SECURITY IN WIRELESS SENSOR NETWORKS
Department of Computer Science
University of Tennessee, Knoxville
saraogi AT cs.utk.edu
Abstract to a very demanding environment to provide
security. Public-key cryptography is too
Wireless sensor networks are a new type of expensive to be usable, and even fast
networked systems, characterized by severely symmetric-key ciphers must be used
constrained computational and energy sparingly. Communication bandwidth is
resources, and an ad hoc operational extremely dear: each bit transmitted consumes
environment. This paper studies the security about as much power as executing 800–1000
aspects of these networks. The paper first instructions , and as a consequence, any
introduces sensor networks, and then presents message expansion caused by security
its related security problems, threats, risks and mechanisms comes at significant cost.
characteristics. Additionally, the paper gives a
brief introduction to proposed protocols for In , the authors point out that it seems
sensor network security applications such as unlikely that Moore’s law will help in the
SPINS , TinySec  and LEAP . foreseeable future. Because one of the most
important factors determining the value of a
Introduction sensor network comes from how many sensors
can be deployed, it seems likely there will be
Sensor networks refer to a heterogeneous strong pressure to develop ever-cheaper sensor
system combining tiny sensors and actuators nodes. In other words, we expect that users
with general-purpose computing elements. will want to ride the Moore’s law curve down
These networks will consist of hundreds or towards ever-cheaper systems at a fixed
thousands of self-organizing, low-power, low- performance point, rather than holding price
cost wireless nodes deployed en masse to constant and improving performance over
monitor and affect the environment. Potential time.
applications include burglar alarms, inventory
control, medical monitoring and emergency Thus, the resource-starved nature of sensor
response , monitoring remote or networks poses great challenges for security.
inhospitable habitats [9, 10], target tracking in However, in many applications the security
battlefields , disaster relief networks, early aspects are as important as performance and
fire detection in forests, and environmental low energy consumption. Besides the
monitoring. battlefield applications, security is critical in
premise security and surveillance, building
Sensor networks are typically characterized by monitoring, burglar alarms, and in sensors in
limited power supplies, low bandwidth, small critical systems such as airports, hospitals.
memory sizes and limited energy. This leads
Sensor Network Architecture energy [14, 15, 16] by using in-network
processing techniques such as data
Sensor networks often have one or more aggregation [24, 25] (an aggregation point
points of centralized control called base can collect sensor readings from
stations. A base station is typically a gateway surrounding nodes and forward a single
to another network, a powerful data message representing an aggregate of the
processing or storage center, or an access values) and passive participation (a node
point for human interface. They can be used as that overhears a neighboring sensor node
a nexus to disseminate control information transmitting the same reading as its own
into the network or extract data from it. Base current reading can elect to not transmit
stations have also been referred to as sinks. the same).
The sensor nodes establish a routing forest,
with a base station at the root of every tree. Security Issues and Goals
Base stations are many orders of magnitude
more powerful than sensor nodes. Typically, 1. Data Confidentiality
base stations have enough battery power to
surpass the lifetime of all sensor nodes, Confidentiality means keeping information
sufficient memory to store cryptographic keys, secret from unauthorized parties. A sensor
stronger processors, and means for network should not leak sensor readings to
communicating with outside networks. neighboring networks. In many applications
(e.g. key distribution) nodes communicate
Communication Architecture highly sensitive data. The standard approach
for keeping sensitive data secret is to encrypt
Generally, the sensor nodes communicate the data with a secret key that only intended
using RF, so broadcast is the fundamental receivers possess, hence achieving
communication primitive. The baseline confidentiality. Since public-key cryptography
protocols account for this property: on one is too expensive to be used in the resource
hand it affects the trust assumptions, and on constrained sensor networks, most of the
the other it is exploited to minimize the energy proposed protocols use symmetric key
usage. encryption methods. The creators of TinySec
 argue that cipher block chaining (CBC) is
In the sensor applications developed so far, the most appropriate encryption scheme for
the communication patterns within the sensor networks. They found RC5 and
network fall into the following categories: Skipjack to be most appropriate for software
implementation on embedded
• Node to base station communication, e.g. microcontrollers. The default block cipher in
sensor readings, specific alerts. TinySec is Skipjack. SPINS uses RC6 as its
• Base station to node communication, e.g. cipher.
