
Establishment of Different Types of Keys

Most existing key management schemes for group communication in WSNs address only session key establishment and renewal. Key predistribution is considered the most suitable key assignment mechanism for WSNs. However, key predistribution schemes are concerned only with the establishment of pairwise keys, which can only be used for peer-to-peer communication between neighboring nodes.

Generally speaking, an HWSN includes three types of entities: the base station, cluster heads, and normal sensor nodes. These entities comprise a hierarchical network. In such a network, various types of communication may occur. The base station broadcasts control commands throughout the whole network. Each cluster head multicasts messages within the cluster. A node communicates with its neighboring nodes by unicasting. In short, a single key cannot meet the different communication requirements in WSNs, especially in hierarchical WSNs. Different types of keys should be established in WSNs to secure unicast, multicast, and broadcast communications.

Most existing symmetric schemes for WSNs mainly consider a distributed network topology. They introduce different mechanisms for pairwise key establishment. Some centralized schemes [52, 55, 56] only discuss how to distribute and update a globally shared group key. Research shows that such a network topology is poor at performance and scalability. HWSNs have better scalability, while they involve various communication patterns, including unicast of single nodes, multicast within a group and broadcast in the whole network. Therefore, different keys must be established to encrypt different types of packets.

2.3.1 LEAP

Zhu et al. [29] devised a scheme called LEAP for hierarchical WSNs. LEAP supports the establishment of individual keys, pairwise keys, cluster keys, and a global key. Different keys are used to handle the different types of packets.

Individual key [41]: This is a unique key that is shared between the base station and each sensor node [29]. The key is preloaded into each node's memory before deployment. The individual key is calculated as

$K_u^m = f_{K^m}(u)$

where $f$ is a pseudo-random function and $K^m$ is the master key known only to the base station. Each sensor node uses the individual key to calculate a MAC on the messages to the base station. In the same way, the base station can use the shared individual key to encrypt messages to each node. The base station does not store all the individual keys; it can generate an individual key whenever it attempts to communicate with a node.

Pairwise shared key [41]: Each node shares a pairwise key with each of its immediate neighbors. The pairwise key is used to secure communications that require privacy or source authentication. Similar to the scheme in [3], there are four stages of pairwise key establishment: key predistribution, neighbor discovery, pairwise key establishment, and key erasure. During the initial stage of key predistribution, node U is loaded with a key $K_i$ by the controller and derives the master key $K_u$ using it. For neighbor discovery, node U first initializes a timer to activate at time $t_{min}$, then it broadcasts a HELLO message containing its ID. The neighboring node V responds to node U with an acknowledgement (ACK) containing its ID if it receives node U's HELLO message. The ACK of V is authenticated using its master key $K_v$, which is derived from $K_i$. Node U verifies the authentication of V by generating the master key $K_v$ with $K_i$. The neighbor discovery stage can be denoted as:

U → ∗ : U;

In the stage of pairwise key establishment, node U computes the pairwise key $K_{uv}$ shared with node V as $K_{uv} = f_{K_v}(u)$. Node V can also compute $K_{uv}$ in the same way. $K_{uv}$ serves as their pairwise key. In the final stage, when its timer expires after $t_{min}$, node U erases $K_i$ and all the master keys of its neighbors, which were computed in the neighbor discovery stage. Even if an adversary captures a node, the communications between it and another node cannot be decrypted without the key $K_i$.

Cluster key [41]: This is a key shared between a node and its neighboring nodes. Cluster key establishment follows the pairwise key establishment phase. Suppose a node U wants to establish a cluster key with all its immediate neighbors $V_1, V_2, \ldots, V_m$. Node U first generates a random key $K_{uc}$, then encrypts this key with the pairwise key shared with each of its neighbors, and then transmits the encrypted key to each neighbor $V_i$ ($1 \le i \le m$).

$U \to V_i : (K_{uc})_{K_{u,v_i}}.$

Each node $V_i$ decrypts the key $K_{uc}$ with the key $K_{u,v_i}$ and stores it in a table, and then sends its own cluster key to node U in the same way. When node U is revoked, every neighbor node generates a new cluster key and transmits it to all the other neighbors in the same way.

Global key [41]: This key is shared between the base station and all the sensor nodes in the network. It is mainly used by the base station to distribute confidential messages to the whole network. A simple method of bootstrapping a group key is to preload each node with the global key before deployment. An important issue that arises immediately is the need to securely update the global key once the membership changes or a compromised node is detected. Such key renewal involves much communication overhead. However, Zhu et al. [29] proposed an efficient scheme based on cluster keys for which the transmission cost will be only one key. In WSNs, all messages sent by the base station must be authenticated; otherwise, an adversary may impersonate it. µTESLA, based on a one-way key chain and delayed disclosure of keys, is an efficient method to broadcast messages into a WSN. To bootstrap

chain. If $K'_g$ is the new group key and U is the node to be revoked, the base station broadcasts the following message M:

$\text{Controller} \to * : u \,\|\, f_{K'_g}(0) \,\|\, \mathrm{MAC}(k_i^T;\ u \mid f_{K'_g}(0)),$

where $f_{K'_g}(0)$ is the authentication key which enables a node to verify the authenticity of the global key $f_{K'_g}$ that it will receive later. The server then distributes the MAC key $k_i^T$ after one µTESLA interval. After a node V receives the message M, it verifies the authenticity of the message using µTESLA. If node V is a neighbor of U, V will remove its pairwise key shared with U and update its cluster key. Each node encrypts the renewed global key with its cluster key and transmits it to neighbors. This algorithm continues recursively until all the nodes have received the renewed key.
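The individual-key derivation and the four pairwise-key stages described above, as an added Python example that is not code from the thesis or from the LEAP authors. HMAC-SHA256 standing in for $f$, the MAC input layout in the ACK, and the class and function names are assumptions.

```python
import hashlib
import hmac

def f(key: bytes, data: bytes) -> bytes:
    """Pseudo-random function f_K(x). HMAC-SHA256 is an assumption; the page does not fix f."""
    return hmac.new(key, data, hashlib.sha256).digest()

def individual_key(master_km: bytes, node_id: bytes) -> bytes:
    """Base station side: K_u^m = f_{K^m}(u), regenerated on demand, never stored."""
    return f(master_km, node_id)

class Node:
    def __init__(self, node_id: bytes, initial_key: bytes):
        self.node_id = node_id
        self.initial_key = initial_key             # K_i, held only until the timer fires
        self.master_key = f(initial_key, node_id)  # own master key, kept after erasure
        self.pairwise = {}

    def ack(self, hello_id: bytes):
        """Responder V: answer a HELLO with its ID and a MAC under its master key K_v.
        The MAC input layout (u | v) is an assumption."""
        self.pairwise[hello_id] = f(self.master_key, hello_id)  # K_uv = f_{K_v}(u)
        return self.node_id, f(self.master_key, hello_id + b"|" + self.node_id)

    def on_ack(self, v_id: bytes, tag: bytes) -> bool:
        """Initiator U: rebuild K_v from K_i, check the ACK, then derive K_uv."""
        if self.initial_key is None:
            raise RuntimeError("K_i already erased; neighbor discovery is over")
        k_v = f(self.initial_key, v_id)
        if not hmac.compare_digest(tag, f(k_v, self.node_id + b"|" + v_id)):
            return False
        self.pairwise[v_id] = f(k_v, self.node_id)
        return True  # k_v is a local and is not retained by U

    def erase_initial_key(self):
        """Key erasure stage, run when the timer expires."""
        self.initial_key = None

def run_discovery():
    k_i = bytes(range(32))  # constructed sample initial key
    u, v = Node(b"U", k_i), Node(b"V", k_i)
    v_id, tag = v.ack(u.node_id)
    accepted = u.on_ack(v_id, tag)
    forged = u.on_ack(b"X", b"\x00" * 32)  # ACK built without knowledge of K_i
    u.erase_initial_key()
    v.erase_initial_key()
    return accepted, forged, u.pairwise[b"V"] == v.pairwise[b"U"], u.initial_key
```

After erasure a node keeps only its own master key and the pairwise keys, so it can still answer a later HELLO but can no longer verify an ACK itself.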

2.3.2 The Time-based Key Management Scheme

In order to minimize the portion of the network that is compromised when the initial key IK is disclosed, Jang et al. [1] split the lifetime of a sensor network into P time slots, and each time slot is assigned an initial key. As depicted in Figure 2.8, $T_j$ and $N_j$ represent a time slot and the group of nodes deployed during that time slot $T_j$, respectively. If a node is deployed at time slot $T_j$, the sensor node is preloaded with the initial key $IK_j$ and m master keys of randomly chosen time slots. Then the newly deployed node can establish pairwise keys with nodes which are deployed at the same or different time slots. Three situations exist for the establishment of pairwise keys.

1. All nodes in the same group $N_j$ ($1 \le j \le P$) are able to establish pairwise keys with each other using the initial key $IK_j$ during the time slot $T_j$.

2. Then, they are able to establish pairwise keys with other nodes which are deployed at different time slots, but have the master key derived from the current initial key. Suppose u is a node deployed at time slot $T_j$ and v is a node deployed before $T_j$. If the node v has the master key $K_{vj}$ which is derived from the initial key $IK_j$ for the time slot $T_j$, the node v can compute a pairwise key $K_{uv} = f_{K_{vj}}(u)$. The node u is also able to generate a master key of the node v, $K_{vj} = f_{IK_j}(v)$.

Figure 2.8: Key materials preloaded to nodes at different time slots in the scheme [1]

3. Finally, a pair of sensor nodes that do not share any keying material but are within each other’s communication range, can establish pairwise keys via proxy nodes.

2.3.3 Security Issues

LEAP efficiently establishes multi-level keys. LEAP is energy-efficient since it supports an in-network processing technique which greatly reduces network communication. LEAP can minimize the effects of a selective forwarding attack by restricting this problem to a local area. LEAP can also prevent a HELLO attack since the nodes accept packets only from authenticated neighbors. However, LEAP suffers from the sinkhole attack. In a sinkhole attack, a compromised node attracts packets by advertising information like high battery power, etc., then later drops all the packets [41]. Like many other key management protocols, LEAP assumes that sensor nodes are secure during the initialization phase and can be compromised after the phase. However, such an assumption could be incorrect. The security of LEAP depends mainly upon the initial key, which is erased from sensor nodes after the initialization phase. However, the same initial key IK should be used again for node addition after that phase, while the new node can be captured before removing the initial key. Therefore, the initial key IK should never be used for node addition in LEAP after the initial time $T_{min}$. Different initial keys are used for different time slots in the time-based key management scheme [1]. The threat caused by the disclosure of the initial key is eliminated. However, the key connectivity is constrained by the number of preloaded master keys m and the order of the current time slot. If m is far less than the lifetime P of the network, the key connectivity $\frac{m}{P-j}$ is far less than 1 at the time slots j ($j \le P/2$). On the contrary, if m is close to P, higher key connectivity can be achieved with a heavy burden on storage.

We consider the security problem of the established pairwise key between two nodes. The pairwise key does not exclusively belong to the two end nodes, and threats against confidentiality and authentication may arise from it. As shown in Figure 2 in [1], nodes of groups $N_1$, $N_2$, and $N_6$ are preloaded with master key $K_{u7}$, so the pairwise keys between any two groups of them are known by the other group. In addition, m master keys of randomly chosen time slots are preloaded to the nodes when they are deployed to the network without taking the lifetime of nodes into consideration. Suppose a node which can survive at most $G_w$ time slots is deployed at the j-th time slot with m master keys of randomly chosen time slots. Those master keys of the time slots from the $(j + G_w)$-th to the P-th would never be used. They waste the scant memory of sensor nodes.
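The cross-slot pairwise key derivation of Section 2.3.2 and the connectivity and storage limits discussed above, as an added Python example that is not code from the thesis or from Jang et al. HMAC-SHA256 as $f$, the sample initial keys, drawing the m master-key slots from the later slots j+1..P, and all function names are assumptions.

```python
import hashlib
import hmac
import random

def f(key: bytes, data: bytes) -> bytes:
    """PRF f_K(x); HMAC-SHA256 is an assumption, the page does not fix f."""
    return hmac.new(key, data, hashlib.sha256).digest()

P = 20  # number of time slots in the network lifetime
IK = {j: hashlib.sha256(b"IK%d" % j).digest() for j in range(1, P + 1)}  # constructed keys

def preload(node_id: bytes, j: int, m: int, rng: random.Random) -> dict:
    """Material for a node deployed at slot j: IK_j plus m master keys K_vt = f_{IK_t}(v).
    Drawing the m slots from the later slots j+1..P is an assumption."""
    slots = rng.sample(range(j + 1, P + 1), min(m, P - j))
    return {"id": node_id, "slot": j, "IK": IK[j],
            "masters": {t: f(IK[t], node_id) for t in slots}}

def key_at_old_node(v: dict, u_id: bytes, j: int):
    """v (deployed earlier) computes K_uv = f_{K_vj}(u), or None if it lacks K_vj."""
    k_vj = v["masters"].get(j)
    return None if k_vj is None else f(k_vj, u_id)

def key_at_new_node(u: dict, v_id: bytes) -> bytes:
    """u (deployed at T_j) rebuilds K_vj = f_{IK_j}(v), then K_uv = f_{K_vj}(u)."""
    return f(f(u["IK"], v_id), u["id"])

def unusable_masters(node: dict, g_w: int) -> list:
    """Preloaded master keys for slots from j + G_w onward, which the node never uses."""
    return sorted(t for t in node["masters"] if t >= node["slot"] + g_w)

def direct_connectivity(j_old: int, j_new: int, m: int, trials: int = 2000) -> float:
    """Fraction of slot-j_old nodes that can key directly with a slot-j_new node."""
    rng = random.Random(1)  # fixed seed so the run is repeatable
    u = preload(b"u", j_new, m, rng)
    hits = 0
    for n in range(trials):
        v = preload(b"v%d" % n, j_old, m, rng)
        k = key_at_old_node(v, u["id"], j_new)
        hits += k is not None and k == key_at_new_node(u, v["id"])
    return hits / trials
```

With P = 20, nodes deployed at slot 2 holding m = 3 master keys reach a slot-10 node directly in roughly m/(P − j) = 3/18 of cases; the remaining pairs need proxy nodes.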

2.4 Authentication Mechanisms in Key Management