ZigBee Security Using Attribute-Based Proxy Re-encryption

  • cc icon

    ZigBee Network is enabling technology for home automation, surveillance and monitoring system. For better secure network environment, secure and robust security model is important. The paper proposes an application, attribute-based proxy reencryption on ZigBee networks. The method can distribute the authority to designated sensor nodes to decrypt re-encrypted ciphertext with associated attributes. However, a previous method is required to compute complex pairing operations. The high complexity is not suited to low resource device sensor networks, and it does not provide routing security either. To resolve these problems, we present a novel mechanism. The method can reduce overhead by imposing overhead to full function devices and ensure routing paths as well.


    Attribute-based proxy re-encryption , Pairing , Sensor network , ZigBee security


    ZigBee is an enabling technology for various applications including home automation and surveillance systems. ZigBee has the advantages of high availability, low power consumption, and low cost, which is ideal for distributed sensor network environments.

    However, security management in ZigBee networking is not at a suitable level for applications because the ZigBee standard security requires a huge capacity for storing master keys, network keys, and link keys between each entity. When the size of the network increases, the number of keys exponentially increases. It also does not offer the flexibility to select the destination nodes, for example.

    In this paper, we apply attribute-based proxy re-encryption (ABPRE) [1], which re-encrypts a ciphertext with attributes of the new recipients to delegate the capability of decryption and reduce the number of keys, providing a more practical method. To further reduce the computational complexity, we use a constant pairing operation based on ABPRE [2].

    In this work, we present a novel method for ZigBee security. Following are the main contributions of the paper. We present an efficient ZigBee security model and the proposed ABPRE provides a security model that distributes overhead. Finally we show a routing security model using ABPRE.

    The paper consists of five sections. In Section II, we introduce related works including ZigBee and ABPRE. In the Section III, we propose the ABPRE model as a ZigBee standard. Section IV includes an evaluation report. Finally, we conclude the paper in Section V.


      >  A. ZigBee, Sensor Network Standard

    ZigBee is designed to be a low cost, power efficient device and provides effective communication within mesh networks. Therefore, it offers reliable and trustworthy network services to users.

    ZigBee is based on the IEEE 802.15.4 specification and ZigBee standard. IEEE 802.15.4 defines the physical and medium access control layers of the protocol. The higher layers including the network, application support sub-layer, and ZigBee device objects are described by the ZigBee standard.

    One of the most interesting features of ZigBee is the possibility of mesh networking. This extends the network range and provides higher network reliability by creation of new paths in case of network configuration changes. If an end device loses its transmission path to the coordinator, it searches for a new path to the coordinator. Therefore, the ZigBee network maintains an appropriate data transmission rate.

      >  B. Security Specification in ZigBee Networks

    The ZigBee standard provides data confidentiality by encrypting packets with secret keys using Advanced Encryption Standard (AES) symmetric cryptography.

    Three key types are used in ZigBee networks. A master key, which is a long-term security key between two devices, is used for delivery of network and link keys. The second key is a link key, which provides security on the specific link between the two devices. The third key type is a network key used when nodes transmit the information to a member of the network.

    Even though ZigBee provides a strong method for protection of information from attackers with symmetric cryptography, ZigBee has restrictions that involve a large number of keys and network keys. In a full mesh network, each node shares each pair of keys with O(n2) complexity.

      >  C. ABPRE with Constant Pairing Operations [2]

    ABPRE with constant pairing operations is an enhanced version of [1]. To reduce the number of pairing operations, exponentiation is conducted instead of the operation. Therefore, the pairing operation is computed at once at the end.

      >  D. Satisfying an Access Structure

    In this scheme we consider the access structure consisting of AND gates between positive and negative attributes. Denote the index set of all the attributes as τ. The access structure is represented as ?(+di, -di)i∈τ, which are the positive attribute and the negative attribute, respectively. Any user receives a secret key associated with an attribute set S ⊆ τ from the authority. The users can decrypt the ciphertext, if the following conditions of the attribute are met:

    If +di appears in AS, then i ∈ S;

    If -di appears in AS, then i ? S;

      >  E. Main Construction

    SETUP(1k): A bilinear group G of prime order p, with bilinear map e: G × GGT is generated. Next, it selects elements k, y, z, ti(1 ≤ i ≤ 3n) in ZP and two generators g,h of G at random. Let Y:= e(g,h)y and ti:=gti for each(1 ≤ i ≤ 3n). The public parameter pp includes


    The master key mk is ?k, y, z, {ti}1≤i≤3n ?.

