WSN - PowerPoint

Document Sample
WSN - PowerPoint Powered By Docstoc
					Security in Wireless Sensor
Key Management Approaches

      Vasyl A. Radzevych and Sunu Mathew
•   Wireless Sensor Networks (WSN)
•   Security issues in WSN
•   Key management approaches in WSN:
    •   Overview
    •   Pre-Deployed Keying
        •   Key pre-deployment
        •   Key derivation information pre-deployment
        •   Location aware pre-deployed keying
            •   Random Key Pre-deployment (P-RKP)
            •   Key derivation information pre-deployment
    •   Autonomous protocols
        •   Pairwise asymmetric (public key)
    •   Arbitrated protocols
        •   Identity based group keying
•   Conclusions
Sensor Networks
            Sensor network is composed of a
             large number of sensor nodes
            Sensor nodes are small, low-cost,
             low-power devices that have following
                communicate on short distances
                sense environmental data
                perform limited data processing
            Network usually also contains “sink”
             node which connects it to the outside
    WSN can be used to monitor the conditions of various
     objects / processes. Some examples:
        Military: friendly forces monitoring, battlefield surveillance,
         biological attack detection, targeting, battle damage
        Ecological: fire detection, flood detection, agricultural uses
        Health related: human physiological data monitoring
        Miscellaneous: car theft detection, inventory control,
         habitat monitoring, home applications
    Sensors are densely deployed either inside or very close
     to the monitored object / process
Security issues in WSN
   The discussed applications require communication in WSN to
    be highly secure
   Main security threats in WSN are:
       Radio links are insecure – eavesdropping / injecting faulty
        information is possible
       Sensor nodes are not temper resistant – if it is compromised
        attacker obtains all security information
   Attacker types:
       Mote-class: attacker has access to some number of nodes with
        similar characteristics / laptop-class: attacker has access to more
        powerful devices
       Outside (discussed above) / inside: attacker compromised some
        number of nodes in the network
Attacks on WSN
   Main types of attacks on WSN are:
       spoofed, altered, or replayed routing information
       selective forwarding
       sinkhole attack
       sybil attack
       wormholes
       HELLO flood attacks
       acknowledgment spoofing
False routing information
   Injecting fake routing
    control packets into the
    network, examples:
    attract / repeal traffic,
    generate false error                            B
    messages                                                 A1
   Consequences: routing
    loops, increased latency,                     A4
    decreased lifetime of the
    network, low reliability
                                Example: captured node attracts
                                traffic by advertising shortest path
                                to sink, high battery power, etc
Selective forwarding
   Multi hop paradigm is prevalent in WSN
   It is assumed that nodes faithfully forward received
   Compromised node might refuse to forward packets,
    however neighbors might start using another route
   More dangerous: compromised node forwards selected
Sinkhole and Sybil attacks
   Sinkhole attack:
       Idea: attacker creates metaphorical sinkhole by advertising for
        example high quality route to a base station
       Laptop class attacker can actually provide this kind of route
        connecting all nodes to real sink and then selectively drop
       Almost all traffic is directed to the fake sinkhole
       WSN are highly susceptible to this kind of attack because of
        the communication pattern: most of the traffic is directed
        towards sink – single point of failure
   Sybil attack:
       Idea: a single node pretends to be present in different parts of
        the network.
       Mostly affects geographical routing protocols
   Idea: tunnel packets
    received on one part of
    the network to another
   Well placed wormhole can
    completely disorder
   Wormholes may convince
    distant nodes that they
    are close to sink. This
    may lead to sinkhole if
    node on the other end
    advertises high-quality
    route to sink
Wormholes (cont.)
   Wormholes can exploit routing race conditions which happens
    when node takes routing decisions based on the first route
   Attacker may influence network topology by delivering routing
    information to the nodes before it would really reach them by
    multi hop routing
   Even encryption can not prevent this attack
   Wormholes may convince two nodes that they are neighbors
    when on fact they are far away from each other
   Wormholes may be used in conjunction with sybil attack
HELLO flood attack
   Many WSN routing
    protocols require nodes to
    broadcast HELLO packets
    after deployment, which is a
    sort of neighbor discovery
    based on radio range of the
   Laptop class attacker can
    broadcast HELLO message
    to nodes and then
    advertises high-quality route
    to sink
Acknowledgment spoofing
   Some routing protocols use
    link layer acknowledgments
   Attacker may spoof acks
   Goals: convince that weak
    link is strong or that dead
    node is alive.
   Consequently weak link may
    be selected for routing;
    packets send trough that link
    may be lost or corrupted
Overview of Countermeasures
   Link layer encryption prevents majority of attacks: bogus routing
    information, Sybil attacks, acknowledgment spoofing, etc.
   This makes the development of an appropriate key management
    architecture a task of a great importance
   Wormhole attack, HELLO flood attacks and some others are still
    possible: attacker can tunnel legitimate packets to the other part
    of the network or broadcast large number of HELLO packets
   Multi path routing, bidirectional link verification can also be used
    to prevent particular types of attacks like selective forwarding,
    HELLO flood
Key management: goals
   The protocol must establish a key between all sensor nodes
    that must exchange data securely
   Node addition / deletion should be supported
   It should work in undefined deployment environment
   Unauthorized nodes should not be allowed to establish
    communication with network nodes
Key management: constraints
   Sensor node constraints:
       Battery power
           Computational energy consumption
           Communication energy consumption
       Transmission range
       Memory
       Temper protection
       Sleep pattern
   Network constraints:
       Ad-hoc network nature
       Packet size
Key management:
evaluation/comparison metrics
    Resilience against node capture: how many node are to be
     compromised in order to affect traffic of not compromised
    Addition: how complicated is dynamic node addition?
    Revocation: how complicated is dynamically node revocation?
    Supported network size: what is the maximum possible size of
     the network?
    Note: since WSN can be used in a lot of different ways it is
     not reasonable to look for one key management approach to
     suite all needs: 20 000 node network deployed from the
     airplane over a battle field has quite different requirements
     from 10 node network installed to guard the perimeter of the
Key management approaches
Approaches to be discussed
   Pre-deployed keying:
       Key pre-deployment
         Straightforward approaches
         Eschenauer / Gligor random key pre-deployment
         Chan / Perrig q-composite approach
         Zhu / Xu approach
         DiPietro smart attacker model and PRK protocol

