A unified security framework with three key management schemes for wireless sensor networks

Computer Communications 31 (2008) 4269–4280

Contents lists available at ScienceDirect

Computer Communications journal homepage: www.elsevier.com/locate/comcom

A unified security framework with three key management schemes for wireless sensor networks Rabia Riaz a, Ayesha Naureen b, Attiya Akram b, Ali Hammad Akbar d, Ki-Hyung Kim a,*, H. Farooq Ahmed c a

AJOU University, School of Information and Communication, Wonchundong, Yongtonggu, 443-749 Suwon, Gyunggi, South Korea College of Signals, NUST, Pakistan c Communication Technologies, Sendai, Japan d University of Engineering and Technology, Pakistan b

a r t i c l e

i n f o

Article history: Available online 17 June 2008 Keywords: Wireless sensor networks Key management Symmetric keys Public key cryptography Node revocation

a b s t r a c t Pervasive computing environments find their practical manifestations through wireless sensor networks, which sense a relationship amongst themselves and the environment. Currently the proposed keying schemes for ensuring security, in wireless sensor networks, may be classified into public and private keying schemes, or their hybrid. However, an investigation in peer work underpins the fact that neither of these works relates the key management schemes with the granularity of key generation, distribution, renewal, and revocation. In this paper, we propose a unified security framework with three key management schemes, SACK, SACK-P, and SACK-H that incorporate symmetric key cryptography, asymmetric key cryptography and the hybrid, respectively. We have evaluated the key management schemes against a broad range of metrics such as energy, resource utilization, scalability and resilience to node compromises. Our evaluation comprises both analytical investigation and experimental validation. The results show that though SACK-P is heavy on resources, it provides maximal security and offers the best resilience to node compromises. On the contrary, SACK is very efficient in terms of storage and communication. Our results substantiate a relationship between the level of security and resource utilization and form a design benchmark for security frameworks. Ó 2008 Elsevier B.V. All rights reserved.

1. Introduction The practical aspects of pervasive computing and networking were unbeknownst to the world until the emergence of wireless sensor networks (WSNs). The availability of WSNs has resulted into many new applications including home automation, environmental monitoring and sensing, medical, and personal area networks (PANs). WSNs normally consist of a large number of 3L devices (low cost, low energy and low bandwidth) that are densely deployed over a region of interest and connected through a wireless network. In WSN, the medium of communication is wireless, which is inherently insecure. Thus, each sensor node must know one or more keys to secure its communication. Furthermore, situations might arise wherein an authenticated node is compromised by the intruder, revealing partial or entire keying information to the intruder – making it necessary to remove such node from the network. Needless to say, that the robustness of a security framework relies upon the strength of its key management schemes. * Corresponding author. Tel.: +82 1047602551; fax: +82 312192443. E-mail addresses: [email protected] (R. Riaz), [email protected] (A. Naureen), [email protected] (A. Akram), [email protected] (A.H. Akbar), [email protected] (K.-H. Kim), [email protected] (H. Farooq Ahmed). URL: http://www.ilab.ajou.ac.kr (K.-H. Kim). 0140-3664/$ - see front matter Ó 2008 Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2008.05.043

Most of the well known security schemes designed for traditional wire-line and wireless networks are inert to the unique characteristics of WSNs, most notably to the device limitations in WSNs. Consequently, these cannot be readily applied to WSNs. For instance, public key-based schemes involve significant communication and computational overhead – making them unsuitable for these battery operated devices. Likewise, symmetric key-based schemes cannot single-handedly provide robust security against attacks with burgeoning effect and gravity in distributed environments like WSNs. In summary, there is a need for key management schemes in WSNs to integrate collateral security schemes that reinforce the security robustness, under a unified framework. In this paper we present a unified security framework that embodies three key management schemes. The framework presents (a) SACK; a key management scheme using symmetric key cryptography. In the event of a key disclosure, SACK ensures that the disclosure is only restricted to the respective cluster, not the entire network, (b) SACK-P (public); a key management scheme that is a variant of SACK that uses the asymmetric key cryptography. It provides an added level of security at additional communication and computational overheads and (c) SACK-H (hybrid); another variant of SACK that utilizes SACK for intra-cluster

4270

R. Riaz et al. / Computer Communications 31 (2008) 4269–4280

communication and SACK-P for both inter-cluster and cluster to base station communication. SACK-H provides an improved level of security as compared to SACK but poses lesser resource drainage than SACK-P. An experimental and analytical evaluation of these three schemes provides an insight into the key management overhead and security strength conundrum. The evaluation is aimed at helping network security experts in mapping an ontological relationship between the desired security level, network and device resources and the achievable security level. The remainder of the paper is organized as follows. In Section 2, we present peer work in key management infrastructures, with an avid focus on resource consumption and achieving security levels. Section 3 presents the network model used in all three schemes. In Section 4, we present the detailed architecture and operation of SACK, SACK-H and SACK-P. Section 5 explains post deployment operations like scalability, network connectivity and revocation. Analytical and experimental evaluation is presented in Section 6. Finally, in Section 7, we conclude the paper.

2. Related work In this section, we present related work in bipartite. In the first part, we review the work done regarding public key cryptographic methods used in WSNs. In the second part, we present contemporary work in key generation and distribution with a side focus on keying mechanism used. 2.1. Public key cryptography in WSN In the WSNs, due to their constrained resources, cryptographic methods are evaluated on the basis of energy consumption, code size, data size and processing time. These evaluation criteria’s make public key cryptography undesirable for 3L based pervasive environments. For example, in [1], comparison of energy consumed by symmetric key and asymmetric key algorithms shows that, on MC68328 DragonBall processor, the encryption of 1024bit block using RSA consumes approximately 42 mJ, while 128 bit AES block consume only 0.104 mJ. Recent studies like [2,3] show that the right selection of algorithms and associated parameters along with code optimization can make public key cryptography feasible for sensor networks. Most work in public key domain focus on ECC and RSA. The reason for ECC’s attractiveness is that it offers considerably greater security for far smaller key size, for example 160-bit ECC offers the comparable security to 1024-bit RSA and 512 bit ECC provides security of the level of 15,360 bit RSA. The smaller key size makes possible much more compact implementations for a given level of security, resulting in faster cryptographic operations. Work in [4] investigates the effect of ECC and RSA implementation, for signature generation and key exchange, on MICA2, MICAz, MICA2DOT [based on ATmega128L] and TelosB motes. Results show that even for most constrained node, performing ECC-160 signature, once every 10 min, increases the duty cycle only about 0.5%. On the other hand, even for the most energized nodes, the RSA private key operations were extremely time and energy consuming. Working group at Harvard University deployed PKI by modifying and optimizing ECC on Mica2 motes using TinyOs. They were able to generate public keys within 34 s and distributed the shared secret in the same time, using just over 1 kB of SRAM and 34 kB of ROM [5]. The implementations of RSA (e.g. TinyPK [6]) and ECC (TinyECC [7]) prove that a public key-based protocol is viable for WSNs. The idea of (k,n) threshold scheme was introduced by Shamir [8]. A (k,n) threshold scheme allows a secret, for example a signing key, to be split into n shares such that for a certain threshold k < n, any k components can combine and recover the signing key;

