You are on page 1of 6

Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing

ACKDs: An Authenticated Combinatorial Key Distribution Scheme for


Wireless Sensor Networks

Linchun Li, Jianhua Li, Ling Tie, Jun Pan


Department of Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China
lilinchun@sjtu.edu.cn, lijh888@sjtu.edu.cn

Abstract The group member should be sure that it is definitely


the key management server rather than others who
In wireless sensor networks, sensor nodes generate the renewed keys in the distribution messages.
generally cooperate with each other in collecting The easy and usual way to solve this problem is to
sensing data and in-network processing according to make the key management server sign the renewed
the group communication model. Key distribution is at keys using public key cryptography (PKC). Due to the
the heart of secure group communications. In this computational complexity and communication
paper, we present a scalable, efficient and overhead of the public key cryptography and the
authenticated scheme for group key distribution. The frequent group rekeying, using PKC for authentication
proposed scheme is based on a combinatorial in wireless sensor networks may be energy consuming,
exclusion basis system (EBS) for efficiency and one- even though a number of studies [1, 2] focusing on the
way hash chains for authentication. It guarantees an energy analysis of PKC have shown that PKC is
authenticated group rekeying procedure and is feasible to be used in sensor networks.
efficient in terms of storage, communication and Mohamed Eltoweissy et al. proposed an EBS-based
computation overheads. group key management scheme in [3], which levers on
exclusion basis system (EBS), a combinatorial
formulation of the group key management problem.
1. Introduction This approach then be put into use for ad hoc and
sensor networks in [4,5,6]. EBS provides a matrix-like
Typically, the wireless sensor networks (WSNs) key distribution structure. It stores less number of keys
consisting of a large number of tiny sensors with than LKH tree [7,8] for the multicast group of the
limited resources are deployed in open, hostile, same size. Relation between number of group
unattended environments, for a wide variety of members N and parameters k and m is as follows:
applications, including object tracking, environment C (k + m, k ) ≥ N . The overhead of an optimum EBS
monitoring, smart environments, and so on. For has been proved to be half that of a binary key tree
efficiency, the sensor nodes usually form into groups (refer to [3] for details). It gives very good scalability
(clusters) and perform in-network processing of the key distribution scheme compared with previous
according to the inherently collaborative nature of approaches for ad hoc and sensor networks, such as
wireless sensor networks, consequently, create needs GKMPAN [9]. But as far as we know, these EBS-
for efficient and secure group communications. based key distribution schemes did not address the
Effective solutions for the problem of key issue of authentication. The security of the key
management are essential for the feasibility of secure distribution message is not fully guaranteed. Also, an
group communication in sensor networks. While, the original EBS-based key distribution scheme may suffer
security of the group key distribution messages, that is, from collusion attacks, which is point out by Younis et
the confidentiality and authenticity of the distribution al. in [10].
messages, should also be considered as well as the In this paper, we present a lightweight
efficiency. The key distribution messages are usually authentication method for group key distribution in
encrypted with symmetric cryptography, so the wireless sensor network based on EBS and one-way
confidentiality is guaranteed. But the authenticity of hash chain, which is efficient in terms of storage,
the source of distribution message cannot be verified. communication and computation overheads. Also, our

