providing end-to-end secure communications in wireless sensor networks

14
IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 8, NO. 3, SEPTEMBER 2011 205 Providing End-to-End Secure Communications in Wireless Sensor Networks Wenjun Gu, Neelanjana Dutta, Sriram Chellappan, and Xiaole Bai Abstractβ€”In many Wireless Sensor Networks (WSNs), pro- viding end to end secure communications between sensors and the sink is important for secure network management. While there have been many works devoted to hop by hop secure communications, the issue of end to end secure communications is largely ignored. In this paper, we design an end to end secure communication protocol in randomly deployed WSNs. Specifically, our protocol is based on a methodology called differentiated key pre-distribution. The core idea is to distribute different number of keys to different sensors to enhance the resilience of certain links. This feature is leveraged during routing, where nodes route through those links with higher resilience. Using rigorous theoretical analysis, we derive an expression for the quality of end to end secure communications, and use it to determine optimum protocol parameters. Extensive performance evaluation illustrates that our solutions can provide highly secure communications between sensor nodes and the sink in randomly deployed WSNs. We also provide detailed discussion on a potential attack (i.e. biased node capturing attack) to our solutions, and propose several countermeasures to this attack. Index Termsβ€”Sensor networks, security, key management. I. I NTRODUCTION W IRELESS Sensor Networks (WSNs) are envisaged in military, emergency and surveillance applications today, where sensor nodes need to send sensed data to the sink. In many applications under hostile environment, sensor nodes cannot be deployed deterministically and thus are randomly deployed into the field. An important requirement in network management of many mission critical applications is to secure end to end sensor networks data from being eavesdropped by the attacker. While there have been many works devoted to hop by hop secure communications in WSNs, the issue of end to end secure communications is largely ignored. This is mainly due to the fact that there exist two intuitive approaches to provide a high degree of end to end secure communications in WSNs: βˆ™ The first one is distributing a unique pairwise key into each sensor and the sink prior to deployment, and letting each sensor use this pairwise key to encrypt the commu- nications with the sink; Manuscript received October 16, 2010; revised March 7 and May 3, 2011. The associate editor coordinating the review of this paper and approving it for publication was E. Bertino. W. Gu is with Microsoft, USA (e-mail: [email protected]). N. Dutta and S. Chellappan are with the Department of Computer Sci- ence, Missouri University of Science and Technology, Rolla, USA (e-mail: [email protected], [email protected]). X. Bai is with the Department of Computer and Information Science, University of Massachusetts, Dartmouth, USA (e-mail: [email protected]). Digital Object Identifier 10.1109/TNSM.2011.072611.100080 βˆ™ The second one is simply providing hop by hop secure communications between neighboring sensors in the net- work. It is in general believed that in this way end to end secure communications can naturally be achieved via hop by hop encryption/decryption. The first approach has critical limitations in multi-hop WSNs since it precludes the possibility of intermediate sensors performing encryption/decryption along the path. This feature is necessary for interpreting and aggregating data at interme- diate sensors to save energy (a critical requirement in WSNs), authenticating received data to defend against fake packets injection attack, denial of service attack etc. Hence in WSNs, we need to use hop by hop based encryption/decryption in providing end to end secure communications. The second approach works well if all links in the network are highly resilient. However, it is very hard, if not impossible, to achieve high resilience for all the links in randomly deployed WSNs. This is due to inherent resource limitation of sensor, nature of random deployment and presence of attacks. In fact, with random key pre-distribution (RKP) [1] based schemes, a majority of links in the network have low resilience under reasonable memory constraint and even under mild attack strength, which restricts room for providing a high degree of end to end secure communications. In the following, we give an example to illustrate this fact. In order to provide secure communications between neigh- boring nodes in randomly deployed WSNs, Random key pre- distribution (RKP) was proposed [1]. In its basic version, each sensor is pre-distributed with distinct keys randomly chosen from a large pool of keys. After deployment, neighboring nodes use these pre-distributed keys to establish a pairwise key between them. Communications between neighboring sensors in each hop are encrypted/decrypted using these pairwise keys. Many key management protocols have been proposed based on key pre-distribution [2], [3], [4], [5], [6], [7], etc., each one improving upon one or more features of [1]. The resilience of each hop (link) can be reflected by the number of shared pre-distributed keys in the link. It is known that under uniform key distribution, i.e. each sensor pre- distributed with equal number of keys, will achieve maximum average number of shared pre-distributed keys in each link. However, there is an inherent limitation in uniform key dis- tribution as demonstrated in Fig. 1. In Fig. 1, we have 1000 nodes randomly deployed in a circular network with radius 500 , where = 40, = 10000 and communication range of each node is 100 . We can see that a majority of links have low resilience (i.e., small number of shared keys), while the percentage of links that are highly resilient is quite 1932-4537/11/$25.00 c ⃝ 2011 IEEE

Upload: korisnikkk

Post on 18-Apr-2015

23 views

Category:

Documents


1 download

TRANSCRIPT

Page 1: Providing End-To-End Secure Communications in Wireless Sensor Networks

IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 8, NO. 3, SEPTEMBER 2011 205

Providing End-to-End Secure Communications inWireless Sensor Networks

Wenjun Gu, Neelanjana Dutta, Sriram Chellappan, and Xiaole Bai

Abstractβ€”In many Wireless Sensor Networks (WSNs), pro-viding end to end secure communications between sensors andthe sink is important for secure network management. Whilethere have been many works devoted to hop by hop securecommunications, the issue of end to end secure communicationsis largely ignored. In this paper, we design an end to endsecure communication protocol in randomly deployed WSNs.Specifically, our protocol is based on a methodology calleddifferentiated key pre-distribution. The core idea is to distributedifferent number of keys to different sensors to enhance theresilience of certain links. This feature is leveraged duringrouting, where nodes route through those links with higherresilience. Using rigorous theoretical analysis, we derive anexpression for the quality of end to end secure communications,and use it to determine optimum protocol parameters. Extensiveperformance evaluation illustrates that our solutions can providehighly secure communications between sensor nodes and the sinkin randomly deployed WSNs. We also provide detailed discussionon a potential attack (i.e. biased node capturing attack) to oursolutions, and propose several countermeasures to this attack.

Index Termsβ€”Sensor networks, security, key management.

I. INTRODUCTION

W IRELESS Sensor Networks (WSNs) are envisagedin military, emergency and surveillance applications

today, where sensor nodes need to send sensed data to the sink.In many applications under hostile environment, sensor nodescannot be deployed deterministically and thus are randomlydeployed into the field. An important requirement in networkmanagement of many mission critical applications is to secureend to end sensor networks data from being eavesdropped bythe attacker. While there have been many works devoted tohop by hop secure communications in WSNs, the issue ofend to end secure communications is largely ignored. This ismainly due to the fact that there exist two intuitive approachesto provide a high degree of end to end secure communicationsin WSNs:

βˆ™ The first one is distributing a unique pairwise key intoeach sensor and the sink prior to deployment, and lettingeach sensor use this pairwise key to encrypt the commu-nications with the sink;

Manuscript received October 16, 2010; revised March 7 and May 3, 2011.The associate editor coordinating the review of this paper and approving itfor publication was E. Bertino.

W. Gu is with Microsoft, USA (e-mail: [email protected]).N. Dutta and S. Chellappan are with the Department of Computer Sci-

ence, Missouri University of Science and Technology, Rolla, USA (e-mail:[email protected], [email protected]).

X. Bai is with the Department of Computer and Information Science,University of Massachusetts, Dartmouth, USA (e-mail: [email protected]).

Digital Object Identifier 10.1109/TNSM.2011.072611.100080

βˆ™ The second one is simply providing hop by hop securecommunications between neighboring sensors in the net-work. It is in general believed that in this way end to endsecure communications can naturally be achieved via hopby hop encryption/decryption.

The first approach has critical limitations in multi-hopWSNs since it precludes the possibility of intermediate sensorsperforming encryption/decryption along the path. This featureis necessary for interpreting and aggregating data at interme-diate sensors to save energy (a critical requirement in WSNs),authenticating received data to defend against fake packetsinjection attack, denial of service attack etc. Hence in WSNs,we need to use hop by hop based encryption/decryption inproviding end to end secure communications.

The second approach works well if all links in the networkare highly resilient. However, it is very hard, if not impossible,to achieve high resilience for all the links in randomlydeployed WSNs. This is due to inherent resource limitationof sensor, nature of random deployment and presence ofattacks. In fact, with random key pre-distribution (RKP) [1]based schemes, a majority of links in the network have lowresilience under reasonable memory constraint and even undermild attack strength, which restricts room for providing a highdegree of end to end secure communications. In the following,we give an example to illustrate this fact.

In order to provide secure communications between neigh-boring nodes in randomly deployed WSNs, Random key pre-distribution (RKP) was proposed [1]. In its basic version, eachsensor is pre-distributed with π‘˜ distinct keys randomly chosenfrom a large pool of 𝐾 keys. After deployment, neighboringnodes use these pre-distributed keys to establish a pairwise keybetween them. Communications between neighboring sensorsin each hop are encrypted/decrypted using these pairwise keys.Many key management protocols have been proposed basedon key pre-distribution [2], [3], [4], [5], [6], [7], etc., each oneimproving upon one or more features of [1].

The resilience of each hop (link) can be reflected by thenumber of shared pre-distributed keys in the link. It is knownthat under uniform key distribution, i.e. each sensor pre-distributed with equal number of keys, will achieve maximumaverage number of shared pre-distributed keys in each link.However, there is an inherent limitation in uniform key dis-tribution as demonstrated in Fig. 1. In Fig. 1, we have 1000nodes randomly deployed in a circular network with radius500 π‘šπ‘’π‘‘π‘’π‘Ÿπ‘ , where π‘˜ = 40, 𝐾 = 10000 and communicationrange of each node is 100 π‘šπ‘’π‘‘π‘’π‘Ÿπ‘ . We can see that a majorityof links have low resilience (i.e., small number of shared keys),while the percentage of links that are highly resilient is quite

1932-4537/11/$25.00 c⃝ 2011 IEEE

Page 2: Providing End-To-End Secure Communications in Wireless Sensor Networks

206 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 8, NO. 3, SEPTEMBER 2011

Fig. 1. Percentage of links with varying number of shared keys.

low. This clearly restricts the room for routing protocols tochoose more resilient links during end to end communications.Installing more keys into each node is not always preferablesince it enables the attacker to disclose more keys upon nodecaptures, which could again compromise the link resilience.

Our Contributions: In this paper, we design an end to endsecure communication protocol in randomly deployed WSNs.The contributions of our work are four-fold:

βˆ™ We propose a methodology called differentiated key pre-distribution for end to end secure communications inrandomly deployed WSNs. Our protocol is based on thismethodology. The core idea of the methodology is to pre-distribute different number of keys to different nodes. Bydistributing more keys to some nodes, the links betweenthose nodes tend to have much higher resilience thanthe link resilience under uniform key pre-distribution.These high resilient links are preferred during routingto enhance the end to end secure communications. Forfairness in analysis, we keep the average number of keysper node in our scheme the same as that in uniform keypre-distribution. Assuming that the probability of nodecapture is the same for all nodes, the attack impact (i.e.,expected number of unique keys disclosed under nodecapturing attack) remains the same in both uniform andour heterogeneous key distribution scheme, making per-formance comparisons fair. Furthermore, we also discussimpact of biased node capturing attacks in this paper.