specific requests, key updations
• Base station to all nodes, e.g. routing 2. Data Authenticity
beacons, queries or reprogramming of the
entire network In a sensor network, an adversary can easily
• Communication amongst a defined cluster inject messages, so the receiver needs to make
of nodes (say, a node and all its sure that the data used in any decision-making
neighbors). Clustering can reduce the total process originates from the correct source.
number of messages sent and thus save Data authentication prevents unauthorized
parties from participating in the network and 4. Data Freshness
legitimate nodes should be able to detect
messages from unauthorized nodes and reject Data freshness implies that the data is recent,
them. and it ensures that an adversary has not
replayed old messages. A common defense
In the two-party communication case, data (used by SNEP ) is to include a
authentication can be achieved through a monotonically increasing counter with every
purely symmetric mechanism: The sender and message and reject messages with old counter
the receiver share a secret key to compute a values. With this policy, every recipient must
message authentication code (MAC) of all maintain a table of the last value from every
communicated data. When a message with a sender it receives. However, for RAM-
correct MAC arrives, the receiver knows that constrained sensor nodes, this defense
it must have been sent by the sender. becomes problematic for even modestly sized
networks. Assuming nodes devote only a
However, authentication for broadcast small fraction of their RAM for this neighbor
messages requires stronger trust assumptions table, an adversary replaying broadcast
on the network nodes. The creators of SPINS messages from many different senders can fill
 contend that if one sender wants to send up the table. At this point, the recipient has
authentic data to mutually untrusted receivers, one of two options: ignore any messages from
using a symmetric MAC is insecure since any senders not in its neighbor table, or purge
one of the receivers know the MAC key, and entries from the table. Neither is acceptable;
hence could impersonate the sender and forge the first creates a DoS attack and the second
messages to other receivers. SPINS constructs permits replay attacks.
authenticated broadcast from symmetric
primitives, but introduces asymmetry with In , the authors contend that protection
delayed key disclosure and one-way function against the replay of data packets should be
key chains. LEAP  uses a globally shared provided at the application layer and not by a
symmetric key for broadcast messages to the secure routing protocol as only the application
whole group. However, since the group key is can fully and accurately detect the replay of
shared among all the nodes in the network, an data packets (as opposed to retransmissions,
efficient rekeying mechanism is defined for for example). In , the authors reason that by
updating this key after a compromised node is using information about the network's
revoked. This means that LEAP has also topology and communication patterns, the
defined an efficient mechanism to verify application and routing layers can properly
whether a node has been compromised. and efficiently manage a limited amount of
memory devoted to replay detection.
3. Data Integrity
In , the authors have identified two types of
Data integrity ensures the receiver that the freshness: weak freshness, which provides
received data is not altered in transit by an partial message ordering, but carries no delay
adversary. Note that Data Authentication can information, and strong freshness, which
provide Data Integrity also. provides a total order on a request-response
pair, and allows for delay estimation. Weak
freshness is required by sensor measurements,
while strong freshness is useful for time
synchronization within the network.
5. Robustness and Survivability 3. False Node and malicious data
The sensor network should be robust against An intruder might add a node to the system
various security attacks, and if an attack that feeds false data or prevents the passage of
succeeds, its impact should be minimized. The true data. Such messages also consume the
compromise of a single node should not break scarce energy resources of the nodes. This
the security of the entire network. type of attack is called “sleep deprivation
torture” in . Insertion of malicious code is
Security Threats, Types of Attacks on one of the most dangerous attacks that can
Sensor Networks and Countermeasures occur. Malicious code injected in the network
could spread to all nodes, potentially
Wireless networks are vulnerable to security destroying the whole network, or even worse,
attacks due to the broadcast nature of the taking over the network on behalf of an
transmission medium. Furthermore, wireless adversary. A seized sensor network can either
sensor networks have an additional send false observations about the environment
vulnerability because nodes are often placed to a legitimate user or send observations about
in a hostile or dangerous environment where the monitored area to a malicious user. By
they are not physically protected. spoofing, altering, or replaying routing
information, adversaries may be able to create
1. Passive Information Gathering routing loops, attract or repel network traffic,
extend or shorten source routes, generate false
An intruder with an appropriately powerful error messages, partition the network, increase
receiver and well designed antenna can easily end-to-end latency, etc.
