Pair-wise path key establishment in wireless sensor networks
Authors: Jang-Ping Sheu and Jui-Che Cheng
Sources: Computer Communications, 2007, article in press.
Reporter: Chun-Ta Li (李俊達)


Outline
  • Motivation
  • Pair-wise path key establishment protocol
  • Comments

Motivation
  • Pair-wise key establishment using multiple node-disjoint paths
  • Weakness of single communication path
  • A node is compromised along the path
    • Byzantine attack (alter, inject, spoof, or sniff packets)
    • Stop forwarding attack

[Figure: source S and destination D connected through intermediate nodes I1, I2, …, Im to establish K_S,D; one intermediate node is marked "Compromised".]

Motivation (cont.)
  • An example of multi-path key establishment with the (3, 4) secret sharing scheme
  • Malicious node detection and identification procedure

Pair-wise path key establishment protocol
Group-based key pre-distribution
  • g = a*b hexagonal grids
  • G(x,y): a group of sensors
  • N = ∪ G(x,y), with the union taken over (x,y) = (1,1) to (a,b)
  • c = N/g
  • G(x,y) includes sensors with IDs from c((x-1)b+y-1)+1 to c((x-1)b+y)

Assume that each group has 100 sensor nodes, a=10, and b=5; then G(2,3) has the sensor nodes with IDs from 701 to 800.

Pair-wise path key establishment protocol (cont.)
Establish a pair-wise key with neighbors

[Figure: nodes A and B exchange (ID, Group ID) and share three assistance neighbors 1, 2 and 3. Labels on the A side: E_KA1(K_AB1), E_KA2(K_AB2), E_KA3(K_AB3). Labels on the B side: E_K1B(K_AB1), E_K2B(K_AB2), E_K3B(K_AB3).]

K_AB = K_AB1 ∪ K_AB2 ∪ K_AB3

Pair-wise path key establishment protocol (cont.)
End-to-end path key establishment (S → D)

h_0 = x and h_m = H(h_{m-1})

[Figure: source S, destination D and intermediate nodes A, B, C; E, F, G; H, I, J. The links are labelled RREQ and carry h_m.]

Pair-wise path key establishment protocol (cont.)
End-to-end path key establishment (D → S)

[Figure: source S, destination D and intermediate nodes A, B, C; E, F, G; H, I, J. The links are labelled RREP.]

  • The node IDs of the entire path are included in the RREP
  • Each intermediate node will record the next one-hop and next two-hop neighboring nodes in its routing table
  • Each intermediate node will check to see if it has a pair-wise key with its next two-hop node

Pair-wise path key establishment protocol (cont.)
Malicious node detection and identification procedure

[Figure: source S, destination D and intermediate nodes A, B, C; E, F, G; H, I, J. The links carry K_SD1, K_SD2 and K_SD3.]

K_SD = K_SD1 ∪ K_SD2 ∪ K_SD3

Messages shown on the path S, A, B, C, D:
  • K_SA{K_SD1, h_{m-1}, MAC_{h_{m-1}}{K_SD1}}
  • K_SB{K_SD1, h_{m-1}, MAC_{h_{m-1}}{K_SD1}}
  • K_AB{K_SD1, h_{m-1}, MAC_{h_{m-1}}{K_SD1}}
  • K_AC{K_SD1, h_{m-1}, MAC_{h_{m-1}}{K_SD1}}
  • K_BC{K_SD1, h_{m-1}, MAC_{h_{m-1}}{K_SD1}}
  • K_BD{K_SD1, h_{m-1}, MAC_{h_{m-1}}{K_SD1}}
  • K_CD{K_SD1, h_{m-1}, MAC_{h_{m-1}}{K_SD1}}
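
The checks a receiving node can run on the share messages above, as an added example that is not from the paper or the slides. It assumes SHA-256 for H, HMAC-SHA-256 for the MAC, and that a node compares the copy from its previous hop with the copy from its previous two-hop node; the pair-wise encryption layer is left out and all values are constructed.

```python
import hashlib
import hmac
import os

def H(value: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the slides' one-way function H.
    return hashlib.sha256(value).digest()

def hash_chain(seed: bytes, m: int) -> list:
    # h_0 = x, h_m = H(h_{m-1}); chain[i] is h_i.
    chain = [seed]
    for _ in range(m):
        chain.append(H(chain[-1]))
    return chain

def make_payload(share: bytes, h_prev: bytes) -> dict:
    # Decrypted contents of K_XY{K_SD1, h_{m-1}, MAC_{h_{m-1}}{K_SD1}}.
    tag = hmac.new(h_prev, share, hashlib.sha256).digest()
    return {"share": share, "h_prev": h_prev, "mac": tag}

def check_copies(anchor: bytes, one_hop: dict, two_hop: dict) -> str:
    """Verdict of a receiver that holds h_m (anchor) and both copies of a share."""
    for name, p in (("one-hop", one_hop), ("two-hop", two_hop)):
        # The disclosed chain value must hash to the h_m seen in the RREQ.
        if not hmac.compare_digest(H(p["h_prev"]), anchor):
            return f"reject: {name} copy has a bad chain value"
        expected = hmac.new(p["h_prev"], p["share"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, p["mac"]):
            return f"reject: {name} copy fails the MAC"
    if not hmac.compare_digest(one_hop["share"], two_hop["share"]):
        return "alert: copies differ, previous hop is suspect"
    return "accept"

def demo() -> dict:
    chain = hash_chain(os.urandom(16), m=4)   # constructed sample values
    anchor, h_prev = chain[4], chain[3]       # h_m from the RREQ, h_{m-1}
    share = os.urandom(16)                    # stands in for K_SD1
    from_S = make_payload(share, h_prev)      # S -> B copy (sent under K_SB)
    honest_A = make_payload(share, h_prev)    # A -> B copy (sent under K_AB)
    # A relaying node sees h_{m-1}, so it can re-MAC an altered share.
    forged_A = make_payload(os.urandom(16), h_prev)
    bad_chain = make_payload(share, os.urandom(32))
    return {
        "honest": check_copies(anchor, honest_A, from_S),
        "altered": check_copies(anchor, forged_A, from_S),
        "bad_chain": check_copies(anchor, bad_chain, from_S),
    }
```

Because h_{m-1} travels inside the message, the MAC alone does not stop a relaying node from re-tagging an altered share; in this sketch it is the comparison with the two-hop copy that flags it.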

Pair-wise path key establishment protocol (cont.)
Key disclosure request (ReqKey)

[Figure: two diagrams, each marking an odd path and an even path. Labels in the first: K_EB{ReqKey}, K_EC{ReqKey}. Labels in the second: K_SB{h_{m-2}}, K_SA{h_{m-2}}.]

Comments
  • Compromised node attacks
    • Conspiracy attacks
    • The pair-wise path key can be derived if there are t intermediate nodes in t different routes without perfect forward secrecy
  • Impersonation attacks
    • Lack of mutual authentication between source and destination node
    • Lack of anonymity between source and destination node

Comments (cont.)
Deployment phase

[Figure: back-end system, sink node and sensor, with links numbered 1 to 4.]

G, P: a subgroup of elliptic curve group E(Fp) and its generator point P whose order is a large prime number q over E(Fp)

Store credential c_i = h(K_i||ID_i||T_i||L_i), ID_i, T_i, and L_i in sensor node

1. Sensor → Sink node: (ID_i, T_i, L_i, M1)
   M1 = c_i r_1 P
2. Sink node → Sensor: (M2, M3)
   M2 = r_2 P, M3 = h(ID_s||r_1 P||M2||sk = r_1 r_2 P)
3. Sensor → Sink node: (M4)
   M4 = h(ID_i||ID_s||sk = r_1 r_2 P)

Comments (cont.)
Credential update

[Figure: back-end system, sink node and sensor, with links numbered 1 to 4 and the label sk.]

1. Sink node → Sensor: (c_i', K_i', T_i', L_i')

New credential c_i' = h(K_i'||ID_i||T_i'||L_i')

Comments (cont.)
Intra-group communication

[Figure: sink node S with sensors A and B.]

1. Sensor A → Sink node: (ID_A, ID_B, M1)
   M1 = E_skA[r_x P]
2. Sink node → Sensor A: (M2, M3)
   M2 = E_skA[r_y P], M3 = E_K[ID_S||ID_A||ID_B||r_x P||Ticket_AB||TK||TL]
   K = r_x r_y P, Ticket_AB = E_skB[ID_A||ID_B||TK||TL]
3. Sensor A → Sink node: (MAC(K; r_y P))
4. Sensor A → Sensor B: (ID_A, ID_B, Ticket_AB, r_a P, MAC(TK; r_a P))
5. Sensor B → Sensor A: (E_TK[r_b P], MAC(SK_AB; r_b P))
6. Sensor A → Sensor B: (MAC(SK_AB; r_a P))

SK_AB = r_a r_b P

Comments (cont.)
Inter-group communication

[Figure: sink nodes S1 and S2 with sensors A and B.]

1. Sensor A → Sink node: (ID_A, ID_B, M1 = E_skA[r_x P])
2. Sink node → Sensor A: (M2, M3)
   M2 = E_skA[r_y P], M3 = E_K[ID_S1||ID_A||ID_B||r_x P||Ticket_AB||TK||TL]
   K = r_x r_y P, Ticket_AB = E_PSK[ID_A||ID_B||TK||TL]
3. Sensor A → Sink node: (MAC(K; r_y P))
4. Sensor A → Sensor B: (ID_A, ID_B, Ticket_AB, r_a P, MAC(TK; r_a P))
5. Sensor B → Sink node: (ID_B, Ticket_AB, M4 = E_skB[r_x' P])
6. Sink node → Sensor B: (M5, M6)
   M5 = E_skB[r_y' P], M6 = E_K'[ID_S1||ID_S2||ID_A||ID_B||r_x' P||TK||TL]
7. Sensor B → Sink node: (MAC(K'; r_y' P))
8. Sensor B → Sensor A: (E_TK[r_b P], MAC(SK_AB; r_b P))
9. Sensor A → Sensor B: (MAC(SK_AB; r_a P))