- Email: [email protected]
Matrix-based pairwise key establishment for wireless mesh networks
Future Generation Computer Systems 30 (2014) 140–145
Contents lists available at ScienceDirect
Future Generation Computer Systems journal homepage: www.elsevier.com/locate/fgcs
Matrix-based pairwise key establishment for wireless mesh networks Li Xu, Yuexin Zhang ∗ Fujian Provincial Key Laboratory of Network Security and Cryptology, School of Mathematics and Computer Science, Fujian Normal University, Fuzhou, China
highlights • • • •
This paper presents a new matrix-based pairwise key establishment scheme. Expensive operations are delegated to mesh routers. Any two mesh clients can directly establish pairwise keys. Our scheme has a very light overload of communication and storage at mesh clients.
article
info
Article history: Received 30 December 2012 Received in revised form 23 April 2013 Accepted 28 June 2013 Available online 16 July 2013 Keywords: Pairwise key Matrix Mesh clients Mesh routers Wireless mesh networks
abstract Wireless communication in wireless mesh networks (WMNs), like other types of wireless networks, is vulnerable to many malicious activities such as eavesdropping. As one of the fundamental security technologies, pairwise key establishment has been widely studied to secure wireless communication. In this paper, we propose a new matrix-based pairwise key establishment scheme for mesh clients in WMNs. A fact in WMNs is that mesh routers are more powerful than mesh clients, in both communication and storage. Motivated by this fact, expensive operations can be delegated to mesh routers to alleviate the overhead of mesh clients when establishing pairwise keys between them. Compared with other matrix-based schemes, our scheme has significant advantages: any two mesh clients can directly establish pairwise keys while communication and storage costs of mesh clients are significantly reduced. © 2013 Elsevier B.V. All rights reserved.
1. Introduction With the development of electronics and wireless communication, wireless mesh networks (hereinafter, WMNs), which serve as one of the most important wireless communication technologies, have attracted much attention from academia and industry. The nodes in a WMN automatically form an Ad Hoc network and maintain mesh connectivity, which makes a WMN a dynamically self-organized and self-configured network [1]. A WMN is made up of two types of nodes: mesh clients and mesh routers. Mesh clients are stationary or mobile devices, and mesh routers form the mesh backbone of WMNs. Each node (either mesh client or mesh router) in a WMN operates as a host and as a router, but a mesh router is more powerful than a mesh client. This makes it possible for mesh routers to accommodate more resource-intensive tasks. The gateway/bridge functionalities of mesh routers enable the integration of WMNs with other networks, including vehicular networks, Ad Hoc networks, Wi-Fi, cellular networks, wireless sensor
∗
Corresponding author. Tel.: +86 18050434359. E-mail addresses: [email protected] (L. Xu), [email protected] (Y. Zhang). 0167-739X/$ – see front matter © 2013 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.future.2013.06.031
networks [2] and cloud computing systems. Mesh routers can be built based on dedicated computer systems and general-purpose computer systems. Mesh clients, on the other hand, consist of a variety of devices, including laptop/desktop, PDA, RFID reader, etc. The network architecture we are concerned about in this paper is the Hybrid WMN introduced in [2], in which mesh clients can access the network through mesh routers or by directly meshing with other mesh clients (see Fig. 1). Faced with a variety of malicious cyber attacks, WMNs are vulnerable due to wireless communications among mesh nodes. Taking active adversaries as an example, they are able to eavesdrop, interrupt or modify transmission, and even impersonate legitimate nodes or capture nodes in WMNs. To counter potential attacks, many kinds of security mechanisms have been proposed, including location technology [3,4], intrusion detection technology [5,6], secure routing technology [7,8] and key management technology [9–20]. Key management, as a fundamental security technology, has been widely studied in secure wireless communications. However, it is a non-trivial task to establish pairwise keys efficiently for power-constrained mesh clients. By exploiting the heterogeneity of WMNs, this paper presents a new design of pairwise key establishment scheme for mesh clients with very light communication and storage costs.
L. Xu, Y. Zhang / Future Generation Computer Systems 30 (2014) 140–145
141
Fig. 1. Hybrid WMNs introduced in [2].
Our contribution. In this paper, we are particularly interested in pairwise key establishment between mesh clients in WMNs. As mentioned above, mesh clients are not as powerful as mesh routers in either computation or communication. However, WMNs’ nature of heterogeneity makes it possible for mesh clients to establish pairwise keys efficiently by delegating costly operations to mesh routers. Motivated by this observation, we present a new pairwise key establishment scheme based on a modification of Blom’s scheme. Our scheme possesses the following properties: 1. any pair of mesh clients can directly establish pairwise keys; 2. compared with other matrix-based schemes, our proposed scheme has a very light cost in terms of communication and storage at mesh clients; and 3. the proposed scheme is specifically designed for pairwise key establishment in WMNs, but it is also applicable in other situations with similar features of heterogeneity including cloud computing systems. Roadmap. The remainder of this paper is organized as follows. We present a summary of related works in Section 2. Section 3 briefly reviews the preliminaries required in this paper. The proposed scheme is described in Section 4, and its security and performance analysis is given in Section 5. Section 6 concludes this paper. 2. Related work Taking wireless sensor networks (when they are integrated with WMNs, sensor nodes can also be considered as energyconstrained mesh clients) as an example, public key cryptographic algorithms are generally considered infeasible for computing and communicating between power-constrained devices [9]. Although this constraint has been partially alleviated with the advancement of modern technology, we consider that these energy-constrained
nodes are not able to afford frequent asymmetric cryptographic operations. According to its characteristics, key management in wireless sensor networks can be classified by self-enforcing schemes, arbitrated keying schemes and key pre-distribution schemes (KPS) [10]. In a KPS, a key management authority (also known as a key distribution center) loads some secret keys into sensor nodes prior to deployment, then neighbor nodes can establish secure communication keys using their pre-loaded keys. The requirement of a robust KPS is that, for adversaries, it is difficult to derive the communication keys of other nodes or destroy the entire network even though they have acquired several nodes’ secret information (e.g., by captured nodes). To meet this demand, a pairwise key between two nodes is desirable. A naïve way of designing a robust KPS is to pre-distribute each sensor node with N − 1 keys, where N is the total number of nodes and each one of N − 1 keys is shared with each one of N − 1 nodes. Any pair of nodes will share a pairwise key after deployment. For adversaries with captured nodes, they only have keys associated with compromised nodes, but not those among un-compromised nodes. Such a mechanism provides a high level of robustness but a low level of scalability: the performance of the key distribution phase will be time, computation and storage consuming when N is large, and a system-wide update is needed when establishing pairwise keys between any current node and a newly added one. A host of KPS have been proposed to provide different tradeoffs between robustness and scalability. The scheme proposed in [11] is based on symmetric encryption. In the key pre-distribution phase, the system authority randomly selects and pre-loads each node with m keys and corresponding key identifiers from a large key pool P. After deployment, neighbor nodes have the probability p to establish session keys successfully by broadcasting key identifiers, for 0 < p ≤ 1, and p is affected by key pool size P and m. The major drawback of the Eschenauer–Gligor scheme is that different pairs of nodes may share the same session key, and consequently there is
142
L. Xu, Y. Zhang / Future Generation Computer Systems 30 (2014) 140–145
Fig. 2. The matrix G in the scheme of [14].
