A lightweight security scheme for wireless body area networks: design, energy evaluation and proposed microprocessor design.

Page 1

ORIGINAL PAPER
A Lightweight Security Scheme for Wireless Body Area
Networks: Design, Energy Evaluation and Proposed
Microprocessor Design
Georgios Selimis & Li Huang & Fabien Massé &
Ioanna Tsekoura & Maryam Ashouei &
Francky Catthoor & Jos Huisken & Jan Stuyt &
Guido Dolmans & Julien Penders & Harmke De Groot
Received: 31 October 2010 /Accepted: 16 February 2011
# Springer Science+Business Media, LLC 2011
Abstract In order for wireless body area networks to
meet widespread adoption, a number of security impli-
cations must be explored to promote and maintain
fundamental medical ethical principles and social expect-
ations. As a result, integration of security functionality to
sensor nodes is required. Integrating security functional-
ity to a wireless sensor node increases the size of the
stored software program in program memory, the re-
quired time that the sensor’s microprocessor needs to
process the data and the wireless network traffic which is
exchanged among sensors. This security overhead has
dominant impact on the energy dissipation which is
strongly related to the lifetime of the sensor, a critical
aspect in wireless sensor network (WSN) technology.
Strict definition of the security functionality, complete
hardware model (microprocessor and radio), WBAN
topology and the structure of the medium access control
(MAC) frame are required for an accurate estimation of
the energy that security introduces into the WBAN. In
this work, we define a lightweight security scheme for
WBAN, we estimate the additional energy consumption
that the security scheme introduces to WBAN based on
commercial available off-the-shelf hardware components
(microprocessor and radio), the network topology and the
MAC frame. Furthermore, we propose a new micro-
controller design in order to reduce the energy consump-
tion of the system. Experimental results and comparisons
with other works are given.
Keywords Wireless body area networks.Security.
Low power and energy.Microprocessor design
Introduction
WBAN is a wireless network used for communication
among sensor nodes operating on, in or around the human
body in order to monitor vital body parameters and
movements. A typical sensor node in WBAN should ensure
the accurate sensing of the signal from the body, carry out
low-level processing of the sensor signal, and wirelessly
transmit the processed signal to a local processing unit [1].
Recognizing the great market potential and rapid techno-
logical developments in this sector, the Institute of
Electrical and Electronics Engineers (IEEE) is developing
an 802.15.6 standard optimized for low power WBAN
devices supporting at a data rate ranging from 10 Kb/s to
10 Mb/s [2].
Security in WBAN is very important to guarantee and
protect the patient’s personal sensitive data. The sensor
signals from human body should have secured and limited
access. Furthermore, the signal from one person cannot be
mixed up with that from another person. Note that the
choice of security mechanisms is dependent on the
deployed network topology. In WBAN, a star topology is
typically used where communication centrally organized
and every sensor node is directly linked to a master node.
G. Selimis (*):L. Huang:F. Massé:I. Tsekoura:M. Ashouei:
F. Catthoor:J. Huisken:J. Stuyt:G. Dolmans:J. Penders:
H. De Groot
Holst Centre/IMEC,
Eindhoven, The Netherlands
e-mail: georgios.selimis@imec-nl.nl
J Med Syst
DOI 10.1007/s10916-011-9669-2

