Dr. Kemal Akkaya E-mail: [email protected]

Wireless & Network Security 1 Kemal Akkaya

Department of Computer ScienceSouthern Illinois University Carbondale

CS 591 – Wireless & Network Security

Lecture 14: Key Management in WSNs Dr. Kemal Akkaya

E-mail: [email protected]


Key management: Constraints in WSNs Sensor node constraints:

Battery power Computational energy consumption Communication energy consumption

Transmission range Memory Temper protection Sleep pattern

Network constraints: Ad-hoc network nature Packet size

Nodes can easily be captured and compromised Key Management include the processes of key setup, the initial

distribution of keys and key revocation (removal of the compromised key).

Many Security-critical application that depend on key management processes demand a high level of fault tolerance when a node is compromised.


Key management approaches classification


Approaches Trusted-Server Schemes

Finding trusted servers is difficult.

Public-Key Schemes Expensive and infeasible for sensors.

Key Pre-distribution Schemes Simplest solution is a network-wide shared key.

Problem: if even a single node were compromised, the secret key would be revealed, and decryption of all network traffic would be possible.

Slightly better solution: Pairwise keys: Impractical because of storage Use a single shared key to establish a set of link keys, one per pair of

communicating nodes, then erase the network-wide key Problem: does not allow addition of new nodes after initial deployment.

Others: Random pre-key distribution Quorum-based


Basic probabilistic approach Due to Eschenauer and Gligor Relies on probabilistic key sharing among nodes of WSN Uses simple shared-key discovery protocol for key distribution,

revocation and node re-keying Three phases are involved:

key pre-distribution, shared-key discovery, path-key establishment

Key pre-distribution Generate a large key pool P (217-220 keys) and corresponding key identifiers Create n key rings by randomly selecting k keys from P Load key rings into nodes memory Save key identifiers of a key ring and associated node identifier on a controller For each node load a key which it shares with a base station

Shared-key Discovery Takes place during initialization phase after WSN deployment. Each node

discovers its neighbor in communication range with which it shares at least one key

Nodes can exchange ids of keys that they poses and in this way discover a common key


Path-key establishment During the path-key establishment phase path-keys are assigned to

selected pairs of sensor nodes that are within communication range of each other, but do not share a key

Node may broadcast the message with its id, id of intended node and some key that it posses but not currently uses, to all nodes with which it currently has an established link. Those nodes rebroadcast the message to their neighbors

Once this message reaches the intended node (possible through a long path) this node contacts the initiator of path key establishment

Analysis shows that after the shared-key discovery phase a number of keys on a key ring are left unused


Node Capture & Connectivity

Node CaptureMore robust then approaches that use single mission key In case node is captured k<<n keys are obtainedThis means that the attacker has a probability of k/P to

attack successfully any other WSN linkConnectivity

Two nodes are connected if they share a keyFull connectivity of WSN is not required because of the

limited communication capabilities of the sensor nodesTwo important questions:What should be the expected degree of a node so that

WSN is connected?Given expected degree of a node what values should the

key ring size, k, and pool, P, have for a network of size n so that WSN is connected?


q-composite approach Enhancement of the basic probabilistic approach Idea: nodes should share q keys instead of only one Approach:

Key pool P is an ordered set During initialization phase nodes broadcast ids of keys that they have After discovery each nodes identifies the neighbor with which it share at least q

keys Communication key is computed as a hash of all shared keys Keys appear in hash in the same order as in key pool

Benefits q-composite approach has greater resiliency to node capture than the basic

approach if small number of nodes were captured Simulations show that for q=2, the amount of additional communications

compromised when 50 nodes (out of 10000) have been compromised is 4.74%, as opposed to 9.52% in the basic scheme

However if large number of nodes have been compromised q-composite scheme exposes larger portion of network than the basic approach

The larger q is the harder it is to obtain initial information Parameter q can be customized to achieve required balance for a particular

network


Zhu / Xu approach Another modification of the basic probabilistic approach Major enhancement:

Pseudorandom number generator is used to improve security of key discovery algorithm

Also uses secret sharing which jointly with logical paths allows nodes to establish a pairwise key that is exclusively known to the two nodes (in contrast to basic probabilistic approach, where other nodes might also know some particular key)


Zhu / Xu approach: key pre-distribution

Background: a pseudo-random number generator, or PRNG, is a random number generator that produces a sequence of values based on a seed and a current state. Given the same seed, a PRNG will always output the same sequence of values.

Key pool P of size l is generated For each node u, pseudorandom number generator is used to generate

the set of m distinct integers between 1 and l (key ids). Nodes unique id u is used as a seed for the generator

Each node is loaded with key ring of size m Keys for the key rings are selected from key pool P in correspondence

with integers (key ids) generated for a particular node by pseudorandom number generator

This allows any node u that knows another nodes v id to determine the set of ids of keys that v poses


Further enhancements So far all the discussed approaches have used one of the following

algorithms for shared-key discovery: Key id notification Challenge response Pseudorandom key id generation

Those algorithms work well against so called “oblivious” attacker, the one that randomly selects next sensor to compromise

What if attacker selects nodes that will allow him to compromise the network faster, based on already obtained information (key ids)?