βˆ™ Based on the above methodology, we design a newend to end secure communication protocol in WSNs.In our protocol, links with high resilience are preferredcompared to links with low resilience during routing tosink node. Besides, we apply alternative path routingamong high resilience links to achieve good balancebetween end to end secure communications and lifetime.

βˆ™ We conduct a rigorous theoretical study on the proposedprotocol, and determine the optimal way to differentiallypre-distribute keys into nodes. Our major performancemetric is the probability that the sink can receive amessage from a sensor without it being disclosed to theattacker (denoted as 𝑃𝑒2𝑒). We first derive the expressionsfor 𝑃𝑒2𝑒. Based on the expressions, we show how todetermine the optimal way to differentially pre-distributekeys into nodes to maximize the value of 𝑃𝑒2𝑒. All ourresults are further validated using extensive simulations,

which confirm that end to end secure communicationscan be significantly improved by our solutions.

βˆ™ We conduct an investigation on the certain advancedattacks (called biased node capturing attacks) to ourproposed scheme. We find that our scheme does not incurserious vulnerability to such advanced attacks. Neverthe-less, to further minimize the vulnerability, we propose avariety of countermeasures against such attacks.

Paper Organization: The rest of the paper is organizedas follows. In Section II, we discuss related works. Wediscuss our differentiated key pre-distribution methodology,and present our end to end secure communication protocol inSections III and IV respectively. We study advanced attacksin Sections V, and finally conclude this paper in Section VI.

II. BACKGROUND AND RELATED WORK

A. 𝑅𝐾𝑃 based Schemes

In this section, we provide a brief background on randomkey pre-distribution (𝑅𝐾𝑃 ) schemes, attack models and per-formance metrics in randomly deployed WSNs.

Basic 𝑅𝐾𝑃 Scheme: A well accepted scheme for securecommunications in randomly deployed WSNs is random keypre-distribution (RKP) [1], where there are two stages. Atthe key pre-distribution stage, each node is pre-distributedwith π‘˜ distinct keys randomly chosen from a large poolof 𝐾 keys, and then nodes are randomly deployed. At thepairwise key establishment stage, each node first obtains itsneighborhood information. If two neighbors share one or morepre-distributed keys, they establish a pairwise key in betweendirectly. To do so, one node can generate a random pairwisekey and send it to its neighbor encrypted with their sharedkeys. For two neighbors that do not share pre-distributed key,they will use neighboring nodes, called proxies, to constructkey paths for pairwise key establishment using above process.

Variants of 𝑅𝐾𝑃 Scheme: Many variants have beenproposed based on the above idea of key pre-distribution inWSNs, including for homogeneous sensor networks, heteroge-neous sensor networks and also (more recently) mobile sensornetworks. While some works focus primarily on extensionsto the basic scheme, other works focus on more involvedextensions. In this section, we provide a detailed descriptionof well known and recent works in this area.

We first discuss important related work on key managementin homogeneous sensor networks, where the number of keysdistributed per node is the same, and the network topologyis flat. In order to overcome the resilience of the basic keymanagement protocol in [1], in [2] and [7], multiple key pathsare used to enhance resilience of the link between two nodes.However, exploiting high resilience key paths for routing is notdiscussed. In [4] and [5], keys are pre-distributed accordingto well known optimization designs, which helps increasekey sharing between nodes. In [3] and [6], each sensor ispre-distributed with π‘˜ key structures (vectors or polynomials)from a key structure pool, where each key structure hasdegree πœ†. In such schemes, no key structure is discloseduntil at least πœ†+1 nodes pre-distributed with this key structureare captured. When πœ† = 0, this scheme degrades to thebasic RKP scheme. In [8], a similar technique is proposed

Page 3: Providing End-To-End Secure Communications in Wireless Sensor Networks

GU et al.: PROVIDING END-TO-END SECURE COMMUNICATIONS IN WIRELESS SENSOR NETWORKS 207

called Triangle based key management, in which deploymentinformation about expected locations of nodes and polynomialbased key predistribution are used. The idea is to divide thenetwork into triangular cells, each of which is associated witha unique random bivariate polynomial. Each sensor node isprovided with a set of polynomials belonging to cells nearestto the nodes. Based on this structure, direct key and multi-hop(indirect) key establishment protocols are developed, alongwith mechanisms for key revocation and additions.

There are works on key management in heterogeneoussensor networks. The work in [9] is most similar to ours.In [9], cluster heads are distributed with more keys thannormal sensors. However, in analysis of [9], cluster heads areassumed to be equipped with a fast encryption/deletion algo-rithm to protect their supplementary keys from compromise.The authors also admit that successful capturing of a clusterhead node can severely compromise the resilience of theirscheme. The resilience degradation is our protocol is muchmore graceful under attacks. Secondly, the protocol proposedin [9] is only for pair-wise key establishment. We propose tworesilience aware routing protocols: data centric and locationcentric protocols in this paper that further exploit the idea ofdifferentiated keys among sensors. Also, the work in [9] onlymentions biased node capture attacks, while we discuss biasednode capture attacks and design countermeasures against themin this paper. In [10], a key management scheme is proposed,where sensor nodes are organized into multiple hierarchiesusing a tree structure. The keys are divided in differentcategories such as cluster key (shared among all membersof the cluster), intermediate key (shared between a smallersubset of cluster members) and private key of each sensor(used to communicate with cluster head). In our scheme, wedo not use different cluster head keys, but rather use samekey pools that reduces complexity during key pre-distributionand subsequent pair-wise set-up. Also, the scheme in [10]suffers from poor resilience under node compromises. In [11],a protocol for cluster-head selection is proposed, and ideasare proposed for key additions and revocations under networkdynamics via one-way hash functions. Trust protocols aredesigned during initial cluster setup. Periodic use of hashfunctions for key revocation and refreshment however canbe energy consuming. In [12], a scheme is proposed forheterogeneous sensor networks wherein sensors use initialkeys to securely establish trust with their peers. This happensunder a safe period when there are no attacks. Subsequently,energy efficient key management protocols are designed as afunction of desired degree of secure communications.

In [13], more complicated security designs are envisionedfor secure sensor networks like non-group confidentiality, for-ward confidentiality and backward confidentiality. The paperassumes a safe period when secrets are established. Tech-niques are proposed for key revocation under compromises,although it is not quite clear as to how compromises canbe detected. A similar idea is also proposed in [14], forsimilar requirements except that bi-variate polynomials areused instead of symmetric keys. In [15], a robust and securekey management scheme for hierarchical sensor networksusing self-healing mechanisms is proposed. The focus is ongroup key distribution, wherein the idea is a combination of

reverse and forward hash chains. The paper also deals withattacks against individual nodes and group heads. The protocolensures security of un-compromised nodes until a minimumnumber of nodes are compromised in the same group. In [16]also, protocols are proposed for group communications amongsensors and cluster-heads. The approach uses symmetric keysthroughout, and also proposes a protocol for cluster-headselection to maximize chances of key sharing with sensorsin the group. Protocols are also designed for authentication ofpackets and nodes, and confidentiality for important packets inthe network. Other works like [17]–[19] propose ideas for keymanagement in hierarchical sensor networks emphasizing onaspects like key updation and revocation, energy efficiency,and mitigating attacks like guessing attacks, replay attacks,man-in-the-middle and denial of service attacks. Unfortu-nately, the downsides of such works are in the complexityin key pre-distribution and subsequent pairwise key set-up,which increases overhead. Furthermore, it is not quite clearas to how such schemes perform under biased node captureattacks. Nevertheless, we believe that the works referencedabove are orthogonal to our contributions in this paper whichfocuses primarily on data confidentiality of end-to-end securecommunications. Extending our techniques for incorporatingadditional security requirements within the network would aninteresting area of future work.

In the recent past, there have been a host of orthogo-nal dimensions where random key pre-distribution has beenadapted in sensor networks. While works in [20]–[27] usedeployment knowledge (i.e., partial knowledge of sensor lo-cations in the network) to enhance pair-wise key set-up amongnodes, exploiting traffic models in sensor networks for securecommunications is studied in [28] based on the premise thattraffic patterns are governed by network topologies which isexploited during key set-up and data delivery. There have alsobeen works in sensor network key management where princi-ples of Genetic Algorithms are used for key management [29],[30]. In [30], genetic algorithms are used to optimize memoryusage, power control and computational security in sensornetworks. In [29], genetic algorithms are used to optimizenetwork performance from the perspective of operation cost,security and survivability.

Mobile sensor networks have recently been studied in [31],[32], [33], [34], and there have been some recent efforts on keymanagement on them. In [35], a pair-wise key managementin sensor networks is proposed where sensors can move fromone network to another. If a sensor is allowed to roam fromone network to another, it has to communicate with differentbase stations, and hence it should have shared keys with thenew base stations. Attackers might fake as a new incomingsensor to a network to know the key of the network basestation. So the base station needs authentication of incomingnodes. The paper proposes a secure authorization schemeand pair-wise key establishment between the roaming sensorand the new base stations that it needs to communicatewith. In [36], security, integrity and authentication services inwireless sensor and actor networks are studied. Such networksconsist of static sensors and resource rich actor nodes (thatare also mobile), which are responsible for more sophisti-cated responses to sensed events without human intervention.

Page 4: Providing End-To-End Secure Communications in Wireless Sensor Networks

208 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 8, NO. 3, SEPTEMBER 2011

The authors propose to divide the wireless sensor and actornetwork into upper and lower layers, with the lower layerusing symmetric key management, and the upper layer usingasymmetric key cryptography. Similarly in [37], a scheme isproposed for group based key management that can be usedfor both static and mobile sensor networks. The objective isto provide secure communication, data confidentiality usingsecure data aggregation and resilience. The network is dividedinto clusters and homomorphic encryption is used. The schemesupports inter and intra cluster roaming of sensors.

There have also been recent works on key pre-distributionfor real life sensor network missions. In [38], a sensor networkkey management is proposed for process control systems tosecure both forward (future key secrecy to captured nodes) andbackward (past key secrecy to new incoming nodes) secrecy.The paper proposes a scheme that updates shared symmetrickeys between a node or group of nodes and network managerof PCA/SCADA. The work specially focuses on enhancingsecurity in the remote fields which are the weakest componentsin SCADA. The attack model is node capture attack whichmight lead to software corruption, impersonation attack, futurekey disclosure etc. They use a hash key chain for group keyupdate and pair-wise key update. In [39], a mathematicalanalysis of random key pre-distribution in sensor networksis attempted, from the perspective of network connectivity.The authors conduct a mathematical analysis to show thatthe number of communication links needed for a sensor toassure complete network connectivity is very large in real lifeapplications. They do an analysis then showing that undernode failures, faults and interference, the actual number ofneighbors can be fewer in real-time sensor network operations.

Orthogonally, there are also works that address end-to-endsecure communications in sensor networks without randomkey pre-distribution techniques. One particularly interestingwork is [40], that primarily focuses on end-to-end data con-fidentiality by performing intermediate data aggregation viahomomorphic encryption techniques. In their technique, eachsensor can derive its own private key based on a master secret,which is only known to the sink. Then, all data from sensorsis encrypted with keys of other sensors via a homomorphicencryption technique that allows aggregation on encrypteddata hop by hop, which can then be recovered by the sink. Thedownside of such attempts is that while in-network aggrega-tion is done, in-network processing (encryption/ decryption)of data cannot be directly accomplished. As we know, thereare several advantages with in-network processing of data likein-network (and local) aggregation, localized verification ofdata trust and integrity, local filtering of malicious data etc.Furthermore, in applications where the sink needs to knowindividual data (and not just aggregates), the work in [40] haslimited applicability. Our work is different in the sense thatwe are focusing on end-to-end secure communications via acombination of key management and routing techniques inthe network, while still retaining the advantages of in-networkaggregation.

