SECURITY IN WIRELESS SENSOR NETWORKS
By
YUN ZHOU
A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT
OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY
UNIVERSITY OF FLORIDA
2007
© 2007 Yun Zhou
To my family.
ACKNOWLEDGMENTS
My foremost gratitude goes to my advisor, Prof. Yuguang “Michael” Fang, for his
invaluable guidance, encouragement and support throughout my years in the Wireless Networks
Laboratory (WINET). Prof. Fang has not only guided my research in the past few years
with his insights and knowledge, but has also supported my personal growth with
thoughtfulness and patience.
I gratefully acknowledge my other committee members, Prof. Sartaj Sahni, Prof.
Shigang Chen, and Prof. Dapeng Wu for serving on my supervisory committee and for
their invaluable support in various stages of my work.
I would not be a wholesome graduate student without a group of great friends. I
would like to extend my thanks to my fantastic colleagues in WINET, whose presence
and fun-loving spirits built up a warm, family-like environment. I also appreciate their
collaboration and insightful advice throughout these years.
Finally, I am deeply indebted to my friends who have always been standing by my
side. Without their care and unwavering support, I could never have imagined what I have
achieved.
TABLE OF CONTENTS
page
ACKNOWLEDGMENTS . . . 4
LIST OF TABLES . . . 11
LIST OF FIGURES . . . 12
LIST OF ABBREVIATIONS . . . 14
ABSTRACT . . . 16
CHAPTER
1 INTRODUCTION . . . 18
2 KEY AGREEMENT FOR LARGE SCALE NETWORKS . . . 22
  2.1 Introduction . . . 22
  2.2 Key Agreement Models . . . 24
    2.2.1 Global Key . . . 24
    2.2.2 Key Server . . . 25
    2.2.3 Pairwise Key . . . 25
    2.2.4 Matrix . . . 26
    2.2.5 Polynomial . . . 27
  2.3 Our Model . . . 27
    2.3.1 Mathematical Tool . . . 28
    2.3.2 Assumptions . . . 30
    2.3.3 Share Distribution . . . 30
    2.3.4 Direct Key Calculation . . . 32
    2.3.5 Indirect Key Negotiation . . . 32
  2.4 Analysis . . . 33
    2.4.1 Number of Secure Paths . . . 34
    2.4.2 Number of Disjoint Secure Paths . . . 34
    2.4.3 Number of Agent Nodes . . . 34
    2.4.4 An Example . . . 35
    2.4.5 Security of Direct Keys . . . 36
      2.4.5.1 Node compromise in one subspace . . . 36
      2.4.5.2 Node compromise in all subspaces . . . 37
      2.4.5.3 Choose degree t . . . 38
    2.4.6 Security of Indirect Keys . . . 40
    2.4.7 Memory Cost . . . 40
    2.4.8 Computation Overhead . . . 42
    2.4.9 Communication Overhead . . . 42
  2.5 Security Enhancement of Indirect Keys . . . 43
  2.6 Key Establishment in Wireless Sensor Networks . . . 45
    2.6.1 Random Key Material Distribution . . . 45
    2.6.2 Deterministic Key Material Distribution . . . 47
    2.6.3 Comparisons With Related Work . . . 49
  2.7 Conclusion . . . 50
3 KEY ESTABLISHMENT USING DEPLOYMENT KNOWLEDGE IN WIRELESS SENSOR NETWORKS . . . 51
  3.1 Introduction . . . 51
    3.1.1 Sensor Network Model . . . 51
    3.1.2 Security Challenges . . . 52
    3.1.3 Attacks . . . 54
      3.1.3.1 Attack techniques . . . 54
      3.1.3.2 Passive vs. active . . . 55
      3.1.3.3 External vs. internal . . . 55
    3.1.4 Security Requirements . . . 56
  3.2 Uniform Key Material Distribution . . . 57
  3.3 A Square Cell Deployment Model . . . 58
  3.4 New Deployment and Secret Pre-Distribution Models . . . 59
    3.4.1 Security of LBKP . . . 59
    3.4.2 A Hexagon Cell Model . . . 60
    3.4.3 Edge-Based Secret Pre-Distribution . . . 61
    3.4.4 A Triangle Cell Model . . . 63
  3.5 Cell-based Pairwise Key Establishment . . . 64
    3.5.1 Node Deployment . . . 64
    3.5.2 Polynomial Distribution . . . 64
    3.5.3 Pairwise Key Establishment . . . 65
    3.5.4 Node Addition . . . 66
    3.5.5 Node Revocation . . . 66
  3.6 Analysis and Evaluation . . . 67
    3.6.1 Security . . . 67
    3.6.2 Memory Cost . . . 70
    3.6.3 Connectivity . . . 71
  3.7 Conclusion . . . 74
4 SCALABLE KEY ESTABLISHMENT IN WIRELESS SENSOR NETWORKS . . . 77
  4.1 Introduction . . . 77
  4.2 Two Dimension Grid Design for TLK and LLK Establishment . . . 79
    4.2.1 Network Model . . . 79
    4.2.2 Share Pre-distribution . . . 80
    4.2.3 Direct Key Calculation . . . 81
    4.2.4 Indirect Key Negotiation . . . 82
    4.2.5 LLK Establishment . . . 83
    4.2.6 TLK Establishment . . . 84
    4.2.7 Performance Evaluation . . . 85
      4.2.7.1 Memory cost . . . 85
      4.2.7.2 Resilience to node compromise . . . 87
      4.2.7.3 Local secure connectivity . . . 91
      4.2.7.4 Computation overhead . . . 93
  4.3 Scalable Link-Layer Key Agreement in Sensor Networks . . . 94
    4.3.1 Network Model . . . 94
    4.3.2 Share Distribution . . . 95
    4.3.3 Node Deployment . . . 96
    4.3.4 Link-layer Key Agreement . . . 97
    4.3.5 Performance Evaluation . . . 100
      4.3.5.1 Memory cost . . . 100
      4.3.5.2 Security . . . 101
      4.3.5.3 Local secure connectivity . . . 102
  4.4 Conclusion . . . 104
5 A LOCATION-BASED NAMING MECHANISM FOR SECURING SENSOR NETWORKS . . . 105
  5.1 Introduction . . . 105
  5.2 Location-based Naming Mechanism . . . 107
    5.2.1 Location Determination . . . 107
    5.2.2 Location-based Name . . . 108
  5.3 Link Layer Security . . . 110
    5.3.1 Establishing Shared Keys . . . 111
    5.3.2 B-Phase Authentication . . . 112
    5.3.3 C-Phase Authentication . . . 114
  5.4 Secure Sensor Networks . . . 115
    5.4.1 The Sybil Attack . . . 116
    5.4.2 Identity Replication Attacks . . . 116
    5.4.3 Wormhole Attacks . . . 117
    5.4.4 Sinkhole Attacks . . . 118
    5.4.5 HELLO Flood Attacks . . . 118
    5.4.6 The Acknowledgement Spoofing Attack . . . 118
    5.4.7 The Node-compromise Attack . . . 119
    5.4.8 The Memory Exhaustion Attack . . . 119
  5.5 Discussion . . . 120
  5.6 Conclusion . . . 121
6 ACCESS CONTROL IN WIRELESS SENSOR NETWORKS . . . 122
  6.1 Introduction . . . 122
  6.2 Review of Attacks . . . 124
    6.2.1 Malicious Nodes Deployment . . . 124
    6.2.2 The Sybil Attack . . . 124
    6.2.3 The Node Replication Attack . . . 125
    6.2.4 The Wormhole Attack . . . 126
  6.3 Access Control . . . 126
    6.3.1 Necessity . . . 126
    6.3.2 The State of the Art . . . 127
  6.4 Our Protocol . . . 129
    6.4.1 Outline . . . 129
    6.4.2 Assumptions . . . 130
      6.4.2.1 Network model . . . 130
      6.4.2.2 Adversary model . . . 131
    6.4.3 Cryptographic Primitive . . . 131
    6.4.4 Predeployment Phase . . . 132
      6.4.4.1 Network parameters . . . 132
      6.4.4.2 Sensor parameters . . . 133
    6.4.5 Node Deployment . . . 134
    6.4.6 Node Authentication . . . 134
      6.4.6.1 Handshake between new nodes . . . 134
      6.4.6.2 Handshake between a new node and an old node . . . 136
    6.4.7 Key Establishment . . . 137
  6.5 Security Analysis . . . 138
    6.5.1 New Node Deployment . . . 138
    6.5.2 Eavesdropping and False Reports Injection . . . 138
    6.5.3 Node Compromise . . . 138
    6.5.4 Attacks to Access Control . . . 139
  6.6 Evaluation . . . 140
    6.6.1 ECC vs. RSA . . . 140
    6.6.2 Comparison with Related Work . . . 142
  6.7 Conclusion . . . 144
7 BABRA: BATCH-BASED BROADCAST AUTHENTICATION IN WIRELESS SENSOR NETWORKS . . . 146
  7.1 Introduction . . . 146
  7.2 µTESLA . . . 147
  7.3 BABRA Design . . . 148
    7.3.1 Network Model . . . 148
    7.3.2 Architecture . . . 149
    7.3.3 Bootstrapping . . . 151
    7.3.4 Counteracting Bogus Packets . . . 151
    7.3.5 Countermeasures to Radio Jamming . . . 152
      7.3.5.1 Intermittent jamming . . . 152
      7.3.5.2 Continuous jamming . . . 155
  7.4 Discussion . . . 157
  7.5 Conclusion . . . 158
8 MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE . . . 159
  8.1 Introduction . . . 159
  8.2 Related Work . . . 161
  8.3 Multicast Authentication Over Lossy Channels . . . 162
    8.3.1 Assumptions . . . 162
    8.3.2 Batch Signature . . . 162
  8.4 Batch Signature Construction . . . 164
    8.4.1 Batch RSA Signature . . . 164
      8.4.1.1 RSA . . . 164
      8.4.1.2 Batch RSA . . . 164
      8.4.1.3 Requirements to the sender . . . 165
    8.4.2 Batch BLS Signature . . . 166
      8.4.2.1 BLS . . . 166
      8.4.2.2 Batch BLS . . . 167
      8.4.2.3 Requirements to the sender . . . 168
    8.4.3 Batch DSA Signature . . . 168
      8.4.3.1 Harn DSA . . . 168
      8.4.3.2 Harn batch DSA . . . 169
      8.4.3.3 The Boyd-Pavlovski attack . . . 170
      8.4.3.4 Our batch DSA . . . 170
      8.4.3.5 Requirements to the sender . . . 171
  8.5 Performance Evaluation . . . 172
    8.5.1 Resilience to Packet Loss . . . 172
    8.5.2 Authentication Latency . . . 173
    8.5.3 Computational Overhead . . . 175
    8.5.4 Communication Overhead . . . 176
  8.6 Counteracting DoS . . . 177
  8.7 Conclusion . . . 182
9 SECURITY OF IEEE 802.16 IN MESH MODE . . . 184
  9.1 Introduction . . . 184
  9.2 Security Architecture of IEEE 802.16 in Mesh Mode . . . 186
  9.3 Security Threats to IEEE 802.16 in Mesh Mode . . . 187
    9.3.1 Topological Attacks . . . 187
    9.3.2 Authorization Threats . . . 188
    9.3.3 Threats to Link Establishment . . . 192
    9.3.4 Threats to TEKs . . . 194
    9.3.5 Traffic Threats . . . 195
  9.4 802.16e Security in Mesh Mode . . . 195
    9.4.1 Security Improvements . . . 196
    9.4.2 Potential Threats . . . 196
  9.5 New Security Improvements . . . 197
    9.5.1 Neighbor Authentication . . . 197
    9.5.2 Cryptographic Issues . . . 198
  9.6 Conclusion . . . 199
REFERENCES . . . 200
BIOGRAPHICAL SKETCH . . . 213
LIST OF TABLES
Table page
2-1 Bound and precise ratios between t∗ and N1 . . . . . . . . . . . . . . . . . . . . 40
3-1 The algorithm for polynomial distributing. . . . . . . . . . . . . . . . . . . . . . 65
3-2 Memory cost. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
4-1 Memory cost of different schemes. . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4-2 Local secure connectivity of different schemes . . . . . . . . . . . . . . . . . . . 93
4-3 Computation overhead of different schemes. . . . . . . . . . . . . . . . . . . . . 94
4-4 Memory cost of different schemes . . . . . . . . . . . . . . . . . . . . . . . . . . 101
8-1 Authentication latency of different schemes. . . . . . . . . . . . . . . . . . . . . 175
8-2 Computation overhead of different schemes for one block. . . . . . . . . . . . . . 176
8-3 Computational overhead of different batch schemes. . . . . . . . . . . . . . . . . 176
8-4 Communication overhead of different schemes for one block. . . . . . . . . . . . 177
8-5 Communication overhead of signature schemes. . . . . . . . . . . . . . . . . . . 177
8-6 Comparisons between the block-based approach and the batch-based approach. . 182
LIST OF FIGURES
Figure page
2-1 Construction of credentials according to the equation (2–9). . . . . . . . . . . . 31
2-2 An example of key graph in the 3-dimension ID space. . . . . . . . . . . . . . . 35
2-3 Minimum required polynomial degree. . . . . . . . . . . . . . . . . . . . . . . . 41
2-4 The communication overhead. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3-1 A wireless sensor network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3-2 A square cell deployment model. . . . . . . . . . . . . . . . . . . . . . . . . . . 59
3-3 A hexagon cell model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3-4 A triangle grid model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3-5 M = 120. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3-6 M = 240. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3-7 The probability that each node resides in its own cell is 0.9. . . . . . . . . . . . 75
3-8 The probability that each node resides in its own cell is 0.99. . . . . . . . . . . . 76
4-1 A two-dimension sensor network. . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4-2 LLK establishment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4-3 M = 240. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
4-4 M = 180. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
4-5 Topology. A) Before deployment. B) After deployment. . . . . . . . . . . . . . . 98
4-6 Deployment strategy. A) Before deployment. B) After deployment. . . . . . . . 99
4-7 Node coverage in one cell. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5-1 A square cell deployment model. . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5-2 Location-based name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
6-1 Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
6-2 Handshake between two new nodes. . . . . . . . . . . . . . . . . . . . . . . . . . 136
6-3 Handshake between a new node and an old node. . . . . . . . . . . . . . . . . . 137
7-1 One batch of broadcast and the batch packet format. . . . . . . . . . . . . . . . 149
7-2 The authenticated broadcasting stream. . . . . . . . . . . . . . . . . . . . . . . 151
7-3 The key survival probability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
8-1 Verification rate under the random loss model. . . . . . . . . . . . . . . . . . . . 173
8-2 Verification rate under the burst loss model with the maximum burst length 10. 174
8-3 An example of Merkle tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
8-4 MABS architecture including the DoS counter measure. . . . . . . . . . . . . . . 181
9-1 Mesh networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
9-2 Sinkhole attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
9-3 Wormhole attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
9-4 Node authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
9-5 Replay attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
9-6 False base station. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
9-7 Link establishment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
9-8 TEK update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
LIST OF ABBREVIATIONS
AK Authorization key
ASM Authorization state machine
BABRA Batch-based broadcast authentication
BIBD Balanced incomplete block design
BS Base station
CRC Cyclic redundancy checksum
DOCSIS Data over cable service interface specifications
DoS Denial of service
DSA Digital signature algorithm
ECC Elliptic curve cryptography
ECDLP Elliptic curve discrete logarithm problem
ECDSA Elliptic curve digital signature algorithm
FEC Forward error correction
GPS Global positioning system
ID Identifier or identity
IV Initialization vector
KDC Key distribution center
KTC Key translation center
LAKE Two-layer key establishment
LBN Location-based naming
LBKP Location-based key pre-distribution
LLA Link layer authentication
LLK Link layer key
MABS Multicast authentication based on batch signature
MAC Message authentication code in cryptography, or medium access control in networking
MSKP Multiple-space key pre-distribution
OHC One-way hash chain
OSS Operator shared secret
OWA One-way accumulator
PIKE Peer intermediaries for key establishment
PKE Pairwise key establishment
PKM Privacy and key management
PMP Point-to-multi-point
PPKP Polynomial pool-based key pre-distribution
QoS Quality of service
RKP Random key pre-distribution
RPK Random-pairwise key
RSA A cryptography algorithm named after its inventors Ron Rivest, Adi Shamir and Leonard Adleman
SA Security association
SPINS Security protocols for sensor networks
SS Subscriber station
TEK Traffic encryption key
TESLA Timed efficient stream loss-tolerant authentication
TLK Transport layer key
TSM TEK state machine
WiMAX Worldwide interoperability for microwave access
WLAN Wireless local area network
WMAN Wireless metropolitan area networks
WSN Wireless sensor network
Abstract of Dissertation Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
SECURITY IN WIRELESS SENSOR NETWORKS
By
Yun Zhou
August 2007
Chair: Yuguang Fang
Major: Electrical and Computer Engineering
Rapid advances in wired/wireless networking technology are gradually expanding the
realm of ubiquitous high-speed network access. Such a process also encounters more and
more threats and attacks from those who exploit vulnerabilities in networks. This has
been motivating research on security in wireless networks.
Key establishment is the first step to develop all the other security mechanisms,
because most security protocols depend on keys to operate correctly and provide desirable
security performance. In my research, a scalable and deterministic key agreement model
based on a multivariate polynomial and a multidimensional grid-based network topology
was developed to enable key establishment in large scale networks with very low memory
cost. I will show that my model can achieve a memory cost several orders of magnitude lower
than the number of nodes in the network, while traditional models have a memory cost of
the same order as the network size. My model has found applications in wireless sensor
networks to establish hop-to-hop keys and end-to-end keys. In addition, I proposed
an access control protocol based on elliptic curve cryptography (ECC) for wireless sensor
networks, which accomplishes node authentication and key establishment for new nodes.
Different from conventional authentication methods, my protocol can defend against most
well-recognized attacks in wireless sensor networks, and achieves better computation and
communication performance due to the more efficient algorithms based on ECC.
Authentication is critical to ensure the origin of a multicast stream in hostile
environments. Conventional block-based schemes suffer from drawbacks such as vulnerability
to packet loss, authentication latency and Denial of Service (DoS) attacks. In my
research, I developed a novel multicast authentication scheme based on batch signatures.
In particular, each packet in a stream carries its own signature. The receiver
authenticates multiple packets by checking their signatures through only one verification
operation. I proposed three implementations, including two novel batch signature schemes.
My approach achieves computational efficiency while avoiding the drawbacks of
conventional block-based schemes. I also proposed a broadcast authentication protocol
for wireless sensor networks based on symmetric key techniques. Compared with
conventional symmetric key solutions, my scheme does not require time synchronization,
eliminates the need for a key chain, supports broadcast for an unlimited number of rounds,
and is efficient due to the use of symmetric key techniques.
IEEE 802.16 (worldwide interoperability for microwave access, or WiMAX) is
seen as a promising technology for next generation broadband wireless access, while its
security issues also draw attention in the literature. In my research, I analyzed the
IEEE 802.16 standard and found that although IEEE 802.16 provides some security
measures in conventional one-hop networks, it is very vulnerable to malicious attacks in
multihop environments such as wireless mesh networks. In order to strengthen the defense
of IEEE 802.16 in mesh networks, I proposed a mesh-certificate-based access control and
authentication scheme for WiMAX-based mesh networks.
CHAPTER 1
INTRODUCTION
Rapid advances in wired/wireless networking technology are gradually expanding the
realm of ubiquitous high-speed network access. At the same time, however, such a process
also encounters more and more threats and attacks from those who exploit vulnerabilities
in networks on a widespread basis. The situation is deteriorating with the increasing
popularity of wireless networks, which facilitate uncontrolled network access due to the
shared wireless medium. This motivates my research on security in wireless networks. My
overall goal is not only to make networked systems resilient to malicious attacks, but also
to promote proactive security in network and protocol design.
Key establishment is the first step to developing all the other security mechanisms,
because most security protocols depend on keys to operate correctly and provide desirable
security performance. In Chapter 2, a scalable and deterministic key agreement model
based on a multivariate polynomial and a multidimensional grid-based network topology is
introduced to enable key establishment in large scale networks with very low memory cost.
We will show that our model can achieve a memory cost several orders of magnitude lower
than the number of nodes in the network, while traditional models have a memory cost of
the same order as the network size.
Existing key agreement models can be used to establish keys in wireless sensor
networks (WSN). A problem, however, is that the communication overhead is significant
when two neighboring nodes do not have correlated key material and thus have to
rely on a multihop path to negotiate a shared key. This problem can be alleviated by
leveraging node deployment knowledge in the sense that two nodes that will be deployed
close to each other can be preloaded with correlated key material so that they have a
higher probability of establishing a shared key. In Chapter 3, we show that by leveraging
deployment knowledge we can achieve much better performance.
In Chapter 4, we combine our key agreement model and deployment knowledge and
propose a novel key establishment scheme for WSNs. We will show that our scheme can
not only achieve efficient key establishment between neighboring nodes but also establish
end-to-end keys between two nodes far away from each other.
Conventional WSN designs name every node with an identifier drawn from a one-dimensional
name space; such an identifier serves only to identify the node and carries no further
meaning. However, it is much more useful to let every node identifier carry more
characteristics of the node itself. Chapter 5 introduces the naming problem and proposes
a location-based naming (LBN) mechanism for WSNs, in which deployment knowledge is
embedded into the node identifier and acts as an inherent node characteristic to provide
an authentication service in local access control. When LBN is enforced, the impact of
many attacks on WSN topology can be confined to a small area. A link layer authentication
(LLA) scheme is also proposed to further decrease the impact of those attacks. Our LBN
and LLA can be combined to act as an efficient solution against a wide range of attacks
in WSNs.
To extend the lifetime of a WSN, new node deployment is necessary. In military
scenarios, adversaries may directly deploy malicious nodes or manipulate existing nodes
to introduce malicious “new” nodes through many kinds of attacks. To prevent malicious
nodes from joining the network, access control is required in the design of WSN protocols.
In Chapter 6, we propose an access control protocol based on elliptic curve cryptography
(ECC) for WSNs. Our access control protocol accomplishes node authentication and key
establishment for new nodes. Different from conventional authentication methods based on
the node identity, our access control protocol includes both the node identity and the node
bootstrapping time into the authentication procedure. Hence our access control protocol
can not only verify the identity of each node but also differentiate between old nodes
and new nodes. In addition, each new node can establish shared keys with its neighbors
during the node authentication procedure. Compared with conventional security solutions,
our access control protocol can defend against most well-recognized attacks in WSNs, and
achieves better computation and communication performance because the algorithms
based on ECC are more efficient than those based on RSA.
To prevent adversaries from injecting bogus messages, authentication is required for
broadcast in WSNs. µTESLA (timed efficient stream loss-tolerant authentication) is a
light-weight broadcast authentication protocol, which uses a one-way hash chain and the
delayed disclosure of keys to provide the authentication service. However, it suffers from
several drawbacks in terms of time synchronization, limited broadcast rounds, key chain
management at the source node, etc. In Chapter 7, we propose a novel protocol, called
batch-based broadcast authentication (BABRA) for WSNs. BABRA does not require
time synchronization, eliminates the requirement of key chain, and supports broadcast for
infinite rounds. Like µTESLA, BABRA is also efficient due to the use of symmetric key
techniques.
Authentication is critical to ensure the origin of a multicast stream in hostile
environments. To avoid computationally expensive signature operations on each packet,
conventional schemes divide a multicast stream into blocks, associate each block with
a signature, and spread the effect of the signature across all the packets in the block
through some efficient operations such as hashing or coding. However, most conventional
schemes suffer from drawbacks such as vulnerability to packet loss and DoS attacks.
Moreover, most of them require the entire block with its signature to be collected before
authenticating each packet in the block. This authentication latency can lead to
jitter for real-time applications at the receiver. Unlike the block-based approach, we
develop a novel multicast authentication scheme based on batch signature (MABS) in
Chapter 8. Particularly, each packet in a stream is attached with a signature. The receiver
authenticates multiple packets by checking their signatures through only one verification
operation. We propose two batch signature schemes based on BLS and DSA that are more
efficient than batch RSA signature scheme. MABS can achieve computational efficiency
while avoiding the drawbacks of conventional block-based schemes.
IEEE 802.16 (WiMAX) is seen as a promising technology for next generation
broadband wireless access. Compared with IEEE 802.11, IEEE 802.16 operates in
a wider frequency band up to 66 GHz, covers a longer distance up to 50 km, and supports
QoS (quality of service). Therefore, 802.16 becomes an ideal choice for broadband
wireless access systems. Based on the lessons from IEEE 802.11 networks, researchers have started
looking into the security issues in wireless access networks. In Chapter 9, we analyze the
IEEE 802.16 standard and find that, though IEEE 802.16 provides some security
measures in conventional one-hop networks, it is very vulnerable to malicious attacks in
multihop environments such as wireless mesh networks. In order to strengthen the defense
of IEEE 802.16 in mesh networks, we propose a mesh-certificate-based access control and
authentication scheme for WiMAX-based mesh networks.
CHAPTER 2
KEY AGREEMENT FOR LARGE SCALE NETWORKS
2.1 Introduction
Key agreement is a central problem in building secure infrastructures for networks,
because most security protocols and cryptographic algorithms, such as encryption or
signature, require a secret key to be fed into some standard algorithm together with publicly
known messages to generate outputs used in a specific secure context.
In his classic paper “Communication theory of secrecy systems”[1], Claude Shannon,
who had established information theory, developed the theoretical framework for the
symmetric key based cryptography. In his cryptographical system model, there are two
information sources, i.e., a message source and a key source, at the transmission end. The
key source produces a particular key K from among those which are usable in the system.
This key K is transmitted by some means, supposedly not interceptable, for example by
a messenger, to the receiving end. The message source produces a message M (in the
“clear”) which is enciphered by the encipherer $T_K$. The resulting ciphertext E is sent to
the receiving end by a possibly interceptable means, for example radio. At the receiving
end the ciphertext E and the key K are combined in the decipherer $T_K^{-1}$ to recover the
message M. The transformation $T_K$ and its inverse $T_K^{-1}$ are possibly known to the public.
The Diffie-Hellman [2] and the RSA [3] algorithms mark the establishment of the
asymmetric key based cryptography. Unlike a single key used by both the transmission
end and the receiving end in symmetric key systems, there are two keys for each end in
asymmetric key systems. The transmission end encrypts a message M into a ciphertext
E by an encryption key K that belongs to the receiving end. The receiving end decrypts
the ciphertext E to get the message M by a decryption key K−1 that also belongs to
himself¹. Here the encryption key K and the decryption key K−1 are different. Though
the decryption key is kept secret by the receiving end, the encryption key is usually
known to the public so that anyone can send messages using the encryption key to the
receiving end. Asymmetric key systems are therefore also called public key systems, and
the encryption key and decryption key are called public key and private key, respectively.
¹ In this dissertation, we do not consider the gender difference.
In a cryptographic system, the message source and the ciphertext space are usually
accessible to an attacker. The encryption and decryption transforms are also assumed
to be accessible to the attacker. Though in some specific systems the cryptographic
algorithms can be kept secret, this approach may increase the system vulnerability,
because an algorithm that has not been inspected carefully by critical experts may have
potential defects that can be exploited by attackers. Therefore most “secure” algorithms are
public so that they can be carefully inspected. In this case, the security of the entire
system mainly relies on the secrecy of the keys it uses.
If an attacker can find the key, the entire system is broken. The attacker can
achieve the goal by cryptanalysis. Most cryptographical systems are vulnerable to
cryptanalysis due to the existence of the redundancy of message source in the real world.
The redundancy can always provide the attacker a possible tool for cryptanalysis over
intercepted ciphertexts during their transmission. Moreover, the attacker knows the
system being used, i.e., the message space, the transformation Ti, and the probabilities
of choosing various keys, and has unlimited time and staff available for the analysis
of ciphertexts. The attacker thus can use all these resources to find the key if the
time is not important for him. Another way is to directly intercept the key during its
transmission between the message source and receiving end. Therefore, how to achieve the
key agreement between the source and sink securely is a very important issue.
Generally, key establishment consists of two steps. First, the source and sink should
be configured with some key materials. Second, those materials are used to establish a
shared symmetric key between the source and sink. In symmetric key systems, those
key materials can be a shared symmetric key or parameters used to calculate the
symmetric key. In asymmetric key systems, they are parameters associated with the
chosen asymmetric key algorithm, e.g., Diffie-Hellman or RSA, and the source and sink
can negotiate a shared symmetric key by using the asymmetric key algorithm.
Asymmetric key algorithms outperform symmetric key algorithms in terms of
flexible manageability, but their efficacy relies on the authenticity of public keys.
Hence, asymmetric key algorithms are usually applicable in networks that include
fixed authorities in charge of the authentication of public keys. However, there are
many scenarios, e.g., dynamic conferences or ad hoc networks, where such authorities are
not available. In addition, asymmetric key algorithms require more computation resources
than symmetric key algorithms. Therefore, symmetric key algorithms are well suited
to low-end devices because of their efficiency. In this chapter, we mainly focus on how to
achieve key agreement by using symmetric key algorithms.
2.2 Key Agreement Models
A network consists of many nodes. In order to secure communication between nodes,
we need some method to establish a shared key for each pair of nodes. In this section, we
review several models for key agreement in a network.
2.2.1 Global Key
The simplest symmetric key model is to use a global key, which is shared by all the
nodes in a network. Usually each node is configured with the global key by an off-line
authority before joining the network. After the node joins the network, it can communicate
with other nodes securely. In order to avoid exposure of the key to an attacker through
cryptanalysis, the global key needs to be updated periodically. In each period, a key
manager generates and distributes a new global key to all the nodes in the network. One
example of the global key model used in WSNs can be found in [4].
The global key model assumes all the nodes in the network are trustworthy, and thus this
model can effectively prevent external attackers from accessing critical information that is
secured by the global key. However, this assumption can fail in some scenarios, since an
attacker who compromises only one node obtains the global key and can thereby break into the
entire network.
2.2.2 Key Server
In the key distribution center (KDC) or key translation center (KTC) models [5], a special
node in a network is selected as a central trusted server. Each other node has a shared key,
which could be pre-configured, with the KDC/KTC. The KDC/KTC helps to
establish a shared key between any two nodes. An example of applying a KDC in WSNs is
SPINS (security protocols for sensor networks) [6].
The KDC/KTC model has a merit of low memory cost for storing key material. Each
node keeps only one key shared with the KDC/KTC. When a new node joins the network,
it can negotiate a shared key with any other node as long as the new node is configured
with a key shared with the KDC/KTC. On the other hand, the centralized model also
makes the KDC/KTC a potential failure point in the sense that the entire network is
broken down if the KDC/KTC is corrupted by an attacker.
2.2.3 Pairwise Key
The pairwise key model is a distributed model. It assumes that a pair of nodes can
be configured with a unique shared secret key. In the full pairwise key model, each pair of
nodes in a network is configured with a distinct shared key, so that they can communicate
securely right after they join the network. In a partial pairwise key model, each node is
configured with pairwise keys for a portion of the other nodes in the network. Therefore,
a pair of nodes may not have a shared key in advance. They, however, may rely on a
multihop path to negotiate a shared key online, where the path is secured by consecutive
pairwise keys.
The pairwise key model is perfectly secure in the sense that no matter how many nodes
collude with each other, they know nothing about the pairwise keys held by other normal
nodes. Therefore, this model is resilient to node compromise, compared with the global
key model and the KDC/KTC model. The tradeoff, however, is that each node must be
pre-configured with multiple keys. Consider the full pairwise key model in a network of
N nodes. Each node needs to keep N − 1 keys, and the overall number of keys in the
network, which may need to be centrally backed up, is then N(N − 1)/2. As the size of the
network increases, this number becomes unacceptably large. Therefore, the pairwise key
model is usually suitable only for small networks.
2.2.4 Matrix
Blom [7] proposed a matrix-based model. For a network of N nodes, an
offline central authority first constructs a (t + 1)×N public matrix P over a finite field Fq,
where t is a security threshold. Then the central authority selects a random (t+1)× (t+1)
symmetric matrix S over Fq, where S is secret and only known to the central authority.
An N×(t+1) matrix A = (S ·P )T is computed, where (·)T denotes the transpose operator.
The central authority pre-configures the i-th row of A and the i-th column of P to node i,
for i = 1, 2, . . . , N . After the network is set up, nodes i and j can agree on a shared key by
exchanging their columns of P and computing the key. In particular, node i computes a
key Kij as the product of its own row of A and the j-th column of P and node j computes
Kji as the product of its own row of A and the i-th column of P . Because S is symmetric,
it is easy to see:
$$K = A \cdot P = (S \cdot P)^T \cdot P = P^T \cdot S^T \cdot P = P^T \cdot S \cdot P = (A \cdot P)^T = K^T.$$ (2–1)
Therefore, nodes pair (i, j) will use Kij = Kji, as a shared key.
The matrix model has a t-secure property in the sense that in a network of N nodes
the collusion of fewer than t + 1 nodes cannot reveal any key shared by other pairs of nodes.
This is because at least t + 1 rows of A and t + 1 columns of P are required to solve for the
secret symmetric matrix S. Therefore, the matrix model can tolerate up to t compromised
nodes.
The memory cost per node in this model is t + 1. To guarantee perfect security, the
value of t should be set as (N − 2), which means the memory cost per node is N − 1.
Therefore, the matrix model has the same large memory cost as the pairwise key model.
2.2.5 Polynomial
In [8], Blundo et al. suggest using a t-degree bivariate symmetric polynomial to
achieve key agreement. It is a special case of the matrix model in the sense that the public
matrix P is composed of node identifiers as:
$$P = \begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ n_1 & n_2 & n_3 & \cdots & n_N \\ n_1^2 & n_2^2 & n_3^2 & \cdots & n_N^2 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ n_1^t & n_2^t & n_3^t & \cdots & n_N^t \end{pmatrix},$$ (2–2)
where ni, for i = 1, 2, . . . , N , is the identifier of the i-th node. It is easy to see that P is
a Vandermonde matrix, and thus any t + 1 columns of P are linearly independent when
ni, i = 1, 2, . . . , N are all distinct.
Like the matrix model, the polynomial model also provides the t-secure property
and has the same memory cost.
2.3 Our Model
Obviously, the previous distributed models are not suitable for large networks because
of their memory cost of order N − 1 in a network of N nodes. In reality, however, we
often deal with large distributed networks or systems. How to achieve key agreement
in a large network is a very challenging problem. In view of this problem, we propose a
novel key agreement model based on a multivariate symmetric polynomial [9, 10]. It has
three components, i.e., share distribution, direct key calculation, and indirect key negotiation.
In the share distribution part, partial information of a global t-degree (k + 1)-variate
polynomial is distributed among nodes. The partial information alone cannot reveal the
global polynomial but can help key agreement between nodes. In the direct key
calculation part, some nodes may calculate a shared key directly if they have some partial
information in common. The indirect key negotiation part tells how to negotiate a shared key
between two nodes with the help of other nodes if they cannot calculate a direct key.
Our model is scalable for large networks with small memory cost per node. We show
that for a network of N nodes our model has only $O(\sqrt[k]{N})$ memory cost per node, where
k ≥ 1. Conventional distributed models are obtained as special cases of our scheme
when k = 1. Meanwhile, unlike the centralized KDC/KTC model, in our scheme every
node may act as a KDC to help key agreement between two other nodes, which makes the
model more robust against node compromise. In addition, our model is deterministic in the sense that
any pair of nodes can compute a shared key independently or negotiate one through k − 1
agent nodes (k ≥ 1).
2.3.1 Mathematical Tool
Our model is based on a t-degree multivariate symmetric polynomial. A t-degree
(k + 1)-variate polynomial is defined as
$$f(x_1, x_2, \ldots, x_k, x_{k+1}) = \sum_{i_1=0}^{t} \sum_{i_2=0}^{t} \cdots \sum_{i_k=0}^{t} \sum_{i_{k+1}=0}^{t} a_{i_1, i_2, \ldots, i_k, i_{k+1}}\, x_1^{i_1} x_2^{i_2} \cdots x_k^{i_k} x_{k+1}^{i_{k+1}}.$$ (2–3)
All coefficients of the polynomial are chosen from a finite field Fq, where q is a prime that
is large enough to accommodate a cryptographic key. Without specific statement, all
calculations in this chapter are performed over the finite field Fq.
A (k + 1)-tuple permutation is defined as a bijective mapping
σ : [1, k + 1] −→ [1, k + 1] . (2–4)
By choosing all the coefficients according to
$$a_{i_1, i_2, \ldots, i_k, i_{k+1}} = a_{i_{\sigma(1)}, i_{\sigma(2)}, \ldots, i_{\sigma(k)}, i_{\sigma(k+1)}}$$ (2–5)
for any permutation σ, we can obtain a symmetric polynomial in that
f(x1, x2, . . . , xk, xk+1) = f(xσ(1), xσ(2), . . . , xσ(k), xσ(k+1)) . (2–6)
First, every node should be configured with k credentials, which are positive and
pairwise different integers. Suppose node u has credentials (u1, u2, . . . , uk) and node v has
credentials (v1, v2, . . . , vk). Before node deployment, we can assign a polynomial share
f(u1, u2, . . . , uk, xk+1) to u and another share f(v1, v2, . . . , vk, xk+1) to v. By assigning
polynomial shares, we mean that the coefficients of t-degree univariate polynomials
f(u1, u2, . . . , uk, xk+1) and f(v1, v2, . . . , vk, xk+1) are loaded into node u’s and v’s memory,
respectively. If the credentials of node u and node v differ in only one element, i.e.,
1. for some i ∈ [1, k], ui ≠ vi, and
2. for j = 1, 2, . . . , k, j ≠ i, uj = vj = cj,
then node u and node v can have a shared key. Node u can take vi as the input to
its own share f(u1, u2, . . . , uk, xk+1), and node v can also take ui as the input to its share
f(v1, v2, . . . , vk, xk+1). Due to the polynomial symmetry, the desired shared key between
nodes u and v has been established as
Kuv = f(c1, c2, . . . , ci−1, ui, ci+1, . . . , ck, vi)
= f(c1, c2, . . . , ci−1, vi, ci+1, . . . , ck, ui) . (2–7)
In fact, node u and node v achieve the key agreement by a marginal t-degree bivariate
polynomial, i.e.,
fi(xi, xk+1) = f(c1, c2, . . . , ci−1, xi, ci+1, . . . , ck, xk+1) . (2–8)
where i ∈ {1, 2, . . . , k} is the common credential between nodes u and v.
2.3.2 Assumptions
We assume each node is identified by an index-tuple (n1, n2, . . . , nk), where ni =
0, 1, . . . , Ni − 1, i ∈ {1, 2, . . . , k}, and we may use the index-tuple as the node ID. Hence
each node is mapped into a point in a k-dimension space S1 × S2 × · · · × Sk, where
ni ∈ Si ⊂ Z and the cardinality |Si| = Ni, for i = 1, 2, . . . , k. The maximum number of
nodes that the network can consist of is $N = \prod_{i=1}^{k} N_i$.
Our model targets key agreement between any pair of end nodes. Hence we
assume the underlying routing protocol can provide connectivity between any pair of
nodes in the network.
Due to the broadcast characteristics of radio communications, attackers can easily
eavesdrop on any message, either non-encrypted or encrypted, transmitted over the air
between nodes. Moreover, due to cost constraints, it is also unrealistic and uneconomical
to employ tamper-resistant hardware to secure the cryptographic material in each
individual node. Hence attackers may capture any node and compromise the secrets
stored in the node. Furthermore, attackers can use the compromised secrets to derive
more secrets shared between other non-compromised nodes. It means that the node
compromise attack is unavoidable. What we can do is to reduce the impact on other
normal nodes as much as possible. In our model, we try to reduce the probability that the
keys shared between non-compromised nodes are exposed when some nodes have already
been compromised. To further evaluate the impact of node compromise, we assume the
probability of the compromise of a node is p.
2.3.3 Share Distribution
Before network deployment, a global t-degree (k + 1)-variate symmetric polynomial is
constructed as stated in Section 2.3.1. This polynomial is used to derive shares for nodes.
To achieve key agreement, every node n should have k credentials (c1, c2, . . . , ck),
which are positive and pairwise different as required in Section 2.3.1. These credentials can
be created and preloaded into nodes before deployment. However, this requires additional
memory space per node. Fortunately, the k credentials can be derived from the k indices
in the node ID (n1, n2, . . . , nk) by a bijection, i.e.,
$$\begin{aligned}
c_1 &= n_1 + 1 \\
c_2 &= n_2 + 1 + N_1 \\
c_3 &= n_3 + 1 + N_1 + N_2 \\
&\;\;\vdots \\
c_{k-1} &= n_{k-1} + 1 + N_1 + \cdots + N_{k-2} \\
c_k &= n_k + 1 + N_1 + \cdots + N_{k-1},
\end{aligned}$$ (2–9)
where ni = 0, 1, . . . , Ni − 1 for i = 1, 2, . . . , k. Thus, the k credentials are drawn from
different zones in that c1 ∈ [1, N1] and ci ∈ [N1 + · · · + Ni−1 + 1, N1 + · · · + Ni] for
i = 2, . . . , k, which guarantees they are positive and pairwise different (Fig. 2-1).
Figure 2-1. Construction of credentials according to the equation (2–9).
For a node (n1, n2, . . . , nk), a polynomial share
$$f_{k+1}(x_{k+1}) = f(c_1, c_2, \ldots, c_k, x_{k+1}) = \sum_{i_{k+1}=0}^{t} b_{i_{k+1}}\, x_{k+1}^{i_{k+1}}$$ (2–10)
is calculated, where
$$b_{i_{k+1}} = \sum_{i_1=0}^{t} \sum_{i_2=0}^{t} \cdots \sum_{i_k=0}^{t} a_{i_1, i_2, \ldots, i_k, i_{k+1}}\, c_1^{i_1} c_2^{i_2} \cdots c_k^{i_k}$$ (2–11)
and (c1, c2, . . . , ck) is mapped from (n1, n2, . . . , nk) according to the equations (2–9).
Obviously, the share is a t-degree univariate marginal polynomial of the global polynomial
and has t + 1 coefficients. Then the polynomial share is assigned to the node. Here, the
node only knows the t + 1 coefficients of the univariate polynomial share, but not the
coefficients of the original (k + 1)-variate polynomial. Therefore, even if the marginal
bivariate polynomial is exposed, the global polynomial is still safe if the degree t is chosen
properly.
2.3.4 Direct Key Calculation
According to Section 2.3.1, two nodes can calculate a shared key if their credentials
have k − 1 elements in common. Due to the one-to-one mapping in the equations (2–9),
two nodes u with ID (u1, u2, . . . , uk) and v with ID (v1, v2, . . . , vk) can directly calculate a
shared key without any interaction if their IDs have k − 1 indices in common.
Suppose that the i-th indices of their IDs are different. Then node u can take
vi + 1 + N1 + · · · + Ni−1 as the input to its own share f(c1, c2, . . . , ck, xk+1), and node v
can as well take ui + 1 + N1 + · · · + Ni−1 as the input to its share f(c1, c2, . . . , ck, xk+1).
Due to the polynomial symmetry, the desired shared key between nodes u and v has been
established as
Kuv = f(c1, . . . , ui + 1 + N1 + · · ·+ Ni−1,
. . . , ck, vi + 1 + N1 + · · ·+ Ni−1)
= f(c1, . . . , vi + 1 + N1 + · · ·+ Ni−1,
. . . , ck, ui + 1 + N1 + · · ·+ Ni−1) . (2–12)
Because all node credentials of u and v are drawn from different subspaces where any
two subspaces have no intersection and ui ≠ vi, the k + 1 credentials used to calculate
the shared key are pairwise different. Therefore the shared key calculated by the nodes u
and v is unique, i.e., other nodes do not know the shared key. Any two nodes can directly
calculate a unique shared key without any negotiation if there is only one mismatch
between their k-tuple IDs.
2.3.5 Indirect Key Negotiation
If two nodes have more than one mismatch between their IDs, they cannot calculate
a shared key directly. However, they can rely on some intermediate nodes as agents to
negotiate a shared key.
Suppose two nodes u and v have j (j ≥ 2) mismatches in their IDs. For simplicity, let
us omit all the same indices and mark the two nodes with those mismatching indices, say
node u
(ui1 , ui2 , . . . , uij)
and node v
(vi1 , vi2 , . . . , vij) ,
where i1, i2, . . . , ij ∈ [1, k] and are pairwise different. Then they can negotiate a shared key
along a secure path consisting of agents as
(vi1 , ui2 , ui3 , . . . , uij−1, uij) ,
(vi1 , vi2 , ui3 , . . . , uij−1, uij) ,
(vi1 , vi2 , vi3 , . . . , uij−1, uij) ,
...
(vi1 , vi2 , vi3 , . . . , vij−1, uij) ,
because all neighboring nodes along the path have direct keys. It is worth noting that
there are many secure paths between node u and node v. Another example is
(ui1 , ui2 , ui3 , . . . , uij−1, vij) ,
(ui1 , ui2 , ui3 , . . . , vij−1, vij) ,
...
(ui1 , ui2 , vi3 , . . . , vij−1, vij) ,
(ui1 , vi2 , vi3 , . . . , vij−1, vij) .
The existence of multiple paths indicates the strong resilience of our scheme in the face of
node compromise.
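The share distribution of (2–9) to (2–11), the direct key calculation of (2–12) and the agent path of Section 2.3.5, as an added Python example that is not the dissertation's code: the field size Q, the subspace sizes (4, 4, 4), the degree t = 3 and the node IDs used in demo() are constructed for illustration, and the polynomial is made symmetric by storing one coefficient per sorted index tuple, which is how condition (2–5) is enforced here.

```python
"""Multivariate symmetric polynomial key agreement (Sections 2.3.1-2.3.5).

Added example, not the dissertation's code. Q, the subspace sizes, t and the
node IDs below are constructed for illustration.
"""
import itertools
import random

Q = 2**31 - 1   # constructed prime field size; a real key needs a larger q


def make_symmetric_poly(t, k, rng):
    """Coefficients of a t-degree (k+1)-variate polynomial (2-3). One value is
    stored per sorted index tuple, so a_{idx} is invariant under any permutation
    of idx, which is exactly the symmetry condition (2-5)."""
    coeffs = {}
    for idx in itertools.product(range(t + 1), repeat=k + 1):
        orbit = tuple(sorted(idx))
        if orbit not in coeffs:
            coeffs[orbit] = rng.randrange(Q)
    return coeffs


def coeff(poly, idx):
    return poly[tuple(sorted(idx))]


def evaluate(poly, t, point):
    """Full evaluation f(x_1, ..., x_{k+1}) over F_q; only the authority can do this."""
    total = 0
    for idx in itertools.product(range(t + 1), repeat=len(point)):
        term = coeff(poly, idx)
        for x, e in zip(point, idx):
            term = term * pow(x, e, Q) % Q
        total = (total + term) % Q
    return total


def credentials(node_id, sizes):
    """Bijection (2-9): ID indices (n_1..n_k) -> positive, pairwise distinct credentials
    drawn from disjoint zones [1,N_1], [N_1+1, N_1+N_2], ..."""
    creds, offset = [], 1
    for n, N in zip(node_id, sizes):
        creds.append(n + offset)
        offset += N
    return creds


def share(poly, t, creds):
    """Univariate marginal f(c_1..c_k, x_{k+1}) of (2-10): its t+1 coefficients
    b_{i_{k+1}} are computed as in (2-11). This is all a node stores."""
    k = len(creds)
    b = [0] * (t + 1)
    for idx in itertools.product(range(t + 1), repeat=k + 1):
        term = coeff(poly, idx)
        for c, e in zip(creds, idx[:k]):
            term = term * pow(c, e, Q) % Q
        b[idx[k]] = (b[idx[k]] + term) % Q
    return b


def eval_share(b, x):
    return sum(bi * pow(x, i, Q) for i, bi in enumerate(b)) % Q


def direct_key(my_id, my_share, peer_id, sizes):
    """Direct key calculation (2-12): feed the peer's credential at the single
    mismatching index into my own share. None if the IDs do not differ in exactly one index."""
    mismatch = [i for i, (a, c) in enumerate(zip(my_id, peer_id)) if a != c]
    if len(mismatch) != 1:
        return None
    return eval_share(my_share, credentials(peer_id, sizes)[mismatch[0]])


def secure_path(u, v):
    """One agent path of Section 2.3.5: switch the mismatching indices from u's
    values to v's one at a time, so consecutive nodes always hold a direct key."""
    path, cur = [tuple(u)], list(u)
    for i in range(len(u)):
        if cur[i] != v[i]:
            cur[i] = v[i]
            path.append(tuple(cur))
    return path


def demo(sizes=(4, 4, 4), t=3, seed=7):
    k = len(sizes)
    poly = make_symmetric_poly(t, k, random.Random(seed))
    shares = {}

    def get_share(nid):                    # share distribution, done once per node
        if nid not in shares:
            shares[nid] = share(poly, t, credentials(nid, sizes))
        return shares[nid]

    u, v = (0, 1, 2), (3, 1, 2)            # one mismatch: direct key
    k_uv = direct_key(u, get_share(u), v, sizes)
    k_vu = direct_key(v, get_share(v), u, sizes)
    ref = evaluate(poly, t, credentials(u, sizes) + [credentials(v, sizes)[0]])
    path = secure_path((0, 0, 0), (1, 1, 1))   # three mismatches: two agents
    hops_ok = all(direct_key(a, get_share(a), b, sizes) is not None and
                  direct_key(a, get_share(a), b, sizes) == direct_key(b, get_share(b), a, sizes)
                  for a, b in zip(path, path[1:]))
    return {"direct_match": k_uv == k_vu == ref,
            "two_mismatch_none": direct_key(u, get_share(u), (3, 0, 2), sizes) is None,
            "agents": len(path) - 2,
            "hop_keys_match": hops_ok}


if __name__ == "__main__":
    print(demo())
```

Note what each party holds: a node keeps only the t + 1 coefficients returned by share(), never the (k+1)-variate coefficient table, so direct_key() needs nothing from the peer beyond its ID. The path in demo() has j = 3 mismatches and therefore j − 1 = 2 agents, each hop being a direct key, which is the structure that the analysis of Section 2.4 counts.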
2.4 Analysis
In this section, we carry out the analysis of our model when two nodes have j
(j ≥ 2) mismatches in their IDs.
2.4.1 Number of Secure Paths
The number of secure paths can be calculated as follows. Each secure path is
constructed in j steps. Beginning from (ui1 , ui2 , ui3 , . . . , uij−1, uij), at each step one of the
indices is replaced with the corresponding one from (vi1 , vi2 , vi3 , . . . , vij−1, vij), and thus
we obtain an agent at that step. At the first step, any of the j indices of node u may be
replaced, so there are j choices. The second step has j − 1 choices. At the j-th step, there
is only one choice left. Hence, the total number of secure paths can be calculated as
$$P = j \cdot (j-1) \cdots 2 \cdot 1 = j!\,.$$ (2–13)
2.4.2 Number of Disjoint Secure Paths
Out of the P secure paths some are disjoint, i.e., any two disjoint paths have no
common agent nodes except the two end nodes u and v. For nodes u and v which have
j mismatches in their IDs, the number of agent nodes that are the neighbors of the end
nodes u or v is j. Hence the number of disjoint secure paths is
Pd = j . (2–14)
2.4.3 Number of Agent Nodes
For nodes u and v which have j mismatches in their IDs, each agent node along a
secure path between the two nodes has an ID constructed in the following way. Randomly
select l positions from j mismatches between u’s and v’s IDs, draw indices from u’s ID at
those positions, and draw indices from v’s ID at the positions that are not selected. The
ID of the agent node consists of the two sets of selected indices and the common indices
between u’s and v’s ID. Hence the number of agent nodes can be calculated as
$$A = \binom{j}{1} + \binom{j}{2} + \cdots + \binom{j}{j-1} = 2^{j} - 2.$$ (2–15)
Figure 2-2. An example of key graph in the 3-dimension ID space. [Plot not reproduced: the axes are n1, n2, n3 and the eight vertices of the cube are (u1,u2,u3), (v1,u2,u3), (u1,v2,u3), (u1,u2,v3), (v1,v2,u3), (v1,u2,v3), (u1,v2,v3) and (v1,v2,v3).]
2.4.4 An Example
An example of 3-dimension ID space is given in Fig. 2-2. Suppose node (u1, u2, u3)
needs to establish a shared key with node (v1, v2, v3), where all 3 indices in their IDs are
mismatching. They can determine 6 agent nodes. All these 8 nodes form a cube in the
3-dimension ID space. There are 6 paths from node u to node v, in which 3 are disjoint.
For example, 3 disjoint paths are
(u1, u2, u3) → (v1, u2, u3) → (v1, v2, u3) → (v1, v2, v3) ,
(u1, u2, u3) → (u1, u2, v3) → (v1, u2, v3) → (v1, v2, v3) ,
and
(u1, u2, u3) → (u1, v2, u3) → (u1, v2, v3) → (v1, v2, v3) .
Obviously, the above set of disjoint paths is not unique.
2.4.5 Security of Direct Keys
All nodes in the network hold partial information of one t-degree (k + 1)-variate
polynomial to achieve key agreement. During the network lifetime, some nodes may be
compromised and then collaborate to expose the polynomial with the partial information
they hold whereby to directly calculate keys between other nodes. Obviously, the
polynomial degree t is an indication of the difficulty to expose the polynomial, and it
is directly related to the security performance. By choosing the value of t properly, we can
guarantee that no matter how many nodes are compromised, their collaboration cannot
expose direct keys held between other non-compromised nodes. In this section, we will
investigate how to choose the polynomial degree.
2.4.5.1 Node compromise in one subspace
Let us consider the malicious collaboration in one subspace. Though in this case
the collaboration can only expose the direct keys between the non-compromised nodes
in the same subspace, this is the easiest attack because adversaries only need to keep
compromising the nodes in one subspace. If they randomly choose nodes to compromise,
they have to compromise more nodes to find all nodes in one subspace, which costs
them more effort.
Suppose there are Ni nodes in the subspace Si, in which all nodes have the same ID
indices in other subspaces, for i = 1, 2, . . . , k. Any pair of nodes in Si can achieve key
agreement with a t-degree bivariate polynomial fi(xi, xk+1), which is the marginal of the
global t-degree (k + 1)-variate polynomial f(x1, . . . , xi, . . . , xk, xk+1) (refer to Section
2.3.1). It has been shown in [8] that a t-degree bivariate polynomial is t-secure in that
a coalition of fewer than (t + 1) nodes holding shares of the t-degree bivariate
polynomial cannot reconstruct it. To guarantee that any pair of nodes in Si have a direct key
that is unsolvable by the other Ni − 2 nodes, an (Ni − 2)-secure bivariate polynomial should be
used. Hence, the degree of the polynomial should satisfy
$$0 \le N_i - 2 \le t, \qquad i = 1, 2, \ldots, k.$$ (2–16)
2.4.5.2 Node compromise in all subspaces
Even if all nodes in one subspace are corrupted, they cannot expose the global
t-degree (k + 1)-variate polynomial because they only know a marginal of the global
polynomial. In order to expose the direct key belonging to any pair of non-compromised
nodes, adversaries must compromise enough nodes in all subspaces to expose the global
polynomial.
If all Ni nodes in subspace Si are compromised, their shares can be used to construct
$N_i(N_i + 1)/2$ equations, i.e.,
$$\begin{aligned}
f_2(u_1, u_1) &= K_{11} \\
&\;\;\vdots \\
f_2(u_1, u_{N_i}) &= K_{1N_i} \\
f_2(u_2, u_2) &= K_{22} \\
&\;\;\vdots \\
f_2(u_{N_i}, u_{N_i}) &= K_{N_iN_i},
\end{aligned}$$ (2–17)
where uj for j = 1, 2, . . . , Ni are the ID indices in subspace Si, Kj1,j2 with j1 ≠ j2 is the
direct key between the j1-th and the j2-th nodes in the subspace, and Kj,j is calculated by
inputting the i-th ID index of the j-th node into its own polynomial share.
If all the subspaces are compromised, the total number of equations that adversaries
can construct is
$$N_e = \frac{N}{N_1} \cdot \frac{N_1(N_1+1)}{2} + \frac{N}{N_2} \cdot \frac{N_2(N_2+1)}{2} + \cdots + \frac{N}{N_k} \cdot \frac{N_k(N_k+1)}{2} = \frac{1}{2}\left(\prod_{i=1}^{k} N_i\right)\left(\sum_{i=1}^{k} N_i + k\right),$$ (2–18)
where the total number of nodes in the network is N = N1 · N2 · · · Nk.
The number of coefficients of a t-degree (k + 1)-variate symmetric polynomial is [8]
$$N_c = \binom{t + k + 1}{k + 1}.$$ (2–19)
Therefore, to guarantee perfect security of the global polynomial, the following
condition should be satisfied, i.e.,
$$N_e \le N_c \;\Longrightarrow\; \frac{1}{2}\left(\prod_{i=1}^{k} N_i\right)\left(\sum_{i=1}^{k} N_i + k\right) \le \binom{t + k + 1}{k + 1}.$$ (2–20)
2.4.5.3 Choosing the degree t
Given the number of nodes in the network, any polynomial degree t satisfying the
aforementioned conditions (2–16) and (2–20) can be chosen. Each node needs to keep a
t-degree univariate polynomial, which has t + 1 coefficients. Thus, to minimize memory
cost per node, we should use the polynomial which has minimum degree satisfying the
aforementioned conditions.
Here we consider a common case where Ni = N1 for i = 1, 2, . . . , k, i.e., all subspaces
have the same number of indices. Thus, the inequality in (2–20) becomes
$$\frac{k}{2} N_1^{k}(N_1 + 1) \le \left(\frac{t}{k+1} + 1\right)\left(\frac{t}{k} + 1\right)\left(\frac{t}{k-1} + 1\right) \cdots \left(\frac{t}{2} + 1\right)(t + 1).$$ (2–21)
We can prove that when
$$t \ge N_1 \sqrt[k+1]{k(k+1)!/2}$$ (2–22)
the inequality (2–21) is satisfied.
Proof:
$$\begin{aligned}
&\left(\frac{t}{k+1}+1\right)\left(\frac{t}{k}+1\right)\cdots\left(\frac{t}{2}+1\right)(t+1) \\
&> \frac{t^{k+1}}{(k+1)!} + \frac{(k+1)(k+2)}{2\,(k+1)!}\, t^{k} \\
&\ge \frac{\bigl(N_1 \sqrt[k+1]{k(k+1)!/2}\bigr)^{k+1}}{(k+1)!} + \frac{\bigl(N_1 \sqrt[k+1]{k(k+1)!/2}\bigr)^{k}\,(k+1)(k+2)}{2\,(k+1)!} \\
&= \frac{k}{2} N_1^{k+1} + \left(\frac{k}{2}\right)^{\frac{k}{k+1}} \frac{(k+1)(k+2)}{2\sqrt[k+1]{(k+1)!}}\, N_1^{k} \\
&> \frac{k}{2} N_1^{k+1} + \frac{(k+1)(k+2)}{2\sqrt[k+1]{(k+1)^{k+1}}}\, N_1^{k} \\
&= \frac{k}{2} N_1^{k+1} + \frac{k+2}{2} N_1^{k} \\
&> \frac{k}{2} N_1^{k}(N_1+1),
\end{aligned}$$ (2–23)
where k ≥ 2. □
Because $\binom{t+k+1}{k+1}$ is a monotonically increasing function of t, the solution of (2–21) should
be [t∗,∞), where t∗ is the minimum degree satisfying (2–21). Because the solution of
(2–22) is a subset of the solution of (2–21), the minimum global polynomial degree t∗
can be bounded as
$$t^{*} \le r \cdot N_1,$$ (2–24)
where the ratio
$$r = \sqrt[k+1]{\frac{k(k+1)!}{2}}.$$ (2–25)
The second column in Table 2-1 gives some bound ratios when k is small. Figure 2-3
illustrates the precise ratio of t* to N1 with respect to N1. We can see that when N1 becomes large,
the value of t*/N1 becomes stable and the real ratio is bounded by r. Some average ratios are
given in the third column in Table 2-1 when k is small. Obviously, when the condition in
the inequality (2–20) is satisfied, the condition in the inequality (2–16) is automatically
satisfied.
Table 2-1. Bound and precise ratios between t* and N1
k    r        t*/N1
1    1        1
2    1.8171   1.7715
3    2.4495   2.3919
4    2.9926   2.9219
5    3.4878   3.4058
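As an added worked example (not part of the dissertation), the following Python script computes the minimum degree t* by scanning inequality (2–21) directly, compares it with the bound r·N1 of (2–24) and (2–25), and reports the per-node share memory that (2–30) bounds. The function names, the linear scan, and the default 128-bit field size are this example's own choices; the formulas are the ones stated above.

```python
from math import ceil, comb, factorial


def adversary_equations(k: int, n1: int) -> int:
    """Equations an adversary can form after compromising every subspace,
    (2-18) with N_i = N_1 for all i: (k/2) * N_1^k * (N_1 + 1).
    N_1 (N_1 + 1) is even, so the integer division is exact."""
    return k * n1**k * (n1 + 1) // 2


def coefficient_count(t: int, k: int) -> int:
    """Coefficients of a t-degree (k+1)-variate symmetric polynomial, (2-19)."""
    return comb(t + k + 1, k + 1)


def min_degree(k: int, n1: int) -> int:
    """Smallest degree t* with N_e <= N_c, i.e. the minimum t satisfying (2-21).
    The binomial grows monotonically in t, so a linear scan from 0 suffices."""
    need = adversary_equations(k, n1)
    t = 0
    while coefficient_count(t, k) < need:
        t += 1
    return t


def bound_ratio(k: int) -> float:
    """r = (k (k+1)! / 2)^(1/(k+1)) from (2-25); t* <= r * N_1 by (2-24)."""
    return (k * factorial(k + 1) / 2) ** (1.0 / (k + 1))


def bound_holds(k: int, n1: int) -> bool:
    """Check (2-24): the scanned minimum degree never exceeds ceil(r * N_1)."""
    return min_degree(k, n1) <= ceil(bound_ratio(k) * n1)


def share_memory_bits(k: int, n1: int, log_q: int = 128) -> int:
    """Memory for one node's univariate share: (t* + 1) coefficients of log q
    bits each, the quantity bounded in (2-30) (the ID bits of (2-29) excluded).
    log_q = 128 is an assumed field size, matching the 64/128-bit q of Section 2.4.8."""
    return (min_degree(k, n1) + 1) * log_q


if __name__ == "__main__":
    # Reproduces the shape of Table 2-1: the bound r beside the real ratio t*/N_1.
    n1 = 100
    for k in range(1, 6):
        print(f"k={k}  r={bound_ratio(k):.4f}  t*/N1={min_degree(k, n1) / n1:.4f}")
```

For k = 2 and N1 = 10 the scan gives t* = 17 (C(20,3) = 1140 is the first binomial at or above the 1100 adversary equations), below the bound 1.8171 · 10; the ratio column of Table 2-1 is what this scan converges to as N1 grows.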
2.4.6 Security of Indirect Keys
For nodes u and v which have j mismatches in their IDs, the secure path between
them consists of j − 1 agent nodes. Suppose the probability that any node is corrupted is
p. The probability that the exchanged indirect shared key between u and v is exposed can
be calculated as
$$P_c = 1 - (1-p)^{j-1}. \qquad \text{(2–26)}$$
Because the maximum number of mismatches in k-dimension ID space is k, the
maximum probability that the exchanged key is exposed is
$$P_{c,\max} = 1 - (1-p)^{k-1}. \qquad \text{(2–27)}$$
Obviously, by tuning k, our scheme can achieve a trade-off between security and memory
cost in large scale networks.
[Figure 2-3. Minimum required polynomial degree. Plot of the ratio of the minimum polynomial degree to the number of indices (t/N1) against the number of indices N1 (0 to 200), one curve each for k = 2, 3, 4, 5.]
2.4.7 Memory Cost
The memory cost per node is mainly related to two parts, i.e., one for the node ID
and the other for the polynomial share. Recall that each node n is identified by a k-tuple
(n1, n2, . . . , nk). All indices can be obtained by dividing its node ID into k fields. In order
to do this, each node needs to know how many bits are allocated for each field. Hence each
node should keep the values of Ni for i = 1, . . . , k. The total number of bits used is
$$M_{ID} = \sum_{i=1}^{k} \log N_i = \log N. \qquad \text{(2–28)}$$
When all subspaces are equal sized, the memory cost for the node ID is
$$M_{ID} = k \log N_1. \qquad \text{(2–29)}$$
In addition, each node in the network keeps a t-degree univariate polynomial share,
which has t + 1 coefficients drawn from the finite field Fq. With the bound calculated
in the previous section, we know the memory cost per node for polynomial share can be
bounded as
$$M_p \le \Big(\sqrt[k]{N}\,\sqrt[k+1]{\frac{k(k+1)!}{2}} + 1\Big)\log q. \qquad \text{(2–30)}$$
Due to the large value of q, usually we have $M_{ID} \ll M_p$. Thus, the total memory cost
is
$$M = M_{ID} + M_p \le \log N + \Big(\sqrt[k]{N}\,\sqrt[k+1]{\frac{k(k+1)!}{2}} + 1\Big)\log q \sim \sqrt[k]{N}\, r \log q. \qquad \text{(2–31)}$$
Obviously, compared with conventional probabilistic distributed models, which have
memory cost at the level of O(N), our scheme has very small memory cost per node,
which is on the order of $O(\sqrt[k]{N})$ when k is fixed.
2.4.8 Computation Overhead
Our scheme is based on the symmetric key technology. Each sensor node can calculate
a key by using a t-degree univariate polynomial, which is a share of a global polynomial.
To calculate a key, each node should calculate 2t − 1 modular multiplications over $\mathbb{F}_q^*$:
t − 1 for $x^2, \ldots, x^t$ and t for $b_1 x, b_2 x^2, \ldots, b_t x^t$. Under the symmetric key technology, the
length of q is usually 64 bits or 128 bits. Suppose the total number of nodes is N and each
subspace has the same number of nodes. We can estimate that the number of 64-bit or
128-bit modular multiplications each node needs to calculate is
$$C_1 = 2t^* - 1 \le 2r\sqrt[k]{N} + 1 = 2\sqrt[k+1]{\frac{k(k+1)!}{2}}\,\sqrt[k]{N} + 1. \qquad \text{(2–32)}$$
2.4.9 Communication Overhead
As the establishment of direct keys between a pair of nodes does not require
handshakes between them, the major communication overhead lies with the establishment
of indirect keys. Just like most existing security schemes that require handshakes between
end nodes to negotiate a shared key, this overhead is inevitable. However, few analytical
results about the overhead are given by current schemes. Most of them rely on simulation
to measure communication overhead. Here, we give an analytical estimation of the
communication overhead of our scheme.
For a pair of nodes with i mismatches in their IDs, i = 2, . . . , k, a secure path
between them involves i − 1 agent nodes. If the average path length between a pair of
nodes that have only one mismatch in their IDs is L, the average path length between a
pair of nodes with i mismatches in their IDs is iL. The probability that two nodes have
i mismatches in their IDs is $\binom{k}{i}(\sqrt[k]{N}-1)^i/(N-1)$. Hence the average communication
overhead can be estimated as
$$\begin{aligned}
C_2 &= \sum_{i=2}^{k}\binom{k}{i}\frac{(\sqrt[k]{N}-1)^i}{N-1}\, iL \\
&= \frac{L(\sqrt[k]{N}-1)}{N-1}\Big(\sum_{i=2}^{k}\binom{k}{i}x^i\Big)'_x, \qquad x = \sqrt[k]{N}-1 \\
&= \frac{k\big(\sqrt[k]{N^{k-1}}-1\big)\big(\sqrt[k]{N}-1\big)}{N-1}\,L \\
&= \frac{k(N_1^{k-1}-1)(N_1-1)}{N_1^{k}-1}\,L, \qquad \text{(2–33)}
\end{aligned}$$
where $N = N_1^k$. Several cases when k is small are depicted in Fig. 2-4.
2.5 Security Enhancement of Indirect Keys
In our model, direct keys are safe because they are calculated by end nodes
without any interaction. On the other hand, indirect keys may be exposed during their
transmission between end nodes if any intermediate agent node is compromised. However,
the existence of multiple secure paths between two nodes can be utilized to enhance the
confidentiality of indirect keys. The idea is to transform an indirect key into many pieces
and transmit those pieces through multiple secure paths instead of one, such that the key
can be recovered if and only if all those secure paths are corrupted [11].
[Figure 2-4. The communication overhead. Plot of the communication overhead C2 (in units of L) against the number of indices N1 (0 to 200), one curve each for k = 2, 3, 4, 5.]
Suppose node u needs to negotiate an indirect key with v. Node u may randomly
select a key Kuv and construct a new polynomial as
$$g(x) = K_{uv} + k_1 x + k_2 x^2 + \cdots + k_s x^s. \qquad \text{(2–34)}$$
Then, Shamir's (s + 1, T) threshold secret sharing scheme [12] can be applied. Specifically,
T shares can be calculated as
$$g(1), g(2), \ldots, g(T), \qquad \text{(2–35)}$$
where T ≥ s + 1.
Next, node u transmits the T shares to node v through multiple secure paths by
following the method proposed in [11]. Suppose u and v have j mismatches in their IDs,
which means there are j disjoint secure paths between them. Then node u may transmit
T/j shares along each secure path to node v. Once node v gets s + 1 out of T shares, it
can recover the polynomial g(x) and get the key Kuv by Lagrange interpolation.
The value T should be chosen properly such that the polynomial g(x) cannot be
recovered even if j − 1 out of j secure paths are corrupted. Thus T should satisfy
$$\begin{cases} T \ge s+1 \\ T - T/j < s+1 \end{cases} \qquad \text{(2–36)}$$
$$\implies s+1 \le T < \frac{j(s+1)}{j-1}. \qquad \text{(2–37)}$$
By following this procedure, the key Kuv may be exposed only if all j secure paths are
corrupted. Hence the probability of key exposure is reduced to
$$P'_c = P_c^{\,j} = \big(1-(1-p)^{j-1}\big)^{j}. \qquad \text{(2–38)}$$
The tradeoff here is the increase in communication overhead. However, we can choose
the number of secure paths to achieve a certain level of security while maintaining
an acceptable communication overhead.
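The multi-path transfer of Kuv described in this section, as an added Python example (not the author's code): it builds g(x) of (2–34) over a constructed 127-bit prime field, emits the T shares of (2–35), splits them round-robin over the j disjoint paths, recovers Kuv by Lagrange interpolation from any s + 1 shares, and evaluates (2–38). Because real shares cannot be split fractionally, the check on T uses the integer form of (2–36): the j − 1 best-stocked paths together must carry at most s shares. With s = 4 and j = 3 this accepts T = 6 but rejects T = 7, even though 7 < j(s + 1)/(j − 1) = 7.5 satisfies (2–37) as a real-number condition. The prime, the round-robin assignment, and the helper names are assumptions of this example.

```python
import secrets

# Constructed field for the example: the Mersenne prime 2^127 - 1 stands in for F_q.
PRIME = (1 << 127) - 1


def make_shares(key: int, s: int, T: int, prime: int = PRIME) -> list:
    """g(x) = K_uv + k_1 x + ... + k_s x^s with random k_i (2-34);
    returns the T shares (i, g(i)), i = 1..T (2-35). Requires T >= s + 1."""
    if T < s + 1:
        raise ValueError("need at least s + 1 shares for g(x) to be recoverable")
    coeffs = [key % prime] + [secrets.randbelow(prime) for _ in range(s)]
    shares = []
    for x in range(1, T + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of g(x) mod prime
            y = (y * x + c) % prime
        shares.append((x, y))
    return shares


def recover_key(shares: list, prime: int = PRIME) -> int:
    """Lagrange interpolation of g at x = 0 from any s + 1 (or more) shares."""
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        key = (key + yi * num * pow(den, -1, prime)) % prime
    return key


def split_over_paths(shares: list, j: int) -> list:
    """Round-robin the T shares over the j disjoint secure paths (about T/j each)."""
    return [shares[p::j] for p in range(j)]


def survives_path_compromise(paths: list, s: int) -> bool:
    """Integer version of T - T/j < s + 1 from (2-36): the j - 1 best-stocked
    paths together carry at most s shares, so only an adversary sitting on
    every path reaches the s + 1 shares interpolation needs."""
    sizes = sorted(len(p) for p in paths)
    return sum(sizes[1:]) <= s


def exposure_probability(p: float, j: int) -> float:
    """P'_c = (1 - (1 - p)^(j-1))^j from (2-38); the single-path figure
    P_c = 1 - (1 - p)^(j-1) of (2-26) is the base being raised to the j-th power."""
    return (1 - (1 - p) ** (j - 1)) ** j


def demo(key: int, s: int, T: int, j: int) -> dict:
    """End-to-end run: share, split over j paths, recover from s + 1 shares."""
    shares = make_shares(key, s, T)
    paths = split_over_paths(shares, j)
    return {
        "recovered": recover_key(shares[: s + 1]),
        "recovered_all": recover_key(shares),
        "path_sizes": [len(p) for p in paths],
        "safe": survives_path_compromise(paths, s),
    }


if __name__ == "__main__":
    print(demo(0x5EC2E7, s=4, T=6, j=3))  # sizes [2, 2, 2], safe
    print(demo(0x5EC2E7, s=4, T=7, j=3))  # sizes [3, 2, 2], two paths already hold 5
    print(f"p=0.1, j=3: P_c={1 - 0.9**2:.4f}  P'_c={exposure_probability(0.1, 3):.6f}")
```

The `survives_path_compromise` check is the one to run before choosing T in a deployment: it takes the actual per-path share counts rather than the real-valued T/j, and so catches the case where (2–37) admits a T that round-robin assignment cannot protect.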
2.6 Key Establishment in Wireless Sensor Networks
2.6.1 Random Key Material Distribution
The key agreement models described in this chapter can guarantee that every pair
of nodes in a network of N nodes has a unique shared key, but the cost is that each node
needs to store N − 1 keys. This is impractical for WSNs due to the memory constraints of
sensor nodes and the possibly large scale of sensor networks. Instead, most recent research
papers in this field loosen the security requirement and follow a partial pre-distribution
approach, where key materials are pre-distributed such that some sensor nodes can
establish shared keys directly and they can help to establish indirect shared keys between
other sensor nodes.
A typical scheme is the random key pre-distribution (called RKP hereafter) [13], in
which each node is pre-loaded with a subset of keys, called key ring, randomly selected
from a global pool of keys such that any pair of neighboring nodes can share at least one
key with a certain probability. After deployment, two neighboring nodes can have a shared
key directly or negotiate an indirect key through a secure path, along which every pair of
neighboring nodes has a direct shared key.
The theoretical basis of RKP is the random graph [14]. A random graph G(n, p) is a graph
of n nodes for which the probability that a link exists between two nodes is p. The graph
does not have any edge if p = 0 and is fully connected if p = 1. There is a transition from
non-connected to fully connected when p increases. RKP exploits this property by setting p
larger than a certain value such that the network is almost connected. Here the size of the
global key pool and the size of the key ring for an individual node can be tuned to achieve such a
property.
A major concern of RKP is node compromise. The random selection of key
ring for each node means the reuse of each key by multiple nodes. An attacker may
compromise a node and expose its key ring, out of which some keys may be used by
other non-compromised nodes. This leads to the failures of the links between those
non-compromised nodes.
To mitigate the impact of node compromise, several follow-up schemes have been proposed.
q-composite RKP [15] follows RKP except that any pair of neighboring nodes are
required to share at least q keys with a certain probability. q-composite RKP can improve
the resilience to node compromise when the number of compromised nodes is small.
Unfortunately, it is not effective when the number is large.
Another problem of RKP is the lack of authentication because of the reuse of the
same key by multiple nodes. To solve the problem, node identity information is used to
derive key rings for sensor nodes [16]. A similar approach is taken in the random-pairwise
key (RPK) [15] scheme, where each node keeps a set of keys, each of which is uniquely
shared with another node. Du et al. developed the multiple-space key pre-distribution
(MSKP) scheme in [17], where the global key pool in [13] is replaced by a pool of
Blom’s matrices [7]. Liu and Ning [18, 19] presented the polynomial pool-based key
pre-distribution (PPKP) scheme, which is basically the same as MSKP, but each Blom’s
matrix is replaced by a polynomial [8]. In those schemes, each key is tied to the identities
of the nodes sharing it. In this way, the identity of a node can be verified through the
normal challenge-response approach by other nodes that share the unique key with it.
Particularly, a verifier node can send an encrypted random number, called a challenge, to
the suspect node, and the suspect node can prove its identity by returning the decrypted
result to the verifier node.
RKP requires the storage of a key ring by each node to make the network almost
connected. In some cases where sensor nodes do not have enough memory resource,
this becomes a problem. Hwang and Kim [20] revisited RKP and its follow-up schemes
and proposed to reduce the amount of key material that each node keeps while still
maintaining a certain probability of sharing a key between two nodes. The probability
can assure that there is a largest component of the network connecting most nodes. The
trade-off is that some small sets of nodes may be isolated because they do not share keys
with the largest component.
2.6.2 Deterministic Key Material Distribution
The probabilistic nature of the random distribution of key material cannot guarantee
that two neighboring nodes establish a shared key according to the underlying random
graph theory. This is not desirable because some sensor nodes may not be able to establish
shared keys with their neighbors and thus are isolated. In order to solve the problem, two
deterministic approaches have been developed.
One approach is to use a strongly regular graph or a complete graph to replace the
random graph to do key pre-distribution [21–23]. In an (n, r, λ, µ) strongly regular graph,
there are n nodes, each of which has a degree of r, and any pair of which has λ common
neighbors when they are adjacent and µ common neighbors when they are nonadjacent.
In the strongly regular graph, every pair of nodes is connected through a path. Each link
(edge) can be assigned a unique key which is preloaded into the two end vertices
(nodes). Besides the regular graph, the block design in set theory can be used in key
predistribution, in which all the nodes form a complete graph at the network layer. The
tool is the balanced incomplete block design (BIBD). A (v, r, λ)-BIBD is an arrangement
of v objects into many blocks such that each block contains r distinct objects and every
pair of objects occurs in exactly λ blocks. For example, when an $(n^2 + n + 1, n + 1, 1)$-BIBD
is applied in a WSN, each sensor node is preloaded with n + 1 keys, which form a block
out of a pool of $n^2 + n + 1$ keys, and every pair of nodes has one common key. In [24], the
BIBD design is combined with the polynomial model [8] in the sense that each sensor node
is preloaded with polynomials. Their scheme enables authentication in addition to those
properties provided by the original BIBD design.
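An added example in Python (not from the cited papers) constructing the (n² + n + 1, n + 1, 1)-BIBD described above from the projective plane of prime order n, assigning one block as a key ring to each of the n² + n + 1 nodes, verifying that every pair of nodes shares exactly one key, and, as the defender's check behind the node-compromise remark in Section 2.6.3, counting how many links between non-compromised nodes are exposed once one node's ring is captured. The prime-order construction (points and lines of PG(2, n) over the field with n elements) and the helper names are this example's assumptions; the original text does not restrict n.

```python
from itertools import combinations, product


def projective_points(q: int) -> list:
    """Points of the projective plane PG(2, q), q prime: nonzero vectors of
    F_q^3 normalised so the first nonzero coordinate is 1. Count: q^2 + q + 1."""
    pts = []
    for v in product(range(q), repeat=3):
        if any(v):
            first = next(c for c in v if c)
            if first == 1:
                pts.append(v)
    return pts


def bibd_key_rings(q: int) -> list:
    """(q^2+q+1, q+1, 1)-BIBD from PG(2, q): each key is a point, each node's
    key ring is the set of points on one line (q+1 keys). By duality the lines
    use the same coordinate representatives; incidence is dot product 0 mod q."""
    points = projective_points(q)
    rings = []
    for line in points:
        ring = frozenset(
            idx for idx, p in enumerate(points)
            if sum(a * b for a, b in zip(line, p)) % q == 0
        )
        rings.append(ring)
    return rings


def check_design(q: int) -> bool:
    """Verify the BIBD properties: v = q^2+q+1 keys and rings, q+1 keys per
    ring, exactly one key shared by every pair of rings (nodes), and every
    pair of keys occurring together in exactly one ring (lambda = 1)."""
    v = q * q + q + 1
    rings = bibd_key_rings(q)
    if len(rings) != v or any(len(r) != q + 1 for r in rings):
        return False
    if any(len(a & b) != 1 for a, b in combinations(rings, 2)):
        return False
    for key_a, key_b in combinations(range(v), 2):
        if sum(1 for r in rings if key_a in r and key_b in r) != 1:
            return False
    return True


def exposed_links(q: int, compromised: set) -> tuple:
    """Defender's view of node compromise: count links between non-compromised
    nodes whose single shared key lies in a captured node's ring.
    Returns (exposed, total) over all pairs of non-compromised nodes."""
    rings = bibd_key_rings(q)
    leaked = set().union(*(rings[c] for c in compromised)) if compromised else set()
    honest = [i for i in range(len(rings)) if i not in compromised]
    exposed = total = 0
    for u, v in combinations(honest, 2):
        (shared,) = rings[u] & rings[v]  # exactly one shared key by construction
        total += 1
        if shared in leaked:
            exposed += 1
    return exposed, total


if __name__ == "__main__":
    for q in (2, 3, 5):
        print(f"n={q}: design ok={check_design(q)}, "
              f"one capture exposes {exposed_links(q, {0})} honest links")
```

Each key of a captured node lies in n other rings, so one capture exposes (n + 1)·C(n, 2) of the C(n² + n, 2) honest links: 3 of 15 for n = 2 and 12 of 66 for n = 3. That is the key-reuse cost the comparison in Section 2.6.3 refers to, made concrete.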
The other approach is to use a multi-dimension grid to replace the random graph,
which is followed by our model [9, 10]. Particularly, each sensor node is assigned an ID
(n1, n2, . . . , nk) such that all the nodes form a k-dimension grid. Each node is preloaded
with some key material such that it can establish direct shared keys with other nodes
along the same dimension and negotiate indirect keys with other nodes in different
dimensions. There are also several similar works following the grid approach. PIKE [25]
simply assigns a unique key for each pair of nodes along each dimension. Hypercube
[18, 19] is the same as PIKE except that it uses bivariate polynomials instead of keys to
achieve key agreement between nodes along each dimension. Delgosha and Fekri [26, 27]
follow Hypercube [18, 19] but use multiple multivariate polynomials to establish multiple
common keys between each pair of nodes along each dimension.
In those deterministic schemes, a node can find whether it has a direct shared key
with another node based on the identity of that node. This can provide an authentication
service in that the identity of a node can be challenged based on its keys that are related
to its identity.
2.6.3 Comparisons With Related Work
Centralized schemes, such as SPINS [6], need a trusted server to facilitate key
agreement between any two nodes. The trusted server can be a potential failure point.
Distributed methods are more secure due to the elimination of the failure point.
Distributed models such as pairwise key, matrix [7] and polynomial [8] lack scalability
because of their large memory cost of N − 1 in a network of N nodes and are thus only
suitable for small networks.
Probabilistic schemes [13, 15–19] can provide a certain level of scalability with the
tradeoff that they cannot guarantee that every pair of nodes establishes a shared key.
Though the memory cost of those schemes is less than that of standard distributed models
including pairwise key, matrix [7] and polynomial [8], the memory cost still increases
linearly with respect to the total number of nodes if they need to achieve a certain level of
security or communication efficiency [25] and thus is on the order of O(N). Key reuse is
fatal under the node compromise attack. Moreover, those schemes are targeted at key
establishment between neighboring nodes, while our model can achieve end-to-end key
agreement.
Graph-based design [21–23] can ensure key sharing directly or indirectly between any
pair of nodes. In their schemes, however, each key is also reused by many sensor nodes as
in the probabilistic schemes. This leads to poor resilience to node compromise in that one
compromised node can expose keys belonging to other non-compromised nodes. In addition,
the memory cost of their schemes is roughly $O(\sqrt{N})$ where N is the total number of
nodes, while the memory cost of our scheme can be $O(\sqrt[k]{N})$, which is more scalable.
In other grid-based designs [19, 25–27], the memory cost is at the level of $k(\sqrt[k]{N}-1)$
where N is the total number of nodes. In comparison, our model has the memory cost of
$\sqrt[k]{N}\,\sqrt[k+1]{\frac{k(k+1)!}{2}} + 1$ and can achieve more memory efficiency when k increases.
Another merit of our model is that the communication overhead tends to be a
constant (∝ L, where L is the average path length between a pair of nodes that have only
one mismatch in their IDs) when the network size is larger than a certain threshold (refer
to Fig. 2-4). This means our scheme can provide a good scalability. On the other hand,
the communication overhead can be reduced if we could reduce the value of L. We will
show in Chapters 3 and 4 that in static networks (such as sensor networks) deployment
information can be used to reduce the value of L and thus reduce the communication
overhead.
2.7 Conclusion
In this chapter, we discussed several traditional distributed key agreement models
and pointed out that they are not suitable for large networks because of their memory
cost of order N − 1 in a network of N nodes. We proposed a novel key agreement model
based on a multivariate symmetric polynomial [9, 10]. Our model is scalable for large
networks with small memory cost per node. We show that our model has only $O(\sqrt[k]{N})$
memory cost per node, where k ≥ 1. The dimension of the ID space k is a parameter we
can control to achieve the trade-off between overhead per node and security performance.
Our model is also deterministic in the sense that any pair of nodes can compute a shared
key independently or negotiate one through k − 1 agent nodes (k ≥ 1).
CHAPTER 3
KEY ESTABLISHMENT USING DEPLOYMENT KNOWLEDGE IN WIRELESS SENSOR NETWORKS
3.1 Introduction
The significant advances of hardware manufacturing technology and efficient software
algorithms make a network of a large number of small and low-cost sensors through
wireless communications, i.e., wireless sensor networks (WSN) [28–30], a promising
network infrastructure for many applications, such as environmental monitoring, medical
care, and home appliance management. This is particularly true for battlefield surveillance
and homeland security scenarios, because WSNs are easy to deploy and self-configuring
for those applications. In many hostile tactical scenarios and important commercial
applications, however, security mechanisms are necessary to protect WSNs from malicious
attacks, and thus the security in WSNs becomes an important and a challenging design
task.
3.1.1 Sensor Network Model
A WSN is a large network of resource-constrained sensor nodes with multiple preset
functions such as sensing and processing to fulfill different application objectives [28–30].
Usually, sensor nodes are deployed in a designated area by an authority such as
government or military unit, and then automatically form a network through wireless
communications. Sensor nodes are static most of the time, while mobile nodes can also be
deployed according to application requirements. One or several base stations (BS) are
deployed together with the network. A BS can be either static or mobile. Sensor nodes
keep monitoring the network area after being deployed. Once an event of interest occurs,
one of the surrounding sensor nodes may detect it, generate a report and transmit the
report to a BS through multihop wireless links. Collaboration can be carried out if
multiple surrounding nodes detect the same event. In this case, one of them generates a
final report after collaborating with the other nodes. The BS may process the report and
then forward it through either high quality wireless or wired links to the external world
for further processing. The WSN authority may send commands or queries to a BS, which
spreads those commands or queries into the network. Hence BSs act as gateways between
the WSN and the external world. An example is illustrated in Fig. 3-1.
[Figure 3-1. A wireless sensor network: sensor nodes around an event, connected by wireless links to base stations, which reach an external network over high quality links.]
Since a WSN consists of a large number of sensor nodes, each sensor node is usually
limited in its resource due to the cost consideration in manufacturing. For example,
MICA2 MPR400CB [31], which is the most popular sensor node platform, has only 128
KB program memory and an 8-bit ATmega128L CPU [32]. Its data rate is 38.4 KBaud over
500 ft, and it is powered by only 2 AA batteries. The constrained resource cannot support
complicated applications. On the other hand, BSs are usually well-designed and have more
resource since they are directly attached to the external world.
3.1.2 Security Challenges
Though the key management problem has been investigated thoroughly in conventional
wired networks such as the Internet and wireless networks such as cellular networks,
wireless local area networks (WLAN) or ad hoc networks, the existing solutions can hardly
be transplanted into WSNs due to their unique characteristics, which make them very
vulnerable to malicious attacks in hostile environments such as military battlegrounds:
1. In wired networks, the key materials transmitted over shielded wired lines during the negotiation phase between the source and sink are more difficult to intercept. But a wireless channel is open to eavesdroppers. With a radio interface configured at the same frequency band, anyone can monitor or participate in communications. This provides a convenient way for attackers to capture key materials transmitted over the air to expose the corresponding keys. In addition, attackers can also intercept the encrypted ciphertexts so that they can analyze the eavesdropped packets to get some key information whereby to derive keys between sensor nodes.
2. In cellular networks and WLANs, the communication pattern is one-hop between the base station or the access point and the mobile node, but in WSNs, all the nodes are involved in multi-hop communications. Most centralized security protocols cannot be directly applied in distributed WSNs. Though ad hoc networks bear more similarities with WSNs, the nodes in ad hoc networks are more powerful than those in WSNs, thus being able to support more secure, more complex protocols.
3. Moreover, the wireless channel is very dynamic. Key establishment protocols may endure frequent interruptions when channel conditions vary. Though link layer protocols can have some error control mechanisms, the cost of establishing keys is inevitably increased.
4. As in the Internet, most protocols for WSNs do not include potential security considerations at their design stage. Due to standardization activity, most protocols are publicly known. Therefore, attackers can easily launch attacks by exploiting security holes in those protocols.
5. The constrained resource makes it very difficult to implement strong security algorithms on a sensor platform due to their complexity. Most of the time symmetric key cryptography is the first choice to design a security protocol for WSNs, though public key cryptography is possible under careful optimization in design and implementation.
6. A WSN may scale up to thousands of sensor nodes. Moreover, during the lifetime of the WSN, some nodes may run out of power, and some new nodes may be inserted to increase the network processing capability. Therefore, the number of nodes can vary from time to time. This node dynamics poses the demand for simple, flexible and scalable security protocols. However, to design such security protocols is not an easy task. A stronger security protocol costs more resource on sensor nodes, which can lead to the performance degradation of applications. In most cases, a trade-off has to be made between security and performance. However, weak security protocols may be easily broken by attackers.
7. A WSN is usually deployed in hostile areas without any fixed infrastructure. It is difficult to perform continuous surveillance after network deployment. Therefore, it may face various attacks.
3.1.3 Attacks
There are various attacks against WSNs, which can be classified from different points
of view.
3.1.3.1 Attack techniques
Attackers can disrupt a WSN by utilizing various techniques [33]. Since most
communication protocols are publicly known, attackers can eavesdrop on the packets
transmitted over the air for further cryptanalysis or traffic analysis. The eavesdropped
packets can be replayed at a later time or at another place to incur inconsistency. False
packets can be injected into the network to confuse sensor nodes. Malicious nodes can also
modify received packets before forwarding them.
Node compromise is one of the most detrimental attacks to WSNs [33]. Since WSNs
are usually deployed in a hostile environment without continuous monitoring, an attacker
can capture a sensor node and use proper devices to dig into the sensor hardware and find
key material. Due to cost constraints, it is also unrealistic and uneconomical to employ
tamper-resistant hardware to secure the cryptographic material in each individual node.
Even if tamper-resistant devices are available, they are still not able to guarantee perfect
security of secret material [34]. This means that the node compromise attack is unavoidable
in WSNs. The exposed key material gives the attacker more capability to launch other
severe attacks, such as deriving the keys used by other non-compromised nodes. What we
can do about node compromise is to reduce the impact on other normal nodes as much as
possible. When a certain number of nodes are compromised, for instance, the probability
that a key used by other normal nodes is exposed should be as small as possible.
Sometimes attackers are not interested in data content in the network. They may
simply introduce radio jamming interference into the same radio bands to disrupt
communications between nodes [35], leading to the denial of service (DoS) attack.
If an attacker has infinite power supply, he can keep jamming the wireless channel
continuously whereby to stop normal communications. Otherwise, the attacker can
introduce intermittent jamming interference to deteriorate channel condition and cause
packet loss. If communication protocols are known by the attacker, the intermittent
jamming can be more efficient because the attacker knows which part of one packet is of
high value for the jamming attack.
3.1.3.2 Passive vs. active
According to operation mode, attacks can be passive or active. In a passive attack,
the attacker’s goal is to get some information without being detected. Usually, the
attacker just keeps quiet to eavesdrop traffic. If he knows the communication protocols,
he can follow those protocols like normal sensor nodes. By passively participating in the
network, the attacker collects a large volume of traffic data and carries out analysis on
them such that some secret information can be extracted. Those exposed secrets can be
used for various purposes. Usually, the passive attack is very difficult to detect, since the
attacker does not leave too much evidence.
In an active attack, the attacker exploits the security holes in the network protocol
stack to launch various attacks such as packet modification, injection or replay. The
impact of active attacks is more severe than that of passive attacks. However, more anomalies can
serve as evidence of malicious attacks, because the attacker is actively involved in network
communications.
3.1.3.3 External vs. internal
Usually, a WSN is deployed and managed by one authority. All the nodes in the
network can be seen as honest and cooperative entities, while attackers are precluded from
the network and have no right to access the network. Those external attackers can launch
attacks only from outside the network. The impact of such attacks is limited.
If an attacker can get the authorization to access the network, he becomes an internal
attacker. In this case, the attacker can cause more severe damage because he is seen as
a legitimate entity. Usually, an attacker can become an internal one by compromising
a legitimate node, or by deploying malicious nodes which can pass the network access
control mechanism.
WSNs are usually deployed in hostile environments, such as battle fields or disaster
locations, where fixed infrastructures are not available. After deployment, it is infeasible
to provide constant surveillance and protection of a WSN. Therefore node compromise is
easy for attackers to launch.
A compromised node can be used as a platform to launch other tricky attacks. The
adversary can let the compromised node impersonate another normal node to establish
secure communications with other normal nodes. Therefore, node authentication should be
considered during the key establishment procedure. If the compromised node is involved as
a router between a pair of source and sink nodes, the key negotiation procedure may fail
just because the compromised node intentionally drops some packets for the negotiation
between the source and sink.
3.1.4 Security Requirements
The harsh environments and the existence of threats demand more careful security
considerations in the design of WSN protocols. Typically, one or more of the following
security services should be provided:
1. Confidentiality is a basic security service to keep the secrecy of important data transmitted between sensor nodes. Usually, critical parts of a packet are encrypted before the packet is transmitted from the source node and then decrypted at the sink node. Without the corresponding decryption keys, attackers are prevented from accessing that critical information. What kind of information needs to be encrypted depends on the application. In some cases only the data part of a packet is encrypted, and in other cases the packet header is also encrypted to protect node identities.
2. Authenticity is critical to provide the assurance of the identities of communicating nodes. Every node should check whether a received message comes from the real sender. Without authentication, attackers may easily spoof node identities to spread false information into the WSN. Usually, an attached message authentication code (MAC) can be used to authenticate the origin of a message.
3. Integrity should be provided to guarantee that the transmitted messages are not modified by attackers. Attackers may introduce interference to some bits of transmitted packets to change their polarities. A malicious routing node may also change important data in packets before forwarding them. Just as a cyclic redundancy checksum (CRC) can be used to detect random errors during packet transmissions, a keyed checksum, such as a MAC, can protect packets against modification.
4. Availability indicates another important capability of a WSN to provide services whenever they are needed. However, attackers may launch attacks to degrade the network performance or even destroy the entire network. Denial of Service (DoS) attacks [35] are the most detrimental threat to the network availability, where adversaries cause the network to lose its ability to provide services by sending radio interference, disrupting network protocols or depleting nodes' power through some tricky methods.
3.2 Uniform Key Material Distribution
As is shown in Chapter 1 and Chapter 2, key establishment is the first step to set up
a secure infrastructure for WSNs. We also showed that the distributed key agreement models
such as pairwise key, matrix [7] and polynomial [8] described in Chapter 2 can guarantee
that every pair of nodes in a network of N nodes has a unique shared key, but the cost is
that each node needs to store N − 1 keys. This is impractical for WSNs due to the memory
constraints of sensor nodes and the possibly large scale of sensor networks. Instead, most
recent research papers [13, 15–19] in this field loosen the security requirement and follow a
partial pre-distribution approach, where key materials are pre-distributed such that some
sensor nodes can establish shared keys directly and they can help to establish indirect
shared keys between other sensor nodes.
Partial pre-distribution reduces the memory cost of each node. Pre-distributing
less key material, however, also implies a smaller probability that
two neighboring nodes can establish a direct shared key, thus leading to lower secure
connectivity, which is defined as the probability that two neighboring nodes establish a
direct shared key. The consequence of low secure connectivity is that two neighboring nodes
have a higher probability of negotiating an indirect key through a multihop path, which
means higher communication overhead.
The reason behind this dilemma is that previous schemes [13, 15–19] assume that
all key materials are uniformly pre-distributed over the entire network. Therefore, two
nodes with correlated key material may not be in each other's neighborhood.
We observe that in many practical scenarios certain deployment knowledge may be
known a priori. Hence, a problem not well addressed so far is which deployment model we
should adopt to obtain as much gain as possible from that knowledge. Existing schemes either
assume a simple square cell deployment model [36–38] or use group-based pre-distribution [39–44].
In this chapter, we study how to leverage deployment knowledge to facilitate key
establishment in WSNs. We make the following contributions. First, we propose new
hexagon [45] and triangle [46] cell based deployment models and demonstrate that
they are much better choices than a square cell deployment model for facilitating key
establishment. Second, we propose a novel edge-based secret pre-distribution model to
reduce the memory costs of sensor nodes. Last, we use extensive analytical results and
simulation study to show that the proposed schemes can provide perfect resilience to node
capture attacks, high secure connectivity, and high energy efficiency with much smaller
memory costs.
3.3 A Square Cell Deployment Model
The schemes in [36–38] use square cells to model node deployment. The entire
network is divided into many non-overlapping square cells, each of which is centered at a
predefined deployment point. In each square cell a group of nodes is deployed. Based on
the square cell model, different secret pre-distribution models and key agreement models
can be applied. In particular, the location-based key pre-distribution (LBKP) scheme [36]
can achieve better performance due to its polynomial-based resistance to node compromise
attacks and high secure connectivity. In LBKP each deployment point is associated with a
unique t-degree bivariate polynomial, and all nodes destined to the same deployment point
are preloaded with partial information (shares) of the corresponding polynomial. To guarantee
a certain secure connectivity, each polynomial is also assigned to the horizontal and the
vertical neighboring cells. For example, in Fig. 3-2, the polynomial of cell C33 is also
assigned to cells C32, C34, C23, and C43. The polynomials of other cells are assigned in the
same way. As a result, a node in C33 has some common polynomial information with other
nodes in the shaded areas. We refer readers to [36] for more technical details.
[Figure 3-2 shows cell C33 with its horizontal neighbors C32, C34 and its vertical neighbors C23, C43.]
Figure 3-2. A square cell deployment model.
3.4 New Deployment and Secret Pre-Distribution Models
Compared with the uniform deployment model in [13, 15–19], the square cell model
in LBKP [36] is able to localize the impact of node compromise attacks in that each set
of secrets is pre-distributed on a cell-scale instead of a network-scale. Even when some
nodes are compromised and their preloaded secrets are revealed to attackers, it would
only gracefully degrade the security of the home cell or adjacent cells of compromised
nodes, so the square cell model outperforms the uniform deployment model in terms of
security. However, can we do better? To answer this question, below we first analyze the
security of t-degree bivariate polynomials, then we propose a hexagon cell model and an
edge-based secret pre-distribution model. Last, we present a triangle cell model featuring
higher security and lower memory cost.
3.4.1 Security of LBKP
LBKP [36] is based on the polynomial model [8], in which a t-degree bivariate
symmetric polynomial is t-secure, meaning that adversaries have to compromise no less
than t + 1 nodes holding shares of a same polynomial to reconstruct it. Consider node
compromise attacks. If t + 1 out of x compromised nodes share a common t-degree
bivariate polynomial, the polynomial itself can be compromised and thus the directly
shared keys between non-compromised nodes using the same polynomial can be exposed.
Let Ns denote the number of nodes sharing a t-degree bivariate polynomial and N be the
number of nodes in the attacked area. Given x compromised nodes, the probability that i
out of Ns nodes are compromised is
P_c(i) = \frac{\binom{N_s}{i} \binom{N - N_s}{x - i}}{\binom{N}{x}} , (3–1)
and thus the probability that the polynomial is compromised is given by
P_c = \sum_{i=t+1}^{N_s} P_c(i) . (3–2)
Suppose each node has a memory size of M units for cryptographic materials and each
memory unit can accommodate a cryptographic key or a polynomial coefficient. Provided
that each node needs to store Np t-degree bivariate polynomial shares, the maximum
allowed polynomial degree is
t_M = \left\lfloor \frac{M}{N_p} \right\rfloor - 1 . (3–3)
Then the probability of exposing a polynomial can be rewritten as
P_c = \sum_{i=\lfloor M/N_p \rfloor}^{N_s} P_c(i) . (3–4)
3.4.2 A Hexagon Cell Model
If the attacked area is fixed, we have two controllable parameters, i.e., Ns and Np,
which can be adjusted to achieve different security performance. Intuitively, if we could
decrease the value(s) of Ns and/or Np, the probability Pc of polynomial exposure would
be reduced as well. How can we utilize deployment models to adjust the parameters?
Motivated by the hexagon cell used in cellular networks, we propose the following hexagon
cell deployment model [45] for key establishment in sensor networks.
Here we design a deployment model such that each deployment point is enclosed in a
hexagon cell, as shown in Fig. 3-3. Each deployment point, or hexagon cell, is associated
with a unique t-degree bivariate polynomial, and all nodes destined to the deployment
point are preloaded with shares of the polynomial. All nodes destined to a cell are usually
deployed as a group and are supposed to reside at the deployment point of their home cell.
Due to deployment errors and randomness, however, the real resident point of each node
may follow some probability distribution function (PDF), such as a Gaussian or a uniform
distribution, over an area, which may be a circle or a square, around its deployment
point.
[Figure 3-3 shows a center cell C0 and its six neighboring cells C1 to C6 in two panels.]
Figure 3-3. A hexagon cell model. (a) HEX-V: vertex-based secret pre-distribution. (b) HEX-E: edge-based secret pre-distribution.
In addition, the polynomial of each cell is also assigned to 3 of its 6 neighboring
cells, taking every other neighbor. For example, in Fig. 3-3(a), the polynomial associated
with cell C0 is also assigned to cells C1, C3, and C5. Hence, each polynomial is used in 4 cells.
A node in C0 has some common polynomial information with other nodes in the shaded areas.
Assume that the areas of a hexagon cell and a square cell are both (approximately) equal to α
and the node density ρ remains unchanged. By using the hexagon grid model, the number Ns
of nodes sharing one polynomial is reduced from 5ρα to 4ρα as compared to LBKP [36].
Another benefit is that the number Np of polynomial shares each node needs to store is
reduced from 5 to 4 at the same time. This means that we can decrease the probability of
polynomial exposure, leading to a favorable security improvement. We will discuss
this issue further in Section 3.6.
3.4.3 Edge-Based Secret Pre-Distribution
When designing a cell-based PKE (pairwise key establishment) scheme, we are often
concerned with two indices, namely, intra-cell connectivity and inter-cell connectivity. As
the names suggest, the former indicates the secure connectivity inside a cell, while the
latter means the secure connectivity between adjacent cells. The schemes in [37, 38] use random
secret pre-distribution [13, 17] in each cell to achieve a certain intra-cell connectivity. To
attain a certain inter-cell connectivity, [37] lets the key subsets of two neighboring cells
have an intersection, and [38] uses the random-pairwise secret pre-distribution scheme [15]
between two neighboring cells. However, the inter-cell connectivity of both schemes is still
unsatisfactory. By contrast, LBKP [36] assigns each cell a unique polynomial and thus can
guarantee high intra-cell connectivity. It also assigns the polynomial of one cell to its four
neighboring cells so as to achieve a certain inter-cell connectivity. A similar polynomial
pre-distribution model is used for our proposed hexagon cell model as well.
Let us depict a deployment model using a graph G(D, E), where the vertex set D consists
of all deployment points, and the edge set E comprises the pairs of adjacent deployment
points. Previous schemes [36–38] and our proposed hexagon grid approach put more emphasis
on intra-cell connectivity and leave inter-cell connectivity in second place. That is because
they all use a vertex-based secret pre-distribution model, in which a unique key subset or
polynomial is associated with each deployment point.
In this chapter, we also switch to another strategy by putting more effort into
guaranteeing high inter-cell connectivity. In particular, we propose a new edge-based
secret pre-distribution model, in which a unique t-degree bivariate polynomial is
affiliated with each edge in E and assigned to the two end deployment points of that edge.
For example, in Fig. 3-3(b), each double-headed arrow means that the cells connected by
the arrow are assigned the same unique t-degree bivariate polynomial. For ease of
presentation, hereafter we denote by HEX-V the hexagon grid model with vertex-based
secret pre-distribution and by HEX-E the one with edge-based secret pre-distribution. We
will see in Section 3.6.3 that HEX-E can guarantee high intra-cell and inter-cell connectivity
at the same time.
By using HEX-E, the number of nodes sharing one polynomial is further reduced to
2ρα, which is the lower bound on Ns necessary for both inter-cell and intra-cell
connectivity. As will be explained later, the security of a cell-based PKE scheme
is mainly determined by Ns × Np. Though Np is increased to 6 with HEX-E, the overall security
is still improved because of the relatively larger decrease of Ns (cf. Section 3.6).
3.4.4 A Triangle Cell Model
As discussed previously, given a memory constraint of M units, if we could decrease
the value of Np, the maximum allowed polynomial degree would increase, which
implies higher security. We have shown that HEX-E increases Np from 4 to 6 as
compared to HEX-V. Although the overall security is still improved, it is worthwhile to
investigate whether we can also reduce Np while using edge-based secret pre-distribution.
It is interesting to notice that edge-based secret pre-distribution requires each node
to keep Np bivariate polynomial shares, each corresponding to a neighboring cell. This
observation motivates us to find a cell-based deployment model in which each cell has as
few neighboring cells as possible. An intuitive solution is to use a triangle cell
model [46], which has the fewest neighbors per cell.
In the triangle cell model, each deployment point is enclosed in a triangle cell, as
shown in Fig. 3-4. When using edge-based secret pre-distribution, each pair of neighboring
deployment points is assigned a unique pairwise t-degree bivariate polynomial. As
before, sensor nodes are deployed in groups, and the group of nodes destined to the same
deployment point is preloaded with shares of the corresponding polynomials. We will
denote our new scheme by TRI-E hereafter. In TRI-E, each node is preloaded with 3
polynomial shares, which is the lower bound on Np. Then each node in C0 may be able to
establish pairwise keys with nodes in the shaded area in Fig. 3-4.
It is worth pointing out that in TRI-E we only consider the 3 neighboring cells C1/C2/C3
that share a boundary with C0, because these cells usually have more connections
with C0. We could distribute more polynomials to connect C0 directly to more
neighboring cells. However, that would result in a notable increase of memory cost and
a sharp degradation of security due to the increase of Ns, both of which are undesirable
in security-sensitive sensor networks. Moreover, we will show in Section 3.6.3 that TRI-E
can still achieve high network connectivity while focusing on only 3 neighboring cells.
[Figure 3-4 shows a triangle cell C0 and its three edge-adjacent cells C1, C2, C3.]
Figure 3-4. A triangle grid model.
3.5 Cell-based Pairwise Key Establishment
In this section, we present a general cell-based pairwise key establishment protocol, in
which any of the aforementioned grid models can be applied.
3.5.1 Node Deployment
We assume that every sensor node has a predetermined deployment point where it
is supposed to reside. Each deployment point should be enclosed in a unique cell, either
square or hexagon or triangle. So the entire deployment area is divided into U×V adjacent
non-overlapping cells Cuv, for row index u = 1, . . . , U and column index v = 1, . . . , V . We
assume that sensor nodes are deployed in equally-sized, non-overlapping groups Guv, for
u = 1, . . . , U and v = 1, . . . , V . Each group is uniquely associated with a cell and will be
deployed around the deployment point of the cell. In addition, every node is preloaded
with the coordinate of the deployment point of its home cell and assigned a unique,
positive, integer-valued ID.
3.5.2 Polynomial distribution
Before deployment, we construct a global polynomial pool F with enough t-degree
bivariate polynomials. Each polynomial has a unique polynomial ID and is assigned
to several groups of nodes according to a specific secret pre-distribution scheme. The
algorithm for polynomial pre-distribution is summarized in Table 3-1.
Table 3-1. The algorithm for polynomial distribution.
Function VertexDistributing(Deployment Model) {
    For each G_uv {
        Assign a polynomial f(x, y) from F to G_uv;
        Assign the same f(x, y) to some neighboring groups G'_uv according to the Deployment Model;
        Remove f(x, y) from F;
    }
}
Function EdgeDistributing(Deployment Model) {
    For each G_uv {
        For each neighboring group G'_uv of G_uv {
            If G'_uv and G_uv do not share a polynomial {
                Assign a polynomial f(x, y) from F to both G'_uv and G_uv;
                Remove f(x, y) from F;
            }
        }
    }
}
3.5.3 Pairwise Key Establishment
After deployment, every node broadcasts its node ID and the coordinate of the
deployment point of its home cell. The broadcasted information can be in plaintext
because the adversary would learn nothing about either the polynomial shares associated
with the overheard IDs or the polynomial associated with the overheard coordinates. If
the secrecy of the deployment point is desired, three methods may be used. One is to
broadcast polynomial IDs instead. The second is to use the normal challenge-response
method [5]. The third is to use the Merkle puzzle [47], which is suggested by [15].
However, these methods would incur too much computation and communication overhead,
which is undesirable in resource-constrained sensor networks.
If two neighboring nodes find that they are destined to the same deployment point or
two neighboring deployment points, they can establish a direct pairwise key by evaluating
their own corresponding polynomial shares with the ID of each other as input. Since
each node ID is unique, the established pairwise key is also unique. This property is
particularly useful for secure communications in that it can provide mutual authentication
through the normal challenge-response method.
It is possible that two neighboring nodes do not have shares of the same polynomial(s),
for instance due to deployment errors. In this case, they can rely on any secure multi-hop
path between them to establish an indirect pairwise key. Suppose there is a path
consisting of nodes n1, n2, . . . , ni between nodes a and b. It is called a secure multi-hop
path if and only if each pair of neighboring nodes on the path has established a direct
pairwise key. If so, it is safe to exchange a pairwise key between a and b along
this path. However, the exchanged key would be exposed to adversaries if any of the
nodes on the path is compromised. To deal with this situation, multi-path routing such as
SPREAD [11] can be applied to exchange a pairwise key between a and b through multiple
node-disjoint or edge-disjoint paths. For lack of space, further investigation of this
issue is left for future work.
However, as we will show in Section 3.6.3, our schemes have very high connectivity,
in that every node can establish direct keys with almost all its neighbors, so we do not
need to spend much energy on the establishment of indirect keys.
3.5.4 Node Addition
We may need to add new nodes into the network in some cases and then we
also need to establish pairwise keys for the new nodes. Before deployment, each new
node is preloaded with the polynomial shares of the cell where the new node is to be
deployed. After deployment, the new node can initiate the aforementioned pairwise key
establishment procedure to establish pairwise keys with its neighbors.
3.5.5 Node Revocation
During network operation, it is possible that some nodes are compromised
by the adversary. Hence the memberships of compromised nodes need to be canceled
and their keys need to be revoked. This can be achieved by deleting the corresponding
pairwise keys from the other normal nodes. However, when the number of compromised nodes
sharing a polynomial is larger than t, the polynomial itself is compromised, and the
other normal nodes using the same polynomial are under threat of malicious attacks. To
address this problem, we may use the following method. After pairwise key establishment,
each node assigns a counter to each polynomial it uses and initializes the counter to 0. If a
compromised node is detected, the other normal nodes sharing the same polynomials simply
increase the counter of each corresponding polynomial by 1 after they delete the related
shared pairwise keys. When any counter exceeds t, the counter and the corresponding
polynomial should be deleted. Our method is much more memory-efficient than the one
used in LBKP [36], which requires each node to keep the IDs of the compromised nodes. After
that, some normal nodes may need to re-initiate the pairwise key establishment procedure
to establish new pairwise keys.
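As an added example (not code from the dissertation), the following Python implements the EdgeDistributing procedure of Table 3-1 on a triangle grid (TRI-E), the share-based direct key derivation of Section 3.5.3, and the counter-based revocation of Section 3.5.5. The prime field size Q, the row/column indexing of the triangle grid in triangle_neighbors, and the node IDs 7, 11 and 13 are constructed for the example; polynomial IDs are treated as public while coefficients stay secret, which is why direct_key only needs the peer's ID and home cell (both broadcast in the protocol).

```python
import secrets

Q = (1 << 61) - 1   # prime field for polynomial arithmetic (constructed example parameter)


def random_symmetric_polynomial(t):
    """A random symmetric t-degree bivariate polynomial f(x, y) over GF(Q), stored as
    a coefficient matrix a with a[i][j] == a[j][i], so that f(x, y) == f(y, x)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = secrets.randbelow(Q)
    return a


def polynomial_share(a, node_id):
    """The share f(node_id, y) preloaded into a node: t + 1 coefficients in y."""
    t = len(a) - 1
    return [sum(a[i][j] * pow(node_id, i, Q) for i in range(t + 1)) % Q
            for j in range(t + 1)]


def evaluate_share(coeffs, peer_id):
    """Evaluate a univariate share at the peer's ID, giving f(own_id, peer_id)."""
    return sum(c * pow(peer_id, j, Q) for j, c in enumerate(coeffs)) % Q


def evaluate_bivariate(a, x, y):
    """Direct evaluation of f(x, y); used only to check that shares reproduce it."""
    n = len(a)
    return sum(a[i][j] * pow(x, i, Q) * pow(y, j, Q) for i in range(n) for j in range(n)) % Q


def triangle_neighbors(cell, U, V):
    """Edge-adjacent cells in a triangle grid (constructed indexing: row u, column v;
    cell (u, v) points up when u + v is even and then shares its base with (u + 1, v))."""
    u, v = cell
    vertical = (u + 1, v) if (u + v) % 2 == 0 else (u - 1, v)
    return [(a, b) for a, b in ((u, v - 1), (u, v + 1), vertical)
            if 1 <= a <= U and 1 <= b <= V]


def edge_distributing(cells, neighbors, t):
    """EdgeDistributing from Table 3-1: every pair of neighboring groups that does not
    yet share a polynomial gets a fresh one, assigned to both groups.
    Returns a map cell -> {polynomial_id: polynomial}."""
    assigned = {c: {} for c in cells}
    next_id = 0
    for c in cells:
        for n in neighbors(c):
            if assigned[c].keys() & assigned[n].keys():
                continue                      # this edge was already handled from the other side
            f = random_symmetric_polynomial(t)
            assigned[c][next_id] = assigned[n][next_id] = f
            next_id += 1
    return assigned


class Node:
    """A sensor node holding the shares of its home cell's polynomials plus the
    per-polynomial revocation counters of Section 3.5.5."""

    def __init__(self, node_id, cell, assigned, t):
        self.id, self.cell, self.t = node_id, cell, t
        self.shares = {pid: polynomial_share(f, node_id) for pid, f in assigned[cell].items()}
        self.counters = {pid: 0 for pid in self.shares}

    def direct_key(self, peer_id, peer_cell, cell_poly_ids):
        """Section 3.5.3: pick a polynomial ID common to both home cells and evaluate
        the own share at the peer's ID. Returns (polynomial_id, key), or None when the
        two nodes share no polynomial and must fall back to a secure multi-hop path."""
        common = sorted(self.shares.keys() & cell_poly_ids[peer_cell])
        if not common:
            return None
        pid = common[0]
        return pid, evaluate_share(self.shares[pid], peer_id)

    def revoke(self, compromised_polynomial_ids):
        """Section 3.5.5: bump the counter of every polynomial the compromised node held;
        once more than t holders are compromised, the polynomial is discarded."""
        for pid in self.shares.keys() & set(compromised_polynomial_ids):
            self.counters[pid] += 1
            if self.counters[pid] > self.t:
                del self.shares[pid], self.counters[pid]


def demo(U=3, V=3, t=2):
    """Build a U x V triangle grid, distribute polynomials and derive direct keys."""
    cells = [(u, v) for u in range(1, U + 1) for v in range(1, V + 1)]
    assigned = edge_distributing(cells, lambda c: triangle_neighbors(c, U, V), t)
    cell_poly_ids = {c: set(polys) for c, polys in assigned.items()}   # public information
    a, b, c = Node(7, (2, 2), assigned, t), Node(11, (2, 3), assigned, t), Node(13, (1, 1), assigned, t)
    return {"assigned": assigned, "ids": cell_poly_ids, "a": a, "b": b, "c": c,
            "key_ab": a.direct_key(b.id, b.cell, cell_poly_ids),
            "key_ba": b.direct_key(a.id, a.cell, cell_poly_ids),
            "key_ac": a.direct_key(c.id, c.cell, cell_poly_ids)}


if __name__ == "__main__":
    d = demo()
    print("polynomials held by cell (2, 2):", sorted(d["assigned"][(2, 2)]))
    print("a -> b key:", d["key_ab"], "\nb -> a key:", d["key_ba"], "\na -> c key:", d["key_ac"])
```

On the 3 × 3 grid every interior cell ends up with exactly 3 polynomial shares (Np = 3, as stated for TRI-E), node a in cell (2, 2) and node b in the adjacent cell (2, 3) derive the same key from their respective shares, and node c in the non-adjacent cell (1, 1) shares no polynomial with a.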
As will be discussed later, by using our proposed deployment and edge-based secret
pre-distribution models, our scheme can achieve perfect resilience to node compromise
attacks. We accomplish this by limiting the total number of nodes sharing one polynomial
to no more than the polynomial degree. Therefore, no matter how many nodes adversaries
compromise, they are unable to reconstruct any polynomial and thus cannot use
the acquired knowledge to launch attacks on non-compromised nodes. By contrast,
conventional schemes like LBKP [36] lack this feature because of their large
memory costs, as detailed in Section 3.6.2.
3.6 Analysis and Evaluation
Here we evaluate the proposed schemes in terms of security, secure connectivity, and
memory costs, which are widely used in performance evaluation by previous schemes.
3.6.1 Security
An attacker may launch a node compromise attack to reconstruct a t-degree bivariate
polynomial so as to compromise the links between non-compromised nodes using the same
polynomial. We compare the security of our schemes with LBKP [36] and E-G (short for
Eschenauer and Gligor) [13] with regard to the link compromise probability, i.e., the
probability that a link is compromised. Because every link is secured by a t-degree bivariate
polynomial, we may use the probability of polynomial exposure (Equation (3–4) in
Section 3.4.1) to evaluate the link compromise probability.
There are two scales of node compromise attacks in our considerations. In the local
node compromise attack, the adversary tries to compromise nodes in a particular area.
Due to the threshold-based security of polynomials, the attacker must compromise enough
nodes to recover a polynomial. As shown in Section 3.4, by using hexagon and triangle
cells and the edge-based pre-distribution method, our schemes reduce the number of nodes
sharing a polynomial. Hence, our schemes are more resilient than LBKP against the
local node compromise attack. Besides, the exposure of one polynomial has no impact on
other areas because each polynomial is used only in a small area.
In the random node compromise attack, the attacker randomly selects nodes as the
objects of attack. In this random attack, the link compromise probability of E-G may be
calculated as [15, 37]

P_c = 1 - \left(1 - \frac{m}{M}\right)^x , (3–5)

where each node randomly selects a key subset of size m from a global key set of size M
and the number of compromised nodes is x.
Suppose node deployment density is ρ = 0.0025 nodes/m2, the network size is
2000m × 2000m, the total number of nodes is |N | = 10000, and the node transmission
range is 50m. For E-G, the size of the global key pool is set to 100000, while for our
schemes and LBKP, the inter-cell distance, which is the distance between the centers of
neighboring cells, is set to 100m.
Fig. 3-5 and Fig. 3-6 depict the respective link compromise probabilities versus the
fraction of compromised nodes for different numbers (M) of memory units allocated for
storing pre-distributed secrets. From Fig. 3-5 and Fig. 3-6, we can clearly see that the E-G
scheme has the worst security performance in almost all scenarios. Every time adversaries
compromise one more node, they increase their chances of compromising more links
between non-compromised nodes. If M is increased, say from 120 to 240, the security of
E-G degrades more dramatically with the increase of compromised nodes. This is
because adversaries obtain more information about the global key pool after compromising
a node. It is no surprise that LBKP has better security performance than E-G because
of its (t + 1)-compromise resistance property. We can also observe that our schemes
outperform both E-G and LBKP. For example, when M is equal to 240, LBKP can only
tolerate the compromise of 30% of the nodes, while all our schemes can tolerate the compromise
of over 50% of the nodes. In addition, the TRI-E scheme exhibits the best security performance,
having perfect resilience to node compromise attacks when M is equal to 240.
[Figure 3-5: link compromise probability (y-axis, 0 to 1) versus fraction of compromised nodes (x-axis, 0 to 1) for E-G, LBKP, HEX-V, HEX-E and TRI-E.]
Figure 3-5. M = 120.
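The following Python is an added worked example (not code from the dissertation) that evaluates Eqs. 3-1 to 3-5 numerically for the random node compromise attack, using the parameters of Section 3.6.1 (ρ = 0.0025 nodes/m², inter-cell distance D = 100 m, N = 10000 nodes, E-G key pool of 100000) and the per-scheme Np from Sections 3.4.2 to 3.4.4 and Ns from Table 3-2. Two details are assumptions of the example: Ns is rounded to an integer, and the whole network is taken as the attacked area, so N in Eq. 3-1 is the total number of nodes.

```python
from math import comb, sqrt

# Per scheme: (Np shares stored per node, coefficient c with Ns = c * rho * D^2 nodes
# sharing one polynomial). A square cell of inter-cell distance D has area D^2, a hexagon
# (sqrt(3)/2) D^2 and a triangle (3 sqrt(3)/4) D^2; one polynomial covers 5, 4, 2 and 2 cells.
SCHEMES = {
    "LBKP":  (5, 5.0),
    "HEX-V": (4, 2.0 * sqrt(3)),
    "HEX-E": (6, sqrt(3)),
    "TRI-E": (3, 3.0 * sqrt(3) / 2.0),
}


def max_degree(M, Np):
    """Eq. 3-3: the largest t such that Np shares of t + 1 coefficients fit in M units."""
    return M // Np - 1


def p_poly_exposed(N, Ns, x, t):
    """Eqs. 3-1 and 3-2: probability that at least t + 1 of the Ns holders of one
    polynomial are among x nodes compromised uniformly at random out of N."""
    if not (0 <= x <= N and 0 <= Ns <= N):
        raise ValueError("need 0 <= x <= N and 0 <= Ns <= N")
    # Hypergeometric tail; comb() gives 0 when the lower index exceeds the upper one.
    favourable = sum(comb(Ns, i) * comb(N - Ns, x - i)
                     for i in range(t + 1, min(Ns, x) + 1))
    return favourable / comb(N, x)       # exact big-int arithmetic, then one division


def link_compromise_probability(scheme, frac, rho=0.0025, D=100, N=10000, M=240):
    """Eq. 3-4 under a random node compromise attack: Ns from Table 3-2 (rounded),
    t the maximum degree the memory budget M allows (Eq. 3-3), x = frac * N."""
    Np, c = SCHEMES[scheme]
    Ns = round(c * rho * D * D)
    return p_poly_exposed(N, Ns, round(frac * N), max_degree(M, Np))


def eg_link_compromise_probability(m, pool_size, x):
    """Eq. 3-5 for E-G: each node holds m keys out of pool_size, x nodes compromised."""
    return 1.0 - (1.0 - m / pool_size) ** x


def perfect_resilience_memory(scheme, rho=0.0025, D=100):
    """Table 3-2 column B: memory units Np * (Ns + 1) so that t + 1 > Ns holds and no
    number of compromised nodes suffices to reconstruct a polynomial."""
    Np, c = SCHEMES[scheme]
    return Np * (c * rho * D * D + 1)


if __name__ == "__main__":
    for M in (120, 240):
        print(f"M = {M}")
        for frac in (0.1, 0.3, 0.5):
            row = {s: link_compromise_probability(s, frac, M=M) for s in SCHEMES}
            row["E-G"] = eg_link_compromise_probability(M, 100000, round(frac * 10000))
            print(f"  {frac:.0%} compromised:",
                  ", ".join(f"{s} {p:.4f}" for s, p in row.items()))
    print("memory for perfect resilience:",
          {s: round(perfect_resilience_memory(s)) for s in SCHEMES})
```

With M = 240, TRI-E stores 3 shares, so Eq. 3-3 allows t = 79, while Table 3-2 gives Ns ≈ 65 holders per polynomial; since Ns < t + 1 the sum in Eq. 3-4 is empty and the link compromise probability is 0 for every fraction of compromised nodes, which is the perfect resilience reported above. The column B values come out in the order LBKP > HEX-V > HEX-E > TRI-E stated in Section 3.6.2.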
[Figure 3-6: link compromise probability (y-axis, 0 to 1) versus fraction of compromised nodes (x-axis, 0 to 1) for E-G, LBKP, HEX-V, HEX-E and TRI-E.]
Figure 3-6. M = 240.
3.6.2 Memory Cost
The different security performance of LBKP and our schemes results from the fact
that the schemes require each node to store different numbers of polynomial shares.
A share of a t-degree bivariate polynomial is a t-degree univariate polynomial with t + 1
coefficients. Column A of Table 3-2 gives the memory cost of these schemes.
Intuitively, we could obtain perfect resilience to node compromise attacks by limiting the
number of nodes sharing one polynomial to fewer than (t + 1). However, to achieve this,
different schemes incur different memory costs. Let ρ still be the node deployment
density and D be the inter-cell distance in meters. We calculated the memory
costs of LBKP and our schemes for achieving perfect resilience to node compromise
attacks, which are given in Column B of Table 3-2. From the table we can easily see the
relationship

LBKP > HEX-V > HEX-E > TRI-E .

Table 3-2. Memory cost. Column A: memory units per node for polynomial degree t. Column B: memory units per node needed for perfect resilience (node density ρ, inter-cell distance D).
Scheme   A          B
LBKP     5(t + 1)   5(5ρD² + 1)
HEX-V    4(t + 1)   4(2√3 ρD² + 1)
HEX-E    6(t + 1)   6(√3 ρD² + 1)
TRI-E    3(t + 1)   3((3√3/2) ρD² + 1)
Given the same memory constraint M, our schemes have better security performance
because of their much smaller memory requirements, which allow larger polynomial degrees
and thus higher security. Among our schemes, TRI-E has the best security performance
because of its smallest memory cost, which renders it the most attractive candidate for
sensor networks where the memory of each node is very tight.
3.6.3 Connectivity
If two neighboring nodes can establish a pairwise key, they are able to communicate
in a secure manner. However, not every pair of neighboring nodes can establish a
pairwise key directly. That is because deployment errors may leave an unlucky node
with no neighboring node that shares a polynomial with it. Let us define
connectivity as the probability that a pair of neighboring nodes can establish a direct
pairwise key after deployment. In resource-constrained sensor networks, high connectivity
is preferred because it means that nodes do not need to spend much of their scarce
energy on establishing indirect pairwise keys through multi-hop routing.
Suppose node n_{uv} ∈ G_{uv} resides at (x, y). Let A(n^{u'v'}_j, n_{uv}) be the event that node
n^{u'v'}_j ∈ G_{u'v'} is a neighbor of n_{uv}, B(n^{u'v'}_j, n_{uv}) be the event that node n^{u'v'}_j
is a secure neighbor of n_{uv}, and C(n^{u'v'}_j, n_{uv}) be the event that node n^{u'v'}_j is in
the same group as n_{uv} or in one of the neighboring groups of n_{uv}. By secure neighbors,
we mean those neighboring nodes of a given node, say n_{uv}, that can establish direct keys
with it. The probability that n^{u'v'}_j ∈ G_{u'v'} is a neighbor of node n_{uv} is the integral of
the PDF p_{u'v'}(x, y) over the circle around node n_{uv}, i.e.,

P(A(n^{u'v'}_j, n_{uv})) = \iint_{|n^{u'v'}_j - n_{uv}| \le R} p_{u'v'}(x, y)\, dx\, dy ,

where R is the node transmission range, which is the same for all sensor nodes,
|n^{u'v'}_j − n_{uv}| denotes the distance between nodes n^{u'v'}_j and n_{uv}, and p_{u'v'}(x, y) is the
distribution of the resident points of the nodes in G_{u'v'}. If we assume a general distribution
p(x, y) of node resident points, then the distribution p_{uv}(x, y) for a particular group G_{uv}
is p(x − x_u, y − y_v), where (x_u, y_v) is the coordinate of the deployment point of G_{uv}.
Let T^{u'v'}_j be the indicator of the experiment:

T^{u'v'}_j = \begin{cases} 1, & A(n^{u'v'}_j, n_{uv}) \text{ happens;} \\ 0, & \text{otherwise.} \end{cases}

Then the average number of neighbors of node n_{uv} located at (x, y) is

N_{uv}(x, y) = \sum_{n^{u'v'}_j \ne n_{uv}} E[T^{u'v'}_j] = \sum_{n^{u'v'}_j \ne n_{uv}} P(A(n^{u'v'}_j, n_{uv})) ,

where E[T^{u'v'}_j] denotes the expectation of T^{u'v'}_j.
We can calculate the average number of secure neighbors of node n_{uv} located at (x, y)
in a similar way, i.e.,

M_{uv}(x, y) = \sum_{n^{u'v'}_j \ne n_{uv}} P(B(n^{u'v'}_j, n_{uv})) = \sum_{n^{u'v'}_j \ne n_{uv}} P(A(n^{u'v'}_j, n_{uv}) \cap C(n^{u'v'}_j, n_{uv})) .

Then the average number of neighbors of one node is

\bar{N} = \sum_{u,v} P(n_{uv} \in G_{uv}) \iint N_{uv}(x, y)\, p_{uv}(x, y)\, dx\, dy = \frac{1}{UV} \sum_{u,v} \iint N_{uv}(x, y)\, p(x - x_u, y - y_v)\, dx\, dy ,

and the average number of secure neighbors of one node is

\bar{M} = \sum_{u,v} P(n_{uv} \in G_{uv}) \iint M_{uv}(x, y)\, p_{uv}(x, y)\, dx\, dy = \frac{1}{UV} \sum_{u,v} \iint M_{uv}(x, y)\, p(x - x_u, y - y_v)\, dx\, dy .

Hence, the network connectivity p can be calculated as

p = \frac{\bar{M}}{\bar{N}} . (3–6)
To evaluate the connectivity, we need the distribution of node resident points. A
reasonable assumption is that the PDF of node resident points follows a two-dimensional
Gaussian distribution,

p(x, y) = \frac{1}{2\pi\sigma^2} \exp\left( -\frac{x^2 + y^2}{2\sigma^2} \right) , (3–7)

where we take the corresponding deployment point as the origin of the coordinate
system.
Using the same configuration parameters given in Section 3.6.1, we can calculate
the probability (denoted by p_r) that a node resides in its home cell after deployment.
p_r is obtained by choosing the variance of the Gaussian distribution such that the
node resides, with probability p_r, in the circle that has the same diameter as its home cell.
Fig. 3-7 and Fig. 3-8 plot the connectivity versus the inter-cell distance, normalized by the
node transmission range, for p_r = 0.9 and p_r = 0.99, respectively. When the cell size
is small, a node's transmission range may cover not only its home cell and neighboring
cells but also other non-neighboring cells, which means the node may have many
neighbors with which it cannot establish direct pairwise keys. Hence, the connectivity is
small. As the inter-cell distance increases, the connectivity of both vertex-based
and edge-based schemes increases dramatically, because the number of neighbors
with which a node cannot establish direct pairwise keys decreases quickly. In particular,
when the inter-cell distance is more than twice the node transmission range,
the connectivity of all schemes stabilizes at a very high level, because most of the
neighbors of a node are from its home cell or neighboring cells. It means that every node
can establish direct pairwise keys with almost all its neighbors. However, the cell size
should not be set too large. Otherwise, the number of nodes in one cell would be too large
when the node density is (approximately) constant, leading to a large number of nodes
sharing one polynomial. In this case, to maintain a certain security level, the polynomial
degree would have to be increased, which means more memory cost. Hence, to achieve a
tradeoff between security and connectivity, the cell size should be set to the value at which
the connectivity first reaches the desired level.
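An added Monte Carlo check of Eq. 3-6 (example code, not from the dissertation): it deploys nodes around a grid of deployment points with the Gaussian errors of Eq. 3-7, derives σ from p_r as described above, and counts neighbor pairs versus secure-neighbor pairs, whose ratio is p. Two assumptions are built in: the circle "with the same diameter as the cell" is taken to have radius D/2, and the secure-neighbor predicate (event C) is the one for the square cell model of Section 3.3, whose adjacency is easy to state in code; passing a different predicate as the secure argument adapts the estimate to the hexagon or triangle grids. Grid size, node count per cell and the random seed are constructed.

```python
import math
import random


def sigma_for_pr(pr, radius):
    """Choose the Gaussian standard deviation so that a node lands within `radius` of its
    deployment point with probability pr. For the isotropic 2-D Gaussian of Eq. 3-7,
    P(distance <= r) = 1 - exp(-r^2 / (2 sigma^2)), which is solved for sigma here."""
    return radius / math.sqrt(-2.0 * math.log(1.0 - pr))


def square_vertex_secure(cell_a, cell_b):
    """Event C for the square cell model of Section 3.3: two nodes hold a common
    polynomial iff they come from the same cell or from edge-adjacent cells."""
    (ua, va), (ub, vb) = cell_a, cell_b
    return abs(ua - ub) + abs(va - vb) <= 1


def estimate_connectivity(U, V, per_cell, D, R, pr, secure=square_vertex_secure, seed=1):
    """Monte Carlo estimate of p = M_bar / N_bar (Eq. 3-6): deploy per_cell nodes around
    each of U x V deployment points spaced D apart (Gaussian errors, Eq. 3-7), count the
    unordered neighbor pairs within range R and the subset that can derive a direct key."""
    rng = random.Random(seed)
    sigma = sigma_for_pr(pr, D / 2.0)   # assumption: "same diameter as the cell" -> radius D/2
    nodes = [((u, v), rng.gauss(u * D, sigma), rng.gauss(v * D, sigma))
             for u in range(U) for v in range(V) for _ in range(per_cell)]
    neighbor_pairs = secure_pairs = 0
    for i, (ci, xi, yi) in enumerate(nodes):
        for cj, xj, yj in nodes[i + 1:]:
            if (xi - xj) ** 2 + (yi - yj) ** 2 <= R * R:
                neighbor_pairs += 1
                if secure(ci, cj):
                    secure_pairs += 1
    # Summing over unordered pairs gives n * N_bar / 2 and n * M_bar / 2; their ratio is p.
    return secure_pairs / neighbor_pairs if neighbor_pairs else 0.0


if __name__ == "__main__":
    R = 50.0                              # transmission range from Section 3.6.1
    for pr in (0.9, 0.99):
        for ratio in (0.5, 1.0, 2.0, 3.0):   # inter-cell distance normalized by R
            p = estimate_connectivity(8, 8, 8, ratio * R, R, pr)
            print(f"pr = {pr}, D/R = {ratio}: connectivity {p:.3f}")
```

Running the script reproduces the qualitative behaviour described above: with a small inter-cell distance many in-range neighbors live in non-adjacent cells and p is low, and once D exceeds about 2R almost every neighbor is in the home cell or an adjacent one and p approaches 1.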
It is well known that energy consumption is of paramount importance for resource-constrained
sensor networks. It is, therefore, wise to minimize radio transmissions and receptions.
Random distribution schemes [13, 15–19] have low connectivity and thus have to rely
on multi-hop and/or multi-path routing to establish indirect keys for maintaining an
acceptable global network connectivity. Although the square-grid-based schemes [37, 38]
may improve the connectivity, they still use random distribution in each cell and thus
cannot guarantee full connectivity between two neighboring cells, leading to
unfavorable energy consumption in establishing indirect pairwise keys. By contrast, our
schemes are highly energy efficient and thus well suited to resource-constrained
sensor networks in that there is almost no need for establishing indirect pairwise keys.
3.7 Conclusion
In this chapter, we investigated different deployment models for their use in pairwise
key establishment for wireless sensor networks. We demonstrated that the hexagon
and the triangle grid deployment models have much better security performance than
the square one used in previous proposals. We also proposed a novel edge-based secret
pre-distribution model which can greatly reduce the memory costs of sensor nodes.
Our proposed pairwise key establishment protocol features perfect resilience to node
compromise attacks with much smaller memory costs. In addition, it can guarantee
high network connectivity and thus greatly reduce the communication overhead and
transmission energy consumption incurred in establishing indirect pairwise keys through
multi-hop and/or multi-path routing. To summarize, we propose a lightweight, simple, and
secure solution to establish pairwise keys in resource-constrained sensor networks.
[Figure 3-7: connectivity (y-axis, 0.3 to 1) versus normalized inter-grid distance (x-axis, 0.5 to 4) for LBKP, HEX-V, HEX-E and TRI-E.]
Figure 3-7. The probability that each node resides in its own cell is 0.9.
[Figure 3-8: connectivity (y-axis, 0.3 to 1) versus normalized inter-grid distance (x-axis, 0.5 to 4) for LBKP, HEX-V, HEX-E and TRI-E.]
Figure 3-8. The probability that each node resides in its own cell is 0.99.
CHAPTER 4
SCALABLE KEY ESTABLISHMENT IN WIRELESS SENSOR NETWORKS
4.1 Introduction
We have shown in previous chapters that key management is very critical to security
protocols, because encryption and authentication services are based on the operations
involving keys. One of the fundamental problems of key management is how to set up keys
to protect connections between sensor nodes. Generally, two kinds of connections can be
formed in a network. One is the one-hop connection between a pair of neighboring nodes.
In the network stack, this one-hop connection is managed by the link layer protocol. In
order to secure the link layer connection, a shared link layer key (called LLK hereafter)
needs to be established between the neighboring nodes. The other type of connection can
be formed between two nodes over a multihop path. Because the two nodes are out of the
neighborhood of each other, this end-to-end connection is managed by the transport layer
protocol instead of the link layer protocol. Therefore, a transport layer key (called TLK
hereafter) needs to be established to provide the end-to-end security.
As is shown in Chapter 2, the TLK establishment is not an easy problem. In a
network of N nodes, theoretically, each node can be preloaded with N − 1 keys uniquely
shared with other nodes, but the feasibility can be challenged because of the contradictory
requirements between the scarce memory of sensor nodes and the large scale of sensor
networks. Instead, most recent solutions [13, 15–19] relax the security requirement and
target the establishment of link layer keys (LLKs) between any pair of neighboring
nodes. In a large scale sensor network, the number of neighbors of a node is usually a
small constant. Thus it is more feasible to establish an LLK infrastructure, which
saves memory resources. Based on this LLK infrastructure, two end nodes can perform
secure communications over a multi-hop path with the help of intermediate nodes, and
can negotiate a TLK on demand, if needed, through the secure handshake. The LLK
infrastructure can effectively prevent external attackers from accessing the network, but
cannot counteract internal attackers, such as compromised nodes. Therefore, a TLK
negotiated along a multi-link path can be exposed if any of the intermediate nodes is
compromised. Because the number of hops along a path can be large, the possibility of the
TLK exposure is rather high.
Moreover, the previous LLK schemes [13, 15–19] themselves are also vulnerable to
node compromise. An adversary can use the secrets in compromised nodes to derive the
secrets shared between other non-compromised nodes. Hence some compromised nodes
may cause many failure points in the network and destroy the entire LLK infrastructure.
Another drawback of the previous LLK schemes is that they have a large memory
requirement to maintain a certain level of security or connectivity.
Based on our work in [9], here we introduce a novel key establishment scheme that
incorporates deployment knowledge. First, we consider a two-dimensional grid model,
which leads to LAKE (two-LAyer Key Establishment) [48], for the establishment of both
TLKs and LLKs in sensor networks. Particularly, all sensor nodes are organized into a
two-dimensional space, and a tri-variate polynomial is pre-distributed to facilitate the
establishment of TLKs and LLKs in the space. To increase connectivity and reduce
communication overhead, the nodes close to each other are preloaded with correlated
secrets, called shares, derived from the tri-variate polynomial. Second, we extend our
scheme to the multi-dimensional case and propose an efficient LLK scheme [49]. The main
contributions are as follows:
1. Our LAKE effectively addresses the TLK establishment problem for sensor networks.
Any two nodes can negotiate a TLK on demand directly or with the help of only
one intermediate node. Though in conventional LLK schemes two nodes can also
negotiate a TLK through a multi-hop path, more than one intermediate node can
learn the TLK. Hence LAKE is much more secure under the node compromise attack
compared with the conventional proposals;
2. Compared with the conventional LLK schemes, our scheme features much lower
memory cost;
3. By utilizing location information, our scheme guarantees that two neighboring nodes
can establish a direct LLK with high probability. This provides energy efficiency
compared with the conventional LLK schemes because the probability of indirect
LLK establishment through multi-hop paths between two neighboring nodes is
reduced.
4.2 Two Dimension Grid Design for TLK and LLK Establishment
In LAKE, a t-degree tri-variate polynomial is pre-distributed to facilitate key
establishment in a two-dimensional space, which is a special case of our model discussed
in Chapter 2. We will show that LAKE can efficiently establish both LLKs and TLKs
between sensor nodes. An LLK infrastructure can be established just after network
deployment. TLKs are established on demand when two end nodes need to communicate
with each other.
4.2.1 Network Model
It has been shown in Chapter 3 that utilizing deployment information can achieve
higher connectivity. So, even though our key agreement model can achieve deterministic key
agreement between any pair of nodes, as is shown in [9], we consider incorporating
deployment information into LAKE.
The entire network is divided into N1 non-overlapping square cells and each cell
includes N2 sensor nodes. Each node in the network is identified by a coordinate (n1, n2)
in the two-dimensional space, where ni = 0, 1, . . . , Ni − 1, i ∈ {1, 2}, and we may use the
coordinate (n1, n2) as the node ID and the index n1 as the cell ID.
Cell IDs are assigned in a fixed order such that each cell ID acts like a coordinate in a
two-dimensional plane. We may allocate 2h higher bits from the node ID field for the cell
ID. The 2h bits are divided into a pair of integers (i, j), where i is the row index and j is
the column index of the cell. Hence, each cell ID reflects the location information of the
corresponding nodes. This information is coarse, so we can only tell in which area a node
with a given cell ID resides. The node deployment in each cell may follow any probabilistic
distribution, such as Gaussian [17, 45, 50] or uniform [36, 38, 46]. We assume Gaussian
distribution here.
Our key agreement model is deterministic, so every node knows with which of other
nodes it can establish a shared key directly. If two nodes cannot calculate a shared key
directly, they rely on one intermediate node to negotiate an indirect key. Just like previous
work [13, 15–19], we assume the underlying routing protocol can correctly route key
negotiation messages over multihop paths between those peer nodes.
Figure 4-1. A two-dimension sensor network. [Grid of 64 cells with example nodes (0, n2), (7, n2), (8, n2), (56, n2), (63, n2), (18, 4), (18, 6), (37, 4) and (37, 6).]
Fig. 4-1 illustrates an example of the network model. There are 64 cells in the
network. Each cell consists of N2 nodes. We assign cell IDs in an order from left to
right and from top to down. Every node can be located by the cell ID in its node ID.
For example, node (0, n2) is in the most up-left cell, and node (63, n2) is in the most
down-right cell. Other examples of nodes are also depicted in Fig. 4-1.
4.2.2 Share Pre-distribution
Before network deployment, a global t-degree tri-variate polynomial is chosen. This
polynomial is used to derive shares for sensor nodes.
To establish keys, every node should have two credentials (c1, c2), which are positive
and pairwise different. These credentials can be created and preloaded into nodes before
deployment. However, it requires additional memory space per node. Fortunately, the two
credentials can be derived from node ID by a bijection, i.e.,
c1 = n1 + 1 + N2
c2 = n2 + 1, (4–1)
where ni = 0, 1, . . . , Ni − 1 for i = 1, 2. Thus, the two credentials are drawn from different
zones [N2 + 1, N1 + N2] and [1, N2] respectively, which guarantee they are positive and
pairwise different. Besides, by doing this mapping, each node needs to store only N2
instead of two credentials.
Every node in the network is assigned a polynomial share
$$f(c_1, c_2, x_3) = f(n_1 + 1 + N_2,\, n_2 + 1,\, x_3) = \sum_{i_1=0}^{t}\sum_{i_2=0}^{t}\sum_{i_3=0}^{t} a_{i_1,i_2,i_3}\,(n_1 + 1 + N_2)^{i_1}(n_2 + 1)^{i_2} x_3^{i_3} .$$ (4–2)
Hence, every node in the network needs to keep only a t-degree univariate polynomial
that has t + 1 coefficients over a finite field Fq. Those coefficients are preloaded into every
node’s memory before deployment and used to establish keys after deployment.
4.2.3 Direct Key Calculation
Two nodes can calculate a shared key directly if they have a credential in common,
i.e., a common index in their node IDs. We will call one of the two nodes a level-i
neighbor of the other if their i-th indices in their IDs are different and the other indices
are the same. Obviously, every node can establish shared keys with its neighbors at level 1
(inter-cell) and level 2 (intra-cell).
In the two-dimensional network, all nodes in each cell are level-2 neighbors because
they have the same cell ID, and each node has a level-1 neighbor in each of other cells.
For example, in the two-dimension network in Fig. 4-1, node (18, 4) and node (18, 6) are
level-2 neighbors and they can calculate a shared key directly. Node (18, 4) and node
(37, 4) are level-1 neighbors and they can also calculate a shared key directly.
Every node can calculate direct keys by itself without interaction with its logical
neighbors. Each direct key between two logical neighboring nodes is only secret to
them. An adversary cannot learn the direct key unless he/she knows the corresponding
polynomial share.
4.2.4 Indirect Key Negotiation
If two nodes have no common indices in their IDs, they cannot calculate a shared
key directly because they are not logical neighbors. This happens when the two nodes
reside in different cells and they have different indices in their cells, respectively. In this
case, one node can find in its cell a level-2 neighbor, which is also a level-1 neighbor of
the other node. Then the intermediate node can act as an agent to facilitate a shared key
negotiation between the two end nodes.
There are two agent nodes that can help the indirect key negotiation. Suppose node u
with ID (u1, u2) and node v with ID (v1, v2), where u1 ≠ v1 and u2 ≠ v2, need to negotiate
a shared key. Either node (u1, v2) or node (v1, u2) can act as an agent, because either
one is a common neighbor of nodes u and v. Then an indirect key can be established
through the following protocol:
$$u \to a : \langle a, u, n_u, \{\langle v, u, K_{uv}\rangle\}_{K_{ua}}, H(a \,\|\, u \,\|\, n_u \,\|\, \{\langle v, u, K_{uv}\rangle\}_{K_{ua}} \,\|\, K_{ua})\rangle ,$$
$$a \to v : \langle v, a, n_a, \{\langle v, u, K_{uv}\rangle\}_{K_{av}}, H(v \,\|\, a \,\|\, n_a \,\|\, \{\langle v, u, K_{uv}\rangle\}_{K_{av}} \,\|\, K_{av})\rangle ,$$
where a is an agent node, nu and na are nonces used to counteract replay attacks, Kuv
is the indirect key between node u and node v, Kua and Kav are direct keys shared with
the agent a, “{·}_{·}” is the encryption operation (the subscript is the key), H(·) is a hash function that generates
a message authentication code for authentication and integrity checking, and “‖” is the
concatenation operator. After verifying the authenticity and the integrity of the key Kuv,
the agent node a forwards the key to node v and immediately deletes it so that it cannot
be revealed later.
For example in Fig. 4-1, there are two secure paths between node (18, 6) and node
(37, 4) and a shared key can be negotiated through either of the secure paths with the help
of the agent nodes (18, 4) or (37, 6).
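The pre-distribution, direct key calculation and agent-mediated negotiation of Sections 4.2.2 to 4.2.4, as an added example that is not part of the dissertation: a tiny symmetric tri-variate polynomial over an assumed prime field, shares per Eqs. (4–1) and (4–2), direct keys for level-1 and level-2 neighbors, and the two-message u → a → v exchange in which the agent verifies the MAC before re-encrypting and then forgets the key. The modulus, the degree t = 3, the 4 × 3 grid, HMAC-SHA256 in place of H(·) and a SHAKE-256 keystream in place of {·}_K are assumptions chosen for illustration.

```python
"""Toy LAKE: share derivation (Eqs. 4-1, 4-2), direct keys (Section 4.2.3) and
agent-mediated indirect key negotiation (Section 4.2.4). Added example; the
modulus, degree, grid size, HMAC-SHA256 as H(.) and a SHAKE keystream as {.}_K
are assumptions for illustration, not choices made by the dissertation."""
import hashlib, hmac, itertools, secrets

Q = (1 << 61) - 1          # assumed prime modulus for F_q (a Mersenne prime)
T = 3                      # polynomial degree t (tiny, for the demo)
N1, N2 = 4, 3              # N1 cells, N2 nodes per cell (assumed sizes)

def make_symmetric_poly(t, rng=secrets.randbelow):
    """Random t-degree tri-variate polynomial with a[i1][i2][i3] invariant under
    every permutation of (i1, i2, i3), which makes f symmetric."""
    a = [[[0] * (t + 1) for _ in range(t + 1)] for _ in range(t + 1)]
    for idx in itertools.product(range(t + 1), repeat=3):
        canon = tuple(sorted(idx))        # the permutation visited first
        i1, i2, i3 = idx
        a[i1][i2][i3] = rng(Q) if idx == canon else a[canon[0]][canon[1]][canon[2]]
    return a

def credentials(n1, n2):
    """Eq. (4-1): c1 in [N2+1, N1+N2], c2 in [1, N2]; positive and disjoint."""
    return n1 + 1 + N2, n2 + 1

def derive_share(a, n1, n2):
    """Eq. (4-2): the t+1 coefficients of f(c1, c2, x3), the node's only secret."""
    c1, c2 = credentials(n1, n2)
    t = len(a) - 1
    share = [0] * (t + 1)
    for i1, i2, i3 in itertools.product(range(t + 1), repeat=3):
        share[i3] = (share[i3] + a[i1][i2][i3] * pow(c1, i1, Q) * pow(c2, i2, Q)) % Q
    return share

def eval_share(share, x3):
    """Horner evaluation of the univariate share at x3."""
    acc = 0
    for b in reversed(share):
        acc = (acc * x3 + b) % Q
    return acc

def direct_key(share, me, peer):
    """Evaluate my share at the peer's credential for the one differing index;
    None if the two IDs are not logical neighbours."""
    (m1, m2), (p1, p2) = me, peer
    pc1, pc2 = credentials(p1, p2)
    if m1 == p1 and m2 != p2:             # level-2 neighbour (same cell)
        return eval_share(share, pc2)
    if m2 == p2 and m1 != p1:             # level-1 neighbour (another cell)
        return eval_share(share, pc1)
    return None

def _enc(key, nonce, data):
    """Stand-in for {.}_K: XOR with a SHAKE-256 keystream bound to key and nonce."""
    pad = hashlib.shake_256(key.to_bytes(8, "big") + nonce).digest(len(data))
    return bytes(p ^ k for p, k in zip(data, pad))

def _mac(key, *parts):
    """Stand-in for H(... || K): HMAC-SHA256 keyed with the direct key."""
    return hmac.new(key.to_bytes(8, "big"), b"|".join(parts), hashlib.sha256).digest()

def build_msg(sender, receiver, k_sr, inner):
    """<receiver, sender, nonce, {inner}_K, MAC>, the message shape of Section 4.2.4."""
    nonce = secrets.token_bytes(8)
    ct = _enc(k_sr, nonce, inner)
    tag = _mac(k_sr, repr(receiver).encode(), repr(sender).encode(), nonce, ct)
    return receiver, sender, nonce, ct, tag

def open_msg(msg, k_sr, me):
    """Check addressing and the MAC before decrypting; raise on any mismatch."""
    receiver, sender, nonce, ct, tag = msg
    if receiver != me:
        raise ValueError("message not addressed to me")
    expected = _mac(k_sr, repr(receiver).encode(), repr(sender).encode(), nonce, ct)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC verification failed")
    return _enc(k_sr, nonce, ct)          # the XOR keystream is its own inverse

def negotiate_indirect_key(shares, u, v):
    """u -> a -> v with agent a = (u1, v2); returns K_uv as chosen by u and as
    recovered by v so the caller can confirm both ends agree."""
    if direct_key(shares[u], u, v) is not None:
        raise ValueError("u and v are logical neighbours; use the direct key")
    a = (u[0], v[1])                      # level-2 neighbour of u, level-1 of v
    k_uv = secrets.randbelow(Q)
    inner = repr(v).encode() + b"|" + repr(u).encode() + b"|" + k_uv.to_bytes(8, "big")
    m1 = build_msg(u, a, direct_key(shares[u], u, a), inner)      # protected by K_ua
    plain = open_msg(m1, direct_key(shares[a], a, u), a)          # agent verifies
    m2 = build_msg(a, v, direct_key(shares[a], a, v), plain)      # re-protected by K_av
    del plain                                                     # agent forgets K_uv
    got = open_msg(m2, direct_key(shares[v], v, a), v)
    return k_uv, int.from_bytes(got[-8:], "big")

def build_network(a):
    """Pre-distribution: one univariate share per node ID (n1, n2)."""
    return {(n1, n2): derive_share(a, n1, n2) for n1 in range(N1) for n2 in range(N2)}
```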
4.2.5 LLK Establishment
Given node density and radio radius in a large scale sensor network, the number of
neighbors of a node is usually small. Each node may establish LLKs for all neighbors
and keep those LLKs in its memory for future use. This can be done just after node
deployment because each node has been preloaded with a polynomial share which can help
key establishment.
When two neighboring nodes are from the same cell, i.e., have the same cell index,
they can apply the direct key calculation to establish an LLK. Due to the deployment
knowledge, we can expect that each node can establish LLKs directly with most of its
neighboring nodes because they are almost from the same cell.
If two neighboring nodes are from different cells but they are level-1 neighbors, then
they can calculate a direct LLK, just like nodes (1, 2) and (2, 2) in Fig. 4-2. Even if two
level-1 neighbors are far away from each other, like nodes (1, 5) and (2, 5), they can always
calculate a shared key independently.
The keys between level-1 neighbors can act as bridges between two cells. A node
in one cell can go through any of the bridges to negotiate keys with nodes in the other
cell. In Fig. 4-2, for example, node (1, 2) can negotiate an indirect LLK with node (2, 6)
through either node (2, 2) or node (1, 6).
Due to the deployment error, some nodes may reside outside of their supposed cells.
In Fig. 4-2, for example, node (1, 7) needs to establish LLKs with neighboring nodes (2, 2),
(2, 5), (2, 6). In this case, node (1, 7) can carry out indirect key negotiation through its
level-1 neighbor (2, 7). Of course, node (2, 7) may be multihop away from node (1, 7), but
the underlying routing protocol can route key negotiation messages between them, just as
is shown in previous work.
Communication overhead is a concern in the indirect LLKs negotiation. LAKE
includes deployment information into the establishment of LLKs, thus each node
may calculate direct LLKs with almost all of its neighbors. This high local secure
connectivity is desirable because it means that each node does not need to spend too
much energy on the establishment of indirect LLKs with neighbors through multi-hop
routing. Conventional LLK schemes with uniform key pre-distribution consume more
energy because of their lower local secure connectivity. In the next section, we will evaluate
the secure connectivity assuming Gaussian distribution for node location in each cell.
Figure 4-2. LLK establishment. [Two adjoining cells separated by a cell boundary, with nodes (1, 2), (1, 5), (1, 6), (1, 7) and (2, 2), (2, 5), (2, 6), (2, 7).]
4.2.6 TLK Establishment
Due to the huge number of nodes in the network, it is impossible to establish a
TLK for each pair of nodes and store the TLK in the pair of nodes during the network
initialization phase. Dynamic establishment of TLKs is much more promising in large scale
sensor networks. Generally, a TLK should be dynamically established on demand during
the handshake procedure between any pair of nodes when they want to communicate with
each other.
Similar to the LLK establishment, each node can establish a direct TLK with each of
the other nodes in its cell because they are level-2 neighbors. As each node has a level-1
neighbor in each of the other cells in the network, it can establish a direct TLK with the level-1
neighbor in that cell (like nodes (18, 6) and (37, 6) in Fig. 4-1). Then it can rely on the
level-1 neighbor as an agent to establish indirect TLKs with other nodes in that cell (in
Fig. 4-1, node (18, 6) can negotiate an indirect TLK with node (37, 4) through node
(37, 6)). Due to the deployment error, there is a possibility that node (37, 6) is not in cell
37, but the underlying routing protocol can relay key negotiation messages between these
nodes as is assumed in previous work.
If a secure link is defined as the communication path between two nodes that have
a shared key, where the secure link may be one-hop or multi-hop, LAKE can achieve the
TLK agreement through a secure path consisting of no more than two secure links, which
means that at most one agent is needed to facilitate the TLK establishment between any
two end nodes. Each secure path in most conventional schemes, which target LLK
establishment, usually consists of more than two secure links, and the length of the secure
path is difficult to determine because it depends on not only the underlying routing
protocol but also the establishment of direct keys between neighboring nodes, especially
in large scale networks. Thus most conventional schemes are more vulnerable to the node
compromise attack than LAKE.
4.2.7 Performance Evaluation
In this section, we carry out some performance evaluation on the memory cost,
the resilience to the node compromise attack, the local secure connectivity, and the
computation overhead.
4.2.7.1 Memory cost
According to Chapter 2, we can simply obtain the minimum polynomial degree t∗ as
$$t^* \le \sqrt[3]{3!}\,N_1 = 1.8171\,N_1 .$$ (4–3)
Because each node keeps t + 1 coefficients of a t-degree univariate polynomial, the memory
cost per node is less than 1.8171√N + 1, where N is the total number of nodes in the
network and the network is divided into N1 = √N cells (the configuration used in the
comparison below).
We compare the memory cost per node of our LAKE with some typical schemes
in Table 4-1. The second column in Table 4-1 gives the normal memory cost of each
scheme. In key-pool-based schemes [13, 15, 16, 20, 37, 40], each node keeps m keys out
of a global or local key pool. Du’s [17], Liu’s [18] and Huang’s [38] schemes replace key
pools with space pools of matrices or polynomials of degree t. In PIKE [25], each node is
preloaded with unique pairwise keys for 2(√N − 1) nodes, where N is the total number of
nodes in the network. Hypercube scheme [19] uses higher dimensional grid. Unlike PIKE,
hypercube uses a t-degree bivariate polynomial for each dimension. For fair comparison,
we assume two-dimensional grid for hypercube. Therefore, the memory cost of hypercube
is 2(t + 1). In LBKP [36] each node is preloaded with 5 polynomial shares, each of which
has a degree of t. HEX [45] and TRI [46] have memory cost of 6(t + 1) and 3(t + 1),
respectively. In LAKE, unlike previous work, each node needs to keep only a t-degree
univariate polynomial and thus the memory cost is only t + 1.
The third column in Table 4-1 gives how many memory units are necessary to provide
secrecy for direct keys, i.e., no matter how many nodes are compromised, the direct keys
among non-compromised nodes are still safe. Key-pool-based schemes [13, 15, 16, 20,
37, 40] cannot provide secrecy because each time an adversary compromises one more
node he/she knows more keys in the global or local key pools. In Du’s [17], Liu’s [18] and
Huang’s [38] schemes, the degree of each matrix or polynomial must be set as t = N − 2
to avoid the exposure of direct keys. So their memory cost is on the order of N. In PIKE
[25], all those 2(√N − 1) keys are preloaded and unique, so any of the keys is secure even if
other keys are compromised. In two-dimensional hypercube [19], each dimension has √N
nodes. In order to protect direct keys, the polynomial degree must be set as t = √N − 2
and thus the memory cost is 2(√N − 1). Suppose LBKP [36], HEX [45], TRI [46]
and LAKE use the same network configuration, where the entire network is divided into √N
cells and each cell consists of √N nodes. In LBKP [36], to guarantee each bivariate
polynomial is secret, the degree should be no less than 5√N − 2 because each bivariate
polynomial is used in its home cell and four adjoining cells. Similarly, the memory costs
of HEX [45] and TRI [46] are 6(2√N − 1) and 3(2√N − 1), respectively. However, the
memory cost of LAKE is less than 1.8171√N + 1.
Table 4-1. Memory cost of different schemes.
Schemes                                   Memory Cost     For Secrecy
key-pool-based [13, 15, 16, 20, 37, 40]   m               (secrecy not achievable)
space-pool-based [17, 18, 38]             O(λ(t + 1))     O(λ(N − 1))
PIKE-2D [25]                              2(√N − 1)       2(√N − 1)
Hypercube-2D [19]                         2(t + 1)        2(√N − 1)
LBKP [36]                                 5(t + 1)        5(5√N − 1)
HEX [45]                                  6(t + 1)        6(2√N − 1)
TRI [46]                                  3(t + 1)        3(2√N − 1)
LAKE                                      t + 1           < 1.8171√N + 1
4.2.7.2 Resilience to node compromise
By launching the node compromise attack, an adversary may easily obtain all secrets
stored in the compromised nodes. Usually, it is impossible to prevent this kind of attack
due to the lack of tamper-proof hardware. Furthermore, the adversary may use the
compromised secrets to derive the direct keys belonging to other pairs of normal nodes. In
addition, by compromising some nodes, the adversary can also obtain the messages passing
through these nodes. This may also lead to the exposure of indirect keys. Here we can use
the additional key exposure probability to evaluate the resilience to the node compromise
attack.
By choosing the global polynomial degree t, we can achieve the secrecy of the global
polynomial, i.e., no matter how many nodes an adversary compromises, he/she cannot
calculate the direct keys belonging to other pairs of non-compromised nodes. Hence, the
additional direct key exposure probability of LAKE is 0.
In conventional key-pool-based or space-pool-based schemes [13, 15, 16, 20, 37, 40],
every time an adversary compromises one more node, he/she obtains more information
about the global key pool or space pool, which means more keys are compromised. For
example, in E-G [13], the additional direct key exposure probability can be calculated as
[15, 37]
$$P_c = 1 - \left(1 - \frac{M}{S}\right)^x ,$$ (4–4)
where each node randomly selects a key subset of size M from a global key set of size S
and the number of compromised nodes is x. We can see it is an increasing function of x.
PIKE (peer intermediaries for key establishment) [25] can also achieve the zero
additional direct key exposure probability because of the pre-distribution of unique direct
keys.
Hypercube-2D [19], LBKP [36], HEX [45] and TRI [46] use t-degree bivariate
polynomial to achieve key agreement. Suppose there are A nodes sharing a t-degree
bivariate polynomial and N is the total number of nodes in the network. Given x
compromised nodes, the probability that i out of A nodes were compromised is
$$P_c(i) = \frac{\binom{A}{i}\binom{N-A}{x-i}}{\binom{N}{x}} ,$$ (4–5)
and thus the probability that the polynomial was compromised is given by
$$P_c = \sum_{i=t+1}^{A} P_c(i) .$$ (4–6)
Suppose each node has a memory size of M units for cryptographic materials and each
memory unit can accommodate a cryptographic key or a polynomial coefficient, and each
node must keep B polynomial shares, the probability of exposing a polynomial can be
rewritten as
$$P_c = \sum_{i=\lfloor M/B \rfloor}^{A} P_c(i) .$$ (4–7)
Here the values of A and B are √N and 2 for Hypercube-2D [19], 5Nc and 5 for LBKP
[36], 2Nc and 6 for HEX [45], and 2Nc and 3 for TRI [46], where Nc is the number of
nodes in one cell.
An example: Suppose 10000 nodes are deployed in an area of 2000 × 2000 m². The global
key pool of E-G [13] is set to 100000. PIKE [25] and Hypercube [19] use a two-dimensional
grid. For LBKP [36], HEX [45], TRI [46] and LAKE, there are 100 cells and thus the
number of nodes per cell is 100. Suppose each node has a memory size of M units for
cryptographic materials and each memory unit can accommodate a cryptographic key or
a polynomial coefficient. Fig. 4-3 and Fig. 4-4 give the additional direct key exposure
probability as a function of the fraction of compromised nodes when M = 240 and M = 180. We
observe that LAKE outperforms other schemes with the zero probability of the additional
direct key exposure. When there is more memory resource (M = 240), Hypercube-2D [19]
can also give the zero probability of the additional direct key exposure. However, when
memory resource is limited (M = 180), Hypercube-2D [19] becomes vulnerable to node
compromise.
Figure 4-3. [Plot of link compromise probability versus fraction of compromised nodes for E-G, PIKE, Hypercube, LBKP, HEX, TRI and LAKE.] M = 240.
Figure 4-4. [Plot of link compromise probability versus fraction of compromised nodes for E-G, PIKE, Hypercube, LBKP, HEX, TRI and LAKE.] M = 180.
Every node needs an agent node to establish indirect LLKs and TLKs with other
nodes. If the agent node is compromised, the indirect keys are exposed. Suppose x out of
N nodes in the network are compromised. The probability of the indirect key exposure is
$$P_c = 1 - \frac{\binom{N-1}{x}}{\binom{N}{x}} = \frac{x}{N} .$$ (4–8)
PIKE-2D [25] and Hypercube-2D [19] can achieve the same probability of the indirect
key exposure because they also rely on one agent node to establish pairwise keys between
neighboring nodes. In other schemes [13, 15, 16, 20, 37, 40], two nodes have to rely on
a secure path consisting of multiple agent nodes to establish an indirect key. It is very
difficult to determine those agent nodes because it depends on not only the underlying
routing protocol but also the establishment of direct keys between neighboring nodes,
especially in large scale networks. For example, in E-G [13] the secure path between two
neighboring nodes consists of 2 or 3 agent nodes and the secure path between any two
end nodes consists of more than 11 agent nodes on average [13]. Suppose the secure path
between two nodes in E-G and LBKP consists of h agent nodes. The probability that the
indirect key between the two end nodes is exposed can be calculated as
$$p_c = 1 - \frac{\binom{N-h}{x}}{\binom{N}{x}} \approx 1 - \left(1 - \frac{x}{N}\right)^h \approx \frac{xh}{N} ,$$ (4–9)
where N ≫ h > 1. Thus, LAKE is more resilient to the node compromise attack.
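The exposure probabilities of Eqs. (4–4) to (4–9), as an added example that is not from the dissertation: it evaluates them as exact rationals for the section's 10000-node, 100-cell configuration, so the M = 240 versus M = 180 behaviour of Hypercube-2D described above can be checked directly. The (A, B) pairs per scheme are the values listed in the text; LAKE's zero direct key exposure is taken from the text rather than computed.

```python
"""Resilience arithmetic of Section 4.2.7.2 (Eqs. 4-4 to 4-9) as exact rationals.
Added example; N, Nc, M and S follow the section's worked configuration and the
(A, B) per scheme are the values the text lists. Nothing here is library code."""
from fractions import Fraction
from math import comb, isqrt

SCHEMES = {      # (A nodes sharing one bivariate polynomial, B shares per node)
    "Hypercube-2D": lambda N, Nc: (isqrt(N), 2),
    "LBKP": lambda N, Nc: (5 * Nc, 5),
    "HEX": lambda N, Nc: (2 * Nc, 6),
    "TRI": lambda N, Nc: (2 * Nc, 3),
}

def poly_exposure_prob(N, A, x, i_min):
    """Eqs. (4-5)-(4-7): probability that at least i_min of the A holders of one
    polynomial are among x nodes compromised uniformly at random out of N
    (hypergeometric tail). Terms with i > x vanish, so the sum stops at min(A, x)."""
    total = comb(N, x)
    return sum(Fraction(comb(A, i) * comb(N - A, x - i), total)
               for i in range(i_min, min(A, x) + 1))

def direct_key_exposure(scheme, N, Nc, M, x):
    """With M memory units and B shares per node, each share has t + 1 = M // B
    coefficients, so the polynomial is recoverable once floor(M/B) holders are
    compromised (Eq. 4-7)."""
    A, B = SCHEMES[scheme](N, Nc)
    return poly_exposure_prob(N, A, x, M // B)

def eg_direct_key_exposure(M, S, x):
    """Eq. (4-4): E-G with M keys per node drawn from a pool of S keys."""
    return 1 - (1 - Fraction(M, S)) ** x

def indirect_key_exposure(N, x, h=1):
    """Exact form behind Eqs. (4-8)/(4-9): the indirect key is exposed if any of
    the h agent nodes on the secure path is among the x compromised nodes."""
    return 1 - Fraction(comb(N - h, x), comb(N, x))

def exposure_table(N=10000, Nc=100, M=240, fractions=(0.1, 0.3, 0.5)):
    """One row per fraction of compromised nodes, as in Figs. 4-3/4-4. LAKE is
    entered as 0 because the text fixes t so the global polynomial is never
    recoverable, whatever the number of compromised nodes."""
    rows = {}
    for frac in fractions:
        x = int(frac * N)
        rows[frac] = {s: float(direct_key_exposure(s, N, Nc, M, x)) for s in SCHEMES}
        rows[frac]["LAKE"] = 0.0
    return rows
```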
4.2.7.3 Local secure connectivity
Every node can calculate direct LLKs with some neighbors, and establish indirect
LLKs with other neighbors through one agent node. The local secure connectivity is
directly related to the communication overhead of key establishment. If a node has high
probability to calculate direct LLKs, it can save a lot of communication overhead on
the establishment of indirect LLKs through multi-hop routing. Hence, high local secure
connectivity, which is the probability of establishment of direct LLKs, is desirable in
sensor networks.
In the schemes [13, 15, 16, 20], key materials are uniformly pre-distributed in the
network. It is highly possible that two nodes with correlated key materials cannot
establish a direct LLK because they are far away from each other. For example, in
E-G scheme [13], each node randomly selects M keys from S keys, thus the local secure
connectivity of E-G is $1 - \binom{S-M}{M}/\binom{S}{M} \approx 1 - (1 - M/S)^M \approx M^2/S$, where S ≫ M. In PIKE-2D
[25] and Hypercube-2D [19], each node keeps pairwise keys with 2(√N − 1) nodes, thus the
local secure connectivity of these two schemes is 2(√N − 1)/N ≈ 2/√N. The low connectivity
will incur significant communication overhead.
It has been shown that deployment knowledge can be used to increase the connectivity
[36–38, 45, 46]. By intentionally pre-distributing the same set of secrets in small cells, they
can achieve much higher connectivity than uniform pre-distribution schemes. Though
our key agreement model still works in uniform pre-distribution scenarios, we consider
deployment knowledge here to further increase the local secure connectivity.
Due to deployment errors, we cannot expect each node resides at the predetermined
location. Rather, the node deployment in each cell follows some probabilistic distribution.
In order to evaluate the influence of deployment knowledge, we use the Gaussian
distribution [17, 45, 50] in our simulation. Particularly, the location of each node follows
the distribution,
$$p(x, y) = \frac{1}{2\pi\sigma^2}\exp\left(-\frac{(x - x_c)^2 + (y - y_c)^2}{2\sigma^2}\right),$$ (4–10)
where (xc, yc) is the center of the cell in which the node resides and (x, y) is the real
location of the node.
We use the same configuration parameters in Section 4.2.7.2 in our simulation.
There are 10000 nodes deployed in an area 2000 × 2000m2. All the schemes evaluated
here can store M = 200 keys. The node radio radius is 150m, which corresponds to the
MICA2 capability [31]. The global key pool of E-G [13] is set to 100000. The schemes
E-G [13], PIKE-2D [25] and Hypercube [19] use the uniform pre-distribution. As for
the location-based schemes LBKP [36], HEX [45], TRI [46] and LAKE, there are 100
cells and thus the number of nodes per cell is 100. The inter-cell distance (the distance
between the centers of neighboring cells) is set to 200m. The standard deviation is set to
σ = 50m. Under these configurations, we simulate a sensor network, find the local secure
connectivity of each node, and average it over all the nodes. The average local secure
connectivity is given in Table 4-2.
We observe that the local secure connectivity for the uniform pre-distribution
schemes [13, 19, 25] is very low. The location-based schemes [36, 45, 46] have much higher
connectivity because all the nodes in neighboring cells are pre-distributed with correlated
key materials. LAKE has lower local secure connectivity than the location-based schemes
[36, 45, 46], because in LAKE only the nodes in one cell have correlated key materials and
each node can establish a direct key with only one node in another cell. However, LAKE
still has much higher local secure connectivity than the uniform pre-distribution schemes
such as E-G [13], PIKE-2D [25] and Hypercube [19].
Table 4-2. Local secure connectivity of different schemes
Schemes                               Local Connectivity
E-G [13]                              0.2797
PIKE-2D [25], Hypercube-2D [19]       0.0276
LBKP [36]                             0.9999
HEX [45]                              0.9960
TRI [46]                              0.9985
LAKE                                  0.5317
4.2.7.4 Computation overhead
LAKE is based on the symmetric key technology, where a global t-degree tri-variate
symmetric polynomial is used to build up a secure infrastructure. Each sensor node
can calculate a key by using a t-degree univariate polynomial, which is a share of the
global polynomial. It has been shown in Hypercube [19] that the polynomial evaluation is
comparable with conventional symmetric key primitives such as Message Authentication
Code based on RC5 or SkipJack. To calculate a key, each node should perform 2t − 1
modular multiplications over Z_q^*: t − 1 for x^2, . . . , x^t and t for b_1 x, b_2 x^2, . . . , b_t x^t. Under the
symmetric key technology, the length of q is usually 64 bits or 128 bits. Suppose the same
configuration parameters as in Section 4.2.7.2 are used here, where the total number of nodes is
N = 10000, the number of nodes per cell is 100, and the number of cells is 100. According
to Table 4-1, t is less than 181. Hence, each node needs to perform only 361 64-bit
or 128-bit modular multiplications. Similarly, the number of modular multiplications of
other polynomial-based schemes is given in Table 4-3. Obviously LAKE is more efficient
than most conventional symmetric key schemes.
Table 4-3. Computation overhead of different schemes.
Schemes              # of shares   degree    # of multiplications
Hypercube-2D [19]    2             98        390
LBKP [36]            5             498       3875
HEX [45]             6             198       2370
TRI [46]             3             198       1185
LAKE                 1             < 181     < 361
Public key techniques such as RSA and Diffie-Hellman can also achieve key
agreement. The basic operation of RSA and Diffie-Hellman is the modular exponentiation
of the form y^x (mod q). One modular exponentiation needs (3/2) log₂ q modular
multiplications of log₂ q-bit operands on average [5]. To guarantee the same level of security, here q is usually
1024 bits and y and x are drawn from Z_q^*. Thus a public key based operation requires
1536 1024-bit modular multiplications on average. A 1024-bit modular multiplication is
(1024/64)² = 256 times more expensive than a 64-bit modular multiplication [17]. Hence the
public key techniques are 256 × 1536/361 = 1089 times more expensive than LAKE if 64-bit
symmetric keys are used in LAKE.
4.3 Scalable Link-Layer Key Agreement in Sensor Networks
In this section, we extend our LAKE into the multi-dimension case [49]. Our scheme
is based on a method we have developed in [9]. Each sensor node carries a share of
a global t-degree multivariate symmetric polynomial. If the shares of two nodes are
correlated, the two nodes can calculate a shared key directly. Otherwise, they can
negotiate an indirect key with the help of an intermediate node. We utilize node
deployment knowledge such that nodes with correlated shares are deployed as close as
possible. In this way, each node can directly calculate LLKs with most of its neighbors. In
this section, we will elaborate the details of our scheme.
4.3.1 Network Model
We assume each node is identified by an index-tuple (n1, n2, . . . , nk), where ni =
0, 1, . . . , Ni − 1, i ∈ {1, 2, . . . , k}, and we may use the index-tuple as the node ID. Hence
each node is mapped into a point in a k-dimension vector set S1 × S2 × · · · × Sk, where
ni ∈ Si ⊂ Z and the cardinality |Si| = Ni, for i = 1, 2, . . . , k. The maximum number of
nodes that the network can consist of is $N = \prod_{i=1}^{k} N_i$.
Due to the broadcast characteristics of radio communications, adversaries can easily
eavesdrop on any messages, either non-encrypted or encrypted, transmitted over the air
between nodes. Adversaries may capture any node and compromise the secrets stored in
the node. Furthermore, adversaries can use the compromised secrets to derive more secrets
shared between other non-compromised nodes. We try to reduce the probability that the
keys shared between non-compromised nodes are exposed when some nodes have already
been compromised. To further evaluate the impact of node compromise, we assume the
probability of the compromise of a node is p.
4.3.2 Share Distribution
Before network deployment, a global t-degree (k + 1)-variate symmetric polynomial is
constructed as is stated in Chapter 2. This polynomial is used to derive shares for sensor
nodes.
To achieve key agreement, every node $n$ should have $k$ credentials $(c_1, c_2, \ldots, c_k)$, which are positive and pairwise different. These credentials can be created and preloaded into nodes before deployment, but this requires additional memory space per node. Fortunately, the $k$ credentials can be derived from the $k$ indices in the node ID $(n_1, n_2, \ldots, n_k)$ by a bijection, i.e.,
$$
\begin{aligned}
c_1 &= n_1 + 1 \\
c_2 &= n_2 + 1 + N_1 \\
c_3 &= n_3 + 1 + N_1 + N_2 \\
&\;\;\vdots \\
c_{k-1} &= n_{k-1} + 1 + N_1 + \cdots + N_{k-2} \\
c_k &= n_k + 1 + N_1 + \cdots + N_{k-1},
\end{aligned}
\qquad (4\text{–}11)
$$
where $n_i = 0, 1, \ldots, N_i - 1$ for $i = 1, 2, \ldots, k$. Thus the $k$ credentials are drawn from different zones, in that $c_1 \in [1, N_1]$ and $c_i \in [N_1 + \cdots + N_{i-1} + 1,\; N_1 + \cdots + N_i]$ for $i = 2, \ldots, k$, which guarantees they are positive and pairwise different.
For a node $(n_1, n_2, \ldots, n_k)$, a polynomial share
$$
f_{k+1}(x_{k+1}) = f(c_1, c_2, \ldots, c_k, x_{k+1}) = \sum_{i_{k+1}=0}^{t} b_{i_{k+1}}\, x_{k+1}^{i_{k+1}} \qquad (4\text{–}12)
$$
is calculated, where
$$
b_{i_{k+1}} = \sum_{i_1=0}^{t} \sum_{i_2=0}^{t} \cdots \sum_{i_k=0}^{t} a_{i_1, i_2, \ldots, i_k, i_{k+1}}\, c_1^{i_1} c_2^{i_2} \cdots c_k^{i_k} \qquad (4\text{–}13)
$$
and $(c_1, c_2, \ldots, c_k)$ is mapped from $(n_1, n_2, \ldots, n_k)$ according to the equations (4–11).
Then the polynomial share is assigned to the node. Here, the node only knows the t + 1
coefficients of the univariate polynomial share, but not the coefficients of the original
(k+1)-variate polynomial. Therefore, even if the marginal bivariate polynomial is exposed,
the global polynomial is still safe if the degree t is chosen properly.
4.3.3 Node Deployment
Two nodes can calculate a shared key if their credentials have only one mismatch. Due to the one-to-one mapping in the equations (4–11), two nodes $u$ with ID $(u_1, u_2, \ldots, u_k)$ and $v$ with ID $(v_1, v_2, \ldots, v_k)$ can directly calculate a shared key without any interaction if their IDs have only one mismatch. If the two nodes are within radio range of each other, the key can be used as an LLK. Therefore, we need a deployment method that intentionally places nodes whose IDs have only one mismatch as close together as possible. In this way, each node can establish link-layer keys with most of its neighbors.
Because a node ID is an index-tuple $(n_1, n_2, \ldots, n_k)$, where $n_i = 0, 1, \ldots, N_i - 1$, $i \in \{1, 2, \ldots, k\}$, the network is logically constructed with $k$ levels. The $i$-th level consists of $N_1 \times N_2 \times \cdots \times N_i$ cells, each of which has $N_{i+1}$ subcells, i.e., $N_{i+1} \times \cdots \times N_k$ nodes, where $i = 1, 2, \ldots, k - 2$. The $(k-1)$-th level consists of $N_1 \times N_2 \times \cdots \times N_{k-1}$ cells, each of which has $N_k$ nodes. Here, the notation $(n_1, n_2, \ldots, n_i)$ can be seen as the cell ID at the $i$-th level for $i = 1, 2, \ldots, k - 1$. An example is illustrated in Fig. 4-5 (A), where $N_1 = N_2 = N_3 = 9$.
To facilitate key agreement, the logical network topology is transformed into a real one, which decides the real node deployment model. Suppose a level-$(i-1)$ cell has $N_i = R_i \times C_i$ subcells. To do the transformation, the following two steps are taken:
1. In the first step, flip the even rows of the level-$(i-1)$ cell vertically;
2. In the second step, flip the even columns of the level-$(i-1)$ cell horizontally.
An example is depicted in Fig. 4-6. A cell at the $(i-2)$-th level has $N_{i-1} = 3 \times 5$ level-$(i-1)$ subcells (Fig. 4-6 (A)), each of which again has $N_i$ subcells. By the two-step transformation, we get the real cell topology illustrated in Fig. 4-6 (B).
The entire network topology is constructed based on the two-step transformation. In this way, the network is divided into $N_1 \times N_2 \times \cdots \times N_{k-1}$ cells, where the cells are located according to the spatial order determined by the two-step transformation. All the nodes are deployed into their corresponding cells based on their IDs. The real network topology of the example in Fig. 4-5 (A) is illustrated in Fig. 4-5 (B).
4.3.4 Link-layer Key Agreement
As stated before, two nodes $u$ with ID $(u_1, u_2, \ldots, u_k)$ and $v$ with ID $(v_1, v_2, \ldots, v_k)$ can directly calculate a shared key without any interaction if there is only one mismatch, say at the $i$-th index, in their IDs. Then node $u$ can take $v_i + 1 + N_1 + \cdots + N_{i-1}$ as the input to its own share $f(c_1, c_2, \ldots, c_k, x_{k+1})$, and node $v$ can likewise take $u_i + 1 + N_1 + \cdots + N_{i-1}$ as the input to its share $f(c_1, c_2, \ldots, c_k, x_{k+1})$. The direct shared key between nodes $u$ and $v$ is then calculated as
$$
\begin{aligned}
K_{uv} &= f(c_1, \ldots, u_i + 1 + N_1 + \cdots + N_{i-1}, \ldots, c_k,\; v_i + 1 + N_1 + \cdots + N_{i-1}) \\
&= f(c_1, \ldots, v_i + 1 + N_1 + \cdots + N_{i-1}, \ldots, c_k,\; u_i + 1 + N_1 + \cdots + N_{i-1}).
\end{aligned}
\qquad (4\text{–}14)
$$
Figure 4-5. Topology. A) Before deployment. B) After deployment. (Grid of 9 × 9 cells, node IDs 00 through 88; figure content not reproduced.)
Figure 4-6. Deployment strategy. A) Before deployment. B) After deployment. (Subcell rows indexed 0 through Ni−1; figure content not reproduced.)
Because all node credentials of $u$ and $v$ are drawn from different subsets where any two subsets have no intersection, and $u_i \neq v_i$, the $k + 1$ credentials used to calculate the shared key are pairwise different, and the set of credentials is unique. Therefore the shared key calculated by nodes $u$ and $v$ is unique, i.e., other nodes do not know the shared key.
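The share derivation of Section 4.3.2 and the direct key computation of Section 4.3.4, worked through for general $k$ as an added example (this is not code from the dissertation). The modulus, the degree $t$, the dimension sizes $N_i$ and the node IDs are constructed for illustration, and the global symmetric polynomial is drawn at random.

```python
"""Added worked example (not code from the dissertation): share distribution
(Section 4.3.2) and direct key computation (Section 4.3.4) of the multi-dimensional
LAKE scheme.  Q, t, the dimension sizes N_i and the node IDs are constructed."""
import itertools
import random

Q = 2**31 - 1   # prime modulus standing in for the text's Z_q (constructed)


def make_symmetric_poly(t, k, rng):
    """Coefficient table of a t-degree (k+1)-variate symmetric polynomial.  Keying
    it on the sorted exponent tuple makes a[i_1..i_{k+1}] equal under any
    permutation of the indices, which is exactly the symmetry (4-14) relies on."""
    coef = {}
    for idx in itertools.product(range(t + 1), repeat=k + 1):
        key = tuple(sorted(idx))
        if key not in coef:
            coef[key] = rng.randrange(Q)
    return coef


def poly_eval(coef, t, args):
    """f(x_1, ..., x_{k+1}) mod Q straight from the global table (pre-deployment only)."""
    total = 0
    for idx in itertools.product(range(t + 1), repeat=len(args)):
        term = coef[tuple(sorted(idx))]
        for x, e in zip(args, idx):
            term = term * pow(x, e, Q) % Q
        total = (total + term) % Q
    return total


def credentials(node_id, dims):
    """Equation (4-11): c_i = n_i + 1 + N_1 + ... + N_{i-1}.  Each dimension draws
    from its own zone, so the k credentials are positive and pairwise different."""
    creds, offset = [], 0
    for n, N in zip(node_id, dims):
        if not 0 <= n < N:
            raise ValueError("index outside its dimension")
        creds.append(n + 1 + offset)
        offset += N
    return creds


def derive_share(coef, t, node_id, dims):
    """Equations (4-12)/(4-13): the t+1 coefficients b_{i_{k+1}} of the univariate
    share f(c_1, ..., c_k, x_{k+1}).  Only this list is loaded onto the node."""
    creds = credentials(node_id, dims)
    share = []
    for e_last in range(t + 1):
        b = 0
        for idx in itertools.product(range(t + 1), repeat=len(dims)):
            term = coef[tuple(sorted(idx + (e_last,)))]
            for c, e in zip(creds, idx):
                term = term * pow(c, e, Q) % Q
            b = (b + term) % Q
        share.append(b)
    return share


def share_eval(share, x):
    """Evaluate the stored share at x (Horner's rule mod Q)."""
    acc = 0
    for b in reversed(share):
        acc = (acc * x + b) % Q
    return acc


def direct_key(my_id, my_share, peer_id, dims):
    """Equation (4-14): a direct key exists only if the IDs differ in exactly one
    position i; the peer's i-th credential is the input to our share.  Returns
    None otherwise, meaning the pair must go through one intermediate node."""
    mismatch = [i for i, (a, b) in enumerate(zip(my_id, peer_id)) if a != b]
    if len(mismatch) != 1:
        return None
    return share_eval(my_share, credentials(peer_id, dims)[mismatch[0]])


def demo(t=2, dims=(4, 4, 4), seed=7):
    """Constructed run: u and v differ only in the last index and agree on a key
    that matches the global polynomial; w differs from u in two indices."""
    rng = random.Random(seed)
    coef = make_symmetric_poly(t, len(dims), rng)
    u, v, w = (0, 1, 2), (0, 1, 3), (1, 1, 3)
    share_u = derive_share(coef, t, u, dims)
    share_v = derive_share(coef, t, v, dims)
    k_uv = direct_key(u, share_u, v, dims)
    k_vu = direct_key(v, share_v, u, dims)
    expected = poly_eval(coef, t, credentials(u, dims) + [credentials(v, dims)[2]])
    return k_uv, k_vu, expected, direct_key(u, share_u, w, dims)


if __name__ == "__main__":
    print(demo())
```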
Consider our deployment model. At the lowest level, the network is divided into $N_1 \times N_2 \times \cdots \times N_{k-1}$ cells. All the nodes in each of those cells have a common ID prefix, which is the cell ID, and their node IDs differ only at the $k$-th position. Therefore, any pair of nodes in one cell can calculate a direct shared key. For example, the two nodes (041) and (044) in cell (04) (Fig. 4-5 (B)) can calculate a shared key directly.
For two neighboring cells whose cell IDs have only one mismatch, each node in one cell can find a node in the other cell such that the two nodes have only one mismatch in their node IDs, i.e., the two nodes can calculate a shared key directly. In the example of Fig. 4-5 (B), node (041) in cell (04) can calculate a shared key directly with node (081) in cell (08). With the help of node (081), node (041) can indirectly establish a shared key with every other node in cell (08).
Two neighboring cells with two mismatches in their cell IDs lie diagonally from each other and have a neighboring cell in common, which has only one mismatch in cell ID with each of them. In Fig. 4-5 (B), node (081) in cell (08) can indirectly negotiate a shared key with node (151) in cell (15) through node (181) in cell (18), because node (181) has direct keys with nodes (081) and (151) respectively. Then node (081) can indirectly negotiate a shared key with each of the other nodes in cell (15) through node (151).
In our deployment model, each node can calculate direct LLKs with most of its neighbors, because most of its neighbors are in the same cell, and can negotiate indirect LLKs with the remaining neighbors with the help of only one intermediate node. Moreover, each node can even establish shared keys with other nodes multiple hops away.
4.3.5 Performance Evaluation
In this section, we will carry out some analysis and evaluate our scheme in comparison
with some typical schemes including [13, 21, 23, 25, 36].
4.3.5.1 Memory cost
It has been proved in [9] that, to guarantee the security of the global polynomial, the minimum degree $t^*$ can be bounded as
$$
t^* \le r \cdot N_1, \qquad (4\text{–}15)
$$
where the ratio
$$
r = \sqrt[k+1]{\frac{k\,(k+1)!}{2}}. \qquad (4\text{–}16)
$$
Table 4-4. Memory cost of different schemes
Schemes                  Memory cost
E-G [13]                 $m$
LBKP [36]                $5(t + 1)$
PIKE [25]                $2(\sqrt{N} - 1)$
Combinatorial [21, 23]   $O(\sqrt{N})$
Ours                     $O(\sqrt[k]{N})$
We compare the memory cost per node of our scheme with other schemes in Table 4-4. In the E-G scheme [13], each node has a subset of $m$ keys, where $m$ may be more than 100 if a certain security level or connectivity is to be maintained. In LBKP [36], each node is preloaded with 5 polynomial shares, each of degree $t$; however, in order to maintain strong security, the value of $t$ is very high, so its memory cost is much higher than ours. In PIKE [25], each node must store $2(\sqrt{N} - 1)$ keys, where $N$ is the network size. Combinatorial design techniques are proposed in [21, 23]. They are similar to E-G [13], but they can ensure key sharing between any pair of nodes. The memory cost of their schemes is roughly $O(\sqrt{N})$, where $N$ is the total number of nodes. The memory cost of our scheme, however, can be $O(\sqrt[k]{N})$, which is much less.
4.3.5.2 Security
In our scheme, each node can calculate direct LLKs with most of its neighbors. Each direct LLK is known only to the pair of nodes that share it, and the key cannot be derived by other nodes, because we choose the value of $t$ such that the global polynomial remains secure in case of node compromise. As for the other neighbors, each node can negotiate an indirect LLK with each of them through only one intermediate node. So if the probability of node compromise is $p$, then the probability of exposure of an indirect key is just $p$.
In conventional schemes [13, 21, 23, 36], when the number of compromised nodes is large, the direct keys among non-compromised nodes can be exposed. Moreover, the indirect keys are insecure as well, because each indirect key has to be established with the help of several intermediate nodes along a path. If such a path involves $h$ intermediate nodes, then the probability that an indirect key is exposed can be calculated as
$$
P_c = 1 - (1 - p)^h. \qquad (4\text{–}17)
$$
PIKE [25] is similar to our scheme in that any pair of nodes can establish a shared
key through no more than one intermediate node. The difference is that it does not
utilize deployment knowledge to facilitate LLK agreement and thus is more expensive in
communication. Moreover, its memory cost per node is higher than ours. Obviously, our
scheme is more secure than conventional schemes.
4.3.5.3 Local secure connectivity
Every node can calculate direct LLKs with some neighbors, and establish indirect
LLKs with other neighbors through one intermediate node. The local secure connectivity
is directly related to the communication overhead of key establishment. If a node has a high probability of calculating direct LLKs, it saves a lot of the communication overhead of establishing indirect LLKs through multi-hop routing. Hence, high local secure connectivity, which is the probability of establishing direct LLKs, is desirable in sensor networks.
Suppose nodes are uniformly deployed in each cell. The local secure connectivity can be calculated as the ratio of the node's coverage within its cell to the node's transmission area. Suppose the side length of each cell is $2D$ and the node radio radius is $R$. Due to the symmetry of the square cell, we only consider the first quadrant of the Cartesian coordinate plane (Fig. 4-7), with the center of the cell at the origin. The first quadrant is divided into five areas, each corresponding to a different node coverage $A(x_o, y_o)$ in the cell, where $(x_o, y_o)$ is the location of the node. $A(x_o, y_o)$ can be calculated as
$$
A(x_o, y_o) =
\begin{cases}
\pi R^2, & 0 \le x_o < D - R,\; 0 \le y_o < D - R \\[4pt]
R^2\!\left(\pi - \tfrac{1}{2}\arccos(2Y_o^2 - 1) + Y_o\sqrt{1 - Y_o^2}\right), & 0 \le x_o < D - R,\; D - R \le y_o < D \\[4pt]
R^2\!\left(\pi - \tfrac{1}{2}\arccos(2X_o^2 - 1) + X_o\sqrt{1 - X_o^2}\right), & D - R \le x_o < D,\; 0 \le y_o < D - R \\[4pt]
R^2\!\left(\pi - \tfrac{1}{2}\arccos(2X_o^2 - 1) - \tfrac{1}{2}\arccos(2Y_o^2 - 1) + X_o\sqrt{1 - X_o^2} + Y_o\sqrt{1 - Y_o^2}\right), & D - R \le x_o < D,\; D - R \le y_o < D,\; (x_o - D)^2 + (y_o - D)^2 > R^2 \\[4pt]
R^2\!\left(\left(X_o + \sqrt{1 - Y_o^2}\right)\left(Y_o + \sqrt{1 - X_o^2}\right) + \arccos\!\left(-X_o\sqrt{1 - Y_o^2} - Y_o\sqrt{1 - X_o^2}\right) - \left|\sqrt{(1 - X_o^2)(1 - Y_o^2)} - X_o Y_o\right|\right), & D - R \le x_o < D,\; D - R \le y_o < D,\; (x_o - D)^2 + (y_o - D)^2 \le R^2
\end{cases}
\qquad (4\text{–}18)
$$
where $X_o = \frac{D - x_o}{R}$ and $Y_o = \frac{D - y_o}{R}$. Thus the local secure connectivity can be calculated as
$$
C = \frac{1}{\pi R^2 D^2} \int_{0}^{D} \int_{0}^{D} A(x_o, y_o)\, dx_o\, dy_o. \qquad (4\text{–}19)
$$
In scheme [13], each node selects $M$ keys from $S$ keys, thus the local secure connectivity is roughly $1 - \binom{S-M}{M} / \binom{S}{M} \approx M^2/S$, where $S \gg M$. In PIKE [25], each node keeps unique pairwise keys with $2(\sqrt{N} - 1)$ nodes, thus the local secure connectivity of PIKE is about $2/\sqrt{N}$. Schemes [21, 23] are similar to PIKE [25] in that the local secure connectivity is roughly $O(1/\sqrt{N})$. The LBKP scheme [36] uses location information to facilitate key pre-distribution so that each node can establish direct LLKs with all neighbors in its cell and in neighboring cells, leading to a local secure connectivity of about 1 if all the nodes are uniformly deployed in their home cells.
Figure 4-7. Node coverage in one cell. (Axes $x$ and $y$ from the cell center $o$, with the node position marked relative to $D - R$ and $D$; figure content not reproduced.)
The low local secure connectivity of schemes [13, 21, 23, 25] arises because each node cannot store many keys in order to increase the local secure connectivity. In our scheme, however, the local secure connectivity is unrelated to memory cost. For example, suppose the cell size is 200 × 200 m² and the node radio radius is 25 m. The local secure connectivity of our scheme is 0.89, which is much higher than that of [13, 21, 23, 25], which is usually much less than 0.5.
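A numeric cross-check of the local secure connectivity of Section 4.3.5.3 for the cell and radio parameters quoted above, as an added example (not code from the dissertation). It obtains $A(x_o, y_o)$ by direct numerical integration of the disk/square intersection instead of the closed form (4–18), then averages over the first quadrant as in (4–19); $D = 100$ m and $R = 25$ m are taken from the text's example, and the grid and slice counts are constructed choices.

```python
"""Added numeric example (not code from the dissertation): the local secure
connectivity of Section 4.3.5.3 for a square cell of side 2D and radio radius
R, with A(x_o, y_o) obtained by integrating the disk/square intersection
directly.  The 200 m x 200 m cell and R = 25 m are the text's own example."""
import math


def coverage_area(xo, yo, D, R, slices=200):
    """A(xo, yo): area of the radius-R disk centred at (xo, yo) that lies inside
    the cell [-D, D] x [-D, D].  Midpoint rule over vertical chords, each chord
    clipped to the cell's top and bottom edges."""
    x_lo, x_hi = max(xo - R, -D), min(xo + R, D)
    if x_hi <= x_lo:
        return 0.0
    dx = (x_hi - x_lo) / slices
    area = 0.0
    for s in range(slices):
        x = x_lo + (s + 0.5) * dx
        h = math.sqrt(max(R * R - (x - xo) ** 2, 0.0))   # half chord length
        top, bottom = min(yo + h, D), max(yo - h, -D)
        if top > bottom:
            area += (top - bottom) * dx
    return area


def local_secure_connectivity(side, R, grid=40):
    """Equation (4-19): C = 1/(pi R^2 D^2) * integral over [0, D]^2 of A(xo, yo),
    i.e. the expected covered fraction for a node uniformly placed in the cell
    (the square's symmetry lets the first quadrant stand for the whole cell).
    Midpoint rule on a grid x grid lattice of node positions."""
    D = side / 2.0
    step = D / grid
    total = 0.0
    for ix in range(grid):
        for iy in range(grid):
            total += coverage_area((ix + 0.5) * step, (iy + 0.5) * step, D, R)
    return total * step * step / (math.pi * R * R * D * D)


if __name__ == "__main__":
    # Constructed run with the text's parameters: 200 m x 200 m cell, R = 25 m.
    c = local_secure_connectivity(200.0, 25.0)
    print(f"local secure connectivity C: {c:.3f}")
```

At the cell corner ($X_o = Y_o = 0$) the fifth case of (4–18) as printed evaluates to $\pi R^2/2$ rather than the quarter disk $\pi R^2/4$, so that case appears to be missing a factor of $1/2$; the direct integration above sidesteps the closed form entirely.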
4.4 Conclusion
In this chapter, we proposed novel LLK and TLK establishment schemes, which are scalable to large networks with small memory cost. Compared with conventional schemes, which have a memory cost of at least $O(\sqrt{N})$ in a network with $N$ nodes, our scheme has only $O(\sqrt[k]{N})$ memory cost per node, where $k > 1$. Moreover, we utilize node deployment knowledge to facilitate direct LLK agreement so that the local secure connectivity is very high. In this way, the communication overhead of establishing indirect LLKs is reduced significantly. The security of our scheme is very strong in that most LLKs are established directly, and the remaining indirect LLKs are established through only one intermediate node.
CHAPTER 5
A LOCATION-BASED NAMING MECHANISM FOR SECURING SENSOR NETWORKS
5.1 Introduction
Every node in a network has a name. We usually call it an identifier, because it helps us to identify each individual node. Besides the identification function, the name may tell us some useful information about the node, and that information is very helpful in many network activities. For example, in a social network we may infer a person's family background from his last name, and an IP address in the Internet consists of a network identifier and a host identifier, which are used in routing protocols. However, if we strip the name of that meaningful information, we need to assign every node some additional attributes to reflect the required information in some scenarios, which means extra storage. Unfortunately, the current naming mechanism in sensor networks sets a bad example, in which every node's identifier is taken from a one-dimensional name space that has no meaning beyond the identification function.
Obviously, it is more beneficial if every node’s identifier reflects more information
about itself. In this chapter, we propose a location-based naming (LBN) mechanism
for sensor networks [51, 52]. The idea is to embed some location information into node
identifier (ID) and use the location information to facilitate many applications in sensor
networks. Particularly, the entire network is divided into many cells, and each cell is
marked by a cell index. All sensor nodes are deployed in groups such that each cell is
deployed with a group of nodes. Hence, the nodes in one cell have the same cell index. To
distinguish each individual node in one cell, each node is assigned a node index, which is
unique in the cell. In this way each node ID has two parts: the cell index, which tells which cell of the network the node resides in, and the node index, which acts like the conventional identifier for identifying the node within the cell. Thus location information is embedded into node IDs by the one-to-one mapping between cell indices and the locations of cells.
This LBN mechanism may find many applications in sensor networks, such as
geographic routing, target tracking, environment surveillance, etc. However, our focus is
the security applications in sensor networks. Because it is embedded into node IDs, the
location information may act like an inherent node characteristic in stationary sensor
networks, thus it can be used to provide authentication services in local access control
[53]. For example, every node participates in the network through a neighbor-to-neighbor communication mode, so every node should accept packets only from the nodes in its neighborhood. The LBN mechanism is well suited to this scenario, in that every node may identify whether a packet comes from a neighbor or from a distant node based on the node ID in the packet.
Many attacks in sensor networks try to wreak havoc by skewing the network topology [33]. For example, a malicious node may impersonate other normal nodes by changing its node ID, thus causing severe topological distortion that leads to the failure of routing protocols. However, by binding location information to node IDs, LBN can be used to detect those topological distortions. When LBN is employed, a malicious node cannot change its ID into one from a cell far away from its own cell, because the malicious node may be detected if its ID does not belong to its own cell. However, the malicious node may still impersonate IDs in its neighborhood, because all IDs in one cell have the same cell index. In this case, some neighborhood authentication service should be applied to detect the malicious node.
We make the following contributions in this chapter:
1. We introduce the naming problem for sensor networks in the literature for the first time;
2. We propose a location-based naming mechanism LBN and explore its security value for sensor networks;
3. We propose a link layer authentication scheme LLA, which incorporates LBN, to provide a neighborhood authentication service;
4. We will show that our LBN mechanism and LLA scheme can be combined to provide an efficient defense against many notorious attacks in sensor networks.
The rest of this chapter is organized as follows. In Section 5.2 we propose the location-based naming mechanism LBN to realize our idea for a network naming system. In Section 5.3 we describe the link layer authentication scheme LLA, and show how it acts as a reinforcement of our LBN mechanism by providing neighborhood authentication. We discuss how our LBN mechanism and LLA scheme can be combined to defend against many notorious attacks in sensor networks in Section 5.4. Some discussion is given in Section 5.5, and the conclusion in Section 5.6.
5.2 Location-based Naming Mechanism
5.2.1 Location Determination
To utilize location information, the first requirement is to acquire it. Location determination is not a trivial task in stationary sensor networks. It is infeasible to equip every node with a GPS (global positioning system) receiver, given the desire for low-cost sensor nodes. Though there are some post-deployment methods [53–55], they rely on cooperation between sensor nodes, which leads to a large amount of communication overhead.
However, when a sensor network is deployed in an area, some location information is known a priori. Hence, if we deploy a group of nodes into an area, we may preload the location information of the area into the nodes' memory. This a-priori location information can be used in many scenarios such as key management [36–41]. Due to deployment errors, the a-priori location information is less precise than posterior measurements; however, it obviates the need for expensive positioning devices and complex distributed location determination algorithms, and is thus well suited to some applications in resource-constrained sensor networks. In this paper, we use the coarse-grained a-priori location information to develop a security scheme to defend against many attacks on network topology.
Figure 5-1. A square cell deployment model. (Cell (i, j) surrounded by its eight neighboring cells, (i−1, j−1) through (i+1, j+1); figure content not reproduced.)
Before deploying a group of sensor nodes, we should decide where the group should reside. Thus the entire deployment area is divided into many adjacent non-overlapping cells. Every cell is centered on a deployment point. Depending on the specific deployment model, the contour of a cell may be a square [36–38, 48, 49], a hexagon [45] or a triangle [46]. For simplicity, a square cell (Fig. 5-1) is used as an instance in this paper. However, other shapes are still applicable with a few modifications.
Each group of nodes is intended to be deployed in a predefined cell. Due to deployment errors, every node will be deployed around the deployment point of its cell according to some probability distribution function (PDF), such as a Gaussian or a uniform distribution. It is necessary to point out that the area where a node resides does not necessarily have the same shape as its cell. For example, the area where a node resides may be a circle because of a centered Gaussian distribution while its cell is a square. However, we may improve deployment precision so that the probability that a node resides outside its cell is very small [45, 46, 48, 49].
5.2.2 Location-based Name
When the deployment model is defined, the location of each deployment point is known. By associating each group of nodes with a specific cell, we may know in which cell of the network each node will reside. In a large scale sensor network, the coordinates of deployment points usually have a length of several bytes. However, in current link layer protocols for sensor networks, the node ID field length is usually less than 4 bytes. For example, in the TinyOS packet format, the node ID field length is only 16 bits [56]. It is impossible to include the location coordinates of deployment points directly in the node ID field in large scale sensor networks. However, our scheme does not rely on precise location information; we only count on the relative location between sensor nodes. Hence, we use indices instead.
In our deployment model, each cell is marked with a cell index, which is a pair of integers $(i, j)$, where $i$ is the row index and $j$ is the column index. Thus we can identify each cell and its associated group of nodes by its cell index. The indices are not absolute location coordinates, so they can be very small integers. With this benefit, we may allocate several bits of the node ID field for the cell index, and the remaining bits of the node ID field for the node index in the associated cell. In this way each node is identified by a pair (cell index, node index). For example, we may allocate 10 bits of a 16-bit ID field for the cell index, and the remaining 6 bits for the node index (Fig. 5-2). Then the largest affordable network may consist of cells in 32 rows and 32 columns, where each cell contains 64 nodes, and the total number of nodes is 65536.
An index alone provides no information other than cell identification. What we care about is how the indices describe the relationship between nodes. In our deployment model all cells are indexed in a fixed order from top to bottom and from left to right, such that each cell index $(i, j)$ acts like a coordinate in a two-dimensional plane (Fig. 5-1). In other words, cell indices are normalized coordinates of cells. Hence, the indices reflect the spatial relationship between nodes. By checking the node ID fields in received packets, a node may tell whether the sources of the packets are in its own cell, in neighboring cells, or in other distant cells. If we treat each node as a kind of resource, and the reception of packets by the node as a kind of resource access, then the orderly naming mechanism may provide an authentication service for access control at the link layer. Because link layer communications run between neighboring nodes, and in our scheme the neighbors of a node most likely come from its own cell or neighboring cells, every node should only accept packets from the nodes in its cell or neighboring cells, and deny packets from other distant cells¹. Obviously, our LBN mechanism has its significance for securing sensor networks. One example is that most ID-spoofing attacks may be defeated because of the inherent location information in node IDs. We will show in Section 5.4 that our LBN mechanism may defend against a wide range of attacks in sensor networks.
Figure 5-2. Location-based name. (A 16-bit ID field: cell index in the most significant bits, node index in the least significant bits.)
5.3 Link Layer Security
Sensor networks are vulnerable to malicious attacks in unattended and hostile environments such as battlefield surveillance and homeland security monitoring [57, 58]. Adversaries can easily eavesdrop on messages transmitted over the air between nodes, or disable the entire network by launching physical attacks on sensor nodes or logical attacks on communication protocols [33, 35]. Under such circumstances, security services such as encryption and authentication are indispensable for guaranteeing the proper operation of sensor networks.
In the overall network security infrastructure, link layer security is the basic tile, because all communications are built on the neighbor-to-neighbor communication mode. A node should only accept packets from authenticated neighboring nodes. To establish trust between neighboring nodes, authentication services at the link layer are required. To prevent eavesdropping attacks, two neighboring nodes need to negotiate a shared key used for encryption at the link layer. Some proposals [36–41] use location information in key management for sensor networks, which may be used to establish link layer encryption keys. However, they have not addressed the authentication problem. Motivated by their work, we propose a link layer authentication (LLA) scheme in this section, which incorporates the LBN mechanism to provide a neighborhood authentication service.
¹ Due to deployment errors, some nodes may accidentally end up in distant cells other than their destined cell. Thus these nodes may be precluded because they do not belong to the cells where they reside. However, it is shown in [36, 45, 46, 48, 49] that this probability is very small. We could treat it as the trade-off of the usage of a-priori deployment knowledge.
Our LLA scheme consists of two phases. The first is the bootstrapping phase (B-Phase), the initial time period after network deployment. The second is the normal communication phase (C-Phase), during which nodes exchange normal packets to fulfill various applications.
In each phase a two-step authentication is enforced. The first step is the ID-based
authentication, in which every node decides to accept or reject a packet by checking
the packet ID field according to LBN. The second step is the key-based authentication,
in which the two communicating nodes verify the IDs of each other by the shared key
between them. The underlying techniques we use here are something inherent and
something known [5]. Something inherent means an entity is authenticated by its inherent
characteristic, which is the location-based node ID in our scheme. Something known
means an entity is authenticated by the secrets it knows, which are shared keys in our
scheme.
5.3.1 Establishing Shared Keys
Any distributed key agreement model discussed in Chapter 2 can be used to establish keys in WSNs, and they all require the exchange of node IDs as inputs to the key agreement model. For simplicity, we assume $t$-degree bivariate polynomials are used to establish shared keys between neighboring nodes, i.e.,
$$
f(x, y) = \sum_{i=0}^{t} \sum_{j=0}^{t} a_{ij}\, x^i y^j \qquad (5\text{–}1)
$$
over a finite field $\mathbb{F}_q$.
We use the method proposed in [36] to predistribute polynomials so that two nodes in the same cell or in neighboring cells hold shares of the same set of polynomial(s)². Each cell is associated with a unique $t$-degree bivariate polynomial, and the nodes destined for the cell are preloaded with shares of the corresponding polynomial. In addition, the polynomial is also assigned to the horizontal and vertical neighboring cells. For example, in Fig. 5-1, the polynomial of cell $(i, j)$ is also assigned to cells $(i, j-1)$, $(i, j+1)$, $(i-1, j)$, and $(i+1, j)$. Thus a node in cell $(i, j)$ may establish shared keys with nodes in its own cell and all neighboring cells. We refer readers to [36] for more technical details.
After the polynomial distribution, every pair of nodes has a shared polynomial set $P$, which is used to derive polynomial shares for the pair of nodes. The set $P$ is decided by the cell indices of the two nodes. For two nodes in the same cell or neighboring cells, $P$ is non-empty, but for two nodes from two distant cells, $P$ is empty. This differs from [36] in that [36] requires every node to keep the coordinates of its cell, while our scheme does not, because the location information is in the node ID field. So a node may know instantly whether it has shares of the same set of polynomials as another node from its node ID alone.
5.3.2 B-Phase Authentication
After deployment, the network is in the bootstrapping phase. In this phase, trust should be set up between nodes so that other higher layer protocols may begin to work on this trustworthy infrastructure. This is achieved by B-phase authentication.
² We have developed a more efficient scheme in [45, 46] using hexagon and triangle cells. It can also be used in the LBN design if we choose to use hexagon or triangle cells in place of square cells.
At the very beginning, every node broadcasts its node ID, i.e.,
$$
v \to *: \langle v \rangle,
$$
to inform its neighbors of its existence. In the schemes [36–38, 45, 46, 48], every node needs to broadcast both its cell coordinates and its node ID to its neighbors. Our scheme is more efficient, however, because the node ID already includes the corresponding location information.
When node $u$ hears node $v$, it first checks the cell index field in $v$'s node ID. In the LBN mechanism, the cell index should be the same as that of $u$ or one of the neighboring cell indices, which is easily verified because all cell indices are sorted in order. If this is not the case, the received ID $v$ may be a spoofed value from a malicious node, and node $u$ simply ignores node $v$'s packets.
If the received ID $v$ is acceptable, node $u$ knows immediately the shared polynomial set $P$ with node $v$. Because node $u$ and node $v$ have shares derived from the polynomials in $P$, node $u$ may further verify node $v$ through a challenge-response method. Node $u$ randomly selects a polynomial $f(x, y)$, which has a unique index $p_f$³, from $P$ and uses the corresponding share $f(u, y)$ to calculate a shared key $K_{uv} = f(u, v)$ with node $v$. The shared key $K_{uv}$ is unique when all node IDs are distinct. This property is critical for authentication. Then node $u$ picks a nonce $n_u$, which is a random number, and sends node $v$ a challenge packet including the ID $u$, the index of the polynomial $f(x, y)$, and $n_u$ encrypted under $K_{uv} = f(u, v)$, i.e.,
$$
u \to v: \langle u, v, p_f, \{n_u\}_{K_{uv}} \rangle,
$$
where $\{\}$ denotes the encryption operation.
³ Polynomial indices may be preloaded into node memory, or may be calculated by a hash function with cell indices as inputs.
If node $v$ does have the ID it claims, it surely has the shared polynomial set $P$ with node $u$. Then node $v$ may use the polynomial index in the received packet to find the shared key $K_{uv}$ and decrypt the nonce $n_u$. Next, node $v$ also picks a nonce $n_v$ and returns to node $u$ a response packet including the node ID $v$, the nonce $n_u$, and $n_v$ encrypted under $f(u, v)$, i.e.,
$$
v \to u: \langle v, u, n_u, \{n_v\}_{K_{uv}} \rangle.
$$
After getting the response from $v$, node $u$ checks the returned value of $n_u$. If it is the same as the one it sent to node $v$, then node $v$ is authenticated; otherwise it is not.
To authenticate itself, node $u$ also decrypts $n_v$ and returns it to node $v$, i.e.,
$$
u \to v: \langle u, v, n_v \rangle.
$$
Following this three-way handshake authentication procedure, every node may set up trust with its neighbors during the bootstrapping phase.
During the B-phase authentication, a shared key is established between neighboring
nodes. This shared key may act as the master key and be used to derive other keys for
different purposes, such as encryption, authentication, etc. Thus, the future communications
between neighboring nodes are secured by the shared key.
5.3.3 C-Phase Authentication
After the bootstrapping phase, normal communications may run between neighboring
nodes to serve various applications. During this phase, an adversary may inject, modify,
or spoof packets to wreak havoc in the network. To guarantee normal operation of the
network, every packet should be authenticated so that the sink node knows it is talking
with the authenticated source node.
A standard way to achieve packet authentication and integrity is to use a message
authentication code (MAC). A MAC is a digest calculated by a one-way and collision-resistant
hash function with the message and some secret as inputs. An example is HMAC [59]. Every
node may check whether a received packet has been tampered with by recalculating the MAC and
comparing it with the one in the packet.
When a node v needs to send a packet to node u, it constructs the packet as
v → u : < v, u, nv, m, H(v ‖ u ‖ nv ‖ m ‖ Kuv) > ,
where nv is a nonce, m is the message, H() is a hash function, “‖” is the concatenation
operator, and Kuv is the key shared between u and v. To protect the master key established
in the bootstrapping phase, it is better to use a derived authentication key here. For
example, we may calculate an authentication key as H(Kuv ‖ 1) and an encryption key as
H(Kuv ‖ 0). The message m may be sent in plaintext if only authentication is needed, or
encrypted if both authentication and encryption are desired.
When node u receives the packet from node v, it first checks the cell index field in v’s
ID according to LBN. If the ID v is not acceptable, node u simply drops the packet, so
it does not need to check the MAC field at all. Moreover, node u may check the cell index field
right after extracting node v’s ID from the packet and stop receiving the remaining part of
the packet to save energy if node v’s ID is not acceptable, because packet transmission and
reception are the most energy-costly radio operations in sensor nodes. Only if the ID v is
acceptable does node u proceed to verify the MAC field in the packet and authenticate the
packet.
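The B-phase three-way handshake and the C-phase MAC check described above, as an added Python example that is not code from the dissertation. It assumes a symmetric t-degree bivariate polynomial over a small constructed prime field (so both sides obtain Kuv = f(u, v)), models the nonce encryption {·}Kuv with an HMAC-derived keystream and the MAC as HMAC over v‖u‖nv‖m under the derived key H(Kuv‖1), and omits the LBN cell-index check; node IDs, polynomial indices and the sample message are constructed.

```python
import hashlib
import hmac
import secrets

Q = 2**31 - 1  # constructed prime field for the toy polynomials (far too small for real use)
ID_BYTES, NONCE_BYTES = 4, 8  # fixed field widths so the "||" concatenation is unambiguous

def make_polynomial(t):
    """Random symmetric t-degree bivariate polynomial f(x,y) = sum a_ij x^i y^j, a_ij = a_ji."""
    coef = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            coef[i][j] = coef[j][i] = secrets.randbelow(Q)
    return coef

def share(poly, u):
    """Node u's preloaded share f(u, y): coefficient b_j = sum_i a_ij * u^i (mod Q)."""
    n = len(poly)
    return [sum(poly[i][j] * pow(u, i, Q) for i in range(n)) % Q for j in range(n)]

def eval_share(sh, v):
    """f(u, v) from the share f(u, y); symmetry of f gives f(u, v) == f(v, u)."""
    return sum(b * pow(v, j, Q) for j, b in enumerate(sh)) % Q

def mask(key, label, data):
    """Toy {data}_key: XOR with an HMAC-derived keystream (an assumption, not the page's cipher)."""
    stream = hmac.new(key, label, "sha256").digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class Node:
    def __init__(self, nid, polys):
        self.id = nid
        self.shares = {pf: share(p, nid) for pf, p in polys.items()}  # shares indexed by pf
        self.pending, self.keys = {}, {}  # per-peer handshake state; established master keys Kuv

    def key_with(self, pf, peer):
        return eval_share(self.shares[pf], peer).to_bytes(4, "big")

    # B-phase message 1:  u -> v : <u, v, pf, {nu}Kuv>
    def challenge(self, v):
        pf = secrets.choice(sorted(self.shares))
        k, nu = self.key_with(pf, v), secrets.token_bytes(NONCE_BYTES)
        self.pending[v] = (k, nu)  # this stored state is what a memory exhaustion attack targets
        return (self.id, v, pf, mask(k, b"challenge", nu))

    # B-phase message 2:  v -> u : <v, u, nu, {nv}Kuv>
    def respond(self, msg):
        u, v, pf, enc_nu = msg
        k = self.key_with(pf, u)  # a node without v's share computes the wrong key here
        nu = mask(k, b"challenge", enc_nu)
        nv = secrets.token_bytes(NONCE_BYTES)
        self.pending[u] = (k, nv)
        return (self.id, u, nu, mask(k, b"response", nv))

    # B-phase message 3:  u -> v : <u, v, nv>, or None if v returned the wrong nu
    def verify_response(self, msg):
        v, u, nu_back, enc_nv = msg
        k, nu = self.pending.pop(v)
        if not hmac.compare_digest(nu, nu_back):
            return None
        self.keys[v] = k
        return (self.id, v, mask(k, b"response", enc_nv))

    def verify_final(self, msg):
        u, v, nv_back = msg
        k, nv = self.pending.pop(u)
        if not hmac.compare_digest(nv, nv_back):
            return False
        self.keys[u] = k
        return True

    # C-phase: auth key H(Kuv||1); the MAC is HMAC (the page's cited example) over v||u||nv||m
    def send(self, u, m):
        ka = hashlib.sha256(self.keys[u] + b"\x01").digest()
        nv = secrets.token_bytes(NONCE_BYTES)
        data = self.id.to_bytes(ID_BYTES, "big") + u.to_bytes(ID_BYTES, "big") + nv + m
        return (self.id, u, nv, m, hmac.new(ka, data, "sha256").digest())

    def receive(self, pkt):
        v, u, nv, m, tag = pkt
        if v not in self.keys:
            return None  # no B-phase key with the claimed sender: drop without checking the MAC
        ka = hashlib.sha256(self.keys[v] + b"\x01").digest()
        data = v.to_bytes(ID_BYTES, "big") + u.to_bytes(ID_BYTES, "big") + nv + m
        return m if hmac.compare_digest(tag, hmac.new(ka, data, "sha256").digest()) else None

def handshake(u, v):
    # True only if both sides authenticate each other in the three-way handshake
    m3 = u.verify_response(v.respond(u.challenge(v.id)))
    return m3 is not None and v.verify_final(m3)

def demo(t=3):
    """Honest nodes succeed and agree on Kuv; an impostor claiming v's ID without v's shares fails."""
    polys = {7: make_polynomial(t), 8: make_polynomial(t)}  # constructed polynomial pool P
    u, v = Node(1001, polys), Node(1002, polys)
    ok = handshake(u, v) and u.keys[v.id] == v.keys[u.id]
    impostor = Node(2002, polys)  # holds shares for ID 2002 only ...
    impostor.id = v.id            # ... but claims v's ID in the B-phase
    spoof = u.verify_response(impostor.respond(u.challenge(v.id)))
    return ok, spoof, u.receive(v.send(u.id, b"temp=21"))
```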
TinySec [56] defines link layer packet formats including the Auth packet format, in which
only authentication is provided, and the AE packet format, in which both authentication and
encryption are provided. It is similar to our scheme; however, it does not address how to
establish the authentication and encryption keys. TinySec can therefore be combined
with our scheme to provide a complete solution for link layer security in sensor networks.
5.4 Secure Sensor Networks
By using link layer encryption, we may prevent eavesdropping attacks. However,
an intelligent adversary may launch many active attacks by exploiting defects in
network protocols that were not designed with security defenses in mind from the
beginning. Karlof and Wagner [33] classified a series of attacks on sensor networks, which
may cause rapid deterioration of network performance. Most of the attacks try to
cause topological distortion by spoofing or replaying routing information. However, as we
will show in this section, our LBN has inherent resistance to these topological attacks,
because the location information in node IDs reflects the topology of the network. Any attack
that causes serious topological distortion can be detected by our LBN and LLA. In this
section, we discuss several typical attacks as examples.
5.4.1 The Sybil Attack
In the Sybil attack [60], a malicious node illegitimately takes on multiple identities,
which may be fabricated IDs or impersonated IDs. The Sybil attack may pose a serious
threat to routing protocols, data aggregation, voting, fair resource allocation, misbehavior
detection, etc. [33, 60]. Several potential defense methods are proposed in [60], including
radio resource testing, verification of key sets for random key predistribution, registration,
position verification and code attestation. However, those methods rely on either strict
physical assumptions or cooperation among a group of nodes.
In our scheme, every node ID should appear only in a small area of the network
due to the LBN mechanism. If the malicious node claims an ID belonging to distant
cells, it is easily found out by its neighbors and then excluded. The only IDs
the malicious node can claim are those in its cell and the neighboring cells. Even then, the
malicious node cannot pass the link layer authentication because it does not have the
polynomial shares belonging to the node whose ID it claims. So the Sybil attack cannot
succeed in our scheme.
5.4.2 Identity Replication Attacks
In the identity replication attack [60], an adversary may put many replicas of a
captured node at many places in the network to cause inconsistency. Like the Sybil
attack, the identity replication attack may lead to the failure of many network functions.
Conventional defenses include centralized computing based on location or the number of
simultaneous connections [60], which is communication intensive and lacks scalability.
In our scheme, the adversary cannot put the replicas of the captured node at places
other than its vicinity because the presence of a node ID is localized by the
LBN mechanism. The adversary can only put those replicas in the small area where the
captured node originally resides. However, the convergence of replicas of the same node
ID in a small area is easily detected by the surrounding normal nodes. So the identity
replication attack finds no place in our scheme.
5.4.3 Wormhole Attacks
In the Wormhole attack [61], two malicious nodes collude to tunnel packets from
one place to another distant place in the network. This attack may distort the network
topology by making two distant nodes believe they are neighbors, thus becoming a serious
threat to routing protocols. Hu et al. proposed packet leashes [61] to limit
the maximum range over which packets can be tunneled by the two colluding nodes.
Directional antennas [62] have also been used to defend against the Wormhole attack. However,
these defenses are targeted at the Wormhole attack in ad hoc networks, and require
expensive hardware devices, which are infeasible for most resource-constrained sensor
networks. Wang and Bhargava [63] proposed centralized computing to defend
against the Wormhole attack in sensor networks, in which a controller collects all nodes’
location information to reconstruct the network topology so that any topological
distortion can be visualized. However, this approach causes much communication
overhead and is not realistic if malicious nodes move around the entire network, because
each location change triggers a new round of the topology reconstruction
algorithm.
By using LBN, a node may check the cell index fields in the received packets and
simply drop those packets coming from a distant place. So the impact of the Wormhole
attack is automatically limited to neighboring cells. Though the two colluding nodes
may tunnel packets within a small area, in this case they cannot cause severe network-scale
topological distortion and may even help to facilitate local communications. So the
Wormhole attack may be defeated in our scheme.
5.4.4 Sinkhole Attacks
In the sinkhole attack [33], a malicious node tries to lure nearly all the traffic
from a particular area, creating a metaphorical sinkhole with the malicious node at the
center. This kind of attack typically works by making the malicious node look especially
attractive to surrounding nodes by claiming a lower routing cost to the base station in
the sensor network. If geographical routing protocols are used, every route is found based
on geographical information, which can be extracted from node IDs. In this case, the
malicious node cannot cheat other nodes, because they can easily determine whether
the malicious node is on the route to the base station based on the ID of the malicious
node. If different routing criteria such as reliability are used, it is rather difficult to detect
the sinkhole attack. However, the node ID still provides some information about the
location of the malicious node; thus, if the source node finds that the location of the malicious
node is far away from the direction of the base station, this indicates a potential threat and
other methods may be used to verify the routing information.
5.4.5 HELLO Flood Attacks
In the HELLO flood attack [33], a malicious node broadcasts HELLO packets
with large enough transmission power to convince most nodes in the network that the
malicious node is their neighbor, thus leading the network into a state of confusion. This
attack can be defeated in our scheme because it is easy to check whether a HELLO packet is
acceptable from its ID field.
5.4.6 The Acknowledgement Spoofing Attack
In the acknowledgement spoofing attack [33], a malicious node spoofs link layer
acknowledgments for packets destined to a neighboring node that is dead, or for
packets lost due to poor channel reliability, thus making the source node form a wrong
routing decision based on the belief that the dead destination node is alive or the channel
is reliable. In our scheme, it is easy to detect this attack by LLA because the malicious
node does not have the corresponding link layer keys.
5.4.7 The Node-compromise Attack
In our link layer authentication scheme, predistributed polynomials are used to
establish shared keys between nodes. This is under the threat of the node-compromise
attack, in which a small number of compromised nodes may expose a large amount of
secrets in the network. It has been proved in [7, 8] that a t-degree bivariate polynomial
is t-collusion resistant, meaning that the collusion of no more than t nodes cannot
expose the polynomial. However, if one t-degree bivariate polynomial is used by more
than t nodes, an adversary may compromise more than t nodes holding shares of the same
polynomial to reconstruct it, and then use the reconstructed polynomial to derive shared
keys between non-compromised nodes that hold shares of the same polynomial. We
have proposed efficient schemes [45, 46, 48, 49] that achieve perfect resilience to the
node-compromise attack. The details have been discussed in previous chapters.
5.4.8 The Memory Exhaustion Attack
The B-phase authentication in our scheme is not stateless, because every node needs
to keep the nonce in its memory so that it can verify the returned nonce value from its
neighbor. For each authentication request, a nonce must be generated. A malicious node
may launch a memory exhaustion attack by sending authentication requests to its
neighbors at a very high rate, thus rendering its neighbors unusable by exhausting their memory
resources. However, it is also easy to detect frequent authentication
requests from a malicious node. To defend against this kind of attack, normal nodes simply
need to drop authentication requests when the request rate is too high. Some
countermeasures can also be triggered to punish the malicious node.
5.5 Discussion
To the best of our knowledge, there has been no research on the additional value
of the node identifier. Though many schemes [36–38, 45, 46, 48] use node identifiers in
key establishment, they use only the identification function. Our scheme is the first
investigation that tries to draw more application value out of the node identifier. We have
shown that by embedding location information into node identifiers, our LBN has intrinsic
immunity to many attacks against network topology. Beyond its security value, we believe
our LBN can also be used in other applications in sensor networks.
Our LLA scheme incorporates LBN as the first-step authentication method, and uses
a shared key to further verify node identity. In LLA, predistributed polynomials are used to
achieve key agreement and provide the authentication service. However, other shared-key-based
authentication schemes can also work well with LBN in the second authentication step,
as long as they guarantee that neighboring nodes can establish a unique shared key. SPINS [6]
and LEAP [64] are similar schemes. The building block SNEP in SPINS [6] can provide
neighbor authentication by a shared key. However, two neighboring nodes rely on the
base station to negotiate a shared key, which is not efficient in terms of communication
overhead. In LEAP [64], a global key is used to derive shared keys to achieve neighbor
authentication, where the underlying assumption is that adversaries cannot compromise
any node during the network bootstrap phase, so that the global key remains safe. Our
scheme does not rely on this assumption and is resilient to node compromise attacks.
Zhang et al. [65] proposed location-based keys to secure sensor networks. Their
scheme is based on public key cryptography, while our scheme is based on symmetric
key cryptography. Besides, in their scheme each location-based key is tied to a precise
location in the network, and the location information must be obtained by mobile robots.
When a node moves, the location-based key associated with its previous location becomes invalid.
Hence, their scheme is only applicable in stationary sensor networks, where sensor nodes
do not move after deployment. Our scheme only uses coarse-grained a-priori deployment
knowledge and does not need any positioning devices. Though our scheme is targeted at
stationary sensor networks, low mobility can also be supported as long as nodes only move
within their vicinity.
5.6 Conclusion
In this chapter, we have introduced the naming problem for sensor networks for the
first time in the literature. We believe that more benefits can be achieved by endowing
node IDs with more meaningful information. A location-based naming mechanism, LBN,
has been proposed to realize this idea. By using LBN, the impact of many attacks on
topology in sensor networks can be confined to a small area. We also proposed a link
layer authentication scheme, LLA, which incorporates LBN, to provide a neighborhood
authentication service. It has been shown that our LBN and LLA can be an efficient
defense against a wide range of attacks in sensor networks.
We have investigated the security value of our location-based naming mechanism.
However, we believe it may also find other applications in sensor networks, such as
geographic routing, target tracking, environment surveillance, etc., especially those
applications in which security is desired. We will develop more efficient solutions for those
applications based on our new idea in our future work.
CHAPTER 6
ACCESS CONTROL IN WIRELESS SENSOR NETWORKS
6.1 Introduction
A WSN usually consists of a large number of sensor nodes. In order to save
manufacturing cost, a sensor node is usually built as a small device, which has limited
memory, a low-end processor, and is powered by a battery [6]. The constrained resources
result in limited computation and communication capabilities. After several weeks or
months of operation, some nodes in the network may exhaust their power because of the
uneven distribution of traffic load. Applications may fail due to the loss of some critical
sensor nodes and become useless. Though power saving technology in the design of both
hardware and software may extend the lifetime of a sensor network, new node deployment
is still necessary in many cases.
Besides the natural loss of sensor nodes, a sensor network is also susceptible to
malicious attacks in unattended and hostile environments. Some sensor nodes may
be destroyed by adversaries. If the number of attacked sensor nodes exceeds a certain
threshold, the entire network may become useless. Hence, new sensor nodes need to be
deployed to maintain the normal operation of the sensor network if necessary.
In military scenarios, however, a sensor network usually lacks careful surveillance
after deployment. Hence an adversary can also deploy malicious nodes into the network.
These malicious nodes may easily eavesdrop on messages transmitted over the air between
nodes or insert false reports into the network [6].
In addition, an intelligent attacker may launch tricky attacks from inside
the sensor network by manipulating existing sensor nodes. A sensor node may be
compromised due to the lack of tamper resistance [34], so that all the secrets in it are
exposed to the adversary. The adversary may then use the compromised node to launch
other, more serious attacks. For example, in the Sybil attack [60], a malicious node, which
may be a compromised one, impersonates other normal nodes or new nodes. Another
example is the node replication attack [66], where an adversary compromises a node and
deploys many copies of the node into the sensor network. The adversary can also launch
the Wormhole attack [61–63], in which packets are tunneled between two distant places
in the sensor network, thus introducing false nodes into the neighborhood of normal nodes.
These attacks may cause fatal havoc [33, 35] in the sensor network.
Recently, many schemes [6, 13, 15, 17, 18, 56] have been proposed to protect sensor
networks. They may prevent external attackers from eavesdropping on messages or inserting
false reports. However, they can hardly defend against internal attacks such as the Sybil
attack, the node replication attack and the Wormhole attack. Though several techniques
[60–63, 66] have been proposed to counteract the internal attacks, each of them is targeted
at only one specific attack, using different approaches and hardware assumptions. It is
very difficult to integrate those techniques into a uniform hardware platform. Even if
the integration were possible, it would cost a lot of resources and conflict with the low-cost
design goal.
In this chapter, we analyze the internal attacks including the Sybil attack, the node
replication attack and the Wormhole attack. We observe that the common trick behind
these attacks is that they manipulate existing nodes to introduce malicious “new” nodes,
which are indistinguishable from legitimate new nodes under current sensor network
security technology. Those introduced “new” nodes could be accepted by other normal
nodes as legitimate ones. Based on this observation, we design an access control protocol
[67] for sensor networks to prevent malicious nodes, whether they are directly
deployed by adversaries or introduced “new” ones, from participating in sensor networks.
To be admitted into the sensor network, a new node must prove not only that it has a correct
identity but also that it is truly new. Besides the node identity, which is widely used in
authentication, we introduce the node bootstrapping time, which is the time when the
new node bootstraps itself to join the sensor network, into the authentication procedure
to differentiate malicious “new” nodes, which are actually old nodes, from legitimate new
nodes. Unlike the conventional approaches in [60–63, 66] that attempt to detect malicious
nodes after they join sensor networks, our access control protocol can prevent malicious
nodes from joining sensor networks at the very beginning. Moreover, key establishment
is also included in our access control protocol to help the new node establish shared keys
with its neighbors so that it can communicate securely with them.
The rest of this chapter is organized as follows. We analyze most typical attacks in
Section 6.2 and show why access control is necessary for sensor networks in Section 6.3.
The details of our access control protocol are described in Section 6.4. Some security
analysis and performance evaluations are carried out in Section 6.5 and Section 6.6. We
finally conclude the chapter in Section 6.7.
6.2 Review of Attacks
Sensor networks have high value in military applications, in which they are often
deployed in hostile environments to perform various kinds of military tasks. Usually,
sensor networks lack careful surveillance after deployment. Hence, adversaries have
opportunities to deploy malicious nodes, or to launch tricky attacks from inside a
sensor network by manipulating existing sensor nodes.
6.2.1 Malicious Nodes Deployment
An attacker can directly deploy malicious nodes into the network. In Fig. 6-1 (a),
for example, a malicious node B is deployed in the vicinity of existing node A. Node
B may easily eavesdrop messages sent out or received by node A. If node B knows the
communication protocols in the sensor network, it may even inject false reports to disrupt
the network functionalities [6, 33, 35]. Some security measures may be enforced to thwart
this kind of attack, but if the adversary has the capability of breaking into the security
infrastructure, he/she can still deploy as many malicious nodes as possible.
6.2.2 The Sybil Attack
The Sybil attack was first studied in the context of peer-to-peer networks [69].
It was then found to be a serious threat to sensor networks [60]. In the Sybil attack, a
malicious node illegitimately takes on multiple identities. The impersonated identities
may belong to existing nodes or to non-existing nodes. The malicious node may be deployed
directly by adversaries or may simply be a compromised one. In Fig. 6-1 (b), for example, a node
B is compromised by an adversary who then makes node B impersonate other identities,
e.g., node C. From the point of view of node A, it looks just like a new node C appearing
in its vicinity. It has been shown that the Sybil attack may pose a serious threat to
distributed storage (redundant information destined to several nodes may finally be stored
in one malicious node), routing protocols (multipath routing, geographic routing) [33],
and so on. In addition, it may also cause devastating consequences for other applications
such as data aggregation, voting, fair resource allocation, and misbehavior detection [60].
Several potential defense methods were proposed in [60], including radio resource testing,
verification of key sets for random key predistribution, registration, position verification,
and code attestation. Those methods rely on either strict hardware assumptions or
complicated cooperation among a group of nodes.
6.2.3 The Node Replication Attack
In the node replication attack [66], an adversary intentionally puts many replicas
of a compromised node at many places in the network to cause inconsistency. In Fig.
6-1 (c), for example, node B is compromised and one of its copies is deployed in the
vicinity of node A, so that node A may take node B as its new neighbor. Like the Sybil
attack, the node replication attack also gives adversaries the ability to subvert
data aggregation, misbehavior detection and voting protocols by injecting false data
or suppressing legitimate data [66]. The conventional methods to defend against the
node replication attack usually involve centralized computing based on node locations
or the number of simultaneous connections, which is vulnerable to single-point failure.
Distributed detection of the node replication attack was proposed in [66], where the
location of a suspect node is verified by randomly selected witness nodes.
6.2.4 The Wormhole Attack
In the Wormhole attack [61], an adversary tunnels packets between two distant places
in the sensor network. In Fig. 6-1 (d), for example, the adversary deploys two special
devices into the vicinities of node A and node B, respectively. These two devices share
a secret broadband channel, which is invisible to sensor nodes. These devices may then
record packets sent out by one node, tunnel those packets through the secret broadband
channel to the other end, and replay them in the vicinity of the other node. The
consequence is that node A may find a new node B appearing in its neighborhood, and
vice versa. This attack may distort the network topology by making two distant nodes
believe they are neighbors, thus becoming a serious threat to routing protocols [61].
6.3 Access Control
6.3.1 Necessity
New node deployment is inevitable when applications in the sensor network become
unstable because of the loss of sensor nodes. The cooperative character of sensor
network applications requires mutual trust among sensor nodes. A newly deployed node,
however, may not be a legitimate one, as shown in Section 6.2. It may be a malicious
node directly deployed by adversaries, or an introduced “new” node due to the Sybil
attack, the node replication attack or the Wormhole attack. The underlying trick of the
Sybil attack, the node replication attack and the Wormhole attack is that those malicious
“new” nodes are indistinguishable from legitimate new nodes under current sensor network
security technology; hence those malicious “new” nodes will be accepted by other normal
nodes as legitimate ones.
To prevent malicious nodes from joining sensor networks, access control should
be enforced over sensor node deployment. A sensor node should prove that it
is a legitimate one when deployed into the sensor network. Usually, an access control
mechanism should accomplish two tasks:
1. Node authentication: Through authentication a deployed node proves its identity (ID) to its neighboring nodes and proves that it has the right to access the sensor network;
2. Key establishment: Shared keys should be established between a deployed node and its neighboring nodes to protect communications.
Figure 6-1. Attacks: (a) malicious node deployment; (b) the Sybil attack; (c) the node replication attack; (d) the Wormhole attack.
6.3.2 The State of the Art
Many solutions [6, 13, 15, 17, 18, 68] have been proposed in the literature to protect
sensor networks. However, they can hardly address the access control problem in sensor
networks. SPINS [6] and TinySec [56] are vulnerable to the node compromise attack,
where an adversary can simply compromise one node and then use its key to generate and
deploy as many malicious nodes as possible. Random symmetric key predistribution
schemes [13, 15] were proposed to achieve key agreement between neighboring sensor
nodes, but they cannot provide the authentication service because of the reuse of the
same keys among many sensor nodes. By compromising a few sensor nodes, an adversary
can obtain many keys and thereby manufacture and deploy many malicious nodes.
ID-based symmetric key schemes [17, 18] involve node IDs in key agreement. They
could provide the authentication service, where a node’s identity could be challenged based
on the keys it holds. Those schemes, however, are based on threshold-based symmetric
key techniques, where the security threshold is directly determined by the node memory
resource. Due to the contradiction between the large number of sensor nodes in a network
and the constrained memory resource, they usually cannot provide full security. If the
number of compromised nodes exceeds a threshold, an adversary can destroy the security
infrastructure and deploy as many malicious nodes as possible.
With the development of hardware capability, public key techniques have become a possible
and promising approach to securing sensor networks because of their flexible key management
and scalability. Very recently, Watro et al. [68] proposed the TinyPK protocol, where RSA [3]
certificates are used to authenticate external parties to sensor networks and Diffie-Hellman
[2] key exchanges are used to achieve key agreement between external parties and sensor
nodes. Compared with symmetric key techniques, TinyPK is more resilient to the node
compromise attack. TinyPK could be used for access control during node deployment.
It may prevent adversaries from deploying malicious nodes, and detect the Sybil attack,
but it cannot detect the node replication attack and the Wormhole attack, because the
“new” nodes introduced by these two attacks have legitimate certificates.
6.4 Our Protocol
6.4.1 Outline
A preloaded public key certificate which includes ID information or an ID-based
symmetric key can be used to prove the identity of a new node. When the new node is
deployed into the sensor network, its neighbors may verify the certificate or challenge the
ID-based symmetric key to check whether the new node has a legitimate identity. By
using this ID authentication, adversaries are prevented from directly deploying malicious
nodes because they do not have corresponding certificates or ID-based symmetric keys.
However, the ID authentication is not enough to protect the sensor network, as is shown
in Section 6.3. In the Sybil attack, the node replication attack and the Wormhole attack,
an adversary in fact could manipulate existing nodes to introduce malicious “new” nodes.
Those old nodes have preloaded certificates or ID-based symmetric keys, so the “new”
nodes also have legitimate identities. Hence, we need to differentiate those old nodes from
new nodes to further protect the sensor network.
One solution to this problem is to include a timestamp in the authentication
procedure. This is a common way of solving freshness problems in everyday life. For
example, the tickets we buy for movies or football games carry timestamps that show
when the tickets are valid. The same idea can be applied to the design of our access
control protocol for sensor networks.
After a sensor node is deployed into a sensor network, it bootstraps itself at
a preset time to join the sensor network. The difference between an old node and
a new node is that they have different bootstrapping times. Hence, we may use the
bootstrapping time as the timestamp in our access control protocol.
Our access control protocol uses a preloaded certificate that includes both ID
information and the bootstrapping time to authenticate the identity of a new node. The
certificate is generated by a certification authority (CA), e.g., the administrator of the
sensor network. In the certificate, the node ID information and its bootstrapping time
are signed by the CA’s private key to protect their integrity, so that adversaries cannot
falsify the ID or the bootstrapping time. When the new node is deployed into the
sensor network, it shows its certificate to its neighbors. The neighbors can verify the
ID and the bootstrapping time with the CA’s public key. A new node can be accepted
into the sensor network only if it has a correct identity and its bootstrapping time is
within a tolerance period of the current time. Through the authentication of both ID and
bootstrapping time, our access control protocol can prevent malicious nodes from joining
the sensor network, because they do not have correct IDs or bootstrapping times.
The Diffie-Hellman algorithm is used to establish shared keys between the new node
and its neighbors. Hence each node is preloaded with a 〈private key, public key〉 pair.
After a new node passes the authentication procedure, it exchanges its public key with
those of its neighbors. Then the new node can establish shared keys with its neighbors
according to the Diffie-Hellman algorithm. To prevent nodes from falsifying public
keys, the public key of each sensor node is also signed by the CA and included in its
certificate.
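The outline above (a CA-signed certificate carrying ID, bootstrapping time and Diffie-Hellman public key, checked by neighbors for a valid signature and a fresh bootstrapping time before keys are derived), as an added Python example that is not the dissertation's protocol code. It assumes a small constructed Diffie-Hellman group, a Schnorr-style signature in place of the RSA certificates the page names, a 60-second tolerance, and constructed node IDs and times; the verdict strings and the replica and re-dated-certificate cases are this example's own.

```python
import hashlib
import secrets

P = 2**127 - 1  # constructed toy modulus (a Mersenne prime); a real deployment uses a standard large group
G = 3
TOLERANCE = 60  # seconds of allowed drift between a certificate's bootstrapping time and "now"

def H(*fields):
    """SHA-256 over length-prefixed fields (ints hashed as decimal strings), returned as an int."""
    h = hashlib.sha256()
    for f in fields:
        b = f if isinstance(f, bytes) else str(f).encode()
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big")

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def sign(x, *msg):
    """Toy Schnorr-style signature (R, s) in the same group (an assumption; the page names RSA)."""
    k = secrets.randbelow(P - 2) + 1
    R = pow(G, k, P)
    return R, (k + x * H(R, *msg)) % (P - 1)

def verify(y, sig, *msg):
    R, s = sig
    return pow(G, s, P) == R * pow(y, H(R, *msg), P) % P

class CA:
    """The network administrator: signs (ID, bootstrapping time, DH public key) into a certificate."""
    def __init__(self):
        self.sk, self.pk = keygen()

    def issue(self, node_id, boot_time, node_pk):
        return (node_id, boot_time, node_pk, sign(self.sk, node_id, boot_time, node_pk))

class Node:
    def __init__(self, ca, node_id, boot_time):
        self.sk, self.pk = keygen()  # preloaded Diffie-Hellman key pair
        self.cert = ca.issue(node_id, boot_time, self.pk)
        self.ca_pk = ca.pk
        self.keys = {}  # neighbor ID -> shared key derived with Diffie-Hellman

    def admit(self, cert, now):
        """Existing-node side: accept a newcomer only with a valid signature AND a fresh bootstrapping time."""
        node_id, boot, pk, sig = cert
        if not verify(self.ca_pk, sig, node_id, boot, pk):
            return "bad-signature"  # forged or tampered certificate
        if abs(now - boot) > TOLERANCE:
            return "stale-bootstrap-time"  # an old node's certificate presented again by a replica or wormhole
        self.keys[node_id] = H(pow(pk, self.sk, P))  # DH: (g^x_new)^x_self
        return "accepted"

    def peer_key(self, cert):
        """Newcomer side: verify an existing neighbor's certificate, then derive the same DH key."""
        node_id, boot, pk, sig = cert
        if not verify(self.ca_pk, sig, node_id, boot, pk):
            return False
        self.keys[node_id] = H(pow(pk, self.sk, P))
        return True

def demo():
    ca = CA()
    now = 1_000_000                  # constructed current time, in seconds
    old = Node(ca, 1, now - 86_400)  # joined the network a day ago
    new = Node(ca, 2, now)           # legitimately deployed now
    v_new = old.admit(new.cert, now + 5)  # fresh bootstrapping time, within tolerance
    same = new.peer_key(old.cert) and old.keys[2] == new.keys[1]
    v_replica = new.admit(old.cert, now + 5)  # valid signature, but node 1 bootstrapped long ago
    oid, _, opk, osig = old.cert
    v_forged = new.admit((oid, now, opk, osig), now + 5)  # re-dating the certificate breaks its signature
    return v_new, v_replica, v_forged, same
```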
6.4.2 Assumptions
6.4.2.1 Network model
We assume that sensor nodes are stationary so that if a node finds a new node in its
neighborhood, the new node must be either a newly deployed node or a node introduced
by adversaries. All sensor nodes have the same transmission range and communicate
with each other via bi-directional wireless links. Each node has a unique, integer-valued,
non-zero ID.
We assume that all sensor nodes are loosely synchronized. Each sensor node has a
preset bootstrapping time. After being deployed into the sensor network, each sensor
node bootstraps itself at its bootstrapping time to join the sensor network. Two sensor
nodes may have the same bootstrapping time if they are deployed simultaneously. A
possible collision at the MAC layer may occur if the two nodes bootstrap themselves
simultaneously. However, we assume that the MAC-layer protocol has collision resolution
mechanisms to solve the problem [65]. Hence, each node can finish bootstrapping within a
tolerance time interval after its bootstrapping time.
6.4.2.2 Adversary model
Due to the broadcast nature of radio communications, adversaries can
easily eavesdrop on any message, ciphertext or plaintext, transmitted over the
air. Adversaries cannot decrypt a ciphertext if they do not have the corresponding
decryption key. Otherwise, a stronger cryptographic primitive should be used to increase
the security.
For the cost consideration, it is not economical to equip every sensor node with
tamper resistant devices. Adversaries may easily compromise a sensor node and extract
all the secrets stored in its memory. Even if tamper resistant devices are available, they
are still not able to guarantee perfect security of secrets [34]. Hence, node compromise is
usually unavoidable in wireless sensor networks. Compromising, however, is not a trivial
job. We assume that each sensor node can sustain a tolerance time interval before it is
compromised, which is also assumed by previous work [34, 64].
6.4.3 Cryptographic Primitive
Compared with symmetric key cryptography, public key cryptography is more
expensive in terms of computational complexity. Hence most sensor network security
proposals are based on symmetric key cryptography [6, 13, 15, 17, 18, 36]. However, with
the fast development of hardware performance, public key cryptography is becoming feasible
on low-end devices [68, 70].
Elliptic curve cryptography (ECC) [71, 72] and RSA [3] are mature public-key
techniques that have been researched by the academic community for many years.
Compared to RSA, ECC is seen to be the standard for the next generation cryptographic
technology. The fundamental operation underlying RSA is the modular exponentiation in
integer rings. Its security stems from the difficulty of factorizing large integers. Currently
there only exist sub-exponential algorithms to solve the integer factorization problem¹.
ECC operates on groups of points over elliptic curves and derives its security from the
hardness of the elliptic curve discrete logarithm problem (ECDLP)² [71, 72]. The best
algorithms known for solving ECDLP are exponential. Hence, for the same key length,
ECDLP is harder than the integer factorization problem underlying RSA. In other words, ECC can achieve the same level of
security with smaller key sizes. It has been shown that 160-bit ECC provides comparable
security to 1024-bit RSA and 224-bit ECC provides comparable security to 2048-bit
RSA [73]. At the same security level, the smaller key sizes of ECC give faster
computation as well as memory, energy and bandwidth savings, so ECC is
better suited to resource constrained devices.
Due to the merits of ECC, our access control protocol uses 160-bit ECC as the
underlying cryptographic infrastructure. Particularly, the signature operation in our
protocol is based on the elliptic curve digital signature algorithm (ECDSA) [73], and the
shared key is established according to the Diffie-Hellman algorithm over ECDLP.
6.4.4 Predeployment Phase
6.4.4.1 Network parameters
Before a sensor network is deployed, the CA chooses a set of system parameters including:
1. a finite field F_q, where q is a large odd prime of at least 160 bits;
2. an elliptic curve E over F_q (denoted by E(F_q) hereafter);
3. a cyclic group 𝔾 = 〈G〉 of points over the elliptic curve E(F_q), where G is the generator of the group and has an order n of at least 160 bits, with n > 4√q;
4. the CA's private key κ ∈ Z_n^* = {1, 2, . . . , n − 1};
¹ Given a positive integer n = pq where p and q are large pairwise distinct primes, find p and q.
² Given a generator G of a finite cyclic point group 𝔾 over an elliptic curve E(F_q) and another point Q in the group, find an element x ∈ F_q such that xG = Q.
5. the CA's public key Q = κG ∈ 𝔾.
The CA never shares its private key with anyone else. Since ECDLP is a hard
problem [71, 72], no one can derive the CA's private key κ from the pair 〈G, Q〉. In
addition, the CA does not get involved in the network operation, so adversaries have no
opportunity to directly attack the CA to get κ.
6.4.4.2 Sensor parameters
For each sensor node, say N_i, the CA preloads it with a set of node parameters
including:
1. the elliptic curve E(F_q);
2. the cyclic group 𝔾 over E(F_q);
3. the CA's public key Q;
4. the bootstrapping time T_i when node N_i bootstraps itself to join the sensor network;
5. the length of bootstrapping phase L_i during which the node is allowed to join the sensor network;
6. N_i's private key s_i ∈ Z_n^*;
7. N_i's public key P_i = s_i G = (x_{p_i}, y_{p_i}) ∈ 𝔾, where x_{p_i}, y_{p_i} ∈ F_q;
8. the signature 〈C_i, c_i〉 for node N_i, where C_i ∈ 𝔾 and c_i ∈ Z_n^*;
9. a hash function H : {0, 1}^* → Z_n^*, which maps a binary sequence to an integer in Z_n^*.
The signature is calculated according to ECDSA. The CA first chooses a random
number ki ∈ Z∗n and then calculates
C_i = k_i G = (x_{c_i}, y_{c_i}) , (6–1)
c_i = k_i^{-1} (H(N_i ‖ T_i ‖ L_i ‖ P_i) + κ x_{c_i}) (mod n) , (6–2)
where “‖” is the concatenation operator.
6.4.5 Node Deployment
At the very beginning, a network of sensor nodes, say hundreds or thousands of
nodes, is deployed in a designated area. At a preset time, these sensor nodes bootstrap
themselves and then start to establish communications. During the network operation
phase, if some sensor nodes are lost due to the natural power exhaustion or malicious
attacks, new sensor nodes need to be deployed. These new sensor nodes all have a preset
bootstrapping time different from that of the previously deployed nodes. Hence, without
loss of generality, we assume that sensor nodes are deployed in groups, where sensor nodes
in one group have the same bootstrapping time and the length of bootstrapping phase but
these values for different groups may be different.
6.4.6 Node Authentication
After being deployed into the sensor network, every new node should broadcast a
message to inform its neighbors of its existence. For example, a new node Ni bootstraps
itself at time Ti and broadcasts a message:
Ni → ∗ : 〈∗, Ni, Ti, Li, Pi, Ci, ci〉 . (6–3)
Then handshakes between the new node and its neighbors can be performed for
authentication. Because the neighbors of the new node may include both new nodes and
old nodes, the handshakes can be divided into two cases: the handshake between new
nodes (Fig. 6-2) and the handshake between a new node and an old node (Fig. 6-3).
6.4.6.1 Handshake between new nodes
If node Ni also hears a broadcasted message from another new node Nj, it verifies
whether Nj is a legitimate new node by doing the following.
Node Ni first compares Nj's bootstrapping time Tj with its own bootstrapping time
Ti. If Tj ≥ Ti, then node Nj might be a new node. Actually Tj = Ti if Ni and Nj are both
new nodes. The reason for using “≥” here is to maintain software compatibility, so that
this procedure can also be used by an old node to authenticate a new node (refer to Fig.
6-3). Node Ni proceeds to verify whether node Nj is a new node by comparing Tj with
its current time t. If Tj is out of date (|Tj − t| > Lj), node Ni simply drops the received
message. If Tj is within the tolerance time interval (|Tj − t| ≤ Lj), node Ni continues to
verify Nj's identity by ECDSA. Specifically, node Ni computes
u_1 = H(N_j ‖ T_j ‖ L_j ‖ P_j) , (6–4)
u_2 = c_j^{-1} u_1 (mod n) , (6–5)
u_3 = c_j^{-1} x_{c_j} (mod n) , (6–6)
V = u_2 G + u_3 Q . (6–7)
If V = C_j, node N_i can be sure that node N_j is a legitimate new node. This is because
if the signature is valid, the verification equation holds:
V = u_2 G + u_3 Q
  = c_j^{-1} u_1 G + c_j^{-1} x_{c_j} Q
  = c_j^{-1} (H(N_j ‖ T_j ‖ L_j ‖ P_j) + κ x_{c_j}) G
  = k_j G
  = C_j . (6–8)
After node Ni verifies the identity of node Nj, it calculates a shared key with its
private key and Nj’s public key, i.e.,
Kij = siPj = sisjG . (6–9)
Following the same procedure, node Nj can verify the identity of node Ni after it
hears the broadcasted message from node Ni and calculate a shared key as
Kij = sjPi = sisjG . (6–10)
Figure 6-2. Handshake between two new nodes. Each node broadcasts 〈∗, N, T, L, P, C, c〉, checks the other's bootstrapping time and verifier V as described above, computes Kij, and then runs the challenge-response: Ni → Nj: 〈Nj, Ni, {ni}Kij〉; Nj → Ni: 〈Ni, Nj, ni, {nj}Kij〉; Ni → Nj: 〈Nj, Ni, nj〉.
Node Ni and node Nj can confirm that the other holds the shared key by
following the challenge-response procedure. Node Ni selects a nonce ni, encrypts it
and sends it to node Nj. If node Nj has the shared key, it can decrypt the nonce ni. Then
node Nj sends back a message including the nonce ni and an encrypted nonce nj chosen
by itself to node Ni. Node Ni can also decrypt the nonce nj and return it to node Nj. The
handshake between node Ni and node Nj is depicted in Fig. 6-2.
6.4.6.2 Handshake between a new node and an old node
When an old node Nj hears the broadcasted message from the new node Ni, it also
checks the validity of Ni’s bootstrapping time and then verifies Ni’s identity (Fig. 6-3).
After that, node Nj calculates a shared key with its private key and Ni’s public key,
selects a nonce nj, encrypts the nonce with the shared key, and replies with the message:
Nj → Ni : 〈Ni, Nj, Tj, Lj, Pj, Cj, cj, {nj}Kij〉 . (6–11)
Node Ni does not need to check the validity of Nj’s bootstrapping time because Nj is
not a new node. Adversaries may attack our access control protocol by utilizing this point.
We will analyze this in Section 6.5. Node Ni simply verifies Nj’s identity by following
ECDSA. Then node Ni can decrypt the nonce nj and return it to Nj to show that it is a
legitimate new node. Node Ni also challenges node Nj by sending an encrypted nonce ni
and requiring Nj to return it. The whole handshake is depicted in Fig. 6-3.
Figure 6-3. Handshake between a new node and an old node. Ni broadcasts 〈∗, Ni, Ti, Li, Pi, Ci, ci〉; the old node Nj checks Ti and verifies Ni's certificate, then replies with 〈Ni, Nj, Tj, Lj, Pj, Cj, cj, {nj}Kij〉; Ni verifies Nj's certificate only, then sends 〈Nj, Ni, nj, {ni}Kij〉 and Nj answers 〈Ni, Nj, ni〉.
6.4.7 Key Establishment
During the node authentication procedure, the new node Ni has already established
shared keys with its neighbors, e.g., Nj. They calculate the shared key by following the
Diffie-Hellman algorithm based on ECDLP, i.e.,
Kij = siPj = sisjG = sjPi = Kji . (6–12)
Because no efficient algorithm can solve ECDLP within less than exponential time,
we can expect that adversaries can not calculate the private keys si and sj given pairs
〈G, siG〉 and 〈G, sjG〉. Hence, the shared key is kept secret even if adversaries eavesdrop
transmitted public keys.
The shared key Kij between node Ni and node Nj can be used to derive different keys
for multiple security services, such as message encryption and message authentication [6].
For example, the shared key can be fed into a function f (a hash function or a pseudo-random
function [74]) to generate an encryption key f(Kij, 1) and an authentication
key f(Kij, 2).
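The whole procedure of Sections 6.4.4 to 6.4.7 on a toy curve, as an added example and not code from the thesis: certificate issuance (6-1)/(6-2), the bootstrapping-time check and ECDSA verification (6-4) to (6-8) of Section 6.4.6.1, and key establishment (6-12) with the derived keys f(Kij, 1) and f(Kij, 2). The tiny curve y² = x³ + 2x + 2 over F_17 with n = 19, SHA-256 as H and f, and all function names are assumptions made for illustration; a real deployment uses the 160-bit parameters the thesis specifies.

```python
import hashlib
import secrets

# Toy curve, constructed for illustration (the thesis requires q and n of at
# least 160 bits): E: y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of
# prime order n = 19, so the condition n > 4*sqrt(q) of Section 6.4.4.1 holds.
q, a, b = 17, 2, 2
G = (5, 1)
n = 19

def ec_add(P, R):
    """Point addition on E(F_q); None stands for the point at infinity."""
    if P is None:
        return R
    if R is None:
        return P
    x1, y1 = P
    x2, y2 = R
    if x1 == x2 and (y1 + y2) % q == 0:
        return None  # R = -P
    if P == R:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, q) % q
    else:
        lam = (y2 - y1) * pow((x2 - x1) % q, -1, q) % q
    x3 = (lam * lam - x1 - x2) % q
    return (x3, (lam * (x1 - x3) - y1) % q)

def ec_mul(k, P):
    """Scalar multiplication kP (double-and-add), the costly operation of 6.6.1."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def H(*fields):
    """H: {0,1}* -> Z_n^* (SHA-256 assumed); fields are joined with '||' as in (6-2)."""
    data = "||".join(str(f) for f in fields).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (n - 1)

def issue_certificate(kappa, node_id, T, L, P):
    """CA side, equations (6-1) and (6-2): the signature <C_i, c_i> for node N_i."""
    while True:
        k = 1 + secrets.randbelow(n - 1)  # k_i in Z_n^*
        C = ec_mul(k, G)                  # C_i = k_i G = (x_ci, y_ci)
        x_c = C[0] % n
        c = pow(k, -1, n) * (H(node_id, T, L, P[0], P[1]) + kappa * x_c) % n
        if x_c != 0 and c != 0:           # retry on a degenerate k_i
            return C, c

def verify_certificate(Q, node_id, T, L, P, C, c):
    """Neighbor side, equations (6-4) to (6-7): valid iff V == C."""
    u1 = H(node_id, T, L, P[0], P[1])
    u2 = pow(c, -1, n) * u1 % n
    u3 = pow(c, -1, n) * (C[0] % n) % n
    V = ec_add(ec_mul(u2, G), ec_mul(u3, Q))
    return V == C

def accept_new_node(Q, own_T, t, msg):
    """Checks of 6.4.6.1 on a broadcast (6-3) msg = (N_j, T_j, L_j, P_j, C_j, c_j),
    run by a node with bootstrapping time own_T at its local time t."""
    node_id, T, L, P, C, c = msg
    if T < own_T:        # a legitimate new node never has an earlier bootstrapping time
        return False
    if abs(T - t) > L:   # bootstrapping time outside its tolerance window: drop
        return False
    return verify_certificate(Q, node_id, T, L, P, C, c)

def shared_key(s_own, P_peer):
    """Equation (6-12): K_ij = s_i P_j = s_j P_i."""
    return ec_mul(s_own, P_peer)

def derive_keys(K):
    """Section 6.4.7: encryption key f(K_ij, 1) and authentication key f(K_ij, 2),
    with f instantiated here as SHA-256 over the point coordinates and the index."""
    f = lambda idx: hashlib.sha256(f"{K[0]}||{K[1]}||{idx}".encode()).hexdigest()
    return f(1), f(2)

if __name__ == "__main__":
    kappa, Q = 4, ec_mul(4, G)              # CA key pair (kappa, Q = kappa G)
    s_i, s_j = 3, 5                         # private keys of N_i (new) and N_j (old)
    P_i, P_j = ec_mul(s_i, G), ec_mul(s_j, G)
    C_i, c_i = issue_certificate(kappa, "N1", 1000, 30, P_i)
    msg = ("N1", 1000, 30, P_i, C_i, c_i)
    print("old node N_j accepts N_i at t=1010:", accept_new_node(Q, 500, 1010, msg))
    print("old node N_j accepts N_i at t=1100:", accept_new_node(Q, 500, 1100, msg))
    print("keys agree:", shared_key(s_i, P_j) == shared_key(s_j, P_i))
```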
6.5 Security Analysis
6.5.1 New Node Deployment
By authentication, our access control protocol can prevent adversaries from directly
deploying malicious nodes into sensor networks. Because adversaries do not know the
private key of the CA, they cannot forge certificates for malicious nodes.
Our access control protocol can effectively defend against the Sybil attack, the node
replication attack, and the Wormhole attack. As shown in Section 6.2, the underlying
trick of those attacks is that the adversary could manipulate existing nodes to introduce
malicious “new” nodes into the sensor network. By including the bootstrapping time in
our access control protocol, a new node is only allowed to join the sensor network during
its bootstrapping phase. After that it becomes an old node. Hence, malicious “new” nodes
are prevented from joining the sensor network at the very beginning, because they do
not have the proper bootstrapping time, and they are prevented from falsifying the latest
bootstrapping time which does not match their certificates.
6.5.2 Eavesdropping and False Reports Injection
When a new node passes the authentication procedure, it has already established
shared keys with its neighbors by following the Diffie-Hellman algorithm over ECDLP.
The shared keys can be used to secure communications among sensor nodes. Particularly,
different keys can be derived from the shared keys to provide security services such as
message encryption and message authentication. Hence, adversaries are prevented from
eavesdropping or injecting false reports into the sensor network.
6.5.3 Node Compromise
Usually node compromise can not be prevented in sensor networks, unless future
advances of hardware design and manufacturing could provide stronger tamper resistance
[34]. Our access control protocol cannot eliminate the node compromise problem, but it can
prevent adversaries from spreading the impact of node compromise across the entire
network. Two direct results of node compromise, the Sybil attack and the node replication
attack, can be prevented by our access control protocol after the node bootstrapping
phase. Moreover, based on the ECC public key infrastructure, each sensor node does
not know the private keys of other nodes, and each shared key is only known to two
neighboring nodes who established it. Even if an adversary compromises a node, he/she
can only know what the compromised node knows, but not the shared keys between other
non-neighboring nodes. Hence, the impact of node compromise is limited to the vicinity of
the compromised node.
If an adversary could compromise a sensor node during its bootstrapping phase,
he/she might use it to launch other attacks. However, node compromising is not a trivial
task. Usually a sensor node is designed to be able to sustain compromise for a certain
time interval [34]. The node bootstrapping phase, however, is usually very short, and in
practice it is reasonable to expect it to be shorter than the time needed to compromise
the node [64]. Hence we do not need to worry about node compromise during the node
bootstrapping phase.
6.5.4 Attacks to Access Control
Our access control protocol tries to solve the new node deployment problem in
hostile environments. During the handshake between a new node and an old node, the
bootstrapping time of the new node is verified by the old node, but the new node does not
check the bootstrapping time of the old node because the old node has been involved in
the sensor network. An adversary may take this opportunity to trick the new node into
establishing communications with malicious old nodes.
One scenario is that an adversary might introduce a malicious node through the Sybil
attack or the node replication attack into the area where the new node is to be deployed.
When the new node is deployed, it might establish communications with the malicious
node. To make the attack successful, however, the adversary has to activate the malicious
node at the same time as the new node bootstraps itself and has to rely on no other
old node existing in that area. Otherwise, the introduced malicious node can be detected
by other old nodes because the malicious node is heard by those old nodes as a new node
but it does not have the correct bootstrapping time. Under this strict condition, the
probability of this attack is rather small.
A similar scenario is that an adversary might launch the Wormhole attack to establish
a tunnel between a new node and another distant old node so that these two nodes
might establish communications through handshakes. To make the attack successful, the
adversary still has to establish the tunnel at the same time as the new node bootstraps
itself and has to rely on no other old node existing around the new node. Otherwise, the old
nodes around the new node can detect the Wormhole because they can find a “new” node
in their neighborhoods, which is actually an image of the old node at the other end of the
Wormhole. We can expect that the probability of this attack is also very small under the
strict condition.
Another case is that the adversary just compromises an old node without doing any
tricks to spread its impact. The compromised node stays at its original location and
follows the normal network protocols. If the new node is deployed into the vicinity of the
compromised node, they could establish communications. This is simply the node
compromise attack, and currently no solution can solve the problem. Our access control
protocol cannot prevent this attack either, but the impact of the attack is limited to the
vicinity of the compromised node.
6.6 Evaluation
6.6.1 ECC vs. RSA
The length of the bootstrapping phase is critical for the security performance of our
access control protocol. The shorter the bootstrapping phase, the fewer opportunities
adversaries have to attack the sensor network. Hence a short bootstrapping phase is
desirable to keep the sensor network safe.
RSA and Diffie-Hellman over DLP³ could also be used in our access control
protocol. We use ECC rather than RSA and Diffie-Hellman
over DLP because ECC is more efficient for the same security level. In our access
control protocol, the most expensive operation is the point multiplication of the form
kP for k ∈ Z∗n and P ∈ G. Every sensor node needs to perform only three point
multiplications over an elliptic curve: two for node authentication and one for key
establishment. TinyPK [68] uses RSA to authenticate external parties and Diffie-Hellman
over DLP to establish shared keys between external parties and sensor nodes. It requires
three modular exponentiation operations over integer rings for each sensor node: one
RSA public key operation and one RSA private key operation for node authentication
and one DLP operation for key establishment. It has been shown in [68, 70] that a point
multiplication needs less computation time than a modular exponentiation unless the
exponent is chosen as some specific value. In TinyPK [68], a public exponent e = 3 is
chosen for computational simplicity, and a 1024-bit RSA modular exponentiation with
e = 3 on MICA1 Motes [31] needs 14.5s. The DLP operation 2^x is evaluated in [68, 70]. It
is shown that a 1024-bit modular exponentiation 2^x, where x is at least 160 bits, needs
more than 50s on both MICA1 and MICA2 Motes [31]. However, a 163-bit point
multiplication of ECC on MICA2 Motes requires only 34s [70]. Assembly-language
implementations reduce the computing time much further.
Gura et al. [75] evaluated assembly language implementations of ECC and RSA
on the Atmel ATmega128 processor [32], which is popular for sensor platforms such as
Crossbow MICA Motes. In their implementation, a 160-bit point multiplication of ECC
requires only 0.81s, while a 1024-bit RSA public key operation and private key operation
require 0.43s and 10.99s, respectively. Obviously, ECC is more computationally efficient,
³ Given a generator g of a finite cyclic group Z_q^* and another element p ∈ Z_q^*, find an integer x, 0 ≤ x ≤ q − 2, such that g^x = p (mod q).
especially for assembly language implementations, which makes ECC realistic on current
sensor hardware platforms. This means every sensor node can finish bootstrapping in a
very short time interval. With the fast advance of hardware technology, we believe the
bootstrapping phase can be further reduced in future.
In wireless sensor networks, the transmission energy consumption rate could be
over three orders of magnitude greater than the energy consumption rates for computing
[76]. Most of the performance overhead is attributable to the increase in packet size [77].
Compared with a 1024-bit RSA signature, our access control protocol only introduces a
480-bit signature when 160-bit ECC is used. Hence, by using ECC instead of RSA, our
protocol achieves much larger energy and bandwidth savings.
6.6.2 Comparison with Related Work
Because currently no solution can prevent node compromise in sensor networks,
the best we can do is to limit the impact of node compromise to the vicinity of the
compromised nodes, i.e., prevent adversaries from launching network-scale attacks
based on compromised nodes. Most symmetric key techniques, including randomly
predistributed keys [13, 15], ID-based keys [17, 18], and location-based keys [36, 37, 45],
try to improve the resilience to node compromise by increasing the minimum number of
sensor nodes that an adversary needs to compromise to destroy the entire network
security architecture. These schemes can tolerate a certain number of compromised
nodes. TinyPK [68] is more resilient to node compromise because of the use of RSA. It
may prevent adversaries from spreading the impact of node compromise by launching
the Sybil attack, but it can not detect the node replication attack because the copies
of the compromised nodes also have legitimate certificates. By including the node
bootstrapping time into access control procedure, our protocol can effectively prevent
adversaries from manipulating compromised nodes to launch the Sybil attack and the node
replication attack, and the impact of node compromise is thus limited to the vicinity of
the compromised nodes.
To defend against the Sybil attack, several potential methods were proposed in [60].
One method is the radio resource testing, in which each node assigns a unique channel
to each of its neighbors including those fake neighbors and tests whether its neighbors
could communicate with it through the assigned channels. This method assumes that
each node has enough radio resources and requires several rounds of broadcasting over
multiple channels, thus leading to a large communication overhead. Another method is to
use the ID-based symmetric keys. Particularly, each sensor node is preloaded with a set of
keys which are selected from a global key pool by its node ID. The ID of a suspect node
is challenged by a set of validating nodes based on the keys shared between the suspect
node and the validating nodes. Besides the large amount of communication overhead, this
method may fail if many sensor nodes are compromised so that most of the keys in the
global key pool are exposed. In our access control protocol, those malicious “new” nodes
introduced by the Sybil attack are prevented from joining the sensor network at the very
beginning, because they do not have a proper bootstrapping time or the corresponding keys,
which are challenged during the authentication procedure.
Conventional methods to defend against the node replication attack [66] usually
include centralized computing based on node locations or the number of simultaneous
connections, which is vulnerable to the single-point failure. Distributed detection of the
node replication attack was proposed in [66], where each node is assumed to know its
location and it is required to send its location to a set of witness nodes. If a witness
node finds a contradiction in the location claims of a suspect node, this suspect node
must be a replicated one. Obviously, this method may introduce a lot of communication
overhead. Like the fake nodes in the Sybil attack, the replications of compromised nodes
are also prevented from participating in the sensor network at the very beginning in our
access control protocol. Though those replications have legitimate identities, they do not
have correct bootstrapping times to show they are new nodes. The authentication
procedure in our protocol is performed locally, thus avoiding most of this communication
overhead. Moreover, our protocol does not require each node to know its own location.
To defend against the Wormhole attack, Hu et al. proposed to use packet leashes
[61] to limit the maximum range over which packets can be tunneled. They require
that each node either know its location or have a tightly synchronized clock so that this
information can be used to calculate the maximum distance that a relayed packet could
travel. Directional antennas [62] were also used to defend against the Wormhole attack.
However, these defenses target ad hoc networks and require expensive hardware
devices, which may be infeasible for most resource constrained sensor networks. Our
protocol does not require location information and only needs loosely synchronized clocks.
Wang and Bhargava [63] proposed to use centralized computing to defend against the
Wormhole attack in sensor networks, in which a controller collects all nodes’ location
information to reconstruct the network topology such that any topological distortion may
be visualized. This approach, however, causes intensive communication overhead
and is only suitable for a static Wormhole. If adversaries move around in the entire network,
the location of the Wormhole will change dynamically. Each location change will trigger
a new round of execution of the topology reconstruction algorithm. Our protocol can
prevent a dynamic Wormhole using only localized authentication, thus saving a lot
of communication overhead.
6.7 Conclusion
Currently little work has been reported to address the access control problem in
sensor networks. Though many proposals [6, 13, 15, 17, 18, 36] try to secure sensor
networks, adversaries can still attack the networks [60–63, 66] by manipulating old nodes
to introduce malicious “new” nodes. In this chapter, we analyze most of the well-recognized
attacks targeted at sensor networks, including the Sybil attack, the node replication attack
and the Wormhole attack, and design an access control protocol to prevent malicious
nodes, which may be directly deployed or just old nodes manipulated by adversaries, from
participating in sensor networks. Besides the node identity authentication, we introduce
the node bootstrapping time into the node authentication procedure to differentiate
malicious nodes from legitimate new nodes. Unlike the conventional approaches in
[60–63, 66] that try to detect malicious nodes after they join sensor networks, our access
control protocol can prevent malicious nodes from joining sensor networks at the very
beginning. In addition, key establishment is also realized in our access control protocol to
help the new node establish shared keys with its neighbors so that it can perform secure
communications with them. Compared with the conventional sensor network security
solutions, our access control protocol can defend against most of the notorious attacks in
sensor networks, and achieve better computation and communication performance because
the algorithms based on Elliptic Curve Cryptography are more efficient than
those based on RSA.
CHAPTER 7
BABRA: BATCH-BASED BROADCAST AUTHENTICATION IN WIRELESS SENSOR
NETWORKS
7.1 Introduction
A WSN consists of hundreds or even thousands of cheap sensor nodes, which collaborate
with each other and communicate with the external world through one or several powerful
nodes, called base stations.
Broadcast is a common communication pattern to fulfill collaboration among sensor
nodes. For example, the base station may spread messages such as commands or requests
to the entire network through the network broadcast. Each individual node may use the
local broadcast to fulfill some specific functions in its neighborhood, such as exchanging
routing information or cluster head election. Therefore, the correct broadcast is critical
to the collaboration objective of sensor networks. In hostile environments, however,
adversaries may take advantage of broadcast to inject false information, which can
wreak significant havoc in the network. To defeat such an attack, authentication is required.
Each broadcasted packet should carry some authentication information so that the
recipient node can verify its authenticity.
µTESLA [6] is a light-weight broadcast authentication protocol, which uses a
one-way hash key chain and the delayed disclosure of keys to provide the authentication
service. It is efficient due to the use of symmetric key techniques. However, it requires
synchronization between the source and recipient, which can be a potential security hole
for adversaries [78]. Moreover, the key chain in µTESLA has limited length, and thus can
only support limited rounds of broadcast. If the source node needs to broadcast for a long
period, it has to generate a long key chain. But the management of a long key chain is
difficult for low-end sensor nodes. So µTESLA can only be used by the base stations for
the network broadcast.
In this chapter, we propose a novel protocol, called batch-based broadcast authentication
(BABRA) for wireless sensor networks [79]. BABRA broadcasts packets in batches and
the transmissions of different batches do not require time synchronization. Therefore,
BABRA eliminates the security hole that µTESLA suffers. Moreover, BABRA uses
independent keys instead of a key chain for different batches, and thus supports broadcast
for infinite rounds. In addition, BABRA is also built on symmetric key techniques and
thus is efficient.
The rest of the chapter is organized as follows. Section 7.2 briefly describes the
µTESLA protocol. Details of BABRA are given in Section 7.3. Some comparisons between
µTESLA and BABRA are carried out in Section 7.4. Section 7.5 concludes the chapter.
7.2 µTESLA
Though public key signatures can provide authentication services, they are too
expensive for sensor networks. Therefore most researchers are seeking symmetric key
solutions. µTESLA is a broadcast authentication protocol, which is a simplified version
of TESLA [80]. It is based on a one-way hash chain (OHC), which is a sequence of keys
K_0, K_1, . . . , K_n such that K_{j−1} = H(K_j) for all j > 0, where the hash function H satisfies
two properties:
1. Given x, it is easy to compute y = H(x);
2. Given y, it is computationally infeasible to compute x such that y = H(x).
The first key K0 is unicasted to all the recipient nodes as a commitment in advance.
The entire broadcast stream is divided into continuous time slots. A broadcasted packet
in the t-th time slot carries a message authentication code (MAC) generated by using the
t-th key Kt of the OHC. All the recipient nodes do not know Kt when they receive the
packet. After d time slots, the source node discloses K_t. Then every node can authenticate
K_t by applying the hash function to K_t k times and checking whether H^k(K_t) =
K_{t−k} holds, where K_{t−k} is the (t−k)-th key that has already been received and authenticated. After
that, the recipient node can use the authenticated K_t to authenticate the packets of the
t-th slot. The delayed key release efficiently prevents malicious nodes from impersonating
the source node, because the disclosed key K_t cannot be used to spoof packets after the
t-th slot.
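A toy model of the µTESLA mechanism just described, added here as an illustration and not code from the thesis or from the µTESLA authors: it builds the one-way key chain, MACs each packet with the key of its slot, discloses keys d slots later, and has the receiver authenticate a disclosed key through H^k(K_t) = K_{t−k} before releasing the buffered packets of that slot (deriving the keys of lost intermediate slots by hashing). The delay D = 2, SHA-256 as H, HMAC-SHA256 as the MAC, and the replacement of the clock-based timing check by a comparison of slot numbers are assumptions.

```python
import hashlib
import hmac

D = 2  # disclosure delay d in slots (constructed parameter)

def H(x):
    """One-way function of the chain: K_{j-1} = H(K_j)."""
    return hashlib.sha256(x).digest()

def make_chain(seed, length):
    """Return [K_0, ..., K_length]; K_length = seed and every earlier key hashes the next."""
    keys = [seed]
    for _ in range(length):
        keys.append(H(keys[-1]))
    keys.reverse()  # keys[j] is K_j; keys[0] is the commitment K_0
    return keys

def mac(key, slot, msg):
    """MAC carried by a packet of slot t, keyed with K_t (HMAC-SHA256 assumed)."""
    return hmac.new(key, slot.to_bytes(4, "big") + msg, hashlib.sha256).digest()

class Sender:
    def __init__(self, chain):
        self.chain = chain

    def packet(self, slot, msg):
        """(slot, msg, MAC under K_slot, disclosed key of slot - d or None)."""
        disclosed = (slot - D, self.chain[slot - D]) if slot - D >= 1 else None
        return (slot, msg, mac(self.chain[slot], slot, msg), disclosed)

class Receiver:
    def __init__(self, K0):
        self.last_slot, self.last_key = 0, K0  # latest authenticated key and its index
        self.pending = {}                      # slot -> [(msg, mac)] waiting for a key

    def receive(self, slot, msg, tag):
        """Buffer a packet only if its key cannot have been disclosed yet; the timing
        condition of muTESLA is approximated here by comparing slot numbers."""
        if slot <= self.last_slot:
            return False  # K_slot is already public, so the MAC proves nothing
        self.pending.setdefault(slot, []).append((msg, tag))
        return True

    def disclose(self, slot, Kt):
        """Authenticate a disclosed K_t via H^k(K_t) == K_{t-k}, then verify the buffered
        packets of slots t-k+1 .. t (keys of lost slots are derived by hashing K_t)."""
        k = slot - self.last_slot
        if k <= 0:
            return None
        cand = Kt
        for _ in range(k):
            cand = H(cand)
        if cand != self.last_key:
            return None  # bogus key: ignore it
        self.last_slot, self.last_key = slot, Kt
        out, key = [], Kt
        for s in range(slot, slot - k, -1):
            for msg, tag in self.pending.pop(s, []):
                if hmac.compare_digest(mac(key, s, msg), tag):
                    out.append((s, msg))
            key = H(key)
        return sorted(out)
```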
Though µTESLA is more efficient than public key signature
protocols, it has some strong requirements. The slot-based broadcast requires time
synchronization throughout the entire network. The time synchronization procedure may
be subject to threats that lead to the failure of the entire protocol [78]. The distribution
of the key chain commitment K0 to all the nodes is expensive in communication because
the commitment has to be unicast to each node while the network can consist of a large
number of nodes. The OHC length is limited, and thus it cannot support broadcast for a
long time. The complex key chain management indicates that µTESLA can be used only
by the base station for the network broadcast.
Multilevel key chains are used to extend the lifetime of authenticated broadcast [81],
but it is still limited by the highest level OHC. The multilevel key chains also require the
source node to manage many OHCs at the same time and thus are not suitable for sensor
nodes. Moreover, time synchronization is still required.
7.3 BABRA Design
Unlike µTESLA, BABRA does not require time synchronization, and supports
broadcast for infinite rounds. It can be used in both the network broadcast and the
local broadcast. In this section, we give the details of BABRA.
7.3.1 Network Model
We consider the application scenarios including the network broadcast, where
the base station broadcasts messages into the entire network, and the local broadcast,
where each node broadcasts messages in its one-hop neighborhood. BABRA can provide
authentication services for these broadcast patterns. Though confidentiality is also critical
to group communications, the management of encryption keys is a very challenging task
[82] and is outside the scope of this chapter.
[Figure 7-1 not reproduced. It shows one batch i on the time axis t: packets P_{i,j} = <i, M_{i,j}, H(K_{i+1}), MAC(i, M_{i,j}, H(K_{i+1}), K_i)> sent during the batch period C, followed by the delay period D and the key disclosure period E in which K_i is released.]
Figure 7-1. One batch of broadcast and the batch packet format.
The main purpose of authenticating broadcast is to prevent adversaries from injecting
bogus packets. BABRA also uses delayed key disclosure to counteract the bogus packet
injection. In addition, adversaries can also inject radio interference at the physical layer
to disrupt communications, leading to the DoS attack [35]. The intermittent interference
can deteriorate channel condition and cause packet loss. The continuous jamming can even
stop communications. However, due to the large scale of the network and cost considerations,
adversaries may not be able to jam the entire network. In this chapter, we assume that the
impact of radio jamming only covers a portion of the network at one time.
There are other attacks and corresponding countermeasures discussed in the literature
[33, 35]. They are out of the scope of this paper because most of them are unrelated
to broadcast authentication. We have developed several schemes [9, 45, 46] to establish
pairwise keys to secure point-to-point communications. In this chapter, we simply assume
that every pair of neighboring nodes shares a pairwise key after network initialization.
7.3.2 Architecture
In BABRA, broadcasted packets are sent in batches and each batch is a burst
sequence of packets. There is a key associated with each batch. All the packets in one
batch carry a MAC calculated based on the associated key, and are sent in C time units,
which is the batch period (BP). At the end of the BP, the source node starts a timer of
D units, which is the delay period (DP). During the BP and the DP, the batch key is
kept secret by the source node. When the DP timer expires, the source node discloses
the corresponding batch key in a key disclosure period (KP) of E time units. When a
recipient node gets the first packet of the batch, it starts a timer that lasts for C time
units. Only the batch packets that arrive within this period of C time units are accepted by the
recipient. At the end of the period, the recipient starts a new timer for D time units as
the DP. After the DP, the recipient can receive the corresponding batch key and use the
key to recalculate the MAC to check the authenticity of the cached batch packets. Due
to the delayed key disclosure, the adversary can not use the disclosed key to inject bogus
batch packets because the source node never sends any packet of this batch after the key
disclosure period.
However, each batch key should be authenticated before being used to authenticate
the corresponding batch packets. BABRA achieves this goal by using the immediate
authentication method proposed in [83]. Specifically, all the packets in one batch also
carry a hash of the key associated with the next batch. Hence, each broadcasted packet
consists of four parts: the batch index, the payload, the hash of the next batch's key,
and the MAC calculated over the previous three parts with the batch key (Fig. 7-1). The
delayed batch key authenticates the corresponding batch. The hash of the next batch's
key is authenticated at the same time, and can then be used to authenticate the key of the
next batch.
The entire broadcast stream is depicted in Fig. 7-2. Before broadcast, the source
node bootstraps all the recipient nodes with the hash H(K_1) of the first batch key K_1.
Depending on the scenario where BABRA is applied, different methods can be used
to bootstrap the hash value; we discuss this issue in Section 7.3.3. After bootstrapping, the
source node sends out batches of broadcasted packets one by one and discloses the
corresponding batch keys afterwards (Fig. 7-2). A batch need not be sent right
after the end of the previous batch. Therefore, BABRA can be adapted to different data
rates.
[Figure 7-2 not reproduced. It shows batches 1, 2, ..., i−1, i along the time axis t, beginning with the bootstrapped H(K_1); each batch is followed by a delay period D and the disclosure of its key K_1, K_2, ..., K_{i−1}, K_i.]
Figure 7-2. The authenticated broadcasting stream.
In hostile environments, the adversary can inject jamming interference and cause
packet loss. The nodes in the jammed area will seek help from the surrounding neighbors
to recover the lost information such as keys or key hashes. To facilitate such local
collaboration, each recipient node keeps the latest k keys received from the source node.
We will discuss this issue in Section 7.3.5.
7.3.3 Bootstrapping
As mentioned before, the hash H(K_1) of the first batch key K_1 needs to be
bootstrapped into all the recipient nodes. To avoid using expensive public key signatures
to authenticate H(K_1), we need methods based on symmetric key techniques.
For the local broadcast, the source node can unicast H(K1) to each of its neighbors.
Each unicast is authenticated with the pairwise key shared between the source and
the corresponding neighbor. Because the number of neighbors is small, such unicast
bootstrapping can be finished in a very short time period.
Though unicast can also be used to bootstrap the network broadcast, the overhead is
too high because there are too many nodes in a network: it takes too much time for the
base station to unicast to each node. A simple way to bootstrap the network broadcast is
to preload each node with H(K_1) before deployment. This is easy to achieve because the
entire sensor network is usually managed by a single authority, and thus preloading
secure parameters is a common way to establish a secure architecture for the sensor
network [6, 9, 45, 46, 81].
7.3.4 Counteracting Bogus Packets
The parameter DP is critical to the security of the entire broadcasting protocol. If
the value of DP is small, there is a chance that the adversary catches the key before some
nodes get the corresponding batch packets and then sends bogus packets towards these
nodes. Therefore, the value of DP should be large enough for all nodes to get the batch
before the release of the key. For the local broadcast, the DP value D_l is larger than the
maximum one-hop transmission delay, and thus can be set as
D_l = \lambda_l \left( \frac{R}{c} + P \right),   (7–1)
where λ_l > 1 is a constant, R is the radius of node coverage, c is the speed of light, and
P is the packet processing delay. For the network broadcast, the DP value D_n should be
larger than the time a packet takes to travel across the maximum diameter L of the
network, and thus can be set as
D_n = \lambda_n \frac{L}{R} \left( \frac{R}{c} + P \right),   (7–2)
where λ_n > 1 is a constant.
7.3.5 Countermeasures to Radio Jamming
The adversary can introduce jamming interference to disrupt communications, leading
to the DoS attack. The intermittent interference can deteriorate channel condition and
cause packet loss. The continuous jamming can even stop communications. Here we
discuss their impacts and countermeasures.
7.3.5.1 Intermittent jamming
Each batch of broadcasting is authenticated by the corresponding batch key. If some
of the batch packets are lost due to jamming, the recipient just experiences lower quality
of service. But if the batch key is lost, the entire batch is useless. Therefore, tolerating
key loss is a very important task. Here we introduce the following two methods to
solve this problem.
To provide resilience to the key loss, the first method in BABRA is to transmit
each batch key several times during the corresponding key disclosure period. Suppose the
average packet loss rate is p_l, and each batch key is transmitted t times during its KP. The
probability that the key is received is
P = 1 - p_l^{t}.   (7–3)
Fig. 7-3 gives the key survival probability P versus the key disclose times t when the
packet loss rate p_l varies from 0.2 to 0.8. We can see that by simply disclosing the key
multiple times, the batch key can be received with very high probability.
It is worth noting that disclosing the key multiple times is the simplest forward error
correction (FEC) method to counteract packet loss in communications. More complex and
robust FEC methods can also be used here to increase the resilience to the key loss. One
example is to use Reed-Solomon codes. We do not discuss this issue here for the sake of
the page limit.
The second method handles the unlucky case in which all t transmissions of the
batch key are lost. In such a case, the recipient node seeks help from its
neighbors right after the expiration of the KP timer. For a key lost during the network
broadcast, the node locally broadcasts a message to request the lost key from its
neighbors:
a \longrightarrow *: \langle j, H(K^a_{i+1}), \mathrm{MAC}(j, H(K^a_{i+1}), K^a_i) \rangle,
where j is the index of the batch whose key is lost, K^a_{i+1} is the key associated
with the next batch of node a's local broadcast stream, and K^a_i is the key of the current
batch of a's local broadcast stream. This message is therefore authenticated by the local
broadcast authentication, and the adversary can not spoof it.
If a neighbor node b knows the key K_j, it replies with a local broadcast message:
b \longrightarrow *: \langle K_j, H(K^b_{i+1}), \mathrm{MAC}(K_j, H(K^b_{i+1}), K^b_i) \rangle,
where K^b_{i+1} is the key associated with the next batch of node b's local broadcast stream,
and K^b_i is the key of the current batch of b's local broadcast stream. This message is also
[Figure 7-3 not reproduced. The plot shows the key survival probability P (y-axis, 0.1 to 1) against the key disclose times t (x-axis, 0 to 12) for packet loss rates p_l = 0.2, 0.4, 0.6 and 0.8.]
Figure 7-3. The key survival probability.
authenticated so that it can not be spoofed. In addition, the key K_j is broadcasted, so
node b gains nothing by replying with bogus messages, because nearby nodes that also have
K_j can check whether node b lies to node a. Such local monitoring has been used in
misbehavior detection; one example is discussed in [84].
When node a gets K_j from its neighbor b, it broadcasts K_j again through its local
authenticated broadcast so that its neighbors know that it has really obtained K_j.
If none of node a’s neighbors knows Kj, they will continue the above procedure until
some node can reply with Kj. For example, if node b does not get Kj but its neighbor c
knows Kj, then b can learn Kj from c. Then b can broadcast Kj if it has a request from a.
If multiple nodes in the neighborhood of node a know K_j, all of them might try to
reply at the same time. But the underlying contention resolution mechanisms at the medium
access layer can guarantee that one of them replies successfully. Other nodes that hear
the reply carrying K_j stop trying to broadcast K_j.
For a key lost during the local broadcast, it is easy to resend the key from the
source node to the recipient node because it only involves one-hop communication, which
can be encrypted and authenticated by the pairwise key shared between the source and
the recipient.
7.3.5.2 Continuous jamming
Continuous jamming is more severe for broadcast. When the channel is jammed,
the recipient gets nothing. Because the key of each batch is authenticated by its hash
included in the previous batch, the key can not be authenticated if all the packets of the
previous batch are lost due to the continuous jamming. Here we need some measures to
help recipient nodes recover the interrupted broadcast stream when the jamming attack
stops.
When the recipient node a gets a packet of the next batch right after the jamming
attack, node a broadcasts a message including the index, say j, of that batch and the
index i of the last batch it received just before the jamming attack. This message is
authenticated by node a's local broadcast protocol, i.e.,
a \longrightarrow *: \langle j, i, H(K^a_{l+1}), \mathrm{MAC}(j, i, H(K^a_{l+1}), K^a_l) \rangle,
where K^a_{l+1} is the key associated with the next batch of node a's local broadcast stream,
and K^a_l is the key of the current batch of a's local broadcast stream. Node a broadcasts
the index j to request the hash H(K_j) of the key K_j associated with the batch right after the
jamming attack. In addition, the packets of several batches just before the jamming attack
are cached in a's buffer and not authenticated, because the corresponding keys were lost
during the jamming attack. So node a also broadcasts the index i of the last batch just
before the jamming attack. Because every node caches the latest k keys disclosed by
the source, if any neighbor finds in its buffer keys associated with some
batches before the jamming attack, it can reply with those keys so that node a can
authenticate the packets of those batches.
A nearby node b, which is unaffected by the jamming attack and has
cached the k latest keys K_m, ..., K_{m−k+1}, replies with an authenticated broadcast message:
b \longrightarrow *: \langle H(K_j), [K_i, \ldots, K_{m-k+1}], H(K^b_{l+1}), \mathrm{MAC}(H(K_j), [K_i, \ldots, K_{m-k+1}], H(K^b_{l+1}), K^b_l) \rangle,
where K^b_{l+1} is the key associated with the next batch of node b's local broadcast stream,
and K^b_l is the key of the current batch of b's local broadcast stream. H(K_j) is used to
authenticate the key K_j of the batch j right after the jamming attack, and then the
key K_j is used to authenticate the packets in that batch. Here the keys K_i, ..., K_{m−k+1}
are optional. Node b checks its latest k cached keys K_m, ..., K_{m−k+1}. If the index
i ≥ m−k+1, node b knows that node a needs the keys from K_{m−k+1} to K_i to authenticate
the packets of the last several batches just before the jamming attack, and node b replies
with these keys.
Due to the broadcast, the surrounding nodes that also have copies of H(K_j) can
check whether node b lies to node a. Hence node a can get the correct H(K_j), use it to
authenticate K_j later, and thereby recover the entire broadcast stream. When node a gets
H(K_j) and/or K_i, ..., K_{m−k+1} from its neighbor b, it broadcasts them again through its
local authenticated broadcast so that its neighbors know that it has really obtained them.
If none of node a's neighbors has the information that a needs, they
continue the above procedure until at least one node can supply it.
For the local broadcast under the jamming attack, it is easy for the recipient node
to recover after the jamming. Through unicast, the recipient node a can get all the
required information from the source node b, where the communication is encrypted and
authenticated by the pairwise key shared between a and b.
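The batch packet format of Section 7.3.2 and the recovery exchange after continuous jamming of Section 7.3.5.2, as an added Python example written for this edit (it is not code from the dissertation). SHA-256 stands in for H(), HMAC-SHA256 for MAC(); the 4-byte batch index, the dictionary used as node b's key cache, and the constructed scenario in simulate_jamming_recovery() (source keys, batch numbers, k = 4) are assumptions of the example. The timers C, D and E and node b's own local-broadcast authentication of its reply are not modelled; the block shows how the disclosed key, the carried hash of the next key and the neighbour's cached keys chain together.

```python
# Added example (not the dissertation's code): BABRA batch packets
# (Section 7.3.2) and recovery after continuous jamming with keys cached by a
# neighbour (Section 7.3.5.2).  SHA-256 stands in for H(), HMAC-SHA256 for
# MAC(); the 4-byte batch index, the dictionary key cache and the scenario in
# simulate_jamming_recovery() are constructed for this example.  Timers and
# node b's own local-broadcast authentication of its reply are not modelled.
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

Packet = Tuple[int, bytes, bytes, bytes]  # (i, M_{i,j}, H(K_{i+1}), MAC)


def H(key: bytes) -> bytes:
    """Key commitment H(K)."""
    return hashlib.sha256(key).digest()


def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC over length-prefixed fields so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()


def make_batch(i: int, key_i: bytes, key_next: bytes, payloads: List[bytes]) -> List[Packet]:
    """P_{i,j} = <i, M_{i,j}, H(K_{i+1}), MAC(i, M_{i,j}, H(K_{i+1}), K_i)>."""
    hn = H(key_next)
    return [(i, m, hn, mac(key_i, i.to_bytes(4, "big"), m, hn)) for m in payloads]


def verify_batch(i: int, packets: List[Packet], key_i: bytes,
                 commitment: bytes) -> Tuple[List[bytes], Optional[bytes]]:
    """Recipient side once K_i is disclosed: K_i must match the commitment
    H(K_i) learnt from batch i-1, then each cached packet's MAC is checked.
    Returns (authentic payloads, H(K_{i+1})); ([], None) if nothing verifies."""
    if not hmac.compare_digest(H(key_i), commitment):
        return [], None
    accepted, next_commitment = [], None
    for idx, m, hn, tag in packets:
        if idx == i and hmac.compare_digest(tag, mac(key_i, idx.to_bytes(4, "big"), m, hn)):
            accepted.append(m)
            next_commitment = hn  # authenticated together with the payload
    return accepted, next_commitment


def recovery_reply(cache: Dict[int, bytes], commitments: Dict[int, bytes],
                   j: int, i: int, k: int) -> Tuple[bytes, Dict[int, bytes]]:
    """Node b's reply: H(K_j) for the batch heard after the jamming and, if
    i >= m-k+1 where K_m is the newest of its k cached keys, the keys
    K_{m-k+1}..K_i that node a needs for the batches cached before the jamming."""
    m = max(cache)
    oldest = m - k + 1
    keys = {t: cache[t] for t in range(oldest, i + 1) if t in cache} if i >= oldest else {}
    return commitments[j], keys


def simulate_jamming_recovery(k: int = 4) -> Dict[str, object]:
    """Constructed scenario: the source sent batches 1..8 and disclosed
    K_1..K_7.  Node b heard everything and caches its latest k keys.  Node a
    authenticated batches 1..4, cached batch 5 (i = 5) unverified, was jammed
    through batches 6 and 7, and hears again at the first packet of j = 8."""
    keys = {t: hashlib.sha256(b"constructed source key %d" % t).digest() for t in range(1, 10)}
    batches = {t: make_batch(t, keys[t], keys[t + 1], [b"m%d-%d" % (t, n) for n in range(2)])
               for t in range(1, 9)}
    # node b: verify each batch as its key is disclosed, keep H(K_t) and the latest k keys
    b_cache, b_commit = {}, {1: H(keys[1])}  # H(K_1) was bootstrapped
    for t in range(1, 8):
        _, b_commit[t + 1] = verify_batch(t, batches[t], keys[t], b_commit[t])
        b_cache[t] = keys[t]
        if len(b_cache) > k:
            del b_cache[min(b_cache)]
    # node a before the jamming: batches 1..4 authenticated, H(K_5) known
    a_commit = {1: H(keys[1])}
    for t in range(1, 5):
        _, a_commit[t + 1] = verify_batch(t, batches[t], keys[t], a_commit[t])
    i, j = 5, 8
    h_kj, recovered = recovery_reply(b_cache, b_commit, j, i, k)
    # a authenticates its pending batch 5 with the recovered K_5 ...
    batch5, _ = verify_batch(5, batches[5], recovered[5], a_commit[5])
    # ... adopts H(K_8), which the other neighbours holding H(K_8) can vouch for
    # (batches 6 and 7 are lost for good), and verifies batch 8 once K_8 is disclosed.
    batch8, _ = verify_batch(8, batches[8], keys[8], h_kj)
    return {"recovered": sorted(recovered), "batch5": batch5, "batch8": batch8}


if __name__ == "__main__":
    print(simulate_jamming_recovery())
```

The check in verify_batch is the whole point of carrying H(K_{i+1}) in every packet: a key that does not hash to the commitment learnt from the previous batch is rejected before any MAC is recomputed, so a neighbour lying about H(K_j) can only cause node a to reject the genuine K_j, never to accept a forged one.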
7.4 Discussion
Each packet in both BABRA and µTESLA carries a MAC as the authentication
information. The difference is that BABRA replaces the timestamp in the µTESLA packet
with a batch index and a key hash. The batch index is just like the timestamp and thus
can be represented with the same number of bits. However, BABRA does not use a limited
key chain and does not require each batch to be sent right after the end of the previous batch,
so BABRA can support a longer lifetime of a broadcast stream. Suppose each batch
period is 100 ms, which corresponds to one time slot [81]. A 32-bit batch index
can support a broadcast stream of up to 4971 days if the source keeps sending batches
continuously.
As for the key hash in each BABRA packet, its length should guarantee that no two
keys have the same hash value. Otherwise, the adversary can spoof broadcasted packets.
Considering the 32-bit batch index, the number of keys in BABRA is 2^32. According to
the birthday paradox [85], a 64-bit key hash is enough to guarantee that all the 2^32 keys
generate different hash values with a probability close to 1. Though BABRA introduces
additional packet overhead for the key hash, it is worthwhile because it eliminates
the time synchronization requirement.
Like µTESLA, BABRA also requires every node to buffer packets before the
corresponding key is disclosed. The difference is the management of keys. In µTESLA, the
source node has to manage a key chain, which has a length determined by the lifetime of
the broadcast stream. However, to manage such a key chain may not be feasible when the
source wants to broadcast for a long time. In BABRA, all the keys are independent. The
elimination of key chains makes BABRA suitable for both the network broadcast by base
station and the local broadcast by sensor nodes. Each node in BABRA caches the latest
k keys disclosed by the source node. The value k can be adapted according to the buffer
space of each node.
7.5 Conclusion
Though there are many broadcast authentication protocols proposed for conventional
wired networks, little work has been carried out for wireless sensor networks. Though
µTESLA can provide the broadcast authentication service for sensor networks, it still
suffers from some drawbacks. BABRA is a batch-based broadcast authentication protocol for
wireless sensor networks. BABRA broadcasts packets in batches, and the transmissions of
different batches do not require time synchronization. Therefore BABRA eliminates the
security hole that µTESLA suffers from. BABRA uses independent keys instead of a key chain
for different batches, and thus supports broadcast for infinite rounds. BABRA can support
both the network broadcast and the local broadcast. In addition, BABRA is also built on
symmetric key techniques and thus is efficient.
CHAPTER 8
MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE
8.1 Introduction
Multicast [86] is an efficient method to deliver multimedia content to a group of
receivers and is gaining popularity in applications such as live shows, IPTV, realtime stock
quote broadcast, video conferencing or interactive games. Authentication is critical in
securing multicast streams [87–89] because it proves the origin of a multicast stream. An
ideal approach is to attach a signature to each packet and let each receiver verify the
signature to authenticate the packet. However, existing digital signature algorithms are
computationally expensive. For a typical multicast application, the sender is a powerful
server, but receivers can have various computation and communication capabilities and
usually are less powerful than the sender. The ideal approach raises a serious challenge
to the receiver’s computational capability and may not be affordable in most realtime
multicast applications.
In order to reduce the number of signature verification operations, conventional
schemes [90–95] divide a multicast stream into blocks, associate each block with a
signature, and spread the effect of the signature across all the packets in the block
through some efficient operations such as hash chains or redundancy codes. In this way,
the computation requirement is reduced to one signature verification plus some hash or
decoding operations per-block instead of per-packet.
The block-based approach suffers from some drawbacks in reality. Some schemes
[90–95] use hash chains to link packets to their block signatures and other schemes
[102–107] use erasure codes or error correction codes to protect block signatures. Hashing and
coding establish relationships among all the packets in one block. However, these relationships
make existing schemes vulnerable to packet loss, which is very common in the current
Internet and in wireless networks. The loss of a certain number of packets can result in
the failure of authentication of other received packets. In an extreme case, the loss of
the signature of one block makes the whole block of packets unable to be authenticated.
Though existing schemes allow increasing the resilience to packet loss by attaching
more authentication information to each packet, this results in more computational and
communication overhead, which is undesirable in resource-constrained scenarios such
as mobile and wireless communications. Moreover, the block design requires the sender
and/or receivers to buffer a certain number of packets before processing them. A larger
block size can achieve higher computational efficiency, but incurs longer buffering delay.
This authentication latency at the sender and/or receivers can compromise the realtime
requirements in many multimedia application scenarios such as live video show or stock
quotes delivery. Meanwhile, the block design is vulnerable to the Denial of Service (DoS)
attack. An attacker can inject a large number of forged packets to exhaust the receiving
buffer, so that signatures cannot be received by the receiver, and to cause extra computational
overhead at the receiver.
Unlike the conventional block-based signature approach, we propose a new multicast
authentication scheme using packet-based signatures in this paper. In order to avoid
expensive per-packet-based signature verification, we use an efficient cryptographic
primitive called batch signature [3, 109–113] to verify the signatures of any number of
packets at the same time. Therefore our scheme is called multicast authentication based
on batch signature (MABS). The main contributions are as follows:
1. MABS is perfectly resilient to packet loss in the sense that no matter how many packets are lost, the rest can still be verified by receivers. In contrast, most conventional schemes cannot totally solve the packet loss problem;
2. By using batch signatures, MABS can completely eliminate authentication latency at the sender and receivers. This is a significant improvement to the quality of realtime applications compared with conventional block-based schemes;
3. We propose three implementations of MABS including two new batch signature schemes based on BLS [111] and DSA [112], which are more efficient than the existing one based on RSA [3];
4. MABS can efficiently defeat the DoS attack by using packet filtering, while most conventional schemes are vulnerable to DoS.
The rest of the chapter is organized as follows. We first briefly review related
work, then describe the details of MABS over lossy channels. Next, we introduce three
implementations including two new batch signature schemes based on BLS and DSA in
addition to the one based on RSA. We will show the performance superiority of our MABS
over conventional schemes. Last we introduce the countermeasure to DoS and conclude the
chapter.
8.2 Related Work
There have been many multicast authentication schemes [90–95] in the literature. In
the hash chain schemes [90–95], a multicast stream is divided into blocks, each of which
is associated with a signature. In each block, the hash of each packet is embedded into
several other packets in a deterministic or probabilistic way. The hashes form chains
linking each packet to the block signature. The receiver verifies the block signature and
authenticates all the packets through hash chains.
A special hash chain scheme is the tree chaining scheme [100, 101], which constructs
a hash tree for each block of messages. The root of the tree is signed by the sender. Each
packet carries the signed root and several hashes. When the receiver receives one packet
in the block, he uses the authentication information in the packet to authenticate it. The
buffered authentication information is further used to authenticate other packets in the
same block. However, without the buffered authentication information, each packet is
independently verifiable with a trade-off of per-packet signature verification.
In the signature amortization schemes [102–107], a signature is generated for the
concatenation of the hashes of all the packets in one block. An erasure coding or forward
error correction coding algorithm is used to chop the block signature into many pieces and
attach each packet with one piece. The coding approach enables the receiver to
recover the block signature when receiving at least a certain number of pieces.
Some other schemes [79, 119–122] use shared keys between the sender and the receiver
to authenticate multicast streams. Though they are more efficient than those using
signatures, they cannot provide non-repudiation as the signature approach does. In this
chapter, we focus on the signature approach.
8.3 Multicast Authentication Over Lossy Channels
We discuss the details of MABS hereafter.
8.3.1 Assumptions
Our target is to authenticate multicast streams from a sender to multiple receivers.
Generally, the sender is a powerful multicast server managed by a central authority and
can be trusted. The sender signs each packet or a batch of packets with a signature
and transmits them to multiple receivers through a multicast routing protocol. Each
receiver is a less powerful device with resource constraints and may be managed by a
non-trustworthy person. Each receiver needs to assure that the received packets are
really from the sender (authenticity) and that the sender cannot deny the signing operation
(non-repudiation) by verifying the corresponding signatures. Since packet loss is well
known to be very common in the Internet and even more severe in wireless communications, we
assume a lossy channel where packets can be lost according to different loss models,
such as random loss or burst loss. Though confidentiality is another important issue
for securing multicast, it can be achieved through group key management [82]. In this
chapter, we focus on multicast authentication.
8.3.2 Batch Signature
An ideal approach to authenticate a multicast stream is to let each packet carry
a signature that can be verified by each receiver. However, expensive digital signature
algorithms raise a serious challenge to the receiver’s computational capability and may not
be affordable in most realtime multicast applications, since in most application scenarios
the receiver is resource-constrained and has much less computation and communication
power than the sender, which is a powerful server.
The conventional schemes [90–95] use block-based signatures to reduce the
computational overhead but also incur a trade-off of vulnerability to packet loss and
authentication latency at the sender and/or receivers. Unlike those schemes, we use
packet-based signatures as in the ideal approach, because the independence among packets
can totally eliminate the vulnerability to packet loss. Therefore the problem is how to
reduce the computation overhead at receivers.
In order to avoid the expensive packet-based signature verification, we use an efficient
cryptographic primitive called batch signature [3, 109–113] to simultaneously verify the
signatures of any number of packets.
When the receiver collects n packets
p_i = \{m_i, \sigma_i\}, \quad i = 1, \ldots, n,
where m_i is the data payload, σ_i is the corresponding signature and n can be any positive
integer, he can input them into an algorithm
\mathrm{BatchVerify}(p_1, p_2, \ldots, p_n) \in \{\mathrm{True}, \mathrm{False}\}.
If the output is True, we know the n packets are authentic, and otherwise not.
To support authenticity and efficiency, the BatchVerify() algorithm should satisfy
the following properties:
1. Given a batch of packets that have been signed by the sender, BatchVerify() outputs True;
2. Given a batch of packets including some unauthentic packets, the probability that BatchVerify() outputs True is very low;
3. The computation complexity of BatchVerify() is comparable to that of verifying one signature and increases gradually as the batch size n increases.
By BatchVerify(), each receiver can achieve computational efficiency comparable
to conventional block-based schemes in the sense that a batch of packets can be
authenticated simultaneously through one batch signature verification operation. In
addition, our approach uses per-packet signatures instead of per-block signatures and thus
eliminates the authentication latency at the sender and/or receivers in conventional
schemes. Each receiver can verify the authenticity of all the received packets in its buffer
whenever the higher layer applications require. This is a significant improvement to the
quality of realtime applications. Moreover, our approach has perfect resilience to packet
loss. No matter how many packets are lost, the rest can still be verified by the receiver.
8.4 Batch Signature Construction
In this section, we propose three schemes to implement the batch signature approach.
Besides the one based on RSA [3], we propose another two schemes based on BLS [111]
and DSA [112], which are more efficient than batch RSA.
8.4.1 Batch RSA Signature
8.4.1.1 RSA
RSA [3] is a very popular cryptographic algorithm in most security protocols. In
order to use RSA, a sender chooses two large random primes P and Q to get N = PQ,
and then calculates two exponents e, d ∈ Z_N^* such that ed = 1 mod φ(N), where
φ(N) = (P − 1)(Q − 1). The sender publishes (e, N) as his public key and keeps d secret
as his private key. A signature of a message m can be generated as σ = (h(m))^d mod N,
where h() is a collision-resistant hash function. The sender sends {m, σ} to the receiver,
which can verify the authenticity of the message m by checking σ^e = h(m) mod N.
8.4.1.2 Batch RSA
To accelerate the authentication of multiple signatures, the batch verification of RSA
[109, 110] can be used. Given n packets {mi, σi}, i = 1, . . . , n, where mi is the data
payload and σi is the corresponding signature, the receiver can first calculate hi = h(mi)
and then perform the following verification:
\left( \prod_{i=1}^{n} \sigma_i \right)^{e} = \prod_{i=1}^{n} h_i \bmod N.   (8–1)
If all n packets are truly from the sender, the equation holds because
\left( \prod_{i=1}^{n} \sigma_i \right)^{e} \bmod N = \prod_{i=1}^{n} \sigma_i^{e} \bmod N = \prod_{i=1}^{n} h_i^{ed} \bmod N = \prod_{i=1}^{n} h_i \bmod N.   (8–2)
Before the batch verification, the receiver must ensure all the messages are distinct.
Otherwise the batch RSA is vulnerable to the forgery attack [110]. This is easy to
implement because sequence numbers are widely used in many network protocols and can
ensure all the messages are distinct. It has been proved in [110] that when all the messages
are distinct, the batch RSA is resistant to signature forgery as long as the underlying RSA
algorithm is secure.
The attacker may not be able to forge signatures but can manipulate authentic packets to produce
invalid signatures. For example, given two packets {m_i, σ_i} and {m_j, σ_j} for i ≠ j, an
attacker can modify them into {m_i, σ_i·λ} and {m_j, σ_j/λ}. The modified packets can still
pass the batch verification, but the signature of each packet is not correct (that is why
the batch RSA verification is called screening in [110]). However, the attacker can do this
only when he gets {m_i, σ_i} and {m_j, σ_j}, which means the messages m_i and m_j have been
correctly signed by the sender. Therefore, this attack is of no harm to the receiver [110].
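The batch verification of (8–1) and (8–2), together with the distinct-message requirement and the screening property just described, as an added Python example written for this edit (it is not code from the dissertation or from [110]); it also follows the BatchVerify() interface of Section 8.3.2. The two Mersenne primes, the exponent e = 65537 and the SHA-256-to-integer hash are assumptions of the example and are far too small for real use; they only make the arithmetic quick to run.

```python
# Added example (not the dissertation's code): toy batch RSA screening,
# equations (8-1)/(8-2).  The primes, e = 65537 and the SHA-256 based
# hash-to-integer are assumptions of this example and far too small for
# real use; they only make the arithmetic quick to run.
import hashlib
from math import prod
from typing import List, Tuple

P = 2**61 - 1  # Mersenne primes, constructed toy parameters
Q = 2**89 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537            # coprime to PHI for these primes
D = pow(E, -1, PHI)  # modular inverse (Python 3.8+)

Packet = Tuple[bytes, int]  # (m_i, sigma_i)


def h(m: bytes) -> int:
    """Collision-resistant hash h() mapped into Z_N."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def sign(m: bytes) -> int:
    """sigma = h(m)^d mod N."""
    return pow(h(m), D, N)


def verify(m: bytes, sigma: int) -> bool:
    """Single-signature check sigma^e = h(m) mod N."""
    return pow(sigma, E, N) == h(m)


def batch_verify(packets: List[Packet]) -> bool:
    """(prod sigma_i)^e = prod h(m_i) (mod N).  Messages must be distinct,
    otherwise batch RSA is open to the forgery discussed in [110]; the
    sequence number in each constructed message guarantees that here."""
    msgs = [m for m, _ in packets]
    if len(set(msgs)) != len(msgs):
        raise ValueError("messages in a batch must be distinct")
    lhs = pow(prod(s for _, s in packets) % N, E, N)
    rhs = prod(h(m) for m in msgs) % N
    return lhs == rhs


def build_packets(n: int) -> List[Packet]:
    """Constructed stream of n signed packets with distinct sequence numbers."""
    msgs = [b"seq=%d|payload" % i for i in range(1, n + 1)]
    return [(m, sign(m)) for m in msgs]


def screening_demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (genuine batch passes, batch with a tampered payload fails,
    lambda-scaled pair still passes the batch check, but the scaled packet's
    individual signature no longer verifies: the reason the check is called
    screening)."""
    pkts = build_packets(5)
    genuine = batch_verify(pkts)
    tampered = pkts[:4] + [(b"seq=5|tampered", pkts[4][1])]  # payload altered, signature kept
    lam = 3
    scaled = list(pkts)
    scaled[0] = (pkts[0][0], pkts[0][1] * lam % N)
    scaled[1] = (pkts[1][0], pkts[1][1] * pow(lam, -1, N) % N)
    return genuine, batch_verify(tampered), batch_verify(scaled), verify(*scaled[0])


if __name__ == "__main__":
    print(screening_demo())
```

The product of the two scaled signatures is unchanged modulo N, which is exactly why the batch equation still holds while each scaled signature on its own fails; a receiver that needs per-packet validity (for example to forward a single packet with its signature to a third party) has to fall back to the individual check for that packet.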
8.4.1.3 Requirements to the sender
In most RSA implementations, the public key e is usually small while the private
key d is large. Therefore, the RSA signature verification is efficient while the signature
generation is expensive. This poses a challenge to the computation capability of the
sender because the sender needs to sign each packet. Choosing a small private key d can
improve the computation efficiency but compromises the security. If the sender does not
have enough resources, a pair {e, d} with comparable sizes can achieve a certain level of
trade-off between computation efficiency and security at the sender side. If the sender is
a powerful server, then signing each packet can be affordable. Next, we
propose two efficient batch signature schemes based on BLS [111] and DSA [112], which
can reduce the computation complexity at the sender.
8.4.2 Batch BLS Signature
Here we propose a batch signature scheme based on the BLS signature in [111].
8.4.2.1 BLS
The BLS signature scheme uses a cryptographic primitive called pairing, which can be defined as a map over two cyclic groups G_1 and G_2, e : G_1 × G_1 → G_2, satisfying the following properties:
1. Bilinear: for all u, v ∈ G_1 and a, b ∈ Z, we have e(u^a, v^b) = e(u, v)^{ab};
2. Non-degenerate: for the generator g_1 of G_1, i.e., g_1^p = 1 ∈ G_1 where p is the order of G_1, we have e(g_1, g_1) ≠ 1 ∈ G_2.
The BLS signature scheme consists of three phases:
1. In the key generation phase, the sender chooses a random integer x ∈ Z_p and computes y = g_1^x ∈ G_1. The private key is x and the public key is y;
2. In the signing phase, given a message m ∈ {0, 1}^*, the sender first computes h = H(m) ∈ G_1, where H() is a hash function onto G_1, and then computes σ = h^x ∈ G_1. The signature of m is σ;
3. In the verification phase, the receiver first computes h = H(m) ∈ G_1 and then checks whether e(h, y) = e(σ, g_1).
If the verification succeeds, then the message m is authenticated because

$$e(h, y) = e(h, g_1^{x}) = e(h^{x}, g_1) = e(\sigma, g_1) . \qquad (8\text{--}3)$$
One merit of the BLS signature is that it is very short. It has been shown in [111] that an n-bit BLS signature provides a security level equivalent to solving a discrete log problem (DLP) [113] over a finite field of size approximately 2^{6n}. Therefore, a 171-bit BLS signature provides the same level of security as a 1024-bit DLP-based signature scheme such as DSA. This is a very attractive choice in scenarios where communication overhead is an important issue.
8.4.2.2 Batch BLS
Based on BLS, we propose our batch BLS scheme here. Given n packets {m_i, σ_i}, i = 1, ..., n, the receiver verifies the batch of BLS signatures by first computing h_i = H(m_i), i = 1, ..., n, and then checking whether e(∏_{i=1}^{n} h_i, y) = e(∏_{i=1}^{n} σ_i, g_1). This is because if all the messages are authentic, then

$$e\Bigl(\prod_{i=1}^{n} h_i,\, y\Bigr) = \prod_{i=1}^{n} e(h_i, g_1^{x}) = \prod_{i=1}^{n} e(h_i^{x}, g_1) = e\Bigl(\prod_{i=1}^{n} \sigma_i,\, g_1\Bigr) . \qquad (8\text{--}4)$$
We can prove that our batch BLS is secure against signature forgery as long as BLS is secure against signature forgery.

Theorem 1 Suppose an attacker A can break the batch BLS by forging signatures. Then another attacker B can break BLS under the chosen message attack by colluding with A.

Proof. Suppose B is given n − 1 messages and their valid signatures {m_i, σ_i}, i = 1, ..., n − 1. B can forge a signature σ_n for any chosen message m_n, such that {m_n, σ_n} satisfies the BLS verification, by colluding with A in the following steps:
1. B sends the n messages m_i, i = 1, ..., n, and the n − 1 signatures σ_i, i = 1, ..., n − 1, to A;
2. Because A can break the batch BLS scheme, A generates n false signatures σ_i′, i = 1, ..., n, that pass the batch BLS verification, and returns to B the value V = ∏_{i=1}^{n} σ_i′;
3. B computes σ_n = V / ∏_{i=1}^{n−1} σ_i as the signature for m_n. This is a valid BLS signature because, using in the last step that σ_1, ..., σ_{n−1} are valid and hence e(∏_{i=1}^{n−1} h_i, y) = e(∏_{i=1}^{n−1} σ_i, g_1),

$$\begin{aligned}
e\Bigl(\prod_{i=1}^{n} h_i,\, y\Bigr) = e(V, g_1)
&\Rightarrow e\Bigl(\prod_{i=1}^{n} h_i,\, y\Bigr) = e\Bigl(\prod_{i=1}^{n-1} \sigma_i \cdot \sigma_n,\, g_1\Bigr) \\
&\Rightarrow e\Bigl(\prod_{i=1}^{n-1} h_i,\, y\Bigr)\, e(h_n, y) = e\Bigl(\prod_{i=1}^{n-1} \sigma_i,\, g_1\Bigr)\, e(\sigma_n, g_1) \\
&\Rightarrow e(h_n, y) = e(\sigma_n, g_1) .
\end{aligned} \qquad (8\text{--}5)$$

□
Since BLS is forgery-secure under the chosen message attack [111], our batch BLS
scheme is also secure to forgery under the chosen message attack.
Also, as in batch RSA, the attacker may not be able to forge signatures but may manipulate authentic packets to produce invalid signatures. For example, two packets {m_i, σ_i} and {m_j, σ_j} with i ≠ j can be replaced with {m_i, σ_i λ} and {m_j, σ_j / λ} for any λ ∈ G_1 and still pass the batch verification. However, this does not affect the correctness and authenticity of m_i and m_j, because they have been correctly signed by the sender.
8.4.2.3 Requirements to the sender
In our batch BLS, the sender needs to sign each packet. Because BLS signature
can provide a security level equivalent to conventional RSA and DSA with much shorter
signature [111], the signing operation is more efficient than RSA signature generation.
Moreover, BLS can be implemented over elliptic curves [71, 72], which have been shown in
the literature to be more efficient than finite integer fields on which RSA is implemented.
Therefore, we can expect that our batch BLS is more affordable by the sender than batch
RSA and also achieve computation efficiency at the receiver.
8.4.3 Batch DSA Signature
DSA [112] is another popular digital signature algorithm. Unlike RSA, whose security rests on the hardness of factoring a product of two large primes, DSA is deemed secure based on the difficulty of solving the DLP [113]. A batch DSA signature scheme was proposed in [114] but later found insecure [115]. Harn improved the security of [114] in [116, 117]. Unfortunately, Boyd and Pavlovski pointed out in [118] that Harn's work is still vulnerable to malicious attacks. Here we propose a batch DSA scheme based on Harn's work that counteracts the attack described in [118].
8.4.3.1 Harn DSA
In Harn DSA [117], the system parameters are defined as:
1. p, a prime longer than 512 bits;
2. q, a 160-bit prime divisor of p − 1;
3. g, an element of Z_p^* of order q, i.e., g^q = 1 mod p;
4. x, the private key of the signer, 0 < x < q;
5. y, the public key of the signer, y = g^x mod p;
6. H(), a hash function with output in Z_q^*.
Given a message m, the signer generates a signature as follows:
1. randomly selects an integer k with 0 < k < q;
2. computes h = H(m);
3. computes r = g^k mod p (unlike standard DSA, r is not reduced modulo q: the batch check below multiplies r values together, and that multiplicative relation only holds in Z_p^*; k is rejected if r ≡ 0 mod q, because r^{-1} below denotes the inverse of r modulo q);
4. computes s = r k − h x mod q.
The signature for m is (r, s).
The receiver verifies the signature by first computing h = H(m) and then checking whether g^{s r^{-1}} y^{h r^{-1}} mod p = r. This is because if the packet is authentic, then

$$g^{s r^{-1}}\, y^{h r^{-1}} \bmod p = g^{(s + h x)\, r^{-1}} \bmod p = g^{k} \bmod p = r . \qquad (8\text{--}6)$$
8.4.3.2 Harn batch DSA
Given n packets {m_i, (r_i, s_i)}, i = 1, ..., n, the receiver verifies the batch of signatures by first computing h_i = H(m_i) and then checking whether

$$g^{\sum_{i=1}^{n} s_i r_i^{-1}}\, y^{\sum_{i=1}^{n} h_i r_i^{-1}} \bmod p = \prod_{i=1}^{n} r_i \bmod p . \qquad (8\text{--}7)$$

This is because if the batch of packets is authentic, then

$$g^{\sum_{i=1}^{n} s_i r_i^{-1}}\, y^{\sum_{i=1}^{n} h_i r_i^{-1}} \bmod p = g^{\sum_{i=1}^{n} (s_i + h_i x)\, r_i^{-1}} \bmod p = g^{\sum_{i=1}^{n} k_i} \bmod p = \prod_{i=1}^{n} r_i \bmod p . \qquad (8\text{--}8)$$
8.4.3.3 The Boyd-Pavlovski attack
Boyd and Pavlovski [118] pointed out an attack against the Harn batch DSA scheme [117] in which an attacker can forge signatures for any chosen set of messages that has not been signed by the sender. The process is:
1. choose B and C, and calculate A = g^B y^C mod p;
2. for any message set m_i, i = 1, ..., n, randomly choose r_i, i = 1, ..., n − 2;
3. compute r_{n−1} and r_n to ensure that

$$\prod_{i=1}^{n} r_i = A \bmod p \qquad (8\text{--}9)$$

$$\sum_{i=1}^{n} h_i r_i^{-1} = C \bmod q \qquad (8\text{--}10)$$

4. randomly choose s_i, i = 1, ..., n − 1, and compute s_n to ensure that

$$\sum_{i=1}^{n} s_i r_i^{-1} = B \bmod q . \qquad (8\text{--}11)$$

The probability that the forged {m_i, r_i, s_i}, i = 1, ..., n, satisfy the batch verification is 1/2 [118].
8.4.3.4 Our batch DSA
In order to counteract the Boyd-Pavlovski attack, our batch DSA makes an improvement to the Harn DSA algorithm: we replace the hash operation H(m) in the signature generation and verification process with H(r, m). All the other steps are the same as those in Harn's scheme.
Though simple, this change significantly increases the security of batch DSA. In the Boyd-Pavlovski attack, the attacker can compute the r_i values from Eq. (8–9) and Eq. (8–10) because A, C and the h_i values are all known before the r_i are chosen. Once r_i enters the hash, each h_i in Eq. (8–10) depends on the very r_i the attacker is trying to solve for, so the attacker cannot compute the r_i values and the forgery attack discussed in [118] is defeated.
As in batch RSA and our batch BLS, the attacker may manipulate authentic packets {m_i, (r_i, s_i)} to produce invalid signatures {m_i, (r_i′, s_i′)} that still pass the batch verification. The attacker keeps r_i′ = r_i, randomly chooses s_i′ for i = 1, ..., n − 1, and solves for s_n′ satisfying

$$\sum_{i=1}^{n} s_i' r_i^{-1} \bmod q = \sum_{i=1}^{n} s_i r_i^{-1} \bmod q . \qquad (8\text{--}12)$$

However, this attack does not affect the correctness and authenticity of the messages, because they have genuinely been signed by the sender [118]. Therefore the receiver can still accept them, since the batch verification succeeds.
8.4.3.5 Requirements to the sender
In batch RSA and our batch BLS, the sender computes one modular exponentiation to sign each packet. In batch DSA, the sender computes one modular exponentiation to get r and two modular multiplications to get s. However, r is independent of the message m, so the sender can generate many r values off-line. When the sender starts a multicast session, it uses the reserved r values to compute the s values, and only two modular multiplications are needed to sign a packet. The precomputed k values must be protected as carefully as x and each used only once, as in any DSA-type scheme. Therefore our batch DSA is much more efficient than batch RSA and our batch BLS at the sender, while also achieving computation efficiency at the receiver.
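As an added example (not part of the original dissertation), the following Python script implements Harn-style signing with the H(r, m) binding of Section 8.4.3.4, the single-signature check of Eq. (8–6), the batch check of Eq. (8–7), and the s-value manipulation of Eq. (8–12). The group parameters are generated at toy size (a 48-bit q instead of 160 bits); the parameter generator, the SHA-256-based hash and the sample packets are assumptions made for the illustration.

```python
import hashlib
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases: deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for a in SMALL_PRIMES:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params(qbits: int = 48, seed: int = 7):
    """Toy DSA group (assumption: far smaller than the 512/160-bit sizes in the text):
    prime q, prime p = kq + 1, and g of order q in Z_p^*."""
    rng = random.Random(seed)
    q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
    while not is_prime(q):
        q += 2
    k = 2
    while not is_prime(k * q + 1):
        k += 1
    p = k * q + 1
    base = 2
    while pow(base, (p - 1) // q, p) == 1:
        base += 1
    return p, q, pow(base, (p - 1) // q, p)


P, Q, G = make_params()


def H(r: int, m: bytes) -> int:
    """Hash of (r, m) with output in Z_q^*: the r-binding fix of Section 8.4.3.4."""
    digest = hashlib.sha256(r.to_bytes(16, "big") + m).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def sign(m: bytes, x: int, rng: random.Random):
    """Harn-style signature (r, s): r = g^k mod p (not reduced mod q), s = r*k - h*x mod q.
    r could be precomputed off-line; only the two multiplications for s are per-packet."""
    while True:
        k = rng.randrange(1, Q)
        r = pow(G, k, P)
        if r % Q:  # r^{-1} below is an inverse modulo q, so r mod q must be nonzero
            return r, (r * k - H(r, m) * x) % Q


def verify(m: bytes, r: int, s: int, y: int) -> bool:
    """Single-signature check, Eq. (8-6): g^{s/r} y^{h/r} mod p == r."""
    rinv = pow(r % Q, -1, Q)
    return pow(G, s * rinv % Q, P) * pow(y, H(r, m) * rinv % Q, P) % P == r


def batch_verify(packets, y: int) -> bool:
    """Batch check, Eq. (8-7): two exponentiations for any number of packets."""
    s_sum = t_sum = 0
    r_prod = 1
    for m, (r, s) in packets:
        rinv = pow(r % Q, -1, Q)
        s_sum = (s_sum + s * rinv) % Q
        t_sum = (t_sum + H(r, m) * rinv) % Q
        r_prod = r_prod * r % P
    return pow(G, s_sum, P) * pow(y, t_sum, P) % P == r_prod


def smear_s(packets, rng: random.Random):
    """The manipulation of Eq. (8-12): keep every r_i, randomise s_1..s_{n-1} and solve
    s_n so that sum s_i' r_i^{-1} is unchanged; the batch passes but every s_i' is wrong."""
    rinv = [pow(r % Q, -1, Q) for _, (r, _) in packets]
    total = sum(s * ri for (_, (_, s)), ri in zip(packets, rinv)) % Q
    out = [(m, (r, rng.randrange(1, Q))) for m, (r, _) in packets[:-1]]
    partial = sum(s * ri for (_, (_, s)), ri in zip(out, rinv)) % Q
    m_n, (r_n, _) = packets[-1]
    out.append((m_n, (r_n, (total - partial) * (r_n % Q) % Q)))
    return out


def demo():
    """Returns (all_single_ok, batch_ok, batch_ok_after_smear, all_single_ok_after_smear)."""
    rng = random.Random(42)
    x = rng.randrange(1, Q)
    y = pow(G, x, P)
    msgs = [f"seq={i} payload".encode() for i in range(6)]  # constructed sample stream
    packets = [(m, sign(m, x, rng)) for m in msgs]
    smeared = smear_s(packets, rng)
    return (
        all(verify(m, r, s, y) for m, (r, s) in packets),
        batch_verify(packets, y),
        batch_verify(smeared, y),
        all(verify(m, r, s, y) for m, (r, s) in smeared),
    )


if __name__ == "__main__":
    print(demo())
```

Because H takes r as input, the receiver must hash each packet only after it has the packet's own r, which is exactly what denies the Boyd-Pavlovski forger the freedom to pick the r_i values after fixing the h_i values.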
8.5 Performance Evaluation
In this section, we compare the performance of MABS with some well-known schemes
EMSS [92], augmented chain (AugChain) [96], PiggyBack [94], tree chain (Tree) [101]
and SAIDA [103]. These schemes are representatives of hash chain, tree chain and coding
schemes and are widely used in performance evaluation in the literature.
8.5.1 Resilience to Packet Loss
We use simulation to evaluate the resilience to packet loss. The metric here is the
verification rate, i.e., the ratio of the number of authenticated packets to the number of
received packets.
For EMSS [92], we choose the chain configuration of 5-11-17-24-36-39, which has
the best performance among all the configurations of length 6 as is shown in [92]. For
AugChain [96], we choose C3,7 chain configuration. For PiggyBack [94], we choose two
class priorities. For Tree chain [101], we choose binary tree. For SAIDA [103], we choose
the erasure code (256, 128). For all these schemes, we choose the block size of 256 packets
and simulate over 100 blocks. We consider the random loss and the burst loss with a
maximum loss length of 10 packets. The verification rates under different loss rates are
given in Fig. 8-1 and Fig. 8-2.
We can see that the verification rates of EMSS [92], AugChain [96] and PiggyBack [94] drop quickly as the loss rate increases. The reason is that hash chains introduce correlation among packets, and this correlation is vulnerable to packet loss. SAIDA [103] is resilient to packet loss up to a certain threshold, because of the threshold behaviour of erasure codes. Our MABS and the Tree scheme [101] have perfect resilience to packet loss in the sense that all received packets can be authenticated, because all packets in MABS and Tree are independent of each other. As we will show later, however, Tree achieves this independence by incurring large overhead and authentication latency at the sender and the receiver, while MABS does not have these drawbacks.
Figure 8-1. Verification rate under the random loss model (x-axis: loss rate, 0 to 1; y-axis: verification rate, 0 to 1; curves: MABS, Tree, EMSS, AugChain, PiggyBack, SAIDA).
8.5.2 Authentication Latency
The block-based hash chains and codes used in conventional schemes incur authentication latency at the sender and/or the receivers. The sender can compute a signature for a block only after it has built the hash chains or codes for the block, and each receiver can authenticate the packets in the block only after it has verified the block signature. A larger block size achieves higher computation efficiency but incurs longer latency. This latency can compromise the real-time requirements of many time-critical applications such as live video or stock quote broadcasts.
Figure 8-2. Verification rate under the burst loss model with maximum burst length 10 (x-axis: loss rate, 0 to 1; y-axis: verification rate, 0 to 1; curves: MABS, Tree, EMSS, AugChain, PiggyBack, SAIDA).
We show the latency in different schemes in Table 8-1. In particular, we consider how
many packets need to be buffered for one packet to be signed or verified at the sender or
each receiver. We can see that existing schemes all require that the sender and/or each
receiver buffer up to one block of packets. Our MABS does not have latency at the sender
and the receiver. The sender can send out one packet right after signing it, and each
receiver can verify all the packets he has received whenever the higher layer application
requires, because there is no relationship among packets and no limit on the number of packets in each batch verification. This can greatly improve the QoS of multicast streams.

Table 8-1. Authentication latency of different schemes (number of packets buffered before one packet can be signed at the sender or verified at a receiver).
Schemes          Sender   Receiver
EMSS [92]        1        n
AugChain [96]    p        n
PiggyBack [94]   n        1
Tree [101]       n        1
SAIDA [103]      n        m
MABS             1        1
8.5.3 Computational Overhead
Here we compare the computational overhead of MABS with those of the other schemes. The result is depicted in Table 8-2. All the conventional schemes require one signature operation (either signing or verification) and at least n hashing operations on a block of n packets. SAIDA [103] additionally requires a coding operation. MABS achieves the same level of computational efficiency at the receiver as the conventional schemes while increasing the computational overhead at the sender. This is affordable because the sender is usually much more powerful than the receivers. Moreover, our batch BLS and batch DSA are more efficient than batch RSA, so the sender has more options to choose from according to its capability.
We compare the computational overhead of the three batch signature schemes in Table 8-3. RSA and BLS require one modular exponentiation at the sender, and DSA requires two modular multiplications when the r value is computed off-line. Usually one c-bit modular exponentiation costs about 1.5c modular multiplications over the same field [110, 118]. Moreover, a c-bit modular exponentiation in a DLP-based scheme is equivalent to a (c/6)-bit modular exponentiation in BLS at the same security level. Therefore, we can estimate that the computational overhead of one 1024-bit RSA signing operation (about 1536 modular multiplications) is roughly equivalent to that of 768 DSA signing operations (two modular multiplications each) and to that of 6 BLS signing operations (each corresponding to about 255 modular multiplications).
Table 8-2. Computation overhead of different schemes for one block (S: signing, V: verification, H: hash, EC/ED: erasure-code encoding/decoding).
Schemes          Sender               Receiver
EMSS [92]        1S + nH              1V + nH
AugChain [96]    1S + nH              1V + nH
PiggyBack [94]   1S + nH              1V + nH
Tree [101]       1S + (2n − 1)H       1V + n log n H
SAIDA [103]      1S + nH + 1EC        1V + nH + 1ED
MABS             nS                   1V

Table 8-3. Computational overhead of different batch schemes (E: modular exponentiation, M: modular multiplication, P: pairing).
Schemes          Sender (per packet)   Receiver (per n packets)
Batch RSA        1 E                   1 E + (2n − 2) M
Batch BLS        1 E                   2 P + (2n − 2) M
Batch DSA        2 M                   2 E + 3n M
According to a report [123] on the computational overhead of signature schemes on a PIII 1 GHz CPU, the signing and verification times are 7.9 ms and 0.4 ms for 1024-bit RSA with a 1007-bit private key, 2.75 ms and 81 ms for 157-bit BLS, and 4.09 ms and 4.87 ms for 1024-bit DSA with a 160-bit private key (without precomputing the r value). We can observe that for BLS and DSA signing is efficient but verification is expensive, and vice versa for RSA. Therefore batching saves more computational resources at the receiver with our batch BLS and batch DSA than with batch RSA, which makes them the more meaningful choices when receiver resources are the constraint.
8.5.4 Communication Overhead
Here we compare the communication overhead of MABS with those of conventional
schemes. Here the communication overhead is computed over one block of n packets. The
result is depicted in Table 8-4. Conventional schemes attach a large number of hashes
plus one signature to each block. MABS requires one signature for each packet, but this
overhead is comparable with conventional schemes considering those hashes.
We also compare the lengths of two popular hash algorithms, MD5 [124] and SHA-1 [125], and the signature lengths of the three signature algorithms in Table 8-5. At the same security level as 1024-bit RSA, BLS generates a 171-bit signature and DSA a 320-bit signature. It is clear that by using BLS or DSA, MABS can achieve more bandwidth efficiency than by using RSA, and could be even more efficient than conventional schemes that attach a large number of hashes.

Table 8-4. Communication overhead of different schemes for one block of n packets.
Schemes          Overhead per block
EMSS [92]        1S + dnH (d ≥ 6)
AugChain [96]    1S + 2nH
PiggyBack [94]   1S + (2n − Σ_{i=1}^{r} k_i)H
Tree [101]       nS + n log n H
SAIDA [103]      1S + (n²/m)H
MABS             nS

Table 8-5. Length of hash values and signatures.
Schemes   Length (bits)
MD5       128
SHA-1     160
RSA       1024
BLS       171
DSA       320
8.6 Counteracting DoS
Though a batch signature can authenticate many packets at once, the verification fails if the batch contains false packets forged by an attacker. The attacker may exploit this to launch a DoS attack by continuously injecting forged packets that disrupt the batch verification. A naive defence is to use a smaller batch size, but this incurs more computation overhead. In the worst case, the attacker injects forged packets at a very high rate and forces the receiver to abandon batching and fall back to conventional per-packet signature verification.
In order to deal with the DoS attack, we need a method to filter out forged packets. One option is the one-way accumulator (OWA) [107, 126–130]. An OWA can be used for membership checking. It consists of four algorithms:
a = Accumulate(S),
w = Witness(s, S),
a = Recover(s, w),
v = Verify(s, w, a),
where S is a set of elements and s ∈ S, a is the accumulator of S and represents S, and w is the witness of the element s, which can be combined with s to recover the accumulator a. Given w, we can verify whether s is in the set S represented by a; the result v is a boolean value in {True, False}.
To support efficient multicast authentication, the OWA should have the following properties:
1. All the algorithms of the OWA are computationally efficient;
2. Given an accumulator a and the set S represented by a, the probability that an attacker forges an element s′ not in S and a witness w′ such that Verify(s′, w′, a) = True is very low.
When the sender has a set of packets for multicast, he generates an OWA for the set
and attaches a witness to each packet. The attacker may inject large volume of forged
packets that are not in any set from the sender. Therefore, the multicast stream may
consist of many sets, some from the sender and others from the attacker. The receiver
divides received packets into several sets by performing the OWA Recover algorithm.
Particularly, if Recover(pi, wi) = Recover(pj, wj) for packets (pi, pj) and their witnesses
(wi, wj), then packets pi and pj belong to the same set. The properties of OWA can ensure
that authentic packets and forged packets fall into different sets. Therefore, the receiver
can perform the batch verification over each set. If the verification over one set succeeds,
the set of packets is authentic, and not otherwise. In this way, the receiver can drop a set of packets when the batch verification over the set fails, and does not need to separate the set into smaller subsets and batch-verify each subset. Therefore the DoS attack due to forged packets can be efficiently defeated.
Here we do not use the accumulator a to verify whether a packet comes from the sender. The reasons are: (1) if we wanted to use a to authenticate a packet, then the sender would have to generate a signature for a and transmit that signature; like the conventional schemes [90–92, 94, 96, 102], this is vulnerable to packet loss, because if the signature for a is lost, the set of packets cannot be authenticated; (2) we use the batch verification to authenticate packets, and that method is perfectly resilient to packet loss. Therefore we do not need a here; we only use the Recover algorithm to check whether two packets belong to the same set.
An efficient method to construct OWAs is the Merkle hash tree [47]. Here we take a binary tree as an example (Fig. 8-3). The sender constructs a binary tree over 8 packets. Each leaf H_i = H(P_i) is the hash of one packet, each internal node is the hash of its left and right children, and the root is the accumulator of these packets. The witness of one packet is the set of siblings of the nodes along the path from the packet to the root. For example, the witness of packet P_3 is {H_4, H_{1,2}, H_{5,8}}, and the accumulator is recovered as H_{1,8} = H(H(H_{1,2}, H(H(P_3), H_4)), H_{5,8}).
Constructing a Merkle tree is very efficient because only hash operations are performed. Meanwhile, the one-way property of the hash function ensures that, given the root of a Merkle tree, it is infeasible to find a packet that is not in the set associated with the tree but from which there is a path to the root.
When the sender has a set of packets for broadcast, it generates a Merkle tree for
the set and attaches a witness to each packet. The root can be recovered based on each
packet and its mark. Each receiver can find whether two packets belong to the same set
by checking whether they lead to the same root value. Therefore, the recovered roots
help classify received packets into disjoint sets. Once a set is authentic, the corresponding root can be used to authenticate the rest of the packets under the same Merkle tree without batch-verifying them, which saves computation overhead at each receiver.

Figure 8-3. An example of Merkle tree over packets P1, ..., P8: leaves H1, ..., H8 with H_i = H(P_i); internal nodes H1,2, H3,4, H5,6, H7,8, then H1,4, H5,8; root H1,8.
Fig. 8-4 illustrates the details of MABS including the DoS countermeasure. At
the sender part, the sender generates a multicast stream. For each message mi, the
sender computes a signature σi according to some signature algorithm. Then the sender
constructs OWAs on {mi, σi} and computes a witness wi based on OWA algorithms.
Therefore each packet is pi = {mi, σi, wi}. These packets are sent over a lossy and hostile
channel to many receivers through multicast routing. At the receiver part, the receiver
gets a stream of packets including both authentic and potentially forged ones. At first,
the receiver uses the OWA Recover algorithm to classify received packets into disjoint
sets. Each set consists of packets pi = {mi, σi} where wi is no longer needed. Because the
properties of OWA can ensure that authentic packets and forged packets fall into different
sets, the receiver can perform the BatchV erify algorithm over each set. If the verification
over one set succeeds, the set of packets is authentic. Otherwise, the set of packets is
forged and can be dropped without further verification on each packet.
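As an added example (not the dissertation's code), the following Python script builds the Merkle-tree OWA of Fig. 8-3, attaches a witness to each packet, and runs the Recover-based classification of Fig. 8-4 on a constructed stream in which an attacker's forged packets (carrying witnesses from a tree of his own) are mixed with authentic ones. The domain-separated SHA-256 hashing, the padding rule for sets whose size is not a power of two, and the sample packets are assumptions made for the illustration; the signature inside each packet is left as an opaque placeholder, since classification never touches it.

```python
import hashlib
from collections import defaultdict


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so leaf and inner hashes cannot be confused."""
    hasher = hashlib.sha256()
    for part in parts:
        hasher.update(len(part).to_bytes(4, "big") + part)
    return hasher.digest()


def leaf(packet: bytes) -> bytes:
    return H(b"leaf", packet)


def build_levels(packets):
    """Merkle tree over the packets (assumption: the leaf count is padded to a power of
    two with a fixed dummy leaf). Returns the levels from leaves up to the root."""
    level = [leaf(p) for p in packets]
    while len(level) & (len(level) - 1):
        level.append(H(b"pad"))
    levels = [level]
    while len(level) > 1:
        level = [H(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def witness(levels, index: int):
    """Witness(s, S): siblings along the path from leaf `index` to the root, with their side."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((sib & 1, level[sib]))  # 1 means the sibling sits on the right
        index //= 2
    return path


def recover(packet: bytes, path) -> bytes:
    """Recover(s, w): rebuild the root (accumulator) from one packet and its witness."""
    node = leaf(packet)
    for sibling_is_right, sib in path:
        node = H(b"node", node, sib) if sibling_is_right else H(b"node", sib, node)
    return node


def send(packets):
    """Sender side: attach a witness to each packet of one set; returns [(packet, witness)]."""
    levels = build_levels(packets)
    return [(p, witness(levels, i)) for i, p in enumerate(packets)]


def classify(received):
    """Receiver side: group packets by recovered root; each group is one batch to verify."""
    groups = defaultdict(list)
    for packet, path in received:
        groups[recover(packet, path)].append(packet)
    return groups


# Constructed sample: 8 authentic packets (payload || signature placeholder) and
# 3 forged packets that the attacker accumulated in a Merkle tree of his own.
AUTHENTIC = [f"seq={i}|sig_{i}".encode() for i in range(1, 9)]
FORGED = [f"seq={i}|forged".encode() for i in (2, 5, 9)]


def demo():
    root = build_levels(AUTHENTIC)[-1][0]
    stream = send(AUTHENTIC) + send(FORGED)
    stream.reverse()  # arbitrary arrival order
    groups = classify(stream)
    # A forged payload reusing an authentic witness recovers a different root,
    # so it cannot be spliced into the authentic set.
    stolen = send(AUTHENTIC)[2][1]
    return {
        "sets": len(groups),
        "authentic_set": sorted(groups[root]) == sorted(AUTHENTIC),
        "witness_len": len(stolen),
        "spliced_into_authentic": recover(b"seq=3|forged", stolen) == root,
    }


if __name__ == "__main__":
    print(demo())
```

Each witness carries log2(8) = 3 hashes, which is the per-packet overhead the n log n term in Section 8.6 accounts for; the receiver does one batch verification per recovered root and drops the whole group when it fails.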
The traditional block-based approach is vulnerable to DoS. Because there is no filtering, each receiver has to recover the relationship among authentic packets mixed with forged packets, which is very time- and computation-intensive. In the extreme case, a deadlock can form at the receiver when the receiving buffer is exhausted by a mixture of forged packets and authentic packets without block signatures: those authentic packets are waiting for signatures, but the signatures cannot be received because the receiving buffer is exhausted by forged packets.

Figure 8-4. MABS architecture including the DoS countermeasure (sender: signing of each message M_i into packet P_i; receiver: classification of received packets into sets C1, C2, C3, ..., then batch verification of each set).
In our design, authentic packets and forged packets are separated into disjoint sets.
The batch verification is carried out over each set. Therefore, each batch verification can
authenticate a set of packets and no more is needed. The deadlock experienced by the
block-based protocols can also be eliminated.
If an attacker wants to inject some forged packets into the batch consisting of
authentic packets, he must break the one-way property of Merkle tree. However, this
attempt fails because given the root of a Merkle tree it is infeasible to find out a packet
from which there is a path to the root due to the one-way property of hash functions.
Therefore, by using Merkle tree, our design can efficiently defeat DoS attacks.
Table 8-6. Comparison between the block-based approach and the batch-based approach.
Schemes           DoS resilience   Computational overhead   Communication overhead
Hash chains       Poor             O(1S + nH)               O(1S + αnH), α > 1
(m,n)-Coding      Poor             O(1S + nH + 1C)          O(1S + (n²/m)H)
Batch signature   Strong           O(1S + n log n H)        O(nS + n log n H)
However, the increased DoS resilience comes with more overhead, as shown in Table 8-6. For the computational overhead, both the block-based protocols and our design require one signature verification operation on a block or batch of n packets. In addition, the protocols using hash chains require n hashes, and the ones using coding require n hashes and one coding operation. Our design requires n log n hashes, which is more expensive than hash chains and less expensive than coding. However, the overall computation overhead of all these protocols at each receiver is at the same level, since a hash operation is much cheaper (on the order of µs) than a signature operation (on the order of ms).
For the communication overhead over n packets, conventional protocols require one signature and O(n) hashes, while our design requires n signatures and O(n log n) hashes. The increased overhead is the price of increased security. However, when BLS is used [111], the signature length is 171 bits, while the most widely used hash algorithm, SHA-1, produces a 160-bit hash value. Therefore our protocol can also achieve the same level of communication efficiency as conventional protocols.
8.7 Conclusion
In this chapter, we proposed a new multicast authentication scheme called MABS based on batch signatures, which supports one signature verification over multiple packets at the receiver. Three batch signature implementations were presented; in particular, we proposed our batch BLS and batch DSA, which are more efficient than batch RSA. Unlike the conventional block-based multicast authentication schemes, MABS perfectly tolerates packet loss and completely eliminates the authentication latency at the sender and receivers. Combined with packet filtering, MABS can also defeat DoS effectively.
CHAPTER 9
SECURITY OF IEEE 802.16 IN MESH MODE
9.1 Introduction
The IEEE 802.16 standard [132], which is the basis of WiMAX (worldwide interoperability for microwave access) [133], is seen as a promising technology for next-generation broadband wireless access. Compared with the IEEE 802.11 standard [134], it operates over a larger frequency band up to 66 GHz, covers longer distances up to 50 km, and supports QoS services. Therefore 802.16 is an ideal choice for broadband wireless access systems such as WLANs (wireless local area networks) or WMANs (wireless metropolitan area networks).
IEEE 802.16 defines two modes. In the PMP (point-to-multipoint) mode, SSs
(subscriber stations, such as laptops) can reach the BS (base station) in one hop.
Otherwise, SSs shall operate in the Mesh mode such that those SSs form a multihop
network, which is called mesh network [135], to the BS.
Compared with the PMP topology, the mesh topology extends BS coverage, and its flexibility of installation and configuration makes it a promising architecture for future WLANs and WMANs. In Fig. 9-1, for example, multiple laptops form a WLAN with a mesh topology, multiple wireless routers form a WMAN with a mesh topology, and the mesh WMAN bridges the gap between the WLANs and the Internet.
Among all the topics in wireless networks, security is drawing intense attention
recently. When IEEE 802.11 is getting more and more popular in the deployment of
WLANs, many vulnerabilities have been found in the literature [136–140]. This becomes
a major obstacle to many security-critical wireless applications such as online shopping or
secure communications.
The lessons from IEEE 802.11 make people more cautious and lead to the incorporation
of security design into IEEE 802.16. Based on DOCSIS (data over cable service interface specifications) [141], which was designed to solve the last-mile problem for cable systems, IEEE 802.16 defines a PKM (privacy and key management) protocol. It provides subscribers with privacy, authentication and confidentiality across the fixed broadband wireless network by applying cryptographic transforms to the MPDUs carried across connections between SS and BS.

Figure 9-1. Mesh networks: WLANs of laptops and a WMAN of wireless routers, with the WMAN connecting to the Internet through the base station.
However, IEEE 802.16 security still needs to be examined before its deployment. Since mesh networks are attracting more and more interest and IEEE 802.16 is seen as one of the promising techniques for building mesh networks, we believe it is necessary to analyze the security of IEEE 802.16 in mesh networks. So far, however, only a few works have surveyed the potential vulnerabilities of IEEE 802.16, and those only in PMP mode [142–144].
In this chapter, we analyze the security of IEEE 802.16 in mesh mode [145], point out several potential threats and propose some possible solutions. We find that although IEEE 802.16 provides some security measures for conventional one-hop networks, it is very vulnerable to malicious attacks in multihop environments. We also propose some security improvements.
9.2 Security Architecture of IEEE 802.16 in Mesh Mode
IEEE 802.16 MAC (medium access control) defines the PKM protocol as a sublayer providing authentication, key management and data traffic privacy services.
IEEE 802.16 MAC is connection-oriented. Each SS establishes a connection to associate with a service flow. In PKM, an SA (security association) is shared between SS and BS for each connection to maintain its security state, such as the cryptographic suite, TEKs (traffic encryption keys) and IVs (initialization vectors); it is managed by a TSM (TEK state machine). An ASM (authorization state machine) is maintained by each SS for authorization when entering the network and for the initialization of TSMs.
A new SS joins a mesh network by the following process:
1. The SS searches for MSH-NCFG:Network Descriptor messages to synchronize with the network and build a list of available BSs and a list of neighboring SSs.
2. The new SS selects from its neighbors a potential Sponsor node. Meanwhile the new SS becomes a Candidate node.
3. The Candidate node (the new SS) shall be authorized by an Authorization node (a BS or a backend server) through the PKM protocol. The Sponsor node tunnels the PKM-REQ messages from the Candidate node to the Authorization node over UDP. Upon receiving tunneled PKM-RSP messages from the Authorization node, the Sponsor node forwards them to the Candidate node.
4. The Candidate node shall register itself at a Registration node (a BS or a backend server) to get a Node ID. The Sponsor node again tunnels the REG-REQ message from the Candidate node to the Registration node. Upon receiving the tunneled REG-RSP from the Registration node, the Sponsor node forwards it back to the Candidate node.
5. After authorization the Candidate node becomes a regular node in the mesh network. It then builds connectivity at higher layers.
6. After entering the network, the new SS can establish links with nodes other than its Sponsor node by following a challenge-response process based on MSH-NCFG:Ne
ighbor Link Establishment messages.
Upon entering the network, the new SS starts for each neighbor a separate TSM for
each SA authorized by BS. Then the TSM takes charge of the SA maintenance, and the
ASM maintains the reauthorization of the SS.
9.3 Security Threats to IEEE 802.16 in Mesh Mode
In this section, we present the following potential threats to the IEEE 802.16 standard in
mesh mode.
9.3.1 Topological Attacks
In the mesh network, every SS broadcasts MSH-NCFG:Network Descriptor messages
regularly. Each MSH-NCFG:Network Descriptor carries some physical layer information
for the new SS to acquire coarse synchronization. In addition, each MSH-NCFG:Network
Descriptor provides a list of available BSs and a list of neighboring SSs of the sender.
Those lists include information such as Node ID of BS or neighbors and the corresponding
hop-count. To join the network on initialization or after signal loss, a new SS shall search
for MSH-NCFG:Network Descriptor messages and build a physical neighbor list. Based on
the BS information, the new SS chooses a Sponsor node, which helps the new SS join the
network.
The problem here is that MSH-NCFG messages are neither encrypted nor authenticated.
This can lead to attacks against the network topology, which have been studied in ad hoc
and sensor networks [46].
By claiming a shorter path to the BS, for example, a malicious node has a much better
chance of becoming a Sponsor node. In this way, the Sponsor node can lure the network
entry traffic of the local area toward itself, like a Sinkhole [33]. Then the Sponsor node can monitor,
modify or spoof the authorization information exchanged between new nodes and the BS.
An example is illustrated in Fig. 9-2, where node A creates a sinkhole and becomes
the Sponsor for nodes B and C. In addition, false topological information contained in
MSH-NCFG messages can mislead the new SS into forming an incorrect view of the network
topology, which can introduce problems for routing protocols.
Figure 9-2. Sinkhole attacks. (Figure: nodes A, B, C and BS; node A becomes the Sponsor for B and C.)
Attackers can even replay MSH-NCFG messages instead of modifying or spoofing them.
One example is the Wormhole attack [61], illustrated in Fig. 9-3. Attackers establish
a secret channel, tunnel MSH-NCFG messages from nodes A and B through the channel
and replay them. In this way, nodes A and B believe they are neighbors of each other.
Attackers can also record MSH-NCFG messages at one place, move, and replay them at
another place. Obviously, the distorted network topology poses a serious threat to
routing protocols.
9.3.2 Authorization Threats
A Candidate node needs authorization to access the mesh network. This can be
achieved through a handshake between the Candidate node and an Authorization center.
The handshake is carried out by PKM-REQ and PKM-RSP messages (Fig. 9-4).
The Candidate node first sends a PKM-REQ:Auth Info message to the Authorization
center. The message only carries the X.509 certificate for the manufacturer of the
Candidate node.
Figure 9-3. Wormhole attacks. (Figure: nodes A and B and the BS.)
Then the Candidate sends a PKM-REQ:Auth Request message to the Authorization
center. The message contains the Candidate’s X.509 certificate issued by its manufacturer,
the Candidate’s cryptographic capabilities, and the Candidate’s Basic CID.
The Authorization center verifies the Candidate’s X.509 certificate with the manufacturer’s
public key extracted from the PKM-REQ:Auth Info message. If the verification fails, the
Authorization center simply replies to the Candidate with a PKM-RSP:Auth Reject message
containing an error-code and a display-string.
If the Candidate is authentic, the Authorization center replies with a PKM-RSP:Auth
Reply message. This message contains an AK (authorization key) encrypted with the
Candidate’s public key, the AK lifetime, the AK sequence number, SA-descriptors, PKM
configuration, an OSS (operator shared secret), the OSS lifetime, and the OSS sequence
number.
In the PMP mode, the AK is used for the Candidate to access the network. In the
Mesh mode, however, the Candidate shall use the OSS to access the network. Here the
OSS is shared by all the nodes in the mesh network.
Figure 9-4. Node authorization. (Figure: Candidate, Sponsor and Authorization Center; PKM-REQ: Auth Info and PKM-REQ: Auth Request are tunneled over UDP and answered by PKM-RSP: Auth Reply or PKM-RSP: Auth Reject.)
Because the Candidate usually cannot communicate with the Authorization center
directly in the Mesh mode, the Sponsor node helps to tunnel the PKM-REQ messages
from the Candidate to the Authorization center over UDP and forwards the
PKM-RSP messages tunneled back from the Authorization center to the Candidate.
The above process is supposed to guarantee the authenticity of the Candidate before
it joins the network. However, none of the messages is encrypted or authenticated.
Though the AK in PKM-RSP:Auth Reply messages is encrypted, it is useless in the Mesh
mode. Hence, there are several security holes that defeat the goal of the authorization process.
First, all the messages can be intercepted and modified by attackers between
the Candidate and the Sponsor. Though we can assume that the UDP tunnel prevents
eavesdropping and tampering by attackers between the Sponsor and the Authorization
center, because all the links between the Sponsor and the Authorization center are secured by
MAC layer TEKs, we cannot guarantee the loyalty of the Sponsor. Therefore, a malicious
Sponsor acting as an internal attacker can also intercept all the messages and modify them.
In the PKM-REQ:Auth Request message, the Candidate includes its cryptographic
capabilities. The Authorization center chooses from them a set of cryptographic
algorithms that the Candidate node uses to communicate with the network. The
stronger the algorithms are, the more secure the traffic is. However, attackers can modify
the PKM-REQ:Auth Request message to present a weaker set of cryptographic capabilities to the
Authorization center, so that a set of weak cryptographic algorithms is used to secure the
communication between the Candidate and the network. This is called the security level
rollback attack, which has been discussed for IEEE 802.11 [140].
The PKM-RSP:Auth Reply message contains the information of all SAs that the Candidate
can access. An authorized SS should get the services to which it has
subscribed. But attackers can modify the SA information and remove any SA so that
the SS gets less or even no service, leading to a DoS (Denial of Service) attack.
In addition, an OSS is included in the PKM-RSP:Auth Reply. The OSS is used as
a global key shared by all the nodes in the network. The Candidate shall use the OSS
to establish links with neighbors and access the network. Unfortunately, the OSS can
be intercepted by attackers, who can then use it to join the network. Attackers can
even modify it so that the new node gets a wrong OSS and thus fails to join the network.
Moreover, attackers can reduce the OSS lifetime so that the Candidate has to update its
OSS more frequently, leading to faster energy consumption.
Because the PKM-RSP:Auth Reject message is not authenticated, attackers can spoof
the message such that the Candidate fails in the authorization process, leading to the DoS
attack.
The entire authorization process is carried out in one connection, but there is no clear
definition of Authorization SA that is associated with the connection [142]. Therefore
the Authorization center is incapable of distinguishing the authorization messages from
different authorization processes. All the messages in an authorization process can be
replayed.
In Fig. 9-5, for example, an attacker can intercept a PKM-REQ:Auth Request
message and later replay it to BS B. The BS cannot distinguish it from new
PKM-REQ:Auth Request messages and then replies with a PKM-RSP:Auth Reply message.
Figure 9-5. Replay attacks. (Figure: an Auth Request replayed to BS A and BS B.)
In this way, the attacker can learn the OSS. In another case, the attacker can replay the
intercepted PKM-REQ:Auth Request to another mesh domain registered at BS A. BS A
will also accept the message and reply with a PKM-RSP:Auth Reply message, which
discloses the OSS used by BS A.
The authorization process is asymmetric in that the Authorization center authenticates
the Candidate but not vice versa. This gives attackers an opportunity to impersonate
the Authorization center (Fig. 9-6). An attacker can achieve this goal by intercepting PKM-RSP
messages from the Authorization center and replaying them, or by forging those
messages entirely. The Candidate node cannot verify the authenticity of those messages. This
leaves the entire network under the control of the attacker and is a major threat to
the authorization process. This is also the case in the PMP mode [142].
9.3.3 Threats to Link Establishment
After entering the network, the new SS can establish links with its neighbors other
than its Sponsor Node. The link establishment follows a Challenge-Response process
based on the OSS of the network (Fig. 9-7). All the messages exchanged between two
Figure 9-6. False base station. (Figure: the real BS and a false “BS”.)
neighboring nodes are encapsulated in the MSH-NCFG:Neighbor Link Establishment
messages.
When node A needs to establish a link with node B, A sends a challenge,
HMAC{OSS, frame number, ID of node A, ID of node B},
where the OSS is the global key obtained in the authorization process and the frame
number is the last known frame number in which node B sent an MSH-NCFG message.
Upon receiving the challenge, node B computes the same value because it knows the
OSS and the frame number. If the two values do not match, node B returns a rejection. If
they match, node B accepts the link and replies with a challenge response containing
HMAC{OSS, frame number, ID of node B, ID of node A},
where the frame number is that of the MSH-NCFG message that node A just sent.
Node B also randomly selects and includes an unused Link ID indicating the link from B
to A.
Upon receiving the challenge response, node A verifies it as node B does. If the values
match, node A replies with an Accept. It also randomly selects and includes an unused
Link ID indicating the link from A to B. Otherwise, a rejection is returned.
The security of the 3-way handshake depends on the secrecy of the OSS, which makes the
authentication between neighbors too weak. As mentioned in Section 9.3.2, the OSS is
shared by all nodes and there are many opportunities for attackers to get it. For example,
a malicious node can disclose it to an external attacker, or the attacker can directly eavesdrop
on it when a new node gets a PKM-RSP:Auth Reply message from its Sponsor node. Using
the OSS, the attacker can join the network without being authorized and establish links
with its neighbors. Then the attacker can get services from its neighbors.
Figure 9-7. Link establishment. (Figure: Node A and Node B exchanging Challenge, Challenge Response and Accept.)
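The three-message exchange of Fig. 9-7, worked through as an added Go example that is not code from the dissertation or from the 802.16 standard. HMAC-SHA256, the big-endian field encoding and the sample OSS value are assumptions of the example; the Link ID selection is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// ossDigest is HMAC{OSS, frame number, ID of sender, ID of receiver}, the value
// carried in the Challenge and Challenge-Response messages. HMAC-SHA256 and the
// big-endian field encoding are assumptions of this example.
func ossDigest(oss []byte, frame uint32, from, to uint16) []byte {
	m := hmac.New(sha256.New, oss)
	b := binary.BigEndian.AppendUint32(nil, frame)
	b = binary.BigEndian.AppendUint16(b, from)
	b = binary.BigEndian.AppendUint16(b, to)
	m.Write(b)
	return m.Sum(nil)
}

// LinkMsg is a Challenge or, with From and To swapped, a Challenge-Response.
// The Link ID each side picks and the final Accept carry no digest and are
// left out.
type LinkMsg struct {
	From, To uint16
	Frame    uint32 // last known frame number in which To sent an MSH-NCFG message
	Digest   []byte
}

// NewLinkMsg is what the sender does with its copy of the OSS.
func NewLinkMsg(oss []byte, from, to uint16, frame uint32) LinkMsg {
	return LinkMsg{From: from, To: to, Frame: frame, Digest: ossDigest(oss, frame, from, to)}
}

// Check is what the receiver does: recompute the digest from its own OSS and
// its own last MSH-NCFG frame number and compare in constant time. Nothing in
// the check is specific to the sender, so any holder of the OSS passes it.
func Check(oss []byte, myID uint16, myLastFrame uint32, msg LinkMsg) bool {
	if msg.To != myID || msg.Frame != myLastFrame {
		return false // rejection
	}
	return hmac.Equal(msg.Digest, ossDigest(oss, msg.Frame, msg.From, msg.To))
}

// Establish runs the three-way handshake between A and B, each holding its
// own copy of the OSS, and reports whether the link is accepted.
func Establish(ossA, ossB []byte, idA, idB uint16, lastFrameA, lastFrameB uint32) bool {
	chal := NewLinkMsg(ossA, idA, idB, lastFrameB) // A -> B: Challenge
	if !Check(ossB, idB, lastFrameB, chal) {
		return false // B returns a rejection
	}
	resp := NewLinkMsg(ossB, idB, idA, lastFrameA) // B -> A: Challenge-Response
	if !Check(ossA, idA, lastFrameA, resp) {
		return false // A returns a rejection
	}
	return true // A -> B: Accept
}
```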
9.3.4 Threats to TEKs
Each SA includes two TEKs at the same time. The TSM (TEK state machine)
associated with the SA is in charge of the TEK update for the SA (Fig. 9-8).
An SS can start to update its TEKs by sending a PKM-REQ:Key Request message
containing SS-Certificate, SAID, and HMAC-Digest.
Its neighbor verifies the SS-Certificate. If the verification succeeds, the neighbor
replies with a PKM-RSP:Key Reply containing SAID, old TEK parameters, new TEK
parameters, and HMAC-Digest. Otherwise, the neighbor replies with a PKM-RSP:Key Reject.
To protect the confidentiality of TEKs, the SS’s public key extracted from the
PKM-REQ:Key Request message is used to encrypt the TEK parameters. To protect the
integrity of TEKs, HMAC-Digests are attached to these messages. However, those
HMAC-Digests are cal���ulated with the OSS. This leads to possible message tampering
when the OSS is disclosed to attackers. In such a case, attackers cannot recover the TEKs, but
they can spoof a PKM-RSP:Key Reply including false TEKs encrypted with the SS’s public
key and authenticate the message with the OSS.
Figure 9-8. TEK update. (Figure: Node A sends PKM-REQ: Key Request to Node B, which answers with PKM-RSP: Key Reply / Key Reject.)
9.3.5 Traffic Threats
In IEEE 802.16, only data traffic is encrypted. Specifically, only the MAC PDU
payload is encrypted. The generic MAC header and all MAC management messages are
not encrypted. Therefore, attackers can eavesdrop on or forge that cleartext information to cause
problems.
To protect data traffic, two cryptographic methods are defined: DES in CBC mode
[146] and AES in CCM mode [147]. DES-CBC provides confidentiality by encrypting the
MAC PDU payload with the corresponding TEKs. AES-CCM provides confidentiality and
authenticity for the MAC PDU payload. Specifically, the AES-CCM algorithm appends an
8-byte ICV (Integrity Check Value) to the end of the payload and then encrypts both
the payload and the ICV. Therefore, DES-CBC is weaker than AES-CCM because
messages encrypted by DES-CBC can be tampered with or spoofed. DES-CBC is required in
all implementations of IEEE 802.16 devices but AES-CCM is optional. Attackers can
launch the Security Level Rollback attack mentioned in Section 9.3.2 to trick the SS
and BS into using DES-CBC, which gives attackers more opportunities to attack the
data traffic.
9.4 802.16e Security in Mesh Mode
An amendment to IEEE 802.16-2004 [132] was passed in 2005 as IEEE 802.16e [148].
This amendment improves support for mobile devices and strengthens security. The original
PKM protocol in IEEE 802.16 becomes the PKMv1 protocol in IEEE 802.16e, and a new
protocol, PKMv2, is incorporated. In this section, we discuss the security improvements
of 802.16e over 802.16 and discuss its threats.
9.4.1 Security Improvements
802.16e supports two authentication methods: RSA-based and EAP-based [149]. The
RSA-based authentication is similar to that in 802.16. The handshake is as follows:
1. RSA-Request (SS → BS): MS Random, MS Certificate, SAID, SigSS.
2. RSA-Reply (SS ← BS): MS Random, BS Random, Encrypted pre-PAK, Key Lifetime, Key Sequence Number, BS Certificate, SigBS.
3. RSA-Acknowledgement (SS → BS): BS Random, Auth Result Code, Error-Code, Display-String, SigSS.
Here the differences are: random numbers are included in the authentication messages
to prevent replay attacks, and the BS includes its own certificate in the authentication reply
message to prove its identity. The optional EAP-based authentication can be used
independently or combined with the RSA-based one. The actual EAP methods are not
specified in 802.16e. Both methods support mutual authentication between SS and BS,
which is a significant improvement over 802.16.
A master AK (Authorization Key) is established between SS and BS during
authentication. Then the SS uses the AK to negotiate security capabilities and acquire
available SA information. Three messages are defined for the handshake: SA-TEK-Challenge,
SA-TEK-Request and SA-TEK-Response. These messages are authenticated with message
authentication digests. Therefore attackers cannot forge these messages.
In addition to the DES-CBC and AES-CCM methods in 802.16, 802.16e also defines
an AES-CTR mode [150] and an AES-CBC mode [151] to protect the MAC PDU payload.
These two methods provide confidentiality by encrypting the MAC PDU payload.
9.4.2 Potential Threats
The MSH-NCFG:Network Descriptor message is still a security hole in 802.16e. It
can be modified or forged by attackers to launch topological attacks. Though 802.16e
introduces mutual authentication in the authorization process, it does not specify how
to distribute the OSS for the Mesh mode. Therefore, the threats to the OSS in 802.16
remain. Attackers can obtain the OSS and use it to establish links with normal nodes.
None of the management messages is encrypted either, so they can be eavesdropped on.
9.5 New Security Improvements
In this section, we propose some improvements to strengthen IEEE 802.16 security in
the Mesh mode.
9.5.1 Neighbor Authentication
In IEEE 802.16 Mesh mode, two neighbors rely on an OSS to establish a link. This is
vulnerable to attacks, as stated in the previous sections. Here we propose to use certificates
to achieve authentication between neighbors.
Before a node establishes links with its neighbors, it must be authenticated by an
Authorization center through an authorization process. The node can acquire a certificate
issued by the Authorization center during the authorization process. We call it a mesh
certificate. After that, the node can use the mesh certificate to join the network. The
entire process is performed as follows:
1. A → B: A’s mesh certificate.
2. B → A: B’s mesh certificate.
3. Challenge (A → B): encrypted nonce-A, frame number, ID-A, ID-B, A’s signature.
4. Challenge-Response (B → A): encrypted nonce-B, frame number, ID-B, ID-A, B’s signature.
5. Accept (A → B): accept, A’s signature.
Nodes A and B first exchange their mesh certificates. They verify each other’s mesh
certificate with the Authorization center’s public key and extract each other’s public key.
Then A sends a challenge to B, which includes a nonce-A encrypted with B’s public key.
B uses A’s public key to verify A’s signature to check the authenticity of the Challenge. If
this verification succeeds, node B accepts node A and decrypts nonce-A with its own
private key. Likewise, node A can authenticate node B based on the Challenge-Response
message and get nonce-B. At last, node A replies with an Accept message to finish the
handshake.
Now nodes A and B both know nonce-A and nonce-B. They can compute a link key
as
K-AB = H(ID-A, ID-B, nonce-A, nonce-B),
where H() is a hash function such as HMAC or CMAC in 802.16.
Later node A can use the link key K-AB to update TEKs from node B. The process is
the following:
1. Key Request (A → B): SAID, random number, MAC-Digest.
2. Key Reply (B → A): SAID, random number, encrypted old TEK parameters, encrypted new TEK parameters, MAC-Digest.
Here the random numbers are used to prevent the replay attack. The shared link key
K-AB is used to compute MAC-Digests and encrypt TEK parameters.
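The certificate-based handshake and link-key derivation of Section 9.5.1, as an added Go example that is not the dissertation’s own code. It assumes that messages 1 and 2 (mesh certificate exchange and verification with the Authorization center’s public key) have already given each node its peer’s RSA public key, and it uses RSA-OAEP for the encrypted nonces, RSA-PSS for the signatures, SHA-256 as H(), and a big-endian encoding of the frame number and IDs; all of these are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Node is a mesh node whose RSA key pair is bound to its ID by the mesh
// certificate issued during authorization (assumed already verified by the peer).
type Node struct {
	ID  uint16
	Key *rsa.PrivateKey
}

// NewNode generates the node's RSA key pair.
func NewNode(id uint16) (*Node, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Node{ID: id, Key: key}, nil
}

// Challenge is message 3; message 4 (Challenge-Response) has the same shape
// with the roles of A and B swapped.
type Challenge struct {
	EncNonce []byte // nonce encrypted with the receiver's public key (RSA-OAEP)
	Frame    uint32 // frame number of the receiver's last MSH-NCFG message
	From, To uint16
	Sig      []byte // sender's RSA-PSS signature over the fields above
}

// body serialises the signed fields (EncNonce has fixed RSA-modulus length).
func (c Challenge) body() []byte {
	b := binary.BigEndian.AppendUint32(nil, c.Frame)
	b = binary.BigEndian.AppendUint16(b, c.From)
	b = binary.BigEndian.AppendUint16(b, c.To)
	return append(b, c.EncNonce...)
}

// MakeChallenge builds a signed challenge carrying a fresh 16-byte nonce and
// also returns the nonce so the sender can derive the link key later.
func MakeChallenge(from *Node, toPub *rsa.PublicKey, to uint16, frame uint32) (Challenge, []byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, nil, err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, toPub, nonce, nil)
	if err != nil {
		return Challenge{}, nil, err
	}
	c := Challenge{EncNonce: enc, Frame: frame, From: from.ID, To: to}
	digest := sha256.Sum256(c.body())
	c.Sig, err = rsa.SignPSS(rand.Reader, from.Key, crypto.SHA256, digest[:], nil)
	return c, nonce, err
}

// VerifyChallenge checks addressing and frame number, authenticates the
// message with the sender's public key (from its mesh certificate), and
// recovers the nonce with the receiver's own private key.
func VerifyChallenge(recv *Node, fromPub *rsa.PublicKey, c Challenge, frame uint32) ([]byte, error) {
	if c.To != recv.ID || c.Frame != frame {
		return nil, errors.New("challenge not for this node or stale frame number")
	}
	digest := sha256.Sum256(c.body())
	if err := rsa.VerifyPSS(fromPub, crypto.SHA256, digest[:], c.Sig, nil); err != nil {
		return nil, errors.New("challenge signature invalid")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recv.Key, c.EncNonce, nil)
}

// LinkKey is K-AB = H(ID-A, ID-B, nonce-A, nonce-B), with H = SHA-256 here.
func LinkKey(idA, idB uint16, nonceA, nonceB []byte) []byte {
	b := binary.BigEndian.AppendUint16(nil, idA)
	b = binary.BigEndian.AppendUint16(b, idB)
	sum := sha256.Sum256(append(append(b, nonceA...), nonceB...))
	return sum[:]
}

// Handshake runs messages 3 and 4 between A and B (frameA and frameB are the
// frame numbers of each node's last MSH-NCFG message) and returns the link key
// each side derives. Message 5 (Accept) is a signed acknowledgement, omitted here.
func Handshake(a, b *Node, frameA, frameB uint32) ([]byte, []byte, error) {
	pubA, pubB := &a.Key.PublicKey, &b.Key.PublicKey // as extracted from the mesh certificates
	chal, nonceA, err1 := MakeChallenge(a, pubB, b.ID, frameB) // A -> B: Challenge
	nonceAatB, err2 := VerifyChallenge(b, pubA, chal, frameB)
	resp, nonceB, err3 := MakeChallenge(b, pubA, a.ID, frameA) // B -> A: Challenge-Response
	nonceBatA, err4 := VerifyChallenge(a, pubB, resp, frameA)
	if err := errors.Join(err1, err2, err3, err4); err != nil {
		return nil, nil, err
	}
	return LinkKey(a.ID, b.ID, nonceA, nonceBatA), LinkKey(a.ID, b.ID, nonceAatB, nonceB), nil
}
```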
The above neighbor authentication process is much more secure than the original one in
IEEE 802.16, because it is based on mesh certificates instead of the globally shared OSS.
In addition, the TEK update is secured by the shared link key instead of the original
public key. Because the TEK update is performed periodically, we can expect our neighbor
authentication process to be more efficient than the original one in IEEE 802.16.
9.5.2 Cryptographic Issues
Generally, RSA-based public key cryptography is more expensive in computation than
symmetric key cryptography. Therefore, the use of public key algorithms should be kept as
small as possible in a security protocol. Meanwhile, the performance can be increased if more
efficient public key techniques are developed.
One substitute for RSA-based public key cryptography is elliptic curve
cryptography (ECC) [71, 72]. ECC can achieve the same level of security as RSA with
smaller key sizes. It has been shown that 160-bit ECC provides comparable security to
1024-bit RSA and 224-bit ECC provides comparable security to 2048-bit RSA [73]. At
the same security level, the smaller key sizes of ECC offer faster computation,
as well as memory, energy and bandwidth savings. Therefore ECC can be
incorporated into IEEE 802.16 in the future to replace RSA-based cryptography.
9.6 Conclusion
We discussed the security of IEEE 802.16 in mesh mode and found out it is very
vulnerable to malicious attacks in multihop environments. Some improvements were
proposed to secure IEEE 802.16 in Mesh mode.
REFERENCES
[1] C. E. Shannon, “Communication theory of secrecy systems,” Bell System Technical Journal, vol. 28, pp. 656–715, Oct. 1949.
[2] W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, pp. 644–654, Nov. 1976.
[3] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, vol. 21, no. 2, pp. 120–126, Feb. 1978.
[4] S. Basagni, K. Herrin, D. Bruschi, and E. Rosti, “Secure pebblenets,” Proceedings of the 2nd ACM International Symposium on Mobile Ad Hoc Networking & Computing (Mobihoc’01), Long Beach, CA, Oct. 2001, pp. 156–163.
[5] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, ISBN: 0-8493-8523-7, Oct. 1996.
[6] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, “SPINS: Security protocols for sensor networks,” Wireless Networks, Kluwer Academic Publishers, vol. 8, pp. 521–534, 2002.
[7] R. Blom, “An optimal class of symmetric key generation systems,” Proceedings of Advances in Cryptology: EUROCRYPT’84, Paris, France, Apr. 1984, pp. 335–338.
[8] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, “Perfectly-secure key distribution for dynamic conferences,” Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO’92), Aug. 1992, pp. 471–486.
[9] Y. Zhou and Y. Fang, “A scalable key agreement scheme for large scale networks,” Proceedings of the 2006 IEEE International Conference on Networking, Sensing and Control (ICNSC’06), Ft. Lauderdale, Florida, Apr. 2006, pp. 631–636.
[10] Y. Zhou and Y. Fang, “Scalable and deterministic key agreement for large scale networks,” to appear in IEEE Transactions on Wireless Communications.
[11] W. Lou, W. Liu and Y. Fang, “SPREAD: Enhancing data confidentiality in mobile ad hoc networks,” Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM’04), Hong Kong, China, Mar. 2004, vol. 4, pp. 2404–2413.
[12] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, Nov. 1979.
[13] L. Eschenauer and V. Gligor, “A key management scheme for distributed sensor networks,” Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS’02), Washington D.C., Nov. 2002, pp. 41–47.
[14] J. Spencer, The strange logic of random graphs, Algorithms and Combinatorics 22, Springer-Verlag 2000, ISBN 3-540-41654-4.
[15] H. Chan, A. Perrig and D. Song, “Random key predistribution schemes for sensor networks,” Proceedings of the 2003 IEEE Symposium on Security and Privacy (SP’03), Berkeley, CA, May 2003, pp. 197–213.
[16] R. D. Pietro, L. V. Mancini and A. Mei, “Random key-assignment for secure wireless sensor networks,” Proceedings of the 1st ACM Workshop on Security of Ad hoc and Sensor Networks (SASN’03), Fairfax, VA, 2003, pp. 62–71.
[17] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS’03), Washington, DC, Oct. 2003, pp. 42–51.
[18] D. Liu and P. Ning, “Establishing pairwise keys in distributed sensor networks,” Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS’03), Washington, DC, Oct. 2003, pp. 52–61.
[19] D. Liu, P. Ning, and R. Li, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, Feb. 2005.
[20] J. Hwang and Y. Kim, “Revisiting random key pre-distribution schemes for wireless sensor networks,” Proceedings of the 2nd ACM Workshop on Security of Ad hoc and Sensor Networks (SASN’04), Washington, DC, Oct. 2004, pp. 43–52.
[21] J. Lee and D. R. Stinson, “Deterministic key pre-distribution schemes for distributed sensor networks,” Proceedings of the 11th International Workshop on Selected Areas in Cryptography (SAC’04), Waterloo, Canada, Aug. 2004, pp. 294–307.
[22] J. Lee and D. R. Stinson, “A combinatorial approach to key pre-distribution mechanisms for wireless sensor networks,” Proceedings of the 2005 IEEE Wireless Communications and Networking Conference (WCNC’05), New Orleans, LA, Mar. 2005, pp. 1200–1205.
[23] S. A. Camtepe and B. Yener, “Combinatorial design of key distribution mechanisms for wireless sensor networks,” IEEE/ACM Transactions on Networking, vol. 15, no. 2, pp. 346–358, Apr. 2007.
[24] D. S. Sanchez and H. Baldus, “A deterministic pairwise key pre-distribution scheme for mobile sensor networks,” Proceedings of the 1st IEEE/CreateNet International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM’05), Athens, Greece, Sep. 2005, pp. 277–288.
[25] H. Chan and A. Perrig, “Pike: peer intermediaries for key establishment in sensor networks,” Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM’05), Miami, FL, Mar. 2005, vol. 1, pp. 524–535.
[26] F. Delgosha and F. Fekri, “Key pre-distribution in wireless sensor networks using multivariate polynomials,” Proceedings of the 2nd Annual IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks (SECON’05), Santa Clara, CA, Sep. 2005, pp. 118–129.
[27] F. Delgosha and F. Fekri, “Threshold key-establishment in distributed sensor networks using a multivariate scheme,” Proceedings of the 25th IEEE International Conference on Computer Communications (INFOCOM’06), Barcelona, Spain, Apr. 2006, pp. 1–12.
[28] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communication Magazine, vol. 40, no. 8, pp. 102–114, Aug. 2002.
[29] J. M. Kahn, R. H. Katz and K. S. J. Pister, “Next century challenges: Mobile networking for Smart Dust,” Proceedings of the 5th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MOBICOM’99), Seattle, WA, Aug. 1999, pp. 217–278.
[30] G. J. Pottie and W. J. Kaiser, “Wireless integrated network sensors,” Communications of the ACM, vol. 43, no. 5, pp. 51–58, May 2000.
[31] Crossbow Technology, http://www.xbow.com/ 2006.
[32] Atmel Corporation, http://www.atmel.com/ 2006.
[33] C. Karlof and D. Wagner, “Secure routing in wireless sensor networks: attacks and countermeasures,” Proceedings of the 1st IEEE International Workshop on Sensor Network Protocols and Applications (SNPA’03), Anchorage, AK, May 2003, pp. 113–127.
[34] R. Anderson and M. Kuhn, “Tamper resistance - a cautionary note,” Proceedings of the 2nd USENIX Workshop on Electronic Commerce, Oakland, CA, Nov. 1996, pp. 1–11.
[35] A. Wood and J. Stankovic, “Denial of service in sensor networks,” IEEE Computer Magazine, vol. 35, no. 10, pp. 54–62, Oct. 2002.
[36] D. Liu and P. Ning, “Location-based pairwise key establishments for relatively static sensor networks,” Proceedings of the 1st ACM Workshop on Security of Ad hoc and Sensor Networks (SASN’03), Fairfax, VA, Oct. 2003, pp. 72–82.
[37] W. Du, J. Deng, Y. S. Han, S. Chen and P. K. Varshney, “A key management scheme for wireless sensor networks using deployment knowledge,” Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM’04), Hong Kong, China, Mar. 2004, pp. 586–597.
[38] D. Huang, M. Mehta, D. Medhi, and L. Harn, “Location-aware key management scheme for wireless sensor networks,” Proceedings of the 2nd ACM Workshop on Security of Ad hoc and Sensor Networks (SASN’04), Washington, DC, Oct. 2004, pp. 29–42.
[39] Z. Yu and Y. Guan, “A robust group-based key management scheme for wireless sensor networks,” Proceedings of the 2005 IEEE Wireless Communications and Networking Conference (WCNC’05), New Orleans, LA, Mar. 2005, vol. 4, pp. 1915–1920.
[40] D. Liu, P. Ning and W. Du, “Group-based key pre-distribution in wireless sensor networks,” Proceedings of the 4th ACM Workshop on Wireless Security (WISE’05), Cologne, Germany, Sep. 2005, pp. 11–20.
[41] L. Zhou, J. Ni and C. V. Ravishankar, “Efficient key establishment for group-based wireless sensor deployments,” Proceedings of the 4th ACM Workshop on Wireless Security (WISE’05), Cologne, Germany, Sep. 2005, pp. 1–10.
[42] L. Zhou, J. Ni and C. V. Ravishankar, “Supporting secure communication and data collection in mobile sensor networks,” Proceedings of the 25th IEEE International Conference on Computer Communications (INFOCOM’06), Barcelona, Spain, Apr. 2006, pp. 1–12.
[43] F. Anjum, “Location dependent key management using random key-predistribution in sensor networks,” Proceedings of the 5th ACM Workshop on Wireless Security (WISE’06), Los Angeles, CA, Sep. 2006, pp. 21–30.
[44] T. Ito, H. Ohta, N. Matsuda, and T. Yoneda, “A key pre-distribution scheme for secure sensor networks using probability density function of node deployment,” Proceedings of the 3rd ACM Workshop on Security of Ad hoc and Sensor Networks (SASN’05), Alexandria, VA, Nov. 2005, pp. 69–75.
[45] Y. Zhou, Y. Zhang and Y. Fang, “LLK: A link-layer key establishment scheme in wireless sensor networks,” Proceedings of the 2005 IEEE Wireless Communications and Networking Conference (WCNC’05), New Orleans, LA, Mar. 2005, vol. 4, pp. 1921–1926.
[46] Y. Zhou, Y. Zhang and Y. Fang, “Key establishment in sensor networks based on triangle grid deployment model,” Proceedings of the 2005 IEEE Military Communications Conference (MILCOM’05), Atlantic City, NJ, Oct. 2005, vol. 3, pp. 1450–1455.
[47] R. Merkle, “Secure communication over insecure channels,” Communications of the ACM, vol. 21, no. 4, pp. 294–299, Apr. 1978.
[48] Y. Zhou and Y. Fang, “A two-layer key establishment scheme for wireless sensor networks,” to appear in IEEE Transactions on Mobile Computing.
[49] Y. Zhou and Y. Fang, “Scalable link-layer key agreement in sensor networks,” Proceedings of the 2006 IEEE Military Communications Conference (MILCOM’06), Washington, DC, Oct. 2006, pp. 1–6.
[50] W. Du, L. Fang and P. Ning, “LAD: localization anomaly detection for wireless sensor networks,” Journal of Parallel and Distributed Computing, Academic Press, Inc., vol. 66, no. 7, pp. 874–886, Jul. 2006.
[51] Y. Zhou and Y. Fang, “Defend against topological attacks in sensor networks,” Proceedings of the 2005 IEEE Military Communications Conference (MILCOM’05), Atlantic City, NJ, Oct. 2005, vol. 2, pp. 768–773.
[52] Y. Zhou and Y. Fang, “A location-based naming mechanism for securing sensor networks,” Wireless Communications and Mobile Computing, Special Issue on Wireless Networks Security, Wiley, vol. 6, no. 3, pp. 347–355, May 2006.
[53] N. Sastry, U. Shankar and D. Wagner, “Secure verification of location claims,” Proceedings of the 2003 ACM Workshop on Wireless Security (WISE’03), San Diego, CA, Sep. 2003, pp. 1–10.
[54] P. Corke, R. Peterson and D. Rus, “Networked robots: flying robot navigation using a sensor net,” Proceedings of the 11th International Symposium of Robotics Research (ISRR’03), Siena, Italy, Oct. 2003, pp. 234–243.
[55] C. Savarese, J. Rabaey and J. Beutel, “Locationing in distributed ad-hoc wireless sensor networks,” Proceedings of the 26th IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP’01), Salt Lake City, UT, May 2001, pp. 2037–2040.
[56] C. Karlof, N. Sastry and D. Wagner, “TinySec: A link layer security architecture for wireless sensor networks,” Proceedings of the 2nd ACM International Conference on Embedded Networked Sensor Systems (SENSYS’04), Baltimore, MD, Nov. 2004, pp. 162–175.
[57] H. T. Kung and D. Vlah, “Efficient location tracking using sensor networks,” Proceedings of the 2003 IEEE Wireless Communications and Networking Conference (WCNC’03), Mar. 2003, vol. 3, pp. 1954–1961.
[58] R. Brooks, P. Ramanathan and A. Sayeed, “Distributed target classification and tracking in sensor networks,” Proceedings of the IEEE, vol. 91, no. 8, pp. 1163–1171, 2003.
[59] M. Bellare, R. Canetti and H. Krawczyk, “Keying hash functions for message authentication,” Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO’96), Santa Barbara, CA, Aug. 1996, pp. 1–15.
[60] J. Newsome, E. Shi, D. Song, and A. Perrig, “The sybil attack in sensor networks: analysis & defenses,” Proceedings of the 3rd IEEE International Symposium on Information Processing in Sensor Networks (IPSN’04), Berkeley, CA, Apr. 2004, pp. 259–268.
[61] Y. Hu, A. Perrig and D. B. Johnson, “Packet leashes: a defense against wormhole attacks in wireless networks,” Proceedings of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM’03), San Francisco, CA, Mar. 2003, vol. 3, pp. 1976–1986.
[62] L. Hu and D. Evans, “Using directional antennas to prevent wormhole attacks,” Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS’04), San Diego, CA, Feb. 2004.
[63] W. Wang and B. Bhargava, “Visualization of wormholes in sensor networks,” Proceedings of the 2004 ACM Workshop on Wireless Security (WISE’04), Philadelphia, PA, Oct. 2004, pp. 51–60.
[64] S. Zhu, S. Setia and S. Jajodia, “LEAP: efficient security mechanism for large-scale distributed sensor networks,” Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS’03), Washington, DC, Oct. 2003, pp. 62–72.
[65] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Securing sensor networks with location-based keys,” Proceedings of the 2005 IEEE Wireless Communications and Networking Conference (WCNC’05), New Orleans, LA, Mar. 2005, vol. 4, pp. 1909–1914.
[66] B. Parno, A. Perrig and V. Gligor, “Distributed detection of node replication attacks in sensor networks,” Proceedings of the 2005 IEEE Symposium on Security and Privacy (SP’05), Berkeley/Oakland, CA, May 2005, pp. 49–63.
[67] Y. Zhou, Y. Zhang and Y. Fang, “Access control in wireless sensor networks,” to appear in Elsevier Ad Hoc Networks, Special Issue on Security in Ad Hoc and Sensor Networks.
[68] R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, and P. Kruus, “TinyPK: securing sensor networks with public key technology,” Proceedings of the 2nd ACM Workshop on Security of Ad hoc and Sensor Networks (SASN’04), Washington, DC, Oct. 2004, pp. 59–64.
[69] J. R. Douceur, “The Sybil attack,” Proceedings of the 1st International Workshop on Peer-to-Peer Systems (IPTPS’02), Cambridge, MA, Mar. 2002, pp. 251–260.
[70] D. J. Malan, M. Welsh and M. D. Smith, “A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography,” Proceedings of the 1st IEEE International Conference on Sensor and Ad Hoc Communications and Networks (SECON’04), Santa Clara, CA, Oct. 2004, pp. 71–80.
[71] N. Koblitz, “Elliptic Curve Cryptosystems,” Mathematics of Computation, vol. 48, pp. 203–209, 1987.
205
[72] V. Miller, “Uses of Elliptic Curves in Cryptography,” Advances in Cryptology -CRYPTO’85, Santa Barbara, CA, 1985, pp. 417–426.
[73] S. Vanstone, “Responses to NIST’s proposal,” Communications of the ACM, vol. 35,pp. 50–52, Jul. 1992.
[74] O. Goldreich, S. Goldwasser and S. Micali, “How to construct random functions,”Journal of the ACM vol. 33, no. 4, pp. 792–807, 1986.
[75] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, “Comparing ellipticcurve cryptography and RSA on 8-bit CPUs,” Proceedings of the 6th Interna-tional Workshop on Cryptographic Hardware and Embedded Systems (CHES’04),Cambridge, MA, Aug. 2004, pp. 119–132.
[76] D. W. Carman, P. S. Kruus and B. J. Matt, “Constraints and approaches fordistributed sensor network security,” NAI Labs Technical Report #00-010, Sep. 2000.
[77] A. Perrig, J. Stankovic and D. Wagner, “Security in wireless sensor networks,”Communications of the ACM, vol. 47, no. 6, pp. 53–57, Jun. 2004.
[78] M. Manzo, T. Roosta and S. Sastry, “Time synchronization attacks in sensornetworks,” Proceedings of the 3rd ACM Workshop on Security of Ad hoc and SensorNetworks (SASN’05), Alexandria, VA, Nov. 2005, pp. 107–116.
[79] Y. Zhou and Y. Fang, “BABRA: batch-based broadcast authentication in wirelesssensor networks,” Proceedings of the 49th Annual IEEE Global TelecommunicationsConference (GLOBECOM’06), San Francisco, CA, Nov. 2006, pp. 1–5.
[80] A. Perrig, R. Canetti, B. Brisco, D. Song, and D. Tygar, “TESLA: multicastsource authentication transform introduction,” IETF working draft,draft-ietf-msec-tesla-intro-01.txt.
[81] D. Liu and P. Ning, “Efficient distribution of key chain commitments for broadcastauthentication in distributed sensor networks,” Proceedings of the 10th AnnualNetwork and Distributed System Security Symposium (NDSS’03), San Diego, CA,Feb. 2003.
[82] S. Rafaeli and D. Hutchison, “A survey of key management for secure groupcommunication,” ACM Computing Surveys, vol. 35, no. 3, pp. 309–329, Sep. 2003.
[83] A. Perrig, R. Canetti, D. Song, and J.D. Tygar, “Efficient and secure sourceauthentication for multicast,” Proceedings of the 8th Annual Network and DistributedSystem Security Symposium (NDSS’01), San Diego, CA, Feb. 2001.
[84] I. Khalil, S. Bagchi and C. Nita-Rotaru, “DICAS: detection, diagnosis and isolationof control attacks in sensor networks,” Proceedings of the 1st IEEE/CreateNet Inter-national Conference on Security and Privacy for Emerging Areas in CommunicationsNetworks (SECURECOMM’05), Athens, Greece, Sep. 2005, pp. 89–100.
206
[85] C. Kaufman, R. Perlman and M. Speciner. Network Security: private communicationin a public world, 2nd Edition, Prentice-Hall, 2002.
[86] S. E. Deering, “Multicast routing in internetworks and extended LANs,” Proceed-ings of the 1988 ACM Symposium on Communications Architectures and Protocols(SIGCOMM’88), Stanford, CA, Aug. 1988, pp. 55–64.
[87] T. Ballardie and J. Crowcroft, “Multicast-specific security threats andcounter-measures,” Proceedings of the 2th Annual Network and Distributed Sys-tem Security Symposium (NDSS 1995), San Diego, CA, Feb. 1995, pp. 2–16.
[88] P. Judge and M. Ammar, “Security issues and solutions in mulicast contentdistribution: a survey,” IEEE Network Magzine, vol. 17, no. 1, pp. 30–36, Jan./Feb.2003.
[89] Y. Challal, H. Bettahar and A. Bouabdallah, “A taxonomy of multicast data originauthentication: issues and solutions,” IEEE Communication Surveys & Tutorials,vo. 6, no. 3, pp. 34–57, 2004.
[90] R. Gennaro and P. Rohatgi, “How to sign digital streams,” Information andComputation, Academic Press, vol. 165, no. 1, pp. 100–116, Feb. 2001.
[91] R. Gennaro and P. Rohatgi, “How to sign digital streams,” Proceedings of the 17thAnnual Cryptology Conference on Advances in Cryptology (CRYPTO’97), SantaBarbara, CA, Aug. 1997.
[92] A. Perrig, R. Canetti, J. D. Tygar, and D. Song, “Efficient authentication andsigning of multicast streams over lossy channels,” Proceedings of the 2000 IEEESymposium on Security and Privacy (SP’00), Berkeley, CA, May 2000, pp. 56–75.
[93] Y. Challal, H. Bettahar and A. Bouabdallah, “A2Cast: an adaptive sourceauthentication protocol for multicast streams,” Proceedings of the 9th Interna-tional Symposium on Computers and Communications (ISCC’04), Alexandria,Egypt, Jun. 2004, vol. 1, pp. 363–368.
[94] S. Miner and J. Staddon, “Graph-based authentication of digital streams,” Proceed-ings of the 2001 IEEE Symposium on Security and Privacy (SP’01), Oakland, CA,May 2001, pp. 232–246.
[95] Z. Zhang, Q. Sun, W-C Wong, J. Apostolopoulos and S. Wee, “A content-awarestream authentication scheme optimized for distortion and overhead,” Proceedings ofthe 2006 IEEE International Conference on Multimedia and Expo (ICME’06),Toronto, Canada, Jul. 2006, pp. 541–544.
[96] P. Golle and N. Modadugu, “Authenticating streamed data in the presence ofrandom packet loss,” Proceedings of the 8th Annual Network and Distributed SystemSecurity Symposium (NDSS’01), San Diego, CA, Feb. 2001.
207
[97] Z. Zhang, Q. Sun and W-C Wong, “A proposal of butterfly-graphy based streamauthentication over lossy networks,” Proceedings of the 2005 IEEE InternationalConference on Multimedia and Expo (ICME’05), Amsterdam, Netherlands, Jul. 2005.
[98] S. Ueda, N. Kawaguchi, H. Shigeno and K. Okada, “Stream authentication schemefor the use over the IP telephony,” Proceedings of the 18th International Conferenceon Advanced Information Networking and Application (AINA’04), Fukuoka, Japan,Mar. 2004, vol. 2, pp. 164–169.
[99] A. Chan and E. Rogers Sr., “A graph-theoretical analysis of multicastauthentication,” Proceedings of the 23rd International Conference on DistributedComputing Systems (ICDCS’03), Providence, RI, May 2003, pp. 155–162.
[100] C. K. Wong and S. S. Lam, “Digital signatures for flows and multicasts,” Proceed-ings of the 6th International Conference on Network Protocols (ICNP’98), Austin,TX, Oct. 1998, pp. 198–209.
[101] C. K. Wong and S. S. Lam, “Digital signatures for flows and multicasts,”IEEE/ACM Transactions on Networking, vol. 7, no. 4, pp. 502–513, Aug. 1999.
[102] J. M. Park, E. K. P. Chong, and H. J. Siegel, “Efficient multicast packetauthentication using signature amortization,” Proceedings of the 2002 IEEESymposium on Security and Privacy (SP’02), Berkeley, CA, May 2002, pp. 227–240.
[103] J. M. Park, E. K. P. Chong, and H. J. Siegel, “Efficient multicast streamauthentication using erasure codes,” ACM Transactions on Information andSystem Security, vol. 6, no. 2, pp. 258–285, May 2003.
[104] A. Pannetrat and R. Molva, “Authenticating real time packet streams andmulticasts,” Proceedings of the 7th IEEE International Symposium on Comput-ers and Communications (ISCC’02), Taormina/Giardini Naxos, Italy, Jul. 2002, pp.490–495.
[105] A. Pannetrat and R. Molva, “Efficient multicast packet authentication,” Pro-ceedings of the 10th Annual Network and Distributed System Security Symposium(NDSS’03), San Diego, CA, Feb. 2003.
[106] Y. Wu and T. Li, “Video stream authentication in lossy networks,” Proceedings ofthe 2006 IEEE Wireless Communications and Networking Conference (WCNC’06),Las Vegas, NV, Apr. 2006, vol. 4, pp. 2150–2155.
[107] C. Karlof, N. Sastry, Y. Li, A. Perrig, and J. D. Tygar, “Distillation codes andapplications to DoS resistant multicast authentication,” Proceedings of the 11thAnnual Network and Distributed System Security Symposium (NDSS’04), San Diego,CA, Feb. 2004.
208
[108] C.A. Gunter, S. Khanna, K. Tan, and S. Venkatesh, “DoS protection for reliablyauthenticated broadcast,” Proceedings of the 11th Annual Network and DistributedSystem Security Symposium (NDSS’04), San Diego, CA, Feb. 2004.
[109] L. Harn, “Batch verifying multiple RSA digital signatures,” IEE Electronic Letters,vol. 34, no. 12, pp. 1219–1220, Jun. 1998.
[110] M. Bellare, J. A. Garay and T. Rabin, “Fast batch verification for modularexponentiation and digital signatures,” Proceedings of Advances in Cryptology:EUROCRYPT’98, Espoo, Finland, May 1998, pp. 236–250.
[111] D. Boneh, B. Lynn and H. Shacham, “Short signatures from the weil pairing,”Proceedings of the 7th International Conference on the Theory and Application ofCryptology and Information Security Advances in Cryptology: ASIACRYPT’01, GoldCoast, Australia, Dec. 2001, pp. 514–532.
[112] FIPS PUB 186, Digital signature standard (DSS), May 1994.
[113] T. ElGamal, “A public key cryptosystem and a signature scheme based on discretelogarithms,” IEEE Transactions on Information Theory, vol. IT-31, no. 4, pp.469–472, Jul. 1985.
[114] D. Naccache, D. M’Raihi, S. Vaudenay, and D. Raphaeli, “Can D.S.A. be improved?complexity trade-offs with the digital signature standard,” Proceedings of Workshopon the Theory and Application of Cryptographic Techniques Advances in Cryptology:EUROCRYPT’94, Perugia, Italy, May 1995, pp. 77–85.
[115] C. H. Lim and P. J. Lee, “Security of interactive DSA batch verification,” IEEElectronic Letters, vol. 30, no. 19, pp. 1592–1593, Sep. 1994.
[116] L. Harn, “DSA-type secure interactive batch verification protocols,” IEE ElectronicLetters, vol. 31, no. 4, pp. 257–258, Feb. 1995.
[117] L. Harn, “Batch verifying multiple DSA-type digital signatures,” IEE ElectronicLetters, vol. 34, no. 9, pp. 870–871, Apr. 1998.
[118] C. Boyd and C. Pavlovski, “Attacking and repairing batch verification schemes,”Proceedings of the 6th International Conference on the Theory and Application ofCryptology and Information Security Advances in Cryptology: ASIANCRYPT’00,Kyoto, Japan, Dec. 2000, pp. 58–71.
[119] Y. Desmedt, Y. Frankel, and M. Yung, “Multi-receiver/multi-sender networksecurity: efficient authenticated multicast/feedback,” Proceedings of the 11thAnnual Joint Conference of the IEEE Computer and Communications Societies(INFOCOM’92), Florence, Italy, May 1992, vol. 3, pp. 2045–2054.
[120] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, “Multicastsecurity: a taxonomy and some efficient constructions,” Proceedings of the 18th
209
Annual Joint Conference of the IEEE Computer and Communications Societies(INFOCOM’99), New York, NY, Mar. 1999, vol. 2, pp. 708–716.
[121] F. Bergadano, D. Cavagnino and B. Crispo, “Individual single-source authenticationon the mbone,” Proceedings of the 2000 IEEE International Conference on Multime-dia and Expo (ICME’00), New York, NY, Jul. 2000, vol. 1, pp. 541–544.
[122] A. Perrig, “The BiBa one-time signature and broadcast authentication protocol,”Proceedings of the 8th ACM Conference on Computer and Communications Security(CCS’01), Philadelphia, PA, Nov. 2001, pp. 28–37.
[123] P. Barreto, H. Kim, B. Lynn, and M. Scott, “Efficient algorithms for pairing-basedcryptosystems”, Proceedings of the 22nd Annual International Cryptology Conferenceon Advances in Cryptology: CRYPTO’02, Santa Barbara, CA, Aug. 2002, pp.354–368.
[124] R. Rivest, “The MD5 message-digest algorithm,” RFC 1319, April 1992.
[125] D. Eastlake and P. Jones, US secure hash algorithm 1 (SHA1), RFC 3174, Sep.2001.
[126] N. Baric and B. Pfitzmann, “Collision-free accumulators and fail-stop signatureschemes without trees,” Proceedings of International Conference on the Theory andApplication of Cryptographic Techniques Advances in Cryptology: EUROCRYPT’97,Konstanz, Germany, May 1997, pp. 480–494.
[127] J. Benaloh and M. de Mare, “One way accumulators: a decentralized alternativeto digital signatures,” Proceedings of International Conference on the Theory andApplication of Cryptographic Techniques Advances in Cryptology: EUROCRYPT’93,Lofthus, Norway, May 1993, pp. 274–285.
[128] J. Camenisch and A. Lysyanskaya, “Dynamic accumulators and application toefficient revocation of anonymous credentials,” Proceedings of the 22nd AnnualInternational Cryptology Conference on Advances in Cryptology: CRYPTO’02, SantaBarbara, CA, Aug. 2002, pp. 61–76.
[129] M. Goodrich, R. Tamassia and J. Hasic, “An efficient dynamic and distributedcryptographic accumulator,” Proceedings of the 5th International Conference onInformation Security (ICIS’02), 2002, pp. 372–388.
[130] K. Nyberg, “Fast accumulated hashing,” Proceedings of the 3rd InternationalWorkshop on Fast Software Encryption (FSE’96), Cambridge, UK, Feb. 1996, pp.83–87.
[131] T. Sander, “Efficient accumulators without trapdoor extended abstracts,” Pro-ceedings of the 2nd International Conference on Information and CommunicationSecurity (ICICS’99), Sydney, Australia, Nov. 1999, pp. 252–262.
210
[132] IEEE Std 802.16-2004, IEEE standard for local and metropolitan area networks, part16: air interface for fixed broadband wireless access systems, June 2004.
[133] WiMAX Forum, http://www.wimaxforum.org/home/, May 2006.
[134] IEEE Std 802.11-1999, Information technology - telecommunications and infor-mation exchange between systems - local and metropolitan area networks - specificrequirements - part 11: wireless lan medium access control (MAC) and physical layer(PHY) specifications, 1999.
[135] I.F. Akyildiz, X. Wang and W. Wang, “Wireless mesh networks: a survey,”Computer Networks, Elsevier, vol. 47, pp. 445–487, Mar. 2005.
[136] N. Borisov, I. Goldberg and D. Wagner, “Intercepting mobile communications:the insecurity of 802.11,” Proceedings of the 7th Annual International Conferenceon Mobile Computing and Networking (Mobicom’01), Rome, Italy, Jul. 2001, pp.180–189.
[137] W.A. Arbaugh, N. Shankar, Y.C. Wan, and K. Zhang, “Your 802.11 wirelessnetwork has no clothes,” IEEE Wireless Communications Magizine, vol. 9, no. 6, pp.44–51, Dec. 2002.
[138] J. Bellardo and S. Savage, ”802.11 denial-of-service attacks: real vulnerabilities andpractical solutions,” Proceedings of the 12th USENIX Security Symposium (SEC’03),Washington, DC, Aug. 2003, pp. 15–28.
[139] A. Mishra, N.L. Petroni, W.A. Arbaugh, and T. Fraser, “Security issues in IEEE802.11 wireless local area networks: a survey,” Wireless Communications and MobileComputing, Wiley, vol. 4, no. 8, pp. 821–833, Dec. 2004.
[140] C. He, J. C. Mitchell, “Security analysis and improvements for IEEE 802.11i,”Proceedings of the 12th Annual Network and Distributed System Security Symposium(NDSS’05), San Diego, CA, Feb. 2005, pp 90–110.
[141] DOCSIS Home, http://www.cablemodem.com/, May 2006.
[142] D. Johnston and J. Walker, “Overview of IEEE 802.16 security,” IEEE Security &Privacy Magzine, vol. 2, no. 3, pp. 40–48, May/Jun. 2004.
[143] M. Barbeau, ”Wimax/802.16 threat analysis,” Proceedings of the 1st ACMInternational Workshop on Quality of Service & Security in Wireless and MobileNetworks (Q2SWINET’05), Montreal, Canada, Oct. 2005, pp. 8–15.
[144] F. Yang, H. Zhou, L, Zhang, and J. Feng, ”An improved security scheme in WMANbased on IEEE standard 802.16,” Proceedings of the 2005 International Conferenceon Wireless Communications, Networking and Mobile Computing (WCNMC’05),Wuhan, China, Sep. 2005, vol. 2, pp. 1191–1194.
211
[145] Y. Zhou and Y. Fang, “Security of ieee 802.16 in mesh mode,” Proceedings of the2006 IEEE Military Communications Conference (Milcom 2006), Washington, DC,Oct. 2006, pp. 1–6.
[146] IETF RFC 2405, The ESP DES-CBC Cipher Algorithm With Explicit IV, November1998.
[147] IETF RFC 3610, Counter with CBC-MAC (CCM), September 2003.
[148] IEEE Std 802.16e-2005, IEEE standard for local and metropolitan area networks,part 16: air interface for fixed and mobile broadband wireless access systems,amendment 2: physical and medium access control layers for combined fixed andmobile operation in licensed bands and corrigendum 1, December 2005.
[149] IETF RFC 3748, Extensible Authentication Protocol (EAP), June 2004.
[150] IETF RFC 3686, Using Advanced Encryption Standard (AES) Counter Mode WithIPsec Encapsulating Security Payload (ESP), January 2004.
[151] IETF RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec,September 2003.
212
BIOGRAPHICAL SKETCH
Yun Zhou received a B.E. degree in electronic information engineering (2000) and
an M.E. degree in communication and information system (2003) from the Department
of Electronic Engineering and Information Science at the University of Science and
Technology of China, Hefei, China. He is currently pursuing the Ph.D. degree in the
Department of Electrical and Computer Engineering at the University of Florida,
Gainesville, USA. His research interests are in the areas of security, cryptography, wireless
communications and networking, signal processing, and operating systems. He is a student
member of the IEEE.