Security in Wireless Sensor Networks: Key Management Approaches

1
Security in Wireless Sensor Networks Key
Management Approaches

• Vasyl A. Radzevych and Sunu Mathew

2
Overview

• Wireless Sensor Networks (WSN)
• Security issues in WSN
• Key management approaches in WSN
• Overview
• Pre-Deployed Keying
• Key pre-deployment
• Key derivation information pre-deployment
• Location aware pre-deployed keying
• Random Key Pre-deployment (P-RKP)
• Key derivation information pre-deployment
• Autonomous protocols
• Pairwise asymmetric (public key)
• Arbitrated protocols
• Identity based group keying
• Conclusions

3
Sensor Networks

• Sensor network is composed of a large number of
  sensor nodes
• Sensor nodes are small, low-cost, low-power
  devices that have following functionality
• communicate on short distances
• sense environmental data
• perform limited data processing
• Network usually also contains sink node which
  connects it to the outside world

4
Applications

• WSN can be used to monitor the conditions of
  various objects / processes. Some examples
• Military friendly forces monitoring, battlefield
  surveillance, biological attack detection,
  targeting, battle damage assessment
• Ecological fire detection, flood detection,
  agricultural uses
• Health related human physiological data
  monitoring
• Miscellaneous car theft detection, inventory
  control, habitat monitoring, home applications
• Sensors are densely deployed either inside or
  very close to the monitored object / process

5
Security issues in WSN

• The discussed applications require communication
  in WSN to be highly secure
• Main security threats in WSN are
• Radio links are insecure eavesdropping /
  injecting faulty information is possible
• Sensor nodes are not temper resistant if it is
  compromised attacker obtains all security
  information
• Attacker types
• Mote-class attacker has access to some number of
  nodes with similar characteristics /
  laptop-class attacker has access to more
  powerful devices
• Outside (discussed above) / inside attacker
  compromised some number of nodes in the network

6
Attacks on WSN

• Main types of attacks on WSN are
• spoofed, altered, or replayed routing information
• selective forwarding
• sinkhole attack
• sybil attack
• wormholes
• HELLO flood attacks
• acknowledgment spoofing

7
False routing information

• Injecting fake routing control packets into the
  network, examples attract / repeal traffic,
  generate false error messages
• Consequences routing loops, increased latency,
  decreased lifetime of the network, low
  reliability

Example captured node attracts traffic by
advertising shortest path to sink, high battery
power, etc
8
Selective forwarding

• Multi hop paradigm is prevalent in WSN
• It is assumed that nodes faithfully forward
  received messages
• Compromised node might refuse to forward packets,
  however neighbors might start using another route
• More dangerous compromised node forwards
  selected packets

9
Sinkhole and Sybil attacks

• Sinkhole attack
• Idea attacker creates metaphorical sinkhole by
  advertising for example high quality route to a
  base station
• Laptop class attacker can actually provide this
  kind of route connecting all nodes to real sink
  and then selectively drop packets
• Almost all traffic is directed to the fake
  sinkhole
• WSN are highly susceptible to this kind of attack
  because of the communication pattern most of the
  traffic is directed towards sink single point
  of failure
• Sybil attack
• Idea a single node pretends to be present in
  different parts of the network.
• Mostly affects geographical routing protocols

10
Wormholes

• Idea tunnel packets received on one part of the
  network to another
• Well placed wormhole can completely disorder
  routing
• Wormholes may convince distant nodes that they
  are close to sink. This may lead to sinkhole if
  node on the other end advertises high-quality
  route to sink

11
Wormholes (cont.)

• Wormholes can exploit routing race conditions
  which happens when node takes routing decisions
  based on the first route advertisement
• Attacker may influence network topology by
  delivering routing information to the nodes
  before it would really reach them by multi hop
  routing
• Even encryption can not prevent this attack
• Wormholes may convince two nodes that they are
  neighbors when on fact they are far away from
  each other
• Wormholes may be used in conjunction with sybil
  attack

12
HELLO flood attack

• Many WSN routing protocols require nodes to
  broadcast HELLO packets after deployment, which
  is a sort of neighbor discovery based on radio
  range of the node
• Laptop class attacker can broadcast HELLO message
  to nodes and then advertises high-quality route
  to sink

13
Acknowledgment spoofing

• Some routing protocols use link layer
  acknowledgments
• Attacker may spoof acks
• Goals convince that weak link is strong or that
  dead node is alive.
• Consequently weak link may be selected for
  routing packets send trough that link may be
  lost or corrupted

14
Overview of Countermeasures

• Link layer encryption prevents majority of
  attacks bogus routing information, Sybil
  attacks, acknowledgment spoofing, etc.
• This makes the development of an appropriate key
  management architecture a task of a great
  importance
• Wormhole attack, HELLO flood attacks and some
  others are still possible attacker can tunnel
  legitimate packets to the other part of the
  network or broadcast large number of HELLO
  packets
• Multi path routing, bidirectional link
  verification can also be used to prevent
  particular types of attacks like selective
  forwarding, HELLO flood

