Random key predistribution schemes for sensor networks
1 / 39

Random Key Predistribution Schemes For Sensor Networks - PowerPoint PPT Presentation

  • Uploaded on

Random Key Predistribution Schemes For Sensor Networks. Haowan Chen, Adrian Perigg, Dawn Song. Index . Introduction Basic Scheme Q-composite Scheme Multi path Key Reinforcement Scheme Random Pair wise Scheme Conclusion. Sensor Networks. What are Sensors ?

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Random Key Predistribution Schemes For Sensor Networks' - sakina

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Random key predistribution schemes for sensor networks

Random Key Predistribution Schemes For Sensor Networks

Haowan Chen, Adrian Perigg, Dawn Song


  • Introduction

  • Basic Scheme

  • Q-composite Scheme

  • Multi path Key Reinforcement Scheme

  • Random Pair wise Scheme

  • Conclusion

Sensor networks
Sensor Networks

  • What are Sensors ?

    • A device that responds to physical stimulus (as heat, light, motion etc) and transmits a resulting measurement impulse

  • Revolutionizes information gathering and processing

  • Networking sensors: ability to coordinate among themselves on a larger sensing task


  • Real time traffic monitoring

  • Real time pollution and temperature monitoring

  • Building safety monitoring systems

  • Wild Life Monitoring and Tracking

  • Military sensing and tracking

  • Monitoring complex machinery and processes

  • Video surveillance

Sensor network limitations
Sensor Network Limitations

  • Impracticality of public key cryptosystems

  • Vulnerability of nodes to physical capture

  • Nodes not tamper resistant (neighbor distrust)

  • Lack of a-priori knowledge of post deployment configuration

  • Limited memory resources

  • Limited bandwidth and transmission power

  • Over-reliance on base stations exposes vulnerabilities

Bootstrapping security requirements
Bootstrapping Security Requirements

  • Deployed nodes must be able to establish secure node to node communication

  • Scheme should be functional without involving the base station as arbiter or verifier

  • Additional legitimate nodes deployed at a later time can form secure connections with already-deployed nodes

  • Unauthorized nodes should not be able to establish communications with network nodes and thus gain entry into the network

  • The scheme must work without prior knowledge of which nodes will come into communication range of each other after deployment.

  • The computational and storage requirement of the scheme must be low, and the scheme should be robust to DoS attacks from out-of-network sources.

Evaluation metrics in key setup schemes
Evaluation Metrics In Key Setup Schemes

  • Resilience against node capture

  • Resistance against node replication

  • Revocation

  • Scale

Review of basic scheme
Review Of “Basic Scheme”

  • Proposed by Eschenauer and Gligor

  • 4 phases

    - Initialization

    - Node Deployment

    - Key Setup

    - Path Key Generation

Initialization phase
Initialization Phase

  • Pick a random set of keys S out of the total possible key space

  • “Key Ring” : for each node, randomly select m keys from S and store in node memory

    Criteria : two random subsets of size m in S will share at least one key with probability P

Deployment and key setup phases
Deployment And Key Setup Phases

  • Sensor nodes are deployed

  • Key Setup Phase

    • key discovery:

      • a short identifier is assigned to each key before deployment

      • each node broadcasts its set of identifiers

    • verification: nodes containing shared keys in their “key rings” verify that neighbor actually holds key by challenge response protocol

Path key generation
Path Key Generation

  • A connected graph of secure links is formed

  • Nodes setup path keys with nodes in their vicinity whose share keys are not present in their key rings

  • Path can be found from source node to its neighbor from connected graph

  • Source node generates path key and sends it securely via the path to target node

Parameter choices for connected graph erd s r nyis formula
Parameter choices for connected graph (Erdös-Rényis Formula)

  • For high graph connectivity during key-setup phase right parameters need to be picked

  • D -> degree for the vertices in graph such that graph is connected with a high probability c =0.999