pick off the data stream. Interception of the
messages containing the physical locations of Strong authentication techniques can prevent
sensor nodes allows an attacker to locate the an adversary from impersonating as a valid
nodes and destroy them. Besides the locations node in the sensor network.
of sensor nodes, an adversary can observe the
application specific content of messages 4. The Sybil attack
including message IDs, timestamps and other
fields. To minimize the threats of passive In a Sybil attack , a single node presents
information gathering, strong encryption multiple identities to other nodes in the
techniques needs to be used. network. They pose a significant threat to
geographic routing protocols, where location
2. Subversion of a Node aware routing requires nodes to exchange
coordinate information with their neighbors to
A particular sensor might be captured, and efficiently route geographically addressed
information stored on it (such as the key) packets.
might be obtained by an adversary. If a node
has been compromised then how to exclude Authentication and encryption techniques can
that node, and that node only, from the sensor prevent an outsider to launch a Sybil attack on
network is at issue (LEAP  defines an the sensor network. However, an insider
efficient way to do so). cannot be prevented from participating in the
network, but (s)he should only be able to do
so using the identities of the nodes (s)he has
compromised. Using globally shared keys
allows an insider to masquerade as any them in a different part. The simplest instance
(possibly even nonexistent) node. Public key of this attack is a single node situated between
cryptography can prevent such an insider two other nodes forwarding messages between
attack, but it is too expensive to be used in the the two of them. However, wormhole attacks
resource constrained sensor networks. One more commonly involve two distant malicious
solution is to have every node share a unique nodes colluding to understate their distance
symmetric key with a trusted base station. from each other by relaying packets along an
Two nodes can then use a Needham- out-of-bound channel available only to the
Schroeder like protocol to verify each other’s attacker.
identity and establish a shared key. A pair of
neighboring nodes can use the resulting key to An adversary situated close to a base station
implement an authenticated, encrypted link may be able to completely disrupt routing by
between them. An example of a protocol creating a well-placed wormhole. An
which uses such a scheme is LEAP , which adversary could convince nodes who would
supports the establishment of four types of normally be multiple hops from a base station
keys. that they are only one or two hops away via
the wormhole. This can create a sinkhole:
5. Sinkhole attacks since the adversary on the other side of the
wormhole can artificially provide a high-
In a sinkhole attack, the adversary’s goal is to quality route to the base station, potentially all
lure nearly all the traffic from a particular area traffic in the surrounding area will be drawn
through a compromised node, creating a through her if alternate routes are significantly
metaphorical sinkhole with the adversary at less attractive.
the center. Sinkhole attacks typically work by
making a compromised node look especially The following diagram shows an example of a
attractive to surrounding nodes with respect to wormhole being used to create a sinkhole:
the routing algorithm. For instance, an
adversary could spoof or replay an
advertisement for an extremely high quality B
route to a base station. Due to either the real or
imagined high quality route through the A1
compromised node, it is likely each
neighboring node of the adversary will
forward packets destined for a base station
through the adversary, and also propagate the
attractiveness of the route to its neighbors.
