Title: Security in Wireless Sensor Networks: Key Management Approaches
1Security in Wireless Sensor Networks Key
Management Approaches
2References
- Security in Wireless Sensor Networks Key
Management Approaches, Vasyl A. Radzevych and
Sunu Mathew - Securing Wireless Sensor Networks, Wenliang
(Kevin) Du, Department of Electrical Engineering
and Computer Science, Syracuse University
3Overview
- Security issues in WSN
- Key management approaches in WSN
- Overview
- Pre-Deployed Keying
- Key pre-deployment
- Key derivation information pre-deployment
- Location aware pre-deployed keying
- Random Key Pre-deployment (P-RKP)
- Key derivation information pre-deployment
- Autonomous protocols
- Pairwise asymmetric (public key)
- Arbitrated protocols
- Identity based group keying
- Conclusions
4Attacks on WSN
- Main types of attacks on WSN are
- spoofed, altered, or replayed routing information
- selective forwarding
- sinkhole attack
- sybil attack
- wormholes
- HELLO flood attacks
- acknowledgment spoofing
5Overview of Countermeasures
- Link layer encryption prevents majority of
attacks bogus routing information, Sybil
attacks, acknowledgment spoofing, etc. - This makes key management architecture of a great
importance - Wormhole attack, HELLO flood attacks and some
others are still possible - attacker can tunnel legitimate packets to the
other part of the network or broadcast large
number of HELLO packets - Multi path routing, bidirectional link
verification can also be used to prevent
particular types of attacks like selective
forwarding, HELLO flood
6Key management goals
- The protocol must establish a key between all
sensor nodes that must exchange data securely - Node addition / deletion should be supported
- It should work in undefined deployment
environment - Unauthorized nodes should not be allowed to
establish communication with network nodes
7Key Management Problem
Sensors
8Key Management Problem
Sensors
Secure Channels
9Key management constraints
- Sensor node constraints
- Battery power
- Computational energy consumption
- Communication energy consumption
- Transmission range
- Memory
- Temper protection
- Sleep pattern
- Network constraints
- Ad-hoc network nature
- Packet size
10Key management evaluation/comparison metrics
- Resilience against node capture how many node
are to be compromised in order to affect traffic
of not compromised nodes? - Addition how complicated is dynamic node
addition? - Revocation how complicated is dynamically node
revocation? - Supported network size what is the maximum
possible size of the network? - Note Since WSN can be used in a lot of different
ways it is not reasonable to look for one key
management approach to suite all needs 20 000
node network deployed from the airplane over a
battle field has quite different requirements
from 10 node network installed to guard the
perimeter of the house
11Key management approaches classification
12Approaches to be discussed
- Pre-deployed keying
- Key pre-deployment/ Key pre-distribution
- Key derivation information pre-deployment
- Self-enforcing autonomous approaches
- Public-Key Schemes (pairwise asymmetric )
- Expensive and infeasible for sensors.
- Arbitrated protocols
- Trusted-Server Schemes
- Finding trusted servers is difficult.
- Identity based hierarchical keying
13Pre-deployed keying
- Key pre-distribution / Key pre-deployment
- Straightforward approaches
- Eschenauer / Gligor random key pre-deployment
- Chan / Perrig q-composite approach
- Zhu / Xu approach
- DiPietro smart attacker model and PRK protocol
- Key derivation information pre-deployment
- Liu / Ning polynomial pre-deployment
14Key Pre-distribution
- Loading Keys into sensor nodes prior to
deployment - Two nodes find a common key between them after
deployment - Challenges
- Memory/Energy efficiency
- Security nodes can be compromised
- Scalability new nodes might be added later
15Straight forward approaches
- Master-Key Approach
- Memory efficient, but low security.
- Needs Tamper-Resistant Hardware.
- Pair-wise Key Approach
- N-1 keys for each node (e.g. N10,000).
- Security is perfect.
- Need a lot of memory and addition / deletion of
the node and re-keying are complex. - Most of the keys would be unusable.