whereas k 1 or fewer shares are unable to do so. Zhou and Hass proposed a secure ad hoc network using secret sharing and threshold cryptography [9]. Hubaux et al. in [10] proposed a public key distribution system based on web of trust model, in which the certificates are issued and revoked by the users. The scheme works in correspondence with the decentralized nature of certificate management in ad hoc networks. Threshold cryptography and web of trust have their shortcomings when applied to WSNs. Major issues being the associated expensive computation and the high probability of likely penetration by malicious agents. Also all current asymmetric key related studies only support their feasibility for WSN’s. None of current works propose complete key management infrastructure using public key cryptography. 2.2. Key management in WSN For WSNs key establishment is not an easy task. A single global symmetric key shared to all users is secure to external attackers who do not know the key, but a single node compromise from within the network will expose the key and make the complete WSN insecure. Use of distinct pair-wise keys (symmetric or asymmetric) for all possible pairs of nodes in a WSN will provide maximum resilience to node compromise but will create unnecessary storage burden on already resource constrained nodes (Table 1). Random pre distribution schemes like Chan et al. [11] uniformly pre-distribute a global set of secrets in network so that each node has a secret subset. Two neighbors can achieve a probabilistic key agreement by the intersection of their secret subsets. These schemes use symmetric keys and have to store a large number of keys to maintain a desired level of connectivity. On the other hand, location based pre-distribution schemes like deployment-based key pre-distribution [12] uses node deployment knowledge for pre-distribution of secrets in small cells. Thus they can achieve much higher network connectivity and resilience then pre-distribution schemes. In energy efficient group key management protocol [13] each sensor node of a hierarchical sensor network generates a partial key dynamically. They also used multiparty Diffie–Hellman to propose their group key computation method. Hybrid security mechanism [14] presents a key management system that can work with or without the presence of Key Distribution Center (KDC). All nodes are preloaded with a random set of keys drawn from a common pool before deployment. But when KDC is available, gateway nodes share public/private key combination with KDC. LEAP [15] gives the concept of separate keys for different communication patterns in a hierarchal WSN. The base station shares pair-wise keys with sensor nodes and it can mediate establishment of a pair-wise key between any pair of sensor nodes. Similar approach is used in ESA [16] where sensor nodes are separated into domains which are supervised by base stations. exclusion based system (EBS) proposed in [17] is a dynamic key management system that uses combinatorial formulation of group key management.

Table 1 Literature classification on keying methodology WSN category

Key type

Symmetric/asymmetric

Paper

Distributed WSN

Pair-wise

Symmetric key Asymmetric key Symmetric key Asymmetric key

[11,12,17,20–22] [5,23] [20] –

Symmetric key Asymmetric key Symmetric key Asymmetric key

[14–16,18,19] [14] [15] [13]

Group wise Hierarchal WSN

Pair-wise Group wise

4271

R. Riaz et al. / Computer Communications 31 (2008) 4269–4280

SHELL [18] is an enhancement of EBS that performs location based key assignment. The network model consist of base stations, cluster gateway and cluster nodes where cluster gateways keep track of keys and keys of one cluster are stored by gateways of other clusters. localized combinatorial keying (LOCK) [19] is another application of EBS. And it also enhances SHELL such that the capture of a cluster leader does not reveal any more cluster keys than the capture of a regular sensor node. lightweight key management system [20] proposes a solution where more than one master key is employed to provide higher level of resilience. All these schemes only consider symmetric keys which are distributed and assigned across the network. The keys are generated at some special key generation nodes. Our scheme on the other hand generates symmetric key on the node where it has to be assigned thus obviates the need of key assignment algorithms. Much work has been done in proving the practicality of the public key cryptography for WSN but no key management architecture has been proposed yet. Many Key Management solutions have been proposed with symmetric key schemes, but asymmetric cryptography cannot be implemented using these existing schemes. To our knowledge, no work presents a complete solution for key management framework that provides flexibility to incorporate symmetric, asymmetric or both keying algorithms tailored according to application requirements. 3. Network model We consider a hierarchical WSN consisting of a BS and numerous nodes grouped in clusters. Clusters of sensors can be formed based on various criteria such as location, communication range, resource and energy capabilities, etc. [24]. The nodes are categorized as cluster leader (CL) and cluster node (CN). A CL is a sensor node with comparatively better resources. It serves as an intermediary between base station and cluster node communication. CN perform the tasks of sensing and relaying data only to their respective cluster leader. CN communicate with short range radio communication. CL aggregate cluster nodes information and route it to destination node or base station using any secure routing protocol [25,26]. All the CL’s and CN’s are deployed in an uncontrolled environment. A BS is a computationally robust and resource rich device placed in some controlled environment. For simplicity we assume that the probability of base station compromise is negligible (Table 2). We assume that the nodes have unique IDs, are randomly deployed in the field and are static. A sleep mode based energy conservation scheme is used by nodes to save their batteries. The sleeping time of sensor nodes is upper bounded by a variable Smax.

All sensor nodes are loosely time synchronized with the base station with Tmax as the upper bound on time synchronization error (similar to the mechanism reported in [15]). The WSN is arranged in the cluster-based topology, and cluster leaders cannot go into the sleep state during their period of election as cluster leaders. How these clusters are formed is beyond the scope of this paper, but it is expected that after cluster formation each cluster leader knows the IDs of each node present and available in its cluster and BS knows the IDs of the cluster leaders and hence the CN’s. For our current work we have not considered mobility. A limited mobility model can be handled in our existing scheme, but the solution is not very efficient for on the move networks due to extensive communication overhead. Our techniques assume that key management starts when all the nodes have joined the network and no other communication has yet started. One important consideration in this assumption is to know when all nodes have joined the network. Two approaches can be considered in this regard: 1. Randomly started key distribution after some time of BS initialization. 2. Whenever a new node joins network, a signal travels through the network up to base station. BS keeps a count of these signals. The total number of node count is also kept with the BS. When the number of signals becomes equal to the node count, the BS starts the key management process. With the first technique there lies a possibility that some nodes might not get the keying material. The second key management technique, which has been used in our architecture, overcomes the node missing probability on account of twofold communication. Our schemes are designed to provide key management for sensor network therefore they have to meet several security and performance requirements that are considerably challenging to sensor network. Like energy efficiency, memory optimization, communication optimization, scalability, supporting different communication patterns, in-network processing and connectivity. 4. Proposed framework In this section, we first describe SACK, our basic key management scheme based on symmetric key cryptography. We then describe its two extensions, (a) SACK-P, a key management scheme using the asymmetric cryptography and (b) SACK-H, a hybrid key management scheme that uses both symmetric and asymmetric cryptography for key management. All these schemes use the network model as described in Section 3.