Attack Models: In the standard attack model used insecure communications in WSNs [2], [1], [7], etc., the attackerlaunches two types of attacks. In node capturing attack, theattacker physically captures a certain percent of sensor nodes,

and is able to disclose the pre-distributed and pairwise keysstored in those captured nodes. The sink node is assumed to bewell protected and cannot be captured. In link monitoring at-tack, the attacker monitors all wireless links after deployment.Clearly, all communications of captured nodes are decipheredby the attacker. Furthermore, by combining the disclosed pre-distributed keys and messages recorded, the attacker can infersome pairwise keys between other uncaptured nodes. Theattack model used in our paper is one where the attackerlaunches both node capturing and link monitoring attacks.

While works like [41], [42] assume a safe period (no nodecapture) after deployment, this may not be realistic in practice,and this attack model is not widely adopted. Note that whenmultiple key paths are used to establish a pairwise key on alink, that pairwise key (link) is not compromised until all thekey paths are compromised. The above attack model has asalient feature in that it is hard to detect the attacker. This isbecause the attacker only passively monitors traffic after nodescapture, and does not send out traffic actively. In [43], a varietyof active attack models are proposed against routing protocols,which require the attacker to actively send out fake/modifiedmessages. Dealing with those attacks is orthogonal to ourwork, and thus is out of our scope.

Performance Metrics: Note that while our goal is end-to-end secure communications in WSNs, we are (as pointedbefore) still interested in local in-network data processingamong sensors during network operation. Consequently (as instandard RKP schemes), we use two standard metrics: connec-tivity and resilience to evaluate our key management scheme.Connectivity is the probability that two physical neighborscan establish a pairwise key between them. Note that while theabove definition refers to local connectivity and is the standardmetric, one could also define global (end-to-end) connectivityas the probability that the entire network is securely connected,or as the number of nodes in the largest connected componentof the secure network. Global connectivity can be inferred bylocal connectivity [44], we focus only on local connectivity(henceforth called connectivity) in this paper. Resilience is theprobability that a pairwise key (link) between two nodes is notcompromised under attack.

B. Routing Protocols in WSNs

Routing in wireless sensor networks has some differencesfrom that in traditional wired and wireless ad hoc networks dueto resource constraints, faults/failures etc. There are two mainparadigms of routing protocols in WSNs: location-centricrouting and data-centric routing. Other paradigms includehierarchical routing and security aware routing.

Location-centric routing: Greedy Perimeter StatelessRouting (GPSR) [45] is a well known location centric routingprotocol. In GPSR, beacon messages are broadcast by eachnode to inform its neighbors of its position. GPSR assumesthat sensors can determine through separate means the locationof the sink. Each node makes forwarding decisions based onthe relative position of the sink and its neighbors. In general,the neighbor that is closest to the sink is chosen.

Data-centric routing: Directed diffusion [46] is the mostwell known data centric routing protocol, in which the sink

Page 5: Providing End-To-End Secure Communications in Wireless Sensor Networks

GU et al.: PROVIDING END-TO-END SECURE COMMUNICATIONS IN WIRELESS SENSOR NETWORKS 209

sends queries to all nodes and waits for data from thenodes satisfying specific requirement (e.g., located in selectedregions, sensing data meet certain criteria, etc). In order tocreate a query, an interest is defined using a list of attribute-value pairs such as name of objects, geographical area, etc.The interest is broadcast through the network, and used byeach node to compare with the data received. The interestentry also contains several gradient fields. A gradient is a replylink to a neighbor from which the interest was received. Byutilizing interests and gradients, paths are established betweensensors and the sink. Several paths may be established, andone of them is selected by reinforcement.

Other Paradigms: Two other paradigms for routing inWSNs are hierarchical [47] and security aware routing [48],[49]. In the former, certain nodes are either pre-assignedor chosen at run time to be cluster heads. Routing takesplace on two planes: sensor to sensor towards cluster headand cluster head to cluster head towards the sink. In thispaper, we focus on flat networks. The issue of hierarchy isdiscussed in Section IV-D. In security aware routing [48],[49], nodes route packets in the presence of attacks like fakepackets injection, selective forwarding, etc. Such works, whiledefinitely important are orthogonal to our work here, whichfocuses on securing communications from node capture andeavesdropper.

III. METHODOLOGY

In this section, we will introduce our differentiated key pre-distribution methodology. In order to provide a high quality ofend to end secure communications, it is clear that we shouldenhance the resilience of individual links in the network. Anintuitive way to do so is to increase the number of keys pre-distributed into each node (π‘˜). When the number of sharedkeys in each link increases, resilience seems to increase sinceall shared keys have to be disclosed to compromise the link.

However, such a solution is counter-productive. When π‘˜increases, more keys are disclosed per node capture. Thecompromise of only a small percent of nodes can disclosemany more keys to the attacker, which compromises theresilience of links. We need an approach by which linkresilience can be enhanced without the downside of disclosingmore keys to the attacker. On the other side, the number of pre-distributed keys (π‘˜) is also subject to the memory constraintof sensor nodes.

In this paper, we propose a methodology called differen-tiated key pre-distribution to enhance the quality of end toend secure communications in randomly deployed WSNs.Our methodology is based on the observation that links inthe network are not equally important with respect to securecommunications. Only the links used for data transmissionhave impacts on security. The core idea of our methodologyis to pre-distribute different number of keys to different nodes.We keep the average number of keys per node the same asthat in uniform key pre-distribution, so that the attacker impact(e.g., average number of keys disclosed per node capture)remains the same. By distributing more keys to some nodes,the links between those nodes tend to have much higherresilience than the link resilience under uniform key pre-

distribution. These high resilient links are preferred duringrouting to enhance the end to end secure communications.

We illustrate our methodology using the example in Fig. 1,where 1000 sensors are deployed randomly in a WSN underthe same scenario. We divide the 1000 nodes into two classes,with 200 nodes in the first class and 800 nodes in the second.We distribute π‘˜1 = 80 keys in each first class node anddistribute π‘˜2 = 30 keys in each second class node. As such,the average number of keys per node (40) is the same as in Fig.1, where π‘˜ is the same for all nodes. In Table 1, we show theimpacts of our methodology. We can see that when we applyour differentiated key pre-distribution for the above setting,the number of high resilient links (those with large numberof shared keys) dramatically increases, with the cost that thenumber of low resilience links also increases. This is becausecompared with the link resilience in traditional 𝑅𝐾𝑃 schemeswith uniform key pre-distribution, the links between two firstclass nodes in our scheme tend to have higher resilience,while those between two second class nodes tend to haverelatively lower resilience. When those high resilient links arepreferred during routing path selection, the end to end securityperformance can be enhanced significantly.

Use of this methodology to provide end to end secure com-munications between sensor nodes and the sink in randomlydeployed WSNs, raises the following important questions:

βˆ™ How to determine the parameters in key pre-distribution?We need to determine the number of node classes, thenumber of nodes in each class, and the number of keysdistributed into nodes in each class. Determining theoptimal values of these parameters needs a rigorousderivation of end to end secure communication perfor-mance.

βˆ™ How to pre-distribute different number of keys into differ-ent classes of nodes? An intuitive way is always choosingkeys randomly from the key pool regardless of node class.Is there any better way to achieve higher resilience?

βˆ™ How to do routing given links having different resilience?In this situation, the length of routing path and energybalancing are not the only factors to consider duringrouting path selection. Link resilience also plays a role.Care should be taken to make a good balance amongthese factors.

βˆ™ Will there be any new attack to our proposed scheme?To achieve better security performance, nodes with morepre-distributed keys are likely to be selected to forwardmore traffic. The attacker may prefer choosing thosenodes to capture. How can we defend against such attack?

IV. END-TO-END SECURE COMMUNICATION PROTOCOL

In this section, we will address the first three questionsabove. The last question will be addressed in Section V. Inparticular, we will present our end to end secure communica-tion protocol based on the methodology above. Our protocolconsists of two components: differentiated key managementand resilience aware routing. Table 2 lists the parameters inprotocol description and their notations. Theoretical analysisis conducted to determine optimal protocol parameters.

Page 6: Providing End-To-End Secure Communications in Wireless Sensor Networks

210 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 8, NO. 3, SEPTEMBER 2011

TABLE IINCREASE OF THE NUMBER OF LINKS WITH DIFFERENT NUMBER OF SHARED KEYS UNDER DIFFERENTIATED KEY PRE-DISTRIBUTION

# of shared keys 0 1 2 3 4# of links increase 54% βˆ’8% βˆ’20% βˆ’29% βˆ’19%# of shared keys 5 6 7 8 >8

# of links increase βˆ’2% 25% 56% 183% 475%

A. Differentiated Key Management

Our differentiated key management consists of two stages:key pre-distribution and pairwise key establishment. The maindifference between our key management protocol and tradi-tional 𝑅𝐾𝑃 based key management protocols lies in the stageof key pre-distribution.

Key Pre-distribution: We study a network with 𝑁 sensornodes and one sink node. The 𝑁 sensor nodes are divided into𝑐 classes, each of which has 𝑛𝑖 (1 ≀ 𝑖 ≀ 𝑐) nodes. We call thesensors in the π‘–π‘‘β„Ž class as class 𝑖 nodes. We then pre-distributeπ‘˜π‘– (1 ≀ 𝑖 ≀ 𝑐 and π‘˜1 β‰₯ π‘˜2 β‰₯ β‹… β‹… β‹… β‰₯ π‘˜π‘) unique keys chosenfrom a large key pool with size 𝐾 into each class 𝑖 node,detail of which will be discussed in the following. Note that,the sink node is pre-distributed with all 𝐾 keys in the keypool. After this, the sink is deployed strategically at certainposition, while the 𝑁 sensor nodes are deployed randomly inthe network. The 𝑁 sensor nodes will execute the followingprotocols for pairwise key establishment and routing.

We detail our key pre-distribution in the following. For eachclass 1 node, its π‘˜1 unique keys are chosen randomly from thekey pool. However we use a semi-random way to distributekeys into all other nodes to increase the chance of key sharingbetween these nodes and class 1 nodes. For a node in class𝑖 (𝑖 > 1), βŒŠπ‘˜π‘–/𝑛1βŒ‹ keys are first chosen randomly from thedistributed keys in each of 𝑛1 βˆ’ (π‘˜π‘– βˆ’ βŒŠπ‘˜π‘–/𝑛1βŒ‹ β‹… 𝑛1) class 1nodes, which are chosen randomly from all 𝑛1 class 1 nodes.For the remaining π‘˜π‘– βˆ’ βŒŠπ‘˜π‘–/𝑛1βŒ‹ β‹… 𝑛1 class 1 nodes, βŒˆπ‘˜π‘–/𝑛1βŒ‰keys are chosen randomly from the distributed keys of eachnode. We define ⌊π‘₯βŒ‹ as the largest integer no more than π‘₯,and define ⌈π‘₯βŒ‰ as the smallest integer no less than π‘₯. If someof the chosen keys are the same, the redundant keys will bere-chosen until all π‘˜π‘– keys are distinct.