    KGEN (S, mk) Let S denote an index set of attributes. It chooses a random r1, ···, rn from the Zp and sets r = r1 + r2 + ··· + rn. It computes


    and for each iN(N = {1,2,..., n})(Di,1 = hri)i∈N. This outputs a user’s secret key


    ENC (m, AS): Let AS denote an access structure. To encrypt a message mGT, it selects a random sZp and computes


    = gsz, and = hskz. For iN: if+di appearsas


    appears as




    It outputs


    RKGEN (usk, AS') Let usk denote a valid secret key consistingof


    and let AS' denotean access structure. It selects a random dZp and set




    is the ciphertext of ? under the access structure AS'. It outputs


    REENC (rk,C) : Let rk denote a valid re-key consisting of


    and C denote a well-formed ciphertext


    This step checks whether S satisfies AS; if not, output error; otherwise, for iN:


    Next, it computes = e(C,DT)=e(g,h)(nd+r)(ksz). It then computes


    It outputs a re-encrypted ciphertext


    Note that Cre can be re-encrypted iteratively. Thus we would obtain


    where C'' is obtained from the REENC algorithm with the input of another rk' and C'. The size of the ciphertext and re-encryption times increase linearly.

    DEC (C, usk): Let usk denote a valid secret key


    It checks whether S satisfies AS; if not, it outputs error; otherwise, decrypt.

    If C is an original well-formed ciphertext consisting of


    for iN:


    Next, it computes E = e(C,DT) = e(g,h)krsz. It outputs


    Otherwise, if C is a re-encrypted well-formed ciphertext consisting of


    then it decrypts C' using usk and obtains ? = gd.

    Then it outputs


    Otherwise, if it is a multi-time re-encrypted wellformed ciphertext, and then decryption is similar to the above phases.


    The method is based on the [6] process, which proposes the first form of ZigBee security using ABPRE. In the process, firstly, the sender receives the access structure and public parameters from private key generator (PKG). When the sender needs to transmit the plaintext by executing the encryption process, the data is encrypted with the user's attributes and secret keys. If the recipient is located in the same sub-network or the sender has his attributes, the sender directly transmits the packet to the recipient and then the recipient decrypts the packet with his attributes and public parameters. When the recipient is located in the other network or has attributes which are not in the sender, the sender transmits the packet to the base node. The packet is reencrypted and then is transmitted to the node in the distance. The recipient decrypts the packet with his secret values. If the packet is encrypted several times, the decryption process is also conducted by an equal number of them. The method needs to pass the base node when the recipient is in the other network. Passing the base node, the packet is reencrypted, which ensures that the packet is transmitted using the right path. The detailed process is depicted in Fig. 1.

    In Fig. 2, an example of the scenario is described. When the sender wants to send a message to recipient #1, it directly transmits the ciphertextto the destination after encryption. In the case of recipient #2, the sender transmits the packet to the base node. The base node then re-encrypts the packet using recipient #2's attributes. The re-encrypted data is transmitted to recipient #2 and then the data is decrypted with the attributes of recipient #2.

    The detailed process of the algorithm is described in Table 2.


      >  A. Performance Analysis

    The attribute-based proxy re-encryption scheme has the capability of attribute encryption with specific attributes and re-encrypting the message for delegating the capability of decryption to selected users, which enables various features such as the simplicity of group key management and delegation of decryption capability. Comparing the number of keys with other schemes, ABPRE has O(n) complexity, but the current ZigBee system is O(n2) because in symmetric cryptography all users should maintain the same secret key as the others. Therefore, traditional cryptography is not suitable for ZigBee security, but the proposed method is efficient in terms of distribution and management of keys. However, ABPRE does not offer a digital signature because it uses the attributes that are not representative of the user.

    A detailed report is presented in Table 2. For practical application, a proposal is required to reduce the computation cost because the scheme claims high overhead including pairing operations. Currently pairing operations over sensor networks take about 1 second (Table 3). Therefore, it is not practical if many pairing operations are needed. In traditional ABPRE, the pairing operation is conducted by a number of attributes. Therefore, it is infeasible to enable the technology over a sensor network.