15
Key management goals

• The protocol must establish a key between all
  sensor nodes that must exchange data securely
• Node addition / deletion should be supported
• It should work in undefined deployment
  environment
• Unauthorized nodes should not be allowed to
  establish communication with network nodes

16
Key management constraints

• Sensor node constraints
• Battery power
• Computational energy consumption
• Communication energy consumption
• Transmission range
• Memory
• Temper protection
• Sleep pattern
• Network constraints
• Ad-hoc network nature
• Packet size

17
Key management evaluation/comparison metrics

• Resilience against node capture how many node
  are to be compromised in order to affect traffic
  of not compromised nodes?
• Addition how complicated is dynamic node
  addition?
• Revocation how complicated is dynamically node
  revocation?
• Supported network size what is the maximum
  possible size of the network?
• Note since WSN can be used in a lot of different
  ways it is not reasonable to look for one key
  management approach to suite all needs 20 000
  node network deployed from the airplane over a
  battle field has quite different requirements
  from 10 node network installed to guard the
  perimeter of the house

18
Key management approaches classification
19
Approaches to be discussed

• Pre-deployed keying
• Key pre-deployment
• Straightforward approaches
• Eschenauer / Gligor random key pre-deployment
• Chan / Perrig q-composite approach
• Zhu / Xu approach
• DiPietro smart attacker model and PRK protocol
• Key derivation information pre-deployment
• Liu / Ning polynomial pre-deployment
• Self-enforcing autonomous approaches
• Pairwise asymmetric (public key)
• Arbitrated protocols
• Identity based hierarchical keying

20
Straight forward approaches

• Single mission key is obviously unacceptable
• Pairwise private key sharing between every two
  nodes is impractical because of the following
  reasons
• it requires pre-distribution and storage of n-1
  keys in each node which is n(n-1)/2 per WSN.
• most of the keys would be unusable since direct
  communication is possible only in the nodes
  neighborhood
• addition / deletion of the node and re-keying are
  complex

21
Basic probabilistic approach

• Due to Eschenauer and Gligor
• Relies on probabilistic key sharing among nodes
  of WSN
• Uses simple shared-key discovery protocol for key
  distribution, revocation and node re-keying
• Three phases are involved key pre-distribution,
  shared-key discovery, path-key establishment

22
Key pre-distribution

• Generate a large key pool P (217-220 keys) and
  corresponding key identifiers
• Create n key rings by randomly selecting k keys
  from P
• Load key rings into nodes memory
• Save key identifiers of a key ring and associated
  node identifier on a controller
• For each node load a key which it shares with a
  base station

23
Shared-key discovery

• Takes place during initialization phase after WSN
  deployment. Each node discovers its neighbor in
  communication range with which it shares at least
  one key
• Nodes can exchange ids of keys that they poses
  and in this way discover a common key
• A more secure approach would involve broadcasting
  a challenge for each key in the key ring such
  that each challenge is encrypted with some
  particular key. The decryption of a challenge is
  possible only if a shared key exists

24
Path-key establishment

• During the path-key establishment phase path-keys
  are assigned to selected pairs of sensor nodes
  that are within communication range of each
  other, but do not share a key
• Node may broadcast the message with its id, id of
  intended node and some key that it posses but not
  currently uses, to all nodes with which it
  currently has an established link. Those nodes
  rebroadcast the message to their neighbors
• Once this message reaches the intended node
  (possible through a long path) this node contacts
  the initiator of path key establishment
• Analysis shows that after the shared-key
  discovery phase a number of keys on a key ring
  are left unused

25
Simulation results
1000 nodes, 40 nodes neighborhood, P10000
number of hops
Path length to neighbors
26
Key revocation

• Key revocation is accomplished in the following
  way a controller node that has all keys and ids
  in its memory, broadcasts a message containing a
  list of k key identifiers for the key ring to be
  revoked
• This message is signed with signature key which
  is encrypted and unicasted to all nodes prior
  revocation. This encryption is done using
  individually shared between node and controller
  keys
• After obtaining a signature key, each node locate
  received identifiers in its key ring and removes
  the corresponding keys if they are present
• Since some links might disappear they should be
  reestablished using keys that are left in the key
  ring

27
Resiliency to node capture

• More robust then approaches that use single
  mission key
• In case node is captured kltltn keys are obtained
• This means that the attacker has a probability of
  k/P to attack successfully any other WSN link

28
WSN connectivity

• Two nodes are connected if they share a key
• Full connectivity of WSN is not required because
  of the limited communication capabilities of the
  sensor nodes
• Two important questions
• What should be the expected degree of a node so
  that WSN is connected?
• Given expected degree of a node what values
  should the key ring size, k, and pool, P, have
  for a network of size n so that WSN is connected?
• Random-graph theory helps in answering the first
  question