  • D = ((n-1)/n) (ln(n) – ln(-ln(c))) where n is network size

  • Probability of successful key setup with some neighbor, p = (d/n’) where n’ is expected no. of neighbors

Q composite scheme an improved basic scheme
Q-composite scheme : An improved “Basic Scheme”

  • Initialization same as Basic Scheme but with different size of selected key pool S

  • In Key Setup Phase, key discovery is more secure, using Merkle Puzzles

  • In Key Discovery every node identifies every neighbor node with which it shares at least ‘q’ keys

  • Link Key K is generated as a hash of all shared q’ keys, where q’ >= q

    eg : K = hash( k1 ll k2 ll k3 ll….ll kq’ )

  • Key Setup is not performed between nodes that share fewer than q keys

Key pool size computation a tradeoff
Key Pool Size Computation- A Tradeoff

  • amount of key overlap required for key setup is q (increased from 1 in Basic)

  • Hence exponentially harder for adversary with a given key set to break a link

  • But to preserve probability of two nodes sharing sufficient keys to establish a secure link, size of key pool S to be reduced

  • Reduced pool size allows attacker to gain larger sample of S by breaking fewer nodes

  • Optimum overlap – best security !!

Evaluation: Pool Size Computation

M = 200 keys

P = 0.5

Observation : For Optimal Choice of key overlap, expected no. of nodes to be captured for eavesdropping (0.1 probability) is high

Pool size computation
Pool Size Computation

  • P(i) -> no. of ways to choose two key ring with i common keys

  • Pconnect -> probability of any two nodes sharing sufficient keys to form a secure connection

  • Then p(i) is given as :

Pconnect = 1 – (p(0) + p(1) +…..+p(q-1))

For minimum key overlap q and min. connection probability p,

choose largest ISI such that pconnect >= p


Metric : resilience against node capture by calculating the fraction of links in the network that an attacker is able to eavesdrop on indirectly as a result of recovering keys from captured nodes


Metric : estimation of max. supported size of network given certain security properties hold

Multipath key reinforcement an add on to basic scheme
Multipath Key Reinforcement – An Add On to “Basic Scheme”

  • Initial Key Setup using Basic Scheme

  • Now, consider the secure link between nodes A and B after key-setup

  • This link is secured using a single key k from pool S

Problem Scheme”

  • Problem - k may be present in key ring memory of some other nodes

  • If any of these nodes are captured, security of A->B is in jeopardy

  • Solution : update communication key to a random value after key – setup

  • Coordinate key update over multiple independent paths

Multipath key update
Multipath Key Update Scheme”

  • Assumption : j be the no. of disjoint paths between A and B created during key setup

  • Node A generates j random values v1,v2…vj of same length as shared key

  • Each value is routed along a different path to B and when B receives all j keys, new link key is computed as:

    k’ = k + v1 + v2 + ….+ vj

  • Long paths are not suitable

  • 2-hop multipath key reinforcement is optimal

    • Discovery overhead is minimized

Evaluation Scheme”

Metric : Resistance against node capture

Observation : reinforced basic scheme works best

Evaluation Scheme”

Metric : Maximum Supportable Network Sizes

Observation : Multipath Key Reinforcement gives boost when implemented with basic scheme

Random-pairwise keys scheme Scheme”

  • In all schemes so far, no node can authenticate the identity of a neighbor it is communicating with

  • Ex. A shares some set of keys with B

    • It is possible that C could also posses this key

    • Hence, A does not know if is communicating with B for sure

Node to node authentication
Node to node authentication Scheme”

  • Possible if a node can ascertain the identity of the nodes that it is communicating with

  • Useful in many cases:

    • Detecting node misbehavior

    • Resisting node replication attack

    • Shift security functions away from the base station

Random pairwise scheme properties
Random pairwise scheme: properties Scheme”

  • Perfect resilience against node capture

  • Node to node identity authentication

  • Distributed node revocation

  • Resistance to node replication

  • Comparable scalability

Random pairwise scheme description
Random pairwise scheme: description Scheme”

