The Hybrid Combinatorial Design-based Session Key Distribution Method for IoT Networks

—Internet of Things (IoT) is currently being used in a range of applications as cutting-edge technology. IoT is a technological platform that connects the physical and digital worlds, allowing us to use things remotely. Various sensor-connected nodes serve as objects that communicate with one another over the internet. Hence security-related problems are more likely to arise in IoT networks. However, due to resource constraints such as power and memory capacity, complex security algorithms cannot be implemented in IoT networks. One of the security measures for IoT networks is to implement the lightweight key distribution algorithm. The lightweight key management process is essential for IoT networks to share the key securely. We presented the new key-distribution approach based on the hybrid combinatorial design that implements lightweight algorithms and describes the analysis functions. The comparison to existing hybrid combinatorial works shows better connectivity, resilience, and scalability.


I. INTRODUCTION
The Internet of Things (IoT) is a system that allows multiple sensor nodes and wireless nodes to communicate without the need for human involvement. The term "things" in the Internet of Things refers to physical objects such as sensor nodes that monitor or access data from other networked devices. In the research aspect, IoT has been becoming a much-desired area. The security of each node"s data is the primary issue in today's rapidly growing IoT networks.The security services are like confidentiality, authentication, and integrity of the data. Cryptographic algorithms and keys are required for encryption, and effective key management is essential for this process to work appropriately. Ineffective key management can make even the strong algorithms useless for any type of network. IoT networks also need to have strong key management procedures.
Even though key management is essential for IoT networks, using conventional key management methods demands more memory. Due to resource-constrained nodes' memory and battery limits, the IoT network requires a lightweight solution.Thus, we discussed about lightweight approaches that are already in use for key management.Basic methods to generate and distribute the keys to nodes in the network are symmetric keys and public keys. Even though the public key approach is widely used for key distribution, it could not be used often in IoT networks since it requires more memory and processing resources to run the code, and in many applications, these approaches are also costly. Hence, the Majority of IoT networks are using symmetric key distribution methods, which require only one key to share as mentioned by Alagheband et al. [1].
There are two methods for sharing keys amongst connected nodes: decentralized and centralized approaches. In the decentralized process, Nodes in the network can share their secret keys directly with one another to provide secure communication. Every node should hold private keys that are unique for communicating with each node in the network. Those private keys are exclusive to committed pairs only. However, as IoT networks grow, devices will be unable to keep as many secret keys in memory due to the restricted memory space of IoT nodes.
Another option for resolving this problem is to use a trustworthy centralized device to distribute private keys to all nodes in the network. Key Distribution Center (KDC) is an example of providing centralized service. Kouicem et al. [2] presented that the KDC is a mechanism that distributes keys to all the users in a network sharing sensitive or confidential information. When two nodes in a network need a connection, they request the KDC to generate a unique session key that end users can use as a secret key for communication. So, the nodes can share the data with other nodes connected to the network using Key Predistributions or KDC.
As a result, using a KDC with symmetric key distribution is the best way to distribute the key to all nodes. One of the best symmetric key generation approaches is combinatorial block designs.It uses a simple calculation to compute the blocks for different nodes. Many Authors have been working on this for determining the keys for multiple nodes.In the introduction, we covered the fundamental ideas of combinatorial block design, how the authors expanded these ideas to implement keys for every node, and a brief discussion on our approach.
Stinson et al. [3] used Balanced Incomplete Block Design (BIBD) which is one of the combinatorial designs to generate the blocks for sharing the keys securely with other nodes. When it is impossible to incorporate all treatments or factor combinations for every block, then BIBD is utilized here. www.ijacsa.thesai.org And also assume that the blocks (b) are just partially complete by confining with the following conditions.

1) 2)
In any block, the same key doesn"t appear more than once.
 ij: i and j are two different keys from the "v", it gives the occurrences among the blocks. Another combinatorial method is the finite projection plane. A Finite Projection plane consists of P points and set of subsets of P called lines. A prime integer q (>=2) and that has four properties.
1) Every line should be having exactly q+1 points 2) Every point occurs on exactly q+1 lines 3) Exactly points used 4) Exactly lines used; then that can be called Symmetric Design with ( , ,1) given by Stinson et al. [4].
Already existing key predistribution methods are mainly followed by three procedures.

