Kamath and J Lindh ldquoMeasuring bluetooth low energypower consumptionrdquo Application Note AN092 Texas Instru-ments Dallas TEx USA 2012 Version SWRA347a httpwwwticomlitanswra347aswra347apdf