Security in Wireless Sensor

Networks:
Key Management Approaches

Vasyl A. Radzevych and Sunu Mathew

Overview

Wireless Sensor Networks (WSN)

Security issues in WSN
Key management approaches in WSN:

Overview
Pre-Deployed Keying

Key pre-deployment
Key derivation information pre-deployment
Location aware pre-deployed keying

Autonomous protocols

Pairwise asymmetric (public key)

Arbitrated protocols

Random Key Pre-deployment (P-RKP)

Key derivation information pre-deployment

Identity based group keying

Conclusions

Sensor Networks

Sensor network is composed of a

large number of sensor nodes
Sensor nodes are small, low-cost,
low-power devices that have following
functionality:

communicate on short distances

sense environmental data
perform limited data processing

Network usually also contains sink

node which connects it to the outside
world

Applications

WSN can be used to monitor the conditions of various

objects / processes. Some examples:

Military: friendly forces monitoring, battlefield surveillance,

biological attack detection, targeting, battle damage
assessment
Ecological: fire detection, flood detection, agricultural uses
Health related: human physiological data monitoring
Miscellaneous: car theft detection, inventory control,
habitat monitoring, home applications

Sensors are densely deployed either inside or very close

to the monitored object / process

Security issues in WSN

The discussed applications require communication in WSN to

be highly secure
Main security threats in WSN are:

Radio links are insecure eavesdropping / injecting faulty

information is possible
Sensor nodes are not temper resistant if it is compromised
attacker obtains all security information

Attacker types:

Mote-class: attacker has access to some number of nodes with

similar characteristics / laptop-class: attacker has access to more
powerful devices
Outside (discussed above) / inside: attacker compromised some
number of nodes in the network

Attacks on WSN

Main types of attacks on WSN are:

spoofed, altered, or replayed routing information

selective forwarding
sinkhole attack
sybil attack
wormholes
HELLO flood attacks
acknowledgment spoofing

False routing information

Injecting fake routing

control packets into the
network, examples:
attract / repeal traffic,
generate false error
messages
Consequences: routing
loops, increased latency,
decreased lifetime of the
network, low reliability

A4

A1

A2

A3

Example: captured node attracts

traffic by advertising shortest path
to sink, high battery power, etc

Selective forwarding

Multi hop paradigm is prevalent in WSN

It is assumed that nodes faithfully forward received
messages
Compromised node might refuse to forward packets,
however neighbors might start using another route
More dangerous: compromised node forwards selected
packets

Sinkhole and Sybil attacks

Sinkhole attack:

Idea: attacker creates metaphorical sinkhole by advertising for

example high quality route to a base station
Laptop class attacker can actually provide this kind of route
connecting all nodes to real sink and then selectively drop
packets
Almost all traffic is directed to the fake sinkhole
WSN are highly susceptible to this kind of attack because of
the communication pattern: most of the traffic is directed
towards sink single point of failure

Sybil attack:

Idea: a single node pretends to be present in different parts of

the network.
Mostly affects geographical routing protocols

Wormholes

Idea: tunnel packets

received on one part of
the network to another
Well placed wormhole can
completely disorder
routing
Wormholes may convince
distant nodes that they
are close to sink. This
may lead to sinkhole if
node on the other end
advertises high-quality
route to sink

Wormholes (cont.)

Wormholes can exploit routing race conditions which happens

when node takes routing decisions based on the first route
advertisement
Attacker may influence network topology by delivering routing
information to the nodes before it would really reach them by
multi hop routing
Even encryption can not prevent this attack
Wormholes may convince two nodes that they are neighbors
when on fact they are far away from each other
Wormholes may be used in conjunction with sybil attack

HELLO flood attack

Many WSN routing

protocols require nodes to
broadcast HELLO packets
after deployment, which is a
sort of neighbor discovery
based on radio range of the
node
Laptop class attacker can
broadcast HELLO message
to nodes and then
advertises high-quality route
to sink

Acknowledgment spoofing

Some routing protocols use

link layer acknowledgments
Attacker may spoof acks
Goals: convince that weak
link is strong or that dead
node is alive.
Consequently weak link may
be selected for routing;
packets send trough that link
may be lost or corrupted

Overview of Countermeasures

Link layer encryption prevents majority of attacks: bogus routing

information, Sybil attacks, acknowledgment spoofing, etc.
This makes the development of an appropriate key management
architecture a task of a great importance
Wormhole attack, HELLO flood attacks and some others are still
possible: attacker can tunnel legitimate packets to the other part
of the network or broadcast large number of HELLO packets
Multi path routing, bidirectional link verification can also be used
to prevent particular types of attacks like selective forwarding,
HELLO flood

