A Security Architecture in Wireless Sensor
Networks with Mobile Sinks
Rishal Rasheed*, Muhammed Ilyas H, Lomin Joy V, Abhilash K Pai
Department of Computer and Information Science, College of Engineering, Cherthala
Cochin University of Science And Technology, Cochin, Kerala, India
Abstract— Mobile sinks are vital in many wireless sensor
applications for efficient data collection, data querying, and
localized sensor reprogramming. Mobile sinks prolong the
lifetime of a sensor network. However, when sensor networks
with mobile sinks are deployed in a hostile environment,
security became a critical issue. They become exposed to
varieties of malicious attacks. Thus, anti threats schemes and
security services, such as mobile sinks authentication and pairwise key establishment, are essential components for the
secure operation of such networks. Sink mobility required
frequent exchange of cryptography information between the
sensors and MS each time the MS updates its location which
imposes extra communication overhead on the sensors. Here,
data transmission starts only on requests from MS. Key
establishment is the most fundamental cryptographic primitive
in all kinds of applications where security is a concern. Key
Management is the most important issue in the security of
Wireless Sensor Networks (WSN). Efficient key management
helps to maintain the confidentiality of the secret information
from unauthorized users. Sometimes, it is also useful for
verifying the integrity of exchanged messages and authenticity
of the sender. To maximize network lifetime in WSNs, the
paths for data transfer are combined in such a way so that the
total energy consumption over the path is minimized. To
support high scalability and better data aggregation, sensor
nodes are often grouped into disjoint, non overlapping subsets
called clusters. Clusters create hierarchical WSNs which
incorporate efficient utilization of limited resources of sensor
nodes and thus extends network lifetime. In this proposed
work key sharing is carried out by Elliptic Curve
Cryptography and clustering is introduced to reduce number
of transmissions. MD5 introduced to provide integrity and
AES used to improve the symmetric key encryption.
Keywords— AES, Clustering, Elliptic Curve Cryptography,
Hand Over, Key-Management, MD5, Public-key cryptography.
I.
INTRODUCTION
Humans have relied on wired sensors for years, for simple
tasks such as temperature monitoring, to complex tasks such as
monitoring life-signs in hospital patients. Wireless Sensor
Networks provide unforeseen applications in this new field of
design. From military applications such as battlefield mapping
and target surveillance, to creating context-aware homes where
sensors can monitor safety and provide automated services
tailored to the individual user; the number of applications are
endless. Energy usage is an important issue in the design of
WSNs which typically depends on portable energy sources
like batteries for power .WSNs is large scale networks
consisting of small embedded devices, with the capability to
sense, compute and communicate sensed data. In WSNs the
sensor nodes are often grouped into individual sets called a
cluster as it provides network scalability, sharing of resources
and efficient use of constrained resources that gives network
topology stability and energy saving attributes[12].
Clustering schemes offer reduced data transmission
overheads, and efficient resource utilizations and allocations,
thus reducing the interferences among sensor nodes and
decreasing the overall energy consumption. A large number of
clusters will congest the area with small size clusters and a very
small number of clusters will exhaust the cluster head with
large amount of messages transmitted from cluster members.
LEACH protocol is hierarchical routing based on clustering
and find the optimal number of clusters in WSNs in order to
save energy and enhance network lifetime. In WSN sensor
nodes have limited storage space , processing power and
communication bandwidth. This leads to the unique challenges
in data management and information processing. In network
data processing techniques, such as data aggregation, multicast
and broadcast need to be developed. Network lifetime is the
key characteristics used for evaluating the performance of any
sensor network. A lifetime of the network is determined by
residual energy of the system. So that the main and most
important challenge in WSN is the efficient use of energy
resources[13][14].
MS are vital in many WSN applications for efficient data
gathering, localized sensor reprogramming, and for
differentiating and revoking compromised sensor nodes.