1)
Probabilistic: Keys are chosen randomly from the pool and assigned to the nodes.
2) Deterministic: Based on pre-defined procedures select the keys and assign them to the nodes.
3) Hybrid Approach: The combination of both approaches is mentioned above.
The KDC implements key predistribution methods to get the keys for all nodes. The pre-key distribution can be acquired based on the key-Matrix approach by Chien et al. [5], So it helped share the key easily. Other pre-key distribution approaches are Blundo et al. [6] and Liu et al. [7], In these, Polynomial-based key pre-distribution was proposed for group key establishment. In Chan et al. [8], Two nodes having q keys should be linked, and the hash value of the q keys would be used for key verification that improved resilience from the attackers. Qian and Sun [9] presented the drawback of the above approach is that resilience increased but wouldn"t guarantee to get the common key between two devices. Li et al. [10] was provided threshold value for random key predistribution in which each should communicate with its neighbor node with the same key. Catakoglu et al. [11] increased the resiliency of the previous system by adding numerous key rings.
Camtepe andYener [12], first time they presented the symmetric balanced incomplete design(SBIBD) for generating the keys for nodes in the network, however, the disadvantage is the scalability of the network with nodes. In comparison to prior techniques, Lee et al. [13] exhibited improved resilience.Ruj et al. [14] generated the pre-key distribution method using the partial BIBD technique, however, it did not share the keys with every node in the network. Ruj et al. [15], the same authors proposed a combinatorial strategy for improving BIBD and PBIBD resilience. Bechkit et al. [16] employed a new pre-key distribution design, a combinatorialbased way to determine the keys, which improved the scalability and connectivity.Bahrami et al. [17] presented great scalability of the network nodes by using residual key predistribution design for key pool generation.
Camtepe et al. [18] presented a combinatorial method for generating keys for network nodes that are connected. And they used SBIBD and GeneralizedQuadrangle (QD), which are the basictwo deterministic key pre-distribution designs. Complete connectivity between network nodes was the improvement of this algorithm. Also provided is the hybrid pre-key distribution method.Chakrabarti et al. [19] and Kavitha et al. [20] enhanced the scalability and connectivity of the previous approach.Dargahi et al. [21] enhanced the hybrid method to get the keys for almost all network nodes, but didn"t get the exact number of keys to all network nodes. When compared to prior hybrid techniques, Akhbarifar et al. [22] used a hybrid strategy and provided improved connectivity and resilience. However, the unique keys were not generated for nodes in the network.
Despite the fact that combinatorial designs have been addressed extensively, not all linked network nodes are given the session keys. Every IoT network needs to be able to enable the construction of many nodes and should distribute a session and a unique key for every node.By supplying unique and dynamic keys for each node, we suggested a hybrid combinatorial method that resolves the problems discussed earlier. As a result, our system now supports network scalability. www.ijacsa.thesai.org Our entire method is detailed in a total of six sections:  Secton 1 gives the introduction part of basic methods for Combinatorial block designs.
 Section 2 explains the existing hybrid approaches and their drawbacks in detail.
 Section 3 is our actual work to be implemented to generate the unique and session keys for every node.
 Section 4 gives the analysis of scalability, connectivity,resilience, and Memory utilization. And also provides the results analysis with graphs.
 Section 5 is a complete discussion.
 Section 6 is a conclusion.

