1. Establishing Pairwise Keys in Distributed Sensor Networks Donggang Liu, Peng Ning Jason Buckingham CSCI 7143: Secure Sensor Networks October 12, 2004

2. Motivation Authentication and key management are essential to a secure network Due to resource constraints, public key cryptography and key distribution center (KDC) are not feasible!

3. Prior Schemes Probabilistic key predistribution with key ring (article we read last week “A Key Management Scheme for Distributed Sensor Networks”) q-composite key predistribution  Increases the resilience of the network against node capture Random pairwise keys scheme  Random pairs of nodes are assigned pairwise keys. Adds authentication if each node stores the ID of the other node that shares the associated pairwise key.

4. Problems with existing schemes For basic probabilistic and q-composite schemes, as the number of compromised nodes increases, the fraction of affected pairwise keys rapidly increases. For random pairwise keys scheme, network size is limited by the desired probability of two nodes sharing a link.

5. Polynomial-Based Key Predistribution The key setup server randomly generates a bivariate t- degree polynomial:  over a finite field Fq where q is a prime number and f(x,y) = f(y,x).  Each sensor i has a unique ID, and the server computes a polynomial share of f(x,y) by computing f(i,y). Two nodes i & j can computer the same key (node i can compute f(i,j) by evaluating f(i,y) at point j and vice versa).

6. Problems with Polynomial-Based Key Predistribution Tolerates only the compromise of t nodes (t is the degree of the polynomial). To support additional nodes with the same security, the size of the polynomial must increase and thus the memory requirements increase.

7. Polynomial Pool-Based Key Predistribution Uses a pool of randomly generated bivariate polynomials to establish pairwise keys. Two special cases:  When the polynomial pool has only one polynomial this is the same as Polynomial Based Key Predistribution  When the polynomials are all of degree 0 this is the same as the basic key pool predistribution

8. Setup The key setup server generates a set of polynomials, assigning each polynomial a unique ID. Each sensor node is randomly assigned a subset of these polynomials

9. Key Establishment Done through direct key or path key establishment Secure Link: two nodes can establish a pairwise key through direct key establishment Polynomial share discovery is done through predistribution or real-time discovery  Predistribution requires additional memory, makes it difficult for nodes to join the network on the fly, and may provide additional information to an attacker.  Real-time discovery is done through the exchange of a list of polynomial IDs or with a challenge. This adds additional communication overhead.

10. Path Key Establishment through real-time discovery Two nodes that do not share a direct link that need to communicate with each other must establish a pairwise key This is done by finding a path between the two nodes via nodes that do share a pairwise key directly This path discovery problem introduces substantial communication overhead!

11. Differences from Basic Key Pool Predistribution Chooses a polynomial from a polynomial pool instead of a key from a key pool In Basic Key Pool Predistribution, several nodes share the same key. With polynomial pools, there is a unique key between each pair of sensors (each node gets a unique polynomial share based on its unique node ID). If no more that t shares on the same polynomial are discovered then no pairwise keys from non- compromised nodes can be discovered.

12. Network Connectivity The probability of two sensors sharing the same polynomial (can directly connect) is:  s is the number of polynomials (pool size), and s’ is the number of polynomial shares stored on each node The probability that two nodes can establish a pairwise key (directly or indirectly) is P s = 1 – (1 – p)(1 – p 2 ) d, where d is the average number of neighbors each node has.

13. Vulnerability of Polynomial Pool Predistribution If an attacker compromises t+1 nodes that have the same polynomial, he is able to compromise all links that use that polynomial. Solution: don’t allow a polynomial to be used in more than t+1 nodes. Given this constraint, the total number of sensors cannot exceed

14. Comparison with Previous Schemes Fraction of compromised links between non-compromised sensors vs. number of compromised sensor nodes.

15. Grid-Based Key Predistribution For a sensor network with at most N nodes, We construct an m x m grid with a set of 2m polynomials Each node is assigned a unique row/column intersection in the grid A node at coordinate (i, j) stores the polynomial shares for and

16. Pairwise Key Establishment To directly establish a pairwise key with a node j, node i must either be in the same column or same row as node j. If not, path discovery is performed. Either node (c i, r j ) or (c j, r i ) can establish a pairwise key with both nodes What if both nodes (c i, r j ) and (c j, r i ) are compromised or out of range??

17. Path Discovery There are still many alternative paths. In fact, there are up to 2(m – 2) pairs of such nodes in the grid.

18. Grid-Based Analysis Each node can potentially establish a pairwise key with 2(m – 1) other nodes directly. The percent of nodes that a node can establish a link with directly is In fact, if there are no compromised nodes, it is guaranteed that two nodes can establish a pairwise key Overhead: nodes only need to store two t-degree polynomial shares, and the IDs of each compromised node. Communication overhead is mostly from path discovery

19. Attacks against a pair of nodes How difficult is it to compromise a pairwise key without compromising the related nodes? Even if an attacker compromises t+1 nodes, the nodes can still establish a new pairwise key via path discovery. Interesting attack: if a node involved in a key path that was used to establish a pairwise key is compromised, the previously established key is then compromised if the attacker has recorded the message that established the key.

20. Attacks against a pair of nodes (cont.) To prevent two nodes from establishing a pairwise key, the attacker has to block all possible key paths between the nodes. There are 2m – 2 key paths between any two nodes that involve one or two intermediate nodes. There are at least 2m – 3 paths, and an attacker must compromise at least one node in each path to prevent two particular nodes from communicating.

21. Attacks against the network The attacker can try to systematically or randomly compromise nodes in the network  to lower the probability that two nodes can establish a pairwise key  to simply increase communication overhead and the cost to establish a pairwise key Even if an adversary compromises l polynomials, then there are ml nodes with at least one polynomial compromised, and m 2 – lm nodes with uncompromised polynomials. The attacker has compromised (t+1)l nodes and affects the key establishment of ml nodes.

22. Grid-Based Key Predistribution Attractive Properties:  Guarantees that any two sensors can establish a pairwise key when no nodes have been compromised.  Resilient to node compromise. Even if there are compromised nodes, there is still a high probability that two nodes will be able to establish a pairwise key.  No communication overhead during polynomial share discovery (each node knows if it can establish a pairwise key with another node).  Allows for optimized deployment of sensors so sensors that can establish a direct key can be deployed near each other.

23. Additional Topics It is unclear if the grid based scheme allows for dynamic addition of new nodes How is an attack detected, especially if the adversary is simply listening to the data?