A new key establishment scheme for wireless sensor networks

With the rapid development and wide application of wireless sensor networks (WSN), more and more security problems are emerging. Especially for the sensor networks deployed in a hostile environment with various potential malicious attacks, the security issue is a top priority concern. To ensure security in a wireless sensor network, it is essential to encrypt messages and authenticate the communicating nodes. Therefore, it is a major concern how to bootstrap secure communications between sensor nodes, i.e., how to set up secret keys between communicating nodes. Since the key establishment is the initial step for secure communication, topics on key establishment, agreement and management has been studied for a long time. However, most of traditional key management schemes can not be applied to the WSN for the communication and computational limitations [1]. Currently, three main problems of WSN security are becoming hot. The first one is that how to enforce efficient security techniques for the resources-limited WSN. The second one is that how to possess the anonymity when the message are passed on multi-hop media. And the third one is that how to establish secure group communication inside the WSN [2]. Because of size, form factor and cost considerations, wireless sensor networks suffer from severe resource constraints, such as communication bandwidth and range, computation power, memory and energy. Therefore, WSN has a demand of the energy-efficiency of key establishment protocols. Traditional key establishment mainly includes public key cryptography which requires heavy computations. New techniques should be developed for the special conditions of WSN [3]. Considering that the sensor nodes are dispersed when they are deployed, nodes sometimes have to communicate others by the routing on multi-hops of ad hoc network. That means if two un-neighbored nodes are to agree on secret key with each other (We call it "path key agreement"), they have to send their secret respective message to each other over the multi-hop media. Especially if the network is deployed in a hostile environment, the process of path key agreement should not expose any sensitive information to the other parties even in an supposed secure channel. To conserve power, intermediate network nodes should aggregate results from individual sensors. Aggregation collects results from several sensors and calculates a smaller message that summarizes the important information from a group of sensors. For example, suppose the operator is interested in the average sensor reading for some value in the network. An inefficient way to find this would be for every sensor node to send its reading to the base station (possibly over multiple forwarding hops), and for the base station to calculate the average of all readings received. A more efficient way to collect the same information would be for intermediate nodes to forward the calculated average value of the readings they receive along with a count of the number of readings it incorporates. Each node then calculates the average for all of its descendents and only need send that value and the number of descendants to its parent. We call it "in-network process" [4][5]. This group operation needs secure group communications. However, group key establishment is the bottle neck for secure group communication in WSN. The roadmap of this paper is as follows: Section 2 gives a brief overview of research background related to our scheme, including LU composition for pairwise key establishment,integrating LU composition with elliptic curve D-H for path-key establishment,and tree-based extension of LU composition for group key establishment . Section 3 illustrates the related works about this key establishment for WSN. Section 4 describes our scheme to solve the problem. Lastly, Section 5 gives some concluding remarks about this paper, as well as briefly reporting the status of this piece of research work. Definition 1. If the multiplication result of a n*n lower triangular matrix L and a n*n upper triangular matrix U equals to a symmetric matrix K, namely K=LU. We say K is the "LU composition" of triangular matrices L and U. Elliptic Curve Diffie-Hellman (ECDH) [7] is a key agreement protocol that allows two parties to establish a shared secret key over an insecure channel. Suppose Alice wants to establish a shared key with Party Bob, but the only channel available for them may be eaversdropped by a third party. Both have agreed to a common and publicly known curve K over a finite field eg. F2 p as well as to a base point P €K in advance. Bob also by secret = kBQA. An eavesdropper knows only QA and QB but is not able to compute the secret from that. The details about the algorithm principle of ECDH can be referenced in [27]. A common model for WSN is that sensors (or nodes) in the network are deployed