We illustrate with a simple example. Let 𝑁 = 100, 𝑐 = 2,𝑛1 = 20, 𝑛2 = 80, π‘˜1 = 80, π‘˜2 = 30. The following is the keypre-distribution procedure. For each of the 20 nodes in class 1,we choose 80 distinct keys randomly from the key pool. Foreach of the 80 nodes in class 2, we choose 30 distinct keysas follows. We first randomly classify class 1 nodes into twotypes. Type 𝐴 has 10 (i.e., 𝑛1βˆ’(π‘˜2βˆ’βŒŠπ‘˜2/𝑛1βŒ‹β‹…π‘›1)) nodes, andType 𝐡 has 10 (i.e., π‘˜2βˆ’βŒŠπ‘˜2/𝑛1βŒ‹β‹…π‘›1) nodes. Now, βŒŠπ‘˜2/𝑛1βŒ‹ =1 key is chosen randomly from the pre-distributed keys in eachof the 10 Type 𝐴 class 1 nodes above, and is distributed intothe class 2 node under discussion. Then, βŒˆπ‘˜2/𝑛1βŒ‰ = 2 keysare chosen randomly from the pre-distributed keys in each ofthe 10 Type 𝐡 class 1 nodes above, and are distributed intothe class 2 node under discussion. At this point, the class 2node has 30 keys distributed. If these 30 keys are unique, keydistribution is over. Otherwise, we redo the preceding 2 stepsfor the duplicate keys until all 30 keys are unique. Note thatsince π‘˜1 > π‘˜2, uniqueness can always be guaranteed.

By distributing keys in this way, we guarantee π‘˜π‘– uniquekeys are distributed, and the number of keys chosen from eachclass 1 node are balanced and differs by at most 1. The reasonwe pre-distribute keys for class 𝑖 nodes in the above semi-random way instead of purely randomly is two folded. First,we can enhance the probability that a class 𝑖 node shares keywith a class 1 node. Second, we do not decrease the probabilitythat a class 𝑖 node shares key with a non-class 1 node. Bothfacts are confirmed by our simulation, and can help increaselink resilience. Besides, pre-distributing keys for non-class 1nodes in the above way will not decrease the effective keyspace much, which is defined as the number of keys in thekey pool that are distributed in at least one sensor node. Thisis because when the values of 𝑛1, π‘˜1 and 𝐾 are carefullychosen, the number of unique pre-distributed keys among the𝑛1 class 1 nodes is already close to 𝐾 .

Pairwise Key Establishment: Once nodes are pre-distributed with keys and deployed, they start to discovertheir neighbors within their communication range π‘Ÿ via localcommunication, and obtain the key IDs of their neighbors’pre-distributed keys. With the above information, each nodeconstructs all the one-hop and two-hop key paths to allits neighbors. If node 𝑖 shares pre-distributed keys with aneighbor 𝑗, there is one direct key path with one hop betweenthem. However, node 𝑖 will also construct all the two-hopkey paths with each of its neighbors, regardless of whethera one-hop key path has been constructed or not, to enhancethe link resilience (the attacker has to compromise all keypaths for a link between two nodes in order to compromisethis link). Suppose node 𝑖 wants to construct all two-hop keypaths with node 𝑗 now. To do so, node 𝑖 sends a request toits neighbors, containing the node IDs of 𝑖 and 𝑗. After aneighboring node π‘š receives the request, it checks if it sharespre-distributed keys with node 𝑖 and shares pre-distributedkeys with node 𝑗. If both conditions are satisfied, node π‘šsends a reply back to node 𝑖. In this way, a two-hop key pathπ‘–βˆ’π‘šβˆ’ 𝑗 is constructed. If possible, other two-hop key pathsare also constructed as above. After node 𝑖 constructs all two-hop key paths to node 𝑗, node 𝑖 will generate multiple randomkey shares, and transmit each key share on each key path. Keyshares are encrypted/decrypted hop by hop by a combination(e.g., XOR) of all shared keys on that hop. Ultimately, thepairwise key between nodes 𝑖 and 𝑗 is a combination of allthe key shares (e.g, XOR) transmitted. Nodes also estimate andstore the number of protection keys for each link as follows.Assume there are 𝑝 two-hop key paths between 𝑖 and 𝑗, eachwith the help of proxy 𝑠𝑙 (1 ≀ 𝑙 ≀ 𝑝), and denote π‘˜(𝑖, 𝑗) asthe number of shared keys between 𝑖 and 𝑗. The number of

Page 7: Providing End-To-End Secure Communications in Wireless Sensor Networks

GU et al.: PROVIDING END-TO-END SECURE COMMUNICATIONS IN WIRELESS SENSOR NETWORKS 211

TABLE IIPROTOCOL PARAMETERS

Notation Protocol parameter

𝑆 network area (= πœ‹π‘…2)π‘Ÿ communication range𝑁 number of nodes in the network𝑐 number of node classes𝑛𝑖 number of class 𝑖 nodes (1 ≀ 𝑖 ≀ 𝑐)π‘˜π‘– number of keys pre-distributed in class 𝑖 node (1 ≀ 𝑖 ≀ 𝑐)𝐾 number of keys in key pool𝑁𝑐 number of captured nodes

protections keys between 𝑖 and 𝑗 (π‘˜π‘’π‘¦(𝑖, 𝑗)) is,

π‘˜π‘’π‘¦(𝑖, 𝑗) = π‘˜(𝑖, 𝑗) +

π‘βˆ‘π‘™=1

π‘šπ‘–π‘›(π‘˜(𝑖, 𝑠𝑙), π‘˜(𝑠𝑙, 𝑗)). (1)

We calculate π‘˜π‘’π‘¦(𝑖, 𝑗) like this because the resilience of a two-hop key path is mainly decided by the weaker link (the onewith fewer shared keys). The larger the number of protectionkeys for a link, the more resilient is the link in general.

B. Resilience Aware Routing

In this section, we will describe how to incorporate ourdifferentiated key pre-distribution with popular WSN routingprotocols for end to end secure communications. We partic-ularly focus on one popular location centric routing protocoland one popular data centric routing protocol. Incorporationwith other routing paradigms is similar. The basic idea isto tune the routing protocols such that they consider linkresilience as a metric during routing. In order to preventoveruse of a few nodes, we will let nodes choose severalnext hop nodes, and use one at each time to prolong networklifetime.

Extensions to location centric routing protocol: Thelocation centric routing protocol we extend is GPSR [45]. InGPSR, each node chooses a neighbor as the next hop that isclosest to the sink. In order to achieve high end to end securecommunications without compromising network lifetime, weextend GPSR protocol as follows. Each node 𝑖 assigns aweight to all its secure neighbors (neighbors with which apairwise key is established) that are closer to the sink thanitself. We denote π‘ˆ(𝑖) as the set of node 𝑖’s secure neighborsthat are closer to the sink than itself, and recall π‘˜π‘’π‘¦(𝑖, 𝑗) isthe number of protection keys for the link between nodes 𝑖and 𝑗, we assign weight to each node 𝑗 in set π‘ˆ(𝑖) as,

𝑀𝑗 =π‘˜π‘’π‘¦(𝑖, 𝑗)π›Όβˆ‘

π‘šβˆˆπ‘ˆ(𝑖) π‘˜π‘’π‘¦(𝑖,π‘š)𝛼. (2)

Here 𝑀𝑗 is the probability that 𝑖 chooses 𝑗 as the forwarder.When 𝛼 = 0, all nodes in π‘ˆ(𝑖) are given equal priorityregardless of link resilience. When 𝛼 is positive, more re-silient links are given higher priority. When 𝛼 approachesinfinity, only the most resilient links are chosen for routing.An intermediate value of 𝛼 can be used to achieve a goodbalance between security and lifetime, which can be decidedby security policy and other factors. For example, a large value

of 𝛼 can be chosen when high resilience is preferred andenergy consumption imbalance is not a serious issue, whilea small value of 𝛼 can be chosen when energy is limitedand energy consumption balance is critical. We will study thesensitivity of security and lifetime to 𝛼 in Section IV-E.

Extensions to data centric routing protocol: In traditionalminimum hop routing protocol [50], a variant of DirectedDiffusion routing protocol, a node will choose a neighboron the minimum hop path to the sink. We can extend thisprotocol in a similar way as above. During the next hopdetermination process, packets are forwarded only on theminimum hop secure paths. A secure path consists of links thathave pairwise keys established. We denote the set of neighborson the minimum hop secure path of node 𝑖 by π‘ˆ(𝑖). Note thatin a relatively dense network, there could be several minimumhop secure paths between node 𝑖 and the sink. Node 𝑖 thenassigns a weight 𝑀𝑗 to each of its secure neighbors 𝑗 in theset π‘ˆ(𝑖). The expression of 𝑀𝑗 is given in (2).

C. Key Pre-distribution Parameters Determination

In this section, we discuss how to determine the designparameters in our proposed protocol above, namely numberof node classes (𝑐), number of nodes in each class (𝑐𝑖)and number of keys in class 𝑖 nodes (π‘˜π‘–). Our parameterdetermination is primarily based on the derivation of the endto end security metric 𝑃𝑒2𝑒, which is detailed below.

1) Analysis Architecture: Recall that 𝑃𝑒2𝑒 is the probabilitythat the sink can receive a message from a sensor withoutit being disclosed to the attacker. We focus on the extendedGPSR described above. To simplify the exposition, we hereassign an overwhelming weight (𝛼 approaches infinity) to themost secure neighbor such that all traffic will be forwarded byit. When there are more than one such nodes, the one closestto the sink is chosen. We assume the number of capturednodes (𝑁𝑐) is known, which can be obtained from worst caseestimation or historical experience.

Let 𝑃𝑒2𝑒(β„“) denote resilience for a path from a node to thesink with geographic distance β„“. 𝑃𝑒2𝑒 can be obtained as,

𝑃𝑒2𝑒 =1

πœ‹π‘…2

∫ 𝑅

β„“=0

𝑃𝑒2𝑒(β„“)2πœ‹β„“π‘‘β„“. (3)

Here, we assume the network is of a disk shape centered at thesink with radius 𝑅. 𝑃𝑒2𝑒 for the networks with other shapescan be obtained accordingly.

Page 8: Providing End-To-End Secure Communications in Wireless Sensor Networks

212 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 8, NO. 3, SEPTEMBER 2011

For a specific β„“, 𝑃𝑒2𝑒(β„“) can be expressed as,

𝑃𝑒2𝑒(β„“) =βˆžβˆ‘β„Ž=1

𝑃 (β„Žβˆ£β„“)π‘ƒπ‘π‘Žπ‘‘β„Ž(β„Ž), (4)

where 𝑃 (β„Žβˆ£β„“) is the conditional probability that a node atdistance β„“ can reach the sink with β„Ž hops, and π‘ƒπ‘π‘Žπ‘‘β„Ž(β„Ž) is theend to end resilience for a path with β„Ž hops.

In (4), π‘ƒπ‘π‘Žπ‘‘β„Ž(β„Ž) can be calculated following its definition asprobability that all nodes/links are uncaptured/uncompromisedin the path with β„Ž hops. It is multiplication of the probabilitythat all β„Ž nodes on the path are uncaptured, the probability thatthe first β„Ž βˆ’ 1 hops between two nodes are uncompromised,and the probability that the last hop between a node and thesink is uncompromised. Then we have,

π‘ƒπ‘π‘Žπ‘‘β„Ž(β„Ž) =

(π‘βˆ’β„Žπ‘π‘

)(𝑁𝑁𝑐

) β‹…(𝑃

(1)π‘™π‘–π‘›π‘˜

)β„Žβˆ’1

β‹… 𝑃 (2)π‘™π‘–π‘›π‘˜. (5)

In the above, 𝑃(1)π‘™π‘–π‘›π‘˜ is the probability that a link between

two uncaptured nodes is uncompromised, while 𝑃(2)π‘™π‘–π‘›π‘˜ is the

probability that a link between an uncaptured node and thesink is uncompromised.

