Security in Wireless Sensor Networks: Key Management Approaches

1
Security in Wireless Sensor Networks Key
Management Approaches

2
References

• Security in Wireless Sensor Networks Key
  Management Approaches, Vasyl A. Radzevych and
  Sunu Mathew
• Securing Wireless Sensor Networks, Wenliang
  (Kevin) Du, Department of Electrical Engineering
  and Computer Science, Syracuse University

3
Overview

• Security issues in WSN
• Key management approaches in WSN
• Overview
• Pre-Deployed Keying
• Key pre-deployment
• Key derivation information pre-deployment
• Location aware pre-deployed keying
• Random Key Pre-deployment (P-RKP)
• Key derivation information pre-deployment
• Autonomous protocols
• Pairwise asymmetric (public key)
• Arbitrated protocols
• Identity based group keying
• Conclusions

4
Attacks on WSN

• Main types of attacks on WSN are
• spoofed, altered, or replayed routing information
• selective forwarding
• sinkhole attack
• sybil attack
• wormholes
• HELLO flood attacks
• acknowledgment spoofing

5
Overview of Countermeasures

• Link layer encryption prevents majority of
  attacks bogus routing information, Sybil
  attacks, acknowledgment spoofing, etc.
• This makes key management architecture of a great
  importance
• Wormhole attack, HELLO flood attacks and some
  others are still possible
• attacker can tunnel legitimate packets to the
  other part of the network or broadcast large
  number of HELLO packets
• Multi path routing, bidirectional link
  verification can also be used to prevent
  particular types of attacks like selective
  forwarding, HELLO flood

6
Key management goals

• The protocol must establish a key between all
  sensor nodes that must exchange data securely
• Node addition / deletion should be supported
• It should work in undefined deployment
  environment
• Unauthorized nodes should not be allowed to
  establish communication with network nodes

7
Key Management Problem
Sensors
8
Key Management Problem
Sensors
Secure Channels
9
Key management constraints

• Sensor node constraints
• Battery power
• Computational energy consumption
• Communication energy consumption
• Transmission range
• Memory
• Temper protection
• Sleep pattern
• Network constraints
• Ad-hoc network nature
• Packet size

10
Key management evaluation/comparison metrics

• Resilience against node capture how many node
  are to be compromised in order to affect traffic
  of not compromised nodes?
• Addition how complicated is dynamic node
  addition?
• Revocation how complicated is dynamically node
  revocation?
• Supported network size what is the maximum
  possible size of the network?
• Note Since WSN can be used in a lot of different
  ways it is not reasonable to look for one key
  management approach to suite all needs 20 000
  node network deployed from the airplane over a
  battle field has quite different requirements
  from 10 node network installed to guard the
  perimeter of the house

11
Key management approaches classification
12
Approaches to be discussed

• Pre-deployed keying
• Key pre-deployment/ Key pre-distribution
• Key derivation information pre-deployment
• Self-enforcing autonomous approaches
• Public-Key Schemes (pairwise asymmetric )
• Expensive and infeasible for sensors.
• Arbitrated protocols
• Trusted-Server Schemes
• Finding trusted servers is difficult.
• Identity based hierarchical keying

13
Pre-deployed keying

• Key pre-distribution / Key pre-deployment
• Straightforward approaches
• Eschenauer / Gligor random key pre-deployment
• Chan / Perrig q-composite approach
• Zhu / Xu approach
• DiPietro smart attacker model and PRK protocol
• Key derivation information pre-deployment
• Liu / Ning polynomial pre-deployment

14
Key Pre-distribution

• Loading Keys into sensor nodes prior to
  deployment
• Two nodes find a common key between them after
  deployment
• Challenges
• Memory/Energy efficiency
• Security nodes can be compromised
• Scalability new nodes might be added later

15
Straight forward approaches

• Master-Key Approach
• Memory efficient, but low security.
• Needs Tamper-Resistant Hardware.
• Pair-wise Key Approach
• N-1 keys for each node (e.g. N10,000).
• Security is perfect.
• Need a lot of memory and addition / deletion of
  the node and re-keying are complex.
• Most of the keys would be unusable.

