Published by Shanon Elliott. Modified over 8 years ago.
1
Key management for wireless sensor networks
Source: ACM Transactions on Sensor Networks, 2(4), pp. 500-528, 2006.
Source: Computer Communications, 30(9), pp. 1964-1979, 2007.
Reporter: Chun-Ta Li (李俊達)
2
Outline
LEAP+: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks [ACM Transactions on Sensor Networks]
Introduction
Zhu et al.’s scheme
Key Management for Long-Lived Sensor Networks in Hostile Environments [Computer Communications]
Chorzempa et al.’s scheme
Comparisons
Comments
3
Introduction
Security of wireless sensor networks
[Figure: Base Station (BS), Aggregation and Forwarding Nodes (AFN) and Micro Sensor Nodes (MSN), with MSNs grouped into clusters]
// symmetric shared keys
// multiple keying mechanism
4
Introduction (cont.)
Dynamic keying in a hierarchical WSN
[Zhu et al.’s scheme]
  Establishing individual node keys
  Establishing pairwise shared keys
    The basic scheme
    The extended scheme
  Establishing cluster keys
  Establishing global key
[Chorzempa et al.’s scheme]
  Clustering and key setup
  Node addition
  Key renewal
  Recovery from multiple MSN node captures
  Re-clustering after AFN capture
5
Zhu et al.’s scheme
[Figure: Base Station (BS) and Micro Sensor Nodes (MSN)]
// sensors are not mobile
// neighboring nodes of any sensor are not known in advance
// BS will not be compromised
6
Zhu et al.’s scheme (cont.)
Four types of required keys
Individual Key: MSN <-> BS (MSN can compute a MAC for ensuring validity of its sensed readings to BS)
Global Key: all MSNs (BS may broadcast queries or commands to the entire network)
Cluster Key: MSN <-> neighbors (securing locally broadcast messages)
Pairwise Shared Key: MSN_a <-> MSN_b
7
Zhu et al.’s scheme (cont.)
Notations
N is the number of nodes in the network.
u, v are principals such as communicating nodes.
{f_k} is a family of pseudo-random functions.
{s}_k means encryption of message s with key k.
MAC(k, s) is the message authentication code of message s using a symmetric key k.
{T_min, T_est} are two types of time interval, where T_min > T_est.
K_IN is an initial key.
K_u is a master key belonging to node u such that K_u = f_{K_IN}(u).
8
Zhu et al.’s scheme (cont.)
Establishing Individual Node Keys (IK_u)
BS -> u: IK_u = f_{K_m}(u)
// f is a pseudo-random function
// K_m is a master key known only to BS
// Each node has a unique id u
9
Zhu et al.’s scheme (cont.)
Establishing Pairwise Shared Keys (Basic)
Key predistribution
  BS -> u: K_u = f_{K_IN}(u)
  // K_IN is an initial key known to each node
  // Each node u derives a master key K_u
Neighbor discovery
  1. u -> neighbors: HELLO(u)
  2. v -> u: v, MAC(K_v, u|v)
  // K_uv = f_{K_v}(u) = f_{K_u}(v) = K_vu
Key erasure (when its timer expires after T_min)
  Node u erases K_IN and all master keys (K_v) of its neighbors (no erasure of K_u)
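The basic scheme above as a runnable sketch. This is an added example, not code from the slides or from the LEAP+ authors. It assumes HMAC-SHA256 stands in for both the pseudo-random function f and the MAC, and the node ids and K_IN value are constructed; the names Node, ack, handle_ack and erase are hypothetical.

```python
import hashlib
import hmac

def f(key: bytes, data: bytes) -> bytes:
    """Stand-in for both f_k(.) and MAC(k, .): HMAC-SHA256 (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()

class Node:
    def __init__(self, node_id: bytes, k_in: bytes):
        self.id = node_id                 # fixed-length id, so u|v is unambiguous
        self.k_in = k_in                  # preloaded initial key K_IN
        self.k_u = f(k_in, node_id)       # master key K_u = f_{K_IN}(u)
        self.pairwise = {}                # neighbor id -> pairwise key

    def hello(self) -> bytes:             # 1. u -> neighbors: HELLO(u)
        return self.id

    def ack(self, u_id: bytes):           # 2. v -> u: v, MAC(K_v, u|v)
        self.pairwise[u_id] = f(self.k_u, u_id)        # v: K_uv = f_{K_v}(u)
        return self.id, f(self.k_u, u_id + b"|" + self.id)

    def handle_ack(self, v_id: bytes, tag: bytes) -> bool:
        if self.k_in is None:
            raise RuntimeError("K_IN erased, K_v can no longer be derived")
        k_v = f(self.k_in, v_id)          # u recomputes the neighbor's K_v
        if not hmac.compare_digest(tag, f(k_v, self.id + b"|" + v_id)):
            return False                  # sender does not know K_v
        self.pairwise[v_id] = f(k_v, self.id)          # u: K_uv = f_{K_v}(u)
        return True                       # k_v is a local, dropped on return

    def erase(self) -> None:              # timer expired after T_min
        self.k_in = None                  # K_u and the pairwise keys are kept

def demo():
    k_in = bytes(range(32))               # constructed K_IN
    u, v = Node(b"u001", k_in), Node(b"v002", k_in)
    accepted = u.handle_ack(*v.ack(u.hello()))
    forged = u.handle_ack(b"x003", bytes(32))          # outsider without K_IN
    u.erase()
    v.erase()
    return accepted, forged, u.pairwise[b"v002"] == v.pairwise[b"u001"], u.k_in

if __name__ == "__main__":
    print(demo())
```

After erase(), a captured node yields only its own K_u and its established pairwise keys, which is why the window before T_min is the exposure that matters.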
10
Zhu et al.’s scheme (cont.)
Establishing Pairwise Shared Keys (Extended)
Key predistribution
  BS -> u: K^j_u = f_{K^j_IN}(u), i < j < M; K^i_IN
Neighbor discovery
  1. u -> neighbors: HELLO(u, i)
  2. v -> u: v, MAC(K^i_v, u|v)
  // K_uv = f_{K^i_v}(u) = f_{K^i_u}(v) = K_vu
Key erasure
  Node u erases K^i_IN and all master keys (K^i_v) of its neighbors (no erasure of K^i_u or any other preloaded master keys K^j_u where i < j < M)
11
Zhu et al.’s scheme (cont.)
Establishing Cluster Keys (K^c_i)
[Figure: neighboring nodes u, v, w with cluster keys K^c_u, K^c_v, K^c_w and one-way key chains HC_u, HC_v, HC_w]
v sends: (K^c_v)_{K_vu}, (K^c_v)_{K_vw}
u sends: (K^c_u)_{K_uv}, (K^c_u)_{K_uw}
w sends: (K^c_w)_{K_wv}, (K^c_w)_{K_wu}
// When node u is revoked, every neighbor node generates a new cluster key and transmits it to all other neighbors
12
Zhu et al.’s scheme (cont.)
Rekeying the Global Key k'_g (when a compromised node is detected)
Authenticated Node Revocation
  [Figure: BS and nodes w, v, u, t, x]
  BS: Broadcast M
  M = u, f_{k'_g}(0), k^T_i, MAC(k^T_i, u | f_{k'_g}(0))
  // The value of hash chain
  // If verification is successful, v and w will store f_{k'_g}(0) temporarily
  v and w will remove their pairwise keys shared with u
  v and w will update their cluster keys
Secure Key Distribution
  BS: (k'_g)_{K^c_BS}
  (k'_g)_{K^c_i}
13
Zhu et al.’s scheme (cont.)
Integration of the pairwise key establishment phase with the cluster establishment phase
Nodes: v, u
1. HELLO(u)
2. v, {K^c_v}_{K_v}, MAC(K_v, u | v | {K^c_v}_{K_v})
3. u, {K^c_u}_{K_uv}, MAC(K_u, u | {K^c_u}_{K_uv})
14
Chorzempa et al.’s scheme
[Figure: Base Station (BS), Aggregation and Forwarding Nodes (AFN) and Micro Sensor Nodes (MSN)]
15
Chorzempa et al.’s scheme (cont.)
Location training
MSNs have completed neighbor discovery
AFN is aware of one-hop MSNs => ID_1, ID_2
ID_AFN1 => CEM neighbors
Coordinate Establishment Message (CEM)
hopcount_Nj + 1 < hopcount_Ni (ID_AFN2) (ID_AFN1): Reassign to AFN_2
hopcount_Nj + 1 > hopcount_Ni (ID_AFN1) = Discard CEM
hopcount_Nj + 1 > hopcount_Ni (ID_AFN2) (ID_AFN1): Unicast CEM to its primary AFN_1
16
Chorzempa et al.’s scheme (cont.)
Three types of required keys
Administrative key set (k+m), EBS(n,k,m) (EBS: Exclusion Basis System)
  n: number of MSN nodes in a cluster
  k: keys a node holds
  m: keys a node does not hold
Pairwise secret key Kp_i (BS <-> MSN)
Tree administrative key Kt_i
[Figure: an example of EBS(10,3,2)]
[Figure: a cluster view with AFN, MSNs M_1 to M_4, tree keys Kt_1, Kt_2 and pairwise keys Kp_1 to Kp_4]
Update a session key Kg with Kg' (k + m broadcasts)
17
Chorzempa et al.’s scheme (cont.)
If N_1 is captured (replace administrative keys and session keys known to N_1) (m broadcasts)
Non-colluding node captures (|y| = 2; N_1, N_6) (m^y broadcasts)
ID_AFN || E_Ka4(E_Ka2(Ka_1'~Ka_5'))
ID_AFN || E_Ka5(E_Ka2(Ka_1'~Ka_5'))
ID_AFN || E_Ka4(E_Ka3(Ka_1'~Ka_5'))
ID_AFN || E_Ka5(E_Ka3(Ka_1'~Ka_5'))
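The broadcast counts above can be checked on a small model. This is an added example, not code from the slides or from Chorzempa et al. Because the EBS(10,3,2) table did not survive on this page, the key assignment below is constructed (distinct 3-key subsets in lexicographic order). The model tracks only which administrative keys wrap each broadcast, not the encrypted payload; all function names are hypothetical.

```python
from itertools import combinations, product

def ebs_assign(n, k, m):
    """Give each of n nodes a distinct k-subset of the k+m administrative keys."""
    subsets = list(combinations(range(1, k + m + 1), k))
    if len(subsets) < n:
        raise ValueError("EBS(n,k,m) needs C(k+m, k) >= n")
    return {f"N{i + 1}": frozenset(s) for i, s in enumerate(subsets[:n])}

def rekey_broadcasts(assign, captured, k, m):
    """One message per choice of a key that each captured node does NOT hold."""
    all_keys = frozenset(range(1, k + m + 1))
    missing = [sorted(all_keys - assign[c]) for c in captured]
    return sorted({frozenset(choice) for choice in product(*missing)}, key=sorted)

def can_decrypt(held, message_keys):
    """Nested encryption E_Ka(E_Kb(...)) opens only with every wrapping key."""
    return message_keys <= held

def check(assign, captured, msgs):
    # Every node that was not captured must be able to open some broadcast.
    survivors_ok = all(any(can_decrypt(keys, msg) for msg in msgs)
                       for node, keys in assign.items() if node not in captured)
    # No captured node, acting alone, may open any broadcast.
    captured_locked = not any(can_decrypt(assign[c], msg)
                              for c in captured for msg in msgs)
    # Colluding captured nodes pool their keys.
    pooled = frozenset().union(*(assign[c] for c in captured))
    collusion_opens = any(can_decrypt(pooled, msg) for msg in msgs)
    return survivors_ok, captured_locked, collusion_opens

assign = ebs_assign(10, 3, 2)             # constructed assignment
single = rekey_broadcasts(assign, ["N1"], 3, 2)          # m = 2 broadcasts
double = rekey_broadcasts(assign, ["N1", "N6"], 3, 2)    # m^y = 4 broadcasts

if __name__ == "__main__":
    print([sorted(msg) for msg in double], check(assign, ["N1", "N6"], double))
```

With this assignment N1 lacks keys 4 and 5 and N6 lacks keys 2 and 3, so the four wrapping pairs are the same as in the slide's messages. The last value returned by check shows that pooled keys open the broadcasts, so colluding captures need separate handling.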
18
Chorzempa et al.’s scheme (cont.)
Colluding node captures (Administrative key recovery) (EBS(6,2,1))
Key matrix (keys K_1, K_2, K_3; nodes M_1 to M_6), values in slide order: 1 1 0 1 0 1 0 1 1 1 1 0 1 0 1 0 1 1
[Figure: AFN with MSNs M_1 to M_6 in tree 1 and tree 2, sets S_c and S_ut, tree key Kt_2]
E_Kt2(E_K1(K_1') || E_K2(K_2') || E_K3(K_3'))
19
Chorzempa et al.’s scheme (cont.)
Reactive re-clustering after AFN capture
membership list (location training)
[Figure: BS, AFN_a and AFN_b with their MSNs; AFN capture followed by absorption]
Participants: BS, N_i, AFN_b
E_{K_AFNb}(K_{AFNb-Ni} || ID_Ni) || Ticket_Ni, where Ticket_Ni = E_{Kp_i}(K_{AFNb-Ni} || ID_AFNb || ID_Ni || route_{Ni-AFNb} || nonce)
AFN_b: ID_Ni || ID_AFNb || E_{K_AFNb-Ni}(administrative keys) || Ticket_Ni
20
Chorzempa et al.’s scheme (cont.)
MSN addition
[Figure: a new MSN joining among old MSNs near AFN_a and AFN_b, steps 1 to 5 between New, Old, AFN_a and BS]
Messages shown:
hello (New => neighbors)
ID_Ni || ID_AFNp || hopcount_Ni
(ID_Nnew || ID_AFNa || nonce) || MAC_{Kp_i}
(ID_Nnew || ID_AFNa || nonce) || MAC_{Kp_i} || MAC_{K_AFNa}
Ticket_Nnew = E_{Kp_i}(K_{AFNa-Nnew} || ID_AFNa || ID_Nnew || nonce)
21
Comparisons
                                 | Zhu et al.’s scheme | Chorzempa et al.’s scheme
Mutual authentication            | Yes                 | No
Forward secrecy                  | No                  | Not mentioned
Dynamic keying                   | Yes
S2S key establishment            | Yes                 | Not mentioned
Recovery from compromised attack | Yes
Required key                     | 1+1+2n              | 1+1+k
n: the number of neighbors
22
Comments
In Zhu et al.’s scheme, an old node is unable to establish a pairwise key with a new node.
Chorzempa et al.’s scheme lacks a mechanism for pairwise key establishment between any two sensors.