16Establishing Secure Channels
B
A
C
17Basic probabilistic approach
- Due to Eschenauer and Gligor
- Relies on probabilistic key sharing among nodes
- Uses simple shared-key discovery protocol for key
distribution, revocation and node re-keying - Three phases are involved
- key pre-distribution,
- shared-key discovery,
- path-key establishment
-
18Key pre-distribution
- Generate a large key pool P (217-220 keys) and
corresponding key id - Create n key rings by randomly selecting k keys
from P - Load key rings into nodes memory
- Save key ids of a key ring and associated node id
on a trusted controller - For each node, load the i-th controller node with
a key Kci which it shares with that controller
node
19Shared-key discovery
- Takes place during initialization phase after WSN
deployment. - Each node discovers its neighbor in communication
range with which it shares at least one key - Nodes can exchange ids of keys that they posses
to discover a common key - A more secure approach
- Broadcast a challenge for each key in the key
ring such that each challenge is encrypted with
some particular key i.e. broadcast a, EKi (a),
i1, , k, . - The decryption of a challenge is possible only if
a shared key exists
20Path-key establishment
- During this phase path-keys are assigned to
selected pairs of sensor nodes that are within
communication range of each other, but do not
share a key - Node S may broadcast the message with its id, id
of intended node D and some key that it posses
but not currently uses, to all nodes with which
it currently has an established link. Those nodes
rebroadcast the message to their neighbors - Once this message reaches node D (possibly
through a long path) D contacts S - Analysis shows that after the shared-key
discovery phase a number of keys on a key ring
are left unused
21Simulation results
1000 nodes, 40 nodes neighborhood, P10000
number of hops
Path length to neighbors
22Key revocation
- A controller node broadcasts a message containing
a list of k key ids for the key ring to be
revoked - This message is signed with signature key Ke
- Ke is encrypted with Kci and unicasted to all
nodes prior to revocation. - Kci are shared by i-th controller with each node
- After obtaining a signature key, each node
locates received ids in its key ring and removes
the corresponding keys if any - Since some links might disappear they should be
reestablished using keys that are left in the key
ring
23Resiliency to node capture
- More robust than approaches that use single
mission key - In case a node is captured kltltn keys are obtained
- This means that the attacker has a probability of
k/P to attack successfully any other WSN link
24WSN connectivity
- Two nodes are connected if they share a key
- Full connectivity of WSN is not required
- Two important questions
- What should be the expected degree of a node so
that WSN is connected? - Given expected degree of a node what values
should the key ring size, k, and pool, P, have
for a network of size n so that WSN is connected? - Random-graph theory helps in answering the first
question
25Random graphs
- A random graph G(n,p) is a graph of n nodes for
which the probability that a link between any two
nodes exists is p - Question what value should p have so that it is
almost certainly true that graph G(n,p) is
connected? - Pc is a desired probability for the graph
connectivity - Based on the formulas above p and dp(n-1) can be
found (d expected degree of a node)
Erdos-Renyi formula
(1)
(2)
26Random-graphs (cont.)
Expected degree of node vs. number of nodes,
where PcPrG(n,p) is connected
27Key ring and key pool sizes
- Due to the limited communication capabilities a
number of nodes with which a particular node can
communicate is nltltn - This means that the probability of two nodes
sharing at least one key in their key rings of
size k is pd/(n-1)gtgtp - Key pool size P can be derived as a function of
k -
28Key ring and key pool sizes (cont.)
- Since keys are drawn out of a pool P without
replacement, the number of key rings can be
expressed as follows - Lets pick the first key ring, the total number
of possible key rings that do not share a key
with this key ring is the number of key-rings
that can be drawn out of remaining P-k unused
keys in pool, which is
29Key ring and key pool sizes (cont.)
- Consequently, the probability that no key is
shared between the two rings is the ratio of the
number of rings without a match by the total
number of rings. - Since P is very large Stirlings approximation
can be used to derive the final expression for
p -
(3)
30Key ring and key pool size (cont.)
