Impersonating-Resilient Dynamic Key Management for Large-Scale Wireless Sensor Networks

Key management in large-scale ubiquitous sensor networks is challenging because the wireless, battery-powered sensors have limited capabilities. Moreover, an attacker who physically captures even a few nodes undermines the security of the entire network by impersonating those nodes and injecting false data without detection. To protect efficiently against such impersonation by node capture, we propose a new dynamic key management framework for large-scale clustered sensor networks. In the framework, separate keying mechanisms secure in-cluster, intercluster, and individual communication by refreshing keys on demand, while adaptively handling node addition and capture. Theoretical analysis and simulation results show that the proposed framework provides higher connectivity and stronger resiliency against impersonation than existing schemes, at a better trade-off with resource overheads.


Introduction
Wireless sensor networks (WSNs), made up of wireless, battery-powered sensors, have attracted attention in ubiquitous networking because such sensors are cheap and easy to install. In particular, for unmanned monitoring, these networks are often deployed in unattended and adversarial environments [1]. Providing security against attacks therefore becomes a key issue, and such attacks are more likely in WSNs because of the sensors' limited communication, computation, and storage capabilities. Among the varied attacks introduced in [2], we particularly target impersonation by physical node capture: such an attack lets an attacker compromise all the secrets of the captured nodes, including their cryptographic keys, and spread malicious data over the entire network while impersonating the captured nodes with the obtained keys. Thus, as several studies [2-5] have already noted, any proposed security strategy should be highly resource-efficient as well as provide the basic security requirements: confidentiality, protection of the content of a packet; authentication, corroboration of the source of a packet; and integrity, ensuring that the content of a packet is unchanged during transmission.
To achieve all of them, many security schemes have been proposed based on symmetric or asymmetric cryptography. Simply put, the difference between them is whether the same key is used both by the sender for encryption and by its receiver for decryption [4,6]. Although asymmetric schemes generally provide stronger authentication [2,4], symmetric key algorithms have been preferred in WSNs for their low complexity [5,7,8]. For instance, a typical sensor such as the Tmote has 10 kB of RAM, 48 kB of program flash, 1 MB of external flash storage, and a 250 kbps radio, which is insufficient for traditional asymmetric cryptography [9].
In this paper, we propose a new symmetric key-based security framework for efficiently securing communication in WSNs. To suggest an efficient data aggregation model for large-scale WSNs, we first assume that a WSN consists of a single, very powerful base station (BS) and a number of clusters of regular sensors, as in [10,11]. Accordingly, as in Figure 1, our framework supports three different communication patterns, each invoked by one of three types of keys: a static individual key shared with BS; a one-time in-cluster key shared within a cluster; and a static intercluster key between two neighbouring nodes across different clusters. We demonstrate how the keying mechanisms for these keys cope with impersonation by node capture in the following organisation. Section 2 states our assumptions and introduces the proposed security framework for the cluster-based WSNs of our interest. In Section 3, after designing the impersonation attack model, we give a theoretical analysis of our framework on several performance metrics. Section 4 compares the performance of ours with that of selected conventional key schemes. Finally, we conclude the paper in Section 5.

Our Proposed Security Framework
Our framework provides multiple keying mechanisms to support the three communication patterns while giving confidentiality, authentication, and integrity. We first give several assumptions regarding the WSNs of our interest; present the keying schemes that establish and manage the individual, in-cluster, and intercluster keys, together with secure transmission using those keys; and discuss how node addition and eviction are handled.

Network and Security Assumptions.
In this paper, a WSN consists of a single BS and a number of static wireless sensors deployed as in [12]. Every time a helicopter stops at a different deployment point, it scatters a sensor subset, called a cluster. Within a cluster, every node knows all of its cluster members' IDs and interacts with the others directly or indirectly in a hop-by-hop manner. One of them is safely announced to the other members as the cluster head, a local controller. When a node joins a cluster after the initial deployment, BS informs the head of the node's ID, and the head lets all the members know the ID before the node is actually placed. Since no sensor knows its immediate neighbours in advance, it attempts to find its neighbours and establish the required keys shortly after its deployment. This keying phase is assumed to be fairly well protected. However, once an attacker captures a node, it obtains all of the node's cryptographic information. We also assume that the most feasible path from a source to its destination is selected, and notified to all the on-path nodes, by the cluster-based backpressure routing algorithm of [13].
We describe our security framework using the following notation, which appears in the rest of this discussion.
(i)  is the number of nodes in a WSN.
(ii)   is the number of clusters in a WSN.
(iii)   is the average size of a cluster.
(iv)   is the average number of a node's neighbours.
(v)   is the average number of border nodes, which relay messages to the outside of its cluster, in a cluster.
(vi)  and  are principals for clusters.
(vii)  and V are principals for sensor nodes.
Key Predistribution.
To assign a unique individual key to each node, BS first builds a symmetric key matrix of   ×  , in which the entries (, ) and (, ) with  ≠  are identical. Each (, ) key is used to compute a distinct individual key for each member  of cluster  by   =  (,) (). Before its deployment, every node is preloaded not only with this individual key but also with {(, )} for its cluster  and 1 ≤  ≠  ≤  , to be used in the initial intercluster key establishment.

In-Cluster Key.
We note that in-cluster communication occurs most frequently, to exchange successive incoming percepts and to aggregate data efficiently. If a single cluster key were shared within a cluster for economy, an adversary could endanger the entire cluster by capturing only one node. Thus, we propose that a group of nodes sharing a key chain use all of its keys as one-time encrypting keys, each node in its own order. A node's current one-time key can be derived only by its neighbours in its cluster, called in-neighbours, from the node's base, which they privately know in advance, and the current packet sequence number, unless the base is compromised. Over the conventional key chain studies [1,15,16], this idea has the following additional advantages: strong key freshness, no need for key disclosure synchronisation, and no message overhead for direct key delivery.
Key Chain Predistribution. Before the initial deployment, BS generates a unique one-way key chain of  keys for every cluster  from OWF ℎ and key (, ) of the key matrix. As in TESLA, . ., and ℎ  ((, )) =   0 . To every member , BS randomly assigns a neighbour-distinct base   in [0, ), which determines 's own key-use order as in Figure 2. Because the OWF is hard to invert, this generation-reversing key use guarantees that a lower-indexed key reveals nothing about the higher-indexed keys.
Neighbour Discovery and Base Exchange. After its deployment, every node  first attempts to find any neighbour V by broadcasting its ID, cluster ID , and a random key index  in [0, ) in public, as well as its base in private under key    , as in (1). A receiver V in the same cluster replies as in (2); otherwise, V in another cluster  replies as in (3):
V →  : V, .
Having received packets as (3),  becomes aware that it is a border node.
Rechaining and Key Chain Distribution. When member V reports key reference exhaustion on the currently shared key chain to the head of cluster , or when any member V is perceived as captured, the head  generates key   =    (V) and a new C  by  recursions of ℎ(  ). To propagate this key chain,  conveys   after encrypting it with its current   of the old key chain as follows: Every receiver can generate the same key chain from the received   and passes it on to its in-neighbours in the same manner. As soon as a nonborder node forwards   to others, or a border node generates the new key chain,   and the old key chain are immediately erased and every sequence number is reset to 0.
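The key chain of this section, the per-node key-use order of Figure 2, the sealed in-cluster packet of (5) in Section 2.5, and the rechaining above, as an added worked example that is not part of the original paper: SHA-256 stands in for the OWF h, HMAC-SHA256 for the PRF f, an HMAC counter-mode keystream for the encryption (the paper does not name a cipher), and the chain length n = 8, the bases, node IDs and the seed are assumed values.

```python
import hashlib
import hmac

N = 8  # chain length n; assumed small value for illustration


def h(x: bytes) -> bytes:
    """One-way function (OWF) h; SHA-256 stands in for the paper's h."""
    return hashlib.sha256(x).digest()


def prf(key: bytes, data: bytes) -> bytes:
    """PRF f_key(data); HMAC-SHA256 stands in for the paper's f."""
    return hmac.new(key, data, hashlib.sha256).digest()


def make_chain(seed: bytes, n: int = N) -> list:
    """Chain {K_j : 0 <= j < n} with K_j = h^(n-j)(seed), so K_0 = h^n(seed)
    and K_j = h(K_{j+1}): a lower-indexed key reveals nothing about higher ones."""
    chain = [b""] * n
    cur = seed
    for j in range(n - 1, -1, -1):
        cur = h(cur)
        chain[j] = cur
    return chain


def current_key(chain: list, base: int, seq: int) -> bytes:
    """One-time key of a node with base `base` at packet sequence number `seq`
    (Figure 2): K_{(base + seq) mod n}."""
    return chain[(base + seq) % len(chain)]


def keystream(k: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream from the PRF (assumed cipher construction)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += prf(k, b"enc" + seq.to_bytes(4, "big") + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:length]


def seal(chain: list, base: int, seq: int, payload: bytes) -> dict:
    """Sender side of (5): ciphertext and MAC under the current one-time key;
    the sequence number travels in clear so in-neighbours can derive the key."""
    k = current_key(chain, base, seq)
    ct = bytes(p ^ s for p, s in zip(payload, keystream(k, seq, len(payload))))
    mac = prf(k, b"mac" + seq.to_bytes(4, "big") + ct)
    return {"seq": seq, "ct": ct, "mac": mac}


def unseal(chain: list, sender_base: int, pkt: dict):
    """Receiver side of (5): derive the sender's key from its base (learned in the
    base exchange) and the received sequence number; None if the MAC fails."""
    k = current_key(chain, sender_base, pkt["seq"])
    mac = prf(k, b"mac" + pkt["seq"].to_bytes(4, "big") + pkt["ct"])
    if not hmac.compare_digest(mac, pkt["mac"]):
        return None
    ks = keystream(k, pkt["seq"], len(pkt["ct"]))
    return bytes(c ^ s for c, s in zip(pkt["ct"], ks))


def rechain_by_head(matrix_key: bytes, node_id: bytes, old_chain: list,
                    head_base: int, head_seq: int, n: int = N):
    """Head side of rechaining: seed = f_{K(i,i)}(v) is sent sealed under the
    head's current key of the old chain; the head then builds the new chain."""
    seed = prf(matrix_key, node_id)
    return seal(old_chain, head_base, head_seq, seed), make_chain(seed, n)


def rechain_by_member(old_chain: list, head_base: int, pkt: dict, n: int = N):
    """Member side: recover the seed and rebuild the chain; a real node then
    erases the old chain and resets every sequence number to 0."""
    seed = unseal(old_chain, head_base, pkt)
    return None if seed is None else make_chain(seed, n)


if __name__ == "__main__":
    chain = make_chain(b"K(i,i) of cluster i (constructed seed)")
    u_base = 3  # u's base, exchanged privately after deployment (assumed value)
    pkt = seal(chain, u_base, 2, b"percept reading 42")
    print(unseal(chain, u_base, pkt))  # in-neighbour v recovers the payload
```

A receiver that knows the sender's base recovers the packet only when the sequence number it sees selects the key the sender actually used; a wrong base or a modified ciphertext fails the MAC check before anything is decrypted. Note that every member holds the whole chain, so the secrecy of one node's key stream rests on its base staying private, as the text states, and on n being large enough that guessing the index is not cheap.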

Intercluster Key.
For packets crossing clusters, every pair of border nodes in two adjacent clusters, called interneighbours, should share a distinct pairwise key. So far, every node has been loaded with the (  − 1) keys of the key matrix and knows whether it is a border node. Every nonborder node immediately erases these keys, because only border nodes use them, to establish intercluster keys as follows.
Key Establishment. Every border node  of cluster  is given a series of pairs ⟨V, ⟩, one for each border node V of cluster , after having received messages as in (3). It produces intercluster key  V =  (,) (⊕V) for each ⟨V, ⟩. Simultaneously, V computes the same key, named  V =  (,) (V ⊕ ) for  of , by the symmetry (, ) = (, ). As soon as it has computed all the required intercluster keys,  erases all the given (  − 1) keys.
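The symmetric key matrix of the key predistribution step and the intercluster key derivation above, as an added example that is not the paper's own code: HMAC-SHA256 stands in for the PRF f, the matrix is filled with random 32-byte keys, and node IDs are assumed to be fixed-length byte strings so that u ⊕ v is well defined.

```python
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """PRF f_key(data); HMAC-SHA256 stands in for the paper's f."""
    return hmac.new(key, data, hashlib.sha256).digest()


def build_key_matrix(num_clusters: int, rand=os.urandom) -> list:
    """BS builds a symmetric key matrix: entry (i, j) equals entry (j, i)."""
    mat = [[b""] * num_clusters for _ in range(num_clusters)]
    for i in range(num_clusters):
        for j in range(i, num_clusters):
            mat[i][j] = mat[j][i] = rand(32)
    return mat


def individual_key(mat: list, cluster: int, node_id: bytes) -> bytes:
    """Individual key shared with BS, derived from the diagonal entry (i, i)
    keyed on the node ID; nodes never receive (i, i) itself."""
    return prf(mat[cluster][cluster], node_id)


def preload_row(mat: list, cluster: int) -> dict:
    """The off-diagonal keys K(i, j) preloaded into every node of cluster i."""
    return {j: mat[cluster][j] for j in range(len(mat)) if j != cluster}


def intercluster_key(row: dict, peer_cluster: int, my_id: bytes, peer_id: bytes) -> bytes:
    """K_uv = f_{K(i,j)}(u XOR v). XOR is commutative and K(i,j) = K(j,i), so both
    border nodes compute the same key with no message beyond the ID exchange of (3)."""
    if len(my_id) != len(peer_id):
        raise ValueError("node IDs must have equal length")
    x = bytes(a ^ b for a, b in zip(my_id, peer_id))
    return prf(row[peer_cluster], x)


def border_node_keys(row: dict, my_id: bytes, interneighbours: list) -> dict:
    """Compute every intercluster key from the <v, j> pairs learned in (3),
    then erase the preloaded matrix row as the text requires."""
    keys = {(j, v): intercluster_key(row, j, my_id, v) for v, j in interneighbours}
    row.clear()
    return keys


if __name__ == "__main__":
    mat = build_key_matrix(4)                 # 4 clusters (assumed)
    u, v = b"\x00\x07", b"\x01\x02"           # u in cluster 1, v in cluster 2 (assumed IDs)
    row_u, row_v = preload_row(mat, 1), preload_row(mat, 2)
    print(intercluster_key(row_u, 2, u, v) == intercluster_key(row_v, 1, v, u))
```

Two caveats follow directly from the formula. First, for a fixed cluster pair (i, j), any two border pairs whose IDs have the same XOR value derive the same intercluster key, so IDs should be assigned with that in mind. Second, a node captured before it erases its row exposes every K(i, j) of its cluster, which is why the text assumes the keying phase itself is protected.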
Secure Transmission.
Now, we present how the established keys secure in-cluster, intercluster, and individual communication in practice, as in (5) to (7), respectively:
(i) Within a cluster, node  sends another node V, or broadcasts, packet  by transmitting 's encryption and MAC under its current   together with the current   , as in (5). Any receiver privately obtains  after deriving   from the previously known   and the just-arrived   .
(ii) Node  of cluster  always uses intercluster key  V to encrypt packet  and to produce its MAC when it sends  to interneighbour V, as in (6). As V also holds  V =  V ,  is safely restored by V.
(iii) When BS individually informs node  in cluster  of packet , it transmits  to the first node V on a given path, as in (7). The first two components, which address the destination, are repeatedly decrypted and re-encrypted by the on-path nodes, including V, through in-cluster and intercluster communication until they reach ; the remaining two components are just carried during the transmission and are decrypted only by . The opposite case, from  to BS, reverses the course described.
Handling Node Addition.
Before its deployment, new node  is preloaded with its individual key   shared only with BS, cluster ID , unique base   , and all of 's member IDs, as assumed. BS has enough time to inform 's members of 's joining and of random key   , temporarily used for 's key chain acquisition, in advance by letting 's head propagate the information. The notification is started as in (7), where || and  are, respectively, replaced by ℎ|| and ||  . Then,  first exchanges messages with its neighbours as in (8), and then (9) or (3), to obtain their bases and C  , ( − 1) recursions of ℎ(  −1 ): For every pair ⟨V, ⟩ for interneighbour V in cluster , if any,  privately loads its generated intercluster key  V =    ( ⊕ V) via a secure -to-V path. As we assume that this entire node joining procedure finishes within  add , the temporary key   is automatically dropped by every member once  add has passed from when it was given.

Figure 2: Different key-use orders of nodes  and V on their shared key chain {   } for 0 ≤  < . The periodically updated one-time encrypting key of  is given by   =   (  +  mod ) , where   is the base of  and its packet sequence number   increases by 1 from 0. The same holds for V with its own  V .

Handling Node Eviction.
A node is regarded as evicted when its battery appears exhausted, when a large portion of its communication links fail, or when it is detected as captured. Any neighbouring node that perceives one of these conditions announces it to the entire network. As soon as the node's uselessness is notified, its cluster members and interneighbours discard every related secret from their memory.
In particular, if the node has been captured, as in the last case, the rest of its cluster must update the shared key chain as in the rechaining and key chain distribution. Also, each of its in-neighbours individually reselects a new base, different from the previous one, and broadcasts it to its own in-neighbours as in (1).

Analysis of Our Framework
In this section, we, in turn, analyse our framework in the following performance metrics: network connectivity, resiliency against impersonating attacks by node capture, and resource requirements.

Connectivity.
Because of its deterministic nature, our framework achieves perfect connectivity between any two neighbouring nodes for both in-cluster and intercluster communication at the initialisation phase. This also holds for newly added nodes, thanks to the prior node ID announcement by BS as in Section 2.6.

Resiliency
The overall  * in is the normalised sum of the impersonated fractions over every cluster,  in , given by (10).

Resource Requirements
Storage. Because a key is usually larger than any other secret, such as a node ID or a base, we count only the number of retained keys as storage overhead. After the initialisation, every node holds a single individual key, the  in-cluster keys of its key chain, and additionally O(  ) intercluster keys if it is a border node. Thus, the storage required by our framework is dominated by the key chain length  given   .
Communication. The communication overhead of our security framework occurs between a neighbouring pair during initial keying, rekeying, and keying for a new node. At the initialisation, the pair exchanges only their IDs and bases, whereas for rekeying a seed key for the new key chain and new bases travel. For a new node, the pair of which one is the new node exchanges at most their IDs, bases, a temporary or intercluster key, and the last key of the currently shared key chain, as in Section 2.6.

Comparison with Previous Studies
In this section, we compare the performances of our proposed framework with those of the following three selected conventional studies.
2KP (see [8]). BS has two key pools, of  1 and of  keys, and assigns two key sets,  1 keys from the  1 -pool and  keys from the -pool, to each node in advance. As soon as a node is deployed, it broadcasts the key ID sequence of its  1 -key set. Only pairs sharing one or more common keys can establish a pairwise key, computed by a PRF, after which every node drops its  1 -key set. For node addition, a new node and its neighbours exchange the key ID sequences of their -key sets to establish their pairwise keys as before.
LOCK (see [19]). This utilises two layers of keys for clustered WSNs. BS communicates only with weakly trusted cluster key servers (KSes): it holds (  +   ) keys and assigns a unique subset of   keys, one of the (+)   combinations, to each node before deployment. Every KS distributes its own generated ( + ) keys among its cluster members in the same manner. In both layers, each member establishes pairwise keys within its group by exchanging key IDs. Additionally, every regular node shares   backup keys with BS to report the compromise of its KS.
LEAP+ (see [1]). Initially, every node  is preloaded with the same set of  keys, termed  1 ,  2 , . . .,   , from which  derives its own base key for session  by    =    (). For  to establish a pairwise key with every neighbouring V in session , it first broadcasts its ID and waits for V's ID encrypted with    as presumed by V. Then  derives   V as well, and the pair individually computes the pairwise key   V =    V (). After the session ends, every node  erases   and    from its memory. Every node is also preloaded with a unique one-way key chain of  keys and transmits the last key, as the current one-time key, to its neighbours before it first broadcasts. Then, every time it broadcasts a message, it uses the current one-time key to encrypt both the message and the next one-time key. The current one-time key is discarded after it has been used for encryption or decryption.
In the following simulations, we vary only the numbers of used or stored keys,  1 , ,   , , and   , to see their impact, while fixing the network parameters as  = 10000,   =   = 100,   = 50, and   = 30.

Connectivity.
As already stated, the deterministic key establishment in ours and LEAP+ guarantees perfect connectivity regardless of the number of keys.
Since 2KP achieves stably high resiliency with 200 keys selected from 10000 [8], we take  1 = 200,  = {50, 200}, and  1 =  = 10000. To see the cases with and without new nodes, we also consider ( 1 ,  2 ) = {(10000, 0), (9000, 1000)}, where  1 and  2 are, respectively, the numbers of initially deployed nodes and of newly added nodes, such that  =  1 +  2 . Writing  1 and  2 for the probabilities that a neighbouring pair is connected after the  1 nodes are deployed and after the  2 nodes are added, respectively, we formulate the overall connectivity of 2KP,  2 , as follows: In both (13) and (14), the second term on the right represents the probability that two nodes do not share any key with which to form a secure connection.
Regarding that  =   and  =   , the connectivity of LOCK,  LOCK , is given in two cases as follows: The upper equation holds because one's key set has at least one key in common with every other's key set if  > , whereas for  ≤  the key sharing probability, given as  1 or  2 , is probabilistic. For  ≤ , we take (, ) = {(4, 5), (3, 7), (2, 13), (2, 14)}, which offer 126, 120, 105, and 120 key combinations, respectively, for storage efficiency in a 100-node cluster. Figure 3 shows the direct pairwise connectivity of ours, 2KP, LOCK, and LEAP+ under this setting. As illustrated, our framework, LEAP+, and LOCK with  >  have perfect connectivity. The connectivity of 2KP is highly sensitive to  regardless of node addition. LOCK is more likely to share keys as the difference between  and  is smaller. Thus, our framework achieves higher network connectivity than 2KP and than LOCK with  ≤ , regardless of the number of keys and of newly added nodes.
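The pairwise key-sharing probabilities behind (13) and (14) and the two LOCK cases, as an added computation that is not part of the paper: it uses the standard random key predistribution formula (two nodes with k keys each from a pool of P share none with probability C(P-k, k)/C(P, k)) and the parameter values quoted above; the pigeonhole case m > n is exactly the "upper equation" of the LOCK connectivity.

```python
from fractions import Fraction
from math import comb


def pair_share_prob(pool: int, k: int) -> Fraction:
    """Probability that two nodes, each holding k keys drawn without replacement
    from a pool of `pool` keys, share at least one key: 1 - C(pool-k, k)/C(pool, k).
    The subtracted term is the 'no common key' probability named for (13)/(14)."""
    return 1 - Fraction(comb(pool - k, k), comb(pool, k))


def lock_combinations(m: int, n: int) -> int:
    """Distinct m-subsets of a key server's m+n keys: the node capacity of a LOCK cluster."""
    return comb(m + n, m)


def lock_pair_share_prob(m: int, n: int) -> Fraction:
    """Two distinct m-subsets of m+n keys always intersect when m > n (2m > m+n);
    otherwise they are disjoint with probability C(n, m)/C(m+n, m)."""
    if m > n:
        return Fraction(1)
    return 1 - Fraction(comb(n, m), comb(m + n, m))


def connectivity_table() -> list:
    """Settings of Section 4: 2KP with k in {50, 200} from a 10000-key pool and
    LOCK with (m, n) in {(4,5), (3,7), (2,13), (2,14)} (assumed to be the
    per-pair figures Figure 3 is built from). Each row: scheme, parameter,
    key combinations (None for 2KP), pairwise sharing probability."""
    rows = []
    for k in (50, 200):
        rows.append(("2KP", k, None, float(pair_share_prob(10000, k))))
    for m, n in ((4, 5), (3, 7), (2, 13), (2, 14)):
        rows.append(("LOCK", (m, n), lock_combinations(m, n),
                     float(lock_pair_share_prob(m, n))))
    return rows


if __name__ == "__main__":
    for row in connectivity_table():
        print(row)
```

With 200 keys from the 10000-key pool a neighbouring pair almost always shares a key, but with 50 keys the sharing probability drops to roughly one pair in five, which is the sensitivity to k described above; for LOCK, (2, 13) shares more often than (2, 14), matching the remark that a smaller gap between m and n raises connectivity.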

Resiliency.
If  nodes are captured in total, no nodes other than the captured ones can be impersonated in 2KP and LEAP+. Since the nodes do not keep the keys from which neighbouring pairs derived their pairwise keys with a PRF, the pairwise keys are hard for unauthorised parties to discover, by the randomness of the PRF. For broadcasting in LEAP+, every node owns its one-way key chain as well as its neighbours' current one-time broadcasting keys. Even if an attacker obtains such a broadcasting key, deriving future broadcasting keys is hard by the one-wayness of the OWF [17]. Similarly, the impersonation probability for individual communication in our framework is given by / as well.
In LOCK,  keys are always kept to establish pairwise keys with new nodes, even though the keys are periodically updated. The fraction of total sensor nodes impersonated by  = ∑   =1   captured nodes,  LOCK , is given as follows: Here   is the minimum number of distinct keys in cluster  that the   captured nodes can recover. In other words, the attacker obtains at least ǩ  distinct keys, which yield ǩ  C  key combinations, from the   compromised nodes. This means that at least ǩ  C  nodes can be impersonated until they are detected as compromised.
Given  total captured nodes in [500, 3000], with   in [0,   ] for every cluster , the average resiliency over 100 simulations is compared in Figure 4. More specifically, we consider highly selective attacks with   in [0.7, 1] and    4.
Communication. Assuming, without loss of generality, that the key size  is greater than node IDs, key IDs, bases, and the MACs of all of these, we present in Table 2 the communication overhead required between a neighbouring pair for each of initial keying, rekeying, and keying for a new node in the different studies. For any keying course, our framework spends communication resources on a single key with its MAC, two bases with their MACs, or two node IDs, as discussed in Section 3.3. Similarly, a neighbouring pair exchanges the associated node IDs or a broadcasting key with its MAC in LEAP+. By contrast, in 2KP and LOCK, every node broadcasts the sequence of its own key IDs as needed to find neighbours holding common keys. Since the broadcasting key delivery of LEAP+ occurs more often than our rechaining, our framework reduces the communication overhead of all the keying phases compared with 2KP, LOCK, and LEAP+.
Computation. The complexities required to chain keys by an OWF, to produce a MAC by a hash function, and to generate a pairwise key by a PRF can all be regarded as negligible [1,8]. Thus, the frameworks without key ID comparison, ours and LEAP+, have lower computation overheads than 2KP and LOCK.
Although our framework does not achieve the least storage overhead, it is fairly competitive, because the resource consumption of wireless sensor nodes is usually dominated by communication [20].

Conclusion
In this paper, we have proposed a new dynamic keying framework for large-scale clustered WSNs, which are widely employed to implement ubiquitous sensor networks. In the framework, separate keying mechanisms not only protect in-cluster, intercluster, and individual communication but also handle node addition and eviction effectively. Our key-use ordering mechanism over a cluster-shared one-way key chain, illustrated in Figure 2, and the intercluster key establishment using the preloaded key matrix achieve perfect connectivity and protect wireless sensors from impersonation by node capture with low resource overheads. These claims are supported by the theoretical analyses and the simulations presented. As one extension of this work, we may raise energy efficiency and practicability by utilising environmental energy and by considering cross-layer networking as in [21].

Figure 1: Three different communication patterns. Whereas the single-line arrows represent pairwise in-cluster communication, the double-line arrows correspond to intercluster communication across two different clusters. The base station (BS) communicates individually with a distant node by first accessing the closest node, as the dotted-line arrow shows.

Figure 4: Comparison of average resiliency against impersonation by node capture amongst ours, 2KP, LOCK, and LEAP+.

(viii)   () is a pseudorandom function (PRF) based on seed  with key .   is the base of node , based on which  utilises its key chain in its own manner.  1 ||  2 is the concatenation of data  1 and  2 by concatenator ||.

Attack Model.
Since we view active attacks, such as false data injection, as degrading network performance the most, we adopt the following strong attack model by node capture. (i) The attacker can retrieve all the information stored in a sensor node once it captures that node. (ii) The attacker can selectively capture a set of sensor nodes in a WSN. (iii) The attacker ultimately aims at impersonating legitimate nodes to inject false data with the compromised keys.   is the distinction rate amongst  's in-neighbours in (0, 1], and   is the bordering ratio of   in [0,   /  ]. In this attack model, the greater   or  , the higher the selectiveness of the attack. An attacker can purposely locate and capture sensors holding more secrets, such as border nodes in our framework, by selectively attacking such nodes. Such an attacker can impersonate only existing nodes whose IDs are compromised, because a new node with a falsified ID is thoroughly excluded by the prior node ID announcement by BS. Thus, the resiliency against this attack is measured by estimating the fraction of total sensor nodes that an attack can properly impersonate as ID-known nodes, modelled as {(  ,   ,   )} for every cluster  in a network of  nodes and   clusters, where   is the number of 's captured nodes, .
In cluster , given (  ,   ), adversary  behaves as follows: (i)  completely impersonates every node  of the   captured nodes; (ii) to impersonate each of 's O(  ) in-neighbours with their compromised bases,  must guess its other (  − 1) in-neighbours than  with probability (  − 1)/(  − 1), as well as their sequence numbers with probability 1/, for every ; (iii) to impersonate each of the remaining (  −     O(  ) − 1) members,  must guess its O(  ) neighbours with probability   /  , their bases with probability 1/, and their sequence numbers with probability 1/.
Computation. At the initialisation, every node performs O(  ) MAC operations to securely obtain its in-neighbours' bases and additionally O(  ) PRF operations to generate intercluster keys if it is a border node. To update the key chain, it restores the sent seed key by one MAC operation and generates a new key chain by  recursions of OWF ℎ. Given a new node, its neighbours can verify its base or sent intercluster key by one MAC operation. The new node performs one MAC operation to extract the last key and ( − 1) recursions of ℎ to generate its needed key chain. Letting  be the key size in bits, OWF ℎ : {0, 1}  → {0, 1}  costs () computation, whereas inverting it costs (2  ).

Table 2: Communication overhead comparison amongst ours, 2KP, LOCK, and LEAP+ in bits.

Resource Overheads.
Now, we compare our framework with 2KP, LOCK, and LEAP+ in three resource overhead metrics: storage, communication, and computation. Every analysed overhead is given in big-O notation to show its maximum complexity even in the worst case.
Storage. Table 1 provides the storage overheads of the selected keying frameworks. Regarding that  stands for the key size in bits, the different storage requirements of nonborder and border nodes in our framework are as stated in Section 3.3. In 2KP, every node is preloaded with  keys from the -pool for new nodes and shares pairwise keys with O(  ) neighbours. In LOCK, every KS keeps   keys for the BS-KS communication and  keys for its cluster communication, whereas every regular node stores   keys to communicate with BS as well as  keys as its KS does. Any group member establishes pairwise keys with its O(  ) neighbours whatever the group is. LEAP+ initially assigns every node  keys, to establish pairwise keys with nodes added in any session  (≤), and a -length key chain for broadcasting. Both types of keys are dropped just after they are used. Usually,  in 2KP and  and  in LEAP+ take larger values for high connectivity and network longevity, respectively. Thus, on storage overhead, our framework is superior to 2KP and LEAP+ but not to LOCK in our simulations, where the LOCK cases with smaller  and   achieve better resiliency than those with large  and   as in Figure