The Internet of Things (IoT) is one of the fastest emerging technologies in the industry. It includes diverse applications with different requirements to provide services to users. Secure, low-powered, and long-range transmissions are some of the most vital requirements in developing IoT applications. IoT uses several communication technologies to fulfill transmission requirements. However, Low Powered Wide Area Networks (LPWAN) transmission standards have been gaining attention because of their exceptional low-powered and long-distance transmission capabilities. The features of LPWAN transmission standards make them a perfect candidate for IoT applications. However, the current LPWAN standards lack state-of-the-art security mechanism s because of the limitations of the IoT devices in energy and computational capacity. Most of the LPWAN standards, such as Sigfox, NB-IoT, and Weightless, use static keys for node authentication and encryption. LoRaWAN is the only LPWAN technology providing session key mechanisms for better security. However, the session key mechanism is vulnerable to replay attacks. In this paper, we propose a centralized lightweight session key mechanism for LPWAN standards using the Blom-Yang key agreement (BYka) mechanism. The security of the session key mechanism is tested using the security verification tool Scyther. In addition, an energy consumption model is implemented on the LoRaWAN protocol using the NS3 simulator to verify the energy depletion in a LoRaWAN node because of the proposed session key mechanisms. The proposed session key is also verified on the Mininet-WiFi emulator for its correctness. The analysis demonstrates that the proposed session key mechanism uses a fewer number of transmissions than the existing session key mechanisms in LPWAN and provides mechanisms against replay attacks that are possible in current LPWAN session key schemes.
Keywords: IoT security; LPWAN; key exchange; session keys.