Effectively, the adversary creates a large
“sphere of influence” , attracting all traffic
destined for a base station from nodes several Adversaries A1 and A2 combine to form a
hops away from the compromised node. sinkhole-wormhole attack. The nodes near A2
believe that the Base Station B is closer via
6. Wormholes the sinkhole A1. Hence, the wormhole
convinces two distant nodes that they are
In the wormhole attack , an adversary neighbors by relaying packets between the
tunnels messages received in one part of the two of them.
network over a low latency link and replays
A technique for detecting wormhole attacks is encryptions of the same plaintext . The
presented in , but it requires extremely basic technique to achieve this is
tight time synchronization and is thus randomization: Before encrypting the message
infeasible for most sensor networks. with a chaining encryption function (i.e. DES-
CBC), the sender precedes the message with a
SPINS: Security Protocols for Sensor random bit string (also called the Initialization
Networks  Vector). This prevents the attacker from
inferring the plaintext of encrypted messages
SPINS a suite of security building blocks if it knows plaintext-ciphertext pairs encrypted
proposed by Perig et all. It is optimized for with the same key. To avoid adding the
resource constrained environments and additional transmission overhead of these
wireless communication. SPINS has two extra bits, SNEP uses a shared counter
secure building blocks: SNEP and µTESLA. between the sender and the receiver for the
block cipher in counter mode (CTR). The
SNEP provides data confidentiality, two-party communicating parties share the counter and
data authentication, and data freshness. increment it after each block.
µTESLA provides authenticated broadcast for
severely resource-constrained environments. SNEP offers the following properties:
All cryptographic primitives (i.e. encryption,
message authentication code (MAC), hash, Semantic security: Since the counter value is
random number generator) are constructed out incremented after each message, the same
of a single block cipher for code reuse. This, message is encrypted differently each time.
along with the symmetric cryptographic The counter value is long enough that it never
primitives used reduces the overhead on the repeats within the lifetime of the node.
resource constrained sensor network.
Data authentication: If the MAC verifies
In a broadcast medium such as a sensor correctly, a receiver can be assured that the
network, data authentication through a message originated from the claimed sender.
symmetric mechanism cannot be applied as all
the receivers know the key. µTESLA Replay protection: The counter value in the
constructs authenticated broadcast from MAC prevents replaying old messages. Note
symmetric primitives, but introduces that if the counter were not present in the
asymmetry with delayed key disclosure and MAC, an adversary could easily replay
one-way function key chains. messages.
SNEP: Confidentiality, Authentication, Data freshness: If the message verified
Integrity, and Freshness correctly, a receiver knows that the message
must have been sent after the previous
SNEP uses encryption to achieve message it received correctly (that had a lower
confidentiality and message authentication counter value). This enforces a message
code (MAC) to achieve two-party ordering and yields weak freshness.
authentication and data integrity. Apart from
confidentiality, another important security Low communication overhead: The counter
property is semantic security, which ensures state is kept at each end point and does not
that an eavesdropper has no information about need to be sent in each message.
the plaintext, even if it sees multiple
µTESLA: Authenticated Broadcast the packet in transit. The node stores the
packet in a buffer. At the time of key
Most of the proposals for authenticated disclosure, the base station broadcasts the
broadcast are impractical for sensor networks, verification key to all receivers. When a node
as they rely on asymmetric digital signatures receives the disclosed key, it can easily verify
for the authentication. The TESLA protocol the correctness of the key (which we explain
provides efficient authenticated broadcast [22, below). If the key is correct, the node can now
23] but it is not designed for limited use it to authenticate the packet stored in its
computing environments. µTESLA solves the buffer.
following inadequacies of TESLA in sensor
networks: Each MAC key is a key of a key chain,
generated by a public one-way function F. To
• TESLA authenticates the initial packet generate the one-way key chain, the sender
with a digital signature, which is too chooses the last key Kn of the chain randomly,
expensive for sensor nodes. µTESLA uses and repeatedly applies F to compute all other
only symmetric mechanisms. keys: Ki = F(Ki+1). Each node can easily
• Disclosing a key in each packet requires perform time synchronization and retrieve an
too much energy for sending and authenticated key of the key chain for the
receiving. µTESLA discloses the key once commitment in a secure and authenticated
per epoch. manner, using the SNEP building block.
• It is expensive to store a one-way key
chain in a sensor node. µTESLA restricts K0 K1 K2 K3 K4 Time
the number of authenticated senders.
