Sensor Network Key Distribution Scheme. Jeremy Brown, Xiaojiang Du, Kendall Nygard. Department of Computer Science. North Dakota State University. Fargo ...
An Efficient Public-Key-Based Heterogeneous Sensor Network Key Distribution Scheme Jeremy Brown, Xiaojiang Du, Kendall Nygard Department of Computer Science North Dakota State University Fargo, North Dakota 58105 Email: {jeremy.brown,xiaojiang.du,kendall.nygard}@ndsu.edu
Abstract—Most existing research regarding sensor network security considers homogenous sensor networks. To achieve better security and performance, we adopt a heterogeneous sensor network (HSN) model that consists of physically different types of sensor nodes. In this paper, we present an efficient key distribution scheme for HSNs, which takes advantage of powerful high-end sensor nodes. The scheme establishes a secure communication topology in the network in an efficient and secure manner. We show that the scheme has smaller memory requirements than a popular key distribution scheme and it is more resilient against the node compromise attack. Index Terms—Security, key management, heterogeneous sensor networks.
I. T HE K EY-D ISTRIBUTION S CHEME
A. Assumptions 1) H-sensors are equipped with tamper-resistant hardware, since H-sensors are powerful nodes. 2) Each H-sensor is pre-loaded with a common public key pair. 3) L-sensors are not equipped with tamper-resistant hardware. Thus, if a L-sensor is captured, its contents are considered compromised 4) Each sensor node has a unique and calculable ID. B. Pre-Deployment Prior to deployment, each L-sensor (denoted as u) is loaded with: • • •
Due to resource constraints, achieving key agreement in wireless sensor networks is non-trivial. Typical key-distribution schemes focus on probabilistic keydistribution, as in Eschenauer and Gligor [1]. Probabilistic schemes have several undesirable side effects that public-key-based schemes do not: they cannot guarantee that a given node will be able to establish a shared secret with its neighbor(s), and they cannot guarantee security for uncompromised nodes after a number of nodes have been compromised. Research has shown that Elliptical Curve Cryptography is practical for small sensor nodes [2]. Several recent literatures (e.g., [3] show that Heterogeneous sensor networks (HSNs) can significantly improve network performance. In [4], Du et al. have designed security schemes for HSNs which use public key cryptography. In a HSN, high-end sensors (H-sensors) have better capabilities than low-end sensors (L-sensors), and can be utilized for designing better security schemes. In this paper, we present an efficient key management scheme for HSNs.
• •
An unique ID: IDu Its own private key: KuR Its public key: KuU U The common base � U station� public key: Kbs Its certificate: Ku �IDu K R . This certificate is the bs concatenation of its public key and its ID, encrypted R. with the base station private key, Kbs
These keys are pre-calculated by the base station. If we use a scheme as in [5], the keys will be based on an algorithm that links the two keys together and the node ID, which makes it possible to self-certify the result without having to transmit details back to the cluster head for inter-node communication. Likewise, each H-sensor (denoted as V ) is loaded with the following items before deployment: • • • • •
An unique ID, IDH U Its own public key, KH R Its own private key, KH U The common base station � U public � key Kbs Its own certificate: KH �IDH K R , the concatenabs tion of its public key and ID encrypted with the base station’s private key.
991 1930-529X/07/$25.00 © 2007 IEEE This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2007 proceedings.
C. One-Hop Cluster Formation Upon deployment, each H-sensor broadcasts a hello message at full power that consists of� its unique� ID R : K U �ID and its public key, encrypted with Kbs H KR . H bs These broadcasts will be repeated with a random delay so as to be able to reach the maximum number of Lsensors without colliding with neighboring H-sensors. When an L-sensor receives a hello message, it stores them, and after a predetermined amount of time, it chooses the best signal. The L-sensor will transmit its certificate to the H-sensor, in order to authenticate itself. Then the H-sensor and L-sensor will establish a shared secret Elliptic Curve Diffie-Hellman key exchange. If we assign public keys as in [5], this is a two-step process: � U � 1) The nodes exchange keys: KH �IDH K R for the bs � � H-sensor, and KuU �IDu K R for the L-sensor. bs 2) Then each sensor can calculate its session key, KHu for V and� KuH �for u: � � R × hash ID , K U × K U + K U KHu = KH u u � u bs � � � U × KU + KU KuH = KuR × hash IDH , KH H bs This calculation is expected to produce equal values for KHu and KuH . The H-sensor will maintain a list of node IDs for those nodes in its cluster.
