EDDK: Energy-Efficient Distributed Deterministic Key Management for Wireless Sensor Networks
- 1.8k Downloads
Energy efficiency is an essential requirement for wireless sensor networks while security must also be ensured for mission-critical applications. In this paper, we present an energy-efficient distributed deterministic key management scheme (EDDK) for resource-constrained wireless sensor networks. EDDK mainly focuses on the establishment and maintenance of the pairwise keys as well as the local cluster keys and can fix some flaws in some existing key management schemes. Not only can the neighbor table constructed during key establishment provide the security for key maintenance and data transfer, but it can also be used to effectively manage the storage and update of the keys. By using the elliptic curve digital signature algorithm in EDDK, both new and mobile sensor nodes can join or rejoin a sensor network securely. Unlike some centralized and location-based key management schemes, EDDK does not depend on such infrastructure as base stations and robots and thus has a high level of flexibility. Experiments and analyses show that EDDK has a very low overhead in terms of computation, communication, and storage.
KeywordsSensor Node Communication Overhead Intrusion Detection System Malicious Node Elliptic Curve Cryptography
A wireless sensor network (WSN) is a promising network infrastructure for many applications such as environmental monitoring, medical care, and home appliance management. It is also useful for battlefield surveillance and homeland security because WSNs can be easily deployed for those applications. However, in many hostile and tactical scenarios as well as critical commercial applications, security mechanisms are required to protect WSNs from malicious attacks. Therefore, the security of WSNs has become an important issue and a challenging design task . Furthermore, security mechanisms based on cryptography would make key management a central issue to ensure the security of network services and applications in WSNs.
Many key management schemes have been proposed for WSNs over the past few years [1, 2]. From the standpoint of network structure, key management schemes can be centralized or distributed. From the standpoint of key sharing between neighboring nodes, key management schemes can be probabilistic or deterministic. For centralized key management schemes, network scalability is poor and communication overhead is high. Probabilistic schemes cannot guarantee that two neighboring nodes could successfully establish a shared key according to the underlying random graph theory. It will not be desirable if some sensor nodes cannot establish shared keys with their neighbors and are thus isolated. In addition, in probabilistic schemes, the impact of node compromise and the lack of authentication are serious issues because of the reuse of the same keys by more than one node. Deterministic schemes can solve some problems that probabilistic schemes have. But the addition of new nodes is still an issue in such schemes because the confidentiality and authenticity of new pairwise keys cannot be fully realized [3, 4, 5]. Even in the scheme in , the normal node's motion will be regarded as the injection of the replicas of compromised nodes. An adversary can thus cause a network to collapse by merely changing the nodes' locations in the network. Consequently, the scheme in  is susceptible to the so-called node location changing attack.
Due to limited battery life of sensor nodes, any security mechanisms for WSNs must be energy efficient. Specifically, the number of message transmission and the amount of computation must be kept as low as possible. Meanwhile, the size of a sensor network should not be constrained by the available storage and energy resource in each node.
In this paper, we propose a distributed deterministic key management scheme for WSNs in which the pairwise keys and the local cluster keys are set up through the broadcast information during the network initialization phase and no further message exchange is needed afterwards. Consequently, the communication overhead is very low. Furthermore, pairwise keys are also totally decentralized. Therefore, the compromise of some sensor nodes will not affect any other noncompromised pairwise keys. For the establishment of keys for new nodes and mobile nodes, we propose a composite mechanism based on the elliptic curve digital signature algorithm (ECDSA) in which resource consumption can also be kept very low.
The rest of this paper is organized as follows. In Sections 2 and 3, we discuss some related work and analyze some present deterministic key schemes. In Section 4, we present our energy-efficient distributed deterministic key management scheme (EDDK), and in Sections 5 and 6, we analyze the security and performance of EDDK. Finally, we conclude this paper in Section 7.