in clusters [8]. We follow this model and assume that sensors in the same partition are close to each other and more likely to be neighbours. The most popular ways to agree on keys and solve the continues key management problem is to build a binary tree structure in each node [9]. Therefore, it can achieve efficient key management. According to the secure communication requirement in WSN, two kinds of key establishment are needed. One is pairwise key establishment, the other is group key establishment. A few schemes has been proposed which consist of three phases in general [10]:(1)key setup prior to deployment, (2) shared-key discovery after deployment, and (3) path-key establishment if two sensor nodes do not share a direct key. The most popular pairwise key pre-distribution solution is Random Pairwise Key Scheme [11] which addresses unnecessary storage problem and provides some key resilience. It is based on Erdos and Renyi's [12] work. Each sensor node stores a random set of Np pair-wise keys to achieve probability p that two nodes are connected. Neighboring nodes can tell if they share a common pair-wise key after they send and receive "Key Discovering" Message within radio range. Its defect is that it sacrifices key connectivity to decrease the storage usage. Closest (location-based) pair-wise keys pre-distribution scheme [13] is an alternative to Random pairwise key scheme. It takes advantage of the location information to improve the key connectivity. Later on, Random key-chain based key pre-distribution solution is another random key pre-distribution solutions which originated from the solution of basic probabilistic key predistribution scheme [14]. It relies on probabilistic key sharing among the nodes of a random graph. There are several key reinforcement proposals to strengthen security of the established link keys, and improve resilience. Objective is to securely generate a unique link or path key by using established keys, so that the key is not com-promised when one or more sensor node is captured. One approach is to increase amount of key overlap required in shared key discovery phase. Q-composite random key pre-distribution scheme [11] requires q common keys to establish a link key. Similar mechanism is proposed by Pair-wise key establishment protocol [15] which uses threshold secret sharing for key reinforcement. The key reinforcement solutions in general increase processing and communication complexity, but provide good resilience in the sense that a compromised key-chain does not directly affect security of any links in the WSN. But, it may be possible for an adversary to re-cover initial link keys. An adversary can then recover reinforced link keys from the recorded multi-path reinforcement messages when the link keys are compromised. Actually, due to the randomness of the key selection process in Random key pre-distribution schemes, none of the above key management schemes can guarantee that a pairwise key will be found between two nodes wanting to communicate, and when the number of compromised nodes exceeds a certain threshold their security decreases drastically. To address this issue, key matrix based dynamic key generation solutions introduced. All possible link keys in a network of size N can be represented as an N N key matrix. It is possible to store small amount of information to each sensor node, so that every pair of nodes can calculate corresponding field of the matrix, and uses it as the link key. The original idea is from Blom's scheme [16]. Based on this work, [6] proposed a LU matrix key pre-distribution for WSN. It can guarantee that any pair of nodes can find a pairwise key between themselves. This is achieved by using the secret information assigned from the lower and upper triangular matrixes decomposed from a symmetric matrix of a pool of keys. Because all the established pairwise keys are distinct to each other, any sensor's compromise cannot affect the secure communication between noncompromised nodes. However, it cannot guarantee anonymity when two nodes exceed radio range want to establish the path-key. Considering in-network process such as data aggregation, we need to explore the way to build a secure group communication for WSN. Several group key management protocols have been proposed for mobile ad-hoc group communication. The protocol of [17] provides efficient mutual authentication and group key agreement for low-power mobile devices, and supports dynamic changes. However, it requires a wireless infrastructure with some powerful trusted server (base station) that performs heavy computations, which is not allowed according to the trust model in WSN. [18], [19], [20] proposed some key management and related schemes for wireless ad hoc network. Unfortunately, they all assume that after sensors are deployed, they are considered static. Thus it cannot solve the problem of key management when new