Enhanced Location Based Key Pre-Distribution Scheme for Secure Communication in Wireless Sensor Network (WSN) Amit Gaur,

Smita Toshniwal, Abhinav Prakash, and Dharma P. Agrawal Center for Distributed and Mobile Computing School of Computing Sciences and Informatics University of Cincinnati, Cincinnati, OH 45221-0030 E-mail: amitgaur84@gmail.com, smitatosh@gmail.com, abhinav.prakash@gmail.com, dpa@cs.uc.edu they provide really good security for wired and cellular networks, asymmetric cryptographic Abstract: techniques cannot be utilized for sensor networks. Wireless sensors are low power devices with Symmetric cryptographic technique is more small transmission range, restricted computation suitable to WSNs as it is computationally less power, limited amount of memory and with portable expensive and less stringent on the memory power supply. Wireless Sensor Network (WSN) is a requirements. collection of such sensors where the number of To overcome limitations of existing Key sensors can vary from few hundreds to thousands. Pre-Distribution schemes, we propose a new scheme Performing secure pair-wise communication between for secure pair-wise communication for a network of sensors is a really difficult task due to inherent wireless sensor nodes in this paper which is resilient characteristics. As memory and power consumption against node capture attacks, provides security are most stringent requirements for these devices, use against attacks where communication between two of conventional techniques for secured nodes is being eavesdropped, provides complete communication are totally out of question. This paper network connectivity and is quite scalable without introduces a scheme that enables a complete pairrequiring any additional hardware or computational wise secure connectivity between any two adjacent overhead. The rest of the paper is organized as sensor nodes, in spite of using small key ring ( KR) follows: We discuss about existing schemes and their for sensors. The Proposed Scheme (ELKPD) doesn't limitations and weaknesses in 2 nd Section. In 3 rd require any additional hardware while providing keys Section, we have a detailed description of our to the sensors irrespective of their location. Also, proposed Key Pre-Distribution scheme. In 4th proposed scheme is easily scalable which enables Section, we discuss about results and performance addition of sensor nodes without any computational evaluation of the scheme and in 5 th Section, we or hardware overheads. summarize our work with future directions. II. Related Work: Keywords: Beacon Signals; Bivariate Polynomial; Various key pre-distribution schemes have Hash Function; Scalability Symmetric Keys; been proposed in literature [5] [6] [7] [8] that allow Wireless Sensor Networks. establishing security between wireless sensor nodes. A scheme has been proposed by Blom [6] in I. Introduction: which a trusted party is responsible for providing a Wireless Sensor Networks (WSN) is a large secret key to each of n participants and a public collection of low power devices (i.e. sensor nodes), identifier. Symmetric matrix calculation enables any which are small in size and operate on small sized two nodes to independently create a shared key for battery with very limited data processing power. securely communicating with each other. These devices are usually deployed for remote hostile Another scheme that is generalization of environments where their maintenance is quite Bloms scheme was proposed by Blundo et al. [7] difficult. Therefore they can be easily compromised which is based on bivariate polynomial calculation by the adversaries [1][2]. and allows any set of t nodes to compute a common To overcome such a situation, one possible key between them, with some of them being secure solution is to encrypt the communication of sensitive against any compromised node. data between sensor nodes. The conventional A random graph theory based key pretechniques for encryption are asymmetric distribution scheme was proposed by Eschenauer et cryptography (public-key) and symmetric al. [8] where the sensor nodes are considered as cryptography (secret-key). An asymmetric nodes in the graph and a probability of the key to be cryptographic technique involves multiplication of present within a sensor node is associated with the very large numbers for generating encrypting keys link between the nodes. which is not feasible on sensor nodes with very limited processing capability. So, despite the fact that