29
Random graphs

• A random graph G(n,p) is a graph of n nodes for
  which the probability that a link between any two
  nodes exists is p
• Question what value should p have so that it is
  almost certainly true that graph G(p,n) is
  connected?
• Pc is a desired probability for the graph
  connectivity
• Based on the formulas above p and dp(n-1) can be
  found (d-expected degree of a node)

Erdos-Renyi formula
(1)
(2)
30
Random-graphs (cont.)
Expected degree of node vs. number of nodes,
where PcPrG(n,p) is connected
31
Key ring and key pool sizes

• Due to the limited communication capabilities a
  number of nodes with which a particular node can
  communicate is nltltn
• This means that the probability of two nodes
  sharing at least one key in their key rings of
  size k is pd/(n-1)gtgtp
• Key pool size P can be derived as a function of
  k

32
Key ring and key pool sizes (cont.)

• Since keys are drawn out of a pool P without
  replacement, the number of key rings can be
  expressed as follows
• Lets pick the first key ring, the total number
  of possible key rings that do not share a key
  with this key ring is the number of key-rings
  that can be drawn out of remaining P-k unused
  keys in pool, which is

33
Key ring and key pool sizes (cont.)

• Consequently, the probability that no key is
  shared between the two rings is the ratio of the
  number of rings without a match by the total
  number of rings.
• Since P is very large Stirlings approximation
  can be used to derive the final expression for
  p

(3)
34
Key ring and key pool size (cont.)
Probability of sharing at least one key when two
nodes choose k keys from a pool of size P
35
Key ring and key pool size example

• WSN contains n10000 nodes, desired probability
  of network connectivity is Pc0.99999,
  communication range supports 40 nodes
  neighborhoods
• According to the formula (1) c11.5, therefore
  p210-3
• d210-3999920
• This means that if each node can communicate with
  on average 20 other nodes the network will be
  connected
• p20/(40-1)0.5
• According to formula (3) k can be set to 250 and
  P can be set to 100000

36
q-composite approach

• Enhancement of the basic probabilistic approach
• Idea nodes should share q keys instead of only
  one
• Approach
• Key pool P is an ordered set
• During initialization phase nodes broadcast ids
  of keys that they have
• After discovery each nodes identifies the
  neighbor with which it share at least q keys
• Communication key is computed as a hash of all
  shared keys
• Keys appear in hash in the same order as in key
  pool

37
Benefits of q-composite approach

• q-composite approach has greater resiliency to
  node capture than the basic approach if small
  number of nodes were captured
• Simulations show that for q2, the amount of
  additional communications compromised when 50
  nodes (out of 10000) have been compromised is
  4.74, as opposed to 9.52 in the basic scheme
• However if large number of nodes have been
  compromised q-composite scheme exposes larger
  portion of network than the basic approach
• The larger q is the harder it is to obtain
  initial information
• Parameter q can be customized to achieve required
  balance for a particular network

38
Zhu / Xu approach

• Another modification of the basic probabilistic
  approach
• Major enhancement
• Pseudorandom number generator is used to improve
  security of key discovery algorithm
• Also uses secret sharing which jointly with
  logical paths allows nodes to establish a
  pairwise key that is exclusively known to the two
  nodes (in contrast to basic probabilistic
  approach, where other nodes might also know some
  particular key)

39
Zhu / Xu approach key pre-distribution

• Background a pseudo-random number generator, or
  PRNG, is a random number generator that produces
  a sequence of values based on a seed and a
  current state. Given the same seed, a PRNG will
  always output the same sequence of values.
• Key pool P of size l is generated
• For each node u, pseudorandom number generator is
  used to generate the set of m distinct integers
  between 1 and l (key ids). Nodes unique id u is
  used as a seed for the generator
• Each node is loaded with key ring of size m
• Keys for the key rings are selected from key pool
  P in correspondence with integers (key ids)
  generated for a particular node by pseudorandom
  number generator
• This allows any node u that knows another nodes v
  id to determine the set of ids of keys that v
  poses

40
Zhu / Xu approach Logical path establishment

• The established on previous step keys are not
  exclusive and consequently not secure enough,
  however they can be used to establish exclusive
  key
• During the network initialization phase, nodes
  discover so called logical paths
• Nodes can establish a direct path in case they
  share a common key on their key rings
• This can easily be accomplished as was described
  in the previous slide by discovering common key
  id
• In case nodes do not share a key authors propose
  a path-key establishment algorithm similar to one
  in basic probabilistic approach, the difference
  is that nodes try to establish several logical
  paths, which later should help in establishing a
  pairwise key