2. Related Work
2.1. Centralized versus Distributed Key Management Schemes
LKHW is a centralized key management scheme for WSNs based on the Logical Key Hierarchy (LKH) . In the scheme, the base station is treated as a key distribution center (KDC) and all keys are logically distributed through a tree rooted at the base station. In such a centralized scheme, besides poor network scalability and high communication overhead, the base station that knows all pairwise keys can be a single point of failure for network security. In distributed key management schemes, different key controllers are used to lower security risk and to allow for better network scalability . Consequently, a majority of the key management schemes proposed so far are distributed ones that also fall into the deterministic and probabilistic categories which we discuss in the following subsection.
2.2. Probabilistic versus Deterministic Key Management Schemes
Eschenauer and Gligor proposed a basic probabilistic key predistribution scheme . In the scheme, each sensor is assigned a random subset of keys from a key pool before the network is deployed so that any two sensor nodes will have a certain probability of sharing at least one key. Chan et al. improved the above scheme and proposed the q-composite key predistribution scheme . In the scheme, any two sensor nodes are required to share at least q predistributed keys as the basis for the establishment of a pairwise key between the two nodes. Liu and Ning proposed a framework in which pairwise keys are predistributed by using bivariate polynomials . Du et al. proposed a similar pairwise key predistribution scheme  that uses Blom's method . The main difference between the schemes in [10, 11] is that the former is based on a set of bivariate Open image in new window -degree polynomials while the latter is based on the Blom's method.
Two representative deterministic key management schemes, that is, the LEAP protocol [3, 4], and the OMTK protocol , will be analyzed in the next section. In addition, Lai et al. proposed the BROadcast Session Key (BROSK) negotiation protocol . Lee and Stinson proposed two deterministic schemes based on combinatorial design theory: the ID-based one-way function scheme (IOS) and the deterministic multiple space Blom's scheme (DMBS) . They also discussed the use of combinatorial set systems in the design of deterministic key predistribution schemes for WSNs .
Properties of key establishment schemes.
Key setup schemes
Local cluster key
New node joining
2.3. Public Key Cryptography in WSNs
Prior studies have shown that it is feasible to apply public key cryptography to sensor networks by choosing proper algorithms with reasonable parameters and by using optimization and low-power techniques [16, 17, 18]. Gura et al. evaluated the assembly language implementations of Elliptic Curve Cryptography (ECC) and RSA on the Atmel ATmega128 processor  and showed that a 160-bit point multiplication of ECC only needs 0.81 seconds while a 1024-bit RSA public key operation and private key operation only need 0.43 seconds and 10.99 seconds, respectively. Du et al. developed a public key authentication scheme based on a symmetric key technique called the Merkle tree . Zhang et al. proposed the notion of location-based keys by binding private keys of individual nodes to their IDs as well as locations .
In the method proposed by Zhou et al. , although ECC can be used together with timestamp to prevent an adversary from impersonating legitimate new nodes with compromised ones, the shortcomings of the method are equally obvious. Not only does the method incur communication overhead required for time synchronization, but it also limits the mobility of network nodes. This is because as soon as a legitimate node leaves its original location, it will be regarded as a malicious node . As the result, the mobile node cannot establish shared keys with its new neighbors and will consequently be excluded from the network. Therefore, the access control protocol is susceptible to the so-called node location changing attack.
3. Analysis of Deterministic Key Schemes
For node Open image in new window , the ACK from a neighboring node Open image in new window is authenticated using the individual key Open image in new window of node Open image in new window derived through Open image in new window . Since it knows Open image in new window , node Open image in new window can derive Open image in new window and use it to verify the identity of node Open image in new window . Node Open image in new window can then compute a pairwise key Open image in new window with node Open image in new window through Open image in new window . Node Open image in new window can also compute Open image in new window in the same way. Open image in new window can then serve as the pairwise key for nodes Open image in new window and Open image in new window .
In the above scheme, since the same formula is always used in computing the pairwise key, should an adversary get Open image in new window by capturing a sensor node with hardware faults, all pairwise keys in the network could be easily computed. Moreover, since the first step of the aforementioned process is not authenticated, an adversary can inject fake hello messages to launch a resource exhausting attack. The problem still remains in the improved version of the LEAP protocol, that is, the journal version LEAP+ .