This is the case of so called “smart” attacker


Smart attacker More precisely smart attacker can be defined as follows:

at each step of the attack sequence, the next sensor to tamper is sensor s, where s maximizes E[G(s)| I(s)], the expectation of the key information gain G(s) given the information I(s) the attacker knows on sensor s key-ring

Simulations show that Key id notification and pseudorandom key id generation can be easily beaten by the smart attacker

Challenge response performs better


Simulation results

Experimental results on id notification and pseudorandom key id generation: Number of sensors to corrupt in order to compromise an arbitrary channel.


Simulation results

Experimental results on challenge response:Number of sensors to corrupt in order to compromise an arbitrary channel.


Background: polynomial based key pre-distribution

Polynomial based key pre-distribution scheme reduces the amount of pre-distributed information still allowing each pair of nodes to compute a shared key

Polynomial based key pre-distribution is λ-collusion resistant, meaning that as long as λ or less nodes are compromised the rest of the network is secure

Utilizes polynomial shares


Polynomial based key pre-distribution : initialization

Special case: λ=1 Each node has an id rU which is unique and is a member of finite field Zp

Three elements a, b, c are chosen from Zp

Polynomial f(x,y) = (a + b(x + y) + cxy) mod p is generated For each node polynomial share gu(x) = (an+ bnx) mod p

where an= (a + brU) mod p and bn= (b + crU) mod p is formed and pre-distributed


Polynomial based key pre-distribution : key discovery

In order for node U to be able to communicate with node V the following computations have to be performed: Ku,v= Kv,u= f(ru,rv) = (a + b(ru+rv) + crurv )mod p

U computes Ku,v= gu(rv)

V computes Kv,u= gv(ru)


Polynomial based key pre-distribution : example

Example: 3 nodes: U, V, W, with the following id’s 12, 7, 1 respectively p=17 (chosen parameter) a=8, b=7, c=2 (chosen parameters) Polynomial f(x,y) = 8+7(x+y)+2xy g polynomials are gu(x) = 7 + 14x, gv(x) = 6 + 4x,

gw(x) = 15+9x Keys are Ku,v=3, Ku,v=4, Ku,v=10 U computes Ku,v= gu(rv) = 7+14*7mod17 = 3 V computes Kv,u= gv(ru) = 6+4*12mod17 = 3


Liu-Ning approach

Combination of polynomial-based key pre-distribution and the key pool idea discussed above

Increases network resilience to node capture Can tolerate no more than λ compromised nodes,

where λ is constrained by the size of memory of a node Idea: use a pool of randomly generated polynomials When pool contains only one polynomial the approach

degenerates to basic polynomial based key pre-distribution scheme

When all polynomials are of degree 0 the approach degenerates to key pool approach

Three phases are involved: setup, direct key establishment, path key establishment


Phases Setup Phase

Set F of bivariate λ-degree polynomials over finite field Fq is generated Each polynomial is assigned a unique id For each sensor node a subset of s’ polynomial is randomly chosen from F For each polynomial in the chosen subset a polynomial share is loaded into nodes

memory Direct Key Establishment Phase

During this phase all possible direct links are established A node can establish a direct link with another node if they both share a polynomial

share of a particular polynomial How to find common polynomial? Use above discussed approaches

Path Key Establishment Phase If direct connection establishment fails nodes have to start path key establishment phase Nodes need to find a path such that each intermediate nodes share a common key Node may broadcast the message with polynomials ids that it posses to all nodes with

which it currently has an established link Once this message reaches the intended node (possible through a long path) this node

computes a key and contacts the initiator of path key establishment Drawback: may introduce considerable communication overhead


Grid-based key pre-distribution Instance of general framework discussed above Benefits:

Guarantees that any two nodes can establish a pairwise key, if no nodes were compromised

Allows sensors to directly determine whether it can establish a pairwise key with another node and which polynomial to use in case of positive answer


Location Aware Purely Random Key Predistribution (P-RKP)

Du et. al (IEEE Infocom 2004) Improves Random Key Predistribution (Eschenauer and Gligor) by exploiting Location

Information. Studies a Gaussian distribution for deployment of Sensor nodes to improve security and

memory usage.

Groups select from key group S (i,j) Probability node is in a certain group is (1 / tn).

njtiSS ji ..1,,...1,,


Location Aware Purely Random Key Predistribution (P-RKP)

Key sharing graphs used to enable connectivity

Use flooding to find secure path (Limit to 3 hops)

Setting up the key pools Two horizontally or vertically neighboring

pools share a|Sc| keys where 0<= a <= 0.25 Two diagonally neighboring key pools share

b|Sc| keys, where 0<=b<=0.25 Two non-neighboring key pools share no

keys. Overlapping factors - a,b

Documents

Dr. Kemal Akkaya E-mail: [email protected]