Redundancy in Key Management for WSNs

Abstract

Security in wireless sensor networks is commonly based on symmetric encryption and requires key-management systems to establish and exchange secret keys. A constraint that is common to many key-management approaches is an upper bound to the total number of nodes in the network. An example is represented by the schemes based on combinatorial design. These schemes use specific rules for the generation of sets of keys that are distributed to the nodes before deploying the network. The aim of these approaches is to improve the resilience of the network. However, the quantity of data that must be stored by each node is proportional to the number of nodes of the network, so the available memory affects the applicability of these schemes. This paper investigates the opportunity of reducing the storage overhead by distributing the same set of keys to more than one node. In addition, the presence of redundant sets of keys affects the resilience and the security of the network. A careful analysis is conducted to evaluate benefits and drawbacks of redundant key distribution approaches. The results show that the use of redundancy decreases the level of resilience, but it scales well on very large networks.

1. Introduction

A Wireless Sensor network (WSN) is a distributed computer network. The nodes that compose the WSN are autonomous devices which can collect data from the surrounding environment, perform some elaborations and communicate wirelessly with the other nodes of the network. The typical nodes are low-cost devices with limited power and computational capabilities. WSNs are currently applied in many fields, from military applications [1] to cold chain monitoring [2,3].

Symmetric cryptography is normally used to protect the communications. Since WSNs have specific characteristics, such as low computational capabilities and a large quantity of autonomous distributed nodes, they require specific key-management schemes to generate and distribute the keys used to encrypt and/or authenticate the messages. Although there exist lightweight public key schemes [4], they are only applied if the involved devices are considered compliant with the additional overhead [5,6].

In literature, many key-management schemes based on different approaches have been proposed. Any kind of approach involves benefits and drawbacks that are compliant with specific characteristics (e.g., mobile nodes and deployment knowledge). Many approaches are based on predeployment key distribution. Some of these schemes involve a memory overhead proportional to the number of nodes in the network. Therefore, the size of available memory involves an upper bound to the maximum number of nodes in the network. An opportunity to remove this threshold is represented by the distribution of redundant sets of keys. i.e., the same set distributed to multiple nodes. For example, the network could be divided in two parts. A complete distribution is done among one half of the nodes, while each node of the other part has the copy of a set from one node of the first part. In this way the size of the network is the double, with the same memory overhead. In this paper, the predeployment distribution approaches are investigated and they are extended with the concept of security. The differences and similarities of the various approaches are analyzed to identify their effects on resilience. The results show that the use of redundancy decreases the level of resilience, but it scales well on very large networks.

The organization of the rest of the paper is the following: in Section 2 related works are described, Section 3 describes redundancy effects in key management, in Section 4 redundant schemes are analyzed, finally, conclusions are drawn in Section 5.

2. Related Works

In this section, a brief description of the main state-of-the-art approaches is presented. For a more in-depth description it is possible to read existing surveys on key distribution in WSNs [7,8].

2.1. Global Key

In the class of schemes, based on a global key, all nodes share a master key that is used to establish the final pairwise keys.

Besides PGK, the main scheme based on a global master key is the Symmetric-key key establishment, which is adopted by ZigBee (ZigBee Specification 1.0, June 2005, ZigBee Alliance). In this scheme, a node A, with identification number ID${}_A$, starts the key establishment by sending a random number (C${}_A$). To generate a common secret, a node B with identification number ID${}_B$, after receiving the initial message, computes a new random number (C${}_B$) and executes a keyed hash function with the global master key on the concatenation of the subsequent data: ID${}_B$, ID${}_A$, C${}_B$ and C${}_A$. After generating the common secret, node B executes a hash function on this secret to generate the pairwise key. Then, node B sends back its identifier ID${}_B$, the random number C${}_B$ and the Message authentication code (MAC), calculated on the concatenation of the subsequent data: a constant number $k_1$, ID${}_B$, ID${}_A$, C${}_B$ and C${}_A$. Then, node A calculates the pairwise key, checks the MAC and sends to node B a new MAC generated from the same data concatenated to a second constant number $k_2$.

2.2. Full Pairwise Keys

In the full pairwise keys scheme (FPWK) all the keys are distributed before deployment, and no additional operation is required. Each possible link has a specific key, so each node stores a key per each other node in the network.

2.3. Random Key Predistribution Approaches

Random key predistribution basically consists in the generation of a large quantity of secret material and in the random distribution of a part of this material to each node. The first random key predistribution approach has been proposed by Eschenauer and Gligor [9]. In this approach, a pool containing $p$ keys is generated before deployment. Then, a ring containing r keys, that are randomly selected from the pool, is picked up by each node. During the network initialization, each node checks if there are shared keys with other neighboring nodes. The values of $p$ and r determine the probability of establishing a link between two nodes and the quantity of secret keys that an adversary can obtain by compromising a node.

