Secured Communication Key Establishment for ...

Secured Communication Key Establishment for Cluster based Wireless Sensor Networks

Quazi Mamun, Rafiqul Islam, Mohammed Kaosar

School of Comp & Maths, Charles Sturt University, NSW, Australia

Abstract—The resource-constrained nature of wireless sensor networks (WSNs) has made security one of the biggest challenges. An efficient key management scheme is the prerequisite for ensuring security in WSNs. In this paper we present two versions of a secured key management scheme applied to the cluster based topology of sensor networks. The proposed schemes use partial key pre-distribution and symmetric cryptography techniques, and show high resilience to different security attacks. Whereas one version of the proposed protocol uses shared partial keys in a cluster, the other version uses private partial keys. Both versions of the proposed key management scheme outperform other random key pre-distribution protocols in the sense that they require less space and lower communication overhead, and offer a very high number of session key candidates.

I. INTRODUCTION

Security has become one of the key concerns for WSNs [1], [2]. This is because of the envisioned growth in utilizing sensor networks in a wide variety of environments, which are not benign. Most of the usage areas of WSNs are sensitive, and thus prone to different kinds of attacks [3]. A secured key management scheme is the prerequisite for secured WSNs. In the process of key management, cryptographic keys are generated, stored, protected, transferred, loaded, used, and destroyed. The aim is to establish and maintain secure channels among communicating parties [4]. Typically, key management schemes use administrative keys for the secure and efficient (re-)distribution and, at times, generation of the secure channel communication keys to the communicating parties. Communication keys may be pair-wise keys used to secure a communication channel between two nodes that are in direct or indirect communications [5], [6], [7], or they may be group keys shared by multiple nodes [8], [9], [10]. Network keys (both administrative and communication keys) may need to be changed (re-keyed) to maintain secrecy and resilience to attacks, failures, or network topology changes.

The design of a suitable key management scheme for a WSN is not trivial. Recently, the key management problem has been extensively studied in the context of WSNs. A good number of results have been attained [4], [5], [6], [7], [8], [9], [10], [11], [12]. Some of these schemes depend upon public-key algorithms [11], [12]. However, the low memory and energy constraints of sensor nodes limit the use of such key management schemes in the real world.

Key pre-distribution is another class of solution to this problem, using symmetric encryption techniques. The design should be lightweight but compromise-tolerant. Another major drawback of the existing schemes is that they generate a single key for communication between two sensor nodes. If the single key is captured by an adversary, the communication between the node pair is permanently destroyed, and thus the resilience of the network is lower. To overcome this drawback, partial keys are generated and used for communication between the node pairs. Each member node of a pair uses its partial keys in a different order. Thus two separate links are established between the nodes. Because of partial keys and different order lists, if one of the nodes is captured by an adversary, there is no risk involved because using a partial key a message can be neither encrypted nor decrypted. Thereby the resilience of the network is increased.

The aforementioned discussion dictates the need for a key management protocol for WSNs that is simple yet robust. In this paper, we propose a key management protocol for cluster based topology using partial key pre-distribution to establish pair-wise keys. In WSNs, sensor nodes are more power-constrained in terms of communication than computation. The amount of energy spent on a single communication can be used for hundreds of computations. This fact motivates saving a number of message transfers at the cost of a few more computations. Thus, in the proposed key management protocol, the number of message transfers for establishing secret keys is kept to the minimum.

Security and complexity analysis indicates that our scheme possesses the following properties:
• Neighbour sensor nodes can directly establish pair-wise keys;
• The scheme is updatable, scalable and robust against node capture attacks;
• Our scheme has significant advantages in terms of storage cost and communication cost at sensor nodes; and
• The minimum number of message exchanges takes place for establishing pair-wise keys.

The rest of the paper is organised as follows. We describe the works related to key management protocols of sensor networks in section II. As the protocol is based on cluster based topology, a brief overview of the cluster based topology is provided in section III. In section IV and section V we describe the proposed key management protocol. We evaluate the proposed protocol through analysis and simulation results in section VI. Finally, the paper is concluded in section VII.

II. EXISTING WORK FOR THE KEY MANAGEMENT PROCESS

Key management entails the basic functions of analysis, assignment, generation, and distribution [13]. During key analysis, keying requirements are analysed to determine the required number of keys for the network as well as the number of keys needed by each node. In addition, analysis may take place to determine keys that need updating. Next, key assignment is performed. Key assignment refers to the mapping of keys to different parties. Administrative key assignment is considered here since communication keys are simply assigned by agreement of parties wanting to establish a secure communication channel. Key assignment may be static or dynamic depending on the key management solution employed. Mapping decisions significantly impact the level of security offered by the key management scheme since a captured node may reveal all its keys to an attacker. If that node or a small number of nodes collectively possess all network administrative keys, capturing these nodes will jeopardize the security of the entire network. Therefore, when a node is captured, the fewer the keys known to that node, the smaller the security risk. However, since some schemes depend on the existence of overlapping keys among nodes to establish communication among these nodes, decreasing the number of keys known to a node may hamper network connectivity. In the third step, generation of administrative keys may take place once or multiple times over the lifespan of the network. The generation of communication keys is the responsibility of the communicating parties. In all cases, the key generating node(s) must be trusted by all key-receiving nodes.
In static key pre-distribution schemes, administrative keys are generated by a key server and loaded into nodes prior to deployment [2]. In other schemes, new keys are generated regularly throughout the lifetime of the network, possibly with a different key generated at different times. The fourth and last step, key distribution, refers to the delivery of keys to their designated nodes after they have been generated and assigned to the nodes. The distribution of communication keys usually takes place after the network has been deployed. Communication keys are used for a short period and should be regularly updated (this may include analysis, assignment, generation, and [re]distribution of network keys). Re-keying essentially comprises these basic functions, providing acceptable levels of security and conserving scarce resources, in particular energy, needed for network operations [14], [15]. Traditionally, the four basic functions discussed above have been tightly coupled, where all were performed by a centralized server or collaboratively by the nodes in a network, with each node performing the same functions. Existing proposals [16], [17], [18], [19] have moved to decouple these functions to various degrees. Such decoupling can immensely benefit sensor networks due to their large scale, high vulnerability to attacks, and limited resources. Keying functions are triggered by keying events. These events include network deployment, node addition, node eviction, or periodic (or on-demand) key refresh. Entities with key management responsibilities may include a key server, BS, gateway nodes, or even sensor nodes [20], [21].

Several key distribution schemes have been proposed for WSNs. Key management schemes in sensor networks can be classified broadly into dynamic [22], [13] or static [17], [18] solutions based on whether re-keying (update) of administrative keys is enabled post network deployment. Schemes can also be classified into homogeneous [17], [18] or heterogeneous [23] schemes with regard to the role of network nodes in the key management process. All nodes in a homogeneous scheme perform the same functionality. On the other hand, nodes in a heterogeneous scheme are assigned different roles. Homogeneous schemes generally assume a flat network model, while heterogeneous schemes are intended for both flat and clustered networks. Other classification criteria include whether nodes are anonymous or have pre-deployment knowledge (location, degree of hostility, etc.) imparted to the nodes. Another classification criterion is whether asymmetric (public key) cryptography or symmetric cryptography is used. Although there are some works in [24], [25] that customize public key cryptography and elliptic key cryptography for low-power devices, such approaches are still considered costly due to high processing requirements. The last classification criterion is pre-distribution [17], [18], [26] or post-distribution of secret keys. Recent research suggests that symmetric secret key pre-distribution is possibly the only practical approach for establishing secure channels among sensor nodes [27].
The milestone protocol for secret key management in WSNs was developed in [17]. This protocol uses a probabilistic key pre-distribution technique to bootstrap the initial trust between sensor nodes. The main idea is to have each sensor randomly pick a set of keys from a key pool before deployment. Then, in order to establish a pair-wise key, two sensor nodes only need to identify the common keys that they share. To bootstrap security using Eschenauer and Gligor’s original scheme, a network goes through three phases. In the first phase (key predistribution), which takes place prior to network deployment, a large pool of S keys and their IDs are generated. Each node is then assigned a ring of m keys, drawn from the pool at random, without replacement. In the second phase (shared-key discovery), which takes place during network setup, all nodes broadcast the IDs of the keys on their key rings. Through these broadcasts, a node finds out with which of their neighbours (as determined by communication range) they share a key. These keys can then be used for establishing secure links between the two neighbours. Finally, during the path-key establishment phase, pairs of neighbouring nodes that do not share a key can set up their own keys, as long as they are connected by two or more secure links at the end of shared key discovery. Because of the way keys are assigned, a key can be found in more than

Fig. 1. Communications in cluster based topology. (Figure labels: cluster head, cluster member, data exchange, Base Station (BS).)

two nodes, and used in multiple communication links. When a node is compromised, all its keys, and all the links secured by these keys are also compromised. The Eschenauer-Gligor scheme is further improved by Chan, by Hung-Min et al. [28], and by Liu and Ning [29].

The proposed key management scheme uses the proposed multi-cluster oriented logical topology, and can be classified by the characteristics of i) dynamic nature in re-keying of network keys (both administrative and communication), ii) heterogeneity, as different nodes (member nodes, cluster heads, BS) perform in different ways, iii) being anonymous, as the scheme does not assume any pre-deployment knowledge like location etc., iv) symmetric cryptography, and v) pre-distribution of partial keys.

III. OVERVIEW OF CLUSTER BASED SENSOR NETWORKS

Cluster based topology is common in WSNs. This topology is described in detail in [30]. In this topology, the base station (BS) is the data processing point for the data received from the sensor nodes, and where the data is accessed by the end-user. It is generally considered fixed and at a distance from the sensor nodes. Unlike the sensor nodes, the BS is considered to have no resource constraints, and thus a high volume of data processing and storage is available at this station. From each cluster, a node is selected as cluster head (CH), which acts as a gateway between the sensor nodes and the BS. The function of the CH of a cluster is to perform common functions for all the nodes in the cluster, like sending instructions to the cluster member nodes and aggregating the data before sending it to the BS. In some way, the CH is the sink for the cluster nodes, and the BS is the sink for the cluster heads. In a cluster based topology, a member node only sends and receives messages to and from its cluster head CH, as shown in Figure 1. The cluster heads of different clusters may communicate among themselves to send the data to the base station BS.

IV. OVERVIEW OF THE PROPOSED KEY MANAGEMENT SCHEME

The key management scheme proposed in this paper is based on partial key pre-distribution and symmetric cryptography. Because of the resource-constrained nature of WSNs, both pre-distribution of keys and symmetric cryptography are appropriate for WSNs. The scheme proposes that each of the sensors stores a set of partial keys (half-keys) rather than the set of full keys. This has two advantages: i) lower storage requirement and ii) even if a sensor is captured by an attacker, the attacker cannot obtain the encryption/decryption keys. Two communicating sensors in a cluster establish their encryption/decryption key by concatenating the partial keys. In the proposed scheme, keys are not assigned randomly from a key pool as in [17] and [26]. Consequently, the number of keys generated is much lower when compared with [17] and [26]. Nonetheless, the key management system remains secure, because a large number of keys can be generated by the sensors participating in a cluster, and each pair of sensor nodes uses a different communication key. Another important feature of the scheme is that two communicating nodes always use a new secret key for data encryption/decryption in each round. This feature enables WSNs to achieve resilience to attacks, as well as data freshness without generating a long nonce.¹ The two versions of the proposed key management scheme differ in the sense that in the first version (shared partial keys) all members of a cluster and the cluster head use the same set of partial keys. On the other hand, in the second version (private partial keys) each node selects its own set of partial keys. The advantages and disadvantages of using private partial keys instead of shared partial keys are discussed in Section VI. In [31], it is discussed that public key cryptography is not well suited for securing WSNs. Indeed, the memory of a sensor is typically insufficient to hold the long keys necessary to guarantee secure asymmetric cryptography.
Moreover, sensors are usually equipped with processors that require high energy and time to compute the modular exponentiations involved in the implementation of public key cryptography. Therefore, symmetric cryptography is used for the proposed key management scheme. Symmetric cryptography can be defined as follows: $\acute{\mu} = E_k(\mu)$ is an encrypted message, where $\mu$ is the plain text, $k$ is the secret key, and $E$ is the encryption algorithm. Accordingly, $\mu = E_k^{-1}(\acute{\mu})$ is the decryption of the same message $\mu$.

V. DETAILED DESCRIPTION OF THE PROPOSED KEY MANAGEMENT SCHEME

In describing the proposed scheme, various notations are used. Figure 2 lists these notations. Figure 3 describes the key management scheme (two versions interleaved) as a whole. For easy understanding, the scheme is divided into several steps, which are also marked in Figure 3. The steps are described below.

¹ A nonce is a cryptographic value that is used only once.

$N$ : total number of sensor nodes deployed
$n$ : total number of clusters
$k$ : total number of partial keys in the key pool
$C_i$ : i-th cluster
$CH_i$ : cluster head of cluster $C_i$
$NK$ : network key
$A_i$ : a sensor node which is in the cluster $C_i$
$BS$ : base station
$P$ : key pool of partial keys
$PK_i$ : i-th partial key
$ind_n$ : index of the n-th partial key
$ID(x)$ : unique identification of node $x$
$L$ : list of indexes of all partial keys
$L_i$ : list of indexes of partial keys designated for cluster $C_i$
$LPK_i$ : list of partial keys nominated for cluster $C_i$
$E$ : encryption function
$O_{A_i}$ : a set of indexes of partial keys selected by sensor node $A_i$
$R^q_{A_i}(L_i)$ : the function adopted by the node $A_i$ to select $q$ indexes from $L_i$ in a random order
$E_{NK}(M)$ : message $M$ being encrypted by network key $NK$
$K^t_{AB}$ : secret key established between sensor nodes $A$ and $B$ for the t-th round
$\|$ : concatenation function
$A \rightarrow B$ : node $A$ sends a message to node $B$

Fig. 2. Notation used in the proposed key management scheme.

Step 1 : Pre-distribution

A key pool of partial keys is generated at the BS prior to the deployment of sensors. The size of the key pool is an important factor to determine. Considering that an encryption/decryption key should be 128 bits long and the key pool contains 10,000 partial keys, each 64 bits long, the total memory consumption for storing all the partial keys in a sensor is ((128/2) × 10000) bits or 80KB. It should be noted that the Berkeley Mica Motes (one of the oldest sensors) have 128K bytes of program storage and 4K bytes of SRAM. Although the proposed scheme forces each sensor node to hold all the partial keys generated at the BS, soon after the cluster formation phase a sensor can delete all the partial keys except those nominated for it. Thus, if a sensor stores 500 partial keys, it requires only 4KB to store the partial keys. Note that, using $n$ partial keys, two nodes can establish up to $2 \times n^2$ secret session keys. The number of session key candidates is one of the important performance evaluation metrics. It simply refers to the minimum number of session keys possibly being created for data encryption/decryption.

Before deployment, each sensor is loaded with a key pool of partial keys $P$, a list of indexes $L$ (of the partial keys), a single network key $NK$, and a unique identifier $ID$. Note that, if a key pool contains $\eta$ partial keys, $\log_2 \eta$ bits are required for identifying each of the partial keys (to be used as index). Thus, initially a sensor node is loaded with around 98KB (80KB for partial keys $P$, 17.5KB for the index list, 128 bits of network key and identifier). Soon after the cluster formation, considering 500 partial keys in the nominated partial key list, each node requires 4KB for partial keys $P$, 875B for the index list, 128 bits of network key and identifier, or in total, not more than 5KB of memory.

Step 2: Cluster formation phase

The single network key and the unique identifier of each node are used for distributing the administrative keys securely and for authentication purposes, respectively. During the cluster formation phase, the proposed key management scheme authenticates each sensor in a cluster. Most sensor networks are used to protect or monitor critical infrastructures. In such structural monitoring applications, it would be a reasonable assumption that the sensor field is under super surveillance only during the deployment phase, which usually does not last too long [32]. Thus, it can be assumed that adversaries do not actively catch or attack individual sensor nodes in this phase, because otherwise they would run a high risk of exposing themselves. Therefore, a single network key can be assumed sufficient in the early deployment phase. However, an adversary might send strong signals as HELLO messages to tempt a sensor to consider it as its neighbour, and thereby become a member of a cluster. For this reason, in the proposed scheme, a three-tier authentication check is performed after forming a cluster. All members of the cluster send their IDs (encrypted by the network key) to the cluster head. After collecting all the IDs, the cluster head sends all the IDs along with its own ID and the cluster id to the BS for authentication.

Shared partial key version: In this version of the proposed key management scheme, all sensor nodes of a cluster (including the cluster head) share the same list of partial keys. After authenticating the members of a cluster, the BS communicates with all cluster heads. Note that all communications between the BS and the cluster heads are encrypted by the network key $NK$. The BS selects a set of a predetermined number of partial keys from the key pool $P$ for each cluster. We assume this number is 500.
Each cluster will have a different set of partial keys, and these keys will be used to establish the communication keys in the next phase. For each cluster $i$, an index list of the nominated partial keys, identified as $LPK_i$, is prepared. The BS sends the index list $LPK_i$ to the cluster head $CH_i$. The cluster head then disseminates $LPK_i$ to all member nodes of cluster $i$. Once a sensor node knows which partial keys it will use with its cluster head, it deletes the rest of the partial keys from $P$, which was loaded in the pre-distribution phase.

Private partial key version: Here, instead of all sensors in a cluster using the same partial keys, each node selects its own partial key list. Each sensor then creates the corresponding id list of the partial keys it chooses. After the authentication is performed successfully, the BS informs the cluster heads of the number of partial keys each node will be using. A cluster head selects a different set of partial keys (dictated by the BS) for each member of the cluster and sends the index list to the corresponding member node. A member node, on receiving a list from the cluster head, learns how many partial keys will be used in constructing the communication keys. The member node then selects its partial keys and sends the index list to the cluster head. Thus each node maintains two lists of

1. Pre-distribution
Before deployment, each sensor is loaded with
(i) A pool of partial keys, $P = \{PK_1, PK_2, \ldots, PK_k\}$, generated at the BS
(ii) A list $L = \{ind_1, ind_2, \ldots, ind_k\}$ that contains the index for each of the keys from the key pool $P$ such that $L(ind_n) = PK_n$ for $n = 1, 2, 3, \ldots, k$
(iii) A network key $NK$
(iv) A unique sensor node identification number $ID(i)$ for $i = 1, 2, 3, \ldots, N$

2. Cluster formation phase
(i) After the cluster $C_i$ ($i = 1, 2, \ldots, n$) is formed, all member nodes of the cluster send encrypted IDs to the cluster head $CH_i$:
$A_i \rightarrow CH_i : E_{NK}(ID(A_i))$ where $A_i \in C_i$
(ii) The cluster head $CH_i$ collects all the IDs and sends them along with its own ID to the base station for authentication:
$CH_i \rightarrow BS : E_{NK}(\{ID(A_i)_{A_i \in C_i},\ ID(CH_i)\})$

Shared Partial Keys:
(iii) If authentication is successful, the base station selects a list of partial keys $LPK_i$ from $P$ for each cluster and sends the list of indexes $L_i$ ($L_i \subseteq L$) to the cluster head of cluster $C_i$:
$BS \rightarrow CH_i : E_{NK}(\{L_i \mid L_i(ind_x) \in LPK_i\})$
(iv) $CH_i$ disseminates the encrypted list of indexes to all cluster members:
$CH_i \rightarrow \{A_i \mid A_i \in C_i\} : E_{NK}(L_i)$
(v) Each member node of the cluster deletes the partial keys that are not mapped by $LPK_i$ from $P$ to find out its partial key list:
$PKL_i = \{P \cap \{L(ind_x) \mid ind_x \in L_i\}\}$

Private Partial Keys:
(iii) If authentication is successful, the base station sends an acknowledgement to each cluster head $CH_i$ using a positive integer $\eta$ indicating the number of partial keys to be used for constructing the communication keys by each sensor node.
(iv) Cluster head $CH_i$ selects different sets of partial keys for each member of the cluster and sends the list of indexes $L^{A_i}_{CH_i}$ ($L^{A_i}_{CH_i} \subseteq L$) to each member $A_i$ of the cluster $C_i$:
$CH_i \rightarrow A_i : E_{NK}(L^{A_i}_{CH_i})$
(v) A member node $A_i$ of the cluster $C_i$ selects $\eta$ partial keys and sends the list of indexes $L^{CH_i}_{A_i}$ ($L^{CH_i}_{A_i} \subseteq L$) back to the cluster head $CH_i$:
$A_i \rightarrow CH_i : E_{NK}(L^{CH_i}_{A_i})$
(vi) Each member node of the cluster deletes the partial keys that are not used by either itself or the cluster head for constructing communication keys. Each node constructs partial key lists as below:
$PKL_{A_i} = \{P \cap \{L^{CH_i}_{A_i}(ind_x) \mid x = 1 \ldots \eta\}\}$
$PKL_{CH_i} = \{P \cap \{L^{A_i}_{CH_i}(ind_x) \mid x = 1 \ldots \eta\}\}$

3. Steady state phase
Shared Partial Keys: To establish an encryption/decryption key between a cluster member $A_i$ and the cluster head $CH_i$, the nodes act as follows:
(i) $CH_i \rightarrow A_i : E_{NK}(O_{CH_i}) = E_{NK}(R^q_{CH_i}(L_i))$
$A_i \rightarrow CH_i : E_{NK}(O_{A_i}) = E_{NK}(R^q_{A_i}(L_i))$
(the cardinality of $O_{A_i}$ and $O_{CH_i}$ is the same.)
(ii) Now both nodes $A_i$ and $CH_i$ compute the secret key for the t-th round as
$K^t_{A_i CH_i} = (L_i(O_{A_i}[t]) \,\|\, L(O_{CH_i}[t]))$
where $O_{A_i}[t]$ returns the t-th index of $O_{A_i}$. For the next round $A_i$ and $CH_i$ compute the secret key as
$K^{t+1}_{A_i CH_i} = (L_i(O_{A_i}[t+1]) \,\|\, L(O_{CH_i}[t+1]))$
and so on.

Private Partial Keys:
(i) $A_i$ and $CH_i$ compute the secret key for the t-th round as
$K^t_{A_i CH_i} = (PKL_{A_i}[t]) \,\|\, (PKL_{CH_i}[t])$
For the next round $A_i$ and $CH_i$ compute the secret key as
$K^{t+1}_{A_i CH_i} = (PKL_{A_i}[t+1]) \,\|\, (PKL_{CH_i}[t+1])$
and so on.

Fig. 3. Proposed key management scheme (two versions are shown interleaved)
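Added example (not code from the paper): a Python model of the three phases of Fig. 3 for both versions, showing which partial keys each node still stores after pruning and that a member and its cluster head derive the same 128-bit key in every round. The function and class names are assumptions, the messages that the scheme sends under E_NK are passed as plain values, and partial keys come from Python's secrets module because the paper names no generator.

```python
import secrets

PARTIAL_KEY_BYTES = 8           # 64-bit partial keys, as in Step 1
_rng = secrets.SystemRandom()   # assumption: the paper names no generator


def make_pool(k):
    """Step 1: the BS builds pool P; the mapping L(ind_n) = PK_n is a dict."""
    return {ind: secrets.token_bytes(PARTIAL_KEY_BYTES) for ind in range(k)}


def pick(indexes, count):
    """R^q(.): `count` distinct indexes taken from `indexes` in random order."""
    return _rng.sample(sorted(indexes), count)


class Node:
    """A member or cluster head, with the partial keys it currently stores."""

    def __init__(self, name, pool):
        self.name = name
        self.store = dict(pool)          # pre-distribution loads all of P

    def prune(self, keep):
        """Step 2 (v)/(vi): delete every partial key whose index is not kept."""
        self.store = {ind: self.store[ind] for ind in set(keep)}

    def covers(self, member_list, ch_list):
        """True if this node stores every partial key the two lists point to."""
        return (set(member_list) | set(ch_list)).issubset(self.store)

    def round_key(self, member_list, ch_list, t):
        """Step 3: K^t = PK[member_list[t]] || PK[ch_list[t]]."""
        return self.store[member_list[t]] + self.store[ch_list[t]]


def shared_version(pool, member_names, cluster_keys, q):
    """Shared partial keys: every node of the cluster keeps exactly L_i."""
    l_i = pick(pool, cluster_keys)                   # nominated by the BS
    ch = Node("CH", pool)
    members = [Node(name, pool) for name in member_names]
    for node in [ch, *members]:
        node.prune(l_i)
    # Per member: (O_A, O_CH), each exchanged once under E_NK in the scheme.
    links = {m.name: (pick(l_i, q), pick(l_i, q)) for m in members}
    return ch, members, links


def private_version(pool, member_names, eta):
    """Private partial keys: a member keeps only its own two index lists."""
    ch = Node("CH", pool)
    members = [Node(name, pool) for name in member_names]
    links = {}
    for m in members:
        l_ch = pick(pool, eta)       # (iv) chosen by CH for this member
        l_a = pick(pool, eta)        # (v) chosen by the member itself
        links[m.name] = (l_a, l_ch)
        m.prune(l_a + l_ch)          # (vi) member side
    ch.prune([ind for l_a, l_ch in links.values() for ind in l_a + l_ch])
    return ch, members, links


def keys_agree(ch, members, links, rounds):
    """Check that each member and CH derive the same key in every round."""
    return all(
        m.round_key(*links[m.name], t) == ch.round_key(*links[m.name], t)
        for m in members for t in range(rounds)
    )


if __name__ == "__main__":
    pool = make_pool(10_000)             # pool size used in Step 1
    names = ["A1", "A2", "A3"]           # constructed member names
    runs = (
        ("shared", shared_version(pool, names, 500, 100), 100),
        ("private", private_version(pool, names, 35), 35),
    )
    for label, (ch, members, links), rounds in runs:
        print(label,
              "keys stored by A1:", len(members[0].store),
              "keys stored by CH:", len(ch.store),
              "keys agree:", keys_agree(ch, members, links, rounds),
              "A2 stores A1's link material:", members[1].covers(*links["A1"]))
```

The last column makes the storage difference between the versions visible: in the shared version every member keeps all of L_i, while in the private version a member keeps only the two lists of its own link.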

partial keys, one partial key list for itself, and one for the cluster head.

Step 3: Steady state phase

At this phase, the sensor nodes are ready to establish the communication keys. Note that, in the cluster topology, a sensor node $A_i$ of cluster $i$ only communicates with its cluster head $CH_i$. In the shared partial keys version, for each member of cluster $i$, the cluster head $CH_i$ sends a unique order list $O_{CH_i}$, which contains the ordered list of index numbers of $q$ partial keys selected from $LPK_i$. In response, each member node $A_i$ creates an order list $O_{A_i}$, which has the same cardinality as $O_{CH_i}$ but a different order of the indexes, and sends $O_{A_i}$ to $CH_i$. Sensor $A_i$ and cluster head $CH_i$ can now construct their secret communication keys for each round. For simplicity, we use a simple concatenation function to create a communication key from two partial keys. After every $q$ rounds, the cluster head and the members can regenerate new order lists to create fresh communication keys. On the other hand, in the private partial keys version, the difference is that each sensor computes the secret key by concatenating entries from two partial key lists, one of its own and the other for the cluster head (see Figure 3).

If the cluster heads want to communicate among themselves, they can construct their session keys in a similar way if they share some common partial keys. This can be done by the BS while assigning the $LPK_i$s, by generating some common partial keys in each $LPK_i$ such that the cluster heads can construct a secure communication key among themselves. When a new cluster is reconstructed, the aforementioned procedures take place.

VI. ANALYSIS AND SIMULATION RESULTS

Each of the two versions of the proposed key management scheme has its advantages over the other.
One of the implications of using private partial keys is that it increases the resilience at the cost of more buffer space in each sensor, which has to store triple the number of partial keys compared to the shared partial keys approach. This is because a sensor has to save the partial keys of its own as well as the partial keys of its successor and predecessor sensor nodes. However, in this approach, sensors don't need to store the partial key order lists of neighbouring sensors. Using private partial keys instead of shared partial keys also increases the domain of session key candidates. This is shown in Figure 5. Thus the private partial keys approach requires a lower number of partial keys compared to the shared partial keys approach to have the same number of session key candidates. For example, from Figure 5 we find that 35 private partial keys can create as many session key candidates as can be generated using 50 shared partial keys. Now, to store 50 keys (each key 128 bits) in the shared keys approach around 800 bytes are required, whereas using 35 private keys around 560 bytes are required. Both storage requirements are affordable by a sensor.

Another implication of the private partial key method is that whenever an adversary captures a node, it can, at best, find out the possible link encryption/decryption keys used by that node only. Thus the probability that an adversary can decrypt a random communication link by knowing another node is greatly reduced.

While designing a communication scheme and imposing security constraints on it, the first thing to consider is the number of messages needed to accomplish security measures in that communication scheme. In order to reduce the amount and volume of messages sent, and thus to save energy, sensor readings from multiple nodes may be processed at one of many possible aggregation points. An aggregation point collects sensor readings from surrounding nodes and forwards a single message representing an aggregate of the values. In a cluster based topology, the cluster heads can act as aggregation points. Note that, in the proposed key management scheme, to establish one hundred secret communication keys, each member node sends only one message to the cluster head and receives only one message from the cluster head. Thus, for a cluster with $n$ nodes inside, a total of $2(n - 1)$ messages are exchanged. Once this is done, the communicating nodes do not need to send messages to establish each secret key.

Power management in sensor networks is also critical. At full power, the Berkeley Mica mote can run for only two weeks or so before exhausting its batteries. Consequently, for a sensor network to last for years, it is crucial that the nodes run at around a 1% duty cycle (or less). Similarly, since the power consumption of the radio is at least three orders of magnitude higher when transmitting or listening than when in sleep mode, it is crucial to keep the radio in sleep mode for the overwhelming majority of time. In addition, communication bandwidth is extremely dear: each bit transmitted consumes about as much power as executing 800-1000 instructions [23], and therefore, any message expansion caused by security mechanisms comes at significant cost. That is why emphasis is given to calculating the future secret keys by exchanging the order list with the cluster head, rather than sending and receiving partial keys in each round. We calculated the total energy spent by the sensor nodes on establishing the secret communication keys, and compared it with that of the recently proposed protocols Elliptic Curves Signcryption (ECS) [33] and Key Exchange and Encryption Protocol (KEEP) [21]. Figure 4 shows the comparison. The proposed scheme outperforms [21], [33] not only by reducing the number of messages but also by keeping the message size short. Moreover, it is to be noted that, in the proposed scheme, after exchanging the index file of the nominated partial key list, the sensor nodes do not need to exchange any messages for the next hundred data collection rounds.

Besides data aggregation and the number of messages required for the key management scheme, the following evaluation metrics were also considered: (i) the number of session key candidates, (ii) scalability, (iii) key connectivity, (iv) resilience, (v) storage complexity, (vi) processing complexity, and (vii) communication complexity. The number of session key candidates simply refers to the

Fig. 4. Energy consumption comparison of the proposed scheme.

Fig. 5. Number of session key candidates. (Plot of session key domain against number of partial keys, for private partial keys and shared partial keys.)

Fig. 6. Resilience of the proposed key management scheme. (Plot of fraction of links compromised against number of nodes compromised, for m=20 with S=500, S=1000 and S=1500.)

minimum number of session keys possibly being created for data encryption/decryption. Figure 5 shows the exponential increase of the session key domain with respect to the number of partial keys assigned to a node. This means that finding out a secret key, even knowing the LPK, is nearly impossible.

Scalability is the ability to support larger networks. Larger networks can be supported if there is enough storage for the required security credentials, which is related to the storage complexity of the solution. Figure 5 also implicitly shows the high scalability of the proposed scheme. Every sensor needs to store only five hundred partial keys (which requires only 5KB) for one of the half a million session keys that can be generated for a large sensor network.

Resilience can be defined in one of the following ways: (i) probability that a link is compromised when an adversary captures a node, (ii) number of nodes whose security credentials are compromised when an adversary captures a node, or (iii) number of sensor nodes required to be captured to compromise a whole WSN [34]. Note that using the proposed scheme, even if an adversary captures a node, it cannot find out the encryption/decryption key, because the keys that remain in a sensor node are partial keys rather than full secret keys. Assume that the adversary can mount a physical attack on a sensor node after it is deployed, and read secret information from the sensor’s memory. In this situation, the resilience of a scheme can be evaluated by estimating the fraction of total network communications that are compromised by a capture of $x$ nodes, not including the communications in which the compromised nodes are directly involved [35].

This section measures the resilience of the proposed scheme by calculating the fraction of links in the network that an attacker is able to eavesdrop as a result of recovering keys from captured nodes. That is, an answer is sought for the question: for any two nodes A and B in the network, where neither A nor B has been captured by the attacker, what is the probability that the attacker can decrypt their communication keys using the subset of the key pool that was recovered from the nodes that were compromised?

Using $m$ partial keys, the number of full keys that can be established is ${}^{m}P_2$ (where $P$ is the permutation function). Let the number of captured nodes be $x$. Since each node contains $m$ partial keys, the probability that a given key has not been compromised is $p(\text{not compromised}) = 1 - x \times {}^{m}P_2 / {}^{S}P_2$. Thus, the expected fraction of total keys compromised is ${}^{m}P_2 / {}^{S}P_2$. Hence, the probability that any secure link set up in the key-setup phase between two uncompromised nodes is compromised when $x$ nodes have been captured is ${}^{m}P_2 / {}^{S}P_2$. Figure 6 shows how it varies with the number of nodes captured by the attacker. Note that the scale of the x-axis shows absolute numbers of nodes compromised (i.e., independent of the actual total size of the network), while the y-axis is the fraction of the total network communications compromised.

Key connectivity, one of the important factors for random key pre-distribution schemes, considers the probability that two (or more) sensor nodes store the same key or keying material to be able to establish pair-wise, group-wise or network-wise keys.
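The resilience estimate above, worked through for the parameters of Fig. 6, as an added example that is not part of the paper: it evaluates the linear estimate x × mP2/SP2 taken from the probability expression, the exact expectation 1 − (1 − mP2/SP2)^x, and a simulation of node capture. It assumes that S is the size of the partial-key pool, that each node's m partial keys are drawn uniformly and independently from that pool, and that the attacker only combines partial keys found on the same captured node; all function names are illustrative.

```python
import random
from itertools import permutations
from math import perm


def per_node_exposure(m: int, S: int) -> float:
    """mP2 / SP2: share of all ordered partial-key pairs held by one node."""
    return perm(m, 2) / perm(S, 2)


def linear_estimate(x: int, m: int, S: int) -> float:
    """x * mP2 / SP2, capped at 1; ignores overlap between captured nodes."""
    return min(1.0, x * per_node_exposure(m, S))


def exact_expectation(x: int, m: int, S: int) -> float:
    """1 - (1 - mP2/SP2)^x: a given pair is exposed by at least one of x nodes.

    Assumption (not stated on the page): every node's m partial keys are an
    independent, uniformly random subset of a pool of S partial keys.
    """
    return 1.0 - (1.0 - per_node_exposure(m, S)) ** x


def simulate(x: int, m: int, S: int, trials: int = 100, seed: int = 1) -> float:
    """Monte Carlo check: capture x nodes, count the ordered pairs they expose."""
    rng = random.Random(seed)            # fixed seed: constructed, repeatable input
    total_pairs = perm(S, 2)
    acc = 0.0
    for _ in range(trials):
        exposed = set()
        for _ in range(x):
            node_keys = rng.sample(range(S), m)   # one captured node's key indices
            exposed.update(permutations(node_keys, 2))
        acc += len(exposed) / total_pairs
    return acc / trials


if __name__ == "__main__":
    m = 20
    for S in (500, 1000, 1500):          # the three curves named in Fig. 6
        for x in (2, 10, 26, 50):
            print(f"S={S:4d} x={x:2d} "
                  f"linear={linear_estimate(x, m, S):.5f} "
                  f"exact={exact_expectation(x, m, S):.5f} "
                  f"simulated={simulate(x, m, S, trials=20):.5f}")
```

For m = 20, S = 500 and x = 50 the linear estimate is about 0.076 and the exact expectation about 0.073, so under these assumptions the linear form slightly overstates exposure as more nodes are captured.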
In the proposed scheme, when all sensor nodes use private partial key lists, once a sensor node receives the order list from its communicating pair node, it is always able to construct the secret communication keys. On the other hand, when a public partial key list is used for a cluster, all

Fig. 7. Memory requirement of the proposed key management scheme. (Plot of memory requirements in bytes against number of partial keys.)

members of the cluster share the same LPK, and therefore, share the same partial keys. Thus, connectivity is always guaranteed in this proposed key management scheme.

Efficiency of the solutions is generally measured using their storage, processing, and communication complexities. Here storage complexity is measured using the amount of memory units required to store security credentials. The proposed key management scheme requires very little storage to keep the partial keys (around 5KB to store 500 partial keys, their index list, the network key, and ID). Figure 7 depicts the memory requirement of the proposed scheme.

Communication complexity is measured as the number and size of packets sent and received by a sensor node. In the proposed scheme, a node communicates with its communicating pair node using only the identifiers rather than partial keys. Thus, the packet size is relatively low. Moreover, to create the communication keys, each sensor employs fundamental calculations, such as concatenation.

VII. CONCLUSION

In this paper, we described the notion of pre-distribution of partial keys for a secured key management scheme and then proposed the detailed scheme to employ this on a cluster based sensor network. Each sensor node establishes a symmetric pair-wise secret key for exchanging data with its cluster head. The proposed key management scheme outperforms other random key pre-distribution protocols in the sense that it requires lower space (due to partial keys rather than full keys stored in each sensor), lower communication overhead (as the path-key establishment phase is absent in this protocol), and offers very high session key candidates. In summary, the proposed key management scheme minimizes the constraints of the WSNs, while maintaining a very high level of security aspects.

REFERENCES

[1] S. Roy, M. Conti, S. Setia, and S. Jajodia, “Secure data aggregation in wireless sensor networks,” Information Forensics and Security, IEEE Transactions on, vol. 7, no. 3, pp. 1040–1052, 2012.
[2] X. Du and H.-H. Chen, “Security in wireless sensor networks,” Wireless Communications, IEEE, vol. 15, no. 4, pp. 60–66, 2008.

[3] E. Karapistoli and A. Economides, “Wireless sensor network security visualization,” in Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), 2012 4th International Congress on, 2012, pp. 850–856.
[4] B. Shanyue and C. Liqing, “A new key management protocol for wireless sensor network,” in Computer Science Service System (CSSS), 2012 International Conference on, 2012, pp. 991–994.
[5] K. Gagneja, “Pairwise post deployment key management scheme for heterogeneous sensor networks,” in World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2012 IEEE International Symposium on a, 2012, pp. 1–2.
[6] Y. S. Kang, D. Choi, and D.-J. Park, “Security-enhanced key establishment schemes using network coding,” in Computing and Convergence Technology (ICCCT), 2012 7th International Conference on, 2012, pp. 1056–1061.
[7] L. Yin, W. Qiao-Yan, J. Zheng-Ping, and S. Meng, “Secure pairwise key establishment for key predistribution in wireless sensor networks,” in Computer Science Service System (CSSS), 2012 International Conference on, 2012, pp. 822–825.
[8] T. D. Subash and C. Divya, “Novel key pre-distribution scheme in wireless sensor network,” in Emerging Trends in Electrical and Computer Technology (ICETECT), 2011 International Conference on, 2011, pp. 959–963.
[9] Y. nan Liu, J. Wang, H. Du, and L. Zhang, “Key sharing in hierarchical wireless sensor networks,” in Embedded and Ubiquitous Computing (EUC), 2010 IEEE/IFIP 8th International Conference on, 2010, pp. 743–748.
[10] W. Yu, “A promising pairwise key establishment scheme for wireless sensor networks in hostile environments,” in Multimedia Information Networking and Security (MINES), 2010 International Conference on, 2010, pp. 809–812.
[11] X. Du, M. Guizani, Y. Xiao, and H.-H. Chen, “Transactions papers a routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks,” Wireless Communications, IEEE Transactions on, vol. 8, no. 3, pp. 1223–1229, 2009.
[12] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” Selected Areas in Communications, IEEE Journal on, vol. 24, no. 2, pp. 247–260, 2006.
[13] M. Eltoweissy, M. Moharrum, and R. Mukkamala, “Dynamic key management in sensor networks,” Communications Magazine, IEEE, vol. 44, no. 4, pp. 122–130, 2006.
[14] M. Rahman, S. Sampalli, and S. Hussain, “A robust pair-wise and group key management protocol for wireless sensor network,” in GLOBECOM Workshops (GC Wkshps), 2010 IEEE, 2010, pp. 1528–1532.
[15] Y. He, Y. Pan, P. Pan, and L. Wang, “Simulation of key management protocol in wireless sensor networks,” in Computational Sciences and Optimization, 2009. CSO 2009. International Joint Conference on, vol. 2, 2009, pp. 333–335.
[16] J. Hu, E. Bai, and Y. Yang, “A novel key management scheme for hierarchical wireless sensor networks,” in Communication Technology (ICCT), 2010 12th IEEE International Conference on, 2010, pp. 526–529.
[17] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM conference on Computer and communications security, ser. CCS ’02. New York, NY, USA: ACM, 2002, pp. 41–47.
[18] D. Liu and P. Ning, “Improving key predistribution with deployment knowledge in static sensor networks,” ACM Trans. Sen. Netw., vol. 1, pp. 204–239, November 2005.
[19] M. Eltoweissy, A. Wadaa, S. Olariu, and L. Wilson, “Group key management scheme for large-scale sensor networks,” Ad Hoc Networks, vol. 3, no. 5, pp. 668–688, 2005.
[20] M. Rahman and S. Sampalli, “A hybrid key management protocol for wireless sensor networks,” in Trust, Security and Privacy in Computing and Communications (TrustCom), 2012 IEEE 11th International Conference on, 2012, pp. 769–776.
[21] E. Hagras, D. El-Saied, and H. Aly, “Energy efficient key management scheme based on elliptic curve signcryption for wireless sensor networks,” in Radio Science Conference (NRSC), 2011 28th National, 2011, pp. 1–9.
[22] H. Anand and G. Varaprasad, “Dynamic key management method for wireless sensor networks,” in Wireless and Optical Communications Networks (WOCN), 2012 Ninth International Conference on, 2012, pp. 1–5.
[23] J. Hill, R. Szewczyk, A. Woo, S. Hollar, D. Culler, and K. Pister, “System architecture directions for networked sensors,” SIGARCH Comput. Archit. News, vol. 28, pp. 93–104, November 2000.
[24] D. Malan, M. Welsh, and M. Smith, “A public-key infrastructure for key distribution in tinyos based on elliptic curve cryptography,” in Sensor and Ad Hoc Communications and Networks, 2004. IEEE SECON 2004. 2004 First Annual IEEE Communications Society Conference on, 2004, pp. 71–80.
[25] J. Lopez, “Unleashing public-key cryptography in wireless sensor networks,” J. Comput. Secur., vol. 14, pp. 469–482, September 2006.
[26] F. Kausar and A. Masood, “A random key distribution scheme for securing wireless sensor network,” in Multitopic Conference, 2006. INMIC ’06. IEEE, 2006, pp. 32–36.
[27] W. Gu, S. Chellappan, X. Bai, and H. Wang, “Scaling laws of key predistribution protocols in wireless sensor networks,” Information Forensics and Security, IEEE Transactions on, vol. 6, no. 4, pp. 1370–1381, 2011.
[28] H.-M. Sun, Y.-H. Lin, C.-T. Yang, and M.-E. Wu, “A pair-wise key establishment for wireless sensor networks,” in Proceedings of the 2009 Fifth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, ser. IIH-MSP ’09. Washington, DC, USA: IEEE Computer Society, 2009, pp. 1152–1155.
[29] D. Liu, P. Ning, and R. Li, “Establishing pairwise keys in distributed sensor networks,” ACM Trans. Inf. Syst. Secur., vol. 8, pp. 41–77, February 2005.
[30] Q. Mamun, “A qualitative comparison of different logical topologies for wireless sensor networks,” Sensors, vol. 12, no. 11, pp. 14 887–14 913, 2012.
[31] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, “Spins: security protocols for sensor networks,” Wirel. Netw., vol. 8, pp. 521–534, September 2002.
[32] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Securing sensor networks with location-based keys,” in Wireless Communications and Networking Conference, 2005 IEEE, vol. 4, 2005, pp. 1909–1914.
[33] A. Hamed and S. El-Khamy, “New low complexity key exchange and encryption protocols for wireless sensor networks clusters based on elliptic curve cryptography,” in Radio Science Conference, 2009. NRSC 2009. National, 2009, pp. 1–13.
[34] X. Li and D. Yang, “A quantitative survivability evaluation model for wireless sensor networks,” in Networking, Sensing and Control, 2006. ICNSC ’06. Proceedings of the 2006 IEEE International Conference on, 2006, pp. 727–732.
[35] K. Ren, K. Zeng, and W. Lou, “Secure and fault-tolerant event boundary detection in wireless sensor networks,” Wireless Communications, IEEE Transactions on, vol. 7, no. 1, pp. 354–363, 2008.