The above procedure still has some drawbacks, however. First, since all the nodes use the preconfigured master key Open image in new window ( Open image in new window is similar to Open image in new window in the LEAP protocol) to encrypt the JOIN messages, if Open image in new window is compromised through cryptanalysis, an adversary can easily deploy some malicious nodes into the network because function Open image in new window is generally known. Moreover, the adversary can compute a large number of pairwise keys by eavesdropping on nonce and ID in the JOIN messages broadcast by other nodes so that it can overhear, forge, and alter network messages later.
Since the first step above does not authenticate new node Open image in new window , the protocol is vulnerable to denial of service (DoS) attacks. Let us consider the case in which a malicious node impersonates on a legitimate node Open image in new window and broadcasts a JOIN message. A legitimate node Open image in new window would then finish the second step. However, the malicious node may never execute the third step. By broadcasting many different spoof messages, the malicious node can incur a large amount of computation, communication, and storage overhead for node Open image in new window . In addition, if an old node does not work properly after deployment due to many possible problems, an adversary can get the preloaded master key by compromising the node. The adversary can then deduce the individual keys (e.g., Open image in new window and Open image in new window ) of all the old nodes and subsequently deploy some malicious nodes into the network. Since it has already obtained the master key, the adversary can get pairwise keys between the new and the old nodes by performing the third step in the above protocol.
We can see from the above analysis that not only is the new node joining protocol in the OTMK scheme susceptible to DoS attacks, but it is also possible for an adversary to freely deploy malicious nodes into the network and to obtain pairwise keys between the new and the old nodes.
The drawback of this mechanism is also obvious because it makes the protocol more complex while less secure. As long as an adversary can eavesdrop on all pairwise key setup procedures in time slot Open image in new window and records Open image in new window , the adversary can compute all pairwise keys in time slot Open image in new window after Open image in new window is received. Moreover, for the delayed authentication, the adversary can send a large number of joining messages to Open image in new window by impersonating on Open image in new window . As the result, Open image in new window could store an excessive amount of messages that need to be authenticated in the third step, leading to a DoS attack.
4. EDDK: Energy-Efficient Distributed Deterministic Key Management Scheme
To fix the flaws present in the aforementioned key management schemes, we propose a distributed deterministic key management scheme (EDDK) for WSNs based on some of our earlier research [22, 23, 24]. EDDK mainly focuses on the establishment and maintenance of the pairwise keys as well as the local cluster keys. Unlike centralized and location-based key management schemes, EDDK does not depend on such infrastructure as base stations (BSs) and robots. Consequently, there is not any single node that shares a master key with the BS, which makes the scheme highly flexible. Therefore, EDDK can meet the requirement that there is only one resource-limited sink node in a large WSN. For the establishment and authentication of a global broadcast key, please refer to the μ TESLA protocol .
To enhance message security in the network initialization phase, instead of using the individual key directly, each sensor node can derive a separate encryption key and a MAC key from the individual key . This method can also be applied to enhance security in data transmission as well as in key update. For ease of illustration, in the following discussion, we simply use the same key to both encrypt and authenticate a message although two different keys can be used.
Open image in new window is node A's individual key and is computed by using formula (7) below; Open image in new window is the pairwise key that is shared by two neighboring nodes A and Open image in new window and is periodically updated by them.
Open image in new window is node A's local cluster key that is shared by node A with all its neighbors and is periodically updated by node A. This local cluster key is used to secure all local broadcast messages of a node, for example, routing control message forwarded.
Open image in new window and Open image in new window denote the public key and the private key of a node, respectively. The public key Open image in new window of a trusted authority TA is predistributed to every node before deployment. But the private key Open image in new window is not stored in the WSNs. Therefore, adversaries cannot get Open image in new window by attacking TA directly.
Open image in new window denotes the sequence number of a data message, that is, generally shared by two communicating nodes to fight against replay attacks and to ensure the freshness of data.