Although the sensor networks that make use of the existing key
pre-distribution schemes for pairwise key establishment and
authentication between sensor nodes and mobile sinks, the
utilization of mobile sinks for data collection increases a new
security challenge: in the basic probabilistic and q-composite
key pre-distribution schemes, an attacker can easily obtain a
large number of keys by capturing a small fraction of nodes,
and hence, can gain control of the network by deploying a
replicated mobile sink preloaded with some compromised keys
to authenticate and then initiate data communication with any
sensor node[1].
To address the above-mentioned problem, a multi-tier
scenario is implemented with the help of cluster topology.
Security and authentication is achieved using the Public keys
and symmetric keys. Where symmetric key establishment is
achieved using public keys. Elliptic Curve Cryptography is the
underlying algorithm. Data encryptions are done using
symmetric key. 64 bit AES Encryption algorithm is used here.
Symmetric keys are transmitted only as per the requirement
which helps to identify the freshness of data. Clustering
topology is used to enhance the data aggregation and to
increase the life of the network by reducing the multiple
transmissions over the network. An Efficient algorithm is
designed for safe Hand over of data from cluster heads to
mobile sinks. MD5 hashing technique is used to preserve the
Integrity of data.
II.
confidential information. Guessing secret keys by the
adversary can be prevented by refreshing the keys frequently
in between sessions. Key sharing mechanisms mainly
achieved through single group key to modified versions of
pairwise key sharing, KDC, Q-composite, polynomial pool
based key pre-distribution etc[9][11].
Apart from the existing methods of basic key sharing
mechanisms used in WSN, we would like to introduce an
architecture that uses an hierarchy of key sharing mechanism
for efficient key sharing and secure data transmission. We
introduce public key sharing mechanism in a clustered
topology to achieve the required security[5][7][8].
III.
ARCHITECTURE
RELATED WORK
Nodes have to establish a secure communication link among
them in the network to transmit sensitive information for many
of the applications. Secure communication among sensor
nodes requires authentication, integrity and privacy. For this, a
secret key must be shared between the pair of communicating
nodes. Network topology is unknown to nodes prior to
deployment, keys are stored into ROMs of the node before
deployment. The keys must be selectively stored so as to
increase the probability that neighboring nodes must share at
least one key in common. This is later modified as qcomposite key sharing. WSN depend on battery for its energy
power source. Hence it is a major issue to design an energy
efficient WSN. In sensor networks, an attacker can obtain the
control of the network by reproducing nodes loaded with keys
which are compromised. These compromised keys are then
used to initiate the data communication by authenticating with
any sensor node. The key management problem and security
over data transmission are the key concern of this
paper[2][3][4][6].
An adversary can extract the confidential information
by acting as a legitimate user. Adversary can also harm
network by possessing attack on the sensor nodes. Security
threats in WSN are Passive Information Gathering and
Message Corruption, Node Compromise, Node Tampering,
Traffic Analysis, Acknowledgement Spoofing & altered
routing information, Selective Forwarding & Sinkhole Attack,
Wormhole Attacks, Hello Flood Attacks, DoS (Denial of
Service) Attacks[10].
Informational security and operational security are the two
major classification of security. Due to open medium
communication and its accessibility, sensor nodes are forced
to achieve Confidentiality, Authentication, Integrity,
Freshness, Availability, Secure management and Quality of
Service.
Confidentiality of information is ensured through efficient
key management. Authentication of legitimate nodes can be
achieved with the help of keys which can be cracked by
adversary by acting as a legitimate node and extract
Fig. 1. Security Architecture for WSN
Fig. 1. shows the architecture of the proposed system. System
under consideration is considered as three levels where level
one holds the mobile nodes, level two holds the Cluster Heads
and level three holds the nodes which are used for the sensing
of data. All nodes expect MS are stationary. Architecture is
divided into clusters. Each cluster is controlled by respective
cluster heads and there will be decendents connected to the
CH. Architecture is designed such a way that the nodes start
forwarding data only after the initiation of MS through CH.