Once the one-hop cluster is formed, the H-sensor will begin to discover multi-hop neighbors. As the H-sensor has a greater transmission range than the L-sensors there will be cases where an L-sensor will be able to receive the hello message from the H-sensor, but will not be able to transmit a strong enough signal to establish a two-way communications channel with the H-sensor. Effective range of the L-Sensor x
Effective range of the H-Sensor, defines the cluster, part of a Voronoi Diagram
H
Fig. 1.
L-sensor can receive transmissions from the H-sensor
Unconnected L-Sensor
y Effective range of the L-Sensor
D. Cluster Key Distribution Once cluster formation is complete, we end up with a Voronoi diagram for one-hop neighbors. At this point, each node will form 1-hop clusters around itself. For example, node u will generate a symmetric cluster key Kuc , encrypt it with the pair-wise key for each neighbor (in this case, x), and transmit [Kuc ]Kux to that neighbor. This enables in-network processing: passive presentation and data aggregation. The two types of in-network processing help to reduce otherwise unnecessary traffic, and therefore increase the capacity of the network as well as to prolong the life of each node. In the case of data aggregation, a node aggregates data from multiple nodes into a single transmission. In the case of passive participation, nodes may decide not to transmit data due to recent transmissions from neighboring nodes. E. Multi-hop Cluster Formation It is desirable for the one-hop clusters to contain the vast majority of all nodes. Since multi-hop links to a cluster head require multiple transmissions, and more expenditure of power. This will affect the network where it is most costly: L-sensors will be required to perform more power-intensive transmissions with their constrained power supply. This it is important to use a sufficient number of H-sensors.
x
H
Fig. 2.
Effective range of the H-Sensor, defines the cluster, part of a voronoi cell
L-sensor is completely out of range of the H-sensor.
The most useful means of correcting this problem is to set a timer. If we assume loose time synchronization, i.e. that the sensors have internal timers that are synchronized at the time of deployment, it is reasonable to assume that each L-sensor can assume that within a certain amount of time, it should have been able to make contact with an H-sensor. If this is not possible, it can establish pair-wise communications with neighboring nodes. It would� do so by� transmitting a Hello message at full power: KxU �IDx K R . A neighboring Lbs sensor � U would � receive this, and reply with its certificate: Ku �IDu K R , and we could establish keys using the bs self-certifying algorithm in section 2.C. Since node x is unable to transmit directly to the Hsensor H , we can use a routing algorithm so that node
992 1930-529X/07/$25.00 © 2007 IEEE This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2007 proceedings.
u properly routes messages from node x on to H . Node x can authenticate H because it can � s Uhello message, � decrypt the message KH �IDH K R . It replies back with bs � � its certificate KxU �IDx K R , which u receives, and can bs U . The L-sensors likewise authenticate, because it has Kbs x and u can produce a shared secret using the same means as described for one-hop cluster generation. Once this pairwise key is set up for x and u, x needs to contact H for the cluster key.
F. H-Sensor Communications Since the H-sensors have been deployed such that they form a connected graph, that is: each H-sensor can transmit signals to and receive signals from at least one other H-sensor, and it is possible to transmit a message from any H-sensor to any other H-sensor, it should be trivial to set up a multi-hop H-sensor cluster. To economize on hello transmissions, it is logical for the H-sensors to monitor the other H-sensor transmissions described in section 2.C, during the one-hop cluster generation phase. Thus we will end up with a H-sensor cluster At the initial cluster-formation time, the base station will also listen for the H-sensor hello broadcasts. The base station will establish communications with the Hsensor that has the strongest signal (either D or C in the example above). II. P ERFORMANCE A NALYSIS The described scheme has a great advantage over probabilistic key distribution schemes in terms of both storage and communications overhead. A. Storage Overhead In the described scheme, we see a small number of keys present. After deployment, pairwise-key establishment and cluster formation, H-sensor H contains the U ,K U ,K R , a group key, and enough following keys: Kbs H H keys to communicate with each node within its cluster this corresponds to the degree of H The degree of H must take into account the number of H-nodes and Lnodes with which H can communicate. So, with a node H with a degree of D, and b bits per key, we use x bits worth of space in the H-sensor: x = b · (4 + DV ). For the L-sensor u, we see the following keys: U , enough keys to communicate with each KuR ,KuU ,Kbs node within range — equal to the degree of u, and enough keys to store group keys for all of its neighbors. This would produce a similar equation to the one above for the H-sensor: x = b · (3 + 2Du ).