Page 2

However, besides its simplicity, the star topology cannot
always meet the desired reliability requirement. For
example, when the sensor node is attached to the back of
a body, the direct communication link will be blocked if the
master node is placed at the front of the body yielding to a
degradation of the wireless link.
Hence, in this paper, we will consider a restrained
tree topology as shown in Fig. 1. The WBAN starts to
operate using a star topology and time division multiple
access medium access control (TDMA MAC). When the
link between a sensor node and the master node degrades
to a predefined level, a restrained tree topology is
triggered to establish. As illustrated in the figure, suitable
sensor node(s) are chosen to act as gateways for the
subgroups where the sensor node(s) have worsen quality
link with the master node. Due to the requirements of strict
latency in WBANs, the tree topology is restrained such
that the tree depth, i.e. the maximum number of hops from
any end sensor node to the master node, is limited.
Further, the maximum number of gateways within one
network is limited.
When a wireless sensor sends or receives a packet to/
from another wireless sensor, the following security
primitives should be provided. Message/Data Confiden-
tiality which prevents messages from unauthorized
access via encryption algorithms since only the devices
that share the secret key can decrypt the messages and
communicate. Message/Data Integrity which prevents
changes from being carried out by an invalid intruder
and ensures that the transmitted messages from WSN
have not been manipulated by the invalid intruder. This
service is achieved through data authentication proto-
cols. Message/Data Authentication which allows a
receiver to verify that the message was sent by the
claimed sender. Replay Protection which prevents the
replayed message to be accepted by the receiver. To
achieve this service, the sender assigns a monotonically
increasing sequence of numbers (nonce) to each packet
and the receiver rejects the packets with smaller
sequence numbers. All the above services imply that
the sender and receiver share a common key. The
process that generates and distributes the shared keys is
known as secure association and it is determined by the
system resources, the security requirements of the
application (security level, attacker model) and the
network topology (star topology, multi-hop topology).
There are many works focused on security for WSN
but it is not accurate and realistic to apply WSN
security schemes directly into WBAN without taking
into account all the parameters of WBAN technology.
Book [4] provides a thorough analysis of the major trends
in wireless networks security. It is focused on general
application scenarios so it is difficult to apply directly the
described security protocols into WBAN system. In paper
[5] the authors present a suite of security protocols
optimized for sensor networks, SPINS. SPINS has two
secure building blocks: SNEP and TESLA but SPINS
introduce a more general WSN security approach. Paper
[6] estimates and compares the energy dissipation of Key
agreement protocols taking into consideration both pro-
cessor and radio power. It is the first work that highlights
the need to evaluate security protocols in terms of energy
for both microprocessor and radio hardware model. Paper
[7] presents an analysis of various WSN security mecha-
nisms from the perspective of healthcare applications, and
considers the importance of security to the successful
deployment of pervasive computing solutions in the
healthcare industry. However, no implementation and
design details are provided. Paper [8] presents the
integration of key management and secures communica-
tion techniques within a multi-hop protocol for a WBAN
scenario. No experimental results are provided based on
real hardware models. The idea of a cyber-physical
approach to security is proposed in [9] - where the authors
Fig. 1 A restrained tree
topology for WBAN [3] and
the medical information
environment
J Med Syst

Page 3

proposed the use of physiological signals for hiding secret
between two sensor nodes.
The motivation of the proposed work is to integrate high
complex security mechanisms in a WBAN. We have to
consider the wireless sensor resources, the topology of the
healthcare network-environment and the MAC frame to
provide a secure protocol for WBAN. Toevaluatetheenergy
that security introduces to the system a realistic hardware
model is needed: microprocessor for processing the security
algorithms and radio for transmitting/receiving data. There-
fore, our work proposes a unified solution that provides
lightweight security by taking into account wireless sensor
resources, WBAN topology and MAC frame and it is based
on realistic and accurate models and estimations.
We focus on the main security vulnerabilities concerning
WBAN and how we can take countermeasures for them.
We provide a realistic security scheme for WBAN based on
the lightweight security protocol for healthcare environ-
ments [8]. We are taking into account all the technology
parameters such as the wireless sensor system, wireless
topology and MAC frame. Due to scarce resources of the
sensor nodes in terms of Central Processing Unit (CPU)
requirements, available energy and memory sizes, it is
preferable to base the protection on symmetric key crypto-
graphic primitives [4]. Using the lightweight cryptographic
primitive Advanced Encryption Standard (AES) [10] and the
security mode CCM [11], we support Data Confidentiality,
Data Authentication, Data Integrity, Replay Attacks protec-
tion, and Secure association. Based on these services we
provide secure data transmission, master node broadcasting,
neighbor discovery and network key update-forward secrecy.
The main contributions of the current work are the
following:
&
We evaluate the energy overhead that security introduces
to the system based on commercially available off-the-
shelf components and the WBAN application scenario.
We demonstrate the overhead in terms of energy that the
proposed security scheme introduces in executing the
WBAN functionality. Microcontroller and radio represent
the main sources of energy overhead introduced by the
security functionalities. As baseline platform, we use the
TI MSP430F1611 [12] microprocessor and the Nordic
NRF24L01 [13] wireless Transceiver for the evaluation
of our proposed system.
We propose a new microcontroller unit that replaces the
MSP430F1611 and executes the security mechanisms
more efficient in terms of energy and performance. The
proposed microcontroller has been designed in order to
support the typical processing load such as a 16-bit
processor and accelerates the cryptographic functions.
The result is lower energy consumption and better
performance for the same functionality. Experimental
results are provided.
&
This paper is organized as follows: in Section II the
design considerations that Wireless Body Area Network
implies to the security system are given. The proposed
security system is presented in Section III. Experimental
method and results are presented in Section IV. The
microcontroller extension and the corresponding results
are given in Section V. Future work is provided in Section
V. Finally conclusions are presented in Section VI.
Design considerations
We take into account a couple of considerations in order to
propose the security scheme for WBAN.
A. System architecture
As illustrated in Fig. 2, a typical WBAN consists of a
master node that broadcasts control messages and the
wireless sensors that stream the sensor data to the master
node. Master node is connected via a secure link (wired or
Fig. 2 Wireless body area net-
work architecture
J Med Syst