       Key derivation information pre-deployment
           Liu / Ning polynomial pre-deployment
   Self-enforcing autonomous approaches
       Pairwise asymmetric (public key)
   Arbitrated protocols
           Identity based hierarchical keying
Straight forward approaches
   Single mission key is obviously unacceptable
   Pairwise private key sharing between every two nodes is
    impractical because of the following reasons:
       it requires pre-distribution and storage of n-1 keys in each node
        which is n(n-1)/2 per WSN.
       most of the keys would be unusable since direct communication
        is possible only in the nodes neighborhood
       addition / deletion of the node and re-keying are complex
Basic probabilistic approach
   Due to Eschenauer and Gligor
   Relies on probabilistic key sharing among nodes of WSN
   Uses simple shared-key discovery protocol for key
    distribution, revocation and node re-keying
   Three phases are involved: key pre-distribution, shared-key
    discovery, path-key establishment
Key pre-distribution
   Generate a large key pool P (217-220 keys) and corresponding
    key identifiers
   Create n key rings by randomly selecting k keys from P
   Load key rings into nodes memory
   Save key identifiers of a key ring and associated node
    identifier on a controller
   For each node load a key which it shares with a base station
Shared-key discovery
   Takes place during initialization phase after WSN deployment.
    Each node discovers its neighbor in communication range
    with which it shares at least one key
   Nodes can exchange ids of keys that they poses and in this
    way discover a common key
   A more secure approach would involve broadcasting a
    challenge for each key in the key ring such that each
    challenge is encrypted with some particular key. The
    decryption of a challenge is possible only if a shared key
Path-key establishment
   During the path-key establishment phase path-keys are
    assigned to selected pairs of sensor nodes that are within
    communication range of each other, but do not share a key
   Node may broadcast the message with its id, id of intended
    node and some key that it posses but not currently uses, to all
    nodes with which it currently has an established link. Those
    nodes rebroadcast the message to their neighbors
   Once this message reaches the intended node (possible
    through a long path) this node contacts the initiator of path
    key establishment
   Analysis shows that after the shared-key discovery phase a
    number of keys on a key ring are left unused
Simulation results
                    1000 nodes, 40 nodes neighborhood, P=10000

                number of hops

           Path length to neighbors
Key revocation
   Key revocation is accomplished in the following way: a
    controller node that has all keys and ids in its memory,
    broadcasts a message containing a list of k key identifiers for
    the key ring to be revoked
   This message is signed with signature key which is encrypted
    and unicasted to all nodes prior revocation. This encryption is
    done using individually shared between node and controller
   After obtaining a signature key, each node locate received
    identifiers in its key ring and removes the corresponding keys
    if they are present
   Since some links might disappear they should be
    reestablished using keys that are left in the key ring
Resiliency to node capture
   More robust then approaches that use single mission key
   In case node is captured k<<n keys are obtained
   This means that the attacker has a probability of k/P to attack
    successfully any other WSN link
WSN connectivity
   Two nodes are connected if they share a key
   Full connectivity of WSN is not required because of the limited
    communication capabilities of the sensor nodes
   Two important questions:
       What should be the expected degree of a node so that WSN is
       Given expected degree of a node what values should the key
        ring size, k, and pool, P, have for a network of size n so that
        WSN is connected?
   Random-graph theory helps in answering the first question
Random graphs
   A random graph G(n,p) is a graph of n nodes for which the
    probability that a link between any two nodes exists is p
   Question: what value should p have so that it is “almost
    certainly true” that graph G(p,n) is connected?
                         Erdos-Renyi formula:
                                                         e c
               Pc  lim Pr[G (n, p)is _ connected]  e          (1)
                     n inf

                     ln( n) c
                p                                             (2)
                       n     n
   Pc is a desired probability for the graph connectivity
   Based on the formulas above p and d=p(n-1) can be found
    (d-expected degree of a node)
Random-graphs (cont.)