a risk that the communication among un-compromised nodes may become insecure after the compromise of other nodes. This security deficiency is partially improved in [12] by developing the Eschenauer and Gligor scheme to a q-composite random KPS, where neighbor nodes can establish a session key as long as they share t (t ≥ q) common keys. Nevertheless, there still exist constraints between the key pool size P , m, and the security parameter q. As a frequently-used mathematical tool, a matrix is employed to establish pairwise keys diffusely. The pioneering work was introduced in [13], where a KPS was proposed that allowed any pair of nodes to establish the pairwise key by exchanging some public information. In Blom’s scheme, there exists a (λ+1)×N public matrix G over a finite field GF (q), where N is the size of network nodes and q > N. The system authority generates a random (λ + 1) × (λ + 1) secret symmetric matrix D and computes an N × (λ + 1) matrix A = (D · G)T , where (D · G)T is the transpose of D · G. For the kth node, k = 1, 2, . . . , N, the system authority pre-loads it with the kth row of matrix A and the kth column of matrix G. Obviously, K = A · G is a symmetric matrix. After node deployment, the uth node and the v th node can calculate and gain their pairwise key by exchanging their pre-loaded columns of public matrix G. Blom’s scheme is λ-secure, namely the network remains secure as long as the number of nodes that exposed their pre-stored columns of matrix A is no more than λ. To reduce the high cost of wireless communication, in [14] Blom’s scheme was improved by giving a new design of public matrix G. The node in Du et al.’s scheme does not need to store a whole column of matrix G, but a key seed, which can be used to compute a column of G. The key seed is the second element in each column of matrix G in [14] (as shown in Fig. 2). Furthermore, they employed multiple key-space to enhance the performance of their scheme. By viewing the set of keys generated from A · G in Blom’s scheme as a key-space, the system authority in Du et al.’s scheme generates ω secret symmetric matrices D1 , D2 , . . . , Dω and computes matrices Ai = (Di · G)T for each Di . As a result, there are in total ω key-spaces A1 · G, A2 · G, . . . , Aω · G. For the jth sensor node, the system authority randomly selects τ Ai s and loads the jth node with the jth row of each selected Ai and the key seed of the jth column of G. Neighbor nodes can successfully establish a pairwise key only if they are loaded with columns from the same matrices Ai . Parakh et al. proposed a matrix-based key agreement algorithm for sensor networks in [15]. The system authority in their scheme chooses a diagonalizable N × N symmetric matrix Y at random and diagonalizes Y such that Y = M −1 Dy M, where Dy is a diagonal matrix with eigenvalues of Y . It then randomly picks a diagonal matrix Dx and computes the N × N matrix X = M −1 Dx M. It is clear that these two matrices commute with each other, i.e., XY = YX . Then, the system authority randomly picks row–column pairs for each sensor node. For example, the system authority randomly picks r from a uniform distribution over [1, N ] and assigns node i with the rth row and column of X , and the rth column of Y . After deployment, two sensor nodes i and j can compute two keys Kij and Kji by exchanging their stored columns of Y and agree on a session key K = Hash(Kij ∥ Kji ). However, the scheme in [15] has an inherent flaw: different links may share the same key due to the random selection of row–column pairs, and thus the security of other links may be at risk if a sensor node is captured by adversaries. By decomposing a symmetric matrix into a matrix product of two matrices, a lower triangular matrix and an upper triangular
matrix, Dai et al. proposed a key pre-distribution scheme in sensor networks [16]. Using matrix decomposition and network coding, a scalable and robust key pre-distribution scheme is proposed in [17]. Notice that in certain situations, deployment knowledge may be available. Du et al. [18] extended the Eschenauer–Gligor scheme and proposed a key management scheme with deployment knowledge. They further optimized the scheme in [19] by employing both matrix and deployment knowledge. A reliable pairwise key-updating scheme via key pre-distribution and local collaboration is proposed in [20]. 3. Preliminaries There are three types of participants in our key establishment scheme, namely the system authority, mesh routers and mesh clients. The scheme consists of three phases:
• System setup: the system authority generates system parameters;
• Key seed application: mesh clients apply for key seeds from the system authority securely; and
• Pairwise key establishment: with the assistance of mesh routers, two mesh clients establish a secret pairwise key directly. We assume the following. 1. Operations related to the system authority are carried out in a secure environment, while neither mesh routers nor mesh clients are physically secure. In particular, once they are captured by adversaries, any secret data stored in captured nodes will be exposed to adversaries. 2. Mesh clients are able to apply for key seeds from the system authority securely. 4. Pairwise key establishment in WMNs This section is devoted to describing our scheme, which is a variant of Blom’s scheme [13] reviewed in Section 2. System setup: Assume that the population of residents in a given area is P. For each individual, there are about Q devices (like PCs or phones) that may serve as mesh clients and access the network through mesh routers or by directly meshing with other mesh clients, namely, there are about M = PQ mesh clients in this area. Let λ be the system’s security parameter. During the system setup phase, the system authority performs the following tasks.
• Chooses N independent key seeds s1 , s2 , . . . , sN from a finite field GFq , for N ≥ M, and lets idi be the identifier of key seed si .
• Creates a secret (λ + 1) × N matrix G:
s1 (s1 )2
s2 (s2 )2
··· ··· .. .
sN (sN )2
. (1) .. . · · · (sN )λ+1 • Generates a secret symmetric (λ + 1) × (λ + 1) matrix D in GFq . • Computes the public matrix A = (D · G)T . • Loads matrix A at all mesh routers. G=
.. . (s1 )λ+1
.. . (s2 )λ+1
Note that differently from other matrix-based schemes, we let G be the secret matrix to adversaries, and A be the public matrix in our scheme. Key seed application: Every mesh client who would like to access the WMN for the first time must apply for a key seed and the corresponding key seed identifier from the system authority. We assume that mesh clients are able to apply for key seeds from the system authority securely. An alternative way of distributing key seeds is that, for every mesh client, a device which may become a mesh client is loaded with a key seed generated by the system authority when it leaves the factory.
L. Xu, Y. Zhang / Future Generation Computer Systems 30 (2014) 140–145
143
Eq. (1), we choose N independent key seeds and generate secret G matrices. This also explains why we do not generate G matrices as in [14], where mesh client i can use its stored key seed si to calculate mesh client 2i’s key seed s2i = (si )2 (as shown in Fig. 2). Generating matrix G in this way does not introduce any security issue to other schemes where G is a public matrix but is not applicable in our scheme since matrix G must be a secret to adversaries. Remark 2. Our pairwise key establishment scheme is designed for mesh clients in WMNs. In contrast to mesh clients, mesh routers in WMNs are more powerful and capable of costly operations. By exploiting this heterogeneity, the mesh clients in our scheme can generate pairwise keys in an efficient way. To meet the needs of practical application and increase the robustness of WMNs, different system security parameters λ can be set when establishing pairwise keys between mesh router and mesh router, or mesh router and mesh client.
Fig. 3. Pairwise key establishment.