In (5), the value of(π‘βˆ’β„Ž

𝑁𝑐)

(𝑁𝑁𝑐)

clearly remains the same

under our differentiated key pre-distribution. The value of(𝑃

(1)π‘™π‘–π‘›π‘˜

)β„Žβˆ’1

is increased since the resilience of high resilientlinks, which are preferred for routing, is increased underdifferentiated key pre-distribution. Similarly, the value of 𝑃 (2)

π‘™π‘–π‘›π‘˜

is increased since the last hop node is more likely to be a nodewith large number of keys. Therefore, under differentiated keypre-distribution, the value of π‘ƒπ‘π‘Žπ‘‘β„Ž(β„Ž) increases, which leadsto the increase of 𝑃𝑒2𝑒(β„“) in (4). In (4), the value of 𝑃 (β„Žβˆ£β„“)tends to decrease for small β„Ž, and tends to increase for largeβ„Ž in our protocol. This is because in extending GPSR or min-hop protocol, we prefer high resilient links, which may notreside on the path with minimum hops. This will lead to thedecrease of 𝑃𝑒2𝑒(β„“) in (4). However, such impact by 𝑃 (β„Žβˆ£β„“)is dominated by that of π‘ƒπ‘π‘Žπ‘‘β„Ž(β„Ž) in general, as confirmedby extensive simulations in Section IV-E. Overall, the valuesof 𝑃𝑒2𝑒(β„“) and 𝑃𝑒2𝑒 increase under differentiated key pre-distribution, which shows the benefit of our methodology. Thederivations of 𝑃

(1)π‘™π‘–π‘›π‘˜ , 𝑃

(2)π‘™π‘–π‘›π‘˜ are given below. Due to space

limitation, the derivations of 𝑃 (β„Žβˆ£β„“) are skipped. In fact, ourderivation of 𝑃 (β„Žβˆ£β„“) is similar to the work in [51] and [52].

2) Derivation of π‘žπ‘–: Before we give the derivation for 𝑃 (1)π‘™π‘–π‘›π‘˜

and 𝑃(2)π‘™π‘–π‘›π‘˜ , we need to derive π‘žπ‘–, which is the probability that

a node on the path between a sensor and the sink belongs toclass 𝑖. The probability of a class 𝑖 node appearing on the keypath is different from the percentage of class 𝑖 nodes in thenetwork. This is because during our routing path selection, weprefer the nodes on the highly resilient links, and those nodesare more likely to be nodes with more keys pre-distributed.We will show the derivation of π‘žπ‘– in the following.

We first give some definitions. We define 𝑝𝑖 as percentage ofclass 𝑖 nodes in the network, given by 𝑝𝑖 = 𝑛𝑖/𝑁 . We defineπ‘ƒπ‘ β„Žπ‘Žπ‘Ÿπ‘’(𝑖, 𝑗, β„“) as the probability that a class 𝑖 node shares β„“

keys with a class 𝑗 node, which can be given as,

π‘ƒπ‘ β„Žπ‘Žπ‘Ÿπ‘’(𝑖, 𝑗, β„“) =

(𝐾ℓ

)(πΎβˆ’β„“π‘˜π‘–βˆ’β„“

)(πΎβˆ’π‘˜π‘–

π‘˜π‘—βˆ’β„“

)(πΎπ‘˜π‘–

)(πΎπ‘˜π‘—

) . (6)

If we define π‘ƒπ‘π‘Ÿπ‘’π‘“π‘’π‘Ÿ(𝑗, β„“) as the probability that a class 𝑗 nodeis preferred to a class β„“ node during routing path selection, theexpression of π‘ƒπ‘π‘Ÿπ‘’π‘“π‘’π‘Ÿ(𝑗, β„“) can be given by,

π‘ƒπ‘π‘Ÿπ‘’π‘“π‘’π‘Ÿ(𝑗, β„“) =

π‘βˆ‘π‘–=1

𝑝𝑖

( π‘˜π‘—βˆ‘π‘’=1

π‘ƒπ‘ β„Žπ‘Žπ‘Ÿπ‘’(𝑖, 𝑗, 𝑒) (7)

(

π‘’βˆ’1βˆ‘π‘£=0

π‘ƒπ‘ β„Žπ‘Žπ‘Ÿπ‘’(𝑖, β„“, 𝑣))

+1

2

π‘˜π‘—βˆ‘π‘’=1

π‘ƒπ‘ β„Žπ‘Žπ‘Ÿπ‘’(𝑖, 𝑗, 𝑒)π‘ƒπ‘ β„Žπ‘Žπ‘Ÿπ‘’(𝑖, β„“, 𝑒)).

Finally, the expression of π‘žπ‘– is given by,

π‘žπ‘– =

(𝑛𝑛𝑒𝑖𝑝𝑖

1

) π‘βˆβ„“=1

(π‘ƒπ‘π‘Ÿπ‘’π‘“π‘’π‘Ÿ(𝑖, β„“))π‘›π‘›π‘’π‘–π‘β„“βˆ’π‘“(β„“). (8)

In (8), 𝑛𝑛𝑒𝑖 is the average number of physical neighbors of anode, which is given by 𝑛𝑛𝑒𝑖 = 𝑁 πœ‹π‘Ÿ2

𝑆 . Besides, 𝑓(β„“) equals1 when β„“ = 𝑖, and equals 0 otherwise.

3) Derivation of 𝑃(1)π‘™π‘–π‘›π‘˜ and 𝑃

(2)π‘™π‘–π‘›π‘˜: Given the expressions

of π‘žπ‘– derived above, we will derive the expressions for 𝑃(1)π‘™π‘–π‘›π‘˜

and 𝑃(2)π‘™π‘–π‘›π‘˜ in this section.

If we denote 𝑃(1)π‘™π‘–π‘›π‘˜(𝑖, 𝑗) as resilience of the pairwise key

between a class 𝑖 node and a class 𝑗 node, and 𝑃(2)π‘™π‘–π‘›π‘˜(𝑖) as the

resilience of the pairwise key between a class 𝑖 node and thesink, the expressions of 𝑃

(1)π‘™π‘–π‘›π‘˜ and 𝑃

(2)π‘™π‘–π‘›π‘˜ can be given by,

𝑃(1)π‘™π‘–π‘›π‘˜ =

π‘βˆ‘π‘–=1

π‘βˆ‘π‘—=1

π‘žπ‘–π‘žπ‘—π‘ƒ(1)π‘™π‘–π‘›π‘˜(𝑖, 𝑗), (9)

𝑃(2)π‘™π‘–π‘›π‘˜ =

π‘βˆ‘π‘–=1

π‘žπ‘–π‘ƒ(2)π‘™π‘–π‘›π‘˜(𝑖). (10)

We now derive the expressions for 𝑃(1)π‘™π‘–π‘›π‘˜(𝑖, 𝑗) and 𝑃

(2)π‘™π‘–π‘›π‘˜(𝑖).

We denote π‘ƒπ‘Ÿπ‘’π‘ (𝑖) as the probability that at least one of 𝑖unique pre-distributed keys is not disclosed to the attacker, de-note π‘˜π‘Žπ‘£π‘”(𝑖, 𝑗) as the average number of shared pre-distributedkeys between a class 𝑖 node and a class 𝑗 node, denote π‘˜π‘Žπ‘£π‘”(𝑖)as the average number of shared pre-distributed keys betweena class 𝑖 node and one of its physical neighbors, and denoteπ‘›π‘π‘Žπ‘‘β„Ž(𝑖, 𝑗) as the number of two-hop key paths between aclass 𝑖 node and a class 𝑗 node. Thus, the expressions for𝑃

(1)π‘™π‘–π‘›π‘˜(𝑖, 𝑗) and 𝑃

(2)π‘™π‘–π‘›π‘˜(𝑖) can be given by,

𝑃(1)π‘™π‘–π‘›π‘˜(𝑖, 𝑗) = 1βˆ’

(1βˆ’ π‘ƒπ‘Ÿπ‘’π‘ (π‘˜π‘Žπ‘£π‘”(𝑖, 𝑗))

)(11)(

1βˆ’ (1βˆ’π‘π‘/𝑁)π‘ƒπ‘Ÿπ‘’π‘ (π‘˜π‘Žπ‘£π‘”(𝑖))

π‘ƒπ‘Ÿπ‘’π‘ (π‘˜π‘Žπ‘£π‘”(𝑗)))π‘›π‘π‘Žπ‘‘β„Ž(𝑖,𝑗)

, π‘Žπ‘›π‘‘

𝑃(2)π‘™π‘–π‘›π‘˜(𝑖) = π‘ƒπ‘Ÿπ‘’π‘ (π‘˜π‘–). (12)

In (11), π‘ƒπ‘Ÿπ‘’π‘ (π‘˜π‘Žπ‘£π‘”(𝑖, 𝑗)) is probability that the direct one-hop key path between a class 𝑖 node and a class 𝑗 node is

Page 9: Providing End-To-End Secure Communications in Wireless Sensor Networks

GU et al.: PROVIDING END-TO-END SECURE COMMUNICATIONS IN WIRELESS SENSOR NETWORKS 213

uncompromised, 𝑁𝑐/𝑁 is probability that the proxy node onone of the two-hop key paths is captured, π‘ƒπ‘Ÿπ‘’π‘ (π‘˜π‘Žπ‘£π‘”(𝑖)) is theprobability that the link on a two-hop key path between a class𝑖 node and the proxy is uncompromised, and π‘ƒπ‘Ÿπ‘’π‘ (π‘˜π‘Žπ‘£π‘”(𝑗))is defined similarly. A two-hop key path is uncompromised ifthe proxy is uncaptured and both links are uncompromised.The pairwise key between a class 𝑖 node and a class 𝑗 node isuncompromised if at least one key path (either one-hop or two-hop key path) is uncompromised. In (12), number of sharedpre-distributed keys between a class 𝑖 node and the sink is π‘˜π‘–since the sink is assumed to have all 𝐾 pre-distributed keysand will not be captured. We now derive the expressions forπ‘ƒπ‘Ÿπ‘’π‘ (𝑖), π‘˜π‘Žπ‘£π‘”(𝑖, 𝑗), π‘˜π‘Žπ‘£π‘”(𝑖) and π‘›π‘π‘Žπ‘‘β„Ž(𝑖, 𝑗).