 Expected degree of node vs. number of nodes, where
 Pc=Pr[G(n,p) is connected]
Key ring and key pool sizes
   Due to the limited communication capabilities a number of
    nodes with which a particular node can communicate is
   This means that the probability of two nodes sharing at
    least one key in their key rings of size k is p’=d/(n’-1)>>p
   Key pool size P can be derived as a function of k:

                                k 2( P k 1 / 2)
                            (1  )
                  p'  1       P
                                2k ( P 2 k 1 / 2)
                           (1  )
Key ring and key pool size (cont.)

  Probability of sharing at least one key when two nodes
  choose k keys from a pool of size P
Key ring and key pool size: example

    WSN contains n=10000 nodes, desired probability of network
     connectivity is Pc=0.99999, communication range supports 40
     nodes neighborhoods
    According to the formula (1) c=11.5, therefore p=2*10-3
    This means that if each node can communicate with on
     average 20 other nodes the network will be connected
    p’=20/(40-1)=0.5
    According to formula (3) k can be set to 250 and P can be set
     to 100000
q-composite approach
   Enhancement of the basic probabilistic approach
   Idea: nodes should share q keys instead of only one
   Approach:
       Key pool P is an ordered set
       During initialization phase nodes broadcast ids of keys that
        they have
       After discovery each nodes identifies the neighbor with which it
        share at least q keys
       Communication key is computed as a hash of all shared keys
       Keys appear in hash in the same order as in key pool
Benefits of q-composite approach

    q-composite approach has greater resiliency to node capture
     than the basic approach if small number of nodes were
    Simulations show that for q=2, the amount of additional
     communications compromised when 50 nodes (out of 10000)
     have been compromised is 4.74%, as opposed to 9.52% in
     the basic scheme
    However if large number of nodes have been compromised q-
     composite scheme exposes larger portion of network than the
     basic approach
    The larger q is the harder it is to obtain initial information
    Parameter q can be customized to achieve required balance
     for a particular network
Zhu / Xu approach
   Another modification of the basic probabilistic approach
   Major enhancement:
       Pseudorandom number generator is used to improve security of
        key discovery algorithm
       Also uses secret sharing which jointly with logical paths allows
        nodes to establish a pairwise key that is exclusively known to the
        two nodes (in contrast to basic probabilistic approach, where
        other nodes might also know some particular key)
Zhu / Xu approach: key pre-
   Background: a pseudo-random number generator, or
    PRNG, is a random number generator that produces a
    sequence of values based on a seed and a current state.
    Given the same seed, a PRNG will always output the same
    sequence of values.
   Key pool P of size l is generated
   For each node u, pseudorandom number generator is used to
    generate the set of m distinct integers between 1 and l (key
    ids). Nodes unique id u is used as a seed for the generator
   Each node is loaded with key ring of size m
   Keys for the key rings are selected from key pool P in
    correspondence with integers (key ids) generated for a
    particular node by pseudorandom number generator
   This allows any node u that knows another nodes v id to
    determine the set of ids of keys that v poses
Zhu / Xu approach: Logical
path establishment
   The established on previous step keys are not exclusive and
    consequently not secure enough, however they can be used
    to establish exclusive key
   During the network initialization phase, nodes discover so
    called logical paths
   Nodes can establish a direct path in case they share a
    common key on their key rings
   This can easily be accomplished as was described in the
    previous slide by discovering common key id
   In case nodes do not share a key authors propose a path-key
    establishment algorithm similar to one in basic probabilistic
    approach, the difference is that nodes try to establish several
    logical paths, which later should help in establishing a
    pairwise key
Zhu / Xu: pairwise key
   The next step of network initialization is pairwise key
   A sender node randomly generates a secret key ks
   Then derives n-1 random strings sk1, sk2,…, skn-1
   skn is computed as follows: skn = ks XOR sk1XOR sk2 XOR,…,
    XOR skn-1
   This way a recipient has to receive all n shares in order to
    derive a secret key ks
   After secret shares are computed, each of them is send to the
    recipient using different logical path
   Once all shares are received the recipient can confirm the
    establishment of pairwise key by sending a HELLO message
    encoded with a new key
   Authors provide a framework according to which number of
    shares and the way they are send is decided
Further enhancements
   So far all the discussed approaches have used one of the
    following algorithms for shared-key discovery:
       Key id notification
       Challenge response
       Pseudorandom key id generation
   Those algorithms work well against so called “oblivious”
    attacker, the one that randomly selects next sensor to
   What if attacker selects nodes that will allow him to
    compromise the network faster, based on already obtained
    information (key ids)?
   This is the case of so called “smart” attacker
Smart attacker
   More precisely smart attacker can be defined as follows:
       at each step of the attack sequence, the next sensor to tamper is
        sensor s, where s maximizes E[G(s)| I(s)], the expectation of the
        key information gain G(s) given the information I(s) the attacker
        knows on sensor s key-ring