Table 2 List of used notations Notation

Description

Notation

Description

BS CL CN SN SNIDj N C n KNB KM M m H L

Base station Cluster leader Sensor node other then CL Sensor nodes (CL or CN) Sensor node identity of node j No. of nodes in network No. of clusters in network No. of nodes in cluster Key shared between SN and BS Master key stored on each SN Size of master key [1024 bit] Size of KNB [128 bit] No. of hops Data packet length

Kpub[CNj] Kpri[CNj] Kpri[CLi] Kpub[CLi] KCL KCi SCL SCi G F Tmax Smax Tdis Tgen

Public key for jth CN Private key for jth CN Private key for CL of ith cluster Public key for CL of ith cluster CL routing Key Cluster wide Key for ith cluster Seed for CL Key generation Seed for CN of ith cluster Elliptic curve for ECC Base point on G SN maximum time synchronization bound with BS Maximum sleep time for SN Key distribution time per hop Standard key generation time

4272

R. Riaz et al. / Computer Communications 31 (2008) 4269–4280

4.1. SACK: storage and communication optimized keying framework for wireless sensor networks In SACK, each sensor node is programmed according to the application requirements before network deployment. At the same time, one unique Key (KNB) of size m bit and one master key (KM) of size M bits is stored in FLASH ROM of each node. The reason for storing KM in FLASH ROM instead of hard coding in ROM is to exploit this information for later purging the keys in corrupted/compromised nodes (see Section 4.1.2). Base station (BS) stores [SNIDj, KNB] pair for each node and uses it to authenticate and establish a pair-wise symmetric key for each sensor node at the time of node joining in the network. BS also stores routing keys (KCL) and cluster keys (KCi) in a database for specified period of time T = Tmax + Smax. This information is used when a sleep node has to re-join the network on becoming active. Key analysis: Since a single key is inappropriate for securing all communication in a sensor network (see Section 2.2), our framework supports establishment of three different keys. This helps in minimizing the impact of any key’s compromise to only a certain number of nodes. Base Station Node Pairwise Key (KNB) is a unique pair-wise key of each node with the BS. BS can use this key to propagate any interest directly to that sensor node. Routing Key (KCL) is used by CL’s to communicate with BS and other CL’s. If any CL cannot directly reach BS, then it establishes a route through other CL using this key and hence we call it the routing key. Cluster Key (KCi) is used by CN of ith cluster to communicate with their CL and other members of their cluster. Key assignment and distribution: After formation of clusters, the BS sends a key generation seed SCL to CL’s. Each CL then computes KCL using SCL and KM. Once KCL is generated, every CL generates a seed SCi different from SCL and broadcasts it to its respective CN’s. Each Node of cluster i then computes KCi by applying SCion KM. These seeds i.e. SCLand SCi, contain a 64 bit generator polynomial and 6 bit specifying the number of iterations (1–64). Assuming that, at bootstrapping time, no SN is physically compromised, an intruder eavesdropping into this communication cannot know or generate any keys as it doesn’t have information about KM. Hence our scheme generates and distributes keys simultaneously, unlike [16] and [13] which require separate key distribution algorithms for key allocation.

Key generation: For our scheme, we will use key generation algorithm as proposed in [27]. This algorithm is a hybrid of preand post-deployment key generation mechanisms. It uses modulo-2 division as the mechanism to convolute locally hosted key KM and the arriving seed SSE (SCL or SCi) to generate the final key KE (KCL or KCi) (Fig. 1). The key KE is temporal – KCL and KCi are generated and used for specific epochs and are removed from SN after that epoch. The epochs may be defined as every X s from the bootstrap time of the WSN. These keys will also be generated for re-keying after removal of compromised node. The maximum number of iterations possible for the mod 2 division for KM [1024 bit] and SSE[64] is given by KM (SSE*2) 1. This allows us about 895 iterations before our remainder is less than 128 bit. This also shows that with a single generator polynomial, we can generate 64 different keys by varying number of iterations. We have set the maximum limit to 64 iterations due to 6 bit allocation to variable i, otherwise a single polynomial can generate up to 895 distinct keys. 4.1.1. Re-keying model The re-keying procedure helps in enhancing overall system protection by frequently changing the security keys. It is especially needed when a node is compromised and is needed to be excluded from the system, or a cluster session expires and new clusters are formed. Selecting appropriate time interval for re-keying is very crucial for the system as too frequent re-keying can put extra burden on system resources, and long delays can give an intruder sufficient time to compromise the keys. Re-keying after session expiry and new cluster formation is same as explained in key assignment and distribution section. Keys assigned in previous session can now be used to secure seed transmissions in the new session if they have not been compromised. In the situation of a node compromise, BS first performs a node revocation operation, called TASER (To catch A thief, SEt one pRotocol), on the node that was declared as malicious using its KNB. The TASER operation, as explained in Section 4.1.2, removes the keys stored in the RAM of that node thus making it impossible for the node to get new communication keys. This will also make re-keying optional instead of an obligation. For extremely security critical application re-keying could be performed. If the compromised

L eg en d : /:

ℑ: i: K M: S SE: R: r: K E:

M o d u lo 2 d iv is io n o p e ra tio n T ru n c a te s th e in p u t s tre a m to 1 2 8 b its iff r > 1 2 8 6 b its — tra n s m itte d fro m B S a n d C L to C L a n d S N re s p e c tiv e ly . R e fe rs to n u m b e r o f ite ra tio n s (1 ~ 6 4 ) 1 0 2 4 b its — It is th e / o p e ra n d 6 4 b its — A g e n e ra to r p o ly n o m ia l tra n s m itte d fro m B S to C L a n d fro m C L to S N . It is / o p e ra to r R e m a in d e r o f / b e tw e e n o p e ra to r a n d o p e ra n d . N u m b e r o f b its in re m a in d e r 1 2 8 b its — R e s u lta n t k e y g e n e ra te d fo r E th e p o c h

B e g in P ro c fo r C L a n d C N fo r E th a n d E th + 1 E p o c h s re s p e c tiv e ly R = KM W h ile ( i != 0 ) d o R = R / S SE i = i-1 E n d w h ile If r ( R ) > 1 2 8 K E = ℑ (R ) E ls e KE = R E n d P ro c Fig. 1. Key generation algorithm.