II. RELATED WORKS ON HYBRID COMBINATORIAL DESIGNS
Camtepe and Yener [12] proposed a first-time pre-key distribution strategy based on the SBIBD technique. It was the basic combinatorial design to get the keys for network nodes.
Assume there are b blocks, each with k keys, and v total number keys can be used, each key replicated r times.The following criteria were used to allocate keys to the nodes in the proposed algorithm.
The fundamental advantage of this approach is that it identifies the unique keys among the b nodes. This technique had good connectivity and resilience, but it lacks scalability. However, this strategy has the disadvantage of limiting the total number of blocks that meet the before-mentioned criteria. As a result, it was completely reliant on the q value. This approach could not identify the keys for all n nodes in the network; where N is the total number of network nodes, and that was not meet the above condition.Although this method cannot be applied to all of the network's nodes, it accurately delivers the keys for the limited number of nodes.
In Camtepe et al. [18] (HSYM), the previous approach was upgraded by including scalability and resilience properties. It was implemented using a hybrid technique that enhanced the number of nodes in the IoT networks. It could find the b blocks by using SBIBD and this method found the complimentary design for all symmetric blocks then chose q+1 keys and assigns them to the remaining nodes.The author's implementation is described in Algorithm1.The fact that more nodes have a chance of acquiring the same key reduces the probability of obtaining a key share, which is a drawback of this technique. Dargahi et al. [21] (MHS) proposed an enhancement version of the above hybrid approach. For b blocks, they also used the same BIBD method. For the remaining nodes in IoT networks, they used a different key pool. N-b times, they have chosen q+1 keys from the new key pool that were assigned to additional N-b nodes.The generation of the blocks is described in Algorithm 2.The authors have used more space in the node memory to store the extra keys and new key pool in the nodes, but we all know, that IoT devices have limited capacity. Akhbarifar et al. [22] (MHSYM) proposed a new enhancement of the previous proposes. They identified two random blocks in b, combined their blocks data, then extracted the q+1 keys from it. Then allocated each of the remaining nodes with a random selection of q+1 keys.Algorithm 3's detailed explanation of the entire process. The key share probability was increased as compared to Camptepe [18] method, but there is no guarantee that at least one common key would be allocated among the blocks. The complete procedure explained in Algorithm 3. from KP 1 and assign them to b nodes; 5. Choose two blocks among b blocks randomly; 6. Merging two blocks to construct new key-pool M; 7. Select ( blocks among subsets of M and assign them to remaining nodes. End As mentioned above, the Procedures to apply the hybrid combinatorial design won't generate keys for all blocks of nodes.Our method uses a limited memory source to provide session keys for all blocks of nodes.The proposed work covers related algorithms and also provides examples for key generation.

III. OUR PROPOSED WORK
The Symmetric BIBD (SBIBD) allows multiple users in the same network to share the same keys without causing any problems. The IoT Architecture has not been supporting for huge capacity of memory inbuilt and high processing devices. Because of the above-mentioned reasons, the IoT node connected to the network is unable to remember all of the keys required for communication with other nodes in the network.
The SBIBD allows for the storage of the smallest amount of keys on the devices themselves, however, scalability is an issue here. If the network grows larger, nodes will be unable to store numerous keys in the tiny size memory. So, we are providing a new solution to this problem, a centralized system called Dynamic Key Generation and Distribution Center (DGDC). And the whole design that we suggest is depicted in Fig. 1.
In the context of IoT, we describe the symmetric key authentication and key management system based on BIBD.
In this paper, we present a technique for exchanging the secret key that uses for providing the different security levels to assure scalability and confidentiality. We propose a technique for key agreement between two IoT devices that have never been in contact before, based on trusting the centralized server or using a proxy-based approach. Fig. 1, describes the overall architecture that we have implemented to generate the session key and distribute it to the host which is requestedto the centralized server. The diagram itself is made up of three different blocks: DGDC, Initiate System (A) which starts to set up the communication connection, and Destination System (B) which accepts data from User (A) after receiving the Session key from DGDC.
The connected systems first exchanged their symmetric key to communicate with the centralized block, which is DGDC. Before implementing this architecture, the symmetric keys (secret keys for authentication) should be shared with DGDC so that other systems already connected to the network can communicate with it. Hence, this step is really important for our design because it is also providing authentication.Key generation and Key Distribution are the two main components of DGDC's actual work.
For Generating the keys, DGDC always works on the below-mentioned algorithms to implement the symmetric keys for all connected nodes. The previous algorithms mentioned in the related works are not implementing unique keys for all connected nodes.It is a pioneering building component for dynamic key implementation and distribution, increasing data security by often changing node keys.
In the DGDC, Data generation block contains all of the modules that have been proposed to create dynamic and unique keys for data transactions carried out by connected nodes. The modules are: 1) SBIBD, 2) Building the remaining nodes, 3) Computing the unique keys for each node in the network using a hybrid combinatorial design approach, 4) Reconstructing the outgoing blocks of nodes to protect the keys that have been compromised.
To create a complete table with unique keys for every node, DGDC executes each module in the order that they are presented.Once the table has been built, DGDC verifies requests using secret keys before sending the session key to the requested nodes.
Here, the architecture also proposed by us gives more security levels to the data because the session keys are not known by each individual connected system in the network. If an attacker compromises one of the systems, the attackers are unable to identify the session keys from the compromised system as it never stores any keys in their systems.
In particular, eight steps must be completed to observe the workings of our model. They are mentioned below in the Fig. 1. The model can generate and distribute the session key for communication between the request systems based on the mentioned processes. One of the most essential features of the proposed approach is the ability to dynamically alter the session keys of each system. www.ijacsa.thesai.org

