You are on page 1of 12

Computer Communications 31 (2008) 42694280

Contents lists available at ScienceDirect

Computer Communications
journal homepage: www.elsevier.com/locate/comcom

A unied security framework with three key management schemes


for wireless sensor networks
Rabia Riaz a, Ayesha Naureen b, Attiya Akram b, Ali Hammad Akbar d, Ki-Hyung Kim a,*, H. Farooq Ahmed c
a
AJOU University, School of Information and Communication, Wonchundong, Yongtonggu, 443-749 Suwon, Gyunggi, South Korea
b
College of Signals, NUST, Pakistan
c
Communication Technologies, Sendai, Japan
d
University of Engineering and Technology, Pakistan

a r t i c l e i n f o a b s t r a c t

Article history: Pervasive computing environments nd their practical manifestations through wireless sensor networks,
Available online 17 June 2008 which sense a relationship amongst themselves and the environment. Currently the proposed keying
schemes for ensuring security, in wireless sensor networks, may be classied into public and private key-
Keywords: ing schemes, or their hybrid. However, an investigation in peer work underpins the fact that neither of
Wireless sensor networks these works relates the key management schemes with the granularity of key generation, distribution,
Key management renewal, and revocation. In this paper, we propose a unied security framework with three key manage-
Symmetric keys
ment schemes, SACK, SACK-P, and SACK-H that incorporate symmetric key cryptography, asymmetric key
Public key cryptography
Node revocation
cryptography and the hybrid, respectively. We have evaluated the key management schemes against a
broad range of metrics such as energy, resource utilization, scalability and resilience to node compro-
mises. Our evaluation comprises both analytical investigation and experimental validation. The results
show that though SACK-P is heavy on resources, it provides maximal security and offers the best resil-
ience to node compromises. On the contrary, SACK is very efcient in terms of storage and communica-
tion. Our results substantiate a relationship between the level of security and resource utilization and
form a design benchmark for security frameworks.
2008 Elsevier B.V. All rights reserved.

1. Introduction Most of the well known security schemes designed for tradi-
tional wire-line and wireless networks are inert to the unique
The practical aspects of pervasive computing and networking characteristics of WSNs, most notably to the device limitations
were unbeknownst to the world until the emergence of wireless in WSNs. Consequently, these cannot be readily applied to WSNs.
sensor networks (WSNs). The availability of WSNs has resulted into For instance, public key-based schemes involve signicant com-
many new applications including home automation, environmental munication and computational overhead making them unsuit-
monitoring and sensing, medical, and personal area networks able for these battery operated devices. Likewise, symmetric
(PANs). WSNs normally consist of a large number of 3L devices key-based schemes cannot single-handedly provide robust secu-
(low cost, low energy and low bandwidth) that are densely deployed rity against attacks with burgeoning effect and gravity in distrib-
over a region of interest and connected through a wireless network. uted environments like WSNs. In summary, there is a need for
In WSN, the medium of communication is wireless, which is key management schemes in WSNs to integrate collateral security
inherently insecure. Thus, each sensor node must know one or schemes that reinforce the security robustness, under a unied
more keys to secure its communication. Furthermore, situations framework.
might arise wherein an authenticated node is compromised by In this paper we present a unied security framework that
the intruder, revealing partial or entire keying information to the embodies three key management schemes. The framework pre-
intruder making it necessary to remove such node from the net- sents (a) SACK; a key management scheme using symmetric key
work. Needless to say, that the robustness of a security framework cryptography. In the event of a key disclosure, SACK ensures that
relies upon the strength of its key management schemes. the disclosure is only restricted to the respective cluster, not the
entire network, (b) SACK-P (public); a key management scheme
* Corresponding author. Tel.: +82 1047602551; fax: +82 312192443. that is a variant of SACK that uses the asymmetric key cryptogra-
E-mail addresses: rabiaiqba118@gmail.com (R. Riaz), aayyesha@yahoo.com phy. It provides an added level of security at additional communi-
(A. Naureen), attiya_akram@yahoo.com (A. Akram), ahakbar@gmail.com (A.H. Akbar),
cation and computational overheads and (c) SACK-H (hybrid);
kkim86@gmail.com (K.-H. Kim), farooq@comtech.co.jp (H. Farooq Ahmed).
URL: http://www.ilab.ajou.ac.kr (K.-H. Kim). another variant of SACK that utilizes SACK for intra-cluster

0140-3664/$ - see front matter 2008 Elsevier B.V. All rights reserved.
doi:10.1016/j.comcom.2008.05.043
4270 R. Riaz et al. / Computer Communications 31 (2008) 42694280

communication and SACK-P for both inter-cluster and cluster to whereas k 1 or fewer shares are unable to do so. Zhou and Hass
base station communication. SACK-H provides an improved level proposed a secure ad hoc network using secret sharing and thresh-
of security as compared to SACK but poses lesser resource drainage old cryptography [9]. Hubaux et al. in [10] proposed a public key
than SACK-P. An experimental and analytical evaluation of these distribution system based on web of trust model, in which the cer-
three schemes provides an insight into the key management over- ticates are issued and revoked by the users. The scheme works in
head and security strength conundrum. The evaluation is aimed at correspondence with the decentralized nature of certicate man-
helping network security experts in mapping an ontological rela- agement in ad hoc networks.
tionship between the desired security level, network and device re- Threshold cryptography and web of trust have their shortcom-
sources and the achievable security level. ings when applied to WSNs. Major issues being the associated
The remainder of the paper is organized as follows. In Section 2, expensive computation and the high probability of likely penetra-
we present peer work in key management infrastructures, with an tion by malicious agents. Also all current asymmetric key related
avid focus on resource consumption and achieving security levels. studies only support their feasibility for WSNs. None of current
Section 3 presents the network model used in all three schemes. In works propose complete key management infrastructure using
Section 4, we present the detailed architecture and operation of public key cryptography.
SACK, SACK-H and SACK-P. Section 5 explains post deployment
operations like scalability, network connectivity and revocation. 2.2. Key management in WSN
Analytical and experimental evaluation is presented in Section 6.
Finally, in Section 7, we conclude the paper. For WSNs key establishment is not an easy task. A single global
symmetric key shared to all users is secure to external attackers
who do not know the key, but a single node compromise from
2. Related work within the network will expose the key and make the complete
WSN insecure. Use of distinct pair-wise keys (symmetric or asym-
In this section, we present related work in bipartite. In the rst metric) for all possible pairs of nodes in a WSN will provide max-
part, we review the work done regarding public key cryptographic imum resilience to node compromise but will create unnecessary
methods used in WSNs. In the second part, we present contempo- storage burden on already resource constrained nodes (Table 1).
rary work in key generation and distribution with a side focus on Random pre distribution schemes like Chan et al. [11] uniformly
keying mechanism used. pre-distribute a global set of secrets in network so that each node
has a secret subset. Two neighbors can achieve a probabilistic key
2.1. Public key cryptography in WSN agreement by the intersection of their secret subsets. These
schemes use symmetric keys and have to store a large number of
In the WSNs, due to their constrained resources, cryptographic keys to maintain a desired level of connectivity. On the other hand,
methods are evaluated on the basis of energy consumption, code location based pre-distribution schemes like deployment-based
size, data size and processing time. These evaluation criterias key pre-distribution [12] uses node deployment knowledge for
make public key cryptography undesirable for 3L based pervasive pre-distribution of secrets in small cells. Thus they can achieve
environments. For example, in [1], comparison of energy con- much higher network connectivity and resilience then pre-distri-
sumed by symmetric key and asymmetric key algorithms shows bution schemes.
that, on MC68328 DragonBall processor, the encryption of 1024- In energy efcient group key management protocol [13] each
bit block using RSA consumes approximately 42 mJ, while 128 bit sensor node of a hierarchical sensor network generates a partial
AES block consume only 0.104 mJ. Recent studies like [2,3] show key dynamically. They also used multiparty DifeHellman to pro-
that the right selection of algorithms and associated parameters pose their group key computation method. Hybrid security mech-
along with code optimization can make public key cryptography anism [14] presents a key management system that can work with
feasible for sensor networks. Most work in public key domain focus or without the presence of Key Distribution Center (KDC). All nodes
on ECC and RSA. The reason for ECCs attractiveness is that it offers are preloaded with a random set of keys drawn from a common
considerably greater security for far smaller key size, for example pool before deployment. But when KDC is available, gateway nodes
160-bit ECC offers the comparable security to 1024-bit RSA and share public/private key combination with KDC.
512 bit ECC provides security of the level of 15,360 bit RSA. The LEAP [15] gives the concept of separate keys for different com-
smaller key size makes possible much more compact implementa- munication patterns in a hierarchal WSN. The base station shares
tions for a given level of security, resulting in faster cryptographic pair-wise keys with sensor nodes and it can mediate establishment
operations. Work in [4] investigates the effect of ECC and RSA of a pair-wise key between any pair of sensor nodes. Similar ap-
implementation, for signature generation and key exchange, on proach is used in ESA [16] where sensor nodes are separated into
MICA2, MICAz, MICA2DOT [based on ATmega128L] and TelosB domains which are supervised by base stations. exclusion based sys-
motes. Results show that even for most constrained node, perform- tem (EBS) proposed in [17] is a dynamic key management system
ing ECC-160 signature, once every 10 min, increases the duty cycle that uses combinatorial formulation of group key management.
only about 0.5%. On the other hand, even for the most energized
nodes, the RSA private key operations were extremely time and en-
ergy consuming. Working group at Harvard University deployed Table 1
PKI by modifying and optimizing ECC on Mica2 motes using Tiny- Literature classication on keying methodology
Os. They were able to generate public keys within 34 s and distrib- WSN category Key type Symmetric/asymmetric Paper
uted the shared secret in the same time, using just over 1 kB of
Distributed WSN Pair-wise Symmetric key [11,12,17,2022]
SRAM and 34 kB of ROM [5]. The implementations of RSA (e.g. Asymmetric key [5,23]
TinyPK [6]) and ECC (TinyECC [7]) prove that a public key-based Group wise Symmetric key [20]
protocol is viable for WSNs. Asymmetric key
The idea of (k,n) threshold scheme was introduced by Shamir Hierarchal WSN Pair-wise Symmetric key [1416,18,19]
[8]. A (k,n) threshold scheme allows a secret, for example a signing Asymmetric key [14]
key, to be split into n shares such that for a certain threshold k < n, Group wise Symmetric key [15]
Asymmetric key [13]
any k components can combine and recover the signing key;
R. Riaz et al. / Computer Communications 31 (2008) 42694280 4271

SHELL [18] is an enhancement of EBS that performs location based All sensor nodes are loosely time synchronized with the base sta-
key assignment. The network model consist of base stations, clus- tion with Tmax as the upper bound on time synchronization error
ter gateway and cluster nodes where cluster gateways keep track (similar to the mechanism reported in [15]). The WSN is arranged
of keys and keys of one cluster are stored by gateways of other in the cluster-based topology, and cluster leaders cannot go into
clusters. localized combinatorial keying (LOCK) [19] is another appli- the sleep state during their period of election as cluster leaders.
cation of EBS. And it also enhances SHELL such that the capture of a How these clusters are formed is beyond the scope of this paper,
cluster leader does not reveal any more cluster keys than the cap- but it is expected that after cluster formation each cluster leader
ture of a regular sensor node. lightweight key management system knows the IDs of each node present and available in its cluster
[20] proposes a solution where more than one master key is em- and BS knows the IDs of the cluster leaders and hence the CNs.
ployed to provide higher level of resilience. All these schemes only For our current work we have not considered mobility. A limited
consider symmetric keys which are distributed and assigned across mobility model can be handled in our existing scheme, but the
the network. The keys are generated at some special key genera- solution is not very efcient for on the move networks due to exten-
tion nodes. Our scheme on the other hand generates symmetric sive communication overhead.
key on the node where it has to be assigned thus obviates the need Our techniques assume that key management starts when all
of key assignment algorithms. the nodes have joined the network and no other communication
Much work has been done in proving the practicality of the has yet started. One important consideration in this assumption
public key cryptography for WSN but no key management archi- is to know when all nodes have joined the network. Two ap-
tecture has been proposed yet. Many Key Management solutions proaches can be considered in this regard:
have been proposed with symmetric key schemes, but asymmetric
cryptography cannot be implemented using these existing 1. Randomly started key distribution after some time of BS
schemes. To our knowledge, no work presents a complete solution initialization.
for key management framework that provides exibility to incor- 2. Whenever a new node joins network, a signal travels through
porate symmetric, asymmetric or both keying algorithms tailored the network up to base station. BS keeps a count of these sig-
according to application requirements. nals. The total number of node count is also kept with the BS.
When the number of signals becomes equal to the node count,
3. Network model the BS starts the key management process.

We consider a hierarchical WSN consisting of a BS and numer- With the rst technique there lies a possibility that some nodes
ous nodes grouped in clusters. Clusters of sensors can be formed might not get the keying material. The second key management
based on various criteria such as location, communication range, technique, which has been used in our architecture, overcomes the
resource and energy capabilities, etc. [24]. The nodes are catego- node missing probability on account of twofold communication.
rized as cluster leader (CL) and cluster node (CN). A CL is a sensor Our schemes are designed to provide key management for sen-
node with comparatively better resources. It serves as an interme- sor network therefore they have to meet several security and per-
diary between base station and cluster node communication. CN formance requirements that are considerably challenging to sensor
perform the tasks of sensing and relaying data only to their respec- network. Like energy efciency, memory optimization, communi-
tive cluster leader. CN communicate with short range radio com- cation optimization, scalability, supporting different communica-
munication. CL aggregate cluster nodes information and route it tion patterns, in-network processing and connectivity.
to destination node or base station using any secure routing proto-
col [25,26]. All the CLs and CNs are deployed in an uncontrolled 4. Proposed framework
environment. A BS is a computationally robust and resource rich
device placed in some controlled environment. For simplicity we In this section, we rst describe SACK, our basic key manage-
assume that the probability of base station compromise is negligi- ment scheme based on symmetric key cryptography. We then de-
ble (Table 2). scribe its two extensions, (a) SACK-P, a key management scheme
We assume that the nodes have unique IDs, are randomly using the asymmetric cryptography and (b) SACK-H, a hybrid key
deployed in the eld and are static. A sleep mode based energy management scheme that uses both symmetric and asymmetric
conservation scheme is used by nodes to save their batteries. The cryptography for key management. All these schemes use the net-
sleeping time of sensor nodes is upper bounded by a variable Smax. work model as described in Section 3.

Table 2
List of used notations

Notation Description Notation Description


BS Base station Kpub[CNj] Public key for jth CN
CL Cluster leader Kpri[CNj] Private key for jth CN
CN Sensor node other then CL Kpri[CLi] Private key for CL of ith cluster
SN Sensor nodes (CL or CN) Kpub[CLi] Public key for CL of ith cluster
SNIDj Sensor node identity of node j KCL CL routing Key
N No. of nodes in network KCi Cluster wide Key for ith cluster
C No. of clusters in network SCL Seed for CL Key generation
n No. of nodes in cluster SCi Seed for CN of ith cluster
KNB Key shared between SN and BS G Elliptic curve for ECC
KM Master key stored on each SN F Base point on G
M Size of master key [1024 bit] Tmax SN maximum time synchronization bound with BS
m Size of KNB [128 bit] Smax Maximum sleep time for SN
H No. of hops Tdis Key distribution time per hop
L Data packet length Tgen Standard key generation time
4272 R. Riaz et al. / Computer Communications 31 (2008) 42694280

4.1. SACK: storage and communication optimized keying framework Key generation: For our scheme, we will use key generation
for wireless sensor networks algorithm as proposed in [27]. This algorithm is a hybrid of pre-
and post-deployment key generation mechanisms. It uses mod-
In SACK, each sensor node is programmed according to the ulo-2 division as the mechanism to convolute locally hosted key
application requirements before network deployment. At the same KM and the arriving seed SSE (SCL or SCi) to generate the nal key
time, one unique Key (KNB) of size m bit and one master key (KM) of KE (KCL or KCi) (Fig. 1).
size M bits is stored in FLASH ROM of each node. The reason for The key KE is temporal KCL and KCi are generated and used for
storing KM in FLASH ROM instead of hard coding in ROM is to ex- specic epochs and are removed from SN after that epoch. The
ploit this information for later purging the keys in corrupted/com- epochs may be dened as every X s from the bootstrap time of
promised nodes (see Section 4.1.2). Base station (BS) stores [SNIDj, the WSN. These keys will also be generated for re-keying after re-
KNB] pair for each node and uses it to authenticate and establish moval of compromised node.
a pair-wise symmetric key for each sensor node at the time of node The maximum number of iterations possible for the mod 2 divi-
joining in the network. BS also stores routing keys (KCL) and cluster sion for KM [1024 bit] and SSE[64] is given by KM (SSE*2) 1. This
keys (KCi) in a database for specied period of time T = Tmax + Smax. allows us about 895 iterations before our remainder is less than
This information is used when a sleep node has to re-join the net- 128 bit. This also shows that with a single generator polynomial,
work on becoming active. we can generate 64 different keys by varying number of iterations.
Key analysis: Since a single key is inappropriate for securing all We have set the maximum limit to 64 iterations due to 6 bit allo-
communication in a sensor network (see Section 2.2), our frame- cation to variable i, otherwise a single polynomial can generate up
work supports establishment of three different keys. This helps to 895 distinct keys.
in minimizing the impact of any keys compromise to only a certain
number of nodes. Base Station Node Pairwise Key (KNB) is a unique 4.1.1. Re-keying model
pair-wise key of each node with the BS. BS can use this key to prop- The re-keying procedure helps in enhancing overall system pro-
agate any interest directly to that sensor node. Routing Key (KCL) is tection by frequently changing the security keys. It is especially
used by CLs to communicate with BS and other CLs. If any CL can- needed when a node is compromised and is needed to be excluded
not directly reach BS, then it establishes a route through other CL from the system, or a cluster session expires and new clusters are
using this key and hence we call it the routing key. Cluster Key formed. Selecting appropriate time interval for re-keying is very
(KCi) is used by CN of ith cluster to communicate with their CL crucial for the system as too frequent re-keying can put extra bur-
and other members of their cluster. den on system resources, and long delays can give an intruder suf-
Key assignment and distribution: After formation of clusters, the cient time to compromise the keys.
BS sends a key generation seed SCL to CLs. Each CL then computes Re-keying after session expiry and new cluster formation is
KCL using SCL and KM. Once KCL is generated, every CL generates a same as explained in key assignment and distribution section. Keys
seed SCi different from SCL and broadcasts it to its respective CNs. assigned in previous session can now be used to secure seed trans-
Each Node of cluster i then computes KCi by applying SCion KM. missions in the new session if they have not been compromised.
These seeds i.e. SCLand SCi, contain a 64 bit generator polynomial In the situation of a node compromise, BS rst performs a node
and 6 bit specifying the number of iterations (164). revocation operation, called TASER (To catch A thief, SEt one pRo-
Assuming that, at bootstrapping time, no SN is physically com- tocol), on the node that was declared as malicious using its KNB. The
promised, an intruder eavesdropping into this communication can- TASER operation, as explained in Section 4.1.2, removes the keys
not know or generate any keys as it doesnt have information about stored in the RAM of that node thus making it impossible for the
KM. Hence our scheme generates and distributes keys simulta- node to get new communication keys. This will also make re-key-
neously, unlike [16] and [13] which require separate key distribu- ing optional instead of an obligation. For extremely security critical
tion algorithms for key allocation. application re-keying could be performed. If the compromised

L eg en d :
/: M o d u lo 2 d iv is io n o p e ra tio n
: T ru n c a te s th e in p u t s tre a m to 1 2 8 b its iff r > 1 2 8
i: 6 b its tra n s m itte d fro m B S a n d C L to C L a n d S N re s p e c tiv e ly . R e fe rs to n u m b e r
o f ite ra tio n s (1 ~ 6 4 )
K M: 1 0 2 4 b its It is th e / o p e ra n d
S SE: 6 4 b its A g e n e ra to r p o ly n o m ia l tra n s m itte d fro m B S to C L a n d fro m C L to
S N . It is / o p e ra to r
R: R e m a in d e r o f / b e tw e e n o p e ra to r a n d o p e ra n d .
r: N u m b e r o f b its in re m a in d e r
K E: 1 2 8 b its R e s u lta n t k e y g e n e ra te d fo r E th e p o c h

B e g in P ro c fo r C L a n d C N fo r E th a n d E th + 1 E p o c h s re s p e c tiv e ly
R = KM

W h ile ( i != 0 ) d o
R = R / S SE
i = i-1
E n d w h ile

If r ( R ) > 1 2 8
K E = (R )
E ls e
KE = R

E n d P ro c

Fig. 1. Key generation algorithm.


R. Riaz et al. / Computer Communications 31 (2008) 42694280 4273

node was CN, then re-keying is needed only on cluster level which communication. A damage control mechanism must, therefore, be
can be done by just generating new KCi. In case of CL compromise, triggered to let the network become aware of the problem and re-
re-clustering will be required on network level to update routing solve it. Such a problem cannot be circumvented using temporary
key KCL and cluster key KCi. mechanisms such as assigning new keys only to the compromised
node and/or its communicating neighbors. Instead, bulky solutions
4.1.2. Node revocation are required to let such nodes go out of the network for good
In a master key encryption system, all the communication that (Fig. 2).
takes place between sensor nodes is encrypted using the same TASER is triggered after pre-TASER operations such as detection
master key. If this key is revealed to intruders, inter-node commu- of the malicious node and its notication to the BS. We present
nication becomes totally insecure. Interestingly, a very important only the TASER operation here considering the pre-TASER opera-
step that has often been ignored in key management is key revo- tions to be beyond the scope of the paper, existing schemes like
cation which is tightly coupled with other processes of key man- [28] can be utilize for pre-TASER part. We assume that only com-
agement. While a sensor network is deployed with all legitimate promised nodes are detected as faulty, i.e. the probability of detect-
and healthy nodes, it is probable that a sensor node is entirely ing a healthy node as malicious is extremely low. Also messages
compromised, revealing all the keying information to the intruder, sent by BS are always assumed to be legitimate. The BS knows
including the master key. This is indeed like a security catastro- the address space (location) of the keying information in the com-
phe because a compromised node means totally insecure network promised sensor node. It sends a TASER (step 3) message masked
as a normal management operation primitive just before the epoch
for the next key update phase (step 4). The compromised sensor
node executes the command that is followed by the resetting of
the FLASH ROM, purging previously assigned keying information
to the sensor node. The RAM is totally reset including all the vari-
ables and values set by the intruder. At least another epoch passes
(step 5), before the compromised node and its intruder recover
from the TASER that struck. It may take up to several epochs before
the sensor board coldstarts, initializes variables, and intruder re-de-
ploys the keys (step 6). The sensor node cannot assign itself a new
key during the subsequent re-keying processes as it cannot decrypt
the new session key (KCE3) using previous key (KCE1) and the master
key. Hence, such a node is isolated from the network.

4.2. SACK-P (SACK public)

SACK-P is based on public key infrastructure (PKI) and the key


setup proceeds as in the following stages:
Key analysis: Two keys per node (one private key Kpub[CNj] and
one public key Kpri[CNj]) are needed here, as required in PKI.
Key generation and assignment: A public/private key pair is gen-
Fig. 2. TASER operation. erated for each node using ECC prior to network deployment. Base

1. Generate Key Pair ( K pub [CN j], K pri [CN j] )

Node 2. Deploy K pri [CN j] in Sensor Node

3. Register [SN IDj , K pub [CN j]] at BS BS

Pre -Deployment
Key Generation and Key Registration

5. Store [SN IDj , K pub [CN j]] on OK

2. Forward
SN 1. Send [SN IDj , CL [SN IDj , K pub [CN j]]
K pub [CN j]] 3. Authenticate
Cluster Formation 4. Send OK or Revoke by matching
Sent K pub [CN j]
BS
against stored
CL 4. Send OK or Revoke K pub [CN j]

1. Send [SN IDj , K pub [CN j]]

Deployment SN 7. Broadcast K pub [CN j] CL 6. Broadcast K pub [CN j]]


Key Distribution

Fig. 3. SACK-P scheme.


4274 R. Riaz et al. / Computer Communications 31 (2008) 42694280

station maintains [SNIDj, Kpub [CNj]] pair for each node and each nodes use this seed to generate the cluster wide common symmet-
node is pre-installed with its respective private key Kpri[CNj], prior ric key (Fig. 4).
to network deployment.
Key distribution: At network setup, each SN sends JOIN request 5. Post deployment operations
message encrypted with Kpri [CNj] and its ID to the nearest CL. The
CL forwards the message to BS. BS veries the node authenticity Network post-deployment issues are critical factors in deter-
by decrypting the message with the public key registered against mining the efciency of any key management protocol for WSN
that node ID stored in its database. If authenticated as a legitimate specic environment. Each schemes working in correspondence
node, an OK message is sent to the CL; otherwise a REVOKE message to these issues is explained against the following matrices.
is directed to the CL. If the cluster leader receives an OK message, it Scalability: Each of the three schemes supports node additions
stores the nodes public key Kpub [CNj] for future references, other- after network deployment. In case of SACK and SACK-H, when a
wise the message is discarded. After completion of this process, new node wants to join the network it sends its SNIDj and a join
the BS broadcasts its public key to all the CLs. On receiving the BS message encrypted with KNB to its nearest CLs. CL, unable to de-
public key, each CL broadcasts its public key to its CNs (Fig. 3). crypt the message, forwards SNIDjand join request message to BS
for authentication. BS looks for the nodes ID in its database for
4.3. SACK-H: SACK hybrid [SNIDj, KNB] pair. It then decrypts the message using KNB. If the
message decrypts successfully it authenticates that the new node
The system takes advantage of the difference in the computa- is legitimate node. After node is authenticated, BS informs the CL.
tional capabilities of different nodes. It puts the burden of more CL sends that sessions seed SCi to the new node allowing the node
complex, computationally expensive algorithms on the devices to join cluster by generating KCi.
with more robust resources. It uses the asymmetric cryptography For SACK-P, the new node performs the key generation and reg-
during inter-cluster level communication, while symmetric cryp- istration activities before deployment. At node deployment, each
tography is used during intra-cluster communication. Two types SN sends JOIN request message encrypted with Kpri [CNj] and its
of encryption algorithms are deployed on each node: one is public ID to the nearest CL which forwards the message to BS. Upon
key based encryption algorithm like ECC or RSA and the other is authentication by BS, the new node is added to the cluster and
symmetric key based encryption algorithm like Skip Jack, RC5, its public key is stored with the CL.
DES or AES. We propose ECC+AES for better security due to reasons Table 3 describes network scalability determined by security
mentioned in Section 2.1. overhead in terms of data packet length. For instance, for 44 bytes
Key analysis: SACK-H uses same keys as mentioned in SACK but of data packet to transmit and taking into account 128K program
now, instead of KCL, we have separate public/private key pairs for memory of MICA, the framework can be best implemented in a
each CL denoted as Kpri [CLi] and Kpub [CLi]. network of up to 3000 sensor nodes. L describes maximum data
Key assignment and distribution: In pre-deployment phase each length in packet, during all phases of key management process.
node is given a unique identity [KNB] and has both algorithms For SACK the maximum data length is in the case of sending SCL
ECC/AES installed over it. In addition, a master key KM and basic and SCi, which is 70 bit 9 bytes. Similarly for SACK-H value of
keying material for ECC i.e. the Graph G and base point F are pre- L = 10 bytes and for SACK-P value of L = 16 bytes.
installed on each node. The graph is of the form y2 = x3 + ax + b. Key connectivity: Key connectivity is described as the number of
The key generation process is initiated by the BS, which calcu- keys required to be stored on each node for specied level of re-
lates its public/private key pair and broadcasts its public key, so quired network connectivity.
that each CL receives the public key of the BS. Each CL after gener- SACK shares a common symmetric key KCL for BSCL and CLCL
ating its public/private key pair sends its public key along with its interactions based on session seeds SCL. It stores a common sym-
ID to BS. BS saves this public key and also broadcasts it along with metric key Kci for CLSN interaction based on session seeds SCi. This
CLs ID so that all the CLs get the public keys of all the other CLs. provides 100% network wide connectivity.
After the completion of the key generation at CL level, each cluster SACK-H provides good key connectivity on frequent interaction
leader generates a seed and broadcasts it to all the CN. Cluster basis. In a typical information gathering scenario where the pri-

CL 1.Deploy KM, KNB and SNID on all nodes


BS
CN
Pre-Deployment

BS 1.Generate its Kpub[BS] and Kpri[BS] Post-Deployment

2.Broadcast [Kpub[BS], SNID] to all CLs CL

3.Send [Kpub[CLi], SNID] to BS

BS 4.Broadcast [Kpub[CL], SNID] to all CLs CL

5.Calculate and Broadcast SCi to all CNs

CN
5.Calculate KCi through KM and Sci

Fig. 4. SACK-H scheme.


R. Riaz et al. / Computer Communications 31 (2008) 42694280 4275

Table 3
Comparison of three schemes for scalability and network resilience

Scheme Network scalability Keys required for network Secure node revocation Keys revealed on compromise of CN and CL
compromise
SACK L = 9 bytes, 14,250 nodes 1 TASER CN = KCi and KM, CL = KCL, KCi and KM
SACK-P L = 16 bytes, 8000 nodes N 1 TASER CN = Kpri[CNj] and Kpub[CLj], CL = Kpri[CLj], Kubi[BS] and
Kpub[CNj]
SACK-H L = 10 bytes, 12,800 nodes C keys: 1 from each cluster TASER CN = KCi and KM, CL = KCL + Kpri[CLj] + Kpub[CL] [public keys of
all CL]

mary purpose of the nodes is to gather data and forward it to BS, Any node compromise in SACK-P does not reveal any keying
nodes in one cluster communicate with each other more fre- information except its own private key and a few public keys.
quently. Such communication is ensured by a common cluster The most harm that this compromised node can do is the decryp-
wide symmetric key. Similarly, each CL possesses the public keys tion of messages destined for it.
for all the other CLs, hence complete network-wide key connectiv- Table 3 gives a comparison of scalability and resilience for the
ity is ensured. three schemes along with describing the revocation method.
In SACK-P, all the communication between the nodes is via pub- Mobility: Although our current work assumes all nodes to be
lic keys. CLs have public keys of other cluster leaders and CNs have static but all schemes inherently support small scale mobility for
public keys of CN and CL of their cluster. However, the scheme is CN. When a mobile node move from its CLs transmission range,
extensible in the sense that communication patterns can also be it sends its SNIDj and a movement message mentioning previous
considered even when nodes dont have direct access to each CLs ID encrypted with KNB to its nearest CLs. CL, unable to decrypt
others public keys using the help of intermediary parties like in the message, forwards SNIDjand message to BS for authentication.
[29]. BS looks for the nodes ID in its database for [SNIDj, KNB] pair. It then
Revocation: Each of the three schemes considers the TASER decrypts the message using KNB. If the message decrypts success-
operation for the compromised node removal as described in the fully and CLs ID matches with BS database information, it authen-
node revocation section. For SACK-P, although the node compro- ticates that the mobile node is legitimate node. After node is
mise does not reveal any important keying information but TASER authenticated, BS informs the CL. CL sends that sessions seed SCi
can be used for removal of other SNs public keys from compro- to the newly moved node allowing it to join cluster by generating
mised node. This will prevent compromised node from generating KCi.
any kind of attacks on SNs whose public keys it possesses. This solution is feasible only for small scale mobility in net-
For conventional networks, trusted certicate authorities (CAs) work; in case of networks with large scale mobility this will cause
issue certicate revocation list (CRL), containing information about a signicantly increase in communication overhead. Also mobility
revoked certicates at regular intervals. The CRLs are either placed support for CL will be our main focus while designing an efcient
in online repositories i.e. (OCSP) [30], where they are readily avail- mobility algorithm as part of our future work.
able, or they may be broadcast to the individual nodes.
SACK-P employs hierarchical mode of communication, which 6. Performance evaluations
makes application of CR scheme simple. BS has already been as-
signed the role of trusted certicate authority (CA) in SACK-P and The evaluations are based on the simulations carried out in
can be further designated to maintain the CRLs. The CRLs are up- TOSSIM environment for the individual NesC implementations of
dated whenever a node (CL/CN) is revoked after being declared as SACK, SACK-H and SACK-P. The simulations were compiled for
malicious. The CRLs are broadcasted from the BS to the CLs at reg- Mica2 environment. This device offers an 8-bit, 7.3828-MHz AT-
ular intervals. Each CL lters the CRL according to its CNs. Accord- mega 128L processor, 4 kilobyte (kB) of primary memory (SRAM),
ing to SACK-P communication architecture, when a CL wants to and 128 kB of program space (ROM) with 433, 868/916, or
communicate with another CL, the process takes place via BS and 310 MHz multi-channel radio transceiver, 38.4 kpbs radio and
when a CN wants to communicate with another CN, the communi- 500-1000 feet outdoor range (depending on version) [32]. For time
cation takes place via relevant CLs. For the CLCL communication, analysis, timers have been used in application code to get the mea-
CRL is checked at the BS to determine the status of the receiver. surements for the various key management phases. Time is kept at
If found revoked, the communication request is returned to the a 4 MHz granularity. We used PowerTOSSIM plugin in TinyViz for
sender with an indication that the intended CL has been revoked. energy analysis (Table 4).
In a similar manner, for the CNCN interaction, necessary checks Table 5 gives experimental values for memory, energy and time
are performed at each CL on the CRL to check the validity of a node analysis of all three schemes and compares them with [5], as it is
uncompromised status. the only other key generation and distribution solution based on
Resilience: Network resilience is dened as its resistance against ECC.
node captures [31]. Resilience has a direct relation with network
security i.e. higher resilience of a network means more security.
SACK relies on immediate discovery of compromised node to Table 4
preserve resilience. Failing to adhere to that, one SN compromise Simulation parameters
reveals its current cluster or routing key and master key KM which, Parameter Value
in turn, makes the whole network vulnerable. Thus it requires
Fidelity Bit level simulation
strong methods which could detect node compromise on earliest Time 4 MHz granularity
possible and start TASER process for damage control. Hardware platform 40 kb RFM mica networking stack
SACK-H utilizes a common symmetric key for cluster wide com- Network size 1000 nodes [default for TOSSIM]
munications. For one CN compromise, only the CNs and CL of that Radio model Lossy
Packet size Varying with max payload 32 bytes
particular cluster are vulnerable. Asymmetric key communications
Transmission range of CN 500 feet
in CLs imply that a CL compromise does not affect other CLs.
4276 R. Riaz et al. / Computer Communications 31 (2008) 42694280

Table 5
Memory, time and energy analysis comparison

SACK SACK-P SACK-H ECC [5]


Time (s) Key generation 0.016 12.003 12.003 34.173
Key distribution BSCL 0.025 0.2 0.25
CLSN 0.025 0.025 0.25
CNBS 0.29
Memory utilization (bytes) ROM 12,840 41,480 34,000 34,342
RAM 1300 2450 2000 1140
Energy consumption (lJ) Transmission 255.82 394.84 317
Computation 102.81 131 129
Total 376.52 501.06 449 816

6.1. Memory analysis are given in Table 7. Table 7 also shows maximum message ex-
change which is in case of communication between CN of one clus-
MICA2 mote has a 4 kB of primary memory (RAM). The maxi- ter with CN of other cluster in all three schemes. Table also gives
mum limit for RAM utilization for MICA2 is specied to be 3.9K. communication overhead for re-keying procedure.
MICA2 mote has a 128 kB of program space (ROM). SACK is based Other dynamic key management systems like LEACH [13] uses
on symmetric key cryptography hence occupies the smallest por- (d 1)2/(N 1) messages for re-keying [d is number of neighbors].
tion of RAM and ROM in the three schemes (Table 5). SACK-P uti- EBS based schemes [1517] use minimum m (number of keys not
lizes public key cryptography for all the communications and known to compromised node) messages only for transmission of
hence utilizes maximum RAM and ROM space compared to other new keys. Number of messages required for generation and assign-
two schemes. SACK-H uses public key cryptography for BSCL ment of these keys are additional to these m messages.
interaction whereas symmetric key cryptography is used for CL Based on these results we can say that our schemes provide
SN communication hence it memory usage falls between other optimum solution for storage and communication for key
two schemes. This memory analysis is done excluding BS as our management.
BS has no energy/memory constraints and is maintaining public
keys for all the nodes involved in the network. The reason that 6.3. Time analysis
SACK-P takes more memory than [5] being that SACK-P also pro-
vides key update and node revocation mechanism in addition to The key generation time for SACK remains constant at 16 ms for
just key generation and distribution provided by [5]. 60 iterations. This involves the time of computing a 128-bit key
EBS based schemes [1517] store a key pool (P) of size k + m using a master key of 1024 bit and a seed SSE of 64 bit (Fig. 6).
where k keys are stored per node along with c communication SACK-H and SACK-P essentially require the same average key gen-
keys. E.g. in [17] key generation nodes store k + m + 1 keys and eration time of 12 s. As shown by single line for SACK-H and SACK-
other nodes store k + 1 keys. LEAP [13] stores 3d + 2 + L keys per P key generation time in Fig. 5. The reason for this similarity being
node where d = number of neighbors and L = number of keys in that symmetric key generation part in SACK-H requires a negligible
key chain. Thus we can easily claim from Table 6, that SACK and amount of time i.e., 16 ms. Thus, giving same timing characteristics
SACK-H have very less storage requirement for nodes other then for key generation in SACK-H and SACK-P.
BS, which in our case have limitless resources. Although SACK-P For SACK, the maximum time for the entire key distribution
consumes little larger memory space but it provides maximum process, is constant around 50 ms. Seed distribution from BS to
resilience and security. CL takes a constant time of approx. 25 ms and seed distribution
from CLs to SNs is averaging around 25 ms as well, entailing that
6.2. Communication overhead each hop addition implies an addition of 25 ms factor. Abrupt in-
crease in key distribution time in Fig. 6 is due to addition of a
For a network of N nodes having C clusters with n members new hop. For SACK-H, the time for cluster-wise key distribution re-
each, values for message exchange for key setup and rekeying mains constant at 25 ms whereas time for each new CL addition re-
quires about 200 ms. this makes the graph follow a linear trend i.e.
with the increase in number of clusters the time for key distribu-
Table 6
Number of keys stored per node tion increases linearly. For SACK-P, BS and each CL broadcast essen-
tially takes the same average time of approx. 250 ms whereas each
BS CL CN
SN key distribution requires an average time of approx 290 ms.
SACK N+1 4 3 Thus the graph follows an linear trend with node addition, i.e. with
SACK-H C+N+2 C+6 3
the increase in the number of nodes, the time spent in key distri-
SACK-P N+1 n+2 2
bution increases linearly as shown in Fig. 5.

Table 7
Message communication for key management phases

Scheme Key setup Max communication [CNi to CNj communication] Re-keying


SACK C + 1 broadcast messages 3 encryptions and 3 decryptions 3 messages [for CL
removal]
SACK-H 2C + 1 broadcast messages, C unicast messages 3 encryptions and 3 decryptions 4 messages [for CL
removal]
C + 1 broadcast messages, 2N + Cn unicast First time = 3 encryptions and 3 decryptions, next time = 1 encryption and 1 Not required
messages decryption
R. Riaz et al. / Computer Communications 31 (2008) 42694280 4277

20
SACK-H:Key
18 Generation
16 SACK-P:Key
14 Generation

12 SACK-H:Key
Time (s)

Distribution
10
SACK-P:Key
8 Distribution
6
SACK-H:Key
4 Management

2 SACK-P:Key
Management
0
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
No of Nodes

Fig. 5. Key generation, distribution and management time for SACK-H and SACK-P.

distance of CL from the BS. In real life scenario this variation could
70
be much noticeable depending on the size of WSN.
60
6.4. Analytical evaluation
50
SACK timing characteristics are directly dependent upon the
Time (ms)

40 SACK: Key Generation number of hops. This is because seed distribution is done through
broadcasting. Key generation on seed reception takes place approx.
SACK: Key Distribution
30 at the same time on each node in a particular hop. Thus key man-
SACK: Key Management
agement time for SACK can be formulated as H(Tdis + Tgen). For
20 H = 2, Tgen = 16 ms, Tdis = 25 ms, key management time is estimated
to be 82 ms. Our experimental outputs gives total key management
10 time as 64.08 ms for two hops. Reason for this difference is that we
broadcasted the seed parallel to key generation process in actual
0 implementation.
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
SACK-H timing characteristics depend upon characteristics of
No of Nodes
cluster-wise timing and hop-wise timing. Symmetric keys are uti-
Fig. 6. Key generation, distribution and management time for SACK. lized in cluster wide communication and public keys are utilized
for network-wise communication. Time for cluster-wise key man-
agement is formulated by Tdis(2C + 1) and time for hop-wise key
Fig. 6 shows a steady time for key distribution from CL to CN. management is formulated by Tdis(H 1) + Tgen (H 1). Experi-
Reason is each cluster node select its nearest possible cluster lea- mental results show that for same number of clusters the differ-
der so there is not much variation is their distance. The little vari- ence in total time for key distribution is very less. The cost of
ation in time for key distribution from BS to CL is due to the adding a new CL is about 200 ms and cost of adding a whole cluster

600
SACK: Tx, Rx Energy
SACK-H: Tx, Rx Energy
500
SACK-P:TX, RX Energy
SACK: Processing Energy
400
Energy (uJ)

SACK-H:Processing Energy
SACK-P:Processing Energy
300
SACK:Total Energy
SACK-H:Total Energy
200
SACK-P:Total Energy

100

0
2 3 4 5 6 7 8
No. of Nodes

Fig. 7. Energy consumption comparison.


4278 R. Riaz et al. / Computer Communications 31 (2008) 42694280

700
BS: SACK
650 BS: SACK-H

600 BS: SACK-P


CL: SACK
550

Energy (uJ)
CL: SACK-H
500 CL: SACK-P
CN: SACK
450
CN: SACK-H
400 CN: SACK-P

350
300
250
2 3 4 5 6 7 8
Number of Nodes

Fig. 8. Energy consumption on BS, CL and CN.

is about 200 25 ms where 25 ms is the total time for symmetric Table 9


key management at cluster level. Analytical Values for energy consumption
SACK-P is directly dependent on the number of nodes in the CN CL BS Average
network. This is because the whole scheme is based upon the use
SACK 143 439 296 292.67
of public keys, and it requires that each node individually registers SACK-H 286 3738 9372 4465.33
its public key at the BS. The key management time in SACK-P orig- SACK-P 1404.8 16,400 46707.2 21,504
inates from the formula Tdis(N + C) + Tgen (N). This implies that the
key management time increases linearly with the increase in the Where PR is reception energy, PT is transmission energy and PC
number of nodes and clusters, respectively. Our implementation is computation energy. The energy consumed in sending 1 byte is
results show that SACK-P key generation requires a constant time estimated to be 59.2 lJ whereas the energy consumed in receiving
whereas key distribution, dependent upon the number of nodes, is specied to be 28.6 lJ. Also energy cost of computation is small
increases linearly with the increase in the number of nodes. Hence compared to data transmission. These values are based on actual
key management trend also follows from the key distribution. mote implementation [3] (Table 9).
Since we simulated energy for small number of nodes, so here
6.5. Energy analysis we will calculate energy consumption for a network of 100 nodes
with 10 clusters and each cluster having 10 nodes using above
6.5.1. Experimental evaluation mentioned values, table species analytical evaluation of the en-
For SACK and SACK-H, the energy consumption tends to balance ergy characteristics of the three schemes. These values indicate
out with the changing number of nodes i.e. there is slight increase that even for larger network energy consumption at CN does not
in energy consumption with the increase in number of nodes. A increase signicantly, except in SACK-P. For SACK all analytical val-
linear trend of slight increase is prevalent in the energy character- ues remain almost same as noticed in experimental results. Nodes
istics of SACK and SACK-H. For SACK-P, the energy consumption in- using asymmetric key in SACK-H and SACK-P shows exponential
creases rapidly with the increase in number of nodes. This is increase in energy consumption with the increase in network size.
because more nodes are involved in the activities of key genera-
tion, key registration and key distribution. Thus, there is an expo- 6.6. Discussion
nential increase in the energy characteristics of SACK-P which
becomes clear as the network size increases Fig. 7. Table 10. presents the complete picture of all three schemes.
In case of SACK and SACK-P, there are no specic energy charac- According to the observations, SACK-P utilizes maximum resources
teristics corresponding to node role but for SACK-H, the measure- but it also provides end to end security and maximum resilience to
ments differ in context to node role. For SACK-H the initial node compromise, making it the most secure solution.
hypothesis has been that BS performs the most energy consuming Evaluating the schemes from the resource utilization perspec-
operations of key management Fig. 8. The role based energy break- tive, the schemes can be arranged from the most favorable to the
down for SACK-H reveals the same showing that BS exhibits max- least favorable as SACK, SACK-H, and SACK-P. Time characteristics
imum energy characteristics, CLs depict moderate energy
characteristics whereas the energy characteristics for CNs coincide Table 10
with those specied for SACK. Analytical values for energy consumption

SACK SACK-P SACK-H


6.5.2. Analytical evaluation Memory cost Low High Medium
Table 8 gives analytical equations for energy consumption for Energy/power Low High Medium
the proposed schemes. consumption
Key management time Low High Medium
Communication Low High [bootstrap time], low Medium
Table 8 overhead otherwise
Energy consumption equation for various levels of nodes Resilience to node Low High Medium
compromise
CN CL BS End-to-end security No Yes No
SACK PR + PC PR + PT + 3PC PT + 2PC Scalability High Low Medium
SACK-H PR + PC PR(C + 1) + 2PT + 3PC PR(C) + PT(C + 1) + PC Network connectivity Good Good Good
SACK-P PR + PT + PC PR(n + 1) + PT(n + 1) + PC PR(N 1) + PT + PC(N 1) Node revocation Compulsory Optional Compulsory
R. Riaz et al. / Computer Communications 31 (2008) 42694280 4279

for SACK signicantly differ from those of SACK-H and SACK-P, References
occupying only a minimal time span for key generation and key
distribution. Both SACK and SACK-H show similar energy charac- [1] D.W. Carman, P.S. Kruus, B.J. Matt, Constraints and Approaches for Distributed
Sensor Network Security, NAI Labs, Tech. Report 00-010, 2000.
teristics that follow a linear trend of increase with the increase [2] N. Gura, et al., Comparing elliptic curve cryptography and RSA on 8-bit CPUs,
in the number of nodes. SACK-P shows efcient energy consump- CHES 04, in: Proceedings of the Workshop on Cryptographic Hardware and
tion for lesser number of nodes but the rapid exponential increase Embedded Systems, August 2004.
[3] A.S. Wander, et al., Energy analysis of public-key cryptography for
trend shows that it would not support greater number of nodes. wireless sensor networks, PerCom 05, in: Proceedings of the Third IEEE
When evaluating the schemes from the security perspective, International Conference on Pervasive Computing and Communication,
the schemes can be arranged from the least favorable to the most March 2005.
[4] K. Piotrowski, P. Langendoerfer, S. Peter, How public key cryptography
favorable as SACK, SACK-H, and SACK-P. SACK relies on symmetric
inuences wireless sensor node lifetime, SANS 06 Virginia, USA, October
key cryptography and hence one node compromise may make the 2006.
whole network vulnerable. SACK-H relies both on symmetric key [5] D.J. Malan, M. Welsh, M.D. Smith, A public-key infrastructure for key
and public key cryptography and hence depicts better security distribution in TinyOS based on elliptic curve cryptography, Proceedings of
the First IEEE International Conference on Sensor and Ad Hoc Communications
behavior than SACK. SACK-P relying on public key cryptography and Networks, Santa Clara, CA, October 2004.
shows the strongest security characteristics. Also only SACK-P pro- [6] R. Watro et al., TinyPK securing sensor networks with public key technology,
vides end-to-end security. For example in case of CNi to CNj com- SASN 04, in: Proceedings of the Second ACM Workshop on Security of Ad Hoc
and Sensor Networks, ACM Press, New York, 2004, pp. 5964.
munication, rst time message exchange for getting each other [7] A. Liu, P. Ning, TinyECC: Elliptic Curve Cryptography for sensor networks
public keys will take about four cycles of encryption/decryption. (version 0.1), September 2005, available at http://discovery.csc.ncsu.edu/
But from next time messages will not need any encryption/decryp- software/TinyECC/.
[8] A. Shamir, How to share a secret, Communications of the ACM 22 (11) (1979)
tion on intermediate nodes. In SACK and SACK-H every communi- 612613.
cation between CNi to CNj will require extra encryption/decryption [9] L. Zhou, Z.J. Haas, Securing ad hoc networks, IEEE Network 13 (6) (1999) 24
at CL level. [33] [here i and j represent cluster number]. Another 30.
[10] J.-P. Hubaux, L. Buttyan, S. Capkun, The quest for security in mobile ad hoc
advantage of SACK-P is that it makes node revocation optional in- networks, in: Proceedings of ACM Symposium on Mobile Ad Hoc Networking
stead of compulsory. The reason is that node compromise doesnt and Computing (MobiHoc 2001), October 2001, pp. 146155.
reveal keying information of uncompromised nodes. [11] H. Chan, A. Perrig, D. Song. Random key predistribution schemes for sensor
networks, IEEE Symposium on Security and Privacy (2003) 197213.
[12] W. Du, J. Deng, Y.S. Han, S. Chen, P.K. Varshney, A key management scheme for
7. Conclusion wireless sensor networks using deployment knowledge, IEEE INFOCOM 2004
(2004) 586597.
[13] B. Panja, S. Madria, B. Bhargava, Energy efcient group key management
Wireless sensor networks provide practical revelation of the protocol for hierarchical sensor networks, International Journal of Distributed
idea of pervasive computing. In this paper we have presented a Sensor Networks 3 (2) (2007) 201223.
thorough investigation into various aspects of the key manage- [14] P. Traynor, R. Kumar, H. Choi, G. Cao, S. Zhu, T.L. Porta, Efcient hybrid security
mechanisms for heterogeneous sensor networks, IEEE Transaction on Mobile
ment schemes for WSN, especially focusing on their keying meth- computing 6 (6) (2007).
odology. Our investigation gives an insight into the key [15] S. Zhu, S. Setia, S. Jajodia, LEAP: efcient security mechanisms for large-scale
management overhead and security strength of three possible key- distributed sensor networks CCS 03, in: Proceedings of the 10th ACM
Conference on Computer and Communication Security, ACM Press, New
ing implementations, i.e. symmetric, asymmetric and hybrid key
York, 2003, pp. 6272.
cryptography. The results clearly show that there exist an inverse [16] Y. Law, R. Corin, S. Etalle, P. Hartel, A formally veried decentralized key
relationship between the resource availability and the achievable management for wireless sensor networks, Personal Wireless
Communications (2003).
level of security. For example, SACK-P provides maximum security
[17] M. Eltoweissy, H. Heydari, L. Morales, H. Sadborough, Combinatorial
and maximum resilience to node compromise but it is heavy on optimization of key management in group communications, Journal of
system resources. Its energy consumption increases proportionally Network and System Management (2004) 332b.
with increasing network size. On the other hand, SACK is extremely [18] M. Younis, K. Ghumman, M. Eltoweissy, Location aware combinatorial key
management scheme for clustered sensor networks, IEEE Transactions on
light on resources but its security could be compromised even with Parallel and Distributed Systems (2006).
a single nodes physical capture. In short, our paper provides a [19] M. Eltoweissy, M. Moharrum, R. Mukkamala, Dynamic key management in
complete picture of cryptographic key management schemes, and sensor networks, IEEE Communications Magazine 44 (4) (2006) 122130.
[20] B. Dutertre, S. Cheung, J. Levy, Lightweight key management in wireless sensor
these results can help network security experts in mapping an networks by leveraging initial trust, Tech. Rep. SRI-SDL-04-02, System Design
ontological relationship between the desired security level, net- Laboratory April 2004.
work and device resources and the achievable security level. [21] Y. Zhou, Y. Fang, A two-layer key establishment scheme for wireless
sensor networks, IEEE Transactions on Mobile Computing 6 (9) (2007)
10091020.
8. Future directions [22] S.A. Camtepe, B. Yener, Combinatorial design of key distribution mechanism
for wireless sensor networks, IEEE/ACM Transactions on Networking 15 (2)
(2007).
Our future work includes adding an efcient solution for mobil- [23] J. Lee, D.R. Stinson, Deterministic key predistribution schemes for
ity support in the proposed framework and designing an efcient distributed sensor networks, Selected Areas in Cryptography 3357 (2004)
algorithm for malicious nodes detection to minimize node compro- 294307.
[24] O. Younis, S. Fahmy, HEED: a hybrid, energy-efcient, distributed clustering
mise effect on network. Also we plan to add the deployment approach for ad hoc sensor networks, IEEE Transactions on Mobile Computing
knowledge advantage to our proposed schemes to make them 3 (4) (2004) 366379.
more secure. Schemes will also be veried for node revocation [25] B. Przydatek, D. Song, A. Perrig, SIA: secure information aggregation in sensor
networks Sensys 03, in: Proceedings of the First International Conference on
against different attack scenarios. Node revocation mechanism will Embedded Networked Sensor Systems, ACM Press, New York, 2003, pp. 255
be improved against different observations. 265.
[26] C. Karlof, D. Wagner, Secure routing in wireless sensor networks: attacks
and countermeasures, Proceedings of the First IEEE International
Acknowledgement
Workshop on Sensor Network Protocols and Applications, May 2003,
pp. 113127.
This work was funded in part by the IT R&D program of MKE/ [27] R. Riaz, A.H. Akbar, M. Hasan, K. Kim, K. Lhee, A. Naureen, A. Akram, H.F.
Ahmed, Key management scheme for sensor networks with proactive key
IITA (Development of IP-based Sensor Network (IP-USN) and was
revocation and sleep state consideration 2007 IFIP, International Conference
supported in part by the Korea Research Foundation Grant on Network and Parallel Computing Workshops (NPC 2007), Dalian, China,
(MOEHRD, Basic Research Promotion Fund). September 1821, 2007, pp. 368373.
4280 R. Riaz et al. / Computer Communications 31 (2008) 42694280

[28] H. Chan, V.D. Gligor, A. Perrig, G. Muralidhran, On the distribution and [31] Y. Wang, G. Attebury, B. Ramamurthy, Survey of security issues in
revocation of cryptographic keys in sensor networks, IEEE Transactions on wireless sensor networks, IEEE Communication Surveys and Tutorials 8 (2)
Dependable and Secure Computing 2 (3) (2005). (2006).
[29] M. Chorzempa, J.M. Park, M. Eltoweissy, T. Hou, Key management for wireless [32] I. Crossbow, Technology, MICA2: wireless measurement system,
sensor networks in hostile environments, in: Y. Xiao (Ed.), Security in Sensor http://www.xbow.com/Products/Productpdfles/Wirelesspdf/6020-0042-
Networks, CRC Press, 2006. 0%4AMICA2.pdf.
[30] M. Myers, R. Ankney, A. Malpani, S. Galperin, C. Adams, X. 509 Internet public [33] A. Naureen, A. Akram, R. Riaz, K.H. Kim, H.F. Ahmed, An end-to-end
key infrastructure online certicate status protocol ocsp, Internet Request for security architecture for sensor networks, ICIS 2007, Canada, December 9
Comments (RFC) 2560 (1999). 12, 2007.

You might also like