4273

R. Riaz et al. / Computer Communications 31 (2008) 4269–4280

node was CN, then re-keying is needed only on cluster level which can be done by just generating new KCi. In case of CL compromise, re-clustering will be required on network level to update routing key KCL and cluster key KCi. 4.1.2. Node revocation In a master key encryption system, all the communication that takes place between sensor nodes is encrypted using the same master key. If this key is revealed to intruders, inter-node communication becomes totally insecure. Interestingly, a very important step that has often been ignored in key management is ‘‘key revocation” which is tightly coupled with other processes of key management. While a sensor network is deployed with all legitimate and healthy nodes, it is probable that a sensor node is entirely compromised, revealing all the keying information to the intruder, including the master key. This is indeed like a ‘‘security catastrophe” because a compromised node means totally insecure network

communication. A damage control mechanism must, therefore, be triggered to let the network become aware of the problem and resolve it. Such a problem cannot be circumvented using temporary mechanisms such as assigning new keys only to the compromised node and/or its communicating neighbors. Instead, bulky solutions are required to let such nodes go out of the network – for good (Fig. 2). TASER is triggered after pre-TASER operations such as detection of the malicious node and its notification to the BS. We present only the TASER operation here considering the pre-TASER operations to be beyond the scope of the paper, existing schemes like [28] can be utilize for pre-TASER part. We assume that only compromised nodes are detected as faulty, i.e. the probability of detecting a healthy node as malicious is extremely low. Also messages sent by BS are always assumed to be legitimate. The BS knows the address space (location) of the keying information in the compromised sensor node. It sends a TASER (step 3) message masked as a normal management operation primitive just before the epoch for the next key update phase (step 4). The compromised sensor node executes the command that is followed by the resetting of the FLASH ROM, purging previously assigned keying information to the sensor node. The RAM is totally reset including all the variables and values set by the intruder. At least another epoch passes (step 5), before the compromised node and its intruder recover from the TASER that struck. It may take up to several epochs before the sensor board coldstarts, initializes variables, and intruder re-deploys the keys (step 6). The sensor node cannot assign itself a new key during the subsequent re-keying processes as it cannot decrypt the new session key (KCE3) using previous key (KCE1) and the master key. Hence, such a node is isolated from the network. 4.2. SACK-P (SACK public) SACK-P is based on public key infrastructure (PKI) and the key setup proceeds as in the following stages: Key analysis: Two keys per node (one private key Kpub[CNj] and one public key Kpri[CNj]) are needed here, as required in PKI. Key generation and assignment: A public/private key pair is generated for each node using ECC prior to network deployment. Base

Fig. 2. TASER operation.

1. Generate Key Pair ( Node

K pub [CN j], K pri [CN j] )

2. Deploy K pri [CN j] in Sensor Node

BS

3. Register [SN IDj , K pub [CN j]] at BS

Pre -Deployment Key Generation and Key Registration 5. Store [SN IDj , K pub [CN j]] on OK

SN

1.

Send [SN IDj , K pub [CN j]]

Cluster Formation

CL

2. Forward [SN IDj , K pub [CN j]] 4. Send OK or Revoke

BS CL

4. Send OK or Revoke

3. Authenticate by matching Sent K pub [CN j] against stored K pub [CN j]

1. Send [SN IDj , K pub [CN j]]

Deployment

SN

7. Broadcast K pub [CN j]

Key Distribution Fig. 3. SACK-P scheme.

CL

6. Broadcast K pub [CN j]]

4274

R. Riaz et al. / Computer Communications 31 (2008) 4269–4280

station maintains [SNIDj, Kpub [CNj]] pair for each node and each node is pre-installed with its respective private key Kpri[CNj], prior to network deployment. Key distribution: At network setup, each SN sends JOIN request message encrypted with Kpri [CNj] and its ID to the nearest CL. The CL forwards the message to BS. BS verifies the node authenticity by decrypting the message with the public key registered against that node ID stored in its database. If authenticated as a legitimate node, an OK message is sent to the CL; otherwise a REVOKE message is directed to the CL. If the cluster leader receives an OK message, it stores the node’s public key Kpub [CNj] for future references, otherwise the message is discarded. After completion of this process, the BS broadcasts its public key to all the CLs. On receiving the BS public key, each CL broadcasts its public key to its CN’s (Fig. 3). 4.3. SACK-H: SACK hybrid The system takes advantage of the difference in the computational capabilities of different nodes. It puts the burden of more complex, computationally expensive algorithms on the devices with more robust resources. It uses the asymmetric cryptography during inter-cluster level communication, while symmetric cryptography is used during intra-cluster communication. Two types of encryption algorithms are deployed on each node: one is public key based encryption algorithm like ECC or RSA and the other is symmetric key based encryption algorithm like Skip Jack, RC5, DES or AES. We propose ECC+AES for better security due to reasons mentioned in Section 2.1. Key analysis: SACK-H uses same keys as mentioned in SACK but now, instead of KCL, we have separate public/private key pairs for each CL denoted as Kpri [CLi] and Kpub [CLi]. Key assignment and distribution: In pre-deployment phase each node is given a unique identity [KNB] and has both algorithms ECC/AES installed over it. In addition, a master key KM and basic keying material for ECC i.e. the Graph G and base point F are preinstalled on each node. The graph is of the form y2 = x3 + ax + b. The key generation process is initiated by the BS, which calculates its public/private key pair and broadcasts its public key, so that each CL receives the public key of the BS. Each CL after generating its public/private key pair sends its public key along with its ID to BS. BS saves this public key and also broadcasts it along with CLs ID so that all the CLs get the public keys of all the other CLs. After the completion of the key generation at CL level, each cluster leader generates a seed and broadcasts it to all the CN. Cluster

CL

nodes use this seed to generate the cluster wide common symmetric key (Fig. 4). 5. Post deployment operations Network post-deployment issues are critical factors in determining the efficiency of any key management protocol for WSN specific environment. Each scheme’s working in correspondence to these issues is explained against the following matrices. Scalability: Each of the three schemes supports node additions after network deployment. In case of SACK and SACK-H, when a new node wants to join the network it sends its SNIDj and a join message encrypted with KNB to its nearest CL’s. CL, unable to decrypt the message, forwards SNIDjand join request message to BS for authentication. BS looks for the node’s ID in its database for [SNIDj, KNB] pair. It then decrypts the message using KNB. If the message decrypts successfully it authenticates that the new node is legitimate node. After node is authenticated, BS informs the CL. CL sends that session’s seed SCi to the new node allowing the node to join cluster by generating KCi. For SACK-P, the new node performs the key generation and registration activities before deployment. At node deployment, each SN sends JOIN request message encrypted with Kpri [CNj] and its ID to the nearest CL which forwards the message to BS. Upon authentication by BS, the new node is added to the cluster and its public key is stored with the CL. Table 3 describes network scalability determined by security overhead in terms of data packet length. For instance, for 44 bytes of data packet to transmit and taking into account 128K program memory of MICA, the framework can be best implemented in a network of up to 3000 sensor nodes. L describes maximum data length in packet, during all phases of key management process. For SACK the maximum data length is in the case of sending SCL and SCi, which is 70 bit 9 bytes. Similarly for SACK-H value of L = 10 bytes and for SACK-P value of L = 16 bytes. Key connectivity: Key connectivity is described as the number of keys required to be stored on each node for specified level of required network connectivity. SACK shares a common symmetric key KCL for BS–CL and CL–CL interactions based on session seeds SCL. It stores a common symmetric key Kci for CL–SN interaction based on session seeds SCi. This provides 100% network wide connectivity. SACK-H provides good key connectivity on frequent interaction basis. In a typical information gathering scenario where the pri-

1.Deploy KM, KNB and SNID on all nodes

BS

CN

Pre-Deployment BS

1.Generate its Kpub[BS] and Kpri[BS]

Post-Deployment

2.Broadcast [Kpub[BS], SNID] to all CLs

CL

3.Send [Kpub[CLi], SNID] to BS BS

4.Broadcast [Kpub[CL], SNID] to all CLs 5.Calculate and Broadcast SCi to all CNs

CN 5.Calculate KCi through KM and Sci Fig. 4. SACK-H scheme.

