Department of Computer Science
Southern Illinois University Carbondale
CS 591 – Wireless & Network Security
Lecture 14: Key Management in WSNs
Dr. Kemal Akkaya
E-mail: [email protected]
Kemal Akkaya
Wireless & Network Security
1
Key management: Constraints in WSNs
 Sensor node constraints:
 Battery power
 Computational energy consumption
 Communication energy consumption




Transmission range
Memory
Temper protection
Sleep pattern
 Network constraints:
 Ad-hoc network nature
 Packet size
 Nodes can easily be captured and compromised
 Key Management include the processes of key setup, the initial
distribution of keys and key revocation (removal of the compromised
key).
 Many Security-critical application that depend on key management
processes demand a high level of fault tolerance when a node is
compromised.
Kemal Akkaya
Wireless & Network Security
2
Key management approaches
classification
Kemal Akkaya
Wireless & Network Security
3
Approaches
 Trusted-Server Schemes
 Finding trusted servers is difficult.
 Public-Key Schemes
 Expensive and infeasible for sensors.
 Key Pre-distribution Schemes
 Simplest solution is a network-wide shared key.
 Problem: if even a single node were compromised, the secret key would
be revealed, and decryption of all network traffic would be possible.
 Slightly better solution:
 Pairwise keys: Impractical because of storage
 Use a single shared key to establish a set of link keys, one per pair of
communicating nodes, then erase the network-wide key
 Problem: does not allow addition of new nodes after initial deployment.
 Others:
 Random pre-key distribution
 Quorum-based
Kemal Akkaya
Wireless & Network Security
4
Basic probabilistic approach
 Due to Eschenauer and Gligor
 Relies on probabilistic key sharing among nodes of WSN
 Uses simple shared-key discovery protocol for key distribution,
revocation and node re-keying
 Three phases are involved:
 key pre-distribution,
 shared-key discovery,
 path-key establishment
 Key pre-distribution





Generate a large key pool P (217-220 keys) and corresponding key identifiers
Create n key rings by randomly selecting k keys from P
Load key rings into nodes memory
Save key identifiers of a key ring and associated node identifier on a controller
For each node load a key which it shares with a base station
 Shared-key Discovery
 Takes place during initialization phase after WSN deployment. Each node
discovers its neighbor in communication range with which it shares at least one
key
 Nodes can exchange ids of keys that they poses and in this way discover a
common key
Kemal Akkaya
Wireless & Network Security
5
Path-key establishment
 During the path-key establishment phase path-keys are assigned to
selected pairs of sensor nodes that are within communication range of
each other, but do not share a key
 Node may broadcast the message with its id, id of intended node and
some key that it posses but not currently uses, to all nodes with which it
currently has an established link. Those nodes rebroadcast the message
to their neighbors
 Once this message reaches the intended node (possible through a long
path) this node contacts the initiator of path key establishment
 Analysis shows that after the shared-key discovery phase a number of
keys on a key ring are left unused
Kemal Akkaya
Wireless & Network Security
6
Node Capture & Connectivity
Node Capture
 More robust then approaches that use single mission key
 In case node is captured k<<n keys are obtained
 This means that the attacker has a probability of k/P to
attack successfully any other WSN link
Connectivity
 Two nodes are connected if they share a key
 Full connectivity of WSN is not required because of the
limited communication capabilities of the sensor nodes
 Two important questions:
 What should be the expected degree of a node so that
WSN is connected?
 Given expected degree of a node what values should the
key ring size, k, and pool, P, have for a network of size n
so that WSN is connected?
Kemal Akkaya
Wireless & Network Security
7
q-composite approach
 Enhancement of the basic probabilistic approach
 Idea: nodes should share q keys instead of only one
 Approach:
 Key pool P is an ordered set
 During initialization phase nodes broadcast ids of keys that they have
 After discovery each nodes identifies the neighbor with which it share at least q
keys
 Communication key is computed as a hash of all shared keys
 Keys appear in hash in the same order as in key pool
 Benefits
 q-composite approach has greater resiliency to node capture than the basic




