1 key predistribution approach in wireless sensor networks using lu matrix author: hangyang dai and...

Post on 19-Jan-2016


1

Key Predistribution Approach in Wireless Sensor Networks Using LU Matrix

Author: Hangyang Dai and Hongbing Xu
Source: IEEE Sensors Journal, vol. 10, no. 8, pp. 1399-1409, Aug. 2010. (Impact Factor = 1.581)
Presenter: Yung-Chih Lu
Date: 2010/08/04

2

Outline

Introduction
Proposed Scheme
Performance & Security Evaluation
Conclusion

3

Introduction(1/4)

Wireless Sensor Network

Base station

[Figure: Sensor Architecture. Labels: location finding system, mobilizer, transceiver unit, sensing unit, processing unit, sensor, digital/analog converter, microprocessor, storage device, power unit, power generation]

4

Introduction(2/4) LU Matrix

Lower Triangular Matrix       Upper Triangular Matrix

5

Introduction(3/4)

Types of key agreement protocol:

Trusted-server: The trusted server shares a key with every node and transmits session keys to the nodes on request.

Public-key: Uses a public-key infrastructure.

Key predistribution: Keys are distributed to all sensor nodes prior to deployment.

6

Introduction(4/4)

Constraints:
Limited energy consumption
Low transmission range
Limited memory overhead

Requirements:
High network connectivity
Robust resilience against node capture
Low memory overhead

7

Eschenauer-Gligor Scheme(1/5) Key pre-distribution phase

L. Eschenauer and V. Gligor. “A Key-Management Scheme for Distributed Sensor Networks.” In Proc. 9th ACM Conference on Computer and Communication Security, pp. 41-47, Nov. 2002.

P = key pool size, k = key ring size

Pr[two key rings share at least one key]
= 1 - Pr[two nodes do not share any key]
= 1 - (C(P, k) / C(P, k)) × (C(k, 0) × C(P-k, k) / C(P, k))

=

Stirling’s approximation

:

=

Example1:

P=1000 , k=100

Pr =

≒ 1 - 3.8972×e-83/ 2.6517×e-78

≒ 1

Example2:

P=1000 , k=10

Pr =

≒ 1 - 2.2559×e-9 / 2.4955×e-9

≒ 1 - 0.9039 = 0.0961

8

Eschenauer-Gligor Scheme(2/5)

9

Eschenauer-Gligor Scheme(3/5) Key pre-distribution phase

[Figure: key pool (keys, key identities); key rings (k keys) held by the L-sensors around an H-sensor]

Key identity = key mod 2^32

H-Sensor: L-Sensors' IDs, L-Sensors' key identifiers and Kci

L-Sensor: k keys, key identifiers and Kci

Kci = EKx(ci), Kx = K1 ⊕ … ⊕ Kk

ci = H-Sensor ID

L-Sensor: Low-end sensor
H-Sensor: High-end sensor

10

Eschenauer-Gligor Scheme(4/5) Shared-key discovery

[Figure: L-sensors, each holding a key ring (k keys), around an H-sensor]

Step 1: Each L-sensor broadcasts a list of key identities.

Step 2: An L-sensor runs a challenge-response protocol if it finds a common key.

Challenge-response: Eki(α) is exchanged, and α = Dki[Eki(α)]
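The connectivity formula from slide 7 and the identity-based discovery step above, as an added example that is not part of the original slides. The function names, the 128-bit key length and the random pool are assumptions made for illustration; the identity rule (key mod 2^32) is the one stated on slide 9.

```python
# Added example (not from the slides): Eschenauer-Gligor key rings and discovery.
import random
from math import comb

ID_MOD = 2**32  # slide 9: key identity = key mod 2^32


def share_probability(P, k):
    """Exact Pr[two key rings of size k from a pool of size P share a key]."""
    return 1 - comb(P - k, k) / comb(P, k)


def min_ring_size(P, target):
    """Smallest ring size k whose share probability reaches the target."""
    return next(k for k in range(1, P + 1) if share_probability(P, k) >= target)


def make_pool(P, rng):
    """Constructed pool mapping key identity -> random 128-bit key (assumed size)."""
    pool = {}
    while len(pool) < P:  # the loop also absorbs a rare identity collision
        key = rng.getrandbits(128)
        pool[key % ID_MOD] = key
    return pool


def key_ring(pool, ids, k, rng):
    """Pre-distribution: k keys drawn without replacement from the pool."""
    return {i: pool[i] for i in rng.sample(ids, k)}


def discover(own_ring, broadcast_ids):
    """Shared-key discovery: identities present in both rings."""
    return sorted(set(own_ring) & set(broadcast_ids))


def simulate(P, k, pairs, seed=1):
    """Fraction of random node pairs that find at least one common key."""
    rng = random.Random(seed)
    pool = make_pool(P, rng)
    ids = sorted(pool)
    hits = 0
    for _ in range(pairs):
        a, b = key_ring(pool, ids, k, rng), key_ring(pool, ids, k, rng)
        hits += bool(discover(a, list(b)))  # b broadcasts identities only
    return hits / pairs


if __name__ == "__main__":
    print(share_probability(1000, 10), simulate(1000, 10, 3000))
    print(share_probability(1000, 100), min_ring_size(1000, 0.5))
```

The exact binomial form avoids Stirling's approximation and reproduces the two slide examples (P=1000 with k=10 and k=100).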

11

Eschenauer-Gligor Scheme(5/5) Path-key establishment

[Figure: L-sensors, each holding a key ring (k keys), around an H-sensor]

Ekc(kp)

Ekp(α)

α = Dkp[Ekp(α)]

12

Pairwise Key Predistribution Scheme(1/5) Galois Field

q elements (q is a prime number)
The field is closed under the additive and multiplicative operators
The notation is GF(q)
s is a primitive element

Example: GF(7)
3 mod 7 = 3
3^2 mod 7 = 2
3^3 mod 7 = 6
3^4 mod 7 = 4
3^5 mod 7 = 5
3^6 mod 7 = 1
The order of 3 is 6
3 is a primitive element

W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili. “A pairwise key predistribution scheme for wireless sensor networks.” ACM Trans. Inf. Syst. Secur., vol. 8, no. 2, pp. 228–258, 2005.

(1) linearly independent

(2) Node k only stores the seed sk

k=1,2,…,N

13

Pairwise Key Predistribution Scheme(2/5) Blom’s scheme

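D: a symmetric matrix of size (λ+1)×(λ+1)
G: a matrix of size (λ+1)×N

Example: N=2, λ=2, GF(7)

1X + 1Y = 0 …(1)
3X + 2Y = 0 …(2)
2X + 4Y = 0 …(3)
(2) - 2·(1): X = 0 …(4)
Substitute (4) into (1): X = Y = 0

$$D \cdot G = \begin{pmatrix} 1 & 6 & 2 \\ 6 & 3 & 5 \\ 2 & 5 & 2 \end{pmatrix} \begin{pmatrix} 1 & 1 \\ 3 & 2 \\ 2 & 4 \end{pmatrix} = \begin{pmatrix} 2 & 0 \\ 4 & 4 \\ 0 & 6 \end{pmatrix} \bmod 7$$

$$A = (D \cdot G)^T = \begin{pmatrix} 2 & 0 \\ 4 & 4 \\ 0 & 6 \end{pmatrix}^T = \begin{pmatrix} 2 & 4 & 0 \\ 0 & 4 & 6 \end{pmatrix}$$

$$A \cdot G = \begin{pmatrix} 2 & 4 & 0 \\ 0 & 4 & 6 \end{pmatrix} \begin{pmatrix} 1 & 1 \\ 3 & 2 \\ 2 & 4 \end{pmatrix} = \begin{pmatrix} 0 & 3 \\ 3 & 4 \end{pmatrix} \bmod 7$$

K12 = K21 = 3

The λ-secure property guarantees that no coalition of up to λ nodes (not including i and j) has any information about Kij or Kji.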
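The GF(7) example above, carried through in code and generalized to any prime q and any number of nodes. This is an added example, not code from the slides or the cited paper; the function names are hypothetical, and building column k of G from the seed s^k is the Vandermonde construction of the cited Du et al. scheme, which reproduces the slide's G for s=3.

```python
# Added example (not from the slides): Blom's scheme over GF(q).

def vandermonde_g(s, lam, n, q):
    """G is (lam+1) x n; column k (1-based) is (1, s^k, s^2k, ..., s^(lam*k)) mod q."""
    return [[pow(s, r * k, q) for k in range(1, n + 1)] for r in range(lam + 1)]


def matmul(X, Y, q):
    """Matrix product modulo q."""
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*Y)] for row in X]


def transpose(M):
    return [list(col) for col in zip(*M)]


def private_rows(D, G, q):
    """A = (D.G)^T; row i of A is the secret loaded onto node i."""
    if D != transpose(D):
        raise ValueError("D must be symmetric, otherwise K_ij != K_ji")
    return transpose(matmul(D, G, q))


def pairwise_key(a_row, g_col, q):
    """Node i: own private row of A times the peer's public column of G."""
    return sum(a * g for a, g in zip(a_row, g_col)) % q


def keys_agree(D, G, q):
    """True if K_ij == K_ji for every pair of nodes."""
    A, cols = private_rows(D, G, q), transpose(G)
    n = len(cols)
    return all(pairwise_key(A[i], cols[j], q) == pairwise_key(A[j], cols[i], q)
               for i in range(n) for j in range(i + 1, n))


# The slide's instance: N=2, lambda=2, GF(7), primitive element s=3
D_SLIDE = [[1, 6, 2], [6, 3, 5], [2, 5, 2]]
G_SLIDE = vandermonde_g(3, 2, 2, 7)

if __name__ == "__main__":
    A = private_rows(D_SLIDE, G_SLIDE, 7)
    cols = transpose(G_SLIDE)
    print("A =", A)
    print("K12 =", pairwise_key(A[0], cols[1], 7), "K21 =", pairwise_key(A[1], cols[0], 7))
```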

14

Pairwise Key Predistribution Scheme(3/5)Key pre-distribution phase

Step 1: Generating a G matrix

Step 2: Generating ω D matrices D1,…,Dω

Step 3: Calculating Ai = (Di · G)^T, i = 1,…,ω

Step 4: Selecting τ spaces per node, 2≦τ<ω

Example: ω=3, τ=2; each L-sensor stores (λ+1)×τ elements

[Figure: A1, A2, A3 at the H-sensor (Step 3); L1-Sensor with A1(1), A3(1) and seed s1, L2-Sensor with A2(2), A3(2) and seed s2 (Step 4); seed sk, k=1,…,N]

15

Pairwise Key Predistribution Scheme(4/5) Key agreement phase

Step 1: Each L-sensor broadcasts a message
message = L-sensor’s ID + the indices of the spaces + seed

Step 2: Two L-sensors can establish a common secret key if they both hold a common key space.

[Figure: around the H-sensor, the message passes between the L-sensor holding A1(1), A3(1) and seed s1 and the L-sensor holding A2(2), A3(2) and seed s2]

16

Pairwise Key Predistribution Scheme(5/5)

Pactual[two nodes share at least a space]
= 1 – Pactual[two nodes do not share any space]

17

Proposed Scheme(1/6) Blundo Polynomial-based protocol

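The setup server randomly generates a symmetric bivariate t-degree polynomial over a finite field Fq

Example: $f(x,y) = 4x^2y^2 + x^3y^1 + x^1y^3$

It’s a symmetric bivariate 3-degree polynomial

Coefficient matrix (row i, column j holds the coefficient of $x^i y^j$):

$$\begin{pmatrix} 0 & 0 & 1 \\ 0 & 4 & 0 \\ 1 & 0 & 0 \end{pmatrix}$$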

18

Proposed Scheme(2/6) Blundo Polynomial-based protocol

Step 1: Compute the polynomial shares (1: Lu-Sensor ID, 2: Lv-Sensor ID)

$f(1,y) = 4y^2 + y^1 + y^3$

$f(2,y) = 16y^2 + 8y^1 + 2y^3$

Step 2: The setup server loads the sensor node with the coefficients

Lu-Sensor: 1, 4, 1 (coefficients of $y^1$, $y^2$, $y^3$)
Lv-Sensor: 8, 16, 2 (coefficients of $y^1$, $y^2$, $y^3$)

Step 3: Each sensor node broadcasts its own ID

Step 4: The receiver uses the ID to compute a shared secret key
Kuv = f(u,v) = f(v,u) = Kvu

K12 = f(1,2) = 26 = f(2,1) = K21

[Figure: Lu-Sensor and Lv-Sensor with the H-sensor]
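The four steps above for the slide's polynomial, as an added example that is not part of the original slides. The function names are hypothetical and the field size Q is an assumption, chosen as a prime large enough that the slide's values (such as K12 = 26) do not wrap; the last two functions go beyond the slide's case and check agreement for a random symmetric polynomial of any degree t.

```python
# Added example (not from the slides): Blundo polynomial shares.
import random

Q = 2**31 - 1  # assumed prime field size, larger than every value on the slide


def slide_polynomial():
    """f(x,y) = 4x^2y^2 + x^3y + xy^3 as coeff[i][j] of x^i y^j, i, j = 0..3."""
    coeff = [[0] * 4 for _ in range(4)]
    coeff[2][2], coeff[3][1], coeff[1][3] = 4, 1, 1
    return coeff


def random_symmetric_polynomial(t, q, rng):
    """Random coefficients with coeff[i][j] == coeff[j][i], so f(x,y) = f(y,x)."""
    coeff = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            coeff[i][j] = coeff[j][i] = rng.randrange(q)
    return coeff


def share(coeff, node_id, q):
    """Coefficients of f(node_id, y) for y^0..y^t: the t+1 values loaded onto a node."""
    t = len(coeff) - 1
    return [sum(coeff[i][j] * pow(node_id, i, q) for i in range(t + 1)) % q
            for j in range(t + 1)]


def pairwise_key(own_share, peer_id, q):
    """Evaluate the stored univariate polynomial at the peer's broadcast ID (Horner)."""
    key = 0
    for c in reversed(own_share):
        key = (key * peer_id + c) % q
    return key


def all_pairs_agree(coeff, ids, q):
    """True if K_uv == K_vu for every pair of node IDs."""
    shares = {u: share(coeff, u, q) for u in ids}
    return all(pairwise_key(shares[u], v, q) == pairwise_key(shares[v], u, q)
               for u in ids for v in ids if u < v)


if __name__ == "__main__":
    f = slide_polynomial()
    print(share(f, 1, Q), share(f, 2, Q))
    print(pairwise_key(share(f, 1, Q), 2, Q), pairwise_key(share(f, 2, Q), 1, Q))
```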

19

Proposed Scheme(3/6) Polynomial predistribution phase

Polynomial pool (bivariate t-degree polynomial + unique ID)

Assuming that u11=1, u22=2, u33=3

20

Proposed Scheme(4/6) Polynomial predistribution phase

Randomly distribute one row of L and one column of U to each sensor node

r1: 1st row, c1: 1st column
r2: 2nd row, c2: 2nd column
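Handing each node one row of L and one column of U works because, for a symmetric matrix K = L·U, row i of L times column j of U equals K_ij = K_ji. An added sketch of that property, not code from the slides or the paper: the function names are hypothetical, plain integers modulo a small prime stand in for the matrix entries, the sample matrix is constructed (chosen so that U's diagonal is 1, 2, 3 as assumed on the previous slide), and the exchange of U columns between two nodes is an assumption.

```python
# Added example (not from the slides): row/column shares from an LU decomposition.
Q = 13  # assumed small prime field, for readability

# Constructed symmetric sample matrix (not taken from the slides)
K_SAMPLE = [[1, 2, 3], [2, 6, 1], [3, 1, 5]]


def lu_mod(K, q):
    """Doolittle LU over GF(q): K = L.U with a unit diagonal in L."""
    n = len(K)
    L = [[int(i == j) for j in range(n)] for i in range(n)]
    U = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i, n):
            U[i][j] = (K[i][j] - sum(L[i][m] * U[m][j] for m in range(i))) % q
        if U[i][i] == 0:
            raise ValueError("zero pivot: choose another symmetric matrix")
        inv = pow(U[i][i], -1, q)  # modular inverse of the pivot
        for j in range(i + 1, n):
            L[j][i] = (K[j][i] - sum(L[j][m] * U[m][i] for m in range(i))) * inv % q
    return L, U


def node_share(L, U, i):
    """Node i is preloaded with row i of L and column i of U."""
    return L[i], [row[i] for row in U]


def pair_value(own_row, peer_col, q):
    """Own row of L times the peer's column of U (assumed to be exchanged)."""
    return sum(a * b for a, b in zip(own_row, peer_col)) % q


def all_pairs_agree(K, q):
    """True if both nodes of every pair derive the same entry K_ij = K_ji."""
    L, U = lu_mod(K, q)
    shares = [node_share(L, U, i) for i in range(len(K))]
    return all(pair_value(shares[i][0], shares[j][1], q) == K[i][j] % q
               == pair_value(shares[j][0], shares[i][1], q)
               for i in range(len(K)) for j in range(len(K)) if i != j)


if __name__ == "__main__":
    L, U = lu_mod(K_SAMPLE, Q)
    print("L =", L)
    print("U =", U)
    print("all pairs agree:", all_pairs_agree(K_SAMPLE, Q))
```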

21

Proposed Scheme(5/6) Shared key establishment phase

MAC: message-authentication code
CLR: is a confirmation

To Match or Not To Match?

SB: node B’s ID

22

Proposed Scheme(6/6)

Step 1: Generating a polynomial pool (ω polynomials) P1,…,Pω

Step 2: Selecting τ polynomials per node, 2≦τ<ω

Example: ω=3, τ=2; each L-sensor stores (t+1)×τ elements

[Figure: P1, P2, P3 at the H-sensor (Step 1); L1-Sensor with P1(r1), P1(c1), P3(r1), P3(c1) and L2-Sensor with P2(r2), P2(c2), P3(r2), P3(c2) (Step 2)]

23

Performance & Security Evaluation(1/4)

24

Performance & Security Evaluation(2/4) network connectivity

25

Performance & Security Evaluation(3/4) resilience against node capture

k=400

26

Performance & Security Evaluation(4/4) memory overhead

Compare with Blundo scheme

27

Conclusion

High network connectivity
Memory space saving
Certain threshold
Node to node authentication