Pairwise key establishment: When two mesh clients i and j want to mesh with each other, they should execute the following operations to gain a pairwise key between them, as shown in Fig. 3. Firstly, two mesh clients i and j exchange their key seed identifiers idi and idj , and send a request {req : idi , idj } to the mesh routers. Then, the mesh routers need to retrieve the stored matrix A, and reply to mesh clients i, j with the jth and ith rows of matrix A. Upon receiving the reply from the mesh routers, mesh clients i and j can establish pairwise keys directly. The calculation of the pairwise key is described as follows. Calculation at mesh client i: • mesh client i uses its key seed si to calculate the ith column of 1 T matrix G: (si , s2i , . . . , sλ+ ) ; i • let (aj1 , aj2 , . . . , aj(λ+1) ) be the jth row of matrix A, which is sent by the mesh routers; and • mesh client i calculates the key shared with mesh client j as 1 T kji = (aj1 , aj2 , . . . , aj(λ+1) ) · (si , s2i , . . . , sλ+ ) i
=
λ+1
ajk · (si )k .
k=1
Calculation at mesh client j:
• mesh client j uses its key seed sj to calculate the jth column of 1 T matrix G: (sj , s2j , . . . , sλ+ ) ; j • let (ai1 , ai2 , . . . , ai(λ+1) ) be the ith row of matrix A, which is sent by the mesh routers; and
• mesh client j calculates the key shared with mesh client i as 1 T ) kij = (ai1 , ai2 , . . . , ai(λ+1) ) · (sj , s2j , . . . , sλ+ j =
λ+1
aik · (sj )k .
k=1
It remains to show that kji = kij . Note that the matrix K = A · G is a symmetric matrix: K = A · G = (D · G)T · G = GT · D · G = (A · G)T .
(2)
It follows that kji = kij , i.e., kji calculated by mesh client i is the same as kij calculated by mesh client j. This completes the description of pairwise key establishment between two mesh clients. Remark 1. The major difference between our scheme and others (including Blom’s scheme) is the generation of the matrix G. In our scheme, G is a secret matrix and the key seed si is given to the ith mesh client, which can only generate the ith column of G but does not have any other information about G. Recall that, as shown in
Remark 3. In this paper, we focus our attention on establishing pairwise keys efficiently for power-constrained mesh clients. It is possible that the storage requirement on mesh routers may become the bottleneck of networks when the number of mesh clients is considerably large. An available solution to this problem is that the system authority deploys multiple mesh routers for a given area and stores an affordable number of rows of matrix A for each router. These mesh routers cooperate with each other to retrieve the stored matrix A when it is needed. 5. Analysis In this section, we present the analysis of our scheme, by comparing it with others [13,14]. Local connectivity. Local connectivity refers to the probability of any two neighbor nodes sharing at least one key-space [19]. The scheme proposed in [14] makes use of multiple key-space, and the local connectivity is affected by parameters, e.g., τ and ω. In contrast, the scheme in [13] and our presented scheme are single key-space schemes: key materials stored (or applied) in powerconstrained nodes are chosen from a single key-space which ensures that any pair of nodes can establish pairwise keys, i.e., local connectivity is 1 in our scheme and the scheme in [13]. Resilience against node capture attacks. In a hostile environment, adversaries can mount a variety of malicious cyber attacks, and access and retrieve secret information from the memory of nodes. A successful attack on x nodes by an adversary may affect the rest of the network. It is easy to see that a large number of key-spaces contributes to a resilient network, i.e., the probability of x capturing nodes which belong to a unique key-space decreases with increase of the number of key-spaces. The scheme proposed in [14] is a multiple key-space scheme. Let Pl be the local connectivity and each sensor node randomly selects τ key-spaces from the key-space pool. The number of shared key-spaces is Ns = (Pl · τ ) for neighbor sensor nodes. Both the scheme in [13] and the newly proposed scheme are single key-space schemes. For each key-space, as mentioned in Section 2, it is λ-secure, i.e., the key-space remains secure as long as the number of nodes that expose their pre-stored secret information to adversaries is no more than λ. In our scheme, to achieve a high level of security, the system authority can compute and store enough A matrices at mesh routers. This will lead to an increase of storage cost at mesh routers, while the consumption at energy-constrained mesh clients stays the same. Resilience against man-in-the-middle attack. Fig. 4 shows a typical man-in-the-middle attack. A successful man-in-the-middle attack means that an attacker makes independent connections with mesh
144
L. Xu, Y. Zhang / Future Generation Computer Systems 30 (2014) 140–145
Fig. 5. Storage cost of networks.
Table 1 The performance of three schemes.
Fig. 4. A typical man-in-the-middle attack.
clients, exchanges messages with them, and makes them believe that they are directly communicating with each other by a pairwise key, while in fact the entire conversation is under the control of the attacker. Our proposed scheme is resilient against man-in-the-middle attack. Assume that an attack chooses a key seed s′a from the finite field GFq ; let id′a be the identifier of key seed s′a . The attacker can exchange identifiers with other mesh clients and send requests, but mesh routers cannot retrieve and obtain the corresponding row from matrix A. An alternative means of attack is that the attacker keeps the key seed identifiers of mesh clients (recall that all mesh clients’ key seed identifiers are exchanged by plain text) and tries to cheat other mesh clients. Obviously, without a key seed generated by the system authority, he cannot computes and obtains pairwise keys with other mesh clients. Besides, an attacker may be powerful enough to modify matrix A stored in the mesh routers (or to generate matrix A′ by himself and replace matrix A with A′ ). Utilizing the modified matrix A or matrix A′ (which has no knowledge of other mesh clients’ key seeds, since matrix G is constructed using all clients’ key seeds, and A = (D · G)T ), an attacker cannot succeed in man-in-the-middle attack. However, this kind of attacker has the ability to isolate mesh clients from mesh networks successfully. Storage complexity. Each sensor node in the scheme in [14] is associated with τ key-spaces, and for each key-space, the node is loaded with the corresponding row of its matrix A. Therefore, the total storage cost at each sensor node is about τ (λ + 1)|q| + |q| bits (recall that key seeds are chosen from GF (q)). The storage costs at each sensor node are 2(λ + 1)|q| bits in [13]. We consider the storage cost of our scheme from two aspects: mesh clients and mesh routers. Each mesh client needs to apply for a unique key seed si and a key seed identifier idi , so the total storage cost of each mesh client is about (|q| + logN2 ) bits. Therefore, our scheme has a significant advantage over [13,14] from the aspect of storage cost of power-constrained devices. The light storage cost at mesh clients is achieved by exploiting the heterogeneity of wireless mesh networks: mesh routers have more storage space than mesh clients. In our scheme, mesh routers
Pl Ns Sc Cmc Cc
Our scheme
Scheme [13]
Scheme [14]
=1
=1
1 |q| + logN2 logN2 2λ + 1
1 2(λ + 1)|q| (λ + 1)|q| λ+1
<1 Pl τ τ (λ + 1)|q| + |q| τ logω2 +|q| 2λ − 1
need to store an N × (λ + 1) matrix A. The size of the A matrix is determined by system’s security parameter λ, and the number of mesh clients. Let N be the number of power-constrained nodes. In [13], each sensor node needs to store 2(λ + 1)|q| bits of key material, and the total storage cost is 2(λ + 1)|q| × N bits for the whole network; Similarly, the total storage cost is (τ (λ + 1)|q| + |q|)× N bits in scheme [14], and (|q|+ logN2 )× N +(λ+ 1)|q|× N bits in our scheme. Fig. 5 shows their relationship when λ = 19, τ = 10 and |q| = 128 bits. Communication complexity. It is analyzed in [10] that communication costs much more than computation during pairwise key establishment. In the pairwise key establishment phase, the sensor nodes in scheme [13] need to broadcast a column of a public matrix; the sensor nodes in scheme [14] need to broadcast the indices of selected τ key-spaces and a key seed of public matrix G; while mesh clients in our scheme only need to broadcast the key seed identifier. It is also pointed out in [19] that local connectivity is one of the dominating factors of communication overhead: if neighbor nodes cannot establish pairwise keys directly, additional operations such as path-key establishment will be necessary which lead to additional communication cost. Additional communication is often needed as the local connectivity is not 1 in scheme [14]. Computational complexity. The sensor nodes in scheme [14] need (2λ − 1) multiplication operations in the field GF (q): (λ − 1) multiplications to regenerate a column of the G matrix, and λ multiplications to calculate the inner product of the corresponding row–column pairs. Pairwise key establishment between neighbor nodes in scheme [13] needs about λ + 1 multiplication operations. In our scheme, pairwise key establishment between two mesh clients requires about 2λ + 1 multiplication operations. We compare the performance of three schemes in Table 1, where Ns represents the number of shared key-spaces, Sc represents the storage cost at energy-constrained devices (sensor nodes or mesh clients), Cmc represents communication cost and Cc represents the computation cost of these energy-constrained devices.