Probability of sharing at least one key when two
nodes choose k keys from a pool of size P
31Eschenauer-Gligor Scheme
Key Pool S
Each node randomly selects m keys
A
B
E
D
C
- When S 10,000, m75
- Pr (two nodes have a common key) 0.50
32Key ring and key pool size example
- WSN contains n10000 nodes, desired probability
of network connectivity is Pc0.99999,
communication range supports 40 nodes
neighborhoods - According to the formula (1) c11.5, therefore
p210-3 - d210-3999920
- This means that if each node can communicate with
on average 20 other nodes the network will be
connected - p20/(40-1)0.5
- According to formula (3) k can be set to 250 and
P can be set to 100000
33q-composite approach
- Enhancement of the basic probabilistic approach
- Idea nodes should share q keys instead of only
one - Approach
- Key pool P is an ordered set
- During initialization phase nodes broadcast ids
of keys that they have - After discovery each nodes identifies the
neighbor with which it share at least q keys - Communication key is computed as a hash of all
shared keys - Keys appear in hash in the same order as in key
pool
34Benefits of q-composite approach
- q-composite approach has greater resiliency to
node capture than the basic approach if small
number of nodes were captured - Simulations show that for q2, the amount of
additional communications compromised when 50
nodes (out of 10000) have been compromised is
4.74, as opposed to 9.52 in the basic scheme - However if large number of nodes have been
compromised q-composite scheme exposes larger
portion of network than the basic approach - The larger q is the harder it is to obtain
initial information - Parameter q can be customized to achieve required
balance for a particular network
35Zhu / Xu approach
- Another modification of the basic probabilistic
approach - Major enhancement
- Pseudorandom number generator is used to improve
security of key discovery algorithm - Also uses secret sharing which jointly with
logical paths allows nodes to establish a
pairwise key that is exclusively known to the two
nodes (in contrast to basic probabilistic
approach, where other nodes might also know some
particular key)
36Zhu / Xu approach key pre-distribution
- Background use a pseudo-random number generator,
or PRNG. Given the same seed, a PRNG will always
output the same sequence of values. - Key pool P of size l is generated
- For each node u, pseudorandom number generator is
used to generate the set of m distinct integers
between 1 and l (key ids). Nodes id u is used as
a seed. - Each node is loaded with key ring of size m
- Keys for the key rings are selected from key pool
P in correspondence with integers (key ids)
generated for a particular node by PRNG - This allows any node u that knows another nodes
id v to determine the set of ids of keys that v
posseses
37Zhu / Xu approach Logical path establishment
- The keys established on previous step are not
exclusive, however they can be used to establish
exclusive key - During the network initialization phase, nodes
discover so called logical paths - Nodes can establish a direct path in case they
share a common key on their key rings - In case nodes do not share a key authors propose
a path-key establishment algorithm similar to one
in basic probabilistic approach, - The difference is that nodes try to establish
several logical paths, which later should help in
establishing a pairwise key
38Zhu / Xu pairwise key establishment
- The next step of network initialization is
pairwise key establishment - A sender node randomly generates a secret key ks
- Then derives n-1 random strings sk1, sk2,,
skn-1 - skn is computed as follows skn ks XOR sk1XOR
sk2 XOR,, XOR skn-1 - This way a recipient has to receive all n shares
in order to derive a secret key ks
39Zhu / Xu pairwise key establishment
- After secret shares are computed, each of them is
send to the recipient using different logical
path - Once all shares are received the recipient can
confirm the establishment of pairwise key by
sending a HELLO message encoded with a new key - Authors provide a framework to decide
- number of shares
- and the way they are sent
40Further enhancements
- So far all the discussed approaches have used one
of the following algorithms for shared-key
discovery - Key id notification
- Challenge response
- Pseudorandom key id generation
- Those algorithms work well against so called
oblivious attacker, the one that randomly
selects next sensor to compromise - What if attacker selects nodes that will allow
him to compromise the network faster, based on
already obtained information (key ids)? - This is the case of so called smart attacker
41Smart attacker
- More precisely smart attacker can be defined as
follows - at each step of the attack sequence, the next
sensor to tamper is sensor s, where s maximizes
EG(s) I(s), the expectation of the key
information gain G(s) given the information I(s)
the attacker knows on sensor s key-ring - Simulations show that Key id notification and
pseudorandom key id generation can be easily
beaten by the smart attacker - Challenge response performs better
-
42Simulation results
Experimental results on id notification and
pseudorandom key id generation Number of sensors
to corrupt in order to compromise an arbitrary
channel.
43Simulation results
Experimental results on challenge
response Number of sensors to corrupt in order
to compromise an arbitrary channel.
44PRK algorithm
- Why not using challenge response? Inefficient
- DiPietro et al. suggested a new algorithm that
achieves the following goal - Define a key pre-deployment scheme that supports
an efficient and secure key discovery phase, - as efficient as pseudorandom key id generation
(no message exchange) and - as secure as challenge response
45PRK algorithm
- Key pre-distribution
- For each sensor sa
- For all keys vPi of the pool P, compute zfy(a
vPi) - Iff z0 mod (P/K), then put vPi into the key ring
Va of sensor sa - Assumption P/K divides by 2h, where h is the size
of the input - Key discovery
- In case sensor sb wants to establish a secure
channel with sensor sa it has to perform the
following calculations - For each key vbj in its key ring sensor sb
computes zfy(avbj) - If z0 mod (P/K), sensor sa also has key sb
46PRK algorithm analysis
- Benefits
- Complexity is comparable to pseudo-random index
transformation no message exchange and K
applications of the pseudo-random function. - Only who already knows key vPi can know whether
sensor sa has that key or not by computing
zfy(avbj) and checking out if - z0 mod( P/K ). All other entities gets no
information from z. This is exactly the same
information revealed by challenge response
47PRK algorithm analysis
- Drawbacks
- Not enough control of key ring size it is
possible that applying the formula to sensor id
and key in a key pool will yield key ring that is
- too large - larger than sensor memory
- too small not enough for the network to be
connected - In either case node id a should be regenerated
- Authors prove that it is feasible to regenerate
sensor ids to achieve required properties
48PRK algorithm simulations
Experimental results on PRK algorithm number of
sensors to corrupt in order to compromise an
arbitrary channel. The PRK algorithm is as secure
as challenge response and in the same time as
efficient as pseudorandom key id generation
49Background polynomial based key pre-distribution
- Polynomial based key pre-distribution scheme
reduces the amount of pre-distributed information
still allowing each pair of nodes to compute a
shared key - Polynomial based key pre-distribution is
?-collusion resistant, meaning that as long as ?
