Exploiting unidirectional links for key establishment protocols in heterogeneous sensor networks


Computer Communications 31 (2008) 2959–2971

Contents lists available at ScienceDirect

Computer Communications journal homepage: www.elsevier.com/locate/comcom

Yuanyuan Zhang *, Dawu Gu, Juanru Li
Department of Computer Science and Engineering, Shanghai Jiao Tong University, No. 800 Donchuan Road, Shanghai, China

Article info

Article history: Available online 10 March 2008

Keywords: Key establishment; Key pre-distribution; ID-based cryptography; Pairing; Unidirectional links; Heterogeneous sensor networks

Abstract

Wireless sensor networks are designed for outdoor environment surveillance and require good coverage, stable operation and a long lifetime, so they urgently need efficient security services. Most security schemes, including the key establishment protocols in WSNs, work efficiently only when bidirectional links exist. However, unidirectional links emerge frequently. In traditional key establishment schemes, designers delete all unidirectional links from the network, so the sensors covered only by unidirectional links are excluded from the collaborating network even if they are stable and energetic. These schemes shorten the lifetime and shrink the connectivity of the whole network. To improve network connectivity and increase the number of usable sensors, we design a key establishment protocol for heterogeneous sensor networks that exploits unidirectional links. We propose inter-cluster and intra-cluster key establishment schemes for clusters and their members, respectively. The intra-cluster scheme adopts a key pre-distribution mechanism in which cluster members and cluster heads hold different numbers of keys; the results show that this greatly increases the resiliency against node compromise. The inter-cluster scheme adopts an ID-based cryptographic algorithm using pairing and obtains identity authentication and perfect resilience against node compromise. Finally, the simulation reveals that our scheme greatly increases the proportion of available sensor nodes and the network connectivity, which efficiently prolongs the network lifetime.

© 2008 Elsevier B.V. All rights reserved.

This work was supported by the 863 Hi-tech Research and Development Program of China (2006AA01Z446).
* Corresponding author. Tel.: +86 021 54745402. E-mail addresses: [email protected], [email protected] (Y. Zhang).

0140-3664/$ - see front matter © 2008 Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2008.03.003

1. Introduction

Wireless Sensor Networks (WSNs) are increasingly useful in a variety of rigorous applications, such as battlefield surveillance and national defense operations. Since sensor networks are usually exposed to hostile environments, they may suffer the loss of individual nodes and are threatened by intrusion and compromise. Therefore, security services providing confidentiality, data integrity and authenticity are required. Key establishment protocols are used to set up the shared secrets for these security services. Because of the limited computation ability, battery capacity and available memory of sensor devices, key establishment protocols focus on lightweight cryptographic algorithms and fewer message flows. Eschenauer and Gligor proposed a probabilistic key pre-distribution scheme in [4]. It gains good scalability and network resiliency against compromise. The improved schemes [1–3] are proposed aiming at some specific applications. Chan et al. [1] proposed the q-composite random key pre-distribution scheme, which greatly strengthens security. Based on [4] and Blom's matrix key distribution scheme [17], [2] proposed a novel key establishment protocol for low-cost SmartDusts [18]. The schemes above suffer from security threats and communication overhead. First, nodes must set up secure links with some neighboring nodes, which is realized by flooding key exchange messages and thus unavoidably causes a great amount of communication overhead in the network. Second, they verify the legitimacy of a neighbor but cannot authenticate node identity; the lack of identity authentication may enable several attacks, including ID replication. Third, they depend on bidirectional links to exchange the neighbors' key rings. Once a link degenerates into a unidirectional link, the neighboring node cannot build a legitimate secure link. Even if the routing protocol in the network layer supports unidirectional links, the key establishment protocol will counteract the advantages the routing protocol brings. In a large-scale sensor network, controlling message flooding is an essential problem. An efficient method to control communication overhead is to constrain message flooding within a small group [13–15]. These schemes divide the network into several small clusters


and each of them elects a highly capable node as cluster head. Literature [14] demonstrated a probabilistic unbalanced key pre-distribution, i.e., deploying far more keys in more capable nodes and fewer keys in less capable nodes. The more capable node acts as the administrator of a cluster composed of less capable nodes. Similarly, this scheme did not provide any identity authentication and did not consider unidirectional links either. Another scheme [15], inherited from [4], is quite similar to the unbalanced key pre-distribution in [14], but its clustering scheme causes a great number of unidirectional links which are not taken into account. To endow the security scheme with node authenticity, [13] proposed and evaluated a security scheme based on a distributed certification facility: each cluster head holds a share of a network key for certification. However, the intra-cluster security scheme in [13] is quite weak. It uses a cluster-wide symmetric key that is known to all the cluster's nodes, which is the bottleneck of this security scheme. Literature [16] proposed a location-based pairwise key establishment based on Elliptic Curve Cryptography using pairings. It offers neighbor node authentication and good resilience against node compromise. According to [1–3,14,15], healthy nodes which are covered only by unidirectional links will probably be deleted, which is not acceptable in rigorous applications. The improved schemes available in [1–3,14,15] also suffer these flaws. Hence, we must design a new approach for scenarios requiring high security and connectivity.

The existence of unidirectional links is an essential issue which we consider in our work. In wireless sensor networks, different nodes are likely to have different power capabilities and transmit at different power levels, and transceivers may vary their transmission range depending on the remaining power. Also, the network faces a lack of infrastructure and a dynamic topology. These factors lead to possible unidirectional links, where the transmission of a high-power node is received by a lower-power node but not vice versa. Utilizing unidirectional links in wireless networks has two obvious advantages over using only bidirectional links. First, they can improve network connectivity. For example, removal of the unidirectional link C → B in Fig. 1 partitions the network. Second, they can provide shorter paths. For example, removal of link A → C prolongs the path from node A to C. The effects of these links pose a challenge for routing and key establishment protocols. Early research on unidirectional links in wireless networks focused on routing protocols in MANETs [10–12]. But the existing schemes cause a lot of message flooding, and evaluation shows they are not outstandingly superior to traditional protocols. Obviously, they are not suitable for large-scale sensor networks. Traditional security schemes [3,4] that are typically designed for bidirectional links either fail or work awkwardly in the presence of such asymmetry. To the best of our knowledge, there is no prior contribution proposed for networks exploiting unidirectional links.

Fig. 1. A locality with unidirectional links (left) and its topology (right). (Figure: nodes A, B, C and D; image not reproduced.)

In this paper, we attempt to design an efficient key establishment scheme for large-scale heterogeneous sensor networks which are composed of two types of nodes. One is the average sensor mote, denoted as L-node; the other is the more capable managing node, denoted as H-node. The whole network is partitioned into non-overlapping clusters whose cluster heads are H-nodes and whose members are L-nodes. The contributions of our work are listed below. First, we propose a tripartite key negotiation for intra-cluster nodes, called IntraSec, which is based on the random key pre-distribution scheme. Belonging to only one cluster, each sensor node maintains a key ring chosen from a subset of a large key pool. Besides the basic mechanism inherited from [4], IntraSec helps nodes covered by unidirectional links find a small local loop containing several nodes. Then, IntraSec helps build the trust relationship among these nodes. These trust relationships are the building blocks for multihop key establishment schemes. Second, we develop a tripartite key establishment protocol for cluster heads, InterSec-I and InterSec-II, using ID-based public key cryptography and a pairing scheme. In InterSec, cluster heads covered by unidirectional links launch loop searching in their locality, then authentication, and then negotiation of a tripartite key. Third, we introduce a novel neighboring cluster authentication. It helps alleviate the influence of node replication on the victim's vicinity, which is a convenient place to launch such attacks. Finally, we present the protocol to establish pairwise keys between two nodes covered by unidirectional links. The established keys are fundamental to forthcoming security applications for WSNs. Our scheme provides efficient usage of sensor nodes and obviously increases the network connectivity.

The rest of this paper is organized as follows: Related work is presented in Section 2. In Section 3 we introduce preliminaries, including connectivity and the cryptographic basis. Then, we describe the clustered network model and pre-deployment security issues in Section 4. In Sections 5 and 6 we detail the key establishment protocols, including intra-cluster and inter-cluster key establishment exploiting unidirectional links. We discuss some issues concerning the key establishment protocols in Section 7. Sections 8 and 9 analyze the security against several notorious attacks and then evaluate the performance of our scheme. We end our paper in Section 10 with a conclusion.

2. Related work

2.1. Random pre-distribution key establishment schemes

L. Eschenauer and V.D. Gligor proposed a novel key establishment protocol [4] in 2002. The basic idea is based on random graph theory. It assumes an off-line key-ring pre-distribution phase, in which each node chooses from a large key pool Q of m keys; every key in the key pool has a unique ID. After this phase, a key-setup phase is performed. Nodes first perform key discovery to find out which neighbors they share a key with. The procedure proceeds as follows. One node exchanges its key ID set with a neighbor's, and both of them compute the intersection of the two key ID sets. A secret key for this secure link is derived from these keys. After this phase, a connected graph of secure links is formed. Therefore, a node can set up a pairwise key through a path with any other node in the network even if they do not directly share any keys. To ensure the secure graph is connected, choosing a proper Q and m is quite tricky. H. Chan and A. Perrig improved this method in [1]. They proposed a modification where q common keys (q > 1) are needed, instead of just one. Their protocol gains more resilience of the network against node capture. After the key-setup phase, there exist more than one path between two nodes. Let j be the number of disjoint paths. The new link key can be computed by both nodes a and b as $k' = v_1 \oplus v_2 \oplus \cdots \oplus v_j$, where $v_1, \ldots, v_j$ are random values. These protocols are more resilient against node capture than before. Once a node is captured, only a few keys will be exposed, and the chance of calculating the key for an arbitrary link is very small. We should notice that secure keys are all based on bidirectional links. If node B and node C in Fig. 1 do not share a bidirectional link, they cannot exchange their key ID sets to calculate a shared secret. In most scenarios, the network graph is strongly connected, so nodes B and C are able to find another path between them. Once the network becomes sparse, the impact of unidirectional links becomes enormous, and it is difficult to build secure secrets between these nodes.

2.2. Probabilistic key establishment for hierarchical sensor networks

Recently deployed sensor network systems increasingly follow heterogeneous designs. Literature [15] presented an effective key management scheme that takes advantage of the powerful nodes in heterogeneous sensor networks. It considers an HSN consisting of two types of sensors: a small number of more powerful H-sensors and a large number of L-sensors. H-sensors serve as cluster heads and form clusters around them. Each L-sensor is pre-loaded with k keys from a large key pool Q. Each H-sensor is pre-loaded with m keys, where $m \gg k$. Being the cluster heads, H-sensors are responsible for collecting the key ring information from their member L-sensors and helping to calculate shared keys. It is intuitive that bidirectional links exist between the H-sensor and its member L-sensors. Moreover, during the clustering phase, each H-sensor broadcasts a Hello message to nearby L-sensors using the maximum power and with a random delay, which causes a serious problem.
Because the transmission ranges of H-sensors and L-sensors differ, an L-sensor in the cluster far away from its cluster head probably cannot reach it, so the link between them is unidirectional. Unfortunately, [15] did not discuss this problem. Another work [14] demonstrated a probabilistic unbalanced distribution of keys throughout the network that leverages the existence of a small percentage of more capable sensor nodes. Given a large key pool Q, they store a key ring of size k in each sensor (L1) node and a key ring of size m in each capable (L2) node, where $m \gg k$. Eschenauer and Gligor [4] present two trust methods to which the unbalanced key pre-distribution schemes are applied: (1) Backhaul. In this scenario, an L1 node only trusts an L2 node, in terms of both sharing the same keys. (2) Peer-to-Peer. Two L1 nodes wish to establish a session key. They trust only each other, or neighboring L2 nodes. If the L1 nodes do not have a direct key match, they will use an L2 node to assist in establishing a session key. Eschenauer and Gligor [4] imply that the existence of unidirectional links between L1 nodes can be patched by an intermediate L2 node. However, the precondition is that the L1 node must be bidirectionally connected with the L2 node. Moreover, this method cannot provide any further security, e.g. identity authentication. Literature [16] adopted public-key-based cryptography to provide ID authentication in its ID-based key establishment scheme. Unlike certificate-based methods, ID-based schemes avoid certificate exchange and save communication overhead. Zhang et al. [16] aim to provide confidentiality, authentication, integrity and non-repudiation. The unidirectional link problem does not exist in this scheme, since it is unnecessary to exchange certificates between neighboring nodes and all data exchange is left to the routing protocol. However, the performance cost is tremendous because of the computation of pairings.
In their scheme, each node participates in the ID-based system and is involved in pairing calculation. As far as we know, the energy consumption of one ECC-160 pairing calculation is about 34 mJ. A typical sensor device equipped with two alkaline batteries (21600 Ws), such as MICAz, cannot afford frequent computation of pairings.

3. Preliminaries

3.1. Connectivity in wireless sensor networks with directional links

With the consumption of energy, a sensor node faces an energy crisis which may cause its transmission power to weaken and thus shrink its radio range. Moreover, some applications requiring transmitter gain control may vary the transmission range as well. All these factors may result in the emergence of unidirectional links. A unidirectional link exists from node A to node B in a wireless sensor network when B is within the transmission range of A while A cannot hear B (node A is outside the transmission range of node B). Hence, the link from A to B exists while the link from B to A does not. The topology of a network is considered to be a directed graph, denoted $D = (V, E)$, where $V$ is the set of nodes in the network and $E$ represents the set of links in the network. $A \to B \in E$ indicates that a link exists from node A to node B, i.e. B is within the transmission range of A. If $B \to A \in E$ at the same time, we say that a bidirectional link exists between node A and node B and denote it $A \leftrightarrow B$. Otherwise, we say that there is a unidirectional link from node A to node B, where B is the downstream neighbor and A is the upstream neighbor. Though $B \to A$ does not exist, there may be a route from B to A via intermediate nodes. We define the reverse route of a link $A \to B$ as the shortest directed path from B to A. If $A \leftrightarrow B \in E$, the reverse route of $A \to B$ is the link $B \to A$. Intuitively, if $D = (V, E)$ is strongly connected, every link has a reverse route. We can categorize the minimum strongly connected components by the reverse route length parameter.

Definition 1. An r-loop component is a minimum strongly connected component which is constructed by unidirectional links and whose reverse route length is $r - 1$. For example, a bidirectional link can be defined as a 2-loop component. The component in Fig. 2 can be defined as a 3-loop component.
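Definition 1 and the reverse-route notion above, as an added Python example that is not part of the paper: it builds a small directed graph, constructed here to match the description of Fig. 1 in the text (A, B and C forming a 3-loop, D attached to B), computes the reverse route of every link by breadth-first search, assigns each link its r-loop order, and checks the two effects the text attributes to removing C → B and A → C. The exact link set, including the extra D → C link, is an assumption.

```python
from collections import deque

# Constructed sample topology (an assumption consistent with the text's description of Fig. 1):
# A<->B and B<->D are bidirectional; A->C, C->B and D->C are unidirectional,
# so A, B and C form a 3-loop A -> C -> B -> A.
SAMPLE_LINKS = {
    "A": {"B", "C"},
    "B": {"A", "D"},
    "C": {"B"},
    "D": {"B", "C"},
}


def shortest_path_len(links, src, dst):
    """Hop count of the shortest directed path src -> dst, or None if dst is unreachable."""
    if src == dst:
        return 0
    seen = {src}
    queue = deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in links.get(node, ()):
            if nxt == dst:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def is_bidirectional(links, a, b):
    """A <-> B: both directed links exist."""
    return b in links.get(a, ()) and a in links.get(b, ())


def reverse_route_len(links, a, b):
    """Reverse route of link a -> b: the shortest directed path from b back to a."""
    return shortest_path_len(links, b, a)


def loop_order(links, a, b):
    """r such that a -> b closes an r-loop (reverse route length r - 1); None without a reverse route."""
    rev = reverse_route_len(links, a, b)
    return None if rev is None else rev + 1


def classify_links(links):
    """Label every directed link as a bidirectional 2-loop, an r-loop, or lacking a reverse route."""
    result = {}
    for a, nbrs in links.items():
        for b in nbrs:
            if is_bidirectional(links, a, b):
                result[(a, b)] = "bidirectional (2-loop)"
            else:
                r = loop_order(links, a, b)
                result[(a, b)] = f"{r}-loop" if r else "no reverse route"
    return result


def is_strongly_connected(links):
    """Every node reaches every other node along directed links."""
    nodes = set(links) | {n for ns in links.values() for n in ns}
    return all(shortest_path_len(links, a, b) is not None for a in nodes for b in nodes)


def without_link(links, a, b):
    """Copy of the topology with the directed link a -> b deleted (what traditional schemes do)."""
    new = {k: set(v) for k, v in links.items()}
    new[a].discard(b)
    return new


if __name__ == "__main__":
    for link, label in sorted(classify_links(SAMPLE_LINKS).items()):
        print(f"{link[0]} -> {link[1]}: {label}")
    print("strongly connected:", is_strongly_connected(SAMPLE_LINKS))
    print("without C->B:", is_strongly_connected(without_link(SAMPLE_LINKS, "C", "B")))
    print("A to C without A->C:", shortest_path_len(without_link(SAMPLE_LINKS, "A", "C"), "A", "C"))
```

Dropping C → B leaves C with no outgoing link, so the graph is no longer strongly connected (the partition the text describes), and dropping A → C stretches the A-to-C path from one hop to three.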
Literature [6] studied the impact of the presence of unidirectional links on network characteristics. They relied on simulation rather than mathematical analysis to statistically analyze network topologies.

Fig. 2. Average distribution of r-loop in the network.

It generates random topologies with unidirectional links and analyzes them for relevant network properties, including connectivity in the presence and absence of unidirectional links. By their simulation results (see Fig. 2), the typical minimum strongly connected components are 2-loops and 3-loops, which means the typical length of the reverse route is 2 hops. As depicted in Fig. 1, nodes A, B and C construct a 3-loop component. In traditional schemes such as [4], nodes A and C cannot establish a shared key; they must depend on node B as an intermediary.

3.2. ID-based cryptography (IBC) and pairing schemes

Boneh and Franklin [5] proposed an ID-based cryptography system based on the Weil pairing. The system maintains a Key Generation Center (KGC) which generates the private key corresponding to an entity's ID, which acts as its public key. Because of this, ID-Based Cryptography (IBC) has become a favorable alternative to traditional certificate-based systems. A traditional system requires frequent certificate exchange, update and retirement, while IBC makes an entity's public key its own identity, such as an email address or social security number, and eliminates the need for certificates and the related communication overhead. All of these advantages make IBC very suitable for wireless sensor networks (WSNs), whose total energy cannot afford great communication overhead. For example, MICAz [7] from XBOW depends on two AA alkaline batteries whose capacity is approximately 2000 mAh, and its current draw in receive and transmit is 8 mA and 12 mA at 250 kbps, respectively. IBC has become popular in various fields including key establishment [8] thanks to pairing schemes in recent years. The following introduces the concept of pairing schemes. Let $E/\mathbb{F}_q$ denote the elliptic curve $E$ over the finite field $\mathbb{F}_q$. Let $E(\mathbb{F}_q)$ be the group of points of the curve. Let $n$ be a positive integer.
Let $G_1$ and $G_2$ be additively written groups of order $n$, and let $G_T$ be a multiplicatively written group of order $n$. Let $G$ be a subgroup of $E(\mathbb{F}_q)$. Let the order of $G$ be denoted by $l$, and define $k$ to be the smallest integer such that $l \mid q^k - 1$. A bilinear pairing is a computable, non-degenerate function $\hat e : G_1 \times G_2 \to G_T$ which satisfies the following properties:

(i) Bilinear: for $P, Q, R, S \in G$ and $c, d \in \mathbb{Z}_q$,
$\hat e(P_1 + P_2, Q) = \hat e(P_1, Q)\,\hat e(P_2, Q)$,
$\hat e(P, Q_1 + Q_2) = \hat e(P, Q_1)\,\hat e(P, Q_2)$,
$\hat e(cP, dQ) = \hat e(cP, Q)^d = \hat e(P, dQ)^c = \hat e(P, Q)^{cd}$.
(ii) Non-degenerate: there exists a $P \in G$ such that $\hat e(P, P) \neq 1$.
(iii) Computable: one can compute $\hat e(P, Q)$ in polynomial time.

Most IBC applications rely on the hardness of the following problem. Given $P$, $aP$, $bP$ and $cP$ for some $a, b, c \in \mathbb{Z}_q$, compute $\hat e(P, P)^{abc}$. This problem is known as the Bilinear Diffie–Hellman Problem (BDHP). The hardness of the BDHP depends on the hardness of the Diffie–Hellman problem both on $E/\mathbb{F}_q$ and in $\mathbb{F}_{q^k}$. So, for most IBC applications the parameters $q$, $l$ and $k$ must satisfy the following security requirements: (1) $l$ should be large enough that solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) in an order-$n$ subgroup of $E(\mathbb{F}_q)$ is infeasible; (2) $k$ should be large enough that solving the Discrete Logarithm Problem (DLP) in $\mathbb{F}_{q^k}$ is infeasible.
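As an added worked derivation (not from the paper), the bilinearity property (i) shows how the value asked for by the BDHP arises from the paper's $P$, $a$, $b$, $c$:
$$\hat e(aP, bP)^{c} = \bigl(\hat e(P, P)^{ab}\bigr)^{c} = \hat e(P, P)^{abc},$$
and symmetrically $\hat e(aP, cP)^{b} = \hat e(bP, cP)^{a} = \hat e(P, P)^{abc}$. A party holding one of the scalars together with the other two points can therefore compute the value, whereas the BDHP assumption is that it is infeasible from $P, aP, bP, cP$ alone; this asymmetry is what pairing-based key establishment between several parties rests on.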

4. Network model and pre-deployment phase

4.1. Network model

We present the heterogeneous network model and the cluster formation. We consider an HSN constituted by two types of sensors: (1) a large quantity of less capable sensors (L-nodes) with

limited energy supply and processing ability, and a smaller transmission range r; (2) a small quantity of powerful sensors (H-nodes) capable of handling complex applications such as public key cryptography algorithms, with a larger transmission range denoted R. Here, we note that the different radio ranges of H-nodes and L-nodes may cause the emergence of unidirectional links. Due to cost constraints, L-nodes are not equipped with tamper-resistant hardware. So, if an adversary captures an L-node, he can extract the secret information, such as key material, data and code stored on the node. H-nodes are more powerful and equipped with tamper-resistant hardware; even if one is captured, its secrets cannot be revealed by adversaries. We assume that the network area is a flat square and that the sensor nodes are static once they are deployed. We define a deployment zone as the desired region where a cluster is to be deployed. As an example, an H-node and its cluster-member-to-be L-nodes are deployed by being dropped from a helicopter. The deployment results in a clustering architecture in the HSN, which has proved to be a promising scheme in large-scale sensor networks for reducing management cost and gaining better scalability. During the cluster formation phase, each H-node broadcasts a Hello message to its neighboring L-nodes with a random delay using its pre-fixed transmission power. (The transmission range of H-nodes covers the deployment zone completely.) The random delay of the Hello messages is to avoid collisions between different H-nodes at the MAC layer. The deployment must ensure that the H-nodes cover the physical network area completely. Under these circumstances, most L-nodes will receive a Hello message from the nearest H-node and make this H-node their Cluster Head (CH).
If an L-node receives more than one Hello message, which means it is in an overlapping transmission region, it chooses the H-node with which it has a bidirectional link (otherwise, it chooses randomly) and claims itself a member of this cluster. At the same time, this L-node records the cluster heads it has heard and constructs a Vicinal Cluster Head Table (VCHT), the structure of which is shown in Fig. 3. It refers to the network model in Fig. 3. The first field of the VCHT is the L-node ID, which indicates the owner of the table. The next field is the Cluster ID, the cluster node a belongs to. The third one is Vicinal Cluster Heads. The value of this field indicates the H-nodes that node a can hear but has not chosen as its CH. In Fig. 3, node a is covered by three H-nodes and it chooses H-node A as its CH. The other two will be backups if H-node A fails. Clusters in the network are non-overlapping, but overlap of the H-nodes' transmission ranges is recommended. When the clustering phase finishes, the network is divided into several non-overlapping clusters (see Fig. 4). Each cluster member tells its CH the VCHT it maintains, so the CH is aware of the neighboring clusters.

4.2. Key pre-deployment phase

We assume that each L-node has a unique identity denoted id, and each H-node's is denoted ID. Accordingly, we generally use lower-case marks for L-nodes and upper-case marks for H-nodes in the following text. Prior to network deployment, there exists a trusted key generation center (KGC) that performs the jobs listed in (i) and (ii) below.
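The cluster head choice and VCHT construction of Section 4.1, as an added Python example that is not the paper's code: it derives the directed radio links from node positions and the ranges r and R, lets each L-node pick the H-node it has a bidirectional link with (randomly otherwise), fills in a VCHT row in the Fig. 3 layout, and shows what each CH learns about neighboring clusters once the members report their tables. The positions, the range values and the tie-break "nearest bidirectional head first" are assumptions.

```python
import math
import random

# Constructed deployment (positions and ranges are assumptions, not measurements from the paper):
# two H-nodes with transmission range R and three L-nodes with the smaller range r.
R = 10.0   # H-node transmission range
r = 4.0    # L-node transmission range
H_NODES = {"A": (0.0, 0.0), "B": (12.0, 0.0)}
L_NODES = {"a": (3.0, 0.0), "b": (6.0, 0.0), "c": (9.0, 1.0)}


def hears(tx_pos, tx_range, rx_pos):
    """A directed link tx -> rx exists when the receiver is inside the transmitter's range."""
    return math.dist(tx_pos, rx_pos) <= tx_range


def heads_heard(l_id):
    """H-nodes whose Hello message this L-node receives, nearest first."""
    pos = L_NODES[l_id]
    heard = [h for h, hpos in H_NODES.items() if hears(hpos, R, pos)]
    return sorted(heard, key=lambda h: math.dist(pos, H_NODES[h]))


def bidirectional_heads(l_id):
    """Those heard H-nodes that can also hear the L-node, i.e. the link is bidirectional."""
    pos = L_NODES[l_id]
    return [h for h in heads_heard(l_id) if hears(pos, r, H_NODES[h])]


def build_vcht(l_id, rng=random):
    """Choose the CH as in Section 4.1 and return this node's VCHT row (Fig. 3 layout)."""
    heard = heads_heard(l_id)
    if not heard:
        return None  # not covered by any H-node; the deployment rule requires full coverage
    bidir = bidirectional_heads(l_id)
    # Prefer an H-node reachable over a bidirectional link (nearest first, an assumption);
    # otherwise choose randomly among the heads that were heard, as the paper states.
    ch = bidir[0] if bidir else rng.choice(heard)
    return {
        "L-node ID": l_id,
        "Cluster head": ch,
        "Vicinal Cluster head": [h for h in heard if h != ch],
        "link to CH": "bidirectional" if ch in bidir else "unidirectional",
    }


def cluster_view(rng=random):
    """Members report their VCHTs, so each CH learns its members and the neighboring clusters."""
    view = {h: {"members": [], "neighboring clusters": set()} for h in H_NODES}
    for l_id in L_NODES:
        row = build_vcht(l_id, rng)
        if row is None:
            continue
        view[row["Cluster head"]]["members"].append(l_id)
        view[row["Cluster head"]]["neighboring clusters"].update(row["Vicinal Cluster head"])
    return view


if __name__ == "__main__":
    for l_id in L_NODES:
        print(build_vcht(l_id, random.Random(0)))
    print(cluster_view(random.Random(0)))
```

Node b sits 6 units from both heads, inside both R-ranges but outside its own r-range to either, so it ends up attached to its CH over a unidirectional link; this is exactly the member that the intra-cluster protocols of Section 5 have to support.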

Fig. 3. An example of VCHT.

L-node ID   Cluster head   Vicinal Cluster head
a           A              B, C

The pre-deployment jobs of the KGC are:

(i) Key pre-distribution for H-nodes:
(a) For each H-node I, choose from a large key pool Q a key set S_I containing enough keys for a symmetric algorithm (e.g. AES) and store it for intra-cluster usage.
(b) Generate the pairing parameters $(p, q, E/\mathbb{F}_p, G_1, G_2, \hat e)$.
(c) Pick a random $s \in \{1, 2, \ldots, l - 1\}$ as the network-wide master secret and a random generator $W$ of $G_1$, compute $W_{KGC} = sW$, and publish $(W, W_{KGC})$.
(d) Calculate for each H-node I an ID-based private key $Pr_I = sH(ID_I)$ whose corresponding public key is $Pu_I = H(ID_I)$.
(ii) Key pre-distribution for L-nodes:
(a) Each L-node randomly chooses m keys from the key set S_I and saves them as its key ring.

Fig. 4. HSN clustering formation. (Legend: H-node (cluster head), L-node (cluster member), H-node transmission boundary, cluster boundary.)

5. Intra-cluster key establishment

Most intra-cluster communications happen among L-nodes. To save energy for these less capable processors, we adopt symmetric-key security within the cluster. To reduce control overhead, we constrain intra-cluster communications inside the cluster boundary. That means all member nodes send, forward or receive messages to or from the nodes in the same cluster. Therefore, we consider the cluster a small-scale homogeneous sensor network including one managing node, the only H-node in this cluster.

5.1. Neighboring authentication using bidirectional links

This is also known as the secure link discovery process. Each member L-node shares some symmetric keys with its bidirectionally linked neighbor L-nodes with some probability, so it is probable to find a secure link, denoted sec-link, between neighboring nodes a and b. It implies that sec-links are bidirectional. The process is listed in Table 1. During this phase, each L-node is required to discover all possible sec-links with its neighbors. Suppose node a wishes to discover neighboring nodes once it has its keyIDlist. To do so, node a locally broadcasts an authentication request including its keyIDlist, ClusterID and a random nonce $n_a$. On receiving this message, node b first verifies whether the ClusterID equals its own. If $ClusterID_a$ does not match, node b simply discards the request. Otherwise, node b computes the intersection of both key rings and calculates a shared key as $k_{ab} = \bigoplus_{i=1}^{v} k_i$, where $k_1, \ldots, k_v$ are the elements of the intersection. Node b then unicasts a reply to node a including its keyIDlist, ClusterID, a random nonce $n_b$, and a MAC computed as $H_{k_{ab}}(n_a \| n_b \| 0)$. On receiving the reply, node a also first checks whether $ClusterID_b$ equals $ClusterID_a$; if so, it proceeds to derive the shared key just as node b did. If the message is verified, node a unicasts the message $H_{k_{ba}}(n_a \| n_b \| 1)$ to node b. These three steps complete a secure link discovery. It is based on the existence of a bidirectional link between nodes a and b. If the link between them is unidirectional, the process above will fail. Right after the secure link discovery process, most nodes are covered by sec-links.

Definition 2. A security association is a set of nodes covered by sec-links.

Definition 3. A sec-node is an L-node which is covered by at least one sec-link. An unsec-node is an L-node which is not covered by any sec-link. The status switch of an L-node is depicted in Fig. 5.

Table 1. Secure link discovery process among cluster members
a → *: keyIDlist_a, ClusterID_a, n_a
b → a: keyIDlist_b, ClusterID_b, n_b, H_{k_ab}(n_a || n_b || 0)
a → b: H_{k_ba}(n_a || n_b || 1)

Table 2. Messages flowing in IntraSec-I
Intra-I M1: c → *: id_a, n_a, n_c, ClusterID_c, keyIDlist_c
Intra-I M2: b → *: id_c, n_a, n_b, n_c, ClusterID_b, keyIDlist_b, keyIDlist_c
Intra-I M3: a → c: id_b, n'_a, n_b, n_c, keyIDlist_b, H_{k_abc}(id_b || n'_a || n_b || n_c)
Intra-I M4: c → b: n'_a, n'_c, H_{k_abc}(n'_a || n'_c || n_b)
Intra-I M5: b → a: n'_b, H_{k_abc}(n'_a || n'_b)
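The key pre-distribution of Section 4.2 and the secure link discovery of Table 1 (Section 5.1), as an added Python example that is not the paper's code: an H-node key set S_I is drawn from a constructed key pool Q, L-node rings are drawn from S_I, and the three-message exchange is run between pairs of nodes, including the failure cases the text names (ClusterID mismatch, no common key, and a unidirectional link over which one of the messages is never heard). The pool and ring sizes, the choice of HMAC-SHA256 for H, and the directed link set are assumptions.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass
from functools import reduce

# Constructed parameters (assumptions): a tiny key pool so intersections are easy to inspect.
POOL_SIZE = 64      # |Q|
CLUSTER_SET = 32    # |S_I|: the subset of Q that H-node I holds for intra-cluster use
KEY_LEN = 16


def make_key_pool(size, rng):
    """Key pool Q: the index is the unique key ID, the value a random symmetric key."""
    return {kid: rng.randbytes(KEY_LEN) for kid in range(size)}


def derive_pairwise_key(ring, shared_ids):
    """k_ab = k_1 XOR ... XOR k_v over the keys whose IDs lie in both rings (Section 5.1)."""
    keys = [ring[i] for i in sorted(shared_ids)]
    return reduce(lambda x, y: bytes(p ^ q for p, q in zip(x, y)), keys)


def mac(key, *parts):
    """H_k(p1 || p2 || ...). The paper does not fix H; HMAC-SHA256 is assumed here."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


@dataclass
class LNode:
    nid: str
    cluster_id: bytes
    ring: dict          # key ID -> key value, chosen from S_I


def secure_link_discovery(a, b, links, rng):
    """Run Table 1 with a as initiator and b as responder.

    links is the set of directed radio links (tx, rx). Returns (status, k_ab or None).
    """
    # M1: a -> *: keyIDlist_a, ClusterID_a, n_a   (b only hears it if the link a -> b exists)
    n_a = rng.randbytes(8)
    if (a.nid, b.nid) not in links:
        return f"unidirectional: {b.nid} never hears M1", None
    # b discards the request unless the ClusterID matches its own
    if a.cluster_id != b.cluster_id:
        return "cluster mismatch: request discarded", None
    shared = set(a.ring) & set(b.ring)      # b intersects keyIDlist_a with its own ring
    if not shared:
        return "no shared key: no sec-link", None
    k_ab = derive_pairwise_key(b.ring, shared)
    n_b = rng.randbytes(8)
    m2_mac = mac(k_ab, n_a, n_b, b"\x00")
    # M2: b -> a: keyIDlist_b, ClusterID_b, n_b, H_kab(n_a || n_b || 0)
    if (b.nid, a.nid) not in links:
        return f"unidirectional: {a.nid} never hears M2", None
    k_ba = derive_pairwise_key(a.ring, shared)  # a recomputes the intersection from keyIDlist_b
    if not hmac.compare_digest(m2_mac, mac(k_ba, n_a, n_b, b"\x00")):
        return "M2 MAC rejected by a", None
    # M3: a -> b: H_kba(n_a || n_b || 1)
    m3_mac = mac(k_ba, n_a, n_b, b"\x01")
    if not hmac.compare_digest(m3_mac, mac(k_ab, n_a, n_b, b"\x01")):
        return "M3 MAC rejected by b", None
    return "sec-link established", k_ab


def demo(seed=1):
    """Cluster I with one H-node key set S_I and a few L-node rings; outcome of each discovery."""
    rng = random.Random(seed)
    pool = make_key_pool(POOL_SIZE, rng)
    s_i = {kid: pool[kid] for kid in rng.sample(range(POOL_SIZE), CLUSTER_SET)}
    ids = sorted(s_i)

    def ring(lo, hi):          # an L-node ring of m = hi - lo keys taken from S_I
        return {i: s_i[i] for i in ids[lo:hi]}

    a = LNode("a", b"I", ring(0, 10))
    b = LNode("b", b"I", ring(5, 15))    # shares five key IDs with a and five with c
    c = LNode("c", b"I", ring(10, 20))   # shares nothing with a
    d = LNode("d", b"J", ring(0, 10))    # same ring as a, but claims another cluster
    links = {("a", "b"), ("b", "a"), ("a", "c"), ("c", "a"),
             ("a", "d"), ("d", "a"), ("b", "c")}     # b -> c is unidirectional
    return {
        "a-b": secure_link_discovery(a, b, links, rng),
        "a-c": secure_link_discovery(a, c, links, rng),
        "a-d": secure_link_discovery(a, d, links, rng),
        "b-c": secure_link_discovery(b, c, links, rng),
        "c-b": secure_link_discovery(c, b, links, rng),
    }


if __name__ == "__main__":
    for pair, (status, key) in demo().items():
        print(pair, status, key.hex() if key else "")
```

The b/c pair shares keys, yet the discovery fails in both directions: when b initiates, c's reply is never heard; when c initiates, b never hears the request. That is the gap IntraSec-I and IntraSec-II close by routing around the missing direction through a third node.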

Fig. 5. An L-node changes its status. (Figure: states unsec-node, sec-node, initiating and retired, with transitions A–G.)
A: discover bidirectional link(s) with another sec-node
B: no longer has any bidirectional link(s) to another sec-node
C: some secure link(s) break, but at least one secure link remains
D: discover secure link(s)
E: cannot discover any secure link
F: node no longer works in the network, because energy runs out, the node breaks down, or it is lost
G: node no longer works in the network, because the node breaks down, or it is lost


Apparently, only sec-nodes can reach the CH in its cluster. If unsec-nodes want to securely send data to the CH, they need to build trust relationships with sec-nodes. Therefore, we offer a scheme to use the unidirectional links in the locality and support the unsecnodes to build trust relationship with sec-nodes.

5.2. Supporting unidirectional links

5.2.1. IntraSec-I

In this subsection, we introduce a scheme to build trust relations between sec-nodes and unsec-nodes. As mentioned above, 2-loops and 3-loops are the most common connected components in the simulated networks. Consider the case shown in Fig. 6. Here, node a is a sec-node and nodes b and c are unsec-nodes. Because unsec-nodes b and c cannot reach the CH through sec-links, they must rely on the only sec-node in this 3-loop, node a. A sec-node in a 3-loop, say node a, periodically broadcasts the message "id_a, n_a, ClusterID_a, keyIDlist_a". Unsec-nodes that can hear at least one sec-node are qualified to start IntraSec-I. Once an unsec-node, say c (without loss of generality), intends to transmit secure messages to the CH, the nodes start the following protocol, called IntraSec-I, to establish a trust relationship with the sec-node of this 3-loop. The process is shown in Table 2.

When unsec-node c wants to transmit messages to the CH, it starts the protocol. First, c broadcasts Intra-I M1. The field id_a in this message indicates that node c chooses node a as its upstream neighbor in this session. If node b, which is within c's radio range, hears the message, b learns that a is the upstream neighbor of c. Then b checks whether a is its secure neighbor. If not, b halts the process. Otherwise, node b broadcasts Intra-I M2. When a hears it, it knows the topology of the locality, as Fig. 6 depicts. It then computes the intersection of the key rings, $keyIDlist_{a\cap b\cap c} = keyIDlist_a \cap keyIDlist_b \cap keyIDlist_c$, and derives $k_{abc}$ from the keys $k_1, \ldots, k_{|keyIDlist_{a\cap b\cap c}|}$ of that intersection. Now, a unicasts Intra-I M3 to c. The field $n'_a = n_a + 1$ indicates that this message is the fresh response to request Intra-I M1. On hearing the message, c becomes aware of the topology in Fig. 6. Node c then computes $k_{abc}$ and checks $H_{k_{abc}}(id_b \| n'_a \| n_b \| n_c)$ to verify the integrity and freshness of Intra-I M3. It then sends Intra-I M4 to node b, including the MAC $H_{k_{abc}}(n'_a \| n'_c \| n_b)$. Node b sends Intra-I M5 to node a, including the MAC $H_{k_{abc}}(n'_a \| n'_b)$.

After two MAC transmissions and verifications, all three parties in the 3-loop hold a shared key $k_{abc}$. IntraSec-I thus establishes a shared secret $k_{abc}$ among nodes a, b and c, and also offers a simple authentication among them. Node c can now use this secret to transfer data securely to sec-node a, and from there to the CH.

5.2.2. IntraSec-II

In Fig. 6, there is one sec-node in the triangle. Let us consider the other case, shown in Fig. 7. This 3-loop locality contains two sec-nodes, a and b, which have already set up a secure link in the secure link discovery process. A sec-node in the 3-loop, say node a, periodically broadcasts the message "id_a, n_a, ClusterID_a, keyIDlist_a". If unsec-node c wishes to transfer data to the CH, it must set up trust relationships with both node a and node b. Instead of the plain IntraSec-I, we use an improved variant, IntraSec-II. The messages exchanged in IntraSec-II are listed in Table 3.

Fig. 6. A 3-loop locality to build trust relationship. (Nodes a, b and c; a, b and c establish k_abc.)

Fig. 7. A 3-loop containing 2 sec-nodes. (Nodes a, b and c; a and b share k_ab; b and c establish k_bc; a and c establish k_ac.)
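As an added example (not code from the paper), the IntraSec-I handshake of Section 5.2.1 simulated in Python: the sec-node a derives k_abc from the key-ring intersection, the MACs of M3, M4 and M5 are checked together with the n'_a = n_a + 1 freshness rule, and a tampered M3 is rejected. The key-derivation function, the MAC construction and the exact message fields are assumptions, since Table 2 is not reproduced here.

```python
# Added example (not from the paper): a simulation of the IntraSec-I 3-loop
# handshake of Section 5.2.1 with one sec-node a and unsec-nodes b and c.
# Assumptions (not given on the page): keys are 16-byte values, k_abc is
# derived by hashing the keys of the ring intersection in keyID order, the
# MAC H_k(.) is HMAC-SHA256 truncated to 8 bytes, and the message fields
# follow the prose of 5.2.1. All identities, nonces and rings are constructed.
import hashlib
import hmac
from dataclasses import dataclass, field

MAC_LEN = 8

def mac(key: bytes, *fields) -> bytes:
    """H_k(f1 || f2 || ...): HMAC-SHA256 over length-prefixed fields."""
    data = b"".join(len(str(f)).to_bytes(2, "big") + str(f).encode() for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]

@dataclass
class Node:
    nid: str
    cluster: str
    ring: dict                      # key ring: keyID -> 16-byte key
    nonce: int                      # the node's current nonce n_x
    secure_neighbors: set = field(default_factory=set)   # sec-links it holds

def intersection_ids(*rings):
    """keyIDlist_{a∩b∩c}: key IDs present in every given ring or ID list."""
    ids = set(rings[0])
    for r in rings[1:]:
        ids &= set(r)
    return sorted(ids)

def derive_kabc(ring: dict, ids) -> bytes:
    """Combine the keys k_1..k_n of the intersection (assumed: SHA-256)."""
    h = hashlib.sha256()
    for i in ids:
        h.update(ring[i])
    return h.digest()

def run_intrasec_i(a: Node, b: Node, c: Node, tamper_m3: bool = False):
    """Run IntraSec-I over the loop c -> b -> a -> c. Returns the key as seen
    by (a, b, c), or None when any party rejects a message."""
    beacon = {"id": a.nid, "n": a.nonce, "ids": sorted(a.ring)}   # a's periodic broadcast
    # Intra-I M1, c -> *: id_a (chosen upstream), n_c, ClusterID_c, keyIDlist_c
    m1 = {"up": a.nid, "n_c": c.nonce, "cluster": c.cluster, "ids_c": sorted(c.ring)}
    if m1["up"] not in b.secure_neighbors:       # b halts unless a is its secure neighbour
        return None
    # Intra-I M2, b -> *: id_c, n_b, n_c, ClusterID_b, keyIDlist_b, keyIDlist_c
    m2 = {"id_c": c.nid, "n_b": b.nonce, "n_c": m1["n_c"], "cluster": b.cluster,
          "ids_b": sorted(b.ring), "ids_c": m1["ids_c"]}
    ids = intersection_ids(a.ring, m2["ids_b"], m2["ids_c"])
    if not ids:                                  # no common key: the triangle cannot be keyed
        return None
    k_a = derive_kabc(a.ring, ids)
    n_a1 = beacon["n"] + 1                       # n'_a = n_a + 1 marks a fresh reply to M1
    # Intra-I M3, a -> c: id_b, n'_a, n_b, n_c, keyIDlist_b, H_kabc(id_b || n'_a || n_b || n_c)
    m3 = {"id_b": b.nid, "n_a1": n_a1, "n_b": m2["n_b"], "n_c": m2["n_c"],
          "ids_b": m2["ids_b"], "mac": mac(k_a, b.nid, n_a1, m2["n_b"], m2["n_c"])}
    if tamper_m3:
        m3["n_b"] += 1                           # an on-path modification of M3
    # c rebuilds the triangle, derives k_abc, and checks integrity and freshness.
    k_c = derive_kabc(c.ring, intersection_ids(c.ring, beacon["ids"], m3["ids_b"]))
    expected = mac(k_c, m3["id_b"], m3["n_a1"], m3["n_b"], m3["n_c"])
    if m3["n_a1"] != beacon["n"] + 1 or m3["n_c"] != c.nonce \
            or not hmac.compare_digest(m3["mac"], expected):
        return None
    n_c1 = c.nonce + 1
    # Intra-I M4, c -> b: n'_a, n'_c, n_b, H_kabc(n'_a || n'_c || n_b)
    m4 = {"n_a1": m3["n_a1"], "n_c1": n_c1, "n_b": m3["n_b"],
          "mac": mac(k_c, m3["n_a1"], n_c1, m3["n_b"])}
    k_b = derive_kabc(b.ring, intersection_ids(b.ring, beacon["ids"], m1["ids_c"]))
    if m4["n_b"] != b.nonce or not hmac.compare_digest(
            m4["mac"], mac(k_b, m4["n_a1"], m4["n_c1"], m4["n_b"])):
        return None
    n_b1 = b.nonce + 1
    # Intra-I M5, b -> a: n'_a, n'_b, H_kabc(n'_a || n'_b)
    m5 = {"n_a1": m4["n_a1"], "n_b1": n_b1, "mac": mac(k_b, m4["n_a1"], n_b1)}
    if m5["n_a1"] != n_a1 or not hmac.compare_digest(
            m5["mac"], mac(k_a, m5["n_a1"], m5["n_b1"])):
        return None
    return k_a, k_b, k_c

def sample_ring(ids):
    """Constructed key ring: keyID -> deterministic 16-byte sample key."""
    return {i: hashlib.sha256(b"constructed key %d" % i).digest()[:16] for i in ids}

def demo():
    """Rings 1..8, 3..10 and 5..12 share keyIDs 5..8; run once clean, once tampered."""
    a = Node("a", "C1", sample_ring(range(1, 9)), nonce=10, secure_neighbors={"b"})
    b = Node("b", "C1", sample_ring(range(3, 11)), nonce=20, secure_neighbors={"a"})
    c = Node("c", "C1", sample_ring(range(5, 13)), nonce=30)
    return run_intrasec_i(a, b, c), run_intrasec_i(a, b, c, tamper_m3=True)
```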

Table 3 Messages flowing in IntraSec-II

Intra-II M1:  c → *: id_a, n_c, ClusterID_c, keyIDlist_c, H_{k_ac}(n_a || n_c)
Intra-II M2:  b → a: id_c, n_b, n_c, ClusterID_b, keyIDlist_c, E_{k_ab}(H_{k_ac}(n_a || n_c) || n_b)
Intra-II M3:  a → c: id_b, n'_a, E_{k_ac}(keyIDlist_{b∩c} || n'_a || n_b || n_c)
Intra-II M4:  c → b: n_b, n'_c, E_{k_bc}(n'_c || n_b)

(x → * denotes a local broadcast by node x.)

Node c starts IntraSec-II to discover the locality 3-loop. First, c broadcasts Intra-II M1 to its physical neighbors, where id_a indicates that node c selects node a as its upstream neighbor. If node b hears the message, it checks whether id_a is a neighbor connected to itself by a sec-link. If not, node b stops forwarding in this protocol session. If node a is a secure neighbor of node b, as depicted in Fig. 7, node b sends Intra-II M2 to node a. Notice that nodes a and b have already set up a sec-link and a shared secret $k_{ab}$. On receiving the message, node a first decrypts $E_{k_{ab}}(H_{k_{ac}}(n_a \| n_c) \| n_b)$ and obtains the hash value. Then it verifies the MAC and judges its correctness. Furthermore, it is important for node a to check $n_a$ to confirm that node c's request is fresh. Now node a is aware of node c's request and confirms c as its downstream neighbor. Node a unicasts Intra-II M3 to c. Node c calculates $k_{ac}$ from its own keyIDlist and node a's. Node c decrypts $E_{k_{ac}}(keyIDlist_{b\cap c} \| n'_a \| n_b \| n_c)$ and verifies freshness using $n_c$; it then calculates $k_{bc}$, encrypts $E_{k_{bc}}(n'_c \| n_b)$ and sends Intra-II M4 to node b. Node b computes $k_{bc}$ and decrypts $E_{k_{bc}}(n'_c \| n_b)$; it can then verify freshness and accept node c as its upstream neighbor. In this scenario, nodes a and b already hold a shared key $k_{ab}$. So, different from IntraSec-I, IntraSec-II does not build a shared key among three nodes; instead, it establishes trust between nodes c and a and between nodes c and b, respectively, which alleviates some communication overhead.

6. Inter-cluster key establishment

As mentioned before, L-nodes communicate with the nodes in their own cluster. If an L-node intends to communicate with L-nodes in other clusters, it has to use several H-nodes to reach the target cluster and then find the target L-node. From Fig. 4, we can see that all the H-nodes in this HSN constitute an upper level peer-to-peer network.

To match the communication pattern of the upper level network, its security scheme should differ from that of the lower level. Moreover, because H-nodes have more computational ability and energy supply, we adopt ID-based cryptography with pairing in the key establishment protocol design. The key establishment consists of two phases: the first is Neighbor Authentication and the second is Distanced Pairwise Key Establishment. In WSNs, neighbor authentication is the process by which neighboring sensor nodes validate each other's legitimate identity. This process is fundamental to many security services. For instance, a node should only accept messages from and forward messages to


authenticated neighboring nodes. Otherwise, external adversaries can easily inject information into or extract information from the network. Considering the importance of neighbor authentication, we not only design neighbor authentication processes using bidirectional links, but also propose authentication using unidirectional links.

emerge unidirectional links in the network. Traditional solutions such as [1–4] often ignore unidirectional links. This causes the loss of some healthy clusters and many healthy sensors, so the surveillance area covered by the HSN shrinks enormously. To alleviate the impact of unidirectional links, we provide a novel scheme for HSNs.

6.1. Neighbor authentication

6.2.1. InterSec-I

Consider the scenario of Fig. 8, where node A is a SEC-NODE and nodes B and C are UNSEC-NODEs. Nodes A, B and C form a 3-loop connected component, which lets nodes B and C build a trust relationship using SEC-NODE A. The process is listed in Table 5. If UNSEC-NODE C intends to build a trust relationship with SEC-NODE A, it first broadcasts Inter-I M1 within its transmission range. Suppose node B hears the message; node B knows that C cannot hear it, so it broadcasts Inter-I M2. Suppose node A hears that message; it realizes that nodes C, B and itself complete a 3-loop connected component. Node A then calculates $k_{ABC}$ from the received ephemeral public keys $cW_{KGC}$ and $bW_{KGC}$ and its own $aW_{KGC}$ ($a, b, c \in \mathbb{Z}_q$), together with the MAC $H_{k_{ABC}}(ID_B \| N'_A \| N_B \| N_C)$. Node A then unicasts Inter-I M3 to node C. On receiving Inter-I M3 and Inter-I M4, node C and node B, respectively, calculate $k_{ABC}$ from the received ephemeral public keys. InterSec-I thereby constructs a trust relationship among the three nodes. Notice that, after nodes B and C broadcast their messages, they set a TTL for the session; for example, node C sets TTL = 2, meaning that it expects to receive Inter-I M3 within the TTL time. If C receives no corresponding reply (Inter-I M3) within this time, the session ends unsuccessfully; after some time, C launches a new InterSec-I session to look for a 3-loop component. The protocol holds because the nodes possess the correct ID-based private keys corresponding to their IDs; $k_{ABC}$ equals $k_{BAC}$ and $k_{CAB}$ due to the following equations.

After the network deployment phase, each node is required to discover and perform mutual authentication with its neighboring H-nodes, a necessary procedure in many security schemes for WSNs. As mentioned before, in the cluster formation phase each cluster head collects the IDs of its neighboring clusters. So, during the neighbor authentication process, each node first checks that the requesting H-node is one of its neighboring CHs; this is a necessary step. Then they authenticate each other by the following process. Table 4 shows an example in which H-node A authenticates its neighbor H-node B. Node A locally broadcasts an authentication request including its ID and a nonce. On receiving this message, node B computes a shared key $k_{BA} = e(Pr_B, Pu_A)$, where $Pu_A = H(ID_A)$. It then unicasts a reply to node A including its ID, a nonce and a MAC computed as $H_{k_{BA}}(N_A \| N_B \| 0)$. Upon receiving the reply, node A also first computes the shared key with node B, $k_{AB} = e(Pr_A, Pu_B)$, and then computes $H_{k_{AB}}(N_A \| N_B \| 0)$. If the result equals what it received, node A considers node B an authentic neighbor. Subsequently, node A returns to node B the message $H_{k_{BA}}(N_A \| N_B \| 1)$. If node B verifies this message, it accepts node A as an authentic neighbor as well. The shared keys $k_{AB}$ and $k_{BA}$ are equal because

$$k_{BA} = e(Pr_B, Pu_A) = e(sH(ID_B), H(ID_A)) = e(H(ID_B), H(ID_A))^s = e(H(ID_B), sH(ID_A)) = e(Pr_A, Pu_B) = k_{AB}.$$

$$k_{ABC} = e(aPr_A, W)\, e(Pu_B, bW_{KGC})\, e(Pu_C, cW_{KGC}) = e(asH(ID_A), W)\, e(H(ID_B), bsW)\, e(H(ID_C), csW)$$

After the three-way handshake with the ID-based pairing scheme, all nodes achieve mutual authentication with their neighboring nodes. The neighbor authentication process helps the H-nodes form the upper level network topology. Right after the topology's formation, bidirectional links cover most H-nodes in the network. As the radio transmission diameter shrinks, some bidirectional links degrade into unidirectional links.

$$k_{BAC} = e(Pu_A, aW_{KGC})\, e(bPr_B, W)\, e(Pu_C, cW_{KGC}) = e(H(ID_A), asW)\, e(bsH(ID_B), W)\, e(H(ID_C), csW)$$

$$k_{CAB} = e(Pu_A, aW_{KGC})\, e(Pu_B, bW_{KGC})\, e(cPr_C, W) = e(H(ID_A), asW)\, e(H(ID_B), bsW)\, e(csH(ID_C), W)$$

$$k_{ABC} = k_{BAC} = k_{CAB} = e(H(ID_A), W)^{as}\, e(H(ID_B), W)^{bs}\, e(H(ID_C), W)^{cs} = e(H(ID_A) + H(ID_B) + H(ID_C), W)^{(a+b+c)s}$$

Definition 4. A SECURITY ASSOCIATION is a set of H-nodes which are covered by bidirectional links.

Definition 5. A SEC-NODE is an H-node which is covered by at least one bidirectional link with other H-nodes. An UNSEC-NODE is an H-node which is not covered by any bidirectional link with other H-nodes.

UNSEC-NODEs have to build trust relationships with SEC-NODEs in order to securely send data to other H-nodes.

6.2. Exploiting unidirectional links in neighbor authentication

Fig. 8. A 3-loop locality to build trust relationship. (Nodes A, B and C; A, B and C establish k_ABC.)

After running for a long time, the H-nodes have consumed some amount of energy and their transmission ranges vary, and then there

Table 4 Secure link discovery process among cluster heads

A → *: ID_A, N_A
B → A: ID_B, N_B, H_{k_BA}(N_A || N_B || 0)
A → B: H_{k_AB}(N_A || N_B || 1)

Table 5 Messages flowing in InterSec-I

Inter-I M1:  C → *: ID_A, N_C, cW_KGC
Inter-I M2:  B → *: ID_C, N_B, N_C, cW_KGC, bW_KGC
Inter-I M3:  A → C: ID_B, N'_A, N_B, N_C, bW_KGC, H_{k_ABC}(ID_B || N'_A || N_B || N_C)
Inter-I M4:  C → B: N'_A, N'_C, H_{k_CAB}(N'_A || N'_B)
Inter-I M5:  B → A: N'_A, N'_C, H_{k_CAB}(N'_A || N'_B)


Using InterSec-I, nodes B and C can build a trust relationship and authenticate themselves to SEC-NODE A.

6.2.2. InterSec-II

Previously, IntraSec-II considered a 3-loop locality containing two sec-nodes a and b with a sec-link between them. Here in InterSec we also handle this type of scenario, depicted in Fig. 9. It contains two SEC-NODEs A and B. Because nodes A and B have authenticated each other through the bidirectional link between them, there is no need to negotiate a tripartite key for the three nodes. Instead, nodes C and A, and nodes C and B, calculate shared keys, respectively. InterSec-II takes the steps listed in Table 6. The shared key between nodes A and C is computed as $k_{AC} = k_A = k_C$, and the key between nodes B and C as $k_{BC} = k_B = k_C$:

$$k_A = e(aPr_A, W)\, e(Pu_C, cW_{KGC}) = e(asH(ID_A), W)\, e(H(ID_C), csW)$$

$$k_C = e(cPr_C, W)\, e(Pu_A, aW_{KGC}) = e(csH(ID_C), W)\, e(H(ID_A), asW)$$

$$k_{AC} = k_A = k_C = e(H(ID_A), W)^{as}\, e(H(ID_C), W)^{cs} = e(asH(ID_A) + csH(ID_C), W)$$

$$k_B = e(bPr_B, W)\, e(Pu_C, cW_{KGC}) = e(bsH(ID_B), W)\, e(H(ID_C), csW)$$

$$k_C = e(cPr_C, W)\, e(Pu_B, bW_{KGC}) = e(csH(ID_C), W)\, e(H(ID_B), bsW)$$

$$k_{BC} = k_B = k_C = e(H(ID_B), W)^{bs}\, e(H(ID_C), W)^{cs} = e(bsH(ID_B) + csH(ID_C), W)$$

6.3. Distanced pairwise key establishment

After neighbor authentication, an H-node needs to establish pairwise shared keys with other H-nodes that are multiple hops away when end-to-end traffic must be secured. Assume that nodes U and V are the source and destination nodes, and that the routing path between them has been established by a routing protocol which exploits unidirectional links, e.g. [9]. To establish a pairwise key, nodes U and V execute the following steps: (i) If both nodes U and V are SEC-NODEs, then, using the underlying routing protocol, they exchange the messages:

U → V: ID_U, lH(ID_U)
V → U: ID_V, mH(ID_V)

Here, $l, m \in \mathbb{Z}_q$ are randomly chosen by nodes U and V, respectively. Node V calculates

$$K_{V,U} = e(Pr_V, mH(ID_U) + lH(ID_U)) = e(sH(ID_V), mH(ID_U) + lH(ID_U))$$

and node U calculates

$$K_{U,V} = e(Pr_U, lH(ID_V) + mH(ID_V)) = e(sH(ID_U), lH(ID_V) + mH(ID_V))$$

$$K_{U,V} = K_{V,U} = e(H(ID_U), H(ID_V))^{s(l+m)}$$

(ii) If both nodes U and V are unsec-nodes (see Fig. 10), they must each belong to a 3-loop. Node U then sends the message "ID_U, lH(ID_U)" to a sec-node in its 3-loop. The multihop route between sec-nodes is found by the underlying routing protocol. When the message arrives at the 3-loop containing node V, i.e. at node Y, that node unicasts it to node V. Nodes U and V can then compute the pairwise key $K_{U,V} = K_{V,U} = e(H(ID_U), H(ID_V))^{s(l+m)}$. (iii) If one node is a sec-node and the other an unsec-node, the process follows case (ii). Since the messages are transmitted in plaintext, any third party can overhear them. However, the third party cannot derive the pairwise key $K_{U,V}$ without knowing the ID-based private key of U or V.

InterSec-II helps UNSEC-NODE C build a trust relationship with SEC-NODEs A and B without affecting the authenticity between SEC-NODEs A and B. Moreover, InterSec-II requires node C to compute four pairings, while nodes A and B are only required to compute two pairings each.
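As an added example (not the authors' code), the key equalities of Sections 6.1, 6.2.1, 6.2.2 and 6.3 are evaluated on a constructed toy bilinear map; the map, the hash-to-G1 function and the KGC class are assumptions standing in for the Tate pairing setup the paper uses, and carry no security.

```python
# Added example (not from the paper): the pairing algebra of Sections 6.1-6.3
# checked on a toy symmetric bilinear map. Assumptions: G1 is modelled as the
# integers mod N = P-1 (an element X stands for the multiple X*W of the
# generator W, so W itself is the scalar 1), G_T is the cyclic group generated
# by G in Z_P^*, and e(X, Y) = G^(X*Y mod N) mod P, which is symmetric and
# bilinear. This map has no security (discrete logs in Z_N are trivial); it
# only makes the key equalities stated in the paper checkable by computation.
import hashlib
import hmac
import secrets

P = 2**127 - 1      # a Mersenne prime: modulus of the toy target group G_T
N = P - 1           # exponent modulus: the toy G1
G = 3               # generator of G_T
W = 1               # the public generator W of G1 (scalar 1)

def pairing(x: int, y: int) -> int:
    """e(xW, yW) = G^(xy).  Bilinear: e(ax, y) = e(x, y)^a = e(x, ay)."""
    return pow(G, (x * y) % N, P)

def h1(identity: str) -> int:
    """H(ID): map an identity to a G1 element (SHA-256 reduced mod N)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % N

class KGC:
    """Key generation center: master secret s, public W_KGC = sW."""
    def __init__(self, s=None):
        self.s = s if s is not None else secrets.randbelow(N - 2) + 2
        self.w_kgc = (self.s * W) % N

    def extract(self, identity: str) -> int:
        return (self.s * h1(identity)) % N        # Pr_ID = sH(ID)

def neighbor_key(my_pr: int, peer_id: str) -> int:
    """Section 6.1: k_AB = e(Pr_A, Pu_B) with Pu_B = H(ID_B)."""
    return pairing(my_pr, h1(peer_id))

def auth_tag(k: int, n_a: int, n_b: int, flag: int) -> bytes:
    """Table 4 MAC H_k(N_A || N_B || flag): flag 0 in the reply, 1 in the confirmation."""
    return hmac.new(k.to_bytes(16, "big"), b"%d|%d|%d" % (n_a, n_b, flag), hashlib.sha256).digest()

def loop_key(my_pr: int, my_scalar: int, others) -> int:
    """Sections 6.2.1/6.2.2: e(aPr_A, W) * prod e(Pu_X, xW_KGC) over the other
    nodes, given as (ID_X, x*W_KGC) pairs. Two others give k_ABC, one gives k_AC."""
    k = pairing((my_scalar * my_pr) % N, W)
    for peer_id, eph in others:
        k = (k * pairing(h1(peer_id), eph)) % P
    return k

def distanced_key(my_pr: int, my_scalar: int, peer_id: str, received: int) -> int:
    """Section 6.3: K_UV = e(Pr_U, l H(ID_V) + m H(ID_V)), received = m H(ID_V)."""
    return pairing(my_pr, (my_scalar * h1(peer_id) + received) % N)

def check_all(kgc=None) -> dict:
    """Run each derivation from every side involved and report the equalities."""
    kgc = kgc or KGC()
    pr = {x: kgc.extract(x) for x in ("A", "B", "C", "U", "V")}
    a, b, c, l, m = (secrets.randbelow(N - 1) + 1 for _ in range(5))   # ephemeral scalars
    eph = {x: (r * kgc.w_kgc) % N for x, r in (("A", a), ("B", b), ("C", c))}
    out = {}
    # 6.1 neighbour authentication: k_AB = k_BA, so B's tag verifies at A.
    k_ab, k_ba = neighbor_key(pr["A"], "B"), neighbor_key(pr["B"], "A")
    out["neighbor"] = k_ab == k_ba and hmac.compare_digest(
        auth_tag(k_ba, 7, 9, 0), auth_tag(k_ab, 7, 9, 0))
    # 6.2.1 InterSec-I tripartite key: k_ABC = k_BAC = k_CAB ...
    k_abc = loop_key(pr["A"], a, [("B", eph["B"]), ("C", eph["C"])])
    k_bac = loop_key(pr["B"], b, [("A", eph["A"]), ("C", eph["C"])])
    k_cab = loop_key(pr["C"], c, [("A", eph["A"]), ("B", eph["B"])])
    # ... and all equal e(asH(ID_A) + bsH(ID_B) + csH(ID_C), W), the form 6.2.2 uses.
    direct = pairing((a * pr["A"] + b * pr["B"] + c * pr["C"]) % N, W)
    out["tripartite"] = k_abc == k_bac == k_cab == direct
    # 6.2.2 InterSec-II pairwise key: k_AC = k_A = k_C.
    k_a = loop_key(pr["A"], a, [("C", eph["C"])])
    k_c = loop_key(pr["C"], c, [("A", eph["A"])])
    out["pairwise"] = k_a == k_c
    # 6.3 distanced pairwise key: K_UV = K_VU = e(H(ID_U), H(ID_V))^(s(l+m)).
    k_uv = distanced_key(pr["U"], l, "V", (m * h1("V")) % N)
    k_vu = distanced_key(pr["V"], m, "U", (l * h1("U")) % N)
    closed = pow(pairing(h1("U"), h1("V")), (kgc.s * (l + m)) % N, P)
    out["distanced"] = k_uv == k_vu == closed
    return out

if __name__ == "__main__":
    print(check_all())
```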

Fig. 9. A 3-loop locality to build trust relationship. (Nodes A, B and C; A and B share k_AB; A and C establish k_AC; B and C establish k_BC.)

7. Other issues

In this section we discuss some details skipped in the previous text.

7.1. Detecting unidirectional links

Detecting unidirectional links is quite straightforward. Following the network deployment phase, unidirectional links between nodes are discovered as follows. A node periodically broadcasts Hello messages and waits for its neighbors to reply. If it receives a reply within a certain period of time, it ascertains that a bidirectional link exists. If it does not receive a reply within that period, the node is not aware of the downstream neighbor's existence, but the downstream neighbor knows it has an upstream neighbor. For example, in Fig. 1, node C is an upstream neighbor of node B: the unidirectional link C → B is not known to node C but is known to node B.

7.2. Avoiding dead loops and unavailable loops

We know from Section 3.1 that most loop components in the sensor network digraph are 2-loops and 3-loops. Hence, we adopt an efficient one-round loop discovery process with at most three messages. For example, Intra-I M1, M2 and M3 carry the information for establishing the locality topology. Notice that messages transmitted in a loop must not circulate forever, so we give each node a "Time-To-Live" (TTL) for each request message in the protocol. For instance, node c sets a


Table 6 Messages flowing in InterSec-II

Inter-II M1:  C → *: ID_A, N_C, cW_KGC, H_{k_AC}(N_A || N_C)
Inter-II M2:  B → A: ID_C, N_B, N_C, bW_KGC, cW_KGC, E_{k_AB}(H_{k_AC}(N_A || N_C) || N_B)
Inter-II M3:  A → C: ID_B, N'_A, bW_KGC, E_{k_AC}(N'_A || N_B || N_C)
Inter-II M4:  C → B: N_B, N'_C, E_{k_BC}(N'_C || N_B)

Fig. 10. Node U and V intend to establish a pairwise key. (Nodes U, V, W, X, Y and Z.)


8. Security analysis

We propose a novel key establishment protocol exploiting unidirectional links in HSNs. The purpose of the protocol is to accommodate the requirements of long-lived sensor networks. It contains protocols for intra-cluster key establishment and protocols for inter-cluster key establishment, and has the following security advantages:

(i) Resilience against node compromise inside a cluster.
(ii) Resistance to injection, replay and man-in-the-middle attacks.
(iii) Resistance to node replication.

8.1. Resilience against node compromise

Since we use a triangle to replace some traditional secure links in our scheme, when the adversary compromises some nodes and reveals their secret keys, the probability of compromising a triangle is much smaller than that of compromising a sec-link. We assume that there are N nodes in the network and that each node stores m keys chosen from its cluster key set $S_I$ of size $|S_I|$. All the security schemes and cryptographic algorithms are public except the keys and their related information. The adversary can capture x nodes, extract all their secret information, and launch a distribution analysis and attack on other secure links. We measure the resilience of the network as follows:

$$\text{resilience} = 1 - \frac{\text{total number of compromised links}}{\text{total number of secure links}}$$

Obviously, the resilience equals 1 minus the probability of the event that the vertices of a sec-link have some of their shared keys known by an adversary who has compromised x nodes. The key ring of node i is denoted $K_i$ and the jth element of $K_i$ is denoted $k_i^j$; the union of the key sets of the compromised nodes is $M = \bigcup_{i=1}^{x} K_i$. Let $F_{a,b}$ be the event "at least one of the keys shared by nodes a and b is known by the set M", i.e. $M \cap (K_a \cap K_b \cap K_c) \neq \emptyset$. Hence $F_{a,b} = (k_a^1 \in K_b \wedge k_a^1 \in K_c \wedge k_a^1 \in M) \vee \cdots \vee (k_a^m \in K_b \wedge k_a^m \in K_c \wedge k_a^m \in M)$, and $\Pr[F_{a,b}]$ is the probability that a link is compromised. So the resilience of our scheme is $1 - \Pr[F_{a,b}]$; we have

$$1 - \Pr[F_{a,b}] = 1 - \sum_{i=1}^{m} (-1)^{i+1} \binom{m}{i} \left[\frac{\binom{|S_I|-i}{m-i}}{\binom{|S_I|}{m}}\right]^2 \frac{\binom{|S_I|-i}{xm-i}}{\binom{|S_I|}{xm}}$$

Using this method, the resiliency of the traditional key pre-distribution scheme [4] can be presented as

$$1 - \Pr[E_{a,b}] = 1 - \sum_{i=1}^{m} (-1)^{i+1} \binom{m}{i} \frac{\binom{|S_I|-i}{m-i}}{\binom{|S_I|}{m}} \frac{\binom{|S_I|-i}{xm-i}}{\binom{|S_I|}{xm}}$$

Fig. 11. Unavailable 3-loops. (Legend: unsec-node or UNSEC-NODE.)

TTL = 3 (to recognize 3-loops) for its message Intra-I M1 in the IntraSec-I scheme. This means that if node c does not receive any corresponding reply within 3-hop time, it considers the session failed. Unavailable 3-loops are those that do not include any sec-node. All three forms of unavailable 3-loops are listed in Fig. 11. They are isolated in the network and make no contribution to network collaboration. Some of them may be energetic, and a larger r-loop with r > 3 could make use of them; however, due to the communication overhead of searching larger loops, we do not consider them further.

which indicates that the resilience of a triangle is obviously better than that of the traditional schemes. The derivation of the resiliency is rather complex, so it is moved to Appendix A.

8.2. Resistance to injection, replay and man-in-the-middle attack

Different from passive adversaries, active adversaries are capable of injecting, modifying and replaying messages in the network. They create malicious or redundant information, or copy legitimate authentication messages to somewhere else in the network, and so on. By these attacks, the adversaries attempt to create spurious message flows or a network partition.

1) Intra-cluster: As mentioned before, neighboring member nodes in the same cluster are required to check the validity of their communicating neighbors by their key rings, and they do not accept messages from invalid nodes. Since they communicate only with legitimate nodes, adversaries are prevented from injecting malicious messages into the cluster. Once nodes are compromised and become internal adversaries, all their secrets are revealed; the resilience against node compromise has been analyzed in the previous subsection, and our scheme obviously reduces the threat of node compromise attacks.

2) Inter-cluster: Cluster heads in the network are also required to confirm the validity of, and authenticate, neighboring cluster heads. Because cluster heads do not accept messages from unauthenticated nodes, our scheme prevents injection and replay attacks by neighbor authentication. The man-in-the-middle attack is another serious threat to the Bilinear Diffie–Hellman Problem (BDHP) based scheme we adopt in our work. We require the communicating pair to authenticate each other using their ID-based public keys. This prevents an adversary from passing identity authentication and, further, rejects invalid key exchange messages produced by the adversary.

8.3. Resistance to node replication

We proposed a new establishment protocol in Section 7 for the upper level network. It includes neighbor authentication between cluster heads. Any cluster head is able to verify the identities of the clusters in its neighborhood and of the clusters with which it is communicating. This property is useful in preventing node replication. Assume that a cluster head, say node Z, maintains a list of its neighboring cluster heads, and that an adversary replicates another cluster head, say node X, and places itself in the vicinity of Z. If node X is not recognized as one of node Z's neighboring cluster heads, node Z rejects node X's request. If node X is in the list and pretends to be a SEC-NODE, then by the neighbor authentication scheme of Section 7.1, node X cannot be authenticated by node Z because it lacks a valid ID-based private key. If it pretends to be an UNSEC-NODE, forged node X will seek


another neighboring node of node Z and launch the attack there. But, by InterSec-I and InterSec-II, forged node X does not hold a valid private key, so it will not pass neighbor authentication. To launch a successful attack, the adversary must replicate a whole cluster, which is very difficult and costly. From this point of view, our scheme performs well against node replication attacks.

Table 8 Pairing computations per node in InterSec

Scheme        Pairings to compute    Pairings computed beforehand    In total
InterSec-I    3                      1                               2
InterSec-II   2                      1                               1

9. Performance analysis

After the security analysis of our scheme, we evaluate our protocol. The typical evaluation criteria are the storage overhead and the computational overhead on the network nodes, which we sum up and compare.

9.1. Storage overhead

We select a proper number of keys for each node in the probabilistic key schemes to guarantee that the connectivity of the network graph is at least 80%. In the schemes proposed in [4] and [14], the connectivity is computed as follows:

$$\text{Connectivity} = 1 - \frac{((P-m)!)^2}{P!\,(P-2m)!}$$

where each normal sensor node chooses m keys from a large key pool Q containing P keys. For example, suppose P = 1000. In the schemes [4] and [14], it is easy to compute that a node has to choose at least m = 40 keys to fulfill 80% connectivity. The scheme [16], which adopts ID-based cryptography, must store the parameters of the elliptic curve and its location-based key (LBK). Our scheme combines the probabilistic scheme and the ID-based scheme, so each L-node stores m keys, and each H-node stores l keys, the elliptic curve parameters and an ID-based private key. Table 7 lists the comparison of the memory overhead of the four schemes. We apply AES-128 and ECC-160 in the following schemes. According to the recommended parameters of secp160 [19], each node will store a sextuple T = (p, a, b, G, n, h) whose length can be computed as 820 bits.

9.2. Computation overhead

[16], only a few powerful nodes in our scheme compute pairings, so the total energy consumption is much less than in scheme [16]. The bilinear map e is the Tate pairing [20]. The elliptic curve is defined over $F_p$, where p is a 160-bit prime. These parameters deliver a security level equivalent to RSA-1024. Zhang et al. [16] quantify the energy consumption of the Tate pairing, assuming that the sensor CPU is a low-power 32-bit Intel PXA255 processor at 400 MHz. The computation of the Tate pairing roughly needs 33/400 × 752 ≈ 62.04 ms, and the energy consumption is approximately 25.5 mJ. Assume that there are 1000 nodes in the network and that 10% of them launch key establishment procedures each round. In our scheme, 50 H-nodes are deployed, leaving 950 L-nodes in the network. The results of the computation cost comparison are shown in Fig. 12.

10. Experimental results

In the following experiments, we compare our scheme with traditional schemes in terms of resiliency against node compromise and proportion of available nodes.

10.1. System configuration

In our simulation, we use the following network setup: the L-nodes and H-nodes are randomly and uniformly deployed in a flat square area of 800 m × 800 m. The transmission range of the sensor nodes varies as follows: L-nodes randomly shrink their transmission range by a factor F chosen from the range [1/2, 1]. According to this model, an L-node changes its transmission range, picked randomly from the interval [1/2, 1], each round. H-nodes vary their transmission range in the same way.

10.2. Resiliency against node compromising

Compared to the much lower energy consumption of the AES-128 algorithm, 2.49 μWs/B, pairing computation is quite considerable. In InterSec-I, the shared key for a local triangle component needs three pairings to be computed. And in InterSec-II (Fig. 9), nodes A and B compute two pairings each, and node C computes two pairings in each session (see Table 8). As the formulas in Section 6.2.1 show, $e(aPr_A, W)$, $e(bPr_B, W)$ and $e(cPr_C, W)$ can be computed beforehand and stored for every session. Therefore, each node computes only two pairings per session. Similarly, nodes A, B and C in Section 6.2.2 compute only one pairing each, which yields great energy savings. Apparently, scheme [16] consumes much more energy than our scheme, because each node participates in the neighbor authentication and multihop pairwise key establishment procedures, which involve several pairing computations. In contrast with

In the previous section, we formally analyzed the resiliency of IntraSec and of the scheme proposed in [4]. In this section, we evaluate and compare the resiliency on flat and hierarchically structured networks. The flat network model is derived from the literature

Table 7 Storage overhead in four schemes

Scheme           L-nodes         H-nodes
Scheme in [4]    128 × m bits    –
Scheme in [14]   128 × m bits    128 × l bits
Scheme in [16]   820 bits        –
Our scheme       128 × m bits    128 × l bits + 820 bits

Fig. 12. Computation overhead comparison.


[4], where each node chooses m keys randomly from the key pool Q. The second is our proposed two-level hierarchical network. The adversary compromises several nodes and reveals their key rings, which jeopardizes some proportion of the secure links in the network. We stipulate that each member node chooses m keys from $S_I$, where $S_I$ is chosen from the large key pool Q. If the adversary compromises several L-nodes in the network (not confined to one cluster), the resiliency is much better than in the scheme of [4]. The results in Fig. 13 show that the resilience of the flat network is much weaker than that of the hierarchical networks with different key pool sizes. As the number of compromised nodes grows, the proportion of compromised links increases much faster in the flat network, whereas in our scheme the proportion is always under 5%.

10.3. Proportion of available nodes

Since we exploit the unidirectional links in the network to increase the proportion of available nodes, some nodes covered by unidirectional links are able to keep working in the network for a longer time. We compare our work with the traditional schemes of [4] and [14], which are representative schemes for flat and hierarchical networks. For flat networks, let the key pool size be 1000 and the key ring size of L-nodes be 40, which guarantees the connectivity of secure links to be approximately 80%. We compare the proportion of available nodes of the sub-protocol IntraSec with the scheme of [4]; the results are shown in Fig. 14. The hierarchical network includes two types of nodes, L-nodes and H-nodes. The number of H-nodes in the network is 5% of the number of L-nodes. We assume that the key pool size is 10000, the key ring size of L-nodes is 40, and the key ring size of H-nodes is 400, which will

Fig. 13. Proportion of compromised links.


Fig. 14. Proportion results comparing IntraSec with [4].


Fig. 15. Proportion of unavailable nodes.

guarantee the connectivity to be approximately 80%. We first evaluate the percentage of unavailable nodes in the network as the radio range degrades. The results are shown in Fig. 15. We can see that a decreasing transmission range causes a growing proportion of unavailable L-nodes, so it is very necessary to deploy an efficient scheme to deal with these nodes. In Fig. 16, combining IntraSec and InterSec, we compare our scheme with [14]. Obviously, in these figures our scheme has better performance, especially when compared with [4] in the flat network. For example, when the transmission range degrades to 60 m, the gap between the two schemes becomes wider, which means that exploiting unidirectional links greatly enlarges the proportion of available sensors in the network. When compared with [14], the advantage is smaller, but our scheme still outperforms the previous schemes.

11. Conclusion

In this work, we design a key establishment protocol for heterogeneous sensor networks. Different from previous proposals, our scheme takes into account the great number of unidirectional links existing in the network and employs them reasonably, thereby giving healthy nodes covered by unidirectional links the chance to establish shared secrets. In a heterogeneous sensor network, normal sensor nodes, called L-nodes in this paper, compose the clusters; more capable nodes, the H-nodes, are deployed uniformly in the network and declare themselves cluster heads. An L-node confines its communication to its cluster; inter-cluster messages depend on the cluster head to be forwarded outside the cluster. Therefore, our protocol includes two parts: the first is key establishment among cluster members, the second is key establishment among cluster heads. In the first part, we design a probabilistic key pre-distribution scheme for cluster members. This scheme uses symmetric cryptographic algorithms and costs less computation and energy, which is more feasible for regular sensor nodes. In a cluster, nodes that are covered by bidirectional links can ascertain the validity of neighboring nodes by keyIDlist exchange and set up secure links as proposed in [4]. If unidirectional links exist, a node can apply the IntraSec protocol to find a minimum strongly connected component, mostly a 3-loop, to build a trust relationship. Knowing the cluster deployment in advance, we can impose some relations on the key ring choice, which boosts the resilience against node compromise.

Fig. 16. Proportion results comparing our scheme with [14].

In the second part, we introduce ID-based cryptography using pairing, offering authentication and key establishment. Obviously, cluster heads covered by bidirectional links can perform mutual authentication as presented in [16]. Using InterSec, cluster heads that are covered only by unidirectional links search for a 3-loop in their locality, and then authenticate and establish keys among its members. With this key, the cluster head can build a shared secret with nodes multiple hops away.


Compared with traditional probabilistic key establishment protocols such as [4,16], our scheme has better resiliency and lower computation overhead. The simulation and evaluation reveal that our scheme has achieved its goal. Moreover, our scheme improves the proportion of available nodes, which no longer decreases as the number of unidirectional links increases, but ideally increases.

Appendix A

Each L-node chooses $m$ keys from the large key set $S_I$. Assume that the adversary has compromised $x$ nodes in the network; the key set of node $i$ is denoted $K_i$ (of size $|K_i|$) and the $j$th element of $K_i$ is denoted $k_i^j$. The union of the key sets of these $x$ nodes is $M = \bigcup_{i=1}^{x} K_i$.

A.1. Computing resiliency in [4]

According to the resilience definition, we let the event $E_{a,b}$ be "at least one of the keys shared by $a$ and $b$ is known by the set $M$", i.e. $M \cap (K_a \cap K_b) \neq \emptyset$. Hence

$$E_{a,b} = (k_a^1 \in K_b \wedge k_a^1 \in M) \vee \cdots \vee (k_a^m \in K_b \wedge k_a^m \in M).$$

For convenience, let $I_i = (k_a^i \in K_b \wedge k_a^i \in M)$. Then, by inclusion-exclusion over the $m$ keys of $K_a$, the equation becomes

$$\Pr[E_{a,b}] = \sum_{i=1}^{m} (-1)^{i+1} \binom{m}{i} \Pr\Big[\bigwedge_{j=1}^{i} I_j\Big] = \sum_{i=1}^{m} (-1)^{i+1} \binom{m}{i} \Pr\Big[\Big(\bigwedge_{j=1}^{i} (k_a^j \in K_b)\Big) \wedge \Big(\bigwedge_{j=1}^{i} (k_a^j \in M)\Big)\Big]. \quad (A.1)$$

Then, we consider that node $b$ chooses its $m$ keys, including the given $i$ keys of $K_a$, from the key pool $Q$. Hence

$$\Pr\Big[\bigwedge_{j=1}^{i} (k_a^j \in K_b)\Big] = \frac{\binom{|S_I|-i}{m-i}}{\binom{|S_I|}{m}}. \quad (A.2)$$

We then compute $\Pr\big[\bigwedge_{j=1}^{i} (k_a^j \in M)\big]$. We assume that the keys of these $x$ nodes are chosen from the pool so that they include these $i$ keys; then we can compute

$$\Pr\Big[\bigwedge_{j=1}^{i} (k_a^j \in M)\Big] = \frac{\binom{|S_I|-i}{xm-i}}{\binom{|S_I|}{xm}}. \quad (A.3)$$

According to Eqs. (A.1)-(A.3), the resilience of the basic key pre-distribution scheme is

$$1 - \Pr[E_{a,b}] = 1 - \sum_{i=1}^{m} (-1)^{i+1} \binom{m}{i} \cdot \frac{\binom{|S_I|-i}{m-i}}{\binom{|S_I|}{m}} \cdot \frac{\binom{|S_I|-i}{xm-i}}{\binom{|S_I|}{xm}}.$$

A.2. Computing resiliency in proposed scheme

According to the resilience definition, we let the event $F_{a,b}$ be "at least one of the keys shared by $a$ and $b$ is known by the set $M$", which is now $M \cap (K_a \cap K_b \cap K_c) \neq \emptyset$. Hence

$$F_{a,b} = (k_a^1 \in K_b \wedge k_a^1 \in K_c \wedge k_a^1 \in M) \vee \cdots \vee (k_a^m \in K_b \wedge k_a^m \in K_c \wedge k_a^m \in M).$$

For convenience, let $I_i = (k_a^i \in K_b \wedge k_a^i \in K_c \wedge k_a^i \in M)$. Then, the equation becomes

$$\Pr[F_{a,b}] = \sum_{i=1}^{m} (-1)^{i+1} \binom{m}{i} \Pr\Big[\bigwedge_{j=1}^{i} I_j\Big] = \sum_{i=1}^{m} (-1)^{i+1} \binom{m}{i} \Pr\Big[\Big(\bigwedge_{j=1}^{i} (k_a^j \in K_b)\Big) \wedge \Big(\bigwedge_{j=1}^{i} (k_a^j \in K_c)\Big) \wedge \Big(\bigwedge_{j=1}^{i} (k_a^j \in M)\Big)\Big]. \quad (A.4)$$

Then, we consider that node $b$ and node $c$ each choose $m$ keys, including the given $i$ keys of $K_a$, from the key pool $Q$. Hence

$$\Pr\Big[\bigwedge_{j=1}^{i} (k_a^j \in K_b)\Big] = \Pr\Big[\bigwedge_{j=1}^{i} (k_a^j \in K_c)\Big] = \frac{\binom{|S_I|-i}{m-i}}{\binom{|S_I|}{m}}. \quad (A.5)$$

According to Eqs. (A.3)-(A.5), the resilience of the proposed scheme is

$$1 - \Pr[F_{a,b}] = 1 - \sum_{i=1}^{m} (-1)^{i+1} \binom{m}{i} \cdot \left(\frac{\binom{|S_I|-i}{m-i}}{\binom{|S_I|}{m}}\right)^{2} \cdot \frac{\binom{|S_I|-i}{xm-i}}{\binom{|S_I|}{xm}}.$$
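The following Python script is added here as a worked illustration of the two closed forms of Appendix A; it is not code from the paper. It evaluates $1 - \Pr[E_{a,b}]$ and $1 - \Pr[F_{a,b}]$ with exact rational arithmetic and cross-checks them by exhaustively enumerating every key ring for $x = 1$, the case in which the (A.3) factor (which models the compromised keys as $xm$ distinct draws from the pool) is exact. The pool and ring sizes used in the main block are constructed values, not the paper's simulation parameters.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def p_keys_in_ring(pool, ring, i):
    """Pr[i given keys all fall into a ring of `ring` keys drawn uniformly
    from a pool of `pool` keys] = C(pool-i, ring-i) / C(pool, ring)."""
    if ring > pool:
        raise ValueError("formula treats x*m compromised keys as distinct; need x*m <= pool")
    if ring < i:
        return Fraction(0)
    return Fraction(comb(pool - i, ring - i), comb(pool, ring))


def resilience_basic(pool, m, x):
    """1 - Pr[E_{a,b}]: link a-b survives x compromised nodes (Appendix A.1)."""
    pr_e = Fraction(0)
    for i in range(1, m + 1):
        pr_e += ((-1) ** (i + 1) * comb(m, i)
                 * p_keys_in_ring(pool, m, i)        # (A.2): i keys of K_a lie in K_b
                 * p_keys_in_ring(pool, x * m, i))   # (A.3): the same i keys lie in M
    return 1 - pr_e


def resilience_proposed(pool, m, x):
    """1 - Pr[F_{a,b}]: the key must be shared by a, b and c (Appendix A.2)."""
    pr_f = Fraction(0)
    for i in range(1, m + 1):
        pr_f += ((-1) ** (i + 1) * comb(m, i)
                 * p_keys_in_ring(pool, m, i) ** 2   # (A.5): in K_b and in K_c
                 * p_keys_in_ring(pool, x * m, i))   # (A.3)
    return 1 - pr_f


def brute_force(pool, m, three_nodes):
    """Exact resilience for x = 1 by enumerating every key ring. With a single
    compromised node M is one uniform m-ring, so the closed forms are exact
    and must agree with this count."""
    rings = [frozenset(r) for r in combinations(range(pool), m)]
    ka = rings[0]                          # K_a fixed by symmetry
    hits = total = 0
    for kb in rings:
        for kc in (rings if three_nodes else [None]):
            shared = ka & kb
            if three_nodes:
                shared &= kc
            for compromised in rings:      # M = key ring of the one compromised node
                total += 1
                if shared & compromised:   # a shared key is known to the adversary
                    hits += 1
    return 1 - Fraction(hits, total)


if __name__ == "__main__":
    # Constructed parameters for illustration only (not the paper's settings).
    POOL, M = 1000, 50
    for x in range(1, 6):
        b = float(resilience_basic(POOL, M, x))
        p = float(resilience_proposed(POOL, M, x))
        print(f"x={x}: basic={b:.4f}  proposed={p:.4f}")
```

The squared factor from (A.5) is what separates the two schemes: a compromised key only breaks the link if it sits in all three rings of the 3-loop, so the proposed scheme's resilience is always at least that of the basic scheme for the same pool, ring size and number of compromised nodes.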

References

[1] H. Chan, A. Perrig, D. Song, Random key predistribution schemes for sensor networks, in: Proc. IEEE Symp. Security and Privacy, Oakland, CA, May 2003, pp. 197–213.
[2] W. Du, J. Deng, Y. Han, P. Varshney, A pairwise key predistribution scheme for wireless sensor networks, in: Proc. ACM CCS, Washington, DC, October 2003, pp. 42–51.
[3] D. Liu, P. Ning, Establishing pairwise keys in distributed sensor networks, in: Proc. ACM CCS, Washington, DC, October 2003, pp. 52–61.
[4] L. Eschenauer, V. Gligor, A key-management scheme for distributed sensor networks, in: Proc. ACM CCS, Washington, DC, November 2002, pp. 41–47.
[5] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in: Proc. CRYPTO, Lecture Notes in Computer Science, vol. 2139, Springer-Verlag, 2001, pp. 213–229.
[6] V. Ramasubramanian, D. Mosse, Statistical analysis of connectivity in unidirectional ad hoc networks, in: Proc. IEEE Int. Conf. Parallel Processing, British Columbia, Canada, August 2002, pp. 109–115.
[7] MICAz 2.4 GHz, Crossbow Technology, http://www.xbow.com/Products/productdetails.aspx?sid=164.
[8] N.P. Smart, An identity based authenticated key agreement protocol based on the Weil pairing, Cryptology ePrint Archive, Report 2001/111, 2001, http://eprint.iacr.org/.
[9] M. Gerla, Y.Z. Lee, J.S. Park, Y. Yi, On demand multicast routing with unidirectional links, in: Proc. IEEE WCNC, New Orleans, March 2005, pp. 2162–2167.
[10] M.K. Marina, S.R. Das, Routing performance in the presence of unidirectional links in multihop wireless networks, in: Proc. ACM MobiHoc, Lausanne, Switzerland, June 2002, pp. 12–23.
[11] V. Ramasubramanian, R. Chandra, D. Mosse, Providing bidirectional abstraction for unidirectional ad hoc networks, in: Proc. IEEE INFOCOM, New York, June 2002, pp. 1258–1267.
[12] S. Nesargi, R. Prakash, A tunneling approach to routing with unidirectional links in mobile ad hoc networks, in: Proc. Int. Conf. Computer Communications and Networks (IC3N), Las Vegas, 2000, pp. 522–527.
[13] M. Bechler, H. Hof, D. Kraft, F. Pählke, L. Wolf, A cluster-based security architecture for ad hoc networks, in: Proc. IEEE INFOCOM, Hong Kong, March 2004.
[14] P. Traynor, H. Choi, G. Cao, S. Zhu, T. La Porta, Establishing pair-wise keys in heterogeneous sensor networks, in: Proc. IEEE INFOCOM, Barcelona, April 2006, pp. 1–12.
[15] X. Du, Y. Xiao, M. Guizani, H.H. Chen, An efficient key management scheme for heterogeneous sensor networks, Ad Hoc Networks 5 (1) (2007) 24–34.
[16] Y. Zhang, W. Liu, W. Lou, Y. Fang, Location-based compromise-tolerant security mechanisms for wireless sensor networks, IEEE J. Select. Areas Commun. 24 (2) (2006) 247–260.
[17] R. Blom, An optimal class of symmetric key generation systems, in: T. Beth, N. Cot, I. Ingemarsson (Eds.), Advances in Cryptology: Proc. EUROCRYPT 84, Lecture Notes in Computer Science, Springer-Verlag, 1985, pp. 335–338.
[18] J.M. Kahn, R.H. Katz, K.S.J. Pister, Next century challenges: mobile networking for smart dust, in: Proc. ACM MobiCom, Seattle, August 1999, pp. 483–492.
[19] SECG, Elliptic Curve Cryptography, SEC 1, 2000, http://www.secg.org/.
[20] P. Barreto, H. Kim, B. Lynn, M. Scott, Efficient algorithms for pairing-based cryptosystems, in: Lecture Notes in Computer Science, Springer-Verlag, 2002, pp. 354–368.