L. Xu, Y. Zhang / Future Generation Computer Systems 30 (2014) 140–145
6. Conclusion Based on Blom’s scheme, we have presented a matrix-based pairwise key establishment scheme for wireless mesh networks. The new scheme has a very light overload of storage and communication at mesh clients, without introducing any significant computation operations. The essential design philosophy of our scheme is to utilize the heterogeneity of wireless mesh networks: mesh routers are more powerful than mesh clients and can afford expensive operations during key establishment. We believe that the same idea is also applicable in other situations, such as cloud computing systems, with the same feature of heterogeneity. Acknowledgments This work is supported partially by National Natural Science Foundation of China (Grant No. 61072080 and No. 61202450), Ph.D. Programs Foundation of Ministry of Education of China (Grant No. 20123503120001), Natural Science Foundation of Fujian Province (No. 2013J01222), Department of Education, Fujian Province, A-Class Project (Grant No. JA12076) and the development project of Fujian provincial strategic emerging industries technologies: Key technologies in development of next generation Integrated High Performance Gateway, Fujian development and reform commission high-technical [2013]266. References [1] I.F. Akyildiz, X. Wang, A survey on wireless mesh networks, IEEE Communications Magazine 43 (2005) S23–S30. [2] I.F. Akyildiz, X. Wang, W. Wang, Wireless mesh networks: a survey, Computer Networks 47 (2005) 445–487. [3] P. Bahl, V.N. Padmanabhan, RADAR: an in-building RF-based user location and tracking system, in: INFOCOM, pp. 775–784. [4] Z. Yang, Y. Liu, Understanding node localizability of wireless ad-hoc networks, in: [21], pp. 2339–2347. [5] A.P. Lauf, R.A. Peters, W.H. Robinson, A distributed intrusion detection system for resource-constrained devices in ad-hoc networks, Ad Hoc Networks 8 (2010) 253–266. [6] C. Pham, Scheduling randomly-deployed heterogeneous video sensor nodes for reduced intrusion detection time, in: M.K. Aguilera, H. Yu, N.H. Vaidya, V. Srinivasan, R.R. Choudhury (Eds.), ICDCN, in: Lecture Notes in Computer Science, vol. 6522, Springer, 2011, pp. 303–314. [7] W. Galuba, P. Papadimitratos, M. Poturalski, K. Aberer, Z. Despotovic, W. Kellerer, Castor: scalable secure routing for ad hoc networks, in: [21], pp. 2829–2837. [8] S. Khan, N.A. Alrajeh, K.-K. Loo, Secure route selection in wireless mesh networks, Computer Networks 56 (2012) 491–503. [9] A. Wander, N. Gura, H. Eberle, V. Gupta, S.C. Shantz, Energy analysis of publickey cryptography for wireless sensor networks, in: PerCom, IEEE Computer Society, 2005, pp. 324–328. [10] D.W. Carman, P.S. Kruus, B.J. Matt, Constraints and approaches for distributed sensor network security, Technical Report 00-010, NAI Labs, 2000.
145
[11] L. Eschenauer, V.D. Gligor, A key-management scheme for distributed sensor networks, in: V. Atluri (Ed.), ACM Conference on Computer and Communications Security, ACM, 2002, pp. 41–47. [12] H. Chan, A. Perrig, D.X. Song, Random key predistribution schemes for sensor networks, in: IEEE Symposium on Security and Privacy, IEEE Computer Society, 2003, pp. 197–213. [13] R. Blom, An optimal class of symmetric key generation systems, in: T. Beth, N. Cot, I. Ingemarsson (Eds.), Advances in Cryptology, in: Lecture Notes in Computer Science, vol. 209, Springer, Berlin, Heidelberg, 1985, pp. 335–338. [14] W. Du, J. Deng, Y.S. Han, P.K. Varshney, J. Katz, A. Khalili, A pairwise key predistribution scheme for wireless sensor networks, ACM Transactions on Information and System Security 8 (2005) 228–258. [15] A. Parakh, S. Kak, Matrix based key agreement algorithms for sensor networks, in: 2011 IEEE 5th International Conference on Advanced Networks and Telecommunication Systems, ANTS, pp. 1–3. [16] H. Dai, H. Xu, A key predistribution scheme with matrix decomposition for secure wireless sensor networks, in: 7th World Congress on Intelligent Control and Automation, 2008, WCICA 2008, pp. 1724–1727. [17] R. Zeng, Y. Jiang, C. Lin, Y. Fan, X.S. Shen, A scalable and robust key predistribution scheme with network coding for sensor data storage, Computer Networks 55 (2011) 2534–2544. [18] W. Du, J. Deng, Y.S. Han, S. Chen, P.K. Varshney, A key management scheme for wireless sensor networks using deployment knowledge, in: INFOCOM, pp. 586–597. [19] W. Du, J. Deng, Y.S. Han, P.K. Varshney, A key predistribution scheme for sensor networks using deployment knowledge, IEEE Transactions on Dependable and Secure Computing 3 (2006) 62–77. [20] M. Wen, K. Chen, Y. Zhang, H. Li, A reliable pairwise key-updating scheme for sensor networks, Journal of Software 18 (2007) 1232–1245. [21] INFOCOM 2010. 29th IEEE International Conference on Computer Communications, Joint Conference of the IEEE Computer and Communications Societies, 15–19 March 2010, IEEE, San Diego, CA, USA, 2010.
Li Xu is a Professor and Doctoral Supervisor at the School of Mathematics and Computer Science at the Fujian Normal University. He received his B.S. and M.S. degrees from the Fujian Normal University in 1992 and 2001. He received his Ph.D. degree from the Nanjing University of Posts and Telecommunications in 2004. Currently he is the Vice Dean of the School of Mathematics and Computer Science and the Director of the Key Lab of Network Security and Cryptography in Fujian Province. His interests include wireless networks and communication, network and information security, complex networks and systems, intelligent information in communication networks, etc. Dr. Xu has been invited to act as PC chair or member at more than twenty international conferences. He is a member of IEEE and ACM, and a senior member of CCF and CIE in China. He has published over 100 papers in journals and conferences. Yuexin Zhang received his B.S. degree from the Department of Physics and Electronic Information Engineering, Inner Mongolia Normal University, China, in 2010. He received his M.S. degree from the School of Mathematics and Computer Science, Fujian Normal University, China, in 2013. His research interests include cryptography and information security.