CL

4275

R. Riaz et al. / Computer Communications 31 (2008) 4269–4280 Table 3 Comparison of three schemes for scalability and network resilience Scheme

Network scalability

Keys required for network compromise

Secure node revocation

Keys revealed on compromise of CN and CL

SACK SACK-P

L = 9 bytes, 14,250 nodes L = 16 bytes, 8000 nodes

1 N

TASER TASER

SACK-H

L = 10 bytes, 12,800 nodes

C keys: 1 from each cluster

CN = KCi and KM, CL = KCL, KCi and KM CN = Kpri[CNj] and Kpub[CLj], CL = Kpri[CLj], Kubi[BS] and Kpub[CNj] CN = KCi and KM, CL = KCL + Kpri[CLj] + Kpub[CL] [public keys of all CL]

1

mary purpose of the nodes is to gather data and forward it to BS, nodes in one cluster communicate with each other more frequently. Such communication is ensured by a common cluster wide symmetric key. Similarly, each CL possesses the public keys for all the other CLs, hence complete network-wide key connectivity is ensured. In SACK-P, all the communication between the nodes is via public keys. CL’s have public keys of other cluster leaders and CN’s have public keys of CN and CL of their cluster. However, the scheme is extensible in the sense that communication patterns can also be considered even when nodes don’t have direct access to each other’s public keys using the help of intermediary parties like in [29]. Revocation: Each of the three schemes considers the TASER operation for the compromised node removal as described in the node revocation section. For SACK-P, although the node compromise does not reveal any important keying information but TASER can be used for removal of other SN’s public keys from compromised node. This will prevent compromised node from generating any kind of attacks on SN’s whose public keys it possesses. For conventional networks, trusted certificate authorities (CAs) issue certificate revocation list (CRL), containing information about revoked certificates at regular intervals. The CRLs are either placed in online repositories i.e. (OCSP) [30], where they are readily available, or they may be broadcast to the individual nodes. SACK-P employs hierarchical mode of communication, which makes application of CR scheme simple. BS has already been assigned the role of trusted certificate authority (CA) in SACK-P and can be further designated to maintain the CRLs. The CRLs are updated whenever a node (CL/CN) is revoked after being declared as malicious. The CRLs are broadcasted from the BS to the CLs at regular intervals. Each CL filters the CRL according to its CNs. According to SACK-P communication architecture, when a CL wants to communicate with another CL, the process takes place via BS and when a CN wants to communicate with another CN, the communication takes place via relevant CLs. For the CL–CL communication, CRL is checked at the BS to determine the status of the receiver. If found revoked, the communication request is returned to the sender with an indication that the intended CL has been revoked. In a similar manner, for the CN–CN interaction, necessary checks are performed at each CL on the CRL to check the validity of a node uncompromised status. Resilience: Network resilience is defined as its resistance against node captures [31]. Resilience has a direct relation with network security i.e. higher resilience of a network means more security. SACK relies on immediate discovery of compromised node to preserve resilience. Failing to adhere to that, one SN compromise reveals its current cluster or routing key and master key KM which, in turn, makes the whole network vulnerable. Thus it requires strong methods which could detect node compromise on earliest possible and start TASER process for damage control. SACK-H utilizes a common symmetric key for cluster wide communications. For one CN compromise, only the CNs and CL of that particular cluster are vulnerable. Asymmetric key communications in CLs imply that a CL compromise does not affect other CLs.

TASER

Any node compromise in SACK-P does not reveal any keying information except its own private key and a few public keys. The most harm that this compromised node can do is the decryption of messages destined for it. Table 3 gives a comparison of scalability and resilience for the three schemes along with describing the revocation method. Mobility: Although our current work assumes all nodes to be static but all schemes inherently support small scale mobility for CN. When a mobile node move from its CL’s transmission range, it sends its SNIDj and a movement message mentioning previous CL’s ID encrypted with KNB to its nearest CL’s. CL, unable to decrypt the message, forwards SNIDjand message to BS for authentication. BS looks for the node’s ID in its database for [SNIDj, KNB] pair. It then decrypts the message using KNB. If the message decrypts successfully and CL’s ID matches with BS database information, it authenticates that the mobile node is legitimate node. After node is authenticated, BS informs the CL. CL sends that session’s seed SCi to the newly moved node allowing it to join cluster by generating KCi. This solution is feasible only for small scale mobility in network; in case of networks with large scale mobility this will cause a significantly increase in communication overhead. Also mobility support for CL will be our main focus while designing an efficient mobility algorithm as part of our future work. 6. Performance evaluations The evaluations are based on the simulations carried out in TOSSIM environment for the individual NesC implementations of SACK, SACK-H and SACK-P. The simulations were compiled for Mica2 environment. This device offers an 8-bit, 7.3828-MHz ATmega 128L processor, 4 kilobyte (kB) of primary memory (SRAM), and 128 kB of program space (ROM) with 433, 868/916, or 310 MHz multi-channel radio transceiver, 38.4 kpbs radio and 500-1000 feet outdoor range (depending on version) [32]. For time analysis, timers have been used in application code to get the measurements for the various key management phases. Time is kept at a 4 MHz granularity. We used PowerTOSSIM plugin in TinyViz for energy analysis (Table 4). Table 5 gives experimental values for memory, energy and time analysis of all three schemes and compares them with [5], as it is the only other key generation and distribution solution based on ECC.

