1

Key management for wireless sensor networks

Sources: ACM Transactions on Sensor Networks, 2(4), pp. 500-528, 2006.Sources: Computer Communications, 30(9), pp. 1964-1979, 2007.Reporter: Chun-Ta Li (李俊達 )

222

Outline LEAP+: Efficient Security Mechanisms for Large-Scale

Distributed Sensor Networks [ACM Transactions on Sensor Network] Introduction Zhu et al.’s scheme

Key Management for Long-Lived Sensor Networks in Hostile Environments [Computer Communications] Chorzempa et al.’s scheme Comparisons

Comments

3

Introduction Security of wireless sensor networks

BSAFN AFN

AFN

Aggregation and Forwarding Nodes

MSN

MSN

MSN

MSN

MSN

MSN

MSNMSN

MSN

MSN

MSN

MSN

Base Station

Micro Sensor Nodes

MSN BS MSN

BS

AFN MSN

MSN MSN

cluster

// symmetric shared keys

// multiple keying mechanism

4

Introduction (cont.) Dynamic keying in a hierarchical WSN

Establishing individual node keys Establishing pairwise shared keys

The basic scheme The extended scheme

Establishing cluster keys Establishing global key

Clustering and key setup Node addition Key renewal Recovery from multiple MSN

node captures Re-clustering after AFN capture

[Zhu et al.’s scheme] [Chorzempa et al.’s scheme]

5

Zhu et al.’s scheme

BSMSN

MSN

MSN

MSN

MSN

MSN

MSNMSN

MSN

MSN

MSN

// sensors are not mobile

// neighboring nodes of any sensor are not known in advance// BS will not be compromised

Base Station

Micro Sensor Nodes

6

Zhu et al.’s scheme (cont.) Four types of required keys

Individual Key: MSN <-> BS (MSN can compute a MAC for ensuring validity of its sensed readings to BS)

Global Key: all MSNs (BS may broadcast queries or commands to the entire network)

Cluster Key: MSN <-> neighbors (securing locally broadcast message)

Pairwise Shared Key: MSNa <-> MSNb

7

Zhu et al.’s scheme (cont.) Notations

N is the number of nodes in the network. u, v are principals such as communicating nodes. {fk} is a family of pseudo-random function. {s}k means encryption message s with key k. MAC(k,s) is the message authentication code of message s

using a symmetric k. {Tmin, Test} are two types of time interval, where Tmin > Test. KIN is an initial key Ku is a master key belongs to node u such that Ku = fKIN

(u).

8

Zhu et al.’s scheme (cont.) Establishing Individual Node Keys (IKu)

BS u

IKu = fKm(u)

// f is a pseudo-random function

// Km is a master key known only to BS

// Each node has a unique id u

9

Zhu et al.’s scheme (cont.) Establishing Pairwise Shared Keys (Basic)

Key predistribution

Neighbor discovery

Key erasure (when its timer expires after Tmin)

BS uKu = fKIN

(u)

// KIN

is an initial key known to each node

// Each node u derives a master key Ku

u neighbors1.

HELLO(u)vu

2. v, MAC(Kv, u|v)// Kuv = fKv

(u) = fKu(v) = Kvu

u Node u erases KIN and all master keys (Kv) of its neighbors (no erasure Ku)

10

Zhu et al.’s scheme (cont.) Establishing Pairwise Shared Keys (Extended)

Key predistribution

Neighbor discovery

Key erasure

BS u

Kju = fK

j

IN(u), i < j < M

KiIN

u neighbors1. HELLO(u,i)

vu2. v, MAC(Ki

v, u|v)// Kuv = fK

i

v(u) = fK

i

u(v) = Kvu

u Node u erases KiIN and all master keys (Ki

v) of its neighbors (no erasure Kiu

or any other preloaded master keys Kju where i < j < M)

11

Zhu et al.’s scheme (cont.) Establishing Cluster Keys (Kc

i)

vu

w

Kcu

Kcw

Kcv

(Kcv)Kvu

(Kc v) K vw

(Kcu)Kuv

(K cu )

Kuw

(Kc w) K wv(K c

w )K

wu// When node u is revoked, every neighbor node generate a new cluster key and transmits it to all other neighbors

one-way key chain HCv

one-way key chain HCw

one-way key chain HCu

12

Zhu et al.’s scheme (cont.) Rekeying the Global Key k’g (when a compromised node

is detected) Authenticated Node Revocation

Secure Key Distribution

BS

w

v

ut

x

Broadcast M

M = u, fk’g(0), kT

i, MAC(kTi, u | fk’g

(0))

• v and w will remove its pairwise key shared with u• v and w will update its cluster key