    To solve this drawback, we use a constant pairing operation based on ABPRE [2]. In this method, we must compute two or three pairing operations by conducting decryption. The re-encryption is conducted by a full function node, a base node. Therefore, overhead is reduced in the leaf nodes. Table 4 illustrates the computational complexity of ABPRE. The leaf node needs to conduct the encryption process per each transmission. In the previous method, we had to conduct re-encryption whenever we needed to transmit data to users that were not included in first access structure of the ciphertext by the leaf node. However, in the case of the proposed method, the reencryption process imposes the overhead on the base node, a much more powerful device. Therefore, the computational costs on the leaf nodes are reduced.

    Even though the method provides a small number of pairing operations, it is still not a practical method for ATmega128L and MSP430 devices. The pairing operation over sensor nodes should be improved to perform the proposed method.

      >  B. Security Consideration

    The security strength of the proposed model is based on the user's secret key and attributes. First, if the sender's secret key is not revealed to others, the encryption and decryption process are secure, depending on the CTDH and ADBDH assumption. Secondly, the re-encryption process also demands the user's secret key to allow it to proceed. Even though malicious users might obtain the user's encrypted text, they cannot generate a re-encrypted text because the encryption key is not available for malicious users.


    In this paper, we propose the novel ABPRE based the ZigBee security model. The method solves the key management problem, provides an attribute-based encryption model, and ensures routing path security. It also has strong features in low cost computation by replacing exponentiation operations for pairing operations and provides a constant number of pairing operations. As a result, the proposed model can be a more practical security model in resource-constrained embedded systems than previous models. However, the method does not show reasonable performance. Future work in faster implementation of the model over various sensor nodes and locating a method for speeding up the model is needed because the current sensor nodes do not show high performance, as described in Table 3.


      >  Example: Multi-Hop Encryption Model

    If sender ‘A’ wants to transmit data to ‘B’ and ‘C’, ‘A’ encrypts the data with attributes of base node ‘1’ and then sends it to ‘1’. Base node ‘1’ sends a ciphertext to ‘2’. First ‘2’ sends the received data to ‘3’ and ‘2’ re-encrypts the data with attributes of ‘B’ and then sends attributes. After receiving the data, ‘3’ also conducts the same procedure, which is computed in base node ‘2’.

  • 1. Liang X., Cao Z., Lin H., Shao J. 2009 “Attribute based proxy reencryption with delegating capabilities” [in Proceedings of the 4th International Symposium on Information, Computer, and Communications Security] P.276-286 google
  • 2. Seo H., Kim H. 2012 “Attribute-based proxy re-encryption with a constant number of pairing operations” [Journal of Information and Communication Convergence Engineering] Vol.10 P.53-60 google
  • 3. Nguyen S. T., Rong C. 2007 “ZigBee security using identity-based cryptography” [Autonomic and Trusted Computing, Lecture Notes in Computer Science] Vol.4610 P.3-12 google
  • 4. Boneh D., Franklin M. 2001 “Identity-based encryption from the Weil pairing” [Advances in Cryptology - CRYPTO 2001, Lecture Notes in Computer Science] Vol.2139 P.213-229 google
  • 5. Seo H., Kim C. S., Kim H. 2011 “ZigBee security for Home automation using attribute-based cryptography” [in Proceedings of the IEEE International Conference on Consumer Electronics] P.364-368 google
  • 6. Seo H., Kim H. 2011 “Zigbee security for visitors in home automation using attribute based proxy re-encryption” [in Proceedings of the 15th IEEE International Symposium on Consumer Electronics] P.304-307 google
  • 7. Oliveira L. B., Aranha D. F., Gouvea C. P. L., Scott M., Camara D. F., Lopez J., Dahab R. 2011 “TinyPBC: pairings for authenticated identity-based non-interactive key distribution in sensor networks” [Computer Communications] Vol.34 P.485-493 google
  • [Fig. 1.] Process of encryption and decryption. PKG: private key generator.
    Process of encryption and decryption. PKG: private key generator.
  • [Table 1.] Process of encryption and decryption over a sensor network
    Process of encryption and decryption over a sensor network
  • [Fig. 2.] Architecture of tree network.
    Architecture of tree network.
  • [Table 2.] Performance evaluation of cryptography for ZigBee security [3-6]
    Performance evaluation of cryptography for ZigBee security [3-6]
  • [Table 3.] Timing table for pairing operations over sensor platform [7]
    Timing table for pairing operations over sensor platform [7]
  • [Table 4.] Computational complexity of ABPRE
    Computational complexity of ABPRE
  • [Fig. 3.] Multi-hop transmission. Assumption: base node has secret key of leaf nodes.
    Multi-hop transmission. Assumption: base node has secret key of leaf nodes.