0-7695-2909-7/07 $25.00 © 2007 IEEE 262


DOI 10.1109/SNPD.2007.107
proposed authenticated combinatorial key distribution through compromising sensor nodes and colluding to a
scheme (ACKDs) can reduce the damage of collusion level that allows revealing all cryptographic keys in the
if there is any as the analysis later shows. group, since the sensor nodes are usually not tamper-
The paper is organized as follows. Section 2 gives resistant due to the low cost, and all the information
preliminaries for this paper, including networks including the cryptographic keys is revealed when a
assumption and threat model. Section 3 introduces our node gets compromised; 2) the adversary may directly
scheme in detail through an example of 8-node-size attack a group header, and acquire a full acknowledge
sensor networks after a brief description of one-way of the EBS canonical matrix and according
hash chain and an overview of EBS-based scheme. administrative keys of its group. Then the attacker can
Section 4 gives analysis of the proposed scheme. Last, exploit this advantage to evict any legal sensor nodes
section 5 offers concluding remarks. in this group and update a group session key, while the
sensor nodes cannot be aware of this. So an
2. Network assumption and threat model authenticated EBS-based group key distribution
scheme is on demand.
For scalability and efficiency, we adopt a We also assume all the devices in WSNs are
hierarchical model for WSNs. In this model, a large monitored by the intrusion detection system so that the
number of resource-limited sensor nodes distributed compromised ones, including sensor nodes and group
over an area of interest may statically or dynamically header, can be evicted once they are identified.
form a group as in [9, 10]. While group heads, more
resource-rich than sensor nodes, manage group 3. The proposed key distribution scheme
topology, routing information. The group head also
aggregates data of interest from its member sensor Our authenticated EBS-based group key
nodes, and sends it to the base station. They are able to distribution scheme inherits the formulation of EBS,
communicate with the base station (also known as but update keys in a different approach. One-way hash
command node). In addition, we assume that in each chain is used. The new administrative key and the old
group, the group head is capable of reaching all sensor administrative key will be in the same sequence of
nodes within its group via broadcast. The base station one-way hash chain.
in charge of the network’s mission can be assumed to
pose no restrictions in terms of communication, 3.1. Implicit Authentication based on One-way
computation and storage. Hash Chain
In our network assumption, the base station is the
only authority for key generation. To be secure, though Hash function takes a binary string of arbitrary
group header is responsible for the key management of length as input, and outputs a binary string of fixed
its group, the exclusion basis system for individual length. A one-way function H satisfies the following
groups and corresponding keys still have to be properties: (1) given x , it is easy to compute y such
generated by the base station and secretly sent to each
that y = H ( x) ; (2) given y , it is computationally
group header. Then the group header will distribute
administrative keys and the group session key to infeasible to compute x such that y = H ( x) ; (3) given
sensor nodes within its group according to the EBS x, it is computationally infeasible to find y such that
canonical matrix. y ≠ x and H ( y ) = H ( x) .
The wireless nature of WSNs renders the sensor
A one-way hash chain is a sequence of hash values
nodes and group headers exposed to different types of
malicious attack, especially when deployed in hostile {x n , x n−1 ,..., x j ,..., x1 } such that:
and unattended environments. The various attacks may { x j ∀j : 0 < j ≤ n, x j−1 = H ( x j )} .
range from passive eavesdropping ongoing packet Here, x n is randomly selected as a cryptographic
transmissions to active modifying messages. In this seed, and then the entire chain is computed using the
paper we mainly consider active attacks on WSN. The one-way hash function, where each x j is derived as
adversary may try to modify, fabricate or replay the
x j = H ( x j+1 ) = ... = H n− j ( x n ) . Finally, we can get
key distribution message. In particular, the adversary
will likely compromise devices in WSNs and further x1 = H ( x 2 ) = ... = H n−2 ( x n−1 ) = H n−1 ( x n ) .
manipulate the sensor networks. This goal can be Owing to the one-way property of hash function,
achieved in two ways: 1) the adversary can one-way hash chain is extensively applied in
incrementally aggregate the cryptographic information authentication, e.g. x1 can be used to verify the

263
authenticity of its succeeding elements in the chain. periodically as well as upon node compromise,
That is, by determining x1 = H i−1 ( x i ) or not, the eviction, or addition to maintain secure group
membership of x i in the sequence of one-way hash communications in the presence of attacks. Thus,
chain can be verified. This procedure is called implicit provide key update to support current, forward and
authentication. backward secrecy. More details of the EBS are
referred to [3].
3.2. Exclusion basis system (EBS)
3.3. Authenticated EBS-based group key
An EBS is defined as a collection Γ of subsets of distribution
the set of members [3]. Each subset corresponds to a
key and the elements of a subset A ∈ Γ are the nodes For simplicity of discussion, we consider an
that have that key. An EBS Γ of dimension (N, k, m) example of a group consisting of 8 sensor nodes.
represents a situation in a secure group where there are
N members numbered 1 through N, and where a key 3.3.1. Constructing an authenticated EBS(8,3,2).
server holds a distinct key for each subset in Γ . If the Since C (5,3) = 10 > 8 , an EBS(8,3,2) is constructed.
subset Ai is in Γ , then each of the members whose Among the enumeration of all C(5,3) ways to form a
number appears in the subset Ai knows the distinct subset of three keys from five keys, we select 8 to
key (provided by the key server) for that subset. form a canonical matrix for EBS(8,3,2) as shown in
Furthermore, for each t ∈ [1, N ] there are m elements the un-shadowed part of Table I. The sensor nodes are
numbered from N 1 to N 8 .
in Γ whose union is [1, N ] − {t} . From this, it follows
ACK EBS N1 N2 N3 N4 N5 N6 N7 N8 N9 N10
that the key server can evict any member t , re-key,
B B B B B B B B B B B B B B B B B B B B

KC1 K1 1 0 0 1 0 1 0 1 1 1
and let all remaining members know the replacement
B B B B

KC2 K2 1 0 1 0 1 0 1 0 1 1
keys for the k keys they are entitled to know, by
B B B B

