JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 24, 1837-1858 (2008)
Energy-Efficient Key-Management (EEKM) Protocol for Large-Scale Distributed Sensor Networks*
KWANG-JIN PAEK1, UI-SUNG SONG2, HYE-YOUNG KIM3,+ AND JONGWAN KIM4
1 Convergence SW Research Division, Electronics and Telecommunications Research Institute, Daejeon 305-700, Korea
2 Department of Computer Education, Busan National University of Education, Busan 611-736, Korea
3 College of Game, Hongik University, Chungnam 339-701, Korea
4 Department of Computer Science and Engineering, Korea University, Seoul 136-701, Korea
The more wireless sensor networks grow, the more effective security mechanisms are needed. This paper suggests a cryptographic key-management protocol, Energy-Efficient Key-Management protocol. Using a location-based group key allocation, the proposed protocol provides the revocation of compromised nodes and energy-efficient rekeying. Our protocol is motivated by the observation that unicast-based rekeying does not satisfy the security requirements of periodic rekeying in wireless sensor networks. Our protocol provides broadcast-based rekeying for low-energy key management and high resilience. In addition, to increase the complexity of encryption keys, the protocol uses a dynamic composition key scheme. Our protocol provides group management protocols for secure group communication. We compared the energy efficiency of our protocol to other protocols with the rekeying and revocation messages and simulated them.
Keywords: energy efficiency, key management, security, sensor network, dynamic keying, rekeying, revocation, resilience
Received December 14, 2006; revised September 7 & October 16, 2007 & June 19, 2008; accepted July 17, 2008. Communicated by Jeng-Neng Hwang.
* This work was supported by the IT R&D program of MKE/IITA [2006-S-085-01, Nano OS for Automobile Sensor Nodes].
* This work was supported by the Korea Research Foundation Grant funded by the Korean Government (MOEHRD) (KRF-2007-531-D00011) and was presented in the 2007 International Conference on Multimedia and Ubiquitous Engineering.
+ Corresponding author.

1. INTRODUCTION
Sensor nodes (SNs) are small and have wireless communication capability within short distances. An SN typically contains a wireless transmitter/receiver, and power, sensing, processing, and storage units. A wireless sensor network (WSN) is comprised of a large number of SNs with limited power, computation, storage, and communication capability [31]. The environments in which SNs are deployed may be controlled or uncontrolled. If controlled, deployments may be achieved manually to establish an infrastructure. However, manual deployments are not feasible or even possible as the number
of the nodes increases. If the environment is not controlled, or the WSN is very large, deployment must be performed by randomly scattering the SNs to a target area. In some deployment scenarios, SNs operate under adverse conditions. Security solutions for such applications depend on strong and efficient key-distribution mechanisms. In uncontrolled environments, it is not feasible or even possible to visit a large number of SNs and change their configuration. Moreover, it is unwise to use a single, shared key for an entire WSN because an adversary could easily obtain the key. Thus, SNs must adapt to their environments to establish a secure network. Key distribution and management problems in WSNs are difficult and require new approaches.

Here, we propose and describe an Energy-Efficient Key-Management protocol (EEKM) for large-scale WSNs that supports a lightweight rekeying mechanism while providing security properties similar to those of pairwise key-sharing schemes. In other words, the group-management protocol provided by EEKM enables the energy-efficient update of keys while limiting the effect of a node compromise on the immediate network neighbourhood. Existing key-management protocols focus mainly on the efficiency of distributing keys and key materials to SNs prior to deployment. EEKM does the same, but also introduces an energy-efficient way to improve scalability, rekeying, and resilience. We investigated a regional group-oriented rekeying strategy and designed and specified merge/split protocols based on this rekeying strategy. EEKM includes support for multiple group-keying mechanisms. Its design was motivated by the observation that secure updating of a group key or pairwise keys is performed by sending a key update message to every node via unicast, and that unicast-based rekeying does not meet the security requirements of periodic rekeying and group communication.
EEKM supports broadcast-based rekeying and minimizes unicast-based communication for energy-efficient and safer key management. The remainder of this paper is organized as follows. In section 2, we present an overview of the proposed protocol’s architecture and assumptions. In section 3, we describe the protocol in detail. In section 4, we analyze the security of the protocol. In section 5, we evaluate the protocol. The evaluation includes an analysis of the protocol’s energy efficiency compared to other key-management protocols and a simulated prototype implementation of a sensor network test bed. In section 6, we provide an overview of existing key-distribution schemes. Finally, in section 7, we present our conclusions and recommendations for future work.
2. SENSOR NETWORK ARCHITECTURE
Our objective was to develop an Energy-Efficient Key-Management (EEKM) protocol applicable to large-scale distributed sensor networks. We used the sensor network model proposed by LEAP [1] and assumed a static sensor network, i.e., with immobile SNs. The base station (BS) acting as the key server was assumed to be a laptop-class device with unlimited power. The sensor network consisted of a large number of SNs distributed throughout the area of interest. The BS could broadcast a message to all SNs. Each node belonged to its own virtual group (VG) before being randomly scattered throughout the field of interest (Fig. 1). After deployment, the sensor network is divided into four square regional groups. Each SN can determine its location during the bootstrap, using a Global Positioning System (GPS). However, using global positioning systems for localization in large-scale sensor networks is not cost effective and may be impractical in enclosed spaces where no direct link with the satellite constellation is available. There is considerable research on algorithms for computing the location of a node without a GPS infrastructure [33-36]. We can adopt one of those algorithms.

[Figure 1: plot of node positions, both axes running from 0 to 100; legend VG 1 to VG 4; regions RG 1 to RG 4.]
Fig. 1. A 200-node random sensor network with four regional and four virtual groups.

Because wireless communication is not secure, we assumed that an adversary could eavesdrop on all traffic, inject packets, and/or replay old messages. If a node were compromised, all of its information would be available to the attacker. However, the BS could not be compromised. Sometimes it is necessary to revoke SNs from a secure network due to node compromise. Therefore, we assumed that there were mechanisms in place to identify compromised SNs [2-4], and revoke them. In a noisy world, EEKM needs a reliable broadcast protocol. Research on network protocols is beyond the scope of this paper. There are some studies on reliable broadcasting [28, 29, 32]. EEKM can use one of these reliable broadcast protocols.
3. ENERGY-EFFICIENT KEY MANAGEMENT PROTOCOL
The proposed EEKM protocol provides multiple group-keying mechanisms for energy-efficient key management in sensor networks. In this section, we present an overview of EEKM and describe each phase of the rekeying mechanism separately. We used a temporary-master-key approach [1, 30] to generate group and pairwise keys. Adversaries cannot inject malicious nodes, even if they compromise existing nodes after the initial master keys (IK) are erased. Any node must establish its group and pairwise keys within a short time while its IK exists in its memory. After the master key is erased, that node cannot establish any keys. Moreover, we included a group rekeying protocol that securely broadcasts new IKs to all nodes. It updates all keys except for the individual key, KSiBS. Broadcast-based revocation and rekeying protocols improve resilience to node compromise.
3.1 Overview
Table 1 shows the notation used in the EEKM protocol descriptions. The number of keys stored by the BS is equal to n(S) + n(VG) + n(RG) + n(CK) + n(AK) + n(RVK) + n(KMBox), where the first six variables represent the number of SNs for individual keys (KSiBS), virtual groups (VKi), regional groups (RKi), single common group keys, single authentication keys, and VR in an RG, respectively, and n(KMBox) is the size of the KMBox. CK is one group key shared by all nodes and the BS. AK is one authentication key for generating the verification key. Each SN has a KMBox, CK, VK, RK, RVK, AK′, IK, and KSiBS.

Table 1. Notation used in security protocols and cryptographic operations.
Notation            Description
BS                  Base station of a sensor network
SEQ(BS)             Message sequence number of BS
Si                  Identifier for node i
SEQ(Si)             Message sequence number of Si
VGi                 Identifier for virtual group i
RGi                 Identifier for regional group i
RVGij               Identifier for virtual group j in regional group i
NA                  Random nonce value of A
KSiBS               Individual key shared by BS and node i
KAB                 Secret key shared by A and B (KAB = KBA)
MK                  Master secret key for deriving individual node keys
IK                  Initial master key for deriving new keys
IKM                 Keying material for generating new IK
CK                  Common group key shared by all nodes and BS
MBK                 Material key for deriving KMBox
AK                  Authentication key for message verification
VKi                 Secret MAC key shared with virtual group i
RKi                 Secret MAC key shared with regional group i
RKM                 Keying material for generating new RK
RVKij               Secret MAC key shared with virtual group j in regional group i
E(K, …)             Symmetric encryption function using key K
||                  Concatenation operator
ldata               Sensor location data
RGF(ldata, …)       RGi generating function using ldata
KMBox               Key material box for key composition
sz                  Size of KMBox
KMBox[i]            Element of index i
LOW(KMBox[i])       Low-order half part of KMBox[i]
HI(KMBox[i])        High-order half part of KMBox[i]
KCF(…)              Key composition function with KMBox and other parameters
DCK                 Dynamic composition key for encryption, generated by KCF
Table 2. Deriving new keys from the initial key and master key.
Key for deriving new keys            Derived keys
MK: for initializing                 KSiBS = F(MK, Si)
IK: for initializing and rekeying    Ki = F(IK, i)
                                     CK = F(IK, 0)
                                     MBK = F(IK, 1)
                                     VKi = F(IK, VGi)
                                     RKi = F(IK, RGi)
                                     RVKij = F(IK, RVGij)
                                     KMBox[i] = F(MBK, i)
IKi+1: for rekeying                  IKi+1 = KCF(SEQ(BS), IKi, IKM)
                                     RKi+1 = F(IKi+1, RKi)
                                     RVKiji+1 = F(IKi+1, RVKiji)
RKM: for group rekeying              RGi+1 = RGF(RKM, 0, 0, 0, 0)
                                     RKi+1 = F(RKM, RGi+1)
                                     RVGiji+1 = F(RKM, RGi || VGj)
                                     RVKiji+1 = F(RKM, RVGiji+1)
To minimize power requirements, we used a MAC pseudo-random function (F) to derive the keys, implemented as K′ = F(K, x) = MAC(K, x). Table 2 shows the keys derived from MK and IK. SNs are preloaded with an IK, from which further keys can be established. As a security precaution, the IK can be deleted after its use to ensure that a compromised sensor cannot add additional compromised nodes to the network.

3.2 Dynamic Key Composition with Key Material Box
We used a key material box (KMBox) for dynamic key composition. The KMBox is generated using the pseudo-random function F, and its size can be adjusted to the memory resources of an SN. The larger the size, the more complex the key composition is. There is a trade-off between KMBox memory and the complexity of the dynamic key. However, if the node memory is limited and cannot store the KMBox, it can compute KMBox elements on the fly. The computation cost is constant and does not depend on KMBox size (sz).

Definition 1 KMBox – Key Material Box
  {i | sz ≥ i ≥ 1 and i is an integer}
  KMBox[i] = F(MBK, i).

Node i can generate a KMBox array up to sz. IK size and sz are preloaded. Before SNs are deployed, an initialization phase is performed, during which time the KMBox is generated. In cryptography, a substitution box (or S-box) is a basic component of symmetric key algorithms (i.e., Shannon’s property of confusion) that makes the relationship between the key and cipher text as complex and involved as possible. The S-boxes obscure the relationship between the plaintext and cipher text. In EEKM, KMBox is used as an
S-box and generated from the MBK. Since all nodes must have the same S-box, MBK is generated with F(IK, 1). KMBox makes it possible to resist cryptanalysis, thereby increasing key lifetime and the interval of rekeying. The rekeying cost is not trivial, and EEKM saves rekeying cost.

Fig. 2 illustrates the procedure of creating a dynamic composition key to encrypt/decrypt message data in a sensor node. First, MBK is generated by F(IK, 1). After IK is used, it is erased in a sensor node. Second, KMBox[x] is created with F(MBK, x) and acts as an S-box. The length of KMBox is sz. Third, the KCF function picks two elements of KMBox with KMBox[F(UID || MSN, 0 and 1) mod sz] and makes the temporary key (tk) from the higher half of one element and the lower half of the other. Fourth, a dynamic composition key (dck) to encrypt/decrypt message data is made with F(tk, K). Fifth, the secret key dck is used for the encryption/decryption of message data.
Fig. 2. The relation among KMBox, EEKM protocol and other keys.
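The five steps above (the same function appears as Algorithm 1 in section 3.3) can be run end to end as follows. This is an added example, not code from the paper: HMAC-SHA256 as the MAC behind F, the byte encodings, taking HI/LOW as the first/second half of an element, and mapping the `mod sz` result onto Definition 1's 1-based index are all assumptions, and the sample IK is constructed.

```python
import hashlib
import hmac


def F(key: bytes, x: bytes) -> bytes:
    """K' = F(K, x) = MAC(K, x). HMAC-SHA256 is an assumption; the paper names no MAC."""
    return hmac.new(key, x, hashlib.sha256).digest()


def u32(n: int) -> bytes:
    """Fixed-width integer encoding so concatenations such as UID || MSN are unambiguous."""
    return n.to_bytes(4, "big")


class KMBox:
    """Key material box: KMBox[i] = F(MBK, i) for 1 <= i <= sz, with MBK = F(IK, 1)."""

    def __init__(self, ik: bytes, sz: int, store: bool = True):
        self.sz = sz
        self.mbk = F(ik, u32(1))  # step 1; the caller erases IK after key setup
        # step 2: either keep all sz elements in memory or recompute each on demand
        self.table = [F(self.mbk, u32(i)) for i in range(1, sz + 1)] if store else None

    def element(self, i: int) -> bytes:
        if not 1 <= i <= self.sz:
            raise IndexError("KMBox index must be in 1..sz")
        if self.table is not None:
            return self.table[i - 1]
        return F(self.mbk, u32(i))  # on-the-fly: one MAC, independent of sz


def HI(e: bytes) -> bytes:
    return e[: len(e) // 2]


def LOW(e: bytes) -> bytes:
    return e[len(e) // 2:]


def kcf(box: KMBox, uid: bytes, msn: int, k: bytes) -> bytes:
    """Key composition function: returns the dynamic composition key dck."""
    umi = uid + u32(msn)
    # step 3: two indices chosen by the message identity (0..sz-1 shifted to 1..sz)
    a = int.from_bytes(F(umi, u32(0)), "big") % box.sz + 1
    b = int.from_bytes(F(umi, u32(1)), "big") % box.sz + 1
    tk = HI(box.element(a)) + LOW(box.element(b))
    return F(tk, k)  # step 4: dck = F(tk, K); step 5 uses dck as the E() key


def count_distinct_dck(box: KMBox, uid: bytes, k: bytes, n_msgs: int) -> int:
    """dck depends on the message only through (a, b), so at most sz*sz values exist per K."""
    return len({kcf(box, uid, msn, k) for msn in range(n_msgs)})


if __name__ == "__main__":
    ik = bytes(range(16))            # constructed sample IK
    ck = F(ik, u32(0))               # CK = F(IK, 0)
    sender = KMBox(ik, sz=64, store=True)
    receiver = KMBox(ik, sz=64, store=False)
    for seq in (1, 2, 3):
        dck = kcf(sender, b"BS", seq, ck)
        print(seq, dck.hex()[:16], dck == kcf(receiver, b"BS", seq, ck))
    print("distinct dck for sz=4 over 1000 messages:",
          count_distinct_dck(KMBox(ik, 4), b"BS", ck, 1000))
```

The last line makes the memory trade-off from section 3.2 concrete: for a given K the number of different dck values is bounded by sz × sz, which is a factor to weigh when choosing sz.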
3.3 Key Distribution
In the proposed scheme, key distribution consists of three phases: initialization, group key setup, and pairwise key setup. The key setup phases depend on IK, initially shared by the BS and all of the nodes. All derived keys (CK, VK, RK, RVK, and MBK) are created from the IK. A temporary IK is stored in an SN for only a brief moment; it is erased after the key setup phase so an adversary does not have enough time to compromise a node and capture its IK.

Initialization Phase: This phase is performed before deployment. We use a secret-key mechanism, and each SN stores six keys (KSiBS, IK, AK′, CK, VK, and MBK) in the initialization phase.
Every node has an individual key that is only shared with the BS. This key is generated and preloaded into each node prior to its deployment. The individual key KSiBS for node Si (each node has a unique identification) is generated as follows: KSiBS = F(MK, Si), where F is the pseudo-random function and MK is a master key known only to the BS. Keeping only MK, the BS can store all of the individual keys. When it needs to communicate with an individual node Si, it computes KSiBS on the fly.

We refer to F(AK, 0) as the verification key AK′, which is stored in each node. The equation AK′ = F(AK, 0) enables a node to verify the authenticity of a message with AK, a random number. The verification key AK′ is used to verify the authenticity of messages in the revocation and rekeying protocol.

The network-wise key (CK) is used to secure the broadcast messages to all of the SNs. The BS generates an IK and then loads it on each node. The common group key CK is shared with all nodes and the BS in the network, and it is necessary when BS distributes a confidential message, e.g., a query on some event of interest or an instruction, to all nodes in the network. CK is generated as follows: CK = F(IK, 0). This is a network-wise key used for broadcasting messages to the entire network.

The virtual group key VK is for randomly classified nodes. Fig. 1 shows the randomly distributed nodes of each VG. Each node is divided into an equal number of VGs, and has its own virtual group identifier (VGi). VK is generated as follows: VKi = F(IK, VGi).

MBK is generated with F(IK, 1) and is used to create the KMBox (see section 3.2). The dynamic composition key (DCK) contains the elements of the KMBox selected by the key composition function (KCF), which uses unique message identification (UMI) as a parameter. UMIs are unique in the lifetime of the WSN and consist of three components: the UID (BS or Si); message sequence number (MSN; SEQ[BS] or SEQ[Si]), and material key.
The KCF makes up the dynamic secret key with the UMI. The group identification (GID) can be a common group VGi or RGi. Node A sends group G an encrypted message with KCF and GK, as follows:

  A → G: A || SEQ(A), GID, E(KCF(A, SEQ(A), GKGID), message || N).

Algorithm 1 shows the key composition function.

Algorithm 1 KCF − Key Composition Function
  KCF(UID, MSN, K) {
    tk = HI(KMBox[F(UID || MSN, 0) mod sz]) || LOW(KMBox[F(UID || MSN, 1) mod sz]);
    dck = F(tk, K);
    return dck;
  }

Group Key-Setup Phase: The key-setup phase, performed after deployment, stores eight keys in each SN (KSiBS, IK, AK′, CK, RK, VK, RVK, and MBK). The SNs of a group share a common location-based group key (LBK). The RG identifier is created using RGF with IK, location data, and the other parameters. The RG is generated as follows: RGi = RGF(IK, ldata, pattern, size, cp).
Algorithm 2 RGF – ID-Generating Function for the Regional Group
  RGF(IK, ldata, pattern, size, cp) {
    // using ldata: location data (GPS data)
    Calculate the coordinates of the node with ldata;
    Calculate the distance of the node from a standard point in WSN;
    // using pattern, size, and cp:
    // the pattern, size, and center point of regional group
    // if nodes are in the same regional group,
    // they have the same id of RG
    Calculate the numerical regional group id of the node using the distance, coordinates, pattern, and size;
    // generate the regional group id
    // with the numerical regional group id
    rgid = F(IK, id);
    return rgid;
  }

The regional group key RK is for regionally classified nodes. Fig. 1 shows four regional groups. All nodes are regionally divided into RGs. Each node has its regional group identifier RGi, and RK is generated as follows: RKi = F(IK, RGi). These patterns are used to effectively isolate compromised nodes and generate an appropriate rekeying message for uninfected groups.

RVG is generated with VG and RG. Each VG in an RG has a unique subgroup ID in the WSN. RVGij is the subgroup that belongs to RGi and VGj; it is different than RVGji. The number of RVG is |RG| * |VG|, where |x| is the number in group x. In Fig. 1, the number of RVG is 16. RVG, which improves resilience by dividing nodes into small subgroups, is generated as follows: RVGij = F(IK, RGi || VGj). RVK is created with IK and RVG. It is a subgroup key for RVG and is generated as follows: RVKij = F(IK, RVGij).

Pairwise Key-Setup Phase: The pairwise key-setup phase is performed after deployment. Node A computes its pairwise key with B, KAB, as KAB = F(KB, A) and KB = F(IK, B). Node B computes KAB in the same way. KAB serves as their pairwise key. These steps and neighbour-discovery steps are accomplished simultaneously. Pairwise key-setup is executed as follows:

  A → neighbour nodes of A (broadcast): A.
  B → A: B, MAC(KAB, A || B).
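The group key-setup and pairwise key-setup derivations above, run for a small deployment, as an added example that is not the paper's code. Assumptions: HMAC-SHA256 stands in for F, RGF is modelled only for a square pattern with `cp` as the centre point of a 100 × 100 field, node and group identifiers are constructed byte strings, and each node keeps its own KB = F(IK, B) after erasing IK.

```python
import hashlib
import hmac


def F(key: bytes, x: bytes) -> bytes:
    """K' = F(K, x) = MAC(K, x); HMAC-SHA256 is an assumed choice of MAC."""
    return hmac.new(key, x, hashlib.sha256).digest()


def rgf(ik: bytes, ldata, pattern: str, size: float, cp) -> bytes:
    """RGF of Algorithm 2 for one assumed pattern: square cells of side `size`
    laid out around the centre point `cp`. Nodes in the same cell get the same id."""
    if pattern != "square":
        raise ValueError("only the square pattern is modelled here")
    col = int((ldata[0] - cp[0]) // size)
    row = int((ldata[1] - cp[1]) // size)
    return F(ik, b"%d:%d" % (row, col))  # rgid = F(IK, id)


class Node:
    def __init__(self, node_id: bytes, vg: bytes, ldata, ik: bytes):
        self.id, self.vg, self.ldata, self.ik = node_id, vg, ldata, ik
        self.pairwise = {}

    def group_key_setup(self, pattern="square", size=50.0, cp=(50.0, 50.0)):
        self.rg = rgf(self.ik, self.ldata, pattern, size, cp)
        self.vk = F(self.ik, self.vg)             # VKi   = F(IK, VGi)
        self.rk = F(self.ik, self.rg)             # RKi   = F(IK, RGi)
        self.rvg = F(self.ik, self.rg + self.vg)  # RVGij = F(IK, RGi || VGj)
        self.rvk = F(self.ik, self.rvg)           # RVKij = F(IK, RVGij)
        self.k_self = F(self.ik, self.id)         # KB    = F(IK, B)

    def respond(self, a_id: bytes):
        """B's side: on hearing A's broadcast, reply with B, MAC(KAB, A || B)."""
        k_ab = F(self.k_self, a_id)               # KAB = F(KB, A)
        self.pairwise[a_id] = k_ab
        return self.id, F(k_ab, a_id + self.id)

    def accept(self, b_id: bytes, tag: bytes) -> bool:
        """A's side: rebuild KAB from IK and check B's MAC before storing the key."""
        if self.ik is None:
            raise RuntimeError("IK erased: no further pairwise keys can be derived")
        k_ab = F(F(self.ik, b_id), self.id)
        if not hmac.compare_digest(tag, F(k_ab, self.id + b_id)):
            return False
        self.pairwise[b_id] = k_ab
        return True

    def erase_ik(self):
        self.ik = None  # end of the pairwise key-setup phase


def deploy(ik: bytes):
    """Constructed deployment: one node per (quadrant, virtual group) pair."""
    nodes, n = [], 0
    for pos in ((25, 25), (75, 25), (25, 75), (75, 75)):
        for vg in (b"VG1", b"VG2", b"VG3", b"VG4"):
            node = Node(n.to_bytes(2, "big"), vg, pos, ik)
            node.group_key_setup()
            nodes.append(node)
            n += 1
    return nodes


if __name__ == "__main__":
    nodes = deploy(bytes(range(16)))  # constructed sample IK
    print("RK:", len({n.rk for n in nodes}), "VK:", len({n.vk for n in nodes}),
          "RVK:", len({n.rvk for n in nodes}))
    a, b = nodes[0], nodes[1]
    print("handshake ok:", a.accept(*b.respond(a.id)))
```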
When two neighbour nodes, A and B, are added at the same time, the above scheme can be simplified. If A receives B’s response to its message before responding to B’s message, A will omit its own response. They will have two different pairwise keys, KAB
and KBA. They can choose KAB as their pairwise key if A < B. All nodes erase IK at the end of the pairwise key-setup phase. After this phase, each node can exchange group information.

3.4 Addition and Deletion of Nodes
Addition of Sensor Nodes: The new SNs are arbitrarily deployed in the WSN and they have the same ID of new VGs. The IK of new nodes is the current IK of older nodes. Before deployment, the new nodes complete an initialization phase and have N1 and F(N2, 0) in the pairwise key-setup phase. N1 and N2 are nonces, used for mutual authentication during pairwise key setup. After deployment, they perform a group key setup and another pairwise key setup. The pairwise key-setup steps for new nodes are executed as follows:

  BS → older nodes: BS || SEQ(BS), E(KCF(BS, SEQ(BS), CK), F(N1, 0) || N2 || N).
  New node A → neighbour nodes: A, N1.

If neighbour nodes are older nodes, the pairwise key-setup phase is written as follows:

  Older neighbour node B → new node A: B, N2.
  New node A → older neighbour node B: A || SEQ(A), E(KCF(A, SEQ(A), KB), KA || N).

If neighbour nodes are new nodes, the setup phase is identical to the initial pairwise phase:

  New neighbour node B → new node A: B, MAC(KAB, A || B).

After this step, the IK of new nodes is erased and pairwise keys are established in all nodes.

Revocation of Sensor Nodes: It is important to securely update group keys when a compromised node is detected. The group keys must be changed and distributed to all the remaining nodes in a secure, reliable, and timely fashion. This is referred to as group rekeying. Whenever an SN is compromised, it is essential to be able to revoke the entire key of that node. The BS broadcasts the revocation message to all nodes. CNODE stands for a compromised node and {CNODE1 || CNODE2 || …} is the set of compromised nodes.

  BS → all nodes: BS || SEQ(BS), AKi, F(AKi+1, 0), E(KCF(BS, SEQ(BS), CK), {CNODE1 || CNODE2 || …} || N).
All nodes authenticate the revocation message with AKi and AKi′ = F(AKi, 0). This message includes the verification key AKi+1′ = F(AKi+1, 0) for authentication of the next message. All nodes verify the authenticity of the revocation message and then eliminate compromised nodes from the neighbour node list of each SN.
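The receiver-side check just described, as an added example that is not part of the paper. Assumptions: HMAC-SHA256 stands in for F, the message is a Python dict rather than a wire format, node identifiers are constructed, and the E(KCF(…, CK), …) layer is omitted so the revoked list is shown already decrypted.

```python
import hashlib
import hmac
import os


def F(key: bytes, x: bytes) -> bytes:
    """K' = F(K, x) = MAC(K, x); HMAC-SHA256 is an assumed choice of MAC."""
    return hmac.new(key, x, hashlib.sha256).digest()


ZERO = (0).to_bytes(4, "big")  # encoding of the constant 0 in AK' = F(AK, 0)


class BaseStation:
    def __init__(self):
        self.seq = 0
        self._ak = os.urandom(16)  # AK_i: random, secret until it is disclosed

    def verification_key(self) -> bytes:
        """AK_i' = F(AK_i, 0), preloaded into every node before deployment."""
        return F(self._ak, ZERO)

    def revocation_message(self, compromised) -> dict:
        ak_next = os.urandom(16)
        self.seq += 1
        msg = {
            "seq": self.seq,
            "ak": self._ak,                      # AK_i, disclosed in this message
            "next_verifier": F(ak_next, ZERO),   # F(AK_{i+1}, 0)
            "revoked": tuple(compromised),       # {CNODE1 || CNODE2 || ...}
        }
        self._ak = ak_next
        return msg


class SensorNode:
    def __init__(self, node_id: str, verifier: bytes, neighbours):
        self.id = node_id
        self.verifier = verifier           # currently trusted AK_i'
        self.neighbours = set(neighbours)

    def on_revocation(self, msg: dict) -> bool:
        # Accept only if the disclosed AK_i maps onto the stored AK_i'.
        if not hmac.compare_digest(F(msg["ak"], ZERO), self.verifier):
            return False
        self.verifier = msg["next_verifier"]   # arm the check for the next message
        self.neighbours -= set(msg["revoked"])
        return True


def demo():
    bs = BaseStation()
    v0 = bs.verification_key()
    node = SensorNode("S1", v0, {"S2", "S3", "S4"})
    late = SensorNode("S9", v0, {"S2"})    # will miss the first broadcast

    m1 = bs.revocation_message(["S3"])
    forged = dict(m1, ak=os.urandom(16), revoked=("S2", "S4"))
    results = {
        "forged": node.on_revocation(forged),     # wrong AK_i: rejected
        "genuine": node.on_revocation(m1),        # accepted, S3 removed
        "replay": node.on_revocation(m1),         # verifier has moved on: rejected
    }
    m2 = bs.revocation_message(["S4"])
    results["second"] = node.on_revocation(m2)
    # A node that never saw m1 still holds AK_0' and cannot verify m2,
    # which is why the protocol depends on reliable broadcast.
    results["missed_one"] = late.on_revocation(m2)
    return results, node.neighbours


if __name__ == "__main__":
    print(demo())
```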
  BS → all nodes (broadcast): BS || SEQ(BS), AKi+1, F(AKi+2, 0), {RGa, E(KCF(BS, SEQ(BS), RKa), IKi+1 || N) || RGb, E(KCF(BS, SEQ(BS), RKb), IKi+1 || N) || …}.

The above group rekey message is used to update the IK of all regional groups except for compromised regional groups. All nodes authenticate this message with AKi+1 and save F(AKi+2, 0) for the next authentication. If some nodes in VGc and RGc (RVGcc) are compromised, a non-compromised node C belongs to VGc and RGc (RVGcc), and the IK update message for the compromised region is as follows:

  BS → all nodes (broadcast): BS || SEQ(BS), AKi+2, F(AKi+3, 0), {RVGca, E(KCF(BS, SEQ(BS), RVGca), IKi+1 || N) || RVGcb, E(KCF(BS, SEQ(BS), RVGcb), IKi+1 || N) || RVGcd, E(KCF(BS, SEQ(BS), RVGcd), IKi+1 || N) || …}.

All RVGs receive a new IK, except for RVGcc. The other nodes only save F(AKi+3, 0). C, the non-compromised neighbour node of D, does not belong to RVGcc and has the new IKi+1. The node D can get the new IKi+1 from the node C as follows:

  D → C: D, MAC(KCD, C || D || N).
  C → D: C, SEQ(C), E(KCF(C, SEQ(C), KCD), IKi+1 || N).

The pairwise key KCD used in this message is not a new key. After receiving IKi+1, all nodes regenerate derived keys.

3.5 Key Update
Using the same encryption key for extended periods may incur a cryptanalytic risk. In short-lived networks, the threat can be ignored [6]. For other networks, however, it is necessary to renew the encryption keys occasionally [7]. To do this, the key server generates the new keys and pushes them to the nodes, as in the case of revocation. The time interval between subsequent renewals may depend on the data traffic volume, strength of underlying cryptographic primitives, and extra processing load incurred by all nodes.

Rekeying: The rekeying protocol updates the IK, and all nodes regenerate each derived key, except for the secret key KSiBS shared between the BS and each sensor node. The following message is broadcast to send a new IK.
BS → all nodes (broadcast): BS || SEQ(BS), AKi, F(AKi+1, 0), E(KCF(BS, SEQ(BS), CK), IKM || N). The new IKi+1 is generated by KCF(SEQ(BS), IKi, IKM). After this is broadcast, every derived key generated by IKi is regenerated with the new IKi+1. To maintain the modified organization of the groups, RG and RVG are not modified. RK and RVK do not use the previous equations, but the following equations: RKi+1 = F(IKi+1, RKi),
RVKiji+1 = F(IKi+1, RVKiji).

The regional group key update is carried out as follows:

  BS → all nodes (broadcast): BS || SEQ(BS), AKi, F(AKi+1, 0), {RGa, E(KCF(BS, SEQ(BS), RGa), RKM || N) || RGb, E(KCF(BS, SEQ(BS), RGb), RKM || N) || …}.

The new RKi+1 is generated by KCF(SEQ(BS), RKi, RKM). The node belonging to RGa or RGb updates its RKi with the new RKi+1. The new RVKi+1 is generated by F(RKM, RVKi). This message updates RK only and does not affect the other keys.

3.6 Group Management
EEKM supports group-management protocols for secure group communication. Group-management protocols can merge and split groups. The proposed protocol also reorganizes regional groups and updates their RK and RG.

Merging Groups: The merge message is sent to groups to integrate them into one group. This message leads to effective group communication.

  BS → all nodes (broadcast): BS || SEQ(BS), AKi, F(AKi+1, 0), {RGa, E(KCF(BS, SEQ(BS), RGa), RKM || N) || RGb, E(KCF(BS, SEQ(BS), RGb), RKM || N) || …}.

RGi+1 is generated by RGF(RKM, 0, 0, 0, 0), and RKi+1 is generated by F(RKM, RGi+1). Nodes belonging to the target group have the same RKi+1. RVG and RVK do not use the previous equations, but the following equations:

  RVGiji+1 = F(RKM, RGi || VGj),
  RVKiji+1 = F(RKM, RVGiji+1).

Splitting Groups: The split message is sent to the groups to be divided into proper groups. This message is useful for restricting the effect of a compromised node on the immediate network neighbourhood.

  BS → all nodes (broadcast): BS || SEQ(BS), AKi, F(AKi+1, 0), {RGa, E(KCF(BS, SEQ(BS), RGa), RKM || pattern || size || cp || N) || …}.

Fig. 3. Patterns of regional groups, panels (a) to (d).
The new RGi+1 is generated by the RGF(RKM, ldata, pattern, size, cp), the new RKi+1 is generated by F(RKM, RGi+1), and RVG and RVK are generated by the same equations as for the merge message. Each node computes its own RGi+1 according to RGF and the parameters. Fig. 3 illustrates the various patterns of regional groups.
4. SECURITY ANALYSIS
The success of a key management scheme is determined in part by its ability to efficiently survive attacks on highly vulnerable and resource-challenged sensor networks. Key management schemes in sensor networks can be classified broadly into dynamic or static solutions based on whether rekeying (update) of administrative keys is enabled post network deployment. Some dynamic schemes with rekeying have been proposed, particularly for emerging long-lived sensor networks. Efficient rekeying is essential for these schemes to be adopted [25]. We analyze a random-key preconfiguration scheme (static key management scheme) and EEKM (dynamic key management scheme).

Static key management schemes assume that once administrative keys are pre-deployed in the nodes, they will not be changed. Administrative keys are generated prior to deployment, assigned to nodes either randomly or based on some deployment information, and then distributed to nodes. Dynamic key management schemes may change administrative keys periodically, on demand or on detection of node capture. The major advantage of dynamic keying is enhanced network survivability, since any captured key(s) is replaced in a timely manner in a process known as rekeying. Another advantage of dynamic keying is providing better support for network expansion; upon adding new nodes, unlike static keying, which uses a fixed pool of keys, the probability of network capture does not necessarily increase. The major challenge in dynamic keying is to design a secure and efficient rekeying mechanism. EEKM is designed to provide a secure and energy-efficient rekeying mechanism.

Static key management schemes depend on the pre-distribution of a randomly selected set of k keys [15] or bivariate key polynomials [26] to each node out of a pool of P = k + m keys. Two nodes can communicate directly if they are within the transmission range of each other and they share at least one key/key polynomial.
Since the key polynomial model is more general, it is used in the analysis below. By [25], the probability of sharing a key polynomial between any two randomly selected nodes, PS, is defined as follows:

$$P_S = \begin{cases} 1, & \text{if } k > m, \\ 1 - \prod_{i=0}^{k-1} \dfrac{m - i}{k + m - 1}, & \text{if } k \le m, \end{cases}$$
where k is the number of polynomials known to a node and m is the number of polynomials unknown to that node. A large value of m leads to less network connectivity since the probability of sharing a key is lowered. The relationship between resilience, connectivity, and m in a 200,000-node network is shown in Fig. 4.
Fig. 4. The relationship between resilience and connectivity.
Static schemes tend to rely on using a larger key pool to enhance network resilience to attacks, whereas EEKM uses a temporary master key method for the key-setup phase to achieve better network connectivity. Each node uses pre-distributed keys as encryption (decryption) keys for secure communication. In dynamic schemes, resilience to attacks is primarily achieved by rekeying. EEKM’s resilience is independent of node capture and depends on revocation and rekeying. The encryption (decryption) key of a node is dynamically generated by KCF for each message.

Table 3. Summary analysis of static key management and EEKM.
| | Static keying | EEKM (Dynamic keying) |
|---|---|---|
| Network life | Assumed short-lived | Assumed long-lived |
| Key generation | Once predeployment | Multiple times post deployment |
| Handling node capture | Revealed keys are lost | Revealed group keys and KMBox are altered by rekeying |
| Re-keying cost | May be practically infeasible with respect to number of messages | Requires few messages (for sending IKM) |
| Storage cost | More keys per node | Fewer keys per node |
| Network resilience | High as long as number of nodes captured is small | High, largely independent of number of nodes captured as long as rekeying is performed in a timely manner |
| Encryption (decryption) key | Pre-distributed key | Dynamically generated key by KCF |
Table 3 summarizes primary features of static key management scheme and EEKM. It also provides a qualitative analysis of both schemes. As mentioned in section 3.4, key revocation refers to the task of securely removing keys which are known to be compromised. Existing key revocation schemes can be divided into two categories: centralized key revocation scheme [1, 15] and distributed key
revocation scheme [16, 27]. In a centralized key revocation scheme, a centralized authority (BS) is used to revoke compromised sensors [1, 15]. In a distributed key revocation scheme, no centralized authority is used and a vote is cast and collected among sensor nodes. If the vote tally against a sensor node exceeds a specified threshold, the sensor node will be revoked [16, 27]. EEKM belongs to the centralized key revocation scheme. This paper focuses on the centralized key revocation scheme. We compare the centralized revocation schemes proposed in [16], LEAP, and EEKM in section 5.

The revocation scheme of [16] can be divided into three phases: signature key distribution, key revocation and link reconfiguration. This scheme depends on a signature key distributed in the sensor network by unicasting and thus incurs additional inter-sensor communication cost. In a large-scale sensor network, distributing the signature key might be a problem. In LEAP, the revocation scheme consists of three phases: key revocation, cluster key update, and group key update. The new group key is distributed to all the legitimate sensor nodes via a recursive process over the spanning tree by unicasting. Hop-by-hop translation of regular broadcast messages involves non-trivial overhead for sensor nodes and is not scalable. The EEKM revocation scheme is composed of two phases: key revocation and IK update. Revocation and IK update messages are broadcast to all the sensor nodes. The non-updated nodes get the IK from their neighbour nodes.
5. EVALUATION

Energy efficiency is one of the most important factors in WSNs. We evaluated the energy efficiency of EEKM. We measured the average energy when the rekeying protocol was performed for the periodic key update. We assumed no data loss in the packet transmission and simulated EEKM using a network simulator with the random network shown in Fig. 1.

Table 4. Radio-dissipated energy.

| Operation | Energy dissipated |
|---|---|
| Transmitter electronics, receiver electronics ($P_{T\text{-}com} = P_{R\text{-}com} = P_{com}$) | 50 nJ/bit |
| Transmit amplifier ($P_{amp}$) | 100 pJ/bit/m² |
We assumed a simple model where the radio dissipates $P_{com}$ = 50 nJ/bit to run the transmitter or receiver circuitry and $P_{amp}$ = 100 pJ/bit/m² for the transmit amplifier (Table 4). We assumed the overall distance for transmission to be $r$, the minimum receiving power at a node for a given transmission error rate was $P_{receive}$, and the power at a transmission node was $P_{send}$. The radio frequency (RF) attenuation model near the ground is given by

$$P_{receive} \propto \frac{P_{send}}{r^{\alpha}},$$

where $\alpha$ is the RF attenuation exponent. Due to multiple paths and other interference effects, $\alpha$ typically ranges from 2 to 5 [8]. We assumed $\alpha$ to be 2. Thus, to transmit a $k$-bit message with distance $r$, we used Eq. (1):

$$P_{send}(k, r) = P_{com} \times k + P_{amp} \times k \times r^{2}. \tag{1}$$

The energy that a radio expends to receive this message is:

$$P_{receive}(k) = P_{com} \times k. \tag{2}$$
Using Eqs. (1) and (2) and the random 200-node network shown in Fig. 1, we simulated the transmission of data between every node and the sink node that was located within 50 m (at x = 50, y = −50). For our experiments, we assumed that each node received an 8,192-bit control packet from the sink node for rekeying. We analyzed the communication cost of EEKM compared to LEAP and a random graph-based scheme. Table 5 shows the communication costs of rekeying for the three protocols in Fig. 5. In EEKM, the BS broadcasts the newly encrypted IK to all nodes. In LEAP, the BS initiates the process by sending the new group key to each of its children in the spanning tree using its cluster key for encryption. In the random-key preconfiguration scheme, rekeying is equivalent to self-revocation of a key by a node. After removing the expired key, the affected nodes restart the discovery process of shared keys, and possibly the path-key establishment phase. EEKM consumes minimum power and supports both group and pairwise rekeying. Table 6 shows the communication costs of revocation for the three protocols in Fig. 5 with one compromised node.
[Figure: nodes A to I arranged in a 3 × 3 grid (rows G H I, D E F, A B C), with distances labelled r.]
Fig. 5. The normalized sensor network for measuring the energy cost of rekeying.
Table 5. Communication cost for rekeying.

| Protocols | Rekeying | Communication cost: Send | Communication cost: Receive |
|---|---|---|---|
| EEKM | Group and pairwise | 0 | 9 * $P_{receive}(k)$ |
| LEAP | Group | 8 * $P_{send}(k, r)$ | 9 * $P_{receive}(k)$ |
| Random-key preconfiguration scheme | Pairwise | 12 * 3 * $P_{send}(k, r)$ | 12 * 3 * $P_{receive}(k)$ |
Table 6. Communication cost for revocation.

| Protocols | Communication cost: Send | Communication cost: Receive |
|---|---|---|
| EEKM | 0 | 18 * $P_{receive}(k)$ |
| LEAP | 13 * $P_{send}(k, r)$ | 20 * $P_{receive}(k)$ |
| Random-key preconfiguration scheme | 3 * $P_{send}(k, r)$ | 20 * $P_{receive}(k)$ |
[Figures: line plots of the average energy of nodes for EEKM, LEAP and Random-key; x-axes: the number of rekeying (Fig. 6) and the number of revocation times (Fig. 7).]
Fig. 6. The average energy after sending each rekeying message using the equations in Table 5.
Fig. 7. The average energy after sending each revocation message using the equations in Table 6.
Figs. 6 and 7 plot the average energy given by the equations in Tables 5 and 6, respectively, with r = 1 and k = 8,192. EEKM is more energy efficient than the other methods. Moreover, the rekeying cost of EEKM is network-topology independent because of its message-broadcasting scheme. The rekeying cost of LEAP and the random-key preconfiguration scheme is dependent on network topology because of node-to-node communication. LEAP sends rekeying messages to nodes along the path of the spanning tree. The rekeying cost of the random-key preconfiguration scheme is very expensive because its self-revocation mechanism for rekeying needs at least two hop communications to complete path-key establishment.

We simulated each protocol with the network shown in Fig. 1. The results are similar to the equations shown in Table 5. Fig. 8 shows the average of 10 results. In EEKM, the plot does not change in each simulation, whereas it does change with the other protocols. Table 7 shows the average energy after processing 50 rekeying procedures. EEKM was 56% more energy-efficient than the random-key preconfiguration scheme. The rekeying scheme of EEKM updates group and pairwise keys.

Table 7. Average energy after processing 50 rekeying procedures in a simulation.

| Simulation environment | Initial energy (J/node) | Average energy (J/node) after 50th rekeying |
|---|---|---|
| EEKM | 1 | 0.980 |
| LEAP | 1 | 0.948 |
| Random-key preconfiguration scheme | 1 | 0.426 |
[Figure: line plot of the average energy of nodes (J) against the number of rekeying for EEKM, LEAP and Random-key.]
Fig. 8. The average energy of the rekeying simulation results.
Table 8. Average energy after processing 50 revocation procedures in the equation in Table 6.

| Protocol | Initial energy (J/node) | Average energy (J/node) after 50th rekeying |
|---|---|---|
| EEKM | 1 | 0.6314 |
| LEAP | 1 | 0.3236 |
| Random-key preconfiguration scheme | 1 | 0.5288 |
Table 8 shows average energy after sending 50 revocation messages with the equation in Table 6. EEKM is 49% more energy-efficient than LEAP.
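The Table 8 values follow directly from Eqs. (1) and (2) and the Table 6 multipliers; the script below is an added example, not the authors' simulator, and its function names are hypothetical. It assumes that the whole per-round cost from Table 5 or 6 is deducted from the 1 J initial energy, an assumption chosen because it reproduces Table 8 to four decimals.

```python
# Added example: radio energy model of Eqs. (1)-(2) applied to Tables 5 and 6.
P_COM = 50e-9    # J/bit, transmitter or receiver electronics (Table 4)
P_AMP = 100e-12  # J/bit/m^2, transmit amplifier (Table 4)


def p_send(k, r, alpha=2):
    """Eq. (1): energy (J) to transmit k bits over distance r (paper sets alpha = 2)."""
    return P_COM * k + P_AMP * k * r ** alpha


def p_receive(k):
    """Eq. (2): energy (J) to receive k bits."""
    return P_COM * k


# (number of P_send terms, number of P_receive terms) per round, from the tables.
REKEY = {"EEKM": (0, 9), "LEAP": (8, 9), "Random-key": (12 * 3, 12 * 3)}   # Table 5
REVOKE = {"EEKM": (0, 18), "LEAP": (13, 20), "Random-key": (3, 20)}        # Table 6


def round_cost(table, protocol, k=8192, r=1.0, alpha=2):
    """Energy (J) of one rekeying or revocation round for the Fig. 5 network."""
    n_send, n_recv = table[protocol]
    return n_send * p_send(k, r, alpha) + n_recv * p_receive(k)


def remaining_energy(table, protocol, rounds, initial=1.0, **radio):
    """Energy left after `rounds` rounds.

    Assumption (not stated on the page): the full per-round cost is charged
    against the 1 J initial budget; this matches the Table 8 values.
    """
    return initial - rounds * round_cost(table, protocol, **radio)


def efficiency_vs(table, rounds, baseline="EEKM", **radio):
    """Remaining energy of each protocol relative to the baseline protocol."""
    base = remaining_energy(table, baseline, rounds, **radio)
    return {p: remaining_energy(table, p, rounds, **radio) / base for p in table}


if __name__ == "__main__":
    print("Remaining energy after 50 revocations (k = 8192 bits, r = 1 m):")
    for name in REVOKE:
        print(f"  {name:<11} {remaining_energy(REVOKE, name, 50):.4f} J")

    print("Relative to EEKM:")
    for name, ratio in efficiency_vs(REVOKE, 50).items():
        print(f"  {name:<11} {ratio:.1%}")

    # Nodes only receive in EEKM, so its cost does not depend on the hop
    # distance r; the unicast-based schemes grow with r ** alpha.
    print("Per-round revocation cost (J) at r = 1 m and r = 50 m:")
    for name in REVOKE:
        near = round_cost(REVOKE, name, r=1.0)
        far = round_cost(REVOKE, name, r=50.0)
        print(f"  {name:<11} {near:.6f}  {far:.6f}")
```

Changing `alpha` within the 2 to 5 range quoted from [8] shows how quickly the send-side terms of LEAP and the random-key scheme dominate as hop distance grows, while the EEKM figure stays fixed.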
6. RELATED WORK

The architecture and design of sensor networks and hardware have progressed significantly in the past few years [10-13]. Perrig et al. [6] first proposed a set of cryptographic primitives for highly resource-constrained SNs. They designed and implemented two security primitives for first-generation SNs, SNEP and μTESLA. Carman et al. [9] analyzed several approaches for key management and distribution in sensor networks. In particular, they discussed the energy consumption of three different approaches for key establishment: pre-deployed keying protocols, arbitrated protocols involving a trusted server, and autonomous key-agreement protocols. Basagni et al. [14] discussed a cluster-based rekeying scheme for periodically updating the group-wide traffic encryption key in a sensor network. However, they assumed that SNs were tamper-proof and could trust each other.

Pairwise key management is an important security primitive for WSNs because pairwise keys can be used to secure hop-by-hop communication between neighbours and to bootstrap higher-level security mechanisms. The first random-key preconfiguration scheme was proposed by Eschenauer and Gligor [15]. The entire system maintains a key pool with a large number of keys. Each SN contains a predistributed number of keys selected from the key pool.
Chan et al. [16] improved this scheme by introducing a q-composite random key-predistribution scheme. Instead of using one shared key to set up the pairwise key, a pair of neighbour nodes used their q common keys to establish their pairwise key. This improved resilience to node compromise. Du et al. [17] and Liu and Ning [18] further improved this scheme by using polynomials instead of random numbers as the key. The closest (location-based) pairwise keys predistribution scheme [24] is an alternative to the random pairwise key scheme. It takes advantage of the location information to improve the key connectivity. This solution decreases memory usage, and preserves a good key connectivity if deployment errors are low.

A different approach to pairwise keys was taken by Zhu et al. [1], who proposed LEAP, a robust and lightweight method of setting up pairwise keys using a temporary master key. In this scheme, every node is preconfigured with an initial master key. Each SN uses a PRF and the master key to generate its own key and pairwise keys with neighbour nodes. The master key is only kept in an SN for a short time before being erased, so an adversary does not have enough time to compromise a node to capture its master key. Similar to random-key schemes, LEAP also supports secure joining of new nodes. One advantage of LEAP is that adversaries cannot inject other malicious nodes, even if they can compromise existing nodes after their master keys are erased. A disadvantage of this approach is that each node must establish its pairwise keys within a short time while its master key exists in its memory. After the master key is erased, that node cannot establish any keys with other nodes. Karlof et al. [19] described TinySec, a link-layer security mechanism using a single preloaded fixed group key for both encryption and authentication, assuming no node compromises.
The power, energy, and related computational and communication limitations of nodes in this range make it impractical to use typical asymmetric (public key) cryptosystems to secure communications. Less energy is spent to communicate over smaller distances because power is proportional to the square of the distance. Also, in the range of the sensor capabilities we consider, symmetric key ciphers and hash functions are two to four orders of magnitude faster than digital signatures [20]. Hence, symmetric key ciphers, low-energy authenticated encryption modes [21-23], and hash functions become the tools of choice for protecting WSN communications.
7. CONCLUSIONS AND FUTURE WORK

We designed an Energy-Efficient Key-Management (EEKM) protocol for large-scale distributed sensor networks. Table 9 compares EEKM to other protocols. EEKM uses a predeployed temporary master key approach that supports a robust and lightweight method for setting up various derived keys. A broadcast-based rekeying protocol is suitable for periodic rekeying. Our simulation results indicate that EEKM is more energy-efficient than the other key-management protocols and that its energy consumption is topology independent. EEKM provides group-management protocols for secure group communication. We believe that our technique is more practical than existing key-management schemes for sensor networks.
Table 9. Characteristics of each protocol.

| Item \ Key distribution scheme | EEKM | LEAP | Random-key preconfiguration scheme |
|---|---|---|---|
| Rekey objects | Group key, pairwise key | Group key | Pairwise key |
| Rekey energy efficiency for all keys | 100% | 97% | 43% |
| Key distribution | Generating key after deployment and temporary master key | Generating key after deployment and temporary master key | Random key preconfiguration before deployment |
| Group management | Support | No support | No support |
| Revocation and rekey energy efficiency | 100% | 51% | 83% |
Next-generation sensor networks will be long-lived, highly dynamic, and capable of supporting quality of service (QoS). The attack profile on these networks will be more varied and complex. Research is needed on adaptive key management to solve these challenges. Our future work includes implementing the EEKM API on TinyOS and developing applications with this API on real WSNs. We will also include fault-tolerant broadcast protocols for noisy environments in our research.
REFERENCES

1. S. Zhu, S. Setia, and S. Jajodia, “LEAP: efficient security mechanisms for large-scale distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003, pp. 62-72.
2. S. Buchegger and J. L. Boudec, “Performance analysis of the CONFIDANT protocol (cooperation of nodes: Fairness in dynamic ad-hoc networks),” in Proceedings of the 3rd ACM International Symposium on Mobile Ad Hoc Networking and Computing, 2002, pp. 226-236.
3. S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc networks,” in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking, 2000, pp. 255-265.
4. Y. Zhang and W. Lee, “Intrusion detection in wireless ad hoc networks,” in Proceedings of the 6th International Conference on Mobile Computing and Networking, 2000, pp. 275-283.
5. K. Akkaya and M. Younis, “A survey on routing protocols for wireless sensor networks,” Ad Hoc Networks, Vol. 3, 2005, pp. 325-349.
6. A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, “SPINS: security protocols for sensor networks,” Wireless Network, Vol. 8, 2002, pp. 521-534.
7. W. Fumy and P. Landrock, “Principles of key management,” IEEE Journal of Selected Areas in Communications, Vol. 11, 1993, pp. 785-793.
8. F. Zhao and L. J. Guibas, Wireless Sensor Networks: An Information Processing Approach, Elsevier, Oxford, 2004.
9. D. Balenson, D. McGrew, and A. Sherman, “Key management for large dynamic groups: one-way function trees and amortized initialization,” IETF Internet draft, 2000.
10. V. Raghunathan, C. Schurgers, S. Park, and M. B. Srivastava, “Energy-aware wireless microsensor network,” IEEE Signal Processing Magazine, Vol. 19, 2002, pp. 40-50.
11. E. Shih, B. Calhoun, S. H. Cho, and A. Chandrakasan, “Energy-efficient link layer for wireless microsensor network,” in Proceedings of the Workshop on VLSI, 2001, pp. 16-21.
12. E. Shih, S. H. Cho, N. Ickes, R. Min, A. Sinha, A. Wang, and A. Chandrakasan, “Physical layer driven protocol and algorithm design for energy-efficient wireless sensor networks,” in Proceedings of the 7th ACM Annual International Conference on Mobile Computing and Networking, 2001, pp. 272-287.
13. S. H. Cho and A. Chandrakasan, “Energy efficient protocols for low-duty cycle wireless microsensor networks,” in Proceedings of International Conference on Acoustics, Speech, and Signal Processing, 2001, pp. 2041-2044.
14. S. Basagni, K. Herrin, E. Rosti, and D. Bruschi, “Secure pebblenets,” in Proceedings of the 2nd ACM International Symposium on Mobile Ad Hoc Networking and Computing, 2001, pp. 156-163.
15. L. Eschenauer and V. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002, pp. 41-47.
16. H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Symposium on Security and Privacy, 2003, pp. 197-213.
17. W. Du, J. Deng, Y. Han, and P. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003, pp. 42-51.
18. D. Liu and P. Ning, “Establishing pairwise keys in distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003, pp. 52-61.
19. C. Karlof, N. Sastry, U. Shankar, and D. Wagner, “TinySec: TinyOS link layer security proposal,” version 1.0, 2002.
20. D. W. Carman, P. S. Kruus, and B. J. Matt, “Constraints and approaches for distributed sensor network security,” NAI Labs Technical Report No. 00-010, 2000.
21. V. D. Gligor and P. Donescu, “Fast encryption and authentication: XCBC encryption and XECB authentication modes,” Fast Software Encryption, LNCS 2355, 2002, pp. 92-108.
22. C. S. Jutla, “Encryption modes with almost free message integrity,” in Proceedings of Advances in Cryptology − EUROCRYPT, LNCS 2045, 2001, pp. 529-544.
23. P. Rogaway, M. Bellare, J. Black, and T. Krovetz, “OCB: a block-cipher mode of operation for efficient authenticated encryption,” in Proceedings of the 8th ACM Conference on Computer and Communication Security, 2001, pp. 196-205.
24. D. Liu and P. Ning, “Location-based pairwise keys in distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003.
25. M. Eltoweissy and R. Mukkamala, “Dynamic key management in sensor networks,” IEEE Communications Magazine, 2006, pp. 122-130.
26. D. Liu and P. Ning, “Improving key predistribution with deployment knowledge in static sensor networks,” ACM Transactions on Sensor Networks, Vol. 1, 2005, pp. 204-239.
27. H. Chan, V. D. Gligor, A. Perrig, and G. Muralidharan, “On the distribution and revocation of cryptographic keys in sensor networks,” IEEE Transactions on Dependable and Secure Computing, Vol. 2, 2005, pp. 233-247.
28. M. F. Kaashoek, A. S. Tanenbaum, and S. F. Hummel, “An efficient reliable broadcast protocol,” ACM SIGOPS Operating Systems Review, Vol. 23, 1989, pp. 5-19.
29. Z. Sahinoglu, P. Orlik, J. Zhang, B. Bhargava, and G. Ding, “Reliable broadcasting in ZigBee networks,” in Proceedings of IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks, 2005, pp. 510-520.
30. S. Zhu, S. Setia, and S. Jajodia, “LEAP+: efficient security mechanisms for large-scale distributed sensor networks,” ACM Transactions on Sensor Networks, Vol. 2, 2006, pp. 500-528.
31. A. Moon, et al., “Context-aware active services in ubiquitous computing environments,” Electronics and Telecommunications Research Institute Journal, Vol. 29, 2007, pp. 169-178.
32. Y. S. Kim, et al., “Miniaturized electronic nose system based on personal digital assistant,” Electronics and Telecommunications Research Institute Journal, Vol. 27, 2005, pp. 585-594.
33. S. Capkun, M. Hamdi, and J. Hubaux, “GPS-free positioning in mobile ad-hoc networks,” in Proceedings of the Hawaii International Conference on System Sciences, Vol. 9, 2001, pp. 255.
34. H. Akcan, V. Kriakov, H. Brönnimann, and A. Delis, “GPS-free node localization in mobile wireless sensor networks,” in Proceedings of the 5th ACM International Workshop on Data Engineering for Wireless and Mobile Access, 2006, pp. 35-42.
35. A. Magnani and K. K. Leung, “Self-organized, scalable GPS-free localization of wireless sensors,” in Proceedings of IEEE Wireless Communications and Networking Conference, 2007, pp. 3798-3803.
36. J. Arias, J. Lázaro, A. Zuloaga, J. Jiménez, and A. Astarloa, “GPS-less location algorithm for wireless sensor networks,” Computer Communications, Vol. 30, 2007, pp. 2904-2916.

Kwang-Jin Paek received the B.S. and M.S. degrees in Electronic and Computer Engineering from Pusan University of Foreign Studies, South Korea, in 1996 and 1998, respectively, and the Ph.D. degree in Computer Science and Engineering from Korea University, South Korea, in 2007. He is currently a postdoctoral researcher in Sensor Network Platform Research Team, Convergence SW Research Division, ETRI, South Korea. His
research interests include WSN, MAC protocols in WSN, key management protocols in WSN and RFID systems, middleware systems, and mobile agent systems.

Ui-Sung Song received his M.S. and Ph.D. degrees in Computer Science and Engineering from Korea University, Seoul, Korea in 1999 and 2005, respectively. From 2005 to 2006, he was a research assistant professor in the Research Institute for Information and Communication Technology at Korea University. He is currently an Instructor in the Department of Computer Education at the Busan National University of Education. His recent research interests include distributed computing, mobile computing, sensor networks and network security.
Hye-Young Kim is a corresponding author. She received her M.S. degree from SookMyung Women’s University, Korea in 1993, and her Ph.D. in Computer Science and Engineering from Korea University in 2005. She has over 9 years of experience at the Software Lab. of Hyundai Electronic Co. in Korea. Since March 2007, she has been a full-time instructor on the tenure track of the College of Game at Hongik University in Korea. Her research interests include mobile games, network protocols, mobile IPv6, NEMO, and the design and performance evaluation of wireless networks.
Jongwan Kim received the B.S. degree in Business Administration from Shamyook University, the M.S. degree in Computer Science and Engineering from Soongsil University, and the Ph.D. degree in Computer Science and Engineering from Korea University, South Korea, in 2007. He has more than 10 years of field experience as a developer and technician in object-oriented technology. His research interests include mobile and streaming data management, location-based services, sensor/RFID, and object-oriented technologies.