CH checks the packet authenticity for further transmission and
response. Before the deployment, every node in the network
will be assigned with an asymmetric key pair (Public Key and
Private Key). Also every node contains Public key of MS and
a CERTIFICATE (public key of node is encrypted by private
key of sink). We also introduced the method of hand over
which can be efficiently handled between selected
intermediate nodes. If MS is moved out of the coverage of
cluster head, CH can forward the packet through intermediate
nodes to the neighboring cluster. Link between C4-C5 and C8C9 helps to achieve this process and hence avoiding packet
loss. Packet is forwarded to next cluster if the MS is moved
out of the range of present CH. Architecture can be deployed
in two ways. First assume that the architecture is deployed
with clusters and its CH, where details of clusters are assigned
at each cluster head. Second method is to detect the respective
clusters automatically similar to the method of CH election
which is discussed in the coming sections. Every node search
for cluster heads with minimum transmission distances. Here
the CERTIFICATE is used as an identity to get access to
clusters and hence to the network. Due to CERTIFICATE
verification, an intruder cannot attack or join the cluster during
the formation of clusters.
IV.
WORKING OF THE PROPOSED SYSTEM
This paper present a Multi-Tier Cluster based Security
Scheme in WSN with mobile sinks. Paper focuses on secure
and efficient transmission of data from node to sinks. Nodes
are activated or send data only as per the request from mobile
sinks and its cluster head. This helps to reduce unnecessary
transmissions over the network. Initially Mobile Sink holds
the entire node ID and their Public keys. Cluster Head hold the
ID of mobile stations and its clusters’ public keys. Each
cluster holds separate key for Broadcast messages which is
used for symmetric encryption. Descendant hold the ID of
mobile sinks and its cluster head’s public key. Selective nodes
hold the ID and public keys of selective inter cluster node
which is used for safe handover. This paper supports three
type of communication. Unicast, Multi-cast and Broadcast
communications.
A. Unicast Communication
Here mobile sink send unicast request packet to Cluster Head
(CH). Mobile node encrypt message using mobile node’s
private key and symmetric key is encrypted using destination
nodes public key. This symmetric key is used for further
communication between these two nodes. The CH receiving
the packet will forward the packet to its intended descendant
after the authentication check. On receiving the message by
the destination, decrypt the session key. Descendant send back
the sensed data to its CH. Hash of the data is obtained. Data is
Encrypted using session key. Hash is encrypted using mobile
nodes public key. After receiving the data (response packet)
from its descendant, CH forward to the respective sink.
B. Broadcast Communication
Here mobile sink send broadcast request packet to Cluster
Heads (CH). This packet will be encrypted using MS private
key to confirm the authentication. The CH receiving the
packet will forward the packet to its neighboring CHS
(avoiding the sender) and to its decedents. Descendants send
back the sensed data to its CH. Decedents encrypt the data
using the shared symmetric key between the nodes in a cluster.
After receiving the entire data from its descendants, CH
aggregates the data and forward to the respective sink. CH
encrypt the symmetric key using MS public key so that only
MS can read the key and data.
C. Multicast Communication
Here mobile sink send multi-cast request packet to cluster
Head (CH). The CH receiving the packet will forward the
packet to its descendants. Descendant send back the sensed
data to its CH. After receiving the entire data from its
descendants, CH aggregates the data and forward to respective
sink. This communication is similar to Broadcast
Communication. Here the data is not forwarded to entire
clusters. CH forwarded data only to the respective
descendants.
D. Security
To make data transmission more secure, we encrypt data using
symmetric keys. Here we use the AES for symmetric key
encryption with a block size of 128 bits,we can use three
different key lengths: 128, 192 and 256 bits. The algorithm
described by AES is a symmetric key algorithm, meaning the
same key is used for both encrypting and decrypting the data.