Given the number of captured nodes 𝑁𝑐, the averagenumber of disclosed pre-distributed keys, denoted by 𝐾𝑑𝑖𝑠,is given by,

𝐾𝑑𝑖𝑠 = 𝐾(1βˆ’ (1βˆ’ π‘˜π‘Žπ‘£π‘”πΎ

)𝑁𝑐), (13)

where π‘˜π‘Žπ‘£π‘” is the average number of keys pre-distributed in anode. The expression of π‘˜π‘Žπ‘£π‘” is given by,

π‘˜π‘Žπ‘£π‘” =

π‘βˆ‘π‘–=1

π‘π‘–π‘˜π‘–. (14)

Given the expression of 𝐾𝑑𝑖𝑠 above, we are able to give theexpression of π‘ƒπ‘Ÿπ‘’π‘ (𝑖) as,

π‘ƒπ‘Ÿπ‘’π‘ (𝑖) = 1βˆ’(

πΎβˆ’π‘–πΎπ‘‘π‘–π‘ βˆ’π‘–

)(

𝐾𝐾𝑑𝑖𝑠

) . (15)

Recall the expression of π‘ƒπ‘ β„Žπ‘Žπ‘Ÿπ‘’(𝑖, 𝑗, β„“) in (6) above, theexpressions of π‘˜π‘Žπ‘£π‘”(𝑖, 𝑗) and π‘˜π‘Žπ‘£π‘”(𝑖) can be given by,

π‘˜π‘Žπ‘£π‘”(𝑖, 𝑗) =

π‘šπ‘–π‘›{π‘˜π‘–,π‘˜π‘—}βˆ‘β„“=1

β„“π‘ƒπ‘ β„Žπ‘Žπ‘Ÿπ‘’(𝑖, 𝑗, β„“), (16)

π‘˜π‘Žπ‘£π‘”(𝑖) =π‘βˆ‘

𝑗=1

π‘π‘—π‘˜π‘Žπ‘£π‘”(𝑖, 𝑗). (17)

Finally, the expression of π‘›π‘π‘Žπ‘‘β„Ž(𝑖, 𝑗) can be given by,

π‘›π‘π‘Žπ‘‘β„Ž(𝑖, 𝑗) = 0.5865𝑛𝑛𝑒𝑖

π‘βˆ‘β„“=1

𝑝ℓ (18)

(1βˆ’ π‘ƒπ‘ β„Žπ‘Žπ‘Ÿπ‘’(𝑖, β„“, 0))(1βˆ’ π‘ƒπ‘ β„Žπ‘Žπ‘Ÿπ‘’(𝑗, β„“, 0)),

where 0.5865𝑛𝑛𝑒𝑖 is the average number of common neigh-bors of two neighboring nodes [2].

Therefore, we have derived the expressions for 𝑃(1)π‘™π‘–π‘›π‘˜ and

𝑃(2)π‘™π‘–π‘›π‘˜ above.

Based on our derivation of 𝑃𝑒2𝑒, we find that end to endsecurity depends on several key pre-distribution parameters,that are, number of node classes (𝑐), number of nodes in eachclass (𝑐𝑖) and number of keys in class 𝑖 nodes (π‘˜π‘–). The ex-pression of 𝑃𝑒2𝑒 is clearly a nonlinear function of all the aboveparameters. Given the network parameters (𝑅, π‘Ÿ,𝑁,𝑁𝑐) andthe memory constraint of sensors (maximum value of π‘˜), wecan apply standard optimization tools on the above equationsto obtain the optimal values for the design parameters.

The above analysis also has other usages. Consider a node

𝑖 with geographic distance 𝐿 to the sink. For any referencenumber 𝛿 (0 < 𝛿 < 1), we have,

𝑃 (Resilience for the path from 𝑖 to sink > 𝛿) ≀ 𝑃𝑒2𝑒(𝐿)

𝛿,

where 𝑃𝑒2𝑒(𝐿) is decided by (4). This bound follows directlyby using Markov Inequality.

The above inequality illustrates tradeoff between networksize and end to end security performance. When networksize (𝐿) increases, 𝑃𝑒2𝑒(𝐿) decreases. Thus the upperboundin the right-hand side will decrease. For a required end toend resilience for any node in the network, there exists anupperbound for the network size, beyond which resiliencecannot increase. Therefore, in a large scale network, we candeploy nodes in groups, each of which has a sink. We henceeffectively decrease network size in each group, and canachieve the required end to end security performance.

D. Remarks

In the following, we will discuss the issues of empty setπ‘ˆ(𝑖) (discussed in Section IV-B), possibility of longer hops,extending our solutions to hierarchical networks, and thepossibility of applying public key cryptography.

In extending GPSR, a node 𝑖 may find that its set π‘ˆ(𝑖)is empty. In such case, node 𝑖 can follow the right handrule in [45] to choose a secure neighbor that is further awayfrom the sink than 𝑖 itself. If node 𝑖 does not to have anysecure neighbor, it may increase its communication rangeto find some secure neighbors. Applying such rules willeliminate loops and guarantee finding a secure path if it exists.Increasing communication range for more secure neighborsworks for the extended minimum hop protocol as well.

We point out that the number of path hops in our schemescould be larger than that in traditional GPSR or minimumhop routing schemes. This is because in our schemes, nodeschoose neighbors considering both path length and link re-silience, and thus could choose neighbors on a path withmore hops. Besides, as mentioned above, a node may choosea secure neighbor that is further away from the sink thanitself. Intuitively, a path with more hops tends to decrease pathresilience as the chance of attacker compromising at least onehop is increased. However, in our schemes, the path resilienceimprovement via choosing highly resilient links overwhelmsthe negative effect of a little longer paths of a small percentageof nodes. Overall, the path resilience will be improved.

In this paper, we have focused on flat topologies. In somesituations nodes could be deployed in hierarchies. The end toend routing here occurs in more than one plane, i.e., sensorto cluster head via multiple sensors, and cluster head to sinkvia multiple cluster heads. Our methodology and protocols areapplicable in hierarchical networks. Cluster heads are chosenas class 1 nodes (provisioned with more keys), while othersensors are chosen as class 2 nodes, class 3 nodes and so ondepending on number of hierarchy levels.

Recently, public key cryptography has been receiving at-tention in WSNs [53] [54] [55] [56], which can be used toestablish pairwise keys between neighboring sensor nodes.However, public key cryptography based scheme involves

Page 10: Providing End-To-End Secure Communications in Wireless Sensor Networks

214 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 8, NO. 3, SEPTEMBER 2011

Fig. 2. Sensitivity of 𝑃𝑒2𝑒 to number of captured nodes 𝑁𝑐. Fig. 3. Sensitivity of 𝑃𝑒2𝑒 to communication range π‘Ÿ.

high energy consumption due to its complicated computation,which may not be preferable for energy constrained sensornodes. Based on experiments in [54], [55] and [56], energyconsumption in public key cryptography based pairwise keyestablishment is about two to three orders of magnitudemore than that in the symmetric key cryptography basedscheme. In [53], special hardware is used to reduce energyconsumption of public key based operation, which incursextra cost. Considering that public key cryptography basedpairwise key establishment is still energy consuming forenergy constrained sensors, random key pre-distribution basedpairwise key establishment is still highly relevant and practicalfor large scale deployment of secure wireless sensor networks.Furthermore, some researchers in the sensor networks area arebuilding their own customized sensor-mote prototypes [57],with lower memory, processing power, and battery life thancommercial platforms. For such prototypes also, symmetrickey cryptography techniques will have practical relevance.

E. Performance Evaluation

In this section, we present performance evaluation basedon both analysis and simulation. The analysis is based on ourdiscussions in Section IV-C. We first describe our simulationsetup, and then report performance data and our observations.

1) Simulation Setup: We conduct our simulation using aself-made simulator in 𝐢. The network is circular with radius500 π‘šπ‘’π‘‘π‘’π‘Ÿπ‘ , where 1000 nodes are uniformly deployed atrandom. The sink is at the center of the network. Unless oth-erwise specified, the default parameters are: 𝑐 = 2, 𝑛1 = 200,𝑛2 = 800, π‘˜1 = 80, π‘˜2 = 30, π‘˜ = 40, 𝐾 = 10000, π‘Ÿ =100 π‘šπ‘’π‘‘π‘’π‘Ÿπ‘ , 𝛼 = 1 and 𝑁𝑐 = 50 (for notation, please refer toTable 2 in Section IV). The default values of π‘˜1, π‘˜2 and π‘˜ arechosen such that π‘˜1𝑛1/(𝑛1+𝑛2)+π‘˜2𝑛2/(𝑛1+𝑛2) = π‘˜, whichmeans the average number of keys disclosed to the attackeris the same in our differentiated key pre-distribution and theoriginal 𝑅𝐾𝑃 scheme for the same number of captured nodes.Our communication model is one where sensors periodicallytransmit data to the sink. In the legend in all figures, ourGPSR and our minhop refer to our protocols extending GPSR[45] and minimum hop [50] routing presented in SectionIV-B respectively. The legends GPSR and minhop refer tothe traditional GPSR and minimum hop routing protocolsfollowing the uniform key pre-distribution respectively. Eachpoint in the simulation data is the average of 100 runs basedon independent random seeds.

2) Sensitivity of 𝑃𝑒2𝑒 to Attack Intensity: In Fig. 2, wefirst compare our differentiated key pre-distribution with thetraditional uniform key pre-distribution (for both GPSR andminimum hop routing protocols) under different number ofcaptured nodes 𝑁𝑐. We find that while the performance ofall schemes degrades with increasing 𝑁𝑐, our schemes areconsistently better than those of traditional schemes. We alsofind that the improvement increases with larger values of 𝑁𝑐.This is because when the attacker captures more nodes, theresilience of highly resilient links in our schemes degrades ata much slower pace than those of the less resilient links intraditional schemes. Besides, we can also observe that the endto end security under minimum hop based protocols is betterthan their GPSR counterparts. This is because minimum hopbased protocols always choose the path with minimum hops,while the GPSR based protocols may choose longer paths,which compromises end to end resilience. The cost though isthe increased initial energy consumption in query flooding.

3) Sensitivity of 𝑃𝑒2𝑒 to Network Density: In Fig. 3, wecompare our schemes and traditional schemes under differentcommunication range π‘Ÿ, which in turn corresponds to differentnetwork density (i.e., number of neighbors per node). Whenπ‘Ÿ is small, 𝑃𝑒2𝑒 is low due to both low connectivity (manynodes cannot find secure neighbors) and low resilience (fewerproxies resulting in fewer key paths for each link). When π‘Ÿincreases, 𝑃𝑒2𝑒 increases correspondingly. For all values of π‘Ÿ,our schemes performs consistently better.

4) Sensitivity of network lifetime to parameter 𝛼: Recallfrom Section IV-B that 𝛼 is the knob that trades-off securitywith lifetime. In Fig. 4, we compare our schemes and tradi-tional schemes for varying 𝛼. We define network lifetime asthe time until when the first node has used up its energy. Sincetraditional schemes do not have weight assignment, they areinsensitive to 𝛼. The lifetime in our schemes decreases withlarger values of 𝛼. This is because a larger value of 𝛼 meansmore priority is given to links with high resilience, therebydraining the corresponding neighbors more rapidly.

We also observe that the extended GPSR has higher lifetimecompared with extended minimum hop for smaller values of 𝛼,and the difference diminishes as 𝛼 increases. This is becausefor smaller values of 𝛼, lifetime is mainly decided by totalnumber of candidate forwarders of each node. In extendedGPSR, each node usually can find more forwarders (secureneighbors closer to sink) than it can find in extended minimumhop protocol (secure neighbors on minimum hop secure path).When 𝛼 increases, lifetime is mainly decided by the number

Page 11: Providing End-To-End Secure Communications in Wireless Sensor Networks

GU et al.: PROVIDING END-TO-END SECURE COMMUNICATIONS IN WIRELESS SENSOR NETWORKS 215

Fig. 4. Sensitivity of lifetime to parameter 𝛼.

of most secure neighbors of each node. This number is similarfor both protocols, and hence they have similar lifetimes when𝛼 increases. We also observe that lifetime of traditional GPSRscheme is lower than that of traditional minimum hop scheme.This is because in traditional GPSR scheme, some nodes areso positioned that most of their nearby nodes will choosethem as forwarders, which results in their energy being drainedquickly. While in traditional minimum hop scheme, nodes areless likely to be the only one on the minimum hop path ofmost of their neighbors, and thus traffic is more balanced.