41
Zhu / Xu pairwise key establishment

• The next step of network initialization is
  pairwise key establishment
• A sender node randomly generates a secret key ks
• Then derives n-1 random strings sk1, sk2,,
  skn-1
• skn is computed as follows skn ks XOR sk1XOR
  sk2 XOR,, XOR skn-1
• This way a recipient has to receive all n shares
  in order to derive a secret key ks
• After secret shares are computed, each of them is
  send to the recipient using different logical
  path
• Once all shares are received the recipient can
  confirm the establishment of pairwise key by
  sending a HELLO message encoded with a new key
• Authors provide a framework according to which
  number of shares and the way they are send is
  decided

42
Further enhancements

• So far all the discussed approaches have used one
  of the following algorithms for shared-key
  discovery
• Key id notification
• Challenge response
• Pseudorandom key id generation
• Those algorithms work well against so called
  oblivious attacker, the one that randomly
  selects next sensor to compromise
• What if attacker selects nodes that will allow
  him to compromise the network faster, based on
  already obtained information (key ids)?
• This is the case of so called smart attacker

43
Smart attacker

• More precisely smart attacker can be defined as
  follows
• at each step of the attack sequence, the next
  sensor to tamper is sensor s, where s maximizes
  EG(s) I(s), the expectation of the key
  information gain G(s) given the information I(s)
  the attacker knows on sensor s key-ring
• Simulations show that Key id notification and
  pseudorandom key id generation can be easily
  beaten by the smart attacker
• Challenge response performs better

44
Simulation results
Experimental results on id notification and
pseudorandom key id generation Number of sensors
to corrupt in order to compromise an arbitrary
channel.
45
Simulation results
Experimental results on challenge
response Number of sensors to corrupt in order
to compromise an arbitrary channel.
46
PRK algorithm

• Why not using challenge response? Inefficient
• The goal is to define a key pre-deployment scheme
  that supports an efficient and secure key
  discovery phase, as efficient as pseudorandom key
  id generation (no message exchange) and as secure
  as challenge response
• DiPietro et al. suggested a new algorithm that
  achieves the above described requirements

47
PRK algorithm

• Key pre-distribution
• For each sensor sa
• For all keys vPi of the pool P, compute zfy(a
  vPi)
• Iff z0 mod (P/K), then put vPi into the key ring
  Va of sensor sa
• Assumption P/K divides by 2h, where h is the size
  of the input
• Key discovery
• In case sensor sb wants to establish a secure
  channel with sensor sa it has to perform the
  following calculations
• For each key vbj in its key ring sensor sb
  computes zfy(avbj)
• If z0 mod (P/K), sensor sa also has key sb

48
PRK algorithm analysis

• Benefits
• Complexity is comparable to pseudo-random index
  transformation no message exchange and K
  applications of the pseudo-random function.
• Only who already knows key vPi can know whether
  sensor sa has that key or not by computing
  zfy(avbj) and checking out if
• z0 mod( P/K ). All other entities gets no
  information from z. This is exactly the same
  information revealed by challenge response
• Drawbacks
• Not enough control of key ring size it is
  possible that applying the formula to sensor id
  and key in a key pool will yield key ring that is
  
• too large - larger than sensor memory
• too small not enough for the network to be
  connected
• In either case node id a should be regenerated
• Authors prove that it is feasible to regenerate
  sensor ids to achieve required properties

49
PRK algorithm simulations
Experimental results on PRK algorithm number of
sensors to corrupt in order to compromise an
arbitrary channel. The PRK algorithm is as secure
as challenge response and in the same time as
efficient as pseudorandom key id generation
50
Background polynomial based key pre-distribution

• Polynomial based key pre-distribution scheme
  reduces the amount of pre-distributed information
  still allowing each pair of nodes to compute a
  shared key
• Polynomial based key pre-distribution is
  ?-collusion resistant, meaning that as long as ?
  or less nodes are compromised the rest of the
  network is secure
• Utilizes polynomial shares

51
Polynomial based key pre-distribution
initialization

• Special case ?1
• Each node has an id rU which is unique and is a
  member of finite field Zp
• Three elements a, b, c are chosen from Zp
• Polynomial f(x,y) (a b(x y) cxy) mod p is
  generated
• For each node polynomial share gu(x) (an bnx)
  mod p
• where an (a brU) mod p and bn (b crU)
  mod p is formed and pre-distributed

52
Polynomial based key pre-distribution key
discovery

• In order for node U to be able to communicate
  with node V the following computations have to be
  performed
• Ku,v Kv,u f(ru,rv) (a b(rurv) crurv )mod
  p
• U computes Ku,v gu(rv)
• V computes Kv,u gv(ru)

53
Polynomial based key pre-distribution example

• Example
• 3 nodes U, V, W, with the following ids 12, 7,
  1 respectively
• p17 (chosen parameter)
• a8, b7, c2 (chosen parameters)
• Polynomial f(x,y) 87(xy)2xy
• g polynomials are gu(x) 7 14x, gv(x) 6
  4x,
• gw(x) 159x
• Keys are Ku,v3, Ku,v4, Ku,v10
• U computes Ku,v gu(rv) 7147mod17 3
• V computes Kv,u gv(ru) 6412mod17 3

