Key handling in wireless sensor networks


2007 J. Phys.: Conf. Ser. 76 012060 (http://iopscience.iop.org/1742-6596/76/1/012060)

Sensors and their Applications XIV (SENSORS07) Journal of Physics: Conference Series 76 (2007) 012060

IOP Publishing doi:10.1088/1742-6596/76/1/012060

Yue Li and Thomas Newe¹
Optical Fibre Sensors Research Centre, Department of Electronic and Computer Engineering, University of Limerick, Limerick, Ireland
[email protected]

Abstract. With the rapid growth of Wireless Sensor Networks (WSNs), many advanced application areas have received significant attention. However, security will be an important factor for their full adoption. Wireless sensor nodes pose unique challenges, and as such the security protocols used in traditional networks cannot be applied directly. Some new protocols have been published recently with the goal of providing both privacy of data and authentication of sensor nodes for WSNs. Such protocols can employ private-key and/or public-key cryptographic algorithms. Public key algorithms hold the promise of simplifying the network infrastructure required to provide security services such as privacy, authentication and non-repudiation, while symmetric algorithms require less processing power on the lower power wireless node. In this paper a selection of key establishment/agreement protocols are reviewed and they are broadly divided into two categories: group key agreement protocols and pair-wise key establishment protocols. A summary of the capabilities and security related services provided by each protocol is provided.

1. Introduction

Wireless sensor networks are more vulnerable to security attacks than wired ones due to their broadcast nature, their resource limitations and the uncontrolled environments in which they are often left unattended. In addition to the security requirements for fixed networks, such as identity authentication, data confidentiality and non-repudiation, WSNs have a number of additional requirements due to the constraints on sensor devices [1], which include:

• Scalability: ability to support a larger network. A key distribution protocol must support large networks, and must be flexible against a substantial increase in the size of the network even after deployment.
• Efficiency: storage, processing and communication limitations on sensor nodes must be considered.
• Key connectivity: probability that two (or more) sensor nodes store the same key. Enough key connectivity must be provided for a WSN to perform its intended functionality.
• Resilience: resistance against node capture. Usually higher resilience means a lower number of compromised links.

¹ To whom any correspondence should be addressed.

© 2007 IOP Publishing Ltd

A generic set of eight security requirements for protocols in WSNs, against which the protocols in this paper are evaluated, are given:

1. Confidentiality
2. Implicit key authentication
3. Forward secrecy
4. Assurance of key freshness
5. Contributory key agreement
6. Mutual Authentication of user
7. Resilience
8. Scalability

A selection of protocols for both key agreement and pair-wise key distribution are discussed in the following sections. A summary of the capabilities and services provided by each protocol is then provided.

2. Group Key Agreement Protocols

A group key agreement protocol relies on shared long-term keys between participants and servers in order to allow participants to construct a group key. This means that once a shared group session key is established among the group, symmetric encryption algorithms can be used to encrypt/decrypt the mission-critical messages and control information [11]. Symmetric key algorithms are generally used due to the computational limitations of current sensor nodes.

Recently, Bresson et al. and Tseng proposed two authenticated key agreement protocols [2][3] for resource-limited wireless nodes. Because both protocols employ an online/offline signature scheme [4] and shift much of the total amount of computation to the high-performance server, the computational cost of each node is reduced to only one exponentiation, one hash function and several multiplication operations, which minimizes the computation burden on mobile nodes.

Let $U = \{U_1, U_2, \dots, U_n\}$ be the initial set of low-power sensor nodes that want to generate a group key with powerful node $S$. Each client as well as the base station holds a pair of secret/public keys at the initialization phase before running the protocol. The following system parameters and notations are used to describe the security protocols in this section.

• $q$: a large prime.
• $p$: a large prime such that $p = 2q + 1$.
• $G_q$: the subgroup of quadratic residues in $\mathbb{Z}_p^*$, that is $G_q = \{i^2 \mid i \in \mathbb{Z}_p^*\}$.
• $g$: a generator for the subgroup $G_q$.
• $SK_i$: a low-power node $U_i$'s secret key in $\mathbb{Z}_q^*$.
• $PK_i$: a low-power node $U_i$'s public key such that $PK_i = g^{SK_i} \bmod p$.
• $SK_S$: the powerful node $S$'s secret key in $\mathbb{Z}_q^*$.
• $PK_S$: the powerful node $S$'s public key such that $PK_S = g^{SK_S} \bmod p$.
• $H()$: a one-way hash function $H$ with arbitrary length input and a fixed length output [5], i.e. $\{0,1\}^* \to \{0,1\}^k$, where $k$ is the length of the output.
• $Sig_{U_i}(m)$: the signing algorithm based on the ElGamal [6] or DSA [7] schemes under $U_i$'s secret key $SK_i$ and the signed message $m$.
• $\|$: denotes concatenation.

2.1 Bresson et al.'s key agreement protocol

Bresson et al. [2] adopted the offline signature technique [4] to propose an authenticated group key agreement protocol suitable for asymmetric wireless networks involving low-power mobile nodes. The offline signature technique reduces the computational burden placed on the low-power sensor nodes; however, the computational requirements of the base station remain high. The protocol was designed to provide security services such as implicit key authentication and forward secrecy. It is a two-round protocol and is computationally asymmetric.


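Mobile $U_i$:
    $x_i \in_R \mathbb{Z}_q^*$; $y_i = g^{x_i} \bmod p$; $\alpha_i = PK_S^{x_i} \bmod p$

1. $U_i \to S$: $y_i$, $Sig_{U_i}\{y_i\}$

Server $S$:
    $\alpha_i = y_i^{SK_S}$; $X = H(C \| \alpha_1 \| \alpha_2 \| \dots \| \alpha_n)$; $K_i = X \oplus H(C \| \alpha_i)$

2. $S \to U_i$: $C$, $K_i$

Mobile $U_i$:
    $X = K_i \oplus H(C \| \alpha_i)$; $K = H(X \| U_i \| S)$

Server $S$:
    $K = H(X \| U_i \| S)$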

Figure 1 Bresson et al.'s key agreement protocol

In [8] Nam et al. presented a potential attack on Bresson et al.'s protocol. This attack made some strong assumptions, but it indicated a flaw in the protocol design which left the protocol susceptible to an impersonation attack. This indicates that the protocol does not satisfy some of the security services assessed here, such as implicit key authentication and forward secrecy.

2.2 Tseng's protocol

In [3] Tseng proposes a protocol which suggests some improvements on Bresson et al., see Figure 2.

Mobile $U_i$:
    $x_i \in_R \mathbb{Z}_q^*$ and $x_i^{-1}$; $y_i = g^{x_i} \bmod p$; $\alpha_i = PK_S^{x_i} \bmod p$

1. $U_i \to S$: $y_i$, $Sig_{U_i}\{y_i\}$

Server $S$:
    $x \in_R \mathbb{Z}_q^*$; $X = g^{x} \bmod p$; $z_i = y_i^{x} \bmod p$; $\alpha_i' = y_i^{SK_S} \bmod p$; $C = H(X \oplus z_1 \oplus \dots \oplus z_n)$; $K = X \prod_{j=1}^{n} z_j \bmod p$

2. $S \to U_i$: $C$, $(\alpha_i', z_i)$

Mobile $U_i$:
    $X = z_i^{x_i^{-1}} \bmod p$; $K = X \prod_{j=1}^{n} z_j \bmod p$

Figure 2 Tseng's key agreement protocol

Initially, each client $U_i$ selects a random $x_i \in_R \mathbb{Z}_q^*$ and computes $\alpha_i = PK_S^{x_i} \bmod p$ as well as $y_i = g^{x_i} \bmod p$, which is sent to server $S$ together with a signature on $y_i$. On receipt of the messages from participant nodes, the server $S$ can check the signature using the public key of $U_i$; if the verification is successful, $S$ proceeds to Step 2. In Step 2, $S$ chooses a random $x \in_R \mathbb{Z}_q^*$, computes $X$, $z_i$, $\alpha_i'$ and a checking value, $C$, and then $S$ broadcasts the message containing $C$, $\alpha_i'$ and $z_i$, for $i = 1, \dots, n$, to all clients. Upon receiving the broadcast message from $S$, each client $U_i$ authenticates the message from server $S$ by checking $\alpha_i = \alpha_i'$; if the check holds, the client computes $X$ and then verifies that $C$ is correct. Finally, client $U_i$ computes the group session key $K$ if the verification holds.

The design goal of Tseng's protocol is to achieve perfect forward secrecy, implicit key authentication and contributory key agreement. However, work undertaken by the author in the formal verification of this protocol reveals that this is not the case and an active adversary can fool mobile clients into accepting a session key generated by the adversary itself. This work is soon to be published.

2.3 Summary

The group key agreement protocols proposed by Bresson et al. and Tseng tried to achieve implicit key authentication and perfect forward secrecy while minimizing the computational burden on clients. Due to the significant reduction of computational cost on clients, those protocols are applicable to modern sensor nodes. However, both protocols fail to achieve their security goals, as they are vulnerable to impersonation attacks. Further improvement is required to modify the protocols to meet all their goals.
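A run of the Tseng message flow of Section 2.2 with toy numbers, as an added example that is not code from the paper or from Tseng. The group parameters (p = 2039, q = 1019, g = 4) are constructed and far too small for real use, SHA-256 stands in for H, and the signature on y_i is left out.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime; g = 4 is a quadratic
# residue and therefore generates the order-q subgroup G_q.
Q = 1019
P = 2 * Q + 1
G = 4

def rand_zq():
    """Uniform element of Z_q^* = {1, ..., q-1}."""
    return secrets.randbelow(Q - 1) + 1

def check_value(X, zs):
    """C = H(X xor z_1 xor ... xor z_n), as written in Figure 2."""
    acc = X
    for z in zs:
        acc ^= z
    return hashlib.sha256(acc.to_bytes(2, "big")).hexdigest()

def group_key(X, zs):
    """K = X * prod(z_j) mod p."""
    K = X
    for z in zs:
        K = K * z % P
    return K

class Client:
    def __init__(self, pk_server):
        self.x = rand_zq()
        self.y = pow(G, self.x, P)               # y_i = g^{x_i} mod p
        self.alpha = pow(pk_server, self.x, P)   # alpha_i = PK_S^{x_i} mod p

    def finish(self, C, alpha_prime, z_i, zs):
        # The page's server check: alpha_i must equal the received alpha_i'.
        if alpha_prime != self.alpha:
            raise ValueError("server authentication failed")
        # x_i^{-1} is taken mod q because g has order q.
        X = pow(z_i, pow(self.x, -1, Q), P)      # X = z_i^{x_i^{-1}} mod p
        if check_value(X, zs) != C:
            raise ValueError("check value C does not match")
        return group_key(X, zs)

def server_round(sk_server, ys):
    x = rand_zq()
    X = pow(G, x, P)
    zs = [pow(y, x, P) for y in ys]              # z_i = y_i^x mod p
    alphas = [pow(y, sk_server, P) for y in ys]  # alpha_i' = y_i^{SK_S} mod p
    return check_value(X, zs), alphas, zs, group_key(X, zs)

def run(n=3):
    sk_s = rand_zq()
    pk_s = pow(G, sk_s, P)
    clients = [Client(pk_s) for _ in range(n)]
    # Message 1: each y_i (signature verification omitted in this sketch).
    C, alphas, zs, k_server = server_round(sk_s, [c.y for c in clients])
    # Message 2: broadcast of C and every (alpha_i', z_i).
    keys = [c.finish(C, alphas[i], zs[i], zs) for i, c in enumerate(clients)]
    return k_server, keys
```
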

3. Pair-wise key establishment protocols

A pair-wise key between two nodes can be established through a trusted server or by utilizing key pre-distribution solutions, where two nodes exchange their pre-distribution key chains and discover a shared key if it exists. The SNEP [9] key agreement protocol (trusted server based) and a basic probabilistic key pre-distribution protocol are discussed in this section. The following notations are used to describe the security protocols in this section:

• $KP$: the number of keys in the key pool.
• $N_A$, $N_B$: the nonces generated by node A and node B.
• $K_{BA}$, $K_{AB}$: two encryption keys $K_{AB}$ and $K_{BA}$ between A and B.
• $K'_{AB}$, $K'_{BA}$: the secret MAC keys shared between A and B.
• $\{M\}K_{AB}$: the encryption of message $M$ with encryption key $K_{AB}$.
• $MAC(K'_{AB}, M)$: the computation of a MAC for a message using MAC key $K'_{AB}$.
• $M_1 \| M_2$: denotes the concatenation of two messages $M_1$ and $M_2$.
• $\alpha$: challenge.
• $\{\alpha\}K_i$, $i = 1, \dots, n$: a list of challenges encrypted with the keys in the node's key ring.
• $sk_{AB}$: session key between node A and node B.

3.1 SNEP key agreement protocol

To achieve two-party authentication and data integrity, SNEP [9] uses a message authentication code (MAC). Another important security property of SNEP is semantic security. This ensures that an eavesdropper has no information about the plaintext, even if it sees multiple encryptions of the same plaintext. SNEP achieves this security property by preceding each message with a counter value, which increments after transmission.

SNEP proposes that each node shares a master secret key $\chi_{AS}$ and a Pseudo Random Function (PRF) with the server, where A and S represent node A and server S respectively. Node A and server S can then generate encryption keys $K_{AS} = PRF(\chi_{AS}, 1)$ and $K_{SA} = PRF(\chi_{AS}, 2)$, and MAC keys $K'_{AS} = PRF(\chi_{AS}, 3)$ and $K'_{SA} = PRF(\chi_{AS}, 4)$.

SNEP uses a base station as a trusted agent for key setup. Assume that node A wants to establish a shared secret session key $sk_{AB}$ with node B. Since A and B do not share any secrets, they need to use a trusted third party, which is the base station S in this case. In the trust setup, both A and B share a master secret key with the base station, $\chi_{AS}$ and $\chi_{BS}$, respectively. The protocol uses SNEP with $N_A$ and $N_B$ to ensure strong key freshness. The key agreement protocol is specified in Figure 3 below.

Figure 3: Node-to-node key agreements using SNEP

At the start of the protocol, node A sends node B nonce $N_A$ together with the identity of node A. As soon as node B receives this message, node B generates nonce $N_B$ and creates $MAC(K'_{BS}, N_A | N_B | A | B)$. This MAC is then forwarded to the trusted server S by B, together with $N_A$, A, $N_B$ and B. In Step 3, upon receipt of the message containing the MAC authentication from B, S verifies the MAC using key $K'_{BS}$. If verification is successful, S will generate a shared session key between A and B, $sk_{AB}$. S encrypts the session key with $K_{SA}$ and sends it to A together with $MAC(K'_{SA}, N_A | B | \{sk_{AB}\}K_{SA})$. The base station also sends the same session key $sk_{AB}$ encrypted with $K_{SB}$ to B together with the authentication code $MAC(K'_{SB}, N_B | A | \{sk_{AB}\}K_{SB})$. Nodes A and B verify that the message is from the base station S using the MAC keys $K'_{SA}$ and $K'_{SB}$ respectively. If the authentication is successful, the session key is decrypted by node A and node B using $K_{SA}$ and $K_{SB}$ respectively. Now, node A and node B share a session key $sk_{AB}$.

In this memory-efficient protocol the nodes only need to share a key with the base station, and form keys with other nodes through the base station. Those nodes closest to the base station must forward a high volume of traffic between the nodes and the base station. This reduces the lifetime of the network as these nodes expend greater energy resources. Scalability is an issue with this protocol as all keys are formed through the base station. It may be suitable for smaller sensor networks but its reduced scalability is unsuitable for large sensor networks.

3.2 Basic Probabilistic Key Pre-distribution Protocol

Eschenauer and Gligor [10] proposed a probabilistic Key Pre-Distribution (KPD) scheme for pair-wise key establishment. The main idea was to let each sensor node randomly pick a set of keys from a key pool before deployment so that any two sensor nodes have a high probability of sharing at least one common key.

1. $A \to B$: $\{\alpha\}K_i$, $i = 1, \dots, n$
2. $B \to A$: $\{\alpha \| B\}sk_{AB}$
3. $A \to B$: $\{\text{known messages}\}sk_{AB}$

Figure 4 Basic probabilistic key pre-distribution protocol

In the key setup phase, for each sensor, $n$ keys are randomly drawn from the key pool without replacement. These $n$ keys and their identities form the key chain for each sensor node. To avoid exposing key IDs and key sharing patterns to an adversary, private shared-key discovery as shown in Figure 4 is recommended in the key discovery phase. In step 1, node A broadcasts a list of $\{\alpha\}K_i$, $i = 1, \dots, n$, where $\alpha$ is a challenge encrypted by a list of keys in the key chain. In step 2, after receiving the list of encrypted challenges, node B tries to decrypt those messages using the keys from its key chain to solve the challenge. If the challenge is solved, node B sends A an encrypted message under shared key $sk_{AB}$, which contains challenge $\alpha$ and the ID of node B. Upon receipt of the encrypted message from node B, node A decrypts the message using $sk_{AB}$ from its key chain. Finally, A sends B a pre-agreed set of messages encrypted under the session key $sk_{AB}$; if the message is decrypted by B then $sk_{AB}$ is confirmed to be a session key between node A and node B.

In [1], Camtepe et al. state that the scalability and resilience of the protocol are low. These properties can be improved by using a larger key pool, but a larger key pool means a smaller probability of key share, because the key-chain size may not increase due to storage limitations. The probability that a link is compromised when a sensor node is captured is $k/KP$, which is very high for small key pools and produces low resilience.
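The pool-size trade-off of the last paragraph in numbers, as an added example that is not part of the paper. The share probability uses the standard counting argument for two rings drawn without replacement (a formula the page does not give); the per-capture exposure is the page's k/KP with k taken as the key-chain size. Pool sizes, ring size, node count and seed are constructed values.

```python
import math
import random

def share_probability(pool, ring):
    """P(two key chains of size `ring` from a pool of `pool` keys share a key)."""
    if 2 * ring > pool:
        return 1.0   # pigeonhole: the two chains must overlap
    return 1 - math.comb(pool - ring, ring) / math.comb(pool, ring)

def tradeoff(ring, pools):
    """Rows of (KP, key connectivity, k/KP exposure per captured node)."""
    return [(kp, share_probability(kp, ring), ring / kp) for kp in pools]

def simulate(pool, ring, nodes=60, seed=7):
    """Deploy `nodes` sensors, link each pair that shares a key, capture node 0.

    Returns (fraction of pairs able to form a link, fraction of links between
    uncaptured nodes whose link key is in the captured node's chain)."""
    rng = random.Random(seed)
    rings = [set(rng.sample(range(pool), ring)) for _ in range(nodes)]
    pairs = linked = others = exposed = 0
    for i in range(nodes):
        for j in range(i + 1, nodes):
            pairs += 1
            common = rings[i] & rings[j]
            if not common:
                continue
            linked += 1
            if i == 0:
                continue   # the captured node's own links are not counted
            others += 1
            link_key = rng.choice(sorted(common))
            exposed += link_key in rings[0]
    return linked / pairs, (exposed / others if others else 0.0)

if __name__ == "__main__":
    for kp, p_share, p_capture in tradeoff(50, [500, 1000, 5000, 20000]):
        print(f"KP={kp:6d}  connectivity={p_share:.3f}  k/KP={p_capture:.4f}")
    print("simulated (KP=1000, k=50):", simulate(1000, 50))
```

With the chain size fixed, both columns fall together as KP grows: each captured node exposes a smaller share of links, but fewer neighbours can find a common key.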
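The SNEP node-to-node key agreement of Section 3.1 with both nodes and the base station, as an added example that is not code from the paper or from SPINS. HMAC-SHA256 stands in for the PRF and the MAC, an XOR keystream stands in for the cipher, and the function names, the use of the node's nonce to seed the keystream, and the length-prefixed MAC input are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

def prf(master, label):
    """PRF(chi, label); HMAC-SHA256 is a stand-in chosen for this example."""
    return hmac.new(master, bytes([label]), hashlib.sha256).digest()

def derive(master):
    """K_XS, K_SX, K'_XS, K'_SX from the master key chi_XS of node X."""
    return {"enc_to_s": prf(master, 1), "enc_from_s": prf(master, 2),
            "mac_to_s": prf(master, 3), "mac_from_s": prf(master, 4)}

def mac(key, *fields):
    # Length-prefix each field so the concatenation is unambiguous.
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def xor_cipher(key, nonce, data):
    """Stand-in for {M}K: XOR with a keystream bound to the nonce (<= 32 bytes)."""
    stream = hmac.new(key, b"stream" + nonce, hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

def server_handle(masters, na, nb, a, b, tag):
    """S: verify B's request MAC, then issue sk_AB to A and to B."""
    kb, ka = derive(masters[b]), derive(masters[a])
    if not hmac.compare_digest(tag, mac(kb["mac_to_s"], na, nb, a, b)):
        raise ValueError("request MAC from B does not verify")
    sk = secrets.token_bytes(16)
    ct_a = xor_cipher(ka["enc_from_s"], na, sk)
    ct_b = xor_cipher(kb["enc_from_s"], nb, sk)
    return ((ct_a, mac(ka["mac_from_s"], na, b, ct_a)),
            (ct_b, mac(kb["mac_from_s"], nb, a, ct_b)))

def node_accept(master, my_nonce, peer, ct, tag):
    """A or B: the MAC covers the node's own nonce, so a replayed reply fails."""
    k = derive(master)
    if not hmac.compare_digest(tag, mac(k["mac_from_s"], my_nonce, peer, ct)):
        raise ValueError("reply is not from S or is not fresh")
    return xor_cipher(k["enc_from_s"], my_nonce, ct)

def run():
    masters = {b"A": secrets.token_bytes(16), b"B": secrets.token_bytes(16)}
    na = secrets.token_bytes(8)                 # 1. A -> B: N_A, A
    nb = secrets.token_bytes(8)
    # 2. B -> S: N_A, N_B, A, B, MAC(K'_BS, N_A|N_B|A|B)
    tag = mac(derive(masters[b"B"])["mac_to_s"], na, nb, b"A", b"B")
    to_a, to_b = server_handle(masters, na, nb, b"A", b"B", tag)
    # 3. S -> A and 4. S -> B: {sk_AB}K, MAC(K', nonce|peer|{sk_AB}K)
    sk_a = node_accept(masters[b"A"], na, b"B", *to_a)
    sk_b = node_accept(masters[b"B"], nb, b"A", *to_b)
    return masters, na, to_a, sk_a, sk_b
```
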

4. Summary

In this paper an introduction to security issues in WSNs was given, and both group key agreement protocols and pair-wise protocols were discussed. The group key agreement protocols proposed by Bresson et al. and Tseng utilize public key algorithms for authentication of nodes but with less computational burden on the clients, which makes them well suited to modern sensor nodes. However, both protocols are vulnerable to impersonation attacks, which results in failure to achieve their initial goals of supplying implicit key authentication and forward secrecy.


Two efficient pair-wise key establishment protocols, SNEP key agreement and basic probabilistic key pre-distribution, are also discussed in this paper. Both protocols have weaknesses in scalability, which makes them not applicable to large wireless sensor networks.

                          Requirement list
Protocol                  1    2    3    4    5    6    7    8
Bresson et al.            √    x    *√   x    *√   *√   Low  Mod
Tseng's protocol          √    x    √    x    √    *√   Low  Mod
SNEP                      √    √    √    *√   x    √    Mod  Low
Basic probabilistic KPD   √    √    x    x    x    x    Low  Mod

√ - indicates that the protocol provides this service.
*√ - indicates that the protocol can be modified to provide this service.
x - indicates that the protocol does not provide this service.

Table 1 Requirements achieved by key distribution protocols

Table 1 summarizes which security requirements are achieved by the aforementioned protocols. The numbers in the table represent the security requirements referred to in section 1. Based on the study of these protocols, further research must be carried out to design an efficient protocol for resource-constrained sensor nodes to supply the required security services listed.

Acknowledgment

The authors wish to thank the following for their financial support:

• SFI Research Frontiers Programme grant number 05/RFP/CMS0071.
• The Embark Initiative, who fund this research through the Irish Research Council for Science, Engineering and Technology (IRCSET) postgraduate Research Scholarship Scheme.

References

[1] Camtepe, S. A. and Yener, B. (2005). Key Distribution Mechanisms for Wireless Sensor Networks: a Survey. Technical Report TR-05-07, March 23, 2005.
[2] Bresson, E., Chevassut, O., Essiari, A. and Pointcheval, D. (2004). Mutual authentication and group key agreement for low-power mobile devices. Comput. Commun., 27, 1730–1737.
[3] Tseng, Y.-M. (2007). A secure authenticated group key agreement protocol for resource-limited mobile devices. The Computer Journal, vol. 50, no. 1, pp. 41–52.
[4] Shamir, A. and Tauman, Y. (2001). Improved on-line/off-line signature schemes. In Proc. Advances in Cryptology—Crypto'01, Santa Barbara, CA, August 19–23, LNCS 2139, pp. 355–367. Springer-Verlag, Berlin.
[5] NIST/NSA FIPS 180-2 (2005). Secure Hash Standard (SHS). NIST/NSA, Gaithersburg, MD, USA.
[6] ElGamal, T. (1985). A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, 31, 469–472.
[7] NIST (1992). The Digital Signature Standard (DSA). Commun. ACM, 35, 36–40.
[8] Nam, J., Kim, S. and Won, D. (2005). A weakness in the Bresson-Chevassut-Essiari-Pointcheval's group key agreement scheme for low-power mobile devices. IEEE Communications Letter 9, 429–431.
[9] Perrig, A., Szewczyk, R., Tygar, J. D. and Culler, D. (2002). SPINS: Security Protocols for Sensor Networks. Wireless Networks 8, 521–534.
[10] Eschenauer, L. and Gligor, V. D. (2002). A key-management scheme for distributed sensor networks. In 9th ACM Conference on Computer and Communications Security.
[11] Newe, T. and Coffey, T. (2003). Security Protocols for 2G and 3G Wireless Communications. ACM ISICT 03, Dublin, Ireland, September 24–26, 2003, pp. 348–353.