approach if small number of nodes were captured
Simulations show that for q=2, the amount of additional communications
compromised when 50 nodes (out of 10000) have been compromised is
4.74%, as opposed to 9.52% in the basic scheme
However if large number of nodes have been compromised q-composite
scheme exposes larger portion of network than the basic approach
The larger q is the harder it is to obtain initial information
Parameter q can be customized to achieve required balance for a particular
network
Kemal Akkaya
Wireless & Network Security
8
Zhu / Xu approach
 Another modification of the basic probabilistic approach
 Major enhancement:
 Pseudorandom number generator is used to improve security of key discovery
algorithm
 Also uses secret sharing which jointly with logical paths allows nodes to
establish a pairwise key that is exclusively known to the two nodes (in contrast
to basic probabilistic approach, where other nodes might also know some
particular key)
Kemal Akkaya
Wireless & Network Security
9
Zhu / Xu approach: key predistribution
 Background: a pseudo-random number generator, or PRNG, is a random
number generator that produces a sequence of values based on a seed
and a current state. Given the same seed, a PRNG will always output the
same sequence of values.
 Key pool P of size l is generated
 For each node u, pseudorandom number generator is used to generate
the set of m distinct integers between 1 and l (key ids). Nodes unique id u
is used as a seed for the generator
 Each node is loaded with key ring of size m
 Keys for the key rings are selected from key pool P in correspondence
with integers (key ids) generated for a particular node by pseudorandom
number generator
 This allows any node u that knows another nodes v id to determine the
set of ids of keys that v poses
Kemal Akkaya
Wireless & Network Security
10
Further enhancements
 So far all the discussed approaches have used one of the following
algorithms for shared-key discovery:
 Key id notification
 Challenge response
 Pseudorandom key id generation
 Those algorithms work well against so called “oblivious” attacker, the one
that randomly selects next sensor to compromise
 What if attacker selects nodes that will allow him to compromise the
network faster, based on already obtained information (key ids)?
 This is the case of so called “smart” attacker
Kemal Akkaya
Wireless & Network Security
11
Smart attacker
 More precisely smart attacker can be defined as follows:
 at each step of the attack sequence, the next sensor to tamper is sensor s,
where s maximizes E[G(s)| I(s)], the expectation of the key information gain G(s)
given the information I(s) the attacker knows on sensor s key-ring
 Simulations show that Key id notification and pseudorandom key id
generation can be easily beaten by the smart attacker
 Challenge response performs better
Kemal Akkaya
Wireless & Network Security
12
Simulation results
Experimental results on id notification and pseudorandom key id generation:
Number of sensors to corrupt in order to compromise an arbitrary channel.
Kemal Akkaya
Wireless & Network Security
13
Simulation results
Experimental results on challenge response:
Number of sensors to corrupt in order to compromise an arbitrary channel.
Kemal Akkaya
Wireless & Network Security
14
Background: polynomial based key predistribution
 Polynomial based key pre-distribution scheme reduces the amount of predistributed information still allowing each pair of nodes to compute a
shared key
 Polynomial based key pre-distribution is λ-collusion resistant, meaning
that as long as λ or less nodes are compromised the rest of the network is
secure
 Utilizes polynomial shares
Kemal Akkaya
Wireless & Network Security
15
Polynomial based key pre-distribution :
initialization