16
Establishing Secure Channels
B
A
C
17
Basic probabilistic approach

• Due to Eschenauer and Gligor
• Relies on probabilistic key sharing among nodes
• Uses simple shared-key discovery protocol for key
  distribution, revocation and node re-keying
• Three phases are involved
• key pre-distribution,
• shared-key discovery,
• path-key establishment

18
Key pre-distribution

• Generate a large key pool P (217-220 keys) and
  corresponding key id
• Create n key rings by randomly selecting k keys
  from P
• Load key rings into nodes memory
• Save key ids of a key ring and associated node id
  on a trusted controller
• For each node, load the i-th controller node with
  a key Kci which it shares with that controller
  node

19
Shared-key discovery

• Takes place during initialization phase after WSN
  deployment.
• Each node discovers its neighbor in communication
  range with which it shares at least one key
• Nodes can exchange ids of keys that they posses
  to discover a common key
• A more secure approach
• Broadcast a challenge for each key in the key
  ring such that each challenge is encrypted with
  some particular key i.e. broadcast a, EKi (a),
  i1, , k, .
• The decryption of a challenge is possible only if
  a shared key exists

20
Path-key establishment

• During this phase path-keys are assigned to
  selected pairs of sensor nodes that are within
  communication range of each other, but do not
  share a key
• Node S may broadcast the message with its id, id
  of intended node D and some key that it posses
  but not currently uses, to all nodes with which
  it currently has an established link. Those nodes
  rebroadcast the message to their neighbors
• Once this message reaches node D (possibly
  through a long path) D contacts S
• Analysis shows that after the shared-key
  discovery phase a number of keys on a key ring
  are left unused

21
Simulation results
1000 nodes, 40 nodes neighborhood, P10000
number of hops
Path length to neighbors
22
Key revocation

• A controller node broadcasts a message containing
  a list of k key ids for the key ring to be
  revoked
• This message is signed with signature key Ke
• Ke is encrypted with Kci and unicasted to all
  nodes prior to revocation.
• Kci are shared by i-th controller with each node
  
• After obtaining a signature key, each node
  locates received ids in its key ring and removes
  the corresponding keys if any
• Since some links might disappear they should be
  reestablished using keys that are left in the key
  ring

23
Resiliency to node capture

• More robust than approaches that use single
  mission key
• In case a node is captured kltltn keys are obtained
• This means that the attacker has a probability of
  k/P to attack successfully any other WSN link

24
WSN connectivity

• Two nodes are connected if they share a key
• Full connectivity of WSN is not required
• Two important questions
• What should be the expected degree of a node so
  that WSN is connected?
• Given expected degree of a node what values
  should the key ring size, k, and pool, P, have
  for a network of size n so that WSN is connected?
• Random-graph theory helps in answering the first
  question

25
Random graphs

• A random graph G(n,p) is a graph of n nodes for
  which the probability that a link between any two
  nodes exists is p
• Question what value should p have so that it is
  almost certainly true that graph G(n,p) is
  connected?
• Pc is a desired probability for the graph
  connectivity
• Based on the formulas above p and dp(n-1) can be
  found (d expected degree of a node)

Erdos-Renyi formula
(1)
(2)
26
Random-graphs (cont.)
Expected degree of node vs. number of nodes,
where PcPrG(n,p) is connected
27
Key ring and key pool sizes

• Due to the limited communication capabilities a
  number of nodes with which a particular node can
  communicate is nltltn
• This means that the probability of two nodes
  sharing at least one key in their key rings of
  size k is pd/(n-1)gtgtp
• Key pool size P can be derived as a function of
  k

28
Key ring and key pool sizes (cont.)

• Since keys are drawn out of a pool P without
  replacement, the number of key rings can be
  expressed as follows
• Lets pick the first key ring, the total number
  of possible key rings that do not share a key
  with this key ring is the number of key-rings
  that can be drawn out of remaining P-k unused
  keys in pool, which is

