Message Overhead

In this section we present our emulation results with regard to message overhead of our basic and extended key distribution scheme. We measure the total number of packets sent during network setup and key establishment. Note that the key graph structure does not affect the mes-sage overhead caused by our extended approach: For network setup, only a constant number of

6.4 EMULATION 145

packets are needed to exchange the initial keys and for key exchange. For key establishment, all messages will be sent over all edges, regardless of the structure of the graph. Hence, in the following emulations we do not distinguish between different graph structures.

Network Setup

In this experiment we counted the total number of packets sent when setting up the network, i.e. packets needed for incrementally building the key graph by adding nodes one to n. We performed our experiment for the basic approach utilizing the MF algorithm and the extended approach using the configuration device method (see Section5.5). In both cases we used s = 2, s= 4 and s = 6 as our security level. The cumulated results for these experiments are presented in Figure6.4.

0 5000 10000 15000 20000 25000 30000 35000 40000 45000 50000

0 25 50 75 100 125 150 175 200 225 250

#nodes

#packets

Extended (s=2) Extended (s=4) Extended (s=6) Basic (MF, s=2) Basic (MF, s=4) Basic (MF, s=6)

Figure 6.4: Total messages during network setup

We can see a very slow linear growth in the messages needed when using the extended ap-proach. This can easily be seen: Introducing a new device into the network requires a constant number of packets to communicate the neighbor-lists to the configuration device and another ksmessages to store the first s new keys of the new device on already existing devices. Hence, when each device needs a constant number of packets, introducing n devices needs O(n) pack-ets leading to the linear growth. Note, when using e.g. the manual physical contact or the static

pre-distribution method there would be no message overhead at all when using the extended approach.

The basic approach using the MF algorithm as the path search algorithm shows a quadratic growth. The reason for this is that whenever a single device is added to the network, the global view which is stored on every device needs to be updated. Hence, a new device which is introduced in the network must communicate its presence to all existing devices. This is done most effectively by flooding the network. Hence, introducing a single device leads to a linear overhead of messages. Therefore for introducing n devices n-times linear overhead is needed, hence quadratic growth.

Key Establishment

In this experiment we evaluated the message overhead produced by our basic and our extended key distribution scheme during key establishment. We counted the total number of packets sent during the establishment of a new key between two arbitrary devices. Again we chose a security level of s = 2, s = 4 and s = 6. However, the security level s influences only the extended key establishment algorithm while for the basic key establishment algorithm the difference between different s-values is negligible. Furthermore, we used Equation6.13to calculate the number of packets sent. The analytical and simulated results are presented in Figure6.5.

0

Figure 6.5: Total messages during key establishment

6.5 DISCUSSION 147

In this scenario, the basic approach using the MF algorithm for path search clearly uses less messages than the extended key establishment algorithm. The basic approach can trade off memory for network traffic: The only packets needed for key establishment are those that transport the actual key shares. The plotted line representing the basic approach shows the worst-case effort needed to do this.

The extended approach requires more messages, but still manages a linear growth rate with respect to the number of devices. This is simply due to the flooding nature of our extended approach, i.e. messages must reach any device in the network in order to find the right one.

6.4.5 Summary

In this section we complemented our analytical results from previous sections with experimen-tal results. On the one hand, these results are inline with our analytical model. On the other hand we gained more precise insight in the dependence of our algorithms from the path search algorithm. With these results in mind it is now possible to discuss in which scenario which algorithm should be used.

6.5 Discussion

We provided in this chapter an evaluation of our key distribution schemes. We can conclude that our extended approach is always better with respect to the attacker resilience. Furthermore, the memory requirements are constant in the case of a k-degree key graph structure and sub-linear otherwise. Thus, from the point of memory footprint this algorithm can scale infinitely.

In contrast, the network traffic during key establishment grows linearly and therefore limits scalability. However, this is a general problem of a reactive algorithm that does not use any knowledge about the network: The only way to ”find” another device is to query all other de-vices, i.e. communicate with (n − 1) devices. Thus, for a reactive algorithm with no additional information linear growth is also the lower bound. Therefore, the extended key distribution scheme represents a good trade-off between memory requirements and network traffic. We achieve constant memory requirements while causing linear growth in network traffic, which is the lower bound for reactive algorithms.

Analyzing the memory overhead and the message overhead of our basic and fault-tolerant ap-proach, we found that the approaches are slightly better than the extended approach. However, as showed in our simulated experiments, this effect is countered and completely eradicated when taking the path search algorithm into account. Hence, the overhead of the basic and fault-tolerant approach is completely dominated by the path search algorithm.

Analyzing our experimental results with respect to the path search algorithm we can conclude that global view algorithms can be used in small networks, since the memory overhead for the global view quickly grows larger than the available memory on resource-constrained devices.

Therefore, in large networks global view algorithms should be avoided. As already discussed in Section3.5the distributed algorithms for path search are a good alternative. However, the best known distributed algorithm by Ogier and Shacham [ORS93] uses logarithmic memory and quadratic communication overhead in order to find node-disjoint paths, which is still a higher overhead than our extended key distribution algorithm needs.

In conclusion, our extended key distribution scheme outperforms our basic and fault-tolerant approach in all performance metrics. as showed in our analysis, the attacker resilience of our extended approach is always better. With respect to memory and communication overhead the basic and fault-tolerant approach is only as good as the path search method used. However, there is no path search algorithm available which uses less memory and/or communication overhead than our extended approach.

7

Related Work

In this chapter we present existing key distribution schemes and compare them to our approach.

The chapter is structured as follows: First we discuss key distribution schemes in other applica-tion areas, namely classical internet-based schemes in Secapplica-tion7.1and key distribution schemes for mobile ad hoc networks in Section7.2. After that we focus more closely on key distribution in wireless sensor networks (Section7.3). Finally, we give a summary of this chapter including a tabular overview of all existing approaches with respect to our requirements as presented in Section2.2. This comparison once again shows the novelty of our approach.

7.1 Classical Key Distribution Schemes

In the early days of cryptography, communication partners agreed on a set of algorithms to en-/decrypt messages. These algorithms were known only to these communication partners, i.e.

the common secret between the partners were the cryptographic algorithms used. In modern cryptographic systems, the used algorithms are well known to all participants of the system.

Instead of a set of algorithms, communication partners exchange keys that are used in the algorithms.

The earliest approach for a key exchange scheme is the Diffie-Hellman key exchange algo-rithm [DH76] used e.g. by Secure Socket Layer (SSL) [FKK96], its successor Transport Layer Security(TLS) [DA99], and the Internet Key Exchange (IKE) protocol [HC98]. It allows two communication partners to securely establish a common symmetric key using asymmetric cryp-tographic operations, i.e. modular arithmetic. However, pure Diffie-Hellman is vulnerable to man-in-the-middle attacks, as the communication partners are not authenticated. To solve this problem, the communication partners can sign their messages [DvOW92]. This requires a cer-tification infrastructure, e.g. based on the X.509 ITU-T recommendation [X.597].

149

Another well known approach to exchange keys is the Kerberos system [KN93]. Kerberos is a variation of the Needham-Schroeder algorithm [NS78] which uses a central trusted author-ity to exchange keys securely and reliably. In contrast to Diffie-Hellman, Kerberos relies on symmetric cryptography only.

Classical key distribution schemes do not fulfill our requirements concerning decentralized operation (Section2.2) and reliance on symmetric cryptography (Section2.2) and thus cannot be used in wireless sensor networks with highly resource-constrained devices.