Key management: goals

The protocol must establish a key between all sensor nodes

that must exchange data securely
Node addition / deletion should be supported
It should work in undefined deployment environment
Unauthorized nodes should not be allowed to establish
communication with network nodes

Key management: constraints

Sensor node constraints:

Battery power

Computational energy consumption

Communication energy consumption

Transmission range
Memory
Temper protection
Sleep pattern

Network constraints:

Ad-hoc network nature

Packet size

Key management:
evaluation/comparison metrics

Resilience against node capture: how many node are to be

compromised in order to affect traffic of not compromised
nodes?
Addition: how complicated is dynamic node addition?
Revocation: how complicated is dynamically node revocation?
Supported network size: what is the maximum possible size of
the network?
Note: since WSN can be used in a lot of different ways it is
not reasonable to look for one key management approach to
suite all needs: 20 000 node network deployed from the
airplane over a battle field has quite different requirements
from 10 node network installed to guard the perimeter of the
house

Key management approaches

classification

Approaches to be discussed

Pre-deployed keying:

Key pre-deployment
Straightforward approaches
Eschenauer / Gligor random key pre-deployment
Chan / Perrig q-composite approach
Zhu / Xu approach
DiPietro smart attacker model and PRK protocol

Key derivation information pre-deployment

Self-enforcing autonomous approaches

Liu / Ning polynomial pre-deployment

Pairwise asymmetric (public key)

Arbitrated protocols

Identity based hierarchical keying

Straight forward approaches

Single mission key is obviously unacceptable

Pairwise private key sharing between every two nodes is
impractical because of the following reasons:

it requires pre-distribution and storage of n-1 keys in each node

which is n(n-1)/2 per WSN.
most of the keys would be unusable since direct communication
is possible only in the nodes neighborhood
addition / deletion of the node and re-keying are complex

Basic probabilistic approach

Due to Eschenauer and Gligor

Relies on probabilistic key sharing among nodes of WSN
Uses simple shared-key discovery protocol for key
distribution, revocation and node re-keying
Three phases are involved: key pre-distribution, shared-key
discovery, path-key establishment

Key pre-distribution

Generate a large key pool P (217-220 keys) and corresponding

key identifiers
Create n key rings by randomly selecting k keys from P
Load key rings into nodes memory
Save key identifiers of a key ring and associated node
identifier on a controller
For each node load a key which it shares with a base station

Shared-key discovery

Takes place during initialization phase after WSN deployment.

Each node discovers its neighbor in communication range
with which it shares at least one key
Nodes can exchange ids of keys that they poses and in this
way discover a common key
A more secure approach would involve broadcasting a
challenge for each key in the key ring such that each
challenge is encrypted with some particular key. The
decryption of a challenge is possible only if a shared key
exists

Path-key establishment

During the path-key establishment phase path-keys are

assigned to selected pairs of sensor nodes that are within
communication range of each other, but do not share a key
Node may broadcast the message with its id, id of intended
node and some key that it posses but not currently uses, to all
nodes with which it currently has an established link. Those
nodes rebroadcast the message to their neighbors
Once this message reaches the intended node (possible
through a long path) this node contacts the initiator of path
key establishment
Analysis shows that after the shared-key discovery phase a
number of keys on a key ring are left unused

Simulation results
1000 nodes, 40 nodes neighborhood, P=10000

number of hops

Path length to neighbors

Key revocation

Key revocation is accomplished in the following way: a

controller node that has all keys and ids in its memory,
broadcasts a message containing a list of k key identifiers for
the key ring to be revoked
This message is signed with signature key which is encrypted
and unicasted to all nodes prior revocation. This encryption is
done using individually shared between node and controller
keys
After obtaining a signature key, each node locate received
identifiers in its key ring and removes the corresponding keys
if they are present
Since some links might disappear they should be
reestablished using keys that are left in the key ring

Resiliency to node capture

More robust then approaches that use single mission key

In case node is captured k<<n keys are obtained
This means that the attacker has a probability of k/P to attack
successfully any other WSN link

WSN connectivity

Two nodes are connected if they share a key

Full connectivity of WSN is not required because of the limited
communication capabilities of the sensor nodes
Two important questions:

What should be the expected degree of a node so that WSN is

connected?
Given expected degree of a node what values should the key
ring size, k, and pool, P, have for a network of size n so that
WSN is connected?