   Simulations show that Key id notification and pseudorandom
    key id generation can be easily beaten by the smart attacker
   Challenge response performs better
Simulation results

Experimental results on id notification and pseudorandom key id generation:
Number of sensors to corrupt in order to compromise an arbitrary channel.
Simulation results

 Experimental results on challenge response:
 Number of sensors to corrupt in order to compromise an arbitrary channel.
PRK algorithm
   Why not using challenge response? Inefficient
   The goal is to define a key pre-deployment scheme that
    supports an efficient and secure key discovery phase, as
    efficient as pseudorandom key id generation (no message
    exchange) and as secure as challenge response
   DiPietro et al. suggested a new algorithm that achieves the
    above described requirements
PRK algorithm
   Key pre-distribution
       For each sensor sa
           For all keys vPi of the pool P, compute z=fy(a || vPi)
           Iff z≡0 mod (P/K), then put vPi into the key ring Va of sensor sa
       Assumption P/K divides by 2h, where h is the size of the input
   Key discovery
       In case sensor sb wants to establish a secure channel with
        sensor sa it has to perform the following calculations:
           For each key vbj in its key ring sensor sb computes z=fy(a||vbj)
           If z≡0 mod (P/K), sensor sa also has key sb
PRK algorithm analysis
   Benefits:
       Complexity is comparable to pseudo-random index
        transformation: no message exchange and K applications of the
        pseudo-random function.
       Only who already knows key vPi can know whether sensor sa has
        that key or not by computing z=fy(a||vbj) and checking out if
        z≡0 mod( P/K ). All other entities gets no information from z. This
        is exactly the same information revealed by challenge response
   Drawbacks:
       Not enough control of key ring size: it is possible that applying
        the formula to sensor id and key in a key pool will yield key ring
        that is
           too large - larger than sensor memory
           too small – not enough for the network to be connected
       In either case node id a should be regenerated
       Authors prove that it is feasible to regenerate sensor ids to
        achieve required properties
PRK algorithm: simulations

Experimental results on PRK algorithm: number of sensors to corrupt in order
to compromise an arbitrary channel. The PRK algorithm is as secure as
challenge response and in the same time as efficient as pseudorandom key id
Background: polynomial based
key pre-distribution
   Polynomial based key pre-distribution scheme reduces the
    amount of pre-distributed information still allowing each pair of
    nodes to compute a shared key
   Polynomial based key pre-distribution is λ-collusion resistant,
    meaning that as long as λ or less nodes are compromised the
    rest of the network is secure
   Utilizes polynomial shares
Polynomial based key pre-
distribution : initialization
   Special case: λ=1
   Each node has an id rU which is unique and is a member of
    finite field Zp
   Three elements a, b, c are chosen from Zp
   Polynomial f(x,y) = (a + b(x + y) + cxy) mod p is generated
   For each node polynomial share gu(x) = (an+ bnx) mod p
    where an= (a + brU) mod p and bn= (b + crU) mod p is formed
    and pre-distributed
Polynomial based key pre-
distribution : key discovery
   In order for node U to be able to communicate with node V
    the following computations have to be performed:
     Ku,v= Kv,u= f(ru,rv) = (a + b(ru+rv) + crurv )mod p

     U computes Ku,v= gu(rv)

     V computes Kv,u= gv(ru)
Polynomial based key pre-
distribution : example
   Example:
     3 nodes: U, V, W, with the following id’s 12, 7, 1
     p=17 (chosen parameter)
     a=8, b=7, c=2 (chosen parameters)
     Polynomial f(x,y) = 8+7(x+y)+2xy
     g polynomials are gu(x) = 7 + 14x, gv(x) = 6 + 4x,
      gw(x) = 15+9x
     Keys are Ku,v=3, Ku,v=4, Ku,v=10
     U computes Ku,v= gu(rv) = 7+14*7mod17 = 3
     V computes Kv,u= gv(ru) = 6+4*12mod17 = 3
Polynomial based key pre-
distribution : generalization
   Polynomial based key pre-distribution scheme can be
    generalized to any λ by changing polynomials in the following
                    i  j 
        f ( x, y )   ai , j x i y j mod p; f ( x, y )  f ( y, x)
                    i 0 j 0
       g u ( x)  f ( x, ru ) mod p   au ,i x i
                                       i 0