µTESLA uses symmetric authentication but
introduces asymmetry through a delayed P1 P2 P3 P4 P5 P6 P7
disclosure of the symmetric keys, which
results in an efficient broadcast authentication
scheme. For the base station to broadcast For example, let the key be disclosed in 2 time
authenticated information to the nodes, intervals. Each key of the key chain
µTESLA requires that the base station and corresponds to a time interval and all packets
nodes are loosely time synchronized, and each sent within one time interval are authenticated
node knows an upper bound on the maximum with the same key. The receiver node is
synchronization error. To send an loosely time synchronized and knows K0 (a
authenticated packet, the base station simply commitment to the key chain) in an
computes a MAC on the packet with a key authenticated way. Packets P1 and P2 sent in
that is secret at that point in time. When a interval 1 contain a MAC with key K1. Packet
node gets a packet, it can verify that the P3 has a MAC using key K2. So far, the
corresponding MAC key was not yet disclosed receiver cannot authenticate any packets yet.
by the base station (based on its loosely Let us assume that packets P4, P5, and P6 are
synchronized clock, its maximum all lost, as well as the packet that discloses key
synchronization error, and the time schedule at K1, so the receiver can still not authenticate
which keys are disclosed). Since a receiving P1, P2, or P3. In interval 4 the base station
node is assured that the MAC key is known broadcasts key K2, which the node
only by the base station, the receiving node is authenticates by verifying K0 = F(F(K2)), and
assured that no adversary could have altered hence knows also K1 = F(K2), so it can
authenticate packets P1, P2 with K1, and P3 security (through an Initialization Vector) and
with K2. replay protection.
Instead of adding a disclosed key to each data TinySec supports two different security
packet, the key disclosure is independent from options: authenticated encryption (TinySec-
the packets broadcast, and is tied to time AE) and authentication only (TinySec-Auth).
intervals. Within the context of µTESLA, the With authenticated encryption, TinySec
sender broadcasts the current key periodically encrypts the data payload and authenticates
in a special packet. the packet with a MAC. The MAC is
computed over the encrypted data and the
For further details about the implementation packet header. In authentication only mode,
and evaluation results of SNEP, refer to . TinySec authenticates the entire packet with a
MAC, but the data payload is not encrypted.
TinySec: A Link Layer Security Encryption
Architecture for Wireless Sensor
Networks  TinySec uses an 8 byte IV and cipher block
chaining (CBC) .
TinySec is a lightweight, generic security
package that can be integrated into sensor The structure of the IV is dst||AM||l||src||ctr,
network applications. It is incorporated into where dst is the destination address of the
the official TinyOS release. In , the authors receiver, AM is the active message (AM)
reason why Link Layer security is ideal for handler type, l is the length of the data
sensor networks. Sensor networks use in- payload, src is the source address of the
network processing such as aggregation and sender, and ctr is a 16 bit counter. The counter
duplicate elimination [24, 25] to reduce traffic starts at 0 and the sender increases it by 1 after
and save energy. Since in-network processing each message sent.
requires the intermediate nodes to access,
modify, and suppress the contents of A stream cipher uses a key K and IV as a seed
messages, end-to-end security mechanisms and stretches it into a large pseudorandom
between each sensor node and the base station keystream GK(IV). The keystream is then
cannot be used to guarantee the authenticity, xored against the message: C = (IV, GK(IV)
integrity, and confidentiality of messages. xor P). The fastest stream ciphers are faster
End-to-end security mechanisms are also than the fastest block ciphers, which might
vulnerable to certain denial of service attacks. make them look tempting in a resource-
If message integrity is only checked at the constrained environment. However, stream
final destination, the network may route ciphers have a failure mode: if the same IV is
packets injected by an adversary many hops ever used to encrypt two different packets,
before they are detected. This kind of attack then it is often possible to recover both
will waste energy and bandwidth. A link-layer plaintexts. Guaranteeing that IVs are never
security architecture can detect unauthorized reused requires IVs to be fairly long, say, at
packets when they are first injected into the least 8 bytes. Since an 8-byte overhead in a
network. TinySec provides the basic security 30-byte packet is unacceptable in the resource
properties of message authentication and constrained sensor network, TinySec uses
integrity (using MAC), message block cipher.