54
Polynomial based key pre-distribution
generalization

• Polynomial based key pre-distribution scheme can
  be generalized to any ? by changing polynomials
  in the following way
• is a randomly generated, bivariate
  ?-degree, symmetric polynomial over finite field
  Zp, pn is prime

55
Liu-Ning approach

• Combination of polynomial-based key
  pre-distribution and the key pool idea discussed
  above
• Increases network resilience to node capture
• Can tolerate no more than ? compromised nodes,
  where ? is constrained by the size of memory of a
  node
• Idea use a pool of randomly generated
  polynomials
• When pool contains only one polynomial the
  approach degenerates to basic polynomial based
  key pre-distribution scheme
• When all polynomials are of degree 0 the approach
  degenerates to key pool approach
• Three phases are involved setup, direct key
  establishment, path key establishment

56
Setup phase

• Set F of bivariate ?-degree polynomials over
  finite field Fq is generated
• Each polynomial is assigned a unique id
• For each sensor node a subset of s polynomial is
  randomly chosen from F
• For each polynomial in the chosen subset a
  polynomial share is loaded into nodes memory

57
Direct key establishment phase

• During this phase all possible direct links are
  established
• A node can establish a direct link with another
  node if they both share a polynomial share of a
  particular polynomial
• How to find common polynomial? Use above
  discussed approaches

58
Path key establishment phase

• If direct connection establishment fails nodes
  have to start path key establishment phase
• Nodes need to find a path such that each
  intermediate nodes share a common key
• Node may broadcast the message with polynomials
  ids that it posses to all nodes with which it
  currently has an established link
• Once this message reaches the intended node
  (possible through a long path) this node computes
  a key and contacts the initiator of path key
  establishment
• Drawback may introduce considerable
  communication overhead

59
Simulation results
The probability p that 2 sensors share a
polynomial vs size s of the polynomial pool (s
number of polynomial shares in each sensor)
60
Simulation results comparison with already
discussed approaches
Fraction of compromised links between non
compromised nodes vs number of compromised
nodes (20000 nodes, nodes can store equivalent of
200 keys)
61
Grid-based key pre-distribution

• Instance of general framework discussed above
• Benefits
• Guarantees that any two nodes can establish a
  pairwise key, if no nodes were compromised
• Allows sensors to directly determine whether it
  can establish a pairwise key with another node
  and which polynomial to use in case of positive
  answer

62
Subset assignment

• 2m ?-degree polynomials are generated
• , where
• and N is the size of the network
• Each row of the grid is associated with
  polynomial
• and each column is associated with
  polynomial
• For each sensor an unoccupied intersection (i, j)
  of the grid is selected and assigned to the node

63
Subset assignment (cont.)

• The id of the node is created by concatenation of
  binary representations of i and j. IDlt ib jb gt
• Intersections should be densely selected within a
  rectangle area of the grid
• Polynomial shares of corresponding (row / column)
  polynomials together with id are pre-distributed
  to each node

64
Node assignment in the grid
Node assignment in the grid
65
Polynomial share discovery

• To establish a pairwise key with node j, node i
  checks whether cicj or rirj
• If either of conditions hold, nodes have a
  polynomial share of the same polynomial,
  consequently they can compute a common key
  directly
• Otherwise nodes have to go through path discovery
  

66
Path discovery

• Idea nodes can use intermediate nodes to help in
  establishing a common key
• The intermediate node should be located in either
  the same row / column as first node or same
  column / row as a second node
• This way intermediate node definitely share a
  polynomial with both nodes
• Note there are only two of such intermediate
  nodes for each pair of nodes
• What if both if them are compromised /
  unreachable?
• The path through the grid should be established
• Authors developed an efficient protocol to
  accomplish this
• The main idea of the protocol is that
  intermediate nodes try to forward the request to
  the node that is located in the same row / column
  as a destination

67
Path discovery example
Establishing a path through the grid
68
Public key infrastructure

• The limited computation and power resources of
  sensor nodes often makes it undesirable to use
  existing public-key algorithms, such as
  Diffie-Hellman key agreement or RSA signatures

69
Symmetric vs. asymmetric algorithms
70
Public key scheme for WSN

• Is it possible to develop a public key
  infrastructure suitable for wireless sensor
  networks?
• Recent studies show that it is still possible to
  utilize public key ideas for the purposes of
  securing WSN
• Gaubatz et al. developed an ultra low power
  implementation of Rabin's Scheme and NtruEncrypt
  Algorithm
• Authors have demonstrated that it is possible to
  design public key encryption architectures with
  power consumption of less than 20 mW using the
  right selection of algorithms and associated
  parameters, optimization and low power techniques
• The details of solutions will not be discussed,
  since it mainly involves VLSI / circuit design

71
Arbitrated keying protocols system model

• According to the model, network consists of three
  types of nodes command node, gateways and
  regular sensor nodes
• Gateways partition the network into distinct
  clusters as follows