Random-graph theory helps in answering the first question

Random graphs

A random graph G(n,p) is a graph of n nodes for which the

probability that a link between any two nodes exists is p
Question: what value should p have so that it is almost
certainly true that graph G(p,n) is connected?
Erdos-Renyi formula:

Pc lim Pr[G (n, p)is _ connected] e

n inf

e c

(1)

where
p

ln( n) c

n
n

(2)

Pc is a desired probability for the graph connectivity

Based on the formulas above p and d=p(n-1) can be found
(d-expected degree of a node)

Random-graphs (cont.)

Expected degree of node vs. number of nodes, where

Pc=Pr[G(n,p) is connected]

Key ring and key pool sizes

Due to the limited communication capabilities a number of

nodes with which a particular node can communicate is
n<<n
This means that the probability of two nodes sharing at
least one key in their key rings of size k is p=d/(n-1)>>p
Key pool size P can be derived as a function of k:

k 2( P k 1 / 2)
(1 )
P
p' 1
2k ( P 2 k 1 / 2)
(1 )
P

Key ring and key pool size (cont.)

Probability of sharing at least one key when two nodes

choose k keys from a pool of size P

Key ring and key pool size: example

WSN contains n=10000 nodes, desired probability of network

connectivity is Pc=0.99999, communication range supports 40
nodes neighborhoods
According to the formula (1) c=11.5, therefore p=2*10-3
d=2*10-3*9999=20
This means that if each node can communicate with on
average 20 other nodes the network will be connected
p=20/(40-1)=0.5
According to formula (3) k can be set to 250 and P can be set
to 100000

q-composite approach

Enhancement of the basic probabilistic approach

Idea: nodes should share q keys instead of only one
Approach:

Key pool P is an ordered set

During initialization phase nodes broadcast ids of keys that
they have
After discovery each nodes identifies the neighbor with which it
share at least q keys
Communication key is computed as a hash of all shared keys
Keys appear in hash in the same order as in key pool

Benefits of q-composite approach

q-composite approach has greater resiliency to node capture

than the basic approach if small number of nodes were
captured
Simulations show that for q=2, the amount of additional
communications compromised when 50 nodes (out of 10000)
have been compromised is 4.74%, as opposed to 9.52% in
the basic scheme
However if large number of nodes have been compromised qcomposite scheme exposes larger portion of network than the
basic approach
The larger q is the harder it is to obtain initial information
Parameter q can be customized to achieve required balance
for a particular network

Zhu / Xu approach

Another modification of the basic probabilistic approach

Major enhancement:

Pseudorandom number generator is used to improve security of

key discovery algorithm
Also uses secret sharing which jointly with logical paths allows
nodes to establish a pairwise key that is exclusively known to the
two nodes (in contrast to basic probabilistic approach, where
other nodes might also know some particular key)

Zhu / Xu approach: key predistribution

Background: a pseudo-random number generator, or

PRNG, is a random number generator that produces a
sequence of values based on a seed and a current state.
Given the same seed, a PRNG will always output the same
sequence of values.
Key pool P of size l is generated
For each node u, pseudorandom number generator is used to
generate the set of m distinct integers between 1 and l (key
ids). Nodes unique id u is used as a seed for the generator
Each node is loaded with key ring of size m
Keys for the key rings are selected from key pool P in
correspondence with integers (key ids) generated for a
particular node by pseudorandom number generator
This allows any node u that knows another nodes v id to
determine the set of ids of keys that v poses

Zhu / Xu approach: Logical

path establishment

The established on previous step keys are not exclusive and

consequently not secure enough, however they can be used
to establish exclusive key
During the network initialization phase, nodes discover so
called logical paths
Nodes can establish a direct path in case they share a
common key on their key rings
This can easily be accomplished as was described in the
previous slide by discovering common key id
In case nodes do not share a key authors propose a path-key
establishment algorithm similar to one in basic probabilistic
approach, the difference is that nodes try to establish several
logical paths, which later should help in establishing a
pairwise key

Zhu / Xu: pairwise key

establishment

The next step of network initialization is pairwise key

establishment
A sender node randomly generates a secret key ks
Then derives n-1 random strings sk1, sk2,, skn-1
skn is computed as follows: skn = ks XOR sk1XOR sk2 XOR,,
XOR skn-1
This way a recipient has to receive all n shares in order to
derive a secret key ks
After secret shares are computed, each of them is send to the
recipient using different logical path
Once all shares are received the recipient can confirm the
establishment of pairwise key by sending a HELLO message
encoded with a new key
Authors provide a framework according to which number of
shares and the way they are send is decided

Further enhancements

So far all the discussed approaches have used one of the

following algorithms for shared-key discovery:

Key id notification
Challenge response
Pseudorandom key id generation

Those algorithms work well against so called oblivious

attacker, the one that randomly selects next sensor to
compromise
What if attacker selects nodes that will allow him to
compromise the network faster, based on already obtained
information (key ids)?
This is the case of so called smart attacker

Smart attacker

More precisely smart attacker can be defined as follows:

at each step of the attack sequence, the next sensor to tamper is

sensor s, where s maximizes E[G(s)| I(s)], the expectation of the
key information gain G(s) given the information I(s) the attacker
knows on sensor s key-ring

Simulations show that Key id notification and pseudorandom

key id generation can be easily beaten by the smart attacker
Challenge response performs better

Simulation results

Experimental results on id notification and pseudorandom key id generation:

Number of sensors to corrupt in order to compromise an arbitrary channel.

Simulation results

Experimental results on challenge response:

Number of sensors to corrupt in order to compromise an arbitrary channel.

PRK algorithm

Why not using challenge response? Inefficient

The goal is to define a key pre-deployment scheme that
supports an efficient and secure key discovery phase, as
efficient as pseudorandom key id generation (no message
exchange) and as secure as challenge response
DiPietro et al. suggested a new algorithm that achieves the
above described requirements

PRK algorithm

Key pre-distribution

For each sensor sa

For all keys vPi of the pool P, compute z=fy(a || vPi)

Iff z0 mod (P/K), then put vPi into the key ring Va of sensor sa

Assumption P/K divides by 2h, where h is the size of the input

Key discovery

In case sensor sb wants to establish a secure channel with

sensor sa it has to perform the following calculations:

For each key vbj in its key ring sensor sb computes z=fy(a||vbj)
If z0 mod (P/K), sensor sa also has key sb

PRK algorithm analysis

Benefits:

Complexity is comparable to pseudo-random index

transformation: no message exchange and K applications of the
pseudo-random function.
Only who already knows key vPi can know whether sensor sa has
that key or not by computing z=fy(a||vbj) and checking out if
z0 mod( P/K ). All other entities gets no information from z. This
is exactly the same information revealed by challenge response

Drawbacks:

Not enough control of key ring size: it is possible that applying

the formula to sensor id and key in a key pool will yield key ring
that is

too large - larger than sensor memory

too small not enough for the network to be connected

In either case node id a should be regenerated

Authors prove that it is feasible to regenerate sensor ids to
achieve required properties

PRK algorithm: simulations

Experimental results on PRK algorithm: number of sensors to corrupt in order

to compromise an arbitrary channel. The PRK algorithm is as secure as
challenge response and in the same time as efficient as pseudorandom key id
generation

Background: polynomial based

key pre-distribution

Polynomial based key pre-distribution scheme reduces the

amount of pre-distributed information still allowing each pair of
nodes to compute a shared key
Polynomial based key pre-distribution is -collusion resistant,
meaning that as long as or less nodes are compromised the
rest of the network is secure
Utilizes polynomial shares

Polynomial based key predistribution : initialization

Special case: =1
Each node has an id rU which is unique and is a member of
finite field Zp
Three elements a, b, c are chosen from Zp
Polynomial f(x,y) = (a + b(x + y) + cxy) mod p is generated
For each node polynomial share gu(x) = (an+ bnx) mod p
where an= (a + brU) mod p and bn= (b + crU) mod p is formed
and pre-distributed

Polynomial based key predistribution : key discovery

In order for node U to be able to communicate with node V

the following computations have to be performed:
Ku,v= Kv,u= f(ru,rv) = (a + b(ru+rv) + crurv )mod p
U computes Ku,v= gu(rv)
V computes Kv,u= gv(ru)

Polynomial based key predistribution : example

Example:
3 nodes: U, V, W, with the following ids 12, 7, 1
respectively
p=17 (chosen parameter)
a=8, b=7, c=2 (chosen parameters)
Polynomial f(x,y) = 8+7(x+y)+2xy
g polynomials are gu(x) = 7 + 14x, gv(x) = 6 + 4x,
gw(x) = 15+9x
Keys are Ku,v=3, Ku,v=4, Ku,v=10
U computes Ku,v= gu(rv) = 7+14*7mod17 = 3
V computes Kv,u= gv(ru) = 6+4*12mod17 = 3

