A Pairwise Key Pre-Distribution Scheme for Wireless Sensor Networks Wenliang (Kevin) Du, Jing Deng, Yunghsiang S. Han and Pramod K. Varshney Department.

A Pairwise Key Pre-Distribution Scheme for Wireless Sensor Networks

Wenliang (Kevin) Du, Jing Deng, Yunghsiang S. Han and Pramod K.

VarshneyDepartment of EECSSyracuse University

Overview Wireless Sensor Networks (WSN). Key management problem in WSN. Existing solutions. Our solution. Security and performance analysis. Conclusion and future work.

Wireless Sensor Networks

DeploySensors

Securing WSN

DeploySensors

Secure Channels

Problem Description How can each pair of neighboring

nodes find a secret key? Pairwise: secret keys are unique

for each pair. Can be used for authentication.

Approaches Trusted-Server Schemes

Finding trusted servers is difficult. Public-Key Schemes

Expensive and infeasible for sensors. Key Pre-distribution Schemes

Goal: Loading Keys into sensor nodes prior to deployment, s.t. any two nodes can find a secret key between them after deployment

Challenges Security: nodes can be compromised Scalability: new nodes might be added later Memory/Energy efficiency Authentication: pairwise keys

Key Pre-distribution

Naïve Solutions Master-Key Approach

Memory efficient, but low security. Needs Tamper-Resistant Hardware.

Pair-wise Key Approach N-1 keys for each node (e.g.

N=10,000). Security is perfect. Need a lot of memory and cannot add

new nodes.

Eschenauer-Gligor Scheme

m keys (random)

m

AB

E

D

CKey Pool S

m

mm

• E.g., when |S| = 10,000, m=75, the local connectivity p = 0.50

• This scheme is further improved by Chan, Perrig, and Song (IEEE S&P 2003).

Our Goal Pairwise key pre-distribution

scheme. Use Blom Scheme.

Further improvement on performance and resilience. Use random key pre-distribution

scheme.

Blom Scheme Public matrix G Private matrix D (symmetric).

D G

+1 N

+1

+1

A G = (D G)T G = GT DT G = GT D G = (A G)T

Let A = (D G)T

Blom Scheme

X=

A = (D G)T G (D G)T G

i

j

i j

Kji

Kij

N

+1 NN

Node i carries:

Node j carries:

G Matrix

To achieve -secure:Any +1 columns of G must be linearly independent.Vandermonde matrix has such a property.

1 1 1 1

s s2 s3 sN

s2 (s2)2 (s3)2 (sN)2

s (s2) (s3) (sN)

G =

Properties of Blom Scheme Blom’s Scheme

Network size is N Any pair of nodes can directly find a

secret key Tolerate compromise up to nodes Need to store +2 keys

Our next goal: increase without increasing the storage usage.

Multiple Space Scheme

(D2, G)

(D1, G)

(D, G)

Key-Space Pool

spaces

spaces

spaces

Two nodes can find a pairwiseKey if they carry a commonKey space!

How to select and ? If the memory usage is m, the

security threshold (probablistic) m is

To improve the security, we need to increase /2.

However, such an increase affects the connectivity.

2 mm

Measure Local Connectivity

plocal = the probability that two neighboring nodescan find a common key.

!)!2())!((

)(

))(( 2

21

localp

Plocal for different and

Security Analysis Network Resilience:

When x nodes are compromised, how many other secure links are affected?

jxjx

j

xj

xc

)1())((

d)compromise are nodes |broken is Pr(

1

Resilience (p = 0.33, m=200)

Blom

Resilience (p = 0.50, m =200)

Blom

Other Analysis Communication overhead Computation overhead

Improvement:Using Two-hop Neighbors

= 7 = 2

= 31 = 2

Conclusion We have proposed a pairwise key

pre-distribution scheme for WSN. We analyzed security,

computational overhead, communication overhead.

Our scheme substantially improves the network resilience.

Independent Discoveries The similar scheme is

independently discovered by two other groups: Liu and Ning from NC State (next

talk). Katz and his group from University of

Maryland.