EDDK: Energy-Efﬁcient Distributed Deterministic Key Management for Wireless Sensor Networks

. Energy e ﬃ ciency is an essential requirement for wireless sensor networks while security must also be ensured for mission-critical applications. In this paper, we present an energy-e ﬃ cient distributed deterministic key management scheme (EDDK) for resource-constrained wireless sensor networks. EDDK mainly focuses on the establishment and maintenance of the pairwise keys as well as the local cluster keys and can ﬁx some ﬂaws in some existing key management schemes. Not only can the neighbor table constructed during key establishment provide the security for key maintenance and data transfer, but it can also be used to e ﬀ ectively manage the storage and update of the keys. By using the elliptic curve digital signature algorithm in EDDK, both new and mobile sensor nodes can join or rejoin a sensor network securely. Unlike some centralized and location-based key management schemes, EDDK does not depend on such infrastructure as base stations and robots and thus has a high level of ﬂexibility. Experiments and analyses show that EDDK has a very low overhead in terms of computation, communication, and storage.


Introduction
A wireless sensor network (WSN) is a promising network infrastructure for many applications such as environmental monitoring, medical care, and home appliance management. It is also useful for battlefield surveillance and homeland security because WSNs can be easily deployed for those applications. However, in many hostile and tactical scenarios as well as critical commercial applications, security mechanisms are required to protect WSNs from malicious attacks. Therefore, the security of WSNs has become an important issue and a challenging design task [1]. Furthermore, security mechanisms based on cryptography would make key management a central issue to ensure the security of network services and applications in WSNs.
Many key management schemes have been proposed for WSNs over the past few years [1,2]. From the standpoint of network structure, key management schemes can be centralized or distributed. From the standpoint of key sharing between neighboring nodes, key management schemes can be probabilistic or deterministic. For centralized key management schemes, network scalability is poor and communication overhead is high. Probabilistic schemes cannot guarantee that two neighboring nodes could successfully establish a shared key according to the underlying random graph theory. It will not be desirable if some sensor nodes cannot establish shared keys with their neighbors and are thus isolated. In addition, in probabilistic schemes, the impact of node compromise and the lack of authentication are serious issues because of the reuse of the same keys by more than one node. Deterministic schemes can solve some problems that probabilistic schemes have. But the addition of new nodes is still an issue in such schemes because the confidentiality and authenticity of new pairwise keys cannot be fully realized [3][4][5]. Even in the scheme in [6], the normal node's motion will be regarded as the injection of the replicas of compromised nodes. An adversary can thus cause a network to collapse by merely changing the nodes' locations in the network. Consequently, the scheme in [6] is susceptible to the so-called node location changing attack.
Due to limited battery life of sensor nodes, any security mechanisms for WSNs must be energy efficient. Specifically, the number of message transmission and the amount of computation must be kept as low as possible. Meanwhile, the 2 EURASIP Journal on Wireless Communications and Networking size of a sensor network should not be constrained by the available storage and energy resource in each node.
In this paper, we propose a distributed deterministic key management scheme for WSNs in which the pairwise keys and the local cluster keys are set up through the broadcast information during the network initialization phase and no further message exchange is needed afterwards. Consequently, the communication overhead is very low. Furthermore, pairwise keys are also totally decentralized. Therefore, the compromise of some sensor nodes will not affect any other noncompromised pairwise keys. For the establishment of keys for new nodes and mobile nodes, we propose a composite mechanism based on the elliptic curve digital signature algorithm (ECDSA) in which resource consumption can also be kept very low.
The rest of this paper is organized as follows. In Sections 2 and 3, we discuss some related work and analyze some present deterministic key schemes. In Section 4, we present our energy-efficient distributed deterministic key management scheme (EDDK), and in Sections 5 and 6, we analyze the security and performance of EDDK. Finally, we conclude this paper in Section 7.

Centralized versus Distributed Key Management Schemes.
LKHW is a centralized key management scheme for WSNs based on the Logical Key Hierarchy (LKH) [7]. In the scheme, the base station is treated as a key distribution center (KDC) and all keys are logically distributed through a tree rooted at the base station. In such a centralized scheme, besides poor network scalability and high communication overhead, the base station that knows all pairwise keys can be a single point of failure for network security. In distributed key management schemes, different key controllers are used to lower security risk and to allow for better network scalability [2]. Consequently, a majority of the key management schemes proposed so far are distributed ones that also fall into the deterministic and probabilistic categories which we discuss in the following subsection.