Polynomial based key predistribution : generalization

Polynomial based key pre-distribution scheme can be

generalized to any by changing polynomials in the following
way:
i j

f ( x, y ) ai , j x i y j mod p; f ( x, y ) f ( y, x)
i 0 j 0

g u ( x) f ( x, ru ) mod p au ,i x i
i 0

f ( x, y ) is a randomly generated, bivariate -degree, symmetric

polynomial over finite field Zp, pn is prime

Liu-Ning approach

Combination of polynomial-based key pre-distribution and the

key pool idea discussed above
Increases network resilience to node capture
Can tolerate no more than compromised nodes, where is
constrained by the size of memory of a node
Idea: use a pool of randomly generated polynomials
When pool contains only one polynomial the approach
degenerates to basic polynomial based key pre-distribution
scheme
When all polynomials are of degree 0 the approach
degenerates to key pool approach
Three phases are involved: setup, direct key establishment,
path key establishment

Setup phase

Set F of bivariate -degree polynomials over finite field Fq is

generated
Each polynomial is assigned a unique id
For each sensor node a subset of s polynomial is randomly
chosen from F
For each polynomial in the chosen subset a polynomial share
is loaded into nodes memory

Direct key establishment

phase

During this phase all possible direct links are established

A node can establish a direct link with another node if they
both share a polynomial share of a particular polynomial
How to find common polynomial? Use above discussed
approaches

Path key establishment phase

If direct connection establishment fails nodes have to start

path key establishment phase
Nodes need to find a path such that each intermediate nodes
share a common key
Node may broadcast the message with polynomials ids that it
posses to all nodes with which it currently has an established
link
Once this message reaches the intended node (possible
through a long path) this node computes a key and contacts
the initiator of path key establishment
Drawback: may introduce considerable communication
overhead

Simulation results

The probability p that 2 sensors share a polynomial vs

size s of the polynomial pool (s number of polynomial
shares in each sensor)

Simulation results: comparison

with already discussed
approaches

Fraction of compromised links between non compromised nodes

vs number of compromised nodes
(20000 nodes, nodes can store equivalent of 200 keys)

Grid-based key predistribution

Instance of general framework discussed above

Benefits:
Guarantees that any two nodes can establish a pairwise
key, if no nodes were compromised
Allows sensors to directly determine whether it can
establish a pairwise key with another node and which
polynomial to use in case of positive answer

Subset assignment

2m -degree polynomials are generated

F { fi c ( x, y), fi r ( x, y)}i 0,..,m1 , where m

and N is the size of the network

Each row of the grid is associated with f i r ( x, y ) polynomial
and each column is associated with f i c ( x, y ) polynomial
For each sensor an unoccupied intersection (i, j) of the grid
is selected and assigned to the node

Subset assignment (cont.)

The id of the node is created by concatenation of binary

representations of i and j. ID=< ib:: jb >
Intersections should be densely selected within a rectangle
area of the grid
Polynomial shares of corresponding (row / column)
polynomials together with id are pre-distributed to each node

Node assignment in the grid

Node assignment in the grid

Polynomial share discovery

To establish a pairwise key with node j, node i checks

whether ci=cj or ri=rj
If either of conditions hold, nodes have a polynomial share of
the same polynomial, consequently they can compute a
common key directly
Otherwise nodes have to go through path discovery

Path discovery

Idea: nodes can use intermediate nodes to help in

establishing a common key
The intermediate node should be located in either the same
row / column as first node or same column / row as a second
node
This way intermediate node definitely share a polynomial with
both nodes
Note: there are only two of such intermediate nodes for each
pair of nodes
What if both if them are compromised / unreachable?
The path through the grid should be established
Authors developed an efficient protocol to accomplish this
The main idea of the protocol is that intermediate nodes try to
forward the request to the node that is located in the same
row / column as a destination

Path discovery: example

Establishing a path through the grid

Public key infrastructure

The limited computation and power resources of sensor

nodes often makes it undesirable to use existing publickey algorithms, such as Diffie-Hellman key agreement or
RSA signatures

Symmetric vs. asymmetric

algorithms

Public key scheme for WSN

Is it possible to develop a public key infrastructure suitable for

wireless sensor networks?
Recent studies show that it is still possible to utilize public key
ideas for the purposes of securing WSN
Gaubatz et al. developed an ultra low power implementation
of Rabin's Scheme and NtruEncrypt Algorithm
Authors have demonstrated that it is possible to design public
key encryption architectures with power consumption of less
than 20 mW using the right selection of algorithms and
associated parameters, optimization and low power
techniques
The details of solutions will not be discussed, since it mainly
involves VLSI / circuit design

Arbitrated keying protocols:

system model

According to the model, network consists of three types of

nodes: command node, gateways and regular sensor nodes
Gateways partition the network into distinct clusters as follows