Open image in new window is used to encrypt message Open image in new window with key Open image in new window ; Open image in new window is used to compute message Open image in new window 's message authentication code (MAC) with key Open image in new window .
4.2. Key Establishment Phase
After deployment, every sensor node will broadcast a network joining message to determine the neighboring relationships in the network. To prevent two or more nodes from attempting to transmit at the same time in the network initialization phase, every node would implement a binary exponential backoff algorithm to avoid collisions before broadcasting its joining message. In addition, to prevent an adversary from getting all the pairwise keys after obtaining Open image in new window as it could in the LEAP protocol, any pairwise key that is computed through using the pseudorandom function should be updated in time.
In the above equations, join denotes the message type and Open image in new window is the concatenation operator. Using (7), every receiving node can compute the sender's individual key (e.g., Open image in new window and Open image in new window ). After verifying the correctness of the joining message, according to (9), the neighboring nodes can get the same pairwise key (e.g., Open image in new window ). Open image in new window and Open image in new window are the random numbers generated by the senders that are mainly used to make the pairwise key between the neighboring nodes completely decentralized. In (8), authentication of the sender can counter resource exhaustion attacks. As long as the ID of a node is in the neighbor table, all repeated join messages will be discarded.
Our experiments show that the key establishment time is less than 10 s for a network of up to 20 neighbors. Deng et al.  showed that an attacker who has the experience and tools needs to spend at least tens of seconds or minutes to obtain the data of a Mica2 mote after a node is captured. Therefore, we set the key establishment timer for 10 s so that an adversary cannot impersonate a legitimate node in the key establishment phase through obtaining the initial key and the pseudorandom function. This is because when the timer runs out, key establishment will stop even under the situation in which some nodes have not established pairwise keys with some of their neighbors.
After the key establishment timer reaches its preset threshold value, a node will delete all the individual keys of its neighbors (e.g., Open image in new window and Open image in new window ), the random numbers (e.g., Open image in new window and Open image in new window ), the pseudorandom function Open image in new window and the initial key Open image in new window to improve security as well as to save storage space in the node. Therefore, even if an adversary could compromise some legitimate nodes, it still could not compute the pairwise keys and the local cluster keys of noncompromised nodes.
Note that the neighboring nodes do not have to acknowledge the setup of the pairwise keys because the measures taken later in the key maintenance phase will help the neighbors that failed to set up the pairwise keys successfully finish the task.
Note also that each sensor node only needs to broadcast one network joining message during the key establishment phase with no further message exchange required. Moreover, the network joining message may be the route request message. The pairwise key and the local cluster key can be established at the same time when a node forwards a route request message. Thus, the communication overhead can be very low.
4.3. Data Transfer Phase
Pairwise sequence number
Local cluster key
Local broadcast sequence number
In EDDK, every message always gets authenticated while encryption is optional. Message confidentiality becomes necessary only when some information needs to be kept secret. For example, in an intrusion detection system, the actual content of an alarm message could be empty. Receiving an alarm message indicates an intrusion. Thus, encryption is not necessary but only leading to increase in latency, computation overhead, and power consumption. Meanwhile, authentication helps to ensure that authorized nodes will not accept invalid messages injected by an adversary. Consequently, adversaries can hardly forge false alarms.
In the above process, Open image in new window is the pairwise key that is shared by the sender and the receiver, and Open image in new window is the local cluster key of the sender. SN is the pairwise sequence number while Open image in new window is the local broadcast sequence number. Since the sequence numbers are used to ensure the freshness of a message and to counter replay attacks, it is not necessary to keep them secret. It is obvious that the local broadcast does not need the acknowledgment message, so it is omitted in (11).
To save energy, a sensor node may employ early rejection in which it would turn off its radio after determining that a message is false or malicious. Upon the receipt of a message, a receiver would first examine if the sender of the message is in its neighbor table and if the SN is the same as that in its neighbor table; it would then compute the message authentication code and compare the result with the received MAC; it would finally decrypt the message only when all the previous steps have completed successfully. Hence, the use of the neighbor table not only improves the security of data transfer but also helps to reduce computation and communication overhead in the node.