Contents lists available at ScienceDirect
Future Generation Computer Systems journal homepage: www.elsevier.com/locate/fgcs
Matrix-based pairwise key establishment for wireless mesh networks Li Xu, Yuexin Zhang ∗ Fujian Provincial Key Laboratory of Network Security and Cryptology, School of Mathematics and Computer Science, Fujian Normal University, Fuzhou, China
highlights • • • •
This paper presents a new matrix-based pairwise key establishment scheme. Expensive operations are delegated to mesh routers. Any two mesh clients can directly establish pairwise keys. Our scheme has a very light overload of communication and storage at mesh clients.
article
info
Article history: Received 30 December 2012 Received in revised form 23 April 2013 Accepted 28 June 2013 Available online 16 July 2013 Keywords: Pairwise key Matrix Mesh clients Mesh routers Wireless mesh networks
abstract Wireless communication in wireless mesh networks (WMNs), like other types of wireless networks, is vulnerable to many malicious activities such as eavesdropping. As one of the fundamental security technologies, pairwise key establishment has been widely studied to secure wireless communication. In this paper, we propose a new matrix-based pairwise key establishment scheme for mesh clients in WMNs. A fact in WMNs is that mesh routers are more powerful than mesh clients, in both communication and storage. Motivated by this fact, expensive operations can be delegated to mesh routers to alleviate the overhead of mesh clients when establishing pairwise keys between them. Compared with other matrix-based schemes, our scheme has significant advantages: any two mesh clients can directly establish pairwise keys while communication and storage costs of mesh clients are significantly reduced. © 2013 Elsevier B.V. All rights reserved.
1. Introduction With the development of electronics and wireless communication, wireless mesh networks (hereinafter, WMNs), which serve as one of the most important wireless communication technologies, have attracted much attention from academia and industry. The nodes in a WMN automatically form an Ad Hoc network and maintain mesh connectivity, which makes a WMN a dynamically self-organized and self-configured network [1]. A WMN is made up of two types of nodes: mesh clients and mesh routers. Mesh clients are stationary or mobile devices, and mesh routers form the mesh backbone of WMNs. Each node (either mesh client or mesh router) in a WMN operates as a host and as a router, but a mesh router is more powerful than a mesh client. This makes it possible for mesh routers to accommodate more resource-intensive tasks. The gateway/bridge functionalities of mesh routers enable the integration of WMNs with other networks, including vehicular networks, Ad Hoc networks, Wi-Fi, cellular networks, wireless sensor
∗
Corresponding author. Tel.: +86 18050434359. E-mail addresses: [email protected] (L. Xu), [email protected] (Y. Zhang). 0167-739X/$ – see front matter © 2013 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.future.2013.06.031
networks [2] and cloud computing systems. Mesh routers can be built based on dedicated computer systems and general-purpose computer systems. Mesh clients, on the other hand, consist of a variety of devices, including laptop/desktop, PDA, RFID reader, etc. The network architecture we are concerned about in this paper is the Hybrid WMN introduced in [2], in which mesh clients can access the network through mesh routers or by directly meshing with other mesh clients (see Fig. 1). Faced with a variety of malicious cyber attacks, WMNs are vulnerable due to wireless communications among mesh nodes. Taking active adversaries as an example, they are able to eavesdrop, interrupt or modify transmission, and even impersonate legitimate nodes or capture nodes in WMNs. To counter potential attacks, many kinds of security mechanisms have been proposed, including location technology [3,4], intrusion detection technology [5,6], secure routing technology [7,8] and key management technology [9–20]. Key management, as a fundamental security technology, has been widely studied in secure wireless communications. However, it is a non-trivial task to establish pairwise keys efficiently for power-constrained mesh clients. By exploiting the heterogeneity of WMNs, this paper presents a new design of pairwise key establishment scheme for mesh clients with very light communication and storage costs.
L. Xu, Y. Zhang / Future Generation Computer Systems 30 (2014) 140–145
141
Fig. 1. Hybrid WMNs introduced in [2].
Our contribution. In this paper, we are particularly interested in pairwise key establishment between mesh clients in WMNs. As mentioned above, mesh clients are not as powerful as mesh routers in either computation or communication. However, WMNs’ nature of heterogeneity makes it possible for mesh clients to establish pairwise keys efficiently by delegating costly operations to mesh routers. Motivated by this observation, we present a new pairwise key establishment scheme based on a modification of Blom’s scheme. Our scheme possesses the following properties: 1. any pair of mesh clients can directly establish pairwise keys; 2. compared with other matrix-based schemes, our proposed scheme has a very light cost in terms of communication and storage at mesh clients; and 3. the proposed scheme is specifically designed for pairwise key establishment in WMNs, but it is also applicable in other situations with similar features of heterogeneity including cloud computing systems. Roadmap. The remainder of this paper is organized as follows. We present a summary of related works in Section 2. Section 3 briefly reviews the preliminaries required in this paper. The proposed scheme is described in Section 4, and its security and performance analysis is given in Section 5. Section 6 concludes this paper. 2. Related work Taking wireless sensor networks (when they are integrated with WMNs, sensor nodes can also be considered as energyconstrained mesh clients) as an example, public key cryptographic algorithms are generally considered infeasible for computing and communicating between power-constrained devices [9]. Although this constraint has been partially alleviated with the advancement of modern technology, we consider that these energy-constrained
nodes are not able to afford frequent asymmetric cryptographic operations. According to its characteristics, key management in wireless sensor networks can be classified by self-enforcing schemes, arbitrated keying schemes and key pre-distribution schemes (KPS) [10]. In a KPS, a key management authority (also known as a key distribution center) loads some secret keys into sensor nodes prior to deployment, then neighbor nodes can establish secure communication keys using their pre-loaded keys. The requirement of a robust KPS is that, for adversaries, it is difficult to derive the communication keys of other nodes or destroy the entire network even though they have acquired several nodes’ secret information (e.g., by captured nodes). To meet this demand, a pairwise key between two nodes is desirable. A naïve way of designing a robust KPS is to pre-distribute each sensor node with N − 1 keys, where N is the total number of nodes and each one of N − 1 keys is shared with each one of N − 1 nodes. Any pair of nodes will share a pairwise key after deployment. For adversaries with captured nodes, they only have keys associated with compromised nodes, but not those among un-compromised nodes. Such a mechanism provides a high level of robustness but a low level of scalability: the performance of the key distribution phase will be time, computation and storage consuming when N is large, and a system-wide update is needed when establishing pairwise keys between any current node and a newly added one. A host of KPS have been proposed to provide different tradeoffs between robustness and scalability. The scheme proposed in [11] is based on symmetric encryption. In the key pre-distribution phase, the system authority randomly selects and pre-loads each node with m keys and corresponding key identifiers from a large key pool P. After deployment, neighbor nodes have the probability p to establish session keys successfully by broadcasting key identifiers, for 0 < p ≤ 1, and p is affected by key pool size P and m. The major drawback of the Eschenauer–Gligor scheme is that different pairs of nodes may share the same session key, and consequently there is
142
L. Xu, Y. Zhang / Future Generation Computer Systems 30 (2014) 140–145
Fig. 2. The matrix G in the scheme of [14].