Page 4

wireless) to a server where only limited users (e.g. medical
staff) are authorized to have access. Normally, this server is
located inside a hospital and several WBANs are allowed to
be connected to the indicated server simultaneously. Server
keeps secure the wireless sensor IDs and the corresponding
keys.
B. Threat model
In order to find the vulnerable aspects of the WBAN, we
should define the threat model, which demonstrates the
critical security points of the system that we should provide
solutions. The entire WBAN (attached on human skin) is
assumed to be under surveillance of user resulting to the
impossibility for someone to steal the nodes without being
detected. Anti-counterfeiting techniques can be applied to
store keys in a secure manner [15].
The server of the system is a device that is supposedly
physically protected and only authorized users (e. g. medical
staff) are allowed to access to this server. The indicated server
is responsible for the following tasks: It stores the keys of
sensor nodes and matches each key with its corresponding
sensor identity. It generates random keys when it is needed in
order to update the network key. Finally, the server commu-
nicateswiththemasternodewithwiredorwirelesssecurelink.
Therefore we assume an active model of attacks. Our
proposed security scheme tries to avoid eavesdropping,
inserting, deleting, modifying on all data transmitted in the
WBAN [8].
C. Communication patterns
The type of the transmitted data among the nodes can be
distinguished into two basic categories, sensor data and
control data. Sensor nodes transmit unicast sensor data to
the master node, such as skin temperature, skin conduc-
tance, heart rate, electrocardiography (ECG), electroen-
cephalography (EEG), electromyography (EMG), and
electrooculography (EOG) etc. On the other hand the
master node broadcasts control messages to organize and
synchronize the whole network. In addition, all the nodes
use gateway nodes (i. e. relay nodes) when they cannot
reach the destination node(s). More specifically the basic
communication patterns are the following:
&
“From Master Node” to the “Rest of nodes”: Broadcast
transmission. Master node broadcasts messages to control
the whole network. This broadcast can be the typical
“beacon” that the master node broadcasts to send informa-
tion to wireless sensors and synchronize the network.
From a“Nodei”to “Master Node or/and Nodej”: Unicast
transmission. Node transmits sensor data to master node
or to another node.
&
D. Keys
As we mentioned due to the very limited resources of the
sensor nodes in terms of CPU processing, available energy
and memory size, it is preferable to base the protection on
symmetric key cryptographic primitives. We consider two
types of keys:
&
Node Keys (Keyn): A Node Key is a key that is shared
by a sensor node and server. Each Node Key is pre-
loaded to each sensor node and it is stored in the server
as well. It is used for sensor discovery by the server and
authentication. When the authentication takes place then
the server generates and distributes a new Network Key
(Keyg)
Network Key (Keyg): The Network Key is a key that is
shared by all nodes in the network. It is used to encrypt
(or decrypt) and authenticate sensor data and authenti-
cate global broadcast messages. This key is generated
by the server and it is distributed to all connected nodes.
&
Together with keys we are using nonces. A nonce is
an abbreviation of number used once. It is often a
random or pseudo-random number issued to ensure that
old communications cannot be reused in replay attacks.
Both communication participants know the value of
nonces and update them increasing the number by one
after the usage.
Proposed security scheme
As we mentioned in Section I, the provided security
services are being supported by symmetric key crypto-
graphic primitives and they are the following: Message/
Data Confidentiality, Message/Data Integrity, Message/Data
Authentication and Replay Protection. The proposed secure
association consists of the following phases: master key
pre-loading, neighbor discovery, link key computation and
key update.
We use the well defined and standardized CCM mode
to support the indicated security services. CCM specifies
an algorithm, Counter with Cipher Block Chaining-
Message Authentication Code (CTR and CBC) that can
reassure of the confidentiality and authenticity of encryp-
ted data. CCM is based on an approved symmetric key
block cipher algorithm whose block size is 128 bits, such
as the Advanced Encryption Standard (AES) algorithm.
The main advantage of CCM mode is that we apply the
same key for authentication and for encryption without
compromising security [14] and the key does not have to
be re-initialized as long as the device communicates with a
fixed participant(s).
J Med Syst