Probabilistic versus Deterministic Key Management
Schemes. Eschenauer and Gligor proposed a basic probabilistic key predistribution scheme [8]. In the scheme, each sensor is assigned a random subset of keys from a key pool before the network is deployed so that any two sensor nodes will have a certain probability of sharing at least one key. Chan et al. improved the above scheme and proposed the q-composite key predistribution scheme [9]. In the scheme, any two sensor nodes are required to share at least q predistributed keys as the basis for the establishment of a pairwise key between the two nodes. Liu and Ning proposed a framework in which pairwise keys are predistributed by using bivariate polynomials [10]. Du et al. proposed a similar pairwise key predistribution scheme [11] that uses Blom's method [12]. The main difference between the schemes in [10,11] is that the former is based on a set of bivariate tdegree polynomials while the latter is based on the Blom's method. Two representative deterministic key management schemes, that is, the LEAP protocol [3,4], and the OMTK protocol [5], will be analyzed in the next section. In addition, Lai et al. proposed the BROadcast Session Key (BROSK) negotiation protocol [13]. Lee and Stinson proposed two deterministic schemes based on combinatorial design theory: the ID-based one-way function scheme (IOS) and the deterministic multiple space Blom's scheme (DMBS) [14]. They also discussed the use of combinatorial set systems in the design of deterministic key predistribution schemes for WSNs [15].
A comparison of the properties of the EDDK scheme with some existing key establishment schemes such as the Random Key Pre-distribution (RKP) schemes [8][9][10][11], the LEAP protocol [3,4] and the OMTK scheme [5] is provided in Table 1. We can thus see that the RKP and the OTMK schemes do not support the establishment of local cluster keys while the LEAP and the OTMK schemes do not adapt well to node mobility.

Public Key Cryptography in WSNs.
Prior studies have shown that it is feasible to apply public key cryptography to sensor networks by choosing proper algorithms with reasonable parameters and by using optimization and lowpower techniques [16][17][18]. Gura et al. evaluated the assembly language implementations of Elliptic Curve Cryptography (ECC) and RSA on the Atmel ATmega128 processor [16] and showed that a 160-bit point multiplication of ECC only needs 0.81 seconds while a 1024-bit RSA public key operation and private key operation only need 0.43 seconds and 10.99 seconds, respectively. Du et al. developed a public key authentication scheme based on a symmetric key technique called the Merkle tree [19]. Zhang et al. proposed the notion of location-based keys by binding private keys of individual nodes to their IDs as well as locations [20].
In the method proposed by Zhou et al. [6], although ECC can be used together with timestamp to prevent an adversary from impersonating legitimate new nodes with compromised ones, the shortcomings of the method are equally obvious. Not only does the method incur communication overhead required for time synchronization, but it also limits the mobility of network nodes. This is because as soon as a legitimate node leaves its original location, it will be regarded as a malicious node [6]. As the result, the mobile node cannot establish shared keys with its new neighbors and will consequently be excluded from the network. Therefore, the access control protocol is susceptible to the so-called node location changing attack.

