A Key-Management Scheme for Distributed Sensor Networks

Laurent Eschenauer, Virgil D. Gligor

Presented by Vishal S. Jadhav


Transcript of A Key-Management Scheme for Distributed Sensor Networks

Page 1: A Key-Management Scheme for Distributed Sensor Networks

Laurent Eschenauer, Virgil D. Gligor

Presented by Vishal S. Jadhav


Page 2: A Key-Management Scheme for Distributed Sensor Networks

Agenda

• Introduction
• Basic Scheme
  – Key Predistribution Phase
  – Shared Key Discovery Phase
  – Path Key Establishment Phase
  – Revocation
  – Resiliency to sensor node capture
• Analysis
• Simulation
• Conclusion

Page 3: A Key-Management Scheme for Distributed Sensor Networks

Abstract

• DSNs are ad-hoc networks with limited computational ability.
• They allow dynamic addition and removal of nodes from the network.
• They may be subjected to surreptitious use by the enemy.
• DSNs require cryptographic protection of communications, sensor-capture detection, key revocation and sensor disabling.

Page 4: A Key-Management Scheme for Distributed Sensor Networks

Cont.

• In this paper we present a key-management scheme for the operational and security requirements of DSNs.
• The scheme includes selective distribution, revocation and re-keying of keys to sensor nodes.
• It relies on probabilistic key sharing among the nodes of a random graph.

Page 5: A Key-Management Scheme for Distributed Sensor Networks

Introduction

Distributed Sensor Networks and Wireless Embedded Networks: Similarities

• Both have limited computational capability and rely on wireless communication through radio signals or optical links.
• Both include data collection nodes and control nodes.
• Nodes are highly mobile.

Page 6: A Key-Management Scheme for Distributed Sensor Networks

Differences:

• The scale of DSNs is orders of magnitude larger than that of embedded wireless networks.
• DSNs allow nodes to be added and deleted dynamically, without actual physical contact.
• They can be deployed in hostile areas.

How can we secure communication in DSNs?

Page 7: A Key-Management Scheme for Distributed Sensor Networks

Traditional Ways to Secure Communications

• Symmetric-key ciphers, low-energy authenticated encryption modes and hash functions are the tools of choice for protecting DSN communications.

Problems:

• Traditional approaches are impractical for DSNs because their network topology is unknown and communication range is limited.
• Key predistribution is a feasible way.

Page 8: A Key-Management Scheme for Distributed Sensor Networks

Problems with Traditional Key Distribution

– Single mission key: compromising it compromises the whole system.
– A set of n-1 separate keys, each shared pair-wise and privately with another node, must be installed in every sensor, which renders it impractical for DSNs.
– Pair-wise private key sharing between any two sensor nodes is unusable.
– Incremental addition and deletion, as well as re-keying, of sensor nodes could become both expensive and complex.
– Dedicated RAM for storing n - 1 keys would push the on-chip sensor-memory limits for the foreseeable future.

Page 9: A Key-Management Scheme for Distributed Sensor Networks

Overview of Basic Scheme:

• Key Distribution
  – Generation of keys and key identifiers
  – Random drawing of keys to establish the key ring of each sensor
  – Loading the key ring into the memory of each sensor
  – Saving the key identifiers and the associated sensor identifier on a trusted controller node
  – Loading the controller node with the key shared with that node
• Revocation
• Re-Keying
• Resiliency to Sensor-Node Capture

Page 10: A Key-Management Scheme for Distributed Sensor Networks

Key Distribution Phase

• Shared-key discovery phase: it takes place during initialization; each node discovers its neighbors and which of them it shares a key with. This can be done by broadcasting the list of identifiers of the keys on the key ring.
• To avoid broadcasting the identifiers, we can also use private shared-key discovery.
  – For example, for every key on a key ring, each node could broadcast a list $\alpha, E_{K_i}(\alpha),\ i = 1, \dots, k$, where $\alpha$ is a challenge. The decryption of $E_{K_i}(\alpha)$ with the proper key by a recipient would reveal the challenge $\alpha$ and establish a shared key with the broadcasting node.
• This would force an attacker to perform traffic analysis to discover the pattern of key sharing.
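Both discovery variants from this slide, as an added example that is not code from the paper or the presentation. Assumptions: HMAC-SHA256 stands in for the cipher E (the receiver recomputes the keyed value instead of decrypting), and all function names, the pool size and the ring size are hypothetical.

```python
import hashlib, hmac, random, secrets

def predistribute(pool_size, ring_size, nodes, seed=1):
    """Offline phase: build a key pool and draw one key ring per node."""
    rng = random.Random(seed)  # seeded for a repeatable demo; use a CSPRNG in practice
    pool = {kid: rng.getrandbits(128).to_bytes(16, "big") for kid in range(pool_size)}
    return [{kid: pool[kid] for kid in rng.sample(range(pool_size), ring_size)}
            for _ in range(nodes)]

def discover_by_id(ring_a, ring_b):
    """Plain discovery: both sides broadcast their key identifiers in the clear."""
    return sorted(ring_a.keys() & ring_b.keys())

def keyed_value(key, alpha):
    # Assumption: HMAC-SHA256 plays the role of E_Ki(alpha)
    return hmac.new(key, alpha, hashlib.sha256).digest()

def broadcast_challenge(ring, alpha=None):
    """Private discovery, sender: alpha plus one keyed value per key, no identifiers."""
    alpha = alpha if alpha is not None else secrets.token_bytes(16)
    values = [keyed_value(key, alpha) for key in ring.values()]
    secrets.SystemRandom().shuffle(values)  # order must not reveal ring positions
    return alpha, values

def match_challenge(ring, alpha, values):
    """Private discovery, receiver: which of my keys reproduce a broadcast value?"""
    return sorted(kid for kid, key in ring.items()
                  if any(hmac.compare_digest(keyed_value(key, alpha), v) for v in values))

def secure_links(rings):
    """Key graph: a link exists only between nodes that share at least one key."""
    links = {}
    for a in range(len(rings)):
        alpha, values = broadcast_challenge(rings[a])
        for b in range(a + 1, len(rings)):
            shared = match_challenge(rings[b], alpha, values)
            if shared:
                links[(a, b)] = shared[0]  # identifier of the key used on this link
    return links

if __name__ == "__main__":
    rings = predistribute(pool_size=1000, ring_size=30, nodes=8)  # constructed sample
    links = secure_links(rings)
    print(f"{len(links)} of {8 * 7 // 2} node pairs share a key")
```

An observer of the private variant sees only the challenge and the keyed values, so key identifiers never appear on the air.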

Page 11: A Key-Management Scheme for Distributed Sensor Networks

Pair-wise key sharing

Page 12: A Key-Management Scheme for Distributed Sensor Networks

Shared Key Discovery Phase

• The shared-key discovery phase establishes the topology of the sensor array as seen by the routing layer of the DSN.
• A link exists between two sensor nodes only if they share a key; and if a link exists between two nodes, all communication on that link is secured by link encryption.
• It may be possible that a set of nodes share the same key. It does not matter, as in normal operation the nodes trust each other, and during revocation the removal of a node's keys ensures that those keys are removed network-wide.

Page 13: A Key-Management Scheme for Distributed Sensor Networks

Path-key establishment phase

In this phase a path key is assigned to pairs of sensor nodes that have no direct link between them but are connected by a path of two or more links.

The DSN is designed so that a number of keys on each key ring are left unassigned to any link.

Leaving some keys unassigned helps later during revocation or incremental addition of nodes, as these may require the shared-key discovery and path-key establishment phases to be run again.

Page 14: A Key-Management Scheme for Distributed Sensor Networks

Revocation

• Revocation needs to be done when a sensor node is compromised.
• A controller node broadcasts a single revocation message containing a signed list of the k key identifiers for the key ring to be revoked.
• To sign the list of key identifiers, the controller generates a signature key Ke and unicasts it to each node, encrypted with a key Kci.
• After obtaining the signature key, each node verifies the signature of the signed list of key identifiers, locates those identifiers in its key ring, and removes the corresponding keys (if present). After this, reconfiguration of nodes may be required.
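The node-side handling of a revocation message, as an added example that is not code from the paper or the presentation. Assumptions: HMAC-SHA256 under Ke stands in for the signature, Ke has already reached the node over the unicast encrypted under Kci, and the message layout (16-bit count followed by 32-bit key identifiers) and all names are hypothetical.

```python
import hashlib, hmac, struct

def build_revocation(ke, key_ids):
    """Controller side: encode the revoked key identifiers and authenticate them."""
    ids = sorted(set(key_ids))
    body = struct.pack(f">H{len(ids)}I", len(ids), *ids)
    return body, hmac.new(ke, body, hashlib.sha256).digest()

def apply_revocation(ring, links, ke, body, tag):
    """Node side: verify first, then drop revoked keys and the links they secured.

    ring maps key identifier -> key; links maps neighbor -> key identifier in use.
    Returns (removed_ids, dropped_neighbors), or None if the message is rejected.
    """
    expected = hmac.new(ke, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                      # forged or corrupted: change nothing
    if len(body) < 2:
        return None
    (count,) = struct.unpack_from(">H", body)
    if len(body) != 2 + 4 * count:
        return None                      # length does not match the declared count
    revoked = set(struct.unpack_from(f">{count}I", body, 2))
    removed = sorted(revoked & ring.keys())
    for kid in removed:
        del ring[kid]
    # Links that used a revoked key are gone and need a fresh shared-key discovery
    dropped = sorted(n for n, kid in links.items() if kid in revoked)
    for n in dropped:
        del links[n]
    return removed, dropped

if __name__ == "__main__":
    ke = b"\x11" * 32                                # constructed signature key
    ring = {4: b"k4", 17: b"k17", 42: b"k42"}        # constructed key ring
    links = {"node-b": 17, "node-c": 42}             # constructed link table
    body, tag = build_revocation(ke, [17, 99, 250])
    print(apply_revocation(ring, links, ke, body, tag))
```

The dropped neighbors are the ones for which the reconfiguration mentioned on the slide is needed.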

Page 15: A Key-Management Scheme for Distributed Sensor Networks

Re-Keying

Although it is anticipated that in most DSNs the lifetime of a key shared between two nodes exceeds that of the two nodes, it is possible that in some cases the lifetime of keys expires and re-keying must take place.

Re-keying is equivalent to a self-revocation of a key by a node.

After expired-key removal, the affected nodes restart the shared-key discovery and, possibly, the path-key establishment phase.

Page 16: A Key-Management Scheme for Distributed Sensor Networks

Resiliency to Sensor-Node Capture

It can be done in the following ways:

• Active manipulation of sensor inputs
  – Data correlation analysis and data-anomaly detection
• Complete physical control by the adversary
  – "Sleep-deprivation attack"
  – Tamper-detection technologies
• Key distribution is much more robust.
  – k << n keys of a single ring are obtained
  – Attacker has n/p chance to attack successfully

Page 17: A Key-Management Scheme for Distributed Sensor Networks

Analysis

Notation

• p : probability that a shared key exists between two nodes
• n : number of network nodes
• d : d = p(n-1), the expected degree of a node (average number of edges connecting that node with its graph neighbors)

To establish DSN shared-key connectivity:

• What value should d have so that a DSN of n nodes is connected?
• Given d and the number of nodes n' in a neighborhood, what values should the key ring size, k, and the pool size, P, have?

Page 18: A Key-Management Scheme for Distributed Sensor Networks

Random Graph Theory

For a random graph G(n,p):

• n nodes; probability p that a link i~j exists
• degree of a node: d = p*(n-1)

Erdős–Rényi (1960): if

with c any real constant then

Pr[connected] = .99999 when c is chosen to be 11.5

Given n, we can find d so as to have a connected graph with the desired Pr.

Page 19: A Key-Management Scheme for Distributed Sensor Networks

Analysis

[Figure: expected degree of a node, d, versus number of nodes, n (1000 to 10000), with one curve each for Pr = 99%, 99.9%, 99.99%, 99.999% and 99.9999%]

Page 20: A Key-Management Scheme for Distributed Sensor Networks

Analysis

This figure shows that, to increase the probability that a random graph is connected by one order, the expected degree of a node increases only by 2.

Moreover, the curves of this plot are almost flat when n is large, indicating that the size of the network has insignificant impact on the expected degree of a node required to have a connected graph.

Page 21: A Key-Management Scheme for Distributed Sensor Networks

Analysis

Given d and the number of nodes n' in a neighborhood, what values should the key ring size, k, and the pool size, P, have?

p' : probability of sharing a key between any two nodes in a neighborhood

Using Stirling Approximation:

Page 22: A Key-Management Scheme for Distributed Sensor Networks

Scenario

• 10,000 nodes; physical topology is connected
• Neighborhood connectivity, n', of 40 nodes
• Pr[Graph is connected] chosen to be 99.999%

Analysis

• c = 11.5, p = (ln(10,000) + 11.5)/10,000 = 2×10⁻³
• Average degree d = p*(n-1) = 20
• Because of the neighborhood constraint, p' = d/(n'-1) = 0.5
• If pool of P = 100,000 keys, each node needs to have k = 250 keys.
• Assuming 128-bit keys + 16-bit index: 4Kb memory
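The sizing steps of this scenario carried through in code, as an added example that is not from the paper or the presentation. It uses the standard Erdős–Rényi limit Pr[connected] → exp(-exp(-c)) for p = (ln n + c)/n, and the exact count 1 - C(P-k, k)/C(P, k) for the key-sharing probability in place of the Stirling approximation; the function names are hypothetical.

```python
import math

def required_degree(n, pr_connected):
    """Return (c, p, d) so that G(n, p) is connected with the wanted probability.

    Erdos-Renyi limit: with p = (ln n + c) / n, Pr[connected] -> exp(-exp(-c)).
    """
    c = -math.log(-math.log(pr_connected))
    p = (math.log(n) + c) / n
    return c, p, p * (n - 1)

def share_probability(pool, ring):
    """Exact Pr[two rings of `ring` keys drawn from `pool` share at least one key]."""
    if 2 * ring > pool:
        return 1.0  # pigeonhole: the two rings must overlap
    # Pr[no shared key] = C(pool-ring, ring) / C(pool, ring), summed in log space
    log_none = sum(math.log1p(-ring / (pool - i)) for i in range(ring))
    return -math.expm1(log_none)

def min_ring_size(pool, p_target):
    """Smallest k with share_probability(pool, k) >= p_target (monotone in k)."""
    lo, hi = 1, pool
    while lo < hi:
        mid = (lo + hi) // 2
        if share_probability(pool, mid) >= p_target:
            hi = mid
        else:
            lo = mid + 1
    return lo

def ring_bytes(ring, key_bits=128, index_bits=16):
    """Memory needed to store one key ring, in bytes."""
    return ring * (key_bits + index_bits) // 8

if __name__ == "__main__":
    n, n_nbr, pool = 10_000, 40, 100_000      # the slide's scenario
    c, p, d = required_degree(n, 0.99999)
    p_nbr = d / (n_nbr - 1)                   # p' = d / (n' - 1)
    print(f"c={c:.2f} p={p:.2e} d={d:.1f} p'={p_nbr:.2f}")
    print(f"k=250 gives p'={share_probability(pool, 250):.3f}")
    print(f"smallest k for p'=0.5: {min_ring_size(pool, 0.5)}")
    print(f"ring of 250 keys: {ring_bytes(250)} bytes")
```

With these inputs the exact count gives p' of about 0.47 at k = 250 and first reaches 0.5 at k = 263, so treat k = 250 as an approximate figure when sizing a real key ring.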

Page 23: A Key-Management Scheme for Distributed Sensor Networks

Figure 2: Probability of sharing at least one key when two nodes choose k keys from a pool of size P

Page 24: A Key-Management Scheme for Distributed Sensor Networks

Simulation

Average path length at the network layer

Page 25: A Key-Management Scheme for Distributed Sensor Networks

Path length to neighbors

Page 26: A Key-Management Scheme for Distributed Sensor Networks

Usage of the keypool (P=10000)

Page 27: A Key-Management Scheme for Distributed Sensor Networks

Conclusion

• Relatively simple; depends on probabilistic key sharing.
• Scalable
  – Accommodates DSNs from 10 to 100,000 nodes and more
  – Permits incremental addition of sensor nodes
• Flexibility
  – Saves sensor cost and memory
  – Can be used in hostile and adaptive environments
• Secure
  – Compromise of a key affects few links [k/p]
  – Revocation and re-keying are easily possible.