or less nodes are compromised the rest of the
network is secure - Utilizes polynomial shares
50Polynomial based key pre-distribution
initialization
- Special case ?1
- Each node has an id rU which is unique and is a
member of finite field Zp - Three elements a, b, c are chosen from Zp
- Polynomial f(x,y) (a b(x y) cxy) mod p is
generated - For each node polynomial share gu(x) (an bnx)
mod p - where an (a brU) mod p and bn (b crU)
mod p is formed and pre-distributed
51Polynomial based key pre-distribution key
discovery
- In order for node U to be able to communicate
with node V the following computations have to be
performed - Ku,v Kv,u f(ru,rv) (a b(rurv) crurv )mod
p - U computes Ku,v gu(rv)
- V computes Kv,u gv(ru)
52Polynomial based key pre-distribution example
- Example
- 3 nodes U, V, W, with the following ids 12, 7,
1 respectively - p17 (chosen parameter)
- a8, b7, c2 (chosen parameters)
- Polynomial f(x,y) 87(xy)2xy
- g polynomials are gu(x) 7 14x, gv(x) 6
4x, - gw(x) 159x
- Keys are Ku,v3, Ku,v4, Ku,v10
- U computes Ku,v gu(rv) 7147mod17 3
- V computes Kv,u gv(ru) 6412mod17 3
53Polynomial based key pre-distribution
generalization
- Polynomial based key pre-distribution scheme can
be generalized to any ? by changing polynomials
in the following way - is a randomly generated, bivariate
?-degree, symmetric polynomial over finite field
Zp, pn is prime
54Liu-Ning approach
- Combination of polynomial-based key
pre-distribution and the key pool idea discussed
above - Increases network resilience to node capture
- Can tolerate no more than ? compromised nodes,
where ? is constrained by the size of memory of a
node - Idea use a pool of randomly generated
polynomials - When pool contains only one polynomial the
approach degenerates to basic polynomial based
key pre-distribution scheme - When all polynomials are of degree 0 the approach
degenerates to key pool approach - Three phases are involved setup, direct key
establishment, path key establishment
55Setup phase
- Set F of bivariate ?-degree polynomials over
finite field Fq is generated - Each polynomial is assigned a unique id
- For each sensor node a subset of s polynomial is
randomly chosen from F - For each polynomial in the chosen subset a
polynomial share is loaded into nodes memory
56Direct key establishment phase
- During this phase all possible direct links are
established - A node can establish a direct link with another
node if they both share a polynomial share of a
particular polynomial - How to find common polynomial? Use above
discussed approaches
57Path key establishment phase
- If direct connection establishment fails nodes
have to start path key establishment phase - Nodes need to find a path such that each
intermediate nodes share a common key - Node may broadcast the message with polynomials
ids that it posses to all nodes with which it
currently has an established link - Once this message reaches the intended node
(possible through a long path) this node computes
a key and contacts the initiator of path key
establishment - Drawback may introduce considerable
communication overhead
58Simulation results
The probability p that 2 sensors share a
polynomial vs size s of the polynomial pool (s
number of polynomial shares in each sensor)
59Simulation results comparison with other
approaches
Fraction of compromised links between non
compromised nodes vs number of compromised
nodes (20000 nodes, nodes can store equivalent of
200 keys)
60Grid-based key pre-distribution
- Instance of general framework discussed above
- Benefits
- Guarantees that any two nodes can establish a
pairwise key, if no nodes were compromised - Allows sensors to directly determine whether it
can establish a pairwise key with another node
and which polynomial to use in case of positive
answer
61Subset assignment
- 2m ?-degree polynomials are generated
- , where
- and N is the size of the network
- Each row of the grid is associated with
polynomial - and each column is associated with
polynomial - For each sensor an unoccupied intersection (i, j)
of the grid is selected and assigned to the node
62Subset assignment (cont.)