Analysis of Deterministic Key Schemes
In the LEAP protocol, a deterministic key sharing scheme based on symmetric key cryptography [3], the pairwise key establishment process between the neighboring nodes can be described as follows: For node u, the ACK from a neighboring node v is authenticated using the individual key K v of node v derived through K v = f (K IN , ID v ). Since it knows K IN , node u can derive K v and use it to verify the identity of node v. Node u can then compute a pairwise key K uv with node v through Node v can also compute K uv in the same way. K uv can then serve as the pairwise key for nodes u and v.
In the above scheme, since the same formula is always used in computing the pairwise key, should an adversary get K IN by capturing a sensor node with hardware faults, all pairwise keys in the network could be easily computed. Moreover, since the first step of the aforementioned process is not authenticated, an adversary can inject fake hello messages to launch a resource exhausting attack. The problem still remains in the improved version of the LEAP protocol, that is, the journal version LEAP+ [4].
The OTMK scheme [5] made some improvement over the LEAP protocol. When node u tries to set up pairwise keys with its neighbor nodes, it would broadcast the following message: where nonce u is a random number. If nodes u and v receive the JOIN request messages from each other, they will generate a pairwise key by using the following formula: when ID u < ID v . If ID u > ID v , they will generate a pairwise key by using the following formula: The above procedure still has some drawbacks, however. First, since all the nodes use the preconfigured master key M (M is similar to K IN in the LEAP protocol) to encrypt the JOIN messages, if M is compromised through cryptanalysis, an adversary can easily deploy some malicious nodes into the network because function f is generally known. Moreover, the adversary can compute a large number of pairwise keys by eavesdropping on nonce and ID in the JOIN messages broadcast by other nodes so that it can overhear, forge, and alter network messages later.
The OTMK scheme uses the following protocol to allow new nodes to join an existing network [5]: Since the first step above does not authenticate new node u, the protocol is vulnerable to denial of service (DoS) attacks. Let us consider the case in which a malicious node impersonates on a legitimate node u and broadcasts a JOIN message. A legitimate node v would then finish the second step. However, the malicious node may never execute the third step. By broadcasting many different spoof messages, the malicious node can incur a large amount of computation, communication, and storage overhead for node v. In addition, if an old node does not work properly after deployment due to many possible problems, an adversary can get the preloaded master key by compromising the node. The adversary can then deduce the individual keys (e.g., K v and y i ) of all the old nodes and subsequently deploy some malicious nodes into the network. Since it has already obtained the master key, the adversary can get pairwise keys between the new and the old nodes by performing the third step in the above protocol.
We can see from the above analysis that not only is the new node joining protocol in the OTMK scheme susceptible to DoS attacks, but it is also possible for an adversary to freely deploy malicious nodes into the network and to obtain pairwise keys between the new and the old nodes.
In order to mitigate the compromise of the master key during the key setup phase, the OTMK scheme applies a mechanism that follows the same principle as that in the μTESLA protocol [21]. That is, it employs a one-way hash chain as the master key during each time period to authenticate new nodes.
The drawback of this mechanism is also obvious because it makes the protocol more complex while less secure. As long as an adversary can eavesdrop on all pairwise key setup procedures in time slot j and records E Kv (K u,v ), the adversary can compute all pairwise keys in time slot j after H j is received. Moreover, for the delayed authentication, the adversary can send a large number of joining messages to v by impersonating on u. As the result, v could store an excessive amount of messages that need to be authenticated in the third step, leading to a DoS attack.

EDDK: Energy-Efficient Distributed Deterministic Key Management Scheme
To fix the flaws present in the aforementioned key management schemes, we propose a distributed deterministic key management scheme (EDDK) for WSNs based on some of our earlier research [22][23][24]. EDDK mainly focuses on the establishment and maintenance of the pairwise keys as well as the local cluster keys. Unlike centralized and locationbased key management schemes, EDDK does not depend 4 EURASIP Journal on Wireless Communications and Networking on such infrastructure as base stations (BSs) and robots. Consequently, there is not any single node that shares a master key with the BS, which makes the scheme highly flexible. Therefore, EDDK can meet the requirement that there is only one resource-limited sink node in a large WSN. For the establishment and authentication of a global broadcast key, please refer to the μTESLA protocol [21].
To enhance message security in the network initialization phase, instead of using the individual key directly, each sensor node can derive a separate encryption key and a MAC key from the individual key [21]. This method can also be applied to enhance security in data transmission as well as in key update. For ease of illustration, in the following discussion, we simply use the same key to both encrypt and authenticate a message although two different keys can be used.

Notation.
For the purpose of clarity, we first list and explain the symbols that will be used in our description.
(i) f and K I are the networkwide shared pseudorandom function and the initial key, respectively, that are predistributed to every node before deployment.
(ii) K a is node A's individual key and is computed by using formula (7) below; K ab is the pairwise key that is shared by two neighboring nodes A and B and is periodically updated by them.
(iii) K Ba is node A's local cluster key that is shared by node A with all its neighbors and is periodically updated by node A. This local cluster key is used to secure all local broadcast messages of a node, for example, routing control message forwarded.
(iv) P and s denote the public key and the private key of a node, respectively. The public key P T of a trusted authority TA is predistributed to every node before deployment. But the private key s T is not stored in the WSNs. Therefore, adversaries cannot get s T by attacking TA directly.
(v) ID S and ID R are the identifiers of the sender and the receiver, respectively.
(vi) SN denotes the sequence number of a data message, that is, generally shared by two communicating nodes to fight against replay attacks and to ensure the freshness of data.