4.4. Key Maintenance Phase
The security strength on the information transmitted in the network relies primarily on the protection of the keys that are used for encryption. Should an attacker get the keys, the security system would fail because the attacker can use the keys to decrypt intercepted cipher texts to get the original plaintexts or to fake network data to deceive legitimate nodes. The attacker could achieve the above goal through the means of cryptanalysis on eavesdropped messages that are transmitted over the wireless media or by compromising some sensor nodes in the network. Therefore, the sender and the receiver must update the keys used between them periodically. When a compromised node is identified, the keys that it uses must also be revoked immediately. Moreover, key management system must quickly respond to network changes to perform functions such as key establishment and maintenance of new nodes and mobile nodes.
4.4.1. Key Update
Pairwise key update
- (ii)Local cluster key update
The above key update procedures can counter replay, forgery and tampering attacks. Thus, the keys can be updated both securely and timely.
4.4.2. Compromised Key Revocation
As long as the noncompromised nodes are still connected, the local cluster key Open image in new window can be successfully updated.
4.4.3. New Node Joining
where Open image in new window is a random number, Open image in new window is the generator in the cyclic group of points over the elliptic curve and has an order Open image in new window of at least 160 bits, Open image in new window is a hash function that can translate a binary sequence into an integer, and Open image in new window is the private key of the TA.
Following the same procedure, the receivers can also verify the identity of the new node Open image in new window after hearing the broadcast joining messages from it. The pairwise key negotiation would fall into one of the following two scenarios: between two new nodes or between a new node and an existing node.
New nodes are preloaded with the pseudorandom function Open image in new window and a new initial key Open image in new window . The pairwise key negotiation between two new nodes is performed using (9) in which Open image in new window and Open image in new window . Consequently, new nodes Open image in new window and Open image in new window can establish a pairwise key without having to send out any more messages and Open image in new window .
The results will be identical because Open image in new window .
No further message exchanges are necessary during pairwise key setup beyond broadcasting the identity message by the new node Open image in new window . Therefore, the communication overhead is low in the new node joining process.
Although the public-key algorithm is computationally more expensive, it is easier to manage and more resilient to node compromise than secret key algorithms. To achieve the same level of security, a smaller key size in ECC (elliptic curve cryptography) can be used, which offers the advantages of faster computation as well as savings in memory, energy, and bandwidth. Thus, ECC is more suitable for resource-constrained sensor nodes.
4.4.4. Mobile Node Joining
We assume that a sensor node can sense its own movement. If a sensor node moves to a new location, it will establish pairwise keys with its new neighbors following the aforementioned public-key-based node joining procedure, and its old neighbors will also revoke the pairwise keys with it.
where rejoin shows that this is a mobile node joining message. Since current time Open image in new window is newer than both timestamps Open image in new window and Open image in new window , nodes A and Open image in new window will be regarded as mobile nodes. After correctly verifying each other's joining message, the pairwise key computation procedure between two mobile nodes is the same as that in (22), that is, Open image in new window . Similarly, according to (21), (22), and (23), the pairwise key between mobile node A and the existing node Open image in new window is Open image in new window and, according to (17), (22), and (23), the pairwise key between mobile node A and the new node Open image in new window is Open image in new window . In fact, only the pairwise key between a mobile node and an existing node would normally need to be computed.
The mobile nodes could be normal nodes whose locations have changed due to some reasons. However, it is also possible that the mobile nodes are the replicas of some compromised nodes that are placed in the network by adversaries. Hence, the intrusion detection system in a sensor network should focus on monitoring the mobile nodes whose locations have changed. When the behavior of a mobile node matches an attack profile or deviates from a normal profile, the mobile node should be labeled as a malicious node.
In order to counter Sybil attacks and the node replication attacks, we limit the number of neighbors for any node, that is, the number of entries in the neighbor table, by using a threshold. When the number of neighbors of a node reaches the threshold value, no new neighbors can be added into the neighbor table. Thus, an affected new mobile node can not establish pairwise keys with its new neighbors and, as the result, could not communicate with them. This measure can help prevent replicas of compromised nodes from joining the network as mobile nodes.
