
A New Security Scheme for Wireless Sensor Networks

Junqi Zhang and Vijay Varadharajan Department of Computing, Macquarie University Sydney, Australia {janson,vijay}@ics.mq.edu.au

Abstract: Wireless Sensor Networks (WSN) are ad-hoc mobile networks in which the sensors have limited resources and communication capabilities. Secure communications in some wireless sensor networks are critical. Recently, several secure schemes for wireless sensor networks have been proposed. Localized combinatorial keying (LOCK), proposed by Mohamed Eltoweissy, is a secure wireless sensor network scheme based on dynamic key management. In this paper, we present a new wireless sensor network security scheme. Our scheme is based on the LOCK scheme and employs ID-based secure group key management. Our scheme has several advantages over the existing LOCK scheme. It improves the security of the wireless sensor network system. It minimizes the key storage requirement and the number of communication messages for rekeying. In addition, one unique advantage is that it does not affect any other nodes when evicting a compromised node or moving a node from one location to another.

I. INTRODUCTION

Wireless Sensor Networks (WSNs) are wireless networks that comprise a large number of spatially distributed small autonomous devices, which cooperatively monitor environmental conditions and send the collected data to a command center over wireless channels. A wireless sensor network has some unique characteristics such as large scale of deployment, mobility of nodes, node failures, communication failures and dynamic network topology. In addition, each sensor node has constraints on resources such as energy, memory, computation speed and bandwidth because of the constraints on size and cost. Wireless sensor networks have many military and civilian applications, such as battlefield surveillance, habitat monitoring, healthcare and traffic control.

Many applications of the WSN require secure communications. However, wireless networks are prone to different types of malicious attacks because of the wireless connectivity, the absence of physical protection and the unattended deployment. Therefore, security in sensor networks is extremely important. However, the characteristics of the wireless sensor network make incorporating security very challenging. The constraints on sensors make the design and operation exceedingly different from contemporary wireless networks. The existing security mechanisms for wire-line and wireless networks cannot be applied to the wireless sensor network because of the constrained energy, memory and computation capability. Thus, resource-conscious security protocols and management techniques become necessary for the WSN environment.

Key management protocols are the core of secure communications. Recently, many dynamic key management schemes for the wireless sensor network have been proposed. Dynamic key management schemes are used in long-lived networks and emphasize rekeying to achieve resilience to attack. In these schemes, the administrative keys are changed periodically or on demand. These dynamic schemes scale to support adding new nodes and evicting compromised nodes. Gaurav Jolly et al. [1] proposed a dynamic key management scheme based on ID-based symmetric keying. In this scheme, the network includes a base station and a number of clusters of sensor nodes led by gateways. The base station generates and assigns keys and the gateways distribute keys. This scheme uses affordable storage, but the rekeying is not efficient as it needs a large number of message exchanges. To balance the number of keys employed for each node and the number of messages for rekeying, Mohamed Eltoweissy et al. [2] proposed an efficient rekeying solution called exclusion-based systems (EBSs). They then developed the first EBS-based secure wireless sensor network scheme [3]. The shortcoming of this scheme is that it does not address the collusion problem. To address this problem, Mohamed F. Younis et al. [4] developed another EBS-based scheme called SHELL. This scheme has a network model similar to Jolly's scheme, while SHELL uses the EBS framework to perform the rekeying within the cluster. This scheme is based on a centralized key server to perform rekeying. Mohamed Eltoweissy et al. [5] proposed another EBS-based scheme called LOCK, which employs a two-layer EBS to perform localized rekeying to minimize overhead.

The EBS reduces the number of communication messages, but it uses the compromised keys to encrypt the message inside the encrypted message. This might be a problem, particularly for the gateway, which has more computation power and a longer life. In addition, these schemes reduce the possibility of the collusion attack, yet they still cannot solve the problem. In this paper, we propose a new wireless sensor network security scheme based on LOCK. We employ the same network model as LOCK. However, we use a new ID-based encryption algorithm. Our scheme can improve the system security and avoid the collusion attack. Moreover, it simplifies the key management and reduces the number of communication messages for rekeying.

978-1-4244-2324-8/08/$25.00 2008 IEEE.


Authorized licensed use limited to: Korea Advanced Institute of Science and Technology. Downloaded on August 26, 2009 at 01:54 from IEEE Xplore. Restrictions apply.

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE "GLOBECOM" 2008 proceedings.

II. OUR NEW SECURE SENSOR NETWORK SCHEME

In this section, we introduce the sensor network model and the key generation algorithm, and present the new secure wireless sensor network scheme.

A. Wireless Sensor Network Architecture and Assumptions

Our scheme is also based on the clustered wireless sensor network architecture used in SHELL and LOCK. The assumptions on the network nodes are as follows:

1) Wireless Sensor Network Architecture: We use the same three-layer wireless sensor network architecture as LOCK. This includes the command node (base station), the cluster leaders (cluster heads or gateways) and the sensors. In our scheme, the upper layer employs a new group key management algorithm and the lower layer still uses the EBS for key distribution and re-keying.

2) Command Node: The command node is in charge of the whole wireless sensor network. It is assumed to be a trusted entity. It is also assumed to have powerful computation capability and high memory storage. The key responsibilities of the command node are as follows: acting as the repository for all sensor information in the region, authenticating all the gateways and the sensors, distributing the communication keys, regularly re-keying the system, and adding new gateways and sensors and evicting compromised ones.

3) Gateway: Each gateway is in charge of a cluster of sensors. A gateway has more computation power, higher memory storage and a larger energy supply than a regular sensor. A gateway can broadcast and communicate with other gateways. Each gateway shares the communication keys with the sensors in the same cluster. Gateways are not trusted and can be compromised, although they are harder to compromise than sensors. The responsibilities of the gateway include distributing the administrative keys based on the EBS and re-keying the session key for the sensors in the cluster.

4) Sensor: Sensors in the network are grouped into clusters.
Each sensor is managed by a gateway (called cluster leader or cluster head). Sensors are not trusted and can be compromised. Sensors in the same cluster share polynomials or keys and can perform sensor-to-sensor communication. The key responsibilities of a sensor are detecting and relaying. Sensors have limited computation capability and memory storage. Each sensor can be reached by the gateway in the cluster.

B. Key Generation Algorithm

Our approach involves a dynamic group key management scheme that enables secure and efficient updating of group members. We achieve this by constructing a public key that is associated with several private keys. Our proposal is based on the earlier work on key distribution described in [6].

1) System Setup: The command node or the base station needs to set up the system so that all necessary parameters can be used during the lifetime of the wireless sensor network application. The command node selects the following parameters: a large prime $p = 2q + 1$, where $q$ is also prime, an additive group $G_1$ and a multiplicative group $G_2$ (both have order $p$), a master secret key $s \in Z$, and a number $P \in G_1$. Based on the ID-based encryption algorithm [7], the command node computes the system public key $P_{pub} = sP$, which is then sent to all cluster leaders (gateways) that will be used in the wireless sensor network. The command node also selects two strong public one-way functions $H_1 : \{0,1\}^* \to G_1$ and $H_2 : G_1 \to \{0,1\}^*$. Each gateway is set an ID and a private key $S_{ID} = sQ_{ID}$ ($Q_{ID} = H_1(ID)$).

2) Algorithm Construction: This scheme consists of the following three steps: Encryption Setup, Encryption and Decryption.

Encryption Setup

In order to communicate with $m$ cluster leaders (gateways), the command node needs to set up the following parameters. Select a random number $r \in Z$. Compute $R = rP$. Compute $x_i = e(rQ_{ID_i}, P_{pub})$, where $e$ is the Weil pairing mapping. Compute the following polynomial function:

$$f(x) = \prod_{i=1}^{m} (x - x_i) \bmod p.$$

We have the following equation:

$$\prod_{i=1}^{m} (x - x_i) = \sum_{i=0}^{m} a_i x^i \bmod p$$

Then we can obtain:

$$a_0 = \prod_{j=1}^{m} (-x_j) \tag{1}$$

$$a_1 = \sum_{i=1}^{m} \prod_{j=1, j \neq i}^{m} (-x_j) \tag{2}$$

$$a_{m-2} = \sum_{i=1}^{m} \sum_{j=i+1}^{m} (-x_i)(-x_j) \tag{3}$$

$$a_{m-1} = \sum_{j=1}^{m} (-x_j) \tag{4}$$

$$a_m = 1 \tag{5}$$

with $\{a_i\}$ satisfying $\sum_{i=0}^{m} a_i x_j^i = 0 \bmod p$, $j = 1, \dots, m$. We can use the set $\{a_i\}$ to construct the corresponding exponential functions.

$$\{a_0 P, a_1 P, a_2 P, \dots, a_m P\} \equiv \{P_0, P_1, P_2, \dots, P_m\} \tag{6}$$

Encryption

Let $S_k \in \{0,1\}^*$ be the session key; it is encrypted as follows. Select a random number $R \in Z$ and a random number $D \in G_1$. Compute the $(m + 3)$-tuple

$$T \equiv (R, S_k \oplus H_2(D), D + RP_0, RP_1, \dots, RP_m) = (R, C, C_0, C_1, \dots, C_m) \tag{7}$$

Broadcast $T$ to the cluster leaders.

Decryption

When the cluster leaders receive $T$, they can decrypt the corresponding session key as follows.


$$e(S_{ID_i}, R) = e(sQ_{ID_i}, rP) = e(rQ_{ID_i}, P_{pub}) = x_i \tag{8}$$

$$C_0 + \sum_{j=1}^{m} x_i^j C_j = D + R(a_0 + a_1 x_i + \dots + a_m x_i^m)P = D \tag{9}$$

$$C \oplus H_2(D) = S_k \tag{10}$$
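The three steps above can be traced end to end in a toy model. The following Python is an added example, not code from the paper: it assumes a deliberately insecure stand-in for the pairing (each group element is stored as its discrete logarithm, so $e(aP, bP)$ becomes $ab \bmod p$), SHA-256 for $H_1$ and $H_2$, and made-up gateway identities, and it names the random scalar of the Encryption step `k` to keep it apart from $R = rP$.

```python
import hashlib
import secrets

# Toy bilinear setting (constructed for illustration, NOT secure): every group
# element is stored as its discrete logarithm, so the point aP of G1 is the
# integer a mod p and the pairing e(aP, bP) is the integer a*b mod p.
# Bilinearity holds, which is all the algebra below needs; secrecy does not.
p = 2**127 - 1   # prime group order (assumed toy value, a Mersenne prime)
P = 1            # generator of G1 in this representation


def pairing(a: int, b: int) -> int:
    return (a * b) % p


def H1(identity: str) -> int:
    """Q_ID = H1(ID): hash an identity string to an element of G1."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % p


def H2(point: int) -> bytes:
    """Hash an element of G1 to a 32-byte mask for the session key."""
    return hashlib.sha256(point.to_bytes(16, "big")).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def system_setup():
    """Command node: master secret s and system public key P_pub = sP."""
    s = secrets.randbelow(p - 1) + 1
    return s, (s * P) % p


def extract(s: int, identity: str) -> int:
    """Private key S_ID = s * Q_ID, preloaded on the gateway once."""
    return (s * H1(identity)) % p


def encryption_setup(P_pub: int, identities):
    """Return R = rP and P_0..P_m for the gateways allowed to decrypt."""
    r = secrets.randbelow(p - 1) + 1
    roots = [pairing(r * H1(i) % p, P_pub) for i in identities]   # x_i
    coeffs = [1]                       # a_0..a_d of f(x), lowest degree first
    for x in roots:                    # f(x) <- f(x) * (x - x_i) mod p
        shifted = [0] + coeffs
        scaled = [(-x * c) % p for c in coeffs] + [0]
        coeffs = [(u + v) % p for u, v in zip(shifted, scaled)]
    return (r * P) % p, [(a * P) % p for a in coeffs]


def encrypt(R: int, Ps, session_key: bytes):
    """Build the (m+3)-tuple T = (R, C, C_0, ..., C_m) of equation (7)."""
    k = secrets.randbelow(p - 1) + 1   # random scalar multiplying each P_j
    D = secrets.randbelow(p)           # random element of G1
    Cs = [(k * Pj) % p for Pj in Ps]
    Cs[0] = (D + Cs[0]) % p
    return R, xor(session_key, H2(D)), Cs


def decrypt(S_id: int, T) -> bytes:
    R, C, Cs = T
    x = pairing(S_id, R)                                         # eq. (8)
    D = sum(pow(x, j, p) * Cj for j, Cj in enumerate(Cs)) % p    # eq. (9)
    return xor(C, H2(D))                                         # eq. (10)


def demo():
    """Distribute a key to three gateways, then evict gw-2 and rekey."""
    s, P_pub = system_setup()
    keys = {g: extract(s, g) for g in ("gw-1", "gw-2", "gw-3", "gw-x")}
    out = {}
    for label, group in (("initial", ["gw-1", "gw-2", "gw-3"]),
                         ("after_eviction", ["gw-1", "gw-3"])):
        session_key = secrets.token_bytes(32)
        T = encrypt(*encryption_setup(P_pub, group), session_key)
        out[label] = {g: decrypt(k, T) == session_key for g, k in keys.items()}
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The private keys of gw-1 and gw-3 are extracted once and reused unchanged across the eviction; only the polynomial behind the broadcast changes.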

If a gateway's public key $Q_{ID}$ is not included in the encryption key generation, this gateway will not be able to decrypt the session key. Therefore it cannot get the session key. This is because for any $x_j$ not belonging to the group, we can see that $\sum_{i=0}^{m} a_i x_j^i \neq 0 \bmod p$.

We can see that this algorithm has the following properties, which make it suitable for the clustered wireless sensor network. Firstly, most computations are performed by the command node. On the other hand, the gateway only needs to do the bilinear pairing, the multiplication and the exor (the bitwise exclusive or). Moreover, each gateway in the network system only needs to store one decryption key for its whole life. Furthermore, the communication overhead is reduced to one broadcast message. Finally, the system also has very good scalability. It is easy to add a new gateway and evict a compromised gateway, and there is no effect on any other gateways.

C. Exclusion Basis Systems (EBS)

The Exclusion Basis System (EBS) was developed by Mohamed Eltoweissy et al. in [2], [5] for efficient key management, to minimize the number of keys and reduce the number of re-keying messages in group communications.
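TABLE I: THE CANONICAL MATRIX EBS(10, 3, 2)

|    | M0 | M1 | M2 | M3 | M4 | M5 | M6 | M7 | M8 | M9 |
|----|----|----|----|----|----|----|----|----|----|----|
| K1 | 1  | 1  | 1  | 1  | 1  | 1  | 0  | 0  | 0  | 0  |
| K2 | 1  | 1  | 1  | 0  | 0  | 0  | 1  | 1  | 1  | 0  |
| K3 | 1  | 0  | 0  | 1  | 1  | 0  | 1  | 1  | 0  | 1  |
| K4 | 0  | 1  | 0  | 1  | 0  | 1  | 1  | 0  | 1  | 1  |
| K5 | 0  | 0  | 1  | 0  | 1  | 1  | 0  | 1  | 1  | 1  |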

We illustrate rekeying an EBS-based system with the help of the following example. Assume that there are 10 members in the group with keys as in Table I. Suppose member $M_0$ has been compromised. Since $M_0$ possesses keys $K_1$, $K_2$ and $K_3$, these keys will have to be redistributed. Now, the set $K_4 \cup K_5$ is the set of keys known to all members except $M_0$. Hence, the keys used for rekeying will be $K_4$ and $K_5$. The following messages will be generated for rekeying:

Message 1: $E(K_4(S', E(K_1(K_1')), E(K_2(K_2')), E(K_3(K_3'))))$

Message 2: $E(K_5(S', E(K_1(K_1')), E(K_2(K_2')), E(K_3(K_3'))))$

where $E(K_1(K_1'))$ means that the new key $K_1'$ is encrypted with key $K_1$, and $S'$ is the new session key for the cluster. The way these messages are constructed ensures that only the legitimate nodes will be able to decrypt the new keys. Thus, as a result of the above messages being broadcast, member $M_0$ will be evicted and the new keys $K_1'$, $K_2'$ and $K_3'$ will be made available only to those nodes that possessed keys $K_1$, $K_2$ and $K_3$.

D. System Operation

In this section, we describe the procedures for the system initialization and normal operations.

1) Initialization: The initial phase includes gateway registration, sensor discovery, cluster formation and key distribution. The command node generates $n$ keys for the sensor network based on the algorithm in Section 2.2. Each gateway is assigned an identification $ID_i$, an initial session key $sk$ and one decryption key $S_{id}$, all of which are preloaded before the gateway is employed. Moreover, each gateway in the network is preloaded with a discovery key $k_{sg}$, which is also preloaded on each sensor. This shared key is used for sensor discovery.

Gateway Registration

Each gateway acting as a cluster leader registers with the command node by sending its ID and location encrypted with the initial session key. After receiving the messages from all the gateways, the command node regenerates the encryption key based on the registered gateways and then broadcasts the session key, encrypted with the new encryption key, to all the gateways. Only the gateways registered in the current sensor network can decrypt it. These gateways can then communicate with each other using this session key.

Sensor Discovery

The sensors broadcast their ID and location messages encrypted with the key $k_{sg}$. Upon receiving the encrypted message, the gateway decrypts it and then tabulates the sensor ID and location.

Clustering

All the sensors in the network are partitioned into disjoint clusters. Each cluster is managed by a gateway (called cluster leader or cluster head). These cluster heads collaborate among themselves to group the sensors into clusters based on cluster forming criteria such as geographical location and type. Upon completion of the clustering, each gateway tabulates the ID and location of the sensors in its cluster and informs them of the cluster.

Lower Layer Key Distribution

Each cluster head (gateway) designates a number of the sensors as key generation nodes (KGNs). These KGNs generate the $k_c + M_c$ administrative keys based on the EBS. These keys are shared with the command node and are not known to the cluster head gateway. The gateway distributes $k_c$ keys to each sensor node, and the command node uses the $M_c$ unknown keys to deliver the backup keys. This procedure is the same as in the LOCK scheme.

2) Normal Network Operations: After the initialization phase, each gateway has received the upper layer session key. In addition, each sensor has received the administrative keys based on the EBS and the cluster session key. The normal network operations include key refresh and the addition of new sensors.

Key Refreshing

For the upper layer session key refresh, the command node generates a new encryption key, encrypts the new session key with it and broadcasts the result to all the cluster heads. Upon receiving the encrypted message, each cluster head in the wireless sensor network can decrypt it and get the new session key. For the lower layer session key refresh, each cluster head generates a new session key, encrypts it with its own keys and then broadcasts it. Upon receiving the message, each node in the cluster can decrypt it and get the session key as it shares
at least one key with the cluster head based on the EBS.

Addition of New Gateway and Sensor

For the addition of a new cluster head, the gateway is assigned an ID and preloaded with the private key, which is generated and stored in the command node of the wireless sensor network. For the addition of new sensors to an existing cluster, the command node first notifies the gateways that the new sensors are being deployed and sends the gateways the key $k_s$ to be used. The new sensors broadcast a discovery message containing their ID and location encrypted with $k_{SG}$. The gateways decide among themselves which cluster the new sensors should join. Once the new sensors join the corresponding cluster, each gateway with new sensors assigns key combinations to these new sensors and informs the command node of the new sensor IDs. The command node authenticates the new sensors and then certifies them. In case there are no more key combinations available, the gateway has to increase the number of administrative keys for the cluster based on the EBS expansion.

3) Evict the Compromised Gateway or the Compromised Sensors: In this paper, we assume that there is a compromise detection mechanism by which the command node monitors the gateways and detects their compromise or failure in the sensor network, and that the gateway can do the same for the sensors in its cluster. In this section, we describe revocation from the key management point of view. This includes the eviction of a compromised gateway and the eviction of compromised sensors.

The Eviction of a Compromised Gateway

Upon detecting and identifying the compromised gateway, the command node recomputes the encryption key so that only the uncompromised gateways can decrypt the message from the command node. Then the command node encrypts the new session key and broadcasts it. At this stage, the compromised gateway will not be able to decrypt the encrypted message. On the other hand, all remaining gateways will receive the new session key and form a new secure group. There are two methods to recover from the gateway compromise. One is to deploy a new gateway as the replacement, and the other is to redistribute the sensors in the compromised cluster to other clusters.

If we deploy a new gateway as a replacement, the recovery procedure is the regeneration and redistribution of new keys. Firstly, the new gateway is preloaded with the new private key and new session key. Upon deployment of the new gateway, the sensors in the cluster can authenticate the new gateway and register with it. Then the new gateway can designate new KGNs and generate new lower layer administrative keys based on the EBS. Finally, the new gateway sends the new cluster administrative keys to the command node and redistributes the keys to the sensors.

If we redistribute the sensors in the compromised cluster to other cluster gateways, we need the following procedure. Firstly, the sensors authenticate the new gateways and then join the new cluster based on location and similar criteria. The cluster that the new sensors join processes the addition of new sensors as described in the last section.

The Eviction of Compromised Sensors

If the gateway detects and verifies a compromised sensor in its cluster, the gateway needs to take the following steps to evict the compromised sensor from the cluster. Firstly, the gateway in the cluster lets the KGNs generate new administrative keys. Then the gateway sends the new administrative keys to the command node for backup and distributes the new administrative keys to the sensors in the cluster based on the EBS.

III. COMPARISON AND PERFORMANCE

In this section, we give some comparison and performance analysis. Table II lists our new scheme alongside two existing schemes, SHELL and LOCK. All these schemes are dynamic, clustered and hierarchical. Our scheme is based on the same hierarchical and clustered structure as LOCK. Here we only compare these two schemes. We compare them from the following aspects: the hierarchical structure, group key generation (GKG), the enhanced security method, the number of keys stored by each command node, gateway and sensor, and the number of communication messages for rekeying.
TABLE II: COMPARISON OF THE SCHEMES

|  | SHELL | LOCK | New Scheme |
|---|---|---|---|
| Layer | 2 | 2 | 2 |
| Lower layer GKM | EBS | EBS | EBS |
| Upper layer GKM |  | EBS | ID-Based |
| Lower layer key generation | Gateways | Sensors | Sensors |
| Upper layer key generation | Gateways | Command Node | Command Node |
| Lower layer key assign | Location-based | polynomial | polynomial |
| Upper layer key assign | Centralized | polynomial | Centralized |
| Command node keys | more keys | more keys | less keys |
| Gateway keys | k+ keys | more keys | less keys |
| Sensor keys | k+ keys | k keys | k keys |
| Network resilience | high | high | higher |
| Network Life | Long-lived | Long-lived | longer-lived |
| Upper layer Re-keying |  | m messages | one message |
| Lower layer Re-keying | m+ messages | m messages | m messages |
| Gateway addition | affect others | affect others | not affect others |
| Gateway eviction | affect others | affect others | only change session key |
| Sensor addition | affect others | less affect others | less affect others |
| Sensor eviction | affect others | less affect others | less affect others |

Security

Both LOCK and our new scheme have 2 layers: the upper layer and the lower layer. LOCK employs EBS for both the upper layer and the lower layer. By contrast, our scheme employs the ID-based public key algorithm for the upper layer and only uses the EBS for the lower layer. EBS provides an efficient key management technique. It has been proved that the overhead of an optimum EBS is half that of a binary key tree [2]. It reduces the number of keys and the
number of re-keying messages and also guarantees forward and backward secrecy in dynamic group communications. On the other hand, an EBS suffers from collusion attacks. If the nodes in the system collude, their combined set of keys will reveal many keys to the colluding nodes. In [2], [3], a collusion-resistant EBS was proposed. However, this comes at a cost that may not be acceptable for resource-constrained WSNs. Another drawback of the EBS is that the message sent for re-keying still uses the disclosed keys. For instance, in the previous example, the new keys $K_1'$, $K_2'$ and $K_3'$ were encrypted with the supposedly disclosed keys $K_1$, $K_2$ and $K_3$ in the sent messages. This may make all the keys available to other nodes. In the previous example, $M_9$ should only decrypt $K_3'$. Because $K_1$ and $K_2$ are supposedly disclosed keys, they might also be available to $M_9$. In this case, $M_9$ might get all the new keys ($K_1'$, $K_2'$, $K_3'$). This might be a big issue, particularly for nodes such as the cluster heads, as they have more computation power and the energy for a long life. As we discussed, the EBS needs to use the compromised keys to redistribute new keys in re-keying. By contrast, our new scheme only needs one key for each gateway for the upper layer and there is no collusion problem. Therefore, our scheme improves the system security.

Key Generation and Assignment

For the lower layer, our scheme still employs the same key generation and assignment method as LOCK. In each cluster, the gateway selects a number of sensors as key generation nodes and assigns the keys to each sensor node based on the polynomial method. For the upper layer, we use ID-based public key encryption. The command node generates keys and assigns one key to each gateway. These keys can be preloaded or replaced later when needed. In LOCK, each gateway needs $k$ keys for a key pool $p = k + m$, whereas each gateway only needs one key in our new scheme.
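The EBS rekeying example of Section II-C and the two EBS drawbacks raised under Security above can be checked mechanically. This Python is an added example, not code from the paper: it transcribes Table I, rebuilds it as the lexicographic enumeration of 3-key subsets of 5 keys, regenerates Messages 1 and 2 for an evicted member, and reports which new keys each remaining member obtains when the evicted member's old keys are, or are not, treated as disclosed. The function names and the `old_keys_disclosed` flag are this example's own.

```python
from itertools import combinations

# Table I of the paper, transcribed: rows K1..K5, columns M0..M9.
TABLE_I = {
    1: "1111110000",
    2: "1110001110",
    3: "1001101101",
    4: "0101011011",
    5: "0010110111",
}


def members_from_table(table):
    """Turn the key/member matrix into {member: set of key indices}."""
    n = len(next(iter(table.values())))
    return {f"M{j}": {k for k, row in table.items() if row[j] == "1"}
            for j in range(n)}


def canonical_ebs(n, k, m):
    """Give each of n members a distinct k-subset of k+m keys, in
    lexicographic order; for (10, 3, 2) this reproduces Table I."""
    subsets = list(combinations(range(1, k + m + 1), k))
    if n > len(subsets):
        raise ValueError("need C(k+m, k) >= n")
    return {f"M{j}": set(subsets[j]) for j in range(n)}


def rekey_messages(members, evicted):
    """One message per key the evicted member lacks, as in Messages 1 and 2."""
    all_keys = set().union(*members.values())
    lost = sorted(members[evicted])
    inner = ", ".join(f"E(K{c}(K{c}'))" for c in lost)
    return [f"E(K{o}(S', {inner}))" for o in sorted(all_keys - set(lost))]


def new_keys_learned(members, evicted, old_keys_disclosed=False):
    """New keys each remaining member can recover from the rekeying broadcast.

    A member opens a message if it holds the outer key, and an inner layer
    E(Kc(Kc')) if it knows the old Kc: from its own key set, or from anyone
    once the evicted member's keys are treated as disclosed.
    """
    all_keys = set().union(*members.values())
    lost = members[evicted]
    outer = all_keys - lost
    learned = {}
    for name, held in members.items():
        if name == evicted:
            continue
        known_old = held | (lost if old_keys_disclosed else set())
        learned[name] = (lost & known_old) if held & outer else set()
    return learned


def colluding_groups(members, size):
    """Groups of `size` members whose pooled keys cover the whole key set."""
    all_keys = set().union(*members.values())
    return [g for g in combinations(sorted(members), size)
            if set().union(*(members[x] for x in g)) == all_keys]


if __name__ == "__main__":
    members = members_from_table(TABLE_I)
    print(rekey_messages(members, "M0"))
    print("M9 intended:", new_keys_learned(members, "M0")["M9"])
    print("M9 if old keys disclosed:",
          new_keys_learned(members, "M0", old_keys_disclosed=True)["M9"])
    print("pairs holding every key:", len(colluding_groups(members, 2)))
```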
Scalability and Network Life

All these schemes are dynamic and long-lived. To improve network resilience, LOCK uses key polynomials. There is a balance between the key pool size $p$ and the number of keys for each gateway $k$. The bigger $p$ is, the more resilient the network. However, a big $p$ reduces the connectivity, as the probability of sharing a polynomial falls. This means that LOCK cannot have a big $m$ for spare keys. Our new scheme does not have node collusion problems, so we can provide enough extra keys. Therefore our new scheme can have better scalability and a longer lifetime.

Communication Overhead

For communication overhead, the LOCK scheme needs $m$ communication messages to replace a compromised gateway's keys. On the other hand, our scheme only needs one encrypted message for re-keying.

Computation Overhead

Another concern is the computation overhead. Both schemes use a symmetric key as the session key. For re-keying, the EBS uses symmetric keys. However, each gateway needs to decrypt $m$ encrypted messages, performing $k + 1$ decryptions for each message. In our new scheme, the command node needs to recompute the encryption key and the encrypted messages, so it needs more computation power. On the other hand, the gateway only needs to do the decryption. The computation includes the bilinear pairing, some multiplication and the exor (the bitwise exclusive or).

Addition and Eviction

For the addition of new nodes or the eviction of compromised nodes, the LOCK scheme needs to change some or all of the gateways' keys, as EBS is used. On the other hand, our scheme does not need to change any other gateway's communication keys; the only thing to do is for the command node to recompute the encryption key. This means that this scheme has excellent scalability, because it does not affect any other nodes when adding a new node or evicting a compromised node.

In conclusion, our new scheme has several advantages over LOCK. This scheme improves the system security, as it is not subject to collusion attacks and does not use the compromised keys in re-keying. In addition, this scheme also reduces the gateway key storage and the number of re-keying communications. Apart from that, our new scheme does not affect other gateways' communication keys when adding new gateways or removing existing ones.

IV. CONCLUSION

In this paper, we have proposed a new secure wireless sensor network security architecture based on LOCK. In this security architecture, the upper layer of the wireless sensor network security is based on an ID-based public key management algorithm. This scheme does not have the collusion problem and no longer employs the compromised keys, so it improves the security of the sensor network. In addition, each gateway only needs to store one private key for the upper layer. It can simplify the key management and reduce the number of re-keying messages and the computation, particularly compared with the existing secure wireless sensor network schemes. Furthermore, it has excellent scalability and does not affect any other nodes when adding new nodes or evicting compromised nodes.

REFERENCES
[1] G. Jolly, M. C. Kuscu, P. Kokate, and M. Younis, "A low-energy key management protocol for wireless sensor networks," in the 8th IEEE International Symposium on Computers and Communication (ISCC'03), June 2003.
[2] M. Eltoweissy, H. Heydari, L. Morales, and H. Sudborough, "Combinatorial optimization of group key management," Journal of Network and System Management, vol. 12, no. 1, March 2004.
[3] M. Eltoweissy, A. Wadaa, S. Olariu, and L. Wilson, "Group key management scheme for large-scale wireless sensor network," J. Ad Hoc Networks, pp. 796-802, Sept. 2005.
[4] M. Younis, K. Ghumman, and M. Eltoweissy, "Location-aware combinatorial key management scheme for clustered sensor networks," IEEE Trans. Parallel and Distrib. Sys., 2006.
[5] M. Eltoweissy, M. Moharrum, and R. Mukkamala, "Dynamic key management in sensor networks," IEEE Communications Magazine, pp. 122-130, April 2006.
[6] Y. Mu and W. Susilo, "Identity-based instantaneous broadcast system in mobile ad-hoc networks," in the 2004 International Workshop on Mobile Systems, E-commerce and Agent Technology, USA, 2004, pp. 35-40.
[7] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," Advances in Cryptology - Crypto, vol. 2139 LNCS, pp. 213-229, 2001.