Key Establishment
Phase. Before deployment, every sensor node is predistributed with a networkwide shared pseudorandom function f [25] and an initial key K I to combat attacks in the network initialization phase. Through the pseudorandom function f and the initial key K I , every node in the network can compute its individual key. For example, node E's individual key can be computed as follows: After deployment, every sensor node will broadcast a network joining message to determine the neighboring relationships in the network. To prevent two or more nodes from attempting to transmit at the same time in the network initialization phase, every node would implement a binary exponential backoff algorithm to avoid collisions before broadcasting its joining message. In addition, to prevent an adversary from getting all the pairwise keys after obtaining K I as it could in the LEAP protocol, any pairwise key that is computed through using the pseudorandom function should be updated in time.
As illustrated in Figure 1(a), we use nodes E and G to explain the pairwise key setup procedure: In the above equations, join denotes the message type and || is the concatenation operator. Using (7), every receiving node can compute the sender's individual key (e.g., K e and K g ). After verifying the correctness of the joining message, according to (9), the neighboring nodes can get the same pairwise key (e.g., K eg ). SN e and SN g are the random numbers generated by the senders that are mainly used to make the pairwise key between the neighboring nodes completely decentralized. In (8), authentication of the sender can counter resource exhaustion attacks. As long as the ID of a node is in the neighbor table, all repeated join messages will be discarded.
Our experiments show that the key establishment time is less than 10 s for a network of up to 20 neighbors. Deng et al. [5] showed that an attacker who has the experience and tools needs to spend at least tens of seconds or minutes to obtain the data of a Mica2 mote after a node is captured. Therefore, we set the key establishment timer for 10 s so that an adversary cannot impersonate a legitimate node in the key establishment phase through obtaining the initial key and the pseudorandom function. This is because when the timer runs out, key establishment will stop even under the situation in which some nodes have not established pairwise keys with some of their neighbors.
After the key establishment timer reaches its preset threshold value, a node will delete all the individual keys of its neighbors (e.g., K e and K g ), the random numbers (e.g., SN e and SN g ), the pseudorandom function f and the initial key K I to improve security as well as to save storage space in the node. Therefore, even if an adversary could compromise some legitimate nodes, it still could not compute the pairwise keys and the local cluster keys of noncompromised nodes.
Note that the neighboring nodes do not have to acknowledge the setup of the pairwise keys because the measures taken later in the key maintenance phase will help the EURASIP Journal on Wireless Communications and Networking  neighbors that failed to set up the pairwise keys successfully finish the task.
Note also that each sensor node only needs to broadcast one network joining message during the key establishment phase with no further message exchange required. Moreover, the network joining message may be the route request message. The pairwise key and the local cluster key can be established at the same time when a node forwards a route request message. Thus, the communication overhead can be very low.

Data Transfer
Phase. In EDDK, we use a neighbor table to maintain the keys and the sequence numbers as shown in Table 2. The Sequence Number and the Key Lifetime fields are combined into one to save memory space in the node. For ease of use, we initialize both the pairwise sequence number and the local broadcast sequence number to be (7) The sequence number would be incremented after each message is sent out. When the sequence number reaches the predefined threshold, key update will be performed. After the key is updated, the sequence number will be reset to 1 again. The use of the neighbor table can help ensure the security of data transfer.
In EDDK, every message always gets authenticated while encryption is optional. Message confidentiality becomes necessary only when some information needs to be kept secret. For example, in an intrusion detection system, the actual content of an alarm message could be empty.
Receiving an alarm message indicates an intrusion. Thus, encryption is not necessary but only leading to increase in latency, computation overhead, and power consumption. Meanwhile, authentication helps to ensure that authorized nodes will not accept invalid messages injected by an adversary. Consequently, adversaries can hardly forge false alarms.
(i) Authentication mode only: Local Broadcast: In the above process, K is the pairwise key that is shared by the sender and the receiver, and K B is the local cluster key of the sender. SN is the pairwise sequence number while SN B is the local broadcast sequence number. Since the sequence numbers are used to ensure the freshness of a message and to counter replay attacks, it is not necessary to keep them secret. It is obvious that the local broadcast does not need the acknowledgment message, so it is omitted in (11).
(ii) Encryption and authentication mode: Local Broadcast: To save energy, a sensor node may employ early rejection in which it would turn off its radio after determining that a message is false or malicious. Upon the receipt of a message, a receiver would first examine if the sender of the message is in its neighbor table and if the SN is the same as that in its neighbor table; it would then compute the message authentication code and compare the result with the received MAC; it would finally decrypt the message only when all 6 EURASIP Journal on Wireless Communications and Networking the previous steps have completed successfully. Hence, the use of the neighbor table not only improves the security of data transfer but also helps to reduce computation and communication overhead in the node.