29
Key ring and key pool sizes (cont.)

• Consequently, the probability that no key is
  shared between the two rings is the ratio of the
  number of rings without a match by the total
  number of rings.
• Since P is very large Stirlings approximation
  can be used to derive the final expression for
  p

(3)
30
Key ring and key pool size (cont.)
Probability of sharing at least one key when two
nodes choose k keys from a pool of size P
31
Eschenauer-Gligor Scheme
Key Pool S
Each node randomly selects m keys
A
B
E
D
C

• When S 10,000, m75
• Pr (two nodes have a common key) 0.50

32
Key ring and key pool size example

• WSN contains n10000 nodes, desired probability
  of network connectivity is Pc0.99999,
  communication range supports 40 nodes
  neighborhoods
• According to the formula (1) c11.5, therefore
  p210-3
• d210-3999920
• This means that if each node can communicate with
  on average 20 other nodes the network will be
  connected
• p20/(40-1)0.5
• According to formula (3) k can be set to 250 and
  P can be set to 100000

33
q-composite approach

• Enhancement of the basic probabilistic approach
• Idea nodes should share q keys instead of only
  one
• Approach
• Key pool P is an ordered set
• During initialization phase nodes broadcast ids
  of keys that they have
• After discovery each nodes identifies the
  neighbor with which it share at least q keys
• Communication key is computed as a hash of all
  shared keys
• Keys appear in hash in the same order as in key
  pool

34
Benefits of q-composite approach

• q-composite approach has greater resiliency to
  node capture than the basic approach if small
  number of nodes were captured
• Simulations show that for q2, the amount of
  additional communications compromised when 50
  nodes (out of 10000) have been compromised is
  4.74, as opposed to 9.52 in the basic scheme
• However if large number of nodes have been
  compromised q-composite scheme exposes larger
  portion of network than the basic approach
• The larger q is the harder it is to obtain
  initial information
• Parameter q can be customized to achieve required
  balance for a particular network

35
Zhu / Xu approach

• Another modification of the basic probabilistic
  approach
• Major enhancement
• Pseudorandom number generator is used to improve
  security of key discovery algorithm
• Also uses secret sharing which jointly with
  logical paths allows nodes to establish a
  pairwise key that is exclusively known to the two
  nodes (in contrast to basic probabilistic
  approach, where other nodes might also know some
  particular key)

36
Zhu / Xu approach key pre-distribution

• Background use a pseudo-random number generator,
  or PRNG. Given the same seed, a PRNG will always
  output the same sequence of values.
• Key pool P of size l is generated
• For each node u, pseudorandom number generator is
  used to generate the set of m distinct integers
  between 1 and l (key ids). Nodes id u is used as
  a seed.
• Each node is loaded with key ring of size m
• Keys for the key rings are selected from key pool
  P in correspondence with integers (key ids)
  generated for a particular node by PRNG
• This allows any node u that knows another nodes
  id v to determine the set of ids of keys that v
  posseses

37
Zhu / Xu approach Logical path establishment

• The keys established on previous step are not
  exclusive, however they can be used to establish
  exclusive key
• During the network initialization phase, nodes
  discover so called logical paths
• Nodes can establish a direct path in case they
  share a common key on their key rings
• In case nodes do not share a key authors propose
  a path-key establishment algorithm similar to one
  in basic probabilistic approach,
• The difference is that nodes try to establish
  several logical paths, which later should help in
  establishing a pairwise key

38
Zhu / Xu pairwise key establishment

• The next step of network initialization is
  pairwise key establishment
• A sender node randomly generates a secret key ks
• Then derives n-1 random strings sk1, sk2,,
  skn-1
• skn is computed as follows skn ks XOR sk1XOR
  sk2 XOR,, XOR skn-1
• This way a recipient has to receive all n shares
  in order to derive a secret key ks

39
Zhu / Xu pairwise key establishment

• After secret shares are computed, each of them is
  send to the recipient using different logical
  path
• Once all shares are received the recipient can
  confirm the establishment of pairwise key by
  sending a HELLO message encoded with a new key
• Authors provide a framework to decide
• number of shares
• and the way they are sent