Table 4 Simulation parameters Parameter

Value

Fidelity Time Hardware platform Network size Radio model Packet size Transmission range of CN

Bit level simulation 4 MHz granularity 40 kb RFM mica networking stack 1000 nodes [default for TOSSIM] Lossy Varying with max payload 32 bytes 500 feet

4276

R. Riaz et al. / Computer Communications 31 (2008) 4269–4280

Table 5 Memory, time and energy analysis comparison

Time (s)

Key generation Key distribution

Memory utilization (bytes)

BS–CL CL–SN CN–BS

ROM RAM Transmission Computation Total

Energy consumption (lJ)

6.1. Memory analysis MICA2 mote has a 4 kB of primary memory (RAM). The maximum limit for RAM utilization for MICA2 is specified to be 3.9K. MICA2 mote has a 128 kB of program space (ROM). SACK is based on symmetric key cryptography hence occupies the smallest portion of RAM and ROM in the three schemes (Table 5). SACK-P utilizes public key cryptography for all the communications and hence utilizes maximum RAM and ROM space compared to other two schemes. SACK-H uses public key cryptography for BS–CL interaction whereas symmetric key cryptography is used for CL– SN communication hence it memory usage falls between other two schemes. This memory analysis is done excluding BS as our BS has no energy/memory constraints and is maintaining public keys for all the nodes involved in the network. The reason that SACK-P takes more memory than [5] being that SACK-P also provides key update and node revocation mechanism in addition to just key generation and distribution provided by [5]. EBS based schemes [15–17] store a key pool (P) of size k + m where k keys are stored per node along with c communication keys. E.g. in [17] key generation nodes store k + m + 1 keys and other nodes store k + 1 keys. LEAP [13] stores 3d + 2 + L keys per node where d = number of neighbors and L = number of keys in key chain. Thus we can easily claim from Table 6, that SACK and SACK-H have very less storage requirement for nodes other then BS, which in our case have limitless resources. Although SACK-P consumes little larger memory space but it provides maximum resilience and security. 6.2. Communication overhead For a network of N nodes’ having C clusters with n members each, values for message exchange for key setup and rekeying Table 6 Number of keys stored per node

SACK SACK-H SACK-P

BS

CL

CN

N+1 C+N+2 N+1

4 C+6 n+2

3 3 2

SACK

SACK-P

SACK-H

ECC [5]

0.016 0.025 0.025 – 12,840 1300 255.82 102.81 376.52

12.003 0.2 0.025 – 41,480 2450 394.84 131 501.06

12.003 0.25 0.25 0.29 34,000 2000 317 129 449

34.173

34,342 1140 – – 816

are given in Table 7. Table 7 also shows maximum message exchange which is in case of communication between CN of one cluster with CN of other cluster in all three schemes. Table also gives communication overhead for re-keying procedure. Other dynamic key management systems like LEACH [13] uses (d 1)2/(N 1) messages for re-keying [d is number of neighbors]. EBS based schemes [15–17] use minimum m (number of keys not known to compromised node) messages only for transmission of new keys. Number of messages required for generation and assignment of these keys are additional to these m messages. Based on these results we can say that our schemes provide optimum solution for storage and communication for key management. 6.3. Time analysis The key generation time for SACK remains constant at 16 ms for 60 iterations. This involves the time of computing a 128-bit key using a master key of 1024 bit and a seed SSE of 64 bit (Fig. 6). SACK-H and SACK-P essentially require the same average key generation time of 12 s. As shown by single line for SACK-H and SACKP key generation time in Fig. 5. The reason for this similarity being that symmetric key generation part in SACK-H requires a negligible amount of time i.e., 16 ms. Thus, giving same timing characteristics for key generation in SACK-H and SACK-P. For SACK, the maximum time for the entire key distribution process, is constant around 50 ms. Seed distribution from BS to CL takes a constant time of approx. 25 ms and seed distribution from CLs to SNs is averaging around 25 ms as well, entailing that each hop addition implies an addition of 25 ms factor. Abrupt increase in key distribution time in Fig. 6 is due to addition of a new hop. For SACK-H, the time for cluster-wise key distribution remains constant at 25 ms whereas time for each new CL addition requires about 200 ms. this makes the graph follow a linear trend i.e. with the increase in number of clusters the time for key distribution increases linearly. For SACK-P, BS and each CL broadcast essentially takes the same average time of approx. 250 ms whereas each SN key distribution requires an average time of approx 290 ms. Thus the graph follows an linear trend with node addition, i.e. with the increase in the number of nodes, the time spent in key distribution increases linearly as shown in Fig. 5.

Table 7 Message communication for key management phases Scheme

Key setup

Max communication [CNi to CNj communication]

Re-keying

SACK

C + 1 broadcast messages

3 encryptions and 3 decryptions

SACK-H

2C + 1 broadcast messages, C unicast messages

3 encryptions and 3 decryptions

C + 1 broadcast messages, 2N + Cn unicast messages

First time = 3 encryptions and 3 decryptions, next time = 1 encryption and 1 decryption

3 messages [for CL removal] 4 messages [for CL removal] Not required

4277

R. Riaz et al. / Computer Communications 31 (2008) 4269–4280

20

SACK-H:Key Generation

18 16

SACK-P:Key Generation

Time (s)

14

SACK-H:Key Distribution

12 10

SACK-P:Key Distribution

8 6

SACK-H:Key Management

4

SACK-P:Key Management

2 0 2

3

4

5

6

7

8

9 10 11 No of Nodes

12

13

14

15

16

Fig. 5. Key generation, distribution and management time for SACK-H and SACK-P.

distance of CL from the BS. In real life scenario this variation could be much noticeable depending on the size of WSN.

70 60

6.4. Analytical evaluation

Time (ms)

50 40

SACK: Key Generation SACK: Key Distribution

30

SACK: Key Management

20 10 0 2

3

4

5

6

7

8

9

10 11 12 13 14 15 16

No of Nodes Fig. 6. Key generation, distribution and management time for SACK.

Fig. 6 shows a steady time for key distribution from CL to CN. Reason is each cluster node select its nearest possible cluster leader so there is not much variation is their distance. The little variation in time for key distribution from BS to CL is due to the

SACK timing characteristics are directly dependent upon the number of hops. This is because seed distribution is done through broadcasting. Key generation on seed reception takes place approx. at the same time on each node in a particular hop. Thus key management time for SACK can be formulated as H(Tdis + Tgen). For H = 2, Tgen = 16 ms, Tdis = 25 ms, key management time is estimated to be 82 ms. Our experimental outputs gives total key management time as 64.08 ms for two hops. Reason for this difference is that we broadcasted the seed parallel to key generation process in actual implementation. SACK-H timing characteristics depend upon characteristics of cluster-wise timing and hop-wise timing. Symmetric keys are utilized in cluster wide communication and public keys are utilized for network-wise communication. Time for cluster-wise key management is formulated by Tdis(2C + 1) and time for hop-wise key management is formulated by Tdis(H 1) + Tgen (H 1). Experimental results show that for same number of clusters the difference in total time for key distribution is very less. The cost of adding a new CL is about 200 ms and cost of adding a whole cluster

600 SACK: Tx, Rx Energy SACK-H: Tx, Rx Energy

500

Energy (uJ)

SACK-P:TX, RX Energy SACK: Processing Energy

400

SACK-H:Processing Energy SACK-P:Processing Energy

300

SACK:Total Energy SACK-H:Total Energy

200

SACK-P:Total Energy

100

0 2

3

4

5

6

7

8

No. of Nodes Fig. 7. Energy consumption comparison.