978-1-4244-7489-9/10/$26.00 2010 IEEE

552

A random key distribution scheme has been proposed by Chan et al. in [5] where two nodes need to share more than q keys where (q>1) to form a secure link with each other. All the schemes that have been discussed above do not take advantage of the deployment location information of the sensor nodes. If this information is used judiciously, one can have more keys in common among nodes that are near to each other. This minimizes the number of keys that need to be stored in the memory of sensor nodes. Du et al. in [12] have utilized information regarding the deployment of sensor nodes to distribute the keys in a way such that nodes physically close to each other, share a larger number of common keys than far away nodes. But the assumption made in this scheme is that we have preexisting knowledge regarding the deployment location of the sensor nodes which is not possible in a random deployment. Although another scheme proposed in [10] doesnt require information regarding the deployment of each individual sensor node, it makes use of the knowledge of the group of nodes that are going to be deployed together. The scheme that has been proposed in this paper, without having any prior knowledge regarding location of sensor nodes or group of sensor nodes provides keys to the nodes that are location dependent. It makes sure that the system has unique symmetric key between every pair of nodes, at all times with very limited storage overhead. It is also possible to add more sensor nodes to the system without any need for additional hardware or computational overhead. This makes it quite scalable and secured against attack based on eavesdropping of transferred information. III. Proposed Scheme: In this section we discuss our proposed Enhanced Location Dependent Key Pre-Distribution Scheme (ELDKP), which is a combination of Enhanced Approach for Random Key PreDistribution proposed by Cheng et al. [3] and Location Dependent Key Management (LDK) Using Random Key Pre-Distribution in Sensor Networks proposed by Anjum [4]. Assumptions made in this scheme are the same as that of LDK. Along with regular sensor nodes, some identical but special sensor nodes called Special Nodes are deployed which have the capability to transmit at different power levels which results in more than one transmission range. These Special Nodes are tamper-proof and their expensive nature makes them to be deployed selectively and possibly optimally. The use of such Special Nodes has already been discussed in the literature for

location determination of sensors [13] [14], while their deployment can be done in the same way. In the ELDKP Scheme, S n is the number of sensor nodes and Sp is the number of special nodes and the following three phases are executed in their lifetime. Key Generation and Pre-deployment Phase, Key-Initialization Phase, and Communication Phase. A. Key Generation and Pre-deployment Phase: During the Pre-deployment Phase, one trusted Central Key Distribution agency, before deployment preloads the Sensor and Special nodes with information that would be required in the later phases for secure communication. The information given to each sensor node is: a) Set of keys from a pre-existing pool KP that forms original key ring KR of the sensor node. This selection of keys is done in the same way as described in the Enhanced Approach for Random Key Pre-Distribution proposed by Cheng et al. [3], where each of L matrices have m*m keys, making the total number of keys as: KP= L*(m*m), (1) =L*m2 . Figure 1(a) and 1(b) respectively show the distribution of keys in entire key pool and an individual key matrix where each entry in matrix is a unique randomly generated cryptographic key and Ki,x,y refers to the key in the ith matrix and xth row and yth column of that matrix.

Now, out of this pool KP, S numbers of matrices are randomly selected [3] such that: S . (2)

553

Where = 2,

is a Ceiling function that returns the

smallest integer above a non-integer number (e.g. = 6). This makes sure that any two pair of sensors has at least one matrix in common. And from these selected matrices, one row and one column is randomly selected for each matrix and preloaded in the memory of sensors to form their original key ring KR.

For example if the matrix illustrated in Figure 2 is a (4*4) common matrix (i.e., m=4 in this case) for the sensor nodes A and B, the row 1 and column 2 defines the keys for node A and row 3 column 4 defines keys for node B. We can clearly see that keys KI,3,2 and Ki,1,4 are in common and no matter how we select the rows and column for the common matrix, we would always have at least 2 or more keys in common. This ensures complete connectivity in the network as we will see later on in this paper. b) A unique Sensor Node ID (SId). c) Identities of the keys are preloaded in its memory. d) A common key K, which would be used for having secure communication between Sensor- Sensor pair and Sensor- Special Node pair. e) A Bivariate Polynomial Function BPf() that leads to a common seed for hashing function. f) A Hashing function Hf () produces new keys from pre-existing pool after receiving beacon signals from any Special nodes. g) A Hashing function ESS () to produce secure symmetric key for encrypted communication between Sensor nodes. The Special nodes are also preloaded with some information such as: a) A unique Special Node ID (SpId), and b) The same common key K, which has been loaded in sensors. After pre-loading the sensors with this information, Sn sensor nodes and Sp special nodes are deployed in a uniform random fashion in the monitored area. B. Key Initialization Phase: After deployment of nodes, initialization phase begins. In this phase, special nodes start transmitting different beacon signals at different transmission