KC3 K3 1 1 0 0 1 1 1 1 0 0
multicasting m messages encrypted by the keys
B B B B

KC4 K4 0 1 1 1 0 0 1 1 1 0
corresponding to the m elements in Γ whose union is
B B B B

KC5 K5 0 1 1 1 1 1 0 0 0 1
[1, N ] − {t} . That is to say, among the dimension (N, k,
B B B B

Table 1. The canonical matrix for EBS(8,3,2) and the


m) of an EBS Γ , N is the total number of group extended portion for new joining node N 9 , N 10
members, k is the number of keys each member is Each sensor node has three administrative keys and
entitled to know, and m is the number of messages each key corresponds to a subset of sensor nodes in the
multicast by the key server when updating keys to group as in table I. In the original EBS, the
evict a suspected member. administrative keys are randomly generated. While in
To construct EBS (N, k, m) for feasible values of N, our proposed scheme, the administrative keys are
k, and m, we employ a canonical enumeration of all picked up from one-way hash chains.
possible ways of forming subsets of k objects from a First, the base station responsible for key
set of k+m objects. For any k and m, let Canonical(k, m) generation randomly generates five keys as seeds of
be the canonical enumeration of all C (k + m, k ) ways one-way hash chains: K 1n , K 2n , K 3n , K 4n , K 5n , S n .
to form a subset of k elements from a set of k+m Second, five one-way hash key chains of length n
objects. For the sequence of bit strings in Canonical(k, are created as KC i = {K i1 , K i2 ,..., K in−1 , K in } , i = 1, ⋅⋅⋅,5 ,
m), we form a matrix A, whose C (k + m, k ) columns
where { K i j ∀j : 0 < j ≤ n, K i j−1 = H ( K i j )} .
are the successive bit strings of length k + m, each with
Third, the base station sets the first keys of the five
k ones. “A” is called the canonical matrix for EBS (N,
key chains, K 11 , K 21 , K 31 , K 41 , K 51 as the
k, m).
When using an EBS-based group key management administrative keys.
for wireless sensor networks, an EBS-based scheme Fourth, the base station generates a group session
can yield optimal results for the number of key chain as the same way above:
administrative keys per sensor node, k, and the number SC = {S 1 , S 2 ,..., S n−1 , S n } .
of re-keying messages, m, according to the group size Last, the base station secretly sends the EBS that
N, and consequently create lightweight communication includes the canonical matrix, administrative keys and
and computation overhead, and impose relatively low S 1 to the group header. In turn, the group header
load on base station and group headers. assigns group session key S 1 and administrative keys
Through EBS, the group header can refresh keys to sensor nodes according to the canonical matrix via