4278

R. Riaz et al. / Computer Communications 31 (2008) 4269–4280

700 BS: SACK

650

BS: SACK-H

600

BS: SACK-P

Energy (uJ)

CL: SACK

550

CL: SACK-H

500

CL: SACK-P CN: SACK

450

CN: SACK-H

400

CN: SACK-P

350 300 250 2

3

4 5 6 Number of Nodes

7

8

Fig. 8. Energy consumption on BS, CL and CN.

is about 200 ± 25 ms where 25 ms is the total time for symmetric key management at cluster level. SACK-P is directly dependent on the number of nodes in the network. This is because the whole scheme is based upon the use of public keys, and it requires that each node individually registers its public key at the BS. The key management time in SACK-P originates from the formula Tdis(N + C) + Tgen (N). This implies that the key management time increases linearly with the increase in the number of nodes and clusters, respectively. Our implementation results show that SACK-P key generation requires a constant time whereas key distribution, dependent upon the number of nodes, increases linearly with the increase in the number of nodes. Hence key management trend also follows from the key distribution. 6.5. Energy analysis 6.5.1. Experimental evaluation For SACK and SACK-H, the energy consumption tends to balance out with the changing number of nodes i.e. there is slight increase in energy consumption with the increase in number of nodes. A linear trend of slight increase is prevalent in the energy characteristics of SACK and SACK-H. For SACK-P, the energy consumption increases rapidly with the increase in number of nodes. This is because more nodes are involved in the activities of key generation, key registration and key distribution. Thus, there is an exponential increase in the energy characteristics of SACK-P which becomes clear as the network size increases Fig. 7. In case of SACK and SACK-P, there are no specific energy characteristics corresponding to node role but for SACK-H, the measurements differ in context to node role. For SACK-H the initial hypothesis has been that BS performs the most energy consuming operations of key management Fig. 8. The role based energy breakdown for SACK-H reveals the same showing that BS exhibits maximum energy characteristics, CLs depict moderate energy characteristics whereas the energy characteristics for CNs coincide with those specified for SACK. 6.5.2. Analytical evaluation Table 8 gives analytical equations for energy consumption for the proposed schemes.

Table 8 Energy consumption equation for various levels of nodes

SACK SACK-H SACK-P

CN

CL

BS

PR + PC PR + PC PR + PT + PC

PR + PT + 3PC PR(C + 1) + 2PT + 3PC PR(n + 1) + PT(n + 1) + PC

PT + 2PC PR(C) + PT(C + 1) + PC PR(N 1) + PT + PC(N

1)

Table 9 Analytical Values for energy consumption

SACK SACK-H SACK-P

CN

CL

BS

Average

143 286 1404.8

439 3738 16,400

296 9372 46707.2

292.67 4465.33 21,504

Where PR is reception energy, PT is transmission energy and PC is computation energy. The energy consumed in sending 1 byte is estimated to be 59.2 lJ whereas the energy consumed in receiving is specified to be 28.6 lJ. Also energy cost of computation is small compared to data transmission. These values are based on actual mote implementation [3] (Table 9). Since we simulated energy for small number of nodes, so here we will calculate energy consumption for a network of 100 nodes with 10 clusters and each cluster having 10 nodes using above mentioned values, table specifies analytical evaluation of the energy characteristics of the three schemes. These values indicate that even for larger network energy consumption at CN does not increase significantly, except in SACK-P. For SACK all analytical values remain almost same as noticed in experimental results. Nodes using asymmetric key in SACK-H and SACK-P shows exponential increase in energy consumption with the increase in network size. 6.6. Discussion Table 10. presents the complete picture of all three schemes. According to the observations, SACK-P utilizes maximum resources but it also provides end to end security and maximum resilience to node compromise, making it the most secure solution. Evaluating the schemes from the resource utilization perspective, the schemes can be arranged from the most favorable to the least favorable as SACK, SACK-H, and SACK-P. Time characteristics Table 10 Analytical values for energy consumption

Memory cost Energy/power consumption Key management time Communication overhead Resilience to node compromise End-to-end security Scalability Network connectivity Node revocation

SACK

SACK-P

SACK-H

Low Low

High High

Medium Medium

Low Low

Medium Medium

Low

High High [bootstrap time], low otherwise High

No High Good Compulsory

Yes Low Good Optional

No Medium Good Compulsory

Medium

R. Riaz et al. / Computer Communications 31 (2008) 4269–4280

for SACK significantly differ from those of SACK-H and SACK-P, occupying only a minimal time span for key generation and key distribution. Both SACK and SACK-H show similar energy characteristics that follow a linear trend of increase with the increase in the number of nodes. SACK-P shows efficient energy consumption for lesser number of nodes but the rapid exponential increase trend shows that it would not support greater number of nodes. When evaluating the schemes from the security perspective, the schemes can be arranged from the least favorable to the most favorable as SACK, SACK-H, and SACK-P. SACK relies on symmetric key cryptography and hence one node compromise may make the whole network vulnerable. SACK-H relies both on symmetric key and public key cryptography and hence depicts better security behavior than SACK. SACK-P relying on public key cryptography shows the strongest security characteristics. Also only SACK-P provides end-to-end security. For example in case of CNi to CNj communication, first time message exchange for getting each other public keys will take about four cycles of encryption/decryption. But from next time messages will not need any encryption/decryption on intermediate nodes. In SACK and SACK-H every communication between CNi to CNj will require extra encryption/decryption at CL level. [33] [here i and j represent cluster number]. Another advantage of SACK-P is that it makes node revocation optional instead of compulsory. The reason is that node compromise doesn’t reveal keying information of uncompromised nodes. 7. Conclusion Wireless sensor networks provide practical revelation of the idea of pervasive computing. In this paper we have presented a thorough investigation into various aspects of the key management schemes for WSN, especially focusing on their keying methodology. Our investigation gives an insight into the key management overhead and security strength of three possible keying implementations, i.e. symmetric, asymmetric and hybrid key cryptography. The results clearly show that there exist an inverse relationship between the resource availability and the achievable level of security. For example, SACK-P provides maximum security and maximum resilience to node compromise but it is heavy on system resources. Its energy consumption increases proportionally with increasing network size. On the other hand, SACK is extremely light on resources but its security could be compromised even with a single node’s physical capture. In short, our paper provides a complete picture of cryptographic key management schemes, and these results can help network security experts in mapping an ontological relationship between the desired security level, network and device resources and the achievable security level. 8. Future directions Our future work includes adding an efficient solution for mobility support in the proposed framework and designing an efficient algorithm for malicious nodes detection to minimize node compromise effect on network. Also we plan to add the deployment knowledge advantage to our proposed schemes to make them more secure. Schemes will also be verified for node revocation against different attack scenarios. Node revocation mechanism will be improved against different observations. Acknowledgement This work was funded in part by the IT R&D program of MKE/ IITA (Development of IP-based Sensor Network (IP-USN) and was supported in part by the Korea Research Foundation Grant (MOEHRD, Basic Research Promotion Fund).

