Random key predistribution schemes for sensor networks
This presentation is the property of its rightful owner.
Sponsored Links
1 / 39

Random Key Predistribution Schemes For Sensor Networks PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Random Key Predistribution Schemes For Sensor Networks. Haowan Chen, Adrian Perigg, Dawn Song. Index. Introduction Basic Scheme Q-composite Scheme Multi path Key Reinforcement Scheme Random Pair wise Scheme Conclusion. Sensor Networks. What are Sensors ?

Download Presentation

Random Key Predistribution Schemes For Sensor Networks

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Random Key Predistribution Schemes For Sensor Networks

Haowan Chen, Adrian Perigg, Dawn Song


  • Introduction

  • Basic Scheme

  • Q-composite Scheme

  • Multi path Key Reinforcement Scheme

  • Random Pair wise Scheme

  • Conclusion

Sensor Networks

  • What are Sensors ?

    • A device that responds to physical stimulus (as heat, light, motion etc) and transmits a resulting measurement impulse

  • Revolutionizes information gathering and processing

  • Networking sensors: ability to coordinate among themselves on a larger sensing task


  • Real time traffic monitoring

  • Real time pollution and temperature monitoring

  • Building safety monitoring systems

  • Wild Life Monitoring and Tracking

  • Military sensing and tracking

  • Monitoring complex machinery and processes

  • Video surveillance

Sensor Network Limitations

  • Impracticality of public key cryptosystems

  • Vulnerability of nodes to physical capture

  • Nodes not tamper resistant (neighbor distrust)

  • Lack of a-priori knowledge of post deployment configuration

  • Limited memory resources

  • Limited bandwidth and transmission power

  • Over-reliance on base stations exposes vulnerabilities

Bootstrapping Security Requirements

  • Deployed nodes must be able to establish secure node to node communication

  • Scheme should be functional without involving the base station as arbiter or verifier

  • Additional legitimate nodes deployed at a later time can form secure connections with already-deployed nodes

  • Unauthorized nodes should not be able to establish communications with network nodes and thus gain entry into the network

  • The scheme must work without prior knowledge of which nodes will come into communication range of each other after deployment.

  • The computational and storage requirement of the scheme must be low, and the scheme should be robust to DoS attacks from out-of-network sources.

Evaluation Metrics In Key Setup Schemes

  • Resilience against node capture

  • Resistance against node replication

  • Revocation

  • Scale

Review Of “Basic Scheme”

  • Proposed by Eschenauer and Gligor

  • 4 phases

    - Initialization

    - Node Deployment

    - Key Setup

    - Path Key Generation

Initialization Phase

  • Pick a random set of keys S out of the total possible key space

  • “Key Ring” : for each node, randomly select m keys from S and store in node memory

    Criteria : two random subsets of size m in S will share at least one key with probability P

Deployment And Key Setup Phases

  • Sensor nodes are deployed

  • Key Setup Phase

    • key discovery:

      • a short identifier is assigned to each key before deployment

      • each node broadcasts its set of identifiers

    • verification: nodes containing shared keys in their “key rings” verify that neighbor actually holds key by challenge response protocol

Path Key Generation

  • A connected graph of secure links is formed

  • Nodes setup path keys with nodes in their vicinity whose share keys are not present in their key rings

  • Path can be found from source node to its neighbor from connected graph

  • Source node generates path key and sends it securely via the path to target node

Parameter choices for connected graph (Erdös-Rényis Formula)

  • For high graph connectivity during key-setup phase right parameters need to be picked

  • D -> degree for the vertices in graph such that graph is connected with a high probability c =0.999

  • D = ((n-1)/n) (ln(n) – ln(-ln(c))) where n is network size

  • Probability of successful key setup with some neighbor, p = (d/n’) where n’ is expected no. of neighbors

Q-composite scheme : An improved “Basic Scheme”

  • Initialization same as Basic Scheme but with different size of selected key pool S

  • In Key Setup Phase, key discovery is more secure, using Merkle Puzzles

  • In Key Discovery every node identifies every neighbor node with which it shares at least ‘q’ keys

  • Link Key K is generated as a hash of all shared q’ keys, where q’ >= q

    eg : K = hash( k1 ll k2 ll k3 ll….ll kq’ )

  • Key Setup is not performed between nodes that share fewer than q keys

Key Pool Size Computation- A Tradeoff

  • amount of key overlap required for key setup is q (increased from 1 in Basic)

  • Hence exponentially harder for adversary with a given key set to break a link

  • But to preserve probability of two nodes sharing sufficient keys to establish a secure link, size of key pool S to be reduced

  • Reduced pool size allows attacker to gain larger sample of S by breaking fewer nodes

  • Optimum overlap – best security !!

