ZigBee is an enabling technology for various applications including home automation and surveillance systems. ZigBee has the advantages of high availability, low power consumption, and low cost, which is ideal for distributed sensor network environments.

However, security management in ZigBee networking is not at a suitable level for applications because the ZigBee standard security requires a huge capacity for storing master keys, network keys, and link keys between each entity. When the size of the network increases, the number of keys exponentially increases. It also does not offer the flexibility to select the destination nodes, for example.

In this paper, we apply attribute-based proxy re-encryption (ABPRE) [1], which re-encrypts a ciphertext with attributes of the new recipients to delegate the capability of decryption and reduce the number of keys, providing a more practical method. To further reduce the computational complexity, we use a constant pairing operation based on ABPRE [2].

In this work, we present a novel method for ZigBee security. Following are the main contributions of the paper. We present an efficient ZigBee security model and the proposed ABPRE provides a security model that distributes overhead. Finally we show a routing security model using ABPRE.

The paper consists of five sections. In Section II, we introduce related works including ZigBee and ABPRE. In the Section III, we propose the ABPRE model as a ZigBee standard. Section IV includes an evaluation report. Finally, we conclude the paper in Section V.

ZigBee is designed to be a low cost, power efficient device and provides effective communication within mesh networks. Therefore, it offers reliable and trustworthy network services to users.

ZigBee is based on the IEEE 802.15.4 specification and ZigBee standard. IEEE 802.15.4 defines the physical and medium access control layers of the protocol. The higher layers including the network, application support sub-layer, and ZigBee device objects are described by the ZigBee standard.

One of the most interesting features of ZigBee is the possibility of mesh networking. This extends the network range and provides higher network reliability by creation of new paths in case of network configuration changes. If an end device loses its transmission path to the coordinator, it searches for a new path to the coordinator. Therefore, the ZigBee network maintains an appropriate data transmission rate.

The ZigBee standard provides data confidentiality by encrypting packets with secret keys using Advanced Encryption Standard (AES) symmetric cryptography.

Three key types are used in ZigBee networks. A master key, which is a long-term security key between two devices, is used for delivery of network and link keys. The second key is a link key, which provides security on the specific link between the two devices. The third key type is a network key used when nodes transmit the information to a member of the network.

Even though ZigBee provides a strong method for protection of information from attackers with symmetric cryptography, ZigBee has restrictions that involve a large number of keys and network keys. In a full mesh network, each node shares each pair of keys with O(n²) complexity.

ABPRE with constant pairing operations is an enhanced version of [1]. To reduce the number of pairing operations, exponentiation is conducted instead of the operation. Therefore, the pairing operation is computed at once at the end.

In this scheme we consider the access structure consisting of AND gates between positive and negative attributes. Denote the index set of all the attributes as τ. The access structure is represented as ？(+d_i, -d_i)_i∈τ, which are the positive attribute and the negative attribute, respectively. Any user receives a secret key associated with an attribute set S ⊆ τ from the authority. The users can decrypt the ciphertext, if the following conditions of the attribute are met:

If +di appears in AS, then i ∈ S;

If -di appears in AS, then i ？ S;

SETUP(1^k): A bilinear group G of prime order p, with bilinear map e: G × G → G_T is generated. Next, it selects elements k, y, z, t_i(1 ≤ i ≤ 3n) in Z_P and two generators g,h of G at random. Let Y:= e(g,h)^y and t_i:=g^ti for each(1 ≤ i ≤ 3n). The public parameter pp includes

The master key mk is ？k, y, z, {t_i}_1≤i≤3n ？.

KGEN (S, mk) Let S denote an index set of attributes. It chooses a random r₁, ···, r_n from the Z_p and sets r = r₁ + r₂ + ··· + r_n. It computes

and for each i ∈ N(N = {1,2,..., n})(D_i,₁ = h^ri)_i∈N. This outputs a user’s secret key

ENC (m, AS): Let AS denote an access structure. To encrypt a message m ∈ GT, it selects a random s ∈ Z_p and computes

？ = g^sz, and ？ = h^skz. For i ∈ N: if+d_i appearsas

appears as

otherwise,

It outputs

RKGEN (usk, AS') Let usk denote a valid secret key consistingof

and let AS' denotean access structure. It selects a random d∈Z_p and set

For

is the ciphertext of ？ under the access structure AS'. It outputs

REENC (rk,C) : Let rk denote a valid re-key consisting of

and C denote a well-formed ciphertext

This step checks whether S satisfies AS; if not, output error; otherwise, for i ∈ N:

Next, it computes = e(C,D^T)=e(g,h)^(nd+r)(ksz). It then computes

It outputs a re-encrypted ciphertext

Note that C_re can be re-encrypted iteratively. Thus we would obtain

where C'' is obtained from the REENC algorithm with the input of another rk' and C'. The size of the ciphertext and re-encryption times increase linearly.

DEC (C, usk): Let usk denote a valid secret key

It checks whether S satisfies AS; if not, it outputs error; otherwise, decrypt.

