
Design of an Architecture for Multiple Security Levels in Wireless Sensor Networks

Jongdeog Lee
Department of Information Science
Korea Military Academy
Seoul, Korea

Sang H. Son
Department of Computer Science
University of Virginia
Charlottesville, VA 22094, USA

Mukesh Singhal
Department of Computer Science
University of Kentucky
Lexington, KY 40506, USA

Abstract—With the increased application of wireless sensor networks (WSNs) in military, commercial, and home environments, securing the data in the network is a critical issue. Several security mechanisms, such as TinySec, have been introduced to address the need for security in WSNs. There are many applications, however, which require more than just protecting the data at a single level. For those applications, it is necessary to provide multilevel security (MLS) that can accommodate the different sensitivity levels of information as well as the different clearance levels of the users.

In this paper, we apply the concept of MLS to the field of WSNs by employing the approach of multiple security levels (MSL). We employ cryptography techniques to realize the key aspects of MSL: the separation of different security levels and controlled information flow. Specifically, TinyKeyMan is selected as the key management scheme for this design due to its resilience to node compromise attacks. In addition, we evaluate the two dominant costs of the design: 1) communication overhead between different security levels and 2) the cryptography cost on the lifetime of a mote. The MSL design we propose is simple and incurs low developmental costs, making it well-suited to resource constrained WSNs.

Keywords: multilevel security (MLS); multiple security levels (MSL); wireless sensor networks (WSNs)

I. INTRODUCTION

A number of applications for wireless sensor networks (WSNs) have been developed, ranging from military surveillance to smart home applications. Security requirements of WSNs are becoming critical as WSNs become more popular and more widely used. Several security mechanisms have been introduced by researchers to support security in WSNs. However, none of these works have considered that users and information have different security clearances and sensitivities. For example, battalion commanders have higher security clearance than platoon leaders. How to share data with only the authorized people is the motivation of multilevel security (MLS) [1].

While MLS is conceptually straightforward and several models such as the Bell-La Padula model [2] have been introduced, it is very difficult to achieve in practice. Devices and chipsets which support MLS have been developed, but they require expensive designs and non-trivial efforts to verify their properties [1]. Multiple Security Levels (MSL) are a practical approach to achieve the MLS property. The MSL approach segregates different security levels by using a different computing infrastructure. A security domain is a discrete network consisting of a set of nodes having the same security level. The guards (or firewalls) monitor and control the information flows among different security domains. The simplicity of MSL allows a node to employ an existing operating system (OS) with little modification. We decide to apply the approach of MSL to support MLS in WSNs because its simplicity is well-suited to resource constrained sensor nodes.

This research work was supported, in part, by NSF CNS-0614886 and KOSEF WCU Project R33-2008-000-10110-0.

In this paper, we propose an architecture to implement separation and controlled information flows among different security levels based on the MSL concept. In order to achieve them, we employ encryption. Each node encrypts (or decrypts) a message before sending (or after receiving) the message with a designated key over the radio in the link layer. In the network layer, separation and controlled information flow are enforced by key management. Keys are distributed in the following manner: nodes in the same security level share a group key with each other but not with different security levels. Since there is no shared key among different security levels, each level is isolated. Controlled information flow is preserved by the guards. The guards share keys with every security level. If a node wants to send a message to a node in a different security level, it needs to send the message to one of the guards first. The guard decrypts the message with the sender's key and sends it to the target node after encryption using the shared key of the target node.

Node compromise is a critical problem for key-based security since disclosed keys can be used by adversaries to compromise the system. Unfortunately, physical access to sensor nodes is possible since they are deployed in insecure environments in a number of applications such as VigilNet [3]. All messages exchanged in the security level of which the captured node is a member will be exposed to adversaries. TinyKeyMan [4] is used to set up pair-wise keys in each group to remedy the problem since it is known as a highly resilient key management scheme for node compromise attacks. Two nodes construct a symmetric key using a shared polynomial and can securely communicate with each other until about 60% of nodes are compromised [4].

The contributions of this paper are two-fold. First, to the best of our knowledge, this is the first work to create the MLS environment in WSNs. The MSL approach is selected after carefully considering practical approaches to support MLS, and is successfully applied to WSNs after addressing the problems described above. Second, we evaluated the costs caused by the design: 1) network traffic overhead when nodes in different groups communicate and 2) the lifetime of a mote affected by cryptography. The results are beneficial to designers to estimate the costs caused by the system architecture.

The rest of this paper is organized as follows. Section 2 presents related work. Our proposed MSL architecture for WSNs is described in Section 3. Section 4 provides a discussion of the important issues of the architecture, including the message overhead cost introduced by the architecture. Another cost of the architecture, cryptography, is also detailed. Section 5 concludes the work and identifies the future work.

II. RELATED WORK

Teng et al. [5] suggest the multi-layer encryption (MLE) scheme for multi-level access control in WSNs. In this work, users are assigned different group keys with respect to their security clearance. Lower level users have hashed keys of higher level users; thus, the highest level users can access every part of the message while lower level users are allowed to decrypt only the limited parts of the message. This work utilizes one function of MLS by using MLE rather than creating an MLS environment.

Although MLS has not been examined much, security in general is not a new topic in WSNs. TinySec [6], a link layer security architecture for WSNs, is provided as a library for TinyOS. It contains two block ciphers, RC5 and Skipjack, as encryption algorithms, and Cipher Block Chaining (CBC) supports encryption and decryption of messages longer than the size of a block. Message integrity and authentication are guaranteed by CBC Message Authentication Code (CBC-MAC). Unfortunately, TinySec introduces a 10 percent overhead with respect to energy, latency, and bandwidth [6].

Another software package, TinyECC [7], implements Elliptic Curve Cryptography (ECC), which turns out to be one of the efficient types of public-key cryptography (PKC) in the context of WSNs. Liu et al. [7] provide three different levels of security strength by using different key sizes. However, since public-key encryption algorithms consume significant energy, they are not very suitable for WSNs. Therefore, TinyECC is mainly used for infrequent events such as key distribution.

As the above approaches illustrate, encryption algorithms have been heavily investigated in WSNs with various key management schemes. The reason is that any node within the radio range can readily overhear the transmitted messages in wireless communication. In such environments, encryption is the proper way to keep data confidential. This is why we employ an encryption scheme for separation and controlled information flow among different security levels, which are two key aspects of the MSL architecture.

Figure 1. The MSL model [1]. Guards monitor and control communication between different security domains.

III. MULTIPLE SECURITY LEVELS ARCHITECTURE

A. Design Decision

One practical approach to implementing MLS is using MSL, in which each security domain is segregated using different computing devices. A security domain runs on the system high mode of operation as shown in Figure 1. Note that the system high mode is the opposite term to the multilevel mode. While all users are cleared to access any data on the system in the system high mode, not all users on the system have the valid security clearance for all data in the multilevel mode. MSL is relatively straightforward, requiring even less development and accreditation effort than other approaches [1]. On the downside, this architecture may cause communication overhead because inter-group communication should go through the guards. Thus, it could degrade overall performance of the network.

The MSL approach is simple and incurs low developmental costs. Since the system high mode of operation has been used for many years, existing commercial off-the-shelf technologies can be used directly [1]. A typical OS, currently used on sensor nodes, can be employed to support MLS in the MSL approach with little modification. It would not only decrease the implementation cost but allow designers to use more memory space for the applications because of the small size of the OS. Based on these considerations, we decide to use MSL.

B. Node Level Design

1) Sensor Nodes: We assume that the system allows nodes to be reprogrammed on-the-fly. Thus, an application loaded on a node is not necessarily trusted; it could be malware. The challenge is how to force applications loaded on sensor nodes to use cryptography for data transmissions. As shown in Figure 2, an application should not be able to bypass the cryptography. The best way to enforce cryptography is to use cryptographic hardware that is provided in a radio such as CC2420 [8] as shown in Figure 2 (a). Although an application can toggle hardware AES-128 by setting special security registers, a digital hardware filter could intercept all commands passed to the radio chip and discard any instructions that disable the cryptographic hardware. If applications cannot disable the cryptographic hardware (i.e. no interface is given to applications), the hardware digital filter would not be necessary, and the implementation cost would be reduced.

Figure 2. The architecture of a sensor node. The first employs cryptographic hardware, and the second uses a trusted kernel.

If hardware support is unavailable, another way to enforce encryption is via a trusted kernel (Figure 2 (b)). Instead of an application interfacing with the radio, it requests that the kernel transmit a message. The trusted kernel encrypts the message using the agreed key before sending the message. When receiving a message, the kernel decrypts the message and passes it to the application. By preventing an application from interfacing with the radio directly, applications are forced to use cryptography in the link layer. While a kernel-based OS is not widely used in WSNs, there has been research in this area [9]. Both cryptographic hardware and a trusted kernel force applications to use cryptography before transmitting data over the radio.

2) Guards: A guard is a special node that connects different security groups. While each sensor node has its own group key, a guard is given the key of every group. It decrypts a message using the sender's key and re-encrypts it using the receiver's key. Note that a guard contains information about node group membership; thus, it is able to identify the correct keys by recognizing the source and destination of the packet. Both a collator and a downgrader contain a filter to control the flow of information. As shown in Figure 3, a collator discards all requests to send messages to lower security levels. A collator compares the security levels of the source and destination, and rejects the request if the security level of the source is higher than that of the destination. In contrast, a downgrader's filter only accepts requests to send messages from higher security levels to lower security levels. While information flow from a higher security level to a lower security level is typically against the default security policy, this function is essential in MLS. For instance, satellite information is considered top secret but needs to be downgraded so that pilots, who are classified users, can access the information about the exact location of the enemy force. This is known as the sensor-to-shooter problem [10]. However, a general-purpose strategy of automatically downgrading information remains an open problem, and solutions proposed in the literature are handled on a case-by-case basis [10]. In particular, the MSL approach makes it difficult to downgrade information without human intervention because of a lack of flexibility [1]. A downgrader's filter should interact with the security officers so that they can make the correct judgement by understanding the semantics of the messages. Therefore, we propose that base nodes take the place of downgraders since base nodes are connected to base stations and provide an interface to the users through these connections. Further explanation of a collator and a downgrader with a key management scheme is provided in Section III-C2.

Figure 3. The architecture of a collator (a) and a downgrader (b). A collator discards all messages sent from higher security levels to lower security levels. A downgrader's filter functions differently. It only allows information to flow from higher security levels to lower security levels.

C. Network Level Design

In this section, we elaborate on how a sensor node communicates with other nodes in the same group and those in a different group. The overall flow of information is presented in Figure 4. In contrast to intra-group communication, inter-group communication is controlled by collators and downgraders. Users are able to join the network by using mobile devices. The base node authenticates the user's device and provides the user the appropriate group key. Users can then communicate with nodes in the same security level.

1) Intra-group Communication: Nodes in the same group communicate with each other using a group key; this scheme prevents other nodes from decrypting the message. However, if the group has a single key and if the key is disclosed by node compromise attacks, all messages in the group will be readable using the compromised key. In order to deal with this undesirable situation, we use TinyKeyMan [4], a pairwise key management scheme, which is extremely resilient to node compromise attack.

Figure 4. Controlled information flow in MSL. Inter-group communication occurs via guards; the upstream flow and downstream flow are controlled by a collator and a downgrader respectively. Nodes in the same group are able to communicate using shared keys. A user's device is assigned keys with respect to his security clearance so that the device can join the group.

Blundo et al. [11] established pair-wise keys using a bivariate t-degree polynomial

$$f(x, y) = \sum_{i,j=0}^{t} a_{ij} x^i y^j$$

over a finite field $F_q$, which has the property of $f(x, y) = f(y, x)$. Every node has $f(i, y)$, where $i$ is the source ID and $y$ is a variable for the destination ID. Suppose that nodes 1 and 2 want to generate a symmetric key for secure communication. Node 1 having $f(1, y)$ computes $f(1, 2)$ to communicate with node 2. Node 2 can also derive $f(2, 1)$ from $f(2, y)$. Since $f(1, 2)$ is identical to $f(2, 1)$, it is used as a symmetric key for communication between them.
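The key agreement described above, as an added example that is not code from the paper or from TinyKeyMan: a setup server draws a symmetric coefficient matrix, each node stores only the t+1 coefficients of its share f(i, y), and two nodes derive the same key from each other's IDs. The modulus `Q`, the function names, and the final hashing step to a 16-byte key are assumptions of this example.

```python
import hashlib
import secrets

# Assumption of this example: the field modulus q (the Mersenne prime 2^127 - 1).
Q = 2**127 - 1


def make_symmetric_poly(t, q=Q):
    """Setup server: draw the coefficients a_ij of a degree-t bivariate
    polynomial with a_ij == a_ji, which is what gives f(x, y) == f(y, x)."""
    rng = secrets.SystemRandom()
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = rng.randrange(q)
    return a


def node_share(a, node_id, q=Q):
    """Pre-distribution: the t+1 coefficients of g(y) = f(node_id, y).
    This is all a node stores; it never holds the full matrix a."""
    if not 0 <= node_id < q:
        raise ValueError("node ID must be a field element")
    t = len(a) - 1
    return [
        sum(a[i][j] * pow(node_id, i, q) for i in range(t + 1)) % q
        for j in range(t + 1)
    ]


def pairwise_key(share, peer_id, q=Q):
    """Evaluate the stored share at the peer's ID using Horner's rule."""
    acc = 0
    for coeff in reversed(share):
        acc = (acc * peer_id + coeff) % q
    return acc


def link_key(share, peer_id, q=Q):
    """Assumption of this example: hash the field element down to 16 bytes,
    the key length of AES-128."""
    element = pairwise_key(share, peer_id, q)
    return hashlib.sha256(element.to_bytes(16, "big")).digest()[:16]


if __name__ == "__main__":
    poly = make_symmetric_poly(t=4)
    share_1, share_2 = node_share(poly, 1), node_share(poly, 2)
    # Node 1 computes f(1, 2); node 2 computes f(2, 1); both match.
    print(pairwise_key(share_1, 2) == pairwise_key(share_2, 1))
    print(link_key(share_1, 2) == link_key(share_2, 1))
```

Per-node storage grows linearly with t (t+1 field elements), which is the memory constraint that bounds t on a mote.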

Blundo's method is limited in that it is not secure if the number of compromised nodes is more than $t$, the degree of the bivariate polynomial. The parameter $t$ is dependent on memory size, which is a scarce resource in WSNs. In order to address this issue, TinyKeyMan uses multiple polynomials instead of one. It consists of three phases. Phase one is pre-distribution, where node $i$ has a polynomial set from the pool consisting of $f_1(i, y), f_2(i, y), \ldots, f_n(i, y)$, where $n$ is the number of polynomials in the pool. A set could be decided randomly or predetermined. In the second phase, direct key establishment, nodes having the same polynomials establish symmetric keys using the property of $f(x, y) = f(y, x)$. If this phase fails (i.e. two nodes do not share polynomials), phase three is invoked. Intermediate nodes that share polynomials with both will form a bridge between them. An intermediate node decrypts the received message with the sender's key and sends the message after encryption with the receiver's key. Liu et al. have shown that their method is extremely resistant to node compromise attacks: secure communication is guaranteed until 60% of all nodes in the network are compromised. This result outperforms the q-composite and basic probabilistic schemes [4].

We employ TinyKeyMan to establish pairwise keys among nodes in the same group. Each group has a different polynomial pool, and each node is assigned a set of polynomials from the pool of the group.

Figure 5. An example of inter-group communication. The solid line denotes the flow from the confidential node (B) to the top secret node (A) and the dotted line represents the reverse flow (i.e. from A to B). Nodes are able to communicate with each other if there are shared polynomials among them.

A node must have a direct path (formed in phase 2) or an indirect path (formed during phase 3) to all nodes in the same group, and intra-group communication is carried out using these keys. Each group's polynomial pool must be disjoint from those of other groups in order to disable direct communication between groups. Otherwise, nodes in different security levels can communicate directly using shared polynomials.

2) Inter-group Communication: Inter-group communication is controlled by two types of guards: collators and downgraders. Their architectures and roles were described in Section III-B2. Collators and downgraders are assigned polynomial sets from every group. They are able to communicate with each security level using shared polynomials as in intra-group communication. Figure 5 illustrates an example of inter-group communication. Suppose that A is a top secret node, and B is a confidential node. Let C be a collator, and D be a downgrader. Node A has the polynomial set $\{f_1, f_3, f_5, f_7\}$ and node B has the set $\{f_{23}, f_{24}, f_{28}, f_{29}\}$. Nodes C and D have polynomial sets $\{f_3, f_{13}, f_{23}, f_{33}\}$ and $\{f_5, f_{15}, f_{25}, f_{35}\}$ respectively. If node B wants to send a message to node A, it sends the message to node C after encrypting the message using $f_{23}$. Then, node C decrypts the message and re-encrypts it using $f_3$. In the same manner, if the flow is reversed (i.e. from A to B), node D becomes the intermediary node between A and B. Since node B does not share polynomials with node D (i.e. phase 2 fails), D needs to find an indirect path (phase 3) to deliver the message to B. Assume that E is also confidential and has polynomials $\{f_{21}, f_{25}, f_{27}, f_{29}\}$; D sends its message to E using $f_{25}$, and E passes it to B using $f_{29}$.
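The Figure 5 walk-through above, together with the collator and downgrader filter rules from Section III-B2, as an added example that is not code from the paper. Polynomial sets and node roles are taken from the text; the level ordering as integers, the function names, the breadth-first search for the indirect path (which generalizes phase 3 to more than one relay), and choosing the lowest shared index when several polynomials are shared are assumptions of this example.

```python
from collections import deque

# Security levels named in the paper; higher number = more sensitive.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

# Polynomial index sets from the Figure 5 walk-through (f3 -> 3, f23 -> 23).
POLYS = {
    "A": {1, 3, 5, 7},
    "B": {23, 24, 28, 29},
    "E": {21, 25, 27, 29},
    "C": {3, 13, 23, 33},
    "D": {5, 15, 25, 35},
}
NODE_LEVEL = {"A": "top secret", "B": "confidential", "E": "confidential"}
GUARD_KIND = {"C": "collator", "D": "downgrader"}


def guard_accepts(kind, src_level, dst_level):
    """Filter rule: a collator rejects high-to-low requests; a downgrader
    accepts only high-to-low requests."""
    src, dst = LEVELS[src_level], LEVELS[dst_level]
    if kind == "collator":
        return src <= dst
    if kind == "downgrader":
        return src > dst
    raise ValueError("unknown guard kind: " + kind)


def shared_poly(a, b):
    """Phase 2: lowest shared polynomial index, or None if none is shared."""
    common = POLYS[a] & POLYS[b]
    return min(common) if common else None


def find_leg(start, goal, relays):
    """Phase 2, falling back to phase 3: shortest chain from start to goal
    in which consecutive nodes share a polynomial. Only `relays` (nodes of
    one security level) may act as intermediaries."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(relays | {goal}):
            if nxt not in seen and shared_poly(path[-1], nxt) is not None:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def route(src, dst):
    """Return the hops (sender, receiver, polynomial index) or None."""
    def group(level):
        return {n for n, lvl in NODE_LEVEL.items() if lvl == level}

    src_level, dst_level = NODE_LEVEL[src], NODE_LEVEL[dst]
    path = None
    if src_level == dst_level:
        path = find_leg(src, dst, group(src_level))
    else:
        for guard, kind in sorted(GUARD_KIND.items()):
            if not guard_accepts(kind, src_level, dst_level):
                continue
            to_guard = find_leg(src, guard, group(src_level))
            from_guard = find_leg(guard, dst, group(dst_level))
            if to_guard and from_guard:
                path = to_guard + from_guard[1:]
                break
    if path is None:
        return None
    return [(a, b, shared_poly(a, b)) for a, b in zip(path, path[1:])]


if __name__ == "__main__":
    print("B -> A:", route("B", "A"))
    print("A -> B:", route("A", "B"))
```

Each hop in the result is one decrypt and re-encrypt step, so the hop count is also the number of nodes that see the plaintext.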

A collator and a downgrader can communicate with every group. While a compromised sensor node only affects its own group, a compromised collator or downgrader endangers the whole network. We discuss the potential security vulnerability of collators and downgraders in the following subsections.

Collator: A collator is responsible for an information flow from lower security levels to higher security levels. Since it is possible for the collators to be deployed in insecure environments (i.e. node capture is possible), they are vulnerable to node compromise attacks. As discussed earlier, however, TinyKeyMan is very resilient to node compromise attacks. Thus, non-compromised nodes can still communicate securely even if the polynomials of some collators are disclosed.

A more serious problem occurs when attackers capture a collator and manipulate its code. As defined above, a collator provides uni-directional communication. If the device is manipulated so information flows from high security levels to low security levels, it could be a serious problem. Suppose that a secret level node sends a message to a top secret level node through the manipulated collator. Instead of routing the message to the top secret level node, it could send it to a different node with a lower security level. This is a violation of the security policy since secret information is leaked to unauthorized nodes (confidential or unclassified).

In order to make it more difficult for adversaries to compromise a collator, we assume that a collator has memory with security protection. Curry created an embedded memory with security row lock protection [12]. The device allows external memory access by first reading the corresponding security bit. If the security bit is unlocked, the device returns the actual value stored in the requested position. However, if the security bit is set for the requested location, a zero value is returned. Even if the security bits are erased, the secured contents in the locked positions are also removed at the same time [12]. Since adversaries acquire neither program code nor keys by capturing collators, it would be very difficult for them to manipulate the code of a collator.

Memory protection may require additional implementation effort and may increase the price of the device. However, these costs and effort remain minimal since collators represent only a small portion of the whole network. Further, collators presumably already contain important information. It is reasonable to assume that collators possess better computing resources than other sensor nodes.

Downgrader: A downgrader releases information from high security levels to low security levels. When a downgrader is compromised, a message could be downgraded below its designated level. For instance, a top secret message, which is supposed to be downgraded to the secret level, could be downgraded to the unclassified level by a malicious downgrader. Because the damage by a malicious downgrader can affect all security levels, it is a more serious problem than a malicious collator, which does not affect the top secret level.

It is important to note that the security policy can be broken without compromising a downgrader. A malfunction of the system or malware could request that information, which should remain secret, be downgraded. Since the information is sent to a downgrader, the downgrader would introduce the message to a lower security level. Once the information is downgraded, it would not be easy to find and to remove the information. In order to prevent this situation, a downgrader needs to understand the semantics of the message to make a correct judgment with respect to downgrading. As Hinton states, human intervention is necessary to resolve the downgrading problem [1]. A downgrader needs to interface with users and it must not be compromised. Since base nodes are connected to base stations and assumed to be more secure than other nodes, we believe that a base node should take the place of a downgrader.

IV. EXPERIMENTS AND RESULTS

A. Communication Overhead Evaluation

Since it is necessary to send messages to guards in order to communicate with different security levels, network traffic overhead is an unavoidable cost for inter-group communication. We simulate inter-group communication to estimate the communication overhead. The purpose of the experiment is to estimate the message overhead in inter-group communication and to show that communication overhead can be reduced if the number of guards is increased. We use TinyOS-2 and TOSSIM for the simulation. MicaZ is selected as a sensor platform.

Since a point-to-point traffic pattern is assumed, we selected the Tymo protocol, which is implemented in TinyOS-2 [13]. Tymo is a TinyOS version of the Dymo protocol, a point-to-point routing protocol designed for Mobile Ad-hoc Networks (MANET).

We created two network topologies consisting of 64 nodes: grid and random. In the grid topology, the distance between nodes is 2 meters. In the random topology, nodes are randomly deployed on a 20 meter by 20 meter field. Let G denote the grid topology, and let R denote the random topology. To create a more realistic network environment, asymmetric links are assumed for both networks.

Ten pairs of nodes are selected and each pair of nodes sends 100 messages between each other. We count the number of forwarded messages at intermediate nodes ($M_F$), and the number of successfully delivered messages at target nodes ($M_D$). The average number of forwarded messages for one delivered message, $M_A$, is computed by $M_F / M_D$. We performed our experiments using the Tymo protocol first without guards (intra-group communication) and then added a number of guards (1, 2, 4, 6, and 8) since we anticipate that increasing the number of guards will reduce network traffic overhead. Each experiment is performed 10 times.

Topology G is examined first, and the result is shown in Figure 6. The result of the Tymo protocol without collators (intra-group communication) shows the fewest forwarded messages, $M_F$, and most successfully delivered messages, $M_D$. When we add one collator to the network and force two nodes to communicate through the collator, there is a 240% increase in $M_F$ over intra-group communication while $M_D$ falls to 89% of that seen during intra-group communication. When we increase the number of collators, $M_F$ is reduced, and $M_D$ is close to that of intra-group communication. In the case of 4 collators, only 157% of the $M_F$ of intra-group communication is required, and $M_D$ is almost the same. Even if we continue to add more collators, the additional units do not help to reduce $M_F$ and to increase $M_D$ in topology G. As shown in Figure 8, $M_A$ is minimized when there are at least 4 collators in topology G.

Figure 6. The result of the grid topology with 64 nodes.

Figure 7. The result of the random topology with 64 nodes.

Figure 7 represents the results of the random topology. Comparing topology R to topology G, topology R requires more $M_F$ and delivers fewer $M_D$ than the grid topology. This is because the node density of the random topology is irregular. Some parts of the network are sparse; thus, there is a higher probability of dropping messages than the grid topology. With one collator, only 167% of the $M_F$ of intra-group communication is required, but there is a 23% reduction in $M_D$. As in topology G, Figure 7 shows that increasing the number of collators reduces $M_F$ and increases $M_D$. Although the number of nodes is the same for both topologies, more collators are required to minimize the network traffic overhead. While $M_A$ of 4 collators is about 197% of intra-group communication, $M_A$ of 8 collators is less than 150% as is shown in Figure 8.

In our experiments, we increased the number of guards to determine an appropriate number of guards for both networks, G and R. As a result, about 6% of all nodes (4 collators) in topology G should be guards to minimize the network overhead while topology R requires about 12% (8 collators). It is simple to increase the number of collators, but it is difficult to add downgraders in our design since downgraders are base nodes (discussed in Section III-C2). Further, very few base nodes are typically assumed in most applications. If we fix the number of base nodes to be 1, the message overhead of inter-group communication is about 268% of intra-group communication in topology G and 215% of that in topology R as shown in Figure 8.

Figure 8. The average number of forwarded messages for one delivered message in the grid topology and the random topology.

Based on these results, users can estimate overall network traffic overhead if they know the proportions of intra-group communication and inter-group communication. Note that inter-group communication has two components: the upstream (i.e., from low to high security) and the downstream (i.e., from high to low security). Suppose one network (called network A) whose traffic pattern is 50% intra-group communication, 40% upstream communication, and 10% downstream communication. The overall communication overhead in network A would be:

Overhead_G = 0.5 × 1 + 0.4 × 1.57 + 0.1 × 2.68 ≈ 1.40

Overhead_R = 0.5 × 1 + 0.4 × 1.48 + 0.1 × 2.15 ≈ 1.30

If the ratio of inter-group communication increases, network traffic overhead also increases. Let network B have a traffic pattern of 10% intra-group communication, 50% upstream communication, and 40% downstream communication. In this case, the expected communication overhead in network B is:

Overhead_G = 0.1 × 1 + 0.5 × 1.57 + 0.4 × 2.68 ≈ 1.96

Overhead_R = 0.1 × 1 + 0.5 × 1.48 + 0.4 × 2.15 = 1.70

In comparison, between 30% and 40% overhead is introduced to network A while network B has between 70% and 96% overhead. Note that the traffic pattern of network B mainly consists of inter-group communication, while the dominant traffic pattern of network A is intra-group communication. This example indicates that the MSL architecture incurs higher overhead for the network consisting of high proportions of inter-group communication.

B. The Price of Cryptography

The MSL architecture we propose employs cryptographic engines for each security domain. Although it is possible for every security domain to use the same encryption algorithm, having more powerful algorithms for higher security domains would be reasonable as security levels correspond to sensitivity. The strength of encryption algorithms, however, is not the only concern in WSNs due to the resource limitations of sensor nodes. Powerful algorithms may take up more memory as well as consume more energy. A good rule of thumb is to use the most powerful algorithm for every message, but the cost of the algorithm should not exceed the system’s budget. While a low level security domain may use a light encryption algorithm rather than a heavy one, a high level security domain should use a powerful algorithm even if its cost is expensive. In order to balance the trade-off between security strength and the cost of encryption, we must investigate several cryptography algorithms.

1) Examined Block Ciphers: We have implemented and analyzed four widely used block ciphers: Advanced Encryption Standard (AES), RC5, Skipjack, and Corrected Block Tiny Encryption Algorithm (XXTEA). RC5 and Skipjack are chosen because they are implemented in TinySec, while AES is the current encryption standard of the U.S. government and one of the most broadly used radios, CC2420, provides a hardware AES encryption. XXTEA is notable for its simplicity of implementation and small memory footprint, which make it a good candidate for running on the resource-constrained sensor motes.

2) Security Strength: Currently, brute force is the only cryptanalysis that can be applied against AES, Skipjack, and XXTEA when they are used with the correct number of rounds and key-length. Because of that, we can directly compare the security strength of AES, Skipjack, and XXTEA based on the length of the key they use. The following hierarchy can be built: AES-256 > AES-192 > AES-128 = XXTEA (128-bit) > Skipjack (80-bit).

In contrast to the above algorithms, all cryptographic parameters including the number of rounds are adjustable in RC5. Therefore, RC5’s security strength is determined by both the key size and the number of rounds. This makes RC5 difficult to compare to the other block ciphers. According to [14], using more than 16 rounds is considered to be sufficient protection. Based on this, the security strength of RC5-32/18/16 is equal to AES-128 and XXTEA, where 32 is the block size in bits, 18 is the number of rounds, and 16 is the key size in bytes.

3) Lifetime: We estimate the lifetime of a mote for better understanding of the cost of cryptography. We have implemented block ciphers on a MicaZ mote in nesC, which is the language used in TinyOS. We used a Tektronix MSO4034 oscilloscope to measure the latency of the program in MicaZ. The MicaZ motes have 4 KB of RAM, 128 KB of ROM, and use a CC2420 radio. The micro-controller unit (MCU) of the MicaZ is an ATmega128L. The oscilloscope allowed us to measure the voltage drop in the circuit and determine the time it took for the different algorithms to execute.

Table I. CURRENT DRAW OF MICAZ FOR DIFFERENT STATES.

mode            transmit    receive    sense    MCU    sleep
current (mA)    25.4        27.7       9        8      0.016

To measure the execution time of the algorithms we connect one of the mote’s pins to the oscilloscope and use it to signal when a phase begins and finishes execution. The oscilloscope registers the changes of the pin’s level and displays them on the screen. We believe that this method provides accurate measurements since the controlling of the pin does not significantly affect the MCU’s latency or energy consumption. The results are given in [15].

The lifetime is dependent on the fraction of active and inactive states of a mote. Suppose that we have a MicaZ sensor node with an accelerometer sensor. The current draw for each mode is listed in Table I. Note that the current draw of transmit, receive, and sleep modes include the current draw of MCU, since we assume that a radio operates with an MCU. For example, the current draw of a radio is 17.4 mA when it transmits a message; thus, the current draw of the transmit mode, including the current draw of the MCU, is 17.4 mA + 8 mA = 25.4 mA.

Let P(T) denote the proportion of the lifetime that the mote sends a message, and P(R) denote the proportion of the lifetime of receiving a message. Let P(S) denote the proportion of the lifetime that the mote gets the value from the accelerometer. The proportion of the lifetime of inactive mode is denoted as P(I). P(E) and P(D) are the proportion of the lifetime of encryption and decryption, respectively. Then, average current, C, can be calculated in mA as

C = P(E) × 8 + P(T) × 25.4 + P(D) × 8 + P(R) × 27.7 + P(S) × 9 + P(I) × 0.016    (1)

A MicaZ mote is typically powered by a pair of AA batteries, which supply approximately 2200 mAh at 3 V. Therefore, its lifetime in hours can be computed as 2200 / C. We omitted other factors that can affect lifetime such as routing and MAC protocols for simplicity. This method has been used in lifetime estimation of a sentry in VigilNet [3]. If P(T), P(R), and P(S) are 0.05, 0.05, and 0.2 respectively, the lifetime of a mote without security (i.e., P(E) and P(D) are 0) is about 492 hours (20.52 days).

When using ciphers, the lifetime of a mote decreases. Suppose that the mote currently uses AES-128 and the length of payload is 16 bytes long. We compute P(E) and P(D) by comparing them to transmission delay. Chintalapudi et al. [16] estimated transmitting delay in µs as

τ_s = 628 + 38 × d, where d is the payload length in bytes

Figure 9. The lifetime of a mote according to different block ciphers. The leftmost bar denotes AES-256 and the rightmost bar denotes no security. Overall, the lifetime is decreased as the security strength increases except hardware AES-128. Hardware AES-128, which is built in CC2420, guarantees almost the same lifetime as no security, providing security as strong as AES-128, XXTEA, and RC5-32/18/16. We assume that the encryption delay of hardware AES-128 is the same as its decryption delay.

Since we assume that d is 16, the total time for transmission is about 1.24 ms. According to [15], encryption and decryption for 16 bytes take 1.53 ms and 3.52 ms respectively. By comparing them, P(E) = 0.06 and P(D) = 0.14. According to equation (1), C is 6.06 mA; thus, the lifetime of a MicaZ mote is 363 hours (15.05 days). Figure 9 shows the expected lifetime of a mote according to different encryption algorithms. Up to 34.82% of lifetime reduction is measured.
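The lifetime estimate above can be reproduced for any cipher latency with the following added example, which is not code from the paper. It assumes that P(I) is whatever remains of the duty cycle after the active states, and that P(E) and P(D) are obtained by scaling P(T) and P(R) by the ratio of cipher latency to transmission delay (one encryption per sent message, one decryption per received message); all function names are hypothetical. With unrounded fractions it yields about 361 hours for software AES-128, against the 363 hours obtained from the rounded P(E) = 0.06 and P(D) = 0.14.

```python
# Added example: lifetime model built on equation (1). Names are hypothetical.
# Current draw per state in mA (Table I); radio states already include the MCU.
I_TX, I_RX, I_SENSE, I_MCU, I_SLEEP = 25.4, 27.7, 9.0, 8.0, 0.016
BATTERY_MAH = 2200.0  # pair of AA batteries, as stated in the text


def tx_delay_ms(payload_bytes):
    """Transmission delay from [16]: 628 + 38*d microseconds, returned in ms."""
    return (628 + 38 * payload_bytes) / 1000.0


def crypto_fractions(p_t, p_r, enc_ms, dec_ms, payload_bytes):
    """Assumption: one encryption per sent and one decryption per received
    message, so P(E) and P(D) scale P(T) and P(R) by latency / tx delay."""
    tau = tx_delay_ms(payload_bytes)
    return p_t * enc_ms / tau, p_r * dec_ms / tau


def average_current_ma(p_t, p_r, p_s, p_e=0.0, p_d=0.0):
    """Equation (1). Assumption: P(I) is the remainder of the duty cycle."""
    p_i = 1.0 - (p_t + p_r + p_s + p_e + p_d)
    if p_i < 0:
        # A slow cipher on a busy mote can demand more than 100% of the time.
        raise ValueError("active fractions exceed 100% of the duty cycle")
    return (p_e * I_MCU + p_t * I_TX + p_d * I_MCU
            + p_r * I_RX + p_s * I_SENSE + p_i * I_SLEEP)


def lifetime_hours(p_t, p_r, p_s, enc_ms=0.0, dec_ms=0.0, payload_bytes=16):
    p_e, p_d = crypto_fractions(p_t, p_r, enc_ms, dec_ms, payload_bytes)
    return BATTERY_MAH / average_current_ma(p_t, p_r, p_s, p_e, p_d)


def lifetime_reduction_pct(p_t, p_r, p_s, enc_ms, dec_ms, payload_bytes=16):
    """Lifetime lost to the cipher, relative to the same mote with no security."""
    base = lifetime_hours(p_t, p_r, p_s)
    secured = lifetime_hours(p_t, p_r, p_s, enc_ms, dec_ms, payload_bytes)
    return 100.0 * (1.0 - secured / base)


if __name__ == "__main__":
    print(lifetime_hours(0.05, 0.05, 0.2))                      # no security
    print(lifetime_hours(0.05, 0.05, 0.2, 1.53, 3.52))          # software AES-128
    print(lifetime_reduction_pct(0.05, 0.05, 0.2, 1.53, 3.52))
```
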

These results indicate that the choice of encryption algorithms can dramatically affect the lifetime of a mote. Certainly, the proper choice of cryptographic algorithms is critical to satisfy the requirements of the security strength and lifetime. The system designer must select an appropriate cryptography combination in order to satisfy both requirements.

V. CONCLUSIONS AND FUTURE WORK

While there is a need to support MLS in WSNs, not much research has been done in this area. To the best of our knowledge, we are the first to propose an architecture supporting MLS in WSNs. In order to separate security domains and control information flow, cryptographic technologies are employed. Confidentiality, authenticity, and integrity of information are maintained by the underlying cryptography. Also, the architecture inherits resilience to node compromise attacks from TinyKeyMan. However, inter-group communication introduces traffic overhead. Also, the choice of cryptography can change the lifetime dramatically.

One-to-many and many-to-one traffic patterns would be inefficient in our architecture since the architecture is based on pair-wise keys. For efficiency, a global key or group key could be used but these are vulnerable to node compromise attacks. We plan to implement secure dissemination and collection protocols in our architecture as future work. We also plan to implement a prototype on a real platform.

REFERENCES

[1] G. D. Hinton, “Multiple independent levels of security: The changing face of range information management in the 21st century,” ITEA Journal, pp. 11–12, June/July 2006.

[2] D. Bell and L. LaPadula, “Secure computer system unified exposition and multics interpretation,” MITRE Corp., Bedford, MA, Tech. Rep. MTR-2997, July 1975.

[3] T. He, S. Krishnamurthy, J. A. Stankovic, T. Abdelzaher, L. Luo, R. Stoleru, T. Yan, L. Gu, G. Zhou, J. Hui, and B. Krogh, “Vigilnet: An integrated sensor network system for energy-efficient surveillance,” in ACM Transactions on Sensor Networks, 2004.

[4] D. Liu and P. Ning, “Establishing pairwise keys in distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), Washington D.C., October 2003, pp. 52–61.

[5] P.-Y. Teng, S.-I. Huang, and A. Perrig, “Multi-layer encryption for multi-level access control in wireless sensor networks,” in Proceedings of the IFIP TC 11 23rd International Information Security Conference, ser. IFIP International Federation for Information Processing, vol. 278. Springer Boston, July 2008, pp. 705–709.

[6] C. Karlof, N. Sastry, and D. Wagner, “TinySec: a link layer security architecture for wireless sensor networks,” in SenSys ’04: Proceedings of the 2nd international conference on Embedded networked sensor systems. New York, NY, USA: ACM, 2004, pp. 162–175.

[7] A. Liu and P. Ning, “Tinyecc: A configurable library for elliptic curve cryptography in wireless sensor networks,” in IPSN. Los Alamitos, CA, USA: IEEE Computer Society, April 2008, pp. 245–256.

[8] CC2420 Data Sheet, “http://focus.ti.com/lit/ds/symlink/cc2420.pdf.”

[9] L. Gu and J. A. Stankovic, “t-kernel: Providing reliable os support to wireless sensor networks,” in ACM SenSys, November 2006.

[10] Introduction to Multilevel Security, “http://www.cs.stthomas.edu/faculty/resmith/r/mls.”

[11] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, “Perfectly-secure key distribution for dynamic conferences,” Lecture Notes in Computer Science, vol. 740, pp. 471–486, 1993.

[12] D. Curry, “Embedded memory with security row lock protection,” U.S. Patent 6,879,518 B1, filed November 21, 2003, and issued April 12, 2005, San Jose, CA, USA.

[13] http://docs.tinyos.net/index.php/Tymo.

[14] N. R. Potlapally, S. Ravi, A. Raghunathan, and N. K. Jha, “A study of the energy consumption characteristics of cryptographic algorithms and security protocols,” IEEE Transactions on Mobile Computing, vol. 5, no. 2, pp. 128–143, December 2005.

[15] J. Lee, K. Kapitanova, and S. H. Son, “Supporting multilevel security in wireless sensor networks,” University of Virginia Department of Computer Sciences, Tech. Rep. CS-2008-11, October 2008.

[16] K. K. Chintalapudi and L. Venkatraman, “On the design of mac protocols for low-latency hard real-time discrete control applications over 802.15.4 hardware,” in International Conference on Information Processing in Sensor Networks, 2008.