   f ( x, y ) is a randomly generated, bivariate λ-degree, symmetric
    polynomial over finite field Zp, p≥n is prime
Liu-Ning approach
   Combination of polynomial-based key pre-distribution and the
    key pool idea discussed above
   Increases network resilience to node capture
   Can tolerate no more than λ compromised nodes, where λ is
    constrained by the size of memory of a node
   Idea: use a pool of randomly generated polynomials
   When pool contains only one polynomial the approach
    degenerates to basic polynomial based key pre-distribution
   When all polynomials are of degree 0 the approach
    degenerates to key pool approach
   Three phases are involved: setup, direct key establishment,
    path key establishment
Setup phase
   Set F of bivariate λ-degree polynomials over finite field Fq is
   Each polynomial is assigned a unique id
   For each sensor node a subset of s’ polynomial is randomly
    chosen from F
   For each polynomial in the chosen subset a polynomial share
    is loaded into nodes memory
Direct key establishment
   During this phase all possible direct links are established
   A node can establish a direct link with another node if they
    both share a polynomial share of a particular polynomial
   How to find common polynomial? Use above discussed
Path key establishment phase
   If direct connection establishment fails nodes have to start
    path key establishment phase
   Nodes need to find a path such that each intermediate nodes
    share a common key
   Node may broadcast the message with polynomials ids that it
    posses to all nodes with which it currently has an established
   Once this message reaches the intended node (possible
    through a long path) this node computes a key and contacts
    the initiator of path key establishment
   Drawback: may introduce considerable communication
Simulation results

 The probability p that 2 sensors share a polynomial vs
 size s of the polynomial pool (s’ – number of polynomial
 shares in each sensor)
Simulation results: comparison
with already discussed

  Fraction of compromised links between non compromised nodes
  vs number of compromised nodes
  (20000 nodes, nodes can store equivalent of 200 keys)
Grid-based key pre-
   Instance of general framework discussed above
   Benefits:
     Guarantees that any two nodes can establish a pairwise
       key, if no nodes were compromised
     Allows sensors to directly determine whether it can
       establish a pairwise key with another node and which
       polynomial to use in case of positive answer
Subset assignment
   2m λ-degree polynomials are generated
    F  { fi c ( x, y), fi r ( x, y)}i 0,..,m1 , where m     N
    and N is the size of the network
   Each row of the grid is associated with f i r ( x, y ) polynomial
    and each column is associated with f i c ( x, y ) polynomial
   For each sensor an unoccupied intersection (i, j) of the grid
    is selected and assigned to the node
Subset assignment (cont.)
   The id of the node is created by concatenation of binary
    representations of i and j. ID=< ib:: jb >
   Intersections should be densely selected within a rectangle
    area of the grid
   Polynomial shares of corresponding (row / column)
    polynomials together with id are pre-distributed to each node
Node assignment in the grid

          Node assignment in the grid
Polynomial share discovery
   To establish a pairwise key with node j, node i checks
    whether ci=cj or ri=rj
   If either of conditions hold, nodes have a polynomial share of
    the same polynomial, consequently they can compute a
    common key directly
   Otherwise nodes have to go through path discovery
Path discovery
   Idea: nodes can use intermediate nodes to help in
    establishing a common key
   The intermediate node should be located in either the same
    row / column as first node or same column / row as a second
   This way intermediate node definitely share a polynomial with
    both nodes
   Note: there are only two of such intermediate nodes for each
    pair of nodes
   What if both if them are compromised / unreachable?
   The path through the grid should be established
   Authors developed an efficient protocol to accomplish this
   The main idea of the protocol is that intermediate nodes try to
    forward the request to the node that is located in the same
    row / column as a destination
Path discovery: example

      Establishing a path through the grid
Public key infrastructure
   The limited computation and power resources of sensor
    nodes often makes it undesirable to use existing public-
    key algorithms, such as Diffie-Hellman key agreement or
    RSA signatures
Symmetric vs. asymmetric
Public key scheme for WSN