72
Arbitrated keying protocols node requirements

• Sensor nodes
• Are equipped with GPS modules and can determine
  its location during bootstrapping
• Remain stationary
• Gateways
• Can unicast / broadcast information to other
  gateways on the network
• Can establish the group key using a group key
  agreement protocols
• Command node
• is assumed to be secure and is trusted by all of
  the nodes in the sensor network

73
Identity based hierarchical keying
initialization phase (description)

• Description of the initialization phase
• Prior deployment each gateway is assigned S/G
  keys, where S is the number of sensors on the
  network and G is the number of gateways
• Each sensor is preloaded with id if the gateway
  with which it share a key
• After deployment each gateway forms a cluster
  using cluster formation algorithm and acquires
  the keys of the sensors in its cluster from the
  other gateways
• After key exchange is performed gateways erases
  key of sensors that do not belong to its cluster

74
Identity based hierarchical keying
initialization phase (protocol)

• Each sensor Si broadcasts its id (idSi ) and id
  (idGj) of the gateway with which it shares a key

• Clustering process is performed

• After clustering gateways identify set of
  sensors that
• belong to its cluster idi and broadcasts
  it to other gateways

• Each gateway Gj replies to Gi with the set of
  keys and corresponding sensor ids (KSk,Gj,
  idSk)i

• On the last step, each sensor receives a
  message that assigns
• it to the gateway

75
Identity based hierarchical keying node addition

• Each new sensor is preloaded with two keys
  as other sensors
• Command node transmits the list of
  (identifier, key) pairs to a randomly selected
  gateway Gh, which becomes the gateway that shares
  the keys of the new sensors

• Each added node broadcasts a hello message
  (same as on
• initialization phase)

• Clustering mechanisms adjusts itself
• Each gateway broadcasts the sensors in its
  range to the gateways in G, requesting the keys
  for those sensors

76
Identity based hierarchical keying node addition
(cont.)

• Gh responds to those requests

• Each new sensor Si is assigned to the
  gateway Gi

77
Identity based hierarchical keying node
revocation

• If a group of sensors are compromised, they can
  be trivially evicted from the command nodes
  sensor list by the command node, as well as from
  their cluster by the gateway.
• Gateway revocation is slightly more complicated
• Command node evicts gateway G from the list of
  gateways and chooses a head gateway Gh randomly
• Command node sends the identifiers of each sensor
  and their new gateway Gi to Gh
• Also the new keys that sensors share with Gi are
  sent

78
Identity based hierarchical keying node
revocation (cont)

• Clustering process takes place
• Second and third parts of the message is
  sent to Gi
• Gi notifies each sensor on its cluster about
  new shared key

79
Identity based hierarchical keying simulations
Distribution of sensor energy consumption with
our approach.
80
Identity based hierarchical keying analysis

• Benefits
• Low energy consumption
• Low communication overhead for key establishment
• Low memory requirements for sensor nodes
• Good resilience against sensor capture
• Drawbacks
• Specific network model requirements
• Sensors have to be equipped with GPS modules
• Efficient clustering algorithm is required

81
Location Aware Key Management for WSN

• Problem
• How to pick a large key pool while still
  maintaining high connectivity? (i.e maintain
  resilience while ensuring connectivity) (e.g.
  100,000 vs 200)
• Solution
• Exploit Location information (Deployment
  Knowledge)
• Du et. al. Infocom 2004. Exploit Location
  Knowledge for P-RKP
• Huang et. Al. SASN 2004. Exploit Location
  Knowledge for SK-RKP

82
Location Aware Purely Random Key Predistribution
(P-RKP)

• Du et. al (IEEE Infocom 2004)
• Improves Random Key Predistribution (Eschenauer
  and Gligor) by exploiting Location Information.
• Studies a Gaussian distribution for deployment of
  Sensor nodes to improve security and memory
  usage.

83
Location Aware Purely Random Key Predistribution
(P-RKP)

• Rectangular Deployment area (X x Y)
• General Deployment Model (Individual)
• Current predeployment schemes assume pdf for
  location f(x,y) as 1/XY.
• Group based Deployment Model.
• Group based Deployment Model
• N sensor nodes divided into t x n equal size
  groups. Group G(i,j) has deployment point x(i,j).
• Deployment points arranged in a grid
• Resident points of node k follow pdf

84
Location Aware Purely Random Key Predistribution
(P-RKP)

• Groups select from key group S (i,j)
• Probability node is in a certain group is (1 /
  tn).

