A secure and scalable A secure and scalable rekeying mechanism for rekeying mechanism for hierarchical wireless hierarchical wireless sensor networkssensor networks

Authors: Song Guo, A-Ni Shen, and Minyi GuoSource: IEICE Transactions on Information and Systems, Vol.E93D, No.3, p.p.421-429, 2010.Presenter: Yung-Chih Lu (呂勇志 )Date: 2010/12/02

1

OutlineOutlineIntroductionRelated Work

◦Basic Predistribution and Local Collaboration-Based Group Rekeying Scheme (B-PCGR)

Proposed SchemeSecurity AnalysisPerformance EvaluationConclusionComment

2

Introduction Introduction (1/2)(1/2)

Goal◦Rekeying◦Against attack

Eavesdropping attack Node capture attack Forward secrecy Backward secrecy

◦Saving resource Computation cost Communication cost Storage Overhead

3

Introduction Introduction (2/2)(2/2)

Wireless Sensor Networks

Cluster Head: High-End Sensor AP: Access PointSensor Node: Low-End Sensor

Pure flat WSNsThree-tier hierarchical WSNs

4

Basic Predistribution and Local Basic Predistribution and Local Collaboration-Based Group Rekeying Collaboration-Based Group Rekeying Scheme Scheme (1/3) (1/3) Key pre-distribution phase

◦Sensor Node

Ex: g(x)=3x2+5x1+2 , x=0,1,2,…

g(x)

distributionBase

Station

g(x): a t-degree g-polynomial

:Sensor node

g(x)

g(x)

g(x)

W. Zhang and G. Cao, IEEE INFOCOM, 2005.

5

Basic Predistribution and Local Basic Predistribution and Local Collaboration-Based Group Rekeying Collaboration-Based Group Rekeying Scheme Scheme (2/3) (2/3) Setup phase

SI

g(x)

Step1: Generates

Step2: CalculatesStep3: Sends esi(x,Sj) to SjStep4: Removes g(x) and esi(x,y)

Ex: g(x) =3x2+5x1+2 , t=2 Step1: e(x,y) = x2y1+4y1+5 , t=2, u=1

Step2: e(x,1) = x2+9 g’(x) = 4x2+5x+11

Step3: e(x,2)=2x2+13 e(x,3)=3x2+17e(x,y): a bivariate (t,u)-degree e-polynomial

si: the Id of sensor node i S1: 1 S2: 2 S3: 3

S3

S2

Secure Channel

Step3

Step3

g’(x)Step4

6

Basic Predistribution and Local Basic Predistribution and Local Collaboration-Based Group Rekeying Collaboration-Based Group Rekeying Scheme Scheme (3/3) (3/3) Rekeying Phase

◦Sensor node g’(x), x=0,1,2,… esj(x,Si), j ≠i

SI

S3

S2

Secure Channel

g’(x)

Step1: e(0,2)=2x2+13 =13 e(0,3)=3x2+17 =17Step2: S2 sends (2,13) to S1

S3 sends (3,17) to S1

Step3: To reconstruct the polynomial e(0,y)=5+4yStep4: computes g(0)=g’(0)-e(0,1) =11-9 =2

e(x,2)=2x2+13

e(x,3)=3x2+17

Step2

Step2

7

Proposed Scheme Proposed Scheme (1/2) (1/2)

Key pre-distribution phase◦Cluster Head

Id KBS,CHa

KCHa,Si

◦Sensor node Id KBS,Si

KCHa,Si

K: a pair-wise keyBS: Base Station 8

Proposed Scheme Proposed Scheme (2/2) (2/2)

Group key establishment and rekeyingCHa S

iGenerates a Rk

i

E(Rki,

KCHa,Si)

1. Generates a Group key GKk

a

2.

ka

ka

ka

Si

ikk

a

GKxAxg

RxxAa

)()(

)()(

E(gka(x),

GKk-1a)

GKka=

gka(Rk

i)

Ωa: a set of all compromised nodes detected in cluster-ak: k-th 9

Security AnalysisSecurity Analysis

nc: The average number of sensor nodes in a clusterω: The number of compromised nodes in a clustert,u: The degree of a polynomialLkey: The number of bits of a key Lid: The number of bits of an id

Verification-Based Group Rekeying (VGR)

10

Performance EvaluationPerformance Evaluation

nc: The average number of sensor nodes in a clusterω: The number of compromised nodes in a clustert,u: The degree of a polynomialLkey: The number of bits of a key Lid: The number of bits of an id

11

ConclusionConclusionRobustness to the node capture

attackReactive rekeying capability to

malicious nodesLow communication and storage

overhead

12

CommentCommentthe degree of a polynomial ≧the

number of sensor nodes in a clusterCompare ECC with polynomialIDS is a heavy burden for the

cluster head.

IDS: Intrusion Detection SystemECC: Elliptic Curve Cryptography

13