A subsequent scheme based on random key predistribution is the q-composite random key predistribution [10]. With this scheme two nodes must share at least q starting keys to establish a link. They generate a pairwise key by performing a hash function on the concatenation of all shared starting keys. The main drawback of q-composite random key predistribution with respect to the scheme proposed by Eschenauer and Gligor is the larger quantity of memory required.

2.4. Combinatorial Design

In combinatorial design [11], and in particular in block design, it is possible to generate sets of elements that respect specific properties. These sets of elements can be used for various applications such as cryptography.

In the key-management schemes based on block design, the elements correspond to the keys and the sets correspond to the rings assigned to the nodes. Among block design a class often used for key management is the Symmetric Balanced Incomplete Block Design (SBIBD). This strategy allows to generate sets of keys with the following characteristics:

• a pool is composed of $p=r^2-r+1$ keys,
• the number of rings of keys, which corresponds to the maximum number of nodes, corresponds to $n=p$,
• each ring is composed by r keys,
• the same key is present in r rings, so it is shared by r nodes,
• the same set composed by more than one key cannot be present in more than one block.

Many papers adopt combinatorial design and in particular SBIBD for key management. A detailed description is included in [12]. In [13,14], the application of SBIBD and Generalized Quadrangles to key management is investigated and a hybrid proposal was presented. Srinivasa et al. [15] proposed an approach based on SBIBD and multiple key-space. Lee and Stinson [16] used Transversal designs. Ruj and Roy [17] used partially BIBDs, while Bechkit et al. [18] used unital design. In [19], Ruj et al. also managed the triple key distribution that protects against malicious nodes forwarding fake messages.

3. Redundant Key Management

PGK, FPWK and combinatorial design schemes can be defined deterministic schemes with predeployment key distribution. In this general approach, sets of keys are distributed to the nodes according to specific rules. The presence of redundant sets, distributed to more than one node, depends on the adopted strategy. However, all these options can be considered as specific configurations of the deterministic predeployment key distribution.

In the deterministic predeployment key distribution, the set of r keys loaded by a node is defined ring, while the set of all the $p$ keys in the network is defined pool. There are two kinds of redundancy: one related to the individual keys and another one to the rings. The redundancy of a key ($t_k$) corresponds to the quantity of nodes that know that key, while the redundancy of a ring ($t_r$) corresponds to the quantity of nodes that have that identical ring. The possible values of $t_k$ are between 2 and the number of nodes n. The values of $t_r$ are between 1 and n.

In PGK, there is only one key. This scheme corresponds to the deterministic predeployment key distribution with $r=1$, $p=1$, $t_k=n$ and $t_r=n$. This configuration has the minimum quantity of keys and the maximum value of redundancy.

In FPWK there is a key per link. Therefore, the configuration is $r=n-1$, $p=\frac{n^2-n}{2}$, $t_k=2$ and $t_r=1$. This configuration has the maximum quantity of keys and the minimum redundancy. However, FPWK requires that each node stores a quantity of keys equal to the size of the network. Therefore, the limit to the memory available for key storing also represents a limit for the number of nodes in the network.

The intermediate solutions between the global key scheme and FPWK can be obtained by applying ring redundancy to the latter scheme. If each ring, which is unique in FPWK, is loaded by two nodes, the new configuration is $r=\frac{n}{2}-1$, $p=\frac{n^2-2n}{8}$, $t_k=4$ and $t_r=2$. More in general, in the deterministic predeployment key distribution with ring redundancy $t_r$, the parameters are:

$$r=\frac{n}{t_r}-1,$$

(1)

$$p=\frac{n^2-n{t}_r}{2t_r^2},$$

(2)

and

$$t_k=2t_r$$

(3)

A relevant element of the previous configuration corresponds to (3). This formula implies that each key is only included in two rings, and the whole redundancy depends on $t_r$. Therefore, this configuration is called the minimum key redundancy configuration.

The schemes based on combinatorial design have key redundancy and no ring redundancy. Since $n=r^2-r+1$, a scheme based on SBIBD corresponds to the deterministic predeployment key distribution with $r=t_k=\lceil \frac{\sqrt{4n-3}+1}{2}\rceil$, $p=n$, and $t_r=1$. However, as with for FPWK, the total number of nodes in the network affects the size of the ring. Therefore, the maximum size of the storage available for the keys represents a limit to the size of the network.