   Is it possible to develop a public key infrastructure suitable for
    wireless sensor networks?
   Recent studies show that it is still possible to utilize public key
    ideas for the purposes of securing WSN
   Gaubatz et al. developed an ultra low power implementation
    of Rabin's Scheme and NtruEncrypt Algorithm
   Authors have demonstrated that it is possible to design public
    key encryption architectures with power consumption of less
    than 20 mW using the right selection of algorithms and
    associated parameters, optimization and low power
   The details of solutions will not be discussed, since it mainly
    involves VLSI / circuit design
Arbitrated keying protocols:
system model
   According to the model, network consists of three types of
    nodes: command node, gateways and regular sensor nodes
   Gateways partition the network into distinct clusters as follows
Arbitrated keying protocols:
node requirements
   Sensor nodes
       Are equipped with GPS modules and can determine its location
        during bootstrapping
       Remain stationary
   Gateways
       Can unicast / broadcast information to other gateways on the
       Can establish the group key using a group key agreement
   Command node
       is assumed to be secure and is trusted by all of the nodes in the
        sensor network
Identity based hierarchical keying:
initialization phase (description)
   Description of the initialization phase:
       Prior deployment each gateway is assigned |S|/|G| keys, where
        |S| is the number of sensors on the network and |G| is the
        number of gateways
       Each sensor is preloaded with id if the gateway with which it
        share a key
       After deployment each gateway forms a cluster using cluster
        formation algorithm and acquires the keys of the sensors in its
        cluster from the other gateways
       After key exchange is performed gateways erases key of sensors
        that do not belong to its cluster
    Identity based hierarchical keying:
    initialization phase (protocol)
    • Each sensor Si broadcasts its id (idSi ) and id (idGj) of the
      gateway with which it shares a key

•     Clustering process is performed
•     After clustering gateways identify set of sensors that
      belong to its cluster {id}i and broadcasts it to other gateways

•    Each gateway Gj replies to Gi with the set of keys and
        corresponding sensor ids {(KSk,Gj, idSk)}i

•     On the last step, each sensor receives a message that assigns
      it to the gateway
Identity based hierarchical
keying: node addition
• Each new sensor is preloaded with two keys as other sensors
• Command node transmits the list of (identifier, key) pairs to a
randomly selected gateway Gh, which becomes the gateway that
shares the keys of the new sensors:

• Each added node broadcasts a hello message (same as on
initialization phase)

• Clustering mechanisms adjusts itself
• Each gateway broadcasts the sensors in its range to the
gateways in G, requesting the keys for those sensors
Identity based hierarchical
keying: node addition (cont.)
•   Gh responds to those requests

•   Each new sensor Si is assigned to the gateway Gi
Identity based hierarchical
keying: node revocation
   If a group of sensors are compromised, they can be trivially
    evicted from the command node’s sensor list by the command
    node, as well as from their cluster by the gateway.
   Gateway revocation is slightly more complicated
   Command node evicts gateway G from the list of gateways
    and chooses a head gateway Gh randomly
   Command node sends the identifiers of each sensor and their
    new gateway Gi to Gh
   Also the new keys that sensors share with Gi are sent
Identity based hierarchical
keying: node revocation (cont)

•   Clustering process takes place
•   Second and third parts of the message is sent to Gi
•   Gi notifies each sensor on its cluster about new shared key
Identity based hierarchical
keying: simulations

    Distribution of sensor energy consumption with our
Identity based hierarchical
keying: analysis
   Benefits:
       Low energy consumption
       Low communication overhead for key establishment
       Low memory requirements for sensor nodes
       Good resilience against sensor capture
   Drawbacks:
       Specific network model requirements
       Sensors have to be equipped with GPS modules
       Efficient clustering algorithm is required
Location Aware Key
Management for WSN

   Problem:
       How to pick a large key pool while still maintaining high
        connectivity? (i.e maintain resilience while ensuring connectivity)
        (e.g. 100,000 vs 200)
   Solution:
       Exploit Location information (Deployment Knowledge)
           Du et. al. Infocom 2004. Exploit Location Knowledge for P-RKP
           Huang et. Al. SASN 2004. Exploit Location Knowledge for SK-
Location Aware Purely Random
Key Predistribution (P-RKP)

   Du et. al (IEEE Infocom 2004)

       Improves Random Key Predistribution (Eschenauer and Gligor)
        by exploiting Location Information.

       Studies a Gaussian distribution for deployment of Sensor nodes
        to improve security and memory usage.
Location Aware Purely Random
Key Predistribution (P-RKP)
   Rectangular Deployment area (X x Y)
   General Deployment Model (Individual)
       Current predeployment schemes assume pdf for location f(x,y) as
       Group based Deployment Model.

   Group based Deployment Model:
       N sensor nodes divided into t x n equal size groups. Group G(i,j)
        has deployment point x(i,j).
       Deployment points arranged in a grid
       Resident points of node k follow pdf
Location Aware Purely Random
Key Predistribution (P-RKP)
   Groups select from key group S (i,j)