40
Further enhancements

• So far all the discussed approaches have used one
  of the following algorithms for shared-key
  discovery
• Key id notification
• Challenge response
• Pseudorandom key id generation
• Those algorithms work well against so called
  oblivious attacker, the one that randomly
  selects next sensor to compromise
• What if attacker selects nodes that will allow
  him to compromise the network faster, based on
  already obtained information (key ids)?
• This is the case of so called smart attacker

41
Smart attacker

• More precisely smart attacker can be defined as
  follows
• at each step of the attack sequence, the next
  sensor to tamper is sensor s, where s maximizes
  EG(s) I(s), the expectation of the key
  information gain G(s) given the information I(s)
  the attacker knows on sensor s key-ring
• Simulations show that Key id notification and
  pseudorandom key id generation can be easily
  beaten by the smart attacker
• Challenge response performs better

42
Simulation results
Experimental results on id notification and
pseudorandom key id generation Number of sensors
to corrupt in order to compromise an arbitrary
channel.
43
Simulation results
Experimental results on challenge
response Number of sensors to corrupt in order
to compromise an arbitrary channel.
44
PRK algorithm

• Why not using challenge response? Inefficient
• DiPietro et al. suggested a new algorithm that
  achieves the following goal
• Define a key pre-deployment scheme that supports
  an efficient and secure key discovery phase,
• as efficient as pseudorandom key id generation
  (no message exchange) and
• as secure as challenge response

45
PRK algorithm

• Key pre-distribution
• For each sensor sa
• For all keys vPi of the pool P, compute zfy(a
  vPi)
• Iff z0 mod (P/K), then put vPi into the key ring
  Va of sensor sa
• Assumption P/K divides by 2h, where h is the size
  of the input
• Key discovery
• In case sensor sb wants to establish a secure
  channel with sensor sa it has to perform the
  following calculations
• For each key vbj in its key ring sensor sb
  computes zfy(avbj)
• If z0 mod (P/K), sensor sa also has key sb

46
PRK algorithm analysis

• Benefits
• Complexity is comparable to pseudo-random index
  transformation no message exchange and K
  applications of the pseudo-random function.
• Only who already knows key vPi can know whether
  sensor sa has that key or not by computing
  zfy(avbj) and checking out if
• z0 mod( P/K ). All other entities gets no
  information from z. This is exactly the same
  information revealed by challenge response

47
PRK algorithm analysis

• Drawbacks
• Not enough control of key ring size it is
  possible that applying the formula to sensor id
  and key in a key pool will yield key ring that is
  
• too large - larger than sensor memory
• too small not enough for the network to be
  connected
• In either case node id a should be regenerated
• Authors prove that it is feasible to regenerate
  sensor ids to achieve required properties

48
PRK algorithm simulations
Experimental results on PRK algorithm number of
sensors to corrupt in order to compromise an
arbitrary channel. The PRK algorithm is as secure
as challenge response and in the same time as
efficient as pseudorandom key id generation
49
Background polynomial based key pre-distribution

• Polynomial based key pre-distribution scheme
  reduces the amount of pre-distributed information
  still allowing each pair of nodes to compute a
  shared key
• Polynomial based key pre-distribution is
  ?-collusion resistant, meaning that as long as ?
  or less nodes are compromised the rest of the
  network is secure
• Utilizes polynomial shares

50
Polynomial based key pre-distribution
initialization

• Special case ?1
• Each node has an id rU which is unique and is a
  member of finite field Zp
• Three elements a, b, c are chosen from Zp
• Polynomial f(x,y) (a b(x y) cxy) mod p is
  generated
• For each node polynomial share gu(x) (an bnx)
  mod p
• where an (a brU) mod p and bn (b crU)
  mod p is formed and pre-distributed

51
Polynomial based key pre-distribution key
discovery

• In order for node U to be able to communicate
  with node V the following computations have to be
  performed
• Ku,v Kv,u f(ru,rv) (a b(rurv) crurv )mod
  p
• U computes Ku,v gu(rv)
• V computes Kv,u gv(ru)