confidentiality (through encryption), semantic
Using a block cipher for encryption has an is efficient and fast, and the fact that it relies
additional advantage. Since the most efficient on a block cipher as well minimizes the
message authentication code (MAC) number of cryptographic primitives we must
algorithms use a block cipher, the nodes will implement in the limited memory available.
need to implement a block cipher in any event. However the standard CBC-MAC
Using this block cipher for encryption as well construction is not secure for variably sized
conserves code space. messages. Adversaries can forge a MAC for
certain messages. Bellare, Kilian, and
The advantage of using CBC is that it Rogaway suggest three alternatives for
degrades gracefully in the presence of generating MACs for variable sized messages
repeated IVs. If we encrypt two plaintexts P1 . The variant used in TinySec xors the
and P2 with the same IV under CBC mode, encryption of the message length with the first
then the ciphertexts will leak the length (in plaintext block.
blocks) of the longest shared prefix of P1 and
P2, and nothing more. For instance, if the first Keying Mechanism
block of P1 is different from the first block of
P2, as will typically be the case, then the The simplest keying mechanism is to use a
cryptanalyst learns nothing apart from this single network-wide TinySec key among the
fact. CBC mode is provably secure when IVs authorized nodes. However, this cannot
do not repeat. However, CBC mode was protect against node capture attacks. If an
designed to be used with a random IV, and has adversary compromises a single node or learns
a separate leakage issue when used with a the secret key, (s)he can eavesdrop on traffic
counter as the IV (note that the TinySec IV and inject messages anywhere in the network.
has a 16 bit counter). To fix this issue, Hence, TinySec uses a separate key for each
TinySec pre-encrypts the IV. pair of nodes who might wish to
communicate. This provides better resilience
The creators of TinySec give reasons behind against node capture attacks: a compromised
their choice of cipher in . Initially they node can only decrypt traffic addressed to it
found AES and Triple-DES to be slow for and can only inject traffic to its immediate
sensor networks. They found RC5 and neighbors. But Per-link keying limits passive
Skipjack to be most appropriate for software participation and local broadcast. A less
implementation on embedded restrictive approach is for groups of
microcontrollers. Although RC5 was slightly neighboring nodes to share a TinySec key
faster, it is patented. Also, for good rather than each pair. Group keying provides
performance, RC5 requires the key schedule an intermediate level of resilience to node
to be precomputed, which uses 104 extra bytes capture attacks: a compromised node can
of RAM per key. Because of these drawbacks, decrypt all messages from nodes in its group,
the default block cipher in TinySec is but cannot violate the confidentiality of other
Skipjack. groups' messages and cannot inject messages
to other groups.
For further information about the
TinySec always authenticates messages, but implementation and performance results of
encryption is optional. TinySec uses a cipher TinySec, refer to .
block chaining construction, CBC-MAC for
computing and verifying MACs. CBC-MAC
LEAP (Localized Encryption and
Authentication Protocol)  Group Key
LEAP is a key management protocol for This is a globally shared key that is used by
sensor networks that is designed to support in- the base station for encrypting messages that
network processing, while at the same time are broadcast to the whole group. For
restricting the security impact of a node example, the base station issues missions,
compromise to the immediate network sends queries and interests. Note that from the
neighborhood of the compromised node. The confidentiality point of view there is no
design of the protocol is motivated by the advantage to separately encrypting a broadcast
observation that different types of messages message using the individual key of each
exchanged between sensor nodes have node. However, since the group key is shared
different security requirements, and that a among all the nodes in the network, an
single keying mechanism is not suitable for efficient rekeying mechanism is necessary for
meeting these different security requirements. updating this key after a compromised node is
Hence, LEAP supports the establishment of revoked.