                    S   Si, j , i  1,... , j  1..n

   Probability node is in a certain group is (1 / tn).
Location Aware Purely Random
Key Predistribution (P-RKP)
   Key sharing graphs used to enable connectivity
   Use flooding to find secure path (Limit to 3 hops)
   Setting up the key pools
       Two horizontally or vertically neighboring pools share a|Sc| keys
        where 0<= a <= 0.25
       Two diagonally neighboring key pools share b|Sc| keys, where
       Two non-neighboring key pools share no keys.
       Overlapping factors - a,b
Location Aware Purely Random
Key Predistribution (P-RKP)
Location Aware Purely Random
Key Predistribution (P-RKP)
   Key Assignment for Key Pools
     For group S 1,1, select    | S c | keys from the global key pool S,
      then remove these | S c | keys from S.
     For group S , j  2,..., n
                 1, j
                                  , select a. | S c | keys from pool S1, j 1
        then select w  (1  a). | S c | keys from global pool S
       For group S i , j , i  2,.... t , j  1,.... n select a. | S c | from each of the key
        pools    S i 1, j , and S i , j 1 if they exist; select b.| S c | Keys from
        each of the key pools S i 1, j 1 and S          i 1, j 1        if they exist; then
        select w keys from the global key pool S, and remove these w keys
        from S.
Location Aware Purely Random
Key Predistribution (P-RKP)

   Detemining |Sc|

       When |S| = 100,000, t = n = 10, a = 0.167, b = 0.083
        |Sc| = 1770
Location Aware Purely Random
Key Predistribution (P-RKP)
   Performance Evaluation
       Evaluation Metrics
           Connectivity (Local and Global)
           Communication overhead
           Resilience against node capture
   System configuration
       |S| = 100,000. N = 10,000.
       Deployment area = 1000m x 1000m
       T =n =10m. Each grid is 100m x 100m.
       Center of grid is deployment point. Wireless communication
        range is 40m.
Location Aware Purely Random
Key Predistribution (P-RKP)
Location Aware Purely Random
Key Predistribution (P-RKP)

   Local Connectivity
       Plocal = Pr((B(n1,n2)|A(n1,n2))
  Probability node is in a certain group is (1 / tn)
 Probability that nodes i and j have local connectivity) is
   1)Probability that n and n share a key (p-lambda) *
                          i       j

   2)Probability that n resides around the point Z(x,y) *

   3)Probability that n is a neighbor of n
                          i                j

Plocal is the average of this value across the whole region
Location Aware Purely Random
Key Predistribution (P-RKP)
   Performance – Local connectivity
       With 100 keys, location management improves local connectivity
        from 0.095 to 0.687
Location Aware Purely Random
Key Predistribution (P-RKP)
   Global connectivity
       Only simulation results are available
Location Aware Purely Random
Key Predistribution (P-RKP)
   Effects of the Overlapping Factors (a,b)
Location Aware Purely Random
Key Predistribution (P-RKP)
   Communication overhead
       Path needed when two neighbours cannot find a common key.
       ph(i) is the probability that the smallest number of hops needed to
        connect two neighbouring nodes is i. i is at most 3.
Location Aware Purely Random
Key Predistribution (P-RKP)
   Resilience against node capture

       Fraction of additional communication (among uncaptured nodes)
        that can be compromised based on capture of x nodes.

       Location of the x captured nodes affects results.

       Assume random location of x nodes (unrealistic)

       Location knowledge significantly improves network resilience
           1 – (1 – m/|S|)^x
Location Aware Purely Random
Key Predistribution (P-RKP)
Location Aware Structured Key
Random Key Predistribution (SK-RKP)
    Huang et. al. (SASN 2004)

        Claims random node capture assumption too weak (selective
         capture possible)
        Grid–group deployment scheme.
        Introduces the node fabrication attack
        Uses location based information and a structured key pool
        Claims fewer number of keys and resilience to selective node
         capture and node fabrication attacks
Location Aware SK-RKP
   P-RKP vs SK-RKP
   Robustness of both weakened by selective node capture attack
Location Aware SK-RKP
   Both are also weakened by node fabrication attack
   P-RKP – By capturing two nodes, attacker can
    fabricate and deploy (2m new nodes.
   SK-RKP is harder to compromise (still possible)
   Grid-Group Deployment Scheme
       Partition N sensors into i.j groups with n z sensors in each
       Assign the identifier [(i,j),b] to each sensor in the G(i,j)
        where b= 1,….N
       Assign m keys to each sensor in group G(i,j)
       Uniformly distribute the sensors for the group G(i,j) in zone
Key Predistribution (I –
Scheme) within a given zone

   Divide key poll P into L x M sub-key pools (P(i,j), i = 1….L,j =
    1…M)). Each sub-key pool is divided into w sub-key spaces. A
    sub-key space is a N x (  +1) key matrix A, where each
    element of A is a unique key)
   Divide the N sensors into L x M groups (a group is represented
    by G(i,j) where i = 1,….L, j = 1,…M)
   Assign unique identifiers to the sensors. For each sensor,
    assign id = [(i,j),b], where (i,j) is the group id and b = 1,….N
   For sensor [(i,j),b], randomly select T sub-key spaces in P(i,j)
    making sure the selected sub-key space is not already
    selected  times. Load sensor with the bth row of matrix A for
    each sub key space selected
Key Predistribution (E-
Scheme) for adjacent zones

