
Research Article
Enhanced Key Management Protocols for Wireless Sensor Networks

Baojiang Cui,1 Ziyue Wang,1 Bing Zhao,2 Xiaobing Liang,2 and Yuemin Ding3

1 School of Computer, Beijing University of Posts and Telecommunications, Beijing 100876, China
2 State Grid Metering Center, Beijing 100192, China
3 Department of Electronic Systems Engineering, Hanyang University, Ansan 426791, Republic of Korea

Correspondence should be addressed to Baojiang Cui; cuibj@bupt.edu.cn

Received 29 August 2014; Accepted 1 September 2014

Academic Editor: David Taniar

Copyright © 2015 Baojiang Cui et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

With rapid development and extensive use of wireless sensor networks (WSNs), it is urgent to enhance the security for WSNs, in which key management is an effective way to protect WSNs from various attacks. However, different types of messages exchanged in WSNs typically have different security requirements which cannot be satisfied by a single keying mechanism. In this study, a basic key management protocol is described for WSNs based on four kinds of keys, which can be derived from an initial master key, and an enhanced protocol is proposed based on Diffie-Hellman algorithm. The proposed scheme restricts the adverse security impact of a captured node to the rest of WSNs and meets the requirement of energy efficiency by supporting in-network processing. The master key protection, key revocation mechanism, and the authentication mechanism based on one-way hash function are, respectively, discussed. Finally, the performance of the proposed scheme is analyzed from the aspects of computational efficiency, storage requirement, and communication cost, and its antiattack capability in protecting WSNs is discussed under various attack models. In this paper, promising research directions are also discussed.

1. Introduction

Wireless sensor networks (WSNs) have been extensively used in various applications, such as homeland security, battlefield surveillance, environmental monitoring, and health care. Through collection and processing of the sensing data from the coverage area, WSNs enable users to access detailed and reliable information at any time and any place, which makes them a ubiquitous sensing technology.

WSNs have two salient characteristics: (i) they use wireless communication, and anyone within the range of the network can attack them; (ii) they may be deployed in unattended environments or even hostile regions, such as battlefields, where they can be physically attacked or captured [1]. Thus, how to ensure the security of WSNs becomes a significant issue.

Security research on WSNs mainly focuses on key distribution, secure routing protocols, secure transmission, and security defense. Among these, using key management mechanisms to settle security issues in the wireless sensor network environment is the most crucial and challenging problem [2].

Although key management mechanisms in cable networks have been deeply studied, the research is still immature in WSNs [3] because of limited communication bandwidth, limited computing and storage capacity of sensor nodes, and unfixed infrastructures. There is also a contradiction between maximum security performance and minimum resource consumption.

It is worth noting that, due to the resource limitations, asymmetric encryption algorithms are seldom applied to sensor networks, and most of the related works are based on symmetric key systems.

Although a number of classic protocols and schemes have been proposed for WSNs, many protocols, such as TEEN [4] and LEACH [5], concentrated on communication and processing technologies without paying enough attention to security issues.

In recent years, scholars have proposed more sophisticated protocols, which are mainly divided into two categories: predistribution schemes based on symmetric keys and key management schemes based on public keys.

Hindawi Publishing Corporation, Mobile Information Systems, Volume 2015, Article ID 627548, 10 pages, http://dx.doi.org/10.1155/2015/627548

[Figure 1: Examples of in-network processing. Panels (a) and (b), each showing a base station.]

Among the predistribution schemes, SPINS [6] is recognized as a classical secure protocol for WSNs. It consists of two modules: SNEP for data confidentiality, two-party data authentication, and data freshness, and μTESLA for authenticated broadcast. It provides security for the entire network based on a single key and is easy to implement, but its expansibility is limited.

To balance security performance and resource consumption, random key predistribution schemes, polynomial key predistribution schemes, and key predistribution schemes based on deployment knowledge were subsequently proposed.

The E&G [7] scheme is one of the earliest random key predistribution schemes. It achieves the establishment of pairwise keys in WSNs for the first time based on the idea of preallocated key generation, solves the problem of unpredictable network topology, and provides probability-based security. After that, the proposed Q-composite scheme [8] improves the E&G scheme by using multiple common keys to generate pairwise keys.

Though quite a lot of superior security protocols have been proposed recently, most of them have their own deficiencies. Park proposed a lightweight security protocol (LISP); it can tolerate packet loss, but the protocol cannot handle the node revocation problem. After that, SRDA [9] proposed a secure data aggregation protocol which takes integrity into consideration but ignores the confidentiality of the information. LDP [10] proposes a local key management protocol based on dynamic clusters. It effectively supports WSN secure data fusion but does not give an effective solution for revoking captured nodes and updating keys.

To avoid the above deficiencies, LEAP [11] establishes four kinds of keys and provides strong applicability and scalability but requires a huge amount of communication for key establishment and update. Furthermore, its security is heavily dependent on the initial secure time. ChengY's predistribution scheme [12] is based on clusters, with the advantages of good connectivity, network survivability, and low communication costs. However, the cost for rekeying is significant.

Based on previous studies, this paper proposes improved strategies to overcome some defects. In addition, how to apply the established keys to form security mechanisms that confront various kinds of attacks is described in detail.

2. Requirements of Sensor Networks

Many security requirements of WSNs are similar to those of traditional networks, such as data confidentiality, authentication, and integrity. What is more, a WSN should guarantee low energy consumption and high efficiency [13].

Recent research has shown that in-network data processing (shown in Figure 1), which mainly includes passive participation and data aggregation, is quite energy-efficient and should be widely employed.

The typical application of in-network processing is to divide the network into multiple clusters, where the cluster head node collects and aggregates information from its neighbors and delivers the summary directly to the base station to avoid redundant transmissions and save communication bandwidth.

Generally, the pairwise key performs better at achieving data confidentiality, authentication, and integrity of WSNs, whereas the cluster key or network-wide key is needed to achieve in-network data processing (shown in Figure 1) [14].

The particularity of WSNs requires the ability to resist physical attacks and trapping. For example, once a node is compromised, the loss of its secret information should not threaten the remaining secure links. Moreover, a well-designed security mechanism should have capabilities for key revocation and update.

Therefore, it is fundamental to design a security mechanism which satisfies the above requirements in order to achieve the security of WSNs.

3. Prerequisite Knowledge

3.1. Notations. The notations used in this paper are given in Notations section.

Note that, in order to simplify the representation in the following discussion, notations $A$ and $B$ are used to represent their node identifiers instead of $\mathrm{ID}_A$ and $\mathrm{ID}_B$.

In addition, since keys for various security uses can be derived from the same key $K$, such as $K_0 = f(K, 0)$ for authentication and $K_1 = f(K, 1)$ for encryption, we just say a message $M$ is authenticated or encrypted with $K$ instead of saying in detail.

3.2. Function and Algorithm Description

One-Way Hash Function. One-way hash function $H$ meets the following properties [15]:

(i) Given $x$, it is easy to compute $y$ using function $y = H(x)$.
(ii) Given $y$, it is difficult to compute $x$ from function $y = H(x)$.
(iii) Given $x$, it is difficult to find a $y$ meeting the condition that $y \neq x$ and $H(y) = H(x)$.

One-way hash chain is a sequence of the following hash values $\{x_m, x_{m-1}, \ldots, x_j, \ldots, x_1\}$ fulfilling the restriction $\{x_j \mid 0 < j \le m,\ x_{j-1} = H(x_j)\}$, where $x_m$ is a random selection of key seed. Due to the unidirectional feature, one-way hash key chain is widely used in secure authentication. For example, when $x_1$ is given, it can be verified whether $x_i$ is an element of the one-way hash key chain sequence using the equation $x_1 = H^{i-1}(x_i)$.

Key Generation Function. Pseudorandom function $f$ is employed as the key generation function here for its high computational efficiency. When it is used in the key establishment process, the computational cost is negligible. Note that this function is stored in all the network nodes as well as the base station.

Diffie-Hellman Algorithm. Diffie-Hellman provides a method to ensure the safety of a shared key across insecure networks, and it is an integral part of the OAKLEY algorithm.

The ingenious point is that the two sides of a communication can use this method to determine a symmetric key which can then be used for encryption and decryption. Note that the key exchange protocol can only be used for key exchange; it cannot itself encrypt and decrypt messages [16].

Since the key exchange algorithm itself is usually limited to being used as the key exchange technology in many commercial products, it is usually called Diffie-Hellman key exchange (abbreviated as DH algorithm; key exchange based on the DH algorithm is also commonly referred to as DH exchange).

The purpose of this key exchange technique is to enable two users to achieve secure key exchange in order to ensure the encryption of subsequent packets. The effectiveness of the Diffie-Hellman key exchange algorithm relies on the difficulty of computing discrete logarithms [17]. In short, the discrete logarithm can be defined as follows.

First, define a primitive root of a prime number $p$ as an integer whose powers generate all the integers from 1 to $p - 1$; that is, if $a$ is a primitive root of the prime number $p$, the values $a \bmod p,\ a^2 \bmod p,\ \ldots,\ a^{p-1} \bmod p$ are all different and are the integers from 1 to $p - 1$ in a certain arrangement.

For an integer $b$ and a primitive root $a$ of the prime number $p$, we can find the unique index $i$ making $b = a^i \bmod p$, where $0 \le i \le (p - 1)$; index $i$ is called the discrete logarithm, or exponent, of the integer $b$ to the base $a$ modulo $p$.

Based on the definition and nature of the primitive root, the Diffie-Hellman key exchange algorithm is described as follows [18].

(1) There are two global parameters: the prime number $p$ and the integer $a$, where $a$ is a primitive root of $p$.

(2) Suppose users $A$ and $B$ wish to exchange a key. User $A$ selects a random number $X_A$ ($X_A < p$) as private key and calculates the public key $Y_A = a^{X_A} \bmod p$. User $A$ keeps $X_A$ confidential and makes $Y_A$ publicly available to user $B$. Similarly, user $B$ also selects a random number $X_B$ ($X_B < p$) as private key and calculates the public key $Y_B = a^{X_B} \bmod p$. User $B$ keeps $X_B$ confidential and makes $Y_B$ publicly available to user $A$.

(3) User $A$ calculates the shared secret key by $K = (Y_B)^{X_A} \bmod p$, and user $B$ similarly calculates the shared secret key $K$ by $K = (Y_A)^{X_B} \bmod p$.

Since

$$K = (Y_B)^{X_A} \bmod p = (a^{X_B} \bmod p)^{X_A} \bmod p = a^{X_B X_A} \bmod p = (a^{X_A})^{X_B} \bmod p = (a^{X_A} \bmod p)^{X_B} \bmod p = (Y_A)^{X_B} \bmod p, \qquad (1)$$

the two sides have exchanged the same secret key $K$. Because $X_A$ and $X_B$ are confidential, an adversary can only use the parameters $p$, $a$, $Y_A$, and $Y_B$. Thus the adversary is forced to compute a discrete logarithm to determine the shared key $K$. The security of the Diffie-Hellman key exchange algorithm relies on the fact that, although computing exponentials modulo a prime number is relatively easy, computing discrete logarithms is very difficult. For large prime numbers, calculating the discrete logarithm is almost impossible.
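Steps (1) to (3) and identity (1), together with the primitive-root definition above, as an added example that is not code from the paper. The 61-bit prime $2^{61}-1$, the `Party` class, and the range check on the received public value are assumptions of this example; the prime is far too small for real use and only keeps the run fast.

```python
import secrets

TOY_P = 2**61 - 1  # a Mersenne prime; example-sized only, not a deployment parameter


def prime_factors(n: int) -> set:
    """Distinct prime factors of n by trial division (adequate for example-sized n)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(a: int, p: int) -> bool:
    """a generates 1..p-1 iff a^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def powers_of(a: int, p: int) -> set:
    """The definition in the text, checked directly: {a^1, ..., a^(p-1)} mod p."""
    return {pow(a, i, p) for i in range(1, p)}


def smallest_primitive_root(p: int) -> int:
    """Step (1): pick the global parameter a for a given prime p."""
    a = 2
    while not is_primitive_root(a, p):
        a += 1
    return a


class Party:
    """One side of the exchange; holds X (private) and Y (public)."""

    def __init__(self, p: int, a: int):
        self.p, self.a = p, a
        while True:
            self.x = secrets.randbelow(p - 3) + 2   # step (2): random X with 2 <= X <= p-2
            self.y = pow(a, self.x, p)              # Y = a^X mod p
            if 2 <= self.y <= p - 2:
                break

    def shared_key(self, peer_y: int) -> int:
        # Values 0, 1 and p-1 would force K into a set of at most two values,
        # so they are rejected before step (3) is carried out.
        if not 2 <= peer_y <= self.p - 2:
            raise ValueError("peer public value out of range")
        return pow(peer_y, self.x, self.p)          # step (3): K = Y_peer^X mod p


def exchange(p: int, a: int) -> tuple:
    """Run the exchange between two fresh parties and return both computed keys."""
    user_a, user_b = Party(p, a), Party(p, a)
    return user_a.shared_key(user_b.y), user_b.shared_key(user_a.y)


if __name__ == "__main__":
    g = smallest_primitive_root(TOY_P)
    k_a, k_b = exchange(TOY_P, g)
    print("primitive root:", g, "keys agree:", k_a == k_b)
```

With $p = 23$, the integer 5 passes both primitive-root checks while 2 only reaches 11 of the 22 residues, which is why step (1) requires $a$ to be a primitive root.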

3.3. Assumptions. Basic assumptions are as follows.

(i) Topology is unknown before the deployment of the nodes.

(ii) The sensor network is static (sensor nodes are not mobile) after deployment.

(iii) Sensor nodes have similar computational and communication capabilities.

(iv) Transmission power of nodes can be adjusted to control the propagation distance.

(v) The base station has enough energy supply and computing power.

(vi) The attacker has the ability to eavesdrop on all the channels as well as to replay former messages and inject malicious packets.

(vii) Once a node is captured, all the stored information will be obtained by the adversary.

(viii) Every node has enough space to store hundreds of bytes for key establishment materials.

(ix) Each node has some degree of ability to resist attack, and it will not be captured within a limited period of time.

4. Protocol Description

This section introduces the basic protocol in detail, including four kinds of secure key establishment mechanisms to satisfy various secure communication requirements and mechanisms for key erasure and update.

4.1. Overview. As discussed above, a single key mechanism cannot provide appropriate protection to all the required communication in WSNs. Moreover, security performance and resource consumption have to be balanced when making use of different kinds of keys.

The degree of key sharing in the security mechanism has to be taken into consideration. For example, if unique pairwise keys are used for each pair of nodes in the WSN to guarantee secure communication, a node captured by an attacker will not reveal any security information of other normal nodes, which is ideal for preventing threats to the entire network. However, it requires significant communication bandwidth and energy resources, which is quite inefficient.

On the contrary, if only a network-wide key is used for authentication and encryption, no communication between nodes is required for the establishment of additional keys, and the storage costs and energy consumption can also be minimized. However, the security will be extremely poor. Once any node in the system is captured by an attacker, the whole network suffers an enormous risk.

4.2. Key Establishment. In this section, the establishment of four kinds of keys is discussed in detail, as well as their characteristics and abilities to resist attacks.

4.2.1. Individual Key Establishment. The individual key is a unique key of each sensor node that is shared with the controller (the base station) and is used for individual authentication and secure communication assurance [19].

For example, the individual key can be used to encrypt sensitive information, such as special instructions and rekeying commands, exchanged between a sensor node and the base station. It can also be used for message authentication to get verification from the base station or other nodes.

Since every node in the network shares a unique individual key with the base station, it is neither practical nor efficient for the base station to store all these keys, especially when the network is very large. Thus, it is important to adopt a strategy to reduce the storage overhead, which can be achieved by the key generation function $f$.

First of all, it is argued that each node holds the key establishment function $f$ and an initial key $K_I$, which is derived from the master key $K$ that is only possessed by the controller; all of them are preloaded in the nodes before the key establishment phase. The generation of the individual key for node $A$ (here $A$ indicates the unique ID of node $A$) is as follows:

$$K_A = f(K_I, A). \qquad (2)$$

In the above, the function $f$ for key establishment is a pseudorandom function, and it is efficient enough to be used on sensor nodes.

Once the individual key is generated, the related node stores it within its life cycle. Since the base station has full knowledge of the initial key $K_I$ and the efficient establishment function $f$, the storage overhead for the individual keys of each sensor node can be reduced.

4.2.2. Pairwise Key Establishment. The pairwise keys of a node are the keys shared with each of its direct neighbors, so the storage overhead of such keys for each node depends on the number of its neighbors [20, 21].

In this protocol, pairwise keys have a lot of uses. For example, a pairwise key can be used by a cluster head to encrypt the cluster key, which has to be transmitted to all of its neighbors, to achieve distribution security. It is also a component to improve system security.

However, it will impede passive participation, which is important in saving communication energy, if such a key mechanism is employed on its own. The initial pairwise key establishing progress is shown in Figure 2.

The generation of pairwise keys for nodes $A$ and $B$ (here $A$ is assumed to be the node that calls for key establishment) is as follows:

$$A \rightarrow *:\ \mathrm{Nonce}_A,$$
$$B \rightarrow A:\ B,\ \mathrm{MAC}_{K_B}(\mathrm{Nonce}_A \mid B). \qquad (3)$$

Here node $A$ broadcasts a nonce to all of its direct neighbors to request establishing pairwise keys without authenticating its identity, because if it cannot provide its own identity (namely, it does not own the individual key), it will fail to generate the pairwise key in the following steps:

$$K_{AB} = f(K_B, A). \qquad (4)$$

Since node $A$ possesses both the key establishment function $f$ and the initial key $K_I$, it can compute $K_B$ independently and then obtains the pairwise key $K_{AB}$ as well.

[Figure 2: Pairwise key establishing phase. Nodes A and B, messages 1 and 2.]

Note that each node has a timer which directs it to perform key erasure once it is sure that the pairwise key establishment is finished. This process is significant because all the nodes keep the network-wide initial key $K_I$ to help complete the establishments in the initial period, and once the relatively safe period passes, the network faces a great risk that some nodes may be compromised.

So it is suggested that, after a reasonable length of time, the initial key $K_I$ and the neighbors' individual master keys stored in the node all be erased (but its own individual master key will always be held).

In this way, when almost all the pairwise keys are established successfully, no nodes will possess the necessary key generating materials until there is a new group of nodes to be joined. The key erasure mechanism is so necessary that how to control the key erasing time is worth exploring, but it is not an emphasis in this paper.

In addition, it can also be seen from the above equation that, after the establishing time (namely, after the related key materials are erased), once the node $A$ is compromised by an attacker and a node $A'$ broadcasts a nonce for establishing pairwise keys, it cannot succeed due to such an establishment mechanism.

But once the attacker uses $A'$ to take a passive joining strategy, the responding node $A'$ will generate the pairwise key with $B$ (here $B$ is one of a new batch of joining nodes that is asking to establish pairwise keys with its neighbors, including $A'$) as follows: $K_{BA'} = f(K_{A'}, B)$, and then the attacker will be able to inject erroneous packets into the network at will.

For the newly added nodes, an alternative is proposed to establish a secure pairwise key:

$$K_{AB} = f(K_B, A) \oplus f(K_A, B). \qquad (5)$$

Since the pseudorandom function $f$ is efficient, such an improvement could be accepted.

The advantage of the above key establishing scheme is that there is no message exchange between nodes $A$ and $B$ during the computing step, which greatly reduces communication overhead.
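Equations (2) to (5) and the key erasure step, as an added example that is not code from the paper. HMAC-SHA256 standing in for $f$ and for the MAC, the requester ID being taken from the packet header, and the `Node` class are assumptions of this example; the initial key in the test is a constructed sample.

```python
import hashlib
import hmac
import os


def f(key: bytes, data: bytes) -> bytes:
    """Key generation function f (HMAC-SHA256 is this example's stand-in)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac(key: bytes, data: bytes) -> bytes:
    """MAC_K(data), computed under the derived authentication key K_0 = f(K, 0)."""
    return f(f(key, b"\x00"), data)


class Node:
    def __init__(self, node_id: bytes, k_init: bytes):
        self.id = node_id
        self.k_init = k_init                 # K_I, preloaded before deployment
        self.k_own = f(k_init, node_id)      # K_A = f(K_I, A), equation (2)
        self.pairwise = {}                   # neighbor ID -> pairwise key
        self.nonce = None

    def request(self) -> bytes:
        """A -> *: Nonce_A (first message of (3))."""
        self.nonce = os.urandom(16)
        return self.nonce

    def respond(self, requester_id: bytes, nonce: bytes) -> tuple:
        """B -> A: B, MAC_{K_B}(Nonce_A | B). B needs only its own individual key."""
        self.pairwise[requester_id] = f(self.k_own, requester_id)   # K_AB = f(K_B, A)
        return self.id, mac(self.k_own, nonce + self.id)

    def accept(self, responder_id: bytes, tag: bytes) -> bool:
        """A derives K_B from K_I, checks the MAC, then computes K_AB, equation (4)."""
        if self.k_init is None:
            raise RuntimeError("K_I erased: this node can no longer initiate")
        k_b = f(self.k_init, responder_id)
        if not hmac.compare_digest(tag, mac(k_b, self.nonce + responder_id)):
            return False
        self.pairwise[responder_id] = f(k_b, self.id)
        return True

    def erase_initial_key(self) -> None:
        """Timer expiry: drop K_I; the node's own individual key is kept."""
        self.k_init = None


def handshake(requester: Node, responder: Node) -> bool:
    """Carry both messages of (3) between two nodes; True if the requester accepts."""
    nonce = requester.request()
    responder_id, tag = responder.respond(requester.id, nonce)
    return requester.accept(responder_id, tag)


def pairwise_eq5(k_init: bytes, a_id: bytes, b_id: bytes) -> bytes:
    """Equation (5): f(K_B, A) XOR f(K_A, B); both individual keys must be derivable."""
    left = f(f(k_init, b_id), a_id)
    right = f(f(k_init, a_id), b_id)
    return bytes(x ^ y for x, y in zip(left, right))
```

After `erase_initial_key()`, a node can still answer a newcomer's request with its own individual key, but `accept()` refuses to run, which matches the behaviour the text describes for a node whose establishment period has ended.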

Note that there will be a situation in which two nodes want to establish a pairwise key while one of them does not possess the master key $K_I$, such as a newly added node and an older node which has finished all its pairwise key establishments and erased the master key $K_I$.

To deal with such a situation, a scheme that asks for help from the controller is simply presented as follows:

$$A \rightarrow B:\ \mathrm{Nonce}_A,\ A,$$
$$B \rightarrow \text{Base station}:\ R_{K_{AB}},\ A,\ B,\ \mathrm{MAC}_{K_B}(R_{AB}, A, B),$$
$$\text{Base station} \rightarrow A:\ E_{K_A}(K_{AB}),\ \mathrm{MAC}_{K_A}(B, E_{K_A}(K_{AB})),$$
$$\text{Base station} \rightarrow B:\ E_{K_B}(K_{AB}),\ \mathrm{MAC}_{K_B}(A, E_{K_B}(K_{AB})). \qquad (6)$$

Here $A$ is a new node which calls for establishing a pairwise key with its neighbor $B$, and $B$ is an older node that has generated all its own pairwise keys and erased the initial key $K_I$, which makes it unable to generate a new pairwise key.

If $B$ wants to verify the identity of node $A$, the most credible way is asking for the help of the base station.

However, reducing the use of the base station is an important goal here, and the improvement is worth further exploring.

4.2.3. Cluster Key Establishment. The cluster key is a key generated by an elected cluster head and shared with its neighbors, and it is mainly used for encrypting local broadcast packets. Its most significant advantage is that it enables in-network processing, such as passive participation and data aggregation, which cannot be supported by the pairwise key but could save energy consumption efficiently.

This key establishing process is as follows:

$$A \rightarrow B_i:\ E_{K_{AB_i}}(KC_A). \qquad (7)$$

Here node $A$ is the elected cluster head, and $B_i$ represents one of its immediate neighbors $B_1, B_2, \ldots, B_n$ ($1 \le i \le n$). Cluster head $A$ first generates a key $KC_A$ randomly, encrypts it with its pairwise keys, and then sends it to each neighbor $B_i$. Moreover, node $B_i$ decrypts the cluster key and then stores $KC_A$ in a table.

When any neighbor of $A$ is revoked, which means there will be a risk in continuing to use the old cluster key, cluster head $A$ regenerates and transmits $KC'_A$ in the same way.

Cluster division and cluster head selection approaches are also worthy of discussion, but they are not an emphasis in this paper. A simple mesh division method based on the virtual cluster idea is shown in Figure 3.

4.2.4. Group Key Establishment. The group key $K_g$ is used for encrypting messages that need to be broadcast to the whole group. Note that, different from the above situations, the key point here is no longer about key establishment or encrypting schemes, because there is only one group key shared among the entire network; meanwhile, it does not make sense to encrypt a broadcast message using the master key of each sensor node separately.

It is also because there is only one group key shared among sensor nodes that, once a compromised node is revoked, the rekeying and updating mechanism becomes important.

[Figure 3: Mesh division method. Legend: cluster head, active node, base station.]

μTESLA [22] is a widely employed protocol due to its high efficiency and perfect tolerance for packet loss. A one-way hash function $H$ is used here to help achieve the process. Firstly, the controller generates a random seed $k_m$ and uses the function $H$ to get a sequence of the following hash values $\{k_m, k_{m-1}, \ldots, k_j, \ldots, k_1\}$ that meets the restriction $\{k_j \mid 0 < j \le m,\ k_{j-1} = H(k_j)\}$.

Then preload this key chain $\{k_m, k_{m-1}, \ldots, k_j, \ldots, k_1\}$ in the base station and use delayed key disclosure to achieve message authentication. Let $A$ be the revoked node and $K'_g$ the new group key; the process is as follows:

$$\text{Base station} \rightarrow *:\ A,\ f(K'_g, 0),\ \mathrm{MAC}_{k_j}(A \mid f(K'_g, 0)). \qquad (8)$$

When the verification is done, all the nodes will remove the related information of node $A$ and store the group key $K'_g$ in the table.

Note that the initial group key $K_g$ is preloaded in all the sensor nodes before their deployment, like the initial key $K_I$, but we cannot also take $K_I$ as the group key because it will be erased a very short time after the pairwise key establishment. The key used for deriving related keys must be protected separately from normal ones.

Figure 4 simply illustrates the authentication mechanism:

$$k_{j-1} = H(k_j). \qquad (9)$$
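The delayed-disclosure check behind (8) and (9), together with the membership test $x_1 = H^{i-1}(x_i)$ from Section 3.2, as an added example that is not code from the paper. SHA-256 for $H$, HMAC-SHA256 for $f$ and the MAC, an interval index $j$ carried with each message, and the `SensorNode` class are assumptions of this example; the seed and key strings are constructed samples.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    """One-way hash function H (SHA-256 is this example's choice)."""
    return hashlib.sha256(x).digest()


def f(key: bytes, data: bytes) -> bytes:
    """Stand-in for f, also used as the MAC (HMAC-SHA256, an assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def make_chain(seed: bytes, m: int) -> dict:
    """Controller side: k_m = seed, k_{j-1} = H(k_j); returns {j: k_j} for 1 <= j <= m."""
    chain = {m: seed}
    for j in range(m, 1, -1):
        chain[j - 1] = H(chain[j])
    return chain


def hash_times(x: bytes, n: int) -> bytes:
    for _ in range(n):
        x = H(x)
    return x


def chain_contains(x1: bytes, xi: bytes, i: int) -> bool:
    """Membership test from Section 3.2: x_1 == H^(i-1)(x_i)."""
    return i >= 1 and hmac.compare_digest(x1, hash_times(xi, i - 1))


class SensorNode:
    def __init__(self, k1: bytes):
        self.auth_index, self.auth_key = 1, k1   # k_1 is public, so never a MAC key
        self.buffer = {}                         # j -> [(revoked_id, check, tag)]
        self.revoked = set()
        self.group_key_check = None              # f(K'_g, 0) from the last accepted (8)

    def receive_revocation(self, j: int, revoked_id: bytes, check: bytes, tag: bytes) -> bool:
        """Buffer message (8). Refuse it if k_j is already disclosed (anyone could forge it)."""
        if j <= self.auth_index:
            return False
        self.buffer.setdefault(j, []).append((revoked_id, check, tag))
        return True

    def receive_disclosure(self, j: int, k_j: bytes) -> list:
        """Verify k_j against the last authenticated key, then check buffered MACs."""
        if j <= self.auth_index:
            return []
        if not hmac.compare_digest(hash_times(k_j, j - self.auth_index), self.auth_key):
            return []
        accepted = []
        for i in sorted(i for i in self.buffer if i <= j):
            k_i = hash_times(k_j, j - i)         # recovers keys whose disclosure was lost
            for revoked_id, check, tag in self.buffer.pop(i):
                if hmac.compare_digest(tag, f(k_i, revoked_id + check)):
                    self.revoked.add(revoked_id)
                    self.group_key_check = check
                    accepted.append(revoked_id)
        self.auth_index, self.auth_key = j, k_j
        return accepted


def demo() -> tuple:
    chain = make_chain(b"constructed seed k_m (sample)", 5)
    node = SensorNode(chain[1])
    check = f(b"constructed new group key K'_g", b"\x00")            # f(K'_g, 0)
    tag = f(chain[3], b"node-A" + check)                             # MAC_{k_3}(A | f(K'_g, 0))
    buffered = node.receive_revocation(3, b"node-A", check, tag)
    accepted = node.receive_disclosure(4, chain[4])                  # k_2, k_3 disclosures lost
    late = node.receive_revocation(3, b"node-B", check, f(chain[3], b"node-B" + check))
    bad_key = node.receive_disclosure(5, bytes(32))                  # not on the chain
    return buffered, accepted, late, bad_key, node.revoked
```

The node authenticates the message for interval 3 from the later key $k_4$ alone, which is the packet-loss tolerance the text attributes to μTESLA.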

5. Enhanced Protocol

5.1. Requirements Analysis. The design of the basic scheme presented in the previous section is motivated by the observation that a single keying mechanism is not suitable for meeting all the security requirements of different types of exchanged messages.

[Figure 4: Using the one-way hash function for source authentication. Keys K1 to K5 and packets p1 to p6 along a time axis.]

The advantage of this scheme is that a captured node does not threaten the safety of the other nodes, provided the master key $K$ is absolutely safe in the time interval $T_{\min}$.

During the time interval $T_{\min}$, all the nodes of the WSN will hold the general master key $K$, and we note that this scheme cannot provide confidentiality when a node is compromised in $T_{\min}$. By using the stolen information, such as the master key $K$, an attacker can easily derive the master keys of all the remaining normal nodes that are deployed in the same time interval, as well as negotiate new pairwise keys with normal nodes in any region, which means that once a node is compromised in the time interval $T_{\min}$, the security of the entire network is in extreme danger.

5.2. Enhanced Scheme. The improved scheme is based on the Diffie-Hellman algorithm described above. Prior to deployment of the network, each node prestores the large prime number $p$ and its primitive root $a$ instead of the initial key $K_I$, which is derived from the master key $K$.

Note that the generation of the individual key for node $A$ is still the same:

$$K_A = f(K_I, A) \tag{10}$$

Different from the basic scheme, this process is completed once the node is deployed; after that, the information of the initial key $K_I$ is deleted. Thus the attacker cannot get any information about the initial key $K_I$ or the master key $K$ even if the node is compromised during the working period.

Since the node no longer keeps the initial key $K_I$, which is required in the relevant calculations (function) of the pairwise key generating process, the basic scheme can no longer be carried out. For this situation, the following improvements are made.

Give each node a key evolution function. Taking nodes $A$ and $B$ as examples:

$$X_A = h(A \mid K_A) \bmod p, \qquad X_B = h(B \mid K_B) \bmod p \tag{11}$$

Then calculate the public message:

$$Y_A = a^{X_A} \bmod p, \qquad Y_B = a^{X_B} \bmod p \tag{12}$$


The pairwise key generation process is as follows:

$$A \rightarrow \ast : \mathrm{Nonce}_A,\ Y_A$$
$$B \rightarrow A : \mathrm{MAC}_{K_{AB}}(B \mid Y_B),\ B,\ Y_B \tag{13}$$

Here node $A$ broadcasts a nonce to all its direct neighbors and asks to establish a pairwise key, and it broadcasts the public message $Y_A$ at the same time. When its neighbor (take node $B$ for example) receives the message, it first verifies the legitimacy of $Y_A$ and then calculates the pairwise key using the following function:

$$K_{AB} = (Y_A)^{X_B} \bmod p \tag{14}$$

After that, node $B$ sends the messages $B$ and $Y_B$ back to the asking node $A$ and sends a message $\mathrm{MAC}_{K_{AB}}(B \mid Y_B)$ to authenticate its identity. If node $B$ cannot respond to node $A$ in this way, it means node $B$ cannot obtain $K_{AB}$ using only $Y_A$; node $B$ is then considered untrusted. In addition, node $A$ does not need to send an authenticating message back to node $B$, because if it cannot prove its own identity (namely, it cannot obtain $K_{AB}$ using only $Y_B$), it will fail to generate the pairwise key $K_{AB}$.

Compared with the basic protocol, the most obvious improvement of the enhanced protocol is that it uses the Diffie-Hellman algorithm to generate pairwise keys instead of storing the initial key $K_I$ for a certain period of time. Thus, even if a node is compromised in $T_{\min}$, the attacker can merely get the key information related to the compromised node, which means that only limited security threats can be caused, avoiding the disruption of the entire network caused by losing the initial key $K_I$. Despite the slight increment in the computational overhead, the security of the WSN is greatly improved.

6. Performance Evaluation

The ability of the protocol to fight against various kinds of attacks is discussed in detail in the above sections. This section analyzes the storage requirement and energy efficiency.

6.1. Storage Requirement. In the basic protocol, a node needs to store four types of keys. A node with $m$ neighbors in the WSN needs to store one individual key, $m$ cluster keys, $m$ pairwise keys, and one group key. In the enhanced protocol, each node stores the same number of keys as in the basic protocol.

When the key establishment is complete in a network having a scale of $N$, there is an upper limit on the number of keys to be stored in the nodes, including $N$ individual keys, $C(N, 2)$ pairwise keys, $N/2$ cluster keys, and $N$ group keys (though there is only one group key in a certain period), which add up to $(5/2)N + (N/2)(N-2) = (N^2 + 3N)/2$, and the average for each node is $5/2 + (N-1)/2(N-2) = N/2 + 2$.

Note that the communication distance of a sensor node is limited, so the network will not reach the high complexity in which every two nodes are connected.

In addition, using an efficient clustering method can reduce the number of required cluster keys, and the real storage complexity is much smaller.

Although memory is a quite scarce resource for the current generation of nodes in WSNs, for a reasonable degree, storage is not an issue in our protocol. For example, 100 keys take 800 bytes in total when the key size is 8 bytes.

6.2. Communication Cost. In this paper, the average communication cost increases with the connection degree of a sensor network and decreases with the network size $N$. Efficient preloaded functions are widely used, which greatly reduces the message exchanges in the key establishing phase and so saves communication cost. What is more, the use of the localized cluster key enables in-network data processing, which also helps achieve communication and energy efficiency.

It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.

6.3. Computational Cost. Functions used in the proposed protocols are all of high computational efficiency. For example, the pseudorandom function $f$ is employed as the key generation function, and the computational cost is negligible when it is used in the key establishment process. In the enhanced protocol, although the computational cost is slightly increased by using the Diffie-Hellman algorithm, we believe that the computational overhead is acceptable for a network of reasonable density. For example, for a WSN of size $N = 1000$ and connection degree of 20, the average computational cost is 27 symmetric key operations per node per revocation, and a larger $N$ will reduce the cost further.

Overall, we conclude that the protocols proposed in this study are scalable and efficient enough in storage, communication, and computation.

7. Security Analysis

This section analyzes the security of the key management protocols. The survivability of the network is discussed when undetected compromised nodes occur, and the robustness of the proposed schemes is studied in defending against various attacks.

7.1. Survivability. Once a sensor node $A$ is compromised, the adversary can launch attacks by utilizing the keying materials of node $A$. If the threat is detected somehow, the protocols can revoke node $A$ efficiently and update the information of nodes quickly throughout the whole network. Basically, each neighbor of the compromised node $A$ could delete its pairwise key shared with node $A$ as well as updating the cluster key. The group key could also be updated efficiently by using the μTESLA mechanism. When the revocation is completed, the adversary cannot launch further attacks anymore.

However, security detection in WSNs is more difficult than in other systems, since sensor systems are often deployed in unattended environments. Thus the survivability of the network is one of the most important security requirements when compromised nodes are not detected.

Firstly, because the individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.

Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which can be used by the attacker to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study, the attacker usually has to carry out such attacks by using the identity of the captured node.

Note that a salient feature of the proposed protocols is the ability to localize possible threats. After the deployment of the network and the pairwise key establishing phase, every node keeps a list of trusted neighbor nodes. As a compromised node and its copy nodes cannot establish a trust relationship with nodes other than its neighbors, the attacker can only damage secure links within a limited range.

Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. The broadcast messages, by their nature, are intended to be received by all the nodes in the network. Thus compromising any single node is enough to possess this message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the μTESLA mechanism.

7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.

An inside attacker may attempt to alter and replay routing information to make routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.

In this paper, the schemes cannot protect the WSNs from such attacks; however, the schemes can hinder or minimize the consequences caused by such attacks.

First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.

Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching such attacks. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible, since the related sending node may overhear the forwarded messages altered by the captured node.

Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.

The proposed protocol can protect WSNs from the following attacks.

Sybil Attacks. In Sybil attacks, the attacker may replicate the captured node and deploy multiple replicas into the original network. With the help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen in the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.

HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network by increasing the transmission power to be high enough to convince all the nodes that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and some other packets in vain. However, it cannot succeed in the proposed protocols, because the attacker does not have a network-wide key for authentication.

It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages to the entire network from the base station.

7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.

In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in WSNs.

In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, creating a sinkhole. Moreover, nodes which are multiple hops away may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch the wormhole attack, such an attack is very powerful in practice [24].

In the proposed protocols, an outside attacker cannot succeed in launching the wormhole attack except in the neighbor discovery process, since a node will know all its neighbor nodes after the pairwise key is established, which means the attacker cannot convince two distant nodes to believe that they are neighbors of each other.

Because the time of the neighbor discovery process is very short (usually seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors once the neighbor discovery phase is finished. The authenticated neighborhood information is critical to deal with the wormhole attacks.

In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station becomes smaller, node $B$ will be especially attractive to surrounding nodes. In practice, the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and then sensor nodes will know the approximate number of hops from the base station. Thus it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.

7.4. Conclusion. This paper proposes a basic key management protocol based on initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.

To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.

The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to the original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.

This paper presents a proposal for key establishment and achieves security mainly based on the combined application of four kinds of keys. This is a critical step, and how to use such keys to build a protection mechanism is a focus of our future research.

Notations

$N$: The number of nodes in the network
$A$, $B$: Two communicating nodes in the network (also represents the node identifier)
$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$
$H(K)$: One-way hash function to generate a chain of keys using the seed $K$
$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$
$K$: The master key only possessed by base station
$K_A$: Individual key of node $A$
$E_K(m)$: Encryption of message $m$ with a symmetric key $K$
$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$
$A \rightarrow B : M$: Node $A$ sends a message $M$ to node $B$
$A \rightarrow \ast : M$: Node $A$ sends a local broadcast message $M$ to all its neighbors
$h(m)$: Calculate hash value of message $m$

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "Wireless sensor networks: a survey," Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.

[2] X. He, M. Niedermeier, and H. de Meer, "Dynamic key management in wireless sensor networks: a survey," Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.

[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, "A unified security framework with three key management schemes for wireless sensor networks," Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.

[4] C. Intanaonwiwat, R. Govindan, and D. Estrin, "Directed diffusion: a scalable and robust communication paradigm for sensor networks," in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.

[5] A. Manjeshwar and D. P. Agrawal, "TEEN: a routing protocol for enhanced efficiency in wireless sensor networks," in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS '01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.

[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom '01), pp. 189–199, Rome, Italy, July 2001.

[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.

[8] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.

[9] H. O. Sanli, S. Ozdemir, and H. Cam, "SRDA: secure reference-based data aggregation protocol for wireless sensor networks," in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC '04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.

[10] T. Dimitriou and I. Krontiris, "A localized, distributed protocol for secure information exchange in sensor networks," in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), pp. 37–45, IEEE, April 2005.

[11] S. Zhu, S. Setia, and S. Jajodia, "LEAP: efficient security mechanisms for large-scale distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 62–72, ACM, New York, NY, USA, October 2003.

[12] J. Shen and L. Xu, "Cluster-based key pre-distribution scheme for wireless sensor networks," Journal of Wuhan University Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).

[13] X. Huang, M. Yang, and S.-S. Lv, "Secure and efficient key management protocol for wireless sensor network and simulation," Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.

[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security—ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS '12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[15] L.-C. Li, J.-H. Li, and J. Pan, "Self-healing group key management scheme with revocation capability for wireless sensor networks," Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.

[16] Z. Ming, W. Suo-ping, and X. He, "Dynamic key management scheme for wireless sensor networks based on cluster," Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.

[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, "Transitory initial key-based key management protocol in wireless sensor networks," Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.

[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, "A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE802.16e wireless networks," Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.

[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, "Fine-grained access control system based on outsourced attribute-based encryption," in Computer Security—ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013. Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.

[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, "Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach," in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP '03), pp. 326–335, Atlanta, Ga, USA, November 2003.

[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, Washington, DC, USA, October 2003.

[22] D. Liu and P. Ning, "Multi-level μTESLA: broadcast authentication for distributed sensor networks," ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.

[23] J. Li, Q. Wang, C. Wang, and K. Ren, "Enhancing attribute-based encryption with attribute hierarchy," Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.

[24] Y. S. Lee, J. W. Park, and L. Barolli, "A localization algorithm based on AOA for ad-hoc sensor networks," Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.


Figure 1: Examples of in-network processing (panels (a) and (b), each showing a base station).

Among the predistribution schemes, SPINS [6] is recognized as a classical secure protocol for WSNs. It consists of two modules: SNEP for data confidentiality, two-party data authentication, and data freshness and μTESLA for authenticated broadcast. It provides security for the entire network based on a single key and is easy to implement, but the expansibility is limited.

To balance the security performance and resource consumption, random key predistribution schemes, polynomial key predistribution schemes, and key predistribution scheme based on deployment knowledge are subsequently proposed.

E&G [7] scheme is one of the earliest random key predistribution schemes. It achieves the establishment of pairwise key in WSNs for the first time based on the idea of preallocated key generation, solves the problem of unpredictable network topology, and provides a probability-based security. After that, the proposed Q-composite scheme [8] improves E&G schemes based on multicommon keys to generate pairwise keys.

Though quite a lot of superior security protocols have been proposed recently, most of them have their own deficiencies. Park proposed a lightweight security protocol (LISP); it can tolerate packet loss, but the protocol cannot handle node revocation problem. After that, SRDA [9] proposed a secure data aggregation protocol which takes the integrity into consideration but ignores the confidentiality of the information. LDP [10] proposes a local key management protocol based on dynamic cluster. It effectively supports the WSN security data fusion but does not give an effective solution of revoking captured nodes and updating keys.

To avoid above deficiencies, LEAP [11] establishes four kinds of keys and provides a strong application and scalability but requires huge amount of communication for key establishment and update. Furthermore, its security is heavily dependent on the initial secure time. ChengY's predistribution scheme [12] is based on clusters with advantages of the good connectivity, network survivability, and low communications costs. However, the cost for rekeying is significant.

Based on previous studies, this paper proposes improved strategies to overcome some defects. In addition, how to apply the established keys to form security mechanisms to confront kinds of attacks is described in detail.

2. Requirements of Sensor Networks

Many security requirements of WSNs are similar to those of traditional networks, such as data confidentiality, authentication, and integrity. What is more, it should guarantee low energy consumption and high efficiency [13].

It is proved in recent researches that in-network data processing (shown in Figure 1), which mainly includes passive participation and data aggregation, is quite energy-efficient and should be widely employed.

The typical application of in-network processing is to divide the network into multiple clusters, where the cluster head node collects and aggregates information from its neighbors and delivers the summary directly to the base station to avoid redundant transmissions and save communication bandwidth.

Generally, the pairwise key performs better over achieving data confidentiality, authentication, and integrity of WSNs, whereas the cluster key or network-wide key is needed to achieve in-network data processing (shown in Figure 1) [14].

The particularity of the WSNs requires the ability of resistance to physical attacks and trapping. For example, once a node is compromised, the loss of secret information does not threaten remaining security links. Moreover, well-designed security mechanism should have capabilities of key revocation and update.


Therefore, it is fundamental to design a security mechanism which satisfies the above requirements in order to achieve the security of WSNs.

3. Prerequisite Knowledge

3.1. Notations. The notations used in this paper are given in the Notations section.

Note that, in order to simplify the representation in the following discussion, notations $A$ and $B$ are used to represent the node identifiers instead of $\mathrm{ID}_A$ and $\mathrm{ID}_B$.

In addition, since keys for various security uses can be derived from the same key $K$, such as $K_0 = f(K, 0)$ for authentication and $K_1 = f(K, 1)$ for encryption, we just say that a message $M$ is authenticated or encrypted with $K$ instead of spelling out the derived key.

3.2. Function and Algorithm Description

One-Way Hash Function. One-way hash function $H$ meets the following properties [15]:

(i) Given $x$, it is easy to compute $y$ using function $y = H(x)$.
(ii) Given $y$, it is difficult to compute $x$ from function $y = H(x)$.
(iii) Given $x$, it is difficult to find a $y$ meeting the condition that $y \neq x$ and $H(y) = H(x)$.

One-way hash chain is a sequence of the following hash values $x_m, x_{m-1}, \ldots, x_j, \ldots, x_1$ fulfilling the restriction $\{x_j \mid 0 < j \le m,\ x_{j-1} = H(x_j)\}$, where $x_m$ is a random selection of key seed. Due to the unidirectional feature, one-way hash key chain is widely used in secure authentication. For example, when $x_1$ is given, it can be verified whether $x_i$ is an element of the one-way hash key chain sequence using the equation $x_1 = H^{i-1}(x_i)$.
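The chain check $x_1 = H^{i-1}(x_i)$ described here is what lets a node authenticate the delayed key disclosure behind the revocation message of equation (8). The following Python code is an added example, not code from the paper: SHA-256 and HMAC-SHA256 stand in for $H$, $f$ and MAC, and the class names, the message tuple layout and the interval numbering are assumptions of the example.

```python
import hashlib
import hmac
import os


def H(key: bytes) -> bytes:
    """One-way function H; SHA-256 is this example's choice."""
    return hashlib.sha256(key).digest()


def f(key: bytes, data: bytes) -> bytes:
    """Pseudorandom function f(K, x); HMAC-SHA256 is this example's choice."""
    return hmac.new(key, b"f" + data, hashlib.sha256).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    """MAC_K(m); HMAC-SHA256 again, domain-separated from f."""
    return hmac.new(key, b"m" + msg, hashlib.sha256).digest()


def make_chain(seed: bytes, m: int) -> list:
    """Return [k_0, ..., k_m] with k_m = seed and k_{j-1} = H(k_j)."""
    chain = [seed]
    for _ in range(m):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


class BaseStation:
    def __init__(self, intervals: int):
        self.chain = make_chain(os.urandom(32), intervals)
        self.commitment = self.chain[0]          # k_0, preloaded into every node

    def revoke(self, j: int, node_id: bytes, new_group_key: bytes):
        """Message (8), sent in interval j while k_j is still secret."""
        check = f(new_group_key, b"\x00")        # f(K'_g, 0)
        return j, node_id, check, mac(self.chain[j], node_id + check)

    def disclose(self, j: int):
        """Delayed disclosure of k_j after interval j has ended."""
        return j, self.chain[j]


class SensorNode:
    def __init__(self, commitment: bytes, neighbors):
        self.last_j, self.last_key = 0, commitment   # newest authenticated key
        self.neighbors = set(neighbors)
        self.pending = {}                            # interval -> buffered messages
        self.group_key_check = None                  # f(K'_g, 0) once authenticated

    def receive(self, msg) -> bool:
        """Buffer message (8); refuse it if its MAC key is already public."""
        j = msg[0]
        if j <= self.last_j:
            return False
        self.pending.setdefault(j, []).append(msg)
        return True

    def on_disclosure(self, j: int, key: bytes) -> list:
        """Authenticate k_j against the chain, then the buffered messages."""
        if j <= self.last_j:
            return []
        keys = {j: key}
        for i in range(j - 1, self.last_j, -1):      # recover skipped k_i = H(k_{i+1})
            keys[i] = H(keys[i + 1])
        if not hmac.compare_digest(H(keys[self.last_j + 1]), self.last_key):
            return []                                # key is not on the chain
        self.last_j, self.last_key = j, key
        revoked = []
        for i in sorted(keys):
            for _, node_id, check, tag in self.pending.pop(i, []):
                if hmac.compare_digest(tag, mac(keys[i], node_id + check)):
                    self.neighbors.discard(node_id)  # remove node A's entries
                    self.group_key_check = check
                    revoked.append(node_id)
        return revoked
```

Because each disclosed key is hashed back to the last authenticated one, a node that missed the disclosure for an earlier interval can still verify messages buffered for it.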

Key Generation Function. Pseudorandom function $f$ is employed as the key generation function here for its high computational efficiency. When it is used in the key establishment process, the computational cost is negligible. Note that this function is stored in all the network nodes as well as the base station.

Diffie-Hellman Algorithm. Diffie-Hellman provides a method to ensure the safety of a shared key over insecure networks, and it is an integral part of the OAKLEY algorithm.

The ingenious point is that the two sides of a communication can use this method to determine a symmetric key, which can then be used for encryption and decryption. Note that the key exchange protocol can only be used for key exchange; it cannot itself encrypt and decrypt messages [16].

Since the key exchange algorithm itself is usually limited to being used as the key exchange technology in many commercial products, it is usually called Diffie-Hellman key exchange (abbreviated as DH algorithm; key exchange based on the DH algorithm is also commonly referred to as DH exchange).

The purpose of this key exchange technique is to enable two users to achieve a secure key exchange in order to ensure the encryption of subsequent packets. The effectiveness of the Diffie-Hellman key exchange algorithm relies on the difficulty of computing discrete logarithms [17]. In short, the discrete logarithm can be defined as follows.

First, define a primitive root of a prime number $p$ as an integer whose powers generate every integer from 1 to $p - 1$; that is, if $a$ is a primitive root of prime number $p$, the values $a \bmod p, a^2 \bmod p, \ldots, a^{p-1} \bmod p$ are all different integers from 1 to $p - 1$ in a certain arrangement.

For an integer $b$ and a primitive root $a$ of prime number $p$, we can find the unique index $i$ such that $b = a^i \bmod p$, where $0 \le i \le (p - 1)$; the index $i$ is called the discrete logarithm (or index) of the integer $b$ to the base $a$, modulo $p$.

Based on the definition and nature of the primitive root, the Diffie-Hellman key exchange algorithm is described as follows [18].

(1) There are two global parameters: prime number $p$ and integer $a$, where $a$ is a primitive root of $p$.

(2) Suppose users $A$ and $B$ wish to exchange a key. User $A$ selects a random number $X_A$ ($X_A < p$) as private key and calculates the public key $Y_A = a^{X_A} \bmod p$. User $A$ keeps $X_A$ confidential and makes $Y_A$ publicly available to user $B$. Similarly, user $B$ also selects a random number $X_B$ ($X_B < p$) as private key and calculates the public key $Y_B = a^{X_B} \bmod p$. User $B$ keeps $X_B$ confidential and makes $Y_B$ publicly available to user $A$.

(3) User $A$ calculates the shared secret key by $K = (Y_B)^{X_A} \bmod p$, and user $B$ similarly calculates the shared secret key $K$ by $K = (Y_A)^{X_B} \bmod p$.

Since

$$K = (Y_B)^{X_A} \bmod p = (a^{X_B} \bmod p)^{X_A} \bmod p = a^{X_B X_A} \bmod p = (a^{X_A})^{X_B} \bmod p = (a^{X_A} \bmod p)^{X_B} \bmod p = (Y_A)^{X_B} \bmod p, \tag{1}$$

the two sides have in effect exchanged the same secret key $K$. Because $X_A$ and $X_B$ are confidential, an adversary can only use the parameters $p$, $a$, $Y_A$, and $Y_B$. Thus the adversary is forced to compute a discrete logarithm to determine the shared key $K$. The security of the Diffie-Hellman key exchange algorithm relies on the fact that, although computing exponentials modulo a prime number is relatively easy, computing discrete logarithms is very difficult. For large prime numbers, calculating the discrete logarithm is almost impossible.

3.3. Assumptions. Basic assumptions are as follows:

(i) Topology is unknown before the deployment of the nodes.

(ii) The sensor network is static (sensor nodes are not mobile) after deployment.

(iii) Sensor nodes have similar computational and communication capabilities.

(iv) Transmission power of nodes can be adjusted to control the propagation distance.

(v) The base station has enough energy supply and computing power.

(vi) The attacker has the ability to eavesdrop on all the channels as well as to replay former messages and inject malicious packets.

(vii) Once a node is captured, all the stored information will be obtained by the adversary.

(viii) Every node has enough space to store hundreds of bytes for key establishment materials.

(ix) Each node has some degree of ability to resist attack, and it will not be captured within a limited period of time.

4. Protocol Description

This section introduces the basic protocol in detail, including four kinds of secure key establishment mechanisms to satisfy various secure communication requirements, and mechanisms for key erasure and update.

4.1. Overview. As discussed above, a single key mechanism cannot provide appropriate protection for all the required communication in WSNs. Moreover, security performance and resource consumption have to be balanced when making use of different kinds of keys.

The degree of key sharing in the security mechanism has to be taken into consideration. For example, if unique pairwise keys are used for each two nodes in the WSN to guarantee secure communication, a node captured by an attacker will not reveal any security information of other normal nodes, which is ideal for preventing threats to the entire network. However, it requires significant communication bandwidth and energy resources, which is quite inefficient.

On the contrary, if only a network-wide key is used for authentication and encryption, no communication between nodes is required for the establishment of additional keys, and the storage costs and energy consumption can also be minimized. However, the security will be extremely poor. Once any node in the system is captured by an attacker, the whole network suffers an enormous risk.

4.2. Key Establishment. In this section, the establishment of four kinds of keys is discussed in detail, as well as their characteristics and abilities to resist attacks.

4.2.1. Individual Key Establishment. The individual key is a unique key that each sensor node shares with the controller (the base station); it is used for individual authentication and secure communication assurance [19].

For example, the individual key can be used to encrypt sensitive information, such as special instructions and rekeying commands, exchanged between a sensor node and the base station. It can also be used for message authentication to get verification of the base station or other nodes.

Since every node in the network shares a unique individual key with the base station, it is neither practical nor efficient for the base station to store all these keys, especially when the network is very large. Thus, it is important to adopt a strategy to reduce the storage overhead, which can be achieved by the key generation function $f$.

First of all, it is assumed that each node holds the key establishment function $f$ and an initial key $K_I$, which is derived from the master key $K$ that is only possessed by the controller; all of them are preloaded in the nodes before the key establishment phase. The generation of the individual key for node $A$ (here $A$ indicates the unique ID of node $A$) is as follows:

$$K_A = f(K_I, A). \tag{2}$$

In the above, the function $f$ for key establishment is a pseudorandom function, and it is efficient enough to be used on sensor nodes.

Once the individual key is generated, the related node stores it within its life cycle. Since the base station has full knowledge of the initial key $K_I$ and the efficient establishment function $f$, the storage overhead for the individual keys of each sensor node can be reduced.

4.2.2. Pairwise Key Establishment. Pairwise keys of a node are the keys shared with each of its direct neighbors, so the storage overhead of such keys for each node depends on the number of its neighbors [20, 21].

In this protocol, pairwise keys have many uses. For example, a cluster head can use them to encrypt the cluster key, which has to be transmitted to all of its neighbors, to achieve secure distribution. They are also a component for improving system security.

However, if such a key mechanism is employed on its own, it will impede passive participation, which is important in saving communication energy. The initial pairwise key establishing process is shown in Figure 2.

The generation of pairwise keys for nodes $A$ and $B$ (here $A$ is assumed to be the node that calls for key establishment) is as follows:

$$
\begin{aligned}
A &\rightarrow * : \mathrm{Nonce}_A, \\
B &\rightarrow A : B, \mathrm{MAC}_{K_B}(\mathrm{Nonce}_A \mid B).
\end{aligned}
\tag{3}
$$

Here, node $A$ broadcasts a nonce to all of its direct neighbors to request establishing pairwise keys without authenticating its identity, because if it cannot prove its own identity (namely, it does not own the individual key), it will fail to generate the pairwise key in the following step:

$$K_{AB} = f(K_B, A). \tag{4}$$

Since node $A$ possesses both the key establishment function $f$ and the initial key $K_I$, it can compute $K_B$ independently and then obtain the pairwise key $K_{AB}$ as well.

Figure 2: Pairwise key establishing phase (messages 1 and 2 exchanged between nodes A and B).

Note that each node has a timer which directs it to erase keys once it is sure that the pairwise key establishment is finished. This process is significant because all the nodes keep the network-wide initial key $K_I$ to help complete the establishments in the initial period, and once the relatively safe period has passed, there is a great risk that some nodes may be compromised.

So it is suggested that, after a reasonable length of time, the initial key $K_I$ and the neighbors' individual master keys stored in the node all be erased (but its own individual master key will always be held).

In this way, when almost all the pairwise keys are established successfully, no nodes will possess the necessary generating key materials until there is a new group of nodes to be joined. The key erasure mechanism is necessary, so how to control the key erasing time is worth exploring, but it is not an emphasis in this paper.

In addition, it can also be seen from the above equation that after the establishing time, namely, once the related key materials are erased, if the node $A$ is compromised by an attacker and a node $A'$ broadcasts a nonce for establishing pairwise keys, it cannot succeed due to such establishment mechanism.

But once the attacker uses $A'$ to take a passive joining strategy, the responding node $A'$ will generate the pairwise key with $B$ (here $B$ is one of a new batch of joining nodes that is asking to establish pairwise keys with its neighbors, including $A'$) as follows: $K_{BA'} = f(K_{A'}, B)$, and then the attacker will be able to inject erroneous packets into the network at will.

For the newly added nodes, an alternative is proposed to establish a secure pairwise key:

$$K_{AB} = f(K_B, A) \oplus f(K_A, B). \tag{5}$$

Since the pseudorandom function $f$ is efficient, such an improvement is acceptable.

The advantage of the above key establishing scheme is that there is no message exchange between nodes $A$ and $B$ during the computing step, which greatly reduces the communication overhead.

Note that there will be a situation in which two nodes want to establish a pairwise key while one of them does not possess the master key $K_I$, such as a newly added node and an older node which has finished all its pairwise key establishments and erased the master key $K_I$.

To deal with such a situation, a scheme that asks for help from the controller is simply presented as follows:

$$
\begin{aligned}
A &\rightarrow B : \mathrm{Nonce}_A, A, \\
B &\rightarrow \text{Base station} : RK_{AB}, A, B, \mathrm{MAC}_{K_B}(R_{AB}, A, B), \\
\text{Base station} &\rightarrow A : E_{K_A}(K_{AB}), \mathrm{MAC}_{K_A}(B, E_{K_A}(K_{AB})), \\
\text{Base station} &\rightarrow B : E_{K_B}(K_{AB}), \mathrm{MAC}_{K_B}(A, E_{K_B}(K_{AB})).
\end{aligned}
\tag{6}
$$

Here, $A$ is a new node which calls for establishing a pairwise key with its neighbor $B$, and $B$ is an older node that has generated all its own pairwise keys and erased the initial key $K_I$, which makes it unable to generate a new pairwise key.

If $B$ wants to verify the identity of node $A$, the most credible way is to ask for the help of the base station.

However, reducing the use of the base station is an important goal here, and the improvement is worth further exploring.
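The exchange in equations (2) to (5), written out as an added example that is not code from the paper. HMAC-SHA256 stands in for both $f$ and the MAC, and the `Node` class, its method names and the sample key are assumptions; the demo also shows what a capture before and after erasure of $K_I$ exposes.

```python
import hashlib
import hmac
import os


def f(key, data):
    """Key generation function f; HMAC-SHA256 is an assumed stand-in for the PRF."""
    return hmac.new(key, b"kdf|" + data, hashlib.sha256).digest()


def mac(key, data):
    """MAC_K(m); the distinct prefix keeps MAC inputs apart from f() inputs."""
    return hmac.new(key, b"mac|" + data, hashlib.sha256).digest()


class Node:
    def __init__(self, node_id, k_init):
        self.id = node_id
        self.k_init = k_init              # K_I, kept only until the erasure timer fires
        self.k_ind = f(k_init, node_id)   # eq. (2): K_A = f(K_I, A)
        self.pairwise = {}                # neighbor id -> pairwise key
        self.nonce = None

    def request(self):
        """A -> *: Nonce_A (sender id assumed visible from the frame header)."""
        self.nonce = os.urandom(8)
        return self.id, self.nonce

    def respond(self, peer_id, nonce):
        """B -> A: B, MAC_{K_B}(Nonce_A | B); B keeps K_AB = f(K_B, A)."""
        self.pairwise[peer_id] = f(self.k_ind, peer_id)
        return self.id, mac(self.k_ind, nonce + b"|" + self.id)

    def accept(self, peer_id, tag):
        """A rebuilds K_B from K_I, checks the MAC, then derives K_AB (eq. 4)."""
        if self.k_init is None or self.nonce is None:
            return False                  # K_I erased: this node can no longer initiate
        k_b = f(self.k_init, peer_id)
        if not hmac.compare_digest(tag, mac(k_b, self.nonce + b"|" + peer_id)):
            return False
        self.pairwise[peer_id] = f(k_b, self.id)
        return True

    def erase_initial_key(self):
        """Timer expiry: a later capture exposes only this node's own keys."""
        self.k_init = None


def symmetric_pairwise(k_a, k_b, id_a, id_b):
    """Eq. (5): K_AB = f(K_B, A) xor f(K_A, B), so both individual keys are needed."""
    return bytes(x ^ y for x, y in zip(f(k_b, id_a), f(k_a, id_b)))


def demo():
    k_init = b"constructed-initial-key"          # sample K_I for the example
    a, b, c = (Node(i, k_init) for i in (b"A", b"B", b"C"))

    # Eq. (3)/(4) handshake between A (initiator) and B (responder).
    b_id, tag = b.respond(*a.request())
    established = a.accept(b_id, tag) and a.pairwise[b"B"] == b.pairwise[b"A"]

    # Capture inside the initial period: K_I yields every node's individual key.
    exposed_before_erasure = f(a.k_init, c.id) == c.k_ind

    # After erasure, A (or a replica of it) cannot complete a handshake it initiates.
    a.erase_initial_key()
    c_id, tag_c = c.respond(*a.request())
    initiates_after_erasure = a.accept(c_id, tag_c)

    # Passive joining: a new node N initiates and A only responds. With eq. (4) the
    # key is f(K_A, N), which A's own stored key suffices to compute.
    n = Node(b"N", k_init)
    a_id, tag_a = a.respond(*n.request())
    eq4_from_own_key = n.accept(a_id, tag_a) and n.pairwise[b"A"] == f(a.k_ind, b"N")
    # Eq. (5) mixes in f(K_N, A), and K_N is not stored on A.
    eq5_differs = symmetric_pairwise(a.k_ind, n.k_ind, b"A", b"N") != f(a.k_ind, b"N")
    return (established, exposed_before_erasure, initiates_after_erasure,
            eq4_from_own_key, eq5_differs)


if __name__ == "__main__":
    print(demo())
```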

4.2.3. Cluster Key Establishment. The cluster key is a key generated by an elected cluster head and shared with its neighbors, and it is mainly used for encrypting local broadcast packets. Its most significant advantage is that it enables in-network processing, such as passive participation and data aggregation, which cannot be supported by the pairwise key but can save energy efficiently.

This key establishing process is straightforward, as follows:

$$A \rightarrow B_i : E_{K_{AB_i}}(K^C_A). \tag{7}$$

Here, node $A$ is the elected cluster head and $B_i$ represents one of its immediate neighbors $B_1, B_2, \ldots, B_n$ ($1 \le i \le n$). Cluster head $A$ first generates a key $K^C_A$ randomly, encrypts it with its pairwise keys, and then sends it to each neighbor $B_i$. Node $B_i$ then decrypts the cluster key and stores $K^C_A$ in a table.

When any neighbor of $A$ is revoked, which means there will be a risk in continuing to use the old cluster key, cluster head $A$ regenerates and transmits $K^{C\prime}_A$ in the same way.

Cluster division and cluster head selection approaches are also worthy of discussion, but they are not an emphasis in this paper. A simple mesh division method, based on the virtual cluster idea, is shown in Figure 3.

4.2.4. Group Key Establishment. The group key $K_g$ is used for encrypting messages that need to be broadcast to the whole group. Note that, different from the above situations, the key point here is no longer about key establishment or encrypting schemes, because there is only one group key shared among the entire network; meanwhile, it does not make sense to encrypt a broadcast message using the master key of each sensor node separately.

It is also because there is only one group key shared among sensor nodes that, once a compromised node is revoked, the rekeying and updating mechanism becomes important.

Figure 3: Mesh division method (legend: cluster head, active node, base station).

$\mu$TESLA [22] is a widely employed protocol due to its high efficiency and perfect tolerance for packet loss. A one-way hash function $H$ is used here to help achieve the process. Firstly, the controller generates a random seed $k_m$ and uses the function $H$ to get a sequence of the following hash values $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ that meets the restriction $\{k_j \mid 0 < j \le m,\ k_{j-1} = H(k_j)\}$.

Then preload this key chain $k_m, k_{m-1}, \ldots, k_j, \ldots, k_1$ in the base station and use delayed key disclosure to achieve message authentication. Let $A$ be the revoked node and $K'_g$ the new group key; the process is as follows:

$$\text{Base station} \rightarrow * : A, f(K'_g, 0), \mathrm{MAC}_{k_j}(A \mid f(K'_g, 0)). \tag{8}$$

When the verification is done, all the nodes will remove the related information of node $A$ and store the group key $K'_g$ in the table.

Note that the initial group key $K_g$ is preloaded in all the sensor nodes before their deployment, like the initial key $K_I$, but we cannot also take $K_I$ as the group key, because it will be erased in a very short time after the pairwise key establishment. The key used for deriving related keys must be protected separately from normal ones.

Figure 4 simply illustrates the authentication mechanism:

$$k_{j-1} = H(k_j). \tag{9}$$
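A sketch of the one-way key chain and delayed key disclosure behind message (8), added here as an illustration and not taken from the paper or from a $\mu$TESLA implementation. SHA-256 and HMAC-SHA256 are assumed for $H$ and the MAC, nodes are assumed to be preloaded with the commitment $k_0 = H(k_1)$, and all class and function names are hypothetical.

```python
import hashlib
import hmac


def H(k):
    """One-way function H; SHA-256 is an assumed instantiation."""
    return hashlib.sha256(k).digest()


def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_chain(seed, m):
    """Return [k_0, ..., k_m] with k_m = seed and k_{j-1} = H(k_j) (eq. 9)."""
    chain = [seed]
    for _ in range(m):
        chain.append(H(chain[-1]))
    return chain[::-1]


class BaseStation:
    def __init__(self, seed, m):
        self.chain = make_chain(seed, m)
        self.commitment = self.chain[0]     # k_0, assumed preloaded into every node

    def revoke(self, j, node_id, check_value):
        """Eq. (8): A, f(K'_g, 0), MAC_{k_j}(A | f(K'_g, 0)), sent during interval j."""
        body = node_id + b"|" + check_value
        return j, body, mac(self.chain[j], body)

    def disclose(self, j):
        """Delayed disclosure of k_j once interval j is over."""
        return j, self.chain[j]


class Receiver:
    def __init__(self, commitment):
        self.last_j, self.last_key = 0, commitment
        self.buffer = []        # (j, body, tag) waiting for k_j
        self.accepted = []

    def receive(self, j, body, tag):
        # A message is only safe to buffer while k_j is still undisclosed.
        if j <= self.last_j:
            return False
        self.buffer.append((j, body, tag))
        return True

    def on_disclosure(self, j, key):
        if j <= self.last_j:
            return False
        probe = key
        for _ in range(j - self.last_j):    # walk back over any lost disclosures
            probe = H(probe)
        if not hmac.compare_digest(probe, self.last_key):
            return False
        waiting = []
        for mj, body, tag in self.buffer:
            if mj > j:
                waiting.append((mj, body, tag))
                continue
            k = key
            for _ in range(j - mj):         # recover k_mj if its disclosure was lost
                k = H(k)
            if hmac.compare_digest(tag, mac(k, body)):
                self.accepted.append(body)
        self.buffer, self.last_j, self.last_key = waiting, j, key
        return True


def demo():
    bs = BaseStation(b"constructed-seed-k_m", 5)
    rx = Receiver(bs.commitment)
    check = mac(b"constructed-new-group-key", b"0")      # stands in for f(K'_g, 0)
    buffered = rx.receive(*bs.revoke(3, b"A", check))
    forged_key = rx.on_disclosure(3, b"\x00" * 32)       # does not hash back to k_0
    genuine = rx.on_disclosure(*bs.disclose(3))          # k_1 and k_2 never arrived
    k3 = bs.chain[3]
    late = rx.receive(3, b"B|x", mac(k3, b"B|x"))        # built after k_3 became public
    replay = rx.on_disclosure(*bs.disclose(2))
    return buffered, forged_key, genuine, rx.accepted, late, replay


if __name__ == "__main__":
    print(demo())
```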

Figure 4: Using the one-way hash function for source authentication (keys K1 to K5 and packets p1 to p6 along a time axis).

5. Enhanced Protocol

5.1. Requirements Analysis. The design of the basic scheme presented in the previous section is motivated by the observation that a single keying mechanism is not suitable for meeting all the security requirements of different types of exchanged messages.

The advantage of this scheme is that a captured node does not threaten the safety of the other nodes, provided that the master key $K$ is absolutely safe in the time interval $T_{\min}$.

During the time interval $T_{\min}$, all the nodes of the WSN hold the general master key $K$, and we note that this scheme cannot provide confidentiality when a node is compromised in $T_{\min}$. By using the stolen information, like the master key $K$, an attacker can easily derive the master keys of all the remaining normal nodes that are deployed in the same time interval, as well as negotiate new pairwise keys with normal nodes in any region, which means that once a node is compromised in the time interval $T_{\min}$, the security of the entire network is in extreme danger.

5.2. Enhanced Scheme. The improved scheme is based on the Diffie-Hellman algorithm described above: prior to deployment of the network, each node prestores the large prime number $p$ and its primitive root $a$ instead of the initial key $K_I$, which is derived from the master key $K$.

Note that the generation of the individual key for node $A$ is still the same:

$$K_A = f(K_I, A). \tag{10}$$

Different from the basic scheme, this process is completed once the node is deployed; after that, the information of the initial key $K_I$ is deleted. Thus, the attacker cannot get any information about the initial key $K_I$ or the master key $K$, even if the node is compromised during the working period.

Since the node no longer keeps the initial key $K_I$, which is required to participate in the relevant calculations (function) in the pairwise key generating process, the basic scheme cannot be carried out. For this situation, the following improvements are made.

Give a key evolution function to each node. Take nodes $A$ and $B$ as examples:

$$
\begin{aligned}
X_A &= h(A \mid K_A) \bmod p, \\
X_B &= h(B \mid K_B) \bmod p.
\end{aligned}
\tag{11}
$$

Then calculate the public messages:

$$
\begin{aligned}
Y_A &= a^{X_A} \bmod p, \\
Y_B &= a^{X_B} \bmod p.
\end{aligned}
\tag{12}
$$

The pairwise key generation process is as follows:

$$
\begin{aligned}
A &\rightarrow * : \mathrm{Nonce}_A, Y_A, \\
B &\rightarrow A : \mathrm{MAC}_{K_{AB}}(B \mid Y_B), B, Y_B.
\end{aligned}
\tag{13}
$$

Here, node $A$ broadcasts a nonce to all its direct neighbors to ask to establish a pairwise key and broadcasts the public message $Y_A$ at the same time. When its neighbor (take node $B$ for example) receives the message, it first verifies the legitimacy of $Y_A$ and then calculates the pairwise key using the following function:

$$K_{AB} = (Y_A)^{X_B} \bmod p. \tag{14}$$

After that, node $B$ sends the messages $B$ and $Y_B$ back to the asking node $A$ and sends a message $\mathrm{MAC}_{K_{AB}}(B \mid Y_B)$ to authenticate its identity. If node $B$ cannot respond to node $A$ in this way, it means that node $B$ cannot get $K_{AB}$ by using only $Y_A$; node $B$ is then considered untrusted. In addition, node $A$ does not need to send an authenticating message back to node $B$ anymore, because if it cannot prove its own identity (namely, it cannot get $K_{AB}$ by using only $Y_B$), it will fail to generate the pairwise key $K_{AB}$.

Compared with the basic protocol, the most obvious improvement of the enhanced protocol is that it makes use of the Diffie-Hellman algorithm to generate pairwise keys instead of storing the initial key $K_I$ for a certain period of time. Thus, even if a node is compromised in $T_{\min}$, the attacker can merely get the key information related to the compromised node, which means that only limited security threats can be caused, avoiding the disruption of the entire network caused by losing the initial key $K_I$. Despite the slight increment in the computational overhead, the security of the WSN is greatly improved.
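The Diffie-Hellman exchange described earlier, applied to equations (10) to (14), as an added example that is not the authors' code. It assumes SHA-256 for $h$, HMAC-SHA256 for $f$ and the MAC, a range check as the otherwise unspecified legitimacy test on a received $Y$, and toy parameters $p = 2^{31} - 1$, $a = 7$; all names are hypothetical.

```python
import hashlib
import hmac
import os

# Toy parameters constructed for this example: P = 2^31 - 1 is prime and 7 is a
# primitive root of it. A 31-bit modulus offers no security; it only keeps the
# arithmetic checkable.
P = 2**31 - 1
A_ROOT = 7
P_MINUS_1_PRIME_FACTORS = (2, 3, 7, 11, 31, 151, 331)   # P - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331


def is_primitive_root(a, p, prime_factors):
    """a is a primitive root of p iff a^((p-1)/q) mod p != 1 for every prime q | p-1."""
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors)


def f(key, data):
    """Key generation function f; HMAC-SHA256 is an assumed stand-in."""
    return hmac.new(key, data, hashlib.sha256).digest()


def h_int(msg):
    """Hash h read as an integer; SHA-256 is an assumed stand-in."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def valid_public(y):
    """Assumed legitimacy check on a received Y: in range and not 1 or p-1."""
    return isinstance(y, int) and 1 < y < P - 1


def enc(value):
    return value.to_bytes(4, "big")


class Node:
    def __init__(self, node_id, k_init):
        self.id = node_id
        self.k_ind = f(k_init, node_id)                  # eq. (10); K_I is not stored
        self.x = h_int(node_id + b"|" + self.k_ind) % P  # eq. (11)
        self.y = pow(A_ROOT, self.x, P)                  # eq. (12)
        self.pairwise = {}

    def _tag(self, key, sender_id, sender_y):
        return hmac.new(key, sender_id + b"|" + enc(sender_y), hashlib.sha256).digest()

    def request(self):
        """A -> *: Nonce_A, Y_A (sender id assumed visible from the frame header)."""
        return self.id, os.urandom(8), self.y

    def respond(self, peer_id, nonce, peer_y):
        """B -> A: MAC_{K_AB}(B | Y_B), B, Y_B with K_AB = (Y_A)^{X_B} mod p (eq. 14).

        As in eq. (13), the MAC covers B | Y_B only; the nonce is not an input.
        """
        if not valid_public(peer_y):
            return None
        k = enc(pow(peer_y, self.x, P))
        self.pairwise[peer_id] = k
        return self._tag(k, self.id, self.y), self.id, self.y

    def accept(self, tag, peer_id, peer_y):
        """A derives K_AB = (Y_B)^{X_A} mod p and trusts B only if the MAC verifies."""
        if not valid_public(peer_y):
            return False
        k = enc(pow(peer_y, self.x, P))
        if not hmac.compare_digest(tag, self._tag(k, peer_id, peer_y)):
            return False
        self.pairwise[peer_id] = k
        return True


def demo():
    k_init = b"constructed-initial-key"       # sample K_I, present only at provisioning
    a, b = Node(b"A", k_init), Node(b"B", k_init)
    tag, b_id, y_b = b.respond(*a.request())
    ok = a.accept(tag, b_id, y_b)
    same_key = a.pairwise[b"B"] == b.pairwise[b"A"]
    tampered = a.accept(tag, b_id, (y_b * A_ROOT) % P)   # Y_B altered in transit
    degenerate = a.accept(tag, b_id, 1)                  # would force K_AB = 1
    return ok, same_key, tampered, degenerate


if __name__ == "__main__":
    print(demo())
```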

6. Performance Evaluation

The ability of the protocol to fight against various kinds of attacks is discussed in detail in the above sections. This section analyzes the storage requirement and energy efficiency.

6.1. Storage Requirement. In the basic protocol, a node needs to store four types of keys. Considering a node with $m$ neighbors in the WSN, it needs to store one individual key, $m$ cluster keys, $m$ pairwise keys, and one group key. In the enhanced protocol, each node stores the same number of keys as in the basic protocol.

When the key establishment is complete in a network having a scale of $N$, there is an upper limit on the number of keys to be stored in the nodes, including $N$ individual keys, $C(N, 2)$ pairwise keys, $N/2$ cluster keys, and $N$ group keys (though there is only one group key in a certain period), which add up to $((5/2)N + (N/2)(N - 2) = (N^2 + 3N)/2)$, and the average for each node is $(5/2 + (N - 1)/2(N - 2) = N/2 + 2)$.

Note that the communication distance of a sensor node is limited, so the network will not reach such a high complexity that every two nodes are connected.

In addition, using an efficient clustering method can reduce the number of required cluster keys, and the real storage complexity is much smaller.

Although memory is quite a scarce resource for the current generation of nodes in WSNs, storage of a reasonable degree is not an issue in our protocol. For example, 100 keys take 800 bytes in total when the key size is 8 bytes.

6.2. Communication Cost. In this paper, the average communication cost increases with the connection degree of a sensor network and decreases with the network size $N$. Efficient preloaded functions are widely used, which greatly reduces the message exchanges in the key establishing phase and so saves communication cost. What is more, the use of a local cluster key enables in-network data processing, which also helps achieve communication and energy efficiency.

It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.

6.3. Computational Cost. The functions used in the proposed protocols are all of high computational efficiency. For example, the pseudorandom function $f$ is employed as the key generation function, and its computational cost is negligible when it is used in the key establishment process. In the enhanced protocol, although the computational cost is slightly increased by using the Diffie-Hellman algorithm, we believe that the computational overhead is acceptable for a network of reasonable density in our protocols. For example, for a WSN of size $N = 1000$ and a connection degree of 20, the average computational cost is 27 symmetric key operations per node per revocation, and a larger $N$ will reduce the cost further.

Overall, we conclude that the protocols proposed in this study are scalable and efficient enough in storage, communication, and computation.

7. Security Analysis

This section analyzes the security of the key management protocols. The survivability of the network is discussed for the case in which undetected compromised nodes occur, and the robustness of the proposed schemes is studied in defending against various attacks.

7.1. Survivability. Once a sensor node $A$ is compromised, the adversary can launch attacks by utilizing the keying materials of node $A$. If the threat is detected somehow, the protocols can revoke node $A$ efficiently and update the information of nodes quickly throughout the whole network. Basically, each neighbor of the compromised node $A$ can delete its pairwise key shared with node $A$ as well as update the cluster key. The group key can also be updated efficiently by making use of the $\mu$TESLA mechanism. When the revocation is completed, the adversary cannot launch further attacks anymore.

However, security detection in WSNs is more difficult than in other systems, since sensor systems are often deployed in unattended environments. Thus, the survivability of the network when compromised nodes are not detected is one of the most important security requirements.

Firstly, because the individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.

Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which can be used by the attacker to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study, the attacker usually has to achieve such attacks by making use of the identity of the captured node.

Note that a salient feature of the proposed protocols is the ability to localize possible threats: after the deployment of the network and the pairwise key establishing phase, every node keeps a list of trusted neighbor nodes. As a compromised node and its copy nodes cannot establish a trust relationship with other nodes except its neighbors, the attacker can only damage secure links within a limited range.

Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. The broadcast messages, by their nature, are intended to be received by all the nodes in the network. Thus, compromising any single node is enough to possess this message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the $\mu$TESLA mechanism.
7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.

An inside attacker may attempt to alter and replay routing information to make routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.

In this paper, the schemes cannot protect the WSNs from such attacks; however, the schemes can hinder or minimize the consequences caused by such attacks.

First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.

Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching such attacks. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible, since the related sending node may overhear the forwarded messages altered by the captured node.

Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.

The proposed protocol can protect WSNs from the following attacks.

Sybil Attacks. In Sybil attacks, the attacker may replicate the captured node and deploy multiple replicas into the original network. With the help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen in the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.

HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network by increasing the transmission power to be high enough to make all the nodes convinced that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and some other packets in vain. However, it cannot succeed in the proposed protocols, because the attacker does not have a network-wide key for authentication.

It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages to the entire network from the base station.

7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.

In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in WSNs.

In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, to create a sinkhole. Moreover, nodes which are multiple hops away may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch a wormhole attack, such an attack is very powerful in practice [24].

In the proposed protocols, an outside attacker cannot succeed in launching a wormhole attack except in the neighbor discovery process, since a node will know all its neighbor nodes after the pairwise key is established, which means the attacker cannot convince two distant nodes to believe that they are neighbors of each other.

Because the time of the neighbor discovery process is very short (usually seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors when the neighbor discovery phase is finished. The authenticated neighborhood information is critical for dealing with wormhole attacks.

In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station becomes smaller, node $B$ will be especially attractive to surrounding nodes. In practice, the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and then sensor nodes will know the approximate number of hops from the base station. Thus, it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.

7.4. Conclusion. This paper proposes a basic key management protocol based on an initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.

To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.

The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to the original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.

This paper presents a proposal for key establishment and achieves security mainly based on the combined application of four kinds of keys. This is a critical step, and how to use such keys to build a protection mechanism is a focus of our future research.

Notations

$N$: The number of nodes in the network

$A$, $B$: Two communicating nodes in the network (also represents the node identifier)

$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$

$H(K)$: One-way hash function to generate a chain of keys using the seed $K$

$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$

$K$: The master key only possessed by base station

$K_A$: Individual key of node $A$

$E_K(m)$: Encryption of message $m$ with a symmetric key $K$

$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$

$A \rightarrow B : M$: Node $A$ sends a message $M$ to node $B$

$A \rightarrow * : M$: Node $A$ sends a local broadcast message $M$ to all its neighbors

$h(m)$: Calculate hash value of message $m$

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "Wireless sensor networks: a survey," Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.

[2] X. He, M. Niedermeier, and H. de Meer, "Dynamic key management in wireless sensor networks: a survey," Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.

[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, "A unified security framework with three key management schemes for wireless sensor networks," Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.

[4] C. Intanagonwiwat, R. Govindan, and D. Estrin, "Directed diffusion: a scalable and robust communication paradigm for sensor networks," in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.

[5] A. Manjeshwar and D. P. Agrawal, "TEEN: a routing protocol for enhanced efficiency in wireless sensor networks," in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS '01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.

[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom '01), pp. 189–199, Rome, Italy, July 2001.

[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.

[8] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.

[9] H. O. Sanli, S. Ozdemir, and H. Cam, "SRDA: secure reference-based data aggregation protocol for wireless sensor networks," in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC '04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.

[10] T. Dimitriou and I. Krontiris, "A localized, distributed protocol for secure information exchange in sensor networks," in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), pp. 37–45, IEEE, April 2005.


[11] S. Zhu, S. Setia, and S. Jajodia, "LEAP: efficient security mechanisms for large-scale distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 62–72, ACM, New York, NY, USA, October 2003.

[12] J. Shen and L. Xu, "Cluster-based key pre-distribution scheme for wireless sensor networks," Journal of Wuhan University: Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).

[13] X. Huang, M. Yang, and S.-S. Lv, "Secure and efficient key management protocol for wireless sensor network and simulation," Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.

[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS '12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[15] L.-C. Li, J.-H. Li, and J. Pan, "Self-healing group key management scheme with revocation capability for wireless sensor networks," Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.

[16] Z. Ming, W. Suo-ping, and X. He, "Dynamic key management scheme for wireless sensor networks based on cluster," Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.

[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, "Transitory initial key-based key management protocol in wireless sensor networks," Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.

[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, "A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE802.16e wireless networks," Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.

[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, "Fine-grained access control system based on outsourced attribute-based encryption," in Computer Security – ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013. Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.

[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, "Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach," in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP '03), pp. 326–335, Atlanta, Ga, USA, November 2003.

[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, Washington, DC, USA, October 2003.

[22] D. Liu and P. Ning, "Multi-level μTESLA: broadcast authentication for distributed sensor networks," ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.

[23] J. Li, Q. Wang, C. Wang, and K. Ren, "Enhancing attribute-based encryption with attribute hierarchy," Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.

[24] Y. S. Lee, J. W. Park, and L. Barolli, "A localization algorithm based on AOA for ad-hoc sensor networks," Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.


Therefore, it is fundamental to design a security mechanism which satisfies above requirements in order to achieve the security of WSNs.

3. Prerequisite Knowledge

3.1. Notations. The notations used in this paper are given in Notations section.

Note that, in order to simplify the representation in the following discussion, notations $A$ and $B$ are used to represent their node identifiers instead of $\text{ID}_A$ and $\text{ID}_B$.

In addition, since keys for various security uses can be derived from the same key $K$, such as $K_0 = f(K, 0)$ for authentication and $K_1 = f(K, 1)$ for encryption, we just say a message $M$ is authenticated or encrypted with $K$ instead of saying in detail.

3.2. Function and Algorithm Description

One-Way Hash Function. One-way hash function $H$ meets the following properties [15]:

(i) Given $x$, it is easy to compute $y$ using function $y = H(x)$.
(ii) Given $y$, it is difficult to compute $x$ from function $y = H(x)$.
(iii) Given $x$, it is difficult to find a $y$ meeting the condition that $y \neq x$ and $H(y) = H(x)$.

One-way hash chain is a sequence of hash values $\{x_m, x_{m-1}, \ldots, x_j, \ldots, x_1\}$ fulfilling the restriction $\{x_j \mid 0 < j \le m,\ x_{j-1} = H(x_j)\}$, where $x_m$ is a randomly selected key seed. Due to the unidirectional feature, one-way hash key chain is widely used in secure authentication. For example, when $x_1$ is given, it can be verified whether $x_i$ is an element of the one-way hash key chain sequence using the equation $x_1 = H^{i-1}(x_i)$.

Key Generation Function. Pseudorandom function $f$ is employed as the key generation function here for its high computational efficiency. When it is used in key establishment process, the computational cost is negligible. Note that this function is stored in all the network nodes as well as the base station.

Diffie-Hellman Algorithm. Diffie-Hellman provides a method to ensure safety of shared key through insecure networks, and it is an integral part of OAKLEY algorithm.

The ingenious point is that two sides of communication can use this method to determine the symmetric key, which can be used for encryption and decryption. Note that the key exchange protocol can only be used for key exchange, without being able to encrypt and decrypt the messages [16].

Since the key exchange algorithm itself is usually limited to be used as key exchange technology for many commercial products, it is usually called Diffie-Hellman key exchange (abbreviated as DH algorithm; key exchange based on DH algorithm is also commonly referred to as DH exchange).

The purpose of this key exchange technique is to enable two users to achieve secure key exchange in order to ensure the encryption of subsequent packets. The effectiveness of Diffie-Hellman key exchange algorithm relies on the difficulty of computing discrete logarithms [17]. In short, the discrete logarithm can be defined as follows.

First, define primitive root of prime number $p$, which is an integer whose powers generate each of the integers from 1 to $p - 1$; that is, if $a$ is a primitive root of prime number $p$, the values of $a \bmod p, a^2 \bmod p, \ldots, a^{p-1} \bmod p$ are all different integers from 1 to $p - 1$ in a certain arrangement.

For an integer $b$ and a primitive root $a$ of prime number $p$, we can find the unique index $i$ making $b = a^i \bmod p$, where $0 \le i \le (p - 1)$; index $i$ is called the discrete logarithm, or exponent, of integer $b$ to the base $a$ modulo $p$.

Based on the definition and nature of the primitive root, Diffie-Hellman key exchange algorithm is described as follows [18].

(1) There are two global parameters: prime number $p$ and integer $a$, where $a$ is a primitive root of $p$.

(2) Suppose users $A$ and $B$ wish to exchange a key. User $A$ selects a random number $X_A$ ($X_A < p$) as private key and calculates the public key $Y_A = a^{X_A} \bmod p$. User $A$ keeps $X_A$ confidential and makes $Y_A$ publicly available to user $B$. Similarly, user $B$ also selects a random number $X_B$ ($X_B < p$) as private key and calculates the public key $Y_B = a^{X_B} \bmod p$. User $B$ keeps $X_B$ confidential and makes $Y_B$ publicly available to user $A$.

(3) User $A$ calculates shared secret key by $K = (Y_B)^{X_A} \bmod p$, and user $B$ similarly calculates shared secret key $K$ by $K = (Y_A)^{X_B} \bmod p$.

Since

$$K = (Y_B)^{X_A} \bmod p = (a^{X_B} \bmod p)^{X_A} \bmod p = a^{X_B X_A} \bmod p = (a^{X_A})^{X_B} \bmod p = (a^{X_A} \bmod p)^{X_B} \bmod p = (Y_A)^{X_B} \bmod p, \quad (1)$$

the two sides have exchanged the same secret key $K$. Because $X_A$ and $X_B$ are confidential, an adversary can only use parameters $p$, $a$, $Y_A$, and $Y_B$. Thus the adversary is forced to use discrete logarithm to determine the shared key $K$. The security of Diffie-Hellman key exchange algorithm relies on the fact that, although computing exponentials modulo a prime number is relatively easy, computing discrete logarithm is very difficult. For large prime numbers, calculating the discrete logarithm is almost impossible.

3.3. Assumptions. Basic assumptions are as follows:

(i) Topology is unknown before the deployment of the nodes.

(ii) The sensor network is static (sensor nodes are not mobile) after deployment.

(iii) Sensor nodes have similar computational and communication capabilities.

(iv) Transmission power of nodes can be adjusted to control the propagation distance.

(v) The base station has enough energy supply and computing power.

(vi) The attacker has the ability to eavesdrop on all the channels as well as to replay former messages and inject malicious packets.

(vii) Once a node is captured, all the stored information will be obtained by the adversary.

(viii) Every node has enough space to store hundreds of bytes for key establishment materials.

(ix) Each node has some degree of ability to resist attack, and it will not be captured within a limited period of time.

4. Protocol Description

This section introduces the basic protocol in detail, including four kinds of secure key establishment mechanisms to satisfy various secure communication requirements and mechanisms for key erasure and update.

4.1. Overview. As discussed above, the single key mechanism cannot provide appropriate protection to all the required communication in the WSNs. Moreover, the security performance and resource consumption have to be balanced when making use of different kinds of keys.

The degree of sharing keys in the security mechanism has to be taken into consideration. For example, if unique pairwise keys are used for each two nodes in the WSNs to guarantee secure communication, the node captured by an attacker will not reveal any security information of other normal nodes, which is ideal to prevent threat to the entire network. However, it requires significant communication bandwidth and energy resources, which is quite inefficient.

On the contrary, if only a network-wide key is used for authentication and encryption, no communication between nodes is required for establishment of additional keys, and the storage costs and energy consumption can also be minimized. However, the security will be extremely poor. Once any node in the system is captured by an attacker, the whole network suffers an enormous risk.

4.2. Key Establishment. In this section, the establishment of four kinds of keys is discussed in detail, as well as their characteristics and abilities to resist attacks.

4.2.1. Individual Key Establishment. Individual key is a unique key of each sensor node that is shared with the controller (the base station), which is used for individual authentication and secure communication assurance [19].

For example, individual key can be used to encrypt sensitive information, such as special instructions and rekeying commands exchanged between a sensor node and the base station. It can also be used for message authentication to get verification of the base station or other nodes.

Since every node in the network shares a unique individual key with the base station, it is neither practical nor efficient to store all these keys for the base station, especially when the network is very large. Thus it is important to adopt a strategy to reduce the storage overhead, which can be achieved by the key generation function $f$.

First of all, it is assumed that each node holds the key establishment function $f$ and an initial key $K_I$, which is derived from the master key $K$ that is only possessed by the controller; all of them are preloaded in the nodes before the key establishment phase. The generation of individual key for node $A$ (here $A$ indicates the unique ID of node $A$) is as follows:

$$K_A = f(K_I, A). \quad (2)$$

In the above, the function $f$ for key establishment is a pseudorandom function, and it is efficient enough to be used on sensor nodes.

Once the individual key is generated, the related node stores it within its life cycle. Since the base station has full knowledge of the initial key $K_I$ and efficient establishment function $f$, the storage overhead for individual keys of each sensor node can be reduced.

4.2.2. Pairwise Key Establishment. Pairwise keys of a node indicate the keys shared with each of its direct neighbors, so the storage overhead of such keys for each node depends on the number of its neighbors [20, 21].

In this protocol, pairwise keys have a lot of uses. For example, it can be used for a cluster head to encrypt the cluster key, which has to be transmitted to all of its neighbors, to achieve the distribution security. It is also a component to improve system security.

However, it will impede passive participation, which is important in saving communication energy, if such key mechanism is employed individually. The initial pairwise key establishing progress is shown in Figure 2.

The generation of pairwise keys for nodes $A$ and $B$ (here $A$ is assumed to be the node that calls for key establishment) is as follows:

$$A \to *: \text{Nonce}_A,$$
$$B \to A: B, \text{MAC}_{K_B}(\text{Nonce}_A \mid B). \quad (3)$$

Here, node $A$ broadcasts a nonce to all of its direct neighbors to request establishing pairwise keys without authenticating its identity, because if it cannot prove its own identity (namely, it does not own the individual key), it will fail to generate the pairwise key in the following steps:

$$K_{AB} = f(K_B, A). \quad (4)$$

Since node $A$ possesses both the key establishment function $f$ and the initial key $K_I$, it can compute $K_B$ independently and then obtains the pairwise key $K_{AB}$ as well.

Figure 2: Pairwise key establishing phase (messages 1 and 2 exchanged between nodes A and B).

Note that each node has a timer which triggers key erasure once it makes sure that the pairwise key establishment is finished. This process is significant because all the nodes keep the network-wide initial key $K_I$ to help complete the establishments in the initial period, and once the relatively safe period passes by, it will face great risk that some nodes may be compromised.

So it is suggested that, after a reasonable length of time, the initial key $K_I$ and the neighbors' individual master keys stored in the node be all erased (but its own individual master key will always be held).

In this way, when almost all the pairwise keys are established successfully, no nodes will possess the necessary generating key materials until there is a new group of nodes to be joined. The key erasure mechanism is so necessary that how to control the key erasing time is worth exploring, but it is not an emphasis in this paper.

In addition, it can also be seen from the above equation that, after the establishing time, namely, after related key materials are erased, once the node $A$ is compromised by an attacker and a node $A'$ broadcasts a nonce for establishing pairwise keys, it cannot succeed due to such establishment mechanism.

But once the attacker uses $A'$ to take passive joining strategy, the responding node $A'$ will generate the pairwise key with $B$ (here $B$ is one of a new batch of joining nodes that is asking to establish pairwise key with its neighbors, including $A'$) as follows: $K_{BA'} = f(K_{A'}, B)$, and then the attacker will be able to inject erroneous packets into the network at will.

For the new added nodes, an alternative is proposed to establish secure pairwise key:

$$K_{AB} = f(K_B, A) \oplus f(K_A, B). \quad (5)$$

Since the pseudorandom function $f$ is efficient, such improvement could be accepted.

The advantage of above key establishing scheme is that there is no message exchanging between nodes $A$ and $B$ during the computing step, which extremely saves communication overhead.
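The basic-scheme derivations in (2) to (5), together with the effect of erasing $K_I$, as an added example that is not code from the paper. It assumes HMAC-SHA256 (truncated to 16 bytes) for the unspecified pseudorandom function $f$, takes the initiator's identifier from the broadcast frame, and uses constructed key and nonce values.

```python
import hashlib
import hmac


def f(key: bytes, data: bytes) -> bytes:
    """Key generation function f; HMAC-SHA256 truncated to 16 bytes (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC_K(m1 | m2), keyed with the authentication subkey K_0 = f(K, 0) of Section 3.1."""
    return hmac.new(f(key, b"\x00"), b"|".join(fields), hashlib.sha256).digest()


def xor_pairwise(k_a: bytes, id_a: bytes, k_b: bytes, id_b: bytes) -> bytes:
    """Eq. (5): K_AB = f(K_B, A) xor f(K_A, B). Symmetric in the two nodes."""
    return bytes(x ^ y for x, y in zip(f(k_b, id_a), f(k_a, id_b)))


class Node:
    def __init__(self, node_id: bytes, k_initial: bytes):
        self.id = node_id
        self.k_initial = k_initial                 # K_I, preloaded and erased later
        self.k_individual = f(k_initial, node_id)  # eq. (2): K_A = f(K_I, A)
        self.pairwise = {}

    def respond(self, nonce: bytes, initiator_id: bytes):
        """Neighbour B: answer Nonce_A with B, MAC_{K_B}(Nonce_A | B) as in (3),
        and derive K_AB = f(K_B, A) from its own key as in (4)."""
        self.pairwise[initiator_id] = f(self.k_individual, initiator_id)
        return self.id, mac(self.k_individual, nonce, self.id)

    def establish(self, nonce: bytes, peer_id: bytes, peer_mac: bytes) -> bytes:
        """Initiator A: rebuild K_B = f(K_I, B), check B's MAC, then apply (4)."""
        if self.k_initial is None:
            raise RuntimeError("K_I erased: neighbour keys can no longer be derived")
        k_peer = f(self.k_initial, peer_id)
        if not hmac.compare_digest(peer_mac, mac(k_peer, nonce, peer_id)):
            raise ValueError("neighbour failed authentication")
        self.pairwise[peer_id] = f(k_peer, self.id)
        return self.pairwise[peer_id]

    def erase_establishment_material(self):
        """Timer-driven erasure: K_I goes, the node's own individual key stays."""
        self.k_initial = None


if __name__ == "__main__":
    k_i = b"constructed-K_I!"                      # constructed sample value
    a, b = Node(b"A", k_i), Node(b"B", k_i)
    nonce = b"nonce-0001"
    peer_id, tag = b.respond(nonce, a.id)
    print("pairwise keys match:", a.establish(nonce, peer_id, tag) == b.pairwise[a.id])
    # Anyone still holding K_I can recompute every individual key, which is
    # why the erasure timer matters:
    print("K_B derivable from K_I:", f(k_i, b"B") == b.k_individual)
    a.erase_establishment_material()
    try:
        a.establish(nonce, peer_id, tag)
    except RuntimeError as exc:
        print("after erasure:", exc)
```
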

Note that there will be a situation that two nodes want to establish the pairwise key while one of them does not possess the master key $K_I$, such as one new added node and an older node which has finished all its pairwise key establishments and erased the master key $K_I$.

To deal with such situation, a scheme that asks for help from controller is simply presented as follows:

$$A \to B: \text{Nonce}_A, A,$$
$$B \to \text{Base station}: R_{K_{AB}}, A, B, \text{MAC}_{K_B}(R_{AB}, A, B),$$
$$\text{Base station} \to A: E_{K_A}(K_{AB}), \text{MAC}_{K_A}(B, E_{K_A}(K_{AB})),$$
$$\text{Base station} \to B: E_{K_B}(K_{AB}), \text{MAC}_{K_B}(A, E_{K_B}(K_{AB})). \quad (6)$$

Here, $A$ is a new node who calls for establishing pairwise key with its neighbor $B$. Here, $B$ is an older node that has generated all its own pairwise keys and erased the initial key $K_I$, which makes it unable to generate new pairwise key.

If $B$ wants to verify the identity of node $A$, the most credible way is asking for help of base station.

However, reducing the use of base station is an important goal here, and the improvement is worth further exploring.

4.2.3. Cluster Key Establishment. Cluster key is a key generated by an elected cluster head and shared with its neighbors, and it is mainly used for encrypting local broadcast packets. Its most significant advantage is that it enables the in-network processing, such as passive participation and data aggregation, which cannot be supported by the pairwise key but could save energy consumption efficiently.

This key establishing process is obvious as follows:

$$A \to B_i: E_{K_{AB_i}}(K^{C}_{A}). \quad (7)$$

Here, node $A$ is the elected cluster head and $B_i$ represents one of its immediate neighbors $B_1, B_2, \ldots, B_n$ ($1 \le i \le n$). Cluster head $A$ first generates a key $K^{C}_{A}$ randomly and encrypts it with its pairwise keys and then sends it to each neighbor $B_i$. Moreover, node $B_i$ decrypts the cluster key and then stores $K^{C}_{A}$ in a table.

When any neighbor of $A$ is revoked, which means there will be a risk to continue using the old cluster key, cluster head $A$ regenerates and transmits the $K^{C\prime}_{A}$ in the same way.

Cluster division and cluster head selection approaches are also worthy of discussion. But it is not an emphasis in this paper. A simple mesh division method is shown in Figure 3, based on virtual cluster idea.

4.2.4. Group Key Establishment. The group key $K_g$ is used for encrypting messages that need to be broadcasted to the whole group. Note that, different from above situations, the key point here is no longer about key establishment or encrypting schemes, because there is only one group key shared among the entire network; meanwhile, it does not make sense to encrypt a broadcast message using master key of each sensor node separately.

It is also because there is only one group key shared among sensor nodes that, once a compromised node is revoked, the rekeying and updating mechanism comes to be important.

Figure 3: Mesh division method (legend: cluster head, active node, base station).

μTESLA [22] is a widely employed protocol due to the high efficiency and perfect tolerance for packet loss. A one-way hash function $H$ is used here to help achieve the process. Firstly, the controller generates a random seed $k_m$ and uses the function $H$ to get a sequence of hash values $\{k_m, k_{m-1}, \ldots, k_j, \ldots, k_1\}$ that meets the restriction $\{k_j \mid 0 < j \le m,\ k_{j-1} = H(k_j)\}$.

Then preload this key chain $\{k_m, k_{m-1}, \ldots, k_j, \ldots, k_1\}$ in the base station and use delayed key disclosure to achieve message authentication. Let $A$ be the revoked node and $K'_g$ the new group key; the process is as follows:

$$\text{Base station} \to *: A, f(K'_g, 0), \text{MAC}_{k_j}(A \mid f(K'_g, 0)). \quad (8)$$

When the verification is done, all the nodes will remove related information of node $A$ and restore the group key $K'_g$ in the table.

Note that the initial group key $K_g$ is preloaded in all the sensor nodes before their deployment, like the initial key $K_I$, but we cannot take $K_I$ also as the group key because it will be erased in a very short time after the pairwise key establishment. The key used for deriving related keys must be protected separately from normal ones.

Figure 4 simply illustrates the authentication mechanism:

$$k_{j-1} = H(k_j). \quad (9)$$
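The one-way hash chain of Section 3.2 and the delayed-disclosure revocation broadcast of (8) and (9), as an added example that is not code from the paper or from μTESLA. It assumes SHA-256 for $H$, HMAC-SHA256 for $f$ and the MAC, a preloaded commitment $k_1$ on every node, and a hypothetical `MAX_GAP` bound on skipped intervals; all keys and identifiers are constructed.

```python
import hashlib
import hmac

MAX_GAP = 64  # hypothetical bound on skipped intervals, limits hashing work per disclosure


def H(x: bytes) -> bytes:
    """One-way hash function H; SHA-256 is an assumption."""
    return hashlib.sha256(x).digest()


def f(key: bytes, data: bytes) -> bytes:
    """Pseudorandom function f; HMAC-SHA256 truncated to 16 bytes (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def mac(key: bytes, *fields: bytes) -> bytes:
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()


def make_chain(seed: bytes, m: int) -> dict:
    """Return {j: k_j} with k_m = seed and k_{j-1} = H(k_j), as in eq. (9)."""
    chain = {m: seed}
    for j in range(m, 1, -1):
        chain[j - 1] = H(chain[j])
    return chain


def in_chain(k_i: bytes, i: int, k_1: bytes) -> bool:
    """Membership test from Section 3.2: k_1 == H^(i-1)(k_i)."""
    value = k_i
    for _ in range(i - 1):
        value = H(value)
    return hmac.compare_digest(value, k_1)


def revocation_packet(k_j: bytes, revoked_id: bytes, new_group_key: bytes):
    """Eq. (8): A, f(K'_g, 0), MAC_{k_j}(A | f(K'_g, 0))."""
    check = f(new_group_key, b"\x00")
    return revoked_id, check, mac(k_j, revoked_id, check)


class SensorNode:
    def __init__(self, commitment: bytes):
        self.last_key, self.last_index = commitment, 1   # authenticated k_1
        self.pending = {}          # interval j -> packets waiting for k_j
        self.revoked = set()
        self.group_key_check = None

    def receive(self, j: int, packet) -> bool:
        """Buffer a packet for interval j; refuse it if k_j is already public."""
        if j <= self.last_index:
            return False
        self.pending.setdefault(j, []).append(packet)
        return True

    def disclose(self, j: int, k_j: bytes) -> list:
        """Authenticate a disclosed key against the last trusted one, then
        check every buffered packet of the intervals it covers."""
        if j <= self.last_index or j - self.last_index > MAX_GAP:
            return []
        keys, value = {}, k_j
        for idx in range(j, self.last_index, -1):
            keys[idx] = value      # k_idx, recovered even if its disclosure was lost
            value = H(value)
        if not hmac.compare_digest(value, self.last_key):
            return []
        self.last_key, self.last_index = k_j, j
        accepted = []
        for idx in sorted(keys):
            for revoked_id, check, tag in self.pending.pop(idx, []):
                if hmac.compare_digest(tag, mac(keys[idx], revoked_id, check)):
                    self.revoked.add(revoked_id)
                    self.group_key_check = check
                    accepted.append(revoked_id)
        return accepted
```

A disclosure for interval 4 also authenticates packets buffered for interval 3, which is the packet-loss tolerance the text attributes to μTESLA.
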

Figure 4: Using the one-way hash function for source authentication (keys K1 to K5 and packets p1 to p6 along a time axis).

5. Enhanced Protocol

5.1. Requirements Analysis. The design of the basic scheme presented in the previous section is motivated by the observation that single keying mechanism is not suitable for meeting all the security requirements of different types of exchanged messages.

The advantage of this scheme is that the captured node does not threaten the safety of the other nodes in case the master key $K$ is absolutely safe in time interval $T_{\min}$.

During the time interval $T_{\min}$, all the nodes of the WSN will hold the general master key $K$, and we note that this scheme cannot provide confidentiality when a node is compromised in $T_{\min}$, because, by using the stolen information like the master key $K$, an attacker can easily derive the master keys of all the rest normal nodes that are deployed in the same time interval, as well as negotiating new pairwise key with normal nodes in any region, which means once a node is compromised in time interval $T_{\min}$, the security of the entire network is in extreme danger.

5.2. Enhanced Scheme. Based on the Diffie-Hellman algorithm above, the improved scheme is presented. Prior to deployment of the network, each node prestores the large prime number $p$ and its primitive root $a$ instead of the initial key $K_I$, which is derived from the master key $K$.

Note that the generation of individual key for node $A$ is still the same:

$$K_A = f(K_I, A). \quad (10)$$

Different from the basic scheme, this process is completed once the node is deployed; after that, the information of the initial key $K_I$ is deleted. Thus the attacker cannot get any information about the initial key $K_I$ or the master key $K$ even if the node is compromised during the working period.

Since the node no longer keeps initial key $K_I$, which is required to participate in relevant calculations (function) in the pairwise key generating process, the basic scheme cannot be achieved. For this situation, make the following improvements.

Give a key evolution function to each node. Take nodes $A$ and $B$ for example:

$$X_A = h(A \mid K_A) \bmod p,$$
$$X_B = h(B \mid K_B) \bmod p. \quad (11)$$

Then calculate the public message:

$$Y_A = a^{X_A} \bmod p,$$
$$Y_B = a^{X_B} \bmod p. \quad (12)$$


The pairwise key generation process is as follows:

$$A \to *: \text{Nonce}_A, Y_A,$$
$$B \to A: \text{MAC}_{K_{AB}}(B \mid Y_B), B, Y_B. \quad (13)$$

Here, node $A$ broadcasts a nonce to all its direct neighbors and asks to establish pairwise key and broadcasts the public message $Y_A$ at the same time. When its neighbor (take node $B$ for example) receives the message, it first verifies the legitimacy of $Y_A$ and then calculates the pairwise key using the following function:

$$K_{AB} = (Y_A)^{X_B} \bmod p. \quad (14)$$

After that, node $B$ sends messages $B$ and $Y_B$ back to the asking node $A$ and sends a message $\text{MAC}_{K_{AB}}(B \mid Y_B)$ to authenticate its identity. If node $B$ cannot respond to node $A$ in this way, it means node $B$ cannot get $K_{AB}$ only taking use of $Y_A$; then consider node $B$ as untrusted. In addition, node $A$ does not need to send authenticating message back to node $B$ anymore, because if it cannot prove its own identity (namely, it cannot get $K_{AB}$ only taking use of $Y_B$), it will fail to generate the pairwise key $K_{AB}$.

Compared with the basic protocol, the most obvious improvement of enhanced protocol is that it takes use of Diffie-Hellman algorithm to generate pairwise keys instead of storing the initial key $K_I$ in a certain period of time. Thus, even if a node is compromised in $T_{\min}$, the attacker can merely get the information of key related to the compromised node, which means only limited security threats can be caused, avoiding the disruption of the entire network caused by losing initial key $K_I$. Despite the slight increment in the computational overhead, the security of the WSN is greatly improved.
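The exchange in (10) to (14), built on the Diffie-Hellman steps of Section 3.2, as an added example that is not the authors' code. It assumes a toy 61-bit prime chosen so the primitive root can be checked at run time (far too small for deployment), SHA-256 for $h$, HMAC-SHA256 for $f$ and the MAC, and a range check standing in for the unspecified "legitimacy" test on $Y$; how a node ties a received $Y$ to the claimed identifier is not defined on the page and is not modelled here.

```python
import hashlib
import hmac
from itertools import count

# Toy group constructed for this demo: p = 2^61 - 1 is prime and
# p - 1 = 2 * 3^2 * 5^2 * 7 * 11 * 13 * 31 * 41 * 61 * 151 * 331 * 1321.
P = 2**61 - 1
PRIME_FACTORS = (2, 3, 5, 7, 11, 13, 31, 41, 61, 151, 331, 1321)


def is_primitive_root(a: int) -> bool:
    """a is a primitive root of p iff a^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(a, (P - 1) // q, P) != 1 for q in PRIME_FACTORS)


A_ROOT = next(a for a in count(2) if is_primitive_root(a))  # global parameter a


def f(key: bytes, data: bytes) -> bytes:
    """Pseudorandom function f; HMAC-SHA256 truncated to 16 bytes (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def mac(key: bytes, *fields: bytes) -> bytes:
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()


def encode(value: int) -> bytes:
    return value.to_bytes(8, "big")   # 8-byte keys, values are below 2^61


def valid_public(y) -> bool:
    """Range check used here as the legitimacy test (assumption): reject 0, 1, p-1 and >= p."""
    return isinstance(y, int) and 1 < y < P - 1


class Node:
    def __init__(self, node_id: bytes, k_initial: bytes):
        self.id = node_id
        self.k = f(k_initial, node_id)             # eq. (10); K_I itself is not stored
        digest = hashlib.sha256(node_id + b"|" + self.k).digest()
        self.x = int.from_bytes(digest, "big") % P  # eq. (11): X = h(ID | K_ID) mod p
        self.y = pow(A_ROOT, self.x, P)             # eq. (12): Y = a^X mod p
        self.pairwise = {}

    def _shared(self, peer_y: int) -> bytes:
        if not valid_public(peer_y):
            raise ValueError("public value outside 2..p-2")
        return encode(pow(peer_y, self.x, P))       # eq. (14)

    def hello(self, nonce: bytes):
        """A -> *: Nonce_A, Y_A."""
        return nonce, self.y

    def respond(self, nonce: bytes, y_a: int):
        """B -> A: MAC_{K_AB}(B | Y_B), B, Y_B. As in (13), the MAC does not cover Nonce_A."""
        k_ab = self._shared(y_a)
        self.pairwise[y_a] = k_ab                   # indexed by Y_A: message 1 carries no ID
        return mac(k_ab, self.id, encode(self.y)), self.id, self.y

    def finish(self, tag: bytes, peer_id: bytes, peer_y: int) -> bytes:
        """A recomputes K_AB from Y_B and accepts B only if the MAC verifies."""
        k_ab = self._shared(peer_y)
        if not hmac.compare_digest(tag, mac(k_ab, peer_id, encode(peer_y))):
            raise ValueError("responder does not hold the private value behind Y")
        self.pairwise[peer_id] = k_ab
        return k_ab


if __name__ == "__main__":
    k_i = b"constructed-K_I!"                       # constructed sample value
    a, b = Node(b"A", k_i), Node(b"B", k_i)
    nonce, y_a = a.hello(b"nonce-0001")
    tag, b_id, y_b = b.respond(nonce, y_a)
    print("primitive root a =", A_ROOT)
    print("keys match:", a.finish(tag, b_id, y_b) == b.pairwise[y_a])
```
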

6. Performance Evaluation

The ability of the protocol to fight against kinds of attacks is discussed in detail in above sections. This section analyzes the storage requirement and energy efficiency.

6.1. Storage Requirement. In the basic protocol, a node needs to store four types of keys. Considering a node with $m$ neighbors in the WSN, it needs to store one individual key, $m$ cluster keys, $m$ pairwise keys, and one group key. In the enhanced protocol, each node stores the same number of keys as the basic protocol.

When the key establishment is complete in a network having a scale of $N$, there is an upper limit of the number of keys to be stored in the nodes, including $N$ individual keys, $C(N, 2)$ pairwise keys, $N/2$ cluster keys, and $N$ group keys (though there is only one group key in a certain period), which add up to $(5/2)N + (N/2)(N-2) = (N^2 + 3N)/2$, and the average for each node is $5/2 + (N-1)/2(N-2) = N/2 + 2$.

Note that communication distance of sensor node is limited, so that it will not reach a high complexity that each two nodes are connected.

In addition, using an efficient clustering method can reduce the number of required cluster keys, and the real storage complexity is much smaller.

Although memory is a quite scarce resource for the current generation of nodes in WSNs, for a reasonable degree, storage is not an issue in our protocol. For example, 100 keys totally take 800 bytes when the key size is 8 bytes.

6.2. Communication Cost. In this paper, the average communication cost increases with the connection degree of a sensor network and decreases with the network size $N$. Efficient preloaded functions are widely used, which greatly reduces the message exchanges in key establishing phase so as to save communication cost. What's more, the use of located cluster key enables in-network data processing, which also helps achieve communication and energy efficiency.

It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.

6.3. Computational Cost. Functions used in the proposed protocols are all of high computational efficiency. For example, pseudorandom function $f$ is employed to be the key generation function, and the computational cost will be negligible when it is used in key establishment process. In the enhanced protocol, although computational cost is slightly increased by using Diffie-Hellman algorithm, we believe that the computational overhead is acceptable for a network of reasonable density in our protocols. For example, for a WSN of size $N = 1000$ and connection degree of 20, the average computational cost is 27 symmetric key operations per node per revocation, and a larger $N$ will reduce the cost further.

Overall, we conclude that the protocols proposed in this study are scalable and efficient enough in storage, communication, and computation.

7. Security Analysis

This section analyzes the security of the key management protocols. The survivability of the network is discussed for the case where undetected compromised nodes occur, and the robustness of the proposed schemes is studied in defending against various attacks.

7.1. Survivability. Once a sensor node $A$ is compromised, the adversary can launch attacks by utilizing the keying materials of node $A$. If the threat is detected somehow, the protocols can revoke node $A$ efficiently and update the information of nodes quickly throughout the whole network. Basically, each neighbor of the compromised node $A$ could delete its pairwise key shared with node $A$ as well as updating the cluster key. The group key could also be updated efficiently by making use of the μTESLA mechanism. When the revocation is completed, the adversary cannot launch further attacks.

However, security detection in WSNs is more difficult than in other systems, since sensor systems are often deployed in unattended environments. Thus, the survivability of the network is one of the most important security requirements when compromised nodes are not detected.

Firstly, because the individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.

Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which can be used by the attacker to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study, the attacker usually has to achieve such attacks by using the identity of the captured node.

Note that a salient feature of the proposed protocols is the ability to localize possible threats, because after the deployment of the network and the pairwise key establishing phase, every node keeps a list of trusted neighbor nodes. As a compromised node and its copy nodes cannot establish a trust relationship with any nodes except its neighbors, the attacker can only damage secure links within a limited range.

Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. The broadcast messages, by their nature, are intended to be received by all the nodes in the network. Thus, compromising any single node is enough to possess such a message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the μTESLA mechanism.

7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.

An inside attacker may attempt to alter and replay routing information to make routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.

In this paper, the schemes cannot protect the WSNs from such attacks; however, the schemes can hinder or minimize the consequences caused by such attacks.

First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.

Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching such attacks. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible, since the related sending node may overhear the forwarded messages altered by the captured node.

Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.

The proposed protocol can protect WSNs from the following attacks.

Sybil Attacks. In Sybil attacks, the attacker may replicate the captured node and deploy multiple replicas into the original network. With the help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen in the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.

HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network by increasing the transmission power high enough to convince all the nodes that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and some other packets in vain. However, it cannot succeed in the proposed protocols, because the attacker does not have a network-wide key for authentication.

It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages to the entire network from the base station.

7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.

In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in WSNs.

In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, so as to create a sinkhole. Moreover, nodes which are multiple hops away may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch the wormhole attack, such an attack is very powerful in practice [24].

In the proposed protocols, an outside attacker cannot succeed in launching a wormhole attack except in the neighbor discovery process, since a node will know all its neighbor nodes after the pairwise key is established, which means the attacker cannot convince two distant nodes that they are neighbors of each other.

Because the time of the neighbor discovery process is very short (usually a matter of seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors once the neighbor discovery phase is finished. The authenticated neighborhood information is critical in dealing with wormhole attacks.

In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station becomes smaller, node $B$ will be especially attractive to surrounding nodes. In practice, the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and then sensor nodes will know the approximate number of hops from the base station. Thus, it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.

7.4. Conclusion. This paper proposes a basic key management protocol based on an initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.

To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.

The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to the original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.

This paper presents a proposal for key establishment and achieves security mainly based on the combined application of four kinds of keys. This is a critical step, and how to use such keys to found a protection mechanism is a focus of our future research.

Notations

$N$: The number of nodes in the network
$A$, $B$: Two communicating nodes in the network (also represents the node identifier)
$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$
$H(K)$: One-way hash function to generate a chain of keys using the seed $K$
$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$
$K$: The master key only possessed by base station
$K_A$: Individual key of node $A$
$E_K(m)$: Encryption of message $m$ with a symmetric key $K$
$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$
$A \rightarrow B: M$: Node $A$ sends a message $M$ to node $B$
$A \rightarrow *: M$: Node $A$ sends a local broadcast message $M$ to all its neighbors
$h(m)$: Calculate hash value of message $m$

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “Wireless sensor networks: a survey,” Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.

[2] X. He, M. Niedermeier, and H. de Meer, “Dynamic key management in wireless sensor networks: a survey,” Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.

[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, “A unified security framework with three key management schemes for wireless sensor networks,” Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.

[4] C. Intanaonwiwat, R. Govindan, and D. Estrin, “Directed diffusion: a scalable and robust communication paradigm for sensor networks,” in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom ’00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.

[5] A. Manjeshwar and D. P. Agrawal, “TEEN: a routing protocol for enhanced efficiency in wireless sensor networks,” in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS ’01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.

[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, “SPINS: security protocols for sensor networks,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom ’01), pp. 189–199, Rome, Italy, July 2001.

[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.

[8] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.

[9] H. O. Sanli, S. Ozdemir, and H. Cam, “SRDA: secure reference-based data aggregation protocol for wireless sensor networks,” in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC ’04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.

[10] T. Dimitriou and I. Krontiris, “A localized, distributed protocol for secure information exchange in sensor networks,” in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS ’05), pp. 37–45, IEEE, April 2005.

[11] S. Zhu, S. Setia, and S. Jajodia, “LEAP: efficient security mechanisms for large-scale distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 62–72, ACM, New York, NY, USA, October 2003.

[12] J. Shen and L. Xu, “Cluster-based key pre-distribution scheme for wireless sensor networks,” Journal of Wuhan University: Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).

[13] X. Huang, M. Yang, and S.-S. Lv, “Secure and efficient key management protocol for wireless sensor network and simulation,” Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.

[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, “New algorithms for secure outsourcing of modular exponentiations,” in Computer Security—ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS ’12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[15] L.-C. Li, J.-H. Li, and J. Pan, “Self-healing group key management scheme with revocation capability for wireless sensor networks,” Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.

[16] Z. Ming, W. Suo-ping, and X. He, “Dynamic key management scheme for wireless sensor networks based on cluster,” Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.

[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, “Transitory initial key-based key management protocol in wireless sensor networks,” Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.

[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, “A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE802.16e wireless networks,” Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.

[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, “Fine-grained access control system based on outsourced attribute-based encryption,” in Computer Security—ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013. Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.

[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, “Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach,” in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP ’03), pp. 326–335, Atlanta, Ga, USA, November 2003.

[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 42–51, Washington, DC, USA, October 2003.

[22] D. Liu and P. Ning, “Multi-level μTESLA: broadcast authentication for distributed sensor networks,” ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.

[23] J. Li, Q. Wang, C. Wang, and K. Ren, “Enhancing attribute-based encryption with attribute hierarchy,” Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.

[24] Y. S. Lee, J. W. Park, and L. Barolli, “A localization algorithm based on AOA for ad-hoc sensor networks,” Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.


(ii) The sensor network is static (sensor nodes are not mobile) after deployment.

(iii) Sensor nodes have similar computational and communication capabilities.

(iv) Transmission power of nodes can be adjusted to control the propagation distance.

(v) The base station has enough energy supply and computing power.

(vi) The attacker has the ability to eavesdrop on all the channels as well as to replay former messages and inject malicious packets.

(vii) Once a node is captured, all the stored information will be obtained by the adversary.

(viii) Every node has enough space to store hundreds of bytes for key establishment materials.

(ix) Each node has some degree of ability to resist attack, and it will not be captured within a limited period of time.

4. Protocol Description

This section introduces the basic protocol in detail, including four kinds of secure key establishment mechanisms to satisfy various secure communication requirements and mechanisms for key erasure and update.

4.1. Overview. As discussed above, the single key mechanism cannot provide appropriate protection to all the required communication in the WSNs. Moreover, the security performance and resource consumption have to be balanced when making use of different kinds of keys.

The degree of key sharing in the security mechanism has to be taken into consideration. For example, if unique pairwise keys are used for every two nodes in the WSNs to guarantee secure communication, a node captured by an attacker will not reveal any security information of other normal nodes, which is ideal to prevent threats to the entire network. However, it requires significant communication bandwidth and energy resources, which is quite inefficient.

On the contrary, if only a network-wide key is used for authentication and encryption, no communication between nodes is required for the establishment of additional keys, and the storage costs and energy consumption can also be minimized. However, the security will be extremely poor. Once any node in the system is captured by an attacker, the whole network suffers an enormous risk.

4.2. Key Establishment. In this section, the establishment of four kinds of keys is discussed in detail, as well as their characteristics and abilities to resist attacks.

4.2.1. Individual Key Establishment. The individual key is a unique key of each sensor node that is shared with the controller (the base station), which is used for individual authentication and secure communication assurance [19].

For example, the individual key can be used to encrypt sensitive information, such as special instructions and rekeying commands exchanged between a sensor node and the base station. It can also be used for message authentication to get verification of the base station or other nodes.

Since every node in the network shares a unique individual key with the base station, it is neither practical nor efficient for the base station to store all these keys, especially when the network scale is very large. Thus, it is important to adopt a strategy to reduce the storage overhead, which can be achieved by the key generation function $f$.

First of all, it is argued that each node holds the key establishment function $f$ and an initial key $K_I$, which is derived from the master key $K$ that is only possessed by the controller; all of them are preloaded in the nodes before the key establishment phase. The generation of the individual key for node $A$ (here $A$ indicates the unique ID of node $A$) is as follows:

$$K_A = f(K_I, A). \tag{2}$$

In the above, the function $f$ for key establishment is a pseudorandom function, and it is efficient enough to be used on sensor nodes.

Once the individual key is generated, the related node stores it within its life cycle. Since the base station has full knowledge of the initial key $K_I$ and the efficient establishment function $f$, the storage overhead for the individual keys of each sensor node can be reduced.

4.2.2. Pairwise Key Establishment. The pairwise keys of a node are the keys shared with each of its direct neighbors, so the storage overhead of such keys for each node depends on the number of its neighbors [20, 21].

In this protocol, pairwise keys have many uses. For example, a cluster head can use them to encrypt the cluster key, which has to be transmitted to all of its neighbors, to achieve distribution security. They are also a component for improving system security.

However, it will impede passive participation, which is important in saving communication energy, if such a key mechanism is employed on its own. The initial pairwise key establishing process is shown in Figure 2.

The generation of pairwise keys for nodes $A$ and $B$ (here $A$ is assumed to be the node that calls for key establishment) is as follows:

$$\begin{aligned} A \rightarrow * &: \mathrm{Nonce}_A, \\ B \rightarrow A &: B, \mathrm{MAC}_{K_B}(\mathrm{Nonce}_A \mid B). \end{aligned} \tag{3}$$

Here node $A$ broadcasts a nonce to all of its direct neighbors to request establishing pairwise keys without authenticating its identity, because if it cannot provide its own identity (namely, it does not own the individual key), it will fail to generate the pairwise key in the following steps:

$$K_{AB} = f(K_B, A). \tag{4}$$

Since node $A$ possesses both the key establishment function $f$ and the initial key $K_I$, it can compute $K_B$ independently and then obtain the pairwise key $K_{AB}$ as well.

Figure 2: Pairwise key establishing phase.

Note that each node has a timer, which directs it to perform key erasure once it is sure that the pairwise key establishment is finished. This process is significant because all the nodes keep the network-wide initial key $K_I$ to help complete the establishment in the initial period, and once the relatively safe period has passed, there is a great risk that some nodes may be compromised.

So it is suggested that after a reasonable length of time the initial key $K_I$ and the neighbors' individual master keys stored in the node all be erased (but its own individual master key will always be held).

In this way, when almost all the pairwise keys are established successfully, no node will possess the necessary key-generating materials until there is a new group of nodes to be joined. The key erasure mechanism is so necessary that how to control the key erasing time is worth exploring, but it is not an emphasis of this paper.

In addition, it can also be seen from the above equation that, after the establishing time, namely, once the related key materials are erased, if node $A$ is compromised by an attacker and a node $A'$ broadcasts a nonce for establishing pairwise keys, it cannot succeed due to such an establishment mechanism.

But once the attacker uses $A'$ to take a passive joining strategy, the responding node $A'$ will generate the pairwise key with $B$ (here $B$ is one of a new batch of joining nodes that is asking to establish pairwise keys with its neighbors, including $A'$) as follows: $K_{BA'} = f(K_{A'}, B)$, and then the attacker will be able to inject erroneous packets into the network at will.

For the newly added nodes, an alternative is proposed to establish a secure pairwise key:

$$K_{AB} = f(K_B, A) \oplus f(K_A, B). \tag{5}$$

Since the pseudorandom function $f$ is efficient, such an improvement could be accepted.

The advantage of the above key establishing scheme is that there is no message exchange between nodes $A$ and $B$ during the computing step, which greatly saves communication overhead.
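The exchange in (2) to (5) as a runnable sketch, added here as an illustration and not taken from the paper. It assumes HMAC-SHA256 truncated to 16 bytes for both $f$ and the MAC, one-byte node IDs, and that a responder learns the requester's ID from the frame's source address; the `Node` class and all function names are hypothetical.

```python
import hashlib
import hmac
import os

KEY_LEN = 16  # assumption: 128-bit keys; the paper does not fix a size here


def f(key: bytes, data: bytes) -> bytes:
    """Key generation PRF f(K, x). HMAC-SHA256 is an assumed instantiation."""
    return hmac.new(key, b"kdf|" + data, hashlib.sha256).digest()[:KEY_LEN]


def mac(key: bytes, msg: bytes) -> bytes:
    """MAC_K(m), domain-separated from f so one key can serve both roles."""
    return hmac.new(key, b"mac|" + msg, hashlib.sha256).digest()[:KEY_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Node:
    def __init__(self, node_id: bytes, k_init: bytes):
        self.id = node_id
        self.k_init = k_init                # K_I, preloaded before deployment
        self.k_self = f(k_init, node_id)    # eq. (2): K_A = f(K_I, A)
        self.pairwise = {}                  # trusted-neighbour list: id -> K_AB
        self.nonce = None

    def hello(self) -> bytes:
        """A -> *: Nonce_A, the first message of (3)."""
        self.nonce = os.urandom(8)
        return self.nonce

    def respond(self, requester_id: bytes, nonce: bytes):
        """B -> A: B, MAC_{K_B}(Nonce_A | B). B needs only its own K_B."""
        self.pairwise[requester_id] = f(self.k_self, requester_id)  # eq. (4)
        return self.id, mac(self.k_self, nonce + self.id)

    def accept(self, responder_id: bytes, tag: bytes) -> bool:
        """A recomputes K_B from K_I, checks the MAC, then derives K_AB."""
        if self.k_init is None:
            raise RuntimeError("K_I erased: cannot start pairwise establishment")
        k_b = f(self.k_init, responder_id)
        if not hmac.compare_digest(tag, mac(k_b, self.nonce + responder_id)):
            return False                    # responder does not hold K_B
        self.pairwise[responder_id] = f(k_b, self.id)               # eq. (4)
        return True

    def erase_initial_key(self) -> None:
        """Timer expiry: drop K_I (a real node must overwrite the memory)."""
        self.k_init = None


def pairwise_eq5(k_a: bytes, id_a: bytes, k_b: bytes, id_b: bytes) -> bytes:
    """Eq. (5): K_AB = f(K_B, A) xor f(K_A, B); needs both individual keys."""
    return xor(f(k_b, id_a), f(k_a, id_b))


def demo() -> dict:
    k_init = bytes(range(16))               # constructed sample K_I
    a, b = Node(b"A", k_init), Node(b"B", k_init)
    nonce = a.hello()
    resp_id, tag = b.respond(a.id, nonce)
    established = a.accept(resp_id, tag)
    forged = a.accept(b"B", bytes(KEY_LEN))  # wrong MAC must be rejected
    a.erase_initial_key()
    try:
        a.hello()
        a.accept(resp_id, tag)
        blocked = False
    except RuntimeError:
        blocked = True
    return {
        "established": established,
        "agree": a.pairwise[b"B"] == b.pairwise[b"A"],
        "forged_rejected": not forged,
        "initiate_after_erase_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

A node that holds only its own individual key can still compute the responder side of (4), while `pairwise_eq5` needs both $K_A$ and $K_B$, which is the property (5) relies on.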

Note that there will be a situation in which two nodes want to establish the pairwise key while one of them does not possess the master key $K_I$, such as one newly added node and an older node which has finished all its pairwise key establishments and erased the master key $K_I$.

To deal with such a situation, a scheme that asks for help from the controller is simply presented as follows:

$$\begin{aligned}
A \rightarrow B &: \mathrm{Nonce}_A, A, \\
B \rightarrow \text{Base station} &: R_{K_{AB}}, A, B, \mathrm{MAC}_{K_B}(R_{AB}, A, B), \\
\text{Base station} \rightarrow A &: E_{K_A}(K_{AB}), \mathrm{MAC}_{K_A}(B, E_{K_A}(K_{AB})), \\
\text{Base station} \rightarrow B &: E_{K_B}(K_{AB}), \mathrm{MAC}_{K_B}(A, E_{K_B}(K_{AB})).
\end{aligned} \tag{6}$$

Here $A$ is a new node that calls for establishing a pairwise key with its neighbor $B$. Here $B$ is an older node that has generated all its own pairwise keys and erased the initial key $K_I$, which makes it unable to generate a new pairwise key.

If $B$ wants to verify the identity of node $A$, the most credible way is asking for the help of the base station.

However, reducing the use of the base station is an important goal here, and the improvement is worth further exploring.

4.2.3. Cluster Key Establishment. The cluster key is a key generated by an elected cluster head and shared with its neighbors, and it is mainly used for encrypting local broadcast packets. Its most significant advantage is that it enables in-network processing, such as passive participation and data aggregation, which cannot be supported by the pairwise key but could save energy consumption efficiently.

This key establishing process is straightforward:

$$A \rightarrow B_i : E_{K_{AB_i}}(K_A^C). \tag{7}$$

Here node $A$ is the elected cluster head and $B_i$ represents one of its immediate neighbors $B_1, B_2, \ldots, B_n$ ($1 \le i \le n$). Cluster head $A$ first generates a key $K_A^C$ randomly, encrypts it with its pairwise keys, and then sends it to each neighbor $B_i$. Moreover, node $B_i$ decrypts the cluster key and then stores $K_A^C$ in a table.

When any neighbor of $A$ is revoked, which means there will be a risk in continuing to use the old cluster key, cluster head $A$ regenerates and transmits the $K_A^{C\prime}$ in the same way.

Cluster division and cluster head selection approaches are also worthy of discussion, but they are not an emphasis of this paper. A simple mesh division method is shown in Figure 3, based on the virtual cluster idea.

4.2.4. Group Key Establishment. The group key $K_g$ is used for encrypting messages that need to be broadcast to the whole group. Note that, different from the above situations, the key point here is no longer about key establishment or encrypting schemes, because there is only one group key shared among the entire network; meanwhile, it does not make sense to encrypt a broadcast message using the master key of each sensor node separately.

It is also because there is only one group key shared among sensor nodes that, once a compromised node is revoked, the rekeying and updating mechanism becomes important.

Figure 3: Mesh division method (legend: cluster head, active node, base station).

μTESLA [22] is a widely employed protocol due to its high efficiency and perfect tolerance for packet loss. A one-way hash function $H$ is used here to help achieve the process. Firstly, the controller generates a random seed $k_m$ and uses the function $H$ to get a sequence of hash values $\{k_m, k_{m-1}, \ldots, k_j, \ldots, k_1\}$ that meets the restriction $\{k_j \mid 0 < j \le m,\ k_{j-1} = H(k_j)\}$.

Then this key chain $\{k_m, k_{m-1}, \ldots, k_j, \ldots, k_1\}$ is preloaded in the base station, and delayed key disclosure is used to achieve message authentication. Let $A$ be the revoked node and $K'_g$ the new group key; the process is as follows:

$$\text{Base station} \rightarrow * : A, f(K'_g, 0), \mathrm{MAC}_{k_j}(A \mid f(K'_g, 0)). \tag{8}$$

When the verification is done, all the nodes will remove the related information of node $A$ and store the group key $K'_g$ in the table.

Note that the initial group key $K_g$ is preloaded in all the sensor nodes before their deployment, like the initial key $K_I$, but we cannot take $K_I$ also as the group key, because it will be erased a very short time after the pairwise key establishment. The key used for deriving related keys must be protected separately from normal ones.

Figure 4 simply illustrates the authentication mechanism:

$$k_{j-1} = H(k_j). \tag{9}$$
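An added example (not the authors' code) of the delayed-disclosure check behind (8) and (9): a node buffers the revocation broadcast, authenticates the disclosed chain key by hashing back to the last key it trusts, and only then accepts the message. It assumes truncated SHA-256 for $H$, HMAC-SHA256 for $f$ and the MAC, a commitment $k_0 = H(k_1)$ preloaded in each node, and interval indices standing in for μTESLA's loose time synchronization; all names are hypothetical.

```python
import hashlib
import hmac


def H(k: bytes) -> bytes:
    """One-way function for the key chain (assumed: SHA-256 cut to 16 bytes)."""
    return hashlib.sha256(b"chain|" + k).digest()[:16]


def f(key: bytes, data: bytes) -> bytes:
    """PRF f(K, x) (assumed instantiation: HMAC-SHA256)."""
    return hmac.new(key, b"kdf|" + data, hashlib.sha256).digest()[:16]


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, b"mac|" + msg, hashlib.sha256).digest()[:16]


def make_chain(seed: bytes, m: int) -> list:
    """Return [k_0, ..., k_m] with k_m = seed and k_{j-1} = H(k_j), eq. (9)."""
    chain = [seed]
    for _ in range(m):
        chain.append(H(chain[-1]))
    return chain[::-1]


def revocation_message(k_j: bytes, revoked_id: bytes, new_group_key: bytes):
    """Eq. (8): A, f(K'_g, 0), MAC_{k_j}(A | f(K'_g, 0))."""
    check = f(new_group_key, b"\x00")
    return revoked_id, check, mac(k_j, revoked_id + check)


class Receiver:
    def __init__(self, commitment: bytes):
        self.key, self.index = commitment, 0   # last authenticated chain key
        self.buffer = {}                       # interval j -> [(A, check, tag)]

    def on_broadcast(self, j: int, msg) -> bool:
        """Buffer a message for interval j; refuse it if k_j is already public."""
        if j <= self.index:
            return False
        self.buffer.setdefault(j, []).append(msg)
        return True

    def on_disclosure(self, j: int, k_j: bytes) -> list:
        """Authenticate k_j against the chain, then release valid messages."""
        if j <= self.index:
            return []
        keys, k = {}, k_j
        for i in range(j, self.index, -1):     # recover k_j ... k_{index+1}
            keys[i] = k
            k = H(k)
        if not hmac.compare_digest(k, self.key):
            return []                          # not on the chain: ignore it
        self.key, self.index = k_j, j
        released = []
        for i in sorted(keys):                 # covers lost disclosures too
            for a, check, tag in self.buffer.pop(i, []):
                if hmac.compare_digest(tag, mac(keys[i], a + check)):
                    released.append((a, check))
        return released


def demo() -> dict:
    chain = make_chain(b"constructed-seed", 5)   # sample seed, not a real key
    node = Receiver(chain[0])
    new_kg = b"new-group-key-01"                 # constructed sample K'_g
    genuine = revocation_message(chain[2], b"A", new_kg)
    forged = (b"B", f(b"attacker-key", b"\x00"), bytes(16))
    buffered = node.on_broadcast(2, genuine) and node.on_broadcast(2, forged)
    bogus = node.on_disclosure(3, bytes(16))     # key that is not on the chain
    released = node.on_disclosure(2, chain[2])   # disclosure of k_1 was lost
    late = node.on_broadcast(2, revocation_message(chain[2], b"C", new_kg))
    return {"buffered": buffered, "bogus_key": bogus,
            "released": released, "late_accepted": late}


if __name__ == "__main__":
    print(demo())
```

The last case in `demo` is why the ordering matters: once $k_j$ is public, anyone can compute a valid MAC under it, so a message for interval $j$ that arrives after the disclosure has to be dropped.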

5. Enhanced Protocol

5.1. Requirements Analysis. The design of the basic scheme presented in the previous section is motivated by the observation that a single keying mechanism is not suitable for meeting all the security requirements of different types of exchanged messages.

Figure 4: Using the one-way hash function for source authentication (keys K1 to K5 and packets p1 to p6 along a time axis).

The advantage of this scheme is that a captured node does not threaten the safety of the other nodes, provided the master key $K$ is absolutely safe in the time interval $T_{\min}$.

During the time interval $T_{\min}$, all the nodes of the WSN hold the general master key $K$, and we note that this scheme cannot provide confidentiality when a node is compromised in $T_{\min}$. By using stolen information such as the master key $K$, an attacker can easily derive the master keys of all the other normal nodes that are deployed in the same time interval, as well as negotiate new pairwise keys with normal nodes in any region. This means that once a node is compromised in the time interval $T_{\min}$, the security of the entire network is in extreme danger.

5.2. Enhanced Scheme. The improved scheme is based on the Diffie-Hellman algorithm described above. Prior to deployment of the network, each node prestores the large prime number $p$ and its primitive root $a$ instead of the initial key $K_I$, which is derived from the master key $K$.

Note that the generation of the individual key for node $A$ is still the same:

$$K_A = f(K_I, A) \tag{10}$$

Different from the basic scheme, this process is completed once the node is deployed; after that, the information of the initial key $K_I$ is deleted. Thus the attacker cannot get any information about the initial key $K_I$ or the master key $K$, even if the node is compromised during the working period.

Since the node no longer keeps the initial key $K_I$, which is required to participate in relevant calculations (function) in the pairwise key generating process, the basic scheme cannot be achieved. For this situation, make the following improvements.

Give each node a key evolution function. Take nodes $A$ and $B$ as examples:

$$X_A = h(A \mid K_A) \bmod p, \qquad X_B = h(B \mid K_B) \bmod p \tag{11}$$

Then calculate the public message:

$$Y_A = a^{X_A} \bmod p, \qquad Y_B = a^{X_B} \bmod p \tag{12}$$


The pairwise key generation process is as follows:

$$\begin{aligned} A \rightarrow *&:\ \mathrm{Nonce}_A,\ Y_A \\ B \rightarrow A&:\ \mathrm{MAC}_{K_{AB}}(B \mid Y_B),\ B,\ Y_B \end{aligned} \tag{13}$$

Here node $A$ broadcasts a nonce to all its direct neighbors, asking to establish pairwise keys, and broadcasts the public message $Y_A$ at the same time. When its neighbor (take node $B$ for example) receives the message, it first verifies the legitimacy of $Y_A$ and then calculates the pairwise key using the following function:

$$K_{AB} = (Y_A)^{X_B} \bmod p \tag{14}$$

After that, node $B$ sends the messages $B$ and $Y_B$ back to the asking node $A$ and sends a message $\mathrm{MAC}_{K_{AB}}(B \mid Y_B)$ to authenticate its identity. If node $B$ cannot respond to node $A$ in this way, it means that node $B$ cannot get $K_{AB}$ using only $Y_A$, and node $B$ is then considered untrusted. In addition, node $A$ does not need to send an authenticating message back to node $B$, because if it cannot prove its own identity (namely, it cannot get $K_{AB}$ using only $Y_B$), it will fail to generate the pairwise key $K_{AB}$.

Compared with the basic protocol, the most obvious improvement of the enhanced protocol is that it uses the Diffie-Hellman algorithm to generate pairwise keys instead of storing the initial key $K_I$ for a certain period of time. Thus, even if a node is compromised in $T_{\min}$, the attacker can merely get the key information related to the compromised node, which means that only limited security threats can be caused, avoiding the disruption of the entire network caused by losing the initial key $K_I$. Despite the slight increase in computational overhead, the security of the WSN is greatly improved.
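The exchange in (10) to (14) with both sides' messages, as an added Python example rather than the authors' code. The parameters `P` and `BASE`, SHA-256 for $h$, HMAC-SHA256 for $f$ and the MAC, the link-layer `sender_id`, and the range check standing in for the unspecified legitimacy check on $Y_A$ are assumptions.

```python
import hashlib
import hmac

# Constructed demo parameters (assumptions): P is the Mersenne prime 2^521 - 1 and
# BASE stands in for the primitive root a. A deployment needs a vetted DH group.
P = 2**521 - 1
BASE = 3
P_BYTES = (P.bit_length() + 7) // 8


def h(data: bytes) -> int:
    """Hash h(m) as an integer (assumed: SHA-256)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def f(key: bytes, node_id: bytes) -> bytes:
    """Pseudorandom function f(K, A) (assumed: HMAC-SHA256)."""
    return hmac.new(key, node_id, hashlib.sha256).digest()


def encode(value: int) -> bytes:
    return value.to_bytes(P_BYTES, "big")


def mac(k_ab: int, msg: bytes) -> bytes:
    return hmac.new(encode(k_ab), msg, hashlib.sha256).digest()


def valid_public(y: int) -> bool:
    """Assumed legitimacy check: reject out-of-range and degenerate public values."""
    return isinstance(y, int) and 1 < y < P - 1


class Node:
    def __init__(self, node_id: bytes, initial_key: bytes):
        self.node_id = node_id
        self.individual_key = f(initial_key, node_id)               # (10)
        self.x = h(node_id + b"|" + self.individual_key) % P        # (11)
        self.y = pow(BASE, self.x, P)                               # (12)
        self.pairwise = {}
        # initial_key is deliberately not stored: K_I is erased after deployment.

    def hello(self, nonce: bytes):
        """A -> *: Nonce_A, Y_A, first line of (13)."""
        return (nonce, self.y)

    def respond(self, sender_id: bytes, hello_msg):
        """B's side: compute K_AB by (14), answer with MAC_{K_AB}(B | Y_B), B, Y_B."""
        _nonce, y_a = hello_msg   # the reply in (13) does not echo the nonce
        if not valid_public(y_a):
            return None
        k_ab = pow(y_a, self.x, P)
        self.pairwise[sender_id] = k_ab
        return (mac(k_ab, self.node_id + b"|" + encode(self.y)), self.node_id, self.y)

    def finish(self, reply) -> bool:
        """A's side: derive K_AB from Y_B and trust B only if the MAC verifies."""
        tag, b_id, y_b = reply
        if not valid_public(y_b):
            return False
        k_ab = pow(y_b, self.x, P)
        if not hmac.compare_digest(tag, mac(k_ab, b_id + b"|" + encode(y_b))):
            return False
        self.pairwise[b_id] = k_ab
        return True
```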

6. Performance Evaluation

The ability of the protocol to resist various kinds of attacks is discussed in detail in the sections above. This section analyzes the storage requirement and energy efficiency.

6.1. Storage Requirement. In the basic protocol, a node needs to store four types of keys. Considering a node with $m$ neighbors in the WSN, it needs to store one individual key, $m$ cluster keys, $m$ pairwise keys, and one group key. In the enhanced protocol, each node stores the same number of keys as in the basic protocol.

When the key establishment is complete in a network of scale $N$, there is an upper limit on the number of keys to be stored in the nodes, including $N$ individual keys, $C(N, 2)$ pairwise keys, $N/2$ cluster keys, and $N$ group keys (though there is only one group key in a certain period), which add up to $((5/2)N + (N/2)(N - 2)) = (N^2 + 3N)/2$, and the average for each node is $(5/2 + (N - 1)/2(N - 2) = N/2 + 2)$.

Note that the communication distance of a sensor node is limited, so the network will not reach the high complexity in which every two nodes are connected.

In addition, using an efficient clustering method can reduce the number of required cluster keys, and the real storage complexity is much smaller.

Although memory is quite a scarce resource for the current generation of nodes in WSNs, to a reasonable degree storage is not an issue in our protocol. For example, 100 keys take 800 bytes in total when the key size is 8 bytes.

6.2. Communication Cost. In this paper, the average communication cost increases with the connection degree of a sensor network and decreases with the network size $N$. Efficient preloaded functions are widely used, which greatly reduces the message exchanges in the key establishing phase and so saves communication cost. What is more, the use of the local cluster key enables in-network data processing, which also helps achieve communication and energy efficiency.

It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.

6.3. Computational Cost. The functions used in the proposed protocols are all of high computational efficiency. For example, the pseudorandom function $f$ is employed as the key generation function, and its computational cost is negligible when it is used in the key establishment process. In the enhanced protocol, although the computational cost is slightly increased by using the Diffie-Hellman algorithm, we believe that the computational overhead is acceptable for a network of reasonable density. For example, for a WSN of size $N = 1000$ and connection degree of 20, the average computational cost is 27 symmetric key operations per node per revocation, and a larger $N$ will reduce the cost further.

Overall, we conclude that the protocols proposed in this study are scalable and efficient enough in storage, communication, and computation.

7. Security Analysis

This section analyzes the security of the key management protocols. The survivability of the network is discussed when undetected compromised nodes occur, and the robustness of the proposed schemes is studied in defending against various attacks.

7.1. Survivability. Once a sensor node $A$ is compromised, the adversary can launch attacks by utilizing the keying materials of node $A$. If the threat is detected somehow, the protocols can revoke node $A$ efficiently and update the information of nodes quickly throughout the whole network. Basically, each neighbor of the compromised node $A$ can delete its pairwise key shared with node $A$ as well as update the cluster key. The group key can also be updated efficiently by using the μTESLA mechanism. When the revocation is completed, the adversary cannot launch further attacks.

However, security detection in WSNs is more difficult than in other systems, since sensor systems are often deployed in unattended environments. Thus the survivability of the network is one of the most important security requirements when compromised nodes are not detected.

Firstly, because the individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.

Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which can be used by the attacker to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study, the attacker usually has to achieve such attacks by using the identity of the captured node.

Note that a salient feature of the proposed protocols is the ability to localize possible threats. After the deployment of the network and the pairwise key establishing phase, every node keeps a list of trusted neighbor nodes. As a compromised node and its copies cannot establish a trust relationship with nodes other than its neighbors, the attacker can only damage secure links within a limited range.

Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. Broadcast messages are by their nature intended to be received by all the nodes in the network. Thus compromising any single node is enough to possess such a message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the μTESLA mechanism.

7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.

An inside attacker may attempt to alter and replay routing information to make routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.

The schemes in this paper cannot protect WSNs from such attacks; however, they can hinder or minimize the consequences caused by such attacks.

First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.

Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching them. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible, since the related sending node may overhear the forwarded messages altered by the captured node.

Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.

The proposed protocol can protect WSNs from the following attacks.

Sybil Attacks. In Sybil attacks, the attacker may replicate the captured node and deploy multiple replicas into the original network. With the help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen in the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.

HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network by increasing the transmission power enough to convince all the nodes that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and some other packets in vain. However, it cannot succeed in the proposed protocols, because the attacker does not have a network-wide key for authentication.

It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages to the entire network from the base station.

7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.

In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in WSNs.

In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, creating a sinkhole. Moreover, nodes which are multiple hops apart may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch a wormhole attack, such an attack is very powerful in practice [24].

In the proposed protocols, an outside attacker cannot succeed in launching a wormhole attack except in the neighbor discovery process, since a node knows all its neighbor nodes after the pairwise key is established, which means the attacker cannot convince two distant nodes that they are neighbors of each other.

Because the neighbor discovery process is very short (usually seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors once the neighbor discovery phase is finished. The authenticated neighborhood information is critical in dealing with wormhole attacks.

In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station becomes smaller, node $B$ will be especially attractive to surrounding nodes. In practice, the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and sensor nodes will then know the approximate number of hops from the base station. Thus it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.

7.4. Conclusion. This paper proposes a basic key management protocol based on an initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.

To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.

The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to the original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.

This paper presents a proposal for key establishment and achieves security mainly based on the combined application of four kinds of keys. This is a critical step, and how to use such keys to build a protection mechanism is a focus of our future research.

Notations

$N$: The number of nodes in the network
$A, B$: Two communicating nodes in the network (also represents the node identifier)
$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$
$H(K)$: One-way hash function to generate a chain of keys using the seed $K$
$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$
$K$: The master key only possessed by base station
$K_A$: Individual key of node $A$
$E_K(m)$: Encryption of message $m$ with a symmetric key $K$
$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$
$A \rightarrow B: M$: Node $A$ sends a message $M$ to node $B$
$A \rightarrow *: M$: Node $A$ sends a local broadcast message $M$ to all its neighbors
$h(m)$: Calculate hash value of message $m$

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “Wireless sensor networks: a survey,” Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.

[2] X. He, M. Niedermeier, and H. de Meer, “Dynamic key management in wireless sensor networks: a survey,” Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.

[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, “A unified security framework with three key management schemes for wireless sensor networks,” Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.

[4] C. Intanaonwiwat, R. Govindan, and D. Estrin, “Directed diffusion: a scalable and robust communication paradigm for sensor networks,” in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom ’00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.

[5] A. Manjeshwar and D. P. Agrawal, “TEEN: a routing protocol for enhanced efficiency in wireless sensor networks,” in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS ’01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.

[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, “SPINS: security protocols for sensor networks,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom ’01), pp. 189–199, Rome, Italy, July 2001.

[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.

[8] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.

[9] H. O. Sanli, S. Ozdemir, and H. Cam, “SRDA: secure reference-based data aggregation protocol for wireless sensor networks,” in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC ’04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.

[10] T. Dimitriou and I. Krontiris, “A localized, distributed protocol for secure information exchange in sensor networks,” in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS ’05), pp. 37–45, IEEE, April 2005.

[11] S. Zhu, S. Setia, and S. Jajodia, “LEAP: efficient security mechanisms for large-scale distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 62–72, ACM, New York, NY, USA, October 2003.

[12] J. Shen and L. Xu, “Cluster-based key pre-distribution scheme for wireless sensor networks,” Journal of Wuhan University Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).

[13] X. Huang, M. Yang, and S.-S. Lv, “Secure and efficient key management protocol for wireless sensor network and simulation,” Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.

[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, “New algorithms for secure outsourcing of modular exponentiations,” in Computer Security—ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS ’12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[15] L.-C. Li, J.-H. Li, and J. Pan, “Self-healing group key management scheme with revocation capability for wireless sensor networks,” Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.

[16] Z. Ming, W. Suo-ping, and X. He, “Dynamic key management scheme for wireless sensor networks based on cluster,” Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.

[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, “Transitory initial key-based key management protocol in wireless sensor networks,” Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.

[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, “A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE 802.16e wireless networks,” Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.

[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, “Fine-grained access control system based on outsourced attribute-based encryption,” in Computer Security—ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013, Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.

[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, “Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach,” in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP ’03), pp. 326–335, Atlanta, Ga, USA, November 2003.

[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 42–51, Washington, DC, USA, October 2003.

[22] D. Liu and P. Ning, “Multi-level μTESLA: broadcast authentication for distributed sensor networks,” ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.

[23] J. Li, Q. Wang, C. Wang, and K. Ren, “Enhancing attribute-based encryption with attribute hierarchy,” Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.

[24] Y. S. Lee, J. W. Park, and L. Barolli, “A localization algorithm based on AOA for ad-hoc sensor networks,” Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.


Figure 2: Pairwise key establishing phase.

Note that each node has a timer which directs it to perform key erasure when it is sure that the pairwise key establishment is finished. This process is significant because all the nodes keep the network-wide initial key $K_I$ to help complete the establishments in the initial period, and once the relatively safe period passes, there is a great risk that some nodes may be compromised.

So it is suggested that, after a reasonable length of time, the initial key $K_I$ and the neighbors' individual master keys stored in the node all be erased (but its own individual master key will always be held).

In this way, when almost all the pairwise keys are established successfully, no nodes will possess the necessary key generating materials until there is a new group of nodes to be joined. The key erasure mechanism is so necessary that how to control the key erasing time is worth exploring, but it is not an emphasis in this paper.

In addition, it can also be seen from the above equation that after the establishing time, namely, once related key materials are erased, if node $A$ is compromised by an attacker and $A'$ broadcasts a nonce for establishing pairwise keys, it cannot succeed due to this establishment mechanism.

But once the attacker uses $A'$ to take a passive joining strategy, the responding node $A'$ will generate the pairwise key with $B$ (here $B$ is one of a new batch of joining nodes that is asking to establish pairwise keys with its neighbors, including $A'$) as follows: $K_{BA'} = f(K_{(A')}, B)$, and then the attacker will be able to inject erroneous packets into the network at will.

For newly added nodes, an alternative is proposed to establish a secure pairwise key:

$$K_{AB} = f(K_B, A) \oplus f(K_A, B) \tag{5}$$

Since the pseudorandom function $f$ is efficient, such an improvement is acceptable.

The advantage of the above key establishing scheme is that there is no message exchange between nodes $A$ and $B$ during the computing step, which greatly reduces communication overhead.

Note that there will be situations in which two nodes want to establish a pairwise key while one of them does not possess the master key $K_I$, such as a newly added node and an older node which has finished all its pairwise key establishments and erased the master key $K_I$.

To deal with such a situation, a scheme that asks for help from the controller is briefly presented as follows:

$$\begin{aligned} A \rightarrow B&:\ \mathrm{Nonce}_A,\ A \\ B \rightarrow \text{Base station}&:\ R_{K_{AB}},\ A,\ B,\ \mathrm{MAC}_{K_B}(R_{AB}, A, B) \\ \text{Base station} \rightarrow A&:\ E_{K_A}(K_{AB}),\ \mathrm{MAC}_{K_A}(B, E_{K_A}(K_{AB})) \\ \text{Base station} \rightarrow B&:\ E_{K_B}(K_{AB}),\ \mathrm{MAC}_{K_B}(A, E_{K_B}(K_{AB})) \end{aligned} \tag{6}$$

Here $A$ is a new node which calls for establishing a pairwise key with its neighbor $B$. Here $B$ is an older node that has generated all its own pairwise keys and erased the initial key $K_I$, which makes it unable to generate a new pairwise key.

If $B$ wants to verify the identity of node $A$, the most credible way is asking for help from the base station.

However, reducing the use of the base station is an important goal here, and the improvement is worth further exploring.

4.2.3. Cluster Key Establishment. A cluster key is a key generated by an elected cluster head and shared with its neighbors, and it is mainly used for encrypting local broadcast packets. Its most significant advantage is that it enables in-network processing, such as passive participation and data aggregation, which cannot be supported by the pairwise key but can save energy efficiently.

The key establishing process is straightforward:

$$A \rightarrow B_i:\ E_{K_{AB_i}}(K^C_A) \tag{7}$$

Here node $A$ is the elected cluster head and $B_i$ represents one of its immediate neighbors $B_1, B_2, \ldots, B_n$ ($1 \le i \le n$). Cluster head $A$ first generates a key $K^C_A$ randomly, encrypts it with its pairwise keys, and then sends it to each neighbor $B_i$. Node $B_i$ then decrypts the cluster key and stores $K^C_A$ in a table.

When any neighbor of $A$ is revoked, which means that continuing to use the old cluster key carries a risk, cluster head $A$ regenerates and transmits $K^{C\prime}_A$ in the same way.

Cluster division and cluster head selection approaches are also worthy of discussion, but they are not an emphasis in this paper. A simple mesh division method, based on the virtual cluster idea, is shown in Figure 3.

4.2.4. Group Key Establishment. The group key $K_g$ is used for encrypting messages that need to be broadcast to the whole group. Note that, different from the above situations, the key point here is no longer about key establishment or encrypting schemes, because there is only one group key shared among the entire network; meanwhile, it does not make sense to encrypt a broadcast message using the master key of each sensor node separately.

It is also because there is only one group key shared among sensor nodes that, once a compromised node is revoked, the rekeying and updating mechanism becomes important.

120583TESLA [22] is a widely employed protocol due to thehigh efficiency and perfect tolerance for packet loss A one-way hash function119867 is used here to help achieve the processFirstly the controller generates a random seed 119896

119898and uses

the function119867 to get a sequence of the following hash values119896119898 119896119898minus1

119896119895 119896

1 that meets the restriction 119896

119895| 0 lt

119895 le 119898 119896119895minus1

= 119867(119896119895)

Then preload this key chain 119896119898 119896119898minus1

119896119895 119896

1 in

the base station and use delayed key disclosure to achievemessage authentication Let 119860 be the revoked node and 1198701015840

119892

the new group key the process is as follows

Base station 997888rarr lowast 119860 119891 (1198701015840

119892 0) MAC

119896119895(119860 | 119891 (119870

1015840

119892 0))

(8)

When the verification is done all the nodes will removerelated information of node 119860 and restore the group key 1198701015840

119892

in the tableNote that the initial Group key 119870

119892is preloaded in all

the sensor nodes before their deployment like the initial key119870119868 but we cannot take 119870

119868also as the group key because

it will be erased in a very short time after the pairwise keyestablishmentThe key used for deriving related keys must beprotected separately from normal ones

Figure 4 simply illustrates the authentication mechanism:

$$k_{j-1} = H(k_j). \tag{9}$$
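The revocation broadcast of (8) verified with the key chain of (9), as an added Python example that is not code from the paper. It assumes each node holds the commitment $k_0 = H(k_1)$, uses SHA-256 and HMAC-SHA256 as stand-ins for $H$, $f$ and MAC, replaces loose time synchronization with interval indices, and uses constructed keys and identifiers.

```python
import hashlib
import hmac


def H(key: bytes) -> bytes:
    """One-way function of eq. (9): k_{j-1} = H(k_j). SHA-256 is an assumed choice."""
    return hashlib.sha256(key).digest()


def f(key: bytes, data: bytes) -> bytes:
    """Pseudorandom function f(K, x); HMAC-SHA256 is an assumed instantiation."""
    return hmac.new(key, data, hashlib.sha256).digest()


def make_chain(seed: bytes, m: int) -> list:
    """Return [k_0, ..., k_m] with k_m = seed and k_{j-1} = H(k_j)."""
    chain = [seed]
    for _ in range(m):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


def key_at(k_j: bytes, j: int, i: int) -> bytes:
    """Derive an earlier key k_i (i <= j) from k_j by hashing j - i times."""
    for _ in range(j - i):
        k_j = H(k_j)
    return k_j


def revocation_message(k_j: bytes, j: int, revoked_id: bytes, new_group_key: bytes) -> dict:
    """Eq. (8): A, f(K'_g, 0), MAC_{k_j}(A | f(K'_g, 0)), sent in interval j."""
    check = f(new_group_key, b"\x00")
    tag = hmac.new(k_j, revoked_id + check, hashlib.sha256).digest()
    return {"interval": j, "revoked": revoked_id, "check": check, "tag": tag}


class SensorNode:
    def __init__(self, commitment: bytes, neighbors):
        self.trusted_key, self.trusted_index = commitment, 0
        self.neighbors = set(neighbors)
        self.pending = []             # broadcasts waiting for their key
        self.group_key_check = None   # f(K'_g, 0) from the last valid revocation

    def receive(self, msg: dict) -> bool:
        """Buffer a broadcast; refuse it if its MAC key is already public."""
        if msg["interval"] <= self.trusted_index:
            return False
        self.pending.append(msg)
        return True

    def key_disclosed(self, j: int, k_j: bytes) -> list:
        """Check k_j against the last trusted key, then verify buffered MACs."""
        if j <= self.trusted_index:
            return []
        if not hmac.compare_digest(key_at(k_j, j, self.trusted_index), self.trusted_key):
            return []                 # not on the base station's chain
        self.trusted_key, self.trusted_index = k_j, j
        applied, waiting = [], []
        for msg in self.pending:
            if msg["interval"] > j:
                waiting.append(msg)
                continue
            # A lost disclosure is recovered by hashing the newer key down.
            k_i = key_at(k_j, j, msg["interval"])
            expected = hmac.new(k_i, msg["revoked"] + msg["check"], hashlib.sha256).digest()
            if hmac.compare_digest(expected, msg["tag"]):
                self.neighbors.discard(msg["revoked"])
                self.group_key_check = msg["check"]
                applied.append(msg["revoked"])
        self.pending = waiting
        return applied


def run_demo() -> dict:
    chain = make_chain(b"constructed seed k_m", 5)     # kept by the base station
    node = SensorNode(chain[0], {b"A", b"C"})          # node holds only k_0
    new_gk = b"constructed new group key"
    genuine = revocation_message(chain[2], 2, b"A", new_gk)
    tampered = dict(genuine, revoked=b"C")             # altered in transit
    node.receive(genuine)
    node.receive(tampered)
    off_chain = node.key_disclosed(3, b"\x00" * 32)    # key not on the chain
    applied = node.key_disclosed(3, chain[3])          # k_1, k_2 disclosures were lost
    late = node.receive(revocation_message(chain[2], 2, b"C", new_gk))
    return {"off_chain": off_chain, "applied": applied, "late": late,
            "neighbors": node.neighbors,
            "check_ok": node.group_key_check == f(new_gk, b"\x00")}


if __name__ == "__main__":
    print(run_demo())
```
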

5. Enhanced Protocol

5.1. Requirements Analysis. The design of the basic scheme presented in the previous section is motivated by the observation that a single keying mechanism is not suitable for meeting all the security requirements of different types of exchanged messages.

Figure 4: Using the one-way hash function for source authentication (keys K1 to K5 and packets p1 to p6 along a time axis).

The advantage of this scheme is that a captured node does not threaten the safety of the other nodes, provided the master key $K$ is absolutely safe in time interval $T_{\min}$.

During the time interval $T_{\min}$, all the nodes of the WSN will hold the general master key $K$, and we note that this scheme cannot provide confidentiality when a node is compromised in $T_{\min}$. By using stolen information such as the master key $K$, an attacker can easily derive the master keys of all the remaining normal nodes that are deployed in the same time interval, as well as negotiate new pairwise keys with normal nodes in any region, which means that once a node is compromised in time interval $T_{\min}$, the security of the entire network is in extreme danger.

5.2. Enhanced Scheme. Based on the Diffie-Hellman algorithm described above, the improved scheme is as follows: prior to deployment of the network, each node prestores the large prime number $p$ and its primitive root $a$ instead of the initial key $K_I$, which is derived from the master key $K$.

Note that the generation of the individual key for node $A$ is still the same:

$$K_A = f(K_I, A). \tag{10}$$

Different from the basic scheme, this process is completed once the node is deployed; after that, the information of the initial key $K_I$ is deleted. Thus the attacker cannot get any information about the initial key $K_I$ or the master key $K$ even if the node is compromised during the working period.

Since the node no longer keeps the initial key $K_I$, which is required to participate in relevant calculations (function) in the pairwise key generating process, the basic scheme cannot be achieved. For this situation, make the following improvements.

Assign a key evolution function to each node. Take nodes $A$ and $B$ for example:

$$X_A = h(A \mid K_A) \bmod p,$$
$$X_B = h(B \mid K_B) \bmod p. \tag{11}$$

Then calculate the public message:

$$Y_A = a^{X_A} \bmod p,$$
$$Y_B = a^{X_B} \bmod p. \tag{12}$$

The pairwise key generation process is as follows:

$$A \to *:\ \mathrm{Nonce}_A,\ Y_A,$$
$$B \to A:\ \mathrm{MAC}_{K_{AB}}(B \mid Y_B),\ B,\ Y_B. \tag{13}$$

Here node $A$ broadcasts a nonce to all its direct neighbors, asking to establish a pairwise key, and broadcasts the public message $Y_A$ at the same time. When its neighbor (take node $B$ for example) receives the message, it first verifies the legitimacy of $Y_A$ and then calculates the pairwise key using the following function:

$$K_{AB} = (Y_A)^{X_B} \bmod p. \tag{14}$$

After that, node $B$ sends messages $B$ and $Y_B$ back to the asking node $A$ and sends a message $\mathrm{MAC}_{K_{AB}}(B \mid Y_B)$ to authenticate its identity. If node $B$ cannot respond to node $A$ in this way, it means node $B$ cannot get $K_{AB}$ using only $Y_A$; node $B$ is then considered untrusted. In addition, node $A$ does not need to send an authenticating message back to node $B$, because if it cannot prove its own identity (namely, it cannot get $K_{AB}$ using only $Y_B$), it will fail to generate the pairwise key $K_{AB}$.

Compared with the basic protocol, the most obvious improvement of the enhanced protocol is that it makes use of the Diffie-Hellman algorithm to generate pairwise keys instead of storing the initial key $K_I$ for a certain period of time. Thus, even if a node is compromised in $T_{\min}$, the attacker can merely get the key information related to the compromised node, which means only limited security threats can be caused, avoiding the disruption of the entire network caused by losing the initial key $K_I$. Despite the slight increment in the computational overhead, the security of the WSN is greatly improved.
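The exchange of (10) to (14) run end to end, as an added Python example that is not code from the paper. It assumes HMAC-SHA256 for $f$ and MAC, SHA-256 for $h$, a sender identifier taken from the frame header, a range check as the unspecified "legitimacy" test for a received $Y$, and a constructed 31-bit demo group ($p = 2^{31} - 1$, $a = 7$) that is far too small for deployment.

```python
import hashlib
import hmac
import os

# Constructed demo group: p = 2^31 - 1 with primitive root a = 7. A 31-bit
# modulus only shows the message flow; the paper's scheme needs a large prime.
P = 2**31 - 1
A_ROOT = 7
P_MINUS_1_PRIME_FACTORS = (2, 3, 7, 11, 31, 151, 331)
Y_LEN = (P.bit_length() + 7) // 8


def is_primitive_root(a: int, p: int, prime_factors) -> bool:
    """a generates Z_p^* iff a^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors)


def f(key: bytes, data: bytes) -> bytes:
    """Pseudorandom function f(K, x); HMAC-SHA256 is an assumed instantiation."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac(k_ab: int, data: bytes) -> bytes:
    """MAC_{K_AB}(data), keyed with the big-endian encoding of K_AB (assumed)."""
    return hmac.new(k_ab.to_bytes(Y_LEN, "big"), data, hashlib.sha256).digest()


def public_value_ok(y: int) -> bool:
    """Assumed legitimacy check: reject 0, 1, p-1 and out-of-range values.
    It does not bind Y to a node identity."""
    return 1 < y < P - 1


class Node:
    def __init__(self, node_id: bytes, k_i: bytes):
        self.node_id = node_id
        self.k = f(k_i, node_id)                              # eq. (10)
        digest = hashlib.sha256(node_id + self.k).digest()
        self.x = int.from_bytes(digest, "big") % P            # eq. (11)
        self.y = pow(A_ROOT, self.x, P)                       # eq. (12)
        self.pairwise = {}                                    # neighbor id -> K_AB
        # K_I is used above and never stored on the node.

    def hello(self):
        """A -> *: Nonce_A, Y_A (first line of eq. 13)."""
        return os.urandom(8), self.y

    def respond(self, peer_id: bytes, y_peer: int):
        """B's side: K_AB by eq. (14), then MAC_{K_AB}(B | Y_B), B, Y_B."""
        if not public_value_ok(y_peer):
            return None
        k_ab = pow(y_peer, self.x, P)
        self.pairwise[peer_id] = k_ab
        body = self.node_id + self.y.to_bytes(Y_LEN, "big")
        return mac(k_ab, body), self.node_id, self.y

    def accept(self, tag: bytes, peer_id: bytes, y_peer: int) -> bool:
        """A's side: derive K_AB from Y_B; trust B only if its MAC verifies."""
        if not public_value_ok(y_peer):
            return False
        k_ab = pow(y_peer, self.x, P)
        expected = mac(k_ab, peer_id + y_peer.to_bytes(Y_LEN, "big"))
        if not hmac.compare_digest(expected, tag):
            return False
        self.pairwise[peer_id] = k_ab
        return True


def run_demo() -> dict:
    k_i = b"constructed initial key K_I"      # exists only at provisioning time
    a, b = Node(b"A", k_i), Node(b"B", k_i)
    # Nonce_A is broadcast as in (13); the reply MAC in (13) covers B | Y_B only.
    nonce_a, y_a = a.hello()
    reply = b.respond(b"A", y_a)
    accepted = a.accept(*reply)
    keys_match = a.pairwise[b"B"] == b.pairwise[b"A"]
    # A responder that repeats B's identity and Y_B without knowing X_B
    # cannot compute K_AB, so its MAC is refused.
    checker = Node(b"A", k_i)
    guess = pow(y_a, 12345, P)                # constructed exponent, not X_B
    forged = mac(guess, b"B" + b.y.to_bytes(Y_LEN, "big"))
    rejected = not checker.accept(forged, b"B", b.y)
    # State readable from a captured node A: K_A, X_A, Y_A, pairwise keys.
    stores_k_i = any(isinstance(v, bytes) and v == k_i for v in vars(a).values())
    return {"accepted": accepted, "keys_match": keys_match,
            "rejected": rejected, "stores_k_i": stores_k_i}


if __name__ == "__main__":
    print(run_demo())
```
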

6. Performance Evaluation

The ability of the protocol to fight against various kinds of attacks is discussed in detail in the above sections. This section analyzes the storage requirement and energy efficiency.

6.1. Storage Requirement. In the basic protocol, a node needs to store four types of keys. Considering a node with $m$ neighbors in the WSN, it needs to store one individual key, $m$ cluster keys, $m$ pairwise keys, and one group key. In the enhanced protocol, each node stores the same number of keys as in the basic protocol.

When the key establishment is complete in a network having a scale of $N$, there is an upper limit on the number of keys to be stored in the nodes, including $N$ individual keys, $C(N, 2)$ pairwise keys, $N/2$ cluster keys, and $N$ group keys (though there is only one group key in a certain period), which add up to $(5/2)N + (N/2)(N - 2) = (N^2 + 3N)/2$, and the average for each node is $(5/2 + (N - 1)/2(N - 2) = N/2 + 2)$.

Note that the communication distance of a sensor node is limited, so the network will not reach the high complexity in which every two nodes are connected.

In addition, using an efficient clustering method can reduce the number of required cluster keys, and the real storage complexity is much smaller.

Although memory is quite a scarce resource for the current generation of nodes in WSNs, for a reasonable degree storage is not an issue in our protocol. For example, 100 keys take 800 bytes in total when the key size is 8 bytes.

6.2. Communication Cost. In this paper, the average communication cost increases with the connection degree of a sensor network and decreases with the network size $N$. Efficient preloaded functions are widely used, which greatly reduces the message exchanges in the key establishing phase and so saves communication cost. What's more, the use of located cluster keys enables in-network data processing, which also helps achieve communication and energy efficiency.

It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.

6.3. Computational Cost. Functions used in the proposed protocols are all of high computational efficiency. For example, the pseudorandom function $f$ is employed as the key generation function, and the computational cost will be negligible when it is used in the key establishment process. In the enhanced protocol, although the computational cost is slightly increased by using the Diffie-Hellman algorithm, we believe that the computational overhead is acceptable for a network of reasonable density in our protocols. For example, for a WSN of size $N = 1000$ and connection degree of 20, the average computational cost is 27 symmetric key operations per node per revocation, and a larger $N$ will reduce the cost further.

Overall, we conclude that the protocols proposed in this study are scalable and efficient enough in storage, communication, and computation.

7. Security Analysis

This section analyzes the security of the key management protocols. The survivability of the network is discussed when undetected compromised nodes occur, and the robustness of the proposed schemes is studied in defending against various attacks.

7.1. Survivability. Once a sensor node $A$ is compromised, the adversary can launch attacks by utilizing the keying materials of node $A$. If the threat is detected somehow, the protocols can revoke node $A$ efficiently and update the information of nodes quickly throughout the whole network. Basically, each neighbor of compromised node $A$ could delete its pairwise key shared with node $A$ as well as update the cluster key. The group key could also be updated efficiently by making use of the $\mu$TESLA mechanism. When the revocation is completed, the adversary cannot launch further attacks.

However, security detection in WSNs is more difficult than in other systems, since sensor systems are often deployed in unattended environments. Thus the survivability of the network is one of the most important security requirements when compromised nodes are not detected.

Firstly, because the individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.

Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which can be used by the attacker to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study, the attacker usually has to achieve such attacks by making use of the identity of the captured node.

Note that a salient feature of the proposed protocols is the ability to localize possible threats, because after the deployment of the network and the pairwise key establishing phase, every node will keep a list of trusted neighbor nodes. As a compromised node and its copy nodes cannot establish trust relationships with other nodes except its neighbors, the attacker can only damage secure links within a limited range.

Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. The broadcast messages, by their nature, are intended to be received by all the nodes in the network. Thus compromising any single node is enough to possess this message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the $\mu$TESLA mechanism.

7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.

An inside attacker may attempt to alter and replay routing information to make routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.

In this paper, the schemes cannot protect the WSNs from such attacks; however, the schemes can hinder or minimize the consequences caused by such attacks.

First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.

Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching such attacks. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible, since the related sending node may overhear the forwarded messages altered by the captured node.

Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.

The proposed protocol can protect WSNs from the following attacks.

Sybil Attacks. In Sybil attacks, the attacker may replicate the captured node and deploy multiple replicas into the original network. With the help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen in the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.

HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network by increasing the transmission power enough to convince all the nodes that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and some other packets in vain. However, it cannot succeed in the proposed protocols, because the attacker does not have a network-wide key for authentication.

It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages to the entire network from the base station.

7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.

In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in WSNs.

In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, to create a sinkhole. Moreover, nodes which are multiple hops away may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch the wormhole attack, such an attack is very powerful in practice [24].

In the proposed protocols, an outside attacker cannot succeed in launching a wormhole attack except in the neighbor discovery process, since a node will know all its neighbor nodes after the pairwise key is established, which means the attacker cannot convince two distant nodes to believe that they are neighbors of each other.

Because the time of the neighbor discovery process is very short (usually seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors when the neighbor discovery phase is finished. The authenticated neighborhood information is critical for dealing with the wormhole attacks.

In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station becomes smaller, node $B$ will be especially attractive to surrounding nodes. In practice, the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and then sensor nodes will know the approximate number of hops from the base station. Thus it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.

7.4. Conclusion. This paper proposes a basic key management protocol based on an initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.

To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.

The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to the original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.

This paper presents a proposal for key establishment and achieves security mainly based on the combined application of four kinds of keys. This is a critical step, and how to use such keys to found a protection mechanism is a focus of our future research.

Notations

$N$: The number of nodes in the network
$A$, $B$: Two communicating nodes in the network (also represents the node identifier)
$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$
$H(K)$: One-way hash function to generate a chain of keys using the seed $K$
$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$
$K$: The master key only possessed by base station
$K_A$: Individual key of node $A$
$E_K(m)$: Encryption of message $m$ with a symmetric key $K$
$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$
$A \to B: M$: Node $A$ sends a message $M$ to node $B$
$A \to *: M$: Node $A$ sends a local broadcast message $M$ to all its neighbors
$h(m)$: Calculate hash value of message $m$

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "Wireless sensor networks: a survey," Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.

[2] X. He, M. Niedermeier, and H. de Meer, "Dynamic key management in wireless sensor networks: a survey," Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.

[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, "A unified security framework with three key management schemes for wireless sensor networks," Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.

[4] C. Intanaonwiwat, R. Govindan, and D. Estrin, "Directed diffusion: a scalable and robust communication paradigm for sensor networks," in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.

[5] A. Manjeshwar and D. P. Agrawal, "TEEN: a routing protocol for enhanced efficiency in wireless sensor networks," in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS '01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.

[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom '01), pp. 189–199, Rome, Italy, July 2001.

[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.

[8] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.

[9] H. O. Sanli, S. Ozdemir, and H. Cam, "SRDA: secure reference-based data aggregation protocol for wireless sensor networks," in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC '04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.

[10] T. Dimitriou and I. Krontiris, "A localized distributed protocol for secure information exchange in sensor networks," in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), pp. 37–45, IEEE, April 2005.

[11] S. Zhu, S. Setia, and S. Jajodia, "LEAP: efficient security mechanisms for large-scale distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 62–72, ACM, New York, NY, USA, October 2003.

[12] J. Shen and L. Xu, "Cluster-based key pre-distribution scheme for wireless sensor networks," Journal of Wuhan University: Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).

[13] X. Huang, M. Yang, and S.-S. Lv, "Secure and efficient key management protocol for wireless sensor network and simulation," Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.

[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security - ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS '12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[15] L.-C. Li, J.-H. Li, and J. Pan, "Self-healing group key management scheme with revocation capability for wireless sensor networks," Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.

[16] Z. Ming, W. Suo-ping, and X. He, "Dynamic key management scheme for wireless sensor networks based on cluster," Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.

[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, "Transitory initial key-based key management protocol in wireless sensor networks," Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.

[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, "A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE802.16e wireless networks," Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.

[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, "Fine-grained access control system based on outsourced attribute-based encryption," in Computer Security - ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013, Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.

[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, "Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach," in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP '03), pp. 326–335, Atlanta, Ga, USA, November 2003.

[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, Washington, DC, USA, October 2003.

[22] D. Liu and P. Ning, "Multi-level $\mu$TESLA: broadcast authentication for distributed sensor networks," ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.

[23] J. Li, Q. Wang, C. Wang, and K. Ren, "Enhancing attribute-based encryption with attribute hierarchy," Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.

[24] Y. S. Lee, J. W. Park, and L. Barolli, "A localization algorithm based on AOA for ad-hoc sensor networks," Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.


Page 6: Research Article Enhanced Key Management Protocols …downloads.hindawi.com/journals/misy/2015/627548.pdf · Research Article Enhanced Key Management Protocols for ... xed infrastructures.

6 Mobile Information Systems

Cluster headActive node

Base station

Figure 3 Mesh division method

the rekeying and updating mechanism comes to be impor-tant

120583TESLA [22] is a widely employed protocol due to thehigh efficiency and perfect tolerance for packet loss A one-way hash function119867 is used here to help achieve the processFirstly the controller generates a random seed 119896

119898and uses

the function119867 to get a sequence of the following hash values119896119898 119896119898minus1

119896119895 119896

1 that meets the restriction 119896

119895| 0 lt

119895 le 119898 119896119895minus1

= 119867(119896119895)

Then preload this key chain 119896119898 119896119898minus1

119896119895 119896

1 in

the base station and use delayed key disclosure to achievemessage authentication Let 119860 be the revoked node and 1198701015840

119892

the new group key the process is as follows

Base station 997888rarr lowast 119860 119891 (1198701015840

119892 0) MAC

119896119895(119860 | 119891 (119870

1015840

119892 0))

(8)

When the verification is done all the nodes will removerelated information of node 119860 and restore the group key 1198701015840

119892

in the tableNote that the initial Group key 119870

119892is preloaded in all

the sensor nodes before their deployment like the initial key119870119868 but we cannot take 119870

119868also as the group key because

it will be erased in a very short time after the pairwise keyestablishmentThe key used for deriving related keys must beprotected separately from normal ones

Figure 4 simply illustrates the authenticationmechanism

119896119895minus1

= 119867(119896119895) (9)

5 Enhanced Protocol

51 Requirements Analysis The design of the basic schemepresented in the previous section ismotivated by the observa-tion that single keying mechanism is not suitable for meeting

K1 K2 K3 K4 K5

p1 p2 p3 p4 p5 p6

Time

Figure 4 Using the one-way hash function for source authentica-tion

all the security requirements of different types of exchangedmessages

The advantage of this scheme is that the captured nodedoes not threat the safety of the other nodes in case themasterkey 119870 is absolutely safe in time interval 119879min

During the time interval 119879min all the nodes of the WSNwill hold the general master key 119870 and we note that thisscheme cannot provide confidentiality when a node is com-promised in 119879min Because by using the stolen informationlike the master key119870 an attacker can easily derive the masterkeys of all the rest normal nodes that are deployed in thesame time interval as well as negotiating new pairwise keywith normal nodes in any region whichmeans once a node iscompromised in time interval 119879min the security of the entirenetwork is extremely dangerous

52 Enhanced Scheme Based on the Diffie-Hellman algo-rithm above presenting the improved scheme prior todeployment of the network each node prestores the largeprime number 119901 and its primitive root 119886 instead of the initialkey 119870

119868which is derived from the master key 119870

Note that the generation of individual key for node 119860 isstill same

119870119860= 119891 (119870

119868 119860) (10)

Different from the basic scheme this process is completedonce the node is deployed after that the information of theinitial key 119870

119868is deleted Thus the attacker cannot get any

information about the initial key119870119868or the master key119870 even

if it is compromised during the working periodSince the node no longer keeps initial key 119870

119868 which

is required to participate in relevant calculations (function)in the pairwise key generating process the basic schemecannot be achieved For this situation make the followingimprovements

Gain a key evolution function to each node Takes node119860 and 119861 for examples

119883119860= ℎ (119860 | 119870

119860) mod 119901

119883119861= ℎ (119861 | 119870

119861) mod 119901

(11)

Then calculate the public message

119884119860= 119886119883119860 mod 119901

119884119861= 119886119883119861 mod 119901

(12)

Mobile Information Systems 7

The pairwise key generation process is as follows

119860 997888rarr lowast Nonce119860 119884119860

119861 997888rarr 119860 MAC119870119860119861

(119861 | 119884119861) 119861 119884

119861

(13)

Here node119860 broadcasts a nonce to all its direct neighborsand asks to establish pairwise key and broadcasts the publicmessage 119884

119860at the same time When its neighbor (take node

119861 for example) receives the message it first verifies thelegitimacy of 119884

119860and then calculates the pairwise key using

the following function

119870119860119861

= (119884119860)119883119861 mod 119901 (14)

After that node 119861 sends messages 119861 and 119884119861back to the

asking node 119860 and sends a message MAC119870119860119861

(119861 | 119884119861) to

authenticate its identity If node 119861 cannot respond to node119860 in this way it means node 119861 cannot get 119870

119860119861only taking

use of 119884119860 then consider node 119861 as untrusted In addition

node 119860 does not need to send authenticating message backto node 119861 anymore because if it cannot prove its own identity(namely it cannot get 119870

119860119861only taking use of 119884

119861 and it will

fail to generate the pairwise key 119870119860119861)

Compared with the basic protocol the most obviousimprovement of enhanced protocol is that it takes use ofDiffie-Hellman algorithm to generate pairwise keys insteadof storing the initial key 119870

119868in a certain period of time Thus

even if a node is compromised in119879min the attacker canmerelyget the information of key related to the compromised nodewhich means only limited security threats can be causedavoiding the disruption of the entire network caused bylosing initial key 119870

119868 Despite the slight increment in the

computational overhead the security of the WSN is greatlyimproved

6 Performance Evaluation

The ability of the protocol to fight against kinds of attacks isdiscussed in detail in above sectionsThis section analyzes thestorage requirement and energy efficiency

61 Storage Requirement In the basic protocol a node needsto store four types of keys Considering a node with 119898

neighbors in the WSN it needs to store one individual key119898 cluster keys 119898 pairwise keys and one group key In theenhanced protocol each node stores the same number of keysas the basic protocol

When the key establishment is complete in a network having a scale of $N$, there is an upper limit of the number of keys to be stored in the nodes, including $N$ individual keys, $C(N, 2)$ pairwise keys, $N/2$ cluster keys, and $N$ group keys (though there is only one group key in a certain period), which add up to $(5/2)N + (N/2)(N - 2) = (N^2 + 3N)/2$, and the average for each node is $5/2 + (N - 1)/2(N - 2) = N/2 + 2$.

Note that the communication distance of a sensor node is limited, so the network will not reach the high complexity in which every two nodes are connected.

In addition, using an efficient clustering method can reduce the number of required cluster keys, and the real storage complexity is much smaller.

Although memory is a quite scarce resource for the current generation of nodes in WSNs, for a reasonable degree, storage is not an issue in our protocol. For example, 100 keys take 800 bytes in total when the key size is 8 bytes.

6.2. Communication Cost. In this paper, the average communication cost increases with the connection degree of a sensor network and decreases with the network size $N$. Efficient preloaded functions are widely used, which greatly reduces the message exchanges in the key establishing phase so as to save communication cost. What's more, the use of the located cluster key enables in-network data processing, which also helps achieve communication and energy efficiency.

It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.

6.3. Computational Cost. Functions used in the proposed protocols are all of high computational efficiency. For example, pseudorandom function $f$ is employed as the key generation function, and the computational cost is negligible when it is used in the key establishment process. In the enhanced protocol, although computational cost is slightly increased by using the Diffie-Hellman algorithm, we believe that the computational overhead is acceptable for a network of reasonable density in our protocols. For example, for a WSN of size $N = 1000$ and connection degree of 20, the average computational cost is 27 symmetric key operations per node per revocation, and a larger $N$ will reduce the cost further.

Overall, we conclude that the protocols proposed in this study are scalable and efficient enough in storage, communication, and computation.

7. Security Analysis

This section analyzes the security of the key management protocols. The survivability of the network is discussed when undetected compromised nodes occur, and the robustness of the proposed schemes is studied in defending against various attacks.

7.1. Survivability. Once a sensor node $A$ is compromised, the adversary can launch attacks by utilizing the keying materials of node $A$. If the threat is detected somehow, the protocols can revoke node $A$ efficiently and update the information of nodes quickly throughout the whole network. Basically, each neighbor of compromised node $A$ could delete its pairwise key shared with node $A$ as well as updating the cluster key. The group key could also be updated efficiently by making use of the $\mu$TESLA mechanism. When the revocation is completed, the adversary cannot launch further attacks.

However, security detection in WSNs is more difficult than in other systems, since sensor systems are often deployed in unattended environments. Thus, the survivability of the network is one of the most important security requirements when compromised nodes are not detected.

Firstly, because the individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.

Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which can be used by the attacker to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study, the attacker usually has to achieve such attacks by making use of the identity of the captured node.

Note that a salient feature of the proposed protocols is the ability to localize possible threats, because after the deployment of the network and the pairwise key establishing phase, every node will keep a list of trusted neighbor nodes. As a compromised node and its copy nodes cannot establish a trust relationship with other nodes except its neighbors, the attacker can only damage secure links within a limited range.

Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. The broadcast messages, by their nature, are intended to be received by all the nodes in the network. Thus, compromising any single node is enough to possess this message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the $\mu$TESLA mechanism.

7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks of routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.

An inside attacker may attempt to alter and replay routing information to make routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.

In this paper, the schemes cannot protect the WSNs from such attacks; however, the schemes can hinder or minimize the consequences caused by such attacks.

First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.

Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching such attacks. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible, since the related sending node may overhear the forwarded messages altered by the captured node.

Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.

The proposed protocol can protect WSNs from the following attacks.

Sybil Attacks. In Sybil attacks, the attacker may replicate the captured node and deploy multiple replicas into the original network. With help of the base station, such replica nodes will then try to establish pairwise and cluster keys with normal nodes that are not neighbors of the captured node [23]. If the base station does not know the precise topology of the wireless network, this attack may work in pairwise key establishment. However, it cannot happen in the proposed protocols, because each normal node keeps a list of its approved neighbors and the base station is not involved in pairwise or cluster key establishment in this study.

HELLO Flood Attack. The attacker may send a HELLO message to all nodes in the network by increasing the transmission power to be high enough to make all the nodes convinced that it is their neighbor. Once this attack succeeds, nodes of the entire network may send their readings and some other packets in vain. However, it cannot succeed in the proposed protocols, because the attacker does not have a network-wide key for authentication.

It is worth noting that the group key in the protocols is not for authentication purposes but for the distribution of secure messages to the entire network from the base station.

7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.

In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in WSNs.

In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, to create a sinkhole. Moreover, nodes which are multiple hops away may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch the wormhole attack, such an attack is very powerful in practice [24].

In the proposed protocols, an outside attacker cannot succeed in launching a wormhole attack except in the neighbor discovery process, since a node will know all its neighbor nodes after the pairwise key is established, which means the attacker cannot convince two distant nodes to believe that they are neighbors of each other.

Because the time of the neighbor discovery process is very short (usually seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors once the neighbor discovery phase is finished. The authenticated neighborhood information is critical in dealing with wormhole attacks.
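How the trusted-neighbor list localizes replicas, HELLO floods, and pairing attempts after discovery has closed (Sections 7.1 to 7.3), as an added Python example that is not the authors' code. The `NeighborTable` class, HMAC-SHA-256 as the MAC, the packet layout, and the sample packets are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, sender: str, payload: bytes) -> bytes:
    """MAC over sender identity and payload under a pairwise key."""
    return hmac.new(key, sender.encode() + b"|" + payload, hashlib.sha256).digest()


class NeighborTable:
    """State one node keeps after the pairwise key establishing phase."""

    def __init__(self, owner: str):
        self.owner = owner
        self.discovery_open = True               # neighbor discovery running
        self.pairwise = {}                       # trusted neighbor -> pairwise key
        self.cluster_key = secrets.token_bytes(16)

    def add_neighbor(self, node_id: str, key: bytes) -> bool:
        """Pairing is only possible while neighbor discovery is open."""
        if not self.discovery_open:
            return False
        self.pairwise[node_id] = key
        return True

    def close_discovery(self) -> None:
        self.discovery_open = False

    def check(self, sender: str, payload: bytes, tag: bytes) -> str:
        """Accept a packet only from a listed neighbor with a valid MAC."""
        key = self.pairwise.get(sender)
        if key is None:
            return "drop: sender not in trusted neighbor list"
        if not hmac.compare_digest(mac(key, sender, payload), tag):
            return "drop: bad MAC"
        return "accept"

    def revoke(self, node_id: str) -> bool:
        """Delete the pairwise key of a revoked node and update the cluster key."""
        if self.pairwise.pop(node_id, None) is None:
            return False
        self.cluster_key = secrets.token_bytes(16)
        return True


def run_scenario() -> dict:
    """Constructed packets seen by node A, whose only neighbor is B."""
    k_b, k_c = secrets.token_bytes(16), secrets.token_bytes(16)
    table = NeighborTable("A")
    table.add_neighbor("B", k_b)
    table.close_discovery()

    out = {}
    out["neighbor B"] = table.check("B", b"temp=21", mac(k_b, "B", b"temp=21"))
    # Replica of a captured node C placed outside C's neighborhood: its key
    # material is genuine, but A never paired with C.
    out["replica C"] = table.check("C", b"route", mac(k_c, "C", b"route"))
    out["late pairing C"] = table.add_neighbor("C", k_c)
    # High-power HELLO from a sender holding no pairwise key with A.
    out["hello flood Z"] = table.check("Z", b"HELLO", secrets.token_bytes(32))
    # Message from B altered in transit: the MAC no longer matches.
    out["altered B"] = table.check("B", b"temp=99", mac(k_b, "B", b"temp=21"))
    # B is detected as compromised and revoked.
    old_cluster_key = table.cluster_key
    out["revoke B"] = table.revoke("B")
    out["cluster key updated"] = table.cluster_key != old_cluster_key
    out["B after revocation"] = table.check("B", b"temp=21",
                                            mac(k_b, "B", b"temp=21"))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {verdict}")
```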

In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station becomes smaller, node $B$ will be especially attractive to surrounding nodes. In practice, the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and then sensor nodes will know the approximate number of hops from the base station. Thus, it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.

7.4. Conclusion. This paper proposes a basic key management protocol based on initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.

To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.

The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.

This paper presents a proposal for key establishment and achieves security mainly based on the combined application of four kinds of keys. This is a critical step, and how to use such keys to found a protection mechanism is a focus of our future research.

Notations

$N$: The number of nodes in the network
$A$, $B$: Two communicating nodes in the network (also represents the node identifier)
$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$
$H(K)$: One-way hash function to generate a chain of keys using the seed $K$
$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$
$K$: The master key only possessed by base station
$K_A$: Individual key of node $A$
$E_K(m)$: Encryption of message $m$ with a symmetric key $K$
$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$
$A \rightarrow B: M$: Node $A$ sends a message $M$ to node $B$
$A \rightarrow *: M$: Node $A$ sends a local broadcast message $M$ to all its neighbors
$h(m)$: Calculate hash value of message $m$

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “Wireless sensor networks: a survey,” Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.

[2] X. He, M. Niedermeier, and H. de Meer, “Dynamic key management in wireless sensor networks: a survey,” Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.

[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, “A unified security framework with three key management schemes for wireless sensor networks,” Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.

[4] C. Intanaonwiwat, R. Govindan, and D. Estrin, “Directed diffusion: a scalable and robust communication paradigm for sensor networks,” in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.

[5] A. Manjeshwar and D. P. Agrawal, “TEEN: a routing protocol for enhanced efficiency in wireless sensor networks,” in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS '01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.

[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, “SPINS: security protocols for sensor networks,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom '01), pp. 189–199, Rome, Italy, July 2001.

[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.

[8] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.

[9] H. O. Sanli, S. Ozdemir, and H. Cam, “SRDA: secure reference-based data aggregation protocol for wireless sensor networks,” in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC '04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.

[10] T. Dimitriou and I. Krontiris, “A localized, distributed protocol for secure information exchange in sensor networks,” in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), pp. 37–45, IEEE, April 2005.

[11] S. Zhu, S. Setia, and S. Jajodia, “LEAP: efficient security mechanisms for large-scale distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 62–72, ACM, New York, NY, USA, October 2003.

[12] J. Shen and L. Xu, “Cluster-based key pre-distribution scheme for wireless sensor networks,” Journal of Wuhan University Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).

[13] X. Huang, M. Yang, and S.-S. Lv, “Secure and efficient key management protocol for wireless sensor network and simulation,” Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.

[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, “New algorithms for secure outsourcing of modular exponentiations,” in Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS '12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[15] L.-C. Li, J.-H. Li, and J. Pan, “Self-healing group key management scheme with revocation capability for wireless sensor networks,” Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.

[16] Z. Ming, W. Suo-ping, and X. He, “Dynamic key management scheme for wireless sensor networks based on cluster,” Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.

[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, “Transitory initial key-based key management protocol in wireless sensor networks,” Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.

[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, “A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE802.16e wireless networks,” Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.

[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, “Fine-grained access control system based on outsourced attribute-based encryption,” in Computer Security – ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013, Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.

[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, “Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach,” in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP '03), pp. 326–335, Atlanta, Ga, USA, November 2003.

[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, Washington, DC, USA, October 2003.

[22] D. Liu and P. Ning, “Multi-level μTESLA: broadcast authentication for distributed sensor networks,” ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.

[23] J. Li, Q. Wang, C. Wang, and K. Ren, “Enhancing attribute-based encryption with attribute hierarchy,” Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.

[24] Y. S. Lee, J. W. Park, and L. Barolli, “A localization algorithm based on AOA for ad-hoc sensor networks,” Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.


Page 7: Research Article Enhanced Key Management Protocols …downloads.hindawi.com/journals/misy/2015/627548.pdf · Research Article Enhanced Key Management Protocols for ... xed infrastructures.

Mobile Information Systems 7

The pairwise key generation process is as follows

119860 997888rarr lowast Nonce119860 119884119860

119861 997888rarr 119860 MAC119870119860119861

(119861 | 119884119861) 119861 119884

119861

(13)

Here node119860 broadcasts a nonce to all its direct neighborsand asks to establish pairwise key and broadcasts the publicmessage 119884

119860at the same time When its neighbor (take node

119861 for example) receives the message it first verifies thelegitimacy of 119884

119860and then calculates the pairwise key using

the following function

119870119860119861

= (119884119860)119883119861 mod 119901 (14)

After that node 119861 sends messages 119861 and 119884119861back to the

asking node 119860 and sends a message MAC119870119860119861

(119861 | 119884119861) to

authenticate its identity If node 119861 cannot respond to node119860 in this way it means node 119861 cannot get 119870

119860119861only taking

use of 119884119860 then consider node 119861 as untrusted In addition

node 119860 does not need to send authenticating message backto node 119861 anymore because if it cannot prove its own identity(namely it cannot get 119870

119860119861only taking use of 119884

119861 and it will

fail to generate the pairwise key 119870119860119861)

Compared with the basic protocol the most obviousimprovement of enhanced protocol is that it takes use ofDiffie-Hellman algorithm to generate pairwise keys insteadof storing the initial key 119870

119868in a certain period of time Thus

even if a node is compromised in119879min the attacker canmerelyget the information of key related to the compromised nodewhich means only limited security threats can be causedavoiding the disruption of the entire network caused bylosing initial key 119870

119868 Despite the slight increment in the

computational overhead the security of the WSN is greatlyimproved

6 Performance Evaluation

The ability of the protocol to fight against kinds of attacks isdiscussed in detail in above sectionsThis section analyzes thestorage requirement and energy efficiency

61 Storage Requirement In the basic protocol a node needsto store four types of keys Considering a node with 119898

neighbors in the WSN it needs to store one individual key119898 cluster keys 119898 pairwise keys and one group key In theenhanced protocol each node stores the same number of keysas the basic protocol

When the key establishment is complete in a networkhaving a scale of 119873 there is an upper limit of the numberof keys to be stored in the nodes including119873 individual keys119862(119873 2) pairwise keys 1198732 cluster keys and 119873 group keys(though there is only one group key in a certain period)which add up to ((52)119873+(1198732(119873minus2)) = (1198732+3119873)2) andaverage to each node is (52 + (119873minus 1)2(119873minus 2) = 1198732 + 2)

Note that communication distance of sensor node islimited so that it will not reach a high complexity that eachtwo nodes are connected

In addition using an efficient clustering method canreduce the number of required cluster keys and the realstorage complexity is much smaller

Although memory is a quite scarce resource for thecurrent generation of nodes inWSNs for a reasonable degreestorage is not an issue in our protocol For example 100 keystotally take 800 bytes when the key size is 8 bytes

62 Communication Cost In this paper the average commu-nication cost increases with the connection degree of a sensornetwork and decreases with the network size 119873 Efficientpreloaded functions are widely used which greatly reducesthe message exchanges in key establishing phase so that tosave communication cost Whats more the use of locatedcluster key enables in-network data processing which alsohelps achieve communication and energy efficiency

It is worth noting that the communication cost of theenhanced protocol remains at the same level as that of thebasic protocol

63 Computational Cost Functions used in the proposedprotocols are all of high computational efficiency For exam-ple pseudorandom function 119891 is employed to be the keygeneration function and the computational cost will benegligible when it is used in key establishment process In theenhanced protocol although computational cost is slightlyincreased by using Diffie-Hellman algorithm for a networkof reasonable density we believe that the computationaloverhead is applicable for a network of reasonable density inour protocols For example for a WSN of size119873 = 1000 andconnection degree of 20 the average computational cost is27 symmetric key operations per node per revocation and alarger119873 will reduce the cost further

Overall we conclude that the protocols proposed in thisstudy are scalable and efficient enough in storage communi-cation and computation

7 Security Analysis

This section analyzes the security of the key managementprotocols The survivability of the network is discussed whenundetected compromised nodes occur and the robustness ofproposed schemes is studied in defending against variousattacks

71 Survivability Once a sensor node 119860 is compromised theadversary can launch attacks by utilizing keying materialsof node 119860 If the threat is detected somehow the protocolscan revoke node 119860 efficiently and update the information ofnodes quickly throughout the whole network Basically eachneighbor of compromised node 119860 could delete its pairwisekey shared with node 119860 as well as updating the cluster keyThe group key could also be updated efficiently by taking useof 120583TESLA mechanism When the revocation is completedthe adversary cannot launch further attacks anymore

However security detection in WSNs is more difficultthan in other systems since sensor systems are often deployedin unattended environments Thus the survivability of

8 Mobile Information Systems

the network is one of most important security requirementswhen compromised nodes is not detected

Firstly because individual key is only shared between thebase station and each sensor node it usually does not help theattacker launch attacks

Secondly obtaining the cluster keys and pairwise keys ofa compromised node enables the attacker to establish trustwith the neighbor nodes which can be used by the attackerto inject malicious sensor readings and routing controlinformation into the network However in the proposedprotocols in this study the attacker usually has to achieve suchattacks by taking use of the identity of the captured node

Note that a salient feature of the proposed protocols isthe ability in localizing possible threats Because after thedeployment of the network and the pairwise key establishingphase every node will keep a list of trusted neighbor nodesAs compromised node and its copy nodes cannot establishtrust relationship with other nodes except its neighbors theattacker can only damage secure links within limited range

Finally obtaining the group key enables the attacker todecryptmessages broadcast by the base stationThebroadcastmessages by their nature are intended to be received by allthe nodes in the network Thus compromising any singlenode is enough to possess this message whatever securitymechanism is used However obtaining the group key doesnot allow the attacker to damage the entire network withmalicious packets by impersonating the base station becauseall messages sent from the base station are authenticated by120583TESLA mechanism

72 Dealing with the Attacks on Secure Routing Ciou et alhave described various possible attacks of routing protocolsforWSNs [18] How the proposed schemes can defend againstsuch attacks is shown in this section

An inside attackermay attempt to alter and replay routinginformation to make routing loops attract or repel networktraffic and generate false messages Moreover the attackercan launch the selective forwarding attack in which thecaptured node suppresses routing packets sent from a fewselected nodes while forwarding the other packets reliably

In this paper the schemes cannot protect theWSNs fromsuch attacks however the schemes can hinder or minimizethe consequences caused by such attacks

First based on the key establishment and authenticationphases of the proposed protocols it is apparent that suchattacks are only possible within a small area of two-hops fromthe captured node

Second since such attacks are localized in a certainzone the attacker faces a high risk of being detected whenlaunching such attacks For example the probabilistic chal-lenge mechanism can help detect the spoofing attack and thedetection of altering attack is also possible since the relatedsending node may overhear the forwarded messages alteredby the captured node

Last but not least once a compromised node is detectedthe group rekeying process of the protocols can efficientlyrevoke the compromised node from the network

The proposed protocol can protect WSNs from thefollowing attacks

Sybil Attacks In Sybil attacks the attacker may replicatethe captured node and deploy multiple replicas into theoriginal network With help of the base station such replicanodes will then try to establish pairwise and cluster keyswith normal nodes that are not neighbors of the capturednode [23] If the base station does not know the precisetopology of the wireless network this attack may work inpairwise key establishment However it cannot happen forproposed protocols because each normal node keeps a list ofits approved neighbors and the base station is not involved forpairwise or cluster key establishments in this study

HELLO Flood Attack The attacker may send a HELLOmessage to all nodes in the network by increasing thetransmission power to be high enough to make all the nodesconvinced that it is their neighbor Once this attack succeedsnodes of the entire networkmay send their readings and someother packets in vainHowever it cannot succeed in proposedprotocols because the attacked does not have a network-widekey for authentication

It is worth noting that the group key in the protocols is notfor authentication purpose but for the distribution of securemessages to the entire network from the base station

7.3. Defending against Sinkhole and Wormhole Attacks. The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to prevent.

In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in WSNs.

In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, creating a sinkhole. Moreover, nodes which are multiple hops away may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch a wormhole attack, such an attack is very powerful in practice [24].

In the proposed protocols, an outside attacker cannot succeed in launching a wormhole attack except during the neighbor discovery process, since a node will know all its neighbor nodes after the pairwise key is established, which means the attacker cannot convince two distant nodes to believe that they are neighbors of each other.

Because the neighbor discovery process is very short (usually lasting seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors once the neighbor discovery phase is finished. The authenticated neighborhood information is critical to deal with the wormhole attacks.
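The approved-neighbor argument used above against Sybil, HELLO flood and wormhole attacks can be exercised with the following added Python example, which is not the authors' code. It assumes HMAC-SHA256 truncated to 8 bytes as the MAC, random pairwise keys standing in for the keys agreed during neighbor discovery, and a constructed five-node topology; `Node`, `make_frame` and `run_scenario` are hypothetical names.

```python
import hashlib
import hmac
import os

TAG_LEN = 8  # assumption: truncated tag length in bytes


def _encode(*fields: bytes) -> bytes:
    """Length-prefix each field so the MAC input is unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def make_frame(src: str, dst: str, payload: bytes, key: bytes) -> dict:
    """Build a frame claiming to come from `src`, tagged with whatever key the sender holds."""
    msg = _encode(src.encode(), dst.encode(), payload)
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    return {"src": src, "dst": dst, "payload": payload, "tag": tag}


class Node:
    def __init__(self, node_id: str):
        self.node_id = node_id
        self.approved = {}          # approved neighbor id -> pairwise key
        self.discovery_open = True  # true only during the short discovery phase

    def pair_with(self, other: "Node") -> None:
        """Neighbor discovery: both sides record each other and a fresh pairwise key."""
        if not (self.discovery_open and other.discovery_open):
            raise PermissionError("neighbor discovery phase is finished")
        key = os.urandom(16)  # stands in for the key established during discovery
        self.approved[other.node_id] = key
        other.approved[self.node_id] = key

    def finish_discovery(self) -> None:
        self.discovery_open = False

    def accept(self, frame: dict) -> str:
        """Accept only frames from an approved neighbor that carry a valid MAC."""
        key = self.approved.get(frame["src"])
        if key is None:
            return "reject: sender not in approved neighbor list"
        expected = make_frame(frame["src"], self.node_id, frame["payload"], key)["tag"]
        if not hmac.compare_digest(expected, frame["tag"]):
            return "reject: bad MAC"
        return "accept"


def run_scenario() -> dict:
    # Constructed topology: A-B and B-C are radio neighbors; D-E sit several hops away.
    nodes = {name: Node(name) for name in "ABCDE"}
    for x, y in (("A", "B"), ("B", "C"), ("D", "E")):
        nodes[x].pair_with(nodes[y])
    for n in nodes.values():
        n.finish_discovery()

    # Node B is captured: the replica holds B's identity and every key B stored.
    replica = Node("B")
    replica.approved = dict(nodes["B"].approved)
    k_ab = replica.approved["A"]

    results = {}
    # 1. Inside B's old neighborhood the copied key still verifies (damage stays local).
    results["replica_to_old_neighbor"] = nodes["A"].accept(
        make_frame("B", "A", b"reading=21", k_ab))
    # 2. Replica placed next to D: D never approved B, so the tag is never even checked.
    results["replica_to_distant_node"] = nodes["D"].accept(
        make_frame("B", "D", b"reading=21", k_ab))
    # 3. Replica asks D for a new pairwise key after discovery has closed.
    try:
        replica.pair_with(nodes["D"])
        results["late_pairing"] = "allowed"
    except PermissionError:
        results["late_pairing"] = "refused"
    # 4. HELLO flood: outsider X reaches every node by radio but shares a key with none.
    hello = [n.accept(make_frame("X", n.node_id, b"HELLO", os.urandom(16)))
             for n in nodes.values()]
    results["hello_flood_accepts"] = hello.count("accept")
    # 5. Outsider borrows E's identifier without holding E's key.
    results["spoofed_id_no_key"] = nodes["D"].accept(
        make_frame("E", "D", b"HELLO", os.urandom(16)))
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case}: {outcome}")
```

Case 1 is the residual risk that remains inside the captured node's own neighborhood until the node is detected and revoked.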

In the sinkhole attack, if the attacker compromises a node $A$ that is close to the base station and another node $B$ in the target area, the attacker will succeed in making node $A$ a sinkhole. Since the number of hops between node $B$ and the base station becomes smaller, node $B$ will be especially attractive to surrounding nodes. In practice, the location of the base station is usually static. When the network is constructed, the topology will be known to the entire network, and then sensor nodes will know the approximate number of hops from the base station. Thus, it is difficult for an attacker to make a very attractive sinkhole in the WSN without being detected.

7.4. Conclusion. This paper proposes a basic key management protocol based on initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.

To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.

The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.

This paper presents a proposal for key establishment and achieves security mainly based on the combined application of four kinds of keys. This is a critical step, and how to use such keys to found a protection mechanism is a focus of our future research.

Notations

$N$: The number of nodes in the network

$A$, $B$: Two communicating nodes in the network (also represents the node identifier)

$f(K, A)$: Calculate with parameter $A$ using the key $K$ in pseudorandom function $f$

$H(K)$: One-way hash function to generate a chain of keys using the seed $K$

$\mathrm{MAC}_K(m)$: Message authentication code (MAC) of message $m$ using MAC key $K$

$K$: The master key only possessed by base station

$K_A$: Individual key of node $A$

$E_K(m)$: Encryption of message $m$ with a symmetric key $K$

$M_1 \mid M_2$: Concatenation of the sequences $M_1$ and $M_2$

$A \rightarrow B : M$: Node $A$ sends a message $M$ to node $B$

$A \rightarrow * : M$: Node $A$ sends a local broadcast message $M$ to all its neighbors

$h(m)$: Calculate hash value of message $m$

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “Wireless sensor networks: a survey,” Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.

[2] X. He, M. Niedermeier, and H. de Meer, “Dynamic key management in wireless sensor networks: a survey,” Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.

[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, “A unified security framework with three key management schemes for wireless sensor networks,” Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.

[4] C. Intanaonwiwat, R. Govindan, and D. Estrin, “Directed diffusion: a scalable and robust communication paradigm for sensor networks,” in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom ’00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.

[5] A. Manjeshwar and D. P. Agrawal, “TEEN: a routing protocol for enhanced efficiency in wireless sensor networks,” in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS ’01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.

[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, “SPINS: security protocols for sensor networks,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom ’01), pp. 189–199, Rome, Italy, July 2001.

[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.

[8] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.

[9] H. O. Sanli, S. Ozdemir, and H. Cam, “SRDA: secure reference-based data aggregation protocol for wireless sensor networks,” in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC ’04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.

[10] T. Dimitriou and I. Krontiris, “A localized, distributed protocol for secure information exchange in sensor networks,” in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS ’05), pp. 37–45, IEEE, April 2005.


[11] S. Zhu, S. Setia, and S. Jajodia, “LEAP: efficient security mechanisms for large-scale distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 62–72, ACM, New York, NY, USA, October 2003.

[12] J. Shen and L. Xu, “Cluster-based key pre-distribution scheme for wireless sensor networks,” Journal of Wuhan University, Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).

[13] X. Huang, M. Yang, and S.-S. Lv, “Secure and efficient key management protocol for wireless sensor network and simulation,” Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.

[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, “New algorithms for secure outsourcing of modular exponentiations,” in Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS ’12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[15] L.-C. Li, J.-H. Li, and J. Pan, “Self-healing group key management scheme with revocation capability for wireless sensor networks,” Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.

[16] Z. Ming, W. Suo-ping, and X. He, “Dynamic key management scheme for wireless sensor networks based on cluster,” Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.

[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, “Transitory initial key-based key management protocol in wireless sensor networks,” Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.

[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, “A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE802.16e wireless networks,” Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.

[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, “Fine-grained access control system based on outsourced attribute-based encryption,” in Computer Security – ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013. Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.

[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, “Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach,” in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP ’03), pp. 326–335, Atlanta, Ga, USA, November 2003.

[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 42–51, Washington, DC, USA, October 2003.

[22] D. Liu and P. Ning, “Multi-level μTESLA broadcast authentication for distributed sensor networks,” ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.

[23] J. Li, Q. Wang, C. Wang, and K. Ren, “Enhancing attribute-based encryption with attribute hierarchy,” Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.

[24] Y. S. Lee, J. W. Park, and L. Barolli, “A localization algorithm based on AOA for ad-hoc sensor networks,” Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.


the network is one of the most important security requirements when compromised nodes are not detected.

Firstly, because the individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.

Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which can be used by the attacker to inject malicious sensor readings and routing control information into the network. However, in the proposed protocols in this study, the attacker usually has to achieve such attacks by making use of the identity of the captured node.

Note that a salient feature of the proposed protocols is the ability to localize possible threats. After the deployment of the network and the pairwise key establishing phase, every node will keep a list of trusted neighbor nodes. As a compromised node and its copy nodes cannot establish trust relationships with other nodes except its neighbors, the attacker can only damage secure links within a limited range.

Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. The broadcast messages, by their nature, are intended to be received by all the nodes in the network. Thus, compromising any single node is enough to possess this message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station, because all messages sent from the base station are authenticated by the μTESLA mechanism.

7.2. Dealing with the Attacks on Secure Routing. Ciou et al. have described various possible attacks on routing protocols for WSNs [18]. How the proposed schemes can defend against such attacks is shown in this section.

An inside attacker may attempt to alter and replay routing information to make routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.

In this paper, the schemes cannot protect the WSNs from such attacks; however, the schemes can hinder or minimize the consequences caused by such attacks.

First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two hops from the captured node.

Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching such attacks. For example, the probabilistic challenge mechanism can help detect the spoofing attack, and the detection of the altering attack is also possible since the related sending node may overhear the forwarded messages altered by the captured node.

Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.

The proposed protocol can protect WSNs from the following attacks.

Sybil Attacks In Sybil attacks the attacker may replicatethe captured node and deploy multiple replicas into theoriginal network With help of the base station such replicanodes will then try to establish pairwise and cluster keyswith normal nodes that are not neighbors of the capturednode [23] If the base station does not know the precisetopology of the wireless network this attack may work inpairwise key establishment However it cannot happen forproposed protocols because each normal node keeps a list ofits approved neighbors and the base station is not involved forpairwise or cluster key establishments in this study

HELLO Flood Attack The attacker may send a HELLOmessage to all nodes in the network by increasing thetransmission power to be high enough to make all the nodesconvinced that it is their neighbor Once this attack succeedsnodes of the entire networkmay send their readings and someother packets in vainHowever it cannot succeed in proposedprotocols because the attacked does not have a network-widekey for authentication

It is worth noting that the group key in the protocols is notfor authentication purpose but for the distribution of securemessages to the entire network from the base station

73 Defending against Sinkhole and Wormhole Attacks Thecombination of the sinkhole and the wormhole attacks is oneof the most difficult attacks to be prevented

In the sinkhole attack a malicious node tries to attractpackets from the neighbor nodes and then drops them Itcan launch such attack by advertising information of highreliability or high remaining energy which is very hard todetect in the WSNs

In the wormhole attack two distant malicious nodesconceal their distance information to the network Afterplacing one such node near the target zone and another onenear the base station the attacker will convince the nodeswithin the target area which are usually multiple hops awayfrom the base station as only one or two hops to create asinkholeMoreover nodes which aremultiple hops awaymaybelieve that they are neighbors of each other Since to launchwormhole attack the attacker does not need to compromiseany sensor nodes such attack is very powerful in practice[24]

In the proposed protocols an outside attacker cannotsucceed in launching wormhole attack except in the neighbordiscovery process since a node will know all its neighbornodes after the pairwise key is established which means theattacker cannot convince two distant nodes to believe thatthey are neighbors of each other

Because the time of neighbor discovery process is veryshort (usually for seconds) the probability that the attackerachieves such attacks is also quite small If an inside attackercompromises two or more nodes it can launch such attacksHowever it cannot convince two distant nodes as neighborswhen the neighbor discovery phase is finished The authen-ticated neighborhood information is critical to deal with thewormhole attacks

In the sinkhole attack if the attacker compromises a node119860 that is close to the base station and another node 119861 in

Mobile Information Systems 9

the target area the attacker will succeed in making node119860 asa sinkhole Since the number of hops between node 119861 and thebase station turns smaller node 119861will be especially attractiveto surrounding nodes In practice the location of base stationis usually static When the network is constructed topologywill be known to the entire network and then sensor nodeswill know the approximate number of hops from the basestation Thus it is difficult for an attacker to make a veryattractive sinkhole in the WSN without being detected

74 Conclusion This paper proposes a basic keymanagementprotocol based on initial secure time which assumes thatthe attacker cannot compromise a node in a short timeIt satisfies various security requirements of WSNs usingthe combination of four kinds of secure keys Meanwhilethe erasure and update mechanism of keys is important tosupport network security

To further improve the security of the basic schemean enhanced protocol based on Diffie-Hellman algorithmis proposed which avoids storing the master key in sensornodes so as to restrict the security impact of a captured nodeto the rest network

The proposed protocol achieves high communication andenergy efficiency by supporting in-network data processingand enhances the network security through strict authenti-cation and encryption mechanisms Compared to originalideas the proposed scheme improves not only the networksecurity but also the extensibility of WSNs

This paper presents a proposal for key establishment andachieves security mainly based on the combining applicationof four kinds of keys This is a critical step and how to usesuch keys to found a protection mechanism is a focus in ourfuture research

Notations

119873 The number of nodes in the network119860 119861 Two communicating nodes in the network

(also represents the node identifier)119891(119870119860) Calculate with parameter 119860 using the key

119870 in pseudorandom function 119891119867(119870) One-way hash function to generate a

chain of keys using the seed119870MAC119870(119898) Message authentication code (MAC) of

message119898 using MAC key 119870119870 The master key only possessed by base

station119870119860 Individual key of node 119860

119864119870(119898) Encryption of message119898 with a

symmetric key 1198701198721| 1198722 Concatenation of the sequences119872

1and

1198722

119860 rarr 119861 119872 Node 119860 sends a message119872 to node 119861119860 rarr lowast 119872 Node 119860 sends a local broadcast message

119872 to all its neighborsℎ(119898) Calculate hash value of message119898

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work was supported by National ratural Science Foun-dation of China (nos 61170268 61100047 and 61272493)International SampTCooperation Special Projects of China (no2013DFG72850) and The National Basic Research Programof China (973 Program) (no 2012CB724400)

References

[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002

[2] X HeM Niedermeier andH deMeer ldquoDynamic keymanage-ment in wireless sensor networks a surveyrdquo Journal of Networkand Computer Applications vol 36 no 2 pp 611ndash622 2013

[3] R Riaz A Naureen A Akram A H Akbar K H Kim and HFarooq Ahmed ldquoA unified security framework with three keymanagement schemes for wireless sensor networksrdquo ComputerCommunications vol 31 no 18 pp 4269ndash4280 2008

[4] C Intanaonwiwat R Govindan and D Estrin ldquoDirected dif-fusion a scalable and robust communication paradigm forsensor networksrdquo in Proceedings of the 6th Annual ACMIEEEInternational Conference on Mobile Computing and Networking(MobiCom rsquo00) pp 56ndash67 ACMIEEE Boston Mass USAAugust 2000

[5] AManjeshwar andD PAgrawal ldquoTEEN a routing protocol forenhanced efficiency in wireless sensor networksrdquo in Proceedingsof the 15th International Parallel andDistributed Processing Sym-posium (IPDPS rsquo01) pp 2009ndash2015 IEEEComputer Society SanFrancisco Calif USA April 2001

[6] A Perrig R Szewczyk V Wen D Culler and J D TygarldquoSPINS security protocols for sensor networksrdquo in Proceedingsof the 7th Annual International Conference onMobile Computingand Networking (Mobicom rsquo01) pp 189ndash199 Rome Italy July2001

[7] W Du J Deng Y S Han and P K Varshney ldquoA pairwisekey pre-distribution scheme for wireless sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 42ndash51 ACM PressWashington DC USA October 2003

[8] H Chan A Perrig and D Song ldquoRandom key predistributionschemes for sensor networksrdquo in Proceedings of the IEEESymposium on Security and Privacy pp 197ndash213 Oakland CalifUSA May 2003

[9] H O Sanli S Ozdemir and H Cam ldquoSRDA secure reference-based data aggregation protocol for wireless sensor networksrdquoin Proceedings of the IEEE 60th Vehicular Technology Conference(VTC rsquo04) pp 406ndash410 IEEE Los Angeles Calif USA 2004

[10] T Dimitriou and I Krontiris ldquoA localized distributed protocolfor secure information exchange in sensor networksrdquo in Pro-ceedings of the 19th IEEE International Parallel and DistributedProcessing Symposium (IPDPS rsquo05) pp 37ndash45 IEEE April 2005

10 Mobile Information Systems

[11] S Zhu S Setia and S Jajodia ldquoLEAP efficient security mech-anisms for large-scale distributed sensor networksrdquo in Proceed-ings of the 10th ACM Conference on Computer and Communica-tions Security (CCS rsquo03) pp 62ndash72 ACM New York NY USAOctober 2003

[12] J Shen and L Xu ldquoCluster-based key pre-distribution sehemefor wireless sensor networksrdquo Journal ofWuhanUniversity Nat-ural Science Edition vol 55 no 1 pp 117ndash120 2009 (Chinese)

[13] X Huang M Yang and S-S Lv ldquoSecure and efficient key man-agement protocol for wireless sensor network and simulationrdquoJournal of System Simulation vol 20 no 7 pp 1898ndash1903 2008

[14] X Chen J Li J Ma Q Tang and W Lou ldquoNew algo-rithms for secure outsourcing of modular exponentiationsrdquo inComputer SecuritymdashESORICS 2012 17th European Symposiumon Research in Computer Security (ESORICS rsquo12) Pisa ItalySeptember 10ndash12 2012 vol 7459 of Lecture Notes in ComputerScience pp 541ndash556 Springer Berlin Germany 2012

[15] L-C Li J-H Li and J Pan ldquoSelf-healing group key man-agement scheme with revocation capability for wireless sensornetworksrdquo Journal on Communications vol 30 no 12 pp 12ndash172009

[16] Z Ming W Suo-ping and X He ldquoDynamic key managementscheme for wireless sensor networks based on clusterrdquo Journalof Nanjing University of Posts and Telecommunications (NaturalScience) vol 32 no 1 2012

[17] G-J Wang T-T Lv and M-Y Guo ldquoTransitory initial key-based key management protocol in wireless sensor networksrdquoChinese Journal of Sensors and Actuators vol 20 no 7 pp 1581ndash1586 2007

[18] Y-F Ciou F-Y Leu Y-L Huang and K Yim ldquoA han-dover security mechanism employing the Diffie-Hellman keyexchange approach for the IEEE80216e wireless networksrdquoMobile Information Systems vol 7 no 3 pp 241ndash269 2011

[19] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grained access control system based on outsourced attribute-based encryptionrdquo in Computer SecuritymdashESORICS 2013 18thEuropean Symposium on Research in Computer Security EghamUK September 9ndash13 2013 Proceedings vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013

[20] A Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols (ICNP rsquo03) pp 326ndash335 Atlanta GaUSA November 2003

[21] W Du Y S Han J Deng and P K Varshney ldquoA pairwisekey pre-distribution scheme for wireless sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 42ndash51 WashingtonDC USA October 2003

[22] D Liu and P Ning ldquoMulti-level 120583TESLA broadcast authenti-cation for distributed sensor networksrdquo ACM Transactions onEmbedded Computing Systems vol 3 no 4 pp 800ndash836 2004

[23] J Li Q Wang C Wang and K Ren ldquoEnhancing attribute-based encryptionwith attribute hierarchyrdquoMobileNetworks andApplications vol 16 no 5 pp 553ndash561 2011

[24] Y S Lee J W Park and L Barolli ldquoA localization algorithmbased on AOA for ad-hoc sensor networksrdquoMobile InformationSystems vol 8 no 1 pp 61ndash72 2012

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Page 9: Research Article Enhanced Key Management Protocols …downloads.hindawi.com/journals/misy/2015/627548.pdf · Research Article Enhanced Key Management Protocols for ... xed infrastructures.

Mobile Information Systems 9

the target area the attacker will succeed in making node119860 asa sinkhole Since the number of hops between node 119861 and thebase station turns smaller node 119861will be especially attractiveto surrounding nodes In practice the location of base stationis usually static When the network is constructed topologywill be known to the entire network and then sensor nodeswill know the approximate number of hops from the basestation Thus it is difficult for an attacker to make a veryattractive sinkhole in the WSN without being detected

74 Conclusion This paper proposes a basic keymanagementprotocol based on initial secure time which assumes thatthe attacker cannot compromise a node in a short timeIt satisfies various security requirements of WSNs usingthe combination of four kinds of secure keys Meanwhilethe erasure and update mechanism of keys is important tosupport network security

To further improve the security of the basic schemean enhanced protocol based on Diffie-Hellman algorithmis proposed which avoids storing the master key in sensornodes so as to restrict the security impact of a captured nodeto the rest network

The proposed protocol achieves high communication andenergy efficiency by supporting in-network data processingand enhances the network security through strict authenti-cation and encryption mechanisms Compared to originalideas the proposed scheme improves not only the networksecurity but also the extensibility of WSNs

This paper presents a proposal for key establishment andachieves security mainly based on the combining applicationof four kinds of keys This is a critical step and how to usesuch keys to found a protection mechanism is a focus in ourfuture research

Notations

119873 The number of nodes in the network119860 119861 Two communicating nodes in the network

(also represents the node identifier)119891(119870119860) Calculate with parameter 119860 using the key

119870 in pseudorandom function 119891119867(119870) One-way hash function to generate a

chain of keys using the seed119870MAC119870(119898) Message authentication code (MAC) of

message119898 using MAC key 119870119870 The master key only possessed by base

station119870119860 Individual key of node 119860

119864119870(119898) Encryption of message119898 with a

symmetric key 1198701198721| 1198722 Concatenation of the sequences119872

1and

1198722

119860 rarr 119861 119872 Node 119860 sends a message119872 to node 119861119860 rarr lowast 119872 Node 119860 sends a local broadcast message

119872 to all its neighborsℎ(119898) Calculate hash value of message119898

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work was supported by National ratural Science Foun-dation of China (nos 61170268 61100047 and 61272493)International SampTCooperation Special Projects of China (no2013DFG72850) and The National Basic Research Programof China (973 Program) (no 2012CB724400)

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "Wireless sensor networks: a survey," Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.

[2] X. He, M. Niedermeier, and H. de Meer, "Dynamic key management in wireless sensor networks: a survey," Journal of Network and Computer Applications, vol. 36, no. 2, pp. 611–622, 2013.

[3] R. Riaz, A. Naureen, A. Akram, A. H. Akbar, K. H. Kim, and H. Farooq Ahmed, "A unified security framework with three key management schemes for wireless sensor networks," Computer Communications, vol. 31, no. 18, pp. 4269–4280, 2008.

[4] C. Intanaonwiwat, R. Govindan, and D. Estrin, "Directed diffusion: a scalable and robust communication paradigm for sensor networks," in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), pp. 56–67, ACM/IEEE, Boston, Mass, USA, August 2000.

[5] A. Manjeshwar and D. P. Agrawal, "TEEN: a routing protocol for enhanced efficiency in wireless sensor networks," in Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS '01), pp. 2009–2015, IEEE Computer Society, San Francisco, Calif, USA, April 2001.

[6] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (Mobicom '01), pp. 189–199, Rome, Italy, July 2001.

[7] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM Press, Washington, DC, USA, October 2003.

[8] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, Oakland, Calif, USA, May 2003.

[9] H. O. Sanli, S. Ozdemir, and H. Cam, "SRDA: secure reference-based data aggregation protocol for wireless sensor networks," in Proceedings of the IEEE 60th Vehicular Technology Conference (VTC '04), pp. 406–410, IEEE, Los Angeles, Calif, USA, 2004.

[10] T. Dimitriou and I. Krontiris, "A localized distributed protocol for secure information exchange in sensor networks," in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), pp. 37–45, IEEE, April 2005.

[11] S. Zhu, S. Setia, and S. Jajodia, "LEAP: efficient security mechanisms for large-scale distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 62–72, ACM, New York, NY, USA, October 2003.

[12] J. Shen and L. Xu, "Cluster-based key pre-distribution scheme for wireless sensor networks," Journal of Wuhan University. Natural Science Edition, vol. 55, no. 1, pp. 117–120, 2009 (Chinese).

[13] X. Huang, M. Yang, and S.-S. Lv, "Secure and efficient key management protocol for wireless sensor network and simulation," Journal of System Simulation, vol. 20, no. 7, pp. 1898–1903, 2008.

[14] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security (ESORICS '12), Pisa, Italy, September 10–12, 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[15] L.-C. Li, J.-H. Li, and J. Pan, "Self-healing group key management scheme with revocation capability for wireless sensor networks," Journal on Communications, vol. 30, no. 12, pp. 12–17, 2009.

[16] Z. Ming, W. Suo-ping, and X. He, "Dynamic key management scheme for wireless sensor networks based on cluster," Journal of Nanjing University of Posts and Telecommunications (Natural Science), vol. 32, no. 1, 2012.

[17] G.-J. Wang, T.-T. Lv, and M.-Y. Guo, "Transitory initial key-based key management protocol in wireless sensor networks," Chinese Journal of Sensors and Actuators, vol. 20, no. 7, pp. 1581–1586, 2007.

[18] Y.-F. Ciou, F.-Y. Leu, Y.-L. Huang, and K. Yim, "A handover security mechanism employing the Diffie-Hellman key exchange approach for the IEEE802.16e wireless networks," Mobile Information Systems, vol. 7, no. 3, pp. 241–269, 2011.

[19] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, "Fine-grained access control system based on outsourced attribute-based encryption," in Computer Security – ESORICS 2013: 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013, Proceedings, vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013.

[20] A. Zhu, S. Xu, S. Setia, and S. Jajodia, "Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach," in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP '03), pp. 326–335, Atlanta, Ga, USA, November 2003.

[21] W. Du, Y. S. Han, J. Deng, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, Washington, DC, USA, October 2003.

[22] D. Liu and P. Ning, "Multi-level μTESLA: broadcast authentication for distributed sensor networks," ACM Transactions on Embedded Computing Systems, vol. 3, no. 4, pp. 800–836, 2004.

[23] J. Li, Q. Wang, C. Wang, and K. Ren, "Enhancing attribute-based encryption with attribute hierarchy," Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011.

[24] Y. S. Lee, J. W. Park, and L. Barolli, "A localization algorithm based on AOA for ad-hoc sensor networks," Mobile Information Systems, vol. 8, no. 1, pp. 61–72, 2012.
