Keywords

1 Introduction

With the continuous development of communication technology and microelectronics, wireless sensor networks (WSNs) have been widely used in the fields of smart home, environmental monitoring and industrial control [1]. In order to achieve highly reliable, low-power data transmission between WSNs, the IEEE 802.15.4e [2] standard was released in 2012, which proposed a Time Slotted Channel Hopping (TSCH) technology. This technology coordinates the working state through precise time synchronization, and makes the communication channel for nodes change with the change in different communication time-slots, nodes that are non-working are in a dormant state. Only when there are data that need to be transmitted, the nodes turn on the RF module for data transmission, as a way of reducing the energy consumption of sensor nodes and solving the idle listening problem [3] during the data communication phase. Based on this standard, in 2013, the Internet Engineering Task Force (IETF) started to develop a whole industrial IoT protocol stack – IETF 6TiSCH [4], aiming at low power consumption, high-reliability data and low latency transmission in industrial process control [5].

In the 6TiSCH protocol stack, the encryption and authentication operations for data security are implemented in the link layer using IEEE 802.15.4e protocol. The encryption algorithm in the protocol uses AES-CCM mode [6], which is a combination of Cipher Block Chaining Message Authentication Code (CBC-MAC) mode for authentication and Counter mode (CTR) mode for encryption. The hardware implementation of the AES algorithm [7] can finish encrypting and authenticating data in a short time. However, the keys in the AES algorithm generally come from the pre-set by the managers, and the whole network shares the same key, at this time, if there is a malicious node in the network that leaks the AES key of the whole network, it will expose the data transmission of the whole network nodes to danger.

Research on 6TiSCH WSNs has mainly focused on the resource scheduling of the network, while research on 6TiSCH network security is scarce. Sajjad [8] analyzed the security of the IEEE 802.15.4 protocol and pointed out that the protocol is susceptible to jamming-influenced DOS attacks at the MAC layer, and the IEEE 802.15.4 protocol itself does not specify the way for creating and exchanging keys during data encryption. To solve the DOS attacks caused by malicious nodes through jamming, the authors [9] proposed a dynamic scheme DISH with random replacement of time-slots and channels and proved that the scheme can effectively resist DOS attacks. However, the key negotiation and management problems in 6TiSCH networks are still a major threat that hinders secure transmission between nodes, and in [10], the authors hypothesize that when the keys are in the hands of malicious nodes, they will intercept and tamper with packets in inter-node data communication, and then attack the protocol stack through traffic dispersion attacks and overload attacks.

On the other hand, many researchers have focused on secure communication in WSNs using modified AES algorithms, for the reason that hardware-accelerated AES algorithms are suitable for implementation on restricted nodes with fast computation speed and less energy consumption, but in application scenarios such as industrial scenarios where high-security data transmission is required, AES is difficult to guarantee a sufficient degree of security. Sciancalepore et al. [11] proposed a security framework in IEEE 802.15.4 protocol with Diffie-Hellman (DH) protocol for key negotiation and AES algorithm for encryption. The article [12] proposed an encryption scheme in WSNs, where the scheme divides the plaintext into three parts for hybrid encryption, using AES, DES, and RSA algorithms for encryption respectively. Both articles use the high-energy RSA algorithm on restricted nodes, it will accelerate the energy consumption of nodes in the network. The paper [13] proposes a key extension algorithm based on the AES algorithm to increase the degree of confusion caused by the encryption process and complete hardware implementation of the improved algorithm, but the reconfiguration of the encryption steps of the AES algorithm itself could hardly to solve the problem of key leakage fundamentally.

To solve the key establishment problem between 6TiSCH network nodes, this paper proposes a hybrid encryption method of AES and ECC algorithms in the 6TiSCH sensor network, using elliptic curve encryption to establish keys on two nodes and encrypting the data by AES-CCM mode. The ECC algorithm is chosen because it has a shorter key length for the same level of security, 160 bit key length ECC algorithm can achieve the same level of security as the 1024 bit key length RSA algorithm [14]. Meanwhile, to accelerate the key generation time, this paper considers the underlying optimization algorithm of the ECC algorithm, and combines the work of Rivain [15] to propose a scalar multiplication algorithm with a regular window method to accelerate our proposed hybrid encryption algorithm.