85
Location Aware Purely Random Key Predistribution
(P-RKP)

• Key sharing graphs used to enable connectivity
• Use flooding to find secure path (Limit to 3
  hops)
• Setting up the key pools
• Two horizontally or vertically neighboring pools
  share aSc keys where 0lt a lt 0.25
• Two diagonally neighboring key pools share bSc
  keys, where 0ltblt0.25
• Two non-neighboring key pools share no keys.
• Overlapping factors - a,b

86
Location Aware Purely Random Key Predistribution
(P-RKP)
87
Location Aware Purely Random Key Predistribution
(P-RKP)

• Key Assignment for Key Pools
• For group , select keys
  from the global key pool S, then remove these
  keys from S.
• For group , select a.
  keys from pool , then select
  keys from global pool S
• For group select
  a. from each of the key pools
  , and if they exist select
  b. Keys from each of the key pools
  and if they exist then
  select w keys from the global key pool S, and
  remove these w keys from S.

88
Location Aware Purely Random Key Predistribution
(P-RKP)

• Detemining Sc
• When S 100,000, t n 10, a 0.167, b
  0.083
• Sc 1770

89
Location Aware Purely Random Key Predistribution
(P-RKP)

• Performance Evaluation
• Evaluation Metrics
• Connectivity (Local and Global)
• Communication overhead
• Resilience against node capture
• System configuration
• S 100,000. N 10,000.
• Deployment area 1000m x 1000m
• T n 10m. Each grid is 100m x 100m.
• Center of grid is deployment point. Wireless
  communication range is 40m.

90
Location Aware Purely Random Key Predistribution
(P-RKP)
91
Location Aware Purely Random Key Predistribution
(P-RKP)

• Local Connectivity
• Plocal Pr((B(n1,n2)A(n1,n2))
• Probability node is in a certain group is (1 /
  tn)
• Probability that nodes i and j have local
  connectivity) is 1)Probability that and
  share a key (p-lambda)
• 2)Probability that resides around the point
  Z(x,y)
• 3)Probability that is a neighbor of
• Plocal is the average of this value across the
  whole region

92
Location Aware Purely Random Key Predistribution
(P-RKP)

• Performance Local connectivity
• With 100 keys, location management improves local
  connectivity from 0.095 to 0.687

93
Location Aware Purely Random Key Predistribution
(P-RKP)

• Global connectivity
• Only simulation results are available

94
Location Aware Purely Random Key Predistribution
(P-RKP)

• Effects of the Overlapping Factors (a,b)

95
Location Aware Purely Random Key Predistribution
(P-RKP)

• Communication overhead
• Path needed when two neighbours cannot find a
  common key.
• ph(i) is the probability that the smallest number
  of hops needed to connect two neighbouring nodes
  is i. i is at most 3.

96
Location Aware Purely Random Key Predistribution
(P-RKP)

• Resilience against node capture
• Fraction of additional communication (among
  uncaptured nodes) that can be compromised based
  on capture of x nodes.
• Location of the x captured nodes affects results.
• Assume random location of x nodes (unrealistic)
• Location knowledge significantly improves network
  resilience
• 1 (1 m/S)x

97
Location Aware Purely Random Key Predistribution
(P-RKP)
98
Location Aware Structured Key Random Key
Predistribution (SK-RKP)

• Huang et. al. (SASN 2004)
• Claims random node capture assumption too weak
  (selective capture possible)
• Gridgroup deployment scheme.
• Introduces the node fabrication attack
• Uses location based information and a structured
  key pool
• Claims fewer number of keys and resilience to
  selective node capture and node fabrication
  attacks

99
Location Aware SK-RKP

• P-RKP vs SK-RKP
• Robustness of both weakened by selective node
  capture attack

100
Location Aware SK-RKP

• Both are also weakened by node fabrication attack
  
• P-RKP By capturing two nodes, attacker can
  fabricate and deploy (2m new nodes.
• SK-RKP is harder to compromise (still possible)
• Grid-Group Deployment Scheme
• Partition N sensors into i.j groups with
  sensors in each group
• Assign the identifier (i,j),b to each sensor in
  the G(i,j) where b 1,.N
• Assign m keys to each sensor in group G(i,j)
• Uniformly distribute the sensors for the group
  G(i,j) in zone Z(i,j)

101
Key Predistribution (I Scheme) within a given
zone

• Divide key poll P into L x M sub-key pools
  (P(i,j), i 1.L,j 1M)). Each sub-key pool is
  divided into w sub-key spaces. A sub-key space is
  a N x ( 1) key matrix A, where each element
  of A is a unique key)
• Divide the N sensors into L x M groups (a group
  is represented by G(i,j) where i 1,.L, j
  1,M)
• Assign unique identifiers to the sensors. For
  each sensor, assign id (i,j),b, where (i,j)
  is the group id and b 1,.N
• For sensor (i,j),b, randomly select T sub-key
  spaces in P(i,j) making sure the selected sub-key
  space is not already selected times. Load
  sensor with the bth row of matrix A for each sub
  key space selected

102
Key Predistribution (E-Scheme) for adjacent zones

• For each sensor in group G(i,j), randomly select
  one sensor, say j, from a neighbouring group, say
  G(i2,j2).
• Install duple lt , gt in i and duple lt
  , gt in j, where key is unique
  and , are the node ids.
• Once a peer node is selected, it cannot select
  another node in the same group
• If all sensors have selected a node in each of
  its neighboring groups, stop, otherwise go to the
  first step

103
Location Aware SK-RKP
104
Key establishment within the same zone

• Key establishment within the same zone
• Each sensor, say (i,j),b, broadcasts identifier
  (i,j),b and key space identifiers ,
  
• For each neighbor, sensor adds a link in
  key-graph if they share a key .
• Sensor broadcasts list of neighbors who share
  key-space with it. Uses similar messages from
  others to expand key-graph.
• Source routing to to request and establish
  pairwise keys with all its neighbors.