Evaluation: Pool Size Computation

M = 200 keys

P = 0.5

Observation : For Optimal Choice of key overlap, expected no. of nodes to be captured for eavesdropping (0.1 probability) is high

Pool Size Computation

  • P(i) -> no. of ways to choose two key ring with i common keys

  • Pconnect -> probability of any two nodes sharing sufficient keys to form a secure connection

  • Then p(i) is given as :

Pconnect = 1 – (p(0) + p(1) +…..+p(q-1))

For minimum key overlap q and min. connection probability p,

choose largest ISI such that pconnect >= p


Metric : resilience against node capture by calculating the fraction of links in the network that an attacker is able to eavesdrop on indirectly as a result of recovering keys from captured nodes


Metric : estimation of max. supported size of network given certain security properties hold

Multipath Key Reinforcement – An Add On to “Basic Scheme”

  • Initial Key Setup using Basic Scheme

  • Now, consider the secure link between nodes A and B after key-setup

  • This link is secured using a single key k from pool S


  • Problem - k may be present in key ring memory of some other nodes

  • If any of these nodes are captured, security of A->B is in jeopardy

  • Solution : update communication key to a random value after key – setup

  • Coordinate key update over multiple independent paths

Multipath Key Update

  • Assumption : j be the no. of disjoint paths between A and B created during key setup

  • Node A generates j random values v1,v2…vj of same length as shared key

  • Each value is routed along a different path to B and when B receives all j keys, new link key is computed as:

    k’ = k + v1 + v2 + ….+ vj

  • Long paths are not suitable

  • 2-hop multipath key reinforcement is optimal

    • Discovery overhead is minimized


Metric : Resistance against node capture

Observation : reinforced basic scheme works best


Metric : Maximum Supportable Network Sizes

Observation : Multipath Key Reinforcement gives boost when implemented with basic scheme

Random-pairwise keys scheme

  • In all schemes so far, no node can authenticate the identity of a neighbor it is communicating with

  • Ex. A shares some set of keys with B

    • It is possible that C could also posses this key

    • Hence, A does not know if is communicating with B for sure

Node to node authentication

  • Possible if a node can ascertain the identity of the nodes that it is communicating with

  • Useful in many cases:

    • Detecting node misbehavior

    • Resisting node replication attack

    • Shift security functions away from the base station

Random pairwise scheme: properties

  • Perfect resilience against node capture

  • Node to node identity authentication

  • Distributed node revocation

  • Resistance to node replication

  • Comparable scalability

Random pairwise scheme: description

  • To achieve the probability p described by ER formula, in a network of n nodes:

    • Each node need only store a random set of nppairwise keys (instead of n-1)

    • Thus, if node can store m keys, network size n=m/p

    • “n should increase with increasing m and decreasing p”

Phase 1: Initialization

  • n=m/punique node identities generated

  • Each node identity matched with m other randomly selected distinct node IDs

    • Pairwise key generated for each pair of nodes

    • Along with ID of other node that also knows the key, key is stored at both nodes

Phase 2: Key Setup

  • Each node broadcasts node ID to immediate neighbors

  • By searching in each others key rings, neighboring nodes can tell if they share a common pairwise key

  • Cryptographic handshake performed between neighbors to accept the fact that they both have knowledge of key

Multihop range extension

  • Key discovery involves much less traffic than random key predistribution

  • Hence can have nodes rebroadcast node ID for certain number of hops

Multihop range extension

  • Has impact on maximum supportable network size n

    • n=mn’/d (as seen earlier,p=d/n’, n=m/p)

    • Since n’ increases, maximum network size n also increases

  • Should be used with caution: since message rebroadcast is performed without authentication/verification: can lead to potential DoS attacks

    • To prevent, can remove multihop range extension, as is not required for random pairwise scheme

Support for Distributed Node Revocation

  • Node revocation in random pairwise possible via base stations (but is slow)

  • Assumption: mechanism present in each sensor to detect if neighboring nodes have been compromised

  • Nodes broadcast public votes against a detected misbehaving node.

  • If any B observes more than threshold number t of public votes against A, then B breaks off all communication with A

  • Voting scheme, voting members

Support for Distributed Node Revocation

  • Scheme 1: Consider any node A in the network; there are m nodes matched with it

    • These are voting members for A

    • Each assigned a random voting key Ki

    • Each also knows hashes of other nodes’ keys

    • Nodes compute hash of Ki to verify vote

    • Increases memory requirement to O(m2)

Support for Distributed Node Revocation

  • Scheme 2: Merkle tree mechanism: O(log m) computation per output (fractal traversal)

    • Only a single verifying hash value (root) needs to be stored

    • Drawback: necessary to remember which nodes already traversed, to avoid replay votes

Threshold issues

  • t should be

    • Low enough that unlikely that any node has degree < t

    • High enough that compromised nodes cannot revoke legitimate nodes

Broadcast Mechanism

  • Voting scheme uses naïve broadcast, vulnerable to DoS attack

  • Network of voting members form random graph with almost same (high) probability of being connected as original network (mn’/n)

Resisting revocation attack

  • To prevent widespread release of revocation keys by compromised nodes, only nodes that have established direct communication with a node B have ability to revoke B

  • Done by distributing revocation keys to voting members in deactivated form, source node knows secret SBi, which voting members request during key discovery and setup

Resistance against node replication/node generation

  • To be resistant to addition of infiltrator nodes derived form captured nodes, in case of capture being undetected by the network

  • Degree of a node limited to counter replication

  • Method for degree counting implemented with public vote counting, thus a node able to track nodes which share pairwise keys with it


  • Efficient bootstrapping of secure keys important for secure sensor networks

  • Tradeoffs exist in each scheme, choice depends on which tradeoff is most appealing (scenario dependent)

  • q-composite scheme: good security for small scale attacks/vulnerable to large scale

  • 2-hop multipath: improved security/network traffic overhead

  • Random pairwise: resilient, good security/does not support as large networks as other schemes

  • Login