Page 5

The following communication modes can be identified
as crucial to support the previous protocol services.
Hence, they have been used also to construct our energy
models:
Mode1 (CCMMode1): Sensor node sends message to
master node to be registered into the network.
Mode2 (CCMMode2): Master node replies with a new
key and the corresponding nonce.
Mode3 (CCMMode3): Sensor node sends a secure
acknowledgement message back.
Mode4 (CBCMode4): Master node broadcasts control
messages to the whole network.
Mode5 (CCMMode5): Sensor node transmits sensor data
to the master node or to another node.
A. Transmitting sensor data from nodeito Master/Nodej
(Mode5)
Nodeisenses data and transmits these data to the master
node or to another node. As all the nodes in the network, it
shares the temporal common network key Keyg,which is
generated by the server. The security overhead is the CCM
algorithm for microprocessor processing and 4 additional
transmitted/received bytes for message authentication code
in radio communication. If there is a gateway node between
node and master node, then the corresponding processing
and communication overhead is doubled. Data Confidenti-
ality, Data Integrity, Data Authentication and Replay
Protection security services are provided to the transmitted
packets. In Fig. 3, the transmission of sensor data from
sensor node to master node is presented.
B. Transmitting control messages from master node
to network (Mode4)
The master node authenticates its broadcasting data using
AES-CBC mode. In this case, the additional cost that
security introduces is AES-CBC algorithm in terms of
microprocessor overhead and 4 additional transmitted/
received bytes in terms of radio communication. We use
Keyg network key for this broadcasting. If there is a
gateway between master node and destination node, as
illustrated in Fig. 1, then the gateway forwards the packet.
Note that each node that wants to enter the system receives
control information from the master node without authen-
tication (since it does not handle the current network key).
Then, it is able to send an appropriate HELLO Message to
join the network.
C. Secure association protocol
The secure association protocol consists of the following
processes:
Node Key (Keyn) pre-loading The Node Key pre-loading is
performed before deployment in secure environment.
During this phase, a unique Node Key is installed in each
sensor. The server holds the Node Keys and their
corresponding IDs.
Secure Neighbor Discovery (Mode1, Mode2, Mode3) The
neighbor discovery phase starts after the insertion of
nodeiinside the WBAN. Nodeiinitializes a timer to fire
after some time Tmin. Then it tries to join into the network
broadcasting a HELLO message. We apply the AES CCM
security mode for the HELLO message. Sensor encrypts
with its secret key Keynthe corresponding nonce (non-
ceKn) which has a size of 8 bytes. Then, the encrypted and
authenticated nonce is encapsulated to the MAC frame
(mode1). Master node receives HELLO message and it
conveys it to the server. Then server checks if it is valid or
not, by decrypting the message using the Keyn. Since
authentication server confirms that key is valid, sends
back a confirmation message. The confirmation message
includes a new generated key – Network Key (Keyg) – and
its corresponding nonce (nonceKg),(mode2). Since the
sensor node receives the message via the master node, it
sends back an acknowledgment message to the server and
it updates its key to Keyg(mode3) The following Fig. 4
presents the overall scenario during Neighbor Discovery.
Fig. 4 Neighbor discovery process
Fig. 3 Transmission of sensor data from Sensor Node to master Node
J Med Syst