Key Maintenance Phase.
The security strength on the information transmitted in the network relies primarily on the protection of the keys that are used for encryption. Should an attacker get the keys, the security system would fail because the attacker can use the keys to decrypt intercepted cipher texts to get the original plaintexts or to fake network data to deceive legitimate nodes. The attacker could achieve the above goal through the means of cryptanalysis on eavesdropped messages that are transmitted over the wireless media or by compromising some sensor nodes in the network. Therefore, the sender and the receiver must update the keys used between them periodically. When a compromised node is identified, the keys that it uses must also be revoked immediately. Moreover, key management system must quickly respond to network changes to perform functions such as key establishment and maintenance of new nodes and mobile nodes.

Key Update.
To defend against cryptanalysis and to prevent adversaries from decrypting all previous messages after one or more sensor node are compromised, all keys must be updated periodically. When the lifetime of a pairwise key (i.e., the SN) is reached, two neighboring nodes need to perform the update of the neighbor table. The node whose ID is smaller would invoke the update procedure shown in (14) and the neighbor table will be updated as the result. Similarly, when the lifetime of the local cluster key of a node (i.e., the SN B ) reaches the preset value, the node will broadcast the cluster key update message.
where pairwise-key denotes the message type and K and K are the old and the new pairwise keys, respectively.
(ii) Local cluster key update where cluster-key denotes the message type and K B and K B are the old and the new local cluster keys, respectively. The above key update procedures can counter replay, forgery and tampering attacks. Thus, the keys can be updated both securely and timely.

Compromised Key Revocation.
When one or more sensor nodes are compromised and can thus become insider attackers, measures must be taken to segregate them from the network so that they cannot eavesdrop on the information transmitted in the network and launch active attacks towards the network. We assume here that the intrusion detection system used in the network can discover compromised nodes and then inform the key management scheme to take actions to isolate these nodes. First, the neighbors of the compromised nodes should revoke the pairwise keys shared with the compromised nodes. Second, the local cluster key K B must be updated. Here, we use the pairwise keys possessed by noncompromised nodes to encrypt the update messages: As long as the noncompromised nodes are still connected, the local cluster key K B can be successfully updated.

New Node Joining.
To solve the problems present in the schemes in [3][4][5], we use the Elliptic Curve Digital Signature Algorithm (ECDSA) [26] to authenticate a new node without any negative impact on energy efficiency. In Figure 1(b), let us assume that B is the existing node and N and W are new joining nodes. When a new node tries to set up the pairwise keys with its neighbors, it broadcasts a joining message: N −→ * : new-join || ID n || P n || T n || SN n || C n || c n , Let us now use node N as an example to explain the fields in (17), new-join indicates that this is a new node joining message. P n is the public key of node N. T n is the timestamp at which the node should join the network. Node N will be treated as a new node when current time t < T n . SN n is the random number generated by node N that will be used to compute the pairwise key between two new nodes. The signature C n , c n is calculated by the trusted authority TA based on the ECDSA algorithm [26]. The calculating process is shown as follows: where r n is a random number, G is the generator in the cyclic group of points over the elliptic curve and has an order n of at least 160 bits, H is a hash function that can translate a binary sequence into an integer, and s T is the private key of the TA. The receiving nodes, both W and B, will each perform the following calculation: EURASIP Journal on Wireless Communications and Networking 7 where P T = s T G = (x pT , y pT ) and P n = s n G = (x pn , y pn ). If V n = C n , then N's neighbors can be assured that N is a legitimate node and the verification process is illustrated below: Following the same procedure, the receivers can also verify the identity of the new node W after hearing the broadcast joining messages from it. The pairwise key negotiation would fall into one of the following two scenarios: between two new nodes or between a new node and an existing node.
New nodes are preloaded with the pseudorandom function f and a new initial key K I . The pairwise key negotiation between two new nodes is performed using (9) in which K n = f (K I , ID n ) and K w = f (K I , ID w ). Consequently, new nodes N and W can establish a pairwise key without having to send out any more messages and K nw = f (K n ⊕ K w , SN n ⊕ SN w ).
Let us now use nodes N and B to illustrate pairwise key negotiation between a new node and an existing one. After authenticating the identity of the new node N, the existing node B would broadcast a response message with the signature C b , c b of the TA: According to the Diffie-Hellman algorithm [27] over the elliptic curve discrete logarithm problem (ECDLP), nodes N and B could independently calculate the pairwise key using their own private keys and the other's public key as follows: The results will be identical because s n P b = s n s b G = s b s n G = s b P n .
No further message exchanges are necessary during pairwise key setup beyond broadcasting the identity message by the new node N. Therefore, the communication overhead is low in the new node joining process.
Although the public-key algorithm is computationally more expensive, it is easier to manage and more resilient to node compromise than secret key algorithms. To achieve the same level of security, a smaller key size in ECC (elliptic curve cryptography) can be used, which offers the advantages of faster computation as well as savings in memory, energy, and bandwidth. Thus, ECC is more suitable for resourceconstrained sensor nodes.