a risk that the communication among un-compromised nodes may become insecure after the compromise of other nodes. This security deficiency is partially improved in [12] by developing the Eschenauer and Gligor scheme to a q-composite random KPS, where neighbor nodes can establish a session key as long as they share t (t ≥ q) common keys. Nevertheless, there still exist constraints between the key pool size P , m, and the security parameter q. As a frequently-used mathematical tool, a matrix is employed to establish pairwise keys diffusely. The pioneering work was introduced in [13], where a KPS was proposed that allowed any pair of nodes to establish the pairwise key by exchanging some public information. In Blom’s scheme, there exists a (λ+1)×N public matrix G over a finite field GF (q), where N is the size of network nodes and q > N. The system authority generates a random (λ + 1) × (λ + 1) secret symmetric matrix D and computes an N × (λ + 1) matrix A = (D · G)T , where (D · G)T is the transpose of D · G. For the kth node, k = 1, 2, . . . , N, the system authority pre-loads it with the kth row of matrix A and the kth column of matrix G. Obviously, K = A · G is a symmetric matrix. After node deployment, the uth node and the v th node can calculate and gain their pairwise key by exchanging their pre-loaded columns of public matrix G. Blom’s scheme is λ-secure, namely the network remains secure as long as the number of nodes that exposed their pre-stored columns of matrix A is no more than λ. To reduce the high cost of wireless communication, in [14] Blom’s scheme was improved by giving a new design of public matrix G. The node in Du et al.’s scheme does not need to store a whole column of matrix G, but a key seed, which can be used to compute a column of G. The key seed is the second element in each column of matrix G in [14] (as shown in Fig. 2). Furthermore, they employed multiple key-space to enhance the performance of their scheme. By viewing the set of keys generated from A · G in Blom’s scheme as a key-space, the system authority in Du et al.’s scheme generates ω secret symmetric matrices D1 , D2 , . . . , Dω and computes matrices Ai = (Di · G)T for each Di . As a result, there are in total ω key-spaces A1 · G, A2 · G, . . . , Aω · G. For the jth sensor node, the system authority randomly selects τ Ai s and loads the jth node with the jth row of each selected Ai and the key seed of the jth column of G. Neighbor nodes can successfully establish a pairwise key only if they are loaded with columns from the same matrices Ai . Parakh et al. proposed a matrix-based key agreement algorithm for sensor networks in [15]. The system authority in their scheme chooses a diagonalizable N × N symmetric matrix Y at random and diagonalizes Y such that Y = M −1 Dy M, where Dy is a diagonal matrix with eigenvalues of Y . It then randomly picks a diagonal matrix Dx and computes the N × N matrix X = M −1 Dx M. It is clear that these two matrices commute with each other, i.e., XY = YX . Then, the system authority randomly picks row–column pairs for each sensor node. For example, the system authority randomly picks r from a uniform distribution over [1, N ] and assigns node i with the rth row and column of X , and the rth column of Y . After deployment, two sensor nodes i and j can compute two keys Kij and Kji by exchanging their stored columns of Y and agree on a session key K = Hash(Kij ∥ Kji ). However, the scheme in [15] has an inherent flaw: different links may share the same key due to the random selection of row–column pairs, and thus the security of other links may be at risk if a sensor node is captured by adversaries. By decomposing a symmetric matrix into a matrix product of two matrices, a lower triangular matrix and an upper triangular
matrix, Dai et al. proposed a key pre-distribution scheme in sensor networks [16]. Using matrix decomposition and network coding, a scalable and robust key pre-distribution scheme is proposed in [17]. Notice that in certain situations, deployment knowledge may be available. Du et al. [18] extended the Eschenauer–Gligor scheme and proposed a key management scheme with deployment knowledge. They further optimized the scheme in [19] by employing both matrix and deployment knowledge. A reliable pairwise key-updating scheme via key pre-distribution and local collaboration is proposed in [20]. 3. Preliminaries There are three types of participants in our key establishment scheme, namely the system authority, mesh routers and mesh clients. The scheme consists of three phases:
• System setup: the system authority generates system parameters;
• Key seed application: mesh clients apply for key seeds from the system authority securely; and
• Pairwise key establishment: with the assistance of mesh routers, two mesh clients establish a secret pairwise key directly. We assume the following. 1. Operations related to the system authority are carried out in a secure environment, while neither mesh routers nor mesh clients are physically secure. In particular, once they are captured by adversaries, any secret data stored in captured nodes will be exposed to adversaries. 2. Mesh clients are able to apply for key seeds from the system authority securely. 4. Pairwise key establishment in WMNs This section is devoted to describing our scheme, which is a variant of Blom’s scheme [13] reviewed in Section 2. System setup: Assume that the population of residents in a given area is P. For each individual, there are about Q devices (like PCs or phones) that may serve as mesh clients and access the network through mesh routers or by directly meshing with other mesh clients, namely, there are about M = PQ mesh clients in this area. Let λ be the system’s security parameter. During the system setup phase, the system authority performs the following tasks.
• Chooses N independent key seeds s1 , s2 , . . . , sN from a finite field GFq , for N ≥ M, and lets idi be the identifier of key seed si .
• Creates a secret (λ + 1) × N matrix G:
s1 (s1 )2
s2 (s2 )2
··· ··· .. .
sN (sN )2
. (1) .. . · · · (sN )λ+1 • Generates a secret symmetric (λ + 1) × (λ + 1) matrix D in GFq . • Computes the public matrix A = (D · G)T . • Loads matrix A at all mesh routers. G=
.. . (s1 )λ+1
.. . (s2 )λ+1
Note that differently from other matrix-based schemes, we let G be the secret matrix to adversaries, and A be the public matrix in our scheme. Key seed application: Every mesh client who would like to access the WMN for the first time must apply for a key seed and the corresponding key seed identifier from the system authority. We assume that mesh clients are able to apply for key seeds from the system authority securely. An alternative way of distributing key seeds is that, for every mesh client, a device which may become a mesh client is loaded with a key seed generated by the system authority when it leaves the factory.
L. Xu, Y. Zhang / Future Generation Computer Systems 30 (2014) 140–145
143
Eq. (1), we choose N independent key seeds and generate secret G matrices. This also explains why we do not generate G matrices as in [14], where mesh client i can use its stored key seed si to calculate mesh client 2i’s key seed s2i = (si )2 (as shown in Fig. 2). Generating matrix G in this way does not introduce any security issue to other schemes where G is a public matrix but is not applicable in our scheme since matrix G must be a secret to adversaries. Remark 2. Our pairwise key establishment scheme is designed for mesh clients in WMNs. In contrast to mesh clients, mesh routers in WMNs are more powerful and capable of costly operations. By exploiting this heterogeneity, the mesh clients in our scheme can generate pairwise keys in an efficient way. To meet the needs of practical application and increase the robustness of WMNs, different system security parameters λ can be set when establishing pairwise keys between mesh router and mesh router, or mesh router and mesh client.
Fig. 3. Pairwise key establishment.