The intermediate cases between combinatorial design and the global master key are characterized by equations that depend on specific combinatorial design strategy. With the SBIBD strategy, in the deterministic predeployment key distribution with ring redundancy $t_r$, the parameters are:

$$r=⌈\frac{\sqrt{\frac{4n}{t_r}-3}+1}{2}⌉,$$

(4)

$$p=\frac{n}{t_r},$$

(5)

and

$$t_k=t_{r}r$$

(6)

4. Analysis and Evaluation

This section analyzes the properties of deterministic predeployment key distribution according to its configurations.

We shall assume that an adversary can perform a replay attack and eavesdrop on all the links of the network. An adversary can also capture a node and find all the secret information from its memory.

4.1. Resilience

One of the greatest risks in a WSN is that some nodes are compromised, and their secret material is used to attack other nodes. The strength of a scheme against this attack is called resilience. In particular, it is of special interest the resilience against eavesdropping, which is evaluated according to the quantity of links that an adversary can eavesdrop after compromising a specific amount of nodes.

$$\sum _{k=\lceil x/t_r\rceil }^{min(x,n/t_r)}{\displaystyle \frac{\left(\genfrac{}{}{0pt}{}{n/t_r}{k}\right)\left(\left(\genfrac{}{}{0pt}{}{k{t}_r}{x}\right)-{\sum }_{i=\lceil x/t_r\rceil }^{k-1}{(-1)}^{k-i}\left(\genfrac{}{}{0pt}{}{k}{i}\right)\left(\genfrac{}{}{0pt}{}{i{t}_r}{x}\right)\right)\left((k{t}_r-x)(n-k{t}_r)+\left(\genfrac{}{}{0pt}{}{k{t}_r-x}{2}\right)+\frac{k(\frac{n}{t_r}-k)\left(\genfrac{}{}{0pt}{}{t_r}{2}\right)}{\left(\frac{n}{t_r}-1\right)}\right)}{\left(\genfrac{}{}{0pt}{}{n}{x}\right)\left(\genfrac{}{}{0pt}{}{n-x}{2}\right)}}$$

(7)

$$\begin{array}{c}\hfill \sum _{k=\lceil x/t_r\rceil }^{max(x,n/t_r)}({\displaystyle \frac{\left(\genfrac{}{}{0pt}{}{n/t_r}{k}\right)\left(\left(\genfrac{}{}{0pt}{}{k{t}_r}{x}\right)-{\sum }_{i=\lceil x/t_r\rceil }^{k-1}{(-1)}^{k-i}\left(\genfrac{}{}{0pt}{}{k}{i}\right)\left(\genfrac{}{}{0pt}{}{i{t}_r}{x}\right)\right)}{\left(\genfrac{}{}{0pt}{}{n}{x}\right)}}·\\ \hfill ·\sum _{i=max(1,r^2-r-(r-1)k)}^{r^2-2r+1}\left(\frac{P(r,k,i)}{\left(\genfrac{}{}{0pt}{}{r^2-r+1}{k}\right)}·\frac{\left(\left(\genfrac{}{}{0pt}{}{n}{2}\right)\frac{r^2-r+1-i}{r^2-r+1}-x(n-1)+\left(\genfrac{}{}{0pt}{}{x}{2}\right)\right)}{\left(\genfrac{}{}{0pt}{}{n-x}{2}\right)}\right))\end{array}$$

(8)

