© 2007 Yun Zhou · ufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf


SECURITY IN WIRELESS SENSOR NETWORKS

By

YUN ZHOU

A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT

OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

UNIVERSITY OF FLORIDA

2007


© 2007 Yun Zhou


To my family.


ACKNOWLEDGMENTS

My foremost gratitude goes to my advisor, Prof. Yuguang “Michael” Fang, for his invaluable guidance, encouragement and support during my years in the Wireless Networks Laboratory (WINET). Prof. Fang has not only guided my research in the past few years with his insights and knowledge, but has also supported my personal growth with thoughtfulness and patience.

I gratefully acknowledge my other committee members, Prof. Sartaj Sahni, Prof. Shigang Chen, and Prof. Dapeng Wu, for serving on my supervisory committee and for their invaluable support in various stages of my work.

I would not be a wholesome graduate student without a group of great friends. I would like to extend my thanks to my fantastic colleagues in WINET, whose presence and fun-loving spirit built up a warm, family-like environment. I also appreciate their collaboration and insightful advice throughout these years.

Finally, I am deeply indebted to my friends who have always been standing by my side. Without their care and unwavering support, I could never have imagined what I have achieved.


TABLE OF CONTENTS

page

ACKNOWLEDGMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

LIST OF ABBREVIATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

ABSTRACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

CHAPTER

1 INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2 KEY AGREEMENT FOR LARGE SCALE NETWORKS . . . . . . . . . . . . 22

2.1 Introduction . . . . . . . . . . . . 22
2.2 Key Agreement Models . . . . . . . . . . . . 24
2.2.1 Global Key . . . . . . . . . . . . 24
2.2.2 Key Server . . . . . . . . . . . . 25
2.2.3 Pairwise Key . . . . . . . . . . . . 25
2.2.4 Matrix . . . . . . . . . . . . 26
2.2.5 Polynomial . . . . . . . . . . . . 27
2.3 Our Model . . . . . . . . . . . . 27
2.3.1 Mathematical Tool . . . . . . . . . . . . 28
2.3.2 Assumptions . . . . . . . . . . . . 30
2.3.3 Share Distribution . . . . . . . . . . . . 30
2.3.4 Direct Key Calculation . . . . . . . . . . . . 32
2.3.5 Indirect Key Negotiation . . . . . . . . . . . . 32
2.4 Analysis . . . . . . . . . . . . 33
2.4.1 Number of Secure Paths . . . . . . . . . . . . 34
2.4.2 Number of Disjoint Secure Paths . . . . . . . . . . . . 34
2.4.3 Number of Agent Nodes . . . . . . . . . . . . 34
2.4.4 An Example . . . . . . . . . . . . 35
2.4.5 Security of Direct Keys . . . . . . . . . . . . 36
2.4.5.1 Node compromise in one subspace . . . . . . . . . . . . 36
2.4.5.2 Node compromise in all subspaces . . . . . . . . . . . . 37
2.4.5.3 Choose degree t . . . . . . . . . . . . 38
2.4.6 Security of Indirect Keys . . . . . . . . . . . . 40
2.4.7 Memory Cost . . . . . . . . . . . . 40
2.4.8 Computation Overhead . . . . . . . . . . . . 42
2.4.9 Communication Overhead . . . . . . . . . . . . 42
2.5 Security Enhancement of Indirect Keys . . . . . . . . . . . . 43


2.6 Key Establishment in Wireless Sensor Networks . . . . . . . . . . . . 45
2.6.1 Random Key Material Distribution . . . . . . . . . . . . 45
2.6.2 Deterministic Key Material Distribution . . . . . . . . . . . . 47
2.6.3 Comparisons With Related Work . . . . . . . . . . . . 49
2.7 Conclusion . . . . . . . . . . . . 50

3 KEY ESTABLISHMENT USING DEPLOYMENT KNOWLEDGE IN WIRELESS SENSOR NETWORKS . . . . . . . . . . . . 51

3.1 Introduction . . . . . . . . . . . . 51
3.1.1 Sensor Network Model . . . . . . . . . . . . 51
3.1.2 Security Challenges . . . . . . . . . . . . 52
3.1.3 Attacks . . . . . . . . . . . . 54
3.1.3.1 Attack techniques . . . . . . . . . . . . 54
3.1.3.2 Passive vs. active . . . . . . . . . . . . 55
3.1.3.3 External vs. internal . . . . . . . . . . . . 55
3.1.4 Security Requirements . . . . . . . . . . . . 56
3.2 Uniform Key Material Distribution . . . . . . . . . . . . 57
3.3 A Square Cell Deployment Model . . . . . . . . . . . . 58
3.4 New Deployment and Secret Pre-Distribution Models . . . . . . . . . . . . 59
3.4.1 Security of LBKP . . . . . . . . . . . . 59
3.4.2 A Hexagon Cell Model . . . . . . . . . . . . 60
3.4.3 Edge-Based Secret Pre-Distribution . . . . . . . . . . . . 61
3.4.4 A Triangle Cell Model . . . . . . . . . . . . 63
3.5 Cell-based Pairwise Key Establishment . . . . . . . . . . . . 64
3.5.1 Node Deployment . . . . . . . . . . . . 64
3.5.2 Polynomial distribution . . . . . . . . . . . . 64
3.5.3 Pairwise Key Establishment . . . . . . . . . . . . 65
3.5.4 Node Addition . . . . . . . . . . . . 66
3.5.5 Node Revocation . . . . . . . . . . . . 66
3.6 Analysis and Evaluation . . . . . . . . . . . . 67
3.6.1 Security . . . . . . . . . . . . 67
3.6.2 Memory Cost . . . . . . . . . . . . 70
3.6.3 Connectivity . . . . . . . . . . . . 71
3.7 Conclusion . . . . . . . . . . . . 74

4 SCALABLE KEY ESTABLISHMENT IN WIRELESS SENSOR NETWORKS . . . . . . . . . . . . 77

4.1 Introduction . . . . . . . . . . . . 77
4.2 Two Dimension Grid Design for TLK and LLK Establishment . . . . . . . . . . . . 79
4.2.1 Network Model . . . . . . . . . . . . 79
4.2.2 Share Pre-distribution . . . . . . . . . . . . 80
4.2.3 Direct Key Calculation . . . . . . . . . . . . 81
4.2.4 Indirect Key Negotiation . . . . . . . . . . . . 82
4.2.5 LLK Establishment . . . . . . . . . . . . 83
4.2.6 TLK Establishment . . . . . . . . . . . . 84


4.2.7 Performance Evaluation . . . . . . . . . . . . 85
4.2.7.1 Memory cost . . . . . . . . . . . . 85
4.2.7.2 Resilience to node compromise . . . . . . . . . . . . 87
4.2.7.3 Local secure connectivity . . . . . . . . . . . . 91
4.2.7.4 Computation overhead . . . . . . . . . . . . 93
4.3 Scalable Link-Layer Key Agreement in Sensor Networks . . . . . . . . . . . . 94
4.3.1 Network Model . . . . . . . . . . . . 94
4.3.2 Share Distribution . . . . . . . . . . . . 95
4.3.3 Node Deployment . . . . . . . . . . . . 96
4.3.4 Link-layer Key Agreement . . . . . . . . . . . . 97
4.3.5 Performance Evaluation . . . . . . . . . . . . 100
4.3.5.1 Memory cost . . . . . . . . . . . . 100
4.3.5.2 Security . . . . . . . . . . . . 101
4.3.5.3 Local secure connectivity . . . . . . . . . . . . 102
4.4 Conclusion . . . . . . . . . . . . 104

5 A LOCATION-BASED NAMING MECHANISM FOR SECURING SENSOR NETWORKS . . . . . . . . . . . . 105

5.1 Introduction . . . . . . . . . . . . 105
5.2 Location-based Naming Mechanism . . . . . . . . . . . . 107
5.2.1 Location Determination . . . . . . . . . . . . 107
5.2.2 Location-based Name . . . . . . . . . . . . 108
5.3 Link Layer Security . . . . . . . . . . . . 110
5.3.1 Establishing Shared Keys . . . . . . . . . . . . 111
5.3.2 B-Phase Authentication . . . . . . . . . . . . 112
5.3.3 C-Phase Authentication . . . . . . . . . . . . 114
5.4 Secure Sensor Networks . . . . . . . . . . . . 115
5.4.1 The Sybil Attack . . . . . . . . . . . . 116
5.4.2 Identity Replication Attacks . . . . . . . . . . . . 116
5.4.3 Wormhole Attacks . . . . . . . . . . . . 117
5.4.4 Sinkhole Attacks . . . . . . . . . . . . 118
5.4.5 HELLO Flood Attacks . . . . . . . . . . . . 118
5.4.6 The Acknowledgement Spoofing Attack . . . . . . . . . . . . 118
5.4.7 The Node-compromise Attack . . . . . . . . . . . . 119
5.4.8 The Memory Exhaustion Attack . . . . . . . . . . . . 119
5.5 Discussion . . . . . . . . . . . . 120
5.6 Conclusion . . . . . . . . . . . . 121

6 ACCESS CONTROL IN WIRELESS SENSOR NETWORKS . . . . . . . . . . . . 122

6.1 Introduction . . . . . . . . . . . . 122
6.2 Review of Attacks . . . . . . . . . . . . 124
6.2.1 Malicious Nodes Deployment . . . . . . . . . . . . 124
6.2.2 The Sybil Attack . . . . . . . . . . . . 124
6.2.3 The Node Replication Attack . . . . . . . . . . . . 125


6.2.4 The Wormhole Attack . . . . . . . . . . . . 126
6.3 Access Control . . . . . . . . . . . . 126
6.3.1 Necessity . . . . . . . . . . . . 126
6.3.2 The State of the Art . . . . . . . . . . . . 127
6.4 Our Protocol . . . . . . . . . . . . 129
6.4.1 Outline . . . . . . . . . . . . 129
6.4.2 Assumptions . . . . . . . . . . . . 130
6.4.2.1 Network model . . . . . . . . . . . . 130
6.4.2.2 Adversary model . . . . . . . . . . . . 131
6.4.3 Cryptographic Primitive . . . . . . . . . . . . 131
6.4.4 Predeployment Phase . . . . . . . . . . . . 132
6.4.4.1 Network parameters . . . . . . . . . . . . 132
6.4.4.2 Sensor parameters . . . . . . . . . . . . 133
6.4.5 Node Deployment . . . . . . . . . . . . 134
6.4.6 Node Authentication . . . . . . . . . . . . 134
6.4.6.1 Handshake between new nodes . . . . . . . . . . . . 134
6.4.6.2 Handshake between a new node and an old node . . . . . . . . . . . . 136
6.4.7 Key Establishment . . . . . . . . . . . . 137
6.5 Security Analysis . . . . . . . . . . . . 138
6.5.1 New Node Deployment . . . . . . . . . . . . 138
6.5.2 Eavesdropping and False Reports Injection . . . . . . . . . . . . 138
6.5.3 Node Compromise . . . . . . . . . . . . 138
6.5.4 Attacks to Access Control . . . . . . . . . . . . 139
6.6 Evaluation . . . . . . . . . . . . 140
6.6.1 ECC vs. RSA . . . . . . . . . . . . 140
6.6.2 Comparison with Related Work . . . . . . . . . . . . 142
6.7 Conclusion . . . . . . . . . . . . 144

7 BABRA: BATCH-BASED BROADCAST AUTHENTICATION IN WIRELESS SENSOR NETWORKS . . . . . . . . . . . . 146

7.1 Introduction . . . . . . . . . . . . 146
7.2 µTESLA . . . . . . . . . . . . 147
7.3 BABRA Design . . . . . . . . . . . . 148
7.3.1 Network Model . . . . . . . . . . . . 148
7.3.2 Architecture . . . . . . . . . . . . 149
7.3.3 Bootstrapping . . . . . . . . . . . . 151
7.3.4 Counteracting Bogus Packets . . . . . . . . . . . . 151
7.3.5 Countermeasures to Radio Jamming . . . . . . . . . . . . 152
7.3.5.1 Intermittent jamming . . . . . . . . . . . . 152
7.3.5.2 Continuous jamming . . . . . . . . . . . . 155
7.4 Discussion . . . . . . . . . . . . 157
7.5 Conclusion . . . . . . . . . . . . 158


8 MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE . . . . . . . . . . . . 159

8.1 Introduction . . . . . . . . . . . . 159
8.2 Related Work . . . . . . . . . . . . 161
8.3 Multicast Authentication Over Lossy Channels . . . . . . . . . . . . 162
8.3.1 Assumptions . . . . . . . . . . . . 162
8.3.2 Batch Signature . . . . . . . . . . . . 162
8.4 Batch Signature Construction . . . . . . . . . . . . 164
8.4.1 Batch RSA Signature . . . . . . . . . . . . 164
8.4.1.1 RSA . . . . . . . . . . . . 164
8.4.1.2 Batch RSA . . . . . . . . . . . . 164
8.4.1.3 Requirements to the sender . . . . . . . . . . . . 165
8.4.2 Batch BLS Signature . . . . . . . . . . . . 166
8.4.2.1 BLS . . . . . . . . . . . . 166
8.4.2.2 Batch BLS . . . . . . . . . . . . 167
8.4.2.3 Requirements to the sender . . . . . . . . . . . . 168
8.4.3 Batch DSA Signature . . . . . . . . . . . . 168
8.4.3.1 Harn DSA . . . . . . . . . . . . 168
8.4.3.2 Harn batch DSA . . . . . . . . . . . . 169
8.4.3.3 The Boyd-Pavlovski attack . . . . . . . . . . . . 170
8.4.3.4 Our batch DSA . . . . . . . . . . . . 170
8.4.3.5 Requirements to the sender . . . . . . . . . . . . 171
8.5 Performance Evaluation . . . . . . . . . . . . 172
8.5.1 Resilience to Packet Loss . . . . . . . . . . . . 172
8.5.2 Authentication Latency . . . . . . . . . . . . 173
8.5.3 Computational Overhead . . . . . . . . . . . . 175
8.5.4 Communication Overhead . . . . . . . . . . . . 176
8.6 Counteracting DoS . . . . . . . . . . . . 177
8.7 Conclusion . . . . . . . . . . . . 182

9 SECURITY OF IEEE 802.16 IN MESH MODE . . . . . . . . . . . . 184

9.1 Introduction . . . . . . . . . . . . 184
9.2 Security Architecture of IEEE 802.16 in Mesh Mode . . . . . . . . . . . . 186
9.3 Security Threats to IEEE 802.16 in Mesh Mode . . . . . . . . . . . . 187
9.3.1 Topological Attacks . . . . . . . . . . . . 187
9.3.2 Authorization Threats . . . . . . . . . . . . 188
9.3.3 Threats to Link Establishment . . . . . . . . . . . . 192
9.3.4 Threats to TEKs . . . . . . . . . . . . 194
9.3.5 Traffic Threats . . . . . . . . . . . . 195
9.4 802.16e Security in Mesh Mode . . . . . . . . . . . . 195
9.4.1 Security Improvements . . . . . . . . . . . . 196
9.4.2 Potential Threats . . . . . . . . . . . . 196
9.5 New Security Improvements . . . . . . . . . . . . 197
9.5.1 Neighbor Authentication . . . . . . . . . . . . 197
9.5.2 Cryptographic Issues . . . . . . . . . . . . 198


9.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

BIOGRAPHICAL SKETCH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213


LIST OF TABLES

Table page

2-1 Bound and precise ratios between t∗ and N1 . . . . . . . . . . . . . . . . . . . . 40

3-1 The algorithm for polynomial distributing. . . . . . . . . . . . . . . . . . . . . . 65

3-2 Memory cost. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

4-1 Memory cost of different schemes. . . . . . . . . . . . . . . . . . . . . . . . . . . 87

4-2 Local secure connectivity of different schemes . . . . . . . . . . . . . . . . . . . 93

4-3 Computation overhead of different schemes. . . . . . . . . . . . . . . . . . . . . 94

4-4 Memory cost of different schemes . . . . . . . . . . . . . . . . . . . . . . . . . . 101

8-1 Authentication latency of different schemes. . . . . . . . . . . . . . . . . . . . . 175

8-2 Computation overhead of different schemes for one block. . . . . . . . . . . . . . 176

8-3 Computational overhead of different batch schemes. . . . . . . . . . . . . . . . . 176

8-4 Communication overhead of different schemes for one block. . . . . . . . . . . . 177

8-5 Communication overhead of signature schemes. . . . . . . . . . . . . . . . . . . 177

8-6 Comparisons between the block-based approach and the batch-based approach. . 182


LIST OF FIGURES

Figure page

2-1 Construction of credentials according to the equation (2–9). . . . . . . . . . . . 31

2-2 An example of key graph in the 3-dimension ID space. . . . . . . . . . . . . . . 35

2-3 Minimum required polynomial degree. . . . . . . . . . . . . . . . . . . . . . . . 41

2-4 The communication overhead. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

3-1 A wireless sensor network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

3-2 A square cell deployment model. . . . . . . . . . . . . . . . . . . . . . . . . . . 59

3-3 A hexagon cell model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

3-4 A triangle grid model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

3-5 M = 120. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

3-6 M = 240. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

3-7 The probability that each node resides in its own cell is 0.9. . . . . . . . . . . . 75

3-8 The probability that each node resides in its own cell is 0.99. . . . . . . . . . . . 76

4-1 A two-dimension sensor network. . . . . . . . . . . . . . . . . . . . . . . . . . . 80

4-2 LLK establishment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

4-3 M = 240. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

4-4 M = 180. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

4-5 Topology. A) Before deployment. B) After deployment. . . . . . . . . . . . . . . 98

4-6 Deployment strategy. A) Before deployment. B) After deployment. . . . . . . . 99

4-7 Node coverage in one cell. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

5-1 A square cell deployment model. . . . . . . . . . . . . . . . . . . . . . . . . . . 108

5-2 Location-based name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

6-1 Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

6-2 Handshake between two new nodes. . . . . . . . . . . . . . . . . . . . . . . . . . 136

6-3 Handshake between a new node and an old node. . . . . . . . . . . . . . . . . . 137

7-1 One batch of broadcast and the batch packet format. . . . . . . . . . . . . . . . 149


7-2 The authenticated broadcasting stream. . . . . . . . . . . . . . . . . . . . . . . 151

7-3 The key survival probability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

8-1 Verification rate under the random loss model. . . . . . . . . . . . . . . . . . . . 173

8-2 Verification rate under the burst loss model with the maximum burst length 10. 174

8-3 An example of Merkle tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

8-4 MABS architecture including the DoS counter measure. . . . . . . . . . . . . . . 181

9-1 Mesh networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

9-2 Sinkhole attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

9-3 Wormhole attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

9-4 Node authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

9-5 Replay attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

9-6 False base station. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

9-7 Link establishment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

9-8 TEK update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195


LIST OF ABBREVIATIONS

AK Authorization key

ASM Authorization state machine

BABRA Batch-based broadcast authentication

BIBD Balanced incomplete block design

BS Base station

CRC Cyclic redundancy checksum

DOCSIS Data over cable service interface specifications

DoS Denial of service

DSA Digital signature algorithm

ECC Elliptic curve cryptography

ECDLP Elliptic curve discrete logarithm problem

ECDSA Elliptic curve digital signature algorithm

FEC Forward error correction

GPS Global positioning system

ID Identifier or identity

IV Initialization vector

KDC Key distribution center

KTC Key translation center

LAKE Two-layer key establishment

LBN Location-based naming

LBKP Location-based key pre-distribution

LLA Link layer authentication

LLK Link layer key

MABS Multicast authentication based on batch signature

MAC Message authentication code in cryptography, or medium access control in networking theory


MSKP Multiple-space key pre-distribution

OHC One-way hash chain

OSS Operator shared secret

OWA One-way accumulator

PIKE Peer intermediaries for key establishment

PKE Pairwise key establishment

PKM Privacy and key management

PMP Point-to-multi-point

PPKP Polynomial pool-based key pre-distribution

QoS Quality of service

RKP Random key pre-distribution

RPK Random-pairwise key

RSA A cryptography algorithm named after its inventors Ron Rivest, Adi Shamir and Leonard Adleman

SA Security association

SPINS Security protocols for sensor networks

SS Subscriber station

TEK Traffic encryption key

TESLA Timed efficient stream loss-tolerant authentication

TLK Transport layer key

TSM TEK state machine

WiMAX Worldwide interoperability for microwave access

WLAN Wireless local area network

WMAN Wireless metropolitan area networks

WSN Wireless sensor network


Abstract of Dissertation Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

SECURITY IN WIRELESS SENSOR NETWORKS

By

Yun Zhou

August 2007

Chair: Yuguang Fang
Major: Electrical and Computer Engineering

Rapid advances in wired/wireless networking technology are gradually expanding the realm of ubiquitous high-speed network access. Such a process also encounters more and more threats and attacks from those who exploit vulnerabilities in networks. This has motivated research on security in wireless networks.

Key establishment is the first step in developing all other security mechanisms, because most security protocols depend on keys to operate correctly and to provide the desired security. In my research, a scalable and deterministic key agreement model based on a multivariate polynomial and a multidimensional grid-based network topology was developed to enable key establishment in large scale networks with very low memory cost. I will show that my model achieves a memory cost several orders of magnitude lower than the number of nodes in the network, whereas traditional models have a memory cost of the same order as the network size. My model has found applications in wireless sensor networks to establish hop-to-hop keys and end-to-end keys. In addition, I proposed an access control protocol based on elliptic curve cryptography (ECC) for wireless sensor networks, which accomplishes node authentication and key establishment for new nodes. Unlike conventional authentication methods, my protocol can defend against most well-recognized attacks in wireless sensor networks, and it achieves better computation and communication performance thanks to the more efficient ECC-based algorithms.


Authentication is critical to ensure the origin of a multicast stream in hostile environments. Conventional block-based schemes suffer from drawbacks such as vulnerability to packet loss, authentication latency and denial of service (DoS) attacks. In my research, I developed a novel multicast authentication scheme based on batch signatures. In particular, each packet in a stream carries its own signature, and the receiver authenticates multiple packets by checking their signatures through only one verification operation. I proposed three implementations, including two novel batch signature schemes. My approach achieves computational efficiency while avoiding the drawbacks of conventional block-based schemes. I also proposed a broadcast authentication protocol for wireless sensor networks based on symmetric key techniques. Compared with conventional symmetric key solutions, my scheme does not require time synchronization, eliminates the need for a key chain, supports broadcast for an unlimited number of rounds, and is efficient due to the use of symmetric key techniques.
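The per-packet-signature, one-verification idea summarized above, as an added Python example (not code from the dissertation): it implements the generic batch RSA check that Chapter 8 lists next to batch BLS and batch DSA, where every packet carries an RSA signature under the same sender key and the receiver multiplies signatures and hashes and does a single exponentiation. The dissertation's own sender-side requirements, packet format and DoS countermeasures are not reproduced. The toy RSA parameters, the SHA-256 full-domain hash and the eight sample packets are constructed for this example. Two practitioner checks are included: a bisection that locates individually bad signatures when the batch check fails, and a demonstration of a property of every multiplicative batch check, namely that it certifies the batch as a whole rather than each packet (two already-valid signatures scaled by c and c^-1 still pass as a pair).

```python
import hashlib
from math import gcd

# Toy RSA key, constructed for this example only. The two primes are
# well-known ~30-bit primes; a real deployment needs a 2048-bit modulus and
# a proper signature encoding (e.g. RSA-PSS), neither of which is shown here.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
_PHI = (P - 1) * (Q - 1)
assert gcd(E, _PHI) == 1
D = pow(E, -1, _PHI)          # private exponent (Python 3.8+ modular inverse)


def hash_to_int(packet: bytes) -> int:
    """Toy full-domain hash: SHA-256 of the packet reduced into Z_N."""
    return int.from_bytes(hashlib.sha256(packet).digest(), "big") % N


def sign(packet: bytes) -> int:
    """Sender attaches one RSA signature to every packet of the stream."""
    return pow(hash_to_int(packet), D, N)


def verify_one(packet: bytes, sig: int) -> bool:
    """Conventional verification: one public-key exponentiation per packet."""
    return pow(sig, E, N) == hash_to_int(packet)


def verify_batch(batch) -> bool:
    """Batch RSA verification of [(packet, sig), ...] from the same signer.

    Multiply all signatures and all hashes mod N, then do a single
    exponentiation:  (prod sig_i)^E == prod H(m_i)  (mod N).
    The n per-packet exponentiations collapse into one plus 2n multiplications.
    """
    sig_prod, hash_prod = 1, 1
    for packet, sig in batch:
        sig_prod = sig_prod * sig % N
        hash_prod = hash_prod * hash_to_int(packet) % N
    return pow(sig_prod, E, N) == hash_prod


def find_bad(batch):
    """When the batch check fails, bisect it to locate the packets whose own
    signatures are invalid, so one bogus packet does not force the receiver
    back to n individual verifications (k bad packets cost about k*log2(n))."""
    if verify_batch(batch):
        return []
    if len(batch) == 1:
        return [batch[0][0]]
    mid = len(batch) // 2
    return find_bad(batch[:mid]) + find_bad(batch[mid:])


def compensating_tamper(batch, c: int):
    """Caveat demo: multiply one valid signature by c and another by c^-1.
    Both tampered signatures fail verify_one, but their product is unchanged,
    so verify_batch still accepts. This needs signatures that were already
    valid, so it forges nothing on new content; it shows that the product
    check certifies the batch as a whole, not each packet individually."""
    (m1, s1), (m2, s2), *rest = batch
    c_inv = pow(c, -1, N)
    return [(m1, s1 * c % N), (m2, s2 * c_inv % N), *rest]


def make_batch(packets):
    return [(p, sign(p)) for p in packets]


# Constructed sample stream of eight packets.
PACKETS = [b"stream-7:seq=%d:payload" % i for i in range(8)]

if __name__ == "__main__":
    batch = make_batch(PACKETS)
    print("batch valid:", verify_batch(batch))
    corrupted = batch[:3] + [(batch[3][0], (batch[3][1] + 1) % N)] + batch[4:]
    print("bad packets:", find_bad(corrupted))
```

Batch verification only makes sense for packets signed under one key; mixing signers breaks the product identity. The compensating-pair behaviour is a reason the dissertation's batch DSA section discusses the Boyd-Pavlovski attack and why practical batch verifiers add per-signature randomization or fall back to individual checks when a batch is suspect.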

IEEE 802.16 (worldwide interoperability for microwave access, or WiMAX) is seen as a promising technology for next-generation broadband wireless access, and its security issues have also drawn attention in the literature. In my research, I analyzed the IEEE 802.16 standard and found that although IEEE 802.16 provides some security measures in conventional one-hop networks, it is very vulnerable to malicious attacks in multihop environments such as wireless mesh networks. In order to strengthen the defense of IEEE 802.16 in mesh networks, I proposed a mesh-certificate-based access control and authentication scheme for WiMAX-based mesh networks.

17

CHAPTER 1 INTRODUCTION

Rapid advances in wired/wireless networking technology are gradually expanding the realm of ubiquitous high-speed network access. At the same time, however, such a process also encounters more and more threats and attacks from those who exploit vulnerabilities in networks on a widespread basis. The situation is deteriorating with the increasing popularity of wireless networks, which facilitate uncontrolled network access due to the shared wireless medium. This motivates my research on security in wireless networks. My overall goal is not only to make networked systems resilient to malicious attacks, but also to promote proactive security in network and protocol design.

Key establishment is the first step in developing all the other security mechanisms, because most security protocols depend on keys to operate correctly and provide the desired security performance. In Chapter 2, a scalable and deterministic key agreement model based on a multivariate polynomial and a multidimensional grid-based network topology is introduced to enable key establishment in large scale networks with very low memory cost. We will show that our model can achieve a memory cost several orders of magnitude lower than the number of nodes in the network, while traditional models have a memory cost of the same order as the network size.

Existing key agreement models can be used to establish keys in wireless sensor networks (WSN). A problem, however, arises because the communication overhead is significant when two neighboring nodes do not have correlated key material and thus have to rely on a multihop path to negotiate a shared key. This problem can be alleviated by leveraging node deployment knowledge in the sense that two nodes that will be deployed close to each other can be preloaded with correlated key material so that they have a higher probability of establishing a shared key. In Chapter 3, we show that by leveraging deployment knowledge we can achieve much better performance.

In Chapter 4, we combine our key agreement model and deployment knowledge and propose a novel key establishment scheme for WSNs. We will show that our scheme can not only achieve efficient key establishment between neighboring nodes but also establish end-to-end keys between two nodes far away from each other.

Conventional WSN designs name every node with an identifier from a one-dimensional name space that carries no meaning beyond identification. However, it is much more useful to let every node identifier carry more characteristics of the node itself. Chapter 5 introduces the naming problem and proposes a location-based naming (LBN) mechanism for WSNs, in which deployment knowledge is embedded into the node identifier and acts as an inherent node characteristic to provide an authentication service in local access control. When LBN is enforced, the impact of many attacks on WSN topology can be confined to a small area. A link layer authentication (LLA) scheme is also proposed to further decrease the impact of those attacks. Our LBN and LLA can be combined to act as an efficient solution against a wide range of attacks in WSNs.

To extend the lifetime of a WSN, new node deployment is necessary. In military scenarios, adversaries may directly deploy malicious nodes or manipulate existing nodes to introduce malicious “new” nodes through many kinds of attacks. To prevent malicious nodes from joining the network, access control is required in the design of WSN protocols. In Chapter 6, we propose an access control protocol based on elliptic curve cryptography (ECC) for WSNs. Our access control protocol accomplishes node authentication and key establishment for new nodes. Different from conventional authentication methods based on the node identity, our access control protocol includes both the node identity and the node bootstrapping time in the authentication procedure. Hence our access control protocol can not only verify the identity of each node but also differentiate between old nodes and new nodes. In addition, each new node can establish shared keys with its neighbors during the node authentication procedure. Compared with conventional security solutions, our access control protocol can defend against most well-recognized attacks in WSNs, and achieve better computation and communication performance due to the more efficient algorithms based on ECC than those based on RSA.

To prevent adversaries from injecting bogus messages, authentication is required for broadcast in WSNs. µTESLA (timed efficient stream loss-tolerant authentication) is a light-weight broadcast authentication protocol, which uses a one-way hash chain and the delayed disclosure of keys to provide the authentication service. However, it suffers from several drawbacks in terms of time synchronization, limited broadcast rounds, key chain management at the source node, etc. In Chapter 7, we propose a novel protocol, called batch-based broadcast authentication (BABRA), for WSNs. BABRA does not require time synchronization, eliminates the requirement of a key chain, and supports broadcast for infinite rounds. Like µTESLA, BABRA is also efficient due to the use of symmetric key techniques.

Authentication is critical to ensure the origin of a multicast stream in hostile environments. To avoid computationally expensive signature operations on each packet, conventional schemes divide a multicast stream into blocks, associate each block with a signature, and spread the effect of the signature across all the packets in the block through some efficient operations such as hashing or coding. However, most conventional schemes suffer from drawbacks such as vulnerability to packet loss and DoS attacks. Moreover, most of them require the entire block with its signature to be collected before authenticating each packet in the block. This authentication latency can cause jitter for real-time applications at the receiver. Unlike the block-based approach, we develop a novel multicast authentication scheme based on batch signature (MABS) in Chapter 8. In particular, each packet in a stream is attached with a signature. The receiver authenticates multiple packets by checking their signatures through only one verification operation. We propose two batch signature schemes based on BLS and DSA that are more efficient than the batch RSA signature scheme. MABS can achieve computational efficiency while avoiding the drawbacks of conventional block-based schemes.

IEEE 802.16 (WiMAX) is seen as a promising technology for next generation broadband wireless access. Compared with IEEE 802.11, IEEE 802.16 operates in a larger frequency band up to 66 GHz, covers a longer distance up to 50 km, and supports QoS (quality of service). Therefore, 802.16 has become an ideal choice for broadband wireless access systems. Based on the lessons from IEEE 802.11 networks, people have started looking into the security issues in wireless access networks. In Chapter 9, we analyzed the IEEE 802.16 standard and found that though IEEE 802.16 provides some security measures in conventional one-hop networks, it is very vulnerable to malicious attacks in multihop environments such as wireless mesh networks. In order to strengthen the defense of IEEE 802.16 in mesh networks, we proposed a mesh-certificate-based access control and authentication scheme for WiMAX-based mesh networks.

CHAPTER 2 KEY AGREEMENT FOR LARGE SCALE NETWORKS

2.1 Introduction

Key agreement is a central problem in building secure infrastructures for networks, because most security protocols and cryptographic algorithms, such as encryption or signature, require a secret key to be fed into some standard algorithm together with publicly known messages to generate outputs used in a specific secure context.

In his classic paper “Communication theory of secrecy systems” [1], Claude Shannon, who had established information theory, developed the theoretical framework for symmetric key based cryptography. In his cryptographic system model, there are two information sources, i.e., a message source and a key source, at the transmission end. The key source produces a particular key $K$ from among those which are usable in the system. This key $K$ is transmitted by some means, supposedly not interceptable, for example by a messenger, to the receiving end. The message source produces a message $M$ (in the “clear”) which is enciphered by the encipherer $T_K$. The resulting ciphertext $E$ is sent to the receiving end by a possibly interceptable means, for example radio. At the receiving end the ciphertext $E$ and the key $K$ are combined in the decipherer $T_K^{-1}$ to recover the message $M$. The transformation $T_K$ and its inverse $T_K^{-1}$ are possibly known to the public.

The Diffie-Hellman [2] and the RSA [3] algorithms mark the establishment of asymmetric key based cryptography. Unlike the single key used by both the transmission end and the receiving end in symmetric key systems, there are two keys for each end in asymmetric key systems. The transmission end encrypts a message $M$ into a ciphertext $E$ by an encryption key $K$ that belongs to the receiving end. The receiving end decrypts the ciphertext $E$ to get the message $M$ by a decryption key $K^{-1}$ that also belongs to himself¹. Here the encryption key $K$ and the decryption key $K^{-1}$ are different. Though the decryption key is kept secret by the receiving end, the encryption key is usually known to the public so that anyone can send messages to the receiving end using the encryption key. Asymmetric key systems, therefore, are also called public key systems, and the encryption key and decryption key are called the public key and private key, respectively.

¹ In this dissertation, we do not consider the gender difference.

In a cryptographic system, the message source and the ciphertext space are usually accessible to an attacker. The encryption and decryption transforms are also assumed to be accessible to the attacker. Though in some specific systems the cryptographic algorithms can be kept secret, this approach may increase the system's vulnerability, because an algorithm that is not inspected carefully by critical experts may have potential defects that can be exploited by hackers. Therefore most “secure” algorithms are public so that they can be carefully inspected. In this case, the security of the entire system mainly relies on the secrecy of the keys it uses.

If an attacker can find the key, the entire system is broken. The attacker can achieve this goal by cryptanalysis. Most cryptographic systems are vulnerable to cryptanalysis due to the redundancy of the message source in the real world. The redundancy always provides the attacker a possible tool for cryptanalysis of ciphertexts intercepted during their transmission. Moreover, the attacker knows the system being used, i.e., the message space, the transformation $T_i$, and the probabilities of choosing various keys, and has unlimited time and staff available for the analysis of ciphertexts. The attacker thus can use all these resources to find the key if time is not a concern. Another way is to directly intercept the key during its transmission between the message source and the receiving end. Therefore, how to achieve key agreement between the source and sink securely is a very important issue.

Generally, key establishment involves two steps. First, the source and sink should be configured with some key material. Second, that material is used to establish a shared symmetric key between the source and sink. In symmetric key systems, the key material can be a shared symmetric key or parameters used to calculate the symmetric key. In asymmetric key systems, it consists of parameters associated with the chosen asymmetric key algorithm, e.g., Diffie-Hellman or RSA, and the source and sink can negotiate a shared symmetric key by using the asymmetric key algorithm.

Asymmetric key algorithms outperform symmetric key algorithms in terms of flexible manageability, but their efficacy relies on the authenticity of public keys. Hence, asymmetric key algorithms are usually applicable in networks that include fixed authorities in charge of the authentication of public keys. However, there are many scenarios, e.g., dynamic conferences or ad hoc networks, where such authorities are not available. In addition, asymmetric key algorithms require more computation resources than symmetric key algorithms. Therefore, symmetric key algorithms are well suited to low-end devices because of their efficiency. In this chapter, we mainly focus on how to achieve key agreement by using symmetric key algorithms.

2.2 Key Agreement Models

A network consists of many nodes. In order to secure communication between nodes, we need some method to establish a shared key for each pair of nodes. In this section, we review several models for key agreement in a network.

2.2.1 Global Key

The simplest symmetric key model is to use a global key, which is shared by all the nodes in a network. Usually each node is configured with the global key by an off-line authority before joining the network. After the node joins the network, it can communicate with other nodes securely. In order to avoid exposure of the key to an attacker through cryptanalysis, the global key needs to be updated periodically. In each period, a key manager generates and distributes a new global key to all the nodes in the network. One example of the global key model used in WSNs can be found in [4].

The global key model assumes all the nodes in the network are trustworthy, and thus this model can effectively prevent external attackers from accessing critical information that is secured by the global key. However, this assumption fails in scenarios where an attacker can get the global key by compromising only one node and thereby break into the entire network.

2.2.2 Key Server

A special node in a network can be selected as a key distribution center (KDC) or key translation center (KTC) [5]. Each of the other nodes has a shared key, which could be pre-configured, with the KDC/KTC, which is a central trusted server. The KDC/KTC helps to establish a shared key between any two nodes. An example of applying a KDC in WSNs is SPINS (security protocols for sensor networks) [6].

The KDC/KTC model has the merit of low memory cost for storing key material. Each node keeps only one key shared with the KDC/KTC. When a new node joins the network, it can negotiate a shared key with any other node as long as the new node is configured with a key shared with the KDC/KTC. On the other hand, the centralized model also makes the KDC/KTC a potential failure point in the sense that the entire network is broken if the KDC/KTC is corrupted by an attacker.

2.2.3 Pairwise Key

The pairwise key model is a distributed model. It assumes that a pair of nodes can be configured with a unique shared secret key. In the full pairwise key model, each pair of nodes in a network is configured with a distinct shared key, so that they can communicate securely right after they join the network. In a partial pairwise key model, each node is configured with pairwise keys for a portion of the other nodes in the network. Therefore, a pair of nodes may not have a shared key in advance. They, however, may rely on a multihop path to negotiate a shared key online, where the path is secured by consecutive pairwise keys.

The pairwise key model is perfectly secure in the sense that no matter how many nodes collude with each other, they know nothing about the pairwise keys held by other normal nodes. Therefore, this model is resilient to node compromise, compared with the global key model and the KDC/KTC model. The tradeoff, however, is that each node must be pre-configured with multiple keys. Consider the full pairwise key model in a network of $N$ nodes. Each node needs to keep $N-1$ keys, and the overall number of keys in the network, which may need to be centrally backed up, is then $N(N-1)/2$. As the size of the network increases, this number becomes unacceptably large. Therefore, the pairwise key model is usually suitable only for small networks.

2.2.4 Matrix

Blom [7] proposed a matrix-based model. For a network of $N$ nodes, an offline central authority first constructs a $(t+1) \times N$ public matrix $P$ over a finite field $F_q$, where $t$ is a security threshold. Then the central authority selects a random $(t+1) \times (t+1)$ symmetric matrix $S$ over $F_q$, where $S$ is secret and only known to the central authority. An $N \times (t+1)$ matrix $A = (S \cdot P)^T$ is computed, where $(\cdot)^T$ denotes the transpose operator. The central authority pre-configures the $i$-th row of $A$ and the $i$-th column of $P$ to node $i$, for $i = 1, 2, \ldots, N$. After the network is set up, nodes $i$ and $j$ can agree on a shared key by exchanging their columns of $P$ and computing the key. In particular, node $i$ computes a key $K_{ij}$ as the product of its own row of $A$ and the $j$-th column of $P$, and node $j$ computes $K_{ji}$ as the product of its own row of $A$ and the $i$-th column of $P$. Because $S$ is symmetric, it is easy to see:

$$K = A \cdot P = (S \cdot P)^T \cdot P = P^T \cdot S^T \cdot P = P^T \cdot S \cdot P = (A \cdot P)^T = K^T . \quad (2–1)$$

Therefore, the node pair $(i, j)$ will use $K_{ij} = K_{ji}$ as a shared key.

The matrix model has a $t$-secure property in the sense that in a network of $N$ nodes the collusion of fewer than $t+1$ nodes cannot reveal any key shared by other pairs of nodes. This is because at least $t+1$ rows of $A$ and $t+1$ columns of $P$ are required to solve for the secret symmetric matrix $S$. Therefore, the matrix model can tolerate up to $t$ compromised nodes.

The memory cost per node in this model is $t+1$. To guarantee perfect security, the value of $t$ should be set to $N-2$, which means the memory cost per node is $N-1$. Therefore, the matrix model has a memory cost as large as that of the pairwise key model.

2.2.5 Polynomial

In [8], Blundo et al. suggest using a $t$-degree bivariate symmetric polynomial to achieve key agreement. It is a special case of the matrix model in the sense that the public matrix $P$ is composed of node identifiers as:

$$P = \begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ n_1 & n_2 & n_3 & \cdots & n_N \\ n_1^2 & n_2^2 & n_3^2 & \cdots & n_N^2 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ n_1^t & n_2^t & n_3^t & \cdots & n_N^t \end{pmatrix} , \quad (2–2)$$

where $n_i$, for $i = 1, 2, \ldots, N$, is the identifier of the $i$-th node. It is easy to see that $P$ is a Vandermonde matrix, and thus any $t+1$ columns of $P$ are linearly independent when $n_i$, $i = 1, 2, \ldots, N$, are all distinct.

Like the matrix model, the polynomial model also provides the $t$-secure property while featuring the same memory cost.

2.3 Our Model

Obviously, previous distributed models are not suitable for large networks because of their memory cost of order $N-1$ in a network of $N$ nodes. In reality, however, we often deal with large distributed networks or systems. How to achieve key agreement in a large network is a very challenging problem. In view of this problem, we propose a novel key agreement model based on a multivariate symmetric polynomial [9, 10]. It has three components, i.e., share distribution, direct key calculation, and indirect key negotiation. In the share distribution part, partial information of a global $t$-degree $(k+1)$-variate polynomial is distributed among nodes. The partial information cannot reveal the global polynomial but can help key agreement between nodes. In the direct key calculation part, some nodes may calculate a shared key directly if they have some partial information in common. The indirect key negotiation part tells how to negotiate a shared key between two nodes with the help of other nodes if they cannot calculate a direct key.

Our model is scalable for large networks with small memory cost per node. We show that for a network of $N$ nodes our model has only $O(\sqrt[k]{N})$ memory cost per node, where $k \geq 1$. Conventional distributed models can be obtained as special cases of our scheme when $k = 1$. Unlike the centralized KDC/KTC model, meanwhile, in our scheme every node may act as a KDC to help key agreement between two other nodes, which makes it more robust against node compromise. In addition, our model is deterministic in the sense that any pair of nodes can compute a shared key independently or negotiate one through $k-1$ agent nodes ($k \geq 1$).

2.3.1 Mathematical Tool

Our model is based on a $t$-degree multivariate symmetric polynomial. A $t$-degree $(k+1)$-variate polynomial is defined as

$$f(x_1, x_2, \ldots, x_k, x_{k+1}) = \sum_{i_1=0}^{t} \sum_{i_2=0}^{t} \cdots \sum_{i_k=0}^{t} \sum_{i_{k+1}=0}^{t} a_{i_1, i_2, \ldots, i_k, i_{k+1}} \, x_1^{i_1} x_2^{i_2} \cdots x_k^{i_k} x_{k+1}^{i_{k+1}} . \quad (2–3)$$

All coefficients of the polynomial are chosen from a finite field $F_q$, where $q$ is a prime that is large enough to accommodate a cryptographic key. Unless otherwise stated, all calculations in this chapter are performed over the finite field $F_q$.

A $(k+1)$-tuple permutation is defined as a bijective mapping

$$\sigma : [1, k+1] \longrightarrow [1, k+1] . \quad (2–4)$$

By choosing all the coefficients according to

$$a_{i_1, i_2, \ldots, i_k, i_{k+1}} = a_{i_{\sigma(1)}, i_{\sigma(2)}, \ldots, i_{\sigma(k)}, i_{\sigma(k+1)}} \quad (2–5)$$

for any permutation $\sigma$, we can obtain a symmetric polynomial in that

$$f(x_1, x_2, \ldots, x_k, x_{k+1}) = f(x_{\sigma(1)}, x_{\sigma(2)}, \ldots, x_{\sigma(k)}, x_{\sigma(k+1)}) . \quad (2–6)$$

At first, every node should be configured with $k$ credentials, which are positive and pairwise different integers. Suppose node $u$ has credentials $(u_1, u_2, \ldots, u_k)$ and node $v$ has credentials $(v_1, v_2, \ldots, v_k)$. Before node deployment, we can assign a polynomial share $f(u_1, u_2, \ldots, u_k, x_{k+1})$ to $u$ and another share $f(v_1, v_2, \ldots, v_k, x_{k+1})$ to $v$. By assigning polynomial shares, we mean that the coefficients of the $t$-degree univariate polynomials $f(u_1, u_2, \ldots, u_k, x_{k+1})$ and $f(v_1, v_2, \ldots, v_k, x_{k+1})$ are loaded into node $u$'s and $v$'s memory, respectively. If the credentials of node $u$ and node $v$ have only one element different, i.e.,

1. for some $i \in [1, k]$, $u_i \neq v_i$, and
2. for $j = 1, 2, \ldots, k$, $j \neq i$, $u_j = v_j = c_j$,

then node $u$ and node $v$ can have a shared key. Node $u$ can take $v_i$ as the input to its own share $f(u_1, u_2, \ldots, u_k, x_{k+1})$, and node $v$ can also take $u_i$ as the input to its share $f(v_1, v_2, \ldots, v_k, x_{k+1})$. Due to the polynomial symmetry, the desired shared key between nodes $u$ and $v$ has been established as

$$K_{uv} = f(c_1, c_2, \ldots, c_{i-1}, u_i, c_{i+1}, \ldots, c_k, v_i) = f(c_1, c_2, \ldots, c_{i-1}, v_i, c_{i+1}, \ldots, c_k, u_i) . \quad (2–7)$$

In fact, node $u$ and node $v$ achieve the key agreement by a marginal $t$-degree bivariate polynomial, i.e.,

$$f_i(x_i, x_{k+1}) = f(c_1, c_2, \ldots, c_{i-1}, x_i, c_{i+1}, \ldots, c_k, x_{k+1}) , \quad (2–8)$$

where $i \in \{1, 2, \ldots, k\}$ is the position at which the credentials of nodes $u$ and $v$ differ.

2.3.2 Assumptions

We assume each node is identified by an index-tuple $(n_1, n_2, \ldots, n_k)$, where $n_i = 0, 1, \ldots, N_i - 1$, $i \in \{1, 2, \ldots, k\}$, and we may use the index-tuple as the node ID. Hence each node is mapped into a point in a $k$-dimensional space $S_1 \times S_2 \times \cdots \times S_k$, where $n_i \in S_i \subset \mathbb{Z}$ and the cardinality $|S_i| = N_i$, for $i = 1, 2, \ldots, k$. The maximum number of nodes that the network can consist of is $N = \prod_{i=1}^{k} N_i$.

Our model targets key agreement between any pair of end nodes. Hence we assume the underlying routing protocol can provide connectivity between any pair of nodes in the network.

Due to the broadcast characteristics of radio communications, attackers can easily eavesdrop on any messages, either non-encrypted or encrypted, transmitted over the air between nodes. Moreover, due to cost constraints, it is also unrealistic and uneconomical to employ tamper-resistant hardware to secure the cryptographic material in each individual node. Hence attackers may capture any node and compromise the secrets stored in the node. Furthermore, attackers can use the compromised secrets to derive more secrets shared between other non-compromised nodes. It means that the node compromise attack is unavoidable. What we can do is to reduce the impact on other normal nodes as much as possible. In our model, we try to reduce the probability that the keys shared between non-compromised nodes are exposed when some nodes have already been compromised. To further evaluate the impact of node compromise, we assume the probability of the compromise of a node is $p$.

2.3.3 Share Distribution

Before network deployment, a global $t$-degree $(k+1)$-variate symmetric polynomial is constructed as stated in Section 2.3.1. This polynomial is used to derive shares for nodes.

To achieve key agreement, every node $n$ should have $k$ credentials $(c_1, c_2, \ldots, c_k)$, which are positive and pairwise different as required in Section 2.3.1. These credentials can be created and preloaded into nodes before deployment. However, this requires additional memory space per node. Fortunately, the $k$ credentials can be derived from the $k$ indices in the node ID $(n_1, n_2, \ldots, n_k)$ by a bijection, i.e.,

$$\begin{cases} c_1 = n_1 + 1 \\ c_2 = n_2 + 1 + N_1 \\ c_3 = n_3 + 1 + N_1 + N_2 \\ \quad \vdots \\ c_{k-1} = n_{k-1} + 1 + N_1 + \cdots + N_{k-2} \\ c_k = n_k + 1 + N_1 + \cdots + N_{k-1} \end{cases} , \quad (2–9)$$

where $n_i = 0, 1, \ldots, N_i - 1$ for $i = 1, 2, \ldots, k$. Thus, the $k$ credentials are drawn from different zones in that $c_1 \in [1, N_1]$ and $c_i \in [N_1 + \cdots + N_{i-1} + 1, N_1 + \cdots + N_i]$ for $i = 2, \ldots, k$, which guarantees they are positive and pairwise different (Fig. 2-1).

Figure 2-1. Construction of credentials according to the equation (2–9).

For a node $(n_1, n_2, \ldots, n_k)$, a polynomial share

$$f_{k+1}(x_{k+1}) = f(c_1, c_2, \ldots, c_k, x_{k+1}) = \sum_{i_{k+1}=0}^{t} b_{i_{k+1}} x_{k+1}^{i_{k+1}} \quad (2–10)$$

is calculated, where

$$b_{i_{k+1}} = \sum_{i_1=0}^{t} \sum_{i_2=0}^{t} \cdots \sum_{i_k=0}^{t} a_{i_1, i_2, \ldots, i_k, i_{k+1}} \, c_1^{i_1} c_2^{i_2} \cdots c_k^{i_k} \quad (2–11)$$

and $(c_1, c_2, \ldots, c_k)$ is mapped from $(n_1, n_2, \ldots, n_k)$ according to the equations (2–9). Obviously, the share is a $t$-degree univariate marginal polynomial of the global polynomial and has $t+1$ coefficients. Then the polynomial share is assigned to the node. Here, the node only knows the $t+1$ coefficients of the univariate polynomial share, but not the coefficients of the original $(k+1)$-variate polynomial. Therefore, even if the marginal bivariate polynomial is exposed, the global polynomial is still safe if the degree $t$ is chosen properly.

2.3.4 Direct Key Calculation

According to Section 2.3.1, two nodes can calculate a shared key if their credentials have $k-1$ elements in common. Due to the one-to-one mapping in the equations (2–9), two nodes $u$ with ID $(u_1, u_2, \ldots, u_k)$ and $v$ with ID $(v_1, v_2, \ldots, v_k)$ can directly calculate a shared key without any interaction if their IDs have $k-1$ indices in common. Suppose that the $i$-th indices of their IDs are different. Then node $u$ can take $v_i + 1 + N_1 + \cdots + N_{i-1}$ as the input to its own share $f(c_1, c_2, \ldots, c_k, x_{k+1})$, and node $v$ can likewise take $u_i + 1 + N_1 + \cdots + N_{i-1}$ as the input to its share $f(c_1, c_2, \ldots, c_k, x_{k+1})$. Due to the polynomial symmetry, the desired shared key between nodes $u$ and $v$ has been established as

$$K_{uv} = f(c_1, \ldots, u_i + 1 + N_1 + \cdots + N_{i-1}, \ldots, c_k, v_i + 1 + N_1 + \cdots + N_{i-1}) = f(c_1, \ldots, v_i + 1 + N_1 + \cdots + N_{i-1}, \ldots, c_k, u_i + 1 + N_1 + \cdots + N_{i-1}) . \quad (2–12)$$

Because all node credentials of $u$ and $v$ are drawn from different subspaces, where any two subspaces have no intersection, and $u_i \neq v_i$, the $k+1$ credentials used to calculate the shared key are pairwise different. Therefore the shared key calculated by the nodes $u$ and $v$ is unique, i.e., other nodes do not know the shared key. Any two nodes can directly calculate a unique shared key without any negotiation if there is only one mismatch between their $k$-tuple IDs.
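The share distribution of Section 2.3.3 and the direct key calculation of Section 2.3.4, carried out end to end as an added Python example; it is not code from the dissertation. The field prime, the degree $t$ and the grid dimensions $N_1, N_2, N_3$ are constructed toy values. The coefficient table is built so that $a$ is invariant under every permutation of its index tuple, as equation (2–5) requires; credentials follow equation (2–9); each node's share is the univariate polynomial of equations (2–10) and (2–11); and a node refuses to derive a direct key when the IDs differ in more than one index. The function names are the example's own.

```python
"""Share distribution and direct key calculation for the t-degree (k+1)-variate
symmetric polynomial model. Constructed toy parameters; function names are the
example's own."""
import itertools
import random

Q = 7919             # prime field for the toy instance (constructed)
T = 3                # polynomial degree t
DIMS = [4, 5, 3]     # N_1, N_2, N_3: k = 3, at most 4*5*3 = 60 nodes (constructed)
K = len(DIMS)


def gen_symmetric_polynomial(t, k, q, rng):
    """Coefficient table of f(x_1..x_{k+1}) with a_{i1..ik+1} invariant under every
    permutation of the index tuple (Eq. 2-5); stored keyed by the sorted tuple."""
    coeffs = {}
    for idx in itertools.product(range(t + 1), repeat=k + 1):
        key = tuple(sorted(idx))
        if key not in coeffs:
            coeffs[key] = rng.randrange(q)
    return coeffs


def poly_eval(coeffs, t, xs, q):
    """Evaluate the global polynomial (Eq. 2-3) at a (k+1)-tuple. Only the authority
    can do this: nodes never hold the full coefficient table."""
    total = 0
    for idx in itertools.product(range(t + 1), repeat=len(xs)):
        term = coeffs[tuple(sorted(idx))]
        for x, e in zip(xs, idx):
            term = term * pow(x, e, q) % q
        total = (total + term) % q
    return total


def credentials(node_id, dims):
    """Eq. 2-9: c_i = n_i + 1 + N_1 + ... + N_{i-1}; credentials of different positions
    fall into disjoint zones, so they are positive and pairwise different."""
    creds, offset = [], 1
    for n_i, N_i in zip(node_id, dims):
        creds.append(n_i + offset)
        offset += N_i
    return creds


def share(coeffs, t, creds, q):
    """Eq. 2-10/2-11: the t+1 coefficients b_j of f(c_1, ..., c_k, x_{k+1}), which is
    everything a node stores."""
    k = len(creds)
    b = [0] * (t + 1)
    for idx in itertools.product(range(t + 1), repeat=k + 1):
        term = coeffs[tuple(sorted(idx))]
        for c, e in zip(creds, idx[:k]):
            term = term * pow(c, e, q) % q
        b[idx[k]] = (b[idx[k]] + term) % q
    return b


def eval_share(b, x, q):
    """Evaluate the stored univariate share at x."""
    return sum(bj * pow(x, j, q) for j, bj in enumerate(b)) % q


def direct_key(b_u, id_u, id_v, dims, q):
    """Node u's side of Sec. 2.3.4: if the IDs differ in exactly one index i, feed v's
    i-th credential into u's share; otherwise no direct key exists (None)."""
    mismatches = [i for i, (a, c) in enumerate(zip(id_u, id_v)) if a != c]
    if len(mismatches) != 1:
        return None
    i = mismatches[0]
    return eval_share(b_u, credentials(id_v, dims)[i], q)


def run_demo(seed=7):
    """Authority builds f, loads shares into u and v, and both derive K_uv locally."""
    rng = random.Random(seed)
    coeffs = gen_symmetric_polynomial(T, K, Q, rng)
    u, v, w = (1, 2, 0), (1, 4, 0), (0, 4, 0)   # w differs from u in two indices
    b_u = share(coeffs, T, credentials(u, DIMS), Q)
    b_v = share(coeffs, T, credentials(v, DIMS), Q)
    k_uv = direct_key(b_u, u, v, DIMS, Q)
    k_vu = direct_key(b_v, v, u, DIMS, Q)
    # authority's view: f at u's credentials with v's c_2 in the last slot (Eq. 2-12)
    expected = poly_eval(coeffs, T, credentials(u, DIMS) + [credentials(v, DIMS)[1]], Q)
    return {
        "k_uv": k_uv, "k_vu": k_vu, "matches_global": k_uv == expected,
        "share_len": len(b_u), "k_uw": direct_key(b_u, u, w, DIMS, Q),
        "creds_u": credentials(u, DIMS),
    }


if __name__ == "__main__":
    print(run_demo())
```

The per-node storage is the list `b` of $t+1$ field elements regardless of how many nodes the grid holds, which is the memory saving the chapter claims; the pair $u$, $w$ has two mismatching indices and therefore must fall back to the indirect negotiation of Section 2.3.5.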

2.3.5 Indirect Key Negotiation

If two nodes have more than one mismatch between their IDs, they cannot calculate a shared key directly. However, they can rely on some intermediate nodes as agents to negotiate a shared key.

Suppose two nodes $u$ and $v$ have $j$ ($j \geq 2$) mismatches in their IDs. For simplicity, let us omit all the same indices and mark the two nodes with those mismatching indices, say node $u$

$(u_{i_1}, u_{i_2}, \ldots, u_{i_j})$

and node $v$

$(v_{i_1}, v_{i_2}, \ldots, v_{i_j})$,

where $i_1, i_2, \ldots, i_j \in [1, k]$ and are pairwise different. Then they can negotiate a shared key along a secure path consisting of agents as

$(v_{i_1}, u_{i_2}, u_{i_3}, \ldots, u_{i_{j-1}}, u_{i_j})$,
$(v_{i_1}, v_{i_2}, u_{i_3}, \ldots, u_{i_{j-1}}, u_{i_j})$,
$(v_{i_1}, v_{i_2}, v_{i_3}, \ldots, u_{i_{j-1}}, u_{i_j})$,
$\vdots$
$(v_{i_1}, v_{i_2}, v_{i_3}, \ldots, v_{i_{j-1}}, u_{i_j})$,

because all neighboring nodes along the path have direct keys. It is worth noting that there are many secure paths between node $u$ and node $v$. Another example is

$(u_{i_1}, u_{i_2}, u_{i_3}, \ldots, u_{i_{j-1}}, v_{i_j})$,
$(u_{i_1}, u_{i_2}, u_{i_3}, \ldots, v_{i_{j-1}}, v_{i_j})$,
$\vdots$
$(u_{i_1}, u_{i_2}, v_{i_3}, \ldots, v_{i_{j-1}}, v_{i_j})$,
$(u_{i_1}, v_{i_2}, v_{i_3}, \ldots, v_{i_{j-1}}, v_{i_j})$.

The existence of multiple paths indicates the strong resilience of our scheme in the face of node compromise.

2.4 Analysis

In this section, we will carry out the analysis of our model when two nodes have j

(j ≥ 2) mismatches in their IDs.


2.4.1 Number of Secure Paths

The number of secure paths can be calculated as follows. Each secure path is

constructed in j steps. Begin from (ui1 , ui2 , ui3 , . . . , uij−1, uij). At each step one of the

indices is replaced with the corresponding one from (vi1 , vi2 , vi3 , . . . , vij−1, vij), and thus

we can get an agent at the step. At the first step, any of the j indices of node u may be

replaced, so there are j choices. The second step has j − 1 choices. At the j-th step, there

is only one choice left. Hence, the total number of secure paths can be calculated as

$$P = j \cdot (j-1) \cdots 2 \cdot 1 = j! . \qquad (2–13)$$

2.4.2 Number of Disjoint Secure Paths

Out of the P secure paths some are disjoint, i.e., any two disjoint paths have no

common agent nodes except the two end nodes u and v. For nodes u and v which have

j mismatches in their IDs, the number of agent nodes that are the neighbors of the end

nodes u or v is j. Hence the number of disjoint secure paths is

$$P_d = j . \qquad (2–14)$$

2.4.3 Number of Agent Nodes

For nodes u and v which have j mismatches in their IDs, each agent node along a

secure path between the two nodes has an ID constructed in the following way. Randomly

select l positions from j mismatches between u’s and v’s IDs, draw indices from u’s ID at

those positions, and draw indices from v’s ID at the positions that are not selected. The

ID of the agent node consists of the two sets of selected indices and the common indices

between u’s and v’s ID. Hence the number of agent nodes can be calculated as

$$A = \binom{j}{1} + \binom{j}{2} + \cdots + \binom{j}{j-1} = 2^j - 2 . \qquad (2–15)$$

Figure 2-2. An example of key graph in the 3-dimension ID space. (Axes n1, n2, n3; the eight cube vertices are (u1,u2,u3), (v1,u2,u3), (u1,v2,u3), (u1,u2,v3), (v1,v2,u3), (v1,u2,v3), (u1,v2,v3) and (v1,v2,v3).)

2.4.4 An Example

An example of 3-dimension ID space is given in Fig. 2-2. Suppose node (u1, u2, u3)

needs to establish a shared key with node (v1, v2, v3), where all 3 indices in their IDs are

mismatching. They can determine 6 agent nodes. All these 8 nodes form a cube in the

3-dimension ID space. There are 6 paths from node u to node v, in which 3 are disjoint.

For example, 3 disjoint paths are

(u1, u2, u3) → (v1, u2, u3) → (v1, v2, u3) → (v1, v2, v3) ,

(u1, u2, u3) → (u1, u2, v3) → (v1, u2, v3) → (v1, v2, v3) ,

and

(u1, u2, u3) → (u1, v2, u3) → (u1, v2, v3) → (v1, v2, v3) .

Obviously, the above set of disjoint paths is not unique.
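The path construction of Sections 2.3.5 and 2.4.1 to 2.4.4, as an added example that is not the dissertation's code: it enumerates all j! secure paths between two IDs, collects the 2^j − 2 agent nodes, and builds j agent-disjoint paths by replacing the mismatching positions in cyclic order, which reproduces the three disjoint paths listed above for the cube of Fig. 2-2. "Disjoint" is taken in the sense of Section 2.4.2 (no common agent node); the node IDs are constructed.

```python
"""Secure paths between two nodes in the k-dimension ID space.

Added illustration, not code from the dissertation. IDs are k-tuples; two
IDs that differ in exactly one position share a direct key, and an indirect
key is negotiated along a path whose every hop is such a direct key. The
node IDs used below are constructed.
"""
import itertools
import math


def mismatches(u, v):
    """Positions at which the two k-tuple IDs differ."""
    return [i for i, (a, b) in enumerate(zip(u, v)) if a != b]


def secure_paths(u, v):
    """All secure paths from u to v. Each path replaces the mismatching
    indices of u with v's one at a time, in some order, so with j mismatches
    there are j! paths (Eq. 2-13). Paths are lists of IDs including u and v."""
    pos = mismatches(u, v)
    paths = []
    for order in itertools.permutations(pos):
        node = list(u)
        path = [tuple(node)]
        for i in order:
            node[i] = v[i]
            path.append(tuple(node))
        paths.append(path)
    return paths


def agent_nodes(u, v):
    """Agent IDs appearing on any secure path: 2^j - 2 of them (Eq. 2-15)."""
    return {n for p in secure_paths(u, v) for n in p[1:-1]}


def disjoint_paths(u, v):
    """j paths with no common agent node (Eq. 2-14). Path number `start`
    replaces the mismatching positions in cyclic order beginning at the
    start-th one; a cyclic run of fewer than j positions has a unique
    starting point, so no intermediate ID is shared between two paths."""
    pos = mismatches(u, v)
    j = len(pos)
    paths = []
    for start in range(j):
        node = list(u)
        path = [tuple(node)]
        for step in range(j):
            i = pos[(start + step) % j]
            node[i] = v[i]
            path.append(tuple(node))
        paths.append(path)
    return paths


def pairwise_disjoint(paths):
    """True when no agent node (interior hop) occurs on two of the paths."""
    seen = set()
    for p in paths:
        for n in p[1:-1]:
            if n in seen:
                return False
            seen.add(n)
    return True


def summary(u, v):
    """Measured counts next to the values predicted in Section 2.4."""
    j = len(mismatches(u, v))
    return {
        "j": j,
        "paths": len(secure_paths(u, v)),
        "paths_expected": math.factorial(j),
        "disjoint": len(disjoint_paths(u, v)),
        "agents": len(agent_nodes(u, v)),
        "agents_expected": 2 ** j - 2,
    }


if __name__ == "__main__":
    # The cube of Fig. 2-2: all three indices mismatch (constructed IDs).
    u, v = ("u1", "u2", "u3"), ("v1", "v2", "v3")
    for p in disjoint_paths(u, v):
        print(" -> ".join("(" + ",".join(n) + ")" for n in p))
    print(summary(u, v))
```

Positions that agree are carried along unchanged, so the code works for IDs of any dimension k with any number j of mismatches; the cyclic-order rule is one of many ways to pick a disjoint set, as the text notes.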


2.4.5 Security of Direct Keys

All nodes in the network hold partial information of one t-degree (k + 1)-variate

polynomial to achieve key agreement. During the network lifetime, some nodes may be

compromised and then collaborate to expose the polynomial with the partial information

they hold whereby to directly calculate keys between other nodes. Obviously, the

polynomial degree t is an indication of the difficulty to expose the polynomial, and it

is directly related to the security performance. By choosing the value of t properly, we can

guarantee that no matter how many nodes are compromised, their collaboration cannot

expose direct keys held between other non-compromised nodes. In this section, we will

investigate how to choose the polynomial degree.

2.4.5.1 Node compromise in one subspace

Let us consider the malicious collaboration in one subspace. Though in this case

the collaboration can only expose the direct keys between the non-compromised nodes

in the same subspace, this is the easiest attack because adversaries only need to keep

compromising the nodes in one subspace. If they randomly choose nodes to compromise, they have to compromise more nodes to find all nodes in one subspace, which costs them more effort.

Suppose there are Ni nodes in the subspace Si, in which all nodes have same ID

indices in other subspaces, for i = 1, 2, . . . , k. Any pair of nodes in Si can achieve key

agreement with a t-degree bivariate polynomial fi(xi, xk+1), which is the marginal of the

global t-degree (k + 1)-variate polynomial f(x1, . . . , xi, . . . , xk, xk+1) (refer to Section

2.3.1). It has been shown in [8] that a t-degree bivariate polynomial is t-secure in that

the coalition between less than (t + 1) nodes holding shares of the t-degree bivariate

polynomial cannot reconstruct it. To guarantee any pair of nodes in Si have a direct key

that is unsolvable by other Ni − 2 nodes, an (Ni − 2)-secure bivariate polynomial should be

used. Hence, the degree of polynomial should satisfy

$$0 \le N_i - 2 \le t , \quad i = 1, 2, \ldots, k . \qquad (2–16)$$


2.4.5.2 Node compromise in all subspaces

Even if all nodes in one subspace are corrupted, they cannot expose the global

t-degree (k + 1)-variate polynomial because they only know a marginal of the global

polynomial. In order to expose the direct key belonging to any pair of non-compromised

nodes, adversaries must compromise enough nodes in all subspaces to expose the global

polynomial.

Suppose all $N_i$ nodes in subspace $S_i$ are compromised; they can be used to construct $N_i(N_i+1)/2$ equations, i.e.,

$$\begin{aligned}
f_2(u_1, u_1) &= K_{11} \\
&\vdots \\
f_2(u_1, u_{N_i}) &= K_{1N_i} \\
f_2(u_2, u_2) &= K_{22} \\
&\vdots \\
f_2(u_{N_i}, u_{N_i}) &= K_{N_iN_i} ,
\end{aligned} \qquad (2–17)$$

where $u_j$ for $j = 1, 2, \ldots, N_i$ are the ID indices in subspace $S_i$, $K_{j_1,j_2}$ with $j_1 \ne j_2$ is the direct key between the $j_1$-th and the $j_2$-th nodes in the subspace, and $K_{j,j}$ is calculated by inputting the i-th ID index of the j-th node into its own polynomial share.

If all the subspaces are compromised, the total number of equations that adversaries

can construct is

$$N_e = \frac{N}{N_1} \cdot \frac{N_1(N_1+1)}{2} + \frac{N}{N_2} \cdot \frac{N_2(N_2+1)}{2} + \cdots + \frac{N}{N_k} \cdot \frac{N_k(N_k+1)}{2} = \frac{1}{2} \Big( \prod_{i=1}^{k} N_i \Big) \Big( \sum_{i=1}^{k} N_i + k \Big) , \qquad (2–18)$$

where the total number of nodes in the network is $N = N_1 \cdot N_2 \cdots N_k$.

The number of coefficients of a t-degree (k + 1)-variate symmetric polynomial is [8]

$$N_c = \binom{t+k+1}{k+1} . \qquad (2–19)$$


Therefore, to guarantee perfect security of the global polynomial, the following

condition should be satisfied, i.e.,

$$N_e \le N_c \implies \frac{1}{2} \Big( \prod_{i=1}^{k} N_i \Big) \Big( \sum_{i=1}^{k} N_i + k \Big) \le \binom{t+k+1}{k+1} . \qquad (2–20)$$

2.4.5.3 Choose degree t

Given the number of nodes in the network, any polynomial degree t satisfying the

aforementioned conditions (2–16) and (2–20) can be chosen. Each node needs to keep a

t-degree univariate polynomial, which has t + 1 coefficients. Thus, to minimize memory

cost per node, we should use the polynomial which has minimum degree satisfying the

aforementioned conditions.

Here we consider a common case where Ni = N1 for i = 1, 2, . . . , k, i.e., all subspaces

have the same number of indices. Thus, the inequality in (2–20) can be changed to

$$\frac{k}{2} N_1^{k} (N_1 + 1) \le \Big(\frac{t}{k+1} + 1\Big)\Big(\frac{t}{k} + 1\Big)\Big(\frac{t}{k-1} + 1\Big) \cdots \Big(\frac{t}{2} + 1\Big)(t + 1) . \qquad (2–21)$$

We can prove that when

$$t \ge N_1 \sqrt[k+1]{k(k+1)!/2} \qquad (2–22)$$

the inequality (2–21) can be satisfied.


Proof:

$$\begin{aligned}
&\Big(\frac{t}{k+1} + 1\Big)\Big(\frac{t}{k} + 1\Big) \cdots \Big(\frac{t}{2} + 1\Big)(t + 1) \\
&> \frac{t^{k+1}}{(k+1)!} + \frac{(k+1)(k+2)}{2(k+1)!} t^{k} \\
&\ge \frac{\big(N_1 \sqrt[k+1]{k(k+1)!/2}\big)^{k+1}}{(k+1)!} + \frac{\big(N_1 \sqrt[k+1]{k(k+1)!/2}\big)^{k} (k+1)(k+2)}{2(k+1)!} \\
&= \frac{k}{2} N_1^{k+1} + \Big(\frac{k}{2}\Big)^{\frac{k}{k+1}} \frac{(k+1)(k+2)}{2 \sqrt[k+1]{(k+1)!}} N_1^{k} \\
&> \frac{k}{2} N_1^{k+1} + \frac{(k+1)(k+2)}{2 \sqrt[k+1]{(k+1)^{k+1}}} N_1^{k} \\
&= \frac{k}{2} N_1^{k+1} + \frac{k+2}{2} N_1^{k} \\
&> \frac{k}{2} N_1^{k} (N_1 + 1) , \qquad (2–23)
\end{aligned}$$

where k ≥ 2. □

Because $\binom{t+k+1}{k+1}$ is a monotonic increasing function of t, the solution of (2–21) should be $[t^*, \infty)$, where $t^*$ is the minimum degree satisfying (2–21). Because the solution of (2–22) is a subset of the solution of (2–21), the minimum global polynomial degree $t^*$ can be bounded as

$$t^* \le r \cdot N_1 , \qquad (2–24)$$

where the ratio

$$r = \sqrt[k+1]{\frac{k(k+1)!}{2}} . \qquad (2–25)$$

The second column in Table 2-1 gives some bound ratios when k is small. Figure 2-3 illustrates the precise ratio of t* to N1 with respect to N1. We can see that when N1 becomes large, the value of t* becomes stable and the real ratio is bounded by r. Some average ratios are given in the third column in Table 2-1 when k is small. Obviously, when the condition in the inequality (2–20) is satisfied, the condition in the inequality (2–16) is automatically satisfied.

Table 2-1. Bound and precise ratios between t* and N1

k    r        t*/N1
1    1        1
2    1.8171   1.7715
3    2.4495   2.3919
4    2.9926   2.9219
5    3.4878   3.4058
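The degree selection of Sections 2.4.5.1 to 2.4.5.3, as an added example that is not the dissertation's code: N_e and N_c from Eqs. (2–18) and (2–19), the minimum degree t* satisfying Eq. (2–20), a check that Eq. (2–16) then holds on its own, and the ratio r of Eq. (2–25) against which t*/N1 is compared. The N1 values are constructed; the scan starts at t = 0 so that the automatic satisfaction of (2–16) is actually observed rather than built in.

```python
"""Choosing the global polynomial degree t (Eqs. 2-16 and 2-18 to 2-25).

Added illustration, not code from the dissertation. It counts the equations
N_e that fully compromised subspaces yield and the coefficients N_c of the
global polynomial, scans for the minimum degree t* with N_e <= N_c, checks
that Eq. (2-16) then holds as well, and compares t*/N_1 with the closed-form
ratio r of Eq. (2-25). All N_1 values are constructed.
"""
from math import comb, factorial, prod


def num_equations(sizes):
    """N_e of Eq. (2-18): a fully compromised subspace S_i yields
    N_i(N_i+1)/2 equations and there are N/N_i such subspaces, N = prod N_i.
    Integer arithmetic only: N/N_i and N_i(N_i+1)/2 are both integers."""
    n = prod(sizes)
    return sum((n // ni) * (ni * (ni + 1) // 2) for ni in sizes)


def num_coefficients(t, k):
    """N_c of Eq. (2-19): coefficients of a t-degree (k+1)-variate
    symmetric polynomial."""
    return comb(t + k + 1, k + 1)


def satisfies_2_16(t, sizes):
    """Eq. (2-16): every subspace needs an (N_i - 2)-secure polynomial."""
    return all(ni - 2 <= t for ni in sizes)


def min_degree(sizes):
    """Smallest t with N_e <= N_c, Eq. (2-20). N_c increases with t, so a
    scan from 0 finds it; Eq. (2-16) is checked separately by the caller."""
    k = len(sizes)
    ne = num_equations(sizes)
    t = 0
    while num_coefficients(t, k) < ne:
        t += 1
    return t


def bound_ratio(k):
    """r of Eq. (2-25), (k (k+1)! / 2)^(1/(k+1)); Eq. (2-24) gives t* <= r N_1."""
    return (k * factorial(k + 1) / 2) ** (1.0 / (k + 1))


def degree_table(k, n1_values):
    """Rows (N_1, t*, t*/N_1, r) for equal-sized subspaces N_i = N_1."""
    r = bound_ratio(k)
    rows = []
    for n1 in n1_values:
        t = min_degree((n1,) * k)
        rows.append((n1, t, t / n1, r))
    return rows


if __name__ == "__main__":
    for k in range(1, 6):
        print(f"k={k}  r={bound_ratio(k):.4f}")
        for n1, t, ratio, _ in degree_table(k, (10, 50, 200)):
            print(f"   N1={n1:4d}  t*={t:5d}  t*/N1={ratio:.4f}")
```

For k = 2 and N1 = 10 the scan gives t* = 17 (N_e = 1100, C(20,3) = 1140 while C(19,3) = 969), i.e. t*/N1 = 1.7 against r = 1.8171; the ratios approach the third column of Table 2-1 as N1 grows, and every t* found this way already satisfies t* ≥ N1 − 2.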

2.4.6 Security of Indirect Keys

For nodes u and v which have j mismatches in their IDs, the secure path between

them consists of j − 1 agent nodes. Suppose the probability that any node is corrupted is

p. The probability that the exchanged indirect shared key between u and v is exposed can

be calculated as

$$P_c = 1 - (1-p)^{j-1} . \qquad (2–26)$$

Because the maximum number of mismatches in k-dimension ID space is k, the

maximum probability that the exchanged key is exposed is

$$P_{c,\max} = 1 - (1-p)^{k-1} . \qquad (2–27)$$

Obviously, by tuning k, our scheme can achieve a trade-off between security and memory

cost in large scale networks.

2.4.7 Memory Cost

The memory cost per node is mainly related to two parts, i.e., one for node ID

and the other for polynomial share. Recall that each node n is identified by a k-tuple (n1, n2, . . . , nk). All indices can be obtained by dividing its node ID into k fields. In order

to do this, each node needs to know how many bits are allocated for each field. Hence each

node should keep the values of Ni for i = 1, . . . , k. The total number of bits that should be used is

$$M_{ID} = \sum_{i=1}^{k} \log N_i = \log N . \qquad (2–28)$$

Figure 2-3. Minimum required polynomial degree. (Ratio of the minimum polynomial degree to the number of indices, t/N1, versus the number of indices N1 from 0 to 200, for k = 2, 3, 4, 5.)

When all subspaces are equal sized, the memory cost for node ID is

$$M_{ID} = k \log N_1 . \qquad (2–29)$$

In addition, each node in the network keeps a t-degree univariate polynomial share,

which has t + 1 coefficients drawn from the finite field Fq. With the bound calculated

in the previous section, we know the memory cost per node for polynomial share can be bounded as

$$M_p \le \Big( \sqrt[k]{N}\, \sqrt[k+1]{\frac{k(k+1)!}{2}} + 1 \Big) \log q . \qquad (2–30)$$

Due to the large value of q, usually we have $M_{ID} \ll M_p$. Thus, the total memory cost is

$$M = M_{ID} + M_p \le \log N + \Big( \sqrt[k]{N}\, \sqrt[k+1]{\frac{k(k+1)!}{2}} + 1 \Big) \log q \sim \sqrt[k]{N}\, r \log q . \qquad (2–31)$$

Obviously, compared with conventional probabilistic distributed models, which have

memory cost at the level of O(N), our scheme has very small memory cost per node,

which is on the order $O(\sqrt[k]{N})$ when k is fixed.

2.4.8 Computation Overhead

Our scheme is based on the symmetric key technology. Each sensor node can calculate

a key by using a t-degree univariate polynomial, which is a share of a global polynomial.

To calculate a key, each node should calculate 2t − 1 modular multiplications over $\mathbb{F}_q^*$: t − 1 for $x^2, \ldots, x^t$ and t for $b_1 x, b_2 x^2, \ldots, b_t x^t$. Under the symmetric key technology, the

length of q is usually 64 bits or 128 bits. Suppose the total number of nodes is N and each

subspace has the same number of nodes. We can estimate that the number of 64-bit or

128-bit modular multiplications each node needs to calculate is

$$C_1 = 2t^* - 1 \le 2 r \sqrt[k]{N} + 1 = 2 \sqrt[k+1]{\frac{k(k+1)!}{2}}\, \sqrt[k]{N} + 1 . \qquad (2–32)$$

2.4.9 Communication Overhead

As the establishment of direct keys between a pair of nodes does not require

handshakes between them, the major communication overhead lies with the establishment

of indirect keys. Just like most existing security schemes that require handshakes between


end nodes to negotiate a shared key, this overhead is inevitable. However, few analytical

results about the overhead are given by current schemes. Most of them rely on simulation

to measure communication overhead. Here, we give an analytical estimation of the

communication overhead of our scheme.

For a pair of nodes with i mismatches in their IDs, i = 2, . . . , k, a secure path between them involves i − 1 agent nodes. If the average path length between a pair of nodes that have only one mismatch in their IDs is L, the average path length between a pair of nodes with i mismatches in their IDs is iL. The probability that two nodes have i mismatches in their IDs is $\binom{k}{i}(\sqrt[k]{N} - 1)^i / (N - 1)$. Hence the average communication overhead can be estimated as

$$\begin{aligned}
C_2 &= \sum_{i=2}^{k} \frac{\binom{k}{i} (\sqrt[k]{N} - 1)^i}{N - 1}\, iL \\
&= \frac{L (\sqrt[k]{N} - 1)}{N - 1} \Big( \sum_{i=2}^{k} \binom{k}{i} x^i \Big)'_x , \quad x = \sqrt[k]{N} - 1 \\
&= \frac{k \big( \sqrt[k]{N}^{\,k-1} - 1 \big) (\sqrt[k]{N} - 1)}{N - 1} L \\
&= \frac{k (N_1^{k-1} - 1)(N_1 - 1)}{N_1^k - 1} L , \qquad (2–33)
\end{aligned}$$

where $N = N_1^k$. Several cases when k is small are depicted in Fig. 2-4.

2.5 Security Enhancement of Indirect Keys

In our model, direct keys are safe because they are calculated by end nodes

without any interaction. On the other hand, indirect keys may be exposed during their

transmission between end nodes if any intermediate agent node is compromised. However,

the existence of multiple secure paths between two nodes can be utilized to enhance the

confidentiality of indirect keys. The idea is to transform an indirect key into many pieces

and transmit those pieces through multiple secure paths instead of one such that the key

can be recovered if and only if all those secure paths are corrupted [11].

Figure 2-4. The communication overhead. (Communication overhead C2, in units of L, versus the number of indices N1 from 0 to 200, for k = 2, 3, 4, 5.)

Suppose node u needs to negotiate an indirect key with v. Node u may randomly

select a key Kuv and construct a new polynomial as

$$g(x) = K_{uv} + k_1 x + k_2 x^2 + \cdots + k_s x^s . \qquad (2–34)$$

Then, Shamir’s (s + 1, T ) threshold secret sharing scheme [12] can be applied. Specifically,

T shares can be calculated as

$$g(1), g(2), \ldots, g(T) , \qquad (2–35)$$

where T ≥ s + 1.


Next, node u transmits the T shares to node v through multiple secure paths by

following the method proposed in [11]. Suppose u and v have j mismatches in their IDs,

which means there are j disjoint secure paths between them. Then node u may transmit

T/j shares along each secure path to node v. Once node v gets s + 1 out of T shares, it

can recover the polynomial g(x) and get the key Kuv by Lagrange interpolation.

The value T should be chosen properly such that the polynomial g(x) cannot be

recovered even if j − 1 out of j secure paths are corrupted. Thus T should satisfy

$$\begin{cases} T \ge s + 1 \\ T - T/j < s + 1 \end{cases} \qquad (2–36)$$

$$\implies s + 1 \le T < \frac{j(s+1)}{j-1} . \qquad (2–37)$$

By following the procedure, the key Kuv may be exposed only if all j secure paths are

corrupted. Hence the probability of key exposure is reduced to

$$P'_c = P_c^{\,j} = \big( 1 - (1-p)^{j-1} \big)^j . \qquad (2–38)$$

The tradeoff here is the increase of communication overhead. However, we can choose

the number of secure paths here to achieve a certain level of security while maintaining

an acceptable communication overhead.
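The share-splitting procedure of this section, as an added example that is not the dissertation's code: Shamir sharing of K_uv with the polynomial g(x) of Eq. (2–34), T shares spread round-robin over the j disjoint secure paths, recovery by Lagrange interpolation from any s + 1 shares, and a choice of T inside the range of Eq. (2–37). The field modulus, s, j and the random seed are constructed parameters. One addition beyond the text: Eq. (2–36) treats T/j as the number of shares per path, so the helper below checks the actual per-path counts and refuses a T for which some j − 1 paths would together carry s + 1 shares.

```python
"""Indirect-key protection with Shamir secret sharing over disjoint paths
(Eqs. 2-34 to 2-38).

Added illustration, not code from the dissertation. Node u hides the key
K_uv as the constant term of g(x) = K_uv + k_1 x + ... + k_s x^s over F_q,
sends the T shares g(1..T) split across the j disjoint secure paths, and v
recovers K_uv by Lagrange interpolation from any s+1 shares. Whoever holds
only j-1 of the paths must see fewer than s+1 shares (Eq. 2-36).
"""
import random

Q = 2**61 - 1  # prime field modulus (example parameter, not from the text)


def make_shares(key, s, t_shares, seed=None):
    """Eqs. (2-34)/(2-35): random g(x) with g(0) = key, evaluated at 1..T.
    `seed` is only for reproducibility; None draws from system randomness."""
    rng = random.Random(seed)
    coeffs = [key % Q] + [rng.randrange(1, Q) for _ in range(s)]
    shares = []
    for x in range(1, t_shares + 1):
        acc = 0
        for a in reversed(coeffs):  # Horner evaluation over F_q
            acc = (acc * x + a) % Q
        shares.append((x, acc))
    return shares


def recover_key(shares):
    """Lagrange interpolation of g at x = 0 over F_q; needs s+1 shares."""
    key = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        key = (key + yi * num * pow(den, Q - 2, Q)) % Q
    return key


def split_over_paths(shares, j):
    """Assign the shares to j disjoint paths round-robin (about T/j each)."""
    paths = [[] for _ in range(j)]
    for idx, sh in enumerate(shares):
        paths[idx % j].append(sh)
    return paths


def choose_T(s, j):
    """Largest T in the range of Eq. (2-37), s+1 <= T < j(s+1)/(j-1), such
    that the round-robin split leaves any j-1 paths with fewer than s+1
    shares. Returns None when no such T exists (then s must grow)."""
    upper = (j * (s + 1) - 1) // (j - 1)  # largest integer below j(s+1)/(j-1)
    for t_shares in range(upper, s, -1):
        counts = [len(p) for p in split_over_paths(list(range(t_shares)), j)]
        if t_shares - min(counts) < s + 1:
            return t_shares
    return None


def exposure_probability(p, j):
    """Eq. (2-38): all j paths, each with j-1 agents, must be corrupted."""
    return (1 - (1 - p) ** (j - 1)) ** j


def demo(s=2, j=3, seed=1):
    """Returns (original key, key v recovers, key recoverable from j-1
    corrupted paths or None when those paths hold too few shares)."""
    rng = random.Random(seed)
    key = rng.randrange(Q)
    t_shares = choose_T(s, j)
    if t_shares is None:
        raise ValueError("no admissible T for these s and j; increase s")
    paths = split_over_paths(make_shares(key, s, t_shares, seed), j)
    v_shares = [sh for path in paths for sh in path][: s + 1]
    partial = [sh for path in paths[1:] for sh in path]  # j-1 paths only
    leaked = recover_key(partial) if len(partial) >= s + 1 else None
    return key, recover_key(v_shares), leaked
```

With s = 2 and j = 3 the admissible range is 3 ≤ T < 4.5; T = 4 would split as 2, 1, 1 and two corrupted paths would already hold three shares, so `choose_T` returns T = 3, one share per path. With j = 4 and s = 2 no T works at all, which is the per-path-count caveat that the integer division hides.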

2.6 Key Establishment in Wireless Sensor Networks

2.6.1 Random Key Material Distribution

The key agreement models described in this chapter can guarantee that every pair

of nodes in a network of N nodes has a unique shared key, but the cost is that each node

needs to store N − 1 keys. It is impractical for WSNs due to the memory constraints of

sensor nodes and the possible large scale of sensor networks. Instead, most recent research

papers in this field loosen the security requirement and follow a partial pre-distribution

approach, where key materials are pre-distributed such that some sensor nodes can


establish shared keys directly and they can help to establish indirect shared keys between

other sensor nodes.

A typical scheme is the random key pre-distribution (called RKP hereafter) [13], in

which each node is pre-loaded with a subset of keys, called key ring, randomly selected

from a global pool of keys such that any pair of neighboring nodes can share at least one

key with a certain probability. After deployment, two neighboring nodes can have a shared

key directly or negotiate an indirect key through a secure path, along which every pair of

neighboring nodes has a direct shared key.

The theoretic base of RKP is random graph [14]. A random graph G(n, p) is a graph

of n nodes for which the probability that a link exists between two nodes is p. The graph

does not have any edge if p = 0 or is fully connected if p = 1. There is a transition from

non-connected to fully connected when p increases. RKP exploits this property by setting p

larger than a certain value such that the network is almost connected. Here the size of

global key pool and the size of key ring for individual node can be tuned to achieve such a

property.

A major concern of RKP is node compromise. The random selection of key

ring for each node means the reuse of each key by multiple nodes. An attacker may

compromise a node and expose its key ring, out of which some keys may be used by

other non-compromised nodes. This leads to the failures of the links between those

non-compromised nodes.

To mitigate the impact of node compromise, several following schemes are proposed.

q-composite RKP [15] follows RKP except that any pair of neighboring nodes are

required to share at least q keys with a certain probability. q-composite RKP can improve

the resilience to node compromise when the number of compromised nodes is small.

Unfortunately, it is not effective when the number is large.

Another problem of RKP is the lack of authentication because of the reuse of the

same key by multiple nodes. To solve the problem, node identity information is used to


derive key rings for sensor nodes [16]. A similar approach is taken in the random-pairwise

key (RPK) [15] scheme, where each node keeps a set of keys, each of which is uniquely

shared with another node. Du et al. developed the multiple-space key pre-distribution

(MSKP) scheme in [17], where the global key pool in [13] is replaced by a pool of

Blom’s matrices [7]. Liu and Ning [18, 19] presented the polynomial pool-based key

pre-distribution (PPKP) scheme, which is basically the same as MSKP, but each Blom’s

matrix is replaced by a polynomial [8]. In those schemes, each key is tied to the identities

of the nodes sharing it. In this way, the identity of a node can be verified through the

normal challenge-response approach by other nodes that share the unique key with it.

Particularly, a verifier node can send an encrypted random number, called a challenge, to

the suspect node, and the suspect node can prove its identity by returning the decrypted

result to the verifier node.

RKP requires the storage of a key ring by each node to make the network almost

connected. In some cases where sensor nodes do not have enough memory resource,

this becomes a problem. Hwang and Kim [20] revisited RKP and its follow-up schemes

and proposed to reduce the amount of key material that each node keeps while still

maintaining a certain probability of sharing a key between two nodes. The probability

can assure that there is a largest component of the network connecting most nodes. The

trade-off is that some small sets of nodes may be isolated because they do not share keys

with the largest component.

2.6.2 Deterministic Key Material Distribution

The probabilistic nature of the random distribution of key material cannot guarantee

that two neighboring nodes establish a shared key according to the underlying random

graph theory. This is not desirable because some sensor nodes may not be able to establish

shared keys with their neighbors and thus are isolated. In order to solve the problem, two

deterministic approaches have been developed.


One approach is to use a strongly regular graph or a complete graph to replace the

random graph to do key pre-distribution [21–23]. In an (n, r, λ, µ) strongly regular graph,

there are n nodes, each of which has a degree of r and any pair of which has λ common

neighbors when they are adjacent and µ common neighbors when they are nonadjacent.

In the strongly regular graph, every pair of nodes is connected through a path. Each link

(edge) can be assigned with a unique key which is preloaded into the two end vertices

(nodes). Besides the regular graph, the block design in set theory can be used in key

predistribution, in which all the nodes form a complete graph at the network layer. The

tool is the balanced incomplete block design (BIBD). A (v, r, λ)-BIBD is an arrangement

of v objects into many blocks such that each block contains r distinct objects and every

pair of objects occurs in exactly λ blocks. For example, when an (n2 +n+1, n+1, 1)-BIBD

is applied in a WSN, each sensor node is preloaded with n + 1 keys, which form a block

out of a pool of n2 + n + 1 keys, and every pair of nodes have one common key. In [24], the

BIBD design is combined with the polynomial model [8] in the sense that each sensor node

is preloaded with polynomials. Their scheme enables authentication in addition to those

properties provided by the original BIBD design.

The other approach is to use a multi-dimension grid to replace the random graph,

which is followed by our model [9, 10]. Particularly, each sensor node is assigned an ID

(n1, n2, . . . , nk) such that all the nodes form a k-dimension grid. Each node is preloaded

with some key material such that it can establish direct shared keys with other nodes

along the same dimension and negotiate indirect keys with other nodes in different

dimensions. There are also several similar works following the grid approach. PIKE [25]

simply assigns a unique key for each pair of nodes along each dimension. Hypercube

[18, 19] is the same as PIKE except that it uses bivariate polynomials instead of keys to

achieve key agreement between nodes along each dimension. Delgosha and Fekri [26, 27]

follow Hypercube [18, 19] but use multiple multivariate polynomials to establish multiple

common keys between each pair of nodes along each dimension.


In those deterministic schemes, a node can find whether it has a direct shared key

with another node based on the identity of that node. This can provide an authentication

service in that the identity of a node can be challenged based on its keys that are related

to its identity.

2.6.3 Comparisons With Related Work

Centralized schemes, such as SPINS [6], need a trusted server to facilitate key

agreement between any two nodes. The trusted server can be a potential failure point.

Distributed methods are more secure due to the elimination of the failure point.

Distributed models such as pairwise key, matrix [7] and polynomial [8] lack scalability

because of their large memory cost of N − 1 in a network of N nodes and thus are only suitable for small networks.

Probabilistic schemes [13, 15–19] can provide a certain level of scalability with the

tradeoff that they can not guarantee that every pair of nodes establish a shared key.

Though the memory cost of those schemes is less than standard distributed models

including pairwise key, matrix [7] and polynomial [8], the memory cost still increases

linearly with respect to the total number of nodes if they need to achieve a certain level of

security or communication efficiency [25] and thus is at the order of O(N). Key reuse is fatal under the node compromise attack. Moreover, those schemes are targeted at the key

establishment between neighboring nodes, while our model can achieve the end-to-end key

agreement.

Graph-based design [21–23] can ensure key sharing directly or indirectly between any

pair of nodes. In their schemes, however, each key is also reused by many sensor nodes as

in the probabilistic schemes. This leads to poor resilience to node compromise in that one

compromised node can expose keys belonging to other non-compromised nodes. In addition,

the memory cost of their schemes is roughly $O(\sqrt{N})$ where N is the total number of nodes, while the memory cost of our scheme can be $O(\sqrt[k]{N})$, which is more scalable.


In other grid-based designs [19, 25–27], the memory cost is at the level of $k(\sqrt[k]{N} - 1)$ where N is the total number of nodes. In comparison, our model has the memory cost of $\sqrt[k]{N}\, \sqrt[k+1]{\frac{k(k+1)!}{2}} + 1$ and can achieve more memory efficiency when k increases.

Another merit of our model is that the communication overhead tends to be a

constant (∝ L, where L is the average path length between a pair of nodes that have only

one mismatch in their IDs) when the network size is larger than a certain threshold (refer

to Fig. 2-4). This means our scheme can provide a good scalability. On the other hand,

the communication overhead can be reduced if we could reduce the value of L. We will

show in Chapters 3 and 4 that in static networks (such as sensor networks) deployment

information can be used to reduce the value of L and thus reduce the communication

overhead.

2.7 Conclusion

In this chapter, we discussed several traditional distributed key agreement models

and pointed out that they are not suitable for large networks because of their memory

cost of order N − 1 in a network of N nodes. We proposed a novel key agreement model

based on a multivariate symmetric polynomial [9, 10]. Our model is scalable for large

networks with small memory cost per node. We show that our model has only $O(\sqrt[k]{N})$

memory cost per node, where k ≥ 1. The dimension of the ID space k is a parameter we

can control to achieve the trade-off between overhead per node and security performance.

Our model is also deterministic in the sense that any pair of nodes can compute a shared

key independently or negotiate one through k − 1 agent nodes (k ≥ 1).

CHAPTER 3
KEY ESTABLISHMENT USING DEPLOYMENT KNOWLEDGE IN WIRELESS SENSOR NETWORKS

3.1 Introduction

The significant advances of hardware manufacturing technology and efficient software

algorithms make a network of a large number of small and low-cost sensors through

wireless communications, i.e., wireless sensor networks (WSN) [28–30], a promising

network infrastructure for many applications, such as environmental monitoring, medical care, and home appliance management. This is particularly true for battlefield surveillance

and homeland security scenarios, because WSNs are easy to deploy and self-configured

for those applications. In many hostile tactical scenarios and important commercial

applications, however, security mechanisms are necessary to protect WSNs from malicious

attacks, and thus the security in WSNs becomes an important and a challenging design

task.

3.1.1 Sensor Network Model

A WSN is a large network of resource-constrained sensor nodes with multiple preset

functions such as sensing and processing to fulfill different application objectives [28–30].

Usually, sensor nodes are deployed in a designated area by an authority such as

government or military unit, and then automatically form a network through wireless

communications. Sensor nodes are static most of the time, while mobile nodes can also be

deployed according to application requirements. One or several base stations (BS) are

deployed together with the network. A BS can be either static or mobile. Sensor nodes

keep monitoring the network area after being deployed. Once an event of interest occurs,

one of the surrounding sensor nodes may detect it, generate a report and transmit the

report to a BS through multihop wireless links. Collaboration can be carried out if

multiple surrounding nodes detect the same event. In this case, one of them generates a

final report after collaborating with the other nodes. The BS may process the report and

then forward it through either high quality wireless or wired links to the external world

Figure 3-1. A wireless sensor network. (The figure shows sensor nodes, an event, base stations, wireless links, a high quality link, and the external network.)

for further processing. The WSN authority may send commands or queries to a BS, which

spreads those commands or queries into the network. Hence BSs act as gateways between

the WSN and the external world. An example is illustrated in Fig. 3-1.

Since a WSN consists of a large number of sensor nodes, each sensor node is usually limited in its resources because of cost considerations in manufacturing. For example, the MICA2 MPR400CB [31], a widely used sensor node platform, has only 128 KB of program memory and an 8-bit ATmega128L CPU [32]. Its radio data rate is 38.4 kbaud with a range of about 500 ft, and it is powered by only two AA batteries. Such constrained resources cannot support complicated applications. BSs, on the other hand, are usually well provisioned and have more resources, since they are directly attached to the external world.

3.1.2 Security Challenges

Though the key management problem has been investigated thoroughly in conventional wired networks such as the Internet and in wireless networks such as cellular networks, wireless local area networks (WLANs) and ad hoc networks, the existing solutions can hardly be transplanted into WSNs, whose unique characteristics make them very vulnerable to malicious attacks in hostile environments such as military battlegrounds:

1. In wired networks, the key material transmitted over shielded wired lines during the negotiation phase between source and sink is difficult to intercept, but the wireless channel is open to eavesdroppers. With a radio interface tuned to the same frequency band, anyone can monitor or participate in communications. This gives attackers a convenient way to capture key material transmitted over the air and expose the corresponding keys. Attackers can also intercept ciphertexts and analyze the eavesdropped packets to obtain information about the keys used between sensor nodes.

2. In cellular networks and WLANs, communication is one hop between the base station or access point and the mobile node, but in WSNs all nodes are involved in multi-hop communications, so most centralized security protocols cannot be applied directly in distributed WSNs. Ad hoc networks bear more similarity to WSNs, but their nodes are more powerful than sensor nodes and can therefore support more secure, more complex protocols.

3. The wireless channel is very dynamic. Key establishment protocols may suffer frequent interruptions as channel conditions vary. Although link layer protocols provide some error control, the cost of establishing keys inevitably increases.

4. As in the Internet, most protocols for WSNs do not include security considerations at their design stage. Because of standardization, most protocols are publicly known, so attackers can easily launch attacks by exploiting security holes in those protocols.

5. The constrained resources make it very difficult to implement strong but complex security algorithms on a sensor platform. Symmetric key cryptography is usually the first choice when designing a security protocol for WSNs, though public key cryptography is possible with careful optimization in design and implementation.

6. A WSN may scale up to thousands of sensor nodes. Moreover, during the lifetime of the WSN some nodes may run out of power, and new nodes may be added to increase the network's processing capability, so the number of nodes varies over time. This node dynamics demands simple, flexible and scalable security protocols, which are not easy to design. A stronger security protocol costs more resources on sensor nodes, which can degrade application performance, so in most cases a trade-off has to be made between security and performance; a weak security protocol, however, may be easily broken by attackers.

7. A WSN is usually deployed in hostile areas without any fixed infrastructure, where continuous surveillance after deployment is difficult. It may therefore face various attacks.

3.1.3 Attacks

There are various attacks against WSNs, which can be classified from different points

of view.

3.1.3.1 Attack techniques

Attackers can disrupt a WSN using various techniques [33]. Since most communication protocols are publicly known, attackers can eavesdrop on packets transmitted over the air for later cryptanalysis or traffic analysis. Eavesdropped packets can be replayed at a later time or at another place to cause inconsistency. False packets can be injected into the network to confuse sensor nodes, and malicious nodes can modify received packets before forwarding them.

Node compromise is one of the most detrimental attacks on WSNs [33]. Since WSNs are usually deployed in a hostile environment without continuous monitoring, an attacker can capture a sensor node and use appropriate equipment to dig into the sensor hardware and find key material. Due to cost constraints, it is unrealistic and uneconomical to employ tamper-resistant hardware to secure the cryptographic material in each individual node. Even where tamper-resistant devices are available, they still cannot guarantee perfect protection of secret material [34]. Node compromise is therefore unavoidable in WSNs. The exposed key material gives the attacker more capability to launch other severe attacks, such as deriving the keys used by other non-compromised nodes. What we can do about node compromise is to reduce its impact on other normal nodes as much as possible: when a certain number of nodes are compromised, for instance, the probability that a key used by other normal nodes is exposed should be as small as possible.

Sometimes attackers are not interested in the data content in the network. They may simply introduce radio jamming interference into the same radio bands to disrupt communications between nodes [35], leading to a denial of service (DoS) attack. If an attacker has an unlimited power supply, he can keep jamming the wireless channel continuously and stop normal communications. Otherwise, the attacker can introduce intermittent jamming interference to deteriorate the channel condition and cause packet loss. If the communication protocols are known to the attacker, intermittent jamming can be more efficient, because the attacker knows which part of a packet is the most valuable to jam.

3.1.3.2 Passive vs. active

According to operation mode, attacks can be passive or active. In a passive attack, the attacker's goal is to obtain information without being detected. Usually the attacker simply keeps quiet and eavesdrops on traffic. If he knows the communication protocols, he can follow them like a normal sensor node. By passively participating in the network, the attacker collects a large volume of traffic and analyzes it to extract secret information, which can then be used for various purposes. A passive attack is usually very difficult to detect, since the attacker leaves little evidence.

In an active attack, the attacker exploits security holes in the network protocol stack to launch attacks such as packet modification, injection or replay. The impact of active attacks is more severe than that of passive attacks. However, because the attacker is actively involved in network communications, the anomalies he causes can serve as evidence of the attack.

3.1.3.3 External vs. internal

Usually, a WSN is deployed and managed by a single authority. All nodes in the network can be seen as honest and cooperative entities, while attackers are excluded from the network and have no right to access it. Such external attackers can launch attacks only from outside the network, so their impact is limited.

If an attacker obtains authorization to access the network, he becomes an internal attacker. In this case he can cause more severe damage because he is seen as a legitimate entity. An attacker usually becomes an internal one by compromising a legitimate node, or by deploying malicious nodes that can pass the network access control mechanism.

WSNs are usually deployed in hostile environments, such as battlefields or disaster locations, where fixed infrastructure is not available. After deployment it is infeasible to provide constant surveillance and protection of a WSN, so node compromise is easy for attackers to carry out.

A compromised node can be used as a platform for further attacks. The adversary can let the compromised node impersonate another normal node to establish secure communications with other normal nodes, so node authentication should be part of the key establishment procedure. If the compromised node serves as a router between a source and a sink, the key negotiation procedure may fail simply because the compromised node intentionally drops negotiation packets exchanged between the source and the sink.

3.1.4 Security Requirements

The harsh environments and the existence of threats demand more careful security

considerations in the design of WSN protocols. Typically, one or more of the following

security services should be provided:

1. Confidentiality is a basic security service that keeps important data transmitted between sensor nodes secret. Usually the critical parts of a packet are encrypted before the packet is transmitted by the source node and decrypted at the sink node; without the corresponding decryption keys, attackers cannot access that information. What needs to be encrypted depends on the application: in some cases only the data part of a packet is encrypted, while in others the packet header is also encrypted to protect node identities.

2. Authenticity provides assurance of the identities of communicating nodes. Every node should check whether a received message really comes from the claimed sender. Without authentication, attackers can easily spoof node identities and spread false information in the WSN. Usually an attached message authentication code (MAC) is used to authenticate the origin of a message.

3. Integrity guarantees that transmitted messages are not modified by attackers. Attackers may introduce interference that flips bits of transmitted packets, and a malicious routing node may change important data in packets before forwarding them. Just as a cyclic redundancy check (CRC) detects random errors during packet transmission, a keyed checksum such as a MAC protects packets against deliberate modification.

4. Availability is the capability of a WSN to provide its services whenever they are needed. Attackers may launch attacks to degrade network performance or even destroy the entire network. Denial of service (DoS) attacks [35] are the most serious threat to availability: adversaries deprive the network of its ability to provide services by sending radio interference, disrupting network protocols or depleting nodes' power through various tricks.

3.2 Uniform Key Material Distribution

As shown in Chapters 1 and 2, key establishment is the first step in setting up a secure infrastructure for WSNs. We also showed that the distributed key agreement models described in Chapter 2, such as the pairwise key, matrix [7] and polynomial [8] models, can guarantee that every pair of nodes in a network of N nodes has a unique shared key, but at the cost of each node storing N − 1 keys. This is impractical for WSNs because of the memory constraints of sensor nodes and the potentially large scale of sensor networks. Instead, most recent research papers [13, 15–19] in this field relax the security requirement and follow a partial pre-distribution approach, in which key material is pre-distributed such that some sensor nodes can establish shared keys directly and can help to establish indirect shared keys between other sensor nodes.

Partial pre-distribution reduces the memory cost of each node. Less pre-distributed key material, however, also implies a smaller probability that two neighboring nodes can establish a direct shared key, and thus lower secure connectivity (the probability that two neighboring nodes can establish a direct shared key). With low secure connectivity, two neighboring nodes are more likely to have to negotiate an indirect key through a multihop path, which means higher communication overhead.


The reason behind this tension is that the previous schemes [13, 15–19] assume that all key material is uniformly pre-distributed over the entire network. Therefore, two nodes with correlated key material may not be in each other's neighborhood.

We observe that in many practical scenarios certain deployment knowledge is known a priori. The question that has not been well addressed is which deployment model to adopt so as to obtain as much gain as possible. Existing schemes either assume a simple square cell deployment model [36–38] or use group-based pre-distribution [39–44].

In this chapter, we study how to leverage deployment knowledge to facilitate key

establishment in WSNs. We make the following contributions. First, we propose new

hexagon [45] and triangle [46] cell based deployment models and demonstrate that

they are much better choices than a square cell deployment model for facilitating key

establishment. Second, we propose a novel edge-based secret pre-distribution model to

reduce the memory costs of sensor nodes. Last, we use extensive analytical results and

simulation study to show that the proposed schemes can provide perfect resilience to node

capture attacks, high secure connectivity, and high energy efficiency with much smaller

memory costs.

3.3 A Square Cell Deployment Model

The schemes in [36–38] use square cells to model node deployment. The entire

network is divided into many non-overlapping square cells, each of which is centered at a

predefined deployment point. In each square cell a group of nodes is deployed. Based on

the square cell model, different secret pre-distribution models and key agreement models

can be applied. In particular, the location-based key pre-distribution (LBKP) scheme [36]

can achieve better performance due to its polynomial-based resistance to node compromise

attacks and high secure connectivity. In LBKP each deployment point is associated with a unique t-degree bivariate polynomial, and all nodes destined to the same deployment point are preloaded with partial information (shares) of the corresponding polynomial. To guarantee a certain secure connectivity, each polynomial is also assigned to the horizontal and vertical neighboring cells. For example, in Fig. 3-2, the polynomial of cell C33 is also assigned to cells C32, C34, C23, and C43. The polynomials of other cells are assigned in the same way. As a result, a node in C33 has some common polynomial information with the nodes in the shadow areas. We refer readers to [36] for more technical details.

[Figure 3-2. A square cell deployment model. Cells labeled C23, C32, C33, C34, C43.]

3.4 New Deployment and Secret Pre-Distribution Models

Compared with the uniform deployment model in [13, 15–19], the square cell model in LBKP [36] is able to localize the impact of node compromise attacks, in that each set of secrets is pre-distributed on a cell scale instead of a network scale. Even when some nodes are compromised and their preloaded secrets are revealed to attackers, only the security of the home cell and the adjacent cells of the compromised nodes degrades, and gracefully so; the square cell model therefore outperforms the uniform deployment model in terms of security. However, can we do better? To answer this question, we first analyze the security of t-degree bivariate polynomials, then propose a hexagon cell model and an edge-based secret pre-distribution model, and last present a triangle cell model featuring higher security and lower memory cost.

3.4.1 Security of LBKP

LBKP [36] is based on the polynomial model [8], in which a t-degree bivariate symmetric polynomial is t-secure, meaning that adversaries have to compromise at least t + 1 nodes holding shares of the same polynomial to reconstruct it. Consider node compromise attacks. If t + 1 out of x compromised nodes share a common t-degree bivariate polynomial, the polynomial itself is compromised, and thus the direct shared keys between non-compromised nodes that use the same polynomial are exposed. Let Ns denote the number of nodes sharing a t-degree bivariate polynomial and N the number of nodes in the attacked area. Given x compromised nodes, the probability that i out of the Ns nodes are compromised is

$$P_c(i) = \frac{\binom{N_s}{i}\binom{N-N_s}{x-i}}{\binom{N}{x}},$$ (3–1)

and thus the probability that the polynomial is compromised is given by

$$P_c = \sum_{i=t+1}^{N_s} P_c(i).$$ (3–2)

Suppose each node has a memory size of M units for cryptographic materials and each memory unit can accommodate a cryptographic key or a polynomial coefficient. Provided that each node needs to store N_p t-degree bivariate polynomial shares, the maximum allowed polynomial degree is

$$t_M = \left\lfloor \frac{M}{N_p} \right\rfloor - 1.$$ (3–3)

Then the probability of exposing a polynomial can be rewritten as

$$P_c = \sum_{i=\lfloor M/N_p \rfloor}^{N_s} P_c(i).$$ (3–4)

3.4.2 A Hexagon Cell Model

If the attacked area is fixed, we have two controllable parameters, i.e., Ns and Np,

which can be adjusted to achieve different security performance. Intuitively, if we could

decrease the value(s) of Ns and/or Np, the probability Pc of polynomial exposure would

be reduced as well. How can we utilize deployment models to adjust the parameters?

Motivated by the hexagon cell used in cellular networks, we propose the following hexagon

cell deployment model [45] for key establishment in sensor networks.

Here we design a deployment model such that each deployment point is enclosed in a hexagon cell, as shown in Fig. 3-3. Each deployment point, or hexagon cell, is associated with a unique t-degree bivariate polynomial, and all nodes destined to the deployment point are preloaded with shares of the polynomial. All nodes destined to a cell are usually deployed as a group and are supposed to reside at the deployment point of their home cell. Due to deployment errors and randomness, however, the real resident point of each node may follow some probability distribution function (PDF), such as a Gaussian or uniform distribution, over an area, which may be a circle or a square, around its deployment point.

In addition, the polynomial of each cell is also assigned to 3 of its 6 neighboring cells, taking every other neighbor around the cell. For example, in Fig. 3-3(a), the polynomial associated with cell C0 is also assigned to cells C1, C3, and C5. Hence each polynomial is used in 4 cells. A node in C0 has some common polynomial information with the nodes in the shadow areas.

[Figure 3-3. A hexagon cell model: (a) Hex-v, (b) Hex-e. Cells labeled C0 (center) and C1 through C6.]

Assume that both areas of a hexagon cell and a square cell are (approximately) equal to α

and node density ρ remains unchanged. By using the hexagon grid model, the number Ns

of nodes sharing one polynomial is reduced from 5ρα to 4ρα as compared to LBKP [36].

Another benefit is that the number Np of polynomial shares each node needs to store is

reduced from 5 to 4 at the same time. It means that we can decrease the probability of

polynomial exposure, leading to the favorable security improvement. We will discuss more

about this issue in Section 3.6.

3.4.3 Edge-Based Secret Pre-Distribution

When designing a cell-based PKE (pairwise key establishment) scheme, we are often concerned with two metrics, namely intra-cell connectivity and inter-cell connectivity. As the names suggest, the former is the secure connectivity inside a cell, while the latter is the secure connectivity between adjacent cells. The schemes in [37, 38] use random secret pre-distribution [13, 17] in each cell to achieve a certain intra-cell connectivity. To attain a certain inter-cell connectivity, [37] lets the key subsets of two neighboring cells have an intersection, and [38] uses the random-pairwise secret pre-distribution scheme [15] between two neighboring cells. However, the inter-cell connectivity of both schemes is still unsatisfactory. By contrast, LBKP [36] assigns each cell a unique polynomial and can thus guarantee high intra-cell connectivity. It also assigns the polynomial of one cell to its four neighboring cells so as to achieve a certain inter-cell connectivity. A similar polynomial pre-distribution model is used for our proposed hexagon cell model.

Let us depict a deployment model using a graph G(D, E), where the vertex set D consists of all deployment points and the edge set E comprises the pairs of adjacent deployment points. Previous schemes [36–38] and our proposed hexagon grid approach give more emphasis to intra-cell connectivity and leave inter-cell connectivity in second place. That is because they all use a vertex-based secret pre-distribution model, in which a unique key subset or polynomial is associated with each deployment point.

In this chapter we also consider another strategy that puts more effort into guaranteeing high inter-cell connectivity. In particular, we propose a new edge-based secret pre-distribution model, in which a unique t-degree bivariate polynomial is associated with each edge in E and assigned to the two deployment points at the ends of that edge. For example, in Fig. 3-3(b), each double-headed arrow means that the cells connected by the arrow are assigned the same unique t-degree bivariate polynomial. For ease of presentation, hereafter we denote by HEX-V the hexagon grid model with vertex-based secret pre-distribution and by HEX-E the one with edge-based secret pre-distribution. We will see in Section 3.6.3 that HEX-E can guarantee high intra-cell and inter-cell connectivity at the same time.


By using HEX-E, the number of nodes sharing one polynomial is further reduced to 2ρα, which is the lower bound on Ns necessary for both inter-cell and intra-cell connectivity. As will be explained later, the security of a cell-based PKE scheme is mainly determined by Ns × Np. Though Np increases to 6 with HEX-E, the overall security is still improved because of the relatively larger decrease of Ns (cf. Section 3.6).

3.4.4 A Triangle Cell Model

As discussed previously, given a memory constraint of M units, if we could decrease the value of Np, the maximum allowed polynomial degree would increase, which implies higher security. We have shown that HEX-E increases Np from 4 to 6 compared with HEX-V. Although the overall security is still improved, it is still worth investigating whether edge-based secret pre-distribution can also reduce Np.

Notice that edge-based secret pre-distribution requires each node to keep Np bivariate polynomial shares, one for each neighboring cell. This observation motivates us to find a cell-based deployment model in which each cell has as few neighboring cells as possible. An intuitive solution is the triangle cell model [46], in which each cell has the fewest neighbors.

In the triangle cell model, each deployment point is enclosed in a triangle cell, as shown in Fig. 3-4. When using edge-based secret pre-distribution, each pair of neighboring deployment points is assigned a unique pairwise t-degree bivariate polynomial. As before, sensor nodes are deployed in groups, and the group of nodes destined to the same deployment point is preloaded with shares of the corresponding polynomials. We denote our new scheme by TRI-E hereafter. In TRI-E, each node is preloaded with 3 polynomial shares, which is the lower bound on Np. Each node in C0 may then be able to establish pairwise keys with nodes in the shadow area in Fig. 3-4.

It is worth pointing out that in TRI-E we only consider the 3 neighboring cells C1/C2/C3 that share a boundary with C0, because these cells usually have more connections with C0. We could distribute more polynomials to make C0 directly connected to more neighboring cells, but this would notably increase the memory cost and sharply degrade security because of the increase of Ns, both of which are undesirable in security-sensitive sensor networks. Moreover, we will show in Section 3.6.3 that TRI-E still achieves high network connectivity while focusing on only 3 neighboring cells.

[Figure 3-4. A triangle grid model. Cells labeled C0 (center) and C1 through C3.]
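The following Python is added here and is not part of the dissertation. It evaluates Eqs. (3–1) to (3–4) of Section 3.4.1 exactly with rational arithmetic and applies them to the Ns and Np values stated for LBKP, HEX-V, HEX-E and TRI-E in Sections 3.3 to 3.4.4, so the effect of Ns × Np on polynomial exposure and the perfect-resilience condition Ns ≤ t can be seen on numbers. The node counts, memory budget and number of captured nodes are constructed inputs, and the assumption that triangle cells also have area α (so that TRI-E has Ns = 2ρα) is the example's own.

```python
"""Polynomial exposure probability, Eqs. (3-1)-(3-4), and a model comparison.

Added example (not the dissertation's code).  The attacked area holds N
nodes, Ns of which hold shares of one t-degree polynomial, and x of the N
nodes are captured uniformly at random.  All numbers below are constructed
illustrations, not results from the dissertation.
"""
from fractions import Fraction
from math import comb


def p_c_i(N, Ns, x, i):
    """Eq. (3-1): probability that exactly i of the Ns sharers are among the
    x captured nodes (hypergeometric).  Zero when the count is impossible."""
    if i < 0 or i > Ns or i > x or x - i > N - Ns:
        return Fraction(0)
    return Fraction(comb(Ns, i) * comb(N - Ns, x - i), comb(N, x))


def p_c(N, Ns, x, t):
    """Eq. (3-2): the polynomial is exposed once t+1 or more sharers are captured."""
    return sum((p_c_i(N, Ns, x, i) for i in range(t + 1, Ns + 1)), Fraction(0))


def t_max(M, Np):
    """Eq. (3-3): Np shares of t+1 coefficients each must fit in M memory units."""
    return M // Np - 1


def p_c_memory(N, Ns, x, M, Np):
    """Eq. (3-4): exposure probability when t is pushed to t_max(M, Np)."""
    return p_c(N, Ns, x, t_max(M, Np))


# (cells sharing one polynomial, shares per node) for each model in
# Sections 3.3-3.4.4: Ns = cells * rho * alpha, Np as stated in the text.
# Assumption: triangle cells also have area alpha, so TRI-E has Ns = 2*rho*alpha.
MODELS = {"LBKP": (5, 5), "HEX-V": (4, 4), "HEX-E": (2, 6), "TRI-E": (2, 3)}


def compare_models(nodes_per_cell, N, x, M):
    """Per model: Ns, Np, the degree the memory budget allows, whether that
    gives perfect resilience (Ns <= t, so no coalition can ever hold t+1
    shares), and the exposure probability Pc of one polynomial."""
    out = {}
    for name, (cells, Np) in MODELS.items():
        Ns = cells * nodes_per_cell
        t = t_max(M, Np)
        out[name] = {"Ns": Ns, "Np": Np, "t": t, "perfect": Ns <= t,
                     "Pc": p_c(N, Ns, x, t)}
    return out


if __name__ == "__main__":
    # constructed scenario: 4 nodes per cell, 100 nodes in the attacked area,
    # 30 of them captured, 40 memory units per node
    for name, r in compare_models(nodes_per_cell=4, N=100, x=30, M=40).items():
        print(f"{name:6s} Ns={r['Ns']:3d} Np={r['Np']} t={r['t']:2d} "
              f"perfect={r['perfect']!s:5s} Pc={float(r['Pc']):.4g}")
```

Because the sum in Eq. (3–2) starts at t + 1, setting t ≥ Ns makes the sum empty and Pc exactly zero, which is the perfect-resilience condition of Section 3.5.5; in the constructed scenario only TRI-E reaches it under the given memory budget.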

3.5 Cell-based Pairwise Key Establishment

In this section, we present a general cell-based pairwise key establishment protocol, in

which any of the aforementioned grid models can be applied.

3.5.1 Node Deployment

We assume that every sensor node has a predetermined deployment point where it

is supposed to reside. Each deployment point should be enclosed in a unique cell, either

square or hexagon or triangle. So the entire deployment area is divided into U×V adjacent

non-overlapping cells Cuv, for row index u = 1, . . . , U and column index v = 1, . . . , V . We

assume that sensor nodes are deployed in equally-sized, non-overlapping groups Guv, for

u = 1, . . . , U and v = 1, . . . , V . Each group is uniquely associated with a cell and will be

deployed around the deployment point of the cell. In addition, every node is preloaded

with the coordinate of the deployment point of its home cell and assigned a unique,

positive, integer-valued ID.

3.5.2 Polynomial distribution

Before deployment, we construct a global polynomial pool F with enough t-degree

bivariate polynomials. Each polynomial has a unique polynomial ID and is assigned

to several groups of nodes according to a specific secret pre-distribution scheme. The

algorithm for polynomial pre-distribution is summarized in Table 3-1.


Table 3-1. The algorithm for polynomial distribution.

Function VertexDistributing(Deployment Model) {
    For each Guv {
        Assign a f(x, y) to Guv;
        Assign the f(x, y) to some neighboring G'uv according to the Deployment Model;
        Remove the f(x, y) from F;
    }
}

Function EdgeDistributing(Deployment Model) {
    For each Guv {
        For each neighboring group G'uv of Guv {
            If G'uv and Guv do not share a polynomial {
                Assign a f(x, y) to G'uv and Guv;
                Remove the f(x, y) from F;
            }
        }
    }
}
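To make the two procedures in Table 3-1 concrete, the following Python (added here; not the dissertation's code) runs VertexDistributing and EdgeDistributing over small square, hexagon and triangle grids and reports, for an interior cell, the number of shares a node must store (Np) and the number of cells holding one polynomial, which multiplied by ρα gives Ns. The axial hexagon coordinates, the choice of every other neighbor for HEX-V and the parity rule for triangle cells are modelling assumptions of this example; the Np and Ns values it reproduces are those stated in Sections 3.3 and 3.4.

```python
"""Polynomial pre-distribution over cell grids (Table 3-1 made concrete).

Added example, not the dissertation's code.  Cells are grid coordinates
and a "polynomial" is just an integer ID drawn from the pool F, because
only the assignment pattern matters for Np (shares per node) and for the
number of cells that hold one polynomial (Ns / (rho*alpha)).  The hex
coordinates (axial) and the triangle parity rule are this example's own
modelling choices.
"""
from itertools import count

# --- deployment models: neighbours of a cell, and for HEX-V the 3 cells
# --- that receive a cell's own polynomial (every other neighbour)

def square_neighbors(cell):
    u, v = cell
    return [(u - 1, v), (u + 1, v), (u, v - 1), (u, v + 1)]

HEX_DIRS = [(1, 0), (1, -1), (0, -1), (-1, 0), (-1, 1), (0, 1)]  # axial (q, r)

def hex_neighbors(cell):
    q, r = cell
    return [(q + dq, r + dr) for dq, dr in HEX_DIRS]

def hex_v_receivers(cell):
    # Alternate directions; a cell then receives from the other three
    # neighbours, so it holds 4 polynomials in total (Np = 4).
    q, r = cell
    return [(q + dq, r + dr) for dq, dr in HEX_DIRS[::2]]

def tri_neighbors(cell):
    # Triangle (r, c) points up when r + c is even and shares an edge with
    # its left, right and lower neighbours; a down triangle with its upper one.
    r, c = cell
    vertical = (r + 1, c) if (r + c) % 2 == 0 else (r - 1, c)
    return [(r, c - 1), (r, c + 1), vertical]

# --- Table 3-1 -------------------------------------------------------------

def vertex_distributing(grid, receivers):
    """VertexDistributing: each group gets a fresh f(x,y), also handed to
    the neighbouring groups selected by the deployment model."""
    pool = count()                        # F: unbounded pool of polynomial IDs
    shares = {cell: set() for cell in grid}
    for cell in sorted(grid):
        f = next(pool)
        shares[cell].add(f)
        for nb in receivers(cell):
            if nb in grid:
                shares[nb].add(f)
    return shares

def edge_distributing(grid, neighbors):
    """EdgeDistributing: one fresh f(x,y) per adjacent pair of groups."""
    pool = count()
    shares = {cell: set() for cell in grid}
    for cell in sorted(grid):
        for nb in neighbors(cell):
            if nb in grid and not (shares[cell] & shares[nb]):
                f = next(pool)            # pair not yet connected
                shares[cell].add(f)
                shares[nb].add(f)
    return shares

# --- cost metrics -----------------------------------------------------------

def make_grid(rows, cols):
    return {(u, v) for u in range(rows) for v in range(cols)}

def cells_holding(shares, f):
    """Number of groups holding shares of polynomial f (Ns = this * rho*alpha)."""
    return sum(f in s for s in shares.values())

def model_summary(rows=9, cols=9):
    """(Np, cells per polynomial) at an interior cell for each model."""
    grid = make_grid(rows, cols)
    centre = (rows // 2, cols // 2)
    models = {
        "LBKP": vertex_distributing(grid, square_neighbors),
        "HEX-V": vertex_distributing(grid, hex_v_receivers),
        "HEX-E": edge_distributing(grid, hex_neighbors),
        "TRI-E": edge_distributing(grid, tri_neighbors),
    }
    return {name: (len(s[centre]), max(cells_holding(s, f) for f in s[centre]))
            for name, s in models.items()}

if __name__ == "__main__":
    for name, (np_, cells) in model_summary().items():
        print(f"{name:6s} Np={np_} cells per polynomial={cells}")
```

Cells on the border of the finite grid have fewer neighbors and therefore smaller Np; the summary deliberately reads the centre cell so that the figures match the infinite-grid values used in the analysis.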

3.5.3 Pairwise Key Establishment

After deployment, every node broadcasts its node ID and the coordinate of the

deployment point of its home cell. The broadcasted information can be in plaintext

because the adversary would learn nothing about either the polynomial shares associated

with the overheard IDs or the polynomial associated with the overheard coordinates. If

the secrecy of the deployment point is desired, three methods may be used. One is to

broadcast polynomial IDs instead. The second is to use the normal challenge-response

method [5]. The third is to use the Merkle puzzle [47], which is suggested by [15].

However, these methods would incur too much computation and communication overhead,

which is undesirable in resource-constrained sensor networks.

If two neighboring nodes find that they are destined to the same deployment point or

two neighboring deployment points, they can establish a direct pairwise key by evaluating

their own corresponding polynomial shares with the ID of each other as input. Since


each node ID is unique, the established pairwise key is also unique. This property is

particularly useful for secure communications in that it can provide mutual authentication

through the normal challenge-response method.
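The following Python is an added example, not code from the dissertation. It implements share generation, the direct key computation of Section 3.5.3 (each side evaluates its own share at the peer's ID) and the challenge-response authentication mentioned above, with HMAC-SHA256 standing in for the MAC of Section 3.1.4, and then demonstrates the t-security stated in Section 3.4.1 by letting a coalition of captured nodes interpolate the honest nodes' key: t captured shares yield nothing, t + 1 recover it. The 61-bit prime modulus, the node IDs and the HMAC choice are this example's assumptions.

```python
"""Pairwise key establishment from t-degree symmetric bivariate polynomial
shares, and the t-secure property behind Section 3.4.1.

Added example, not the dissertation's code.  Arithmetic is over GF(p) with a
fixed 61-bit prime (an assumption: the prime size sets the key length), node
IDs are small positive integers as in Section 3.5.1, and HMAC-SHA256 plays
the MAC in the challenge-response step.
"""
import hashlib
import hmac
import secrets

P = 2**61 - 1  # prime modulus (assumed); keys are elements of GF(P)


def gen_polynomial(t, p=P):
    """Random symmetric f(x, y) = sum a[i][j] x^i y^j with a[i][j] == a[j][i]."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = secrets.randbelow(p)
    return a


def share(a, node_id, p=P):
    """Preloaded share of node `node_id`: the t+1 coefficients of f(node_id, y)."""
    t = len(a) - 1
    return [sum(a[i][j] * pow(node_id, i, p) for i in range(t + 1)) % p
            for j in range(t + 1)]


def pairwise_key(my_share, peer_id, p=P):
    """Section 3.5.3: evaluate own share at the peer's ID, K = f(me, peer)."""
    return sum(c * pow(peer_id, j, p) for j, c in enumerate(my_share)) % p


def mac_response(key, challenge, p=P):
    """Challenge-response with the established key: MAC over the peer's nonce."""
    k = key.to_bytes((p.bit_length() + 7) // 8, "big")
    return hmac.new(k, challenge, hashlib.sha256).digest()


def reconstruct_key(captured, victim_a, victim_b, p=P):
    """What a coalition of captured nodes learns.  `captured` maps node ID to
    its share.  Coefficient j of node u's share is h_j(u) = sum_i a[i][j] u^i,
    a degree-t polynomial in u, so t+1 captured shares interpolate h_j at
    x = victim_a for every j, which is exactly victim_a's share; evaluating it
    at victim_b yields the victims' key.  With t or fewer shares every key
    value remains equally likely (t-security), so None is returned."""
    t = len(next(iter(captured.values()))) - 1
    ids = list(captured)[: t + 1]
    if len(ids) < t + 1:
        return None
    recovered = []
    for j in range(t + 1):
        acc = 0
        for m in ids:                     # Lagrange basis polynomial at victim_a
            num = den = 1
            for k in ids:
                if k != m:
                    num = num * (victim_a - k) % p
                    den = den * (m - k) % p
            acc = (acc + captured[m][j] * num * pow(den, -1, p)) % p
        recovered.append(acc)
    return pairwise_key(recovered, victim_b, p)


def demo(t=2):
    """Two honest nodes agree on a key and authenticate each other; t captured
    nodes learn nothing usable, t+1 captured nodes recover the honest key."""
    f = gen_polynomial(t)
    a_id, b_id = 1001, 2002                                  # assumed node IDs
    k_ab = pairwise_key(share(f, a_id), b_id)
    k_ba = pairwise_key(share(f, b_id), a_id)
    nonce = secrets.token_bytes(16)                          # challenge from b
    auth_ok = hmac.compare_digest(mac_response(k_ab, nonce), mac_response(k_ba, nonce))
    coalition = {i: share(f, i) for i in range(1, t + 2)}   # t+1 captured nodes
    small = dict(list(coalition.items())[:t])                # only t of them
    return {
        "keys_agree": k_ab == k_ba,
        "challenge_response_ok": auth_ok,
        "t_nodes_recover": reconstruct_key(small, a_id, b_id) == k_ab,
        "t_plus_1_nodes_recover": reconstruct_key(coalition, a_id, b_id) == k_ab,
    }


if __name__ == "__main__":
    print(demo())
```

The reconstruction routine is the attack the revocation counter of Section 3.5.5 guards against: as soon as t + 1 nodes holding the same polynomial are captured, the polynomial, and with it every key derived from it, is gone.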

It is possible that two neighboring nodes do not have shares of the same polynomial(s)

for instance due to deployment errors. In this case, they can rely on any secure multi-hop

path between them to establish an indirect pairwise key. Suppose there is a path

consisting of nodes n1, n2, . . . , ni between nodes a and b. It is called a secure multi-hop

path if and only if each pair of neighboring nodes on the path have established a direct

pairwise key. If so, it would be safe to exchange a pairwise key between a and b along

this path. However, the exchanged key would be exposed to adversaries if any of the

nodes on the path is compromised. To deal with this situation, multi-path routing such as SPREAD [11] can be applied to exchange a pairwise key between a and b through multiple node-disjoint or edge-disjoint paths. For lack of space, further investigation of this issue is left to future work.

However, as we will show in Section 3.6.3, our schemes have high connectivity in that every node can establish direct keys with almost all of its neighbors, so we do not need to spend much energy on the establishment of indirect keys.

3.5.4 Node Addition

We may need to add new nodes into the network in some cases and then we

also need to establish pairwise keys for the new nodes. Before deployment, each new

node is preloaded with the polynomial shares of the cell where the new node is to be

deployed. After deployment, the new node can initiate the aforementioned pairwise key

establishment procedure to establish pairwise keys with its neighbors.

3.5.5 Node Revocation

During the network operation, it is possible that some nodes might be compromised

by the adversary. Hence the memberships of compromised nodes need to be canceled

and their keys need to be revoked. This can be achieved by deleting the corresponding


pairwise keys from other normal nodes. However, when the number of compromised nodes

sharing a polynomial is larger than t, the polynomial itself would be compromised and

other normal nodes using the same polynomial are under the threat of malicious attacks. To

address the problem, we may use the following method. After pairwise key establishment,

each node assigns a counter for each polynomial it uses and initializes the counter to 0. If a

compromised node is detected, other normal nodes sharing the same polynomials simply

increase the counter for each corresponding polynomial by 1 after they delete the related

shared pairwise keys. When any counter exceeds t, the counter and the corresponding

polynomial should be deleted. Our method is much more memory-efficient than the one

used in LBKP [36] that requires each node to keep IDs of those compromised nodes. After

that, some normal nodes may need to re-initiate the pairwise key establishment procedure

to establish new pairwise keys.

As will be discussed later, by using our proposed deployment and edge-based secret

pre-distribution models, our scheme may achieve perfect resilience to node compromise

attacks. We accomplish this by limiting the total number of nodes sharing one polynomial

to no more than the polynomial degree. Therefore, no matter how many nodes adversaries

compromise, they would be unable to reconstruct any polynomial and thus to utilize

the acquired knowledge to launch attacks on non-compromised nodes. By contrast,

conventional schemes like LBKP [36] lack this feature because of their large

memory costs, which will be detailed in Section 3.6.2.
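The counter-based revocation of Section 3.5.5, worked through in code. This is an added example and not the thesis's own code; the polynomial identifiers, node identifiers and the degree t in it are constructed sample values. Besides the counter bookkeeping, it returns which neighbors must re-run pairwise key establishment once a polynomial is dropped, the step the section mentions last.

```python
"""Counter-based revocation from Section 3.5.5 (added example, constructed IDs)."""


class NodeKeyState:
    """One normal node's bookkeeping: the polynomial shares it holds, the
    pairwise keys derived from each share, and one counter per polynomial
    recording how many compromised nodes held a share of that polynomial."""

    def __init__(self, t, neighbours_per_poly):
        # neighbours_per_poly: polynomial id -> neighbours keyed under that polynomial
        self.t = t
        self.shares = set(neighbours_per_poly)
        # a pairwise key is identified by (neighbour, polynomial it was derived from)
        self.keys = {(nb, p) for p, nbs in neighbours_per_poly.items() for nb in nbs}
        self.counter = {p: 0 for p in neighbours_per_poly}

    def revoke(self, bad_node, polys_of_bad_node):
        """Handle a detected compromise: delete the keys shared with bad_node,
        increment the counter of every polynomial it held a share of, and drop
        any polynomial whose counter exceeds t (t + 1 shares reconstruct it).
        Returns the neighbours that must re-run key establishment because the
        only key they shared with this node came from a dropped polynomial."""
        self.keys = {(nb, p) for nb, p in self.keys if nb != bad_node}
        dropped = set()
        for p in polys_of_bad_node & self.shares:
            self.counter[p] += 1
            if self.counter[p] > self.t:
                dropped.add(p)
        self.shares -= dropped
        for p in dropped:
            del self.counter[p]
        lost = {nb for nb, p in self.keys if p in dropped}
        self.keys = {(nb, p) for nb, p in self.keys if p not in dropped}
        still_keyed = {nb for nb, _ in self.keys}
        return lost - still_keyed

    def memory_words(self):
        """Counters cost one word per polynomial held, independent of how many
        nodes were compromised (LBKP instead stores every compromised node ID)."""
        return len(self.counter)
```

With t = 2, the third compromised holder of a polynomial pushes its counter to 3, the polynomial is discarded, and any neighbor whose only key came from it is reported for re-keying.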

3.6 Analysis and Evaluation

Here we evaluate the proposed schemes in terms of security, secure connectivity, and

memory costs, which are widely used in performance evaluation by previous schemes.

3.6.1 Security

An attacker may launch a node compromise attack to reconstruct a t-degree bivariate

polynomial so as to compromise the links between non-compromised nodes using the same

polynomial. We compare the security of our schemes with LBKP [36] and E-G (short for


Eschenauer and Gligor) [13] with regard to the link compromise probability, i.e., the

probability that a link is compromised. Because every link is secured by a t-degree

bivariate polynomial, we may use the probability of polynomial exposure (Equation (3–4)

in Section 3.4.1) to evaluate the link compromise probability.

There are two scales of node compromise attacks in our considerations. In the local

node compromise attack, the adversary tries to compromise nodes in a particular area.

Due to the threshold-based security of polynomials, the attacker must compromise enough

nodes to recover a polynomial. As is shown in Section 3.4, using hexagon and triangle

cells and the edge-based pre-distribution method, our schemes reduce the number of nodes

sharing a polynomial. Hence, our schemes are more resilient compared with LBKP in the

local node compromise attack. Besides, the exposure of one polynomial has no impact on

other areas because each polynomial is used in a small area.

In the random node compromise attack, the attacker randomly selects nodes as the

objects of attack. In this random attack, the link compromise probability of E-G may be

calculated as [15, 37]

$$P_c = 1 - \left(1 - \frac{m}{M}\right)^x , \qquad (3–5)$$

where each node randomly selects a key subset of size $m$ from a global key set of size $M$

and the number of compromised nodes is $x$.

Suppose node deployment density is ρ = 0.0025 nodes/m2, the network size is

2000m × 2000m, the total number of nodes is |N | = 10000, and the node transmission

range is 50m. For E-G, the size of the global key pool is set to 100000, while for our

schemes and LBKP, the inter-cell distance, which is the distance between the centers of

neighboring cells, is set to 100m.

Fig. 3-5 and Fig. 3-6 depict their respective link compromise probability versus the

fraction of compromised nodes for different numbers (M) of memory units allocated for

storing pre-distributed secrets. From Fig. 3-5 and Fig. 3-6, we can clearly see that the E-G

scheme has the worst security performance in almost all scenarios. Every time adversaries


Figure 3-5. Link compromise probability versus fraction of compromised nodes, M = 120 (curves: E-G, LBKP, HEX-V, HEX-E, TRI-E).

compromise one more node, they increase their chances of compromising more links

between non-compromised nodes. If M is increased, say from 120 to 240, the security of

E-G degrades more dramatically with the increase of compromised nodes. This is

because adversaries obtain more information about the global key pool after compromising

a node. It is no surprise that LBKP has better security performance than E-G because

of its (t + 1)-compromise resistant property. We can also observe that our schemes

outperform both E-G and LBKP. For example, when M is equal to 240, LBKP can only

tolerate the compromise of 30% nodes, while all our schemes can tolerate the compromise

of over 50% nodes. In addition, TRI-E scheme exhibits the best security performance of

having perfect resilience to node compromise attacks when M is equal to 240.


Figure 3-6. Link compromise probability versus fraction of compromised nodes, M = 240 (curves: E-G, LBKP, HEX-V, HEX-E, TRI-E).

3.6.2 Memory Cost

The different security performance of LBKP and our schemes results from the fact

that the schemes require each node to store different numbers of polynomial shares.

A share of a t-degree bivariate polynomial is a t-degree univariate polynomial with t + 1

coefficients. Column A of Table 3-2 gives the memory cost of those schemes.

Intuitively, we could get perfect resilience to node compromise attacks by limiting the

number of nodes sharing one polynomial to be less than (t + 1). However, to achieve this,

different schemes may incur different memory costs. Let ρ still be the node deployment

density and D be the inter-cell distance in meters. We calculated the different memory

costs of LBKP and our schemes for achieving perfect resilience to node compromise

attacks, which are given in Column B of Table 3-2.

Table 3-2. Memory cost.

Scheme   A          B
LBKP     5(t + 1)   5(5ρD² + 1)
HEX-V    4(t + 1)   4(2√3 ρD² + 1)
HEX-E    6(t + 1)   6(√3 ρD² + 1)
TRI-E    3(t + 1)   3((3√3/2) ρD² + 1)

We can easily find the following relationship:

LBKP > HEX-V > HEX-E > TRI-E.

Given the same memory constraint M, our schemes have better security performance

because of their much smaller memory requirements, which allow larger polynomial degrees

and thus higher security. Among our schemes, TRI-E has the best security performance

because of its smallest memory cost, which renders it the most attractive candidate for

sensor networks where the memory of each node is very tight.
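The Table 3-2 formulas can be turned into a budget check: given M memory units, which polynomial degree does each scheme afford, and does that degree reach the number of nodes sharing one polynomial, the perfect-resilience condition of Section 3.5.5? The following is an added example, not the thesis's code; it uses only the Section 3.6.1 parameters (ρ = 0.0025 nodes/m², D = 100 m) and the Table 3-2 expressions, and reproduces the observation of Section 3.6.1 that TRI-E reaches perfect resilience at M = 240.

```python
"""Memory budget versus perfect resilience, from Table 3-2 (added example)."""
import math

RHO = 0.0025   # node deployment density, nodes per square metre (Section 3.6.1)
D = 100.0      # inter-cell distance in metres (Section 3.6.1)

# Table 3-2: shares stored per node (column A = shares * (t + 1)) and the number
# of nodes sharing one polynomial as a multiple of rho * D^2 (column B = shares * (nodes + 1)).
SCHEMES = {
    "LBKP":  (5, 5.0),
    "HEX-V": (4, 2.0 * math.sqrt(3)),
    "HEX-E": (6, math.sqrt(3)),
    "TRI-E": (3, 1.5 * math.sqrt(3)),
}


def nodes_per_polynomial(scheme, rho=RHO, d=D):
    """Average number of nodes holding a share of one polynomial."""
    return SCHEMES[scheme][1] * rho * d * d


def memory_cost(scheme, t):
    """Column A of Table 3-2: shares * (t + 1) coefficients per node."""
    return SCHEMES[scheme][0] * (t + 1)


def memory_for_perfect_resilience(scheme, rho=RHO, d=D):
    """Column B: the cost once t equals the number of nodes sharing a polynomial."""
    return SCHEMES[scheme][0] * (nodes_per_polynomial(scheme, rho, d) + 1)


def max_degree(scheme, budget):
    """Largest t whose column-A cost fits into `budget` memory units."""
    return budget // SCHEMES[scheme][0] - 1


def perfectly_resilient(scheme, budget, rho=RHO, d=D):
    """Section 3.5.5's condition: at most t nodes share a polynomial, so no number
    of compromised nodes yields the t + 1 shares needed to reconstruct it."""
    return max_degree(scheme, budget) >= nodes_per_polynomial(scheme, rho, d)


def ranking(rho=RHO, d=D):
    """Schemes ordered by column-B cost; the text states LBKP > HEX-V > HEX-E > TRI-E."""
    return sorted(SCHEMES, key=lambda s: memory_for_perfect_resilience(s, rho, d), reverse=True)


if __name__ == "__main__":
    for budget in (120, 240):
        for s in ranking():
            print(f"M={budget} {s:6s} t={max_degree(s, budget):3d} "
                  f"nodes/poly={nodes_per_polynomial(s):6.1f} "
                  f"perfect={perfectly_resilient(s, budget)}")
```

With ρD² = 25, TRI-E needs about 198 memory units for perfect resilience, so a budget of 240 (t = 79 against roughly 65 nodes per polynomial) suffices, whereas 120 does not; the other three schemes exceed 240 in column B.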

3.6.3 Connectivity

If two neighboring nodes can establish a pairwise key, they are able to communicate

in a secure manner. However, not every pair of neighboring nodes can establish a

pairwise key directly, because deployment errors may leave a node with no neighboring

node that shares a polynomial with it. Let us define

connectivity as the probability that any pair of neighboring nodes can establish a direct

pairwise key after deployment. In resource-constrained sensor networks, high connectivity

is preferred because it means that each node does not need to spend too much scarce

energy in establishing indirect pairwise keys through multi-hop routing.

Suppose node $n_{uv} \in G_{uv}$ resides at $(x, y)$. Let $A(n^{u'v'}_j, n_{uv})$ be the event that node $n^{u'v'}_j \in G_{u'v'}$ is a neighbor of $n_{uv}$, $B(n^{u'v'}_j, n_{uv})$ be the event that node $n^{u'v'}_j$ is a secure neighbor of $n_{uv}$, and $C(n^{u'v'}_j, n_{uv})$ be the event that node $n^{u'v'}_j$ is in the same group as $n_{uv}$ or one of the neighboring groups of $n_{uv}$. By secure neighbors, we mean those neighboring nodes of one given node, say $n_{uv}$, that can establish direct keys with it. The probability


that $n^{u'v'}_j \in G_{u'v'}$ is a neighbor of node $n_{uv}$ is the integral of the PDF $p_{u'v'}(x, y)$ over the circle around node $n_{uv}$, i.e.,

$$P\big(A(n^{u'v'}_j, n_{uv})\big) = \iint_{|n^{u'v'}_j - n_{uv}| \le R} p_{u'v'}(x, y)\, dx\, dy ,$$

where $R$ is the node transmission range, which is the same for all the sensor nodes, $|n^{u'v'}_j - n_{uv}|$ denotes the distance between nodes $n^{u'v'}_j$ and $n_{uv}$, and $p_{u'v'}(x, y)$ is the distribution of the resident points of the nodes in $G_{u'v'}$. If we assume a general distribution $p(x, y)$ of node resident points, then the distribution $p_{uv}(x, y)$ for a particular group $G_{uv}$ can be $p(x - x_u, y - y_v)$, where $(x_u, y_v)$ is the coordinate of the deployment point of $G_{uv}$.

Let $T^{u'v'}_j$ be the experiment:

$$T^{u'v'}_j = \begin{cases} 1, & A(n^{u'v'}_j, n_{uv}) \text{ happens;} \\ 0, & \text{otherwise.} \end{cases}$$

Then the average number of neighbors of node $n_{uv}$ located at $(x, y)$ is:

$$N_{uv}(x, y) = \sum_{n^{u'v'}_j \ne n_{uv}} E\big[T^{u'v'}_j\big] = \sum_{n^{u'v'}_j \ne n_{uv}} P\big(A(n^{u'v'}_j, n_{uv})\big),$$

where $E[T^{u'v'}_j]$ indicates the expectation of $T^{u'v'}_j$.

We can calculate the average number of secure neighbors of node $n_{uv}$ located at $(x, y)$ in a similar way, i.e.,

$$M_{uv}(x, y) = \sum_{n^{u'v'}_j \ne n_{uv}} P\big(B(n^{u'v'}_j, n_{uv})\big) = \sum_{n^{u'v'}_j \ne n_{uv}} P\big(A(n^{u'v'}_j, n_{uv}) \cap C(n^{u'v'}_j, n_{uv})\big).$$

Then the average number of neighbors of one node is

$$\bar N = \sum_{u,v} P(n_{uv} \in G_{uv}) \iint N_{uv}(x, y)\, p_{uv}(x, y)\, dx\, dy = \frac{1}{UV} \sum_{u,v} \iint N_{uv}(x, y)\, p(x - x_u, y - y_v)\, dx\, dy ,$$


and the average number of secure neighbors of one node is:

$$\bar M = \sum_{u,v} P(n_{uv} \in G_{uv}) \iint M_{uv}(x, y)\, p_{uv}(x, y)\, dx\, dy = \frac{1}{UV} \sum_{u,v} \iint M_{uv}(x, y)\, p(x - x_u, y - y_v)\, dx\, dy .$$

Hence, the network connectivity $p$ can be calculated as

$$p = \frac{\bar M}{\bar N}. \qquad (3–6)$$

To evaluate the connectivity, we need the distribution of node resident points. A reasonable assumption is that the PDF of node resident points follows a two-dimensional Gaussian distribution,

$$p(x, y) = \frac{1}{2\pi\sigma^2} \exp\left(-\frac{x^2 + y^2}{2\sigma^2}\right), \qquad (3–7)$$

where we assume the corresponding deployment point to be the origin of the coordinate system.

Using the same configuration parameters given in Section 3.6.1, we can calculate

the probability (denoted by pr) that a node resides in its home cell after deployment.

pr is obtained by choosing the variance of the Gaussian distribution such that the

node resides, with probability pr, in the circle that has the same diameter as its home cell. Fig. 3-7

and Fig. 3-8 plot the connectivity versus the inter-cell distance, normalized by the

node transmission range, for pr = 0.9 and pr = 0.99, respectively. When the cell size

is small, a node transmission range may not only cover its home cell and neighboring

cells but also cover other non-neighboring cells, which means the node may have many

neighbors with which it cannot establish direct pairwise keys. Hence, the connectivity is

small. With the increase of the inter-cell distance, the connectivity of both vertex-based

and edge-based schemes would increase dramatically, because the number of neighbors

with which a node cannot establish direct pairwise keys decreases quickly. In particular,

when the inter-cell distance is larger than two times of the node transmission range,


the connectivity of all schemes becomes stable at a very high level, because most of the

neighbors of a node are from its home cell or neighboring cells. It means that every node

can establish direct pairwise keys with almost all its neighbors. However, the cell size

should not be set too large. Otherwise, the number of nodes in one cell would be too large

when the node density is (approximately) constant, leading to a large number of nodes

sharing one polynomial. In this case, to maintain a certain security level, the polynomial degree

should be increased, which means more memory cost. Hence, to achieve the tradeoff

between security and connectivity, the cell size should be set to the smallest value at which

the connectivity reaches the desired level.
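A Monte Carlo version of the connectivity estimate p = M̄/N̄ of Section 3.6.3, as an added example rather than the thesis's own evaluation code. It assumes square cells of inter-cell distance D on a 10 × 10 grid, a fixed number of nodes per cell (so, unlike the thesis's setting, density is not held constant as D varies), and an LBKP-style rule that two neighbors are secure neighbors when their home cells are the same or adjacent (8-neighborhood). The Gaussian variance is chosen as described above, so that a node stays inside the circle with its cell's diameter with probability pr. Sweeping D from 0.5R to 3R reproduces the shape of Fig. 3-7: low connectivity for small cells, near-full connectivity once D exceeds about 2R.

```python
"""Monte Carlo estimate of connectivity p = M/N, Section 3.6.3 (added example).
Square cells, fixed nodes per cell and the adjacent-cell rule are assumptions."""
import math
import random


def sigma_for_home_cell_prob(pr, radius):
    """Variance choice of Section 3.6.3: sigma such that the 2-D Gaussian of
    Eq. (3-7) lands inside a circle of the given radius with probability pr.
    The radial distance is Rayleigh distributed: P(r <= a) = 1 - exp(-a^2/(2 sigma^2))."""
    return radius / math.sqrt(-2.0 * math.log(1.0 - pr))


def deploy(grid, per_cell, d, sigma, rng):
    """Resident points: cell centre (i*D, j*D) plus Gaussian deployment error;
    each node is tagged with its home cell (i, j)."""
    return [((i, j), (i * d + rng.gauss(0.0, sigma), j * d + rng.gauss(0.0, sigma)))
            for i in range(grid) for j in range(grid) for _ in range(per_cell)]


def connectivity(nodes, r):
    """Empirical M/N: the fraction of neighbour pairs (distance <= R, event A)
    whose home cells are the same or adjacent (event C)."""
    neighbours = secure = 0
    for a, (cell_a, (xa, ya)) in enumerate(nodes):
        for cell_b, (xb, yb) in nodes[a + 1:]:
            if (xa - xb) ** 2 + (ya - yb) ** 2 <= r * r:
                neighbours += 1
                if abs(cell_a[0] - cell_b[0]) <= 1 and abs(cell_a[1] - cell_b[1]) <= 1:
                    secure += 1
    return secure / neighbours if neighbours else 0.0


def connectivity_vs_distance(ratios, pr=0.9, r=50.0, grid=10, per_cell=5, seed=1):
    """Connectivity for inter-cell distances D = ratio * R (the x-axis of Fig. 3-7).
    sigma is set so a node stays within radius D/2 of its cell centre with
    probability pr, i.e. inside the circle with the cell's diameter."""
    rng = random.Random(seed)
    result = {}
    for ratio in ratios:
        d = ratio * r
        sigma = sigma_for_home_cell_prob(pr, d / 2.0)
        result[ratio] = connectivity(deploy(grid, per_cell, d, sigma, rng), r)
    return result


if __name__ == "__main__":
    for ratio, p in connectivity_vs_distance([0.5, 1.0, 2.0, 3.0]).items():
        print(f"D = {ratio:.1f} R  ->  connectivity {p:.3f}")
```

At D = 0.5R a node's radio range covers cells two steps away, so a sizeable share of its neighbors are in non-adjacent cells and p falls well below 1; at D = 3R almost every neighbor is in the home cell or an adjacent one and p is essentially 1.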

It is well known that energy consumption is of paramount importance for resource-constrained

sensor networks. It is, therefore, wise to minimize radio transmissions and receptions.

Random distribution schemes [13, 15–19] have low connectivity and thus have to rely

on multi-hop and/or multi-path routing to establish indirect keys for maintaining an

acceptable global network connectivity. Although the square-grid-based schemes [37, 38]

may improve the connectivity, they still use random distribution in each cell and thus

cannot guarantee full connectivity between two neighboring cells, thus leading to

unfavorable energy consumption in establishing indirect pairwise keys. By contrast, our

schemes are highly energy-efficient and thus well suited to resource-constrained

sensor networks in that there is almost no need for establishing indirect pairwise keys.

3.7 Conclusion

In this chapter, we investigated different deployment models for their use in pairwise

key establishment for wireless sensor networks. We demonstrated that the hexagon

and the triangle grid deployment models have much better security performance than

the square one used in previous proposals. We also proposed a novel edge-based secret

pre-distribution model which can greatly reduce the memory costs of sensor nodes.

Our proposed pairwise key establishment protocol features perfect resilience to node

compromise attacks with much smaller memory costs. In addition, it can guarantee a

Figure 3-7. Connectivity versus normalized inter-grid distance (curves: LBKP, HEX-V, HEX-E, TRI-E). The probability that each node resides in its own cell is 0.9.

high network connectivity and thus greatly reduce the communication overhead and

transmission energy consumption incurred in establishing indirect pairwise keys through

multi-hop and/or multi-path routing. To summarize, we propose a lightweight, simple, and

secure solution to establish pairwise keys in resource-constrained sensor networks.

Figure 3-8. Connectivity versus normalized inter-grid distance (curves: LBKP, HEX-V, HEX-E, TRI-E). The probability that each node resides in its own cell is 0.99.

CHAPTER 4

SCALABLE KEY ESTABLISHMENT IN WIRELESS SENSOR NETWORKS

4.1 Introduction

We have shown in previous chapters that key management is very critical to security

protocols, because encryption and authentication services are based on the operations

involving keys. One of the fundamental problems of key management is how to set up keys

to protect connections between sensor nodes. Generally, two kinds of connections can be

formed in a network. One is the one-hop connection between a pair of neighboring nodes.

In the network stack, this one-hop connection is managed by the link layer protocol. In

order to secure the link layer connection, a shared link layer key (called LLK hereafter)

needs to be established between the neighboring nodes. The other type of connection can

be formed between two nodes over a multihop path. Because the two nodes are out of the

neighborhood of each other, this end-to-end connection is managed by the transport layer

protocol instead of the link layer protocol. Therefore, a transport layer key (called TLK

hereafter) needs to be established to provide the end-to-end security.

As is shown in Chapter 2, the TLK establishment is not an easy problem. In a

network of N nodes, theoretically, each node can be preloaded with N − 1 keys uniquely

shared with other nodes, but the feasibility can be challenged because of the contradictory

requirements between the scarce memory of sensor nodes and the large scale of sensor

networks. Instead, most recent solutions [13, 15–19] relax the security requirement and

target the establishment of link layer keys (LLKs) between any pair of neighboring

nodes. In a large scale sensor network, the number of neighbors of a node is usually a

small constant. Thus it is more feasible to establish an LLK infrastructure, which

saves memory. Based on this LLK infrastructure, two end nodes can perform

secure communications over a multi-hop path with the help of intermediate nodes, and

can negotiate a TLK on demand, if needed, through the secure handshake. The LLK

infrastructure can effectively prevent external attackers from accessing the network, but


cannot counteract internal attackers, such as compromised nodes. Therefore, a TLK

negotiated along a multi-link path can be exposed if any of the intermediate nodes is

compromised. Because the number of hops along a path can be large, the possibility of the

TLK exposure is rather high.

Moreover, the previous LLK schemes [13, 15–19] themselves are also vulnerable to

node compromise. An adversary can use the secrets in compromised nodes to derive the

secrets shared between other non-compromised nodes. Hence some compromised nodes

may cause many failure points in the network and destroy the entire LLK infrastructure.

Another drawback of the previous LLK schemes is that they have a large memory

requirement to maintain a certain level of security or connectivity.

Based on our work in [9], here we introduce a novel key establishment scheme by combining deployment knowledge. First, we consider a two dimensional grid model, which leads to LAKE (two-LAyer Key Establishment) [48], for the establishment of both TLKs and LLKs in sensor networks. Particularly, all sensor nodes are organized into a two dimensional space, and a tri-variate polynomial is pre-distributed to facilitate the establishment of TLKs and LLKs in the space. To increase connectivity and reduce communication overhead, the nodes close to each other are preloaded with correlated secrets, called shares, derived from the tri-variate polynomials. Second, we extend our scheme into the multi-dimension case and propose an efficient LLK scheme [49]. The main contributions are as follows:

1. Our LAKE effectively addresses the TLK establishment problem for sensor networks. Any two nodes can negotiate a TLK on demand directly or with the help of only one intermediate node. Though in conventional LLK schemes two nodes can also negotiate a TLK through a multi-hop path, there is more than one intermediate node that can learn the TLK. Hence LAKE is much more secure under the node compromise attack compared with the conventional proposals;

2. Compared with the conventional LLK schemes, our scheme features much less memory cost;

3. By utilizing location information, our scheme guarantees that two neighboring nodes can establish a direct LLK with high probability. This provides energy efficiency compared with the conventional LLK schemes because the probability of indirect LLK establishment through multi-hop paths between two neighboring nodes is reduced.


4.2 Two Dimension Grid Design for TLK and LLK Establishment

In LAKE, a t-degree tri-variate polynomial is pre-distributed to facilitate key

establishment in a two-dimensional space, which is a special case of our model discussed

in Chapter 2. We will show that LAKE can efficiently establish both LLKs and TLKs

between sensor nodes. An LLK infrastructure can be established just after network

deployment. TLKs are established on demand when two end nodes need to communicate

with each other.

4.2.1 Network Model

It has been shown in Chapter 3 that utilizing deployment information can achieve

higher connectivity. So, even though our key agreement model can achieve deterministic key

agreement between any pair of nodes, as is shown in [9], we consider incorporating

deployment information into LAKE.

The entire network is divided into N1 non-overlapping square cells and each cell

includes N2 sensor nodes. Each node in the network is identified by a coordinate (n1, n2)

in the two-dimensional space, where ni = 0, 1, . . . , Ni − 1, i ∈ {1, 2}, and we may use the

coordinate (n1, n2) as the node ID and the index n1 as the cell ID.

Cell IDs are assigned in a fixed order such that each cell ID acts like a coordinate in a

two-dimensional plane. We may allocate 2h higher bits from the node ID field for the cell

ID. The 2h bits are divided into a pair of integers (i, j), where i is the row index and j is

the column index of the cell. Hence, each cell ID reflects the location information of the

corresponding nodes. This information is coarse, so we can only tell in which area a node

with a given cell ID resides. The node deployment in each cell may follow any probabilistic

distribution, such as Gaussian [17, 45, 50] or uniform [36, 38, 46]. We assume Gaussian

distribution here.

Our key agreement model is deterministic, so every node knows with which of other

nodes it can establish a shared key directly. If two nodes cannot calculate a shared key

directly, they rely on one intermediate node to negotiate an indirect key. Just like previous

Figure 4-1. A two-dimension sensor network. (Nodes shown in the figure: (0,n2), (7,n2), (8,n2), (56,n2), (63,n2), (18,4), (18,6), (37,4), (37,6).)

work [13, 15–19], we assume the underlying routing protocol can correctly route key

negotiation messages over multihop paths between those peer nodes.

Fig. 4-1 illustrates an example of the network model. There are 64 cells in the

network. Each cell consists of N2 nodes. We assign cell IDs in order from left to

right and from top to bottom. Every node can be located by the cell ID in its node ID.

For example, node (0, n2) is in the top-left cell, and node (63, n2) is in the

bottom-right cell. Other examples of nodes are also depicted in Fig. 4-1.

4.2.2 Share Pre-distribution

Before network deployment, a global t-degree tri-variate polynomial is chosen. This

polynomial is used to derive shares for sensor nodes.

To establish keys, every node should have two credentials (c1, c2), which are positive

and pairwise different. These credentials can be created and preloaded into nodes before

deployment. However, this requires additional memory space per node. Fortunately, the two

credentials can be derived from the node ID by a bijection, i.e.,

$$c_1 = n_1 + 1 + N_2, \qquad c_2 = n_2 + 1, \qquad (4–1)$$


where ni = 0, 1, . . . , Ni − 1 for i = 1, 2. Thus, the two credentials are drawn from the disjoint

ranges [N2 + 1, N1 + N2] and [1, N2] respectively, which guarantees that they are positive and

pairwise different. Besides, with this mapping, each node needs to store only N2

instead of two credentials.

Every node in the network is assigned a polynomial share

$$f(c_1, c_2, x_3) = f(n_1 + 1 + N_2,\; n_2 + 1,\; x_3) = \sum_{i_1=0}^{t} \sum_{i_2=0}^{t} \sum_{i_3=0}^{t} a_{i_1, i_2, i_3}\, (n_1 + 1 + N_2)^{i_1} (n_2 + 1)^{i_2} x_3^{i_3} . \qquad (4–2)$$

Hence, every node in the network needs to keep only a t-degree univariate polynomial

that has t + 1 coefficients over a finite field Fq. Those coefficients are preloaded into every

node’s memory before deployment and used to establish keys after deployment.

4.2.3 Direct Key Calculation

Two nodes can calculate a shared key directly if they have a credential in common,

i.e., a common index in their node IDs. We will call one of the two nodes a level-i

neighbor of the other if their i-th indices in their IDs are different and the other indices

are the same. Obviously, every node can establish shared keys with its neighbors at level 1

(inter-cell) and level 2 (intra-cell).

In the two-dimensional network, all nodes in each cell are level-2 neighbors because

they have the same cell ID, and each node has a level-1 neighbor in each of the other cells.

For example, in the two-dimension network in Fig. 4-1, node (18, 4) and node (18, 6) are

level-2 neighbors and they can calculate a shared key directly. Node (18, 4) and node

(37, 4) are level-1 neighbors and they can also calculate a shared key directly.

Every node can calculate direct keys by itself without interaction with other logical

neighbors. Each direct key between two logical neighboring nodes is known only to

them. An adversary cannot learn the direct key unless he/she knows the corresponding

polynomial share.


4.2.4 Indirect Key Negotiation

If two nodes have no common indices in their IDs, they cannot calculate a shared

key directly because they are not logical neighbors. This happens when the two nodes

reside in different cells and they have different indices in their cells, respectively. In this

case, one node can find in its cell a level-2 neighbor, which is also a level-1 neighbor of

the other node. Then the intermediate node can act as an agent to facilitate a shared key

negotiation between the two end nodes.

There are two agent nodes that can help the indirect key negotiation. Suppose node $u$ with ID $(u_1, u_2)$ and node $v$ with ID $(v_1, v_2)$, where $u_1 \ne v_1$ and $u_2 \ne v_2$, need to negotiate a shared key. Either node $(u_1, v_2)$ or node $(v_1, u_2)$ can act as an agent, because each is a common neighbor of nodes $u$ and $v$. Then an indirect key can be established through the following protocol:

$$u \to a : \big\langle a, u, n_u, \{\langle v, u, K_{uv}\rangle\}_{K_{ua}}, H(a \parallel u \parallel n_u \parallel \{\langle v, u, K_{uv}\rangle\}_{K_{ua}} \parallel K_{ua}) \big\rangle ,$$

$$a \to v : \big\langle v, a, n_a, \{\langle v, u, K_{uv}\rangle\}_{K_{av}}, H(v \parallel a \parallel n_a \parallel \{\langle v, u, K_{uv}\rangle\}_{K_{av}} \parallel K_{av}) \big\rangle ,$$

where a is an agent node, nu and na are nonces used to counteract replay attacks, Kuv

is the indirect key between node u and node v, Kua and Kav are direct keys shared with

the agent a, “{·}{·}” is the encryption operation, H(·) is a hash function that generates

a message authentication code for authentication and integrity checking, and “‖” is the

concatenation operator. After verifying the authenticity and the integrity of the key Kuv,

the agent node a forwards the key to node v and immediately deletes it so that it cannot

be revealed later.

For example in Fig. 4-1, there are two secure paths between node (18, 6) and node

(37, 4) and a shared key can be negotiated through either of the secure paths with the help

of the agent nodes (18, 4) or (37, 6).
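The share derivation of Eq. (4–2), the direct key calculation of Section 4.2.3 and the agent-mediated negotiation of Section 4.2.4, worked through in code. This is an added example, not the thesis's implementation. It assumes that the global tri-variate polynomial is symmetric in its three variables (which is what makes both ends of a level-1 or level-2 pair compute the same value from their own shares), a constructed field size q and degree t, and 8 nodes per cell; the encryption {·}_K and the keyed hash H(· ‖ K) of the protocol are replaced by a SHA-256 keystream and an HMAC tag, stand-ins for whatever cipher and MAC a deployment would use.

```python
"""LAKE shares, direct keys and agent-mediated indirect keys (added example).
The symmetric polynomial, q, t, N2 and the cipher/MAC stand-ins are assumptions."""
import hashlib
import hmac
import random
from itertools import product

Q = 2_147_483_647   # prime field F_q (constructed choice)
T = 3               # polynomial degree t (constructed; deployments use a larger t)
N2 = 8              # nodes per cell (assumption); Fig. 4-1 has 64 cells

def gen_symmetric_poly(t, q, rng):
    """Random t-degree tri-variate polynomial whose coefficient a[i1,i2,i3] is the
    same for every permutation of the indices, so f is symmetric in x1, x2, x3."""
    base = {}
    for idx in product(range(t + 1), repeat=3):
        base.setdefault(tuple(sorted(idx)), rng.randrange(q))
    return {idx: base[tuple(sorted(idx))] for idx in product(range(t + 1), repeat=3)}

def credentials(node):
    """Eq. (4-1): c1 = n1 + 1 + N2, c2 = n2 + 1; disjoint positive ranges."""
    n1, n2 = node
    return n1 + 1 + N2, n2 + 1

def make_share(poly, node, t=T, q=Q):
    """Eq. (4-2): the univariate share f(c1, c2, x3) a node stores (t + 1 coefficients)."""
    c1, c2 = credentials(node)
    coeffs = [0] * (t + 1)
    for (i1, i2, i3), a in poly.items():
        coeffs[i3] = (coeffs[i3] + a * pow(c1, i1, q) * pow(c2, i2, q)) % q
    return coeffs

def eval_share(coeffs, x, q=Q):
    """Horner evaluation of a share at x3 = x."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % q
    return acc

def direct_key(shares, u, v):
    """Section 4.2.3: level-2 neighbours (same cell) evaluate at the other's c2,
    level-1 neighbours (same in-cell index) at the other's c1; None otherwise."""
    if u == v:
        return None
    cv1, cv2 = credentials(v)
    if u[0] == v[0]:
        return eval_share(shares[u], cv2)
    if u[1] == v[1]:
        return eval_share(shares[u], cv1)
    return None

def agents(u, v):
    """Section 4.2.4: the two candidate agents (u1, v2) and (v1, u2)."""
    return [(u[0], v[1]), (v[0], u[1])]

def _subkey(key, label):
    return hashlib.sha256(label + key.to_bytes(8, "big")).digest()

def seal(key, header, payload, nonce):
    """Stand-in for <header, nonce, {payload}_K, H(header || nonce || ct || K)>."""
    stream = hashlib.sha256(_subkey(key, b"enc") + nonce).digest()
    ct = bytes(p ^ s for p, s in zip(payload, stream))
    tag = hmac.new(_subkey(key, b"mac"), header + nonce + ct, hashlib.sha256).digest()
    return header, nonce, ct, tag

def unseal(key, header, nonce, ct, tag):
    """Check the tag first; return the payload, or None when verification fails."""
    expect = hmac.new(_subkey(key, b"mac"), header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    stream = hashlib.sha256(_subkey(key, b"enc") + nonce).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))

def negotiate_indirect_key(shares, u, v, a, rng):
    """The u -> a -> v exchange of Section 4.2.4. Returns (K_uv chosen by u, key
    recovered by v, or None when a check fails); the agent forgets K_uv afterwards."""
    if a not in agents(u, v):
        raise ValueError("agent must be a common neighbour of u and v")
    nonce = lambda: rng.getrandbits(64).to_bytes(8, "big")
    k_uv = rng.getrandbits(64).to_bytes(8, "big")
    ids = bytes([*v, *u])                                   # the <v, u> identifiers
    msg1 = seal(direct_key(shares, u, a), bytes([*a, *u]), ids + k_uv, nonce())
    plain = unseal(direct_key(shares, a, u), *msg1)         # a verifies under K_au
    if plain is None:
        return k_uv, None
    msg2 = seal(direct_key(shares, a, v), bytes([*v, *a]), plain, nonce())
    del plain                                               # agent deletes K_uv
    got = unseal(direct_key(shares, v, a), *msg2)
    return k_uv, (got[4:] if got is not None and got[:4] == ids else None)

def setup(seed=7, nodes=((18, 4), (18, 6), (37, 4), (37, 6))):
    """Constructed network: one global polynomial and the shares of a few nodes."""
    rng = random.Random(seed)
    poly = gen_symmetric_poly(T, Q, rng)
    return rng, {n: make_share(poly, n) for n in nodes}
```

Using the Fig. 4-1 nodes, (18, 4) and (18, 6) obtain the same level-2 key from their own shares, (18, 4) and (37, 4) the same level-1 key, and (18, 6) and (37, 4), which share no credential, obtain a key only through agent (18, 4) or (37, 6). The agent verifies the tag under its own copy of K_ua before re-encrypting for v and discards the plaintext, as the section prescribes; a message with a wrong tag, or whose identifiers do not match ⟨v, u⟩, yields None rather than a key.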


4.2.5 LLK Establishment

Given node density and radio radius in a large scale sensor network, the number of

neighbors of a node is usually small. Each node may establish LLKs for all neighbors

and keep those LLKs in its memory for future use. This can be done just after node

deployment because each node has been preloaded with a polynomial share which can help

key establishment.

When two neighboring nodes are from the same cell, i.e., have the same cell index,

they can apply the direct key calculation to establish an LLK. Due to the deployment

knowledge, we can expect that each node can establish LLKs directly with most of its

neighboring nodes because most of them are from the same cell.

If two neighboring nodes are from different cells but they are level-1 neighbors, then

they can calculate a direct LLK, just like nodes (1, 2) and (2, 2) in Fig. 4-2. Even if two

level-1 neighbors are far away from each other, like nodes (1, 5) and (2, 5), they can always

calculate a shared key independently.

The keys between level-1 neighbors can act as bridges between two cells. A node

in one cell can go through any of the bridges to negotiate keys with nodes in the other

cell. In Fig. 4-2, for example, node (1, 2) can negotiate an indirect LLK with node (2, 6)

through either node (2, 2) or node (1, 6).

Due to the deployment error, some nodes may reside outside of their supposed cells.

In Fig. 4-2, for example, node (1, 7) needs to establish LLKs with neighboring nodes (2, 2),

(2, 5), (2, 6). In this case, node (1, 7) can carry out indirect key negotiation through its

level-1 neighbor (2, 7). Of course, node (2, 7) may be multihop away from node (1, 7), but

the underlying routing protocol can route key negotiation messages between them, just as

is shown in previous work.

Communication overhead is a concern in indirect LLK negotiation. LAKE

includes deployment information in the establishment of LLKs, so each node

may calculate direct LLKs with almost all of its neighbors. This high local secure

Figure 4-2. LLK establishment. (Nodes shown on either side of a cell boundary: (1,2), (2,2), (1,6), (1,7), (2,7), (1,5), (2,5), (2,6).)

connectivity is desirable because it means that each node does not need to spend too

much energy on the establishment of indirect LLKs with neighbors through multi-hop

routing. Conventional LLK schemes with uniform key pre-distribution consume more energy

because of their lower local secure connectivity. In the next section, we will evaluate

the secure connectivity assuming a Gaussian distribution for node location in each cell.

4.2.6 TLK Establishment

Due to the huge number of nodes in the network, it is impossible to establish a

TLK for each pair of nodes and store the TLK in the pair of nodes during the network

initialization phase. Dynamic establishment of TLKs is much more promising in large scale

sensor networks. Generally, a TLK should be dynamically established on demand during

the handshake procedure between any pair of nodes when they want to communicate with

each other.

Similar to the LLK establishment, each node can establish a direct TLK with each of the other nodes in its cell because they are level-2 neighbors. As each node has a level-1 neighbor in each of the other cells in the network, it can establish a direct TLK with the level-1 neighbor in that cell (like nodes (18, 6) and (37, 6) in Fig. 4-1). Then it can rely on the level-1 neighbor as an agent to establish indirect TLKs with other nodes in that cell (in Fig. 4-1, node (18, 6) can negotiate an indirect TLK with node (37, 4) through node (37, 6)). Due to the deployment error, there is a possibility that node (37, 6) is not in cell 37, but the underlying routing protocol can relay key negotiation messages between these nodes, as is assumed in previous work.

If a secure link is defined as the communication path between two nodes that have a shared key, where the secure link may be one-hop or multi-hop, LAKE can achieve TLK agreement through a secure path consisting of no more than two secure links, which means that at most one agent is needed to facilitate TLK establishment between any two end nodes. Each secure path in most conventional schemes, which target LLK establishment, usually consists of more than two secure links, and the length of the secure path is difficult to determine because it depends not only on the underlying routing protocol but also on the establishment of direct keys between neighboring nodes, especially in large-scale networks. Thus most conventional schemes are more vulnerable to the node compromise attack than LAKE.

4.2.7 Performance Evaluation

In this section, we carry out some performance evaluation on the memory cost,

the resilience to the node compromise attack, the local secure connectivity, and the

computation overhead.

4.2.7.1 Memory cost

According to Chapter 2, we can simply obtain the minimum polynomial degree $t^*$ as

$$t^* \le \sqrt[3]{3!}\, N_1 = 1.8171\, N_1 . \quad (4–3)$$

Because each node keeps $t + 1$ coefficients of a $t$-degree univariate polynomial, the memory cost per node is less than $1.8171\sqrt{N} + 1$ when $N_1 = \sqrt{N}$, where $N$ is the total number of nodes in the network.

We compare the memory cost per node of our LAKE with some typical schemes

in Table 4-1. The second column in Table 4-1 gives the normal memory cost of each

scheme. In key-pool-based schemes [13, 15, 16, 20, 37, 40], each node keeps m keys out


of a global or local key pool. Du’s [17], Liu’s [18] and Huang’s [38] schemes replace key

pools with space pools of matrix or polynomials of degree t. In PIKE [25], each node is

preloaded with unique pairwise keys for 2(√

N − 1) nodes, where N is the total number of

nodes in the network. The hypercube scheme [19] uses a higher-dimensional grid. Unlike PIKE, hypercube uses a t-degree bivariate polynomial for each dimension. For a fair comparison, we assume a two-dimensional grid for hypercube. Therefore, the memory cost of hypercube

is 2(t + 1). In LBKP [36] each node is preloaded with 5 polynomial shares, each of which

has a degree of t. HEX [45] and TRI [46] have memory cost of 6(t + 1) and 3(t + 1),

respectively. In LAKE, unlike previous work, each node needs to keep only a t-degree

univariate polynomial and thus the memory cost is only t + 1.

The third column in Table 4-1 gives how many memory units are necessary to provide secrecy for direct keys, i.e., no matter how many nodes are compromised, the direct keys among non-compromised nodes are still safe. Key-pool-based schemes [13, 15, 16, 20, 37, 40] cannot provide secrecy because each time an adversary compromises one more node he/she knows more keys in the global or local key pools. In Du’s [17], Liu’s [18] and Huang’s [38] schemes, the degree of each matrix or polynomial must be set as $t = N - 2$ to avoid the exposure of direct keys, so their memory cost is on the order of $N$. In PIKE [25], all those $2(\sqrt{N} - 1)$ keys are preloaded and unique, so any of the keys remains secure even if the other keys are compromised. In two-dimensional hypercube [19], each dimension has $\sqrt{N}$ nodes. In order to protect direct keys, the polynomial degree must be set as $t = \sqrt{N} - 2$ and thus the memory cost is $2(\sqrt{N} - 1)$. Suppose LBKP [36], HEX [45], TRI [46] and LAKE use the same network configuration, where the entire network is divided into $\sqrt{N}$ cells and each cell consists of $\sqrt{N}$ nodes. In LBKP [36], to guarantee that each bivariate polynomial is secret, the degree should be no less than $5\sqrt{N} - 2$ because each bivariate polynomial is used in its home cell and four adjoining cells. Similarly, the memory costs of HEX [45] and TRI [46] are $6(2\sqrt{N} - 1)$ and $3(2\sqrt{N} - 1)$, respectively. However, the memory cost of LAKE is less than $1.8171\sqrt{N} + 1$.

Table 4-1. Memory cost of different schemes.

Schemes                                   Memory Cost         For Secrecy
key-pool-based [13, 15, 16, 20, 37, 40]   $m$                 none (cannot provide secrecy)
space-pool-based [17, 18, 38]             $O(\lambda(t+1))$   $O(\lambda(N-1))$
PIKE-2D [25]                              $2(\sqrt{N}-1)$     $2(\sqrt{N}-1)$
Hypercube-2D [19]                         $2(t+1)$            $2(\sqrt{N}-1)$
LBKP [36]                                 $5(t+1)$            $5(5\sqrt{N}-1)$
HEX [45]                                  $6(t+1)$            $6(2\sqrt{N}-1)$
TRI [46]                                  $3(t+1)$            $3(2\sqrt{N}-1)$
LAKE                                      $t+1$               $< 1.8171\sqrt{N}+1$

4.2.7.2 Resilience to node compromise

By launching the node compromise attack, an adversary may easily obtain all secrets

stored in the compromised nodes. Usually, it is impossible to prevent this kind of attack

due to the lack of tamper-proof hardware. Furthermore, the adversary may use the

compromised secrets to derive the direct keys belonging to other pairs of normal nodes. In

addition, by compromising some nodes, the adversary can also obtain the messages passing

through these nodes. This may also lead to the exposure of indirect keys. Here we can use

the additional key exposure probability to evaluate the resilience to the node compromise

attack.

By choosing the global polynomial degree t, we can achieve the secrecy of the global

polynomial, i.e., no matter how many nodes an adversary compromises, he/she cannot

calculate the direct keys belonging to other pairs of non-compromised nodes. Hence, the

additional direct key exposure probability of LAKE is 0.

In conventional key-pool-based or space-pool-based schemes [13, 15, 16, 20, 37, 40], every time an adversary compromises one more node, he/she obtains more information about the global key pool or space pool, which means more keys are compromised. For example, in E-G [13], the additional direct key exposure probability can be calculated as [15, 37]

$$P_c = 1 - \left(1 - \frac{M}{S}\right)^x , \quad (4–4)$$

where each node randomly selects a key subset of size $M$ from a global key set of size $S$ and the number of compromised nodes is $x$. We can see it is an increasing function of $x$.

PIKE (peer intermediaries for key establishment) [25] can also achieve the zero

additional direct key exposure probability because of the pre-distribution of unique direct

keys.

Hypercube-2D [19], LBKP [36], HEX [45] and TRI [46] use t-degree bivariate polynomials to achieve key agreement. Suppose there are $A$ nodes sharing a t-degree bivariate polynomial and $N$ is the total number of nodes in the network. Given $x$ compromised nodes, the probability that $i$ out of the $A$ nodes were compromised is

$$P_c(i) = \frac{\binom{A}{i}\binom{N-A}{x-i}}{\binom{N}{x}} , \quad (4–5)$$

and thus the probability that the polynomial was compromised is given by

$$P_c = \sum_{i=t+1}^{A} P_c(i) . \quad (4–6)$$

Suppose each node has a memory size of $M$ units for cryptographic materials, each memory unit can accommodate a cryptographic key or a polynomial coefficient, and each node must keep $B$ polynomial shares; then $t + 1 = \lfloor M/B \rfloor$ and the probability of exposing a polynomial can be rewritten as

$$P_c = \sum_{i=\lfloor M/B \rfloor}^{A} P_c(i) . \quad (4–7)$$

Here the values of $A$ and $B$ are $\sqrt{N}$ and 2 for Hypercube-2D [19], $5N_c$ and 5 for LBKP [36], $2N_c$ and 6 for HEX [45], and $2N_c$ and 3 for TRI [46], where $N_c$ is the number of nodes in one cell.

An example: Suppose 10000 nodes are deployed in an area of 2000 × 2000 m². The global key pool of E-G [13] is set to 100000. PIKE [25] and Hypercube [19] use a two-dimensional grid. For LBKP [36], HEX [45], TRI [46] and LAKE, there are 100 cells and thus the number of nodes per cell is 100. Suppose each node has a memory size of M units for cryptographic materials and each memory unit can accommodate a cryptographic key or a polynomial coefficient. Fig. 4-3 and Fig. 4-4 give the additional direct key exposure probability against the fraction of compromised nodes when M = 240 and M = 180, respectively. We observe that LAKE outperforms the other schemes with zero probability of additional direct key exposure. When there is more memory (M = 240), Hypercube-2D [19] can also give zero probability of additional direct key exposure. However, when memory is limited (M = 180), Hypercube-2D [19] becomes vulnerable to node compromise.

Figure 4-3. M = 240. (Link compromise probability against the fraction of compromised nodes for E-G, PIKE, Hypercube, LBKP, HEX, TRI and LAKE.)

Figure 4-4. M = 180. (Link compromise probability against the fraction of compromised nodes for E-G, PIKE, Hypercube, LBKP, HEX, TRI and LAKE.)

Every node needs an agent node to establish indirect LLKs and TLKs with other nodes. If the agent node is compromised, the indirect keys are exposed. Suppose $x$ out of the $N$ nodes in the network are compromised. The probability of indirect key exposure is

$$P_c = 1 - \frac{\binom{N-1}{x}}{\binom{N}{x}} = \frac{x}{N} . \quad (4–8)$$

PIKE-2D [25] and Hypercube-2D [19] can achieve the same probability of indirect key exposure because they also rely on one agent node to establish pairwise keys between neighboring nodes. In other schemes [13, 15, 16, 20, 37, 40], two nodes have to rely on

a secure path consisting of multiple agent nodes to establish an indirect key. It is very

difficult to determine those agent nodes because it depends on not only the underlying

routing protocol but also the establishment of direct keys between neighboring nodes,

especially in large scale networks. For example, in E-G [13] the secure path between two

neighboring nodes consists of 2 or 3 agent nodes and the secure path between any two

end nodes consists of more than 11 agent nodes on average [13]. Suppose the secure path between two nodes in E-G and LBKP consists of $h$ agent nodes. The probability that the indirect key between the two end nodes is exposed can be calculated as

$$p_c = 1 - \frac{\binom{N-h}{x}}{\binom{N}{x}} \approx 1 - \left(1 - \frac{x}{N}\right)^h \approx \frac{xh}{N} , \quad (4–9)$$

where $N \gg h > 1$. Thus, LAKE is more resilient to the node compromise attack.
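The exposure probabilities (4–4) to (4–9) evaluated for the configuration of the example above, as added example code that is not part of the dissertation: N = 10000, Nc = 100, S = 100000 and the A, B values per scheme are taken from the text, while the function names and the scheme table are my own.

```python
from math import comb

def eg_direct_exposure(M, S, x):
    """Eq. (4-4): additional direct key exposure probability of E-G when each node
    holds M keys drawn from a pool of S and x nodes are compromised."""
    return 1.0 - (1.0 - M / S) ** x

def poly_direct_exposure(N, A, B, M, x):
    """Eqs. (4-5) to (4-7): probability that one t-degree bivariate polynomial
    shared by A of the N nodes is exposed once x nodes are compromised.  A node
    keeps B shares in M memory units, so a share has floor(M/B) = t + 1
    coefficients and the polynomial falls when at least t + 1 sharers are lost."""
    threshold = M // B                     # i must reach t + 1
    if threshold > A:                      # fewer sharers than needed: never exposed
        return 0.0
    numerator = 0
    for i in range(threshold, min(A, x) + 1):
        numerator += comb(A, i) * comb(N - A, x - i)   # P_c(i) without the divisor
    return numerator / comb(N, x)

def indirect_exposure_one_agent(N, x):
    """Eq. (4-8): exactly one agent on the secure path (LAKE, PIKE-2D, Hypercube-2D)."""
    return 1.0 - comb(N - 1, x) / comb(N, x)           # equals x / N

def indirect_exposure_path(N, h, x):
    """Eq. (4-9), exact form: h agents on the secure path (E-G, LBKP and similar)."""
    return 1.0 - comb(N - h, x) / comb(N, x)

# Polynomial sharers A and shares per node B as given under Eq. (4-7), for the
# text's configuration: N = 10000 nodes, Nc = 100 nodes per cell.
SCHEMES = {
    "Hypercube-2D": (100, 2),   # A = sqrt(N)
    "LBKP": (500, 5),           # A = 5 Nc
    "HEX": (200, 6),            # A = 2 Nc
    "TRI": (200, 3),            # A = 2 Nc
}

def direct_exposure_table(M, fractions, N=10000, S=100000):
    """Additional direct key exposure probability of each scheme at each fraction
    of compromised nodes (the curves of Fig. 4-3 / 4-4).  PIKE and LAKE are 0 by
    construction: unique preloaded keys, and a degree that keeps the global
    polynomial secret however many nodes are compromised."""
    table = {}
    for f in fractions:
        x = round(f * N)
        row = {"E-G": eg_direct_exposure(M, S, x), "PIKE-2D": 0.0, "LAKE": 0.0}
        for name, (A, B) in SCHEMES.items():
            row[name] = poly_direct_exposure(N, A, B, M, x)
        table[f] = row
    return table

if __name__ == "__main__":
    for M in (240, 180):
        print(f"M = {M} memory units")
        for f, row in direct_exposure_table(M, [i / 10 for i in range(11)]).items():
            print(f"  x/N = {f:.1f}  " + "  ".join(f"{k} {v:.3f}" for k, v in row.items()))
    print("indirect key, 1 agent, x/N = 0.01:", indirect_exposure_one_agent(10000, 100))
    print("indirect key, 11 agents, x/N = 0.01:", indirect_exposure_path(10000, 11, 100))
```

Hypercube-2D with M = 240 holds 120 coefficients per share, more than its 100 sharers, so it is never exposed; with M = 180 the threshold drops to 90 and the curve rises, which is the effect discussed above.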

4.2.7.3 Local secure connectivity

Every node can calculate direct LLKs with some neighbors, and establish indirect

LLKs with other neighbors through one agent node. The local secure connectivity is

directly related to the communication overhead of key establishment. If a node has high

probability to calculate direct LLKs, it can save a lot of communication overhead on

the establishment of indirect LLKs through multi-hop routing. Hence, high local secure

connectivity, which is the probability of establishment of direct LLKs, is desirable in

sensor networks.

In the schemes [13, 15, 16, 20], key materials are uniformly pre-distributed in the network. It is highly possible that two nodes with correlated key materials cannot establish a direct LLK because they are far away from each other. For example, in the E-G scheme [13], each node randomly selects $M$ keys from $S$ keys, thus the local secure connectivity of E-G is $1 - \binom{S-M}{M}/\binom{S}{M} \approx 1 - (1 - M/S)^M \approx M^2/S$, where $S \gg M$. In PIKE-2D [25] and Hypercube-2D [19], each node keeps pairwise keys with $2(\sqrt{N} - 1)$ nodes, thus the local secure connectivity of these two schemes is $2(\sqrt{N} - 1)/N \approx 2/\sqrt{N}$. The low connectivity will incur significant communication overhead.


It has been shown that deployment knowledge can be used to increase the connectivity

[36–38, 45, 46]. By intentionally pre-distributing the same set of secrets in small cells, they

can achieve much higher connectivity than uniform pre-distribution schemes. Though our key agreement model still works in uniform pre-distribution scenarios, we consider deployment knowledge here to further increase the local secure connectivity.

Due to deployment errors, we cannot expect each node to reside at its predetermined location. Rather, the node deployment in each cell follows some probabilistic distribution. In order to evaluate the influence of deployment knowledge, we use the Gaussian distribution [17, 45, 50] in our simulation. Particularly, the location of each node follows the distribution

$$p(x, y) = \frac{1}{2\pi\sigma^2} \exp\left(-\frac{(x - x_c)^2 + (y - y_c)^2}{2\sigma^2}\right) , \quad (4–10)$$

where $(x_c, y_c)$ is the center of the cell in which the node resides and $(x, y)$ is the real location of the node.

We use the same configuration parameters as in Section 4.2.7.2 in our simulation. There are 10000 nodes deployed in an area of 2000 × 2000 m². All the schemes evaluated here can store M = 200 keys. The node radio radius is 150 m, which corresponds to MICA2 capability [31]. The global key pool of E-G [13] is set to 100000. The schemes E-G [13], PIKE-2D [25] and Hypercube [19] use uniform pre-distribution. As for the location-based schemes LBKP [36], HEX [45], TRI [46] and LAKE, there are 100 cells and thus the number of nodes per cell is 100. The inter-cell distance (the distance between the centers of neighboring cells) is set to 200 m. The standard deviation is set to σ = 50 m. Under these configurations, we simulate a sensor network, find the local secure connectivity of each node, and average it over all the nodes. The average local secure connectivity is given in Table 4-2.

We observe that the local secure connectivity of the uniform pre-distribution schemes [13, 19, 25] is very low. The location-based schemes [36, 45, 46] have much higher connectivity because all the nodes in neighboring cells are pre-distributed with correlated key materials. LAKE has lower local secure connectivity than the location-based schemes [36, 45, 46], because in LAKE only the nodes in one cell have correlated key materials and each node can establish a direct key with only one node in another cell. However, LAKE still has much higher local secure connectivity than the uniform pre-distribution schemes such as E-G [13], PIKE-2D [25] and Hypercube [19].

Table 4-2. Local secure connectivity of different schemes

Schemes                           Local Connectivity
E-G [13]                          0.2797
PIKE-2D [25], Hypercube-2D [19]   0.0276
LBKP [36]                         0.9999
HEX [45]                          0.9960
TRI [46]                          0.9985
LAKE                              0.5317
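An added simulation (not the dissertation's code) of the measurement behind Table 4-2 for LAKE: nodes are placed by (4–10) around their cell centers with the Section 4.2.7.3 parameters, and the same direct-key rule is then run on a uniform placement to show what deployment knowledge buys; the function names, the seed and the bucketed neighbor search are my own choices.

```python
import random
from collections import defaultdict

def deploy_gaussian(cells_per_side, nodes_per_cell, pitch, sigma, rng):
    """LAKE layout: node (cell, j) lands at a Gaussian offset (Eq. 4-10) around the
    center (x_c, y_c) of its cell; cell centers form a grid with the given pitch."""
    nodes = []
    for cx in range(cells_per_side):
        for cy in range(cells_per_side):
            xc, yc = (cx + 0.5) * pitch, (cy + 0.5) * pitch
            cell = cx * cells_per_side + cy
            for j in range(nodes_per_cell):
                nodes.append((cell, j, rng.gauss(xc, sigma), rng.gauss(yc, sigma)))
    return nodes

def deploy_uniform(rows, cols, side, rng):
    """Uniform pre-distribution layout (PIKE-2D / Hypercube-2D): node (row, col) of
    the logical grid lands anywhere in the side x side area."""
    return [(r, c, rng.uniform(0, side), rng.uniform(0, side))
            for r in range(rows) for c in range(cols)]

def shares_direct_key(a, b):
    """Direct key iff the two IDs agree in one index: same cell (level-2 neighbors)
    or same in-cell index (level-1 neighbors) in LAKE, same row or column in a
    two-dimensional grid scheme."""
    return a[0] == b[0] or a[1] == b[1]

def local_secure_connectivity(nodes, radius):
    """Fraction of a node's radio neighbors with which it holds a direct LLK,
    averaged over all nodes that have at least one neighbor.  A grid of
    radius-sized buckets keeps the neighbor search linear in the node count."""
    buckets = defaultdict(list)
    for n in nodes:
        buckets[(int(n[2] // radius), int(n[3] // radius))].append(n)
    r2 = radius * radius
    total, counted = 0.0, 0
    for a in nodes:
        bx, by = int(a[2] // radius), int(a[3] // radius)
        nbrs = direct = 0
        for dx in (-1, 0, 1):
            for dy in (-1, 0, 1):
                for b in buckets.get((bx + dx, by + dy), ()):
                    if b is a:
                        continue
                    if (a[2] - b[2]) ** 2 + (a[3] - b[3]) ** 2 <= r2:
                        nbrs += 1
                        direct += shares_direct_key(a, b)
        if nbrs:
            total += direct / nbrs
            counted += 1
    return total / counted

def simulate(cells_per_side=10, nodes_per_cell=100, pitch=200.0, sigma=50.0,
             radius=150.0, seed=1):
    """One run; returns (LAKE connectivity, uniform-grid connectivity).  The
    defaults are the Section 4.2.7.3 configuration: 100 cells of 100 nodes,
    200 m inter-cell distance, sigma = 50 m, 150 m radio radius."""
    rng = random.Random(seed)
    lake_nodes = deploy_gaussian(cells_per_side, nodes_per_cell, pitch, sigma, rng)
    grid_nodes = deploy_uniform(cells_per_side ** 2, nodes_per_cell,
                                cells_per_side * pitch, rng)
    return (local_secure_connectivity(lake_nodes, radius),
            local_secure_connectivity(grid_nodes, radius))

if __name__ == "__main__":
    lake, grid = simulate()
    print(f"LAKE, Gaussian deployment:      {lake:.4f}")
    print(f"PIKE-2D/Hypercube-2D, uniform:  {grid:.4f}")
```

Both layouts use the identical key-sharing rule, so the gap between the two numbers is entirely the effect of clustering correlated shares in cells.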

4.2.7.4 Computation overhead

LAKE is based on the symmetric key technology, where a global t-degree tri-variate

symmetric polynomial is used to build up a secure infrastructure. Each sensor node

can calculate a key by using a t-degree univariate polynomial, which is a share of the

global polynomial. It has been shown in Hypercube [19] that the polynomial evaluation is

comparable with conventional symmetric key primitives such as Message Authentication

Code based on RC5 or SkipJack. To calculate a key, each node should perform $2t - 1$ modular multiplications over $\mathbb{Z}_q^*$: $t - 1$ for $x^2, \dots, x^t$ and $t$ for $b_1 x, b_2 x^2, \dots, b_t x^t$. Under symmetric key technology, the length of $q$ is usually 64 bits or 128 bits. Suppose the same configuration parameters as in Section 4.2.7.2 are used here, where the total number of nodes is $N = 10000$, the number of nodes per cell is 100, and the number of cells is 100. According to Table 4-1, $t$ is less than 181. Hence, each node needs to perform only 361 64-bit

or 128-bit modular multiplications. Similarly, the number of modular multiplications of

other polynomial-based schemes is given in Table 4-3. Obviously LAKE is more efficient

than most conventional symmetric key schemes.

Table 4-3. Computation overhead of different schemes.

Schemes             # of shares   degree   # of multiplications
Hypercube-2D [19]   2             98       390
LBKP [36]           5             498      3875
HEX [45]            6             198      2370
TRI [46]            3             198      1185
LAKE                1             < 181    < 361

Public key techniques such as RSA and Diffie-Hellman can also achieve key

agreement. The basic operation of RSA and Diffie-Hellman is the modular exponentiation

of the form $y^x \pmod q$. One modular exponentiation needs $\frac{3}{2}\log_2 q$ $\log_2 q$-bit modular multiplications on average [5]. To guarantee the same level of security, here $q$ is usually 1024 bits and $y$ and $x$ are drawn from $\mathbb{Z}_q^*$. Thus a public key based operation requires 1536 1024-bit modular multiplications on average. A 1024-bit modular multiplication is $(1024/64)^2 = 256$ times more expensive than a 64-bit modular multiplication [17]. Hence the public key techniques are $256 \times 1536/361 = 1089$ times more expensive than LAKE if 64-bit symmetric keys are used in LAKE.

4.3 Scalable Link-Layer Key Agreement in Sensor Networks

In this section, we extend our LAKE into the multi-dimension case [49]. Our scheme

is based on a method we have developed in [9]. Each sensor node carries a share of

a global t-degree multivariate symmetric polynomial. If the shares of two nodes are

correlated, the two nodes can calculate a shared key directly. Otherwise, they can

negotiate an indirect key with the help of an intermediate node. We utilize node

deployment knowledge such that nodes with correlated shares are deployed as close as

possible. In this way, each node can directly calculate LLKs with most of its neighbors. In

this section, we will elaborate the details of our scheme.

4.3.1 Network Model

We assume each node is identified by an index-tuple $(n_1, n_2, \dots, n_k)$, where $n_i = 0, 1, \dots, N_i - 1$, $i \in \{1, 2, \dots, k\}$, and we may use the index-tuple as the node ID. Hence each node is mapped into a point in a k-dimension vector set $S_1 \times S_2 \times \cdots \times S_k$, where $n_i \in S_i \subset \mathbb{Z}$ and the cardinality $|S_i| = N_i$, for $i = 1, 2, \dots, k$. The maximum number of nodes that the network can consist of is $N = \prod_{i=1}^{k} N_i$.

Due to the broadcast characteristics of radio communications, adversaries can easily eavesdrop on any messages, either non-encrypted or encrypted, transmitted over the air

between nodes. Adversaries may capture any node and compromise the secrets stored in

the node. Furthermore, adversaries can use the compromised secrets to derive more secrets

shared between other non-compromised nodes. We try to reduce the probability that the

keys shared between non-compromised nodes are exposed when some nodes have already

been compromised. To further evaluate the impact of node compromise, we assume the

probability of the compromise of a node is p.

4.3.2 Share Distribution

Before network deployment, a global t-degree (k + 1)-variate symmetric polynomial is

constructed as is stated in Chapter 2. This polynomial is used to derive shares for sensor

nodes.

To achieve key agreement, every node n should have k credentials (c1, c2, . . . , ck),

which are positive and pairwise different. These credentials can be created and preloaded

into nodes before deployment. However, it requires additional memory space per node.

Fortunately, the k credentials can be derived from the k indices in node ID (n1, n2, . . . , nk)

by a bijection, i.e.,

$$c_1 = n_1 + 1,\quad c_2 = n_2 + 1 + N_1,\quad c_3 = n_3 + 1 + N_1 + N_2,\quad \dots,\quad c_{k-1} = n_{k-1} + 1 + N_1 + \cdots + N_{k-2},\quad c_k = n_k + 1 + N_1 + \cdots + N_{k-1} , \quad (4–11)$$

where $n_i = 0, 1, \dots, N_i - 1$ for $i = 1, 2, \dots, k$. Thus, the $k$ credentials are drawn from different zones in that $c_1 \in [1, N_1]$ and $c_i \in [N_1 + \cdots + N_{i-1} + 1,\ N_1 + \cdots + N_i]$ for $i = 2, \dots, k$, which guarantees that they are positive and pairwise different.

For a node $(n_1, n_2, \dots, n_k)$, a polynomial share

$$f_{k+1}(x_{k+1}) = f(c_1, c_2, \dots, c_k, x_{k+1}) = \sum_{i_{k+1}=0}^{t} b_{i_{k+1}}\, x_{k+1}^{i_{k+1}} \quad (4–12)$$

is calculated, where

$$b_{i_{k+1}} = \sum_{i_1=0}^{t} \sum_{i_2=0}^{t} \cdots \sum_{i_k=0}^{t} a_{i_1, i_2, \dots, i_k, i_{k+1}}\, c_1^{i_1} c_2^{i_2} \cdots c_k^{i_k} \quad (4–13)$$

and (c1, c2, . . . , ck) is mapped from (n1, n2, . . . , nk) according to the equations (4–11).

Then the polynomial share is assigned to the node. Here, the node only knows the t + 1

coefficients of the univariate polynomial share, but not the coefficients of the original

(k+1)-variate polynomial. Therefore, even if the marginal bivariate polynomial is exposed,

the global polynomial is still safe if the degree t is chosen properly.

4.3.3 Node Deployment

Two nodes can calculate a shared key if their credentials have only one mismatch

in them. Due to the one-to-one mapping in the equations (4–11), two nodes u with ID

(u1, u2, . . . , uk) and v with ID (v1, v2, . . . , vk) can directly calculate a shared key without

any interaction if their IDs have only one mismatch. If the two nodes are within the radio coverage of each other, then the key can be used as an LLK. Therefore, we need a deployment method that intentionally places nodes with only one mismatch in their IDs as close to each other as possible. In this way, each node can establish link-layer keys with most of its neighbors.

Because the node ID is an index-tuple $(n_1, n_2, \dots, n_k)$, where $n_i = 0, 1, \dots, N_i - 1$, $i \in \{1, 2, \dots, k\}$, the network is logically constructed with $k$ levels. The $i$-th level consists of $N_1 \times N_2 \times \cdots \times N_i$ cells, each of which has $N_{i+1}$ subcells, i.e., $N_{i+1} \times \cdots \times N_k$ nodes, where $i = 1, 2, \dots, k - 2$. The $(k-1)$-th level consists of $N_1 \times N_2 \times \cdots \times N_{k-1}$ cells, each of which has $N_k$ nodes. Here, the notation $(n_1, n_2, \dots, n_i)$ can be seen as the cell ID at the $i$-th level for $i = 1, 2, \dots, k - 1$. An example is illustrated in Fig. 4-5 (A), where $N_1 = N_2 = N_3 = 9$.

To facilitate key agreement, the logical network topology is transformed into a real

one, which decides the real node deployment model. Suppose a level-(i − 1) cell has

Ni = Ri × Ci subcells. To do the transformation, the following two steps are taken:

1. in the first step, flip the even rows of the level-(i− 1) cell vertically;

2. in the second step, flip the even columns of the level-(i− 1) cell horizontally.

An example is depicted in Fig. 4-6. A cell at the (i − 2)-th level has Ni−1 = 3 × 5

level-(i − 1) subcells (Fig. 4-6 (A)), each of which again has Ni subcells. By the two-step

transformation, we get the real cell topology illustrated in Fig. 4-6 (B).

The entire network topology is constructed based on the two-step transformation. In

this way, the network is divided into N1 × N2 × · · · × Nk−1 cells, where cells are located

according to the space order determined by the two-step transformation. All the nodes

are deployed into corresponding cells based on their IDs. The real network topology of the

example in Fig. 4-5 (A) is illustrated in Fig. 4-5 (B).

4.3.4 Link-layer Key Agreement

As is stated before, two nodes $u$ with ID $(u_1, u_2, \dots, u_k)$ and $v$ with ID $(v_1, v_2, \dots, v_k)$ can directly calculate a shared key without any interaction if there is only one mismatch in their IDs, say at the $i$-th index. Then node $u$ can take $v_i + 1 + N_1 + \cdots + N_{i-1}$ as the input to its own share $f(c_1, c_2, \dots, c_k, x_{k+1})$, and node $v$ can likewise take $u_i + 1 + N_1 + \cdots + N_{i-1}$ as the input to its share $f(c_1, c_2, \dots, c_k, x_{k+1})$. The direct shared key between nodes $u$ and $v$ is then calculated as

$$K_{uv} = f(c_1, \dots, u_i + 1 + N_1 + \cdots + N_{i-1}, \dots, c_k,\ v_i + 1 + N_1 + \cdots + N_{i-1}) = f(c_1, \dots, v_i + 1 + N_1 + \cdots + N_{i-1}, \dots, c_k,\ u_i + 1 + N_1 + \cdots + N_{i-1}) . \quad (4–14)$$
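The credential mapping (4–11), share derivation (4–12)/(4–13) and direct key calculation (4–14) carried through in code, added here as an illustration and not the dissertation's implementation; the prime modulus Q = 2^61 - 1, the degree t = 4, the random symmetric polynomial and the class and function names are my own choices, and the node IDs are those of the Fig. 4-5 example with N1 = N2 = N3 = 9.

```python
import secrets
from itertools import product

Q = (1 << 61) - 1  # prime modulus for Z_q; a constructed choice (the text only fixes q at 64 or 128 bits)

def credentials(node_id, dims):
    """Eq. (4-11): c_i = n_i + 1 + N_1 + ... + N_{i-1}; credentials taken from
    different index positions fall into disjoint ranges, so they never collide."""
    creds, offset = [], 0
    for n, n_max in zip(node_id, dims):
        if not 0 <= n < n_max:
            raise ValueError("index out of range for its dimension")
        creds.append(n + 1 + offset)
        offset += n_max
    return tuple(creds)

def symmetric_polynomial(k, t):
    """Random t-degree (k+1)-variate symmetric polynomial over Z_q, stored as the
    coefficients a_{i_1..i_{k+1}}: every permutation of an index tuple shares one value."""
    by_multiset, coef = {}, {}
    for idx in product(range(t + 1), repeat=k + 1):
        key = tuple(sorted(idx))
        if key not in by_multiset:
            by_multiset[key] = secrets.randbelow(Q)
        coef[idx] = by_multiset[key]
    return coef

def derive_share(coef, creds, t):
    """Eqs. (4-12)/(4-13): b_j = sum_{i_1..i_k} a_{i_1..i_k,j} c_1^{i_1} ... c_k^{i_k}.
    Returns the t+1 coefficients b_0..b_t preloaded into the node."""
    powers = [[pow(c, e, Q) for e in range(t + 1)] for c in creds]
    share = []
    for j in range(t + 1):
        b = 0
        for idx in product(range(t + 1), repeat=len(creds)):
            term = coef[idx + (j,)]
            for m, e in enumerate(idx):
                term = term * powers[m][e] % Q
            b = (b + term) % Q
        share.append(b)
    return share

def evaluate_share(share, x):
    """Horner's rule: t modular multiplications (the 2t-1 count in Section 4.2.7.4
    is for the method that first builds x^2..x^t and then the t products)."""
    acc = 0
    for b in reversed(share):
        acc = (acc * x + b) % Q
    return acc

def mismatches(u, v):
    """Index positions at which two node IDs differ."""
    return [i for i, (a, b) in enumerate(zip(u, v)) if a != b]

def agents(u, v):
    """Two-mismatch case: IDs with exactly one mismatch against both u and v,
    e.g. (181) between (081) and (151) in Fig. 4-5 (B)."""
    mm = mismatches(u, v)
    if len(mm) != 2:
        raise ValueError("agents are only needed for IDs with two mismatches")
    out = []
    for i in mm:
        w = list(u)
        w[i] = v[i]
        out.append(tuple(w))
    return out

class Network:
    """Holds the global polynomial and derives each node's share on demand."""
    def __init__(self, dims, t):
        self.dims, self.t = tuple(dims), t
        self.coef = symmetric_polynomial(len(dims), t)
        self.shares = {}

    def share(self, node_id):
        if node_id not in self.shares:
            creds = credentials(node_id, self.dims)
            self.shares[node_id] = derive_share(self.coef, creds, self.t)
        return self.shares[node_id]

    def direct_key(self, u, v):
        """Eq. (4-14) from u's side: feed v's credential at the single mismatching
        index into u's own share; v does the same with u's credential."""
        mm = mismatches(u, v)
        if len(mm) != 1:
            raise ValueError("a direct key requires exactly one mismatch")
        return evaluate_share(self.share(u), credentials(v, self.dims)[mm[0]])

if __name__ == "__main__":
    net = Network((9, 9, 9), t=4)       # k = 3, the N_1 = N_2 = N_3 = 9 layout of Fig. 4-5
    u, v = (0, 4, 1), (0, 8, 1)         # nodes (041) and (081), one mismatch
    assert net.direct_key(u, v) == net.direct_key(v, u)
    print("K_uv agreed by both sides:", hex(net.direct_key(u, v)))
    print("agents between (081) and (151):", agents((0, 8, 1), (1, 5, 1)))
```

Each side evaluates only its own univariate share, so neither node ever sees the other's share or the global coefficients, which is the property the uniqueness argument below relies on.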

Figure 4-5. Topology. A) Before deployment. B) After deployment. (Each panel shows the 9 × 9 grid of cell IDs 00 to 88 of the $N_1 = N_2 = N_3 = 9$ example.)

Figure 4-6. Deployment strategy. A) Before deployment. B) After deployment. (Each panel shows the 3 × 5 arrangement of level-(i−1) subcells, with node indices 0 to $N_i - 1$ in each subcell.)

Because all the credentials of $u$ and $v$ are drawn from pairwise disjoint subsets and $u_i \neq v_i$, the $k + 1$ credentials used to calculate the shared key are pairwise different, and the set of credentials is unique. Therefore the shared key calculated by nodes $u$ and $v$ is unique, i.e., other nodes do not know the shared key.

Consider our deployment model. At the lowest level, the network is divided into $N_1 \times N_2 \times \cdots \times N_{k-1}$ cells. All the nodes in each of those cells have a common ID prefix, which is the cell ID, and their node IDs differ only at the $k$-th position. Therefore, any pair of nodes in one cell can calculate a direct shared key. For example, two nodes (041) and (044) in cell (04) (Fig. 4-5 (B)) can calculate a shared key directly.

For two neighboring cells whose cell IDs have only one mismatch, each node in one cell can find another node in the other cell such that the two nodes have only one mismatch in their node IDs, i.e., the two nodes can calculate a shared key directly. In the example of Fig. 4-5 (B), node (041) in cell (04) can calculate a shared key directly with node (081) in cell (08). With the help of node (081), node (041) can indirectly establish a shared key with every other node in cell (08).

Two neighboring cells with two mismatches in their cell IDs lie in the diagonal direction of each other and have a neighboring cell in common which has only one mismatch in cell ID with each of them. In Fig. 4-5 (B), node (081) in cell (08) can indirectly negotiate a shared key with node (151) in cell (15) through node (181) in cell (18), because node (181) has direct keys with nodes (081) and (151) respectively. Then node (081) can indirectly negotiate a shared key with each of the other nodes in cell (15) through node (151).

In our deployment model, each node can calculate direct LLKs with most of its neighbors because most of its neighbors are in the same cell, and negotiate indirect LLKs with the remaining neighbors with the help of only one intermediate node. Moreover, each node can even establish shared keys with other nodes multiple hops away.

4.3.5 Performance Evaluation

In this section, we will carry out some analysis and evaluate our scheme in comparison

with some typical schemes including [13, 21, 23, 25, 36].

4.3.5.1 Memory cost

It has been proved in [9] that to guarantee the security of the global polynomial, the minimum degree $t^*$ can be bounded as [9]

$$t^* \le r \cdot N_1 , \quad (4–15)$$

where the ratio

$$r = \sqrt[k+1]{\frac{k\,(k+1)!}{2}} . \quad (4–16)$$

Table 4-4. Memory cost of different schemes

Schemes                   Memory Cost
E-G [13]                  $m$
LBKP [36]                 $5(t + 1)$
PIKE [25]                 $2(\sqrt{N} - 1)$
Combinatorial [21, 23]    $O(\sqrt{N})$
Ours                      $O(\sqrt[k]{N})$

We compare the memory cost per node of our schemes with other schemes in Table

4-4. In E-G scheme [13] each node has a subset of m keys, where m may be more than

100 if it needs to maintain a certain security or connectivity. In LBKP [36] each node is

preloaded with 5 polynomial shares, each of which has a degree of t. However, in order to

maintain strong security, the value of t is very high. So its memory cost is much higher

than ours. In PIKE [25], each node must store $2(\sqrt{N} - 1)$ keys where $N$ is the network size. Combinatorial design techniques are proposed in [21, 23]. They are similar to E-G [13], but they can ensure key sharing between any pair of nodes. The memory cost of their schemes is roughly $O(\sqrt{N})$ where $N$ is the total number of nodes. However, the memory cost of our scheme can be $O(\sqrt[k]{N})$, which is much less.

4.3.5.2 Security

In our scheme, each node can calculate direct LLKs with most of its neighbors. Each direct LLK is only known by the pair of nodes that shares it, and the key cannot be derived by other nodes, because we choose the value of t such that the global polynomial

is secure in case of node compromise. As for other neighbors, each node can negotiate an

indirect LLK with each of them through only one intermediate node. So if the probability

of node compromise is p, then the probability of the exposure of the indirect key is just p.


In conventional schemes [13, 21, 23, 36], when the number of compromised nodes

is large, the direct keys among non-compromised nodes can be exposed. Moreover, the

indirect keys are as well insecure because each indirect key has to be established with the

help of several intermediate nodes along a path. If such a path involve h intermediate

nodes, then the probability that an indirect key is exposed can be calculated as

Pc = 1− (1− p)h . (4–17)

PIKE [25] is similar to our scheme in that any pair of nodes can establish a shared

key through no more than one intermediate node. The difference is that it does not

utilize deployment knowledge to facilitate LLK agreement and thus is more expensive in

communication. Moreover, its memory cost per node is higher than ours. Obviously, our

scheme is more secure than conventional schemes.

4.3.5.3 Local secure connectivity

Every node can calculate direct LLKs with some neighbors and establish indirect LLKs with other neighbors through one intermediate node. The local secure connectivity is directly related to the communication overhead of key establishment: if a node has a high probability of calculating direct LLKs, it saves much of the communication overhead of establishing indirect LLKs through multi-hop routing. Hence, high local secure connectivity, defined as the probability of establishing a direct LLK, is desirable in sensor networks.

Suppose nodes are uniformly deployed in each cell. The local secure connectivity can then be calculated as the ratio of the node's coverage within its cell to the node's transmission area. Suppose the side length of each cell is 2D and the node radio radius is R. Owing to the symmetry of the square cell, we only consider the first quadrant of the Cartesian coordinate plane (Fig. 4-7), with the center of the cell at the origin. The first quadrant is divided into five areas, each corresponding to a different node coverage A(x_o, y_o) in the cell, where (x_o, y_o) is the location of the node. A(x_o, y_o) can be calculated as

A(x_o, y_o) =
\begin{cases}
\pi R^2, & 0 \le x_o < D-R,\ 0 \le y_o < D-R \\[4pt]
R^2\left(\pi - \tfrac12\arccos(2Y_o^2-1) + Y_o\sqrt{1-Y_o^2}\right), & 0 \le x_o < D-R,\ D-R \le y_o < D \\[4pt]
R^2\left(\pi - \tfrac12\arccos(2X_o^2-1) + X_o\sqrt{1-X_o^2}\right), & D-R \le x_o < D,\ 0 \le y_o < D-R \\[4pt]
R^2\left(\pi - \tfrac12\arccos(2X_o^2-1) - \tfrac12\arccos(2Y_o^2-1) + X_o\sqrt{1-X_o^2} + Y_o\sqrt{1-Y_o^2}\right), & D-R \le x_o < D,\ D-R \le y_o < D,\ (x_o-D)^2+(y_o-D)^2 > R^2 \\[4pt]
R^2\left(\left(X_o+\sqrt{1-Y_o^2}\right)\left(Y_o+\sqrt{1-X_o^2}\right) + \arccos\!\left(-X_o\sqrt{1-Y_o^2} - Y_o\sqrt{1-X_o^2}\right) - \left|\sqrt{(1-X_o^2)(1-Y_o^2)} - X_oY_o\right|\right), & D-R \le x_o < D,\ D-R \le y_o < D,\ (x_o-D)^2+(y_o-D)^2 \le R^2
\end{cases}
(4–18)

where X_o = (D - x_o)/R and Y_o = (D - y_o)/R. Thus the local secure connectivity can be calculated as

C = \frac{1}{\pi R^2 D^2} \int_0^D \int_0^D A(x_o, y_o)\, dx_o\, dy_o . (4–19)

In scheme [13], each node selects M keys from a pool of S keys, so the local secure connectivity is roughly 1 - \binom{S-M}{M} / \binom{S}{M} \approx M^2/S, where S \gg M. In PIKE [25], each node keeps unique pairwise keys with 2(√N − 1) nodes, so the local secure connectivity of PIKE is about 2/√N. Schemes [21, 23] are similar to PIKE [25] in that the local secure connectivity is roughly O(1/√N). The LBKP scheme [36] uses location information to facilitate key pre-distribution so that each node can establish direct LLKs with all neighbors in its cell and in neighboring cells, bringing the local secure connectivity to about 1 if all nodes are uniformly deployed in their home cells.

Figure 4-7. Node coverage in one cell (first quadrant of the cell, axes x and y, with marks at D − R and D).

The low local secure connectivity of schemes [13, 21, 23, 25] arises because a node cannot store many keys in order to increase its local secure connectivity. In our scheme, however, the local secure connectivity is unrelated to the memory cost. For example, suppose the cell size is 200 × 200 m² and the node radio radius is 25 m. The local secure connectivity of our scheme is then 0.89, much higher than that of [13, 21, 23, 25], which is usually well below 0.5.
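The local secure connectivity of Eq. 4-19 evaluated numerically for the 200 × 200 m cell and R = 25 m quoted above, as an added example that is not code from the dissertation. The node coverage is integrated directly over clipped chords of the radio disc instead of the five-case closed form, and a closed-form cross-check derived here (not in the dissertation) is included; the grid and step counts are assumptions.

```python
"""Local secure connectivity C of a square cell (Eq. 4-18 and 4-19), numerically.

Added example, not the dissertation's code.  Rather than the five-case closed
form A(xo, yo), the node coverage is computed by slicing the radio disc into
vertical chords and clipping each chord to the cell, which covers all five
cases uniformly; C is then the average of A / (pi R^2) over the first quadrant.
Parameters from the text: cell 200 x 200 m, i.e. D = 100 m, and R = 25 m.
"""
import math


def node_coverage(xo, yo, D, R, steps=400):
    """Area of the disc of radius R centred at (xo, yo) lying inside the square
    cell [-D, D] x [-D, D], i.e. A(xo, yo) of Eq. 4-18, by the midpoint rule
    over clipped vertical chords."""
    x_lo, x_hi = max(xo - R, -D), min(xo + R, D)
    if x_hi <= x_lo:
        return 0.0
    h = (x_hi - x_lo) / steps
    area = 0.0
    for k in range(steps):
        x = x_lo + (k + 0.5) * h
        half = math.sqrt(max(R * R - (x - xo) ** 2, 0.0))   # half chord length
        y_lo, y_hi = max(yo - half, -D), min(yo + half, D)  # clip to the cell
        if y_hi > y_lo:
            area += (y_hi - y_lo) * h
    return area


def local_secure_connectivity(D, R, grid=40):
    """Eq. 4-19: C = 1/(pi R^2 D^2) * int_0^D int_0^D A(xo, yo) dxo dyo,
    evaluated with a grid x grid midpoint rule over the first quadrant."""
    h = D / grid
    total = 0.0
    for i in range(grid):
        for j in range(grid):
            total += node_coverage((i + 0.5) * h, (j + 0.5) * h, D, R)
    return total * h * h / (math.pi * R * R * D * D)


def closed_form_connectivity(D, R):
    """Independent cross-check derived here (not in the dissertation).  C is the
    probability that a node uniform in the cell plus an offset uniform in its
    disc still lands in the cell.  For a fixed offset (dx, dy) that probability
    is (1 - |dx|/L)(1 - |dy|/L) with L = 2D; averaging over the uniform disc,
    E|dx| = 4R/(3 pi) and E|dx dy| = R^2/(2 pi), giving
    C = 1 - 8R/(3 pi L) + R^2/(2 pi L^2)   (valid for R <= L)."""
    L = 2.0 * D
    return 1.0 - 8.0 * R / (3.0 * math.pi * L) + R * R / (2.0 * math.pi * L * L)


if __name__ == "__main__":
    D, R = 100.0, 25.0
    print("numeric C     =", round(local_secure_connectivity(D, R), 4))
    print("closed-form C =", round(closed_form_connectivity(D, R), 4))
```

Both routes give C ≈ 0.896 for D = 100 m and R = 25 m, in line with the 0.89 quoted above.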

4.4 Conclusion

In this chapter, we proposed novel LLK and TLK establishment schemes that are scalable to large networks with small memory cost. Compared with conventional schemes, which have a memory cost of at least O(√N) in a network with N nodes, our scheme has only O(N^{1/k}) memory cost per node, where k > 1. Moreover, we utilize node deployment knowledge to facilitate direct LLK agreement so that the local secure connectivity is very high. In this way, the communication overhead of establishing indirect LLKs is reduced significantly. The security of our scheme is very strong in that most LLKs are established directly, and the remaining indirect LLKs are established through only one intermediate node.

CHAPTER 5
A LOCATION-BASED NAMING MECHANISM FOR SECURING SENSOR NETWORKS

5.1 Introduction

Every node in a network has a name. We usually call it an identifier, because it helps us to identify each individual node. Besides its identification function, the name may tell us some useful information about the node, and that information is very helpful in many network activities. For example, in a social network we may infer a person's family background from his last name, and an IP address in the Internet consists of a network identifier and a host identifier, which are used by routing protocols. However, if we strip the name of such meaningful information, we need to assign every node some additional attributes to reflect the required information in some scenarios, which means extra storage. Unfortunately, the current naming mechanism in sensor networks is a bad example of this: every node's identifier is taken from a one-dimensional name space that has no meaning beyond the identification function.

Obviously, it is more beneficial if every node's identifier reflects more information about the node itself. In this chapter, we propose a location-based naming (LBN) mechanism for sensor networks [51, 52]. The idea is to embed some location information into the node identifier (ID) and use that location information to facilitate many applications in sensor networks. In particular, the entire network is divided into many cells, and each cell is marked by a cell index. All sensor nodes are deployed in groups such that each cell is deployed with one group of nodes; hence, the nodes in one cell have the same cell index. To distinguish each individual node within a cell, each node is assigned a node index, which is unique in the cell. In this way each node ID has two parts: the cell index, which tells in which cell of the network the node resides, and the node index, which acts like the conventional identifier for identifying the node within the cell. Thus location information is embedded into node IDs through the one-to-one mapping between cell indices and the locations of cells.

This LBN mechanism may find many applications in sensor networks, such as geographic routing, target tracking, environment surveillance, etc. However, our focus is on security applications in sensor networks. Because it is embedded into node IDs, the location information may act like an inherent node characteristic in stationary sensor networks, and thus it can be used to provide authentication services for local access control [53]. For example, every node participates in the network through a neighbor-to-neighbor communication mode, so every node should accept packets only from the nodes in its neighborhood. The LBN mechanism suits this scenario well in that every node can tell whether a packet comes from a neighbor or from a distant node based on the node ID in the packet.

Many attacks in sensor networks try to wreak havoc by skewing the network topology [33]. For example, a malicious node may impersonate other normal nodes by changing its node ID, thus causing severe topological distortion that leads to the failure of routing protocols. However, by binding location information to node IDs, LBN can be used to detect such topological distortions. When LBN is employed, a malicious node cannot change its ID into one belonging to cells far away from its own cell, because the malicious node may be detected if its ID does not belong to its own cell. The malicious node may, however, still impersonate the IDs in its neighborhood, because all IDs in one cell have the same cell index. In this case, some neighborhood authentication service should be applied to detect the malicious node.

We make the following contributions in this chapter:

1. We introduce the naming problem for sensor networks in the literature for the first time;

2. We propose a location-based naming mechanism, LBN, and explore its security value for sensor networks;

3. We propose a link layer authentication scheme, LLA, which incorporates LBN to provide a neighborhood authentication service;

4. We show that our LBN mechanism and LLA scheme can be combined to provide an efficient defense against many notorious attacks in sensor networks.

The rest of this chapter is organized as follows. In Section 5.2 we propose the location-based naming mechanism LBN to realize our idea of a network naming system. In Section 5.3 we describe the link layer authentication scheme LLA and show how it reinforces our LBN mechanism by providing neighborhood authentication. In Section 5.4 we discuss how our LBN mechanism and LLA scheme can be combined to defend against many notorious attacks in sensor networks. Some discussions are given in Section 5.5, and the conclusion is given in Section 5.6.

5.2 Location-based Naming Mechanism

5.2.1 Location Determination

To utilize location information, the first requirement is to acquire it. Location determination is not a trivial task in stationary sensor networks. It is infeasible to equip every node with a GPS (global positioning system) receiver given the desire for low-priced sensor nodes. Though there are some post-deployment methods [53–55], they rely on cooperation between sensor nodes, which leads to a large amount of communication overhead.

However, when a sensor network is deployed in an area, some location information is known a priori. Hence, if we deploy a group of nodes into an area, we may preload the location information of that area into the nodes' memory. This a-priori location information can be used in many scenarios such as key management [36–41]. Due to deployment errors, the a-priori location information is less precise than that of posterior measurements; however, it obviates the need for expensive positioning devices and complex distributed location determination algorithms, and is thus well suited to some applications in resource-constrained sensor networks. In this chapter, we use the coarse-grained a-priori location information to develop a security scheme that defends against many attacks on the network topology.

  (i-1, j-1)   (i-1, j)   (i-1, j+1)
  (i, j-1)     (i, j)     (i, j+1)
  (i+1, j-1)   (i+1, j)   (i+1, j+1)

Figure 5-1. A square cell deployment model.

Before deploying a group of sensor nodes, we should decide where the group should reside. Thus the entire deployment area is divided into many adjacent, non-overlapping cells. Every cell is centered on a deployment point. Depending on the specific deployment model, the contour of a cell may be a square [36–38, 48, 49], a hexagon [45] or a triangle [46]. For simplicity, the square cell (Fig. 5-1) is used as an instance in this chapter; other shapes are still applicable with a few modifications.

Each group of nodes is intended to be deployed in a predefined cell. Due to deployment errors, every node will land around the deployment point of its cell according to some probability distribution function (PDF), such as a Gaussian distribution or a uniform distribution. It is necessary to point out that the area where the nodes reside does not necessarily have the same shape as the cell. For example, the area where the nodes reside may be a circle because of a centered Gaussian distribution, while the cell is a square. However, we may improve deployment precision so that the probability that a node resides outside its cell is very small [45, 46, 48, 49].

5.2.2 Location-based Name

When the deployment model is defined, the location of each deployment point is known. By associating each group of nodes with a specific cell, we know in which cell of the network each node will reside. In a large-scale sensor network, the coordinates of deployment points usually have a length of several bytes. However, in current link layer protocols for sensor networks, the node ID field is usually shorter than 4 bytes; for example, in the TinyOS packet format, the node ID field is only 16 bits long [56]. It is impossible to include the location coordinates of deployment points directly in the node ID field of a large-scale sensor network. However, our scheme does not rely on precise location information; we only count on the relative location information between sensor nodes. Hence, we use indices instead.

In our deployment model, each cell is marked with a cell index, which is a pair of integers (i, j), where i is the row index and j is the column index. Thus we can identify each cell and its associated group of nodes by the cell index. The indices are not absolute location coordinates, so they can be very small integers. With this benefit, we may allocate several bits of the node ID field to the cell index, and the remaining bits of the node ID field to the node index within the associated cell. In this way each node is identified by a pair (cell index, node index). For example, we may allocate 10 bits of a 16-bit ID field to the cell index and the remaining 6 bits to the node index (Fig. 5-2). Then the largest affordable network may consist of 32 rows and 32 columns of cells, where each cell contains 64 nodes, for a total of 65536 nodes.

An index alone provides no information beyond cell identification. What we care about is how the indices describe the relationship between nodes. In our deployment model all cells are indexed in a fixed order, from top to bottom and from left to right, such that each cell index (i, j) acts like a coordinate in a two-dimensional plane (Fig. 5-1). In other words, cell indices are normalized coordinates of cells. Hence, the indices reflect the spatial relationship between nodes. By checking the node ID fields in received packets, a node may tell whether the sources of the packets are in its own cell, in neighboring cells, or in other, distant cells. If we treat each node as a kind of resource, and the reception of packets by the node as a kind of resource access, then the orderly naming mechanism may provide an authentication service for access control at the link layer. Because link layer communications run between neighboring nodes, and in our scheme the neighbors of a node most likely come from its own cell or neighboring cells, every node should only accept packets from the nodes in its cell or neighboring cells, and deny packets from other, distant cells¹. Obviously, our LBN mechanism has its significance for securing sensor networks. One example is that most ID-spoofing attacks may be defeated because of the inherent location information in node IDs. We will show in Section 5.4 that our LBN mechanism may defend against a wide range of attacks in sensor networks.

  MSB                          LSB
  | cell index | node index |

Figure 5-2. Location-based name.

5.3 Link Layer Security

Sensor networks are vulnerable to malicious attacks in unattended and hostile environments such as battlefield surveillance and homeland security monitoring [57, 58]. Adversaries can easily eavesdrop on messages transmitted over the air between nodes, or disable the entire network by launching physical attacks on sensor nodes or logical attacks on communication protocols [33, 35]. Under such circumstances, security services such as encryption and authentication are indispensable for guaranteeing the proper operation of sensor networks.

In the overall network security infrastructure, link layer security is the basic tile, because all communications are built on the neighbor-to-neighbor communication mode. A node should only accept packets from authenticated neighboring nodes. To establish trust between neighboring nodes, authentication services at the link layer are required. To prevent eavesdropping attacks, two neighboring nodes need to negotiate a shared key used for encryption at the link layer. Some proposals [36–41] use location information for key management in sensor networks, which may be used to establish link layer encryption keys. However, they have not addressed the authentication problem. Motivated by their work, we propose a link layer authentication (LLA) scheme in this section, which incorporates the LBN mechanism to provide a neighborhood authentication service.

¹ Due to deployment errors, some nodes may accidentally land in distant cells other than their destined cell. Such nodes may be precluded because they do not belong to the cells where they reside. However, it is shown in [36, 45, 46, 48, 49] that this probability is very small. We may treat it as the trade-off for the usage of a-priori deployment knowledge.

Our LLA scheme consists of two phases. The first is the bootstrapping phase (B-Phase), the initial time period after network deployment. The second is the normal communication phase (C-Phase), during which nodes exchange normal packets to fulfill various applications.

In each phase a two-step authentication is enforced. The first step is ID-based authentication, in which every node decides to accept or reject a packet by checking the packet's ID field according to LBN. The second step is key-based authentication, in which the two communicating nodes verify each other's IDs by means of the key shared between them. The underlying techniques we use here are something inherent and something known [5]. Something inherent means an entity is authenticated by an inherent characteristic, which is the location-based node ID in our scheme. Something known means an entity is authenticated by the secrets it knows, which are the shared keys in our scheme.

5.3.1 Establishing Shared Keys

Any distributed key agreement model discussed in Chapter 2 can be used to establish keys in WSNs, and they all require the exchange of node IDs as inputs to the key agreement model. For simplicity, we assume t-degree bivariate polynomials are used to establish shared keys between neighboring nodes, i.e.,

f(x, y) = \sum_{i=0}^{t} \sum_{j=0}^{t} a_{ij} x^i y^j (5–1)

over a finite field F_q.

We use the method proposed in [36] to predistribute polynomials so that two nodes in the same cell or in neighboring cells hold shares of the same set of polynomial(s)². Each cell is associated with a unique t-degree bivariate polynomial, and the nodes destined for the cell are preloaded with shares of the corresponding polynomial. Besides, the polynomial is also assigned to the horizontal and vertical neighboring cells. For example, in Fig. 5-1, the polynomial of cell (i, j) is also assigned to cells (i, j − 1), (i, j + 1), (i − 1, j), and (i + 1, j). Thus a node in cell (i, j) may establish shared keys with nodes in its own cell and in all neighboring cells. We refer readers to [36] for more technical details.

After the polynomial distribution, every pair of nodes has a shared polynomial set P, which is used to derive polynomial shares for the pair of nodes. The set P is decided by the cell indices of the two nodes. For two nodes in the same cell or in neighboring cells, P is non-empty, but for two nodes from two distant cells, P is empty. This differs from [36] in that [36] requires every node to keep the coordinates of its cell, while our scheme does not, because the location information is in the node ID field. So a node knows instantly whether it has shares of the same set of polynomials as another node from that node's ID alone.
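The location-based name layout of Section 5.2.2 (Fig. 5-2), the ID-based acceptance check, and the shared polynomial set P of Section 5.3.1, as an added example that is not code from the dissertation. The split of the 10-bit cell index into 5 row bits and 5 column bits, and the sample IDs, are assumptions.

```python
"""Location-based names (LBN) in a 16-bit TinyOS-style ID field, and the shared
polynomial set P they determine.

Added example, not the dissertation's code.  Layout follows Fig. 5-2 and the
10/6 split of Section 5.2.2: 5 bits row index, 5 bits column index (32 x 32
cells) and 6 bits node index (64 nodes per cell); the split of the 10-bit cell
index into 5 + 5 is an assumption.  Both the cell-index check and P are decided
from the received ID alone, with no separate coordinate field.
"""
ROW_BITS, COL_BITS, NODE_BITS = 5, 5, 6
ROWS, COLS, NODES = 1 << ROW_BITS, 1 << COL_BITS, 1 << NODE_BITS


def make_id(row, col, node):
    """Pack (cell index, node index) into one ID, cell index in the MSBs."""
    if not (0 <= row < ROWS and 0 <= col < COLS and 0 <= node < NODES):
        raise ValueError("index out of range for the ID layout")
    return (row << (COL_BITS + NODE_BITS)) | (col << NODE_BITS) | node


def split_id(node_id):
    """Inverse of make_id: ((row, col), node index)."""
    node = node_id & (NODES - 1)
    col = (node_id >> NODE_BITS) & (COLS - 1)
    row = node_id >> (COL_BITS + NODE_BITS)
    return (row, col), node


def cell_of(node_id):
    return split_id(node_id)[0]


def is_neighbouring_cell(a, b):
    """Same cell or one of the eight surrounding cells of Fig. 5-1."""
    return abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1


def accept_packet(receiver_id, claimed_sender_id):
    """ID-based authentication step: a receiver accepts a packet only if the
    sender's cell index is its own cell or a neighbouring cell."""
    return is_neighbouring_cell(cell_of(receiver_id), cell_of(claimed_sender_id))


def polynomials_held(cell):
    """Predistribution of Section 5.3.1 (after [36]): the polynomial of cell
    (i, j), identified here by that cell index, is loaded into (i, j) and its
    four horizontal/vertical neighbours, so a node in (i, j) holds the
    polynomials of (i, j), (i, j±1) and (i±1, j) that exist in the grid."""
    i, j = cell
    cand = {(i, j), (i, j - 1), (i, j + 1), (i - 1, j), (i + 1, j)}
    return {c for c in cand if 0 <= c[0] < ROWS and 0 <= c[1] < COLS}


def shared_polynomials(id_u, id_v):
    """The set P of Section 5.3.1, decided purely by the two cell indices."""
    return polynomials_held(cell_of(id_u)) & polynomials_held(cell_of(id_v))


if __name__ == "__main__":
    u = make_id(3, 4, 7)                       # receiver in cell (3, 4)
    for sender in (make_id(4, 5, 2), make_id(9, 9, 1)):
        print(hex(sender), cell_of(sender),
              "accepted" if accept_packet(u, sender) else "dropped",
              "P =", shared_polynomials(u, sender))
```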

5.3.2 B-Phase Authentication

After deployment, the network is in the bootstrapping phase. In this phase, trust should be set up between nodes so that other higher-layer protocols may begin to work on this trustworthy infrastructure. This is achieved by B-phase authentication.

² We have developed a more efficient scheme in [45, 46] using hexagon and triangle cells. It can also be used in the LBN design if we choose to use hexagon or triangle cells in place of square cells.

At the very beginning, every node broadcasts its node ID, i.e.,

v → ∗ : < v > ,

to inform its neighbors of its existence. In the schemes [36–38, 45, 46, 48], every node needs to broadcast both its cell coordinates and its node ID to its neighbors. Our scheme is more efficient, because the node ID already includes the corresponding location information.

When node u hears node v, it first checks the cell index field in v's node ID. Under the LBN mechanism, the cell index should be the same as that of u or one of the neighboring cell indices, which is easily verified because all cell indices are sorted in order. If this is not the case, the received ID v may be a value spoofed by a malicious node, and node u simply ignores node v's packets.

If the received ID v is acceptable, node u immediately knows the shared polynomial set P with node v. Because node u and node v hold shares derived from the polynomials in P, node u may further verify node v through a challenge-response method. Node u randomly selects a polynomial f(x, y), which has a unique index p_f³, from P and uses the corresponding share f(u, y) to calculate a shared key K_uv = f(u, v) with node v. The shared key K_uv is unique when all node IDs are distinct; this property is critical for authentication. Then node u picks a nonce n_u, which is a random number, and sends to node v a challenge packet including the ID u, the index of the polynomial f(x, y), and n_u encrypted by f(u, v), i.e.,

u → v : < u, v, p_f, {n_u}_{K_uv} > ,

where {} denotes the encryption operation.

³ Polynomial indices may be preloaded into the nodes' memory, or may be calculated by a hash function with cell indices as inputs.

If node v does have the ID it claims, it certainly has the shared polynomial set P with node u. Then node v may use the polynomial index in the received packet to find the shared key K_uv and decrypt the nonce n_u. Next, node v also picks a nonce n_v and returns to node u a response packet including the node ID v, the nonce n_u, and n_v encrypted by f(u, v), i.e.,

v → u : < v, u, n_u, {n_v}_{K_uv} > .

After getting the response from v, node u checks the returned value of n_u. If it is the same as the one it sent to node v, then node v is an authenticated node; otherwise it is not.

To authenticate itself, node u also decrypts n_v and returns it to node v, i.e.,

u → v : < u, v, n_v > .

Following this three-way handshake authentication procedure, every node may set up trust with its neighbors during the bootstrapping phase.

During the B-phase authentication, a shared key is established between neighboring nodes. This shared key may act as the master key and be used to derive other keys for different purposes, such as encryption, authentication, etc. Thus, future communications between neighboring nodes are secured by the shared key.

5.3.3 C-Phase Authentication

After the bootstrapping phase, normal communications may run between neighboring nodes to fulfill various applications. During this phase, an adversary may inject, modify, or spoof packets to wreak havoc in the network. To guarantee normal operation of the network, every packet should be authenticated so that the sink node knows it is talking with the authenticated source node.

A standard way to achieve packet authentication and integrity is to use a message authentication code (MAC). A MAC is a digest calculated by a one-way and collision-resistant hash function with the message and some secret as inputs; an example is HMAC [59]. Every node may check whether a received packet has been tampered with by recalculating the MAC and comparing it with the one in the packet.

When a node v needs to send a packet to node u, it constructs the packet as

v → u : < v, u, n_v, m, H(v ‖ u ‖ n_v ‖ m ‖ K_uv) > ,

where n_v is a nonce, m is the message, H() is a hash function, "‖" is the concatenation operator, and K_uv is a shared key between u and v. To protect the master key established in the bootstrapping phase, it is better to use a derived authentication key here. For example, we may calculate an authentication key as H(K_uv ‖ 1) and an encryption key as H(K_uv ‖ 0). Here the message m may be in plaintext if only authentication is needed, or encrypted if both authentication and encryption are desired.

When node u receives the packet from node v, it first checks the cell index field in v's ID according to LBN. If the ID v is not acceptable, node u simply drops the packet and so does not need to check the MAC field. Moreover, node u may check the cell index field right after extracting node v's ID from the packet and stop receiving the remaining part of the packet to save energy if node v's ID is not acceptable, because packet transmission and reception are the most energy-costly radio operations in sensor nodes. Only if the ID v is acceptable does node u proceed to verify the MAC field and authenticate the packet.

TinySec [56] defines link layer packet formats including the Auth packet format, in which only authentication is provided, and the AE packet format, in which both authentication and encryption are provided. It is similar to our scheme; however, it does not address how to establish the authentication and encryption keys. It is obvious that we can combine TinySec with our scheme to provide a complete solution for link layer security in sensor networks.
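The key-based step of the B-phase three-way handshake (Section 5.3.2) and the C-phase MAC packet (Section 5.3.3), as an added example that is not code from the dissertation. The prime q, the HMAC-derived keystream standing in for the encryption {·}_K, the node IDs 17, 42 and 99 and the polynomial index 7 are assumptions; the ID-based cell-index check precedes this step and is not repeated here.

```python
"""LLA key-based authentication: B-phase three-way handshake and C-phase MAC.

Added example, not the dissertation's code.  K_uv = f(u, v) is derived from a
symmetric t-degree bivariate polynomial f(x, y) over F_q (Eq. 5-1); node u
holds the share f(u, y).  Assumed stand-ins: q is a prime chosen here, {n}_K is
the nonce XORed with a per-direction HMAC-SHA256 keystream, and the C-phase
MAC is HMAC-SHA256 under the derived authentication key H(K_uv || 1).
"""
import hashlib
import hmac
import secrets

Q = 2**61 - 1  # prime modulus of F_q (constructed choice)

def random_symmetric_polynomial(t):
    """Coefficients a_ij = a_ji of f(x, y) = sum_ij a_ij x^i y^j (Eq. 5-1)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = secrets.randbelow(Q)
    return a

def share(a, u):
    """Share f(u, y) as coefficients c_j = sum_i a_ij u^i (mod q)."""
    t = len(a) - 1
    return [sum(a[i][j] * pow(u, i, Q) for i in range(t + 1)) % Q
            for j in range(t + 1)]

def eval_share(c, v):
    """f(u, v) from the share f(u, y) by Horner's rule; equals f(v, u)."""
    k = 0
    for coef in reversed(c):
        k = (k * v + coef) % Q
    return k

def derive(k_uv, label):
    """H(K_uv || label): label 1 -> authentication key, 0 -> encryption key."""
    return hmac.new(k_uv.to_bytes(8, "big"), bytes([label]), hashlib.sha256).digest()

def seal(k_uv, direction, nonce):
    """{nonce}_K: XOR with a per-direction keystream; self-inverse, so it decrypts too."""
    stream = hmac.new(derive(k_uv, 0), direction, hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(nonce, stream))

class Node:
    """A node with its ID and its shares {polynomial index p_f: f(id, y)}."""

    def __init__(self, node_id, shares):
        self.id, self.shares, self.pending, self.trusted = node_id, shares, {}, {}

    def challenge(self, v, pf):                      # u -> v : <u, v, p_f, {n_u}K_uv>
        k, n_u = eval_share(self.shares[pf], v), secrets.token_bytes(8)
        self.pending[v] = (k, n_u)
        return (self.id, v, pf, seal(k, b"u->v", n_u))

    def respond(self, pkt):                          # v -> u : <v, u, n_u, {n_v}K_uv>
        u, v, pf, enc = pkt
        if v != self.id or pf not in self.shares:    # not our ID, or no share of p_f
            return None
        k, n_v = eval_share(self.shares[pf], u), secrets.token_bytes(8)
        self.pending[u] = (k, n_v)
        return (self.id, u, seal(k, b"u->v", enc), seal(k, b"v->u", n_v))

    def verify_response(self, pkt):                  # u -> v : <u, v, n_v>
        v, u, n_u_back, enc = pkt
        k, n_u = self.pending.pop(v)
        if not hmac.compare_digest(n_u_back, n_u):   # v could not decrypt n_u
            return None
        self.trusted[v] = k
        return (self.id, v, seal(k, b"v->u", enc))

    def verify_final(self, pkt):
        u, v, n_v_back = pkt
        k, n_v = self.pending.pop(u)
        if hmac.compare_digest(n_v_back, n_v):
            self.trusted[u] = k
        return u in self.trusted

def run_handshake(t=3, impostor=False):
    """B-phase between u = 17 and v = 42 sharing polynomial p_f = 7.  With
    impostor=True, node 99 answers under v's ID but holds only f(99, y)."""
    f = random_symmetric_polynomial(t)
    u = Node(17, {7: share(f, 17)})
    v = Node(42, {7: share(f, 99)}) if impostor else Node(42, {7: share(f, 42)})
    fin = u.verify_response(v.respond(u.challenge(42, 7)))
    if fin is None:
        return False, None, None
    return v.verify_final(fin), u.trusted[42], v.trusted[17]

def auth_packet(v, u, n_v, m, k_uv):
    """C-phase packet <v, u, n_v, m, MAC>, MAC keyed with H(K_uv || 1)."""
    data = b"%d|%d|" % (v, u) + n_v + b"|" + m
    return (v, u, n_v, m, hmac.new(derive(k_uv, 1), data, hashlib.sha256).digest())

def verify_packet(pkt, k_uv):
    """Receiver side (after the LBN cell-index check on v): recompute and compare."""
    v, u, n_v, m, tag = pkt
    return hmac.compare_digest(auth_packet(v, u, n_v, m, k_uv)[4], tag)
```

An impostor that claims v's ID without v's share computes f(99, u) instead of f(42, u), so its decrypted n_u is wrong and u's check on the returned nonce rejects it.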

5.4 Secure Sensor Networks

By using link layer encryption, we may prevent eavesdropping attacks. However, an intelligent adversary may launch many active attacks by exploiting the defects of network protocols that were not designed with security defenses in mind from the beginning. Karlof and Wagner [33] classified a series of attacks on sensor networks, which may cause rapid deterioration of network performance. Most of these attacks try to cause topological distortion by spoofing or replaying routing information. However, as we will show in this section, our LBN has inherent resistance to these topological attacks, because the location information in node IDs reflects the topology of the network. Any attack that causes serious topological distortion can be detected by our LBN and LLA. In this section, we discuss many typical attacks as examples.

5.4.1 The Sybil Attack

In the Sybil attack [60], a malicious node illegitimately takes on multiple identities, which may be fabricated IDs or impersonated IDs. The Sybil attack may pose a serious threat to routing protocols, data aggregation, voting, fair resource allocation, misbehavior detection, etc. [33, 60]. Several potential defense methods are proposed in [60], including radio resource testing, verification of key sets for random key predistribution, registration, position verification and code attestation. However, those methods rely on either strict physical assumptions or cooperation among a large number of nodes.

In our scheme, every node ID should appear only in a small area of the network due to the LBN mechanism. If the malicious node claims an ID belonging to distant cells, it may easily be found out by its neighbors and then precluded. The only IDs the malicious node can claim are those in its cell and neighboring cells. Even so, the malicious node cannot pass the link layer authentication, because it does not have the polynomial shares belonging to the node whose ID it claims. So the Sybil attack cannot succeed in our scheme.

5.4.2 Identity Replication Attacks

In the identity replication attack [60], an adversary may place many replicas of a captured node at many places in the network to cause inconsistency. Like the Sybil attack, the identity replication attack may lead to the failure of many network functions. Conventional defenses include centralized computation based on location or on the number of simultaneous connections [60], which is communication intensive and lacks scalability.

In our scheme, the adversary cannot place replicas of the captured node anywhere other than in its vicinity, because the presence of a node ID is localized by the LBN mechanism. The adversary can only place those replicas in the small area where the captured node originally resides. However, a convergence of replicas of the same node ID in a small area may easily be detected by the surrounding normal nodes. So the identity replication attack finds no place in our scheme.

5.4.3 Wormhole Attacks

In the Wormhole attack [61], two malicious nodes collude to tunnel packets from one place to another, distant place in the network. This attack may distort the network topology by making two distant nodes believe they are neighbors, and thus becomes a serious attack on routing protocols. Hu et al. proposed packet leashes [61] to limit the maximum range over which packets can be tunneled by the two colluding nodes. Directional antennas [62] are also used to defend against the Wormhole attack. However, these defenses target the Wormhole attack in ad hoc networks and require expensive hardware devices, which are infeasible for most resource-constrained sensor networks. Wang and Bhargava [63] proposed using centralized computation to defend against the Wormhole attack in sensor networks, in which a controller collects all nodes' location information to reconstruct the network topology so that any topological distortion may be visualized. However, this approach causes much communication overhead and is not realistic if malicious nodes move around the entire network, because each location change will trigger a new round of the topology reconstruction algorithm.

By using LBN, a node may check the cell index fields in received packets and simply drop those coming from a distant place. So the impact of the Wormhole attack is automatically limited to neighboring cells. Though the two colluding nodes may still tunnel packets within a small area, in that case they cannot cause severe network-scale topological distortion and may even help local communications. So the Wormhole attack may be defeated in our scheme.

5.4.4 Sinkhole Attacks

In the sinkhole attack [33], a malicious node tries to lure nearly all the traffic from a particular area, creating a metaphorical sinkhole with the malicious node at the center. This kind of attack typically works by making the malicious node look especially attractive to surrounding nodes, e.g., by claiming a lower routing cost to the base station. If geographic routing protocols are used, every route is found based on geographic information, which can be extracted from node IDs. In this case, the malicious node cannot cheat other nodes, because they can easily tell from its ID whether the malicious node lies on the route to the base station. If different routing criteria such as reliability are used, it is rather difficult to detect the sinkhole attack. However, the node ID may still provide some information about the location of the malicious node: if the source node finds that the malicious node is located far away from the direction of the base station, this indicates a potential threat, and some methods may be used to verify the routing information.

5.4.5 HELLO Flood Attacks

In the HELLO flood attack [33], a malicious node may broadcast HELLO packets with large enough transmission power to convince most nodes in the network that the malicious node is their neighbor, thus leading the network into a state of confusion. This attack may be defeated in our scheme because it is easy to check from the ID field whether a HELLO packet is acceptable.

5.4.6 The Acknowledgement Spoofing Attack

In the acknowledgement spoofing attack [33], a malicious node may spoof link layer acknowledgments for packets destined to a neighboring node which is dead, or for packets lost due to bad channel reliability, thus making the source node form a wrong routing decision based on the belief that the dead destination node is alive or that the channel is reliable. In our scheme, it is easy to detect the attack by LLA because the malicious node does not have the corresponding link layer keys.

5.4.7 The Node-compromise Attack

In our link layer authentication scheme, predistributed polynomials are used to establish shared keys between nodes. It is under the threat of the node-compromise attack, in which a small number of compromised nodes may expose a large amount of secrets in the network. It has been proved in [7, 8] that a t-degree bivariate polynomial is t-collusion resistant, meaning that the collusion of no more than t nodes cannot expose the polynomial. However, if one t-degree bivariate polynomial is used by more than t nodes, an adversary may compromise more than t nodes holding shares of the same polynomial to reconstruct it, and then use the reconstructed polynomial to derive shared keys between non-compromised nodes that hold shares of the same polynomial. We have proposed efficient schemes [45, 46, 48, 49] that achieve perfect resilience to the node-compromise attack. The details have been discussed in previous chapters.

5.4.8 The Memory Exhaustion Attack

The B-phase authentication in our scheme is not stateless, because every node needs to keep the nonce in its memory so that it can verify the returned nonce value from its neighbor. For each authentication request, a nonce should be generated. A malicious node may launch the memory exhaustion attack by sending authentication requests to its neighbors at a very high frequency, thus rendering its neighbors unusable by exhausting their memory resources. However, it is also easy to detect frequent authentication requests from a malicious node. To defend against this kind of attack, normal nodes just need to drop authentication requests if the request frequency is too high. Some countermeasures can also be triggered to punish the malicious node.
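As an added illustration of this defense (not code from the dissertation), the following Go sketch keeps one outstanding B-phase nonce per neighbor, bounds the size of the nonce table, and drops requests from any neighbor whose request frequency exceeds a sliding-window limit; the window length and limits are assumed values.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Authenticator is the B-phase state a normal node keeps: one pending nonce per
// neighbor and that neighbor's recent request times. Limits are illustrative
// assumptions, not values given in the dissertation.
type Authenticator struct {
	MaxPending   int           // hard bound on stored nonces (the memory budget)
	MaxPerWindow int           // requests a single neighbor may make per Window
	Window       time.Duration // sliding window for the frequency check
	pending      map[uint32][]byte
	history      map[uint32][]time.Time
}

func NewAuthenticator(maxPending, maxPerWindow int, window time.Duration) *Authenticator {
	return &Authenticator{
		MaxPending: maxPending, MaxPerWindow: maxPerWindow, Window: window,
		pending: make(map[uint32][]byte), history: make(map[uint32][]time.Time),
	}
}

// HandleRequest processes one authentication request from neighbor id at time
// now and returns the nonce to send back, or an error when the request is
// dropped (too frequent, or the nonce table is already full).
func (a *Authenticator) HandleRequest(id uint32, now time.Time) ([]byte, error) {
	// Keep only this neighbor's requests that still fall inside the window, so
	// the history itself stays bounded by MaxPerWindow entries per neighbor.
	recent := a.history[id][:0]
	for _, t := range a.history[id] {
		if now.Sub(t) < a.Window {
			recent = append(recent, t)
		}
	}
	if len(recent) >= a.MaxPerWindow {
		a.history[id] = recent
		return nil, errors.New("request frequency too high: dropped")
	}
	a.history[id] = append(recent, now)
	// A repeated request from the same neighbor replaces its old nonce, so one
	// neighbor can never occupy more than one slot of the table.
	if _, held := a.pending[id]; !held && len(a.pending) >= a.MaxPending {
		return nil, errors.New("nonce table full: dropped")
	}
	nonce := make([]byte, 8)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	a.pending[id] = nonce
	return nonce, nil
}

// Complete checks the nonce returned by the neighbor and frees its slot.
func (a *Authenticator) Complete(id uint32, returned []byte) bool {
	want, ok := a.pending[id]
	if !ok || !bytes.Equal(want, returned) {
		return false
	}
	delete(a.pending, id)
	return true
}

// Pending reports how many nonces are currently held in memory.
func (a *Authenticator) Pending() int { return len(a.pending) }

func main() {
	auth := NewAuthenticator(4, 2, time.Minute)
	t0 := time.Now()
	for i := 0; i < 5; i++ { // one neighbor flooding five requests in five seconds
		_, err := auth.HandleRequest(7, t0.Add(time.Duration(i)*time.Second))
		fmt.Printf("request %d from node 7: err=%v\n", i+1, err)
	}
	fmt.Println("nonces held:", auth.Pending())
}
```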


5.5 Discussion

To the best of our knowledge, there has been no research on the additional value of node identifiers. Though many schemes [36–38, 45, 46, 48] use node identifiers in key establishment, they use them only for identification. Our scheme is the first investigation that tries to dig out more application value of node identifiers. We have shown that by embedding location information into node identifiers, our LBN has intrinsic immunity from many attacks against network topology. Beyond its security value, we believe our LBN can also be used in other applications in sensor networks.

Our LLA scheme incorporates LBN as the first-step authentication method, and uses a shared key to further verify node identity. In LLA, predistributed polynomials are used to achieve key agreement to provide the authentication service. However, other shared-key-based authentication schemes can also work well with LBN in the second authentication step, as long as they guarantee that neighboring nodes can establish a unique shared key. Similar schemes are SPINS [6] and LEAP [64]. The building block SNEP in SPINS [6] can provide neighbor authentication by a shared key. However, two neighboring nodes rely on the base station to negotiate a shared key, which is not efficient in terms of communication overhead. In LEAP [64], a global key is used to derive shared keys to achieve neighbor authentication, where the underlying assumption is that adversaries cannot compromise any node during the network bootstrap phase, so that the global key remains safe. Our scheme does not rely on this assumption and is resilient to node compromise attacks.

Zhang et al. [65] proposed to use location-based keys to secure sensor networks. Their scheme is based on public key cryptography, while our scheme is based on symmetric key cryptography. Besides, in their scheme each location-based key is tied to a precise location in the network, and the location information should be obtained by mobile robots. When a node moves, the location-based key associated with its previous location becomes invalid. Hence, their scheme is only applicable in stationary sensor networks, where sensor nodes do not move after deployment. Our scheme only uses coarse-grained a priori deployment knowledge and does not need any positioning devices. Though our scheme targets stationary sensor networks, low mobility can also be supported as long as nodes only move within their vicinity.

5.6 Conclusion

In this chapter, we have introduced the naming problem for sensor networks for the first time in the literature. We believe that more benefits can be achieved by endowing node IDs with more meaningful information. A location-based naming mechanism, LBN, has been proposed to realize this idea. By using LBN, the impact of many attacks on topology in sensor networks can be limited to a small area. We also proposed a link layer authentication scheme, LLA, which incorporates LBN, to provide a neighborhood authentication service. It has been shown that our LBN and LLA can be an efficient defense against a wide range of attacks in sensor networks.

We have investigated the security value of our location-based naming mechanism. However, we believe it may also find other applications in sensor networks, such as geographic routing, target tracking, environment surveillance, etc., especially those applications in which security is desired. We will develop more efficient solutions for those applications based on our new idea in our future work.


CHAPTER 6 ACCESS CONTROL IN WIRELESS SENSOR NETWORKS

6.1 Introduction

A WSN usually consists of a large number of sensor nodes. In order to save manufacturing cost, a sensor node is usually built as a small device, which has limited memory, a low-end processor, and is powered by a battery [6]. The constrained resources result in limited computation and communication capabilities. After several weeks or months of operation, some nodes in the network may exhaust their power because of the uneven distribution of traffic load. Applications may fail due to the loss of some critical sensor nodes and become useless. Though power saving technology in the design of both hardware and software may extend the lifetime of a sensor network, new node deployment is still necessary in many cases.

Besides the natural loss of sensor nodes, a sensor network is also susceptible to malicious attacks in unattended and hostile environments. Some sensor nodes may be destroyed by adversaries. If the number of attacked sensor nodes exceeds a certain threshold, the entire network may become useless. Hence, new sensor nodes need to be deployed if necessary to maintain the normal operation of the sensor network.

In military scenarios, however, a sensor network usually lacks careful surveillance after deployment. Hence an adversary can also deploy malicious nodes into the network. These malicious nodes may easily eavesdrop on messages transmitted over the air between nodes or insert false reports into the network [6].

In addition, an intelligent attacker may launch tricky attacks from inside the sensor network by manipulating existing sensor nodes. A sensor node may be compromised due to the lack of tamper resistance [34], so that all the secrets in it are exposed to the adversary. Then the adversary may use the compromised node to launch other, more serious attacks. For example, in the Sybil attack [60], a malicious node, which may be a compromised one, impersonates other normal nodes or new nodes. Another example is the node replication attack [66], where an adversary compromises a node and deploys many copies of the node into the sensor network. The adversary can also launch the Wormhole attack [61–63], in which packets are tunneled between two distant places in the sensor network, thus introducing false nodes into the neighborhood of normal nodes. These attacks may cause fatal havoc [33, 35] in the sensor network.

Recently, many schemes [6, 13, 15, 17, 18, 56] were proposed to protect sensor networks. They may prevent external attackers from eavesdropping on messages or inserting false reports. However, they can hardly defend against internal attacks such as the Sybil attack, the node replication attack and the Wormhole attack. Though several techniques [60–63, 66] were proposed to counteract the internal attacks, each of them targets only one specific attack, using different approaches and hardware assumptions. It is very difficult to integrate those techniques into a uniform hardware platform. Even if the integration is possible, it may cost a lot of resources and deviate from the low-cost consideration.

In this chapter, we analyze the internal attacks including the Sybil attack, the node replication attack and the Wormhole attack. We observe that the common trick underlying these attacks is that they manipulate existing nodes to introduce malicious “new” nodes, which are indistinguishable from legitimate new nodes under current sensor network security technology. Those introduced “new” nodes could be accepted by other normal nodes as legitimate ones. Based on this observation, we design an access control protocol [67] for sensor networks to prevent malicious nodes, no matter whether they are directly deployed by adversaries or introduced “new” ones, from participating in sensor networks. A new node should prove not only that it has a correct identity but also that it is truly new in order to be admitted into the sensor network. Besides the node identity, which is widely used in authentication, we introduce the node bootstrapping time, which is the time when the new node bootstraps itself to join the sensor network, into the authentication procedure to differentiate malicious “new” nodes, which are actually old nodes, from legitimate new nodes. Unlike the conventional approaches in [60–63, 66] that attempt to detect malicious nodes after they join sensor networks, our access control protocol can prevent malicious nodes from joining sensor networks at the very beginning. Moreover, key establishment is also included in our access control protocol to help the new node establish shared keys with its neighbors so that it can communicate securely with them.

The rest of this chapter is organized as follows. We analyze the most typical attacks in Section 6.2 and show why access control is necessary for sensor networks in Section 6.3. The details of our access control protocol are described in Section 6.4. Security analysis and performance evaluation are carried out in Section 6.5 and Section 6.6. We finally conclude the chapter in Section 6.7.

6.2 Review of Attacks

Sensor networks have high value in military applications, in which they are often deployed in hostile environments to perform various kinds of military tasks. Usually, sensor networks lack careful surveillance after deployment. Hence, adversaries have opportunities to deploy malicious nodes, or to launch tricky attacks from inside a sensor network by manipulating existing sensor nodes.

6.2.1 Malicious Nodes Deployment

An attacker can directly deploy malicious nodes into the network. In Fig. 6-1 (a), for example, a malicious node B is deployed in the vicinity of existing node A. Node B may easily eavesdrop on messages sent out or received by node A. If node B knows the communication protocols in the sensor network, it may even inject false reports to disrupt the network functionalities [6, 33, 35]. Some security measures may be enforced to thwart this kind of attack, but if the adversary is able to break into the security infrastructure, he/she can still deploy as many malicious nodes as possible.

6.2.2 The Sybil Attack

The Sybil attack was first studied in the context of peer-to-peer networks [69]. Then it was found to be a serious threat to sensor networks [60]. In the Sybil attack, a malicious node illegitimately takes on multiple identities. The impersonated identities may belong to existing nodes or non-existing nodes. The malicious node may be deployed directly by adversaries or may just be a compromised one. In Fig. 6-1 (b), for example, a node B is compromised by an adversary who then makes node B impersonate other identities, e.g., node C. From the point of view of node A, it is just like a new node C appearing in its vicinity. It has been shown that the Sybil attack may pose a serious threat to distributed storage (redundant information destined to several nodes may finally be stored in one malicious node), routing protocols (multipath routing, geographic routing) [33], and so on. In addition, it may also have devastating consequences for other applications such as data aggregation, voting, fair resource allocation, and misbehavior detection [60]. Several potential defense methods were proposed in [60], including radio resource testing, verification of key sets for random key predistribution, registration, position verification, and code attestation. Those methods rely on either strict hardware assumptions or complicated cooperation among a group of nodes.

6.2.3 The Node Replication Attack

In the node replication attack [66], an adversary intentionally puts many replicas of a compromised node at many places in the network to incur inconsistency. In Fig. 6-1 (c), for example, node B is compromised and one of its copies is deployed in the vicinity of node A, so that node A may take node B as its new neighbor. Like the Sybil attack, the node replication attack can also give adversaries the ability to subvert data aggregation, misbehavior detection and voting protocols by injecting false data or suppressing legitimate data [66]. The conventional methods to defend against the node replication attack usually include centralized computing based on node locations or number of simultaneous connections, which is vulnerable to single-point failure. Distributed detection of the node replication attack was proposed in [66], where the location of a suspect node is verified by randomly selected witness nodes.


6.2.4 The Wormhole Attack

In the Wormhole attack [61], an adversary tunnels packets between two distant places in the sensor network. In Fig. 6-1 (d), for example, the adversary deploys two special devices into the vicinities of node A and node B, respectively. These two devices share a secret broadband channel, which is invisible to sensor nodes. The devices may then record packets sent out by one node, tunnel those packets through the secret broadband channel to the other end, and replay them in the vicinity of the other node. The consequence is that node A may find a new node B appearing in its neighborhood, and vice versa. This attack may distort the network topology by making two distant nodes believe they are neighbors, thus becoming a serious attack on routing protocols [61].

6.3 Access Control

6.3.1 Necessity

New node deployment is inevitable when applications in the sensor network become unstable because of the loss of sensor nodes. The cooperative characteristic of sensor network applications requires mutual trust among sensor nodes. A deployed new node, however, may not be a legitimate one, as is shown in Section 6.2. It may be a malicious node directly deployed by adversaries, or an introduced “new” node due to the Sybil attack, the node replication attack or the Wormhole attack. The underlying trick of the Sybil attack, the node replication attack and the Wormhole attack is that those malicious “new” nodes are indistinguishable from legitimate new nodes under current sensor network security technology; hence those malicious “new” nodes will be accepted by other normal nodes as legitimate ones.

To prevent malicious nodes from joining sensor networks, access control should be enforced to control sensor node deployment. A sensor node should prove that it is a legitimate one when deployed into the sensor network. Usually, an access control mechanism should accomplish two tasks:

1. Node authentication: through authentication a deployed node proves its identity (ID) to its neighboring nodes and proves that it has the right to access the sensor network;

2. Key establishment: shared keys should be established between a deployed node and its neighboring nodes to protect communications.

Figure 6-1. Attacks: (a) malicious node deployment, (b) the Sybil attack, (c) the node replication attack, (d) the Wormhole attack; node labels A, B and C are as described in Section 6.2.

6.3.2 The State of the Art

A lot of solutions [6, 13, 15, 17, 18, 68] were proposed in the literature to protect sensor networks. However, they can hardly address the access control problem in sensor networks. SPINS [6] and TinySec [56] are vulnerable to the node compromise attack, where an adversary can simply compromise one node and then use its key to generate and deploy as many malicious nodes as possible. Randomly predistributed symmetric key schemes [13, 15] were proposed to achieve key agreement between neighboring sensor nodes, but they cannot provide the authentication service because the same keys are reused among many sensor nodes. By compromising a few sensor nodes, an adversary can get a lot of keys and thereby manufacture and deploy many malicious nodes. ID-based symmetric key schemes [17, 18] involve node IDs in key agreement. They could provide the authentication service, where a node's identity could be challenged based on the keys it holds. Those schemes, however, are based on threshold-based symmetric key techniques, where the security threshold is directly determined by the node memory resource. Due to the contradiction between the large number of sensor nodes in a network and the constrained memory resource, they usually cannot provide full security. If the number of compromised nodes exceeds the threshold, an adversary can destroy the security infrastructure and deploy as many malicious nodes as possible.

With the development of hardware capability, public key techniques have become a possible and promising approach to securing sensor networks because of their flexible key management and scalability. Very recently, Watro et al. [68] proposed the TinyPK protocol, where RSA [3] certificates are used to authenticate external parties to sensor networks and Diffie-Hellman [2] key exchanges are used to achieve key agreement between external parties and sensor nodes. Compared with symmetric key techniques, TinyPK is more resilient to the node compromise attack. TinyPK could be used for access control during node deployment. It may prevent adversaries from deploying malicious nodes and detect the Sybil attack, but it cannot detect the node replication attack and the Wormhole attack, because the “new” nodes introduced by these two attacks have legitimate certificates.


6.4 Our Protocol

6.4.1 Outline

A preloaded public key certificate which includes ID information, or an ID-based symmetric key, can be used to prove the identity of a new node. When the new node is deployed into the sensor network, its neighbors may verify the certificate or challenge the ID-based symmetric key to check whether the new node has a legitimate identity. By using this ID authentication, adversaries are prevented from directly deploying malicious nodes because they do not have corresponding certificates or ID-based symmetric keys. However, ID authentication alone is not enough to protect the sensor network, as is shown in Section 6.3. In the Sybil attack, the node replication attack and the Wormhole attack, an adversary in fact could manipulate existing nodes to introduce malicious “new” nodes. Those old nodes have preloaded certificates or ID-based symmetric keys, so the “new” nodes also have legitimate identities. Hence, we need to differentiate those old nodes from new nodes to further protect the sensor network.

A solution to this problem is to involve a timestamp in the authentication procedure. It is a common solution to freshness problems in our real lives. For example, the tickets we buy for movies or football games carry timestamps which show when the tickets are valid. A similar idea can also be applied to the design of our access control protocol for sensor networks.

After a sensor node is deployed into a sensor network, it will bootstrap itself at a preset time to join the sensor network. The difference between an old node and a new node is that they have different bootstrapping times. Hence, we may use the bootstrapping time as the timestamp in our access control protocol.

Our access control protocol uses a preloaded certificate which includes both ID information and bootstrapping time to authenticate the identity of a new node. The certificate is generated by a certification authority (CA), e.g., the administrator of the sensor network. In the certificate, the node ID information and its bootstrapping time are signed by the CA's private key to protect their integrity, so that adversaries cannot falsify the ID and the bootstrapping time. When the new node is deployed into the sensor network, it can show its certificate to its neighbors. The neighbors can verify the ID and the bootstrapping time with the CA's public key. A new node can be accepted into the sensor network only if it has a correct identity and its bootstrapping time is within a tolerance period of the current time. Through the authentication of both ID and bootstrapping time, our access control protocol can prevent malicious nodes from joining the sensor network because they do not have correct IDs or bootstrapping times.

The Diffie-Hellman algorithm is used to establish shared keys between the new node and its neighbors. Hence each node is preloaded with a ⟨private key, public key⟩ pair. After a new node passes the authentication procedure, it exchanges its public key with its neighbors. Then the new node can establish shared keys with its neighbors according to the Diffie-Hellman algorithm. To prevent nodes from falsifying public keys, the public key of each sensor node is also signed by the CA and included in its certificate.
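The admission procedure outlined above, as an added Go example that is not the dissertation's own code: the CA signs (ID, bootstrapping time, ECDH public key) with ECDSA, a neighbor verifies the signature and checks the bootstrapping time against its own clock within a tolerance, and the admitted node derives pairwise keys by ECDH. Assumptions: Go's P-256 curve stands in for the 160-bit curve of the text, the certificate encoding and the 10-minute tolerance are illustrative, and a replica of an old node is modeled as a valid certificate with a month-old bootstrapping time.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Certificate holds what the CA signs for each node: the node ID, its
// bootstrapping time and its (EC) Diffie-Hellman public key.
type Certificate struct {
	ID        uint32
	Bootstrap time.Time
	PubKey    []byte // uncompressed ECDH public point
	Sig       []byte // CA's ECDSA signature (ASN.1) over certDigest
}

// certDigest binds ID, bootstrapping time and public key into one hash, so that
// altering any of them invalidates the CA's signature (assumed encoding).
func certDigest(id uint32, boot time.Time, pub []byte) []byte {
	h := sha256.New()
	var hdr [12]byte
	binary.BigEndian.PutUint32(hdr[:4], id)
	binary.BigEndian.PutUint64(hdr[4:], uint64(boot.Unix()))
	h.Write(hdr[:])
	h.Write(pub)
	return h.Sum(nil)
}

// Node is a sensor node as preloaded by the CA: its key pair and certificate.
type Node struct {
	Key  *ecdh.PrivateKey
	Cert Certificate
}

// NewNode is the CA's predeployment step for node id with bootstrapping time boot.
// P-256 stands in for the dissertation's 160-bit curve, which Go's stdlib lacks.
func NewNode(ca *ecdsa.PrivateKey, id uint32, boot time.Time) (*Node, error) {
	key, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	pub := key.PublicKey().Bytes()
	sig, err := ecdsa.SignASN1(rand.Reader, ca, certDigest(id, boot, pub))
	if err != nil {
		return nil, err
	}
	return &Node{Key: key, Cert: Certificate{ID: id, Bootstrap: boot, PubKey: pub, Sig: sig}}, nil
}

// VerifyNewNode is the neighbor's admission check: the CA signature must verify
// (correct identity) and the bootstrapping time must lie within tolerance of the
// neighbor's loosely synchronized clock (truly new). An old node re-introduced by
// replication or a wormhole carries a valid certificate but a stale time.
func VerifyNewNode(caPub *ecdsa.PublicKey, c Certificate, now time.Time, tolerance time.Duration) error {
	if !ecdsa.VerifyASN1(caPub, certDigest(c.ID, c.Bootstrap, c.PubKey), c.Sig) {
		return errors.New("invalid CA signature: ID, bootstrapping time or key altered")
	}
	if d := now.Sub(c.Bootstrap); d < -tolerance || d > tolerance {
		return errors.New("bootstrapping time outside tolerance window: not a new node")
	}
	return nil
}

// SharedKey derives the pairwise key from a node's private key and a peer's
// certified public key (ECDH), hashed so the raw point is never used directly.
func SharedKey(mine *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	peer, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := mine.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(secret)
	return k[:], nil
}

func main() {
	ca, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now, tol := time.Now(), 10*time.Minute
	old, _ := NewNode(ca, 1, now.Add(-30*24*time.Hour)) // deployed a month ago
	fresh, _ := NewNode(ca, 2, now.Add(-time.Minute))   // bootstrapping now
	fmt.Println("fresh node admitted:", VerifyNewNode(&ca.PublicKey, fresh.Cert, now, tol) == nil)
	fmt.Println("replica of old node admitted:", VerifyNewNode(&ca.PublicKey, old.Cert, now, tol) == nil)
	k, _ := SharedKey(fresh.Key, old.Cert.PubKey)
	fmt.Printf("pairwise key prefix: %x\n", k[:8])
}
```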

6.4.2 Assumptions

6.4.2.1 Network model

We assume that sensor nodes are stationary, so that if a node finds a new node in its neighborhood, the new node must be either a newly deployed node or a node introduced by adversaries. All sensor nodes have the same transmission range and communicate with each other via bi-directional wireless links. Each node has a unique, integer-valued, non-zero ID.

We assume that all sensor nodes are loosely synchronized. Each sensor node has a preset bootstrapping time. After being deployed into the sensor network, each sensor node bootstraps itself at its bootstrapping time to join the sensor network. Two sensor nodes may have the same bootstrapping time if they are deployed simultaneously. A collision at the MAC layer may occur if the two nodes bootstrap themselves simultaneously. However, we assume that the MAC-layer protocol has collision resolution mechanisms to solve the problem [65]. Hence, each node can finish bootstrapping within a tolerance time interval after its bootstrapping time.

6.4.2.2 Adversary model

Due to the broadcast characteristic of radio communications, adversaries may easily eavesdrop on any message, either ciphertext or plaintext, transmitted over the air. Adversaries cannot decrypt any ciphertext if they do not have the corresponding decryption key. Otherwise, a stronger cryptographic primitive should be used to increase the security.

For cost reasons, it is not economical to equip every sensor node with tamper resistant devices. Adversaries may easily compromise a sensor node and extract all the secrets stored in its memory. Even if tamper resistant devices are available, they are still not able to guarantee perfect security of secrets [34]. Hence, node compromise is usually unavoidable in wireless sensor networks. Compromising a node, however, is not a trivial job. We assume that each sensor node can sustain a tolerance time interval before it is compromised, which is also assumed by previous work [34, 64].

6.4.3 Cryptographic Primitive

Compared with symmetric key cryptography, public key cryptography is more expensive in terms of computational complexity. Hence most sensor network security proposals are based on symmetric key cryptography [6, 13, 15, 17, 18, 36]. However, with the fast development of hardware performance, public key cryptography is becoming possible on low-end devices [68, 70].

Elliptic curve cryptography (ECC) [71, 72] and RSA [3] are mature public-key techniques that have been researched by the academic community for many years. Compared to RSA, ECC is seen as the standard for the next generation of cryptographic technology. The fundamental operation underlying RSA is modular exponentiation in integer rings. Its security stems from the difficulty of factoring large integers. Currently there only exist sub-exponential algorithms to solve the integer factorization problem¹. ECC operates on groups of points over elliptic curves and derives its security from the hardness of the elliptic curve discrete logarithm problem (ECDLP)² [71, 72]. The best algorithms known for solving ECDLP are exponential. Hence, ECDLP is harder than the RSA problem given the same key length. In other words, ECC can achieve the same level of security with smaller key sizes. It has been shown that 160-bit ECC provides comparable security to 1024-bit RSA and 224-bit ECC provides comparable security to 2048-bit RSA [73]. At the same security level, the smaller key sizes of ECC offer faster computation as well as memory, energy and bandwidth savings, so ECC is better suited to resource-constrained devices.

Due to the merits of ECC, our access control protocol uses 160-bit ECC as the

underlying cryptographic infrastructure. Particularly, the signature operation in our

protocol is based on the elliptic curve digital signature algorithm (ECDSA) [73], and the

shared key is established according to the Diffie-Hellman algorithm over ECDLP.

6.4.4 Predeployment Phase

6.4.4.1 Network parameters

Before a sensor network is deployed, the CA chooses a set of system parameters including:

1. a finite field Fq, where q is a large odd prime of at least 160 bits;

2. an elliptic curve E over Fq (denoted by E(Fq) hereafter);

3. a cyclic group G = 〈G〉 of points over the elliptic curve E(Fq), where G is the generator of the group and has an order n of at least 160 bits, with n > 4√q;

4. the CA’s private key κ ∈ Z∗n = {1, 2, . . . , n − 1};

5. the CA’s public key Q = κG ∈ G.

¹ Given a positive integer n = pq where p and q are large distinct primes, find p and q.

² Given a generator G of a finite cyclic point group G over an elliptic curve E(Fq) and another point Q in the group, find an element x ∈ Fq such that xG = Q.

The CA never shares its private key with anyone else. Since ECDLP is a hard

problem [71, 72], no one can derive the CA’s private key κ from the pair < G,Q >. In

addition, the CA does not get involved in the network operation, so adversaries have no

opportunity to directly attack the CA to get κ.

6.4.4.2 Sensor parameters

For each sensor node, say Ni, the CA preloads it with a set of node parameters including:

1. the elliptic curve E(Fq);

2. the cyclic group G over E(Fq);

3. the CA’s public key Q;

4. the bootstrapping time Ti when node Ni bootstraps itself to join the sensor network;

5. the length of bootstrapping phase Li during which the node is allowed to join the sensor network;

6. Ni’s private key si ∈ Z∗n;

7. Ni’s public key Pi = siG = (xpi, ypi) ∈ G, where xpi, ypi ∈ Fq;

8. the signature < Ci, ci > for node Ni, where Ci ∈ G and ci ∈ Z∗n;

9. a hash function H : {0, 1}∗ → Z∗n, which translates a binary sequence into an integer in Z∗n.

The signature is calculated according to ECDSA. The CA first chooses a random number ki ∈ Z∗n and then calculates

$$C_i = k_i G = (x_{c_i}, y_{c_i}), \qquad (6\text{–}1)$$

$$c_i = k_i^{-1}\bigl(H(N_i \,\|\, T_i \,\|\, L_i \,\|\, P_i) + \kappa\, x_{c_i}\bigr) \pmod n, \qquad (6\text{–}2)$$

where “‖” is the concatenation operator.


6.4.5 Node Deployment

At the very beginning, a network of sensor nodes, say hundreds or thousands of

nodes, is deployed in a designated area. At a preset time, these sensor nodes bootstrap

themselves and then start to establish communications. During the network operation

phase, if some sensor nodes are lost due to natural power exhaustion or malicious

attacks, new sensor nodes need to be deployed. These new sensor nodes all have a preset

bootstrapping time different from that of the previously deployed nodes. Hence, without

loss of generality, we assume that sensor nodes are deployed in groups, where sensor nodes

in one group have the same bootstrapping time and the length of bootstrapping phase but

these values for different groups may be different.

6.4.6 Node Authentication

After being deployed into the sensor network, every new node should broadcast a

message to inform its neighbors of its existence. For example, a new node Ni bootstraps

itself at time Ti and broadcasts a message:

Ni → ∗ : 〈∗, Ni, Ti, Li, Pi, Ci, ci〉 . (6–3)

Then handshakes between the new node and its neighbors can be performed for

authentication. Because the neighbors of the new node may include both new nodes and

old nodes, the handshakes can be divided into two cases: the handshake between new

nodes (Fig. 6-2) and the handshake between a new node and an old node (Fig. 6-3).

6.4.6.1 Handshake between new nodes

If node Ni also hears a broadcasted message from another new node Nj, it verifies

whether Nj is a legitimate new node by doing the following.

Node Ni first compares Nj’s bootstrapping time Tj with its own bootstrapping time Ti. If Tj ≥ Ti, then node Nj might be a new node. Actually Tj = Ti if Ni and Nj are both new nodes. The reason for using “≥” here is to maintain software compatibility so that this procedure can also be used by an old node to authenticate a new node (refer to Fig. 6-3). Node Ni proceeds to verify whether node Nj is a new node by comparing Tj with its current time t. If Tj is out of date (|Tj − t| > Lj), node Ni simply drops the received message. If Tj is within the tolerance time interval (|Tj − t| ≤ Lj), node Ni continues to verify Nj’s identity by ECDSA. Specifically, node Ni computes

$$u_1 = H(N_j \,\|\, T_j \,\|\, L_j \,\|\, P_j), \qquad (6\text{–}4)$$

$$u_2 = c_j^{-1} u_1 \pmod n, \qquad (6\text{–}5)$$

$$u_3 = c_j^{-1} x_{c_j} \pmod n, \qquad (6\text{–}6)$$

$$V = u_2 G + u_3 Q. \qquad (6\text{–}7)$$

If V = Cj, node Ni can be sure that node Nj is a legitimate new node, because if the signature is valid the verification equation holds:

$$\begin{aligned}
V &= u_2 G + u_3 Q \\
  &= c_j^{-1} u_1 G + c_j^{-1} x_{c_j} Q \\
  &= c_j^{-1}\bigl(H(N_j \,\|\, T_j \,\|\, L_j \,\|\, P_j) + \kappa\, x_{c_j}\bigr) G \\
  &= k_j G \\
  &= C_j. \qquad (6\text{–}8)
\end{aligned}$$

After node Ni verifies the identity of node Nj, it calculates a shared key with its

private key and Nj’s public key, i.e.,

$$K_{ij} = s_i P_j = s_i s_j G. \qquad (6\text{–}9)$$

Following the same procedure, node Nj can verify the identity of node Ni after it

hears the broadcasted message from node Ni and calculate a shared key as

$$K_{ij} = s_j P_i = s_i s_j G. \qquad (6\text{–}10)$$

Figure 6-2. Handshake between two new nodes. The figure shows the following exchange:
Ni → ∗ : 〈∗, Ni, Ti, Li, Pi, Ci, ci〉
Nj → ∗ : 〈∗, Nj, Tj, Lj, Pj, Cj, cj〉
Ni: if Tj ≥ Ti { if |Tj − t| > Lj, reject Nj; else { calculate verifier V; if V = Cj { accept Nj; calculate Kij = siPj } else reject Nj } }
Nj: if Ti ≥ Tj { if |Ti − t| > Li, reject Ni; else { calculate verifier V; if V = Ci { accept Ni; calculate Kij = sjPi } else reject Ni } }
Ni → Nj : 〈Nj, Ni, {ni}Kij〉
Nj → Ni : 〈Ni, Nj, ni, {nj}Kij〉
Ni → Nj : 〈Nj, Ni, nj〉

Node Ni and node Nj can confirm that each holds the shared key by a challenge-response procedure. Node Ni selects a nonce ni, encrypts it under Kij and sends it to node Nj. If node Nj has the shared key, it can decrypt the nonce ni. Node Nj then sends back a message containing the nonce ni and an encrypted nonce nj chosen by itself. Node Ni decrypts the nonce nj and returns it to node Nj. The handshake between node Ni and node Nj is depicted in Fig. 6-2.

6.4.6.2 Handshake between a new node and an old node

When an old node Nj hears the broadcasted message from the new node Ni, it also

checks the validity of Ni’s bootstrapping time and then verifies Ni’s identity (Fig. 6-3).

After that, node Nj calculates a shared key with its private key and Ni’s public key,

selects a nonce nj, encrypts the nonce with the shared key, and replies with the message:

Nj → Ni : 〈Ni, Nj, Tj, Lj, Pj, Cj, cj, {nj}Kij〉 . (6–11)

Node Ni does not need to check the validity of Nj’s bootstrapping time because Nj is not a new node. Adversaries may exploit this point to attack our access control protocol; we analyze this in Section 6.5. Node Ni simply verifies Nj’s identity by following ECDSA. Then node Ni decrypts the nonce nj and returns it to Nj to show that it is a legitimate new node. Node Ni also challenges node Nj by sending an encrypted nonce ni and requiring Nj to return it. The whole handshake is depicted in Fig. 6-3.

Figure 6-3. Handshake between a new node and an old node. The figure shows the following exchange:
Ni → ∗ : 〈∗, Ni, Ti, Li, Pi, Ci, ci〉
Nj: if Ti ≥ Tj { if |Ti − t| > Li, reject Ni; else { calculate verifier V; if V = Ci { accept Ni; calculate Kij = sjPi } else reject Ni } }
Nj → Ni : 〈Ni, Nj, Tj, Lj, Pj, Cj, cj, {nj}Kij〉
Ni: calculate verifier V; if V = Cj { accept Nj; calculate Kij = siPj } else reject Nj
Ni → Nj : 〈Nj, Ni, nj, {ni}Kij〉
Nj → Ni : 〈Ni, Nj, ni〉

6.4.7 Key Establishment

During the node authentication procedure, the new node Ni has already established

shared keys with its neighbors, e.g., Nj. They calculate the shared key by following the

Diffie-Hellman algorithm based on ECDLP, i.e.,

$$K_{ij} = s_i P_j = s_i s_j G = s_j P_i = K_{ji}. \qquad (6\text{–}12)$$

Because no known algorithm solves ECDLP in less than exponential time, adversaries cannot be expected to compute the private keys si and sj from the pairs 〈G, siG〉 and 〈G, sjG〉. Hence, the shared key remains secret even if adversaries eavesdrop on the transmitted public keys.

The shared key Kij between node Ni and node Nj can be used to derive different keys

for multiple security services, such as message encryption and message authentication [6].

For example, the shared key can be fed into a function f (a hash function or a pseudo-random function [74]) to generate an encryption key f(Kij, 1) and an authentication key f(Kij, 2).
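The signing step of (6–1)–(6–2), the verification of (6–4)–(6–7), the bootstrapping-time window check from Fig. 6-2 and the key agreement of (6–12) can be exercised end to end in a short program. The Python below is an added example written for this page, not code from the dissertation; it assumes the secp256k1 curve as a stand-in for the 160-bit curve the CA would choose (the text does not list its curve parameters), SHA-256 reduced modulo n as the hash H, and HMAC-SHA256 as the key derivation function f, all of which are my choices. The constructed scenario also exercises the point made in Section 6.5.1: a node that claims a bootstrapping time other than the one in its certificate fails verification, because the hash in (6–2) no longer matches.

```python
"""Added example: the access control handshake primitives with a toy CA and two nodes."""
import hashlib
import hmac
import secrets

# secp256k1 parameters (assumption: stand-in for the CA's 160-bit curve, which the
# text does not list).  Curve y^2 = x^3 + 7 over F_P, generator G of prime order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on E(F_P); None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # P + (-P)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add kP: the point multiplication Section 6.6.1 counts as the costly step."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, point)
        point = point_add(point, point)
        k >>= 1
    return acc


def H(*fields):
    """H : {0,1}* -> Z_n^*, realised (assumption) as SHA-256 of the concatenation mod n."""
    data = b"||".join(str(f).encode() for f in fields)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N or 1


def ca_sign(kappa, node_id, T, L, pub):
    """Equations (6-1), (6-2): certificate <C, c> binding N, T, L and P together."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        C = scalar_mult(k, G)
        c = pow(k, -1, N) * (H(node_id, T, L, pub) + kappa * C[0]) % N
        if c:                            # c must be invertible mod n for the verifier
            return C, c


def verify_cert(Q, node_id, T, L, pub, cert):
    """Equations (6-4) to (6-7): V = u2 G + u3 Q must equal C."""
    C, c = cert
    c_inv = pow(c, -1, N)
    u2 = c_inv * H(node_id, T, L, pub) % N
    u3 = c_inv * C[0] % N
    return point_add(scalar_mult(u2, G), scalar_mult(u3, Q)) == C


def accept_new_node(T_self, t_now, node_id, T, L, pub, cert, Q):
    """Receiver logic of Fig. 6-2: T >= own T, |T - t| <= L, then the ECDSA check."""
    if T < T_self or abs(T - t_now) > L:
        return False
    return verify_cert(Q, node_id, T, L, pub, cert)


def shared_keys(priv, peer_pub):
    """Equation (6-12) K = sP, then f(K, 1), f(K, 2) via HMAC-SHA256 (assumption for f)."""
    kx = scalar_mult(priv, peer_pub)[0].to_bytes(32, "big")
    return tuple(hmac.new(kx, bytes([tag]), hashlib.sha256).digest() for tag in (1, 2))


def demo():
    """Constructed scenario: one CA, two nodes of a group with T = 1000, L = 60."""
    kappa = secrets.randbelow(N - 1) + 1
    Q = scalar_mult(kappa, G)
    T, L = 1000, 60
    s1, s2 = (secrets.randbelow(N - 1) + 1 for _ in range(2))
    P1, P2 = scalar_mult(s1, G), scalar_mult(s2, G)
    cert2 = ca_sign(kappa, "N2", T, L, P2)
    in_window = accept_new_node(T, 1030, "N2", T, L, P2, cert2, Q)    # legitimate
    too_late = accept_new_node(T, 1100, "N2", T, L, P2, cert2, Q)     # |T - t| > L
    forged_T = accept_new_node(T, 2000, "N2", 2000, L, P2, cert2, Q)  # T not in cert hash
    agree = shared_keys(s1, P2) == shared_keys(s2, P1)                # K_ij = K_ji
    return in_window, too_late, forged_T, agree


if __name__ == "__main__":
    print(demo())   # (True, False, False, True)
```

Running `demo()` performs the same three point multiplications per node that Section 6.6.1 counts (two for verifying a certificate, one for the shared key), which is why the curve arithmetic is written out rather than hidden behind a library.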

6.5 Security Analysis

6.5.1 New Node Deployment

Through authentication, our access control protocol prevents adversaries from directly deploying malicious nodes into sensor networks. Because adversaries do not know the private key of the CA, they cannot forge certificates for malicious nodes.

Our access control protocol can effectively defend against the Sybil attack, the node

replication attack, and the Wormhole attack. As shown in Section 6.2, the underlying

trick of those attacks is that the adversary could manipulate existing nodes to introduce

malicious “new” nodes into the sensor network. By including the bootstrapping time in

our access control protocol, a new node is only allowed to join the sensor network during

its bootstrapping phase. After that it becomes an old node. Hence, malicious “new” nodes

are prevented from joining the sensor network at the very beginning, because they do

not have the proper bootstrapping time, and they are prevented from falsifying the latest

bootstrapping time which does not match their certificates.

6.5.2 Eavesdropping and False Reports Injection

When a new node passes the authentication procedure, it has already established

shared keys with its neighbors by following the Diffie-Hellman algorithm over ECDLP.

The shared keys can be used to secure communications among sensor nodes. Particularly,

different keys can be derived from the shared keys to provide security services such as

message encryption and message authentication. Hence, adversaries are prevented from

eavesdropping or injecting false reports into the sensor network.

6.5.3 Node Compromise

Usually node compromise cannot be prevented in sensor networks, unless future advances in hardware design and manufacturing provide stronger tamper resistance [34]. Our access control cannot eliminate the node compromise problem, but it can prevent adversaries from spreading the impact of node compromise across the entire

network. Two direct results of node compromise, the Sybil attack and the node replication

attack, can be prevented by our access control protocol after the node bootstrapping

phase. Moreover, because of the ECC public key infrastructure, no sensor node knows the private keys of other nodes, and each shared key is known only to the two neighboring nodes that established it. Even if an adversary compromises a node, he/she learns only what the compromised node knows, not the shared keys between other non-neighboring nodes. Hence, the impact of node compromise is limited to the vicinity of

the compromised node.

If an adversary could compromise a sensor node during its bootstrapping phase,

he/she might use it to launch other attacks. However, compromising a node is not a trivial

task. Usually a sensor node is designed to be able to sustain compromise for a certain

time interval [34]. The node bootstrapping phase, however, is usually very short, and in

practice it is reasonable to expect it to be shorter than the time needed to compromise

the node [64]. Hence we do not need to worry about node compromise during the node

bootstrapping phase.

6.5.4 Attacks to Access Control

Our access control protocol tries to solve the new node deployment problem in

hostile environments. During the handshake between a new node and an old node, the

bootstrapping time of the new node is verified by the old node, but the new node does not

check the bootstrapping time of the old node because the old node has been involved in

the sensor network. An adversary may take this opportunity to trick the new node into

establishing communications with malicious old nodes.

One scenario is that an adversary might introduce a malicious node through the Sybil

attack or the node replication attack into the area where the new node is to be deployed.

When the new node is deployed, it might establish communications with the malicious

node. To make the attack successful, however, the adversary has to activate the malicious node at the very moment the new node bootstraps itself, and has to count on no other old nodes existing in that area. Otherwise, the introduced malicious node can be detected

by other old nodes because the malicious node is heard by those old nodes as a new node

but it does not have the correct bootstrapping time. Under this strict condition, the

probability of this attack is rather small.

A similar scenario is that an adversary might launch the Wormhole attack to establish

a tunnel between a new node and another distant old node so that these two nodes

might establish communications through handshakes. To make the attack successful, the adversary again has to establish the tunnel at the very moment the new node bootstraps itself, and has to count on no other old nodes existing around the new node. Otherwise, the old

nodes around the new node can detect the Wormhole because they can find a “new” node

in their neighborhoods, which is actually an image of the old node at the other end of the

Wormhole. We can expect that the probability of this attack is also very small under the

strict condition.

Another case is that the adversary just compromises an old node without doing any

tricks to spread its impact. The compromised node stays at its original location and

follows the normal network protocols. If the new node is deployed into the vicinity of the

compromised node, they could establish communications. This is simply the node compromise attack, for which currently no solution exists. Our access control protocol cannot prevent this attack either, but the impact of the attack is limited to the

vicinity of the compromised node.

6.6 Evaluation

6.6.1 ECC vs. RSA

The length of the bootstrapping phase is critical for the security performance of our

access control protocol. The shorter the bootstrapping phase, the fewer opportunities adversaries have to attack the sensor network. Hence a short bootstrapping phase is desirable to keep the sensor network safe.

In general, RSA and Diffie-Hellman over DLP³ can also be used in our access control

protocol. The reason that our protocol uses ECC rather than RSA and Diffie-Hellman

over DLP is because ECC is more efficient for the same security level. In our access

control protocol, the most expensive operation is the point multiplication of the form

kP for k ∈ Z∗n and P ∈ G. Every sensor node needs to perform only three point

multiplications over an elliptic curve: two for node authentication and one for key

establishment. TinyPK [68] uses RSA to authenticate external parties and Diffie-Hellman

over DLP to establish shared keys between external parties and sensor nodes. It requires

three modular exponentiation operations over integer rings for each sensor node: one

RSA public key operation and one RSA private key operation for node authentication

and one DLP operation for key establishment. It has been shown in [68, 70] that a point multiplication needs less computation time than a modular exponentiation unless the exponent is chosen as some specific value. In TinyPK [68], a public exponent e = 3 is chosen for computational simplicity, and a 1024-bit RSA modular exponentiation with e = 3 on MICA1 Motes [31] needs 14.5s. The DLP of 2^x is evaluated in [68, 70]. It shows that a 1024-bit modular exponentiation 2^x, where x is at least 160 bits, needs

more than 50s on both MICA1 and MICA2 Motes [31]. However, a 163-bit point

multiplication of ECC on MICA2 Motes requires only 34s [70]. If assembly languages

are used in implementation, much more decrease of computing time can be achieved.

Gura et al. [75] evaluated the assembly language implementations of ECC and RSA

on the Atmel ATmega128 processor [32], which is popular in sensor platforms such as

Crossbow MICA Motes. In their implementation, a 160-bit point multiplication of ECC

requires only 0.81s, while a 1024-bit RSA public key operation and private key operation require 0.43s and 10.99s, respectively. Obviously, ECC is more computationally efficient, especially for assembly language implementations, which makes ECC realistic on current sensor hardware platforms. This means every sensor node can finish bootstrapping in a very short time interval. With the fast advance of hardware technology, we believe the bootstrapping phase can be further reduced in future.

³ Given a generator g of a finite cyclic group Z∗q and another element p ∈ Z∗q, find an integer x, 0 ≤ x ≤ q − 2, such that g^x = p (mod q).

In wireless sensor networks, the transmission energy consumption rate could be

over three orders of magnitude greater than the energy consumption rates for computing

[76]. Most of the performance overhead is attributable to the increase in packet size [77].

Compared with a 1024-bit RSA signature, our access control protocol only introduces a

480-bit signature when 160-bit ECC is used. Hence by using ECC instead of RSA our

protocol can achieve much more energy and bandwidth savings.

6.6.2 Comparison with Related Work

Because currently no solutions can prevent node compromise in sensor networks,

the best we can do is to limit the impact of node compromise to the vicinity of the

compromised nodes, i.e., prevent adversaries from launching network-scale attacks

based on compromised nodes. Most symmetric key techniques, including randomly predistributed keys [13, 15], ID-based keys [17, 18], and location-based keys [36, 37, 45], try to improve the resilience to node compromise by increasing the minimum number of

sensor nodes that an adversary needs to compromise to destroy the entire network

security architecture. These schemes can tolerate a certain number of compromised

nodes. TinyPK [68] is more resilient to node compromise because of the use of RSA. It

may prevent adversaries from spreading the impact of node compromise by launching

the Sybil attack, but it can not detect the node replication attack because the copies

of the compromised nodes also have legitimate certificates. By including the node

bootstrapping time into the access control procedure, our protocol can effectively prevent

adversaries from manipulating compromised nodes to launch the Sybil attack and the node

replication attack, and the impact of node compromise is thus limited to the vicinity of

the compromised nodes.


To defend against the Sybil attack, several potential methods were proposed in [60].

One method is the radio resource testing, in which each node assigns a unique channel

to each of its neighbors including those fake neighbors and tests whether its neighbors

could communicate with it through the assigned channels. This method assumes that

each node has enough radio resources and requires several rounds of broadcasting over

multiple channels, thus leading to a large communication overhead. Another method is to

use the ID-based symmetric keys. Particularly, each sensor node is preloaded with a set of

keys which are selected from a global key pool by its node ID. The ID of a suspect node

is challenged by a set of validating nodes based on the keys shared between the suspect

node and the validating nodes. Besides the large amount of communication overhead, this

method may fail if many sensor nodes are compromised so that most of the keys in the

global key pool are exposed. In our access control protocol, those malicious “new” nodes

introduced by the Sybil attack are prevented from joining the sensor network at the very

beginning, because they do not have the proper bootstrapping time and the corresponding keys

which are challenged during the authentication procedure.

Conventional methods to defend against the node replication attack [66] usually

include centralized computing based on node locations or the number of simultaneous

connections, which is vulnerable to single-point failure. Distributed detection of the

node replication attack was proposed in [66], where each node is assumed to know its

location and it is required to send its location to a set of witness nodes. If a witness

node finds a contradiction in the location claims of a suspect node, this suspect node

must be a replicated one. Obviously, this method may introduce a lot of communication

overhead. Like the fake nodes in the Sybil attack, the replications of compromised nodes

are also prevented from participating in the sensor network at the very beginning in our

access control protocol. Though those replications have legitimate identities, they do not

have correct bootstrapping times to show they are the new nodes. The authentication

procedure in our protocol is performed locally, thus avoiding much communication

overhead. Moreover, our protocol does not require each node to know its own location.

To defend against the Wormhole attack, Hu et al. proposed to use packet leashes

[61] to limit the maximum range over which packets can be tunneled. They require

that each node either know its location or have a tightly synchronized clock so that this

information can be used to calculate the maximum distance that a relayed packet could

travel. Directional antennas [62] were also used to defend against the Wormhole attack.

However, these defenses are targeted at ad hoc networks and require expensive hardware

devices, which may be infeasible for most resource constrained sensor networks. Our

protocol does not require location information and only needs loosely synchronized clocks.

Wang and Bhargava [63] proposed to use centralized computing to defend against the

Wormhole attack in sensor networks, in which a controller collects all nodes’ location

information to reconstruct the network topology such that any topological distortion may

be visualized. This approach, however, incurs intensive communication overhead and is only suitable for a static Wormhole. If adversaries move around in the entire network,

the location of the Wormhole will change dynamically. Each location change will trigger

a new round of execution of the topology reconstruction algorithm. Our protocol can prevent a dynamic Wormhole by involving only localized authentication, and thus saves a lot of communication overhead.

6.7 Conclusion

Currently little work has been reported to address the access control problem in

sensor networks. Though many proposals [6, 13, 15, 17, 18, 36] try to secure sensor

networks, adversaries can still attack the networks [60–63, 66] by manipulating old nodes

to introduce malicious “new” nodes. In this chapter, we analyze most of the well-recognized

attacks targeted at sensor networks, including the Sybil attack, the node replication attack

and the Wormhole attack, and design an access control protocol to prevent malicious

nodes, which may be directly deployed or just old nodes manipulated by adversaries, from participating in sensor networks. Besides the node identity authentication, we introduce

the node bootstrapping time into the node authentication procedure to differentiate

malicious nodes from legitimate new nodes. Unlike the conventional approaches in

[60–63, 66] that try to detect malicious nodes after they join sensor networks, our access

control protocol can prevent malicious nodes from joining sensor networks at the very

beginning. In addition, key establishment is also realized in our access control protocol to

help the new node establish shared keys with its neighbors so that it can perform secure

communications with them. Compared with the conventional sensor network security

solutions, our access control protocol can defend against most of the notorious attacks in

sensor networks, and achieve better computation and communication performance due

to the usage of the more efficient algorithms based on Elliptic Curve Cryptography than

those based on RSA.

CHAPTER 7
BABRA: BATCH-BASED BROADCAST AUTHENTICATION IN WIRELESS SENSOR NETWORKS

7.1 Introduction

A WSN consists of hundreds or even thousands of cheap sensor nodes, which collaborate with each other and communicate with the external world through one or several powerful nodes, called base stations.

Broadcast is a common communication pattern to fulfill collaboration among sensor

nodes. For example, the base station may spread messages such as commands or requests

to the entire network through the network broadcast. Each individual node may use the

local broadcast to fulfill some specific functions in its neighborhood, such as exchanging

routing information or cluster head election. Therefore, correct broadcast is critical to the collaboration objective of sensor networks. In hostile environments, however, adversaries may take advantage of broadcast to inject false information, which can

raise significant havoc in the network. To defeat such an attack, authentication is required.

Each broadcasted packet should carry some authentication information so that the

recipient node can verify its authenticity.

µTESLA [6] is a light-weight broadcast authentication protocol, which uses a

one-way hash key chain and the delayed disclosure of keys to provide the authentication

service. It is efficient due to the use of symmetric key techniques. However, it requires

synchronization between the source and recipient, which can be a potential security hole

for adversaries [78]. Moreover, the key chain in µTESLA has limited length, and thus can

only support limited rounds of broadcast. If the source node needs to broadcast for a long

period, it has to generate a long key chain. But the management of a long key chain is

difficult for low-end sensor nodes. So µTESLA can only be used by the base stations for

the network broadcast.

In this chapter, we propose a novel protocol, called batch-based broadcast authentication

(BABRA) for wireless sensor networks [79]. BABRA broadcasts packets in batches and


the transmissions of different batches do not require time synchronization. Therefore,

BABRA eliminates the security hole that µTESLA suffers. Moreover, BABRA uses

independent keys instead of a key chain for different batches, and thus supports broadcast

for infinite rounds. In addition, BABRA is also built on symmetric key techniques and

thus is efficient.

The rest of the chapter is organized as follows. Section 7.2 briefly describes the µTESLA protocol. Details of BABRA are given in Section 7.3. Comparisons between µTESLA and BABRA are carried out in Section 7.4. The chapter concludes in Section 7.5.

7.2 µTESLA

Though public key signatures can provide authentication services, they are too

expensive for sensor networks. Therefore most researchers are seeking symmetric key

solutions. µTESLA is a broadcast authentication protocol, which is a simplified version

of TESLA [80]. It is based on a one-way hash chain (OHC), which is a sequence of keys,

K0, K1, . . . , Kn, such that Kj−1 = H(Kj), ∀j, j > 0, where the hash function H satisfies

two properties:

1. Given x, it is easy to compute y = H(x);

2. Given y, it is computationally infeasible to compute x such that y = H(x).

The first key K0 is unicasted to all the recipient nodes as a commitment in advance.

The entire broadcast stream is divided into consecutive time slots. A broadcasted packet

in the t-th time slot carries a message authentication code (MAC) generated by using the

t-th key Kt of the OHC. None of the recipient nodes knows Kt when they receive the packet. After d time slots, the source node discloses Kt. Then every node can authenticate Kt by applying the hash function to Kt several times and checking whether H^k(Kt) = Kt−k holds, where Kt−k is the (t − k)-th key that has already been received and authenticated. After that, the recipient node can use the authenticated Kt to authenticate the packets of the t-th slot. The delayed key release efficiently prevents malicious nodes from impersonating the source node, because the disclosed key Kt cannot be used to spoof packets after the t-th slot.
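The chain construction, the commitment K0, the d-slot delayed disclosure and the receiver's H^k(Kt) = Kt−k check described above are easy to make concrete. The Python below is an added example for this page, not code from the dissertation or from the µTESLA authors; it assumes SHA-256 as the one-way function H, HMAC-SHA256 as the MAC, and models the receiver's security condition as "a slot-t packet is only buffered if it arrives before slot t + d", all of which are my choices. The constructed run also shows why the delayed release matters: a packet forged with Kt after its disclosure arrives too late to be buffered and is discarded.

```python
"""Added example: one-way hash chain with delayed key disclosure, as Section 7.2 describes."""
import hashlib
import hmac


def H(x):
    """The one-way function of the chain: easy forward, infeasible to invert (SHA-256 here)."""
    return hashlib.sha256(x).digest()


def make_chain(seed, length):
    """Keys K_0..K_length with K_{j-1} = H(K_j); K_0 is the commitment given to receivers."""
    keys = [None] * (length + 1)
    keys[length] = seed
    for j in range(length, 0, -1):
        keys[j - 1] = H(keys[j])
    return keys


def mac(key, t, msg):
    """MAC of a slot-t packet under K_t (HMAC-SHA256 is my choice, not the text's)."""
    return hmac.new(key, t.to_bytes(4, "big") + msg, hashlib.sha256).digest()


class Sender:
    def __init__(self, chain, d):
        self.chain, self.d = chain, d

    def packet(self, t, msg):
        """Slot-t packet: MAC under K_t plus disclosure of K_{t-d}, i.e. d slots late."""
        disclosed = self.chain[t - self.d] if t - self.d >= 1 else None
        return (t, msg, mac(self.chain[t], t, msg), disclosed)


class Receiver:
    def __init__(self, K0, d):
        self.last_idx, self.last_key = 0, K0   # newest authenticated key (starts at K_0)
        self.d = d
        self.pending = {}                       # slot -> [(msg, mac)] awaiting its key
        self.accepted = []

    def receive(self, pkt, current_slot):
        t, msg, tag, disclosed = pkt
        # Security condition (my modelling): K_t must not yet be public when the packet
        # is heard, i.e. the packet must arrive before slot t + d, else it is discarded.
        if current_slot < t + self.d:
            self.pending.setdefault(t, []).append((msg, tag))
        if disclosed is not None:
            self.authenticate_key(t - self.d, disclosed)

    def authenticate_key(self, idx, key):
        """Check H^k(K_idx) = K_{idx-k} against the last trusted key, then release MACs."""
        k = idx - self.last_idx
        if k <= 0:
            return False
        derived = [key]                         # derived[m] == K_{idx-m} if key is genuine
        for _ in range(k):
            derived.append(H(derived[-1]))
        if derived[-1] != self.last_key:
            return False                        # does not hash back to trusted key: forged
        for m in reversed(range(k)):            # also recovers keys whose disclosure was lost
            slot, slot_key = idx - m, derived[m]
            for msg, tag in self.pending.pop(slot, []):
                if hmac.compare_digest(tag, mac(slot_key, slot, msg)):
                    self.accepted.append((slot, msg))
        self.last_idx, self.last_key = idx, key
        return True


def demo():
    """Constructed run: chain of 8 keys, disclosure delay d = 2, one spoof attempt."""
    chain, d = make_chain(b"constructed-seed", 8), 2
    tx, rx = Sender(chain, d), Receiver(chain[0], d)
    rx.receive(tx.packet(1, b"cmd-a"), current_slot=1)
    rx.receive(tx.packet(2, b"cmd-b"), current_slot=2)
    rx.receive(tx.packet(3, b"cmd-c"), current_slot=3)   # discloses K_1 -> cmd-a accepted
    # An adversary who heard K_1 in slot 3 forges a slot-1 packet; it arrives in slot 3,
    # which is not before 1 + d, so the receiver discards it (the delayed-release argument).
    rx.receive((1, b"evil", mac(chain[1], 1, b"evil"), None), current_slot=3)
    rx.receive(tx.packet(4, b"cmd-d"), current_slot=4)   # discloses K_2
    rx.receive(tx.packet(5, b"cmd-e"), current_slot=5)   # discloses K_3
    return [m for _, m in rx.accepted]


if __name__ == "__main__":
    print(demo())   # [b'cmd-a', b'cmd-b', b'cmd-c']
```

Packets for slots 4 and 5 stay buffered because their keys have not been disclosed yet, which is exactly the authentication delay the protocol trades for its efficiency; the receiver also needs to know the current slot, which is where the time synchronization requirement discussed next comes from.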

Though µTESLA is more efficient than public key signature protocols, it has some strong requirements. The slot-based broadcast requires time synchronization throughout the entire network. The time synchronization procedure may be subject to attacks that lead to the failure of the entire protocol [78]. The distribution of the key chain commitment K0 to all the nodes is expensive in communication because the commitment has to be unicast to each node while the network can consist of a large number of nodes. The OHC length is limited, and thus it can not support broadcast for a long time. The complex key chain management means that µTESLA can be used only by the base station for the network broadcast.

Multilevel key chains are used to extend the lifetime of authenticated broadcast [81], but it is still limited by the highest level OHC. The multilevel key chains also require the source node to manage many OHCs at the same time and thus are not suitable for sensor nodes. Moreover, time synchronization is still a requirement.

7.3 BABRA Design

Unlike µTESLA, BABRA does not require time synchronization and supports broadcast for infinite rounds. It can be used in both the network broadcast and the local broadcast. In this section, we give the details of BABRA.

7.3.1 Network Model

We consider the application scenarios including the network broadcast, where

the base station broadcasts messages into the entire network, and the local broadcast,

where each node broadcasts messages in its one-hop neighborhood. BABRA can provide

authentication services for these broadcast patterns. Though confidentiality is also critical to group communications, the management of encryption keys is a very challenging task [82] and is beyond our scope here.


[Figure 7-1: timeline of one batch i along t, with batch period C, delay period D and key disclosure period E (during which K_i is released), and the format of batch packet P_{i,j} = ⟨i, M_{i,j}, H(K_{i+1}), MAC(i, M_{i,j}, H(K_{i+1}), K_i)⟩.]

Figure 7-1. One batch of broadcast and the batch packet format.

The main purpose of authenticating broadcast is to prevent adversaries from injecting

bogus packets. BABRA also uses delayed key disclosure to counteract the bogus packet

injection. In addition, adversaries can also inject radio interference at the physical layer

to disrupt communications, leading to the DoS attack [35]. The intermittent interference

can deteriorate channel condition and cause packet loss. The continuous jamming can even

stop communications. However, due to the large scale of the network and cost considerations,

adversaries may not be able to jam the entire network. In this paper, we assume that the

impact of radio jamming only covers a portion of the network at one time.

There are other attacks and corresponding countermeasures discussed in the literature

[33, 35]. They are out of the scope of this paper because most of them are unrelated

to broadcast authentication. We have developed several schemes [9, 45, 46] to establish

pairwise keys to secure point-to-point communications. In this chapter, we simply assume

that every pair of neighboring nodes shares a pairwise key after network initialization.

7.3.2 Architecture

In BABRA, broadcasted packets are sent in batches and each batch is a burst

sequence of packets. There is a key associated with each batch. All the packets in one

batch carry a MAC calculated based on the associated key, and are sent in C time units,

which is the batch period (BP). At the end of the BP, the source node starts a timer of

D units, which is the delay period (DP). During the BP and the DP, the batch key is

kept secret by the source node. When the DP timer expires, the source node discloses


the corresponding batch key in a key disclose period (KP) of E time units. When a

recipient node gets the first packet of the batch, it starts a timer that lasts for C time units.

Only the batch packets that arrive within the period of C time units are accepted by the

recipient. At the end of the period, the recipient starts a new timer for D time units as

the DP. After the DP, the recipient can receive the corresponding batch key and use the

key to recalculate the MAC to check the authenticity of the cached batch packets. Due

to the delayed key disclosure, the adversary can not use the disclosed key to inject bogus

batch packets because the source node never sends any packet of this batch after the key

disclosure period.

However, each batch key should be authenticated before being used to authenticate

the corresponding batch packets. BABRA achieves this goal by using an immediate

authentication method proposed in [83]. Specifically, all the packets in one batch also carry a hash of the key associated with the next batch. Hence, each broadcast packet consists of four parts: the batch index, the payload, the hash of the key of the next batch, and the MAC calculated over the previous three parts with the batch key (Fig. 7-1). The delayed batch key can authenticate the corresponding batch. The hash of the key of the next batch is authenticated at the same time, and can then be used to authenticate the key of the next batch.

The entire broadcast stream is depicted in Fig. 7-2. Before broadcast, the source

node bootstraps all the recipient nodes with the hash H(K1) of the first batch key K1.

Depending on the scenarios where BABRA is applied, different methods can be used

to bootstrap the hash value. We will discuss this issue later. After bootstrapping, the

source node can send out batches of broadcast packets one by one and disclose the corresponding batch keys later (Fig. 7-2). A batch need not be sent right after the end of the previous batch. Therefore, BABRA can be adapted to different data rates.


[Figure 7-2: the broadcast stream along t, bootstrapped with H(K1); batches 1, 2, ..., i−1, i are each followed by a delay period D before their keys K1, K2, ..., K_{i−1}, K_i are disclosed.]

Figure 7-2. The authenticated broadcasting stream.

In hostile environments, the adversary can inject jamming interference and cause

packet loss. The nodes in the jammed area will seek help from the surrounding neighbors

to recover the lost information such as keys or key hashes. To facilitate such local

collaboration, each recipient node keeps the latest k keys received from the source node.

We will discuss this issue in Section 7.3.5.
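The batch mechanism of Sections 7.3.2 and the packet format of Fig. 7-1, as an added Python model that is not part of the dissertation: independent per-batch keys, packets carrying ⟨i, M_{i,j}, H(K_{i+1}), MAC⟩, a recipient that closes a batch when its delay period expires and only then accepts the disclosed key, authenticates it against the hash carried in the previous batch, and keeps the latest k keys for jammed neighbours. The 64-bit truncated SHA-256 key hash, HMAC-SHA-256 as the MAC and the 16-byte keys are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

KEY_HASH_LEN = 8  # 64-bit key hash, the length discussed in Section 7.4


def H(key: bytes) -> bytes:
    """Key hash carried in every packet (SHA-256 truncated to 64 bits; an assumption)."""
    return hashlib.sha256(key).digest()[:KEY_HASH_LEN]


def encode(*fields: bytes) -> bytes:
    """Length-prefix each field so the MAC input is unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def mac(key: bytes, *fields: bytes) -> bytes:
    return hmac.new(key, encode(*fields), hashlib.sha256).digest()


def idx(i: int) -> bytes:
    return i.to_bytes(4, "big")     # 32-bit batch index as in Section 7.4


class Source:
    """Broadcast source: an independent random key per batch, no key chain."""

    def __init__(self):
        self.keys = {}

    def key(self, i: int) -> bytes:
        if i not in self.keys:
            self.keys[i] = os.urandom(16)
        return self.keys[i]

    def bootstrap(self) -> bytes:
        return H(self.key(1))       # preloaded or unicast to every recipient

    def packet(self, i: int, payload: bytes) -> tuple:
        next_hash = H(self.key(i + 1))
        return (i, payload, next_hash, mac(self.key(i), idx(i), payload, next_hash))

    def disclose(self, i: int) -> bytes:
        return self.key(i)          # sent only after the batch and delay periods


class Recipient:
    def __init__(self, h_k1: bytes, k: int):
        self.expected_hash = {1: h_k1}      # batch -> authenticated H(K_i)
        self.pending = {}                   # batch -> packets awaiting their key
        self.closed = set()                 # batches whose DP timer has expired
        self.recent_keys = deque(maxlen=k)  # latest k keys, for jammed neighbours
        self.authentic = []

    def receive_packet(self, pkt: tuple) -> bool:
        i = pkt[0]
        if i in self.closed:                # K_i may already be public: drop
            return False
        self.pending.setdefault(i, []).append(pkt)
        return True

    def delay_period_expired(self, i: int) -> None:
        self.closed.add(i)                  # no more packets accepted for batch i

    def receive_key(self, i: int, key: bytes) -> int:
        """Check K_i against H(K_i) from batch i-1, then verify batch i's MACs."""
        expected = self.expected_hash.get(i)
        if i not in self.closed or expected is None:
            return 0                        # key arrived early or was never expected
        if not hmac.compare_digest(H(key), expected):
            return 0                        # forged or corrupted key
        self.recent_keys.append((i, key))
        accepted = 0
        for (_, payload, next_hash, tag) in self.pending.pop(i, []):
            if hmac.compare_digest(tag, mac(key, idx(i), payload, next_hash)):
                self.authentic.append((i, payload))
                self.expected_hash[i + 1] = next_hash   # H(K_{i+1}) now authenticated
                accepted += 1
        return accepted


def run_demo() -> dict:
    src = Source()
    rcv = Recipient(src.bootstrap(), k=3)
    for p in (b"m1a", b"m1b"):              # batch 1 within its batch period
        rcv.receive_packet(src.packet(1, p))
    rcv.delay_period_expired(1)
    n1 = rcv.receive_key(1, src.disclose(1))
    rcv.receive_packet(src.packet(2, b"m2a"))
    # Forgery without K2: its MAC is wrong, so it is dropped once K2 is known.
    bogus = (2, b"evil", H(b"x"), mac(b"guess", idx(2), b"evil", H(b"x")))
    rcv.receive_packet(bogus)
    rcv.delay_period_expired(2)
    n2 = rcv.receive_key(2, src.disclose(2))
    # Simulates an attacker who heard K2: the MAC is valid but batch 2 is closed.
    late_ok = rcv.receive_packet(src.packet(2, b"late"))
    rcv.delay_period_expired(3)
    bad_key = rcv.receive_key(3, os.urandom(16))   # does not match H(K3)
    return {"batch1": n1, "batch2": n2, "late_accepted": late_ok, "bad_key": bad_key,
            "authentic": rcv.authentic, "cached": len(rcv.recent_keys)}
```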

7.3.3 Bootstrapping

As mentioned before, the hash H(K1) of the first batch key K1 needs to be

bootstrapped into all the recipient nodes. To avoid using expensive public key signatures

to authenticate H(K1), we need some methods based on symmetric key techniques.

For the local broadcast, the source node can unicast H(K1) to each of its neighbors.

Each unicast is authenticated with the pairwise key shared between the source and

the corresponding neighbor. Because the number of neighbors is small, such unicast

bootstrapping can be finished in a very short time period.

Though unicast can also be used to bootstrap the network broadcast, the overhead is too high because a network contains many nodes. It takes too much time for the base station to unicast to each node. A simple way to bootstrap the network broadcast is

to preload each node with H(K1) before deployment. It is easy to achieve this because the

entire sensor network is usually managed under a unique authority, and thus preloading

secure parameters is a common way to establish a secure architecture for the sensor

network [6, 9, 45, 46, 81].

7.3.4 Counteracting Bogus Packets

The parameter DP is critical to the security of the entire broadcasting protocol. If

the value of DP is small, there is a chance that the adversary catches the key before some


nodes get the corresponding batch packets and then sends bogus packets towards these

nodes. Therefore, the value of DP should be large enough for all nodes to get the batch

before the release of the key. For the local broadcast, the DP value $D_l$ should be larger than the maximum one-hop transmission delay, and thus can be set as

$D_l = \lambda_l \left( \frac{R}{c} + P \right)$, (7–1)

where $\lambda_l > 1$ is a constant, R is the radius of node coverage, c is the speed of light, and P is the packet processing delay. For the network broadcast, the DP value $D_n$ should be larger than the time that a packet takes to travel over the maximum diameter L of the network, and thus can be set as

$D_n = \lambda_n \frac{L}{R} \left( \frac{R}{c} + P \right)$, (7–2)

where $\lambda_n > 1$ is a constant.

7.3.5 Countermeasures to Radio Jamming

The adversary can introduce jamming interference to disrupt communications, leading

to the DoS attack. The intermittent interference can deteriorate channel condition and

cause packet loss. The continuous jamming can even stop communications. Here we

discuss their impacts and countermeasures.

7.3.5.1 Intermittent jamming

Each batch of broadcasting is authenticated by the corresponding batch key. If some

of the batch packets are lost due to jamming, the recipient just experiences lower quality

of service. But if the batch key is lost, the entire batch is useless. Therefore, tolerating key loss is very important. Here we introduce the following two methods to solve this problem.

To provide resilience to key loss, the first method in BABRA is to transmit each batch key several times during the corresponding key disclosure period. Suppose the average packet loss rate is $p_l$, and each batch key is transmitted t times during its KP. The probability that the key can be received is

$P = 1 - p_l^t$. (7–3)

Fig. 7-3 gives the key survival probability P versus the number of key disclosures t when the packet loss rate $p_l$ varies from 0.2 to 0.8. We can see that by simply disclosing the key multiple times, the batch key can be received with very high probability.

It is worth noting that disclosing the key multiple times is the simplest forward error correction (FEC) method to counteract packet loss in communications. More complex and robust FEC methods can also be used here to increase the resilience to key loss. One example is to use Reed-Solomon codes. We do not discuss this issue here for the sake of page limit.

The second method handles the unlucky case in which all t transmissions of the batch key are lost. In such a case, the recipient node seeks help from its neighbors right after the expiration of the KP timer. For a key lost during the network broadcast, the node locally broadcasts a message requesting the lost key from its neighbors:

$a \rightarrow * : \langle j, H(K^a_{i+1}), \mathrm{MAC}(j, H(K^a_{i+1}), K^a_i) \rangle$,

where j is the index of the batch whose key is lost, $K^a_{i+1}$ is the key associated with the next batch of node a's local broadcast stream, and $K^a_i$ is the key of the current batch of a's local broadcast stream. This message is therefore authenticated by the local broadcast authentication, and the adversary can not spoof it.

If a neighbor node b knows the key $K_j$, it replies with a local broadcast message:

$b \rightarrow * : \langle K_j, H(K^b_{i+1}), \mathrm{MAC}(K_j, H(K^b_{i+1}), K^b_i) \rangle$,

where $K^b_{i+1}$ is the key associated with the next batch of node b's local broadcast stream, and $K^b_i$ is the key of the current batch of b's local broadcast stream.

[Figure 7-3: key survival probability P (0.1 to 1) versus key disclose times t (0 to 12), one curve each for $p_l$ = 0.2, 0.4, 0.6 and 0.8.]

Figure 7-3. The key survival probability.

This message is also authenticated so that it can not be spoofed. In addition, the key $K_j$ is broadcast, so node b gains nothing by replying with bogus messages, because nearby nodes that also have $K_j$ can check whether node b lies to node a. This local monitoring has been used in misbehavior detection. One example is discussed in [84].

When node a gets $K_j$ from its neighbor b, it broadcasts $K_j$ again through its local authenticated broadcast so that its neighbors know that it has really received $K_j$.

If none of node a’s neighbors knows Kj, they will continue the above procedure until

some node can reply with Kj. For example, if node b does not get Kj but its neighbor c

knows Kj, then b can learn Kj from c. Then b can broadcast Kj if it has a request from a.


If multiple nodes in the neighborhood of node a know $K_j$, all of them might try to reply at the same time. But the underlying contention resolution mechanisms at the Media Access Layer can guarantee that one of them replies successfully. Other nodes that hear the reply carrying $K_j$ stop trying to broadcast $K_j$.

For a key lost during the local broadcast, it is easy to resend the key from the

source node to the recipient node because it only involves one-hop communication, which

can be encrypted and authenticated by the pairwise key shared between the source and

the recipient.

7.3.5.2 Continuous jamming

Continuous jamming is more damaging to broadcast. When the channel is jammed,

the recipient gets nothing. Because the key of each batch is authenticated by its hash

included in the previous batch, the key can not be authenticated if all the packets of the

previous batch are lost due to the continuous jamming. Here we need some measures to

help recipient nodes recover the interrupted broadcast stream when the jamming attack

stops.

When the recipient node a gets a packet in the next batch right after the jamming attack, node a broadcasts a message including the index, say j, of that batch and the index i of the last batch it received just before the jamming attack. This message is authenticated by node a's local broadcast protocol, i.e.,

$a \rightarrow * : \langle j, i, H(K^a_{l+1}), \mathrm{MAC}(j, i, H(K^a_{l+1}), K^a_l) \rangle$,

where $K^a_{l+1}$ is the key associated with the next batch of node a's local broadcast stream, and $K^a_l$ is the key of the current batch of a's local broadcast stream. Node a broadcasts

the index j for the hash H(Kj) of the key Kj associated with the batch right after the

jamming attack. In addition, the packets of several batches just before the jamming attack

are cached in a’s buffer and not authenticated due to the loss of the corresponding keys

during the jamming attack. So node a also broadcasts the index i of the last batch just before the jamming attack. Because every node will cache the latest k keys disclosed by

the source, if any neighbor finds in its buffer that there are keys associated with some

batches before the jamming attack, it can reply with those keys so that node a can

authenticate the packets of those batches.

A nearby node b that is unaffected by the jamming attack and has cached the k latest keys $K_m, \ldots, K_{m-k+1}$ replies with an authenticated broadcast message:

$b \rightarrow * : \langle H(K_j), [K_i, \ldots, K_{m-k+1}], H(K^b_{l+1}), \mathrm{MAC}(H(K_j), [K_i, \ldots, K_{m-k+1}], H(K^b_{l+1}), K^b_l) \rangle$,

where $K^b_{l+1}$ is the key associated with the next batch of node b's local broadcast stream, and $K^b_l$ is the key of the current batch of b's local broadcast stream. $H(K_j)$ is used to

authenticate the key Kj of the next batch j right after the jamming attack, and then the

key Kj is used to authenticate the packets in the batch. Here the keys Ki, ..., Km−k+1

are optional. Node b checks the latest k cached keys Km, . . . , Km−k+1. If the index

i ≥ m−k+1, node b knows that node a needs the keys from Km−k+1 to Ki to authenticate

the packets of the last several batches just before the jamming attack. Then node b replies

with these keys.

Due to the broadcast, the surrounding nodes that also have copies of H(Kj) can

check whether node b lies to node a. Hence node a can get the correct $H(K_j)$ and use it to authenticate $K_j$ later, whereby it recovers the entire broadcast stream. When node a gets $H(K_j)$ and/or $K_i, \ldots, K_{m-k+1}$ from its neighbor b, it broadcasts them again through its local authenticated broadcast so that its neighbors know that it has really received them.

If none of node a's neighbors has the information that a needs, they continue the above procedure until at least one node can supply it.

For the local broadcast under the jamming attack, it is easy for the recipient node

to recover after the jamming. Through unicast, the recipient node a can get all the required information from the source node b, where the communication is encrypted and authenticated by the pairwise key shared between a and b.

7.4 Discussion

Each packet in BABRA and in µTESLA carries a MAC as the authentication information. The difference is that BABRA replaces the timestamp in the µTESLA packet with a batch index and a key hash. The batch index plays the role of the timestamp and thus can be represented with the same number of bits. However, BABRA does not use a limited key chain and does not require each batch to be sent right after the end of the previous batch, so BABRA can support a longer lifetime of a broadcast stream. Suppose each batch period is 100 ms, corresponding to one time slot [81]. A 32-bit batch index can then support a broadcast stream of up to 4971 days if the source keeps sending batches continuously.

As for the key hash in each BABRA packet, its length should guarantee that no two keys have the same hash value. Otherwise, the adversary can spoof broadcast packets. Considering the 32-bit batch index, the number of keys in BABRA is $2^{32}$. According to the birthday paradox [85], a 64-bit key hash is enough to guarantee that all $2^{32}$ keys generate different hash values with a probability close to 1. Though BABRA introduces additional packet overhead for the key hash, it is worthwhile because it eliminates the time synchronization requirement.

Like µTESLA, BABRA also requires every node to buffer packets before the

corresponding key is disclosed. The difference is the management of keys. In µTESLA, the

source node has to manage a key chain, which has a length determined by the lifetime of

the broadcast stream. However, to manage such a key chain may not be feasible when the

source wants to broadcast for a long time. In BABRA, all the keys are independent. The

elimination of key chains makes BABRA suitable for both the network broadcast by base

station and the local broadcast by sensor nodes. Each node in BABRA caches the latest


k keys disclosed by the source node. The value k can be adapted according to the buffer

space of each node.

7.5 Conclusion

Though many broadcast authentication protocols have been proposed for conventional wired networks, little work has been done for wireless sensor networks. Though µTESLA can provide the broadcast authentication service for sensor networks, it still suffers from some drawbacks. BABRA is a batch-based broadcast authentication protocol for wireless sensor networks. BABRA broadcasts packets in batches, and the transmissions of different batches do not require time synchronization. Therefore BABRA eliminates the security hole that µTESLA suffers from. BABRA uses independent keys instead of a key chain for different batches, and thus supports broadcast for infinite rounds. BABRA can support both the network broadcast and the local broadcast. In addition, BABRA is also built on symmetric key techniques and thus is efficient.


CHAPTER 8

MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE

8.1 Introduction

Multicast [86] is an efficient method to deliver multimedia content to a group of receivers and is gaining popularity in applications such as live shows, IPTV, realtime stock quote broadcasts, video conferencing and interactive games. Authentication is critical in

securing multicast streams [87–89] because it proves the origin of a multicast stream. An

ideal approach is to attach a signature to each packet and let each receiver verify the

signature to authenticate the packet. However, existing digital signature algorithms are

computationally expensive. For a typical multicast application, the sender is a powerful

server, but receivers can have various computation and communication capabilities and

usually are less powerful than the sender. The ideal approach raises a serious challenge

to the receiver’s computational capability and may not be affordable in most realtime

multicast applications.

In order to reduce the number of signature verification operations, conventional

schemes [90–95] divide a multicast stream into blocks, associate each block with a

signature, and spread the effect of the signature across all the packets in the block

through some efficient operations such as hash chains or redundancy codes. In this way,

the computation requirement is reduced to one signature verification plus some hash or

decoding operations per-block instead of per-packet.

The block-based approach suffers from some drawbacks in reality. Some schemes

[90–95] use hash chains to link packets to their block signatures and other schemes

[102–107] use erasure codes or error correction codes to protect block signatures. Hashing and coding establish relationships among all the packets in one block. However, these relationships make existing schemes vulnerable to packet loss, which is very common in the current Internet and in wireless networks. The loss of a certain number of packets can result in

the failure of authentication of other received packets. In an extreme case, the loss of


the signature of one block makes the whole block of packets unable to be authenticated.

Though existing schemes allow increasing the resilience to packet loss by attaching

more authentication information to each packet, this results in more computational and

communication overhead, which is undesirable in resource-constrained scenarios such

as mobile and wireless communications. Moreover, the block design requires the sender and/or receivers to buffer a certain number of packets before processing them. A larger

block size can achieve higher computational efficiency, but incurs longer buffering delay.

This authentication latency at the sender and/or receivers can compromise the realtime

requirements in many multimedia application scenarios such as live video show or stock

quotes delivery. Meanwhile, the block design is vulnerable to the Denial of Service (DoS)

attack. An attacker can inject a large number of forged packets to exhaust the receiving buffer, so that signatures cannot be received by the receiver, and to impose extra computational overhead on the receiver.

Unlike the conventional block-based signature approach, we propose a new multicast

authentication scheme using packet-based signatures in this paper. In order to avoid

expensive per-packet-based signature verification, we use an efficient cryptographic

primitive called batch signature [3, 109–113] to verify the signatures of any number of

packets at the same time. Therefore our scheme is called multicast authentication based

on batch signature (MABS). The main contributions are made as follows:

1. MABS is perfectly resilient to packet loss in the sense that no matter how many packets are lost, the rest can still be verified by receivers. In contrast, most conventional schemes cannot totally solve the packet loss problem;

2. By using batch signatures, MABS can completely eliminate authentication latency at the sender and receivers. This is a significant improvement to the quality of realtime applications compared with conventional block-based schemes;

3. We propose three implementations of MABS including two new batch signature schemes based on BLS [111] and DSA [112], which are more efficient than the existing one based on RSA [3];


4. MABS can efficiently defeat the DoS attack by using packet filtering, while most conventional schemes are vulnerable to DoS.

The rest of the chapter is organized as follows. We first briefly review related

work, then describe the details of MABS over lossy channels. Next, we introduce three

implementations including two new batch signature schemes based on BLS and DSA in

addition to the one based on RSA. We will show the performance superiority of our MABS

over conventional schemes. Last we introduce the countermeasure to DoS and conclude the

chapter.

8.2 Related Work

There have been many multicast authentication schemes [90–95] in the literature. In

the hash chain schemes [90–95], a multicast stream is divided into blocks, each of which

is associated with a signature. In each block, the hash of each packet is embedded into

several other packets in a deterministic or probabilistic way. The hashes form chains

linking each packet to the block signature. The receiver verifies the block signature and

authenticates all the packets through hash chains.

A special hash chain scheme is the tree chaining scheme [100, 101], which constructs

a hash tree for each block of messages. The root of the tree is signed by the sender. Each

packet carries the signed root and several hashes. When the receiver receives one packet

in the block, he uses the authentication information in the packet to authenticate it. The

buffered authentication information is further used to authenticate other packets in the

same block. However, without the buffered authentication information, each packet is

independently verifiable with a trade-off of per-packet signature verification.

In the signature amortization schemes [102–107], a signature is generated for the

concatenation of the hashes of all the packets in one block. An erasure coding or forward

error correction coding algorithm is used to chop the block signature into many pieces and

attach each packet with one piece. The coding approach enables the receiver to recover the block signature when it receives at least a certain number of pieces.


Some other schemes [79, 119–122] use shared keys between the sender and the receiver

to authenticate multicast streams. Though they are more efficient than those using

signatures, they cannot provide non-repudiation as the signature approach does. In this paper,

we focus on the signature approach.

8.3 Multicast Authentication Over Lossy Channels

We discuss the details of MABS hereafter.

8.3.1 Assumptions

Our target is to authenticate multicast streams from a sender to multiple receivers.

Generally, the sender is a powerful multicast server managed by a central authority and can be trusted. The sender signs each packet or a batch of packets with a signature and transmits them to multiple receivers through a multicast routing protocol. Each receiver is a less powerful device with resource constraints and may be managed by a non-trustworthy person. Each receiver needs to assure that the received packets are really from the sender (authenticity) and that the sender cannot deny the signing operation (non-repudiation) by verifying the corresponding signatures. Since packet loss is very common in the Internet and even more severe in wireless communications, we

assume a lossy channel where packets can be lost according to different loss models,

such as random loss or burst loss. Though confidentiality is another important issue

for securing multicast, it can be achieved through group key management [82]. In this

chapter, we focus on multicast authentication.

8.3.2 Batch Signature

An ideal approach to authenticate a multicast stream is to let each packet carry

a signature that can be verified by each receiver. However, expensive digital signature

algorithms raise a serious challenge to the receiver’s computational capability and may not

be affordable in most realtime multicast applications, since in most application scenarios

the receiver is resource-constrained and has much less computation and communication

power than the sender, which is a powerful server.


Those conventional schemes [90–95] use block-based signatures to reduce the

computational overhead but also incur a trade-off of vulnerability to packet loss and

authentication latency at the sender and/or receivers. Unlike those schemes, we use

packet-based signature as in the ideal approach, because the independence among packets

can totally eliminate the vulnerability to packet loss. Therefore the problem is how to

reduce the computation overhead at receivers.

In order to avoid the expensive packet-based signature verification, we use an efficient

cryptographic primitive called batch signature [3, 109–113] to simultaneously verify the

signatures of any number of packets.

When the receiver collects n packets

$p_i = \{m_i, \sigma_i\}, \quad i = 1, \ldots, n$,

where $m_i$ is the data payload, $\sigma_i$ is the corresponding signature and n can be any positive integer, he can input them into an algorithm

$\mathrm{BatchVerify}(p_1, p_2, \ldots, p_n) \in \{\mathrm{True}, \mathrm{False}\}$.

If the output is True, we know the n packets are authentic, and otherwise not.

To support authenticity and efficiency, the BatchVerify() algorithm should satisfy the following properties:

1. Given a batch of packets that have been signed by the sender, BatchVerify() outputs True;

2. Given a batch of packets including some unauthentic packets, the probability that BatchVerify() outputs True is very low;

3. The computation complexity of BatchVerify() is comparable to that of verifying one signature and increases gradually as the batch size n increases.

By BatchVerify(), each receiver can achieve the computational efficiency comparable

to conventional block-based schemes in the sense that a batch of packets can be

authenticated simultaneously through one batch signature verification operation. In


addition, our approach uses per-packet signatures instead of per-block signatures and thus eliminates the authentication latency at the sender and/or receivers in conventional schemes. Each receiver can verify the authenticity of all the received packets in its buffer whenever the higher layer applications require. This is a significant improvement to the quality of realtime applications. Moreover, our approach has perfect resilience to packet loss. No matter how many packets are lost, the rest can still be verified by the receiver.

8.4 Batch Signature Construction

In this section, we propose three schemes to implement the batch signature approach.

Besides the one based on RSA [3], we propose another two schemes based on BLS [111]

and DSA [112], which are more efficient than batch RSA.

8.4.1 Batch RSA Signature

8.4.1.1 RSA

RSA [3] is a very popular cryptographic algorithm in most security protocols. In order to use RSA, a sender chooses two large random primes P and Q to get N = PQ, and then calculates two exponents $e, d \in \mathbb{Z}_N^*$ such that $ed = 1 \bmod \phi(N)$, where $\phi(N) = (P-1)(Q-1)$. The sender publishes (e, N) as his public key and keeps d secret as his private key. A signature of a message m can be generated as $\sigma = (h(m))^d \bmod N$, where h() is a collision-resistant hash function. The sender sends $\{m, \sigma\}$ to the receiver, which can verify the authenticity of the message m by checking $\sigma^e = h(m) \bmod N$.

8.4.1.2 Batch RSA

To accelerate the authentication of multiple signatures, the batch verification of RSA [109, 110] can be used. Given n packets $\{m_i, \sigma_i\}$, $i = 1, \dots, n$, where $m_i$ is the data payload and $\sigma_i$ is the corresponding signature, the receiver can first calculate $h_i = h(m_i)$ and then perform the following verification:

$\left(\prod_{i=1}^{n} \sigma_i\right)^e = \prod_{i=1}^{n} h_i \bmod N$ . (8–1)


If all n packets are truly from the sender, the equation holds because

$\left(\prod_{i=1}^{n} \sigma_i\right)^e \bmod N = \prod_{i=1}^{n} \sigma_i^e \bmod N = \prod_{i=1}^{n} h_i^{ed} \bmod N = \prod_{i=1}^{n} h_i \bmod N$ . (8–2)

Before the batch verification, the receiver must ensure all the messages are distinct.

Otherwise the batch RSA is vulnerable to the forgery attack [110]. This is easy to

implement because sequence numbers are widely used in many network protocols and can

ensure all the messages are distinct. It has been proved in [110] that when all the messages

are distinct, the batch RSA is resistant to signature forgery as long as the underlying RSA

algorithm is secure.

The attacker may not forge signatures but manipulate authentic packets to produce invalid signatures. For example, given two packets $\{m_i, \sigma_i\}$ and $\{m_j, \sigma_j\}$ for $i \neq j$, an attacker can modify them into $\{m_i, \sigma_i \lambda\}$ and $\{m_j, \sigma_j / \lambda\}$. The modified packets can still pass the batch verification, but the signature of each packet is not correct (that is why the batch RSA verification is called screening in [110]). However, the attacker can do this only when he gets $\{m_i, \sigma_i\}$ and $\{m_j, \sigma_j\}$, which means the messages $m_i$ and $m_j$ have been correctly signed by the sender. Therefore, this attack is of no harm to the receiver [110].
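An added example (not the dissertation's code) of batch RSA screening, Eq. (8–1), on a constructed toy key: it includes the distinctness check the text requires before batching, and runs the λ manipulation described above through both the batch check and per-packet verification. The primes, the SHA-256-based h() and the sequence-numbered payloads are constructed assumptions.

```python
"""Batch RSA screening (Eq. 8-1) on a toy key: added example, not the dissertation's code."""
import hashlib

# Constructed toy RSA key from two known primes; far too small for real use.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # e*d = 1 mod phi(N); modular inverse needs Python 3.8+


def h(m: bytes) -> int:
    """Collision-resistant hash mapped into Z_N (SHA-256 reduced mod N, an assumption)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def sign(m: bytes) -> int:
    """sigma = h(m)^d mod N, one signature per packet as in MABS."""
    return pow(h(m), D, N)


def verify_one(m: bytes, sigma: int) -> bool:
    """Per-packet check sigma^e = h(m) mod N (the expensive path that batching avoids)."""
    return pow(sigma, E, N) == h(m)


def _prod_mod_n(values) -> int:
    acc = 1
    for v in values:
        acc = acc * v % N
    return acc


def batch_verify(packets) -> bool:
    """Screening check of Eq. (8-1): (prod sigma_i)^e = prod h(m_i) mod N.

    Distinct messages are the precondition for the forgery-resistance result
    of [110], so a batch containing a repeated message is rejected outright.
    """
    msgs = [m for m, _ in packets]
    if len(set(msgs)) != len(msgs):
        return False
    lhs = pow(_prod_mod_n(s for _, s in packets), E, N)
    rhs = _prod_mod_n(h(m) for m in msgs)
    return lhs == rhs


def make_stream(n: int):
    """Constructed sample stream: a sequence-number prefix keeps the messages distinct."""
    msgs = [f"{i:04d}|sample payload".encode() for i in range(n)]
    return [(m, sign(m)) for m in msgs]


def screening_vs_per_packet(packets, lam: int):
    """Apply the lambda manipulation from the text to the first two packets.

    Returns (batch_passes, every_packet_passes). Because lambda and 1/lambda
    cancel in the product, the batch still screens True, yet the two altered
    signatures fail individually: batch RSA screens a set, it does not certify
    each signature on its own.
    """
    (m1, s1), (m2, s2), *rest = packets
    lam_inv = pow(lam, -1, N)
    altered = [(m1, s1 * lam % N), (m2, s2 * lam_inv % N)] + rest
    return batch_verify(altered), all(verify_one(m, s) for m, s in altered)


if __name__ == "__main__":
    stream = make_stream(4)
    print(batch_verify(stream))                          # True
    print(batch_verify(stream + [(b"0099|forged", 7)]))  # False
    print(screening_vs_per_packet(stream, 12345))        # (True, False)
```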

8.4.1.3 Requirements to the sender

In most RSA implementations, the public key e is usually small while the private

key d is large. Therefore, the RSA signature verification is efficient while the signature

generation is expensive. This poses a challenge to the computation capability of the

sender because the sender needs to sign each packet. Choosing a small private key d can

improve the computation efficiency but compromise the security. If the sender does not

have enough resource, a pair of {e, d} with comparable sizes can achieve a certain level of

trade-off between computation efficiency and security at the sender part. If the sender is

a powerful server, then signing each packet can be affordable in this scenario. Next, we


propose two efficient batch signature schemes based on BLS [111] and DSA [112], which

can reduce the computation complexity at the sender.

8.4.2 Batch BLS Signature

Here we propose a batch signature scheme based on the BLS signature in [111].

8.4.2.1 BLS

The BLS signature scheme uses a cryptographic primitive called pairing, which can be defined as a map over two cyclic groups $G_1$ and $G_2$, $e : G_1 \times G_1 \to G_2$, satisfying the following properties:

1. Bilinear: for all $u, v \in G_1$ and $a, b \in \mathbb{Z}$, we have $e(u^a, v^b) = e(u, v)^{ab}$;

2. Non-degenerate: for the generator $g_1$ of $G_1$, i.e., $g_1^p = 1 \in G_1$, where p is the order of $G_1$, we have $e(g_1, g_1) \neq 1 \in G_2$.

The BLS signature scheme consists of three phases:

1. In the key generation phase, a sender chooses a random integer $x \in \mathbb{Z}_p$ and computes $y = g_1^x \in G_1$. The private key is x and the public key is y;

2. Given a message $m \in \{0, 1\}^*$ in the signing phase, the sender first computes $h = H(m) \in G_1$, where H() is a hash function, then computes $\sigma = h^x \in G_1$. The signature of m is $\sigma$;

3. In the verification phase, the receiver first computes $h = H(m) \in G_1$, and then checks whether $e(h, y) = e(\sigma, g_1)$.

If the verification succeeds, then the message m is authenticated because

$e(h, y) = e(h, g_1^x) = e(h^x, g_1) = e(\sigma, g_1)$ . (8–3)

One merit of the BLS signature is that it is very short. It has been shown in [111] that an n-bit BLS signature can provide a security level equivalent to solving a discrete log problem (DLP) [113] over a finite field of size approximately $2^{6n}$. Therefore, a 171-bit BLS signature provides the same level of security as a 1024-bit DLP-based signature scheme such as DSA. This is a very nice choice in scenarios where communication overhead is an important issue.


8.4.2.2 Batch BLS

Based on BLS, we propose our batch BLS scheme here. Given n packets $\{m_i, \sigma_i\}$, $i = 1, \dots, n$, the receiver can verify the batch of BLS signatures by first computing $h_i = H(m_i)$, $i = 1, \dots, n$ and then checking whether $e\left(\prod_{i=1}^{n} h_i, y\right) = e\left(\prod_{i=1}^{n} \sigma_i, g_1\right)$. This is because if all the messages are authentic, then

$e\left(\prod_{i=1}^{n} h_i, y\right) = \prod_{i=1}^{n} e(h_i, g_1^x) = \prod_{i=1}^{n} e(h_i^x, g_1) = e\left(\prod_{i=1}^{n} \sigma_i, g_1\right)$ . (8–4)

We can prove that our batch BLS is secure to signature forgery as long as BLS is secure to

signature forgery.

Theorem 1. Suppose an attacker A can break the batch BLS by forging signatures; then another attacker B can break BLS under the chosen message attack by colluding with A.

Proof. Suppose B is given n − 1 messages and their valid signatures $\{m_i, \sigma_i\}$, $i = 1, \dots, n-1$. B can forge a signature $\sigma_n$ for any chosen message $m_n$, such that $\{m_n, \sigma_n\}$ satisfies the BLS signature scheme, by colluding with A in the following steps:

1. B sends n messages $m_i$, $i = 1, \dots, n$ and n − 1 signatures $\sigma_i$, $i = 1, \dots, n-1$ to A;

2. Because A can break the batch BLS scheme, A generates n false signatures $\sigma_i'$, $i = 1, \dots, n$ that pass the batch BLS verification, then returns to B a value $V = \prod_{i=1}^{n} \sigma_i'$;

3. B computes $\sigma_n = V / \prod_{i=1}^{n-1} \sigma_i$ as the signature for $m_n$, because

$e\left(\prod_{i=1}^{n} h_i, y\right) = e(V, g_1) \;\Rightarrow\; e\left(\prod_{i=1}^{n} h_i, y\right) = e\left(\prod_{i=1}^{n} \sigma_i, g_1\right) \;\Rightarrow\; e\left(\prod_{i=1}^{n-1} h_i, y\right) e(h_n, y) = e\left(\prod_{i=1}^{n-1} \sigma_i, g_1\right) e(\sigma_n, g_1) \;\Rightarrow\; e(h_n, y) = e(\sigma_n, g_1)$ . (8–5)

□

Since BLS is forgery-secure under the chosen message attack [111], our batch BLS

scheme is also secure to forgery under the chosen message attack.


Also like batch RSA, the attacker may not forge signatures but manipulate authentic packets to produce invalid signatures. For example, two packets $\{m_i, \sigma_i\}$ and $\{m_j, \sigma_j\}$ for $i \neq j$ can be replaced with $\{m_i, \sigma_i \lambda\}$ and $\{m_j, \sigma_j / \lambda\}$ and still pass the batch verification. However, it does not affect the correctness and the authenticity of $m_i$ and $m_j$ because they have been correctly signed by the sender.

8.4.2.3 Requirements to the sender

In our batch BLS, the sender needs to sign each packet. Because BLS signature

can provide a security level equivalent to conventional RSA and DSA with much shorter

signature [111], the signing operation is more efficient than RSA signature generation.

Moreover, BLS can be implemented over elliptic curves [71, 72], which have been shown in

the literature to be more efficient than finite integer fields on which RSA is implemented.

Therefore, we can expect that our batch BLS is more affordable by the sender than batch RSA, while also achieving computation efficiency at the receiver.

8.4.3 Batch DSA Signature

DSA [112] is another popular digital signature algorithm. Unlike RSA, which is based on the hardness of factoring the product of two large primes, DSA is deemed secure based on the difficulty

of solving DLP [113]. A batch DSA signature scheme was proposed in [114] but later was

found insecure [115]. Harn improved the security of [114] in [116, 117]. Unfortunately,

Boyd and Pavlovski pointed out in [118] that Harn’s work is still vulnerable to malicious

attacks. Here we propose a batch DSA scheme based on Harn’s work and counteract the

attack described in [118].

8.4.3.1 Harn DSA

In Harn DSA [117], the system parameters are defined as:

1. p, a prime longer than 512 bits;

2. q, a 160-bit prime divisor of p − 1;

3. g, a generator of $\mathbb{Z}_p^*$ with order q, i.e., $g^q = 1 \bmod p$;


4. x, the private key of the signer, 0 < x < q;

5. y, the public key of the signer, $y = g^x \bmod p$;

6. H(), a hash function generating an output in $\mathbb{Z}_q^*$.

Given a message m, the signer generates a signature as:

1. randomly selects an integer k with 0 < k < q;

2. computes h = H(m);

3. computes $r = (g^k \bmod p) \bmod q$;

4. computes $s = rk - hx \bmod q$.

The signature for m is (r, s).

The receiver can verify the signature by first computing h = H(m) and then checking whether $((g^{s r^{-1}} y^{h r^{-1}}) \bmod p) \bmod q = r$. This is because if the packet is authentic, then

$((g^{s r^{-1}} y^{h r^{-1}}) \bmod p) \bmod q = ((g^{(s + hx) r^{-1}}) \bmod p) \bmod q = (g^k \bmod p) \bmod q = r$ . (8–6)

8.4.3.2 Harn batch DSA

Given n packets $\{m_i, (r_i, s_i)\}$, $i = 1, \dots, n$, the receiver can verify the batch of signatures by first computing $h_i = H(m_i)$ and then checking whether

$\left(\left(g^{\sum_{i=1}^{n} s_i r_i^{-1}} \, y^{\sum_{i=1}^{n} h_i r_i^{-1}}\right) \bmod p\right) \bmod q = \prod_{i=1}^{n} r_i$ . (8–7)


This is because if the batch of packets is authentic, then

$\left(\left(g^{\sum_{i=1}^{n} s_i r_i^{-1}} \, y^{\sum_{i=1}^{n} h_i r_i^{-1}}\right) \bmod p\right) \bmod q = \left(\left(g^{\sum_{i=1}^{n} (s_i + h_i x) r_i^{-1}}\right) \bmod p\right) \bmod q = \left(g^{\sum_{i=1}^{n} k_i} \bmod p\right) \bmod q = \prod_{i=1}^{n} r_i$ . (8–8)

8.4.3.3 The Boyd-Pavlovski attack

Boyd and Pavlovski [118] pointed out an attack against the Harn batch DSA scheme [117] where an attacker can forge signatures for any chosen message set that has not been signed by the sender. The process is:

1. choose B and C, calculate $A = (g^B y^C \bmod p) \bmod q$;

2. for any message set $m_i$, $i = 1, \dots, n$, randomly choose $r_i$, $i = 1, \dots, n-2$;

3. compute $r_{n-1}$ and $r_n$ to ensure that

$\prod_{i=1}^{n} r_i = A \bmod q$ (8–9)

$\sum_{i=1}^{n} h_i r_i^{-1} = C \bmod q$ (8–10)

4. randomly choose $s_i$, $i = 1, \dots, n-1$ and compute $s_n$ to ensure that

$\sum_{i=1}^{n} s_i r_i^{-1} = B \bmod q$ . (8–11)

The probability that $\{m_i, r_i, s_i\}$, $i = 1, \dots, n$ are forged messages satisfying the batch verification is 1/2 [118].

8.4.3.4 Our batch DSA

In order to counteract the Boyd-Pavlovski attack, our batch DSA makes an

improvement to the Harn DSA algorithm. We replace the hash operation H(m) in the


signature generation and verification process with H(r,m). All the other steps are the

same as those in Harn’s scheme.

Though it is simple, our method can significantly increase the security of batch DSA.

In the Boyd-Pavlovski attack, the attacker can compute ri values according to Eq. (8–9)

and Eq. (8–10) because parameters A, C, hi values are known. By introducing ri into the

hash operation, the hash values hi in Eq. (8–10) are unknown to the attacker. Therefore

the attacker cannot compute ri values and the forgery attack discussed in [118] is defeated.

Like the cases in batch RSA and our batch BLS, the attacker may manipulate authentic packets $\{m_i, (r_i, s_i)\}$ to produce invalid signatures $\{m_i, (r_i', s_i')\}$, which can still pass the batch verification. The attacker can keep $r_i$ unchanged, randomly choose $s_i'$, $i = 1, \dots, n-1$ and solve $s_n'$ satisfying

$\sum_{i=1}^{n} s_i' r_i^{-1} \bmod q = \sum_{i=1}^{n} s_i r_i^{-1} \bmod q$ . (8–12)

However, this attack does not affect the correctness and authenticity of messages because

they have been really signed by the sender [118]. Therefore, the receiver can still accept

them because the batch verification succeeds.

8.4.3.5 Requirements to the sender

In batch RSA and our batch BLS, the sender needs to compute one modular exponentiation to sign each packet. In the batch DSA, the sender needs to compute one modular exponentiation to get r and two modular multiplications to get s. However, r is independent of the message m. Therefore, the sender can generate many r values off-line. When the sender starts a multicast session, he can use reserved r values to compute s values. In this way, only two modular multiplications are necessary to sign a packet. Therefore, our batch DSA is much more efficient than batch RSA and our batch BLS at the sender, while also achieving computation efficiency at the receiver.
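An added example (not the dissertation's code) of the batch DSA of 8.4.3.4 with H(r, m), including the off-line (k, r) precomputation of 8.4.3.5; the toy parameters, the SHA-256 hash and the private key are constructed. One further assumption: Harn DSA reduces r mod q in step 3, but the product of the $r_i$ on the right of Eq. (8–7) equals the left side only when each $r_i$ is kept as $g^{k_i} \bmod p$, so this example keeps r un-reduced and checks Eqs. (8–6) and (8–7) modulo p without the final reduction mod q.

```python
"""Batch DSA with H(r, m) (Section 8.4.3.4): added example, not the dissertation's code."""
import hashlib
import secrets


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes generated below."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def _toy_params():
    """Constructed toy parameters (q ~ 2^20, p = kq + 1), nowhere near 160/512 bits."""
    q = next(c for c in range(2**20, 2**21) if _is_prime(c))
    k = 2
    while not _is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    # g = h^((p-1)/q) mod p has order q as soon as it differs from 1
    g = next(gg for gg in (pow(hh, (p - 1) // q, p) for hh in range(2, p)) if gg != 1)
    return p, q, g


P, Q, G = _toy_params()
X = 123457          # constructed private key, 0 < x < q
Y = pow(G, X, P)    # public key y = g^x mod p


def H(r: int, m: bytes) -> int:
    """H(r, m) into Z_q^* (SHA-256 over r || m, an assumption). Binding r into
    the hash is the change that defeats the Boyd-Pavlovski forgery."""
    data = r.to_bytes((P.bit_length() + 7) // 8, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def precompute_r(count: int):
    """Off-line phase: r does not depend on the message, so (k, r) pairs can be
    reserved in advance. r is kept as g^k mod p, un-reduced (assumption of this
    example, see the lead-in). k must stay secret and never be reused."""
    pairs = []
    while len(pairs) < count:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P)
        if r % Q != 0:                       # r^{-1} mod q must exist
            pairs.append((k, r))
    return pairs


def sign(m: bytes, k: int, r: int):
    """On-line phase: s = r*k - h*x mod q, two modular multiplications per packet."""
    s = (r * k - H(r, m) * X) % Q
    return r, s


def verify(m: bytes, r: int, s: int) -> bool:
    """Single check g^{s/r} y^{h/r} = r (mod p): Eq. (8-6) without the final mod q."""
    r_inv = pow(r % Q, -1, Q)
    lhs = pow(G, s * r_inv % Q, P) * pow(Y, H(r, m) * r_inv % Q, P) % P
    return lhs == r


def batch_verify(packets) -> bool:
    """Eq. (8-7): one exponentiation in g and one in y for the whole batch,
    compared with the product of the r_i modulo p."""
    s_exp = h_exp = 0
    r_prod = 1
    for m, (r, s) in packets:
        r_inv = pow(r % Q, -1, Q)
        s_exp = (s_exp + s * r_inv) % Q
        h_exp = (h_exp + H(r, m) * r_inv) % Q
        r_prod = r_prod * r % P
    return pow(G, s_exp, P) * pow(Y, h_exp, P) % P == r_prod


def sign_stream(msgs):
    """Sign a constructed multicast stream using reserved (k, r) pairs."""
    return [(m, sign(m, k, r)) for m, (k, r) in zip(msgs, precompute_r(len(msgs)))]


if __name__ == "__main__":
    stream = sign_stream([b"frame-1", b"frame-2", b"frame-3"])
    print(all(verify(m, r, s) for m, (r, s) in stream))   # True
    print(batch_verify(stream))                           # True
```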


8.5 Performance Evaluation

In this section, we compare the performance of MABS with some well-known schemes

EMSS [92], augmented chain (AugChain) [96], PiggyBack [94], tree chain (Tree) [101]

and SAIDA [103]. These schemes are representatives of hash chain, tree chain and coding

schemes and are widely used in performance evaluation in the literature.

8.5.1 Resilience to Packet Loss

We use simulation to evaluate the resilience to packet loss. The metric here is the

verification rate, i.e., the ratio of the number of authenticated packets to the number of

received packets.

For EMSS [92], we choose the chain configuration of 5-11-17-24-36-39, which has

the best performance among all the configurations of length 6 as is shown in [92]. For

AugChain [96], we choose the $C_{3,7}$ chain configuration. For PiggyBack [94], we choose two

class priorities. For Tree chain [101], we choose binary tree. For SAIDA [103], we choose

the erasure code (256, 128). For all these schemes, we choose the block size of 256 packets

and simulate over 100 blocks. We consider the random loss and the burst loss with a

maximum loss length of 10 packets. The verification rates under different loss rates are

given in Fig. 8-1 and Fig. 8-2.

We can see that the verification rates of EMSS [92], augmented chain (AugChain) [96]

and PiggyBack [94] decrease quickly as the loss rate increases. The reason is

that hash chains result in the correlation among packets and this correlation is vulnerable

to packet loss. SAIDA [103] illustrates a resilience to packet loss up to a certain threshold,

because of the threshold performance of erasure codes. Our MABS and Tree schemes

[101] have perfect resilience to packet loss in the sense that all the received packets can be

authenticated. This is because all the packets in MABS and Tree schemes are independent

from each other. As we will show later, however, Tree achieves this independency by

incurring large overhead and authentication latency at the sender and the receiver, while

our MABS does not have these drawbacks.


[Figure 8-1 plot: verification rate (0 to 1) versus loss rate (0 to 1), with curves for MABS, Tree, EMSS, AugChain, PiggyBack and SAIDA.]

Figure 8-1. Verification rate under the random loss model.

8.5.2 Authentication Latency

The block-based hash chains and codes used in conventional schemes incur authentication

latency at the sender and/or receivers. The sender can compute a signature for a

block only after he builds up hash chains or codes for the block, and each receiver can

authenticate the packets in the block only after he verifies the block signature. A larger

block size can achieve higher computation efficiency, but also incur longer latency. This

latency can compromise the realtime requirement in many time-critical applications such

as video live show or stock quotes broadcast.


[Figure 8-2 plot: verification rate (0 to 1) versus loss rate (0 to 1), with curves for MABS, Tree, EMSS, AugChain, PiggyBack and SAIDA.]

Figure 8-2. Verification rate under the burst loss model with the maximum burst length 10.

We show the latency in different schemes in Table 8-1. In particular, we consider how

many packets need to be buffered for one packet to be signed or verified at the sender or

each receiver. We can see that existing schemes all require that the sender and/or each

receiver buffer up to one block of packets. Our MABS does not have latency at the sender

and the receiver. The sender can send out one packet right after signing it, and each

receiver can verify all the packets he has received whenever the higher layer application

requires, because there is no relationship among packets and no limit on the number


Table 8-1. Authentication latency of different schemes.

Schemes         Sender   Receiver
EMSS [92]       1        n
AugChain [96]   p        n
PiggyBack [94]  n        1
Tree [101]      n        1
SAIDA [103]     n        m
MABS            1        1

of packets in each batch verification. This can greatly increase the QoS performance of

multicast streams.

8.5.3 Computational Overhead

Here we compare the computational overhead of our MABS with those of other

schemes. The result is depicted in Table 8-2. All the conventional schemes require one

signature (either signing or verification) operation and at least n hashing operations on a

block of n packets. SAIDA [103] even requires additional coding operation. Our MABS

can achieve the same level computational efficiency at the receiver as conventional schemes

while increasing the computational overhead at the sender. This is affordable because

usually the sender is much more powerful than receivers. Moreover, we propose our batch

BLS and batch DSA that are more efficient than the batch RSA and thus the sender has

more options to choose according to its capability.

We compare the computational overhead of three batch signature schemes in Table

8-3. RSA and BLS require one modular exponentiation at the sender and DSA requires

two modular multiplications when r value is computed off-line. Usually one c-bit modular

exponentiation is equivalent to 1.5c modular multiplications over the same field [110, 118].

Moreover, a c-bit modular exponentiation in DLP is equivalent to a c/6-bit modular

exponentiation in BLS for the same security level. Therefore, we can estimate that the

computational overhead of one 1024-bit RSA signing operation is roughly equivalent to

that of 768 DSA signing operations (1536 modular multiplications) and that of 6 BLS

signing operations (each one is corresponding to 255 modular multiplications).


Table 8-2. Computation overhead of different schemes for one block.

Schemes         Sender            Receiver
EMSS [92]       1S + nH           1V + nH
AugChain [96]   1S + nH           1V + nH
PiggyBack [94]  1S + nH           1V + nH
Tree [101]      1S + (2n − 1)H    1V + n log n H
SAIDA [103]     1S + nH + 1EC     1V + nH + 1ED
MABS            nS                1V

Table 8-3. Computational overhead of different batch schemes.

Schemes      Sender (per packet)   Receiver (per n packets)
Batch RSA    1 E                   1 E + (2n − 2) M
Batch BLS    1 E                   2 P + (2n − 2) M
Batch DSA    2 M                   2 E + 3n M

According to a report [123] on the computational overhead of signature schemes

on PIII 1 GHz CPU, the signing and verification time for 1024-bit RSA with a 1007-bit

private key are 7.9ms and 0.4ms, for 157-bit BLS are 2.75ms and 81ms, and for 1024-bit

DSA with a 160-bit private key (without precomputing r value) are 4.09ms and 4.87ms.

We can observe that for BLS and DSA the signing is efficient but the verification is

expensive, and vice versa for RSA. Therefore, we can save more computational resource at

the receiver by using our batch BLS and batch DSA than batch RSA. It is also meaningful

to use our batch BLS and batch DSA at the receiver to save computation resources.

8.5.4 Communication Overhead

Here we compare the communication overhead of MABS with those of conventional

schemes. Here the communication overhead is computed over one block of n packets. The

result is depicted in Table 8-4. Conventional schemes attach a large number of hashes

plus one signature to each block. MABS requires one signature for each packet, but this

overhead is comparable with conventional schemes considering those hashes.

We also compare the lengths of two popular hash algorithms MD5 [124] and SHA-1

[125] and the signature length of three signature algorithms in Table 8-5. Given the same


Table 8-4. Communication overhead of different schemes for one block.

Schemes         Overhead per block of n packets
EMSS [92]       1S + dnH (d ≥ 6)
AugChain [96]   1S + 2nH
PiggyBack [94]  1S + (2n − Σ_{i=1}^{r} k_i)H
Tree [101]      nS + n log n H
SAIDA [103]     1S + (n²/m) H
MABS            nS

Table 8-5. Communication overhead of signature schemes.

Schemes   Length (bits)
MD5       128
SHA-1     160
RSA       1024
BLS       171
DSA       320

security level as 1024-bit RSA, BLS generates a 171-bit signature and DSA a 320-bit

signature. It is clear that by using BLS or DSA, MABS can achieve more bandwidth

efficiency than using RSA, and could be even more efficient than conventional schemes

using a large number of hashes.

8.6 Counteracting DoS

Though batch signature can authenticate many packets at the same time, it fails if

in the batch there are some false packets forged by an attacker. The attacker may take

this opportunity to launch the DoS attack. Particularly, the attacker keeps injecting

forged packets to disrupt the batch signature verification. A naive approach to defeat this attack is to use a smaller batch size in the batch verification, but this incurs more computation overhead. In the worst case, the attacker can inject forged packets at very high frequency and expect that the receiver stops the batch operation and falls back to conventional per-packet signature verification.

In order to deal with the DoS attack, we need a method to filter out forged packets.

An option is the one-way accumulators (OWA) [107, 126–130]. An OWA can be used for


membership checking. It consists of four algorithms:

a = Accumulate(S) ,

w = Witness(s, S) ,

a = Recover(s, w) ,

v = Verify(s, w, a) ,

where S is a set of elements and s ∈ S, a is the accumulator of S and represents S, and w is a mark of the element s that can be combined with s to recover the accumulator a. Given w, we can verify whether s is in the set S represented by a; the result v is a boolean value in {True, False}.

To support efficient multicast authentication, the OWA should have the following properties:

1. All the algorithms of OWA are computationally efficient;

2. Given an accumulator a and the set S represented by a, the probability that an attacker forges an element s′ not in S and its witness w′ such that Verify(s′, w′, a) = True is very low.

When the sender has a set of packets for multicast, he generates an OWA for the set

and attaches a witness to each packet. The attacker may inject large volume of forged

packets that are not in any set from the sender. Therefore, the multicast stream may

consist of many sets, some from the sender and others from the attacker. The receiver

divides received packets into several sets by performing the OWA Recover algorithm.

Particularly, if Recover(pi, wi) = Recover(pj, wj) for packets (pi, pj) and their witnesses

(wi, wj), then packets pi and pj belong to the same set. The properties of OWA can ensure

that authentic packets and forged packets fall into different sets. Therefore, the receiver

can perform the batch verification over each set. If the verification over one set succeeds,

the set of packets is authentic, and not otherwise. In this way, the receiver can drop a set

of packets when the batch verification over the set fails and do not need to separate the


set into smaller subsets and batch-verify each subset. Therefore, the DoS attack due to

forged packets can be efficiently defeated.

Here we do not use the accumulator a to verify whether a packet comes from the sender. The reasons are: (1) If we want to use a to authenticate a packet, then the

sender has to generate a signature for a and transmit the signature. Like conventional

schemes [90–92, 94, 96, 102], this one is vulnerable to packet loss because if the signature

for a is lost, the set of packets cannot be authenticated. (2) We use the batch verification

to authenticate packets and this method is perfectly resilient to packet loss. Therefore,

here we do not need a. We only use the Recover algorithm to check whether two packets

belong to the same set.

An efficient method to construct OWAs is the Merkle hash tree [47]. Here we take a

binary tree for example (Fig. 8-3). The sender constructs a binary tree for 8 packets. Each

leaf is a hash of one packet. Each internal node is the hash value on both its left and right

children and the root is the accumulator of these packets. The witness of one packet is the

set of the siblings of the nodes along the path from the packet to the root. For example,

the witness of the packet $P_3$ is $\{H_4, H_{1,2}, H_{5,8}\}$ and the accumulator can be recovered as $H_{1,8} = H\big(H(H_{1,2}, H(H(P_3), H_4)),\, H_{5,8}\big)$.

Constructing a Merkle tree is very efficient because only hash operation is performed.

Meanwhile, the one-way property of hash operation ensures that given the root of a

Merkle tree it is infeasible to find out a packet, which is not in the set associated with the

Merkle tree and from which there is a path to the root.

When the sender has a set of packets for broadcast, it generates a Merkle tree for

the set and attaches a witness to each packet. The root can be recovered based on each

packet and its mark. Each receiver can find whether two packets belong to the same set

by checking whether they lead to the same root value. Therefore, the recovered roots

help classify received packets into disjoint sets. Once a set is authentic, the corresponding


P1    P2    P3    P4    P5    P6    P7    P8
H1    H2    H3    H4    H5    H6    H7    H8
   H1,2        H3,4        H5,6        H7,8
         H1,4                    H5,8
                     H1,8

Figure 8-3. An example of Merkle tree.

root can be used to authenticate the rest of packets under the same Merkle tree without

batch-verifying them, which saves computation overhead at each receiver.

Fig. 8-4 illustrates the details of MABS including the DoS countermeasure. At

the sender part, the sender generates a multicast stream. For each message mi, the

sender computes a signature σi according to some signature algorithm. Then the sender

constructs OWAs on {mi, σi} and computes a witness wi based on OWA algorithms.

Therefore each packet is pi = {mi, σi, wi}. These packets are sent over a lossy and hostile

channel to many receivers through multicast routing. At the receiver part, the receiver

gets a stream of packets including both authentic and potentially forged ones. At first,

the receiver uses the OWA Recover algorithm to classify received packets into disjoint

sets. Each set consists of packets pi = {mi, σi} where wi is no longer needed. Because the

properties of OWA can ensure that authentic packets and forged packets fall into different

sets, the receiver can perform the BatchV erify algorithm over each set. If the verification

over one set succeeds, the set of packets is authentic. Otherwise, the set of packets is

forged and can be dropped without further verification on each packet.
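An added example (not the dissertation's code) of the Merkle-tree OWA used for classification in Fig. 8-4: Witness and Recover over the 8-packet tree of Fig. 8-3, the grouping of received packets by recovered root, and the batch check applied once per set with a failing set dropped whole. SHA-256, power-of-two set sizes and carrying the leaf index alongside the witness are assumptions of this example.

```python
"""Merkle-tree OWA for packet-set classification (Section 8.6 / Fig. 8-4).
Added example, not the dissertation's code."""
import hashlib
from collections import defaultdict


def H(*parts: bytes) -> bytes:
    """Hash of the concatenated parts (SHA-256 is an assumption; the text says only 'hash')."""
    return hashlib.sha256(b"".join(parts)).digest()


def accumulate(packets):
    """Build the binary Merkle tree bottom-up. levels[0] holds the leaf hashes
    H(P_i); levels[-1][0] is the root, the accumulator of the packet set.
    A power-of-two set size is assumed, as in the 8-packet tree of Fig. 8-3."""
    n = len(packets)
    assert n > 0 and n & (n - 1) == 0, "power-of-two set size assumed"
    levels = [[H(p) for p in packets]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def witness(levels, index: int):
    """Witness of leaf `index`: the siblings of the nodes on its path to the root,
    leaf level first (for P3, index 2, this is [H4, H1,2, H5,8])."""
    sibs = []
    for level in levels[:-1]:
        sibs.append(level[index ^ 1])
        index >>= 1
    return sibs


def recover(packet: bytes, index: int, sibs) -> bytes:
    """OWA Recover: rebuild the root from one packet and its witness. The leaf
    index tells the receiver on which side each sibling sits (assumption: the
    index travels with the witness)."""
    node = H(packet)
    for sib in sibs:
        node = H(sib, node) if index & 1 else H(node, sib)
        index >>= 1
    return node


def classify(received):
    """Group (packet, index, witness) triples by recovered root. Packets from
    different trees, including an attacker's, land in different sets."""
    sets = defaultdict(list)
    for packet, index, sibs in received:
        sets[recover(packet, index, sibs)].append(packet)
    return dict(sets)


def accept(received, batch_verify):
    """Receiver side of Fig. 8-4: run the batch signature check once per
    recovered set and drop a failing set whole, never splitting it into subsets.
    `batch_verify` is any BatchVerify(packets) -> bool, e.g. batch RSA."""
    return [p for s in classify(received).values() if batch_verify(s) for p in s]


if __name__ == "__main__":
    pkts = [f"P{i}".encode() for i in range(1, 9)]          # constructed set of 8 packets
    levels = accumulate(pkts)
    w3 = witness(levels, 2)                                  # witness of P3
    assert w3 == [levels[0][3], levels[1][0], levels[2][1]]  # {H4, H1,2, H5,8}
    print(recover(pkts[2], 2, w3) == levels[-1][0])          # True
    stream = [(p, i, witness(levels, i)) for i, p in enumerate(pkts)]
    stream.append((b"forged", 0, [b"\x00" * 32] * 3))       # attacker's packet, bogus witness
    print(len(classify(stream)))                             # 2
```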

The traditional block-based approach is vulnerable to DoS. Because there is no

filtering, each receiver has to recover the relationship among authentic packets mixed with


[Figure 8-4 diagram: at the sender, Signing turns each message Mi into a packet Pi; at the receiver, Classification sorts received packets into sets C1, C2, C3, … and Verification returns the authenticated messages Mi.]

Figure 8-4. MABS architecture including the DoS countermeasure.

forged packets, which is very time and computationally intensive. In the extreme case, a

deadlock can form at the receiver when the receiving buffer is exhausted by a mixing of

forged packets and authentic packets without block signatures. Those authentic packets

are waiting for signatures, but signatures cannot be received because the receiving buffer is

exhausted by forged packets.

In our design, authentic packets and forged packets are separated into disjoint sets.

The batch verification is carried out over each set. Therefore, each batch verification can

authenticate a set of packets and no more is needed. The deadlock experienced by the

block-based protocols can also be eliminated.

If an attacker wants to inject some forged packets into the batch consisting of

authentic packets, he must break the one-way property of Merkle tree. However, this

attempt fails because given the root of a Merkle tree it is infeasible to find out a packet

from which there is a path to the root due to the one-way property of hash functions.

Therefore, by using Merkle tree, our design can efficiently defeat DoS attacks.


Table 8-6. Comparisons between the block-based approach and the batch-based approach.

Schemes          DoS Resilience   Computational Overhead   Communication Overhead
Hash chains      Poor             O(1S + nH)               O(1S + αnH), (α > 1)
(m,n)-Coding     Poor             O(1S + nH + 1C)          O(1S + (n²/m)H)
Batch signature  Strong           O(1S + n log n H)        O(nS + n log n H)

However, the increased DoS resilience comes with more overhead, as shown in Table 8-6. For the computational overhead, both the block-based protocols and our design require one signature verification operation on a block or a batch of n packets. In addition, the protocols using hash chains also require n hashes, and the ones using coding require n hashes and one coding operation. Our design requires n log n hashes, which is more expensive than the ones using hash chains and less expensive than the ones using coding. However, the overall computation overhead of all these protocols at each receiver is at the same level, since a hash operation is much more efficient (on the order of µs) than a signature operation (on the order of ms).

For the communication overhead over n packets, conventional protocols require an overhead of one signature and O(n) hashes, while our design requires an overhead of n signatures and O(n log n) hashes. The increased overhead is a trade-off for increased security. However, when BLS is used [111], the signature length is 171 bits, while the most well-known hash algorithm, SHA-1, generates a hash value of 160 bits. Therefore, our protocol can also achieve the same level of communication efficiency as conventional protocols.

8.7 Conclusion

In this chapter, we proposed a new multicast authentication scheme called MABS based on batch signature, which supports one signature verification over multiple packets at the receiver. Three batch signature implementations were proposed. In particular, we proposed our batch BLS and batch DSA, which are more efficient than batch RSA. Unlike the conventional block-based multicast authentication schemes, MABS can perfectly tolerate packet loss and completely eliminate the authentication latency at the sender and receivers. Combined with packet filtering, MABS can also defeat DoS effectively.


CHAPTER 9

SECURITY OF IEEE 802.16 IN MESH MODE

9.1 Introduction

The IEEE 802.16 standard [132], which is the base of WiMAX (worldwide interoperability for microwave access) [133], is seen as a promising technology for next-generation broadband wireless access. Compared with the IEEE 802.11 standard [134], it operates in a larger frequency band, up to 66 GHz, covers a longer distance, up to 50 km, and supports QoS services. Therefore, 802.16 is an ideal choice for broadband wireless access systems such as WLANs (wireless local area networks) or WMANs (wireless metropolitan area networks).

IEEE 802.16 defines two modes. In the PMP (point-to-multipoint) mode, SSs (subscriber stations, such as laptops) can reach the BS (base station) in one hop. Otherwise, SSs shall operate in the Mesh mode, in which the SSs form a multihop network to the BS, called a mesh network [135].

Compared with the PMP topology, the mesh topology extends BS coverage, and its flexibility in installation and configuration makes it a promising architecture for future WLANs and WMANs. In Fig. 9-1, for example, multiple laptops can form a WLAN of mesh topology, multiple wireless routers can form a WMAN of mesh topology, and the mesh WMAN bridges the gap between the WLANs and the Internet.

Among all the topics in wireless networks, security has recently been drawing intense attention. As IEEE 802.11 has become more and more popular in the deployment of WLANs, many vulnerabilities have been found in the literature [136–140]. This has become a major obstacle to many security-critical wireless applications such as online shopping or secure communications.

The lessons from IEEE 802.11 have made people more cautious and led to the incorporation of security design into IEEE 802.16. Based on DOCSIS (data over cable service interface specifications) [141], which was designed to solve the last-mile problem for cable systems, IEEE 802.16 defines a PKM (privacy and key management) protocol. It provides subscribers with privacy, authentication, or confidentiality across the fixed broadband wireless network. It does this by applying cryptographic transforms to MPDUs carried across connections between SS and BS.

[Figure 9-1. Mesh networks. WLANs and a WMAN of mesh topology connect through a Base Station to the Internet.]

However, IEEE 802.16 security still needs to be examined before its deployment. Since mesh networks are gaining more and more interest and IEEE 802.16 is seen as one of the promising techniques for building mesh networks, we believe that it is necessary to analyze the security of IEEE 802.16 in mesh networks. However, there are only a few works overviewing the potential vulnerabilities of IEEE 802.16 in PMP mode [142–144].

In this chapter, we analyze the security of IEEE 802.16 in mesh mode [145], point out several potential threats and propose some possible solutions. We find that, although IEEE 802.16 provides some security measures in conventional one-hop networks, it is very vulnerable to malicious attacks in multihop environments. We also propose some security improvements.


9.2 Security Architecture of IEEE 802.16 in Mesh Mode

IEEE 802.16 MAC (Medium Access Control) defines a PKM protocol as a sublayer,

providing authentication, key management and data traffic privacy services.

IEEE 802.16 MAC is connection-oriented. Each SS establishes a connection to associate with a service flow. In PKM, an SA (security association) is shared between SS and BS for each connection to maintain its security state, such as the cryptographic suite, TEKs (traffic encryption keys) and IVs (initialization vectors); the SA is managed by a TSM (TEK state machine). An ASM (authorization state machine) is maintained by each SS for authorization when entering the network and for the initialization of TSMs.

A new SS can join a mesh network by the following process:

1. The SS searches for MSH-NCFG:Network Descriptor messages to synchronize with the network and build up a list of available BSs and a list of neighboring SSs.

2. The new SS selects from its neighbors a potential Sponsor node. Meanwhile the new SS becomes a Candidate node.

3. The Candidate node (the new SS) shall be authorized by an Authorization node (a BS or a backend server) through the PKM protocol. The Sponsor node will tunnel the PKM-REQ messages from the Candidate node to the Authorization node through the UDP protocol. Upon receiving tunneled PKM-RSP messages from the Authorization node, the Sponsor node forwards them to the Candidate node.

4. The Candidate node shall register itself at a Registration node (a BS or a backend server) to get a Node ID. The Sponsor node again tunnels the REG-REQ message from the Candidate node to the Registration node. Upon receiving the tunneled REG-RSP from the Registration node, the Sponsor node forwards it back to the Candidate node.

5. After authorization the Candidate node becomes a regular node in the mesh network. Then it will build connectivity at higher layers.

6. After entering the network, the new SS can establish links with nodes other than its Sponsor Node by following a Challenge-Response process based on MSH-NCFG:Neighbor Link Establishment messages.


Upon entering the network, the new SS starts, for each neighbor, a separate TSM for each SA authorized by the BS. Then the TSM takes charge of the SA maintenance, and the ASM maintains the reauthorization of the SS.

9.3 Security Threats to IEEE 802.16 in Mesh Mode

In this section, we present the following potential threats to the IEEE 802.16 standard in mesh mode.

9.3.1 Topological Attacks

In the mesh network, every SS broadcasts MSH-NCFG:Network Descriptor messages regularly. Each MSH-NCFG:Network Descriptor carries some physical layer information for the new SS to acquire coarse synchronization. In addition, each MSH-NCFG:Network Descriptor provides a list of available BSs and a list of neighboring SSs of the sender. Those lists include information such as the Node ID of the BS or neighbors and the corresponding hop-count. To join the network on initialization or after signal loss, a new SS shall search for MSH-NCFG:Network Descriptor messages and build a physical neighbor list. Based on the BS information, the new SS chooses a Sponsor node, which helps the new SS join the network.

The problem here is that MSH-NCFG messages are neither encrypted nor authenticated. This can lead to attacks against the network topology, which have been studied in ad hoc and sensor networks [46].

By claiming a shorter path to the BS, for example, a malicious node has a much greater chance of becoming a Sponsor node. In this way, the Sponsor node can lure the network entry traffic in the local area, like a Sinkhole [33]. Then the Sponsor node can monitor, modify or spoof the authorization information exchanged between new nodes and the BS. An example is illustrated in Fig. 9-2, where node A can create a sinkhole and become the Sponsor for nodes B and C. In addition, false topological information contained in MSH-NCFG messages can cheat the new SS into forming an incorrect view of the network topology, which can introduce problems for routing protocols.

[Figure 9-2. Sinkhole attacks. Nodes shown: A, B, C and the BS.]

Attackers can even replay MSH-NCFG messages instead of modifying or spoofing them. One example is the Wormhole attack [61], as illustrated in Fig. 9-3. Attackers establish a secret channel, tunnel MSH-NCFG messages from nodes A and B through the channel and replay them. In this way, nodes A and B believe they are neighbors of each other. Attackers can also record MSH-NCFG messages at one place, move, and replay them at another place. Obviously, the distorted network topology poses a serious threat to routing protocols.

9.3.2 Authorization Threats

A Candidate node needs authorization to access the mesh network. This is achieved through a handshake between the Candidate node and an Authorization center. The handshake is carried out by PKM-REQ and PKM-RSP messages (Fig. 9-4). The Candidate node first sends a PKM-REQ:Auth Info message to the Authorization center. The message only carries the X.509 certificate of the manufacturer of the Candidate node.

[Figure 9-3. Wormhole attacks. Nodes shown: A, B and the BS.]

Then the Candidate sends a PKM-REQ:Auth Request message to the Authorization center. The message contains the Candidate’s X.509 certificate issued by its manufacturer, the Candidate’s cryptographic capabilities, and the Candidate’s Basic CID.

The Authorization center verifies the Candidate’s X.509 certificate with the manufacturer’s public key extracted from the PKM-REQ:Auth Info message. If the verification fails, the Authorization center simply replies to the Candidate with a PKM-RSP:Auth Reject message containing an error-code and a display-string.

If the Candidate is authentic, the Authorization center replies with a PKM-RSP:Auth Reply message. This message contains an AK (authorization key) encrypted with the Candidate’s public key, the AK lifetime, the AK sequence number, SA-descriptors, the PKM configuration, an OSS (operator shared secret), the OSS lifetime, and the OSS sequence number.

In the PMP mode, the AK is used for the Candidate to access the network. In the

Mesh mode, however, the Candidate shall use the OSS to access the network. Here the

OSS is shared by all the nodes in the mesh network.

[Figure 9-4. Node authorization. The Candidate sends PKM-REQ:Auth Info and PKM-REQ:Auth Request to the Sponsor, which tunnels them over UDP to the Authorization Center; the answer is PKM-RSP:Auth Reply or PKM-RSP:Auth Reject.]

Because the Candidate usually cannot communicate with the Authorization center directly in the Mesh mode, the Sponsor node helps to tunnel the PKM-REQ messages from the Candidate to the Authorization center through the UDP protocol and forwards the PKM-RSP messages tunneled back from the Authorization center to the Candidate.

The above process is supposed to guarantee the authenticity of the Candidate before it joins the network. However, none of the messages are encrypted or authenticated. Though the AK in PKM-RSP:Auth Reply messages is encrypted, it is useless in the Mesh mode. Hence, several security holes defeat the goal of the authorization process.

First, all the messages can be intercepted and modified by attackers between the Candidate and the Sponsor. Though we can assume that the UDP tunnel prevents eavesdropping and tampering by attackers between the Sponsor and the Authorization center, because all the links between the Sponsor and the Authorization center are secured by MAC layer TEKs, we cannot guarantee the loyalty of the Sponsor. Therefore, a malicious Sponsor acting as an internal attacker can also intercept all the messages and modify them.

In the PKM-REQ:Auth Request message, the Candidate includes its cryptographic capabilities. The Authorization center chooses from them a set of cryptographic algorithms that the Candidate node uses to communicate with the network. The stronger the algorithms are, the more secure the traffic is. However, attackers can modify the PKM-REQ:Auth Request message to present a weaker cryptographic setting to the Authorization center, so that a set of weak cryptographic algorithms is used to secure the communication between the Candidate and the network. This is called the security level rollback attack, which has been discussed for IEEE 802.11 [140].

The PKM-RSP:Auth Reply message contains the information of all SAs that the Candidate can access. An authorized SS should get the services to which it has subscribed. But attackers can modify the SA information and remove any SA so that the SS gets less or even no service, leading to a DoS (Denial of Service) attack.

In addition, an OSS is included in the PKM-RSP:Auth Reply. The OSS is used as a global key shared by all the nodes in the network. The Candidate shall use the OSS to establish links with neighbors and access the network. Unfortunately, the OSS can be intercepted by attackers, who can then use it to join the network. Attackers can even modify it so that the new node gets a wrong OSS and thus fails to join the network. Moreover, attackers can reduce the OSS lifetime so that the Candidate has to update its OSS more frequently, leading to faster energy consumption.

Because the PKM-RSP:Auth Reject message is not authenticated, attackers can spoof the message so that the Candidate fails the authorization process, leading to a DoS attack.

The entire authorization process is carried out in one connection, but there is no clear definition of an Authorization SA associated with the connection [142]. Therefore, the Authorization center is incapable of distinguishing the authorization messages of different authorization processes. All the messages in an authorization process can be replayed.

In Fig. 9-5, for example, an attacker can intercept a PKM-REQ:Auth Request message and later replay it to BS B. The BS cannot distinguish it from new PKM-REQ:Auth Request messages and replies with a PKM-RSP:Auth Reply message. In this way, the attacker can learn the OSS. In another case, the attacker can replay the intercepted PKM-REQ:Auth Request to another mesh domain registered at BS A. BS A will likewise accept the message and reply with a PKM-RSP:Auth Reply message, which discloses the OSS used by BS A.

[Figure 9-5. Replay attacks. An intercepted Auth Request is replayed to BS B and to BS A.]

The authorization process is asymmetric in that the Authorization center authenticates the Candidate but not vice versa. This gives attackers an opportunity to impersonate the Authorization center (Fig. 9-6). An attacker can achieve this goal by intercepting PKM-RSP messages from the Authorization center and replaying them, or by totally forging those messages. The Candidate node cannot verify the authenticity of those messages. This will leave the entire network under the control of the attacker and is a major threat to the authorization process. This is also the case in the PMP mode [142].

9.3.3 Threats to Link Establishment

After entering the network, the new SS can establish links with its neighbors other than its Sponsor Node. The link establishment follows a Challenge-Response process based on the OSS of the network (Fig. 9-7). All the messages exchanged between two neighboring nodes are encapsulated in MSH-NCFG:Neighbor Link Establishment messages.

[Figure 9-6. False base station. An attacker poses as the BS (“BS”) toward the Candidate.]

When node A needs to establish a link with node B, A sends a challenge,

HMAC{OSS, frame number, ID of node A, ID of node B},

where the OSS is the global key obtained in the authorization process and the frame number is the last known frame number in which node B sent an MSH-NCFG message.

Upon receiving the challenge, node B computes the same value, because it knows the OSS and the frame number. If the two values do not match, node B returns a rejection. If a match is achieved, node B accepts the link and replies with a challenge response containing

HMAC{OSS, frame number, ID of node B, ID of node A},

where the frame number is the one of the MSH-NCFG message that node A just sent. Node B also randomly selects and includes an unused Link ID indicating the link from B to A.

Upon receiving the challenge response, node A verifies it as node B does. If a match is achieved, node A replies with an Accept. It also randomly selects and includes an unused Link ID indicating the link from A to B. Otherwise, a rejection is returned.

The security of the 3-way handshake depends on the secrecy of the OSS, which makes the authentication between neighbors too weak. As mentioned in Section 9.3.2, the OSS is shared by all nodes and there are many opportunities for attackers to get it. For example, a malicious node can disclose it to an external attacker, or the attacker can directly eavesdrop on it when a new node gets a PKM-RSP:Auth Reply message from its Sponsor node. Using the OSS, the attacker can join the network without being authorized and establish links with its neighbors. Then the attacker can get services from its neighbors.

[Figure 9-7. Link establishment. Node A sends Challenge, Node B returns Challenge Response, Node A sends Accept.]

9.3.4 Threats to TEKs

Each SA includes two TEKs at the same time. The TSM (TEK state machine) associated with the SA is in charge of the TEK update for the SA (Fig. 9-8). An SS can start to update its TEKs by sending a PKM-REQ:Key Request message containing SS-Certificate, SAID, and HMAC-Digest. Its neighbor verifies the SS-Certificate. If the verification succeeds, the neighbor replies with a PKM-RSP:Key Reply containing SAID, old TEK parameters, new TEK parameters, and HMAC-Digest. Otherwise, the neighbor replies with a PKM-RSP:Key Reject.

To protect the confidentiality of TEKs, the SS’s public key extracted from the PKM-REQ:Key Request message is used to encrypt the TEK parameters. To protect the integrity of TEKs, HMAC-Digests are attached to these messages. However, those HMAC-Digests are calculated with the OSS. This leads to possible message tampering when the OSS is disclosed to attackers. In such a case, attackers cannot recover the TEKs, but they can spoof a PKM-RSP:Key Reply including false TEKs encrypted with the SS’s public key and authenticate the message with the OSS.

[Figure 9-8. TEK update. Node A sends PKM-REQ:Key Request; Node B answers with PKM-RSP:Key Reply or Key Reject.]

9.3.5 Traffic Threats

In IEEE 802.16, only data traffic is encrypted. In particular, only the MAC PDU payload is encrypted. The generic MAC header and all MAC management messages are not encrypted. Therefore, attackers can eavesdrop on or forge that cleartext information to cause problems.

To protect data traffic, two cryptographic methods are defined: DES in CBC mode [146] and AES in CCM mode [147]. DES-CBC provides confidentiality by encrypting the MAC PDU payload with the corresponding TEKs. AES-CCM provides confidentiality and authenticity for the MAC PDU payload. In particular, the AES-CCM algorithm appends an 8-byte ICV (Integrity Check Value) to the end of the payload and then encrypts both the payload and the ICV. Therefore, DES-CBC is weaker than AES-CCM, because messages encrypted by DES-CBC can be tampered with or spoofed. DES-CBC is required by all implementations of IEEE 802.16 devices, but AES-CCM is optional. Attackers can launch the Security Level Rollback attack mentioned in Section 9.3.2 to cheat the SS and BS into using DES-CBC, which gives attackers more opportunities to attack the data traffic.

9.4 802.16e Security in Mesh Mode

An amendment to IEEE 802.16-2004 [132] was passed in 2005 as IEEE 802.16e [148]. This amendment improves support for mobile devices and strengthens security. The original PKM protocol in IEEE 802.16 becomes the PKMv1 protocol in IEEE 802.16e, and a new protocol, PKMv2, is incorporated. In this section, we discuss the security improvements of 802.16e over 802.16 and its remaining threats.

9.4.1 Security Improvements

802.16e supports two authentication methods: RSA-based and EAP-based [149]. The RSA-based authentication is similar to that in 802.16. The handshake is as follows:

1. RSA-Request (SS → BS): MS Random, MS Certificate, SAID, SigSS.

2. RSA-Reply (SS ← BS): MS Random, BS Random, Encrypted pre-PAK, Key Lifetime, Key Sequence Number, BS Certificate, SigBS.

3. RSA-Acknowledgement (SS → BS): BS Random, Auth Result Code, Error-Code, Display-String, SigSS.

Here the differences are: random numbers are included in the authentication messages to prevent replay attacks, and the BS includes its own certificate in the authentication reply message to prove its identity. The optional EAP-based authentication can be used independently or combined with the RSA-based one. The actual EAP methods are not specified in 802.16e. Both methods support mutual authentication between SS and BS, which is a significant improvement over 802.16.

A master AK (Authorization Key) is established between SS and BS during

authentication. Then the SS uses the AK to negotiate security capabilities and acquire

available SA information. Three messages are defined for the handshake: SA-TEK-Challenge,

SA-TEK-Request and SA-TEK-Response. These messages are authenticated with message

authentication digests. Therefore attackers cannot forge these messages.

In addition to the DES-CBC and AES-CCM methods in 802.16, 802.16e also defines

an AES-CTR mode [150] and an AES-CBC mode [151] to protect the MAC PDU payload.

These two methods provide confidentiality by encrypting the MAC PDU payload.

9.4.2 Potential Threats

The MSH-NCFG:Network Descriptor message is still a security hole in 802.16e. It can be modified or forged by attackers to launch topological attacks. Though 802.16e introduces mutual authentication in the authorization process, it does not specify how to distribute the OSS for the Mesh mode. Therefore, the threats to the OSS in 802.16 are still problems. Attackers can find the OSS and use it to establish links with normal nodes. None of the management messages are encrypted either, and thus they can be eavesdropped on.

9.5 New Security Improvements

In this section, we propose some improvements to strengthen IEEE 802.16 security in

the Mesh mode.

9.5.1 Neighbor Authentication

In IEEE 802.16 Mesh mode, two neighbors rely on an OSS to establish a link. This is vulnerable to attacks, as stated in the previous sections. Here we propose to use certificates to achieve authentication between neighbors.

Before a node establishes links with its neighbors, it must be authenticated by an Authorization center through an authorization process. The node can acquire a certificate issued by the Authorization center during the authorization process. We call it a mesh certificate. After that, the node can use the mesh certificate to join the network. The entire process is performed as follows:

1. A → B: A’s mesh certificate.

2. B → A: B’s mesh certificate.

3. Challenge (A → B): encrypted nonce-A, frame number, ID-A, ID-B, A’s signature.

4. Challenge-Response (B → A): encrypted nonce-B, frame number, ID-B, ID-A, B’s signature.

5. Accept (A → B): accept, A’s signature.

Nodes A and B first exchange their mesh certificates. They verify each other’s mesh certificate with the Authorization center’s public key and extract each other’s public key. Then A sends a challenge to B, which includes nonce-A encrypted with B’s public key. B uses A’s public key to verify A’s signature and thus check the authenticity of the Challenge. As long as this verification succeeds, node B accepts node A and decrypts nonce-A with its own private key. Likewise, node A can authenticate node B based on the Challenge-Response message and get nonce-B. At last, node A replies with an Accept message to finish the handshake.

Now nodes A and B both know nonce-A and nonce-B. They can compute a link key as

K-AB = H(ID-A, ID-B, nonce-A, nonce-B),

where H() is a hash function such as the HMAC or CMAC in 802.16.

Later, node A can use the link key K-AB to update TEKs from node B. The process is the following:

1. Key Request (A → B): SAID, random number, MAC-Digest.

2. Key Reply (B → A): SAID, random number, encrypted old TEK parameters, encrypted new TEK parameters, MAC-Digest.

Here the random numbers are used to prevent replay attacks. The shared link key K-AB is used to compute the MAC-Digests and encrypt the TEK parameters.

The above neighbor authentication process is much more secure than the original one in IEEE 802.16, because it is based on mesh certificates instead of the globally shared OSS. In addition, the TEK update is secured by the shared link key instead of the original public key. Because the TEK update is performed periodically, we can expect our neighbor authentication process to be more efficient than the original one in IEEE 802.16.
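Both sides of the two handshakes in this chapter, as an added Python example that is not code from the dissertation: the OSS-based challenge of Section 9.3.3, and the link-key derivation plus keyed TEK update of Section 9.5.1. The mesh-certificate exchange that delivers nonce-A and nonce-B is assumed to have already happened (the nonces are simply generated here), SHA-256 stands in for H(), HMAC-SHA256 for the MAC-Digest, and the HMAC-counter-mode `wrap` is a constructed stand-in for the TEK encryption; all function and field names are illustrative.

```python
import hashlib
import hmac
import os


def encode(*fields) -> bytes:
    """Length-prefix every field so that concatenated fields cannot be confused."""
    out = b""
    for f in fields:
        f = f if isinstance(f, bytes) else str(f).encode()
        out += len(f).to_bytes(2, "big") + f
    return out


def mac(key: bytes, *fields) -> bytes:
    return hmac.new(key, encode(*fields), hashlib.sha256).digest()


# Section 9.3.3: the original OSS-based challenge, as the text describes it.
def oss_challenge(oss: bytes, frame_no: int, id_from: str, id_to: str) -> bytes:
    """HMAC{OSS, frame number, ID of sender, ID of receiver}."""
    return mac(oss, frame_no, id_from, id_to)


def oss_verify(oss: bytes, frame_no: int, id_from: str, id_to: str, value: bytes) -> bool:
    # Verification needs nothing but the OSS: every holder of the global key passes.
    return hmac.compare_digest(oss_challenge(oss, frame_no, id_from, id_to), value)


# Section 9.5.1: link key from the two nonces, then a TEK update keyed with K-AB.
def link_key(id_a: str, id_b: str, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """K-AB = H(ID-A, ID-B, nonce-A, nonce-B), with SHA-256 as H (assumption)."""
    return hashlib.sha256(encode(id_a, id_b, nonce_a, nonce_b)).digest()


def wrap(key: bytes, rnd: bytes, label: bytes, data: bytes) -> bytes:
    """Toy keystream encryption (HMAC in counter mode) standing in for the TEK wrap;
    because it XORs, the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = mac(key, b"wrap", rnd, label, off)
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def key_request(k_ab: bytes, said: int, rnd: bytes) -> dict:
    return {"said": said, "rnd": rnd, "digest": mac(k_ab, b"req", said, rnd)}


def key_reply(k_ab: bytes, req: dict, old_tek: bytes, new_tek: bytes):
    """Node B: check the request digest, then return TEK parameters wrapped under K-AB."""
    if not hmac.compare_digest(req["digest"], mac(k_ab, b"req", req["said"], req["rnd"])):
        return None
    old = wrap(k_ab, req["rnd"], b"old", old_tek)
    new = wrap(k_ab, req["rnd"], b"new", new_tek)
    return {"said": req["said"], "rnd": req["rnd"], "old": old, "new": new,
            "digest": mac(k_ab, b"rsp", req["said"], req["rnd"], old, new)}


class Requester:
    """Node A: remembers the random number of each outstanding request, so a replayed
    or unsolicited Key Reply is rejected before its digest is even checked."""

    def __init__(self, k_ab: bytes):
        self.k_ab, self.pending = k_ab, {}

    def request(self, said: int) -> dict:
        rnd = os.urandom(8)
        self.pending[said] = rnd
        return key_request(self.k_ab, said, rnd)

    def accept(self, reply: dict):
        rnd = self.pending.get(reply["said"])
        if rnd is None or rnd != reply["rnd"]:
            return None                       # stale or replayed reply
        expect = mac(self.k_ab, b"rsp", reply["said"], rnd, reply["old"], reply["new"])
        if not hmac.compare_digest(expect, reply["digest"]):
            return None                       # tampered reply
        del self.pending[reply["said"]]
        return (wrap(self.k_ab, rnd, b"old", reply["old"]),
                wrap(self.k_ab, rnd, b"new", reply["new"]))


def demo() -> dict:
    """Constructed run: OSS challenge, then two K-AB protected TEK updates."""
    oss = b"operator-shared-secret"                         # constructed value
    oss_ok = oss_verify(oss, 1042, "A", "B", oss_challenge(oss, 1042, "A", "B"))

    nonce_a, nonce_b = os.urandom(16), os.urandom(16)       # assumed from the cert handshake
    k_at_a = link_key("A", "B", nonce_a, nonce_b)
    k_at_b = link_key("A", "B", nonce_a, nonce_b)
    a = Requester(k_at_a)

    reply = key_reply(k_at_b, a.request(7), b"T" * 16, b"U" * 16)
    teks = a.accept(reply)                                  # fresh reply: accepted
    replayed = a.accept(reply)                              # same reply again: rejected

    reply2 = key_reply(k_at_b, a.request(7), b"U" * 16, b"V" * 16)
    tampered = a.accept(dict(reply2, new=bytes(16)))        # altered ciphertext: rejected
    return {"oss_ok": oss_ok, "teks": teks, "replayed": replayed, "tampered": tampered}
```

The contrast is the point: in `oss_verify` the only secret is the network-wide OSS, so the check says nothing about which node sent the challenge, whereas the Key Reply is bound to a per-link key and to the random number of one outstanding request, so a recorded reply cannot be delivered twice and a modified ciphertext fails the digest before it is unwrapped.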

9.5.2 Cryptographic Issues

Generally, RSA-based public key cryptography is more expensive in computation than symmetric key cryptography. Therefore, the use of public key algorithms in a security protocol should be kept to a minimum. Meanwhile, the performance can be increased if more efficient public key techniques are developed.

One substitute for RSA-based public key cryptography is elliptic curve cryptography (ECC) [71, 72]. ECC can achieve the same level of security as RSA with smaller key sizes. It has been shown that 160-bit ECC provides comparable security to 1024-bit RSA and 224-bit ECC provides comparable security to 2048-bit RSA [73]. At the same security level, the smaller key sizes of ECC offer the merits of faster computation, as well as memory, energy and bandwidth savings. Therefore, ECC can be incorporated into IEEE 802.16 in the future to replace RSA-based cryptography.

9.6 Conclusion

We discussed the security of IEEE 802.16 in mesh mode and found that it is very vulnerable to malicious attacks in multihop environments. Some improvements were proposed to secure IEEE 802.16 in Mesh mode.


REFERENCES

[1] C. E. Shannon, “Communication theory of secrecy systems,” Bell System Technical Journal, vol. 28, pp. 656–715, Oct. 1949.

[2] W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, pp. 644–654, Nov. 1976.

[3] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, vol. 21, no. 2, pp. 120–126, Feb. 1978.

[4] S. Basagni, K. Herrin, D. Bruschi, and E. Rosti, “Secure pebblenets,” Proceedings of the 2nd ACM International Symposium on Mobile Ad Hoc Networking & Computing (MobiHoc’01), Long Beach, CA, Oct. 2001, pp. 156–163.

[5] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, ISBN: 0-8493-8523-7, Oct. 1996.

[6] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, “SPINS: Security protocols for sensor networks,” Wireless Networks, Kluwer Academic Publishers, vol. 8, pp. 521–534, 2002.

[7] R. Blom, “An optimal class of symmetric key generation systems,” Proceedings of Advances in Cryptology: EUROCRYPT’84, Paris, France, Apr. 1984, pp. 335–338.

[8] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, “Perfectly-secure key distribution for dynamic conferences,” Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO’92), Aug. 1992, pp. 471–486.

[9] Y. Zhou and Y. Fang, “A scalable key agreement scheme for large scale networks,” Proceedings of the 2006 IEEE International Conference on Networking, Sensing and Control (ICNSC’06), Ft. Lauderdale, Florida, Apr. 2006, pp. 631–636.

[10] Y. Zhou and Y. Fang, “Scalable and deterministic key agreement for large scale networks,” to appear in IEEE Transactions on Wireless Communications.

[11] W. Lou, W. Liu and Y. Fang, “SPREAD: Enhancing data confidentiality in mobile ad hoc networks,” Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM’04), Hong Kong, China, Mar. 2004, vol. 4, pp. 2404–2413.

[12] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, Nov. 1979.

[13] L. Eschenauer and V. Gligor, “A key management scheme for distributed sensor networks,” Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS’02), Washington D.C., Nov. 2002, pp. 41–47.

200

Page 201: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

[14] J. Spencer, The strange logic of random graphs, Algorithms and Combinatorics 22,Springer-Verlag 2000, ISBN 3-540-41654-4.

[15] H. Chan, A. Perrig and D. Song, “Random key predistribution schemes for sensornetworks,” Proceedings of the 2003 IEEE Symposium on Security and Privacy(SP’03), Berkeley, CA, May 2003, pp. 197–213.

[16] R. D. Pietro, L. V. Mancini and A. Mei, “Random key-assignment for secure wirelesssensor networks,” Proceedings of the 1st ACM Workshop on Security of Ad hoc andSensor Networks (SASN’03), Fairfax, VA, 2003, pp. 62–71.

[17] W. Du, J. Deng, Y. S. Han, and P. K.Varshney, “A pairwise key pre-distributionscheme for wireless sensor networks,” Proceedings of the 10th ACM Conference onComputer and Communications Security (CCS’03), Washington, DC, Oct. 2003, pp.42–51.

[18] D. Liu and P. Ning, “Establishing pairwise keys in distributied sensor networks,”Proceedings of the 10th ACM Conference on Computer and CommunicationsSecurity (CCS’03), Washington, DC, Oct. 2003, pp. 52–61.

[19] D. Liu, P. Ning, and R. Li, “Establishing pairwise keys in distributed sensornetworks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp.41–77, Feb. 2005.

[20] J. Hwang and Y. Kim, “Revisiting random key pre-distibution schemes for wirelesssensor networks,” Proceedings of the 2nd ACM Workshop on Security of Ad hoc andSensor Networks (SASN’04), Washington, DC, Oct. 2004, pp. 43–52.

[21] J. Lee and D. R. Stinson, “Deterministic key pre-distribution schemes for distributedsensor networks,” Proceedings of the 11th International Workshop on Selected Areasin Cryptography (SAC’04), Waterloo, Canada, Aug. 2004, pp. 294–307.

[22] J. Lee and D. R. Stinson, “A combinatorial approach to key pre-distributionmechanisms for wireless sensor networks,” Proceedings of the 2005 IEEE WirelessCommunications and Networking Conference (WCNC’05), New Orleans, LA, Mar.2005, pp. 1200–1205.

[23] S. A. Camtepe and B. Yener, “Combinatorial design of key distribution mechanismsfor wireless sensor networks,” IEEE/ACM Transactions on Networking, vol. 15,no. 2, pp. 346-358, Apr. 2007.

[24] D.S. Sanchez and H. Baldus, “A deterministic pairwise key pre-distribution schemefor mobile sensor networks,” Proceedings of the 1st IEEE/CreateNet InternationalConference on Security and Privacy for Emerging Areas in CommunicationsNetworks (SECURECOMM’05), Athens, Greece, Sep. 2005, pp. 277–288.

[25] H. Chan and A. Perrig, “Pike: peer intermediaries for key establishment in sensornetworks,” Proceedings of the 24th Annual Joint Conference of the IEEE Computer

201

Page 202: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

and Communications Societies (INFOCOM’05), Miami, FL, Mar. 2005, vol. 1, pp.524–535.

[26] F. Delgosha and F. Fekri, “Key pre-distribution in wireless sensor networks usingmultivariate polynomials,” Proceedings of the 2nd Annual IEEE Communica-tions Society Conference on Sensor and Ad Hoc Communications and Networks(SECON’05), Santa Clara, CA, Sep. 2005, pp. 118–129.

[27] F. Delgosha and F. Fekri, “Threshold key-establishment in distributed sensornetworks using a multivariate scheme,” Proceedings of the 25th IEEE InternationalConference on Computer Communications (INFOCOM’06), Barcelona, Spain, Apr.2006, pp. 1–12.

[28] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensornetworks,” IEEE Communication Magazine, vol. 40, no. 8, pp. 102–114, Aug. 2002.

[29] J. M. Kahn, R. H. Katz and K. S. J. Pister, “Next century challenges: Mobilenetworking for Smart Dust,” Proceedings of the 5th Annual ACM/IEEE Interna-tional Conference on Mobile Computing and Networking (MOBICOM’99), Seattle,WA, Aug. 1999, pp. 217–278.

[30] G. J. Pottie, W. J. Kaiser, “Wireless integrated network sensors,” Communicationsof the ACM, vol. 43, no. 5, pp. 51–58, May 2000.

[31] Crossbow Technology, http://www.xbow.com/ 2006.

[32] Atmel Corporation, http://www.atmel.com/ 2006.

[33] C. Karlof and D. Wagner, “Secure routing in wireless sensor networks: attacks andcountermeasures,” Proceedings of the 1st IEEE International Workshop on SensorNetwork Protocols and Applications (SNPA’03), Anchorage, AK, May 2003, pp.113–127.

[34] R. Anderson and M. Kuhn, “Tamper resistance - a cautionary note,” PProceed-ings of the 2nd USENIX Workshop on Electronic Commerce, Oakland, CA, Nov.1996, pp. 1–11.

[35] A. Wood and J. Stankovic, “Denial of service in sensor networks,” IEEE ComputerMagzine, vol. 35, no. 10, pp. 54–62, Oct. 2002.

[36] D. Liu and P. Ning, “Location-based pairwise key establishments for relatively staticsensor networks,” Proceedings of the 1st ACM Workshop on Security of Ad hoc andSensor Networks (SASN’03), Fairfax, VA, Oct. 2003, pp. 72–82.

[37] W. Du, J. Deng, Y. S. Han, S. Chen and P. K.Varshney, “A key managementscheme for wireless sensor networks using deployment knowledge,” Proceedings of the23rd Annual Joint Conference of the IEEE Computer and Communications Societies(INFOCOM’04), Hong Kong, China, Mar. 2004, pp. 586–597.

202

Page 203: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

[38] D. Huang, M. Mehta, D. Medhi, and L. Harn, “Location-aware key managementscheme for wireless sensor networks,” Proceedings of the 2nd ACM Workshop onSecurity of Ad hoc and Sensor Networks (SASN’04), Washington, DC, Oct. 2004, pp.29–42.

[39] Z. Yu and Y. Guan, “A robust group-based key management scheme for wirelesssensor networks,” Proceedings of the 2005 IEEE Wireless Communications andNetworking Conference (WCNC’05), New Orleans, LA, Mar. 2005, vol. 4, pp.1915–1920.

[40] D. Liu, P. Ning and W. Du, “Group-based key pre-distribution in wireless sensornetworks,” Proceedings of the 4th ACM Workshop on Wireless Security (WISE’05),Cologne, Germany, Sep. 2005, pp. 11–20.

[41] L. Zhou, J. Ni and C.V. Ravishankar, “Efficient key establishment for group-basedwireless sensor deployments,” Proceedings of the 4th ACM Workshop on WirelessSecurity (WISE’05), Cologne, Germany, Sep. 2005, pp. 1–10.

[42] L. Zhou, J. Ni and C. V. Ravishankar, “Supporting secure communication and datacollection in mobile sensor networks,” Proceedings of the 25th IEEE InternationalConference on Computer Communications (INFOCOM’06), Barcelona, Spain, Apr.2006, pp. 1–12.

[43] F. Anjum, “Location dependent key management using random key-predistributionin sensor networks,” Proceedings of the 5th ACM Workshop on Wireless Security(WISE’06), Los Angeles, CA, Sep. 2006, pp. 21–30.

[44] T. Ito, H. Ohta, N. Matsuda, and T. Yoneda, “A key pre-distribution scheme forsecure sensor networks using probability density function of node deployment,”Proceedings of the 3rd ACM Workshop on Security of Ad hoc and Sensor Networks(SASN’05), Alexandria, VA, Nov. 2005, pp. 69–75.

[45] Y. Zhou, Y. Zhang and Y. Fang, “LLK: A link-layer key establishment scheme inwireless sensor networks,” Proceedings of the 2005 IEEE Wireless Communicationsand Networking Conference (WCNC’05), New Orleans, LA, Mar. 2005, vol. 4, pp.1921–1926.

[46] Y. Zhou, Y. Zhang and Y. Fang, “Key establishment in sensor networks basedon triangle grid deployment model,” Proceedings of the 2005 IEEE MilitaryCommunications Conference (MILCOM’05), Atlantic City, NJ, Oct. 2005, vol. 3, pp.1450–1455.

[47] R. Merkle, “Secure communication over insecure channels,” Communications of theACM, vol. 21, no. 4, pp. 294–299, Apr. 1978.

[48] Y. Zhou and Y. Fang, “A two-layer key establishment scheme for wireless sensornetworks,” to appear in IEEE Transactions on Mobile Computing.

203

Page 204: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

[49] Y. Zhou and Y. Fang, “Scalable link-layer key agreement in sensor networks,”Proceedings of the 2006 IEEE Military Communications Conference (MILCOM’06),Washington, DC, Oct. 2006, pp. 1–6.

[50] W. Du, L. Fang and P. Ning, “LAD: localization anomaly detection for wirelesssensor networks,” Journal of Parallel and Distributed Computing, Academic Press,Inc., vol. 66, no. 7, pp. 874–886, Jul. 2006.

[51] Y. Zhou and Y. Fang, “Defend against topological attacks in sensor networks,”Proceedings of the 2005 IEEE Military Communications Conference (Milcom’05),Atlantic City, NJ, Oct. 2005, vol. 2, pp. 768–773.

[52] Y. Zhou and Y. Fang, “A location-based naming mechanism for securing sensornetworks,” Wireless Communications and Mobile Computing, Special Issue onWireless Networks Security, Wiley, vol. 6, no. 3, pp. 347–355, May 2006.

[53] N. Sastry, U. Shankar and D. Wagner, “Secure verification of location claims,”Proceedings of the 2003 ACM Workshop on Wireless Security (WISE’03), San Diego,CA, Sep. 2003, pp. 1–10.

[54] P. Corke, R. Peterson and D. Rus, “Networked robots: flying robot navigation usinga sensor net,” Proceedings of the 11th Internatonal Symposium of Robotics Research(ISRR’03), Siena, Italy, Oct. 2003, pp. 234–243.

[55] C. Savarese, J. Rabaey and J. Beutel, “Locationing in distributed ad-hoc wirelesssensor networks,” Proceedings of the 26th IEEE International Conference onAcoustics, Speech, and Signal Processing (ICASSP’01), Salt Lake City, UT, May2001, pp. 2037–2040.

[56] C. Karlof, N. Sastry and D. Wagner, “TinySec: A link layer security architecture forwireless sensor networks,” Proceedings of the 2nd ACM International Conference onEmbedded Networked Sensor Systems (SENSYS’04), Baltimore, MD, Nov. 2004, pp.162–175.

[57] H. T. Kung and D. Vlah, “Efficient location tracking using sensor networks,”Proceedings of the 2003 IEEE Wireless Communications and Networking Conference(WCNC’03), March, 2003, vol. 3, pp. 1954–1961.

[58] R. Brooks, P. Ramanathan and A. Sayeed, “Distributed target classification andtracking in sensor networks,” Proceedings of the IEEE, vol. 91, no. 8, pp.1163–1171,2003.

[59] M. Bellare, R. Canetti and H. Krawczyk, “Keying hash functions for messageauthentication,” Proceedings of the 16th Annual International Cryptology Conferenceon Advances in Cryptology (CRYPTO’96), Santa Barbara, CA, Aug. 1996, pp. 1–15.

[60] J. Newsome, E. Shi, D. Song, and A. Perrig, “The sybil attack in sensor networks:analysis & defenses,” Proceedings of the 3rd IEEE International Symposium on

204

Page 205: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

Information Processing in Sensor Networks (IPSN’04), Berkeley, CA, Apr. 2004, pp.259–268.

[61] Y. Hu, A. Perrig and D. B. Johnson, “Packet leashes: a defense against wormholeattacks in wireless networks,” Proceedings of the 22nd Annual Joint Conference ofthe IEEE Computer and Communications Societies (INFOCOM’03), San Francisco,CA, Mar. 2003, vol. 3, pp. 1976–1986.

[62] L. Hu and D. Evans, “Using directional antennas to prevent wormhole attacks,”Proceedings of the 11th Annual Network and Distributed System Security Symposium(NDSS’04), San Diego, CA, Feb. 2004.

[63] W. Wang and B. Bhargava, “Visualization of wormholes in sensor networks,” Pro-ceedings of the 2004 ACM Workshop on Wireless Security (WISE’04), Philadelphia,PA, Oct. 2004, pp. 51–60.

[64] S. Zhu, S. Setia and S. Jajodia, “LEAP: efficient security mechanism for large-scaledistributed sensor networks,” Proceedings of the 10th ACM Conference on Computerand Communications Security (CCS’03), Washington, DC, Oct. 2003, pp. 62–72.

[65] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Securing sensor networks withlocation-based keys,” Proceedings of the 2005 IEEE Wireless Communicationsand Networking Conference (WCNC’05), New Orleans, LA, Mar. 2005, vol. 4, pp.1909–1914.

[66] B. Parno, A. Perrig and V. Gligor, “Distributed detection of node replication attacksin sensor networks,” Proceedings of the 2005 IEEE Symposium on Security andPrivacy (SP’05), Berkeley/Oakland, CA, May 2005, pp. 49–63.

[67] Y. Zhou, Y. Zhang and Y. Fang, “Access control in wireless sensor networks,” toappear in Elsevier Ad Hoc Networks, Special Issue on Security in Ad Hoc and SensorNetworks.

[68] R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, and P. Kruus, “TinyPK:securing sensor networks with public key technology,” Proceedings of the 2nd ACMWorkshop on Security of Ad hoc and Sensor Networks (SASN’04), Washington, DC,Oct. 2004, pp. 59–64.

[69] J. R. Douceur, “The Sybil attack,” Proceedings of the 1st International Workshopon Peer-to-Peer Systems (IPTPS’02), Cambridge, MA, Mar. 2002, pp. 251–260.

[70] D. J. Malan, M. Welsh and M. D. Smith, “A public-key infrastructure for keydistribution in TinyOS based on elliptic curve cryptography,” Proceedings of the1st IEEE International Conference on Sensor and Ad Hoc Communications andNetworks (SECON’04), Santa Clara, CA, Oct. 2004, pp. 71–80.

[71] N. Koblitz, “Elliptic Curve Cryptosystems,” Mathematics of Computation, vol. 48,pp. 203–209, 1987.

205

Page 206: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

[72] V. Miller, “Uses of Elliptic Curves in Cryptography,” Advances in Cryptology -CRYPTO’85, Santa Barbara, CA, 1985, pp. 417–426.

[73] S. Vanstone, “Responses to NIST’s proposal,” Communications of the ACM, vol. 35,pp. 50–52, Jul. 1992.

[74] O. Goldreich, S. Goldwasser and S. Micali, “How to construct random functions,”Journal of the ACM vol. 33, no. 4, pp. 792–807, 1986.

[75] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, “Comparing ellipticcurve cryptography and RSA on 8-bit CPUs,” Proceedings of the 6th Interna-tional Workshop on Cryptographic Hardware and Embedded Systems (CHES’04),Cambridge, MA, Aug. 2004, pp. 119–132.

[76] D. W. Carman, P. S. Kruus and B. J. Matt, “Constraints and approaches fordistributed sensor network security,” NAI Labs Technical Report #00-010, Sep. 2000.

[77] A. Perrig, J. Stankovic and D. Wagner, “Security in wireless sensor networks,”Communications of the ACM, vol. 47, no. 6, pp. 53–57, Jun. 2004.

[78] M. Manzo, T. Roosta and S. Sastry, “Time synchronization attacks in sensornetworks,” Proceedings of the 3rd ACM Workshop on Security of Ad hoc and SensorNetworks (SASN’05), Alexandria, VA, Nov. 2005, pp. 107–116.

[79] Y. Zhou and Y. Fang, “BABRA: batch-based broadcast authentication in wirelesssensor networks,” Proceedings of the 49th Annual IEEE Global TelecommunicationsConference (GLOBECOM’06), San Francisco, CA, Nov. 2006, pp. 1–5.

[80] A. Perrig, R. Canetti, B. Brisco, D. Song, and D. Tygar, “TESLA: multicastsource authentication transform introduction,” IETF working draft,draft-ietf-msec-tesla-intro-01.txt.

[81] D. Liu and P. Ning, “Efficient distribution of key chain commitments for broadcastauthentication in distributed sensor networks,” Proceedings of the 10th AnnualNetwork and Distributed System Security Symposium (NDSS’03), San Diego, CA,Feb. 2003.

[82] S. Rafaeli and D. Hutchison, “A survey of key management for secure groupcommunication,” ACM Computing Surveys, vol. 35, no. 3, pp. 309–329, Sep. 2003.

[83] A. Perrig, R. Canetti, D. Song, and J.D. Tygar, “Efficient and secure sourceauthentication for multicast,” Proceedings of the 8th Annual Network and DistributedSystem Security Symposium (NDSS’01), San Diego, CA, Feb. 2001.

[84] I. Khalil, S. Bagchi and C. Nita-Rotaru, “DICAS: detection, diagnosis and isolationof control attacks in sensor networks,” Proceedings of the 1st IEEE/CreateNet Inter-national Conference on Security and Privacy for Emerging Areas in CommunicationsNetworks (SECURECOMM’05), Athens, Greece, Sep. 2005, pp. 89–100.

206

Page 207: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

[85] C. Kaufman, R. Perlman and M. Speciner. Network Security: private communicationin a public world, 2nd Edition, Prentice-Hall, 2002.

[86] S. E. Deering, “Multicast routing in internetworks and extended LANs,” Proceed-ings of the 1988 ACM Symposium on Communications Architectures and Protocols(SIGCOMM’88), Stanford, CA, Aug. 1988, pp. 55–64.

[87] T. Ballardie and J. Crowcroft, “Multicast-specific security threats andcounter-measures,” Proceedings of the 2th Annual Network and Distributed Sys-tem Security Symposium (NDSS 1995), San Diego, CA, Feb. 1995, pp. 2–16.

[88] P. Judge and M. Ammar, “Security issues and solutions in mulicast contentdistribution: a survey,” IEEE Network Magzine, vol. 17, no. 1, pp. 30–36, Jan./Feb.2003.

[89] Y. Challal, H. Bettahar and A. Bouabdallah, “A taxonomy of multicast data originauthentication: issues and solutions,” IEEE Communication Surveys & Tutorials,vo. 6, no. 3, pp. 34–57, 2004.

[90] R. Gennaro and P. Rohatgi, “How to sign digital streams,” Information andComputation, Academic Press, vol. 165, no. 1, pp. 100–116, Feb. 2001.

[91] R. Gennaro and P. Rohatgi, “How to sign digital streams,” Proceedings of the 17thAnnual Cryptology Conference on Advances in Cryptology (CRYPTO’97), SantaBarbara, CA, Aug. 1997.

[92] A. Perrig, R. Canetti, J. D. Tygar, and D. Song, “Efficient authentication andsigning of multicast streams over lossy channels,” Proceedings of the 2000 IEEESymposium on Security and Privacy (SP’00), Berkeley, CA, May 2000, pp. 56–75.

[93] Y. Challal, H. Bettahar and A. Bouabdallah, “A2Cast: an adaptive sourceauthentication protocol for multicast streams,” Proceedings of the 9th Interna-tional Symposium on Computers and Communications (ISCC’04), Alexandria,Egypt, Jun. 2004, vol. 1, pp. 363–368.

[94] S. Miner and J. Staddon, “Graph-based authentication of digital streams,” Proceed-ings of the 2001 IEEE Symposium on Security and Privacy (SP’01), Oakland, CA,May 2001, pp. 232–246.

[95] Z. Zhang, Q. Sun, W-C Wong, J. Apostolopoulos and S. Wee, “A content-awarestream authentication scheme optimized for distortion and overhead,” Proceedings ofthe 2006 IEEE International Conference on Multimedia and Expo (ICME’06),Toronto, Canada, Jul. 2006, pp. 541–544.

[96] P. Golle and N. Modadugu, “Authenticating streamed data in the presence ofrandom packet loss,” Proceedings of the 8th Annual Network and Distributed SystemSecurity Symposium (NDSS’01), San Diego, CA, Feb. 2001.

207

Page 208: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

[97] Z. Zhang, Q. Sun and W-C Wong, “A proposal of butterfly-graphy based streamauthentication over lossy networks,” Proceedings of the 2005 IEEE InternationalConference on Multimedia and Expo (ICME’05), Amsterdam, Netherlands, Jul. 2005.

[98] S. Ueda, N. Kawaguchi, H. Shigeno and K. Okada, “Stream authentication schemefor the use over the IP telephony,” Proceedings of the 18th International Conferenceon Advanced Information Networking and Application (AINA’04), Fukuoka, Japan,Mar. 2004, vol. 2, pp. 164–169.

[99] A. Chan and E. Rogers Sr., “A graph-theoretical analysis of multicastauthentication,” Proceedings of the 23rd International Conference on DistributedComputing Systems (ICDCS’03), Providence, RI, May 2003, pp. 155–162.

[100] C. K. Wong and S. S. Lam, “Digital signatures for flows and multicasts,” Proceed-ings of the 6th International Conference on Network Protocols (ICNP’98), Austin,TX, Oct. 1998, pp. 198–209.

[101] C. K. Wong and S. S. Lam, “Digital signatures for flows and multicasts,”IEEE/ACM Transactions on Networking, vol. 7, no. 4, pp. 502–513, Aug. 1999.

[102] J. M. Park, E. K. P. Chong, and H. J. Siegel, “Efficient multicast packetauthentication using signature amortization,” Proceedings of the 2002 IEEESymposium on Security and Privacy (SP’02), Berkeley, CA, May 2002, pp. 227–240.

[103] J. M. Park, E. K. P. Chong, and H. J. Siegel, “Efficient multicast streamauthentication using erasure codes,” ACM Transactions on Information andSystem Security, vol. 6, no. 2, pp. 258–285, May 2003.

[104] A. Pannetrat and R. Molva, “Authenticating real time packet streams andmulticasts,” Proceedings of the 7th IEEE International Symposium on Comput-ers and Communications (ISCC’02), Taormina/Giardini Naxos, Italy, Jul. 2002, pp.490–495.

[105] A. Pannetrat and R. Molva, “Efficient multicast packet authentication,” Pro-ceedings of the 10th Annual Network and Distributed System Security Symposium(NDSS’03), San Diego, CA, Feb. 2003.

[106] Y. Wu and T. Li, “Video stream authentication in lossy networks,” Proceedings ofthe 2006 IEEE Wireless Communications and Networking Conference (WCNC’06),Las Vegas, NV, Apr. 2006, vol. 4, pp. 2150–2155.

[107] C. Karlof, N. Sastry, Y. Li, A. Perrig, and J. D. Tygar, “Distillation codes andapplications to DoS resistant multicast authentication,” Proceedings of the 11thAnnual Network and Distributed System Security Symposium (NDSS’04), San Diego,CA, Feb. 2004.

208

Page 209: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

[108] C.A. Gunter, S. Khanna, K. Tan, and S. Venkatesh, “DoS protection for reliablyauthenticated broadcast,” Proceedings of the 11th Annual Network and DistributedSystem Security Symposium (NDSS’04), San Diego, CA, Feb. 2004.

[109] L. Harn, “Batch verifying multiple RSA digital signatures,” IEE Electronic Letters,vol. 34, no. 12, pp. 1219–1220, Jun. 1998.

[110] M. Bellare, J. A. Garay and T. Rabin, “Fast batch verification for modularexponentiation and digital signatures,” Proceedings of Advances in Cryptology:EUROCRYPT’98, Espoo, Finland, May 1998, pp. 236–250.

[111] D. Boneh, B. Lynn and H. Shacham, “Short signatures from the weil pairing,”Proceedings of the 7th International Conference on the Theory and Application ofCryptology and Information Security Advances in Cryptology: ASIACRYPT’01, GoldCoast, Australia, Dec. 2001, pp. 514–532.

[112] FIPS PUB 186, Digital signature standard (DSS), May 1994.

[113] T. ElGamal, “A public key cryptosystem and a signature scheme based on discretelogarithms,” IEEE Transactions on Information Theory, vol. IT-31, no. 4, pp.469–472, Jul. 1985.

[114] D. Naccache, D. M’Raihi, S. Vaudenay, and D. Raphaeli, “Can D.S.A. be improved?complexity trade-offs with the digital signature standard,” Proceedings of Workshopon the Theory and Application of Cryptographic Techniques Advances in Cryptology:EUROCRYPT’94, Perugia, Italy, May 1995, pp. 77–85.

[115] C. H. Lim and P. J. Lee, “Security of interactive DSA batch verification,” IEEElectronic Letters, vol. 30, no. 19, pp. 1592–1593, Sep. 1994.

[116] L. Harn, “DSA-type secure interactive batch verification protocols,” IEE ElectronicLetters, vol. 31, no. 4, pp. 257–258, Feb. 1995.

[117] L. Harn, “Batch verifying multiple DSA-type digital signatures,” IEE ElectronicLetters, vol. 34, no. 9, pp. 870–871, Apr. 1998.

[118] C. Boyd and C. Pavlovski, “Attacking and repairing batch verification schemes,”Proceedings of the 6th International Conference on the Theory and Application ofCryptology and Information Security Advances in Cryptology: ASIANCRYPT’00,Kyoto, Japan, Dec. 2000, pp. 58–71.

[119] Y. Desmedt, Y. Frankel, and M. Yung, “Multi-receiver/multi-sender networksecurity: efficient authenticated multicast/feedback,” Proceedings of the 11thAnnual Joint Conference of the IEEE Computer and Communications Societies(INFOCOM’92), Florence, Italy, May 1992, vol. 3, pp. 2045–2054.

[120] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, “Multicastsecurity: a taxonomy and some efficient constructions,” Proceedings of the 18th

209

Page 210: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

Annual Joint Conference of the IEEE Computer and Communications Societies(INFOCOM’99), New York, NY, Mar. 1999, vol. 2, pp. 708–716.

[121] F. Bergadano, D. Cavagnino and B. Crispo, “Individual single-source authenticationon the mbone,” Proceedings of the 2000 IEEE International Conference on Multime-dia and Expo (ICME’00), New York, NY, Jul. 2000, vol. 1, pp. 541–544.

[122] A. Perrig, “The BiBa one-time signature and broadcast authentication protocol,”Proceedings of the 8th ACM Conference on Computer and Communications Security(CCS’01), Philadelphia, PA, Nov. 2001, pp. 28–37.

[123] P. Barreto, H. Kim, B. Lynn, and M. Scott, “Efficient algorithms for pairing-basedcryptosystems”, Proceedings of the 22nd Annual International Cryptology Conferenceon Advances in Cryptology: CRYPTO’02, Santa Barbara, CA, Aug. 2002, pp.354–368.

[124] R. Rivest, “The MD5 message-digest algorithm,” RFC 1319, April 1992.

[125] D. Eastlake and P. Jones, US secure hash algorithm 1 (SHA1), RFC 3174, Sep.2001.

[126] N. Baric and B. Pfitzmann, “Collision-free accumulators and fail-stop signatureschemes without trees,” Proceedings of International Conference on the Theory andApplication of Cryptographic Techniques Advances in Cryptology: EUROCRYPT’97,Konstanz, Germany, May 1997, pp. 480–494.

[127] J. Benaloh and M. de Mare, “One way accumulators: a decentralized alternativeto digital signatures,” Proceedings of International Conference on the Theory andApplication of Cryptographic Techniques Advances in Cryptology: EUROCRYPT’93,Lofthus, Norway, May 1993, pp. 274–285.

[128] J. Camenisch and A. Lysyanskaya, “Dynamic accumulators and application toefficient revocation of anonymous credentials,” Proceedings of the 22nd AnnualInternational Cryptology Conference on Advances in Cryptology: CRYPTO’02, SantaBarbara, CA, Aug. 2002, pp. 61–76.

[129] M. Goodrich, R. Tamassia and J. Hasic, “An efficient dynamic and distributedcryptographic accumulator,” Proceedings of the 5th International Conference onInformation Security (ICIS’02), 2002, pp. 372–388.

[130] K. Nyberg, “Fast accumulated hashing,” Proceedings of the 3rd InternationalWorkshop on Fast Software Encryption (FSE’96), Cambridge, UK, Feb. 1996, pp.83–87.

[131] T. Sander, “Efficient accumulators without trapdoor extended abstracts,” Pro-ceedings of the 2nd International Conference on Information and CommunicationSecurity (ICICS’99), Sydney, Australia, Nov. 1999, pp. 252–262.

210

Page 211: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

[132] IEEE Std 802.16-2004, IEEE standard for local and metropolitan area networks, part16: air interface for fixed broadband wireless access systems, June 2004.

[133] WiMAX Forum, http://www.wimaxforum.org/home/, May 2006.

[134] IEEE Std 802.11-1999, Information technology - telecommunications and infor-mation exchange between systems - local and metropolitan area networks - specificrequirements - part 11: wireless lan medium access control (MAC) and physical layer(PHY) specifications, 1999.

[135] I.F. Akyildiz, X. Wang and W. Wang, “Wireless mesh networks: a survey,”Computer Networks, Elsevier, vol. 47, pp. 445–487, Mar. 2005.

[136] N. Borisov, I. Goldberg and D. Wagner, “Intercepting mobile communications:the insecurity of 802.11,” Proceedings of the 7th Annual International Conferenceon Mobile Computing and Networking (Mobicom’01), Rome, Italy, Jul. 2001, pp.180–189.

[137] W.A. Arbaugh, N. Shankar, Y.C. Wan, and K. Zhang, “Your 802.11 wirelessnetwork has no clothes,” IEEE Wireless Communications Magizine, vol. 9, no. 6, pp.44–51, Dec. 2002.

[138] J. Bellardo and S. Savage, ”802.11 denial-of-service attacks: real vulnerabilities andpractical solutions,” Proceedings of the 12th USENIX Security Symposium (SEC’03),Washington, DC, Aug. 2003, pp. 15–28.

[139] A. Mishra, N.L. Petroni, W.A. Arbaugh, and T. Fraser, “Security issues in IEEE802.11 wireless local area networks: a survey,” Wireless Communications and MobileComputing, Wiley, vol. 4, no. 8, pp. 821–833, Dec. 2004.

[140] C. He, J. C. Mitchell, “Security analysis and improvements for IEEE 802.11i,”Proceedings of the 12th Annual Network and Distributed System Security Symposium(NDSS’05), San Diego, CA, Feb. 2005, pp 90–110.

[141] DOCSIS Home, http://www.cablemodem.com/, May 2006.

[142] D. Johnston and J. Walker, “Overview of IEEE 802.16 security,” IEEE Security &Privacy Magzine, vol. 2, no. 3, pp. 40–48, May/Jun. 2004.

[143] M. Barbeau, ”Wimax/802.16 threat analysis,” Proceedings of the 1st ACMInternational Workshop on Quality of Service & Security in Wireless and MobileNetworks (Q2SWINET’05), Montreal, Canada, Oct. 2005, pp. 8–15.

[144] F. Yang, H. Zhou, L, Zhang, and J. Feng, ”An improved security scheme in WMANbased on IEEE standard 802.16,” Proceedings of the 2005 International Conferenceon Wireless Communications, Networking and Mobile Computing (WCNMC’05),Wuhan, China, Sep. 2005, vol. 2, pp. 1191–1194.

211

Page 212: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

[145] Y. Zhou and Y. Fang, “Security of ieee 802.16 in mesh mode,” Proceedings of the2006 IEEE Military Communications Conference (Milcom 2006), Washington, DC,Oct. 2006, pp. 1–6.

[146] IETF RFC 2405, The ESP DES-CBC Cipher Algorithm With Explicit IV, November1998.

[147] IETF RFC 3610, Counter with CBC-MAC (CCM), September 2003.

[148] IEEE Std 802.16e-2005, IEEE standard for local and metropolitan area networks,part 16: air interface for fixed and mobile broadband wireless access systems,amendment 2: physical and medium access control layers for combined fixed andmobile operation in licensed bands and corrigendum 1, December 2005.

[149] IETF RFC 3748, Extensible Authentication Protocol (EAP), June 2004.

[150] IETF RFC 3686, Using Advanced Encryption Standard (AES) Counter Mode WithIPsec Encapsulating Security Payload (ESP), January 2004.

[151] IETF RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec,September 2003.

212

Page 213: c 2007 Yun Zhouufdcimages.uflib.ufl.edu/UF/E0/02/11/61/00001/zhou_y.pdf · 4.2.7 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2.7.1 Memory cost .

BIOGRAPHICAL SKETCH

Yun Zhou received a B.E. degree in electronic information engineering (2000) and an M.E. degree in communication and information system (2003) from the Department of Electronic Engineering and Information Science at the University of Science and Technology of China, Hefei, China. He is currently pursuing the Ph.D. degree in the Department of Electrical and Computer Engineering at the University of Florida, Gainesville, USA. His research interests are in the areas of security, cryptography, wireless communications and networking, signal processing, and operating systems. He is a student member of the IEEE.