105
Key establishment within adjacent zones

• Each sensor, broadcasts desired node list (of
  nodes in the adjacent zone)
• A neighbor of the requestor within the same zone
  who already shares a key with the nodes For each
  neighbor, sensor adds a link in key-graph if they
  share a key
• Sensor broadcasts list of neighbors who share
  key-space with it. Uses similar messages from
  others to expand key-graph.
• Source routing to request and establish pairwise
  keys with all its neighbors.

106
Performance Analysis

• Memory overhead
• For p 0.5238, m 68 (similar to Du et. Al.)
• Security Analysis
• Secure against Random Node capture, Selective
  Node capture and Node Fabrication attacks

107
Performance Analysis (Security)
108
Summary

• Robust security mechanisms are vital to the wide
  acceptance and use of sensor networks for many
  applications
• Key management in turns is one the most important
  aspects in any security architecture
• Various peculiarities of Wireless Sensor Networks
  make the development of good key management
  scheme a challenging task
• We have discussed several approaches to key
  management in WSN
• All of them have strong and weak points
• The diverse nature of WSN usage makes it not
  reasonable to look for some particular approach
  that would be suitable for all cases

109
Bibliography

• I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, E.
  Cyirci. Wireless Sensor Networks A Survey.
  Computer Networks, 38(4)393-422, 2002.
• C. Karlof and D. Wagner, Secure Routing in
  Wireless Sensor Networks Attacks and
  Countermeasures. First IEEE International
  Workshop on Sensor Network Protocols and
  Applications, May 2003
• D. Carman, P. Kruus, and B. Matt. Constraints
  and approaches for distributed sensor network
  security. NAI Labs Technical Report 00-010,
  September 2000
• L. Eschenauer and V. Gligor. A Key-Management
  Scheme for Distributed Sensor Networks. In Proc.
  of ACM CCS02, November 2002
• H. Chan, A. Perrig, D. Song Random Key
  Predistribution Schemes for Sensor Networks. In
  2003 IEEE Symposium on Research in Security and
  Privacy
• S. Zhu, S. Xu, S. Setia, S. Jajodia Establishing
  Pair-wise Keys For Secure Communication in Ad Hoc
  Networks A Probabilistic Approach. In Proc. of
  the 11th IEEE International Conference on Network
  Protocols
• R. Di Pietro, L. Mancini, A. Mei. Efficient and
  Resilient Key Discovery Based on Pseudo-Random
  Key Pre-Deployment. 18th International Parallel
  and Distributed Processing Symposium

110
Bibliography

• D. Liu, P. Ning, Establishing Pairwise Keys in
  Distributed Sensor Networks, 10th ACM CCS '03,
  Washington D.C., October, 2003
• G. Jolly, M. Kusçu, P. Kokate, M. Younis. A
  Low-Energy Key Management Protocol for Wireless
  Sensor Networks. Eighth IEEE International
  Symposium on Computers and Communications
• G. Gaubatz, J.Kaps, B. Sunar Public Key
  Cryptography in Sensor Networks Revisited. 1st
  European Workshop on Security in Ad-Hoc and
  Sensor Networks
• C. Blundo, A. De Santis, A. Herzberg, S. Kutten,
  U. Vaccaro, and M. Yung. Perfectly secure key
  distribution for dynamic conferences. In
  Information and Computation, 146 (1), 1998, pp
  1-23.
• Introduction to Modern Cryptography by M.
  Bellare, P. Rogaway November 3, 2003
• Handbook of Applied Cryptography, by A.
  Menezes, P. van Oorschot, and S. Vanstone, CRC
  Press, 1996.
• The Strange Logic of Random Graphs, Joel H.
  Spencer
• Nanotechnology website http//www.nanotech-now.com
  

111
Bibliography

• W. Du, J. Deng, Y. Han, S. Chen, P. Varshney. A
  Key Management Scheme for Wireless Sensor
  Networks Using Deployment Knowledge. IEEE Infocom
  2004.
• D. Huang, M. Mehta, D. Medhi, L. Harn.
  Location-aware Key Management for Wireless Sensor
  Networks. 2004 ACM Workshop on Security of Ad Hoc
  and Sensor Networks. (SASN 04)