members join or old members leave. To solve this problem, tree-based schemes are introduced to make key management more effective and efficient. [21] has analyzed and optimized a number of CGKA protocols (i.e., BD [22], CLIQUES [23], STR [24] ,TGDH [25] and [29,30,31,32]) from the perspective of static and dynamic mobile ad-hoc groups. The optimized way relies on the the tree-based extension of the well-known elliptic curve Diffie-Hellman key exchange protocol (ECDH). However, public key cryptography solutions are still not the first choice for WSN since its high computational overhead. Tree-based key exchange protocol with LU Matrix Composition(TKLU) has three protocols which are Pairwise key establishment protocol, Path Key establishment protocol and group key establishment protocol. (1)Sensor nodes who are neighboring can establish pairwise key after they are deployed by LU composition technique. And they are able to authenticate each other in the process of pairwise key establishment. (2)Sensor nodes who are not neighboring should establish secret keys over the multi-hop path. They can achieve to agree on keys in unsecure channel. Even if the third parties obtain the message they can not deduce the keys. It also can achieve authenticity at the same time. (3)Those neighborhood nodes can agree on group key for secure data aggregation. Step 1: Base Generation 1. The base station generates a large pool of keys(e.g. 5 20 or more). The keys are selected from a finite filed GF(q) to create a symmetric matrix(SM). Where q is the smallest prime larger than the key size. 2. The base station select one publicly known curve K over a finite field eg. F2 p as well as to a base point P€K. Base station does the decomposition of the created SM to obtain one lower triangular matrix A and one upper triangular matrix B. Every node is randomly assigned one row from matrix A and one corresponding column from matrix B. For example, node i is assigned row Aix and column Byi, node j is assigned row Ajx and column Byj . After the key pre-distribution, each node only has two vectors in its memory. Each vector has n elements. After key pre-distribution, each node can establish a pairwise key with its neighbors to make sure the secure around communication. We design a protocol for the process of pairwise key establishment: 1. Node i sends its column Byi to node j. 5.If it is verified, node i send F(Kij) to node j for the verification. Suppose node i and node j are not neighboring to each other. If they need to establish a secure communication channel, the first thing they have to do is to establish a path key between them. The steps are as follows( Figure 2): 1. Node i generates a random number ri, where 1 < ri < 2 p , compute Qi = ri P. And node i sends Byi;Qi to node j over routing. 2. Upon node j receive the path key request from node i, node j generates a random number rj , where 1 < rj < 2 p , compute Qj = rijP. At the same time, node j computes Kji by vector multiplication of Byi and Byj . As figure 3 shows, suppose there are n members who wish to form a group (key tree). The shallowest rightmost leaf node is chosen as the sponsor. First, all members are ordered according to some criteria to be M1, M2… ,Mn. Then the first two members, M1 and M2, execute a 2-party pairwise key exchange presented above. The same do the members Mi and Mi+1, where i is an even integer from [0, n]. Now we have n=2 groups. Each sponsor broadcasts then its tree with all blinded keys. The rest process is similar to be the one in the first round, if we consider a member as a group with only one member. Such process is repeated until all members are in one group. After ith round the number of groups is reduced to n=2i. The setup of the group is finished after logn2 rounds. An example with n= 6 as shown in figure 3. Assume the order of members is M1, M6. In the first round M1 and M2 perform a pairwise key establishment and forms a new group TI1 . Similarly, groups TI2 of M3 and M4, and TI3 of M5 and M6 are formed respectively. In the second round, M2, M4 broadcasts their trees with respective blinded keys. Then groups TI1 and TI2 form a new group TII1, TI3 do nothing and is renamed to TII2 . Finally the only two groups TII1 and TII2 form the group TIII consisting of all members. Then a group key tree is built up. Compromised Keys Revocation Compromised keys should be removed from the wireless sensor networks immediately. In our proposed scheme, each node knows its neighbor's ID and shares a unique pairwise communication key only with an intended 1-hop neighbor. Those nodes between several-hop distance shares path keys. Each node also shares some group keys inside its group after the nodes are deployed. Once a misbehaving node which was captured or compromised by the adversary is detected (we do not discuss malicious node detection in this paper. Reader can reference [26] or other related articles), all