264
secure channels. Hence, the collection of subsets of node according to the extended EBS. Since this
EBS(8,3,2) is: procedure is the same as the original EBS-based key
Γ = {K 11 = {1, 4, 6,8}, K 21 = {1,3,5, 7}, K 31 = {1, 2,5, 6, 7,8}, distribution scheme, we do not dwell on the operations
K 41 = {2,3, 4, 7,8}, K 51 = {2,3, 4,5, 6}} ; in this paper for brevity. Refer to [3] for the detail.
where the number in the subset represents the
3.3.3. Evicting a sensor node from the group. Our
corresponding sensor node.
key distribution scheme can efficiently evict
compromised sensor nodes. Revocation procedure is
3.3.2. Adding a new sensor node to the group. When
triggered after the faulty or compromised sensor nodes
a new node, e.g. N 9 , joins the group, since 8 < C (5,3) , are detected.
the first thing the group header should do is to extend The group header will identify which
the canonical matrix. According to the theorem in [3], administrative keys in the EBS are known to the
group header can easily create a new column in the evicted node and should be revoked, then request
canonical matrix, distinct from the former eight ones, replacement keys from the base station. After receiving
by choosing the rest bit string in Canonical(k, m). It is the request message, the base station will identify
shown as the bit string under N 9 in the shadowed part which key chains the revoked keys belong to, and
of table I. Thus, N 9 can be added to the group without determine the succeeding key in the key chain to be
changing any administrative keys in the system. Then used to update the revoked key. Then the base station
the group header requests the next group session key sends the replacement keys and new group session key
S 2 from the base station. After that, it generates to the group header via secure channel. After receiving
following messages: that message, the group header will simply multicast
Message 1: S 1 ( S 2 ) ; these new keys encrypted with current administrative
keys that the evicted sensor does not know.
Message 2: SK 9 ( S 2 , K 11 , K 21 , K 41 ) ;
Suppose sensor node N 1 should be evicted. Since
where A( B ) means B is encrypted with A , and N 1 possesses first keys of KC1 , KC 2 , KC 3 , these keys
SK 9 is the personal key shared between N 9 and have to be updated. Now, the set K 41 ∪ K 51 is the set of
group header. keys known to all members except N 1 , that is,
First, the group header multicasts new group
K 41 ∪ K 51 = [1,8] − {1} . Hence, the keys K 41 and K 51 will
session key S 2 encrypted with S 1 to the sensor nodes
be used to encrypt updating message. The following
within its group. The session key is updated in order to
messages will be generated for updating administrative
provide backward secrecy.
keys K 11 , K 21 , K 31 and distributing new group session
Second, the group header unicasts to N 9 the group
session key S 2 and the administrative key that are key:
Message 1: K 41 ( S 2 , K 11 ( K 12 ), K 21 ( K 22 ), K 31 ( K 32 )) ;
entitled to N 9 according to the bit string under N 9 ,
encrypted using its personal key SK 9 . Message 2: K 51 ( S 2 , K 11 ( K 12 ), K 21 ( K 22 ), K 31 ( K 32 )) .
Upon receiving the multicast message, all the other Since node N 1 does not have the knowledge of
sensor nodes decrypt the first multicast message with K 41 and K 51 , it cannot decrypt the updating messages
S 1 and obtain the new group session key S 2 , then, and update its administrative keys and group session
they perform hash operation to see whether key. Thus, node N 1 is evicted from the group
H ( S 2 ) = S 1 . If so, it can be concluded that the new communication.
group session key is really distributed from the base Whereas, other sensor nodes, upon receiving
station. The source authentication of group session key updating messages, can decrypt encrypted message
is verified. If not, the key distribution message is using K 41 or K 51 , which is known to itself, and get new
discarded. group session key S 2 and encapsulated encrypted
While, the new joining node N 9 decrypts the administrative keys. We consider node N 5 for
second message using SK 9 , obtain S 2 and its example. After decrypting message using K 51 , it
administrative keys K 11 , K 21 , K 41 . further decrypts sub-messages using K 21 and K 31
When the expanding group size exceeds C (5,3) , respectively, and gets K 22 , K 32 . Then N 5 performs
the relationship C (k + m, k ) ≥ N is broken and new hash operations on the new administrative keys to see
administrative keys should be added to the system. The whether H ( K 22 ) = K 21 , H ( K 32 ) = K 31 and H ( S 2 ) = S 1 .
group header will request the base station to extend If so, N 5 determines that K 22 , K 32 and S 2 are really
current EBS, and assign administrative keys to new

265
distributed from the base station, because the Corresponding actions will be taken as soon as
undisclosed keys in one-hash chains are only known to possible to remove this threat, e.g. evict the
the base station. If the equation does not hold, the key compromised sensor nodes using our proposed
distribution message is discarded. Thus, the source of ACKDs.
updated keys is authenticated. Third, if the adversary directly compromises a
Now, the collection of subsets of EBS(7,3,2) is: group header and tries to further control the sensor
Γ = {K 12 = {4, 6,8}, K 22 = {3,5, 7}, K 32 = {2,5, 6, 7,8}, K 41 = {2,3,
nodes within the group, the attack will be thwarted in
4, 7,8}, K 51 = {2,3, 4,5, 6}} the same way as above.
Last, ACKDs ensures backward secrecy and
forward secrecy. Through the key distribution process,
4. Analysis the compromised nodes or leaving nodes can be
efficiently evicted and new joining nodes are denied
In this section, we analyze the security of the access to previous communication.
proposed authenticated combinatorial key distribution The above analysis shows that those active attacks
scheme (ACKDs). Our proposed key distribution always fail because the adversary cannot authenticate
scheme is effective in defeating active attacks on himself to sensor nodes.
sensor network as follows. Our proposed ACKDs is efficient because no extra
First, if adversaries try to modify an updating storage and communication overhead is incurred on
message with fabricated or replayed keys in order to sensor side compared with original EBS-based scheme.
evict a trustworthy sensor node or replace a spurious In order to verify the authenticity of the updating keys,
group session key for the original one, the attack will each sensor node only needs to perform one extra
be frustrated. Because attackers cannot fabricate computation-efficient hash operation. In our scheme,
subsequent keys in the sequence of one-way hash key the base station is required to generate and store one-
chain to be used to update the revoked key due to the way hash chains in advance. The base station can
one-way property. Thus, only the keys from base afford such operations since it is assumed to be
station rather than others can prove its authenticity to powerful in terms of communication, computation and
sensor nodes. storage.
Second, if compromised nodes within a group
collude to share their administrative keys, our key 5. Conclusion
distribution scheme can prevent them from further
manipulating the sensor network and limit the
To secure the group communication for wireless
destruction of collusion attack to a minimum extent.
sensor networks, this paper presents an authenticated
Since the value of m is selected to be relatively small
combinatorial key distribution scheme (ACKDs) that
to reduce the number of re-key messages, there always aims at providing authenticity of key distribution
exist common administrative keys between any pair of messages. The analysis shows that our scheme can
sensor nodes. As a result, selective compromise and effectively defeat active attacks on the key distribution
collusion of certain nodes can reveal all the message and improve the security of group
administrative keys and group session key at that communication. The scheme is also lightweight in
session. For example, the collusion of N 1 and N 2 can terms of storage, communication and computation
reveal all the administrative keys at that session, e.g. overheads. Using one-way hash chain other than PKC
K 11 , K 21 , K 31 , K 41 , K 51 , and S 1 . Then, in the original to implement authentication extends the lifetime of
EBS-based key distribution scheme, the adversaries sensor nodes and improves the scalability of sensor
can exploit such information to work as a group header network.
and control the sensor networks as their will. But they
cannot do further damage if the sensor networks are 6. References
secured by ACKDs. The collusion of sensor nodes can
only recover the previously and currently disclosed [1] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and
keys of one-way hash chains. Any attempt to further Sheueling Chang Shantz, “Energy Analysis of Public-Key
control sensor nodes, such as evicting a node, adding a Cryptography for Wireless Sensor Networks.” 3rd IEEE
new node, etc, will be defeated in the implicit International Conference on Pervasive Computing and
authentication procedure for they don’t know the rest Communication (PerCom 2005).
keys of one-way hash chains. The active attack of the
[2] G. Gaubatz, J. Kaps, and B. Sunar. Public keys
coalition only leads to its exposure to the intrusion
cryptography in sensor networks – revisited. In The
detection system responsible for monitoring.