Page 6

Network Key Update Both unicast and broadcast commu-
nication patterns are based on the secrecy of the shared
network key Keyg.. As we mentioned after Neighbor
Discovery process, the Server sends to the node a new
generated Network Key Keyg'. Then the server should
update the keys of the other nodes such that all the nodes
could share a common network key. Master node sends to
each sensor node in a unicast manner individually the new
network key until all the nodes of the network share the
same key. When a sensor node leaves the network, the
server should update the network key as well, providing
forward secrecy into the system, since the node that leaves
the network cannot successfully read/modify/insert/delete
data in the WBAN.
Experimental evaluation method and results
In this section we estimate the energy dissipation that the
security services introduce to the global system that is
composed of off-the-shelf-components, namely the micro-
processor and the radio.
A. Timing and power overhead for the microprocessor
The compiler (IAR Compiler for MSP430 v 4.20.1) settings
are optimized towards High/Balanced optimization for
memory size and speed. The required footprint for our
security services is for code memory 8357 bytes of code
memory and 1330 bytes of data memory. The execution
time and the corresponding clock cycles for each mode
(Sub Section IV.D) are displayed in Table 1 and it is the
same for sender and receiver sides. Based on the time that
the processor spends for the security modes and on the
MSP430F1611 datasheet we estimate the required energy
that MSP430 needs. According to the datasheet [12], the
average power consumption is 12.63 mW at 3 V while
running at 8 MHz. Then Table 1 presents the required
energy.
B. Timing and power overhead for the radio Transceiver
The low-power Nordic NRF24L01 2.4 GHz Transceiver is
used for radio communication. It takes advantages of its
proprietary packet format, which is presented in Fig. 5 and
described in the datasheet to allow for special features of
interest for this proposed security scheme. The PCF -
Packet Control Field - defines the size of the Payload Field
enabling the support of the dynamic payload length (from
1–32 bytes).
From the five modes mentioned in Section III, we
derive two types of secure frames Secure Type1, and
Secure Type2. Secure Type 1 is applied for the mode1
and mode3 whereas Secure Type 2 is applied for mode2,
mode4 and mode5. The proposed Secure Types presented
in Fig. 6.
The overhead that security introduces is 4 bytes both
in the transmitter and the receiver sides representing the
overhead introduced by the message authentication
code.
We estimate the energy we need in order to send/receive
the two different types of packets. According to the
nRF24L01’s datasheet [13], a typical packet transmission/
reception is composed of ‘Settling’ period and an ‘OnAir’
period. The energy numbers are therefore:
Epacket¼ Esettlingþ EOnAir;
On one hand, independent of the size of the packet, the
‘settling’ period is required prior any packet transmis-
sion/reception for the phase lock loop (PLL) to correctly
lock the radio’s carrier frequency. According to the
datasheet,
Esettling¼ tsettling»P3V
settling¼ 130ms»8mA»3V ¼ 3:16mJ:
The ‘OnAir’ period represents on-air transmission/
reception time and therefore is intrinsically related to the
packet size as well as the air data rate. Assuming a 2-byte
CRC check, a Tx/Rx output power (+0 dB), and a 2Mbps
air data rate, the amount of energy needed over the ‘OnAir’
period is computed as follows:
EOnAir SizePayload
?
?
?
?¼
?¼ 1051:65nJ þ SizePayload»18:450nJ
These numbers show that the microprocessor activity is by
far the dominant factor of the overall energy dissipation for
our introduced hardware model.
SizeOverheadNordicþ SizePayload
DataRateOnAir
?¼ 966:15nJ þ SizePayload»16:895nJ
??»P3V
OnAir
ERx
ETx
OnAirSizePayload
OnAirSizePayload
Table 1 Timing and Power overhead that security introduces to the
MSP430 processor
F = 8 MHz Power =
12.63 mW
Clock
cycles
Timing Energy
Mode1
Mode2
Mode3
Mode4
Mode5
31504
46367
31526
16156
46386
3.93 msec CCMMode1:49.63 μJ
5.8 msec CCMMode2:73.25 μJ
3.94 msec CCMMode3:49.76 μJ
2.02 msec CBCMode4:25.51 μJ
6.95 msec CCMMode5:87.78 μJ
J Med Syst

