With rapid development and extensive use of wireless sensor networks (WSNs), it is urgent to enhance the security for WSNs, in which key management is an effective way to protect WSNs from various attacks. However, different types of messages exchanged in WSNs typically have different security requirements which cannot be satisfied by a single keying mechanism. In this study, a basic key management protocol is described for WSNs based on four kinds of keys, which can be derived from an initial master key, and an enhanced protocol is proposed based on Diffie-Hellman algorithm. The proposed scheme restricts the adverse security impact of a captured node to the rest of WSNs and meets the requirement of energy efficiency by supporting in-network processing. The master key protection, key revocation mechanism, and the authentication mechanism based on one-way hash function are, respectively, discussed. Finally, the performance of the proposed scheme is analyzed from the aspects of computational efficiency, storage requirement and communication cost, and its antiattack capability in protecting WSNs is discussed under various attack models. In this paper, promising research directions are also discussed.
Wireless sensor networks (WSNs) have been extensively used in various applications, such as homeland security, battlefield surveillance, environmental monitoring, and health care. Through collection and processing of the sensing data from the coverage area, WSNs enable users to access detailed and reliable information at any time and any place, which is a ubiquitous sensing technology.
WSNs have two salient characteristics: (i) they use wireless communication, so anyone within range of the network can attack them; (ii) they may be deployed in unattended environments or even hostile regions, such as battlefields, where they can be physically attacked or captured [
Security research on WSNs mainly focuses on key distribution, secure routing protocols, secure transmission, and security defense. Within this scope, using key management mechanisms to settle security issues in the wireless sensor network environment is the most crucial and challenging problem [
Although key management mechanisms in the cable network have been deeply studied, the research is still immature in WSNs [
It is worth noting that, due to the resource limitations, asymmetric encryption algorithms are seldom applied to the sensor network and most of the related works are based on symmetric key systems.
Although a number of classic protocols and schemes have been proposed for WSNs, many protocols concentrated on communication and processing technologies without paying enough attention to security issues, such as TEEN [
In recent years, scholars have proposed more sophisticated protocols which are mainly divided into two categories: predistribution scheme based on symmetric key and key management scheme based on public key.
Among the predistribution schemes, SPINS [
To balance the security performance and resource consumption, random key predistribution schemes, polynomial key predistribution schemes, and key predistribution scheme based on deployment knowledge are subsequently proposed.
E&G [
Though quite a lot of superior security protocols have been proposed recently, most of them have their own deficiencies. Park proposed a lightweight security protocol (LISP); it can tolerate packet loss, but it cannot handle the node revocation problem. After that, SRDA [
To avoid the above deficiencies, LEAP [
Based on previous studies, this paper proposes improved strategies to overcome some defects. In addition, how to apply the established keys to form security mechanisms that confront various kinds of attacks is described in detail.
Many security requirements of WSNs are similar to those of traditional networks, such as data confidentiality, authentication, and integrity. What is more, it should guarantee low energy consumption and high efficiency [
Recent research has shown that in-network data processing (shown in Figure
Examples of in-network processing.
The typical application of in-network processing is to divide the network into multiple clusters where the cluster head node collects and aggregates information from its neighbors and delivers the summary directly to the base station to avoid redundant transmissions and save communication bandwidth.
Generally, the pairwise key performs better at achieving data confidentiality, authentication, and integrity in WSNs, whereas the cluster key or network-wide key is needed to achieve in-network data processing (shown in Figure
The particular nature of WSNs requires resistance to physical attacks and node capture. For example, once a node is compromised, the loss of its secret information should not threaten the remaining secure links. Moreover, a well-designed security mechanism should support key revocation and update.
Therefore, it is fundamental to design a security mechanism that satisfies the above requirements in order to achieve the security of WSNs.
The notations used in this paper are given in Notations section.
Note that, in order to simplify the representation in the following discussion, notations
In addition, since keys for various security uses can be derived from the same key
Given Given Given
One-way hash chain is a sequence of the following hash value
The ingenious point is that two sides of communication can use this method to determine the symmetric key, which can be used for encryption and decryption. Note that the key exchange protocol can only be used for key exchange, without being able to encrypt and decrypt the messages [
Since the key exchange algorithm itself is usually limited to be used as key exchange technology for many commercial products, it is usually called Diffie-Hellman key exchange (abbreviated as DH algorithm, key exchange based on DH algorithm is also commonly referred to as
The purpose of this key exchange technique is to enable two users to achieve secure key exchange in order to ensure the encryption of subsequent packets. The effectiveness of Diffie-Hellman key exchange algorithm relies on the difficulty of computing discrete logarithms [
First define primitive root of prime number
For an integer
Based on the definition and nature of the primitive root, Diffie-Hellman key exchange algorithm is described as follows [ There are two global parameters: prime number Suppose users User Since
Thus, it corresponds that two sides have exchanged the same secret key
Basic assumptions are as follows. Topology is unknown before the deployment of the nodes. The sensor network is static (sensor nodes are not mobile) after deployment. Sensor nodes have similar computational and communication capabilities. Transmission power of nodes can be adjusted to control the propagation distance. The base station has enough energy supply and computing power. The attacker has the ability to eavesdrop on all the channels as well as to replay former messages and inject malicious packets. Once a node is captured, all the stored information will be obtained by the adversary. Every node has enough space to store hundreds of bytes for key establishment materials. Each node has some degree of ability to resist attack and it will not be captured within a limited period of time.
This section introduces the basic protocol in detail, including four kinds of secure key establishment mechanisms to satisfy various secure communication requirements and mechanisms for key erasure and update.
As discussed above, the single key mechanism cannot provide appropriate protection to all the required communication in the WSNs. Moreover, the security performance and resource consumption have to be balanced when making use of different kinds of keys.
The degree of key sharing in the security mechanism has to be taken into consideration. For example, if a unique pairwise key is used for every pair of nodes in the WSN to guarantee secure communication, a node captured by an attacker will not reveal any security information of other normal nodes, which is ideal for preventing threats to the entire network. However, it requires significant communication bandwidth and energy resources, which is quite inefficient.
On the contrary, if only a network-wide key is used for authentication and encryption, no communication between nodes is required for establishment of additional keys, and the storage costs and energy consumption can also be minimized. However, the security will be extremely poor. Once any node in the system is captured by an attacker, the whole network suffers an enormous risk.
In this section, the establishment of four kinds of keys is discussed in detail as well as their characteristics and abilities to resist attacks.
The individual key is a unique key of each sensor node that is shared with the controller (the base station) and is used for individual authentication and secure communication assurance [
For example, individual key can be used to encrypt sensitive information, such as special instructions and rekeying commands, exchanged between a sensor node and the base station. It can also be used for message authentication to get verification of the base station or other nodes.
Since every node in the network shares a unique individual key with the base station, it is neither practical nor efficient for the base station to store all these keys, especially when the network is very large. Thus, it is important to adopt a strategy to reduce the storage overhead, which can be achieved by the key generation function
First of all, it is argued that each node holds the key establishment function
Once the individual key is generated, the related node stores it within its life cycle. Since the base station has full knowledge of the initial key
Pairwise keys of a node indicate the keys shared with each of its direct neighbors, so the storage overhead of such keys for each node depends on the number of its neighbors [
In this protocol, pairwise keys have a lot of uses. For example, it can be used for a cluster head to encrypt the cluster key, which has to be transmitted to all of its neighbors, to achieve the distribution security. It is also a component to improve system security.
However, it will impede passive participation, which is important in saving communication energy, if such a key mechanism is employed on its own. The initial pairwise key establishment process is shown in Figure
Pairwise key establishing phase.
The generation of pairwise keys for nodes
Here, node
Since node
Note that each node has a timer which triggers key erasure once the node is sure that pairwise key establishment is finished. This process is significant because all the nodes keep the network-wide initial key
So it is suggested that, after a reasonable length of time, the initial key
In this way, once almost all the pairwise keys have been established successfully, no node will possess the necessary key generation material until a new group of nodes is to be joined. Because the key erasure mechanism is so necessary, how to control the key erasure time is worth exploring, but it is not an emphasis of this paper.
In addition, it can also be seen from the above equation that after the establishing time, namely, related key materials are erased, once the node
But once the attacker uses
For the new added nodes, an alternative is proposed to establish secure pairwise key:
Since the pseudorandom function
The advantage of above key establishing scheme is that there is no message exchanging between nodes
Note that there will be a situation that two nodes want to establish the pairwise key while one of them does not possess the master key
To deal with such situation, a scheme that asks for help from controller is simply presented as follows:
Here
If
However, reducing the use of the base station is an important goal here and the improvement is worth further exploring.
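The individual-key and pairwise-key steps of the basic protocol described above, as an added Python example that is not code from the paper. It assumes a LEAP-style derivation with truncated HMAC-SHA256 as the pseudorandom function; the class names, method names and sample keys are constructed for illustration.

```python
import hashlib
import hmac

KEY_LEN = 8  # bytes, matching the 8-byte key size in the paper's storage estimate


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudorandom function (assumption: HMAC-SHA256 truncated to KEY_LEN)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:KEY_LEN]


class BaseStation:
    """Stores one master key and recomputes any node's individual key on demand."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def individual_key(self, node_id: bytes) -> bytes:
        return prf(self._master_key, node_id)


class Node:
    def __init__(self, node_id: bytes, individual_key: bytes, initial_key: bytes):
        self.node_id = node_id
        self.individual_key = individual_key       # preloaded before deployment
        self.initial_key = initial_key             # network-wide, erased by the timer
        self.node_key = prf(initial_key, node_id)  # kept for the node's lifetime
        self.pairwise = {}

    def initiate(self, peer_id: bytes) -> None:
        """Initiator: rebuild the peer's node key from the initial key."""
        if self.initial_key is None:
            raise RuntimeError("initial key erased; base station help is needed")
        peer_node_key = prf(self.initial_key, peer_id)  # transient, never stored
        self.pairwise[peer_id] = prf(peer_node_key, self.node_id)

    def respond(self, peer_id: bytes) -> None:
        """Responder: needs only its own stored node key, so no key is sent."""
        self.pairwise[peer_id] = prf(self.node_key, peer_id)

    def erase_initial_key(self) -> None:
        """Timer expiry: drop the one secret that can rebuild other nodes' keys."""
        self.initial_key = None


def deploy(bs: BaseStation, node_id: bytes, initial_key: bytes) -> Node:
    return Node(node_id, bs.individual_key(node_id), initial_key)


def demo():
    bs = BaseStation(b"constructed-master-key")   # constructed sample secrets
    k_init = b"constructed-initial-key"
    u, v = deploy(bs, b"u", k_init), deploy(bs, b"v", k_init)
    u.initiate(b"v")
    v.respond(b"u")
    u.erase_initial_key()
    v.erase_initial_key()
    # A node added later still holds the initial key; u answers from its node key.
    w = deploy(bs, b"w", k_init)
    w.initiate(b"u")
    u.respond(b"w")
    w.erase_initial_key()
    return bs, u, v, w


if __name__ == "__main__":
    bs, u, v, w = demo()
    print(u.pairwise[b"v"] == v.pairwise[b"u"], w.pairwise[b"u"] == u.pairwise[b"w"])
```

After erasure, a captured `u` yields only its own node key and the pairwise keys it already holds; calling `u.initiate(...)` raises, which is the case the controller-assisted scheme handles.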
Cluster key is a key generated by an elected cluster head and shared with its neighbors and it is mainly used for encrypting local broadcast packets. Its most significant advantage is that it enables the in-network processing such as passive participation and data aggregation, which cannot be supported by the pairwise key but could save energy consumption efficiently.
The key establishment process is straightforward, as follows:
Here node
When any neighbor of
Cluster division and cluster head selection approaches are also worthy of discussion. But it is not an emphasis in this paper. A simple mesh division method is shown in Figure
Mesh division method.
The group key
Also, because there is only one group key shared among sensor nodes, the rekeying and updating mechanism becomes important once a compromised node is revoked.
Then preload this key chain
Note that the initial Group key
Figure
Using the one-way hash function for source authentication.
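Source authentication with a one-way hash chain, as an added Python example that is not code from the paper: the node is preloaded with the chain's end value and accepts a newly disclosed value only if hashing it forward reproduces the last value it authenticated. SHA-256 as the one-way function, the `max_skip` loss tolerance and all names are assumptions; the seed is a constructed sample.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    """One-way function (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [K_0, ..., K_n] where K_n = seed and K_(i-1) = H(K_i)."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


class ChainVerifier:
    """Node-side state: the index and value of the last authenticated chain key."""

    def __init__(self, commitment: bytes, max_skip: int = 16):
        self.index = 0
        self.value = commitment      # K_0, preloaded before deployment
        self.max_skip = max_skip     # bounds hashing work spent on one packet

    def accept(self, index: int, key: bytes) -> bool:
        gap = index - self.index
        if gap <= 0 or gap > self.max_skip:
            return False             # replayed or old value, or too far ahead
        probe = key
        for _ in range(gap):         # hash forward across any lost disclosures
            probe = H(probe)
        if not hmac.compare_digest(probe, self.value):
            return False             # not on the base station's chain
        self.index, self.value = index, key
        return True


def demo():
    chain = make_chain(b"constructed-seed", 10)   # held by the base station only
    node = ChainVerifier(chain[0])
    results = [
        node.accept(1, chain[1]),        # normal disclosure
        node.accept(3, chain[3]),        # K_2 was lost in transit: still verifiable
        node.accept(1, chain[1]),        # replay of an old value
        node.accept(4, b"\x00" * 32),    # forged value
        node.accept(4, chain[4]),        # genuine next value
    ]
    return chain, node, results


if __name__ == "__main__":
    print(demo()[2])
```

A node that has seen `K_3` can compute `K_2`, `K_1` and `K_0` from it but not `K_4`, which is why a captured node holding the current value cannot authenticate messages as the base station.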
The design of the basic scheme presented in the previous section is motivated by the observation that single keying mechanism is not suitable for meeting all the security requirements of different types of exchanged messages.
The advantage of this scheme is that the captured node does not threaten the safety of the other nodes in case the master key
During the time interval
The improved scheme is based on the Diffie-Hellman algorithm above. Prior to deployment of the network, each node prestores the large prime number
Note that the generation of individual key for node
Since the node no longer keeps initial key
Assign a key evolution function to each node. Take node
Then calculate the public message:
The pairwise key generation process is as follows:
Here, node
After that, node
Compared with the basic protocol, the most obvious improvement of the enhanced protocol is that it makes use of the Diffie-Hellman algorithm to generate pairwise keys instead of storing the initial key
The ability of the protocol to resist various kinds of attacks is discussed in detail in the above sections. This section analyzes the storage requirement and energy efficiency.
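The primitive-root condition and the Diffie-Hellman pairwise key agreement described above, as an added Python example that is not code from the paper. The 31-bit prime is a toy parameter chosen so that the primitive-root test can factor p - 1 directly; hashing the shared secret with both node identifiers, the fixed private values and all names are assumptions made for illustration.

```python
import hashlib
import secrets

P = 2**31 - 1  # toy Mersenne prime; a deployed network needs a far larger prime


def prime_factors(n: int) -> set:
    """Distinct prime factors by trial division (adequate for toy-sized n)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g: int, p: int) -> bool:
    """g generates all of Z_p^* iff g^((p-1)/q) != 1 (mod p) for each prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


# Smallest primitive root of P, prestored on every node together with P.
G = next(g for g in range(2, P) if is_primitive_root(g, P))


class DHNode:
    def __init__(self, node_id: bytes, private: int = None):
        self.node_id = node_id
        # Private exponent in [2, P-2]; never leaves the node.
        self._x = private if private is not None else secrets.randbelow(P - 3) + 2
        self.public = pow(G, self._x, P)   # the only value sent to neighbours
        self.pairwise = {}

    def establish(self, peer_id: bytes, peer_public: int) -> bytes:
        # Reject 0, 1 and p-1: they would force a predictable shared secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("degenerate public value")
        shared = pow(peer_public, self._x, P)
        lo, hi = sorted([self.node_id, peer_id])   # same input order on both sides
        material = shared.to_bytes(4, "big") + lo + hi
        self.pairwise[peer_id] = hashlib.sha256(material).digest()[:8]
        return self.pairwise[peer_id]


def demo():
    # Fixed private values are constructed so the run is reproducible.
    a = DHNode(b"a", 123456789)
    b = DHNode(b"b", 987654321)
    c = DHNode(b"c", 555555555)
    k_ab = a.establish(b.node_id, b.public), b.establish(a.node_id, a.public)
    k_ac = a.establish(c.node_id, c.public), c.establish(a.node_id, a.public)
    return k_ab, k_ac


if __name__ == "__main__":
    k_ab, k_ac = demo()
    print(k_ab[0] == k_ab[1], k_ac[0] == k_ac[1], k_ab[0] != k_ac[0])
```

No network-wide secret is stored: capturing node `a` exposes its private exponent and its own pairwise keys, but nothing that derives the key shared by `b` and `c`.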
In the basic protocol, a node needs to store four types of keys. Considering a node with
When the key establishment is complete in a network having a scale of
Note that communication distance of sensor node is limited so that it will not reach a high complexity that each two nodes are connected.
In addition, using an efficient clustering method can reduce the number of required cluster keys and the real storage complexity is much smaller.
Although memory is a quite scarce resource for the current generation of nodes in WSNs, for a reasonable degree, storage is not an issue in our protocol. For example, 100 keys totally take 800 bytes when the key size is 8 bytes.
In this paper, the average communication cost increases with the connection degree of a sensor network and decreases with the network size
It is worth noting that the communication cost of the enhanced protocol remains at the same level as that of the basic protocol.
Functions used in the proposed protocols are all of high computational efficiency. For example, pseudorandom function
Overall, we conclude that the protocols proposed in this study are scalable and efficient enough in storage, communication, and computation.
This section analyzes the security of the key management protocols. The survivability of the network is discussed when undetected compromised nodes occur and the robustness of proposed schemes is studied in defending against various attacks.
Once a sensor node
However, security detection in WSNs is more difficult than in other systems since sensor systems are often deployed in unattended environments. Thus, the survivability of the network is one of the most important security requirements when compromised nodes are not detected.
Firstly, because individual key is only shared between the base station and each sensor node, it usually does not help the attacker launch attacks.
Secondly, obtaining the cluster keys and pairwise keys of a compromised node enables the attacker to establish trust with the neighbor nodes, which the attacker can use to inject malicious sensor readings and routing control information into the network. However, in the protocols proposed in this study, the attacker usually has to carry out such attacks by making use of the identity of the captured node.
Note that a salient feature of the proposed protocols is the ability to localize possible threats. This is because, after the deployment of the network and the pairwise key establishment phase, every node keeps a list of trusted neighbor nodes. As a compromised node and its copies cannot establish a trust relationship with any nodes other than its neighbors, the attacker can only damage secure links within a limited range.
Finally, obtaining the group key enables the attacker to decrypt messages broadcast by the base station. The broadcast messages, by their nature, are intended to be received by all the nodes in the network. Thus, compromising any single node is enough to possess this message, whatever security mechanism is used. However, obtaining the group key does not allow the attacker to damage the entire network with malicious packets by impersonating the base station because all messages sent from the base station are authenticated by
Ciou et al. have described various possible attacks of routing protocols for WSNs [
An inside attacker may attempt to alter and replay routing information to make routing loops, attract or repel network traffic, and generate false messages. Moreover, the attacker can launch the selective forwarding attack, in which the captured node suppresses routing packets sent from a few selected nodes while forwarding the other packets reliably.
In this paper, the schemes cannot protect the WSNs from such attacks; however, the schemes can hinder or minimize the consequences caused by such attacks.
First, based on the key establishment and authentication phases of the proposed protocols, it is apparent that such attacks are only possible within a small area of two-hops from the captured node.
Second, since such attacks are localized in a certain zone, the attacker faces a high risk of being detected when launching such attacks. For example, the probabilistic challenge mechanism can help detect the spoofing attack and the detection of altering attack is also possible since the related sending node may overhear the forwarded messages altered by the captured node.
Last but not least, once a compromised node is detected, the group rekeying process of the protocols can efficiently revoke the compromised node from the network.
The proposed protocol can protect WSNs from the following attacks.
It is worth noting that the group key in the protocols is not for authentication purpose but for the distribution of secure messages to the entire network from the base station.
The combination of the sinkhole and the wormhole attacks is one of the most difficult attacks to be prevented.
In the sinkhole attack, a malicious node tries to attract packets from the neighbor nodes and then drops them. It can launch such an attack by advertising information of high reliability or high remaining energy, which is very hard to detect in WSNs.
In the wormhole attack, two distant malicious nodes conceal their distance information from the network. After placing one such node near the target zone and another one near the base station, the attacker will convince the nodes within the target area, which are usually multiple hops away from the base station, that they are only one or two hops away, in order to create a sinkhole. Moreover, nodes which are multiple hops away may believe that they are neighbors of each other. Since the attacker does not need to compromise any sensor nodes to launch the wormhole attack, such an attack is very powerful in practice [
In the proposed protocols, an outside attacker cannot succeed in launching wormhole attack except in the neighbor discovery process, since a node will know all its neighbor nodes after the pairwise key is established, which means the attacker cannot convince two distant nodes to believe that they are neighbors of each other.
Because the neighbor discovery process is very short (usually a matter of seconds), the probability that the attacker achieves such attacks is also quite small. If an inside attacker compromises two or more nodes, it can launch such attacks. However, it cannot convince two distant nodes that they are neighbors once the neighbor discovery phase is finished. The authenticated neighborhood information is critical in dealing with wormhole attacks.
In the sinkhole attack, if the attacker compromises a node
This paper proposes a basic key management protocol based on initial secure time, which assumes that the attacker cannot compromise a node in a short time. It satisfies various security requirements of WSNs using the combination of four kinds of secure keys. Meanwhile, the erasure and update mechanism of keys is important to support network security.
To further improve the security of the basic scheme, an enhanced protocol based on the Diffie-Hellman algorithm is proposed, which avoids storing the master key in sensor nodes so as to restrict the security impact of a captured node on the rest of the network.
The proposed protocol achieves high communication and energy efficiency by supporting in-network data processing and enhances the network security through strict authentication and encryption mechanisms. Compared to original ideas, the proposed scheme improves not only the network security but also the extensibility of WSNs.
This paper presents a proposal for key establishment and achieves security mainly through the combined application of four kinds of keys. This is a critical step, and how to use such keys to build a protection mechanism is a focus of our future research.
The number of nodes in the network
Two communicating nodes in the network (also represents the node identifier)
Calculate with parameter
One-way hash function to generate a chain of keys using the seed
Message authentication code (MAC) of message
The master key only possessed by base station
Individual key of node
Encryption of message
Concatenation of the sequences
Node
Node
Calculate hash value of message
The authors declare that there is no conflict of interests regarding the publication of this paper.
This work was supported by National Natural Science Foundation of China (nos. 61170268, 61100047, and 61272493), International S&T Cooperation Special Projects of China (no. 2013DFG72850), and The National Basic Research Program of China (973 Program) (no. 2012CB724400).