1) Both users A and B identified their symmetric keys and exchanged them with DGDC for authentication purposes.
2) User A requests a session key from DGDC to communicate with User B.
3) By using a symmetric key, DGDC completes the authentication process and obtains the common key of both parties. And sends it to User A. 4) Using the Session key provided by the DGDC, User A transfers the data to User B. 5) Using its symmetric key, User B requests the session key from DGDC. 6) Like Step3, DGDC finishes its authentication process and provides the session key (which is already shared with A) to B. 7) User B uses the session key to decrypt the data provided by User A and provides the acknowledgment in an encrypted format.
8) The communication between User A and User B begins with the use of the same session key.
In the Proposed Work, The main required module is DGDC, it is generating the session keys dynamically and distributes them to the systems. First, we have to complete the code for generating the SBIBD with restricted blocks provided in Algorithm 4. The session keys for all nodes in the network could not be generated through the SBIBD procedure.
Where N is the number of network nodes used in communication. Calculate N>=q2+q+1, where q is the largest prime integer that may be used to solve the preceding equation; the result is v and b. Here, The "N" and the "v " may not be the same. That is, the SBIBD algorithm was unable to determinethe keys for each node in the N network. SBIBD can be generated with v blocks and q+1 keys, which are represented by the k in each block.
The input for Algorithm 4 is N which is the number of nodes that need to be connected to the network, where v, k, and r are generated by the above Algorithm 4. The maximum number of nodes (blocks) in a network for generating session keys in SBIBD is represented by b. However, Algorithm 4 provides limited session keys for a few numbers of network nodes, therefore we are improvising by using other Algorithms 5, 6, and 7.

Input(s): N (Total Number of nodes) Output(s): B Begin
1. Choose the maximum prime number q to compute the below equation 2. Using the previous equation, generate inputs for producing the blocks. ; where v is the size of the key pool ; b is the number of blocks ; k is the number of keys allotted to each block ; denotes, In SBIBD, each node has only one shared key to communicate to other nodes in the B.

Construct blocks B using Symmetric BIBD design . Then assign the blocks in End
Algorithm 5 completes the generation of remaining blocks of the network nodes. Algorithm4 computes the " B ' number of blocks, while Algorithm5 will handle the rest.c=N-b; c is the number of blocks to be calculated, where N network nodes and b have already been given in Algorithm 4. Algorithm 5 determines which of the c number blocks should be assigned to the network's other nodes. In Algorithm 5, the R represents the remaining nodes of the IoT network.Select the keys from the key pool, and then place them as keys to generate the blocks by the requirements of Algorithm 5.

Input(s): c,v,k Output(s): R Begin
1. Construct the (v,N-b,k,r, ); here v is the key pool, N-b blocks need to construct, k keys for each node, r repetitions among the blocks, = 2 or more; means each block in N-b should share two or more keys among the q+1 keys. 2. As a result, each key from the key pool can only be used at most 3q times in the construction of N-b blocks.

Then return R blocks from this Algorithm { } End
The final blocks are represented by which is input for Algorithm 6 and also computed the key pair values for all resource-constrained nodes.
Algorithm 6 is used to generate the v number of keys, however, the remaining keys were not able to be generated directly. The remaining c keys are found and perform an XOR operation on the common keys that existed between the two nodes. At the end of Algorithm6, be able to find the unique session keys between each node in the network. Here, Algorithm6 uses 32 bit (8 bytes) key for computation as the IoT devices could be handled easily with this length. Get the common keys that are presented in both blocks. 5. (i) If the length of the l is one then directly take the key as the secret key for both blocks.
(ii) If the length of the l is above one, take the last two keys from blocks and do the XOR operation among those keys.