Page 7

C. Energy cost of secure communication
Based on Tables 1 and 2 the overall extra energy dissipation
per application scenario is calculated. “CCMModex/Sender or
Receiver” and “CBCModex/Sender or Receiver” refers to the
introduced energy cost due to microprocessor and it
assigns the security operation (CBC or CCM) with the
corresponding communication mode . “Transmitter”
refers to the dissipated radio energy due to transmission
and “Receiver” due to reception. We added only the
energy cost that security (4 bytes) introduces to the radio
system for the first two application scenarios. For this
reason we subtract Non Secure Energy from Secure
Energy (Securex-Secure). We have added the whole
energy radio cost for the two last services because are
pure security related application scenarios by definition.
Then the dissipated energy per application scenario is
estimated.
1. Data Transmission from sensor to master (per packet):
CCMMode5=Senderþ TransmitterðSecure2?Non SecureÞ
þ ReceiverðSecure2?Non SecureÞþ CCMMode5=Receiver
¼ 2»87:78mJ þ 0:54mJ þ 0:59mJ ¼ 176:69mJ
2. Master node broadcasting (per packet):
CBCMode4=Senderþ N»CBCMode4=Receiver
þ TransmitterSecure2?Non Secure
þ ReceiverSecure2?Non Secure
¼ 25:51mJ þ 25:51mJ þ 0:54mJ þ 0:59mJ
¼ 26:05 þ 26:1
ðÞ
ðÞ
ðÞmJ
3. Neighbor Discovery
CCMMode1=Senderþ CCMMode1=Receiver
þ TransmitterSecure1þ ReceiverSecure1
þ CCMMode2=Senderþ CCMMode2=Receiver
þ TransmitterSecure2þ ReceiverSecure2
þ CCMMode3=Senderþ CCMMode3=Receiver
þ TransmitterSecure1þ ReceiverSecure1
¼ 372:06mJ
4. Network Key Update
CCMMode2=Senderþ CCMMode2=Receiver
þ TransmitterSecure2þ ReceiverSecure2
þ CCMMode3=Senderþ CCMMode3=Receiver
þ TransmitterSecure1þ ReceiverSecure1
¼ 265:38mJ
New microcontroller design
A. Proposed design methodology
Many works focus on the energy that the radio consumes
and overlook the microprocessor energy consumption. As
reported in [16] an accurate hardware model (microproces-
sor and radio) and the functionality (software) are required
for accurate energy evaluation of the system. Based on the
previous section results, we conclude that the energy
consumption of the microcontroller is dominant compared
Fig. 5 Nordic NRF24L01
2.4 GHz Transceiver packet [13]
Fig. 6 The proposed two types
of security
J Med Syst

Page 8

to the energy consumption of the radio for our proposed
application scenario. Therefore, we propose a specific
microprocessor design that accelerates the security func-
tionality and reduces the energy dissipation of the whole
system.
We replace the MSP430F1611 processor with a new
custom processor that has special instructions in order to
accelerate the security functionality. The new processor is
optimized for the AES algorithm and as result needs less
clock cycles and memory accesses to deliver the AES
output. We used the IP Designer tool suite of Target
compiler [17] for the implementation of the proposed
microcontroller. The proposed design is based on a 16-bit
default processor which contains a 16-bit datapath,
connected with a 16-bit width data memory, register file
of 8 general purpose registers and ALU (Arithmetic Logic
Unit). The ALU supports simple arithmetic and logical
instructions. The instruction word is also 16 bits and the
program code is stored in a 16-bit width program
memory. The choice of the 16-bit default processor is
based on the fact that the typical low power processors
such as MSP430 are 16-bit based. The default processor
is extended with additional 128-bit vector units intended
to support and accelerate the cryptographic domain.
These vector units are a vector memory, a vector register
file of 8 registers and a functional unit which contains
the cryptographic instructions. Additionally, the functional
unit contains logical and arithmetic instructions that our
applications require, such as XOR, OR, AND and special
instructionswhichimplementthecommunicationbetweenthe
two different register files (the default 16-bit register file and
the vector register file). The proposed microprocessor design
is shown in Fig. 7.
The main advantage of the indicated design approach is
the ability to use the vector units only when the specific
cryptographic domain needs them. Therefore, hardware
acceleration in combination with suitable software routines
support AES-CTR, AES-CBC and AES-CCM modes of
operation.
The most complex operations of AES functionality are
Subbytes and Mixcolums. The SubBytes is implemented
with the one hot encoding because it shows a reduction
in power consumption compared with other implementa-
tions we studied and implemented. Specifically for
90 nm CMOS technology, the power consumption is
decreased by 25.8% compared to the implementation
with combinational logic, and by 7.8% compared to the
look up table implementation in hardware. The MixCol-
umns is implemented with the use of xtime instruction.
The xtime implements the finite field multiplication of an
element with the {02} element, with combinational logic.
By repeating the application of xtime and adding the
intermediate results, we can achieve multiplication by
any constant. Finally the ShiftRows is implemented
through the appropriate wiring.
B. Experimental results and comparisons
In Table 3 we compare our proposed microprocessor when
it executes the AES algorithm, with other works (ref. [18–
20] that support AES. We show that our proposed
Table 2 Energy overhead that security introduces to the Nordic
NRF24L01 2.4 GHz Transceiver
Packet typePacket SizeTransmitter Receivers
Secure 1
Secure 2
Non Secure
153 bits
281 bits
249 bits
3.55 μJ
5.71 μJ
5.17 μJ
3.87 μJ
6.23 μJ
5.64 μJ
Fig. 7 The proposed microprocessor architecture
J Med Syst