52
Polynomial based key pre-distribution example

• Example
• 3 nodes U, V, W, with the following ids 12, 7,
  1 respectively
• p17 (chosen parameter)
• a8, b7, c2 (chosen parameters)
• Polynomial f(x,y) 87(xy)2xy
• g polynomials are gu(x) 7 14x, gv(x) 6
  4x,
• gw(x) 159x
• Keys are Ku,v3, Ku,v4, Ku,v10
• U computes Ku,v gu(rv) 7147mod17 3
• V computes Kv,u gv(ru) 6412mod17 3

53
Polynomial based key pre-distribution
generalization

• Polynomial based key pre-distribution scheme can
  be generalized to any ? by changing polynomials
  in the following way
• is a randomly generated, bivariate
  ?-degree, symmetric polynomial over finite field
  Zp, pn is prime

54
Liu-Ning approach

• Combination of polynomial-based key
  pre-distribution and the key pool idea discussed
  above
• Increases network resilience to node capture
• Can tolerate no more than ? compromised nodes,
  where ? is constrained by the size of memory of a
  node
• Idea use a pool of randomly generated
  polynomials
• When pool contains only one polynomial the
  approach degenerates to basic polynomial based
  key pre-distribution scheme
• When all polynomials are of degree 0 the approach
  degenerates to key pool approach
• Three phases are involved setup, direct key
  establishment, path key establishment

55
Setup phase

• Set F of bivariate ?-degree polynomials over
  finite field Fq is generated
• Each polynomial is assigned a unique id
• For each sensor node a subset of s polynomial is
  randomly chosen from F
• For each polynomial in the chosen subset a
  polynomial share is loaded into nodes memory

56
Direct key establishment phase

• During this phase all possible direct links are
  established
• A node can establish a direct link with another
  node if they both share a polynomial share of a
  particular polynomial
• How to find common polynomial? Use above
  discussed approaches

57
Path key establishment phase

• If direct connection establishment fails nodes
  have to start path key establishment phase
• Nodes need to find a path such that each
  intermediate nodes share a common key
• Node may broadcast the message with polynomials
  ids that it posses to all nodes with which it
  currently has an established link
• Once this message reaches the intended node
  (possible through a long path) this node computes
  a key and contacts the initiator of path key
  establishment
• Drawback may introduce considerable
  communication overhead

58
Simulation results
The probability p that 2 sensors share a
polynomial vs size s of the polynomial pool (s
number of polynomial shares in each sensor)
59
Simulation results comparison with other
approaches
Fraction of compromised links between non
compromised nodes vs number of compromised
nodes (20000 nodes, nodes can store equivalent of
200 keys)
60
Grid-based key pre-distribution

• Instance of general framework discussed above
• Benefits
• Guarantees that any two nodes can establish a
  pairwise key, if no nodes were compromised
• Allows sensors to directly determine whether it
  can establish a pairwise key with another node
  and which polynomial to use in case of positive
  answer

61
Subset assignment

• 2m ?-degree polynomials are generated
• , where
• and N is the size of the network
• Each row of the grid is associated with
  polynomial
• and each column is associated with
  polynomial
• For each sensor an unoccupied intersection (i, j)
  of the grid is selected and assigned to the node

62
Subset assignment (cont.)

• The id of the node is created by concatenation of
  binary representations of i and j. IDlt ib jb gt
• Intersections should be densely selected within a
  rectangle area of the grid
• Polynomial shares of corresponding (row / column)
  polynomials together with id are pre-distributed
  to each node

63
Node assignment in the grid
Node assignment in the grid
64
Polynomial share discovery

• To establish a pairwise key with node j, node i
  checks whether cicj or rirj
• If either of conditions hold, nodes have a
  polynomial share of the same polynomial,
  consequently they can compute a common key
  directly
• Otherwise nodes have to go through path discovery
  