In the above joining scenarios, after the pairwise key is established, the existing node needs to unicast its local cluster key to its new neighbors to complete the key establishment process.
5. Security Analysis
We first compare the security of EDDK with some related schemes and then analyze EDDK in terms of preventing both general and special attacks to WSNs.
5.1. Security Comparison with Related Schemes
In the LEAP+ protocol , when the timer expires after Open image in new window , each node will erase the initial key Open image in new window and all the master keys of its neighbors. However, even with tamper-proof hardware, damaged or disabled nodes may still have the initial key in the flash memory. Therefore, should an adversary physically capture such a node and obtain the initial key, all the pairwise keys in the network could be easily computed. From (8) and (9), we can see that all pairwise keys in EDDK are decentralized and cannot be inferred uniformly based on any centralized rule. Even if the adversary could know the pseudorandom function Open image in new window and the initial key Open image in new window , it would not be able to get noncompromised pairwise keys since the random number SN generated by each node in (9) is different.
The new node joining protocol in the OMTK scheme  not only is susceptible to DoS attacks but also makes it possible for an adversary to inject malicious nodes into the network and to obtain pairwise keys between new and existing nodes. The additional mechanism that uses a one-way hash chain as the master key during each time period to authenticate new nodes only makes the protocol more complex while less secure. To solve the above problems, we employ ECDSA to authenticate the identity of any node. Even if an adversary could compromise a node, it would not get any information about noncompromised nodes.
5.2. Preventing General Attacks on WSNs
General attacks to WSNs mainly include eavesdropping, faking, altering, and replaying network messages as well as launching DoS attacks towards the normal nodes.
In both the network initialization phase and the network maintenance phase, we use the node's individual key, the pairwise key, or the local cluster key to encrypt and authenticate network messages. Therefore, adversaries who do not know these keys cannot obtain, fake, or tamper with the contents of network messages.
Due to the use of the neighbor table, adversaries can hardly launch replay attacks. For the node joining messages, if a node exists in the neighbor table, any duplicate joining messages claimed to be from it will be discarded by the receiving node. For the data messages, by using the sequence number field in the neighbor table, any duplicate data messages will also be discarded by the receiver.
Based on (8), (10)–(17), (21), and (23), key establishment messages, node sensing messages, and key maintenance messages can be authenticated. Furthermore, key establishment messages and new and mobile node joining messages are not necessarily fed back. Thus, EDDK can effectively counter DoS attacks.
5.3. Preventing Specific Attacks to WSNs
Specific attacks to WSNs mainly include rushing attacks, Sybil attacks, node replication attacks, hello flooding attacks, acknowledge spoofing attacks, and selective forwarding attacks, to name a few [1, 28].
Every node needs to broadcast a "hello" message periodically to advertise itself. The sequence numbers and the pairwise keys stored in the neighbor table can help to authenticate the "hello" messages and the acknowledgment messages. As the result, an adversary who does not know the shared information cannot flood a large number of "hello" messages and forge acknowledgment messages.
To counter selective forwarding attacks, we adopt a measure similar to that used in  in which each sensor node can work under a promiscuous mode so that it can overhear data transmission among its neighboring nodes. If a neighbor of a suspected node detects that the number of messages that the suspected node fails to forward exceed a threshold, the neighbor can collaborate with other neighbors to make a decision about the suspected node. In addition, multipath routing can also help to deal with the selective forwarding problem.
Because we allow mobile nodes to rejoin the network, the replicas of compromised nodes may affect EDDK. By limiting the number of neighbors for any node and by authenticating all messages using the sequence numbers and the pairwise keys, we can prevent an intruder from launching Sybil attacks, rushing attacks, and node replication attacks to some extent. Moreover, we can use multiple paths to the sink node to counter such attacks. In a sensor network where nodes are mostly stationary, the intrusion detection system can focus on monitoring mobile nodes whose locations have just changed. If the behavior of a mobile node matches an attack profile or deviates from a normal profile, the node will be regarded as a malicious node.