Most AES calculations are done in a special finite field. The
key size used for an AES cipher specifies the number of
repetitions of transformation rounds that convert the input,
called the plain text, into the final output, called the cipher
text. The number of cycles of repetition are 10, 12, 14 cycles
of repetition for 128-bit, 192-bit and 256-bit keys respectively.
Each round consists of several processing steps, each
containing four similar but different stages, including one that
depends on the encryption key itself. A set of reverse rounds
are applied to transform cipher text back into the original plain
text using the same encryption key. Since the proposed system
uses only symmetric keys for a short time, 128 bit key is
preferred so as to enhance the encryption and decryption
computation. This will also help to reduce the packet size
which carry the key to nodes. Elliptic Curve Cryptography is
used for asymmetric key encryption. This is an approach to
public-key cryptography based on the algebraic structure of
elliptic curves over finite fields. Elliptic curves are also used
in several integer factorization algorithms that have
applications in cryptography. The primary benefit promised by
ECC is a smaller key size, reducing storage and transmission
requirements, i.e. that an elliptic curve group could provide
the same level of security afforded by an RSA-based system
with a large modulus and correspondingly larger key e.g., a
256- bit ECC public key should provide comparable security
to a 3072-bit RSA public key. Hence the proposed system
could assure high security with reduced key size.
E. Cluster Head Selection
Clustering is one of the important methods for prolonging the
network lifetime in wireless sensor networks (WSNs). It
involves grouping of sensor nodes into clusters and electing
cluster heads (CHs) for all the clusters. CHs collect the data
from respective cluster’s nodes and forward the aggregated
data to base station. A major challenge in WSNs is to select
appropriate cluster heads. Second layer of our architecture
holds the cluster head. All the data from mobile sink must pass
through the cluster head. An authentication check by the
cluster head prove the authenticity to transmit the data to the
descendants. Initially MS assign CH. At the time of CH
election, all the nodes forward energy details to CH upon
request. Node with higher energy will be elected as the CH.
Once the cluster head is elected, old CH forward the
CERTIFICATE mentioning new CH's Identity encrypted by
the old CH's private key. Nodes can join the new cluster head
by forwarding their respective CERTIFICATE by confirming
the authentication. This help to avoid the entry attempt of an
intruder node into the cluster.
F. Effective Handover
Handover refers to the “transfer of transmission of data
packets from one node to other or from one cluster to other
cluster with high data delivery rate”. This happens when the
MS move out of the CH range to forward the packet. We had
assign intermediate node to forward data packets in between
the clusters nodes. On receiving the handover packets, cluster
head looks for its transmission range with the MS. If it is out
of coverage, packet will get forwarded to next neighbor
cluster. This can be efficiently done by calculating the location
of the MS. All nodes under consideration other than MS are
static. Handover enhances the good practice necessary to
maintain high standards of Networks data transmission.
V.



ALGORITHMS
Working of the architecture require following three set of
Algorithms. Algorithm I is executed at the Cluster Head.
Algorithm II execute at the nodes other than CH for data
processing and data transmission. Algorithm III used for
Cluster Head election and node joining to cluster.