Arbitrated keying protocols:

node requirements

Sensor nodes

Gateways

Are equipped with GPS modules and can determine its location
during bootstrapping
Remain stationary
Can unicast / broadcast information to other gateways on the
network
Can establish the group key using a group key agreement
protocols

Command node

is assumed to be secure and is trusted by all of the nodes in the

sensor network

Identity based hierarchical keying:

initialization phase (description)

Description of the initialization phase:

Prior deployment each gateway is assigned |S|/|G| keys, where

|S| is the number of sensors on the network and |G| is the
number of gateways
Each sensor is preloaded with id if the gateway with which it
share a key
After deployment each gateway forms a cluster using cluster
formation algorithm and acquires the keys of the sensors in its
cluster from the other gateways
After key exchange is performed gateways erases key of sensors
that do not belong to its cluster

Identity based hierarchical keying:

initialization phase (protocol)
Each sensor Si broadcasts its id (idSi ) and id (idGj) of the
gateway with which it shares a key

Clustering process is performed

After clustering gateways identify set of sensors that
belong to its cluster {id}i and broadcasts it to other gateways

Each gateway Gj replies to Gi with the set of keys and

corresponding sensor ids {(KSk,Gj, idSk)}i

On the last step, each sensor receives a message that assigns

it to the gateway

Identity based hierarchical

keying: node addition
Each new sensor is preloaded with two keys as other sensors
Command node transmits the list of (identifier, key) pairs to a
randomly selected gateway Gh, which becomes the gateway that
shares the keys of the new sensors:
Each added node broadcasts a hello message (same as on
initialization phase)
Clustering mechanisms adjusts itself
Each gateway broadcasts the sensors in its range to the
gateways in G, requesting the keys for those sensors

Identity based hierarchical

keying: node addition (cont.)

Gh responds to those requests

Each new sensor Si is assigned to the gateway Gi

Identity based hierarchical

keying: node revocation

If a group of sensors are compromised, they can be trivially

evicted from the command nodes sensor list by the command
node, as well as from their cluster by the gateway.
Gateway revocation is slightly more complicated
Command node evicts gateway G from the list of gateways
and chooses a head gateway Gh randomly
Command node sends the identifiers of each sensor and their
new gateway Gi to Gh
Also the new keys that sensors share with Gi are sent

Identity based hierarchical

keying: node revocation (cont)

Clustering process takes place

Second and third parts of the message is sent to Gi
Gi notifies each sensor on its cluster about new shared key

Identity based hierarchical

keying: simulations

Distribution of sensor energy consumption with our

approach.

Identity based hierarchical

keying: analysis

Benefits:

Low energy consumption

Low communication overhead for key establishment
Low memory requirements for sensor nodes
Good resilience against sensor capture

Drawbacks:

Specific network model requirements

Sensors have to be equipped with GPS modules
Efficient clustering algorithm is required

Location Aware Key

Management for WSN

Problem:

How to pick a large key pool while still maintaining high

connectivity? (i.e maintain resilience while ensuring connectivity)
(e.g. 100,000 vs 200)

Solution:

Exploit Location information (Deployment Knowledge)

Du et. al. Infocom 2004. Exploit Location Knowledge for P-RKP

Huang et. Al. SASN 2004. Exploit Location Knowledge for SKRKP

Location Aware Purely Random

Key Predistribution (P-RKP)

Du et. al (IEEE Infocom 2004)

Improves Random Key Predistribution (Eschenauer and Gligor)

by exploiting Location Information.

Studies a Gaussian distribution for deployment of Sensor nodes

to improve security and memory usage.

Location Aware Purely Random

Key Predistribution (P-RKP)

Rectangular Deployment area (X x Y)

General Deployment Model (Individual)

Current predeployment schemes assume pdf for location f(x,y) as

1/XY.
Group based Deployment Model.

Group based Deployment Model:

N sensor nodes divided into t x n equal size groups. Group G(i,j)

has deployment point x(i,j).
Deployment points arranged in a grid
Resident points of node k follow pdf

Location Aware Purely Random

Key Predistribution (P-RKP)

Groups select from key group S (i,j)

S Si, j , i 1,...t, j 1..n

Probability node is in a certain group is (1 / tn).