its 1-hop neighbor nodes immediately remove the corresponding pairwise keys shared with it. At the same time, the leader in the group including the malicious node broadcasts the group key revocation process to update group keys. Other nodes which have shared path keys with it remove those path keys instantly. Moreover, the misbehavior node ID will be sent to the sink node to broadcast the entire network about this node removal message. Each node needs to check whether it has keys shared with this node. Another security concern is resiliency to Node Capture. Once adversaries capture sensor nodes, they can obtain the secret information inside such as communication keys and other sensitive data. Actually, node capture attach is the biggest threat in wireless sensor networks. On the area of key establishment for wireless sensor networks, several key pre-distribution schemes are very popular. The main idea is that each sensor node has m keys which are randomly drawn from a key pool. If two nodes have one common key, they will create a communication link by using the key. The most popular random key pre-distribution schemes are from Eschenauer's random key pre-distribution scheme [14] and Adrian's "q-composite" scheme [11];Comparing with those schemes, we can achieve zero fraction of compromised keys in non compromised sensor nodes with the increasing numbers of sensors. The tradition solutions for key establishment has two ways. One extreme solution in terms of resource usage is to deploy single master key to all sensors. Since, an adversary may capture a node and compromise the key very easily, it has very low resilience. The other extreme is to use distinct pair-wise keys for all possible pairs in the WSN. For a network of size N, each sensor node i (1<=i <= N) should pre-stores a key-chain KCi = {Kij|i≠j and 1<=j<= N} of size N-1 out of N(N -1)=2 distinct keys. Node i stores a unique pair-wise key for each one of N-1 sensor nodes in the WSN. Actually, this solution is a very exhaustive one which creates unnecessary storage burden on a sensor node although this solution has very good key resilience. Our scheme can perform better memory storage than pure pairwise key pre-distribution schemes. Before the deployment, sensor nodes are preloaded with 2 vectors which have N figures(While, in most of other pairwise key establishment schemes, keys are preloaded into sensor nodes). After deployment, for dense sensor fields (suppose average k neighbors per node), one node needs stores k pairwise keys. In addition, Suppose naturally the deployment of sensors divides the sensors into m groups, on average, each group has n = N/m (N is the network size) sensors inside. Thus each sensor should have k pairwise keys and Log(n) group keys(here path key can be ignored as a small number). The number of keys in each sensor should be k + Log(N/m). For a very high-density networks such as dense sensor fields (about 40 neighbors per node), a high-density group which consists of 50 to 80 nodes(suppose the whole number of a general network sensors is 2000), one node only needs store around 40 + 7 = 47 keys after key establishment. We implement our scheme on MICA2. The Berkeley MICA2 mote has a 7.3MHz processor with 128 KB flash memory, 4.0 KB RAM, and a Chipcon CC1000 radio at 19.2 Kbps. Our experiments employ Tiny OS (TOS) as the sensor operating system [6,4], executing on MICA2 motes. We tested the key setup time for the two key setup protocols: pairwise key establishment, path key establishment and group key establishment. Here, we used two to twenty motes to execute our key setup schemes. Every node can communicate with every other node. This simulates the different densities of sensor networks, from each node having only one neighbor to each node having nine neighbors. Figure 4 shows the total time for our key establishment schemes. First, we see that as the network becomes denser, the time for pairwise key establishment grows longer. For example, for a two node network, the time for pairwise key setup is about 0.21 seconds, and for a ten node network, the time is about 2.77 seconds. Another finding is that the number of messages for the key setup scheme will significantly affect the completion time for that protocol as the density increases. To provide more details, Table 2 shows the total time delay of seting up pairwise keys and group keys, and average time delay of path keys. This table confirms two observations from figure 4: 1) Path keys and pairwise keys establishment are relative low cost; 2) It still cost less than the new key management schemes [28,29,30]. In this paper, we introduce a new scheme that can be used for establish various keys(pairwise keys, path keys and group keys) for wireless sensor networks. It can achieve quick authenticity without extra computations and communications. The experiment result shows the performance of TKLU is invigorating.