266
Proceedings of the 1st European Workshop on Security in [8] Pavel Korshunov , “Multicast security in ad hoc
Ad-Hoc and Sensor Networks (ESAS), 2004. networks.” Available online.

[3] M. Eltoweissy, H. Heydari, L. Morales, and H. [9] S. Zhu, S. Setia, S. Xu, and S. Jajodia, “GKMPAN: An
Sudborough, “Combiiatorial Opdmization for Group Key Efficient Group Rekeying Scheme for Secure Multicast in
Management, ” Journal of Network and System Management, Ah-Hoc Networks”, in Proceeding of International
Vol. 12, No. 1, March 2004. Conference on Mobile and Ubiquitous Systems: Networking
and Services (MOBIQUITOUS ‘04), pages 42-51, Boston,
[4] M.Eltoweissy, M.Younis, K.Ghumman, “Lightweight Massachusetts, USA, August, 2004.
key management for wireless sensor networks, ”
Performance, Computing, and Communications, 2004 IEEE [10] M Younis, K. Ghumman, and M. Eltoweissy, “Key
International Conference on, April 15-17, 2004 Pages:8 13- Management in Wireless Ad Hoc Networks: Collusion
818 Analysis and Prevention,” 24th IEEE International
Performance Computing and Communications Conference,
[5] M. Moharrum, R. Mukkamala, and M. Eltoweissy, Arizona, IPCCC’ 2005, April 2005.
“CKDS: An Efficient Combinatorial Key Distribution
Scheme for Wireless Ad-Hoc Networks”, in Proceedings of [11] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E.
IEEE International Conference on Performance, Computing, Cayirci. “Wireless sensor networks: a survey,” Computer
and Communications (IPCCC ‘04), pages 631-636, Phoenix, Networks, 38(4): 293–422, March 2002.
Arizona, April 2004.
[12] T. Park and K. G. Shin. “LiSP: A Lightweight Security
[6] M. Moharrum, M. Eltoweissy and R. Mukkamala, Protocol for Wireless Sensor Networks,” ACM Transactions
“Dynamic combinatorial key management scheme for sensor on Embedded Computing Systems, 3(3): 634–660., August
networks,” Wireless Communications and Mobile 2004.
Computing, 2006; 6:1017–1035
[13] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D.
[7] C. K. Wong, M. G. Gouda, and S. S. Lam. “Secure Group Tygar. “SPINS: Security suite for sensor networks.” In
Communications using Key Graphs.” IEEE/ACM Proceedings of the Seventh Annual International Conference
Transactions on Networking, 8(1): 16–30, February 2000. on Mobile Computing and Networking (MOBICOM-01),
pages 189–199, New York, July 16–21 2001. ACM Press.

267