In an example network, with 10 H-sensors and 1000 Lsensors, spread evenly among the H-sensors, and the Hsensors have an average degree of 100, and the L-sensors have an average degree of 20, the storage requirement is x = 10b · (4 + DH ) + 1000b · (3 + 2Dl ), or 44,040 keys. If b is 160-bits, we have a network-wide storage requirement of 7,046,400-bits, of which, each H-sensor would store 104 keys (16,640-bits), and each L-sensor would store 43 keys, (6,880-bits). For comparison, the E-G scheme says that two hosts have the probability of connecting given by the following equation: p=1−
((P −k)!)2 (P −2k)!P !
where P is the key pool size, and k is the keychain size[3]. So we can say there is almost a 52% chance that two sensors will have a single shared key with a key pool of 5,000, and a key chain of 60 [1]. This means that with 160-bit keys, each L-sensor would have to store 9,600bits of keys for half the connectivity chance. At about 120 keys (and 19,200-bits), there is a 95% chance that two arbitrary sensors share a key. The described scheme requires roughly one third of the storage space, while providing improved in-network processing. B. Communications Overhead One of the operations that consumes the most energy for a sensor node is operating its transmitter. For this reason, it is important that transmissions be used sparingly. We see that the main topology formation in the scheme is quite efficient: there are only the two following transmissions: 1) H-sensor broadcasts Hello to all 2) L-sensor responds with its public key The L-sensor has the H-sensors public key at step 1, and after step 2, both nodes can independently calculate a session key. If they both calculate equal session keys, the nodes are assured of the authenticity of the other party, and normal network operations can begin. For transmission efficiency, it is important for the network to include sufficient H-sensors so that the majority of the L-sensors will communicate directly with an H-sensor. Group key formation follows this phase, and requires the H-sensor to transmit once to each L-sensor. After the group key is distributed, in-network processing allows for further transmission optimization. C. Computational Overhead The most computationally-intensive operation in this scheme is the one-hop cluster formation phase where the
993 1930-529X/07/$25.00 © 2007 IEEE This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2007 proceedings.
H-sensors and L-sensors must calculate session keys. We see first that the L-sensor must decrypt the H-sensors Hello message. The comes the session key calculation: � � � � U × KU + KU . KuH = KuR × hash IDH , KH H bs This includes one hash operation, two multiplications and an addition. III. S ECURITY A NALYSIS It is important in key management schemes to keep all necessary information confidential so that an intruder cannot use it to break the system. On deployment, neither H-sensors nor L-sensors know their neighbors, nor do they know which sensors have the strongest signals. � U � When the initial hello messages, e.g. KH �IDV K R , bs are transmitted from the H-sensors, we see that they are R , and given that this key pair is all encrypted by Kbs cryptographically secure, this is a highly secure message [5]. An attacker can neither modify nor read its contents. There are, however, two vulnerabilities to be addressed: replay and capture.
to be captured, since every node in the sensor network contains it. � AU hostile� party will have to use the captured certificate, Ku �iDu K R , because it is mathematically infeasible bs to manufacture another one. Thus, revoking that nodes ID will revoke the certificates. By transmitting only the node ID in revoke messages, we can save some transmission resources. Thus, assuming that a revoke message originates at the base station, it would take the form: [REVOKE�ID1 �ID2 � . . . �IDn �seqn r]
With careful monitoring, a central administrator can work to revoke keys from captured L-sensors. Once Lsensors know not to trust various node IDs and the associated keys, an attacker cannot gain access to data, nor can he perform other attacks on the network. It is, however, desirable, for a centralized party to also be able U for nodes to use in the event of a to provide a new Kbs node compromise.