- The id of the node is created by concatenation of
binary representations of i and j. IDlt ib jb gt - Intersections should be densely selected within a
rectangle area of the grid - Polynomial shares of corresponding (row / column)
polynomials together with id are pre-distributed
to each node
63Node assignment in the grid
Node assignment in the grid
64Polynomial share discovery
- To establish a pairwise key with node j, node i
checks whether cicj or rirj - If either of conditions hold, nodes have a
polynomial share of the same polynomial,
consequently they can compute a common key
directly - Otherwise nodes have to go through path discovery
65Path discovery
- Idea nodes can use intermediate nodes to help in
establishing a common key - The intermediate node should be located in either
the same row / column as first node or same
column / row as a second node - This way intermediate node definitely share a
polynomial with both nodes - Note there are only two of such intermediate
nodes for each pair of nodes - What if both if them are compromised /
unreachable? - The path through the grid should be established
- Authors developed an efficient protocol to
accomplish this - The main idea of the protocol is that
intermediate nodes try to forward the request to
the node that is located in the same row / column
as a destination
66Path discovery example
Establishing a path through the grid
67Summary
- Robust security mechanisms are vital to the wide
acceptance and use of sensor networks for many
applications - Key management in turns is one the most important
aspects in any security architecture - Various peculiarities of Wireless Sensor Networks
make the development of good key management
scheme a challenging task - We have discussed several approaches to key
management in WSN - All of them have strong and weak points
- The diverse nature of WSN usage makes it not
reasonable to look for some particular approach
that would be suitable for all cases
68Bibliography
- I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, E.
Cyirci. Wireless Sensor Networks A Survey.
Computer Networks, 38(4)393-422, 2002. - C. Karlof and D. Wagner, Secure Routing in
Wireless Sensor Networks Attacks and
Countermeasures. First IEEE International
Workshop on Sensor Network Protocols and
Applications, May 2003 - D. Carman, P. Kruus, and B. Matt. Constraints
and approaches for distributed sensor network
security. NAI Labs Technical Report 00-010,
September 2000 - L. Eschenauer and V. Gligor. A Key-Management
Scheme for Distributed Sensor Networks. In Proc.
of ACM CCS02, November 2002 - H. Chan, A. Perrig, D. Song Random Key
Predistribution Schemes for Sensor Networks. In
2003 IEEE Symposium on Research in Security and
Privacy - S. Zhu, S. Xu, S. Setia, S. Jajodia Establishing
Pair-wise Keys For Secure Communication in Ad Hoc
Networks A Probabilistic Approach. In Proc. of
the 11th IEEE International Conference on Network
Protocols - R. Di Pietro, L. Mancini, A. Mei. Efficient and
Resilient Key Discovery Based on Pseudo-Random
Key Pre-Deployment. 18th International Parallel
and Distributed Processing Symposium
69Bibliography
- D. Liu, P. Ning, Establishing Pairwise Keys in
Distributed Sensor Networks, 10th ACM CCS '03,
Washington D.C., October, 2003 - G. Jolly, M. Kusçu, P. Kokate, M. Younis. A
Low-Energy Key Management Protocol for Wireless
Sensor Networks. Eighth IEEE International
Symposium on Computers and Communications - G. Gaubatz, J.Kaps, B. Sunar Public Key
Cryptography in Sensor Networks Revisited. 1st
European Workshop on Security in Ad-Hoc and
Sensor Networks - C. Blundo, A. De Santis, A. Herzberg, S. Kutten,
U. Vaccaro, and M. Yung. Perfectly secure key
distribution for dynamic conferences. In
Information and Computation, 146 (1), 1998, pp
1-23. - Introduction to Modern Cryptography by M.
Bellare, P. Rogaway November 3, 2003 - Handbook of Applied Cryptography, by A.
Menezes, P. van Oorschot, and S. Vanstone, CRC
Press, 1996. - The Strange Logic of Random Graphs, Joel H.
Spencer - Nanotechnology website http//www.nanotech-now.com
70Bibliography
- W. Du, J. Deng, Y. Han, S. Chen, P. Varshney. A
Key Management Scheme for Wireless Sensor
Networks Using Deployment Knowledge. IEEE Infocom
2004. - D. Huang, M. Mehta, D. Medhi, L. Harn.
Location-aware Key Management for Wireless Sensor
Networks. 2004 ACM Workshop on Security of Ad Hoc
and Sensor Networks. (SASN 04)