Pairwise key establishment: When two mesh clients i and j want to mesh with each other, they should execute the following operations to gain a pairwise key between them, as shown in Fig. 3. Firstly, two mesh clients i and j exchange their key seed identifiers idi and idj , and send a request {req : idi , idj } to the mesh routers. Then, the mesh routers need to retrieve the stored matrix A, and reply to mesh clients i, j with the jth and ith rows of matrix A. Upon receiving the reply from the mesh routers, mesh clients i and j can establish pairwise keys directly. The calculation of the pairwise key is described as follows. Calculation at mesh client i: • mesh client i uses its key seed si to calculate the ith column of 1 T matrix G: (si , s2i , . . . , sλ+ ) ; i • let (aj1 , aj2 , . . . , aj(λ+1) ) be the jth row of matrix A, which is sent by the mesh routers; and • mesh client i calculates the key shared with mesh client j as 1 T kji = (aj1 , aj2 , . . . , aj(λ+1) ) · (si , s2i , . . . , sλ+ ) i
=
λ+1
ajk · (si )k .
k=1
Calculation at mesh client j:
• mesh client j uses its key seed sj to calculate the jth column of 1 T matrix G: (sj , s2j , . . . , sλ+ ) ; j • let (ai1 , ai2 , . . . , ai(λ+1) ) be the ith row of matrix A, which is sent by the mesh routers; and
• mesh client j calculates the key shared with mesh client i as 1 T ) kij = (ai1 , ai2 , . . . , ai(λ+1) ) · (sj , s2j , . . . , sλ+ j =
λ+1
aik · (sj )k .
k=1
It remains to show that kji = kij . Note that the matrix K = A · G is a symmetric matrix: K = A · G = (D · G)T · G = GT · D · G = (A · G)T .
(2)
It follows that kji = kij , i.e., kji calculated by mesh client i is the same as kij calculated by mesh client j. This completes the description of pairwise key establishment between two mesh clients. Remark 1. The major difference between our scheme and others (including Blom’s scheme) is the generation of the matrix G. In our scheme, G is a secret matrix and the key seed si is given to the ith mesh client, which can only generate the ith column of G but does not have any other information about G. Recall that, as shown in
Remark 3. In this paper, we focus our attention on establishing pairwise keys efficiently for power-constrained mesh clients. It is possible that the storage requirement on mesh routers may become the bottleneck of networks when the number of mesh clients is considerably large. An available solution to this problem is that the system authority deploys multiple mesh routers for a given area and stores an affordable number of rows of matrix A for each router. These mesh routers cooperate with each other to retrieve the stored matrix A when it is needed. 5. Analysis In this section, we present the analysis of our scheme, by comparing it with others [13,14]. Local connectivity. Local connectivity refers to the probability of any two neighbor nodes sharing at least one key-space [19]. The scheme proposed in [14] makes use of multiple key-space, and the local connectivity is affected by parameters, e.g., τ and ω. In contrast, the scheme in [13] and our presented scheme are single key-space schemes: key materials stored (or applied) in powerconstrained nodes are chosen from a single key-space which ensures that any pair of nodes can establish pairwise keys, i.e., local connectivity is 1 in our scheme and the scheme in [13]. Resilience against node capture attacks. In a hostile environment, adversaries can mount a variety of malicious cyber attacks, and access and retrieve secret information from the memory of nodes. A successful attack on x nodes by an adversary may affect the rest of the network. It is easy to see that a large number of key-spaces contributes to a resilient network, i.e., the probability of x capturing nodes which belong to a unique key-space decreases with increase of the number of key-spaces. The scheme proposed in [14] is a multiple key-space scheme. Let Pl be the local connectivity and each sensor node randomly selects τ key-spaces from the key-space pool. The number of shared key-spaces is Ns = (Pl · τ ) for neighbor sensor nodes. Both the scheme in [13] and the newly proposed scheme are single key-space schemes. For each key-space, as mentioned in Section 2, it is λ-secure, i.e., the key-space remains secure as long as the number of nodes that expose their pre-stored secret information to adversaries is no more than λ. In our scheme, to achieve a high level of security, the system authority can compute and store enough A matrices at mesh routers. This will lead to an increase of storage cost at mesh routers, while the consumption at energy-constrained mesh clients stays the same. Resilience against man-in-the-middle attack. Fig. 4 shows a typical man-in-the-middle attack. A successful man-in-the-middle attack means that an attacker makes independent connections with mesh
144
L. Xu, Y. Zhang / Future Generation Computer Systems 30 (2014) 140–145
Fig. 5. Storage cost of networks.
Table 1 The performance of three schemes.
Fig. 4. A typical man-in-the-middle attack.
clients, exchanges messages with them, and makes them believe that they are directly communicating with each other by a pairwise key, while in fact the entire conversation is under the control of the attacker. Our proposed scheme is resilient against man-in-the-middle attack. Assume that an attack chooses a key seed s′a from the finite field GFq ; let id′a be the identifier of key seed s′a . The attacker can exchange identifiers with other mesh clients and send requests, but mesh routers cannot retrieve and obtain the corresponding row from matrix A. An alternative means of attack is that the attacker keeps the key seed identifiers of mesh clients (recall that all mesh clients’ key seed identifiers are exchanged by plain text) and tries to cheat other mesh clients. Obviously, without a key seed generated by the system authority, he cannot computes and obtains pairwise keys with other mesh clients. Besides, an attacker may be powerful enough to modify matrix A stored in the mesh routers (or to generate matrix A′ by himself and replace matrix A with A′ ). Utilizing the modified matrix A or matrix A′ (which has no knowledge of other mesh clients’ key seeds, since matrix G is constructed using all clients’ key seeds, and A = (D · G)T ), an attacker cannot succeed in man-in-the-middle attack. However, this kind of attacker has the ability to isolate mesh clients from mesh networks successfully. Storage complexity. Each sensor node in the scheme in [14] is associated with τ key-spaces, and for each key-space, the node is loaded with the corresponding row of its matrix A. Therefore, the total storage cost at each sensor node is about τ (λ + 1)|q| + |q| bits (recall that key seeds are chosen from GF (q)). The storage costs at each sensor node are 2(λ + 1)|q| bits in [13]. We consider the storage cost of our scheme from two aspects: mesh clients and mesh routers. Each mesh client needs to apply for a unique key seed si and a key seed identifier idi , so the total storage cost of each mesh client is about (|q| + logN2 ) bits. Therefore, our scheme has a significant advantage over [13,14] from the aspect of storage cost of power-constrained devices. The light storage cost at mesh clients is achieved by exploiting the heterogeneity of wireless mesh networks: mesh routers have more storage space than mesh clients. In our scheme, mesh routers
Pl Ns Sc Cmc Cc
Our scheme
Scheme [13]
Scheme [14]
=1
=1
1 |q| + logN2 logN2 2λ + 1
1 2(λ + 1)|q| (λ + 1)|q| λ+1
<1 Pl τ τ (λ + 1)|q| + |q| τ logω2 +|q| 2λ − 1
need to store an N × (λ + 1) matrix A. The size of the A matrix is determined by system’s security parameter λ, and the number of mesh clients. Let N be the number of power-constrained nodes. In [13], each sensor node needs to store 2(λ + 1)|q| bits of key material, and the total storage cost is 2(λ + 1)|q| × N bits for the whole network; Similarly, the total storage cost is (τ (λ + 1)|q| + |q|)× N bits in scheme [14], and (|q|+ logN2 )× N +(λ+ 1)|q|× N bits in our scheme. Fig. 5 shows their relationship when λ = 19, τ = 10 and |q| = 128 bits. Communication complexity. It is analyzed in [10] that communication costs much more than computation during pairwise key establishment. In the pairwise key establishment phase, the sensor nodes in scheme [13] need to broadcast a column of a public matrix; the sensor nodes in scheme [14] need to broadcast the indices of selected τ key-spaces and a key seed of public matrix G; while mesh clients in our scheme only need to broadcast the key seed identifier. It is also pointed out in [19] that local connectivity is one of the dominating factors of communication overhead: if neighbor nodes cannot establish pairwise keys directly, additional operations such as path-key establishment will be necessary which lead to additional communication cost. Additional communication is often needed as the local connectivity is not 1 in scheme [14]. Computational complexity. The sensor nodes in scheme [14] need (2λ − 1) multiplication operations in the field GF (q): (λ − 1) multiplications to regenerate a column of the G matrix, and λ multiplications to calculate the inner product of the corresponding row–column pairs. Pairwise key establishment between neighbor nodes in scheme [13] needs about λ + 1 multiplication operations. In our scheme, pairwise key establishment between two mesh clients requires about 2λ + 1 multiplication operations. We compare the performance of three schemes in Table 1, where Ns represents the number of shared key-spaces, Sc represents the storage cost at energy-constrained devices (sensor nodes or mesh clients), Cmc represents communication cost and Cc represents the computation cost of these energy-constrained devices.