6. Performance Evaluation
In the probabilistic key sharing schemes, if two nodes have to rely on a third node to help them establish a pairwise key, a large amount of computation (e.g., encryption and decryption) and communication will be required due to the fact that threshold cryptography-based schemes usually involve expensive operations such as modular multiplications. In contrast, in EDDK, every node can establish a pairwise key with each of its neighbors and thus does not need any additional help in pairwise key establishment.
We have used MATLAB 7.9.0 (R2009b) to perform the simulation to evaluate the EDDK scheme and to compare it with some other similar schemes. We have also implemented EDDK in the Crossbow's IRIS sensor nodes. We have chosen RC5 (with 12 rounds) as the block cipher to implement the encryption/decryption algorithm and to generate CBC-MAC. We have also used MAC with RC5 to provide the pseudo random function that is used to derive the individual keys as well as the pairwise keys.
We have evaluated the EDDK scheme in terms of computation overhead, communication overhead, and storage overhead.
6.1. Computation Overhead
Although the ECC algorithm is adopted in the node mobility scenario, for achieving the same level of security, a smaller key size in ECC can offer faster computational efficiency, especially in assembly language implementations, which only require 0.81 s for completing a 160-bit point multiplication of ECC . Node authentication needs two point multiplication operations according to (19), whereas pairwise key setup needs only one point multiplication operation according to (22) in the node mobility scenario.
6.2. Communication Overhead
According to (8), (10)–(17), (21), and (23) in the EDDK scheme, messages sent by every node can be authenticated while the schemes in [3, 4, 5] cannot. Should a message not be authenticated by the recipient, an adversary could freely inject malicious messages into the network. Moreover, the recipient has to feed reply messages into the network and wait for further messages in order to authenticate the sender. Consequently, the communication overhead in EDDK is much lower than that in the other schemes. Moreover, communication overhead is generally considered to be much worse, and therefore less desirable, than computation overhead due to higher energy consumption.
6.3. Storage Overhead
In the EDDK scheme, each node needs to store the pairwise keys and the local cluster keys related to its neighbors. Since in the mobility scenario, we employ the ECC-based public key mechanism to verify the identities of the nodes and to establish pairwise keys, each node still needs to store its own private and public keys, the TA's signature for it and the TA's public key. In our current research, since we use 160-bit ECC as the underlying cryptographic foundation, the key materials related to the public key need 160-byte storage space. The LEAP, and the OTMK schemes do not adopt the public key mechanism, however. In addition to the pairwise keys and the local cluster keys, in the LEAP protocol, each node still needs to store its own individual key that is used for computing the pairwise keys and at most Open image in new window initial keys: Open image in new window that are used for deriving the individual key in different node addition scenarios. The OTMK scheme does not support the establishment of a local cluster key. In our comparison with these schemes, we assume that, in the OTMK scheme, a node already has the local cluster key. Moreover, to allow new normal nodes to join an existing network, in OMTK, a node has to generate Open image in new window verifiers that contain random numbers Open image in new window and Open image in new window .
We can thus conclude that the EDDK scheme is more advantageous in computation, communication, and storage and is thus more suitable for resource-constrained wireless sensor networks.
In this paper, we proposed an energy-efficient distributed deterministic key management scheme (EDDK) in which pairwise keys and local cluster keys of sensor nodes can be established and maintained securely. Furthermore, pairwise keys are totally decentralized. Hence, the compromise of any sensor node will not affect any other noncompromised pairwise keys. By broadcasting only one identity authentication message, a node can set up a pairwise key with a neighboring node both in the network initialization phase and in the node mobility scenario. Therefore, the communication overhead is very low. In addition, not only can the neighbor table mechanism used in EDDK ensure security for key management and data transmission, but it can also help nodes effectively store and update keys. The use of the elliptic curve digital signature algorithm in EDDK provides the support for the establishment of pairwise keys and local cluster keys under the node mobility scenario. Simulation and analysis has shown that EDDK is more advantageous in computation, communication, and storage than other similar schemes.