ranges, which is a different random number within different ranges and is encrypted with common key K. Once the nodes start receiving the beacon signals, they first decrypt the number by using the common key K and then use hashing function Hf() to generate new set of keys. As we can see in Figure 3, we have a special node Sp1 at the center which is transmitting 3 beacon signals at 3 different transmission ranges. The sensor node Sn1 receives 2 encrypted beacon signals R2 and R3 which it decrypts with key K and then applies Hashing function Hf() with seed R3 and R 2 to its initial key ring IK 1[ ] to lead to a derived key ring DK1[ ] and in similar fashion sensor node Sn 2 by using hash function on its initial key ring IK 2[ ] leads to DK2[ ]. It may be noted that the array DK i [ ] is the final array, that has the keys derived by using Hf() on IKi[ ] by using different seeds. Therefore, the final number of keys in a sensor node is the multiplication of the number of initial keys it had with number of beacon signals it receives [3]. There can be some cases where a single sensor node receives beacon signals from more than 1 special node, which is actually good for the system as it increases its location dependent diversity of the keys.

Sn2 DK2 = Hf(R3,IK2[])

DK1 = Hf(R3,IK1[])

DK1 = Hf(R2,IK1[]) Sp1 R1 R2

Sn1

R3

Figure 3. Illustrating Key Initialization At the end of key initialization phase, we are left with the set of keys that have the diversity based on their location and the initial random distribution. The final number of keys in a sensor node can be given by: = Nki + (NBs * Nki), (3) =Nki * (NBs+1),

554

where Nki is Number of keys in initial key ring and NBs is Number of beacon signals received. During the deployment of number of special nodes, it is essential to make sure that no node remains uncovered. Otherwise, that sensor node will just have the initial key ring and no location dependent derived keys. Since these Special nodes are tamper proof, they are expensive in nature and having too much of them will add to the system cost. So, to optimize their number and assuming coverage of almost whole of the network in a uniform random deployment, we use the following equation: In network with node density , i.e., (The number of Special Nodes/ Area), fractional area required to be covered as fa, r being the maximum transmission radius of any special node, we have [11]: = -ln(1-fa)/r2, The number of Special Nodes = (-ln(1fa)*Area)/(r2). (4) C. Communication Phase: In this phase, adjacent sensor nodes exchange information to establish trust (i.e. secure communication key) between them. The sensor node broadcasts the handshake message encrypted by a common key K to all its neighbors which includes its ID along with the identities of the keys preloaded in its memory which is decrypted upon reception by key K. For example, referring back to the sensor nodes A and B of Figure 2, Node A will give out in encrypted form, the message [IDA, (i,1,2)..] where IDA is its sensor id and it has keys of ith matrix which are in 1 st row and 2nd column. Similarly, Node B will send the message [IDB, (i,3,4)..] in encrypted form, where IDB is its sensor id and it has keys of ith matrix which are in 3 rd row and 4th column. After exchange of this information, they can find out their common keys to be KI,3,2 and Ki,1,4. Also, while storing the derived key ring, we need to ensure that the indices of the keys from initial key ring remain unchanged. The same broadcast message helps in finding common keys in derived key ring. Once the sensors have found their common keys, they use their Ids to generate a common seed for Hashing function ESS () by using Bivariate polynomial function BPf (). Since Bivariate polynomial function F(x,y) = F(y,x), if x,y are replaced with Ids of the nodes, the common seed can be determined. For example, again referring back to Nodes A and B, in the Bivariate polynomial function BPf() taking Node id for node A IDA, the seed Cs would be BPf(IDA,IDB) and for node B with id IDB common seed would be BPf(IDB,IDA) but as BPf(IDA,IDB) = BPf(IDB,IDA), we end up with a seed Cs that is common to both nodes A and B. Along with the Ids and identity of keys, node A transmits a random time stamped number ARand and