This paper is organized as follows: Sect. 2 proposes a secure communication scheme based on a hybrid ECC-AES algorithm in the 6TiSCH WSN. Section 3 considers the scalar multiplication operation of the ECC algorithm, and a regular window algorithm is proposed to accelerate key generation time, in Sect. 4, the proposed scheme is simulated under different elliptic curve parameters, and Sect. 5 concludes the scheme and presents the future work.

2 Hybrid ECC-AES Encryption Scheme

In this section, we present a secure communication scheme with a hybrid ECC-AES algorithm. The scheme establishes a shared key for every two nodes in the sensor network by using the Elliptic Curve Diffie-Hellman (ECDH) algorithm, but the ECDH algorithm has the risk of being subject to man-in-the-middle (MITM) attacks. To resist MITM attacks, we generate an implicit certificate for each node when it joins the network using the ECQV algorithm [16]. The scheme divides the process of node communication into three phases, node joining phase, shared key establishment phase and dynamic key encryption phase, which are described in detail below. The main notations used in this paper are shown in Table 1.

First, taking a brief of the ECC algorithm, the ECC algorithm is defined on a finite field \(F_q\), the general form of an elliptic curve is Weiertass equation: \(y^2 = x^3 + ax + b,{ }(4a^3 + 27b^3 \ne 0)\). The algorithm chooses a basis point G on the elliptic curve, it is feasible to select a positive integer to compute \(k \cdot G\). This operation is called scalar multiplication, while it is computationally infeasible to find the integer k by the result \(k \cdot G\) and the point G. This is the Elliptic Curve Discrete Logarithm Problem (ECDLP), which the security of the ECC algorithm is built on this.

Table 1. Symbols appearing in this paper
Full size table

2.1 Node Joining Phase

In this phase, to generate certificates for each edge node to join the WSN, the scheme adopts Certificate Authority (CA) in the joining phase, and the certificates do not use traditional X.509 certificates, because such certificates are too large in byte length and cause high energy consumption and transmission delay in the edge nodes during transmission, so this paper utilizes the ECQV protocol to generate implicit certificates to reduce such costs. During the join phase, the edge node obtains synchronization with the network through the beacon frame, gets the certificate through CA, and computes its public and private keys, only four information exchanges with the CA are required in the process. Throughout the communication process, it can be assumed that the parameters \(\{ F_q ,a,b,G,n\}\) of the elliptic curve have been predetermined and stored in the edge node A and the CA. See Fig. 1 for the communication diagram of this phase.

  1. 1.

    The CA randomly selects \(d_{CA} \in \left\{ {2,3, \ldots ,n - 1} \right\} \) as the private key of the CA in the initial stage, and calculates \(Q_{CA} = d_{CA} \cdot G\) as the public key of the CA

  2. 2.

    CA will broadcast a beacon frame every certain time-slots, the frame includes network related information, and the node A expects to join the WSN will continuously listen to message communication in the network, once the beacon frame is received, the node will enter the computation state.

  3. 3.

    The edge node will randomly generate \(r_A \in \left\{ {2,3, \ldots ,n - 1} \right\} \) and compute \( R_A = r_A \cdot G\). The identity information \(ID_A \) of the node is generated based on the computed result \(R_A = (x_A ,y_A )\), \(ID_A = H(x_A |{|}addr_A {)}\). After the calculation is completed, the node sends an association request frame to CA, and the payload information in the frame includes \(\{ R_A ,ID_A \}\).

  4. 4.

    After receiving the relevant information, the CA will calculate the certificate and part of the key information for the node according to the ECQV protocol.

    $$ \begin{array}{*{20}c} {P_A = R_A + r_{CA} \cdot G} \\ \end{array} $$
    (1)
    $$ \begin{array}{*{20}c} {cert_A = code\left( {P_A ,ID_A } \right)} \\ \end{array} $$
    (2)
    $$ \begin{array}{*{20}c} {w = H\left( {cert_A } \right) \cdot r_{CA} + d_{CA} \left( {mod n} \right)} \\ \end{array} $$
    (3)

where \( r_{CA}\) is the random number generated by CA, and CA will send the result \(\{ P_A ,cert_A ,w\}\) as the payload in an association response frame to the edge node after the calculation step is completed.

  1. 5.