The quantity of links that can be eavesdropped by an adversary with one key, is always $\left(\genfrac{}{}{0pt}{}{t_k}{2}\right)$. This value represents the quantity of links based on each key. The equations are more complicated if some nodes with their rings are compromised. The equations must consider how many keys can be present in more than one compromised ring, and that the links of the compromised nodes are no longer active and so they must not be considered. The formulas to compute the probability that a link is compromised, i.e., the average percentage of compromised links, in the deterministic predeployment key distribution scheme are (7) and (8), for the minimum key redundancy and for SBIBD configuration, respectively. With the introduction of redundancy, it is possible that an adversary compromises identical nodes. However, only different rings provide new secret material to the adversary. Therefore, by considering x compromised nodes, both formulas start with a summation from $\lceil x/t_r\rceil$ to $min(x,n/t_r)$ which represents the minimum and the maximum quantity of compromised rings (k), respectively. In fact, $t_r$ corresponds to the quantity of nodes with the same ring. The first part inside the summation represents the probability that exactly k rings are compromised. It is computed as $\left(\genfrac{}{}{0pt}{}{n/t_r}{k}\right)\left(\left(\genfrac{}{}{0pt}{}{k{t}_r}{x}\right)-{\sum }_{i=\lceil x/t_r\rceil }^{k-1}{(-1)}^{k-i}\left(\genfrac{}{}{0pt}{}{k}{i}\right)\left(\genfrac{}{}{0pt}{}{i{t}_r}{x}\right)\right){\left(\genfrac{}{}{0pt}{}{n}{x}\right)}^{-1}$. The denominator of this fraction ($\left(\genfrac{}{}{0pt}{}{n}{x}\right)$) represents the number of possible groups of x compromised nodes. The first binomial represents the number of possible groups of k different rings. The second element of the numerator computes the number of possible groups of x nodes with k different rings among the $k{t}_r$ nodes that share those rings. This result is computed as a difference. Since this formula does not guarantee that at least a node per ring is present, the subtrahend is the summation of all the possible groups of x nodes that are included in less than k rings. The summation is alternatively positive and negative since each superior group redundantly includes all the smaller groups. The result of the described part of the formulas represents the probabilistic weight that will be multiplied by the corresponding quantity of compromised links. Therefore, always considering one compromised link, the results of (7) and (8) would be 1.

The subsequent part of the formulas depends on the considered scheme. With the minimum key redundancy configuration, $(k{t}_r-x)$ represents the quantity of not-compromised nodes with a ring identical to a compromised one. Each of these nodes has $n-k{t}_r$ possible links with a node with a not-compromised ring. All these $n-k{t}_r$ links are compromised. Moreover, all the $\left(\genfrac{}{}{0pt}{}{k{t}_r-x}{2}\right)$ links among the not-compromised nodes with a compromised ring are compromised. Finally, $k(\frac{n}{t_r}-k)\left(\genfrac{}{}{0pt}{}{t_r}{2}\right){\left(\frac{n}{t_r}-1\right)}^{-1}$ computes the quantity of links among the nodes with the same ring that randomly selected a compromised key. In details, the quantity of not-compromised rings $(\frac{n}{t_r}-k)$ is multiplied by the number of links per ring $\left(\genfrac{}{}{0pt}{}{t_r}{2}\right)$, multiplied by the quantity of compromised keys per ring k, divided by the quantity of keys per ring $\frac{n}{t_r}-1$. The final result is divided by $\left(\genfrac{}{}{0pt}{}{n-x}{2}\right)$ which is the number of links among all the not-compromised nodes.

The first part of (8) is identical to the first part of (7). Also in this case the second part, on the second line, computes the number of compromised links.

The index of the initial summation is i, which represents the quantity of keys not compromised by the adversary. The part of the formula on the second line computes the probability that i has a specific value. The minimum value corresponds to $r^2-r-(r-1)k$, since the quantity of different rings $\frac{n}{t_r}=p=r^2-r+1$ and since with k compromised rings, the maximum number of compromised keys is the minimum between $p=r^2-r+1$ and $\left(\right(r-1)k+1)$, which represents the number of keys compromised by a set rings that share the same key (i.e., among all the compromised keys only one is repeated, and the number of different keys is maximum). The maximum value is ($r^2-2r+1$), which corresponds to the number of not-compromised keys when one ring is compromised. The first fraction within the summation computes the probability of the current value of i. The numerator is $P(r,k,i)$ which is a function that computes the quantity of groups of k compromised rings compliant with i not-compromised keys. This value is divided by the total quantity of groups of k compromised rings. The value of function $P\left(\right)$ is computed through tables. The tables for $3\le r\le 6$ are reported in Appendix A. The last part of the formula is the fraction of compromised links. The denominator $\left(\genfrac{}{}{0pt}{}{n-x}{2}\right)$ computes the number of possible links between not-compromised nodes. The first part of the numerator is the total quantity of links $\left(\genfrac{}{}{0pt}{}{n}{2}\right)$ multiplied by the number of compromised keys $(r^2-r+1-i)$ and divided by the total number of keys $(r^2-r+1)$. The result corresponds to the quantity of compromised links, but it also counts the links with compromised nodes. Therefore, the $(n-1)$ links of the x compromised nodes, minus the $\left(\genfrac{}{}{0pt}{}{x}{2}\right)$ links among the compromised nodes that would be counted two times, are subtracted.

4.2. Experimental Analysis

To provide a clear idea of the properties of the deterministic predeployment key distribution, the resilience of some configurations has been computed and plotted.