in similar fashion B sends BRand in the handshake message. After exchange of all this information, oneway hashing function ESS() is used to generate the secure pair-wise communication key SCK. SCK=ESS (Cs, CK1, CK2, CK3, .. CK n, ARand, Brand, (5) where CK1, CK2 , CK3 , .. CK n are common keys between each pair of nodes A and B. Now, this SCK is used for encrypting communication between the sensor nodes. For key revocation, a revocation message is broadcasted by all special nodes to all sensor nodes. Thereafter, all derived keys are deleted and the random time stamped number, i.e., ARand, BRand are generated again. After which, the whole process of key initialization takes place again which leads to the next-generation of derived keys and a new pair-wise key. It may be noted that the original key ring still remains with sensor node and is not deleted. It is kept encrypted with common key K already loaded in the memory of sensor node and provides a unique symmetric key between every pair of nodes in the network. With all this arrangement, addition of new sensor nodes is a trivial problem which can be addressed by carrying out the same process of key pre-distribution at first where it is loaded with same information as loaded in previous sensor nodes already deployed. Once deployed, the new sensor node starts receiving beacon signal from special nodes and generates its derived key ring and can start communicating with its neighboring sensor nodes. Due to presence of initial key ring with all deployed sensor nodes, it always finds at least a pair of keys common for communication. IV. Performance Results and Security Analysis: In this section we investigate the performance of ELDKP and analyze its security performance as well. We also compare ELDKP against LDK by varying various parameters. The metric that is used for comparison is the Compromise Ratio which is defined as The ratio of the number of secure links formed by the non-compromised nodes that have become vulnerable to the total number of secure links formed by non-compromised nodes in the network[4]. For a perfectly secure scheme, the compromise ratio would be 0, i.e., compromise of any node would not make the rest of uncompromised nodes vulnerable. We have considered a uniform random distribution of sensor and special nodes in an area of 100*100 units, with default transmission range of special nodes as 15 units and of sensor nodes as 5 units. The value is obtained after 10 trials and averaging the results hence obtained. Each special

555

node is assumed to have 5 times power levels of a sensor node. We use equation (4) to find out the optimum number of special nodes that need to be deployed in the network so as to have all sensor nodes covered. From Table 1, we can have 99.5% coverage of area with 75 special nodes at maximum transmission range R of 15 whereas 169 nodes with 10 units at the maximum transmission range are required to have the same area coverage. In simulations, we assume the number of special nodes as 125. Table 1: Illustrating optimum number of Special nodes required. fa R Sp 95% 15 units 43 96% 15 units 46 97% 15 units 50 98% 15 units 56 99% 15 units 66 99.50% 15 units 75 95% 10 units 96 96% 10 units 103 97% 10 units 112 98% 10 units 125 99% 10 units 147 99.50% 10 units 169 Where, fa: Fractional area covered; R: Maximum transmission range of special node; S p: Calculated value of special node. In Table 2, we can see the number of Beacon signals received (NBs) and the number of neighbors of each sensor node(Avg.) is the function of the number of special node and transmission range of sensor nodes is varied. The number of beacon signals received is an important parameter to be considered as from equation (3), it decides the final number of derived keys that would be residing in the memory of sensor nodes and this number should not be too large which we can see from results that in our scheme varies from 16 to 20. Network connectivity is an important parameter in evaluating the effectiveness of any key distribution mechanism. A good scheme would have higher connectivity and low communication overheads. As we discussed in Section 2 about a scheme based on graph theory [8], we observe that it does not provides us with unique communication key between every pair of sensor nodes and information needs to be exchanged up to three or more hops to setup a secured key which introduces additional communication overhead as information is exchanged between neighboring sensors. As we can see in (Figure 4), complete connectivity in our

scheme is realized by just a single exchange of information over a single hop. Schemes [3] [9] are also similar to our scheme in this respect. Table 2: Illustrating the number of Beacon signals received and number of neighbors of each sensor node as number of special node and transmission range of sensor nodes is varied. Avg. No. Neighbor Unconnected Sn SRs count: Sn Sp NBs 500 5 5 2 100 16 500 10 17 0 100 17 500 5 5 2 125 20 500 10 17 0 125 20 1000 5 10 0 125 20 1000 10 35 0 125 20 1000 5 5 4 100 17 1000 10 34 0 100 16 Where, Sn: Number of sensor nodes deployed; SRs: Maximum transmission range of sensor nodes; Avg. Neighbor count: Average number of neighbors of each Sensor node; No. Unconnected Sn: Number of unconnected sensor nodes; Sp: Number of special nodes; and NBs: Number of beacon signals received by each sensor node.