    The edge node receives the relevant information in the frame and calculates the public and private key of the node based on the relevant key information.

$$ \begin{array}{*{20}c} {d_A = r_A \cdot H\left( {cert_A } \right) + w\left( {mod{ }n} \right)} \\ \end{array} $$
(4)
$$ \begin{array}{*{20}c} {Q_A = d_A \cdot G} \\ \end{array} $$
(5)
$$ \begin{array}{*{20}c} {Q_A^{^{\prime}} = P_A \cdot H\left( {cert_A } \right) + Q_{CA} } \\ \end{array} $$
(6)

The edge node checks whether the calculation result of \(Q_A { }\) is equal to \(Q_A^{^{\prime}}\), if so, it accomplishes the authentication to CA, proves that the association response frame is indeed sent by CA, and the node takes \(\{ d_A ,Q_A \}\) as the key pair of the edge node, \(cert_A { }\) as the certificate of the edge node, and pledge node sends the association confirm frame to CA, means that node joins the network successfully.

Fig. 1.
figure 1

Diagram of frames exchange between edge node A and CA during the join phase

Full size image

2.2 Shared Key Establishment Phase

When a node A in the WSN wants to establish a connection with another node B, it enters the shared key generation phase, and the key establishment exploits the ECDH algorithm. To avoid MITM attacks, the scheme adds the authentication operation of the node before calculating the shared key, and the authentication operation utilizes the elliptic curve implicit certificate generated by CA. Also, in order to resist replay attacks, the scheme also adds the nonce value field in the authentication operation as a check against replay attacks. The communication diagram for this phase is shown in Fig. 2.

  1. 1.

    Node A in the network expects to establish communication connection with B, it will send an association request frame to node B. The payload of the frame contains \( \{ P_A ,cert_A ,Q_A ,nonce_A ,MIC_A \}\), where \(MIC_A \) is an authentication message to prevent replay attack, \(MIC_A = auth(P_A ,cert_A ,Q_A ,nonce_A )\).

  2. 2.

    After receiving the information in the frame, node B will first authenticate the MIC value, node B calculates \( MIC^{\prime}_A = auth(P_A ,cert_A ,Q_A ,nonce_A )\), check whether \(MIC^{\prime}_A\) and \(MIC_A\) are equal, if not, node B abort the session, otherwise, it calculates \( Q^{\prime}_A = P_A \cdot H\left( {cert_A } \right) + Q_{CA}\), check whether \(Q^{\prime}_A\) is equal to \( Q_A\), if so, then node B stores the relevant information of node A and replies the association response frame to node A with \( \{ P_B ,cert_B ,Q_B ,nonce_B ,MIC_B \}\) as the payload.

  3. 3.

    Node A receives the reply frame, calculates \(MIC^{\prime}_B = auth(P_B ,cert_B ,Q_B ,nonce_B )\) and verifies whether \(MIC^{\prime}_B\) is equal to \(MIC_B\), if not, the session is aborted, otherwise, it continues to calculate \(Q^{\prime}_B = P_B \cdot H\left( {cert_B } \right) + Q_{CA}\) and checks whether \(Q^{\prime}_B\) is equal to \( Q_B\), if equal, then node B stores the relevant information of node A and sends association confirm frame, representing that node A,B authentication is completed and the calculation of shared key can be carried out.

  4. 4.

    Nodes A, B calculate the shared key \(K_{AB} \) starting from the time slots of association confirm frame transmission and reception respectively.

$$ \begin{array}{*{20}c} {K_{AB} = r_A \cdot Q_B = r_B \cdot Q_A } \\ \end{array} $$
(7)
Fig. 2.
figure 2

Diagram of frames exchange between two 6TiSCH WSN nodes during the shared key establishment phase

Full size image

2.3 Dynamic Key Encryption Phase

After two nodes complete the establishment of the shared key, the encryption and authentication of the data communication should be updated at a certain time to avoid the probability of key leakage during the node communication process, but re-computing the second phase when the key needs to be replaced will highly increase the energy consumption of the restricted nodes and the time delay of the communication process. Therefore, the shared key \(K_{AB}\) which established during the second phase can be stored in the node’s memory space, and the session key can be updated by \(K_{AB}\) in each time-slot of the node’s communication. The key update formula is as follows:

$$ K_{AES - CBC} = H(x_k |\left| {addr_A } \right||addr_B ||ASN) $$
(8)
$$ K_{AES - CTR} = H(y_k |\left| {addr_A } \right||addr_B ||ASN) $$
(9)

It can be seen that only one hash operation is needed to update the session key, and the two communication nodes do not need to exchange any information, which achieves a fast key update with very little overhead, and the encryption process uses AES-CCM mode.