Figure 1 shows the level of resilience for a network composed by 84 nodes. The number 84 was selected since it is perfectly compliant with all the tested configurations. Each curve represents a configuration. The graph shows the [0,1] ratio of compromised links according to the number of compromised nodes. As expected, for all the curves, as the number of compromised nodes increases, the ratio of compromised links increases too. The continuous lines are referred to configurations with $r=4$, fine dots are referred to $r=3$, while sparse dots $r=2$. The ring redundancy is computed according to r and n. Both for the minimum key redundancy and for SBIBD configuration, as r increases the ratio of compromised links decreases. By comparing the minimum key redundancy configuration to SBIBD configuration, it is observed that SBIBD always provides a better level of resilience. Only when $r=2$ the two curves are identical. However, this is a special case, such as for $r=1$, since both the approaches generate the same key distribution.

A representation similar to the previous one is presented in Figure 2. However, in this case, the size of the network is not constant. For each value of r, the minimum value of n compliant with the two approaches was selected. Therefore, it is not possible to directly compare the configurations with different values of r. However, it is possible to observe that all the general properties showed by the previous chart are confirmed.

The resilience provided by a configuration with a fixed value of r on networks with various sizes is shown in Figure 3. Each curve is matched to a distribution strategy and to a specific number of compromised nodes. The graph shows the [0,1] ratio of compromised links according to the number of nodes in the network. It is observed that the size of the network only provides a slight decrease in the resilience, while each curve is quite stable.

To provide a whole overview on the contribution of r and $t_r$ on the resilience, Figure 4 shows the [0,1] ratio of compromised links according to the value of $t_r$. When the values of $t_r$ are very low, there is a visible variation in the level of resilience. However, the ratio of compromised links increases always more slowly and for high value of $t_r$ the difference is negligible. This result is because of the links of the compromised nodes. These links are considered not existing, since they are no more used by the nodes of the network, but they cannot be eavesdropped, since the adversary directly use them. When $t_r$ is high, the adversary gains an advantage by eavesdropping on all the links of the nodes identical to the compromised ones. However, if $t_r$ is small, the relative weight of the links of the compromised nodes is higher, and the other identical nodes are lower.

To evaluate the performance of a redundant scheme within the key-management scenario, SBIBD with $r=6$ is compared to EG with the same ring size. EG does not guarantee a full connectivity, since some nodes could share no common keys, so its connectivity is imposed higher than 0.99. In order to reach this connectivity level the value of p must be properly set. The formula that computes the connectivity of EG is (9).

$$0.99<\frac{\left(\genfrac{}{}{0pt}{}{p-r}{r}\right)}{\left(\genfrac{}{}{0pt}{}{p}{r}\right)}=\frac{\frac{!(p-r)}{!(p-2r)!r}}{\frac{!\left(p\right)}{!(p-r)!r}}=\frac{2!(p-r)}{!(p-2r)!\left(p\right)}={\mathsf{\Pi }}_{i=0}^{r-1}\frac{p-r-i}{p-i}$$

(9)

According to $r=6$ the configuration of EG that guarantees the best resilience is $p=18$, while in redundant SBIBD $p=31$. By using the formula of resilience for EG presented in [20] it is possible to compare these schemes. The comparison is shown in Figure 5. It is possible to observe that the redundant scheme provides a better level of resilience.

4.3. Validation

A simulator has been developed to validate the proposed formulas. The simulator generates a set of rings of keys compliant with the requirements. Then, it randomly selects a specific quantity of nodes that are considered compromised. Finally, some links are checked to verify if the keys that they use are compromised.

In particular, for every tested configuration ${10}^4$ sets of rings have been selected and ${10}^4$ links per selected set have been checked. The results validated the correctness of the formulas. Figure 6 shows some examples of comparison between the results provided by the theoretical formulas and the simulations. The relative difference is always lower than $3\times {10}^{-3}$, and it is attributed to the statistical error. As a further proof, Figure 7 compares the curve obtained with $r=4$, with the same configuration, but in this case the double of the sets of rings are selected and the double of the links per set are selected. It is possible to observe that the new curve is not steady, but the picks are strongly reduced.

5. Conclusions

In this paper, an investigation on the use of redundancy for key management in WSNs has been presented. Thanks to redundancy, an upper bound to the maximum quantity of nodes due to memory limit can be broken. The analysis provided analytical formulas to compute the effects of redundancy on resilience. Moreover, the proposed formulas can be also applied without redundancy. The correctness of the results has been validated through simulations. The analysis also showed that the minimum key redundancy configuration provides a lower level of resilience with respect to the SBIBD configuration. The initial increase of the level of redundancy produces a decrease in the resilience, but then the level becomes stable. Therefore, the redundant schemes scale well on very large networks.