We also compare our scheme with LDK by utilizing the compromise ratio as the performance metric, and we can see in Figure 2, that by increasing the number of power levels, performance of LDK improves considerably. But, it requires a large key pool to generate pre-distributed key ring of sensor nodes while the key ring of LDK is considerably larger than our scheme. Compromise of any node doesnt reveal any information regarding uncompromised nodes in our scheme. For the same reason in (Figure 6), increasing the transmission radius of special nodes initially decreases the compromise ratio of LDK and then increases as diversity of keys tends to decrease. But, this does not have any adverse effect on our scheme and it still provides the best possible compromise ratio of 0.

556

Our scheme is also resilient against replay attack and traffic analysis attack as these attacks are based upon the inability of network to update its keys and always use the same keys for communication. V. Conclusion: Distribution of keys to sensor nodes before deployment is a nontrivial problem. Our proposed scheme uses small key ring for sensors which makes it useful for sensors having small sized memory and also provides complete pair-wise secure connectivity. Our scheme provides location dependent keys to the sensors without using any additional hardware for location determination. The scheme is easily scalable, which enables addition of sensors nodes to the network at any point of time. All these features make our scheme quite useful for the purpose of secure communication in wireless sensor networks (WSNs). VI. References [1] D. P. Agrawal and Q. A. Zeng, Introduction to Wireless and Mobile Systems, Brooks/Cole Publishing, August, 2003. [2] N. Jain and D.P. Agrawal, Current trends in wireless sensor network design, International

Journal of Distributed Sensor Networks, Vol. 1, issue 1. 2005. [3] Y. Cheng, M. Malik, B. Xie, and D. P. Agrawal, Enhanced Approach for Random Key PreDistribution in Wireless Sensor Networks, in International Conference on Communication, Networking and Information Technology, 2008. [4] F. Anjum, Location Dependent Key Management Using Random key-predistribution in Sensor Networks, in Proceedings of the 5th ACM workshop on Wireless security, Los Angeles, California. 2006. [5] H. Chan, A. Perrig, and D. Song, Random key pre-distribution schemes for sensor networks, in IEEE Symposium on Security and Privacy , Berkeley, CA. May, 2003. [6] R. Blom, An optimal class of symmetric key generation systems, in Advances in Cryptology: Proceedings of EUROCRYPT 84, Lecture Notes in Computer Science, Springer-Verlag. 1985. [7] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten , U. Vaccaro, and M. Yung, Perfectly-secure key distribution for dynamic conferences, in Lecture Notes in Computer Science, vol. 740, pp. 471 486. 1993. [8] L. Eschenauer and V. D. Gligor, A keymanagement scheme for distributed sensor networks, in Proceedings of the 9th ACM conference on Computer and communications security, November, 2002. [9] Y. Cheng and D. P. Agrawal, Efficient pairwise key establishment and management in static wireless sensor networks, in Proceedings of the 2nd IEEE International Conference on Mobile ad hoc and Sensor Systems, Washington, DC, November, 2005. [10] D. Liu, P. Ning, and W. Du, Group-based key pre-distribution in wireless sensor networks, in WiSE, September, 2005. [11] B. Liu and D. Towsley, A Study of the Coverage of Large-scale Sensor Networks, in IEEE International Conference on Mobile Adhoc and Sensor Systems, 2004. [12] W. Du, J. Deng, Y. S. Han, S. Chen, and P. K. Varshney, A key management scheme for wireless sensor networks using deployment knowledge, in INFOCOM, April, 2004. [13] L. Lazos and R. Poovendran, Serloc: Secure range-independent localization for wireless sensor networks, in Proceedings of WISE, pp. 21-30, Oct 2004. [14] S. Capkun and J. Hubaux, Secure positioning of wireless devices with application to sensor networks, in IEEE Infocom, March, 2005.

557