3 Consideration of ECC Optimization Algorithm

In the proposed dynamic shared key encryption scheme, since the usage of public key encryption algorithm, it is necessary to consider the overhead of the algorithm. The core operation in the ECC algorithm is the scalar multiplication \(k \cdot G\), where k is a randomly large integer, and G is a base point on the elliptic curve. A large amount of research has been focused on acceleration of the scalar multiplication operation, such as the NAF window algorithm, Fixed-base comb algorithm, and other fast algorithms [17], but these algorithms usually have difficulty in achieving a regular computational flow during the scanning computation of k and are vulnerable to side-channel attacks such as Simple Power Attack (SPA). However, secure data transmission is extremely important in 6TiSCH industrial environments, so inspired by the work of Rivain [15], a regularized window method is proposed in this paper to defend against SPA attacks, and the pseudo-code implementation of the algorithm is shown below.

figure a

The algorithm uses unsigned bits representation,\(k = { }\mathop \sum \limits_{i = 0}^{d - 1} l_i \cdot { }2^{i \cdot \omega } , l_i { }\epsilon { }\left\{ {1,2, \ldots ,{ }2^\omega - 1} \right\},{\text{d}} = \left\lfloor \frac{n}{w} \right\rfloor\), this method avoids judging the positive and negative of \(l_i\) in the bit scanning. For the 0-bit scanning through k, which is the part of the Window NAF algorithm that does not need to be computed, but to avoid SPA attacks, the algorithm uses a virtual addition method to regular the computational flow. Virtual addition defines a virtual accumulator \( R_0\). A virtual point addition operation with a similar amount of computation is performed on \(R_0 \) when bit 0 in k is scanned, but the virtual addition does not affect the final computation result.

4 Performance Analysis

In order to investigate the performance of exploiting the ECC algorithm to generate shared keys in our scheme, this section utilizes the open-source platform OpenWSN to simulate the implementation of our proposed hybrid ECC-AES encryption scheme on PC and conducts comparative experiments on the speed of nodes computing the key \(K_{AB} { }\) using the ECDH algorithm in the shared key generation phase. For the elliptic curve parameters of the scheme, three different elliptic curves secp160r1, secp192k1, and secp256k1 are experimentally selected, and the modular reduction operation adopts the Pseudo-Mersenne primes reduction algorithm [18]. The experiments select two regular scalar multiplication algorithms, the regular window method (window size \(\omega = 4\)) proposed in this paper and the common regular scalar multiplication algorithm Montgomery ladder [15], which under two elliptic curve coordinates (affine and projective) [19]. Simulation experiments are conducted to test the speed of shared key computation operation (\(K_{AB} = r_A \cdot Q_B = r_B \cdot Q_A\)) with different parameters mentioned above. Fifty repetitions of the experiments are performed for each parameter setting, and the results of the running times are recorded and plotted in Fig. 3.

Fig. 3.
figure 3

Shared key calculation time (\(K_{AB} = r_A \cdot Q_B = r_B \cdot Q_A\)) under different elliptic curve parameters.

Full size image

The experimental results show the specific time required to compute the shared key \(K_{AB} \) for the scheme with different parameter settings after the authentication message is completed by two WSN nodes. It can be found that an appropriate increase of a part of RAM and ROM for the computation process (15 point-pairs need to be stored in the case of window size \(w = 4\)), through the underlying optimization algorithm, i.e. projective coordinate transformation and sliding window algorithm, can significantly accelerate the key computation time of the nodes in the scheme. Since the window method requires pre-computation, this will bring a part of initialization time, but the percentage of this overhead will become smaller as the length of the elliptic curve key increases. Meanwhile, the window method is regularized in this paper, so it can resist most of the measured channel attacks.

5 Conclusion and Future Work

A hybrid ECC-AES encryption scheme is presented in this paper, and the scheme has proven to be highly robust in data communication between 6TiSCH WSN nodes. The scheme exploits the ECDH protocol to negotiate a shared key for two nodes in the network, the ECQV protocol to generate implicit certificates to resist man-in-the-middle attacks in the key generation phase, and add nonce values to the authentication process to prevent replay attacks, uses the underlying regular window method to avoid a certain degree of side-channel attacks. On the other hand, Simulation experiments are carried out on PC to calculate the shared key generate time in the scheme, it is proved that the scheme proposed in this paper is feasible in terms of calculation time.

Future work will focus on implementing the scheme proposed in this paper in a real wireless sensor network and proposing algorithms for generating group shared keys in the network.