Page 9

microprocessor design needs the less clock cycles com-
pared with the other works. Additionally, the memory
requirements of the microprocessor are smaller compared to
[20], which supports only AES. The achieved throughput is
the highest among the presented throughputs in the Table 3.
The cost in area is significantly higher, because we
implement a processor and we aim for the optimization of
the energy, while the works [19, 20] aim for the
optimization of the area and power. Finally the energy
dissipated by the microprocessor is lower than the energy
indicated in the [19] for the execution of encryption. The
synthesis results have been acquired using Cadence tools
[21]. The chosen CMOS technology is 90 nm with 1.2 V
core voltage and all post synthesis simulations and
generation of switching activity information have been
done at logic gate level after place and route with 100 MHz
frequency. The power consumption is measured using
Primetime of Synopsys [22]. The estimated power and
energy measurements take into account the whole system,
including the memories, while the estimations of the area
exclude the memories.
The high performance that the microprocessor design
exhibits, allows the further reduction of the frequency or
the voltage in order to achieve even more energy efficient
systems. The proposed microprocessor design achieves a
throughput of approximately 22 Mbps, when it executes the
AES-CCM mode of operation, a value which is extremely
high for the WSN. A typical value of throughput is 1 Mbps.
In order to achieve this throughput we reduce the frequency
to 4.61 MHz and re-synthesize the microprocessor design.
The results are presented in Table 4. The initial micropro-
cessor design in order to achieve the high frequency of
100 MHz, makes extensive use of buffers and large and fast
gates. Therefore when we reduce the frequency we give
freedom to the synthesis tools to use more power efficient
gates, leading to the overall reduction of the energy
dissipation.
In Fig. 8 the improvement of the total system (Micro-
processor and Radio) energy consumption by using the
proposed microprocessor is given.
Future Work
As we described, the main goal of the proposed protocol is the
integration of security mechanisms in wireless sensor nodes to
enable their use for applications with high security require-
ments such as medical devices and systems. This effort makes
the integration of security systems in sensors feasible. On the
otherhand,invasivephysicalattacks[23] on the memory (non-
volatile) where the key or other “secret data” are stored make
any attempt for building protocol based security mechanisms
useless. Making the sensor node secure itself and resistant to
physical attacks is an important countermeasure. Physical
attacks protection remains a hard problem because this type of
attacks is based on sophisticated reverse engineering methods
(making use of sophisticated microscopes) which try to extract
the key from a non-volatile memory. Combining the proposed
systems with physical attacks countermeasures is going to be
the main part of our future work.
Conclusions
We propose a complete security scheme for WBAN based
on symmetric algorithms. We highlight and take into
Table 3 Comparison with other works
Proposed Ref. [18] Ref. [19] Ref. [20]
Clock cycles
Program size(bytes)
Data and vector memory
size (bytes)
Throughtput(Mbps)
Area(GEs)
Energy (nJ)
132
1468
848
1032
–
–
534
–
–
1151
3816
624
96.97
34299
9.39
9.9
3400
–
0119
4070
50.95
20.84
–
–
Table 4 Microprocessor synthesis results for different frequencies
Throughtput
(Mbps)
Frequency
(MHz)
Clock
Period (ns)
Power
(mW)
Area
(nand2 eq.)
Energy
(nJ)
21.76
1
100
4.61
10
217
7.12
2.76
34299
27389
41.86
35.20
Fig. 8 System comparison results:MSP430 + Nordic vs. Proposed
microprocessor + Nordic
J Med Syst