65
Path discovery

• Idea nodes can use intermediate nodes to help in
  establishing a common key
• The intermediate node should be located in either
  the same row / column as first node or same
  column / row as a second node
• This way intermediate node definitely share a
  polynomial with both nodes
• Note there are only two of such intermediate
  nodes for each pair of nodes
• What if both if them are compromised /
  unreachable?
• The path through the grid should be established
• Authors developed an efficient protocol to
  accomplish this
• The main idea of the protocol is that
  intermediate nodes try to forward the request to
  the node that is located in the same row / column
  as a destination

66
Path discovery example
Establishing a path through the grid
67
Summary

• Robust security mechanisms are vital to the wide
  acceptance and use of sensor networks for many
  applications
• Key management in turns is one the most important
  aspects in any security architecture
• Various peculiarities of Wireless Sensor Networks
  make the development of good key management
  scheme a challenging task
• We have discussed several approaches to key
  management in WSN
• All of them have strong and weak points
• The diverse nature of WSN usage makes it not
  reasonable to look for some particular approach
  that would be suitable for all cases

68
Bibliography

• I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, E.
  Cyirci. Wireless Sensor Networks A Survey.
  Computer Networks, 38(4)393-422, 2002.
• C. Karlof and D. Wagner, Secure Routing in
  Wireless Sensor Networks Attacks and
  Countermeasures. First IEEE International
  Workshop on Sensor Network Protocols and
  Applications, May 2003
• D. Carman, P. Kruus, and B. Matt. Constraints
  and approaches for distributed sensor network
  security. NAI Labs Technical Report 00-010,
  September 2000
• L. Eschenauer and V. Gligor. A Key-Management
  Scheme for Distributed Sensor Networks. In Proc.
  of ACM CCS02, November 2002
• H. Chan, A. Perrig, D. Song Random Key
  Predistribution Schemes for Sensor Networks. In
  2003 IEEE Symposium on Research in Security and
  Privacy
• S. Zhu, S. Xu, S. Setia, S. Jajodia Establishing
  Pair-wise Keys For Secure Communication in Ad Hoc
  Networks A Probabilistic Approach. In Proc. of
  the 11th IEEE International Conference on Network
  Protocols
• R. Di Pietro, L. Mancini, A. Mei. Efficient and
  Resilient Key Discovery Based on Pseudo-Random
  Key Pre-Deployment. 18th International Parallel
  and Distributed Processing Symposium

69
Bibliography

• D. Liu, P. Ning, Establishing Pairwise Keys in
  Distributed Sensor Networks, 10th ACM CCS '03,
  Washington D.C., October, 2003
• G. Jolly, M. Kusçu, P. Kokate, M. Younis. A
  Low-Energy Key Management Protocol for Wireless
  Sensor Networks. Eighth IEEE International
  Symposium on Computers and Communications
• G. Gaubatz, J.Kaps, B. Sunar Public Key
  Cryptography in Sensor Networks Revisited. 1st
  European Workshop on Security in Ad-Hoc and
  Sensor Networks
• C. Blundo, A. De Santis, A. Herzberg, S. Kutten,
  U. Vaccaro, and M. Yung. Perfectly secure key
  distribution for dynamic conferences. In
  Information and Computation, 146 (1), 1998, pp
  1-23.
• Introduction to Modern Cryptography by M.
  Bellare, P. Rogaway November 3, 2003
• Handbook of Applied Cryptography, by A.
  Menezes, P. van Oorschot, and S. Vanstone, CRC
  Press, 1996.
• The Strange Logic of Random Graphs, Joel H.
  Spencer
• Nanotechnology website http//www.nanotech-now.com
  

70
Bibliography

• W. Du, J. Deng, Y. Han, S. Chen, P. Varshney. A
  Key Management Scheme for Wireless Sensor
  Networks Using Deployment Knowledge. IEEE Infocom
  2004.
• D. Huang, M. Mehta, D. Medhi, L. Harn.
  Location-aware Key Management for Wireless Sensor
  Networks. 2004 ACM Workshop on Security of Ad Hoc
  and Sensor Networks. (SASN 04)