Cooperative Security in Distributed Sensor Networks

Oscar Garcia Morchon, Heribert Baldus Philips Research Europe

Aachen, Germany {oscar.garcia}{heribert.baldus}@philips.com

Tobias Heer, Klaus Wehrle Distributed Systems Group

Aachen, Germany {heer}{wehrle}@cs.rwth-aachen.com

Abstract — Distributed sensor network protocols, such as routing, time synchronization or data aggregation protocols make use of collaborative techniques to minimize the consumption of scarce resources in sensors. However, compromised and misbehaving nodes are a serious threat, as an attacker can employ them to eavesdrop on communication, inject forged data, or manipulate protocol operation. In this context, distributed revocation protocols play a decisive role since they allow removing compromised nodes in an efficient way. The design of distributed revocation protocols is challenging due to technical restrictions of sensor nodes, the distributed operation of sensor networks, and the presence of compromised nodes that can collude to subvert protocol operation.

We propose the Cooperative Security Protocol (CSP) to enhance network security and enable efficient distributed revocation. The CSP is based on the distribution of revocation information – so-called partial revocation votes – to the neighbors of a node as a prerequisite to join the network. If an intruder refuses to disclose its revocation votes, the network does not allow it to join. Thus, the node is prevented from attacking the network. If the intruder cooperates by disclosing its revocation information, it cannot endanger the network either, since its neighbors, which cooperate to monitor its correct operation, can use the revocation information to ban it from the network.

Key words — Cooperative Security, Distributed Algorithms, Node and Key Revocation, Sensor Networks.

I. INTRODUCTION

Research into Distributed Sensor Networks (DSNs) has received much attention due to the increasing number of applications such as pervasive healthcare, building control systems, or military surveillance [1]. Cooperative techniques are used in the design of DSN protocols (e.g., for routing, time synchronization, or data aggregation), as they optimize the energy consumption. Autonomous detection and revocation of misbehaving or intruder nodes is crucial, as DSNs might be left unattended in malicious environments where an attacker might compromise some nodes to, e.g., eavesdrop on communications or inject false data. In such a case, it is necessary to identify and revoke malicious nodes in order to prevent them from causing further harm to the network. Node revocation is mostly achieved by marking the identity or the corresponding cryptographic keys of a node as invalid. Node revocation can be carried out in a centralized or distributed manner. Centralized approaches are simple as they make use of a powerful base station with sufficient capabilities to monitor, detect, and revoke both compromised nodes and keying material. Furthermore, a centralized decision process can use global knowledge of a network as basis for its actions.

Distributed solutions are more complex since the protocol must rely on local information and work in presence of intruders that might collude to sabotage the decision process. Besides, the design of efficient approaches is challenging due to the resource-constrained nature of nodes and operation requirements of DSNs, such as, node mobility. Nodes must implement algorithms to identify possible intruders. Moreover, nodes must collaborate in order to vote and decide whether a node should be revoked or not. Although distributed approaches are more complex than centralized ones, they also exhibit inherent advantages. Firstly, they do not require the presence of a base station or central authority, and thus, they do not present a single point of failure. Secondly, the revocation process is faster as neighboring nodes can instantly revoke compromised nodes. Thirdly, distributed solutions reduce the communication overhead, as they only require locally broadcasted messages and do not stress the wireless links with the base station.

In this paper, we describe in detail the Cooperative Security Protocol (CSP) that allows the network to decide on the admission and revocation of nodes in a distributed and collaborative way. The CSP, whose basic concept was introduced in [2], enhances the security level in distributed networks by using a novel concept: the disclosure of revocation information as a prerequisite to join the network. The idea of the CSP is that if a node does not disclose its revocation information, the network does not permit it to join, and thus, the node cannot damage it. If the node collaborates by disclosing its revocation information, it can join the network. However, it cannot jeopardize the network, since (1) its neighbors collaborate to monitor its correct operation, (2) own information that enables its distributed revocation and (3) will collaborate to revoke it, if they detect any faulty behavior.

The contribution of this paper is threefold. Firstly, we fully describe the CSP directives and properties. Secondly, we analyze the system in detail and elaborate on the CSP design parameters that guarantee the correct operation of the system, even in the presence of active attackers. Finally, we identify four applications that benefit from the CSP to improve its performance and security.

This paper is organized as follows. Section II reviews the state-of-the-art on node revocation for sensor networks. In section III, we describe the CSP concept and its basic properties. Section IV gives a conceptual overview of the CSP. In section V, we describe the keying material that enables the CSP operation, and provide an in-depth analysis of the protocol operation. Section VI elaborates on the CSP design parameters. In Section VII, we analyze application scenarios that benefit from the CSP. Section VIII concludes and points out future work lines.

II. RELATED WORK

The CSP enables distributed node revocation. Hence, we survey different node revocation schemes, both centralized and distributed, for completeness.

In centralized approaches, the base station broadcasts a revocation message to inform sensor nodes about the revocation of a compromised node and its keys (e.g. [3], [4]). To identify misbehaving nodes, the base station must monitor the network either directly or relying on the information that is provided by other nodes. For instance, in [5] the authors propose a framework to identify compromised nodes in a centralized manner wherein the responsibility of each node is only to observe abnormal behavior and raise alerts to the base station. Those approaches stress the wireless links around the base station and create a single point of failure.

The field of distributed node revocation is challenging due to design constraints such as active attackers or resource constraints. In [6], the authors present an approach to enable distributed detection and revocation of node replication attacks based on public key cryptography. Chan et al. [7] propose a distributed revocation scheme for the random pairwise key pre-distribution scheme (KPS)1 where nodes sharing a pairwise key also carry a preloaded vote that can be used to denote a message that the node is compromised. These m votes, which are distributed among m nodes carrying a pairwise key, form a Merkle tree with m leaves. If a node detects a misbehaving node, it discloses the corresponding vote. A node is revoked if more than t participants vote against a node. Chuang et al. [8] relax the memory requirements of [7] by combining it with threshold secret sharing techniques [9]. In [10], Chan et al. describe the minimal requirements and an attack model for distributed node revocation schemes, and present a more advanced procedure for static sensor networks using the random pairwise KPS. In this new revocation scheme, Chan et al. introduce several improvements with respect to [7]. Firstly, they make use of activation masks that allow a node to activate the revocation votes. Activation masks are carried by the target node and are disclosed to nodes in its vicinity; in this manner, the scheme ensures that a node can only be revoked by nodes located in its immediate neighborhood. The node neighbors can launch a revocation procedure against a node after activating and gathering t revocation votes. Secondly, they consider the use of revocation sessions in which each node carries s different votes against other nodes, each of them used for a different revocation procedure. In this manner, this protocol avoids removing a node by error.

As pointed out in [10], the scope of those distributed proposals is limited since they have been specially designed to revoke nodes (and keys) in static DSNs based on the random pairwise KPS. Therefore, they do not perfectly fit other key distribution approaches. Additionally, they work under strong assumptions such as static networks or an instantaneous deployment of nodes. Garcia et al. introduce in [2] the concept of cooperative security that aims at overcoming these issues.

1 In this KPS, each node shares a pairwise key with m other nodes.

The CSP builds on this concept, and can be applied to revoke nodes independently of the key distribution scheme used, supporting dynamic network topologies due to semi-mobile or joining nodes.

III. CSP CONCEPT AND BASIC PROPERTIES

The CSP improves security in distributed and ubiquitous networks, such as DSNs, by enforcing the distribution of revocation information to nodes as a prerequisite to join the network. Additionally, the CSP only makes use of symmetric primitives, such as hash functions or Merkle trees, in order to avoid using expensive asymmetric cryptography. The CSP concept can be summarized in three directives:

• Every node carries the revocation information that enables its own revocation and shares parts of this information with its neighbor nodes. The distribution of revocation information among the node’s neighbors fulfils the property that one neighbor cannot revoke the node, but a coalition of q neighbors can. We name the set of neighbors that receive the revocation information of a node the Dynamic Trusted Security Domain (DTSD) of that node. The DTSD of a node is dynamic because nodes can move, and thus, its neighbors and with them the members of a node’s DTSD change. The DTSD of a node is called trusted because its members have revocation information that can enable its revocation.

• The disclosure of revocation information is a prerequisite to join the network. If a node does not disclose enough revocation information to its DTSD, or does not follow the CSP specifications, the network refuses to communicate with it.

• Nodes belonging to a node’s DTSD collaborate according to the CSP rules to monitor the correct operation of that node. When the DTSD discovers that a node is not operating properly, its members trigger a revocation procedure against it. This leads to the revocation of the node in the whole network.

In addition to those three general directives that form the core of the CSP, we remark five basic properties that the CSP exhibits in its operation and that complement the definition of the CSP.

Firstly, the CSP enhances security by stimulating node cooperation. If a node does not distribute its revocation information, it cannot join the network, and thus, it cannot damage the network. If a node cooperates, i.e., it distributes its revocation information to other nodes in its DTSD, the node can join the network. However, the node cannot endanger the network, since the node’s DTSD cooperates in order to monitor its correct operation. If strange behavior is detected, the members of the node’s DTSD collaborate to revoke the node. In this manner, node cooperation enhances security in the network.

Secondly, the CSP operation is fully distributed, as it does not require the intervention of a central authority or base station during operation. Additionally, the CSP requires at least q neighbors to agree on the revocation of a node to make its revocation feasible. This fact presents four inherent advantages. (1) Distributed approaches are faster since nodes located in the neighborhood of the compromised node can revoke it instantly. (2) It does not lead to single points of failure prone to Denial of Service attacks. (3) It prevents attackers from arbitrarily revoking other nodes because a node can only be revoked if a sufficient number of neighbors decide to disclose their partial revocation information. (4) Additionally, it is inexpensive, as it only requires local broadcast messages and inexpensive symmetric computations.

Thirdly, the CSP supports weighted trust and revocation. In general, nodes can come from different locations and trust relationships between nodes might be different. The CSP can reflect these trust relationships, making revocation easier or more difficult depending on the trust level, by varying the amount of revocation information disclosed to a specific node.

The fourth CSP property refers to the fact that nodes belonging to a node’s DTSD can create an authenticated revocation message that allows revoking the target node in the whole network. This revocation message is constructed by using the revocation information disclosed previously to its DTSD. Any node in the network can authenticate the validity of this message.

Finally, the CSP includes the concept of revocation sessions. Chan et al. introduce in [10] the basic concept to avoid the revocation of legitimate nodes due to false alarms2. To this end, they limit the validity of a set of revocation votes to a certain period of time that begins after the disclosure of the first revocation vote of the current session. Chan’s concept requires time synchronization during the revocation procedure. We extend Chan’s concept of revocation sessions by requiring time synchronization and proactively changing the revocation information linked to each revocation session of duration T. This requirement is easy to fulfill as secure time synchronization protocols are available [11] and it is usually required by many applications in order to prolong the lifetime of the network. Restricting the validity of the revocation information to a certain time-span implies that each node must disclose new revocation information in each revocation session. In this manner, the system is not only resistant to false alarms, e.g., [12], but adds new features. On the one hand, the CSP increases the difficulty of collecting all the revocation information that is required to misuse it in an attack against a node, because this information is updated regularly. On the other hand, it provides support for semi-mobile networks, as a node’s DTSD can be updated dynamically when a node moves to another location3 between revocation sessions.

IV. CSP OPERATION OVERVIEW AND ASSUMPTIONS

In this section, we analyze the four CSP operational phases depicted in Figure 1. Additionally, we name the assumptions of our protocol.

2 This can be caused by imperfections in intrusion detection algorithms.

3 Note that old node’s DTSD members are excluded from the DTSD, as they cannot obtain revocation information for the current revocation session.

[Figure 1: diagram with panels 1 to 7 showing the Trust Center, the keying material and the sensor nodes. Pre-deployment phase: keying material pre-distribution sub-phase. Post-deployment phase: initial DTSD set-up sub-phase, normal DTSD operation sub-phase and DNRS sub-phase.]

Figure 1. CSP Operational Phases

In the first phase, Keying Material Pre-Distribution Phase, a Trust Center (TC), which is located in a secure location, distributes keying material to the n sensor nodes that comprise the DSN. Observe that the TC is only online during this set-up phase. We assume that keying material includes key distribution and CSP keying material where key distribution keying material allows nodes to establish pairwise connections by using keying material such as, public/private keys, a Blundo based KPS [13],[14], or a random pairwise KPS [7]. Finally, we assume that each node is associated to a unique node identifier i which is related to both the key distribution and the CSP keying material.

The second phase, the initial DTSD set-up phase, takes place after the deployment of the sensor nodes (see Figure 1.2). The nodes use the pre-distributed key distribution keying material to establish pairwise keys with their neighbors by using, e.g., a KPS.

Afterwards, each node distributes its pre-stored revocation information to its physical neighbors forming its DTSD. This revocation information must be valid for the current revocation session and observe the concept of weighted revocation. A node’s DTSD collaborates to check that the node discloses its correct revocation information4. We assume that the nodes remain static during revocation sessions and that the nodes use pre-established pairwise keys to guarantee confidentiality and authentication in the CSP communication. We also presume that the clock of each node is sufficiently synchronized to enable common revocation sessions. Finally, we assume the node’s DTSD can communicate directly with each other.

For instance, in Figure 1.3 all nodes except the black node exchanged their revocation information. Therefore, the black node is excluded from the network (Figure 1.4). Observe that in this case there exist a total of 9 overlapping DTSDs, one per node.

4 Because this phase takes place after node deployment, we also assume that attackers have not compromised any node in this initial state yet, and thus, all nodes disclose the revocation information to other nodes without misbehavior.

During the normal DTSD operation phase all nodes monitor the correct operation of their neighboring nodes. Additionally, the network topology might change due to node mobility or network churn, caused by joining or leaving nodes. In both cases, the dynamic nodes must disclose their revocation information to their new neighbors in order to establish communication links with them and to update the membership of its DTSD5. For instance, in Figure 1.4, the black node moved to a new location. Therefore, it must disclose its revocation information in order to be accepted in the network (Figure 1.5).

Finally, the DNRS phase only takes place when a revocation procedure is started. In general, a node can join the network, if it discloses its CSP revocation information. Therefore, its DTSD can revoke the node, when the node is identified as intruder. Intruder detection algorithms are supposed to be implemented separately and are not part of CSP. A classification as intruder might be based on, e.g., misbehavior in routing or malicious waste of network resources. We also assume that events that trigger a revocation procedure against a node are visible to all nodes in the node’s DTSD. This does not pose a serious limitation as all nodes of a node’s DTSD can observe all communication of this node.

When the network discovers an intruder, its DTSD triggers the Distributed Node Revocation Scheme (DNRS) phase. In this phase, the DTSD discloses the revocation information previously pre-distributed by the intruder node (Figure 1.6), and compiles an authenticated revocation message against the node (Figure 1.7). This leads to the revocation of the node in the whole network.

V. COOPERATIVE SECURITY PROTOCOL

In this section, we fully specify the CSP. To this end, we first describe the CSP keying material. Then, we explain the CSP operation.

A. CSP Keying Material

1) Definitions and Terms

The CSP keying material is based on one-way cryptographic hash functions (OWHFs), hash chains, and Merkle trees. We briefly summarize these concepts:

• An OWHF is a hash function h(x) with pre-image and 2nd pre-image resistance [16].

• A hash chain $(r_0, m_1, \dots, m_k, \dots, m_s)$ is a collection of values such that each value $m_k$ (except the first value or seed $r_0$) is an OWHF of the previous value. In particular, the (k+1)th hash chain value is the hash of the kth hash chain value, i.e., $m_{k+1} = h(m_k)$ [16].

• A Merkle Tree (MT) (see Figure 2) of height H is a binary tree with an assignment of a string of l bits to each interior node and leaf. The leaf values $L_j$, $j = 0, \dots, 2^H - 1$, are hashes of some leaf pre-image $m_j$, $L_a = h(m_a)$. Interior nodes are the hashes of either the children’s nodes or leaves, i.e., $N_{ad} = h(N_{ab} \| N_{cd})$ or $N_{ad} = h(L_a \| L_d)$ [16]. MTs are used for efficiently authenticating the leaves of the tree. For instance, if Alice wants to authenticate that $m_2$ is the third leaf of the tree in Figure 2, she must send $[m_2, L_3, N_{01}, N_{47}]$ to Bob. Bob checks whether those values authenticate $m_2$ by calculating $h(h(N_{01} \| h(h(m_2) \| L_3)) \| N_{47})$ and comparing the result with the root $N_{07}$. Note that Bob obtains the order in which the previous computation must be performed from the leaf index.

5 Observe that old DTSD members are eliminated by means of the concept of revocation sessions because their revocation information becomes invalid after a period of time T.

[Figure 2: binary Merkle tree over the pre-images m0 to m7, with leaves L0 to L7, interior nodes N01, N23, N45, N67, N03 and N47, and root N07.]

Figure 2. Merkle Tree

2) CSP Keying Material Elements

Figure 3 depicts the internal structure of the CSP keying material that is based on the concepts stated above. In Figure 3, the keying material within the blue square is different for each node, while the triangles denoted GPM and GRM are common to all nodes in the network. Next, we detail the CSP keying material by classifying it into four groups according to their function:

• Partial Revocation Votes (PRVs) comprise the revocation information that a node distributes to other nodes. In general, each node owns $t \cdot s$ PRVs. t and s are design parameters, where t refers to the number of PRVs required to revoke a node and s+1 to the number of revocation sessions. PRVs are generated from t seeds, $r_{i,j}$, of l bits where j identifies the jth seed of a node i. In Figure 3, the seeds are situated in the last row within the yellow square. A node uses each seed $r_{i,j}$ to generate a hash chain of length s. Hash elements generated from $r_{i,j}$ are the PRVs, $m^k_{i,j} = h^k(r_{i,j})$. k, j, and i identify the jth PRV of node i and the revocation session, s–k+1, in which that PRV is valid. In Figure 3, the t columns of s elements within the yellow square symbolize hash chains. During a revocation session k, a node i discloses to its neighbors PRVs $m^{s-k+1}_{i,j}$ with $j = 1, \dots, t$.

• A revocation Vote (RV) is used to revoke a node in a specific revocation session. In general, a single PRV does not enable the revocation of a node, but all the t PRVs, which are valid during a revocation session allow generating a RV, $R_i^k$. Each node owns s+1 RVs, each of them is generated by calculating the OWHF of the t well-arranged PRVs for the corresponding revocation session, i.e., $R_i^{s-k+1} = h(m^k_{i,1} \| m^k_{i,2} \| \dots \| m^k_{i,t})$ for $k = 1, \dots, s$.

• PRV MTs are two MTs used for authenticating the PRVs that a node distributes. The first MT is called PM for PRV MT and is different for each node. The PM authenticates the last element of each hash chain $m^s_{i,j}$ with $j = 1, \dots, t$. Each MT leaf is calculated as $La_{i,j} = h(m^s_{i,j})$. The root of PM for node i is named $PM_i$. The leaves of the second MT, which is called Global PM (GPM), are generated from the roots of the PMs of each and every node in the network. Therefore, the GPM authenticates the PRVs of all network nodes. The GPM has n leaves $Lga_i = h(PM_i)$ with $i = 1, \dots, n$.

Observe that the use of MTs allows authenticating the PRVs that a node owns. The path in the GPM is common to all PRVs a node has. The path in the PM depends upon the PRV identifier, so that a node can use it to authenticate both the validity and the index of the disclosed PRVs.

[Figure 3: diagram of the CSP keying material of a node i: the seeds r(i,1) to r(i,t), the PRV hash chains built on them, the PM leaves La and the PM under the GPM, and the RVs with their leaves Lr in the RM under the GRM; dimension labels log(n), log(t), log(s+1), t and s+1.]

Figure 3. CSP Keying Material

• RV MTs are two MTs used to authenticate the RVs of a node. The first MT is called RM and is different for each node. Its leaves are calculated as $Lr_i^k = h(R_i^k)$. The RM root for node i is called RMi. The second MT is called Global RM and is used to authenticate the RVs of all network nodes. GRM has n leaves $Lgc_i = h(RM_i)$ with i=1,…,n.

TABLE 1 NOTATION

| Symbol | Meaning |
|---|---|
| n | Number of nodes in the network. |
| t | Number of partial revocation votes per node. |
| s | Number of revocation sessions. |
| i | Node identifier – i=1,...,n |
| j | PRV identifier – j=1,...,t |
| k | Revocation session identifier – k=1,...,s |
| q | Minimum number of nodes needed to revoke an intruder |
| c | Number of compromised nodes in a DTSD |
| x | Number of PRVs that a node receives – x:{1,…,t/q} |
| $m_{ij}^{s-k+1}$ | jth PRV for node i and session k |
| $RV_i^k$ | Revocation value for node i and session k |
| T | Duration of a revocation session |
| TN | Network lifetime |
| TR | Period of revocation procedures |
| TΔ | Duration of the revocation session overlapping |

The generation of CSP keying material takes place before deployment. To this end, the TC must firstly compute all the t·s PRVs for all the nodes in the network. Then, the TC computes the s+1 RVs for each node in the network. For each node i, the TC computes the MTs PTi and RTi. Finally, the TC computes the global MTs, GPT and GTR, by using the roots of PTi and RTi, with i=1,…,n.

B. CSP Detailed Operation

In section IV, we described the general operation of the CSP. Now, we specify the CSP operation, for the CSP keying material structure defined in Section V.A.

1) Initial Set-Up Sub-Phase: This phase takes place immediately after node deployment. Each node i that wants to join the network must disclose the following information to its neighbors.

• A DTSD key, Ki, used to ensure confidentiality and authentication in communications within its DTSD.

• A set of PRVs – node i must disclose its revocation information (i.e. its PRVs) to the rest of nodes. PRV disclosure must be carried out according to rules A and B. PRVs are sent in a confidential and authenticated mode to each node by using pre-established pairwise keys:

• Rule A: The number of PRVs, x, that node i discloses to a neighbor depends on their trust relationship. x can be fixed or variable in order to enable weighted revocation. Section V.C.2. gives more details about it.

• Rule B: Node i must disclose each of its PRVs to at least 2q-1 different nodes in order to ensure the correct operation of the CSP. We refer the reader to section VI.B. for more details.

To ensure that each PRV is disclosed uniformly, node i discloses to node z a number of PRVs x, with indexes $m^{k}_{i,(j_L+l) \bmod t}$ with l=1,...,x, where $m^{k}_{i,j_L}$ denotes the last PRV that node i had disclosed to some node in its DTSD.

• PM and GPM paths are the values used to authenticate the PRVs a node discloses. For instance, if a node i discloses PRV, $m_{i,j}^{s-k}$, to node z, i discloses its path in the GPM that allows node z to authenticate that a PRV belongs to i. In the same manner, i also discloses the path in PM that allows identifying that PRV, $m_{i,j}^{s-k}$. Observe that node z can authenticate the validity of the jth PRV for session k by calculating $h^{k+1}(m_{i,j}^{s-k})$ and comparing the result with the corresponding leaf of PMi. Observe that all nodes get the GPM root that can be used to authenticate the PRVs from other nodes.

• RM and GRM paths are the values that authenticate the RV for the current revocation session k. A node discloses to other nodes the GRM and RM paths that authenticate the node’s RVs for the current revocation session k. Observe that the path does not include the RV for that session, and thus, the RV can only be calculated from the PRVs of the current session. As RM and GRM are MTs, nodes can authenticate that the disclosed path belongs to node i, and authenticate the RV for the current session k.

After this phase, each node in the network has distributed its CSP keying material to its neighbors. The node’s neighborhood forms the node’s DTSD. For instance, Figure 1.4 depicts a possible network in which all nodes are in communication range. Therefore, the DTSD of each node in that network comprises the rest of nodes in the network.

2) Normal Operation Sub-Phase: As explained in section IV, sensor nodes might be added to the network or move, and thus, a node’s neighborhood might change. Therefore, the DTSDs of a node must be updated. To this end, a new or mobile node, i, follows the next two steps. Firstly, node i must disclose its CSP keying material to the nodes in its close vicinity, i.e., its future new DTSD, as described in section V.B.1. Then, after getting the CSP keying material of the new node, the DTSD members analyze its validity. The verification takes place in two consecutive phases: local and global verification:

a) During the local verification phase each node checks that the disclosed PRVs are valid for the current revocation session and they belong to node i. They also validate that the RM and GRM paths are valid, i.e., they correspond to i’s RV for that session. To this end, they use the authentication properties of Merkle trees and hash chains.

b) During the global verification phase nodes belonging to the DTSD of i verify that the node has disclosed all PRVs. To this end, each node in i’s DTSD broadcasts to the rest of nodes belonging to i’s DTSD the PRVs each individual node got. The DTSD will communicate with i if all following conditions are fulfilled:

• Condition A – At least q-1 nodes must confirm the correct reception of each PRV value and (G)RM.

• Condition B – There are at most q-1 nodes in the DTSD that state not having received the required number of unique PRV values.

• Condition C – Node i was not revoked previously.

3) DNRS Sub-Phase: Revocation procedures cannot start at any time, as keeping the radios of sensor nodes, such as, e.g., MICAz, continuously on would require a huge amount of energy. To solve this problem, revocation procedures are restricted to certain periodic points in time that take place every TR seconds. In this manner, a revocation session is divided into T/TR slots. Therefore, nodes belonging to i’s DTSD can decide every TR seconds whether or not i is to be revoked. We assume that events that can trigger a revocation procedure against a node are visible to all nodes in the node’s DTSD, so that whenever such an event occurs, most of the nodes vote consistently. We analyze this issue in section VI.C. In this manner, all the members of the intruder’s DTSD launch a revocation procedure against it by disclosing and exchanging all PRVs that they got from the intruder. Once all the PRVs ($m_{i,1}^{s-k+1}, m_{i,2}^{s-k+1}, \ldots, m_{i,t}^{s-k+1}$) for the current revocation session k have been disclosed, any member of the intruder’s DTSD can compute the RV against it by calculating the hash of the t well-arranged PRVs:

$RV_i^k = h(m_{i,1}^{s-k+1} \,\|\, m_{i,2}^{s-k+1} \,\|\, \ldots \,\|\, m_{i,t}^{s-k+1})$

To authenticate the RV, and thus, the revocation of the intruder, DTSD nodes broadcast the RV vote together with the RM and GRM path that authenticate this RV and which was disclosed before. Any node in the network can authenticate this revocation message, as all nodes own the root of the GRM.

C. Other CSP Features

In this section, we extend the core CSP operation described before by addressing two properties, namely weighted revocation and revocation sessions, presented in Section III.

1) Weighted Revocation: The CSP enables weighted revocation in the sense that the number of PRVs that a node discloses to other nodes can be set according to pre-defined trust relationships. Ideally, we consider the existence of a trust metric Trust(i,j) common to all nodes in the network. Trust(i,z) is used to return the number of PRVs, l, that node i must disclose to node z. In general, l=1,…,x where x = l/q. This option is useful in different application scenarios. Firstly, it can be used in situations wherein a node does not trust other nodes, so that the node discloses fewer PRVs to those nodes in order to make its revocation more difficult. Secondly, it can be used to reflect communication priorities in an objective manner, e.g., in routing protocols. In this manner, nodes with a higher trust relationship get a higher number of PRVs, leading to a higher degree of collaboration in routing or data aggregation protocols.

2) Revocation Sessions: The CSP implements the concept of revocation sessions by means of hash chains. In general, the PRVs against a node i in a generic revocation session k are the (s-k+1)th elements of the hash chains that the node owns (see CSP keying material definition and Figure 4). In this manner, knowledge of old PRVs does not enable attackers to revoke nodes due to the one-way property of OWHFs.

All nodes that participated in a revocation session k have to perform a re-authentication procedure. This means that these nodes have to disclose their new PRVs for session k+1 to the other nodes at the beginning of the new session, if they want to stay in the network. Nodes must also update the RM path, so that the RV for the next revocation session can be authenticated. Observe that the authentication of these new PRVs has minimal computational requirements (only one hash operation per PRV) as in general, a node that in session k had the PRV, $m_{ij}^{s-k+1}$, must check whether the new PRV, $m_{ij}^{s-k}$, is valid, i.e. $m_{ij}^{s-k+1} = h(m_{ij}^{s-k})$.
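The revocation message of the DNRS sub-phase and the per-session re-authentication check described above can be traced end to end in the following Python sketch, which is an added example and not code from the paper. Assumptions: SHA-256 stands in for h, the Merkle layout and the binding of path positions to (i, k) are choices of this sketch, RM is built over the RVs of sessions 1..s only, seeds are constructed values, and all function names are hypothetical.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the paper's one-way hash function h.
    return hashlib.sha256(data).digest()

def hash_chain(seed: bytes, s: int) -> dict:
    """Elements m^1..m^s with m^(e+1) = h(m^e); session k uses m^(s-k+1)."""
    chain = {1: seed}
    for e in range(2, s + 1):
        chain[e] = h(chain[e - 1])
    return chain

def session_prvs(chains: list, s: int, k: int) -> list:
    """The t PRVs of one node for session k, ordered j = 1..t."""
    return [chain[s - k + 1] for chain in chains]

def revocation_value(prvs: list) -> bytes:
    """RV_i^k = h(m_{i,1} || ... || m_{i,t}) over the session-k PRVs."""
    return h(b"".join(prvs))

def merkle_levels(leaves: list) -> list:
    """All tree levels, leaves first; an odd level pairs its last node with itself."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([h(cur[a] + cur[a + 1]) for a in range(0, len(cur), 2)])
    return levels

def merkle_path(levels: list, idx: int) -> list:
    """(sibling hash, is_right_child) pairs from leaf idx up to the root."""
    path = []
    for level in levels[:-1]:
        sib = idx ^ 1 if (idx ^ 1) < len(level) else idx
        path.append((level[sib], idx & 1))
        idx >>= 1
    return path

def root_from_path(leaf: bytes, path: list) -> bytes:
    node = leaf
    for sibling, is_right in path:
        node = h(sibling + node) if is_right else h(node + sibling)
    return node

def path_index(path: list) -> int:
    """Leaf position encoded by the left/right flags of a path."""
    return sum(flag << depth for depth, (_, flag) in enumerate(path))

def trust_center(n: int, t: int, s: int) -> dict:
    """Pre-deployment generation by the TC; seeds are constructed, not random."""
    nodes = {}
    for i in range(1, n + 1):
        chains = [hash_chain(h(b"constructed-seed|%d|%d" % (i, j)), s)
                  for j in range(1, t + 1)]
        rvs = [revocation_value(session_prvs(chains, s, k)) for k in range(1, s + 1)]
        rm = merkle_levels([h(rv) for rv in rvs])      # RM leaves: h(RV_i^k)
        nodes[i] = {"chains": chains, "rm": rm, "rm_root": rm[-1][0]}
    grm = merkle_levels([h(nodes[i]["rm_root"]) for i in range(1, n + 1)])
    return {"nodes": nodes, "grm": grm, "grm_root": grm[-1][0]}

def verify_revocation(grm_root, i, k, rv, rm_path, grm_path) -> bool:
    """Check a broadcast revocation message using only the GRM root.
    Binding the path positions to (i, k) is a check added in this sketch."""
    if path_index(rm_path) != k - 1 or path_index(grm_path) != i - 1:
        return False
    rm_root = root_from_path(h(rv), rm_path)
    return root_from_path(h(rm_root), grm_path) == grm_root

def valid_next_prv(old_prv: bytes, new_prv: bytes) -> bool:
    """Re-authentication at a session change: m^(s-k+1) must equal h(m^(s-k))."""
    return h(new_prv) == old_prv

def demo() -> dict:
    n, t, s, i, k = 4, 6, 4, 3, 2
    tc = trust_center(n, t, s)
    node, root = tc["nodes"][i], tc["grm_root"]
    rm_path = merkle_path(node["rm"], k - 1)       # disclosed at join, without the RV
    grm_path = merkle_path(tc["grm"], i - 1)
    prvs_k = session_prvs(node["chains"], s, k)    # pooled by the DTSD at revocation
    rv = revocation_value(prvs_k)
    stale = revocation_value(session_prvs(node["chains"], s, k - 1))
    partial = revocation_value(prvs_k[:-1])        # one PRV withheld
    prvs_next = session_prvs(node["chains"], s, k + 1)
    return {
        "revocation_accepted": verify_revocation(root, i, k, rv, rm_path, grm_path),
        "stale_session_rv": verify_revocation(root, i, k, stale, rm_path, grm_path),
        "missing_one_prv": verify_revocation(root, i, k, partial, rm_path, grm_path),
        "wrong_target": verify_revocation(root, i + 1, k, rv, rm_path, grm_path),
        "reauth_ok": all(valid_next_prv(o, nw) for o, nw in zip(prvs_k, prvs_next)),
        "reauth_forged": valid_next_prv(prvs_k[0], h(b"forged")),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only the RV computed from all t PRVs of the current session verifies against the GRM root; PRVs from the previous session, an incomplete PRV set, or a message aimed at a different node identifier are all rejected.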

Figure 4. Overlapping of revocation sessions (temporal axis showing revocation sessions k-1, k and k+1, with consecutive sessions overlapping by ΔT)

Revocation sessions must overlap as depicted in Figure 4. This is necessary in order to ensure that a node can be revoked in the whole network as we assume a propagation time for a revocation message Trevocation (see section VI.C). During this overlap TΔ the revocation procedure works according to the following rules:

• Rule C – Members of the DTSD cast partial votes against nodes being revoked by using PRVs from the most recent session k+1.

• Rule D – Whenever a node receives and authenticates a RV from either session k or k+1 against a node i, node i is revoked.

VI. THRESHOLD VALUES FOR CSP PARAMETERS

In a distributed system such as the CSP, minimal and maximal values for certain design parameters must be taken into account in order to ensure its correct operation. Here, we investigate the threshold values for those CSP parameters.

A. Maximum Number of Compromised Nodes

The CSP is a distributed protocol that exploits node collaboration to enable node revocation. Therefore, an important parameter is the maximum number of compromised nodes the CSP can resist. In this section, we show that an intruder can neither revoke i nor subvert the CSP operation within a DTSD, as long as the intruder cannot capture more than c nodes in a DTSD, where:

$c = q - 1$ (1)

The reason is that if c were larger, an attacker could get all the PRVs that are necessary to revoke a node. Note that this does not imply that the whole network can only resist q-1 compromised nodes, but that the maximum number of intruders within one DTSD is q-1.

Additionally, we have to ensure the correct operation of the CSP in the presence of c≤q-1 intruders. To this end, the DTSD of a node i must have a minimum number of members. In particular, i must send each of its PRVs to more than one member creating some redundancy of the PRVs, in order to guarantee that compromised nodes cannot collude to subvert the CSP operation, e.g., the admittance of a new node. To obtain the minimum required redundancy value of PRVs, we pay attention to a scenario in which an intruder, i, wants to join the network. In this scenario, we have to be sure that i’s DTSD (and more specifically, the uncompromised nodes of the DTSD) receive enough information to revoke the new intruder node.

We address the worst possible situation wherein an intruder wants to join the network with q-1 intruders in i’s DTSD. Before admitting the new intruder node, all DTSD nodes vote whether the node has disclosed enough revocation information (see section V.B.2, Condition B). Assuming that the new compromised node does not disclose one of its PRVs and that the q-1 intruder nodes collude by claiming that they have received that specific PRV, at least q honest nodes must claim the contrary. Otherwise the new intruder node would be admitted without having disclosed one of its PRVs, which causes a situation that would make its revocation impossible. Hence, q-1+q=2q-1 nodes must receive each PRV.

We derive the minimum DTSD size⁶, $\Phi_{min}$, that guarantees the correct operation of the CSP by multiplying the number of necessary nodes to revoke a node by the minimum number of nodes carrying the same PRV. This value is:

$\Phi_{min} = q(2q-1)$ (2)

Finally, we derive a new parameter, α, to describe the percentage of compromised nodes in the network that the CSP can defend against. α is calculated as the ratio between the maximum number of intruders within a DTSD and the minimum number of members contained in a DTSD:

$\alpha = \frac{c}{q(2q-1)} = \frac{q-1}{q(2q-1)}$ (3)

⁶ Note that if weighted authentication is used, more than q nodes are required to revoke a node, and thus, $\Phi_{min}$ increases correspondingly.

Figure 5 depicts the PRV redundancy for a node i within its DTSD. Each row is composed of t squares that represent the t distinct PRVs that are necessary to revoke a node. These t PRVs are distributed to at least 2q-1 different nodes belonging to i’s DTSD. PRVs in different rows represent the required redundancy of each PRV in the DTSD to ensure that a node can always be revoked. Figure 5 depicts the scenario described previously in which two intruder nodes own the same PRVs (red squares) while three further honest nodes are in possession of the same PRV (blue squares), so that a new compromised node must disclose all its PRVs correctly if it wants to be admitted in the network.

Figure 5. PRVs redundancy in a DTSD (t=9, q=3, c=3): each row holds groups of t/q PRVs, and each PRV is replicated on 2q-1 nodes

Table 2 summarizes the CSP threshold design parameters related to the DTSD membership for different values of q. From these results we can conclude that $\Phi_{min}$ grows faster than c with q. Therefore, the CSP resists a larger share of compromised nodes (higher α) for lower values of q. Low values of q are also interesting as they minimize the resource requirements of the CSP. The fact that the CSP resists around 15% of uniformly distributed compromised nodes is of special interest. That means that an attacker must manipulate 15% of the nodes distributed uniformly if he wants to control the whole network. This is a strong assumption, especially in large DSNs that might be deployed in a large area. In a more realistic scenario wherein an attacker can only compromise a few nodes in a non-uniform manner, larger values of q would be more useful.

TABLE 2 THRESHOLD VALUES FOR CSP MEMBERSHIP PARAMETERS

| q | C | $\Phi_{min}$ | α |
|---|---|---|---|
| 2 | 1 | 6 | 17% |
| 3 | 2 | 15 | 13% |
| 4 | 3 | 28 | 11% |

B. Revocation Parameters

The CSP requires us to set up several parameters related to the DNRS phase and revocation sessions, namely probability of correct and erroneous revocation, number of revocation slots in a revocation session, duration of a revocation session, number of revocation sessions, and duration of the overlap. Next, we expound these factors.

1) Correct and Erroneous Node Revocation Probabilities: The CSP relies on an intruder detection algorithm to distinguish between honest and compromised nodes. Such algorithms may yield some level of inaccuracy. This means that a node can only estimate whether a neighbor has been compromised with a certain level of certainty, leading to the erroneous disclosure of some PRVs. We assume that each node makes a decision every TR seconds (see section V.C.3.) and that the underlying intruder detection algorithm is characterized by a probability pe of making an error, i.e. of disclosing the PRVs erroneously⁷, and a probability ps of disclosing its PRV faultlessly.

Firstly, the probability of revoking a node successfully, ps’, can be calculated as the probability that all the PRVs are disclosed. On the one hand, we know that 2q-1 nodes have each PRV, therefore, a PRV will be disclosed with probability $1-(1-p_s)^{2q-1}$. On the other hand, a node can only be revoked if all PRVs are disclosed, hence:

$p_s' = \left(1-(1-p_s)^{2q-1}\right)^{q}$ (4)

Secondly, we calculate the probability of erroneously revoking a node after i·TR seconds⁸. In this case, a PRV is disclosed erroneously with probability pe’:

$p_e' = 1-(1-p_e)^{2q-1}$ (5)

Hence, an error occurs after i trials with probability $p(X=i)=(1-p_e')^{i-1}\,p_e'$. The likelihood of erroneously revoking a node is equal to the probability of erroneously disclosing a PRV, because erroneous disclosures of PRVs are independent events.

2) Maximum Number of Revocation Slots in a Revocation Session: pe’ can be used to determine the maximum number of revocation slots in a revocation session in order to avoid erroneous node revocations. To this end, we calculate the expectation of the probability distribution of pe’, E{p(X=i)}=1/pe’, i.e., a node is disclosed erroneously after TR/pe’ seconds on average. Therefore, the duration of a revocation session, T, must be smaller than TR/pe’ by a factor β, e.g., 2≤β≤4, to minimize the probability of erroneous revocation. Hence, the number of revocation slots in a revocation session is:

$\frac{T}{T_R} = \frac{1}{\beta \cdot p_e'}$ (6)

In Table 3, we analyze the values of ps’, pe’ and T/TR as function of β and q for fixed values of pe and ps. The results illustrate how the CSP allows improving the accuracy of intruder detection algorithms, i.e. ps’ ps, due to the fact that several nodes carry each PRV. This fact also increases the likelihood that all PRVs are erroneously disclosed within a revocation session. However, the CSP minimizes the overall occurrence of erroneous revocations by means of the concept of revocation sessions as the validity of revocation keying material is changed regularly as in [10].

TABLE 3 REVOCATION SESSION DURATION

| q | Ps’(ps=0.95) | Pe’(pe=0.95) | T/TR |
|---|---|---|---|
| 2 | 1 | 0.143 | 6.99/β |
| 3 | 1 | 0.226 | 4.43/β |
| 4 | 1 | 0.302 | 3.32/β |
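Equations (1) to (6) evaluated for the q values of Tables 2 and 3, as an added Python example (not from the paper; the function names are assumptions). The pe’ column of Table 3 is reproduced with pe = 0.05, i.e. 1 − pe = 0.95, and `p_error_within_session` is an extension added here that applies the paper's geometric model p(X=i) to the whole slots of one session.

```python
def dtsd_thresholds(q: int) -> dict:
    """Equations (1)-(3): per-DTSD membership limits for threshold q."""
    c = q - 1                        # (1) tolerated intruders in one DTSD
    phi_min = q * (2 * q - 1)        # (2) q revoking nodes times 2q-1 holders per PRV
    return {"c": c, "phi_min": phi_min, "alpha": c / phi_min}   # (3)

def p_prv_disclosed(p: float, q: int) -> float:
    """Probability that at least one of the 2q-1 holders discloses a given PRV."""
    return 1 - (1 - p) ** (2 * q - 1)

def p_revoke_success(ps: float, q: int) -> float:
    """Equation (4): ps' for per-node correct-disclosure probability ps."""
    return p_prv_disclosed(ps, q) ** q

def p_revoke_error(pe: float, q: int) -> float:
    """Equation (5): pe' for per-node erroneous-disclosure probability pe."""
    return p_prv_disclosed(pe, q)

def max_slots(pe: float, q: int, beta: float) -> float:
    """Equation (6): T/TR = 1 / (beta * pe')."""
    return 1 / (beta * p_revoke_error(pe, q))

def p_error_within_session(pe: float, q: int, beta: float) -> float:
    """Extension: P(X <= slots) for the geometric p(X=i), using whole slots only."""
    slots = int(max_slots(pe, q, beta))
    return 1 - (1 - p_revoke_error(pe, q)) ** slots

def table2(qs=(2, 3, 4)) -> list:
    """Rows (q, c, phi_min, alpha in percent) as in Table 2."""
    rows = []
    for q in qs:
        d = dtsd_thresholds(q)
        rows.append((q, d["c"], d["phi_min"], round(100 * d["alpha"])))
    return rows

def table3(ps=0.95, pe=0.05, qs=(2, 3, 4)) -> list:
    """Rows (q, ps', pe', T/TR for beta=1) as in Table 3."""
    return [(q,
             round(p_revoke_success(ps, q), 3),
             round(p_revoke_error(pe, q), 3),
             round(max_slots(pe, q, 1.0), 2)) for q in qs]

if __name__ == "__main__":
    for row in table2():
        print("Table 2:", row)
    for row in table3():
        print("Table 3:", row)
    for beta in (2, 4):
        print("q=2, beta=%d: P(erroneous disclosure within a session) = %.3f"
              % (beta, p_error_within_session(0.05, 2, beta)))
```

The T/TR values differ from the printed table in the second decimal because the table appears to have been computed from the rounded pe’ values.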

3) Duration of a Revocation Session: The duration of a revocation session is specified by the mobility of the network and the desired frequency of revocation slots. On the one hand, the mobility of the network makes it necessary to update changing DTSDs in order to avoid false revocations (the larger the DTSD of a node, the higher the probability of revoking a node erroneously). Additionally, it helps to prevent intruders from getting more than q-1 compromised nodes within the DTSD as it is updated continuously. According to this criterion, the duration of a revocation session, T, must be chosen in a way that ensures that DTSD nodes that are no longer located within the communication range of the node are eliminated from the DTSD. On the other hand, T depends on the desired frequency of revocation slots. This is of special importance as a short T allows the network to revoke a compromised node faster.

⁷ This probability might be obtained from intruder detection algorithms.
⁸ Observe that in this calculation we assume that there are not intruders.

4) Number of revocation sessions: The number of revocation sessions depends on the network lifetime and revocation session duration. Given the network lifetime TN, and knowing that Int(x) is a function that gives us the integer part of x, the number of sessions⁹ is calculated as:

$s = \mathrm{Int}\left(\log_2\left(\frac{T_N}{T}\right)\right)$ (7)

5) Duration of the Revocation Session Overlapping: When a DTSD identifies a node as an intruder, the DTSD triggers a revocation procedure against it. This allows alerting nodes in close vicinity to the new compromised node rapidly. The revocation message must also reach the rest of nodes in the network in order to enable the global revocation of the node. As a RV is only valid for the current revocation session, the duration of the overlap between sessions must be larger than the propagation time of a revocation message through the network. In this manner, we guarantee that a node can be revoked globally.

$T_\Delta > T_{propagation-revocation-message}$ (8)

VII. OTHER APPLICATION AREAS FOR THE CSP

The main goal of the CSP is to provide practical means to improve the security in distributed networks, such as, e.g., distributed sensor networks. This section analyzes four specific aspects and applications that benefit from the CSP.

A. Authentication

Many security architectures for sensor networks are based on the pre-distribution of some keying material that nodes use after deployment to agree on common secrets and provide further security services such as confidentiality and authentication. However, capturing a few of those nodes may allow an attacker to produce new “legitimate” nodes by reading out the compromised keying material [7].

Using the CSP in combination with those key distribution schemes avoids this kind of attack. The reason for this is that the CSP keying material of each node, which is generated and distributed offline by a trust server, is based on random secrets which cannot be reconstructed due to the one way property of both hash functions and Merkle trees. In this manner, the fact of authenticating the PRVs for the current session of a node is equivalent to an additional node authentication.

⁹ Observation: the larger the value of s, the larger the memory requirements for the CSP.

B. The CSP as a Way to Improve Centralized Revocation

The use of the CSP enables rapid isolation of possible intruders in the network, so that those possibly compromised nodes cannot harm the network. However, in some cases additional confirmation of a node revocation by an authorized network entity might be required. Thus, the distributed CSP revocation of the node would not be definitive, but temporary, e.g., for the current revocation session.

The decision of revoking a node definitively would rely on a base station, controlling all the generated CSP revocation messages in the network. A node would only be revoked centrally if, e.g., a node is revoked several times in a distributed and cooperative manner. In this case, a base station could confirm the distributed revocation of a node by broadcasting a definitive revocation message against the target node.

This approach combines the best features of both types of revocation solutions. On the one hand, the distributed and cooperative nature of the CSP adds flexibility and increases the effectiveness of the node revocation. On the other hand, an authorized base station decides on the definitive revocation of a node, preventing collaborating attackers from maliciously revoking legitimate nodes. This solution also decreases the amount of information exchanged with the base station in comparison with fully centralized revocation approaches.

C. Transforming Clusters into DTSDs

Many applications, such as, e.g., data aggregation, require nodes to operate in clusters in order to perform certain tasks or to reduce the use of scarce resources. The CSP can be applied to those scenarios by transforming each cluster into an independent security domain wherein security relationships among nodes are controlled in a distributed manner. This includes the admission and revocation of nodes in the cluster by means of node collaboration.

For instance, we consider a cluster that uses data aggregation algorithms to minimize its energy consumption. Compromised and out of order nodes within the cluster influence the output of such aggregation algorithms, which leads to erroneous data. Using the CSP in such cases improves the security and dependability within the cluster as malicious nodes can be removed from the network after detection.

D. Cooperation Stimulation

Cooperation in distributed sensor networks is used to minimize the energy requirements of different protocols such as, e.g., routing. However, the presence of selfish nodes endangers the operation of these solutions. For instance, a typical situation occurs when a node tries to exploit its neighbor nodes to forward its own packets but drops messages from other nodes in order to save its energy resources. This situation is even graver in heterogeneous networks in which nodes from several providers compete for resources [15].

The CSP is a useful approach to agree on the selfishness of a node. In this sense, the CSP can be used as a trigger mechanism to castigate nodes by penalizing their communication rights. Besides, the CSP can be adapted in order to measure the trust relationships between nodes according to the concept of weighted revocation. For instance, nodes with bad reputation would have to distribute more PRVs to each node in order to have access to the network and participate in routing protocols.

VIII. CONCLUSIONS AND FUTURE WORK

Node revocation protocols allow removing misbehaving and intruder nodes from the network, since these nodes endanger the network by eavesdropping on communication or sabotaging network operations. The CSP addresses this problem by demanding disclosure of revocation information as prerequisite to join the network. This basic concept allows increasing network resiliency in a simple manner: It ensures that if a node belongs to the network, its neighbors can efficiently revoke it in a distributed manner if the node is identified as an intruder.

The basic CSP concept is characterized by five key properties. (1) The CSP makes use of node cooperation to allow node revocation but also to decide about the admission of a node in the network and suspicious node behavior. (2) The distributed operation of the protocol resists the collusion of up to q compromised nodes making the revocation procedure faster and removing single points of failure around a base station. (3) The CSP introduces the concept of weighted revocation in order to reflect the fact that relationships and trust between nodes might differ. (4) The CSP allows creating an authenticated revocation message that verifies that at least q nodes agreed on the revocation of the target node. This message can be authenticated by any node in the network. (5) Finally, periodic updates of the revocation information, which is disclosed by a node, limit its temporal validity. In this manner, the CSP prevents nodes from being revoked erroneously and complicates collusion attacks.

The CSP shows several advantages in comparison with previous distributed revocation schemes. In the CSP, every node stores the revocation information –partial revocation votes– that enable its own revocation and employs collaborative techniques to ensure its correct distribution. This approach reduces the memory requirements as each node carries its own revocation information. The CSP is also more flexible as it enables any node in the intruder’s DTSD to participate in the revocation process. The DTSD is not pre-established but it can be updated on the fly after the disclosure of the revocation information. This is especially useful in mobile distributed networks, or static networks in which pre-deployment information is not available. Additionally, the CSP enables weighted revocation as nodes might get more or less revocation votes according to predefined rules. This is also not possible in previous schemes in which each node carries a single revocation vote. Finally, the CSP enables a higher number of revocation sessions as the votes for each revocation session can be efficiently generated by means of computationally inexpensive hash chains.

In this paper, we have presented the overall structure that enables the CSP. We have defined a possible structure for the CSP keying material and analyzed the operational phases involved in the CSP. We have also analyzed the threshold values for the CSP parameters in order to ensure the correct operation of the protocol. This analysis shows that the CSP operates correctly in the presence of up to 17% of compromised nodes distributed uniformly over the network. In more realistic scenarios, wherein an attacker can only capture a few nodes in a non-uniform manner, the protocol achieves even better performance. Additionally, the CSP allows improving the performance of intruder detection algorithms due to the cooperative nature of the CSP and the concept of revocation sessions. Finally, we have pointed out several applications (in addition to key revocation) to which the CSP concept is applicable in order to improve their operation.

Certain aspects of the CSP still require further work to be conducted. On the one hand, computational, communicational, energetic, and memory related requirements must be analyzed. Preliminary results (not included in this paper) show that the keying material structure described in the paper implies a low overhead in static networks. However, mobile networks increase both the computational and communications costs. Hence, research into more advanced keying material structures is also required. Additionally, we need to obtain practical results and experience from implementations of CSP aided applications such as dependability enhancement, secure clustering, cooperation stimulation, or the use of the CSP in other types of distributed networks. Finally, reliable intruder detection algorithms must be developed and combined with the CSP.

REFERENCES

[1] Romer, K., and Mattern, F., “The design space of wireless sensor networks”, in Proceedings of IEEE Wireless Communications, Vol. 11, Issue 6, pp. 54-61. 2004.

[2] Garcia-Morchon, O., Baldus, H., “Distributed Node Revocation based on Collaborative Security”, in Proceedings of 3rd International Workshop on Wireless and Sensor Networks Security (IEEE WSNS 2007) Sept. 2007.

[3] Eschenauer, L. and Gligor, V. D. “A Key-Management Scheme for Distributed Sensor Networks”, in Proceedings of Ninth ACM Conf. Computer and Comm. Security, pp. 41-47, Nov. 2002.

[4] Perrig, A., Szewczyk, R., Wen, V., Culler, D., and Tygar, J.D., “SPINS: Security protocols for sensor networks”, in Proceedings of Wireless Networks, 8(5):521-534, September 2002.

[5] Zhang, Q., Yu, T., Ning, P., "A Framework for Identifying Compromised Nodes in Sensor Networks", in Proceedings of 2nd IEEE Communications Society/CreateNet International Conference on Security and Privacy in Communication Networks (SecureComm 2006), August 2006.

[6] Parno, B., Perrig, A., and Gligor, V., “Distributed detection of node replication attacks in sensor networks”, in Proceedings of the IEEE Symposium on Security and Privacy, May 2005 Page(s):49 – 63.

[7] Chan, H., Perrig, A., Song, D., “Random Key Predistribution Schemes for Sensor Networks”, in Proceedings of IEEE Symposium on Research in Security and Privacy, pp. 197-213. 2003

[8] Chuang, P.-J., and Chao, T.-H., “A Node Revocation Scheme for Sensor Networks”, in Proceedings of the sixth IASTED International Multi-Conference on Wireless and Optical Communications Wireless Sensor Networks, July 2006, Canada.

[9] Shamir, A., “How to share a Secret”, in Proceedings of Communications of the ACM Volume 22 , Issue 11 (November 1979) Pages: 612 - 613

[10] Chan, H., Gligor, V. D., Perrig, A., and Muralidharan, G., “On the Distribution and Revocation of Cryptographic Keys in Sensor Networks”, in Proceedings of IEEE Transactions on Dependable and Secure Computing vol.2 no.3, July-September 2005.

[11] Sun, K., Ning, P., Wang, C., Liu, A., Zhou, Y., "TinySeRSync: Secure and Resilient Time Synchronization in Wireless Sensor Networks", in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pages 264--277, Alexandria, Virginia, October/November 2006.

[12] Gupta, S., Zheng, R., Cheng, A., “ANDES: An Anomaly Detection System for Wireless Sensor Networks” in Proceedings of the 4th International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2007), Sept. 2007.

[13] Blundo, C., Santis, A.D., Herzberg, A., Kutten , S., Vaccaro, U., and Yung, M., “Perfectly-Secure Key Distribution for Dynamic Conferences“, in Proceedings of Conf. Advances in Cryptology (Crypto’92), E.F. Brickell, ed., pp. 471-486, 1992.

[14] Garcia-Morchon, O., Baldus, H., and Sanchez, D. S., “Resource-Efficient Security for Medical Body Sensor Networks”, in Proceedings of the international Workshop on Wearable and Implantable Body Sensor Networks (Bsn'06), Vol. 00, April 2006.

[15] Buttyan, L., Hubaux, J.-P., “Stimulating Cooperation in Self-Organizing Mobile Ad-Hoc Networks”, in Proceedings of ACM/Kluwer Mobile Networks and Applications (MONET), Vol. 8 No. 5, October 2003.

[16] Menezes, A.J., van Oorschot, P.C, and Vanstone, S.A., Handbook of Applied Cryptography, CRC Press, 1996.