four types of keys for each sensor node – an
individual key shared with the base station, a Cluster Key
pairwise key shared with another sensor node,
a cluster key shared with multiple neighboring A cluster key is a key shared by a node and all
nodes, and a group key that is shared by all the its neighbors, and it is mainly used for
nodes in the network. The protocol used for securing locally broadcast messages, e.g.,
establishing and updating these keys is routing control information, or securing sensor
communication and energy efficient, and messages which can benefit from passive
minimizes the involvement of the base station. participation. For passive participation to be
LEAP also includes an efficient protocol for feasible, neighboring nodes should be able to
inter-node traffic authentication based on the decrypt and authenticate some classes of
use of one-way key chains. A salient feature messages, e.g., sensor readings, transmitted by
of the authentication protocol is that it their neighbors. This means that such
supports source authentication without messages should be encrypted or authenticated
precluding in-network processing and passive by a locally shared key. Therefore, in LEAP
participation. each node possesses a unique cluster key that
it uses for securing its messages, while its
Individual Key immediate neighbors use the same key for
decryption or authentication of its messages.
Every node has a unique key that it shares
pairwise with the base station. This key is Pairwise Shared Key
used for secure communication between a
node and the base station. For example, a node Every node shares a pairwise key with each of
may send an alert to the base station if it its immediate neighbors. In LEAP, pairwise
observes any abnormal or unexpected keys are used for securing communications
behavior by a neighboring node. Similarly, the that require privacy or source authentication.
base station can use this key to encrypt any For example, a node can use its pairwise keys
sensitive information, e.g. keying material or to secure the distribution of its cluster key to
special instruction that it sends to an its neighbors, or to secure the transmissions of
individual node. its sensor readings to an aggregation node.
Note that the use of pairwise keys precludes Science, Rice University, Tech. Rep.
passive participation. TR01-384, June 2002.
 Jeffery Undercoffer, Sasikanth Avancha,
In , the creators of LEAP have described Anupam Joshi and John Pinkston. In
the schemes provided by LEAP for sensor Security for Sensor Networks.
nodes to establish and update individual keys,  Chris Karlof David Wagner. In Secure
pairwise shared keys, cluster keys, and group Routing in Wireless Sensor Networks:
keys for each node. Revocation of a Attacks and Countermeasures.
compromised node and the subsequent  Wadaa, S. Olariu, L. Wilson, M.
rekeying mechanism is also described. Eltoweissy, K. Jones. On Providing
Anonymity in Wireless Sensor
Networks. In Proceedings of the Tenth
Conclusion International Conference on Parallel
and Distributed Systems (ICPADS’04).
In this paper, we introduce sensor networks,  Chris Karlof, Naveen Sastry, David
its related security problems, threats, risks and Wagner. TinySec: A Link Layer
characteristics, and a brief introduction to Security Architecture for Wireless
SPINS, TinySec and LEAP. For Sensor Networks. ACM SenSys 2004,
implementation details and performance November 3-5, 2004.
evaluation of these protocols, please refer to  Sencun Zhu, Sanjeev Setia, Sushil
the ,  and . Adding security in a Jajodia. LEAP: Efficient Security
resource constrained wireless sensor network Mechanisms for Large-Scale Distributed
with minimum overhead provides significant Sensor Networks. In The Proceedings of
challenges, and is an ongoing area of research. the 10th ACM conference on Computer
and communications security, 2003.
 Alan Mainwaring, Joseph Polastre,
References Robert Szewczyk, and David Culler.
Wireless sensor networks for habitat
 Adrian Perrig, Robert Szewczyk, Victor monitoring. In First ACM International
Wen, David Culler, J. D. Tygar. SPINS: Workshop on Wireless Sensor Networks
Security Protocols for Sensor Networks. In and Applications, 2002.
The Seventh Annual International  Robert Szewczyk, Joseph Polastre,
Conference on Mobile Computing and Alan Mainwaring, and David Culler.
Networking (MobiCom 2001), 2001. Lessons from a sensor network
 Sasha Slijepcevic, Miodrag Potkonjak, expedition. In First European Workshop
Vlasios Tsiatsis, Scott Zimbeck, Mani B. on Wireless Sensor Networks (EWSN
Srivastava. On Communication Security in '04), January 2004.