5) Sensitivity of 𝑃𝑒2𝑒 and network lifetime to number ofclass 1 nodes: In Figs. 5 and 6, we compare the tradi-tional schemes, our schemes with default parameters, and ourschemes with optimal parameters. The optimal parametersare obtained via our analysis in Section IV-C. The averagenumber of keys pre-distributed per node is the same acrossall schemes for fairness of comparison. In Fig. 5, we findthat traditional schemes are insensitive to 𝑛1 since all nodesare given same number of keys. Our schemes achieve muchbetter performance under intermediate values of 𝑛1, while theperformance of our schemes is close to that of traditionalschemes for very small and very large values of 𝑛1. This isbecause when 𝑛1 approaches 0 or 1000, all nodes will begiven same number of keys, and thus our schemes degrade totraditional schemes. In Fig. 6, we also observe that lifetimeof the traditional schemes is insensitive to 𝑛1 due to the samereason as above. The lifetime of our schemes increases withthe value of 𝑛1. The case when 𝑛1 = 0 can be treated as thesame as 𝑛1 = 1000. This is because for small values of 𝑛1,the class 1 nodes are given many keys initially, and so theytend to be used as forwarders much more frequently and thelifetime tends to be small. When 𝑛1 increases, the numberof keys given to class 1 nodes decreases, thus helping todistribute the load more evenly and improve network lifetime.Finally, in both figures, we observe that the optimal parametersderived by our analysis give better performance than thedefault parameters, which confirms the correctness of ouranalysis.

V. BIASED NODE CAPTURING ATTACK AND ITS

COUNTERMEASURES

Recall that in traditional attack model discussed in SectionII-A, the attacker captures a certain percent of the nodes in the

network. Such an attack is an unbiased one since the capturednodes are chosen at random. In this section, we will studya type of advanced attack model, denoted as biased nodecapturing attack, in which the attacker has bias in choosingnodes to capture, aiming to achieve higher attack impact.

A. Biased Node Capturing Attack

Simply put, biased node capturing attack is one in which theattacker attempts to capture some special nodes in the network.Typically, the capture of those nodes results in higher attackimpact, and they are chosen with bias instead of randomly.The existence of such special nodes comes from the fact thatthe roles (or importance) of sensor nodes in the network areinherently different. In a multi-hop sensor network, the nodesnear the sink are such special nodes, whose capture resultsin more secret information disclosed to the attacker. This isbecause a node near the sink generally forwards more traffic,and its capture results in more data being disclosed. Thus, theattacker can take advantage of the heterogeneity in topologyto capture those important nodes near the sink.

In our differentiated key management, we also introduce atype of heterogeneity among the nodes in that different nodeshave different number of pre-distributed keys. The capture ofnodes with more pre-distributed keys tends to have higherattack impact due to the fact that more pre-distributed keysare disclosed. Thus, the attacker could also take advantageof the heterogeneity in the number of pre-distributed keys toachieve higher attack impact. Such an attack can be easilyaccomplished via identifying more resilient links (and hencenodes) via simple traffic analysis of monitored communica-tion.

In Fig. 7, we show the impacts of three types of biasedattacks and the unbiased one. The first biased attack is onethat chooses to capture nodes closest to the sink, denoted astopology in Fig. 7. The second is one that chooses to capturenodes with the largest number of pre-distributed keys, denotedas key in Fig. 7. The third combines both strategies, in whichthe attacker first chooses nodes closest to the sink. Whenmultiple nodes are at the same distance to the sink, tie isbroken based on the number of keys pre-distributed. Such acombined attack is denoted as topology+key in Fig. 7.

In Fig. 7, we find that the biased attacks result in higherattack impact than unbiased one. However, the attack impactcaused by biased attack based on topology alone is much moresevere than that caused by biased attack based on key alone.Besides, the impact of the combined attack is close to thatcaused by the biased attack based on topology alone. Thisis because the nodes close to the sink are generally thoseforwarding more traffic. The capture of a few such nodesresults in a significant portion of the data being disclosed.On the other side, when nodes with more pre-distributedkeys are captured, the overall number of pre-distributed keysdisclosed is still a small portion of the key pool size. The aboveobservations show that the attack impact caused by topologyheterogeneity dominates that caused by key heterogeneity.Combining key heterogeneity with topology heterogeneitydoes not further degrade security much. Therefore, our differ-entiated key management technique does not introduce a lot

Page 12: Providing End-To-End Secure Communications in Wireless Sensor Networks

216 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 8, NO. 3, SEPTEMBER 2011

Fig. 5. Sensitivity of 𝑃𝑒2𝑒 to number of class 1 nodes 𝑛1. Fig. 6. Sensitivity of lifetime to number of class 1 nodes𝑛1.

Fig. 7. Sensitivity of 𝑃𝑒2𝑒 to the strategy of biased attack. Fig. 8. Sensitivity of 𝑃𝑒2𝑒 to disclosure probability 𝑃𝑑𝑖𝑠.

of additional negative impacts when the biased attack basedon network topology is already in place.

B. Countermeasures

In the following, we will discuss the countermeasures to thebiased attacks discussed above.

Note that the biased attack based on topology naturallyexists in multi-hop sensor networks, and thus is not intro-duced by our differentiated key management. Here we discussits countermeasures briefly. One potential countermeasure isletting the nodes near the sink just forward the encrypted datawithout needing to decrypt it for aggregation. In this way, thecapture of such nodes does not disclose the data forwarded.To do so, nodes with a certain number of hops away fromthe sink need to be pre-distributed with a unique pairwise keywith the sink before node deployment. Such approach comesat the cost that no data aggregation is conducted near thesink. An alternative countermeasure is letting the sink nodemove around the network so the amount of forwarded trafficis balanced among the nodes in the network. Thus, the impactof such biased attack is alleviated.

As shown in Fig. 7 above, the biased attack based onnumber of pre-distributed keys causes higher attack impactalthough such impact is far less than that of biased attackbased on topology. One countermeasure is to use tamperresistant hardware for nodes pre-distributed with more keys.Therefore, such nodes become more robust to attack in thatthe attacker may not be able to obtain secret information in thecaptured node. Such idea is inspired by the work in [9] wheresome special nodes are assumed never to disclose their secretinformation after capture. Here, we relax such assumption andallow a certain probability of secret information in such nodesbeing disclosed. Such probability is denoted as 𝑃𝑑𝑖𝑠.

In Fig. 8, we show sensitivity of 𝑃𝑒2𝑒 to 𝑃𝑑𝑖𝑠, the probabilitythat nodes with tamper resistant hardware having their secretinformation disclosed after being captured. All three curves inFig. 8 are based on GPSR routing. Similar observations aremade in minimum hop routing as well. We find that, whentamper resistant hardware can achieve a disclosure probabilityless than 0.5, the security performance of our differentiatedkey management under biased attack based on number ofpre-distributed keys is better than that under unbiased attack.When 𝑃𝑑𝑖𝑠 is between 0.5 and 0.8, the performance underbiased attack falls below that under unbiased attack since morepre-distributed keys are disclosed. However, it is still betterthan that in traditional uniform key management. Only when𝑃𝑑𝑖𝑠 becomes larger than 0.8 (ineffective tamper resistanthardware), the performance of differentiated key managementunder biased attack is worse than that in traditional uniformkey management. In summary, with reasonably effective tam-per resistant hardware (𝑃𝑑𝑖𝑠 < 0.5), the performance of ourdifferentiated key management will not degrade under biasedattack. Such improvement comes at the cost of tamper resistanthardware. However, we only need to provide tamper resistanthardware for a small portion of the nodes, which is worthwhileconsidering the security performance improvement.

An alternative countermeasure to the biased attack based onthe number of pre-distributed keys is one where camouflagingtechniques are applied. Such camouflaging techniques aimto hide those nodes with more pre-distributed keys. Duringpairwise key establishment, each node 𝑖 sends π‘˜1 key IDs to itsneighbors. Recall π‘˜1 is maximum among all π‘˜β€²

𝑖𝑠. If the numberof keys distributed in node 𝑖 is smaller than π‘˜1, node 𝑖 willappend random dummy key IDs to ensure a homogeneous keyID list size. During the routing path selection and later com-munications, important nodes are more likely to receive/send

Page 13: Providing End-To-End Secure Communications in Wireless Sensor Networks

GU et al.: PROVIDING END-TO-END SECURE COMMUNICATIONS IN WIRELESS SENSOR NETWORKS 217

more packets due to the high resilience of its links. Ouralternative path routing can help alleviate this problem whentraffic forwarding is shared by multiple neighbors. Besides,we can let nodes with low traffic burden send dummy trafficto maintain a homogeneous communication burden among allnodes. Based on the above camouflaging techniques, all nodesin our protocol tend to behave homogeneously. Therefore, theattacker cannot distinguish nodes with more keys from others.This approach costs extra communication overhead.

VI. CONCLUSION

In this paper, we address the issue of providing end toend secure communications in randomly deployed wirelesssensor networks, via differentiated key pre-distribution, wherethe idea is to distribute different number of keys to dif-ferent sensors to enhance the resilience of certain links inthe network. This feature is leveraged during routing, wherenodes route through links with higher resilience. We presentour end to end secure communication protocol based onthe above methodology by extending well known locationcentric (GPSR) and data centric (minimum hop) routing proto-cols. Detailed theoretical analysis and performance evaluationsdemonstrate the strengths of our techniques.

ACKNOWLEDGMENT

This work was supported in part by the National ScienceFoundation of China (NSFC) under grant No. 61070245. Anyopinions, findings, conclusions, and recommendations in thispaper are those of the authors and do not necessarily reflectthe views of the funding agencies.

REFERENCES

[1] L. Eschenauer and V. D. Gligor, β€œA key-management scheme fordistributed sensor networks," in Proc. 9th ACM Conf. Comput. Commun.Security, Nov. 2002.

[2] H. Chan, A. Perrig, and D. Song, β€œRandom key predistribution schemesfor sensor networks," in Proc. IEEE Symp. Research Security Privacy,May 2003.

[3] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, β€œA pairwise key pre-distribution scheme for wireless sensor networks," in Proc. 10th ACMConf. Comput. Commun. Security, Oct. 2003.

[4] J. Lee and D. R. Stinson, β€œDeterministic key predistribution schemesfor distributed sensor networks," in Proc. 11th Workshop Sel. AreasCryptography, Aug. 2004.

[5] J. Lee and D. R. Stinson, β€œA combinatorial approach to key predistribu-tion for distributed sensor networks," in Proc. IEEE Wireless Commun.Netw. Conf., Mar. 2005.

[6] D. Liu and P. Ning, β€œEstablishing pairwise keys in distributed sensornetworks," in Proc. 10th ACM Conf. Comput. Commun. Security, Oct.2003.

[7] S. Zhu, S. Xu, S. Setia, and S. Jajodia, β€œEstablishing pairwise keys forsecure communication in ad hoc networks: a probabilistic approach," inProc. 11th IEEE International Conf. Netw. Protocols, Nov. 2003.

[8] H. Dai and H. Xu, β€œTriangle-based key management scheme for wirelesssensor networks," Frontiers Electrical Electron. Eng. China, vol. 4,no. 3, pp. 300-306, 2009.

[9] P. Traynor, H. Choi, G. Cao, S. Zhu, and T. L. Porta, β€œEstablishingpair-wise keys in heterogeneous sensor networks," in Proc. 25th IEEEConf. Comput. Commun., Apr. 2006.

[10] A. Poornima and B. Amberker, β€œTree-based key management schemefor heterogeneous sensor networks," in 16th IEEE International Conf.Netw., 2008.

