Efficient Pairwise Key Establishment and Management ... - IEEE Xplore

Efficient Pairwise Key Establishment and Management in Static Wireless Sensor Networks

Yi Cheng and Dharma P. Agrawal
OBR Center for Distributed and Mobile Computing Lab
University of Cincinnati, Cincinnati, OH 45221
{chengyg, dpa}@ececs.uc.edu

Abstract-- Key establishment and management is the core of security protocols for wireless sensor networks deployed in hostile environments. Due to the strict resource constraints, traditional asymmetric key cryptosystems, such as public/private key based schemes, are infeasible for large-scale wireless sensor networks. Research shows that pre-distributing pairwise keys into wireless sensor nodes before deployment is a practical way to deal with the key establishment problem. Existing random key based key pre-distribution schemes only provide probabilistic connectivity of the network and some level of network resilience. In this paper, we propose an efficient pairwise key establishment and management scheme to achieve both network connectivity and resilience for static wireless sensor networks. Compared with current key pre-distribution schemes, our scheme supports a large network size and has lower communication and computational overhead.

1. INTRODUCTION

Wireless sensor networks (WSNs), composed of a large number of tiny, low-power and low-cost wireless sensors, can be easily deployed in any area of interest to monitor the surrounding environment [1]. This attractive property makes them widely used in a variety of applications, both in military operations and civilian fields. Security is extremely important when wireless sensor networks are deployed in a hostile environment. The sensitive data must be protected properly to ensure information authenticity, confidentiality and integrity [2][3][4][5][6][7][8]. In some military applications, the highest level of security must be satisfied; otherwise, the result could be extremely dangerous.

Resource constraints are the main limitation of wireless sensor networks. Each sensor node has only limited battery power, small memory storage, and low computing capacity. The lack of infrastructure support is another problem for wireless sensor networks. Therefore, security protocols used for wireless sensor networks must be not only secure but also efficient. Traditional asymmetric key cryptosystems, such as public/private key based security protocols, need high computing power and large memory storage, and hence cannot be applied in wireless sensor networks. Furthermore, due to the unpredictable network topology, short radio transmission range and intermittent operation of sensor nodes, traditional key distribution protocols suitable for infrastructure-supported wireless networks also cannot be used in wireless sensor networks.

0-7803-9466-6/05/$20.00 ©2005 IEEE

Research shows that key pre-distribution may be a practical way to deal with the key distribution problem in the wireless sensor environment [9]. A key pre-distribution scheme consists of two phases: the key pre-distribution phase and the pairwise key setup phase. In the key pre-distribution phase, each sensor node is pre-loaded with some keys in its memory before it is deployed. After deployment, each node exchanges key information with its neighbors and tries to establish a secure link with them, which is the pairwise key setup phase. Once these two phases are finished, a network of secure links is established across the wireless sensor network, and data can be propagated through the secure links to the base station.

Many key pre-distribution schemes have been proposed recently. We will review two naïve solutions first, and then discuss some improved schemes. The first naïve solution is the master key approach. In this approach, a key distribution center (KDC) assigns a single master key to all sensor nodes before they are deployed. After deployment, any two sensor nodes can communicate securely with the master key. This approach looks very simple and efficient, but it has a severe drawback when sensor nodes are physically captured by the adversary, since the compromise of even one node could destroy the secrecy of the entire network.

Another naïve solution is to assign a distinct pairwise key to each pair of sensor nodes before they are deployed. This solution guarantees that any two nodes can communicate securely after deployment and that the compromise or capture of any node does not affect the rest of the network. Although this approach can provide perfect security for a wireless sensor network, it cannot be applied to large-scale networks in practice. As we mentioned before, each sensor node has limited memory, which can store only a limited number of keys. In the pairwise key approach, each sensor node has to store (n-1) keys in its memory (where n is the network size). Imagine: how could a tiny sensor store 9,999 distinct keys in its limited memory just for a network of 10,000 nodes? (In practice, most wireless sensor networks are expected to be composed of more than 10,000 nodes.)

To achieve security and scalability simultaneously, many key pre-distribution schemes have been proposed in the literature recently [9][10][11][12][13][14]. Some of them are based on probability and random graph theory; other schemes are based on either symmetric matrix operations or polynomial computations. Each scheme has its advantages and weaknesses, but none of them can satisfy all the security and

MASS 2005

efficiency requirements of wireless sensor networks listed below:
• secrecy and authentication
• resilience against node capture
• node replication
• nodes revocation
• nodes addition
• network connectivity
• maximum supported network size
• minimum memory storage requirement
• low communication overhead
• low computational overhead

In this paper, we propose a new efficient pairwise key establishment and management scheme for static wireless sensor networks. Compared with existing key pre-distribution schemes, our approach can provide the complete network connectivity and better resilience against node capture attack. Low communication overhead, low computational overhead and large network size supporting are other benefits of our proposed scheme.

The remainder of this paper is organized as follows: In Section 2, we briefly describe and discuss some current existing key pre-distribution schemes. A detailed introduction of our proposed efficient pairwise key establishment and management scheme is presented in Section 3. Section 4 gives analysis and evaluation of our proposed scheme. We conclude our work in Section 5.

2. RELATED WORK

Recently, various key pre-distribution schemes have been proposed to establish secure links between sensor nodes in wireless sensor networks [9][10][11][12][13][14]. Due to the resource constraints, large scale and lack of infrastructure support, traditional public/private key based asymmetric key distribution protocols are not suitable for wireless sensor networks. Researchers claimed that pre-distributing communication keys into sensor nodes before they are deployed is a practical choice for key distribution and management in wireless sensor network environments [9].

Eschenauer and Gligor proposed a random key pre-distribution scheme in [9]. The basic idea of their scheme is to randomly select a subset of communication keys from a very large key pool and store it in each wireless sensor node’s memory before the node is deployed. Each node uses a key discovery process to exchange key information with its neighbors after deployment. If two neighbor nodes share one or more common keys in their memories, they can establish a secure communication link between them. Otherwise, the two communicating nodes need to set up a path key with the participation of other intermediate nodes. Random graph theory is used to show that if the probability of two nodes sharing at least one common key satisfies a critical condition, the connectivity of the entire network can be obtained with high probability.

Based on the work in [9], Chan et al. [10] proposed a “q-composite” scheme to improve the resilience of the network. Resilience is defined as the fraction of the communication between non-compromised nodes that will be compromised after some nodes are captured or compromised by the adversary; it is the main metric for evaluating the security of a key pre-distribution scheme. The main difference between the above two schemes is that the latter requires two neighbor nodes to share at least q ($q \ge 2$) common keys to establish a secure communication link. Chan et al. showed that as the value of q is increased, the network resilience against node capture is improved when the number of nodes captured is small [10]. In other words, an attacker needs to capture more nodes in [10] to compromise the same fraction of additional communication links in [9]. Both Eschenauer’s and Chan’s schemes cannot guarantee the connectivity of the entire network and need large memory storage to store keys for a large-scale network. Key reuse is another weakness of these schemes, which means that the capture of some nodes may compromise the communication between other non-captured nodes.

Blom [11] proposed a key pre-distribution method to guarantee that any two members in a group can compute a common key between them. In Blom’s scheme, first a ( 1) n matrix G and a ( 1) ( 1) symmetric matrix D are constructed, is the expected threshold to where n is the group size and compromise the secret collusively. Each member in the group randomly stores a row vector from matrix A and the corresponding column vector from the matrix G, where $A = (D G)^T$. Suppose member a gets the $i$th row from A and the $i$th column from G, and member b gets the $j$th row from A and the $j$th column from G. When a and b want to communicate with each other, they exchange their column vectors first, and then each multiplies its row vector by its partner’s column vector. After the calculation, a gets the entry located in the $i$th row and $j$th column of a symmetric matrix, and b gets the entry located in the $j$th row and $i$th column of the same symmetric matrix. Due to the symmetry of the matrix, the two entries have the same value; therefore a and b obtain a shared common key. In Blom’s scheme, as long as no more than members are compromised, the entire group is perfectly secure.

Du et al. [12] modified Blom’s scheme slightly to make it suitable for wireless sensor networks. In [12], Blom’s scheme is used to calculate pairwise keys between sensor nodes. To improve the performance and network resilience, Du et al. separate the single key space in [11] into multiple key spaces, using the random key pre-distribution mechanism in [9]. The main advantage of Blom’s scheme is that it can provide full connectivity of the network, but it also has the “ secure” problem. The network remains secure only when no more than members are compromised; once the number of compromised nodes exceeds the threshold , the entire network could be crashed. Although Du et al.’s scheme in [12] can increase the threshold value, it only provides probabilistic connectivity of the network.

A polynomial-based key pre-distribution scheme is proposed by Blundo et al. in [13]. Based on bivariate polynomial operations, their scheme allows any group of t nodes to compute a common key while being secure against collusion among some of them. The problem is that this scheme also tolerates no more than t compromised nodes. Liu and Ning further improved this scheme in [14] by taking advantage of the sensors’ expected location information. They proposed a location-based pairwise key establishment scheme using bivariate polynomials. In their work, Liu and Ning showed that there is a trade-off between the security against node capture attack and the performance of the pairwise key establishment scheme.

None of the schemes proposed in [9][10][11][12][13][14] can provide sufficient network resilience against node capture attack. As we have discussed previously, once the number of captured nodes reaches a critical value, the entire network will be crashed or a large fraction of the communication between the non-captured nodes will be compromised.

In this paper, we try to solve the limitations and weaknesses of the current key pre-distribution schemes. A new efficient pairwise key establishment and management scheme is proposed in the next section, which can provide good network resilience against node capture attack as well as full network connectivity.

3. EFFICIENT PAIRWISE KEY ESTABLISHMENT AND MANAGEMENT SCHEME

In this section, we introduce our proposed Efficient Pairwise Key Establishment and Management scheme (EPKEM) in detail.

3.1. Assumptions

In this work, we assume the wireless sensor network is a static, large-scale, and homogeneous network. Each sensor node has the same battery power, memory storage size, CPU processing capacity and radio transmission range. Sensor nodes are uniformly distributed in an area by airplane or other vehicles and cannot change their position after deployment. A sensor node’s location cannot be predicted before deployment, so no prior location knowledge is available. The sink node has unlimited computation and communication power, unlimited memory storage capacity, and a very large radio transmission range which can reach any sensor node in the network. The sink node can be located in either the center or a corner of the sensor network.

3.2. Basic Idea

Unlike existing key pre-distribution schemes, the pairwise communication keys in EPKEM are different from the pre-loaded network setup keys. Pre-loaded setup keys are only used to establish a connected network and to calculate the intended pairwise communication keys, which will be used to secure the data and information exchanged between sensor nodes.

3.3. Four Phases of EPKEM

In EPKEM, the pairwise communication key is established through four phases: the setup key pre-assignment phase, the common keys discovery phase, the pairwise key computation phase, and the key ring establishment phase. These four phases are described as follows.

3.3.1. Setup Key Pre-Assignment Phase

In the setup key pre-assignment phase, the Key Distribution Server (KDS) generates a very large key pool P with more than $2^{20}$ distinct keys. For each sensor node $N_i$ ($N_i$ denotes this node’s ID), the KDS randomly selects a secret key from P and stores it in $N_i$’s memory. This key, denoted as $k_{N_i\,KDS}$, is shared only by the KDS and the intended node $N_i$, and will be used to identify node $N_i$ and secure the communication between $N_i$ and the KDS in the future. Then, for each sensor node, the KDS randomly selects a subset of keys from the rest of P and pre-loads them into the node’s memory; these keys serve as the network setup keys after deployment.

The KDS assigns setup keys to each node under certain rules to ensure that any two nodes have at least two keys in common. A simple method to achieve this is as follows. Suppose the intended network size is n. The KDS randomly selects n keys from the remaining keys in P and uses them to construct an $(m \times m)$ key matrix K, where $m = \sqrt{n}$. Figure 1 illustrates an example of a constructed key matrix, where each key has a unique two-dimensional id denoted as $k_{i,j}$ $(i, j = 1, 2, \ldots, m)$. The KDS constructs key chains by randomly selecting a row and a column from key matrix K. We use $kc_{i,j}$ $(i, j = 1, 2, \ldots, m)$ to represent the key chain composed of the $i$th row and $j$th column of key matrix K. The total number of constructed key chains is n, which is the same as the network size. For each sensor node, the KDS randomly picks a key chain and stores it in that node’s memory. For convenience, we assume in this paper that node $N_a$ has $kc_{i,j}$ stored in memory and node $N_b$ has $kc_{l,m}$ stored in memory.

ID    1          2          3          4          5          …    m
1     k_{1,1}    k_{1,2}    k_{1,3}    k_{1,4}    k_{1,5}    …    k_{1,m}
2     k_{2,1}    k_{2,2}    k_{2,3}    k_{2,4}    k_{2,5}    …    k_{2,m}
3     k_{3,1}    k_{3,2}    k_{3,3}    k_{3,4}    k_{3,5}    …    k_{3,m}
4     k_{4,1}    k_{4,2}    k_{4,3}    k_{4,4}    k_{4,5}    …    k_{4,m}
5     k_{5,1}    k_{5,2}    k_{5,3}    k_{5,4}    k_{5,5}    …    k_{5,m}
:     :          :          :          :          :               :
m     k_{m,1}    k_{m,2}    k_{m,3}    k_{m,4}    k_{m,5}    …    k_{m,m}

Figure 1: An example of constructed setup key matrix K

ID          Keys in key chain
kc_{1,1}    { k_{1,1}, …, k_{1,m}, k_{2,1}, …, k_{m,1}, k_{N_{1,1} KDS} }
:           :
kc_{i,j}    { k_{i,1}, …, k_{i,m}, k_{1,j}, …, k_{m,j}, k_{N_{i,j} KDS} }
:           :
kc_{m,m}    { k_{m,1}, …, k_{m,m}, k_{1,m}, …, k_{m-1,m}, k_{N_{m,m} KDS} }

Table 1: Keys in key chain

Table 1 lists the constructed key chains. It is easy to see that any two key chains $kc_{i,j}$ and $kc_{l,m}$ share exactly two common keys when $i \ne l$ and $j \ne m$, or m keys in common when $i = l$ or $j = m$. For instance, key chains $kc_{2,3}$ and $kc_{4,5}$ have two common keys, $k_{2,5}$ and $k_{4,3}$. In our scheme, after the setup key pre-assignment phase any two sensor nodes share either two or m common keys, and a secure link between them can be established with these common keys after deployment.

3.3.2. Common Keys Discovery Phase

After deployment, any two neighboring sensor nodes need to figure out their shared common keys. To achieve this, each node broadcasts its node ID and key chain ID to its neighbors. Once a node receives its neighbor’s key chain ID, it can identify which keys they share. For example, nodes $N_a$ and $N_b$ are two neighbors within each other’s radio transmission range. Once $N_a$ knows $N_b$’s key chain ID $(l, m)$, $N_a$ checks its memory and looks for keys $k_{i,m}$ and $k_{l,j}$, which should be the common keys shared with node $N_b$. On the other side, node $N_b$ can also find the shared keys $k_{i,m}$ and $k_{l,j}$ through the same procedure.

3.3.3. Pairwise Key Computation Phase

After the common key discovery phase, each sensor node knows its neighbor node’s ID and their shared common keys. Since all the pre-loaded setup keys are picked from the same key matrix K, the same key may be stored in different nodes. That means that when some nodes are captured, keys stored in non-captured nodes may be compromised too. To address this problem, we establish a new pairwise communication key for each pair of neighbor nodes instead of using the shared common keys directly. The new pairwise communication key is calculated from the shared setup keys. Suppose nodes $N_a$ and $N_b$ are a pair of neighbor nodes and their shared setup keys are $k_{i,m}$ and $k_{l,j}$. To establish a private pairwise key which is unknown to other nodes, node $N_a$ and node $N_b$ compute their pairwise key using Equation (1).

$$k_{N_a\,N_b} = k_{i,m} \oplus N_a \oplus k_{l,j} \oplus N_b \qquad (1)$$

In Equation (1), “$\oplus$” is the exclusive-or operator. In our proposed scheme, all setup keys in the key matrix K are distinct from each other, and no pair of nodes shares the same two keys as another pair. Furthermore, each node in the sensor network has a unique identity; hence the calculated pairwise communication key for each pair of sensor nodes is distinct from the others and shared only between them. This unique pairwise communication key cannot be computed or guessed by any other node, and will be used for data exchange and node authentication between the intended neighboring nodes in the network.

3.3.4. Key Ring Establishment Phase

Once a sensor node has computed all the pairwise communication keys with its neighbors, it immediately erases all the pre-assigned setup keys from its memory to prevent possible key compromise and node capture attack. Only the computed pairwise communication keys with its neighbors and the secret key $k_{N\,KDS}$ shared with the KDS are kept in the memory of each node; these compose the permanent key ring of a sensor node.

A connected network of secure links is established when the above four phases are finished. Each sensor node can now use $k_{N\,KDS}$ to communicate with the KDS, and the calculated pairwise keys to authenticate and communicate securely with its proper neighbor nodes.

4. ANALYSIS AND EVALUATION

In this section, we analyze the security properties and evaluate the performance of our proposed scheme by comparing it with the existing random key based key pre-distribution schemes in [9][10], which are the closest work to ours.

4.1. Security Analysis of EPKEM

4.1.1. Compromised Keys Revocation

In wireless sensor networks, compromised keys must be removed from the network dynamically and immediately. In our proposed scheme, each node knows its neighbors’ IDs and shares a unique pairwise communication key only with an intended 1-hop neighbor. Once a misbehaving node, which in most cases was captured or compromised by the adversary, is detected (malicious node detection is not discussed in this paper; interested readers may refer to the related literature), all its 1-hop neighbor nodes immediately remove the corresponding pairwise keys shared with it. In addition, the misbehaving node’s ID is sent to the sink node immediately. Once the sink node gets the information, it informs the KDS to remove the compromised node and its corresponding setup and secret keys from the key pool P permanently and to prevent any communication with that compromised node in the future.

In [9][10], since the compromised keys may be shared by any nodes anywhere, the information about the compromised keys must be propagated to every node in the entire network. Each node that gets that information needs to check its key ring, locate the compromised keys and remove them from its memory. The compromised key revocation procedure in [9][10] involves all the sensor nodes in the network, which consumes more time, energy, and bandwidth and produces much more communication overhead than our scheme.

4.1.2. Sensor Nodes Addition

In some applications, new sensor nodes need to be added to an existing network to replace power-exhausted or compromised nodes. EPKEM achieves node addition through a procedure similar to that in [9][10]. First, the key distribution server (KDS) constructs a new key matrix and the corresponding key chains; then the KDS assigns a secret key and a key chain to each of the new nodes, just as in the key pre-assignment phase described in Section 3. In addition, the KDS also needs to assign the new key chains to nodes $N_e$ which already exist in the network and are located close to the new nodes’ deployment area. These key chains are encrypted with key $k_{N_e\,KDS}$ (the secret key shared between $N_e$ and the KDS) and sent to nodes $N_e$ at the same time as the new sensors are deployed. Once nodes $N_e$ receive the message and decrypt it, they obtain the new setup keys and establish secure links with the newly deployed nodes through the same procedure described in Section 3. After the four setup phases have finished, new sensor nodes can join the network and communicate with existing nodes securely.

4.1.3. Resistance Against Node Replication

Wireless sensor networks are commonly deployed in a hostile environment; therefore, some nodes may be captured by the adversary. It is a serious attack if the adversary duplicates the captured nodes and populates them into the network to obtain critical information, especially in [9][10], where the same keys may be shared by different nodes somewhere in the network. Also, there is no node authentication procedure in these two schemes. In our proposed scheme the node replication attack can be completely avoided, since after the initialization phase each node keeps only the pairwise communication keys and ID information of its 1-hop neighbors in memory, and communicates only with these neighbors. Without the proper pairwise key’s authentication and neighborhood knowledge verification, any stranger’s communication request is simply ignored. Therefore, the node replication attack is prevented totally in the EPKEM scheme.

4.1.4. Resiliency to Node Capture

In wireless sensor networks, adversaries not only can get critical data by eavesdropping on or intercepting the radio medium, but also can physically capture sensor nodes to obtain secret information, such as communication keys, critical data and other valuable information. Node capture attack is the most serious threat in wireless sensor networks.

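Figure 2: Fraction of compromised keys among non-captured nodes vs number of captured nodes.
[Plot. x-axis: number of captured sensor nodes (0 to 1000); y-axis: fraction of compromised keys among non-captured nodes (0 to 1); curves: random key pre-distribution, q-composite (q=2), q-composite (q=3), EPKEM.]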

In Eschenauer and Gligor’s scheme [9], sensor nodes use the same setup keys as the communication keys in the network; the capture of any node could compromise the communication keys of other non-captured nodes. This kind of problem is defined as the resiliency of a network. In [9], given a key ring size of 200 and a probability of 0.33 that any two nodes share at least one common key, 10% of the communication among the non-captured nodes could be compromised when only 50 nodes are captured. The “q-composite” scheme in [10] improves the network resilience by requiring two nodes to share at least q ($q \ge 2$) common keys to establish a secure link. This scheme only works well when a small number of nodes are captured. As shown in Figure 2, when the number of captured nodes increases, the fraction of compromised communication between non-captured nodes increases faster than in Eschenauer and Gligor’s scheme.

In EPKEM, after the pairwise key setup phase, each pair of neighboring nodes has a unique pairwise communication key which is distinct from all others. The capture of any node does not reveal any key information about other links between non-captured nodes. This approach can achieve good network resilience against the node capture attack, which is one of the main contributions of our work. Comparing our scheme with the previous two schemes, we can see that when 200 nodes are captured, above 30% of the communication between non-captured nodes is compromised in [9][10]; when the number of captured nodes increases to 500, more than 60% of the communication of the rest of the network will be compromised. But in our proposed EPKEM scheme, no communication between non-captured nodes will be compromised no matter how many nodes are captured by the adversary.

4.2. Performance Evaluation of EPKEM

4.2.1. Network Connectivity

Network connectivity is an important metric to evaluate a key pre-distribution scheme. A good key pre-distribution scheme should guarantee network connectivity no matter how the network is deployed. Being based on probability theory, [9][10] only provide probabilistic connectivity of a network; in other words, they cannot guarantee the entire network’s connectivity in practice. Some nodes or some portions of a network could be isolated from the rest of the network when no common key exists. EPKEM can guarantee full secure connectivity of the entire network, which is the second contribution of our work. Unlike key pre-distribution schemes based on probability theory, our scheme guarantees that any two nodes share at least two network setup keys in the key pre-assignment phase. After deployment, any pair of sensor nodes within each other’s radio transmission range can establish a pairwise communication key by using their shared network setup keys, which means our proposed scheme can provide a completely connected secure network in the deployment area.

4.2.2. Maximum Supported Network Size

Compared with Eschenauer and Gligor’s scheme [9] and Chan et al.’s “q-composite” scheme [10], EPKEM can provide the largest maximum supported network size. As described in Section 3, given the key ring size m, the maximum supported network size of our scheme is $m^2$, which is much larger than the network size supported by the previous two schemes. Figure 3 indicates the difference in maximum supported network size among these three schemes. For convenience, we use the same evaluation metrics as in [10], where the probability that any two nodes can establish a secure link is 0.33, and the maximum compromise threshold is 0.1. Figure 4 shows that for the previous two schemes, the network size increases linearly as the key ring size increases. However, our proposed scheme provides an exponentially increasing network size when the key ring size increases (where we used the number of pre-assigned setup keys as the key ring size of our scheme, which is much larger than our final key ring size). It is easy to see that our proposed scheme has better scalability than the other two schemes.

4.2.3. Communication and Computational Overhead

In [9][10], to establish a secure link with its neighbors, a sensor node needs to broadcast all the keys or key identities in its key ring to other nodes. For a large-scale network, each node has a large number of keys in its key ring. This kind of key information exchange not only consumes the sensor nodes’ limited energy and radio bandwidth, but also produces traffic overload and collisions. In EPKEM, only the node ID and the key chain ID need to be broadcast, which greatly reduces the energy consumption and communication overhead in the network. Additionally, in [9][10], once two nodes have no shared common keys, a direct pairwise key cannot be established. These two nodes have to set up a path key with the participation of other nodes. This path-key establishment approach needs to exchange additional key information with intermediate nodes. More CPU power and time are required for this procedure, and additional memory storage is occupied. Our proposed scheme guarantees that any two nodes establish a pairwise communication key directly, which produces much lower communication and computational overhead than previous schemes.
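The four phases of Section 3.3, together with the direct key agreement and node-capture properties discussed in this section, run on a constructed 16-node network; this is an added example, not code from the paper. It reads Equation (1) as the XOR of the two shared setup keys and both node IDs; the 16-byte key length, the ID encoding, the all-pairs neighbour topology and all function names are assumptions.

```python
import secrets
from itertools import combinations

KEY_LEN = 16  # bytes per key and per encoded node ID (assumed; the paper fixes neither)


def xor(*parts):
    """Bytewise XOR of equal-length byte strings."""
    out = bytes(KEY_LEN)
    for part in parts:
        out = bytes(a ^ b for a, b in zip(out, part))
    return out


def id_bytes(node_id):
    """Fixed-width encoding of a node ID so it can be XORed with keys (assumed)."""
    return node_id.to_bytes(KEY_LEN, "big")


def build_key_matrix(m):
    """Phase 1 at the KDS: m*m distinct setup keys with ids (row, column)."""
    keys = set()
    while len(keys) < m * m:  # the set enforces that all setup keys are distinct
        keys.add(secrets.token_bytes(KEY_LEN))
    cells = [(r, c) for r in range(1, m + 1) for c in range(1, m + 1)]
    return dict(zip(cells, keys))


def chain_ids(i, j, m):
    """Key ids of chain kc_{i,j}: row i plus column j, 2m - 1 ids in total."""
    return {(i, c) for c in range(1, m + 1)} | {(r, j) for r in range(1, m + 1)}


class Node:
    def __init__(self, node_id, chain_id, matrix, m):
        self.node_id, self.chain_id = node_id, chain_id
        self.setup = {kid: matrix[kid] for kid in chain_ids(*chain_id, m)}
        self.kds_secret = secrets.token_bytes(KEY_LEN)  # shared with the KDS only
        self.ring = {}  # neighbour ID -> pairwise communication key

    def establish(self, nbr_id, nbr_chain):
        """Phases 2 and 3, driven only by the neighbour's broadcast IDs."""
        (i, j), (l, c) = self.chain_id, nbr_chain
        key_row = self.setup[(i, c)]  # k_{i,m} in the paper's notation
        key_col = self.setup[(l, j)]  # k_{l,j}
        self.ring[nbr_id] = xor(key_row, key_col,
                                id_bytes(self.node_id), id_bytes(nbr_id))

    def erase_setup_keys(self):
        """Phase 4: keep only the pairwise keys and the KDS secret."""
        self.setup.clear()


def deploy(m):
    """Run all four phases; every pair of nodes is treated as neighbours."""
    matrix = build_key_matrix(m)
    chains = [(i, j) for i in range(1, m + 1) for j in range(1, m + 1)]
    secrets.SystemRandom().shuffle(chains)  # random chain-to-node assignment
    nodes = [Node(n + 1, chain, matrix, m) for n, chain in enumerate(chains)]
    for a, b in combinations(nodes, 2):
        a.establish(b.node_id, b.chain_id)
        b.establish(a.node_id, a.chain_id)
    for node in nodes:
        node.erase_setup_keys()
    return nodes


def links_agree(nodes):
    """True if both ends of every link derived the same pairwise key."""
    return all(a.ring[b.node_id] == b.ring[a.node_id]
               for a, b in combinations(nodes, 2))


def compromised_fraction(nodes, captured_ids):
    """Share of links between non-captured nodes whose key is in a captured ring."""
    leaked = {k for n in nodes if n.node_id in captured_ids
              for k in n.ring.values()}
    free = [n for n in nodes if n.node_id not in captured_ids]
    links = [a.ring[b.node_id] for a, b in combinations(free, 2)]
    return sum(k in leaked for k in links) / len(links)


if __name__ == "__main__":
    nodes = deploy(4)  # constructed network: m = 4, 16 nodes
    print("kc_{2,3} and kc_{4,5} share:", chain_ids(2, 3, 5) & chain_ids(4, 5, 5))
    print("all links agree:", links_agree(nodes))
    print("compromised after capturing nodes 1-3:",
          compromised_fraction(nodes, {1, 2, 3}))
```

The capture check compares key values only, after the setup keys have been erased in phase 4.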

Figure 3: Maximum supported network size vs number of keys in sensor’s memory.
[Plot. x-axis: number of keys in each sensor's memory (50 to 200); y-axis: maximum network size (0 to 10000); curves: random key pre-distribution, q-composite (q=2), q-composite (q=3), EPKEM.]

5. CONCLUSION

In this paper, we present a new efficient pairwise key establishment and management scheme (EPKEM) for large scale wireless sensor networks. Compared to the random key based pre-distribution scheme and the enhanced q-composite scheme, our scheme can provide the full network connectivity and the best resiliency, as well as the maximum supported network size for fixed key ring size. Lower computational and communication overhead are also achieved in our proposed scheme.

ACKNOWLEDGEMENT

This work has been supported by the Ohio Board of Regents Doctoral Enhancement Funds.

REFERENCES

[1] D. P. Agrawal and Q-A Zeng, “Introduction to Wireless and Mobile Systems,” Brooks/Cole Publishing, Aug. 2003.
[2] Neha Jain and Dharma P. Agrawal. “Current trends in wireless sensor network design,” International Journal of Distributed Sensor Networks, Vol.1, issue 1, pp.101-122, 2005.
[3] David W. Carman, Peter S. Kruus, and Brian J. Matt. Constraints and approaches for distributed sensor network security. NAI Labs Technical Report #00-010, September 2000.
[4] Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, and J. D. Tygar. SPINS: Security protocols for sensor networks. In Seventh Annual ACM International Conference on Mobile Computing and Networks (MobiCom 2001), July 2001.
[5] Sencun Zhu, Sanjeev Setia, and Sushil Jajodia. LEAP: Efficient security mechanisms for large-scale distributed sensor networks. In ACM CCS 2003, pages 62–72, October 2003.
[6] J. M. Kahn, R. H. Katz, and K. S. J. Pister. Next century challenges: Mobile networking for smart dust. In Proceedings of the 5th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom), pages 483–492, 1999.
[7] C. Karlof and D. Wagner. Secure routing in wireless sensor networks: Attacks and countermeasures. In First IEEE Int’l Workshop on Sensor Network Protocols and Applications, May 2003.
[8] Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communication Magazine, vol. 40, no. 8, pp. 102–116, Aug. 2002.
[9] L. Eschenauer and V. D. Gligor. “A key-management scheme for distributed sensor networks,” In Proceedings of the 9th ACM conference on Computer and communications security, November 2002.
[10] H. Chan, A. Perrig, and D. Song. “Random key pre-distribution schemes for sensor networks,” In IEEE Symposium on Security and Privacy, pages 197–213, Berkeley, California, May 11-14 2003.
[11] R. Blom. “An optimal class of symmetric key generation systems,” Advances in Cryptology: Proceedings of EUROCRYPT 84 (Thomas Beth, Norbert Cot, and Ingemar Ingemarsson, eds.), Lecture Notes in Computer Science, Springer-Verlag, 209:335–338, 1985.
[12] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, “A pairwise key predistribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), Washington, DC, USA, October 27-31 2003, pp. 42–51.
[13] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung. “Perfectly-secure key distribution for dynamic conferences,” Lecture Notes in Computer Science, 740:471–486, 1993.
[14] Donggang Liu and Peng Ning, “Location-Based Pairwise Key Establishments for Relatively Static Sensor Networks,” 2003 ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN’03), October 31, 2003, George W. Johnson Center at George Mason University, Fairfax, VA, USA.