Mobile Node
Joining. We assume that a sensor node can sense its own movement. If a sensor node moves to a new location, it will establish pairwise keys with its new neighbors following the aforementioned public-key-based node joining procedure, and its old neighbors will also revoke the pairwise keys with it.
In Figure 1(b), let us suppose that B is the existing node, N and W are new joining nodes, and A and D are mobile nodes. After nodes A and D move to a new location, each will broadcast a network joining message independently as shown below: A −→ * : rejoin || ID a || P a || T a || C a || c a , where rejoin shows that this is a mobile node joining message. Since current time t is newer than both timestamps T a and T d , nodes A and D will be regarded as mobile nodes. After correctly verifying each other's joining message, the pairwise key computation procedure between two mobile nodes is the same as that in (22), that is, K ad = s a P d = s d P a . Similarly, according to (21), (22), and (23), the pairwise key between mobile node A and the existing node B is K ab = s a P b = s b P a and, according to (17), (22), and (23), the pairwise key between mobile node A and the new node N is K an = s a P n = s n P a . In fact, only the pairwise key between a mobile node and an existing node would normally need to be computed.
The mobile nodes could be normal nodes whose locations have changed due to some reasons. However, it is also possible that the mobile nodes are the replicas of some compromised nodes that are placed in the network by adversaries. Hence, the intrusion detection system in a sensor network should focus on monitoring the mobile nodes whose locations have changed. When the behavior of a mobile node matches an attack profile or deviates from a normal profile, the mobile node should be labeled as a malicious node.
In order to counter Sybil attacks and the node replication attacks, we limit the number of neighbors for any node, that is, the number of entries in the neighbor table, by using a threshold. When the number of neighbors of a node reaches the threshold value, no new neighbors can be added into the neighbor table. Thus, an affected new mobile node can not establish pairwise keys with its new neighbors and, as the result, could not communicate with them. This measure can help prevent replicas of compromised nodes from joining the network as mobile nodes.
In the above joining scenarios, after the pairwise key is established, the existing node needs to unicast its local cluster key to its new neighbors to complete the key establishment process.

Security Analysis
We first compare the security of EDDK with some related schemes and then analyze EDDK in terms of preventing both general and special attacks to WSNs.

Security Comparison with Related Schemes.
In the LEAP+ protocol [4], when the timer expires after T min , each node will erase the initial key K IN and all the master keys of its neighbors. However, even with tamper-proof hardware, damaged or disabled nodes may still have the initial key in the flash memory. Therefore, should an adversary physically capture such a node and obtain the initial key, all the pairwise keys in the network could be easily computed. From (8) and (9), we can see that all pairwise keys in EDDK are decentralized and cannot be inferred uniformly based on any centralized rule. Even if the adversary could know the pseudorandom function f and the initial key K I , it would not be able to get noncompromised pairwise keys since the random number SN generated by each node in (9) is different.
The new node joining protocol in the OMTK scheme [5] not only is susceptible to DoS attacks but also makes it possible for an adversary to inject malicious nodes into the network and to obtain pairwise keys between new and existing nodes. The additional mechanism that uses a oneway hash chain as the master key during each time period to authenticate new nodes only makes the protocol more complex while less secure. To solve the above problems, we employ ECDSA to authenticate the identity of any node. Even if an adversary could compromise a node, it would not get any information about noncompromised nodes.

