Ad Hoc Networks 1 (2003) 455–468 www.elsevier.com/locate/adhoc
Providing secrecy in key management protocols for large wireless sensors networks

Roberto Di Pietro a,*,1, Luigi V. Mancini a,1, Sushil Jajodia b

a Dipartimento di Informatica, Università di Roma ‘‘La Sapienza’’, Via Salaria 113, 00198 Roma, Italy
b Center for Secure Information Systems, George Mason University, University Drive, VA 22030, USA
Abstract

This paper defines a new protocol, KeEs, for key establishment that meets the security requirements of the proposed threat model. The KeEs protocol assures forward and backward secrecy of the session key, so that if any set of session keys is compromised, even including the current session key, these compromised keys undermine neither the security of future session keys nor the security of past session keys. We illustrate the protocol in two different scenarios, one in which a Base Station acts as a synchronizer for re-keying the sensors, and a second scenario based on a completely distributed approach in which the sensors rely only on themselves to achieve synchronization in the re-keying process. For both scenarios the KeEs protocol requires minimal overhead in terms of computations and transmissions. Finally, in KeEs none of the resources needed by a generic sensor is bound to the size of the WSN.

2003 Elsevier B.V. All rights reserved.

Keywords: Wireless sensor network security; Key management protocol; Forward and backward secrecy; Synchronization; Distributed algorithms
* Corresponding author. E-mail addresses: [email protected] (R. Di Pietro), [email protected] (L.V. Mancini), [email protected] (S. Jajodia).
1 This work was partially supported by the Italian MIUR under the FIRB WEB-MINDS Project, and by the EU under the IST-2001-34734 EYES project.

1570-8705/$ - see front matter 2003 Elsevier B.V. All rights reserved. doi:10.1016/S1570-8705(03)00046-5

1. Introduction

Advances in micro-electro-mechanical systems (MEMS) technology allow sensors to be reprogrammable, self-localizing, and to support low-energy, wireless, multi-hop networking, while requiring only minimal pre-configuration. To support the reliability of coordinated control, management, and reporting functions, the sensor networks are self-organizing with both decentralized control and autonomous sensor behavior, resulting in a sophisticated processing capability [5]. A wireless sensor network (WSN) is a collection of sensors, whose number can range from a few hundred to a few hundred thousand and possibly more. These sensors do not rely on any pre-deployed network architecture, and thus communicate via an ad hoc wireless network. Distributed in irregular patterns across remote and often hostile environments, sensors will autonomously aggregate into collaborative, peer-to-peer networks. Sensor networks must be robust and survivable despite individual sensor failures and intermittent connectivity (for instance due to a noisy channel or a shadow zone). Often WSNs are
infrastructureless, and their power supply is provided by batteries, whose consumption for both communication and computation activities must be optimized.

Providing confidentiality and authentication is critical to prevent an adversary from compromising the security of a distributed sensor network. However, providing key management for confidentiality and group-level authentication is difficult due to the ad hoc nature, intermittent connectivity, and resource limitations of the distributed sensor network environment. This paper deals with the key management issue in large WSNs by identifying and developing protocols, algorithms and mechanisms that efficiently provide key management services. In particular, our research focuses on key management for confidentiality and group-level authentication in resource-limited distributed sensor networks.

WSNs will be deployed in the near future in both military and commercial scenarios [15,20]. For instance, they could be used to collect data from a field in order to reveal the presence of a toxic gas, to facilitate rescue operations in snow in a wide open mountainous area, to fulfill perimeter surveillance duties, to operate for commercial purposes in severely constrained environments (for instance, to measure the concentration of metals such as nodules of manganese on the ocean bed), to provide a relay network for tactical communication in a battlefield, and to enforce physical access control. For instance, a WSN could control the secure access to a building. Each person could carry a sensor which contains, in encrypted form, some sort of personal information. This information is exchanged with other sensors distributed across the building, and is used to authenticate the users, to assign them the appropriate clearance, and eventually to trace their movements in the building. Hence, the motivations for secure WSNs stem from the need for confidentiality in the above critical scenarios.
Our central goal is to develop a general framework for key establishment protocols and related security services in a WSN. Section 2 reports the related work in the field, while Section 3 highlights the requirements and constraints a WSN is subject to, which make key establishment protocols a challenging task. Section 4 defines the threat and the trust model, as well as the security requirements of a WSN. In Section 5, we illustrate the environment in which our WSN is supposed to operate, defining the communication model, the per-sensor required components, our hypothesis regarding sensor synchronization, and the notation employed. Further, we detail our KeEs protocol. The KeEs protocol satisfies the security requirements while being compliant with the guidelines previously pointed out. In particular, the KeEs protocol is composed of two phases: in the first, the key is autonomously generated by each sensor in a time-triggered manner, while the second phase provides key synchronization among the sensors. The protocol has been detailed in all its components, under two different scenarios: one in which the WSN can rely on a Base Station (BS) to trigger the re-keying synchronization, and another in which the sensors act without any external synchronization point. We have devised a key generation algorithm that assures a few interesting properties of the keys generated: (1) implicit key authentication, (2) backward secrecy, and (3) forward secrecy. In Section 6, we show that the devised protocol matches the security requirements and we evaluate the overhead required for its execution. Note that the key generation and the synchronization protocols generate a minimal overhead in terms of the computations and communications required, and the per-sensor required storage is bounded by a small constant. Finally, we draw our conclusions and expose a few points for further research in the field.
2. Related work

2.1. Group key establishment in dynamic peer groups

Recent research has focused on key establishment protocols in dynamic peer groups. In particular, the authors in [29] focus on the problem of key agreement in dynamic peer groups and recognize that key agreement, especially in a group setting, is the stepping stone for all the other security services. Dynamic peer groups require not only initial key agreement (IKA) but also auxiliary key agreement (AKA) operations, such as member addition. The work discusses session key agreement operations and presents a concrete protocol suite, CLIQUES, which offers complete key agreement services. CLIQUES is based on multiparty extensions of the well-known Diffie–Hellman key exchange method [9]. The provided protocols are provably secure against passive adversaries. In [1] the protocols provided in [29] are enhanced to provide services like authenticated key agreement in dynamic peer groups with the emphasis on efficient and provably secure key authentication, key confirmation and integrity. However, the protocols in [1,29] resort to public key cryptography (PKC) primitives [9]. As pointed out in [3], the use of PKC is unfeasible in large WSNs, since the memory of a sensor is insufficient to hold the keys (of sufficient length to ensure security) that are required by asymmetric cryptographic algorithms. Moreover, the low-frequency processor the sensors are equipped with (for instance, 4 MHz as in [24]) would consume too much time, and finally the energy required by the processor to perform the operations (basically heavy exponentiations) would be too much to allow the implementation of such a technique.

2.2. Key establishment in WSNs

The feasibility of implementing a security subsystem for a limited WSN platform has been shown in [24]. The system assumptions require the presence of BSs, which act as gateways for inter-sensor communications. Since the BS is more powerful in its resources (think of it as a workstation), it is possible to implement public key cryptography, leaving the burden of computation to the BS. In this way the authors can relax the assumption on the tamper-resistance of sensors, assuming a trusted BS.
With this architecture, which diverges from the paradigm of a completely distributed network composed only of sensors, a few properties are enforced, such as authenticated and confidential communications, as well as authenticated broadcast. In [2], a key management scheme which periodically updates the keys employed by sensors is proposed. However, the proposed key management framework assures neither forward nor backward secrecy. As for the key generation, the solution devised requires two phases: in the first phase, among the large number of sensors, only a small fraction of sensors is selected. In the second phase, among the sensors belonging to the previously identified set, a further small set of sensors is selected, and these finally compete for being the key manager. This competition is decided probabilistically. Once the key is generated, it is distributed to all the sensors in the network. Finally, two recent works in the WSN field are of particular interest: in [12], the idea of probabilistic key assignment for WSNs is introduced and the authors provide a centralized algorithm to perform re-keying in a distributed WSN. In [8] a distributed group key management protocol for WSNs is proposed. The initial key assignment to the sensors is based on a probabilistic model. The probability of the confidentiality of the channel can be dynamically improved at the price of a slight increase in the communication overhead.

2.3. Hierarchical algorithms for key establishment in dynamic peer groups

Among the protocols that employ symmetric key techniques, many are specific implementations of the logical key hierarchy (LKH) model. The LKH model was introduced in [13,30,31] to deal with secure multicast. In particular, this model allows an efficient update of the session key when a user joins or leaves the group. With the LKH, a key distribution center (center in the following) maintains a key tree which is used for group key update and distribution. Each intermediate node in the tree represents a cryptographic symmetric key. The center associates each group member (user) with one leaf node of the tree. Each user knows all the keys from its leaf node up to the root; the set of such keys is referred to as the key path. All the users know the key at the root node, and that key is employed to encrypt the payload traffic.

However, the LKH model employs a number of keys that is logarithmic in the number of users in the system, and the number of messages required to manage group dynamics is logarithmic in the number of users too.
3. Characterization of a WSN

The key establishment protocols for distributed sensor networks must satisfy several security and functional requirements. The keying protocol must establish a shared key (or keys) among all the sensors that exchange application data, to provide confidentiality and group-level authentication of application data. In the following, we identify the main requirements and the constraints that affect a WSN.

3.1. Requirements

• Confidentiality. The shared key established by the key establishment protocol must be protected from disclosure to unauthorized parties. Moreover, confidentiality is a pre-requisite to protect against traffic analysis. Confidentiality should be provided by using a fine key granularity, that is, keys with as small a scope as possible. This approach prevents a single break from compromising a large portion of the sensor network. It is worth noting that small granularity can be expressed in terms of time, that is, the shorter the lifetime of a key, the lower the probability of compromising the WSN; or in terms of the number of sensors that share a key, for example a key shared among only two sensors, if compromised, should not compromise the whole WSN.
• Authenticity. Access to the shared key should be limited to only those parties identified in the protocol, thus implementing implicit key authentication.
• Scalability. A re-keying scheme that has poor scalability (either in terms of energy or communication cost) for establishing and maintaining a key is not suitable for WSNs, due to the large number of sensors a WSN could be composed of. Note that such a number is not pre-established: sensors could be added on the fly, for example because of an increased monitoring need.
• Availability. Key management services must ensure that confidentiality and group-level authentication services are available to authorized parties when needed. Moreover, to ensure a higher availability of the communication infrastructure, the sensors should optimize the use of their resources (such as battery and computing capabilities), and should minimize, in particular, the energy consumption so as to extend the lifetime of the network. The key management functions should not limit the availability of the network and should not create single points of failure such as a centralized key management node for all the network-wide security. The requirement that security not interfere with the operations of the network is important in maintaining the availability of the network. If for some reason the sensors are not cryptographically synchronized, that is, not all the sensors hold the proper keys to encrypt communications, the availability of the network could suffer.
• Self-organization. Distributed sensor networks must self-organize their routing and key management protocols. Usually the location of a particular sensor is not known before its deployment. Hence, the immediate neighborhood of a sensor, the number of hops required to route a message, or the power required to send a message with a particular error rate from one sensor to another is not known in advance.

3.2. Constraints on WSN

1. Limited communication bandwidth: Wireless links have limited bandwidth, and transmissions consume valuable energy [4].
2. Limited communication range: The radio frequency (RF) transceiver a sensor is equipped with usually has a very short coverage range, for instance a few dozen meters. Any sensor might be cut off from the others (for example when entering a shadow zone), or might be in contact with many of its peers. In general, it is impossible to predict which other sensors a sensor might be in contact with. When information has to be gathered or disseminated, due to the short range of the RF, a sensor could have to relay data on behalf of the others. Thus a WSN relies on multi-hop routing.
3. Limited memory: A sensor is equipped with a very small amount of memory, and no mass storage is available, but only a few thousand bytes of EEPROM-like memory, as in [14,24].
4. Limited computational power: The processor a sensor is equipped with is characterized by low processing power, for instance 4 MHz as in [24]. This is mainly for saving energy: a higher frequency would imply a higher energy consumption [14], conflicting with the next point.
5. Power constraint: Whether re-fillable or not, the general idea is that the only power any sensor can rely on is generated by its own batteries. Some current research projects address the possibility of employing solar cells to re-power the sensor, but the problem of limiting energy consumption still remains, since sensors could experience lack of sun (think of a cloudy day, or night). Therefore, regardless of the energy source, such power supply is limited, and every effort has to be made to optimize this resource [14].
4. Security model

4.1. Threat model

The attacks on the WSN considered in this paper are limited to passive attacks. Indeed, we assume that an eavesdropper can constantly monitor the whole WSN. In the following, we consider two types of attacks that an adversary can perform: (1) Cypher text attack, that is, given the cypher text the adversary tries to recover the encryption key. For instance, this type of attack is particularly critical when the WSN has been deployed to provide a relay for tactical communications in the battlefield. (2) Chosen plain text attack, that is, the adversary can feed the sensor with known data and then observe the encrypted message sent by the sensor. Therefore, we consider confidentiality and authenticity of data of paramount importance. Note that taking the chosen plain text attack into account is mandatory only if we adopt encryption algorithms that are subject to this kind of attack. Indeed, the encryption algorithm can be designed to resist such an attack, and can be analyzed to verify this feature.

Authenticity of the data ‘‘sensed’’ is needed, since otherwise unauthorized users could provide the WSN with bogus data that could induce the final sink of the collected data to take decisions on the basis of a false scenario. In particular, the decisions that will be taken on the basis of such bogus data could be figured out by the adversary, who could take full advantage of the induced behavior. This situation can occur in both the military and the commercial scenario. Confidentiality is another critical issue. As an example, consider a sensor that reveals the concentration of a certain gas in the air. The sensors take the measurement, encrypt the data, and then send it to the final sink. An adversary that can decrypt the data sent by the sensors could predict the decisions that will be taken on the basis of these data. Finally, note that if the application of the WSN is to ‘‘sense’’ some physical phenomenon, and an adversary has access to the environment in which the WSN has been deployed, there is no possibility of preventing the adversary from deploying his own sensor network and ‘‘sensing’’ the same data. This form of attack is out of the scope of the present paper. In Section 4.2 we state the security requirements needed to face the threats exposed above.

We assume that the environment in which the sensors operate is untrusted. Moreover, we assume that the basic wireless communication is not secure. Indeed, a broadcast can be eavesdropped by any adversary in its communication range. Each sensor trusts itself, while sensors trust neither the BS nor other sensors.

4.2. Security requirements

According to [23,29], we consider the following as the main security properties of a key establishment protocol:

• Session key secrecy (SKS). It should be computationally unfeasible for an adversary to recover a session key; this requirement enforces implicit key authentication: only authorized users can hold the current session key.
• Forward secrecy. No subsequent session keys can be recovered, given that an adversary managed to recover a contiguous subset of old session keys.
• Backward secrecy. Given that an adversary managed to recover a contiguous subset of session keys, no previous session keys can be recovered.

As for SKS, there is the possibility that an adversary could employ a chosen plain text attack, which improves the adversary's chances of successfully recovering the key, given that enough chosen plain text is provided. To mitigate such a threat (1) we employ periodic re-keying, to reduce the amount of cypher text available to the adversary. Indeed, the cypher text generated under one key is proportional to the re-keying period only; and (2) we devise a protocol to generate keys such that even if the current session key is recovered by the adversary, after the re-keying period has elapsed, the adversary has no clue about the new session key. Note that without an infrastructure and a centralized access control, a sensor can rely only on itself and its peers to enforce security. Nevertheless, we show in Section 6.1 how the above security requirements are matched by the KeEs protocol.
5. KeEs protocol

This section presents the KeEs protocol, which aims at enforcing a secure key establishment in accordance with the security requirements stated in Section 4, and with minimum overhead as shown in Section 6.2.

5.1. System assumptions

Since sensors communicate using RF, broadcasting is the fundamental communication primitive. Each sensor can directly communicate only with a limited range of the WSN, therefore packets are delivered via multi-hop. Moreover, communications are the main power-demanding operations. Therefore, communications should be kept to the strictly necessary. Note that receiving a message is less power consuming than sending a message [28], and this is a parameter of interest in designing a key establishment protocol.

In the following, $m$ denotes a message that a sensor has to send, while $E_k(m)$ indicates the symmetric encryption with algorithm $E$, employing the key $k$, of message $m$. Conversely, $E_k^{-1}(m)$ represents the decryption of message $m$ employing key $k$. The length in bits of key $k$ is denoted by $q$. $H$ and $G$, unless otherwise specified, are one-way hash functions. The notation $H^i(S)$, $i \geq 1$, represents the computation $H(H(\ldots(H(S))\ldots))$, that is, applying the hash function $H$ $i$ times to $S$. The two hash functions and the encryption algorithm do not need to be kept secret. Each sensor is provided with two random seeds, $S_1$ and $S_2$, each $q$ bits long. These two seeds are the only critical secrets that the tamper-resistance property has to preserve. Finally, each sensor can store an integer counter that indicates the sequence number of the current session key, and has enough memory to store a limited, constant number of session keys. Section 6.2.3 shows how to relax this last assumption, at the expense of increased computation.

We assume that sensors are tamper-resistant, as in [2,19]. In particular, to the extent of this paper, only the seeds $S_1$ and $S_2$ introduced above need to be tamper proof. The tamper-resistance property of the single sensor protects the network from adversaries trying to recover the secrets of the sensors by capturing honest ones. Indeed, an adversary trying to gain access to the secrets by physically extracting them from the sensor would damage it, thus thwarting the attempt.

Sensors typically share the same physical medium: they transmit and acquire signals in the same frequency band, and follow the same hopping sequence or spreading code. The functions of the data link layer manage the wireless link resources and coordinate medium access control among neighboring sensors. The medium access control protocol is essential to a WSN because it allows mobile sensors to share a common broadcast channel. The network layer functions maintain the multiple-hop communication paths across the network; each sensor can function as a router that discovers and maintains routes to other sensors in the WSN [25]. However, our KeEs protocol relies upon neither a basic routing layer nor a secure routing layer [18,32]. The KeEs protocol generates the keys without requiring communications among sensors, as detailed in the following paragraphs.
Once the session key has been generated, it has to be distributed. Since in the KeEs protocol each sensor autonomously generates the key (see Section 5.2), the problem is how to make the sensors agree on the session key. We deal with this problem in two different scenarios: (1) BS scenario; and (2) completely distributed scenario.

The first scenario assumes the existence of a BS which has very few interactions with the WSN, has more powerful hardware and power supply, is asynchronous with respect to the WSN, and whose communication range covers the whole WSN. The BS has to interact with the WSN to invoke the command to generate the new key. For example, the BS could be an unmanned aerial vehicle (UAV) [16], or a supervisor on the ground [6]. This scenario allows the reduction of the communication overhead, but introduces a single point of failure. Nevertheless, some redundant back-up for the BS can be provided to improve its availability. Finally, we assume that the BS invokes two subsequent re-keying commands only at intervals that are greater than the maximum propagation delay of a message across the WSN. This assumption is realistic, as will be seen in Section 5.5.2.

In the second scenario, the sensors rely on themselves and their peers: there are no other entities in the WSN. The only assumption we make is that the local clocks of the sensors are loosely synchronized, that is, we assume that the difference between the clocks of any two sensors in the WSN cannot exceed a fixed value, say $d$, as in [21,22,24]. Note that a protocol has been proposed in [17] that guarantees that the nodes of a network are loosely synchronized with a drift that does not exceed a small value for a reasonable period of time. However, such a protocol and its derivations do not directly apply to WSNs, but some preliminary work on WSNs highlights that the same assumption can be guaranteed also in the WSN environment [10,11].

5.2. Overview of the functional properties of the protocol

The protocol is composed of two main phases: in the first phase, the new session key is generated, while in the second phase the new session key is distributed to all the sensors in the WSN.

As for the first phase, each sensor autonomously generates the session key. The algorithm driving such a generation assures that each sensor generates the same key and that the security requirements (see Section 4.2) are matched. Since each sensor autonomously generates the session key, the second phase focuses on enforcing that each sensor holds the appropriate set of cryptographic keys. This phase is indeed a synchronization phase. We will discuss separately the two scenarios introduced in Section 5.1: the one with the BS acting as a coordinator, and the completely distributed one.

5.3. Key generation algorithm

In order to meet the security requirements stated in Section 4, we first have to demonstrate a few general properties of the auxiliary key generation mechanisms.

Lemma 1. Let $H : \{0,1\}^q \to \{0,1\}^q$ be a pseudo-random number generator, and let $S_1$ be a number randomly chosen in $\{0,1\}^q$. Then $\forall i \in \mathbb{N}^+$ the value $K_i = H^i(S_1)$ is a pseudo-random number.

Proof. The proof is by induction. Let $i = 1$; then $K_1 = H(S_1)$. Since $H$ is a pseudo-random number generator, the generated number $K_1$ cannot be predicted without knowledge of $S_1$, therefore the statement is true. Assume the statement is true for $i = 1, \ldots, n-1$. We have to prove it true for $i = n$. We have $K_n = H^n(S_1) = H(H^{n-1}(S_1))$. By the inductive hypothesis, we know that $S' = H^{n-1}(S_1)$ is a pseudo-random number. So we can write $K_n = H(S')$. From the application of the first inductive step we have that $K_n = H(S')$ is still a pseudo-random number. Thus the claim. □

Fact 2. Let $S_1$ and $S_2$ be two random numbers in $\{0,1\}^q$. Then $K = S_1 \oplus S_2$ is still a random number.

Theorem 3. Let $H, G : \{0,1\}^q \to \{0,1\}^q$ be two pseudo-random number generators, and let $S_1, S_2$ be two numbers randomly chosen in $\{0,1\}^q$. Then $\forall i \in \mathbb{N}^+$ the value $K_i = H^i(S_1) \oplus G^i(S_2)$ is a pseudo-random number.
Proof. The proof is by induction on $i$. Suppose that $i = 1$. Then we have $K_1 = H(S_1) \oplus G(S_2)$. By Lemma 1 and Fact 2, the claim follows. Suppose now the statement is true for $i = 2, \ldots, n-1$. We have to show that the statement is true for $i = n$. We have that $K_n = H^n(S_1) \oplus G^n(S_2) = H(H^{n-1}(S_1)) \oplus G(G^{n-1}(S_2))$. By step $i = n-1$ of the induction we have that $H^{n-1}(S_1)$ and $G^{n-1}(S_2)$ are two pseudo-randomly generated numbers. Let us refer to them as $S'_1$ and $S'_2$, respectively. We have therefore $K_n = H(S'_1) \oplus G(S'_2)$ with $S'_1$ and $S'_2$ random numbers. By Lemma 1 and Fact 2, we have that $K_n$ is still a pseudo-random number. Thus our claim. □

To implement a level of security suitable to our purpose, we can resort to one-way hash functions for the generation of the pseudo-random numbers. That is, we can use as pseudo-random number generators $H$, $G$ those computable functions whose inverse is not computationally feasible, such as SHA-1 or MD5 [26]. Note that the key length should be chosen taking into consideration also (1) the computational power of the attacker, (2) the overall level of security desired, and (3) the lifetime of the WSN; indeed a WSN that has been deployed to last a few hours does not need the same key length as a WSN intended to last weeks. The trade-offs among these constraints are addressed in [7].

5.4. Triggering key generation

Each sensor has the ability to autonomously generate a new session key. An ideal solution would require each sensor to generate the new session key at the same time. In this way, the WSN could uniformly evolve from session to session. However, synchronization problems stem from the fact that sensors experience different operating frequencies. In the following, we first expose a protocol to trigger the key generation phase for the two scenarios introduced in Section 5.1, then we deal with the synchronization issue among sensors.

5.4.1. Centralized approach

This scenario assumes a BS, which acts as a coordinator, invoking the command to generate the new key. The deployment of the BS can be done as in [6,16]. The BS decides, based on some security parameter, when to broadcast the command to generate a new session key. Note that delegating to the BS the decision of when to trigger the key generation reduces the WSN workload. Moreover, the BS can also take more appropriate decisions, beyond the re-keying frequency, since the BS relies on a superset of the information and has fewer constraints than the basic sensors forming the WSN.

5.4.2. Completely distributed approach

In this scenario each sensor stores the parameter $l$ that drives the generation of the new session key: after a time-out of $l$ clock ticks has elapsed, the sensor invokes the generation of the new session key. However, because a WSN can be composed of hundreds of thousands of sensors, we make no tight assumption about the synchronization of the clocks. Hence, different sensors can generate keys at different frequencies. For instance, the KeEs protocol could lead to a situation in which a sensor has locally generated the $j$th session key while another sensor has just generated the $(j+p)$th, $p \geq 1$, session key. To impose a strict synchronization on the WSN would imply an excessive overhead, affecting the scalability and the availability of the WSN; however, we assume that the jitter (that is, the maximum difference among the local session key counters a WSN can experience) is bounded by a constant. We assume (see Section 5.1) that the maximum difference among the local clocks of the sensors is limited by a constant $d$. In the following, both $l$ and $d$ will be expressed in seconds. The next subsection delves into how to assure a congruent evolution of the cryptographic keys of the sensors in the WSN across different sessions.

5.5. Key synchronization

In the following, we deal with two scenarios: one in which the command to switch from one session key to the next is given by a centralized BS, while the second assumes a completely distributed algorithm to synchronize the WSN which requires minimum overhead.
5.5.1. Centralized approach

When a sensor receives a message that requires it to update the current session key, it first saves the current value of the key, and then updates the session key. The sensor must save the value of the previous key, since the sensor could receive messages that have been encrypted with the old key (for instance, the session key has been updated while some message was still in transit). We show the pseudo-code of a sensor for this scenario in Fig. 1. The BS encrypts the command to generate the new key with the last key generated by the sensors. Note that each sensor needs to store only one previously generated key, since we have assumed in Section 5.1 that the time between two subsequent re-keying commands invoked by the BS is greater than the time required by a message to reach its destination. This assumption is realistic, as discussed in Section 5.5.2.

Fig. 1. The pseudo-code of a sensor under BS synchronization.

5.5.2. Completely distributed approach

With this approach each sensor generates the new key according to its local time-out, driven by the parameter $l$. It is possible that the local session counters do not have the same value, as seen in Section 5.4.2. Since the clock value difference between any two sensors is limited by $d$, to a first approximation the maximum difference between two local session counters is given by $\mathrm{jitter} = \lceil d/l \rceil$. However, we have to take into account the worst-case communication time of the WSN ($D$), that is, the maximum time required by a message sent by a sensor to reach a different sensor in the WSN. Such a delay requires increasing the jitter by $\lceil D/l \rceil$ units. Hence, if each sensor maintains $\lceil (d+D)/l \rceil + 1$ session keys (key ring), each incoming message can be decrypted, as proved in the following lemma.

Lemma 4. Assume that (1) the clock value difference of the sensors is limited by $d$; (2) the worst-case communication delay is less than $D$; (3) the new session key is generated with period $l$; and (4) each sensor can store up to $\lceil (d+D)/l \rceil + 1$ session keys. Then, when sensor $u_s$ sends an encrypted message to sensor $u_r$, sensor $u_r$ is able to correctly decrypt such a message.

Proof. Let $SC_s$ and $SC_r$ be the local session counters of $u_s$ and $u_r$, respectively. When $u_r$ receives a message sent by $u_s$, one of these two cases occurs:

• $SC_s \leq SC_r$, that is, the session counter of the sender is lower than or equal to the current session counter of the receiving sensor. Suppose that $u_r$ is not able to retrieve the appropriate key from its key ring. This implies that $SC_r - SC_s > \lceil (d+D)/l \rceil$, since the key ring of the receiver stores the last $\lceil (d+D)/l \rceil$ session keys. But this would imply that the difference between the clocks of $u_r$ and $u_s$ ($d_{r,s}$), plus the time taken by the message to reach $u_r$ ($D_{s,r}$), violates the hypothesis of this lemma, that is, $(d_{r,s} + D_{s,r})/l > \lceil (d+D)/l \rceil + 1$.

• $SC_s > SC_r$, that is, the session counter of the sender is greater than the current session counter of the receiving sensor. In this case, $u_r$ generates $SC_s - SC_r$ keys to update its local session counter to $SC_s$. Each of the newly generated keys is stored in the local memory of $u_r$ in a FIFO circular list, overwriting the oldest keys. Following the pattern of the previous point, one can show that $SC_s - SC_r < \lceil (d+D)/l \rceil + 1$; and this completes the proof of the lemma.
□

The pseudo-code of a sensor for this scenario is in Fig. 2. In Section 6.2.3 we discuss how to relax the requirements on memory, increasing the computational overhead on each incoming message, and the trade-off analysis. Finally, note that it is reasonable to assume that the time required by a message to reach its destination is considerably lower than the time elapsed between two subsequent re-keyings. However, suppose that the WSN has to grow in size by one or two orders of magnitude; this would be reflected in the value of $D$. As the value of $D$ increases, the number of keys to store increases as well. Hence, this could undermine the scalability of the proposed approach. We observe that this point can be overcome in the following way: each key has associated a unique index, which could be the number of time-outs elapsed from the start of the operating period of the WSN until now. Receiving such a message, the receiver can locally compute the appropriate key. Note that in this way we trade off local memory space for an increase in both computation and message length. Such an approach preserves scalability.

Fig. 2. The pseudo-code of a sensor in the completely distributed approach.

5.6. Join and leave

In this subsection we sketch how other sensors join the WSN, and how a sensor that has been isolated from the WSN for an arbitrary period of time (for instance, because it has moved into a shadow zone) can re-join the WSN.
5.6.1. Join

A first scenario is when a sensor has been isolated from the rest of the WSN (for example, it has moved into a shadow zone, where it cannot be reached by the RF signal due to the topology of the ground), and then re-joins the network. We assume the sensor recognizes it is experiencing an isolation period by listening to the media access carrier (MAC). Aware of this, the sensor stops generating keys, stopping its time-out. When the isolated sensor re-joins the WSN, to re-acquire synchronization with the other sensors of the WSN, it will repeatedly apply the key generation algorithm as many times as needed and then will restart the time-out. Note that (1) a sensor can detect it has re-joined the WSN by listening to the traffic on the MAC; (2) the number of key generations the re-joining sensor has to perform is the same as if the sensor had not lost connectivity with the rest of the WSN. A second scenario is when new sensors are added to the WSN. We can assume that before the deployment these new sensors are pre-loaded with the keys that are actually in use in the WSN. Indeed, the owner of the WSN knows the whole activation period of the WSN, and hence can compute the current session key at the moment of the deployment. Another possibility, which does not require such a strict synchronization, is that the reference time (an estimate of the operating period of the WSN) is lower than the effective time. In this case, the receiving sensor generates as many keys as necessary. Note that this case can be seen as a particular case of the one discussed above, in which the sensor has been isolated from the rest of the WSN. The pseudo-code of Fig. 2 deals with this case.
5.6.2. Leave

Our scheme considers leave operations only due to destruction or battery exhaustion, as assumed in [2]. This approach is justified under the assumption that sensors are tamper-resistant, so that the seeds $S_1$ and $S_2$ are never released. If a sensor must be excluded from the WSN for some other reason, one could extend the protocol described in [6] to the model described in this paper. Finally, a particular case occurs when a sensor temporarily leaves the WSN, for instance because it has entered a shadow zone. Note that this case falls under the join operation described in Section 5.6.1.

6. Analysis of security requirements and overhead

In the following we show that our protocol matches the security requirements expressed in Section 4.2 and we give a measure of the complexity of its execution, in terms of messages sent and received and the number of encryptions and decryptions performed.

6.1. Matching security requirements

We assume that an adversary can eavesdrop on all the traffic in the WSN without loss, that is, the adversary successfully collects all the data transmitted in each session. Then the following propositions hold.

Proposition 5. The devised protocol for generating the session key (the KeEs protocol) enforces both forward and backward secrecy.

Proof. The proof, from the computational point of view, derives from the properties of (1) one-way hash functions, that is, computing the inverse of a one-way hash function is known to be computationally unfeasible; and (2) the xor, exposed in Fact 2. □

Proposition 6. Recovering a session key is at least as hard as performing a chosen plain text attack, where the number of plain text strings, and their length, is decided by the attacked party.

Note that from Proposition 5 it holds that the current session key cannot be recovered by an adversary even if she knows all the previously generated session keys. Therefore, the adversary must resort to cryptanalysis. The best case for an adversary is to perform a chosen plain text attack. It has been proved [27] that the chance of success in such an attack increases with the availability of data. Therefore, to limit this threat, the value $l$ will be set to provide the desired level of security. Indeed, the value $l$ rules the frequency of the re-keying in the WSN, and the more frequent the re-keying, the more secure the session key from the computational point of view.

Proposition 7. The KeEs protocol assures implicit key authentication.

Proof. From Proposition 6, it is possible to set $l$ such that the required level of security is reached. Hence, only legitimate users have knowledge of the current session key. □

As for the centralized case, the BS sends a broadcast command to update the session key. Note that once the BS has invoked the command to update the session key, the BS will employ the new key for the subsequent communications with the sensors. It is possible for an adversary to perform a denial of service (DoS) by continuously re-sending this command, once it has been eavesdropped. In the threat model (see Section 4.1) we assumed a passive adversary; however, the countermeasure to this DoS is briefly exposed below. It suffices to add in the body of the re-keying command an encrypted value whose plain text is shared between the BS and the sensors. Such a value is encrypted with the current session key, that is, the one that must be replaced. If an old re-keying command originated by the BS is intercepted by the adversary and then broadcast, the receiving sensors will simply discard it. Indeed, the sensors can detect that the key employed to cipher
the known value is an old key, already replaced. That is, the knowledge of the current session key implements a sort of authentication mechanism.

6.2. Overhead analysis

Table 1 summarizes the overhead each sensor incurs with the KeEs protocol, for both the centralized and the completely distributed approach. Details on the overhead are reported below.

6.2.1. Communication overhead

Centralized approach. As for the key generation, no messages are sent by any sensor, since the generation is bound only to receiving the re-keying message sent by the BS. As for key distribution, messages are neither sent nor received by sensors, since each sensor already holds the current session key, which has been autonomously generated.

Completely distributed approach. As for the key generation, no sensor sends any message. Indeed, session key generation is driven by a time-out whose frequency is ruled by the security parameter $l$. As for key distribution, no overhead is incurred.

6.2.2. Storage overhead

Centralized approach. Each sensor has to store one extra key, to decrypt the messages that were routed while the BS invoked the command to update the session key.

Completely distributed approach. Each sensor has to store an extra number of keys equal to $\lceil (d+D)/l \rceil$. Note that if memory is the most constrained resource, it is not necessary to store that chain of session keys, since the keys can be computed as shown in the next subsection.

6.2.3. Computational overhead

Centralized approach. As for the key generation, each sensor has to decrypt the message sent by the BS, then compute two hash functions and xor their results. As for the key diffusion, no operations are required.

Completely distributed approach. Note that we can reduce the storage requirements by increasing the computational overhead. Indeed, assuming that a sensor can store only two seeds and two auxiliary variables, it is still possible to decrypt incoming messages. This is shown with an example. Assume that the total number of time-outs elapsed is $t$, that the jitter is equal to four, and that for a specific sensor (1) its current session is $t' = t - 4$; and (2) its current seeds are $S_1' = H^{t'}(S_1)$ and $S_2' = G^{t'}(S_2)$. On the arrival of a message $m$ that has a session ID of $t-2$, the sensor computes $H^{t-2}(S_1) = H^2(S_1')$ and $G^{t-2}(S_2) = G^2(S_2')$. From these two values, it is possible to recover the key to decrypt the message $m$. When the local session moves from $t'$ to $t'+1$ because the time-out has elapsed, the seeds will be set to $S_1' = H^{t'+1}(S_1) = H(S_1')$ and $S_2' = G^{t'+1}(S_2) = G(S_2')$. Note that no message can piggyback a session number lower than $t-4$, as shown in Lemma 4.

As for the trade-off analysis between security and both storage and computation resources, note that the value of $l$ is related to the desired level of security of a session. Indeed, the higher the re-keying frequency (that is, the smaller the value of $l$), the higher the security achieved, since less cipher text is released. As for $d$, this value has an upper bound that can usually be expressed in a few milliseconds [10,11]. As for the value that $D$ can assume, it is reasonable to assume that $D < l$, that is, the traversal time of the WSN is smaller than the re-keying period. To show a numerical example, we formulate a conservative hypothesis where we assume that $d = 30$ s, $l = 300$ s, and $D < l$. The jitter would be equal to $\lceil (d+D)/l \rceil + 1 \leq \lceil 30 \cdot (1/300) \rceil + 2 = \lceil 1/10 \rceil + 2 = 3$. Hence, for a wide range of values, each sensor is required to store three keys only.
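The sensor logic described in the text, whose pseudo-code (Figs. 1 and 2) is not reproduced on this page, as an added example that is not part of the paper: the key chain $K_i = H^i(S_1) \oplus G^i(S_2)$ of Lemma 3, the FIFO key ring of $\lceil (d+D)/l \rceil + 1$ keys with the two cases of Lemma 4 for the distributed approach, the seed-only variant and numerical bound of Section 6.2.3, and the centralized sensor with its single previous key and the replay check on the re-keying command of Section 6.1. Assumed, since the paper fixes neither: $H$ and $G$ are instantiated as SHA-256 under two distinct prefixes, and the encrypted known value in the re-keying command is modelled by HMAC-SHA256; the class and function names and the sample seeds are constructed.

```python
import hashlib
import hmac
from collections import deque
from math import ceil

# Assumption: H and G are SHA-256 under two distinct prefixes; the paper only
# requires two one-way hash functions (it mentions SHA-1 or MD5).
def H(x: bytes) -> bytes:
    return hashlib.sha256(b"H|" + x).digest()

def G(x: bytes) -> bytes:
    return hashlib.sha256(b"G|" + x).digest()

def iterate(f, x: bytes, n: int) -> bytes:
    """f^n(x): apply f to x n times."""
    for _ in range(n):
        x = f(x)
    return x

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def session_key(s1: bytes, s2: bytes, i: int) -> bytes:
    """K_i = H^i(S1) xor G^i(S2): the KeEs session key chain (Lemma 3)."""
    return xor(iterate(H, s1, i), iterate(G, s2, i))

def key_from_seeds(seed1: bytes, seed2: bytes, steps: int) -> bytes:
    """Section 6.2.3: holding only S1' = H^t'(S1) and S2' = G^t'(S2), recover
    K_{t'+steps} = H^steps(S1') xor G^steps(S2'). Earlier keys are unreachable."""
    if steps < 0:
        raise KeyError("H and G are one-way: cannot step back to an earlier key")
    return xor(iterate(H, seed1, steps), iterate(G, seed2, steps))

def key_ring_size(d: float, D: float, l: float) -> int:
    """ceil((d + D)/l) + 1 keys per sensor, the bound of Lemma 4 (all in seconds)."""
    return ceil((d + D) / l) + 1

class DistributedSensor:
    """Section 5.5.2: re-keys on a local time-out, keeps a FIFO ring of session keys."""

    def __init__(self, s1: bytes, s2: bytes, d: float, D: float, l: float):
        self.s1, self.s2 = s1, s2
        self.sc = 1                                    # local session counter
        self.ring = deque(maxlen=key_ring_size(d, D, l))
        self.ring.append((1, session_key(s1, s2, 1)))

    def timeout(self) -> None:
        """A time-out of l clocks elapsed: generate the next session key."""
        self.sc += 1
        self.ring.append((self.sc, session_key(self.s1, self.s2, self.sc)))

    def key_for(self, sc_s: int) -> bytes:
        """Key for a message sent under session counter sc_s (cases of Lemma 4)."""
        while self.sc < sc_s:       # SC_s > SC_r: generate SC_s - SC_r keys,
            self.timeout()          # the deque overwrites the oldest ones
        for sc, k in self.ring:     # SC_s <= SC_r: the key is still in the ring
            if sc == sc_s:
                return k
        raise KeyError(f"session {sc_s} is outside the key ring: jitter bound violated")

def protect(key: bytes, value: bytes) -> bytes:
    """Stands in for 'the known value encrypted under key' in the re-keying command.
    Assumption: the paper fixes no cipher; a keyed one-way transform (HMAC) is used."""
    return hmac.new(key, value, hashlib.sha256).digest()

class CentralizedSensor:
    """Sections 5.5.1 and 6.1: re-keys on a BS command, keeps the previous key too."""
    KNOWN = b"KeEs re-key"              # plain text shared with the BS (constructed)

    def __init__(self, s1: bytes, s2: bytes):
        self.s1, self.s2, self.sc = s1, s2, 1
        self.current, self.previous = session_key(s1, s2, 1), None

    def rekey_command(self, proof: bytes) -> bool:
        """Accept only if KNOWN was protected under the key about to be replaced;
        a replayed command, built under an already replaced key, is discarded."""
        if not hmac.compare_digest(proof, protect(self.current, self.KNOWN)):
            return False
        self.previous, self.sc = self.current, self.sc + 1
        self.current = session_key(self.s1, self.s2, self.sc)
        return True

    def key_for(self, sc_s: int) -> bytes:
        """Messages still in transit when the command arrived use the previous key."""
        if sc_s == self.sc:
            return self.current
        if sc_s == self.sc - 1 and self.previous is not None:
            return self.previous
        raise KeyError(f"session {sc_s}: only the current and previous key are kept")
```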
Table 1. Sensor overhead for the key generation and distribution applying the KeEs protocol

Overhead for the KeEs protocol     Base Station     Completely distributed
Messages sent per sensor           0                0
Messages received per sensor       1                0
# of encryptions                   0                0
# of decryptions                   1                0
Storage requirement                1                $\lceil (d+D)/l \rceil + 1$
7. Concluding remarks

In this paper we have (1) highlighted the constraints and requirements that make key establishment protocols a challenging task; (2) defined a threat model which assumes that an adversary can eavesdrop on all the encrypted communications in the WSN and even perform chosen plain text attacks, and for this threat model we have defined the security requirements to meet; and (3) devised a key establishment protocol (KeEs) that matches the security requirements derived from the threat model. The proposed protocol has been analyzed in two different scenarios: the first in which there is a BS that acts as a synchronizer for the sensors, while the second follows the completely distributed approach, where sensors rely only on themselves to achieve synchronization. For both scenarios (1) the properties assured by the KeEs protocol include forward and backward secrecy as well as implicit key authentication; and (2) the KeEs protocol requires minimal overhead in terms of the computations and transmissions required. In KeEs, none of the resources available to a generic sensor is bound in any way to the number of sensors in the WSN; hence KeEs achieves scalability and reliable security. Our future work concentrates on two main areas: (1) how to improve the protocol under the hypothesis that an adversary could perform a broad range of active attacks (in this paper we have sketched how to counter DoS); and (2) how to make the security parameter $l$, which drives the key generation in the completely distributed approach, adaptive to potential attack attempts.

Acknowledgements

The authors would like to acknowledge Yvo Desmedt and Mike Burmester for their suggestions, and the anonymous reviewers for their insightful comments.
References

[1] G. Ateniese, M. Steiner, G. Tsudik, New multiparty authentication services and key agreement protocols, IEEE Journal on Selected Areas in Communications 18 (4) (2000) 628–639.
[2] S. Basagni, K. Herrin, D. Bruschi, E. Rosti, Secure pebblenets, in: Proceedings of the 2001 ACM International Symposium on Mobile Ad Hoc Networking & Computing, Long Beach, CA, USA, ACM Press, New York, 2001, pp. 156–163.
[3] H. Chan, A. Perrig, D. Song, Random key predistribution schemes for sensor networks, in: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, 11–14 May 2003, pp. 197–213.
[4] J.-C. Chen, K.M. Sivalingam, P. Agrawal, Performance comparison of battery power consumption in wireless multiple access protocols, Wireless Networks 5 (6) (1999) 445–460.
[5] D.A.R.P.A., June 2002. www.darpa.mil/mto/mems.
[6] R. Di Pietro, L.V. Mancini, S. Jajodia, Secure selective exclusion in ad hoc wireless network, in: Proceedings of the 17th IFIP International Conference on Information Security, Cairo, Egypt, 5–7 May 2002, Kluwer, Dordrecht, 2002, pp. 423–434.
[7] R. Di Pietro, L.V. Mancini, A. Mei, A time driven methodology for keys dimensioning in secure multicast communications, in: Proceedings of the 18th International Conference on Information Security, Athens, Greece, 26–28 May 2003, Kluwer, Dordrecht, 2003, pp. 121–132.
[8] R. Di Pietro, L.V. Mancini, A. Mei, Random keys assignment for secure wireless sensor networks, in: Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '03), 31 October 2003, Fairfax, VA, USA.
[9] W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory IT-22 (6) (1976) 644–654.
[10] J. Elson, L. Girod, D. Estrin, Fine-grained network time synchronization using reference broadcasts, in: Proceedings of the Fifth Symposium on Operating Systems Design and Implementation (OSDI 2002), Boston, MA, USA, 9–11 December 2002.
[11] J. Elson, K. Römer, Wireless sensor networks: a new regime for time synchronization, ACM SIGCOMM Computer Communication Review 33 (1) (2003) 149–154.
[12] L. Eschenauer, V.D. Gligor, A key-management scheme for distributed sensor networks, in: Proceedings of the 9th ACM Conference on Computer and Communications Security, ACM Press, New York, 2002, pp. 41–47.
[13] H. Harney, E. Harder, Logical key hierarchy protocol, Internet draft, IETF, April 1999.
[14] J. Hill, R. Szewczyk, A. Woo, S. Hollar, D.E. Culler, K.S.J. Pister, System architecture directions for networked sensors, in: Proceedings of the 9th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-IX), Cambridge, MA, USA, 12–15 November 2000, ACM-SIGPLAN, 2000, pp. 93–104.
[15] J.M. Kahn, R.H. Katz, K.J. Pister, Mobile networking for smart dust, in: Proceedings of the ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom 99), ACM Press, New York, 1999, pp. 271–278.
[16] J. Kong, H. Luo, K. Xu, D.L. Gu, M. Gerla, S. Lu, Adaptive security for multi-layer ad hoc networks, Wireless Communications and Mobile Computing 2 (5) (2002) 533–547.
[17] L. Lamport, Time, clocks, the ordering of events in a distributed system, Communications of the ACM 21 (7) (1978) 558–565.
[18] S. Marti, K.L.M. Baker, Mitigating routing misbehavior in mobile ad hoc networks, in: Proceedings of the Sixth Annual International Conference on Mobile Computing and Networking, 2000, pp. 255–265.
[19] Security Requirements for Cryptographic Modules, FIPS Pub. 140-1, National Institute of Standards and Technology, January 1994.
[20] C.E. Perkins, Ad Hoc Networking, Addison-Wesley, Reading, MA, 2001.
[21] A. Perrig, R. Canetti, D. Song, J.D. Tygar, Efficient and secure source authentication for multicast, in: Network and Distributed System Security Symposium (NDSS '01), February 2001, Internet Society, 2001, pp. 35–46.
[22] A. Perrig, R. Canetti, J.D. Tygar, D. Song, Efficient authentication and signing of multicast streams over lossy channels, in: IEEE Symposium on Security and Privacy, May 2000, pp. 56–73.
[23] A. Perrig, D. Song, J.D. Tygar, ELK, a new protocol for efficient large-group key distribution, in: Proceedings of the 2001 IEEE Symposium on Security & Privacy, 2001, pp. 247–262.
[24] A. Perrig, R. Szewczyk, V. Wen, D. Culler, J.D. Tygar, SPINS: security protocols for sensor networks, in: Proceedings of the Seventh Annual International Conference on Mobile Computing and Networking, ACM Press, New York, 2001, pp. 189–199.
[25] E.M. Royer, C.-K. Toh, A review of current routing protocols for ad hoc mobile wireless networks, IEEE Personal Communications Magazine 6 (2) (1999) 46–55.
[26] R. Safavi-Naini, H. Wang, New constructions for multicast re-keying schemes using perfect hash functions, in: Proceedings of the Seventh ACM Conference on Computer and Communications Security, 2000, pp. 228–234.
[27] B. Schneier, Applied Cryptography: Protocols, Algorithms and Source Code in C, second ed., Wiley, New York, 1996.
[28] A. Sinha, A. Chandrakasan, Dynamic power management in wireless sensor networks, IEEE Design and Test of Computers 18 (2) (2001) 62–74.
[29] M. Steiner, G. Tsudik, M. Waidner, Key agreement in dynamic peer groups, IEEE Transactions on Parallel and Distributed Systems 11 (8) (2000) 769–780.
[30] D. Wallner, E. Harder, R. Agee, Key Management for Multicast: Issues and Architectures, RFC 2627, June 1999.
[31] C.K. Wong, M. Gouda, S.S. Lam, Secure group communications using key graphs, IEEE/ACM Transactions on Networking 8 (1) (2000) 16–30.
[32] Y. Zhang, W. Lee, Intrusion detection in wireless ad hoc networks, in: Proceedings of the Sixth Annual International Conference on Mobile Computing and Networking, 2000, pp. 275–283.
Roberto Di Pietro ([email protected]) is pursuing a PhD in Computer Science at the University ‘‘La Sapienza’’ in Rome. He received the BS and MS degrees in Computer Science from the University of Pisa in 1994. Since 1995 he has been working for the technical branch of the Italian Army and the Internal Affairs Ministry. His main research interests include security for mobile ad hoc networks, security for distributed systems, and computer forensics.
Luigi V. Mancini is full professor of Computer Science in the Dipartimento di Informatica at the University ‘‘La Sapienza’’ in Rome. He received the PhD degree in Computer Science from the University of Newcastle upon Tyne, UK, in 1989. His current research interests include computer and information security, fault-tolerant distributed systems, and hard-real-time distributed systems.
Sushil Jajodia is BDM International Professor of Information and Software Engineering and the director of the Center for Secure Information Systems at George Mason University, Fairfax, VA. He served as the chair of the Department of Information and Software Engineering during 1998–2002. He joined GMU after serving as the director of the Database and Expert Systems Program at the National Science Foundation. Before that he was the head of the Database and Distributed Systems Section at the Naval Research Laboratory, Washington. He has also been a visiting professor at the University of Milan and University of Rome ‘‘La Sapienza’’, Italy and at the Isaac Newton Institute for Mathematical Sciences, Cambridge University, England. He received his PhD from the University of Oregon, Eugene. His research interests include information security, temporal databases, and replicated databases. He has authored four books, edited nineteen books, and published more than 250 technical papers in refereed journals and conference proceedings. He received the 1996 Kristian Beckman award from IFIP TC 11 for his contributions to the discipline of Information Security, and the 2000 Outstanding Research Faculty Award from GMU's School of Information Technology and Engineering. He has served in different capacities for various journals and conferences. He is the founding editor-in-chief of the Journal of Computer Security and on the editorial boards of ACM Transactions on Information and Systems Security and International Journal of Cooperative Information Systems. He is the consulting editor of the Kluwer International Series on Advances in Information Security. He serves as the general chair of the 10th ACM Conference on Computer Security (CCS 2003) and program chair of the 6th IFIP WG 11.5 Working Conference on Integrity and Control in Information Systems.
He also serves as the chair of the ACM Special Interest Group on Security, Audit and Control (SIGSAC) and the IFIP WG 11.5 on Systems Integrity and Control. He is a senior member of the IEEE and a member of IEEE Computer Society and Association for Computing Machinery. The URL for his web page is http://csis.gmu.edu/faculty/jajodia.html.