A. Potential Vulnerabilities
B. Comparison to Probabilistic Key Management Schemes
If a message is intercepted by a hostile party, it is possible for the attacker to replay the message. If this is done at cluster-formation time, this will potentially confuse L-sensors into trying to transmit to a L-sensor that is out of range. The attacker will not be able to reply with a valid key, so the attack will result in lost Lsensor energy. However, it is easy to solve this problem: each node can attach a sequence number to its packets, encrypted by its private key. � UThus, a�Hello message from node H would become: KH �IDV K R � [seqn ]KHR . The bs U to decrypt recipient of the Hello message could use Kbs and verify the public key for node H , which it can then use to decrypt and authenticate the sequence number. R , so it is mathematically No other node possesses KH improbable that a hostile party could forge the sequence number. The second attack requires the enemy to physically capture a sensor. Given the assumption that the Hsensors have tamper-resistant hardware, there is no grave concern, from a data-security standpoint. We will temporarily lose that cluster, and any data from that sector. If, however, an L-sensor is captured, it is safe to assume that an attacker will be able to extract its keys, and attempt to use them on the network. The most damaging U , which will make it possible for the node key is Kbs to attempt to join other clusters or to establish pairwise keys with other L-sensors. It is also the most likely key
There are trade-offs in probabilistic key distribution schemes. The most serious trade-off is that a larger key pool, P , increases security, but it decreases the probability that any two sensors will be able to connect with a fixed key chain size, k . This is because when a sensor u is captured, the hostile party has compromised k keys out of the pool P . No such trade-off exists with the scheme described here, as all keys are cryptographically U) calculated, and no key (except the group key, and Kbs are shared among multiple sensors. A similar probabilistic concern exists in this system when considering how many sensors to distribute in a sensor network. A relatively sparse distribution of sensors would seem to require a long transmission range of all sensors, and likewise, if we cannot increase the range of sensors, a greater number of sensors would seem to make up for transmission shortcomings. However, we see that if this is the only limitation, small increases of node numbers, or more powerful transmitters make this much less of a problem. One such question is: how can we ensure a high probability of having a connected H-sensor graph? Using a 10,000 by 10,000 square matrix, and randomly placing up to 1,000 H-sensors, each with ranges varying from 50-450 squares, there is a high probability of having a connected graph after deploying a minimum of 300 sensors. See Figure 3.
994 1930-529X/07/$25.00 © 2007 IEEE This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2007 proceedings.
L-sensor Range = H-sensor Range/4 50000
1-Hop Clusters 2-Hop Clusters 3-Hop+ Clusters
0.8 40000
0.6
Range Range Range Range Range Range Range Range Range
0.4
0.2
Number of L-sensors
Probability of forming a connected H-sensor graph
1
= 450 = 400 = 350 = 300 = 250 = 200 = 150 = 100 = 50
30000
20000
10000
0
0
0
200
Fig. 3.
400 600 Number of H-sensors deployed
800
1000
200
400
600
800
Range of H-sensor
The probability of having a connected graph.
Fig. 5.
The number of n-hop clusters with varied H-sensor range
L-sensor Range = H-sensor Range / 2 50000
1-Hop Clusters 2-Hop Clusters 3-Hop+ Clusters
guarantee that arbitrary nodes will be able to connect with each other, and all messages are cryptographically secure. This scheme provides facilities for in-network processing, which will help optimize usage of sensor resources. Compromised nodes do not affect other parts of the sensor network: all of the damage is localized to the node’s immediate neighbors, and provided that the compromise is detected, the security breach is fairly easily stopped.
Number of L-sensors
40000
30000
20000
10000
0 200
400
600
Fig. 4.
R EFERENCES
800
Range of H-Sensor
The number of n-hop clusters with varied H-sensor range
The number of L-sensors that are in one-hop or nhop clusters is also an interesting point. Because the most energy-efficient configuration would place most Lsensors in a one-hop cluster, it would be advantageous to deploy a sensor network consisting mostly of onehop sensors. We use simulation to determine the number of L-sensors in 1-hop, 2-hop, and 3-hop+ cluster. The results are plotted in Figure 4 and 5. In Figure 4 and 5, we vary the H-sensor range, and then make the L-sensor range a corresponding fraction of that H-sensor range (i.e., 1/2 and 1/4 of the H-sensor range). The two graphs are similar. It is fairly obvious that more L-sensors are in one-hop clusters when the H-sensor transmission range becomes larger.
[1] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the ACM Conference on Computer and Communications Security, 2002, pp. 41–47. [2] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, “Comparing elliptic curve cryptography and rsa on 8-bit cpus,” in Proc. of the 6th International Workshop on Cryptographic Hardware and Embedded Systems, Boston, Massachusetts, Aug. 2004. [3] E. J. Duarte-Melo and M. Liu, “Data-gathering wireless sensor networks: Organization and capacity,” Computer Networks, vol. 43, no. 4, pp. 519–537, 2003. [4] X. Du, M. Guizani, S. Ci, Y. Xiao, and H.-H. Chen, “A routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks,” Ad Hoc Networks, vol. 5, no. 1, 2007. [5] O. Arazi and H. Qi, “Self-certified group key generation for ad hoc clusters in wireless sensor networks,” in Proc. IEEE International Conference on Computer Communications and Networks, ICCCN 2005, San Diego, California, Oct. 2005, pp. 359–364.
IV. C ONCLUSIONS This paper has described a key-distribution scheme for a heterogeneous sensor network. The scheme can 995 1930-529X/07/$25.00 © 2007 IEEE This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2007 proceedings.