BS (k’g)KcBS

(k’g)Kci

// If verification is successful,

The value of hash chain

• v and w will store fk’g(0) temporarily

13

Zhu et al.’s scheme (cont.) Integration of the pairwise key establishment

phase with the cluster establishment phase

vu

1. HELLO(u)

2. v, {Kcv}Kv

, MAC(Kv, u | v | {Kcv}Kv

)

3. u, {Kcu}Kuv

, MAC(Ku, u | {Kcu}Kuv

)

14

Chorzempa et al.’s scheme

BSAFN

AFN

AFN

Aggregation and Forwarding Nodes

MSN

MSN

MSN

MSN

MSN

MSN

MSNMSN

MSN

MSN

MSN

MSN

Base Station

Micro Sensor Nodes

15

Chorzempa et al.’s scheme (cont.) Location training

• MSNs have completed neighbor discovery

• AFN is aware of one-hop MSNs

=>

ID1 ID2IDAFN1

=>CEM

neighbors

Coordinate Establishment Message (CEM)

• hopcountNj+1 < hopcountNi

(IDAFN2) (IDAFN1

) Reassign to AFN2

• hopcountNj+1 > hopcountNi

(IDAFN1)(IDAFN1

)

= Discard CEM

• hopcountNj+1 > hopcountNi

(IDAFN2) (IDAFN1

) Unicast CEM to its primary AFN1

16

Chorzempa et al.’s scheme (cont.) Three types of required keys

Administrative key set (k+m), EBS(n,k,m) Pairwise secret key Kpi (BS<->MSN)

Tree administrative key Kti

Number of MSN nodes in a cluster hold

not hold

AFNM1

M3

M4M2

Kt1

Kt1

Kt2

Kt2

An example of EBS(10,3,2)

A cluster view

Kp1

Kp2

Kp3 Kp4

Update a session key Kg with Kg’

(k + m broadcasts)

(EBS; Exclusion Basis System)

17

Chorzempa et al.’s scheme (cont.) If N1 is captured (replace administrative keys

and session keys known to N1)

(m broadcasts)

• Non-colluding node captures (|y|=2; N1, N6)

(my broadcasts)

IDAFN||EKa4(EKa2(Ka1’~Ka5’))

IDAFN||EKa5(EKa2(Ka1’~Ka5’))

IDAFN||EKa4(EKa3(Ka1’~Ka5’))

IDAFN||EKa5(EKa3(Ka1’~Ka5’))

18

Chorzempa et al.’s scheme (cont.) Colluding node captures (Administrative key

recovery) (EBS(6,2,1))

K1

K2

K3

M1 M2 M3 M4 M5 M6

1

1

0

1

0

1

0

1

1

1

1

0

1

0

1

0

1

1

AFNM1

M4

M5M2

tree1

tree1

M3

tree1

tree2

tree2

M6

tree2

Sc

Sut

EKt2(EK1

(K1’)||EK2(K2’)||EK3

(K3’))

Kt2

Kt2

Kt2

19

Chorzempa et al.’s scheme (cont.) Reactive re-clustering after AFN capture

membership list

(location training)BS

AFNa

MSN

AFNb

MSN MSNMSN… …

capture

absorption

BS

Ni

AFNb

EKAFNb(KAFNb-Ni || IDNi) || TicketNi ,

TicketNi = EKpi(KAFNb-Ni || IDAFNb || IDNi || routeNi-AFNb || nonce)

AFNb

IDNi || IDAFNb || EKAFNb-Ni( administrative keys)) || TicketNi

20

Chorzempa et al.’s scheme (cont.) MSN addition

AFNb

OldOld …

AFNa

OldOld …

OldOld New Old OldOld

hellohello

OldNew => neighborshello

Old Newneighbors

IDNi || IDAFNp || hopcountNi

OldNew AFNa

(IDNnew || IDAFNa || nonce) || MACKpi

BS

AFNa BS

(IDNnew || IDAFNa || nonce) || MACKpi || MACKAFNa

1.

2.

3.

4.

5. BS New

TicketNnew = EKpi(KAFNa-Nnew || IDAFNa || IDNnew || nonce)

21

ComparisonsZhu et al.’s scheme Chorzempa et al.’s scheme

Mutual authentication Yes No

Forward secrecy No No mentioned

Dynamic keying Yes Yes

S2S key establishment Yes No mentioned

Recovery from compromised attack

Yes Yes

Required key 1+1+2n 1+1+k

n: the number of neighbors

22

Comments In Zhu et al.’s scheme, an old node is unable

to establish a pairwise key with a new node. In Chorzempa et al.’s scheme, it lacks the

mechanism of pairwise key establishment for any two sensors.