  • To achieve the probability p described by ER formula, in a network of n nodes:

    • Each node need only store a random set of nppairwise keys (instead of n-1)

    • Thus, if node can store m keys, network size n=m/p

    • “n should increase with increasing m and decreasing p”

Phase 1 initialization
Phase 1: Initialization Scheme”

  • n=m/punique node identities generated

  • Each node identity matched with m other randomly selected distinct node IDs

    • Pairwise key generated for each pair of nodes

    • Along with ID of other node that also knows the key, key is stored at both nodes

Phase 2 key setup
Phase 2: Key Setup Scheme”

  • Each node broadcasts node ID to immediate neighbors

  • By searching in each others key rings, neighboring nodes can tell if they share a common pairwise key

  • Cryptographic handshake performed between neighbors to accept the fact that they both have knowledge of key

Multihop range extension
Multihop range extension Scheme”

  • Key discovery involves much less traffic than random key predistribution

  • Hence can have nodes rebroadcast node ID for certain number of hops

Multihop range extension1
Multihop range extension Scheme”

  • Has impact on maximum supportable network size n

    • n=mn’/d (as seen earlier,p=d/n’, n=m/p)

    • Since n’ increases, maximum network size n also increases

  • Should be used with caution: since message rebroadcast is performed without authentication/verification: can lead to potential DoS attacks

    • To prevent, can remove multihop range extension, as is not required for random pairwise scheme

Support for distributed node revocation
Support for Distributed Node Revocation Scheme”

  • Node revocation in random pairwise possible via base stations (but is slow)

  • Assumption: mechanism present in each sensor to detect if neighboring nodes have been compromised

  • Nodes broadcast public votes against a detected misbehaving node.

  • If any B observes more than threshold number t of public votes against A, then B breaks off all communication with A

  • Voting scheme, voting members

Support for distributed node revocation1
Support for Distributed Node Revocation Scheme”

  • Scheme 1: Consider any node A in the network; there are m nodes matched with it

    • These are voting members for A

    • Each assigned a random voting key Ki

    • Each also knows hashes of other nodes’ keys

    • Nodes compute hash of Ki to verify vote

    • Increases memory requirement to O(m2)

Support for distributed node revocation2
Support for Distributed Node Revocation Scheme”

  • Scheme 2: Merkle tree mechanism: O(log m) computation per output (fractal traversal)

    • Only a single verifying hash value (root) needs to be stored

    • Drawback: necessary to remember which nodes already traversed, to avoid replay votes

Threshold issues
Threshold issues Scheme”

  • t should be

    • Low enough that unlikely that any node has degree < t

    • High enough that compromised nodes cannot revoke legitimate nodes

Broadcast mechanism
Broadcast Mechanism Scheme”

  • Voting scheme uses naïve broadcast, vulnerable to DoS attack

  • Network of voting members form random graph with almost same (high) probability of being connected as original network (mn’/n)

Resisting revocation attack
Resisting revocation attack Scheme”

  • To prevent widespread release of revocation keys by compromised nodes, only nodes that have established direct communication with a node B have ability to revoke B

  • Done by distributing revocation keys to voting members in deactivated form, source node knows secret SBi, which voting members request during key discovery and setup

Resistance against node replication node generation
Resistance against node replication/node generation Scheme”

  • To be resistant to addition of infiltrator nodes derived form captured nodes, in case of capture being undetected by the network

  • Degree of a node limited to counter replication

  • Method for degree counting implemented with public vote counting, thus a node able to track nodes which share pairwise keys with it

Conclusion Scheme”

  • Efficient bootstrapping of secure keys important for secure sensor networks

  • Tradeoffs exist in each scheme, choice depends on which tradeoff is most appealing (scenario dependent)

  • q-composite scheme: good security for small scale attacks/vulnerable to large scale

  • 2-hop multipath: improved security/network traffic overhead

  • Random pairwise: resilient, good security/does not support as large networks as other schemes