Preventing General Attacks on WSNs. General attacks to
WSNs mainly include eavesdropping, faking, altering, and replaying network messages as well as launching DoS attacks towards the normal nodes.
In both the network initialization phase and the network maintenance phase, we use the node's individual key, the pairwise key, or the local cluster key to encrypt and authenticate network messages. Therefore, adversaries who do not know these keys cannot obtain, fake, or tamper with the contents of network messages.
Due to the use of the neighbor table, adversaries can hardly launch replay attacks. For the node joining messages, if a node exists in the neighbor table, any duplicate joining messages claimed to be from it will be discarded by the receiving node. For the data messages, by using the sequence number field in the neighbor table, any duplicate data messages will also be discarded by the receiver.
Based on (8), (10)- (17), (21), and (23), key establishment messages, node sensing messages, and key maintenance messages can be authenticated. Furthermore, key establishment messages and new and mobile node joining messages are not necessarily fed back. Thus, EDDK can effectively counter DoS attacks.

Preventing Specific Attacks to WSNs. Specific attacks
to WSNs mainly include rushing attacks, Sybil attacks, node replication attacks, hello flooding attacks, acknowledge spoofing attacks, and selective forwarding attacks, to name a few [1,28].
Every node needs to broadcast a "hello" message periodically to advertise itself. The sequence numbers and the pairwise keys stored in the neighbor table can help to authenticate the "hello" messages and the acknowledgment messages. As the result, an adversary who does not know the shared information cannot flood a large number of "hello" messages and forge acknowledgment messages.
To counter selective forwarding attacks, we adopt a measure similar to that used in [29] in which each sensor node can work under a promiscuous mode so that it can overhear data transmission among its neighboring nodes. If a neighbor of a suspected node detects that the number of messages that the suspected node fails to forward exceed a threshold, the neighbor can collaborate with other neighbors to make a decision about the suspected node. In addition, multipath routing can also help to deal with the selective forwarding problem.
Because we allow mobile nodes to rejoin the network, the replicas of compromised nodes may affect EDDK. By limiting the number of neighbors for any node and by authenticating all messages using the sequence numbers and the pairwise keys, we can prevent an intruder from launching Sybil attacks, rushing attacks, and node replication attacks to some extent. Moreover, we can use multiple paths to the sink node to counter such attacks. In a sensor network where nodes are mostly stationary, the intrusion detection system can focus on monitoring mobile nodes whose locations have just changed. If the behavior of a mobile node matches an attack profile or deviates from a normal profile, the node will be regarded as a malicious node.

Performance Evaluation
In the probabilistic key sharing schemes, if two nodes have to rely on a third node to help them establish a pairwise key, a large amount of computation (e.g., encryption and decryption) and communication will be required due to the fact that threshold cryptography-based schemes usually involve expensive operations such as modular multiplications. In contrast, in EDDK, every node can establish a pairwise key with each of its neighbors and thus does not need any additional help in pairwise key establishment.
We have used MATLAB 7.9.0 (R2009b) to perform the simulation to evaluate the EDDK scheme and to compare it with some other similar schemes. We have also implemented EDDK in the Crossbow's IRIS sensor nodes. We have chosen RC5 (with 12 rounds) as the block cipher to implement the encryption/decryption algorithm and to generate CBC-MAC. We have also used MAC with RC5 to provide the pseudo random function that is used to derive the individual keys as well as the pairwise keys.
We have evaluated the EDDK scheme in terms of computation overhead, communication overhead, and storage overhead.

Computation Overhead.
In the network initialization phase, the computation overhead for each node includes the encryption and authentication of the local broadcast message, the verification and decryption of the received messages from neighbors, and the computation of the pseudorandom function in (8) and (9). Using an IRIS node with the XMTS300CB sensor board running the TinyOS system and a default message size of 36 bytes, we count the time cost resulting from these operations for a local broadcast message for 20 times. As shown in Figure 2, these operations do not incur too much computation overhead.
Although the ECC algorithm is adopted in the node mobility scenario, for achieving the same level of security, a smaller key size in ECC can offer faster computational efficiency, especially in assembly language implementations, which only require 0.81 s for completing a 160-bit point Computation overhead (ms/packet) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Times of computation multiplication of ECC [16]. Node authentication needs two point multiplication operations according to (19), whereas pairwise key setup needs only one point multiplication operation according to (22) in the node mobility scenario.