Location Aware Purely Random

Key Predistribution (P-RKP)

Key sharing graphs used to enable connectivity

Use flooding to find secure path (Limit to 3 hops)

Setting up the key pools

Two horizontally or vertically neighboring pools share a|Sc| keys

where 0<= a <= 0.25
Two diagonally neighboring key pools share b|Sc| keys, where
0<=b<=0.25
Two non-neighboring key pools share no keys.
Overlapping factors - a,b

Location Aware Purely Random

Key Predistribution (P-RKP)

Location Aware Purely Random

Key Predistribution (P-RKP)

Key Assignment for Key Pools

| S c | keys from the global key pool S,
For group S 1,1, select
then remove these | S c | keys from S.
For group S , j 2,..., n
, select a. | S c | keys from pool S1, j 1,
1, j

then select w (1 a). | S c | keys from global pool S

For group S i , j , i 2,.... t , j 1,.... n select a. | S c | from each of the key
pools
S i 1, j , and S i , j 1 if they exist; select b.| S c | Keys from
each of the key pools S i 1, j 1 and S
if they exist; then
select w keys from the global key pool S, and remove these w keys
from S.
i 1, j 1

Location Aware Purely Random

Key Predistribution (P-RKP)

Detemining |Sc|

When |S| = 100,000, t = n = 10, a = 0.167, b = 0.083

|Sc| = 1770

Location Aware Purely Random

Key Predistribution (P-RKP)

Performance Evaluation

Evaluation Metrics

Connectivity (Local and Global)

Communication overhead
Resilience against node capture

System configuration

|S| = 100,000. N = 10,000.

Deployment area = 1000m x 1000m
T =n =10m. Each grid is 100m x 100m.
Center of grid is deployment point. Wireless communication
range is 40m.

Location Aware Purely Random

Key Predistribution (P-RKP)

Location Aware Purely Random

Key Predistribution (P-RKP)

Local Connectivity

Plocal = Pr((B(n1,n2)|A(n1,n2))

Probability node is in a certain group is (1 / tn)

Probability that nodes i and j have local connectivity) is
1)Probability that n and n share a key (p-lambda) *
2)Probability that n resides around the point Z(x,y) *
3)Probability that n is a neighbor of n
Plocal is the average of this value across the whole region

Location Aware Purely Random

Key Predistribution (P-RKP)

Performance Local connectivity

With 100 keys, location management improves local connectivity

from 0.095 to 0.687

Location Aware Purely Random

Key Predistribution (P-RKP)

Global connectivity

Only simulation results are available

Location Aware Purely Random

Key Predistribution (P-RKP)

Effects of the Overlapping Factors (a,b)

Location Aware Purely Random

Key Predistribution (P-RKP)

Communication overhead

Path needed when two neighbours cannot find a common key.

ph(i) is the probability that the smallest number of hops needed to
connect two neighbouring nodes is i. i is at most 3.

Location Aware Purely Random

Key Predistribution (P-RKP)

Resilience against node capture

Fraction of additional communication (among uncaptured nodes)

that can be compromised based on capture of x nodes.

Location of the x captured nodes affects results.

Assume random location of x nodes (unrealistic)

Location knowledge significantly improves network resilience

1 (1 m/|S|)^x

Location Aware Purely Random

Key Predistribution (P-RKP)

Location Aware Structured Key

Random Key Predistribution (SK-RKP)

Huang et. al. (SASN 2004)

Claims random node capture assumption too weak (selective

capture possible)
Gridgroup deployment scheme.
Introduces the node fabrication attack
Uses location based information and a structured key pool
Claims fewer number of keys and resilience to selective node
capture and node fabrication attacks

Location Aware SK-RKP

P-RKP vs SK-RKP
Robustness of both weakened by selective node capture attack

Location Aware SK-RKP

Both are also weakened by node fabrication attack

P-RKP By capturing two nodes, attacker can
fabricate and deploy (2m new nodes.
SK-RKP is harder to compromise (still possible)
Grid-Group Deployment Scheme

Partition N sensors into i.j groups with n z sensors in each

group
Assign the identifier [(i,j),b] to each sensor in the G(i,j)
where b= 1,.N
Assign m keys to each sensor in group G(i,j)
Uniformly distribute the sensors for the group G(i,j) in zone
Z(i,j)

Key Predistribution (I
Scheme) within a given zone

Divide key poll P into L x M sub-key pools (P(i,j), i = 1.L,j =

1M)). Each sub-key pool is divided into w sub-key spaces. A
sub-key space is a N x ( +1) key matrix A, where each
element of A is a unique key)
Divide the N sensors into L x M groups (a group is represented
by G(i,j) where i = 1,.L, j = 1,M)
Assign unique identifiers to the sensors. For each sensor,
assign id = [(i,j),b], where (i,j) is the group id and b = 1,.N
For sensor [(i,j),b], randomly select T sub-key spaces in P(i,j)
making sure the selected sub-key space is not already
selected times. Load sensor with the bth row of matrix A for
each sub key space selected