[11] Y. Zhang, W. Yang, K. Kim, and M. Park, β€œAn AVL tree-based dynamickey management in hierarchical wireless sensor network," in Proc.International Conf. Intelligent Inf. Hiding Multimedia Signal Process.,pp. 298-303, 2008.

[12] T. Landstra, M. Zawodniok, and S. Jagannathan, β€œEnergy-efficienthybrid key management protocol for wireless sensor networks," in IEEEConf. Local Comput. Netw., 2007.

[13] A. Poornima and B. Amberker, β€œKey management schemes for securecommunication in heterogeneous sensor networks," International J.Recent Trends Eng., 2009.

[14] A. Das, β€œAn unconditionally secure key management scheme for large-scale heterogeneous wireless sensor networks," in Proc. First Interna-tional Commun. Syst. Netw. Workshops, pp. 1-10, 2009.

[15] Y. Yang, J. Zhou, R. Deng, and F. Bao, β€œHierarchical self-healingkey distribution for heterogeneous wireless sensor networks," SecurityPrivacy Commun. Netw., pp. 285-295, 2009.

[16] B. Tian, S. Han, and T. Dillon, β€œA key management scheme for hetero-geneous sensor networks using keyed-hash chain," in 5th InternationalConf. Mobile Ad-hoc Sensor Netw., 2010.

[17] J. Kim, J. Lee, and K. Rim, β€œEnergy efficient key management protocolin wireless sensor networks," International J. Security its Appl., 2010.

[18] M. Wen, Z. Yin, Y. Long, and Y. Wang, β€œAn adaptive key managementframework for the wireless mesh and sensor networks," Wireless SensorNetw. J., 2010.

[19] H. Jen-Yan, I. Liao, and H. Tang, β€œA forward authentication keymanagement scheme for heterogeneous sensor networks," EURASIP J.Wireless Commun. Netw., 2010.

[20] D. Liu, P. Ning, and W. Du, β€œGroup-based key predistribution forwireless sensor networks," ACM Trans. Sensor Netw., vol. 4, no. 2,pp. 1-30, 2008.

[21] N. Canh, P. Truc, T. Hai, Y. Lee, and S. Lee, β€œEnhanced group-basedkey management scheme for wireless sensor networks using deploymentknowledge," in Proc. 6th IEEE Consumer Commun. Netw. Conf., pp. 1-5, 2009.

[22] W. Du, J. Deng, Y. Han, S. Chen, and P. Varshney, β€œA key managementscheme for wireless sensor networks using deployment knowledge," in23rd Annual Joint Conf. IEEE Comput. Commun. Societies, 2004.

[23] D. Liu and P. Ning, β€œImproving key predistribution with deploymentknowledge in static sensor networks," ACM Trans. Sensor Netw., vol. 1,no. 2, pp. 204-239, 2005.

[24] N. Canh, Y. Lee, and S. Lee, β€œHGKM: a group-based key managementscheme for sensor networks using deployment knowledge," in Proc. 6thAnnual Commun. Netw. Services Research Conf., pp. 544-551, 2008.

[25] Y. Zhang, W. Liu, W. Lou, and Y. Fang, β€œLocation-based compromise-tolerant security mechanisms for wireless sensor networks," IEEE J. Sel.Areas Commun., vol. 24, no. 2, pp. 247-260, 2006.

[26] Y. Zhang, W. Liu, Y. Fang, and D. Wu, β€œSecure localization andauthentication in ultra-wideband sensor networks," IEEE J. Sel. AreasCommun., vol. 24, no. 4, pp. 829-835, 2006.

[27] K. Ren, W. Lou, and Y. Zhang, β€œLEDS: providing location-aware end-to-end data security in wireless sensor networks," IEEE Trans. MobileComput., vol. 7, no. 5, pp. 585-598, May 2008.

[28] S. Patil, β€œSensor network traffic-adaptive key management scheme," inProc. International Conf. Advances Recent Technol. Commun. Comput.,pp. 610-614, 2009.

[29] Y. Qian, K. Lu, B. Rong, and D. Tipper, β€œA design of optimal key man-agement scheme for secure and survivable wireless sensor networks,"Security Commun. Netw., vol. 1, no. 1, pp. 75-85, 2008.

[30] C. Wang, T. Hong, G. Horng, and W. Wang, β€œA ga-based key-management scheme in hierarchical wireless sensor networks," Inter-national J. Innovative Comput., Inf. Control, 2008.

[31] G. Wang, G. Cao, and T. L. Porta, β€œMovement-assisted sensor deploy-ment," in Proc. IEEE Conf. Comput. Commun., Mar. 2004.

[32] S. Chellappan, W. Gu, X. Bai, B. Ma, D. Xuan, and K.Zhang, β€œDeploy-ing wireless sensor networks under limited mobility constraints," IEEETrans. Mobile Comput., vol. 6, no. 10, Oct. 2007.

[33] P. Andreou, D. Zeinalipour-Yazti, P. Chrysanthis, and G. Samaras, β€œIn-network data acquisition and replication in mobile sensor networks,"Distributed Parallel Databases, pp. 1-26, 2011.

[34] C. Wang, P. Ramanathan, and K. Saluja, β€œModeling latency-lifetimetrade-off for target detection in mobile sensor networks," ACM Trans.Sensor Netw., vol. 7, no. 1, pp. 1-24, 2010.

[35] S. Choi, V. Sarangan, and S. Trost, β€œKey management in wireless sensornetworks with inter-network sensor roaming," in 33rd IEEE Conf. LocalComput. Netw., 2008.

[36] Y. Lee and S. Lee, β€œA new efficient key management protocol forwireless sensor and actor networks," Arxiv preprint arXiv:0912.0580,2009.

[37] K. Kifayat, M. Merabti, Q. Shi, and D. Llewellyn-Jones, β€œGroup-basedkey management for mobile sensor networks," in Proc. IEEE SarnoffSymp., pp. 1-5, 2010.

Page 14: Providing End-To-End Secure Communications in Wireless Sensor Networks

218 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 8, NO. 3, SEPTEMBER 2011

[38] H. Alzaid, D. Park, J. Nieto, C. Boyd, and E. Foo, β€œA forward andbackward secure key management in wireless sensor networks forPCS/SCADA," Sensor Syst. Software, pp. 66-82, 2010.

[39] R. Silva, N. Pereira, and M. Nunes, β€œProbabilistic key managementpractical concerns in wireless sensor networks," J. Netw., vol. 3, no. 2,2008.

[40] C. Castelluccia, E. Mykletun, and G. Tsudik, β€œEfficient aggregation ofencrypted data in wireless sensor networks," in Proc. Second AnnualInternational Conf. Mobile Ubiquitous Syst. Netw. Services, pp. 109-117, 2005.

[41] B. Dutertre, S. Cheung, and J. Levy, β€œLightweight key management inwireless sensor networks by leveraging initial trust," SRI International,SDL Technical Report SRI-SDL-04-02, 2004.

[42] Z. Sencun, S. Sanjeev, and J. Sushi, β€œLEAP: efficient security mecha-nisms for large-scale distributed sensor networks," in Proc. ACM Conf.Comput. Commun. Security, pp. 62-72, 2003.

[43] C. Karlof and D. Wagner, β€œSecure routing in wireless sensor networks:attacks and countermeasures," Elsevier’s AdHoc Netw. J., vol. 1, pp. 293-315, Sep. 2003.

[44] J. Spencer, β€œThe strange logic of random graphs," 2001.[45] B. Karp and H. Kung, β€œGPSR: greedy perimeter stateless routing for

wireless networks," in Proc. ACM International Conf. Mobile Comput.Netw., Aug. 2000.

[46] C. Intanagonviwat, R. Govindan, and D. Estrin, β€œDirected diffusion: ascalable and robust communication paradigm for sensor networks," inProc. ACM International Conf. Mobile Comput. Netw., Aug. 2000.

[47] W. Heinzelman, A. Chandrakasan, and H. Balakrishnan, β€œEnergy-efficient communication protocols for wireless microsensor networks(leach)," in Proc. 33rd Hawaii International Conf. Syst. Science, Jan.2000.

[48] S. Tanachaiwiwat, P. Dave, R. Bhindwale, and A. Helmy, β€œSecure lo-cations: routing on trust and isolating compromised sensors in location-aware sensor networks," in Proc. 1st ACM Conf. Embedded Netw. SensorSyst., Nov. 2003.

[49] A. D. Wood, L. Fang, J. A. Stankovic, and T. He, β€œSIGF: a family ofconfigurable, secure routing protocols for wireless sensor networks," inProc. 4th ACM Workshop Security Ad Hoc Sensor Netw., Oct. 2006.

[50] C. Schugers and M. Srivastava, β€œEnergy efficient routing in wirelesssensor networks," in Proc. Milcom, Oct. 2001.

[51] S. A. G. Chandler, β€œCalculation of number of relay hops required inrandomly located radio network," Electron. Lett., vol. 25, pp. 1669-1671, Nov. 1989.

[52] Y. C. Cheng and T. G. Robertazzi, β€œCritical connectivity phenomena inmultihop radio models," IEEE Trans. Commun., vol. 37, pp. 770-777,July 1989.

[53] L. Batina, N. Mentens, K. Sakiyama, B. Preneel, and I. Verbauwhede,β€œLow-cost elliptic curve cryptography for wireless sensor networks,"in Proc. 3rd European Workshop Security Ad-Hoc Sensor Netw., Sep.2006.

[54] A. Liu, P. Kampanakis, and P. Ning, β€œTinyecc: elliptic curve cryptogra-phy for sensor networks (version 0.3)." Available: http://discovery.csc.ncsu.edu/software/TinyECC/, Feb. 2007.

[55] K. Piotrowski, P. Langendoerfer, and S. Peter, β€œHow public key cryp-tography influences wireless sensor node lifetime," in Proc. 4th ACMWorkshop Security Ad Hoc Sensor Netw., Oct. 2006.

[56] R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, and P. Kruus, β€œTinypk:securing sensor networks with public key technology," in Proc. 2nd ACMConf. Embedded Netw. Sensor Syst., Oct. 2004.

[57] Available: https://sites.google.com/a/mst.edu/missouri-snt-motes/home

Wenjun Gu is a software development engineerin Microsoft Corporation. His research interests arein Wireless Networks, Network Security and Dis-tributed Systems. He received his M.S. and Ph.D.degrees in Computer Science and Engineering fromThe Ohio State University in 2007 and 2008 re-spectively. He received his B.S. and M.S. degreesin Electronic Engineering from Shanghai Jiao TongUniversity (SJTU), China, in 2000 and 2003 respec-tively.

Neelanjana Dutta is a PhD candidate in the Com-puter Science Department at Missouri Universityof Science and Technology. Her current researchinterests are in mobile wireless networks and adhocnetworks. She received her Bachelors degree in In-formation Technology from West Bengal Universityof Technology in India.

Sriram Chellappan is an Assistant Professor in theDept. of Computer Science at Missouri Universityof Science and Technology. He received his Ph.D.degree in Computer Science and Engineering fromThe Ohio-State University in December 2007. Hisresearch interests are in Network Security, CyberPhysical Systems and Vehicular Networking.

Xiaole Bai is an assistant professor in Computerand Information Science Department at Univer-sity of Massachusetts Dartmouth. He received hisB.S.degree in 1999 at Southeast University, China,and the M.S. degree in 2003 at Networking Labora-tory, Helsinki University of Technology, Finland. Hethen joined The Ohio State University in 2004 andreceived his Ph.D. degree in 2009 from Departmentof Computer Science and Engineering. His researchinterests include networking, cyber space security,and distributed computing.