Abstract – Dynamic formation of node clusters is inherently embedded in a wide range of emerging wireless sensor network (WSN) applications. It is expected that security will play a key role in the design and successful deployment of these, as well as many other, applications. The ad-hoc nature and unique power-constraint characteristics of WSN suggest that a prerequisite for achieving security is the ability to encrypt and decrypt confidential data among an arbitrary set of sensor nodes. Consequently, the nodes are required to generate a joint secret key. Elliptic Curve Cryptography (ECC) has emerged as a suitable public key cryptographic foundation for WSN. This paper describes a pragmatic ECC-based methodology for self-certified group key generation in ad hoc clusters of sensor nodes. A novel load-balancing technique and chained data exchange yield reduced overall communications and facilitate an efficient distribution of the computational effort involved.

Keywords – Security in Wireless Sensor Networks, Resource-Constraint Cryptography, Group Public Key Generation.

The authors are with the Electrical & Computer Engineering department at The University of Tennessee, Knoxville. Email: {oarazi,hqi}@utk.edu.

I. Introduction

Recent advancements in the design and fabrication of low-power VLSI circuitry, as well as wireless communications, have broadened the applications prospect for wireless sensor networks (WSNs). The latter promise to revolutionize our ability to sense and control diverse physical environments using large numbers of small, inexpensive devices that integrate sensing, computation and communication. These sensors can collaborate with each other and achieve complex information gathering and dissemination tasks such as infrastructure security, environment and habitat monitoring, industrial sensing and traffic control.

In addition to the many unique characteristics of WSNs that stem from the resource-constrained environments in which they operate, many applications, whereby collaborative processing is carried out, necessitate the ad hoc formation of node clusters [1][2]. These clusters of nodes typically emerge around an event. Since the location and extent of the event are often unknown a priori, cluster members are decided upon in an ad-hoc manner. Many WSN applications, spanning military and civilian, assume that sensor nodes are deployed in hostile environments where they are prone to a wide variety of malicious attacks. As a result, security becomes a key concern [3][4][5]. The ad-hoc nature and unique power-constraint characteristics of WSNs suggest that a prerequisite for achieving security is the ability to encrypt and decrypt confidential data among an arbitrary set of sensor nodes. Consequently, an ad-hoc cluster of nodes is required to generate a joint secret key, making it highly desirable to have a secure and efficient key-distribution mechanism facilitating simple key-generation for large-scale sensor networks.

Although a variety of key-generation methods have been proposed for WSNs, they cannot be directly transplanted in sensor network environments. A simple solution for key establishment is a single network-wide shared key. Unfortunately, a single node in the network being captured would easily reveal the network secret key. Therefore, a current mainstream effort consists of random key pre-distribution, in which a different set of pre-established keys is issued to each node, thereby reducing the probability that capturing one node will jeopardize the entire network [5][6]. These schemes offer partial solution with respect to scalability, cryptographic robustness and the ability to append and revoke security attributes. More recent work addresses topics such as intruder identification in WSNs, relying on key predistribution [7].

The necessity for public key cryptographic key-generation in WSNs is widely acknowledged. Public key cryptography offers scalability and decentralized management, both of which are strongly coherent with the ad-hoc nature of WSNs. Elliptic Curve Cryptography (ECC) [8] emerges as a suitable public key cryptographic foundation for sensor networks, providing high security for relatively small key sizes. Recent results [9] indicate that the execution of ECC operations in sensor nodes is feasible, with predictable improved performance.

This paper describes a pragmatic, scalable and resource-efficient ECC-based group key-generation methodology, specifically optimized for WSNs. In particular, we address the need for minimizing communications as well as distributing the computation load across the network. Based on a novel algebraic exploration of standard ECC cryptographic techniques, we derive a group key distribution scheme, which is resource-efficient, scalable and robust. Once a secret key is generated between two or more nodes, data encryption and decryption is carried out using symmetric algorithms, which necessitate, at their core, simple XOR operations.

The rest of the paper is structured as follows. In Sec. II we briefly review prior work in the area of key establishment for WSNs and outline the unique attributes of key generation in WSNs. Sec. III presents the mathematical foundations from which the methodologies proposed are derived. Sec. IV describes a key-generation scheme for ad-hoc clusters of sensor nodes, while in Sec. V discussions on future directions are presented.
ment of the issue of authenticating the exchanged values. In fact, a common assumption made by these schemes is that an authentication mechanism is already available. To that end, our method also concerns the efficient integration of self-certified authentications.

Finally, in an effort to effectively distribute the computational load between the nodes, we propose to partition the self-certified key-generation process into secure and non-secure operations. The latter enables offloading the non-secure operations from a node participating in the key-generation process to available neighboring nodes. Such offloading assists in load balancing the computational effort and, consequently, power-consumption across the network.

Since many applications, in which collaborative processing is carried out, necessitate the ad hoc formation of node clusters, it is imperative to generate a group key for these clusters. In this paper we will show that generating such a group key is accomplished in two steps. The first step would be to generate a shared key between pairs of nodes in the cluster, while the second would be to generate a group key by utilizing the shared keys established during the first step. We further illustrate how the key exchange and key confirmation procedures establish self certification as well as a group shared key.

III. Mathematical Foundations for Efficient Two-Node DH Key Generation

A. Notation and Terminology

Our mathematical foundations rely on ECC cryptographic techniques pertaining to operations over a finite group of points in which the discrete log problem applies. In order to describe the formalism for efficient two-node DH key generation, we must first define some notation and terminology. As we are using ECC, the need to distinguish between a scalar and a point on the curve is evident. A group-point is hereby denoted by a capital letter in bold font (e.g. $\mathbf{P}$), and a scalar will be presented in regular lowercase letters. Multiplication of a point by a scalar (e.g. $v \times \mathbf{P}$) will be referred to as an exponentiation, where $v$ is the exponent. The intractability of a discrete log operation means that given the points $\mathbf{P}$ and $v \times \mathbf{P}$, the complexity of finding $v$ is exponential. The following notations will be used throughout the remainder of the paper:

• $\mathbf{G}$: a generating group-point, used by all relevant nodes
• $\mathrm{ord}\,\mathbf{G}$: the order of $\mathbf{G}$ (exponents are calculated modulo $\mathrm{ord}\,\mathbf{G}$)
• CA: a Certifying Authority
• $d$: the CA’s private key
• $\mathbf{R}$: the CA’s public key (where $\mathbf{R} = d \times \mathbf{G}$)
• $x_i$: the private key of node $i$ served by the CA
• $\mathbf{U}_i$: the public key of a node $i$ served by the CA
• $ID_i$: the identification details, or attributes, of node $i$
• $H(v, \mathbf{W})$: a scalar obtained by performing a hash transformation on the scalar $v$ and group point $\mathbf{W}$
• $h_i$: a random 163-bit scalar generated by the CA (for the purpose of calculating $x_i$)
• $N_i, N_j$: sensor nodes $i$ and $j$, respectively

B. Keys Issued to Nodes by the CA

The private and public keys discussed in this section are issued by the CA to all nodes in the network. We will begin our discussion by focusing only on keys issued to $N_i$. As indicated above, the CA holds a pair of keys (private ($d$) and public ($\mathbf{R}$)). By using $d$, $ID_i$, $h_i$, a hash function and $\mathbf{G}$, it establishes the pair of private and public keys issued to node $i$. We consider two scenarios for issuing the private key ($x_i$), and the public key ($\mathbf{U}_i$) of node $i$. The node key $x_i$, used in the following applications, can be derived by either one of the scenarios described in this section. In the first scenario, the CA knows the node’s secret keys. In this case $N_i$’s private key ($x_i$), and the public value ($\mathbf{U}_i$) can be generated as follows:

1. The CA generates a random scalar $h_i$ and calculates $h_i \times \mathbf{G}$;
2. The CA then generates node $i$’s public and private keys as follows:

$$\mathbf{U}_i = h_i \times \mathbf{G} \qquad (1)$$
$$x_i = [H(ID_i, \mathbf{U}_i) \times h_i + d] \bmod \mathrm{ord}\,\mathbf{G}$$

3. The CA issues the values $x_i$ and $\mathbf{U}_i$ to $N_i$;
4. $N_i$ can establish the validity of the values issued to him by checking whether $x_i \times \mathbf{G} = H(ID_i, \mathbf{U}_i) \times \mathbf{U}_i + \mathbf{R}$.

In the second scenario considered, the CA is not allowed to know the node’s secret keys. In this case $N_i$’s private key and public key can be generated as follows:

1. The node generates a random value $v_i$ and submits $\mathbf{W}_i = v_i \times \mathbf{G}$ to the CA;
2. The CA generates a random $h_i$ and calculates $h_i \times \mathbf{G}$.
3. The CA then generates the pair of private and public keys as follows:

$$\mathbf{U}_i = \mathbf{W}_i + h_i \times \mathbf{G} \qquad (2)$$
$$p_i = [H(ID_i, \mathbf{U}_i) \times h_i + d] \bmod \mathrm{ord}\,\mathbf{G}$$

The CA issues the values $p_i$ and $\mathbf{U}_i$ to $N_i$;
4. $N_i$ generates his secret key as

$$x_i = [p_i + H(ID_i, \mathbf{U}_i) \times v_i] \bmod \mathrm{ord}\,\mathbf{G}. \qquad (3)$$

5. $N_i$ can establish the validity of the values $p_i$ and $\mathbf{U}_i$ issued to him by checking whether $p_i \times \mathbf{G} = H(ID_i, \mathbf{U}_i) \times (\mathbf{U}_i - \mathbf{W}_i) + \mathbf{R}$.

Two important points should be noted here: (1) in both cases $x_i \times \mathbf{G} = H(ID_i, \mathbf{U}_i) \times \mathbf{U}_i + \mathbf{R}$, and (2) since $x_i = [H(ID_i, \mathbf{U}_i) \times (h_i + v_i) + d] \bmod \mathrm{ord}\,\mathbf{G}$, $x_i \times \mathbf{G} = H(ID_i, \mathbf{U}_i) \times \mathbf{U}_i + \mathbf{R}$, which is identical to the case of the CA being allowed to know the node’s secret keys.

IV. Self-Certified Diffie-Hellman Key-Generations

A. Fixed Key-Generation

A self-certified DH fixed-key-generation (figure 2), is achieved by the following two steps: (1) $N_i$ and $N_j$ exchange the pairs $(ID_i, \mathbf{U}_i)$ and $(ID_j, \mathbf{U}_j)$, respectively, and
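
The two key-issuing scenarios of Sec. III-B and the validity check they share, as an added example (not the authors' code). It assumes the secp256k1 curve and SHA-256 as the hash, neither of which the paper specifies, and all function names are hypothetical; variable names follow the symbols of Eqs. (1) to (3).

```python
import hashlib
import secrets

# Assumed domain parameters (secp256k1); the paper only mentions 163-bit scalars.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # ord G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def neg(A):
    return None if A is None else (A[0], -A[1] % P)

def mul(k, A):
    """Double-and-add k x A. Not constant time: for illustration, not for a mote."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, A)
        A, k = add(A, A), k >> 1
    return acc

def H(node_id, U):
    """H(ID_i, U_i) as a scalar; SHA-256 over ID || x || y is an assumption."""
    data = node_id + U[0].to_bytes(32, "big") + U[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ca_issue_known(d, node_id):
    """Scenario 1, Eq. (1): the CA picks h_i and learns x_i. Returns (x_i, U_i)."""
    h = secrets.randbelow(N - 1) + 1
    U = mul(h, G)
    return (H(node_id, U) * h + d) % N, U

def ca_issue_blind(d, node_id, W):
    """Scenario 2, Eq. (2): the CA sees only W_i = v_i x G. Returns (p_i, U_i)."""
    h = secrets.randbelow(N - 1) + 1
    U = add(W, mul(h, G))
    return (H(node_id, U) * h + d) % N, U

def node_finish(node_id, v, p, U, W, R):
    """Scenario 2, node side: step-5 check on (p_i, U_i), then Eq. (3)."""
    e = H(node_id, U)
    if mul(p, G) != add(mul(e, add(U, neg(W))), R):
        return None                      # CA values rejected
    return (p + e * v) % N

def self_certified(x, node_id, U, R):
    """Check common to both scenarios: x_i x G == H(ID_i, U_i) x U_i + R."""
    return mul(x, G) == add(mul(H(node_id, U), U), R)

if __name__ == "__main__":
    d = secrets.randbelow(N - 1) + 1     # CA private key; R = d x G
    x, U = ca_issue_known(d, b"node-7")  # constructed node identity
    print("scenario 1 valid:", self_certified(x, b"node-7", U, mul(d, G)))
```

Because the identity is hashed into the key, the same check fails when the pair is presented under a different identity or verified against a different CA public key.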
communication session between the two nodes. We are left with the following two operations: $pv_i \times H(ID_j, \mathbf{U}_j) \times \mathbf{U}_j$, and $(x_i + pv_i) \times (\mathbf{EV}_j + \mathbf{R})$. The first is a dynamic scalar by point multiplication executed in an ad hoc manner (as it contains the value $\mathbf{U}_j$). In the interest of distributing the power consumption across the sensor network, we employ an offloading technique in which nodes assist other nodes by performing part of the required calculations.

In the context of security operations, we must prove that calculations that are offloaded, and are subsequently transmitted over potentially eavesdrop-prone media, do not jeopardize the trustworthiness of the process. Assisting neighbor nodes (not included in the ad hoc cluster, but with proximity to it) will calculate the value $(x_i + pv_i) \times (\mathbf{EV}_j + \mathbf{R})$. It should be noted that all nodes are assumed to have knowledge of $\mathbf{R}$. Moreover, none of the offloaded values are assumed to be secret, and while $x_i$ and $pv_i$ are secret, their sum does not disclose their values. Furthermore, even though $x_i$ is fixed, $pv_i$ never repeats itself. In other words, the secret key $x_i$ is masked with the random noise $pv_i$. It is further noted that the neighboring assisting node is not necessarily trusted in delivering a correct answer. The assisting node merely performs mathematical processing with no decisions being made by it. An attempt to send a misleading result by the assisting node will be detected in the key confirmation step.

All procedures presented thus far are also valid for the case where nodes use different CAs. That is, if the user keys of $N_i$ were issued by a CA whose public key is $\mathbf{R}_1$ with a private key $d_1 = \log \mathbf{R}_1$, and the user keys of $N_j$ were issued by a CA whose public key is $\mathbf{R}_2$ with a private key $d_2 = \log \mathbf{R}_2$, all derived expressions, for both fixed and ephemeral session keys, are valid. That is, a node refers to the public key of the CA of his counterpart when generating a session key with that counterpart.

V. Group-Key Generation based on Pairwise DH Key Generation

Based on the presented procedure for generating a self-authenticated DH secret key joint to a pair of nodes, it is next shown how a group of $m$ nodes generates a secret session key $K_s$ joint to all nodes in the group and not known to any party outside the group. In this respect it is noted that the self authentication of the DH keys is based on the identity, $ID_s$, of the participants. These identity values can also be associated with attributes of nodes, rather than their explicit identities. For example, they can be associated with parameters that specify the meaning of the group. That is, nodes that do not possess appropriate parameters allowing them to participate in the group cannot force themselves into the group.

Let the nodes in the group be indexed in a chain, where node $N_i$ generates two DH keys, one jointly generated with node $N_{i-1}$ and one with $N_{i+1}$, $i = 0, 1, \ldots, m-1$. Although this is not a necessity, the indexing is cyclic. That is, $N_{m-1}$ and $N_0$ also generate a joint key. For simplicity, let us further assume that $m$ is even. These $2m$ DH keys can all be generated in two time slots. Let $K_i^{+}$ denote the DH key joint to nodes $N_i$ and $N_{i+1}$, generated during the first time slot for even $i$’s, and $K_i$ denote the DH keys generated during the second time slot for odd $i$’s. This way, during each slot, each node is busy generating a joint DH key with exactly one other node.

Based on each node having two DH keys, one joint to the preceding node in the chain and one joint to the following node (where $N_{m-1}$ and $N_0$ are considered to be consecutive), the secret session key $K_s$, joint to all members in the group, is then generated as follows. A certain node $N_j$ in the group ($N_j$ can be an arbitrary node, or a node with some distinct preferences such as the cluster head or group lead) generates a random $K_s$. It encrypts $K_s$ with $K_j^{+}$ and sends the ciphertext to $N_{j+1}$. Node $N_{j+1}$ decrypts the ciphertext, as it also has $K_j^{+}$, thereby recovering $K_s$. It then encrypts $K_s$ with the DH key joint to $N_{j+1}$ and $N_{j+2}$, etc. This way, $K_s$ securely propagates in the chain, by decryption and encryption operations taking place at each node. $K_s$ finally gets back to the originator $N_j$, who verifies that the received $K_s$ equals the original.

Although calculations are carried out concurrently by the odd and even nodes, we must consider the fact that transmission of information is done sequentially, since the same media is shared by all nodes. Letting $t_{access}$ and $t_x$ denote the expected channel access time and transmission/reception times, respectively, the aggregate time consumed by the group key generation process, $T_{gk}$, can be expressed as

$$T_{gk} = 2m(t_{access} + t_x) + t_{DH}, \qquad (9)$$

where $t_{DH}$ is the overall time required to perform the actual DH calculations. One should note that the access and transmission times are expected to be in the order of milliseconds, while the DH related computations are in the order of seconds (shown for MICA2 motes in [9]). To that end, the fact that communications are done sequentially has little impact on the overall delay of the group key generation process.

A remark on the encryption/decryption operation performed at each node: This is a symmetric operation that can be based on standard procedures like DES or AES. However, let us also consider the case where this operation is a simple exclusive-OR (XOR) operation between $K_s$ and $K_j^{+}$. That is,

$$c_j = K_s \ \mathrm{XOR}\ K_j^{+} \qquad (10)$$

where $c_j$ is the ciphertext sent from $N_j$ to $N_{j+1}$. Node $N_{j+1}$ then performs the following to propagate $K_s$ to $N_{j+2}$, noting that $N_j$ and $N_{j+1}$ share the same key $K_j^{+}$, and $N_{j+1}$ and $N_{j+2}$ share $K_{j+1}$,

$$K_s = c_j \ \mathrm{XOR}\ K_j^{+} \ \mathrm{XOR}\ K_{j+1} \qquad (11)$$

However, as all nodes finally share $K_s$, and they also receive all exchanged ciphertexts, this suggests that all pairwise DH keys will also be known to all nodes in the group (each node simply XORs $K_s$ with all ciphertexts). The question, and this is a strategic consideration, is what kind of a threat can be posed by this procedure. After all, if the members of
the group nally know the joint secret key, Nv , they might References
as well know the individual DH keys. This surely holds if [1] H. Qi, Y. Xu, and X. Wang, “Mobile-agent-based collaborative
the DH keys expire when the key Nv expires. signal and information processing in sensor networks,” in Pro-
ceedings of the IEEE, vol. 91, pp. 1172—1183, August 2003.
[2] H. Qi and Y. Xu, “Decentralized reactive clustering for collabo-
VI. Discussion and Future Work rative processing in sensor networks,” in Proc. of the IEEE 10th
International Conference on Parallel and Distributed Systems
This paper presented an ecient methodology for ECC- (ICPADS), vol. 91, (Newport Beach, CA), pp. 54—61, July 2004.
based public key generation in wireless sensor networks. [3] A. Perrig, J. Stankovic, and D. Wagner, “Security in wireless
A novel algebraic approach for partitioning the key gen- sensor networks,” Communications of the ACM, vol. 47, pp. 53—
57, June 2004.
eration process was described, addressing both xed and [4] R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, and P. Kruus,
ephemeral key establishments. A unique feature of the “Tinypk: Securing sensor networks with public key technology,”
scheme relies on distributing the computation load among in Proceedings of the Second ACM Workshop on Security of Ad
Hoc and Sensor Networks, (Washington DC, USA), pp. 59—64,
neighboring nodes thereby gaining execution speed and 2004.
load-balancing the power consumption. Based on these [5] H. Chan, A. Perrig, and D. Song, “Random key predistribution
foundations, a procedure for group key generation within schemes for sensor networks,” in Proceedings of the 2003 IEEE
Symposium on Security and Privacy, (Washington DC, USA),
a cluster of nodes was presented, oering scalability with pp. 197—214, 2003.
respect to network size and robustness. [6] W. Du, J. Deng, Y. S. Han, S. Chen, and P. K. Varshney, “A
The paper presented a comprehensive approach for key management scheme for wireless sensor networks using de-
ployment knowledge,” in Proc. of IEEE INFOCOM 2004, (Hong
a practical implementation of group key generation in Kong, China), 2004.
resource-constraint WSNs. Remaining challenges include [7] W. Zhang and G. Cao, “Group rekeying for ltering false data
the study of fault tolerance issues, neighbor-node selection in sensor networks: A predistribution and local collaboration-
based approach,” in Proceedings of the 2005 IEEE INFOCOM,
and analysis of energy consumption. (Miami, FL, USA), 2005.
As the described procedure relies on a cyclic exchange [8] A. J. Menezes, Elliptic Curve Public Key Cryptosystems.
Boston, MA: Kluwer Academic Publishers, 1993.
of information, future work will address the issue of fault [9] D. Malan, M. Welsh, and M. D. Smith, “A public-key infrastruc-
tolerance. The “fault” is two-fold. First of all, how to ture for key distribution in tinyos based on elliptic curve cryp-
guarantee that all the nodes within the cluster will be in- tography,” in Proc. of 1st IEEE International Conference on
Sensor and Ad Hoc Communications and Networks (SECON),
cluded in the chain without disconnections. Second, what (Santa Clara, CA), October 2004.
happens when one or more nodes fail in the chain. Future [10] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz,
work will concern the generation of redundant paths, while “Energy analysis of public-key cryptography for wireless sensor
networks,” in Proceedings of the third IEEE International Con-
altogether minimizing the overall computational complex- ference on Pervasive Computing and Communication (PerCom
ity. Moreover, the existence of malicious node (whether 2005), pp. 324—328, 2005.
part of the cluster or assisting nodes) will be addressed to [11] W. Du, J. Deng, Y. S. Han, and P. Varshney, “A pairwise key
pre-distribution scheme for wireless sensor networks,” in Pro-
contribute to the robustness of the key generation process. ceedings of the 10th ACM Conference on Computer and Com-
As stated in the paper, o-loading non-secure computa- munications Security (CCS), (Washington DC, USA), pp. 42—
tions to neighboring nodes would provide load balancing, 51, October 2003.
[12] A. Chan, “Probabilistic distributed key pre-distribution for mo-
elongating the network lifetime. A question that naturally bile and ad hoc networks,” in Proceedings of the 2004 IEEE
arises pertains to the manner by which neighboring nodes International Conference on Communications, pp. 3743—3747,
June 20-24 2004.
are selected. We will study the joint eect of geographi- [13] M. Ramkumar and N. Memon, “An ecient key predistribution
cal distance between nodes and the remaining energy on scheme for ad hoc networks security,”
the neighboring nodes in order to generate a fair selection. [14] L. Eschenauer and V. D. Gligor, “A key-management scheme
for distributed sensor networks,” in Proceedings of the 9th ACM
Although the communication time associated with the of- conference on Computer and communications security, (Wash-
oading process is much shorter than the DH key genera- ington, DC), pp. 41—47, November 2002.
tion time, the energy consumed during data transmission [15] M. Girault, “Self-certied public keys,” in Advances in
Cryptology—EUROCRYPT’91, pp. 491—497, March 1991. LNCS
and reception is not negligible. We will study the tradeos - Springer-Verlag.
between energy consumption and real-time key generation [16] B. Arazi, “Certication of dl/ec keys,” in Proceedings
in order to reach an optimal solution. In this paper, we of the IEEE P1363 Study Group for Future Public-Key
Cryptography Standards, May 1999. Also available as
assume the sensor nodes are all static. However, the pro- http://grouper.ieee.org/groups/1363/StudyGroup/submissions.
posed scheme, in particular the ephemeral key-generation html#Hybrid.
methodology, has great potential in mobile sensor network [17] A. Fiat and A. Shamir, “How to prove yourself: Practical solu-
tions to identication and signature problems,” in Advances in
applications, in which issues like speed of mobility and key Cryptology - CRYPTO ’86, vol. 263, pp. 186—196, March 1987.
generation turnaround time need to be evaluated. Springer-Verlag.
The framework presented in this paper can be utilized [18] Y. Kim, A. Perrig, and G. Tsudik, “Group key agreement e-
cient in communication,” Communications of the ACM, vol. 53,
and broadened to address a wide range of security chal- pp. 905—921, July 2004.
lenges in resource-constrained sensor networks.
VII. Acknowledgment
The authors would like to thank Benjamin Arazi and
Itamar Elhanany for their valuable comments and useful
discussions.
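
The XOR variant of the chained propagation in Sec. V (Eqs. 10 and 11), the originator's final check, and the paper's remark that every group member can afterwards compute all pairwise DH keys, as an added example (not the authors' code). The 16-byte key length, the function names, and the split into sender-side and receiver-side key copies (used to model a pairwise DH run that produced mismatched keys) are assumptions; in the code `k_s` is the group session key and link `i` is the pairwise key between node `i` and node `i+1`.

```python
import secrets

KEY_LEN = 16  # bytes; assumed common size of K_s and every pairwise DH key

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def relay(c_in, k_in, k_out):
    """Relay step at a node: strip the incoming link key, apply the outgoing one."""
    return xor(xor(c_in, k_in), k_out)

def propagate(k_s, send_keys, recv_keys, start=0):
    """Pass K_s once around the cyclic chain, beginning and ending at N_start.

    Link i joins N_i and N_{i+1 mod m}. send_keys[i] is N_i's copy of that
    link key and recv_keys[i] is N_{i+1}'s copy; the two lists are equal when
    every pairwise DH run produced matching keys.
    Returns (ciphertexts on the shared medium, value that reaches N_start).
    """
    m = len(send_keys)
    c = xor(k_s, send_keys[start])               # Eq. (10)
    on_air = {start: c}
    for hop in range(1, m):
        i = (start + hop) % m                    # relaying node N_i
        c = relay(c, recv_keys[(i - 1) % m], send_keys[i])
        on_air[i] = c
    return on_air, xor(c, recv_keys[(start - 1) % m])

def recover_link_keys(k_s, on_air):
    """What any holder of K_s who heard the ciphertexts can compute."""
    return {i: xor(k_s, c) for i, c in on_air.items()}

if __name__ == "__main__":
    m = 6                                        # constructed cluster size (even)
    keys = [secrets.token_bytes(KEY_LEN) for _ in range(m)]
    k_s = secrets.token_bytes(KEY_LEN)
    on_air, back = propagate(k_s, keys, keys, start=2)
    print("originator check passes:", back == k_s)
    leaked = recover_link_keys(k_s, on_air)
    print("link keys recoverable by members:",
          sum(leaked[i] == keys[i] for i in range(m)), "of", m)
    bad = list(keys)
    bad[4] = secrets.token_bytes(KEY_LEN)        # N_5 holds a wrong key for link 4
    print("mismatch detected:", propagate(k_s, keys, bad, start=2)[1] != k_s)
```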