Key Predistribution (EScheme) for adjacent zones

For each sensor in group G(i,j), randomly select one sensor,

say j, from a neighbouring group, say G(i2,j2).
Install duple < k i , j, id j > in i and duple < k i , j , id i > in j, where
key k i , j is unique and id i , id j are the node ids.
Once a peer node is selected, it cannot select another node in
the same group
If all sensors have selected a node in each of its neighboring
groups, stop, otherwise go to the first step

Location Aware SK-RKP

Key establishment within the

same zone

Key establishment within the same zone

Each sensor, say [(i,j),b], broadcasts identifier [(i,j),b] and key

space identifiers [ 1 , 2 ]
For each neighbor, sensor adds a link in key-graph if they
share a key .
Sensor broadcasts list of neighbors who share key-space with
it. Uses similar messages from others to expand key-graph.
Source routing to to request and establish pairwise keys with
all its neighbors.

Key establishment within

adjacent zones

Each sensor, broadcasts desired node list (of nodes in

the adjacent zone)
A neighbor of the requestor within the same zone who
already shares a key with the nodes For each neighbor,
sensor adds a link in key-graph if they share a key
Sensor broadcasts list of neighbors who share keyspace with it. Uses similar messages from others to
expand key-graph.
Source routing to request and establish pairwise keys
with all its neighbors.

Performance Analysis

Memory overhead

For p = 0.5238, m = 68 (similar to Du et. Al.)

Security Analysis

Secure against Random Node capture, Selective Node capture and

Node Fabrication attacks

Performance Analysis
(Security)

Summary

Robust security mechanisms are vital to the wide

acceptance and use of sensor networks for many
applications
Key management in turns is one the most important
aspects in any security architecture
Various peculiarities of Wireless Sensor Networks make
the development of good key management scheme a
challenging task
We have discussed several approaches to key management
in WSN
All of them have strong and weak points
The diverse nature of WSN usage makes it not reasonable to
look for some particular approach that would be suitable for all
cases

Bibliography

I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, E. Cyirci. Wireless Sensor

Networks: A Survey. Computer Networks, 38(4):393-422, 2002.
C. Karlof and D. Wagner, Secure Routing in Wireless Sensor Networks:
Attacks and Countermeasures. First IEEE International Workshop on
Sensor Network Protocols and Applications, May 2003
D. Carman, P. Kruus, and B. Matt. Constraints and approaches for
distributed sensor network security. NAI Labs Technical Report #00-010,
September 2000
L. Eschenauer and V. Gligor. A Key-Management Scheme for Distributed
Sensor Networks. In Proc. of ACM CCS02, November 2002
H. Chan, A. Perrig, D. Song Random Key Predistribution Schemes for
Sensor Networks. In 2003 IEEE Symposium on Research in Security and
Privacy
S. Zhu, S. Xu, S. Setia, S. Jajodia Establishing Pair-wise Keys For Secure
Communication in Ad Hoc Networks: A Probabilistic Approach. In Proc. of
the 11th IEEE International Conference on Network Protocols
R. Di Pietro, L. Mancini, A. Mei. Efficient and Resilient Key Discovery Based
on Pseudo-Random Key Pre-Deployment. 18th International Parallel and
Distributed Processing Symposium

Bibliography

D. Liu, P. Ning, Establishing Pairwise Keys in Distributed Sensor Networks,

10th ACM CCS '03, Washington D.C., October, 2003
G. Jolly, M. Kusu, P. Kokate, M. Younis. A Low-Energy Key Management
Protocol for Wireless Sensor Networks. Eighth IEEE International
Symposium on Computers and Communications
G. Gaubatz, J.Kaps, B. Sunar Public Key Cryptography in Sensor Networks
Revisited. 1st European Workshop on Security in Ad-Hoc and Sensor
Networks
C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung.
Perfectly secure key distribution for dynamic conferences. In Information
and Computation, 146 (1), 1998, pp 1-23.
Introduction to Modern Cryptography by M. Bellare, P. Rogaway
November 3, 2003
Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and
S. Vanstone, CRC Press, 1996.
The Strange Logic of Random Graphs, Joel H. Spencer
Nanotechnology website http://www.nanotech-now.com

Bibliography

W. Du, J. Deng, Y. Han, S. Chen, P. Varshney. A Key Management

Scheme for Wireless Sensor Networks Using Deployment Knowledge. IEEE
Infocom 2004.
D. Huang, M. Mehta, D. Medhi, L. Harn. Location-aware Key Management
for Wireless Sensor Networks. 2004 ACM Workshop on Security of Ad Hoc
and Sensor Networks. (SASN 04)