   For each sensor in group G(i,j), randomly select one sensor,
    say j, from a neighbouring group, say G(i2,j2).
   Install duple < k i , j, id j > in i and duple < k i , j , id i > in j, where
    key k i , j is unique and id i , id j are the node ids.
    Once a peer node is selected, it cannot select another node in
    the same group
   If all sensors have selected a node in each of its neighboring
    groups, stop, otherwise go to the first step
Location Aware SK-RKP
Key establishment within the
same zone
   Key establishment within the same zone
       Each sensor, say [(i,j),b], broadcasts identifier [(i,j),b] and key
        space identifiers [  1 , 2 ]
       For each neighbor, sensor adds a link in key-graph if they
        share a key .
       Sensor broadcasts list of neighbors who share key-space with
        it. Uses similar messages from others to expand key-graph.
       Source routing to to request and establish pairwise keys with
        all its neighbors.
Key establishment within
adjacent zones
   Each sensor, broadcasts desired node list (of nodes in
    the adjacent zone)
   A neighbor of the requestor within the same zone who
    already shares a key with the nodes For each neighbor,
    sensor adds a link in key-graph if they share a key
   Sensor broadcasts list of neighbors who share key-
    space with it. Uses similar messages from others to
    expand key-graph.
   Source routing to request and establish pairwise keys
    with all its neighbors.
Performance Analysis

   Memory overhead

       For p = 0.5238, m = 68 (similar to Du et. Al.)

   Security Analysis

       Secure against Random Node capture, Selective Node capture and
        Node Fabrication attacks
Performance Analysis
   Robust security mechanisms are vital to the wide
    acceptance and use of sensor networks for many
   Key management in turns is one the most important
    aspects in any security architecture
   Various peculiarities of Wireless Sensor Networks make
    the development of good key management scheme a
    challenging task
   We have discussed several approaches to key management
    in WSN
   All of them have strong and weak points
   The diverse nature of WSN usage makes it not reasonable to
    look for some particular approach that would be suitable for all
   I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, E. Cyirci. Wireless Sensor
    Networks: A Survey. Computer Networks, 38(4):393-422, 2002.
   C. Karlof and D. Wagner, Secure Routing in Wireless Sensor Networks:
    Attacks and Countermeasures. First IEEE International Workshop on
    Sensor Network Protocols and Applications, May 2003
   D. Carman, P. Kruus, and B. Matt. Constraints and approaches for
    distributed sensor network security. NAI Labs Technical Report #00-010,
    September 2000
   L. Eschenauer and V. Gligor. A Key-Management Scheme for Distributed
    Sensor Networks. In Proc. of ACM CCS’02, November 2002
   H. Chan, A. Perrig, D. Song Random Key Predistribution Schemes for
    Sensor Networks. In 2003 IEEE Symposium on Research in Security and
   S. Zhu, S. Xu, S. Setia, S. Jajodia Establishing Pair-wise Keys For Secure
    Communication in Ad Hoc Networks: A Probabilistic Approach. In Proc. of
    the 11th IEEE International Conference on Network Protocols
   R. Di Pietro, L. Mancini, A. Mei. Efficient and Resilient Key Discovery Based
    on Pseudo-Random Key Pre-Deployment. 18th International Parallel and
    Distributed Processing Symposium
   D. Liu, P. Ning, Establishing Pairwise Keys in Distributed Sensor Networks,
    10th ACM CCS '03, Washington D.C., October, 2003
   G. Jolly, M. Kusçu, P. Kokate, M. Younis. A Low-Energy Key Management
    Protocol for Wireless Sensor Networks. Eighth IEEE International
    Symposium on Computers and Communications
   G. Gaubatz, J.Kaps, B. Sunar Public Key Cryptography in Sensor Networks
    – Revisited. 1st European Workshop on Security in Ad-Hoc and Sensor
   C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung.
    Perfectly secure key distribution for dynamic conferences. In Information
    and Computation, 146 (1), 1998, pp 1-23.
   “Introduction to Modern Cryptography” by M. Bellare, P. Rogaway
    November 3, 2003
   “Handbook of Applied Cryptography”, by A. Menezes, P. van Oorschot, and
    S. Vanstone, CRC Press, 1996.
   “The Strange Logic of Random Graphs”, Joel H. Spencer
   Nanotechnology website
   W. Du, J. Deng, Y. Han, S. Chen, P. Varshney. A Key Management
    Scheme for Wireless Sensor Networks Using Deployment Knowledge. IEEE
    Infocom 2004.
   D. Huang, M. Mehta, D. Medhi, L. Harn. Location-aware Key Management
    for Wireless Sensor Networks. 2004 ACM Workshop on Security of Ad Hoc
    and Sensor Networks. (SASN 04)

Shared By: