A Key Distribution Scheme using Elliptic Curve Cryptography in Wireless Sensor Networks

J. Louw, G. Niezen and T.D. Ramotsoela
Department of Electrical, Electronic and Computer Engineering, University of Pretoria, Pretoria, South Africa

A.M. Abu-Mahfouz
Meraka Institute, Council for Scientific and Industrial Research, PO Box 395, Pretoria, 0001, South Africa
Corresponding author: [email protected]
Abstract—Wireless sensor networks (WSNs) have become increasingly popular in many applications across a broad range of fields. Securing WSNs poses unique challenges mainly due to their resource constraints. Traditional public key cryptography (PKC) for instance is considered to be too computationally expensive for direct implementation in WSNs. Elliptic curve cryptography (ECC) allows one to reach the same level of security as traditional PKC using smaller key sizes. In this paper, a key distribution protocol was designed to securely provide authenticated motes with secret system keys using ECC based cryptographic functions. The designed scheme met the minimum requirements for a key distribution scheme to be considered secure and efficient in WSNs.

Keywords-wireless sensor networks; key distribution; authentication; network security; elliptic curve cryptography
I. INTRODUCTION
Wireless sensor networks (WSNs) already have a multitude of applications from wildlife monitoring to building safety but whatever their application the goal is always the same: collection of data from their environment and the subsequent control of corresponding actions. As WSNs are increasingly deployed as part of the Internet-of-Things and in critical environments, the need to protect the data they collect becomes crucial, with ad-hoc environments offering some out of the ordinary security challenges. Consequently the only way for WSNs to live up to their full potential is to make them secure enough to use in any environment. Securing a WSN poses unique challenges mainly due to the limitations of the motes (small, low power sensor nodes that combine to form a WSN) and the accessibility of the locations in which they are deployed. Because of these obstacles traditional security mechanisms are not suited to WSNs. Similar to other systems with distinct security requirements and platform limitations, like mobile or smart cards, efficient and secure systems are therefore needed before they can truly find widespread implementation with WSNs. Elliptic curve cryptography (ECC) could achieve the same level of security as traditional PKC (public key cryptography) but by using far smaller key
978-1-5090-2870-2/16/$31.00 ©2016 IEEE
sizes. This makes it possible to create very secure systems that can be implemented on currently available hardware. The objective of this paper is to propose a key distribution scheme to securely provide authenticated motes with secret system keys using ECC based cryptographic functions. Authenticating new motes onto the WSN involves determining whether the mote requesting authentication is in fact a valid mote added by the system administrator, or an outside mote added to try to gain unauthorized access to the system. After it has been ascertained that the mote is valid and should be allowed to join the network, a secret system-wide (user specified) security key is securely communicated to the mote. The protocol was designed in such a way that it could resist attack even if an adversary is able to obtain a working knowledge of the protocol or any pre-programmed keys (either by reverse engineering the memory from a compromised mote or by obtaining the source code). The protocol also adhered to the various internationally accepted standards and recommendations. Software was designed to implement the new protocol for both client motes (individual motes that will make up the sensor network) and the secure bridge or base mote (the mote that will bridge the network to the PC (personal computer) based control software) as well as the security management application the user will use to control the WSN. The rest of the paper is organised as follows. Section II gives a general overview of the relevant literature. Section III describes the detailed design of the new distribution scheme. In Section IV the results are presented and discussed. Finally, the paper is concluded in Section V.

II. BACKGROUND
A. Wireless Sensor Networks
A WSN is a collection of small discrete sensor devices called motes that collaborate towards a common goal. This goal could be data collection, monitoring or data provisioning (data on demand).
Security is one of the most important problems facing the WSN paradigm. Securing WSNs creates a unique challenge because of the following factors: (1) they are normally deployed publicly, (2) they use open wireless communication channels, (3) they have limited hardware resources and (4) they are sometimes deployed in hostile environments. The motes are designed to be cheap and expendable and if that is combined with public deployment, an environment is created where it is very easy for an attacker to physically capture or destroy any number of the motes. This means that motes cannot carry any data that can compromise the system security and that the network should be resilient enough to overcome the loss of a few motes. As a result of an attacker being easily able to interface powerful computers with the network it is required that strong security primitives be used. Furthermore, if an attacker has captured a mote he could reverse engineer the code on it which means that one cannot rely on secrecy of the protocol or algorithms used to secure the network. All the mechanisms used to defend the network must be implemented on the extremely limited mote hardware. Designing a security scheme capable of defending a WSN requires the use of security services such as privacy, authentication and key distribution. These services are implemented through the use of security primitives such as symmetrical key encryption, hash functions and public key cryptography.

B. Key Distribution in WSNs
A secure and efficient key distribution scheme must meet the following requirements: confidentiality, integrity, authentication, flexibility and scalability. Secret Key Cryptography (SKC) techniques are attractive due to their energy efficiency. A number of techniques have been proposed. They all rely on the basic principle of key pre-distribution before deployment. The goal is to achieve the highest level of connectivity (i.e. should be able to establish connections with most neighbouring nodes) and resilience (i.e. captured motes should not compromise the system security) using as little memory as possible.
However, because of the probabilistic nature of these schemes and the limited memory available these techniques are not able to achieve both perfect connectivity and perfect resilience. More recently  and  proposed key distribution techniques that utilise identity-based cryptography (IBC). In IBC, the identity of the node can be used as its public key instead of having a certificate that binds it to its public key. Other studies such as  have provided public key schemes that use hash functions and Merkle trees to provide very efficient solutions, but these schemes also have serious limitations, i.e. their efficiency drops as the size of the network increases. Another technique is public-key cryptography (PKC). When using PKC, motes can set up secure connections without needing pre-distributed keys by using key agreement algorithms like Diffie-Hellman or through distributing PKC encrypted keys. In this way any two nodes can connect to each other and capturing one node does not compromise the security of the other motes. PKC is the most widely used method for setting up secure connections and is used by, among many others, Secure Socket Layer (SSL) and the IPsec standard. The biggest problem, however, with using PKC is that it is computationally very complex and traditional techniques like RSA or ElGamal are assumed to be unfeasible for use with sensor networks. If RSA, one of the most popular and widely used PKC techniques used today, is considered, the National Institute of Standards and Technology (NIST) suggests 1024 bit modulus and 160 bit private keys are needed to provide strong security.
Computations with 1024 bit and 160 bit values on small 8 or 16 bit processors running at 8 MHz are too slow and require large memories. Recently though it has been shown that certain types of PKC systems are indeed feasible. According to , NtruEncrypt, Rabin's scheme and ECC are some of the more popular schemes. With NtruEncrypt, both encryption and decryption use only simple polynomial multiplication, meaning these operations are very fast compared to other asymmetric encryption schemes. A major drawback is, however, that NtruEncrypt has not yet undergone enough cryptographical analysis to be considered secure. Rabin's scheme is based on the factorization of large numbers and is therefore similar to the security of RSA with the same size modulus. ECC has been the preferred choice for various PKC implementations due to its fast computations, small key size and compact signatures. For example, to provide equivalent security to 1024-bit RSA, an ECC scheme only needs 160 bits on various parameters, such as 160-bit finite field operations and 160-bit key size. Two of the more popular ECC implementations on the TinyOS platform are: TinyECC and EccM. These implementations are compared in  and it is clear that TinyECC is the superior implementation with 160 bit sign and verify time of under 2 seconds, where EccM takes more than 30 seconds.

C. Algorithm Implementations
TinyECC is the TinyOS implementation of ECC operation in WSNs. It is an open-source ready-to-use library which includes three popular ECC schemes: the Elliptic Curve Digital Signature Algorithm (ECDSA), the Elliptic Curve Diffie-Hellman (ECDH) scheme, and the Elliptic Curve Integrated Encryption Scheme (ECIES). The mentioned ECC algorithms are variants of the respective algorithms of the same names. TinyECC was designed to be portable, efficient, resource aware and configurable. The performance of TinyECC has also been evaluated on different motes.
From these performance figures it is evident that even though the MicaZ motes are faster than TelosB motes, they consume more energy while using comparable memory. Furthermore, one can see that disabling the optimizations might save time on startup and a little bit of memory usage, but causes the actual encryption and decryption time to become impractically long. Finally it is notable that the Tmote Sky mote (being basically the same hardware platform as the TelosB with the only difference of doubled processor clock speed) performed consistently about twice as well on speed tests. Once two or more motes have agreed on a shared key (either through key agreement or some other key distribution scheme) one can continue using PKC to provide secrecy and authentication. However, this option is very inefficient due to the complexity of PKC primitives, and does not carry any distinct advantage over SKC. For this reason PKC is generally used to provide key distribution, i.e. setting up the secure channel, and from there SKC can be used to provide privacy and authentication for sending data over the channel. The Advanced Encryption Standard (AES), which was published by NIST in 2001, was adopted by the US government as the new federal standard intended to replace the Data Encryption Standard (DES). AES is a symmetric block cipher that operates on block sizes of 128 bits with a key that can be 128, 192, and 256 bits long. The key size determines the number of repetitive operations (rounds) performed on each block (10, 12 and 14 respectively) and the algorithm produces a 128-bit output.
The original AES algorithm is not usually implemented in WSN applications because it is computationally expensive. It was however found that it is still feasible for use on these wireless devices. There have also been many proposed optimised implementations that improve the algorithm's performance. In  a series of benchmarks comparing software AES encryption against the hardware CC2420 functions are presented. It was found that hardware encryption is indeed much faster than the software approach. The CC2420 provides two modes of hardware security: standalone mode and in-line mode. The standalone mode can be used by the application layer for encryption and decryption functions as opposed to the in-line mode which can be used in the data link layer to provide authentication and secrecy. The in-line mode provides several sub-modes that provide various combinations of secrecy and authentication. These modes are: (1) Cipher Block Chaining Message Authentication Code (CBC-MAC) which provides authentication, (2) Counter (CTR) which provides encryption/decryption and (3) CCM (CTR CBC-MAC) which provides both functionalities. CBC-MAC alone does not provide any form of secrecy while CTR has serious flaws. It is recommended that no application should use CTR mode. CCM on the other hand provides good security and performance with minimal overhead.

III. DETAILED DESIGN
The system starts with the client mote generating its keypair, then sending its identity (network address and public key) to the secure bridge mote, which then forwards that request to the management application. Once the management application receives an authorization request it asks the user to authenticate the mote. Once the user authenticates the mote the management application sends the system key to the secure bridge mote which then encrypts the system key and sends the encrypted key to the client. When the client receives the encrypted key it decrypts it and sets up the hardware security using the system key.
Once the hardware security setup is complete the client starts running a simple test program (possibly a data collection program) to show that the system works.

A. Design Considerations
The proposed scheme was implemented and tested on Crossbow TelosB motes. The mote identity was chosen to be a combination of network address and a public key. The public key would be generated from the private key which would in turn be generated by a sensor based true RNG that would have to be designed as part of the client software. This dynamic identity scheme was chosen because of the excellent protection it offers against physical attacks and its ease of use. Furthermore ECIES with 160 bit keys was chosen as the key distribution algorithm because it was recommended by various international standards bodies and suits the scheme. For symmetric security AES CCM was chosen because of recommendations by the standards bodies and because of the availability of a very efficient hardware implementation. For PKC functions TinyECC was chosen because it provided the best performance and flexibility. To develop the management software, the QT4 platform was chosen because of ease of use and great support. Furthermore, Linux (2.6.x 64bit kernel) with KDE 4.1 would be used as the reference platform; porting the management software to other platforms (including Windows) would be trivial given that QT4 is cross-platform. KDevelop and QTDesigner would be used as the
IDE. The serial forwarder application was used to connect to mote hardware. Fig. 1 shows a block diagram of the conceptual design of the preferred solution. The three main components (management application, client and secure bridge) are shown, as well as the hardware platform.
Fig. 1. Conceptual System Design
The system architecture could best be described as an extended client-server architecture with the client motes running the client side of the system, while the management application is the server. The secure bridge mote, however, is neither a client nor a server but more of an intelligent bridge or translator. It connects the wireless clients to the server application by forwarding requests in both directions, but it does more than just simply forward data; it implements both the PKC and SKC algorithms used on the wireless network.

B. Authorisation
Authorisation starts with the client mote starting up, and using the sensor data as input to the random number generator, which generates a 160 bit private key. The private key is then used to generate a 168 bit public key. The public key and device address are added to an authorization request message. This authorization request message is then encrypted using AES CCM and a hard coded 128 bit start-up key. This symmetric encryption using the start-up key is not absolutely needed as the system will not be compromised if an attacker learns the public key, but is added as an extra layer of security that must be broken to compromise the system. The encrypted authorization request message is then transmitted to the secure bridge mote, where it is decrypted and verified. Next the decrypted authorization request is sent to the management application where the user is shown the public key and mote address. The user can then decide to authorize the mote onto the network. Once the user authorizes the mote the key distribution protocol is started. It is important to note that the client mote does not need to be within the transmission range of a common bridge mote. The protocol stays the same even if the packet has to go through a number of intermediate motes.
Even though the intermediate motes are able to decrypt the packet, the message integrity is protected by a MAC and having the client’s public key is of no use to a possible attacker.
C. Key Distribution
Once the user has decided to authorize a mote, the management application starts by sending the secure bridge mote the public key and address of the client it wishes to authorize. Next it sends the system key which is encrypted using the ECIES algorithm with the client’s public key. After ECIES encryption, the encrypted key is again secured with AES CCM using the start-up key to ensure it arrives at the client unmodified. When the client has received and decrypted the message it continues to decrypt the system key with ECIES using its own private key and, once done, sets the AES algorithm key to the system key. If at any point the system key needs to be updated, the key distribution procedure is simply repeated as before only substituting the new system key.

D. Privacy and Authenticity
When a mote has been authorized and received the system key, it can then proceed to start running the data collection program (for testing purposes this took the form of a simple data collection node). Once the data collection program has collected data and wishes to securely transmit the data back to the secure bridge mote, it must encrypt the data and add a MAC to enable the secure bridge mote to verify the authenticity of the packet. This is also where replay attack protection must be implemented. A simple method to implement replay attack immunity is to add a non-repeating sequential counter into the data packet. The management application (which contains basic data collection functions) records the value of the counter in each received data packet and validates each consecutive data packet by ensuring that its counter is larger than the previous packet’s counter. In this way, even if a packet is lost, no re-synchronisation process is necessary. There is however a caveat; the size of the counter determines the maximum amount of data packets that can be transmitted before the system key needs to be updated.
For the test example, this counter was chosen as a 16 bit value allowing 65536 data messages to be sent before a key change is needed, and assuming one message is sent by a client every minute the system key should only need changing every 45 days. If required it is very easy to enlarge this counter.

IV. RESULTS
In the system a once-off setup time of just less than 22 seconds is required. This is, admittedly, not insignificant especially as the network size grows but it has the advantage of being a once-off setup after which the client can securely communicate to all other authorized clients without any further setup time. Furthermore each consecutive message takes only a few ms to authenticate using hardware CBC-MAC. This means that after a very short time the final scheme gains a big advantage over the originally specified scheme. This time also assumes that the human operator can immediately authenticate the node which might not always be the case and could greatly affect the setup time. The system is fully capable of working with multiple motes meaning that it is scalable. This means that as the network size grows, little to no modification will be required to the system. It is also flexible in that each of the subsystems can be replaced or upgraded without affecting the rest of the system. Flexibility and reliability were two of the requirements listed in  for a key distribution scheme to be considered secure and efficient which bodes well for the system. The other three requirements (confidentiality, integrity and availability) are also met by this scheme.
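The key wrap of Section III-C, written out as an added example (not code from the paper or from TinyECC): the client's 168-bit public key is treated as a compressed point, and the bridge wraps a 128-bit system key under it. The curve (secp160r1), the hash-based KDF, the XOR cipher and the HMAC-SHA-256 tag are assumptions, the OS random source stands in for the sensor-based RNG, and the outer AES-CCM layer under the start-up key is omitted.

```python
# Added example: ECIES delivery of a 128-bit system key (standard library only).
# Assumptions: curve secp160r1, counter-mode SHA-256 KDF, XOR cipher, HMAC-SHA-256
# tag. The arithmetic is not constant-time; the block shows the data flow.
import hashlib
import hmac
import secrets

P = 2**160 - 2**31 - 1
A = P - 3
B = int("1C97BEFC" "54BD7A8B" "65ACF89F" "81D4D4AD" "C565FA45", 16)
G = (int("4A96B568" "8EF57328" "46646989" "68C38BB9" "13CBFC82", 16),
     int("23A62855" "3168947D" "59DCC912" "04235137" "7AC5FB32", 16))
N = int("01" "00000000" "00000000" "0001F4C8" "F927AED3" "CA752257", 16)
MAC_LEN = 32

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def compress(pt):
    """21-byte (168-bit) encoding: parity prefix 0x02/0x03 plus 20-byte x."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(20, "big")

def decompress(data):
    """Decode a compressed point, rejecting anything that is not on the curve."""
    if len(data) != 21 or data[0] not in (2, 3):
        raise ValueError("bad point encoding")
    x = int.from_bytes(data[1:], "big")
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)          # square root, valid as P % 4 == 3
    if x >= P or y * y % P != rhs:
        raise ValueError("point is not on the curve")
    return x, (y if (y & 1) == (data[0] & 1) else P - y)

def kdf(shared_x, length):
    """Counter-mode hash KDF over the shared x-coordinate."""
    z, out, ctr = shared_x.to_bytes(20, "big"), b"", 1
    while len(out) < length:
        out += hashlib.sha256(z + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def keygen():
    """Client mote: private scalar and 168-bit public key."""
    d = secrets.randbelow(N - 1) + 1       # OS CSPRNG stands in for the sensor RNG
    return d, compress(mul(d, G))

def ecies_encrypt(pub, system_key):
    """Bridge side: wrap system_key for the holder of pub."""
    q = decompress(pub)
    k = secrets.randbelow(N - 1) + 1       # fresh ephemeral scalar per message
    keys = kdf(mul(k, q)[0], len(system_key) + MAC_LEN)
    ek, mk = keys[:len(system_key)], keys[len(system_key):]
    ct = bytes(m ^ e for m, e in zip(system_key, ek))
    return compress(mul(k, G)) + ct + hmac.new(mk, ct, hashlib.sha256).digest()

def ecies_decrypt(priv, blob):
    """Client side: check the tag before releasing the system key."""
    if len(blob) < 21 + MAC_LEN:
        raise ValueError("short message")
    r, ct, tag = decompress(blob[:21]), blob[21:-MAC_LEN], blob[-MAC_LEN:]
    keys = kdf(mul(priv, r)[0], len(ct) + MAC_LEN)
    ek, mk = keys[:len(ct)], keys[len(ct):]
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")
    return bytes(c ^ e for c, e in zip(ct, ek))
```

Because `decompress` rejects any x-coordinate that does not lie on the curve, the ephemeral point received by the client is validated before the private scalar touches it.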
The computational overhead of the added security protocol can be defined as the amount of time that was needed to perform the hardware security functions and send the entire secured packet versus the time it took to send the entire packet without any security functions. An experiment was conducted to find the time taken to send the message from the upper layer, which means that this time includes the time taken by the device to perform the hardware security functions which makes up a large part of the measurement. It was found that the hardware security features (even being an order of magnitude quicker than ECDSA) still introduce a 26% overhead when looking at the time to transmit a single packet. However, this is not as important as the packet overhead which is user configurable from the default 20% to under 8% when sending very large packets. Furthermore, the sending of a single packet is a small part of an entire WSN program and if taken in a larger context introduces much less than 26% overhead. Fig. 2 shows the packet overhead against the TinyOS data field size. The random number generator provides many advantages in relation to the ability to resist hardware attacks. Using the onboard sensor as a source of entropy provides a convenient way to create a TRNG (true random number generator). Due to the use of a secure hashing mechanism in the RNG it can also be expected to be very secure, even in the worst case scenario (e.g. when the devices are deployed in a very stable environment, this could maximize the chances of producing the same sensor data). The system showed very strong protection against the replay attack. Although the system can detect replay attacks, it is not immune to them and a denial of service type of attack against the system could be feasible.
Fig. 2. Packet overhead vs. data field size
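The counter check of Section III-D as an added example (not the paper's code): the receiver verifies the MAC before it compares and stores the counter, so a forged packet cannot advance the stored value and lock out the real mote. The packet layout, the tag length and the truncated HMAC-SHA-256 tag standing in for the AES-CCM MAC are assumptions.

```python
# Added example: receiver-side counter check for replay protection.
# Assumption: a truncated HMAC-SHA-256 tag stands in for the AES-CCM MAC.
import hashlib
import hmac
import struct

COUNTER_BITS = 16                 # counter width used in the paper's test example
TAG_LEN = 8                       # constructed value for this example
HEADER = struct.Struct(">HH")     # mote address, counter (constructed layout)


def key_lifetime_days(counter_bits, packets_per_minute):
    """Days until the counter space is used up and a new system key is needed."""
    return (1 << counter_bits) / (packets_per_minute * 60 * 24)


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def make_packet(key, addr, counter, payload):
    """Mote side: never wrap the counter; exhaustion is the rekey trigger."""
    if counter >= 1 << COUNTER_BITS:
        raise OverflowError("counter exhausted, system key must be replaced")
    body = HEADER.pack(addr, counter) + payload
    return body + _tag(key, body)


class Receiver:
    """Tracks the highest authenticated counter seen from each mote."""

    def __init__(self, key):
        self.key = key
        self.last = {}

    def rekey(self, key):
        """A new system key restarts every mote's counter."""
        self.key = key
        self.last.clear()

    def accept(self, packet):
        """Return (payload, verdict); payload is None unless verdict is 'ok'."""
        if len(packet) < HEADER.size + TAG_LEN:
            return None, "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # Verify the MAC first so a forged counter can never advance state.
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return None, "bad-mac"
        addr, counter = HEADER.unpack_from(body)
        if counter <= self.last.get(addr, -1):
            return None, "replay"
        self.last[addr] = counter
        return body[HEADER.size:], "ok"


def demo():
    """Constructed traffic: normal, replayed, lost-then-late and forged packets."""
    key = bytes(range(16))                         # constructed system key
    rx = Receiver(key)
    p0 = make_packet(key, 0x0001, 0, b"temp=21")
    p5 = make_packet(key, 0x0001, 5, b"temp=22")   # packets 1..4 were lost
    p3 = make_packet(key, 0x0001, 3, b"temp=20")   # arrives after p5
    forged = make_packet(bytes(16), 0x0001, 0xFFFF, b"temp=99")
    other = make_packet(key, 0x0002, 0, b"temp=18")
    return [rx.accept(p)[1] for p in (p0, p0, p5, p3, forged, other)]
```

A packet that arrives after a later one has been accepted is dropped as a replay; that is the cost of needing no re-synchronisation when packets are lost.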
V. CONCLUSION
In this paper, a complete security scheme using ECC algorithms was designed. The scheme met the minimum requirements for a key distribution scheme to be considered secure and efficient. The only concern is the system overhead caused by the scheme and its setup time, but these values should be acceptable for most applications where security is a concern. Results regarding the RNG were very promising and might be worth further investigation as there is currently no project that implements this kind of true RNG, even though it is so well suited to WSNs. Further observations suggest that the system is very stable and could be easily adapted to many tasks by simply adding functionality in the client application. A suggestion for future work is more rigorous testing to find all vulnerabilities and exploits to be able to improve the system. Removing the human operator from the process to make the system more scalable would also be useful.
References
A. Kumar and G.P. Hancke, "Energy Efficient Environment Monitoring System Based on the IEEE 802.15.4 Standard for Low Cost Requirements," IEEE Sensors Journal, vol. 14, no. 8, pp. 2557-2566.
W. Du, J. Deng, Y. Han, S. Chen, and P. Varshney, "A key management scheme for wireless sensor networks using deployment knowledge," Proceedings of the IEEE , Hong Kong, 2004, pp. 586-597.
C. Opperman and G.P. Hancke, "Using NFC-enabled Phones for Remote Data Acquisition and Digital Control," IEEE Africon, Livingstone, 2011, pp. 1-6.
B. de Silva, R. Fisher, A. Kumar, and G.P. Hancke, "Experimental Link Quality Characterization of Wireless Sensor Networks for Underground Monitoring," IEEE Transactions on Industrial Informatics, vol. 11, no. 5, pp. 1099-1110, October 2015.
S. Chinnapen-Rimer and G.P. Hancke, "Actor coordination using infogap decision theory in wireless sensor and actor networks," Inderscience International Journal of Sensor Networks, vol. 10, no. 4, pp. 177-191.
C. Kruger and G.P. Hancke, "Benchmarking Internet of Things Devices," IEEE International Conference on Industrial Informatics, Porto Alegre, 2014, pp. 611-616.
K. McCuster and N. O'Connor, "Low-energy symmetric key distribution in wireless sensor networks," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 3, pp. 363-376, 2011.
K. Lakshmanarao and H. Maringanti, "Hashed identity based secure key and data exchange in wireless sensor networks using IEEE 802.15.4 standard," International Journal of Applied Engineering Research, vol. 10, no. 9, pp. 23231-23241, 2015.
W. Du, R. Wang, and P. Ning, "An efficient scheme for authenticating public keys in sensor networks," Proceedings of the 6th ACM International Symposium on Mobile Ad Hoc Networking and Computing, New York, 2005, pp. 58-67.
G.P. Hancke, K. Markantonakis, and K. Mayes, "Security Challenges for User-Oriented RFID Applications within the 'Internet of Things'," Journal of Internet Technology, vol. 11, no. 3, pp. 307-313, May 2010.
A. Abu-Mahfouz and G.P. Hancke, "Distance Bounding: A Practical Security Solution for Industrial Real-time Location Systems?," IEEE Transactions on Industrial Informatics, vol. 9, no. 1, pp. 16-27.
G.P. Hancke, "Distance Bounding for RFID: Effectiveness of Terrorist Fraud in the Presence of Bit Errors," IEEE RFID-TA, Nice, 2012, pp. 9196.
Y. Zhou, Y. Fang, and Y. Zhang, "Securing wireless sensor networks: a survey," IEEE Communications Surveys & Tutorials, vol. 10, no. 3, pp. 6-28.
T. Ramotsoela and G.P. Hancke, "Data aggregation using homomorphic encryption in wireless sensor networks," Information Security for South Africa (ISSA) Conference, Johannesburg, 2015, pp. 1-8.
J. Liu, Y. Xiao, S. Li, W. Liang, and C. Chen, "Cyber Security and Privacy Issues in Smart Grids," IEEE Communications Surveys & Tutorials, vol. 14, no. 4, pp. 981-997, Jan 2012.
W. Chen, G.P. Hancke, K. Mayes, Y. Lien, and J.H. Chiu, "NFC Mobile Transaction and Authentication based on GSM Network," The 2nd IEEE International Workshop on Near Field Communication (NFC 2010), 2010, pp. 83-89.
M. Markantonakis, M. Tunstall, and G.P. Hancke, "Attacking Smart Card Systems: Theory and Practice," Elsevier Information Security Technical Reports, vol. 14, no. 2, pp. 46-56, May 2009.
K. Lauter, "The Advantages of Elliptic Curve Cryptography for Wireless Security," IEEE Wireless Communications, vol. 11, no. 1, pp. 62-67.
C. Buratti, A. Conti, D. Dardari, and R. Verdone, "An Overview on Wireless Sensor Networks Technology and Evolution," Sensors, vol. 9, no. 9, pp. 6869-6896, Aug 2009.
Y. Wang, G. Attebury, and B. Ramamurthy, "A survey of security issues in wireless sensor networks," IEEE Communications Surveys & Tutorials, vol. 8, no. 2, pp. 2-23, Feb 2007.
D. Burgner and L. Wahsheh, "Security of wireless sensor networks," 8th International Conference on Information Technology: New Generations, ITNG, Las Vegas, 2011, pp. 315-320.
Y. Xiao, et al., "A survey of key management schemes in wireless sensor networks," Computer Communications, vol. 30, no. 11-12, pp. 23142341, September 2007.
H. Chan, A. Perrig, and S. Dawn, "Random Key Predistribution Schemes for Sensor Networks," IEEE Symposium on Research in Security and Privacy, Washington, 2003, pp. 197-213.
P. Vamsi and K. Kant, "A taxonomy of key management schemes of wireless sensor networks," International Conference on Advanced Computing and Communication Technologies, ACCT, Rohtak, 2015, pp. 690-696.
A. Perrig, R. Szewczyk, J. Tygar, V. Wen, and D. Culler, "SPINS: Security protocols for sensor networks," Wireless Networks, vol. 8, no. 5, pp. 521-534, Sep 2002.
National Institute of Standards and Technology. (2007, March) NIST Computer Security Resource Center. [Online]. csrc.nist.gov/publications/nistpubs/800-56A/SP80056A_Revision1_Mar08-2007.pdf
G. Gaubatz, J. Kaps, E. Ozturk, and B. Sunar, "State of the art in ultralow power public key cryptography for wireless sensor networks," 3rd IEEE International Conference on Pervasive Computing and Communications Workshops, Kauai Island, 2005, pp. 146-150.
J. Hoffstein, J. Pipher, and J. Silverman, "NTRU: A Ring-Based Public Key Cryptosystem," Proceedings of the Third International Symposium on Algorithmic Number Theory, ANTS, London, 1998, pp. 267-288.
Information Technology Laboratory, "Digital Signature Standard," National Institute of Standards and Technology, Gaithersburg, Federal Information Processing Standards Publication FIPS PUB 186-3, 2006.
R. Roman, C. Alcaraz, and J. Lopez, "A Survey of Cryptographic Primitives and Implementations for Hardware-Constrained Sensor Network Nodes," Mobile Networks and Applications, vol. 12, no. 4, pp. 231-244, October 2007.
A. Liu and P. Ning, "TinyECC: A Configurable Library for Elliptic Curve Cryptography in Wireless Sensor Networks," IEEE International Conference on Information Processing in Sensor Networks, St Louis, 2008, pp. 245-256.
A. Banu and R. Velayutham, "Secure communication in Wireless Sensor Networks using AES algorithm with delay efficient sleep scheduling," Emerging Trends in Computing, Communication and Nanotechnology (ICE-CCN), Tirunelveli, 2013, pp. 706-711.
F. Zhang, R. Dojen, and T. Coffey, "Comparative performance and energy consumption analysis of different AES implementations on a wireless sensor network node," International Journal of Sensor Networks, vol. 10, no. 4, pp. 192-201, 2011.
M. Healy, T. Newe, and E. Lewis, "Resources Implications for Data Security in Wireless Sensor Network Nodes," IEEE International Conference on Sensor Technologies and Applications, SensorComm, Valencia, 2007, pp. 170-175.
N. Sastry and D. Wagner, "Security considerations for IEEE 802.15.4 networks," Proceedings of the 3rd ACM workshop on Wireless security, Philadelphia, 2004, pp. 32-42.