If C is an original well-formed ciphertext consisting of

for i ∈ N:

Next, it computes E = e(C,D^T) = e(g,h)^krsz. It outputs

Otherwise, if C is a re-encrypted well-formed ciphertext consisting of

then it decrypts C' using usk and obtains ？ = g^d.

Then it outputs

Otherwise, if it is a multi-time re-encrypted wellformed ciphertext, and then decryption is similar to the above phases.

The method is based on the [6] process, which proposes the first form of ZigBee security using ABPRE. In the process, firstly, the sender receives the access structure and public parameters from private key generator (PKG). When the sender needs to transmit the plaintext by executing the encryption process, the data is encrypted with the user's attributes and secret keys. If the recipient is located in the same sub-network or the sender has his attributes, the sender directly transmits the packet to the recipient and then the recipient decrypts the packet with his attributes and public parameters. When the recipient is located in the other network or has attributes which are not in the sender, the sender transmits the packet to the base node. The packet is reencrypted and then is transmitted to the node in the distance. The recipient decrypts the packet with his secret values. If the packet is encrypted several times, the decryption process is also conducted by an equal number of them. The method needs to pass the base node when the recipient is in the other network. Passing the base node, the packet is reencrypted, which ensures that the packet is transmitted using the right path. The detailed process is depicted in Fig. 1.

In Fig. 2, an example of the scenario is described. When the sender wants to send a message to recipient #1, it directly transmits the ciphertextto the destination after encryption. In the case of recipient #2, the sender transmits the packet to the base node. The base node then re-encrypts the packet using recipient #2's attributes. The re-encrypted data is transmitted to recipient #2 and then the data is decrypted with the attributes of recipient #2.

The detailed process of the algorithm is described in Table 2.

The attribute-based proxy re-encryption scheme has the capability of attribute encryption with specific attributes and re-encrypting the message for delegating the capability of decryption to selected users, which enables various features such as the simplicity of group key management and delegation of decryption capability. Comparing the number of keys with other schemes, ABPRE has O(n) complexity, but the current ZigBee system is O(n²) because in symmetric cryptography all users should maintain the same secret key as the others. Therefore, traditional cryptography is not suitable for ZigBee security, but the proposed method is efficient in terms of distribution and management of keys. However, ABPRE does not offer a digital signature because it uses the attributes that are not representative of the user.

A detailed report is presented in Table 2. For practical application, a proposal is required to reduce the computation cost because the scheme claims high overhead including pairing operations. Currently pairing operations over sensor networks take about 1 second (Table 3). Therefore, it is not practical if many pairing operations are needed. In traditional ABPRE, the pairing operation is conducted by a number of attributes. Therefore, it is infeasible to enable the technology over a sensor network.

To solve this drawback, we use a constant pairing operation based on ABPRE [2]. In this method, we must compute two or three pairing operations by conducting decryption. The re-encryption is conducted by a full function node, a base node. Therefore, overhead is reduced in the leaf nodes. Table 4 illustrates the computational complexity of ABPRE. The leaf node needs to conduct the encryption process per each transmission. In the previous method, we had to conduct re-encryption whenever we needed to transmit data to users that were not included in first access structure of the ciphertext by the leaf node. However, in the case of the proposed method, the reencryption process imposes the overhead on the base node, a much more powerful device. Therefore, the computational costs on the leaf nodes are reduced.

Even though the method provides a small number of pairing operations, it is still not a practical method for ATmega128L and MSP430 devices. The pairing operation over sensor nodes should be improved to perform the proposed method.

The security strength of the proposed model is based on the user's secret key and attributes. First, if the sender's secret key is not revealed to others, the encryption and decryption process are secure, depending on the CTDH and ADBDH assumption. Secondly, the re-encryption process also demands the user's secret key to allow it to proceed. Even though malicious users might obtain the user's encrypted text, they cannot generate a re-encrypted text because the encryption key is not available for malicious users.

In this paper, we propose the novel ABPRE based the ZigBee security model. The method solves the key management problem, provides an attribute-based encryption model, and ensures routing path security. It also has strong features in low cost computation by replacing exponentiation operations for pairing operations and provides a constant number of pairing operations. As a result, the proposed model can be a more practical security model in resource-constrained embedded systems than previous models. However, the method does not show reasonable performance. Future work in faster implementation of the model over various sensor nodes and locating a method for speeding up the model is needed because the current sensor nodes do not show high performance, as described in Table 3.

If sender ‘A’ wants to transmit data to ‘B’ and ‘C’, ‘A’ encrypts the data with attributes of base node ‘1’ and then sends it to ‘1’. Base node ‘1’ sends a ciphertext to ‘2’. First ‘2’ sends the received data to ‘3’ and ‘2’ re-encrypts the data with attributes of ‘B’ and then sends attributes. After receiving the data, ‘3’ also conducts the same procedure, which is computed in base node ‘2’.