[ ] [ ]
(iii) If the length of the l is null, select the first key-value from each block and calculate XOR between those keys. For example 6. x is the final secret key that is given by the DGDC. End The blocks for nodes are generated by DGDC up through Algorithm 6, and those key values in blocks aresent to nodes during transaction time. Once generated, they can be used every time, so there are chances of keys being compromised. Thus, We have also implemented an Algorithm 7 to get a solution for compromised keys by an attacker. Algorithm 7 illustrates how we can avoid attacks by utilizing a technique that shuffles the keys in the blocks in a certain amount of time.

for ΔT End
The complete workflow illustrates the DGDCs in Fig. 2. Such that the total number of blocks (B) designed by the SBIBD=7. Each DGDC module identifies the session key for every block by using Algorithm 4. And below Table I shows the key numbers for each block.
These are the seven keys stored in DGDC before starting the communication. B17- (2,4,9,10) Two common keys from the above blocks are 2 and 4. The keys values are taken from above dictionary for 2: 83179189 and 4: 50901991. After applying Algorithm 6,the output keyvalue is D3878818. So, DGDC transmits this common key to both users for further communication.
We shall receive new blocks for nodes after the same table with keys has been used for a time determined by the DGDC.

IV. ANALYSIS
The connectivity, scalability, resilience, and memory utilization of our model are all evaluated.

A. Scalability
The model can be scalable with the maximum number of nodes that were constructed for the IoT network. The model works with all keys in the keyring that correspond to the maximum number of IoT nodes that can be supported. The number of blocks generated with their keyrings determines the network's scalability. The scalability of a proposed approach is ( ) here n is an integer value to get the next prime number and is identified by Algorithm1.
The following equation is for the calculation of the remaining nodes: The main advantage of this model is to get the probability of key share at most 1 for maximum all cases.
According to the proposed model , because the connectivity should be 1 in all maximum cases in the proposed approach.

C. Resilience
Resilience means reliability among the network nodes from the attacker. The capture attack is called by capturing and revealing the key values from the nodes. So, the links which are used by the attacked key that might be compromised then those links are at risk. The proposed approach employs a unique key to communicate across nodes. And at random times, it shuffles all key values of blocks and blocks values as well As a result, if an attacker captures a key, it will not be worked after the shuffle.

| ∑ | |
Where L denotes the link, C x is x nodes are captured, l i is the secure link between devices that already shared the i th key in the pool. D i has identified the key pool that includes key iis compromised. In our proposed system, from Algorithm 3, each key appears in the B blocks.
. For R blocks, each key repetitions are, The probability of keyi, appearing in one or more of the x compromised keyrings is: When x keyrings are captured, the probability of a link being compromised can be calculated as.
| | Resilience values are provided for 500, 800, and 1700 nodes in Tables IV, V, and VI, respectively. Fig. 3, 4, and 5 show the graphs for the corresponding tables with various nodes. Different methods for hybrid combinatorial design are provided in tables and figures, and it is demonstrated that our approach produces the best results when compared to other ways.    [21], and MHSYM [22] for the 1700 Nodes.
The above graphs and tables prove that our system greatly reduces the probability of compromized network links.Each node receives a different key for its links, and they all also get dynamic keys.

D. Memory Utilization
Here, DGDC is proposed as a centralized key distributor in the proposed system. So, there is no pressure on any network node to maintain all keys in the memory. The IoT node should store only one key that is applied to get the session key from DGDC.
As a result, We can declare that our proposed strategy improves node capture resilience with a combinatorial design.The notations and descriptions of the different parameters used in the article are given in Table VII. There is a demand for network security research that is essential due to the upsurge of online transactions. Every user in the transactions believes that the data will be secure and unaltered during transmission. To make secure data and provide reliable keys, a lot of algorithms can be used to provide confidentiality for the data and key-management techniques. In the present work, we are discussing a simple key management algorithm with less time and space complexity compared to the relevant studies on key management algorithms using combinatorial design. We observed that if the network has more than 800 nodes, the www.ijacsa.thesai.org comprised links are reduced when compared to existing techniques. We also mentioned the relevant graphs of resilence in Fig. 3, Fig. 4, and Fig. 5 for various nodes.

VI. CONCLUSION AND FUTURE WORK
In this paper, we present a new hybrid combinatorial key distribution scheme for IoT networks that improves the key share probability, scalability, and resilience against capture attacks. In comparison to the other three hybrid methods, our experimental outcomes were better. For all connected nodes, our suggested approach provides the key sharing probability with 1. Every link in the established IoT network can use the same unique key. This paper also provides low resilience values against capture attacks when compared to other schemes. We will also extend this work to reduce the resilience of specific attacks like a man in the middle, Denial of service. We would like to implement it in real networks for better analysis.