Algorithm I






CH checks for packet Authenticity
If type equals unicast and data request
◦ forward packet to respective descendant
◦ assign response=1
else if type equals multi-cast/broadcast and data
response
◦ forward packet to all its descendants
◦ assign response = no of descendants
if type equals unicast and data response and
response!=0
◦ forward the received packet back to MS
◦ response=response-1
if type equals multi-cast/broadcast and data
response and response!=0
◦ CH wait till it receives packet no = response
◦ aggregate data at CH
◦ find hash of the aggregated data
◦ hash+key encrypted using public key of MS
◦ forward the aggregated data, encrypted(key and
hash) to MS
If MS moves out of range
◦ forward the packet to respective handover node
If type=1
◦ generate a symmetric key
◦ generate hash of the data
◦ encrypt data using symmetric key
◦ encrypt hash+key using MS public key
◦ forward data to CH
If type equals multi-cast
◦ encrypt data using group key
◦ obtain hash of data
◦ encrypt hash of data using MS public key
◦ forward the encrypted (data and hash)
If type equals broadcast
◦ If packet received from CH
▪ similar steps of multi-cast
◦ else if packet received from handover node
▪ forward the packet ti its CH
Algorithm III
Assume that CHs are already assigned before deployment
CHE = Energy of node at the time of cluster head election
E(CH) represents energy of CH





If E(CH)<=(60 % CHE)
◦ call for CH election
every descendant forward their energy to CH
CH elect node with MAX energy
Broadcast the newly selected CH with
authentication
All other node forward CERTIFICATE to newly
elected CH to join the cluster
Algorithm III follows till the node reaches its energy to 20%
of total assigned energy. After that it follows normal LEACH
protocol.
VI.
TABLE I is a formatted unit of data packet that can be used in
the proposed architecture. This formatted packet helps in
guaranteed delivery and avoid duplicate delivery. These
aspects in the packet include data integrity, Authenticity,
Freshness, efficient routing between CH and descendants.
TYPE REQ/RES DEST SRCE TTL DATA1 DATA2
TABLE I.
Algorithm II

Packet checked for authenticity
PACKET FORMAT USED
PACKET FORMAT USED IN THE ARCHITECTURE
• Type : Two bits combination represent the different types of
packets. We use '01' for unicast, '10' for multi cast and '11' for
broadcast. Hand Over packets use type as '00'.
• Request/Response : Whether the packet is a response from
the previous forwarded message or a request to send a new
message from the MS. We denote '0' for REQ (request)
packets and '1' for RES (response) packets.
• DEST : Hold address of the respective Destination node.
• SRCE : Hold address of the respective Source node.
• TTL : Represents the time to show the freshness of the data
packet and also helps to show the validity and hence avoid
redundancy of the packet.
• Data1: Holds the encrypted message.
• Data2: Holds the encrypted hash value and encrypted
symmetric key which is optional depending upon the packet
type.
• TYPE + REQ/RES : '001' shows handover of the packets
while '000' represent the CERTIFICATE exchange at the time
of cluster head election and cluster formation.
VII. ACHIEVEMENTS OVER ATTACKS
In this section we focus on the properties that are achieved
through the architecture and also how this architecture over
come the attacks that are possible in WSN. WSN is a very
interesting target because if offers a large attack
surface and an interesting playground for creative attack ideas.
So hierarchical security structure involved in the architecture
ensure high security than any other WSN architecture. TABLE
II shows the properties achieved in the architecture.
TABLE II.
Properties
Authenticity
Confidentiality
Scalability
Flexibility







In this paper, we proposed a general multi layer security
framework for authentication, clustering and secure key
sharing and data transmission between mobile sinks and
sensor nodes. The proposed scheme, based on the hierarchical
security mechanism, substantially improved network
resilience to mobile sink replication attacks compared to the
single polynomial pool-based key predistribution approach.
Using symmetric keys, asymmetric keys and hash in data
transmission hinder an attacker from gathering sensor data, by
deploying a replicated mobile sink or by replicating nodes in
the network. We have further improved the security
performance of the proposed scheme against stationary access
node replication attack by strengthening the authentication
mechanism between stationary sensor nodes and mobile
nodes. We used the CERTIFICATE for all the authentication
mechanism in the network.
REFERENCES
[1]
Amar Rasheed, Rabi N. Mahapatra, “The Three-Tier Security Scheme in
Wireless Sensor Networks with Mobile Sinks,” IEEE TRANSACTIONS
ON PARALLEL AND DISTRIBUTED SYSTEMS,VOL. 23, NO.
5,MAY 2012
[2]
Liu, D. and Ning, P. “Establishing pairwise keys in
distributed sensor networks” In Proceedings of the 10th
ACM Conference on Computer and Communications
Security,2003.