Communication Overhead.
A comparison of the communication overhead among the EDDK, LEAP, and OTMK schemes in the network initialization phase is shown in Figure 3 in which m denotes the average number of neighbors for a node. In the LEAP scheme and the OTMK Basic scheme I, it requires that each node unicast a reply message to the node that initially broadcast the joining message, resulting in more messages to be sent and received by the nodes in addition to incurring additional energy consumption and delaying key setup. However, in the pairwise key setup procedure of the EDDK scheme and the OTMK Simplified scheme I, each node only needs to broadcast a network joining message without requiring any reply message. So, from Figure 3, we can see that the communication overhead for each node is very low in the latter two schemes. A comparison of communication overhead among EDDK, LEAP, and OTMK schemes in the new node joining phase is shown in Figure 4 in which n denotes the number of new nodes that simultaneously appear in the neighboring area. In the LEAP and the OTMK schemes, it requires that each existing node unicast a feedback message to the new neighbor node for the authentication of the identities of each other, resulting in additional energy consumption and key establishment delay. In addition, these two schemes failed to consider the situation in which few new nodes simultaneously appear in the neighborhood. Therefore, their communication overhead is greater than that of EDDK.
According to (8), (10)- (17), (21), and (23) in the EDDK scheme, messages sent by every node can be authenticated while the schemes in [3][4][5] cannot. Should a message not be authenticated by the recipient, an adversary could freely inject malicious messages into the network. Moreover, the recipient has to feed reply messages into the network and wait for further messages in order to authenticate the sender. Consequently, the communication overhead in EDDK is much lower than that in the other schemes. Moreover, communication overhead is generally considered to be much worse, and therefore less desirable, than computation overhead due to higher energy consumption.

Storage Overhead.
In the EDDK scheme, each node needs to store the pairwise keys and the local cluster keys related to its neighbors. Since in the mobility scenario, we employ the ECC-based public key mechanism to verify the identities of the nodes and to establish pairwise keys, each node still needs to store its own private and public keys, the TA's signature for it and the TA's public key. In our current research, since we use 160-bit ECC as the underlying cryptographic foundation, the key materials related to the public key need 160-byte storage space. The LEAP, and the OTMK schemes do not adopt the public key mechanism, however. In addition to the pairwise keys and the local cluster keys, in the LEAP protocol, each node still needs to store its own individual key that is used for computing the pairwise keys and at most M initial keys: K 1 IN , K 2 IN , . . . , K M IN that are used for deriving the individual key in different node addition scenarios. The OTMK scheme does not support the establishment of a local cluster key. In our comparison with these schemes, we assume that, in the OTMK scheme, a node already has the local cluster key. Moreover, to allow new normal nodes to join an existing network, in OMTK, a node has to generate i verifiers that contain random numbers r i and y i . A comparison of storage overhead for a node among EDDK, LEAP and OTMK schemes is shown in Figure 5 in which we can see that although EDDK has adopted the public key mechanism ECC, the storage overhead for a node in EDDK is no more than that in the LEAP and the OTMK schemes.
We can thus conclude that the EDDK scheme is more advantageous in computation, communication, and storage and is thus more suitable for resource-constrained wireless sensor networks.

Conclusions
In this paper, we proposed an energy-efficient distributed deterministic key management scheme (EDDK) in which pairwise keys and local cluster keys of sensor nodes can be established and maintained securely. Furthermore, pairwise keys are totally decentralized. Hence, the compromise of any sensor node will not affect any other noncompromised pairwise keys. By broadcasting only one identity authentication message, a node can set up a pairwise key with a neighboring node both in the network initialization phase and in the node mobility scenario. Therefore, the communication overhead is very low. In addition, not only can the neighbor table mechanism used in EDDK ensure security for key management and data transmission, but it can also help nodes effectively store and update keys. The use of the elliptic curve digital signature algorithm in EDDK provides the support for the establishment of pairwise keys and local cluster keys under the node mobility scenario. Simulation and analysis has shown that EDDK is more advantageous in computation, communication, and storage than other similar schemes.