Special case: λ=1
Each node has an id rU which is unique and is a member of finite field Zp
Three elements a, b, c are chosen from Zp
Polynomial f(x,y) = (a + b(x + y) + cxy) mod p is generated
For each node polynomial share gu(x) = (an+ bnx) mod p
where an= (a + brU) mod p and bn= (b + crU) mod p is formed and predistributed
Kemal Akkaya
Wireless & Network Security
16
Polynomial based key pre-distribution : key
discovery
 In order for node U to be able to communicate with node V the following
computations have to be performed:
 Ku,v= Kv,u= f(ru,rv) = (a + b(ru+rv) + crurv )mod p
 U computes Ku,v= gu(rv)
 V computes Kv,u= gv(ru)
Kemal Akkaya
Wireless & Network Security
17
Polynomial based key pre-distribution :
example
 Example:
 3 nodes: U, V, W, with the following id’s 12, 7, 1 respectively
 p=17 (chosen parameter)
 a=8, b=7, c=2 (chosen parameters)
 Polynomial f(x,y) = 8+7(x+y)+2xy
 g polynomials are gu(x) = 7 + 14x, gv(x) = 6 + 4x,
gw(x) = 15+9x
 Keys are Ku,v=3, Ku,v=4, Ku,v=10
 U computes Ku,v= gu(rv) = 7+14*7mod17 = 3
 V computes Kv,u= gv(ru) = 6+4*12mod17 = 3
Kemal Akkaya
Wireless & Network Security
18
Liu-Ning approach
 Combination of polynomial-based key pre-distribution
and the key pool idea discussed above
 Increases network resilience to node capture
 Can tolerate no more than λ compromised nodes,
where λ is constrained by the size of memory of a node
 Idea: use a pool of randomly generated polynomials
 When pool contains only one polynomial the approach
degenerates to basic polynomial based key predistribution scheme
 When all polynomials are of degree 0 the approach
degenerates to key pool approach
 Three phases are involved:
 setup,
 direct key establishment,
 path key establishment
Kemal Akkaya
Wireless & Network Security
19
Phases
 Setup Phase




Set F of bivariate λ-degree polynomials over finite field Fq is generated
Each polynomial is assigned a unique id
For each sensor node a subset of s’ polynomial is randomly chosen from F
For each polynomial in the chosen subset a polynomial share is loaded into nodes
memory
 Direct Key Establishment Phase
 During this phase all possible direct links are established
 A node can establish a direct link with another node if they both share a polynomial
share of a particular polynomial
 How to find common polynomial? Use above discussed approaches
 Path Key Establishment Phase
 If direct connection establishment fails nodes have to start path key establishment phase
 Nodes need to find a path such that each intermediate nodes share a common key
 Node may broadcast the message with polynomials ids that it posses to all nodes with
which it currently has an established link
 Once this message reaches the intended node (possible through a long path) this node
computes a key and contacts the initiator of path key establishment
 Drawback: may introduce considerable communication overhead
Kemal Akkaya
Wireless & Network Security
20
Grid-based key pre-distribution
 Instance of general framework discussed above
 Benefits:
 Guarantees that any two nodes can establish a pairwise key, if no nodes
were compromised
 Allows sensors to directly determine whether it can establish a pairwise key
with another node and which polynomial to use in case of positive answer
Kemal Akkaya
Wireless & Network Security
21
Location Aware Purely Random Key
Predistribution (P-RKP)
 Du et. al (IEEE Infocom 2004)
 Improves Random Key Predistribution (Eschenauer and Gligor) by exploiting Location
Information.
 Studies a Gaussian distribution for deployment of Sensor nodes to improve security and
memory usage.
 Groups select from key group S (i,j)
 Probability node is in a certain group is (1 / tn).
S   Si, j , i  1,...t, j  1..n
Kemal Akkaya
Wireless & Network Security
22
Location Aware Purely Random Key
Predistribution (P-RKP)
 Key sharing graphs used to enable
connectivity
 Use flooding to find secure path
(Limit to 3 hops)
 Setting up the key pools
 Two horizontally or vertically neighboring
pools share a|Sc| keys where 0<= a <= 0.25
 Two diagonally neighboring key pools share
b|Sc| keys, where 0<=b<=0.25
 Two non-neighboring key pools share no
keys.
 Overlapping factors - a,b
Kemal Akkaya
Wireless & Network Security
23