C HAN H., PERRIG A., AND SONG D. “Random key
predistribution schemes for sensor networks”. In IEEE
Symposium on Research in Security and Privacy, 2003.
Laurent Eschenauer and Virgil D. Gligor.“A key
management scheme for distributed sensor networks” In
Proceedings of the 9th ACM Conference on Computer
and Communication Security, November 2002.
Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman
“A method for obtaining digital signatures and public-key
cryptosystems” Communications of the ACM, 1978
Blundo, C., Santis, A., Herzberg, A., Kutten, S., Vaccaro,
U. and Yung, M “Perfectly-Secure Key Distribution for
Dynamic Conferences” In Proceedings of Crypto 92,
1992.
X. Du, M. Guizani, Y. Xiao, S. Ci, and H. H. Chen, “A
Routing-Driven Elliptic Curve Cryptography based Key
Management Scheme for Heterogeneous Sensor
Networks”,
IEEE
Transactions
on
Wireless
Communications
Encrypted using Public key
Achieved through clustering topology
Achieved through the Certificate
Exchange
Passive Information Gathering and Message
Corruption : We use symmetric key encryption using
AES.
Node Compromise and node Tampering : Cannot
flood data because clustering topology, data transmit
only on the request from MS.
False Node : Not taken to N/W due to lack of
CERTIFCIATE.
Node Outage : Not possible as cluster head retakes
packet only if it expect some replays.
Traffic Analysis : Nothing to do with analyzing
traffic because cluster heads chooses randomly and
traffic changes due to the structure.
Acknowledgement Spoofing : Unauthenticated nodes
are not accepted. Data must be encrypted with
session key which is known only to the two nodes.
Spoofed, Altered or Replayed Routing Information :
TTL is used for freshness of the packet and clustering
topology does not make loops.
Sinkhole Attacks : Here clustered topology
forwarded packets only to CH and thus to MS.
Sybil Attacks : Multiple identities may help to join
multiple clusters. But data cannot be forwarded until
the node is requested to do so by the MS.
VIII. CONCLUSION
How achieved in proposed System
Encrypted using private key
MD5 hashing technique and AES
encryption
Integrity

ACHIEVEMENTS

[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
D. Malan, M. Welsh, and M. D. Smith ,“A Public-Key
Infrastructure for Key Distribution in TinyOS Based on
Elliptic Curve Cryptography”, in Proc. Of 1st IEEE
International Conference Communications and Networks
(SECON), Santa Clara, CA, Oct. 2004.
M. Sharifnejad, M. Shari, M. Ghiasabadi and S. Beheshti,
“A Survey on Wireless Sensor Networks Security”,
SETIT, (2007).
T.Zia; A. Zomaya, “Security Issues in Wireless Sensor
Networks”, Systems and Networks Communications
(ICSNC).
Rishal R, M Ilyas H, Lomin J V, Abhilash K P, “A
Survey on Secure Key Sharing Mechanisms that can be
used in Wireless Sensor Networks”Int. Conf. on Adv. in
Comp., Comm., and Inf. Sci, ACCIS-14, published by
Elsevier 2014.
[12]
[13]
Ameer Ahmed Abbasi, Mohamed Younis, “A survey on
clustering algorithms for wireless sensor networks”,
Computer Communications, Published by Elsevier B.V,
June 2007.
Vipin Pal, Girdhari Singh, Rajender Prasad
Yadav,”SCHS: Smart Cluster Head Selection Scheme for
Scientific Research Publish, Clustering Algorithms in
Wireless Sensor Networks”, Wireless Sensor Network,
2012
.
[14]
Khalid Hussain, Abdul Hanan Abdullah, Khalid M.
Awan, Faraz Ahsan and Akhtab Hussain,”Cluster Head
Election Schemes for WSN and MANET: A Survey”,
World Applied Sciences Journal, DOSI Publications,
2013.