L. Xu, Y. Zhang / Future Generation Computer Systems 30 (2014) 140–145
6. Conclusion Based on Blom’s scheme, we have presented a matrix-based pairwise key establishment scheme for wireless mesh networks. The new scheme has a very light overload of storage and communication at mesh clients, without introducing any significant computation operations. The essential design philosophy of our scheme is to utilize the heterogeneity of wireless mesh networks: mesh routers are more powerful than mesh clients and can afford expensive operations during key establishment. We believe that the same idea is also applicable in other situations, such as cloud computing systems, with the same feature of heterogeneity. Acknowledgments This work is supported partially by National Natural Science Foundation of China (Grant No. 61072080 and No. 61202450), Ph.D. Programs Foundation of Ministry of Education of China (Grant No. 20123503120001), Natural Science Foundation of Fujian Province (No. 2013J01222), Department of Education, Fujian Province, A-Class Project (Grant No. JA12076) and the development project of Fujian provincial strategic emerging industries technologies: Key technologies in development of next generation Integrated High Performance Gateway, Fujian development and reform commission high-technical [2013]266. References [1] I.F. Akyildiz, X. Wang, A survey on wireless mesh networks, IEEE Communications Magazine 43 (2005) S23–S30. [2] I.F. Akyildiz, X. Wang, W. Wang, Wireless mesh networks: a survey, Computer Networks 47 (2005) 445–487. [3] P. Bahl, V.N. Padmanabhan, RADAR: an in-building RF-based user location and tracking system, in: INFOCOM, pp. 775–784. [4] Z. Yang, Y. Liu, Understanding node localizability of wireless ad-hoc networks, in: [21], pp. 2339–2347. [5] A.P. Lauf, R.A. Peters, W.H. Robinson, A distributed intrusion detection system for resource-constrained devices in ad-hoc networks, Ad Hoc Networks 8 (2010) 253–266. [6] C. Pham, Scheduling randomly-deployed heterogeneous video sensor nodes for reduced intrusion detection time, in: M.K. Aguilera, H. Yu, N.H. Vaidya, V. Srinivasan, R.R. Choudhury (Eds.), ICDCN, in: Lecture Notes in Computer Science, vol. 6522, Springer, 2011, pp. 303–314. [7] W. Galuba, P. Papadimitratos, M. Poturalski, K. Aberer, Z. Despotovic, W. Kellerer, Castor: scalable secure routing for ad hoc networks, in: [21], pp. 2829–2837. [8] S. Khan, N.A. Alrajeh, K.-K. Loo, Secure route selection in wireless mesh networks, Computer Networks 56 (2012) 491–503. [9] A. Wander, N. Gura, H. Eberle, V. Gupta, S.C. Shantz, Energy analysis of publickey cryptography for wireless sensor networks, in: PerCom, IEEE Computer Society, 2005, pp. 324–328. [10] D.W. Carman, P.S. Kruus, B.J. Matt, Constraints and approaches for distributed sensor network security, Technical Report 00-010, NAI Labs, 2000.
145
[11] L. Eschenauer, V.D. Gligor, A key-management scheme for distributed sensor networks, in: V. Atluri (Ed.), ACM Conference on Computer and Communications Security, ACM, 2002, pp. 41–47. [12] H. Chan, A. Perrig, D.X. Song, Random key predistribution schemes for sensor networks, in: IEEE Symposium on Security and Privacy, IEEE Computer Society, 2003, pp. 197–213. [13] R. Blom, An optimal class of symmetric key generation systems, in: T. Beth, N. Cot, I. Ingemarsson (Eds.), Advances in Cryptology, in: Lecture Notes in Computer Science, vol. 209, Springer, Berlin, Heidelberg, 1985, pp. 335–338. [14] W. Du, J. Deng, Y.S. Han, P.K. Varshney, J. Katz, A. Khalili, A pairwise key predistribution scheme for wireless sensor networks, ACM Transactions on Information and System Security 8 (2005) 228–258. [15] A. Parakh, S. Kak, Matrix based key agreement algorithms for sensor networks, in: 2011 IEEE 5th International Conference on Advanced Networks and Telecommunication Systems, ANTS, pp. 1–3. [16] H. Dai, H. Xu, A key predistribution scheme with matrix decomposition for secure wireless sensor networks, in: 7th World Congress on Intelligent Control and Automation, 2008, WCICA 2008, pp. 1724–1727. [17] R. Zeng, Y. Jiang, C. Lin, Y. Fan, X.S. Shen, A scalable and robust key predistribution scheme with network coding for sensor data storage, Computer Networks 55 (2011) 2534–2544. [18] W. Du, J. Deng, Y.S. Han, S. Chen, P.K. Varshney, A key management scheme for wireless sensor networks using deployment knowledge, in: INFOCOM, pp. 586–597. [19] W. Du, J. Deng, Y.S. Han, P.K. Varshney, A key predistribution scheme for sensor networks using deployment knowledge, IEEE Transactions on Dependable and Secure Computing 3 (2006) 62–77. [20] M. Wen, K. Chen, Y. Zhang, H. Li, A reliable pairwise key-updating scheme for sensor networks, Journal of Software 18 (2007) 1232–1245. [21] INFOCOM 2010. 29th IEEE International Conference on Computer Communications, Joint Conference of the IEEE Computer and Communications Societies, 15–19 March 2010, IEEE, San Diego, CA, USA, 2010.
Li Xu is a Professor and Doctoral Supervisor at the School of Mathematics and Computer Science at the Fujian Normal University. He received his B.S. and M.S. degrees from the Fujian Normal University in 1992 and 2001. He received his Ph.D. degree from the Nanjing University of Posts and Telecommunications in 2004. Currently he is the Vice Dean of the School of Mathematics and Computer Science and the Director of the Key Lab of Network Security and Cryptography in Fujian Province. His interests include wireless networks and communication, network and information security, complex networks and systems, intelligent information in communication networks, etc. Dr. Xu has been invited to act as PC chair or member at more than twenty international conferences. He is a member of IEEE and ACM, and a senior member of CCF and CIE in China. He has published over 100 papers in journals and conferences. Yuexin Zhang received his B.S. degree from the Department of Physics and Electronic Information Engineering, Inner Mongolia Normal University, China, in 2010. He received his M.S. degree from the School of Mathematics and Computer Science, Fujian Normal University, China, in 2013. His research interests include cryptography and information security.