Wireless Ad-Hoc Sensor Networks. In The  Matt Welsh, Dan Myung, Mark
Proceedings of the Eleventh IEEE Gaynor, and Steve Moulton.
International Workshops on Enabling Resuscitation monitoring with a wireless
Technologies: Infrastructure for sensor network. In Supplement to
Collaborative Enterprises (WETICE’02), Circulation: Journal of the American
2002. Heart Association, October 2003.
 Y.C. Hu, A. Perrig, and D. B. Johnson,  G.L. Duckworth, D.C. Gilbert, and
“Wormhole detection in wireless ad hoc J.E. Barger. Acoustic counter-sniper
networks,” Department of Computer system. In SPIE International
Symposium on Enabling Technologies  Adrian Perrig, Ran Canetti, Dawn
for Law Enforcement and Security, Song, and J. D. Tygar. Efficient and
1996. secure source authentication for
 J. Hill, R. Szewczyk, A. Woo, S. multicast. In Network and Distributed
Hollar, D. Culler and K. Pister. System System Security Symposium, NDSS ’01,
architecture directions for networked February 2001.
sensors. In Proceedings of ACM  Adrian Perrig, Ran Canetti, J.D.
ASPLOS IX, November 2000. Tygar, and Dawn Song. Efficient
 C.Intanagonwiwat, R.Govindan and authentication and signing of multicast
D. Estrin. Directed diffusion: A scalable streams over lossy channels. In IEEE
and robust communication paradigm for Symposium on Security and Privacy,
sensor networks In Proc. of May 2000.
MobiCOM’00, Boston, Massachussetts,  Samuel R. Madden, Michael J.
August 2000. Franklin, Joseph M. Hellerstein, and Wei
 C. Karlof, Y. Li, and J. Polastre. Hong. TAG: A tiny aggregation service
ARRIVE: An Architecture for Robust for ad-hoc sensor networks. In The Fifth
Routing In Volatile Environments. Symposium on Operating Systems
Technical Report UCB/CSD-03-1233, Design and Implementation (OSDI
University of California at Berkeley, 2002), 2002.
Mar.2003.  Samuel R. Madden, Robert
 S. Madden, R. Szewczyk, M. Szewczyk, Michael J. Franklin, and
Franklin, and D. Culler. Supporting David Culler. Supporting aggregate
Aggregate Queries Over Ad-Hoc queries over ad-hoc wireless sensor
Wireless Sensor Networks. In 4th IEEE networks. In Workshop on Mobile
Workshop on Mobile Computing Systems Computing and Systems Applications,
and Applications, June 2002. 2002.
 F. Stajano, R. Anderson. “The  M. Bellare, A. Desai, E. Jokipii, and
Resurrecting Duckling: Security Issues P. Rogaway. A concrete security
for Ad-hoc Wireless Networks”, 3rd treatment of symmetric encryption:
AT&T Software Symposium, Analysis of the DES modes of operation.
Middletown, NJ, October 1999. In Proceedings of 38th Annual
 J. R. Douceur, “The Sybil Attack,” in Symposium on Foundations of Computer
1st International Workshop on Peer-to- Science (FOCS 97), 1997.
Peer Systems (IPTPS ’02), March 2002.  Bruce Schneier. Applied
 R. L. Rivest, M.J.B. Robshaw, R. Cryptography, Second Edition. John
Sidney, and Y.L. Yin, “The RC6 Block Wiley & Sons, 1996.
Cipher”, AES submission, Jun 1998.  Mihir Bellare, Joe Kilian, and Phillip
http://theory.lcs.mit.edu/~rivest/rc6.pdf Rogaway. The security of the cipher
 Y.-C. Hu, A. Perrig, and D. B. block chaining message authentication
Johnson, “Wormhole detection in code. Journal of Computer and System
wireless ad hoc networks,” Department Sciences, 61(3):362-399, December
of Computer Science, Rice University, 2000.
Tech. Rep. TR01-384, June 2002.
 Shafi Goldwasser and Silvio Micali.
Probabilistic encryption. Journal of
Computer Security, 28:270–299, 1984.