Kemal Akkaya, Wireless & Network Security. Department of Computer Science, Southern Illinois University Carbondale. CS 591 – Wireless & Network Security Lecture.


CS 591 – Wireless & Network Security
Lecture 14: Key Management in WSNs
Dr. Kemal Akkaya
Department of Computer Science, Southern Illinois University Carbondale

Key management: Constraints in WSNs
- Sensor node constraints:
  - Battery power
    - Computational energy consumption
    - Communication energy consumption
  - Transmission range
  - Memory
  - Tamper protection
  - Sleep pattern
- Network constraints:
  - Ad-hoc network nature
  - Packet size
- Nodes can easily be captured and compromised.
- Key management includes the processes of key setup, the initial distribution of keys, and key revocation (removal of the compromised key).
- Many security-critical applications that depend on key management processes demand a high level of fault tolerance when a node is compromised.

Key management approaches classification

Approaches
- Trusted-server schemes
  - Finding trusted servers is difficult.
- Public-key schemes
  - Expensive and infeasible for sensors.
- Key pre-distribution schemes
  - Simplest solution is a network-wide shared key.
    - Problem: if even a single node were compromised, the secret key would be revealed, and decryption of all network traffic would be possible.
  - Slightly better solution:
    - Pairwise keys: impractical because of storage.
    - Use a single shared key to establish a set of link keys, one per pair of communicating nodes, then erase the network-wide key.
    - Problem: does not allow addition of new nodes after initial deployment.
  - Others:
    - Random key pre-distribution
    - Quorum-based

Basic probabilistic approach
- Due to Eschenauer and Gligor
- Relies on probabilistic key sharing among the nodes of the WSN
- Uses a simple shared-key discovery protocol for key distribution, revocation and node re-keying
- Three phases are involved:
  - key pre-distribution,
  - shared-key discovery,
  - path-key establishment
- Key pre-distribution
  - Generate a large key pool P ( keys) and corresponding key identifiers
  - Create n key rings by randomly selecting k keys from P
  - Load the key rings into the nodes' memory
  - Save the key identifiers of each key ring and the associated node identifier on a controller
  - For each node, load a key which it shares with a base station
- Shared-key discovery
  - Takes place during the initialization phase after WSN deployment. Each node discovers the neighbors in communication range with which it shares at least one key.
  - Nodes can exchange the ids of the keys that they possess and in this way discover a common key.

Path-key establishment
- During the path-key establishment phase, path keys are assigned to selected pairs of sensor nodes that are within communication range of each other but do not share a key.
- A node may broadcast a message with its id, the id of the intended node, and a key that it possesses but does not currently use, to all nodes with which it currently has an established link. Those nodes rebroadcast the message to their neighbors.
- Once this message reaches the intended node (possibly through a long path), this node contacts the initiator of path-key establishment.
- Analysis shows that after the shared-key discovery phase a number of keys on a key ring are left unused.

Node Capture & Connectivity
- Node capture
  - More robust than approaches that use a single mission key
  - If a node is captured, k << n keys are obtained
  - This means that the attacker has a probability of k/P of successfully attacking any other WSN link
- Connectivity
  - Two nodes are connected if they share a key
  - Full connectivity of the WSN is not required because of the limited communication capabilities of the sensor nodes
  - Two important questions:
    - What should the expected degree of a node be so that the WSN is connected?
    - Given the expected degree of a node, what values should the key ring size, k, and the pool, P, have for a network of size n so that the WSN is connected?

q-composite approach
- Enhancement of the basic probabilistic approach
- Idea: nodes should share q keys instead of only one
- Approach:
  - Key pool P is an ordered set
  - During the initialization phase nodes broadcast the ids of the keys that they have
  - After discovery each node identifies the neighbors with which it shares at least q keys
  - The communication key is computed as a hash of all shared keys
  - Keys appear in the hash in the same order as in the key pool
- Benefits
  - The q-composite approach has greater resiliency to node capture than the basic approach if a small number of nodes are captured
  - Simulations show that for q=2, the amount of additional communications compromised when 50 nodes (out of 10000) have been compromised is 4.74%, as opposed to 9.52% in the basic scheme
  - However, if a large number of nodes have been compromised, the q-composite scheme exposes a larger portion of the network than the basic approach
  - The larger q is, the harder it is to obtain initial information
  - Parameter q can be customized to achieve the required balance for a particular network
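Added example (not part of the lecture slides): a small model of the basic scheme's key pre-distribution and shared-key discovery, the closed-form probability that two key rings share at least one key (the quantity behind the connectivity questions above), and the q-composite link key computed as a hash of the shared keys in pool order. The pool and ring sizes, the 16-byte keys, the function names and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
import random
import secrets
from math import comb


def make_pool(pool_size):
    """Key pool P: key id -> 16-byte key. Ids 0..P-1 give the pool its order."""
    return {kid: secrets.token_bytes(16) for kid in range(pool_size)}


def make_ring(pool, k, rng):
    """Key ring: k distinct keys picked at random from the pool."""
    return {kid: pool[kid] for kid in rng.sample(sorted(pool), k)}


def shared_ids(ring_a, ring_b):
    """Shared-key discovery: the nodes compare key ids, never key material."""
    return sorted(set(ring_a) & set(ring_b))


def p_share_at_least_one(pool_size, k):
    """P[two rings of size k share >= 1 key] = 1 - C(P-k, k) / C(P, k)."""
    return 1 - comb(pool_size - k, k) / comb(pool_size, k)


def link_key(ring_a, ring_b, q=1):
    """q-composite link key, or None when fewer than q keys are shared."""
    common = shared_ids(ring_a, ring_b)
    if len(common) < q:
        return None
    h = hashlib.sha256()          # SHA-256 is an assumption of this example
    for kid in common:            # ascending id == pool order
        h.update(ring_a[kid])
    return h.digest()


def estimate_share_probability(pool_size, k, trials, seed):
    """Monte Carlo check of the closed form (seeded so it is repeatable)."""
    rng = random.Random(seed)
    ids = range(pool_size)
    hits = 0
    for _ in range(trials):
        hits += bool(set(rng.sample(ids, k)) & set(rng.sample(ids, k)))
    return hits / trials


if __name__ == "__main__":
    pool = make_pool(1000)                 # constructed parameters
    rng = random.SystemRandom()            # OS randomness for ring selection
    a, b = make_ring(pool, 40, rng), make_ring(pool, 40, rng)
    print("shared ids:", shared_ids(a, b))
    print("q=2 link key:", link_key(a, b, q=2))
    print("P[share >= 1]:", round(p_share_at_least_one(1000, 40), 3))
```

Raising q lowers the chance that two neighbors can form a link at all, so k or P has to be adjusted to keep the same connectivity.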

Zhu / Xu approach
- Another modification of the basic probabilistic approach
- Major enhancement:
  - A pseudorandom number generator is used to improve the security of the key discovery algorithm
  - Also uses secret sharing, which jointly with logical paths allows nodes to establish a pairwise key that is exclusively known to the two nodes (in contrast to the basic probabilistic approach, where other nodes might also know some particular key)

Zhu / Xu approach: key pre-distribution
- Background: a pseudo-random number generator, or PRNG, is a random number generator that produces a sequence of values based on a seed and a current state. Given the same seed, a PRNG will always output the same sequence of values.
- A key pool P of size l is generated
- For each node u, a pseudorandom number generator is used to generate a set of m distinct integers between 1 and l (key ids). The node's unique id u is used as the seed for the generator
- Each node is loaded with a key ring of size m
- Keys for the key rings are selected from key pool P according to the integers (key ids) generated for a particular node by the pseudorandom number generator
- This allows any node u that knows another node v's id to determine the set of ids of the keys that v possesses
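Added example (not part of the lecture slides): deriving a node's m key ids from its node id, so that node u can work out locally which key ids it has in common with node v. SHA-256 over "node id : counter" stands in for the PRNG here, which is an assumption; the slide does not name a generator, and the function names are hypothetical.

```python
import hashlib


def key_ids(node_id, m, l):
    """Return m distinct key ids in 1..l, fully determined by node_id."""
    if not 0 < m <= l:
        raise ValueError("need 0 < m <= l")
    nbytes = (l.bit_length() + 7) // 8
    # Reject values above the largest multiple of l to avoid modulo bias.
    limit = (256 ** nbytes // l) * l
    ids, seen, counter = [], set(), 0
    while len(ids) < m:
        digest = hashlib.sha256(f"{node_id}:{counter}".encode()).digest()
        counter += 1
        value = int.from_bytes(digest[:nbytes], "big")
        if value >= limit:
            continue
        kid = value % l + 1
        if kid not in seen:           # the m ids must be distinct
            seen.add(kid)
            ids.append(kid)
    return ids


def build_ring(pool, node_id, m):
    """Setup side: load the keys whose ids the generator yields for node_id.

    pool maps key id (1..l) -> key bytes.
    """
    return {kid: pool[kid] for kid in key_ids(node_id, m, len(pool))}


def common_key_ids(u, v, m, l):
    """Node u (or v) computes the shared ids from the two node ids alone."""
    return sorted(set(key_ids(u, m, l)) & set(key_ids(v, m, l)))


if __name__ == "__main__":
    # Constructed parameters: pool of 200 keys, rings of 30 keys.
    print(common_key_ids(u=17, v=42, m=30, l=200))
```

Because anyone who knows a node id can run `key_ids`, the key ids held by each node are not secret under this scheme; only the key material is.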

Further enhancements
- So far all the discussed approaches have used one of the following algorithms for shared-key discovery:
  - Key id notification
  - Challenge response
  - Pseudorandom key id generation
- Those algorithms work well against a so-called "oblivious" attacker, one that randomly selects the next sensor to compromise
- What if the attacker selects nodes that will allow him to compromise the network faster, based on already obtained information (key ids)?
- This is the case of the so-called "smart" attacker

Smart attacker
- More precisely, a smart attacker can be defined as follows:
  - at each step of the attack sequence, the next sensor to tamper with is sensor s, where s maximizes E[G(s) | I(s)], the expectation of the key information gain G(s) given the information I(s) the attacker knows about sensor s's key ring
- Simulations show that key id notification and pseudorandom key id generation can be easily beaten by the smart attacker
- Challenge response performs better

Simulation results
- Experimental results on id notification and pseudorandom key id generation: number of sensors to corrupt in order to compromise an arbitrary channel.

Simulation results
- Experimental results on challenge response: number of sensors to corrupt in order to compromise an arbitrary channel.

Background: polynomial based key pre-distribution
- The polynomial based key pre-distribution scheme reduces the amount of pre-distributed information while still allowing each pair of nodes to compute a shared key
- Polynomial based key pre-distribution is λ-collusion resistant, meaning that as long as λ or fewer nodes are compromised the rest of the network is secure
- Utilizes polynomial shares

Polynomial based key pre-distribution: initialization
- Special case: λ = 1
- Each node has an id r_u which is unique and is a member of the finite field Z_p
- Three elements a, b, c are chosen from Z_p
- The polynomial f(x, y) = (a + b(x + y) + cxy) mod p is generated
- For each node, a polynomial share g_u(x) = (a_n + b_n x) mod p, where a_n = (a + b r_u) mod p and b_n = (b + c r_u) mod p, is formed and pre-distributed

Polynomial based key pre-distribution: key discovery
- In order for node U to be able to communicate with node V, the following computations have to be performed:
  - K_{u,v} = K_{v,u} = f(r_u, r_v) = (a + b(r_u + r_v) + c r_u r_v) mod p
  - U computes K_{u,v} = g_u(r_v)
  - V computes K_{v,u} = g_v(r_u)

Polynomial based key pre-distribution: example
- Example:
  - 3 nodes: U, V, W, with the ids 12, 7, 1 respectively
  - p = 17 (chosen parameter)
  - a = 8, b = 7, c = 2 (chosen parameters)
  - Polynomial f(x, y) = (8 + 7(x + y) + 2xy) mod 17
  - The g polynomials are g_u(x) = 7 + 14x, g_v(x) = 6 + 4x, g_w(x) = 15 + 9x
  - Keys are K_{u,v} = 3, K_{u,w} = 4, K_{v,w} = 10
  - U computes K_{u,v} = g_u(r_v) = (7 + 14*7) mod 17 = 3
  - V computes K_{v,u} = g_v(r_u) = (6 + 4*12) mod 17 = 3
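Added example (not part of the lecture slides): the polynomial scheme written for a general degree λ, using a symmetric coefficient matrix so that f(x, y) = f(y, x), and then run on the slide's λ = 1 parameters (p = 17, a = 8, b = 7, c = 2, ids 12, 7, 1). The function names and the matrix representation are assumptions of this example.

```python
import secrets


def random_symmetric_poly(lam, p):
    """Coefficients A[i][j] of x^i y^j with A[i][j] == A[j][i] (mod p)."""
    A = [[0] * (lam + 1) for _ in range(lam + 1)]
    for i in range(lam + 1):
        for j in range(i, lam + 1):
            A[i][j] = A[j][i] = secrets.randbelow(p)
    return A


def share(A, node_id, p):
    """Polynomial share g_u(y) = f(r_u, y), as coefficients [c0, c1, ...].

    The coefficient of y^j is sum_i A[i][j] * r_u^i mod p.
    """
    n = len(A)
    return [sum(A[i][j] * pow(node_id, i, p) for i in range(n)) % p
            for j in range(n)]


def pairwise_key(own_share, peer_id, p):
    """Evaluate the node's own share at the peer's id (Horner's rule)."""
    acc = 0
    for coeff in reversed(own_share):
        acc = (acc * peer_id + coeff) % p
    return acc


# Parameters taken from the example slide: f(x,y) = 8 + 7(x+y) + 2xy mod 17.
SLIDE_POLY = [[8, 7], [7, 2]]
SLIDE_P = 17
SLIDE_IDS = {"U": 12, "V": 7, "W": 1}


def slide_example():
    """Return the three shares and the three pairwise keys of the example."""
    shares = {n: share(SLIDE_POLY, rid, SLIDE_P) for n, rid in SLIDE_IDS.items()}
    keys = {}
    for a in SLIDE_IDS:
        for b in SLIDE_IDS:
            if a < b:
                keys[(a, b)] = pairwise_key(shares[a], SLIDE_IDS[b], SLIDE_P)
    return shares, keys


if __name__ == "__main__":
    shares, keys = slide_example()
    print(shares)   # shares as [constant term, coefficient of x]
    print(keys)
```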

Liu-Ning approach
- Combination of polynomial-based key pre-distribution and the key pool idea discussed above
- Increases network resilience to node capture
- Can tolerate no more than λ compromised nodes, where λ is constrained by the size of a node's memory
- Idea: use a pool of randomly generated polynomials
  - When the pool contains only one polynomial, the approach degenerates to the basic polynomial based key pre-distribution scheme
  - When all polynomials are of degree 0, the approach degenerates to the key pool approach
- Three phases are involved:
  - setup,
  - direct key establishment,
  - path key establishment

Phases
- Setup phase
  - A set F of bivariate λ-degree polynomials over the finite field F_q is generated
  - Each polynomial is assigned a unique id
  - For each sensor node, a subset of s' polynomials is randomly chosen from F
  - For each polynomial in the chosen subset, a polynomial share is loaded into the node's memory
- Direct key establishment phase
  - During this phase all possible direct links are established
  - A node can establish a direct link with another node if they both hold a polynomial share of a particular polynomial
  - How to find a common polynomial? Use the approaches discussed above
- Path key establishment phase
  - If direct connection establishment fails, nodes have to start the path key establishment phase
  - Nodes need to find a path such that each pair of adjacent intermediate nodes shares a common key
  - A node may broadcast a message with the ids of the polynomials that it possesses to all nodes with which it currently has an established link
  - Once this message reaches the intended node (possibly through a long path), this node computes a key and contacts the initiator of path key establishment
  - Drawback: may introduce considerable communication overhead

Grid-based key pre-distribution
- Instance of the general framework discussed above
- Benefits:
  - Guarantees that any two nodes can establish a pairwise key, if no nodes were compromised
  - Allows a sensor to directly determine whether it can establish a pairwise key with another node and, if so, which polynomial to use

Location Aware Purely Random Key Predistribution (P-RKP)
- Du et al. (IEEE Infocom 2004)
- Improves Random Key Predistribution (Eschenauer and Gligor) by exploiting location information.
- Studies a Gaussian distribution for the deployment of sensor nodes to improve security and memory usage.
- Groups select from key group S_(i,j)
- The probability that a node is in a certain group is (1 / tn).

Location Aware Purely Random Key Predistribution (P-RKP)
- Key sharing graphs are used to enable connectivity
  - Use flooding to find a secure path (limit to 3 hops)
- Setting up the key pools
  - Two horizontally or vertically neighboring key pools share a|S_c| keys, where 0 <= a <= 0.25
  - Two diagonally neighboring key pools share b|S_c| keys, where 0 <= b <= 0.25
  - Two non-neighboring key pools share no keys.
  - Overlapping factors: a, b