4279

References [1] D.W. Carman, P.S. Kruus, B.J. Matt, Constraints and Approaches for Distributed Sensor Network Security, NAI Labs, Tech. Report 00-010, 2000. [2] N. Gura, et al., Comparing elliptic curve cryptography and RSA on 8-bit CPUs, CHES ’04, in: Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems, August 2004. [3] A.S. Wander, et al., Energy analysis of public-key cryptography for wireless sensor networks, PerCom ’05, in: Proceedings of the Third IEEE International Conference on Pervasive Computing and Communication, March 2005. [4] K. Piotrowski, P. Langendoerfer, S. Peter, How public key cryptography influences wireless sensor node lifetime, SANS’ 06 Virginia, USA, October 2006. [5] D.J. Malan, M. Welsh, M.D. Smith, A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography, Proceedings of the First IEEE International Conference on Sensor and Ad Hoc Communications and Networks, Santa Clara, CA, October 2004. [6] R. Watro et al., TinyPK securing sensor networks with public key technology, SASN ’04, in: Proceedings of the Second ACM Workshop on Security of Ad Hoc and Sensor Networks, ACM Press, New York, 2004, pp. 59–64. [7] A. Liu, P. Ning, TinyECC: Elliptic Curve Cryptography for sensor networks (version 0.1), September 2005, available at http://discovery.csc.ncsu.edu/ software/TinyECC/. [8] A. Shamir, How to share a secret, Communications of the ACM 22 (11) (1979) 612–613. [9] L. Zhou, Z.J. Haas, Securing ad hoc networks, IEEE Network 13 (6) (1999) 24– 30. [10] J.-P. Hubaux, L. Buttyan, S. Capkun, The quest for security in mobile ad hoc networks, in: Proceedings of ACM Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc 2001), October 2001, pp. 146–155. [11] H. Chan, A. Perrig, D. Song. Random key predistribution schemes for sensor networks, IEEE Symposium on Security and Privacy (2003) 197–213. [12] W. Du, J. Deng, Y.S. Han, S. Chen, P.K. Varshney, A key management scheme for wireless sensor networks using deployment knowledge, IEEE INFOCOM 2004 (2004) 586–597. [13] B. Panja, S. Madria, B. Bhargava, Energy efficient group key management protocol for hierarchical sensor networks, International Journal of Distributed Sensor Networks 3 (2) (2007) 201–223. [14] P. Traynor, R. Kumar, H. Choi, G. Cao, S. Zhu, T.L. Porta, Efficient hybrid security mechanisms for heterogeneous sensor networks, IEEE Transaction on Mobile computing 6 (6) (2007). [15] S. Zhu, S. Setia, S. Jajodia, LEAP: efficient security mechanisms for large-scale distributed sensor networks CCS ’03, in: Proceedings of the 10th ACM Conference on Computer and Communication Security, ACM Press, New York, 2003, pp. 62–72. [16] Y. Law, R. Corin, S. Etalle, P. Hartel, A formally verified decentralized key management for wireless sensor networks, Personal Wireless Communications (2003). [17] M. Eltoweissy, H. Heydari, L. Morales, H. Sadborough, Combinatorial optimization of key management in group communications, Journal of Network and System Management (2004) 332b. [18] M. Younis, K. Ghumman, M. Eltoweissy, Location aware combinatorial key management scheme for clustered sensor networks, IEEE Transactions on Parallel and Distributed Systems (2006). [19] M. Eltoweissy, M. Moharrum, R. Mukkamala, Dynamic key management in sensor networks, IEEE Communications Magazine 44 (4) (2006) 122–130. [20] B. Dutertre, S. Cheung, J. Levy, Lightweight key management in wireless sensor networks by leveraging initial trust, Tech. Rep. SRI-SDL-04-02, System Design Laboratory April 2004. [21] Y. Zhou, Y. Fang, A two-layer key establishment scheme for wireless sensor networks, IEEE Transactions on Mobile Computing 6 (9) (2007) 1009–1020. [22] S.A. Camtepe, B. Yener, Combinatorial design of key distribution mechanism for wireless sensor networks, IEEE/ACM Transactions on Networking 15 (2) (2007). [23] J. Lee, D.R. Stinson, Deterministic key predistribution schemes for distributed sensor networks, Selected Areas in Cryptography 3357 (2004) 294–307. [24] O. Younis, S. Fahmy, HEED: a hybrid, energy-efficient, distributed clustering approach for ad hoc sensor networks, IEEE Transactions on Mobile Computing 3 (4) (2004) 366–379. [25] B. Przydatek, D. Song, A. Perrig, SIA: secure information aggregation in sensor networks Sensys ’03, in: Proceedings of the First International Conference on Embedded Networked Sensor Systems, ACM Press, New York, 2003, pp. 255– 265. [26] C. Karlof, D. Wagner, Secure routing in wireless sensor networks: attacks and countermeasures, Proceedings of the First IEEE International Workshop on Sensor Network Protocols and Applications, May 2003, pp. 113–127. [27] R. Riaz, A.H. Akbar, M. Hasan, K. Kim, K. Lhee, A. Naureen, A. Akram, H.F. Ahmed, Key management scheme for sensor networks with proactive key revocation and sleep state consideration” 2007 IFIP, International Conference on Network and Parallel Computing Workshops (NPC 2007), Dalian, China, September 18–21, 2007, pp. 368–373.

4280

R. Riaz et al. / Computer Communications 31 (2008) 4269–4280

[28] H. Chan, V.D. Gligor, A. Perrig, G. Muralidhran, On the distribution and revocation of cryptographic keys in sensor networks, IEEE Transactions on Dependable and Secure Computing 2 (3) (2005). [29] M. Chorzempa, J.M. Park, M. Eltoweissy, T. Hou, Key management for wireless sensor networks in hostile environments, in: Y. Xiao (Ed.), Security in Sensor Networks, CRC Press, 2006. [30] M. Myers, R. Ankney, A. Malpani, S. Galperin, C. Adams, X. 509 Internet public key infrastructure online certificate status protocol – ocsp, Internet Request for Comments (RFC) 2560 (1999).

[31] Y. Wang, G. Attebury, B. Ramamurthy, Survey of security issues in wireless sensor networks, IEEE Communication Surveys and Tutorials 8 (2) (2006). [32] I. Crossbow, Technology, MICA2: wireless measurement system, http://www.xbow.com/Products/Productpdffiles/Wirelesspdf/6020-00420%4AMICA2.pdf. [33] A. Naureen, A. Akram, R. Riaz, K.H. Kim, H.F. Ahmed, An end-to-end security architecture for sensor networks, ICIS 2007, Canada, December 9– 12, 2007.