8/10/2019 WSN - Copy
1/109
Security in Wireless Sensor
Networks: Key Management Approaches
Vasyl A. Radzevych and Sunu Mathew
Overview
Wireless Sensor Networks (WSN)
Security issues in WSN
Key management approaches in WSN: Overview
Pre-Deployed Keying
Key pre-deployment
Key derivation information pre-deployment
Location aware pre-deployed keying
Random Key Pre-deployment (P-RKP)
Key derivation information pre-deployment
Autonomous protocols
Pairwise asymmetric (public key)
Arbitrated protocols
Identity based group keying
Conclusions
Sensor Networks
Sensor network is composed of a
large number of sensor nodes
Sensor nodes are small, low-cost,
low-power devices that have the following
functionality:
communicate on short distances
sense environmental data
perform limited data processing
Network usually also contains a sink node which connects it to the outside
world
Applications
WSN can be used to monitor the conditions of various
objects / processes. Some examples:
Military: friendly forces monitoring, battlefield surveillance, biological attack detection, targeting, battle damage assessment
Ecological: fire detection, flood detection, agricultural uses
Health related: human physiological data monitoring
Miscellaneous: car theft detection, inventory control, habitat monitoring, home applications
Sensors are densely deployed either inside or very close
to the monitored object / process
Attacks on WSN
Main types of attacks on WSN are:
spoofed, altered, or replayed routing information
selective forwarding
sinkhole attack
sybil attack
wormholes
HELLO flood attacks
acknowledgment spoofing
False routing information
Injecting fake routing
control packets into the
network, examples:
attract / repel traffic,
generate false error messages
Consequences: routing
loops, increased latency,
decreased lifetime of the network, low reliability
Example: captured node attracts
traffic by advertising shortest path
to sink, high battery power, etc
Selective forwarding
Multi hop paradigm is prevalent in WSN
It is assumed that nodes faithfully forward received
messages
Compromised node might refuse to forward packets, however neighbors might start using another route
More dangerous: compromised node forwards selected
packets
Sinkhole and Sybil attacks
Sinkhole attack:
Idea: attacker creates metaphorical sinkhole by advertising for
example high quality route to a base station
Laptop class attacker can actually provide this kind of route
connecting all nodes to real sink and then selectively drop
packets
Almost all traffic is directed to the fake sinkhole
WSN are highly susceptible to this kind of attack because of
the communication pattern: most of the traffic is directed
towards sink: single point of failure
Sybil attack:
Idea: a single node pretends to be present in different parts of
the network.
Mostly affects geographical routing protocols
Wormholes
Idea: tunnel packets received on one part of the network to another
Well placed wormhole can
completely disorder routing
Wormholes may convince distant nodes that they are close to sink. This
may lead to sinkhole if node on the other end advertises high-quality route to sink
Wormholes (cont.)
Wormholes can exploit routing race conditions which happen when a node takes routing decisions based on the first route advertisement
Attacker may influence network topology by delivering routing
information to the nodes before it would really reach them by multi hop routing
Even encryption can not prevent this attack
Wormholes may convince two nodes that they are neighbors when in fact they are far away from each other
Wormholes may be used in conjunction with sybil attack
Overview of Countermeasures
Link layer encryption prevents majority of attacks: bogus routing
information, Sybil attacks, acknowledgment spoofing, etc.
This makes the development of an appropriate key management
architecture a task of a great importance
Wormhole attack, HELLO flood attacks and some others are still
possible: attacker can tunnel legitimate packets to the other part
of the network or broadcast large number of HELLO packets
Multi path routing, bidirectional link verification can also be used
to prevent particular types of attacks like selective forwarding,
HELLO flood
Key management: goals
The protocol must establish a key between all sensor nodes
that must exchange data securely
Node addition / deletion should be supported
It should work in undefined deployment environment
Unauthorized nodes should not be allowed to establish
communication with network nodes
Key management: constraints
Sensor node constraints:
Battery power
Computational energy consumption
Communication energy consumption
Transmission range
Memory
Tamper protection
Sleep pattern
Network constraints:
Ad-hoc network nature
Packet size
Key management:
evaluation/comparison metrics
Resilience against node capture: how many nodes are to be compromised in order to affect traffic of not compromised nodes?
Addition: how complicated is dynamic node addition?
Revocation: how complicated is dynamic node revocation?
Supported network size: what is the maximum possible size of the network?
Note: since WSN can be used in a lot of different ways it is not reasonable to look for one key management approach to suit all needs: 20 000 node network deployed from the
airplane over a battle field has quite different requirements from 10 node network installed to guard the perimeter of the house
Key management approaches
classification
Approaches to be discussed
Pre-deployed keying:
Key pre-deployment
Straightforward approaches
Eschenauer / Gligor random key pre-deployment
Chan / Perrig q-composite approach
Zhu / Xu approach
DiPietro smart attacker model and PRK protocol
Key derivation information pre-deployment
Liu / Ning polynomial pre-deployment
Self-enforcing autonomous approaches
Pairwise asymmetric (public key)
Arbitrated protocols
Identity based hierarchical keying
Straight forward approaches
Single mission key is obviously unacceptable
Pairwise private key sharing between every two nodes is
impractical because of the following reasons:
it requires pre-distribution and storage of n-1 keys in each node
which is n(n-1)/2 per WSN.
most of the keys would be unusable since direct communication
is possible only in the nodes neighborhood
addition / deletion of the node and re-keying are complex
Basic probabilistic approach
Due to Eschenauer and Gligor
Relies on probabilistic key sharing among nodes of WSN
Uses simple shared-key discovery protocol for key
distribution, revocation and node re-keying
Three phases are involved: key pre-distribution, shared-key
discovery, path-key establishment
Key pre-distribution
Generate a large key pool P (2^17 - 2^20 keys) and corresponding
key identifiers
Create n key rings by randomly selecting k keys from P
Load key rings into nodes' memory
Save key identifiers of a key ring and associated node
identifier on a controller
For each node load a key which it shares with a base station
Shared-key discovery
Takes place during initialization phase after WSN deployment. Each node discovers its neighbor in communication range with which it shares at least one key
Nodes can exchange ids of keys that they possess and in this
way discover a common key
A more secure approach would involve broadcasting a
challenge for each key in the key ring such that each challenge is encrypted with some particular key. The decryption of a challenge is possible only if a shared key
exists
Path-key establishment
During the path-key establishment phase path-keys are assigned to selected pairs of sensor nodes that are within communication range of each other, but do not share a key
Node may broadcast the message with its id, id of intended
node and some key that it possesses but does not currently use, to all nodes with which it currently has an established link. Those nodes rebroadcast the message to their neighbors
Once this message reaches the intended node (possibly through a long path) this node contacts the initiator of path
key establishment
Analysis shows that after the shared-key discovery phase a
number of keys on a key ring are left unused
Simulation results
Path length to neighbors
1000 nodes, 40 nodes neighborhood, P=10000
number of hops
Resiliency to node capture
More robust than approaches that use single mission key
In case node is captured k
WSN connectivity
Two nodes are connected if they share a key
Full connectivity of WSN is not required because of the limited
communication capabilities of the sensor nodes
Two important questions:
What should be the expected degree of a node so that WSN is
connected?
Given expected degree of a node what values should the key
ring size, k, and pool, P, have for a network of size n so that
WSN is connected?
Random-graph theory helps in answering the first question
Random graphs
A random graph G(n,p) is a graph of n nodes for which the
probability that a link between any two nodes exists is p
Question: what value should p have so that it is almost
certainly true that graph G(n,p) is connected?
Erdos-Renyi formula:
$P_c = \lim_{n \to \infty} \Pr[G(n,p) \text{ is connected}] = e^{-e^{-c}}$ (1)
where $p = \frac{\ln(n)}{n} + \frac{c}{n}$ (2)
Pc is a desired probability for the graph connectivity
Based on the formulas above p and d=p(n-1) can be found
(d-expected degree of a node)
Random-graphs (cont.)
Expected degree of node vs. number of nodes, where
Pc=Pr[G(n,p) is connected]
Key ring and key pool size (cont.)
Probability of sharing at least one key when two nodes
choose k keys from a pool of size P
Key ring and key pool size: example
WSN contains n=10000 nodes, desired probability of network connectivity is Pc=0.99999, communication range supports 40 nodes neighborhoods
According to the formula (1) c=11.5, therefore p=2*10^-3
d=2*10^-3*9999=20
This means that if each node can communicate with on
average 20 other nodes the network will be connected
p=20/(40-1)=0.5
According to formula (3) k can be set to 250 and P can be set to 100000
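Added example (not part of the original slides): the sizing calculation above carried through in Python, from Pc to c, p, d and the key-sharing probability a neighbourhood must reach. Formula (3) did not survive on this page, so share_probability() is an assumption: it uses the exact combinatorial form 1 - C(P-k,k)/C(P,k) for two rings drawn at random from the pool; all function names are illustrative.

```python
import math


def c_for_connectivity(pc):
    """Invert formula (1): Pc = exp(-exp(-c))  =>  c = -ln(-ln(Pc))."""
    if not 0.0 < pc < 1.0:
        raise ValueError("Pc must lie strictly between 0 and 1")
    return -math.log(-math.log(pc))


def link_probability(n, c):
    """Formula (2): p = ln(n)/n + c/n."""
    return (math.log(n) + c) / n


def share_probability(k, pool):
    """Probability that two rings of k keys, each drawn without replacement
    from a pool of `pool` keys, have at least one key in common.
    Assumed form (not the page's formula (3)): 1 - C(pool-k, k) / C(pool, k),
    evaluated in log space so large pools do not overflow."""
    if k < 1 or k > pool:
        raise ValueError("ring size must be between 1 and the pool size")
    if 2 * k > pool:
        return 1.0  # pigeonhole: two such rings always overlap
    log_disjoint = sum(math.log((pool - k - i) / (pool - i)) for i in range(k))
    return 1.0 - math.exp(log_disjoint)


def min_ring_size(pool, target):
    """Smallest k whose share probability reaches `target`.
    share_probability grows with k, so a binary search is enough."""
    lo, hi = 1, pool // 2 + 1
    while lo < hi:
        mid = (lo + hi) // 2
        if share_probability(mid, pool) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def size_network(n, pc, neighbours, pool):
    """Reproduce the slide's steps for a network of n nodes where each node
    hears `neighbours` nodes (itself included) and keys come from `pool`."""
    c = c_for_connectivity(pc)
    p = link_probability(n, c)
    d = p * (n - 1)                    # expected degree needed for connectivity
    p_local = d / (neighbours - 1)     # share probability needed among neighbours
    if p_local > 1.0:
        raise ValueError("neighbourhood too small for the required degree")
    return {"c": c, "p": p, "d": d, "p_local": p_local,
            "k_min": min_ring_size(pool, p_local)}


if __name__ == "__main__":
    result = size_network(n=10000, pc=0.99999, neighbours=40, pool=100000)
    for name, value in result.items():
        print(f"{name:8s} {value}")
    print("share probability for k=250, P=100000:",
          round(share_probability(250, 100000), 4))
```

Without the slide's rounding (d=20, p=0.5) the required share probability comes out slightly above 0.5, and the exact form gives a value somewhat below 0.5 for k=250, P=100000.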
q-composite approach
Enhancement of the basic probabilistic approach
Idea: nodes should share q keys instead of only one
Approach:
Key pool P is an ordered set
During initialization phase nodes broadcast ids of keys that
they have
After discovery each node identifies the neighbor with which it
shares at least q keys
Communication key is computed as a hash of all shared keys
Keys appear in hash in the same order as in key pool
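Added example (not from the original slides): a sketch of the q-composite link key derivation described above, with SHA-256 standing in for the unspecified hash and key ids used as the pool order. The pool contents, ring ids and function names are constructed for illustration.

```python
import hashlib


def constructed_pool(size):
    """Constructed sample pool: key i is the first 16 bytes of
    SHA-256("pool-key-i"). A deployed pool would hold random keys."""
    return [hashlib.sha256(f"pool-key-{i}".encode()).digest()[:16]
            for i in range(size)]


def load_ring(pool, key_ids):
    """A node's key ring: {key id: key} for the ids it was given."""
    return {key_id: pool[key_id] for key_id in key_ids}


def link_key(own_ring, neighbour_ids, q):
    """Derive the communication key with a neighbour that broadcast
    `neighbour_ids`. Returns None when fewer than q keys are shared.
    Shared keys are hashed in pool order (ascending key id), so both
    ends feed the hash the same byte string."""
    shared = sorted(set(own_ring) & set(neighbour_ids))
    if len(shared) < q:
        return None
    digest = hashlib.sha256()
    for key_id in shared:
        digest.update(own_ring[key_id])
    return digest.digest()


def link_exposed(captured_key_ids, ring_a_ids, ring_b_ids, q):
    """A link is exposed only when every key shared by its two ends is
    among the keys taken from captured nodes; holding just one of the
    shared keys is not enough to recompute the hash."""
    shared = set(ring_a_ids) & set(ring_b_ids)
    return len(shared) >= q and shared <= set(captured_key_ids)


if __name__ == "__main__":
    pool = constructed_pool(20)
    node_a = load_ring(pool, [15, 1, 9, 4, 7])      # constructed ring
    node_b = load_ring(pool, [4, 9, 12, 15, 18])    # constructed ring
    key_a = link_key(node_a, node_b.keys(), q=2)
    key_b = link_key(node_b, node_a.keys(), q=2)
    print("keys match:", key_a == key_b)
    print("q=4 link possible:", link_key(node_a, node_b.keys(), q=4) is not None)
    print("exposed by keys {4, 9}:", link_exposed({4, 9}, node_a, node_b, 2))
```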
Benefits of q-composite approach
q-composite approach has greater resiliency to node capture than the basic approach if small number of nodes were captured
Simulations show that for q=2, the amount of additional communications compromised when 50 nodes (out of 10000)
have been compromised is 4.74%, as opposed to 9.52% in the basic scheme
However if large number of nodes have been compromised q-composite scheme exposes larger portion of network than the basic approach
The larger q is the harder it is to obtain initial information
Parameter q can be customized to achieve required balance
for a particular network
Zhu / Xu approach
Another modification of the basic probabilistic approach
Major enhancement:
Pseudorandom number generator is used to improve security of
key discovery algorithm
Also uses secret sharing which jointly with logical paths allows
nodes to establish a pairwise key that is exclusively known to the two nodes (in contrast to basic probabilistic approach, where
other nodes might also know some particular key)
Zhu / Xu approach: key pre-
distribution
Background: a pseudo-random number generator, or PRNG, is a random number generator that produces a sequence of values based on a seed and a current state. Given the same seed, a PRNG will always output the same sequence of values.
Key pool P of size l is generated
For each node u, pseudorandom number generator is used to
generate the set of m distinct integers between 1 and l (key ids). Node's unique id u is used as a seed for the generator
Each node is loaded with key ring of size m
Keys for the key rings are selected from key pool P in correspondence with integers (key ids) generated for a particular node by pseudorandom number generator
This allows any node u that knows another node v's id to determine the set of ids of keys that v possesses
Zhu / Xu approach: Logical
path establishment
The keys established in the previous step are not exclusive and consequently not secure enough, however they can be used to establish exclusive key
During the network initialization phase, nodes discover so called logical paths
Nodes can establish a direct path in case they share a common key on their key rings
This can easily be accomplished as was described in the previous slide by discovering common key id
In case nodes do not share a key authors propose a path-key
establishment algorithm similar to one in basic probabilistic approach, the difference is that nodes try to establish several logical paths, which later should help in establishing a pairwise key
Zhu / Xu: pairwise key
establishment
The next step of network initialization is pairwise key establishment
A sender node randomly generates a secret key ks
Then derives n-1 random strings sk1, sk2, ..., skn-1
skn is computed as follows: skn = ks XOR sk1 XOR sk2 XOR ... XOR skn-1
This way a recipient has to receive all n shares in order to
derive a secret key ks
After secret shares are computed, each of them is sent to the recipient using different logical path
Once all shares are received the recipient can confirm the establishment of pairwise key by sending a HELLO message encoded with a new key
Authors provide a framework according to which number of shares and the way they are sent is decided
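Added example (not the authors' code): the two Zhu / Xu mechanisms from the key pre-distribution and pairwise key establishment slides, in Python. The slides do not name the generator, so key_ids() assumes a SHA-256 counter construction seeded with the node id; the function names and sample values are illustrative.

```python
import hashlib
import secrets
from functools import reduce


def key_ids(node_id, m, l):
    """m distinct key ids in 1..l derived only from the node id, so any
    node can recompute a neighbour's id set without exchanging messages.
    Assumed generator: SHA-256 over "node_id:counter" (the slight modulo
    bias is irrelevant to the illustration)."""
    if not 0 < m <= l:
        raise ValueError("need 0 < m <= l")
    chosen, counter = [], 0
    while len(chosen) < m:
        block = hashlib.sha256(f"{node_id}:{counter}".encode()).digest()
        counter += 1
        candidate = int.from_bytes(block[:8], "big") % l + 1
        if candidate not in chosen:      # keep the ids distinct
            chosen.append(candidate)
    return sorted(chosen)


def common_key_ids(u, v, m, l):
    """Ids of the keys nodes u and v both hold (a direct logical path
    exists when this list is not empty)."""
    return sorted(set(key_ids(u, m, l)) & set(key_ids(v, m, l)))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(ks, n):
    """sk1..sk(n-1) are random strings; skn = ks XOR sk1 XOR ... XOR sk(n-1).
    Each share would travel over a different logical path."""
    if n < 2:
        raise ValueError("at least two shares are needed")
    shares = [secrets.token_bytes(len(ks)) for _ in range(n - 1)]
    shares.append(reduce(xor_bytes, shares, ks))
    return shares


def combine_shares(shares):
    """The recipient recovers ks only from the XOR of all n shares."""
    return reduce(xor_bytes, shares)


if __name__ == "__main__":
    m, l = 30, 100                       # constructed ring and pool sizes
    print("node 3 and node 8 share key ids:", common_key_ids(3, 8, m, l))
    ks = secrets.token_bytes(16)
    shares = split_secret(ks, 4)
    print("all shares recover ks:", combine_shares(shares) == ks)
    print("three of four recover ks:", combine_shares(shares[:3]) == ks)
```

Because key_ids() depends only on the public node id, anyone who knows the ids can compute which keys each node holds.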
Further enhancements
So far all the discussed approaches have used one of the
following algorithms for shared-key discovery:
Key id notification
Challenge response
Pseudorandom key id generation
Those algorithms work well against so called oblivious
attacker, the one that randomly selects next sensor to
compromise
What if attacker selects nodes that will allow him to compromise the network faster, based on already obtained
information (key ids)?
This is the case of so called smart attacker
Smart attacker
More precisely smart attacker can be defined as follows:
at each step of the attack sequence, the next sensor to tamper is
sensor s, where s maximizes E[G(s)| I(s)], the expectation of the
key information gain G(s) given the information I(s) the attacker
knows on sensor s's key-ring
Simulations show that Key id notification and pseudorandom
key id generation can be easily beaten by the smart attacker
Challenge response performs better
Simulation results
Experimental results on id notification and pseudorandom key id generation:
Number of sensors to corrupt in order to compromise an arbitrary channel.
Simulation results
Experimental results on challenge response:
Number of sensors to corrupt in order to compromise an arbitrary channel.
PRK algorithm
Why not use challenge response? Inefficient
The goal is to define a key pre-deployment scheme that supports an efficient and secure key discovery phase, as efficient as pseudorandom key id generation (no message exchange) and as secure as challenge response
DiPietro et al. suggested a new algorithm that achieves the above described requirements
PRK algorithm: simulations
Experimental results on PRK algorithm: number of sensors to corrupt in order
to compromise an arbitrary channel. The PRK algorithm is as secure as
challenge response and at the same time as efficient as pseudorandom key id
generation
Background: polynomial based
key pre-distribution
Polynomial based key pre-distribution scheme reduces the
amount of pre-distributed information still allowing each pair of
nodes to compute a shared key
Polynomial based key pre-distribution is -collusion resistant,
meaning that as long as or less nodes are compromised the rest of the network is secure
Utilizes polynomial shares
Polynomial based key pre-
distribution : initialization
Special case: =1
Each node has an id rU which is unique and is a member of
finite field Zp
Three elements a, b, c are chosen from Zp
Polynomial f(x,y) = (a + b(x + y) + cxy) mod p is generated
For each node polynomial share gu(x) = (an + bn x) mod p
where an = (a + b rU) mod p and bn = (b + c rU) mod p is formed
and pre-distributed
Polynomial based key pre-
distribution : key discovery
In order for node U to be able to communicate with node V
the following computations have to be performed:
Ku,v = Kv,u = f(ru,rv) = (a + b(ru+rv) + c ru rv) mod p
U computes Ku,v = gu(rv)
V computes Kv,u = gv(ru)
Polynomial based key pre-
distribution : example
Example:
3 nodes: U, V, W, with the following ids 12, 7, 1 respectively
p=17 (chosen parameter)
a=8, b=7, c=2 (chosen parameters)
Polynomial f(x,y) = 8+7(x+y)+2xy
g polynomials are gu(x) = 7 + 14x, gv(x) = 6 + 4x,
gw(x) = 15+9x
Keys are Ku,v=3, Ku,w=4, Kv,w=10
U computes Ku,v = gu(rv) = (7+14*7) mod 17 = 3
V computes Kv,u = gv(ru) = (6+4*12) mod 17 = 3
Polynomial based key pre-
distribution : generalization
Polynomial based key pre-distribution scheme can be generalized to any by changing polynomials in the following way:
$f(x,y) = \sum_{i,j=0} a_{ij} x^i y^j \bmod p; \quad f(x,y) = f(y,x)$
$g_u(x) = f(x, r_u) \bmod p = \sum_{i=0} a_{ui} x^i$
f(x,y) is a randomly generated, bivariate -degree, symmetric polynomial over finite field Zp, pn is prime
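Added example (not part of the original slides): polynomial share generation and key discovery for a symmetric bivariate polynomial of any degree, checked against the p=17 worked example above. It goes beyond the degree-1 special case on the slides; the degree parameter is called t here as an assumption, and all function names are illustrative.

```python
import secrets


def random_symmetric_poly(t, p):
    """Coefficient matrix a[i][j] of f(x,y) = sum a[i][j] x^i y^j mod p,
    with a[i][j] == a[j][i] so that f(x,y) == f(y,x). `t` (assumed name)
    is the degree in each variable."""
    coeffs = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            coeffs[i][j] = coeffs[j][i] = secrets.randbelow(p)
    return coeffs


def make_share(coeffs, node_id, p):
    """Coefficients of g_u(x) = f(x, r_u) mod p for the node with id r_u.
    This list is all that is pre-distributed to the node."""
    size = len(coeffs)
    for i in range(size):
        for j in range(size):
            if coeffs[i][j] != coeffs[j][i]:
                raise ValueError("polynomial is not symmetric")
    return [sum(coeffs[i][j] * pow(node_id, j, p) for j in range(size)) % p
            for i in range(size)]


def pairwise_key(share, peer_id, p):
    """K = g_u(r_v) mod p, evaluated with Horner's rule."""
    acc = 0
    for coef in reversed(share):
        acc = (acc * peer_id + coef) % p
    return acc


def deploy(coeffs, node_ids, p):
    """Setup server step: one share per node id."""
    if len(set(node_ids)) != len(node_ids):
        raise ValueError("node ids must be unique")
    return {node_id: make_share(coeffs, node_id, p) for node_id in node_ids}


# The slide's example: f(x,y) = 8 + 7(x+y) + 2xy over Z_17, ids U=12, V=7, W=1.
PAGE_P = 17
PAGE_POLY = [[8, 7],
             [7, 2]]
PAGE_IDS = {"U": 12, "V": 7, "W": 1}

if __name__ == "__main__":
    shares = deploy(PAGE_POLY, list(PAGE_IDS.values()), PAGE_P)
    for name, node_id in PAGE_IDS.items():
        print(f"g_{name.lower()} coefficients:", shares[node_id])
    print("K_uv as computed by U:", pairwise_key(shares[12], 7, PAGE_P))
    print("K_vu as computed by V:", pairwise_key(shares[7], 12, PAGE_P))

    # Constructed larger case: degree 3 over the prime 2^31 - 1.
    p = 2**31 - 1
    poly = random_symmetric_poly(3, p)
    big = deploy(poly, [5, 1234, 99999], p)
    print("degree-3 keys agree:",
          pairwise_key(big[5], 1234, p) == pairwise_key(big[1234], 5, p))
```

The 17-element field is the slide's toy parameter; keys from it are only useful for checking the arithmetic.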
Liu-Ning approach
Combination of polynomial-based key pre-distribution and the key pool idea discussed above
Increases network resilience to node capture
Can tolerate no more than compromised nodes, where is constrained by the size of memory of a node
Idea: use a pool of randomly generated polynomials
When pool contains only one polynomial the approach degenerates to basic polynomial based key pre-distribution scheme
When all polynomials are of degree 0 the approach
degenerates to key pool approach
Three phases are involved: setup, direct key establishment,
path key establishment
Setup phase
Set F of bivariate -degree polynomials over finite field Fq is
generated
Each polynomial is assigned a unique id
For each sensor node a subset of s polynomials is randomly
chosen from F
For each polynomial in the chosen subset a polynomial share
is loaded into node's memory
Direct key establishment
phase
During this phase all possible direct links are established
A node can establish a direct link with another node if they both share a polynomial share of a particular polynomial
How to find common polynomial? Use above discussed approaches
Path key establishment phase
If direct connection establishment fails nodes have to start path key establishment phase
Nodes need to find a path such that the intermediate nodes share a common key
Node may broadcast the message with polynomial ids that it possesses to all nodes with which it currently has an established link
Once this message reaches the intended node (possibly through a long path) this node computes a key and contacts
the initiator of path key establishment
Drawback: may introduce considerable communication
overhead
Simulation results
The probability p that 2 sensors share a polynomial vs
size s of the polynomial pool (s number of polynomial
shares in each sensor)
Simulation results: comparison
with already discussed
approaches
Fraction of compromised links between non compromised nodes
vs number of compromised nodes
(20000 nodes, nodes can store equivalent of 200 keys)
Grid-based key pre-
distribution
Instance of general framework discussed above
Benefits:
Guarantees that any two nodes can establish a pairwise
key, if no nodes were compromised
Allows a sensor to directly determine whether it can
establish a pairwise key with another node and which
polynomial to use in case of positive answer
Subset assignment
2m -degree polynomials $F = \{f^r_i(x,y), f^c_i(x,y)\}_{i=0,\dots,m-1}$ are generated
, where Nm
and N is the size of the network
Each row of the grid is associated with polynomial $f^r_i(x,y)$
and each column is associated with polynomial $f^c_i(x,y)$
For each sensor an unoccupied intersection (i, j) of the grid
is selected and assigned to the node
Subset assignment (cont.)
The id of the node is created by concatenation of binary
representations of i and j. ID=< ib:: jb >
Intersections should be densely selected within a rectangle
area of the grid
Polynomial shares of corresponding (row / column) polynomials together with id are pre-distributed to each node
Node assignment in the grid
Polynomial share discovery
To establish a pairwise key with node j, node i checks
whether ci=cj or ri=rj
If either condition holds, nodes have a polynomial share of
the same polynomial, consequently they can compute a
common key directly
Otherwise nodes have to go through path discovery
Path discovery
Idea: nodes can use intermediate nodes to help in establishing a common key
The intermediate node should be located in either the same row / column as first node or same column / row as a second node
This way intermediate node definitely shares a polynomial with both nodes
Note: there are only two of such intermediate nodes for each pair of nodes
What if both of them are compromised / unreachable?
The path through the grid should be established
Authors developed an efficient protocol to accomplish this
The main idea of the protocol is that intermediate nodes try to forward the request to the node that is located in the same row / column as a destination
Path discovery: example
Establishing a path through the grid
Public key infrastructure
The limited computation and power resources of sensor
nodes often make it undesirable to use existing public-key
algorithms, such as Diffie-Hellman key agreement or
RSA signatures
Public key scheme for WSN
Is it possible to develop a public key infrastructure suitable for wireless sensor networks?
Recent studies show that it is still possible to utilize public key ideas for the purposes of securing WSN
Gaubatz et al. developed an ultra low power implementation of Rabin's Scheme and NtruEncrypt Algorithm
Authors have demonstrated that it is possible to design public key encryption architectures with power consumption of less than 20 mW using the right selection of algorithms and associated parameters, optimization and low power
techniques
The details of solutions will not be discussed, since it mainly
involves VLSI / circuit design
Arbitrated keying protocols:
system model
According to the model, network consists of three types of
nodes: command node, gateways and regular sensor nodes
Gateways partition the network into distinct clusters as follows
Arbitrated keying protocols:
node requirements
Sensor nodes
Are equipped with GPS modules and can determine their location
during bootstrapping
Remain stationary
Gateways
Can unicast / broadcast information to other gateways on the
network
Can establish the group key using a group key agreement
protocol
Command node
Is assumed to be secure and is trusted by all of the nodes in the
sensor network
Identity based hierarchical keying:
initialization phase (description)
Description of the initialization phase:
Prior to deployment each gateway is assigned |S|/|G| keys, where
|S| is the number of sensors on the network and |G| is the
number of gateways
Each sensor is preloaded with id of the gateway with which it shares a key
After deployment each gateway forms a cluster using cluster
formation algorithm and acquires the keys of the sensors in its
cluster from the other gateways
After key exchange is performed each gateway erases keys of sensors that do not belong to its cluster
Identity based hierarchical keying:
initialization phase (protocol)
Each sensor Si broadcasts its id (idSi) and id (idGj) of the gateway with which it shares a key
After clustering each gateway identifies the set of sensors that belong to its cluster {id}i and broadcasts it to other gateways
Clustering process is performed
Each gateway Gj replies to Gi with the set of keys and
corresponding sensor ids {(K_{Sk,Gj}, id_{Sk})}i
On the last step, each sensor receives a message that assigns
it to the gateway
Identity based hierarchical
keying: node addition
Each new sensor is preloaded with two keys as other sensors
Command node transmits the list of (identifier, key) pairs to a
randomly selected gateway Gh, which becomes the gateway that
shares the keys of the new sensors:
Each added node broadcasts a hello message (same as on
initialization phase)
Clustering mechanism adjusts itself
Each gateway broadcasts the sensors in its range to the
gateways in G, requesting the keys for those sensors
Identity based hierarchical
keying: node addition (cont.)
Gh responds to those requests
Each new sensor Si is assigned to the gateway Gi
Identity based hierarchical
keying: node revocation
If a group of sensors are compromised, they can be trivially evicted from the command node's sensor list by the command node, as well as from their cluster by the gateway.
Gateway revocation is slightly more complicated
Command node evicts gateway G from the list of gateways
and chooses a head gateway Gh randomly
Command node sends the identifiers of each sensor and their
new gateway Gi to Gh
Also the new keys that sensors share with Gi are sent
Identity based hierarchical
keying: simulations
Distribution of sensor energy consumption with our
approach.
Location Aware Key
Management for WSN
Problem:
How to pick a large key pool while still maintaining high
connectivity? (i.e. maintain resilience while ensuring connectivity)
(e.g. 100,000 vs 200)
Solution:
Exploit Location information (Deployment Knowledge)
Du et al. Infocom 2004. Exploit Location Knowledge for P-RKP
Huang et al. SASN 2004. Exploit Location Knowledge for SK-RKP
Location Aware Purely Random
Key Predistribution (P-RKP)
Du et al. (IEEE Infocom 2004)
Improves Random Key Predistribution (Eschenauer and Gligor)
by exploiting Location Information.
Studies a Gaussian distribution for deployment of Sensor nodes
to improve security and memory usage.
Location Aware Purely Random
Key Predistribution (P-RKP)
Rectangular Deployment area (X x Y)
General Deployment Model (Individual)
Current predeployment schemes assume pdf for location f(x,y) as
1/XY.
Group based Deployment Model.
Group based Deployment Model:
N sensor nodes divided into t x n equal size groups. Group G(i,j)
has deployment point x(i,j).
Deployment points arranged in a grid
Resident points of node k follow pdf
Location Aware Purely Random
Key Predistribution (P-RKP)
Groups select from key group S (i,j)
Probability node is in a certain group is (1 / tn).
njtiSS ji ..1,,...1,,
Location Aware Purely Random
Key Predistribution (P-RKP)
Key sharing graphs used to enable connectivity
Use flooding to find secure path (Limit to 3 hops)
Setting up the key pools
Two horizontally or vertically neighboring pools share a|Sc| keys
where 0
Location Aware Purely Random
Key Predistribution (P-RKP)
Location Aware Purely Random
Key Predistribution (P-RKP)
Key Assignment for Key Pools
For group $S_{1,1}$, select $|S_c|$ keys from the global key pool S,
then remove these keys from S.
For group $S_{1,j}$, $j = 2,\dots,n$, select $a \cdot |S_c|$ keys from pool $S_{1,j-1}$,
then select $w = (1-a) \cdot |S_c|$ keys from global pool S
For group $S_{i,j}$, $i = 2,\dots,t$, $j = 1,\dots,n$, select $a \cdot |S_c|$ keys from each of the key
pools $S_{i-1,j}$ and $S_{i,j-1}$ if they exist; select $b \cdot |S_c|$ keys from
each of the key pools $S_{i-1,j-1}$ and $S_{i-1,j+1}$ if they exist; then
select w keys from the global key pool S, and remove these w keys
from S.
Location Aware Purely Random
Key Predistribution (P-RKP)
Determining |Sc|
When |S| = 100,000, t = n = 10, a = 0.167, b = 0.083
|Sc| = 1770
Location Aware Purely Random
Key Predistribution (P-RKP)
Performance Evaluation
Evaluation Metrics
Connectivity (Local and Global)
Communication overhead
Resilience against node capture
System configuration
|S| = 100,000. N = 10,000.
Deployment area = 1000m x 1000m
T =n =10m. Each grid is 100m x 100m. Center of grid is deployment point. Wireless communication
range is 40m.
Location Aware Purely Random
Key Predistribution (P-RKP)
Location Aware Purely Random
Key Predistribution (P-RKP)
Local Connectivity
Plocal = Pr(B(n1,n2)|A(n1,n2))
Probability node is in a certain group is (1 / tn)
Probability that nodes i and j have local connectivity is
1) Probability that n_i and n_j share a key (p-lambda) *
2) Probability that n_j resides around the point Z(x,y) *
3) Probability that n_j is a neighbor of n_i
Plocal is the average of this value across the whole region
Location Aware Purely Random
Key Predistribution (P-RKP)
Performance: Local connectivity
With 100 keys, location management improves local connectivity
from 0.095 to 0.687
Location Aware Purely Random
Key Predistribution (P-RKP)
Global connectivity
Only simulation results are available
Location Aware Purely Random
Key Predistribution (P-RKP)
Communication overhead
Path needed when two neighbours cannot find a common key.
ph(i) is the probability that the smallest number of hops needed to
connect two neighbouring nodes is i. i is at most 3.
Location Aware Purely Random
Key Predistribution (P-RKP)
Resilience against node capture
Fraction of additional communication (among uncaptured nodes) that can be compromised based on capture of x nodes.
Location of the x captured nodes affects results.
Assume random location of x nodes (unrealistic)
Location knowledge significantly improves network resilience
1 - (1 - m/|S|)^x
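The resilience claim above, worked through with the deck's own numbers, as an added example that is not part of the original slides. It assumes m = 100 (from "With 100 keys"), models the scheme without location knowledge as rings of m keys drawn uniformly from the whole pool S, and reads the slide's expression as 1 - (1 - m/|S|)^x; all function names are hypothetical.

```python
import math

POOL = 100_000  # |S| from the system configuration slide
RING = 100      # m: "With 100 keys" on the local connectivity slide
TARGET = 0.687  # local connectivity reported with location knowledge

def share_prob(pool, m):
    """P(two rings of m distinct keys, drawn uniformly from the pool, share a key)."""
    if 2 * m > pool:
        return 1.0  # pigeonhole: the rings must overlap
    # 1 - C(pool-m, m) / C(pool, m), in log space to avoid huge factorials
    log_disjoint = (2 * math.lgamma(pool - m + 1)
                    - math.lgamma(pool + 1) - math.lgamma(pool - 2 * m + 1))
    return 1.0 - math.exp(log_disjoint)

def ring_size_for(pool, target):
    """Smallest m with share_prob(pool, m) >= target (share_prob grows with m)."""
    lo, hi = 1, pool // 2 + 1
    while lo < hi:
        mid = (lo + hi) // 2
        if share_prob(pool, mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo

def fraction_compromised(pool, m, x):
    """Slide formula 1 - (1 - m/|S|)^x for x randomly captured nodes."""
    return 1.0 - (1.0 - m / pool) ** x

def compare(captured=(10, 50, 100)):
    """Rows of (x, fraction with m=RING, fraction with the larger flat-pool ring)."""
    # Assumption: both schemes are held at the same local connectivity (TARGET).
    m_flat = ring_size_for(POOL, TARGET)
    return m_flat, [(x, fraction_compromised(POOL, RING, x),
                     fraction_compromised(POOL, m_flat, x)) for x in captured]

if __name__ == "__main__":
    print(f"flat pool, m={RING}: p_share = {share_prob(POOL, RING):.3f}")
    m_flat, rows = compare()
    print(f"flat pool needs m={m_flat} to reach p_share = {TARGET}")
    for x, with_loc, without_loc in rows:
        print(f"x={x:3d}  m={RING}: {with_loc:.3f}   m={m_flat}: {without_loc:.3f}")
```

The first printed value reproduces the 0.095 baseline quoted on the local connectivity slide; the table shows how much more of the pool each captured node exposes when the ring has to grow to reach the same connectivity without deployment knowledge.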
Location Aware Structured Key
Random Key Predistribution (SK-RKP)
Huang et al. (SASN 2004)
Claims random node capture assumption too weak (selective capture possible)
Grid-group deployment scheme. Introduces the node fabrication attack
Uses location based information and a structured key pool
Claims fewer number of keys and resilience to selective node capture and node fabrication attacks
Location Aware SK-RKP
P-RKP vs SK-RKP
Robustness of both weakened by selective node capture attack
Location Aware SK-RKP
Both are also weakened by node fabrication attack
P-RKP: By capturing two nodes, attacker can fabricate and deploy (2m new nodes.
SK-RKP is harder to compromise (still possible)
Grid-Group Deployment Scheme
Partition N sensors into i.j groups with n_z sensors in each group
Assign the identifier [(i,j),b] to each sensor in the group G(i,j), where b = 1, ..., N
Assign m keys to each sensor in group G(i,j)
Uniformly distribute the sensors for the group G(i,j) in zone Z(i,j)
Location Aware SK-RKP
Key establishment within the same zone
Each sensor, say [(i,j),b], broadcasts identifier [(i,j),b] and key space identifiers [ , ]
For each neighbor, sensor adds a link in key-graph if they share a key.
Sensor broadcasts list of neighbors who share key-space with it. Uses similar messages from others to expand key-graph.
Source routing to request and establish pairwise keys with all its neighbors.
1 2
Key establishment within adjacent zones
Each sensor broadcasts desired node list (of nodes in the adjacent zone)
A neighbor of the requestor within the same zone who already shares a key with the nodes
For each neighbor, sensor adds a link in key-graph if they share a key
Sensor broadcasts list of neighbors who share key-space with it. Uses similar messages from others to expand key-graph.
Source routing to request and establish pairwise keys with all its neighbors.
Performance Analysis
Memory overhead
For p = 0.5238, m = 68 (similar to Du et al.)
Security Analysis
Secure against Random Node capture, Selective Node capture and
Node Fabrication attacks
Performance Analysis (Security)
Summary
Robust security mechanisms are vital to the wide acceptance and use of sensor networks for many applications
Key management in turn is one of the most important aspects in any security architecture
Various peculiarities of Wireless Sensor Networks make the development of a good key management scheme a challenging task
We have discussed several approaches to key management in WSN
All of them have strong and weak points
The diverse nature of WSN usage makes it unreasonable to look for some particular approach that would be suitable for all cases
Bibliography
I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, E. Cayirci. Wireless Sensor Networks: A Survey. Computer Networks, 38(4):393-422, 2002.
C. Karlof and D. Wagner. Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures. First IEEE International Workshop on Sensor Network Protocols and Applications, May 2003.
D. Carman, P. Kruus, and B. Matt. Constraints and approaches for distributed sensor network security. NAI Labs Technical Report #00-010, September 2000.
L. Eschenauer and V. Gligor. A Key-Management Scheme for Distributed Sensor Networks. In Proc. of ACM CCS02, November 2002.
H. Chan, A. Perrig, D. Song. Random Key Predistribution Schemes for Sensor Networks. In 2003 IEEE Symposium on Research in Security and Privacy.
S. Zhu, S. Xu, S. Setia, S. Jajodia. Establishing Pair-wise Keys For Secure Communication in Ad Hoc Networks: A Probabilistic Approach. In Proc. of the 11th IEEE International Conference on Network Protocols.
R. Di Pietro, L. Mancini, A. Mei. Efficient and Resilient Key Discovery Based on Pseudo-Random Key Pre-Deployment. 18th International Parallel and Distributed Processing Symposium.
D. Liu, P. Ning. Establishing Pairwise Keys in Distributed Sensor Networks. 10th ACM CCS '03, Washington D.C., October 2003.
G. Jolly, M. Kusu, P. Kokate, M. Younis. A Low-Energy Key Management Protocol for Wireless Sensor Networks. Eighth IEEE International Symposium on Computers and Communications.
G. Gaubatz, J. Kaps, B. Sunar. Public Key Cryptography in Sensor Networks Revisited. 1st European Workshop on Security in Ad-Hoc and Sensor Networks.
C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung. Perfectly secure key distribution for dynamic conferences. In Information and Computation, 146 (1), 1998, pp 1-23.
Introduction to Modern Cryptography, by M. Bellare, P. Rogaway, November 3, 2003.
Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996.
The Strange Logic of Random Graphs, Joel H. Spencer
Nanotechnology website http://www.nanotech-now.com
W. Du, J. Deng, Y. Han, S. Chen, P. Varshney. A Key Management Scheme for Wireless Sensor Networks Using Deployment Knowledge. IEEE Infocom 2004.
D. Huang, M. Mehta, D. Medhi, L. Harn. Location-aware Key Management for Wireless Sensor Networks. 2004 ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 04).