This research work in this paper has been partially supported by a Grant from the Science Foundation of Beijing Education Commission (Grant no. KM201010005027). The authors would also like to thank the anonymous reviewers for their valuable comments on the paper.
- 3.Zhu S, Setia S, Jajodia S: LEAP: efficient security mechanisms for large-scale distributed sensor networks. Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), October 2003, Washington, DC, USA 62-72.Google Scholar
- 5.Deng J, Hartung C, Han R, Mishra S: A practical study of transitory master key establishment for wireless sensor networks. Proceedings of the 1st International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm '05), September 2005, Athens, Greece 289-299.CrossRefGoogle Scholar
- 7.Di Pietro R, Mancini LV, Law YW, Etalle S, Havinga P: LKHW: a directed diffusion-based secure multicast scheme for wireless sensor networks. Proceedings of the International Conference on Parallel Processing, October 2003, Los Alamitos, Calif, USA 397-406.Google Scholar
- 8.Eschenauer L, Gligor VD: A key-management scheme for distributed sensor networks. Proceedings of the 9th ACM Conference on Computer and Communications Security, November 2002, Washington, DC, USA 41-47.Google Scholar
- 9.Chan H, Perrig A, Song D: Random key predistribution schemes for sensor networks. Proceedings of IEEE Symposium on Security And Privacy, May 2003, Oakland, Calif, USA 197-213.Google Scholar
- 10.Liu D, Ning P: Establishing pairwise keys in distributed sensor networks. Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), October 2003, Washington, DC, USA 52-61.Google Scholar
- 12.Blom R: An optimal class of symmetric key generation systems. Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT '84), April 1984, Paris, France 335-338.Google Scholar
- 13.Lai B, Kim S, Verbauwhede I: Scalable session key construction protocols for wireless sensor networks. Proceedings of IEEE Workshop on Large Scale RealTime and Embedded Systems, 2002Google Scholar
- 15.Lee J, Stinson DR: A combinatorial approach to key predistribution for distributed sensor networks. Proceedings of IEEE Wireless Communications and Networking Conference (WCNC '05), March 2005, Orleans, La, USA 1200-1205.Google Scholar
- 16.Gura N, Patel A, Wander A, Eberle H, Shantz SC: Comparing elliptic curve cryptography and RSA on 8-Bit CPUs. Proceedings of the 6th International workshop on Cryptographic Hardware and Embedded Systems (CHES '04), August 2004, Cambridge, Mass, USA 119-132.Google Scholar
- 17.Wandert AS, Gura N, Eberle H, Gupta V, Shantz SC: Energy analysis of public-key cryptography for wireless sensor networks. Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications (PerCom '05), March 2005, Kauai Island, Hawaii, USA 324-328.CrossRefGoogle Scholar
- 22.Zhang X, He J, Wei Q: An energy-efficient dynamic key management scheme in wireless sensor networks. Proceedings of the 10th International Symposium on Pervasive Systems, Algorithms, and Networks (I-SPAN '09), December 2009, Kaohsiung, Taiwan 238-242.Google Scholar
- 24.Zhang X, He J, Wei Q: Security considerations on node mobility in wireless sensor networks. Proceedings of the 4th International Conference on Computer Sciences and Convergence Information Technology (ICCIT '09), November 2009, Seoul, Korea 1143-1146.Google Scholar
- 26.Vanstone S: Responses to NIST's proposal. CACM 1992, 35(7):50-52.Google Scholar
- 28.Karlof C, Wagner D: Secure routing in wireless sensor networks: attacks and countermeasures. Proceedings of the 1st International Workshop on Sensor Network Protocols and Applications, May 2003, Anchorage, Alaska, USA 113-127.Google Scholar
- 29.Wang G, Zhang W, Cao G, La Porta T: On supporting distributed collaboration in sensor networks. Proceedings of IEEE Military Communications Conference (MILCOM '03), October 2003, Boston, Mass, USA 752-757.Google Scholar
This article is published under license to BioMed Central Ltd. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.