10.1.1.77.4906

Upload: harmindersingh-bindra

Post on 08-Apr-2018


  • 8/7/2019 10.1.1.77.4906


    Self-Certified Group Key Generation for Ad Hoc Clusters in Wireless Sensor Networks

    Ortal Arazi, Student Member, IEEE, Hairong Qi, Senior Member, IEEE

    Abstract: Dynamic formation of node clusters is inherently embedded in a wide range of emerging wireless sensor network (WSN) applications. It is expected that security will play a key role in the design and successful deployment of these, as well as many other, applications. The ad-hoc nature and unique power-constraint characteristics of WSN suggest that a prerequisite for achieving security is the ability to encrypt and decrypt confidential data among an arbitrary set of sensor nodes. Consequently, the nodes are required to generate a joint secret key. Elliptic Curve Cryptography (ECC) has emerged as a suitable public key cryptographic foundation for WSN. This paper describes a pragmatic ECC-based methodology for self-certified group key generation in ad hoc clusters of sensor nodes. A novel load-balancing technique and chained data exchange yield reduced overall communications and facilitate an efficient distribution of the computational effort involved.

    Keywords: Security in Wireless Sensor Networks, Resource-Constraint Cryptography, Group Public Key Generation.

    I. Introduction

    Recent advancements in the design and fabrication of low-power VLSI circuitry, as well as wireless communications, have broadened the applications prospect for wireless sensor networks (WSNs). The latter promise to revolutionize our ability to sense and control diverse physical environments using large numbers of small, inexpensive devices that integrate sensing, computation and communication. These sensors can collaborate with each other and achieve complex information gathering and dissemination tasks such as infrastructure security, environment and habitat monitoring, industrial sensing and traffic control.

    In addition to the many unique characteristics of WSNs that stem from the resource-constrained environments in which they operate, many applications, whereby collaborative processing is carried out, necessitate the ad hoc formation of node clusters [1][2]. These clusters of nodes typically emerge around an event. Since the location and extent of the event are often unknown a priori, cluster members are decided upon in an ad-hoc manner. Many WSN applications, spanning military and civilian, assume that sensor nodes are deployed in hostile environments where they are prone to a wide variety of malicious attacks. As a result, security becomes a key concern [3][4][5]. The ad-hoc nature and unique power-constraint characteristics of WSNs suggest that a prerequisite for achieving security is the ability to encrypt and decrypt confidential data among an arbitrary set of sensor nodes. Consequently, an ad-hoc cluster of nodes is required to generate a joint secret key, making it highly desirable to have a secure and efficient key-distribution mechanism facilitating simple key-generation for large-scale sensor networks.

    The authors are with the Electrical & Computer Engineering department at The University of Tennessee, Knoxville. Email: {oarazi,hqi}@utk.edu.

    Although a variety of key-generation methods have been proposed for WSNs, they cannot be directly transplanted in sensor network environments. A simple solution for key establishment is a single network-wide shared key. Unfortunately, a single node in the network being captured would easily reveal the network secret key. Therefore, a current mainstream effort consists of random key pre-distribution, in which a different set of pre-established keys is issued to each node, thereby reducing the probability that capturing one node will jeopardize the entire network [5][6]. These schemes offer partial solution with respect to scalability, cryptographic robustness and the ability to append and revoke security attributes. More recent work addresses topics such as intruder identification in WSNs, relying on key predistribution [7].

    The necessity for public key cryptographic key-generation in WSNs is widely acknowledged. Public key cryptography offers scalability and decentralized management, both of which are strongly coherent with the ad-hoc nature of WSNs. Elliptic Curve Cryptography (ECC) [8] emerges as a suitable public key cryptographic foundation for sensor networks, providing high security for relatively small key sizes. Recent results [9] indicate that the execution of ECC operations in sensor nodes is feasible, with predictable improved performance.

    This paper describes a pragmatic, scalable and resource-efficient ECC-based group key-generation methodology, specifically optimized for WSNs. In particular, we address the need for minimizing communications as well as distributing the computation load across the network. Based on a novel algebraic exploration of standard ECC cryptographic techniques, we derive a group key distribution scheme, which is resource-efficient, scalable and robust. Once a secret key is generated between two or more nodes, data encryption and decryption is carried out using symmetric algorithms, which necessitate, at their core, simple XOR operations.

    The rest of the paper is structured as follows. In Sec. II we briefly review prior work in the area of key establishment for WSNs and outline the unique attributes of key generation in WSNs. Sec. III presents the mathematical foundations from which the methodologies proposed are derived. Sec. IV describes a key-generation scheme for ad-hoc clusters of sensor nodes, while in Sec. V discussions on future directions are presented.


    II. Resource-Efficient Key-Generation for Wireless Sensor Networks

    A. Related Work

    This paper inherently reinforces a recent trend [9][10] which challenges the notion that Diffie-Hellman (DH) and public-key based schemes are not feasible in WSNs. It is due to this infeasibility assumption that many publications in recent years focus on key pre-distribution techniques [5][6][11][12][13]. A trivial key pre-distribution scheme is to allow each node to hold $Q-1$ secret pairwise keys, each of which is known only to the node and to one of the other $Q-1$ nodes (assuming there are $Q$ nodes in the network). However, the constrained memory resources and the difficulty in adding new nodes to the network limit the effectiveness of this general scheme.

    Other researchers have extended the original notion of key pre-distribution to include a statistical element. In particular, methods such as those proposed in [14] assume that each sensor node receives a random subset of keys drawn from a large key pool. To agree on a key for communication, two nodes find one common key within their subsets and use that key as their shared secret key. Additional information, such as data concerning the position and/or geographical distribution of the sensor nodes, can be used to further improve the key pre-distribution concept [6].

    Nonetheless, the problems identified in the key pre-distribution approach triggered an in-depth study of public key cryptographic key-generation for WSNs. The main reasons are two-fold. First, both scalability and security robustness are compromised if keys are pre-distributed based on future predictions of the deployment of nodes, or if a centralized entity manages the key-generation process. Second, due to the ad-hoc nature of WSNs, online central management is impractical. Fundamental questions, addressed by this paper, pertain to the implications of implementing public key cryptography in WSNs.

    B. Security Considerations and Requirements

    This paper treats public key cryptographic fixed as well as ephemeral key-generation. The former relates to the case where two specific nodes generate the same secret value whenever they wish to establish a joint key. In ephemeral key-generation, the two nodes generate a different key for each session established, based on a random component introduced by each node. Ephemeral key-generation is more secure and is generally preferred in many applications. In this paper (as shown in figure 1), we will develop an ephemeral key generation method only for nodes appearing in more than one cluster. All other nodes will generate a fixed group key. As will later be shown, an ECC self-certified fixed key-generation can be executed by a single exponentiation.

    [Figure 1: Cluster A, Cluster B]

    Fig. 1. Illustration of two clusters established in accordance with a moving target. Only nodes shared by both clusters are issued an ephemeral key. Nodes belonging to only one cluster are issued a fixed key.

    In a public cryptographic session, a need emerges to authenticate the public values submitted by the participants. Customarily, this is facilitated by the use of a certificate, issued by a CA (Certifying Authority/Agent), attesting to the connection between a user's public key and his ID. Verifying the authenticity of certified values requires a reference to the public key of the CA. An authentication procedure which is based on certification therefore needs the following values as input: the user's public key, his ID, the certificate and the CA's public key. The latter value is considered to be universal and expected to be known to all relevant parties. The first three values are unique to each user. In self-certified public key cryptographic applications [15][16], a user submits its ID along with its public key, but does not submit an explicit certificate, thereby reducing communication and management overheads, which is a vital consideration in WSNs. Verifying the validity of a user's public key, that is, verifying that the public key is associated with the user's ID, is achieved in an implied manner that still needs an explicit reference to the CA's public key. In identity-based systems [17], the user's public key is its actual ID, which saves the need for any public value other than the user's ID. Nevertheless, an explicit reference to the CA's public key is required.

    Public key cryptographic applications are customarily based on one of two possible intractable mathematical problems: factorizing a large (e.g., 1024-bit) composite integer, or performing a discrete-log operation. The latter also includes Elliptic Curve Cryptography (ECC), which has attractive features when considered for use in WSNs. A 163-bit ECC application has the same cryptocomplexity as a 1024-bit application over a composite integer. In recent work [9], it has been shown that point by scalar multiplication - a fundamental ECC operation - can be performed in 34 seconds on MICA2 motes. The latter pertained to 163-bit keys.

    There are known ECC ephemeral-key-generation methods, in which the validity of a received ephemeral value is based on the validity of a received static value. In these cases, however, it is still necessary to provide for explicit certification of the received static value. To that end, we present a comprehensive ECC self-certified ephemeral key generation methodology, suitable for WSN environments. Furthermore, a method for generating a joint secret key between an ad-hoc cluster of nodes is described. Although group key generation based on public key cryptography has been considered in the literature [18], there is no treatment of the issue of authenticating the exchanged values. In fact, a common assumption made by these schemes is that an authentication mechanism is already available. To that end, our method also concerns the efficient integration of self-certified authentications.

    Finally, in an effort to effectively distribute the computational load between the nodes, we propose to partition the self-certified key-generation process into secure and non-secure operations. The latter enables offloading the non-secure operations from a node participating in the key-generation process to available neighboring nodes. Such offloading assists in load balancing the computational effort and, consequently, power-consumption across the network.

    Since many applications, in which collaborative processing is carried out, necessitate the ad hoc formation of node clusters, it is imperative to generate a group key for these clusters. In this paper we will show that generating such a group key is accomplished in two steps. The first step would be to generate a shared key between pairs of nodes in the cluster, while the second would be to generate a group key by utilizing the shared keys established during the first step. We further illustrate how the key exchange and key confirmation procedures establish self certification as well as a group shared key.

    III. Mathematical Foundations for Efficient Two-Node DH Key Generation

    A. Notation and Terminology

    Our mathematical foundations rely on ECC cryptographic techniques pertaining to operations over a finite group of points in which the discrete log problem applies. In order to describe the formalism for efficient two-node DH key generation, we must first define some notation and terminology. As we are using ECC, the need to distinguish between a scalar and a point on the curve is evident. A group-point is hereby denoted by a capital letter in bold font (e.g. $\mathbf{P}$), and a scalar will be presented in regular lowercase letters. Multiplication of a point by a scalar (e.g. $v\mathbf{P}$) will be referred to as an exponentiation, where $v$ is the exponent. The intractability of a discrete log operation means that given the points $\mathbf{P}$ and $v\mathbf{P}$, the complexity of finding $v$ is exponential. The following notations will be used throughout the remainder of the paper:

    - $\mathbf{G}$: a generating group-point, used by all relevant nodes
    - $\operatorname{ord}\mathbf{G}$: the order of $\mathbf{G}$ (exponents are calculated modulo $\operatorname{ord}\mathbf{G}$)
    - CA: a Certifying Authority
    - $d$: the CA's private key
    - $\mathbf{R}$: the CA's public key (where $\mathbf{R} = d\mathbf{G}$)
    - $x_i$: the private key of node $i$ served by the CA
    - $\mathbf{U}_i$: the public key of a node $i$ served by the CA
    - $ID_i$: the identification details, or attributes, of node $i$
    - $H(v, \mathbf{W})$: a scalar obtained by performing a hash transformation on the scalar $v$ and group point $\mathbf{W}$
    - $h_i$: a random 163-bit scalar generated by the CA (for the purpose of calculating $x_i$)
    - $N_i$, $N_j$: sensor nodes $i$ and $j$, respectively

    B. Keys Issued to Nodes by the CA

    The private and public keys discussed in this section are issued by the CA to all nodes in the network. We will begin our discussion by focusing only on keys issued to $N_i$. As indicated above, the CA holds a pair of keys (private ($d$) and public ($\mathbf{R}$)). By using $d$, $ID_i$, $h_i$, a hash function and $\mathbf{G}$, it establishes the pair of private and public keys issued to node $i$. We consider two scenarios for issuing the private key ($x_i$), and the public key ($\mathbf{U}_i$) of node $i$. The node key $x_i$, used in the following applications, can be derived by either one of the scenarios described in this section. In the first scenario, the CA knows the nodes' secret keys. In this case $N_i$'s private key ($x_i$), and the public value ($\mathbf{U}_i$) can be generated as follows:

    1. The CA generates a random scalar $h_i$ and calculates $h_i\mathbf{G}$;

    2. The CA then generates node $i$'s public and private keys as follows:

    $$\mathbf{U}_i = h_i\mathbf{G} \qquad (1)$$

    $$x_i = [H(ID_i, \mathbf{U}_i)\,h_i + d] \bmod \operatorname{ord}\mathbf{G}$$

    3. The CA issues the values $x_i$ and $\mathbf{U}_i$ to $N_i$;

    4. $N_i$ can establish the validity of the values issued to him by checking whether $x_i\mathbf{G} = H(ID_i, \mathbf{U}_i)\,\mathbf{U}_i + \mathbf{R}$.

    In the second scenario considered, the CA is not allowed to know the nodes' secret keys. In this case $N_i$'s private key and public key can be generated as follows:

    1. The node generates a random value $v_i$ and submits $\mathbf{W}_i = v_i\mathbf{G}$ to the CA;

    2. The CA generates a random $h_i$ and calculates $h_i\mathbf{G}$.

    3. The CA then generates the pair of private and public keys as follows:

    $$\mathbf{U}_i = \mathbf{W}_i + h_i\mathbf{G} \qquad (2)$$

    $$p_i = [H(ID_i, \mathbf{U}_i)\,h_i + d] \bmod \operatorname{ord}\mathbf{G}$$

    The CA issues the values $p_i$ and $\mathbf{U}_i$ to $N_i$;

    4. $N_i$ generates his secret key as

    $$x_i = [p_i + H(ID_i, \mathbf{U}_i)\,v_i] \bmod \operatorname{ord}\mathbf{G}. \qquad (3)$$

    5. $N_i$ can establish the validity of the values $p_i$ and $\mathbf{U}_i$ issued to him by checking whether $p_i\mathbf{G} = H(ID_i, \mathbf{U}_i)(\mathbf{U}_i - \mathbf{W}_i) + \mathbf{R}$.

    Two important points should be noted here: (1) in both cases $x_i\mathbf{G} = H(ID_i, \mathbf{U}_i)\,\mathbf{U}_i + \mathbf{R}$, and (2) since $x_i = [H(ID_i, \mathbf{U}_i)(h_i + v_i) + d] \bmod \operatorname{ord}\mathbf{G}$, $x_i\mathbf{G} = H(ID_i, \mathbf{U}_i)\,\mathbf{U}_i + \mathbf{R}$, which is identical to the case of the CA being allowed to know the nodes' secret keys.

    IV. Self-Certified Diffie-Hellman Key-Generations

    A. Fixed Key-Generation

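    A self-certified DH fixed-key-generation (figure 2) is achieved by the following two steps: (1) $N_i$ and $N_j$ exchange the pairs $(ID_i, \mathbf{U}_i)$ and $(ID_j, \mathbf{U}_j)$, respectively, and (2) $N_i$ and $N_j$ generate the session-key,

    $$K_{ij} \text{ (generated by } N_i) = x_i\,[H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j + \mathbf{R}]$$

    $$K_{ji} \text{ (generated by } N_j) = x_j\,[H(ID_i, \mathbf{U}_i)\,\mathbf{U}_i + \mathbf{R}]. \qquad (4)$$

    [Figure 2: Node $i$ sends $ID_i, \mathbf{U}_i$; Node $j$ sends $ID_j, \mathbf{U}_j$; check $x_i[H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j + \mathbf{R}] \stackrel{?}{=} x_j[H(ID_i, \mathbf{U}_i)\,\mathbf{U}_i + \mathbf{R}]$]

    Fig. 2. A self-certified Diffie-Hellman fixed-key generation.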

    If indeed $K_{ij} = K_{ji}$, then not only is key confirmation obtained (verification of key equivalence), but we also observe key self-certification. The two keys are expected to be identical, having the value $x_i x_j\mathbf{G}$. (i.e. $N_i$ calculates: $x_i[H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j + \mathbf{R}] = x_i[H(ID_j, \mathbf{U}_j)\,h_j\mathbf{G} + d\mathbf{G}] = x_i[H(ID_j, \mathbf{U}_j)\,h_j + d]\,\mathbf{G} = x_i x_j\mathbf{G}$. Similar logic is applied by the calculations performed at $N_j$.) To complete the authentication cycle there is a need for key-confirmation, during which the two nodes either verify that they share an identical key by encrypting and decrypting a test value, or establish a communication session and implicitly verify that they share the same key. Verifying that the keys generated by the two nodes are equal also establishes their correct identities.

    A primary contribution offered by this method of self-certified fixed key DH key generation lies in the number of exponentiations needed to calculate the value $x_i x_j\mathbf{G}$. As indicated above, each node (among each pair of nodes) calculates the value $x_i x_j\mathbf{G}$. Note that the calculations performed by $N_i$ are $K_{ij} = x_i[H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j + \mathbf{R}] = x_i H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j + x_i\mathbf{R}$. Further note that the calculations have been separated into two parts. The first is a dynamic scalar by point multiplication executed in an ad hoc manner (as it contains the value $\mathbf{U}_j$). The second is a scalar by point multiplication that can be calculated and stored before the key-generation session commences, thereby avoiding the need for a real-time exponentiation (as it contains information known a priori by node $i$). It is clear that $N_i$ is able to calculate its session-key by a single ad-hoc exponentiation instead of two, $x_i H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j$, where similar considerations apply to $N_j$.

    B. Ephemeral Key-Generation

    A self-certified DH ephemeral key-generation is achieved by the following steps: (1) $N_i$ and $N_j$ generate a random $pv_i$ and $pv_j$, respectively, (2) $N_i$ calculates the ephemeral value $\mathbf{EV}_i = pv_i\mathbf{G}$, $N_j$ calculates the ephemeral value $\mathbf{EV}_j = pv_j\mathbf{G}$ (performed prior to establishing the communication session between the two nodes), (3) $N_i$ and $N_j$ exchange the values $(ID_i, \mathbf{U}_i, \mathbf{EV}_i)$ and $(ID_j, \mathbf{U}_j, \mathbf{EV}_j)$, respectively, and (4) $N_i$ and $N_j$ generate the ephemeral session key,

    $$K_{ij} \text{ (generated by } N_i) = pv_i\,[H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j + \mathbf{R}] + (x_i + pv_i)\,\mathbf{EV}_j \qquad (5)$$

    $$K_{ji} \text{ (generated by } N_j) = pv_j\,[H(ID_i, \mathbf{U}_i)\,\mathbf{U}_i + \mathbf{R}] + (x_j + pv_j)\,\mathbf{EV}_i \qquad (6)$$

    As listed in the fixed-key scenario, if indeed $K_{ij} = K_{ji}$, then not only is key confirmation obtained (verification of key equivalence), but we also observe key self-certification. The two keys are expected to be identical, having the value $pv_i x_j\mathbf{G} + x_i\,pv_j\mathbf{G} + pv_i\,pv_j\mathbf{G}$. (i.e. $N_i$ calculates: $pv_i[H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j + \mathbf{R}] + (x_i + pv_i)\,\mathbf{EV}_j = pv_i x_j\mathbf{G} + x_i\,pv_j\mathbf{G} + pv_i\,pv_j\mathbf{G}$. Similar logic is applied by the calculations performed at $N_j$.) To complete the authentication cycle we need to follow the same steps described in the section on fixed key generation.

    B.1 Partitioning of Secure and Non-secure Operations

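    A primary contribution offered by this method of self-certified ephemeral-key DH key generation lies in the number of exponentiations needed to calculate the value $pv_i x_j\mathbf{G} + x_i\,pv_j\mathbf{G} + pv_i\,pv_j\mathbf{G}$. As indicated above, each node (among each pair of nodes) computes the value $pv_i x_j\mathbf{G} + x_i\,pv_j\mathbf{G} + pv_i\,pv_j\mathbf{G}$. Note that the calculations performed by $N_i$ correspond to

    $$K_{ij} = pv_i\,[H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j + \mathbf{R}] + (x_i + pv_i)\,\mathbf{EV}_j$$

    $$= pv_i H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j + (x_i + pv_i)\,\mathbf{EV}_j + pv_i\mathbf{R}$$

    $$= pv_i H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j + (x_i + pv_i)(\mathbf{EV}_j + \mathbf{R}) - x_i\mathbf{R}. \qquad (7)$$

    Therefore:

    $$K_{ij} = pv_i H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j + (x_i + pv_i)(\mathbf{EV}_j + \mathbf{R}) - x_i\mathbf{R}$$

    $$K_{ji} = pv_j H(ID_i, \mathbf{U}_i)\,\mathbf{U}_i + (x_j + pv_j)(\mathbf{EV}_i + \mathbf{R}) - x_j\mathbf{R} \qquad (8)$$

    The pre-calculation and storage of $x_i\mathbf{R}$ would enable $N_i$ to calculate its session-key by performing the two exponentiations: $pv_i H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j$ and $(x_i + pv_i)(\mathbf{EV}_j + \mathbf{R})$.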

    B.2 Offloading the Non-Secure Operation to an Untrusted Neighboring Node

    As indicated above, $N_i$ is required to calculate its session key by performing the four exponentiations: $pv_i H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j$, $(x_i + pv_i)(\mathbf{EV}_j + \mathbf{R})$, $x_i\mathbf{R}$ and $\mathbf{EV}_j = pv_j\mathbf{G}$. Among these four exponentiations, $x_i\mathbf{R}$ is a scalar by point multiplication that can be calculated and stored before the key-generation session commences. This would avoid the need for a real-time exponentiation (as it contains information known a priori by node $i$). Similarly, $pv_j\mathbf{G}$ is also performed prior to establishing the communication session between the two nodes. We are left with the following two operations: $pv_i H(ID_j, \mathbf{U}_j)\,\mathbf{U}_j$, and $(x_i + pv_i)(\mathbf{EV}_j + \mathbf{R})$. The first is a dynamic scalar by point multiplication executed in an ad hoc manner (as it contains the value $\mathbf{U}_j$). In the interest of distributing the power consumption across the sensor network, we employ an offloading technique in which nodes assist other nodes by performing part of the required calculations.

    In the context of security operations, we must prove that calculations that are offloaded, and are subsequently transmitted over potentially eavesdrop-prone media, do not jeopardize the trustworthiness of the process. Assisting neighbor nodes (not included in the ad hoc cluster, but with proximity to it) will calculate the value $(x_i + pv_i)(\mathbf{EV}_j + \mathbf{R})$. It should be noted that all nodes are assumed to have knowledge of $\mathbf{R}$. Moreover, none of the offloaded values are assumed to be secret, and while $x_i$ and $pv_i$ are secret, their sum does not disclose their values. Furthermore, even though $x_i$ is fixed, $pv_i$ never repeats itself. In other words, the secret key $x_i$ is masked with the random noise $pv_i$. It is further noted that the neighboring assisting node is not necessarily trusted in delivering a correct answer. The assisting node merely performs mathematical processing with no decisions being made by it. An attempt to send a misleading result by the assisting node will be detected in the key confirmation step.

    All procedures presented thus far are also valid for the case where nodes use different CAs. That is, if the user keys of $N_i$ were issued by a CA whose public key is $\mathbf{R}_1$ with a private key $d_1 = \log \mathbf{R}_1$, and the user keys of $N_j$ were issued by a CA whose public key is $\mathbf{R}_2$ with a private key $d_2 = \log \mathbf{R}_2$, all derived expressions, for both fixed and ephemeral session keys, are valid. That is, a node refers to the public key of the CA of his counterpart when generating a session key with that counterpart.

    V. Group-Key Generation based on Pairwise DH Key Generation

    Based on the presented procedure for generating a self-authenticated DH secret key joint to a pair of nodes, it is next shown how a group of $m$ nodes generates a secret session key $K_s$ joint to all nodes in the group and not known to any party outside the group. In this respect it is noted that the self authentication of the DH keys is based on the identity, $ID_s$, of the participants. These identity values can also be associated with attributes of nodes, rather than their explicit identities. For example, they can be associated with parameters that specify the meaning of the group. That is, nodes that do not possess appropriate parameters allowing them to participate in the group cannot force themselves into the group.

    Let the nodes in the group be indexed in a chain, where node $N_i$ generates two DH keys, one jointly generated with node $N_{i-1}$ and one with $N_{i+1}$, $i = 0, 1, \ldots, m-1$. Although this is not a necessity, the indexing is cyclic. That is, $N_{m-1}$ and $N_0$ also generate a joint key. For simplicity, let us further assume that $m$ is even. These $2m$ DH keys can all be generated in two time slots. Let $K_{i+}$ denote the DH key joint to nodes $N_i$ and $N_{i+1}$, generated during the first time slot for even $i$'s, and $K_{i-}$ denote the DH keys generated during the second time slot for odd $i$'s. This way, during each slot, each node is busy generating a joint DH key with exactly one other node.

    Based on each node having two DH keys, one joint to the preceding node in the chain and one joint to the following node (where $N_{m-1}$ and $N_0$ are considered to be consecutive), the secret session key $K_s$, joint to all members in the group, is then generated as follows. A certain node $N_j$ in the group ($N_j$ can be an arbitrary node, or a node with some distinct preferences such as the cluster head or group lead) generates a random $K_s$. It encrypts $K_s$ with $K_{j+}$ and sends the ciphertext to $N_{j+1}$. Node $N_{j+1}$ decrypts the ciphertext, as it also has $K_{j+}$, thereby recovering $K_s$. It then encrypts $K_s$ with the DH key joint to $N_{j+1}$ and $N_{j+2}$, etc. This way, $K_s$ securely propagates in the chain, by decryption and encryption operations taking place at each node. $K_s$ finally gets back to the originator $N_j$, who verifies that the received $K_s$ equals the original.

    Although calculations are carried out concurrently by the odd and even nodes, we must consider the fact that transmission of information is done sequentially, since the same media is shared by all nodes. Letting $t_{access}$ and $t_x$ denote the expected channel access time and transmission/reception times, respectively, the aggregate time consumed by the group key generation process, $T_{gk}$, can be expressed as

    $$T_{gk} = 2m(t_{access} + t_x) + t_{DH}, \qquad (9)$$

    where $t_{DH}$ is the overall time required to perform the actual DH calculations. One should note that the access and transmission times are expected to be in the order of milliseconds, while the DH related computations are in the order of seconds (shown for MICA2 motes in [9]). To that end, the fact that communications are done sequentially has little impact on the overall delay of the group key generation process.

    A remark on the encryption/decryption operation performed at each node: This is a symmetric operation that can be based on standard procedures like DES or AES. However, let us also consider the case where this operation is a simple exclusive-OR (XOR) operation between $K_s$ and $K_{j+}$. That is,

    $$c_j = K_s \oplus K_{j+} \qquad (10)$$

    where $c_j$ is the ciphertext sent from $N_j$ to $N_{j+1}$. Node $N_{j+1}$ then performs the following to propagate $K_s$ to $N_{j+2}$, noting that $N_j$ and $N_{j+1}$ share the same key $K_{j+}$, and $N_{j+1}$ and $N_{j+2}$ share $K_{j+1}$,

    $$K_s = c_j \oplus K_{j+} \oplus K_{j+1} \qquad (11)$$

    However, as all nodes finally share $K_s$, and they also receive all exchanged ciphertexts, this suggests that all pairwise DH keys will also be known to all nodes in the group (each node simply XORs $K_s$ with all ciphertexts). The question, and this is a strategic consideration, is what kind of a threat can be posed by this procedure. After all, if the members of the group finally know the joint secret key, $K_s$, they might as well know the individual DH keys. This surely holds if the DH keys expire when the key $K_s$ expires.
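
    The chain propagation with the XOR option of eq. (10), and the observation that every member can then compute every pairwise key, as an added example that is not part of the paper. The 16-byte pairwise keys are constructed random stand-ins for the DH keys of Sec. IV, and the function names are hypothetical.

```python
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def propagate(pair_keys, origin, k_s):
    """Send K_s once around the cyclic chain.

    pair_keys[i] is the key shared by nodes i and i+1 (mod m). Returns the
    ciphertexts in transmission order (all are audible on the shared medium)
    and the value that arrives back at the originator.
    """
    m = len(pair_keys)
    sent, held = [], k_s
    for step in range(m):
        i = (origin + step) % m
        c = xor(held, pair_keys[i])       # eq. (10): c_i = K_s XOR K_{i+}
        sent.append((i, c))
        held = xor(c, pair_keys[i])       # the next node decrypts with the same key
    return sent, held

def keys_visible_to_member(k_s, sent):
    """A member holds K_s and hears every ciphertext, so K_{i+} = c_i XOR K_s."""
    return {i: xor(c, k_s) for i, c in sent}

def demo(m=6):
    pair_keys = [secrets.token_bytes(16) for _ in range(m)]   # constructed keys
    k_s = secrets.token_bytes(16)
    sent, returned = propagate(pair_keys, origin=2, k_s=k_s)
    known = keys_visible_to_member(k_s, sent)

    # Expiry condition from the text: if the same pairwise keys carried a later
    # group key, one ciphertext would reveal it to a holder of the earlier data.
    k_s2 = secrets.token_bytes(16)
    sent2, _ = propagate(pair_keys, origin=0, k_s=k_s2)
    link, c = sent2[0]
    return {
        "loop_ok": returned == k_s,
        "all_links_known": all(known[n] == pair_keys[n] for n in range(m)),
        "later_key_exposed_if_reused": xor(c, known[link]) == k_s2,
    }
```

    With fixed-key generation the pairwise value is the same in every session, so the expiry condition is met only if those links use ephemeral keys or a cipher other than plain XOR carries $K_s$.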

    VI. Discussion and Future Work

    This paper presented an efficient methodology for ECC-based public key generation in wireless sensor networks. A novel algebraic approach for partitioning the key generation process was described, addressing both fixed and ephemeral key establishments. A unique feature of the scheme relies on distributing the computation load among neighboring nodes, thereby gaining execution speed and load-balancing the power consumption. Based on these foundations, a procedure for group key generation within a cluster of nodes was presented, offering scalability with respect to network size and robustness.

    The paper presented a comprehensive approach for a practical implementation of group key generation in resource-constraint WSNs. Remaining challenges include the study of fault tolerance issues, neighbor-node selection and analysis of energy consumption.

    As the described procedure relies on a cyclic exchange of information, future work will address the issue of fault tolerance. The fault is two-fold. First of all, how to guarantee that all the nodes within the cluster will be included in the chain without disconnections. Second, what happens when one or more nodes fail in the chain. Future work will concern the generation of redundant paths, while altogether minimizing the overall computational complexity. Moreover, the existence of malicious nodes (whether part of the cluster or assisting nodes) will be addressed to contribute to the robustness of the key generation process.

    As stated in the paper, off-loading non-secure computations to neighboring nodes would provide load balancing, elongating the network lifetime. A question that naturally arises pertains to the manner by which neighboring nodes are selected. We will study the joint effect of geographical distance between nodes and the remaining energy on the neighboring nodes in order to generate a fair selection. Although the communication time associated with the offloading process is much shorter than the DH key generation time, the energy consumed during data transmission and reception is not negligible. We will study the tradeoffs between energy consumption and real-time key generation in order to reach an optimal solution. In this paper, we assume the sensor nodes are all static. However, the proposed scheme, in particular the ephemeral key-generation methodology, has great potential in mobile sensor network applications, in which issues like speed of mobility and key generation turnaround time need to be evaluated.

    The framework presented in this paper can be utilized and broadened to address a wide range of security challenges in resource-constrained sensor networks.

    VII. Acknowledgment

    The authors would like to thank Benjamin Arazi and Itamar Elhanany for their valuable comments and useful discussions.

    References

    [1] H. Qi, Y. Xu, and X. Wang, "Mobile-agent-based collaborative signal and information processing in sensor networks," in Proceedings of the IEEE, vol. 91, pp. 1172-1183, August 2003.

    [2] H. Qi and Y. Xu, "Decentralized reactive clustering for collaborative processing in sensor networks," in Proc. of the IEEE 10th International Conference on Parallel and Distributed Systems (ICPADS), vol. 91, (Newport Beach, CA), pp. 54-61, July 2004.

    [3] A. Perrig, J. Stankovic, and D. Wagner, "Security in wireless sensor networks," Communications of the ACM, vol. 47, pp. 53-57, June 2004.

    [4] R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, and P. Kruus, "Tinypk: Securing sensor networks with public key technology," in Proceedings of the Second ACM Workshop on Security of Ad Hoc and Sensor Networks, (Washington DC, USA), pp. 59-64, 2004.

    [5] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the 2003 IEEE Symposium on Security and Privacy, (Washington DC, USA), pp. 197-214, 2003.

    [6] W. Du, J. Deng, Y. S. Han, S. Chen, and P. K. Varshney, "A key management scheme for wireless sensor networks using deployment knowledge," in Proc. of IEEE INFOCOM 2004, (Hong Kong, China), 2004.

    [7] W. Zhang and G. Cao, "Group rekeying for filtering false data in sensor networks: A predistribution and local collaboration-based approach," in Proceedings of the 2005 IEEE INFOCOM, (Miami, FL, USA), 2005.

    [8] A. J. Menezes, Elliptic Curve Public Key Cryptosystems. Boston, MA: Kluwer Academic Publishers, 1993.

    [9] D. Malan, M. Welsh, and M. D. Smith, "A public-key infrastructure for key distribution in tinyos based on elliptic curve cryptography," in Proc. of 1st IEEE International Conference on Sensor and Ad Hoc Communications and Networks (SECON), (Santa Clara, CA), October 2004.

    [10] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, "Energy analysis of public-key cryptography for wireless sensor networks," in Proceedings of the third IEEE International Conference on Pervasive Computing and Communication (PerCom 2005), pp. 324-328, 2005.

    [11] W. Du, J. Deng, Y. S. Han, and P. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), (Washington DC, USA), pp. 42-51, October 2003.

    [12] A. Chan, "Probabilistic distributed key pre-distribution for mobile and ad hoc networks," in Proceedings of the 2004 IEEE International Conference on Communications, pp. 3743-3747, June 20-24 2004.

    [13] M. Ramkumar and N. Memon, "An efficient key predistribution scheme for ad hoc networks security,"

    [14] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM conference on Computer and communications security, (Washington, DC), pp. 41-47, November 2002.

    [15] M. Girault, "Self-certified public keys," in Advances in Cryptology - EUROCRYPT '91, pp. 491-497, March 1991. LNCS - Springer-Verlag.

    [16] B. Arazi, "Certification of dl/ec keys," in Proceedings of the IEEE P1363 Study Group for Future Public-Key Cryptography Standards, May 1999. Also available as http://grouper.ieee.org/groups/1363/StudyGroup/submissions.html#Hybrid.

    [17] A. Fiat and A. Shamir, "How to prove yourself: Practical solutions to identification and signature problems," in Advances in Cryptology - CRYPTO '86, vol. 263, pp. 186-196, March 1987. Springer-Verlag.

    [18] Y. Kim, A. Perrig, and G. Tsudik, "Group key agreement efficient in communication," Communications of the ACM, vol. 53, pp. 905-921, July 2004.