Page 10

consideration the most critical aspects concerning WBAN
security technology. More importantly, we propose a
complete energy evaluation approach based on commer-
cially available off-the-shelf components since energy
consumption is one of the main concerns in WBAN.
Evaluation energy results are given in detail. In addition,
we replace the commercial processor with a new custom
processor that has special instructions in order to accelerate
the security functionality. The new processor is optimized
for the symmetric algorithm and it needs less clock cycles
and memory accesses to deliver the output.
References
1. Sana Ullah, Henry Higgins, Bart Braem, Benoit Latre, Chris
Blondia, Ingrid Moerman, Shahnaz Saleem, Ziaur Rahman,
Kyung Kwak, “A Comprehensive Survey of Wireless Body Area
Networks”, Journal of Medical Systems, pp. 1–30, (2010).
2. IEEE 802.15.6 Body Area Network standard, available: http://
www.ieee802.org/15/pub/TG6.html
3. F. Shu, D. Neirynck, and O. Rousseaux, “IMEC UWB MAC
Proposal for IEEE 802.15.6”, Available:https://mentor.ieee.org/
802.15/dcn/09/15-09-0332-00-0006-imec-uwb-mac-proposal-
documentation.doc, (2009).
4. L. Buttyan and J. P. Hubaux, “Security and Cooperation in
Wireless Networks: Thwarting Malicious and Selfish Behavior in
the Age of Ubiquitous Computing”, Cambridge University Press,
(2007).
5. A. Perrig, R. Szewczyk, V. Wen, D. Culler, and D. Tygar, “SPINS:
Security Protocols for Sensor Networks, in Wireless Networks”,
Mobicom, pp. 189–199, (2001).
6. A. Hodjat and I. Verbauwhede, “The energy cost of secrets in ad-
hoc networks”, Proc. IEEE CAS Workshop on Wireless Commu-
nication and Networking, (2002).
7. Ng, H. S., Sim, M. L., and Tan, C. M., Security issues of wireless
sensor networks in healthcare applications. BT Technology
Journal 24(2):138–144, 2006.
8. D. Singelée, B. Latré, B. Braem, M. Peeters, M. De Soete, P. De
Cleyn, B. Preneel, I. Moerman, C. Blondia, “A Secure Cross-
Layer Protocol for Multi-hop Wireless Body Area Networks”,
ADHOC-NOW, pp. 94–107, (2008).
9. S. Cherukuri, K. Venkatasubramanian, and S. K. S. Gupta,
“BioSec:ABiometricBasedApproachforSecuringCommunication
in Wireless Networks of Biosensors Implanted in the Human Body”,
in Proc. of Wireless Security and Privacy Workshop, pp. 432 – 439,
(2003).
10. National Institute of Standards and Technology (NIST), “FIPS-197:
Advanced Encryption Standard”, November 2001. Available online
at http://www.itl.nist.gov/fipspubs/, (2001).
11. National Institute of Standards and Technology (NIST), “NIST
Special Publication 800–38 C, Recommendation for Block Cipher
Modes of Operation: the CCM Mode for Authentication and
Confidentiality”, (2004).
12. MSP430F15x, MSP430F16x, MSP430F161x Mixed Signal
Microcontroller, available: http://focus.ti.com/lit/ds/symlink/
msp430f1611.pdf, (Revised May 2009).
13. Nordic Semiconductor, nRF24L01, single chip 2.4 GHz Tranceiver,
(2007).
14. J. Jonsson, “On the Security of CTR + CBC-MAC”, selected
Areas in Cryptography, (2002).
15. Georgios Selimis, Mario Konijnenburg, Maryam Ashouei, Jos
Huisken, Harmke de Groot, Vincent van der Leest, Geert-Jan
Schrijen, Marten van Hulst and Pim Tuyls, “Evaluation of 90 nm
6 T-SRAM as Physical Unclonable Function for Secure Key
Generation in Wireless Sensor Nodes”, in proceedings of IEEE
ISCAS Brazil, (2011).
16. R. Min and A. Chandrakasan, “Top Five Myths about the Energy
Consumption of Wireless Communication”, in ACM Sigmobile
Mobile Communication and Communications Review, pp. 65–67,
(2002).
17. Target Compiler Technologies: http://www.retarget.com.
18. Feldhofer,M.,Wolkerstorfer,J.,andRijmen,V.,“AESImplementation
onaGrainofSand”,IEEProceedingsonInformationSecurity.Volume
152:13–20, 2005.
19. J.-P.Kaps,andB.Sunar,“EnergyComparisonofAESandSHA-1for
Ubiquitous Computing”, in Proceedings of Emerging directions in
embedded and ubiquitous computing (EUC 2006 Workshops), pp.
372–381, (2006).
20. N. Suarez, G. M. Callico, R. Sarmiento, O. Santana, and A. A.
Abbo, “Processor Customization for Software Implementation of
the AES algorithm for Wireless Sensor Networks”, pp. 326–335,
Patmos, (2009).
21. Cadence design tools, http://www.cadence.com
22. Synopsys Primetime, http://www.synopsys.com
23. A. Becher, Z. Benenson, and M. Dornseif, “Tampering with
motes: Real-world physical attacks on wireless sensor networks”,
in Proceedings of SPC, pp.114-118, (2006).
J Med Syst